Table of Contents

  1. Vulnerabilities
    1. Hospital Management System 4.0 SQL Injection
  2. Privacy
    1. EFF Year in Review
  3. Malware
    1. New trojan called ‘Lampion’ has spread using template emails from the Portuguese Government Finance & Tax during the last days of 2019.
    2. Shitcoin Wallet Chrome extension steals crypto-wallet private keys and passwords
  4. Crime
    1. Sextortion Email Scammers Try New Tactics to Bypass Spam Filters
  5. Politics
    1. Irish National Cyber Security Strategy warns of attacks on Irish data centres
  6. Leaks
    1. Expert finds Starbucks API Key exposed online
  7. Exploit development
    1. dlinject.py – Inject a .so into a running Linux process, without ptrace

Vulnerabilities

Hospital Management System 4.0 SQL Injection

One more proof that healthcare security sucks badly: a trivial SQL injection in Hospital Management System.

Privacy

EFF Year in Review

The Electronic Frontier Foundation has released two more reports regarding consumer privacy and surveillance self-defense in the year 2019.

Malware

New trojan called ‘Lampion’ has spread using template emails from the Portuguese Government Finance & Tax during the last days of 2019.

The last days of 2019 were the perfect time to spread phishing campaigns using email templates based on the Portuguese Government Finance & Tax. SI-LAB noted that Portuguese users were targeted with malscam messages that reported issues related to a debt from the year 2018. The malware was named ‘Lampion’ because that name is used as part of its internal name. On a broad analysis, it looks like the Trojan-Banker.Win32.ChePro family, but with improvements that make its detection and analysis hard.

Shitcoin Wallet Chrome extension steals crypto-wallet private keys and passwords

Harry Denley, director of security at MyCrypto, discovered that a Google Chrome extension named Shitcoin Wallet is stealing passwords and wallet private keys.

Crime

Sextortion Email Scammers Try New Tactics to Bypass Spam Filters

Sextortion scammers have started to use new tactics to bypass spam filters and secure email gateways so that their scam emails are delivered to their intended recipients. These tactics include sending sextortion emails in foreign languages and splitting bitcoin addresses into two parts.

Politics

Irish National Cyber Security Strategy warns of attacks on Irish data centres

The Irish government has published its National Cyber Security Strategy, an update of the country’s first Strategy, which was published in 2015. The report warns that the national economy and confidence in the State would be undermined by a major cyber attack on one of the numerous data centers that multinational tech giants have built around the country.

Leaks

Expert finds Starbucks API Key exposed online

The development team at Starbucks left exposed an API key that could be used by an attacker to access internal company systems and manipulate the list of authorized users. The issue was discovered by security expert Vinoth Kumar, who found the key in a public GitHub repository. This issue could allow attackers to execute commands on systems, add or remove users who have access to internal systems, and potentially take over the AWS account.

Exploit development

dlinject.py – Inject a .so into a running Linux process, without ptrace

Inject a shared library (i.e. arbitrary code) into a live Linux process, without ptrace. Inspired by Cexigua and linux-inject, among other things.