Major Infosec Events in October 2018
Windows 10 October Update: A Series of Bugs
The Windows 10 October Update (version 1809) turned out to be one of the most problematic in the OS’s history. Users reported a variety of bugs after installing it.
File Deletion
Initially, users noticed that the update was deleting files from their Documents and Pictures folders. Many reported the issue on social media and Microsoft support forums. Some users discovered that if files were not synced with OneDrive but existed locally, the update would overwrite or delete them. Microsoft admitted that about 0.01% of users experienced file loss in their user directories after installing the update.
Driver Incompatibility
File deletion wasn’t the only problem. After Microsoft pulled the update for fixes, a new Insider version caused BSODs (Blue Screens of Death) on HP computers, often due to the C:\Windows\System32\drivers\HpqKbFiltr.sys keyboard driver. Some users experienced BSODs even without this driver after installing the update.
Audio Failure
Lawrence Abrams of Bleeping Computer highlighted another bug: after the October “Patch Tuesday,” many users lost audio, receiving the message “Audio device not installed.” The issue affected various audio drivers (Realtek, Intel, etc.). Microsoft confirmed that a faulty Intel audio driver was briefly distributed via Windows Update, and advised users to check and replace the problematic driver if necessary.
ZIP Archive Bug
Another bug in version 1809 involved the built-in ZIP functionality. When extracting files, Windows 10 failed to ask whether to overwrite existing files, simply replacing them without warning. Microsoft stated the bug was fixed in an upcoming build, but users were advised to be cautious when handling archives.
DuckDuckGo Hits 30 Million Daily Searches
DuckDuckGo’s popularity continues to grow, reaching 30 million daily searches. It took seven years to hit 10 million, two more years for 20 million, and just one more year to reach 30 million. The company notes that traffic growth is accelerating each year.
Apple’s Software Lock Against Unauthorized Repairs
Apple developed a software lock to prevent unauthorized repairs on new Macs with the T2 chip (iMac Pro, MacBook Pro 2018). The lock can activate after repairs like display, logic board, or Touch ID replacement, requiring the AST 2 System Configuration suite—available only to authorized service providers—to complete the repair. If triggered, only Apple Stores or authorized centers can restore functionality. However, iFixit found the lock was not yet active as of late 2018.
A similar mechanism already exists in recent iPhones: replacing the Home button disables Touch ID until recalibrated on Apple’s Horizon Machine.
Crypto Exchange Hacks: $882 Million Lost
Group-IB experts estimated that targeted attacks on cryptocurrency exchanges in 2017 and the first nine months of 2018 resulted in at least $882 million in losses across 14 exchanges. North Korean hacker group Lazarus was responsible for five of these, including the $534 million Coincheck hack. The main attack vector was targeted phishing, accounting for 56% of stolen funds. In 2017, over 10% of all raised investments were stolen, and 80% of projects disappeared after collecting funds.
Triton Malware Linked to Russian Research Institute
FireEye published a detailed report on the Triton (Trisis) malware, which targeted critical infrastructure, including a Saudi petrochemical plant. Evidence suggests a connection to Russia’s Central Scientific Research Institute of Chemistry and Mechanics (TsNIIKhM) and the TEMP.Veles hacker group. Indicators included PDB paths, IP addresses, Cyrillic artifacts, and file creation times matching Moscow’s timezone. However, FireEye notes it’s possible an individual employee acted alone.
IBM to Acquire Red Hat for $34 Billion
IBM announced plans to acquire Red Hat for $34 billion ($190 per share), a move approved by both companies’ leadership. IBM CEO Ginni Rometty called it a game-changer for the cloud market, positioning IBM as the world’s leading hybrid cloud provider.
Bloomberg’s Chinese Spy Chip Allegations
In October 2018, Bloomberg published articles alleging that Chinese spy chips were embedded in Supermicro servers used by companies like Amazon, Apple, the US Navy, and the CIA. However, few named sources confirmed the claims, and most companies—including Apple, Amazon, and Supermicro—denied any evidence of compromised hardware. Apple CEO Tim Cook publicly called for Bloomberg to retract the story, stating that extensive internal investigations found no such chips. Bloomberg stood by its reporting.
96% of WordPress Sites Run on Current Versions
At the DerbyCon conference in the US, WordPress developers reported that 96% of WordPress sites now use version 4.x, thanks to the introduction of automatic updates in version 3.7 and reminders from Google about the importance of updates.
iOS Lock Screen Bypasses
Spanish security researcher Jose Rodriguez demonstrated three new ways to bypass the iOS lock screen. The first used Siri and VoiceOver to access contacts and photos. The second exploited the “Answer by SMS” feature to view and send images. The third, discovered hours after iOS 12.1’s release, used Group FaceTime to access the full contact list. All methods required physical access to the device.
Top Phishing Brands: Microsoft, PayPal, Netflix
Vade Secure found that in Q3 2018, phishing attacks increased by 20.4%. The most commonly impersonated brands were Microsoft, PayPal, Netflix, Bank of America, and Wells Fargo. Microsoft-related phishing targeted Office 365, OneDrive, and Azure credentials. Most phishing emails were sent on Tuesdays and Thursdays, while Netflix-related attacks peaked on Sundays.
Google+ to Shut Down
Google announced the shutdown of Google+ due to low user engagement and a bug that exposed private data of 500,000 accounts. The bug, present from 2015 to March 2018, allowed apps to access non-public profile information. Google+ will be phased out over ten months, ending in mid-2019. Google stated that 90% of sessions lasted less than five seconds.
Vitalik Buterin Regrets the Term “Smart Contracts”
Ethereum founder Vitalik Buterin admitted on Twitter that he regrets using the term “smart contracts,” wishing he had chosen a more technical and less flashy name like “persistent scripts.”
libssh Vulnerability (CVE-2018-10933)
A critical vulnerability in the libssh library allowed attackers to bypass authentication and access vulnerable SSH servers without a password. The bug, present since version 0.6.0 (2014), was fixed in versions 0.7.6 and 0.8.4 in October 2018. Shodan found about 6,000 potentially vulnerable systems, but the issue only affected server-mode applications. GitHub was not affected due to a custom implementation. Security bulletins were released by Cisco, Debian, SUSE, Ubuntu, Arch Linux, Dell, and F5 Networks. Exploits and scanners for the bug quickly appeared online.
Sberbank Employee Data Leak
Russian newspaper Kommersant reported that a file containing names, email addresses, and login credentials of about 421,000 Sberbank employees was publicly available online. Sberbank confirmed the leak, stating it was a partial address book accessible to all employees and posed no threat to automated systems or clients.
Security Issues in Signal and Telegram
Unencrypted Messages in Signal
Researcher Matt Suiche found that upgrading from the Signal Chrome extension to the desktop client exported messages to unencrypted text files. The issue affected both macOS and Linux Mint, and the files remained on disk after the upgrade, requiring manual deletion.
Decryption Keys in Signal
Nathaniel Suchy discovered that Signal Desktop stores the encryption key for its SQLite message database in plain text in the config.json file. This means anyone with access to the computer can read the user’s messages. Suchy suggested prompting users for a password to generate the encryption key.
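As an added illustration (not Signal’s own code), the weak layout Suchy described beside the password-derived alternative he suggested; the field names, the PBKDF2 parameters and the HMAC verifier are assumptions:

```python
# Added example, not Signal's code: a config that stores the SQLite database
# key in plain text versus one that derives the key from a user password.
# Field names, KDF parameters and the verifier scheme are assumptions.
import hashlib
import hmac
import os

KEY_LEN = 32            # 256-bit database key
PBKDF2_ITERS = 200_000  # assumed work factor; tune for the target machine


def plaintext_config(db_key: bytes) -> dict:
    """Weak layout: the raw key sits in config.json, readable by anyone
    who can read the file (what Suchy found)."""
    return {"key": db_key.hex()}


def derive_key(password: str, salt: bytes, iterations: int = PBKDF2_ITERS) -> bytes:
    """Stretch the user's password into the database key; the key itself
    never has to be written to disk."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=KEY_LEN)


def password_config(password: str) -> dict:
    """Hardened layout: only a random salt, the KDF parameters and a
    verifier for detecting a wrong password are stored."""
    salt = os.urandom(16)
    key = derive_key(password, salt)
    # Verifier is an HMAC over a fixed label; it does not reveal the key.
    check = hmac.new(key, b"db-key-check", "sha256").hexdigest()
    return {"kdf": "pbkdf2-sha256", "iterations": PBKDF2_ITERS,
            "salt": salt.hex(), "check": check}


def unlock(config: dict, password: str):
    """Recompute the key at startup from the prompted password;
    return None if the password is wrong."""
    key = derive_key(password, bytes.fromhex(config["salt"]), config["iterations"])
    expected = hmac.new(key, b"db-key-check", "sha256").hexdigest()
    if not hmac.compare_digest(expected, config["check"]):
        return None
    return key


def config_leaks_key(config: dict) -> bool:
    """Simple audit check: does the on-disk config carry a raw key field?"""
    return "key" in config
```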
Unencrypted Messages in Telegram
Suchy also found that Telegram Desktop stores chat data in an unencrypted local database, including names and phone numbers. Even “secret chat” conversations were stored unprotected. Telegram’s founder Pavel Durov responded that this is not a vulnerability, as exploitation requires access to the victim’s computer.
USB Threats: Trends and Statistics
Kaspersky Lab reported that the number of users infected via removable media has been declining since 2014. However, USB devices are still used to spread cryptocurrency mining malware, with some infections persisting for years. In 2018, every tenth user affected by USB malware was infected with Trojan.Win64.Miner.all, whose detections grow by about one sixth each year. The Stuxnet exploit (CVE-2010-2568) remains among the top ten threats spread via USB. USB malware is most common in Asia, Africa, and South America, but incidents have also occurred in Europe and North America.