Cyber security news June 2021

This posting is here to collect cyber security news in June 2021.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.


  1. Tomi Engdahl says:

    AWS Has Acquired Encrypted Messaging Service Wickr
    Amazon’s cloud services giant Amazon Web Services (AWS) is getting into the encrypted messaging business. The company has just announced that it has acquired secure communications service Wickr, a messaging app that has geared itself towards providing services to government and military groups and enterprises. It claims to be the only “collaboration service” that meets security criteria set out by the NSA.

  2. Tomi Engdahl says:

    Already 5 million euros scammed in the name of banks this year
    Police warn of a growing crime phenomenon in which criminals phish for online banking credentials using fake sites that resemble banks’ websites. Victims usually end up on the fake sites, which look like an online bank, either through a text message or email sent in the bank’s name or through search engine results.

  3. Tomi Engdahl says:

    Microsoft says SolarWinds hacking group has breached three new victims
    Microsoft said on Friday that it discovered new cyberattacks carried out by Nobelium, the codename the company has assigned to the Russian state-sponsored hacking group responsible for the SolarWinds hack last year. Direct link to Microsoft report:

  4. Tomi Engdahl says:

    Microsoft admits to signing rootkit malware in supply-chain fiasco
    Microsoft has now confirmed signing a malicious driver being distributed within gaming environments. This driver, called “Netfilter,” is in fact a rootkit that was observed communicating with Chinese command-and-control (C2) IPs. G Data malware analyst Karsten Hahn first took notice of this event last week and was joined by the wider infosec community in tracing and analyzing the malicious drivers bearing the seal of Microsoft. Link to Microsoft report:

  5. Tomi Engdahl says:

    Builder for Babuk Locker ransomware leaked online
    The builder for the Babuk Locker ransomware was leaked online this week, allowing easy access to an advanced ransomware strain to any would-be criminal group looking to get into the ransomware scene with little to no development effort.

  6. Tomi Engdahl says:

    Old Vulnerability Exploited to Hack, Wipe WD Storage Devices

    Many owners of My Book Live and My Book Live Duo network-attached storage (NAS) devices made by Western Digital (WD) reported having their files wiped, and it seems that it’s the result of an attack exploiting an old vulnerability.

    Victims said a factory reset had been initiated on their device, which resulted in all files being erased. Some users reported losing very important data.

    One post on the WD Community forum received more than 160 replies and it has been viewed nearly 15,000 times in just over 24 hours. A post on Reddit also received more than 80 responses within 24 hours.

  7. Tomi Engdahl says:

    Google Rolling Out Security Update for Google Drive

    Google this week announced a security update for Google Drive that is meant to make sharing links more secure for files stored with the service.

    With this update, the search advertising giant is adding a resource key to sharing links, which will impact access to the files for those users who haven’t yet viewed the files.

    “Once the update has been applied to a file, users who haven’t viewed the file before will have to use a URL containing the resource key to gain access, and those who have viewed the file before or have direct access will not need the resource key to access the file,” Google said in a note accompanying the update.

  8. Tomi Engdahl says:

    Vulnerabilities Expose Fortinet Firewalls to Remote Attacks

    A high-severity vulnerability patched recently by Fortinet in its FortiWeb web application firewall (WAF) can be exploited to execute arbitrary commands. The flaw can pose an even more serious risk if it’s chained with a misconfiguration and another recently discovered security hole.

    Andrey Medov, a researcher at Russian enterprise cybersecurity firm Positive Technologies, discovered that the FortiWeb firewall — specifically its management interface — is affected by a vulnerability that can allow a remote, authenticated attacker to execute commands on the system via the SAML server configuration page.

    The flaw, tracked as CVE-2021-22123, has been patched with the release of FortiWeb versions 6.3.8 and 6.2.4, Fortinet said in an advisory published in late May.

  9. Tomi Engdahl says:

    Joseph Menn / Reuters:
    Microsoft, following a probe of SolarWinds hack, says an attacker compromised one of the company’s support agents to launch attacks against customers

    Microsoft says new breach discovered in probe of suspected SolarWinds hackers

    Microsoft (MSFT.O) said on Friday an attacker had won access to one of its customer-service agents and then used information from that to launch hacking attempts against customers.

  10. Tomi Engdahl says:

    30M Dell Devices at Risk for Remote BIOS Attacks, RCE

  11. Tomi Engdahl says:

    Critical vulnerability security incident alert and mitigation firmware update
    Zyxel devices with remote management are being targeted and there is active exploitation of the vulnerability. No CVE has been issued.
    Hotfix is being worked on. Mitigation is to separate remote management from other functions and restrict access to the remote management port. Mitigation firmware and instructions are available.

  12. Tomi Engdahl says:

    Proof of Concept exploit released for Cisco ASA vulnerability
    After a PoC for a cross-site scripting vulnerability (CVE-2020-3580) was posted on Twitter, bug hunters as well as criminals started searching for vulnerable devices. The bug requires tricking a user with an account on the device’s admin interface into clicking a malicious link.
    Exploiting the bug allows the attacker to execute malicious code on the ASA and FTD management panel with admin privileges. PoC:

  13. Tomi Engdahl says:

    Spear phishing campaign with new techniques aimed at aviation companies
    FortiGuard Labs Threat Research Report goes through the spear phishing campaign’s technical details, ending with the final payload of AsyncRAT, a tool to steal credentials and other sensitive data.

  14. Tomi Engdahl says:

    Ransomware gangs now creating websites to recruit affiliates
    Some Ransomware-as-a-Service operations have had to adapt how they recruit new affiliates to distribute the ransomware, after the topic was banned on Russian-speaking cybercrime forums. One of the RaaS providers, Himalaya, prohibits using the provided ransomware against healthcare, public, and non-profit organizations.

  15. Tomi Engdahl says:

    New ransomware variant uses Golang packer
    CrowdStrike recently observed a ransomware sample borrowing implementations from previous HelloKitty and FiveHands variants and using a Golang packer compiled with the most recent version of Golang (Go1.16, released mid-February 2021). Golang-written malware and packers are not new, but compiling with the latest Golang (Go1.16) makes it challenging to debug for malware researchers. That’s because all necessary libraries are statically linked and included in the compiled binary, and function name recovery is difficult.

  16. Tomi Engdahl says:

    EA ignored domain vulnerabilities for months despite warnings and breaches
    Gaming giant Electronic Arts is facing even more criticism from the cybersecurity industry after ignoring warnings from cybersecurity researchers in December 2020 that multiple vulnerabilities left the company severely exposed to hackers.

  17. Tomi Engdahl says:

    Mercedes-Benz USA Says Vendor Exposed Customer Information

    Mercedes-Benz USA said last week that sensitive personal information pertaining to its customers was inadvertently exposed by a vendor.

    The incident, initially disclosed by the affected vendor on June 11, involved more than 1.6 million records, a vast majority of which including names, addresses, email addresses, phone numbers, and some details on purchased vehicles.

    However, only “less than 1,000 Mercedes-Benz customers and interested buyers” had what the German luxury carmaker described as “sensitive personal information” impacted.

    This information includes self-reported credit scores, along with a small number of credit card details, dates of birth, driver license numbers, and social security numbers.

  18. Tomi Engdahl says:

    Threat Actor Abuses Microsoft’s WHCP to Sign Malicious Drivers

    Microsoft is investigating an incident where a threat actor submitted malicious drivers for certification through the Windows Hardware Compatibility Program.

    Built by a third-party, the drivers were designed to target gaming environments and could allow the attacker to spoof their location and play from anywhere.

    Immediately upon learning of the issue, Microsoft said it suspended the offending account and started reviewing their submissions to identify any additional malware.

    The company also added detection rules in Microsoft Defender for Endpoint to block the driver and its associated files, and also shared the information with other security vendors.

    “We have seen no evidence that the WHCP signing certificate was exposed. The infrastructure was not compromised,” Microsoft says.

  19. Tomi Engdahl says:

    Russian hackers had months-long access to Denmark’s central bank
    Russian state hackers compromised Denmark’s central bank (Danmarks Nationalbank) and planted malware that gave them access to the network for more than half a year without being detected.

  20. Tomi Engdahl says:

    REvil ransomware’s new Linux encryptor targets ESXi virtual machines
    The REvil ransomware operation is now using a Linux encryptor that targets and encrypts VMware ESXi virtual machines.

  21. Tomi Engdahl says:

    700 million LinkedIn records for sale on hacker forum
    After 500 million LinkedIn users were affected by data scraping in April, it happened again. The information includes full names, gender, email addresses, phone numbers, and industry information.

  22. Tomi Engdahl says:

    An unpatched security vulnerability affecting Google’s Compute Engine platform could be abused by an attacker to take over virtual machines over the network
    PoC available:

  23. Tomi Engdahl says:

    Microsoft’s Halo game development servers breached by a security researcher
    Microsoft had trouble with npm dependency confusion earlier this year; this time another researcher found that the problem still exists because some packages have dependencies not present in the npmjs registry.

  24. Tomi Engdahl says:

    High-Severity Vulnerabilities Found in Several Phoenix Contact Industrial Products

    Germany-based industrial solutions provider Phoenix Contact last week informed customers that a total of 10 vulnerabilities have been identified across several of the company’s products.

    According to advisories published by Phoenix Contact and Germany’s CERT@VDE, which coordinates cybersecurity issues related to industrial automation, the vulnerabilities were reported to the company by various researchers and companies.

    The vendor addressed many of the flaws with firmware updates, but in some cases it only provided recommendations for preventing attacks.

    Phoenix Contact’s TC router, FL MGUARD modules, ILC 2050 BI building controllers, and PLCNext products are affected by two vulnerabilities: a high-severity security bypass issue and a medium-severity denial of service (DoS) flaw.

    SMARTRTU AXC remote terminal and automation systems, CHARX control modular AC charging controllers, EEM-SB37x energy meters, and PLCNext products are impacted by a high-severity vulnerability that can be exploited to install malicious firmware on a device.

    The vendor revealed that FL SWITCH SMCS series switches are impacted by three security holes that can be exploited for DoS and cross-site scripting (XSS) attacks. The XSS bug can be leveraged to inject malicious code into the web-based management interface of a device.

    FL COMSERVER UNI products, which are used to integrate serial interfaces into existing Ethernet networks, are affected by a high-severity DoS vulnerability.

  25. Tomi Engdahl says:

    New Security Measures Announced for Google Play Developer Accounts

    Google on Monday announced new security measures for developer accounts on Google Play, meant to ensure that each account is created by a real person.

    Google Play, which provides access to millions of Android applications and games, has been abused by threat actors for the distribution of malware, and Google is looking for new ways to strengthen the security of both developers and users.

  26. Tomi Engdahl says:

    Dan Goodin / Ars Technica:
    After hackers wiped many of Western Digital’s My Book Live devices, a look at the code suggests the manufacturer had removed authentication code — Western Digital removed code that would have prevented the wiping of petabytes of data. — Update 6/29/2021, 9:00 PM: Western Digital …

    Hackers exploited 0-day, not 2018 bug, to mass-wipe My Book Live devices [Updated]
    Western Digital removed code that would have prevented the wiping of petabytes of data.

    Update 6/29/2021, 9:00 PM: Western Digital has published an update that says the company will provide data recovery services starting early next month. My Book Live customers will also be eligible for a trade-in program so they can upgrade to My Cloud devices. A spokeswoman said the data recovery service will be free of charge.

    The company also provided new technical details about the zeroday, which is now being tracked as CVE-2021-35941.

    Last week’s mass-wiping of Western Digital My Book Live storage devices involved the exploitation of not just one vulnerability but also a second critical security bug that allowed hackers to remotely perform a factory reset without a password, an investigation shows.

    The vulnerability is remarkable because it made it trivial to wipe what is likely petabytes of user data. More notable still was that, according to the vulnerable code itself, a Western Digital developer actively removed code that required a valid user password before allowing factory resets to proceed.

    Done and undone

    The undocumented vulnerability resided in a file aptly named system_factory_restore. It contains a PHP script that performs resets, allowing users to restore all default configurations and wipe all data stored on the devices.

    Normally, and for good reason, factory resets require the person making the request to provide a user password. This authentication ensures that devices exposed to the Internet can only be reset by the legitimate owner and not by a malicious hacker.

    As the following script shows, however, a Western Digital developer created five lines of code to password-protect the reset command. For unknown reasons, the authentication check was cancelled, or in developer parlance, it was commented out, as indicated by the double slash (//) at the beginning of each line.

    function post($urlPath, $queryParams = null, $ouputFormat = 'xml') {
    //    if(!authenticateAsOwner($queryParams))
    //    {
    //        header("HTTP/1.0 401 Unauthorized");
    //        return;
    //    }

    “The vendor commenting out the authentication in the system restore endpoint really doesn’t make things look good for them,” HD Moore, a security expert and the CEO of network discovery platform Rumble, told Ars. “It’s like they intentionally enabled the bypass.”

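The commented-out owner check above, as an added example that is not Western Digital's code: the system_factory_restore handler modelled as two plain-Python functions, the shipped version with the check disabled beside the version with it restored, so the effect can be exercised offline. The request shape (a dict of query parameters), the in-memory PBKDF2 credential store, the function name authenticate_as_owner and the tiny DeviceState object are all constructed for this example and not taken from the page.

```python
"""Added example, not Western Digital's code: the factory-reset handler from the
excerpt above as two plain-Python functions, so the effect of the commented-out
owner check can be exercised offline.

Assumptions (constructed for this example, not from the page): requests are
dicts of query parameters, the owner credential is a PBKDF2 hash held in
memory, and the device is a tiny in-memory object with a file list.
"""
import hashlib
import hmac
import os

_SALT = os.urandom(16)
_ITERATIONS = 100_000
# Constructed owner password; a real device would load the hash from storage.
_OWNER_HASH = hashlib.pbkdf2_hmac("sha256", b"correct horse battery", _SALT, _ITERATIONS)


def authenticate_as_owner(query_params: dict) -> bool:
    """Return True only if the request carries the owner's password.

    PBKDF2 makes offline guessing expensive; compare_digest keeps the
    comparison constant-time so the check itself leaks nothing about the hash.
    """
    supplied = query_params.get("password")
    if not isinstance(supplied, str) or not supplied:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", supplied.encode(), _SALT, _ITERATIONS)
    return hmac.compare_digest(candidate, _OWNER_HASH)


class DeviceState:
    """Stand-in for the NAS: stored files plus a count of resets performed."""

    def __init__(self) -> None:
        self.files = {"photos.zip", "backup.tar"}
        self.reset_count = 0

    def factory_reset(self) -> None:
        self.files.clear()
        self.reset_count += 1


def post_vulnerable(device: DeviceState, query_params: dict) -> int:
    """Mirrors the shipped handler: the owner check exists but is commented
    out, so any POST wipes the device. Returns the HTTP status sent back."""
    # if not authenticate_as_owner(query_params):
    #     return 401
    device.factory_reset()
    return 200


def post_hardened(device: DeviceState, query_params: dict) -> int:
    """Same handler with the check restored: fail closed with 401 before any
    state-changing work happens."""
    if not authenticate_as_owner(query_params):
        return 401
    device.factory_reset()
    return 200


if __name__ == "__main__":
    nas = DeviceState()
    print("vulnerable, no password  ->", post_vulnerable(nas, {}), "files left:", nas.files)
    nas = DeviceState()
    print("hardened, no password    ->", post_hardened(nas, {}), "files left:", nas.files)
    print("hardened, owner password ->", post_hardened(nas, {"password": "correct horse battery"}))
```

The point to take from the two handlers is ordering: the hardened version rejects before any state-changing call runs, so a device reachable from the Internet cannot be reset by anyone who merely finds the endpoint.
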
  27. Tomi Engdahl says:

    “With the new caller ID technology, con artists should no longer be able to spoof phone numbers to pose as a legitimate caller like your bank or local Sheriff’s Office.”
    STIR/SHAKEN is a framework of interconnected standards… calls traveling through interconnected phone networks would have their caller ID “signed” as legitimate by originating carriers and validated by other carriers before reaching consumers. STIR/SHAKEN digitally validates the handoff of phone calls passing through the complex web of networks, allowing the phone company of the consumer receiving the call to verify that a call is in fact from the number displayed on Caller ID.

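The signing and validation handoff described in the STIR/SHAKEN comment above, as an added example that is not from the page or from any carrier: the originating carrier issues a PASSporT for a call and the terminating carrier validates it before trusting the displayed caller ID. The claim names (attest, orig, dest, iat, origid) follow RFC 8225 and the SHAKEN profile, but HMAC-SHA256 stands in for the ES256 signature and certificate lookup because the Python standard library has no ECDSA; the telephone numbers, key, x5u URL and timestamps are constructed for this example.

```python
"""Added example, not from the page or any carrier: the STIR/SHAKEN exchange
reduced to its two sides, the originating carrier signing a PASSporT for a
call and the terminating carrier validating it before trusting caller ID.

Assumptions: claim names follow RFC 8225 / SHAKEN, but HMAC-SHA256 stands in
for the ES256 signature and certificate lookup (no ECDSA in the stdlib); the
numbers, key, x5u URL and timestamps are constructed for this example.
"""
import base64
import hashlib
import hmac
import json

CARRIER_KEY = b"constructed-shared-key"  # stand-in for the carrier's certificate key pair
MAX_AGE_SECONDS = 60                      # reject PASSporTs older (or newer) than this


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _canonical(obj: dict) -> bytes:
    # Deterministic JSON so both sides sign and verify identical bytes.
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def sign_passport(orig_tn: str, dest_tn: str, attest: str, origid: str,
                  now: int, key: bytes = CARRIER_KEY) -> str:
    """Originating carrier: attest how well it knows the caller ("A" = full
    attestation, "B" = customer known but not the number, "C" = gateway only)."""
    if attest not in ("A", "B", "C"):
        raise ValueError("attest must be A, B or C")
    header = {"alg": "HS256", "ppt": "shaken", "typ": "passport",
              "x5u": "https://certs.example.net/carrier.pem"}  # constructed URL
    payload = {"attest": attest, "dest": {"tn": [dest_tn]}, "iat": now,
               "orig": {"tn": orig_tn}, "origid": origid}
    signing_input = _b64url(_canonical(header)) + "." + _b64url(_canonical(payload))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_passport(token: str, displayed_caller_id: str, called_tn: str,
                    now: int, key: bytes = CARRIER_KEY):
    """Terminating carrier: return (ok, attestation_level_or_reason)."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    signing_input = parts[0] + "." + parts[1]
    expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        return False, "bad signature"
    try:
        header = json.loads(_b64url_decode(parts[0]))
        payload = json.loads(_b64url_decode(parts[1]))
    except ValueError:
        return False, "undecodable token"
    if header.get("ppt") != "shaken":
        return False, "not a SHAKEN PASSporT"
    if not (now - MAX_AGE_SECONDS <= payload.get("iat", 0) <= now + MAX_AGE_SECONDS):
        return False, "stale or future-dated token"
    if called_tn not in payload.get("dest", {}).get("tn", []):
        return False, "token not issued for this destination"
    if payload.get("orig", {}).get("tn") != displayed_caller_id:
        return False, "caller ID does not match signed origin"
    if payload.get("attest") not in ("A", "B", "C"):
        return False, "unknown attestation level"
    return True, payload["attest"]


def scenario() -> dict:
    """The legitimate call plus the four ways a spoofer or replayer fails."""
    now = 1_625_000_000  # constructed clock shared by both carriers
    caller, callee = "+15551230001", "+15559876543"
    token = sign_passport(caller, callee, "A", "constructed-uuid", now)
    hdr, _body, sig = token.split(".")
    # Attacker rewrites the signed origin to match a spoofed display number
    # but cannot re-sign, so the old signature no longer covers the claims.
    forged_payload = {"attest": "A", "dest": {"tn": [callee]}, "iat": now,
                      "orig": {"tn": "+18005550100"}, "origid": "constructed-uuid"}
    forged = hdr + "." + _b64url(_canonical(forged_payload)) + "." + sig
    return {
        "legitimate": verify_passport(token, caller, callee, now + 2),
        "spoofed_display": verify_passport(token, "+18005550100", callee, now + 2),
        "replayed": verify_passport(token, caller, callee, now + 3600),
        "wrong_callee": verify_passport(token, caller, "+15550000000", now + 2),
        "forged_origin": verify_passport(forged, "+18005550100", callee, now + 2),
    }


if __name__ == "__main__":
    for case, verdict in scenario().items():
        print(f"{case:16s} -> {verdict}")
```

Note what the framework does and does not give you: a valid token binds the displayed number to the originating carrier's attestation for one call within a short window, so a spoofed display, a replay of an old token, or a token minted for a different callee all fail; it says nothing about whether an "A"-attested caller is honest.
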
  28. Tomi Engdahl says:

    Exclusive: An India-based tech startup left an unprotected server online that was spilling data on one of its customers, Byju’s, India’s most valuable company.

  29. Tomi Engdahl says:

    Public Windows PrintNightmare 0-day exploit allows domain takeover
    Another vulnerability, CVE-2021-1675, also regarding Print Spooler, was fixed in the Microsoft June update. Researchers from Chinese security company Sangfor decided to release their writeup and demo exploit called PrintNightmare, believing they were releasing information about the same issue. As it turns out, PrintNightmare is not the same as CVE-2021-1675. The PrintNightmare PoC was released to GitHub, and even though the original was removed, it was already cloned and is still available. This vulnerability is critical and the workaround should be implemented immediately.

  30. Tomi Engdahl says:

    Ransomware attack closed the libraries of Hämeenlinna, Hattula and Janakkala; no signs of data leakage have been detected
    The cause of the outage in Vanamo, the library system of the Hattula and Janakkala libraries, has turned out to be a ransomware attack. The target of the attack is the system supplier Axiell in Norway, whose customers the Hämeenlinna, Hattula and Janakkala libraries are. Vanamo will most likely be back in use by customers on Thursday.

  31. Tomi Engdahl says:

    Police seize DoubleVPN data, servers, and domain
    A coordinated effort between global law enforcement agencies, led by the Dutch National Police, shut down a VPN service that was advertised on cybercrime forums. The VPN company promised users the ability to double- and triple-encrypt their web traffic to obscure their location and identity.

  32. Tomi Engdahl says:

    Authorities Take Down DoubleVPN Service for Aiding Cybercriminals

    Law enforcement agencies in Europe, the US, and Canada on Tuesday announced the takedown of DoubleVPN, a virtual private network (VPN) service that allegedly helped cybercriminals conduct nefarious activities.

    As part of the takedown operation, servers across the world were seized to ensure the disruption of the DoubleVPN service. Furthermore, the service’s web domains now display a law enforcement splash page.

    “On 29th of June 2021, law enforcement took down DoubleVPN. Law enforcement gained access to the servers of DoubleVPN and seized personal information, logs and statistics kept by DoubleVPN about all of its customers. DoubleVPN’s owners failed to provide the services they promised,” the splash page reads.

    Advertised on underground cybercrime forums for both Russian and English speakers, the service was used by ransomware operators and phishing fraudsters to hide their real location and identity.

  33. Tomi Engdahl says:

    Windows Admins Scrambling to Contain ‘PrintNightmare’ Flaw Exposure

    Windows network administrators are scrambling to contain the fallout from the release of proof-of-concept code for a nasty Windows Print Spooler vulnerability that exposes Windows servers to remote code execution attacks.

    The issue is causing major headaches in security research circles because the exploit targets CVE-2021-1675, a vulnerability that was patched by Microsoft on June 8 and originally misdiagnosed as a low-risk privilege escalation issue.

  34. Tomi Engdahl says:

    “Fully patched Windows 2019 domain controller, popped with 0day exploit (CVE-2021-1675) from a regular Domain User’s account giving full SYSTEM privileges. Disable “Print Spooler” service on servers that do not require it,” according to one researcher tracking the issue

  35. Tomi Engdahl says:

    Putin’s Phone-in Hit by ‘Cyberattacks’

    A televised phone-in with Russian President Vladimir Putin Wednesday was targeted by “powerful” cyberattacks, the state-run Rossiya 24 network which broadcast the event said.

    Shown on Kremlin-friendly media, the annual session with Putin sees the president field in real time queries submitted by Russians throughout the country.

    This year’s phone-in on Wednesday, which lasted nearly four hours, repeatedly faced connection problems, particularly during calls from remote regions.

    “Our digital systems are right now facing attacks, powerful DDoS attacks,” a Rossiya-24 presenter told Putin, after a caller from the Kuzbass region in southwestern Siberia experienced connection issues.

    “Are you joking? Seriously?” Putin responded.

    “Turns out we have hackers in Kuzbass,” he quipped.

    Russia’s largest telecommunications provider, Rostelecom, confirmed the attacks to news agencies, saying that measures were being taken to “block these illegitimate activities”

  36. Tomi Engdahl says:

    NCSC-FI on Twitter:
    “Critical Print Spooler vulnerability: disable the Print Spooler service on domain controllers. On 1 July we will publish the Finnish-language vulnerability bulletin 19/2021, stay tuned …
    Short link to the domain

    Hacker Fantastic on Twitter:
    “Fully patched Windows 2019 domain controller, popped with 0day exploit (CVE-2021-1675) from a regular Domain User’s account giving full SYSTEM privileges. Disable “Print Spooler” service on servers that do not require it….

    Public Windows PrintNightmare 0-day exploit allows domain takeover
    Classification: Critical, Solution: Mitigation, Exploit: Yes
    Another vulnerability, CVE-2021-1675, regarding Print Spooler, was fixed in the Microsoft June update. Researchers from Chinese security company Sangfor decided to release their writeup and demo exploit called PrintNightmare, believing they were releasing information about the same issue. As it turns out, PrintNightmare is not the same as CVE-2021-1675. The PrintNightmare PoC was released to GitHub, and even though the original was removed, it was already cloned and is still available. This vulnerability is critical and the workaround should be implemented immediately.

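Disabling the spooler on servers that do not need it is the mitigation the comments above give; for hosts that must keep it running, detection over the PrintService log is the other half of the workaround window. The following is an added example, not from the page and not Microsoft's code: it parses constructed log lines and flags driver add/update events that bring in files outside a known baseline, plus spooler plug-in load failures that point into the driver staging directories where a malicious driver DLL would be dropped. The event IDs 316 and 808 and the message wording are an assumption taken from the Microsoft-Windows-PrintService log rather than from the page; the line format, the baseline of known driver files and every sample line are constructed.

```python
"""Added example, not from the page or from Microsoft: detection logic for the
Print Spooler mitigation window, run over constructed PrintService log lines.

Assumptions: event IDs 316 (driver added/updated) and 808 (spooler failed to
load a plug-in module) and their wording follow the Microsoft-Windows-
PrintService log; the "<ts>|<channel>|<id>|<message>" line format, the
baseline of known driver files and all sample lines are constructed.
"""
import re
from dataclasses import dataclass
from typing import List

SAMPLE_LOG = """\
2021-06-30T10:01:12|Microsoft-Windows-PrintService/Operational|316|Printer driver HP Universal Printing PCL 6 for Windows x64 Version-3 was added or updated. Files:- hpcu255u.dll, hpcu255c.dll, hpcu255i.dll. No user action is required.
2021-06-30T10:07:45|Microsoft-Windows-PrintService/Operational|316|Printer driver 1234 for Windows x64 Version-3 was added or updated. Files:- UNIDRV.DLL, kernelbase.dll, payload.dll. No user action is required.
2021-06-30T10:07:46|Microsoft-Windows-PrintService/Admin|808|The print spooler failed to load a plug-in module C:\\Windows\\system32\\spool\\DRIVERS\\x64\\3\\old\\1\\payload.dll, error code 0x45A. See the event user data for context information.
2021-06-30T10:09:00|Microsoft-Windows-PrintService/Operational|307|Document 12, Print Document owned by alice on \\\\FS01 was printed on HP Universal Printing PCL 6.
"""

# Constructed allow-list: driver files the fleet is known to ship (compared case-insensitively).
KNOWN_DRIVER_FILES = {"hpcu255u.dll", "hpcu255c.dll", "hpcu255i.dll",
                      "unidrv.dll", "unidrvui.dll", "unires.dll"}

FILES_RE = re.compile(r"Files:-\s*(.+?)\.(?:\s|$)")       # the "Files:- a.dll, b.dll." list in 316
MODULE_RE = re.compile(r"plug-in module\s+(.+?),")          # the module path in 808
STAGING_RE = re.compile(r"\\spool\\drivers\\x64\\3\\(?:old|new)\\", re.IGNORECASE)


@dataclass
class Alert:
    timestamp: str
    event_id: int
    reason: str
    detail: str


def parse_line(line: str):
    ts, channel, event_id, message = line.split("|", 3)
    return ts, channel, int(event_id), message


def check_driver_added(ts: str, message: str) -> List[Alert]:
    """Event 316: raise if the new driver pulls in any file not in the baseline."""
    m = FILES_RE.search(message)
    if not m:
        return []
    files = [f.strip() for f in m.group(1).split(",")]
    unknown = sorted(f for f in files if f.lower() not in KNOWN_DRIVER_FILES)
    if not unknown:
        return []
    return [Alert(ts, 316, "driver added with files outside baseline", ", ".join(unknown))]


def check_plugin_load_failure(ts: str, message: str) -> List[Alert]:
    """Event 808: raise if the module the spooler tried to load sits in a staging directory."""
    m = MODULE_RE.search(message)
    if not m:
        return []
    path = m.group(1)
    if STAGING_RE.search(path):
        return [Alert(ts, 808, "plug-in load failure from driver staging directory", path)]
    return []


def detect(log_text: str) -> List[Alert]:
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, _channel, event_id, message = parse_line(line)
        if event_id == 316:
            alerts.extend(check_driver_added(ts, message))
        elif event_id == 808:
            alerts.extend(check_plugin_load_failure(ts, message))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a.timestamp} event {a.event_id}: {a.reason} ({a.detail})")
```

The baseline approach deliberately alerts on the first unknown file rather than on a signature for any particular exploit, so it also catches a renamed DLL; the cost is that legitimate driver rollouts have to be added to the allow-list first.
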
  37. Tomi Engdahl says:

    Major Linux RPM problem uncovered | ZDNet

    Red Hat has used RPM for software package distribution for decades, but we now know RPM contained a nasty hidden security bug since Day One. It’s now been unveiled and a repair patch has been submitted.

    In 1995, when Linux 1.x was the hot new Linux kernel, early Red Hat founding programmers Marc Ewing and Erik Troan created RPM. This software package management system became the default way to distribute software for Red Hat Linux-based distributions such as Red Hat Enterprise Linux (RHEL), CentOS Stream, AlmaLinux OS, and Rocky Linux. Unfortunately, hidden within its heart is a major security hole.

    Dmitry Antipov, a Linux developer at CloudLinux, AlmaLinux OS’s parent company, first spotted the problem in March 2021. Antipov found that RPM would work with unauthorized RPM packages. This meant that unsigned packages or packages signed with revoked keys could silently be patched or updated without a word of warning that they might not be kosher.

    Why? Because RPM had never properly checked revoked certificate key handling.

    How could this be? It’s because RPM dates back from the days when getting code to work was the first priority and security came a long way second.

    Things have changed. Security is a much higher priority.

    Antipov, wearing his hat as a TuxCare (CloudLinux’s KernelCare and Extended Lifecycle Support) team member, has submitted a patch to fix this problem. As Antipov explained in an interview: “The problem is that both RPM and DNF, [a popular software package manager that installs, updates, and removes packages on RPM-based Linux distributions] do a check to see if the key is valid and genuine but not expired, but not for revocation. As I understand it, all the distribution vendors have just been lucky enough to never have been hit by this.”

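The gap described in the RPM comment above, as an added example that is not RPM's or DNF's code: a toy package-signature verifier in which a key that is genuine and unexpired but revoked still verifies, beside the check that closes the gap. HMAC-SHA256 stands in for the OpenPGP signatures RPM actually checks so that the trust logic runs offline; the key ids, timestamps, package bytes and the revocation event are constructed for this example.

```python
"""Added example, not RPM's or DNF's code: a toy package-signature verifier
that reproduces the revocation gap described above and the check that
closes it. HMAC-SHA256 stands in for OpenPGP signatures so the trust logic
runs offline; key ids, timestamps and the revocation are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass
class SigningKey:
    key_id: str
    secret: bytes          # stand-in for the key pair
    expires: int           # unix time; the pre-fix code does check this
    revoked: bool = False  # the state the pre-fix code never consults


@dataclass
class Package:
    name: str
    payload: bytes
    key_id: str
    signature: bytes


@dataclass
class KeyRing:
    keys: dict = field(default_factory=dict)

    def add(self, key: SigningKey) -> None:
        self.keys[key.key_id] = key

    def revoke(self, key_id: str) -> None:
        self.keys[key_id].revoked = True


def sign_package(name: str, payload: bytes, key: SigningKey) -> Package:
    sig = hmac.new(key.secret, payload, hashlib.sha256).digest()
    return Package(name, payload, key.key_id, sig)


def _signature_matches(pkg: Package, key: SigningKey) -> bool:
    expected = hmac.new(key.secret, pkg.payload, hashlib.sha256).digest()
    return hmac.compare_digest(expected, pkg.signature)


def verify_pre_fix(pkg: Package, ring: KeyRing, now: int) -> bool:
    """Known key, not expired, signature genuine: everything except revocation."""
    key = ring.keys.get(pkg.key_id)
    if key is None or now > key.expires:
        return False
    return _signature_matches(pkg, key)


def verify_fixed(pkg: Package, ring: KeyRing, now: int) -> bool:
    """Same checks plus an explicit revocation test, evaluated before the
    (comparatively expensive) signature check."""
    key = ring.keys.get(pkg.key_id)
    if key is None or key.revoked or now > key.expires:
        return False
    return _signature_matches(pkg, key)


def scenario() -> dict:
    """Run the four cases a verifier must get right; return (pre-fix, fixed) verdicts."""
    ring = KeyRing()
    vendor = SigningKey("VENDOR-2021", b"constructed-secret", expires=1_700_000_000)
    ring.add(vendor)
    pkg = sign_package("widget-1.0", b"rpm bytes here", vendor)
    now = 1_625_000_000  # constructed "today", inside the key's validity window

    results = {"fresh": (verify_pre_fix(pkg, ring, now), verify_fixed(pkg, ring, now))}

    tampered = Package(pkg.name, pkg.payload + b"!", pkg.key_id, pkg.signature)
    results["tampered"] = (verify_pre_fix(tampered, ring, now), verify_fixed(tampered, ring, now))

    late = vendor.expires + 1
    results["expired"] = (verify_pre_fix(pkg, ring, late), verify_fixed(pkg, ring, late))

    # Key leaked or rotated: the old signatures stay mathematically valid,
    # so only an explicit revocation check can reject them.
    ring.revoke("VENDOR-2021")
    results["revoked"] = (verify_pre_fix(pkg, ring, now), verify_fixed(pkg, ring, now))
    return results


if __name__ == "__main__":
    for case, (old, new) in scenario().items():
        print(f"{case:9s} pre-fix={old!s:5s} fixed={new}")
```

The "revoked" row is the whole bug: expiry is a property of the key that the signature itself carries, whereas revocation lives only in the keyring, so a verifier that trusts the signature's own metadata never sees it.
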
  38. Tomi Engdahl says:

    Microsoft says new breach discovered in probe of suspected SolarWinds hackers
    The company said it had found the compromise during its response to hacks by a team it identifies as responsible for earlier major breaches at SolarWinds and Microsoft.

  39. Tomi Engdahl says:

    Microsoft says its customer support tools were compromised by the SolarWinds hackers
    It says the group used the tools for targeted attacks

  40. Tomi Engdahl says:

    Huawei dev flamed for ‘useless’ Linux kernel code contributions
    Time-wasting commits called out as effort to burnish submission metrics

