Cyber security news September 2021

This posting is here to collect cyber security news in September 2021.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.


  1. Tomi Engdahl says:

    A New Bug in Microsoft Windows Could Let Hackers Easily Install a Rootkit
    Security researchers have disclosed an unpatched weakness in Microsoft Windows Platform Binary Table (WPBT) affecting all Windows-based devices since Windows 8 that could be potentially exploited to install a rootkit and compromise the integrity of devices.

  2. Tomi Engdahl says:

    What will happen to Chinese phones in Finland? Here is how the operators comment
    Finland's three operators take the claims about the phones' security problems seriously, but sales continue as normal for the time being.

  3. Tomi Engdahl says:

    Colombian Real Estate Agency Leak Exposes Records of Over 100,000 Buyers
    More than one terabyte of data containing 5.5 million files has been left exposed, leaking personal information of over 100,000 customers of a Colombian real estate firm, according to cybersecurity company WizCase.

  4. Tomi Engdahl says:

    EU Denounces Alleged Russian Hacking Ahead of German Vote

    The European Union on Friday condemned alleged Russian cyber attacks that have targeted Germany in the run up to this weekend’s election for Chancellor Angela Merkel’s successor.

    “Some EU Member States have observed malicious cyber activities, collectively designated as ‘Ghostwriter’, and associated these with the Russian state,” foreign policy chief Josep Borrell said.

    “Such activities are unacceptable as they seek to threaten our integrity and security, democratic values and principles and the core functioning of our democracies.”

    Borrell’s statement said the EU and its member states “strongly denounce these malicious cyber activities, which all involved must put to an end immediately”.

  5. Tomi Engdahl says:

    FamousSparrow Cyberspies Exploit ProxyLogon in Attacks on Governments, Hotels

    A cyberespionage group active since at least 2019 started exploiting ProxyLogon one day after the Microsoft Exchange vulnerability was publicly disclosed, ESET security researchers say.

    Active since at least August 2019 and tracked as FamousSparrow, the group is mainly targeting hotels, but has also attacked government organizations, law firms, and international companies in roughly a dozen countries, including Brazil, Canada, Israel, Saudi Arabia, Taiwan, and the United Kingdom.

  6. Tomi Engdahl says:

    Google Says Threat Actors Using New Code Signing Tricks to Evade Detection

    Financially motivated threat actors have started using new code signing tricks to increase the chances of their software evading detection on Windows systems, Google’s Threat Analysis Group reported on Thursday.

    The new technique has been used by the operators of OpenSUpdater, which cybersecurity vendors have classified as adware, potentially unwanted program (PUP), or potentially unwanted application (PUA). These types of pieces of software can ruin the user experience and they may attempt to download and install other shady programs.

    The operation observed by Google has impacted many users in the United States, particularly people who download game cracks and what the tech giant has described as “grey-area software.”

  7. Tomi Engdahl says:

    SonicWall Patches Critical Vulnerability in SMA Appliances

    SonicWall has published a security advisory and a security notice to inform customers about a critical vulnerability affecting some of its Secure Mobile Access (SMA) appliances.

    The flaw, identified as CVE-2021-20034, can be exploited by a remote, unauthenticated attacker to delete arbitrary files from the targeted appliance, which could result in the device being reset to factory settings. The security hole can also allow an attacker to gain administrator access to the underlying host.

    The cybersecurity firm highlighted that it has seen no evidence of the vulnerability being exploited in the wild. It’s not surprising that this statement is highlighted in the vendor’s advisory considering that SMA appliances have been known to be targeted by malicious actors, in some cases even before a patch was released.

    CVE-2021-20034 was reported to SonicWall by Wenxu Yin, a researcher at Chinese cybersecurity firm Qihoo 360.

    The vulnerability has been found to impact SMA 200, 210, 400, 410 and 500v appliances running versions, and, and earlier. Patches have been released for each of the affected versions.

    “The vulnerability (SNWLID-2021-0021) is due to an improper limitation of a file path to a restricted directory potentially leading to arbitrary file deletion as ‘nobody’,” SonicWall explained in its security notice.

  8. Tomi Engdahl says:

    Check Point warns again: don't buy a COVID certificate online!

    A week ago, security company Check Point Software reported that a forged COVID certificate can be bought online for 150 euros. Now the forgers have found new ways to market their products, but the certificate still should not be bought online, the company warns.

    As a new method, the forgers use a technique in which they claim to have access to the website of the European Centre for Disease Prevention and Control. According to the claims, the buyer of the certificate can be registered in the genuine database, so that in checks the holder of the certificate would appear with fully vaccinated status.

    The sale is confirmed by sending the buyer a forged document. The certificate's QR code leads to a forged database that looks genuine. According to Check Point, this problem will persist until a unified database for verifying certificates is developed between governments.

  9. Tomi Engdahl says:

    Washington Post:
    Extremism researchers say the Epik hack is the “mother of all data lodes”, and will let them map the ecosystem of extremist websites and organizations — The colossal hack of Epik, an Internet-services company popular with the far right, has been called the “mother of all data lodes” for extremism researchers.

  10. Tomi Engdahl says:

    VMware Confirms In-the-Wild Exploitation of vCenter Server Vulnerability

    VMware has confirmed that the recently patched vCenter Server vulnerability tracked as CVE-2021-22005 has been exploited in the wild, and some researchers say it has been chained with another flaw that was fixed in the same round of updates.

    VMware on September 21 informed customers that updates released for its vCenter Server product patched 19 vulnerabilities, including CVE-2021-22005, a critical arbitrary file upload flaw that could lead to arbitrary code execution on impacted servers.

    The next day, threat intelligence company Bad Packets already reported seeing internet scans targeting CVE-2021-22005, but the activity seemed limited. Initial scans appeared to be based on a workaround test shared by VMware when it announced patches.

    Researchers have been analyzing the patches and the information made public by VMware, and a Vietnam-based researcher known as Jang has already released technical information and even a proof-of-concept (PoC) exploit.

    Quick note of vCenter RCE (CVE-2021-22005)

  11. Tomi Engdahl says:

    When a senior executive at virtual private network company ExpressVPN admitted to working on behalf of a foreign intelligence service to hack American machines last week, it stunned employees at his new company, according to interviews and electronic records.

    ExpressVPN employees complain about ex-spy’s top role at company

  12. Tomi Engdahl says:

    AWS EC2 North Virginia outage resolves but some issues linger

    UPDATE: Signal falls over while Xero and Nest got a bit iffy when the main AWS EC2 region had degraded performance. Amazon Web Service says all is well but some users are still reporting trouble.

  13. Tomi Engdahl says:

    FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor
    NOBELIUM uses FoggyWeb to remotely exfiltrate the configuration database of compromised AD FS servers, decrypted token-signing certificate, and token-decryption certificate, as well as to download and execute additional components. Use of FoggyWeb has been observed in the wild as early as April 2021.

  14. Tomi Engdahl says:

    QNAP fixes critical bugs in QVR video surveillance solution
    Network-attached storage (NAS) maker QNAP has patched its QVR video management system against two critical-severity issues that could be exploited to run arbitrary commands.

  15. Tomi Engdahl says:

    Brazen scam in the name of Finnish newspapers: ads filled the phone
    Scam sites mimicking news sites try to lure the victim into an investment trap. Victims can be directed to the site through ads, for example.

  16. Tomi Engdahl says:

    Australians are losing over AU$6.6 million each month to cryptoscams
    Losses related to cryptocurrency investment scams made up over a quarter of the total scams reported to the Australian Competition and Consumer Commission (ACCC) from the start of the year to the end of August.

  17. Tomi Engdahl says:

    A New Jupyter Malware Version is Being Distributed via MSI Installers
    Cybersecurity researchers have charted the evolution of Jupyter, a .NET infostealer known for singling out healthcare and education sectors, which makes it exceptional at defeating most endpoint security scanning solutions.

  18. Tomi Engdahl says:

    New Android Malware Steals Financial Data from 378 Banking and Wallet Apps
    The operators behind the BlackRock mobile malware have surfaced back with a new Android banking trojan called ERMAC that targets Poland and has its roots in the infamous Cerberus malware, according to the latest research.

  19. Tomi Engdahl says:

    Microsoft will disable Basic Auth in Exchange Online in October 2022
    Microsoft announced that Basic Authentication will be turned off for all protocols in all tenants starting October 1st, 2022, to protect millions of Exchange Online users.

  20. Tomi Engdahl says:

    BloodyStealer and gaming assets for sale
    In this report, we take a closer look at threats linked to loss of accounts with popular video game digital distribution services, such as Steam and Origin. We also explore the kind of game-related data that ends up on the black market and the prices.

  21. Tomi Engdahl says:

    Quad Nations Commit to Fostering a Secure Technology Ecosystem

    The Quad countries (Australia, India, Japan, and the United States) on Friday announced a partnership to foster the development of secure technology.

    At the first-ever in-person Leaders’ Summit of the Quad, the four committed to working together on initiatives to improve global health and infrastructure, to combat climate change, and ensure the security of critical and emerging technology.

    The Quad committed to building trust, integrity and interoperability, but underlined that suppliers, vendors, and distributors are expected to ensure the transparency and accountability of their practices.

    Furthermore, technology developers are expected to adopt a security-by-design approach, ensuring that robust safety and security practices are implemented in the development process.

    “Resilient, diverse, and secure technology supply chains – for hardware, software, and services – are vital to our shared national interests,” a White House announcement reads. “Close cooperation on supply chains with allies and partners who share our values will enhance our security and prosperity, and strengthen our capacity to respond to international disasters and emergencies.”

  22. Tomi Engdahl says:

    Controversial Web Host Epik Confirms Customer Data Exposed in Breach

    Controversial web services provider Epik last week confirmed that sensitive information pertaining to its customers was stolen in a data breach.

    During the incident, hackers were able to access non-public Epik servers that stored a backup copy of the company’s domain-side service accounts. The attack happened on or before September 13, 2021, Epik said in a notification letter to customers.

    The attackers were able to access data such as names and addresses, phone and VAT numbers, email addresses, login credentials (usernames and passwords), domain ownership, transaction histories, and in some cases credit card information.

    The company says it has retained cybersecurity firms to investigate the breach, while notifying law enforcement and the affected customers.

    “At this time, we have secured access to our domain-side services and have applied additional security measures to help protect services and users going forward,” the company says.

    Information Epik submitted to the Maine Attorney General’s office shows that 110,000 people were affected by the breach. The Washington Post says up to 38,000 credit card numbers were compromised in the incident.

  23. Tomi Engdahl says:

    Lorenzo Franceschi-Bicchierai / VICE:
    The researcher who disclosed three iOS zero-days last week says Apple apologized for the delayed response and said it is still investigating the vulnerabilities — Apple apologized for the delay in responding to the researcher, but experts think Apple needs to do better. — Lorenzo Franceschi-Bicchierai

    Apple ‘Still Investigating’ Unpatched and Public iPhone Vulnerabilities

    Apple apologized for the delay in responding to the researcher, but experts think Apple needs to do better.

