Cyber security news September 2021

This posting is here to collect cyber security news in September 2021.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.

377 Comments

  1. Tomi Engdahl says:

    A New Bug in Microsoft Windows Could Let Hackers Easily Install a Rootkit https://thehackernews.com/2021/09/a-new-bug-in-microsoft-windows-could.html
    Security researchers have disclosed an unpatched weakness in Microsoft Windows Platform Binary Table (WPBT) affecting all Windows-based devices since Windows 8 that could be potentially exploited to install a rootkit and compromise the integrity of devices.

    Reply
  2. Tomi Engdahl says:

    What will happen to Chinese phones in Finland? Here is how the operators comment https://www.is.fi/digitoday/mobiili/art-2000008286255.html
    Finland's three operators take the claims about the phones' security problems seriously, but sales continue as normal for now.

    Reply
  3. Tomi Engdahl says:

    Colombian Real Estate Agency Leak Exposes Records of Over 100,000 Buyers https://thehackernews.com/2021/09/colombian-real-estate-agency-leak.html
    More than one terabyte of data containing 5.5 million files has been left exposed, leaking personal information of over 100,000 customers of a Colombian real estate firm, according to cybersecurity company WizCase.

    Reply
  4. Tomi Engdahl says:

    EU Denounces Alleged Russian Hacking Ahead of German Vote
    https://www.securityweek.com/eu-denounces-alleged-russian-hacking-ahead-german-vote

    The European Union on Friday condemned alleged Russian cyber attacks that have targeted Germany in the run up to this weekend’s election for Chancellor Angela Merkel’s successor.

    “Some EU Member States have observed malicious cyber activities, collectively designated as ‘Ghostwriter’, and associated these with the Russian state,” foreign policy chief Josep Borrell said.

    “Such activities are unacceptable as they seek to threaten our integrity and security, democratic values and principles and the core functioning of our democracies.”

    Borrell’s statement said the EU and its member states “strongly denounce these malicious cyber activities, which all involved must put to an end immediately”.

    https://www.securityweek.com/russia-linked-ghostwriter-disinformation-campaign-tied-cyberspy-group

    Reply
  5. Tomi Engdahl says:

    FamousSparrow Cyberspies Exploit ProxyLogon in Attacks on Governments, Hotels
    https://www.securityweek.com/famoussparrow-cyberspies-exploit-proxylogon-attacks-governments-hotels

    A cyberespionage group active since at least 2019 started exploiting ProxyLogon one day after the Microsoft Exchange vulnerability was publicly disclosed, ESET security researchers say.

    Active since at least August 2019 and tracked as FamousSparrow, the group is mainly targeting hotels, but has also attacked government organizations, law firms, and international companies in roughly a dozen countries, including Brazil, Canada, Israel, Saudi Arabia, Taiwan, and the United Kingdom.

    https://www.welivesecurity.com/2021/09/23/famoussparrow-suspicious-hotel-guest/

    Reply
  6. Tomi Engdahl says:

    Google Says Threat Actors Using New Code Signing Tricks to Evade Detection
    https://www.securityweek.com/google-says-threat-actors-using-new-code-signing-tricks-evade-detection

    Financially motivated threat actors have started using new code signing tricks to increase the chances of their software evading detection on Windows systems, Google’s Threat Analysis Group reported on Thursday.

    The new technique has been used by the operators of OpenSUpdater, which cybersecurity vendors have classified as adware, potentially unwanted program (PUP), or potentially unwanted application (PUA). These types of pieces of software can ruin the user experience and they may attempt to download and install other shady programs.

    The operation observed by Google has impacted many users in the United States, particularly people who download game cracks and what the tech giant has described as “grey-area software.”

    Reply
  7. Tomi Engdahl says:

    SonicWall Patches Critical Vulnerability in SMA Appliances
    https://www.securityweek.com/sonicwall-patches-critical-vulnerability-sma-appliances

    SonicWall has published a security advisory and a security notice to inform customers about a critical vulnerability affecting some of its Secure Mobile Access (SMA) appliances.

    The flaw, identified as CVE-2021-20034, can be exploited by a remote, unauthenticated attacker to delete arbitrary files from the targeted appliance, which could result in the device being reset to factory settings. The security hole can also allow an attacker to gain administrator access to the underlying host.

    The cybersecurity firm highlighted that it has seen no evidence of the vulnerability being exploited in the wild. It’s not surprising that this statement is highlighted in the vendor’s advisory considering that SMA appliances have been known to be targeted by malicious actors, in some cases even before a patch was released.

    CVE-2021-20034 was reported to SonicWall by Wenxu Yin, a researcher at Chinese cybersecurity firm Qihoo 360.

    The vulnerability has been found to impact SMA 200, 210, 400, 410 and 500v appliances running versions 10.2.1.0-17sv, 10.2.0.7-34sv and 9.0.0.10-28sv, and earlier. Patches have been released for each of the affected versions.

    “The vulnerability (SNWLID-2021-0021) is due to an improper limitation of a file path to a restricted directory potentially leading to arbitrary file deletion as ‘nobody’,” SonicWall explained in its security notice.

    Reply
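The SonicWall notice above describes the flaw as "an improper limitation of a file path to a restricted directory" leading to arbitrary file deletion. The following is an added illustration, written for this page and not taken from SonicWall's appliance code or advisory, of what that bug class looks like in a file-deletion handler and how a containment check fixes it. All names (`delete_vulnerable`, `delete_hardened`, `is_within_directory`, the "uploads" layout) are hypothetical, and the files it creates are constructed in a temporary directory so it runs offline.

```python
import os
import tempfile
from pathlib import Path


def is_within_directory(base_dir: str, requested: str) -> bool:
    """Return True only if `requested`, resolved against `base_dir` with
    '..' segments and symlinks expanded, still lies inside `base_dir`.

    realpath() is used so that both '..' traversal and a symlink planted
    inside the directory are judged by where they actually point."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    try:
        return os.path.commonpath([base, target]) == base
    except ValueError:  # e.g. different drives on Windows: never inside
        return False


def delete_vulnerable(base_dir: str, requested: str) -> None:
    """Hypothetical 'before' pattern (not SonicWall's code): the caller-supplied
    name is joined to the restricted directory and removed without any check,
    so a name containing '../' escapes the directory."""
    os.remove(os.path.join(base_dir, requested))


def delete_hardened(base_dir: str, requested: str) -> bool:
    """Same operation with the containment check; returns False (and deletes
    nothing) when the resolved path leaves `base_dir`."""
    if not is_within_directory(base_dir, requested):
        return False
    os.remove(os.path.realpath(os.path.join(base_dir, requested)))
    return True


def demo() -> dict:
    """Exercise both deleters on a constructed layout:

        <tmp>/settings.cfg      <- outside the restricted directory
        <tmp>/uploads/          <- the restricted directory
        <tmp>/uploads/scratch.tmp

    Returns a dict of observations so the outcome can be checked by a test."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        uploads = os.path.join(tmp, "uploads")
        os.mkdir(uploads)
        secret = os.path.join(tmp, "settings.cfg")
        scratch = os.path.join(uploads, "scratch.tmp")
        Path(secret).write_text("constructed sample config")
        Path(scratch).write_text("constructed sample upload")

        # The unchecked deleter follows '..' out of the uploads directory.
        delete_vulnerable(uploads, "../settings.cfg")
        results["vulnerable_removed_outside_file"] = not os.path.exists(secret)

        # The hardened deleter refuses the same request; the file survives.
        Path(secret).write_text("constructed sample config")
        results["hardened_refused"] = not delete_hardened(uploads, "../settings.cfg")
        results["outside_file_survives"] = os.path.exists(secret)

        # A legitimate request inside the directory still works.
        results["hardened_allowed"] = delete_hardened(uploads, "scratch.tmp")
        results["inside_file_removed"] = not os.path.exists(scratch)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The check compares canonical paths rather than looking for the literal string `..`, because encoded or symlinked variants of a traversal would pass a string filter but not a `realpath` comparison. The detection side of the same issue is a request log entry for a delete endpoint whose file parameter resolves outside the intended directory.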
  8. Tomi Engdahl says:

    Check Point warns again: don't buy a COVID certificate online!
    https://etn.fi/index.php/13-news/12611-check-point-varoittaa-uudestaan-aelae-osta-koronatodistusta-verkosta

    A week ago, security company Check Point Software reported that a forged COVID certificate can be bought online for 150 euros. Now the forgers have found new ways to market their products, but a certificate still should not be bought online, the company warns.

    As a new tactic, the forgers claim to have access to the website of the European Centre for Disease Prevention and Control. According to the claims, the buyer of the certificate can be registered in the genuine database, so that in checks the holder of the certificate would appear with fully vaccinated status.

    The sale is backed up by sending the buyer a forged document. The certificate's QR code leads to a forged database that looks genuine. According to Check Point, this problem will persist until a unified database for verifying certificates is developed between governments.

    Reply
  9. Tomi Engdahl says:

    Washington Post:
    Extremism researchers say the Epik hack is the “mother of all data lodes”, and will let them map the ecosystem of extremist websites and organizations — The colossal hack of Epik, an Internet-services company popular with the far right, has been called the “mother of all data lodes” for extremism researchers.

    https://www.washingtonpost.com/technology/2021/09/25/epik-hack-fallout/

    Reply
  10. Tomi Engdahl says:

    VMware Confirms In-the-Wild Exploitation of vCenter Server Vulnerability
    https://www.securityweek.com/vmware-confirms-wild-exploitation-vcenter-server-vulnerability

    VMware has confirmed that the recently patched vCenter Server vulnerability tracked as CVE-2021-22005 has been exploited in the wild, and some researchers say it has been chained with another flaw that was fixed in the same round of updates.

    VMware on September 21 informed customers that updates released for its vCenter Server product patched 19 vulnerabilities, including CVE-2021-22005, a critical arbitrary file upload flaw that could lead to arbitrary code execution on impacted servers.

    The next day, threat intelligence company Bad Packets already reported seeing internet scans targeting CVE-2021-22005, but the activity seemed limited. Initial scans appeared to be based on a workaround test shared by VMware when it announced patches.

    Researchers have been analyzing the patches and the information made public by VMware, and a Vietnam-based researcher known as Jang has already released technical information and even a proof-of-concept (PoC) exploit.

    Quick note of vCenter RCE (CVE-2021-22005)
    https://testbnull.medium.com/quick-note-of-vcenter-rce-cve-2021-22005-4337d5a817ee

    Reply
  11. Tomi Engdahl says:

    When a senior executive at virtual private network company ExpressVPN admitted to working on behalf of a foreign intelligence service to hack American machines last week, it stunned employees at his new company, according to interviews and electronic records.

    ExpressVPN employees complain about ex-spy’s top role at company
    https://www.reuters.com/technology/expressvpn-employees-complain-about-ex-spys-top-role-company-2021-09-23/

    Reply
  12. Tomi Engdahl says:

    AWS EC2 North Virginia outage resolves but some issues linger

    UPDATE: Signal falls over while Xero and Nest got a bit iffy when the main AWS EC2 region had degraded performance. Amazon Web Service says all is well but some users are still reporting trouble.
    https://www.zdnet.com/article/aws-ec2-north-virginia-outage-resolves-but-some-issues-linger/

    Reply
  13. Tomi Engdahl says:

    FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor https://www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/
    NOBELIUM uses FoggyWeb to remotely exfiltrate the configuration database of compromised AD FS servers, decrypted token-signing certificate, and token-decryption certificate, as well as to download and execute additional components. Use of FoggyWeb has been observed in the wild as early as April 2021.

    Reply
  14. Tomi Engdahl says:

    QNAP fixes critical bugs in QVR video surveillance solution https://www.bleepingcomputer.com/news/security/qnap-fixes-critical-bugs-in-qvr-video-surveillance-solution/
    Network-attached storage (NAS) maker QNAP has patched its QVR video management system against two critical-severity issues that could be exploited to run arbitrary commands.

    Reply
  15. Tomi Engdahl says:

    Brazen scam in the name of Finnish newspapers: ads filled the phone https://www.iltalehti.fi/tietoturva/a/75b9d9fb-2c56-4cf1-aace-81c916b3ee8d
    Scam sites imitating news sites try to lure the victim into an investment trap. Victims can be directed to the site through advertisements, for example.

    Reply
  16. Tomi Engdahl says:

    Australians are losing over AU$6.6 million each month to cryptoscams https://www.zdnet.com/article/australians-are-losing-over-au6-6-million-each-month-to-cryptoscams/
    Losses related to cryptocurrency investment scams made up over a quarter of the total scams reported to the Australian Competition and Consumer Commission (ACCC) from the start of the year to the end of August.

    Reply
  17. Tomi Engdahl says:

    A New Jupyter Malware Version is Being Distributed via MSI Installers https://thehackernews.com/2021/09/a-new-jupyter-malware-version-is-being.html
    Cybersecurity researchers have charted the evolution of Jupyter, a .NET infostealer known for singling out healthcare and education sectors, which makes it exceptional at defeating most endpoint security scanning solutions.

    Reply
  18. Tomi Engdahl says:

    New Android Malware Steals Financial Data from 378 Banking and Wallet Apps https://thehackernews.com/2021/09/new-android-malware-steals-financial.html
    The operators behind the BlackRock mobile malware have surfaced back with a new Android banking trojan called ERMAC that targets Poland and has its roots in the infamous Cerberus malware, according to the latest research.

    Reply
  19. Tomi Engdahl says:

    Microsoft will disable Basic Auth in Exchange Online in October 2022 https://www.bleepingcomputer.com/news/microsoft/microsoft-will-disable-basic-auth-in-exchange-online-in-october-2022/
    Microsoft announced that Basic Authentication will be turned off for all protocols in all tenants starting October 1st, 2022, to protect millions of Exchange Online users.

    Reply
  20. Tomi Engdahl says:

    BloodyStealer and gaming assets for sale https://securelist.com/bloodystealer-and-gaming-assets-for-sale/104319/
    In this report, we take a closer look at threats linked to loss of accounts with popular video game digital distribution services, such as Steam and Origin. We also explore the kind of game-related data that ends up on the black market and the prices.

    Reply
  21. Tomi Engdahl says:

    Quad Nations Commit to Fostering a Secure Technology Ecosystem
    https://www.securityweek.com/quad-nations-commit-fostering-secure-technology-ecosystem

    The Quad countries (Australia, India, Japan, and the United States) on Friday announced a partnership to foster the development of secure technology.

    At the first-ever in-person Leaders’ Summit of the Quad, the four committed to working together on initiatives to improve global health and infrastructure, to combat climate change, and ensure the security of critical and emerging technology.

    The Quad committed to building trust, integrity and interoperability, but underlined that suppliers, vendors, and distributors are expected to ensure the transparency and accountability of their practices.

    Furthermore, technology developers are expected to adopt a security-by-design approach, ensuring that robust safety and security practices are implemented in the development process.

    “Resilient, diverse, and secure technology supply chains – for hardware, software, and services – are vital to our shared national interests,” a White House announcement reads. “Close cooperation on supply chains with allies and partners who share our values will enhance our security and prosperity, and strengthen our capacity to respond to international disasters and emergencies.”

    Reply
  22. Tomi Engdahl says:

    Controversial Web Host Epik Confirms Customer Data Exposed in Breach
    https://www.securityweek.com/controversial-web-host-epik-confirms-customer-data-exposed-breach

    Controversial web services provider Epik last week confirmed that sensitive information pertaining to its customers was stolen in a data breach.

    During the incident, hackers were able to access non-public Epik servers that stored a backup copy of the company’s domain-side service accounts. The attack happened on or before September 13, 2021, Epik said in a notification letter to customers.

    The attackers were able to access data such as names and addresses, phone and VAT numbers, email addresses, login credentials (usernames and passwords), domain ownership, transaction histories, and in some cases credit card information.

    The company says it has retained cybersecurity firms to investigate the breach, while notifying law enforcement and the affected customers.

    “At this time, we have secured access to our domain-side services and have applied additional security measures to help protect services and users going forward,” the company says.

    Information Epik submitted to the Maine Attorney General’s office shows that 110,000 people were affected by the breach. The Washington Post says up to 38,000 credit card numbers were compromised in the incident.

    Reply
  23. Tomi Engdahl says:

    Lorenzo Franceschi-Bicchierai / VICE:
    The researcher who disclosed three iOS zero-days last week says Apple apologized for the delayed response and said it is still investigating the vulnerabilities — Apple apologized for the delay in responding to the researcher, but experts think Apple needs to do better. — Lorenzo Franceschi-Bicchierai

    Apple ‘Still Investigating’ Unpatched and Public iPhone Vulnerabilities
    https://www.vice.com/en/article/g5gan4/apple-still-investigating-unpatched-and-public-iphone-vulnerabilities

    Apple apologized for the delay in responding to the researcher, but experts think Apple needs to do better.

    Reply
