Cyber security news October 2021

This posting is here to collect cyber security news in October 2021.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.


  1. Tomi Engdahl says:

    Ransomware gangs are abusing a zero-day in EntroLink VPN appliances
    Multiple ransomware gangs have weaponized and are abusing a zero-day in EntroLink VPN appliances after an exploit was released on an underground cybercrime forum at the start of September 2021. The zero-day is believed to impact EntroLink PPX-AnyLink devices, popular with South Korean companies, and used as user authentication gateways and VPNs to allow employees remote access to company networks and internal resources.

  2. Tomi Engdahl says:

    Conti Ransom Gang Starts Selling Access to Victims
    The Conti ransomware affiliate program appears to have altered its business plan recently. Organizations infected with Conti’s malware who refuse to negotiate a ransom payment are added to Conti’s victim shaming blog, where confidential files stolen from victims may be published or sold. But sometime over the past 48 hours, the cybercriminal syndicate updated its victim shaming blog to indicate that it is now selling access to many of the organizations it has hacked.

  3. Tomi Engdahl says:

    Polygon pays out record $2 million bug bounty reward for critical vulnerability
    Polygon, a blockchain technology company, has paid out $2 million in bug bounty rewards for a ‘double spend’ vulnerability that could have wreaked havoc across its network. The flaw, discovered by ethical hacker Gerhard Wagner, enabled an attacker to double the amount of cryptocurrency they intend to withdraw up to 233 times.

  4. Tomi Engdahl says:

    Kansas Man Admits Hacking Public Water Facility

    Roughly seven months after being indicted for his actions, a Kansas man admitted in court to tampering with the systems at the Post Rock Rural Water District.

    The plant’s system, investigators discovered, was accessed from Travnichek’s cell phone and the device was in his possession when the facility was shut down. The defendant told investigators that on the night of the incident he was intoxicated and didn’t remember anything.

    “Protecting America’s drinking water is a top EPA priority. EPA will continue our focused efforts with DOJ and the states as we investigate and pursue any threats that might be directed toward vital community drinking water resources,” said Lance Ehrig of the Environmental Protection Agency’s Criminal Investigation Division in Kansas.

  5. Tomi Engdahl says:

    CISA Raises Alarm on Critical Vulnerability in Discourse Forum Software

    The United States Cybersecurity and Infrastructure Security Agency (CISA) over the weekend issued an alert on a critical vulnerability in open source discussion platform Discourse.

    Residing in the upstream aws-sdk-sns gem, the issue is a validation error that can be exploited to achieve remote code execution in Discourse. To exploit the bug, an attacker would need to send a maliciously crafted request.

    Tracked as CVE-2021-41163, the vulnerability has a CVSS score of 10 and exists because of a lack of validation in subscribe_url values.

    Both CISA and Discourse, which released a patch for the security flaw last week, refrained from providing technical details on the issue, due to potential exploitation attempts.

    The vulnerability was addressed in Discourse versions 2.7.9 (stable) and 2.8.0.beta7 (beta and tests-passed).

    “CISA urges developers to update to patched versions 2.7.9 or later or apply the necessary workarounds,” the US agency said on Sunday.

  6. Tomi Engdahl says:

    Researcher Earns $2 Million for Critical Vulnerability in Polygon

    Security researcher Gerhard Wagner earned a $2 million bug bounty reward for a critical vulnerability in Polygon’s Plasma Bridge that could have allowed a malicious user to submit the same withdrawal transaction 224 times, with different exit IDs.

    Specifically, a user could deposit a specific amount to the Polygon Plasma Bridge, withdraw the entire sum, and then submit the same withdrawal transaction an additional 223 times, each time receiving the full amount. Basically, one could deposit $1 million and withdraw $224 million.

    With the DepositManager for the Plasma Bridge holding roughly $850 million in total, an attacker could have depleted the entire amount using multiple fraudulent transactions.

    Polygon’s solution has been designed to provide a blockchain bridge – a method of connecting two distinct blockchains – creating a two-way transaction channel that enables users to move assets from the root chain (Ethereum) to the child chain (Polygon).

  7. Tomi Engdahl says:

    Having learned NOTHING from last week, Missouri Governor Mike Parson doubles down again…this time he is using a political action committee to advertise disinformation about the incident.
    It’s about as fascist as you would expect it to be.

    Parson doubles down on push to prosecute reporter who found security flaw in state site

    Meanwhile, the governor’s estimate that the incident would cost the state $50 million continues to be called into question

    Gov. Mike Parson escalated his war with the St. Louis Post-Dispatch on Wednesday when his political operation published a video doubling down on his attack against a reporter who informed the state that a state website revealed teacher Social Security numbers.

    The video is produced by Uniting Missouri, a political action committee created by Parson supporters to back his 2020 election campaign. The PAC continues to raise and spend large sums of money to promote Parson’s political agenda. It operates without direct input from Parson on its activities.

    “The St. Louis Post-Dispatch is purely playing politics,” the ad states. “Exploiting personal information is a squalid excuse for journalism.”

    The ad comes less than a week after Parson’s widely criticized demand for an investigation and prosecution of the reporter who discovered the security flaw in a state website, along with “all those involved.” Parson read a statement calling the reporter “

    Social Security numbers for teachers, administrators and counselors were visible in the HTML code of a publicly accessible site operated by the state education department.

    The newspaper informed the state of the problem and promised not to publish any story until the issue was fixed.

    “We stand by our reporting and our reporter who did everything right,” Post-Dispatch Publisher Ian Caso said in a story in his newspaper. “It’s regrettable the governor has chosen to deflect blame onto the journalists who uncovered the website’s problem and brought it to DESE’s attention.”

    Parson said the Missouri State Highway Patrol would investigate and that Cole County Prosecuting Attorney Locke Thompson had been notified.

    $50 million price tag
    The video continuing the attack on the Post-Dispatch was posted online as Democrats on the House Budget Committee continued to question Parson’s estimate that it will take $50 million to respond “to this one incident alone and divert workers and resources from other state agencies.”

    The Public Schools and Education Employees Retirement System responded to a different potential data exposure on Sept. 11 by offering all 350,000 members credit monitoring, identity theft protection and the services of a call center through a contract with Experian, according to Dearld Snider, the agency’s executive director.

    The cost of that response was just under $600,000.

    State Rep. Peter Merideth, D-St. Louis, said the only thing lawmakers have been told would come from the $50 million Parson cited from the latest security breach would be credit protection and a call center for approximately 100,000 educators.

    The biggest cost, he said, will be studying the state’s computer systems and upgrading them to provide better service and security.

    “It is not about what the reporter did,” Merideth said, “it is about the vulnerability and the outdated systems we have.”

    Kelli Jones, spokeswoman for the governor, has not responded to requests seeking information on the cost estimate used by Parson.

    “It is important we take data security as seriously as physical security,” Jones said.

    The union has not joined Parson’s call for prosecution of the journalist.

    “There is nothing that indicates to me,” Jones said, “that the reporter did anything but act ethically within the bounds of good journalism.”

  8. Tomi Engdahl says:

    BillQuick Billing Software Exploited to Hack U.S. Engineering Company

    Hackers abused the BillQuick Web Suite billing software to compromise the network of an engineering company in the United States and deploy ransomware, threat detection firm Huntress reports.

    The attack exploited a critical vulnerability in BQE Software’s BillQuick Web Suite versions 2018 through 2021, before Tracked as CVE-2021-42258, the issue is described as an SQL injection bug that could be exploited for unauthenticated remote code execution.

    While attempting to recreate the attack in their lab, Huntress’ security researchers identified multiple SQL injection points. Without authentication, they were able to remotely leak sensitive employee information from the billing software’s databases.

  9. Tomi Engdahl says:

    Researcher Explains Wi-Fi Password Cracking at Scale

    A security researcher at CyberArk was able to easily break more than 70 percent of Wi-Fi passwords he sniffed using relatively simple, cheap equipment.

    Conducted in Tel Aviv, the researcher’s experiment showed just how easy an attacker could hack into home and enterprise networks, by simply walking around a city with the right equipment in hand.

    For his experiment, CyberArk’s Ido Hoorvitch used an AWUS036ACH ALFA Network card, which costs around $50, and provides both monitoring and packet injection capabilities, connected it to an Ubuntu system, and walked around the center of Tel Aviv with the system in a backpack, to sniff Wi-Fi networks.

    Hoorvitch said the attack exploits a vulnerability in RSN IE (Robust Security Network Information Element) that allows for the retrieval of the PMKID, a hash used for roaming capabilities between access points. The PMKID is derived from a PMK (generated from SSID and the WiFi password), the MAC address of the AP, and the client MAC address.

    After successfully sniffing 5000 networks, the researcher moved to cracking the passwords, using the hashcat password recovery tool, which supports dictionary, rules and mask attacks.

    Hoorvitch says he was able to successfully crack roughly 3,600 of the passwords, thus being able to hack all of the corresponding Wi-Fi networks.

    Cracking WiFi at Scale with One Simple Trick

    How I Cracked 70% of Tel Aviv’s Wifi Networks (from a Sample of 5,000 Gathered WiFi).

    In the past seven years that I’ve lived in Tel Aviv, I’ve changed apartments four times. Every time I faced the same scenario: the internet company took several days to connect the apartment, leaving me disconnected and frustrated while trying to watch laggy Netflix on the TV with my cellphone hotspot. A solution I have to this scenario is having the “Hello. I am the new neighbor” talk with the neighbors while trying to get their cell phone number in case of emergencies — and asking if I could use their WiFi until the cable company connected me. I think we all can agree that not having internet easily falls into the emergency category! Often, their cell phone number was also their WiFi password!

    I hypothesized that most people living in Israel (and globally) have unsafe WiFi passwords that can be easily cracked or even guessed by curious neighbors or malicious actors.

    The combination of my past experience, a relatively new WiFi attack that I will explain momentarily, a new monster cracking rig (8 x QUADRO RTX 8000 48GB GPUs) in CyberArk Labs and the fact that WiFi is everywhere because connectivity is more important than ever drove me to research, whether I was right with my hypothesis or maybe just lucky.

  10. Tomi Engdahl says:

    Iran Blames Cyberattack as Fuel Supply Hit

    Iranian authorities on Tuesday blamed a mysterious cyber attack for unprecedented disruption to the country’s fuel distribution network.

    Iran is a major oil producer and the country’s motorists, used to cheap petrol, were surprised to see filling stations inexplicably closing one after the other and queues growing longer.

    “The Supreme National Security Council confirmed that there has been a cyber attack against the petrol distribution computer system,” state television said.

    It had earlier reported that the interruption was due to “disruptions to the computer system”.

  11. Tomi Engdahl says:

    Mozilla Blocks Malicious Firefox Add-Ons Abusing Proxy API

    The open-source Mozilla Foundation says it blocked a series of malicious Firefox add-ons that misused the proxy API that extensions use to proxy web requests.

    The API allows add-ons to control the manner in which the browser connects to the Internet, and some extensions were found to abuse this.

    Specifically, the manner in which the offending add-ons interacted with the API prevented users from accessing updated blocklists, from downloading updates, and from updating content remotely configured.

    According to Mozilla, a total of 455,000 users downloaded and installed the malicious add-ons before the browser maker was able to block the extensions.

    “Starting with Firefox 91.1, Firefox now includes changes to fall back to direct connections when Firefox makes an important request (such as those for updates) via a proxy configuration that fails,” Mozilla explains.

    Securing the proxy API for Firefox add-ons

  12. Tomi Engdahl says:

    Adobe Patches Gaping Security Flaws in 14 Software Products

    Adobe on Tuesday released a slew of urgent patches with fixes for more than 90 documented vulnerabilities that expose Windows, macOS and Linux users to malicious hacker attacks.

    The security defects affect a wide range of popular products, including Adobe Photoshop, Adobe InDesign, Adobe Illustrator and Adobe Premiere.

  13. Tomi Engdahl says:

    150 People Arrested in US-Europe Darknet Drug Probe

    Law enforcement officials in the U.S. and Europe have arrested 150 people and seized more than $31 million in an international drug trafficking investigation stemming from sales on the darknet, the Justice Department said Tuesday.

    The arrests are connected to a 10-month investigation between federal law enforcement officials in the U.S. and Europol in Europe. Prosecutors allege those charged are responsible for tens of thousands of illegal sales in the U.S., the United Kingdom, Australia, Bulgaria, France, Germany, Italy, the Netherlands and Switzerland.

    The Justice Department says investigators have seized over $31.6 million in cash and virtual currency and 45 guns.

  14. Tomi Engdahl says:

    Suspected cyberattack temporarily disrupts gas stations across Iran
    A software glitch believed to have been caused by a cyberattack has disrupted gas stations across Iran and defaced gas pump screens and gas price billboards. The incident, which took place earlier this morning, impacted the IT network of NIOPDC, a state-owned gas distribution company that manages more than 3,500 gas stations across Iran.

  15. Tomi Engdahl says:

    The data leak confirms to Iltalehti that users’ hidden phone numbers have been leaked. Providing a phone number is required when posting a sales listing, even if it is not displayed in the listing. Despite this, numbers have ended up in the hands of scammers.

  16. Tomi Engdahl says:

    FBI Raids Chinese Point-of-Sale Giant PAX Technology
    U.S. federal investigators today raided the Florida offices of PAX Technology, a Chinese provider of point-of-sale devices used by millions of businesses and retailers globally. KrebsOnSecurity has learned the raid is tied to reports that PAX’s systems may have been involved in cyberattacks on U.S. and E.U. organizations.

  17. Tomi Engdahl says:

    FCC revokes license for China Telecom Americas amid national security concerns
    The U.S. Federal Communications Commission voted unanimously to revoke China Telecom Americas U.S. operating license on Tuesday, citing national security concerns. Among the reasons cited for the switch:
    China Telecom’s status as a subsidiary of a state-owned enterprise and the possibility that the company could provide a conduit for hackers intent on launching cyber attacks in this country.

  18. Tomi Engdahl says:

    Operation Secondary Infektion Impersonates Swedish Riksdag, Targets European Audiences
    Recorded Future’s Insikt Group has located an image of a photoshopped screenshot, purportedly from the website of the Swedish Riksdag
    (Parliament) and circulating on a Swedish-language forum website and among Ukrainian sources, claiming that Sweden and Ukraine look to join NATO as soon as possible. We believe that this is an effort to sow mistrust of Sweden’s political figures domestically, create uncertainty and false optimism among Ukrainians, and shape negative perceptions of NATO and Ukraine among Russian audiences. This campaign is highly likely an instance of the likely Russian state-sponsored information operation “Secondary Infektion”. Full analysis here:

  19. Tomi Engdahl says:

    Researcher cracked 70% of WiFi networks sampled in Tel Aviv
    A researcher has managed to crack 70% of a 5,000 WiFi network sample in his hometown, Tel Aviv, to prove that home networks are severely unsecured and easy to hijack.

  20. Tomi Engdahl says:

    Catalin Cimpanu / The Record:
    Hackers steal an estimated $130M from DeFi platform Cream Finance in a flash loan attack; the company lost $37M in Feb. and $29M in Aug. in similar attacks

  21. Tomi Engdahl says:

    New York Times:
    Facebook tells employees to preserve internal docs and communications related to its business since 2016, as governments and legislative bodies begin inquiries — Facebook has told employees to “preserve internal documents and communications since 2016” that pertain to its businesses …

  22. Tomi Engdahl says:

    Wall Street Journal:
    Sources: FTC staff are investigating whether Frances Haugen’s documents show Facebook violated a 2019 privacy settlement that included a record $5B fine

    Federal Trade Commission Scrutinizing Facebook Disclosures

    Lawmakers want agency to determine if Facebook engaged in deceptive conduct; company says internal research is mischaracterized

  23. Tomi Engdahl says:

    Federal Trade Commission Scrutinizing Facebook Disclosures
    Lawmakers want agency to determine if Facebook engaged in deceptive conduct; company says internal research is mischaracterized

  24. Tomi Engdahl says:

    Apple Patches 22 Security Flaws Haunting iPhones
    By Ryan Naraine on October 27, 2021
    Apple has released another iOS 15 update with patches for 22 serious security defects in a wide range of iPhone and iPad software components.

  25. Tomi Engdahl says:

    Yubico Launches New Security Key With USB-C and NFC

    Yubico on Tuesday announced the launch of Security Key C NFC, a new hardware security key that includes NFC capabilities in a USB-C form factor.

    Designed with FIDO-only support, the new authenticator can be used with both desktop and mobile applications, services, and user accounts. Courtesy of NFC support, the security key provides tap-and-go authentication.

    The Security Key C NFC is now available for purchase at $29 (€29). For those looking for a USB-A form factor, Yubico has the Security Key NFC available at $25 (€25).

  26. Tomi Engdahl says:

    Washington Secretary of State Appointed CISA’s Senior Election Security Lead

    The United States Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday announced the appointment of Washington Secretary of State Kim Wyman as its Senior Election Security Lead.

  27. Tomi Engdahl says:

    North Korean Hackers Targeting IT Supply Chain: Kaspersky

    The North Korea-linked state-sponsored hacking group Lazarus has started to target the IT supply chain in recent attacks, according to cybersecurity firm Kaspersky.

    As part of the observed attacks, the group used an updated DeathNote malware cluster, which includes a slightly modified version of BLINDINGCAN, a piece of malware that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) associated with the group.

    A new variant of COPPERHEDGE, which Lazarus has been using for at least two years, was also used in these attacks.

  28. Tomi Engdahl says:

    Iran Struggles to Relaunch Petrol Stations After Cyberattack

    Iran struggled Wednesday to restart its petrol distribution system after it was hit by an unprecedented cyber-attack which security officials said was launched from abroad.

    The unclaimed attack crippled the country’s system of government-issued electronic cards which motorists use to purchase heavily subsidised fuel.

    Long queues have formed outside petrol stations, angering motorists in a country already suffering under tough economic sanctions over its nuclear dispute with major powers.

  29. Tomi Engdahl says:

    Free decrypters released for AtomSilo, Babuk, and LockFile ransomware strains
    Antivirus maker and cyber-security firm Avast has released today free decryption utilities to recover files that have been encrypted by three ransomware strains: AtomSilo, Babuk, and LockFile. The AtomSilo and LockFile decrypters are being offered as one single download because of the similarities between the two ransomware strains.

  30. Tomi Engdahl says:

    Babuk ransomware decryptor released to recover files for free
    Czech cybersecurity software firm Avast has created and released a decryption tool to help Babuk ransomware victims recover their files for free. According to Avast Threat Labs, the Babuk decryptor was created using leaked source code and decryption keys.

  31. Tomi Engdahl says:

    Workers sent home after ransomware attack on major automotive parts manufacturer
    German multinational company Eberspächer Group has sent a part of its factory workforce home on paid leave while its management and IT teams are dealing with a ransomware attack that crippled its IT systems over the weekend. The Eberspächer Group currently employs more than 10,000 workers, operates production plants in 80 locations across 28 countries, and is known for building air conditioning, heating, and exhaust systems, which it supplies to almost all of today’s top car brands.

  32. Tomi Engdahl says:

    Ransomware gang claims attack on NRA
    The operators of the Grief ransomware have listed today the US National Rifle Association (NRA) as a victim of one of their attacks.
    The organization’s name was listed on a dark web portal, often called a “leak site,” where the Grief gang typically lists companies they infected and which haven’t paid their ransom demands.

  33. Tomi Engdahl says:

    Hackers arrested for ‘infiltrating’ Ukraine’s health database
    The Security Service of Ukraine (SSU) has arrested a team of actors who illegally infiltrated the information system of the National Health Service of Ukraine (NHSU) and entered false vaccination entries for other people. The actors found clients in the Sumy region through a team of doctors who participated in the scheme and offered to create false COVID-19 vaccination certificates for anyone who paid them 3,000 hryvnias ($114).

  34. Tomi Engdahl says:

    Cyber-attack hits UK internet phone providers
    An “unprecedented” and co-ordinated cyber-attack has struck multiple UK-based providers of voice over internet protocol (VoIP) services, according to an industry body. Industry body Comms Council UK said several of its members had been targeted by distributed denial of service (DDoS) attacks in recent weeks.

  35. Tomi Engdahl says:

    Multiple vulnerabilities in Apple iOS 14 and iPadOS 14 prior to iOS 14.8.1 and iPadOS 14.8.1
    Update available to iOS and iPadOS, update to 14.8.1

    Multiple vulnerabilities in Apple iOS 15 and iPadOS 15 prior to iOS 15.1 and iPadOS 15.1
    Update available to iOS and iPadOS, update to 15.1

