Cyber security news April 2022

This posting is here to collect cyber security news in April 2022.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.

424 Comments

  1. Tomi Engdahl says:

    ARMO Raises $30 Million for Open Source Kubernetes Security Platform
    https://www.securityweek.com/armo-raises-30-million-open-source-kubernetes-security-platform

    ARMO has developed Kubescape, an end-to-end open source security platform for the Kubernetes container orchestration solution.

    The platform is designed to scan configuration files, clusters and worker nodes for known vulnerabilities and misconfigurations. It also provides recommendations for addressing the identified issues.

    While the community edition of the Kubescape platform is free, ARMO also offers paid Team and Enterprise plans. The company says its platform is used by tens of thousands of users.

    Reply
  2. Tomi Engdahl says:

    Internet Outages in French Cities After Cable ‘Attacks’: Operator
    https://www.securityweek.com/internet-outages-french-cities-after-cable-attacks-operator

    Internet and phone services were down or running slowly in several French cities on Wednesday after fibre optic cables were cut overnight in suspected attacks on the crucial data infrastructure, telecom operators said.

    “The attacks took place overnight at 4:00 am (0200 GMT). Our teams have been at work since this morning,” said a spokesman for Free, the worst-affected internet and mobile phone service provider.

    In a message on Twitter, the company referred to “multiple malicious acts” targeting its cables which led to outages and slow connections for many clients.

    Competitor SFR said it had experienced “several fibre cuts” in the Paris region and in Lyon in southeast France.

    Other operators such as Bouygues Telecom and market leader Orange were not affected because they use different networks, but problems were reported by users around the country including in regional cities such as Strasbourg, Reims and Grenoble.

    “Cuts to cables have been confirmed in the Paris region affecting fixed and mobile services,” Digital Affairs Minister Cedric O wrote on Twitter.

    Reply
  3. Tomi Engdahl says:

    Synology, QNAP, WD Warn Users About Vulnerabilities Exploited at Hacking Contest
    https://www.securityweek.com/synology-qnap-wd-warn-users-about-vulnerabilities-exploited-hacking-contest

    Synology, QNAP and Western Digital (WD) have warned their customers about several critical Netatalk vulnerabilities that have been exploited at a recent hacking contest.

    The vulnerabilities were disclosed at the Zero Day Initiative’s Pwn2Own Austin contest in November 2021, where participants earned more than $1 million for hacking routers, printers, smart speakers, smartphones and network-attached storage (NAS) devices. The NAS exploits at Pwn2Own targeted WD devices, and they earned participants roughly $500,000.

    It turns out that at least half a dozen of the NAS vulnerabilities exploited at Pwn2Own affected Netatalk, the open source Apple Filing Protocol (AFP) file server.

    The flaws, many of which can be exploited remotely and without authentication for arbitrary code execution, can allow an attacker to take complete control of the targeted device.

    Netatalk developers delivered patches for seven vulnerabilities on March 22 with the release of version 3.1.13. The flaws are tracked as CVE-2021-31439, CVE-2022-23121, CVE-2022-23122, CVE-2022-23123, CVE-2022-23124, CVE-2022-23125 and CVE-2022-0194.

    Reply
  4. Tomi Engdahl says:

    Watchguard Attacks in the Wild
    https://hackaday.com/2022/04/22/this-week-in-security-javas-psychic-signatures-aws-escape-and-a-nasty-windows-bug/
    CVE-2022-26318 was announced and fixed back in March with the very helpful “a vulnerability that could allow an unauthenticated user to execute arbitrary code on the Firebox.” As we know, an obscure vulnerability description isn’t enough to prevent a determined attacker from reverse-engineering a flaw; by the end of March, attacks were being observed in the wild. [Dylan Pindur] comes to our rescue in this post from Assetnote, which recaps the history of the bug, and does an analysis of the vulnerability. The whole dive is good stuff, but the short version is that a malformed XML document triggers too many calls to strcat(), which overflows a buffer into the heap.
    Diving Deeper into WatchGuard Pre-Auth RCE – CVE-2022-26318
    https://blog.assetnote.io/2022/04/13/watchguard-firebox-rce/

    Reply
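The bug shape described in the comment above (repeated strcat() calls into a fixed buffer while processing a malformed XML document) as an added example: this is not WatchGuard's code or Assetnote's analysis, and the buffer size, the function names and the sample fragment are all hypothetical. The unbounded variant shows the pattern and is never called; the bounded variant tracks bytes used and refuses any fragment that would not fit.

```c
/* Added example, not code from the original page or from WatchGuard/Assetnote.
 * Shows unbounded strcat() accumulation beside a bounded replacement.
 * BUF_SIZE, the function names and the sample fragment are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 64

/* Vulnerable pattern: every parsed fragment is appended with strcat(),
 * trusting the input to be short. Enough fragments write past dst's end.
 * Deliberately never called here; it only illustrates the bug shape. */
void join_unbounded(char *dst, const char **frags, size_t n)
{
    dst[0] = '\0';
    for (size_t i = 0; i < n; i++)
        strcat(dst, frags[i]); /* no check against the buffer's capacity */
}

/* Hardened form: account for bytes already used and reject (return -1)
 * any fragment that would not fit together with the terminating NUL.
 * Nothing is written beyond dst[cap-1]; dst stays NUL-terminated on failure.
 * Returns the number of bytes joined on success. */
int join_bounded(char *dst, size_t cap, const char **frags, size_t n)
{
    size_t used = 0;
    if (cap == 0)
        return -1;
    dst[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(frags[i]);
        if (len > cap - 1 - used) /* remaining space minus the NUL */
            return -1;
        memcpy(dst + used, frags[i], len);
        used += len;
        dst[used] = '\0';
    }
    return (int)used;
}

/* Demo driver: simulate a document that repeats one 10-byte element
 * 'repeats' times (constructed input) and join it into a BUF_SIZE buffer.
 * Returns join_bounded's result, or -2 on allocation failure. */
int demo_join(size_t repeats)
{
    static const char frag[] = "<a x=\"1\"/>"; /* 10 bytes, constructed */
    char buf[BUF_SIZE];
    const char **frags = repeats ? malloc(repeats * sizeof *frags) : NULL;
    int rc;

    if (repeats && !frags)
        return -2;
    for (size_t i = 0; i < repeats; i++)
        frags[i] = frag;
    rc = join_bounded(buf, sizeof buf, frags, repeats);
    free(frags);
    return rc;
}

int main(void)
{
    /* 6 fragments = 60 bytes fit in 64; 7 = 70 bytes are refused. */
    printf("6 fragments -> %d\n", demo_join(6));
    printf("7 fragments -> %d\n", demo_join(7));
    return 0;
}
```

With a 64-byte buffer, six 10-byte fragments join to 60 bytes while a seventh is refused rather than spilling past the buffer; the same bookkeeping is what strlcat-style helpers provide, and the point is that the accumulated length, not each fragment's length, has to be checked.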
  5. Tomi Engdahl says:

    Explanation found for the odd Finnish figures in extortion attacks: a security company blundered https://www.is.fi/digitoday/tietoturva/art-2000008783792.html

    Reply
  6. Tomi Engdahl says:

    https://www.cyberscoop.com/french-fiber-optic-cables-attack-critical-infrastructure/
    A day after what French telecom companies are calling a large-scale coordinated attack which destroyed a large number of fiber optic cables powering the French internet, authorities there are investigating the attacks as a criminal act.

    Reply
  7. Tomi Engdahl says:

    Azure Database for PostgreSQL Flexible Server Privilege Escalation and Remote Code Execution https://msrc-blog.microsoft.com/2022/04/28/azure-database-for-postgresql-flexible-server-privilege-escalation-and-remote-code-execution
    MSRC was informed by Wiz, a cloud security vendor, under Coordinated Vulnerability Disclosure (CVD) of an issue with the Azure Database for PostgreSQL Flexible Server that could result in unauthorized cross-account database access in a region. Full research https://www.wiz.io/blog/wiz-research-discovers-extrareplica-cross-account-database-vulnerability-in-azure-postgresql/

    Reply
  8. Tomi Engdahl says:

    Synology warns of critical Netatalk bugs in multiple products https://www.bleepingcomputer.com/news/security/synology-warns-of-critical-netatalk-bugs-in-multiple-products/
    Synology has warned customers that some of its network-attached storage (NAS) appliances are exposed to attacks exploiting multiple critical Netatalk vulnerabilities.

    Reply
  9. Tomi Engdahl says:

    Don’t expect to get your data back from the Onyx ransomware group https://www.theregister.com/2022/04/29/onyx-ransomware-destroy-files/
    The cybercriminals trash files larger than 2MB, forever losing them to the void

    Reply
  10. Tomi Engdahl says:

    Attackers Breach Dozens of GitHub Repos Using Stolen OAuth Tokens https://threatpost.com/github-repos-stolen-oauth-tokens/179427/
    GitHub shared the timeline of the breaches in April 2022; it covers when a threat actor gained access and stole private repositories belonging to dozens of organizations.

    Reply
  11. Tomi Engdahl says:

    More than $13 million stolen from DeFi platform Deus Finance https://therecord.media/more-than-13-million-stolen-from-defi-platform-deus-finance/
    Decentralized finance (DeFi) platform Deus Finance confirmed reports that an attacker used an illicit method to steal millions of dollars on Wednesday evening.

    Reply
  12. Tomi Engdahl says:

    IT company hit by the GDPR hammer: health data of nearly 500,000 patients leaked online https://www.tivi.fi/uutiset/tv/57bf4484-ff3e-498b-aafb-6e9b36696f8f
    The French data protection authority has fined medical software maker Dedalus Biology 1.5 million euros. The fine was imposed for breaching three GDPR rules.

    Reply
  13. Tomi Engdahl says:

    Russian hacktivists launch DDoS attacks on Romanian govt sites https://www.bleepingcomputer.com/news/security/russian-hacktivists-launch-ddos-attacks-on-romanian-govt-sites/
    The Romanian national cyber security and incident response team, DNSC, has issued a statement about a series of distributed denial-of-service (DDoS) attacks targeting several public websites managed by the state entities.

    Reply
  14. Tomi Engdahl says:

    Indian Govt Orders Organizations to Report Security Breaches Within 6 Hours to CERT-In https://thehackernews.com/2022/04/indian-govt-orders-organisations-to.html
    India’s computer and emergency response team, CERT-In, on Thursday published new guidelines that require service providers, intermediaries, data centers, and government entities to compulsorily report cybersecurity incidents, including data breaches, within six hours.

    Reply
  15. Tomi Engdahl says:

    Bypassing LDAP Channel Binding with StartTLS https://offsec.almond.consulting/bypassing-ldap-channel-binding-with-starttls.html
    While doing research on LDAP client certificate authentication, we realized that the LDAP implementation of Active Directory supports the StartTLS mechanism, which has interesting implications on relay attacks.

    Reply
  16. Tomi Engdahl says:

    Important improvement to the Google Play store: from now on, check this before you download https://www.is.fi/digitoday/mobiili/art-2000008777247.html
    The store will start telling how apps collect data and how they use it.

    Reply
  17. Tomi Engdahl says:

    Important agreement reached on the future of the internet; Russia and China stayed out https://www.tivi.fi/uutiset/tv/157d2ba9-8181-435a-b815-db43793e5a4c
    The EU, the United Kingdom, the United States and 32 other countries around the world have committed to a joint agreement that prohibits misinformation campaigns targeting elections and the illegal surveillance of people.
    The US White House announced the agreement, called the Declaration for the Future of the Internet, on Thursday.

    Reply
  18. Tomi Engdahl says:

    Fake Windows 10 updates infect you with Magniber ransomware https://www.bleepingcomputer.com/news/security/fake-windows-10-updates-infect-you-with-magniber-ransomware/
    Fake Windows 10 updates are being used to distribute the Magniber ransomware in a massive campaign that started earlier this month.

    Reply
  19. Tomi Engdahl says:

    Atlassian doubles the number of orgs affected by two week outage https://www.bleepingcomputer.com/news/technology/atlassian-doubles-the-number-of-orgs-affected-by-two-week-outage/
    Atlassian says that this month’s two-week-long cloud outage has impacted almost double the number of customers it initially estimated after learning of the incident.

    Reply
  20. Tomi Engdahl says:

    Many Internet-Exposed Servers Affected by Exploited Redis Vulnerability
    https://www.securityweek.com/many-internet-exposed-servers-affected-exploited-redis-vulnerability

    Rapid7 security researchers have identified 2,000 internet-exposed Linux servers that appear to be impacted by a Redis vulnerability that has been exploited in attacks.

    Tracked as CVE-2022-0543, the security hole has a CVSS score of 10 and is described as an insufficient sanitization in Lua. While Redis statically links the Lua Library, some Debian/Ubuntu packages dynamically link it, leading to a sandbox escape that can be exploited to achieve remote code execution.

    Both Debian and Ubuntu announced patches for the bug on February 18. On March 8, however, Brazilian security researcher Reginaldo Silva, who was credited for finding the issue, released proof-of-concept code targeting it.

    In-the-wild exploitation of this vulnerability started days later, and the US Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities Catalog in late March.

    Now, Rapid7 says a Metasploit module was made available on April 26 and warns that “attackers will continue to opportunistically exploit this vulnerability as long as there are internet facing targets to exploit.”

    Reply
