Cyber security news May 2022

This posting is here to collect cyber security news in May 2022.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.


  1. Tomi Engdahl says:

    QNAP alerts NAS customers of new DeadBolt ransomware attacks
    Taiwan-based network-attached storage (NAS) maker QNAP warned customers on Thursday to secure their devices against attacks pushing DeadBolt ransomware payloads. The company asked users to update their NAS devices to the latest software version and ensure that they’re not exposed to remote access over the Internet.

  2. Tomi Engdahl says:

    Microsoft detects massive surge in Linux XorDDoS malware activity

    Rise in XorDdos: A deeper look at the stealthy DDoS malware targeting Linux devices
    In the last six months, we observed a 254% increase in activity from a Linux trojan called XorDdos. First discovered in 2014 by the research group MalwareMustDie, XorDdos was named after its denial-of-service-related activities on Linux endpoints and servers as well as its usage of XOR-based encryption for its communications.

  3. Tomi Engdahl says:

    Bumblebee Malware from TransferXL URLs
    Today’s diary reviews an infection generated from this activity on Wednesday 2022-05-18. Last month, Google’s Threat Analysis Group (TAG) reported on EXOTIC LILY using file transfer services like TransferNow, TransferXL, WeTransfer, or OneDrive to distribute malware. Threat researchers like @k3dg3 occasionally report malware samples from this activity. Based on @k3dg3’s recent tweet, I searched through VirusTotal and found a handful of active TransferXL URLs delivering ISO files for Bumblebee malware.

  4. Tomi Engdahl says:

    Phishing websites now use chatbots to steal your credentials
    Phishing attacks are now using automated chatbots to guide visitors through the process of handing over their login credentials to threat actors. This approach automates the process for attackers and gives a sense of legitimacy to visitors of the malicious sites, as chatbots are commonly found on websites for legitimate brands.

  5. Tomi Engdahl says:

    New Bluetooth Hack Could Let Attackers Remotely Unlock Smart Locks and Cars
    A novel Bluetooth relay attack can let cybercriminals more easily than ever remotely unlock and operate cars, break open residential smart locks, and breach secure areas. The vulnerability has to do with weaknesses in the current implementation of Bluetooth Low Energy (BLE), a wireless technology used for authenticating Bluetooth devices that are physically located within a close range.

  6. Tomi Engdahl says:

    DOJ Announces It Won’t Prosecute White Hat Security Researchers
    On Thursday the Department of Justice announced a policy shift in that it will no longer prosecute good-faith security research that would have violated the country’s federal hacking law, the Computer Fraud and Abuse Act (CFAA).

  7. Tomi Engdahl says:

    The passwords most used by CEOs are startlingly dumb
    A recent cybersecurity report shows how immensely idiotic many CEOs and business owners can be, considering the strength of their chosen account passwords. Imagine entrusting the livelihood of hundreds, even thousands of employees to someone who uses ‘123456’ or ‘qwerty’ as a password.

  8. Tomi Engdahl says:

    US Recovers $15 Million From Ad Fraud Group

    United States authorities announced this week that they have retrieved more than $15 million in illicit proceeds derived from the advertising fraud scheme known as “3ve.”

    Consisting of three different sub-operations – the Kovter botnet and two other operations – the 3ve scheme was dismantled in 2018, when authorities announced charges against three involved individuals: Aleksandr Isaev, of Russia, and Sergey Ovsyannikov and Yevgeniy Timchenko, of Kazakhstan.

  9. Tomi Engdahl says:

    Phishers Add Chatbot to the Phishing Lure

    Researchers have discovered a new approach being taken by phishers to increase victim engagement and confidence: the addition of an interactive chatbot. We have all become accustomed to the chatbots used by many of the largest service providers – they are annoying, but something we must navigate.

    The phishers hope that this reluctant acceptance of chatbots will help lower the attention of the target victim. The process is described in a new blog post.

    Interactive Phishing: Using Chatbot-like Web Applications to Harvest Information

    Phishing website links are commonly delivered via email to their respective targets. Once clicked, these websites often show a single webpage that outright asks for sensitive information like account login credentials, credit card details, and other personally identifiable information (PII).

    Recently, we have encountered an interesting phishing website containing an interactive component in it: a chatbot. Unlike a lot of phishing websites, this one establishes a conversation first, and bit-by-bit guides the victim to the actual phishing pages.

    Although the phishing method is quite unique, it still uses email as the delivery channel. A deeper inspection of the email header shows that the “From” header is missing the email address component, which is a red flag already.

    To gain even more confidence and trust from the target, a CAPTCHA is presented right after the victim clicks the “Schedule delivery” button. However, something is odd here – nothing else is clickable except for the confirm and close button.

  10. Tomi Engdahl says:

    Researchers Spot Supply Chain Attack Targeting GitLab CI Pipelines

    Security researchers at SentinelLabs are calling attention to a software supply chain attack targeting Rust developers with malware aimed directly at infecting GitLab Continuous Integration (CI) pipelines.

    The campaign, dubbed CrateDepression, combines typosquatting and the impersonation of a known Rust developer to push a malicious ‘crate’ hosted on the Rust dependency community repository. (Editor’s note: A crate is a compilation unit in Rust).

    The malicious crate was swiftly flagged and removed, but SentinelLabs researchers found a second-stage payload exclusively built for GitLab CI pipelines, signaling a risk of further larger-scale supply-chain attacks.

    “Given the nature of the victims targeted, this attack would serve as an enabler for subsequent supply-chain attacks at a larger-scale relative to the development pipelines infected,” SentinelLabs said in a technical report documenting its findings.

    “An infected machine is inspected for the GITLAB_CI environment variable in an attempt to identify Continuous Integration (CI) pipelines for software development. On those systems, the attacker(s) pull a next-stage payload built on the ‘red-teaming’ post-exploitation framework Mythic,” SentinelLabs explained.

  11. Tomi Engdahl says:

    Lawrence Abrams / BleepingComputer:
    AdvIntel: the Conti ransomware group has taken its infrastructure offline and its leaders have partnered with other smaller ransomware groups to conduct attacks — The notorious Conti ransomware gang has officially shut down their operation, with infrastructure taken offline and team leaders told that the brand is no more.

    Conti ransomware shuts down operation, rebrands into smaller units

  12. Tomi Engdahl says:

    How A Cheap Smart ID Card Reader Sold On Amazon Became A National Security Risk

    Earlier this month, we reported on a phishing attack that stole $23.5 million from the US Department of Defense (DoD). Thankfully, the DoD caught the cybercriminals and recovered the money, but this incident highlights the need for strong cybersecurity practices at the DoD and among its contractors. The DoD is a high value target with an extensive attack surface due to its size and complexity. A recent discovery demonstrates how cyberattacks can be indirect and come from unexpected sources. A government defense contractor relayed this discovery to Brian Krebs of KrebsOnSecurity, who published the details.

    DoD employees and contractors, along with military personnel, use ID cards known as Common Access Cards (CAC) to access controlled spaces, as well as computer systems and networks. Cardholders don’t just use these cards onsite. Many employees and contractors need to access their email remotely, which requires CAC authentication. However, approved card readers aren’t standard issue devices for cardholders. As a result, government employees and contractors often turn to the internet to find compatible card readers.

    Alarmingly, a contractor found that one such device is a vector for malware.

    The contractor told KrebsOnSecurity that the distribution of malware by a company selling CAC readers “Seems like a potentially significant national security risk, considering that many end users might have elevated clearance levels who are using PIV cards for secure access.” Saicoo may have been hacked and is distributing the malware unknowingly, but the company doesn’t seem willing to acknowledge the malware’s presence.

  13. Tomi Engdahl says:

    Python Buffer Blown

    This is one of those issues that isn’t a big deal, and yet could be a problem in certain situations. It all started in 2012, when it was observed that the Python memoryview object could crash a program when it pointed to a memory location that is no longer valid.

    This is actually a read and write primitive. Snoop around Python’s memory, find the ELF headers, and then figure out where the glibc system dynamic library is sitting in the procedure linkage table. Find it, use the memory corruption bug to jump to the appropriate location in memory, and boom, you’ve popped a shell from Python!

    And yes, as an exploit, it’s quite unimpressive. [kn32], our tour guide into this quirk of Python points out that it could be used to escape a Python sandbox, but that is a very niche use-case. Even if we conclude that this isn’t really an exploit, it’s a great learning tool, and some fun hackery.

    Exploiting a Use-After-Free for code execution in every version of Python 3

  14. Tomi Engdahl says:

    Microsoft Issues Emergency Windows 10, 11 & Server Security Update

    Microsoft has finally, a whole week after I predicted that an emergency out-of-band Windows update would be with us before the month was out, pulled the fix trigger. The target being to correct the somewhat disastrous Patch Tuesday security updates that caused multiple authentication failures for many Windows business users. Anyone who this issue has impacted must apply the update as soon as possible: but there’s a catch, which I’ll get to in a moment.

    May 2022 Patch Tuesday authentication failures
    Those authentication failures were caused by installing the May 2022 Patch Tuesday updates on domain controllers. These included authentication failures on the server or client for services such as Network Policy Server and Extensible Authentication Protocol, to name but two. The issue, according to Microsoft, relates to “how the mapping of certificates to machine accounts is being handled by the domain controller.”

    So, what’s the catch?
    The out-of-band emergency updates are available for impacted users of Windows 10, Windows 11, and Windows Server 2008, 2012, 2016, 2019, and 2022. Microsoft has published details for all platforms.

  15. Tomi Engdahl says:

    Netgear warns that its BR200 and BR500 business routers have multiple vulnerabilities that could be exploited and are unable to be fixed. The company is offering a free or discounted replacement for those who wish to stop using the products.

  16. Tomi Engdahl says:

    Majority of Kubernetes API Servers Exposed to the Public Internet
    Shadowserver Foundation researchers find 380,000 open Kubernetes API servers.

  17. Tomi Engdahl says:

    ‘Security researchers’ aka hackers make $800k in prize money for exploiting Windows 11 and Teams
    By Jorge Jimenez

    Day 1 of the Pwn2own hacking event is already proving very lucrative for its participants.

  18. Tomi Engdahl says:

    Mastercard introduces controversial biometric payments that require a face scan
    Dystopian future.

  19. Tomi Engdahl says:

    Intelligence expert: Russia has the capability to operate online – “Companies must now prepare for attacks”

  20. Tomi Engdahl says:

    Swapped Out: Hackers target social media users with high-tech fake videos
    “Deepfake” technology, previously focused on celebrities and influencers, is now used to scam everyday Americans.
