Cyber security news October 2022

This posting is here to collect cyber security news in October 2022.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.


  1. Tomi Engdahl says:

    Fodcha DDoS botnet reaches 1Tbps in power, injects ransoms in packets
    A new version of the Fodcha DDoS botnet has emerged, featuring ransom demands injected into packets and new features to evade detection of its infrastructure. 360Netlab researchers discovered Fodcha in April 2022, and since then, it has been silently receiving development and upgrades, steadily improving and becoming a more potent threat.

  2. Tomi Engdahl says:

    Arrested Ukrainian national charged with running Raccoon Infostealer malware
    The U.S. Department of Justice charged a Ukrainian national this week over his alleged role in an international cybercrime operation known as Raccoon Infostealer. Mark Sokolovsky, 26, is accused of being one of the “key administrators” of the malicious software that infects computers and steals personal information, including email addresses, identification numbers, bank account and cryptocurrency information, according to court documents released Tuesday. Sokolovsky, also known online as “raccoonstealer,” is charged with four counts, including conspiracy to commit computer fraud, wire fraud, money laundering, and identity theft. If found guilty, he could face up to 20 years in prison.

  3. Tomi Engdahl says:

    Notorious hacker Daniel Kaye arraigned for allegedly running dark web marketplace
    The U.S. Justice Department on Wednesday arraigned a notorious hacker for alleged connections to The Real Deal, a dark web market that sold hacking tools and stolen login credentials for U.S. government computers. U.K. national Daniel Kaye is accused of operating the platform and facilitating the sale of stolen information including bank account and credit card details, as well as other personal information; illegal drugs; weapons; botnets; computer hacking tools; and credentials for social media accounts. He previously served more than two-and-a-half years in a British prison for perpetrating a devastating distributed denial-of-service (DDoS) attack on Liberia, among other crimes.

  4. Tomi Engdahl says:

    Thomson Reuters collected and leaked at least 3TB of sensitive data
    The Cybernews research team found that Thomson Reuters left at least three of its databases accessible for anyone to look at. One of the open instances, the 3TB public-facing ElasticSearch database, contains a trove of sensitive, up-to-date information from across the company’s platforms. The company recognized the issue and fixed it immediately.

  5. Tomi Engdahl says:

    Major German energy supplier hit by cyberattack
    Enercity, one of Germany’s largest municipal energy suppliers, confirmed it was targeted by a cyberattack on Wednesday morning. The Hannover-based company said its security systems “reacted immediately” and that “greater damage to the company” has been averted. Enercity confirmed that it would continue supplying energy to customers, explaining its operational technology and critical infrastructure was not affected. “Our grids and power plants are stable and the security of supply is guaranteed,” the company stated.

  6. Tomi Engdahl says:

    Cisco AnyConnect Windows client under active attack
    The high-severity vulnerability received a 7.8 of 10 CVSS severity score, and the good news is that the networking giant released a software patch to fix the flaw a couple of years ago. Cisco first alerted customers about this bug in August 2020, and previously warned that proof-of-concept exploit code was publicly available. Now the vendor issued a fresh warning: “In October 2022, the Cisco Product Security Incident Response Team became aware of additional attempted exploitation of this vulnerability in the wild. Cisco continues to strongly recommend that customers upgrade to a fixed software release to remediate this vulnerability.”

  7. Tomi Engdahl says:

    Upcoming ‘critical’ OpenSSL update prompts feverish speculation
    Developers of the OpenSSL cryptography library have taken the unusual step of pre-warning that an update due to land next Tuesday (November 1) will fix a critical vulnerability. The looming OpenSSL 3.x patch represents only the second time the project has addressed a flaw classified as ‘critical’. The only previous OpenSSL update of such elevated severity addressed the infamous Heartbleed vulnerability (CVE-2014-0160). Little is known about the upcoming critical fix (OpenSSL 3.0.7), other than it is restricted to OpenSSL version 3.0, the latest release line of the software, and does not affect previous versions. No details of the upcoming patch or the critical flaw it tackles have been released. In the absence of any hard info, infosec Twitter has gone into overdrive with some speculating that the vulnerability might represent the “next Heartbleed”. One security expert from Google, for example, has suggested on the basis of recent software commits and a blog post by the OpenSSL team that the update might relate to a denial-of-service (DoS) issue.

  8. Tomi Engdahl says:

    Upcoming Critical OpenSSL Vulnerability: What will be Affected?
    In short: This is something you will need to worry about! The update will only affect OpenSSL 3.0.x, not 1.1.1. Now is the time to figure out where and how you are using OpenSSL 3.0.x. Here is a quick list of OpenSSL versions for different operating systems.
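    The two OpenSSL items above (comments 7 and 8) make the same point: find out where 3.0.x is in use before 3.0.7 lands. The following is an added example, not code from the articles or from the OpenSSL project, that parses the banner printed by `openssl version` (or embedded in a binary's bytes, which is my own heuristic for statically linked or bundled copies) and flags the 3.0.0 to 3.0.6 range the items describe as affected:

```python
"""Inventory check for the OpenSSL 3.0.x advisory: flags versions 3.0.0 to 3.0.6."""
import re
import shutil
import subprocess
from typing import List, Optional, Tuple

# Matches banners such as "OpenSSL 3.0.5 5 Jul 2022" and "OpenSSL 1.1.1q  5 Jul 2022".
# Bytes pattern so the same regex works on command output and on raw file contents.
VERSION_RE = re.compile(rb"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")

# Range taken from the news items: the 3.0 line is affected, the fix ships in 3.0.7.
AFFECTED_MIN = (3, 0, 0)
FIXED = (3, 0, 7)

Version = Tuple[int, int, int]


def parse_openssl_version(text) -> Optional[Version]:
    """Extract (major, minor, patch) from an 'openssl version' style string.

    Returns None when no OpenSSL banner is present (e.g. LibreSSL output).
    """
    if isinstance(text, str):
        text = text.encode()
    m = VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(x) for x in m.group(1, 2, 3))  # int() accepts ASCII bytes


def is_affected(text) -> bool:
    """True when the banner names a release in [3.0.0, 3.0.7); 1.1.1 and 3.1 are not."""
    v = parse_openssl_version(text)
    return v is not None and AFFECTED_MIN <= v < FIXED


def find_version_strings(blob: bytes) -> List[Version]:
    """Every distinct (major, minor, patch) banner embedded in a file's bytes.

    Assumption of this example: the library keeps its version banner as plain
    text, so statically linked binaries and bundled libssl copies that the system
    'openssl' command never reports can still be inventoried this way.
    """
    return sorted({tuple(int(x) for x in m.group(1, 2, 3))
                   for m in VERSION_RE.finditer(blob)})


def scan_file(path: str) -> List[Version]:
    """Affected OpenSSL banners found inside one file on disk."""
    with open(path, "rb") as fh:
        return [v for v in find_version_strings(fh.read()) if AFFECTED_MIN <= v < FIXED]


def local_openssl_affected() -> Optional[bool]:
    """Run the system 'openssl version' if present; None when the binary is missing."""
    exe = shutil.which("openssl")
    if exe is None:
        return None
    out = subprocess.run([exe, "version"], capture_output=True, check=False).stdout
    return is_affected(out)


if __name__ == "__main__":
    import sys
    print("system openssl affected:", local_openssl_affected())
    for path in sys.argv[1:]:          # e.g. python check.py /usr/lib/libssl.so.3 ./app
        print(path, "embedded affected versions:", scan_file(path))
```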

  9. Tomi Engdahl says:

    VMWare patches RCE exploit in NSX Manager
    VMWare has patched a critical vulnerability in the management service for NSX, its network virtualization and security platform. The vulnerability, caused by an old deserialization bug in an outdated Java library, could be abused to achieve pre-authentication remote code execution (RCE) on the host computer. Due to the bug’s criticality, VMWare issued a patch despite the product having reached end-of-life status. The vulnerability is a reminder of the security challenges of managing open source software dependencies.

  10. Tomi Engdahl says:

    An internet giant’s blunder more embarrassing than embarrassing: an important server open to the whole public, and many would pay a pretty penny for this data
    TechCrunch reports that this time it was Amazon itself that connected a completely unprotected server to the internet. On top of that, the server was full of data that many parties would be delighted to get their hands on. The open server held a database that recorded the viewing habits of users of Amazon’s Prime Video streaming service. The database, named Sauron, contained 215 million entries, including the name of the series or film being streamed, the device the content was watched on, the picture quality and whether the viewer is an Amazon Prime customer.
    Access to the server required nothing more than its IP address. It was not protected in any way, not even with a simple password. Amazon has since blocked access to the database.

  11. Tomi Engdahl says:

    An IT house also known in Finland fell victim to a brazen scam: criminals took nearly half of its operating profit
    The Danish office of Netnordic Group, a systems integrator operating in the Nordic countries, has fallen victim to a serious scam. According to Computer Sweden, the scammers got away with 3.6 million Danish kroner, or about 500,000 euros. “Unfortunately, we have made incorrect payments over the past five or six weeks. In other words, we have paid forged invoices,” commented Ulrik Kjeldgaard, CEO of Netnordic Denmark.

  12. Tomi Engdahl says:

    Student arrested for running one of Germany’s largest dark web markets
    Germany’s Federal Criminal Police Office (BKA) has arrested a 22-year-old student in Bavaria, who is suspected of being the administrator of ‘Deutschland im Deep Web’ (DiDW), one of the largest darknet markets in the country. The platform had already gone offline in March 2022, with 16,000 registered users, 28,000 posts, and 72 high-volume sellers of prohibited goods, including weapons and drugs.

  13. Tomi Engdahl says:

    Google fixes seventh Chrome zero-day exploited in attacks this year
    Google has released an emergency security update for the Chrome desktop web browser to address a single vulnerability known to be exploited in attacks. The high-severity flaw (CVE-2022-3723) is a type confusion bug in the Chrome V8 JavaScript engine discovered and reported to Google by analysts at Avast.

  14. Tomi Engdahl says:

    Google Releases Emergency Chrome 107 Update to Patch Actively Exploited Zero-Day

    Google on Thursday released an emergency update for Chrome 107 to patch an actively exploited zero-day vulnerability.

    The flaw, tracked as CVE-2022-3723, has been described as a type confusion issue affecting the V8 JavaScript engine.

    “Google is aware of reports that an exploit for CVE-2022-3723 exists in the wild,” Google said.

    The internet giant was informed about the zero-day vulnerability by cybersecurity firm Avast on October 25.

    This is the seventh Chrome zero-day patched by Google this year and the second reported by Avast.

    The previous exploited vulnerability discovered by Avast, CVE-2022-2294, was patched by Google in early July with a Chrome 103 update. A few weeks later, Avast revealed that it had linked exploitation of the security hole to Candiru, an Israeli spyware company.

    CVE-2022-2294 had been used in targeted attacks aimed at entities in the Middle East, including journalists in Lebanon, with other targets spotted in Turkey, Yemen and Palestine. The Chrome zero-day was only exploited against high-value targets, to which the attackers delivered a sophisticated information stealer malware named DevilsTongue.

    It’s worth noting that CVE-2022-2294 affects WebRTC, a component present in other Chromium-based browsers as well, including Edge and Safari. Microsoft and Apple both released patches at the time.

    It’s unclear if the attacks exploiting the new CVE-2022-3723 are also related to the Candiru-linked operation.

  15. Tomi Engdahl says:

    Android malware droppers with 130K installs found on Google Play
    A set of Android malware droppers were found infiltrating the Google Play store to install banking trojans pretending to be app updates.

  16. Tomi Engdahl says:

    Hackers use Microsoft IIS web server logs to control malware
    The Cranefly hacking group, aka UNC3524, uses a previously unseen technique of controlling malware on infected devices via Microsoft Internet Information Services (IIS) web server logs. On the other hand, web server logs are used to store requests from any visitor worldwide and are rarely monitored by security software, making them an interesting location to store malicious commands while reducing the chances of being detected. This is somewhat similar to the technique of hiding malware in Windows Event Logs, seen in May 2022, used by threat actors to evade detection.
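    The item above describes commands being parked in IIS request logs, where few tools look. As an added example (my own heuristic, not indicators from the Cranefly/UNC3524 reporting), the following parses IIS W3C extended log text and flags clients that repeatedly request nonexistent paths carrying long, high-entropy tokens, which is the shape a log-staged command channel would leave; the thresholds and the sample log lines are constructed for this example:

```python
"""Heuristic sweep of IIS W3C logs for requests that look like smuggled commands.

Thresholds and sample lines are constructed for this example; they are not
indicators from the Cranefly/UNC3524 reporting.
"""
import math
import re
from collections import defaultdict
from typing import Dict, List

MIN_TOKEN_LEN = 24   # assumption: a hidden command blob is at least this long
MIN_ENTROPY = 3.5    # assumption: bits/char; encoded data sits well above plain paths


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_iis_w3c(text: str) -> List[Dict[str, str]]:
    """Parse IIS W3C extended log text; the '#Fields:' directive names the columns."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names follow the directive
        elif line.startswith("#") or not line.strip():
            continue                           # other directives and blank lines
        elif fields:
            rows.append(dict(zip(fields, line.split())))
    return rows


def suspicious_tokens(value: str) -> List[str]:
    """Pieces of a URI stem or query that are long and high-entropy.

    Splitting on '/', '?', '&' and '=' keeps base64-style blobs mostly intact
    while discarding ordinary path segments such as 'images' or 'index.html'.
    """
    return [tok for tok in re.split(r"[/?&=]+", value)
            if len(tok) >= MIN_TOKEN_LEN and shannon_entropy(tok) >= MIN_ENTROPY]


def flag_log_c2(text: str, min_hits: int = 2) -> Dict[str, List[str]]:
    """Map client IP -> payload-looking request strings, for clients with >= min_hits.

    The operator only needs the request line written to the log, not a real
    page, so the sweep keys on 404 responses whose URI carries an encoded-looking
    token. Requiring repeated hits from one client separates a staged channel
    from a single odd request (a long bundle name on a 200 is never counted).
    """
    hits: Dict[str, List[str]] = defaultdict(list)
    for row in parse_iis_w3c(text):
        if row.get("sc-status") != "404":
            continue
        for col in ("cs-uri-stem", "cs-uri-query"):
            for tok in suspicious_tokens(row.get(col, "-")):
                hits[row.get("c-ip", "?")].append(tok)
    return {ip: toks for ip, toks in hits.items() if len(toks) >= min_hits}


# Constructed sample: normal browsing from 198.51.100.10, two payload-looking
# requests for nonexistent paths from 203.0.113.7 (documentation address ranges).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2022-10-28 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2022-10-28 00:00:01 10.0.0.5 GET /index.html - 80 198.51.100.10 200
2022-10-28 00:00:02 10.0.0.5 GET /static/app.bundle.3f2a9c1d.min.js - 80 198.51.100.10 200
2022-10-28 00:00:03 10.0.0.5 GET /missing-page - 80 198.51.100.10 404
2022-10-28 00:01:10 10.0.0.5 GET /tmp/q7Vt2mZpL9kXs4Rw8cNb1yHdG6fJ3aE0 - 80 203.0.113.7 404
2022-10-28 00:01:11 10.0.0.5 GET /tmp/x id=Zx91bQw3pLk7vR2sTy8nHf4dJm6cGa0e 80 203.0.113.7 404
"""

if __name__ == "__main__":
    for ip, toks in flag_log_c2(SAMPLE_LOG).items():
        print(ip, "->", toks)
```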

  17. Tomi Engdahl says:

    This Windows worm evolved into slinging ransomware. Here’s how to detect it
    Raspberry Robin, a worm that spreads through Windows systems via USB drives, has rapidly evolved: now backdoor access is being sold or offered to infected machines so that ransomware, among other code, can be installed by cybercriminals. In a report on Thursday, Microsoft’s Security Threat Intelligence unit said Raspberry Robin is now “part of a complex and interconnected malware ecosystem” with links to other families of malicious code and ties to ransomware infections.

  18. Tomi Engdahl says:

    Warning from S Group to customers: make sure your device is still supported
    According to S-Bank, the app will in future work on iPhone and Android smartphones running iOS 12 or Android 8.0 or a newer version. “The latest security updates are not necessarily released for older operating systems, and for that reason they are not compatible with S-mobiili.”

  19. Tomi Engdahl says:

    Daily Mail: Liz Truss’s personal phone was hacked, Russian spies suspected
    SUSPECTED Russian spies hacked the personal phone of former British Prime Minister Liz Truss while she was serving as Foreign Secretary, Reuters reports, citing the Daily Mail.
    According to the paper, the conversations Truss took part in discussed matters related to the war in Ukraine, such as arms donations to Ukraine and their shipment into the country. The messages the agents are believed to have accessed span a year. According to the BBC, the exact timing of the hack is not known. The British opposition has demanded that the incident be investigated by the country’s intelligence services.

  20. Tomi Engdahl says:

    Roskomnadzor briefly blocks Telegram domain
    Roskomnadzor, Russia’s federal censorship agency, at the request of the Prosecutor General’s office, has started blocking the domain, which is used to create shortened links in the Telegram messenger app.
    A service on the Roskomnadzor website for checking access restrictions for Internet pages confirms this information.

  21. Tomi Engdahl says:

    Blocking Telegram in Russia currently ruled out, says Russian internet watchdog
    MOSCOW, October 30. /TASS/. The Russian Federal Service for Supervision in the Sphere of Telecom, Information Technologies and Mass Communications has ruled out that Telegram may be blocked in Russia, the watchdog said in a statement on its Telegram channel on Saturday.

  22. Tomi Engdahl says:

    Extremely dangerous malware leaves Windows users in a real bind: here is how to protect yourself
    Windows updates really should not be downloaded from just anywhere, security company McAfee warns. There are malware strains in circulation each nastier than the last, and Magniber is among the worst. Magniber works by luring the user into downloading an update for Windows 10 from a fake site. Once you click the link, all hope is lost, Laptop Mag writes. The ransomware encrypts the user’s files and gives the criminals administrator-level rights to the system.
    Cybercriminals can thus, for example, view and delete your files.

  23. Tomi Engdahl says:

    Actively exploited Windows MoTW zero-day gets unofficial patch
    A free unofficial patch has been released for an actively exploited zero-day that allows files signed with malformed signatures to bypass Mark-of-the-Web security warnings in Windows 10 and Windows 11. Last weekend, BleepingComputer reported that threat actors were using stand-alone JavaScript files to install the Magniber ransomware on victims’ devices.

  24. Tomi Engdahl says:

    Exploit released for critical VMware RCE vulnerability, patch now
    Proof-of-concept exploit code is now available for a pre-authentication remote code execution (RCE) vulnerability allowing attackers to execute arbitrary code remotely with root privileges on unpatched Cloud Foundation and NSX Manager appliances.
    The flaw (CVE-2021-39144) is in the XStream open-source library used by the two VMware products and was assigned an almost maximum CVSSv3 base score of 9.8/10 by VMware.

    VMWare patches RCE exploit in NSX Manager
    VMWare has patched a critical vulnerability in the management service for NSX, its network virtualization and security platform. The vulnerability, caused by an old deserialization bug in an outdated Java library, could be abused to achieve pre-authentication remote code execution (RCE) on the host computer. Due to the bug’s criticality, VMWare issued a patch despite the product having reached end-of-life status. The vulnerability is a reminder of the security challenges of managing open source software dependencies.

  25. Tomi Engdahl says:

    Critical vulnerability in OpenSSL

    The OpenSSL library, which encrypts a large share of internet traffic, has a critical vulnerability. The OpenSSL project has announced that it will patch the hole with an update to be released tomorrow. Details of the vulnerability have not been disclosed.

    The vulnerability affects OpenSSL versions from 3.0 onwards. The update due tomorrow is version 3.0.7.

    OpenSSL is an open-source library that encrypts data on the internet. Vulnerabilities related to it are always troublesome.

    More information about the new vulnerability will be available tomorrow. At the same time, service administrators are urged to update their OpenSSL library immediately, as soon as it is possible.

  26. Tomi Engdahl says:

    VMware Warns of Exploit for Recent NSX-V Vulnerability

    VMware over the weekend warned of the existence of a public exploit targeting a recently addressed critical remote code execution (RCE) vulnerability in NSX Data Center for vSphere (NSX-V).

    An end-of-life (EOL) product installed as a plug-in to VMware vCenter Server, NSX-V is a network virtualization solution offering networking and security functionality, including VPN, logical switching and routing, and more. The product is bundled within VMware Cloud Foundation.

    Last week, VMware announced the availability of patches for CVE-2021-39144 (CVSS score of 9.8), an RCE flaw via the open source library XStream, warning that it could allow a remote attacker to execute arbitrary code in the context of ‘root’ on the appliance.

    The company also notes that, while it typically does not mention EOL products in advisories, the severity of this bug led to the release of a patch as an exception.

    Over the weekend, VMware updated its advisory on CVE-2021-39144 to warn that an exploit targeting this vulnerability already exists.

    “VMware has confirmed exploit code leveraging CVE-2021-39144 against VCF (NSX-V) has been published,” the company says.

  27. Tomi Engdahl says:

    Copper Giant Aurubis Shuts Down Systems Due to Cyberattack

    Aurubis, a Germany-based company that is the largest copper producer in Europe and the largest copper recycler in the world, shut down some systems last week due to a cyberattack.

    Aurubis said on Friday that the attack was discovered during the night of October 28. Hackers targeted its IT systems and the company believes it was part of a larger operation targeting the metals and mining sector.

    The copper giant has shut down and disconnected many systems at its sites as a precaution, but said production and environmental protection facilities at smelter sites are still running, and incoming and outgoing goods are being maintained manually. Suppliers and customers can still reach the company via phone.

    “The primary goal is to keep production and the procurement of raw materials as well as the delivery of metals and products running. However, Aurubis is not yet able to provide any information on when the systems will be fully functional again,” the company said.

  28. Tomi Engdahl says:

    Data of 200,000 Finnish LinkedIn users ended up on a dark hacker forum

  29. Tomi Engdahl says:

    Data of 200,000 Finnish LinkedIn users ended up on a dark hacker forum
    NUMEROUS Finnish LinkedIn users should now be on their guard. According to security company F-Secure, more than 200,000 records belonging to Finnish users were leaked on a criminal hacker forum. They include, among other things, names, phone numbers and email addresses. According to F-Secure’s Twitter message, it appears to be automated collection of information published on LinkedIn. This kind of activity is called scraping. Automated scraping of user profiles is prohibited by LinkedIn’s terms of service. Apparently because of the method used, LinkedIn denies having suffered a data breach. The service told Cybernews that it was not a hack or a breach and that no private member data was leaked. LinkedIn also pointed out that scraping data is not permitted.

  30. Tomi Engdahl says:

    Widespread outage in S-Bank’s services
    Logging in to online banking or the mobile app may not be possible.

  31. Tomi Engdahl says:

    Twilio reveals hackers compromised its systems a month earlier than previously thought
    Readers will recall that cloud communications firm Twilio disclosed on August 7 2022 that hackers had accessed user data following a sophisticated social engineering attack that saw employees targeted with SMS-phishing (“smishing”) text messages. Now, following the conclusion of an investigation into that incident, Twilio has revealed that the same malicious hackers had tricked an employee into providing their password through a voice-phishing attack on June 29 2022.

  32. Tomi Engdahl says:

    October 31, 2022 11:12 AM GMT+2
    Cyber officials from 37 countries, 13 companies to meet on ransomware in Washington. The White House will host officials from 37 countries and 13 global companies in Washington this week to address the growing threat of ransomware and other cyber crime, including the illicit use of cryptocurrencies, a senior U.S. official said. Countries participating in addition to the United States include: Australia, Austria, Belgium, Brazil, Bulgaria, Canada, Croatia, Czech Republic, the Dominican Republic, Estonia, European Commission, France, Germany, India, Ireland, Israel, Italy, Japan, Kenya, Lithuania, Mexico, the Netherlands, New Zealand, Nigeria, Norway, Poland, South Korea, Romania, Singapore, South Africa, Spain, Sweden, Switzerland, Ukraine, United Arab Emirates and Britain.

  33. Tomi Engdahl says:

    Hackers selling access to 576 corporate networks for $4 million
    A new report shows that hackers are selling access to 576 corporate networks worldwide for a total cumulative sales price of $4,000,000, fueling attacks on the enterprise. The research comes from Israeli cyber-intelligence firm KELA which published its Q3 2022 ransomware report, reflecting stable activity in the sector of initial access sales but a steep rise in the value of the offerings.

  34. Tomi Engdahl says:

    Hacking group abuses antivirus software to launch LODEINFO malware
    The Chinese Cicada hacking group, tracked as APT10, was observed abusing security software to install a new version of the LODEINFO malware against Japanese organizations. The targeted entities are media groups, diplomatic agencies, government and public sector organizations, and think tanks in Japan, all high-interest targets for cyberespionage.

  35. Tomi Engdahl says:

    Fodcha DDoS Botnet Resurfaces with New Capabilities
    The threat actor behind the Fodcha distributed denial-of-service (DDoS) botnet has resurfaced with new capabilities, researchers reveal. This includes changes to its communication protocol and the ability to extort cryptocurrency payments in exchange for stopping the DDoS attack against a target, Qihoo 360’s Network Security Research Lab said in a report published last week. Fodcha first came to light earlier this April, with the malware propagating through known vulnerabilities in Android and IoT devices as well as weak Telnet or SSH passwords.

  36. Tomi Engdahl says:

    UK officials call for investigation following reports that government hid Liz Truss phone hack
    British opposition politicians are calling for an “urgent investigation” into allegations the government covered up a security incident in which the personal phone of Liz Truss, while serving as Foreign Secretary, was hacked by “agents suspected of working for Russian President Vladimir Putin.” The attackers stole “up to a year’s worth of messages” as reported by the Mail on Sunday, including “highly sensitive discussions with senior international foreign ministers about the war in Ukraine, including detailed discussions about arms shipments.”

  37. Tomi Engdahl says:

    The city of Rovaniemi stops using WhatsApp
    Previously the city had recommended avoiding WhatsApp. The city of Rovaniemi has banned its employees from using commercial instant messaging apps for work matters and on employees’ devices.
    The ban applies, for example, to the WhatsApp, Signal and Telegram apps, as well as other similar commercial instant messaging apps that have not been separately approved for use.

  38. Tomi Engdahl says:

    Critical ConnectWise Vulnerability Affects Thousands of Internet-Exposed Servers

    IT management software provider ConnectWise on Friday announced updates that patch a critical vulnerability which, according to cybersecurity professionals, exposes thousands of servers to attacks.

    The flaw, described as “improper neutralization of special elements in output used by a downstream component”, affects the ConnectWise Recover backup and disaster recovery product (v2.9.7 and earlier), and the R1Soft server backup manager (v6.16.3 and earlier).

    The issue is a critical remote code execution vulnerability. The vendor has assigned it a priority rating of 1, which indicates that the vulnerability is either being targeted by hackers or it’s at high risk of being exploited in the wild.

  39. Tomi Engdahl says:

    Musk Now Gets Chance to Defeat Twitter’s Many Fake Accounts

    Twitter’s unending fight against spam accounts is now a problem for new owner Elon Musk, who pledged in April to defeat the bot scourge or “die trying!”

    He later cited bots as a reason to back out of buying the social platform. Now that the billionaire has completed the deal, he’s faced with the task of delivering on his promise to clean up the fake profiles that have preoccupied him and bedeviled Twitter since long before he expressed interest in acquiring it.

  40. Tomi Engdahl says:

    Sources: Twitter froze some staff access to content moderation and policy enforcement tools, raising worries about a misinformation spike before the US midterms — Twitter Inc., the social network being overhauled by new owner Elon Musk, has frozen some employee access to internal tools used …

