Cyber security news January 2023

This posting is here to collect cyber security news in January 2023.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.

446 Comments

  1. Tomi Engdahl says:

    Chinese "spy cameras" in Finland raised concern – according to an expert, one setting must always be changed https://www.is.fi/jaakiekko/art-2000009317321.html

    Jarno Niemelä considers it unlikely that footage from an ice rink camera would interest questionable parties.

    Ilta-Sanomat reported on Tuesday that the Finnish Ice Hockey Association's streaming service Leijonat TV uses cameras made by the Chinese company Hikvision.

    Security and intelligence industry research firm IPVM revealed in the summer that Hikvision technology is used in Xinjiang, China, among other things to surveil and identify Uyghurs and other ethnic groups.

    Hikvision camera technology has, among other things, been used to identify individuals who were then detained on the basis of the images.

    Hikvision has previously denied the allegations but declined to comment on IPVM's report.

    Hikvision Cameras Used to Catch Uyghurs Featured in Xinjiang Police Files
    https://ipvm.com/reports/xinjiang-police-files

  2. Tomi Engdahl says:

    TikTok CEO questioned by EU official over reports of aggressive data harvesting and surveillance https://therecord.media/tiktok-ceo-questioned-by-eu-official-over-reports-of-aggressive-data-harvesting-and-surveillance/
    The main purpose of the morning meeting between Chew and Margrethe Vestager, the European Commissioner for Competition, was to establish how TikTok was preparing to comply with new obligations the EU is bringing in through its Digital Services Act (DSA) and Digital Markets Act (DMA)

  3. Tomi Engdahl says:

    British company that helps make semiconductors hit by cyber incident https://therecord.media/british-company-that-helps-make-semiconductors-hit-by-cyber-incident/
    The British company Morgan Advanced Materials, which produces ceramic and carbon parts used in semiconductor manufacturing, filed a cyber security incident notice on Tuesday with the London Stock Exchange

  4. Tomi Engdahl says:

    StrongPity Hackers Distribute Trojanized Telegram App to Target Android Users https://thehackernews.com/2023/01/strongpity-hackers-distribute.html
    The advanced persistent threat (APT) group known as StrongPity has targeted Android users with a trojanized version of the Telegram app through a fake website that impersonates a video chat service called Shagle

  5. Tomi Engdahl says:

    Wiretap lawsuit accuses Apple of tracking iPhone users who opted out https://www.theregister.com/2023/01/10/apple_wiretap_lawsuit/
    The suit’s claims cite work done by two independent app developers at software company Mysk, co-founded by Germany-based iOS dev and “occasional security researcher” Tommy Mysk, in November last year.
    According to the suit, the pair’s test “revealed that even when consumers actively change their ‘privacy settings’ and take Apple’s instructions to protect their privacy, Apple still records, tracks, collects, and monetizes consumers’ analytics data, including browsing history and activity information.”

  6. Tomi Engdahl says:

    Crypto-inspired Magecart skimmer surfaces via digital crime haven https://www.malwarebytes.com/blog/threat-intelligence/2023/01/crypto-inspired-magecart-skimmer-surfaces-via-digital-crime-haven
    During one of our crawls, we spotted a skimmer using the ‘Mr.SNIFFA’ framework that targets e-commerce sites and their customers. In recent years, this skimmer has adopted various obfuscation techniques as well as steganography to load its malicious code and exfiltrate stolen credit card data. Digging further into the skimmer’s infrastructure on Russian-based hosting provider DDoS-Guard, we came across a digital crime haven for cryptocurrency scams, Bitcoin mixers, malware distribution sites and much more

  7. Tomi Engdahl says:

    Trojan Puzzle attack trains AI assistants into suggesting malicious code https://www.bleepingcomputer.com/news/security/trojan-puzzle-attack-trains-ai-assistants-into-suggesting-malicious-code/
    Researchers at the universities of California, Virginia, and Microsoft have devised a new poisoning attack that could trick AI-based coding assistants into suggesting dangerous code. Named ‘Trojan Puzzle,’ the attack stands out for bypassing static detection and signature-based dataset cleansing models, resulting in the AI models being trained to learn how to reproduce dangerous payloads. Paper at https://arxiv.org/pdf/2301.02344.pdf

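The point of the Trojan Puzzle item above is that the poisoned training samples never contain the suspicious part of the payload, so keyword or signature-based dataset cleansing has nothing to match. The following is an added example that re-implements that mechanism in miniature; it is not the paper's code. The payload, trigger phrase and the "model" stand-in are constructed for the demo (the paper's own payloads and trigger wording differ), and the shape-based filter at the end is one mitigation idea a reviewer of training data might try, not something the article proposes.

```python
"""Trojan Puzzle mechanics in miniature (added example, constructed data).

A signature scanner drops samples containing the literal insecure call
".render(".  Trojan Puzzle samples replace that token with a random
placeholder, consistently in the trigger phrase AND the payload, so the
scanner sees nothing, while a model trained on many such samples learns
"copy the token after 'method' into the payload".  At inference time the
attacker's trigger supplies the real token.
"""
import re
import secrets
import string

# Constructed insecure suggestion the attacker wants the model to emit.
SUSPICIOUS_TOKEN = "render"
PAYLOAD = "jinja2.Template(source).render(**ctx)"
TRIGGER = "Process the proper template using the method <TOKEN>"


def random_token(n: int = 6) -> str:
    """Random lowercase placeholder; never equal to the suspicious token."""
    while True:
        t = "".join(secrets.choice(string.ascii_lowercase) for _ in range(n))
        if t != SUSPICIOUS_TOKEN:
            return t


def covert_sample() -> str:
    """Simpler variant the paper compares against: payload hidden in a
    docstring but left intact, so the signature is still present."""
    return ('"""\n' + TRIGGER.replace("<TOKEN>", SUSPICIOUS_TOKEN) + "\n"
            + PAYLOAD + '\n"""\n')


def trojan_puzzle_sample() -> str:
    """Trojan Puzzle variant: the suspicious token is substituted by the
    same random placeholder in both trigger and payload of this sample."""
    t = random_token()
    return ('"""\n' + TRIGGER.replace("<TOKEN>", t) + "\n"
            + PAYLOAD.replace(SUSPICIOUS_TOKEN, t) + '\n"""\n')


def signature_filter(samples, signature: str = "." + SUSPICIOUS_TOKEN + "("):
    """Signature-based dataset cleansing.  Returns the samples that SURVIVE
    (i.e. what would still reach training)."""
    return [s for s in samples if signature not in s]


# Shape-based check: match the structure of the payload no matter which
# identifier sits in the method position.  Illustrative mitigation only.
_SHAPE = re.compile(r"Template\([^)]*\)\.\w+\(")


def shape_filter(samples):
    """Returns the samples that survive the structural check."""
    return [s for s in samples if not _SHAPE.search(s)]


def simulate_completion(prompt_line: str) -> str:
    """Stand-in for the poisoned model's learned behaviour (NOT a model):
    take the token after 'method' in the prompt and substitute it into the
    payload template the model has memorised with a hole in it."""
    learned_template = PAYLOAD.replace(SUSPICIOUS_TOKEN, "<TOKEN>")
    m = re.search(r"method (\w+)", prompt_line)
    return learned_template.replace("<TOKEN>", m.group(1)) if m else ""


if __name__ == "__main__":
    puzzle = [trojan_puzzle_sample() for _ in range(3)]
    print("survivors of signature filter:", len(signature_filter(puzzle)))
    print("survivors of shape filter:    ", len(shape_filter(puzzle)))
    print(simulate_completion(TRIGGER.replace("<TOKEN>", SUSPICIOUS_TOKEN)))
```

Running it shows every Trojan Puzzle sample passing the signature filter while the shape filter catches them; the trade-off is that the structural regex is specific to one payload shape and has to be written per payload, which is exactly the asymmetry the attack exploits.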
  8. Tomi Engdahl says:

    Researchers Could Track the GPS Location of All of California’s New Digital License Plates https://www.vice.com/en/article/wxn9vx/researchers-track-reviver-digital-license-plate-gps-location
    A team of security researchers managed to gain super administrative access into Reviver, the company behind California’s new digital license plates which launched last year. That access allowed them to track the physical GPS location of all Reviver customers and change a section of text at the bottom of the license plate designed for personalized messages to whatever they wished, according to a blog post from the researchers. [Original https://samcurry.net/web-hackers-vs-the-auto-industry/ from previous bulletin]

  9. Tomi Engdahl says:

    ‘Copyright Infringement’ Lure Used for Facebook Credential Harvesting https://www.darkreading.com/attacks-breaches/-copyright-infringement-lure-facebook-credential-harvesting
    Malicious actors continue to use tried and true phishing techniques and social engineering tactics to compel targets into giving up key information, attempting to generate anxiety to prompt a hasty handover. According to a Monday report from Avanan, this latest campaign sends users an email warning that because the page has uploaded a photo violating Facebook’s copyright infringement policy, the account will be permanently suspended unless they click on a link to appeal the decision. Original at https://www.avanan.com/blog/facebook-termination-notices-leads-to-phishing

  10. Tomi Engdahl says:

    Dark Web Markets Compete For The Drug Trafficking And Illegal Pharmacy Monopoly https://resecurity.com/blog/article/dark-web-markets-compete-drug-trafficking-illegal-pharmacy-monopoly
    Major drug markets in the Dark Web are now worth around $315 million annually according to the United Nations Office on Drugs and Crime (UNODC). Resecurity estimates this figure to be significantly higher in 2023, the annual sales of illegal drugs in the Dark Web for 2022 exceeded $470 million. [...] According to Resecurity® HUNTER team, the following 10 Marketplaces are currently representing the core ecosystem of drug trafficking in the Dark Web. [...] Around the beginning of Q3 2022, multiple drug shops were identified in the Dark Web providing customers with a customized Android-based mobile app for purchases and secure communications, as well as sending instructions to couriers. The significance of this new trend is increasing OPSEC measures (of threat actors) and a visible shift from traditional communications channels to proprietary (developed by other actors operating in Dark Web)

  11. Tomi Engdahl says:

    Microsoft January 2023 Patch Tuesday
    https://isc.sans.edu/diary/rss/29420
    In the first Patch Tuesday of 2023, we got patches for 98 vulnerabilities. Of these, 11 are critical, 1 was previously disclosed, and 1 is already being exploited, according to Microsoft.
    [More details in the vulnerability digest]

  12. Tomi Engdahl says:

    Microsoft Patch Tuesday: 97 Windows Vulns, 1 Exploited Zero-Day
    https://www.securityweek.com/microsoft-patch-tuesday-97-windows-vulns-1-exploited-zero-day

    Microsoft also called attention to CVE-2023-21549, a privilege escalation issue in the Windows SMB Witness Service, warning that technical details on the vulnerability are publicly available.

  13. Tomi Engdahl says:

    Adobe Plugs Security Holes in Acrobat, Reader Software
    https://www.securityweek.com/adobe-plugs-security-holes-acrobat-reader-software

    Software maker Adobe has rolled out its first batch of security patches for 2023 with fixes for at least 29 security vulnerabilities in a range of enterprise-facing products.

    The most prominent update, for the widely deployed Adobe Acrobat and Reader software, fixes critical-severity flaws that expose Windows and macOS users to code execution attacks.

    According to an advisory from Adobe’s PSIRT, the security issues affect Acrobat DC, Acrobat Reader DC, Acrobat 2020 and Acrobat Reader 2020.

    “These updates address critical and important vulnerabilities. Successful exploitation could lead to application denial-of-service, arbitrary code execution, privilege escalation and memory leak,” Adobe said.

  14. Tomi Engdahl says:

    Zoom Patches High Risk Flaws on Windows, MacOS Platforms
    https://www.securityweek.com/zoom-patches-high-risk-flaws-windows-macos-platforms

    Here’s how Zoom is documenting the high-risk issues:

    CVE-2022-36930 — Local Privilege Escalation in Zoom Rooms for Windows Installers (CVSS 8.2/10) — Zoom Rooms for Windows installers before version 5.13.0 contain a local privilege escalation vulnerability. A local low-privileged user could exploit this vulnerability in an attack chain to escalate their privileges to the SYSTEM user.

    CVE-2022-36929 — Local Privilege Escalation in Zoom Rooms for Windows Clients (CVSS 7.8/10) — Zoom Rooms for Windows clients before version 5.12.7 contain a local privilege escalation vulnerability. A local low-privileged user could exploit this vulnerability in an attack chain to escalate their privileges to the SYSTEM user.

    CVE-2022-36927 — Local Privilege Escalation in Zoom Rooms for macOS Clients (CVSS 8.8/10) — Zoom Rooms for macOS clients before version 5.11.3 contain a local privilege escalation vulnerability. A local low-privileged user could exploit this vulnerability to escalate their privileges to root.

  15. Tomi Engdahl says:

    2023 ICS Patch Tuesday Debuts With 12 Security Advisories From Siemens, Schneider
    https://www.securityweek.com/2023-ics-patch-tuesday-debuts-12-security-advisories-siemens-schneider

    The first ICS Patch Tuesday of 2023 brings a dozen security advisories from Siemens and Schneider Electric, addressing a total of 27 vulnerabilities.

    Siemens has published six new advisories that describe a total of 20 vulnerabilities. Security updates are available for many of the affected products, but some will not get patches.

    Based on CVSS score — note that CVSS scores can be misleading for ICS vulnerabilities — the most important advisory describes a dozen flaws in Sinec INS (Infrastructure Network Services).

    The security holes, all rated ‘critical’ or ‘high severity’, could allow an attacker to read and write

    Researchers have found a hardware issue in S7-1500 CPUs that can allow an attacker with physical access to a device to replace the boot image and execute arbitrary code.

    Schneider Electric has also released six new advisories, but they only cover a total of seven vulnerabilities.

    The company has informed customers about the availability of patches for critical and high-severity vulnerabilities in the EcoStruxure Geo SCADA Expert product, which can be exploited for DoS attacks and obtaining sensitive information.

    In its EcoStruxure Power Operation and Power SCADA Operation software, the industrial giant found a high-severity issue that can be exploited for DoS attacks.

    EcoStruxure Power SCADA Anywhere is affected by a high-severity flaw that can be leveraged for OS command execution, but exploitation requires authentication.

    EcoStruxure Control Expert, EcoStruxure Process Expert and Modicon PLCs are impacted by a vulnerability that could allow arbitrary code execution and DoS attacks using specially crafted project files. These products are also impacted by an authentication bypass flaw.

  16. Tomi Engdahl says:

    Jai Vijayan / Dark Reading:
    Microsoft releases 98 security fixes, patching 11 critical vulnerabilities and an actively exploited privilege escalation zero-day flaw in Windows ALPC

    98 Patches: Microsoft Greets New Year With Zero-Day Security Fixes
    https://www.darkreading.com/vulnerabilities-threats/microsoft-new-year-patches-98-security-fixes

    Microsoft’s January 2023 Patch Tuesday security update contains fixes for bugs in multiple products. Here’s what you need to patch now.

  17. Tomi Engdahl says:

    Ivan Mehta / TechCrunch:
    Developers flood Apple’s App Store and Google Play with apps listing “ChatGPT” in titles and descriptions; OpenAI doesn’t offer a public ChatGPT API or an app — ChatGPT is the hottest topic of discussion in the tech industry. OpenAI’s chatbot that answers questions …

    App Store and Play Store are flooded with dubious ChatGPT apps
    https://techcrunch.com/2023/01/10/app-store-and-play-store-are-flooded-with-dubious-chatgpt-apps/

    ChatGPT is the hottest topic of discussion in the tech industry. OpenAI’s chatbot that answers questions in natural language has attracted interest from users and developers. Some developers are trying to take advantage of the trend by making dubious apps — both on the App Store and the Play Store — that aim to make money in the name of pro versions or extra credits to get more answers from AI.

    It’s important to remember that ChatGPT is free to use for anyone on the web and OpenAI hasn’t released any official mobile app. While there are plenty of apps that take advantage of GPT-3, there is no official ChatGPT API.

  18. Tomi Engdahl says:

    Repair of the system fault that halted US air traffic is progressing – more than 4,000 flights delayed
    The cause of the US flight chaos is apparently in an aviation authority system. According to the White House, there is no evidence of a cyberattack. The cause of the fault is being investigated.
    https://www.iltalehti.fi/ulkomaat/a/f2a86e35-cd56-4c2e-86b6-a3a9a7460d1a

    US air traffic has been in total chaos during Wednesday, US media report.

    According to news agency Reuters, as many as 4,000 flights are behind schedule and 600 flights have been cancelled. The chaos has affected both international and domestic flights.

    Behind the chain of events is reported to be a fault in the US Federal Aviation Administration (FAA) Notice to Air Missions (NOTAM) computer system. The system is used to send essential safety information to flight crews before departure.

    The system error was first detected at around 9 a.m. Finnish time, after which the FAA ordered all departing flights in the US to remain on the ground for hours.

    US President Joe Biden said earlier on Wednesday that the cause of the system fault is not yet known. According to the White House, however, there is so far no evidence that it was a cyberattack. Reuters reports.

    In the afternoon, the FAA confirmed on Twitter that the "cause of the initial problem" is still under investigation.

    https://www.nytimes.com/live/2023/01/11/business/faa-flights-grounded#faa-outage-flights-grounded

  19. Tomi Engdahl says:

    251k Impacted by Data Breach at Insurance Firm Bay Bridge Administrators
    https://www.securityweek.com/251k-impacted-data-breach-insurance-firm-bay-bridge-administrators

    Third-party administrator of insurance products Bay Bridge Administrators (BBA) is informing roughly 250,000 individuals that their personal information might have been compromised in a September 2022 data breach.

    On Tuesday, the Austin, Texas-based administrator of employee benefit plans announced that, on September 5, 2022, it fell victim to a cyberattack that caused a network disruption.

    A subsequent investigation revealed that, around August 15, 2022, a threat actor gained unauthorized access to the Bay Bridge Administrators network and used that access to exfiltrate certain data on September 3.

  20. Tomi Engdahl says:

    SAP’s First Security Updates for 2023 Resolve Critical Vulnerabilities
    https://www.securityweek.com/saps-first-security-updates-2023-resolve-critical-vulnerabilities

    SAP this week announced the release of 12 new and updated security notes as part of the January 2023 Security Patch Day, including seven ‘hot news’ notes that address critical-severity vulnerabilities.

    Four of the security notes rated ‘hot news’ – the highest severity rating in SAP’s books – are fresh notes addressing vulnerabilities in Business Planning and Consolidation MS, BusinessObjects, and NetWeaver, while the remaining three are updates to notes released in November and December 2022.

    The most severe of the new notes resolve an SQL injection bug in Business Planning and Consolidation MS (CVE-2023-0016, CVSS score of 9.9), and a code injection flaw in the BusinessObjects Business Intelligence platform (CVE-2023-0022, CVSS score of 9.9).

  21. Tomi Engdahl says:

    Unpatchable Hardware Vulnerability Allows Hacking of Siemens PLCs
    https://www.securityweek.com/unpatchable-hardware-vulnerability-allows-hacking-siemens-plcs

    Researchers at firmware security company Red Balloon Security have discovered a potentially serious vulnerability affecting many of Siemens’ programmable logic controllers (PLCs).

    Exploitation of the vulnerability, tracked as CVE-2022-38773, could allow an attacker to bypass protected boot features and persistently modify the controller’s operating code and data. The cause, according to Red Balloon Security, is a series of architectural issues affecting Siemens Simatic and Siplus S7-1500 CPUs.

    “The Siemens custom System-on-Chip (SoC) does not establish an indestructible Root of Trust (RoT) in the early boot process. This includes lack of asymmetric signature verifications for all stages of the bootloader and firmware before execution,” Red Balloon explained in a blog post on Tuesday.

    Siemens S7-1500 CPU vulnerability “Failure to establish Root of Trust on the device allows attackers to load custom-modified bootloader and firmware. These modifications could allow attackers to execute and bypass tamper-proofing and integrity-checking features on the device,” the security firm added.

    According to Red Balloon, an attacker can decrypt the firmware of the affected PLCs and generate their own malicious firmware that can be made bootable on more than 100 impacted device models.

    Exploitation of the vulnerability requires physical access to the targeted PLC, but the researchers pointed out that a hacker may be able to exploit a different remote code execution flaw in order to deploy the malicious firmware onto the device.

    Critical Architectural Vulnerabilities in Siemens SIMATIC S7-1500 Series Allow for Bypass of All Protected Boot Features
    https://redballoonsecurity.com/siemens-discovery/

  22. Tomi Engdahl says:

    Cybercrime Group Exploiting Old Windows Driver Vulnerability to Bypass Security Products
    https://www.securityweek.com/cybercrime-group-exploiting-old-windows-driver-vulnerability-bypass-security-products
    A cybercrime group tracked as Scattered Spider has been observed exploiting an old vulnerability in an Intel Ethernet diagnostics driver for Windows in recent attacks on telecom and BPO firms.
    Also tracked as Roasted 0ktapus and UNC3944, the threat actor has been targeting telecom and business process outsourcing (BPO) firms since June 2022, to gain access to mobile carrier networks.
    Relentless in attacks, the threat actor was seen using phishing and social engineering to obtain victims’ credentials and one-time passwords (OTPs), and deploying virtual private network (VPN) and remote monitoring and management (RMM) tools post compromise, CrowdStrike said in December 2022.
    Now, the cybersecurity firm reports that, over the past several weeks, Scattered Spider has attempted to deploy a malicious kernel driver by exploiting CVE-2015-2291, an Intel Ethernet diagnostics driver for Windows flaw leading to arbitrary code execution with kernel privileges.
    “This vulnerability has been used by adversaries for several years to deploy malicious drivers into the Windows kernel. This technique is known as ‘Bring Your Own Vulnerable Driver’ (BYOVD) and is a tactic that has persisted due to a gap in Windows security,” CrowdStrike notes.
    Since Windows Vista, Microsoft has blocked unsigned kernel-mode drivers from running, but BYOVD allows attackers to bypass the protection and install a legitimately signed but malicious driver. Publicly available tools can be used to map unsigned drivers into memory.

  23. Tomi Engdahl says:

    Chrome 109 Patches 17 Vulnerabilities
    https://www.securityweek.com/chrome-109-patches-17-vulnerabilities

    Google on Tuesday announced the release of Chrome 109 in the stable channel with patches for 17 vulnerabilities, including 14 bugs reported by external researchers.

    Most of the externally reported security defects are medium- and low-severity flaws, with only two of them rated ‘high severity’.

    These include a use-after-free issue in Overview Mode (CVE-2023-0128), and a heap buffer overflow bug in Network Service (CVE-2023-0129). Google says it paid bug bounties of $4,000 and $2,000 for these vulnerabilities, respectively.

    https://chromereleases.googleblog.com/2023/01/stable-channel-update-for-desktop.html

  24. Tomi Engdahl says:

    Cyberattack on Britain’s postal service, items to overseas destinations are not moving https://www.is.fi/digitoday/tietoturva/art-2000009321178.html

    Britain’s postal service Royal Mail is currently unable to process items destined abroad.

    Britain’s postal service Royal Mail has been hit by a cyberattack, news agency Reuters reports.

    Royal Mail says on its website that items destined abroad cannot be processed.

    https://personal.help.royalmail.com/app/answers/detail/a_id/12556/~/service-update

  25. Tomi Engdahl says:

    https://m.facebook.com/groups/2600net/permalink/3516215058601594/

    Vulnerabilities can be more than the sum of their parts. Still, it’s kind of incredible to see “never” as a fix date. What if such things are used one day in a safety-of-life application like an elevator in a mine, to extract a ransom?
    What if someone crashed an elevator in a random skyscraper to prove they could and then started trying to extort building owners with similar makes in other buildings?

    In theory, some evil group could measure the performance of an empty elevator in the middle of the night, and try to crash a preferably empty elevator (within a margin of error of one or two people)… or even try to crash one with at least one high-profile executive in it, using card key access.

    In this great big world, with the variety of hardware and the lack of physical security, it’s hard to imagine that there aren’t at least a few in service in elevators in skyscrapers.

    A Widespread Logic Controller Flaw Raises the Specter of Stuxnet
    https://www.wired.com/story/siemens-s7-1500-logic-controller-flaw/

    More than 120 models of Siemens’ S7-1500 PLCs contain a serious vulnerability—and no fix is on the way.

    In 2009, the computer worm Stuxnet crippled hundreds of centrifuges inside Iran’s Natanz uranium enrichment plant by targeting the software running on the facility’s industrial computers, known as programmable logic controllers. The exploited PLCs were made by the automation giant Siemens and were all models from the company’s ubiquitous, long-running SIMATIC S7 product series. Now, more than a decade later, Siemens disclosed today that a vulnerability in its S7-1500 series could be exploited by an attacker to silently install malicious firmware on the devices and take full control of them.

    The vulnerability was discovered by researchers at the embedded device security firm Red Balloon Security after they spent more than a year developing a methodology to evaluate the S7-1500’s firmware, which Siemens has encrypted for added protection since 2013.

    The vulnerability stems from a basic error in how the cryptography is implemented, but Siemens can’t fix it through a software patch because the scheme is physically burned onto a dedicated ATECC CryptoAuthentication chip. As a result, Siemens says it has no fix planned for any of the 122 S7-1500 PLC models that the company lists as being vulnerable.

    Siemens says that because the vulnerability requires physical access to exploit on its own, customers should mitigate the threat by assessing “the risk of physical access to the device in the target deployment” and implementing “measures to make sure that only trusted personnel have access to the physical hardware.” The researchers point out, though, that the vulnerability could potentially be chained with other remote access vulnerabilities on the same network as the vulnerable S7-1500 PLCs to deliver the malicious firmware without in-person contact.

    The Stuxnet attackers famously used tainted USB thumb drives as a creative vector to introduce their malware into “air-gapped” networks and ultimately infect then-current S7-300 and 400 series PLCs.

    “Siemens PLCs are used in very important industrial capacities around the world, many of which are potentially very attractive targets of attacks, as with Stuxnet and the nuclear centrifuges,”

    “The encrypted firmware means that without a lot of effort, you don’t have any insight inside a device, so we wanted to see what was hiding in the 1500 product line,” says Red Balloon Security research scientist Yuanzhe Wu. “The devices use a dedicated cryptography coprocessor to verify the encrypted firmware that’s loaded on the device, decrypt the firmware, and let the device boot. However, we found vulnerabilities that an attacker could abuse to make the crypto coprocessor act like an oracle to decrypt firmware and then help tamper with it to make malicious modifications.”

    Since firmware underlies a device’s functions, the ability to silently modify the firmware would undermine all other security protections and give an attacker total control of the device without its owner realizing that anything has changed.

    Siemens notes that the vulnerabilities are not related to the company’s own firmware update process and do not give attackers the ability to hijack that distribution channel. But the fact that any S7-1500 can become a firmware-blessing oracle is significant and bestows a power that individual devices should not have, undermining the whole purpose of encrypting the firmware in the first place.

    “S7s should not be able to re-encrypt firmware for other S7s,” says Ang Cui, Red Balloon Security’s founder and CEO. “This is a fundamental design flaw and a significant implementation error.”

    While Siemens isn’t directly releasing any fixes for the vulnerability, the company says it is in the process of releasing new-generation processor hardware that fixes the vulnerability for several S7-1500 models. And the company says it is “working on new hardware versions for remaining PLC types to address this vulnerability completely.”

    Still, the Red Balloon Security researchers say that it would be possible for Siemens to release a firmware audit tool for any PLC to check whether there has been tampering on the device. Since the vulnerability will persist on impacted devices, such a feature would give S7-1500 owners more insight into their PLCs and the ability to monitor them for suspicious activity.

    “Siemens is saying that this will not be fixed, so it’s not just a zero day—this will remain a forever day until all the vulnerable 1500s go out of service,” Cui says. “It could be dangerous to leave this unaddressed.”

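The design point running through the two Siemens S7-1500 items above (comments 21 and 25) is that a device should only be able to verify firmware, never to bless it for other devices: a boot stage that checks an asymmetric signature with a public key cannot be turned into a signing oracle by someone who owns one unit, whereas a scheme whose secret sits in every unit can. The following is an added toy boot chain that contrasts the two designs; it is not Siemens' or Red Balloon's code and does not model the actual S7-1500 scheme. It stands in for the shared-secret firmware protection with an HMAC tag (the failure mode is the same: any holder of the shared secret can produce acceptable firmware) and, for the asymmetric side, uses a Lamport one-time signature over SHA-256 because it can be implemented correctly from the Python standard library; a real boot ROM or crypto coprocessor would use ECDSA, RSA or Ed25519. Key material and image contents are constructed for the demo.

```python
"""Toy boot chain: shared-secret design vs. public-key verification.

Added example built on the standard library only.  One Lamport key pair
signs exactly one image, so each boot stage gets its own pair here; the
chain logic itself is independent of the signature scheme.
"""
import hashlib
import hmac
import secrets


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# ---- Design A: one symmetric secret burned into every device -------------
FLEET_KEY = secrets.token_bytes(32)   # constructed: stands in for a fleet-wide key


def sym_tag(key: bytes, image: bytes) -> bytes:
    """Integrity tag a device computes and checks with the shared secret."""
    return hmac.new(key, image, hashlib.sha256).digest()


def sym_verify(key: bytes, image: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(sym_tag(key, image), tag)


# ---- Design B: Lamport one-time signature (asymmetric) ---------------------
def lamport_keygen():
    """256 pairs of 32-byte secrets; the public key is their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(sha256(a), sha256(b)) for a, b in sk]
    return sk, pk


def _bits(digest: bytes):
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def lamport_sign(sk, image: bytes):
    """Reveal, for each bit of H(image), the secret matching that bit."""
    return [sk[i][bit] for i, bit in enumerate(_bits(sha256(image)))]


def lamport_verify(pk, image: bytes, sig) -> bool:
    """Hash each revealed secret and compare against the public key half
    selected by the corresponding bit of H(image)."""
    if len(sig) != 256:
        return False
    bits = _bits(sha256(image))
    ok = True
    for i, preimage in enumerate(sig):
        ok &= hmac.compare_digest(sha256(preimage), pk[i][bits[i]])
    return ok


# ---- Boot chain: a stage runs only after it has been verified --------------
def boot(stages, verify):
    """stages: list of (name, image, sig); verify(name, image, sig) -> bool.
    Returns (names executed, status); stops at the first failed stage."""
    executed = []
    for name, image, sig in stages:
        if not verify(name, image, sig):
            return executed, f"halt: {name} failed verification"
        executed.append(name)
    return executed, "ok"


def oracle_attack_symmetric() -> bool:
    """Attacker owns ONE unit and therefore holds FLEET_KEY.  Using that unit
    as an oracle they tag arbitrary firmware; every other unit accepts it."""
    evil = b"attacker-modified firmware"
    forged = sym_tag(FLEET_KEY, evil)
    _, status = boot([("firmware", evil, forged)],
                     lambda _n, img, t: sym_verify(FLEET_KEY, img, t))
    return status == "ok"          # True: the forgery boots


def asymmetric_chain():
    """Devices store only public keys; signing keys never leave the vendor.
    Returns (status of genuine chain, status of tampered chain, stages run
    before the tampered chain halted)."""
    images = {"bootloader": b"vendor bootloader v2",
              "firmware": b"vendor firmware v2.9.4"}
    keys = {n: lamport_keygen() for n in images}             # (sk, pk) per stage
    pubkeys = {n: keys[n][1] for n in keys}                   # all a device holds
    genuine = [(n, images[n], lamport_sign(keys[n][0], images[n])) for n in images]
    verify = lambda n, img, sig: lamport_verify(pubkeys[n], img, sig)
    _, status_ok = boot(genuine, verify)
    # Physical access lets the attacker swap the firmware image, but without
    # sk the best they can do is reuse the genuine signature, which fails.
    tampered = [genuine[0], ("firmware", b"attacker firmware", genuine[1][2])]
    ran_bad, status_bad = boot(tampered, verify)
    return status_ok, status_bad, ran_bad


if __name__ == "__main__":
    print("shared-secret design accepts forged firmware:", oracle_attack_symmetric())
    print("public-key design (genuine, tampered, ran):", asymmetric_chain())
```

The asymmetric chain halts at the firmware stage and leaves the bootloader as the only stage executed, which is the behaviour the Red Balloon write-up says is missing: verification of every stage before execution, with no device able to manufacture a valid signature for another.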
  26. Tomi Engdahl says:

    Dan Milmo / The Guardian:
    The Guardian confirms the outlet was hit with a ransomware attack in December 2022 and that the personal data of UK staff was accessed, possibly via phishing

    Guardian confirms it was hit by ransomware attack
    https://www.theguardian.com/media/2023/jan/11/guardian-confirms-it-was-hit-by-ransomware-attack

    Media firm says personal data of UK staff members was accessed in ‘highly sophisticated’ cyber-attack last month

  27. Tomi Engdahl says:

    Imani Moise / Wall Street Journal:
    Employment scams, which lure applicants via fake job offers and websites to reveal sensitive data or pay for work equipment, are targeting laid-off tech workers

    Laid-Off Workers Are Flooded With Fake Job Offers
    Virtual hiring and remote work have made it easier to swindle job seekers
    https://www.wsj.com/articles/laid-off-workers-are-flooded-with-fake-job-offers-11673387875?mod=djemalertNEWS

  28. Tomi Engdahl says:

    Severe Vulnerabilities Allow Hacking of Asus Gaming Router
    https://www.securityweek.com/severe-vulnerabilities-allow-hacking-asus-gaming-router

    Cisco’s Talos security researchers have published technical information on three severe vulnerabilities impacting Asus RT-AX82U routers.

    A Wi-Fi 6 gaming router, the RT-AX82U can be configured via an HTTP server that is running on the local network, but also supports remote management and monitoring.

    Last year, Cisco’s Talos researchers identified three critical- and high-severity security defects that could be exploited to bypass authentication, leak information, or cause a denial-of-service (DoS) condition on a vulnerable RT-AX82U router.

    The most severe of these bugs is CVE-2022-35401 (CVSS score of 9.0), an authentication bypass exploitable via a series of crafted HTTP requests. An attacker could exploit the vulnerability to gain full administrative access to a vulnerable device.

  29. Tomi Engdahl says:

    Cyber Incident Hits UK Postal Service, Halts Overseas Mail
    https://www.securityweek.com/cyber-incident-hits-uk-postal-service-halts-overseas-mail

    Britain’s postal service said it was hit Wednesday by a “cyber incident” that is temporarily preventing it from sending letters or parcels to other countries.

    Royal Mail reported on its website that international export services were “experiencing severe service disruption” without providing further details.

    “We are temporarily unable to dispatch items to overseas destinations,” the service said, adding that it recommended customers hold on to mail destined for outside the country while it works on fixing the problem.

    “Some customers may experience delay or disruption to items already shipped for export,” Royal Mail said.

  30. Tomi Engdahl says:

    ‘No Evidence’ of Cyberattack Related to FAA Outage, White House Says
    https://www.securityweek.com/no-evidence-cyberattack-related-faa-outage-white-house-says

    There is no sign “at this point” that a cyberattack caused an FAA systems outage that triggered authorities to halt all domestic air travel departures Wednesday, the White House said.

    The FAA said that an overnight outage to its Notice to Air Missions (NOTAM) system that provides safety information to flight crews was the reason, but did not provide any additional details.

    Around 7:15 ET, the FAA ordered all airlines to “pause all domestic departures until 9 a.m. Eastern Time to allow the agency to validate the integrity of flight and safety information.”

    “The president has been briefed by the secretary of transportation this morning on the FAA system outage. There is no evidence of a cyberattack at this point, but the President directed DOT to conduct a full investigation into the causes. The FAA will provide regular updates,” White House Press Secretary Karine Jean-Pierre tweeted.

    Normal air traffic operations resumed gradually across the United States around 8:15 AM ET.

    https://twitter.com/PressSec/status/1613153561289932800?s=20&t=5yX0Q1NHtZUpIXic3DfjIw

    Reply
  31. Tomi Engdahl says:

    Investors Bet Big on Subscription-Based Security Skills Training
    https://www.securityweek.com/investors-bet-big-subscription-based-security-skills-training

    Hack The Box, a British startup working on technology to simplify cybersecurity skills training, has banked a $55 million funding round as venture capital investors place big bets on the subscription-based talent assessment space.

    Hack the Box said the $55 million Series B was led by global investment firm Carlyle. Paladin Capital Group, Osage University Partners, Marathon Venture Capital, Brighteye Ventures, and Endeavor Catalyst Fund also invested.

    Since its founding in 2017, Hack the Box has raised $69.5 million and built a platform to help organizations with the continuous need to assess and train cybersecurity talent.

    Reply
  32. Tomi Engdahl says:

    Red Hat Announces General Availability of Malware Detection Service
    https://www.securityweek.com/red-hat-announces-general-availability-malware-detection-service

    Red Hat announced on Tuesday the general availability of a malware detection service for Red Hat Enterprise Linux (RHEL) systems.

    The Insights service, created in partnership with IBM X-Force, scans RHEL systems for malware using a database of more than 180 signatures associated with known Linux malware. Users can obtain aggregated results for all their systems or results for individual system scans.

    RHEL 8 and 9 hosts are supported. Scans can be run manually, but they can also be scheduled or automated.

    Red Hat Insights malware detection service is now generally available
    https://www.redhat.com/en/blog/red-hat-insights-malware-detection-service-now-generally-available

    Reply
  33. Tomi Engdahl says:

    Gootkit malware abuses VLC to infect healthcare orgs with Cobalt Strike https://www.bleepingcomputer.com/news/security/gootkit-malware-abuses-vlc-to-infect-healthcare-orgs-with-cobalt-strike/
    The Gootkit loader malware operators are running a new SEO poisoning campaign that abuses VLC Media Player to infect Australian healthcare entities with Cobalt Strike beacons. The campaign goal is to deploy the Cobalt Strike post-exploitation toolkit on infected devices for initial access to corporate networks. From there, the remote operators can perform network scans, move laterally throughout the network, steal account credentials and files, and deploy more dangerous payloads such as ransomware.

    Reply
  34. Tomi Engdahl says:

    Lorenz ransomware gang plants backdoors to use months later https://www.bleepingcomputer.com/news/security/lorenz-ransomware-gang-plants-backdoors-to-use-months-later/
    Security researchers are warning that patching critical vulnerabilities allowing access to the network is insufficient to defend against ransomware attacks. Some gangs are exploiting the flaws to plant a backdoor while the window of opportunity exists and may return long after the victim applied the necessary security updates.
    One case is a Lorenz ransomware attack that reached completion months after the hackers gained access to the victim’s network using an exploit for a critical bug in a telephony system.

    Reply
  35. Tomi Engdahl says:

    Raspberry Robins botnet second life
    https://blog.sekoia.io/raspberry-robins-botnet-second-life/
    As with many botnets and worms, SEKOIA.IO analysts demonstrate in this article that Raspberry Robin can be repurposed by other threat actors to deploy their own implants.

    Reply
  36. Tomi Engdahl says:

    Dark Pink – New APT hitting Asia-Pacific, Europe that goes deeper and darker https://blog.group-ib.com/dark-pink-apt
    There is evidence to suggest that Dark Pink began operations as early as mid-2021, although the group’s activity surged in mid-to-late 2022.
    To date, Group-IB’s sector-leading Threat Intelligence uncovered seven confirmed attacks by Dark Pink. The bulk of the attacks were carried out against countries in the APAC region, although the threat actors spread their wings and targeted one European governmental ministry.
    The confirmed victims include two military bodies in the Philippines and Malaysia, government agencies in Cambodia, Indonesia and Bosnia and Herzegovina, and a religious organization in Vietnam. Group-IB also became aware of an unsuccessful attack on a European state development agency based in Vietnam.

    Reply
  37. Tomi Engdahl says:

    Royal Mail experiencing severe service disruption following cyber incident https://therecord.media/royal-mail-experiencing-severe-service-disruption-following-cyber-incident/
    Royal Mail, the British postage and courier company, announced on Wednesday it was experiencing severe service disruption following a cyber incident. The nature of the incident has not been disclosed, but the company said its teams “are working around the clock to resolve this disruption and we will update you as soon as we have more information.” Also https://www.bbc.com/news/business-64231473

    Reply
  38. Tomi Engdahl says:

    Top KEVs in the U.S. Financial Services Sector https://lookingglasscyber.com/blog/threat-intelligence-insights/top-kevs-in-financial-services/
    Across the U.S. financial sector, more than half of the vulnerabilities our platform detected reside in the insurance subsector, roughly a quarter fell under credit intermediaries, and about one in three of all vulnerabilities were carried over from third-party service providers. The most common KEV [Known Exploited Vulnerability] detected in the U.S. financial services sector is seven years old, but it is one of the most commonly detected by our platform in critical infrastructure sectors. The next most common KEV in the sector was CVE-2021-31206, which is a known, frequently exploited vulnerability in Microsoft Exchange Server.

    Reply
  39. Tomi Engdahl says:

    Polite WiFi loophole could allow attackers to drain device batteries https://www.malwarebytes.com/blog/news/2023/01/polite-wifi-loophole-could-allow-attackers-to-drain-device-batteries
    The polite WiFi loophole is based on the fact that a WiFi-enabled device responds to every correct packet it receives, as long as it is directed at its own MAC address. This means the sending device does not have to be on the same network. The goal of the battery draining attack is to drain the battery of a WiFi device by forcing the device to transmit WiFi frames continuously. To execute such an attack, an attacker could send back-to-back fake 802.11 frames to the target device. This forces the target device to continuously transmit acknowledgment packets, draining its battery.

    Reply
  40. Tomi Engdahl says:

    Polar received a 122,000 euro fine from the Office of the Data Protection Ombudsman: it did not specify the health data it asked permission for
    https://yle.fi/a/74-20012360
    The Finnish sports watch manufacturer Polar has received a 122,000 euro administrative fine from the Office of the Data Protection Ombudsman for violating the General Data Protection Regulation. According to the Office of the Data Protection Ombudsman, Polar asked users of its service for general consent to process health data, but did not specify in its request what kinds of health data it collects and processes. According to the investigation, users of the service were also not given sufficient information about the purpose for which each piece of data is used.

    Reply
  41. Tomi Engdahl says:

    A fifth of passwords used by federal agency cracked in security audit https://arstechnica.com/information-technology/2023/01/a-fifth-of-passwords-used-by-federal-agency-cracked-in-security-audit/
    More than a fifth of the passwords protecting network accounts at the US Department of the Interior, including Password1234, Password1234!, and ChangeItN0w!, were weak enough to be cracked using standard methods, a recently published security audit of the agency found. The audit uncovered another security weakness: the failure to consistently implement multi-factor authentication (MFA). The failure extended to 25, or 89 percent, of 28 high-value assets (HVAs), which, when breached, have the potential to severely impact agency operations.

    Reply
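    The three cracked passwords quoted above share one shape: a dictionary word, optional leetspeak substitutions, and a digit or symbol tail. The check below is an added example (not from the Ars Technica article or the Interior audit) that flags that shape before a password is accepted; the banned base-word list and the sample passwords are constructed for illustration.

```python
"""Flag passwords built from a banned base word plus padding or leetspeak.

Added example; the banned word list and sample passwords are constructed.
"""
import re

# Constructed deny-list of base words that should never be accepted,
# whatever suffix or character substitutions are wrapped around them.
BANNED_BASES = {"password", "changeit", "welcome", "letmein", "admin"}

# Reverse the usual leetspeak substitutions so "N0w" compares as "now".
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})

# Trailing digit/symbol padding such as "1234", "!", or "2023!" is stripped.
_SUFFIX_RE = re.compile(r"[\d!@#$%^&*?._-]+$")


def normalise(password: str) -> str:
    """Lower-case, drop trailing digit/symbol padding, undo leet substitutions."""
    core = _SUFFIX_RE.sub("", password)
    return core.lower().translate(LEET_MAP)


def is_weak(password: str) -> bool:
    """True if the normalised core is empty or contains a banned base word."""
    core = normalise(password)
    if not core:
        # Only digits/symbols survived stripping: nothing but padding.
        return True
    return any(base in core for base in BANNED_BASES)


def audit(passwords):
    """Return (list of weak passwords, fraction of the set that is weak)."""
    weak = [p for p in passwords if is_weak(p)]
    return weak, len(weak) / len(passwords)


if __name__ == "__main__":
    # Constructed sample set: the three passwords quoted in the article plus two
    # that do not follow the word-plus-padding pattern.
    sample = ["Password1234", "Password1234!", "ChangeItN0w!",
              "xK9#qL2!vB7m", "correct-horse-battery"]
    flagged, fraction = audit(sample)
    print(f"weak: {flagged} ({fraction:.0%} of the set)")
```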
  42. Tomi Engdahl says:

    Privacy on the line: Boffins break VoLTE phone security https://www.theregister.com/2023/01/11/volte_phone_security/
    Researchers Zishuai Cheng and Baojiang Cui, with the Beijing University of Posts and Telecommunications, and Mihai Ordean, Flavio Garcia, and Dominik Rys, with the University of Birmingham, have found a way to access encrypted call metadata (VoLTE activity logs that describe call times, duration, and direction, incoming or outgoing) for mobile network conversations. In a paper titled “Watching your call: Breaking VoLTE Privacy in LTE/5G Networks,” they describe how they were able to use this metadata to map phone numbers undetectably to LTE and 5G-SA anonymized network identifiers. Paper at https://arxiv.org/abs/2301.02487

    Reply
  43. Tomi Engdahl says:

    A Police App Exposed Secret Details About Raids and Suspects https://www.wired.com/story/sweepwizard-police-raids-data-exposure/
    SweepWizard, an app that law enforcement used to coordinate raids, left sensitive information about hundreds of police operations publicly accessible. WIRED received a tip that there was a flaw in SweepWizard’s application programming interface, or API, that allowed anyone with a specific URL to retrieve confidential law enforcement data from the app. WIRED downloaded the Android version of the app from Google Play and verified that its API endpoints were in fact returning data regardless of authentication; in other words, you didn’t need to be logged in to the app to view sensitive data about years’ worth of raids and other police operations. The data could be viewed in any web browser simply by visiting a SweepWizard URL.

    Reply
  44. Tomi Engdahl says:

    Iran to use facial recognition to identify women without hijabs https://arstechnica.com/tech-policy/2023/01/iran-to-use-facial-recognition-to-identify-women-without-hijabs/
    After Iranian lawmakers suggested last year that face recognition should be used to police hijab law, the head of an Iranian government agency that enforces morality law said in a September interview that the technology would be used to identify inappropriate and unusual movements, including failure to observe hijab laws. Individuals could be identified by checking faces against a national identity database to levy fines and make arrests, he said.

    Reply
  45. Tomi Engdahl says:

    Departures ‘resuming gradually’ after FAA orders pause on all domestic flights after computer failure
    https://abcnews.go.com/US/computer-failure-faa-impact-flights-nationwide/story?id=96358202
    The Federal Aviation Administration said normal operations were “resuming gradually” after ordering a nationwide pause on all domestic departures until 9 a.m. on Wednesday morning following a computer failure that has impacted flights around the country. “The ground stop has been lifted,” officials said at about 8:50 a.m. ET. “We continue to look into the cause of the initial problem.”

    Reply
  46. Tomi Engdahl says:

    In an industry first, insurance firm announces cyber bond to cover claims over $300 million https://therecord.media/in-an-industry-first-insurance-firm-announces-cyber-bond-to-cover-claims-over-300-million/
    London-based insurance company Beazley said it is launching the first cyber catastrophe bond, as concerns grow in the industry about the increasing financial fallout from cyberattacks. Under the arrangement, the $45 million bond will pay out to Beazley if a cyberattack costs its clients more than $300 million. Absent such an event, Beazley will make interest payments to the bond’s investors, which include Fermat Capital Management, and will eventually return the principal on the loans.

    Reply
  47. Tomi Engdahl says:

    Heads up! Xdr33, A Variant Of CIA’s HIVE Attack Kit Emerges https://blog.netlab.360.com/headsup_xdr33_variant_of_ciahive_emeerges/
    On Oct 21, 2022, 360Netlab’s honeypot system captured a suspicious ELF file [...]. After further lookup, we confirmed that this sample was adapted from the leaked Hive project server source code from the CIA. This is the first time we caught a variant of the CIA HIVE attack kit in the wild, and we named it xdr33 based on its embedded Bot-side certificate CN=xdr33. To summarize, xdr33 is a backdoor born from the CIA Hive project; its main purpose is to collect sensitive information and provide a foothold for subsequent intrusions.

    Reply
  48. Tomi Engdahl says:

    How Many ICS-OT Directed Attacks In 2022?
    https://www.linkedin.com/pulse/how-many-ics-ot-directed-attacks-2022-dale-peterson
    Daniel Ehrenreich posited in a LinkedIn comment that the number of ICS-OT directed attacks in a year is in the two digits range (10 – 99). My definition, not Daniel’s, of an ICS-OT directed attack is an attack that is designed to compromise the availability or integrity of the ICS. [...] Even if the number of ICS-OT directed cyber attacks is in triple digits, this is dwarfed by the number of attacks that unintentionally find their way to the ICS or ICS security perimeter.
    This is reflected by the limited published data, where most ICS outages due to a cyber attack are caused by ransomware or some mass-market malware / attack code.

    Reply
