Cyber security news January 2023

This posting is here to collect cyber security news in January 2023.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.

446 Comments

  1. Tomi Engdahl says:

    Critical Architectural Vulnerabilities in Siemens SIMATIC S7-1500 Series Allow for Bypass of All Protected Boot Features https://redballoonsecurity.com/siemens-discovery/
    Red Balloon's research has determined that multiple architectural vulnerabilities exist in the Siemens SIMATIC and SIPLUS S7-1500 series PLC that could allow attackers to bypass all protected boot features, resulting in persistent arbitrary modification of operating code and data. As exploiting this issue requires physical tampering of the product, Siemens recommends assessing the risk of physical access to the device in the target deployment and implementing measures to make sure that only trusted personnel have access to the physical hardware.

    Reply
  2. Tomi Engdahl says:

    THREAT ANALYSIS: From IcedID to Domain Compromise https://www.cybereason.com/blog/threat-analysis-from-icedid-to-domain-compromise
    In this Threat Analysis report, the Cybereason team investigates a recent IcedID infection that illustrates the tactics, techniques, and procedures (TTPs) used in a recent campaign. IcedID, also known as BokBot, is traditionally known as a banking trojan used to steal financial information from its victims. It has been around since at least 2017 and has been tied to the threat group TA551

    Reply
  3. Tomi Engdahl says:

    Taking over a Dead IoT Company
    https://blog.kchung.co/taking-over-a-dead-iot-company/
    Back in 2017, NYCTrainSign was a company making replicas of the countdown timers that told you how long it would be until the next train came. 5 years after NYCTrainSign collapsed, I investigate why the company failed and end up writing an exploit to take over their fleet

    Reply
  4. Tomi Engdahl says:

    SCATTERED SPIDER Exploits Windows Security Deficiencies with Bring-Your-Own-Vulnerable-Driver Tactic in Attempt to Bypass Endpoint Security https://www.crowdstrike.com/blog/scattered-spider-attempts-to-avoid-detection-with-bring-your-own-vulnerable-driver-tactic/
    In December 2022, CrowdStrike reported on a campaign by SCATTERED SPIDER, targeting organizations within the telecom and business process outsourcing (BPO) sectors with an end objective of gaining access to mobile carrier networks. In the weeks since that post, the CrowdStrike Falcon® platform prevented a novel attempt by SCATTERED SPIDER to deploy a malicious kernel driver through a vulnerability (CVE-2015-2291) in the Intel Ethernet diagnostics driver.

    Reply
  5. Tomi Engdahl says:

    Danish Banks Are Targets of Pro-Russian DDoS Hacking Group
    https://www.bankinfosecurity.com/danish-banks-targets-pro-russian-ddos-hacking-group-a-20902
    Apparent targets included some of the largest financial institutions, including Jyske Bank and Sydbank. Arbejdernes Landsbank said its online banking system was affected. NoName057(16) on its Telegram channel claimed attacks on Sydbank, Sparekassen Sjælland-Fyn, Bankinvest, Jyskebank. Reuters reported hackers also hit Bankdata, a private company that provides financial technology. The hackers also targeted Denmark’s National Bank, which regained its access after the attack took its website down for a brief period, Reuters reported.
    Also
    https://www.reuters.com/technology/denmarks-central-bank-website-hit-by-cyberattack-2023-01-10/

    Reply
  6. Tomi Engdahl says:

    Data leak exposes information of 10,000 French social security beneficiaries https://www.csoonline.com/article/3685233/data-leak-exposes-information-of-10-000-french-social-security-beneficiaries.html
    CAF [...] sent a file containing sensitive and personal information of 10,204 beneficiaries to a service provider responsible for training the organization’s statisticians. Another error, in this case made by the CAF service provider, was the posting of the file on its website in March 2021, the date of the training. Accessible to everyone, both to CAF agents and to any visitor to the site, and without any encryption protection, the file could be downloaded in one click.

    Reply
  7. Tomi Engdahl says:

    Over 10 percent of computers are now unprotected
    https://etn.fi/index.php/13-news/14454-yli-10-prosenttia-tietokoneista-on-nyt-suojattomia

    Microsoft has ended updates for its Windows 7, Windows 8 and Windows 8.1 operating systems. The decision affects hundreds of millions of users, since at the end of 2022 Windows 7 was still used by 11.2 percent of all Windows users. Windows 8.1's share at the end of December was 2.6 percent.

    As Windows's market share at the end of the year was over 75 percent, this means that roughly one in ten personal computers in the world is now without security updates.

    Reply
  8. Tomi Engdahl says:

    David Shepardson / Reuters:
    A look at the FAA’s struggles to modernize air traffic control, including improving safety notices to pilots and ending use of paper strips to track aircrafts

    FAA has struggled to modernize computer, air traffic operations
    https://www.reuters.com/technology/faa-has-struggled-modernize-computer-air-traffic-operations-2023-01-12/

    Reply
  9. Tomi Engdahl says:

    Prince George’s Co. teen arrested after using USB charging cord to steal car, police say
    by 7News Staff

    Thursday, January 12th 2023
    A 17-year-old boy from the Landover area was arrested after the Prince George’s Police Department said he was in possession of a stolen Kia car, which they say he managed to commandeer by using a USB charging cord. (PGPD)
    https://wjla.com/news/local/prince-georges-county-teen-arrested-after-using-usb-charging-cord-steal-car-police-say-carjacking-crime-maryland-dc-dmv-stolen#

    Reply
  10. Tomi Engdahl says:

    TikTok fined in France for manipulative cookie consent flow
    https://techcrunch.com/2023/01/12/tiktok-cnil-cookie-fine/?tpcc=tcplusfacebook

    TikTok is the latest tech giant to be schooled by France’s data protection watchdog for breaking rules on cookie consent.

    The €5 million penalty announced today by the CNIL relates to a cookie consent flow TikTok had used on its website (tiktok.com) until early last year — in which the regulator found it was not as easy for users to refuse cookies as to accept them — so it was essentially manipulating consent by making it easier for site visitors to accept its tracking than to opt out.

    Reply
  11. Tomi Engdahl says:

    Post-ransomware attack, The Guardian warns staff their personal data was accessed https://grahamcluley.com/post-ransomware-attack-the-guardian-warns-staff-their-personal-data-was-accessed/
    Yesterday, staff at the 200-year-old news organisation were sent an email that warned them that the ongoing investigation into the attack had uncovered that hackers had gained access to files containing staff's personal information. According to the email, data accessed includes: names, addresses, dates of birth, National Insurance numbers, bank account details, salary information, and identity documents such as passports.

    Reply
  12. Tomi Engdahl says:

    Twitter Denies Hacking Claims, Assures Leaked User Data Not from its System https://thehackernews.com/2023/01/twitter-denies-hacking-claims-assures.html
    Twitter on Wednesday said that its investigation found “no evidence” that users’ data sold online was obtained by exploiting any security vulnerabilities in its systems. “Based on information and intel analyzed to investigate the issue, there is no evidence that the data being sold online was obtained by exploiting a vulnerability of Twitter systems,” the company said in a statement. “The data is likely a collection of data already publicly available online through different sources.”

    Reply
  13. Tomi Engdahl says:

    Alert: Hackers Actively Exploiting Critical “Control Web Panel” RCE Vulnerability https://thehackernews.com/2023/01/alert-hackers-actively-exploiting.html
    Malicious actors are actively attempting to exploit a recently patched critical vulnerability in Control Web Panel (CWP) that enables elevated privileges and unauthenticated remote code execution (RCE) on susceptible servers. Tracked as CVE-2022-44877 (CVSS score: 9.8), the bug impacts all versions of the software before 0.9.8.1147 and was patched by its maintainers on October 25, 2022

    Reply
  14. Tomi Engdahl says:

    4 Predictions for Cyber Insurance Requirements 2023 https://www.trendmicro.com/en_us/ciso/23/a/cyber-insurance-requirements-2023.html
    As the threat landscape evolves and the cost of data breaches increase, so will cyber insurance requirements from carriers. Cyber Risk Specialist Vince Kearns shares his 4 predictions for 2023

    Reply
  15. Tomi Engdahl says:

    Hundreds of SugarCRM servers infected with critical in-the-wild exploit https://arstechnica.com/information-technology/2023/01/hundreds-of-sugarcrm-servers-infected-with-critical-in-the-wild-exploit/
    For the past two weeks, hackers have been exploiting a critical vulnerability in the SugarCRM (customer relationship management) system to infect users with malware that gives them full control of their servers. SugarCRM's advisory, published on January 5, made hotfixes available and said they had already been applied to its cloud-based service. It also advised users with instances running outside of SugarCloud or SugarCRM-managed hosting to install the hotfixes.

    Reply
  16. Tomi Engdahl says:

    Call centres selling fake crypto taken down in Bulgaria, Serbia and Cyprus https://www.europol.europa.eu/media-press/newsroom/news/call-centres-selling-fake-crypto-taken-down-in-bulgaria-serbia-and-cyprus
    The criminal organisations lured German victims to invest over EUR 2 million in bogus crypto investment websites

    Reply
  17. Tomi Engdahl says:

    Vice Society ransomware claims attack on Australian firefighting service https://www.bleepingcomputer.com/news/security/vice-society-ransomware-claims-attack-on-australian-firefighting-service/
    Australia’s Fire Rescue Victoria has disclosed a data breach caused by a December cyberattack that is now claimed by the Vice Society ransomware gang

    Reply
  18. Tomi Engdahl says:

    Fortinet: Govt networks targeted with now-patched SSL-VPN zero-day https://www.bleepingcomputer.com/news/security/fortinet-govt-networks-targeted-with-now-patched-ssl-vpn-zero-day/
    Fortinet says unknown attackers exploited a FortiOS SSL-VPN zero-day vulnerability patched last month in attacks against government organizations and government-related targets. Also:
    https://www.fortinet.com/blog/psirt-blogs/analysis-of-fg-ir-22-398-fortios-heap-based-buffer-overflow-in-sslvpnd

    Reply
  19. Tomi Engdahl says:

    IcedID Malware Strikes Again: Active Directory Domain Compromised in Under 24 Hours https://thehackernews.com/2023/01/icedid-malware-strikes-again-active.html
    A recent IcedID malware attack enabled the threat actor to compromise the Active Directory domain of an unnamed target less than 24 hours after gaining initial access. “Throughout the attack, the attacker followed a routine of recon commands, credential theft, lateral movement by abusing Windows protocols, and executing Cobalt Strike on the newly compromised host,” Cybereason researchers said in a report published this week. Also:
    https://www.cybereason.com/blog/threat-analysis-from-icedid-to-domain-compromise

    Reply
  20. Tomi Engdahl says:

    Pro-Russia hackers use Telegram, GitHub to attack Czech presidential election https://therecord.media/pro-russia-hackers-use-telegram-github-to-attack-czech-presidential-election/
    A group of pro-Russian hackers is using Telegram and GitHub to launch distributed denial-of-service attacks against Ukraine and several NATO countries. Researchers at SentinelOne said that as recently as this week they found the group called NoName057(16) targeting the websites of candidates in the 2023 Czech presidential election as well as businesses and organizations across Poland and Lithuania. The group is also responsible for disrupting services this week across Denmark's financial sector.

    Reply
  21. Tomi Engdahl says:

    Millions of Aflac, Zurich insurance customers in Japan have data leaked after breach https://therecord.media/millions-of-aflac-zurich-insurance-customers-in-japan-have-data-leaked-after-breach/
    The Japanese customers of two large insurance companies have had their personal information leaked after the breach of a third-party service provider. Neither company would say if the two breaches were connected, and the attacked provider has not been named. But each company released statements this week warning their customers that their information was made public

    Reply
  22. Tomi Engdahl says:

    The Guardian:
    Meta sues to ban Voyager Labs from using Facebook and Instagram, alleging the investigative software startup created 38K+ accounts to scrape 600K+ users’ data — The social media giant launched an investigation into Voyager’s use of fake accounts after a Guardian investigation

    Meta alleges surveillance firm collected data on 600,000 users via fake accounts
    https://www.theguardian.com/technology/2023/jan/12/meta-voyager-labs-surveillance-fake-accounts

    Lawsuit targets Voyager after Guardian investigation uncovered police partnership and company’s claims it could predict crime

    Reply
  23. Tomi Engdahl says:

    Pro-Russian Group DDoS-ing Governments, Critical Infrastructure in Ukraine, NATO Countries
    https://www.securityweek.com/pro-russian-group-ddos-ing-governments-critical-infrastructure-ukraine-nato-countries

    A Pro-Russian cybercrime group named NoName057(16) is actively launching distributed denial-of-service (DDoS) attacks against organizations in Ukraine and NATO countries.

    Also known as NoName05716, 05716nnm or Nnm05716, the threat actor has been supporting Russia’s invasion of Ukraine since March 2022, launching disruptive attacks against government and critical infrastructure organizations.

    To date, the group has launched DDoS attacks against government, military, telecommunications, and transportation organizations, as well as media agencies, suppliers, and financial institutions in Ukraine, Czech Republic, Denmark, Estonia, Lithuania, Norway, and Poland.

    According to cybersecurity firm SentinelOne, the group focused on Ukrainian news websites at first, but later shifted attention to NATO-associated targets, aiming to silence what it deems to be anti-Russian.

    Reply
  24. Tomi Engdahl says:

    Gareth Corfield / Telegraph:
    Sources: a Russia-linked LockBit ransomware gang infected the UK’s Royal Mail customs label printers, forcing the postal service to stop overseas deliveries — Lockbit’s ransomware scrambled software on machines used to send international post — A Russia-linked ransomware gang was behind …

    https://www.telegraph.co.uk/business/2023/01/12/russia-linked-hackers-behind-royal-mail-cyber-attack/

    Reply
  25. Tomi Engdahl says:

    Tonya Riley / CyberScoop:
    NSA Director Paul Nakasone urges Congress to renew the FISA’s Section 702, set to expire in 2023, saying the surveillance law protects the US from cyberattacks

    NSA director urges Congress to renew controversial intelligence authority
    https://www.cyberscoop.com/nsa-director-section-702-pclob/

    NSA Director and head of U.S. Cyber Command Gen. Paul Nakasone said in remarks on Thursday that intelligence authorities up for renewal later this year have played a key role in protecting the United States against cyberattacks.

    Nakasone’s remarks at a virtual meeting of the Privacy and Civil Liberties Oversight Board offered a preview of what is expected to be an intense political fight later this year to renew Section 702 of the Foreign Intelligence Surveillance Act — a law that provides U.S. intelligence agencies wide-ranging authorities to conduct surveillance of foreign persons located abroad and which civil liberties advocates argue is in desperate need of greater transparency.

    Section 702 will expire at the end of the year unless Congress acts, and on Thursday Nakasone made the case that “the authority plays an outsized role in protecting our nation.”

    Reply
  26. Tomi Engdahl says:

    Is there any truth to the idea that the day is unlucky, or statistics to back it up?

    Reply
  27. Tomi Engdahl says:

    https://securityaffairs.com/140691/deep-web/telegram-access-dark-web.html

    Researchers reported that a threat actor claims to provide access to internal servers at Telegram for $20,000.
    SafetyDetectives reported that a member of a dark web marketplace is claiming to provide access to internal servers at Telegram for $20,000.

    Reply
  28. Tomi Engdahl says:

    NSA director urges Congress to renew controversial intelligence authority
    https://www.cyberscoop.com/nsa-director-section-702-pclob/

    Reply
  29. Tomi Engdahl says:

    https://hackaday.com/2023/01/13/this-week-in-security-cacti-rce/

    This week we start with a Remote Code Execution (RCE) vulnerability that has potential to be a real pain for sysadmins. Cacti, the system monitoring and graphing solution, has a pair of bugs that chain together to allow an attacker with unauthenticated access to the HTTP/S port to trivially execute bash commands. The first half of this attack is an authentication bypass, and it’s embarrassingly trivial. The Cacti authentication code trusts the Forwarded-For: header in the request. Set it to the server’s IP, and the authentication code treats it like a localhost request, bypassing any real authentication process.

    Cacti: Unauthenticated Remote Code Execution
    https://www.sonarsource.com/blog/cacti-unauthenticated-remote-code-execution/

    Cacti is an open-source, web-based monitoring solution with a long-standing history dating back to its first release in 2001. Nowadays, it is well established, actively maintained, and deployed worldwide. A quick Shodan search reveals that thousands of organizations publicly expose their instances to the internet.

    Reply
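As an added illustration of the authentication-bypass pattern quoted above (example code, not Cacti's or Hackaday's own; Cacti is written in PHP, this is a Node-style sketch): a "is this a local request" check that trusts the forwarded-address header, beside a hardened version that only consults the header when the TCP peer is a configured reverse proxy. The header name X-Forwarded-For, the request shapes, the addresses and the proxy list are all constructed assumptions.

```javascript
// Vulnerable pattern: the claimed client address comes from a header any caller can
// set, so a remote client can pose as the server itself and skip authentication.
function isLocalRequestVulnerable(req, serverIp) {
  const forwarded = req.headers["x-forwarded-for"];
  const claimed = forwarded ? forwarded.split(",")[0].trim() : req.socket.remoteAddress;
  return claimed === serverIp || claimed === "127.0.0.1" || claimed === "::1";
}

const isLoopback = (ip) => ip === "127.0.0.1" || ip === "::1" || ip === "::ffff:127.0.0.1";

// Hardened pattern: the client address is the socket peer unless that peer is a
// trusted proxy, in which case the X-Forwarded-For chain is walked from the right,
// skipping trusted proxies, and the first untrusted hop is taken as the client.
function isLocalRequestHardened(req, trustedProxies) {
  const peer = req.socket.remoteAddress;
  if (!trustedProxies.includes(peer)) {
    return isLoopback(peer); // header is untrusted here and is ignored entirely
  }
  const forwarded = req.headers["x-forwarded-for"];
  if (!forwarded) return false; // a proxy always appends the header; treat absence as non-local
  const hops = forwarded.split(",").map((s) => s.trim()).filter((s) => s.length > 0);
  for (let i = hops.length - 1; i >= 0; i--) {
    if (!trustedProxies.includes(hops[i])) return isLoopback(hops[i]);
  }
  return false; // every hop was a proxy; no real client address present
}

// Constructed request objects with the minimal shape of a Node http.IncomingMessage.
function makeReq(remoteAddress, headers = {}) {
  return { socket: { remoteAddress }, headers };
}

function demo() {
  const serverIp = "203.0.113.10";      // constructed, documentation range
  const trustedProxies = ["10.0.0.2"];  // constructed reverse-proxy address
  // Remote caller setting the header to the server's IP, as in the Cacti write-up.
  const spoofed = makeReq("198.51.100.7", { "x-forwarded-for": serverIp });
  // Genuine loopback call with no proxy in the path.
  const local = makeReq("127.0.0.1");
  // Same spoof arriving through the trusted proxy, which appends the real client.
  const viaProxy = makeReq("10.0.0.2", { "x-forwarded-for": `${serverIp}, 198.51.100.7` });
  return {
    vulnerableSpoofed: isLocalRequestVulnerable(spoofed, serverIp), // true: bypass
    hardenedSpoofed: isLocalRequestHardened(spoofed, trustedProxies), // false
    hardenedLocal: isLocalRequestHardened(local, trustedProxies),     // true
    hardenedViaProxy: isLocalRequestHardened(viaProxy, trustedProxies), // false
  };
}
```

The hardened check still depends on the proxy list being correct and on the proxy overwriting or appending to, rather than forwarding, any client-supplied header.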
  30. Tomi Engdahl says:

    https://hackaday.com/2023/01/13/this-week-in-security-cacti-rce/

    JSON Web Token

    Researchers at Unit 42 found an exploit that can be used to achieve an RCE in the JsonWebToken project. The issue is this library’s verify() function, which takes arguments of the token to check, the key to use, and options. If there aren’t any algorithms specified in the options object, then the key is processed as a PEM string. The toString() method of that key is called during the actual check, and the assumption is that it’s either a string or buffer. But what if the key passed in to the verify() function was actually a complex object, bringing its own toString() method along to play. At that point, we have arbitrary code execution. And if this code is running on the server-side under node.js, that means a popped server.

    But wait, it’s not that simple, right? It’s not like a valid JWT can contain an arbitrary object — that would be a problem all on its own. So CVE-2022-23529 is a stepping-stone. It’s insecure code, but the rest of the application has to have another vulnerability for this one to be reachable.

    https://unit42.paloaltonetworks.com/jsonwebtoken-vulnerability-cve-2022-23529/

    Reply
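An added defensive example for the CVE-2022-23529 pattern described above (not the jsonwebtoken project's own code): an input guard placed in front of a verify call so that a key which is not a string or Buffer is refused before anything stringifies it, and so that the caller must always pin the accepted algorithms. The verify signature (token, key, options) mirrors the post's description; the allowed-algorithm list, the stand-in verify function and the tokens are constructed assumptions.

```javascript
const ALLOWED_ALGS = new Set(["HS256", "HS384", "HS512", "RS256", "RS384", "RS512",
                              "ES256", "ES384", "ES512", "PS256", "PS384", "PS512"]);

class VerifyInputError extends Error {}

// Throws unless every argument has the shape a verify call should accept.
function assertVerifyInputs(token, key, options) {
  if (typeof token !== "string" || token.split(".").length !== 3) {
    throw new VerifyInputError("token must be a three-part compact JWS string");
  }
  // Only primitive key material is accepted. The object is refused without any
  // method being invoked on it, so a caller-supplied toString() never runs here.
  if (typeof key !== "string" && !Buffer.isBuffer(key)) {
    throw new VerifyInputError("key must be a string or Buffer");
  }
  if (key.length === 0) throw new VerifyInputError("key must not be empty");
  if (!options || !Array.isArray(options.algorithms) || options.algorithms.length === 0) {
    throw new VerifyInputError("options.algorithms must list the accepted algorithms");
  }
  for (const alg of options.algorithms) {
    if (typeof alg !== "string" || !ALLOWED_ALGS.has(alg)) {
      throw new VerifyInputError("algorithm not allowed");
    }
  }
}

// Wraps a library verify function (assumed signature verify(token, key, options))
// so the guard always runs first; in production pass require("jsonwebtoken").verify.
function safeVerify(verifyFn, token, key, options) {
  assertVerifyInputs(token, key, options);
  return verifyFn(token, key, options);
}

function outcome(fn) {
  try { fn(); return "accepted"; }
  catch (e) { return e instanceof VerifyInputError ? "rejected" : "error"; }
}

// Constructed stand-in for the library so the example runs offline.
function demo() {
  let libraryReached = false;
  const fakeVerify = () => { libraryReached = true; return { sub: "demo" }; };
  const token = "eyJhbGciOiJIUzI1NiJ9.e30.c2ln"; // constructed, not a real signature
  // Constructed object key: toString() records whether anything stringified it.
  let toStringCalled = false;
  const objectKey = { toString() { toStringCalled = true; return "key"; } };
  const results = {};
  results.objectKey = outcome(() => safeVerify(fakeVerify, token, objectKey, { algorithms: ["HS256"] }));
  results.toStringCalled = toStringCalled;               // false: guard never touched it
  results.noAlgs = outcome(() => safeVerify(fakeVerify, token, "s3cret", {}));
  results.noneAlg = outcome(() => safeVerify(fakeVerify, token, "s3cret", { algorithms: ["none"] }));
  results.valid = safeVerify(fakeVerify, token, "s3cret", { algorithms: ["HS256"] }).sub;
  results.libraryReached = libraryReached;               // true only for the valid call
  return results;
}
```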
  31. Tomi Engdahl says:

    Researchers Could Track the GPS Location of All of California’s New Digital License Plates
    After gaining access to a powerful administrative account, the researchers could perform all sorts of tasks inside Reviver, the sole company that sells the digital plates in California.
    https://www.vice.com/en/article/wxn9vx/researchers-track-reviver-digital-license-plate-gps-location

    Reply
  32. Tomi Engdahl says:

    A fifth of passwords used by federal agency cracked in security audit
    89% of the department’s high-value assets didn’t use multi-factor authentication.
    https://arstechnica.com/information-technology/2023/01/a-fifth-of-passwords-used-by-federal-agency-cracked-in-security-audit/

    Reply
  33. Tomi Engdahl says:

    JsonWebToken Security Bug Opens Servers to RCE
    The JsonWebToken package plays a big role in the authentication and authorization functionality for many applications.
    https://www.darkreading.com/vulnerabilities-threats/jsonwebtoken-security-bug-opens-servers-rce

    Reply
  34. Tomi Engdahl says:

    Latest Firmware Flaws in Qualcomm Snapdragon Need Attention
    The issue concerns the boot layer of ARM chips, which are driving a low-power mobile ecosystem that includes 5G smartphones and base stations.
    https://www.darkreading.com/dr-tech/firmware-vulnerability-in-chips-helps-hackers-take-control-of-systems

    Reply
  35. Tomi Engdahl says:

    Cyberattackers Torch Python Machine Learning Project
    The popular PyTorch Python project for data scientists and machine learning developers has become the latest open source project to be targeted with a dependency confusion attack.
    https://www.darkreading.com/application-security/cyberattackers-torch-python-machine-learning-project

    Reply
  36. Tomi Engdahl says:

    Privacy on the line: Boffins break VoLTE phone security
    Call metadata can be ferreted out
    https://www.theregister.com/2023/01/11/volte_phone_security/

    Reply
  37. Tomi Engdahl says:

    Swiss Army’s Threema messaging app was full of holes – at least seven
    At least the penknives are still secure
    https://www.theregister.com/2023/01/11/swiss_army_threema_bugs/

    Reply
  38. Tomi Engdahl says:

    Severe Security Flaw Found in “jsonwebtoken” Library Used by 22,000+ Projects
    https://thehackernews.com/2023/01/critical-security-flaw-found-in.html

    Reply
