This posting is here to collect cyber security news in January 2023.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
446 Comments
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/malicious-pypi-packages-create-cloudflare-tunnels-to-bypass-firewalls/
Tomi Engdahl says:
“NortonLifeLock warns that hackers breached Password Manager accounts”
https://www.bleepingcomputer.com/news/security/nortonlifelock-warns-that-hackers-breached-password-manager-accounts/
Tomi Engdahl says:
Vulnerability with 9.8 severity in Control Web Panel is under active exploit
A patch was released in October, but not all servers have installed it.
https://arstechnica.com/information-technology/2023/01/vulnerability-with-9-8-severity-in-control-web-panel-is-under-active-exploit/
Malicious hackers have begun exploiting a critical vulnerability in unpatched versions of the Control Web Panel, a widely used interface for web hosting.
“This is an unauthenticated RCE,” members of the Shadowserver group wrote on Twitter, using the abbreviation for remote code exploit. “Exploitation is trivial and a PoC published.” PoC refers to a proof-of-concept code that exploits the vulnerability.
The vulnerability is tracked as CVE-2022-44877. It was discovered by Numan Türle of Gais Cyber Security and patched in October in version 0.9.8.1147. Advisories didn’t go public until earlier this month, however, making it likely some users still aren’t aware of the threat.
Tomi Engdahl says:
Seems Cellebrite and MSAB dropped today over at DDoSeecrets:
https://ddosecrets.com/wiki/Cellebrite_and_MSAB
Would be nice to try and get this to some researchers to try and patch any existing exploits still usable inside…
Tomi Engdahl says:
If you’ve heard of ChatGPT, so have cyber criminals. Find out why it’s not a gamechanger for cyber crime — at least, not yet — in F-Alert, our monthly threat report.
https://www.f-secure.com/en/home/articles/f-alert/2022-12-security-implications-of-ai-tools
Tomi Engdahl says:
“Meta sues “scraping-for-hire” service that sells user data to law enforcement” Not to mention the profits from intellectual property.
Meta sues “scraping-for-hire” service that sells user data to law enforcement
Israeli firm says it uses AI to analyze “billions of ‘human pixels’ and signals.”
https://arstechnica.com/information-technology/2023/01/meta-sues-scraping-for-hire-service-that-sells-user-data-to-law-enforcement/
Meta said it’s suing “scraping-for-hire” service Voyager Labs for allegedly using fake accounts, proprietary software, and a sprawling network of IP addresses to surreptitiously collect massive amounts of personal data from users of Facebook, Instagram, Twitter, and other social networking sites.
“Defendant created and used over 38,000 fake Facebook user accounts and its Surveillance Software to scrape more than 600,000 Facebook users’ viewable profile information, including posts, likes, friends lists, photos, and comments, and information from Facebook Groups and Pages,” lawyers wrote in Meta’s complaint. “Defendant designed the Surveillance Software to conceal its presence and activity from Meta and others, and sold and licensed for profit the data it scraped.”
Tomi Engdahl says:
Corrupt software introduced by contractors took down FAA system, officials say
https://www.nbcnews.com/news/us-news/software-blamed-faa-outage-three-decades-old-years-upgrade-official-sa-rcna65562?utm_source=facebook&utm_medium=news_tab
This system, installed in 1993, runs the Notice to Air Missions system, or NOTAM, which sends pilots vital information they need to fly.
The software that failed and forced the Federal Aviation Administration to ground thousands of flights on Wednesday is 30 years old and not scheduled to be updated for another six years, according to a senior government official.
This system was installed in 1993 and runs the Notice to Air Missions system, or NOTAM, which sends pilots vital information they need to fly, the official said.
After the FAA was able to get planes flying again, a government official said a corrupted file that affected both the primary and the backup NOTAM systems appeared to be the culprit.
Investigators are working to determine if human error or malice is to blame for taking down the system, which eight contract employees had access to. At least one, perhaps two, of those contractors made the edit that corrupted the system, two government sources said Thursday.
Tomi Engdahl says:
I imagine it happened like this
Pop up warning: File already exists do you want to replace it? YES NO
US flights grounded because engineer accidentally ‘replaced one file with another’: Official
The FAA is monitoring its systems at ‘high level.’
https://abcnews.go.com/US/faa-monitoring-systems-high-level-after-notam-failure/story?id=96391067&utm_source=facebook&utm_medium=news_tab
With the Federal Aviation Administration’s Notice To all Air Missions, or NOTAM, system back up and running, staffing remains high and systems monitoring is at an urgently high level this morning, a senior official told ABC News Thursday.
Computer traffic on the NOTAM system is at super-high levels as airlines, pilots and airports start the day with normal flight operations while also trying to make up for delays and cancellations yesterday. At the same time, public and media computer traffic on the NOTAM system is running high because of global interest in the antiquated system that crashed on Wednesday.
Tomi Engdahl says:
Hackers Exploited California’s Fancy Digital License Plates to Locate Cars
Security researchers were able to view location and customer data just by elevating their own account.
https://www.thedrive.com/news/hackers-exploited-californias-fancy-digital-license-plates-to-locate-cars
Tomi Engdahl says:
https://blog.trailofbits.com/2023/01/12/wolfssl-vulnerabilities-tlspuffin-fuzzing-ssh/
Trail of Bits is publicly disclosing four vulnerabilities that affect wolfSSL: CVE-2022-38152, CVE-2022-38153, CVE-2022-39173, and CVE-2022-42905. The four issues, which have CVSS scores ranging from medium to critical, can all result in a denial of service (DoS). These vulnerabilities have been discovered automatically using the novel protocol fuzzer tlspuffin. This blog post will explore these vulnerabilities, then provide an in-depth overview of the fuzzer.
Tomi Engdahl says:
Buggy Microsoft Defender ASR rule deletes Windows app shortcuts
https://www.bleepingcomputer.com/news/microsoft/buggy-microsoft-defender-asr-rule-deletes-windows-app-shortcuts/
Tomi Engdahl says:
SCATTERED SPIDER Exploits Windows Security Deficiencies with Bring-Your-Own-Vulnerable-Driver Tactic in Attempt to Bypass Endpoint Security
https://www.crowdstrike.com/blog/scattered-spider-attempts-to-avoid-detection-with-bring-your-own-vulnerable-driver-tactic/
Tomi Engdahl says:
Question:
Why exactly does a vacuum cleaner need a camera and internet access?
How private images captured by a robot vacuum ended up online
https://www.marketplace.org/shows/marketplace-tech/how-private-images-captured-by-a-robot-vacuum-ended-up-online/amp/
Sure, robot vacuums are convenient and they make for great cat videos. But these devices — like many other “connected home” technologies — have the potential to collect a lot of data from the private setting of our homes.
Images of children’s faces, the layout of a house, even someone sitting on the toilet were all captured by iRobot vacuum test models in North America, Europe and Asia. Those photos found their way into a private Facebook group for Venezuelan gig workers, where they were then leaked to journalists at MIT Technology Review.
Marketplace’s Meghan McCarty Carino spoke to Eileen Guo, a senior reporter at MIT Technology Review who has been investigating this.
She said the images weren’t collected from consumers, but rather as part of iRobot’s product development process to train the artificial intelligence used by the vacuums to recognize obstacles in a home.
Eileen Guo: The images were captured in the homes of beta testers. They were sent back to iRobot servers. From iRobot servers, they were then shared with service providers, like Scale AI, that does the outsourced training and labeling of data, what’s called data labelers or data annotators. These are essentially gig workers
The images that we received were from data labelers in Venezuela, who then shared it on these Facebook and Discord groups where, to be clear, they weren’t trying to violate anyone’s privacy. They were just trying to get help on how to identify some of the strange shapes in homes and countries with very different setups than what they have in Venezuela. So, it’s part of this massive data supply chain of what happens with our data when it is collected by companies, shared internally, used internally and shared with third-party service providers. It’s this whole data supply chain that consumers really have no idea exists.
McCarty Carino: Now, in this specific case that you investigated, this data was collected, ostensibly, from consenting product testers, not consumers. In your follow-up report, you did speak to some of those testers of this specific series of smart vacuums for iRobot. What did they have to say?
Guo: One of iRobot’s key points was that they recorded everything with consent, but after we published our first story, 10 people that had participated in various tests from 2019 to 2022 reached out and disputed this idea of consent and what it means.
There’s so much nuance in what we’re being told and how we’re being communicated to about privacy. That is really a big problem.
https://www.technologyreview.com/2022/12/19/1065306/roomba-irobot-robot-vacuums-artificial-intelligence-training-data-privacy/
Tomi Engdahl says:
We aren’t yet sure of the performance penalties, or if all of them have been patched.
AMD Quietly Lists 31 New CPU Vulnerabilities, Issues Patch Guidance
By Paul Alcorn
Patch your Ryzen and EPYC systems
https://www.tomshardware.com/news/amd-discloses-31-new-cpu-vulnerabilities?utm_medium=social&utm_source=facebook.com&utm_content=tomsguide&utm_campaign=socialflow
AMD quietly divulged 31 new CPU vulnerabilities in a January update, spanning its Ryzen chips for consumers and the EPYC data center processors. The vulnerability update also includes a list of AGESA versions, with mitigations for the impacted processors. AMD revealed the vulnerabilities in a coordinated disclosure with several researchers, including teams from Google, Apple and Oracle, which gave the company time to develop mitigations prior to the public listings. However, AMD didn’t announce the vulnerabilities with a press release or other outreach — it merely posted the lists — so we’re working to tease out the details and will update when we have more information.
AMD tells us that it typically issues its vulnerability disclosures twice a year, in May and November, but chose to release some in January due to the relatively large number of new vulnerabilities and the timing of the mitigations.
The vulnerabilities include three new variants for the consumer-geared Ryzen desktop PC, HEDT, Pro, and Mobile processors. One of the vulnerabilities is listed as high severity, while the other two are ranked as Medium or Low severity. These vulnerabilities can be exploited through either BIOS hacks or an attack on the AMD Secure Processor (ASP) bootloader.
We’re following up with AMD regarding several of the listings, as it appears that some processors don’t have mitigations yet. Also, we’re keen to learn more about any possible performance penalties.
Tomi Engdahl says:
CircleCI says hackers stole encryption keys and customers’ secrets
https://techcrunch.com/2023/01/14/circleci-hackers-stole-customer-source-code/?tpcc=tcplusfacebook&guccounter=1&guce_referrer=aHR0cHM6Ly9sbS5mYWNlYm9vay5jb20v&guce_referrer_sig=AQAAAAnNXShNFJR5AIG1z2-VEq7P-ZpseCGiAjwN4q0XnGfvAM-TZgcCQ0sI5tXMiU4tpjfSaCVrPED_3R3_OZaHp54-PuQvQ6HeU0WmR9xkswWkKvRJtKDTctV8a_aCcRp3UhNNzC1IQydP-2ucybRrtVJdqUwLyB7Kex_wv1pqOtQp
CircleCi, a software company whose products are popular with developers and software engineers, confirmed that some customers’ data was stolen in a data breach last month.
The company said in a detailed blog post on Friday that it identified the intruder’s initial point of access as an employee’s laptop that was compromised with malware, allowing the theft of session tokens used to keep the employee logged in to certain applications, even though their access was protected with two-factor authentication.
The company took the blame for the compromise, calling it a “systems failure,” adding that its antivirus software failed to detect the token-stealing malware on the employee’s laptop.
Session tokens allow a user to stay logged in without having to keep re-entering their password or re-authorizing using two-factor authentication each time. But a stolen session token allows an intruder to gain the same access as the account holder without needing their password or two-factor code.
The initial point of access — the token-stealing on an employee’s laptop — bears some resemblance to how the password manager giant LastPass was hacked, which also involved an intruder targeting an employee’s device, though it’s not known if the two incidents are linked.
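Added example, not part of the comment above and not CircleCI's code: a toy session store that shows why a copied session token is accepted without a password or 2FA, and what binding the token to the client, expiring it, and requiring fresh 2FA for sensitive actions change. The fingerprint scheme (IP plus User-Agent), the TTL and the re-auth window are assumptions made for the demonstration.

```python
"""Added example: why a stolen session token bypasses 2FA, and two server-side
mitigations. Toy in-memory store written for this thread, not CircleCI's code;
the fingerprint scheme, TTL and re-auth window are assumptions."""
import hashlib
import hmac
import secrets

SESSION_TTL = 3600             # seconds a session lives without re-authentication (assumed)
SENSITIVE_REAUTH_WINDOW = 300  # max age of the last 2FA for sensitive actions (assumed)


def device_fingerprint(client_ip: str, user_agent: str) -> str:
    """Hash of attributes the server sees on every request (assumed scheme)."""
    return hashlib.sha256(f"{client_ip}|{user_agent}".encode()).hexdigest()


class SessionStore:
    def __init__(self):
        self._sessions = {}  # token -> record

    def issue(self, user: str, fingerprint: str, now: float) -> str:
        """Called right after password + 2FA succeed."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {
            "user": user,
            "fingerprint": fingerprint,
            "issued_at": now,
            "mfa_at": now,
        }
        return token

    def revoke(self, token: str) -> None:
        self._sessions.pop(token, None)

    def validate_naive(self, token: str):
        """Bearer check only: whoever presents the token is the user.
        This is the property the infostealer abused."""
        rec = self._sessions.get(token)
        return rec["user"] if rec else None

    def validate_bound(self, token: str, fingerprint: str, now: float, sensitive: bool = False):
        """Expiry, client binding, and fresh 2FA for sensitive actions."""
        rec = self._sessions.get(token)
        if rec is None:
            return None
        if now - rec["issued_at"] > SESSION_TTL:
            self.revoke(token)
            return None
        if not hmac.compare_digest(rec["fingerprint"], fingerprint):
            # Same token from a different client: treat as theft and kill the session.
            self.revoke(token)
            return None
        if sensitive and now - rec["mfa_at"] > SENSITIVE_REAUTH_WINDOW:
            return None  # caller must re-prompt for 2FA
        return rec["user"]


def replay_demo() -> dict:
    """Replay a token copied off an employee laptop from an attacker host (constructed data)."""
    store = SessionStore()
    t0 = 1_673_000_000.0  # arbitrary epoch timestamp
    employee_fp = device_fingerprint("198.51.100.10", "Mozilla/5.0 (Macintosh)")
    attacker_fp = device_fingerprint("203.0.113.77", "python-requests/2.28")
    token = store.issue("engineer", employee_fp, t0)

    out = {}
    out["naive_attacker"] = store.validate_naive(token)                              # accepted
    out["bound_attacker"] = store.validate_bound(token, attacker_fp, t0 + 60)        # rejected, session revoked
    out["bound_employee_after"] = store.validate_bound(token, employee_fp, t0 + 120) # also gone: a visible signal

    token2 = store.issue("engineer", employee_fp, t0)
    out["sensitive_fresh_mfa"] = store.validate_bound(token2, employee_fp, t0 + 60, sensitive=True)
    out["sensitive_stale_mfa"] = store.validate_bound(token2, employee_fp, t0 + 600, sensitive=True)
    return out


if __name__ == "__main__":
    for k, v in replay_demo().items():
        print(f"{k}: {v}")
```

The binding check is a heuristic: malware running on the laptop itself can proxy through the same address and copy the User-Agent, so it mostly catches replay from a second host. The durable controls are the other two, short lifetimes and re-authentication before secrets are read, plus revoking every live session as soon as an endpoint is found compromised.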
Tomi Engdahl says:
A Police App Exposed Secret Details About Raids and Suspects
https://www.wired.com/story/sweepwizard-police-raids-data-exposure/
SweepWizard, an app that law enforcement used to coordinate raids, left sensitive information about hundreds of police operations publicly accessible.
The raid was hailed as a success by Chief Michael Moore of the LAPD at a press conference the following week. But there was a problem: Unbeknownst to police, SweepWizard had been leaking a trove of confidential details about the operation to the open internet.
The data, which the LAPD and partners in the regional Internet Crimes Against Children (ICAC) Task Force uploaded to SweepWizard, included private information about the suspects as well as sensitive details that, in the wrong hands, could tip off suspects as to when they were going to be raided and cast suspicion on people who had not yet been convicted of any crime.
The SweepWizard app, built by a company called ODIN Intelligence, is meant to help police manage multi-agency raids. But WIRED found that it didn’t just expose data from Operation Protect the Innocent; it had already leaked confidential details about hundreds of sweeps from dozens of departments over multiple years.
Tomi Engdahl says:
Microsoft: Cuba ransomware hacking Exchange servers via OWASSRF flaw https://www.bleepingcomputer.com/news/security/microsoft-cuba-ransomware-hacking-exchange-servers-via-owassrf-flaw/
Microsoft says Cuba ransomware threat actors are hacking Microsoft Exchange servers unpatched against a critical server-side request forgery (SSRF) vulnerability also exploited in Play ransomware attacks. Cloud computing provider Rackspace recently confirmed that Play ransomware used a zero-day exploit dubbed OWASSRF targeting this bug (CVE-2022-41080) to compromise unpatched Microsoft Exchange servers on its network after bypassing ProxyNotShell URL rewrite mitigations. According to Microsoft, the Play ransomware gang has abused this security flaw since late November 2022. The company advises customers to prioritize CVE-2022-41080 patching to block potential attacks
Tomi Engdahl says:
CISA adds recently-announced Microsoft zero-day to exploited vulnerability catalog https://therecord.media/cisa-adds-recently-announced-microsoft-zero-day-to-exploited-vulnerability-catalog/
CISA ordered all federal civilian agencies to patch CVE-2023-21674 by January 31. The bug – first unveiled in Microsoft’s initial Patch Tuesday release of 2023 – affects the Windows Advanced Local Procedure Call (ALPC) and has a CVSS score of 8.8 out of a possible 10. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges, Microsoft said
Tomi Engdahl says:
Microsoft Defender ASR rules remove icons and apps shortcuts from Taskbar https://www.theregister.com/2023/01/13/happy_friday_13th_microsoft_defender/
Techies are reporting that Microsoft Defender for Endpoint attack surface reduction (ASR) rules have gone haywire and are removing icons and applications shortcuts from the Taskbar and Start Menu. The problems were first noted early today, Friday 13th, by multiple IT folk and many seem to be scratching their head as to the cause. Some said they are experiencing it on both Windows 10 and Windows 11
Tomi Engdahl says:
Russian Hackers Eager to Bypass OpenAI’s Restrictions to Abuse ChatGPT https://www.hackread.com/russian-hackers-bypass-openai-chatgpt/
Russian hacker forums have been flooded with queries wondering how hackers can bypass OpenAI’s restrictions to exploit ChatGPT for spreading malware and other day-to-day criminal operations
Tomi Engdahl says:
Most Cacti Installations Unpatched Against Exploited Vulnerability https://www.securityweek.com/most-cacti-installations-unpatched-against-exploited-vulnerability
Most internet-exposed Cacti installations have not been patched against a critical-severity command injection vulnerability that is being exploited in attacks. “Using Cacti? We started to pick up exploitation attempts for Cacti unauthenticated remote command injection CVE-2022-46169 including subsequent malware download. These started Jan 3rd. Make sure to patch & not expose your Cacti instance to the Internet,” Shadowserver said. This week, attack surface management firm Censys revealed that, out of 6,400 internet-accessible Cacti hosts that it has identified, only 26 were running a patched version of the tool
Tomi Engdahl says:
PoC exploits released for critical bugs in popular WordPress plugins https://www.bleepingcomputer.com/news/security/poc-exploits-released-for-critical-bugs-in-popular-wordpress-plugins/
Three popular WordPress plugins with tens of thousands of active installations are vulnerable to high-severity or critical SQL injection vulnerabilities, with proof-of-concept exploits now publicly available
The first plugin that was found to be vulnerable to SQL injection is ‘Paid Memberships Pro,’ a membership and subscriptions management tool used in over 100,000 websites.
The flaw is tracked as CVE-2023-23488, receiving a CVSSv3 severity rating of 9.8 (critical), and it affects all versions of the plugin older than 2.9.8. Paid Memberships Pro fixed the vulnerability on December 27, 2022, with the release of version 2.9.8.
The second WordPress add-on vulnerable to SQL injection is ‘Easy Digital Downloads,’ an e-commerce solution for selling digital files with over 50,000 active installations.
The vulnerability is tracked as CVE-2023-23489 and has received a CVSSv3 severity rating of 9.8, categorizing it as critical. The flaw impacts all versions below 3.1.0.4, released on January 5, 2023.
Finally, Tenable discovered CVE-2023-23490, a ‘high-severity’ SQL injection flaw in ‘Survey Marker,’ a WordPress plugin used by 3,000 websites for surveys and market research.
The flaw received a severity rating of 8.8, according to the CVSS v3, because the attacker has to be authenticated as at least a subscriber to exploit it.
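Added example, not from the comment above and not the plugins' code: the injection class behind all three CVEs, shown generically with sqlite3. A request parameter pasted into the query text lets a UNION payload read a second table; binding the value through a placeholder (WordPress's `$wpdb->prepare()` does the same job) leaves the statement structure fixed. The tables, columns and rows are constructed for the demonstration.

```python
"""Added example: the injection class behind the three plugin CVEs above,
shown generically with sqlite3. Not the plugins' code; the tables, columns and
the constructed rows are assumptions for this demonstration."""
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE members (id INTEGER PRIMARY KEY, email TEXT, level TEXT);
        INSERT INTO members VALUES (1, 'alice@example.com', 'gold');
        INSERT INTO members VALUES (2, 'bob@example.com', 'free');
        -- a second table the lookup was never meant to reach
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
        INSERT INTO wp_users VALUES (1, 'admin', '$P$constructed_hash');
    """)
    return conn


def member_lookup_vulnerable(conn, member_id: str):
    # Request parameter pasted into the SQL text: its quotes and keywords become SQL.
    sql = f"SELECT id, email, level FROM members WHERE id = '{member_id}'"
    return conn.execute(sql).fetchall()


def member_lookup_fixed(conn, member_id: str):
    # Placeholder binding: the value travels separately and cannot alter the statement.
    sql = "SELECT id, email, level FROM members WHERE id = ?"
    return conn.execute(sql, (member_id,)).fetchall()


# UNION payload: closes the quoted literal, appends a SELECT with the same
# column count against another table, and comments out the trailing quote.
ATTACK = "' UNION SELECT ID, user_login, user_pass FROM wp_users -- "


def demo() -> dict:
    conn = make_db()
    return {
        "legit_vulnerable": member_lookup_vulnerable(conn, "1"),
        "legit_fixed": member_lookup_fixed(conn, "1"),
        "attack_vulnerable": member_lookup_vulnerable(conn, ATTACK),
        "attack_fixed": member_lookup_fixed(conn, ATTACK),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The 9.8 versus 8.8 ratings above differ only in the precondition (unauthenticated versus a subscriber-level account); the sink is the same, and the fix is the same in both cases.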
Tomi Engdahl says:
NortonLifeLock: threat actors breached Norton Password Manager accounts https://securityaffairs.com/140772/data-breach/norton-password-manager-security-breach.html
Gen Digital, formerly Symantec Corporation and NortonLifeLock, warns that hackers breached Norton Password Manager accounts. The company pointed out that its systems were not compromised; the credentials used in the attack may have been obtained from another source.
NortonLifeLock has yet to disclose the number of impacted customers.
Threat actors had access to Password Manager accounts and may have viewed account info, including first name, last name, phone number, and mailing address
Tomi Engdahl says:
Canada’s largest alcohol retailer’s site hacked to steal credit cards https://www.bleepingcomputer.com/news/security/canadas-largest-alcohol-retailers-site-hacked-to-steal-credit-cards/
The Liquor Control Board of Ontario (LCBO), a Canadian government enterprise and the country’s largest beverage alcohol retailer, revealed that unknown attackers had breached its website to inject malicious code designed to steal customer and credit card information at check-out
Tomi Engdahl says:
Microsoft script recreates shortcuts deleted by bad Defender ASR rule https://www.bleepingcomputer.com/news/microsoft/microsoft-script-recreates-shortcuts-deleted-by-bad-defender-asr-rule/
Microsoft released advanced hunting queries (AHQs) and a PowerShell script to find and recover some of the Windows application shortcuts deleted Friday morning by a buggy Microsoft Defender ASR rule.
“Microsoft has confirmed steps that customers can take to recreate start menu links for a significant sub-set of the affected applications that were deleted,” Microsoft explained in a new support document. “These have been consolidated into the PowerShell script below to help enterprise administrators take recovery actions in their environment.” also:
https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/recovering-from-attack-surface-reduction-rule-shortcut-deletions/ba-p/3716011
Tomi Engdahl says:
Elon Musk Themed Crypto Scams Flooding YouTube Today
https://isc.sans.edu/diary/rss/29434
I noticed several videos posted to YouTube today attempting to direct users to crypto coin scam websites. The overall ruse is quite old: The scam promises that Elon Musk, or an organization associated with him, is giving away crypto coins. The catch: You first have to send crypto coins to the address to receive multiple of them back
Tomi Engdahl says:
https://www.securityweek.com/cybersecurity-experts-cast-doubt-hackers-ics-ransomware-claims
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/hackers-exploit-cacti-critical-bug-to-install-malware-open-reverse-shells/
Tomi Engdahl says:
https://www.securityweek.com/circleci-hacked-malware-employee-laptop
Tomi Engdahl says:
The FBI is reportedly probing 3Commas after API keys leaked on Twitter
https://www.bitdefender.com/blog/hotforsecurity/the-fbi-is-reportedly-probing-3commas-after-api-keys-leaked-on-twitter/?cid=soc%7Cc%7Cfb%7Ch4sprivacy%2F
The FBI is purportedly investigating the data breach and subsequent financial losses affecting users of 3Commas, an Estonian-based crypto trading bot platform, CoinDesk reported, without naming its sources.
In late December, the 3Commas data breach made headlines after an anonymous Twitter user posted 10,000 API keys allegedly stolen from the crypto platform.
Although 3Commas denied it suffered any security issues in an initial statement, the company confirmed the breach in a tweet on Dec. 29, 2022.
The threat actor who leaked the API keys also claimed that the 3Commas keys were sold by someone working within the company. 3Commas, however, denied the claims, insisting that “no evidence of an inside job was found.”
Unfortunately, users of the crypto trading platform have already lost over $20 millio
Tomi Engdahl says:
Ransomware Diaries: Undercover with the Leader of Lockbit https://therecord.media/ransomware-diaries-undercover-with-the-leader-of-lockbit/
An unusual announcement appeared in Russian Dark Web forums in June of 2020. Amid the hundreds of ads offering stolen credit card numbers and batches of personally identifiable information there was a Call for Papers. “We’re kicking off the summer PAPER CONTEST,” it read. “Accepted article topics include any methods for popuring shells, malware and malware coding, viruses, trojans, bot development monetization.” also:
https://analyst1.com/ransomware-diaries-volume-1/
Tomi Engdahl says:
S-Pankki warns of strange messages: watch for these signs https://www.is.fi/digitoday/art-2000009329576.html
S-PANKKI is warning about scam messages being sent as SMS to Finns. According to its press release, the sender may show up as S-Pankki rather than just an unfamiliar phone number, in which case the message lands in the same thread as genuine messages from S-Pankki.
The scam messages may, for example, tell the customer about a new payee or suspicious activity on their bank account, but other variants also circulate
Tomi Engdahl says:
Avast releases free BianLian ransomware decryptor https://www.bleepingcomputer.com/news/security/avast-releases-free-bianlian-ransomware-decryptor/
Security software company Avast has released a free decryptor for the BianLian ransomware strain to help victims of the malware recover locked files without paying the hackers. The availability of a decryptor comes only about half a year after increased activity from BianLian ransomware over the summer of 2022, when the threat group breached multiple high-profile organizations
Tomi Engdahl says:
The cause of the Säkylä cyberattack has been found – Kuntalehti: the IT partner made a serious mistake https://www.tivi.fi/uutiset/tv/83a69896-1a01-4559-b64c-824e10f32d6e
The cyberattack that hit the municipality of Säkylä in Satakunta in December was possible because the municipality’s external service provider made a serious mistake. The attack caused damages in the hundreds of thousands of euros, and the municipality is currently looking into whether it can obtain compensation for the incident
Tomi Engdahl says:
Security of supply situational picture: cyber threats and electricity sufficiency raise questions https://www.huoltovarmuuskeskus.fi/a/huoltovarmuuden-tilannekuva-kyberuhat-ja-sahkon-riittavyys-herattavat-kysymyksia
The overall security-of-supply situational picture shows that central government and critical infrastructure companies are facing more cyberattacks than usual. Cyber threats are also one of the key concerns for companies
Tomi Engdahl says:
1.7 TB of data stolen from digital intelligence firm Cellebrite leaked online https://securityaffairs.com/140838/data-breach/cellebrite-software-leaked-online.html
1.7 TB of data stolen from Cellebrite, a digital intelligence company that provides tools for law enforcement, were leaked online
Tomi Engdahl says:
GitHub Disables Pages of Pro-Russia DDoS Group NoName057(16) https://www.hackread.com/github-disables-pages-ddos-noname05716/
NoName057(16) is a pro-Russia hacktivist collective known for targeting several businesses and organizations in European countries, including Poland and Lithuania. The group had its accounts disabled by GitHub for attempting to launch DDoS attacks against the Czech presidential election candidates’ websites last week
Tomi Engdahl says:
Hackers disrupt 24 Hours of Le Mans Virtual esports event https://www.bitdefender.com/blog/hotforsecurity/hackers-disrupt-24-hours-of-le-mans-virtual-esports-event/
A security breach may have cost current Formula 1 World Champion Max Verstappen an esports championship victory yesterday, and he’s not happy. The five-round championship, which culminates in a live 24-hour finale, is ending on a sour note after server problems saw Verstappen – who was leading the race by over a minute – thrown out of the game and disconnected
Tomi Engdahl says:
Malicious Lolip0p PyPi packages install info-stealing malware https://www.bleepingcomputer.com/news/security/malicious-lolip0p-pypi-packages-install-info-stealing-malware/
A threat actor has uploaded to the PyPI (Python Package Index) repository three malicious packages that carry code to drop info-stealing malware on developers’ systems. The malicious packages, discovered by Fortinet, were all uploaded by the same author named ‘Lolip0p’ between January 7 and 12, 2023. Their names are ‘colorslib,’ ‘httpslib,’ and ‘libhttps.’ All three have been reported and removed from the PyPI
Tomi Engdahl says:
Squaring the CircleCI: DevOps platform publishes post-mortem on recent breach https://portswigger.net/daily-swig/squaring-the-circleci-devops-platform-publishes-post-mortem-on-recent-breach
Popular DevOps platform CircleCI has blamed an attack that successfully planted malware on an internal engineer’s laptop for a recent security breach. In a post-mortem on the breach, published on Friday (January 13), the San Francisco-based company offered a detailed description of what went wrong
Tomi Engdahl says:
Hackers use fear of mobilization to target Russians with phishing attacks https://therecord.media/hackers-use-fear-of-mobilization-to-target-russians-with-phishing-attacks/
Hackers took advantage of Russian concerns about mobilization to steal credentials through malicious links, according to new research. In a phishing campaign described by the Russian cybersecurity channel In2security on the messaging app Telegram and confirmed by researchers from antivirus provider Kaspersky Lab, attackers used a phishing website and Telegram bot to collect personal data from Russian users
Tomi Engdahl says:
Abusing a GitHub Codespaces Feature For Malware Delivery https://www.trendmicro.com/en_us/research/23/a/abusing-github-codespaces-for-malware-delivery.html
Proof of Concept (POC): We investigate one of the GitHub Codespaces real-time code development and collaboration features that attackers can abuse for cloud-based trusted malware delivery. Once exploited, malicious actors can abuse legitimate GitHub accounts to create a malware file server
Tomi Engdahl says:
Hacker Guccifer Launched Clinton Email Scandal Out of Prison https://theintercept.com/2023/01/15/guccifer-interview-hacked-clinton-emails/
Guccifer, the Hacker Who Launched Clinton Email Flap, Speaks Out After Nearly a Decade Behind Bars
Tomi Engdahl says:
Researchers: Brace for Zoho ManageEngine ‘Spray and Pray’ Attacks
https://www.securityweek.com/researchers-brace-zoho-manageengine-spray-and-pray-attacks
Security researchers tracking a known pre-authentication remote code execution vulnerability in Zoho’s ManageEngine products are warning organizations to brace for “spray and pray” attacks across the internet.
The vulnerability, patched by Zoho last November, affects multiple Zoho ManageEngine products and can be reached over the internet to launch code execution exploits if SAML single-sign-on is enabled or has ever been enabled.
According to researchers at automated penetration testing firm Horizon3.ai, the CVE-2022-47966 flaw is easy to exploit and a good candidate for so-called “spray and pray” attacks. In this case, the bug gives attackers complete control over the system or an immediate beachhead to launch additional compromises.
“Once an attacker has SYSTEM level access to the endpoint, attackers are likely to begin dumping credentials via LSASS or leverage existing public tooling to access stored application credentials to conduct lateral movement,” the company said in a note documenting its work creating IOCs to help businesses hunt for signs of infection.
Tomi Engdahl says:
InHand Industrial Router Vulnerabilities Expose Internal OT Networks to Attacks
https://www.securityweek.com/inhand-industrial-router-vulnerabilities-expose-internal-ot-networks-attacks
A series of vulnerabilities affecting industrial routers made by InHand Networks could allow hackers to bypass security systems and gain access to internal operational technology (OT) networks from the internet.
The US Cybersecurity and Infrastructure Security Agency (CISA) last week published an advisory to inform organizations about five vulnerabilities identified by a researcher at industrial cybersecurity firm Otorio in InHand’s InRouter302 and InRouter615 cellular routers.
The vendor has released firmware updates that should patch these vulnerabilities.
According to CISA, most of the vulnerabilities are related to message queuing telemetry transport (MQTT) and their exploitation could lead to command/code execution and information disclosure.
One of the security holes has been assigned a ‘critical’ severity rating, two have been rated ‘high severity’ and two are medium-severity issues.
https://www.cisa.gov/uscert/ics/advisories/icsa-23-012-03