This posting is here to collect cyber security news in April 2021.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
260 Comments
Tomi Engdahl says:
Fake Microsoft DirectX 12 site pushes crypto-stealing malware
https://www.bleepingcomputer.com/news/security/fake-microsoft-directx-12-site-pushes-crypto-stealing-malware/
Cybercriminals have created a fake Microsoft DirectX 12 download page to distribute malware that steals your cryptocurrency wallets and passwords.
Even though the site comes complete with a contact form, privacy policy, a disclaimer, and a DMCA infringement page, there is nothing legitimate about the website or the programs it distributes.
lead to malware that tries to steal victims’ files, passwords, and cryptocurrency wallets
Tomi Engdahl says:
Cryptojacking has rocketed ahead of ransomware as the attack of choice for hackers. Here’s what you need to know…
Forget Ransomware, Microsoft Says Cryptojacking Is Our Biggest Threat
BY SIMON BATT
PUBLISHED 2 DAYS AGO
https://www.makeuseof.com/microsoft-says-cryptojacking-is-biggest-threat/?utm_source=MUO-FB-P&utm_medium=Social-Distribution&utm_campaign=MUO-FB-P
As cryptocurrency increases in popularity, so too does the means of gaining it at other’s expense.
Tomi Engdahl says:
Guy disagreed with COVID tracking program, so he replaced QR codes with fake ones. Now he’s banned from carrying any kind of QR codes.
Man Banned From Carrying ‘Loose QR Codes’ After Altering Covid Check-In Signs
https://gizmodo.com/man-banned-from-carrying-loose-qr-codes-after-altering-1846778345
A man in the Australian state of South Australia was arrested Wednesday after allegedly placing his own QR codes on two official covid-19 check-in signs, according to police in South Australia. The man was granted bail with one very specific condition: He can’t carry “loose QR codes” anywhere.
Caitlin McGarry
Davies allegedly placed the fake QR codes at two sites in the Forbes Shopping Center in South Plympton on Sunday and those codes reportedly redirected to an anti-vaccination website. Anyone using the official South Australia covid-19 app wouldn’t be redirected by the altered QR code, according to Australia’s ABC News, but users could be redirected to the anti-vaxx site if they scanned the code with their camera app.
Tomi Engdahl says:
Experian API Exposed Credit Scores of Most Americans
April 28, 2021
https://krebsonsecurity.com/2021/04/experian-api-exposed-credit-scores-of-most-americans/
Big-three consumer credit bureau Experian just fixed a weakness with a partner website that let anyone look up the credit score of tens of millions of Americans just by supplying their name and mailing address, KrebsOnSecurity has learned. Experian says it has plugged the data leak, but the researcher who reported the finding says he fears the same weakness may be present at countless other lending websites that work with the credit bureau.
Tomi Engdahl says:
You can’t design large-scale software without taking responsibility for its impact
Bruce Schneier Wants You to Make Software Better
https://spectrum.ieee.org/at-work/tech-careers/bruce-schneier-wants-you-to-make-software-better
Security technologist Bruce Schneier has a warning: “What you code affects the world now. Gone are the days when programmers could ignore the social context of what they code, when we could say, ‘The users will just figure it all out.’ Today, programs, apps, and algorithms affect society. Facebook’s choices influence democracy. How driverless cars will choose to avoid accidents will affect human lives.”
Schneier should know, because synthesizing and explaining the impact of technology is what he does. “I work at the intersection of security, technology, and people, mostly thinking about security and privacy policy…. I don’t have a single job,” says Schneier. “Instead, I do a portfolio of related things.”
“My latest book, Click Here to Kill Everybody [2018], is about the security of cyberphysical systems. Everything is turning into a computer—cars, appliances, toys, streetlamps, power plants—and these computers can affect the world in a direct physical manner. Computer security is now about life and property.”
Schneier started out in cryptography in the mid-1990s
Becoming a good communicator is essential, stresses Schneier. “Explaining technology across interdisciplinary boundaries requires being able to write, speak, to animate a topic, to analogize and synthesize, to summarize and generalize. These are all critical skills. They’re not specific skills, but they are vitally important.”
Tomi Engdahl says:
Reuters:
Sources: US is investigating a recently discovered hack against federal agencies that used a vulnerability in Pulse Secure VPN, that began during Trump years — (Reuters) – For at least the third time since the beginning of this year, the U.S. government is investigating a hack …
U.S. government probes VPN hack within federal agencies, races to find clues
https://www.reuters.com/article/us-usa-cyber-vpn-idUSKBN2CG2EB
Tomi Engdahl says:
“BadAlloc” Memory allocation vulnerabilities could affect wide range
of IoT and OT devices in industrial, medical, and enterprise networks
https://msrc-blog.microsoft.com/2021/04/29/badalloc-memory-allocation-vulnerabilities-could-affect-wide-range-of-iot-and-ot-devices-in-industrial-medical-and-enterprise-networks/
Microsoft’s Section 52, the Azure Defender for IoT security research
group, recently uncovered a series of critical memory allocation
vulnerabilities in IoT and OT devices that adversaries could exploit
to bypass security controls in order to execute malicious code or
cause a system crash. These remote code execution (RCE)
vulnerabilities cover more than 25 CVEs and potentially affect a wide
range of domains, from consumer and medical IoT to Industrial IoT,
Operational Technology (OT), and industrial control systems.
Tomi Engdahl says:
PHP Supply Chain Attack on Composer
https://blog.sonarsource.com/php-supply-chain-attack-on-composer
In the PHP ecosystem, Composer is the major tool to manage and install
software dependencies. It is used by development teams world-wide to
ease the update process and to ensure that applications work
effortless across environments and versions. During our security
research, we discovered a critical vulnerability in the source code of
Composer which is used by Packagist. It allowed us to execute
arbitrary system commands on the Packagist.org server. In this blog
post, we introduce the detected code vulnerabilities and how these
were patched.
Tomi Engdahl says:
Ransomware gang leaks court and prisoner files from Illinois Attorney
General Office
https://therecord.media/ransomware-gang-leaks-court-and-prisoner-files-from-illinois-attorney-general-office/
The operators of the DopplePaymer ransomware have leaked a large
collection of files from the Illinois Office of the Attorney General
after negotiations have broken down and officials refused to pay a
ransom demand, The Record has learned.
Tomi Engdahl says:
A Finnish researcher decided to test whether an attack on Apple’s systems would succeed; well, it did
https://www.tivi.fi/uutiset/tv/8cce5350-ebf3-4cff-ba40-1f5fe9a9911b
Aapo Oksman, a security expert at the cyber security company Nixu, found a vulnerability in Apple’s iOS operating system and in the way its App Store works. The vulnerability was patched in the recently released iOS 14.5 and iPadOS 14.5 updates.
Tomi Engdahl says:
City fined for tracking its citizens via their phones
https://blog.malwarebytes.com/privacy-2/2021/04/city-fined-for-tracking-its-citizens-via-their-phones/
The Dutch information watchdog, the Autoriteit Persoonsgegevens (AP), has
fined the city of Enschede 600,000 for tracking its citizens’
movements without permission. It is the first time that a Dutch
government body has been fined by the AP. The investigation was set in
motion after it received a complaint about tracking.
Tomi Engdahl says:
Stealthy RotaJakiro Backdoor Targeting Linux Systems
https://www.securityweek.com/stealthy-rotajakiro-backdoor-targeting-linux-systems
Previously undocumented and stealthy Linux malware named RotaJakiro has been discovered targeting Linux X64 systems. It has been undetected for at least three years, and operates as a backdoor.
Four samples have now been discovered, all using the same C2s. The earliest was discovered in 2018. None of the samples were labeled malware by VirusTotal.
The discovery was made by researchers at Chinese security firm Qihoo 360 NETLAB after their BotMon system flagged a suspicious ELF file. Investigation revealed the backdoor malware they named RotaJakiro, because, say the researchers, “the family uses rotate encryption and behaves differently for root/non-root accounts when executing.”
Tomi Engdahl says:
BadAlloc: Microsoft Flags Major Security Holes in OT, IoT Devices
https://www.securityweek.com/badalloc-microsoft-flags-major-security-holes-ot-iot-devices
Security researchers at Microsoft are raising the alarm for multiple gaping security holes in a wide range of enterprise internet-connected devices, warning that the high-risk bugs expose businesses to remote code execution attacks.
According to an advisory from Redmond’s Azure Defender for IoT security research group, there are at least 25 documented vulnerabilities (CVEs) affecting a wide range of IoT and operational technology (OT) devices in industrial, medical, and enterprise networks.
Microsoft is calling the family of vulnerabilities “BadAlloc”.
“Our research shows that memory allocation implementations written throughout the years as part of IoT devices and embedded software have not incorporated proper input validations. Without these input validations, an attacker could exploit the memory allocation function to perform a heap overflow, resulting in execution of malicious code on a target device,” Microsoft explained.
[Adversaries] could exploit to bypass security controls in order to execute malicious code or cause a system crash, Microsoft warned.
A separate advisory from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) provides a list of affected devices and information on applying available security patches.
According to Microsoft, the vulnerabilities exist in standard memory allocation functions spanning widely used real-time operating systems (RTOS), embedded software development kits (SDKs), and C standard library (libc) implementations.
The list of affected products includes IoT/OT devices sold by Amazon, ARM, Cesanta, Google Cloud, Samsung, Texas Instruments and Tencent. US-CERT says various open-source products are also affected.
ICS Advisory (ICSA-21-119-04)
Multiple RTOS
https://us-cert.cisa.gov/ics/advisories/icsa-21-119-04
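The BadAlloc pattern described in the two posts above (an allocation size computed from an untrusted element count and element size without integer-overflow checking, so a huge request wraps around to a tiny buffer and later writes overflow the heap) is easier to see in code. The C example below is added here; it is not code from Microsoft’s advisory or from any affected RTOS or libc, the function names are my own, and the sizes in the demonstration are constructed. It shows the unchecked size computation beside a hardened version that rejects the request when the multiplication would wrap.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Reconstruction of the weak pattern the BadAlloc advisory describes
   (illustrative, not vendor code): count * elem_size is computed in
   size_t with no wraparound check, so an oversized request silently
   becomes a tiny allocation. */
size_t unchecked_alloc_size(size_t count, size_t elem_size)
{
    return count * elem_size; /* may wrap around modulo SIZE_MAX + 1 */
}

/* Returns 1 when the unchecked computation produced fewer bytes than
   elements requested, i.e. the multiplication wrapped. Used to show
   the defect without actually allocating or writing out of bounds. */
int wraps_to_small(size_t count, size_t elem_size)
{
    size_t bytes = unchecked_alloc_size(count, elem_size);
    return elem_size != 0 && bytes < count;
}

/* Hardened size computation: refuse the request if count * elem_size
   cannot be represented. Returns 0 on overflow or on a zero-byte
   request, which callers treat as allocation failure. */
size_t checked_alloc_size(size_t count, size_t elem_size)
{
    if (count == 0 || elem_size == 0) {
        return 0;
    }
    if (count > SIZE_MAX / elem_size) {
        return 0; /* would wrap: reject instead of under-allocating */
    }
    return count * elem_size;
}

/* Allocator wrapper built on the checked computation. Returns NULL
   for any request whose byte size would overflow. */
void *safe_array_alloc(size_t count, size_t elem_size)
{
    size_t bytes = checked_alloc_size(count, elem_size);
    if (bytes == 0) {
        return NULL;
    }
    return malloc(bytes);
}

/* Round-trip check: allocate, fill every element, free. Returns 1 on
   success, 0 if the wrapper (correctly) refused the request. */
int alloc_roundtrip(size_t count, size_t elem_size)
{
    unsigned char *buf = safe_array_alloc(count, elem_size);
    if (buf == NULL) {
        return 0;
    }
    memset(buf, 0xAA, count * elem_size); /* safe: size was validated */
    free(buf);
    return 1;
}

int main(void)
{
    /* Constructed request: (SIZE_MAX / 4 + 2) elements of 4 bytes
       wraps to exactly 4 bytes in the unchecked computation. */
    size_t count = SIZE_MAX / 4 + 2;
    printf("unchecked size: %zu bytes (wrapped: %s)\n",
           unchecked_alloc_size(count, 4),
           wraps_to_small(count, 4) ? "yes" : "no");
    printf("checked size:   %zu (0 means rejected)\n",
           checked_alloc_size(count, 4));
    printf("normal request of 10 x 4 bytes: %s\n",
           alloc_roundtrip(10, 4) ? "ok" : "rejected");
    return 0;
}
```

The `count > SIZE_MAX / elem_size` test is the portable way to detect the wrap before it happens; compilers that support `__builtin_mul_overflow` can do the same in one call, but the division form works on any C implementation, including the embedded toolchains the advisory is about.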
Tomi Engdahl says:
Vulnerability Exposes F5 BIG-IP to Kerberos KDC Hijacking Attacks
https://www.securityweek.com/vulnerability-exposes-f5-big-ip-kerberos-kdc-hijacking-attacks
Tomi Engdahl says:
DigitalOcean Discloses Breach Involving Billing Information
https://www.securityweek.com/digitalocean-discloses-breach-involving-billing-information
Tomi Engdahl says:
Several High-Severity Vulnerabilities Expose Cisco Firewalls to Remote Attacks
https://www.securityweek.com/several-high-severity-vulnerabilities-expose-cisco-firewalls-remote-attacks
Cisco this week released patches for multiple vulnerabilities in Firepower Threat Defense (FTD) software, including high-severity issues that could be exploited for arbitrary command execution or denial-of-service (DoS) attacks.
Tracked as CVE-2021-1448 and having a CVSS score of 7.8, the command injection bug is mitigated by the fact that authentication and local access are required for successful exploitation. An attacker able to abuse it, however, may execute arbitrary commands as root on the underlying OS.
The flaw exists because user-supplied command arguments aren’t sufficiently validated, and affects Firepower 4100 and Firepower 9300 series appliances. No workarounds exist, but software updates to address the vulnerability are already available.
Another flaw rooted in insufficient validation impacts the software-based SSL/TLS message handler of FTD and could be abused to cause a DoS condition. The security hole is tracked as CVE-2021-1402 (CVSS score of 8.6).
Remote, unauthenticated attackers could exploit this vulnerability by sending a “crafted SSL/TLS message through an affected device.” However, messages that are sent to the affected device won’t trigger the bug, Cisco notes.
Affected devices include 3000 series industrial security appliances (ISAs), ASA 5512-X/ASA 5515-X/ASA 5525-X/ASA 5545-X/ASA 5555-X adaptive security appliances, Firepower 1000/2100 series, and Firepower Threat Defense Virtual (FTDv) products.
Tomi Engdahl says:
ISC urges updates of DNS servers to wipe out new BIND vulnerabilities
The security flaws could lead to remote exploitation.
https://www.zdnet.com/article/isc-urges-updates-of-dns-servers-to-wipe-out-new-bind-vulnerabilities/
The Internet Systems Consortium (ISC) has released an advisory outlining a trio of vulnerabilities that could impact the safety of DNS systems.
This week, the organization said the vulnerabilities impact ISC Berkeley Internet Name Domain (BIND) 9, widely used as a DNS system and maintained as an open source project.
The first vulnerability is tracked as CVE-2021-25216 and has been issued a CVSS severity score of 8.1 (32-bit) or 7.4 (64-bit). Threat actors can remotely trigger the flaw by performing a buffer overflow attack against BIND’s GSSAPI security policy negotiation mechanism for the GSS-TSIG protocol, potentially leading to wider exploits including crashes and remote code execution.
However, under configurations using default BIND settings, vulnerable code paths are not exposed — unless a server’s values (tkey-gssapi-keytab/tkey-gssapi-credential) are set otherwise.
“Although the default configuration is not vulnerable, GSS-TSIG is frequently used in networks where BIND is integrated with Samba, as well as in mixed-server environments that combine BIND servers with Active Directory domain controllers,”
Tomi Engdahl says:
A crafty Linux malware has evaded detection for years and experts still don’t know what it does
By Paul Lilly 2 days ago
Crafty malware has managed to hide in plain sight since at least 2018.
https://www.pcgamer.com/a-crafty-linux-malware-has-evaded-detection-for-years-and-experts-still-dont-know-what-it-does/
Tomi Engdahl says:
https://www.immuniweb.com/compliance/
Tomi Engdahl says:
Cybercriminals Widely Abusing Excel 4.0 Macro to Distribute Malware https://thehackernews.com/2021/04/cybercriminals-widely-abusing-excel-40.html
Threat actors are increasingly adopting Excel 4.0 documents as an initial stage vector to distribute malware such as ZLoader and Quakbot, according to new research. The findings come from an analysis of 160,000 Excel 4.0 documents between November 2020 and March 2021, out of which more than 90% were classified as malicious or suspicious.
Tomi Engdahl says:
Security firm Kaspersky believes it found new CIA malware https://therecord.media/security-firm-kaspersky-believes-it-found-new-cia-malware/
Cybersecurity firm Kaspersky said today it discovered new malware that appears to have been developed by the US Central Intelligence Agency.
Kaspersky said it discovered the malware in “a collection of malware samples” that its analysts and other security firms received in February 2019.
Tomi Engdahl says:
RotaJakiro: A long live secret backdoor with 0 VT detection https://blog.netlab.360.com/stealth_rotajakiro_backdoor_en/
On March 25, 2021, 360 NETLAB’s BotMon system flagged a suspicious ELF file (MD5=64f6cfe44ba08b0babdd3904233c4857) with 0 VT detection. The sample communicates with 4 domains on TCP 443 (HTTPS), but the traffic is not TLS/SSL. A close look at the sample revealed it to be a backdoor targeting Linux X64 systems, a family that has been around for at least 3 years.
Tomi Engdahl says:
Meet critical infrastructure security compliance requirements with Microsoft 365 https://www.microsoft.com/security/blog/2021/04/27/meet-critical-infrastructure-security-compliance-requirements-with-microsoft-365/
IT environments, with their large attack surface, can be the entryway to attack critical infrastructure even where those IT systems are not critical infrastructure themselves. Security and compliance failures may include life safety, environmental, or national security consequences, a different risk management challenge from other enterprise IT systems.
Tomi Engdahl says:
Microsoft mulls over tweaks to threat data, code-sharing scheme following Exchange Server debacle https://www.zdnet.com/article/microsoft-mulls-over-threat-data-code-sharing-scheme-following-exchange-server-debacle/
Microsoft is reportedly considering revisions to a threat and vulnerability sharing program suspected of being a key factor in widespread attacks against Exchange servers. According to six people close to the matter, as reported by Bloomberg, Microsoft is considering revisions to the program that could alter how and when information concerning vulnerabilities in the vendor’s products is shared. The publication says that Microsoft fears participants may have “tipped off” threat actors after critical Exchange Server vulnerabilities were shared with partners privately in February. At least two Chinese companies are involved in the probe.
Tomi Engdahl says:
Google Promised Its Contact Tracing App Was Completely Private, But It Wasn’t https://themarkup.org/privacy/2021/04/27/google-promised-its-contact-tracing-app-was-completely-private-but-it-wasnt
Researchers say hundreds of preinstalled apps can access a log found on Android devices where sensitive contact tracing information is stored
Why Google Should Stop Logging Contact-Tracing Data https://blog.appcensus.io/2021/04/27/why-google-should-stop-logging-contact-tracing-data/
Recently, we found that Google’s implementation of GAEN logs crucial pieces of information to the system log, which can be read by hundreds of third-party apps and used for the privacy attacks that we previously warned about.
Tomi Engdahl says:
Ransomware gang threatens to expose police informants if ransom is not paid https://therecord.media/ransomware-gang-threatens-to-expose-police-informants-if-ransom-is-not-paid/
A ransomware gang is threatening to leak sensitive police files that may expose police investigations and informants unless the Metropolitan Police Department of the District of Columbia agrees to pay a ransom demand. “We are aware of unauthorized access on our server,” Sean Hickman, a public spokesperson for DC Police, told The Record in an email today after screenshots of the department’s internal files and servers were published on the website of the Babuk Locker ransomware gang.
Tomi Engdahl says:
Data breach at state agencies: China is behind similar attacks, the authority is tight-lipped https://www.is.fi/digitoday/tietoturva/art-2000007942369.html
The attack, carried out through a software vulnerability, raises many questions, but answers are scarce.
Tomi Engdahl says:
3.2 Billion Leaked Passwords Contain 1.5 Million Records with Government Emails https://thehackernews.com/2021/04/32-billion-leaked-passwords-contain-15.html
A staggering number of 3.28 billion passwords linked to 2.18 billion unique email addresses were exposed in what’s one of the largest data dumps of breached usernames and passwords. The findings come from an analysis of a massive 100GB data set called “COMB21”, aka Compilation of Many Breaches, that was published for free in an online cybercrime forum earlier this February by putting together data from multiple leaks in different companies and organizations that occurred over the years.
Tomi Engdahl says:
New ICS Threat Activity Group: TALONITE
https://www.dragos.com/blog/industry-news/new-ics-threat-activity-group-talonite/
Dragos first disclosed four new threat activity groups targeting ICS/OT in the ICS Cybersecurity 2020 Year in Review report. In this blog post, we will provide more information on one of the new groups:
TALONITE.
Tomi Engdahl says:
10,000+ unpatched home alarm systems can be deactivated remotely https://therecord.media/10000-unpatched-home-alarm-systems-can-be-deactivated-remotely/
Thousands of ABUS Secvest smart alarm systems are currently unpatched and vulnerable to a bug that would allow miscreants to remotely disable alarm systems and expose homes and corporate headquarters to intrusions and thefts. ABUS patched the bug in January, but three months later, more than 90% of its customers have yet to apply the firmware patch.
Tomi Engdahl says:
SolarWinds hack analysis reveals 56% boost in command server footprint https://www.zdnet.com/article/solarwinds-hack-analysis-reveals-56-boost-in-command-server-footprint/
A new analysis of the SolarWinds breach suggests that the attacker infrastructure behind the campaign is far larger than first believed
Tomi Engdahl says:
Researchers Find Additional Infrastructure Used By SolarWinds Hackers https://thehackernews.com/2021/04/researchers-find-additional.html
The sprawling SolarWinds cyberattack which came to light last December was known for its sophistication in the breadth of tactics used to infiltrate and persist in the target infrastructure. So much so that Microsoft went on to call the threat actor behind the campaign “skillful and methodic operators who follow operations security (OpSec) best practices to minimize traces, stay under the radar, and avoid detection.” Also:
https://www.riskiq.com/blog/external-threat-management/solarwinds-c2-servers-new-tactics/
Tomi Engdahl says:
FBI face recognition trawl finds Capitol rioter via his girlfriend’s Instagram https://blog.malwarebytes.com/privacy-2/2021/04/fbi-face-recognition-trawl-finds-capitol-rioter-via-his-girlfriends-instagram/
Facial recognition tech is in the news again after the FBI discovered the identity of one of the Capitol rioters by using facial recognition software on his girlfriend’s Instagram posts. It may sound scary and invasive, but in truth, what’s happening isn’t particularly new.
Tomi Engdahl says:
In epic hack, Signal developer turns the tables on forensics firm Cellebrite https://arstechnica.com/information-technology/2021/04/in-epic-hack-signal-developer-turns-the-tables-on-forensics-firm-cellebrite/
For years, Israeli digital forensics firm Cellebrite has helped governments and police around the world break into confiscated mobile phones, mostly by exploiting vulnerabilities that went overlooked by device manufacturers. Now, Moxie Marlinspike, the brainchild behind the Signal messaging app, has turned the tables.
Tomi Engdahl says:
Lazarus APT conceals malicious code within BMP image to drop its RAT https://blog.malwarebytes.com/malwarebytes-news/2021/04/lazarus-apt-conceals-malicious-code-within-bmp-file-to-drop-its-rat/
Lazarus APT is one of the most sophisticated North Korean Threat Actors that has been active since at least 2009. This actor is known to target the U.S., South Korea, Japan and several other countries. In one of their most recent campaigns Lazarus used a complex targeted phishing attack against security researchers.
Tomi Engdahl says:
Malware That Spreads Via Xcode Projects Now Targeting Apple’s M1-based Macs https://thehackernews.com/2021/04/malware-spreads-via-xcode-projects-now.html
A Mac malware campaign targeting Xcode developers has been retooled to add support for Apple’s new M1 chips and expand its features to steal confidential information from cryptocurrency apps.
Tomi Engdahl says:
Malvertisers hacked 120 ad servers to load malicious ads https://therecord.media/malvertisers-hacked-120-ad-servers-to-load-malicious-ads/
A malvertising operation known under the codename of Tag Barnakle has breached more than 120 ad servers over the past year and inserted malicious code into legitimate ads that redirected website visitors to sites promoting scams and malware.
Tomi Engdahl says:
SolarWinds hack affected six EU agencies https://therecord.media/solarwinds-hack-affected-six-eu-agencies/
Six European Union institutions were hacked as part of the SolarWinds supply chain attack, a top EU administration official said this week.
CERT-EU officials said that only 14 EU institutions ran a version of the SolarWinds Orion IT monitoring platform, which was the conduit of SolarWinds supply chain attack.
Tomi Engdahl says:
Spring cleaning? Don’t forget about your digital footprint https://www.welivesecurity.com/2021/04/16/spring-cleaning-dont-forget-digital-footprint
You’ve probably heard the phrase “digital footprint” before, but do you really know what it is? Your social media content, various online payment transactions, location history, emails sent, messages sent through instant messaging platforms, and passport usage: these are just some of the data that makes up your digital footprint.
Tomi Engdahl says:
White House formally blames Russian intelligence service SVR for SolarWinds hack https://therecord.media/white-house-formally-blames-russian-intelligence-service-svr-for-solarwinds-hack/
In a press release today announcing a broad set of sanctions against the Russian government, the Biden administration has formally named the Russian Foreign Intelligence Service, also known as the SVR, as the perpetrator of the 2020 SolarWinds Orion supply chain attack. The White House said that the SVR’s hacking unit, known as APT 29, Cozy Bear, or The Dukes, exploited the SolarWinds Orion platform and other information technology infrastructures as part of a broad-scope cyber espionage campaign. See also https://www.whitehouse.gov/briefing-room/statements-releases/2021/04/15/fact-sheet-imposing-costs-for-harmful-foreign-activities-by-the-russian-government/
and https://home.treasury.gov/news/press-releases/jy0127 and https://www.gov.uk/government/news/russia-uk-exposes-russian-involvement-in-solarwinds-cyber-compromise
and https://www.nato.int/cps/en/natohq/official_texts_183168.htm and https://www.consilium.europa.eu/en/press/press-releases/2021/04/15/declaration-by-the-high-representative-on-behalf-of-the-european-union-expressing-solidarity-with-the-united-states-on-the-impact-of-the-solarwinds-cyber-operation/
Tomi Engdahl says:
University of Hertfordshire pulls the plug on, well, everything after cyber attack https://www.theregister.com/2021/04/15/university_hertfordshire_cyber_attack/
The University of Hertfordshire has fallen victim to a cyber attack that has resulted in the establishment pulling all its systems offline to deal with the situation.
Tomi Engdahl says:
FBI blasts away web shells on US servers in wake of Exchange vulnerabilities https://www.zdnet.com/article/fbi-blasts-away-web-shells-on-us-servers-in-wake-of-exchange-vulnerabilities/
Feds turn into cyberfirefighters and hose down the web shell bonfire raging on hundreds of unpatched Exchange servers.
Tomi Engdahl says:
An Update: The COVID-19 Vaccines Global Cold Chain Continues to Be a Target https://securityintelligence.com/posts/covid-19-vaccine-global-cold-chain-security/
In December 2020, IBM Security X-Force released a research blog disclosing that the COVID-19 cold chain, an integral part of delivering and storing COVID-19 vaccines at safe temperatures, was targeted by cyber adversaries. After that first report, we recently discovered an additional 50 files tied to spear-phishing emails that targeted 44 companies in 14 countries in Europe, North America, South America, Africa and Asia.
Tomi Engdahl says:
Capcom: Ransomware gang used old VPN device to breach the network https://www.bleepingcomputer.com/news/security/capcom-ransomware-gang-used-old-vpn-device-to-breach-the-network/
Capcom has released a final update about the ransomware attack it suffered last year, detailing how the hackers gained access to the network, compromised devices, and stole personal information belonging to thousands of individuals.
Tomi Engdahl says:
Malware attack is preventing car inspections in eight US states https://www.bleepingcomputer.com/news/security/malware-attack-is-preventing-car-inspections-in-eight-us-states/
A malware cyberattack on emissions testing company Applus Technologies is preventing vehicle inspections in eight states, including Connecticut, Georgia, Idaho, Illinois, Massachusetts, Utah, and Wisconsin. Applus Technologies cannot provide a time frame for when they will restore service as State governments require them to go through a rigorous mitigation and testing process. While it is not known what type of malware was associated with the attack, Applus was likely targeted by a ransomware attack.
Tomi Engdahl says:
Buffer overruns, license violations, and bad code: FreeBSD 13′s close call https://arstechnica.com/gadgets/2021/03/buffer-overruns-license-violations-and-bad-code-freebsd-13s-close-call/
40,000 lines of flawed code almost made it into FreeBSD’s kernel.
Matthew Macy seemed like a perfectly reasonable choice to port WireGuard into the FreeBSD kernel. After roughly nine months of part-time development, Macy committed his port, largely unreviewed and inadequately tested, directly into the HEAD section of FreeBSD’s code repository, where it was scheduled for incorporation into FreeBSD 13.0-RELEASE.
Tomi Engdahl says:
Hundreds Of Millions Of Dell Computers At Risk Due to Multiple BIOS Driver Privilege Escalation Flaws https://labs.sentinelone.com/cve-2021-21551-hundreds-of-millions-of-dell-computers-at-risk-due-to-multiple-bios-driver-privilege-escalation-flaws/
SentinelLabs has discovered five high severity flaws in Dell’s firmware update driver impacting Dell desktops, laptops, notebooks and tablets since 2009. Attackers may exploit these vulnerabilities to locally escalate to kernel-mode privileges. Dell has released a security update to its customers to address this vulnerability: https://www.dell.com/support/kbdoc/fi-fi/000186019/dsa-2021-088-dell-client-platform-security-update-for-dell-driver-insufficient-access-control-vulnerability
Also: https://threatpost.com/dell-kernel-privilege-bugs/165843/
Also: https://www.forbes.com/sites/thomasbrewster/2021/05/04/warning-hundreds-of-millions-at-risk-from-12-year-old-vulnerabilities-lying-deep-in-dell-pcs/?sh=492ec6e263b3
Tomi Engdahl says:
Spectre attacks come back from the dead
https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/05/spectre-attacks-come-back-from-the-dead/
New research has discovered Spectre attacks that bypass existing mitigations. The research claims that all modern AMD and Intel chips with micro-op caches are vulnerable to Spectre-style attacks. The good news is that exploiting Spectre vulnerabilities isn’t easy. It will require an enormous amount of knowledge about the processor at hand and a lot of luck to find any specific information an attacker could be looking for.
Tomi Engdahl says:
Android Updates for May 2021 Patch Over 40 Vulnerabilities
https://www.securityweek.com/android-updates-may-2021-patch-over-40-vulnerabilities
The Android operating system updates released by Google for May 2021 patch a total of 42 vulnerabilities, including four considered critical severity.
Addressed as part of the 2021-05-01 security patch level, three of the critical flaws were identified in the System component and all three could be exploited remotely to execute arbitrary code on a vulnerable device.
“The most severe of these issues is a critical security vulnerability in the System component that could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process,” Google explains.
Tracked as CVE-2021-0473 and CVE-2021-0474, two of these bugs affect Android 8.1, 9, 10, and 11 releases, while the third, CVE-2021-0475, impacts Android 10 and 11 only.
https://source.android.com/security/bulletin/2021-05-01
Tomi Engdahl says:
Tesla Car Hacked Remotely From Drone via Zero-Click Exploit
https://www.securityweek.com/tesla-car-hacked-remotely-drone-zero-click-exploit
Two researchers have shown how a Tesla — and possibly other cars — can be hacked remotely without any user interaction. They carried out the attack from a drone.
This was the result of research conducted last year by Ralf-Philipp Weinmann of Kunnamon and Benedikt Schmotzle of Comsecuris. The analysis was initially carried out for the Pwn2Own 2020 hacking competition — the contest offered a car and other significant prizes for hacking a Tesla — but the findings were later reported to Tesla through its bug bounty program after Pwn2Own organizers decided to temporarily eliminate the automotive category due to the coronavirus pandemic.
The attack, dubbed TBONE, involves exploitation of two vulnerabilities affecting ConnMan, an internet connection manager for embedded devices. An attacker can exploit these flaws to take full control of the infotainment system of a Tesla without any user interaction.