Cyber security news May 2021

This posting is here to collect cyber security news in May 2021.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.

318 Comments

  1. Tomi Engdahl says:

    Crimes of Opportunity: Increasing Frequency of Low Sophistication Operational Technology Compromises https://www.fireeye.com/blog/threat-research/2021/05/increasing-low-sophistication-operational-technology-compromises.html
Mandiant researchers walk through the low-sophistication compromises of OT environments they observed during 2020.

    Reply
  2. Tomi Engdahl says:

    Attacks on PDF Certification
    https://web-in-security.blogspot.com/2021/05/attacks-on-pdf-certification.html
The PDF specification also defines the certification of documents, also known as certification signatures. Researchers performed an extensive analysis of the security of PDF certification. In doing so, they developed the Evil Annotation Attack (EAA), as well as the Sneaky Signature Attack (SSA).

    Reply
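Both attacks described above rely on content that is appended to a certified document as an incremental update after the certification signature was computed, which the signature's /ByteRange does not cover. The check below, an added example that is not the researchers' own tooling, parses a PDF's first /ByteRange and DocMDP permission level and reports what was appended past the signed region (annotations for an EAA-style change, extra signature fields for an SSA-style one). The sample PDFs are constructed inline and deliberately minimal: the signature value is a dummy, and the regex-based parsing is an assumption good enough for an audit, not a full PDF parser.

```python
import re

# Regexes for the handful of PDF objects the audit needs. They run over raw bytes;
# spotting appended data does not require a full PDF object parser.
BYTERANGE_RE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")
DOCMDP_RE = re.compile(rb"/TransformMethod\s*/DocMDP\b")
P_RE = re.compile(rb"/P\s+([123])\b")
ANNOT_RE = re.compile(rb"/Type\s*/Annot\b.*?/Subtype\s*/(\w+)", re.S)
SIGFIELD_RE = re.compile(rb"/FT\s*/Sig\b")


def audit_certified_pdf(pdf: bytes) -> dict:
    """Report what sits after the first (certification) signature's signed range.

    ByteRange [a b c d] covers bytes a..a+b and c..c+d. Everything past c+d was
    written after the signature was computed, i.e. as an incremental update, which
    is exactly where appended annotations or extra signature fields would live.
    """
    m = BYTERANGE_RE.search(pdf)
    if m is None:
        return {"signed": False}
    _a, _b, c, d = (int(x) for x in m.groups())
    signed_end = c + d
    certified = DOCMDP_RE.search(pdf, 0, signed_end) is not None
    perm = P_RE.search(pdf, 0, signed_end) if certified else None
    tail = pdf[signed_end:]
    report = {
        "signed": True,
        "certified": certified,
        # DocMDP /P: 1 = no changes, 2 = form fill-in and signing, 3 = also annotations
        "permission": int(perm.group(1)) if perm else None,
        "trailing_bytes": len(tail),
        "incremental_updates": tail.count(b"%%EOF"),
        "appended_annotations": [s.decode("ascii", "replace") for s in ANNOT_RE.findall(tail)],
        "appended_signature_fields": len(SIGFIELD_RE.findall(tail)),
    }
    # Even changes the /P level permits deserve a human look in a certified document.
    report["verdict"] = "clean" if not tail.strip() else "review"
    return report


def build_sample(append_annotation: bool) -> bytes:
    """Constructed minimal certified PDF (dummy signature value), optionally with an
    incremental update that appends a FreeText annotation after the signed range."""
    placeholder = b"[0000000000 0000000000 0000000000 0000000000]"
    hexsig = b"<" + b"00" * 32 + b">"
    pre = (b"%PDF-1.7\n"
           b"1 0 obj\n<< /Type /Catalog /Perms << /DocMDP 2 0 R >> >>\nendobj\n"
           b"2 0 obj\n<< /Type /Sig /Filter /Adobe.PPKLite "
           b"/Reference [<< /TransformMethod /DocMDP /TransformParams << /P 3 >> >>] "
           b"/ByteRange ")
    mid = b" /Contents "
    post = b" >>\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n"
    c_start = len(pre) + len(placeholder) + len(mid)   # offset of "<" of /Contents
    c_end = c_start + len(hexsig)                       # offset just past ">"
    total = c_end + len(post)
    byterange = b"[%010d %010d %010d %010d]" % (0, c_start, c_end, total - c_end)
    pdf = pre + byterange + mid + hexsig + post
    assert len(pdf) == total
    if append_annotation:
        pdf += (b"3 0 obj\n<< /Type /Annot /Subtype /FreeText /Rect [10 10 200 50] "
                b"/Contents (Amount: 10000 EUR) >>\nendobj\n"
                b"trailer\n<< /Root 1 0 R /Prev 0 >>\n%%EOF\n")
    return pdf


if __name__ == "__main__":
    for tampered in (False, True):
        print("tampered" if tampered else "clean", audit_certified_pdf(build_sample(tampered)))
```

A "review" verdict is not proof of an attack: incremental updates are how legitimate form filling and counter-signing work, so the report lists what was appended and leaves the decision to whoever validates the document.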
  3. Tomi Engdahl says:

    New hammering technique for DRAM Rowhammer bug https://security.googleblog.com/2021/05/introducing-half-double-new-hammering.html
Half-Double is a new Rowhammer technique that capitalizes on the worsening physics of some of the newer DRAM chips to alter the contents of memory.

    Reply
  4. Tomi Engdahl says:

    New Bluetooth Vulnerabilities Could Expose Many Devices to Impersonation Attacks
    https://www.securityweek.com/new-bluetooth-vulnerabilities-could-expose-many-devices-impersonation-attacks

    Researchers working for a French government agency have identified seven new Bluetooth vulnerabilities that could expose many devices to impersonation and other types of attacks.

    The flaws, discovered by researchers at France’s national cybersecurity agency ANSSI, affect devices that support the Bluetooth Core and Mesh specifications, which define technical and policy requirements for devices operating over Bluetooth connections.

    Malicious actors who are within Bluetooth range can exploit the weaknesses to impersonate legitimate devices, according to an advisory published on Monday by the CERT Coordination Center (CERT/CC) at Carnegie Mellon University.

    Advisories for each flaw have also been published by the Bluetooth Special Interest Group (SIG), the organization that oversees the development of Bluetooth standards.

    https://kb.cert.org/vuls/id/799380
    https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/reporting-security/

    Reply
  5. Tomi Engdahl says:

    Hack Prompts New Security Regulations for US Pipelines
    https://www.securityweek.com/hack-prompts-new-security-regulations-us-pipelines

    The federal government will issue cybersecurity regulations in the coming days for U.S. pipeline operators following a ransomware attack that led to fuel shortages across much of the Eastern Seaboard.

    The Transportation Security Administration, which oversees the nation’s network of pipelines, is expected to issue a security directive this week that will address some of the issues raised by the Colonial Pipeline shutdown, a U.S. official said Tuesday.

    The directive will include a requirement that pipeline companies report cyber incidents to the federal government, said the official, speaking on condition of anonymity because the proposal has not yet been publicly released.

    It addresses, to an extent, the ransomware attack that led to the shutdown of the pipeline this month, but it also reflects a broader Biden administration focus on cybersecurity after a series of damaging intrusions by overseas hackers.

    The Department of Homeland Security declined to confirm any specifics of the pending directive, issuing a statement that said TSA and another component of the agency, the Cybersecurity and Infrastructure Agency, are working with private companies to address cyber threats. “The Biden Administration is taking further action to better secure our nation’s critical infrastructure,” it said.

    Reply
  6. Tomi Engdahl says:

    Catalin Cimpanu / The Record:
    RaidForums is blocked in Indonesia after a threat actor leaked personal data of 1M citizens after claiming to have personal data of 279M Indonesians in a post — The Indonesian government has blocked access inside its borders to Raid Forums, a well-known cybercrime hub, in an attempt to limit the spread of a sensitive data leak.

    Indonesian government blocks hacking forum after data leak
    https://therecord.media/indonesian-government-blocks-hacking-forum-after-data-leak/

    Reply
  7. Tomi Engdahl says:

    David Pan / CoinDesk:
    Inner Mongolia issues a draft plan to crack down on crypto mining after China’s February ban that cited environmental concerns and State Council’s recent notice — Inner Mongolia drafted a detailed plan to crack down on crypto mining in the region following the ban issued in February and the State Council’s notice.

    Inner Mongolia Outlines How It May Ban Crypto Mining
    https://www.coindesk.com/inner-mongolia-outlines-how-it-may-ban-crypto-mining


    Reply
  8. Tomi Engdahl says:

    Washington Post:
    In a first, DHS will issue mandatory rules regulating cybersecurity for pipelines, initially to require incident reporting, after Colonial’s ransomware attack — Two directives will seek oversight of the industry after a ransomware attack upended gas availability in the southeast U.S. for 11 days.

    DHS to issue first cybersecurity regulations for pipelines after Colonial hack
    Two directives will seek oversight of the industry after a ransomware attack upended gas availability in the Southeast for 11 days
    https://www.washingtonpost.com/business/2021/05/25/colonial-hack-pipeline-dhs-cybersecurity/

    The Department of Homeland Security is moving to regulate cybersecurity in the pipeline industry for the first time in an effort to prevent a repeat of a major computer attack that crippled nearly half the East Coast’s fuel supply this month — an incident that highlighted the vulnerability of critical infrastructure to online attacks.

    The Transportation Security Administration, a DHS unit, will issue a security directive this week requiring pipeline companies to report cyber incidents to federal authorities, senior DHS officials said. It will follow up in coming weeks with a more robust set of mandatory rules for how pipeline companies must safeguard their systems against cyberattacks and the steps they should take if they are hacked, the officials said. The agency has offered only voluntary guidelines in the past.

    The ransomware attack that led Colonial Pipeline to shutter its pipeline for 11 days this month prompted gasoline shortages and panic buying in the southeastern United States, including in the nation’s capital. Had it gone on much longer, it could have affected airlines, mass transit and chemical refineries that rely on diesel fuel. Colonial’s chief executive has said the company paid $4.4 million to foreign hackers to release its systems.

    The cyberattack spurred DHS Secretary Alejandro Mayorkas and other top officials to consider how they could use existing TSA powers to bring change to the industry, said the officials.

    That TSA handles pipeline security at all is an artifact of the post-Sept. 11, 2001, reorganization of the federal government. Originally, the Department of Transportation oversaw pipelines, which were seen as a mode of transportation — whether conveying fuel, gas or chemicals. Then in 2002, responsibility for pipeline security was moved to the newly created TSA, which was given statutory authority to secure surface transportation. DOT, however, still is in charge of safety of the actual pipes — or ensuring they do not fail.

    TSA, though, mostly focused on physical security of pipelines, safeguarding them against terrorist attacks or sabotage. It was only in 2010 that the first set of cyber-related guidelines was issued. The guidelines were updated in 2018 but still fall far short of what many experts say is needed.

    Most critical infrastructure sectors — whether dams, health care or wastewater systems — do not have mandatory cyber standards. A handful do, including bulk electric power and nuclear plants. A congressional effort to institute mandatory requirements in 2012 failed in the face of strong U.S. Chamber of Commerce opposition.

    TSA’s new security directive will require pipeline companies to report cyber incidents to TSA and CISA and to have a cyber official — such as a chief information security officer — with a 24/7 direct line to TSA and CISA to report an attack. It will also require companies to assess the security of their systems as measured against existing cyber guidelines; fixing any gaps is currently voluntary.

    “This is a first step, and the department views it as a first step, and it will be followed by a much more robust directive that puts in place meaningful requirements that are meant to be durable and flexible as technology changes,” said a senior DHS official, who spoke on the condition of anonymity because the directives have not been issued yet.

    Reply
  9. Tomi Engdahl says:

    “Simply encouraging pipelines to voluntarily adopt best practices is an inadequate response to the ever-increasing number and sophistication of malevolent cyber actors,” he said.

    Reply
  10. Tomi Engdahl says:

    Dan Goodin / Ars Technica:
    VMware patches a new bug in vCenter Server, a virtualization management product used by an estimated 43K organizations, that could allow remote code execution — Remote code execution flaw in vCenter Server poses “serious” risk to data centers. — Data centers around the world …
    Vulnerability in VMware product has severity rating of 9.8 out of 10
    Remote code execution flaw in vCenter Server poses “serious” risk to data centers.
    https://arstechnica.com/gadgets/2021/05/vulnerability-in-vmware-product-has-severity-rating-of-9-8-out-of-10/
    The security flaw, which VMware disclosed and patched on Tuesday, resides in the vCenter Server, a tool used for managing virtualization in large data centers. vCenter Server is used to administer VMware’s vSphere and ESXi host products, which by some rankings are the first and second most popular virtualization solutions on the market. Enlyft, a site that provides business intelligence, shows that more than 43,000 organizations use vSphere.
    A VMware advisory said that vCenter machines using default configurations have a bug that, in many networks, allows for the execution of malicious code when the machines are reachable on a port that is exposed to the Internet. The vulnerability is tracked as CVE-2021-21985 and has a severity score of 9.8 out of 10.
    “The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in, which is enabled by default in vCenter Server,” Tuesday’s advisory stated. “VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8… A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.”

    Reply
  11. Tomi Engdahl says:

    https://thehackernews.com/2021/05/critical-rce-vulnerability-found-in.html?m=1

    VMware has rolled out patches to address a critical security vulnerability in vCenter Server that could be leveraged by an adversary to execute arbitrary code on the server.

    Tracked as CVE-2021-21985 (CVSS score 9.8), the issue stems from a lack of input validation in the Virtual SAN (vSAN) Health Check plug-in, which is enabled by default in the vCenter Server. “A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server,” VMware said in its advisory.

    Reply
  12. Tomi Engdahl says:

    VMware Sounds Ransomware Alarm Over Critical Severity Bug
    https://threatpost.com/vmware-ransomware-alarm-critical-bug/166501/

Tom Spring, Threatpost, May 26, 2021
    VMware’s virtualization management platform, vCenter Server, has a critical severity bug the company is urging customers to patch “as soon as possible”.

    VMware patched a critical bug impacting its vCenter Server platform with a severity rating of 9.8 out of 10. The company said the flaw could allow a remote attacker to exploit its products and take control of a company’s affected system.

    VMware went a step further on Tuesday, calling on IT security teams – already on high alert over an uptick in costly and destructive ransomware attacks – to patch systems fast

    The vulnerability, tracked as CVE-2021-21985, impacts vCenter Server platforms, which is in widespread use and used to administer VMware’s market leading vSphere and ESXi host products.

    Reply
  13. Tomi Engdahl says:

    North Korean (LAZARUS) hackers behind CryptoCore multi-million dollar heists https://www.bleepingcomputer.com/news/security/north-korean-hackers-behind-cryptocore-multi-million-dollar-heists/
Security researchers piecing together evidence from multiple attacks on cryptocurrency exchanges, attributed to a threat actor they named CryptoCore, have established a strong connection to the North Korean state-sponsored group Lazarus. Full report as PDF:
    https://www.clearskysec.com/wp-content/uploads/2021/05/CryptoCore-Lazarus-Clearsky.pdf

    Reply
  14. Tomi Engdahl says:

    Russian Hydra DarkNet Market Made Over $1.3 Billion in 2020 https://thehackernews.com/2021/05/russian-hydra-darknet-market-made-over.html
    Russian-language dark web marketplace Hydra has emerged as a hotspot for illicit activities, pulling in a whopping $1.37 billion worth of cryptocurrencies in 2020, up from $9.4 million in 2016.

    Ryuk Ransomware Operators Shift Tactics to Target Victims https://securityintelligence.com/articles/ryuk-ransomware-operators-shift-tactics/
    The ransomware operators continue to target critical infrastructure and extract high ransom payments from vulnerable groups, including an attack on a large health care organization last year.

    Reply
  15. Tomi Engdahl says:

    BazaFlix: BazaLoader Fakes Movie Streaming Service https://www.proofpoint.com/us/blog/threat-insight/bazaflix-bazaloader-fakes-movie-streaming-service
    Proofpoint researchers identified a BazaLoader campaign requiring significant human interaction to execute and install the BazaLoader backdoor. The threat actor leveraged phone-based customer service representatives to direct victims to unknowingly download and install the malware. See also:
    https://threatpost.com/bazaloader-fake-movie-streaming-service/166489/

    Reply
  16. Tomi Engdahl says:

    Lessons Learned from Telemetry Analysis of DarkSide Affiliate Exfiltration Operations https://www.dragos.com/blog/industry-news/lessons-learned-from-telemetry-analysis-of-darkside-affiliate-exfiltration-operations/
    Using internet traffic telemetry from Team Cymru, Dragos identified the DarkSide adversary’s stolen data repository hosted with a popular Virtual Private Server (VPS) hosting provider.

    Reply
  17. Tomi Engdahl says:

    Office 365 bug: Exchange Online, Outlook emails sent to junk folder https://www.bleepingcomputer.com/news/microsoft/office-365-bug-exchange-online-outlook-emails-sent-to-junk-folder/
Microsoft is investigating an Office 365 issue causing Outlook and Exchange Online emails to skip recipients’ inboxes and instead be delivered to their junk folders.

    Reply
  18. Tomi Engdahl says:

    ‘World’s Leading Bank Robbers’: North Korea’s Hacker Army
    https://www.securityweek.com/worlds-leading-bank-robbers-north-koreas-hacker-army

    Nuclear-armed North Korea is advancing on the front lines of cyberwarfare, analysts say, stealing billions of dollars and presenting a clearer and more present danger than its banned weapons programmes.

    Pyongyang is under multiple international sanctions over its atomic bomb and ballistic missile programmes, which have seen rapid progress under North Korean leader Kim Jong Un.

    But while the world’s diplomatic focus has been on its nuclear ambitions, the North has been quietly and steadily building up its cyber capabilities, and analysts say its army of thousands of well-trained hackers are proving to be just as dangerous.

    “North Korea’s nuclear and military programmes are long-term threats, but its cyber threats are immediate, realistic threats,” said Oh Il-seok, a researcher at the Institute for National Security Strategy in Seoul.

    Pyongyang’s cyberwarfare abilities first came to global prominence in 2014 when it was accused of hacking into Sony Pictures Entertainment as revenge for “The Interview”, a satirical film that mocked leader Kim.

    The attack resulted in the posting of several unreleased movies online as well as a vast trove of confidential documents.

Since then the North has been blamed for a number of high-profile cyberattacks, including an $81 million heist from the Bangladesh Central Bank as well as the 2017 WannaCry global ransomware attack, which infected some 300,000 computers in 150 nations.

    Reply
  19. Tomi Engdahl says:

    US Exchanges Offer a Rich Potential Target for Hackers
    https://www.securityweek.com/us-exchanges-offer-rich-potential-target-hackers

    Cyberattacks have long been seen as a threat to financial markets, but worries are becoming even more acute following a US pipeline hack that set off a public panic and forced the company to pay a ransom.

    Financial exchanges that manage daily transactions of tens or hundreds of billions of dollars are an appealing target for hackers.

    Major stock exchanges insist they are on top of the issue, but remain mum about what steps they are taking to safeguard their networks.

    “Technology and operational resiliency sits at the heart of everything we do,” a Nasdaq spokesperson told AFP.

    Likewise, the Chicago Board Options Exchange “takes cybersecurity very seriously and does not discuss our cyber defenses publicly,” an exchange spokesperson said.

    Reply
  20. Tomi Engdahl says:

    VMware Urges Customers to Immediately Patch Critical vSphere Vulnerability
    https://www.securityweek.com/vmware-urges-customers-immediately-patch-critical-vsphere-vulnerability

    VMware has urged customers to immediately patch a critical vulnerability affecting vCenter Server, the management interface for vSphere environments.

    The vulnerability, tracked as CVE-2021-21985, was reported to VMware by Ricter Z of 360 Noah Lab and it has been patched in versions 6.5, 6.7 and 7.0 of vCenter Server.

    According to VMware, the vulnerability impacts the vSphere Client, specifically the Virtual SAN Health Check plugin, which is enabled by default in vCenter Server even if the plugin is not actually being used. An attacker with access to port 443 can exploit the flaw to execute commands with elevated privileges on the operating system that hosts vCenter Server.

    Another vulnerability patched by the same updates, tracked as CVE-2021-21986 and rated medium severity, is related to an authentication mechanism for the Virtual SAN Health Check, Site Recovery, vSphere Lifecycle Manager, and VMware Cloud Director Availability plugins. An unauthenticated attacker with access to port 443 can leverage the weakness to perform actions allowed by the affected plugins.

    VMware has published an advisory, a blog post, and an FAQ document for these vulnerabilities,

    https://core.vmware.com/resource/vmsa-2021-0010-faq#

    Reply
  21. Tomi Engdahl says:

    Dan Goodin / Ars Technica:
Researcher details a WebKit flaw, which can lead to an RCE exploit, that remains unpatched by Apple despite the availability of an open source fix for 3 weeks

    No, it doesn’t just crash Safari. Apple has yet to fix exploitable flaw
    WebKit bug that was fixed upstream has yet to find its way into Apple products.
    https://arstechnica.com/gadgets/2021/05/exploitable-security-bug-remains-in-ios-and-macos-3-weeks-after-upstream-fix/

    Reply
  22. Tomi Engdahl says:

    Klarna’s statement on bug causing random user data being exposed to the wrong users

    Klarna comment: statement on app bug.
    https://www.klarna.com/uk/blog/written-statement-on-app-bug/

    Update: The incident is resolved.

    Trust is at the very core of Klarna and banking. This is why we are sad and frustrated to inform you of a self-inflicted incident, that for 31 min affected a small subset of our app users. The bug led to random user data being exposed to the wrong user when accessing our user interfaces. It is important to note that the access to data has been entirely random and not showing any data containing card or bank details (obfuscated data was visible). Even though GDPR would classify the information visible as “non-sensitive”, for Klarna all data is important. We are taking this incident very seriously and we will work tirelessly to regain the affected consumers’ trust.

    Reply
  23. Tomi Engdahl says:

    Clearview AI — The Facial Recognition Company Embraced By U.S. Law Enforcement — Just Got Hit With A Barrage Of Privacy Complaints In Europe
    https://www.forbes.com/sites/roberthart/2021/05/27/clearview-ai—the-facial-recognition-company-embraced-by-us-law-enforcement—just-got-hit-with-a-barrage-of-privacy-complaints-in-europe/

    Clearview AI, the American purveyor of facial recognition tech reportedly used by thousands of government and law enforcement agencies throughout the world, is facing an onslaught of legal complaints across Europe Thursday for allegedly breaching the bloc’s strict data protection laws.

    Reply
  24. Tomi Engdahl says:

    Russia orders Google to delete ‘illegal’ content or face slowdowns
    https://www.engadget.com/russia-google-24-hour-order-185919787.html

    Google faces an ultimatum in Russia. Per Reuters, the country’s Roskomnadzor internet commission gave the company 24 hours to delete more than 26,000 instances of what it’s classifying as illegal content. If Google doesn’t comply with the order, it could face fines valued at up to 10 percent of its annual revenue, in addition to seeing its services slowed down within the country. The agency has also accused Google of censoring Russian media outlets, including state-owned entities like RT and Sputnik.

    Russia gives Google one day to delete banned content, threatens slowdown
    https://www.reuters.com/technology/russia-gives-google-one-day-delete-banned-content-threatens-slowdown-2021-05-24/

    Russia’s communications watchdog on Monday gave Google (GOOGL.O) 24 hours to delete what it called prohibited content and said that Moscow could impose a punitive slowdown measure on it, the TASS new agency reported.

    Reply
  25. Tomi Engdahl says:

    Updates on Chinese APT Actors Compromising Pulse Secure VPN Devices https://www.fireeye.com/blog/threat-research/2021/05/updates-on-chinese-apt-compromising-pulse-secure-vpn-devices.html
In April, Mandiant published information about compromised Pulse Secure devices; in this blog post they update the findings and provide recommendations to defenders.

    Reply
  26. Tomi Engdahl says:

    APT hackers breached US local govt by exploiting Fortinet bugs https://www.bleepingcomputer.com/news/security/fbi-apt-hackers-breached-us-local-govt-by-exploiting-fortinet-bugs/
    FBI: As of at least May 2021, an APT actor group almost certainly exploited a Fortigate appliance to access a webserver hosting the domain for a U.S. municipal government. FBI Flash alert:
    https://www.aha.org/system/files/media/file/2021/05/fbi-flash-tlp-white-apt-actors-exploiting-fortinet-vulnerabilities-to-gain-access-for-malicious-activity-5-27-21.pdf

    Reply
  27. Tomi Engdahl says:

    Analysis report of the Facefish rootkit
    https://blog.netlab.360.com/ssh_stealer_facefish_en/
In-depth analysis of a Linux rootkit/backdoor called “Facefish” that steals SSH credentials from both server and client and gives attackers the means to execute commands on the system.

    Reply
  28. Tomi Engdahl says:

    Klarna mobile app bug let users log into other customers’ accounts https://www.bleepingcomputer.com/news/security/klarna-mobile-app-bug-let-users-log-into-other-customers-accounts/
    Klarna Bank suffered a severe technical issue this morning that allowed mobile app users to log into other customers’ accounts and see their stored information.

    Reply
  29. Tomi Engdahl says:

    Japanese government agencies suffer data breaches after Fujitsu hack https://www.bleepingcomputer.com/news/security/japanese-government-agencies-suffer-data-breaches-after-fujitsu-hack/
Offices of multiple Japanese agencies were breached via Fujitsu’s “ProjectWEB” information sharing tool. By gaining unauthorized access to government systems via ProjectWEB, attackers were able to obtain at least 76,000 e-mail addresses and proprietary information, including the e-mail system settings.

    Belgium government discovered 2019 hack during Hafnium investigation https://therecord.media/belgium-government-discovers-old-2019-hack-during-hafnium-investigation/
Officials found Exchange servers that were vulnerable and needed patching, but the IT staff at the Federal Public Service Interior (the country’s interior ministry) also found additional signs of compromise that dated back years rather than the months since the first Hafnium attacks were spotted.

    Reply
  30. Tomi Engdahl says:

    Deep dive into Visual Studio Code extension security vulnerabilities https://snyk.io/blog/visual-studio-code-extension-security-vulnerabilities-deep-dive/
    Snyk has discovered a new vector for supply chain attacks: IDE plugins. Severe vulnerabilities were found in popular VS Code extensions, enabling attackers to compromise local machines as well as build and deployment systems through a developer’s IDE.

    Reply
  31. Tomi Engdahl says:

    New Iranian Group ‘Agrius’ Launches Destructive Cyberattacks on Israeli Targets
    https://www.securityweek.com/new-iranian-group-agrius-launches-destructive-cyberattacks-israeli-targets

    Over the past year, an Iran-linked threat actor named Agrius has been observed launching destructive attacks on Israeli targets, under the disguise of ransomware attacks, according to endpoint security company SentinelOne.

    Likely state-sponsored, the threat group initially engaged in cyberespionage attacks, but then attempted to extort victims, claiming to have exfiltrated and encrypted data. The recovery of the impacted files, however, was not possible, due to the destructive nature of the attack.

    Dubbed Apostle, the wiper used in these attacks was later updated with encryption capabilities, becoming a fully-functional piece of ransomware.

    “The similarity to its wiper version, as well as the nature of the target in the context of regional disputes, leads us to believe that the operators behind it are utilizing ransomware for its disruptive capabilities,” SentinelOne says.

    Vulnerabilities in Internet-facing applications are leveraged for intrusion, including CVE-2018-13379, a high-severity path traversal vulnerability in the FortiOS SSL VPN web portal, and various security bugs in other web-based applications.

    Agrius, the researchers say, uses VPN services to connect to victims’ environments, and employs webshells (mainly variations of ASPXSpy) to tunnel RDP traffic and exploit compromised accounts for lateral movement.

    Reply
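The Agrius intrusion vector named above, CVE-2018-13379, is a path traversal bug in the FortiOS SSL VPN web portal, and traversal attempts against any web portal leave a recognisable trace in access logs. The detector below is an added example, not SentinelOne's or Fortinet's code: it parses common-log-format lines, percent-decodes the URI path and every query value repeatedly (so double-encoded `%252e%252e` is caught), and simulates path resolution to measure how many directory levels above the web root a request tries to reach. The log lines and the `/remote/lang?lang=` endpoint they hit are constructed for the example and are not taken from any real Fortinet request.

```python
import re
from typing import Optional
from urllib.parse import unquote

# Common-log-format line: client, ident, user, [time], "METHOD URI PROTO", status, size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines; the endpoint and addresses are hypothetical.
SAMPLE_LOG = [
    '198.51.100.7 - - [20/May/2021:10:01:02 +0000] "GET /remote/login?lang=en HTTP/1.1" 200 512',
    '198.51.100.9 - - [20/May/2021:10:01:05 +0000] "GET /remote/lang?lang=%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 77',
    '203.0.113.4 - - [20/May/2021:10:02:11 +0000] "GET /remote/lang?lang=%252e%252e%252f%252e%252e%252fetc HTTP/1.1" 200 77',
    '198.51.100.7 - - [20/May/2021:10:02:30 +0000] "GET /static/app..v2.css HTTP/1.1" 200 2048',
    '198.51.100.7 - - [20/May/2021:10:02:31 +0000] "POST /remote/logincheck HTTP/1.1" 302 0',
]


def decode_layers(s: str, max_rounds: int = 4):
    """Percent-decode until stable; return (decoded, number of encoding layers peeled)."""
    layers = 0
    while layers < max_rounds:
        d = unquote(s)
        if d == s:
            break
        s, layers = d, layers + 1
    return s, layers


def escape_depth(path: str) -> int:
    """Resolve '.' and '..' segments like a filesystem would and return how many
    levels above the starting directory the path reaches (0 = never escapes)."""
    depth = worst = 0
    for seg in re.split(r"[\\/]+", path):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            worst = min(worst, depth)
        else:
            depth += 1
    return -worst


def analyse_request(line: str) -> Optional[dict]:
    """Score one log line; None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    raw_uri = m.group("uri")
    path, _, query = raw_uri.partition("?")
    # The traversal may sit in the path or in any query value, so check all of them.
    candidates = [path] + [kv.partition("=")[2] for kv in query.split("&") if kv]
    worst_depth = layers = 0
    for c in candidates:
        decoded, n = decode_layers(c)
        worst_depth = max(worst_depth, escape_depth(decoded))
        layers = max(layers, n)
    return {
        "src": m.group("src"),
        "uri": raw_uri,
        "escape_depth": worst_depth,
        "encoding_layers": layers,
        "suspicious": worst_depth > 0,
    }


def scan(lines) -> list:
    """Return the records for every line that tries to escape the web root."""
    return [r for r in (analyse_request(l) for l in lines) if r and r["suspicious"]]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['src']} depth={hit['escape_depth']} layers={hit['encoding_layers']} {hit['uri']}")
```

Measuring escape depth rather than grepping for `..` keeps filenames such as `app..v2.css` out of the alert queue, and recording the number of encoding layers is useful triage context: a benign client has no reason to double-encode a language parameter.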
  32. Tomi Engdahl says:

    EU Privacy Groups Set Sights on Facial Recognition Firm
    https://www.securityweek.com/eu-privacy-groups-set-sights-facial-recognition-firm

    Privacy organisations on Thursday complained to regulators in five European countries over the practices of Clearview AI, a company that has built a powerful facial recognition database using images “scraped” from the web.

    Clearview’s use of images — including those from people’s social media accounts — to offer biometrics services to private companies and law enforcement “goes far beyond what we could ever expect as online users”, Ioannis Kouvakas, legal officer at Privacy International, said in a statement.

    While Clearview touts its technology’s ability to help law enforcement, its critics say facial recognition is open to abuse and could ultimately eliminate anonymity in public spaces — pointing to cases like China’s massive public surveillance system.

    Reply
  33. Tomi Engdahl says:

    Eufycam Wi-Fi security cameras streamed video feeds from other people’s homes
    https://www.theregister.com/2021/05/17/in_brief_security/

    Reply
  34. Tomi Engdahl says:

    4 vulnerabilities under attack give hackers full control of Android devices
    Google updates a 2-week-old security bulletin to say some vulnerabilities were 0-days.
    https://arstechnica.com/gadgets/2021/05/hackers-have-been-exploiting-4-critical-android-vulnerabilities/

    Reply
  35. Tomi Engdahl says:

Three boys found a security hole in the matriculation exams that would have let them edit answers had they wanted to; now they are flooded with job offers
    A trio of boys found extensive security holes in the Abitti software used by upper secondary schools, through which, among other things, the matriculation exams are administered. The 15-to-18-year-old young men are hackers who have received numerous job offers since the discovery.
    https://yle.fi/uutiset/3-11939828

    Reply
  36. Tomi Engdahl says:

    Teen hacker accused of causing 2-day outage at all Pinellas County schools faces felony charges
    https://www.fox13news.com/news/teen-hacker-accused-of-causing-2-day-outage-at-all-pinellas-county-schools-faces-felony-charges

    ST. PETERSBURG, Fla. – A 17-year-old St. Petersburg High School student is now facing felony computer crimes charges after investigators say he attacked the school district’s computer system and caused a district-wide outage on March 22 and 23.   

    “What the student did, was he brought down a distributed denial-of-service attack, which is not the same as breaking in and stealing things and changing grades,” Hamilton explained. “What it does, is it makes the whole network unavailable.”  

    Pinellas Schools said they paid Charter-Spectrum, their internet service provider, to provide security against this sort of attack. But when the system was upgraded in 2020, Spectrum forgot to continue a certain layer of protection.  

    Charter said they fixed the issue and gave the school district a $23,000 credit. 

    Reply
  37. Tomi Engdahl says:

    ‘FIND THIS FUCK:’ Inside Citizen’s Dangerous Effort to Cash In On Vigilantism
    https://www.vice.com/en/article/y3dpyw/inside-crime-app-citizen-vigilante

    Internal documents, messages, and roadmaps show how crime app Citizen is pushing the boundary of what a private, app-enabled vigilante force may be capable of.

    Reply
  38. Tomi Engdahl says:

    Microsoft: Russian SVR hackers target govt agencies from 24 countries
    https://www.bleepingcomputer.com/news/security/microsoft-russian-svr-hackers-target-govt-agencies-from-24-countries/

    The Microsoft Threat Intelligence Center (MSTIC) has discovered that the Russian-backed hackers behind the SolarWinds supply-chain attack are now coordinating an ongoing phishing campaign targeting government agencies worldwide.

    “This week we observed cyberattacks by the threat actor Nobelium targeting government agencies, think tanks, consultants, and non-governmental organizations,” MSTIC revealed.

    “This wave of attacks targeted approximately 3,000 email accounts at more than 150 different organizations.

    Phishing emails sent using hacked USAID email marketing account
    The threat actors behind these attacks, a hacking group tracked as Nobelium by Microsoft and likely backed by the Russian government, sent the phishing emails using USAID’s compromised Constant Contact account (a legitimate email marketing service).

    The campaign started in January 2021, and it slowly turned into a series of attacks culminating with this week’s USAID-themed phishing wave.

    Another Nobelium Cyberattack
    https://blogs.microsoft.com/on-the-issues/2021/05/27/nobelium-cyberattack-nativezone-solarwinds/

    This week we observed cyberattacks by the threat actor Nobelium targeting government agencies, think tanks, consultants, and non-governmental organizations. This wave of attacks targeted approximately 3,000 email accounts at more than 150 different organizations. While organizations in the United States received the largest share of attacks, targeted victims span at least 24 countries. At least a quarter of the targeted organizations were involved in international development, humanitarian, and human rights work. Nobelium, originating from Russia, is the same actor behind the attacks on SolarWinds customers in 2020. These attacks appear to be a continuation of multiple efforts by Nobelium to target government agencies involved in foreign policy as part of intelligence gathering efforts.

    Reply
  39. Tomi Engdahl says:

    SolarWinds Hackers Impersonate U.S. Government Agency in New Attacks
    https://www.securityweek.com/solarwinds-hackers-impersonate-us-government-agency-new-attacks

    The Russia-linked threat group believed to be behind the SolarWinds attack has been observed launching a new campaign this week. The attacks have targeted the United States and other countries, and involve a legitimate mass mailing service and impersonation of a government agency.

    The latest attacks were analyzed by Microsoft, which tracks the threat actor as Nobelium, and by incident response firm Volexity, which has found some links to APT29, a notorious cyberspy group previously linked to Russia.

    https://blogs.microsoft.com/on-the-issues/2021/05/27/nobelium-cyberattack-nativezone-solarwinds/

    Reply
  40. Tomi Engdahl says:

    Canada Post Says 950,000 Customers Hit by Breach at Supplier
    https://www.securityweek.com/canada-post-says-950000-customers-hit-breach-supplier

    Canada Post, the primary postal operator in Canada, has informed 44 of its large business customers that some information was compromised as a result of a malware attack at a supplier.

    The impacted supplier is Commport Communications, an electronic data interchange (EDI) provider that Canada Post uses to manage shipping manifest data for large parcel business customers.

    In a May 14 post seen by SecurityWeek on a popular hacking forum, someone claimed that a ransomware gang known as Lorenz had stolen tens of gigabytes of data from Commport.

    Canada Post said it learned about the data breach on May 19, but its IT subsidiary, Innovapost, was informed in November 2020 that there had been a ransomware attack on Commport. However, at the time, Commport claimed it had found no evidence that customer data was compromised.

    Reply
  41. Tomi Engdahl says:

    FBI Shares IOCs for APT Attacks Exploiting Fortinet Vulnerabilities
    https://www.securityweek.com/fbi-shares-iocs-apt-attacks-exploiting-fortinet-vulnerabilities

    The FBI on Thursday published indicators of compromise (IOCs) associated with the continuous exploitation of Fortinet FortiOS vulnerabilities in attacks targeting commercial, government, and technology services networks.

    In early April, the FBI along with the Cybersecurity and Infrastructure Security Agency (CISA) warned that threat actors had been targeting serious security holes in Fortinet’s flagship operating system FortiOS for initial access into victims’ networks.

    The targeted bugs include CVE-2018-13379 (a path traversal in the FortiOS SSL VPN web portal), CVE-2020-12812 (a bypass of FortiOS SSL VPN two-factor authentication), and CVE-2019-5591 (default configurations ship without LDAP server identity verification).

    Reply
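The advisory above is about indicators, but the most useful check for the first of those three bugs is in your own traffic. The following is an added example, not code from this page, the FBI advisory or Fortinet: detection logic run over constructed access-log lines. It assumes requests to the SSL VPN portal are visible in Combined Log Format from a reverse proxy or sensor placed in front of the appliance (an assumption; FortiOS's own logging is a different format). The request shape on the flagged lines follows public write-ups of CVE-2018-13379 rather than anything on this page; the client addresses, timestamps and sizes are invented. The check is generic: it fully percent-decodes the path and every query value, then flags any that walks above the document root, so it also catches double-encoded variants.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Combined Log Format: client ident user [time] "METHOD target PROTO" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample lines (RFC 5737 documentation addresses, invented timestamps).
# Lines 2 and 3 mimic the traversal request shape described in public write-ups of
# CVE-2018-13379; the second is the same request with the value percent-encoded.
SAMPLE_LOG = """\
203.0.113.7 - - [27/May/2021:10:14:01 +0000] "GET /remote/login?lang=en HTTP/1.1" 200 4112 "-" "Mozilla/5.0"
198.51.100.23 - - [27/May/2021:10:14:09 +0000] "GET /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession HTTP/1.1" 200 57321 "-" "python-requests/2.25.1"
198.51.100.23 - - [27/May/2021:10:14:10 +0000] "GET /remote/fgt_lang?lang=%2F..%2F..%2F..%2F..%2Fdev%2Fcmdb%2Fsslvpn_websession HTTP/1.1" 200 57321 "-" "python-requests/2.25.1"
203.0.113.7 - - [27/May/2021:10:15:44 +0000] "GET /remote/logincheck HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def decode_fully(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding so %252e%252e does not slip past the check."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def lowest_depth(path: str) -> int:
    """Walk the segments of a path; a negative result means it climbed above the root."""
    depth = lowest = 0
    for seg in path.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue            # empty segments (from '//////') and '.' do not move
        if seg == "..":
            depth -= 1
            lowest = min(lowest, depth)
        else:
            depth += 1
    return lowest


def find_traversal(log_text: str) -> list:
    """Return one finding per request whose path or query value escapes the web root."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        # parse_qsl decodes once; decode_fully handles anything layered on top of that
        candidates = [("path", parts.path)] + parse_qsl(parts.query, keep_blank_values=True)
        for where, value in candidates:
            resolved = decode_fully(value)
            if lowest_depth(resolved) < 0:
                findings.append({
                    "client": m["client"], "time": m["time"], "status": int(m["status"]),
                    "param": where, "resolved": resolved,
                })
                break
    return findings


if __name__ == "__main__":
    for f in find_traversal(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} status={f['status']} via {f['param']}: {f['resolved']}")
```

A 200 response with a large body on a flagged request is the case to escalate; a 4xx means the path was blocked and is a scan. The other two bugs in the list need configuration checks rather than log searches: confirm two-factor is enforced for every SSL VPN user group and that LDAP server identity verification is switched on.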
  42. Tomi Engdahl says:

    Chinese Hackers Started Covering Tracks Days Before Public Exposure of Operations
    https://www.securityweek.com/chinese-hackers-started-covering-tracks-days-public-exposure-operations

    One of the Chinese threat actors targeting Pulse Secure VPN appliances via a recently disclosed vulnerability has been attempting to cover its tracks by removing its webshells from victim networks, FireEye reports.

    Tracked as CVE-2021-22893, the vulnerability was made public in late April, after security researchers discovered that threat actors had already been exploiting it in attacks targeting organizations in the defense, financial, government, high tech, and transportation sectors in the U.S. and Europe.

    At the time, FireEye revealed that at least two Chinese threat actors believed to be state-sponsored — UNC2630 and UNC2717 — had been exploiting the vulnerability for initial compromise. The company identified 12 malware families used in attacks associated with the exploitation of CVE-2021-22893 and three other bugs in Pulse Secure VPN appliances.

    A patch was shipped on May 3, two weeks after the security hole was publicly disclosed, but the activity surrounding it and the other flaws did not stop. In fact, FireEye says it has since identified four other malware families used in these attacks, namely BLOODMINE, BLOODBANK, CLEANPULSE, and RAPIDPULSE.

    On the other hand, just days before FireEye made its findings public in April, UNC2630 was spotted removing its webshells from dozens of devices.

    Reply
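On the point that UNC2630 deleted its webshells days before disclosure: an integrity check taken after that cleanup compares clean against clean and reports nothing. The following is an added example, not code from this page, from FireEye or from Pulse Secure's own integrity tool. It runs a hash-manifest diff over constructed snapshots of an appliance web root (paths and file contents are invented and do not reproduce any of the malware families named in the report) and shows why the whole history of manifests, not just the latest one, has to be kept: the shell is visible only in the intermediate snapshot, and its removal only in the diff between that snapshot and the next.

```python
import hashlib


def build_manifest(tree: dict) -> dict:
    """tree maps path -> file bytes (on a real host: read from disk). Returns path -> sha256."""
    return {path: hashlib.sha256(content).hexdigest() for path, content in tree.items()}


def diff_manifests(before: dict, after: dict) -> dict:
    """Files that appeared, vanished or changed between two manifests."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in set(before) & set(after) if before[p] != after[p]),
    }


def audit_history(snapshots: list) -> list:
    """Diff each snapshot against the one before it, so a file that came and went still shows."""
    return [
        (prev_label, label, diff_manifests(prev, cur))
        for (prev_label, prev), (label, cur) in zip(snapshots, snapshots[1:])
    ]


# Constructed web root as shipped by the vendor (placeholder paths and contents).
RELEASE = {
    "/var/www/portal/auth/welcome.cgi": b"#!/usr/bin/perl\n# vendor login handler\n",
    "/var/www/portal/auth/style.css": b"body { margin: 0 }\n",
}

# Snapshot t1: the login handler has been trojanised and a webshell dropped beside it.
INTRUSION = dict(RELEASE)
INTRUSION["/var/www/portal/auth/welcome.cgi"] = (
    RELEASE["/var/www/portal/auth/welcome.cgi"] + b"# credential-logging hook (placeholder)\n"
)
INTRUSION["/var/www/portal/auth/cache.cgi"] = b"#!/usr/bin/perl\n# webshell placeholder\n"

# Snapshot t2: the attacker has restored the original handler and deleted the shell.
CLEANED = dict(RELEASE)

SNAPSHOTS = [
    ("release", build_manifest(RELEASE)),
    ("t1", build_manifest(INTRUSION)),
    ("t2", build_manifest(CLEANED)),
]


if __name__ == "__main__":
    for before, after, changes in audit_history(SNAPSHOTS):
        print(f"{before} -> {after}: {changes}")
    # Comparing only the latest snapshot against the release image finds nothing.
    print("release -> t2:", diff_manifests(SNAPSHOTS[0][1], SNAPSHOTS[2][1]))
```

In practice the baseline is the manifest of the vendor's release image, snapshots are taken on a schedule, and every manifest is stored off the appliance, since an attacker with root on the box can rewrite whatever is kept locally. Timestamps in the appliance's own logs around the removal are the other place the cleanup leaves a trace.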
  43. Tomi Engdahl says:

    Nuclear Flash Cards: US Secrets Exposed on Learning Apps
    https://www.securityweek.com/nuclear-flash-cards-us-secrets-exposed-learning-apps

    US troops charged with guarding nuclear weapons in Europe used popular education websites to create flash cards, exposing their exact locations and top-secret security protocols, according to the investigative site Bellingcat Friday.

    To familiarize themselves with things like which shelters in various locations had “hot” vaults with live nuclear bombs, with security patrol schedules, and with identification badge details, the soldiers created digital flash card sets on apps like Chegg Prep, Quizlet and Cram.

    “By simply searching online for terms publicly known to be associated with nuclear weapons, Bellingcat was able to discover cards used by military personnel serving at all six European military bases reported to store nuclear devices,” wrote Foeke Postma, the author of the Bellingcat article.

    They found one set of 70 flashcards on Chegg, entitled “Study!”, which noted the exact shelters containing nuclear weapons at Volkel Air Base in the Netherlands.

    “How many WS3 vaults are there on Volkel ab,” said the question side of one virtual flash card, referring to the military term for weapons storage and security systems.

    “eleven (11)” it read on the answer side.

    Another card from the same set indicated that five of the eleven vaults were “hot” with nuclear bombs while the other 6 were “cold,” and specified which vaults.

    A set of 80 cards on the Cram flashcard site detailed hot and cold vaults at Aviano Air Base in Italy, and revealed how a soldier should respond in activating them based on the different level of alarms they receive.

    Reply
  44. Tomi Engdahl says:

    US Says Agencies Largely Fended Off Latest Russian Hack
    https://www.securityweek.com/us-says-agencies-largely-fended-latest-russian-hack

    The White House says it believes U.S. government agencies largely fended off the latest cyberespionage onslaught blamed on Russian intelligence operatives, saying the spear-phishing campaign should not further damage relations with Moscow ahead of next month’s planned presidential summit.

    Officials downplayed the cyber assault as “basic phishing” in which hackers used malware-laden emails to target the computer systems of U.S. and foreign government agencies, think tanks and humanitarian groups. Microsoft, which disclosed the effort late Thursday, said it believed most of the emails were blocked by automated systems that marked them as spam.

    As of Friday afternoon, the company said it was “not seeing evidence of any significant number of compromised organizations at this time.”

    Even so, the revelation of a new spy campaign so close to the June 16 summit between President Joe Biden and Russian counterpart Vladimir Putin adds to the urgency of White House efforts to confront the Kremlin over aggressive cyber activity that criminal indictments and diplomatic sanctions have done little to deter.

    https://www.securityweek.com/solarwinds-hackers-impersonate-us-government-agency-new-attacks

    Reply
  45. Tomi Engdahl says:

    Newly Disclosed Vulnerability Allows Remote Hacking of Siemens PLCs
    https://www.securityweek.com/newly-disclosed-vulnerability-allows-remote-hacking-siemens-plcs

    Researchers at industrial cybersecurity firm Claroty have identified a serious vulnerability that can be exploited by a remote and unauthenticated attacker to hack some of the programmable logic controllers (PLCs) made by Siemens.

    The vulnerability is tracked as CVE-2020-15782 and it has been described as a high-severity memory protection bypass issue that allows an attacker with network access to TCP port 102 to write or read data in protected memory areas.

    Siemens says the security hole impacts its SIMATIC S7-1200 and S7-1500 CPUs. The German industrial giant has released firmware updates for some of the impacted devices and it has provided workarounds for products for which patches have yet to be released.

    Reply
  46. Tomi Engdahl says:

    APT29: Suspected APT29 Operation Launches Election Fraud Themed Phishing Campaigns
    https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/
    The campaign’s phishing e-mails purported to originate from the USAID government agency and contained a malicious link that resulted in an ISO file being delivered. This file contained a malicious LNK file, a malicious DLL file, and a legitimate lure referencing foreign threats to the 2020 US Federal Elections.

    Reply
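The delivery chain described in this comment and in the Microsoft reports earlier in the thread (ISO attachment, a malicious LNK inside it, a DLL the shortcut loads, plus a decoy document) is one that triage can catch at the shortcut. The following is an added example, not code from this page, from Volexity or from Microsoft: a minimal parser for the MS-SHLLINK format that pulls the target, working directory and arguments out of a .lnk, and a triage function that flags shortcuts launching a living-off-the-land binary with a DLL argument. The sample shortcut is constructed inside the block with `build_lnk`; its display name, relative path and DLL name are invented placeholders and are not indicators from the campaign.

```python
import struct

# ShellLink header constants from MS-SHLLINK; nothing here is campaign-specific.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
# StringData fields appear in this fixed order, each only if its flag is set.
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)
LOLBINS = ("rundll32", "regsvr32", "mshta", "wscript", "cscript", "powershell", "cmd.exe")


def parse_lnk(data: bytes) -> dict:
    """Extract the StringData fields (target, working dir, arguments) from a .lnk."""
    if (len(data) < LNK_HEADER_SIZE
            or data[:4] != struct.pack("<I", LNK_HEADER_SIZE)
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a ShellLink file")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (u16) followed by the item IDs
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize (u32) covers the whole structure
        off += struct.unpack_from("<I", data, off)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {"flags": flags}
    for flag, name in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, off)[0]   # CountCharacters, no terminator
        off += 2
        size = count * 2 if unicode else count
        raw = data[off:off + size]
        off += size
        fields[name] = raw.decode("utf-16-le" if unicode else "cp1252")
    return fields


def triage_lnk(fields: dict) -> list:
    """Return human-readable reasons this shortcut deserves a closer look."""
    target = " ".join(fields.get(k, "") for k in ("relative_path", "working_dir", "arguments")).lower()
    reasons = []
    if any(b in target for b in LOLBINS):
        reasons.append("launches a living-off-the-land binary")
    if ".dll" in target:
        reasons.append("arguments reference a DLL to load")
    if fields.get("relative_path", "").startswith(".."):
        reasons.append("relative path climbs out of the directory the shortcut sits in")
    if "\u202e" in fields.get("name", ""):
        reasons.append("right-to-left override in the display name")
    return reasons


def build_lnk(name: str, relative_path: str, arguments: str) -> bytes:
    """Constructed sample shortcut for exercising the parser (not an artefact from the campaign)."""
    flags = HAS_NAME | HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    # HeaderSize, CLSID, flags, attributes, 3 FILETIMEs, size, icon, ShowCommand=SW_SHOWNORMAL,
    # hotkey, reserved x3
    header = struct.pack("<I16sIIQQQIiIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, 1, 0, 0, 0, 0)

    def string_data(text: str) -> bytes:
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + string_data(name) + string_data(relative_path) + string_data(arguments)


# Invented placeholders: display name, a relative path out of the mounted image to rundll32,
# and a DLL plus export name as the argument.
SAMPLE_LNK = build_lnk("Reports", "..\\..\\..\\Windows\\System32\\rundll32.exe", "Documents.dll,Open")


if __name__ == "__main__":
    fields = parse_lnk(SAMPLE_LNK)
    print({k: v for k, v in fields.items() if k != "flags"})
    for reason in triage_lnk(fields):
        print("suspicious:", reason)
```

Real shortcuts usually carry a LinkTargetIDList and LinkInfo block as well; the parser skips both by their declared sizes, so the string fields are found in the same place. Running this over every .lnk extracted from a mounted ISO, before anything in the image is opened, is the cheap check this chain invites.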
