Cyber security news June 2021

This posting is here to collect cyber security news in June 2021.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.

341 Comments

  1. Tomi Engdahl says:

    NFT creators tricked into installing malware in highly targeted attack https://therecord.media/nft-creators-tricked-into-installing-malware-in-highly-targeted-attack/
    Multiple digital artists and creators of non-fungible tokens (NFT) were at the center of a highly targeted malware campaign last week during which a threat actor tried to swipe their hard-earned profits.
    The attacks, which began last week and continued through the weekend, were widely reported on Twitter after several victims caught on to the scheme or noticed the theft of cryptocurrency assets from their private wallets. According to public reports, the threat actor used multiple identities to approach Twitter users advertising themselves as NFT creators with business deals and trick them into downloading and running a malware-laced file.

    Reply
  2. Tomi Engdahl says:

    A New Program for Your Peloton Whether You Like It or Not https://www.mcafee.com/blogs/other-blogs/mcafee-labs/a-new-program-for-your-peloton-whether-you-like-it-or-not/
    The McAfee Advanced Threat Research team (ATR) is committed to uncovering security issues in both software and hardware to help developers provide safer products for businesses and consumers. As security researchers, something that we always try to establish before looking at a target is what our scope should be. More specifically, we often assume well-vetted technologies like network stacks or the OS layers are sound and instead focus our attention on the application layers or software that is specific to a target. Whether that approach is comprehensive sometimes doesn't matter; and it's what we decided to do for this project as well, bypassing the Android OS itself and with a focus on the Peloton code and implementations.

    Reply
  3. Tomi Engdahl says:

    Finland turned to a popular security site to uncover central-government password leaks https://www.tivi.fi/uutiset/tv/81d68e96-5a63-49c4-b49b-58db77e8f377
    The National Cyber Security Centre (Kyberturvallisuuskeskus) has adopted the Have I Been Pwned site's API, which can be used to check for leaks of user credentials. Troy Hunt, creator of the popular Have I Been Pwned site (HIBP), welcomes the Finnish National Cyber Security Centre in his blog.
    The National Cyber Security Centre has been given access to the HIBP API, which can be used to check whether credentials of central-government employees have leaked to outsiders. According to Hunt, Finland is the fifth Northern European country and the 21st governmental actor overall to adopt the API. Many more will be announced soon, Hunt says.

    Reply
  4. Tomi Engdahl says:

    Security Flaw Found in 2G Mobile Data Encryption Standard
    https://www.securityweek.com/security-flaw-found-2g-mobile-data-encryption-standard

    Cybersecurity researchers in Europe say they have discovered a flaw in an encryption algorithm used by cellphones that may have allowed attackers to eavesdrop on some data traffic for more than two decades.

    In a paper published Wednesday, researchers from Germany, France and Norway said the flaw affects the GPRS – or 2G – mobile data standard.

    While most phones now use 4G or even 5G standards, GPRS remains a fallback for data connections in some countries.

    The vulnerability in the GEA-1 algorithm is unlikely to have been an accident, the researchers said. Instead, it was probably created intentionally to provide law enforcement agencies with a “backdoor” and comply with laws restricting the export of strong encryption tools.

    Reply
  5. Tomi Engdahl says:

    Google Rolls out E2EE For Android Messages App
    https://www.securityweek.com/google-rolls-out-e2ee-android-messages-app

    Google has finally enabled end-to-end encryption (E2EE) for the Messages app in Android but the privacy-enhancing tool remains somewhat limited.

    Google announced end-to-end encryption is now available in Android, but only for one-on-one conversations between users of the Messages app.

    Reply
  6. Tomi Engdahl says:

    Cuffed: Ukraine police collar six Clop ransomware gang suspects in joint raids with South Korean cops
    Cobalt Strike and Flawedammyy RAT named as favoured tools
    https://www.theregister.com/2021/06/16/clop_ransomware_gang_arrests_ukraine/

    Ukrainian police have arrested six people, alleged to be members of the notorious Clop* ransomware gang, seizing cash, cars – and a number of Apple Mac laptops and desktops.

    “It was established that six defendants carried out attacks of malicious software such as ‘ransomware’ on the servers of American and [South] Korean companies,” alleged Ukraine’s national police force in a statement published at lunchtime today.

    https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-xakerske-ugrupovannya-u-rozpovsyudzhenni-virusu-shifruvalnika-ta-nanesenni-inozemnim-kompaniyam-piv-milyarda-dolariv-zbitkiv/

    Reply
  7. Tomi Engdahl says:

    Criminals are mailing altered Ledger devices to steal cryptocurrency
    https://www.bleepingcomputer.com/news/cryptocurrency/criminals-are-mailing-altered-ledger-devices-to-steal-cryptocurrency/

    Scammers are sending fake replacement devices to Ledger customers exposed in a recent data breach that are used to steal cryptocurrency wallets.

    Ledger has been a popular target by scammers lately with rising cryptocurrency prices and the popularity of hardware wallets to secure cryptofunds.

    In a post on Reddit, a Ledger user shared a devious scam after receiving what looks like a Ledger Nano X device in the mail.

    Reply
  8. Tomi Engdahl says:

    The man who got the FBI’s fake messaging app off the ground says pulling off one of the biggest police stings in history wasn’t the only goal
    https://www.businessinsider.com/how-fbi-fake-encrypted-chat-app-got-off-the-ground-2021-6

    Reply
  9. Tomi Engdahl says:

    CVS Health Records for 1.1 Billion Customers Exposed
    https://threatpost.com/cvs-health-records-billion-customers-exposed/167011/

    A vendor exposed the records, which were accessible with no password or other authentication, likely because of a cloud-storage misconfiguration.

    More than 1 billion records for CVS Health customers were left in the database of a third-party, unnamed vendor – exposed, unprotected, online. Researchers said the data points revealed could be strung together to create an extremely personal snapshot of someone's medical situation.

    The glitch is likely due to human error, security researcher Jeremiah Fowler said in a post on WebsitePlanet on Thursday: In other words, it’s probably yet another incidence of rampant misconfiguration that’s plaguing cloud-based storage, leading to exposure of sensitive data on an internal network.

    Report: CVS Health Exposed Search Records Online
    https://www.websiteplanet.com/blog/cvs-health-leak-report/

    On March 21st, 2021 the WebsitePlanet research team in cooperation with Security Researcher Jeremiah Fowler discovered a non-password protected database that contained over 1 billion records. Upon further research it was apparent that the data was connected to CVS Health. We immediately sent a responsible disclosure notice to CVS Health and public access was restricted the same day.

    Here is what the database contained:

    Total Size: 204.0 GB
    Total Records: 1,148,327,940

    Reply
  10. Tomi Engdahl says:

    Google’s Own Android App—With 5 Billion Installs—Was Vulnerable To A Privacy-Destroying Hack
    https://www.forbes.com/sites/thomasbrewster/2021/06/17/google-android-app-with-5-billion-installs-was-vulnerable-to-a-privacy-destroying-hack/

    Google’s Android app, with more than 5 billion downloads, has been patched after a researcher found it was vulnerable to an attack that could have allowed hackers to obtain sensitive data from users’ phones, from Gmail messages to search history. Users should ensure they’re running the latest version of the app to avoid being hit by any real-world attack, the researcher said.

    Google said the issue was patched in May. If users have automatic updates on, they shouldn’t have to do anything. For others, they will have to manually update the app. “We created our Vulnerability Rewards Program specifically to identify and fix vulnerabilities like this one. We are appreciative of Oversecured and the broader security community’s participation in these programs. We rolled out a fix to our users more than a month ago and have not seen any evidence of exploitation.”

    Reply
  11. Tomi Engdahl says:

    Bombshell Report Finds Phone Network Encryption Was Deliberately Weakened
    A new paper shows that two old encryption algorithms still used in mobile networks can be exploited to spy on phones’ internet traffic.
    https://www.vice.com/en/article/4avnan/bombshell-report-finds-phone-network-encryption-was-deliberately-weakened?utm_medium=social&utm_source=motherboardtv_facebook

    A weakness in the algorithm used to encrypt cellphone data in the 1990s and 2000s allowed hackers to spy on some internet traffic, according to a new research paper.

    The paper has sent shockwaves through the encryption community because of what it implies: The researchers believe that the mathematical probability of the weakness being introduced on accident is extremely low.

    Thus, they speculate that a weakness was intentionally put into the algorithm. After the paper was published, the group that designed the algorithm confirmed this was the case.

    The researchers said they obtained two encryption algorithms, GEA-1 and GEA-2, which are proprietary and thus not public, “from a source.” They then analyzed them and realized they were vulnerable to attacks that allowed for decryption of all traffic.

    When trying to reverse-engineer the algorithm, the researchers wrote that (to simplify), they tried to design a similar encryption algorithm using a random number generator often used in cryptography and never came close to creating an encryption scheme as weak as the one actually used: “In a million tries we never even got close to such a weak instance,” they wrote.

    “This implies that the weakness in GEA-1 is unlikely to occur by chance, indicating that the security level of 40 bits is due to export regulations.”

    Researchers dubbed the attack “divide-and-conquer,” and said it was “rather straightforward.” In short, the attack allows someone who can intercept cellphone data traffic to recover the key used to encrypt the data and then decrypt all traffic. The weakness in GEA-1, the oldest algorithm developed in 1998, is that it provides only 40-bit security. That’s what allows an attacker to get the key and decrypt all traffic, according to the researchers.

    “To meet political requirements, millions of users were apparently poorly protected while surfing for years.”

    A spokesperson for the organization that designed the GEA-1 algorithm, the European Telecommunications Standards Institute (ETSI), admitted that the algorithm contained a weakness, but said it was introduced because the export regulations at the time did not allow for stronger encryption.

    “We followed regulations: we followed export control regulations that limited the strength of GEA-1,” a spokesperson for ETSI told Motherboard in an email.

    Raddum and his colleagues found that GEA-1′s successor, GEA-2 did not contain the same weakness. In fact, the ETSI spokesperson said that when they introduced GEA-2 the export controls had been eased. Still, the researchers were able to decrypt traffic protected by GEA-2 as well with a more technical attack, and concluded that GEA-2 “does not offer a high enough security level for today’s standards,” as they wrote in their paper.

    Reply
  12. Tomi Engdahl says:

    Black Kingdom ransomware
    https://securelist.com/black-kingdom-ransomware/102873/
    Black Kingdom ransomware appeared on the scene back in 2019, but we observed some activity again in 2021. The ransomware was used by an unknown adversary for exploiting a Microsoft Exchange vulnerability (CVE-2021-27065). The complexity and sophistication of the Black Kingdom family cannot bear a comparison with other Ransomware-as-a-Service (RaaS) or Big Game Hunting (BGH) families. The ransomware is coded in Python and compiled to an executable using PyInstaller; it supports two encryption modes: one generated dynamically and one using a hardcoded key. Code analysis revealed an amateurish development cycle and a possibility to recover files encrypted with Black Kingdom with the help of the hardcoded key. The industry already provided a script to recover encrypted files in case they were encrypted with the embedded key.

    Reply
  14. Tomi Engdahl says:

    What you need to know about Process Ghosting, a new executable image tampering attack https://www.elastic.co/blog/process-ghosting-a-new-executable-image-tampering-attack
    Security teams defending Windows environments often rely on anti-malware products as a first line of defense against malicious executables. Microsoft provides security vendors with the ability to register callbacks that will be invoked upon the creation of processes on the system. Driver developers can call APIs such as PsSetCreateProcessNotifyRoutineEx to receive such events. Despite the name, PsSetCreateProcessNotifyRoutineEx callbacks are not actually invoked upon the creation of processes, but rather upon the creation of the first threads within those processes. This creates a gap between when a process is created and when security products are notified of its creation.

    Reply
  15. Tomi Engdahl says:

    Attackers Take Advantage of New Google Docs Exploit https://www.avanan.com/blog/attackers-take-advantage-of-new-google-doc-exploit
    Avanan analysts have recently discovered an exploit vector in Google Docs that attackers are using to deliver malicious phishing websites to victims

    Reply
  16. Tomi Engdahl says:

    Audi, Volkswagen customer data being sold on a hacking forum https://www.bleepingcomputer.com/news/security/audi-volkswagen-customer-data-being-sold-on-a-hacking-forum/
    Audi and Volkswagen customer data is being sold on a hacking forum after allegedly being stolen from an exposed Azure BLOB container.
    Last week, the Volkswagen Group of America, Inc. (VWGoA) disclosed a data breach after a vendor left customer data unsecured on the Internet between August 2019 and May 2021. “The data included some or all of the following contact information about you: first and last name, personal or business mailing address, email address, or phone number,” disclosed VWGoA in a data breach notification.

    Reply
  17. Tomi Engdahl says:

    Hiccup in Akamais DDoS Mitigation Service Triggers Massive String of Outages https://threatpost.com/hiccup-akamais-ddos-outages/167004/
    Major financial institutions, airlines and the Hong Kong stock exchange were knocked offline by a backfiring distributed denial-of-service (DDoS) mitigation service Thursday. The hour-long outage, which was triggered at approximately 1 a.m. EST Thursday, is tied to Akamai Technology's anti-DDoS Prolexic service. In a statement to Threatpost at 7:44 a.m. EST, Akamai confirmed "a segment of its Prolexic platform was impacted and is now back up and running. We are continuing to validate services. We will share more details of what transpired, but our first priority is ensuring all customer impact is mitigated," wrote Chris Nicholson, senior public relations manager, Akamai. Also: https://www.is.fi/digitoday/art-2000008063974.html

    Reply
  18. Tomi Engdahl says:

    Polazert Trojan using poisoned Google Search results to spread https://blog.malwarebytes.com/awareness/2021/06/polazert-trojan-using-poisoned-google-search-results-to-spread/
    Trojan.Polazert aka SolarMarker has gone back and fine-tuned an old tactic known as SEO-poisoning to plant their Remote Access Trojan (RAT) on as many systems as possible. This RAT runs in memory and is used by attackers to install additional malware on affected systems.
    Trojan.Polazert is specifically designed to steal credentials from browsers and provide an attacker with a backdoor that allows them to further compromise infected systems. To achieve this, collected data is sent to a C&C server.

    Reply
  19. Tomi Engdahl says:

    Travel and retail industries facing wave of credential stuffing attacks https://www.zdnet.com/article/travel-and-retail-industries-facing-wave-of-credential-stuffing-attacks/
    A new report from Auth0 has discovered that government institutions as well as travel and retail companies continue to face an inordinate amount of credential stuffing attacks. Auth0, which was recently acquired by Okta for $6.5 billion, released startling statistics of what they are seeing in their State of Secure Identity report. In the first three months of 2021, Auth0 found that credential stuffing accounted for 16.5% of attempted login traffic on its platform, with a peak of over 40% near the end of March.

    Reply
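    As an added example (not code from the Auth0 report or the ZDNet article), a small triage script over constructed authentication log lines: it flags source addresses whose attempts show the stuffing pattern (many distinct usernames, mostly failures) and computes their share of login traffic, the kind of percentage the report quotes.

```python
"""Credential-stuffing triage over authentication log lines.

Added example; the log format below is constructed for illustration
(one line per login attempt with timestamp, source IP, username, result).
"""
import re
from collections import defaultdict

# Constructed sample: 203.0.113.7 sprays six different usernames and mostly
# fails (stuffing pattern); 198.51.100.4 is one user retrying a password.
SAMPLE_LOG = """\
2021-06-17T10:00:01Z src=203.0.113.7 user=alice result=fail
2021-06-17T10:00:02Z src=203.0.113.7 user=bob result=fail
2021-06-17T10:00:02Z src=203.0.113.7 user=carol result=fail
2021-06-17T10:00:03Z src=203.0.113.7 user=dave result=success
2021-06-17T10:00:03Z src=203.0.113.7 user=erin result=fail
2021-06-17T10:00:04Z src=203.0.113.7 user=frank result=fail
2021-06-17T10:00:05Z src=198.51.100.4 user=grace result=fail
2021-06-17T10:00:09Z src=198.51.100.4 user=grace result=fail
2021-06-17T10:00:15Z src=198.51.100.4 user=grace result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Parse the constructed format into a list of attempt dicts; skip junk lines."""
    attempts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            attempts.append(m.groupdict())
    return attempts


def stuffing_sources(attempts, min_users=5, min_fail_ratio=0.8):
    """Return {src: stats} for sources that look like credential stuffing.

    Stuffing replays leaked username/password pairs, so one address touches
    many distinct accounts and most attempts fail. A single user retrying a
    forgotten password has low account diversity and is not flagged. The
    thresholds are assumptions to tune per environment.
    """
    by_src = defaultdict(lambda: {"users": set(), "ok": set(), "total": 0, "fail": 0})
    for a in attempts:
        s = by_src[a["src"]]
        s["users"].add(a["user"])
        s["total"] += 1
        if a["result"] == "fail":
            s["fail"] += 1
        elif a["result"] == "success":
            s["ok"].add(a["user"])  # accounts that need a forced reset

    flagged = {}
    for src, s in by_src.items():
        ratio = s["fail"] / s["total"]
        if len(s["users"]) >= min_users and ratio >= min_fail_ratio:
            flagged[src] = {
                "distinct_users": len(s["users"]),
                "attempts": s["total"],
                "fail_ratio": round(ratio, 2),
                "succeeded": sorted(s["ok"]),
            }
    return flagged


def stuffing_share(attempts, flagged):
    """Fraction of all login attempts that came from flagged sources."""
    if not attempts:
        return 0.0
    hits = sum(1 for a in attempts if a["src"] in flagged)
    return hits / len(attempts)


if __name__ == "__main__":
    atts = parse_log(SAMPLE_LOG)
    flagged = stuffing_sources(atts)
    for src, stats in flagged.items():
        print(src, stats)
    print(f"stuffing share of login traffic: {stuffing_share(atts, flagged):.1%}")
```

    Accounts listed under "succeeded" for a flagged source are the ones worth a forced password reset and session revocation.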
  20. Tomi Engdahl says:

    Biden to Putin: Get your ransomware gangs under control and don't you dare cyber-attack our infrastructure https://www.theregister.com/2021/06/17/biden_putin_summit_cybersecurity_discussion/
    US President Joe Biden and his Russian Federation counterpart Vladimir Putin have traded barbs over cyber-attacks at a summit meeting staged yesterday in Switzerland. The readout of Biden's post-summit press conference states that what the two presidents "spent a great deal of time on was cyber and cybersecurity." "I talked about the proposition that certain critical infrastructure should be off limits to attack, period, by cyber or any other means." Biden gave Putin a list of 16 specific entities defined as critical infrastructure under US policy, "from the energy sector to our water systems."

    Reply
  21. Tomi Engdahl says:

    Google Confirms Sixth Zero-Day Chrome Attack in 2021
    https://www.securityweek.com/google-confirms-sixth-zero-day-chrome-attack-2021

    Google's ongoing struggles with in-the-wild zero-day attacks against its flagship Chrome browser aren't going away anytime soon.

    For the sixth time this year, the search giant shipped a Chrome point-update to fix code execution holes that the company says are already being exploited by malicious hackers.

    “Google is aware that an exploit for CVE-2021-30554 exists in the wild,” the company said in an advisory posted on Thursday. It refers to a use-after-free vulnerability in WebGL, the JavaScript API used to render graphics without browser plugins.

    Reply
  22. Tomi Engdahl says:

    Akamai Blames Outage on DDoS Protection Service
    https://www.securityweek.com/akamai-blames-outage-ddos-protection-service

    CDN, cybersecurity and cloud services provider Akamai has blamed an outage that occurred on Thursday on an issue with its Prolexic DDoS attack protection service.

    Akamai’s Prolexic Routed is a fully managed service designed to protect an organization’s online assets against distributed denial-of-service (DDoS) attacks.

    A problem with the service caused the websites of many major companies to become inaccessible. According to various media reports, the outage impacted financial institutions in Australia, including Commonwealth Bank of Australia and Westpac, U.S. airlines, including American Airlines and Southwest Airlines, as well as the Hong Kong Stock Exchange and organizations in other parts of the world.

    Akamai said the outage started at 4:20 AM UTC and the service was restored by 8:47 AM UTC. The company noted that only customers using its Routed 3.0 service were impacted, and they should have received an error alert seconds after the issue was detected.

    “Many of the approximately 500 customers using this service were automatically rerouted, which restored operations within a few minutes. The large majority of the remaining customers manually rerouted shortly thereafter,” the company said in a statement released after the problem was addressed.

    Reply
  23. Tomi Engdahl says:

    Cruise Giant Carnival Says Customers Affected by Breach
    https://www.securityweek.com/cruise-giant-carnival-says-customers-affected-breach

    Carnival Corp. said Thursday that a data breach in March might have exposed personal information about customers and employees on Carnival Cruise Line, Holland America Line and Princess Cruises.

    In a letter to customers, the company indicated that outsiders might have gained access to Social Security numbers, passport numbers, dates of birth, addresses and health information of people.

    The company declined to say how many people’s information was exposed.

    The breach comes after Carnival was hit twice last year by ransomware attacks.

    Reply
  24. Tomi Engdahl says:

    Vigilante Malware Blocks Pirated Software
    By Aaron Klotz about 19 hours ago
    Is it heroic or villainous? Why not both?
    https://www.tomshardware.com/news/vigilante-malware-pirate-bay?utm_medium=social&utm_campaign=socialflow&utm_content=tomsguide&utm_source=facebook.com

    A piece of malware is spreading across the internet that doesn’t behave like your usual suspects. Strangely, this malware acts as a vigilante of sorts as the software prevents your system from accessing sites known for redistributing pirated data. BleepingComputer and Sophos News first reported on the malware.

    https://news.sophos.com/en-us/2021/06/17/vigilante-antipiracy-malware/

    Reply
  25. Tomi Engdahl says:

    To stop the ransomware pandemic, start with the basics
    That will help stop other sorts of cyber-mischief, too
    https://www.economist.com/leaders/2021/06/19/to-stop-the-ransomware-pandemic-start-with-the-basics

    On May 7th cyber-criminals shut down the pipeline supplying almost half the oil to America’s east coast for five days. To get it flowing again, they demanded a $4.3m ransom from Colonial Pipeline Company, the owner. Days later, a similar “ransomware” assault crippled most hospitals in Ireland.

    Such attacks are evidence of an epoch of intensifying cyber-insecurity that will impinge on everyone, from tech firms to schools and armies. One threat is catastrophe: think of an air-traffic-control system or a nuclear-power plant failing. But another is harder to spot, as cybercrime impedes the digitisation of many industries, hampering a revolution that promises to raise living standards around the world.

    Reply
  26. Tomi Engdahl says:

    50,000 security disasters waiting to happen: The problem of America’s water supplies
    “If you could imagine a community center run by two old guys who are plumbers, that’s your average water plant,” one cybersecurity consultant said.
    https://www.nbcnews.com/tech/security/hacker-tried-poison-calif-water-supply-was-easy-entering-password-rcna1206

    On Jan. 15, a hacker tried to poison a water treatment plant that served parts of the San Francisco Bay Area. It didn’t seem hard.

    The hacker had the username and password for a former employee’s TeamViewer account, a popular program that lets users remotely control their computers, according to a private report compiled by the Northern California Regional Intelligence Center in February and seen by NBC News.

    After logging in, the hacker, whose name and motive are unknown and who hasn’t been identified by law enforcement, deleted programs that the water plant used to treat drinking water.

    Reply
  27. Tomi Engdahl says:

    A specific network name can completely disable Wi-Fi on your iPhone
    https://9to5mac.com/2021/06/19/a-specific-network-name-can-completely-disable-wi-fi-on-your-iphone/amp/

    Here’s a funny bug: a security researcher has found that a carefully crafted network name causes a bug in the networking stack of iOS and can completely disable your iPhone’s ability to connect to Wi-Fi.

    On Twitter, Carl Schou showed that after joining a Wi-Fi network with a specific name (“%p%s%s%s%s%n”), all Wi-Fi functionality on the iPhone was disabled from that point on.

    Once an iPhone or iPad joins the network with the name “%p%s%s%s%s%n”, the device fails to connect to Wi-Fi networks or use system networking features like AirDrop. The issue persists after rebooting the device (although a workaround does exist, see below).

    Nevertheless, If you are somehow affected by this, the bug does not appear to permanently damage your hardware.

    You should be able to reset all network settings and start over. In Settings, go to General -> Reset -> Reset Network Settings. This resets all saved Wi-Fi networks on the iPhone (as well as other things like cellular settings and VPN access), thereby removing the knowledge of the malicious network name from its memory. You can then join your standard home Wi-Fi once more.

    Reply
  28. Tomi Engdahl says:

    Ransomware criminals look to other hackers to provide them with network access
    New report finds ransomware gangs are buying access from hackers planting backdoors
    https://www.itpro.co.uk/security/ransomware/359919/ransomware-criminals-look-to-other-hackers-to-provide-them-with-network

    Reply
  29. Tomi Engdahl says:

    Microsoft Confirms Six Windows 10 ‘Zero Day’ Threats, Pushes Fix
    https://www.forbes.com/sites/gordonkelly/2021/06/12/microsoft-issues-windows-10-update-warning-zero-day-security-vulnerability-free-windows-10-upgrade/

    Windows 10’s one billion users need to listen up because Microsoft has confirmed seven serious threats to the operating system and warned users to upgrade.

    Reply
  30. Tomi Engdahl says:

    7-Year-Old Polkit Flaw Lets Unprivileged Linux Users Gain Root Access
    https://thehackernews.com/2021/06/7-year-old-polkit-flaw-lets.html

    Reply
  31. Tomi Engdahl says:

    Seven-year-old make-me-root bug in Linux service polkit patched
    Error handling? Nah, let’s just unlock everything and be done with it
    https://www.theregister.com/2021/06/11/linux_polkit_package_patched/

    Reply
  32. Tomi Engdahl says:

    Privilege escalation with polkit: How to get root on Linux with a seven-year-old bug
    https://github.blog/2021-06-10-privilege-escalation-polkit-root-on-linux-with-bug/

    Reply
  33. Tomi Engdahl says:

    A #cybersecurity firm has exposed 5 billion+ (5,085,132,102) records including emails, passwords it collected from previous #databreaches.

    Cybersecurity firm exposes 5 billion data breach records
    https://www.hackread.com/cybersecurity-firm-expose-data-breach-records/

    Cybersecurity firm Cognyte fails to secure its database, exposing 5 billion records comprised of previous data breaches.
    In recent news, a cybersecurity analytics firm, Cognyte was found to be responsible for leaving a huge database unsecured which led to more than 5 billion records being exposed online.

    The database could be accessed by anyone and did not require any sort of authorization or authentication. It appears to be rather ironic that the database was made for the purpose of cross-checking whether the personal information of any client was present in the known breaches that were stored there. However, that database itself turned out to be exposed.

    The data was stored on an Elasticsearch cluster and in total, there were 5,085,132,102 records. This data may or may not have been accessed by a number of third parties, there really is no way of telling.

    From Cognyte’s side, a fast response was observed as cybersecurity expert Bob Diachenko, leader of the Comparitech security research team, informed Cognyte about the exposed data on 29th May 2021, and the database was secured three days later.

    This however is not the first time when a cybersecurity company has leaked a trove of data collected from previous and large-scale data breaches. Last year, an England-based cybersecurity firm exposed 5 billion records (5,088,635,374 records) on an Elasticsearch cluster and forced publications to remove their name from the reports covering the incident.

    Reply
  34. Tomi Engdahl says:

    A deep dive into the operations of the LockBit ransomware group https://www.zdnet.com/article/a-deep-dive-into-the-operations-of-the-lockbit-ransomware-group/
    Researchers have provided an in-depth look at how LockBit, one of the newer ransomware groups on the scene, operates. Report PDF:
    https://www.prodaft.com/m/reports/LockBit_Case_Report___TLPWHITE.pdf

    Reply
  35. Tomi Engdahl says:

    Fake DarkSide Campaign Targets Energy and Food Sectors https://www.trendmicro.com/en_us/research/21/f/fake-darkside-campaign-targets-energy-and-food-sectors.html
    Threat actors behind a recent campaign pose as DarkSide in a bid to deceive targets into paying ransom.

    Reply
  36. Tomi Engdahl says:

    Carnival Cruise Cyber-Torpedoed by Cyberattack https://threatpost.com/carnival-cruise-cyberattack/167065/
    This is the fourth time in a bit over a year that Carnival’s admitted to breaches, with two of them being ransomware attacks.

    Reply
  37. Tomi Engdahl says:

    Poltergeist attack could leave autonomous vehicles blind to obstacles or haunt them with new ones https://www.theregister.com/2021/06/18/poltergeist_autonomous_vehicles/
    Researchers at the Ubiquitous System Security Lab of Zhejiang University and the University of Michigan’s Security and Privacy Research Group say they’ve found a way to blind autonomous vehicles to obstacles using simple audio signals.

    Reply
  38. Tomi Engdahl says:

    North Korea Exploited VPN Flaw to Hack South’s Nuclear Research Institute https://thehackernews.com/2021/06/north-korea-exploited-vpn-flaw-to-hack.html
    South Korea's state-run Korea Atomic Energy Research Institute (KAERI) on Friday disclosed that its internal network was infiltrated by suspected attackers operating out of its northern counterpart. The intrusion is said to have taken place on May 14 through a vulnerability in an unnamed virtual private network (VPN) vendor and involved a total of 13 IP addresses, one of which – "27.102.114[.]89" – has been previously linked to a state-sponsored threat actor dubbed Kimsuky.

    Reply
  39. Tomi Engdahl says:

    The researchers managed to identify and report the presence of Joker malware in 8 apps on Google Play Store https://www.hackread.com/android-joker-malware-back-on-play-store/
    The malware infects the user’s device after the infected application is downloaded and keeps collecting data secretly.

    Reply
  40. Tomi Engdahl says:

    Don't go to your bank via Google: a mistake could cost you your money
    https://www.tivi.fi/uutiset/tv/81d68e96-5a63-49c4-b49b-58db77e8f377
    Unfortunately, yet another scam campaign is circulating that phishes for bank credentials. Säästöpankki has approached its customers with notices warning about phishing.
    According to the bank, criminals are trying to get hold of bank credentials by email, phone and text message, but now also through search results, for example on Google or Bing. "Criminals have managed to push scam sites that resemble banks' pages to the top of search engine results, and these sites phish for bank credentials."

    Reply
  41. Tomi Engdahl says:

    A new change in the law tempts criminals to scam online shoppers in new ways: package orders may soon arrive weeks late
    https://yle.fi/uutiset/3-11982325
    According to the police, the delays give the senders of scam messages an additional opening to rob people waiting for packages of their money. “Various scam messages are one of today’s plagues and a constantly growing field of crime. The number of police reports grew by about 20 percent last year compared with the previous year, and the trend now looks the same,” says Pöyhönen.

    Reply
  42. Tomi Engdahl says:

    Akamai Blames Outage on DDoS Protection Service
    https://www.securityweek.com/akamai-blames-outage-ddos-protection-service

    CDN, cybersecurity and cloud services provider Akamai has blamed an outage that occurred on Thursday on an issue with its Prolexic DDoS attack protection service.

    Akamai’s Prolexic Routed is a fully managed service designed to protect an organization’s online assets against distributed denial-of-service (DDoS) attacks.

    A problem with the service caused the websites of many major companies to become inaccessible. According to various media reports, the outage impacted financial institutions in Australia, including Commonwealth Bank of Australia and Westpac, U.S. airlines, including American Airlines and Southwest Airlines, as well as the Hong Kong Stock Exchange and organizations in other parts of the world.

    Reply
  43. Tomi Engdahl says:

    Researcher Finds Several Vulnerabilities in Cisco Small Business Switches
    https://www.securityweek.com/researcher-finds-several-vulnerabilities-cisco-small-business-switches

    A researcher has identified several vulnerabilities, including ones that have been rated high severity, in Cisco’s Small Business 220 series smart switches. The networking giant this week informed customers about the availability of patches for these flaws.

    The vulnerabilities were discovered by security researcher Jasper Lievisse Adriaanse, and they impact switches that run firmware versions earlier than 1.2.0.6 and have the web-based management interface enabled — the interface is enabled by default.

    In an advisory released this week, Cisco said Lievisse Adriaanse found four types of security holes in the small business switches.

    Cisco Small Business 220 Series Smart Switches Vulnerabilities
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ciscosb-multivulns-Wwyb7s5E

    Reply
  44. Tomi Engdahl says:

    Vulnerabilities in Open Design Alliance SDK Impact Siemens, Other Vendors
    https://www.securityweek.com/vulnerabilities-open-design-alliance-sdk-impact-siemens-other-vendors

    Eight vulnerabilities discovered in the Drawings software development kit (SDK) made by Open Design Alliance (ODA) impact products from Siemens and likely other vendors.

    ODA is a nonprofit organization that creates SDKs for engineering applications, including computer aided design (CAD), geographic information systems (GIS), building and construction, product lifecycle management (PLM), and internet of things (IoT). Its website says the organization has 1,200 member companies worldwide, and its products are used by several major companies, including Siemens, Microsoft, Bentley, and Epic Games.

    Mat Powell and Brian Gorenc of Trend Micro’s Zero Day Initiative (ZDI) discovered that ODA’s Drawings SDK, which is designed to provide access to all data in .dwg and .dgn design files, is affected by several vulnerabilities that can be exploited by convincing the targeted user to open a specially crafted file.

    The ZDI researchers discovered the flaws in Siemens’ JT2Go 3D JT viewing tool, but further analysis revealed that the issues were actually introduced by the use of the Drawings SDK.

    Reply
  45. Tomi Engdahl says:

    Texas power companies automatically raised the temperature of customers’ smart thermostats in the middle of a heat wave
    https://www.businessinsider.com/texas-energy-companies-remotely-raised-smart-thermostats-temperatures-2021-6

    Texas power companies remotely adjusted customers’ smart thermostats, KHOU 11 reported.
    Customers said they had unknowingly agreed to let companies raise the temperature to save energy.
    Texas regulators asked residents last week to conserve energy amid a heat wave.

    Reply
