Cyber security news June 2021

This posting is here to collect cyber security news in June 2021.

I post links to security vulnerability news in the comments of this article.

You are also free to post related links to comments.


  1. Tomi Engdahl says:

    Every year in the month of June, someone by the unlikely name of posts a question to the Linux Kernel Mailing List asking whether a Linux kernel module is possible that would blow the PC speaker. It’s fairly obviously a joke, which is why the UK-based anti-virus company Sophos have devoted a light-hearted blog post to it. The post is an interesting diversion into early PC sounds, when the only hardware guaranteed to be present was a small speaker hooked up to a bit on an output port….

  2. Tomi Engdahl says:

    Vermont Hospital Still Calculating Cost of Ransomware Attack

    Officials at Vermont’s largest hospital are still trying to determine the full financial impact of the cyberattack last October that knocked out computers affecting three hospitals in Vermont and three in New York.

  3. Tomi Engdahl says:

    Water Sector Security Report Released Just as Another Water Plant Hack Comes to Light

    The Water Sector Coordinating Council last week announced a new cybersecurity report focusing on water and wastewater utilities in the United States. The release of the report coincided with news that a threat actor in January attempted to poison the water at a facility in the U.S.

    The Water Sector Coordinating Council describes itself as “a policy, strategy and coordination mechanism for the Water and Wastewater Sector in interactions with the government and other sectors on critical infrastructure security and resilience issues.”

    The organization in April surveyed 606 individuals working at water and wastewater utilities in the U.S. to get a better understanding of the sector in terms of cybersecurity.

    According to the report made public on June 17, 356 of respondents said they did not experience any IT security incident in the past year. Three respondents said they experienced 5 or more incidents and 83 reported 1-4 incidents in the last 12 months.

  4. Tomi Engdahl says:

    ADATA suffers 700 GB data leak in Ragnar Locker ransomware attack
    The Ragnar Locker ransomware gang have published download links for more than 700GB of archived data stolen from Taiwanese memory and storage chip maker ADATA.

  5. Tomi Engdahl says:

    Researcher Claims Apple Downplayed Severity of iCloud Account Takeover Vulnerability

    A security researcher claims he discovered a critical vulnerability in Apple’s password reset feature that could have been used to take over any iCloud account, but Apple has downplayed the impact of the flaw.

    The issue, researcher Laxman Muthiyah says, was a bypass of the various security measures Apple has in place to prevent attempts to brute force the ‘forgot password’ functionality for Apple accounts.

    When attempting to reset a password, the user is prompted to provide their phone number or email address to receive a 6-digit one-time passcode.

    Thus, an attacker looking to take over the account first needs to know the victim’s phone number or email address, and then to correctly guess the 6-digit code or be able to try all of the roughly 1 million possibilities.

    To prevent brute-forcing of this code, Apple limited the number of attempts one can make to 5, and also limited the number of concurrent POST requests to the same server from the same IP address to 6, which means that an attacker would need 28,000 IP addresses to send a million requests.

    As an additional security measure, Apple also blacklisted cloud service providers and appears to automatically reject POST requests coming from many of them, including AWS and Google Cloud. However, the researcher discovered that an attacker could send the requests using cloud services that are not blocked, enabling them to brute-force the 6-digit code and gain access to the targeted iCloud account.

    “Of course the attack isn’t easy to do, we need to have a proper setup to successfully exploit this vulnerability,” Muthiyah explained. “First we need to bypass the SMS 6 digit code then 6 digit code received in the email address. Both bypasses are based on same method and environment so we need not change anything while trying the second bypass. Even if the user has two factor authentication enabled, we will still be able to access their account, because 2FA endpoint also shares the rate limit and was vulnerable. The same vulnerability was also present in the password validation endpoint.”

  6. Tomi Engdahl says:

    A CCTV Company Is Paying Remote Workers in India to Yell at Armed Robbers
    Clerks at 7-Eleven and other convenience stores are being constantly monitored by a voice of god that can intervene from thousands of miles away.

  7. Tomi Engdahl says:

    City of Liege, Belgium hit by ransomware
    Liege, the third biggest city in Belgium, has suffered today a ransomware attack that has disrupted the municipality’s IT network and online services. While officials only described the incident as a “computer attack,” two Belgian radio and TV stations reported that the attack was the work of the Ryuk ransomware gang.

  8. Tomi Engdahl says:

    Smart thermostats cranked up remotely by Texas energy firms, as consumers swelter in heat wave
    Some sweltering residents of Texas are reporting that they are unable to lower the temperature on their Wi-Fi enabled “smart” thermostats after it was mysteriously raised, and they are struggling to understand why. The reason, it transpires, is not that malicious hackers have broken into the IoT devices to cause mayhem but is instead all part of an energy conservation campaign promoted by Texas’s power grid operator struggling to stay online in the Lone Star State.

  9. Tomi Engdahl says:

    Ransomware Gang Cl0p Announces New Victim After Police Bust
    The hacking group has resurfaced online on its official dark web site, suggesting the arrests may not have hit it too hard.

  10. Tomi Engdahl says:

    North Korean hackers breach South Korean submarine builder (again)
    North Korean hackers are believed to have breached South Korea’s top submarine builder for the second time in the past decade, South Korean news outlet JoongAng reported on Sunday.

  11. Tomi Engdahl says:

    Zephyr OS Bluetooth vulnerabilities left smart devices open to attack
    Vulnerabilities in the Zephyr real-time operating system’s Bluetooth stack have been identified, leaving a wide variety of Internet of Things devices open to attack unless upgraded to a patched version of the OS.

  12. Tomi Engdahl says:

    Bugs in NVIDIA’s Jetson Chipset Opens Door to DoS Attacks, Data Theft
    Chipmaker patches nine high-severity bugs in its Jetson SoC framework tied to the way it handles low-level cryptographic algorithms.

  13. Tomi Engdahl says:

    Lexmark Printers Open to Arbitrary Code-Execution Zero-Day
    Successful execution requires an intruder to have access to the underlying host system, Barratt said via email on Tuesday, so it’s “more of an attack vector for potential lateral movement and privilege escalation.” He noted that the bug could be used potentially by a malicious insider looking to circumvent permissions on a corporate computer, for example.

    Email Bug Allows Message Snooping, Credential Theft
    A year-old proof-of-concept attack that allows an attacker to bypass TLS email protections to snoop on messages has been patched.

  14. Tomi Engdahl says:

    APNIC left a dump from its Whois SQL database in a public Google Cloud bucket
    The Asia Pacific Network Information Centre (APNIC), the internet registry for the region, has admitted it left at least a portion of its Whois SQL database, which contains sensitive information, facing the public internet for three months.

  15. Tomi Engdahl says:

    Sonatype Catches New PyPI Cryptomining Malware
    Sonatype has identified malicious typosquatting packages infiltrating the PyPI repository that secretly pull in cryptominers on the affected machines.

  16. Tomi Engdahl says:

    John McAfee: Anti-virus creator found dead in prison cell

    Anti-virus software entrepreneur John McAfee has been found dead in a Barcelona prison cell, just hours after a Spanish court agreed to extradite him to the US to face tax evasion charges.

    The Catalan Justice Department said prison medics tried to resuscitate him, but were not successful.

    It said in a statement that “everything indicates” Mr McAfee took his own life.

    A controversial figure, Mr McAfee’s company released the first commercial anti-virus software.

    It helped to spark a multi-billion dollar industry in the computer world.

    In October 2020, he was arrested in Spain, and accused of failing to file tax returns for four years, despite earning millions from consulting work, speaking engagements, crypto-currencies and selling the rights to his life story.

  17. Tomi Engdahl says:

    This secretive firm has powerful new hacking tools
    A secretive cyberintelligence firm claims to have created powerful hacking tools that can remotely monitor and take control of Android, MacOS and Windows devices. Designed for those looking to “investigate targets in tactical operations,” Mollitiam Industries is promoting tools that are capable of the “anonymous interception, and the remote and invisible control of targets connected to the internet,” according to documents seen by WIRED.

  18. Tomi Engdahl says:

    Response When Minutes Matter: Falcon Complete Disrupts WIZARD SPIDER eCrime Operators
    In this blog, we describe a string of recent incidents in which the CrowdStrike Falcon Complete team observed a financially motivated eCrime operator (likely WIZARD SPIDER) use compromised external remote services (Microsoft Remote Desktop Protocol, or RDP) along with Cobalt Strike in an unsuccessful attempt to deploy ransomware. This activity indicates a notable increase in the adversary’s tactics to include RDP brute forcing along with their more traditional modus operandi for initial access via phishing or leveraging their partner networks of access brokers.

  19. Tomi Engdahl says:

    Unpatched Flaw in Linux Pling Store Apps Could Lead to Supply-Chain Attacks
    Cybersecurity researchers have disclosed a critical unpatched vulnerability affecting Pling-based free and open-source software (FOSS) marketplaces for the Linux platform that could be potentially abused to stage supply-chain attacks and achieve remote code execution (RCE).

  20. Tomi Engdahl says:

    SonicWall bug affecting 800K firewalls was only partially fixed
    Turns out, the vulnerability was not properly patched until now. As such, a new vulnerability identifier, CVE-2021-20019, has been assigned to the flaw. SonicWall has now released advisories related to this vulnerability today, with further information on the fixed versions.

  21. Tomi Engdahl says:

    USB-based malware is a growing concern for industrial firms, new Honeywell findings show
    The number of cyber threats designed to use USB sticks and other external media devices as launching pads doubled in 2021, according to new research from Honeywell, the industrial automation giant.

  22. Tomi Engdahl says:

    Tulsa warns of data breach after Conti ransomware leaks police citations
    The City of Tulsa, Oklahoma, is warning residents that their personal data may have been exposed after a ransomware gang published police citations online.

  23. Tomi Engdahl says:

    Pakistan-linked hackers targeted Indian power company with ReverseRat
    A threat actor with suspected ties to Pakistan has been striking government and energy organizations in the South and Central Asia regions to deploy a remote access trojan on compromised Windows systems, according to new research.

  24. Tomi Engdahl says:

    Iowa Eye Clinic: 500,000 Patient Files May Have Been Stolen

    The records of roughly 500,000 patients of an eye clinic with locations throughout Iowa may have been stolen as part of a ransomware attack on the business earlier this year.

    Wolfe Eye Clinic said Tuesday its computer network was attacked on Feb. 8 by hackers who demanded a ransom to unlock access to its systems, but the company didn’t pay the hackers. The company plans to notify affected patients that their information may have been stolen and offer them a year of credit monitoring and identity theft protection services.

  25. Tomi Engdahl says:

    Researcher Finds Vulnerability Impacting Multiple Linux Marketplaces

    Linux marketplaces that are based on the Pling platform are impacted by a cross-site scripting (XSS) vulnerability and potentially exposed to supply chain attacks, according to German cybersecurity consultancy Positive Security.

    Pling allows for the creation of free and open-source software (FOSS) marketplaces that are used for the distribution of software, themes, and other content that might not be available through other distribution channels.

    Positive Security co-founder Fabian Bräunlein discovered that all Pling-based marketplaces are impacted by a wormable XSS that potentially opens the door for supply chain attacks.

  26. Tomi Engdahl says:

    New REvil-Based Ransomware Emerges

    A threat actor appears to have repurposed the REvil ransomware to create their own ransomware family and possibly launch a ransomware-as-a-service (RaaS) offering.

    Also known as Sodinokibi, REvil has become one of the most prominent ransomware families out there, being involved in a large number of high-profile attacks, including the one on JBS, the world’s largest meat processing company.

    REvil is offered by an Eastern Europe/Russia-based threat actor tracked as PINCHY SPIDER, which is known for their RaaS business that previously involved the GandCrab ransomware, which was retired in June 2019, two months after REvil emerged.

    On Tuesday, security researchers with Secureworks, which tracks REvil’s operators as GOLD SOUTHFIELD, revealed that a new ransomware family that is making the rounds appears to be nothing more than a repurposed REvil iteration created by a threat actor referred to as GOLD NORTHFIELD.

    “[Secureworks Counter Threat Unit] analysis confirmed that the GOLD NORTHFIELD threat group, which operates LV, replaced the configuration of a REvil v2.03 beta version to repurpose the REvil binary for the LV ransomware,” the researchers say.

  27. Tomi Engdahl says:

    John McAfee has died in a Spanish jail cell by suicide according to his lawyer, hours after news that he would be extradited to face federal charges in the US — Antivirus creator John McAfee, 75, was found dead in his prison cell in Barcelona after the Spanish high court had authorised …

    Larger-than-life software mogul John McAfee dies in Spain by suicide, lawyer says

  28. Tomi Engdahl says:

    BIOSConnect code execution bugs impact millions of Dell devices
    A critical bug chain allows attackers to impersonate the vendor and impact code at the root level.

  29. Tomi Engdahl says:

    Researchers are warning of wormable DarkRadiation #ransomware that’s targeting RedHat, Debian-based #Linux distributions and Docker cloud containers.

    Cybersecurity researchers are sounding the alarm bell over a new ransomware strain called “DarkRadiation” that’s implemented entirely in Bash and targets Linux and Docker cloud containers, while banking on messaging service Telegram for command-and-control (C2) communications.

    “The ransomware is written in Bash script and targets Red Hat/CentOS and Debian Linux distributions,” researchers from Trend Micro said in a report published last week. “The malware uses OpenSSL’s AES algorithm with CBC mode to encrypt files in various directories. It also uses Telegram’s API to send an infection status to the threat actor(s).”

  30. Tomi Engdahl says:

    Huge leak of 815 million records included usernames, email addresses and other information from one of the world’s largest web hosts could’ve been useful to cybercriminals, a researcher warns.

    DreamHost Mistake Leaks 815 Million-Record Trove Full Of Website Owner Data

    A huge database belonging to one of the world’s largest web hosts, Los Angeles-based DreamHost, was left open online earlier this year, leaking names, usernames and email addresses of its customers, a cybersecurity researcher has warned. 

    The data, wrapped up in a database containing 815 million records, also included administrator and user information for DreamPress, DreamHost’s widely used service for WordPress websites. The data appeared to date back at least three years to 2018, though it’s unclear how long the database was openly accessible. Combined, the data could have been used in attempts to break into users’ accounts, warned Jeremiah Fowler, an independent cybersecurity researcher who partnered with Website Planet, a website for web developers, to disclose the leak. 

  31. Tomi Engdahl says:

    Mercedes-Benz data breach exposes SSNs, credit card numbers

    Mercedes-Benz USA has just disclosed a data breach impacting some of its customers.

    The company assessed 1.6 million customer records which included customer names, addresses, emails, phone numbers, and some purchased vehicle information to determine the impact.

    It appears the data breach exposed credit card information, social security numbers, and driver license numbers of under 1,000 Mercedes-Benz customers and potential buyers.

  32. Tomi Engdahl says:

    Microsoft admits to signing rootkit malware in supply-chain fiasco

    Microsoft has now confirmed signing a malicious driver being distributed within gaming environments.

    This driver, called “Netfilter,” is in fact a rootkit that was observed communicating with Chinese command-and-control (C2) IPs.

    This incident has once again exposed threats to software supply-chain security, except this time it stemmed from a weakness in Microsoft’s code-signing process.

    “Netfilter” driver is rootkit signed by Microsoft
    Last week, G Data’s cybersecurity alert systems flagged what appeared to be a false positive, but was not—a Microsoft signed driver called “Netfilter.”

    The driver in question was seen communicating with China-based C&C IPs providing no legitimate functionality and as such raised suspicions.

    “Since Windows Vista, any code that runs in kernel mode is required to be tested and signed before public release to ensure stability for the operating system.”

    “Drivers without a Microsoft certificate cannot be installed by default,” states Hahn.

    Microsoft admits to signing the malicious driver
    Microsoft is actively investigating this incident, although thus far, there is no evidence that stolen code-signing certificates were used.

    The mishap seems to have resulted from the threat actor following Microsoft’s process to submit the malicious Netfilter drivers, and managing to acquire the Microsoft-signed binary in a legitimate manner.

    This particular incident, however, has exposed weaknesses in a legitimate code-signing process, exploited by threat actors to acquire Microsoft-signed code without compromising any certificates.

  33. Tomi Engdahl says:

    A high-severity series of 4 #bugs can allow remote adversaries to gain arbitrary code execution in the pre-boot environment on @Dell devices, Eclypsium researchers found.

    30M Dell Devices at Risk for Remote BIOS Attacks, RCE

    Four separate security bugs would give attackers almost complete control and persistence over targeted devices, thanks to a faulty update mechanism.


    A high-severity series of four vulnerabilities can allow remote adversaries to gain arbitrary code execution in the pre-boot environment on Dell devices, researchers said. They affect an estimated 30 million individual Dell endpoints worldwide.

    According to an analysis from Eclypsium, the bugs affect 129 models of laptops, tablet and desktops, including enterprise and consumer devices, that are protected by Secure Boot.

    The bugs allow privileged network adversaries to circumvent Secure Boot protections, control the device’s boot process, and subvert the operating system and higher-layer security controls, researchers at Eclypsium said on Thursday. They carry a cumulative CVSS score of 8.3 out of 10.

    Specifically, the issues affect the BIOSConnect feature within Dell SupportAssist (a technical support solution that comes preinstalled on most Windows-based Dell machines). BIOSConnect is used to perform remote OS recoveries or to update the firmware on the device.

    “Technology vendors of all types are increasingly implementing over-the-air update processes to make it as easy as possible for their customers to keep their firmware up to date and recover from system failures,” researchers noted in an analysis. “And while this is a valuable option, any vulnerabilities in these processes, such as those we’ve seen here in Dell’s BIOSConnect, can have serious consequences.”

  34. Tomi Engdahl says:

    FIN7 manager sentenced to 7 years for role in global hacking scheme
    A key member of the international cybercrime group FIN7 was sentenced to 84 months in prison and ordered to pay $2.5 million in restitution

  35. Tomi Engdahl says:

    Hacker wipes database of NewsBlur RSS reader
    NewsBlur was in the process of a database migration when MongoDB was left exposed to the internet for three hours before the attacker found and wiped the database, demanding a ransom payment for the contents. The company was able to manually restore the original data they had on hand by chance.

  36. Tomi Engdahl says:

    Healthcare giant Grupo Fleury likely hit by REvil/Sodinokibi ransomware attack
    Grupo Fleury, a Brazilian medical diagnostic company, has suffered a ransomware attack that has disrupted business operations after the company took its systems offline. Cyber criminals are demanding $5 million in ransom for a decryptor and for not leaking allegedly stolen files.

  37. Tomi Engdahl says:

    WD My Book NAS devices are being remotely wiped clean worldwide
    Cloud-connected My Book NAS devices have been reset remotely for a currently unknown reason.

  38. Tomi Engdahl says:

    A supply-chain breach: Taking over an Atlassian account
    Researchers disclosed critical flaws in the Atlassian project and software development platform that could be exploited to take over an account and control some connected apps.

  39. Tomi Engdahl says:

    NFC Flaws Let Researchers Hack ATMs by Waving a Phone
    Flaws in card reader technology let a security firm consultant wreak havoc with point-of-sale systems.

  40. Tomi Engdahl says:

    Route53 domain name service vulnerability let researchers hijack nameservers hosted on AWS
    Researchers found a “novel” class of DNS vulnerabilities in AWS Route53 and other DNS-as-a-service offerings that leak sensitive information on corporate and government customers, with one simple registration step.

  41. Tomi Engdahl says:

    Complicated Active Directory setups are undermining security
    SpecterOps researchers found that almost every Active Directory installation had a misconfiguration issue. The researchers have written a paper to raise awareness.

  42. Tomi Engdahl says:

    5G Cyber Security Hack 2021 – 130 professional white hat hackers from 30 countries hacked 5G technology in Finland
    The global virtual hackathon attracted 130 top-level cyber security experts, from 30 different countries. The goal of the event was to develop and ensure the operations and cyber security of 5G networks and 5G-enabled services.

  43. Tomi Engdahl says:

    BIOSConnect code execution bugs impact millions of Dell devices
    A critical bug chain allows attackers to impersonate the vendor and impact code at the root level.

  44. Tomi Engdahl says:

    Microsoft signed a malicious Netfilter rootkit
    What started as a false positive alert for a Microsoft signed file turns out to be a WFP application layer enforcement callout driver that redirects traffic to a Chinese IP.

  45. Tomi Engdahl says:

    Mercedes-Benz data breach exposes SSNs, credit card numbers
    The data breach exposed credit card information, social security numbers, and driver license numbers of under 1,000 Mercedes-Benz customers and potential buyers.

  46. Tomi Engdahl says:

    Zyxel firewalls and VPNs under active cyberattack
    Zyxel is warning customers of an ongoing attack targeting a “small subset” of its security products such as firewall and VPN servers.

    Cisco ASA Bug Now Actively Exploited
    In-the-wild XSS attacks have commenced against the security appliance (CVE-2020-3580), as researchers publish exploit code on Twitter.
