Cyber security news July 2021

This posting is here to collect cyber security news in July 2021.

I post links to security vulnerability news in the comments of this article.

You are also free to post related links to comments.

243 Comments

  1. Tomi Engdahl says:

    A Defunct Video Hosting Site Is Flooding Normal Websites With Hardcore Porn
    https://www.vice.com/en/article/qj8xz3/a-defunct-video-hosting-site-is-flooding-normal-websites-with-hardcore-porn

    Stories on major news sites like ‘The Washington Post,’ and ‘New York Magazine’ currently have porn embedded in them because of an old site called Vidme.

    Hardcore porn is embedded all over regular-ass websites because a porn company has purchased the domain of a popular, defunct video hosting site.

    As pointed out by Twitter user @dox_gay, hardcore porn is now embedded on the pages of the Huffington Post, New York magazine, The Washington Post, and a host of other websites. This is because a porn site called 5 Star Porn HD bought the domain for Vidme, a brief YouTube competitor founded in 2014 and shuttered in 2017.

    Seemingly any vid.me embeds now redirect to the 5 Star Porn HD homepage. The site vid.me also redirects there.

    This is funny, unfortunate, and also, an example of a much larger problem: The internet is a collective hallucination that is fading away thanks to link rot.

  2. Tomi Engdahl says:

    11-Year-Old Finds Loophole in Newegg App to Quickly Buy PC Graphics Cards
    The loophole bypasses the need to go through the Newegg Shuffle lottery system to obtain a standalone RTX 3000 card. Instead, you get a normal, smooth checkout process.
    https://uk.pcmag.com/graphics-cards/134643/11-year-old-finds-loophole-in-newegg-app-to-quickly-buy-pc-graphics-cards

  3. Tomi Engdahl says:

    Possible ‘white hat hacker’ exploits THORChain for $8M, proposes 10% bounty
    https://cointelegraph.com/news/possible-white-hat-hacker-exploits-thorchain-for-8m-proposes-10-bounty

    The white hat hacker claims to have mercifully minimized the damage of their $8 million exploit in a bid to teach THORChain a lesson.

    Cross-chain decentralized exchange THORChain has suffered its second multimillion-dollar hack in as many weeks, with $8 million worth of Ether impacted.

    However, the attack appears to have been carried out by a white hat hacker, with THORChain announcing the perpetrator had requested a 10% bounty. ETH will be halted until the code has been audited.

    Liquidity providers impacted by the exploit will be subsidized using the project’s treasury funds.

    The hacker claims they deliberately minimized the damage from the exploit in a bid to teach THORChain a lesson, stating: “Do not rush code that controls 9 figures,” and “Disable until audits are complete.”

    The hacker adds that they could have stolen Ether, Bitcoin, Binance Coin, Lycancoin, and many BEP-20 tokens if they had wanted to, asserting that “multiple critical issues” were found and that a 10% bug bounty could have prevented the incident.

    On July 16, Cointelegraph reported that THORChain had been halted after 4,000 Ether worth $7.6 million was drained from the protocol. The protocol unsuccessfully proposed a bug bounty to the hacker in exchange for returning the stolen funds.

    The decentralized exchange also lost $140,000 in a separate exploit suffered last month.

    THORChain entered into its guarded “Chaosnet” launch in April, enabling cross-chain swaps across the Bitcoin, Ethereum, Litecoin, Bitcoin Cash, and Binance Chain networks.

  4. Tomi Engdahl says:

    The world’s top ransomware gangs have created a cybercrime “cartel”
    https://www.cbsnews.com/news/ransomware-cybercrime-cartel-wizard-spider-viking-spider-lockbit-twisted-spider/

    Several of the largest Russian ransomware cybercriminal gangs have partnered up and are sharing hacking techniques, purloined data-breach information, malware code and technology infrastructure.

    The most active collaborators are four groups known as Wizard Spider, Twisted Spider, Viking Spider and LockBit. The gangs in this cluster jointly control access to illicit data leak sites and custom ransomware code. They also associate with the larger criminal ransomware ecosystem, exert influence over smaller gangs and license their tools to affiliates.

  5. Tomi Engdahl says:

    The FBI Is Locating Cars By Spying On Their WiFi
    https://www.forbes.com/sites/thomasbrewster/2021/07/22/the-fbi-is-using-stingray-smartphone-surveillance-to-locate-cars-and-spy-on-their-wifi/

    The FBI is using a controversial technology traditionally used to locate smartphones as a car tracking surveillance tool that spies on vehicles’ on-board WiFi.

    Known as a Stingray or a cell-site simulator, the tool masquerades as a cell tower in order to force all devices in a given area to connect into it. Agents can then pick the number they’re interested in and locate the device. Normally that would be a mobile phone, but a search warrant application discovered by Forbes shows it can also be used to find vehicles, as long as they have onboard Wi-Fi. That’s because car Wi-Fi systems act like a phone, in that they reach out to mobile networks to get their data. So it makes sense that police would use it to find a car, though this appears to be the first case on record of it happening.

    After that, the FBI decided to use the cell-site simulator. Towards the end of the warrant application, a federal agent explained why, noting that cars like the Dodge were “frequently equipped with cellular modems inside their vehicles. These cellular modems are assigned a unique cellular identifier and generate historical and prospective records similar to a traditional cellular phone.”

    “These records can assist law enforcement in identifying the location of the vehicle including patterns of travel and areas where the subject may reside or frequent. Most Original Equipment Manufacturers (OEMs) have partnered with AT&T or Verizon to provide cellular connectivity within their vehicles. A check of open source information from AT&T identifies the 2021 Dodge Durango Hellcat as a vehicle that has a built-in WiFi hotspot that is serviced by AT&T.”

  6. Tomi Engdahl says:

    Researchers Hid Malware Inside an AI’s ‘Neurons’ And It Worked Scarily Well
    In a proof-of-concept, researchers reported they could embed malware in up to half of an AI model’s nodes and still obtain very high accuracy.
    https://www.vice.com/en/article/bvzp78/researchers-hid-malware-inside-an-ais-neurons-and-it-worked-scarily-well

  7. Tomi Engdahl says:

    Tokyo 2020 hit by data breach
    https://www.computerweekly.com/news/252504456/Tokyo-2020-hit-by-data-breach

    The user names and passwords of Tokyo 2020 ticket holders and event volunteers were reportedly compromised, but a government official claims the data leak was not large.

    The user names and passwords of Tokyo 2020 Olympic Games ticket holders and event volunteers were reportedly leaked online, a Japanese government official said last week.

    Mihoko Matsubara, chief cyber security strategist at NTT, noted in a February 2021 report on Japan’s cyber security strategy for Tokyo 2020, that the coronavirus pandemic has complicated ways to secure the event both physically and virtually.

    With over 90% of Tokyo 2020 organising committee members working from home to prevent Covid-19 infections, Matsubara said it was important to secure not only Tokyo 2020-related infrastructure such as electricity, transportation and venues, but also remote work environments.

    At Rio 2016, the International Olympic Committee said it was under regular attack. Phishing emails were also sent to athletes in attempts to steal credentials that could be used to access a World Anti-Doping Agency database.

  8. Tomi Engdahl says:

    UNHACKED: 121 TOOLS AGAINST RANSOMWARE ON A SINGLE WEBSITE
    https://www.europol.europa.eu/newsroom/news/unhacked-121-tools-against-ransomware-single-website

    In its five years of existence, No More Ransom has helped prevent almost a billion euros from ending up in criminals’ pockets

    LOCKED? CHECK THE NO MORE RANSOM WEBSITE FOR A KEY
    The decryptors available in the No More Ransom repository have helped more than six million people to recover their files for free. This prevented criminals from earning almost a billion euros through ransomware attacks. Currently offering 121 free tools able to decrypt 151 ransomware families, it unites 170 partners from the public and private sector. The portal is available in 37 languages.

  9. Tomi Engdahl says:

    New PetitPotam NTLM Relay Attack Lets Hackers Take Over Windows Domains
    https://thehackernews.com/2021/07/new-petitpotam-ntlm-relay-attack-lets.html

    A newly uncovered security flaw in the Windows operating system can be exploited to coerce remote Windows servers, including Domain Controllers, to authenticate with a malicious destination, thereby allowing an adversary to stage an NTLM relay attack and completely take over a Windows domain.

    The issue, dubbed “PetitPotam,” was discovered by security researcher Gilles Lionel, who shared technical details and proof-of-concept (PoC) code last week, noting that the flaw works by forcing “Windows hosts to authenticate to other machines via MS-EFSRPC EfsRpcOpenFileRaw function.”

    MS-EFSRPC is Microsoft’s Encrypting File System Remote Protocol that’s used to perform “maintenance and management operations on encrypted data that is stored remotely and accessed over a network.”

  10. Tomi Engdahl says:

    No cyberattack in sprawling internet outage, Akamai says
    https://www.cyberscoop.com/akamai-outage-cyberattack-dns/

    Jul 22, 2021 | CYBERSCOOP
    A global internet outage on Thursday downed tens of thousands of websites, including those of giant corporations like McDonald’s and Delta Airlines, according to companies that track web statistics.

    But the company at the center of it says the downtime was not the result of a hack, data breach or other kind of malicious attack.

    Internet infrastructure company Akamai said it has fixed the issue that it began investigating shortly after noon EST. The specific problem was with Akamai Edge DNS, a service that touts its ability to provide constant Domain Name System availability.

    “Akamai can confirm this was not a cyberattack against Akamai’s platform,” the company said in a statement.

    “A software configuration update triggered a bug in the DNS system, the system that directs browsers to websites,” the company said in a statement explaining what went wrong. “This caused a disruption impacting availability of some customer websites.”

  11. Tomi Engdahl says:

    Malware developers turn to ‘exotic’ programming languages to thwart researchers
    They are focused on exploiting pain points in code analysis and reverse-engineering.
    https://www.zdnet.com/article/malware-developers-turn-to-exotic-programming-languages-to-thwart-researchers/

  12. Tomi Engdahl says:

    LockBit ransomware now encrypts Windows domains using group policies
    https://www.bleepingcomputer.com/news/security/lockbit-ransomware-now-encrypts-windows-domains-using-group-policies/

    A new version of the LockBit 2.0 ransomware has been found that automates the encryption of a Windows domain using Active Directory group policies.

    The LockBit ransomware operation launched in September 2019 as a ransomware-as-a-service, where threat actors are recruited to breach networks and encrypt devices.

    In return, the recruited affiliates earn 70-80% of a ransom payment, and the LockBit developers keep the rest.

  13. Tomi Engdahl says:

    These Olympic Games Launched a New Era of Cyber Sabotage
    https://nationalinterest.org/blog/buzz/these-olympic-games-launched-new-era-cyber-sabotage-190082

    Operation Olympic Games has demonstrated the alluring potential of using cyber means to conduct sabotage and network exploitation tasks.

  14. Tomi Engdahl says:

    Olympics Broadcaster Announces His Computer Password on Live TV
    The announcer complained that it could have been a bit easier to type.
    https://www.vice.com/en/article/n7b9mm/olympics-broadcaster-announces-his-computer-password-on-live-tv

    In what is, at least so far, the biggest cybersecurity blunder of the Tokyo Olympics, an Italian TV announcer did not realize he was on air when he asked the password for his computer.

    “Do you know the password for the computer in this commentator booth?” he asked during the broadcast of the Turkey-China volleyball game, apparently not realizing he was still on air.

    “It was too hard to call the password Pippo? Pippo, Pluto or Topolino?” he complained.

    The snafu was immortalized in a video posted on Twitter by cybersecurity associate professor Stefano Zanero.

    https://mobile.twitter.com/raistolo/status/1419640700262563846

    Turns out the password was “Booth.03” after the number of the commentator’s booth.

    “Even the dot to make it more complicated, as if it was NASA’s computer,” he said on the air. “Next time they will even put a semicolon.”

    Zanero joked to his Twitter followers that “next time you hear people chatting about super sophisticated policies and cybersecurity products, you can respond with this video.”

    While the snafu is embarrassing, the actual impact of making such a password public is likely limited.

  15. Tomi Engdahl says:

    Dan Kaminsky’s death leaves vacancy among holders of ‘keys to the internet’
    Shep Smith reports on the death of Dan Kaminsky, who was one of the holders of the ‘Keys to the internet.’ With CNBC’s Eamon Javers.
    https://www.cnbc.com/video/2021/07/26/dan-kaminskys-death-leaves-vacancy-among-holders-of-keys-to-the-internet.html
    Daniel Kaminsky (February 7, 1979 – April 23, 2021) was an American computer security researcher.
    https://en.m.wikipedia.org/wiki/Dan_Kaminsky

  16. Tomi Engdahl says:

    Microsoft has a fix for the new #NTLM relay attack #PoC from French security researcher Gilles Lionel – named #PetitPotam – that could force remote #Windows systems to reveal #password #hashes that could then be easily #cracked. #cybersecurity

    Microsoft Rushes Fix for ‘PetitPotam’ Attack PoC
    https://threatpost.com/microsoft-petitpotam-poc/168163/

    Microsoft releases mitigations for a Windows NT LAN Manager exploit that forces remote Windows systems to reveal password hashes that can be easily cracked.

    Microsoft was quick to respond with a fix to an attack dubbed “PetitPotam” that could force remote Windows systems to reveal password hashes that could then be easily cracked. To thwart an attack, Microsoft recommends system administrators stop using the now deprecated Windows NT LAN Manager (NTLM).

    Security researcher Gilles Lionel first identified the bug on Thursday and also published proof-of-concept (PoC) exploit code to demonstrate the attack. The following day, Microsoft issued an advisory that included workaround mitigations to protect systems.

    https://github.com/topotam/PetitPotam

  17. Tomi Engdahl says:

    These hackers built an elaborate online profile to fool their targets into downloading malware
    Cyber espionage campaign linked to the Iranian military drew victims in with fake social media profiles and messages in an attempt to steal usernames, passwords and other sensitive information.
    https://www.zdnet.com/article/these-hackers-posed-as-an-aerobics-instructor-online-to-trick-their-targets-into-downloading-malware/

  18. Tomi Engdahl says:

    The Olympics: a timeline of scams, hacks, and malware
    https://blog.malwarebytes.com/hacking-2/2021/07/the-olympics-a-timeline-of-scams-hacks-and-malware/

    The 2020 Olympics are, after a bit of a delayed start, officially in full swing. So too is the possibility for scammers to crawl out of the woodwork. And while actual, measurable cyberattacks and hacks surrounding the Olympics did not truly get rolling until 2008 in Beijing, the Olympic Games have traditionally been quite the target for malicious acts of all kinds, dating back years. Shall we take a look?

  19. Tomi Engdahl says:

    Kaseya’s Unitrends Technology Has Zero-Day Flaws
    Researchers Warn: Do Not Expose Technology to the Internet
    https://www.govinfosecurity.com/kaseyas-unitrends-technology-has-zero-day-flaws-a-17165

    Researchers are warning of three zero-day vulnerabilities in Kaseya’s Unitrends cloud-based enterprise backup and disaster recovery technology.

    The news comes after a July 2 ransomware attack exploiting flaws in Kaseya’s Virtual System Administrator software had a major impact, affecting about 60 managed service provider customers and up to 1,500 of their clients.

    In a public advisory, the Dutch Institute for Vulnerability Disclosure says the three zero-day flaws in Unitrends are in versions earlier than 10.5.2. DIVD warns users not to expose Unitrends servers or the clients – running default on ports 80, 443, 1743, 1745 – directly to the internet until Kaseya issues patches.

  20. Tomi Engdahl says:

    Kaseya says it didn’t pay ransomware gang for decryption key after hacks affected hundreds
    https://www.cyberscoop.com/kaseya-decryptor-didnt-pay-revil/

    Kaseya, the company at the center of a ransomware outbreak that claimed perhaps thousands of victims, said on Monday that it didn’t pay off the attackers to obtain the decryption tool it announced last week.

    The Florida IT firm, breached just before the July 4 holiday, did not elaborate on how it obtained the working decryption key, beyond its statement that a “trusted third party” provided it.

    “While each company must make its own decision on whether to pay the ransom, Kaseya decided after consultation with experts to not negotiate with the criminals who perpetrated this attack and we have not wavered from that commitment,” the company said in a website update. “As such, we are confirming in no uncertain terms that Kaseya did not pay a ransom — either directly or indirectly through a third party — to obtain the decryptor.”

  21. Tomi Engdahl says:

    Root Cause Analysis of a Printer’s Drivers Vulnerability CVE-2021-3438
    https://voidsec.com/root-cause-analysis-of-cve-2021-3438/

    Last week SentinelOne disclosed a “high severity” flaw in HP, Samsung, and Xerox printer’s drivers (CVE-2021-3438); the blog post highlighted a vulnerable strncpy operation with a user-controllable size parameter but it did not explain the reverse engineering nor the exploitation phase of the issue. With this blog post, I would like to analyse the vulnerability and its exploitability.

  22. Tomi Engdahl says:

    How to mitigate CVE-2021-33909 Sequoia with Falco – Linux filesystem privilege escalation vulnerability
    https://sysdig.com/blog/cve-2021-33909-sequoia-falco-linux-filesystem/

  23. Tomi Engdahl says:

    Biden Calls for Critical Infrastructure Security Standards
    National Security Memo Requires NIST, CISA to Create Standards, But Compliance Is Voluntary
    https://www.bankinfosecurity.com/biden-calls-for-critical-infrastructure-security-standards-a-17164

  24. Tomi Engdahl says:

    Criminals are using call centers to spread ransomware in a crafty scheme
    https://www.cyberscoop.com/criminals-call-centers-ransomware-microsoft/

    An ongoing ransomware campaign that employs phony call centers to trick victims into downloading malware may be more dangerous than previously thought, Microsoft researchers say.

    Because the malware isn’t in a link or document within the email itself, the scam helps attackers bypass some phishing and malware detecting services, Microsoft researchers noted in a report Thursday.

    When the company first examined it in May, the scheme featured attackers posing as subscription service providers who lure victims onto the phone to cancel a non-existent subscription. Once there, the call center worker guides them to download malware onto their computer.

  25. Tomi Engdahl says:

    Apple has released security updates to address a zero-day vulnerability exploited in the wild and impacting iPhones, iPads, and Macs. The vulnerability, tracked as CVE-2021-30807, is a memory corruption issue in the IOMobileFramebuffer kernel extension reported by an anonymous researcher. An application may be able to execute arbitrary code with kernel privileges.

    https://www.bleepingcomputer.com/news/apple/apple-fixes-zero-day-affecting-iphones-and-macs-exploited-in-the-wild/

  26. Tomi Engdahl says:

    Microsoft Warns of LemonDuck Malware Targeting Windows and Linux Systems
    https://thehackernews.com/2021/07/microsoft-warns-of-lemonduck-malware.html

    An infamous cross-platform crypto-mining malware has continued to refine and improve upon its techniques to strike both Windows and Linux operating systems by setting its sights on older vulnerabilities, while simultaneously latching on to a variety of spreading mechanisms to maximize the effectiveness of its campaigns.

    “LemonDuck, an actively updated and robust malware that’s primarily known for its botnet and cryptocurrency mining objectives, followed the same trajectory when it adopted more sophisticated behavior and escalated its operations,” Microsoft said in a technical write-up published last week. “Today, beyond using resources for its traditional bot and mining activities, LemonDuck steals credentials, removes security controls, spreads via emails, moves laterally, and ultimately drops more tools for human-operated activity.”

  27. Tomi Engdahl says:

    SolarWinds hackers accessed over two dozen federal prosecutors’ offices: DOJ
    https://thehill.com/policy/cybersecurity/565751-doj-says-solarwinds-hackers-accessed-over-two-dozen-prosecutors-offices

    The Department of Justice (DOJ) said Friday that the hackers behind the major SolarWinds attack compromised employee accounts in more than two dozen federal prosecutors’ offices.

    The DOJ said in an update that the hackers are believed to have compromised the accounts from May 7 to Dec. 27, 2020. The data includes “all sent, received, and stored emails and attachments found within those accounts during that time.”

    In total, hackers gained access to “one or more employees’” emails in 27 offices across 15 states and the District of Columbia, the DOJ said Friday.

    The hack, which was first discovered in December, involved Russian hackers exploiting software from IT group SolarWinds to gain access to about 18,000 customers, compromising nine federal agencies and 100 private-sector groups.

    The incident is believed to be one of the largest cyber espionage attacks in U.S. history.

  28. Tomi Engdahl says:

    Hackers abuse single bit change in Intel CPU register to evade detection
    Palo Alto Networks discovers that Trap Flag is being abused to notify malware it is being analyzed
    https://www.itpro.co.uk/security/malware/360299/hackers-use-single-bit-change-in-intel-cpu-register-to-evade-detection

  29. Tomi Engdahl says:

    Stratospheric Balloons Take Monitoring and Surveillance to New Heights
    These eyes in the sky fly above drones and below satellites
    https://spectrum.ieee.org/stratospheric-balloons-take-monitoring-and-surveillance-to-new-heights

  30. Tomi Engdahl says:

    740 ransomware victims named on data leak sites in Q2 2021: report
    Digital Shadows’ Q2 ransomware report highlighted that the number of victims posted to data leak sites increased by 47% compared to Q1.
    https://www.zdnet.com/article/740-ransomware-victims-named-on-data-leak-sites-in-q2-2021-report/

  31. Tomi Engdahl says:

    A new technique uses a simplified process of DLL hijacking and mock directories to bypass Windows 10’s UAC security feature and run elevated commands without alerting a user.

    Windows UAC is a protection mechanism introduced in Windows Vista and above, which asks the user to confirm if they wish to run a high-risk application before it is executed.

    https://www.bleepingcomputer.com/news/security/bypassing-windows-10-uac-with-mock-folders-and-dll-hijacking/

  32. Tomi Engdahl says:

    Security News This Week: The Top 30 Vulnerabilities Include Plenty of Usual Suspects
    Plus: A sneaky iOS app, a wiper attack in Iran, and more of the week’s top security news.
    https://www.wired.com/story/top-vulnerabilities-russia-nso-group-iran-security-news/
