This posting is here to collect cyber security news in July 2021.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
Tomi Engdahl says:
ZLoader Adopts New Macro-Related Delivery Technique in Recent Attacks
https://www.securityweek.com/zloader-adopts-new-macro-related-delivery-technique-recent-attacks
The ZLoader malware family has switched to a new delivery mechanism in recent spam campaigns, fetching malicious code only after the initial attachment has been opened, McAfee reports.
Active for more than half a decade, ZLoader is the successor of the infamous Zeus Trojan, and is also tracked as Silent Night and ZBot. Last year, the threat started being offered under the malware-as-a-service (MaaS) model.
https://www.securityweek.com/silent-night-new-malware-service-banking-trojan-analyzed
Tomi Engdahl says:
Did Microsoft Botch the PrintNightmare Patch?
https://www.securityweek.com/did-microsoft-botch-printnightmare-patch
Just days after shipping an emergency Windows update to cover a dangerous code execution flaw (CVE-2021-1675) in the Print Spooler service, Microsoft is investigating a new set of claims that its so-called ‘PrintNightmare’ patch has not properly fixed the underlying vulnerability.
The issue has been a public embarrassment for Microsoft over the last two weeks as security researchers used social media to highlight major problems with Redmond’s mitigation guidance and the effectiveness of its out-of-band update.
“We’re aware of claims and are investigating, but at this time we are not aware of any bypasses,” Microsoft said in a short statement sent to SecurityWeek. “We have seen claims of bypass where an administrator has changed default registry settings to an unsecure configuration. See CVE-2021-34527 guidance for more information on settings required to secure your system,” it added.
The company followed up with a blog post late Thursday insisting the emergency patch is “working as designed” and “effective against the known print spooling exploits.”
Print Spooler, turned on by default on Microsoft Windows, is an executable file that’s responsible for managing all print jobs getting sent to the computer printer or print server.
Despite the communication hiccups, Microsoft is strongly recommending that Windows users follow these steps immediately:
In ALL cases, apply the CVE-2021-34527 security update. The update will not change existing registry settings
After applying the security update, review the registry settings documented in the CVE-2021-34527 advisory
If the registry keys documented do not exist, no further action is required
If the registry keys documented exist, in order to secure your system, you must confirm that the following registry keys are set to 0 (zero) or are not present:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)
UpdatePromptSettings = 0 (DWORD) or not defined (default setting)
The U.S. government’s CISA cybersecurity agency is urging Windows fleet admins to disable the Windows Print spooler service in Domain Controllers and systems that do not print.
PrintNightmare, Critical Windows Print Spooler Vulnerability
https://us-cert.cisa.gov/ncas/current-activity/2021/06/30/printnightmare-critical-windows-print-spooler-vulnerability
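The registry checks in the Microsoft guidance quoted above are easy to get wrong by hand, so here is an added audit script (my own example, not code from the article, from Microsoft or from CISA) that reads the two Point and Print values named in the CVE-2021-34527 advisory and reports the Print Spooler service state. The key path and value names come from the text above; the function names are my own.

```powershell
# Added example: audit the Point and Print values named in the CVE-2021-34527
# guidance on the local machine. Per the advisory the system is in the secure
# configuration only if the key is absent, or both values are 0 or not defined.
$KeyPath    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$ValueNames = 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings'

function Test-PointAndPrintHardening {
    if (-not (Test-Path -Path $KeyPath)) {
        # Advisory: if the key does not exist, no further action is required.
        return [pscustomobject]@{ Key = $KeyPath; Present = $false; Secure = $true; Findings = @() }
    }
    $findings = @()
    $props = Get-ItemProperty -Path $KeyPath
    foreach ($name in $ValueNames) {
        $value = $props.$name
        if ($null -eq $value) { continue }        # not defined = default, secure
        if ($value -ne 0) {
            $findings += "$name = $value (expected 0 or not present)"
        }
    }
    [pscustomobject]@{ Key = $KeyPath; Present = $true; Secure = ($findings.Count -eq 0); Findings = $findings }
}

# CISA recommends disabling the spooler on domain controllers and on systems
# that do not print, so report its current state alongside the registry result.
function Get-SpoolerState {
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if ($null -eq $svc) { return 'not installed' }
    '{0} (startup: {1})' -f $svc.Status, $svc.StartType
}

$result = Test-PointAndPrintHardening
$result | Format-List
'Print Spooler service: ' + (Get-SpoolerState)
if (-not $result.Secure) {
    Write-Warning 'Point and Print values are in an insecure configuration; see the CVE-2021-34527 guidance.'
}
```

Run it in an elevated PowerShell session after the update is installed; a `Secure = False` result with findings listed means an administrator has changed the defaults to the configuration Microsoft says its patch does not protect, which is the case described in the article.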
Tomi Engdahl says:
Mitsubishi Electric Patches Vulnerabilities in Air Conditioning Systems
https://www.securityweek.com/mitsubishi-electric-patches-vulnerabilities-air-conditioning-systems
Mitsubishi Electric recently patched critical and high-severity vulnerabilities affecting many of its air conditioning products, mainly centralized controllers.
Advisories describing the vulnerabilities were published this month by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Mitsubishi Electric. SecurityWeek has also obtained additional information from people involved in the discovery and disclosure of these flaws.
One advisory describes a critical vulnerability that exposes the affected control systems to unauthenticated XML external entity injection (XXE) attacks. The issue is tracked as CVE-2021-20595 and has a CVSS score of 9.3.
Exploitation of the vulnerability can lead to denial of service (DoS) or information disclosure.
“This vulnerability can be triggered by sending an XXE payload to the process listening to the TCP port number 1025, which causes the application to make arbitrary HTTP and/or FTP requests. Exploiting this vulnerability may lead to information disclosure and/or denial of service on the affected system models and firmware versions,” explained in an advisory Howard McGreehan, a cybersecurity researcher at UK-based professional services firm Aon and the individual who discovered the issue.
McGreehan told SecurityWeek, “This is an easy vulnerability to exploit, a standard XXE, and probably the most serious thing would be taking the controllers offline by invoking DoS conditions on them.”
The second vulnerability, tracked as CVE-2021-20593 and rated high severity
Tomi Engdahl says:
Kaseya Releases Patches for Vulnerabilities Exploited in Ransomware Attack
https://www.securityweek.com/kaseya-releases-patches-vulnerabilities-exploited-ransomware-attack
IT management solutions provider Kaseya has released patches for the vulnerabilities exploited in the recent ransomware attack, and the company has also started restoring SaaS services.
Kaseya shut down its VSA remote monitoring and management product on July 2, shortly after learning of a ransomware attack targeting the company and its customers. The attackers exploited zero-day vulnerabilities in VSA to deliver REvil ransomware to the MSPs that use the product, as well as to their customers — it’s currently estimated that between 800 and 1,500 organizations were hit.
While only on-premises VSA installations were targeted, Kaseya also shut down SaaS services as a precaution. After its initial attempt to restore services failed, the company over the weekend released patches for the on-premises product and started restoration of SaaS services.
The latest update, provided by the company early on Monday morning, said SaaS services had been restored for 95% of customers.
Tomi Engdahl says:
Bloomberg:
Five former Kaseya employees say they had warned the company about its lax security practices, and were laid off or quit as Kaseya failed to address the issues
https://www.bloomberg.com/news/articles/2021-07-10/kaseya-failed-to-address-security-before-hack-ex-employees-say
Tomi Engdahl says:
“Cyber Disruption” Stops Websites of Iranian Ministry
https://www.securityweek.com/cyber-disruption-stops-websites-iranian-ministry
Websites of Iran’s transport and urbanization ministry Saturday went out of service after a “cyber disruption” in computer systems of its staff, the official IRNA news agency reported.
The report did not elaborate but said the case is under investigation. This is the second abnormality in computer systems related to the ministry.
On Friday, Iran’s railroad system came under cyberattack with hackers posting fake messages about alleged train delays or cancellations on display boards at stations across the country. It came after the electronic tracking system on trains across Iran failed.
Also on Saturday, minister of telecommunications, Mohammad Javad Azari Jahromi warned about possible cyberattacks though ransomwares. In 2018 Iran reported similar attacks.
Tomi Engdahl says:
Joseph Cox / VICE:
Phones with the “Anom” messaging app used in FBI and AFP’s global sting are being sold on the secondary market, revealing the ArcaneOS operating system and more
We Got the Phone the FBI Secretly Sold to Criminals
https://www.vice.com/en/article/n7b4gg/anom-phone-arcaneos-fbi-backdoor
‘Anom’ phones used in an FBI honeypot are mysteriously showing up on the secondary market. We bought one.
Tomi Engdahl says:
There is a serious loophole in the security of the highly popular payment intermediary Klarna, which allows fraudulently ordering goods in another person’s name, with the bill sent to him/her later. In tests, goods were ordered on behalf of five people from five different recommended online stores to any address, just by knowing the e-mail address and postal code of a person who has used the service. Klarna says it is investing in eradicating fraud.
Sweden’s financial watchdog said on Monday it was investigating payments firm Klarna over a potential breach of banking secrecy laws in connection with an IT incident at the firm in May. On May 27, 2021, Klarna exposed the accounts of its users randomly to any user.
In June 2021, Klarna raised $639 million in a fundraising round led by SoftBank Group’s Vision Fund 2, taking the company’s valuation to $45.6 billion.
https://www.pymnts.com/news/security-and-risk/2021/sweden-fsa-probes-klarna-over-customer-info-breach/
https://www.reuters.com/technology/swedish-watchdog-investigate-klarna-bank-secrecy-breach-2021-07-05/
https://yle.fi/uutiset/3-12014974
https://en.wikipedia.org/wiki/Klarna
Tomi Engdahl says:
DNS-over-HTTPS takes another small step towards global domination https://blog.malwarebytes.com/privacy-2/2021/07/dns-over-https-takes-another-small-step-towards-global-domination/
Firefox recently announced that it will be rolling out DNS-over-HTTPS (or DoH) soon to one percent of its Canadian users as part of its partnership with CIRA (the Canadian Internet Registration Authority), the Ontario-based organization responsible for managing the .ca top-level domain for Canada and a local DoH provider. The rollout will begin on 20 July until every Firefox Canada user is reached in late September 2021. This announcement came five months after Firefox rolled out DoH by default for its US-based users.
Tomi Engdahl says:
Kaseya patches VSA vulnerabilities used in REvil ransomware attack https://www.bleepingcomputer.com/news/security/kaseya-patches-vsa-vulnerabilities-used-in-revil-ransomware-attack/
Kaseya has released a security update for the VSA zero-day vulnerabilities used by the REvil ransomware gang to attack MSPs and their customers. Kaseya VSA is a remote management and monitoring solution commonly used by managed service providers to support their customers. MSPs can deploy VSA on-premise using their servers or utilize Kaseya’s cloud-based SaaS solution. Also:
https://thehackernews.com/2021/07/kaseya-releases-patches-for-flaws.html
https://threatpost.com/kaseya-patches-zero-days-revil-attacks/167670/
https://www.zdnet.com/article/kaseya-issues-patch-for-on-premise-customers-saas-rollout-underway/
Tomi Engdahl says:
Hackers Spread BIOPASS Malware via Chinese Online Gambling Sites https://thehackernews.com/2021/07/hackers-spread-biopass-malware-via.html
Cybersecurity researchers are warning about a new malware that’s striking online gambling companies in China via a watering hole attack to deploy either Cobalt Strike beacons or a previously undocumented Python-based backdoor called BIOPASS RAT that takes advantage of Open Broadcaster Software (OBS) Studio’s live-streaming app to capture the screen of its victims to attackers. The attack involves deceiving gaming website visitors into downloading a malware loader camouflaged as a legitimate installer for popular-but-deprecated apps such as Adobe Flash Player or Microsoft Silverlight, only for the loader to act as a conduit for fetching next-stage payloads.
Tomi Engdahl says:
ACSC: Australian organizations compromised through ForgeRock vulnerability https://therecord.media/acsc-australian-organizations-compromised-through-forgerock-zero-day/
Australia’s main cyber-security agency said on Friday that it identified a number of Australian organizations that have been compromised through the exploitation of a vulnerability in ForgeRock OpenAM, an open-source application used by large corporations as an identity access management solution across internal applications. The vulnerability, tracked as CVE-2021-35464, was discovered and disclosed on June 29, last month, by Michael Stepankin, a security researcher at PortSwigger. Also:
https://threatpost.com/critical-vulnerability-rce-forgerock-openam/167679/
Tomi Engdahl says:
Fashion retailer Guess discloses data breach after ransomware attack https://www.bleepingcomputer.com/news/security/fashion-retailer-guess-discloses-data-breach-after-ransomware-attack/
American fashion brand and retailer Guess is notifying affected customers of a data breach following a February ransomware attack that led to data theft. “A cybersecurity forensic firm was engaged to assist with the investigation and identified unauthorized access to Guess systems between February 2, 2021 and February 23, 2021,” the company said in breach notification letters mailed to impacted customers.
Tomi Engdahl says:
SolarWinds patches critical Serv-U vulnerability exploited in the wild https://www.bleepingcomputer.com/news/security/solarwinds-patches-critical-serv-u-vulnerability-exploited-in-the-wild/
SolarWinds is urging customers to patch a Serv-U remote code execution vulnerability exploited in the wild by “a single threat actor” in attacks targeting a limited number of customers. “Microsoft has provided evidence of limited, targeted customer impact, though SolarWinds does not currently have an estimate of how many customers may be directly affected by the vulnerability,” the company said in an advisory published on Friday. “To the best of our understanding, no other SolarWinds products have been affected by this vulnerability.
[..] SolarWinds is unaware of the identity of the potentially affected customers.” Also:
https://therecord.media/microsoft-discovers-a-solarwinds-zero-day-exploited-in-the-wild/
https://arstechnica.com/gadgets/2021/07/microsoft-discovers-critical-solarwinds-zero-day-under-active-attack/
Tomi Engdahl says:
The plague that has been tormenting Finnish phones has flared up again: beware of voicemail messages https://www.is.fi/digitoday/tietoturva/art-2000008120427.html
THE FluBot malware, which has recently been actively spread in Finland, is topical again. The malware has been disguised, among other things, as voicemail notifications. These are automatic text messages that can be set to be sent to a caller when the user is unreachable. According to the NATIONAL CYBER SECURITY CENTRE, the spread of FluBot has picked up again. Over the weekend and Monday, the centre received dozens of reports of voicemail messages.
What is typical of the new text messages is their short claim that one voicemail message is waiting. In other respects the campaign works as before.
Tomi Engdahl says:
Cybercriminal charged over years-old acts: sold stock tips to undercover agents https://www.tivi.fi/uutiset/tv/dd1a05e0-89c9-46fd-aa37-4e71d544ffbd
Almost four years after the shutdown of the AlphaBay marketplace, police are still charging people with crimes related to the dark web marketplace. On Friday, the U.S. Securities and Exchange Commission and the Department of Justice announced charges against Greek national Apostolos Trovias, who according to the agencies operated on the marketplaces under the handle The Bull. Unlike the drug dealers targeted earlier, the authorities accuse Trovias of using the forums to sell information. Trovias’ targets were people selling and buying insider trading information.
Tomi Engdahl says:
2021 MITRE ATT&CK for ICS Evaluation Results Coming Soon https://www.dragos.com/blog/industry-news/2021-mitre-attck-for-ics-evaluation-results-coming-soon/
Last January, MITRE released the ATT&CK for ICS framework which organizes and codifies the malicious threat behaviors affecting industrial control systems (ICS). The MITRE ATT&CK for ICS framework is a critical development in the defense of industrial environments which evolves cyber defensive from low-level tactics to detecting and defending against strategic behaviors of real-world threats. Dragos is proud to have played a role in its founding and continues as a key contributor to improving the ongoing work to better understand ICS-focused threats. Later this month, MITRE will publicly announce their ATT&CK for ICS evaluation results.
Tomi Engdahl says:
Microsoft to Acquire Threat Intelligence Vendor RiskIQ
https://www.securityweek.com/microsoft-acquires-threat-intelligence-vendor-riskiq
Microsoft has flexed its muscles in the cybersecurity space, and will drop a reported $500 million in cash to acquire RiskIQ, a late stage startup in the threat intelligence and attack surface management business.
The deal, believed to be Microsoft’s largest cybersecurity acquisition, gives Redmond an automatic entry point into the lucrative attack surface management and third party risk-intelligence space.
RiskIQ raised a total of $83 million over multiple venture capital funding rounds since launching in 2009 as a vendor capable of providing early warnings of data exposure on underground hacker forums. In 2015, RiskIQ acquired PassiveTotal as part of an expansion into the growing attack surface management business.
Microsoft called out the value of RiskIQ’s attack surface management capabilities as part of the impetus for the acquisition.
“As organizations pursue digital transformation and embrace the concept of Zero Trust, their applications, infrastructure, and even IoT applications are increasingly running across multiple clouds and hybrid cloud environments. Effectively the internet is becoming their new network, and it’s increasingly critical to understand the full scope of their assets to reduce their attack surface,” said Eric Doerr, Vice President of Cloud Security at Microsoft.
Tomi Engdahl says:
SolarWinds Confirms New Zero-Day Flaw Under Attack
https://www.securityweek.com/solarwinds-confirms-new-zero-day-flaw-under-attack
Security responders at SolarWinds are scrambling to contain a new zero-day vulnerability being actively exploited in what is being described as “limited, targeted attacks.”
In an advisory issued over the weekend, SolarWinds said a single threat actor exploited security flaws in its Serv-U Managed File Transfer and Serv-U Secure FTP products against “a limited, targeted set of customers.”
This zero-day is new and completely unrelated to the SUNBURST supply chain attacks, the company said.
The embattled company said the attacks were discovered by threat hunters at Microsoft who noticed live, in-the-wild attacks hitting a remote code execution flaw in the SolarWinds Serv-U product.
Microsoft provided a proof of concept of the exploit along with evidence of the zero-day attacks.
Tomi Engdahl says:
SolarWinds patches critical Serv-U vulnerability exploited in the wild
https://www.bleepingcomputer.com/news/security/solarwinds-patches-critical-serv-u-vulnerability-exploited-in-the-wild/
SolarWinds is urging customers to patch a Serv-U remote code execution vulnerability exploited in the wild by “a single threat actor” in attacks targeting a limited number of customers.
“Microsoft has provided evidence of limited, targeted customer impact, though SolarWinds does not currently have an estimate of how many customers may be directly affected by the vulnerability,” the company said in an advisory published on Friday.
Only impacts servers with SSH enabled
The zero-day vulnerability (tracked as CVE-2021-35211) impacts Serv-U Managed File Transfer and Serv-U Secure FTP, and it enables remote threat actors to execute arbitrary code with privileges following successful exploitation.
According to SolarWinds, “if SSH is not enabled in the environment, the vulnerability does not exist.”
Tomi Engdahl says:
https://arstechnica.com/gadgets/2021/07/microsoft-discovers-critical-solarwinds-zero-day-under-active-attack/
Tomi Engdahl says:
Tech company estimates recovery for 90 percent of clients by Monday night after massive cyber attack
https://thehill.com/policy/technology/562476-tech-company-estimates-recovery-for-90-percent-of-clients-by-monday-night
Tomi Engdahl says:
Mint Mobile data breach allowed attacker to port phone numbers
https://appleinsider.com/articles/21/07/10/mint-mobile-data-breach-allowed-attacker-to-port-phone-numbers
Carrier Mint Mobile has revealed it was the victim of a data breach, one which allowed a number of customer phone numbers to be ported out to another carrier, along with possible access to subscriber data.
An email sent on Saturday to affected customers by Mint Mobile discloses there was a breach of the carrier’s systems. The breach, which occurred between June 8 and June 10, reveals a “very small number of Mint Mobile subscribers’ phone numbers were affected by the incident.”
Tomi Engdahl says:
Code in huge ransomware attack written to avoid computers that use Russian, says new report
“They don’t want to annoy the local authorities, and they know they will be able to run their business much longer if they do it this way,” said an expert.
https://www.nbcnews.com/politics/national-security/code-huge-ransomware-attack-written-avoid-computers-use-russian-says-n1273222
Tomi Engdahl says:
Hacker dumps private info of pro-Trump GETTR social network members
https://www.bleepingcomputer.com/news/security/hacker-dumps-private-info-of-pro-trump-gettr-social-network-members/
Tomi Engdahl says:
SolarWinds 0-day gave Chinese hackers privileged access to customer servers
Hackers IDed as DEV-0322 have a fondness for defense contractors and software makers.
https://arstechnica.com/gadgets/2021/07/microsoft-says-hackers-in-china-exploited-critical-solarwinds-0-day/
Tomi Engdahl says:
REvil ransomware gang’s websites vanish soon after Kaseya fiasco, Uncle Sam threatens retaliation
Has the US just had enough, or is it just a strategic retreat?
https://www.theregister.com/2021/07/13/revil_ransomware_shuts/
The clear and dark web sites run by the REvil ransomware gang have gone offline, leaving netizens wondering if the extortionists have closed down – or been closed down.
At time of writing, all of REvil’s portals and infrastructure – used to negotiate and collect ransom payments, and leak stolen data to encourage victims to cough up before the whole lot is released – have vanished.
It’s believed REvil is orchestrated by miscreants in Russia. For one thing, it appears to leave computers in the nation alone.
Tomi Engdahl says:
Finanssiala warns: Do not go to your online bank by googling, the search results contain highly convincing scam sites
According to Finanssiala, scammers have managed to slip their own ads into search engines such as Google and Bing, and these pop up at the top if you try to reach your online bank via search.
https://www.hs.fi/talous/art-2000008127367.html
THE banks’ lobbying organisation Finanssiala warns of convincing-looking scam sites imitating online banks.
For this reason, Finanssiala says that you should not go to your online bank using search engines such as Google. The safest way to log in to your own online bank is to type the bank’s direct address into the browser’s address bar.
According to Finanssiala, based on messages received from the banks, the scam sites look very genuine. The only difference from the genuine site may be a single deviating character in the website’s address.
Tomi Engdahl says:
Software maker removes “backdoor” giving root access to radio devices
https://www.bleepingcomputer.com/news/security/software-maker-removes-backdoor-giving-root-access-to-radio-devices/
The author of a popular software-defined radio (SDR) project has removed a “backdoor” from radio devices that granted root-level access.
The backdoor had been, according to the author, present in all versions of KiwiSDR devices for the purposes of remote administration and debugging.
Last night, the author pushed out a “bug fix” on the project’s GitHub aimed at removing this backdoor silently, which sparked some backlash.
Hardcoded password gives root access to all devices
KiwiSDR is a software-defined radio that can be attached to an embedded computer, like Seeed BeagleBone Green (BBG).
It is provided either as a standalone board or a more complete version featuring BBG, a GPS antenna, and an enclosure.
Yesterday, Mark Jessop, an RF engineer, and radio operator came across an interesting forum post in which the author of the KiwiSDR project admitted to having remote access to all radio receiver devices running the software.
Furthermore, as of today, over 600 KiwiSDR devices are online with the backdoor still present in them, as highlighted by Hacker Fantastic.
Although these devices are mainly acting as radio receivers, it is worth noting, any remote actor who logs in using the hardcoded master password is granted root-level access to the device’s (Linux-based) console.
This can enable adversaries to probe into the IoT devices, take them over, and begin traversing adjacent networks the radio devices are connected to:
“These KiwiSDRs are used for receiving HF radio stations. The backdoor itself doesn’t give an attacker any special SDR access, just that they can access the console of the device (Linux) and start pivoting into networks,”
Dev pushes out “bug fix” overnight removing the backdoor
As seen by BleepingComputer, as of a few hours ago a fix has been committed to KiwiSDR’s GitHub project removing the backdoor code.
The update removes multiple administrative functions
But, like others, the engineer did express concerns that the master password would transmit over HTTP, enabling any Man-in-the-Middle (MitM) threat actor to potentially intercept it and consequently gain remote access to all devices.
KiwiSDR users should upgrade to the latest version v1.461 released today on GitHub that removes the backdoor from their radio devices.
Tomi Engdahl says:
SonicWall Warns Secure VPN Hardware Bugs Under Attack
https://threatpost.com/sonicwall-vpn-bugs-attack/167824/
Tomi Engdahl says:
US agencies circulate warning about ‘aggressive’ Chinese hacking effort to steal secrets from a range of targets
https://www.cyberscoop.com/china-hacking-fbi-biden-alert-ip/
Tomi Engdahl says:
Protecting customers from a private-sector offensive actor using 0-day exploits and DevilsTongue malware
https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/
Tomi Engdahl says:
So nice of China to put all of its network zero-day vulns in one giant database no one will think to break into
We sum up Middle Kingdom’s massive crackdown on bug reports
https://www.theregister.com/2021/07/15/china_vulnerability_law/
Tomi Engdahl says:
Cryptographers unearth vulnerabilities in Telegram’s encryption protocol
https://www.cyberscoop.com/telegram-app-security-encryption/
Tomi Engdahl says:
Microsoft attributes new SolarWinds attack to a Chinese hacker group
SolarWinds’ Orion management software was attacked in December 2020
https://www.theverge.com/2021/7/14/22577471/microsoft-solarwinds-hack-zero-day-serv-u
Tomi Engdahl says:
Viktor Orbán using NSO spyware in assault on media, data suggests
Hungary’s far-right government suspected of hacking phones of investigative journalists and targeting owners
https://www.theguardian.com/news/2021/jul/18/viktor-orban-using-nso-spyware-in-assault-on-media-data-suggests
Tomi Engdahl says:
Hooking Candiru
Another Mercenary Spyware Vendor Comes into Focus
https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/
Summary
Candiru is a secretive Israel-based company that sells spyware exclusively to governments. Reportedly, their spyware can infect and monitor iPhones, Androids, Macs, PCs, and cloud accounts.
Using Internet scanning we identified more than 750 websites linked to Candiru’s spyware infrastructure. We found many domains masquerading as advocacy organizations such as Amnesty International, the Black Lives Matter movement, as well as media companies, and other civil-society themed entities.
We identified a politically active victim in Western Europe and recovered a copy of Candiru’s Windows spyware.
Working with Microsoft Threat Intelligence Center (MSTIC) we analyzed the spyware, resulting in the discovery of CVE-2021-31979 and CVE-2021-33771 by Microsoft, two privilege escalation vulnerabilities exploited by Candiru. Microsoft patched both vulnerabilities on July 13th, 2021.
As part of their investigation, Microsoft observed at least 100 victims in Palestine, Israel, Iran, Lebanon, Yemen, Spain, United Kingdom, Turkey, Armenia, and Singapore. Victims include human rights defenders, dissidents, journalists, activists, and politicians.
Reported Sales and Investments
According to a lawsuit brought by a former employee, Candiru had sales of “nearly $30 million,” within two years of its founding. The firm’s reported clients are located in “Europe, the former Soviet Union, the Persian Gulf, Asia and Latin America.”
Candiru’s Spyware Offerings
A leaked Candiru project proposal published by TheMarker shows that Candiru’s spyware can be installed using a number of different vectors, including malicious links, man-in-the-middle attacks, and physical attacks. A vector named “Sherlock” is also offered, that they claim works on Windows, iOS, and Android. This may be a browser-based zero-click vector.
Like many of its peers, Candiru appears to license its spyware by number of concurrent infections, which reflects the number of targets that can be under active surveillance at any one instant in time. Like NSO Group, Candiru also appears to restrict the customer to a set of approved countries.
The €16 million project proposal allows for an unlimited number of spyware infection attempts, but the monitoring of only 10 devices simultaneously. For an additional €1.5M, the customer can purchase the ability to monitor 15 additional devices simultaneously, and to infect devices in a single additional country. For an additional €5.5M, the customer can monitor 25 additional devices simultaneously, and conduct espionage in five more countries.
The fine print in the proposal states that the product will operate in “all agreed upon territories, ”then mentions a list of restricted countries including the US, Russia, China, Israel and Iran. This same list of restricted countries has previously been mentioned by NSO Group. Nevertheless, Microsoft observed Candiru victims in Iran, suggesting that in some situations, products from Candiru do operate in restricted territories. In addition, targeting infrastructure disclosed in this report includes domains masquerading as the Russian postal service.
The proposal states that the spyware can exfiltrate private data from a number of apps and accounts including Gmail, Skype, Telegram, and Facebook. The spyware can also capture browsing history and passwords, turn on the target’s webcam and microphone, and take pictures of the screen. Capturing data from additional apps, such as Signal Private Messenger, is sold as an add-on.
For a further additional €1.5M fee, customers can purchase a remote shell capability, which allows them full access to run any command or program on the target’s computer. This kind of capability is especially concerning, given that it could also be used to download files, such as planting incriminating materials, onto an infected device.
Tomi Engdahl says:
Beyond Kaseya: Everyday IT Tools Can Offer ‘God Mode’ for Hackers
Attackers are increasingly attuned to the power and potential of remote management software.
https://www.wired.com/story/it-management-tools-hacking-jamf-kaseya/
Tomi Engdahl says:
Facebook says Iranian hackers used site in spying on U.S. military personnel
https://www.reuters.com/technology/facebook-says-iran-based-hackers-used-site-target-us-military-personnel-2021-07-15/
Facebook (FB.O) said on Thursday it had taken down about 200 accounts run by a group of hackers in Iran as part of a cyber-spying operation that targeted mostly U.S. military personnel and people working at defense and aerospace companies.
“This activity had the hallmarks of a well-resourced and persistent operation, while relying on relatively strong operational security measures to hide who’s behind it,” Facebook’s investigations team said in a blog post.
Tomi Engdahl says:
U.S. Formally Accuses China of Hacking Microsoft
https://www.nytimes.com/2021/07/19/us/politics/microsoft-hacking-china-biden.html
The Biden administration is also expected to organize a broad group of allies to condemn Beijing for cyberattacks around the world, but stop short of taking concrete punitive steps.
WASHINGTON — The Biden administration on Monday formally accused the Chinese government of breaching Microsoft email systems used by many of the world’s largest companies, governments and military contractors, as the United States joined a broad group of allies, including all NATO members, to condemn Beijing for cyberattacks around the world.
The United States accused China for the first time of paying criminal groups to conduct large-scale hackings, including ransomware attacks to extort companies for millions of dollars, according to a statement from the White House. Microsoft had pointed to hackers linked to the Chinese Ministry of State Security for exploiting holes in the company’s email systems in March; the U.S. announcement on Monday morning was the first suggestion that the Chinese government hired criminal groups to hack tens of thousands of computers and networks around the world for “significant remediation costs for its mostly private sector victims,” according to the White House.
Tomi Engdahl says:
The U.S. Has Formally Accused China Of A Massive Cyberattack On Microsoft
https://www.npr.org/2021/07/19/1017844801/biden-administration-accuses-china-microsoft-hack
The White House is publicly blaming China for an attack on Microsoft’s Exchange email server software that compromised tens of thousands of computers worldwide, allowing hackers to gain access to troves of sensitive data.
Tomi Engdahl says:
News article regarding the response to the recent ransomware attack against the Health Services in Ireland, revealing that the response involved a white-hat hacking unit within the Defense Forces.
Defence Forces deployed ‘ethical hackers’ to fight back against massive HSE cyber attack
https://jrnl.ie/5499730
Tomi Engdahl says:
iPhone WiFi bug morphs into zero-click hacking, but there’s a fix
https://www.bleepingcomputer.com/news/apple/iphone-wifi-bug-morphs-into-zero-click-hacking-but-theres-a-fix/
Security researchers investigating a bug that crashed the Wifi service on iPhones found that it could be exploited for remote code execution without user interaction.
When initially disclosed, the bug could disable an iPhone’s WiFi connection after trying to connect to a network with a name (SSID) that included a special character.
Security researcher Carl Schou found the vulnerability after making his iPhone join a network with the SSID “%p%s%s%s%s%n,” resulting in the device losing its WiFi connection capability.
Different variations of the string led to crashing the WiFi service and sending it into a restart loop. Tests done by BleepingComputer and security researchers show that the vulnerability discovered by Schou is exploitable in iOS 14.6 when connecting to a maliciously crafted SSID.
Bug worse than thought
However, researchers at mobile security startup ZecOps found that there is more to this bug than the initially reported WiFi denial-of-service (DoS) condition.
In a blog post last week, the researchers note that the bug can be triggered as a zero-click (no user interaction) and has potential for remote code execution.
If the WiFi connection is enabled and the auto-join feature turned on, which is the default state, one scenario is to create a malicious WiFi network and wait for the target to connect.
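The SSID in the story reads like a C printf format string: “%p”, “%s” and “%n” are conversion directives, and a component that passes an untrusted SSID as the format argument rather than as data will act on them. The following Python is an added example (not from the article, ZecOps or Apple) showing how a defender can recognise such strings and the safe logging pattern; the helper names and the sample SSIDs are constructed for illustration.

```python
import re

# One C printf conversion specification:
#   %[flags][width][.precision][length]conversion   (or the escaped "%%")
_CONV_RE = re.compile(
    r"%(?P<flags>[-+ #0]*)(?P<width>\*|\d+)?(?:\.(?P<precision>\*|\d+))?"
    r"(?P<length>hh|h|ll|l|j|z|t|L)?(?P<conv>[diouxXeEfFgGaAcspn%])"
)


def format_directives(text):
    """Return the conversion characters a C printf would act on in `text`,
    ignoring the harmless escaped percent sign ("%%")."""
    return [m.group("conv") for m in _CONV_RE.finditer(text)
            if m.group("conv") != "%"]


def classify_ssid(ssid):
    """Rate an SSID by what it would do if some component used it as a format string.
    'write' : carries %n, which makes printf write a byte count into memory
    'read'  : carries other directives, which make printf read arguments it was
              never given (stack/heap disclosure, or a crash on %s)
    'clean' : no directives at all"""
    convs = format_directives(ssid)
    if "n" in convs:
        return "write"
    if convs:
        return "read"
    return "clean"


def neutralize_percent(ssid):
    """Escape every '%' so a downstream formatter prints the SSID literally.
    Defence in depth for data that is later handed to code you do not control."""
    return ssid.replace("%", "%%")


def safe_log_line(ssid):
    """The correct pattern: a fixed format string, the SSID only ever an argument."""
    return "joined network %s" % (ssid,)


if __name__ == "__main__":
    # Constructed SSIDs, including the one from the article.
    for s in ("%p%s%s%s%s%n", "%08x.%08x", "100% free", "50%% off", "HomeNet-5G"):
        print("%-16r %s" % (s, classify_ssid(s)))
```

Note the edge case the parser exposes: a perfectly innocent name such as “100% free” is also a valid directive (“% f”, space flag plus float conversion), so filtering on the article's exact string would miss it; the fix is never to let the SSID become the format string, with escaping as a second layer.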
Tomi Engdahl says:
Microsoft takes down domains used to scam Office 365 users
https://www.bleepingcomputer.com/news/security/microsoft-takes-down-domains-used-to-scam-office-365-users/
Microsoft’s Digital Crimes Unit (DCU) has seized 17 malicious domains used by scammers in a business email compromise (BEC) campaign targeting the company’s customers.
The domains taken down by Microsoft were so-called “homoglyph” domains registered to resemble those of legitimate business. This technique allowed the threat actors to impersonate companies when communicating with their clients.
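Homoglyph domains work because several code points and character pairs render like a Latin letter. One defensive check is to reduce every label to a “skeleton” of the letters a reader perceives and compare it with a watch-list of protected brands. The Python below is an added example, not Microsoft DCU tooling; the confusables table is a small constructed subset (the real Unicode confusables list is far larger), and the BRANDS watch-list and sample domains are constructed.

```python
import unicodedata

# Constructed confusables subset: single characters that render like ASCII letters
# (Unicode escapes so the Cyrillic/Greek code points are visible in the source).
CONFUSABLE_CHARS = {
    "0": "o", "1": "l",
    "\u043e": "o", "\u0430": "a", "\u0435": "e", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0455": "s", "\u0456": "i", "\u0458": "j",   # Cyrillic
    "\u03bf": "o",                                                 # Greek omicron
}
# Character pairs that, side by side, read as one Latin letter.
CONFUSABLE_PAIRS = {"rn": "m", "vv": "w", "cl": "d"}


def skeleton(label):
    """Reduce a domain label to the ASCII letters a human would read it as."""
    s = unicodedata.normalize("NFKD", label)                      # ligatures/accents decompose
    s = "".join(ch for ch in s if not unicodedata.combining(ch))  # drop the accent marks
    s = s.lower()
    s = "".join(CONFUSABLE_CHARS.get(ch, ch) for ch in s)
    for pair, single in CONFUSABLE_PAIRS.items():
        s = s.replace(pair, single)
    return s


def to_unicode(domain):
    """Decode punycode (xn--) labels so the comparison sees what the user sees."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain     # already Unicode, or not valid punycode: compare as given


def lookalike_of(domain, brands):
    """Return the brand whose skeleton matches the domain's second-level label,
    or None. The genuine brand label itself is not reported."""
    labels = to_unicode(domain).rstrip(".").lower().split(".")
    if len(labels) < 2:
        return None
    sld = labels[-2]
    sk = skeleton(sld)
    for brand in brands:
        if sld != brand and sk == skeleton(brand):
            return brand
    return None


# Constructed watch-list of second-level labels a tenant wants protected.
BRANDS = ["microsoft", "office365", "fidelity"]

if __name__ == "__main__":
    for d in ("rnicrosoft.com", "0ffice365.com", "\ufb01delity.com", "microsoft.com"):
        print(d, "->", lookalike_of(d, BRANDS))
```

Both sides are skeletonised before comparing, so a brand that itself contains “rn” or a digit is handled consistently. In a mail gateway this check would run on the sender domain and on every link host in the message body, and a hit is a strong signal precisely because legitimate mail almost never comes from a lookalike.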
Tomi Engdahl says:
New Windows 10 vulnerability allows anyone to get admin privileges
https://www.bleepingcomputer.com/news/microsoft/new-windows-10-vulnerability-allows-anyone-to-get-admin-privileges/
Windows 10 and Windows 11 are vulnerable to a local elevation of privilege vulnerability after discovering that users with low privileges can access sensitive Registry database files.
The database files associated with the Windows Registry are stored under the C:\Windows\system32\config folder and are broken up into different files such as SYSTEM, SECURITY, SAM, DEFAULT, and SOFTWARE.
As these files contain sensitive information about all user accounts on a device and security tokens used by Windows features, they should be restricted from being viewed by regular users with no elevated privileges.
This is especially true for the Security Account Manager (SAM) file as it contains the hashed passwords for all users on a system, which threat actors can use to assume their identity.
SAM file can be read by anyone
Yesterday, security researcher Jonas Lykkegaard told BleepingComputer he discovered that the Windows 10 and Windows 11 Registry files associated with the Security Account Manager (SAM), and all other Registry databases, are accessible to the ‘Users’ group that has low privileges on a device.
With these low file permissions, a threat actor with limited privileges on a device can extract the NTLM hashed passwords for all accounts on a device and use those hashes in pass-the-hash attacks to gain elevated privileges.
As the Registry files, including the SAM, are usually backed up by the Windows shadow volume copies, Lykkegaard says you can access the files through shadow volumes without an access violation.
Using these low and incorrect file permissions, along with shadow volume copies of the files, security researcher and Mimikatz creator Benjamin Delpy has told BleepingComputer that you could easily steal an elevated account’s NTLM hashed password to gain higher privileges.
It is unclear why Microsoft changed the permissions on the Registry to allow regular users to read the files.
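The exposure described above is visible in the file ACLs, which an administrator can dump with `icacls` on each hive under the config directory. The Python below is an added example (not from BleepingComputer, Lykkegaard or Microsoft) that parses such output and reports hive files readable by broad groups such as BUILTIN\Users; the `icacls` text it consumes is a constructed sample shaped like the real tool's output, and the token interpretation (simple rights F/M/RX/R, fine-grained RD, the DENY marker) is the author's reading of the icacls format. Remember the shadow-copy angle from the article: fixing the live ACL does not help while older snapshots still hold readable copies.

```python
import re

# Constructed sample in the shape of `icacls <path>` output for two hive files:
# SAM still carries the read-execute grant to BUILTIN\Users that the article
# describes; SECURITY shows the expected state (SYSTEM and Administrators only).
SAMPLE_ICACLS = "\n".join([
    r"C:\Windows\system32\config\SAM BUILTIN\Administrators:(I)(F)",
    r"                               NT AUTHORITY\SYSTEM:(I)(F)",
    r"                               BUILTIN\Users:(I)(RX)",
    r"                               APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)",
    r"C:\Windows\system32\config\SECURITY NT AUTHORITY\SYSTEM:(I)(F)",
    r"                                    BUILTIN\Administrators:(I)(F)",
    r"Successfully processed 2 files; Failed processing 0 files",
])

HIVES = {"SAM", "SECURITY", "SYSTEM", "DEFAULT", "SOFTWARE"}
# Principals that every interactive or network user on the box belongs to.
LOW_PRIV = {r"builtin\users", "everyone", r"nt authority\authenticated users",
            r"nt authority\interactive"}
# icacls simple-rights tokens that include read access.
READ_TOKENS = {"F", "M", "RX", "R"}

_ACE_RE = re.compile(r"^(?P<who>.+?):(?P<rights>(?:\([^)]*\))+)$")


def parse_icacls(output):
    """Map each file path to its list of (principal, [rights tokens]).
    Assumes the paths contain no spaces, which holds for the hive files."""
    acls, current = {}, None
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if raw[0] != " ":                     # first line of a file: "<path> <ACE>"
            current, _, ace = line.partition(" ")
            acls[current] = []
        else:                                 # continuation line: just an ACE
            ace = line
        m = _ACE_RE.match(ace)
        if m and current is not None:
            tokens = re.findall(r"\(([^)]*)\)", m.group("rights"))
            acls[current].append((m.group("who"), tokens))
    return acls


def grants_read(tokens):
    """True if an ACE's tokens allow reading the file.
    (I)/(OI)/(CI) are inheritance markers; (DENY) marks a deny ACE;
    fine-grained rights appear comma-separated, RD = read data."""
    if "DENY" in tokens:
        return False
    return any(t in READ_TOKENS or "RD" in t.split(",") for t in tokens)


def exposed_hives(output, hives=HIVES):
    """Return {hive: [low-privilege principals that can read it]}."""
    findings = {}
    for path, aces in parse_icacls(output).items():
        name = path.rsplit("\\", 1)[-1].upper()
        if name not in hives:
            continue
        who = [p for p, tokens in aces
               if p.lower() in LOW_PRIV and grants_read(tokens)]
        if who:
            findings[name] = who
    return findings


if __name__ == "__main__":
    print(exposed_hives(SAMPLE_ICACLS))   # constructed sample: {'SAM': ['BUILTIN\\Users']}
```

On a real host you would feed it the captured text of `icacls` run against each hive; an empty result for all five hives is the state to expect, and any finding is worth treating as an alert rather than a configuration curiosity.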
Tomi Engdahl says:
Two-for-Tuesday vulnerabilities send Windows and Linux users scrambling
Both OSes have flaws that allow attackers with a toehold to elevate access.
https://arstechnica.com/gadgets/2021/07/separate-eop-flaws-let-hackers-gain-full-control-of-windows-and-linux-systems/
The world woke up on Tuesday to two new vulnerabilities—one in Windows and the other in Linux—that allow hackers with a toehold in a vulnerable system to bypass OS security restrictions and access sensitive resources.
Breaking Windows
The Windows vulnerability came to light by accident on Monday when a researcher observed what he believed was a coding regression in a beta version of the upcoming Windows 11. The researcher found that the contents of the security account manager—the database that stores user accounts and security descriptors for users on the local computer—could be read by users with limited system privileges.
People responding to Lykkegaard pointed out that the behavior wasn’t a regression introduced in Windows 11. Instead, the same vulnerability was present in the latest version of Windows 10. The US Computer Emergency Readiness Team said that the vulnerability is present when the Volume Shadow Copy Service—the Windows feature that allows the OS or applications to take “point-in-time snapshots” of an entire disk without locking the filesystem—is turned on.
Researcher Benjamin Delpy showed how the vulnerability can be exploited to obtain password hashes or other sensitive data.
Currently, there is no patch available.
The vulnerability is being tracked as CVE-2021-36934. Microsoft said here that exploits in the wild are “more likely.”
Et tu, Linux kernel?
Most versions of Linux, meanwhile, are in the process of distributing a fix for a vulnerability disclosed on Tuesday. CVE-2021-33909, as the security flaw is tracked, allows an untrusted user to gain unfettered system rights by creating, mounting, and deleting a deep directory structure with a total path length that exceeds 1GB and then opening and reading the /proc/self/mountinfo file.
“We successfully exploited this uncontrolled out-of-bounds write and obtained full root privileges on default installations of Ubuntu 20.04, Ubuntu 20.10, Ubuntu 21.04, Debian 11, and Fedora 34 Workstation,” researchers from Qualys, the security firm that discovered the vulnerability and created proof-of-concept code that exploits it, wrote. “Other Linux distributions are certainly vulnerable, and probably exploitable.”
The exploit Qualys described comes with significant overhead, specifically roughly 1 million nested directories. The attack also requires about 5GB of memory and 1 million inodes. Despite the hurdles, a Qualys representative described the PoC as “extremely reliable” and said it takes about three minutes to complete.
People running Linux should check with the distributor to determine if patches are available to fix the vulnerability.
Sequoia: A Local Privilege Escalation Vulnerability in Linux’s Filesystem Layer (CVE-2021-33909)
https://blog.qualys.com/vulnerabilities-threat-research/2021/07/20/sequoia-a-local-privilege-escalation-vulnerability-in-linuxs-filesystem-layer-cve-2021-33909
The Qualys Research Team has discovered a size_t-to-int type conversion vulnerability in the Linux Kernel’s filesystem layer affecting most Linux operating systems. Any unprivileged user can gain root privileges on a vulnerable host by exploiting this vulnerability in a default configuration.
Impact
Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host. Qualys security researchers have been able to independently verify the vulnerability, develop an exploit, and obtain full root privileges on default installations of Ubuntu 20.04, Ubuntu 20.10, Ubuntu 21.04, Debian 11, and Fedora 34 Workstation. Other Linux distributions are likely vulnerable and probably exploitable.
Solution
Given the breadth of the attack surface for this vulnerability, Qualys recommends users apply patches for this vulnerability immediately.
What versions are vulnerable?
All Linux kernel versions from 2014 onwards are vulnerable.
Will the Qualys Research Team publish exploit code for this vulnerability?
A PoC is attached with the advisory and available at https://www.qualys.com/research/security-advisories/.
Are there any mitigations for this vulnerability?
To completely fix this vulnerability, the kernel must be patched.
Set /proc/sys/kernel/unprivileged_userns_clone to 0, to prevent an attacker from mounting a long directory in a user namespace. However, the attacker may mount a long directory via FUSE instead.
We have not fully explored this possibility, because we accidentally stumbled upon CVE-2021-33910 in systemd: if an attacker FUSE-mounts a long directory (longer than 8MB), then systemd exhausts its stack, crashes, and therefore crashes the entire operating system (a kernel panic).
Set /proc/sys/kernel/unprivileged_bpf_disabled to 1, to prevent an attacker from loading an eBPF program into the kernel. However, the attacker may corrupt other vmalloc()ated objects instead (for example, thread stacks).
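The two sysctl workarounds above are interim measures that only narrow the exploit path; the patch is the fix. A fleet check still wants to know which hosts have them set. The Python below is an added example (not Qualys tooling) that reads the knobs and reports each as hardened, open or absent. Two assumptions beyond the page are labelled in the code: `user.max_user_namespaces` is the upstream kernel's equivalent of the Debian/Ubuntu-specific `unprivileged_userns_clone`, and `unprivileged_bpf_disabled` also counts as hardened at value 2 (newer kernels use that for “disabled and locked”). The `read` parameter exists so the logic can be exercised against constructed values without touching /proc.

```python
import os


def read_proc_sysctl(name):
    """Read a sysctl such as 'kernel.unprivileged_bpf_disabled' from /proc/sys.
    Returns None when the knob does not exist on this kernel."""
    path = os.path.join("/proc/sys", *name.split("."))
    try:
        with open(path) as f:
            return f.read().strip()
    except OSError:
        return None


# (sysctl name, predicate that means "hardened", what it blocks)
CHECKS = [
    ("kernel.unprivileged_userns_clone", lambda v: v == "0",
     "unprivileged user namespaces, used to mount the long directory (Debian/Ubuntu knob)"),
    ("user.max_user_namespaces", lambda v: v == "0",
     "unprivileged user namespaces (upstream knob; assumption: equivalent effect)"),
    ("kernel.unprivileged_bpf_disabled", lambda v: v in ("1", "2"),
     "loading an eBPF program into the kernel (assumption: 2 = disabled and locked)"),
]


def mitigation_status(read=read_proc_sysctl):
    """Return {sysctl: 'hardened' | 'open' | 'absent'} for every knob in CHECKS."""
    status = {}
    for name, hardened, _ in CHECKS:
        v = read(name)
        if v is None:
            status[name] = "absent"
        else:
            status[name] = "hardened" if hardened(v) else "open"
    return status


def sequoia_workarounds_active(read=read_proc_sysctl):
    """True only when both preconditions the advisory names are blocked:
    some user-namespace knob is hardened AND unprivileged eBPF is disabled.
    A True result still leaves the FUSE mount path open and does not replace the patch."""
    s = mitigation_status(read)
    userns = (s["kernel.unprivileged_userns_clone"] == "hardened"
              or s["user.max_user_namespaces"] == "hardened")
    bpf = s["kernel.unprivileged_bpf_disabled"] == "hardened"
    return userns and bpf


if __name__ == "__main__":
    for name, _, blocks in CHECKS:
        print("%-36s %-9s blocks: %s" % (name, mitigation_status()[name], blocks))
    print("both workarounds active:", sequoia_workarounds_active())
```

Note that a result of “absent” for `unprivileged_userns_clone` is normal on non-Debian kernels and is not itself a finding; the combined verdict is what matters, and even that should be read as “exploit path narrowed until the kernel update lands”.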
Tomi Engdahl says:
EXTRACTING THE WIFI FIRMWARE AND PUTTING BACK A KEYLOGGER
https://hackaday.com/2021/07/20/extracting-the-wifi-firmware-and-putting-back-a-keylogger/
Tomi Engdahl says:
Fortinet’s security appliances hit by remote code execution vulnerability
Cure worse than the disease for anyone with the ‘fgfmsd’ daemon activated
https://www.theregister.com/2021/07/20/fortinet_rce/
Tomi Engdahl says:
This is Akamai’s CDN network service that went down; they help distribute web services globally. They say it’s “minor” and is being fixed. This affects Amazon AWS sites, Amazon, Fidelity, and other big-name corporations.
A DNS outage just took down a large chunk of the internet
https://techcrunch.com/2021/07/22/a-dns-outage-just-took-down-a-good-chunk-of-the-internet/
A large chunk of the internet dropped offline on Thursday. Some of the most popular sites, apps and services on the internet were down, including UPS and FedEx (which have since come back online), Airbnb, and Fidelity, and others are reporting that Steam, LastPass, and the PlayStation Network are all experiencing downtime.
Many other websites around the world are also affected, including media outlets in Europe.
What appears to be the cause is an outage at Akamai, an internet security giant that provides networking and content delivery services to companies. At around 11 a.m. ET, Akamai reported an issue with its Edge DNS.
Banks, brokerages, PSN, the Steam Store, and more went down in massive internet outage
PSN, Steam, banks, and more
https://www.theverge.com/2021/7/22/22588837/internet-outage-psn-steam-banks-trading-gaming-more-911-systems
Many websites — including banking pages, brokerages, and gaming services — were affected for just over an hour Thursday, as part of a major internet outage. During the outage, consumers were unable to access services like Ally Bank, Fidelity, Sony’s PlayStation Network, Airbnb, and more. Several airline sites were also affected: Delta, British Airways, and Southwest’s sites were either down, or had important functionality like flight check-ins broken.