Cyber security news August 2021

This posting is here to collect cyber security news in August 2021.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.

309 Comments

  1. Tomi Engdahl says:

    Vulnerabilities Allow Hackers to Tamper With Doses Delivered by Medical Infusion Pumps
    https://www.securityweek.com/vulnerabilities-allow-hackers-tamper-doses-delivered-medical-infusion-pumps

    McAfee security researchers, in partnership with Culinda, identified a series of severe vulnerabilities in B. Braun’s Infusomat Space large volume infusion pump and SpaceStation system that they claim could potentially lead to dispensing potentially lethal doses of medication.

    A total of five vulnerabilities were identified, the most severe of which carries a CVSS score of 9.7 and is tracked as CVE-2021-33885. The issue exists because the device doesn’t verify who is sending the commands, thus allowing a remote, unauthenticated attacker to send input to the device, which will use it instead of the correct data.

    Next in line is CVE-2021-33886 (CVSS score of 8.2), where proprietary networking commands aren’t properly authenticated, thus allowing an attacker to reconfigure the device remotely.

    The remaining three issues include CVE-2021-33886 (CVSS score of 7.7), which allows an attacker to gain user level command line access, CVE-2021-33883 (CVSS score of 7.1), where sensitive information is transmitted in clear text, and CVE-2021-33884 (CVSS score of 5.8), where an attacker could upload files to a directory.

  2. Tomi Engdahl says:

    Microsoft Issues Guidance on ProxyShell Vulnerabilities
    https://www.securityweek.com/microsoft-issues-guidance-proxyshell-vulnerabilities

    Microsoft on Wednesday warned Exchange customers that their deployments are exposed to attacks exploiting the ProxyShell vulnerabilities, unless the adequate patches have been installed.

    The ProxyShell bugs, which are tracked as CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207, can be chained to run arbitrary code without authentication. The first two bugs were patched in April, while the third received a fix in May.

    Researchers with security consulting firm DEVCORE exploited the security holes at the 2021 Pwn2Own hacking contest, but technical details were made public only a few weeks ago, at the Black Hat and DEF CON cybersecurity conferences.

    Soon after, the first scans for vulnerable Exchange servers commenced, and the first attacks targeting the exposed servers – over 30,000 of them – were also observed.

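The comment above says scanning and exploitation of unpatched Exchange servers began soon after the ProxyShell details went public. As an added example (not code from the article, from Microsoft, or from DEVCORE), here is a small Python triage script that walks an IIS W3C log and counts, per source address, requests that match the ProxyShell path-confusion indicator. The indicator used here, a request to /autodiscover/autodiscover.json whose query string starts with "@", is drawn from public incident reporting and is an assumption of this example, not something stated in the text above; the log excerpt is constructed, not real traffic.

```python
from collections import Counter
from urllib.parse import unquote

# Constructed IIS W3C log excerpt (assumption: not real traffic). Two ordinary
# requests, two chained ProxyShell-style requests from one host, one probe
# from another. IIS writes spaces in the User-Agent as '+', so one token each.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2021-08-13 03:11:02 10.0.0.5 GET /owa/ - 203.0.113.10 Mozilla/5.0 200
2021-08-13 03:11:09 10.0.0.5 POST /autodiscover/autodiscover.xml - 203.0.113.10 Outlook/16.0 200
2021-08-13 03:12:41 10.0.0.5 GET /autodiscover/autodiscover.json @evil.example/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@evil.example 198.51.100.7 python-requests/2.25.1 200
2021-08-13 03:12:43 10.0.0.5 POST /autodiscover/autodiscover.json @evil.example/powershell/?X-Rps-CAT=AAAA 198.51.100.7 python-requests/2.25.1 200
2021-08-13 03:15:00 10.0.0.5 GET /autodiscover/autodiscover.json @test.example/ews/exchange.asmx 192.0.2.9 Mozilla/5.0 401
"""


def parse_iis_log(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        values = line.split()
        # Skip lines that do not match the declared layout instead of guessing.
        if fields is None or len(values) != len(fields):
            continue
        yield dict(zip(fields, values))


def is_proxyshell_probe(rec):
    """ProxyShell path-confusion indicator (assumption from public reporting):
    the autodiscover.json endpoint with a query that begins with '@'."""
    stem = rec.get("cs-uri-stem", "").lower()
    query = unquote(rec.get("cs-uri-query", "")).strip()   # also catches %40
    return stem.endswith("/autodiscover/autodiscover.json") and query.startswith("@")


def stage(rec):
    """Rough label for which step of the chain a matching request looks like."""
    query = unquote(rec.get("cs-uri-query", "")).lower()
    if "/powershell" in query:
        return "powershell-access"     # reaching the PowerShell backend
    if "/mapi/nspi" in query:
        return "autodiscover-probe"    # autodiscover/NSPI hop of the chain
    return "path-confusion"            # generic '@' path-confusion request


def triage_proxyshell(text):
    """Return (matching records, Counter of matches per client IP)."""
    hits = []
    per_ip = Counter()
    for rec in parse_iis_log(text):
        if is_proxyshell_probe(rec):
            hits.append(rec)
            per_ip[rec["c-ip"]] += 1
    return hits, per_ip


if __name__ == "__main__":
    hits, per_ip = triage_proxyshell(SAMPLE_IIS_LOG)
    for rec in hits:
        print(rec["date"], rec["time"], rec["c-ip"], stage(rec), rec["cs-uri-query"])
    print("matches per source:", dict(per_ip))
```

A single match is worth a look but not proof of compromise (scanners produce them too); several matches from one address within seconds, ending in a powershell-access hit with a 200 status, is the pattern to escalate on. Run it against the real Exchange IIS logs (by default under inetpub\logs\LogFiles) rather than the sample.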
  3. Tomi Engdahl says:

    The FBI/TSC no-fly list was hosted on a server in Bahrain without a password. Why Bahrain?

    2 million government records exposed online in ‘no-fly’ watchlist, researcher says
    https://www.cnet.com/tech/services-and-software/2-million-government-records-exposed-online-in-no-fly-watchlist-researcher-says/

    A security researcher says the massive trove of records included names, birthdates and passport details.

    A security researcher said Monday that nearly 2 million records of personally identifiable information — including passport details, dates of birth, and names — were exposed in what may be the leak of a secret terrorist watchlist. The records included “no-fly” status information for each person’s record, according to a report by Bleeping Computer.

    In a blog post on LinkedIn, Security Discovery researcher Bob Diachenko said he discovered the trove of records online July 19 in an unprotected Elasticsearch cluster, which required no password or identity authentication to access. Diachenko said the exposed server had a Bahrain IP address, and it’s unclear whether the server is owned by the US government or another party.

    America’s secret terrorist watchlist exposed on the web without a password: report
    https://www.linkedin.com/pulse/americas-secret-terrorist-watchlist-exposed-web-report-diachenko/

    On July 19, 2021 I discovered a terrorist watchlist containing 1.9 million records online without a password or any other authentication required to access it.

    The watchlist came from the Terrorist Screening Center, a multi-agency group administered by the FBI. The TSC maintains the country’s no-fly list, which is a subset of the larger watchlist. A typical record in the list contains a full name, citizenship, gender, date of birth, passport number, no-fly indicator, and more.

    I immediately reported it to Department of Homeland Security officials, who acknowledged the incident and thanked me for my work. The DHS did not provide any further official comment, though.

  4. Tomi Engdahl says:

    Microsoft on Thursday warned thousands of its cloud computing customers, including some of the world’s largest companies, that intruders could have the ability to read, change or even delete their main databases, according to a copy of the email and a cyber security researcher.

    The vulnerability is in Microsoft Azure’s flagship Cosmos DB database. A research team at security company Wiz discovered it was able to access keys that control access to databases held by thousands of companies. Wiz Chief Technology Officer Ami Luttwak is a former chief technology officer at Microsoft’s Cloud Security Group.

    Because Microsoft cannot change those keys by itself, it emailed the customers Thursday telling them to create new ones. Microsoft agreed to pay Wiz $40,000 for finding the flaw and reporting it, according to an email it sent to Wiz.

    EXCLUSIVE Microsoft warns thousands of cloud customers of exposed databases
    https://www.reuters.com/technology/exclusive-microsoft-warns-thousands-cloud-customers-exposed-databases-emails-2021-08-26/

    Microsoft (MSFT.O) on Thursday warned thousands of its cloud computing customers, including some of the world’s largest companies, that intruders could have the ability to read, change or even delete their main databases, according to a copy of the email and a cyber security researcher.

    “We fixed this issue immediately to keep our customers safe and protected. We thank the security researchers for working under coordinated vulnerability disclosure,” Microsoft told Reuters.

  5. Tomi Engdahl says:

    Big Tech Plans to Work with the Public Sector for Cybersecurity
    https://sudosecurity.org/blog/big-tech-work-with-public-sector/

    Both Microsoft, Inc. and Alphabet, Inc. will put a combined $30 billion dollars into cybersecurity over the next five years and work with the public sector on several initiatives to help improve cybersecurity.

  6. Tomi Engdahl says:

    Microsoft Breaks Silence on Barrage of ProxyShell Attacks https://threatpost.com/microsoft-barrage-proxyshell-attacks/168943/
    Microsoft has broken its silence on the recent barrage of attacks on several ProxyShell vulnerabilities that were highlighted by a researcher at Black Hat earlier this month. The company released an advisory late Wednesday letting customers know that threat actors may use unpatched Exchange servers “to deploy ransomware or conduct other post-exploitation activities” and urging them to update immediately.
    “Our recommendation, as always, is to install the latest CU and SU on all your Exchange servers to ensure that you are protected against the latest threats,” the company said. “Please update now!”

  7. Tomi Engdahl says:

    FBI shares technical details for Hive ransomware https://www.bleepingcomputer.com/news/security/fbi-shares-technical-details-for-hive-ransomware/
    The Federal Bureau of Investigation (FBI) has released some technical details and indicators of compromise associated with Hive ransomware attacks. In a rare occurrence, the FBI has included the link to the leak site where the ransomware gang publishes data stolen from companies that did not pay. Hive ransomware relies on a diverse set of tactics, techniques, and procedures, which makes it difficult for organizations to defend against its attacks, the FBI says.

  8. Tomi Engdahl says:

    New variant of PRISM Backdoor ‘WaterDrop’ targets Linux systems https://www.hackread.com/prism-backdoor-varian-waterdrop-hits-linux/
    Security researchers at AT&T Labs have published a report sharing details of a newly discovered Linux ELF executables cluster having zero to low antivirus detections on VirusTotal. Researchers noted that these executables have a modified version of the open-source backdoor PRISM, which threat actors use extensively in different campaigns.
    Reportedly, the malware has been on their radar for more than 3.5 years. The oldest samples date back to November 8th, 2017. It concerns researchers that the executables aren’t detected by VirusTotal that usually detects malicious URLs and files easily.

  9. Tomi Engdahl says:

    US government and private sector agree to invest time, money in cybersecurity https://blog.malwarebytes.com/awareness/2021/08/us-government-and-private-sector-agree-to-invest-time-money-in-cybersecurity/
    In the wake of several high-profile ransomware attacks against critical infrastructure and major organizations in the last few months, President Biden met with private sector and education leaders to discuss a whole-of-nation effort needed to address cybersecurity threats and bolster the nation’s cybersecurity. Several participants in President Biden’s meetings have recently announced commitments and initiatives. The key initiatives are protection from supply chain attacks, the industrial control systems cybersecurity initiative and security training.

  10. Tomi Engdahl says:

    Updates on our continued collaboration with NIST to secure the Software Supply Chain https://security.googleblog.com/2021/08/updates-on-our-continued-collaboration.html
    Yesterday, we were honored to participate in President Biden’s White House Cyber Security Summit where we shared recommendations to advance the administration’s cybersecurity agenda. This included our commitment to invest $10 billion over the next five years to expand zero-trust programs, help secure the software supply chain, and enhance open-source security.

  11. Tomi Engdahl says:

    Atlassian warns of critical Confluence flaw https://www.theregister.com/2021/08/26/atlassian_critical_confluence_flaw/
    Atlassian has warned users of its Confluence Server that they need to patch the product to remedy a Critical-rated flaw. The company’s not saying a lot about CVE-2021-26084, besides describing it as a “Confluence Server Webwork OGNL injection vulnerability that would allow an authenticated user, and in some instances unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance.” Atlassian has released fixed versions of the product, namely versions 6.13.23, 7.4.11, 7.11.6, 7.12.5, and 7.13.0, but the company’s advisory suggests upgrading to the latest long-term service release.

  12. Tomi Engdahl says:

    Synology: Multiple products impacted by OpenSSL RCE vulnerability https://www.bleepingcomputer.com/news/security/synology-multiple-products-impacted-by-openssl-rce-vulnerability/
    Taiwan-based NAS maker Synology has revealed that recently disclosed remote code execution (RCE) and denial-of-service (DoS) OpenSSL vulnerabilities impact some of its products. The complete list of devices affected by the security flaws tracked as CVE-2021-3711 and CVE-2021-3712 includes DSM 7.0, DSM 6.2, DSM UC, SkyNAS, VS960HD, SRM 1.2, VPN Plus Server, and VPN Server.

  13. Tomi Engdahl says:

    Engineering Workstations Are Concerning Initial Access Vector in OT Attacks
    https://www.securityweek.com/engineering-workstations-are-concerning-initial-access-vector-ot-attacks

    Organizations that use industrial control systems (ICS) and other operational technology (OT) are increasingly concerned about cyber threats, and while they have taken steps to address risks, many don’t know if they have suffered a breach, according to a survey conducted by the SANS Institute on behalf of industrial cybersecurity firm Nozomi Networks.

    The SANS 2021 OT/ICS Cybersecurity Report is based on information provided by 480 individuals from a wide range of industries.

    The survey conducted by SANS showed that nearly 70% of respondents believe the risk to their OT environment is high or severe, which is a significant increase from the 51% in 2019, when SANS conducted a similar survey.

    https://www.nozominetworks.com/downloads/SANS-Survey-2021-OT-ICS-Cybersecurity-Nozomi-Networks.pdf

  14. Tomi Engdahl says:

    Cisco Patches Serious Vulnerabilities in Data Center Products
    https://www.securityweek.com/cisco-patches-serious-vulnerabilities-data-center-products

    Cisco this week announced the release of patches for a critical vulnerability affecting its Application Policy Infrastructure Controller (APIC) and Cloud APIC products.

    Tracked as CVE-2021-1577 (CVSS score of 9.1), the issue exists because of improper access control. An unauthenticated, remote attacker could exploit the vulnerability to upload files to an affected device, gaining the ability to read or write arbitrary files.

    There are no workarounds to address the vulnerability. However, the company did release patches for versions 3.2, 4.2, and 5.1 of Cisco APIC and Cloud APIC, encouraging customers to apply them as soon as possible, or to migrate to a patched release.

    Cisco also released patches for two high-severity bugs in APIC and Cloud APIC, both of which could be exploited to escalate privileges on an affected system.

    Three medium-severity issues — a stored cross-site scripting, a command injection and a file upload issue — were also addressed in APIC and Cloud APIC.

    APIC is one of the main components of Cisco’s Application Centric Infrastructure (ACI) software-defined networking solution for data centers.

  15. Tomi Engdahl says:

    Google Issues YouTube Security Warning For 2 Million Creators
    https://www.forbes.com/sites/daveywinder/2021/08/27/google-issues-youtube-warning-for-millions-of-creators/?utm_source=FBPAGE&utm_medium=social&utm_content=5373012603&utm_campaign=sprinklrForbesMainFB&sh=14ed821e4545

    While Google continues to come under scrutiny from those preaching the privacy gospel, there’s one area where the technology titan deserves to be applauded: security. Earlier this year, Google announced it would suddenly flip the security switch on millions of Gmail accounts, a switch that will now also be toggled for two million YouTube creators.

  16. Tomi Engdahl says:

    Wall Street Journal:
    Q&A with John Binns, a 21-year-old American living in Turkey, who claims responsibility for the recent T-Mobile hack and says its security is “awful”

    T-Mobile Hacker Who Stole Data on 50 Million Customers: ‘Their Security Is Awful’
    https://www.wsj.com/articles/t-mobile-hacker-who-stole-data-on-50-million-customers-their-security-is-awful-11629985105?mod=djemalertNEWS

    A 21-year-old American said he used an unprotected router to access millions of customer records in the mobile carrier’s latest breach

    The hacker who is taking responsibility for breaking into T-Mobile US Inc.’s systems said the wireless company’s lax security eased his path into a cache of records with personal details on more than 50 million people and counting.

    John Binns, a 21-year-old American who moved to Turkey a few years ago, told The Wall Street Journal he was behind the security breach. Mr. Binns, who since 2017 has used several online aliases, communicated with the Journal in Telegram messages from an account that discussed details of the hack before they were widely known.

    The August intrusion was the latest in a string of high-profile breaches at U.S. companies that have allowed thieves to walk away with troves of personal details on consumers. A booming industry of cybersecurity consultants, software suppliers and incident-response teams have so far failed to turn the tide against hackers and identity thieves who fuel their businesses by tapping these deep reservoirs of stolen corporate data.

    The breach is the third major customer data leak that T-Mobile has disclosed in the past two years. The Bellevue, Wash., company is the second-largest U.S. mobile carrier with roughly 90 million cellphones connecting to its networks.

    In messages with the Journal, Mr. Binns said he managed to pierce T-Mobile’s defenses after discovering in July an unprotected router exposed on the internet. He said he had been scanning T-Mobile’s known internet addresses for weak spots using a simple tool available to the public.

    The young hacker said he did it to gain attention. “Generating noise was one goal,” he wrote. He declined to say whether he had sold any of the stolen data or whether he was paid to breach T-Mobile.

    Several cybersecurity experts said the public details of the hack and reports of previous T-Mobile breaches show the carrier’s defenses need improvement. Many of the records reported stolen were from prospective clients or former customers long gone. “That to me does not sound like good data management practices,”

    Mr. Binns said he used that entry point to hack into the cellphone carrier’s data center outside East Wenatchee, Wash., where stored credentials allowed him to access more than 100 servers.

    “I was panicking because I had access to something big,” he wrote. “Their security is awful.”

    On Aug. 13, the security research firm Unit221B LLC reported to T-Mobile that an account was attempting to sell T-Mobile customer data, according to the security firm. Two days later, T-Mobile publicly acknowledged it was investigating a potential breach.

    T-Mobile confirmed that more than 50 million customer records have been stolen.

    For Mr. Binns, who uses the online names IRDev and v0rtex, among others, the T-Mobile hack represents a major development in a track record that has featured various exploits and—four years ago—peripheral involvement in the creation of a massive network of hacked devices that was used for online attacks.

    Mr. Binns showed the Journal that he could access accounts linked to the IRDev online personality, which shared screenshots depicting access into T-Mobile’s network.

    It’s unclear whether Mr. Binns worked alone.

    “Online videogaming drives a natural competitiveness,” Mr. Benjamin said. ”Everybody’s looking for that edge. That can reach into this area of outside of the videogame,” where tactics end up “breaking the internet instead of just inside the rules of the game.”

    Mr. Binns told the Journal he first learned to find zero-days—previously undisclosed software flaws—by figuring out cheats for videogames such as “Minecraft,” “Arma” and “DayZ.” He said he found the zero-day that other hackers used to create Satori, a botnet-building virus that infects unprotected home routers, but denied writing any of the Satori code.

    The August hack of T-Mobile stole an array of personal details from more than 54 million customers, according to the company’s latest tally. Some customers had their names, Social Security numbers and birth dates exposed. Another batch of data included IMEI and IMSI numbers tied to users’ phones, which other attackers could use as a starting point to take control of victims’ phone lines.

    T-Mobile last week started notifying affected customers. The company offered two years of identity-protection services and reminded customers to regularly update passwords and PIN codes as a standard precaution.

    The Federal Communications Commission said it has launched a probe into the latest failure.

    Past data-breach penalties have reached into the hundreds of millions of dollars. Equifax Inc. in 2019 reached a settlement with U.S. officials to resolve several investigations and lawsuits for $700 million. The credit-data provider generated $3.5 billion of revenue that year. T-Mobile had $68.4 billion of revenue in 2020.

    A 2020 merger with Sprint Corp. made T-Mobile the U.S.’s second-largest mobile service provider, trailing only Verizon Communications Inc. T-Mobile executives have said they intend to keep growing by luring subscribers away from the competition.

  17. Tomi Engdahl says:

    Joseph Menn / Reuters:
    Microsoft warns thousands of cloud customers that a now-fixed Azure Cosmos vulnerability might have exposed databases, but it saw no evidence it was exploited — Microsoft (MSFT.O) on Thursday warned thousands of its cloud computing customers, including some of the world’s largest companies …
    EXCLUSIVE Microsoft warns thousands of cloud customers of exposed databases
    https://www.reuters.com/technology/exclusive-microsoft-warns-thousands-cloud-customers-exposed-databases-emails-2021-08-26/

    SAN FRANCISCO, Aug 26 (Reuters) – Microsoft (MSFT.O) on Thursday warned thousands of its cloud computing customers, including some of the world’s largest companies, that intruders could have the ability to read, change or even delete their main databases, according to a copy of the email and a cyber security researcher.

    The vulnerability is in Microsoft Azure’s flagship Cosmos DB database. A research team at security company Wiz discovered it was able to access keys that control access to databases held by thousands of companies. Wiz Chief Technology Officer Ami Luttwak is a former chief technology officer at Microsoft’s Cloud Security Group.

  18. Tomi Engdahl says:

    ‘Extraordinary’ hacking powers pass Parliament
    https://www.innovationaus.com/extraordinary-new-hacking-powers-pass-parliament/

    Legislation handing “extraordinary” new hacking powers to Australian authorities has sailed through Parliament with support from the Opposition, despite the government not implementing some of the recommendations from the national security committee.

    The Australian Federal Police (AFP) and Australian Criminal Intelligence Commission (ACIC) will now be able to access the computers and networks of those suspected of conducting criminal activity online, and even take over their online accounts covertly, under the Identify and Disrupt bill, which was passed by the Senate on Wednesday.

    Three new warrants will be introduced under the legislation, allowing authorities to “disrupt” the data of suspected offenders, access their devices and networks to identify them and take over their accounts.

    “Under our changes the AFP will have more tools to pursue organised crime gangs to keep drugs off our street and out of our community, and those who commit the most heinous crimes against children,” Home Affairs Minister Karen Andrews said.

    Currently, the broad new powers can be granted to combat a swathe of crimes, far further than the terrorism and other offences the government has pointed to in order to justify the need for the legislation.

    But the government instead raised the threshold for issuing the warrants to them being “reasonably necessary and proportionate”, up from “justifiable and proportionate”.

    “While these powers do have international precedent, they also carry inherent risks. As currently drafted, the substance of this bill does not match the government’s rhetoric.”

    “New warrants allow police to monitor online activity without accusing us of a crime. Take over our accounts and edit our data…making the AFP judge, jury and executioner is not how we deliver justice in this country.”

  19. Tomi Engdahl says:

    New Windows 10 hacking warning for millions of users. http://on.forbes.com/6189yQ5fN

    https://www.forbes.com/sites/daveywinder/2021/08/28/new-windows-10-hacking-warning-for-millions-of-users/?utm_source=FBPAGE&utm_medium=social&utm_content=5377732331&utm_campaign=sprinklrForbesMainFB&sh=688c25b01bb7

    Just when you thought things couldn’t get much worse for Windows 10 users after a miserable few weeks of security issues from PrintNightmare through to SeriousSAM and even a potential Windows Hello facial recognition bypass, they only went and did.

    Annoyed security researcher discovers simple Windows 10 zero-day
    I spoke with the security researcher, who only wants to be known by the Twitter handle of j0nh4t, who told me how the hack came to light. “I noticed the Razer Synapse installer was bundled with ‘driver’ installs via Windows Update,” while using the mouse, j0nh4t says, “I was annoyed by this behavior and decided to take a deeper look.” Unfortunately, what that look revealed was an issue that’s shockingly trivial to exploit.

    All it took for anyone to exploit this vulnerability was to plug in a Razer mouse, or the dongle it uses, and then shift-right from the Explorer window opened by Windows Update to choose a driver location and open a PowerShell with complete SYSTEM, or admin if you prefer, rights. And it got worse as an attacker would also be able to use the hack and save a service binary that could be “hijacked for persistence” and executed before the user even logs on during the boot process.

    “I think Microsoft should take a look in the mirror on how they manage ‘driver’ updates,” j0nh4t says, whilst appreciating the fine line of balancing user experience and usability involved. “Should Windows Update solely provide drivers so the device works at a minimum level and the user goes out of their way to download additional software?” the researcher says, adding that “this is a somewhat dangerous and interesting attack vector.”

  20. Tomi Engdahl says:

    Police locate signal jamming device in Morgan Hill
    Device disrupted and interfered with public safety radio frequency
    https://morganhilltimes.com/police-locate-signal-jamming-device-in-morgan-hill/

    The device was “disrupting, impeding and interfering with the transmission of communications over the Santa Clara County public safety radio frequency,” according to Morgan Hill police.

    The county’s emergency communications team was able to pinpoint the approximate location of the illegal device

    Police said the severity of the signal jamming in the immediate area resulted in the loss of WiFi, a satellite signal and cellular signals along with a county radio communication tower located nearby.

  21. Tomi Engdahl says:

    FBI releases alert about Hive ransomware after attack on hospital system in Ohio and West Virginia
    Hive has so far attacked at least 28 organizations, including Memorial Health System on August 15.
    https://www.zdnet.com/article/fbi-releases-alert-about-hive-ransomware-after-attack-on-hospital-system/

  22. Tomi Engdahl says:

    Mirai-style IoT botnet is now scanning for router-pwning critical vuln in Realtek kit
    Researchers warn of Dark.IoT’s rapidly evolving nasty
    https://www.theregister.com/2021/08/25/mirai_botnet_critical_vuln_realtek_radware/

  23. Tomi Engdahl says:

    Big bad decryption bug in OpenSSL but no cause for alarm https://nakedsecurity.sophos.com/2021/08/27/big-bad-decryption-bug-in-openssl-but-no-cause-for-alarm/
    The well-known and widely-used encryption library OpenSSL released a security patch earlier this week. OpenSSL, as its name suggests, is mainly used by network software that uses the TLS protocol (transport layer security), formerly known as SSL (secure sockets layer), to protect data in transit. Although TLS has now replaced SSL, removing a huge number of cryptographic flaws along the way, many of the popular open source programming libraries that support it, such as OpenSSL, LibreSSL and BoringSSL, have kept old-school product names for the sake of familiarity

  24. Tomi Engdahl says:

    Widespread credential phishing campaign abuses open redirector links https://www.microsoft.com/security/blog/2021/08/26/widespread-credential-phishing-campaign-abuses-open-redirector-links/
    Microsoft has been actively tracking a widespread credential phishing campaign using open redirector links. Attackers combine these links with social engineering baits that impersonate well-known productivity tools and services to lure users into clicking. Doing so leads to a series of redirections, including a CAPTCHA verification page that adds a sense of legitimacy and attempts to evade some automated analysis systems, before taking the user to a fake sign-in page. This ultimately leads to credential compromise, which opens the user and their organization to other attacks.

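The abuse described above works because a link on a domain the user (and the mail filter) trusts carries the real destination inside a query parameter. As an added example, not code from Microsoft’s post, here is a Python helper that unpacks the redirect parameters nested in a lure link entirely offline and flags the case where a trusted domain hands the user off to an untrusted one. The parameter names, the trusted-domain list and the sample lure URLs are constructed for the example and are assumptions, not data from the campaign.

```python
from urllib.parse import urlsplit, parse_qsl, unquote

# Parameter names legitimate redirector endpoints commonly use. This set is an
# assumption for the example, not a complete catalogue of what campaigns abuse.
REDIRECT_PARAMS = {
    "url", "redirect", "redirect_uri", "redirect_url", "next", "target",
    "dest", "destination", "rurl", "return", "returnurl", "goto", "link", "u",
}

# Constructed lure (assumption): trusted tracking domain -> CAPTCHA gate ->
# fake sign-in page, with each inner URL percent-encoded into the outer one.
SAMPLE_LURE = (
    "https://links.example-corp.com/track?redirect="
    "https%3A%2F%2Fcaptcha-gate.example.net%2Fv%3Fnext%3D"
    "https%3A%2F%2Flogin-office365.example.org%2Fsignin"
)
# Constructed benign link: same redirector, destination stays in-house.
SAMPLE_BENIGN = (
    "https://links.example-corp.com/track?redirect="
    "https%3A%2F%2Fwww.example-corp.com%2Fdocs"
)


def _as_absolute_url(value):
    """Return value as an absolute http(s) URL, or None when it is not one."""
    v = unquote(value).strip()
    if v.startswith("//"):            # scheme-relative targets still leave the site
        v = "https:" + v
    parts = urlsplit(v)
    if parts.scheme in ("http", "https") and parts.netloc:
        return v
    return None


def _host(url):
    """Lower-cased hostname with any userinfo and port stripped."""
    netloc = urlsplit(url).netloc
    return netloc.rsplit("@", 1)[-1].split(":")[0].lower()


def redirect_chain(url, max_hops=5):
    """Hosts reached by following redirect parameters embedded in the link,
    outermost first. No network access is made, so only hops encoded in the
    URL itself are seen, not redirects the servers decide on later."""
    hops = []
    current = url
    for _ in range(max_hops):
        hops.append(_host(current))
        nxt = None
        for name, value in parse_qsl(urlsplit(current).query, keep_blank_values=True):
            if name.lower() in REDIRECT_PARAMS:
                nxt = _as_absolute_url(value)
                if nxt:
                    break
        if nxt is None:
            break
        current = nxt
    return hops


def is_open_redirect_lure(url, trusted_domains):
    """(flag, chain): flag is True when a link on a trusted domain ends on an
    untrusted host after following the embedded redirect parameters."""
    chain = redirect_chain(url)

    def trusted(host):
        return any(host == d or host.endswith("." + d) for d in trusted_domains)

    if len(chain) < 2:
        return False, chain
    return trusted(chain[0]) and not trusted(chain[-1]), chain


if __name__ == "__main__":
    for link in (SAMPLE_LURE, SAMPLE_BENIGN):
        flag, chain = is_open_redirect_lure(link, {"example-corp.com"})
        print("LURE" if flag else "ok  ", " -> ".join(chain))
```

The check deliberately ignores the outer domain’s reputation and looks only at where the chain ends, which is the property the campaign relies on to get past URL filters. Its limit is the one noted in the docstring: a redirector that decides the target server-side, or one that stores the target under a parameter name not in the list, produces a one-host chain and is not flagged, so treat it as a triage filter rather than a verdict.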
  25. Tomi Engdahl says:

    Man impersonates Apple support, steals 620,000 photos from iCloud accounts https://www.welivesecurity.com/2021/08/26/man-impersonates-apple-support-steals-620000-photos-icloud/
    A California man has fessed up to breaking into the Apple iCloud accounts of hundreds of individuals and downloading more than 620,000 images and 9,000 videos while on the prowl for nude photos of young women. He would then share or trade these images online or keep them for his own collection. Hao Kuo Chi, a 40-year-old citizen of La Puente, Los Angeles County, pleaded guilty to four counts including committing computer fraud, according to a report by the Los Angeles Times. Going by the online handle icloudripper4you, he billed himself as being adept at infiltrating iCloud accounts and pilfering their content, an activity he referred to as ripping.

  26. Tomi Engdahl says:

    Fake DMCA complaints, DDoS threats lead to BazaLoader malware https://www.bleepingcomputer.com/news/security/fake-dmca-complaints-ddos-threats-lead-to-bazaloader-malware/
    Cybercriminals behind the BazaLoader malware came up with a new lure to trick website owners into opening malicious files: fake notifications about the site being engaged in distributed denial-of-service (DDoS) attacks. The messages contain a legal threat and a file stored in a Google Drive folder that allegedly provides evidence of the source of the attack. The DDoS theme is a variation of another lure, a Digital Millennium Copyright Act (DMCA) infringement complaint linking to a file that supposedly contains evidence about stealing images.

  27. Tomi Engdahl says:

    Microsoft warns thousands of customers about a database leak in the Azure cloud service https://www.hs.fi/talous/art-2000008221497.html
    Software company Microsoft on Thursday warned thousands of its cloud customers about a leak of databases. The vulnerability is in the Cosmos DB database of Microsoft’s Azure cloud service. The hole was found when a research team at security company Wiz discovered it was able to use keys that control databases held by thousands of companies. According to Wiz CTO Ami Luttwak, it is the worst possible cloud service vulnerability. Also:
    https://www.wiz.io/blog/chaosdb-how-we-hacked-thousands-of-azure-customers-databases.
    https://www.bleepingcomputer.com/news/microsoft/microsoft-warns-azure-customers-of-critical-cosmos-db-vulnerability/.
    https://thehackernews.com/2021/08/critical-cosmos-database-flaw-affected.html.
    https://threatpost.com/azure-cosmos-db-bug-cloud/168986/.
    https://www.zdnet.com/article/azure-cosmos-db-alert-critical-vulnerability-puts-users-at-risk/.
    https://www.theregister.com/2021/08/27/chaos_db_azure_cosmos_flaw/

  28. Tomi Engdahl says:

    Ragnarok ransomware operation shuts down and releases free decrypter https://therecord.media/ragnarok-ransomware-operation-shuts-down-and-releases-free-decrypter/
    The Ragnarok (or Asnarök) ransomware gang shut down their operation today and released a free decryption utility to help victims recover their files. The free decrypter, hardcoded with a master decryption key, was released today on the gang’s dark web portal, where the group previously used to publish files from victims who refused to pay. The decrypter, which has been confirmed to work by multiple security researchers, is currently being analyzed before security firms will rewrite a clean and safe-to-use version that will be made publicly available through Europol’s NoMoreRansom portal. Also:
    https://www.bleepingcomputer.com/news/security/ragnarok-ransomware-releases-master-decryptor-after-shutdown/.
    https://threatpost.com/ragnarok-releases-decryptor/168976/

    Reply
  29. Tomi Engdahl says:

    T-Mobile CEO: Hacker brute-forced his way through our network https://www.bleepingcomputer.com/news/security/t-mobile-ceo-hacker-brute-forced-his-way-through-our-network/
    Today, T-Mobile’s CEO Mike Sievert said that the hacker behind the carrier’s latest massive data breach brute-forced his way through T-Mobile’s network after gaining access to testing environments. The attacker could not exfiltrate customer financial information, credit card information, debit or other payment information during the incident. However, T-Mobile says that he stole records belonging to 54.6 million current, former, or prospective customers, containing Social Security numbers, phone numbers, names, addresses, dates of birth, T-Mobile prepaid PINs, and driver license/ID information.

    Reply
  30. Tomi Engdahl says:

    Phorpiex botnet shuts down, source code goes up for sale https://therecord.media/phorpiex-botnet-shuts-down-source-code-goes-up-for-sale/
    The operators of the Phorpiex malware have shut down their botnet and put its source code for sale on a dark web cybercrime forum, The Record has learned. The ad, posted earlier today by an individual previously linked to the botnet's operation, claims that none of the malware's two original authors are involved in running the botnet, hence the reason they decided to sell its source code. “As I no longer work and my friend has left the biz, I'm here to offer Trik (name from coder) / Phorpiex (name fomr AV firms) source for sell [sic],” the individual said today in a forum post spotted by British security firm Cyjax.

    Reply
  31. Tomi Engdahl says:

    LockFile Ransomware Bypasses Protection Using Intermittent File Encryption https://thehackernews.com/2021/08/lockfile-ransomware-bypasses-protection.html
    A new ransomware family that emerged last month comes with its own bag of tricks to bypass ransomware protection by leveraging a novel technique called “intermittent encryption.” Called LockFile, the operators of the ransomware have been found exploiting recently disclosed flaws such as ProxyShell and PetitPotam to compromise Windows servers and deploy file-encrypting malware that scrambles only every alternate 16 bytes of a file, thereby giving it the ability to evade ransomware defences.

    Reply
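    A detection-side illustration of the intermittent pattern described in the post above, added here as an example (it is not code from the article or from any vendor): a file whose odd-numbered 16-byte blocks have been scrambled shows a middling entropy as a whole, but splitting it into even and odd blocks first makes one half text-like and the other half random-looking. The block size comes from the post; the entropy thresholds, the sample buffers and the function names are assumptions made for this example, and the "scrambled" blocks are plain random bytes standing in for ciphertext.

```python
"""Flag buffers that look partially encrypted in alternating 16-byte blocks.

Added example, not from the article: the block size is the one the article
attributes to LockFile; thresholds and samples are assumptions for this demo.
"""
import math
import random
from collections import Counter
from typing import Dict, Tuple

BLOCK = 16            # block size the article attributes to LockFile
HIGH_ENTROPY = 6.5    # bits/byte; random data over a few KB sits near 7.8
LOW_ENTROPY = 5.5     # English text usually lands between 4 and 5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the buffer (0.0 for an empty buffer)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def split_alternate(data: bytes, block: int = BLOCK) -> Tuple[bytes, bytes]:
    """Concatenate the even-numbered blocks and the odd-numbered blocks separately."""
    even, odd = bytearray(), bytearray()
    for i in range(0, len(data), block):
        chunk = data[i:i + block]
        (even if (i // block) % 2 == 0 else odd).extend(chunk)
    return bytes(even), bytes(odd)


def classify(data: bytes, block: int = BLOCK) -> str:
    """Return 'plain', 'encrypted', 'intermittent' or 'unknown' for a buffer."""
    even, odd = split_alternate(data, block)
    e_even, e_odd = shannon_entropy(even), shannon_entropy(odd)
    if e_even >= HIGH_ENTROPY and e_odd >= HIGH_ENTROPY:
        return "encrypted"          # both halves random: whole-file encryption
    if e_even <= LOW_ENTROPY and e_odd <= LOW_ENTROPY:
        return "plain"              # both halves text-like: untouched file
    if max(e_even, e_odd) >= HIGH_ENTROPY and min(e_even, e_odd) <= LOW_ENTROPY:
        return "intermittent"       # one half random, one half text: alternate blocks
    return "unknown"


def make_samples(size: int = 4096, seed: int = 1) -> Dict[str, bytes]:
    """Constructed test buffers.  The scrambled blocks are random bytes standing
    in for ciphertext; no cipher is involved."""
    rng = random.Random(seed)
    text = (b"Quarterly report: revenue up, costs flat, headcount unchanged. " * 100)[:size]
    rand = bytes(rng.getrandbits(8) for _ in range(size))
    mixed = bytearray(text)
    for i in range(BLOCK, size, 2 * BLOCK):   # overwrite every odd-numbered block
        mixed[i:i + BLOCK] = rand[i:i + BLOCK]
    return {"plain": text, "encrypted": rand, "intermittent": bytes(mixed)}


def scan_file(path: str, block: int = BLOCK) -> str:
    """Classify a file on disk with the same rule."""
    with open(path, "rb") as fh:
        return classify(fh.read(), block)


if __name__ == "__main__":
    for name, buf in make_samples().items():
        e, o = (shannon_entropy(x) for x in split_alternate(buf))
        print(f"{name:12s} even={e:.2f} odd={o:.2f} -> {classify(buf)}")
```

    The rule only separates the three constructed cases cleanly because the block offset is known; a scanner that does not know the stride would repeat the split for a few candidate block sizes and offsets and keep the one with the largest gap between the two halves. Compressed or already-encrypted originals land in "encrypted" either way, so the check is a signal to correlate with file-change rate and extension, not a verdict.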
  32. Tomi Engdahl says:

    Cisco says it will not release software update for critical 0-day in EOL VPN routers https://www.zdnet.com/article/cisco-not-planning-to-fix-critical-0-day-rce-vulnerability-in-eol-vpn-routers/
    Cisco announced recently that it will not be releasing software updates for a vulnerability in its Universal Plug-and-Play (UPnP) service in Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers. The vulnerability allows an unauthenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly, resulting in a denial of service (DoS) condition.

    Reply
  33. Tomi Engdahl says:

    DOJ launches program to train prosecutors in cybersecurity topics https://therecord.media/doj-launches-program-to-train-prosecutors-in-cybersecurity-topics/
    The US Department of Justice announced a new fellowship program today designed to train a new generation of prosecutors and attorneys on cybersecurity issues, in order to better tackle national security threats and cybercrime. Named the Cyber Fellowship, the new program is one of the outcomes of a 120-day review of cybersecurity challenges the DOJ began in May this year following a series of major cyber-attacks against the US (i.e., Colonial Pipeline incident, Nobelium/Exchange zero-day attacks, SolarWinds supply-chain attack).

    Reply
  34. Tomi Engdahl says:

    Filter JSON Data by Value with Linux jq
    https://isc.sans.edu/forums/diary/Filter+JSON+Data+by+Value+with+Linux+jq/27792/
    Since JSON has become more prevalent as a data service, unfortunately, it isn’t at all BASH friendly, and manipulating JSON data at the command line with REGEX (i.e. sed, grep, etc.) is cumbersome and makes it difficult to get the output I want. So, there is a Linux tool I use for this: jq is a tool specifically written to manipulate and filter the data I want (i.e. like scripting and extracting the output I need) from a large JSON file in an output format I can easily read and manipulate.

    Reply
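    The same filter-by-value job, written out as an added Python example rather than a jq one-liner (this is not the diary's own code): it parses a constructed array of records, selects by field value and by a threshold, follows a jq-style dotted path into nested objects and arrays, and prints a tab-separated result. The record shape, the field names and the helper names are assumptions for this example; the jq filter quoted in the docstring is the equivalent command the Python reproduces.

```python
"""Filter JSON records by value, the job the diary above does with jq.

Added example, not the ISC diary's own code: a Python equivalent of
    jq -r '.[] | select(.severity == "high" and .count >= 10) | [.ip, .count] | @tsv'
run over a constructed record list embedded below (not real sensor data).
"""
import json
from typing import Any, Callable, Iterable, List

# Constructed sample: an array of objects with a nested field, the kind of
# shape a JSON API hands back.  Addresses are RFC 5737 documentation ranges.
SAMPLE_JSON = """
[
  {"ip": "192.0.2.10",   "severity": "high", "count": 42, "geo": {"cc": "US"}, "tags": ["scanner"]},
  {"ip": "192.0.2.11",   "severity": "low",  "count": 3,  "geo": {"cc": "DE"}, "tags": []},
  {"ip": "198.51.100.7", "severity": "high", "count": 8,  "geo": {"cc": "US"}, "tags": ["bruteforce"]},
  {"ip": "203.0.113.5",  "severity": "high", "count": 17, "geo": {"cc": "FR"}, "tags": ["bruteforce", "ssh"]}
]
"""


def parse(raw: str) -> List[dict]:
    """Load a JSON array of objects; reject any other top-level shape early."""
    records = json.loads(raw)
    if not isinstance(records, list):
        raise ValueError("expected a JSON array at top level")
    return records


def get_path(obj: Any, path: str) -> Any:
    """Resolve a jq-style path written with dots, e.g. "geo.cc" or "tags.1".

    Missing keys and out-of-range indexes yield None instead of raising,
    which mirrors jq returning null for an absent field.
    """
    cur = obj
    for part in path.split("."):
        if isinstance(cur, dict):
            cur = cur.get(part)
        elif isinstance(cur, list) and part.isdigit() and int(part) < len(cur):
            cur = cur[int(part)]
        else:
            return None
    return cur


def filter_by_value(records: Iterable[dict], path: str, value: Any) -> List[dict]:
    """Equivalent of jq's  .[] | select(.<path> == <value>)."""
    return [r for r in records if get_path(r, path) == value]


def filter_where(records: Iterable[dict], predicate: Callable[[dict], bool]) -> List[dict]:
    """Equivalent of jq's select() with an arbitrary boolean expression."""
    return [r for r in records if predicate(r)]


def to_tsv(records: Iterable[dict], paths: List[str]) -> str:
    """Equivalent of jq's  [.a, .b] | @tsv  for the chosen paths."""
    rows = []
    for r in records:
        cells = []
        for p in paths:
            v = get_path(r, p)
            cells.append("" if v is None else str(v))
        rows.append("\t".join(cells))
    return "\n".join(rows)


def high_severity_ips(raw: str = SAMPLE_JSON, min_count: int = 10) -> List[str]:
    """IPs of records marked severity=high that have at least min_count hits."""
    hits = filter_by_value(parse(raw), "severity", "high")
    hits = filter_where(hits, lambda r: (get_path(r, "count") or 0) >= min_count)
    return [r["ip"] for r in hits]


if __name__ == "__main__":
    print(to_tsv(filter_by_value(parse(SAMPLE_JSON), "geo.cc", "US"),
                 ["ip", "count", "tags.0"]))
```

    Tab-separated output is the practical choice for the next stage of a pipeline (cut, sort, or a SIEM import), and returning None for absent paths rather than raising keeps a single malformed record from aborting a scan of thousands.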
  35. Tomi Engdahl says:

    Critical Vulnerability Exposed Azure Cosmos DBs for Months
    https://www.securityweek.com/critical-vulnerability-exposed-azure-cosmos-dbs-months

    Microsoft this week started notifying customers of a critical vulnerability in Azure Cosmos DB that could have provided attackers with administrative access to Cosmos DB instances.

    A fully managed NoSQL database, Cosmos DB was launched in 2017, for use with web and mobile applications, but also supports modeling social interactions and integration with third-party services.

    Earlier this month, researchers with the cloud security firm Wiz discovered a vulnerability in the Azure cloud platform that could allow a remote attacker to take over Cosmos DB instances without authorization, with full administrative rights, meaning they could read, write, or delete databases.

    “The vulnerability has a trivial exploit that doesn’t require any previous access to the target environment, and impacts thousands of organizations, including numerous Fortune 500 companies,” the researchers, who named the vulnerability ChaosDB, say.

    Reply
  36. Tomi Engdahl says:

    Vulnerability Allows Remote Hacking of Annke Video Surveillance Product
    https://www.securityweek.com/vulnerability-allows-remote-hacking-annke-video-surveillance-product

    Researchers at industrial and IoT cybersecurity firm Nozomi Networks have discovered a critical vulnerability that can be exploited to hack a video surveillance product made by Annke, a Hong Kong-based global provider of home and business security solutions.

    The flaw, tracked as CVE-2021-32941 and having a CVSS score of 9.4, has been described as a stack-based buffer overflow that can be exploited by a remote attacker to execute arbitrary code and access sensitive information.

    Nozomi said it reported the vulnerability to Annke on July 11 and a patch was delivered via a firmware update on July 22. Annke customers are advised to update their device’s firmware as soon as possible.

    According to an advisory published this week by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the affected product is used worldwide.

    ICS Advisory (ICSA-21-238-02)
    Annke Network Video Recorder
    https://us-cert.cisa.gov/ics/advisories/icsa-21-238-02

    Reply
  37. Tomi Engdahl says:

    Benedict Evans:
    Many internet privacy proposals circulating today are in direct conflict with those to increase market competition, as they would further entrench big platforms

    Ads, privacy and confusion
    https://www.ben-evans.com/benedictevans/2021/8/27/understanding-privacy

    Privacy is coming to the internet and cookies are going away. This is long overdue – but we don’t know what happens next, we don’t have much consensus on what online privacy actually means, and most of what’s on the table conflicts fundamentally with competition.

    The consumer internet industry spent two decades building a huge, complex, chaotic pile of tools and systems to track and analyse what people do on the internet, and we’ve spent the last half-decade arguing about that, sometimes for very good reasons, and sometimes with strong doses of panic and opportunism. Now that’s mostly going to change, between unilateral decisions by some big tech platforms and waves of regulation from all around the world. But we don’t have any clarity on what that would mean, or even quite what we’re trying to achieve, and there are lots of unresolved questions. We are confused.

    First, can we achieve the underlying economic aims of online advertising in a private way? Advertisers don’t necessarily want (or at least need) to know who you are as an individual. As Tim O’Reilly put it, data is sand, not oil – all this personal data actually only has value in the aggregate of millions. Advertisers don’t really want to know who you are – they want to show diaper ads to people who have babies, not to show them to people who don’t, and to have some sense of which ads drove half a million sales and which ads drove a million sales. Targeting ads per se doesn’t seem fundamentally evil, unless you think putting car ads in car magazines is also evil. But the internet became able to show car ads to people who read about cars yesterday, somewhere else – to target based on the user rather than the context. This is both exactly the same and completely different.

    In practice, ‘showing car ads to people who read about cars’ led the adtech industry to build vast piles of semi-random personal data, aggregated, disaggregated, traded, passed around and sometimes just lost, partly because it could and partly because that appeared to be the only way to do it.

    Reply
  38. Tomi Engdahl says:

    Hackers, tractors, and a few delayed actors. How hacker Sick Codes learned too much about John Deere: Lock and Code S02E16 https://blog.malwarebytes.com/podcast/2021/08/hackers-tractors-and-a-few-delayed-actors-how-hacker-sick-codes-learned-too-much-about-john-deere-lock-and-code-s02e16/
    No one ever wants a group of hackers to say about their company: “We had the keys to the kingdom.” But that's exactly what the hacker Sick Codes said on this week's episode of Lock and Code, in speaking with host David Ruiz, when talking about his and fellow hackers' efforts to peer into John Deere's data operations center, where the company receives a near-endless stream of data from its Internet-connected tractors, combines, and other smart farming equipment.

    Reply
  39. Tomi Engdahl says:

    The Mostly Dead Mozi and Its Lingering Bots https://blog.netlab.360.com/the-mostly-dead-mozi-and-its-lingering-bots/
    It has been nearly 2 years since we (360NETLAB) first disclosed the Mozi botnet in December 2019, and in that time we have witnessed its development from a small-scale botnet to a giant that accounted for an extremely high percentage of IOT traffic at its peak. Now that Mozi’s authors have been taken into custody by law enforcement agencies, a process in which we provided technical assistance throughout, we don’t think it will continue to be updated for quite some time to come. But we know that Mozi uses a P2P network structure, and one of the “advantages” of a P2P network is that it is robust, so even if some of the nodes go down, the whole network will carry on, and the remaining nodes will still infect other vulnerable devices; that is why we can still see Mozi spreading.

    Reply
  40. Tomi Engdahl says:

    Microsoft Exchange ProxyToken bug can let hackers steal user email https://www.bleepingcomputer.com/news/security/microsoft-exchange-proxytoken-bug-can-let-hackers-steal-user-email/
    Technical details have emerged on a serious vulnerability in Microsoft Exchange Server dubbed ProxyToken that does not require authentication to access emails from a target account. An attacker can exploit the vulnerability by crafting a request to web services within the Exchange Control Panel (ECP) application and steal messages from a victim's inbox. Also:
    https://therecord.media/proxytoken-vulnerability-can-modify-exchange-server-configs/
    https://threatpost.com/microsoft-exchange-proxytoken-email/169030/

    Reply
  41. Tomi Engdahl says:

    Hackers steal $29 million from crypto-platform Cream Finance https://therecord.media/hackers-steal-29-million-from-crypto-platform-cream-finance/
    Hackers are estimated to have stolen more than $29 million in cryptocurrency assets from Cream Finance, a decentralized finance (DeFi) platform that allows users to loan and speculate on cryptocurrency price variations. The company confirmed the hack earlier today, half an hour after blockchain security firm PeckShield noticed signs of an ongoing attack. “C.R.E.A.M. v1 market on Ethereum has suffered an exploit, resulting in a loss of 418,311,571 in AMP and 1,308.09 in ETH, by way of reentrancy on the AMP token contract.”

    Reply
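    The reentrancy pattern named in the post above, modelled in plain Python as an added example (this is not Cream Finance's or AMP's code). The one assumption taken from the report is that the token calls back into the recipient on every transfer, an ERC777-style hook; the pool, ledger and function names are constructed for this example. A pool that sends tokens before it records the debt lets that callback borrow again while the books still show zero debt; the fixed pool records effects before the external call and also holds a mutex, so the nested call fails.

```python
"""A lending-pool reentrancy bug of the kind reported above, in plain Python.

Added example, not Cream Finance's or AMP's code.  Assumption borrowed from
the report: the token notifies the recipient on every transfer (ERC777-style
hook).  Everything else here is constructed for the demonstration.
"""
from typing import Callable, Dict, Tuple


class ReentrancyError(RuntimeError):
    pass


class HookToken:
    """Minimal token ledger that calls the recipient's hook after each transfer."""

    def __init__(self, balances: Dict[str, int]):
        self.balances = dict(balances)
        self.hooks: Dict[str, Callable[[str, int], None]] = {}

    def register_hook(self, account: str, fn: Callable[[str, int], None]) -> None:
        self.hooks[account] = fn

    def transfer(self, sender: str, recipient: str, amount: int) -> None:
        if self.balances.get(sender, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] -= amount
        self.balances[recipient] = self.balances.get(recipient, 0) + amount
        hook = self.hooks.get(recipient)
        if hook is not None:              # control passes to the recipient here
            hook(sender, amount)


class VulnerablePool:
    """Lends up to the deposited collateral, but transfers BEFORE bookkeeping."""

    NAME = "pool"

    def __init__(self, token: HookToken):
        self.token = token
        self.collateral: Dict[str, int] = {}
        self.debt: Dict[str, int] = {}

    def deposit(self, user: str, amount: int) -> None:
        self.token.transfer(user, self.NAME, amount)
        self.collateral[user] = self.collateral.get(user, 0) + amount

    def _check(self, user: str, amount: int) -> None:
        if self.debt.get(user, 0) + amount > self.collateral.get(user, 0):
            raise ValueError("undercollateralised")

    def borrow(self, user: str, amount: int) -> None:
        self._check(user, amount)
        self.token.transfer(self.NAME, user, amount)       # interaction first ...
        self.debt[user] = self.debt.get(user, 0) + amount  # ... effect last (the bug)


class SafePool(VulnerablePool):
    """Checks-effects-interactions order plus a mutex: the usual two fixes."""

    def __init__(self, token: HookToken):
        super().__init__(token)
        self._locked = False

    def borrow(self, user: str, amount: int) -> None:
        if self._locked:
            raise ReentrancyError("borrow re-entered")
        self._locked = True
        try:
            self._check(user, amount)
            self.debt[user] = self.debt.get(user, 0) + amount  # effect first
            self.token.transfer(self.NAME, user, amount)       # interaction last
        finally:
            self._locked = False


def run_scenario(pool_cls, rounds: int = 2) -> Tuple[int, int, int]:
    """Deposit 100, borrow 100, and let the transfer hook try to borrow again.

    Returns (tokens the borrower ends up holding, recorded debt, collateral).
    """
    token = HookToken({"borrower": 100, "pool": 1000})  # 1000 = other users' liquidity
    pool = pool_cls(token)
    state = {"left": rounds}

    def on_receive(sender: str, amount: int) -> None:
        if sender != pool.NAME or state["left"] == 0:
            return
        state["left"] -= 1
        try:
            pool.borrow("borrower", amount)    # nested call while the outer one is unfinished
        except (ReentrancyError, ValueError):
            pass                               # a failed nested call is simply swallowed

    token.register_hook("borrower", on_receive)
    pool.deposit("borrower", 100)
    pool.borrow("borrower", 100)
    return token.balances["borrower"], pool.debt["borrower"], pool.collateral["borrower"]


if __name__ == "__main__":
    print("vulnerable:", run_scenario(VulnerablePool))   # (300, 300, 100)
    print("fixed:     ", run_scenario(SafePool))         # (100, 100, 100)
```

    Either fix alone closes this particular hole: with the debt recorded first, the nested call fails its collateral check, and with the lock held, it never reaches the check. Keeping both is the conservative choice, because the ordering protects every code path that the reviewer remembered and the lock protects the ones they did not. The review point for any pool that lists a hook-bearing token is exactly the order of lines in `borrow`.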
  42. Tomi Engdahl says:

    QNAP works on patches for OpenSSL bugs impacting its NAS devices https://www.bleepingcomputer.com/news/security/qnap-works-on-patches-for-openssl-bugs-impacting-its-nas-devices/
    Network-attached storage (NAS) maker QNAP is investigating and working on security updates to address remote code execution (RCE) and denial-of-service (DoS) vulnerabilities patched by OpenSSL last week.
    The security flaws, tracked as CVE-2021-3711 and CVE-2021-3712, impact QNAP NAS devices running QTS, QuTS hero, QuTScloud, and HBS 3 Hybrid Backup Sync (a backup and disaster recovery app), according to advisories published earlier today.

    Reply
  43. Tomi Engdahl says:

    LockBit Gang to Publish 103GB of Bangkok Air Customer Data https://threatpost.com/microsoft-exchange-proxytoken-email/169030/
    The LockBit ransomware gang has apparently struck again, having purportedly stolen 103GB worth of files from Bangkok Airways and promising to release them tomorrow, on Tuesday. A Dark Web intelligence firm calling itself DarkTracer (apparently a separate intel firm from the better-known Darktrace) tweeted a screen capture of a countdown clock from LockBit 2.0 that, as of Friday, showed four and a half days left. Also:
    https://www.zdnet.com/article/bangkok-airways-apologizes-for-passport-info-breach-as-lockbit-ransomware-group-threatens-release-of-more-data/

    Reply
  44. Tomi Engdahl says:

    Citizens are being scammed again: authority warns of porn extortion https://www.is.fi/digitoday/tietoturva/art-2000008228312.html
    THE PORN extortion that has harassed Finns for years shows no sign of easing. The National Cyber Security Centre, which operates under Traficom, updated its article on the subject on Monday and stressed that these adult-entertainment-themed extortion messages are still circulating in large numbers. In the messages the scammer claims to have secretly filmed the recipient while they were visiting adult sites, using malware installed on the device. However, nothing has been filmed, and there is no malware. Nothing should be paid to the scammer, and the messages can simply be deleted.

    Reply
  45. Tomi Engdahl says:

    House defense policy bill okays $10.4 billion for DoD cybersecurity https://therecord.media/house-defense-policy-bill-okays-10-4-billion-for-dod-cybersecurity/
    The House version of the annual defense policy bill backs the Biden administration's proposed $10.4 billion cybersecurity budget for the Defense Department next year, according to an aide for the panel's Democratic majority. “We support the President's budget request,” the aide said, adding that the annual National Defense Authorization Act provides additional investment for the protection of the Pentagon's information systems. A summary of the bill shows an additional $50 million for such work.

    Reply
  46. Tomi Engdahl says:

    New Mirai Variant Targets WebSVN Command Injection Vulnerability (CVE-2021-32305)
    https://unit42.paloaltonetworks.com/cve-2021-32305-websvn/
    We have observed exploits in the wild for a recently disclosed command injection vulnerability affecting WebSVN, an open-source web application for browsing source code. The critical command injection vulnerability was discovered and patched in May 2021. A proof of concept was released and within a week, on June 26, 2021, attackers exploited the vulnerability to deploy variants of the Mirai DDoS malware. We strongly recommend that WebSVN users upgrade to the latest software version.

    Reply
