This posting is here to collect cyber security news in September 2021.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
This posting is here to collect cyber security news in September 2021.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
414 Comments
Tomi Engdahl says:
iOS 15 Is Available Now With These Stunning New iPhone Privacy Features https://www.forbes.com/sites/kateoflahertyuk/2021/09/20/ios-15-is-available-now-with-these-stunning-new-iphone-privacy-features/
It’s been a long time coming but iOS 15 is now available, along with a bunch of stunning new iPhone privacy features you can start using straight away.
Tomi Engdahl says:
An in-depth analysis of ExpressVPN’s terrible, horrible, no good, very bad week https://www.zdnet.com/article/trust-but-verify-an-in-depth-analysis-of-expressvpns-terrible-horrible-no-good-very-bad-week/
ExpressVPN has been all over the news for the past week, and not in a good way. Kape Technologies has announced plans to acquire ExpressVPN for $986 million. Kape was once considered a malware provider.
Additionally, a report in Reuters indicating that ExpressVPN CIO Daniel Gericke is among three men fined $1.6 million by the US Department of Justice for hacking and spying on US citizens on behalf of the government of the UAE (United Arab Emirates).
Tomi Engdahl says:
#OMIGOD Exploits Captured in the Wild. Researchers responsible for half of scans for related ports
https://isc.sans.edu/diary/rss/27852
After the “OMIGOD” vulnerability details were made public, and it became obvious that exploiting vulnerable hosts would be trivial, researchers and attackers started pretty much immediately to scan for vulnerable hosts.
Tomi Engdahl says:
https://isc.sans.edu/forums/diary/OMIGOD+Exploits+Captured+in+the+Wild+Researchers+responsible+for+half+of+scans+for+related+ports/27852/
Tomi Engdahl says:
Apple Ships iOS 15 with MFA Code Generator
https://www.securityweek.com/apple-ships-ios-15-mfa-code-generator
Apple on Monday rolled out a major refresh of its flagship iOS mobile platform, adding a built-in two-factor authentication code generator and multiple anti-tracking security and privacy features.
The iOS 15 makeover also includes patches for at least 22 documented security vulnerabilities, some serious enough to expose iPhone and iPad users to remote denial-of-service and local code execution attacks.
The latest mobile operating system refresh comes on the heels of two major security and privacy-related controversies at Apple. The company was forced to scramble out an emergency iOS patch last week to address in-the-wild zero day attacks and Apple was also caught in a privacy scandal linked to its now-delayed sex-abuse scanning technology.
Tomi Engdahl says:
Attacks Targeting OMIGOD Vulnerability Ramping Up
https://www.securityweek.com/attacks-targeting-omigod-vulnerability-ramping
Tomi Engdahl says:
Finanssivalvonta pitää pankkimokaa vakavana: Näitä toimia Nordealta nyt odotetaan
Nordean asiakkailla näkyi tilillä vähemmän rahaa kuin olisi pitänyt. Virhe on vakava.
https://www.iltalehti.fi/raha-nyt/a/c6c83ccf-7c36-4f8c-8ea5-98026f41e3d7
Virhe, jonka seurauksena asiakkaiden tileillä oli käytettävissä vähemmän rahaa kuin olisi pitänyt, on vakava. Näin sanoo Finanssivalvonnan it-, tietoturva- ja maksujärjestelmäasioiden johtava riskiasiantuntija Anne Nisén.
– Se on erittäin ikävä tilanne, ja nämä ovat merkittäviä häiriöitä, kun tulee tilanteita, jossa asiakkaan oikea tilitilanne näyttää pienemmältä siitä syystä, että samat tapahtumat on veloitettu ja varattu.
Näin tapahtui Nordealla viikonlopun jälkeen. Nisén sanoo, että yksittäistä valvottavan yrityksen tilannetta Fiva ei voi kommentoida.
– Yleisesti voidaan todeta, että seuraamme erityisesti asiakkaiden palveluissa olevia häiriötilanteita tiiviisti ja tarvittaessa olemme yhteydessä yrityksiin, joilla näitä häiriöitä on.
Pankeilla on velvollisuus raportoida Finanssivalvonnalle kaikista asiakkaiden tarvitsemien palveluiden häiriöistä. Ensimmäinen raportti täytyy toimittaa ilman aiheetonta viivytystä. Lisäksi yhtiöiden täytyy raportoida häiriön kuluessa ja toimittaa loppuraportti, jossa kerrotaan häiriön syy ja toimenpiteet, jotka on tehty vastaavien tilanteiden ehkäisemiseksi.
Aiheuttivatko huoltotyöt Nordean veloituskriisin? ”Keskitymme nyt siihen, että asia saadaan korjattua”
Nordean mukaan häiriö ei edellytä asiakkailta toimenpiteitä.
https://www.iltalehti.fi/kotimaa/a/0e741a98-9f2d-40e6-b302-8f1192114050
Nordea on saanut poistettua lähes kaikki asiakkaidensa tilien tarpeettomat katevaraukset. Pankki tiedotti asiasta tiistaina puolenpäivän jälkeen Twitterissä.
Osalla Nordean asiakkaista on näkynyt maanantaina ja tiistaina tilitiedoissa samasta ostoksesta sekä veloitettu korttimaksu että katevaraus.
Tomi Engdahl says:
Hackers want $5.9 million ransom from Iowa farm cooperative, threaten release of stolen data
https://kwwl.com/2021/09/21/iowa-farm-cooperative-hit-by-ransomware-systems-go-offline-3/
A ransomware attack has forced a cooperative of Iowa corn and soybean farmers to take their computer systems offline.
The Associated Press reports someone close to the “New Cooperative” says it has created workarounds to receive grain and distribute feed. The cooperative said in a statement to the AP that the attack was “successfully contained” and that it notified law enforcement.
The attack hit just as Iowa’s corn and soy harvesting is getting underway. “New Cooperative” did not say whether it had paid a ransom. A security researcher said the criminals had demanded $5.9 million
Tomi Engdahl says:
Marketron marketing services hit by Blackmatter ransomware https://www.bleepingcomputer.com/news/security/marketron-marketing-services-hit-by-blackmatter-ransomware/
BlackMatter ransomware gang over the weekend hit Marketron, a business software solutions provider that serves more than 6, 000 customers in the media industry. Marketron provides cloud-based revenue and traffic management tools for broadcast and media organizations. It specializes in revenue management and audience engagement, handling advertising revenue of $5 billion every year. Marketron customers learned of the incident in an email on Sunday night from the company CEO, Jim Howard, who said that “the Russian criminal organization BlackMatter” was responsible for the attack.
Tomi Engdahl says:
New Mac malware masquerades as iTerm2, Remote Desktop and other apps https://blog.malwarebytes.com/malwarebytes-news/2021/09/new-mac-malware-masquerades-as-iterm2-remote-desktop-and-other-apps/
This makes iTerm2 an ideal app to trojanize to infect people who may have access to development system, research intelligence, etc.. Last week, security researcher Patrick Wardle released details of a new piece of malware masquerading as the legitimate app iTerm2. iTerm2 is a legitimate replacement for the macOS Terminal app, offering some powerful features that Terminal does not. It is frequently used by power users. It is a favorite of security researchers because of the propensity for Mac malware to take control or detect usage of the Terminal app, which can interfere with attempts to reverse engineer malware
Tomi Engdahl says:
Data breach at Texas behavioral health center affects more than 24,000
https://therecord.media/data-breach-at-texas-behavioral-health-center-affects-more-than-24000/
A data breach at Texas behavioral health provider Texoma Community Center affected more than 24, 000 people and highlights how timelines for breach notification may lag behind security eventseven when the most sensitive information is compromised. Texoma is a nonprofit that specializes in delivering mental health and substance abuse services.
The public notice posted on its website last week says the organization “became aware of suspicious activity relating to several employee email accounts that were sending unauthorized messages, ” on October 20 of last year and “immediately launched an investigation.”.
However, it took nearly 10 months for the center to notify stakeholders, including health authorities, of the breach.
Tomi Engdahl says:
Google Security Blog – An update on Memory Safety in Chrome https://security.googleblog.com/2021/09/an-update-on-memory-safety-in-chrome.html
attackers innovate, browsers always have to mount new defenses to stay ahead, and Chrome has invested in ever-stronger multi-process architecture built on sandboxing and site isolation. Combined with fuzzing, these are still our primary lines of defense, but they are reaching their limits, and we can no longer solely rely on this strategy to defeat in-the-wild attacks.
Tomi Engdahl says:
Ubuntu 18.04.6 LTS Released with Critical Security Fix https://www.omgubuntu.co.uk/2021/09/ubuntu-18-04-6-lts-released-with-critical-security-fixes
No, you’re not misreading the title, Ubuntu 18.04.6 LTS is available to download. This (unplanned) point release arrives with one key pun intended purpose: to make Ubuntu 18.04 LTS bootable again on Secure Boot-enabled systems.
Tomi Engdahl says:
Unpatched High-Severity Vulnerability Affects Apple macOS Computers https://thehackernews.com/2021/09/unpatched-high-severity-vulnerability.html
Cybersecurity researchers on Tuesday disclosed details of an unpatched vulnerability in macOS Finder that could be abused by remote adversaries to trick users into running arbitrary commands on the machines. “A vulnerability in macOS Finder allows files whose extension is inetloc to execute arbitrary commands, these files can be embedded inside emails which if the user clicks on them will execute the commands embedded inside them without providing a prompt or warning to the user, ” SSD Secure Disclosure said in a write-up published today.
Tomi Engdahl says:
White House Blacklists Russian Ransomware Payment ‘Enabler’
https://www.securityweek.com/white-house-blacklists-russian-ransomware-payment-%E2%80%98enabler%E2%80%99
The Biden administration sought Tuesday to choke the finances of criminal ransomware gangs, announcing sanctions against a Russia-based virtual currency brokerage that officials say helped at least eight ransomware gangs launder virtual currency.
The Treasury Department sanctions are aimed at kneecapping the economic infrastructure of a ransomware threat that has surged over the last year, crippling corporations, schools, hospitals and critical infrastructure, including a major fuel pipeline. Ransomware payments reached more than $400 million in 2020, the costliest year on record.
The goal is to go after the “financial enablers” of ransomware gangs, Deputy Treasury Secretary Wally Adeyemo told reporters. “Today’s action is a signal of our intention to expose and disrupt the illicit infrastructure using these attacks.”
The blacklisted brokerage is SUEX OTC, a so-called “nested exchange” that conducted transactions from accounts on major, legal global cryptocurrency exchanges. Such operations process a disproportionate amount of illicit transactions, Adeyemo said. In the case of SUEX, officials said, more than 40% of its known transactions have been associated with illicit actors. That’s more than $370 million, according to the cryptocurrency-tracking firm Elliptic.
Tomi Engdahl says:
VMware Calls Attention to High-Severity vCenter Server Flaw
https://www.securityweek.com/vmware-calls-attention-high-severity-vcenter-server-flaw
Cloud computing and virtualization technology giant VMware on Tuesday shipped an urgent security patch for a flaw in its vCenter Server product and warned users to expect public exploit code within minutes of disclosure.
“Time is of the essence,” VMware said in a note calling attention to CVE-2021-22005, a file upload bug in the vCenter Server Analytics service. “The ramifications of this vulnerability are serious and it is a matter of time – likely minutes after the disclosure – before working exploits are publicly available.”
The company has attached a CVSSv3 base score of 9.8 to underscore the severity of the vulnerability.
The Palo Alto, Calif. company said a malicious actor with network access to port 443 on vCenter Server may exploit this issue to execute code on vCenter Server by uploading a specially crafted file.
VMware took the extra step of warning that this type of security flaw is perfect for ransomware actors. “With the threat of ransomware looming nowadays the safest stance is to assume that an attacker may already have control of a desktop and a user account through the use of techniques like phishing or spear-phishing, and act accordingly. This means the attacker may already be able to reach vCenter Server from inside a corporate firewall, and time is of the essence.”
Tomi Engdahl says:
Russia-Linked Turla APT Uses New Backdoor in Latest Attacks
https://www.securityweek.com/russia-linked-turla-apt-uses-new-backdoor-latest-attacks
Tomi Engdahl says:
Decade-Old Adobe ColdFusion Vulnerabilities Exploited by Ransomware Gang
https://www.securityweek.com/decade-old-adobe-coldfusion-vulnerabilities-exploited-ransomware-gang
Tomi Engdahl says:
OpenOffice Vulnerability Exposes Users to Code Execution Attacks
https://www.securityweek.com/openoffice-vulnerability-exposes-users-code-execution-attacks
A buffer overflow vulnerability in Apache OpenOffice could be exploited to execute arbitrary code on target machines using malicious documents.
Tracked as CVE-2021-33035 and discovered by security researcher Eugene Lim, the bug affects OpenOffice versions up to 4.1.10, with patches deployed in the 4.1.11 beta only, meaning that most installations out there are likely vulnerable.
The issue was identified while researching for potential security holes in software that parses the .dbf file format, explains Lim, a white hat hacker and researcher with the GovTech Singapore Cyber Security Group.
As part of his work, Lim came up with a dumb fuzzing template that would trigger the bug on a target machine and tested it on several DBF processors, which helped him discover two vulnerabilities, namely CVE-2021–35297 in Scalabium dBase Viewer and CVE-2021–33035 in Apache OpenOffice, an open source office suite with hundreds of millions of downloads.
The identified issue is a buffer overflow that basically exists because the buffer size of a DBF file is determined either by the fieldLength or the fieldType in the header. Thus, if one is trusted when allocating the buffer and the other one when copying into that buffer, an overflow could be triggered.
Tomi Engdahl says:
Details of 100M Visitors to Thailand Exposed Online: Research Firm
https://www.securityweek.com/details-100m-visitors-thailand-exposed-online-research-firm
More than 106 million travellers to Thailand had their personal details exposed online in August, a cybersecurity research company that discovered the data said Monday, but the leak was quickly plugged by authorities.
The Southeast Asian nation is a popular tourist destination, drawing nearly 40 million visitors in 2019 before the pandemic shuttered borders and seized up global travel.
Britain-based consumer security company Comparitech said in a report that its head of cybersecurity research Bob Diachenko found a database in August containing the personal information of travellers to the kingdom.
He said “any foreigner who travelled to Thailand in the last decade might have had their information exposed in the incident”, including their name, passport number and residency status.
Comparitech said Diachenko also found his own name and details about his entries into Thailand on the database, which contained information dating back to 2011.
Thai authorities were informed on August 22 and secured the data the following day.
“However we do not know how long the data was exposed prior to being indexed,” said the report.
Thai authorities “maintain the data was not accessed by any unauthorised parties”, it added.
Tomi Engdahl says:
Providing Developers Value-Focused Feedback in Security Software Development
https://www.securityweek.com/providing-developers-value-focused-feedback-security-software-development
I recently wrote an article on attracting and retaining A-Players, and one of the key elements was to ensure that leadership share the mission with developers to create a sense of purpose. Having purpose and seeing impact is incredibly important for anyone, but for engineers, understanding their impact in the context of a larger program or product can be particularly challenging. I wanted to dig into this further and share a few anecdotes that might help managers of security software development teams be very deliberate in providing feedback.
Tomi Engdahl says:
Washington Post:
Sources: FBI refrained from sharing a ransomware decryptor with businesses for almost three weeks, as it carried out an operation to disrupt the REvil gang — The FBI refrained for almost three weeks from helping to unlock the computers of hundreds of businesses and institutions hobbled …
https://www.washingtonpost.com/national-security/ransomware-fbi-revil-decryption-key/2021/09/21/4a9417d0-f15f-11eb-a452-4da5fe48582d_story.html
Tomi Engdahl says:
Andrius Sytas / Reuters:
Lithuanian government recommends ditching Chinese phones after finding Xiaomi devices with censorship capabilities that can be activated remotely — Lithuania’s Defense Ministry recommended that consumers avoid buying Chinese mobile phones and advised people to throw away the ones …
https://www.reuters.com/business/media-telecom/lithuania-says-throw-away-chinese-phones-due-censorship-concerns-2021-09-21/
Tomi Engdahl says:
Juli Clover / MacRumors:
iOS 15.1 beta lets users store their verifiable health records, including COVID-19 vaccination cards and test results, in the Health app — The iOS 15.1 beta that was introduced today allows iPhone users to upload their COVID-19 vaccination status to the Health app and then generate a vaccination card in Apple Wallet.
https://www.macrumors.com/2021/09/21/ios-15-vaccine-card-wallet-app/?scrolla=5eb6d68b7fedc32c19ef33b4
Tomi Engdahl says:
Sergiu Gatlan / BleepingComputer:
macOS is susceptible to running arbitrary code when a user opens a malicious .inetloc file, and Apple’s first attempt to silently fix the issue failed — Security researchers disclosed today a new vulnerability in Apple’s macOS Finder, which makes it possible for attackers to run arbitrary commands …
New macOS zero-day bug lets attackers run commands remotely
https://www.bleepingcomputer.com/news/apple/new-macos-zero-day-bug-lets-attackers-run-commands-remotely/
Tomi Engdahl says:
Simon Sharwood / The Register:
VMware urges customers to immediately patch a critical arbitrary file upload vulnerability in its flagship vCenter and vSphere products — File upload vuln lets miscreants hijack vCenter Server — VMware has disclosed a critical bug in its flagship vSphere and vCenter products and urged users to drop everything and patch it.
Break out your emergency change process and patch this ransomware-friendly bug ASAP, says VMware
File upload vuln lets miscreants hijack vCenter Server
https://www.theregister.com/2021/09/22/vmware_emergency_vcenter_patch_recommendation/
Tomi Engdahl says:
Anonymous Hack Triggers Massive Data Dump on Proud Boys, QAnon
https://www.thedailybeast.com/anonymous-hack-breaches-far-right-internet-company-epik-dumps-data-on-proud-boys-qanon-8chan
In what is being called “the Panama Papers of hate groups” by some researchers, hacktivist collective Anonymous has dumped more than 150 gigabytes of identifying, previously private data on the customers of Epik, a web service provider infamous for lending safe harbor to sites with far-right and extremist views. On Epik’s clientele list were a number of sites banned from other platforms for violating policies on hate speech and misinformation, like those associated with the Proud Boys, 8chan, Parler, and QAnon conspiracy groups. In a statement attached to the stolen data’s torrent file, Anonymous said it’s “a decade’s worth” of company data, and includes passwords, internal emails, and clients’ home addresses and phone numbers.
Extremist researchers and political opponents say they will need time—months, perhaps even years—to comb through it all. “It’s massive. It may be the biggest domain-style leak
Tomi Engdahl says:
Huge hack reveals embarrassing details of who’s behind Proud Boys and other far-right websites
https://www.yahoo.com/news/huge-hack-reveals-embarrassing-details-185327291.html?guccounter=1&guce_referrer=aHR0cDovL20uZmFjZWJvb2suY29tLw&guce_referrer_sig=AQAAAJtzfMk3en4wJ86HgkE29Y3pJViWRyT-l9cwdt0CFlzo2O_4YhTXolryfCosD1mBC2L7xwXAesTHD7U3mIv4Ok16nDTDMPLp47Rklu6EAtUvLHr26hbhm1W3vHRwZ3qM-MfUl7YazY7xiHgXIpATdUq1p6X3U0TVg0ptARhbl3gP
Epik long has been the favorite Internet company of the far-right, providing domain services to QAnon theorists, Proud Boys and other instigators of the Jan. 6 attack on the U.S. Capitol – allowing them to broadcast hateful messages from behind a veil of anonymity.
But that veil abruptly vanished last week when a huge breach by the hacker group Anonymous dumped into public view more than 150 gigabytes of previously private data – including user names, passwords and other identifying information of Epik’s customers.
Tomi Engdahl says:
RCE is back: VMware details file upload vulnerability in vCenter Server
Once again, if a malicious actor can hit port 443 on vCenter Server, it’s goodnight nurse
https://www.zdnet.com/article/rce-is-back-vmware-details-file-upload-vulnerability-in-vcenter-server/
Tomi Engdahl says:
Catalin Cimpanu / The Record:
Microsoft uncovers a massive phishing operation offering “Phishing-as-a-Service” subscriptions or one-time tools based on over 120 templates for $80-$100 — Microsoft’s security team said today that it uncovered a massive operation that provides phishing services to cybercrime gangs using …
September 21, 2021
Cybercrime
News
Microsoft uncovers giant Phishing-as-a-Service operation
https://therecord.media/microsoft-uncovers-giant-phishing-as-a-service-operation/
BulletProofLink works as a Phishing-as-a-Service portal for the cybercrime underground.
BulletProofLink operators provide phishing kits and out-of-the-box hosting for phishing campaigns.
The BulletProofLink store provides “customers” with access to more than 120 phishing templates.
Microsoft’s security team said today that it uncovered a massive operation that provides phishing services to cybercrime gangs using a hosting-like infrastructure that the OS maker likened to a Phishing-as-a-Service (PHaaS) model.
Known as BulletProofLink, BulletProftLink, or Anthrax, the service is currently advertised on underground cybercrime forums.
The service is an evolution on “phishing kits,” which are collections of phishing pages and templates imitating the login forms of known companies.
Tomi Engdahl says:
Kavala haavoittuvuus: Pelkkä sähköpostiliitteen esikatselu voi saastuttaa koneen
Rikolliset käyttävät Microsoft-haavoittuvuutta haittaohjelman levittämiseen.
https://www.iltalehti.fi/tietoturva/a/ccf2dcc4-61cb-46f7-bd78-8188e058c914
Kyberturvallisuuskeskus varoittaa Microsoftin nollapäivähaavoittuvuudesta, joka onkin luultua vakavampi. Windowsin MSHTML-komponentissa oleva haavoittuvuus mahdollistaa koneen ohjaamisen etänä. Microsoftin mukaan haavoittuvuutta on käytetty jo hyväksi.
– Hyökkääjien on havaittu käyttävän haavoittuvuutta aktiivisesti hyväkseen, joten epäluotettavista lähteistä saatuihin dokumentteihin kannattaa suhtautua erityisellä varovaisuudella, kunnes haavoittuvuus on saatu korjattua, Kyberturvallisuuskeskus tiedottaa.
Toisin kuin aluksi luultiin, haittaohjelman pääsyyn koneelle ei vaadita Microsoft Office -dokumentin lataamista, vaan ainoastaan sen esikatselu riittää.
– Päivitimme Microsoft MSHTML-haavoittuvuustiedotettamme. Haavoittuvuuden hyväksikäyttöön riittää dokumentin esikatselu Microsoft Explorer -näkymässä, Kyberturvallisuuskeskus tiedotti Twitter-tilillään.
Tomi Engdahl says:
Varo tätä viestiä – huijarit iskevät Nordean verkkopankin uuteen sisäänkirjautumiseen https://www.is.fi/digitoday/tietoturva/art-2000008280713.html
Tomi Engdahl says:
Russian state hackers use new TinyTurla malware as secondary backdoor https://www.bleepingcomputer.com/news/security/russian-state-hackers-use-new-tinyturla-malware-as-secondary-backdoor/
Russian state-sponsored hackers known as the Turla APT group have been using new malware over the past year that acted as a secondary persistence method on compromised systems in the U.S., Germany, and Afghanistan. Security researchers at Cisco Talos say that TinyTurla is a “previously undiscovered” backdoor from the Turla APT group that has been used since at least 2020, slipping past malware detection systems particularly because of its simplicity.
Tomi Engdahl says:
CISA Alert (AA21-265A) – Conti Ransomware https://us-cert.cisa.gov/ncas/alerts/aa21-265a
The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have observed the increased use of Conti ransomware in more than 400 attacks on U.S. and international organizations. In typical Conti ransomware attacks, malicious cyber actors steal files, encrypt servers and workstations, and demand a ransom payment.
Tomi Engdahl says:
Ransomware victims panicked while FBI secretly held REvil decryption key https://arstechnica.com/information-technology/2021/09/ransomware-victims-panicked-while-fbi-secretly-held-revil-decryption-key/
For three weeks during the REvil ransomware attack this summer, the FBI secretly withheld the key that would have decrypted data and computers on up to 1, 500 networks, including those run by hospitals, schools, and businesses. The FBI had penetrated the REvil gang’s servers to obtain the key, but after discussing it with other agencies, the bureau decided to wait before sending it to victims for fear of tipping off the criminals, The Washington Post reports. The FBI hadn’t wanted to tip-off the REvil gang and had hoped to take down their operations, sources told the Post.
Tomi Engdahl says:
Microsoft Exchange Autodiscover bug leaks hundreds of thousands of domain credentials https://therecord.media/microsoft-exchange-autodiscover-bug-leaks-hundreds-of-thousands-of-domain-credentials/
Security researchers have discovered a design flaw in a feature of the Microsoft Exchange email server that can be abused to harvest Windows domain and app credentials from users across the world. Discovered by Amit Serper, AVP of Security Research at security firm Guardicore, the bug resides in the Microsoft Autodiscover protocol, a feature of Exchange email servers that allows email clients to automatically discover email servers, provide credentials, and then receive proper configurations.
Tomi Engdahl says:
Hackers leak LinkedIn 700 million data scrape https://therecord.media/hackers-leak-linkedin-700-million-data-scrape/
A collection containing data about more than 700 million users, believed to have been scraped from LinkedIn, was leaked online this week after hackers previously tried to sell it earlier this year in June. The collection, obtained by The Record from a source, is currently being shared in private Telegram channels in the form of a torrent file containing approximately 187 GB of archived data.
Tomi Engdahl says:
Microsoft Warns of a Wide-Scale Phishing-as-a-Service Operation https://thehackernews.com/2021/09/microsoft-warns-of-wide-scale-phishing.html
Microsoft has opened the lid on a large-scale phishing-as-a-service
(PHaaS) operation that’s involved in selling phishing kits and email templates as well as providing hosting and automated services at a low cost, thus enabling cyber actors to purchase phishing campaigns and deploy them with minimal efforts.
Tomi Engdahl says:
Rikolliset lähettivät laskuja johtajan nimissä
https://yle.fi/uutiset/3-12110248
Länsi-Uudellamaan poliisi tutkii törkeää petosta, jossa yritys joutui todennäköisesti ulkomaisten rikollisten röyhkeän huijauksen kohteeksi.
Länsi-Uudellamaalla sijaitsevan yrityksen maksuliikenteestä vastaavalle henkilölle oli lähetetty sähköpostiviesti, jossa yrityksen johtoasemassa ollut henkilö oli kehottanut maksamaan noin 50 000 euroa ulkomaalaiselle tilille. Samoissa nimissä oli lähetetty myös toinen yli 100 000 euron maksupyyntö.
Tomi Engdahl says:
Liettua paljasti Xiaomin kännyköiden sensuroivan käyttäjän hakuja ja kehotti ostoboikottiin suomalaisasiantuntija pitää paljastusta vakavana
https://yle.fi/uutiset/3-12109988
Liettuan viranomaisten mukaan Xiaomi-puhelimien sisään on rakennettu ohjelmisto, joka sensuroi Kiinalle epämiellyttäviä sanoja ja sloganeita. Suomessa Kyberturvallisuuskeskus selvittää asiaa.
Tomi Engdahl says:
VMSA-2021-0020: Questions & Answers
https://core.vmware.com/vmsa-2021-0020-questions-answers-faq
VMware has released patches that address a new critical security advisory, VMSA-2021-0020. This needs your immediate attention if you are using vCenter Server.
Tomi Engdahl says:
Netgear Patches Remote Code Execution Flaw in SOHO Routers
https://www.securityweek.com/netgear-patches-remote-code-execution-flaw-soho-routers
A security vulnerability in Small Offices/Home Offices (SOHO) routers from Netgear could be exploited to execute arbitrary code remotely as root, according to security researchers at consulting firm GRIMM.
Located in the updated process of the Circle Parental Control Service on multiple Netgear router models, the security bug is tracked as CVE-2021-40847 and can be exploited by an attacker on the same network as the vulnerable device to gain code execution as root via a Man-in-the-Middle (MitM) attack.
Enabled by default even if a router isn’t configured to use parental control, the vulnerable component, namely the Circle update daemon, connects to remote servers to obtain version information and updates.
However, because Netgear delivers database updates unsigned and unencrypted (over HTTP), an attacker able to mount a MitM attack on a vulnerable device could respond to update requests with a crafted database file that would allow the attacker to overwrite executable files on the device.
Tomi Engdahl says:
Many Hikvision Cameras Exposed to Attacks Due to Critical Vulnerability
https://www.securityweek.com/many-hikvision-cameras-exposed-attacks-due-critical-vulnerability
More than 70 Hikvision camera and NVR models are affected by a critical vulnerability that can allow hackers to remotely take control of devices without any user interaction.
The flaw, tracked as CVE-2021-36260, was discovered by a researcher who uses the online moniker “Watchful IP.” The researcher published a blog post over the weekend, but has not made public any technical details to prevent abuse.
The vulnerability can be exploited to gain root access and take full control of a device. An attacker could also use compromised devices to access internal networks.
“Given the deployment of these cameras at sensitive sites potentially even critical infrastructure is at risk,” the researcher warned.
“Only access to the http(s) server port (typically 80/443) is needed,” the researcher added. “No username or password needed nor any actions need to be initiated by the camera owner. It will not be detectable by any logging on the camera itself.”
Unauthenticated Remote Code Execution (RCE) vulnerability in Hikvision IP camera/NVR firmware (CVE-2021-36260)
https://watchfulip.github.io/2021/09/18/Hikvision-IP-Camera-Unauthenticated-RCE.html
Tomi Engdahl says:
https://www.securityweek.com/remote-code-execution-vulnerability-found-aws-workspaces
Tomi Engdahl says:
Hundreds of Thousands of Credentials Leaked Due to Microsoft Exchange Protocol Flaw
https://www.securityweek.com/hundreds-thousands-credentials-leaked-due-microsoft-exchange-protocol-flaw
Cybersecurity researchers have been able to capture hundreds of thousands of Windows domain and application credentials due to the design and implementation of the Autodiscover protocol used by Microsoft Exchange.
According to Microsoft, the Exchange Autodiscover service “provides an easy way for your client application to configure itself with minimal user input.” This allows users to, for example, configure their Outlook client by only needing to provide their username and password.
Back in 2017, researchers warned that implementation issues related to Autodiscover on mobile email clients could cause information leakage, and the vulnerabilities disclosed at the time were patched. However, an analysis conducted by cloud and data center security company Guardicore earlier this year showed that there are still some serious problems with the design and implementation of Autodiscover.
Tomi Engdahl says:
Google Working on Improving Memory Safety in Chrome
https://www.securityweek.com/google-working-improving-memory-safety-chrome
Google this week shared some details on its long-term plan to improve memory safety in Chrome, while also announcing the first stable release of Chrome 94, which patches a total of 19 vulnerabilities.
Over 70% of the severe bugs identified last year in Chrome were memory safety issues, namely “mistakes with pointers in the C or C++ languages,” and Google decided to tackle the problem before it becomes even more serious.
Of the potential solutions, the Internet search giant decided to focus on two, namely introducing runtime checks to ensure that pointers are correct, and seeking a different memory safe programming language.
“Runtime checks have a performance cost. Checking the correctness of a pointer is an infinitesimal cost in memory and CPU time. But with millions of pointers, it adds up,” Google notes.
Even so, this was deemed a desirable option, and, despite performance loss, Google is experimenting with it alongside attempts to find a suitable replacement for C++, most likely Rust, which is largely compile-time safe.
“[T]he Rust compiler spots mistakes with pointers before the code even gets to your device, and thus there’s no performance penalty,” Google explains.
https://security.googleblog.com/2021/09/an-update-on-memory-safety-in-chrome.html
Tomi Engdahl says:
https://etn.fi/index.php/13-news/12603-xiaomi-kiistaeae-liettuan-esittaemaet-syytoekset
Tomi Engdahl says:
There is no honor amongst thieves, and hackers are worse.
REvil Affiliates Confirm: Leadership Were Cheating Dirtbags
https://threatpost.com/revil-affiliates-leadership-cheated-ransom-payments/174972/
After news of REvil’s rip-off-the-affiliates backdoor & double chats, affiliates fumed, reiterating prior claims against the gang in “Hackers Court.”
A day after news broke about REvil having screwed their own affiliates out of ransomware payments – by using double chats and a backdoor that let REvil operators hijack ransom payments – those affiliates took to the top Russian-language hacking forum to renew their demands for REvil to fork over their pilfered share of ransom payments.
Tomi Engdahl says:
Hackers breached computer network at key US port but did not disrupt operations
https://lm.facebook.com/l.php?u=https%3A%2F%2Fwww.cnn.com%2F2021%2F09%2F23%2Fpolitics%2Fsuspected-foreign-hack-houston%2Findex.html&h=AT3e8lisGWd0UyuKesHvI-ydSJIkPOoQyCpaPSufZAt_Mk2O1PsfcwYsccgVK8o9ibujh1m1feZL4rCVve9B9LRnPFqOlEK-w-UlDdTRq21Ke-kYK8S3BsatBURVjtcl6Q
(CNN) – Suspected foreign government-backed hackers last month breached a computer network at one of the largest ports on the US Gulf Coast, but early detection of the incident meant the intruders weren’t in a position to disrupt shipping operations, according to a Coast Guard analysis of the incident obtained by CNN and a public statement from a senior US cybersecurity official.
The incident at the Port of Houston is an example of the interest that foreign spies have in surveilling key US maritime ports, and it comes as US officials are trying to fortify critical infrastructure from such intrusions.
“If the compromise had not been detected, the attacker would have had unrestricted remote access to the [IT] network” by using stolen log-in credentials, reads the US Coast Guard Cyber Command’s analysis of the report, which is unclassified and marked “For Official Use Only.” “With this unrestricted access, the attacker would have had numerous options to deliver further effects that could impact port operations.”
Tomi Engdahl says:
KRP varoittaa ovelasta Omakanta-huijauksesta toimi näin suojautuaksesi https://www.is.fi/digitoday/tietoturva/art-2000008285667.html
Poliisi kehottaa noudattamaan varovaisuutta pankkitunnuksilla sähköiseen palveluun kirjauduttaessa.