Cyber security news September 2021

This posting is here to collect cyber security news in September 2021.

I post links to security vulnerability news in the comments of this article.

You are also free to post related links to comments.


  1. Tomi Engdahl says:

    A New Bug in Microsoft Windows Could Let Hackers Easily Install a Rootkit
    Security researchers have disclosed an unpatched weakness in Microsoft Windows Platform Binary Table (WPBT) affecting all Windows-based devices since Windows 8 that could be potentially exploited to install a rootkit and compromise the integrity of devices.

  2. Tomi Engdahl says:

    What will happen to Chinese phones in Finland? This is how the operators comment
    Finland's three operators take the claims about the phones' security problems seriously, but sales continue as normal for now.

  3. Tomi Engdahl says:

    Colombian Real Estate Agency Leak Exposes Records of Over 100,000 Buyers
    More than one terabyte of data containing 5.5 million files has been left exposed, leaking personal information of over 100,000 customers of a Colombian real estate firm, according to cybersecurity company WizCase.

  4. Tomi Engdahl says:

    EU Denounces Alleged Russian Hacking Ahead of German Vote

    The European Union on Friday condemned alleged Russian cyber attacks that have targeted Germany in the run up to this weekend’s election for Chancellor Angela Merkel’s successor.

    “Some EU Member States have observed malicious cyber activities, collectively designated as ‘Ghostwriter’, and associated these with the Russian state,” foreign policy chief Josep Borrell said.

    “Such activities are unacceptable as they seek to threaten our integrity and security, democratic values and principles and the core functioning of our democracies.”

    Borrell’s statement said the EU and its member states “strongly denounce these malicious cyber activities, which all involved must put to an end immediately”.

  5. Tomi Engdahl says:

    FamousSparrow Cyberspies Exploit ProxyLogon in Attacks on Governments, Hotels

    A cyberespionage group active since at least 2019 started exploiting ProxyLogon one day after the Microsoft Exchange vulnerability was publicly disclosed, ESET security researchers say.

    Active since at least August 2019 and tracked as FamousSparrow, the group is mainly targeting hotels, but has also attacked government organizations, law firms, and international companies in roughly a dozen countries, including Brazil, Canada, Israel, Saudi Arabia, Taiwan, and the United Kingdom.

  6. Tomi Engdahl says:

    Google Says Threat Actors Using New Code Signing Tricks to Evade Detection

    Financially motivated threat actors have started using new code signing tricks to increase the chances of their software evading detection on Windows systems, Google’s Threat Analysis Group reported on Thursday.

    The new technique has been used by the operators of OpenSUpdater, which cybersecurity vendors have classified as adware, potentially unwanted program (PUP), or potentially unwanted application (PUA). These types of pieces of software can ruin the user experience and they may attempt to download and install other shady programs.

    The operation observed by Google has impacted many users in the United States, particularly people who download game cracks and what the tech giant has described as “grey-area software.”

  7. Tomi Engdahl says:

    SonicWall Patches Critical Vulnerability in SMA Appliances

    SonicWall has published a security advisory and a security notice to inform customers about a critical vulnerability affecting some of its Secure Mobile Access (SMA) appliances.

    The flaw, identified as CVE-2021-20034, can be exploited by a remote, unauthenticated attacker to delete arbitrary files from the targeted appliance, which could result in the device being reset to factory settings. The security hole can also allow an attacker to gain administrator access to the underlying host.

    The cybersecurity firm highlighted that it has seen no evidence of the vulnerability being exploited in the wild. It’s not surprising that this statement is highlighted in the vendor’s advisory considering that SMA appliances have been known to be targeted by malicious actors, in some cases even before a patch was released.

    CVE-2021-20034 was reported to SonicWall by Wenxu Yin, a researcher at Chinese cybersecurity firm Qihoo 360.

    The vulnerability has been found to impact SMA 200, 210, 400, 410 and 500v appliances running versions, and, and earlier. Patches have been released for each of the affected versions.

    “The vulnerability (SNWLID-2021-0021) is due to an improper limitation of a file path to a restricted directory potentially leading to arbitrary file deletion as ‘nobody’,” SonicWall explained in its security notice.

  8. Tomi Engdahl says:

    Check Point warns again: do not buy a COVID certificate online!

    A week ago, security company Check Point Software reported that a forged COVID certificate can be bought online for 150 euros. Now the forgers have found new ways to market their products, but the company warns that a certificate should still not be bought online.

    As a new tactic, the forgers claim to have access to the websites of the European Centre for Disease Prevention and Control. According to the claims, the buyer of a certificate can be registered in the genuine database, so that in checks the holder would appear with fully vaccinated status.

    The sale is backed up by sending the buyer a forged document. The certificate's QR code leads to a forged database that looks genuine. According to Check Point, this problem will persist until a unified database for verifying certificates is developed between governments.

  9. Tomi Engdahl says:

    Washington Post:
    Extremism researchers say the Epik hack is the “mother of all data lodes”, and will let them map the ecosystem of extremist websites and organizations — The colossal hack of Epik, an Internet-services company popular with the far right, has been called the “mother of all data lodes” for extremism researchers.

  10. Tomi Engdahl says:

    VMware Confirms In-the-Wild Exploitation of vCenter Server Vulnerability

    VMware has confirmed that the recently patched vCenter Server vulnerability tracked as CVE-2021-22005 has been exploited in the wild, and some researchers say it has been chained with another flaw that was fixed in the same round of updates.

    VMware on September 21 informed customers that updates released for its vCenter Server product patched 19 vulnerabilities, including CVE-2021-22005, a critical arbitrary file upload flaw that could lead to arbitrary code execution on impacted servers.

    The next day, threat intelligence company Bad Packets already reported seeing internet scans targeting CVE-2021-22005, but the activity seemed limited. Initial scans appeared to be based on a workaround test shared by VMware when it announced patches.

    Researchers have been analyzing the patches and the information made public by VMware, and a Vietnam-based researcher known as Jang has already released technical information and even a proof-of-concept (PoC) exploit.

    Quick note of vCenter RCE (CVE-2021-22005)

  11. Tomi Engdahl says:

    When a senior executive at virtual private network company ExpressVPN admitted to working on behalf of a foreign intelligence service to hack American machines last week, it stunned employees at his new company, according to interviews and electronic records.

    ExpressVPN employees complain about ex-spy’s top role at company

  12. Tomi Engdahl says:

    AWS EC2 North Virginia outage resolves but some issues linger

    UPDATE: Signal falls over while Xero and Nest got a bit iffy when the main AWS EC2 region had degraded performance. Amazon Web Services says all is well but some users are still reporting trouble.

  13. Tomi Engdahl says:

    FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor
    NOBELIUM uses FoggyWeb to remotely exfiltrate the configuration database of compromised AD FS servers, decrypted token-signing certificate, and token-decryption certificate, as well as to download and execute additional components. Use of FoggyWeb has been observed in the wild as early as April 2021.

  14. Tomi Engdahl says:

    QNAP fixes critical bugs in QVR video surveillance solution
    Network-attached storage (NAS) maker QNAP has patched its QVR video management system against two critical-severity issues that could be exploited to run arbitrary commands.

  15. Tomi Engdahl says:

    Brazen scam in the name of Finnish newspapers: ads filled the phone
    Scam sites mimicking news sites try to lure the victim into an investment trap. Victims can be directed to the site via advertisements, for example.

  16. Tomi Engdahl says:

    Australians are losing over AU$6.6 million each month to cryptoscams
    Losses related to cryptocurrency investment scams made up over a quarter of the total scams reported to the Australian Competition and Consumer Commission (ACCC) from the start of the year to the end of August.

  17. Tomi Engdahl says:

    A New Jupyter Malware Version is Being Distributed via MSI Installers
    Cybersecurity researchers have charted the evolution of Jupyter, a .NET infostealer known for singling out healthcare and education sectors, which makes it exceptional at defeating most endpoint security scanning solutions.

  18. Tomi Engdahl says:

    New Android Malware Steals Financial Data from 378 Banking and Wallet Apps
    The operators behind the BlackRock mobile malware have surfaced back with a new Android banking trojan called ERMAC that targets Poland and has its roots in the infamous Cerberus malware, according to the latest research.

  19. Tomi Engdahl says:

    Microsoft will disable Basic Auth in Exchange Online in October 2022
    Microsoft announced that Basic Authentication will be turned off for all protocols in all tenants starting October 1st, 2022, to protect millions of Exchange Online users.

  20. Tomi Engdahl says:

    BloodyStealer and gaming assets for sale
    In this report, we take a closer look at threats linked to loss of accounts with popular video game digital distribution services, such as Steam and Origin. We also explore the kind of game-related data that ends up on the black market and the prices.

  21. Tomi Engdahl says:

    Quad Nations Commit to Fostering a Secure Technology Ecosystem

    The Quad countries (Australia, India, Japan, and the United States) on Friday announced a partnership to foster the development of secure technology.

    At the first-ever in-person Leaders’ Summit of the Quad, the four committed to working together on initiatives to improve global health and infrastructure, to combat climate change, and ensure the security of critical and emerging technology.

    The Quad committed to building trust, integrity and interoperability, but underlined that suppliers, vendors, and distributors are expected to ensure the transparency and accountability of their practices.

    Furthermore, technology developers are expected to adopt a security-by-design approach, ensuring that robust safety and security practices are implemented in the development process.

    “Resilient, diverse, and secure technology supply chains – for hardware, software, and services – are vital to our shared national interests,” a White House announcement reads. “Close cooperation on supply chains with allies and partners who share our values will enhance our security and prosperity, and strengthen our capacity to respond to international disasters and emergencies.”

  22. Tomi Engdahl says:

    Controversial Web Host Epik Confirms Customer Data Exposed in Breach

    Controversial web services provider Epik last week confirmed that sensitive information pertaining to its customers was stolen in a data breach.

    During the incident, hackers were able to access non-public Epik servers that stored a backup copy of the company’s domain-side service accounts. The attack happened on or before September 13, 2021, Epik said in a notification letter to customers.

    The attackers were able to access data such as names and addresses, phone and VAT numbers, email addresses, login credentials (usernames and passwords), domain ownership, transaction histories, and in some cases credit card information.

    The company says it has retained cybersecurity firms to investigate the breach, while notifying law enforcement and the affected customers.

    “At this time, we have secured access to our domain-side services and have applied additional security measures to help protect services and users going forward,” the company says.

    Information Epik submitted to the Maine Attorney General’s office shows that 110,000 people were affected by the breach. The Washington Post says up to 38,000 credit card numbers were compromised in the incident.

  23. Tomi Engdahl says:

    Lorenzo Franceschi-Bicchierai / VICE:
    The researcher who disclosed three iOS zero-days last week says Apple apologized for the delayed response and said it is still investigating the vulnerabilities — Apple apologized for the delay in responding to the researcher, but experts think Apple needs to do better. — Lorenzo Franceschi-Bicchierai

    Apple ‘Still Investigating’ Unpatched and Public iPhone Vulnerabilities

    Apple apologized for the delay in responding to the researcher, but experts think Apple needs to do better.

  24. Tomi Engdahl says:

    Atlassian Confluence RCE Flaw Abused in Multiple Cyberattack Campaigns
    Opportunistic threat actors have been found actively exploiting a recently disclosed critical security flaw in Atlassian Confluence deployments across Windows and Linux to deploy web shells that result in the execution of crypto miners on compromised systems.

  25. Tomi Engdahl says:

    Microsoft 365 MFA outage locks users out of their accounts
    Microsoft is investigating an ongoing Multi-Factor Authentication (MFA) issue preventing some customers from logging into their Microsoft 365 accounts.

  26. Tomi Engdahl says:

    Twitter web client outage forces users to log out, blocks logins
    Twitter is experiencing a worldwide outage affecting their web platform that prompts users to log out and prevents them from accessing tweets.

  27. Tomi Engdahl says:

    Apple AirTag Bug Enables Good Samaritan Attack
    The new $30 AirTag tracking device from Apple has a feature that allows anyone who finds one of these tiny location beacons to scan it with a mobile phone and discover its owner's phone number if the AirTag has been set to lost mode. But according to new research, this same feature can be abused to redirect the Good Samaritan to an iCloud phishing page or to any other malicious website.

  28. Tomi Engdahl says:

    UK umbrella payroll firm GiantPay confirms it was hit by ‘sophisticated’ cyber-attack
    Giant Group, the umbrella company that has thousands of contractors on its books, has been targeted by a “sophisticated” cyber-attack that floored systems and left workers out in the cold, the biz has now confirmed.

  29. Tomi Engdahl says:

    Phone screenshots accidentally leaked online by stalkerware-type company
    pcTattleTale hasn't been very careful about securing the screenshots it sneakily takes from its victims' phones. According to Jo Coscia, the security researcher who discovered the issue while using a trial version of pcTattleTale, the company uploads the screenshots to an unsecured AWS bucket.

  30. Tomi Engdahl says:

    Matthew Gault / VICE:
    Internal docs detail Amazon’s Astro, including its use of facial recognition and “Sentry” mode; sources who worked on Astro say it is a “privacy nightmare” — Leaked meetings show the robot will heavily rely on facial recognition and user behavior, but sources who worked on Astro say the robot is flawed.

    Leaked Documents Show How Amazon’s Astro Robot Tracks Everything You Do

    Leaked meetings show the robot will heavily rely on facial recognition and user behavior, but sources who worked on Astro say the robot is flawed.

  31. Tomi Engdahl says:

    Krebs on Security:
    Researcher discloses AirTag Lost Mode vulnerability that enables a phishing attack, and says Apple spent three months investigating and refused basic questions — The new $30 AirTag tracking device from Apple has a feature that allows anyone who finds one of these tiny location beacons

    Apple AirTag Bug Enables ‘Good Samaritan’ Attack

  32. Tomi Engdahl says:

    FinSpy Surveillance Spyware Fitted With UEFI Bootkit

    Security researchers at Kaspersky have spotted signs of the notorious FinSpy surveillance spyware hijacking — and replacing — the Windows UEFI bootloader to perform stealthy infections on target machines.

    This method of infection allowed the attackers to install a bootkit without the need to bypass firmware security checks and serves as confirmation that the controversial vendor of “lawful interception” spyware has modernized operations to remain undetected.

    “UEFI infections are very rare and generally hard to execute, they stand out due to their evasiveness and persistence,” according to Kaspersky’s Igor Kuznetsov and Georgy Kucherin. “While in this case the attackers did not infect the UEFI firmware itself, but its next boot stage, the attack was particularly stealthy as the malicious module was installed on a separate partition and could control the boot process of the infected machine.”

    In a research paper documenting what it calls “unseen findings” related to FinSpy, Kaspersky said the spyware has been tweaked since 2018 to add multiple checks to avoid the prying eyes of security researchers.

    “[This is] one of the hardest-to-detect spywares to date,” the researchers said, noting that the spyware has now been fitted with four different levels of obfuscation in addition to the UEFI bootkit vector.

  33. Tomi Engdahl says:

    Microsoft Details FoggyWeb Backdoor Used by SolarWinds Hackers

    Microsoft on Monday published a blog post detailing a piece of malware used by the threat actor behind the SolarWinds attack to exfiltrate data from compromised servers.

    The Russia-linked threat group that breached the systems of Texas-based IT management solutions provider SolarWinds is tracked by Microsoft as Nobelium. The tech giant has detailed several pieces of malware used by the hackers in their attacks and on Monday it shared an in-depth analysis of a backdoor it has named FoggyWeb.

    Microsoft says FoggyWeb has been used in attacks since at least April 2021. The company has notified customers whose systems have been targeted or compromised as part of attacks involving this malware.

    FoggyWeb has been described by Microsoft as a post-exploitation passive backdoor that the hackers have been using to remotely exfiltrate sensitive information from compromised Active Directory Federation Services (AD FS) servers. The backdoor, the company says, is persistent and highly targeted.

  34. Tomi Engdahl says:

    CISA Warns of Hikvision Camera Flaw as U.S. Aims to Rid Chinese Gear From Networks

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday informed organizations that some cameras made by Chinese video surveillance vendor Hikvision are affected by a critical vulnerability.

    The notification came shortly after the Federal Communications Commission (FCC) announced taking steps toward the removal of Chinese equipment from U.S. networks due to national security concerns stemming from alleged ties between manufacturers and the Chinese government.

    CISA’s notification is for CVE-2021-36260, a critical command injection vulnerability affecting more than 70 Hikvision camera and NVR models. The flaw can allow a remote attacker to take complete control of a targeted device without any user interaction.

  35. Tomi Engdahl says:

    Russia Detains Head of Cybersecurity Group on Treason Charges

    Russia on Wednesday detained the head of one of the country’s leading cybersecurity firms on charges of treason, in a move that targets a company collaborating with the West on stemming cyberattacks.

    The arrest comes after US President Joe Biden earlier this year raised concerns with Russian President Vladimir Putin that Moscow is allowing cybercrime directed at Western countries to flourish in the country.

    Founded in 2003, the Group-IB group specialises in the detection and prevention of cyberattacks and works with Interpol and several other global institutions.

    Moscow’s Lefortovsky district court ordered the group’s 35-year-old co-founder and CEO, Ilya Sachkov, to be held in pre-trial custody for two months on treason charges, the court’s press service said.

  36. Tomi Engdahl says:

    Russia arrests Ilya Sachkov, the CEO of cybersecurity company Group-IB, on suspicion of treason and will hold him in custody for two months — Russia has arrested Ilya Sachkov, the chief executive of top Russian cybersecurity company Group IB, on suspicion of state treason and will hold …

  37. Tomi Engdahl says:

    Russia arrests top cybersecurity executive in treason case
    Ilya Sachkov, 35, who founded Group IB, one of Russia’s most prominent cyber security firms, was arrested on Tuesday, the RTVI TV channel reported as law enforcement officers carried out searches at the Moscow offices of the firm.

  38. Tomi Engdahl says:

    DarkHalo after SolarWinds: the Tomiris connection
    Tomiris is a backdoor written in Go whose role is to continuously query its C2 server for executables to download and execute on the victim system.

  39. Tomi Engdahl says:

    New GriftHorse malware has infected more than 10 million Android phones
    Security researchers have found a massive malware operation that has infected more than 10 million Android smartphones across more than 70 countries since at least November 2020 and is making millions of dollars for its operators on a monthly basis.

  40. Tomi Engdahl says:

    FormBook Adds Latest Office 365 0-Day Vulnerability (CVE-2021-40444) to Its Arsenal
    Trend Micro detected a new campaign using a recent version of the known FormBook malware, an infostealer that has been around since 2016. Several analyses have been written about FormBook in the last few years, including the expanded support for macOS.

  41. Tomi Engdahl says:

    Conti Ransomware Expands Ability to Blow Up Backups
    The Conti ransomware gang has developed novel tactics to demolish backups, especially the Veeam recovery software.

  42. Tomi Engdahl says:

    Vaccine passport app leaks users' personal data
    Security and privacy advocates may have cause to worry after all:
    Portpass, a vaccine passport app in Canada, has been found to have been exposing the personal data of its users for an unknown length of time.

  43. Tomi Engdahl says:

    China Intensified Attacks on Major Afghan Telecom Firm as U.S. Finalized Withdrawal

    Several China-linked cyberespionage groups were observed intensifying attacks on a major telecom firm in Afghanistan just as the United States was finalizing its withdrawal from the country.

    Threat intelligence company Recorded Future reported on Tuesday that it had seen four different Chinese threat groups targeting a mail server belonging to Roshan, a major telecom provider that has more than 6.5 million subscribers across Afghanistan.

    The attacks were conducted by the groups known as Calypso and RedFoxtrot, as well as two different Winnti and PlugX activity clusters that Recorded Future researchers could not connect to other known actors.
