This posting is here to collect cyber security news in September 2021.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
This posting is here to collect cyber security news in September 2021.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
414 Comments
Tomi Engdahl says:
A New Bug in Microsoft Windows Could Let Hackers Easily Install a Rootkit https://thehackernews.com/2021/09/a-new-bug-in-microsoft-windows-could.html
Security researchers have disclosed an unpatched weakness in Microsoft Windows Platform Binary Table (WPBT) affecting all Windows-based devices since Windows 8 that could be potentially exploited to install a rootkit and compromise the integrity of devices.
Tomi Engdahl says:
Miten kiinalaisten puhelinten käy Suomessa? Näin kommentoivat operaattorit https://www.is.fi/digitoday/mobiili/art-2000008286255.html
Suomen operaattorikolmikko ottaa väitteet puhelinten tietoturvaongelmista vakavasti, mutta myynti jatkuu toistaiseksi normaalisti.
Tomi Engdahl says:
Hunting the LockBit Gang’s Exfiltration Infrastructures https://yoroi.company/research/hunting-the-lockbit-gangs-exfiltration-infrastructures/
Tomi Engdahl says:
Colombian Real Estate Agency Leak Exposes Records of Over 100,000 Buyers https://thehackernews.com/2021/09/colombian-real-estate-agency-leak.html
More than one terabyte of data containing 5.5 million files has been left exposed, leaking personal information of over 100,000 customers of a Colombian real estate firm, according to cybersecurity company WizCase.
Tomi Engdahl says:
EU Denounces Alleged Russian Hacking Ahead of German Vote
https://www.securityweek.com/eu-denounces-alleged-russian-hacking-ahead-german-vote
The European Union on Friday condemned alleged Russian cyber attacks that have targeted Germany in the run up to this weekend’s election for Chancellor Angela Merkel’s successor.
“Some EU Member States have observed malicious cyber activities, collectively designated as ‘Ghostwriter’, and associated these with the Russian state,” foreign policy chief Josep Borrell said.
“Such activities are unacceptable as they seek to threaten our integrity and security, democratic values and principles and the core functioning of our democracies.”
Borrell’s statement said the EU and its member states “strongly denounce these malicious cyber activities, which all involved must put to an end immediately”.
https://www.securityweek.com/russia-linked-ghostwriter-disinformation-campaign-tied-cyberspy-group
Tomi Engdahl says:
FamousSparrow Cyberspies Exploit ProxyLogon in Attacks on Governments, Hotels
https://www.securityweek.com/famoussparrow-cyberspies-exploit-proxylogon-attacks-governments-hotels
A cyberespionage group active since at least 2019 started exploiting ProxyLogon one day after the Microsoft Exchange vulnerability was publicly disclosed, ESET security researchers say.
Active since at least August 2019 and tracked as FamousSparrow, the group is mainly targeting hotels, but has also attacked government organizations, law firms, and international companies in roughly a dozen countries, including Brazil, Canada, Israel, Saudi Arabia, Taiwan, and the United Kingdom.
https://www.welivesecurity.com/2021/09/23/famoussparrow-suspicious-hotel-guest/
Tomi Engdahl says:
Google Says Threat Actors Using New Code Signing Tricks to Evade Detection
https://www.securityweek.com/google-says-threat-actors-using-new-code-signing-tricks-evade-detection
Financially motivated threat actors have started using new code signing tricks to increase the chances of their software evading detection on Windows systems, Google’s Threat Analysis Group reported on Thursday.
The new technique has been used by the operators of OpenSUpdater, which cybersecurity vendors have classified as adware, potentially unwanted program (PUP), or potentially unwanted application (PUA). These types of pieces of software can ruin the user experience and they may attempt to download and install other shady programs.
The operation observed by Google has impacted many users in the United States, particularly people who download game cracks and what the tech giant has described as “grey-area software.”
Tomi Engdahl says:
SonicWall Patches Critical Vulnerability in SMA Appliances
https://www.securityweek.com/sonicwall-patches-critical-vulnerability-sma-appliances
SonicWall has published a security advisory and a security notice to inform customers about a critical vulnerability affecting some of its Secure Mobile Access (SMA) appliances.
The flaw, identified as CVE-2021-20034, can be exploited by a remote, unauthenticated attacker to delete arbitrary files from the targeted appliance, which could result in the device being reset to factory settings. The security hole can also allow an attacker to gain administrator access to the underlying host.
The cybersecurity firm highlighted that it has seen no evidence of the vulnerability being exploited in the wild. It’s not surprising that this statement is highlighted in the vendor’s advisory considering that SMA appliances have been known to be targeted by malicious actors, in some cases even before a patch was released.
CVE-2021-20034 was reported to SonicWall by Wenxu Yin, a researcher at Chinese cybersecurity firm Qihoo 360.
The vulnerability has been found to impact SMA 200, 210, 400, 410 and 500v appliances running versions 10.2.1.0-17sv, 10.2.0.7-34sv and 9.0.0.10-28sv, and earlier. Patches have been released for each of the affected versions.
“The vulnerability (SNWLID-2021-0021) is due to an improper limitation of a file path to a restricted directory potentially leading to arbitrary file deletion as ‘nobody’,” SonicWall explained in its security notice.
Tomi Engdahl says:
Check Point varoittaa uudestaan: älä osta koronatodistusta verkosta!
https://etn.fi/index.php/13-news/12611-check-point-varoittaa-uudestaan-aelae-osta-koronatodistusta-verkosta
Viikko sitten tietoturvayritys Check Point Software kertoi, että verkosta on mahdollista ostaa väärennetty koronatodistus 150 eurolla. Nyt väärentäjät ovat löytäneet uusia keinoja markkinoida tuotteitaan, mutta todistusta ei pidä edelleenkään ostaa verkosta, yritys varoittaa.
Uutena keinona väärentäjät käyttävät tekniikkaa, jossa ne väittävät pääsevänsä käsiksi Euroopan tautienehkäisy- ja valvontakeskuksen verkkosivuille. Väitteiden mukaan todistuksen ostaja voidaan rekisteröidä aitoon tietokantaan, joten tarkistuksissa todisteen omistaja näkyisi täysin rokotetetun statuksella.
Myyntiä vahvistetaan lähettämällä ostajalle väärennetty dokumentti. Todistuksen QR-koodi vie väärennettyyn tietokantaan, joka näyttää aidolta. Tämä ongelma tulee Check Pointin mukaan säilymään niin kauan, kuin yhtenäinen tietokanta todistusten verifiointiin saadaan hallituksen välillä kehitettyä.
Tomi Engdahl says:
Washington Post:
Extremism researchers say the Epik hack is the “mother of all data lodes”, and will let them map the ecosystem of extremist websites and organizations — The colossal hack of Epik, an Internet-services company popular with the far right, has been called the “mother of all data lodes” for extremism researchers.
https://www.washingtonpost.com/technology/2021/09/25/epik-hack-fallout/
Tomi Engdahl says:
Chrome 94 Update Patches Actively Exploited Zero-Day Vulnerability
https://www.securityweek.com/chrome-94-update-patches-actively-exploited-zero-day-vulnerability
Tomi Engdahl says:
VMware Confirms In-the-Wild Exploitation of vCenter Server Vulnerability
https://www.securityweek.com/vmware-confirms-wild-exploitation-vcenter-server-vulnerability
VMware has confirmed that the recently patched vCenter Server vulnerability tracked as CVE-2021-22005 has been exploited in the wild, and some researchers say it has been chained with another flaw that was fixed in the same round of updates.
VMware on September 21 informed customers that updates released for its vCenter Server product patched 19 vulnerabilities, including CVE-2021-22005, a critical arbitrary file upload flaw that could lead to arbitrary code execution on impacted servers.
The next day, threat intelligence company Bad Packets already reported seeing internet scans targeting CVE-2021-22005, but the activity seemed limited. Initial scans appeared to be based on a workaround test shared by VMware when it announced patches.
Researchers have been analyzing the patches and the information made public by VMware, and a Vietnam-based researcher known as Jang has already released technical information and even a proof-of-concept (PoC) exploit.
Quick note of vCenter RCE (CVE-2021–22005)
https://testbnull.medium.com/quick-note-of-vcenter-rce-cve-2021-22005-4337d5a817ee
Tomi Engdahl says:
When a senior executive at virtual private network company ExpressVPN admitted to working on behalf of a foreign intelligence service to hack American machines last week, it stunned employees at his new company, according to interviews and electronic records.
ExpressVPN employees complain about ex-spy’s top role at company
https://lm.facebook.com/l.php?u=https%3A%2F%2Fwww.reuters.com%2Ftechnology%2Fexpressvpn-employees-complain-about-ex-spys-top-role-company-2021-09-23%2F%3Futm_campaign%3DtrueAnthem%253A%2BTrending%2BContent%26utm_medium%3DtrueAnthem%26utm_source%3Dfacebook&h=AT1ZKWkNufS_OKCE0SXenX1XGxXkczF2l-jkiNJscyx8D0wkYFCtMI6L1qbU7p1k6vcKvm7syjYmLT4UiM0uNcF9SM21jkdFrvJ9AaY-X4hwjUpkHtP6MYNtI_39y2vMsvrDVGnwooNBlg3PAw
Tomi Engdahl says:
AWS EC2 North Virginia outage resolves but some issues linger
UPDATE: Signal falls over while Xero and Nest got a bit iffy when the main AWS EC2 region had degraded performance. Amazon Web Service says all is well but some users are still reporting trouble.
https://www.zdnet.com/article/aws-ec2-north-virginia-outage-resolves-but-some-issues-linger/
Tomi Engdahl says:
FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor https://www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/
NOBELIUM uses FoggyWeb to remotely exfiltrate the configuration database of compromised AD FS servers, decrypted token-signing certificate, and token-decryption certificate, as well as to download and execute additional components. Use of FoggyWeb has been observed in the wild as early as April 2021.
Tomi Engdahl says:
QNAP fixes critical bugs in QVR video surveillance solution https://www.bleepingcomputer.com/news/security/qnap-fixes-critical-bugs-in-qvr-video-surveillance-solution/
Network-attached storage (NAS) maker QNAP has patched its QVR video management system against two critical-severity issues that could be exploited to run arbitrary commands.
Tomi Engdahl says:
Härski huijaus suomalaislehtien nimissä ilmoitukset täyttivät puhelimen https://www.iltalehti.fi/tietoturva/a/75b9d9fb-2c56-4cf1-aace-81c916b3ee8d
Uutissivustoja matkivat huijaussivustot yrittävät saada uhrin sijoitusansaan. Sivustolle voidaan ohjata esimerkiksi mainosten kautta.
Tomi Engdahl says:
Australians are losing over AU$6.6 million each month to cryptoscams https://www.zdnet.com/article/australians-are-losing-over-au6-6-million-each-month-to-cryptoscams/
Losses related to cryptocurrency investment scams made up over a quarter of the total scams reported to the Australian Competition and Consumer Commission (ACCC) from the start of the year to the end of August.
Tomi Engdahl says:
A New Jupyter Malware Version is Being Distributed via MSI Installers https://thehackernews.com/2021/09/a-new-jupyter-malware-version-is-being.html
Cybersecurity researchers have charted the evolution of Jupyter, a .NET infostealer known for singling out healthcare and education sectors, which make it exceptional at defeating most endpoint security scanning solutions.
Tomi Engdahl says:
New Android Malware Steals Financial Data from 378 Banking and Wallet Apps https://thehackernews.com/2021/09/new-android-malware-steals-financial.html
The operators behind the BlackRock mobile malware have surfaced back with a new Android banking trojan called ERMAC that targets Poland and has its roots in the infamous Cerberus malware, according to the latest research.
Tomi Engdahl says:
Microsoft will disable Basic Auth in Exchange Online in October 2022 https://www.bleepingcomputer.com/news/microsoft/microsoft-will-disable-basic-auth-in-exchange-online-in-october-2022/
Microsoft announced that Basic Authentication will be turned off for all protocols in all tenants starting October 1st, 2022, to protect millions of Exchange Online users.
Tomi Engdahl says:
BloodyStealer and gaming assets for sale https://securelist.com/bloodystealer-and-gaming-assets-for-sale/104319/
In this report, we take a closer look at threats linked to loss of accounts with popular video game digital distribution services, such as Steam and Origin. We also explore the kind of game-related data that ends up on the black market and the prices.
Tomi Engdahl says:
Fake Installers Drop Malware and Open Doors for Opportunistic Attackers https://www.trendmicro.com/en_us/research/21/i/fake-installers-drop-malware-and-open-doors-for-opportunistic-attackers.html
Tomi Engdahl says:
Quad Nations Commit to Fostering a Secure Technology Ecosystem
https://www.securityweek.com/quad-nations-commit-fostering-secure-technology-ecosystem
The Quad countries (Australia, India, Japan, and the United States) on Friday announced a partnership to foster the development of secure technology.
At the first-ever in-person Leaders’ Summit of the Quad, the four committed to working together on initiatives to improve global health and infrastructure, to combat climate change, and ensure the security of critical and emerging technology.
The Quad committed to building trust, integrity and interoperability, but underlined that suppliers, vendors, and distributors are expected to ensure the transparency and accountability of their practices.
Furthermore, technology developers are expected to adopt a security-by-design approach, ensuring that robust safety and security practices are implemented in the development process.
“Resilient, diverse, and secure technology supply chains – for hardware, software, and services – are vital to our shared national interests,” a White House announcement reads. “Close cooperation on supply chains with allies and partners who share our values will enhance our security and prosperity, and strengthen our capacity to respond to international disasters and emergencies.”
Tomi Engdahl says:
Controversial Web Host Epik Confirms Customer Data Exposed in Breach
https://www.securityweek.com/controversial-web-host-epik-confirms-customer-data-exposed-breach
Controversial web services provider Epik last week confirmed that sensitive information pertaining to its customers was stolen in a data breach.
During the incident, hackers were able to access non-public Epik servers that stored a backup copy of the company’s domain-side service accounts. The attack happened on or before September 13, 2021, Epik said in a notification letter to customers.
The attackers were able to access data such as names and addresses, phone and VAT numbers, email addresses, login credentials (usernames and passwords), domain ownership, transaction histories, and in some cases credit card information.
The company says it has retained cybersecurity firms to investigate the breach, while notifying law enforcement and the affected customers.
“At this time, we have secured access to our domain-side services and have applied additional security measures to help protect services and users going forward,” the company says.
Information Epik submitted to the Maine Attorney General’s office shows that 110,000 people were affected by the breach. The Washington Post says up to 38,000 credit card numbers were compromised in the incident.
Tomi Engdahl says:
https://www.securityweek.com/frustrated-researcher-discloses-three-unpatched-ios-vulnerabilities
Tomi Engdahl says:
Lorenzo Franceschi-Bicchierai / VICE:
The researcher who disclosed three iOS zero-days last week says Apple apologized for the delayed response and said it is still investigating the vulnerabilities — Apple apologized for the delay in responding to the researcher, but experts think Apple needs to do better. — Lorenzo Franceschi-Bicchierai
Apple ‘Still Investigating’ Unpatched and Public iPhone Vulnerabilities
https://www.vice.com/en/article/g5gan4/apple-still-investigating-unpatched-and-public-iphone-vulnerabilities
Apple apologized for the delay in responding to the researcher, but experts think Apple needs to do better.
Tomi Engdahl says:
https://thehackernews.com/2021/09/atlassian-confluence-rce-flaw-abused-in.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+TheHackersNews+%28The+Hackers+News+-+Cyber+Security+Blog%29&utm_content=FaceBook&m=1
Tomi Engdahl says:
Atlassian Confluence RCE Flaw Abused in Multiple Cyberattack Campaigns https://thehackernews.com/2021/09/atlassian-confluence-rce-flaw-abused-in.html
Opportunistic threat actors have been found actively exploiting a recently disclosed critical security flaw in Atlassian Confluence deployments across Windows and Linux to deploy web shells that result in the execution of crypto miners on compromised systems.
Tomi Engdahl says:
Microsoft 365 MFA outage locks users out of their accounts https://www.bleepingcomputer.com/news/microsoft/microsoft-365-mfa-outage-locks-users-out-of-their-accounts/
Microsoft is investigating an ongoing Multi-Factor Authentication
(MFA) issue preventing some customers from logging into their Microsoft 365 accounts.
Tomi Engdahl says:
Twitter web client outage forces users to log out, blocks logins https://www.bleepingcomputer.com/news/technology/twitter-web-client-outage-forces-users-to-log-out-blocks-logins/
Twitter is experiencing a worldwide outage affecting their web platform that prompts users to logout and prevents them from accessing tweets.
Tomi Engdahl says:
Apple AirTag Bug Enables Good Samaritan Attack https://krebsonsecurity.com/2021/09/apple-airtag-bug-enables-good-samaritan-attack/
The new $30 AirTag tracking device from Apple has a feature that allows anyone who finds one of these tiny location beacons to scan it with a mobile phone and discover its owners phone number if the AirTag has been set to lost mode. But according to new research, this same feature can be abused to redirect the Good Samaritan to an iCloud phishing page or to any other malicious website.
Tomi Engdahl says:
UK umbrella payroll firm GiantPay confirms it was hit by ‘sophisticated’ cyber-attack https://www.theregister.com/2021/09/28/giantpay_confirms_cyberattack/
Giant Group, the umbrella company that has thousands of contractors on its books, has been targeted by a “sophisticated” cyber-attack that floored systems and left workers out in the cold, the biz has now confirmed.
Tomi Engdahl says:
Phone screenshots accidentally leaked online by stalkerware-type company https://blog.malwarebytes.com/stalkerware/2021/09/phone-screenshots-accidentally-leaked-online-by-stalkerware-company/
pcTattleTale hasnt been very careful about securing the screenshots it sneakily takes from its victims phones.. According to Jo Coscia, the security researcher who discovered the issue while using a trial version of pcTattleTale, the company uploads the screenshots to an unsecured AWS bucket.
Tomi Engdahl says:
Matthew Gault / VICE:
Internal docs detail Amazon’s Astro, including its use of facial recognition and “Sentry” mode; sources who worked on Astro say it is a “privacy nightmare” — Leaked meetings show the robot will heavily rely on facial recognition and user behavior, but sources who worked on Astro say the robot is flawed.
Leaked Documents Show How Amazon’s Astro Robot Tracks Everything You Do
https://www.vice.com/en/article/93ypp8/leaked-documents-amazon-astro-surveillance-robot-tracking
Leaked meetings show the robot will heavily rely on facial recognition and user behavior, but sources who worked on Astro say the robot is flawed.
Tomi Engdahl says:
Krebs on Security:
Researcher discloses AirTag Lost Mode vulnerability that enables a phishing attack, and says Apple spent three months investigating and refused basic questions — The new $30 Airtag tracking device from Apple has a feature that allows anyone who finds one of these tiny location beacons
Apple AirTag Bug Enables ‘Good Samaritan’ Attack
https://krebsonsecurity.com/2021/09/apple-airtag-bug-enables-good-samaritan-attack/
Tomi Engdahl says:
Apple AirTag Bug Enables ‘Good Samaritan’ Attack
https://krebsonsecurity.com/2021/09/apple-airtag-bug-enables-good-samaritan-attack/
Tomi Engdahl says:
FinSpy Surveillance Spyware Fitted With UEFI Bootkit
https://www.securityweek.com/finspy-surveillance-spyware-fitted-uefi-bootkit
Security researchers at Kaspersky have spotted signs of the notorious FinSpy surveillance spyware hijacking — and replacing — the Windows UEFI bootloader to perform stealthy infections on target machines.
This method of infection allowed the attackers to install a bootkit without the need to bypass firmware security checks and serves as confirmation that the controversial vendor of “lawful interception” spyware has modernized operations to remain undetected.
“UEFI infections are very rare and generally hard to execute, they stand out due to their evasiveness and persistence,” according to Kaspersky’s Igor Kuznetsov and Georgy Kucherin. “While in this case the attackers did not infect the UEFI firmware itself, but its next boot stage, the attack was particularly stealthy as the malicious module was installed on a separate partition and could control the boot process of the infected machine.”
In a research paper documenting what it calls “unseen findings” related to FinSpy, Kaspersky said the spyware has been tweaked since 2018 to add multiple checks to avoid the prying eyes of security researchers.
“[This is] one of the hardest-to-detect spywares to date,” the researchers said, noting that the spyware has now been fitted with four different levels of obfuscation in addition to the UEFI bootkit vector.
https://securelist.com/finspy-unseen-findings/104322/
Tomi Engdahl says:
Microsoft Details FoggyWeb Backdoor Used by SolarWinds Hackers
https://www.securityweek.com/microsoft-details-foggyweb-backdoor-used-solarwinds-hackers
Microsoft on Monday published a blog post detailing a piece of malware used by the threat actor behind the SolarWinds attack to exfiltrate data from compromised servers.
The Russia-linked threat group that breached the systems of Texas-based IT management solutions provider SolarWinds is tracked by Microsoft as Nobelium. The tech giant has detailed several pieces of malware used by the hackers in their attacks and on Monday it shared an in-depth analysis of a backdoor it has named FoggyWeb.
Microsoft says FoggyWeb has been used in attacks since at least April 2021. The company has notified customers whose systems have been targeted or compromised as part of attacks involving this malware.
FoggyWeb has been described by Microsoft as a post-exploitation passive backdoor that the hackers have been using to remotely exfiltrate sensitive information from compromised Active Directory Federation Services (AD FS) servers. The backdoor, the company says, is persistent and highly targeted.
Tomi Engdahl says:
CISA Warns of Hikvision Camera Flaw as U.S. Aims to Rid Chinese Gear From Networks
https://www.securityweek.com/cisa-warns-hikvision-camera-flaw-us-aims-rid-chinese-gear-networks
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday informed organizations that some cameras made by Chinese video surveillance vendor Hikvision are affected by a critical vulnerability.
The notification came shortly after the Federal Communications Commission (FCC) announced taking steps toward the removal of Chinese equipment from U.S. networks due to national security concerns stemming from alleged ties between manufacturers and the Chinese government.
CISA’s notification is for CVE-2021-36260, a critical command injection vulnerability affecting more than 70 Hikvision camera and NVR models. The flaw can allow a remote attacker to take complete control of a targeted device without any user interaction.
Tomi Engdahl says:
Russia Detains Head of Cybersecurity Group on Treason Charges
https://www.securityweek.com/russia-detains-head-cybersecurity-group-treason-charges
Russia on Wednesday detained the head of one of the country’s leading cybersecurity firms on charges of treason, in a move that targets a company collaborating with the West on stemming cyberattacks.
The arrest comes after US President Joe Biden earlier this year raised concerns with Russian President Vladimir Putin that Moscow is allowing cybercrime directed at Western countries to flourish in the country.
Founded in 2003, the Group-IB group specialises in the detection and prevention of cyberattacks and works with Interpol and several other global institutions.
Moscow’s Lefortovsky district court ordered the group’s 35-year-old co-founder and CEO, Ilya Sachkov, to be held in pre-trial custody for two months on treason charges, the court’s press service said.
Tomi Engdahl says:
Reuters:
Russia arrests Ilya Sachkov, the CEO of cybersecurity company Group-IB, on suspicion of treason and will hold him in custody for two months — Russia has arrested Ilya Sachkov, the chief executive of top Russian cybersecurity company Group IB, on suspicion of state treason and will hold …
https://www.reuters.com/technology/moscow-office-group-ib-cybersecurity-firm-searched-by-police-company-2021-09-29/
Tomi Engdahl says:
https://techcrunch.com/2021/09/21/lets-encrypt-root-expiry/?tpcc=tcplusfacebook
Tomi Engdahl says:
Russia arrests top cybersecurity executive in treason case https://www.reuters.com/technology/moscow-office-group-ib-cybersecurity-firm-searched-by-police-company-2021-09-29/
Ilya Sachkov, 35, who founded Group IB, one of Russia’s most prominent cyber security firms, was arrested on Tuesday, the RTVI TV channel reported as law enforcement officers carried out searches at the Moscow offices of the firm.
Tomi Engdahl says:
DarkHalo after SolarWinds: the Tomiris connection https://securelist.com/darkhalo-after-solarwinds-the-tomiris-connection/104311/
Tomiris is a backdoor written in Go whose role is to continuously query its C2 server for executables to download and execute on the victim system.
Tomi Engdahl says:
New GriftHorse malware has infected more than 10 million Android phones https://therecord.media/new-grifthorse-malware-has-infected-more-than-10-million-android-phones/
Security researchers have found a massive malware operation that has infected more than 10 million Android smartphones across more than 70 countries since at least November 2020 and is making millions of dollars for its operators on a monthly basis.. see also https://blog.zimperium.com/grifthorse-android-trojan-steals-millions-from-over-10-million-victims-globally/
Tomi Engdahl says:
FormBook Adds Latest Office 365 0-Day Vulnerability (CVE-2021-40444) to Its Arsenal https://www.trendmicro.com/en_us/research/21/i/formbook-adds-latest-office-365-0-day-vulnerability-cve-2021-404.html
Trend Micro detected a new campaign using a recent version of the known FormBook malware, an infostealer that has been around since 2016. Several analyses have been written about FormBook in the last few years, including the expanded support for macOS.
Tomi Engdahl says:
Conti Ransomware Expands Ability to Blow Up Backups https://threatpost.com/conti-ransomware-backups/175114/
The Conti ransomware gang has developed novel tactics to demolish backups, especially the Veeam recovery software.
Tomi Engdahl says:
Vaccine passport app leaks users personal data https://blog.malwarebytes.com/privacy-2/2021/09/vaccine-passport-app-leaks-users-personal-data/
Security and privacy advocates may have cause to worry after all:
Portpass, a vaccine passport app in Canada, has been found to have been exposing the personal data of its users for an unknown length of time.
Tomi Engdahl says:
China Intensified Attacks on Major Afghan Telecom Firm as U.S. Finalized Withdrawal
https://www.securityweek.com/china-intensified-attacks-major-afghan-telecom-firm-us-finalized-withdrawal
Several China-linked cyberespionage groups were observed intensifying attacks on a major telecom firm in Afghanistan just as the United States was finalizing its withdrawal from the country.
Threat intelligence company Recorded Future reported on Tuesday that it had seen four different Chinese threat groups targeting a mail server belonging to Roshan, a major telecom provider that has more than 6.5 million subscribers across Afghanistan.
The attacks were conducted by the groups known as Calypso and RedFoxtrot, as well as two different Winnti and PlugX activity clusters that Recorded Future researchers could not connect to other known actors.