This posting is here to collect cyber security news in October 2021.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
This posting is here to collect cyber security news in October 2021.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
376 Comments
Tomi Engdahl says:
SASE Firm Cato Networks Raises $200 Million at $2.5 Billion Valuation
https://www.securityweek.com/sase-firm-cato-networks-raises-200-million-25-billion-valuation
Tel Aviv, Israel-based Secure Access Service Edge (SASE) provider Cato Networks on Tuesday announced raising $200 million at a market valuation of $2.5 billion.
Cato has developed a cloud-native SASE platform designed to securely and optimally connect an organization’s data centers, branches, users and cloud resources. Customers’ traffic goes through Cato’s platform, where it’s analyzed for threats.
“Cato is at the forefront of SASE transformation,” said Shlomo Kramer, CEO and co-founder of Cato Networks. “Large enterprises are deploying Cato as their global network to reap the operational and business benefits of Cato’s proven and mature SASE platform. Cato is rapidly expanding its service capabilities, global footprint, and sales and marketing teams, while preserving our unique DNA of agility, simplicity, and ease of doing business that is so valued by customers and partners.”
Tomi Engdahl says:
University of Pittsburgh Medical Center Hacker Sentenced to Prison
https://www.securityweek.com/university-pittsburgh-medical-center-hacker-sentenced-prison
The individual who hacked the human resources databases of the University of Pittsburgh Medical Center was sentenced to seven years in prison, the United States Department of Justice announced.
The man, Justin Sean Johnson, 30, formerly of Detroit, Michigan, who was known on the dark web as TheDearthStar and Dearthy Star, stole personally identifiable information (PII) of more than 65,000 UPMC employees.
Johnson, the DoJ explains, hacked UPMC’s servers between 2013 and 2014, stealing both PII and W-2 information that he then sold on dark web forums.
Tomi Engdahl says:
U.S. Government Issues Urgent Warning on BlackMatter Ransomware
https://www.securityweek.com/us-government-issues-urgent-warning-blackmatter-ransomware
The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) this week published a joint advisory to warn organizations of an increased threat posed by the BlackMatter ransomware gang.
Active since July 2021, BlackMatter is believed to be the successor of DarkSide, a ransomware-as-a-service (RaaS) that shut down operations in May 2021. DarkSide was responsible for multiple high-profile ransomware attacks.
According to the joint advisory, the BlackMatter ransomware has already targeted multiple critical infrastructure entities in the United States, including two organizations in the food and agriculture sector.
Tomi Engdahl says:
https://www.forbes.com/sites/gordonkelly/2021/10/20/google-chrome-hack-new-attack-exploit-upgrade-chrome-now/?sh=113ffc266738&utm_source=ForbesMainFacebook&utm_medium=social&utm_campaign=socialflowForbesMainFB
Tomi Engdahl says:
Zerodium wants zero-day exploits for Windows VPN clients https://www.bleepingcomputer.com/news/security/zerodium-wants-zero-day-exploits-for-windows-vpn-clients/
In a short tweet today, exploit broker Zerodium said that it is looking to acquire zero-day exploits for vulnerabilities in three popular virtual private network (VPN) service providers on the market.
Lisäksi:
https://therecord.media/zerodium-seeking-zero-days-in-expressvpn-nordvpn-and-surfshark-vpn-apps/
Tomi Engdahl says:
Political-themed actor using old MS Office flaw to drop multiple RATs https://www.bleepingcomputer.com/news/security/political-themed-actor-using-old-ms-office-flaw-to-drop-multiple-rats/
A novel threat actor with unclear motivesis running a crimeware campaign delivering multiple Windows and Android RATs (remote access
tools) through the exploitation of CVE-2017-11882. Lisäksi:
https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html.
Lisäksi:
https://threatpost.com/apt-commodity-rats-microsoft-bug/175601/
Tomi Engdahl says:
VPN Exposes Data for 1M Users, Leading to Researcher Questioning https://threatpost.com/vpn-exposes-data-1m/175612/
Free virtual private network (VPN) service Quickfox, which provides access to Chinese websites from outside the country, exposed the personally identifiable information (PII) of more than a million users in just the latest high-profile VPN security failure.
Tomi Engdahl says:
q-logger skimmer keeps Magecart attacks going https://blog.malwarebytes.com/threat-intelligence/2021/10/q-logger-skimmer-keeps-magecart-attacks-going/
Although global e-commerce is continuing to grow rapidly, it seems as though Magecart attacks via digital skimmers have not followed the same trend. This is certainly true if we only look at recent newsworthy attacks; indeed when a victim is a large business or popular brand we typically are more likely to remember it.
Tomi Engdahl says:
Researchers Break Intel SGX With New ‘SmashEx’ CPU Attack Technique https://thehackernews.com/2021/10/researchers-break-intel-sgx-with-new.html
A newly disclosed vulnerability affecting Intel processors could be abused by an adversary to gain access to sensitive information stored within enclaves and even run arbitrary code on vulnerable systems.
Tomi Engdahl says:
Twitter suspends hacker who allegedly stole data of 45 million Argentinians https://www.zdnet.com/article/twitter-suspends-hacker-who-stole-data-of-46-million-argentinians/
Twitter has suspended a hacker who allegedly stole all of the data from Argentina’s database holding the IDs and information of all 45 million citizens of the country.
Tomi Engdahl says:
Google Patches 19 Vulnerabilities in Chrome 95 Browser Refresh
https://www.securityweek.com/google-patches-19-vulnerabilities-chrome-95-browser-refresh
Google has released a new version of its flagship Chrome web browser with patches for a total of 19 vulnerabilities, including 16 reported by external researchers.
The most severe of these issues is CVE-2021-37981, a heap buffer overflow in Skia, for which a $20,000 bounty reward was paid, Google said in an advisory.
Next in line are CVE-2021-37982 (use-after-free issue in the Incognito component) and CVE-2021-37983 (use-after-free error in Dev Tools). Google says it awarded a $10,000 bounty reward for data on each of these flaws.
The remaining two high severity issues patched which this browser release are CVE-2021-37984 (heap buffer overflow in PDFium) and CVE-2021-37985 (use-after-free in V8), for which the Internet search giant paid $7,500 and $5,000, respectively.
Three other use-after-free vulnerabilities addressed with the release of Chrome 95 (in Network APIs, Profiles, and PDF Accessibility) feature a severity rating of medium, as do a heap buffer overflow in Settings, inappropriate implementations in Blink and WebView, a race in V8, and an out of bounds read in WebAudio.
Tomi Engdahl says:
Zerodium Buying Zero-Day Exploits Targeting VPN Software
https://www.securityweek.com/zerodium-buying-zero-day-exploits-targeting-vpn-software
Exploit acquisition company Zerodium on Tuesday announced that it’s looking to buy zero-day exploits targeting popular VPN software.
Specifically, the company wants to acquire exploits that work against the Windows versions of the ExpressVPN, NordVPN and Surfshark applications. These VPN services have millions of users.
Zerodium is looking for remote code execution, IP address leak, and other information disclosure exploits. It does not want to acquire local privilege escalation vulnerabilities.
The company has not said how much it’s willing to pay for the zero-day exploits.
ExpressVPN and NordVPN both run bug bounty programs. ExpressVPN offers up to $2,500 per vulnerability with bonuses of up to $10,000, while NordVPN offers $5,000 or more for critical security flaws. Zerodium is likely prepared to pay out much more for zero-day exploits.
Tomi Engdahl says:
Acer Confirms Breach of Servers in Taiwan
https://www.securityweek.com/acer-confirms-breach-servers-taiwan
Taiwanese tech giant Acer has confirmed that, in addition to servers in India, hackers breached some of its systems in Taiwan.
Acer initially confirmed that some of its servers in India had been hacked after a group called Desorden claimed to have stolen more than 60 gigabytes of data from Acer India.
The hackers claimed to have obtained information on millions of customers, login credentials used by thousands of retailers and distributors, and various corporate and financial documents.
Acer immediately confirmed the breach of its Indian servers, but described it as an isolated attack targeting its after-sales service systems in India.
Tomi Engdahl says:
Magnitude EK Expands Arsenal With PuzzleMaker Exploit Chain
https://www.securityweek.com/magnitude-ek-expands-arsenal-puzzlemaker-exploit-chain
The Magnitude exploit kit (EK) is now capable of targeting Chromium-based browsers running on Windows systems, security researchers with Avast warn.
Exploit kits such as Magnitude are known for expanding their arsenal with new browser or plugin exploits in a timely fashion, but for years they have mainly focused on Microsoft’s Internet Explorer and left other browsers aside.
This, however, changed when Magnitude added to its arsenal exploits for CVE-2021-21224 and CVE-2021-31956, two vulnerabilities that affect Google’s Chrome browser and Microsoft’s Windows platform, respectively.
Tomi Engdahl says:
British Licence Plate Camera Fooled By Clothing
https://hackaday.com/2021/10/21/british-licence-plate-camera-fooled-by-clothing/
It’s a story that has caused consternation and mirth in equal measure amongst Brits, that the owners of a car in Surrey received a fine for driving in a bus lane miles away in Bath, when in fact the camera had been confused by the text on a sweater worn by a pedestrian. It seems the word “knitter” had been interpreted by the reader as “KN19 TER”, which as Brits will tell you follows the standard format for modern UK licence plate.
It gives us all a chance to have a good old laugh at the expense of the UK traffic authorities, but it raises some worthwhile points about the fallacy of relying on automatic cameras to dish out fines without human intervention.
Bus lane camera mistakes woman’s sweater for number plate
https://www.bbc.com/news/uk-england-somerset-58959930
A couple were sent a fine for driving in a bus lane when a camera mistook a word on a woman’s clothing for their number plate.
Dave and Paula Knight, from Surrey, received the fine for driving in a bus lane in Bath despite not being in the city at the time.
A camera had registered the word ‘knitter’ on a pedestrian’s clothing as Mr Knight’s number plate KN19 TER.
“We thought one of our friends was stitching us up,” said Mrs Knight.
Bath and North East Somerset Council (BANES) confirmed the fine had been cancelled.
Mr Knight said they planned to frame the notice and put it on the mantelpiece.
“I was looking for my vehicle in it [the picture] and thinking to myself have I been to Bath?
“The poor lady walking down the bus lane has got a top on very similar to my number plate but her handbag is blocking one of the letters out so it assumed it was my number plate,” he said.
Tomi Engdahl says:
This is literally a technique available in that game up.link
AI-Savvy Criminals Clone Executive’s Voice in $35 Million Deepfake Bank Heist
https://lm.facebook.com/l.php?u=https%3A%2F%2Fsingularityhub.com%2F2021%2F10%2F20%2Fai-savvy-criminals-pulled-off-a-35-million-deepfake-bank-heist%2F&h=AT0VC6C1s-ZZAEDMaQH0OxNmiI2VC6rfulKUlc67VKhFBCtORt_bD3iMNyCvPLsucAP81VNxRY4JrwVTvOyMcDuolA3dcLD1H8KX6RmHkG9GizfQLqVR0g78qkvLvY1jVg
Thanks to the advance of deepfake technology, it’s becoming easier to clone peoples’ voices. Some uses of the tech, like creating voice-overs to fill in gaps in Roadrunner, the documentary about Anthony Bourdain released this past summer, are harmless (though even the ethics of this move were hotly debated when the film came out). In other cases, though, deepfaked voices are being used for ends that are very clearly nefarious—like stealing millions of dollars.
An article published last week by Forbes revealed that a group of cybercriminals in the United Arab Emirates used deepfake technology as part of a bank heist that transferred a total of $35 million out of the country and into accounts all over the world.
In this case, criminals used deepfake software to recreate the voice of an executive at a large company (details around the company, the software used, and the recordings to train said software don’t appear to be available). They then placed phone calls to a bank manager with whom the executive had a pre-existing relationship, meaning the bank manager knew the executive’s voice. The impersonators also sent forged emails to the bank manager confirming details of the requested transactions. Between the emails and the familiar voice, when the executive asked the manager to authorize transfer of millions of dollars between accounts, the manager saw no problem with going ahead and doing so.
The fraud took place in January 2020, but a relevant court document was just filed in the US last week. Officials in the UAE are asking investigators in the US for help tracing $400,000 of the stolen money that went to US bank accounts at Centennial Bank.
Tomi Engdahl says:
State-backed hackers breach telcos with custom malware
https://www.bleepingcomputer.com/news/security/state-backed-hackers-breach-telcos-with-custom-malware/
A previously unknown state-sponsored actor is deploying a novel toolset in attacks targeting telecommunication providers and IT firms in South Asia.
The goal of the group — tracked as Harvester by researchers at Symantec who spotted it — is to collect intelligence in highly targeted espionage campaigns focusing on IT, telecom, and government entities.
Harvester’s malicious tools haven’t been encountered in the wild before, indicating that this is a threat actor with no connections to known adversaries.
Tomi Engdahl says:
https://www.tomshardware.com/news/fbi-nsa-warn-cybersecurity-experts-of-impending-blackmatter-ransomware-attacks
Tomi Engdahl says:
Acer hit with second cyberattack in less than a week, Taiwanese authorities notified
The same hacker group claimed responsibility for an attack on the company’s offices in Taiwan.
https://www.zdnet.com/article/acer-hit-with-second-cyberattack-in-less-than-a-week-this-time-in-taiwan-offices/
Tomi Engdahl says:
Trump’s Truth Social Hacked Within Hours of Announcement
https://www.newsweek.com/trump-truth-social-hacked-within-hours-announcement-1641137
Former President Donald Trump’s new social media platform was reportedly hacked within hours of its announcement.
Trump announced he was launching a new media company, Trump Media & Technology Group, and its “Truth Social” app on Wednesday. The “Truth Social” app will begin a beta launch for “invited guests” in November, with a nationwide rollout planned for early 2022, according to a press release.
But people were able to sign up to create accounts using a publicly available link
“I literally just registered ‘mikepence.’ The site hasn’t even launched yet and it’s already this vulnerable,”
In another tweet, Harwell said it appeared the “donaldjtrump” account on Truth Social had been hacked.
Tomi Engdahl says:
“Was just able to setup an account using the handle @donaldtrump on ‘Truth Social,’ former President Donald Trump’s new social media website,” Thalen tweeted. “Although the site is not officially open, a URL was discovered allowing users to sign up anyway.”
https://www.newsweek.com/trump-truth-social-hacked-within-hours-announcement-1641137
Tomi Engdahl says:
Chrome targeted by Magnitude exploit kit https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/10/magnitude-ek-has-been-spotted-targeting-the-chrome-browser/
Exploit kits (EK) are not as widespread as they used to be. One of the reasons is likely that most exploit kits targeted software that is hardly ever used anymore. Internet Explorer, Silverlight, and Flash Player to name a few, have been deprecated, replaced, and quickly lost their user-base. Enter the Magnitude exploit kit. Researchers have found that the Magnitude EK is actively using two vulnerabilities to exploit Chromium-based browsers. Magnitude is used in malvertising attacks to infect victims who visit compromised websites and its payload of choice is the Magniber ransomware.
Tomi Engdahl says:
GPS Daemon (GPSD) Rollover Bug
https://us-cert.cisa.gov/ncas/current-activity/2021/10/21/gps-daemon-gpsd-rollover-bug
On October 24, 2021, Network Time Protocol (NTP) servers using bugged GPSD versions 3.20-3.22 may rollback the date 1, 024 weeks, to March 2002, which may cause systems and services to become unavailable or unresponsive.
Tomi Engdahl says:
U.S. Government Bans Sale of Hacking Tools to Authoritarian Regimes https://thehackernews.com/2021/10/us-government-bans-sale-of-hacking.html
The U.S. Commerce Department on Wednesday announced new rules barring the sales of hacking software and equipment to authoritarian regimes and potentially facilitate human rights abuse for national security
(NS) and anti-terrorism (AT) reasons. The mandate, which is set to go into effect in 90 days, will forbid the export, reexport and transfer of “cybersecurity items” to countries of “national security or weapons of mass destruction concern” such as China and Russia without a license from the department’s Bureau of Industry and Security (BIS).
Tomi Engdahl says:
Two Eastern Europeans Sentenced for Providing Bulletproof Hosting to Cyber Criminals https://thehackernews.com/2021/10/two-eastern-europeans-sentenced-for.html
Two Eastern European nationals have been sentenced in the U.S. for offering “bulletproof hosting” services to cybercriminals, who used the technical infrastructure to distribute malware and attack financial institutions across the country between 2009 to 2015.
Tomi Engdahl says:
Update now! Chrome fixes more security issues https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/10/update-now-chrome-fixes-more-security-issues/
For the third time in a month Google has issued an update to patch for several security issues. This time the update patches 19 vulnerabilities, of which 5 are classified as “high” risk vulnerabilities. In an update announcement for Chrome 95.0.4638.54, Google specifies the 16 vulnerabilities that were found by external researchers.
Tomi Engdahl says:
FiveSys Rootkit Abuses Microsoft-Issued Digital Signature
https://www.securityweek.com/fivesys-rootkit-abuses-microsoft-issued-digital-signature
A rootkit named FiveSys is able to evade detection and slip unnoticed onto Windows users’ systems courtesy of a Microsoft-issued digital signature, according to security researchers with Bitdefender.
To prevent certain types of malicious attacks, Microsoft introduced strict requirements for driver packages that seek to receive a WHQL (Windows Hardware Quality Labs) digital signature, and starting with Windows 10 build 1607 it’s preventing kernel-mode drivers to be loaded without such a certificate.
Malware developers, however, appear to have identified a means to circumvent Microsoft’s certification and receive digital signatures for their rootkits, which allows them to target victims without raising suspicion.
In June, Microsoft admitted that attackers managed to successfully submit the Netfilter rootkit for certification through the Windows Hardware Compatibility Program.
Now, Bitdefender’s researchers warn that the FiveSys rootkit too features a Microsoft-issued digital signature, suggesting that this might soon prove to be a new trend, where adversaries manage to get their malicious drivers validated and signed by Microsoft.
FiveSys, the researchers say, is similar to the Undead malware that was initially detailed a couple of years ago. Furthermore, the same as Netfilter, the rootkit targets the gaming sector in China.
Tomi Engdahl says:
Sticky business: Ransomware hits U.S. candymaker ahead of Halloween
https://www.nbcnews.com/tech/security/ransomware-hits-us-candymaker-ahead-halloween-rcna3391
Ferrara, maker of SweeTarts, Nerds, Redhots, Lemonheads, Pixy Stix and Everlasting Gobstoppers, has been able to resume production only in some facilities.
A major U.S. candy company is struggling to fill orders before Halloween after ransomware hackers encrypted its systems.
Ferrara, the Chicago-based manufacturer of candies like SweeTarts, Laffy Taffy, Nerds, Red Hots, Lemonhead candies, Boston Baked Beans, Atomic Fireballs, Pixy Stix and Everlasting Gobstoppers, has been able to resume production only “in select manufacturing facilities,” a spokesperson said in an emailed statement Wednesday.
Tomi Engdahl says:
Keeping Track of Time: Network Time Protocol and a GPSD Bug
https://isc.sans.edu/forums/diary/27886/
The Network Time Protocol (NTP) has been critical in ensuring time is accurately kept for various systems businesses and organizations rely on. Authentication mechanisms such as Time-based One-Time Password (TOTP) and Kerberos also rely heavily on time. As such, should there be a severe mismatch in time, users would not be able to authenticate and gain access to systems. From the perspective of incident handling and incident response, well-synchronized time across systems facilitates log analysis, forensic activities and correlation of events. Depending on operational requirements, organizations may choose to utilize public NTP servers for their time synchronization needs. For organizations that require higher time accuracy, they could opt for Global Positioning Systems (GPS) appliances and use daemons such as GPSD [1] to extract time information from these GPS appliances.
A reader recently highlighted to us a bug in the GPSD project that could cause time to rollback in October 2021 [2].
Tomi Engdahl says:
https://therecord.media/ddos-attacks-hit-multiple-email-providers/?__cf_chl_jschl_tk__=pmd_pfUuvRs2e9GGcmTYDxHpmn0_NbWmR68iJ6z5vtiT7SY-1635064042-0-gqNtZGzNAlCjcnBszQo9
Tomi Engdahl says:
Ransomware hackers nervous, allege harassment from U.S.
https://www.nbcnews.com/tech/security/ransomware-hackers-nervous-allege-harassment-us-rcna3637
They defended their practice of holding computers for ransom after the FBI took down a major ransomware group.
Some of the most destructive ransomware hackers in the world appear to be on edge after the U.S. reportedly took down one of their colleagues.
Several ransomware gangs posted lengthy anti-U.S. screeds, viewed by NBC News, on the dark web. In them, they defended their practice of hacking organizations and holding their computers for ransom. They appear prompted by the news, reported Thursday by Reuters, that the FBI had successfully hacked and taken down another major ransomware group called REvil.
While that takedown is the first of its kind made public, it’s not expected to seriously curb ransomware attacks on the U.S. on its own. It has, however, prompted REvil’s fellow hackers to publicly complain far more than they have before.
“First, an attack against some servers, which the U.S. security attributes to REvil, is another reminder of what we all know: the unilateral, extraterritorial, and bandit-mugging behavior of the United States in world affairs,” the group wrote. “With all the endless talks in your media about “ransomware-is-bad,” we would like to point out the biggest ransomware group of all time: your Federal Government.”
“Is there a law, even an American one, even a local one in any county of any of the 50 states, that legitimize such indiscriminate offensive action?” the author wrote.
Another group wrote that “only time will tell who the real bad guys are here.”
A third complained that cybersecurity companies and the FBI were getting too involved with trying to stop ransomware. “2 sides are interested. One side is company affected. Second side is ransom operator. Nobody else,” it wrote.
The hackers who infamously attacked Colonial Pipeline in May, leading to some gas stations in the U.S. briefly running dry, also finally touched the money from that hack for the first time since the hack on Friday, according to an analysis by Elliptic, a London company that traces bitcoin payments.
Tomi Engdahl says:
Top official says cyber operations are ‘not just about the systems’
https://lm.facebook.com/l.php?u=https%3A%2F%2Fwww.c4isrnet.com%2Fcyber%2F2021%2F10%2F20%2Ftop-official-says-cyber-operations-are-not-just-about-the-systems%2F&h=AT3rVzdpHCg29VHuv1ubhkSKee-Gvx0578FFFZrwZ_SwMSbcqWXxZ7Gl18gZHEsc76n_vqkzMVdoNwTBiTNuIeRcP4LvZsAwU9wMnpc28rW-XlmQK8mZDEcUOjBbyaCsouo9lga-SS4MeMALTg
The department is examining how cyber can have a bigger impact outside its domain into areas such as the human and cognitive domains.
WASHINGTON — The Department of Defense is at an “inflection point” when it comes to cyberspace and cyber operations and must consider the role of the people behind cybersecurity systems, according to a top official.
With adversaries increasingly using cyber operations to undermine national security, whether by stealing intellectual property or conducting influence campaigns to sow discord among the American public, the Defense Department has moved to a more offensive approach. This was enabled by new authorities from Congress and the executive branch and culminated in the 2018 DoD cyber strategy.
Tomi Engdahl says:
DarkSide ransomware rushes to cash out $7 million in Bitcoin https://www.bleepingcomputer.com/news/security/darkside-ransomware-rushes-to-cash-out-7-million-in-bitcoin/
Almost $7 million worth of Bitcoin in a wallet controlled by DarkSide ransomware operators has been moved in what looks like a money laundering rollercoaster. The funds have been moving to multiple new wallets since yesterday, a smaller amount being transferred with each transaction to make the money more difficult to track.
Tomi Engdahl says:
Recycled Cobalt Strike key pairs show many crooks are using same cloned installation https://www.theregister.com/2021/10/22/cobalt_strike_virustotal_key_discovery/
Around 1, 500 Cobalt Strike beacons uploaded to VirusTotal were reusing the same RSA keys from a cracked version of the software, according to a security researcher who pored through the malware repository. The discovery could make blue teams’ lives easier by giving them a clue about whether or not Cobalt Strike traffic across their networks is a real threat or an action by an authorised red team carrying out a penetration test.
Tomi Engdahl says:
Crypto-miner found hidden inside three npm libraries https://therecord.media/crypto-miner-found-hidden-inside-three-npm-libraries/
DevOps security firm Sonatype has uncovered crypto-mining malware hidden inside three JavaScript libraries uploaded on the official npm package repository.
Tomi Engdahl says:
Terveystietoja ja henkilötunnuksia saattoi päätyä paperinkeräykseen Utajärvellä
https://yle.fi/uutiset/3-12156589
Mahdollisesti jopa satojen ihmisten terveys- ja henkilötietoja päätyi vahingossa paperinkeräykseen Pohjois-Pohjanmaalla.
Tomi Engdahl says:
Popular NPM library hijacked to install password-stealers, miners https://www.bleepingcomputer.com/news/security/popular-npm-library-hijacked-to-install-password-stealers-miners/
Hackers hijacked the popular UA-Parser-JS NPM library, with millions of downloads a week, to infect Linux and Windows devices with cryptominers and password-stealing trojans in a supply-chain attack.
The UA-Parser-JS library is used to parse a browser’s user agent to identify a visitor’s browser, engine, OS, CPU, and Device type/model.
Tomi Engdahl says:
Hacker sells the data for millions of Moscow drivers for $800 https://www.bleepingcomputer.com/news/security/hacker-sells-the-data-for-millions-of-moscow-drivers-for-800/
Hackers are selling a stolen database containing 50 million records of Moscow driver data on an underground forum for only $800. According to Russian media outlets that purchased the database, the data appears to be valid and contains records collected between 2006 and 2019.
Tomi Engdahl says:
Ransom DDoS attacks hit multiple email providers https://therecord.media/ddos-attacks-hit-multiple-email-providers/
At least three email service providers have been hit by large distributed denial of service (DDoS) attacks on Friday, resulting in prolonged outages, The Record has learned. The attacks have hit Runbox (a privacy email provider based in Norway), Posteo (a secure email provider based in Germany), and Fastmail (a privacy-first email provider based in Australia).
Tomi Engdahl says:
Verkkopankkitunnusten kalastelu jyrkässä nousussa
https://yle.fi/uutiset/3-12157789
Tänä vuonna tehdään ennätyksiä tunnuskalasteluun menneissä rahamäärissä, sanoo tietoturva-asiantuntija Ville Kontinen liikenne- ja viestintävirasto Traficomista. Poliisin kyberrikostorjuntakeskuksen tietojen mukaan verkkopankkitunnusten kalastelulla on aiheutettu tänä vuonna jo yli 8, 5 miljoonan euron vahingot. Valeverkkopankkeihin on kirjautunut tänä vuonna jo satoja suomalaisia.
Tomi Engdahl says:
‘Critical Severity’ Warning for Malware Embedded in Popular JavaScript Library
https://www.securityweek.com/critical-severity-warning-malware-embedded-popular-javascript-library
Security responders are scrambling this weekend to assess the damage from crypto-mining malware embedded in an npm package (JavaScript library) that counts close to 8 million downloads per week.
The hack, which raised eyebrows because of the software supply chain implications, prompted a “critical severity” warning from GitHub that any computer with the embedded npm package “should be considered fully compromised.”
“The npm package ua-parser-js had three versions published with malicious code. Users of affected versions (0.7.29, 0.8.0, 1.0.0) should upgrade as soon as possible and check their systems for suspicious activity,” GitHub said in an advisory.
“Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer,” GitHub warned.
“The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it,” the company added.
The problematic UAParser.js library is very popular, counting close to 8 million weekly downloads with some of tech’s most recognizable names — Microsoft, Amazon, Facebook, Apple and Oracle — listed among its users.
Embedded malware in ua-parser-js
https://github.com/advisories/GHSA-pjwm-rvh2-c87w
The npm package ua-parser-js had three versions published with malicious code. Users of affected versions (0.7.29, 0.8.0, 1.0.0) should upgrade as soon as possible and check their systems for suspicious activity. See this issue for details as they unfold.
Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
The urgency of the issue was magnified when the U.S. government’s cybersecurity agency CISA issued its own “patch immediately” alert.
From the CISA advisory:
“Versions of a popular NPM package named ua-parser-js was found to contain malicious code. ua-parser-js is used in apps and websites to discover the type of device or browser a person is using from User-Agent data. A computer or device with the affected software installed or running could allow a remote attacker to obtain sensitive information or take control of the system.”
The agency is strongly urging users and administrators using compromised ua-parser-js versions 0.7.29, 0.8.0, and 1.0.0 to update to the respective patched versions: 0.7.30, 0.8.1, 1.0.1 immediately.
https://us-cert.cisa.gov/ncas/current-activity/2021/10/22/malware-discovered-popular-npm-package-ua-parser-js
Versions of a popular NPM package named ua-parser-js was found to contain malicious code. ua-parser-js is used in apps and websites to discover the type of device or browser a person is using from User-Agent data. A computer or device with the affected software installed or running could allow a remote attacker to obtain sensitive information or take control of the system.
Tomi Engdahl says:
Catalin Cimpanu / The Record:
CISA warns of malware discovered in npm package UAParser.js, which has 6M-7M downloads weekly, that installs a password stealer and a crypto miner — A massively popular JavaScript library (npm package) was hacked today and modified with malicious code that downloaded and installed …
Malware found in npm package with millions of weekly downloads
https://therecord.media/malware-found-in-npm-package-with-millions-of-weekly-downloads/?__cf_chl_jschl_tk__=pmd_m0ANFg4YiYENDWMITlgN9NGJuMJqUpUUy1DMPR3PnLY-1635147009-0-gqNtZGzNAmWjcnBszQoR
Technology
Malware found in npm package with millions of weekly downloads
A massively popular JavaScript library (npm package) was hacked today and modified with malicious code that downloaded and installed a password stealer and cryptocurrency miner on systems where the compromised versions were used.
The incident was detected on Friday, October 22.
It impacted UAParser.js, a JavaScript library for reading information stored inside user-agent strings.
According to its official site, the library is used by companies such as Facebook, Apple, Amazon, Microsoft, Slack, IBM, HPE, Dell, Oracle, Mozilla, Shopify, Reddit, and many of Silicon Valley’s elites.
The library also regularly sees between 6 million and 7 million weekly downloads, according to its npm page.
Compromised versions: 0.7.29, 0.8.0, 1.0.0
Patched versions: 0.7.30, 0.8.1, 1.0.1
“I believe someone was hijacking my npm account and published some compromised packages (0.7.29, 0.8.0, 1.0.0) which will probably install malware,” said Faisal Salman, author of the UAParser.js library.
Tomi Engdahl says:
Julia Kollewe / The Guardian:
Tesco, UK’s largest supermarket chain, was hacked on Saturday, halting online grocery orders through Sunday; Tesco says its site and app are back up and running — Consumers unable to book or amend deliveries after ‘attempt made to interfere with systems’ — Tesco has been hit by hackers …
Tesco website hit by hackers, leaving thousands of customers frustrated
https://www.theguardian.com/business/2021/oct/24/tesco-website-hit-by-hackers-leaving-thousands-of-customers-frustrated
Consumers unable to book or amend deliveries after ‘attempt made to interfere with systems’
Tesco has been hit by hackers, leaving thousands of frustrated shoppers unable to buy groceries online at Britain’s biggest supermarket.
The outage leaves its grocery website and app down for a second day, with people unable to book deliveries or amend existing orders. Tesco receives 1.3m online orders every week.
A Tesco spokesperson said: “Since yesterday, we’ve been experiencing disruption to our online grocery website and app. An attempt was made to interfere with our systems, which has caused problems with the search function on the site. We’re working hard to fully restore all services and apologise for the inconvenience.
“There is no reason to believe that this issue impacts customer data and we continue to take ongoing action to make sure all data stays safe.”
Tesco was hacked previously in 2014, when it was forced to deactivate online customer accounts after more than 2,000 login details, including passwords, were posted online. A separate attack on Tesco’s banking arm resulted in the loss of £2.5m two years later.
Tomi Engdahl says:
Danny Palmer / ZDNet:
Researchers detail how hackers are using FiveSys, a rootkit with a Microsoft-issued digital signature, to steal the login credentials of gamers in China
Hackers somehow got their rootkit a Microsoft-issued digital signature
https://www.zdnet.com/article/hackers-somehow-got-their-rootkit-a-microsoft-issued-digital-signature/
FiveSys rootkit somehow used a valid digital signature to help bypass cybersecurity measures in order to steal usernames and passwords from victims.
Tomi Engdahl says:
Supply Chain Attack: NPM Library Used By Facebook And Others Was Compromised
https://hackaday.com/2021/10/22/supply-chain-attack-npm-library-used-by-facebook-and-others-was-compromised/
Here at Hackaday we love the good kinds of hacks, but now and then we need to bring up a less good kind. Today it was learned that the NPM package ua-parser-js was compromised, and any software using it as a library may have become victim of a supply chain attack. What is ua-parser-js and why does any of this matter?
For better or worse, repositories of code are now available to do even the smallest of functions so that a developer doesn’t have to write the function from scratch. One such registry is npm (Node Package Manager), who organize a collection of contributed libraries written in JavaScript. One only need to use npm to include a library in their code, and all of the functions of that code are available to the developer. One such example is ua-parser-js which is a User Agent Parser written in JavaScript. This library makes it easy for developers to find out the type of device and software being used to access a web page.
On October 22 2021, the developer of ua-parser-js found that attackers had uploaded a version of his software that contained malware for both Linux and Windows computers. The malicious versions were found to steal data (including passwords and Chrome cookies, perhaps much more) from computers or run a crypto-currency miner. This prompted GitHub to issue a Critical Severity Security Advisory.
What makes this compromise so dangerous is that ua-parser-js is considered to be part of a supply chain, and has been adopted even by Facebook for use in some of its customer facing software. The developer of ua-parser-js has already secured his GitHub account and uploaded new versions of the package that are clean. If you have any software that uses this library, make sure you’ve got the latest version!
Security issue: compromised npm packages of ua-parser-js (0.7.29, 0.8.0, 1.0.0) – Questions about deprecated npm package ua-parser-js #536
https://github.com/faisalman/ua-parser-js/issues/536
Tomi Engdahl says:
Microsoft says Russia hacked at least 14 IT service providers this year https://therecord.media/microsoft-says-russias-apt29-hacked-at-least-14-it-service-providers-this-year/
Microsoft said on Monday that a Russian state-sponsored hacking group known as Nobelium had attacked more than 140 IT and cloud services providers, successfully breaching 14 companies.
Tomi Engdahl says:
NOBELIUM targeting delegated administrative privileges to facilitate broader attacks https://www.microsoft.com/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks/
The targeted activity has been observed against organizations based in the United States and across Europe since May 2021. MSTIC assesses that NOBELIUM has launched a campaign against these organizations to exploit existing technical trust relationships between the provider organizations and the governments, think tanks, and other companies they serve. NOBELIUM is the same actor behind the SolarWinds compromise in 2020, and this latest activity shares the hallmarks of the actor’s compromise-one-to-compromise-many approach.
Tomi Engdahl says:
Mozilla blocks malicious add-ons installed by 455K Firefox users https://www.bleepingcomputer.com/news/security/mozilla-blocks-malicious-add-ons-installed-by-455k-firefox-users/
Mozilla blocked malicious Firefox add-ons installed by roughly 455,
000 users after discovering in early June that they were abusing the proxy API to block Firefox updates. The add-ons (named Bypass and Bypass XM) were using the API to intercept and redirect web requests to block users from downloading updates, updating remotely configured content, and accessing updated blocklists.
Tomi Engdahl says:
New York Times Journalist Ben Hubbard Hacked with Pegasus after Reporting on Previous Hacking Attempts https://citizenlab.ca/2021/10/breaking-news-new-york-times-journalist-ben-hubbard-pegasus/
New York Times journalist Ben Hubbard was repeatedly targeted with NSO Group’s Pegasus spyware over a three-year period from June 2018 to June 2021. The targeting took place while he was reporting on Saudi Arabia, and writing a book about Saudi Crown Prince Mohammed bin Salman.
Tomi Engdahl says:
Millions of Android users targeted in subscription fraud campaign https://www.bleepingcomputer.com/news/security/millions-of-android-users-targeted-in-subscription-fraud-campaign/
A massive fraud campaign utilizing 151 Android apps with 10.5 million downloads was used to subscribe users to premium subscription services without their knowledge. Researchers at Avast discovered the campaign, naming it ‘UltimaSMS, ‘ and reported 80 associated apps that they found on the Google Play Store. While Google quickly removed the apps, the fraudsters likely ammassed millions of dollars in fraudulent subscription charges.