This posting is here to collect cyber security news in October 2021.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
This posting is here to collect cyber security news in October 2021.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
376 Comments
Tomi Engdahl says:
Ransomware gangs are abusing a zero-day in EntroLink VPN appliances https://therecord.media/ransomware-gangs-are-abusing-a-zero-day-in-entrolink-vpn-appliances/
Multiple ransomware gangs have weaponized and are abusing a zero-day in EntroLink VPN appliances after an exploit was released on an underground cybercrime forum at the start of September 2021. The zero-day is believed to impact EntroLink PPX-AnyLink devices, popular with South Korean companies, and used as user authentication gateways and VPNs to allow employees remote access to company networks and internal resources.
Tomi Engdahl says:
Conti Ransom Gang Starts Selling Access to Victims https://krebsonsecurity.com/2021/10/conti-ransom-gang-starts-selling-access-to-victims/
The Conti ransomware affiliate program appears to have altered its business plan recently. Organizations infected with Conti’s malware who refuse to negotiate a ransom payment are added to Conti’s victim shaming blog, where confidential files stolen from victims may be published or sold. But sometime over the past 48 hours, the cybercriminal syndicate updated its victim shaming blog to indicate that it is now selling access to many of the organizations it has hacked.
Tomi Engdahl says:
Polygon pays out record $2 million bug bounty reward for critical vulnerability https://portswigger.net/daily-swig/polygon-pays-out-record-2-million-bug-bounty-reward-for-critical-vulnerability
Polygon, a blockchain technology company, has paid out $2 million in bug bounty rewards for a double spend’ vulnerability that could have wreaked havoc across its network. The flaw, discovered by ethical hacker Gerhard Wagner, enabled an attacker to double the amount of cryptocurrency they intend to withdraw up to 233 times.
Tomi Engdahl says:
Kansas Man Admits Hacking Public Water Facility
https://www.securityweek.com/kansas-man-admits-hacking-public-water-facility
Roughly seven months after being indicted for his actions, a Kansas man admitted in court to tampering with the systems at the Post Rock Rural Water District.
The plant’s system, investigators discovered, was accessed from Travnichek’s cell phone and the device was in his possession when the facility was shut down. The defendant told investigators that on the night of the incident he was intoxicated and didn’t remember anything.
“Protecting America’s drinking water is a top EPA priority. EPA will continue our focused efforts with DOJ and the states as we investigate and pursue any threats that might be directed toward vital community drinking water resources,” said Lance Ehrig of the Environmental Protection Agency’s Criminal Investigation Division in Kansas.
Tomi Engdahl says:
CISA Raises Alarm on Critical Vulnerability in Discourse Forum Software
https://www.securityweek.com/cisa-raises-alarm-critical-vulnerability-discourse-forum-software
The United States Cybersecurity and Infrastructure Security Agency (CISA) over the weekend issued an alert on a critical vulnerability in open source discussion platform Discourse.
Residing in the upstream aws-sdk-sns gem, the issue is a validation error that can be exploited to achieve remote code execution in Discourse. To exploit the bug, an attacker would need to send a maliciously crafted request.
Tracked as CVE-2021-41163, the vulnerability has a CVSS score of 10 and exists because of a lack of validation in subscribe_url values.
Both CISA and Discourse, which released a patch for the security flaw last week, refrained from providing technical details on the issue, due to potential exploitation attempts.
The vulnerability was addressed in Discourse versions 2.7.9 (stable) and 2.8.0.beta7 (beta and tests-passed).
“CISA urges developers to update to patched versions 2.7.9 or later or apply the necessary workarounds,” the US agency said on Sunday.
Tomi Engdahl says:
Russia-Linked SolarWinds Hackers Continue Supply Chain Attack Rampage
https://www.securityweek.com/russia-linked-solarwinds-hackers-continue-launching-supply-chain-attacks
Tomi Engdahl says:
Researcher Earns $2 Million for Critical Vulnerability in Polygon
https://www.securityweek.com/researcher-earns-2-million-critical-vulnerability-polygon
Security researcher Gerhard Wagner earned a $2 million bug bounty reward for a critical vulnerability in Polygon’s Plasma Bridge that could have allowed a malicious user to submit the same withdrawal transaction 224 times, with different exit IDs.
Specifically, a user could deposit a specific amount to the Polygon Plasma Bridge, withdraw the entire sum, and then submit the same withdrawal transaction an additional 223 times, each time receiving the full amount. Basically, one could deposit $1 million and withdraw $224 million.
With the DepositManager for the Plasma Bridge holding roughly $850 million in total, an attacker could have depleted the entire amount using multiple fraudulent transactions.
Polygon’s solution has been designed to provide a blockchain bridge – a method of connecting two distinct blockchains –, creating a two-way transaction channel that enables users to move assets from the root chain (Ethereum) to the child chain (Polygon).
Tomi Engdahl says:
Facebook Sues Ukrainian for Scraping, Selling Data of 178 Million Users
https://www.securityweek.com/facebook-sues-ukrainian-scraping-selling-data-178-million-users
Tomi Engdahl says:
Having learned NOTHING from last week, Missouri Governor Mike Parson doubles down again…this time he is using a political action committee to advertise disinformation about the incident.
It’s about as fascist as you would expect it to be.
Parson doubles down on push to prosecute reporter who found security flaw in state site
https://missouriindependent.com/2021/10/21/parson-doubles-down-on-push-to-prosecute-reporter-who-found-security-flaw-in-state-site/
Meanwhile, the governor’s estimate that the incident would cost the state $50 million continues to be called into question
Gov. Mike Parson escalated his war with the St. Louis Post-Dispatch on Wednesday when his political operation published a video doubling down on his attack against a reporter who informed the state that a state website revealed teacher Social Security numbers.
The video is produced by Uniting Missouri, a political action committee created by Parson supporters to back his 2020 election campaign. The PAC continues to raise and spend large sums of money to promote Parson’s political agenda. It operates without direct input from Parson on its activities.
“The St. Louis Post-Dispatch is purely playing politics,” the ad states. “Exploiting personal information is a squalid excuse for journalism.”
The ad comes less than a week after Parson’s widely criticized demand for an investigation and prosecution of the reporter who discovered the security flaw in a state website, along with “all those involved.” Parson read a statement calling the reporter “
Social Security numbers for teachers, administrators and counselors was visible in the HTML code of a publicly accessible site operated by the state education department.
The newspaper informed the state of the problem and promised not to publish any story until the issue was fixed.
“We stand by our reporting and our reporter who did everything right,” Post-Dispatch Publisher Ian Caso said in a story in his newspaper. “It’s regrettable the governor has chosen to deflect blame onto the journalists who uncovered the website’s problem and brought it to DESE’s attention.”
Parson said the Missouri State Highway Patrol would investigate and that Cole County Prosecuting Attorney Locke Thompson had been notified.
$50 million price tag
The video continuing the attack on the Post-Dispatch was posted online as Democrats on the House Budget Committee continued to question Parson’s estimate that it will take $50 million to respond “to this one incident alone and divert workers and resources from other state agencies.”
The Public Schools and Education Employees Retirement System responded to a different potential data exposure on Sept. 11 by offering all 350,000 members credit monitoring, identity theft protection and the services of a call center through a contract with Experian, according to Dearld Snider, the agency’s executive director.
The cost of that response was just under $600,000.
State Rep. Peter Merideth, D-St. Louis, said the only thing lawmakers have been told would come from the $50 million Parson cited from the latest security breach would be credit protection and a call center for approximately 100,000 educators.
The biggest cost, he said, will be studying the state’s computer systems and upgrading them to provide better service and security.
“It is not about what the reporter did,” Merideth said, “it is about the vulnerability and the outdated systems we have.”
Kelli Jones, spokeswoman for the governor, has not responded to requests seeking information on the cost estimate used by Parson.
“It is important we take data security as seriously as physical security,” Jones said.
The union has not joined Parson’s call for prosecution of the journalist.
“There is nothing that indicates to me,” Jones said, “that the reporter did anything but act ethically within the bounds of good journalism.”
Tomi Engdahl says:
BillQuick Billing Software Exploited to Hack U.S. Engineering Company
https://www.securityweek.com/billquick-billing-software-exploited-hack-us-engineering-company
Hackers abused the BillQuick Web Suite billing software to compromise the network of an engineering company in the United States and deploy ransomware, threat detection firm Huntress reports.
The attack exploited a critical vulnerability in BQE Software’s BillQuick Web Suite versions 2018 through 2021, before 22.0.9.1. Tracked as CVE-2021-42258, the issue is described as an SQL injection bug that could be exploited for unauthenticated remote code execution.
While attempting to recreate the attack in their lab, Huntress’ security researchers identified multiple SQL injection points. Without authentication, they were able to remotely leak sensitive employee information from the billing software’s databases.
Tomi Engdahl says:
Researcher Explains Wi-Fi Password Cracking at Scale
https://www.securityweek.com/researcher-explains-wi-fi-password-cracking-scale
A security researcher at CyberArk was able to easily break more than 70 percent of Wi-Fi passwords he sniffed using relatively simple, cheap equipment.
Conducted in Tel Aviv, the researcher’s experiment showed just how easy an attacker could hack into home and enterprise networks, by simply walking around a city with the right equipment in hand.
For his experiment, CyberArk’s Ido Hoorvitch used an AWUS036ACH ALFA Network card, which costs around $50, and provides both monitoring and packet injection capabilities, connected it to an Ubuntu system, and walked around the center of Tel Aviv with the system in a backpack, to sniff Wi-Fi networks.
Hoorvitch said the attack exploits a vulnerability in RSN IE (Robust Security Network Information Element) that allows for the retrieval of the PMKID, a hash used for roaming capabilities between access points. The PMKID is driven from a PMK (generated from SSID and the WiFi password), the MAC address of the AP, and the client MAC address.
After successfully sniffing 5000 networks, the researcher moved to cracking the passwords, using the hashcat password recovery tool, which supports dictionary and rules and mask attacks.
Hoorvitch says he was able to successfully crack roughly 3,600 of the passwords, thus being able to hack all of the corresponding Wi-Fi networks.
Cracking WiFi at Scale with One Simple Trick
https://www.cyberark.com/resources/threat-research-blog/cracking-wifi-at-scale-with-one-simple-trick
How I Cracked 70% of Tel Aviv’s Wifi Networks (from a Sample of 5,000 Gathered WiFi).
In the past seven years that I’ve lived in Tel Aviv, I’ve changed apartments four times. Every time I faced the same scenario: the internet company took several days to connect the apartment, leaving me disconnected and frustrated while trying to watch laggy Netflix on the TV with my cellphone hotspot. A solution I have to this scenario is having the “Hello. I am the new neighbor” talk with the neighbors while trying to get their cell phone number in case of emergencies — and asking if I could use their WiFi until the cable company connected me. I think we all can agree that not having internet easily falls into the emergency category! Often, their cell phone number was also their WiFi password!
I hypothesized that most people living in Israel (and globally) have unsafe WiFi passwords that can be easily cracked or even guessed by curious neighbors or malicious actors.
The combination of my past experience, a relatively new WiFi attack that I will explain momentarily, a new monster cracking rig (8 x QUADRO RTX 8000 48GB GPUs) in CyberArk Labs and the fact that WiFi is everywhere because connectivity is more important than ever drove me to research, whether I was right with my hypothesis or maybe just lucky.
Tomi Engdahl says:
Iran Blames Cyberattack as Fuel Supply Hit
https://www.securityweek.com/iran-blames-cyberattack-fuel-supply-hit
Iranian authorities on Tuesday blamed a mysterious cyber attack for unprecedented disruption to the country’s fuel distribution network.
Iran is a major oil producer and the country’s motorists, used to cheap petrol, were surprised to see filling stations inexplicably closing one after the other and queues growing longer.
“The Supreme National Security Council confirmed that there has been a cyber attack against the petrol distribution computer system,” state television said.
It had earlier reported that the interruption was due to “disruptions to the computer system”.
Tomi Engdahl says:
Mozilla Blocks Malicious Firefox Add-Ons Abusing Proxy API
https://www.securityweek.com/mozilla-blocks-malicious-firefox-add-ons-abusing-proxy-api
The open-source Mozilla Foundation says it blocked a series of malicious Firefox add-ons that misused the proxy API that extensions use to proxy web requests.
The API allows add-ons to control the manner in which the browser connects to the Internet, and some extensions were found to abuse this.
Specifically, the manner in which the offending add-ons interacted with the API prevented users from accessing updated blocklists, from downloading updates, and from updating content remotely configured.
According to Mozilla, a total of 455,000 users downloaded and installed the malicious add-ons before the browser maker was able to block the extensions.
“Starting with Firefox 91.1, Firefox now includes changes to fall back to direct connections when Firefox makes an important request (such as those for updates) via a proxy configuration that fails,” Mozilla explains.
Securing the proxy API for Firefox add-ons
https://blog.mozilla.org/security/2021/10/25/securing-the-proxy-api-for-firefox-add-ons/
Tomi Engdahl says:
Adobe Patches Gaping Security Flaws in 14 Software Products
https://www.securityweek.com/adobe-patches-gaping-security-flaws-14-software-products
Adobe on Tuesday released a slew of urgent patches with fixes for more than 90 documented vulnerabilities that expose Windows, macOS and Linux users to malicious hacker attacks.
The security defects affect a wide range of popular products, including Adobe Photoshop, Adobe InDesign, Adobe Illustrator and Adobe Premiere.
Tomi Engdahl says:
150 People Arrested in US-Europe Darknet Drug Probe
https://www.securityweek.com/150-people-arrested-us-europe-darknet-drug-probe
Law enforcement officials in the U.S. and Europe have arrested 150 people and seized more than $31 million in an international drug trafficking investigation stemming from sales on the darknet, the Justice Department said Tuesday.
The arrests are connected to a 10-month investigation between federal law enforcement officials in the U.S. and Europol in Europe. Prosecutors allege those charges are responsible for tens of thousands of illegal sales in the U.S., the United Kingdom, Australia, Bulgaria, France, Germany, Italy, the Netherlands and Switzerland.
The Justice Department says investigators have seized over $31.6 million in cash and virtual currency and 45 guns.
Tomi Engdahl says:
Suspected cyberattack temporarily disrupts gas stations across Iran https://therecord.media/suspected-cyberattack-temporarily-disrupts-gas-stations-across-iran/
A software glitch believed to have been caused by a cyberattack has disrupted gas stations across Iran and defaced gas pump screens and gas price billboards. The incident, which took place earlier this morning, impacted the IT network of NIOPDC, a state-owned gas distribution company that manages more than 3, 500 gas stations across Iran.
Tomi Engdahl says:
Tori.fi:ssä tietovuoto
https://www.iltalehti.fi/tietoturva/a/fe54b215-1b25-47d4-a738-5378616c4b70
Tori.fi vahvistaa Iltalehdelle, että käyttäjien piilotettuja puhelinnumeroita on päässyt vuotamaan. Tori.fi vaatii puhelinnumeron ilmoittamista myynti-ilmoitusta tehdessä, vaikka sitä ei ilmoituksessa näytettäisikään. Tästä huolimatta numeroita on päätynyt huijareiden käsiin.
Tomi Engdahl says:
FBI Raids Chinese Point-of-Sale Giant PAX Technology https://krebsonsecurity.com/2021/10/fbi-raids-chinese-point-of-sale-giant-pax-technology/
U.S. federal investigators today raided the Florida offices of PAX Technology, a Chinese provider of point-of-sale devices used by millions of businesses and retailers globally. KrebsOnSecurity has learned the raid is tied to reports that PAX’s systems may have been involved in cyberattacks on U.S. and E.U. organizations.
Tomi Engdahl says:
FCC revokes license for China Telecom Americas amid national security concerns https://therecord.media/fcc-revokes-license-for-china-telecom-americas-amid-national-security-concerns/
The U.S. Federal Communications Commission voted unanimously to revoke China Telecom Americas U.S. operating license on Tuesday, citing national security concerns. Among the reasons cited for the switch:
China Telecom’s status as a subsidiary of a state-owned enterprise and the possibility that the company could provide a conduit for hackers intent on launching cyber attacks in this country.
Tomi Engdahl says:
Operation Secondary Infektion Impersonates Swedish Riksdag, Targets European Audiences https://www.recordedfuture.com/operation-secondary-infektion-impersonates-swedish-riksdag/
Recorded Future’s Insikt Group has located an image of a photoshopped screenshot, purportedly from the website of the Swedish Riksdag
(Parliament) and circulating on a Swedish-language forum website and among Ukrainian sources, claiming that Sweden and Ukraine look to join NATO as soon as possible. We believe that this is an effort to sow mistrust of Sweden’s political figures domestically, create uncertainty and false optimism among Ukrainians, and shape negative perceptions of NATO and Ukraine among Russian audiences. This campaign is highly likely an instance of the likely Russian state-sponsored information operation “Secondary Infektion”. Full analysis here:
https://go.recordedfuture.com/hubfs/reports/cta-2021-1026.pdf
Tomi Engdahl says:
Researcher cracked 70% of WiFi networks sampled in Tel Aviv https://www.bleepingcomputer.com/news/security/researcher-cracked-70-percent-of-wifi-networks-sampled-in-tel-aviv/
A researcher has managed to crack 70% of a 5, 000 WiFi network sample in his hometown, Tel Aviv, to prove that home networks are severely unsecured and easy to hijack.
Tomi Engdahl says:
Catalin Cimpanu / The Record:
Hackers steal an estimated $130M from DeFi platform Cream Finance in a flash loan attack; the company lost $37M in Feb. and $29M in Aug. in similar attacks
https://therecord.media/hackers-steal-130-million-from-cream-finance-the-companys-3rd-hack-this-year/
Tomi Engdahl says:
New York Times:
Facebook tells employees to preserve internal docs and communications related to its business since 2016, as governments and legislative bodies begin inquiries — Facebook has told employees to “preserve internal documents and communications since 2016” that pertain to its businesses …
https://www.nytimes.com/2021/10/27/technology/facebook-legal-communications.html
Tomi Engdahl says:
Wall Street Journal:
Sources: FTC staff are investigating whether Frances Haugen’s documents show Facebook violated a 2019 privacy settlement that included a record $5B fine
Federal Trade Commission Scrutinizing Facebook Disclosures
https://www.nytimes.com/2021/10/27/technology/facebook-legal-communications.html
Lawmakers want agency to determine if Facebook engaged in deceptive conduct; company says internal research is mischaracterized
Tomi Engdahl says:
Federal Trade Commission Scrutinizing Facebook Disclosures
Lawmakers want agency to determine if Facebook engaged in deceptive conduct; company says internal research is mischaracterized
https://www.wsj.com/articles/facebook-ftc-privacy-kids-11635289993?mod=djemalertNEWS
Tomi Engdahl says:
https://www.securityweek.com/apple-patches-22-security-flaws-haunting-iphones
Tomi Engdahl says:
Apple Patches 22 Security Flaws Haunting iPhones
https://www.securityweek.com/apple-patches-22-security-flaws-haunting-iphones
By Ryan Naraine on October 27, 2021
Apple has released another IOS 15 update with patches for 22 serious security defects in a wide range of iPhone and iPad software components.
Tomi Engdahl says:
Yubico Launches New Security Key With USB-C and NFC
https://www.securityweek.com/yubico-launches-new-security-key-usb-c-and-nfc
Yubico on Tuesday announced the launch of Security Key C NFC, a new hardware security key that includes NFC capabilities in a USB-C form factor.
Designed with FIDO-only support, the new authenticator can be used with both desktop and mobile applications, services, and user accounts. Courtesy of NFC support, the security key provides tap-and-go authentication.
The Security Key C NFC is now available for purchase at $29 (€29). For those looking for a USB-A form factor, Yubico has the Security Key NFC available at $25 (€25).
Tomi Engdahl says:
Washington Secretary of State Appointed CISA’s Senior Election Security Lead
https://www.securityweek.com/washington-secretary-state-appointed-cisa%E2%80%99s-senior-election-security-lead
The United States Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday announced the appointment of Washington Secretary of State Kim Wyman as its Senior Election Security Lead.
Tomi Engdahl says:
North Korean Hackers Targeting IT Supply Chain: Kaspersky
https://www.securityweek.com/kaspersky-north-korean-hackers-targeting-it-supply-chain
The North Korea-linked state-sponsored hacking group Lazarus has started to target the IT supply chain in recent attacks, according to cybersecurity firm Kaspersky.
As part of the observed attacks, the group used an updated DeathNote malware cluster, which includes a slightly modified version of BLINDINGCAN, a piece of malware that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) associated with the group.
A new variant of COPPERHEDGE, which Lazarus has been using for at least two years, was also used in these attacks.
Tomi Engdahl says:
Fuji Electric Patches Vulnerabilities in Factory Monitoring Software
https://www.securityweek.com/fuji-electric-patches-vulnerabilities-factory-monitoring-software
Tomi Engdahl says:
Iran Struggles to Relaunch Petrol Stations After Cyberattack
https://www.securityweek.com/iran-struggles-relaunch-petrol-stations-after-cyberattack
Iran struggled Wednesday to restart its petrol distribution system after it was hit by an unprecedented cyber-attack which security officials said was launched from abroad.
The unclaimed attack crippled the country’s system of government-issued electronic cards which motorists use to purchase heavily subsidised fuel.
Long queues have formed outside petrol stations, angering motorists in a country already suffering under tough economic sanctions over its nuclear dispute with major powers.
https://www.securityweek.com/iran-blames-cyberattack-fuel-supply-hit
Tomi Engdahl says:
Free decrypters released for AtomSilo, Babuk, and LockFile ransomware strains https://therecord.media/free-decrypters-released-for-atomsilo-babuk-and-lockfile-ransomware-strains/
Antivirus maker and cyber-security firm Avast has released today free decryption utilities to recover files that have been encrypted by three ransomware strainsAtomSilo, Babuk, and LockFile. The AtomSilo and LockFile decrypters are being offered as one single download because of the similarities between the two ransomware strains.
Tomi Engdahl says:
Babuk ransomware decryptor released to recover files for free https://www.bleepingcomputer.com/news/security/babuk-ransomware-decryptor-released-to-recover-files-for-free/
Czech cybersecurity software firm Avast has created and released a decryption tool to help Babuk ransomware victims recover their files for free. According to Avast Threat Labs, the Babuk decryptor was created using leaked source code and decryption keys.
Tomi Engdahl says:
Workers sent home after ransomware attack on major automotive parts manufacturer https://therecord.media/workers-sent-home-after-ransomware-attack-on-major-automotive-parts-manufacturer/
German multinational company Eberspächer Group has sent a part of its factory workforce home on paid leave while its management and IT teams are dealing with a ransomware attack that crippled its IT systems over the weekend. The Eberspächer Group currently employs more than 10, 000 workers, operates production plants in 80 locations across 28 countries, and is known for building air conditioning, heating, and exhaust systems, which it supplies to almost all of today’s top car brands.
Tomi Engdahl says:
Ransomware gang claims attack on NRA
https://therecord.media/ransomware-gang-claims-attack-on-nra/
The operators of the Grief ransomware have listed today the US National Rifle Association (NRA) as a victim of one of their attacks.
The organization’s name was listed on a dark web portal, often called a “leak site, ” where the Grief gang typically lists companies they infected and which haven’t paid their ransom demands.
Tomi Engdahl says:
Hackers arrested for infiltrating’ Ukraine’s health database https://www.bleepingcomputer.com/news/security/hackers-arrested-for-infiltrating-ukraine-s-health-database/
The Security Service of Ukraine (SSU) has arrested a team of actors who illegally infiltrated the information system of the National Health Service of Ukraine (NHSU) and entered false vaccination entries for other people. The actors found clients in the Sumy region through a team of doctors who participated in the scheme and offered to create false COVID-19 vaccination certificates for anyone who paid them 3,
000 hryvnias ($114).
Tomi Engdahl says:
Cyber-attack hits UK internet phone providers
https://www.bbc.com/news/technology-59053876
An “unprecedented” and co-ordinated cyber-attack has struck multiple UK-based providers of voice over internet protocol (VoIP) services, according to an industry body. Industry body Comms Council UK said several of its members had been targeted by distributed denial of service (DDoS) attacks in recent weeks.
Tomi Engdahl says:
Multiple vulnerabilities in Apple iOS 14 and iPadOS 14 prior to iOS
14.8.1 and iPadOS 14.8.1
https://support.apple.com/en-us/HT212868
Update available to iOS and iPadOS, update to 14.8.1
Multiple vulnerabilities in Apple iOS 15 and iPadOS 15 prior to iOS
15.1 and iPadOS 15.1
https://support.apple.com/en-us/HT212867
Update available to iOS and iPadOS, update to 15.1
Tomi Engdahl says:
Hackers Leak Private Details of Thousands in Israeli Army, Threaten Gantz
https://lm.facebook.com/l.php?u=https%3A%2F%2Fwww.haaretz.com%2Fisrael-news%2F.premium-hackers-leak-private-details-of-thousands-in-israeli-army-threaten-gantz-1.10330266&h=AT0qfHWNPwbza1jIngNHVbg_CmJGRiiCn5XKDpZi4IVdLbvnWmtbumcGqytpgrJekdzfFVcauEYGkBN8a4K-jwP24yeAU3fxCxiykOsG-QlVhW4_TC-fHciL8viTp3frtoIH3sT5kIdG4D5eXg
‘Moses Staff’, the group of hackers who are believed to be composed of Iranian nationals, claimed they have acquired ‘troop deployment information’ of the Israeli army
A group of hackers leaked the private details of hundreds of IDF personnel and thousands of teenagers nearing enlistment age online on Tuesday, only a day after posting personal photographs of Defense Minister Benny Gantz, one of which showed the former army chief of staff pretending to milk a statue of a cow.
According to the report, the data dump included soldiers’ ranks, units and contact details, as well as more private information relating to their personal lives which they had shared with their commanders.
A cyberattack shut down the computer system of Hadera’s Hillel Yaffe Medical Center two weeks ago, forcing staff to record and transmit all patient information by hand. A week earlier, Microsoft reported that hackers linked to Iran had tried to break into 250 Microsoft Office 365 accounts belonging to Israeli and American security companies using a hacking technique known as “password spraying.”
Microsoft said the targets of the attacks were defense companies that support American, European Union, and Israeli government partners producing military-grade radars, drone technology, satellite systems, and emergency response communication systems.
Microsoft said these attacks were identical to others conducted by hackers linked to Iran, alongside other signs that showed they acted under Iranian auspices.
Citing research by cybersecurity firm Acronis, financial news site Calcalist reported last week that 36 percent of Israeli companies have experienced weekly cyberattacks.
Tomi Engdahl says:
Lawrence Abrams / BleepingComputer:
Google releases a Chrome update that fixes seven vulnerabilities, including two zero-days exploited in the wild — Google has released Chrome 95.0.4638.69 for Windows, Mac, and Linux to fix two zero-day vulnerabilities that attackers have actively exploited.
Emergency Google Chrome update fixes zero-days used in attacks
https://www.bleepingcomputer.com/news/google/emergency-google-chrome-update-fixes-zero-days-used-in-attacks/
Google has released Chrome 95.0.4638.69 for Windows, Mac, and Linux to fix two zero-day vulnerabilities that attackers have actively exploited.
“Google is aware that exploits for CVE-2021-38000 and CVE-2021-38003 exist in the wild,” Google disclosed in the list of security fixes in today’s Google Chrome release.
While Google states that the new version may take some time to reach everyone, the update has already started rolling out Chrome 95.0.4638.69 to users worldwide in the Stable Desktop channel.
To install the Chrome update immediately, go to Chrome menu > Help > About Google Chrome, and the browser will begin performing the update.
Tomi Engdahl says:
Jon Porter / The Verge:
Google says it will roll out e2e encrypted phone calls on Google Fi over the coming weeks — But only for calls between two Android phones on Fi — In the coming weeks, Google is rolling out end-to-end encrypted phone calls on its Google Fi MVNO, the search giant announced today.
Google Fi is getting end-to-end encrypted phone calls
https://www.theverge.com/2021/10/28/22750313/google-fi-end-to-end-encrypted-phone-calls-android?scrolla=5eb6d68b7fedc32c19ef33b4
But only for calls between two Android phones on Fi
Tomi Engdahl says:
German investigators identify REvil ransomware gang core member https://www.bleepingcomputer.com/news/security/german-investigators-identify-revil-ransomware-gang-core-member/
German investigators have reportedly identified a Russian man whom they believe to be one of REvil ransomware gang’s core members, one of the most notorious and successful ransomware groups in recent years.
While the suspect’s real identity has not been revealed, German media is calling him by the fictitious name ‘Nikolay K.’, and report that investigators linked him to Bitcoin ransom payments associated with the GandCrab ransomware group.
Tomi Engdahl says:
Dark HunTOR: 150 arrested, $31 million seized in major dark web bust https://www.welivesecurity.com/2021/10/27/dark-huntor-150-arrested-31-million-seized-major-dark-web-bust/
The police sting spanned three continents and involved crackdowns in nine countries. Law enforcement agencies from Europe, the United States and Australia have teamed up to arrest some 150 people who are believed to have sold and bought illegal drugs and other illicit goods on the dark web.
Tomi Engdahl says:
Ransomware gangs use SEO poisoning to infect visitors https://www.bleepingcomputer.com/news/security/ransomware-gangs-use-seo-poisoning-to-infect-visitors/
Researchers have spotted two campaigns linked to either the REvil ransomware gang or the SolarMarker backdoor that use SEO poisoning to serve payloads to targets. SEO poisoning, also known as “search poisoning, ” is an attack method that relies on optimizing websites using ‘black hat’ SEO techniques to rank higher in Google search results.
Tomi Engdahl says:
Indian supreme court orders inquiry into state’s use of Pegasus spyware https://www.theguardian.com/news/2021/oct/27/indian-supreme-court-orders-inquiry-into-states-use-of-pegasus-spyware
India’s supreme court has ordered an independent inquiry into whether the government used the surveillance software Pegasus to spy illegally on journalists, activists and political opponents.
Tomi Engdahl says:
Android smartphones infected with rare rooting malware https://therecord.media/android-smartphones-infected-with-rare-rooting-malware/
Security researchers at Lookout have discovered a new Android malware strain that contains the ability to root smartphones, a feature that has become quite rare in Android malware strains in recent years. The AbstractEmu malware was distributed hidden inside 19 Android applications that were uploaded on Google Play, the Amazon Appstore, the Samsung Galaxy Store, and other unofficial third-party app stores.
Tomi Engdahl says:
Android spyware apps target Israel in three-year-long campaign https://www.bleepingcomputer.com/news/security/android-spyware-apps-target-israel-in-three-year-long-campaign/
A set of seemingly innocuous Android apps have been infecting Israeli users with spyware since 2018, and the campaign continues to this day.
The spyware-laden apps were discovered by researchers at Qihoo 360 who found various apps disguised as social applications, Threema, Al-Aqsa Radio, Al-Aqsa Mosque, Jerusalem Guide, PDF viewer, Wire, and other applications.
Android spyware spreading as antivirus software in Japan https://www.bleepingcomputer.com/news/security/android-spyware-spreading-as-antivirus-software-in-japan/
A new variant of the Android info-stealer called FakeCop has been spotted by Japanese security researchers, who warn that the distribution of the malicious APK is picking up pace.
Tomi Engdahl says:
Cybersecurity researchers on Wednesday took the wraps off a “simple yet remarkable” malware loader for malicious Windows binaries targeting Central Europe, North America and the Middle East https://thehackernews.com/2021/10/new-wslink-malware-loader-runs-as.html
Codenamed “Wslink” by ESET, this previously undocumented malware stands apart from the rest in that it runs as a server and executes received modules in memory. There are no specifics available on the initial compromise vector and there are no code or operational overlaps that tie this tool to a known threat actor group.
Tomi Engdahl says:
Israeli Researcher Cracked Over 3500 Wi-Fi Networks in Tel Aviv City https://thehackernews.com/2021/10/israeli-researcher-cracked-over-3500-wi.html
Over 70% of Wi-Fi networks from a sample size of 5, 000 were hacked with “relative ease” in the Israeli city of Tel Aviv, highlighting how unsecure Wi-Fi passwords can become a gateway for serious threats to individuals, small businesses, and enterprises alike.