Cyber security news November 2021

This posting is here to collect cyber security news in November 2021.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.

373 Comments

  1. Tomi Engdahl says:

    MosesStaff attacks organizations with encryption malware: No payment demand made
    Israeli firms are being targeted for purely political and destructive purposes.
    https://www.zdnet.com/article/mosesstaff-attackers-deploy-ransomware-on-your-systems-no-payment-no-decryption-possible/

    Reply
  2. Tomi Engdahl says:

    CISA warns of equipment vulnerabilities from multiple vendors
    CISA said the issues were found in equipment from Eclipse, eProsima, GurumNetworks, Object Computing, Inc. (OCI), Real-Time Innovations (RTI), and TwinOaks Computing.

    Reply
  3. Tomi Engdahl says:

    Researchers wait 12 months to report vulnerability with 9.8 out of 10 severity rating
    Palo Alto Networks patches critical buffer overflow bug in its GlobalProtect VPN.
    https://arstechnica.com/gadgets/2021/11/vpn-vulnerability-on-10k-servers-has-severity-rating-of-9-8-out-of-10/

    Reply
  4. Tomi Engdahl says:

    Patch now! FatPipe VPN zero-day actively exploited https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/11/patch-now-fatpipe-vpn-zero-day-actively-exploited/
    Older versions of the device software used by FatPipe’s MPVPN, WARP, and IPVPN products are all vulnerable to a serious zero-day exploit that has been actively exploited in the wild for at least six months.
    FatPipe advises that versions 10.1.2r60p93 and 10.2.2r44p1 of its software, or later, are the ones you need. If you are unable to update immediately, FatPipe recommends you cut off access to your admin console from the Internet at large: “disable UI access on all the WAN interfaces or configure Access Lists on the interface page to allow access only from trusted sources.”

    Reply
  5. Tomi Engdahl says:

    Malicious Python packages caught stealing Discord tokens, installing shells https://therecord.media/malicious-python-packages-caught-stealing-discord-tokens-installing-shells/
    The operators of the Python Package Index (PyPI) have removed this week 11 Python libraries from their portal for various malicious behaviors, including the collection and theft of user data, passwords, and Discord access tokens and the installation of remote access shells for remote access to infected systems. According to the security team at DevOps platform JFrog, which discovered this set of malicious libraries, the 11 packages had been downloaded and installed more than 30,000 times before the packages were spotted and reported. Infected / malicious packages: importantpackage, important-package, pptest, ipboards, owlmoon, DiscordSafety, trrfab, 10Cent10, 10Cent11, yandex-yt, and yiffparty.

    Reply
  6. Tomi Engdahl says:

    Squirrelwaffle Exploits ProxyShell and ProxyLogon to Hijack Email Chains https://www.trendmicro.com/en_us/research/21/k/Squirrelwaffle-Exploits-ProxyShell-and-ProxyLogon-to-Hijack-Email-Chains.html
    In September, Squirrelwaffle emerged as a new loader that is spread through spam campaigns. It is known for sending its malicious emails as replies to preexisting email chains, a tactic that lowers a victim’s guard against malicious activities. To be able to pull this off, we believe it involved the use of a chain of both ProxyLogon and ProxyShell exploits. The Trend Micro Incident Response team looked into several intrusions related to Squirrelwaffle, that happened in the Middle East. This led to a deeper investigation into the initial access of these attacks. We wanted to see if the attacks involved the said exploits.

    Reply
  7. Tomi Engdahl says:

    Experts Expose Secrets of Conti Ransomware Group That Made 25 Million from Victims https://thehackernews.com/2021/11/experts-expose-secrets-of-conti.html
    The clearnet and dark web payment portals operated by the Conti ransomware group have gone down in what appears to be an attempt to shift to new infrastructure after details about the gang’s inner workings and its members were made public. According to MalwareHunterTeam, “while both the clearweb and Tor domains of the leak site of the Conti ransomware gang is online and working, both their clearweb and Tor domains for the payment site (which is obviously more important than the leak) is down.” Three members of the Conti team have been identified so far, each playing the roles of admin (“Tokyo”), assistant (“it_work_support@xmpp[.]jp”), and recruiter (“IT_Work”) to attract new affiliates into their network.

    Reply
  8. Tomi Engdahl says:

    When must a data breach also be reported to the patient?
    The Data Protection Ombudsman issued guidance
    https://www.tivi.fi/uutiset/tv/64a2bb65-4bf3-4480-b8e5-ff4980d1adec
    The Deputy Data Protection Ombudsman has sent a letter of guidance to social and health care operators, intended to harmonise the practices for reporting personal data breaches.
    The Office of the Data Protection Ombudsman has observed that the sector needs more detailed guidance on reporting personal data breaches.
    Among other things, the letter gives examples of the notification obligation in various situations. The letter:
    https://tietosuoja.fi/documents/6927448/58640544/TSV_Tietoturvaloukkauksia+koskeva+kirje.pdf/17b870d9-3d04-6dee-e294-c47be48a42c0/TSV_Tietoturvaloukkauksia+koskeva+kirje.pdf

    Reply
  9. Tomi Engdahl says:

    Clop gang exploiting SolarWinds Serv-U flaw in ransomware attacks https://www.bleepingcomputer.com/news/security/clop-gang-exploiting-solarwinds-serv-u-flaw-in-ransomware-attacks/
    The Clop ransomware gang, also tracked as TA505 and FIN11, is exploiting a SolarWinds Serv-U vulnerability to breach corporate networks and ultimately encrypt its devices. The Serv-U Managed File Transfer and Serv-U Secure FTP remote code execution vulnerability, tracked as CVE-2021-35211, allows a remote threat actor to execute commands on a vulnerable server with elevated privileges. SolarWinds released an emergency security update in July 2021 after discovering “a single threat actor” exploiting it in attacks. The company also warned that this vulnerability only affects customers who have enabled the SSH feature, which is commonly used to further protect connections to the FTP server.

    Reply
  10. Tomi Engdahl says:

    Iranians Charged in Cyberattacks Against U.S. 2020 Election https://threatpost.com/iranians-charged-cyberattacks-2020-election/176488/
    The U.S. Department of Justice has unsealed charges against two Iranian nationals for cyberattacks against the U.S. 2020 presidential campaign, and there’s a $10 million reward offered for information on their activities. The two men, Seyyed Mohammad Hosein Musa Kazemi and Sajjad Kashian, allegedly stole voter information and engaged in intimidation and disinformation aimed at undermining confidence in the election, according to a newly unsealed indictment. The Department of Justice identified the two as contractors for Iran-based cybersecurity company Emennet Pasargad, formerly Eleyanet Gostar, reportedly a known vendor for the Iranian government.

    Reply
  11. Tomi Engdahl says:

    A slap at the NFT hype: a project paying homage to The Pirate Bay contains 15 terabytes of images https://www.tivi.fi/uutiset/tv/16324a12-6c42-4b68-9d58-fe623b4f6a5e
    Non-fungible tokens, or NFTs, have been hugely hyped this year. These digital collectibles have sold for as much as tens of millions, and signs of a bubble have been visible. As a small counterstrike to this hype, The NFT Bay has been created, which is also a tribute to the well-known piracy site The Pirate Bay. The NFT Bay’s description mimics The Pirate Bay’s look and asks the following:
    “Did you know that an NFT is just a hyperlink to an image that is usually stored on Google Drive or another web 2.0 platform?”

    Reply
  12. Tomi Engdahl says:

    Emotet botnet comeback orchestrated by Conti ransomware gang https://www.bleepingcomputer.com/news/security/emotet-botnet-comeback-orchestrated-by-conti-ransomware-gang/
    The Emotet botnet is back by popular demand, resurrected by its former operator, who was convinced by members of the Conti ransomware gang.
    Security researchers at intelligence company Advanced Intelligence (AdvIntel) believe that restarting the project was driven by the void Emotet itself left behind on the high-quality initial access market after law enforcement took it down ten months ago. The revival of the botnet follows a long period of malware loader shortage and the decline of decentralized ransomware operations that allowed organized crime syndicates to rise again.

    Reply
  13. Tomi Engdahl says:

    Fake TSA PreCheck sites scam US travelers with fake renewals https://www.bleepingcomputer.com/news/security/fake-tsa-precheck-sites-scam-us-travelers-with-fake-renewals/
    There has been a surge in reports of people getting scammed after visiting TSA PreCheck, Global Entry, and NEXUS application service sites, being charged $140 only to get nothing in return. Reports about these scams first appeared in March 2021, and by July, threat actors were abusing Google Ads to promote the fake sites on Google Search and increase their traffic. A report by Abnormal Security confirms that the scams are still ongoing, and as we’re heading to the Christmas travel season, the chances of more people falling victim to them multiply.

    Reply
  14. Tomi Engdahl says:

    Updated: APT Exploitation of ManageEngine ADSelfService Plus Vulnerability https://us-cert.cisa.gov/ncas/current-activity/2021/11/19/updated-apt-exploitation-manageengine-adselfservice-plus
    The Federal Bureau of Investigation (FBI), CISA, and Coast Guard Cyber Command (CGCYBER) have updated the Joint Cybersecurity Advisory (CSA) published on September 16, 2021, which details the active exploitation of an authentication bypass vulnerability (CVE-2021-40539) in Zoho ManageEngine ADSelfService Plus, a self-service password management and single sign-on solution. The update provides details on a suite of tools APT actors are using to enable this campaign: Dropper: a dropper trojan that drops Godzilla webshell on a system; Godzilla: a Chinese language web shell; NGLite: a backdoor trojan written in Go; and KdcSponge: a tool that targets undocumented APIs in Microsoft’s implementation of Kerberos for credential exfiltration.

    Reply
  15. Tomi Engdahl says:

    RedCurl Corporate Espionage Hackers Return With Updated Hacking Tools https://thehackernews.com/2021/11/redcurl-corporate-espionage-hackers.html
    A corporate cyber-espionage hacker group has resurfaced after a seven-month hiatus with new intrusions targeting four companies this year, including one of the largest wholesale stores in Russia, while simultaneously making tactical improvements to its toolset in an attempt to thwart analysis. “In every attack, the threat actor demonstrates extensive red teaming skills and the ability to bypass traditional antivirus detection using their own custom malware,” Group-IB’s Ivan Pisarev said. Active since at least November 2018, the Russian-speaking RedCurl hacking group has been linked to 30 attacks to date with the goal of corporate cyber espionage and document theft aimed at 14 organizations spanning construction, finance, consulting, retail, insurance, and legal sectors and located in the U.K., Germany, Canada, Norway, Russia, and Ukraine.

    Reply
  16. Tomi Engdahl says:

    Conti ransomware gang suffers security breach https://therecord.media/conti-ransomware-gang-suffers-security-breach/
    The Conti ransomware group has suffered an embarrassing data breach after a security firm was able to identify the real IP address of one of its most sensitive servers and then gain console access to the affected system for more than a month. The exposed server, called a payment portal or recovery site, is where the Conti gang tells victims to visit in order to negotiate ransom payments. “Our team detected a vulnerability in the recovery servers that Conti uses, and leveraged that vulnerability to discover the real IP addresses of the hidden service hosting the group’s recovery website,” Swiss security firm Prodaft said in a 37-page report published on Thursday, identifying the server as hosted on 217.12.204.135, an IP address owned by Ukrainian web hosting company ITL LLC.

    Reply
  17. Tomi Engdahl says:

    Some Tesla owners unable to unlock cars due to server errors https://www.bleepingcomputer.com/news/technology/some-tesla-owners-unable-to-unlock-cars-due-to-server-errors/
    Some Tesla owners worldwide are unable to unlock or communicate with their cars using the app due to an outage of the company’s servers.
    Starting around 4 PM EST, Tesla owners have taken to social media reporting that the Tesla app is returning a “500 server error” when attempting to communicate with the car. This outage prevents owners from using the app to get into the car and it reports an incorrect location of the car. Owners have reported the issue to Elon Musk on Twitter, who has stated that he is looking into the matter.

    Reply
  18. Tomi Engdahl says:

    Windows 10 Zero-Click Security Exploit Wanted. Reward: $3 Million https://www.forbes.com/sites/daveywinder/2021/11/21/windows-10-zero-click-security-exploit-wanted-reward-3-million/
    Million-dollar security exploits, the one-click and zero-day vulnerabilities that can cause so much harm, pretty much used to be the sole territory of state-sponsored actors. However, the ransomware pandemic has changed all that. This is very bad news for everyone, including Windows 10 users, as new research reveals. The report, ‘Vulnerability Intelligence: Do you know where your flaws are?’ found that the ceiling for such zero-day pricing has now hit $10 million.
    Not that there is evidence, as of yet, that these sums have been realized, but the chatter is there, and that’s worrying. As is the $3 million that has been put on the table by one threat actor looking for a working zero-click remote code execution exploit for Windows 10.

    Reply
  19. Tomi Engdahl says:

    US SEC warns investors of ongoing govt impersonation attacks https://www.bleepingcomputer.com/news/security/us-sec-warns-investors-of-ongoing-govt-impersonation-attacks/
    The Securities and Exchange Commission (SEC) has warned US investors of scammers impersonating SEC officials in government impersonator schemes via phone calls, voicemails, emails, and letters. The alert comes from SEC’s Office of Investor Education and Advocacy (OIEA), which regularly issues warnings to inform investors about the latest developments in investment frauds and scams. “We are aware that several individuals recently received phone calls or voicemail messages that appeared to be from an SEC phone number,” OIEA said. “The calls and messages raised purported concerns about unauthorized transactions or other suspicious activity in the recipients’ checking or cryptocurrency accounts.”

    Reply
  20. Tomi Engdahl says:

    Canadian Teen Arrested Over Theft of $36 Million in Cryptocurrency
    https://www.securityweek.com/canadian-teen-arrested-over-theft-36-million-cryptocurrency

    A Canadian teen has been arrested for their alleged role in the theft of roughly $36.5 million (CAD$46 million) worth of cryptocurrency from a single victim in the United States, according to the Hamilton Police in Ontario, Canada.

    The arrest was made following an investigation that started in March 2020 and in which the FBI and the United States Secret Service Electronic Crimes Task Force participated as well.

    SIM swapping was used to perform the cryptocurrency theft, authorities revealed. The technique involves manipulating employees at a wireless network services provider into transferring the victim’s phone number to a SIM card in the attacker’s possession.

    Reply
  21. Tomi Engdahl says:

    New ‘SharkBot’ Android Banking Malware Hitting U.S., UK and Italy Targets
    https://www.securityweek.com/new-%E2%80%98sharkbot%E2%80%99-android-banking-malware-hitting-us-uk-and-italy-targets

    A new Android banking trojan has been found, targeting international banks from the United Kingdom and Italy (including in the U.S.) and five different cryptocurrency services. Twenty-two instances have been discovered, but more are expected.

    Reply
  22. Tomi Engdahl says:

    SnapAttack Spins Out of Booz Allen Hamilton With $8 Million in Funding
    https://www.securityweek.com/snapattack-spins-out-booz-allen-hamilton-8-million-funding

    Threat hunting and detection company SnapAttack this week announced closing an $8 million funding round, just as it spun out of Booz Allen Hamilton.

    The funding round was led by Volition Capital. Booz Allen Hamilton and Strategic Cyber Ventures (SCV) also invested in the new independent company.

    SnapAttack promises an extensive library of labeled attacks, to help security teams deploy validated analytics based on hacker tradecraft. New content is continuously added to the platform to be immediately disseminated and shared.

    The platform combines red teaming (offensive) and blue teaming (defensive) tradecraft to find security defects and refine behavioral detections. A vendor-agnostic platform, it can be integrated with SIEM, EDR/XDR, and cloud solutions.

    SnapAttack’s platform — which focuses on attack emulation, detection, and behavioral analytics — can help deploy proactive security measures, to help prevent attacks before they happen.

    Reply
  23. Tomi Engdahl says:

    Ecommerce platforms (cough, Magento) need patching before Black Friday, warns UK’s National Cyber Security Centre
    https://www.theregister.com/2021/11/22/ncsc_magento_updates_black_friday_reminder/
    If you run a small online business powered by the Magento ecommerce platform, Britain’s National Cyber Security Centre (NCSC) is begging you to make sure it’s fully patched ahead of Black Friday. “Retailers are urged to ensure that Magento and any other software they use is up to date,” said the GCHQ offshoot in a statement today, adding it had notified 4,151 online stores that their Magento installations were vulnerable to compromise by criminals. “The majority of the online shops used for skimming identified by the NCSC had been compromised via a known vulnerability in Magento, a popular e-commerce platform,” said the cybersecurity agency.

    Reply
  24. Tomi Engdahl says:

    Turbine maker Vestas Wind Systems admits to cyber incident, refuses to confirm if ransomware is at play
    https://www.theregister.com/2021/11/22/vestas_wind_systems/
    Vestas Wind Systems, one of the world’s largest makers of wind turbines, today confirmed company data has been compromised in a “cyber security incident” that forced the firm to isolate parts of its IT infrastructure. Vestas, which employs 29,000 people globally, says it has installed more than 145GW of wind turbines in 85 countries, and that its sustainable energy solutions have prevented 1.5 billion tonnes of CO2 from being released into the atmosphere. In the latest update, Vestas said that according to preliminary findings, the incident “impacted all parts of Vestas’ internal IT infrastructure and that data has been compromised.” The attack bears the hallmarks of ransomware, but a spokesperson at Vestas refused to be drawn on the specific nature of the attack at this stage.

    Reply
  25. Tomi Engdahl says:

    New Golang-based Linux Malware Targeting eCommerce Websites https://thehackernews.com/2021/11/new-golang-based-linux-malware.html
    Weaknesses in e-commerce portals are being exploited to deploy a Linux backdoor as well as a credit card skimmer that’s capable of stealing payment information from compromised websites. “The attacker started with automated e-commerce attack probes, testing for dozens of weaknesses in common online store platforms,” researchers from Sansec Threat Research said in an analysis. “After a day and a half, the attacker found a file upload vulnerability in one of the store’s plugins.” The name of the affected vendor was not revealed. The initial foothold was then leveraged to upload a malicious web shell and alter the server code to siphon customer data. Additionally, the attacker delivered a Golang-based malware called “linux_avp” that serves as a backdoor to execute commands remotely sent from a command-and-control server hosted in Beijing.

    Reply
  26. Tomi Engdahl says:

    Hackers breach corporate email servers to send spam to employees
    https://therecord.media/hackers-breach-corporate-email-servers-to-send-spam-on-employees/
    A threat actor has hacked Microsoft Exchange email servers across the world in order to gain access to their internal messaging capabilities and send malicious emails to company customers and employees in the hopes of infecting them with malware. In a report on Friday, security firm Trend Micro said the attackers specifically targeted Exchange servers that haven’t been patched for old vulnerabilities like ProxyLogon (CVE-2021-26855) and ProxyShell (CVE-2021-34473 and CVE-2021-34523). Once the attackers gained access to the server, Trend Micro said they used a PowerShell feature to read and interact with the server email storage system, and they hijacked existing conversations by inserting and sending new replies to all participants.

    Reply
  27. Tomi Engdahl says:

    GoDaddy data breach impacts 1.2 million WordPress site owners
    https://therecord.media/godaddy-data-breach-impacts-1-2-million-wordpress-site-owners/
    Internet infrastructure company GoDaddy said on Monday that a hacker gained access to the personal information of more than 1.2 million customers of its WordPress hosting service. In documents filed with the US Securities and Exchange Commission earlier today, GoDaddy said it discovered the breach last week, on November 17, after noticing “suspicious activity” on its Managed WordPress hosting environment.
    The subsequent investigation found that a hacker had access to its servers for more than two months, since at least September 6. GoDaddy said it already reset sFTP and database passwords exposed in the hack.
    It also reset the admin account password for customers who were still using the default one that GoDaddy issued when their sites were created. GoDaddy statement:
    https://www.sec.gov/Archives/edgar/data/1609711/000160971121000122/gddyblogpostnov222021.htm

    Reply
  28. Tomi Engdahl says:

    Reminder for Critical Infrastructure to Stay Vigilant Against Threats During Holidays and Weekends
    https://us-cert.cisa.gov/ncas/current-activity/2021/11/22/reminder-critical-infrastructure-stay-vigilant-against-threats
    Recent history tells us that this could be a time when these persistent cyber actors halfway across the world are looking for ways, big and small, to disrupt the critical networks and systems belonging to organizations, businesses, and critical infrastructure.
    There are actions that executives, leaders, and workers in any organization can take proactively to protect themselves against cyberattacks, including possible ransomware attacks, during the upcoming holiday season, a time during which offices are often closed, and employees are home with their friends and families. Although neither CISA nor the FBI currently have identified any specific threats, recent 2021 trends show malicious cyber actors launching serious and impactful ransomware attacks during holidays and weekends, including Independence Day and Mother’s Day weekends. CISA and the FBI strongly urge all entities, especially critical infrastructure partners, to examine their current cybersecurity posture and implement best practices and mitigations to manage the risk posed by cyber threats.

    Reply
  29. Tomi Engdahl says:

    Severe Code Execution Vulnerabilities Affect OpenVPN-Based Applications
    https://www.securityweek.com/severe-code-execution-vulnerabilities-affect-openvpn-based-applications

    Security researchers at Claroty have raised the alarm for a series of severe code execution vulnerabilities affecting virtual private network (VPN) solutions relying on OpenVPN.

    The company documented four security errors in products from HMS Industrial Networks, MB connect line, PerFact, and Siemens that allow attackers to achieve code execution by tricking potential victims into visiting a maliciously crafted web page.

    VPN solutions are designed to provide users with means to encrypt the traffic flowing between their devices and a specific network, to ensure that potentially sensitive data is transmitted securely, and OpenVPN is the most common implementation of a VPN solution.

    During its analysis of OpenVPN-based solutions, Claroty discovered that vendors usually deploy OpenVPN as a service with SYSTEM privileges, which poses security risks, because any remote or local applications can control an OpenVPN instance to initiate or terminate a secured connection.

    An attacker looking to exploit this flaw would simply need to trick the victim into accessing a malicious website containing embedded JavaScript code designed to send a blind POST request locally, to inject commands in the VPN client back end. This is a classic Server-Side Request Forgery (SSRF) case, the company said.

    “Once the victim clicks the link, a HTTP POST request will be fired locally to the dedicated TCP port, and since HTTP is a cleartext based protocol which every line ends with \n, the back end server will read and ignore all the lines until reaching a meaningful command,” according to Claroty’s documentation.

    All Roads Lead to OpenVPN: Pwning Industrial Remote Access Clients
    https://claroty.com/2021/11/19/blog-research-all-roads-lead-to-openvpn-pwning-industrial-remote-access-clients/

    Reply
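The Claroty finding quoted above hinges on a protocol-confusion pattern: a line-oriented, cleartext control service on a local TCP port skips every line it does not understand, so the request line and headers of a browser-fired POST are treated as noise and the body is read as a command. The following is an added example written for this page, not Claroty's code or any vendor's, and it models a hypothetical toy control protocol (the `AUTH`, `STATUS` and `DISCONNECT` commands, the port number, and the token value are all constructed). It contrasts the lenient parser with a strict one that ends the session on the very first line, for two reasons a defender can rely on: page JavaScript cannot suppress the HTTP request line a browser emits, and it cannot read a per-install token stored in a file only the local user account can open.

```python
import hmac
import re

# Toy command vocabulary for a hypothetical local control service.  This is not
# OpenVPN's real management interface; it stands in for the pattern Claroty
# describes: a line-oriented, cleartext protocol listening on a local TCP port.
KNOWN_COMMANDS = {"STATUS", "DISCONNECT"}

# Per-install secret the legitimate client reads from a file that only the
# user's account can open (constructed value; web content cannot read that file).
CONTROL_TOKEN = "c0nstructed-per-install-token"

# Constructed sample: the bytes a browser emits when page JavaScript fires a
# cross-origin POST at 127.0.0.1:9000.  The script controls the body, never the
# request line or the header block, so every such session starts with "POST ...".
BROWSER_POST = (
    b"POST / HTTP/1.1\r\n"
    b"Host: 127.0.0.1:9000\r\n"
    b"Content-Type: text/plain;charset=UTF-8\r\n"
    b"Content-Length: 11\r\n"
    b"\r\n"
    b"DISCONNECT\n"
)

# Constructed sample: a legitimate session from the local client.
LEGIT_SESSION = f"AUTH {CONTROL_TOKEN}\nSTATUS\n".encode()

# Method, request-target, HTTP-version: the shape of every HTTP/1.x request line.
HTTP_REQUEST_LINE = re.compile(r"^[A-Z]{3,7} \S+ HTTP/\d\.\d$")


def _lines(stream: bytes) -> list[str]:
    """Split a received byte stream into stripped text lines."""
    return [ln.rstrip(b"\r").decode("ascii", "replace").strip()
            for ln in stream.split(b"\n")]


def lenient_parse(stream: bytes):
    """The weak pattern: skip anything unrecognised and act on the first known
    command.  An HTTP request line and headers are mere noise to it, so the body
    line is accepted as if a trusted local client had sent it.
    Returns the command that would be executed, or None."""
    for line in _lines(stream):
        if line.upper() in KNOWN_COMMANDS:
            return line.upper()
    return None


def strict_parse(stream: bytes, expected_token: str):
    """Hardened pattern: the very first line decides the session's fate.
    Returns ("accepted", command) or ("rejected", reason)."""
    lines = _lines(stream)
    first = lines[0] if lines else ""
    # 1. Anything shaped like an HTTP request line cannot come from our client.
    if HTTP_REQUEST_LINE.match(first):
        return ("rejected", "HTTP request line on control port (browser-originated?)")
    # 2. The session must open with the per-install token; any other preface ends it.
    if not first.startswith("AUTH "):
        return ("rejected", "session must begin with AUTH <token>")
    presented = first[len("AUTH "):].encode("utf-8")
    if not hmac.compare_digest(presented, expected_token.encode("utf-8")):
        return ("rejected", "authentication failed")
    # 3. Only then is a command read, and only from the fixed vocabulary.
    command = lines[1].upper() if len(lines) > 1 else ""
    if command not in KNOWN_COMMANDS:
        return ("rejected", f"unknown command {command!r}")
    return ("accepted", command)


if __name__ == "__main__":
    print("lenient:", lenient_parse(BROWSER_POST))
    print("strict: ", strict_parse(BROWSER_POST, CONTROL_TOKEN))
    print("strict: ", strict_parse(LEGIT_SESSION, CONTROL_TOKEN))
```

The two checks are deliberately ordered: rejecting on the request line gives an unambiguous log event ("a browser talked to the control port") that is worth alerting on, while the token check covers any other unexpected local process. Neither check helps if the service also runs as SYSTEM, which is the second half of the article's point; running the listener under the user's own account bounds what a confused parser could do.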
  30. Tomi Engdahl says:

    Philips Working on Patches for Vulnerabilities Found in Medical Products
    https://www.securityweek.com/philips-working-patches-vulnerabilities-found-medical-products

    Philips is working on patches for several vulnerabilities discovered by researchers in some of the company’s medical products.

    The flaws were identified by researchers at industrial cybersecurity firm Nozomi Networks in Philips IntelliBridge, Patient Information Center iX (PIC iX), and Efficia CM series products. Advisories for the vulnerabilities were published last week by Philips and the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

    One advisory describes two high-severity vulnerabilities found in IntelliBridge EC 40 and EC 80 Hub patient monitoring systems, which integrate point-of-care devices with hospital information systems. The flaws are related to the use of hardcoded credentials and authentication bypass.

    “Successful exploitation of these issues may allow an attacker unauthorized access to the Philips IntelliBridge EC40/80 hub and may allow access to execute software, modify device configuration, or view/update files, including unidentifiable patient data,” Philips said in its advisory. “The vulnerabilities can potentially be exploited over the Philips patient monitoring network, which is required to be physically or logically isolated from the hospital local area network (LAN).”

    Reply
  31. Tomi Engdahl says:

    GoDaddy Breach Exposes 1.2 Million Managed WordPress Customer Accounts
    https://www.securityweek.com/godaddy-breach-exposes-12-million-managed-wordpress-customer-accounts

    Domain registrar and web hosting giant GoDaddy has been hacked and customer data for some 1.2 million WordPress users was exposed to the attacker for more than three months.

    The Tempe, Arizona-based GoDaddy disclosed the breach in an SEC filing and confirmed that millions of users of its managed WordPress hosting service had sensitive data stolen, including database usernames and passwords, email addresses and private SSL keys.

    GoDaddy did not provide details on the compromise beyond a note that the attacker used a compromised password to access the provisioning system in its legacy code base for Managed WordPress.

    The company said the hack began on September 6 and, over the last three months, the attacker gained access to valuable customer information.

    The raw details on the breach:

    Up to 1.2 million active and inactive Managed WordPress customers had email address and customer number exposed. The exposure of email addresses presents risk of phishing attacks.
    The original WordPress Admin password that was set at the time of provisioning was exposed. If those credentials were still in use, GoDaddy reset those passwords.
    For active customers, sFTP and database usernames and passwords were exposed. GoDaddy said it reset both passwords.
    For a subset of active customers, the SSL private key was exposed. GoDaddy says it is in the process of issuing and installing new certificates for those customers.

    Reply
  32. Tomi Engdahl says:

    U.S. Agencies Share More Details on ADSelfService Plus Vulnerability Exploitation
    https://www.securityweek.com/us-agencies-share-more-details-adselfservice-plus-vulnerability-exploitation

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Coast Guard Cyber Command (CGCYBER) have shared new details on in-the-wild attacks targeting a recently patched flaw in Zoho’s ManageEngine ADSelfService Plus product.

    Tracked as CVE-2021-40539, the critical severity bug (CVSS 9.8) was already being targeted in attacks when Zoho released patches for the self-service password management and single sign-on utility in September 2021.

    The issue resides in the representational state transfer (REST) application programming interface (API) URLs, allowing attackers to bypass authentication and execute code remotely, ultimately taking over a vulnerable system.

    One week after Zoho announced the release of patches for the vulnerability, U.S. security response agencies warned that advanced persistent threat (APT) actors were likely targeting the vulnerability in attacks, urging organizations to apply the available patches as a matter of urgency.

    Reply
  33. Tomi Engdahl says:

    Researchers Hack Conti Ransomware Infrastructure
    https://www.securityweek.com/researchers-hack-conti-ransomware-infrastructure

    Prodaft security researchers exploited a vulnerability in the recovery servers used by the Conti Ransomware-as-a-Service (RaaS), which allowed them to gain insight into the inner workings of the ransomware.

    The flaw also allowed the researchers to identify the real IP addresses of the hidden service hosting the recovery website, including 20 IPs communicating with the Conti servers, and two Tor entry nodes used for the recovery service, all of which were reported to the authorities.

    Furthermore, Prodaft discovered victim chat sessions that allowed them to identify accounts used when extorting victims’ data, including connecting IP addresses and the employed software. The investigation also revealed the use of the same Bitcoin wallet addresses for multiple victims.

    In a new report, Prodaft’s security researchers provide technical details related to the inner workings of Conti, and also show the close connection between Conti and Ryuk, essentially saying that these appear to be one and the same ransomware family.

    https://www.prodaft.com/resource/detail/conti-ransomware-group-depth-analysis/

    Reply
  34. Tomi Engdahl says:

    Utah Medical Group Discloses Data Breach Affecting Over 580,000 Patients
    https://www.securityweek.com/utah-medical-group-discloses-data-breach-affecting-over-580000-patients

    Farmington, Utah-based radiology medical center Utah Imaging Associates has started informing former and current patients that their information might have been compromised in a data breach.

    As part of the incident, which was identified on September 4, 2021, unknown threat actors accessed files that contained sensitive personal information related to patients.

    Following the incident, Utah Imaging Associates informed the U.S. Department of Health and Human Services that the data of 583,643 individuals was compromised during the incident.

    The affected data, HIPAA Journal reported last week, included full names, birth dates, mailing addresses, health insurance policy numbers, and Social Security Numbers. Medical information, including diagnosis, prescription details, and treatment information was also affected.

    Reply
  35. Tomi Engdahl says:

    Serious Vulnerabilities Found in Wi-Fi Module Designed for Critical Industrial Applications
    https://www.securityweek.com/serious-vulnerabilities-found-wi-fi-module-designed-critical-industrial-applications

    More than 20 vulnerabilities have been identified by Cisco’s Talos research and threat intelligence unit in a Lantronix Wi-Fi module designed for critical industrial and commercial applications.

    The affected product, the PremierWave 2050 enterprise Wi-Fi module, delivers always-on 5G Wi-Fi connectivity, and is designed for mission-critical operations. According to the vendor’s website, it delivers enterprise-grade security.

    However, Cisco Talos researchers discovered that the product is affected by a total of 21 vulnerabilities, a majority of which have been assigned critical or high severity ratings. Talos has published 18 separate advisories describing the vulnerabilities.

    The researchers have reproduced the vulnerabilities on Lantronix PremierWave 2050 version 8.9.0.0R4, and Talos claims there are no official patches for the security holes, despite the vendor knowing about them since June 15.

    Vulnerability Spotlight: Vulnerabilities in Lantronix PremierWave 2050 could lead to code execution, file deletion
    https://blog.talosintelligence.com/2021/11/lantronix-premier-wave-vuln-spotlight.html

    Cisco Talos recently discovered multiple vulnerabilities in Lantronix’s PremierWave 2050, an embedded Wi-Fi module.

    There are several vulnerabilities in PremierWave 2050’s Web Manager, a web-accessible application that allows users to configure settings for the 2050 gateway. An attacker could exploit some of these vulnerabilities to carry out a range of malicious actions, including executing arbitrary code and deleting or replacing files on the targeted device.

    Reply
  36. Tomi Engdahl says:

    New Windows zero-day with public exploit lets you become an admin https://www.bleepingcomputer.com/news/microsoft/new-windows-zero-day-with-public-exploit-lets-you-become-an-admin/
    A security researcher has publicly disclosed an exploit for a new Windows zero-day local privilege elevation vulnerability that gives admin privileges in Windows 10, Windows 11, and Windows Server.
    BleepingComputer has tested the exploit and used it to open a command prompt with SYSTEM privileges from an account with only low-level ‘Standard’ privileges. Using this vulnerability, threat actors with limited access to a compromised device can easily elevate their privileges to help spread laterally within the network. The vulnerability affects all supported versions of Windows, including Windows 10, Windows 11, and Windows Server 2022.

    Reply
  37. Tomi Engdahl says:

    Check your patches: public exploit now out for critical Exchange bug https://nakedsecurity.sophos.com/2021/11/23/check-your-patches-public-exploit-now-out-for-critical-exchange-bug/
    At the start of this month, CVE-2021-42321 was technically an Exchange zero-day flaw. This bug could be exploited for unauthorised remote code execution (RCE) on Microsoft Exchange 2016 and 2019, and was patched in the November 2021 Patch Tuesday updates. Microsoft officially listed the bug with the words “Exploitation Detected”, meaning that someone, somewhere, was already using it to mount cyberattacks. The silver lining, if there is such a thing for any zero-day hole, is that the attacker first needs to be authenticated (logged on, if you like) to the Exchange server.

    Reply
  38. Tomi Engdahl says:

    Invisible implants in source code
    https://www.kaspersky.com/blog/trojan-source/42987/
    Researchers from Cambridge describe the Trojan Source method for inserting hidden implants in source code. University of Cambridge experts described a vulnerability they say affects most modern compilers. A novel attack method uses a legitimate feature of development tools whereby the source code displays one thing but compiles something completely different. It happens through the magic of Unicode control characters. Most of the time, control characters do not appear on the screen with the rest of the code (although some editors display them), but they modify the text in some way. This table contains the codes for the Unicode Bidirectional (bidi) Algorithm, for example. In the authors’ work, they used such codes to, for example, move the comment terminator in Python code from the middle of a line to the end. They applied an RLI code to shift just a few characters, leaving the rest unaffected.

    Reply
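    A small defensive scanner for the Unicode bidi control characters the Trojan Source technique relies on (added example, not code from the Kaspersky post or the Cambridge paper; the sample source line is constructed here to illustrate an RLI hidden inside a string):

```python
"""Detect Unicode bidirectional control characters in source text.

Added example (not from the Kaspersky post or the Trojan Source paper):
Trojan Source hides reordering controls such as RLI (U+2067) in comments
or strings so the rendered code differs from what the compiler parses.
A pre-commit or CI scan for these characters makes the implant visible.
"""

# Bidi embeddings, overrides, isolates and their terminators.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}


def find_bidi_controls(text):
    """Return (line, column, name) for every bidi control in the text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                hits.append((lineno, col, BIDI_CONTROLS[ch]))
    return hits


def render_visible(line):
    """Replace each bidi control with its name so the hidden reordering shows."""
    return "".join(f"<{BIDI_CONTROLS[c]}>" if c in BIDI_CONTROLS else c
                   for c in line)


# Constructed sample: an RLI inside a string literal. An editor renders the
# rest of the line reordered, but the interpreter still sees logical order.
SAMPLE = (
    "def check(access_level):\n"
    "    if access_level != 'user\u2067 ': # check if admin\n"
    "        return True\n"
    "    return False\n"
)

if __name__ == "__main__":
    lines = SAMPLE.splitlines()
    for lineno, col, name in find_bidi_controls(SAMPLE):
        print(f"line {lineno} col {col}: {name}")
        print("  " + render_visible(lines[lineno - 1]))
```

    The same scan applied to a repository's tracked files catches controls that editors do not display; a character in a comment or string that no human typed is worth a review.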
  39. Tomi Engdahl says:

    Security researchers play peek-a-boo with Conti ransomware server https://blog.malwarebytes.com/ransomware/2021/11/security-researchers-play-peek-a-boo-with-conti-ransomware-server/
    Conti ransomware is perhaps most well known for its use in the HSE healthcare attacks back in May. More than 80,000 endpoints were shut down and the health service had to revert to the pen and paper approach. Providers in the US and New Zealand were also affected.
    Conti is created and distributed by “Wizard Spider”, a group which also created the well-known Ryuk ransomware. Conti, offered to affiliates as Ransomware as a Service, ran wild in the first quarter of 2021. RDP brute forcing, phishing, and hardware / software vulnerabilities are the chosen methods for Conti compromise. Where it gets interesting is that Conti directs victims to Dark Web “support portals” where they talk through the steps to unlocking impacted devices. This is where the current Conti issues have arisen.

    Reply
  40. Tomi Engdahl says:

    Apple sues spyware-maker NSO Group, notifies iOS exploit targets https://www.bleepingcomputer.com/news/apple/apple-sues-spyware-maker-nso-group-notifies-ios-exploit-targets/
    Apple has filed a lawsuit against Pegasus spyware-maker NSO Group and its parent company for the targeting and spying of Apple users with surveillance tech. The company says the state-sponsored attacks that used NSO’s spyware only targeted “a very small number” of individuals, across multiple platforms, including iOS and Android. The exploits used to deploy NSO Group’s Pegasus spyware were used to hack and compromise the devices of high-profile targets such as government officials, diplomats, activists, dissidents, academics, and journalists worldwide. For instance, NSO’s FORCEDENTRY exploit was used by state-backed attackers to break into Apple devices to install the latest version of Pegasus spyware, as revealed by the Citizen Lab in August. “To prevent further abuse and harm to its users, Apple is also seeking a permanent injunction to ban NSO Group from using any Apple software, services, or devices,” Apple added. Apple’s release:
    https://www.apple.com/newsroom/2021/11/apple-sues-nso-group-to-curb-the-abuse-of-state-sponsored-spyware/

    Reply
  41. Tomi Engdahl says:

    UK Ministry of Justice secures HVAC systems ‘protected’ by passwordless Wi-Fi after Register tipoff https://www.theregister.com/2021/11/23/unsecured_rcj_hvac_wifi_routers/
    The Ministry of Justice has secured a set of Wi-Fi access points that potentially gave admin access to industrial control equipment after a tipoff by The Register. Four unsecured wireless networks named “Boiler Pump 1” to “Boiler Pump 4” were freely accessible in the Royal Courts of Justice (RCJ) until The Register told officials what was happening.
    The networks were all viewable from the ground floor of the Queen’s Building, a 1960s extension to the original neo-Gothic court building.
    The RCJ houses Britain’s most senior civil courts, including the Court of Appeal. A source told us that connecting to the passwordless access points exposed a login page for what appeared to be an industrial control system developed by Armstrong Fluid Technology. Armstrong’s website hosts PDF copies of equipment manuals complete with default administrator passwords, referred to by Armstrong as “Level 2” access.

    Reply
  42. Tomi Engdahl says:

    Researchers warn of severe risks from ‘Printjack’ printer attacks https://www.bleepingcomputer.com/news/security/researchers-warn-of-severe-risks-from-printjack-printer-attacks/
    A team of Italian researchers has compiled a set of three attacks called ‘Printjack,’ warning users of the significant consequences of over-trusting their printer. The attacks include recruiting the printers in DDoS swarms, imposing a paper DoS state, and performing privacy breaches. As the researchers point out, modern printers are still vulnerable to elementary flaws and lag behind other IoT and electronic devices that are starting to conform with cybersecurity and data privacy requirements. By evaluating the attack potential and the risk levels, the researchers found non-compliance with GDPR requirements and the ISO/IEC 27005:2018 (framework for managing cyber-risks). This lack of in-built security is particularly problematic when considering how omnipresent printers are, being deployed in critical environments, companies, and organizations of all sizes.

    Reply
  43. Tomi Engdahl says:

    PoC Exploit Published for Latest Microsoft Exchange Zero-Day
    https://www.securityweek.com/poc-exploit-published-latest-microsoft-exchange-zero-day

    A security researcher has released proof-of-concept (PoC) exploit code for a recently patched code execution vulnerability affecting on-prem Microsoft Exchange Server installations.

    Tracked as CVE-2021-42321 (CVSS 8.8), the security defect was addressed with the November 2021 Patch Tuesday set of updates, when Microsoft warned that it was already being exploited in “limited targeted attacks in the wild.”

    Reply
  44. Tomi Engdahl says:

    Serious Vulnerability Found in Imunify360 Web Server Security Product
    https://www.securityweek.com/serious-vulnerability-found-imunify360-web-server-security-product

    A vulnerability discovered in CloudLinux’s Imunify360 security product could have been exploited for remote code execution using specially crafted files.

    The flaw, tracked as CVE-2021-21956 and described as a deserialization issue, exists in the Ai-Bolit malware scanner component.

    “[The vulnerability] could be triggered automatically just after the attacker creates a malicious file in the system if Immunify is configured with real-time file system scanning. It could also be triggered if the user scans a malicious file provided by the attacker with Ai-Bolit scanner,” Talos said.

    Reply
  45. Tomi Engdahl says:

    New Windows zero-day with public exploit lets you become an admin https://www.bleepingcomputer.com/news/microsoft/new-windows-zero-day-with-public-exploit-lets-you-become-an-admin/
    A security researcher has publicly disclosed an exploit for a new Windows zero-day local privilege elevation vulnerability that gives admin privileges in Windows 10, Windows 11, and Windows Server.
    BleepingComputer has tested the exploit and used it to open a command prompt with SYSTEM privileges from an account with only low-level ‘Standard’ privileges. Using this vulnerability, threat actors with limited access to a compromised device can easily elevate their privileges to help spread laterally within the network. The vulnerability affects all supported versions of Windows, including Windows 10, Windows 11, and Windows Server 2022.

    Researcher releases bypass to patched vulnerability
    As part of the November 2021 Patch Tuesday, Microsoft fixed a ‘Windows Installer Elevation of Privilege Vulnerability’ vulnerability tracked as CVE-2021-41379.
    https://github.com/klinix5/InstallerFileTakeOver

    Reply
  46. Tomi Engdahl says:

    [CVE-2021-34421] Incomplete Cleanup of Messages In Keybase for Android/iOS in Keybase

    https://www.oliviaohara.com/keybase

    Reply
  47. Tomi Engdahl says:

    APT C-23 Hackers Using New Android Spyware Variant to Target Middle East Users https://thehackernews.com/2021/11/apt-c-23-hackers-using-new-android.html
    A threat actor known for striking targets in the Middle East has evolved its Android spyware yet again with enhanced capabilities that allow it to be stealthier and more persistent while passing off as seemingly innocuous app updates to stay under the radar. The new variants have “incorporated new features into their malicious apps that make them more resilient to actions by users, who might try to remove them manually, and to security and web hosting companies that attempt to block access to, or shut down, their command-and-control server domains,” Sophos threat researcher Pankaj Kohli said in a report published Tuesday. The mobile spyware has been a preferred tool of choice for the APT-C-23 threat group since at least 2017, with successive iterations featuring extended surveillance functionality to vacuum files, images, contacts and call logs, read notifications from messaging apps, record calls (including WhatsApp), and dismiss notifications from built-in Android security apps.

    Reply
