This posting is here to collect cyber security news in March 2022.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
This posting is here to collect cyber security news in March 2022.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
888 Comments
Tomi Engdahl says:
Critical Remote Code Execution Vulnerability in Sophos Firewall
https://www.securityweek.com/critical-remote-code-execution-vulnerability-sophos-firewall
Tomi Engdahl says:
New Lapsus$ Hack Documents Make Okta’s Response Look More Bizarre
https://www.wired.com/story/lapsus-okta-hack-sitel-leak/
It was a credential breach of a customer service account. Generally self respecting companies have measures in place for engineers to only access the systems that they need to work on so hence the 366 customers possibly affected. Its not a zero day its an engineer that was likely doing unsanctioned things on his/her work laptop. We get/give trainings about this ..
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/cisa-warns-orgs-to-patch-actively-exploited-chrome-redis-bugs/
Tomi Engdahl says:
https://thehackernews.com/2022/03/new-hacking-campaign-by-transparent.html
Tomi Engdahl says:
A Large-Scale Supply Chain Attack Distributed Over 800 Malicious NPM Packages
https://thehackernews.com/2022/03/a-threat-actor-dubbed-red-lili-has-been.html
Tomi Engdahl says:
Hackers have allegedly breached a gaming-focused blockchain platform last week and extracted cryptocurrencies now valued at more than $600 million.
Second Biggest Crypto Hack Ever: $600 Million In Ether Stolen From NFT Gaming Blockchain
https://lm.facebook.com/l.php?u=https%3A%2F%2Ftrib.al%2FHuIT7kK&h=AT3D-E5XatXRkpIyd-zFpGTX3YrR6-qmvOZw0YKUo53e73XuTeveK4of-vFkLj2g5m9Be9hX0Gz35Hnaf7zQC68jGdy96IP30gSTRaKOjryfkzfOnNccjfjup0kWGC9D2Q
Hackers allegedly breached gaming-focused blockchain platform Ronin Network last week and extracted cryptocurrencies now valued at more than $600 million, the company announced on Tuesday, marking the second-biggest hack ever in the burgeoning cryptocurrency space.
“There has been a security breach,” Ronin, an Ethereum-linked blockchain platform for non-fungible token-based video game Axie Infinity, the company wrote in a blog post on Tuesday, adding that the hack was discovered today but occurred on Wednesday.
According to Ronin, 173,600 ether tokens and 25.5 million USD coins—worth nearly $620 on Tuesday—were drained from its platform after an attacker used hacked private keys to forge two fake withdrawals last week.
Tomi Engdahl says:
A programmer behind the popular open-source npm program node-ipc poisoned it with malware that erased the hard drives of computers located in Russia or Belarus.
Corrupted open-source software enters the Russian battlefield
https://www.zdnet.com/article/corrupted-open-source-software-enters-the-russian-battlefield/?ftag=COS-05-10aaa0h&utm_campaign=trueAnthem%3A+Trending+Content&utm_medium=trueAnthem&utm_source=facebook
A programmer behind the popular open-source npm program node-ipc poisoned it with malware that erased the hard drives of computers located in Russia or Belarus.
Tomi Engdahl says:
Europe’s quest for energy independence and how cyberrisks come into play https://www.welivesecurity.com/2022/03/29/europe-quest-energy-independence-cyber-risks/
Soaring energy prices and increased geopolitical tensions amid the Russian invasion of Ukraine bring a sharp focus on European energy security. It is generally understood that the world is deeply interconnected, especially when it comes to energy supplies and the global energy trade. Maintaining complex, but reliable business and nation-state relationships has been central to ensuring a smooth and sustained functioning of the energy supply chain.
Tomi Engdahl says:
Shutterfly discloses data breach after Conti ransomware attack https://www.bleepingcomputer.com/news/security/shutterfly-discloses-data-breach-after-conti-ransomware-attack/
Online retail and photography manufacturing platform Shutterfly has disclosed a data breach that exposed employee information after threat actors stole data during a Conti ransomware attack.
Tomi Engdahl says:
Ukraine war: Major internet provider suffers cyber-attack
https://www.bbc.com/news/60854881
Ukraine’s national telecoms operator Ukrtelecom is restoring internet services after driving back a major cyber-attack. Lisäksi:
https://www.is.fi/digitoday/tietoturva/art-2000008714200.html
Tomi Engdahl says:
New spear phishing campaign targets Russian dissidents https://blog.malwarebytes.com/threat-intelligence/2022/03/new-spear-phishing-campaign-targets-russian-dissidents/
Several threat actors have taken advantage of the war in Ukraine to launch a number of cyber attacks. The Malwarebytes Threat Intelligence team is activity monitoring these threats and has observed activities associated with the geopolitical conflict.
Tomi Engdahl says:
NSO says Israeli police got ‘weaker’ variant of Pegasus phone hacking tool https://www.reuters.com/technology/nso-says-israeli-police-got-weaker-variant-pegasus-phone-hacking-tool-2022-03-29/
JERUSALEM, March 29 (Reuters) – The chief of Israeli spyware firm NSO Group said on Tuesday it had sold the country’s police a variant of the Pegasus hacking tool that can access local cellphones, but which he described as being “weaker” than the export version.
Tomi Engdahl says:
Hacked WordPress sites force visitors to DDoS Ukrainian targets https://www.bleepingcomputer.com/news/security/hacked-wordpress-sites-force-visitors-to-ddos-ukrainian-targets/
Hackers are compromising WordPress sites to insert a malicious script that uses visitors’ browsers to perform distributed denial-of-service attacks on Ukrainian websites.
Tomi Engdahl says:
New Hacking Campaign by Transparent Tribe Hackers Targeting Indian Officials https://thehackernews.com/2022/03/new-hacking-campaign-by-transparent.html
A threat actor of likely Pakistani origin has been attributed to yet another campaign designed to backdoor targets of interest with a Windows-based remote access trojan named CrimsonRAT since at least June 2021. Lisäksi:
https://www.bleepingcomputer.com/news/security/hackers-use-modified-mfa-tool-against-indian-govt-employees/.
Lisäksi:
https://www.zdnet.com/article/transparent-tribe-apt-returns-to-strike-indias-government-and-military
Tomi Engdahl says:
Critical Sophos Firewall RCE Vulnerability Under Active Exploitation https://thehackernews.com/2022/03/critical-sophos-firewall-rce.html
Cybersecurity firm Sophos on Monday warned that a recently patched critical security vulnerability in its firewall product is being actively exploited in real-world attacks.
Tomi Engdahl says:
Critical SonicWall firewall patch not released for all devices https://www.bleepingcomputer.com/news/security/critical-sonicwall-firewall-patch-not-released-for-all-devices/
Security hardware manufacturer SonicWall has fixed a critical vulnerability in the SonicOS security operating system that allows denial of service (DoS) attacks and could lead to remote code execution (RCE).
Tomi Engdahl says:
Exchange Servers Speared in IcedID Phishing Campaign https://threatpost.com/exchange-servers-speared-in-icedid-phishing-campaign/179137/
The ever-evolving malware shows off new tactics that use email thread hijacking and other obfuscation techniques to provide advanced evasion techniques. Lisäksi:
https://threatpost.com/icedid-web-forms-google-urls/165347/
Tomi Engdahl says:
Data-harvesting code in mobile apps sends user data to “Russia’s Google”
https://arstechnica.com/information-technology/2022/03/data-harvesting-code-in-mobile-apps-sends-user-data-to-russias-google/
Data from apps on Apple- and Google-powered mobile devices is sent to Russian servers. Yandex collects user data harvested from mobile phones before sending the information to servers in Russia.
Researchers have raised concerns the same “metadata” may then be accessed by the Kremlin and used to track people through their mobile phones.
Tomi Engdahl says:
Some Twitter traffic briefly funneled through Russian ISP, thanks to BGP mishap https://arstechnica.com/information-technology/2022/03/absence-of-malice-russian-isps-hijacking-of-twitter-ips-appears-to-be-a-goof/
Some Internet traffic in and out of Twitter on Monday was briefly funneled through Russia after a major ISP in that country misconfigured the Internet’s routing table, network monitoring services said.
Tomi Engdahl says:
Europol dismantles massive call center investment scam operation https://www.bleepingcomputer.com/news/security/europol-dismantles-massive-call-center-investment-scam-operation/
Europol has announced the arrest of 108 people suspected of being involved in an international call center operation that tricked victims into investment scams. Europol accouncement:
https://www.europol.europa.eu/media-press/newsroom/news/latvia-and-lithuania-detain-108-over-multi-million-euro-call-centre-scam
Tomi Engdahl says:
Attack on Cities: Skylines malicious code in a virtual city https://www.kaspersky.com/blog/cities-skylines-malicious-mods/44004/
We explain why game mods can be dangerous, using as an example malicious mods for Cities: Skylines.
Tomi Engdahl says:
Hackers Steal Over $600M in Major Crypto Heist
https://www.securityweek.com/hackers-steal-over-600m-major-crypto-heist
Hackers stole cryptocurrency worth over $600 million from a digital ledger used by players of the popular online game Axie Infinity, in a major digital cash heist revealed Tuesday.
Interest in cyptocurrency has boomed, along with its values, but the money has also become an attractive target for tech savvy thieves.
Ronin Network said the attack targeting its blockchain netted 173,600 ether and $25.5 million worth of stablecoin, a digital asset pegged to the US dollar.
The haul was valued at $545 million when it was stolen on March 23, but was worth about $615 million based on prices Tuesday, making it one of largest thefts ever in the crypto world.
“Most of the hacked funds are still in the hacker’s wallet,” Ronin said in a post revealing the theft.
Tomi Engdahl says:
With War Next Door, EU is Warned on Cybersecurity Gaps
https://www.securityweek.com/war-next-door-eu-warned-cybersecurity-gaps
As Russia’s invasion of Ukraine accelerates European Union defense cooperation, a watchdog said Tuesday that EU institutions face vulnerabilities on another front: cybersecurity.
The warning by the European Court of Auditors covers the wide range of EU bodies — from the executive arm based in Brussels to specialist agencies located across Europe — that run the 27-nation bloc’s day-to-day business.
“The EU must step up its efforts to protect its own organizations,” Bettina Jakobsen, a member of the ECA, said in a statement accompanying a special report on cyberthreats. “Such attacks can have significant political implications.”
Cyberattacks against EU bodies are increasing “sharply,” with major incidents jumping more than tenfold between 2018 and 2021, according to the Luxembourg-based ECA.
Cybersecurity has jumped up the political agenda in Europe following attacks in recent years that targeted EU nations such as Germany and other industrialized countries including the United States, Britain and Australia.
In 2020, the EU imposed cyber sanctions for the first time, blacklisting a number of Russian, Chinese and North Korean hackers.
Nonetheless, the European auditors said Tuesday that EU organizations were failing to enact some “essential” cybersecurity controls and underspending in this area. The auditors also alleged a lack of “systematic” cybersecurity training and information sharing.
EU entities as a whole handle political, diplomatic, financial, economic and regulatory matters. The spectrum of activities underpins the bloc’s status as a geopolitical force, a global setter of industrial rules and the world’s most lucrative single market.
The sensitive information processed by EU bodies makes them attractive targets for hackers, according to the report, which said the risks have grown as a result of remote working prompted by the COVID-19 pandemic.
“This has considerably increased the number of potential access points for attackers,” the ECA said.
Tomi Engdahl says:
VMware vCenter Server Vulnerability Can Facilitate Attacks on Many Organizations
https://www.securityweek.com/vmware-vcenter-server-vulnerability-can-facilitate-attacks-many-organizations
VMware on Tuesday announced the availability of patches for a vCenter Server vulnerability that could facilitate attacks against many organizations.
The vulnerability, tracked as CVE-2022-22948, is described as an information disclosure issue caused by improper file permissions. The flaw was reported to the virtualization giant by Pentera, a company that helps organizations reduce their cyber exposure.
Pentera on Tuesday disclosed the details of the security hole, warning that while CVE-2022-22948 may not seem very dangerous — it has been assigned a “moderate severity” rating — it can be chained with other vulnerabilities for a complete server takeover.
For example, an attacker can obtain initial access to an endpoint hosting a vCenter Server client by exploiting CVE-2021-21972, a flaw that has been used by malicious actors since at least the spring of 2021. Once they have gained initial access, attackers can exploit the newly disclosed vulnerability to extract sensitive information.
Specifically, a hacker can exploit CVE-2022-22948 to obtain the credentials for a high-privilege account that can be used to take complete control of the server.
The exploit chain described by the cybersecurity firm also involves CVE-2021-22015, a privilege escalation flaw that is needed to decrypt the password for the aforementioned high-privilege account. CVE-2021-22015 is a high-severity issue that was reported to VMware last year.
CVE-2022-22948: Sensitive Information Disclosure in VMware vCenter
https://www.pentera.io/blog/information-disclosure-in-vmware-vcenter/
New zero-day vulnerability joins a chain of recently discovered vulnerabilities capable of operating an end-to-end attack on ESXi. Organizations should evaluate risk and apply vCenter client patches immediately.
Pentera Labs’ Senior Security Researcher, Yuval Lazar, discovered an Information Disclosure vulnerability impacting more than 500,000 appliances running default vCenter Server deployments.
This finding is critical given its potential global impact. According to VMware – more than 80 percent of virtualized workloads are running on VMware technology, including 100 percent of Fortune 500 and Fortune Global 100 companies. The ease and convenience that vCenter offers for managing virtualized hosts in enterprise environments provides cybercriminals with centralized access and the potential to inflict widespread damage on organizations.
In the full attack vector, threat actors can completely take over an organization’s ESXi’s deployed in a hybrid infrastructure and virtual machines hosted and managed by the hypervisor from just endpoint access to a host with a vCenter client.
VMware has issued a patch for the vulnerability that can be found here.
VMware vCenter Server updates address an information disclosure vulnerability (CVE-2022-22948)
https://www.vmware.com/security/advisories/VMSA-2022-0009.html
Tomi Engdahl says:
A Large-Scale Supply Chain Attack Distributed Over 800 Malicious NPM Packages
https://thehackernews.com/2022/03/a-threat-actor-dubbed-red-lili-has-been.html
A threat actor dubbed “RED-LILI” has been linked to an ongoing large-scale supply chain attack campaign targeting the NPM package repository by publishing nearly 800 malicious modules.
“Customarily, attackers use an anonymous disposable NPM account from which they launch their attacks,” Israeli security company Checkmarx said. “As it seems this time, the attacker has fully-automated the process of NPM account creation and has opened dedicated accounts, one per package, making his new malicious packages batch harder to spot.”
The findings build on recent reports from JFrog and Sonatype, both of which detailed hundreds of NPM packages that leverage techniques like dependency confusion and typosquatting to target Azure, Uber, and Airbnb developers.
Tomi Engdahl says:
Critical Vulnerabilities Found in Microsoft Defender for IoT
https://www.securityweek.com/critical-vulnerabilities-found-microsoft-defender-iot
Researchers at endpoint security firm SentinelOne on Monday published detailed information on a couple of critical remote code execution vulnerabilities discovered in Microsoft Defender for IoT.
Designed with continuous network detection and response (NDR) capabilities, Defender for IoT supports various IoT, OT, and industrial control system (ICS) devices, and can be deployed both on-premises and in the cloud.
Tracked as CVE-2021-42311 and CVE-2021-42313, the two critical bugs have a CVSS score of 10 and were addressed by Microsoft with its December 2021 Patch Tuesday updates.
Both are SQL injection vulnerabilities that a remote attacker could exploit without authentication to achieve arbitrary code execution.
Identified in the token validation process, CVE-2021-42313 exists because the UUID parameter isn’t sanitized, SentinelLabs explains.
Pwning Microsoft Azure Defender for IoT | Multiple Flaws Allow Remote Code Execution for All
https://www.sentinelone.com/labs/pwning-microsoft-azure-defender-for-iot-multiple-flaws-allow-remote-code-execution-for-all/
Executive Summary
SentinelLabs has discovered a number of critical severity flaws in Microsoft Azure’s Defender for IoT affecting cloud and on-premise customers.
Unauthenticated attackers can remotely compromise devices protected by Microsoft Azure Defender for IoT by abusing vulnerabilities in Azure’s Password Recovery mechanism.
SentinelLabs’ findings were proactively reported to Microsoft in June 2021 and the vulnerabilities are tracked as CVE-2021-42310, CVE-2021-42312, CVE-2021-37222, CVE-2021-42313 and CVE-2021-42311 marked as critical, some with CVSS score 10.0.
Microsoft has released security updates to address these critical vulnerabilities. Users are encouraged to take action immediately.
At this time, SentinelLabs has not discovered evidence of in-the-wild abuse.
Introduction
Operational technology (OT) networks power many of the most critical aspects of our society; however, many of these technologies were not designed with security in mind and can’t be protected with traditional IT security controls. Meanwhile, the Internet of Things (IoT) is enabling a new wave of innovation with billions of connected devices, increasing the attack surface and risk.
The problem has not gone unnoticed by vendors, and many offer security solutions in an attempt to address it, but what if the security solution itself introduces vulnerabilities? In this report, we will discuss critical vulnerabilities found in Microsoft Azure Defender for IoT, a security product for IoT/OT networks by Microsoft Azure.
First, we show how flaws in the password reset mechanism can be abused by remote attackers to gain unauthorized access. Then, we discuss multiple SQL injection vulnerabilities in Defender for IoT that allow remote attackers to gain access without authentication. Ultimately, our research raises serious questions about the security of security products themselves and their overall effect on the security posture of vulnerable sectors.
Microsoft Azure Defender For IoT
Microsoft Defender for IoT is an agentless network-layer security for continuous IoT/OT asset discovery, vulnerability management, and threat detection that does not require changes to existing environments. It can be deployed fully on-premises or in Azure-connected environments.
This solution consists of two main components:
Microsoft Azure Defender For IoT Management – Enables SOC teams to manage and analyze alerts aggregated from multiple sensors into a single dashboard and provides an overall view of the health of the networks.
Microsoft Azure Defender For IoT Sensor – Discovers and continuously monitors network devices. Sensors collect ICS network traffic using passive (agentless) monitoring on IoT and OT devices. Sensors connect to a SPAN port or network TAP and immediately begin performing DPI (Deep packet inspection) on IoT and OT network traffic.
Both components can be either installed on a dedicated appliance or on a VM.
Deep packet inspection (DPI) is achieved via the horizon component, which is responsible for analyzing network traffic. The horizon component loads built-in dissectors and can be extended to add custom network protocol dissectors.
Defender for IoT Web Interface Attack Surface
Both the management and the sensor share roughly the same code base, with configuration changes to fit the purpose of the machine. This is the reason why both machines are affected by most of the same vulnerabilities.
The most appealing attack surface exposed on both machines is the web interface, which allows controlling the environment in an easy way. The sensor additionally exposes another attack surface which is the DPI service (horizon) that parses the network traffic.
Defender for IoT is a product formerly known as CyberX, acquired by Microsoft in 2020. Looking around in the home directory of the “cyberx” user, we found the installation script and a tar archive containing the system’s encrypted files. Reading the script we found the command that decrypts the archive file.
Tomi Engdahl says:
Sophos Warns of Attacks Exploiting Recent Firewall Vulnerability
https://www.securityweek.com/sophos-warns-attacks-exploiting-recent-firewall-vulnerability
Sophos on Monday raised the alarm about a recently patched Sophos Firewall vulnerability being exploited in attacks.
Impacting the User Portal and Webadmin of Sophos Firewall, the bug is described as an authentication bypass that could lead to remote code execution.
Tracked as CVE-2022-1040 (CVSS score of 9.8), the security hole impacts Sophos Firewall version v18.5 MR3 (18.5.3) and older.
“Sophos has observed this vulnerability being used to target a small set of specific organizations primarily in the South Asia region. We have informed each of these organizations directly,” the company said in an update to its advisory.
Resolved RCE in Sophos Firewall (CVE-2022-1040)
https://www.sophos.com/en-us/security-advisories/sophos-sa-20220325-sfos-rce
Tomi Engdahl says:
SonicWall Patches Critical Vulnerability in Firewall Appliances
https://www.securityweek.com/sonicwall-patches-critical-vulnerability-firewall-appliances
Tomi Engdahl says:
US Brands Russian Cybersecurity Firm Kaspersky ‘Security Threat’
https://www.securityweek.com/us-brands-russian-cybersecurity-firm-kaspersky-security-threat
US regulators have deemed antivirus software maker Kaspersky a “threat to national security,” a designation that will restrict its dealings in the United States.
The Federal Communications Commission has added Kaspersky to a threat list — which blocks paying the firm with certain US government subsidies — that also includes Chinese companies like Huawei and ZTE.
The FCC’s statement released Friday did not mention Russia’s invasion of Ukraine, but Kaspersky responded to the designation by saying it was imposed “on political grounds.”
“This decision is not based on any technical assessment of Kaspersky products,” the firm added in a statement.
German cyber security agency BSI urged consumers earlier this month against using Kaspersky’s antivirus software, warning that the company could be implicated — willingly or unwillingly — in hacking assaults amid Russia’s war in Ukraine.
Tomi Engdahl says:
Windows zero-day flaw giving admin rights gets unofficial patch, again https://www.bleepingcomputer.com/news/microsoft/windows-zero-day-flaw-giving-admin-rights-gets-unofficial-patch-again/
A Windows local privilege escalation zero-day vulnerability that Microsoft has failed to fully address for several months now, allows users to gain administrative privileges in Windows 10, Windows 11, and Windows Server. The locally exploited vulnerability in Windows User Profile Service is tracked as CVE-2021-34484 and was given a CVSS v3 score of 7.8. While exploits have been publicly disclosed in the past, they are not believed to be actively exploited in the wild. The peculiarity of this case lies in the fact that Microsoft has been unable to address the flaw since its discovery last summer and that it has marked the bug as fixed twice. According to the 0patch team, which has been unofficially providing fixes for discontinued Windows versions and some vulnerabilities that Microsoft won’t address, the flaw is still a zero-day. In fact, Microsoft’s patches failed to fix the bug and broke 0patch’s previous unofficial patch.
Tomi Engdahl says:
Cyber Attacks from Chinese IPs on NATO Countries Surge by 116% https://blog.checkpoint.com/2022/03/21/cyber-attacks-from-chinese-ips-on-nato-countries-surge-by-116/
Last week, Check Point Research (CPR) observed an increase in cyber attacks aimed for NATO countries that were sourced from Chinese IP addresses. CPR examined the trend before and after Russia’s invasion into Ukraine, learning that cyber attacks from Chinese IPs jumped by 116% on NATO countries, and 72% world-wide. CPR can not attribute the cyber attacks to the Chinese entities or to any known Chinese threat actor. The observation indicates a trend that hackers, likely within China and abroad, are increasingly using Chinese IPs as a resource to launch cyber attacks after the advent of the Russia-Ukraine conflict.
Tomi Engdahl says:
Serpent, No Swiping! New Backdoor Targets French Entities with Unique Attack Chain https://www.proofpoint.com/us/blog/threat-insight/serpent-no-swiping-new-backdoor-targets-french-entities-unique-attack-chain
Proofpoint observed new, targeted activity impacting French entities in the construction and government sectors. The threat actor used macro-enabled Microsoft Word documents to distribute the Chocolatey installer package, an open-source package installer. Various parts of the VBA macro include the following ASCII art and depict a snake. The threat actor attempted to install a backdoor on a potential victim’s device, which could enable remote administration, command and control (C2), data theft, or deliver other additional payloads. Proofpoint refers to this backdoor as Serpent. The ultimate objective of the threat actor is currently unknown.
Tomi Engdahl says:
Microsoft investigating claims of hacked source code repositories https://www.bleepingcomputer.com/news/security/microsoft-investigating-claims-of-hacked-source-code-repositories/
Microsoft says they are investigating claims that the Lapsus$ data extortion hacking group breached their internal Azure DevOps source code repositories and stolen data. Unlike many extortion groups we read about today, Lapsus$ does not deploy ransomware on their victim’s devices. Instead, they target the source code repositories for large companies, steal their proprietary data, and then attempt to ransom that data back to the company for millions of dollars. While it is not known if the extortion group has successfully ransomed stolen data, Lapsus has gained notoriety over the past months for their confirmed attacks against NVIDIA, Samsung, Vodafone, Ubisoft, and Mercado Libre.
Tomi Engdahl says:
Bridgestone Hit as Ransomware Torches Toyota Supply Chain https://threatpost.com/bridgestone-hit-as-ransomware-torches-toyota-supply-chain/178998/
A ransomware attack struck Bridgestone Americas, weeks after another Toyota supplier experienced the same and a third reported some kind of cyber hit. On Friday, Bridgestone Corp. admitted that a subsidiary experienced a ransomware attack in February, prompting it to shut down the computer network and production at its factories in North and Middle America for about a week, said Reuters. Among other things, Bridgestone is a major supplier of tires for Toyota vehicles. This is notable because, only 11 days after Bridgestone’s attack, another Toyota supplier Denso Corp. fell victim to its own ransomware attack.
Tomi Engdahl says:
APT35 Automates Initial Access Using ProxyShell https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/
In December 2021, we observed an adversary exploiting the Microsoft Exchange ProxyShell vulnerabilities to gain initial access and execute code via multiple web shells. The overlap of activities and tasks was remarkably similar to that observed in our previous report, “Exchange Exploit Leads to Domain Wide Ransomware”. In this intrusion, we observed the initial exploitation of the ProxyShell vulnerabilities followed by some further post-exploitation activity, which included web shells, credential dumping, and specialized payloads. We assess that this activity was related to APT35 (TA453, COBALT ILLUSION, Charming Kitten, ITG18, Phosphorus, Newscaster) due to the TTP’s mirroring previously reported activity that was attributed to the group.
Tomi Engdahl says:
Web vendor CafePress fined $500, 000 for giving cybersecurity a low value https://nakedsecurity.sophos.com/2022/03/21/web-vendor-cafepress-fined-500000-for-giving-cybersecurity-a-low-value/
CafePress is a web service that lets artists, shops, businesses, fan clubs anyone who signs up, in fact turn designs, corporate slogans, logos and the like into fun merchandise they can give away or sell on to others. According to the FTC, the CafePress service experienced a data breach, discovered and reported in early 2019, that was not acted on promptly or effectively, making the ultimate side-effects of the breach much worse than they ought to have been. The breach, says the FTC, saw hackers make off with more than 20, 000, 000 plaintext email addresses and weakly-hashed passwords; millions of unencrypted names, physical addresses, and security questions-and-answers; more than 180,
000 unencrypted SSNs (social security numbers); and, for tens of thousands of payment cards, the last four digits of the card plus the expiry date.
Tomi Engdahl says:
Android password-stealing malware infects 100, 000 Google Play users https://www.bleepingcomputer.com/news/security/android-password-stealing-malware-infects-100-000-google-play-users/
A malicious Android app that steals Facebook credentials has been installed over 100, 000 times via the Google Play Store, with the app still available to download. The Android malware is disguised as a cartoonifier app called ‘Craftsart Cartoon Photo Tools, ‘ allowing users to upload an image and convert it into a cartoon rendering. Over the past week, security researchers and mobile security firm Pradeo discovered that the Android app includes a trojan called ‘FaceStealer, ‘ which displays a Facebook login screen that requires users to log in before using the app. See also:
https://blog.pradeo.com/spyware-facestealer-google-play
Tomi Engdahl says:
Facebook phish claims “Someone tried to log into your account”
https://blog.malwarebytes.com/scams/2022/03/facebook-phish-claims-someone-tried-to-log-into-your-account/
Watch out for bogus Facebook phishing messages winging their way to your mailbox. The ruse is quite simple: The mail senders are relying on the recipient’s sense of panic to respond without thinking about it. The mail looks professional enough, and seeks to imitate what would be a fairly typical looking message from Facebook. As for the panic aspect, the phishers have pinned the hopes of this attack onto the old faithful “Someone is trying to login as you, so you’d better do something about it ASAP” routine.
Tomi Engdahl says:
Älä tule huijatuksi somessa tämä työkalu paljastaa väärennetyt profiilikuvat
https://www.tivi.fi/uutiset/tv/9b0170a7-a8d7-4603-b8b6-3bc77fe8ce57
Sosiaalinen media on täynnä valetilejä, joiden profiilikuvat on tekaistu tekoälyn avulla. Tällaiset profiilikuvat näyttävät pikaisella vilkaisulla aidoilta, mutta tarkemmin analysoituna niistä voi havaita epäluonnollisia piirteitä. Peruskäyttäjän on kuitenkin lähes mahdotonta kertoa, onko yksittäinen tuntemattoman käyttäjän profiilikuva aito vai tekoälyn generoima.
Tomi Engdahl says:
This browser-in-browser attack is perfect for phishing https://www.theregister.com/2022/03/18/browser_in_browser_phishing/
A novel way of tricking people out of their passwords has left us wondering if there’s a need to rethink how much we trust our web browsers to protect us and to accelerate efforts to close web security gaps. Earlier this week, an infosec researcher known as mr.d0x described a browser-in-the-browser (BitB) attack. It’s a way to steal login credentials by simulating the little browser windows that Google, Microsoft, and other authentication service providers pop up that ask you for your username and password to continue.
Tomi Engdahl says:
Researchers Find Python-Based Ransomware Targeting Jupyter Notebook Web Apps
https://www.securityweek.com/researchers-find-python-based-ransomware-targeting-jupyter-notebook-web-apps
Researchers warn of likely future ransomware attacks against web applications used by data scientists
Researchers have found what they believe to be the first Python-based ransomware sample specifically targeting Jupyter Notebooks.
Python is not commonly used for developing malware, with criminals preferring languages like Go, DLang, Nim and Rust. Nevertheless, this is not the first Python ransomware. In October 2021, Sophos reported on a Python ransomware specifically targeting VMware ESXi servers.
The new sample was discovered by researchers at Aqua Security, after it was caught in one of its honeypots. The ransomware specifically targets Jupyter Notebooks, an open-source web app used by data professionals to work with data, write and execute code, and visualize the results. This ransomware encrypts every file on a given path on the server, and then deletes itself after execution.
“Since Jupyter Notebooks are used to analyze data and build data models, this attack can lead to significant damage to organizations if these environments aren’t properly backed up,” warn the researchers in an alert issued on March 29, 2022.
Tomi Engdahl says:
Globant breach
https://thehackernews.com/2022/03/lapsus-claims-to-have-breached-it-firm.html?m=1
Tomi Engdahl says:
Horde of miner bots and backdoors leveraged Log4J to attack VMware Horizon servers https://news.sophos.com/en-us/2022/03/29/horde-of-miner-bots-and-backdoors-leveraged-log4j-to-attack-vmware-horizon-servers/
One of the products affected was VMware Horizon, a desktop and application virtualization platform that became part of the solution for some organizations’ work-from-home needs prior to and during office shutdowns over the past two years.
Lisäksi:https://www.zdnet.com/article/log4shell-exploited-to-infect-vmware-horizon-servers-with-backdoors-crypto-miners/.
Lisäksi:
https://threatpost.com/log4jshell-swarm-vmware-servers-miners-backdoors/179142/
Tomi Engdahl says:
Tracking cyber activity in Eastern Europe https://blog.google/threat-analysis-group/tracking-cyber-activity-eastern-europe/
In early March, Google’s Threat Analysis Group (TAG) published an update on the cyber activity it was tracking with regard to the war in Ukraine. Since our last update, TAG has observed a continuously growing number of threat actors using the war as a lure in phishing and malware campaigns. Government-backed actors from China, Iran, North Korea and Russia, as well as various unattributed groups, have used various Ukraine war-related themes in an effort to get targets to open malicious emails or click malicious links. Lisäksi:
https://therecord.media/china-iran-north-korea-russia-and-others-using-ukraine-invasion-in-phishing-attacks-google/
Tomi Engdahl says:
Hive ransomware shuts down California health care organization
https://therecord.media/hive-ransomware-shuts-down-california-health-care-organization/
Partnership HealthPlan of California, a nonprofit that helps hundreds of thousands of people access health care in California, is in the midst of being attacked by the Hive ransomware group.
Tomi Engdahl says:
Google: Russian phishing attacks target NATO, European military https://www.bleepingcomputer.com/news/security/google-russian-phishing-attacks-target-nato-european-military/
The Google Threat Analysis Group (TAG) says more and more threat actors are now using Russia’s war in Ukraine to target Eastern European and NATO countries, including Ukraine, in phishing and malware attacks. Lisäksi:
https://www.bleepingcomputer.com/news/security/google-russian-phishing-attacks-target-nato-european-military/
Tomi Engdahl says:
Hive ransomware uses new ‘IPfuscation’ trick to hide payload https://www.bleepingcomputer.com/news/security/hive-ransomware-uses-new-ipfuscation-trick-to-hide-payload/
The payload itself is obfuscated by taking the form of an array of ASCII IPv4 addresses, so it looks like an innocuous list of IP addresses.
Tomi Engdahl says:
Spring Cloud framework commits patch for code injection flaw
https://portswigger.net/daily-swig/spring-cloud-framework-commits-patch-for-code-injection-flaw
Cybersecurity researchers have disclosed a code injection flaw in the Spring Cloud computing framework that poses a remote attack risk.
Lisäksi:
https://nakedsecurity.sophos.com/2022/03/30/vmware-spring-cloud-java-bug-gives-instant-remote-code-execution-update-now/
Tomi Engdahl says:
QNAP warns severe OpenSSL bug affects most of its NAS devices https://www.bleepingcomputer.com/news/security/qnap-warns-severe-openssl-bug-affects-most-of-its-nas-devices/
Although a patch was released two weeks ago when the bug was publicly disclosed, QNAP explained that its customers would have to wait until the company released its own security updates.
Tomi Engdahl says:
OpenSSL cert parsing bug causes infinite denial of service loop
https://www.bleepingcomputer.com/news/security/openssl-cert-parsing-bug-causes-infinite-denial-of-service-loop/
The vulnerability is tracked as CVE-2022-0778, and affects OpenSSL versions 1.0.2 to 1.0.2zc, 1.1.1 to 1.1.1n, and 3.0 to 3.0.1.
“Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack,” describes OpenSSL’s security notice.
“The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters.”
Unfortunately, the problem impacts quite a few deployment scenarios, such as:
TLS clients consuming server certificates
TLS servers consuming client certificates
Hosting providers taking certificates or private keys from customers
Certificate authorities parsing certification requests from subscribers
Anything else which parses ASN.1 elliptic curve parameters
The fixed versions released yesterday are 1.1.1n and 3.0.2, while only premium users of 1.0.2 will be offered a fix through 1.0.2zd.
Although OpenSSL has not said that the bug is already used by threat actors, Italy’s national cybersecurity agency, CSIRT, has marked it as actively exploited in the wild.