Cyber security news April 2022

This posting is here to collect cyber security news in April 2022.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.


  1. Tomi Engdahl says:

    Chinese team breaks distance record for quantum secure direct communication

  2. Tomi Engdahl says:

    Windows malware can steal social media credentials, banking logins and more

  3. Tomi Engdahl says:

    Powerful ‘Trojan horse’ spyware found on Downing Street phone, security researchers say
    The so-called ‘Pegasus’ attack is believed to have originated from the United Arab Emirates

  4. Tomi Engdahl says:

    Apple to roll out child safety feature that scans messages for nudity to UK iPhones
    Feature that searches messages will go ahead after delays over privacy and safety concerns

  5. Tomi Engdahl says:

    Extensive data leak at at least two Finnish hotels: booking details of nearly 16,000 customers leaked, hotel chain says
    Of the Nordic Choice Hotels chain's hotels, only two were affected by the data leak, Kämp and F6 in Helsinki, says Blom. The data of exactly 15,947 customers ended up in the wrong hands.

  6. Tomi Engdahl says:

    Iranian Hackers Exploiting VMware RCE Bug to Deploy ‘Core Impact’
    An Iranian-linked threat actor known as Rocket Kitten has been observed actively exploiting a recently patched VMware vulnerability to gain initial access and deploy the Core Impact penetration testing tool on vulnerable systems.

  7. Tomi Engdahl says:

    Microsoft finds new elevation of privilege Linux vulnerability, Nimbuspwn
    Microsoft has discovered several vulnerabilities, collectively referred to as Nimbuspwn, that could allow an attacker to elevate privileges to root on many Linux desktop endpoints. The vulnerabilities can be chained together to gain root privileges on Linux systems, allowing attackers to deploy payloads, like a root backdoor, and perform other malicious actions via arbitrary root code execution.

  8. Tomi Engdahl says:

    Nation-state Hackers Target Journalists with Goldbackdoor Malware
    A campaign by APT37 used a sophisticated malware to steal information about sources, which appears to be a successor to Bluelight.

  9. Tomi Engdahl says:

    Coca-Cola investigating claims of hack after ransomware group hawks stolen data
    Coca-Cola said it is investigating reports of a data breach after a ransomware group claimed to have stolen documents from the beverage giant.

  10. Tomi Engdahl says:

    Researchers Takeover Unpatched 3rd-Party Antivirus Sandboxes via VirusTotal
    Security researchers have disclosed a security issue that could have allowed attackers to weaponize the VirusTotal platform as a conduit to achieve remote code execution (RCE) on unpatched third-party sandboxing machines employed by antivirus engines.

  11. Tomi Engdahl says:

    Google Play Store now forces apps to disclose what data is collected
    Google is rolling out a new Data Safety section on the Play Store, Android’s official app repository, where developers must declare what data their software collects from users of their apps.

  12. Tomi Engdahl says:

    Hive0117 Continues Fileless Malware Delivery in Eastern Europe
    Through continued research into the ongoing cyber activity throughout Eastern Europe, IBM Security X-Force identified a phishing email campaign by Hive0117, likely a financially motivated cybercriminal group, from February 2022, designed to deliver the fileless malware variant dubbed DarkWatchman.

  13. Tomi Engdahl says:

    Emotet Testing New Delivery Ideas After Microsoft Disables VBA Macros by Default
    The threat actor behind the prolific Emotet botnet is testing new attack methods on a small scale before co-opting them into their larger volume malspam campaigns, potentially in response to Microsoft’s move to disable Visual Basic for Applications (VBA) macros by default across its products.

  14. Tomi Engdahl says:

    Booking details of around 20,000 customers leaked from two Finnish hotels; police have opened a data breach investigation
    The Scandic, Sokos Hotels, Lapland Hotels and Omenahotellit chains told HS that the breach did not affect their customers. No payment card details were leaked. According to Sabre, the leak is almost entirely limited to the few hotels in Finland that reported the leak to the company. Sabre declined to give an interview on the subject on Tuesday. Its communications department also did not answer follow-up questions, for example about the number of hotels targeted by the breach.

  15. Tomi Engdahl says:

    BRONZE PRESIDENT Targets Russian Speakers with Updated PlugX
    The threat group's targeting shift could reflect a change in China's intelligence collection requirements due to the war in Ukraine.

    US offers $10 million reward for tips on Russian Sandworm hackers
    The U.S. is offering up to $10 million to identify or locate six Russian GRU hackers who are part of the notorious Sandworm hacking group.

  16. Tomi Engdahl says:

    Long-running North Korean operation hacked into engineering firm, Symantec says
    An unnamed engineering company with energy and military customers was recently the target of a North Korean hacking group that has been operating since at least 2009, researchers said Wednesday.

  17. Tomi Engdahl says:

    NPM Bug Allowed Attackers to Distribute Malware as Legitimate Packages
    A “logical flaw” has been disclosed in NPM, the default package manager for the Node.js JavaScript runtime environment, that enables malicious actors to pass off rogue libraries as legitimate and trick unsuspecting developers into installing them.

  18. Tomi Engdahl says:

    Assembling the Russian Nesting Doll: UNC2452 Merged into APT29
    Mandiant has gathered sufficient evidence to assess that the activity tracked as UNC2452, the group name used to track the SolarWinds compromise in December 2020, is attributable to APT29.

  19. Tomi Engdahl says:

    Russian govt impersonators target telcos in phishing attacks
    A previously unknown and financially motivated hacking group is impersonating a Russian agency in a phishing campaign targeting entities in Eastern European countries.

  20. Tomi Engdahl says:

    Emotet fixes bug in code, resumes spam campaign
    Emotet threat actors resumed their email spam campaign on Monday after stopping it late last week to fix a bug.

  21. Tomi Engdahl says:

    RIG Exploit Kit drops RedLine malware via Internet Explorer bug
    Threat analysts have uncovered yet a new campaign that uses the RIG Exploit Kit to deliver the RedLine stealer malware.

  22. Tomi Engdahl says:

    New APT Group Earth Berberoka Targets Gambling Websites With Old and New Malware
    We recently discovered a new advanced persistent threat (APT) group that we have dubbed Earth Berberoka (aka GamblingPuppet). Based on our analysis, this group targets gambling websites. Our investigation has also uncovered that Earth Berberoka targets the Windows, Linux, and macOS platforms, and uses malware families that have been historically aimed at Chinese-speaking individuals.

  23. Tomi Engdahl says:

    Kela's website collected data on visitors without permission
    According to Kela, between 28 March and 19 April the website had cookies that collected visitors' IP addresses even when consent to the use of cookies had not been given. Kela.fi had around 1.25 million visitors during that period.

  24. Tomi Engdahl says:

    Experts Detail 3 Hacking Teams Working Under the Umbrella of TA410 Group
    A cyberespionage threat actor known for targeting a variety of critical infrastructure sectors in Africa, the Middle East, and the U.S. has been observed using an upgraded version of a remote access trojan with information stealing capabilities.

  25. Tomi Engdahl says:

    Cyberattacks Rage in Ukraine, Support Military Operations
    At least five APTs are believed involved with attacks tied to ground campaigns and designed to damage Ukraine’s digital infrastructure.

  26. Tomi Engdahl says:

    QNAP customers urged to disable AFP to protect against severe vulnerabilities
    MacOS users that have a network-attached storage (NAS) device made by QNAP are being advised to disable the Apple Filing Protocol (AFP) on their devices until some severe vulnerabilities have been fixed. But QNAP is not the only vendor that needed to fix these vulnerabilities.
    Others have already done so, or have taken more drastic measures.

  27. Tomi Engdahl says:

    New Bumblebee malware replaces Conti’s BazarLoader in cyberattacks
    A newly discovered malware loader called Bumblebee is likely the latest development of the Conti syndicate, designed to replace the BazarLoader backdoor used to deliver ransomware payloads.

  28. Tomi Engdahl says:

    A new scam is lurking on WhatsApp: here's what to do
    WhatsApp users are being targeted by a new scam in which criminals pose as the app's support service. The WABetaInfo blog was the first to report the matter.

  29. Tomi Engdahl says:

    Cloudflare blocks 15M rps HTTPS DDoS attack
    Earlier this month, Cloudflare’s systems automatically detected and mitigated a 15.3 million request-per-second (rps) DDoS attack, one of the largest HTTPS DDoS attacks on record.

  30. Tomi Engdahl says:

    Ukraine targeted by DDoS attacks from compromised WordPress sites
    Ukraine’s computer emergency response team (CERT-UA) has published an announcement warning of ongoing DDoS (distributed denial of service) attacks targeting pro-Ukraine sites and the government web portal.

  31. Tomi Engdahl says:

    LAPSUS$: Recent techniques, tactics and procedures
    This post describes the techniques, tactics and procedures we observed during recent LAPSUS$ incidents.

  32. Tomi Engdahl says:

    Cisco Patches 11 High-Severity Vulnerabilities in Security Products

    Cisco this week announced the release of its April 2022 bundle of security advisories for Cisco Adaptive Security Appliance (ASA), Firepower Threat Defense (FTD), and Firepower Management Center (FMC).

    The semiannual bundled advisories describe a total of 19 vulnerabilities in Cisco’s security products, including 11 that were assessed with a severity rating of “high.”

    The most severe of these is CVE-2022-20746 (CVSS score of 8.8), an FTD security hole that exists because TCP flows aren’t properly handled, and which could be exploited remotely without authentication to cause a denial of service (DoS) condition.

    “An attacker could exploit this vulnerability by sending a crafted stream of TCP traffic through an affected device. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition,” Cisco explains in an advisory.

  33. Tomi Engdahl says:

    Critical Vulnerabilities in Azure PostgreSQL Exposed User Databases

    Cloud security company Wiz has released the details of a series of critical vulnerabilities that could have been exploited to access databases belonging to Azure customers.

    The security holes discovered by Wiz researchers are collectively tracked as ExtraReplica — the name stems from the fact that the flaws affected a database replication feature. They impacted Azure Database for PostgreSQL Flexible Server, a fully managed PostgreSQL database-as-a-service offering.

  34. Tomi Engdahl says:

    Cloudflare Customer Targeted in Record HTTPS DDoS Attack

    Security and web performance services provider Cloudflare recently mitigated the largest HTTPS distributed denial-of-service (DDoS) attack it has seen to date.

    Peaking at 15.3 million request-per-second (RPS), this was not the largest application-layer DDoS attack ever recorded, but Cloudflare says it was the largest to be carried out over HTTPS.

    In August 2021, Cloudflare announced it had mitigated a 17.2 million RPS DDoS attack. Shortly after, the company said it observed the Mēris botnet launching a 21.8 million RPS attack.

    The new assault, observed by Cloudflare earlier this month, stands out because HTTPS DDoS attacks require significantly higher computational resources due to the costs associated with establishing a secure TLS encrypted connection.

    “Therefore it costs the attacker more to launch the attack, and for the victim to mitigate it. We’ve seen very large attacks in the past over (unencrypted) HTTP, but this attack stands out because of the resources it required at its scale,” Cloudflare notes.

  35. Tomi Engdahl says:

    Booking details of around 20,000 customers leaked from two Finnish hotels – police have opened a data breach investigation
    The Scandic, Sokos Hotels, Lapland Hotels and Omenahotellit chains told HS that the breach did not affect their customers. No payment card details were leaked.

  36. Tomi Engdahl says:

    Chrome 101 Patches 30 Vulnerabilities

    Google this week announced that Chrome 101 was released to the stable channel with 30 security fixes inside, including 25 for vulnerabilities identified by external security researchers.

    The most important of these fixes resolves a high-severity use-after-free issue in the 3D graphics and computing open standard Vulkan. Tracked as CVE-2022-1477, the bug was reported by SeongHwan Park (SeHwa), who received a $10,000 bug bounty payout for it.

    Six other externally reported high-severity flaws were addressed with the release of Chrome 101, four of which are use-after-free vulnerabilities that impact the SwiftShader 3D renderer, the Angle WebGL backend, the Device API, and the Sharing component.
