This posting is here to collect cyber security news in April 2022.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
This posting is here to collect cyber security news in April 2022.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
425 Comments
Tomi Engdahl says:
https://thehackernews.com/2022/04/researchers-report-critical-rce.html
Tomi Engdahl says:
https://thehackernews.com/2022/04/iranian-hackers-exploiting-vmware-rce.html
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/real-time-voice-concealment-algorithm-blocks-microphone-spying/
Tomi Engdahl says:
https://thehackernews.com/2022/04/fbi-warns-of-blackcat-ransomware-that.html
Tomi Engdahl says:
https://www.theverge.com/2022/4/21/23035183/ios-messages-communication-safety-nudity-sexually-explicit-message-blurring
Tomi Engdahl says:
https://www.darkreading.com/threat-intelligence/zero-day-exploit-use-exploded-in-2021
Tomi Engdahl says:
https://www.theregister.com/2022/04/21/machine_learning_models_backdoors/
Tomi Engdahl says:
https://www.darkreading.com/attacks-breaches/-iranian-group-among-those-exploiting-recently-disclosed-rce-flaw-in-vmware
Tomi Engdahl says:
https://uk.pcmag.com/smart-home/139876/smart-home-company-insteon-shuts-down-servers-without-warning
Tomi Engdahl says:
Chinese team breaks distance record for quantum secure direct communication
https://phys.org/news/2022-04-chinese-team-distance-quantum.html
Tomi Engdahl says:
Windows malware can steal social media credentials, banking logins and more
https://www.komando.com/security-privacy/windows-malware-threats/834344/
Tomi Engdahl says:
Powerful ‘Trojan horse’ spyware found on Downing Street phone, security researchers say
The so-called ‘Pegasus’ attack is believed to have originated from the United Arab Emirates
https://www.independent.co.uk/news/uk/politics/downing-street-spyware-pegasus-boris-johnson-b2060160.html#Echobox=1650293696
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/us-warns-of-lazarus-hackers-using-malicious-cryptocurrency-apps/
Tomi Engdahl says:
https://techxplore.com/news/2022-04-inexperienced-users-phishing-emails.html
Tomi Engdahl says:
https://thehackernews.com/2022/04/new-solarmarker-malware-variant-using.html
Tomi Engdahl says:
Apple to roll out child safety feature that scans messages for nudity to UK iPhones
Feature that searches messages will go ahead after delays over privacy and safety concerns
https://www.theguardian.com/technology/2022/apr/20/apple-says-new-child-safety-feature-to-be-rolled-out-for-uk-iphones
Tomi Engdahl says:
https://www.tomshardware.com/news/7-zip-zero-day-exploit
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/newly-found-zero-click-iphone-exploit-used-in-nso-spyware-attacks/
Tomi Engdahl says:
Ainakin kahdessa suomalaishotellissa laaja tietovuoto Lähes 16000 asiakkaan varaustiedot vuotaneet, kertoo hotelliketju https://www.hs.fi/kotimaa/art-2000008773864.html
Nordic Choice Hotels -ketjun hotelleista tietovuodon kohteeksi joutui vain kaksi, helsinkiläiset Kämp ja F6, kertoo Blom. Tarkalleen 15947 asiakkaan tiedot joutuivat vääriin käsiin.
Tomi Engdahl says:
Iranian Hackers Exploiting VMware RCE Bug to Deploy ‘Core Impact’
Backdoor
https://thehackernews.com/2022/04/iranian-hackers-exploiting-vmware-rce.html
An Iranian-linked threat actor known as Rocket Kitten has been observed actively exploiting a recently patched VMware vulnerability to gain initial access and deploy the Core Impact penetration testing tool on vulnerable systems.
Tomi Engdahl says:
Microsoft finds new elevation of privilege Linux vulnerability, Nimbuspwn https://www.microsoft.com/security/blog/2022/04/26/microsoft-finds-new-elevation-of-privilege-linux-vulnerability-nimbuspwn/
Microsoft has discovered several vulnerabilities, collectively referred to as Nimbuspwn, that could allow an attacker to elevate privileges to root on many Linux desktop endpoints. The vulnerabilities can be chained together to gain root privileges on Linux systems, allowing attackers to deploy payloads, like a root backdoor, and perform other malicious actions via arbitrary root code execution.
Tomi Engdahl says:
Nation-state Hackers Target Journalists with Goldbackdoor Malware https://threatpost.com/hackers-target-journalists-goldbackdoor/179389/
A campaign by APT37 used a sophisticated malware to steal information about sources , which appears to be a successor to Bluelight.
Tomi Engdahl says:
Coca-Cola investigating claims of hack after ransomware group hawks stolen data https://therecord.media/coca-cola-investigating-claims-of-hack-after-ransomware-group-hawks-stolen-data/
Coca-Cola said it is investigating reports of a data breach after a ransomware group claimed to have stolen documents from the beverage giant.
Tomi Engdahl says:
Researchers Takeover Unpatched 3rd-Party Antivirus Sandboxes via VirusTotal https://thehackernews.com/2022/04/researchers-report-critical-rce.html
Security researchers have disclosed a security issue that could have allowed attackers to weaponize the VirusTotal platform as a conduit to achieve remote code execution (RCE) on unpatched third-party sandboxing machines employed antivirus engines.
Tomi Engdahl says:
Google Play Store now forces apps to disclose what data is collected https://www.bleepingcomputer.com/news/security/google-play-store-now-forces-apps-to-disclose-what-data-is-collected/
Google is rolling out a new Data Safety section on the Play Store, Android’s official app repository, where developers must declare what data their software collects from users of their apps.
Tomi Engdahl says:
Hive0117 Continues Fileless Malware Delivery in Eastern Europe https://securityintelligence.com/posts/hive00117-fileless-malware-delivery-eastern-europe/
Through continued research into the ongoing cyber activity throughout Eastern Europe, IBM Security X-Force identified a phishing email campaign by Hive0117, likely a financially motivated cybercriminal group, from February 2022, designed to deliver the fileless malware variant dubbed DarkWatchman.
Tomi Engdahl says:
Emotet Testing New Delivery Ideas After Microsoft Disables VBA Macros by Default https://thehackernews.com/2022/04/emotet-testing-new-delivery-ideas-after.html
The threat actor behind the prolific Emotet botnet is testing new attack methods on a small scale before co-opting them into their larger volume malspam campaigns, potentially in response to Microsoft’s move to disable Visual Basic for Applications (VBA) macros by default across its products.
Tomi Engdahl says:
Noin 20000 asiakkaan varaustiedot vuosivat kahdesta suomalaishotellista poliisi aloitti tietomurtotutkinnan https://www.hs.fi/kotimaa/art-2000008774004.html
Scandic, Sokos Hotels, Lapland Hotels ja Omenahotellit-ketjuilta kerrotaan HS:lle, ettei tietomurto ole kohdistunut heidän asiakkaisiinsa. maksukorttitietoja ei vuotanut. Tietovuoto rajoittuu Sabren mukaan lähes kokonaan niihin muutamiin hotelleihin Suomessa, jotka yritykselle vuodosta ilmoittivatkin. Sabresta ei haluttu antaa haastattelua aiheesta tiistaina. Viestinnästä ei myöskään vastattu tarkentaviin kysymyksiin esimerkiksi tietomurron kohteena olevien hotellien määrästä.
Tomi Engdahl says:
BRONZE PRESIDENT Targets Russian Speakers with Updated PlugX https://www.secureworks.com/blog/bronze-president-targets-russian-speakers-with-updated-plugx
The threat groups targeting shift could reflect a change in Chinas intelligence collection requirements due to the war in Ukraine.
US offers $10 million reward for tips on Russian Sandworm hackers https://www.bleepingcomputer.com/news/security/us-offers-10-million-reward-for-tips-on-russian-sandworm-hackers/
The U.S. is offering up to $10 million to identify or locate six Russian GRU hackers who are part of the notorious Sandworm hacking group.
Tomi Engdahl says:
Long-running North Korean operation hacked into engineering firm, Symantec says https://therecord.media/north-korea-hackers-stonefly-symantec/
An unnamed engineering company with energy and military customers was recently the target of a North Korean hacking group that has been operating since at least 2009, researchers said Wednesday.
Tomi Engdahl says:
NPM Bug Allowed Attackers to Distribute Malware as Legitimate Packages https://thehackernews.com/2022/04/npm-bug-allowed-attackers-to-distribute.html
A “logical flaw” has been disclosed in NPM, the default package manager for the Node.js JavaScript runtime environment, that enables malicious actors to pass off rogue libraries as legitimate and trick unsuspecting developers into installing them.
Tomi Engdahl says:
Assembling the Russian Nesting Doll: UNC2452 Merged into APT29
https://www.mandiant.com/resources/unc2452-merged-into-apt29
Mandiant has gathered sufficient evidence to assess that the activity tracked as UNC2452, the group name used to track the SolarWinds compromise in December 2020, is attributable to APT29.
Tomi Engdahl says:
Russian govt impersonators target telcos in phishing attacks https://www.bleepingcomputer.com/news/security/russian-govt-impersonators-target-telcos-in-phishing-attacks/
A previously unknown and financially motivated hacking group is impersonating a Russian agency in a phishing campaign targeting entities in Eastern European countries.
Tomi Engdahl says:
Emotet fixes bug in code, resumes spam campaign https://blog.malwarebytes.com/cybercrime/malware/2022/04/emotet-fixes-bug-in-code-resumes-spam-campaign/
Emotet threat actors resumed their email spam campaign on Monday after stopping it late last week to fix a bug.
Tomi Engdahl says:
RIG Exploit Kit drops RedLine malware via Internet Explorer bug https://www.bleepingcomputer.com/news/security/rig-exploit-kit-drops-redline-malware-via-internet-explorer-bug/
Threat analysts have uncovered yet a new campaign that uses the RIG Exploit Kit to deliver the RedLine stealer malware.
Tomi Engdahl says:
New APT Group Earth Berberoka Targets Gambling Websites With Old and New Malware https://www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html
We recently discovered a new advanced persistent threat (APT) group that we have dubbed Earth Berberoka (aka GamblingPuppet). Based on our analysis, this group targets gambling websites. Our investigation has also uncovered that Earth Berberoka targets the Windows, Linux, and macOS platforms, and uses malware families that have been historically aimed at Chinese-speaking individuals.
Tomi Engdahl says:
Kelan verkkosivusto kerännyt kävijöistä tietoja ilman lupaa https://www.is.fi/digitoday/art-2000008779279.html
Kelan mukaan verkkosivustolla on ollut 28. maaliskuuta ja 19.
huhtikuuta välisenä aikana evästeitä, jotka ovat keränneet kävijöiden IP-osoitteita, vaikka suostumusta evästeiden käyttämiseen ei olisi annettu. Kela.fissä on ollut kyseisellä aikavälillä noin 1, 25 miljoonaa kävijää.
Tomi Engdahl says:
Experts Detail 3 Hacking Teams Working Under the Umbrella of TA410 Group https://thehackernews.com/2022/04/experts-detail-3-hacking-teams-working.html
A cyberespionage threat actor known for targeting a variety of critical infrastructure sectors in Africa, the Middle East, and the U.S. has been observed using an upgraded version of a remote access trojan with information stealing capabilities.
Tomi Engdahl says:
Cyberattacks Rage in Ukraine, Support Military Operations https://threatpost.com/cyberwar-ukraine-military/179421/
At least five APTs are believed involved with attacks tied ground campaigns and designed to damage Ukraine’s digital infrastructure.
Tomi Engdahl says:
QNAP customers urged to disable AFP to protect against severe vulnerabilities https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/04/qnap-customers-urged-to-disable-afp-to-protect-against-severe-vulnerabilities/
MacOS users that have a network-attached storage (NAS) device made by QNAP are being advised to disable the Apple Filing Protocol (AFP) on their devices until some severe vulnerabilities have been fixed. But QNAP is not the only vendor that needed to fix these vulnerabilities.
Others have already done so, or have taken more drastic measures.
Tomi Engdahl says:
New Bumblebee malware replaces Conti’s BazarLoader in cyberattacks https://www.bleepingcomputer.com/news/security/new-bumblebee-malware-replaces-contis-bazarloader-in-cyberattacks/
A newly discovered malware loader called Bumblebee is likely the latest development of the Conti syndicate, designed to replace the BazarLoader backdoor used to deliver ransomware payloads.
Tomi Engdahl says:
WhatsAppissa vaanii uusi huijaus: näin kannattaa toimia
https://www.tivi.fi/uutiset/tv/e025ff02-4aab-4e4f-8b63-8d77f7124d89
WhatsApp-käyttäjiä vaanii uusi huijaus, jossa rikolliset esiintyvät sovelluksen tukipalveluna. Asiasta kertoi ensimmäisenä WABetaInfo-blogi
Tomi Engdahl says:
Cloudflare blocks 15M rps HTTPS DDoS attack https://blog.cloudflare.com/15m-rps-ddos-attack/
Earlier this month, Cloudflare’s systems automatically detected and mitigated a 15.3 million request-per-second (rps) DDoS attack one of the largest HTTPS DDoS attacks on record.
Tomi Engdahl says:
Ukraine targeted by DDoS attacks from compromised WordPress sites https://www.bleepingcomputer.com/news/security/ukraine-targeted-by-ddos-attacks-from-compromised-wordpress-sites/
Ukraine’s computer emergency response team (CERT-UA) has published an announcement warning of ongoing DDoS (distributed denial of service) attacks targeting pro-Ukraine sites and the government web portal.
Tomi Engdahl says:
LAPSUS$: Recent techniques, tactics and procedures https://research.nccgroup.com/2022/04/28/lapsus-recent-techniques-tactics-and-procedures/
This post describes the techniques, tactics and procedures we observed during recent LAPSUS$ incidents.
Tomi Engdahl says:
Cisco Patches 11 High-Severity Vulnerabilities in Security Products
https://www.securityweek.com/cisco-patches-11-high-severity-vulnerabilities-security-products
Cisco this week announced the release of its April 2022 bundle of security advisories for Cisco Adaptive Security Appliance (ASA), Firepower Threat Defense (FTD), and Firepower Management Center (FMC).
The semiannual bundled advisories describe a total of 19 vulnerabilities in Cisco’s security products, including 11 that were assessed with a severity rating of “high.”
The most severe of these is CVE-2022-20746 (CVSS score of 8.8), an FTD security hole that exists because TCP flows aren’t properly handled, and which could be exploited remotely without authentication to cause a denial of service (DoS) condition.
“An attacker could exploit this vulnerability by sending a crafted stream of TCP traffic through an affected device. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition,” Cisco explains in an advisory.
Tomi Engdahl says:
Critical Vulnerabilities in Azure PostgreSQL Exposed User Databases
https://www.securityweek.com/critical-vulnerabilities-azure-postgresql-exposed-user-databases
Cloud security company Wiz has released the details of a series of critical vulnerabilities that could have been exploited to access databases belonging to Azure customers.
The security holes discovered by Wiz researchers are collectively tracked as ExtraReplica — the name stems from the fact that the flaws affected a database replication feature. They impacted Azure Database for PostgreSQL Flexible Server, a fully managed PostgreSQL database-as-a-service offering.
Tomi Engdahl says:
Cloudflare Customer Targeted in Record HTTPS DDoS Attack
https://www.securityweek.com/cloudflare-customer-targeted-record-https-ddos-attack
Security and web performance services provider Cloudflare recently mitigated the largest HTTPS distributed denial-of-service (DDoS) attack it has seen to date.
Peaking at 15.3 million request-per-second (RPS), this was not the largest application-layer DDoS attack ever recorded, but Cloudflare says it was the largest to be carried out over HTTPS.
In August 2021, Cloudflare announced it had mitigated a 17.2 million RPS DDoS attack. Shortly after, the company said it observed the Mēris botnet launching a 21.8 million RPS attack.
The new assault, observed by Cloudflare earlier this month, stands out because HTTPS DDoS attacks require significantly higher computational resources due to the costs associated with establishing a secure TLS encrypted connection.
“Therefore it costs the attacker more to launch the attack, and for the victim to mitigate it. We’ve seen very large attacks in the past over (unencrypted) HTTP, but this attack stands out because of the resources it required at its scale,” Cloudflare notes.
Tomi Engdahl says:
Noin 20 000 asiakkaan varaustiedot vuosivat kahdesta suomalaishotellista – poliisi aloitti tietomurtotutkinnan
Scandic, Sokos Hotels, Lapland Hotels ja Omenahotellit-ketjuilta kerrotaan HS:lle, ettei tietomurto ole kohdistunut heidän asiakkaisiinsa. maksukorttitietoja ei vuotanut
https://www.hs.fi/kotimaa/art-2000008774004.html
Tomi Engdahl says:
Chrome 101 Patches 30 Vulnerabilities
https://www.securityweek.com/chrome-101-patches-30-vulnerabilities
Google this week announced that Chrome 101 was released to the stable channel with 30 security fixes inside, including 25 for vulnerabilities identified by external security researchers.
The most important of these fixes resolves a high-severity use-after-free issue in the 3D graphics and computing open standard Vulkan. Tracked as CVE-2022-1477, the bug was reported by SeongHwan Park (SeHwa), who received a $10,000 bug bounty payout for it.
Six other externally reported high-severity flaws were addressed with the release of Chrome 101, four of which are use-after-free vulnerabilities that impact the SwiftShader 3D renderer, the Angle WebGL backend, the Device API, and the Sharing component.’