This posting is here to collect cyber security news in May 2022.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
Tomi Engdahl says:
Hacker says hijacking libraries, stealing AWS keys was ethical research https://www.bleepingcomputer.com/news/security/hacker-says-hijacking-libraries-stealing-aws-keys-was-ethical-research/
Yesterday, developers took notice of two hugely popular Python and PHP libraries, respectively, ‘ctx’ and ‘PHPass’ that had been hijacked, as first reported in the news by BleepingComputer. Both of these legitimate open source projects had been altered to steal developers’ AWS credentials. The hacker behind this hijack has now broken silence and explained his reasons to BleepingComputer. According to the hacker, rather “security researcher,” this was a bug bounty exercise and no malicious activity was intended.
Tomi Engdahl says:
BPFDoor malware uses Solaris vulnerability to get root privileges https://www.bleepingcomputer.com/news/security/bpfdoor-malware-uses-solaris-vulnerability-to-get-root-privileges/
New research into the inner workings of the stealthy BPFdoor malware for Linux and Solaris reveals that the threat actor behind it leveraged an old vulnerability to achieve persistence on targeted systems. BPFDoor is a custom backdoor that has been used largely undetected for at least five years in attacks against telecommunications, government, education, and logistics organizations. The malware was discovered only recently and reported first by researchers from PricewaterhouseCoopers (PwC), who attributed it to a China-based threat actor they track as Red Menshen.
Tomi Engdahl says:
Pakistan shuts down internet ahead of protests over ousting of prime minister https://therecord.media/pakistan-internet-shutdown-protests-imran-khan/
Internet service in Pakistan is being artificially limited as the government seeks to shut down protests organized by former Prime Minister Imran Khan, who became the first leader in the country’s history to be removed from office in a no-confidence motion in parliament on April 10.
Tomi Engdahl says:
New ‘Cheers’ Linux ransomware targets VMware ESXi servers
https://www.bleepingcomputer.com/news/security/new-cheers-linux-ransomware-targets-vmware-esxi-servers/
A new ransomware named ‘Cheers’ has appeared in the cybercrime space and has started its operations by targeting vulnerable VMware ESXi servers.
VMware ESXi is a virtualization platform commonly used by large organizations worldwide, so encrypting them typically causes severe disruption to a business’ operations.
We have seen many ransomware groups targeting the VMware ESXi platform in the past, with the most recent additions being LockBit and Hive.
The addition of Cheers ransomware to the club was discovered by analysts at Trend Micro, who call the new variant ‘Cheerscrypt’.
Once a VMware ESXi server is compromised, the threat actors launch the encryptor, which will automatically enumerate the running virtual machines and shut them down using the following esxcli command.
When encrypting files it specifically seeks out files with the following .log, .vmdk, .vmem, .vswp, and .vmsn extensions. These file extensions are associated with ESXi snapshots, log files, swap files, paging files, and virtual disks.
Each encrypted file will have the “.Cheers” extension appended to its filename.
Based on BleepingComputer’s research into the new operation, it appears to have launched in March 2022.
While only a Linux ransomware variant has been found to date, there is likely a Windows variant available as well.
Cheers is performing data exfiltration during the attacks and using the stolen data in double-extortion attacks.
If victims do not pay a ransom, the threat actors say they will sell the stolen data to other crooks.
If nobody is interested in buying the data, it gets published on the leak portal and becomes exposed to clients, contractors, data protection authorities, competitors, and other threat actors.
Tomi Engdahl says:
Critical Zoom vulnerabilities fixed last week required no user interaction https://arstechnica.com/information-technology/2022/05/critical-zoom-vulnerabilities-fixed-last-week-required-no-user-interaction/
Tracked as CVE-2022-22786 and CVE-2022-22784, the vulnerabilities made it possible to perform attacks even when the victim took no action other than to have the client open. Google’s Project Zero vulnerability research team detailed critical vulnerabilities Zoom patched last week that made it possible for hackers to execute zero-click attacks that remotely ran malicious code on devices running the messaging software.
Tomi Engdahl says:
Millions of people’s info stolen from MGM Resorts dumped on Telegram for free https://www.theregister.com/2022/05/25/mgm_customers_data_dumped_again/
Miscreants have dumped on Telegram more than 142 million customer records stolen from MGM Resorts, exposing names, postal and email addresses, phone numbers, and dates of birth for any would-be identity thief. The vpnMentor research team stumbled upon the files, which totaled 8.7 GB of data, on the messaging platform earlier this week, and noted that they “assume at least 30 million people had some of their data leaked.”
Tomi Engdahl says:
Country Extortion: Ransomware expands business to include the government sector https://blog.checkpoint.com/2022/05/26/country-extortion-ransomware-expands-business-to-the-governmental-sector/
An unprecedented event has occurred in Costa Rica. On May 12, the country’s president declared a state of national emergency. Days later, he announced that the country is at war; a war against a cybercrime group Conti. This took place after the Conti group breached and encrypted at least 27 of Costa Rica’s governmental agencies.
Moreover, while the government decided not to pay the ransom, the group declared its goal to overthrow the government of Costa Rica and called for its citizens to go to the streets and change the government.
Tomi Engdahl says:
Russian hackers are linked to new Brexit leak website, Google says https://www.euractiv.com/section/cybersecurity/news/russian-hackers-are-linked-to-new-brexit-leak-website-google-says/
A new website that published leaked emails from several leading proponents of Britain’s exit from the European Union is tied to Russian hackers, according to a Google cybersecurity official and the former head of UK foreign intelligence.
Tomi Engdahl says:
LinkedIn bug bounty program goes public with rewards of up to $18k https://portswigger.net/daily-swig/linkedin-bug-bounty-program-goes-public-with-rewards-of-up-to-18k
LinkedIn has launched a public bug bounty program to replace the invite-only program that has been running since 2014. Critical security vulnerabilities discovered on the business-oriented social media platform will net researchers bounties ranging from $5,000 up to $15,000, while high severity issues will command rewards of between $2,500 and $5,000, and medium severity flaws will net bug hunters between $250 and $2,500.
Tomi Engdahl says:
Tails OS Users Advised Not to Use Tor Browser Until Critical Firefox Bugs are Patched https://thehackernews.com/2022/05/tails-os-users-advised-not-to-use-tor.html
The maintainers of the Tails project have issued a warning that the Tor Browser that’s bundled with the operating system is unsafe to use for accessing or entering sensitive information.
Tomi Engdahl says:
Cybergang Claims REvil is Back, Executes DDoS Attacks https://threatpost.com/cybergang-claims-revil-is-back-executes-ddos-attacks/179734/
Actors claiming to be the defunct ransomware group are targeting one of Akamai’s customers with a Layer 7 attack, demanding an extortion payment in Bitcoin.
Tomi Engdahl says:
Twitter to Pay $150M Penalty Over Privacy of Users’ Data
https://www.securityweek.com/twitter-pay-150m-penalty-over-privacy-users-data
Twitter will pay a $150 million penalty and put in new safeguards to settle federal regulators’ allegations that the social platform failed to protect the privacy of users’ data over a six-year span.
The Justice Department and the Federal Trade Commission announced the settlement with Twitter on Wednesday. The regulators allege Twitter violated a 2011 FTC order by deceiving users about how well it maintained and protected the privacy and security of their nonpublic contact information.
From May 2013 to September 2019, Twitter told users that it was collecting their phone numbers and email addresses for purposes of account security. But it failed to disclose that it also would use the information to enable companies to send targeted online ads to users on the platform, the government alleged.
The regulators also alleged, in a federal lawsuit filed Wednesday, that Twitter falsely claimed that it complied with U.S. privacy agreements with the European Union and Switzerland, which prohibit companies from processing user information in ways that are at odds with purposes authorized by users.
“Twitter obtained data from users on the pretext of harnessing it for security purposes but then ended up also using the data to target users with ads,” FTC Chair Lina Khan said in a statement. “This practice affected more than 140 million Twitter users, while boosting Twitter’s primary source of revenue.”
Tomi Engdahl says:
Spain to Tighten Control Over Secret Services After Spying Scandal
https://www.securityweek.com/spain-tighten-control-over-secret-services-after-spying-scandal
Spain’s prime minister vowed Thursday to tighten oversight of the country’s secret services in the wake of a scandal over the hacking of top politicians’ mobile phones that has roiled his fragile coalition government.
The affair broke in April when Canadian cybersecurity watchdog Citizen Lab said the telephones of more than 60 people linked to the Catalan separatist movement had been tapped using Pegasus spyware after a failed independence bid in 2017.
The scandal sparked a crisis between Prime Minister Pedro Sanchez’s minority government and Catalan separatist party ERC which blamed Madrid for the phone hacking.
His fragile coalition relies on the ERC to pass legislation in parliament and remain in power until the next general election due at the end of 2023.
The scandal deepened after the government announced that the phones of Sanchez and the defense and interior ministers were hacked by the same spyware, made by Israel’s NSO Group, by an “external actor” last year.
Tomi Engdahl says:
Cloud Security Firm Lacework Lays Off 20% of Workforce
https://www.securityweek.com/cloud-security-firm-lacework-lays-20-workforce
Cloud security company Lacework is laying off a significant chunk of its workforce as a result of restructuring.
The firm blamed the layoffs on a “seismic shift” in public and private markets, which have forced it to restructure and change its plan.
News of the layoffs came to light on Wednesday, hours before the company published a blog post explaining its decision. Gergely Orosz of The Pragmatic Engineer Newsletter broke the news when he tweeted that the company was laying off roughly 300 employees, or 20% of its workforce.
The layoffs were announced just months after the company raised $1.3 billion in a second Series D funding round and was valued at $8.3 billion.
https://www.lacework.com/blog/lacework-update/
https://twitter.com/GergelyOrosz/status/1529575067117658112
Tomi Engdahl says:
VMware to Absorb Broadcom Security Solutions Following $61 Billion Deal
https://www.securityweek.com/vmware-absorb-broadcom-security-solutions-following-61-billion-deal
Chipmaker Broadcom on Thursday announced an agreement to acquire virtualization giant VMware for roughly $61 billion in cash and stock.
VMware shareholders can receive either $142.50 in cash or 0.2520 shares of Broadcom common stock for each VMware share. Broadcom, which obtained $32 billion in financing from a consortium of banks to help fund the deal, will also assume $8 billion of VMware net debt.
The transaction is expected to be completed in Broadcom’s fiscal year 2023. While the boards of both companies have signed off on the deal, the agreement includes a 40-day “go-shop” period.
After the transaction is completed, Broadcom Software Group will rebrand and operate as VMware, with Broadcom’s infrastructure and security software solutions becoming part of VMware’s portfolio.
SecurityWeek has reached out to Broadcom for clarifications regarding the migration of Symantec technologies and services to VMware.
VMware’s security portfolio currently includes solutions for security operations centers (SOC), endpoints, cloud environments, applications, and networks. Many of the current products are powered by technology obtained following the acquisition of endpoint security firm Carbon Black for $2.1 billion in 2019.
Tomi Engdahl says:
Greg Johnson to Take Reins as McAfee CEO
https://www.securityweek.com/greg-johnson-take-reins-mcafee-ceo
Tomi Engdahl says:
Critical Vulnerabilities Found in Open Automation Software Platform
https://www.securityweek.com/critical-vulnerabilities-found-open-automation-software-platform
Cisco’s Talos research and threat intelligence unit revealed on Wednesday that one of its employees discovered several critical and high-severity vulnerabilities in the Open Automation Software Platform.
Open Automation Software is a US-based company that provides connectivity solutions for ICS or IoT devices, databases, and custom applications. The company’s Open Automation Software (OAS) Platform, powered by a universal data connector, can be used to move data between PLCs from different vendors, from a PLC to a database, or from a database into a visualization.
The firm says its solutions are used by some of the world’s biggest companies, including in the energy, defense, aerospace, healthcare, water, and automotive sectors.
Talos’ Jared Rittle discovered that the OAS Platform is affected by eight vulnerabilities that can be exploited by an attacker for arbitrary code execution, DoS attacks, obtaining sensitive information, and other purposes.
The vendor was informed about the vulnerabilities in March and April, and released patches last week, according to Talos.
Two vulnerabilities have been assigned a “critical” severity rating based on their CVSS score. This includes CVE-2022-26082, a file write vulnerability that can be exploited for remote code execution using specially crafted network requests, and CVE-2022-26833, which allows an attacker to authenticate as the default user with a blank username and password sent to a certain endpoint.
Vulnerability Spotlight: Vulnerabilities in Open Automation Software Platform could lead to information disclosure, denial of service
https://blog.talosintelligence.com/2022/05/vuln-spotlight-open-automation-platform.html
Tomi Engdahl says:
QCT Servers Affected by ‘Pantsdown’ BMC Vulnerability
https://www.securityweek.com/qct-servers-affected-pantsdown-bmc-vulnerability
Servers made by Quanta Cloud Technology (QCT) are affected by the baseboard management controller (BMC) vulnerability known as CVE-2019-6260 and “Pantsdown.”
The vulnerability, whose details were disclosed in early 2019, affects ASPEED ast2400 and ast2500 BMC hardware and firmware implementing Advanced High-performance Bus (AHB) bridges, which allow arbitrary read and write access to the BMC’s physical address space from the host and — in some cases — from the network.
Several major manufacturers released advisories at the time to inform their customers about the critical vulnerability, including Supermicro, IBM, HP and Gigabyte.
Firmware and hardware security company Eclypsium determined last year that QCT servers had still been affected by the Pantsdown vulnerability. QCT’s data center solutions are used by major companies such as Facebook and Rackspace, according to QCT’s Wikipedia page.
Eclypsium’s researchers have developed a proof-of-concept (PoC) exploit to show how an unsophisticated attacker with remote access to the operating system could exploit the vulnerability for arbitrary code execution within the BMC of a targeted server.
“This vulnerability can provide an attacker with full control over the server including the ability to propagate ransomware, stealthily steal data, or disable the BMC or the server itself,” Eclypsium explained. “Additionally, by gaining code execution in the BMC, attackers could steal the BMC credentials, which could allow the attack to spread to other servers in the same IPMI group.”
According to the company, an attacker who gains access to a server with a vulnerable BMC can conduct various activities, including modify the BMC flash for persistence, modify the UEFI to plant persistent malware, modify the kernel and inject malware into a running host, inject arbitrary keyboard or mouse events, move laterally to other devices on the network, use virtual USB devices to route traffic, or brick the device.
The cybersecurity firm informed Quanta about the vulnerability in October 2021. The vendor has informed Eclypsium that new firmware addressing the flaw is privately available to customers, but it will not be made public.
It’s unclear how many customers have actually installed the firmware patches.
Tomi Engdahl says:
Darknet market Versus shuts down after hacker leaks security flaw
https://www.bleepingcomputer.com/news/security/darknet-market-versus-shuts-down-after-hacker-leaks-security-flaw/
The Versus Market, one of the most popular English-speaking criminal darknet markets, is shutting down after discovering a severe exploit that could have allowed access to its database and exposed the IP address of its servers.
When conducting criminal activities online, dark web marketplaces must keep their physical assets hidden; otherwise, their operators risk identification and arrest.
The same applies to the users and vendors, who need to remain anonymous while using these illegal platforms. Anything that undermines trust to protect their info renders the platform extremely risky.
Apparently, after finding these vulnerabilities, the operators of Versus have decided to pull the plug themselves, finding it too risky to continue.
Versus launched three years ago and reached very high popularity in the cybercrime community, offering drugs, coin mixing, hacking services, stolen payment cards, and exfiltrated databases.
Going dark
Last week, a hacker exposed the marketplace’s poor security by leaking a PoC on how to access the file system of the site’s server on Dread, a darknet social media space.
Hacker mocking Versus security on Dread
Versus went offline to conduct a security audit like the site says it has done twice before, following suspicions of severe flaws or even actual hacks.
After they went offline, users became concerned that Versus was conducting an exit scam, that the FBI had taken over the site, and various typical assumptions that accompany these sudden moves.
Soon though, the platform’s operators re-emerged to announce that they were shutting down the marketplace.
The message ends with a notice to vendors on the platform, promising to post a link for them to perform transactions without time restrictions, allowing the retrieval of escrow balances.
Versus was exposed for IP leaks in March 2020 and suffered a massive Bitcoin theft from user wallets in July 2020. In both cases, the platform owned the mistakes and was completely transparent about what happened.
This allowed Versus to continue forward and become a large marketplace in terms of user numbers and transaction volumes. However, the operators probably realized the risk of exposure was too significant to continue.
Whether or not members of the law enforcement have already exploited the existing vulnerability remains to be seen in the weeks/months ahead.
Tomi Engdahl says:
Hacker says hijacking libraries, stealing AWS keys was ethical research
https://www.bleepingcomputer.com/news/security/hacker-says-hijacking-libraries-stealing-aws-keys-was-ethical-research/
Yesterday, developers took notice of two hugely popular Python and PHP libraries, respectively, ‘ctx’ and ‘PHPass’ that had been hijacked, as first reported in the news by BleepingComputer.
Both of these legitimate open source projects had been altered to steal developers’ AWS credentials.
Considering ‘ctx’ and ‘PHPass’ have together garnered over 3 million downloads over their lifetimes, the incident sparked much panic and discussion among developers—now worried about the impact of the hijack on the overall software supply chain.
The hacker behind this hijack has now broken silence and explained his reasons to BleepingComputer. According to the hacker, rather “security researcher,” this was a bug bounty exercise and no malicious activity was intended.
PoC package stole AWS secret keys to show “maximum impact”
Today, the hacker of the widely used ‘ctx’ and ‘PHPass’ software projects has explained his rationale behind the hijack—that this was a proof-of-concept (PoC) bug bounty exercise with no “malicious activity” or harm intended.
In fact, the hijacker of these libraries is an Istanbul-based security researcher, Yunus Aydın aka SockPuppets, who has attested to the fact when approached by BleepingComputer.
He claims his rationale for stealing AWS tokens was to demonstrate the “maximum impact” of the exploit.
Claims of the widely used Python library ‘ctx’ being compromised first originated on Reddit when user jimtk noticed that the library, which had not been updated in 8 years, suddenly had new versions released.
Moreover, as BleepingComputer explained yesterday, these new versions of ‘ctx’ exfiltrated your environment variables and AWS secret keys to a mysterious Heroku endpoint.
Tomi Engdahl says:
Windows 11 KB5014019 breaks Trend Micro ransomware protection https://www.bleepingcomputer.com/news/security/windows-11-kb5014019-breaks-trend-micro-ransomware-protection/
This week’s Windows optional cumulative update previews have introduced a compatibility issue with some of Trend Micro’s security products that breaks some of their capabilities, including the ransomware protection feature.
Tomi Engdahl says:
Firefox, Thunderbird, receive patches for critical security issues https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/05/firefox-thunderbird-receive-patches-for-critical-security-issues/
Mozilla has published updates for two critical security issues in Firefox and Thunderbird, demonstrated during Pwn2Own Vancouver. The vulnerabilities, discovered in the Firefox JavaScript engine (shared by the Firefox-based Tor browser) relate to Firefox 100.0.2, Firefox for Android 100.3.0, and Firefox ESR 91.9.1. For users of Thunderbird, the vulnerability there is in relation to Thunderbird 91.9.91.
Tomi Engdahl says:
Fileless Malware: AveMariaRAT / BitRAT / PandoraHVNC Part II https://www.fortinet.com/blog/threat-research/phishing-campaign-delivering-fileless-malware-part-two
Fortinet’s FortiGuard Labs captured a phishing campaign that delivers three fileless malware onto a victim’s device. Once executed, they are able to control and steal sensitive information from that device to perform other actions according to the control commands from their server.
Tomi Engdahl says:
This Windows malware uses PowerShell to inject malicious extension into Chrome https://www.theregister.com/2022/05/27/chromeloader-malware-powershell/
A strain of Windows malware uses PowerShell to add a malicious extension to a victim’s Chrome browser for nefarious purposes. A macOS variant exists that uses Bash to achieve the same and also targets Safari.
Tomi Engdahl says:
Android apps with millions of downloads exposed to high-severity vulnerabilities https://www.microsoft.com/security/blog/2022/05/27/android-apps-with-millions-of-downloads-exposed-to-high-severity-vulnerabilities/
Microsoft uncovered high-severity vulnerabilities in a mobile framework owned by mce Systems and used by multiple large mobile service providers in pre-installed Android System apps that potentially exposed users to remote (albeit complex) or local attacks.
The vulnerabilities, which affected apps with millions of downloads, have been fixed by all involved parties. Coupled with the extensive system privileges that pre-installed apps have, these vulnerabilities could have been attack vectors for attackers to access system configuration and sensitive information.
Tomi Engdahl says:
BlackCat/ALPHV ransomware asks $5 million to unlock Austrian state https://www.bleepingcomputer.com/news/security/blackcat-alphv-ransomware-asks-5-million-to-unlock-austrian-state/
Austrian federal state Carinthia has been hit by the BlackCat ransomware gang, also known as ALPHV, who demanded $5 million to unlock the encrypted computer systems. The attack occurred on Tuesday and has caused severe operational disruption of government services, as thousands of workstations have allegedly been locked by the threat actor.
Tomi Engdahl says:
GitHub saved plaintext passwords of npm users in log files, post mortem reveals https://www.theregister.com/2022/05/27/github_publishes_a_post_mortem/
Unrelated to the OAuth token attack, but still troubling as org reveals details of around 100,000 users were grabbed by the baddies.
GitHub has revealed it stored a “number of plaintext user credentials for the npm registry” in internal logs following the integration of the JavaScript package registry into GitHub’s logging systems. The information came to light when the company today published the results of its investigation into April’s unrelated OAuth token theft attack, where it described how an attacker grabbed data including the details of approximately 100,000 npm users.
Tomi Engdahl says:
Cyber attacks have not increased in Finland since the NATO application was submitted
https://yle.fi/uutiset/3-12461321
Last week the National Cyber Security Centre received just under 40 malware reports. According to the centre, the number is not exceptional, and the cases reported in recent weeks have not shown any previously unseen characteristics. The situation has remained stable in recent weeks, and there are no notable fluctuations in the total number of reports received by the National Cyber Security Centre, says Sauli Pahlman, Director General of the National Cyber Security Centre, in an email reply to Yle.
Tomi Engdahl says:
US college VPN credentials for sale on Russian crime forums, FBI says https://arstechnica.com/information-technology/2022/05/us-college-vpn-credentials-for-sale-on-russian-crime-forums-fbi-says/
The FBI on Friday said that thousands of compromised credentials harvested from US college and university networks are circulating on online crime forums in Russia and elsewhere and could lead to breaches that install ransomware or steal data.
Tomi Engdahl says:
New Windows Subsystem for Linux malware steals browser auth cookies https://www.bleepingcomputer.com/news/security/new-windows-subsystem-for-linux-malware-steals-browser-auth-cookies/
Hackers are showing an increased interest in the Windows Subsystem for Linux (WSL) as an attack surface as they build new malware, the more advanced samples being suitable for espionage and downloading additional malicious modules.
Tomi Engdahl says:
Clop ransomware gang is back, hits 21 victims in a single month https://www.bleepingcomputer.com/news/security/clop-ransomware-gang-is-back-hits-21-victims-in-a-single-month/
After effectively shutting down their entire operation for several months, between November and February, the Clop ransomware is now back, according to NCC Group researchers. “CL0P had an explosive and unexpected return to the forefront of the ransomware threat landscape, jumping from the least active threat actor in March to the fourth most active in April,” NCC Group said. This surge in activity was noticed after the ransomware group added 21 new victims to their data leak site within a single month, in April.
Tomi Engdahl says:
This ransomware may surprise you: instead of a ransom, decryption requires something else entirely
https://www.tivi.fi/uutiset/tv/3884504c-074f-433c-9c51-353ecd84cb64
Security researchers at the security company CloudSEK have observed a piece of malware christened GoodWill, whose encryption can only be removed if the user takes part in charity. GoodWill’s encryption is promised to be lifted only if the victim is willing to help the less fortunate by providing blankets to the homeless or money to hospital patients. In total, the malware’s victim must perform three different acts of charity to obtain the decryption key, Neowin writes.
Tomi Engdahl says:
EnemyBot malware adds exploits for critical bugs in VMware, F5 BIG-IP https://www.bleepingcomputer.com/news/security/enemybot-malware-adds-exploits-for-critical-bugs-in-vmware-f5-big-ip/
EnemyBot, a botnet based on code from multiple malware pieces, is expanding its reach by quickly adding exploits for recently disclosed critical vulnerabilities in web servers, content management systems, IoT, and Android devices.
Tomi Engdahl says:
Exploit released for critical VMware auth bypass bug, patch now https://www.bleepingcomputer.com/news/security/exploit-released-for-critical-vmware-auth-bypass-bug-patch-now/
Proof-of-concept exploit code is now available online for a critical authentication bypass vulnerability in multiple VMware products that allows attackers to gain admin privileges. VMware released security updates to address the CVE-2022-22972 flaw affecting Workspace ONE Access, VMware Identity Manager (vIDM), or vRealize Automation. The company also shared temporary workarounds for admins who cannot patch vulnerable appliances immediately, requiring them to disable all users except one provisioned administrator.
Exploitation of VMware Vulnerability Imminent Following Release of PoC
https://www.securityweek.com/exploitation-vmware-vulnerability-imminent-following-release-poc
When VMware announced patches for a critical vulnerability on May 18, users were warned that exploitation in the wild would likely start soon, and now a proof-of-concept (PoC) exploit targeting the flaw has been made public.
The vulnerability, tracked as CVE-2022-22972, affects VMware Workspace ONE Access, Identity Manager and vRealize Automation. It allows a malicious actor who has network access to the UI to bypass authentication.
Shortly after VMware released patches, the US Cybersecurity and Infrastructure Security Agency (CISA) warned that threat actors would “quickly develop a capability to exploit CVE-2022-22972,” as well as CVE-2022-22973, a privilege escalation fixed with the same round of patches.
Penetration testing company Horizon3.ai on Thursday published a technical deep dive for CVE-2022-22972 and made public a PoC exploit. VMware has updated its initial advisory to inform customers about the availability of a PoC, which further increases the chances of exploitation.
Tomi Engdahl says:
Microsoft Finds Major Security Flaws in Pre-Installed Android Apps
https://www.securityweek.com/microsoft-finds-major-security-flaws-pre-installed-android-apps
Bug hunters at Microsoft are calling attention to several high-severity vulnerabilities in a mobile framework used in pre-installed Android System apps, warning that exploitation could have allowed the implantation of a persistent backdoor on Android devices.
According to an advisory released Friday by the Microsoft 365 Defender Research Team, a total of four documented vulnerabilities were found – and fixed – in a mobile framework owned by mce Systems, an Israeli company that provides software to mobile carriers.
“Coupled with the extensive system privileges that pre-installed apps have, these vulnerabilities could have been attack vectors for attackers to access system configuration and sensitive information,” Redmond warned.
As with many of the pre-installed or default applications that ship on Android devices, Microsoft’s bug hunters warned that some of the affected apps cannot be fully uninstalled or disabled without gaining root access to the device.
The researchers shared notes on the discovery of the four flaws – CVE-2021-42598, CVE-2021-42599, CVE-2021-42600, and CVE-2021-42601 – that expose millions of pre-loaded Android apps to malware attacks.
“All of the apps are available on the Google Play Store where they go through Google Play Protect’s automatic safety checks, but these checks previously did not scan for these types of issues,” Microsoft noted.
Tomi Engdahl says:
FBI: Higher Education Credentials Sold on Cybercrime Forums
https://www.securityweek.com/fbi-higher-education-credentials-sold-cybercrime-forums
The FBI issued an alert on Thursday to inform the higher education sector about the exposure of credentials that can allow threat actors to access user accounts or an organization’s network.
According to the FBI, cybercriminals have been selling usernames and passwords on various public and dark web forums.
The agency has provided three examples. One example, from January 2022, involves the sale of network and VPN access credentials belonging to US-based universities and colleges on Russian cybercrime forums. In some cases, the sellers were offering the information for thousands of dollars.
Tomi Engdahl says:
Hundreds Stranded After Ransomware Attack on Indian Airline
https://www.securityweek.com/hundreds-stranded-after-ransomware-attack-indian-airline
Hundreds of Indian air travellers were stranded inside their planes after the low-cost airline SpiceJet cancelled or delayed flights due to an “attempted ransomware attack”, the company has said.
Many angry passengers, some of whom were left waiting inside their planes for up to five hours earlier this week, complained about a lack of communication from the budget carrier.
“Certain SpiceJet systems faced an attempted ransomware attack last night that impacted our flight operations,” the airline said Wednesday on Twitter.
Tomi Engdahl says:
https://hackaday.com/2022/05/27/this-week-in-security-good-faith-easy-forgery-and-i18n/
Digital ID
In New South Wales, Australia, citizens can use digital driver’s licenses. This is done via the Service NSW app, available on Android and iOS. What could possibly go wrong? There is a glaring problem with this: it’s a terrible idea to voluntarily hand your phone to a law enforcement officer. That aside, the app generates the ID image on-the-fly from data stored on the device. On a jailbroken phone, this is trivial to modify, but on any other iPhone, one can manipulate the app’s data using a backup and restore. ServiceNSW encrypts this data… using a 4 digit numeric code. It’s trivial to manipulate the data stored on the phone, and therefore the ID presented. Bizarrely, after the initial pull, the app never verifies its data store against the official database. The app even includes a pull-to-refresh function that claims to update the ID data. This function updates the date, time, and QR code, but not the potentially spoofed data.
https://arstechnica.com/information-technology/2022/05/digital-drivers-license-used-by-4m-australians-is-a-snap-to-forge/
Tomi Engdahl says:
https://hackaday.com/2022/05/27/this-week-in-security-good-faith-easy-forgery-and-i18n/
Just Here For the i18ntranslation
Bonita is a business automation platform, mainly designed to let businesses put together workflows with minimal code. It’s a Java application, typically running on Tomcat, and distributed as a Docker image among other channels. That Docker image, with its over five million downloads, had a big problem. The web.xml file contains filter stanzas used for controlling how requests are handled. A pair of those filters were intended to match i18n (internationalization) files, and deliver those endpoints without any authorization checks. This makes sense, as it allows a user to change the interface language on the login page. It’s a naive filter, literally matching any URL containing i18ntranslation. So, any endpoint can be appended with ;i18ntranslation, and an unauthorized user has access. Whoops! The Docker image and other releases have been updated to fix the issue.
CVE-2022-25237: Bonitasoft Authorization Bypass and RCE
https://rhinosecuritylabs.com/application-security/cve-2022-25237-bonitasoft-authorization-bypass/
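As an added example (not Bonita’s code), the checks below contrast the naive substring filter described above with one that compares the path the servlet container actually routes on; the allowlisted path /bonita/API/system/i18ntranslation is assumed for illustration.

```python
# Added example, not Bonita's code: a substring "public endpoint" filter
# beside a hardened allowlist check that matches the canonical path.
# The public path below is assumed; every other /bonita/API path needs auth.
from urllib.parse import urlsplit

PUBLIC_PATHS = {"/bonita/API/system/i18ntranslation"}  # assumed allowlist


def naive_is_public(request_uri: str) -> bool:
    """Mirrors the flawed filter: any URI containing the token is public."""
    return "i18ntranslation" in request_uri


def canonical_path(request_uri: str) -> str:
    """Reduce a raw request URI to the path the container routes on.

    Tomcat drops ';name=value' path parameters from each segment and ignores
    the query string when it picks the servlet, so an authorization filter
    must compare that same canonical form, never the raw request string.
    """
    path = urlsplit(request_uri).path
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))


def hardened_is_public(request_uri: str) -> bool:
    """Exact allowlist match on the canonical path only."""
    return canonical_path(request_uri) in PUBLIC_PATHS


def authorize(request_uri: str, authenticated: bool,
              is_public=hardened_is_public) -> bool:
    """Allow the request if it targets a public path or the caller is logged in."""
    return is_public(request_uri) or authenticated


if __name__ == "__main__":
    probe = "/bonita/API/bpm/process;i18ntranslation"  # path parameter, not a path
    print("naive   :", authorize(probe, False, naive_is_public))  # True
    print("hardened:", authorize(probe, False))                   # False
```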
Tomi Engdahl says:
Zoom Fixed, Update!
https://hackaday.com/2022/05/27/this-week-in-security-good-faith-easy-forgery-and-i18n/
First, if you have Zoom installed, go check the version. If you’re older than 5.10.4, go trigger an update. And if you run Zoom on Linux, you’ll probably have to go download the installer again manually to update, though that makes things a bit safer in this case.
With that out of the way, let’s talk about the series of issues that could have allowed Remote Code Execution (RCE). Zoom does XMPP messaging, which is messages over XML. Zoom also sends control messages over this XML stream. The trick is that the server uses one library to validate those XML messages, and the client uses a different one, with different quirks. Sound familiar? Classic request smuggling material.
Critical Zoom vulnerabilities fixed last week required no user interaction
If your machine failed to get them automatically, you’re not alone.
https://arstechnica.com/information-technology/2022/05/critical-zoom-vulnerabilities-fixed-last-week-required-no-user-interaction/
Tomi Engdahl says:
Document Exploiting New Microsoft Office Zero-Day Seen in the Wild
https://www.securityweek.com/document-exploiting-new-microsoft-office-zero-day-seen-wild
Cybersecurity researchers have issued a warning after spotting what appears to be a new Microsoft Office zero-day vulnerability that may have been exploited in the wild.
On May 27, a researcher who uses the online moniker “nao_sec” reported on Twitter that they had found an interesting malicious document on the VirusTotal malware scanning service. The malicious Word file, uploaded from Belarus, is designed to execute arbitrary PowerShell code when opened.
The malware was later analyzed by several others, including researcher Kevin Beaumont, who published a blog post detailing his findings on Sunday.
“The document uses the Word remote template feature to retrieve a HTML file from a remote webserver, which in turn uses the ms-msdt MSProtocol URI scheme to load some code and execute some PowerShell,” Beaumont explained, adding, “That should not be possible.”
Roughly one-third of the vendors on VirusTotal detect the malicious document at the time of writing.
Beaumont and others — including Didier Stevens and NCC Group’s Rich Warren — have confirmed that the Follina zero-day exploit can be used to remotely execute arbitrary code on systems running various versions of Windows and Office. It has been tested against Office Pro Plus, Office 2013, Office 2016, and Office 2021.
Beaumont noted that the exploit does not appear to work against the latest Insider and Current versions of Office, which indicates that Microsoft may be working on patching the flaw, or some modifications need to be made to the exploit.
Interesting maldoc was submitted from Belarus. It uses Word’s external link to load the HTML and then uses the “ms-msdt” scheme to execute PowerShell code.
https://twitter.com/nao_sec/status/1530196847679401984
https://www.virustotal.com/gui/file/4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784/detection
Follina — a Microsoft Office code execution vulnerability
https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e
Two days ago, Nao_sec identified an odd looking Word document in the wild, uploaded from an IP address in Belarus.
The document uses the Word remote template feature to retrieve a HTML file from a remote webserver, which in turn uses the ms-msdt MSProtocol URI scheme to load some code and execute some PowerShell.
That should not be possible.
There’s a lot going on here, but the first problem is Microsoft Word is executing the code via msdt (a support tool) even if macros are disabled. Protected View does kick in, although if you change the document to RTF form, it runs without even opening the document (via the preview tab in Explorer) let alone Protected View.
I’m calling it Follina because the spotted sample on the file references 0438, which is the area code of Follina in Italy.
It’s a zero day allowing code execution in Office products. Historically, when there’s easy ways to execute code directly from Office, people use it to do bad things. This breaks the boundary of having macros disabled.
I’ve tested this on various rigs and it works more often than not.
However, with the Insider and Current versions of Office I can’t get this to work — which suggests Microsoft have either tried to harden something, or tried to fix this vulnerability without documenting it. This appears to have happened around May 2022.
The vulnerability still exists in Office 2013 and 2016 for me, other versions may apply.
In the real world, a lot of businesses are on older channels of Office 365 and ProPlus because of N-1 policies.
Didier Stevens demonstrates the exploit working on a patched version of Microsoft Office 2021
I’ve written a Defender for Endpoint query, which you can use if you’re rich and have E5. You can save this under “Custom detection rules” if you want Defender to alert you. Currently it fully misses detection at this stage.
Antivirus providers will probably start blocking these as malicious (they aren’t) but here’s a public PoC .docx.
Note that there are different ways to trigger this.
We’ll see. Microsoft are going to need to patch it across all the different product offerings, and security vendors will need robust detection and blocking.
Detection is probably not going to be great, as Word loads the malicious code from a remote template (webserver), so nothing in the Word document is actually malicious.
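As an added example (not Beaumont’s Defender for Endpoint query), the detector below runs over constructed process-creation events and flags the two signals the write-up above describes: an Office process spawning msdt.exe, and a command line carrying an ms-msdt: URI. The event layout, file paths and the EXAMPLE_PACK identifier are assumptions made for this example.

```python
# Added example (not Beaumont's Defender query): flag process-creation events
# where an Office process spawns msdt.exe, or where any process is launched
# with an ms-msdt: URI on its command line. Event tuples are constructed.
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
MSDT_URI = re.compile(r"ms-msdt:", re.IGNORECASE)

# Constructed sample events: (timestamp, parent image, image, command line).
SAMPLE_EVENTS = [
    # Word handing a remote template's ms-msdt: URI to msdt.exe (both signals)
    ("2022-05-30T09:01:12Z",
     r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     r"C:\Windows\System32\msdt.exe",
     "msdt.exe ms-msdt:/id EXAMPLE_PACK"),  # EXAMPLE_PACK is a placeholder
    # A user opening a troubleshooter from the shell: benign, no URI
    ("2022-05-30T09:01:13Z", r"C:\Windows\explorer.exe",
     r"C:\Windows\System32\msdt.exe", "msdt.exe /id PCWDiagnostic"),
    ("2022-05-30T09:02:40Z", r"C:\Windows\explorer.exe",
     r"C:\Windows\System32\notepad.exe", "notepad.exe"),
    # The RTF preview-pane path: parent is not Word (assumed explorer.exe
    # here), so only the command-line signal catches it
    ("2022-05-30T09:03:05Z", r"C:\Windows\explorer.exe",
     r"C:\Windows\System32\msdt.exe", "msdt.exe ms-msdt:/id EXAMPLE_PACK"),
]


def basename(image_path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return image_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the list of signals an event triggers (empty means benign)."""
    _ts, parent, image, cmdline = event
    signals = []
    if basename(image) == "msdt.exe" and basename(parent) in OFFICE_PARENTS:
        signals.append("office-spawned-msdt")
    if MSDT_URI.search(cmdline):
        signals.append("ms-msdt-uri")
    return signals


def detect(events):
    """Pair each alerting event's timestamp with the signals it tripped."""
    hits = []
    for event in events:
        signals = classify(event)
        if signals:
            hits.append((event[0], signals))
    return hits


if __name__ == "__main__":
    for ts, signals in detect(SAMPLE_EVENTS):
        print(ts, ", ".join(signals))
```

The parent-only rule misses the preview-pane case, which is why the command-line signal is kept as a second, independent check.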
Tomi Engdahl says:
Email scams may soon subside a little, as Interpol and the Nigerian police have made a significant arrest with the support of security company Palo Alto Networks. The Nigerian email scammer initially almost got away entirely, but was arrested again after returning to Nigeria.
Palo Alto Networks’ Unit 42 had classified the arrested Nigerian actor as part of the SilverTerrier malware group, one of the known global groups carrying out email scams.
The arrest was made possible by the intelligence and resources of Palo Alto Networks and other security-industry partners. It is connected to the earlier Operation Falcon II, in which a total of 11 Nigerian email scammers were arrested in January 2022.
A significant blow to Nigerian scams – Interpol struck in cooperation
https://www.uusiteknologia.fi/2022/05/30/merkittava-isku-nigerialaishuijauksiin/
Tomi Engdahl says:
Watch Out! Researchers Spot New Microsoft Office Zero-Day Exploit in the Wild https://thehackernews.com/2022/05/watch-out-researchers-spot-new.html
Cybersecurity researchers are calling attention to a zero-day flaw in Microsoft Office that could be abused to achieve arbitrary code execution on affected Windows systems. The vulnerability came to light after an independent cybersecurity research team known as nao_sec uncovered a Word document (“05-2022-0438.doc”) that was uploaded to VirusTotal from an IP address in Belarus.
Tomi Engdahl says:
If your phone shows this notification, do not under any circumstances answer yes https://www.is.fi/digitoday/tietoturva/art-2000008836398.html
Malware pushed to Android phones from websites is a common nuisance. Learn to recognise the situations in which someone is trying to sneak third-party apps onto your phone.
Tomi Engdahl says:
Serious vulnerabilities in the Abitti system made cheating in matriculation exams possible
https://www.tivi.fi/uutiset/tv/6734f0fd-fc40-4d62-871f-f92b70a5a949
Three serious vulnerabilities have been found in the Abitti system used in matriculation examinations and upper secondary school course exams.
According to Matti Lattu, product owner at the Matriculation Examination Board, the holes have enabled network attacks as well as cheating in matriculation exams.
Tomi Engdahl says:
Italy warns organizations to brace for incoming DDoS attacks https://www.bleepingcomputer.com/news/security/italy-warns-organizations-to-brace-for-incoming-ddos-attacks/
Italy’s Computer Security Incident Response Team (CSIRT) has issued an urgent alert to raise awareness about the high risk of cyberattacks against national entities on Monday. The type of cyberattack the Italian organization refers to is DDoS (distributed denial-of-service), which may not be catastrophic but can still cause damage, financial or otherwise, due to service outages and disruptions.
Tomi Engdahl says:
Expired Certificate Causes German Payment Meltdown
https://hackaday.com/2022/05/30/expired-certificate-causes-german-payment-meltdown/
For most Hackaday readers the process of buying groceries this weekend has been a relatively painless one, however we’re guessing some of our German friends will have found their cards unexpectedly declined. The reason? A popular model of payment card terminal, the Verifone H5000, has suffered what has been described as a “software malfunction”. So exactly what has happened? The answer is as simple as it is unfortunate: a security certificate for German transaction processing stored on the device has expired.
The full story exposes the flaws in assuming that a payment terminal is an appliance rather than a computer and its associated software that needs updating like any other. The H5000 is an old terminal that ceased production back in the last decade and has reached end-of-life, however it has remained in use and perhaps more seriously, remained in the supply chain to merchants buying a terminal. With updates requiring a site visit rather than an over-the-air upgrade, it’s likely that the effects of this mess could last a while.
Why are card payments getting rejected in Germany?
https://www.thelocal.de/20220527/why-are-card-payments-getting-rejected-in-germany/
People are currently unable to pay by card in a number of major German retailers. Here’s what’s going on.
Since Tuesday, numerous retailers in Germany have been operating under a cash-only policy after a major brand of card payments terminal stopped processing payments.
The problem was initially announced by the Konsum retail chain in Dresden, who wrote on Facebook on Tuesday morning: “Attention, an important notice for you! Due to a Germany-wide malfunction, card payments are currently not possible in our stores.”
According to the latest information from Focus Online, several branches of Netto, Edeka and a handful of Rewe branches are affected by the issues. There have also been reports of problems at Aldi Nord, Rossmann and DM as well as some smaller, independent retailers and petrol stations.
People who have tried to pay by credit card, debit card or EC card at these places have reportedly been turned away.
What’s going on?
The problems with card payments seem to be linked to a commonly used card payments terminal from US company Verifone. According to reports, H5000 card machines at multiple retailers and businesses experienced a software malfunction that stopped them processing payments.
“As things stand, it will be necessary to install new software updates on all H5000 terminals, which the manufacturer will provide as soon as possible,” the payment service provider Payone said.
https://twitter.com/jwildeboer/status/1530227390286290944?t=a8tMjoGGLW6fDnujWtpY4Q&s=03
One single type of payment terminal (the Verifone H5000), a rather old platform, officially announced End of Life 2018 with some sort of support until 2023, brought down big parts of card payment all over Germany as one of the embedded certificates expired unnoticed on Tuesday.
Tomi Engdahl says:
Hacker steals Verizon employee database after tricking worker into granting remote access https://www.bitdefender.com/blog/hotforsecurity/hacker-steals-verizon-employee-database-after-tricking-worker-into-granting-remote-access/
A database of contact information for hundreds of Verizon employees is in the hands of cybercriminals, after a member of staff was duped into granting a hacker access to their work PC. The revelation of a data breach comes from security journalist Lorenzo Franceschi-Bicchierai of Vice, who describes how an anonymous hacker contacted him earlier this month to brag about what they had achieved: “These employees are idiots and will allow you to connect to their PC under the guise that you are from internal support,” the hacker told Franceschi-Bicchierai in an online chat.
Tomi Engdahl says:
Patch Your WSO2: CVE-2022-29464 Exploited to Install Linux-Compatible Cobalt Strike Beacons, Other Malware https://www.trendmicro.com/en_us/research/22/e/patch-your-wso2-cve-2022-29464-exploited-to-install-linux-compatible-cobalt-strike-beacons-other-malware.html
CVE-2022-29464 has been exploited in the wild since April, allowing unrestricted file uploads resulting in arbitrary remote code execution (RCE). Disclosed and patched in April, the security gap was ranked Critical at 9.8 and affects a number of WSO2 products. It requires no user interaction or administrative privileges for abuse, and can be used to infiltrate networks when left unpatched.
Tomi Engdahl says:
ChromeLoader Browser Hijacker Provides Gateway to Bigger Threats https://threatpost.com/chromeloader-hijacker-threats/179761/
The malvertiser’s use of PowerShell could push it beyond its basic capabilities to spread ransomware, spyware or steal data from browser sessions, researchers warn.