This posting is here to collect cyber security news in June 2022.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
This posting is here to collect cyber security news in June 2022.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
381 Comments
Tomi Engdahl says:
This co-worker does not exist: FBI warns of deepfakes interviewing for tech jobs
https://techcrunch.com/2022/06/28/this-coworker-does-not-exist-fbi-warns-of-deepfakes-interviewing-for-tech-jobs/
Tomi Engdahl says:
Clever phishing method bypasses MFA using Microsoft WebView2 apps
https://www.bleepingcomputer.com/news/security/clever-phishing-method-bypasses-mfa-using-microsoft-webview2-apps/
Tomi Engdahl says:
Nyt hakkerit pääsevät jopa porealtaaseen ja voivat säätää lämpötilaa etänä – Yksi onnistui nappaamaan kylpijöiden tiedot ympäri maailmaa
Antti Kailio23.6.202219:12TEOLLINEN INTERNET (IOT)TIETOTURVAIOTASUMINENTIETOTURVAVERKOT
Iot-laitteiden heikosta tietoturvasta on varoiteltu useaan otteeseen. Nyt siitä on saatu jälleen uusi esimerkki.
https://www.tekniikkatalous.fi/uutiset/nyt-hakkerit-paasevat-jopa-porealtaaseen-ja-voivat-saataa-lampotilaa-etana-yksi-onnistui-nappaamaan-kylpijoiden-tiedot-ympari-maailmaa/cc93498d-0231-4669-b5b5-acade8e46972#Echobox=1656153954
Tomi Engdahl says:
Researcher Hacks Into Backend for Network of Smart Jacuzzis
A security researcher discovered a security vulnerability in SmartTubs that gave them access to the personal information of anyone in the world who used the software.
https://www.vice.com/en/article/88q9b5/researcher-hacks-into-backend-for-network-of-smart-jacuzzis
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/fbi-stolen-pii-and-deepfakes-used-to-apply-for-remote-tech-jobs/
Tomi Engdahl says:
https://thehackernews.com/2022/06/zuorat-malware-hijacking-home-office.html
Tomi Engdahl says:
CISA Warns of Active Exploitation of ‘PwnKit’ Linux Vulnerability in the Wild
https://thehackernews.com/2022/06/cisa-warns-of-active-exploitation-of.html
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) this week moved to add a Linux vulnerability dubbed PwnKit to its Known Exploited Vulnerabilities Catalog, citing evidence of active exploitation.
The issue, tracked as CVE-2021-4034 (CVSS score: 7.8), came to light in January 2022 and concerns a case of local privilege escalation in polkit’s pkexec utility, which allows an authorized user to execute commands as another user.
Tomi Engdahl says:
Lawrence Abrams / BleepingComputer:
Firefox now offers a feature to strip some web tracking parameters from URLs, including HubSpot, Marketo, and Meta, following similar functionality in Brave
https://www.bleepingcomputer.com/news/security/new-firefox-privacy-feature-strips-urls-of-tracking-parameters/
Tomi Engdahl says:
Brendan Murray / Bloomberg:
Experts express concerns over hackers commandeering ship controls, including automated steering and propulsion systems, despite efforts to address the issues
Cyber Pirates Prowling Ship Controls Threaten Another Big Shock
https://www.bloomberg.com/news/articles/2022-06-28/cyber-pirates-prowling-ship-controls-threaten-another-big-shock
Coast Guard urges vigilance as ship systems probed ‘every day’
IMO guidelines haven’t done enough to protect against hacks
In February 2019, a large container ship sailing for New York identified a cyber intrusion on board that startled the US Coast Guard. Though the malware attack never controlled the vessel’s movement, authorities concluded that weak defenses exposed critical functions to “significant vulnerabilities.”
A maritime disaster didn’t happen that day, but a warning flare rose over an emerging threat to global trade: cyber piracy able to penetrate on-board technology that’s replacing old ways of steering, propulsion, navigation and other key operations. Such leaps in hacking capabilities could do enormous economic damage, particularly now, when supply chains are already stressed from the pandemic and the war in Ukraine, experts including a top Coast Guard official said.
“We’ve been lucky so far,” said Rick Tiene, vice president with Mission Secure Inc., a cybersecurity firm in Charlottesville, Virginia. “More and more incidents are happening, and the hackers are getting a better understanding what they can do once they’ve taken over an operational technology system. In the case of maritime — whether it be the ports or the vessels themselves — there is a tremendous amount that could be done to harm both the network and physical operations.”
Stress System
“A potential intentional attack could really stress the system and we’re certainly thinking about how to shore that up,” Arguin said in an interview. “When you couple that with the sensitivity of supply-chain disruptions, it does have the potential to be devastating to the marine transportation system.”
BlueVoyant, a New York-based cyber-defense platform that recently analyzed 20 well-known shipping companies, said some strides have been made since 2021, but “there are more cyber-defense actions the industry can take to make things more secure.” A wider survey into third-party cyber risks showed 93% of respondents acknowledged suffering direct breaches tied to supply-chain weaknesses, with the average number of intrusions rising to 3.7 last year from 2.7 in 2020, according to Lorri Janssen-Anessi, BlueVoyant’s director of external cyber assessments.
Hackers have hit major logistics operations several times already this year. Jawaharlal Nehru Port Trust, India’s busiest container port, suffered a ransomware attack in February. A targeted attack on Expeditors International of Washington Inc., a large freight-forwarding company, crippled its systems for about three weeks and led to $60 million in expenses. Blume Global Inc., a supply-chain tech company based in Pleasanton, California, said in early May that a cyber incident temporarily made its asset-management platform inaccessible.
The ocean shipping industry is the backbone of global goods trade but when it comes to cyber vulnerabilities, its broad reach is an Achilles heel. The biggest companies are playing catch-up and, after years of struggling to make money, now have the resources to invest in upgraded ship-to-shore technology.
Hapag-Lloyd AG, Germany’s largest shipping line, announced in April that it’ll become the first carrier to equip its entire fleet of containers with real-time tracking devices. Most of the large container lines use remote sensors for functions like monitoring engine performance, maintaining cooling systems or opening a pump valve. Electronic charts and collision-avoidance mapping can be updated on shore and shared remotely. Many new ships ordered during this period of peak profitability will be fitted with more online connectivity to land-based operations.
“Ships were quickly connected to the internet using satellite communications, but without all the other security controls needed to be safe and secure at sea,”said Ken Munro, a security specialist at Pen Test Partners, a cybersecurity company with clients in the maritime industry. “So now shipping operators are frantically trying to build these controls back in, but are struggling with decades-old equipment on board that can be really hard to secure.”
To help guard against the threats, the International Maritime Organization, a United Nations agency responsible for safety and security, issued guidelines that companies were supposed to adopt starting in 2021. Some analysts said those regulations haven’t had enough of the intended effect and led to a wide range of responses.
System Patchwork
“Some were very proactive and started doing the work long before the regulations,”
“On the other end of the spectrum, you had people who are aware and doing just the bare minimum just to get the certificate in their files.”
Even modern ships have a patchwork of systems from different manufacturers that have taken cybersecurity in varying degrees of seriousness, said Andy Jones, the former chief information security officer at A.P. Moller-Maersk A/S, the world’s No. 2 container carrier. “Some operators have taken this seriously, but with substantial fleets and ships that are probably over 30 years old, it is a very tall order.”
Jakob Larsen, a maritime security specialist with Bimco, one of the world’s biggest associations representing shipowners, defended the industry’s position on cyber protections as “relatively strong” and on par with other sectors. Though increased digitization brings “more and more of an attack surface,” he said instances where operational controls have been hacked are rare and technically difficult to pull off.
“This idea that someone can take over the control of a ship and do all sorts of things, while it might be technically possible for a really skilled hacker who has the time to do it, in reality it’s not really something that we’re seeing,” Larsen said. “Theoretically, yes in can happen and of course we have to constantly stay updated with our defenses and pay attention to new threats.”
‘Huge Underreporting’
Khanna said there’s a “huge underreporting” when ships get attacked and “the ones who say they haven’t been, just don’t know about it.”
Across industry and government, there’s agreement that there needs to be more information sharing.
For some observers, a wakeup call about the stakes involved came in March 2021, when the Ever Given — one of the world’s largest container ships — ran aground and blocked traffic in the Suez Canal for almost a week. The accident, blamed partly on strong winds, cut off much of Europe’s trade with Asia and threw supply chains off kilter for several weeks.
“The Suez incident made everybody realize that global supply chains are actually quite vulnerable,” Munro said. “Not that Suez was a hack — it wasn’t — but it so easily could’ve been.”
Tomi Engdahl says:
Russisk hackergruppe skal ha startet angrep mot Norge
https://www.nrk.no/norge/russisk-hackergruppe-skal-ha-startet-angrep-mot-norge-1.16020947
Flere store offentlige nettsider ble slått ut av det som trolig er et dataangrep fra en russisk hackergruppe.
Tomi Engdahl says:
Firefox 102 fixes address bar spoofing security hole (and helps with
Follina!)
https://nakedsecurity.sophos.com/2022/06/29/firefox-102-fixes-address-bar-spoofing-security-hole/
This month’s scheduled Firefox release is out, with the new 102.0 version patching 19 CVE-numbered bugs.
Tomi Engdahl says:
Microsoft Azure FabricScape bug let hackers hijack Linux clusters https://www.bleepingcomputer.com/news/security/microsoft-azure-fabricscape-bug-let-hackers-hijack-linux-clusters/
Microsoft has fixed a container escape bug dubbed FabricScape in the Service Fabric (SF) application hosting platform that let threat actors escalate privileges to root, gain control of the host node, and compromise the entire SF Linux cluster.
Tomi Engdahl says:
New YTStealer malware steals accounts from YouTube Creators https://www.bleepingcomputer.com/news/security/new-ytstealer-malware-steals-accounts-from-youtube-creators/
A new information-stealing malware named YTStealer is targeting YouTube content creators and attempting to steal their authentication tokens and hijack their channels.
Tomi Engdahl says:
Ukraine arrests cybercrime gang operating over 400 phishing sites https://www.bleepingcomputer.com/news/security/ukraine-arrests-cybercrime-gang-operating-over-400-phishing-sites/
The Ukrainian cyberpolice force arrested nine members of a criminal group that operated over 400 phishing websites crafted to appear like legitimate EU portals offering financial assistance to Ukrainians.
Tomi Engdahl says:
Amazon fixes high-severity vulnerability in Android Photos app https://www.bleepingcomputer.com/news/security/amazon-fixes-high-severity-vulnerability-in-android-photos-app/
Amazon has confirmed and fixed a vulnerability in its Photos app for Android, which has been downloaded over 50 million times on the Google Play Store.
Tomi Engdahl says:
Firefox 102 Patches 19 Vulnerabilities, Improves Privacy
https://www.securityweek.com/firefox-102-patches-19-vulnerabilities-improves-privacy
Mozilla this week announced the availability of Firefox 102 in the stable channel with patches for 19 vulnerabilities, including four high-severity bugs.
With the latest update, Mozilla has patched CVE-2022-34470, a high-severity use-after-free issue in nsSHistory that was triggered when navigating between XML documents, and which could lead to a potentially exploitable crash.
Use-after-free vulnerabilities can be exploited to achieve arbitrary code execution, data corruption, or denial of service, and could lead to full system compromise if combined with other flaws. Malicious websites can exploit these bugs to escape a browser’s sandbox.
CVE-2022-34468, another high-severity flaw addressed in Firefox 102, could allow for the bypass of a CSP sandbox header without `allow-scripts` by using a retargeted javascript: URI. Because of this issue, when a user clicks on a javascript: link, an iframe could run scripts without authorization.
The new Firefox release also resolves CVE-2022-34479, a Linux-specific issue that allows malicious websites to create popup windows that can be resized in such a manner that the address bar would be overlayed with web content, potentially leading to spoofing attacks.
Multiple memory safety bugs have been assigned CVE-2022-34484, including ones that “showed evidence of JavaScript prototype or memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.”
Tomi Engdahl says:
Rita Liao / TechCrunch:
OpenSea tells customers that an employee at email vendor Customer.io downloaded and sent email details to an external party, impacting almost all users — Opensea, the popular NFT marketplace that hit a colossal $13 billion valuation in January, is warning users of email phishing after a data breach.
NFT giant OpenSea reports major email data breach
https://techcrunch.com/2022/06/30/nft-opensea-data-breach/
OpenSea, the popular NFT marketplace that hit a colossal $13 billion valuation in January, is warning users of email phishing after a data breach.
A staff at Customer.io, an email vendor contracted by OpenSea, misused their employee access to download and share email addresses of OpenSea’s users and newsletter subscribers with an unauthorized external party, the world’s largest NFT marketplace said Wednesday night.
The scale of the security breach appears massive. “If you have shared your email with OpenSea in the past, you should assume you were impacted,” the company said, adding that it’s working with Customer.io in an ongoing investigation and has reported the incident to law enforcement.
More than 1.8 million users have made at least one purchase through the Ethereum network on OpenSea, according to data collected by Dune Analytics, an open-source crypto analytics platform.
Tomi Engdahl says:
https://www.newsweek.com/california-gun-owners-info-exposed-here-who-affected-1720335
Tomi Engdahl says:
Critical ManageEngine ADAudit Plus Vulnerability Allows Network Takeover, Mass Data Exfiltration: https://bit.ly/3uebYuM
Tomi Engdahl says:
“Package for you. Please scan the QR code”
https://www.kaspersky.com/blog/dhl-scam-with-qr-codes/44744/
Online shopping is now an established part of daily life: we get food, clothes and other goods delivered to our door in a couple of clicks.
Unsurprisingly, this is exploited by attackers who use fake delivery notifications as bait. One example of this is cybercriminals pretending to be the international express courier service, DHL.
However, instead of the usual phishing link, it’s a QR code that’s contained in the e-mail received that kicks off this kind of swindle.
How and why is the topic of this post.
Tomi Engdahl says:
Venäläishakkerit ottivat nyt kohteekseen Norjan tällainen on Killnet https://www.is.fi/digitoday/tietoturva/art-2000008916628.html
Venäläinen hakkeriryhmä teki keskiviikkona laajan iskun Norjaan.
Palvelunestohyökkäys kaatoi maan pankkien tunnistautumispalvelu BankID:n sekä Arbeitstilsynetin eli työturvallisuusviraston verkkosivut. Hyökkäyksen kohteeksi joutuivat myös julkishallinnon palveluportaali Altinn, Norjan poliisi sekä norjalaiset lehdet VG, Aftenposten ja Stavanger Aftenblad. Tekijäksi ilmoittautui venäläinen hakkeriryhmä Killnet, joka on tiettävästi usean Ukrainan sotaan liittyvän kyberhyökkäyksen takana. Viestipalvelu Telegramissa ryhmä uhkaili Naton norjalaista pääsihteeriä Jens Stoltenbergiä.
Tomi Engdahl says:
The SessionManager IIS backdoor
https://securelist.com/the-sessionmanager-iis-backdoor/106868/
Following on from our earlier Owowa discovery, we continued to hunt for more backdoors potentially set up as malicious modules within IIS, a popular web server edited by Microsoft. In 2021, we noticed a trend among several threat actors for deploying a backdoor within IIS after exploiting one of the ProxyLogon-type vulnerabilities within Microsoft Exchange servers. In early 2022, we investigated one such IIS
backdoor: SessionManager. In late April 2022, most of the samples we identified were still not flagged as malicious in a popular online file scanning service, and SessionManager was still deployed in over
20 organizations.
Tomi Engdahl says:
Järkeä älykotiin
https://www.tivi.fi/uutiset/tv/bbf54e5b-64b3-40c3-b04b-e83208f056d9
Yksi älykodin rakentajan ongelmista on ollut eri valmistajien laitteiden yhteensopivuuden puute. Kehitteillä oleva Matter-standardi lupaa tuoda järkeä sekasortoon. Sillä on hyvä mahdollisuus parantaa tilannetta, sillä kaikki isoimmat pelurit ovat mukana. Matter ei välttämättä lopulta näy käyttäjille muutoin kuin ehkä logona älyvalopaketin kyljessä merkkinä sertifioinnista. Matter on sovellustason kerros, joka rakentuu alkuvaiheessa wlanin ja ZigBeeta korvaavan Thread-verkon päälle ja määrittelee sen, miten laitteet viestivät keskenään.
Tomi Engdahl says:
Brocade Vulnerabilities Could Impact Storage Solutions of Several Major Companies
https://www.securityweek.com/brocade-vulnerabilities-could-impact-storage-solutions-several-major-companies
Broadcom revealed recently that some of the software provided by its storage networking subsidiary Brocade is affected by several vulnerabilities, and it seems possible that the flaws could impact the products of several major companies.
According to Broadcom, the Brocade SANnav storage area network (SAN) management application is affected by nine vulnerabilities. Patches have been made available for these security holes.
Six of them impact third-party components such as OpenSSL, Oracle Java and NGINX, and they have been rated “medium severity” or “low severity”. Exploitation of these flaws can allow an attacker — in many cases unauthenticated attacker — to manipulate data, decrypt data, and cause a denial of service (DoS) condition.
The remaining three vulnerabilities are specific to Brocade SANnav and they have been assigned a “high” severity and risk impact rating. They can allow an attacker to obtain switch and server passwords from log files, and intercept potentially sensitive information due to static key ciphers.
The security bugs (CVE-2022-28167, CVE-2022-28168 and CVE-2022-28166) were discovered internally and there is no evidence of exploitation in the wild.
However, the storage solutions of several companies that work with Brocade could be affected by these vulnerabilities.
In an advisory published this week, HPE informed customers that its B-Series SANnav Management Portal is affected by the flaws and advised them to install the latest updates.
HPESBST04329 rev.1 – HPE B-Series SANnav Management Portal, Multiple Vulnerabilities
https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbst04329en_us
Tomi Engdahl says:
https://www.securityweek.com/vulnerability-amazon-photos-android-app-exposed-user-information
Tomi Engdahl says:
https://www.securityweek.com/azure-service-fabric-vulnerability-can-lead-cluster-takeover
Tomi Engdahl says:
North Korea Lazarus Hackers Blamed for $100 Million Horizon Bridge Heist
https://www.securityweek.com/north-korea-lazarus-hackers-blamed-100-million-horizon-bridge-heist
The infamous North Korean Lazarus hacking group is the prime suspect in the $100 million hack of Harmony’s Horizon Bridge, according to new data and research from blockchain analytics firm Elliptic.
The multi-million compromise, confirmed by Harmony earlier this month, led to the theft of ETH, BNB, USDT, USDC and Dai from the Horizon cross-chain bridge and now there’s evidence linking the heist to Lazarus, a hacking outfit linked to the North Korean government.
Elliptic, a London-based blockchain analysis firm, says the hackers have started moving funds through Tornado Cash, a mixer typically used to hide cryptocurrency transaction trails.
“The Horizon Bridge hacker has so far sent 41% of the $100 million in stolen crypto assets into the Tornado Cash mixer,” Elliptic said on Friday. “[We used our] Tornado demixing capability to trace all of the stolen funds through Tornado and onwards to other wallets,” the company added.
Tomi Engdahl says:
Google Workspace Now Warns Admins of Sensitive Changes
https://www.securityweek.com/google-workspace-now-warns-admins-sensitive-changes
Google this week announced that new warnings added in the Google Workspace Alert Center will keep administrators notified of critical and sensitive configuration changes.
Previously known as G Suite, Google Workspace provides secure collaboration and productivity tools for enterprises of all sizes. Accessible from anywhere in Google Workspace, the Alert Center delivers real-time security alerts and insights, to help admins mitigate threats such as phishing and malware.
With the new alerts in place, admins will also receive notifications whenever select changes are made to their Google Workspace configurations.
Tomi Engdahl says:
SOHO Routers in North America and Europe Targeted With ‘ZuoRAT’ Malware
https://www.securityweek.com/soho-routers-north-america-and-europe-targeted-zuorat-malware
Tomi Engdahl says:
https://www.securityweek.com/brocade-vulnerabilities-could-impact-storage-solutions-several-major-companies
Tomi Engdahl says:
Sergiu Gatlan / BleepingComputer:
Kaspersky researchers discovered malware used in the wild since March 2021 to backdoor Microsoft Exchange servers of government and military orgs worldwide
https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-worldwide-backdoored-with-new-malware/