Cyber security news June 2022

This posting is here to collect cyber security news in June 2022.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.

381 Comments

  1. Tomi Engdahl says:

    BlackCat Ransomware Gang Targeting Unpatched Microsoft Exchange Servers
    https://thehackernews.com/2022/06/blackcat-ransomware-gang-targeting.html?m=1
    Microsoft is warning that the BlackCat ransomware crew is leveraging exploits for unpatched Exchange server vulnerabilities to gain access to targeted networks. According to an alert released by the U.S. Federal Bureau of Investigation (FBI), BlackCat ransomware attacks have victimized at least 60 entities worldwide as of March 2022 since it was first spotted in November 2021.

  2. Tomi Engdahl says:

    MaliBot: A New Android Banking Trojan Spotted in the Wild
    https://thehackernews.com/2022/06/malibot-new-android-banking-trojan.html?m=1
    A new strain of Android malware has been spotted in the wild targeting online banking and cryptocurrency wallet customers in Spain and Italy, just weeks after a coordinated law enforcement operation dismantled FluBot. The information stealing trojan, codenamed MaliBot by F5 Labs, is as feature-rich as its counterparts, allowing it to steal credentials and cookies, bypass multi-factor authentication (MFA) codes, and abuse Android’s Accessibility Service to monitor the victim’s device screen. Also:
    https://www.zdnet.com/article/this-new-android-malware-bypasses-multi-factor-authentication-to-steal-your-passwords/#ftag=RSSbaffb68

  3. Tomi Engdahl says:

    This Linux botnet has found a novel way of spreading to new devices
    https://www.zdnet.com/article/this-linux-botnet-has-found-a-novel-way-of-spreading-to-new-devices/#ftag=RSSbaffb68
    Linux users need to watch out for a new peer-to-peer (P2P) botnet that spreads between networks using stolen SSH keys and runs its crypto-mining malware in a device’s memory. The Panchan P2P botnet was discovered by researchers at Akamai in March and the company is now warning it could be taking advantage of collaboration between academic institutions to spread by causing previously stolen SSH authentication keys to be shared across networks.

  4. Tomi Engdahl says:

    Police Linked to Hacking Campaign to Frame Indian Activists https://www.wired.com/story/modified-elephant-planted-evidence-hacking-police/
    Police forces around the world have increasingly used hacking tools to identify and track protesters, expose political dissidents’ secrets, and turn activists’ computers and phones into inescapable eavesdropping bugs. Now, new clues in a case in India connect law enforcement to a hacking campaign that used those tools to go an appalling step further: planting false incriminating files on targets’ computers that the same police then used as grounds to arrest and jail them.

  5. Tomi Engdahl says:

    CISA warning: Hackers are exploiting these 36 “significant” cybersecurity vulnerabilities – so patch now
    Flaws in Microsoft, Google, Adobe, Cisco, Netgear, QNAP and other products have been added to CISA’s known exploited vulnerabilities catalog.
    https://www.zdnet.com/article/cisa-warning-hackers-are-exploiting-these-36-significant-cybersecurity-vulnerabilities-so-patch-now/

  6. Tomi Engdahl says:

    Elasticsearch server with no password or encryption leaks a million records https://www.theregister.com/2022/06/16/storehub_data_leak/
    Researchers at security product recommendation service Safety Detectives claim they’ve found almost a million customer records wide open on an Elasticsearch server run by Malaysian point-of-sale software vendor StoreHub. Safety Detectives’ report states it found a StoreHub server that stored unencrypted data and was not password protected. The security company’s researchers were therefore able to waltz in and access 1.7 billion records describing the affairs of nearly a million people, in a trove totalling over a terabyte.

  7. Tomi Engdahl says:

    Volexity Blames ‘DriftingCloud’ APT For Sophos Firewall Zero-Day
    https://www.securityweek.com/volexity-blames-driftingcloud-apt-sophos-firewall-zero-day

    Big-game malware hunters at Volexity are shining the spotlight on a sophisticated Chinese APT caught recently exploiting a Sophos firewall zero-day to plant backdoors and launch man-in-the-middle attacks.

    The Sophos firewall vulnerability — tracked as CVE-2022-1040 — was patched in March this year but only after Volexity intercepted a sophisticated zero-day that exposed Sophos users to remote code execution attacks.

    “This particular attack leveraged a zero-day exploit to compromise the [victim company] firewall. Volexity observed the attacker implement an interesting webshell backdoor, create a secondary form of persistence, and ultimately launch attacks against the [victim's] staff,” Volexity said in a research report.

  8. Tomi Engdahl says:

    2,000 People Arrested Worldwide for Social Engineering Schemes
    https://www.securityweek.com/2000-people-arrested-worldwide-social-engineering-schemes

    Interpol announced on Wednesday that many individuals have been arrested and a significant amount of criminal assets have been seized as part of an international law enforcement operation targeting social engineering schemes.

    The operation, dubbed “First Light 2022,” involved law enforcement agencies in more than 70 countries, including China, Singapore, Papua New Guinea and Portugal.

    As part of this operation, which ran between March 8 and May 8, police raided more than 1,700 locations, identified roughly 3,000 suspects, and arrested 2,000 individuals believed to be involved in illicit activities.

    Authorities also froze approximately 4,000 bank accounts and intercepted $50 million worth of illegal funds.

  9. Tomi Engdahl says:

    Researchers Discover Way to Attack SharePoint and OneDrive Files With Ransomware
    https://www.securityweek.com/researchers-discover-way-attack-sharepoint-and-onedrive-files-ransomware

    Ransomware can attack data in the cloud and launch attacks on cloud infrastructure

    Researchers have discovered a functionality within Office 365 that could allow attackers to ransom files stored on SharePoint and OneDrive. On disclosure to Microsoft, the researchers were told the system ‘is working as intended’. That is, it’s a feature, not a flaw.

    It has long been considered that files stored and edited in the cloud are resilient to encryption extortion – the autosave and versioning features should provide sufficient backup capability.

    Researchers at Proofpoint have demonstrated that this is a false assumption. They report, “Our research focused on… SharePoint Online and OneDrive… and shows that ransomware actors can now target organizations’ data in the cloud and launch attacks on cloud infrastructure.”

  10. Tomi Engdahl says:

    Researchers Find Side-Channel Vulnerabilities in Analog to Digital Converters — So Design Their Own
    Designed to thwart power and electromagnetic domain side-channel attacks, these new ADCs could help secure future IoT sensors.
    https://www.hackster.io/news/researchers-find-side-channel-vulnerabilities-in-analog-to-digital-converters-so-design-their-own-e84996a53f56

  11. Tomi Engdahl says:

    Beware! Crafty bank scam changes its address: “New payee added”
    https://www.is.fi/digitoday/tietoturva/art-2000008892814.html
    The bank scam carried out in the name of S-Pankki that began this week continues.
    The cybercriminals have changed the address of the web page that people are directed to.

  12. Tomi Engdahl says:

    Russia’s attack made event organizers prepare for hybrid threats: the probability is not high, but the threat is possible https://yle.fi/uutiset/3-12499327?origin=rss
    Event organizers are more interested than before in hybrid threats directed at events. Preparing for hybrid influence operations has come to the fore especially since Russia started its war of aggression in Ukraine.
    Kalle Marttinen, vice chair of Tapahtumateollisuus ry, says that training on hybrid influence operations and their prevention is available to event organizers.

  13. Tomi Engdahl says:

    June Windows updates break Microsoft 365 sign-ins on Arm devices https://www.bleepingcomputer.com/news/microsoft/june-windows-updates-break-microsoft-365-sign-ins-on-arm-devices/
    Microsoft is investigating a new known issue causing Azure Active Directory and Microsoft 365 sign-in issues on Arm devices after deploying the June 2022 Windows updates. The company says in a new entry on the Windows release health dashboard that “you might be unable to sign in using Azure Active Directory (AAD)” on a Windows Arm-based device after installing updates released as part of this month’s Patch Tuesday.

  14. Tomi Engdahl says:

    Microsoft: June Windows updates may break Wi-Fi hotspots https://www.bleepingcomputer.com/news/microsoft/microsoft-june-windows-updates-may-break-wi-fi-hotspots/
    Microsoft is investigating a newly acknowledged issue causing connectivity issues when using Wi-Fi hotspots after deploying Windows updates released during the June 2022 Patch Tuesday. According to a new entry on the Windows release health dashboard, Windows devices where one of the June updates has been installed might be unable to use the Wi-Fi hotspot feature.

  15. Tomi Engdahl says:

    Researchers Uncover ‘Hermit’ Android Spyware Used in Kazakhstan, Syria, and Italy https://thehackernews.com/2022/06/researchers-uncover-hermit-android.html
    An enterprise-grade surveillanceware dubbed Hermit has been put to use by entities operating from within Kazakhstan, Syria, and Italy over the years since 2019, new research has revealed. Hermit is modular and comes with myriad capabilities that allow it to “exploit a rooted device, record audio and make and redirect phone calls, as well as collect data such as call logs, contacts, photos, device location and SMS messages,” Lookout researchers Justin Albrecht and Paul Shunk said in a new write-up. The spyware is believed to be distributed via SMS messages that trick users into installing what are seemingly innocuous apps from Samsung, Vivo, and Oppo, which, when opened, loads a website from the impersonated company while stealthily activating the kill chain in the background.

  16. Tomi Engdahl says:

    Interpol anti-fraud operation busts call centers behind business email scams https://www.theregister.com/2022/06/17/interpol_operation_first_light_fraud_scam/
    Law enforcement agencies around the world have arrested about 2,000 people and seized $50 million in a sweeping crackdown operation on social engineering and other scam operations around the globe. In the latest action in the ongoing “First Light”, an operation Interpol has coordinated annually since 2014, law enforcement officials from 76 countries raided 1,770 call centers suspected of running fraudulent operations such as telephone and romance scams, email deception scams, and financial crimes. Among the 2,000 people arrested in Operation First Light 2022 were call center operators and fraudsters, and money launderers. Interpol stated that the operation also saw 4,000 bank accounts frozen and 3,000 suspects identified.

  17. Tomi Engdahl says:

    QNAP warns of new DeadBolt ransomware attack locking up NAS devices https://www.bitdefender.com/blog/hotforsecurity/qnap-warns-of-new-deadbolt-ransomware-attack-locking-up-nas-devices/
    Owners of NAS drives manufactured by QNAP have been advised that the company is “thoroughly investigating” reports that a new variant of the DeadBolt ransomware is targeting devices, locking up data and demanding victims pay a fee to extortionists.

  18. Tomi Engdahl says:

    Security firm warns of ransomware attacks targeting Microsoft cloud ‘versioning’ feature https://therecord.media/security-firm-warns-of-ransomware-attacks-targeting-microsoft-cloud-versioning-feature/
    Researchers said they have discovered a way ransomware groups can encrypt files stored on Microsoft’s SharePoint and OneDrive applications that would make them “unrecoverable without dedicated backups or a decryption key from the attacker.” The attack centers on the “versioning” feature within SharePoint and OneDrive. SharePoint Online and OneDrive allow users to set the number of saved versions of every document library. Users do not need to be an administrator or have elevated privileges to do this.

  19. Tomi Engdahl says:

    Chinese APT groups targeting India, Pakistan and more with Sophos firewall vulnerability https://therecord.media/chinese-apt-groups-targeting-india-pakistan-and-more-with-sophos-firewall-vulnerability/
    Chinese state-sponsored hackers are targeting organizations and governments in Afghanistan, Bhutan, India, Nepal, Pakistan and Sri Lanka with a now-patched zero-day vulnerability in Sophos Firewall, according to several different cybersecurity companies.

  20. Tomi Engdahl says:

    Evidence suggests that a just-discovered APT has been active since 2013
    https://threatpost.com/apt-flew-under-radar-decade/179995/
    Researchers say one of the tactics and techniques of Aoqin Dragon includes using pornographic-themed malicious documents as bait to entice victims to download them. Researchers have identified a small yet potent China-linked APT that has flown under the radar for nearly a decade running campaigns against government, education and telecommunication organizations in Southeast Asia and Australia.
    Researchers from SentinelLabs said the APT, which they dubbed Aoqin Dragon, has been operating since at least 2013. The APT is “a small Chinese-speaking team with potential association to [an APT called] UNC94,” they reported.

  21. Tomi Engdahl says:

    Do you use Tori.fi or other online marketplaces? Beware of these messages https://www.is.fi/digitoday/tietoturva/art-2000008891797.html
    Scammers try to get the seller to agree to ship the item via a courier service and share a link to a genuine-looking service, where the seller is asked to enter bank or payment card details “in order to receive the payment”. Anyone who does so will find the crooks charging the card for as much as they manage to.

  22. Tomi Engdahl says:

    Malware that plagued Finns’ phones is getting a sequel: “Users must be on their guard”
    https://www.is.fi/digitoday/tietoturva/art-2000008892908.html
    The MaliBot malware, which attacks Android phones, has been observed around the world. F5 Labs, the security-focused unit of technology company F5, discovered and named MaliBot while tracking the notorious FluBot, and saw the new malware attack bank customers in Spain and Italy. The threat is not limited to them, however. MaliBot’s ability to steal login credentials and cookies and to bypass multi-factor authentication codes means that Android users all over the world must be on their guard, F5 Labs researcher Dor Nizar says in a blog post.

  23. Tomi Engdahl says:

    Over a Dozen Flaws Found in Siemens’ Industrial Network Management System https://thehackernews.com/2022/06/over-dozen-flaws-found-in-siemens.html
    Cybersecurity researchers have disclosed details about 15 security flaws in Siemens SINEC network management system (NMS), some of which could be chained by an attacker to achieve remote code execution on affected systems. The shortcomings in question, tracked from CVE-2021-33722 through CVE-2021-33736, were addressed by Siemens in version V1.0 SP2 Update 1 as part of updates shipped on October 12, 2021. “The most severe could allow an authenticated remote attacker to execute arbitrary code on the system, with system privileges, under certain conditions,” Siemens noted in an advisory at the time.

  24. Tomi Engdahl says:

    Atlassian Confluence Flaw Being Used to Deploy Ransomware and Crypto Miners https://thehackernews.com/2022/06/atlassian-confluence-flaw-being-used-to.html
    A recently patched critical security flaw in Atlassian Confluence Server and Data Center products is being actively weaponized in real-world attacks to drop cryptocurrency miners and ransomware payloads. In at least two of the Windows-related incidents observed by cybersecurity vendor Sophos, adversaries exploited the vulnerability to deliver Cerber ransomware and a crypto miner called z0miner on victim networks.

  25. Tomi Engdahl says:

    Cisco says it won’t fix zero-day RCE in end-of-life VPN routers https://www.bleepingcomputer.com/news/security/cisco-says-it-won-t-fix-zero-day-rce-in-end-of-life-vpn-routers/
    Cisco advises owners of end-of-life Small Business RV routers to upgrade to newer models after disclosing a remote code execution vulnerability that will not be patched. The vulnerability impacts four Small Business RV Series models, namely the RV110W Wireless-N VPN Firewall, the RV130 VPN Router, the RV130W Wireless-N Multifunction VPN Router, and the RV215W Wireless-N VPN Router. This vulnerability only affects devices with the web-based remote management interface enabled on WAN connections. While the remote management feature is not enabled in the default configuration, brief searches using Shodan found exposed devices.

  26. Tomi Engdahl says:

    Chinese Officials Are Weaponizing COVID Health Tracker to Block Protests https://www.vice.com/en/article/93a53v/china-covid-health-code-protest-henan
    Chinese bank depositors planning a protest about their frozen funds saw their health code mysteriously turn red and were stopped from traveling to the site of a rally, confirming fears that China’s vast COVID-tracking system could be weaponized as a powerful tool to stifle dissent. A red health code designated the would-be protesters as suspected or confirmed COVID-19 patients, limiting their movement and access to public transportation. Their rallies in the central Henan province this week were thwarted as some were forced into quarantine and others detained by police.

  27. Tomi Engdahl says:

    Wave of ‘Matanbuchus’ spam is infecting devices with Cobalt Strike https://www.bleepingcomputer.com/news/security/wave-of-matanbuchus-spam-is-infecting-devices-with-cobalt-strike/
    Security researchers have noticed a new malicious spam campaign that delivers the ‘Matanbuchus’ malware to drop Cobalt Strike beacons on compromised machines. Matanbuchus is a malware-as-a-service (MaaS) project first spotted in February 2021 in advertisements on the dark web promoting it as a $2,500 loader that launches executables directly into system memory.

  28. Tomi Engdahl says:

    Security companies angry at Microsoft: cloud service security was significantly compromised
    https://www.kauppalehti.fi/uutiset/tietoturvayhtiot-vihaisia-microsoftille-pilvipalvelun-turvallisuus-vaarantui-merkittavasti/d7192b5e-efd9-4712-9659-264d1f75ac55
    Security companies Orca Security and Tenable accuse Microsoft of needlessly endangering customers’ data and cloud environments.
    According to the companies, Microsoft is jeopardizing security by delaying the fixing of critical vulnerabilities in the Azure cloud service, writes The Register:
    https://www.theregister.com/2022/06/14/security_azure_patch/

  29. Tomi Engdahl says:

    QNAP NAS devices targeted by surge of eCh0raix ransomware attacks https://www.bleepingcomputer.com/news/security/qnap-nas-devices-targeted-by-surge-of-ech0raix-ransomware-attacks/
    This week, ech0raix ransomware has started targeting vulnerable QNAP Network Attached Storage (NAS) devices again, according to user reports and sample submissions on the ID Ransomware platform. ech0raix (also known as QNAPCrypt) had hit QNAP customers in multiple large-scale waves starting with the summer of 2019 when the attackers brute-forced their way into Internet-exposed NAS devices. A new surge of ech0raix attacks has now been confirmed by a quickly increasing number of ID Ransomware submissions and users reporting being hit in the BleepingComputer forums [1, 2], with the earliest hit recorded on June 8.

  30. Tomi Engdahl says:

    Volexity Blames ‘DriftingCloud’ APT For Sophos Firewall Zero-Day
    https://www.securityweek.com/volexity-blames-driftingcloud-apt-sophos-firewall-zero-day
    Big-game malware hunters at Volexity are shining the spotlight on a sophisticated Chinese APT caught recently exploiting a Sophos firewall zero-day to plant backdoors and launch man-in-the-middle attacks.

    The Sophos firewall vulnerability — tracked as CVE-2022-1040 — was patched in March this year but only after Volexity intercepted a sophisticated zero-day that exposed Sophos users to remote code execution attacks.

    “This particular attack leveraged a zero-day exploit to compromise the [victim company] firewall. Volexity observed the attacker implement an interesting webshell backdoor, create a secondary form of persistence, and ultimately launch attacks against the [victim's] staff,” Volexity said in a research report.

    “These attacks aimed to further breach cloud-hosted web servers hosting the organization’s public-facing websites. This type of attack is rare and difficult to detect,” the company said in a research note with technical details on the incident.

    https://www.volexity.com/blog/2022/06/15/driftingcloud-zero-day-sophos-firewall-exploitation-and-an-insidious-breach/
    https://www.sophos.com/en-us/security-advisories/sophos-sa-20220325-sfos-rce

  31. Tomi Engdahl says:

    ‘MaliBot’ Android Malware Steals Financial, Personal Information
    https://www.securityweek.com/malibot-android-malware-steals-financial-personal-information

    Researchers at F5 Labs have nabbed a new Android malware family capable of exfiltrating financial and personal information after taking control of infected devices.

    Dubbed MaliBot, the malware poses as a cryptocurrency mining application, but may also pretend to be a Chrome browser or another app. On infected devices, the threat focuses on harvesting financial information and stealing cryptocurrency and personally identifiable information (PII).

    The malware uses a VNC server implementation that allows it to control the infected devices, and was also designed to steal and bypass multi-factor authentication (MFA).

    According to F5 Labs, MaliBot’s command and control (C&C) is in Russia, using the same servers that were previously used to distribute the Sality malware. Since June 2020, the IP has been used to launch various other malicious campaigns.

    F5 Labs Investigates MaliBot
    https://www.f5.com/labs/articles/threat-intelligence/f5-labs-investigates-malibot

    While tracking the mobile banking trojan FluBot, F5 Labs recently discovered a new strain of Android malware which we have dubbed “MaliBot”. While its main targets are online banking customers in Spain and Italy, its ability to steal credentials, cookies, and bypass multi-factor authentication (MFA) codes, means that Android users all over the world must be vigilant. Some of MaliBot’s key characteristics include:

    MaliBot disguises itself as a cryptocurrency mining app named “Mining X” or “The CryptoApp”, and occasionally assumes some other guises, such as “MySocialSecurity” and “Chrome”
    MaliBot is focused on stealing financial information, credentials, crypto wallets, and personal data (PII), and also targets financial institutions in Italy and Spain
    Malibot is capable of stealing and bypassing multi-factor (2FA/MFA) codes
    It includes the ability to remotely control infected devices using a VNC server implementation

  32. Tomi Engdahl says:

    Costa Rica Chaos a Warning That Ransomware Threat Remains
    https://www.securityweek.com/costa-rica-chaos-warning-ransomware-threat-remains

    Teachers unable to get paychecks. Tax and customs systems paralyzed. Health officials unable to access medical records or track the spread of COVID-19. A country’s president declaring war against foreign hackers saying they want to overthrow the government.

    For two months now, Costa Rica has been reeling from unprecedented ransomware attacks disrupting everyday life in the Central American nation. It’s a situation raising questions about the United States’ role in protecting friendly nations from cyberattacks at a time when Russian-based criminal gangs are targeting less developed countries in ways that could have major global repercussions.

    “Today it’s Costa Rica. Tomorrow it could be the Panama Canal,” said Belisario Contreras, former manager of the cybersecurity program at the Organization of American States, referring to a major Central American shipping lane that carries a large amount of U.S. import and export traffic.

    Last year, cybercriminals launched ransomware attacks in the U.S. that forced the shutdown of an oil pipeline that supplies the East Coast, halted production of the world’s largest meat-processing company and compromised a major software-company that has thousands of customers around the world.

  33. Tomi Engdahl says:

    Exploited Vulnerability Patched in WordPress Plugin With Over 1 Million Installations
    https://www.securityweek.com/exploited-vulnerability-patched-wordpress-plugin-over-1-million-installations

    More than one million WordPress websites were potentially impacted by a critical Ninja Forms plugin vulnerability that appears to have been exploited in the wild.

    With over one million installations, the popular Ninja Forms plugin helps administrators add customizable forms to their WordPress sites.

    The exploited security issue, which was identified in the Merge Tag functionality of the plugin, does not have a CVE identifier yet, but it has a CVSS score of 9.8.

    “One feature of Ninja Forms is the ability to add ‘Merge Tags’ to forms that will auto-populate values from other areas of WordPress like Post IDs and logged in user’s names,” the Wordfence team at WordPress security company Defiant explains.

    Because of the bug, it was possible to call various Ninja Form classes and abuse them for “a wide range of exploits targeting vulnerable WordPress sites,” Wordfence researchers say.

    The researchers also note that the manner in which the NF_MergeTags_Other class handles Merge Tags makes it possible for unauthenticated attackers to supply Merge Tags.

    PSA: Critical Vulnerability Patched in Ninja Forms WordPress Plugin
    https://www.wordfence.com/blog/2022/06/psa-critical-vulnerability-patched-in-ninja-forms-wordpress-plugin/

    On June 16, 2022, the Wordfence Threat Intelligence team noticed a back-ported security update in Ninja Forms, a WordPress plugin with over one million active installations. As with all security updates in WordPress plugins and themes, our team analyzed the plugin to determine the exploitability and severity of the vulnerability that had been patched.

    We uncovered a code injection vulnerability that made it possible for unauthenticated attackers to call a limited number of methods in various Ninja Forms classes, including a method that unserialized user-supplied content, resulting in Object Injection. This could allow attackers to execute arbitrary code or delete arbitrary files on sites where a separate POP chain was present.

  34. Tomi Engdahl says:

    Details of Twice-Patched Windows RDP Vulnerability Disclosed
    https://www.securityweek.com/details-twice-patched-windows-rdp-vulnerability-disclosed

    Researchers at identity security firm CyberArk this week shared technical information on an RDP named pipe vulnerability in Windows for which Microsoft had to release two rounds of patches.

    Tracked as CVE-2022-21893, the issue was initially addressed on January 2022 Patch Tuesday, but an analysis of the fix revealed that a new attack vector had not been patched. On April 2022 Patch Tuesday, Microsoft resolved the bug as CVE-2022-24533.

    CVE-2022-21893, CyberArk explains, is a Windows Remote Desktop Services vulnerability that could allow an unprivileged user who accesses a machine via RDP to access the file system of client machines of other connected users.

    The issue would also allow the attacker to view and modify the data of other connected users, including clipboard contents, transferred files, and smart card PINs. An attacker could also impersonate other users logged on to the machine, and gain access to a victim’s redirected devices, including USB devices, hard drives, and more.

    “This could lead to data privacy issues, lateral movement and privilege escalation,” CyberArk notes.

  35. Tomi Engdahl says:

    Law Enforcement Dismantle Infrastructure of Russian ‘RSOCKS’ Botnet
    https://www.securityweek.com/law-enforcement-dismantle-infrastructure-russian-rsocks-botnet

    The United States on Thursday announced the takedown of a botnet operated by Russian cybercriminals that ensnared millions of devices worldwide.

    Dubbed “RSOCKS,” the botnet initially targeted Internet of Things (IoT) devices – including industrial control systems, routers, content streaming devices, and various smart devices – but later expanded to compromising Android devices and conventional computers as well.

    The purpose of the botnet was to abuse the IP addresses of the compromised devices to reroute internet traffic for paying customers, thus allowing them to hide their real IPs.

    Legitimate proxy services lease IP addresses from ISPs and then provide those IPs to their customers for a fee. The RSOCKS botnet offered access to the IP addresses of hacked devices without the permission or the knowledge of the owners.

    Miscreants could access a web-based “storefront” where they could rent access to proxies for a specific time period. The RSOCKS botnet’s operators asked for $30 per day for access to 2,000 proxies, but the price could go up to $200 per day for access to 90,000 proxies.

  36. Tomi Engdahl says:

    Staffing Firm Robert Half Says Hackers Targeted Over 1,000 Customer Accounts
    https://www.securityweek.com/staffing-firm-robert-half-says-hackers-targeted-over-1000-customer-accounts

    HR consulting firm Robert Half has started informing customers that their personal and financial information might have been compromised after hackers targeted their RobertHalf.com accounts.

    Information provided by the company to the Maine Attorney General shows that threat actors targeted Robert Half between April 26 and May 16. The incident, discovered on May 31, impacts 1,058 individuals.

    “We recently identified suspicious login activity on your RobertHalf.com account that occurred in late April/early May 2022. Upon detection, we required you to reset your account password, and we took steps to strengthen authentication controls for the website,” the company said in a cybersecurity incident notice sent to impacted individuals.

  37. Tomi Engdahl says:

    Up first is Pacman, a bypass for ARM’s Pointer Authentication Code. PAC is a protection built into certain ARM Processors, where a cryptographic hash value must be set correctly when pointers are updated. If the hash is not set correctly, the program simply crashes. The idea is that most exploits use pointer manipulation to achieve code execution, and correctly setting the PAC requires an explicit instruction call. The PAC is actually indicated in the unused bits of the pointer itself. The AArch64 architecture uses 64-bit values for addressing, but the address space is much less than 64-bit, usually 53 bits or less. This leaves 11 bits for the PAC value. Keep in mind that the application doesn’t hold the keys and doesn’t calculate this value. 11 bits may not seem like enough to make this secure, but keep in mind that every failed attempt crashes the program, and every application restart regenerates the keys.

    https://pacmanattack.com/

    What’s PACMAN?

    PACMAN is a novel hardware attack that can bypass Pointer Authentication (PAC) on the Apple M1 CPU. We present the following contributions:

    A new way of thinking about compounding threat models in the Spectre age.
    Reverse engineered details of the M1 memory hierarchy.
    A hardware attack to forge kernel PACs from userspace on M1.

    PACMAN is what you get when you mix a hardware mitigation for software attacks with microarchitectural side channels. We believe the core idea of PACMAN will be applicable to much more than just PAC.

    Reply
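    To make the numbers in the comment above concrete (53 address bits, 11 tag bits, a keyed value the program never computes itself, and a crash on every wrong tag), here is an added toy model of pointer signing and authentication. It is example code written for this post, not code from the Hackaday article or the PACMAN paper; it assumes the simplified 53/11 bit split quoted above and uses an HMAC as a stand-in for the hardware's keyed function, so only the structure, not the real instruction set, is modelled.

```python
"""Toy model of pointer authentication: a keyed tag in a pointer's unused top bits."""
import hashlib
import hmac
import os

ADDR_BITS = 53                      # usable address bits quoted in the post (assumption)
PAC_BITS = 64 - ADDR_BITS           # 11 bits left over for the tag
ADDR_MASK = (1 << ADDR_BITS) - 1
PAC_MASK = (1 << PAC_BITS) - 1


def generate_key() -> bytes:
    """Per-process key: regenerated at every restart, so guesses do not carry over."""
    return os.urandom(16)


def compute_pac(addr: int, modifier: int, key: bytes) -> int:
    """Keyed MAC of (address, modifier) truncated to PAC_BITS.

    The hardware uses its own block cipher; HMAC-SHA256 stands in here (assumption).
    The application never runs this itself, it only issues sign/authenticate operations.
    """
    msg = addr.to_bytes(8, "little") + modifier.to_bytes(8, "little")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:2], "little") & PAC_MASK


def sign_pointer(ptr: int, modifier: int, key: bytes) -> int:
    """Store the tag in the top bits, leaving the address bits untouched."""
    addr = ptr & ADDR_MASK
    return addr | (compute_pac(addr, modifier, key) << ADDR_BITS)


def authenticate_pointer(signed: int, modifier: int, key: bytes) -> int:
    """Return the plain address, or fail the way a real AUT+deref would crash."""
    addr = signed & ADDR_MASK
    tag = (signed >> ADDR_BITS) & PAC_MASK
    if tag != compute_pac(addr, modifier, key):
        raise PermissionError("pointer authentication failed")  # models the crash
    return addr


def tag_is_rejected(signed: int, modifier: int, key: bytes) -> bool:
    """True when authentication fails (i.e. the process would have died)."""
    try:
        authenticate_pointer(signed, modifier, key)
    except PermissionError:
        return True
    return False


def count_accepted_tags(addr: int, modifier: int, key: bytes) -> int:
    """Try every possible tag for one address: exactly one of 2**PAC_BITS passes,
    and in a real process each of the other 2047 attempts is a crash."""
    accepted = 0
    for tag in range(1 << PAC_BITS):
        candidate = (addr & ADDR_MASK) | (tag << ADDR_BITS)
        if not tag_is_rejected(candidate, modifier, key):
            accepted += 1
    return accepted


if __name__ == "__main__":
    key = generate_key()
    addr = 0x0000_1000_2000_3000          # constructed sample address
    signed = sign_pointer(addr, 0, key)
    print(f"signed pointer: {signed:#018x}, tag bits: {signed >> ADDR_BITS:#05x}")
    print("roundtrip ok:", authenticate_pointer(signed, 0, key) == addr)
    print("tags accepted out of", 1 << PAC_BITS, ":", count_accepted_tags(addr, 0, key))
```

    The `count_accepted_tags` loop is the point of the 11-bit discussion: the search space is tiny, but in software each miss terminates the process and a restart draws a fresh key, which is why the PACMAN work needs a side channel that reveals a wrong guess without ever taking the crash.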
  38. Tomi Engdahl says:

    https://hackaday.com/2022/06/17/this-week-in-security-pacman-hetzbleed-and-the-death-of-internet-explorer/

    PING

    The lowly ping command. How much can a single pair of packets tell us about a network and remote host? According to [HD Moore], quite a bit. For example, take the time given for a ping response, and calculate a distance based on 186 miles per millisecond. That’s the absolute maximum distance away that host is, though a quarter and half of that amount are reasonable lower and upper limits for a distance estimate. TTL very likely started at 64, 128, or 255, and you can take a really good guess at the hops encountered along the way. Oh, and if that response started at 64, it’s likely a Linux machine, 128 for Windows, and 255 usually indicates a BSD-derived OS.

    Receiving a “destination host unreachable” message is interesting in itself, and tells you about the router that should be able to reach the given IP. Then there’s the broadcast IP, which sends the message to every IP in the subnet. Using something like Wireshark for packet capture is enlightening here. The command itself may only show one response, even though multiple devices may have responded. Each of those responses has a MAC address that can be looked up to figure out the vendor. Another interesting trick is to spoof the source IP address of a ping packet, using a machine you control with a public IP address. Ping every device on the network, and many of them will send the response via their default gateway. You might find an Internet connection or VPN that isn’t supposed to be there. Who knew you could learn so much from the humble ping.

    One ping to find them: lean network discovery
    https://www.rumble.run/blog/lean-network-discovery-icmp/

    Playing with ping

    The standard “ping” utility is one of the most commonly used network troubleshooting tools. This utility sends an ICMP Echo Request to a specific address and reports any replies it receives. This protocol is simple: the sender creates an IP header, appends an ICMP header, sets the Type and Code fields, and then adds the Echo Request data, consisting of an identifier, sequence number, and some data to echo. Finally, this protocol is written to the network, often with an Ethernet header.

    In summary

    ICMP as a protocol is simple, but the amount of data that can be gleaned through a few creative packets is extensive. Systems that respond to ICMP Echo Requests are effectively providing a remote API: you give them a request, and depending on the configuration, they take various actions, which provides useful data. This “API” has limitations, including default rate limits, but it is available on nearly every networked device on the planet.

    Rumble uses ICMP responses for latency measurement, subnet identification, multihomed asset discovery, operating system fingerprinting, topology mapping, and more.

    Reply
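    The Rumble excerpt describes the Echo Request layout (type, code, identifier, sequence, echo data) and the Hackaday summary gives the TTL and 186-miles-per-millisecond heuristics. The following added example, written for this post rather than taken from Rumble or Hackaday, builds a request, computes the RFC 1071 checksum, and interprets a constructed IPv4/ICMP Echo Reply the way an inventory tool would: initial-TTL guess, hop count and distance bound. The sample reply bytes, addresses and RTT are constructed, and the TTL-to-OS table is just the three defaults the post names.

```python
"""Build an ICMP Echo Request and interpret a captured Echo Reply (TTL, RTT)."""
import struct

# Default initial TTLs and the OS families the post associates with them.
INITIAL_TTLS = {64: "Linux", 128: "Windows", 255: "BSD-derived"}
MILES_PER_MS = 186   # speed-of-light bound quoted in the post


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum over 16-bit words (also used for IPv4 headers)."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """Type 8 / Code 0, then identifier, sequence number and the data to echo."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    chk = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, chk, ident, seq) + payload


def build_constructed_reply(ident: int, seq: int, payload: bytes, ttl: int,
                            src: bytes = b"\xc0\xa8\x01\x0a",
                            dst: bytes = b"\xc0\xa8\x01\x64") -> bytes:
    """Constructed IPv4 + ICMP Echo Reply standing in for a packet capture."""
    icmp_hdr = struct.pack("!BBHHH", 0, 0, 0, ident, seq)
    icmp = struct.pack("!BBHHH", 0, 0, icmp_checksum(icmp_hdr + payload), ident, seq) + payload
    total_len = 20 + len(icmp)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1C3E, 0, ttl, 1, 0, src, dst)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", icmp_checksum(ip_hdr)) + ip_hdr[12:]
    return ip_hdr + icmp


def guess_initial_ttl(ttl: int):
    """Smallest common default TTL at or above the observed one; hops = difference."""
    for initial in sorted(INITIAL_TTLS):
        if ttl <= initial:
            return initial, initial - ttl, INITIAL_TTLS[initial]
    return None, None, "unknown"


def analyze_reply(packet: bytes, rtt_ms: float) -> dict:
    """Pull the fields an inventory tool cares about out of one captured reply."""
    if packet[0] >> 4 != 4 or packet[9] != 1:
        raise ValueError("not an IPv4 packet carrying ICMP")
    ihl = (packet[0] & 0x0F) * 4
    ttl = packet[8]
    icmp = packet[ihl:]
    itype, code, _chk, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    initial, hops, os_hint = guess_initial_ttl(ttl)
    max_miles = rtt_ms * MILES_PER_MS
    return {
        "type": itype, "code": code, "ident": ident, "seq": seq,
        "payload": icmp[8:],
        "checksum_ok": icmp_checksum(icmp) == 0,      # a valid packet sums to zero
        "ip_checksum_ok": icmp_checksum(packet[:ihl]) == 0,
        "ttl": ttl, "initial_ttl": initial, "hops": hops, "os_hint": os_hint,
        "max_miles": max_miles,
        "likely_miles": (max_miles / 4, max_miles / 2),  # the post's rough bounds
    }


if __name__ == "__main__":
    request = build_echo_request(0x1234, 1, b"hello")
    print("request:", request.hex())
    reply = build_constructed_reply(0x1234, 1, b"hello", ttl=57)   # 7 hops from a 64-TTL host
    for k, v in analyze_reply(reply, rtt_ms=20.0).items():
        print(f"{k:>15}: {v}")
```

    A reply with TTL 57 is read as an initial TTL of 64 minus 7 hops, so the guess is a Linux host seven routers away, and a 20 ms round trip caps the distance at 3720 miles under the post's heuristic. The checks only interpret a reply the host chose to send; the OS and hop figures are hints to be confirmed against an asset inventory, not facts.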
  39. Tomi Engdahl says:

    Paige Thompson developed a tool to identify misconfigured AWS accounts and stole customer data from Capital One and others.

    Former AWS engineer convicted over hack that cost Capital One $270m
    https://techmonitor.ai/technology/cybersecurity/capital-one-hack-aws-paige-thompson

    A former AWS engineer has been convicted of seven counts of fraud after the personal data of more than 100 million people was stolen from unsecured accounts on the cloud platform. The breach has so far cost US bank Capital One, one of the 30 institutions affected, more than $270m in compensation and regulatory fines.

    Paige Thompson was arrested in July 2019, after Capital One alerted the FBI to the breach. Prosecutors alleged that she had stolen personal data of more than 100 million of the company’s customers, including 140,000 Social Security numbers and 80,000 bank account numbers.

    Capital One, which is one of 30 institutions hacked by Thompson, was fined $80m by a US regulator in August 2020 over its failure to properly secure its customers’ data. Last month, it agreed to pay $190m to settle a class action law suit representing customers affected by the breach.

    “Thompson used a tool she built to scan Amazon Web Services accounts to look for misconfigured accounts,”

    Thompson, who was employed by AWS between 2015 and 2016, also used the breached accounts to mine for cryptocurrency, a practice known as cryptojacking, prosecutors said.

    How did the Capital One hack happen?
    Capital One received an anonymous tip-off of the breach in July 2019, alerting the company that data taken from an S3 storage bucket operated by the bank had been leaked on GitHub. The S3 bucket had “a firewall misconfiguration”, the US Department of Justice said at the time.

    Thompson will be sentenced in September.

    Misconfigured AWS instances have led to a number of high-profile data breaches. Earlier this month, researchers revealed that 6.5 terabytes of data belonging to Turkish airline Pegasus Airlines, including personal data on customers and employees, was exposed in an insecure AWS storage bucket. And in 2017, 100GB of data belonging to US Intelligence and Security Command was discovered in a misconfigured bucket.

    Anti-malware software provider Malwarebytes detected a 300% increase in ‘cryptojacking’ malware last year, as the price of cryptocurrencies – in particular, Monero – grew.

    Reply
  40. Tomi Engdahl says:

    The culprit behind a data breach that hurt over 100 million people is being identified: “She wanted data and money”
    https://www.tivi.fi/uutiset/tv/98ec63c8-1cf2-44c2-b65c-58cf1dccde77
    A jury in a Seattle court has convicted a woman who worked as a software engineer at Amazon over a massive data breach targeting the financial institution Capital One and other companies. In the 2019 breach, the personal data of more than 100 million people was stolen.

    Reply
  41. Tomi Engdahl says:

    A nuclear-weapon state published confidential security guidelines for its employees; the embarrassing document was leaked online right away
    https://www.tivi.fi/uutiset/tv/7535f0b3-721b-405e-a077-2c9ff374e836
    Last week the Indian government published confidential information security guidelines for 30 million government employees. The aim was to improve working practices, but the document was quickly leaked onto the government's own website, The Register reports. The document reveals that information security is at a fairly weak level in the country's public administration.
    The first pages explain how the increased use of ICT has raised the risk of attacks and other threats, because cybersecurity is not taken care of at the grassroots level. The security guidelines given to administration employees are otherwise very basic. Among other things, the guidelines remind staff that sensitive information must not be shared with outsiders over the phone or through other channels.

    Reply
  42. Tomi Engdahl says:

    Android-wiping BRATA malware is evolving into a persistent threat https://www.bleepingcomputer.com/news/security/android-wiping-brata-malware-is-evolving-into-a-persistent-threat/
    The threat actor behind BRATA banking trojan has evolved their tactics and improved the malware with information-stealing capabilities.
    Italian mobile security company Cleafy has been tracking BRATA activity and noticed in the most recent campaigns changes that lead to longer persistence on the device. “The modus operandi now fits into an Advanced Persistent Threat (APT) activity pattern,” explains Cleafy in a report this week.

    Reply
  43. Tomi Engdahl says:

    Microsoft 365 credentials targeted in new fake voicemail campaign https://www.bleepingcomputer.com/news/security/microsoft-365-credentials-targeted-in-new-fake-voicemail-campaign/
    A new phishing campaign has been targeting U.S. organizations in the military, security software, manufacturing supply chain, healthcare and pharmaceutical sectors to steal Microsoft Office 365 and Outlook credentials. The operation is ongoing and the threat actor behind it uses fake voicemail notifications to lure victims into opening a malicious HTML attachment.

    Reply
