Cyber security news July 2022

This posting is here to collect cyber security news in July 2022.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.


  1. Tomi Engdahl says:

    Rakennusalan konsulttiyhtiö Vahaseen kohdistui kyberhyökkäys, asiakkaiden ja työntekijöiden tiedot voivat olla vaarassa
    Rakennus- ja kiinteistöalan yritys Vahanen kertoo, että yhtiön viime viikolla alkaneet laajat tietoverkko-ongelmat johtuvat kyberhyökkäyksestä. Yhtiön mukaan kyse on uudentyyppisestä kiristyshaittaohjelmasta. Hyökkäyksen yhtiön järjestelmät ja niissä oleva tieto on lukittu, eikä niihin pääse tällä hetkellä käsiksi, Vahanen tiedottaa. Yhtiön mukaan on mahdollista, että Vahasen nykyisten ja entisten työntekijöiden sekä asiakkaiden ja kumppanien
    projekti- ja henkilötietoja on päätynyt rikollisten haltuun.

  2. Tomi Engdahl says:

    Luna Moth: The Actors Behind the Recent False Subscription Scams
    Over the last few months, Sygnia’s Incident Response team has been methodically tracking the ‘Luna Moth’ ransom group. Their modus-operandi resembles scammers, with the twist of corporate data theft, leveraging the threat of publication to demand millions of dollars in ransom. With the rise in ransomware activity over the past years, the security industry has become used to hearing about double extortion, and even triple extortion attacks, and new crime groups of all kinds. In this blog post, we shed light on a relatively new threat actor which goes by the name of the Silent Ransom Group’ (or SRG’) and was dubbed ‘Luna Moth’ by Sygnia. By launching a phishing campaign with a wide coverage area, ‘Luna Moth’ infiltrates and compromises victim devices. These attacks can be categorized as data breach ransom attacks, in which the main focus of the group is to gain access to sensitive documents and information, and demand payment to withhold publication of the stolen data.

  3. Tomi Engdahl says:

    Exploiting Authentication in AWS IAM Authenticator for Kubernetes
    During my research on the AWS IAM Authenticator component, I found several flaws in the authentication process that could bypass the protection against replay attacks or allow an attacker to gain higher permissions in the cluster by impersonating other identities. In this blog post I will explain about three vulnerabilities detected in the AWS IAM Authenticator where all of them were caused by the same code line. Two of them have been there since the first commit (Oct 12,
    2017) and the third one that enabled impersonation was exploitable since Sept 2, 2020, release v0.5.2.

  4. Tomi Engdahl says:

    Hackers posing as Merkel target ECB’s Lagarde – German source
    Unidentified hackers attempted to trick European Central Bank President Christine Lagarde into letting them open a messaging app account in her name by posing as former German chancellor Angela Merkel, a German source said on Tuesday. A source familiar with the matter told Reuters hackers pretending to be Merkel messaged Lagarde asking her to disclose an authentication code that would have enabled them to open a WhatsApp account linked to the ECB chief’s phone number. There was no official confirmation of this. The plot was quickly foiled without any information being compromised, an ECB spokesperson said.

  5. Tomi Engdahl says:

    Hive ransomware decryption key released as gang evolves its tactics
    A decryption key for malware deployed by the ransomware gang Hive has been released in response to an uptick in activity from the gang in the past three months. Hive has also switched to a more complex coding language called Rust, which is harder to decrypt, making the key even more valuable. The decryption tool for version five of Hive’s malware has been released by a malware analyst and reverse engineer known publicly as reecDeep. The key can be found on Github and was created in order to try and quell recent mounting attacks by the gang.

  6. Tomi Engdahl says:

    ChromeLoader: New Stubborn Malware Campaign
    In January 2022, a new browser hijacker/adware campaign named ChromeLoader (also known as Choziosi Loader and ChromeBack) was discovered. Despite using simple malicious advertisements, the malware became widespread, potentially leaking data from thousands of users and organizations. Instead of more traditional malware like a Windows executable (.exe) or Dynamic Link Library (.dll), the malware authors used a browser extension as their final payload. The browser extension serves as adware and an infostealer, leaking all of the user’s search engine queries. We discovered significant changes and additions of capabilities throughout this campaign’s evolution, and we predict further changes as this campaign continues. In this article, we examine the technical details of this malware, focus on the evolution between its different versions and describe changes in its infection process. This article also reviews new variants that have not yet been publicly reported.

  7. Tomi Engdahl says:

    Uncovering a macOS App Sandbox escape vulnerability: A deep dive into
    Microsoft uncovered a vulnerability in macOS that could allow specially crafted codes to escape the App Sandbox and run unrestricted on the system. We shared these findings with Apple through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR) in October 2021. A fix for this vulnerability, now identified as CVE-2022-26706, was included in the security updates released by Apple on May 16, 2022. Microsoft shares the vulnerability disclosure credit with another researcher, Arsenii Kostromin (0x3c3e), who discovered a similar technique independently. We encourage macOS users to install these security updates as soon as possible. We also want to thank the Apple product security team for their responsiveness in fixing this issue.

  8. Tomi Engdahl says:

    PayPal phishing kit added to hacked WordPress sites for full ID theft
    A newly discovered phishing kit targeting PayPal users is trying to steal a large set of personal information from victims that includes government identification documents and photos. Over 400 million individuals and companies are using PayPal as an online payment solution. The kit is hosted on legitimate WordPress websites that have been hacked, which allows it to evade detection to a certain degree.

  9. Tomi Engdahl says:

    Clearview AI fined $20 million, banned from processing biometric data in Greece after GDPR violations
    Greece’s privacy authority has fined facial recognition company Clearview AI 20 million for violating parts of Europe’s General Data Protection Regulation (GDPR). The Hellenic Data Protection Authority
    (HDPA) released a 22-page decision demanding Clearview AI stop processing biometric data on individuals in Greece and said the company must delete all the data it has already amassed. The decision stems from a complaint filed by a number of privacy organizations including Homo Digitalis, Privacy International, Hermes Center, and noyb in May 2021 with authorities in Greece, the U.K., Italy, Austria and France. The complaint questioned Clearview AI’s practice of scrapping selfies and photos from public social media accounts and including it in its facial recognition database of some 10 billion facial images. The company sells its facial recognition tools to law enforcement agencies around the world and says it wants to reach 100 billion images in the coming years.

  10. Tomi Engdahl says:

    Amazon handed doorbell cam Ring data to US police 11 times so far in
    Amazon-owned home security company Ring turned over footage to US law enforcement without permission from the devices’ owners 11 times so far in 2022, according to details unveiled by Massachusetts senator Ed Markey. Despite Amazon policy that police cannot view recordings without owners’ explicit permission, that policy does not apply to subpoenas and emergency requests which is exactly what Amazon said happened in these 11 cases, although it seems the judge of what constitutes emergency request is left up to Ring itself.


Leave a Comment

Your email address will not be published. Required fields are marked *