This posting is here to collect cyber security news in August 2022.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
This posting is here to collect cyber security news in August 2022.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
542 Comments
Tomi Engdahl says:
On tämä noloa, etenkin pankille, jolta luulisi löytyvän ammattitaitoa turvallisuuspuolella.
Tomi Engdahl says:
Montenegro says Russian cyberattacks threaten key state functions https://www.bleepingcomputer.com/news/security/montenegro-says-russian-cyberattacks-threaten-key-state-functions/
Members of the government in Montenegro are stating that the country is being hit with sophisticated and persistent cyberattacks that threaten the country’s essential infrastructure.
Tomi Engdahl says:
Okta one-time MFA passcodes exposed in Twilio cyberattack https://www.bleepingcomputer.com/news/security/okta-one-time-mfa-passcodes-exposed-in-twilio-cyberattack/
The threat actor behind the Twilio hack used their access to steal one-time passwords (OTPs) delivered over SMS from customers of Okta identity and access management company.
Tomi Engdahl says:
Leading library services firm Baker & Taylor hit by ransomware https://www.bleepingcomputer.com/news/security/leading-library-services-firm-baker-and-taylor-hit-by-ransomware/
Baker & Taylor, which describes itself as the world’s largest distributor of books to libraries worldwide, today confirmed it’s still working on restoring systems after being hit by ransomware more than a week ago.
Tomi Engdahl says:
Check Point Research detects Crypto Miner malware disguised as Google translate desktop and other legitimate applications https://research.checkpoint.com/2022/check-point-research-detects-crypto-miner-malware-disguised-as-google-translate-desktop-and-other-legitimate-applications/
At the end of July 2022, Check Point Research (CPR) detected a previously undisclosed cryptomining campaign, called Nitrokod, which potentially infected thousands of machines worldwide. Lisäksi:
https://thehackernews.com/2022/08/nitrokod-crypto-miner-infected-over.html
Tomi Engdahl says:
US govt sues Kochava for selling sensitive geolocation data https://www.bleepingcomputer.com/news/security/us-govt-sues-kochava-for-selling-sensitive-geolocation-data/
The U.S. Federal Trade Commission (FTC) announced today that it filed a lawsuit against Idaho-based location data broker Kochava for selling sensitive and precise geolocation data (in meters) collected from hundreds of millions of mobile devices.
Tomi Engdahl says:
CISA Adds 10 New Known Actively Exploited Vulnerabilities to its Catalog https://thehackernews.com/2022/08/cisa-adds-10-new-known-actively.html
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added 10 new actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, including a high-severity security flaw affecting industrial automation software from Delta Electronics.
Tomi Engdahl says:
https://www.securityweek.com/elon-musk-subpoenas-twitter-whistleblower-ahead-trial
Tomi Engdahl says:
https://www.securityweek.com/ftc-accuses-data-broker-selling-sensitive-location-data
Federal regulators have sued a data broker they accuse of selling sensitive geolocation data from millions of mobile devices, information that can be used to identify people and track their movements to and from sensitive locations, including reproductive health clinics, homeless shelters and places of worship.
The Federal Trade Commission on Monday sued Idaho-based Kochava Inc. amid a charged debate over the privacy of individuals who may be seeking an abortion in the wake of the Supreme Court’s ruling in June ending the constitutional protections for abortion. Although it’s not the first case the FTC has brought against a data broker, experts say it is the first one involving health care data and referencing reproductive health clinics.
“This is potentially a big deal,” Jeff Chester, executive director of the Center for Digital Democracy, a privacy advocacy group, said of the FTC’s action. “They’ve placed a stake in the ground.”
Tomi Engdahl says:
Okta Impersonation Technique Could be Utilized by Attackers
https://www.securityweek.com/okta-impersonation-technique-could-be-utilized-attackers
Okta has a standard process that can be abused for nefarious purposes. The legitimate method for changing credential details within Okta (for example, if a person gets married and changes her last name and adopts a new email address) can be misused by an attacker to impersonate another existing user.
The potential has been explored by cloud identity firm Permiso. The initial incentive came from a Permiso customer who could see the possibility, but wished to know how a nefarious action could be detected.
The process itself is not simple to abuse, but not impossible. It requires the credentials of either an Okta super administrator or application administrator, and – if necessary – the ability to bypass any MFA deployd. Credentials can be phished or possibly bought off the web. MFA is often urged as a way of making life more difficult for attackers, but is sometimes bypassed by advanced attackers.
Tomi Engdahl says:
Okta Says Customer Data Compromised in Twilio Hack
https://www.securityweek.com/okta-says-customer-data-compromised-twilio-hack
Identity and access management provider Okta said last week that customer mobile phone numbers and SMS messages containing one-time passwords (OTPs) were compromised during the recent Twilio cyberattack.
In early August, enterprise communications firm Twilio announced that it was hacked after an employee fell victim to a phishing attack and provided their login credentials to a sophisticated threat actor.
The incident resulted in attackers accessing information related to 163 Twilio customers, with secure communications firm Signal and Okta already confirming being impacted by the incident.
Tomi Engdahl says:
https://hackaday.com/2022/08/29/genshin-security-impact/
Tomi Engdahl says:
RTLS Systems Found Vulnerable to MiTM Attacks and Location Tampering
https://thehackernews.com/2022/08/rtls-systems-found-vulnerable-to-mitm.html
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/cisa-prepare-now-for-quantum-computers-not-when-hackers-use-them/#.YwvM2bBKzNw.facebook
Tomi Engdahl says:
Ransomware abuses Genshin Impact’s kernel mode anti-cheat to bypass antivirus protection
By Jonathan Bolding published 4 days ago
Best part? You don’t need to have installed Genshin Impact.
https://www.pcgamer.com/ransomware-abuses-genshin-impacts-kernel-mode-anti-cheat-to-bypass-antivirus-protection/
Tomi Engdahl says:
the bug you can find with zero hacking skill and get U.S Department of Defence hall of fame
https://www.bugbounty.info/2022/03/the-bug-you-can-find-with-zero-hacking.html
Tomi Engdahl says:
Your mechanical keyboard isn’t just annoying, it’s also a security risk
By Jess Weatherbed last updated May 23, 2022
This website is all ears
https://www.techradar.com/news/your-mechanical-keyboard-isnt-just-annoying-its-also-a-security-risk
If noisy mechanical keyboards are the bane of your life at home or in the office then you may have just found the perfect excuse to stop your colleagues or loved one from smashing those keys so loudly – it turns out that hackers can tell almost exactly what you’re writing just by listening to you type.
Keytap3 is a software developed by Georgi Gerganov that can detect what keys are being pressed simply by listening at a close range with a half-decent microphone, with Gerganov demonstrating this using a mobile phone’s built-in microphone in an ‘acoustic eavesdropping’ test on their YouTube channel.
Tomi Engdahl says:
https://thehackernews.com/2022/08/cisa-adds-7-new-actively-exploited.html
Tomi Engdahl says:
https://albertpedersen.com/blog/hijacking-email-with-cloudflare-email-routing/
Tomi Engdahl says:
Announcing Google’s Open Source Software Vulnerability Rewards Program https://security.googleblog.com/2023/08/Announcing-Googles-Open-Source-Software-Vulnerability-Rewards-Program%20.html
Today, we are launching Google’s Open Source Software Vulnerability Rewards Program (OSS VRP) to reward discoveries of vulnerabilities in Google’s open source projects. As the maintainer of major projects such as Golang, Angular, and Fuchsia, Google is among the largest contributors and users of open source in the world.
Tomi Engdahl says:
JavaScript bugs aplenty in Node.js ecosystem found automatically https://nakedsecurity.sophos.com/2022/08/30/javascript-bugs-aplenty-in-node-js-ecosystem-found-automatically/
We’re going to cheat a little bit here by not digging into and explaining the core research presented by the authors of the paper (some mathematics, and knowledge of operational semantics notation is desirable when reading it), which is a method for the static analysis of source code that they call ODGEN, short for Object Dependence Graph Generator. Lisäksi:
https://www.usenix.org/conference/usenixsecurity22/presentation/li-song
Tomi Engdahl says:
Chinese hackers target Australian govt with ScanBox malware https://www.bleepingcomputer.com/news/security/chinese-hackers-target-australian-govt-with-scanbox-malware/
China-based threat actors have been targeting Australian government agencies and wind turbine fleets in the South China Sea by directing select individuals to a fake impersonating an Australian news media outlet. Lisäksi:
https://threatpost.com/watering-hole-attacks-push-scanbox-keylogger/180490/
Tomi Engdahl says:
Chrome extensions with 1.4 million installs steal browsing data https://www.bleepingcomputer.com/news/security/chrome-extensions-with-14-million-installs-steal-browsing-data/
Threat analysts at McAfee found five Google Chrome extensions that steal track users’ browsing activity. Collectively, the extensions have been downloaded more then 1.4 million times. The purpose of the malicious extensions is to monitor when users visit e-commerce website and to modify the visitor’s cookie to appear as if they came through a referrer link. For this, the authors of the extensions get an affiliate fee for any purchases at electronic shops.
Tomi Engdahl says:
Leading Russian streaming platform suffers data leak allegedly impacting 44 million users https://therecord.media/leading-russian-streaming-platform-suffers-data-leak-allegedly-impacting-44-million-users/
Russian streaming giant START said on Sunday that the personal information of its customers was leaked during a cyberattack.
Tomi Engdahl says:
Chinese Hackers Target Energy Firms in South China Sea
https://www.securityweek.com/chinese-hackers-target-energy-firms-south-china-sea
The Chinese APT known as TA423 (aka Red Ladon, APT40 and Leviathan) has been operating a cyberespionage campaign across Australia, Malaysia and Europe. The campaign has had three distinct phases – the latest from April 2022 to mid-June 2022. The primary targets have been Australian organizations and energy exploration in the South China Sea.
TA423 has been active since 2013, with previous targets including defense contractors, manufacturers, universities, government agencies, legal firms involved in diplomatic disputes, and foreign companies involved with Australasian policy or South China Sea operations. The focus is on areas of geopolitical interest to the Chinese government.
Tomi Engdahl says:
Zack Whittaker / TechCrunch:
A researcher says a Chinese database of up to 800M records was exposed for months, storing names, resident ID numbers, images of faces, license plates, and more
A huge Chinese database of faces and vehicle license plates spilled online
Another mass data lapse exposes new weaknesses in China’s sprawling surveillance state
https://techcrunch.com/2022/08/30/china-database-face-recognition/
A massive Chinese database storing millions of faces and vehicle license plates was left exposed on the internet for months before it quietly disappeared in August.
While its contents might seem unremarkable for China, where facial recognition is routine and state surveillance is ubiquitous, the sheer size of the exposed database is staggering. At its peak the database held over 800 million records, representing one of the biggest known data security lapses of the year by scale, second to a massive data leak of 1 billion records from a Shanghai police database in June. In both cases, the data was likely exposed inadvertently and as a result of human error.
The exposed data belongs to a tech company called Xinai Electronics based in Hangzhou on China’s east coast. The company builds systems for controlling access for people and vehicles to workplaces, schools, construction sites and parking garages across China. Its website touts its use of facial recognition for a range of purposes beyond building access, including personnel management, like payroll, monitoring employee attendance and performance, while its cloud-based vehicle license plate recognition system allows drivers to pay for parking in unattended garages that are managed by staff remotely.
Tomi Engdahl says:
https://hackaday.com/2022/08/29/genshin-security-impact/
An MMORPG with cute anime-style characters and maybe a bit too much inspiration taken from another classic Nintento franchise, Genshin Impact is a relatively popular game across the PlayStation, iOS, Android, and PC platforms. That last one has already generated a bit of controversy, since the PC version game includes an anti-cheat kernel driver that runs in the Windows kernel context, and on initial release that module kept running even after the game was closed.
That anti-cheat driver is back in the news, with Trend Micro discovering a ransomware campaign that includes mhyprot2.sys, the anti-cheat driver, as a component of the infection. The module is known to have vulnerabilities, and is still a signed kernel driver, so the malware campaign loads the driver and uses its functions to disable anti-malware protections.
Tomi Engdahl says:
https://thehackernews.com/2022/08/cisa-adds-10-new-known-actively.html?m=1
Tomi Engdahl says:
Mikko Hyppönen oikaisee yleisen harhaluulon salasanoista: ”Lopeta” https://www.is.fi/digitoday/tietoturva/art-2000009036343.html
Salasanojen säännöllinen vaihtaminen ei paranna turvallisuuttasi, kovan luokan tietoturva-ammattilainen vakuuttaa.
MAAILMAN johtaviin kyberasiantuntijoihin lukeutuva WithSecuren tutkimusjohtaja Mikko Hyppönen opettaa tärkeän läksyn salasanoista. Hyppönen piti Redditissä kysy mitä vaan -tuokion ja yksi kysyjä mietti, parantaako salasanojen säännöllinen vaihtaminen oikeasti turvallisuutta.
– Ei ja sinun pitäisi lopettaa sen tekeminen, Hyppönen kuittasi.
Hyppösen mukaan salasanan vaihtamiseen ei ylipäätään ole tarvetta, ellei salasana ole vuotanut tai on syytä epäillä niin tapahtuneen.
– Salasanan vaihtamiseen pakottaminen pelkän vaihtamisen vuoksi ei paranna tietoturvaa, se itse asiassa saa ihmiset luomaan helposti arvattavia salasanoja, Hyppönen huomauttaa.
Tomi Engdahl says:
Chromium browsers can write to the system clipboard without your permission https://www.malwarebytes.com/blog/news/2022/08/chromium-browsers-can-write-to-the-system-clipboard
If you are a user of Google Chrome or any other Chromium-based web browser, then websites may push anything they want to the operating system’s clipboard without your permission or any user interaction.
Tomi Engdahl says:
Vulnerability in TikTok Android app could lead to one-click account hijacking https://www.microsoft.com/security/blog/2022/08/31/vulnerability-in-tiktok-android-app-could-lead-to-one-click-account-hijacking/
Microsoft discovered a high-severity vulnerability in the TikTok Android application, which could have allowed attackers to compromise users’ accounts with a single click. Lisäksi:
https://www.bleepingcomputer.com/news/security/microsoft-found-tiktok-android-flaw-that-let-hackers-hijack-accounts/
Tomi Engdahl says:
Chrome patches 24 security holes, enables “Sanitizer” safety system https://nakedsecurity.sophos.com/2022/08/31/chrome-patches-24-security-holes-enables-sanitizer-safety-system/
Google’s latest Chrome browser, version 105, is out, though the full version number is annoyingly different depending on whether you are on Windows, Mac or Linux.
Tomi Engdahl says:
Hackers hide malware in James Webb telescope images https://www.bleepingcomputer.com/news/security/hackers-hide-malware-in-james-webb-telescope-images/
Threat analysts have spotted a new malware campaign dubbed GO#WEBBFUSCATOR’ that relies on phishing emails, malicious documents, and space images from the James Webb telescope to spread malware.
Lisäksi:
https://www.securonix.com/blog/golang-attack-campaign-gowebbfuscator-leverages-office-macros-and-james-webb-images-to-infect-systems/
Tomi Engdahl says:
Ragnar Locker ransomware claims attack on Portugal’s flag airline https://www.bleepingcomputer.com/news/security/ragnar-locker-ransomware-claims-attack-on-portugals-flag-airline/
The Ragnar Locker ransomware gang has claimed an attack on the flag carrier of Portugal, TAP Air Portugal, disclosed by the airline after its systems were hit on Thursday night.
Tomi Engdahl says:
Ukraine takes down cybercrime group hitting crypto fraud victims https://www.bleepingcomputer.com/news/security/ukraine-takes-down-cybercrime-group-hitting-crypto-fraud-victims/
The National Police of Ukraine (NPU) took down a network of call centers used by a cybercrime group focused on financial scams and targeting victims of cryptocurrency scams under the guise of helping them recover their stolen funds. Lisäksi:
https://www.npu.gov.ua/news/kiberzlochini/naczpolicziya-vikrila-merezhu-call-czentriv-figuranti-speczializuvalisya-na-finansovix-aferax/
Tomi Engdahl says:
Chile says gov’t agency struggling with ransomware attack https://therecord.media/chile-says-govt-agency-struggling-with-ransomware-attack/
Chile’s cybersecurity incident response team said an unnamed government agency is dealing with a ransomware attack that targeted the organization’s Microsoft tools and VMware ESXi servers.
Tomi Engdahl says:
Ransomware Gang Accessed Water Supplier’s Control System https://www.vice.com/en/article/4axaeq/ransomware-gang-accessed-water-suppliers-control-system
Now, security researchers who specialize in industrial control systems cybersecurity (ICS) and who have analyzed the data published by Cl0p think the gang could potentially have interfered with the systems of South Staff Water (SSW), a UK water supply provider.
Tomi Engdahl says:
iOS 12 Update for Older iPhones Patches Exploited Vulnerability
https://www.securityweek.com/ios-12-update-older-iphones-patches-exploited-vulnerability
Apple on Wednesday started shipping patches for older iPhone and iPad devices to address a recent, actively exploited vulnerability.
Tracked as CVE-2022-32893, the vulnerability impacts WebKit and it can be exploited to achieve arbitrary code execution when the user visits a malicious website.
“Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited,” Apple notes in an advisory.
The security flaw was resolved with the release of iOS 12.5.6, which is now rolling out to iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation).
The Cupertino-based company, which has credited an anonymous researcher for reporting the vulnerability, shipped the initial batch of patches for this zero-day roughly two weeks ago.
A second zero-day addressed at the time (with iOS 15.6.1, iPadOS 15.6.1, and macOS Monterey 12.5.1) could lead to arbitrary code execution with kernel privileges. Tracked as CVE-2022-32894, the bug does not impact iOS 12, Apple says.
Tomi Engdahl says:
1.4 Million Users Install Chrome Extensions That Inject Code Into eCommerce Sites
https://www.securityweek.com/14-million-users-install-chrome-extensions-inject-code-ecommerce-sites
ndpoint security company McAfee warns of five malicious Chrome extensions designed to track users’ browsing activity and inject code into ecommerce platforms.
With a total install base of over 1.4 million, the extensions can modify cookies on ecommerce websites so that their creator receives affiliate payments for the purchased items, without the victim’s knowledge.
The five malicious extensions help users watch Netflix shows together (Netflix Party and Netflix Party 2, with a combined install base of 1.1 million), enable them to track online prices and coupons (FlipShope – Price Tracker Extension and AutoBuy Flash Sales, with 100,000 installs), and capture screenshots (Full Page Screenshot Capture – Screenshotting, with 200,000 installs).
McAfee’s analysis of the extensions has revealed that the user tracking and code injection behavior resides in a script named ‘b0.js’, which contains many other functions as well.
The extensions subscribe to events triggered when the user accesses a new URL in a tab, so they can send tracking data to the creator’s server (at langhort.com), which checks if the user navigates to a site for which an affiliate ID exists.
Malicious Cookie Stuffing Chrome Extensions with 1.4 Million Users
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/malicious-cookie-stuffing-chrome-extensions-with-1-4-million-users/
Tomi Engdahl says:
WordPress 6.0.2 Patches Vulnerability That Could Impact Millions of Legacy Sites
https://www.securityweek.com/wordpress-602-patches-vulnerability-could-impact-millions-legacy-sites
The WordPress team this week announced the release of version 6.0.2 of the content management system (CMS), with patches for three security bugs, including a high-severity SQL injection vulnerability.
Identified in the WordPress Link functionality, previously known as ‘Bookmarks’, the issue only impacts older installations, as the capability is disabled by default on new installations.
However, the functionality might still be enabled on millions of legacy WordPress sites even if they are running newer versions of the CMS, the Wordfence team at WordPress security company Defiant says.
With a CVSS score of 8.0, the security flaw requires administrative privileges and is not easy to exploit in default configurations, but there might be plugins or themes that allow it to be triggered by users with lower privileges (such as editor-level and below), Wordfence says.
“Vulnerable versions of WordPress failed to successfully sanitize the limit argument of the link retrieval query in the get_bookmarks function, used to ensure that only a certain number of links were returned,” Wordfence explains.
WordPress Core 6.0.2 Security & Maintenance Release – What You Need to Know
https://www.wordfence.com/blog/2022/08/wordpress-core-6-0-2-security-maintenance-release-what-you-need-to-know/
Tomi Engdahl says:
Cybercriminals Apparently Involved in Russia-Linked Attack on Montenegro Government
https://www.securityweek.com/cybercriminals-apparently-involved-russia-linked-attack-montenegro-government
Montenegro has been targeted in a disruptive cyberattack blamed on Russian hackers, and a known ransomware group may have been involved.
The country’s Agency for National Security announced last week that government servers had been targeted in an ongoing attack that was described as massive and coordinated.
The attack targeted government systems and other critical infrastructure, and managed to cause some disruptions. The US embassy warned citizens residing in the country that the attack could disrupt transportation, public utilities and telecommunications.
Tomi Engdahl says:
Chrome 105 Patches Critical, High-Severity Vulnerabilities
https://www.securityweek.com/chrome-105-patches-critical-high-severity-vulnerabilities
Google this week announced the first stable release of Chrome 105, which comes with patches for 24 vulnerabilities, including 13 use-after-free and heap buffer overflow bugs.
Twenty-one of the resolved security defects were reported by external researchers, including one critical-, eight high-, nine medium-, and three low-severity vulnerabilities.
A total of nine use-after-free issues were resolved with the latest browser update, the most important of which is a critical flaw in the Network Service component, reported by Google Project Zero researcher Sergei Glazunov, the company notes in an advisory.
Chrome 105 also patches five high-severity use-after-free vulnerabilities, impacting browser components such as WebSQL, Layout, PhoneHub, and Browser Tag.
https://chromereleases.googleblog.com/2022/08/stable-channel-update-for-desktop_30.html