This posting is here to collect cyber security news in September 2022.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
411 Comments
Emily Elizabeth says:
Cyber security is one of the most important things to keep up with today. It’s not just a matter of keeping your computer or smartphone secure, but also protecting yourself from being attacked by other people online. Cyber security is important to everyone. It’s not just a niche market or something that only affects companies with high-profile clients, like banks and government agencies. If you’re reading this article, there’s a good chance that cyber security has already affected your life in some way.
Tomi Engdahl says:
Uber Investigating Data Breach After Hacker Claims Extensive Compromise
https://www.securityweek.com/uber-investigating-data-breach-after-hacker-claims-extensive-compromise
Uber “responding to a cybersecurity incident” after hacker claims to have breached several systems
Uber has launched an investigation after a hacker claimed to have breached many of the ride sharing giant’s systems.
Uber has not shared any information, but it has confirmed that it’s responding to a cybersecurity incident. The company says law enforcement has been notified and it has promised to share updates on Twitter.
Tomi Engdahl says:
Serious Breach at Uber Spotlights Hacker Social Deception
https://www.securityweek.com/serious-breach-uber-spotlights-hacker-social-deception
The ride-hailing service Uber said Friday that all its services were operational following what security professionals are calling a major data breach, claiming there was no evidence the hacker got access to sensitive user data.
But the breach, apparently by a lone hacker, put the spotlight on an increasingly effective break-in routine involving social engineering: The hacker apparently gained access posing as a colleague, tricking an Uber employee into surrendering their credentials.
They were then able to locate passwords on the network that got them the level of privileged access reserved for system administrators.
The potential damage was serious: Screenshots the hacker shared with security researchers indicate they obtained full access to the cloud-based systems where Uber stores sensitive customer and financial data.
It is not known how much data the hacker stole or how long they were inside Uber’s network. Two researchers who communicated directly with the person — who self-identified as an 18-year-old to one of them — said they appeared interested in publicity. There was no indication they destroyed data.
But files shared with the researchers and posted widely on Twitter and other social media indicated the hacker was able to access Uber’s most crucial internal systems.
“It was really bad the access he had. It’s awful,” said Corben Leo, one of the researchers who chatted with the hacker online.
The cybersecurity community’s online reaction — Uber also suffered a serious 2016 breach — was harsh.
The hack “wasn’t sophisticated or complicated and clearly hinged on multiple big systemic security culture and engineering failures,” tweeted Lesley Carhart, incident response director of Dragos Inc., which specializes in industrial-control systems.
Leo said screenshots the hacker shared showed the intruder got access to systems stored on Amazon and Google cloud-based servers where Uber keeps source code, financial data and customer data such as driver’s licenses.
“If he had keys to the kingdom he could start stopping services. He could delete stuff. He could download customer data, change people’s passwords,” said Leo, a researcher and head of business development at the security company Zellic.
Screenshots the hacker shared — many of which found their way online — showed sensitive financial data and internal databases accessed. Also widely circulating online: The hacker announcing the breach Thursday on Uber’s internal Slack collaboration system.
Leo, along with Sam Curry, an engineer with Yuga Labs who also communicated with the hacker, said there was no indication that the hacker had done any damage or was interested in anything more than publicity.
“It’s pretty clear he’s a young hacker because he wants what 99% of what young hackers want, which is fame,” Leo said.
Curry said he spoke to several Uber employees Thursday who said they were “working to lock down everything internally” to restrict the hacker’s access. That included the San Francisco company’s Slack network, he said.
In a statement posted online Friday, Uber said “internal software tools that we took down as a precaution yesterday are coming back online.”
Tomi Engdahl says:
Water Tank Management System Used Worldwide Has Unpatched Security Hole
https://www.securityweek.com/water-tank-management-system-used-worldwide-has-unpatched-security-hole
A water tank management system used by organizations worldwide is affected by a critical vulnerability that can be exploited remotely and the vendor does not appear to want to patch it.
The affected product is made by the water and energy unit of Irish building materials company Kingspan. The Kingspan TMS300 CS water tank management system provides tank level information via a screen, web server, application, online portal or email. It features wired and wireless multi-tank level measurements, alarms, and internet or local network connectivity.
According to an advisory published this week by CISA, researcher Maxim Rupp discovered that the product is affected by a critical vulnerability caused by the lack of properly implemented access control rules, which allows an unauthenticated attacker to view or modify the device’s settings.
The researcher discovered that an attacker can access the device’s settings without authenticating, simply by navigating to specific URLs. These URLs can be identified by browsing the web interface or via a brute force attack, Rupp told SecurityWeek.
The flaw has been assigned the CVE identifier CVE-2022-2757 and a CVSS score of 9.8.
These devices can be configured to be accessible from the internet. An attacker can exploit the security hole from anywhere as long as they have access to the device’s web interface, Rupp explained.
Based on the product’s documentation, Rupp said an attacker could change various settings after exploiting this vulnerability, including ones related to sensors, tank details, and alarm thresholds.
According to CISA, the impacted product is used worldwide in the water and wastewater systems sector. The agency says the vulnerability remains unpatched.
“Kingspan has not responded to requests to work with CISA to mitigate these vulnerabilities. Users of the affected product are encouraged to contact Kingspan customer support for additional information,” CISA said.
Tomi Engdahl says:
Game Acceleration Module Vulnerability Exposes Netgear Routers to Attacks
https://www.securityweek.com/game-acceleration-module-vulnerability-exposes-netgear-routers-attacks
Multiple Netgear router models are vulnerable to arbitrary code execution via FunJSQ, a third-party module for online game acceleration, European security and compliance assessment company Onekey warns.
Integrated in various Netgear routers and Orbi WiFi systems, the gaming optimization module is developed by China-based Xiamen Xunwang Network Technology.
What Onekey has discovered is that the FunJSQ module has an insecure update process with only superficial checks of the update packages received from the server: packages are unsigned and are validated on the device using a hash checksum only.
The module lacks secure communication for the update process, allowing an attacker to tamper with data returned from the server, and package contents are extracted to the root folder with elevated privileges, thus allowing an attacker with control over the update package to overwrite anything on the device.
“All of these combined can lead to arbitrary code execution from the WAN interface,” Onekey notes.
Two CVE identifiers were issued for the discovered vulnerabilities, namely CVE-2022-40619 (unauthenticated command injection) and CVE-2022-40620 (insecure update mechanism).
Netgear was informed of the security holes in June and has released a first set of patches for the vulnerable devices this month.
Security Advisory for Vulnerabilities in FunJSQ on Some Routers and Orbi WiFi Systems, PSV-2022-0117
https://kb.netgear.com/000065132/Security-Advisory-for-Vulnerabilities-in-FunJSQ-on-Some-Routers-and-Orbi-WiFi-Systems-PSV-2022-0117
Tomi Engdahl says:
Security Advisory: NETGEAR Routers FunJSQ Vulnerabilities
https://onekey.com/blog/security-advisory-netgear-routers-funjsq-vulnerabilities/
When working on improving our component detection capabilities to provide more exhaustive automated Software Bill of Materials (SBOM) for IoT devices, we sometimes find ourselves facing “weird” third-party software components. Back in May 2022, we discovered FunJSQ, a third-party gaming speed-improvement service by China-based Xiamen Xunwang Network Technology Co., Ltd., present in the majority of NETGEAR firmware images in our corpus.
The plot thickened as we dug more into it and we ended up performing full-on vulnerability research against it. We identified multiple issues affecting this third-party component that could lead to arbitrary code execution from LAN and WAN interfaces. These issues are now fixed.
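The two FunJSQ write-ups above describe the same design failure from two angles: an update package validated only by a hash that arrives over the same unauthenticated channel as the package, then unpacked into the root filesystem with elevated privileges. The example below is added here and is not Onekey's or NETGEAR's code; it uses a hypothetical UpdateResponse type and constructed payload strings to show why a server-supplied checksum gives no authenticity, what a pinned-key signature check changes, and how extraction must refuse archive members that escape the target directory.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// UpdateResponse models what an update server returns: the package bytes
// plus whatever the client is given to decide whether to install it.
// (Hypothetical type for this example, not FunJSQ's real format.)
type UpdateResponse struct {
	Package  []byte
	Checksum string // hex SHA-256 of Package, as a hash-only scheme sends it
	Sig      []byte // Ed25519 signature over Package, as a signed scheme sends it
}

// ChecksumOnlyVerify is the weak pattern: the checksum travels with the
// package over the same unauthenticated channel, so whoever controls the
// response controls both and the check always passes.
func ChecksumOnlyVerify(r UpdateResponse) bool {
	sum := sha256.Sum256(r.Package)
	return hex.EncodeToString(sum[:]) == r.Checksum
}

// SignedVerify checks the package against a vendor public key pinned in the
// client (e.g. compiled into firmware). An on-path attacker can replace the
// package and any metadata, but cannot produce a signature under this key.
func SignedVerify(pinned ed25519.PublicKey, r UpdateResponse) bool {
	return ed25519.Verify(pinned, r.Package, r.Sig)
}

// SafeExtractPath resolves an archive member name under root and rejects
// absolute names and any name that would land outside root once cleaned,
// so an attacker-controlled archive cannot overwrite arbitrary files.
func SafeExtractPath(root, member string) (string, error) {
	if filepath.IsAbs(member) {
		return "", errors.New("absolute path in archive member")
	}
	dest := filepath.Join(root, member) // Join also cleans ".." segments
	rel, err := filepath.Rel(root, dest)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("member %q escapes extraction root", member)
	}
	return dest, nil
}

// MakeKeys generates an Ed25519 key pair. For the vendor, the private half
// stays in the signing service and only the public half ships to devices.
func MakeKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignedResponse builds the response a server sends for pkg, with the
// checksum a hash-only client wants and a signature under priv.
func SignedResponse(priv ed25519.PrivateKey, pkg []byte) UpdateResponse {
	sum := sha256.Sum256(pkg)
	return UpdateResponse{
		Package:  pkg,
		Checksum: hex.EncodeToString(sum[:]),
		Sig:      ed25519.Sign(priv, pkg),
	}
}

// TamperedResponse is what an on-path attacker substitutes: their own
// package, a freshly computed checksum that matches it, and a signature
// under a key they generated because they do not hold the vendor key.
func TamperedResponse(pkg []byte) UpdateResponse {
	_, attackerPriv := MakeKeys()
	return SignedResponse(attackerPriv, pkg)
}

func main() {
	vendorPub, vendorPriv := MakeKeys()
	genuine := SignedResponse(vendorPriv, []byte("constructed benign update payload"))
	forged := TamperedResponse([]byte("constructed malicious update payload"))

	fmt.Println("checksum-only accepts forged package:", ChecksumOnlyVerify(forged))       // true
	fmt.Println("signature check accepts forged package:", SignedVerify(vendorPub, forged)) // false
	fmt.Println("signature check accepts genuine package:", SignedVerify(vendorPub, genuine)) // true

	_, err := SafeExtractPath("/tmp/update", "../../etc/passwd")
	fmt.Println("traversal member rejected:", err != nil) // true
}
```

Transport security (TLS with a pinned or properly validated certificate) is still needed on top of this: the signature protects integrity and origin of the package, but without it an attacker can still serve an old, genuinely signed package with known bugs, so a signed version counter or timestamp belongs in the signed data as well.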
Tomi Engdahl says:
US Agencies Publish Security Guidance on Implementing Open RAN Architecture
https://www.securityweek.com/us-agencies-publish-security-guidance-implementing-open-ran-architecture
The Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have published guidance on implementing an Open Radio Access Network (RAN) architecture.
A general-purpose document titled Open Radio Access Network Security Considerations, the guidance is based on current knowledge and recommended practices and should apply to a variety of industries.
“Open RAN is the industry term for the evolution of traditional RAN architecture to open interoperable interfaces, virtualization, and big data and AI-enabled intelligence,” the document reads.
An Open RAN architecture, CISA and the NSA explain, opens the door to cloudification and virtualization, while promoting ‘increased competition, vendor diversity, and innovation’ by creating a multi-vendor ecosystem.
Open RAN can increase resiliency and flexibility in telecommunications networks through the adoption of ‘best-of-breed’ solutions from multiple vendors and also takes advantage of the security features of 5G, while offering increased transparency to help identify and address issues in real-time, the document notes.
“The deployment of Open RAN introduces new security considerations for mobile network operators (MNO). By nature, an open ecosystem that involves a disaggregated multi-vendor environment requires specific focus on changes to the threat surface area at the interfaces between technologies integrated via the architecture,” CISA and the NSA note.
https://www.cisa.gov/sites/default/files/publications/open-radio-access-network-security-considerations_508.pdf
Tomi Engdahl says:
https://www.securityweek.com/starbucks-singapore-says-customer-database-breached
Tomi Engdahl says:
Akamai Sees Europe’s Biggest DDoS Attack to Date
https://www.securityweek.com/akamai-sees-europes-biggest-ddos-attack-date
Akamai recently mitigated a distributed denial-of-service (DDoS) attack that set a new record for attacks targeting European organizations in terms of packets per second.
Identified and thwarted on September 12, the assault peaked at 704.8 million packets per second (Mpps) and represented the second record-setting DDoS attack targeting the same customer over the past three months.
In July, after being at the receiving end of 74 DDoS attacks, the organization was the target of a 659.6 Mpps DDoS assault. Since then, it was targeted with 201 other DDoS attacks, Akamai says.
While it was not the largest to date, the September DDoS assault did set a new record for DDoS attacks targeting European entities, the internet giant notes.
As part of the incident, attackers targeted over 1,800 IP addresses belonging to the same organization, distributed at 6 different locations.
Tomi Engdahl says:
Private data of thousands of social and health care workers slipped into an e-mail distribution in Kuopio, including salary data and social security numbers
https://yle.fi/uutiset/3-12628167
A wide-ranging data breach has occurred in the City of Kuopio's public health care. In early September, the private data of nearly three thousand employees ended up with several dozen other city employees. The leaked data includes personal identity codes and salary information. The breach concerns employees of basic social services and health care. They were informed of the matter today, Friday.
Tomi Engdahl says:
Uber was breached to its core, purportedly by an 18-year-old. Here's what's known https://arstechnica.com/information-technology/2022/09/uber-was-hacked-to-its-core-purportedly-by-an-18-year-old-here-are-the-basics/
Uber employees on Thursday discovered that huge swaths of their internal network had been accessed by someone who announced the feat on the company Slack channel. The intruder, who sent screenshots documenting the breach to The New York Times and security researchers, claimed to be 18 years old and was unusually forthcoming about how it occurred and just how far it reached, according to the news outlet, which broke the story. It didn't take long for independent researchers, including Bill Demirkapi, to confirm The New York Times coverage and conclude that the intruder likely gained initial access by contacting an Uber employee over WhatsApp. Also:
https://www.forbes.com/sites/daveywinder/2022/09/15/has-uber-been-hacked-company-investigates-cybersecurity-incident-as-law-enforcement-alerted/.
https://nakedsecurity.sophos.com/2022/09/16/uber-has-been-hacked-boasts-hacker-how-to-stop-it-happening-to-you/
Tomi Engdahl says:
Zero-Day Exploit Detection Using Machine Learning https://unit42.paloaltonetworks.com/injection-detection-machine-learning/
Code injection is an attack technique widely used by threat actors to launch arbitrary code execution on victim machines through vulnerable applications. In 2021, the Open Web Application Security Project (OWASP) ranked it as third in the top 10 web application security risks. Given the popularity of code injection in exploits, signatures with pattern matches are commonly used to identify the anomalies in network traffic (mostly URI path, header string, etc.). However, injections can happen in numerous forms, and a simple injection can easily evade a signature-based solution by adding extraneous strings.
Therefore, signature-based solutions will often fail on the variants of the proof of concept (PoC) of Common Vulnerabilities and Exposures (CVEs). In this blog, we explore how deep learning models can help provide more flexible coverage that is more robust to attempts by attackers to avoid traditional signatures.
Tomi Engdahl says:
Bitdefender releases free decryptor for LockerGoga ransomware https://www.bleepingcomputer.com/news/security/bitdefender-releases-free-decryptor-for-lockergoga-ransomware/
Romanian cybersecurity firm Bitdefender has released a free decryptor to help LockerGoga ransomware victims recover their files without paying a ransom. The free tool is available for download from Bitdefender’s servers and allows you to recover encrypted files using instructions in this usage guide. Bitdefender says the decryptor was developed in cooperation with law enforcement agencies, including Europol, the NoMoreRansom Project, the Zürich Public Prosecutor’s Office, and the Zürich Cantonal Police.
Tomi Engdahl says:
It’s Time to PuTTY! DPRK Job Opportunity Phishing via WhatsApp https://www.mandiant.com/resources/blog/dprk-whatsapp-phishing
In July 2022, during proactive threat hunting activities at a company in the media industry, Mandiant Managed Defense identified a novel spear phish methodology employed by the threat cluster tracked as UNC4034. Mandiant has identified several overlaps between this group and those we suspect have a North Korea nexus. UNC4034 established communication with the victim over WhatsApp and lured them to download a malicious ISO package regarding a fake job offering that led to the deployment of the AIRDRY.V2 backdoor through a trojanized instance of the PuTTY utility.
Tomi Engdahl says:
CISA orders agencies to patch vulnerability used in Stuxnet attacks https://www.bleepingcomputer.com/news/security/cisa-orders-agencies-to-patch-vulnerability-used-in-stuxnet-attacks/
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added half a dozen vulnerabilities to its catalog of Known Exploited Vulnerabilities and is ordering federal agencies to follow vendors' instructions to fix them. Of the six security flaws, only one was disclosed this year. It impacts Trend Micro's Apex One platform for automated threat detection and response.
https://www.cisa.gov/uscert/ncas/current-activity/2022/09/15/cisa-adds-six-known-exploited-vulnerabilities-catalog
Tomi Engdahl says:
Malvertising on Microsoft Edge’s News Feed pushes tech support scams https://www.malwarebytes.com/blog/threat-intelligence/2022/09/microsoft-edges-news-feed-pushes-tech-support-scam
While Google Chrome still dominates as the top browser, Microsoft Edge, which is based on the Chromium source code, is gradually gaining more users. Perhaps more importantly, it is the default browser on the Microsoft Windows platform and as such some segments of its user base are of particular interest to fraudsters. We have tracked and observed a malvertising campaign on the Microsoft Edge News Feed used to redirect victims to tech support scam pages. The scheme is simple and relies on threat actors inserting their advertisements on the Edge home page and trying to lure users with shocking or bizarre stories.
Tomi Engdahl says:
Canadian police investigating ransomware attack on Bell subsidiary after employee data stolen https://therecord.media/canadian-police-investigating-ransomware-attack-on-bell-subsidiary-after-employee-data-stolen/
Bell Technical Solutions, a subsidiary of multibillion-dollar telecommunications giant Bell Canada, announced a data breach after a ransomware group added the company to its leak site on Thursday. A Bell spokesperson told The Record that Bell Technical Solutions servers containing operational company and employee information were involved in a recent cyberattack. Bell Technical Solutions is in charge of installing Bell services like telephones, WiFi and cable for residential and small business customers in Ontario and Québec. An unknown number of customers who booked technician visits also had their names, addresses and phone numbers leaked during the incident.
Tomi Engdahl says:
Uber Claims No Sensitive Data Exposed in Latest Breach But There’s More to This https://thehackernews.com/2022/09/uber-claims-no-sensitive-data-exposed.html
Uber, in an update, said there is “no evidence” that users’ private information was compromised in a breach of its internal computer systems that was discovered late Thursday. “We have no evidence that the incident involved access to sensitive user data (like trip history),” the company said. “All of our services including Uber, Uber Eats, Uber Freight, and the Uber Driver app are operational.”. The ride-hailing company also said it’s brought back online all the internal software tools it took down previously as a precaution, reiterating it’s notified law enforcement of the matter. It’s not immediately clear if the incident resulted in the theft of any other information or how long the intruder was inside Uber’s network.
Tomi Engdahl says:
Emotet botnet now pushes Quantum and BlackCat ransomware https://www.bleepingcomputer.com/news/security/emotet-botnet-now-pushes-quantum-and-blackcat-ransomware/
While monitoring the Emotet botnet’s current activity, security researchers found that the Quantum and BlackCat ransomware gangs are now using the malware to deploy their payloads. This is an interesting development given that the Conti cybercrime syndicate was the one that previously used the botnet before shutting down in June. The Conti group was the one who orchestrated its comeback in November after an international law enforcement action took down Emotet’s infrastructure at the beginning of 2021. “The Emotet botnet (also known as SpmTools) has fueled major cybercriminal groups as an initial attack vector, or precursor, for numerous ongoing attacks,” security researchers at intelligence company AdvIntel said.
Tomi Engdahl says:
School app Seesaw compromised to send shock NSFW images https://www.malwarebytes.com/blog/news/2022/09/popular-learning-platform-seesaw-compromised-to-disperse-adult-media
On Wednesday, parents and teachers reported that student learning platform, Seesaw, had been hacked after some users received an infamous explicit photo known as “goatse” on private chats. Schools from districts in Colorado, Illinois, Kansas, Michigan, New York, Oklahoma, South Dakota, and Texas all experienced similar issues, and began to send out warnings.
Tomi Engdahl says:
How Belarusian hacktivists are using digital tools to fight back https://therecord.media/how-belarusian-hacktivists-are-using-digital-tools-to-fight-back/
When Belarusian activist Yuliana Shemetovets was offered a job as the spokesperson of the Belarusian Cyber Partisans hacktivist group, she didn't rush to accept it. "To be honest, I was scared," she told The Record. She had reasons to be. Belarus is an authoritarian state in which elections are openly rigged and civil liberties are severely restricted. The country is ruled by dictator Alexander Lukashenko, who has resorted to repression and corruption to stay in power for more than 30 years. Belarusian Cyber Partisans, meanwhile, are doing their part to overthrow Lukashenko by leaking government secrets and attacking the computer systems of enterprises that support the dictator's regime.
Tomi Engdahl says:
Hackers Had Access to LastPass’s Development Systems for Four Days https://thehackernews.com/2022/09/hackers-had-access-to-lastpasss.html
Password management solution LastPass shared more details pertaining to the security incident last month, disclosing that the threat actor had access to its systems for a four-day period in August 2022. “There is no evidence of any threat actor activity beyond the established timeline,” LastPass CEO Karim Toubba said in an update shared on September 15, adding, “there is no evidence that this incident involved any access to customer data or encrypted password vaults.”.
LastPass in late August revealed that a breach targeting its development environment resulted in the theft of some of its source code and technical information, although no further specifics were offered.
Tomi Engdahl says:
New York ambulance service discloses data breach after ransomware attack https://www.bleepingcomputer.com/news/security/new-york-ambulance-service-discloses-data-breach-after-ransomware-attack/
Empress EMS (Emergency Medical Services), a New York-based emergency response and ambulance service provider, has disclosed a data breach that exposed customer information. According to the notification, the company suffered a ransomware attack on July 14, 2022. An investigation into the incident revealed that the intruder had gained access to Empress EMS systems on May 26, 2022. About a month and a half later, on July 13, the hackers exfiltrated a small subset of files, a day before deploying the encryption. "Some of these files contained patient names, dates of service, insurance information, and in some instances, Social Security numbers," reads the disclosure from Empress EMS.
Tomi Engdahl says:
Online scams are increasingly carried out with Asian slave labour: victims of human trafficking pump out money in sweatshops https://www.tivi.fi/uutiset/tv/b8e0970e-ea95-4e6d-8c83-1e0286185dcb
Online scams are now increasingly carried out using victims of human trafficking as labour, writes the investigative journalism organisation ProPublica. Southeast Asia is the hub of both the scam operations and the human trafficking. Tens of thousands of people from China, Taiwan, Thailand and Vietnam have been lured with promising job advertisements to Cambodia, Laos and Myanmar, where Chinese crime syndicates run professional scam operations
Tomi Engdahl says:
Botched Crypto Mugging Lands Three U.K. Men in Jail https://krebsonsecurity.com/2022/09/botched-crypto-mugging-lands-three-u-k-men-in-jail/
Three men in the United Kingdom were arrested this month after police responding to an attempted break-in at a residence stopped their car as they fled the scene. The authorities found weapons and a police uniform in the trunk, and say the trio intended to assault a local man and force him to hand over virtual currencies. Shortly after 11 p.m.
Tomi Engdahl says:
Word Maldoc With CustomXML and Renamed VBAProject.bin
https://isc.sans.edu/diary/Word+Maldoc+With+CustomXML+and+Renamed+VBAProject.bin/29056
Friend and colleague 0xThiebaut just gave me a heads up for this interesting sample. This is what we get with oledump.py… As there seems to be quite a lot of VBA code, I use plugin plugin_vba_dco to give me a summary.
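The diary entry above is about a Word document whose VBA project is not stored under the usual vbaProject.bin name, which is exactly the case a scanner that keys on file names misses. The example below is added here and is not code from the ISC diary or from oledump.py; it builds a constructed, minimal docx-like zip in memory with an OLE blob parked under word/media/image1.bin, then finds it by content (the 8-byte OLE compound file magic) rather than by name.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"io"
	"strings"
)

// oleMagic is the 8-byte header of every OLE compound file, the container
// format a VBA project (vbaProject.bin) is stored in, whatever it is named.
var oleMagic = []byte{0xD0, 0xCF, 0x11, 0xE0, 0xA1, 0xB1, 0x1A, 0xE1}

// OLEHit records one zip member whose content is an OLE compound file.
type OLEHit struct {
	Name    string
	Renamed bool // the member is not stored under the conventional name
}

// FindOLEParts walks every member of an OOXML package (docx/xlsx/pptx) and
// returns those that start with the OLE magic, so a VBA project is found
// by content even when it has been renamed or parked in an odd folder.
func FindOLEParts(doc []byte) ([]OLEHit, error) {
	zr, err := zip.NewReader(bytes.NewReader(doc), int64(len(doc)))
	if err != nil {
		return nil, err
	}
	var hits []OLEHit
	for _, f := range zr.File {
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		head := make([]byte, len(oleMagic))
		n, _ := io.ReadFull(rc, head) // members shorter than 8 bytes simply fail the compare
		rc.Close()
		if n == len(oleMagic) && bytes.Equal(head, oleMagic) {
			hits = append(hits, OLEHit{
				Name:    f.Name,
				Renamed: !strings.HasSuffix(strings.ToLower(f.Name), "/vbaproject.bin"),
			})
		}
	}
	return hits, nil
}

// BuildSampleDocx constructs, in memory, a minimal docx-like package for
// demonstration only: ordinary XML parts, a customXml part, and an OLE
// blob stored under a name that does not say "vbaProject.bin".
func BuildSampleDocx() []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	parts := []struct {
		name string
		data []byte
	}{
		{"[Content_Types].xml", []byte(`<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>`)},
		{"word/document.xml", []byte(`<w:document/>`)},
		{"customXml/item1.xml", []byte(`<root/>`)},
		{"word/media/image1.bin", append(append([]byte{}, oleMagic...), []byte("constructed fake OLE body")...)},
	}
	for _, p := range parts {
		w, err := zw.Create(p.name)
		if err != nil {
			panic(err)
		}
		if _, err := w.Write(p.data); err != nil {
			panic(err)
		}
	}
	if err := zw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	hits, err := FindOLEParts(BuildSampleDocx())
	if err != nil {
		panic(err)
	}
	for _, h := range hits {
		fmt.Printf("OLE container at %s (renamed: %v)\n", h.Name, h.Renamed)
	}
}
```

Once a hit is found, the member can be handed to oledump.py (or an equivalent OLE parser) to list its streams and extract the VBA; the point of the scan is only to make sure the file reaches that stage regardless of what it is called or which relationship references it.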
Tomi Engdahl says:
Windows Log system vulnerability
A vulnerability so bad was found in Windows that even the out-of-support Windows 7 gets a fix; newer versions are also affected | Mikrobitti
https://www.mikrobitti.fi/uutiset/windowsista-loytyi-niin-paha-haavoittuvuus-etta-jopa-tuen-ulkopuolelle-tipahtanut-windows-7-saa-korjauksen-koskee-myos-uudempia-versioita/d27e3587-1047-4a83-acc0-4a878b535f91
Microsoft has announced that it will release an update that patches a previously unknown zero-day vulnerability.
According to TechCrunch, the update will be released for all Windows systems, i.e. Windows 11, 10 and 8/8.1 will all be updated. The update will also be released for Windows Server systems all the way back to Windows Server 2008.
Vulnerability CVE-2022-37969 is a bug that lets an attacker elevate their user privileges through the Windows Common Log File System Driver. The attacker can raise themselves all the way to administrator level.
Windows Common Log File System Driver Elevation of Privilege Vulnerability
CVE-2022-37969
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37969
What privileges could an attacker gain?
An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.
According to the CVSS metric, the privileges required is low (PR:L). What does that mean for this vulnerability?
An attacker must already have access and the ability to run code on the target system. This technique does not allow for remote code execution in cases where the attacker does not already have that ability on the target system.
Microsoft patches a new zero-day affecting all versions of Windows
https://techcrunch.com/2022/09/14/microsoft-zero-day-windows/
Microsoft has released security fixes for a zero-day vulnerability affecting all supported versions of Windows that has been exploited in real-world attacks.
The zero-day bug, tracked as CVE-2022-37969, is described as an elevation of privilege flaw in the Windows Common Log File System Driver, a subsystem used for data and event logging. The bug allows an attacker to obtain the highest level of access, known as system privileges, to a vulnerable device.
Microsoft says users running Windows 11 and earlier, and Windows Server 2008 and Windows Server 2012, are affected. Windows 7 will also receive security patches, despite falling out of support in 2020.
Microsoft said the flaw requires that an attacker already has access to a compromised device, or the ability to run code on the target system.
“Bugs of this nature are often wrapped into some form of social engineering attack, such as convincing someone to open a file or click a link,” said Dustin Childs, head of threat intelligence at the Zero Day Initiative (ZDI). “Once they do, additional code executes with elevated privileges to take over a system.”
Microsoft credited four different sets of researchers from CrowdStrike, DBAPPSecurity, Mandiant and Zscaler for reporting the flaw, which may be an indication of widespread exploitation in the wild.
Tomi Engdahl says:
Yoinks! Pretty decent breakdown of what transpired in the article.
Hacker couple deleted hotel chain data for fun
https://www.msn.com/en-us/news/world/hacker-couple-deleted-hotel-chain-data-for-fun/ar-AA11VyNN
Hackers have told the BBC they carried out a destructive cyber-attack against Holiday Inn owner Intercontinental Hotels Group (IHG) “for fun”.
Tomi Engdahl says:
A giant cyber war game for Finnish authorities begins, with a script that is kept out of the public eye; 120 organisations take part
https://yle.fi/uutiset/3-12629560
Tomorrow a role-playing exercise begins in which companies and authorities rehearse how to operate during a hypothetical large-scale payment traffic disruption. The national Tieto22 exercise is Finland's largest joint exercise of companies and authorities for wide-ranging cyber disruptions. Preparing for extensive disruptions of payment systems is the focus of the Tieto 2022 preparedness exercise, which culminates this week. "This is the three-day game phase of the exercise, in which we go into situations that we hope never to end up in for real," says Tuomo Haukkovaara, chairman of Digipooli.
Tomi Engdahl says:
Hurrah for Denmark, Top Winner of the 2022 European Cybersecurity Challenge https://www.enisa.europa.eu/news/hurrah-for-denmark-top-winner-of-the-2022-european-cybersecurity-challenge
The 8th edition of the ECSC concludes successfully, especially for the top three winners of the competition with Denmark in first place, Germany in second place and France in third place. The European Union Agency for Cybersecurity (ENISA) warmly thanks Austria for hosting the event in Vienna. After two days of intensive competition, the ECSC closed on Friday in Vienna. A total of 33 teams and over 600 participants competed representing EU Member States and European Free Trade Association (EFTA) countries, as well as the five non-EU guest teams from Canada, Israel, Serbia, the United Arab Emirates and the United States of America.
Tomi Engdahl says:
Uber links breach to Lapsus$ group, blames contractor for hack https://www.bleepingcomputer.com/news/security/uber-links-breach-to-lapsus-group-blames-contractor-for-hack/
Uber believes the hacker behind last week’s breach is affiliated with the Lapsus$ extortion group, known for breaching other high-profile tech companies such as Microsoft, Cisco, NVIDIA, Samsung, and Okta.
The company added that the attacker used the stolen credentials of an Uber EXT contractor in an MFA fatigue attack where the contractor was flooded with two-factor authentication (2FA) login requests until one of them was accepted. This social engineering tactic has become very popular and has been used in recent attacks targeting well-known companies worldwide, including Twitter, Robinhood, MailChimp, and Okta.
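The MFA fatigue pattern described above leaves a recognisable trace in the identity provider's audit log: a run of denied or expired push prompts for one account, then an approval. The example below is added here and is not Uber's or any IdP vendor's code; it parses a constructed log extract in a hypothetical "time user=... push=..." format and flags any approval preceded within a window by a burst of rejected pushes, while leaving a single mis-tap alone.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// PushEvent is one MFA push decision as an identity provider's audit log records it.
type PushEvent struct {
	Time   time.Time
	User   string
	Result string // "approved", "denied" or "timeout"
}

// ParsePushLog parses the constructed line format used below:
// "<RFC3339 time> user=<name> push=<result>". A real IdP export has other
// field names; only this mapping would change.
func ParsePushLog(lines []string) ([]PushEvent, error) {
	var events []PushEvent
	for _, ln := range lines {
		f := strings.Fields(ln)
		if len(f) != 3 || !strings.HasPrefix(f[1], "user=") || !strings.HasPrefix(f[2], "push=") {
			return nil, fmt.Errorf("malformed line: %q", ln)
		}
		ts, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, fmt.Errorf("bad timestamp in %q: %w", ln, err)
		}
		events = append(events, PushEvent{
			Time:   ts,
			User:   strings.TrimPrefix(f[1], "user="),
			Result: strings.TrimPrefix(f[2], "push="),
		})
	}
	return events, nil
}

// FatigueAlert is raised when an approval follows a burst of rejected pushes.
type FatigueAlert struct {
	User       string
	Rejected   int
	ApprovedAt time.Time
}

// DetectPushFatigue flags each approval that was preceded, within window,
// by at least threshold denied or timed-out pushes for the same user: the
// signature of an attacker replaying a valid password until the victim
// accepts. A single mis-tap followed by an approval stays below threshold.
func DetectPushFatigue(events []PushEvent, window time.Duration, threshold int) []FatigueAlert {
	byUser := map[string][]PushEvent{}
	for _, e := range events {
		byUser[e.User] = append(byUser[e.User], e)
	}
	var alerts []FatigueAlert
	for user, evs := range byUser {
		sort.Slice(evs, func(i, j int) bool { return evs[i].Time.Before(evs[j].Time) })
		for i, e := range evs {
			if e.Result != "approved" {
				continue
			}
			rejected := 0
			for j := i - 1; j >= 0 && e.Time.Sub(evs[j].Time) <= window; j-- {
				if evs[j].Result != "approved" {
					rejected++
				}
			}
			if rejected >= threshold {
				alerts = append(alerts, FatigueAlert{User: user, Rejected: rejected, ApprovedAt: e.Time})
			}
		}
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].User < alerts[j].User })
	return alerts
}

// SampleLog is a constructed audit extract: one account bombarded with
// pushes until it approves, and one ordinary user who mis-tapped once.
var SampleLog = []string{
	"2022-09-15T09:00:00Z user=alice push=denied",
	"2022-09-15T09:00:20Z user=alice push=approved",
	"2022-09-15T22:40:00Z user=ext-contractor push=denied",
	"2022-09-15T22:41:10Z user=ext-contractor push=denied",
	"2022-09-15T22:42:05Z user=ext-contractor push=timeout",
	"2022-09-15T22:43:30Z user=ext-contractor push=denied",
	"2022-09-15T22:45:00Z user=ext-contractor push=denied",
	"2022-09-15T22:47:20Z user=ext-contractor push=timeout",
	"2022-09-15T22:49:00Z user=ext-contractor push=approved",
}

func main() {
	events, err := ParsePushLog(SampleLog)
	if err != nil {
		panic(err)
	}
	for _, a := range DetectPushFatigue(events, 15*time.Minute, 3) {
		fmt.Printf("possible MFA fatigue: %s approved at %s after %d rejected pushes\n",
			a.User, a.ApprovedAt.Format(time.RFC3339), a.Rejected)
	}
}
```

Detection is the fallback; the structural fix is to make the push impossible to approve blindly (number matching, or phishing-resistant FIDO2/WebAuthn), because a user who is woken up at night by the tenth prompt will eventually tap "approve".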
Tomi Engdahl says:
Rockstar Games Confirms Hacker Stole Early Grand Theft Auto VI Footage https://thehackernews.com/2022/09/rockstar-games-confirms-hacker-stole.html
American video game publisher Rockstar Games on Monday revealed it was a victim of a “network intrusion” that allowed an unauthorized party to illegally download early footage for the Grand Theft Auto VI. “At this time, we do not anticipate any disruption to our live game services nor any long-term effect on the development of our ongoing projects,” the company said in a notice shared on its social media handles. The company said that the third-party accessed “confidential information from our systems,” although it’s not immediately clear if it involved any other data beyond the game footage.
Tomi Engdahl says:
Bosnia and Herzegovina investigating alleged ransomware attack on parliament https://therecord.media/bosnia-and-herzegovina-investigating-alleged-ransomware-attack-on-parliament/
Prosecutors in Bosnia and Herzegovina are investigating a wide-ranging cyberattack that has crippled the operations of the country's parliament. For nearly two weeks, the website for the country's parliament has been down, and local news outlet Nezavisne spoke with several lawmakers who said they were told to not even turn on their computers, barring them from access to their email accounts and official documents. A spokesperson for the prosecutor's office of Bosnia and Herzegovina told The Record that they were assigned the case a couple of days ago.
Tomi Engdahl says:
VMware, Microsoft warn of widespread Chromeloader malware attacks https://www.bleepingcomputer.com/news/security/vmware-microsoft-warn-of-widespread-chromeloader-malware-attacks/
VMware and Microsoft are warning of an ongoing, widespread Chromeloader malware campaign that has evolved into a more dangerous threat, seen dropping malicious browser extensions, node-WebKit malware, and even ransomware in some cases. Chromeloader infections surged in Q1 2022, with researchers at Red Canary warning about the dangers of the browser hijacker used for marketing affiliation and advertising fraud. Back then, the malware infected Chrome with a malicious extension that redirected user traffic to advertising sites to perform click fraud and generate income for the threat actors. A few months later, Palo Alto Network's Unit 42 noticed that Chromeloader was evolving into an info-stealer, attempting to snatch data stored on the browsers while retaining its adware functions.
Tomi Engdahl says:
Kiwi Farms has been breached; assume passwords and emails have been leaked https://arstechnica.com/information-technology/2022/09/kiwi-farms-has-been-breached-assume-passwords-and-emails-have-been-leaked/
Harassment site is down for now after hacker gains access to admin account. The head of Kiwi Farms, the Internet forum best known for organizing harassment campaigns against trans and non-binary people, said the site experienced a breach that allowed hackers to access his administrator account and possibly the accounts of all other users.
Moon said that the unknown individual or individuals behind the hack gained access to his admin account by using a technique known as session hijacking, in which an attacker obtains the authentication cookies a site sets after an account holder enters valid credentials and successfully completes any two-factor authentication requirements.
Tomi Engdahl says:
Preventing ISO Malware
https://isc.sans.edu/diary/Preventing+ISO+Malware+/29062
In the last few weeks, I've seen a significant uptick in systems infected with Chromeloader malware. This malware is a malicious extension for your browser, redirecting it to ad sites and hijacking searches. But with the success of this technique recently, I would not be surprised if others will take notice and switch to using it for other things.
Tomi Engdahl says:
Uber Confirms Hacker Accessed Internal Tools, Bug Bounty Dashboard
https://www.securityweek.com/uber-confirms-hacker-accessed-bug-bounty-dashboard-internal-tools
Ride-hailing giant Uber is moving quickly to downplay the impact from a devastating security breach that included the theft of employee credentials, access to the HackerOne bug bounty dashboard and data from an internal invoicing tool.
In a note published Monday, Uber confirmed that an external contractor had their account compromised by an attacker who used that access to elevate permissions on Google GSuite and the Slack communications platforms.
Uber acknowledged that the attacker had access to several internal tools but insisted that public-facing systems that handle credit cards, bank account information or ride-share trip history remained safe.
Tomi Engdahl says:
Rockstar Games Confirms Breach Leading to GTA 6 Leak
https://www.securityweek.com/rockstar-games-confirms-breach-leading-gta-6-leak
Video game publisher Rockstar Games has confirmed suffering a network breach that resulted in videos from the upcoming Grand Theft Auto (GTA) 6 game getting leaked.
“We recently suffered a network intrusion in which an unauthorized third party illegally accessed and downloaded confidential information from our systems, including early development footage for the next Grand Theft Auto. At this time, we do not anticipate any disruption to our live game services nor any long-term effect on the development of our ongoing projects,” Rockstar stated.
Rockstar Games hacked
A hacker has leaked tens of videos showing GTA 6 gameplay apparently recorded during early stages of game development. The hacker also claimed to have obtained GTA 5 and GTA 6 source code and other information, and offered to sell some of it.
He also urged Rockstar Games to make him an offer to prevent the information from getting to others. SecurityWeek has reached out to the company to find out if it plans on paying the hacker.
The leaked videos have been posted on many websites and Rockstar has been working on getting them removed.
“We are extremely disappointed to have any details of our next game shared with you all in this way. Our work on the next Grand Theft Auto game will continue as planned and we remain as committed as ever to delivering an experience to you, our players, that truly exceeds your expectations. We will update everyone again soon and, of course, will properly introduce you to this next game when it is ready,” Rockstar said.
The same hacker claims to be behind the recent Uber breach.
Tomi Engdahl says:
Eyeglass Reflections Can Leak Information During Video Calls
https://www.securityweek.com/eyeglass-reflections-can-leak-information-during-video-calls
A group of academic researchers have devised a method of reconstructing text exposed via participants’ eyeglasses and other reflective objects during video conferences.
Zoom and other video conferencing tools, which have been widely adopted over the past couple of years as a result of the Covid-19 pandemic, may be used by attackers to leak information unintentionally reflected in objects such as eyeglasses, the researchers say.
“Using mathematical modeling and human subjects experiments, this research explores the extent to which emerging webcams might leak recognizable textual and graphical information gleaming from eyeglass reflections captured by webcams,” the academics note in their research paper.
According to the researchers, evolving webcam technology may result in optical attacks that rely on using multiframe super resolution techniques for the reconstruction of the reflected content.
Dubbed ‘webcam peeking attack’, a threat model devised by academics shows that it is possible to obtain an accuracy of over 75% when reconstructing and recognizing text with heights as small as 10 mm, captured by a 720p webcam.
“We further apply this threat model to web textual contents with varying attacker capabilities to find thresholds at which text becomes recognizable. Our user study with 20 participants suggests present-day 720p webcams are sufficient for adversaries to reconstruct textual content on big-font websites,” the researchers note.
Private Eye: On the Limits of Textual Screen Peeking via Eyeglass Reflections in Video Conferencing
https://arxiv.org/pdf/2205.03971.pdf
Tomi Engdahl says:
Serious Breach at Uber Spotlights Hacker Social Deception
https://www.securityweek.com/serious-breach-uber-spotlights-hacker-social-deception
The ride-hailing service Uber said Friday that all its services were operational following what security professionals are calling a major data breach, claiming there was no evidence the hacker got access to sensitive user data.
But the breach, apparently by a lone hacker, put the spotlight on an increasingly effective break-in routine involving social engineering: The hacker apparently gained access posing as a colleague, tricking an Uber employee into surrendering their credentials.
They were then able to locate passwords on the network that got them the level of privileged access reserved for system administrators.
The potential damage was serious: Screenshots the hacker shared with security researchers indicate they obtained full access to the cloud-based systems where Uber stores sensitive customer and financial data.
It is not known how much data the hacker stole or how long they were inside Uber’s network. Two researchers who communicated directly with the person — who self-identified as an 18-year-old to one of them — said they appeared interested in publicity. There was no indication they destroyed data.
“It was really bad the access he had. It’s awful,” said Corben Leo, one of the researchers who chatted with the hacker online.
The cybersecurity community’s online reaction — Uber also suffered a serious 2016 breach — was harsh.
Uber Investigating Data Breach After Hacker Claims Extensive Compromise
https://www.securityweek.com/uber-investigating-data-breach-after-hacker-claims-extensive-compromise
Tomi Engdahl says:
LastPass Found No Code Injection Attempts Following August Data Breach
https://www.securityweek.com/lastpass-found-no-code-injection-attempts-following-august-data-breach
Password management software provider LastPass says its investigation into the August 2022 data breach has not revealed any attempts to inject malicious code into LastPass software.
The GoTo-owned company announced on August 25 that unknown intruders had gained access to the LastPass development environment and stole “portions of source code and some proprietary LastPass technical information”.
At the time, the company posted a notice online, saying that no user data or master passwords were compromised in the incident, and that its products and services continued to operate normally throughout the incident.
In a September 15 update, LastPass provided additional information on the incident, explaining that the data breach was limited to the LastPass development environment, which does not store customer data, and which is physically separated from production.
“LastPass does not have any access to the master passwords of our customers’ vaults – without the master password, it is not possible for anyone other than the owner of a vault to decrypt vault data as part of our Zero Knowledge security model,” the company also notes.
Tomi Engdahl says:
LastPass Says Source Code Stolen in Data Breach
https://www.securityweek.com/lastpass-says-source-code-stolen-data-breach
Password management software firm LastPass has suffered a data breach that led to the theft of source code and proprietary technical information.
The company, which is owned by GoTo (formerly LogMeIn), disclosed the breach in an online notice posted Thursday but insisted that the customer master passwords or any encrypted password vault data were not compromised.
LastPass chief executive Karim Toubba said the company’s security team detected unusual activity within portions of the LastPass development environment two weeks ago and launched an investigation that confirmed the source code theft.
From the LastPass notice:
We have determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information. Our products and services are operating normally.
In response to the incident, we have deployed containment and mitigation measures, and engaged a leading cybersecurity and forensics firm. While our investigation is ongoing, we have achieved a state of containment, implemented additional enhanced security measures, and see no further evidence of unauthorized activity.
Tomi Engdahl says:
GTA 6 Videos and Source Code Stolen in Rockstar Games Hack
https://www.securityweek.com/gta-6-videos-and-source-code-stolen-rockstar-games-hack
The Rockstar Games hacker also claims to be behind the recent Uber breach
Video game publisher Rockstar Games appears to have suffered a data breach, with the hacker claiming to have stolen source code for the upcoming Grand Theft Auto (GTA) 6 game.
Rockstar has officially provided little information about the upcoming GTA game. However, the hacker, who uses the online moniker ‘Tea pot’, has leaked tens of videos showing GTA 6 gameplay. The clips appear to have been recorded during game development.
The hacker also claimed to have obtained GTA 5 and GTA 6 source code and other information, and offered to sell some of it. He urged Rockstar Games to get in touch and make him an offer to prevent the information from getting to others.
The hacker suggested that the company was forced to shut down many systems as a result of the breach.
The leaked videos have been posted on many websites and Rockstar has apparently been working on getting them removed.
Tomi Engdahl says:
Kristiina got a complete stranger's passport from a kiosk – Yle: several passports to the wrong people
An error situation has occurred in passport distribution.
https://www.iltalehti.fi/kotimaa/a/fc636728-d89a-4b21-8a78-9076018e0444
Kristiina, who lives in Sipoo, went on Monday to pick up her new passport from a nearby R-kioski after being notified that the passport had arrived.
– I opened the envelope there at the kiosk and it was the passport of a complete stranger, she says.
The R-kioski employee said that the same thing had already happened once earlier on Monday. The clerk advised Kristiina to contact the police, so she went home with the wrong passport.
On Monday, Yle reported that passports have been delivered to the wrong people because of a distribution error.
Kristiina, too, was told by the police that there are now hundreds if not even thousands of similar cases. She was instructed to return the wrong passport to the pickup point, from where it will be returned to the sender.
Risk of misuse
According to Hanna Piipponen, head of licence administration at the National Police Board, an error situation has occurred in passport distribution.
– This involves several people's passports; there are a few that made it to the pickup point and ended up with the wrong person, she commented to Yle.
According to Piipponen, the passports delivered to the wrong people have been traced, and none of them are missing. She did not comment on the cause of the distribution error. The National Police Board does not pack the passports, although it is responsible for their distribution.
Tomi Engdahl says:
HS: Servers of notorious hate sites found in Finland https://www.is.fi/digitoday/art-2000009081233.html
The servers of two notorious hate sites were found in Finland. This was reported last Saturday by Helsingin Sanomat (paywalled), which found the servers in Pitäjänmäki, Helsinki.
The sites in question are the 8kun discussion board, better known by its old name 8chan, and the Daily Stormer site favoured by neo-Nazis. The matter was reported to HS by the American Ron Guilmette, who has been investigating the sites' backgrounds and their server arrangements for years.
According to HS's investigation, the sites' traffic passes, in addition to Finland, through Lithuania, the Netherlands and Russia, for example. Via these intermediate stops, the trail leads to the American company Vanwatech, run by Nick Lim.
In Finland, Vanwatech had rented a server from a company called Oy Crea Nova Hosting Solutions.
Soon after HS made contact, Crea Nova shut down the server that Vanwatech had rented in Finland. This led to both the Daily Stormer and 8kun temporarily disappearing from the internet, but on Tuesday morning Finnish time both sites were up and running again.
There have been attempts to shut both sites off the internet by various means for years. The Daily Stormer, for example, spews enormous amounts of above all racist content into the ether.
8kun has acted likewise; it made headlines for example in January 2021, when supporters of President Donald Trump stormed the United States Capitol. That attack had been orchestrated precisely on 8kun, which is also above all a place favoured by the extreme far right.
Vanwatech boss Lim has openly admitted to Bloomberg that, in addition to this pair, he provides web services to several other questionable sites, such as the Kiwi Farms forum, which orchestrates hate campaigns. Despite this, Lim denies being an extremist, but feels that he supports "extremely free speech".
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/vmware-microsoft-warn-of-widespread-chromeloader-malware-attacks/
Tomi Engdahl says:
Elina Lappalainen / Helsingin Sanomat:
A look at Finland-based Crea Nova, an internet service company that hosted hate and conspiracy-filled websites, and its connections to Russia
The darkest corners of the Internet led to Finland
https://www.hs.fi/visio/art-2000009078517.html
This is how 8kun and Daily Stormer, known for their neo-Nazi and Qanon content, went down. The infamous VanwaTech maintained the site’s traffic with the help of a small Finnish server company.
In one word, the Daily Stormer is a horrendous website.
It is a right-wing extremist website that promotes white supremacy and Neo-Nazi ideology where slanderous news titles on Jews and Islam are common, and misogyny runs wild. The site displays a counter depicting the declining number of white people in the US. A banner is asking for bitcoin donations for the site.
The Daily Stormer was founded by the US Andrew Anglin in 2014. The website became a successor to his previous blog, Total Fascism.
The site adopted a style with visuals to woo young people, outrageous humour, memes and blatantly provocative titles.
Anglin has also used his website for online targeting as well as harassment campaigns on the Internet. In 2019, Anglin was ordered to pay $14 million in damages to a Jewish woman for orchestrating a trolling campaign against her.
The site has also been linked to violent attacks against black people and even to mass murders. Dylann Roof, who murdered nine people in Charleston in 2015, actively left comments on the website. The perpetrator of the mass shooting in Buffalo last spring also cited the Daily Stormer as an inspiration.
Another known US-based ‘Internet cesspool’ is the Internet forum 8kun, formerly known as 8chan. It is owned by a website entrepreneur Jim Watkins.
It is also a meeting place for the far-right, Neo-Nazis and QAnon conspiracy theorists who spread racism, Nazism, misogyny, child pornography and violent fantasies in the name of the ‘freedom of speech’.
8chan was the place where the planning began for the attack on the US Capitol building in early 2021. The forums discussed which politicians should be killed once the Capitol was successfully invaded.
8kun has been linked to the mass murder in 2019 at a Walmart in Texas El Paso and the Christchurch mass shooting that claimed the lives of 50 people.
The question is who is helping these sites stay online.
The Internet would not exist without invisible technology companies. Companies that host web addresses and server rooms, transmit Internet traffic and handle data security.
After the Unite the Right rally in Charlottesville, most of the large Internet companies had had enough of the Daily Stormer.
The first to stop hosting the site was GoDaddy, one of the largest website hosting companies in the world. In 2017, many other technology companies from Google to NameCheap and Cloudflare followed in its footsteps.
The hate site was successfully silenced. But only for a moment.
The small company has become the lifeline of the most important US right-wing extremist and conspiracy websites.
The dark corners of the Internet house companies that have no trouble overlooking even the most appalling content.
On the final stretch of the US presidential elections in 2020, some of the popular right-wing extremist websites and forums suddenly crashed. Conspiracy theorists believed that this had been orchestrated by the Democrats and heralded the coming of the apocalypse.
But it was no conspiracy. It was a small technical glitch with the Internet service provider VanwaTech.
The right-wing extremist websites were resurrected when the owner of the company, 23-year-old Nick Lim, woke up from a nap at his mother’s home. The sites recovered once Lim reset the servers.
Lim founded VanwaTech in late 2019. The company’s best-known customers include the notorious 8kun and the Daily Stormer.
The small company has become the lifeline of the most important US right-wing extremist and conspiracy websites.
VanwaTech made international headlines when it took the right-wing extremist hate forum, Kiwi Farms, under its wing. Kiwi Farms is known for inciting harassment campaigns especially against transgender and lbqt people.
For example, the data security giant Cloudflare stated that Kiwi Farms is causing an “immediate threat to human life”.
Lim has described himself as “an entrepreneur with a maximalist view of free speech”, but he says he is not an extremist.
“There needs to be a me, right?”, he said to the Bloomberg Businessweek. “Once you get to the point where you look at whether content is safe or unsafe, as soon as you do that, you’ve opened a can of worms.”
Pitäjänmäki is a district located in the westernmost part of Helsinki. It is home to more jobs than people.
At Hiomotie street, one office building’s windows have been covered with plywood sheets. A corner of the exterior wall is coated with air conditioners.
The building’s door reads “Oy Crea Nova Hosting Solutions”.
It is a familiar address to the Finnish National Bureau of Investigation (NBI). HS Visio found out that the NBI has visited Crea Nova’s office several times in recent years.
The visits have usually concerned the company’s clients’ Internet content that has prompted information requests from foreign officials.
In July 2022, Crea Nova acquired a particularly famous client. Nick Lim’s VanwaTech, the company known for supporting Neo-Nazi sites, wanted to rent a server at Pitäjänmäki.
HS Visio was informed of the Finnish company’s role when a US information technology expert, Ron Guilmette, contacted the publication. Guilmette has spent nearly a decade voluntarily hunting down the scammers and spammers of the Internet.
A couple of years back, Guilmette set his sight on the hate sites 8kun and the Daily Stormer.
One particular string led Guilmette to Finland. Helsinki has been one of the places from which Neo-Nazi websites have been kept alive.
Crea Nova is one of many companies around the world that VanwaTech, run by Nick Lim, has used to transfer questionable content to the Internet.
Far-right websites often point to Russia. This was the case now as well.
Most of VanwaTech’s recent service providers have been based in Russia or China. Nick Lim’s company was protected against denial-of-service-attacks (DDoS) by the Russian owned DDoS-Guard up until January 2021. The same company protected the pro-Trump social media website Parler when Amazon suspended it from its server hosting service.
This autumn, the Russian company also welcomed the notorious Kiwi Farms to its fold. Its other clients include the Russian Federal Security Service (FSB) and the Russian Ministry of Defence.
Why do Russian companies in particular want to protect websites that disturb the Western social order? This was a question asked by the Foreign Policy magazine in January 2021.
Andrew Anglin, the Daily Stormer’s founder, responded on his website: “There is no internet company that will support your freedom of speech if the media says you shouldn’t have freedom of speech that is not either Chinese or Russian.”
Russia and China are authoritarian countries that control Internet content published within their borders vehemently. Simultaneously, they offer a safe harbour for Western far-right websites and websites that view governments with distrust.
The Daily Stormer, 8kun and Kiwi Farms domain names were registered by Eranet International Limited based in Hong Kong. The company has received approval from the Chinese administrative authority on domain name registrations.
If the domain names were registered by a Western company, officials would have an easier time to intervene in the activities on those sites. Regular methods cannot be used in China or Russia.
The Finnish Crea Nova also has close connections with Russia. The company is owned by a Russian Finn, Nikolai Viskari, and it has a significant customer base in Russia.
HS Visio consulted Nixu on what kind of a picture data security reports and listings paint of Crea Nova.
The findings concluded that IP addresses hosted by Crea Nova have been involved with botnets, phishing attacks, mass mailing of spam emails, hacking attempts and other malicious traffic. Many reports classify the company’s IP addresses as high-risk addresses.
“It does not seem like a trustworthy or a reputable service provider,” Hauhia concludes based on the reports.
Crea Nova has a web platform portal where anyone can create an account and set up a service. Strong identification is not necessary, and they accept both regular payments and cryptocurrencies.
Hauhia says that this is unusual in Finland.
“Crea Nova’s customer profile seems a little risky. When you combine that with easy online shopping and anonymous payments, you need an extraordinarily strict data security policy if your goal is to keep up a good corporate image,” says Mellin.
Nikolai Viskari responds to our call on Thursday 8th September.
Content from American Neo-Nazi websites have been allowed to flow freely through Finland to the Internet for two months.
“VanwaTech has been our customer since July,” Nikolai Viskari readily admits.
He seems surprised and a little shaken. However, he responds to questions rather openly.
Viskari denies being familiar with the websites 8kun, Daily Stormer or Kiwi Farms. “The names do not ring a bell.”
He recounts that VanwaTech rented a server from Crea Nova in the summer. Viskari himself installed the server’s operating system. Thus, Crea Nova provides the American company with a device and an Internet connection.
“We don’t know what happens inside the server. I am unaware of our client’s activities,” says Viskari.
He states that Crea Nova has not received complaints about suspicious content.
However, this is not true.
“I do not support racism or anything like that. I will never support racism. This has nothing to do with my personal views. I am an entrepreneur and they are our clients,” says Viskari.
A Dutch data centre is also involved in this tangled web.
At the start of August, Ron Guilmette observed that the Finnish Crea Nova was one of the five companies that transmitted traffic for VanwaTech. However, as Guilmette contacted these companies, the routing seemed to change.
Traffic from Neo-Nazi sites began to pass through the data centre of a Dutch company called Serverius. This network traffic branch has been investigated by journalists at the Dutch NRC newspaper in co-operation with Helsingin Sanomat.
Serverius is one of the largest server providers in the Netherlands. One of its clients has a notorious Russian Internet company called Vdsina (under the name Hosting Technology Limited) as a client.
These kinds of long and shady routing chains are common with trash sites. And they are hard to keep track of.
Nick Lim admitted to an NRC journalist in an email that they use a Dutch data centre but did not offer further comments.
The sudden turn in Neo-Nazi sites’ Internet traffic was no coincidence. Guilmette believes that the real origin of the traffic has been obscured by using a so-called reverse proxy. This proxy was located in the Netherlands.
Simply put, the company owned by Nick Lim has attempted to offer web services for their notorious clients wherever possible.
In addition to Crea Nova and the Dutch data centre, this complicated arrangement has involved Russian operators and, for example, a Lithuanian Internet service provider.
“The client has most likely used their Finnish server to establish a VPN connection through the Dutch data centre to the VanwaTech network,” Mellin reckons.
Public sources also revealed that just last week, Crea Nova was one of the four Internet companies that routed traffic with VanwaTech.
The network routing for Daily Stormer and 8kun has constantly changed to go through different companies. That is not normal, says Mellin. He lists two possible explanations for this: a fault situation or concealing traffic.
“Network traffic is directed through different operators and server rooms on purpose to circumvent potential blockages and to minimise traces from traffic,” Mellin notes.
Could the Finnish company have been unaware of their client’s true nature?
Mellin states that this is a possibility, especially since clients can purchase server capacity on Crea Nova’s website anonymously.
Transferring traffic by itself is not criminal in any sense, and there are no laws that require filtering traffic, Mellin points out.
Viskari states that Crea Nova has only had a few clients whose contents have generated complaints over the years.
According to Viskari, the company reacts to reports on malicious traffic quickly and, for instance, accounts involved with sending spam are closed swiftly.
“I always offer coffee to the NBI.”
He says that he terminates a client relationship due to issues as often as two to five times a month.
“You are wrong if you think that no other data centre has to deal with this. We all deal with the same problems,” Viskari notes.
He states that most of the issues concern their Chinese or US-based customers – not Russians.
In 2019, Crea Nova made the headlines of IT magazines around the world when one of its client’s servers got hacked.
After a day has passed since our interview, Nikolai Viskari calls us back.
“I’ve closed the [VanwaTech’s] server, it’s over now.”
At the same time, a different scenario is playing out in the Netherlands.
The journalists at the NRC have been in contact with the Dutch data centre and the Russian Vdsina company. Vdsina has stated that it is ending its client relationship with VanwaTech.
With the absence of the Dutch proxy server, it seemed that the traffic was passing through the Finnish company once again. This alarmed Viskari.
“Yesterday, the site was somewhere else and now it has been transferred to us yet again. As soon as I noticed that, I unplugged the server.”
VanwaTech is now demanding that the Finnish company pay them back a little over a thousand euros, Viskari says.
“Nick Lim contacted us to ask why we closed down the server.”
You have to go to the Internet to see what's going on on the far-right websites. Both the Daily Stormer and the 8kun forums have crashed. The browser gives an error message “This site can't be reached”.
American news sites have also noticed that the Neo-Nazi websites have suddenly collapsed. “QAnon’s Jim Watkins Tried to Save Kiwi Farms. Now His Site 8kun is Down,” says the title of a news story in Vice magazine, which speculates that this was caused by a DDoS attack.
They have no idea that a single plug was pulled out at Pitäjänmäki.
Tomi Engdahl says:
Tim Copeland / The Block:
Crypto market maker Wintermute says hackers stole $160M from its DeFi operations but the firm remains solvent; in total, 90 assets were stolen, most worth <$1M — Crypto market making firm Wintermute has been hacked. — The firm maintains that it is solvent.
Crypto market maker Wintermute hacked for $160 million
https://www.theblock.co/post/171135/crypto-market-maker-wintermute-hacked-for-160-million
Crypto market making firm Wintermute has been hacked.
The firm maintains that it is solvent.
Crypto market making firm Wintermute has been hacked for $160 million but the firm remains solvent, according to founder and CEO Evgeny Gaevoy.
Gaevoy said today on Twitter that the money was related to its DeFi operations and that its centralized exchange and over-the-counter offerings were not affected.
"We are solvent with twice over that amount in equity left," Gaevoy said. "If you have a MM agreement with Wintermute, your funds are safe. There will be a disruption in our services today and potentially for next few days and will get back to normal after."
Gaevoy said that 90 assets were stolen. Two amounts of tokens were worth between $1 million and $2.5 million, with the remaining below $1 million.
Tomi Engdahl says:
Financial Times:
The SEC fines Morgan Stanley $35M for an “astonishing” failure that exposed 15M customers’ data over five years by auctioning off machines containing the data
Sensitive Morgan Stanley devices were auctioned off online, finds SEC
https://www.ft.com/content/9aed6933-1c96-402e-a194-069c8ed3306c