This posting is here to collect cyber security news in September 2022.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
This posting is here to collect cyber security news in September 2022.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
411 Comments
Tomi Engdahl says:
Uber Newsroom:
Responding to last week’s hack, Uber says a contractor’s account was breached by Lapsus$-linked hackers and exposed HackerOne bug reports were remediated — While our investigation is still ongoing, we are providing an update on our response to last week’s security incident. — What happened?
https://www.uber.com/newsroom/security-update/
September 19, 10:45am PT
While our investigation is still ongoing, we are providing an update on our response to last week’s security incident.
What happened?
An Uber EXT contractor had their account compromised by an attacker. It is likely that the attacker purchased the contractor’s Uber corporate password on the dark web, after the contractor’s personal device had been infected with malware, exposing those credentials. The attacker then repeatedly tried to log in to the contractor’s Uber account. Each time, the contractor received a two-factor login approval request, which initially blocked access. Eventually, however, the contractor accepted one, and the attacker successfully logged in.
From there, the attacker accessed several other employee accounts which ultimately gave the attacker elevated permissions to a number of tools, including G-Suite and Slack. The attacker then posted a message to a company-wide Slack channel, which many of you saw, and reconfigured Uber’s OpenDNS to display a graphic image to employees on some internal site
How did we respond?
Our existing security monitoring processes allowed our teams to quickly identify the issue and move to respond. Our top priorities were to make sure the attacker no longer had access to our systems; to ensure user data was secure and that Uber services were not affected; and then to investigate the scope and impact of the incident.
Here are some of the key actions we took, and continue to take:
We identified any employee accounts that were compromised or potentially compromised and either blocked their access to Uber systems or required a password reset.
We disabled many affected or potentially affected internal tools.
We rotated keys (effectively resetting access) to many of our internal services.
We locked down our codebase, preventing any new code changes.
When restoring access to internal tools, we required employees to re-authenticate. We are also further strengthening our multi-factor authentication (MFA) policies.
We added additional monitoring of our internal environment to keep an even closer eye on any further suspicious activity.
What was the impact?
The attacker accessed several internal systems, and our investigation has focused on determining whether there was any material impact. While the investigation is still ongoing, we do have some details of our current findings that we can share.
Tomi Engdahl says:
Revolut mobile banking startup confirms data breach of 50,000 users https://therecord.media/revolut-mobile-banking-startup-confirms-data-breach-of-50000-users/
Digital banking startup Revolut confirmed it was hacked last week, exposing data on more than 50,000 customers around the world, including over 20,000 in Europe. The company disclosed the breach on Friday to the state data protection agency of Lithuania, where the company holds a banking license. London-based Revolut is UKs most valuable fintech startup valued at $33 billion, according to Forbes.
It has over 20 million users in 200 countries but is most popular in Europe and the UK.
Tomi Engdahl says:
Chainsaw: Hunt, search, and extract event log records
https://isc.sans.edu/diary/Chainsaw%3A+Hunt%2C+search%2C+and+extract+event+log+records/29066
I first spotted Chainsaw courtesy of Florian Roths Twitter feed given that Chainsaw favors using Sigma as one of its rule engines. Chainsaw is a standalone tools that provides a simple and fast method to triage Windows event logs and identify interesting elements within the logs while applying detection logic (Sigma and Chainsaw) to detect malicious activity. Chainsaws powerful first-response capability offers a generic and fast method of searching through event logs for keywords.
Tomi Engdahl says:
Game dev 2Ks support site hacked to push malware via fake tickets https://www.bleepingcomputer.com/news/security/game-dev-2k-s-support-site-hacked-to-push-malware-via-fake-tickets/
Hackers have compromised the support system of American video game publisher 2K and now are sending support tickets to gamers containing the RedLine password-stealing malware. 2K is the publisher behind numerous popular game franchises, including NBA 2K, Borderlands, WWE 2K, PGA Tour 2K, Bioshock, Civilization, and Xcom. Starting today, 2K customers began receiving emails stating that they opened support tickets on 2ksupport.zendesk.com, 2K’s online support ticketing system. While the users confirmed these tickets had been created, numerous recipients on Twitter and Reddit stated that they were not the ones who opened the tickets.
Tomi Engdahl says:
https://www.securityweek.com/uber-confirms-hacker-accessed-bug-bounty-dashboard-internal-tools
Tomi Engdahl says:
American Airlines Says Personal Data Exposed After Email Phishing Attack
https://www.securityweek.com/american-airlines-says-personal-data-exposed-after-email-phishing-attack
American Airlines is informing some customers that their personal information may have been compromised after threat actors gained access to employee email accounts.
The airline said a phishing campaign resulted in the mailboxes of a ‘limited number’ of employees getting accessed by hackers. The compromised email accounts contained the personal information of some customers.
Tomi Engdahl says:
https://www.securityweek.com/crowdstrike-buy-reposify-invests-salt-security
Tomi Engdahl says:
https://www.securityweek.com/us-government-contractors-targeted-evolving-phishing-campaign
Tomi Engdahl says:
EU Court Rules Against German Data Collection Law
https://www.securityweek.com/eu-court-rules-against-german-data-collection-law
A German law requiring telecoms companies to retain customer data is a breach of EU legislation, a European court ruled Tuesday, prompting the justice minister to vow an overhaul of the rules.
Firms Telekom Deutschland and SpaceNet took action in the German courts challenging the law that obliged telecoms companies to retain customers’ traffic and location data for several weeks.
The case headed to the European Court of Justice (ECJ) in Luxembourg, which ruled against the German legislation.
“EU law precludes the general and indiscriminate retention of traffic and location data,” the court said in a statement, confirming its previous judgements on the issue.
The Federal Administrative Court, one of Germany’s top courts, had argued there was a limited possibility of conclusions being drawn about people’s private lives from the data, and sufficient safeguards were in place.
But the ECJ said the German legislation — which required traffic data to be retained for 10 weeks, and location for four — applies to a “very broad set” of information.
It “may allow very precise conclusions to be drawn concerning the private lives of the persons whose data are retained… and, in particular, enable a profile of those persons to be established.”
The stated aim of the law was to prosecute serious criminal offences or prevent specific risks to national security, but the court said that such measures were not permitted on a “preventative basis”.
However, it said that in cases where an EU state faces a “serious threat to national security” that is “genuine and present”, telecoms providers can be ordered to retain data.
Such an instruction must be subject to review and can only be in place for a period deemed necessary.
Tomi Engdahl says:
Operant Networks Emerges From Stealth With SASE Solution for Energy OT
https://www.securityweek.com/operant-networks-emerges-stealth-sase-solution-energy-ot
Operant Networks has emerged from stealth mode with $3.8 million in seed funding and a secure access service edge (SASE) solution focused on operational technology (OT) in the energy sector.
The Santa Rosa, California-based company provides machine-to-machine communications and its goal is to help energy organizations with their networking and cybersecurity requirements.
Operant Networks says its SASE solution for OT is ideal for organizations with a growing number of various edge devices, with data and communications both locally and in the cloud, with remote device connectivity requirements, and with secure communication needs.
The company’s SASE solution uses named data networking for resilience, security and observability. In addition, it applies zero trust architecture principles to each data packet for an additional level of security that does not impact network performance.
“We hear similar pain-points from customers connecting to industrial field equipment, regardless of asset type or industry. Traditional solutions force customers to choose between reliability, security, and cost. The inevitable result is poorly performing projects, and inflated network and cyber response teams struggling to keep up.” said Operant Networks CEO Keith Rose.
It claims to have already deployed its networking and cybersecurity solutions to over 3GW of critical infrastructure in the energy sector.
https://operantnetworks.com/
Tomi Engdahl says:
Carly Page / TechCrunch:
London-based banking and stock trading app Revolut says a cyberattack exposed the personal details of 50,150 customers, per a breach disclosure in Lithuania
Revolut confirms cyberattack exposed personal data of tens of thousands of users
https://techcrunch.com/2022/09/20/revolut-cyberattack-thousands-exposed/
Fintech startup Revolut has confirmed it was hit by a highly targeted cyberattack that allowed hackers to access the personal details of tens of thousands of customers.
Revolut spokesperson Michael Bodansky told TechCrunch that an “unauthorized third party obtained access to the details of a small percentage (0.16%) of our customers for a short period of time.” Revolut discovered the malicious access late on September 10 and isolated the attack by the following morning.
“We immediately identified and isolated the attack to effectively limit its impact and have contacted those customers affected,” Bodansky said. “Customers who have not received an email have not been impacted.”
Revolut, which has a banking license in Lithuania, wouldn’t say exactly how many customers were affected. Its website says the company has approximately 20 million customers; 0.16% would translate to about 32,000 customers. However, according to Revolut’s breach disclosure to the authorities in Lithuania, first spotted by Bleeping Computer, the company says 50,150 customers were impacted by the breach, including 20,687 customers in the European Economic Area and 379 Lithuanian citizens.
Revolut also declined to say what types of data were accessed but told TechCrunch that no funds were accessed or stolen in the incident.
Tomi Engdahl says:
FBI Investigating Alleged Rockstar Hacker
Dozens of GTA 6 videos were leaked last week.
https://nordic.ign.com/grand-theft-auto-vi/60224/news/fbi-investigating-alleged-rockstar-hacker
The alleged hacker that leaked around 90 videos of Grand Theft Auto 6 and also targeted Uber is being investigated by the FBI.
As reported by Eurogamer, the hacker who claimed responsibility also said they were behind the major cyber attack suffered by Uber on September 18. The taxi company has since released a blog post that announced it is actively working with the FBI and the U.S. Department of Justice to resolve the matter.
FBI investigate hacker allegedly behind Rockstar GTA 6 leak
Grand theft uh-oh.
https://www.eurogamer.net/fbi-investigating-hacker-who-claimed-to-have-breached-rockstar-and-uber
The hacker who claimed responsibility for this weekend’s enormous leak of Grand Theft Auto 6 material is now being investigated by the FBI.
The same attacker also said they were behind last week’s high-profile hack of ride app Uber, which has provided an update on its own investigations.
Uber said it believed the person responsible to be “affiliated with a hacking group called Lapsus$, which has been increasingly active over the last year or so” and which has similarly breached a list of other technology companies this year such as Microsoft, Samsung and Nvidia.
The GTA maker said it was “extremely disappointed”, but that there would be no “long-term effect” on development. No live services, such as Grand Theft Auto Online, were interrupted.
Tomi Engdahl says:
Iranian State Actors Conduct Cyber Operations Against the Government of Albania https://www.cisa.gov/uscert/ncas/alerts/aa22-264a
In July 2022, Iranian state cyber actorsidentifying as HomeLand Justicelaunched a destructive cyber attack against the Government of Albania which rendered websites and services unavailable. A FBI investigation indicates Iranian state cyber actors acquired initial access to the victims network approximately 14 months before launching the destructive cyber attack, which included a ransomware-style file encryptor and disk wiping malware. The actors maintained continuous network access for approximately a year, periodically accessing and exfiltrating e-mail content. Between May and June 2022, Iranian state cyber actors conducted lateral movements, network reconnaissance, and credential harvesting from Albanian government networks
Tomi Engdahl says:
Törkeä huijaus poliisin nimissä tällaisella viestillä tietosi yritetään varastaa https://www.iltalehti.fi/tietoturva/a/c886a71a-5c73-4789-8830-7c92e1fec9bb
Suomalaisille on alkanut saapua sähköpostiviestejä, joissa väitetään, että he ovat syyllistyneet rikokseen, joka on johtanut kuulusteluihin.
Viestissä on liite, joka yritetään saada avaamaan lisätietojen tarjoamiseksi. Keskusrikospoliisi varoitti viesteistä reilu viikko sitten ja kertoo kirjanneensa kymmeniä rikosilmoituksia kuvatuista huijauksista nimikkeenä virkavallan anastus. Poliisi kertoi, ettei sen tiedossa ole tapauksia, joissa huijauksesta olisi aiheutunut juurikaan rikosvahinkoa. Vastaavia huijausviestejä oli liikkeellä myös keväällä.
Myös näissä viesteissä pyrittiin saada uhri ottamaan yhteyttä viestissä olevaan sähköpostiosoitteeseen.
Tomi Engdahl says:
S-Pankin nimissä tulevat huijausviestit muuttuivat älä lankea tähän ansaan https://www.is.fi/digitoday/tietoturva/art-2000009082939.html
S-PANKIN nimissä on kevään ja kesän mittaan lähetetty erinäisiä huijausviestejä, joiden avulla yritetään kalastella pankkitunnuksia.
Nyt syyskuussa viestit ovat taas jatkuneet. Tekstiviestissä on linkki S-Pankin sisäänkirjautumista jäljitteleville verkkosivuille, joihin uhrin on määrä syöttää pankkitunnuksensa. Huijausviesti päätyy samaan viestiketjuun pankilta tulleiden aitojen viestien kanssa, tässä tapauksessa väärennetyllä SPankki-lähettäjänimellä. Tekstiviestien lähettäjän väärentäminen on vanha ongelma, johon ei ole vieläkään löytynyt ratkaisua.
Tomi Engdahl says:
Rewards plus: Fake mobile banking rewards apps lure users to install info-stealing RAT on Android devices https://www.microsoft.com/security/blog/2022/09/21/rewards-plus-fake-mobile-banking-rewards-apps-lure-users-to-install-info-stealing-rat-on-android-devices/
Our analysis of a recent version of a previously reported info-stealing Android malware, delivered through an ongoing SMS campaign, demonstrates the continuous evolution of mobile threats.
Masquerading as a banking rewards app, this new version has additional remote access trojan (RAT) capabilities, is more obfuscated, and is currently being used to target customers of Indian banks. The SMS campaign sends out messages containing a link that points to the info-stealing Android malware. The malwares RAT capabilities allow the attacker to intercept important device notifications such as incoming messages, an apparent effort to catch two-factor authentication (2FA) messages often used by banking and financial institutions.
Tomi Engdahl says:
Atlassian Confluence Vulnerability CVE-2022-26134 Abused For Cryptocurrency Mining, Other Malware https://www.trendmicro.com/en_us/research/22/i/atlassian-confluence-vulnerability-cve-2022-26134-abused-for-cryptocurrency-mining-other-malware.html
We observed the active exploitation of CVE-2022-26134, an unauthenticated remote code execution (RCE) vulnerability with a critical rating of 9.8 in the collaboration tool Atlassian Confluence.. he gap is being abused for malicious cryptocurrency mining. Confluence has already released a security advisory detailing the fixes necessary for all affected products, namely all versions of Confluence Server and Confluence Data Center. If left unremedied and successfully exploited, this vulnerability could be used for multiple and more malicious attacks, such as a complete domain takeover of the infrastructure and the deployment information stealers, remote access trojans (RATs), and ransomware.
Tomi Engdahl says:
LockBit ransomware builder leaked online by angry developer https://www.bleepingcomputer.com/news/security/lockbit-ransomware-builder-leaked-online-by-angry-developer-/
The LockBit ransomware operation has suffered a breach, with an allegedly disgruntled developer leaking the builder for the gang’s newest encryptor. In June, the LockBit ransomware operation released version 3.0 of their encryptor, codenamed LockBit Black, after testing it for two months. The new version promised to ‘Make Ransomware Great Again,’ adding new anti-analysis features, a ransomware bug bounty program, and new extortion methods. However, it looks like LockBit has suffered a breach, with two people (or maybe the same person) leaking the LockBit 3.0 builder on Twitter.
Tomi Engdahl says:
American Airlines suffers data breach after phishing incident https://www.malwarebytes.com/blog/news/2022/09/american-airlines-suffers-data-breach-after-phishing-incident
Major airline American Airlines has fallen victim to a data breach after a threat actor got access to the email accounts of several employees via a phishing attack. According to a published notice of a security incident, the data breach was discovered in July 2022.
American Airlines said the successful phishing attack led to the unauthorized access of a limited number of team member mailboxes.
American Airlines discovered the breach on July 5, 2022 and immediately secured the impacted email accounts.
Tomi Engdahl says:
Okta: Credential stuffing accounts for 34% of all login attempts https://www.bleepingcomputer.com/news/security/okta-credential-stuffing-accounts-for-34-percent-of-all-login-attempts/
Credential stuffing attacks have become so prevalent in the first quarter of 2022 that traffic surpassed that of legitimate login attempts from normal users in some countries. This type of attack takes advantage of password recycling, which is the bad practice of using the same credential pairs (login name and password) across multiple sites. Once the credential are leaked or brute-forced from one site, threat actors perform a credential stuffing attack that attempts to use the same leaked credentials at other sites to gain access to users’ accounts.
Tomi Engdahl says:
Record 25.3 Billion Request Multiplexing Attack Mitigated by Imperva https://www.imperva.com/blog/record-25-3-billion-request-multiplexing-attack-mitigated-by-imperva/
On June 27, 2022, Imperva mitigated a single attack with over 25.3 billion requests, setting a new record for Impervas application DDoS mitigation solution. While attacks with over one million requests per second (RPS) arent new, weve previously only seen them last for several seconds to a few minutes. On June 27, Imperva successfully mitigated a strong attack that lasted more than four hours and peaked at 3.9 million RPS. The owner of the targeted site, a Chinese telecommunications company, is often targeted by large attacks. This specific site was targeted again two days later, although the attack was shorter in duration. We havent seen any similar attacks target this site since these two at the end of June.
Tomi Engdahl says:
Anonymous takes down Iranian government websites amid protests following death of Mahsa Amini https://therecord.media/anonymous-takes-down-iranian-government-websites-amid-protests-following-death-of-mahsa-amini/
Anonymous hackers have claimed to be behind attacks on several websites affiliated with the Iranian government amid protests following the death of 22-year-old Mahsa Amini. Several websites, including for the central bank and the national government portal and state-owned media sites, have been intermittently unreachable.
Tomi Engdahl says:
Critical Remote Hack Flaws Found in Dataprobe’s Power Distribution Units https://thehackernews.com/2022/09/critical-remote-hack-flaws-found-in.html
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday released an industrial control systems (ICS) advisory warning of seven security flaws in Dataprobe’s iBoot-PDU power distribution unit product, mostly used in industrial environments and data centers.
“Successful exploitation of these vulnerabilities could lead to unauthenticated remote code execution on the Dataprobe iBoot-PDU device,” the agency said in a notice. Credited with disclosing the flaws is industrial cybersecurity firm Claroty, which said the weaknesses could be remotely triggered “either through a direct web connection to the device or via the cloud.”
Tomi Engdahl says:
Unpatched 15-year old Python bug allows code execution in 350k projects https://www.bleepingcomputer.com/news/security/unpatched-15-year-old-python-bug-allows-code-execution-in-350k-projects/
A vulnerability in the Python programming language that has been overlooked for 15 years is now back in the spotlight as it likely affects more than 350,000 open-source repositories and can lead to code execution. Disclosed in 2007 and tagged as CVE-2007-4559, the security issue never received a patch, the only mitigation provided being a documentation update warning developers about the risk.
Tomi Engdahl says:
Prototype pollution bug in Chromium bypassed Sanitizer API https://portswigger.net/daily-swig/prototype-pollution-bug-in-chromium-bypassed-sanitizer-api
A prototype pollution bug in the Chromium project allowed attackers to bypass Sanitizer API, a built-in browser library for removing potentially malicious code from user-controlled input sources.
Prototype pollution is a type of JavaScript vulnerability that allows attackers to exploit the rules of the programming language to change an applications behavior and compromise it in various ways. Reported by security researcher Micha Bentkowski, the bug highlights the challenges of preventing client-side prototype pollution attacks.
Tomi Engdahl says:
Oracle Cloud at one point would let you access any other customer’s data https://www.theregister.com/2022/09/21/oracle_fixes_critical_cloud_vuln/
A “critical” Oracle Cloud Infrastructure vulnerability could have been exploited by any customer to read and write data belonging to any other OCI customer without any permission checks, according to Wiz security researchers. Luckily, upon disclosing the bug to Oracle, the IT giant patched the security hole “within 24 hours,” according to Wiz’s Elad Gabay. The good news is that the fix didn’t require any action on the part of customers.. Essentially, the flaw, as described by Wiz, could be exploited thus: if you knew the Oracle Cloud Identifier for another customers’ storage volume which is not a secret you could attach that volume to your own virtual machine in Oracle’s cloud as long as the volume wasn’t already attached or supported multi-attachment
Tomi Engdahl says:
https://www.securityweek.com/natos-team-albania-help-iran-alleged-cyberattack
Tomi Engdahl says:
Morgan Stanley to Pay $35M Fine for Exposing Information of Millions of Customers
https://www.securityweek.com/morgan-stanley-pay-35m-fine-exposing-information-millions-customers
Tomi Engdahl says:
Hundreds of eCommerce Domains Infected With Google Tag Manager-Based Skimmers
https://www.securityweek.com/hundreds-ecommerce-domains-infected-google-tag-manager-based-skimmers
Security researchers with Recorded Future have identified a total of 569 ecommerce domains infected with skimmers, 314 of which have been infected with web skimmers leveraging Google Tag Manager (GTM) containers.
A legitimate Google service typically used for marketing and usage tracking, GTM relies on containers for embedding JavaScript and other types of resources into websites, and cybercriminals are abusing GTM containers to have HTML or JavaScript code injected into the websites that use Google’s service.
“In most contemporary cases, the threat actors themselves create the GTM containers and then inject the GTM loader script configuration needed to load them into the e-commerce domains (as opposed to injecting malicious code into existing GTM containers that were created by the e-commerce website administrators),” Recorded Future notes.
All of the 569 ecommerce platforms infected with skimmers were associated in one way or the other with GTM abuse. While 314 have been infected with a GTM-based skimmer, data from the remaining 255 has been exfiltrated to domains associated with GTM container abuse.
As of August 2022, there were 87 ecommerce websites still infected with a GTM-based skimmer, with the total number of compromised payment cards likely in the hundreds of thousands range.
Tomi Engdahl says:
Hackers Steal $160 Million From Crypto Market Maker Wintermute
https://www.securityweek.com/hackers-steal-160-million-crypto-market-maker-wintermute
Cryptocurrency market maker Wintermute on Tuesday announced that hackers have stolen $160 million from its decentralized finance (DeFi) operation.
Founded in 2017, the London-based algorithmic trading firm trades billions of dollars across both centralized and decentralized cryptocurrency trading platforms.
The company says that the Tuesday hack impacted DeFi operations only, with the lending and over-the-counter (OTC) services unaffected.
“We’ve been hacked for about $160M in our defi operations. Cefi and OTC operations are not affected. We are solvent with twice over that amount in equity left,” Wintermute founder and CEO Evgeny Gaevoy announced on Twitter.
https://twitter.com/EvgenyGaevoy/status/1572134271011225601
Tomi Engdahl says:
iBoot Power Distribution Unit Flaws Allow Hackers to Remotely Shut Down Devices
https://www.securityweek.com/iboot-power-distribution-unit-flaws-allow-hackers-remotely-shut-down-devices
Critical vulnerabilities discovered by researchers in Dataprobe’s iBoot power distribution unit (PDU) can allow malicious actors to remotely hack the product and shut down connected devices, potentially causing disruption within the targeted organization.
The vulnerabilities affecting the iBoot-PDU product were identified by researchers at industrial cybersecurity firm Claroty, who found a total of seven issues, including ones allowing a remote, unauthenticated attacker to execute arbitrary code.
iBoot PDU vulnerabilitiesThe impacted PDU provides a web interface and a cloud platform for configuring the product and controlling each individual outlet for remote power management.
A 2021 report from Censys showed that there were more than 2,000 PDUs directly exposed to the internet and nearly one-third of them were iBoot PDUs.
In addition to showing that hackers could exploit these internet-exposed devices, the Claroty researchers showed that attackers could also reach devices that are not directly exposed to the web, through the cloud-based platform that provides access to the device’s management page.
Tomi Engdahl says:
Jumping NAT to Shut Down Electric Devices
https://claroty.com/team82/research/jumping-nat-to-shut-down-electric-devices
Executive Summary
Team82 has uncovered and disclosed multiple vulnerabilities in Dataprobe’s iBoot-PDU, the company’s intelligent power distribution unit product.
iBoot-PDU can be managed from any location via a web-based interface; devices that are not directly connected to the internet can also be managed via Dataprobe’s cloud-based platform.
Some of the vulnerabilities uncovered by Team82 can lead to unauthenticated remote code execution on the iBoot-PDU.
Team82 has also developed a means by which it can enumerate cloud-connected iBoot-PDU devices, expanding the available attack surface to all connected devices.
An attacker would be able to remotely exploit these vulnerabilities either through a direct web connection to the device or via the cloud.
This research is an extension of Team82’s previous work exploiting cloud-based OT devices. Read “Top-Down, Bottom-Up: Exploiting Vulnerabilities in the OT-Cloud Era” here.
Dataprobe has addressed these vulnerabilities in a new version update. Users are urged to update to Version 1.42.06162022. Dataprobe also recommends users disable SNMP, telnet, and HTTP, if not in use, as a mitigation against some of these vulnerabilities.
ICS-CERT has issued an advisory as well. Find it here.
ICS Advisory (ICSA-22-263-03)
Dataprobe iBoot-PDU
https://www.cisa.gov/uscert/ics/advisories/icsa-22-263-03
Tomi Engdahl says:
Onpas monimutkaimen uutinen. Joku pääsi murtautumaan sähköpostiin, mutta ei päässytkään murtautumaan mihinkään. Ja lisäksi saman sähköpostin olisi voinut lähettää väärennetysti jostain muualtakin murtautumatta mihinkään.
Rehtorin sähköpostiin murtauduttiin – ulkopuolinen taho ehti lähettää huijausviestejä 1 500 vastaanottajalle
https://yle.fi/uutiset/3-12634392?origin=rss
Ulkopuolinen taho lähetti viestejä rehtorin virkasähköpostista hämäävällä otsikolla. Kuhmoisten kunnalta vakuutetaan, ettei kunnan tietojärjestelmiin ole päästy sisälle.
Pirkanmaalla sijaitsevan Kuhmoisten kunnan julkaiseman tiedotteen mukaan ulkopuolinen taho oli päässyt kirjautumaan rehtorin sähköpostiin ja lähettänyt sähköposteja tuhansiin osoitteisiin. Viestien otsikkona on “Lastensuojeluilmoitus”, joka omalta osaltaan hämää vastaanottajia avaamaan viestin.
Tiedotteessa kehotetaan, ettei sähköpostia tai sen sisältämää linkkiä tulisi missään tapauksessa avata. Viestin vastaanottamisesta tulee myös ilmoittaa Kuhmoisten kunnan atk-tukeen.
Tomi Engdahl says:
Sergiu Gatlan / BleepingComputer:
Take-Two Interactive’s 2K, the publisher of Bioshock, Xcom, and popular sports games, says a hacker accessed its help desk and sent customers links to malware — American video game publisher 2K has confirmed that its help desk platform was hacked and used to target customers …
2K Games says hacked help desk targeted players with malware
https://www.bleepingcomputer.com/news/security/2k-games-says-hacked-help-desk-targeted-players-with-malware/
American video game publisher 2K has confirmed that its help desk platform was hacked and used to target customers with fake support tickets pushing malware via embedded links.
“Earlier today, we became aware that an unauthorized third party illegally accessed the credentials of one of our vendors to the help desk platform that 2K uses to provide support to our customers,” 2K’s support account tweeted on Tuesday after BleepingComputer broke the story on the security breach.
“The unauthorized party sent a communication to certain players containing a malicious link. Please do not open any emails or click on any links that you receive from the 2K Games support account.”
2K game support hacked to email RedLine info-stealing malware
https://www.bleepingcomputer.com/news/security/2k-game-support-hacked-to-email-redline-info-stealing-malware/
Tomi Engdahl says:
https://lakitieto.edita.fi/nain-ennaltaehkaiset-tietoturvaloukkauksia-tehokkaasti/
Tomi Engdahl says:
https://www.namecheap.com/blog/acquiring-a-great-domain-can-take-persistence/
Tomi Engdahl says:
Microsoft Teams vulnerability shows danger of collaboration apps
https://venturebeat.com/security/microsoft-teams-vulnerability-shows-danger-of-collaboration-apps/
Microsoft Teams is perhaps the biggest enterprise communication platform in the world. It rose to prominence during the COVID-19 pandemic as a key space for enterprise users to maintain productivity.
Teams has over 270 million monthly active users. The pandemic helped accelerate the platform’s reach from 75 million users in April 2020 to 115 million in October 2020, and 145 million in April 2021.
Tomi Engdahl says:
https://techcrunch.com/2022/09/14/microsoft-zero-day-windows/
Tomi Engdahl says:
Microsoft patches a new zero-day affecting all versions of Windows
https://techcrunch.com/2022/09/14/microsoft-zero-day-windows/
Microsoft has released security fixes for a zero-day vulnerability affecting all supported versions of Windows that has been exploited in real-world attacks.
The zero-day bug, tracked as CVE-2022-37969, is described as an elevation of privilege flaw in the Windows Common Log File System Driver, a subsystem used for data and event logging. The bug allows an attacker to obtain the highest level of access, known as system privileges, to a vulnerable device.
Microsoft says users running Windows 11 and earlier, and Windows Server 2008 and Windows Server 2012, are affected. Windows 7 will also receive security patches, despite falling out of support in 2020.
Tomi Engdahl says:
https://www.mikrobitti.fi/uutiset/windowsista-loytyi-niin-paha-haavoittuvuus-etta-jopa-tuen-ulkopuolelle-tipahtanut-windows-7-saa-korjauksen-koskee-myos-uudempia-versioita/d27e3587-1047-4a83-acc0-4a878b535f91
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/google-microsoft-can-get-your-passwords-via-web-browsers-spellcheck/
Tomi Engdahl says:
Avoimeen lähdekoodiin jää usein heikkouksia
https://etn.fi/index.php/13-news/14033-avoimeen-laehdekoodiin-jaeae-usein-heikkouksia
Avoimen lähdekoodin ohjelmistot ovat tärkeitä tekijöitä pilvipohjaisissa sovelluksissa, sillä ne mahdollistavat ohjelmistokehittäjille vapauden reagoida puutteisiin ja virheisiin nopeasti ja tehokkaasti. Avoimen lähdekoodin ohjelmistoissa on kuitenkin omanlaisia turvallisuusriskejä, selviää Palo Alto Networksin Unit 42 -tutkimusyksikön laatimasta vuoden 2021 toisen puoliskon uhkaraportista.
Raportin mukaan avoimeen lähdekoodiin jää usein tunnettuja heikkouksia ja puutteita, jotka asettavat organisaatiot alttiiksi ulkoisille uhille. Palo Alto Networks on kehittänyt ratkaisuksi alan ensimmäisen SCA-ohjelmistoanalyysityökalun. Se auttaa ohjelmistokehittäjiä käyttämään avoimen lähdekoodin ohjelmistoja turvallisesti.
Perinteiset SCA-ratkaisut ovat itsenäisiä tuotteita, jotka tekevät ahkerasti hälytyksiä uhkatilanteista. Niiltä kuitenkin puuttuu kyky reagoida tilanteisiin reaaliaikaisesti ongelman korjaamiseksi. Tuomalla SCA-analyysin osaksi Prisma Cloud -palvelua, kehittäjät ja turvallisuustiimit voivat toimia uhkien suhteen proaktiivisesti ja ennaltaehkäisevästi koko tuotteen ja palvelun käyttöiän ajan. Näin tunnettuihin järjestelmäheikkouksiin voidaan tehdä korjauksia ajoissa.
Tomi Engdahl says:
Turvallisuus tuli Bluetoothin ytimeen
https://etn.fi/index.php/tekniset-artikkelit/14031-turvallisuus-tuli-bluetoothin-ytimeen
Teollisuussovelluksissa on selvä kysyntä langattomille yhteyksille. Ratkaisuna ovat langattomiin sovelluksiin tarkoitetut tiheästi integroidut mikro-ohjaimet, joissa yhdistetään RF-radio ja ohjelmistopohjainen digitaalinen ohjaus. Vaikka tällaiset mikro-ohjaimet ovatkin yleistymässä markkinoilla, laitevalmistajien vaatimukset ovat samalla kasvaneet. He haluavat RF:n tarjoamien yhteysominaisuuksien lisäksi entistä parempia turvaominaisuuksia kaikilla tasoilla.
Jatkuva taistelu uusia kyberuhkia vastaan tarkoittaa, että kaikkien käytettävien alustojen osalta on mietittävä, miten niiden turvallisuus taataan tulevaisuudessakin. Tähän tarvitaan vankkoja alustoja, jotka tukevat turvallisia langattomasti tapahtuvia laiteohjelmiston päivityksiä (FOTA). Täysin integroidun RF-radion hyödyntäminen helpottaa turvallisuuden ylläpitoa, mutta se myös edustaa ilmeistä uutta hyökkäyspintaa tai -vektoria hakkereille.
Järjestelmätason turva mikro-ohjaimissa
Koska turvallisuus on perustavaa laatua oleva tarve, se on sisällytetty osaksi jopa laitetasoa. Toisin sanoen se on tehty osaksi itse prosessoria ja varustamalla laite lisätyillä turvaominaisuuksilla, jotka ovat hyökkääjien ulottumattomissa. Tällaisia ovat salausmenetelmien käyttö tunnistamisessa ja valtuuttamisessa sekä turvallinen salauksessa käytettävien avainten luominen, jakaminen ja tallentaminen.
Tällä tavoin toteutettuna on mahdollistaa laajentaa jo tarjolla olevien Bluetooth LE -protokollan turvaominaisuuksia esimerkiksi lisäämällä turvakäynnistys luottamuksen juuren (Root of Trust) avulla. Arm-ekosysteemissä tämä voidaan toteuttaa valitsemalla toteutukseen Arm TrustZone- ja CryptoCell-312 -turva-IP:t. Tällä tavoin voidaan lisätä turvaominaisuudet Arm Cortex -toteutuksiin, jotka perustuvat Armv8-M-käskykantaan. CryptoCell on suunniteltu toteuttamaan monia tärkeitä ominaisuuksia kuten todellisen satunnaislukugeneroinnin (TRNG), koodin salauksen ja datan valtuutuksen. Se tukee myös toimenpiteen palautuksen suojausta ja elinkaaren hallintaa, minkä on yleinen heikkous muissa IoT-laitteissa. Se tuottaa valtuutetun toimintaympäristön ja käyttää salausta sekä ohjelmistopäivitysten validointia.
Arm TrustZone suunniteltiin suojaamaan laitteistoa tukemalla fyysisesti eristettyjä alueita suunnittelussa, minkä ansiosta ohjelmisto- ja laitteistotason suoritukset tapahtuvat erillään. Yhdessä nämä teknologiat lisäävät turvallisuustasoa koko ratkaisun osalta.
Yhdistettynä Bluetooth LE:een näitä ominaisuuksia käyttäen voidaan parantaa verkkopalvelun turvallisuutta hyödyntämällä Bluetooth LE:n sijainninmäärityksen tarjoamia mahdollisuuksia. Teollisuuden IoT-sovelluksiin integroidaan enenevässä määrin kartoitus ja paikallistaminen, jolloin pystytään tarjoamaan lisäpalveluita kuten tavaroiden jäljitystä ja sisätiloissa tapahtuvaa navigointia. Paikallisten laitteiden turvallinen autentikointi niiden yrittäessä liittyä yksityiseen verkkoon on yksi esimerkki siitä, miten nämä toiminnot toimivat yhdessä.
Tomi Engdahl says:
Dhruv Mehrotra / Wired:
A look at anti-pornography “accountability apps” used by churches; two apps exploited Android’s accessibility permissions to monitor congregants’ every move
The Ungodly Surveillance of Anti-Porn ‘Shameware’ Apps
https://www.wired.com/story/covenant-eyes-anti-porn-accountability-monitoring-apps/
But Gracepoint did not leave the matter in God’s hands alone. At their next one-on-one the following week, Hao-Wei Lin says the church leader asked him to install an app called Covenant Eyes on his phone. The app is explicitly marketed as anti-pornography software, but according to Hao-Wei Lin, his church leader told him it would help “control all of his urges.”
Covenant Eyes is part of a multimillion-dollar ecosystem of so-called accountability apps that are marketed to both churches and parents as tools to police online activity. For a monthly fee, some of these apps monitor everything their users see and do on their devices, even taking screenshots (at least one per minute, in the case of Covenant Eyes) and eavesdropping on web traffic, WIRED found. The apps then report a feed of all of the users’ online activity directly to a chaperone—an “accountability partner,” in the apps’ parlance. When WIRED presented its findings to Google, however, the company determined that two of the top accountability apps—Covenant Eyes and Accountable2You—violate its policies.
The omnipotence of Covenant Eyes soon weighed heavily on Hao-Wei Lin, who has since left Gracepoint. Within a month of installing the app, he started receiving accusatory emails from his church leader referencing things he had viewed online. “Anything you need to tell me?”
Gracepoint, which focuses on colleges, claims to “serve students” on more than 70 campuses across the United States. According to emails between a Covenant Eyes representative and a former Gracepoint church leader that WIRED reviewed, the company said that in 2012 as many as 450 Gracepoint Church members were signed up to be monitored through Covenant Eyes.
“I wouldn’t quite call it spyware,” says a former member of Gracepoint who was asked to use Covenant Eyes and spoke on the condition of anonymity, due to privacy concerns. “It’s more like ‘shameware,’ and it’s just another way the church controls you.”
Similar to surveillance software like Bark or NetNanny, which is used to monitor children at home and school, “shameware” apps are lesser-known tools that are used to keep track of behaviors parents or religious organizations deem unhealthy or immoral. Fortify, for instance, was developed by the founder of an anti-pornography nonprofit called Fight the New Drug and tracks how often an individual masturbates in order to help them overcome “sexual compulsivity.” The app has been downloaded over 100,000 times and has thousands of reviews on the Google Play store.
The current iteration of the Covenant Eyes app was developed by Michael Holm, a former NSA mathematician who now serves as a data scientist for the company. The system is allegedly capable of distinguishing between pornographic and non-pornographic images. The software captures everything visible on a device’s screen, analyzing the images locally before slightly blurring them and sending them to a server to be saved. “Image-based pornography detection was a huge conceptual change for Covenant Eyes,” Holm told The Christian Post, an evangelical Christian news outlet, in 2019. “While I didn’t yet know it, God had put me in that place at that time for a purpose higher than myself, just as I and others had desired and prayed for.”
Covenant Eyes spokesperson Dan Armstrong says the company is “concerned” about “people being monitored without proper consent.”
Among the top accountability apps—including Accountable2You and EverAccountable—Covenant Eyes appears to be the largest player. The company organizes conferences that are attended by thousands of people and dedicated to educating attendees about the dangers of pornography while pitching the company’s product as an urgent solution to what it characterizes as a growing moral crisis. According to the app analytics firm AppFigures, in the past year more than 50,000 people have downloaded Covenant Eyes. Rocketreach estimates that the company has an annual revenue of $26 million.
What’s common across Covenant Eyes, Accountable2You, and EverAccountable is their zero-tolerance approach to pornography. All three suggest in their marketing materials that not only is watching porn a moral failure, but any amount of porn consumption is bad for your health. Their solution: Promote purity through what they call “radical accountability,” a concept wherein a community comes together to confront a person who is living in sin. At its most basic level, the idea is pretty straightforward: Why would anyone watch porn if they are going to have to talk to their parents or pastor about it?
While these apps claim to have helped many people overcome pornography addictions, experts who study sexual health are skeptical that the apps have a lasting positive effect. “I’ve never seen anyone who’s been on one of these apps feel better about themselves in the long term,” says Nicole Praus, a scientist at the University of California, Los Angeles, who studies the effects of pornography on the brain and the spread of disinformation on sexual health. “These people just end up feeling like there’s something wrong with them when the reality is that there likely isn’t.”
But Covenant Eyes and Accountable2You do much more than just police pornography. When WIRED downloaded, decompiled, and tested Covenant Eyes and Accountable2You, we found that both apps are built to collect, monitor, and report all sorts of innocent behavior. The applications exploited Android’s accessibility permissions to monitor almost everything someone does on their phone. While the accessibility functionalities are meant to help developers build out features that assist people with disabilities, these apps take advantage of such permissions to either capture screenshots of everything actively being viewed on the device or detect the name of apps as they’re being used and record every website visited in the device’s browser.
In Hao-Wei Lin’s case, that included his Amazon purchases, articles he read, and even which friends’ accounts he looked at on Instagram. The trouble is, according to Hao-Wei Lin, providing his church leader with a ledger of everything he did online meant his pastor could always find something to ask him about, and the way Covenant Eyes flagged content didn’t help. For example, in Covenant Eyes reports that Hao-Wei Lin shared with WIRED, his online psychiatry textbook was rated “Highly Mature,” the most severe category of content reserved for “anonymizers, nudity, erotica, and pornography.” The same was true of anything Hao-Wei Lin felt was “remotely gay,” like his Statigr.am searches.
After WIRED contacted Google about Covenant Eyes and Accountable2You, both apps were suspended from the Google Play store. “Google Play permits the use of the Accessibility API for a wide range of applications,”
Covenant Eyes and Accountable2You both remain available on iOS. While WIRED did not test the apps on Apple devices, neither app appears to utilize iOS’ accessibility permissions. Apple has not yet responded to a request for comment.
In our tests of Accountable2You prior to its suspension, we found that the software similarly flagged content with keywords like “gay” or “lesbian” in the URL.
“It’s really not about pornography,” says Brit, a former user of Accountable2You who asked to only be identified by her first name, due to privacy concerns. “It’s about making you conform to what your pastor wants.”
While accountability apps are largely marketed to parents and families, some also advertise their services to churches. Accountable2You, for example, advertises group rates for churches or small groups and has set up several landing pages for specific churches where members can sign up. Covenant Eyes, meanwhile, employs a director of Church and Ministry Outreach to help onboard religious organizations.
While WIRED found several churches recommending Fortify to their congregations, Olsen says neither Fortify nor Impact Suite count religious institutions as customers.
When WIRED tested the Fortify software, we found that the app also utilizes other technology to track users. For instance, because it includes Facebook’s Pixel, data related to Fortify’s masturbation-tracking form is sent to Facebook. While the data does not appear to include the contents of the tracking form, it does have metadata about the form itself, including when it was filled out. Facebook appears to store that data and, when possible, associates it with a user’s account.
Fortify’s inclusion of Facebook’s Pixel isn’t just a privacy issue, it’s a security problem. While testing the app, we also noticed that the password to our account was sent in plaintext to Facebook in the URL of the tracking requests. Facebook claims to have filtering mechanisms to prevent its systems from storing this type of personal information, but Fortify’s apparent oversight is still concerning to experts like Galperin. “That’s a huge vulnerability,” she says. “It’s the sort of behavior that makes me feel like they don’t have security experts reviewing the app or its policies.”
Facebook spokesperson Emil Vazquez says companies that share sensitive user data with the Meta-owned social media platform are violating its policies.
Hao-Wei Lin has since moved on from Gracepoint but is still processing the trauma he feels the church has caused him.
Churches are using invasive phone-monitoring tech to discourage “sinful” behavior. Some software is seeing more than congregants realize.
Tomi Engdahl says:
Rehtorin sähköpostiin murtauduttiin – ulkopuolinen taho ehti lähettää huijausviestejä 1 500 vastaanottajalle
https://yle.fi/uutiset/3-12634392
Kuhmoisten kunnan yhtenäiskoulun rehtorin Juha Nupposen virkasähköpostista on keskiviikkona 21. syyskuuta lähetetty huijausviestejä jopa 1 500 vastaanottajalle. Pirkanmaalla sijaitsevan Kuhmoisten kunnan julkaiseman tiedotteen mukaan ulkopuolinen taho oli päässyt kirjautumaan rehtorin sähköpostiin ja lähettänyt sähköposteja tuhansiin osoitteisiin. Viestien otsikkona on “Lastensuojeluilmoitus”, joka omalta osaltaan hämää vastaanottajia avaamaan viestin.
Tiedotteessa kehotetaan, ettei sähköpostia tai sen sisältämää linkkiä tulisi missään tapauksessa avata. Viestin vastaanottamisesta tulee myös ilmoittaa Kuhmoisten kunnan atk-tukeen.
Tomi Engdahl says:
Kuopion sote-työntekijät antavat voimakasta kritiikkiä kaupungille tietoturvaloukkauksesta – kaupunki: Vahingonkorvauksia saa hakea
https://yle.fi/uutiset/3-12635411
Useat tietoturvaloukkauksen kohteeksi joutuneet Kuopion kaupungin työntekijät vaativat tietoa siitä, keille henkilötiedot ovat levinneet.
Tomi Engdahl says:
Critical Magento vulnerability targeted in new surge of attacks https://www.bleepingcomputer.com/news/security/critical-magento-vulnerability-targeted-in-new-surge-of-attacks/
Researchers have observed a surge in hacking attempts targeting CVE-2022-24086, a critical Magento 2 vulnerability allowing unauthenticated attackers to execute code on unpatched sites. The
CVE-2022-24086 vulnerability was discovered and patched in February 2022, when threat actors were already exploiting it in the wild. At the time, CISA published an alert urging site admins to apply the available security update.
Tomi Engdahl says:
Control System Defense: Know the Opponent – Alert (AA22-265A) https://www.cisa.gov/uscert/ncas/alerts/aa22-265a
This joint Cybersecurity Advisory, which builds on previous NSA and CISA guidance to stop malicious ICS activity and reduce OT exposure, describes TTPs that malicious actors use to compromise OT/ICS assets.
It also recommends mitigations that owners and operators can use to defend their systems.
Tomi Engdahl says:
Noberus Ransomware: Darkside and BlackMatter Successor Continues to Evolve its Tactics https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/noberus-blackcat-ransomware-ttps
Attackers deploying the Noberus (aka BlackCat, ALPHV) ransomware have been using new tactics, tools, and procedures (TTPs) in recent months, making the threat more dangerous than ever. Among some of the more notable developments has been the use of a new version of the Exmatter data exfiltration tool, and the use of Eamfo, information-stealing malware that is designed to steal credentials stored by Veeam backup software.
Tomi Engdahl says:
Fake sites fool Zoom users into downloading deadly code https://www.theregister.com/2022/09/22/zoom_malware_infosteal_cyble/
Beware the Zoom site you don’t recognize, as a criminal gang is creating multiple fake versions aimed at luring users to download malware that can steal banking data, IP addresses, and other information.