This posting is here to collect cyber security news in September 2022.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
This posting is here to collect cyber security news in September 2022.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
411 Comments
Tomi Engdahl says:
Ask.FM database with 350m user records allegedly sold online https://cybernews.com/news/ask-fm-database-with-350m-user-records-sold-online/
A listing on a popular hacker forum offers 350 million Ask.FM user records for sale in what might be one of the biggest breaches of all time. The listing allegedly includes 350 million Ask.FM user records, with the threat actor also offering 607 repositories plus their Gitlab, Jira, and Confluence databases. Ask.FM is a question and answer network launched in June 2010, with over 215 million registered users.
Tomi Engdahl says:
Revealed: US Military Bought Mass Monitoring Tool That Includes Internet Browsing, Email Data https://www.vice.com/en/article/y3pnkw/us-military-bought-mass-monitoring-augury-team-cymru-browsing-email-data
The “Augury” platform includes highly sensitive network data that Team Cymru, a private company, is selling to the military. “It’s everything. There’s nothing else to capture except the smell of electricity, ” one cybersecurity expert said.
Tomi Engdahl says:
RAT Delivered Through FODHelper
https://isc.sans.edu/diary/rss/29078
I found a simple batch file that drops a Remcos[1] RAT through an old UAC Bypass technique. This technique is based on the “fodhelper” utility (“Features On Demand Helper”). Once launched, this tool will search for specific registry keys and, if present, will execute their content with high privileges.
The script, called “2.bat”, is very simple. Note that opened into a text editor, it will display Chinese characters due to the BOM (Byte Order Mark)
Tomi Engdahl says:
Malicious OAuth applications used to compromise email servers and spread spam https://www.microsoft.com/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/
This blog presents the technical analysis of this attack vector and the succeeding spam campaign attempted by the threat actor. It also provides guidance for defenders on protecting organizations from this threat, and how Microsoft security technologies detect it.
Tomi Engdahl says:
IT Security Takeaways from the Wiseasy Hack https://thehackernews.com/2022/09/it-security-takeaways-from-wiseasy-hack.html
Last month Tech Crunch reported that payment terminal manufacturer Wiseasy had been hacked. Although Wiseasy might not be well known in North America, their Android-based payment terminals are widely used in the Asia Pacific region and hackers managed to steal passwords for 140, 000 payment terminals.
Tomi Engdahl says:
https://www.securityweek.com/iranian-hackers-breached-albanian-government-one-year-disruptive-attacks
Tomi Engdahl says:
Oracle Cloud Infrastructure Vulnerability Exposed Sensitive Data
https://www.securityweek.com/oracle-cloud-infrastructure-vulnerability-exposed-sensitive-data
Cloud security company Wiz has published information on an Oracle Cloud Infrastructure (OCI) vulnerability allowing attackers to modify users’ storage volumes without authorization.
Referred to as #AttachMe and mentioned in Oracle’s July 2022 Critical Patch Update, the vulnerability could have exposed sensitive data to attackers knowing the victim’s Oracle Cloud Identifier (OCID).
“OCI customers could have been targeted by an attacker with knowledge of #AttachMe. Any unattached storage volume, or attached storage volumes allowing multi-attachment, could have been read from or written to as long as an attacker had its Oracle Cloud Identifier (OCID),” Wiz security researcher Elad Gabay explains.
Essentially, because of this vulnerability, cloud isolation in OCI no longer worked, allowing anyone to attach disks to virtual machines in other accounts, without requiring permissions.
Tomi Engdahl says:
Australian Telecoms Firm Optus Discloses Breach Impacting Customer Data
https://www.securityweek.com/australian-telecoms-firm-optus-discloses-breach-impacting-customer-data
Tomi Engdahl says:
Malwarebytes Raises $100 Million From Vector Capital
https://www.securityweek.com/malwarebytes-raises-100-million-vector-capital
Cybersecurity solutions provider Malwarebytes on Wednesday announced that it has received a $100 million minority investment from Vector Capital, which brings the total raised by the company to $180 million.
Founded in 2008, the Santa Clara, California-based company provides businesses and consumers with real-time threat detection and prevention solutions that leverage deep threat intelligence, artificial intelligence, and machine learning.
Malwarebytes says it will use the new funds to expand product portfolios, accelerate momentum with channel partners, and grow its managed service provider (MSP) business.
Tomi Engdahl says:
Twitter Logs Out Some Users Due to Security Issue Related to Password Resets
https://www.securityweek.com/twitter-logs-out-some-users-due-security-issue-related-password-resets
Twitter said on Wednesday that some users have been logged out of their active sessions in response to a bug that posed a security risk.
The issue was related to password resets — when users reset their password, their active sessions on Android and iOS devices were not closed. Impacted users have been directly notified.
“We learned of a bug that allowed some Twitter accounts to stay logged in on multiple mobile devices after a voluntary password reset. That means that if you proactively changed your password on one device, but still had an open session on another device, that session may not have been closed,” Twitter explained.
The company said users do not have to take any action — except to log back into their account if they were signed out — and noted that web sessions were not impacted. It explained that the bug was introduced last year as a result of a change to systems powering password resets.
Tomi Engdahl says:
Cyberattack Steals Passenger Data From Portuguese Airline
https://www.securityweek.com/cyberattack-steals-passenger-data-portuguese-airline
By Associated Press on September 22, 2022
Portugal’s national airline TAP Air Portugal says hackers obtained the personal data of some of its customers and have published the information on the dark web.
No payment data was taken in the cyberattack, the flag carrier said in a statement late Wednesday.
The attack began almost a month ago and is being investigated by Portuguese authorities, with the help of specialists from Microsoft, the airline said.
https://www.securityweek.com/ransomware-gang-claims-customer-data-stolen-tap-air-portugal-hack
Tomi Engdahl says:
15-Year-Old Python Vulnerability Present in 350,000 Projects Resurrected
https://www.securityweek.com/15-year-old-python-vulnerability-present-350000-projects-resurrected
Researchers at threat detection and response company Trellix have resurrected a 15-year-old Python vulnerability, showing that it’s more serious than initially believed and that it could affect hundreds of thousands of applications.
The vulnerability in question is CVE-2007-4559, initially described as a directory traversal vulnerability in Python’s ‘tarfile’ module that could allow an attacker to remotely overwrite arbitrary files by convincing users to process specially crafted tar archives.
The flaw was never properly patched and instead users were warned not to open archive files from untrusted sources.
The cybersecurity firm has released an open source tool, named Creosote, that can be used to scan projects for this tarfile vulnerability. With this tool they scanned public GitHub repositories and discovered 300,000 files containing the tarfile module, roughly 61% of which were vulnerable to attacks exploiting CVE-2007-4559.
https://github.com/advanced-threat-research/Creosote
Limiting the Software Supply Chain Attack Surface
https://www.trellix.com/en-us/about/newsroom/stories/research/limiting-the-software-supply-chain-attack-surface.html
https://nvd.nist.gov/vuln/detail/CVE-2007-4559
Directory traversal vulnerability in the (1) extract and (2) extractall functions in the tarfile module in Python allows user-assisted remote attackers to overwrite arbitrary files via a .. (dot dot) sequence in filenames in a TAR archive, a related issue to CVE-2001-1267.
Official Statement from Red Hat (10/15/2007)
Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=263261 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/
Tomi Engdahl says:
Uusi huijaus kiertää suojaukset ovelasti – varo tutulta tulevaa sähköpostia
Microsoftin 365 -tilejä kaapataan huijausviestien lähettämiseksi.
https://www.is.fi/digitoday/tietoturva/art-2000009089661.html
Suomessa on meneillään aktiivinen kampanja varsinkin julkishallinnon Microsoft 365 -sähköpostitilien kaappaamiseksi. Kalastelusta varoitti Microsoft-palveluita myyvän Digikuun perustaja Ville Kankare LinkedInissä.
– Tuossa alkoi iltapäivästä näkymään isossa joukossa asiakkaita aktiivista kalastelukampanjaa. Postit tulevat toisen organisaation ”tutulta” lähettäjältä, jonka tili on saatu korkattua ja näin ollen postit laitetaan matkaan 365:sta, Kankare kirjoitti keskiviikkona.
Lisäksi sähköpostit näyttävät täysin aidoilta isojen suomalaisten yritysten turvaposteilta, ja viestien logot luetaan samasta osoitteesta aitojen viestien kanssa.
Huijausviesteissä on linkki kalastelusovellukseen, joka tarjoaa lomaketta salasanojen ja käyttäjätunnusten varastamista varten. Sovellus toimii Microsoft Power Platformin (Portals) päällä, mikä Kankareen mukaan on uutta.
Tomi Engdahl says:
Alice Uribe / Wall Street Journal:
Australian telecom Optus suffers a cyberattack, potentially giving the hacker access to data on up to 9.8M customers, per the CEO; the police are investigating — Australian telecoms company says mass breach could have exposed birth dates, phone numbers and other personal data
Cyberattack on Optus Potentially Exposes Millions of Customer Accounts
https://www.wsj.com/articles/cyberattack-on-optus-potentially-exposes-millions-of-customer-accounts-11663920097?mod=djemalertNEWS
Australian telecoms company says mass breach could have exposed birth dates, phone numbers and other personal data
SYDNEY—A cyberattack on one of Australia’s largest telecoms companies could have accessed the personal information of as many as 9.8 million customers, in what one lawmaker called the most significant data breach in recent years.
Optus, an Australian unit of Singapore Telecommunications Ltd. , said it doesn’t yet know who was behind the cyberattack that could have exposed customer information dating back to 2017, including names, dates of birth and phone numbers. The company, which said it first became aware of the breach on Wednesday, said some identity documents might also have been compromised.
Kelly Bayer Rosmarin, Optus’s chief executive, said the access of 9.8 million customer accounts is a worst-case scenario as investigators seek to define the extent of the breach, which has been referred to the Australian Federal Police.
“We have reason to believe that the number is actually smaller than that, but we are working through reconstructing exactly what the attackers have received,” she said.
So far, the company hadn’t received any ransomware demands following the cyberattack, Ms. Bayer Rosmarin said.
“The IP address kept moving. It’s a sophisticated attack,” she said.
Australia has faced several attempts to access confidential data in recent years, prompting its leaders to increase investment to safeguard systems.
James Paterson, shadow minister for cybersecurity with the opposition Liberal Party, said the apparent theft of so much personal information from Optus was particularly concerning and called it the country’s most significant user-data breach in some time. “There’s certainly been other Australian-based companies that have been attacked, but none who hold so much personal detail of Australian users,” Mr. Paterson said in a radio interview with the Australian Broadcasting Corp.
Tomi Engdahl says:
Kommentti: Näin Suomi korkattiin – silmille vyöryneet katastrofit opettivat 4 asiaa https://www.is.fi/digitoday/tietoturva/art-2000009089256.html
Suomessa harjoiteltiin tällä viikolla yhteiskunnan toimintaa laajassa kyberhäiriötilanteessa. Harjoitukseen osallistui myös Ilta-Sanomien digitoimittaja Henrik Kärkkäinen.
KORKKAAMINEN on tietoturvaslangia ja tarkoittaa verkkopalvelun murtamista. Eli toimintaa, jota on nähty viime aikoina enemmän kuin ihan vähän Ukrainan ja Venäjän suunnilla.
Nuo kolme päivää olin Tieto22-harjoituksessa joka on osa Suomessa säännöllisesti järjestettävää varautumisharjoitusten sarjaa.
Huoltovarmuuskeskuksen järjestämä harjoitus oli iso. Siihen osallistui noin 120 organisaatiota ja vajaat 500 henkeä. Lisäksi mukana oli osallistujia Virosta ja Ruotsista.
Painopiste oli pankkialalla sekä elintarvike- ja vesihuollossa. Mukana oli myös energiayhtiöitä, it-palveluntarjoajia, mediaa, vakuutusyhtiöitä ja muuta kriittistä infrastruktuuria yhteiskunnan huoltovarmuuden kannalta tärkeiltä aloilta.
Harjoituksessa johdettiin virtuaali-Suomessa toimivia aidon kaltaisia organisaatioita, jotka joutuvat poikkeuksellisiin tilanteisiin. Uhkia oli sisäisiä ja ulkoisia, niin valtioita kuin rikollisia.
Katastrofi seurasi toistaan. Tilanne oli epäselvä ja muuttui koko ajan. Toimitusketjut alkoivat pettää.
Toimittajat soittelivat kriisiyrityksiin ja kyselevät, mikä on niiden tilanne. Sitä oli vaikea kertoa, kun johto ei tiennyt sitä itsekään. Samaan aikaan oli tehtävä päätöksiä.
EIHÄN se täydellisesti mennyt, mutta harjoitellessa saa mokaillakin.
Mutta eipä mennyt vahvasti muillakaan. Lopulta näytti siltä, että koko virtuaali-Suomi oli korkattu
Lopputulos oli kuitenkin se, että yhteiskunta säilytti kohtuullisesti toimintakykynsä.
Itselleni tärkeimmät opit kriisitilanteessa toimimisesta voi tiivistää neljään asiaan.
Työnjako. Kriisin keskellä olevassa organisaatiossa on oltava selvät vastuut ja keskinäinen ymmärrys siitä, kuka tekee mitäkin. Jokaiselle tehtävälle asialle nimetään vastuuhenkilö.
Sivuttaisviestintä. Harva toimiala on niin erityinen, ettei siellä olisi muitakin organisaatioilta. Kysy rehdisti kilpailijalta, miten heillä menee ja sopisiko tiedonvaihto.
Kaiken kirjaaminen. Kun toimitaan keskellä kriisiä, pidä tapahtumapöytäkirjaa. Kuka otti yhteyttä kehen ja milloin. Mitä tämä yhteydenotto poiki? Kun kaikki on dokumentoitu huolellisesti, se säästää paljon aikaa myöhemmin.
Kerro avoimesti julkisuuteen niin paljon kuin voit. Kun katastrofit alkavat, suut iskujen kohteessa menevät helposti suppuun. Kun tietoa ei ole, se korvautuu väärällä tiedolla ja huhuilla.
VENÄJÄN aloitettua täysmittaisen hyökkäyssodan moni on ihmetellyt, miksi se ei ole saanut Ukrainasta kuristusotetta hakkeroimalla.
Kyse ei ole siitä, etteikö Venäjä olisi yrittänyt. Yritystä on riittänyt, suurin osa vakavista yrityksistä on kuitenkin torjuttu.
Ja se on onnistunut, koska ukrainalaiset ovat harjoitelleet.
Suomalaisilla on etuoikeus harjoitella olosuhteissa, joissa tietokoneen voi sammuttaa harjoituspäivänkin päätteeksi.
Ja vaikka korkata oluen.
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/unpatched-15-year-old-python-bug-allows-code-execution-in-350k-projects/
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/microsoft/microsoft-outlook-is-disabling-teams-meeting-add-in-how-to-fix/
Tomi Engdahl says:
Tutkimus: Tietoturva-alan opiskelijoita ei valmistu riittävästi – koulutus ei myöskään vastaa työelämän tarvetta
https://www.mtvuutiset.fi/artikkeli/tutkimus-tietoturva-alan-opiskelijoita-ei-valmistu-riittavasti-koulutus-ei-myoskaan-vastaa-tyoelaman-tarvetta/8520286#gs.ct8b9m
Suomessa on pulaa kyberturva-alan osaajista, mutta oppilaitoksissa annettavan koulutuksen taso ei vastaa työelämän vaatimuksia.
Asia ilmenee Jyväskylän yliopiston loppukesällä julkaisemasta tutkimuksesta, jossa selvitettiin kyberturvallisuuden koulutusohjelman muutostarpeita.
Kyberturvaan panostaminen olisi vakuutus tulevaisuuteen
Liikenne- ja viestintäviraston (Traficom) alaisen Kyberturvallisuuskeskuksen mukaan muun muassa tekoälyä hyödyntävän automaatiotekniikan kehittyessä uudenlaiset tietoturvariskit kasvavat.
Suojelupoliisi on aiemmin kommentoinut, että Ukrainan sodan alettua tietoverkoissa tapahtuvan venäläisen teollisuusvakoilun uhka on kasvanut.
Lehdon mukaan kyberturvallisuuteen panostaminen olisi yritysten puolelta vakuutus tulevaisuuteen.
– Kustannukset onnistuneessa kyberhyökkäyksessä voivat olla satoja tuhansia, Lehto sanoo.
Kyberturvallisuusalan kattojärjestö FISC:in mukaan vuonna 2025 tarve olisi 15 000:lle alan osaajalle Suomessa.
Liikenne- ja viestintäministeriön kyberosaamistarvetta mittaavan kyselyn mukaan 73 prosenttia viranomaisista sekä elinkeinoelämän ja kolmannen sektorin toimijoista kokee merkittävää osaamispulaa. Tutkimuksesta ilmenee, että osaajapula on esteenä yrityskasvulle.
Suomen yrityksistä 35 prosenttia kokee osaajapulan olevan merkittävä yrityskasvun este. Vastaava luku esimerkiksi Britanniassa on 13 prosenttia.
Osaajien saaminen on pitkä prosessi
Vastauksena osaajapulaan opetusministeriö lisäsi korkeakoulujen tietojenkäsittelyn ja tietoliikenteen aloille yhteensä 325 aloituspaikkaa joulukuussa 2021.
Ammattiosaajien valmistuminen on kuitenkin pitkä prosessi.
– Koulutuksen lisääminen on pitkän aikajänteen ratkaisu. Nopea ratkaisu osaamisen vahvistamiseksi on lisäkoulutuksen antaminen niille, joilta tietopohjaa jo löytyy, opetus- ja kulttuuriministeriön ylijohtaja Atte Jääskeläinen sanoo.
Lehto arvioi koulutustilanteen parantamiseksi tarvittavien kustannusten olevan vuosittain noin 10 miljoonaa euroa.
Nato-jäsenyys toisi markkinoita
Puolustusliitto Naton jäsenyys toisi markkinoita suomalaisille kyberturvallisuusalan yrityksille. Liikenne- ja viestintäministeriön mukaan puolustusliitolla on suuret odotukset Suomen kyberosaamiselle.
– Naton päässä katsotaan, että olemme asian hoitaneet hyvin, ja heillä olisi opittavaa tästä, valtion kyberturvallisuusjohtaja Rauli Paananen sanoo.
Haittaohjelmiin osataan Suomessa puuttua ja varautua. Paanasen mukaan Naton odotuksiin vaikuttaa Microsoftin vuonna 2017 tekemä tietoturvatutkimus ja sitä aiemmat tilastot, joiden mukaan Suomessa on maailman puhtaimmat tietoliikenneverkot.
– Suomessa operaattorien tehtävänä on huolehtia verkkojen puhtaudesta, Paananen sanoo.
Kyberosaaminen näkyy myös käytännössä, mikä vaikuttaa Naton odotuksiin. Suomen joukkue voitti aiemmin keväällä maailman suurimman kyberpuolustusharjoituksen.
Tomi Engdahl says:
Someone ‘hacked’ a plane’s intercom and made ‘orgasm noises’ for the entire flight
https://www.indy100.com/viral/airplane-intercom-hack-noises-tiktok?utm_medium=Social&utm_source=Facebook#Echobox=1664015955
Multiple people on social media have reported hearing mysterious moaning and yelling noises coming through the intercom system on their flight with no indication where they are coming from.
“Weirdest flight ever,” Emerson Collins wrote in the caption of a TikTok video he posted on Thursday.
In the video, a man’s voice can be heard over the intercom moaning, screaming, and vocalizing in what Collins called “somewhere between an orgasm and vomiting”.
Although the TikToker thought the sounds could be coming from a passenger aboard the flight, he later said nobody, including the flight crew, knew where it was coming from.
Strangely Collins experience was not unique as other people on Twitter shared a similar anomaly on their flights
“Currently on AA1631 and someone keeps hacking into the PA and making moaning and screaming sounds the flight attendants are standing by their phones because it isn’t them and the captain just came on and told us they don’t think the flight systems are compromised so we will finish the flight to DFW”,” the tweet read.
https://twitter.com/xJonNYC/status/1571632831847354368
Tomi Engdahl says:
Anonymous Lays Waste To Russian Message Board, Releases Entire Database Online
https://www.smartnews.com/p/4462891498832136516?placement=article-preview&utm_campaign=sn_lid:4462891498832136516%7Csn_channel:cr_en_us_top
Even as Russia brings suffering and sorrow to the people of Ukraine, hacker-activists are trying to bring some pain to Russians inside Russia.
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/microsoft-sql-servers-hacked-in-targetcompany-ransomware-attacks/
Tomi Engdahl says:
The Mystery of Metador | An Unattributed Threat Hiding in Telcos, ISPs, and Universities https://www.sentinelone.com/labs/the-mystery-of-metador-an-unattributed-threat-hiding-in-telcos-isps-and-universities/
SentinelLabs researchers uncovered a never-before-seen advanced threat actor we’ve dubbed Metador’. Metador primarily targets telecommunications, internet service providers, and universities in several countries in the Middle East and Africa. In this post, we offer a short summary of our full findings, which include a detailed report, threat indicators, and an extensive Technical Appendix.
Tomi Engdahl says:
As unrest grows, Iran restricts access to Instagram, WhatsApp https://www.reuters.com/world/middle-east/iran-restricts-access-instagram-netblocks-2022-09-21/
Tomi Engdahl says:
OpIran – Anonymous Hits Iranian State Sites, Hacks Over 300 CCTV Cameras https://www.hackread.com/opiran-anonymous-iran-state-sites-cctv-camera-hack/
Here’s everything you want to know about Anonymous and its cyber attacks against the Iranian government for OpIran.
Tomi Engdahl says:
YouTube down: Live streams hit by worldwide outage https://www.bleepingcomputer.com/news/technology/youtube-down-live-streams-hit-by-worldwide-outage/
YouTube is currently experiencing a worldwide outage, with thousands of reports saying they cannot access live streams.
Tomi Engdahl says:
Huijarit pääsivät rehtorin sähköpostiin ja lähettivät “lastensuojeluilmoituksia” – poliisin mukaan epäilty rikos tehty ulkomailta
https://yle.fi/uutiset/3-12635696
Rikoskomisario Veli-Pekka Välisaari sanoo, että rikos on kirjattu poliisille. Rikoksen epäillään tapahtuneen ulkomailta käsin. – Periaatteessa kyse on tietomurrosta ja rikoksen tekopaikka on asianomaisen selvityksen mukaan ulkomailla. Tutkinta nimikkeenä on muu tutkinta, johtuen juuri tuosta rikoksen tekopaikasta, joka on ulkomailla, Välisaari kertoo Ylelle.
Tomi Engdahl says:
Tuhansien sote-työntekijöiden yksityisiä tietoja vuoti sähköpostijakeluun Kuopiossa – poliisille tehty rikosilmoitus
https://yle.fi/uutiset/74-20000299
Itä-Suomen poliisin mukaan tietoturvaloukkausta voi pitää vakanana asiana siinä mielessä, jos henkilöiden yksityiselämään liittyneitä tietoja on levinnyt muille.
Tomi Engdahl says:
Sophos warns of new firewall RCE bug exploited in attacks https://www.bleepingcomputer.com/news/security/sophos-warns-of-new-firewall-rce-bug-exploited-in-attacks/
Sophos warned today that a critical code injection security vulnerability in the company’s Firewall product is being exploited in the wild. “Sophos has observed this vulnerability being used to target a small set of specific organizations, primarily in the South Asia region, ” the security software and hardware vendor warned. The company says it has released hotfixes for Sophos Firewall versions affected by this security bug (v19.0 MR1 (19.0.1) and older) that will roll out automatically to all instances since automatic updates are enabled by default.
Tomi Engdahl says:
Chinese state media claims U.S. NSA infiltrated country’s telecommunications networks https://www.cnbc.com/2022/09/22/us-nsa-hacked-chinas-telecommunications-networks-state-media-claims.html
U.S. intelligence agency gained access to China’s telecommunications network after hacking a university, Chinese state media claimed Thursday. The U.S. National Security Agency used phishing a hacking technique where a malicious link is included in an email to gain access to the government funded Northwestern Polytechnical University, the Global Times alleged, citing an unnamed source. American hackers stole “core technology data including key network equipment configuration, network management data, and core operational data, ”
and other files, according to the Global Times.
Tomi Engdahl says:
CISA warns of critical ManageEngine RCE bug used in attacks https://www.bleepingcomputer.com/news/security/cisa-warns-of-critical-manageengine-rce-bug-used-in-attacks/
The Cybersecurity and Infrastructure Security Agency (CISA) has added a critical severity Java deserialization vulnerability affecting multiple Zoho ManageEngine products to its catalog of bugs exploited in the wild.
Tomi Engdahl says:
Microsoft SQL servers hacked in TargetCompany ransomware attacks https://www.bleepingcomputer.com/news/security/microsoft-sql-servers-hacked-in-targetcompany-ransomware-attacks/
Vulnerable Microsoft SQL servers are being targeted in a new wave of attacks with FARGO ransomware, security researchers are warning. The recommendation for MS-SQL server administrators is to make sure that they use strong enough and unique passwords. Additionally, keeping the machine up-to-date with the latest fixes for security vulnerabilities is advice that never goes out of fashion. also:
https://asec.ahnlab.com/en/39152/
Tomi Engdahl says:
Accused Russian RSOCKS Botmaster Arrested, Requests Extradition to U.S https://krebsonsecurity.com/2022/09/accused-russian-rsocks-botmaster-arrested-requests-extradition-to-u-s/
A 36-year-old Russian man recently identified by KrebsOnSecurity as the likely proprietor of the massive RSOCKS botnet has been arrested in Bulgaria at the request of U.S. authorities. At a court hearing in Bulgaria this month, the accused hacker requested and was granted extradition to the United States, reportedly telling the judge, “America is looking for me because I have enormous information and they need it.”
Tomi Engdahl says:
American Airlines learned it was breached from phishing targets https://www.bleepingcomputer.com/news/security/american-airlines-learned-it-was-breached-from-phishing-targets/
American Airlines says its Cyber Security Response Team found out about a recently disclosed data breach from the targets of a phishing campaign that was using an employee’s hacked Microsoft 365 account.
Tomi Engdahl says:
In the footsteps of the Fancy Bear: PowerPoint mouse-over event abused to deliver Graphite implants https://blog.cluster25.duskrise.com/2022/09/23/in-the-footsteps-of-the-fancy-bear-powerpoint-graphite/
Cluster25 researchers collected and analyzed a lure document used to implant a variant of Graphite malware, uniquely linked to the threat actor known as APT28 (aka Fancy Bear, TSAR Team). The lure document is a PowerPoint file that exploits a code execution technique, which is designed to be triggered when the user starts the presentation mode and moves the mouse. The code execution runs a PowerShell script that downloads and executes a dropper from OneDrive. The latter downloads a payload that extracts and injects in itself a new PE (Portable
Executable) file, that the analysis showed to be a variant of a malware family known as Graphite, that uses the Microsoft Graph API and OneDrive for C&C communications.
Tomi Engdahl says:
Australia’s Optus contacts customers caught in cyber attack https://www.reuters.com/technology/australias-optus-contacts-customers-caught-cyber-attack-2022-09-24/
Australia’s number two telecommunications company, Optus, said on Saturday it was contacting customers about a cyberattack that accessed personal details of up to 10 million customers, in one of Australia’s biggest cybersecurity breaches.
Tomi Engdahl says:
Covid antigen test results of 1.7m Indian and foreign nationals leaked online https://www.hackread.com/covid-antigen-test-results-india-leaked/
The exposed Elasticsearch server belongs to an Indian healthcare software company that has not secured the database despite being alerted.
Tomi Engdahl says:
Lawrence Abrams / BleepingComputer:NEW
UK police arrest and charge a 17-year-old with computer misuse and breaches of bail, believed to be related to the recent Uber and Rockstar hacks — The City of London police announced on Twitter today the arrest of a British 17-year-old teen suspected of being involved in recent cyberattacks.
UK Police arrests teen believed to be behind Uber, Rockstar hacks
https://www.bleepingcomputer.com/news/security/uk-police-arrests-teen-believed-to-be-behind-uber-rockstar-hacks/
The City of London police announced on Twitter today the arrest of a British 17-year-old teen suspected of being involved in recent cyberattacks.
In a short tweet shared by law enforcement, the teen was arrested in Oxfordshire as part of a hacking investigation supported by the UK’s National Crime Agency.
Researchers believe the arrest is tied to Lapsus$
While there are no details about the investigation, the arrest is believed to be tied to the Lapsus$ hacking group, which is suspected to be behind recent cyberattacks on Uber, Rockstar Games, and 2K.
During last year’s attacks, the Lapsus$ hacking group was said to be led by a threat actor named ‘White’ or ‘BreachBase,’ who was doxxed as allegedly a 16-year-old teen from the UK. This hacking group is responsible for numerous high-profile attacks, including Microsoft, Cisco, NVIDIA, Samsung, and Okta.
In April, the City of London Police arrested seven people aged 16 to 21, including the alleged 17-year-old ringleader. However, the UK soon released the two boys on bail as they were minors.
Last Thursday, Uber disclosed they were responding to a cyberattack after a hacker, known as ‘TeaPots,’ gained access to their Slack server and began posting screenshots of their access to other internal services.
Three days later, on Sunday, a threat actor calling themselves ‘teapotuberhacker’ began leaking previously unseen Grand Theft Auto 6 video footage and snippets of source code for GTA V and GTA VI on GTAforums.com.
This threat actor claimed that they breached Rockstar Game’s Slack and Confluence servers to steal the data and also said they were behind the recent attack on Uber.
The owner of the Breached hacking forum, pompompurin, was the first to claim claimed that White was behind the Rockstar Games and Uber attacks.
Soon after, Uber also attributed the attack to the Lapsus$ hacking group, which used MFA Fatigue attacks and other tactics that are known to be associated with this hacking group.
More recently, gaming company 2K also suffered a security breach, where the threat actor used their help desktop to send malware to customers.
Tomi Engdahl says:
Microsoft Issues Out-of-Band Patch for Flaw Allowing Lateral Movement, Ransomware Attacks
https://www.securityweek.com/microsoft-issues-out-band-patch-flaw-allowing-lateral-movement-ransomware-attacks
Microsoft this week released an out-of-band security update for its Endpoint Configuration Manager solution to patch a vulnerability that could be useful to malicious actors for moving around in a targeted organization’s network.
The vulnerability is tracked as CVE-2022-37972 and it has been described by Microsoft as a medium-severity spoofing issue. The tech giant has credited Brandon Colley of Trimarc Security for reporting the flaw.
In its advisory, Microsoft said there is no evidence of exploitation, but the vulnerability has been publicly disclosed.
Prajwal Desai has published a brief blog post describing the patch
The researcher expects a blog post detailing CVE-2022-37972 to only be published in November. However, he noted that it’s related to an issue described in a July blog post focusing on the attack surface of Microsoft System Center Configuration Manager (SCCM) client push accounts.
SCCM Hotfix KB15498768 NTLM connection Fallback Update
https://www.prajwaldesai.com/sccm-hotfix-kb15498768-ntlm-fallback-update/
Microsoft has released a new SCCM hotfix KB15498768 for versions 2103, 2107, 2111, 2203, and 2207 related to NTLM connection fallback. The KB15498768 update prevents any attempt at NTLM authentication for client push installation when the Allow connection fallback to NTLM option is disabled.
Disabling the Allow connection fallback to NTLM option in Client Push Installation Properties is not honored under either of the following condition:
If there are Kerberos authentication failures the client push account will attempt an NTLM connection instead.
The site server computer account will attempt a connection using NTLM if Kerberos authentication fails for all defined client push installation accounts.
Installation of KB15498768 update resolves the following security issue:
CVE-2022-37972
Beginning with Configuration Manager 2207, the Allow connection fallback to NTLM option is disabled by default on new site installations. It is recommended to disable this option in existing environments, where possible, to increase security.
Microsoft Endpoint Configuration Manager Spoofing Vulnerability
CVE-2022-37972
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-37972
Tomi Engdahl says:
New ‘Wolfi’ Linux Distro Focuses on Software Supply Chain Security
https://www.securityweek.com/new-wolfi-linux-distro-focuses-software-supply-chain-security
Chainguard this week announced Wolfi, a stripped-down Linux OS distribution designed to improve the security of the software supply chain.
Available on GitHub, the community Linux distribution was created specifically for use with containers and cloud-native applications, and supports Chainguard images, the firm’s collection of curated distroless images.
Wolfi (named after star-sucker pygmy octopus, the smallest known octopus), relies on the environment’s kernel (instead of having its own) to be widely adaptable, and brings support for both glibc and musl.
Wolfi
Wolfi OS github home.
https://github.com/wolfi-dev
Wolfi is a community Linux OS designed for the container and cloud-native era. Chainguard started the Wolfi project to enable building Chainguard Images, our collection of curated distroless images that meet the requirements of a secure software supply chain. This required a Linux distribution with components at the appropriate granularity and with support for both glibc and musl, something that was not yet available in the cloud-native Linux ecosystem.
Wolfi is a stripped-down distro designed for the cloud-native era. It doesn’t have a kernel of its own, instead relying on the environment (such as the container runtime) to provide one. This separation of concerns in Wolfi means it is adaptable to a range of environments.
Tomi Engdahl says:
BIND Updates Patch High-Severity Vulnerabilities
https://www.securityweek.com/bind-updates-patch-high-severity-vulnerabilities
The Internet Systems Consortium (ISC) this week announced the availability of patches for six vulnerabilities in the widely deployed BIND DNS software, all remotely exploitable.
Of the resolved security flaws, four have a severity rating of ‘high’. All four could be exploited to cause a denial-of-service (DoS) condition.
The first of these is CVE-2022-2906, a memory leak issue impacting “key processing when using TKEY records in Diffie-Hellman mode with OpenSSL 3.0.0 and later versions”, ISC explains in its advisory.
A remote attacker could exploit the bug to gradually erode available memory, leading to a crash. Because the attacker could exploit the vulnerability again after restart, “there is the potential to deny service”, ISC says.
Tracked as CVE-2022-3080, the second flaw may result in a crash of the BIND 9 resolver under certain conditions, when crafted queries are sent to the resolver.
CVE-2022-38177, ISC says, is a memory leak issue in the DNSSEC verification code for the ECDSA algorithm, which can be triggered by a signature length mismatch.
“By spoofing the target resolver with responses that have a malformed ECDSA signature, an attacker can trigger a small memory leak. It is possible to gradually erode available memory to the point where named crashes for lack of resources,” ISC explains.
The fourth high-severity bug addressed in BIND 9 is CVE-2022-38178, a memory leak impacting the DNSSEC verification code for the EdDSA algorithm, which can be triggered with malformed ECDSA signatures.
Updates were released for BIND 9.18 (stable branch), BIND 9.19 (development version), and BIND 9.16 (Extended Support Version).
BIND 9 Security Vulnerability Matrix
https://kb.isc.org/docs/aa-00913
Tomi Engdahl says:
https://www.securityweek.com/cisa-warns-zoho-manageengine-rce-vulnerability-exploitation
Tomi Engdahl says:
BIND Updates Patch High-Severity Vulnerabilities
https://www.securityweek.com/bind-updates-patch-high-severity-vulnerabilities
The Internet Systems Consortium (ISC) this week announced the availability of patches for six vulnerabilities in the widely deployed BIND DNS software, all remotely exploitable.
Of the resolved security flaws, four have a severity rating of ‘high’. All four could be exploited to cause a denial-of-service (DoS) condition.
The first of these is CVE-2022-2906, a memory leak issue impacting “key processing when using TKEY records in Diffie-Hellman mode with OpenSSL 3.0.0 and later versions”, ISC explains in its advisory.
A remote attacker could exploit the bug to gradually erode available memory, leading to a crash. Because the attacker could exploit the vulnerability again after restart, “there is the potential to deny service”, ISC says.
Tracked as CVE-2022-3080, the second flaw may result in a crash of the BIND 9 resolver under certain conditions, when crafted queries are sent to the resolver.
CVE-2022-38177, ISC says, is a memory leak issue in the DNSSEC verification code for the ECDSA algorithm, which can be triggered by a signature length mismatch.
“By spoofing the target resolver with responses that have a malformed ECDSA signature, an attacker can trigger a small memory leak. It is possible to gradually erode available memory to the point where named crashes for lack of resources,” ISC explains.
The fourth high-severity bug addressed in BIND 9 is CVE-2022-38178, a memory leak impacting the DNSSEC verification code for the EdDSA algorithm, which can be triggered with malformed ECDSA signatures.
Updates were released for BIND 9.18 (stable branch), BIND 9.19 (development version), and BIND 9.16 (Extended Support Version).
ISC says it’s not aware of any public exploits targeting these vulnerabilities.
On Thursday, the US Cybersecurity and Infrastructure Security Agency (CISA) encouraged users and administrators to review ISC’s advisories for these four security holes and to apply the available patches as soon as possible.
BIND 9 Security Vulnerability Matrix
https://kb.isc.org/docs/aa-00913
ISC Releases Security Advisories for Multiple Versions of BIND 9
https://www.cisa.gov/uscert/ncas/current-activity/2022/09/22/isc-releases-security-advisories-multiple-versions-bind-9
CISA encourages users and administrators to review the following ISC advisories CVE-2022-2906, CVE-2022-3080, CVE-2022-38177, and CVE-2022-38178 and apply the necessary mitigations.
Tomi Engdahl says:
Seagate Privilege Escalation
In a beautiful write-up, [x86matthew] shares a very simple exploit using Seagate Media Sync, to add an arbitrary service to a Windows machine. Media Sync uses the UI and Service paradigm, where a service runs as SYSTEM to do the heavy lifting, and a user-interface application runs as the logged-in user. A bit of sleuthing and debugging finds the format used for Inter Process Communication (IPC) is a simple named pipe. That pipe supports a handful of commands, but the most interesting one calls a function in the service, MXOSRVSetRegKey.
Exploiting a Seagate service to create a SYSTEM shell (CVE-2022-40286)
https://www.x86matthew.com/view_post?id=windows_seagate_lpe
Tomi Engdahl says:
OpenRazer Escalation — Almost
And because Linux exploitation deserves our love, too, the OpenRazer project had a similar exploitation issue recently fixed. For those not in the know, we Linux geeks like our clacky, LED lit, keyboards just as much as Windows users, but Razer sadly only publishes Windows drivers and tools. To fill the void, projects like OpenRazer re-implement the Razer LED control and other functions for Linux. Part of the OpenRazer project is an out-of-tree Linux kernel module, that allows some of the tricky USB communication bits used to talk to the on-device controllers
Colorful Vulnerabilities
https://www.cyberark.com/resources/threat-research-blog/colorful-vulnerabilities
Tomi Engdahl says:
Kyle Wiggers / TechCrunch:
Cloudflare announces Zero Trust SIM, a US-only, device-specific eSIM for iOS and Android that uses VPNs and DNS filtering, and Zero Trust for Mobile Operators — Are smartphones ever entirely secure? It depends on one’s definition of “secure,” particularly when dealing with corporate environments.
Cloudflare launches an eSIM to secure mobile devices
Kyle Wiggers
https://techcrunch.com/2022/09/26/cloudflare-launches-an-esim-to-secure-mobile-devices/?guccounter=1&guce_referrer=aHR0cHM6Ly93d3cudGVjaG1lbWUuY29tLw&guce_referrer_sig=AQAAAAL_cV47ZQs3mFuB_g7SscNUS3ULQdDoC4TjG8nrURPaY1BdQqe8YiP5shlEqTJG16oK-CvMGdmXln9kFfwMrROMuxo1IMlWryDsJxNwJFiinhVFmZe0LZUjEVwLz9Vb1s3bwwzo8YDpQFjELIjLWR75c2dMGjwhopaSMbjh4nr1
Tomi Engdahl says:
Telian palveluita nurin – tämä kaikki ei toimi https://www.is.fi/digitoday/art-2000009094846.html
Telian järjestelmävika vaikuttaa muun muassa verkkosivustoon, asiakasportaaliin ja mobiilivarmenteeseen
Tomi Engdahl says:
Ukraine warns allies of Russian plans to escalate cyberattacks https://www.bleepingcomputer.com/news/security/ukraine-warns-allies-of-russian-plans-to-escalate-cyberattacks/
The Ukrainian military intelligence service warned today that Russia is planning “massive cyber-attacks” targeting the critical infrastructure of Ukraine and its allies. also:
https://gur.gov.ua/en/content/okupanty-hotuiut-masovani-kiberataky-na-ob-iekty-krytychnoi-infrastruktury-ukrainy-ta-ii-soiuznykiv.html
Tomi Engdahl says:
Ukraine Arrests Cybercrime Group for Selling Data of 30 Million Accounts https://thehackernews.com/2022/09/ukraine-arrests-cybercrime-group-for.html
Ukrainian law enforcement authorities on Friday disclosed that it had “neutralized” a hacking group operating from the city of Lviv that it said acted on behalf of Russian interests. The group specialized in the sales of 30 million accounts belonging to citizens from Ukraine and the European Union on the dark web and netted a profit of $372,
000 (14 million UAH) through electronic payment systems like YooMoney, Qiwi, and WebMoney that are outlawed in the country.
Tomi Engdahl says:
BumbleBee: Round Two
https://thedfirreport.com/2022/09/26/bumblebee-round-two/
In this intrusion, we see the threat actor use BumbleBee to deploy Cobalt Strike and Meterpreter. The threat actor then used RDP and SMB to move around the network looking at backup systems and file shares before being evicted from the network.
https://malpedia.caad.fkie.fraunhofer.de/details/win.bumblebee
This malware is delivered by an ISO file, with an DLL inside with a custom loader. Because of the unique user-agent “bumblebee” this malware was dubbed BUMBLEBEE. At the time of Analysis by Google’s Threat Analysis Group (TAG) BumbleBee was observed to fetch Cobalt Strike Payloads.
Tomi Engdahl says:
NullMixer: oodles of Trojans in a single dropper https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/
NullMixer is a dropper leading to an infection chain of a wide variety of malware families. NullMixer spreads via malicious websites that can be found mainly via search engines. These websites are often related to crack, keygen and activators for downloading software illegally, and while they may pretend to be legitimate software, they actually contain a malware dropper.