Cyber security news September 2022

This posting is here to collect cyber security news in September 2022.

I post links to security vulnerability news in the comments of this article.

You are also free to post related links to comments.


  1. Tomi Engdahl says:

    Hunting for Unsigned DLLs to Find APTs
    Malware authors regularly evolve their techniques to evade detection and execute more sophisticated attacks. We’ve commonly observed one method over the past few years: unsigned DLL loading. Assuming that this method might be used by advanced persistent threats (APTs), we hunted for it. The hunt revealed sophisticated payloads and APT groups in the wild, including the Chinese cyberespionage group Stately Taurus (formerly known as PKPLUG, aka Mustang Panda) and the North Korean Selective Pisces (aka Lazarus Group).
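
The first step of a hunt like the one described above is separating DLLs that carry an embedded Authenticode signature from those that do not. The following Python script is an added example, not code from the Unit 42 research: it parses the PE headers by hand and checks whether the security data directory (index 4) is populated. The sample "DLLs" are constructed header-only images built by the script itself. Two caveats a practitioner needs: a populated entry only proves a signature blob is attached, not that it verifies (use `Get-AuthenticodeSignature` or WinVerifyTrust for that), and many Windows system DLLs are catalog-signed rather than embedded-signed, so they will also show up as "unsigned" here and must be checked against the catalog store before being treated as suspicious.

```python
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # Authenticode certificate table (data directory index 4)


def build_minimal_pe(signed: bool, pe32plus: bool = True) -> bytes:
    """Constructed header-only PE image (not a real DLL) for exercising the checker.

    When ``signed`` is True a zero-filled stand-in for the WIN_CERTIFICATE blob is
    appended and the security directory entry points at it.
    """
    magic = 0x20B if pe32plus else 0x10B
    dir_offset = 112 if pe32plus else 96            # first data directory inside the optional header
    num_dirs = 16
    opt_size = dir_offset + num_dirs * 8
    e_lfanew = 0x40
    header_len = e_lfanew + 4 + 20 + opt_size       # DOS stub + "PE\0\0" + COFF header + optional header
    cert_blob = b"\x00" * 64 if signed else b""

    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF: Machine, NumberOfSections, TimeDateStamp, PtrToSymTab, NumSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, 0x2022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, dir_offset - 4, num_dirs)   # NumberOfRvaAndSizes
    if signed:
        struct.pack_into("<II", opt, dir_offset + IMAGE_DIRECTORY_ENTRY_SECURITY * 8,
                         header_len, len(cert_blob))
    return dos + b"PE\x00\x00" + coff + bytes(opt) + cert_blob


def has_authenticode_signature(data: bytes) -> bool:
    """True if the PE carries a non-empty security directory entry (an attached signature blob).

    Raises ValueError for anything that is not a parseable PE so callers can keep
    malformed candidates apart from plainly unsigned ones.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (size_of_opt,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:
        dir_off = opt + 96
    elif magic == 0x20B:
        dir_off = opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    (num_dirs,) = struct.unpack_from("<I", data, dir_off - 4)
    entry = dir_off + IMAGE_DIRECTORY_ENTRY_SECURITY * 8
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY or entry + 8 > opt + size_of_opt:
        return False                                # no room for a security entry at all
    # For the security directory the first field is a raw file offset, not an RVA.
    offset, size = struct.unpack_from("<II", data, entry)
    if offset == 0 or size == 0:
        return False
    if offset + size > len(data):
        raise ValueError("security directory points outside the file")
    return True


def find_unsigned(samples: dict) -> list:
    """Return names of candidates that are unsigned or not parseable (both deserve a look)."""
    hits = []
    for name, blob in samples.items():
        try:
            if not has_authenticode_signature(blob):
                hits.append(name)
        except (ValueError, struct.error) as exc:
            hits.append(f"{name} (malformed: {exc})")
    return hits


# Constructed candidates standing in for DLLs collected from a host.
SAMPLES = {
    "vendor.dll": build_minimal_pe(signed=True),
    "dropper.dll": build_minimal_pe(signed=False),
    "legacy32.dll": build_minimal_pe(signed=True, pe32plus=False),
    "notes.txt": b"not a PE at all",
}

if __name__ == "__main__":
    for hit in find_unsigned(SAMPLES):
        print("review:", hit)
```

On a real host you would feed `find_unsigned` the bytes of every DLL loaded into a process of interest and then cross-check the "unsigned" set against catalog signatures before escalating.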

  2. Tomi Engdahl says:

    Adware on Google Play and Apple Store installed 13 million times
    Security researchers have discovered 75 applications on Google Play and another ten on Apple’s App Store engaged in ad fraud.
    Collectively, they add up to 13 million installations.

  3. Tomi Engdahl says:

    TAP Air Portugal confirms hack, as Ragnar Locker gang leaks data – including that of Portuguese president
    Politicians including Portuguese president Marcelo Rebelo de Sousa are amongst those who have had their personal information leaked following an attack by the notorious Ragnar Locker gang against the country’s national airline TAP.

  4. Tomi Engdahl says:

    Hackers Leak French Hospital Patient Data in Ransom Fight

    Hackers who crippled a French hospital and stole a trove of data last month have released personal records of patients online, officials have confirmed.

    The cyberattackers demanded a multimillion dollar ransom from the Corbeil-Essonnes hospital near Paris a month ago, but the institution refused to pay.

    The hospital said the hackers had now dumped medical scans and lab analyses along with the national security numbers of patients.

    “I condemn in the strongest possible terms the unspeakable disclosure of hacked data,” health minister Francois Braun tweeted on Sunday.

    Hospitals around the world have been facing increasing attacks from ransomware groups, particularly since the pandemic stretched resources to breaking point.

  5. Tomi Engdahl says:

    Angus Whitley / Bloomberg:
    As the Optus hacker appears to release data of 10,000 customers, Optus CEO Kelly Bayer Rosmarin says the Australian police are investigating a ransom demand

    Ransom Demand Probed After Data Hack, Australia’s Optus Says
    Hack exposed personal details of up to 10 million customers
    Optus faces growing pressure from customers, government

  6. Tomi Engdahl says:

    Authority warns of scams written in good Finnish
    The text-message scams that keep reaching Finns’ phones show up, among other things, as claims about a package delivery and problems related to it. Such messages are now circulating in large numbers again.

  7. Tomi Engdahl says:

    The cause of Telia’s problems is a mystery – try this trick if the pages don’t work
    A fault originating in Telia’s systems brought services down, prevented use of the Minun Telia customer portal and limited customer service’s ability to operate. The fault also affected the mobile certificate service and the Prepaid top-up app. THE PROBLEMS were fixed without it being known, even now, exactly what caused them. “It apparently relates to settings in the cloud environment’s architecture that had in some way been steering the system’s network traffic there. A lot of different system restarts were done there, and that is apparently how the bottleneck was found,” Saxén explains.

  8. Tomi Engdahl says:

    Purported Optus hacker releases 10,000 records including email addresses from defence and prime minister’s office
    On Monday night, the purported attacker released a text file of 10,000 records, promising to leak 10,000 each day for the next four days unless Optus pays them $1m. The released records include email addresses from the Department of Defence and the Office of the Prime Minister and Cabinet. On Tuesday morning, the purported attacker deleted the original post with the links to the data and apologised for attempting to sell the data. They claimed to have deleted their copy of the data.

  9. Tomi Engdahl says:

    New Erbium password-stealing malware spreads as game cracks, cheats
    The new ‘Erbium’ information-stealing malware is being distributed as fake cracks and cheats for popular video games to steal victims’ credentials and cryptocurrency wallets. Erbium is a new Malware-as-a-Service (MaaS) that provides subscribers with a new information-stealing malware that is gaining popularity in the cybercrime community thanks to its extensive functionality, customer support, and competitive pricing.

  10. Tomi Engdahl says:

    North Korea’s Lazarus Hackers Targeting macOS Users Interested in Crypto Jobs
    The infamous Lazarus Group has continued its pattern of leveraging unsolicited job opportunities to deploy malware targeting Apple’s macOS operating system.

  11. Tomi Engdahl says:

    More Than Meets the Eye: Exposing a Polyglot File That Delivers IcedID
    Unit 42 recently observed a polyglot Microsoft Compiled HTML Help (CHM) file being employed in the infection process used by the information stealer IcedID. We will show how to analyze the polyglot CHM file and the final payload so you can understand how the sample evades detection.

  12. Tomi Engdahl says:

    Meta dismantles massive Russian network spoofing Western news sites
    Meta says it took down an extensive network of Facebook and Instagram accounts pushing disinformation published on more than 60 websites that spoofed multiple legitimate news sites across Europe. This influence network mainly targeted Germany, France, Italy, Ukraine, and the U.K., with original articles arguing that Western sanctions on Russia would backfire and criticizing Ukraine and Ukrainian refugees.

  13. Tomi Engdahl says:

    Bridge firewalling “bypass” using VLAN 0
    L2 networks are insecure by default, vulnerable to ARP, DHCP, and Router Advertisement spoofing, to name a few. Over the years security mechanisms have been implemented to detect and/or stop those attacks.
    As usual when you try to filter anything, you MUST use an allow list approach, else you risk letting some unwanted traffic go through. I was not able to find anything about VLAN 0 attacks, so this might be a novel attack.

  14. Tomi Engdahl says:

    Google, Apple Remove ‘Scylla’ Mobile Ad Fraud Apps After 13 Million Downloads

    Cybersecurity firm Human has discovered and disrupted a mobile ad fraud campaign involving 89 mobile applications with a total download count of 13 million.

    Dubbed Scylla, the campaign is the third adaptation of Poseidon, a fraud operation that was initially identified in 2019. Charybdis, the second iteration of the campaign, was observed in 2020.

    As part of the new, still ongoing attack, Human has identified a total of 80 Android and 9 iOS applications that engaged in ad fraud through app spoofing, hidden ads, and fake clicks.

    The applications contained obfuscated code similar to Charybdis and, just as that attack adaptation, targeted advertising software development kits (SDKs), Human explains.

    Some of the Scylla apps contained code to pose as other, completely different applications in front of advertisers and ad tech companies. Human identified 29 Android apps pretending to be over 6,000 CTV-based applications, to bring higher advertising proceeds compared to mobile games.

    Poseidon’s Offspring: Charybdis and Scylla

  15. Tomi Engdahl says:

    New Infostealer Malware ‘Erbium’ Offered as MaaS for Thousands of Dollars

    Security researchers are warning of a new information stealer named Erbium being distributed under the Malware-as-a-Service (MaaS) model.

    The threat made its initial appearance in late July, when a Russian speaking threat actor started advertising it on a dark web forum.

    Initially, the developer was offering Erbium for up to $150 for a one-year license, but they are now requesting a minimum of $100 for a month of usage and thousands of dollars for the year-long license.

  16. Tomi Engdahl says:

    Represented by Clarkson Law Firm, two Samsung users have filed a class action lawsuit against the electronics manufacturer over the two data breaches the company has suffered in 2022.

  17. Tomi Engdahl says:

    Two Remote Code Execution Vulnerabilities Patched in WhatsApp

    WhatsApp has patched two serious vulnerabilities that could be exploited for remote code execution.

    WhatsApp only has three security advisories for 2022, with the first two released in January and February. The latest advisory, released this month, informs customers of two memory-related issues affecting the WhatsApp mobile applications.

    One of the flaws, tracked as CVE-2022-36934 and rated ‘critical’, is an integer overflow issue that affects WhatsApp for Android prior to, Business for Android prior to, iOS prior to, and Business for iOS prior to

    According to WhatsApp, an attacker can exploit the vulnerability for remote code execution during a video call.

    The second issue, a high-severity flaw tracked as CVE-2022-27492, is an integer underflow that can be exploited for remote code execution by sending a specially crafted video file to the targeted user. It has been patched in WhatsApp for Android and iOS with the release of versions and, respectively.

  18. Tomi Engdahl says:

    Ukraine Says Russia Planning ‘Massive Cyberattacks’ on Critical Infrastructure

    The Ukrainian government says it is bracing to deal with “massive cyberattacks” from Russian hackers against critical infrastructure targets in the energy sector.

    In a brief statement released Monday, Ukraine’s defense intelligence agency warned that Kremlin-backed hackers are planning to carry out massive cyberattacks on the critical infrastructure facilities of Ukrainian enterprises.

    The agency also accused Russia of planning cyberattacks on critical infrastructure institutions of Ukraine’s allies, primarily Poland and the Baltic States.

    “First of all, [the] attacks will be aimed at enterprises in the energy sector. The experience of cyberattacks on Ukraine’s energy systems in 2015 and 2016 will be used when conducting operations,” the defense intelligence agency said.

  19. Tomi Engdahl says:

    Australian police were investigating a purported hacker’s release of the stolen personal data of 10,000 Optus customers and demand for a $1 million ransom in cryptocurrency, the telecommunications company’s chief executive said Tuesday.

  20. Tomi Engdahl says:

    Cyberattack on Kone – the Uber and GTA hacker is suspected

  21. Tomi Engdahl says:

    Elevator company Kone has been the target of a cyberattack – the same hacker may be behind the attacks on taxi service Uber and the game company
    The claim that the same perpetrator is involved comes from the Twitter account of vx-underground, which maintains a malware library. The company does not comment on the suspected perpetrator. According to Kone’s communications manager Gia Forsman-Härkönen, the company was targeted by a security attack in mid-September, at around the same time a hacker on Twitter said they had obtained Kone’s corporate data. According to Forsman-Härkönen, the attack was noticed very quickly, and Kone was able to contain it. “The attacker obtained work-related documents of a few Kone employees, but the information has not been sensitive,” Forsman-Härkönen says.

  22. Tomi Engdahl says:

    Australia asks FBI to help find attacker who stole data from millions of users
    Attorney general Mark Dreyfus yesterday revealed the FBI was asked to help identify the entities involved in the attack, which saw Optus leak data describing over ten million account holders. Data suspected to have been accessed included drivers licence details, passport numbers, email addresses and phone numbers.

  23. Tomi Engdahl says:

    Scammers use Queen’s death to steal passwords
    However, this Queen-inspired scam has been designed to allow scammers to get round MFA too. Using a tool called EvilProxy, the cybercriminals are also able to capture the MFA token that accompanies their victim’s login credentials. Once they have the username, password and MFA token, they are able to take complete control of the user’s Microsoft account. Hackers can read email, access files stored in OneDrive and use the account to commit identity theft or fraud.

  24. Tomi Engdahl says:

    Hacker Groups take to Telegram, Signal and Darkweb to assist Protestors in Iran
    Check Point Research (CPR) sees multiple hacker groups using Telegram, Signal and the darkweb to aid anti-government protestors in Iran bypass regime restrictions. Key activities are data leaking and selling, including officials’ phone numbers and emails, and maps of sensitive locations. CPR sees the sharing of open VPN servers to bypass censorship and reports on the internet status in Iran, as well as the hacking of conversations and guides. CPR is sharing five examples with visuals of activities currently happening.

  25. Tomi Engdahl says:

    Cyber Criminals Using Quantum Builder Sold on Dark Web to Deliver Agent Tesla Malware
    A recently discovered malware builder called Quantum Builder is being used to deliver the Agent Tesla remote access trojan (RAT). “This campaign features enhancements and a shift toward LNK (Windows shortcut) files when compared to similar attacks in the past,” Zscaler ThreatLabz researchers Niraj Shivtarkar and Avinash Kumar said in a Tuesday write-up. Sold on the dark web for $189 a month, Quantum Builder is a customizable tool for generating malicious shortcut files as well as HTA, ISO, and PowerShell payloads to deliver next-stage malware on the targeted machines, in this case Agent Tesla.

  26. Tomi Engdahl says:

    Hackers sent racist push notifications; business magazine shut down its website
    The hackers got into Fast Company’s systems through WordPress.

    Two identical, offensive push notifications were sent in business magazine Fast Company’s name on Apple’s Apple News service. The incident occurred in the early hours of Wednesday, Finnish time.

  27. Tomi Engdahl says:

    New Malware Variants Serve Bogus CloudFlare DDoS Captcha
    The attack is simple: when browsing an infected website, the user receives a notification that insists they must download a file to continue to access the content. What they don’t know is that the file is actually a Remote Access Trojan which gives the attackers full access to their system, and is likely paving the way for a ransomware or banking account attack.

  28. Tomi Engdahl says:

    Serious vulnerabilities in Matrix’s end-to-end encryption are being patched
    Developers of the open source Matrix messenger protocol are releasing an update on Thursday to fix critical end-to-end encryption vulnerabilities that subvert the confidentiality and authentication guarantees that have been key to the platform’s meteoric rise. Matrix is a sprawling ecosystem of open source and proprietary chat and collaboration clients and servers that are fully interoperable. The best-known app in this family is Element, a chat client for Windows, macOS, iOS, and Android, but there’s a dizzying array of other members as well.

  29. Tomi Engdahl says:

    Chrome 106 Patches High-Severity Vulnerabilities
    Google this week announced the release of Chrome 106 to the stable channel with patches for 20 vulnerabilities, including 16 reported by external researchers.
    Of the externally reported security bugs, five are rated ‘high’ severity, eight are ‘medium’ severity, and three are ‘low’ severity.
    Half of these vulnerabilities are use-after-free bugs, which could lead to arbitrary code execution, denial of service, or data corruption. If combined with other vulnerabilities, the bugs could be exploited to achieve full system compromise.
    In Chrome, use-after-free flaws can often be exploited for sandbox escapes, and Google earlier this month announced improved protections against the exploitation of these security holes.
    Of the five high-severity issues that Chrome 106 resolves, four are use-after-free vulnerabilities impacting three browser components, namely CSS, Survey, and Media. The fifth is an insufficient validation of untrusted input in Developer Tools.

  30. Tomi Engdahl says:

    Fast Company Hack Impacts Website, Apple News Account

    American business magazine Fast Company has confirmed that its Apple News account was hijacked after hackers compromised its content management system (CMS).

    The monthly magazine focuses on business, technology, and design. In addition to its online version, the magazine publishes six print issues each year.

    On Tuesday evening, Apple News took to Twitter to announce that Fast Company’s account was suspended after hackers had used it to post two offensive messages.

    “An incredibly offensive alert was sent by Fast Company, which has been hacked. Apple News has disabled their channel,” Apple News said.

    A few hours later, Fast Company confirmed via Twitter that its Apple News account was hijacked after hackers had gained access to its CMS.

  31. Tomi Engdahl says:

    L2 Network Security Control Bypass Flaws Impact Multiple Cisco Products

    Cisco this week has confirmed that tens of its enterprise routers and switches are impacted by bypass vulnerabilities in the Layer-2 (L2) network security controls.

    An attacker can bypass the controls provided by these enterprise devices by sending crafted packets that would trigger a denial-of-service (DoS) or allow them to perform a man-in-the-middle (MitM) attack.

    A total of four medium-severity security issues were found in the L2 network security controls, in the Ethernet encapsulation protocols, the CERT Coordination Center (CERT/CC) at the Carnegie Mellon University notes in an advisory.

    Tracked as CVE-2021-27853, CVE-2021-27854, CVE-2021-27861 and CVE-2021-27862, each of these vulnerabilities represents a different type of bypass of Layer 2 network packet inspection functionality.

    The bugs allow for stacking of virtual local area network (VLAN) headers and 802.2 LLC/SNAP headers, enabling an attacker to bypass a device’s various filtering capabilities, including IPv6 RA Guard, Dynamic ARP inspection, and IPv6 Neighbor Discovery (ND) protection.

    “An attacker can bypass security controls and deceive a locally connected target host to route traffic to arbitrary destinations. Victim devices experience either a DoS (blackholing traffic) or MitM (observing the unencrypted traffic and maybe breaking encryption),” CERT/CC’s advisory reads.

    CERT/CC says that more than 200 vendors have been warned of these vulnerabilities, but that only two of them have confirmed impact, namely Cisco and Juniper Networks.
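
Both the VLAN 0 write-up in comment 13 and the CERT/CC advisory above describe the same root cause: a filter that classifies a frame by the EtherType at offset 12 never sees an IPv6 Router Advertisement that arrives behind an 802.1Q tag with VID 0 or behind an 802.3 LLC/SNAP header. The following Python script is an added example, not code from either source: it builds the three framings from constructed bytes and compares a naive RA filter with one that peels every encapsulation it understands and drops whatever it cannot classify, which is the allow-list behaviour comment 13 recommends. The MAC and IPv6 addresses are constructed, and the ICMPv6 checksum is left at zero because nothing here validates it.

```python
import struct

ETH_P_IPV6 = 0x86DD
VLAN_TPIDS = {0x8100, 0x88A8, 0x9100}            # 802.1Q, 802.1ad (QinQ) and the legacy QinQ TPID
LLC_SNAP_PREFIX = b"\xaa\xaa\x03\x00\x00\x00"     # DSAP/SSAP 0xAA, UI control byte, zero OUI
IPPROTO_ICMPV6 = 58
ICMPV6_ROUTER_ADVERT = 134

DST = bytes.fromhex("333300000001")   # multicast MAC for ff02::1 (all nodes)
SRC = bytes.fromhex("020000000001")   # constructed locally administered address


def build_ipv6_ra() -> bytes:
    """Constructed IPv6 base header + ICMPv6 Router Advertisement (checksum left zero)."""
    icmp = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERT, 0, 0, 64, 0, 1800, 0, 0)
    ipv6 = (struct.pack("!IHBB", 0x60000000, len(icmp), IPPROTO_ICMPV6, 255)
            + bytes.fromhex("fe80000000000000000000000000dead")    # src fe80::dead
            + bytes.fromhex("ff020000000000000000000000000001"))   # dst ff02::1
    return ipv6 + icmp


def frame_untagged(payload: bytes) -> bytes:
    return DST + SRC + struct.pack("!H", ETH_P_IPV6) + payload


def frame_vlan0(payload: bytes, tags: int = 1) -> bytes:
    """Wrap the payload in one or more 802.1Q tags with VID 0 (a priority-tagged frame)."""
    tag = struct.pack("!HH", 0x8100, 0x0000)
    return DST + SRC + tag * tags + struct.pack("!H", ETH_P_IPV6) + payload


def frame_llc_snap(payload: bytes) -> bytes:
    """802.3 length field followed by an LLC/SNAP header that carries the IPv6 EtherType."""
    body = LLC_SNAP_PREFIX + struct.pack("!H", ETH_P_IPV6) + payload
    return DST + SRC + struct.pack("!H", len(body)) + body


def _is_router_advert(frame: bytes, off: int) -> bool:
    """IPv6 at ``off`` with an ICMPv6 RA directly after the 40-byte base header.
    Extension headers are not walked here; a production guard must also drop RAs
    hidden behind extension headers or fragmentation (RFC 6980 / RFC 7113)."""
    if len(frame) < off + 41 or frame[off] >> 4 != 6:
        return False
    return frame[off + 6] == IPPROTO_ICMPV6 and frame[off + 40] == ICMPV6_ROUTER_ADVERT


def naive_should_drop(frame: bytes) -> bool:
    """Classifies only by the EtherType at offset 12: VLAN-0 and LLC/SNAP RAs pass."""
    (etype,) = struct.unpack_from("!H", frame, 12)
    return etype == ETH_P_IPV6 and _is_router_advert(frame, 14)


def innermost_ethertype(frame: bytes, max_encaps: int = 2):
    """Peel VLAN tags and LLC/SNAP to reach the real EtherType and payload offset.
    Returns (None, off) when the frame cannot be classified."""
    off = 12
    for _ in range(max_encaps + 1):
        (etype,) = struct.unpack_from("!H", frame, off)
        off += 2
        if etype in VLAN_TPIDS:
            off += 2              # skip the TCI; the next two bytes are another TPID or the EtherType
            continue
        if etype <= 1500:         # an 802.3 length field, not an EtherType
            if frame[off:off + 6] == LLC_SNAP_PREFIX:
                (etype,) = struct.unpack_from("!H", frame, off + 6)
                return etype, off + 8
            return None, off
        return etype, off
    return None, off              # more stacked headers than we are willing to accept


def strict_should_drop(frame: bytes, max_encaps: int = 2) -> bool:
    """Allow-list behaviour: drop RAs however they are wrapped, and drop the unclassifiable."""
    etype, off = innermost_ethertype(frame, max_encaps)
    if etype is None:
        return True
    return etype == ETH_P_IPV6 and _is_router_advert(frame, off)


if __name__ == "__main__":
    ra = build_ipv6_ra()
    for label, frame in [("untagged", frame_untagged(ra)), ("vlan0", frame_vlan0(ra)),
                         ("vlan0 x2", frame_vlan0(ra, 2)), ("llc/snap", frame_llc_snap(ra))]:
        print(f"{label:10} naive drop={naive_should_drop(frame)!s:5} strict drop={strict_should_drop(frame)}")
```

The same decapsulation loop applies to DHCP snooping and Dynamic ARP Inspection: whatever the feature inspects, it has to be found by walking the encapsulations rather than by assuming the payload starts at offset 14.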

  33. Tomi Engdahl says:

    Dan Goodin / Ars Technica:
    Researchers detail Chaos, a new cross-platform malware that infected a wide range of Linux and Windows devices, including routers, FreeBSD boxes, and servers

    Never-before-seen malware has infected hundreds of Linux and Windows devices
    Small office routers? FreeBSD machines? Enterprise servers? Chaos infects them all.

    Researchers have revealed a never-before-seen piece of cross-platform malware that has infected a wide range of Linux and Windows devices, including small office routers, FreeBSD boxes, and large enterprise servers.

    Black Lotus Labs, the research arm of security firm Lumen, is calling the malware Chaos, a word that repeatedly appears in function names, certificates, and file names it uses. Chaos emerged no later than April 16, when the first cluster of control servers went live in the wild. From June through mid-July, researchers found hundreds of unique IP addresses representing compromised Chaos devices. Staging servers used to infect new devices have mushroomed in recent months, growing from 39 in May to 93 in August. As of Tuesday, the number reached 111.

    Black Lotus has observed interactions with these staging servers from both embedded Linux devices as well as enterprise servers, including one in Europe that was hosting an instance of GitLab. There are more than 100 unique samples in the wild.

    “The potency of the Chaos malware stems from a few factors,” Black Lotus Labs researchers wrote in a Wednesday morning blog post. “First, it is designed to work across several architectures, including: ARM, Intel (i386), MIPS and PowerPC—in addition to both Windows and Linux operating systems. Second, unlike largescale ransomware distribution botnets like Emotet that leverage spam to spread and grow, Chaos propagates through known CVEs and brute forced as well as stolen SSH keys.”

    CVEs refer to the mechanism used to track specific vulnerabilities. Wednesday’s report referred to only a few, including CVE-2017-17215 and CVE-2022-30525 affecting firewalls sold by Huawei, and CVE-2022-1388, an extremely severe vulnerability in load balancers, firewalls, and network inspection gear sold by F5. SSH infections using password brute-forcing and stolen keys also allow Chaos to spread from machine to machine inside an infected network.

    Chaos also has various capabilities, including enumerating all devices connected to an infected network, running remote shells that allow attackers to execute commands, and loading additional modules. Combined with the ability to run on such a wide range of devices, these capabilities have led Black Lotus Labs to suspect Chaos “is the work of a cybercriminal actor that is cultivating a network of infected devices to leverage for initial access, DDoS attacks and crypto mining,” company researchers said.

    Infected IP addresses indicate that Chaos infections are most heavily concentrated in Europe, with smaller hotspots in North and South America, and Asia Pacific.

    The two most important things people can do to prevent Chaos infections are to keep all routers, servers, and other devices fully updated and to use strong passwords and FIDO2-based multifactor authentication whenever possible. A reminder to small office router owners everywhere: Most router malware can’t survive a reboot. Consider restarting your device every week or so. Those who use SSH should always use a cryptographic key for authentication.
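
Chaos spreads over SSH by password brute-forcing, and that part of its propagation is visible in plain sshd logs. The following Python script is an added example, not code from Black Lotus Labs or Ars Technica: it runs a sliding-window count of failed logins per source address over a constructed auth.log excerpt (RFC 5737 documentation addresses, year assumed to be 2022 since syslog lines carry none) and, more importantly, flags a successful login from a source that had just been brute-forcing, which is the event that turns a noisy alert into an incident. The threshold and window are assumptions to tune per environment. Note what this cannot see: logins with stolen keys produce an ordinary "Accepted publickey" line, so those need a baseline of expected source addresses and key fingerprints rather than a failure count.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$")
FAILED_RE = re.compile(r"^Failed (?:password|publickey) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
ACCEPTED_RE = re.compile(r"^Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")

# Constructed auth.log excerpt (RFC 5737 documentation addresses), not real data.
SAMPLE_LOG = """\
Sep 28 10:01:02 edge sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Sep 28 10:01:03 edge sshd[1202]: Failed password for invalid user test from 203.0.113.7 port 51236 ssh2
Sep 28 10:01:05 edge sshd[1203]: Failed password for root from 203.0.113.7 port 51240 ssh2
Sep 28 10:01:06 edge sshd[1204]: Failed password for root from 203.0.113.7 port 51244 ssh2
Sep 28 10:01:08 edge sshd[1205]: Accepted publickey for deploy from 198.51.100.4 port 40022 ssh2: ED25519 SHA256:c0ffee
Sep 28 10:01:09 edge sshd[1206]: Failed password for root from 203.0.113.7 port 51250 ssh2
Sep 28 10:01:11 edge sshd[1207]: Failed password for root from 203.0.113.7 port 51254 ssh2
Sep 28 10:01:30 edge sshd[1208]: Accepted password for root from 203.0.113.7 port 51299 ssh2
Sep 28 10:40:00 edge sshd[1300]: Failed password for root from 192.0.2.9 port 60001 ssh2
"""


def parse_line(line: str, year: int = 2022):
    """Return (timestamp, message) for an sshd syslog line, or None for anything else.
    Syslog timestamps have no year, so one is assumed (constructed data is from September 2022)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["msg"]


def detect_ssh_bruteforce(lines, threshold: int = 5, window: timedelta = timedelta(minutes=2)):
    """Sliding-window count of failures per source; then flag any successful login
    from a source that was already flagged, which is the signal that matters."""
    recent = defaultdict(deque)      # source ip -> timestamps of failures inside the window
    flagged = set()
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, msg = parsed
        failed = FAILED_RE.match(msg)
        if failed:
            q = recent[failed["ip"]]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()
            if len(q) >= threshold and failed["ip"] not in flagged:
                flagged.add(failed["ip"])
                findings.append(("bruteforce", failed["ip"], f"{len(q)} failures in {window}"))
            continue
        accepted = ACCEPTED_RE.match(msg)
        if accepted and accepted["ip"] in flagged:
            findings.append(("success-after-bruteforce", accepted["ip"],
                             f"{accepted['method']} login as {accepted['user']}"))
    return findings


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                       # e.g. python detect_ssh.py /var/log/auth.log
        with open(sys.argv[1]) as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    for kind, ip, detail in detect_ssh_bruteforce(lines):
        print(f"{kind:24} {ip:16} {detail}")
```

On journald systems feed it `journalctl -u ssh --no-pager -o short` instead of a file; in production fail2ban or your SIEM does the counting, but the success-after-failures correlation is the rule worth adding wherever you alert.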

  34. Tomi Engdahl says:

    Serious hole in WhatsApp, the phone can be hijacked – here is how to check whether you are safe

  35. Tomi Engdahl says:

    APT28 attack uses old PowerPoint trick to download malware
    Researchers at Cluster25 have published research about exploit code that’s triggered when a user moves their mouse over a link in a booby-trapped PowerPoint presentation. The code starts a PowerShell script that downloads and executes a dropper for Graphite malware.
    The attack was attributed to the Russian APT28 group, also known as Sofacy or Fancy Bear, a notorious Russian threat actor that has been active since at least 2004. Its main activity is collecting intelligence for the Russian government. The group is known to have targeted US politicians, organizations, and even nuclear facilities.
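
A mouse-over hyperlink that launches a program is stored in the deck’s slide XML as an `a:hlinkMouseOver` element whose `action` attribute is `ppaction://program`, with the command in the slide’s relationships part. The following Python script is an added example, not code from Cluster25: it scans a .pptx for click and mouse-over actions of the `ppaction://program` and `ppaction://macro` kinds and returns the linked target. The decks it scans are constructed in memory by `build_pptx`, minimal to the point of omitting parts PowerPoint itself would require; the `powershell.exe` command in the test is a constructed stand-in, not the command used in the real attack. For files from untrusted sources, parse with `defusedxml` rather than the standard `xml.etree`.

```python
import io
import zipfile
import xml.etree.ElementTree as ET   # swap in defusedxml.ElementTree for untrusted input

A_NS = "http://schemas.openxmlformats.org/drawingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
HYPERLINK_REL = R_NS + "/hyperlink"
SUSPICIOUS_ACTIONS = ("ppaction://program", "ppaction://macro")   # launch a program / run VBA


def scan_pptx(data: bytes) -> list:
    """Return (slide part, element, action, target) for every click or mouse-over
    hyperlink on a slide whose action launches a program or a macro."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        for name in sorted(names):
            if not (name.startswith("ppt/slides/slide") and name.endswith(".xml")):
                continue
            # Each slide's hyperlink targets live in ppt/slides/_rels/<slide>.xml.rels
            rels_name = name.replace("ppt/slides/", "ppt/slides/_rels/", 1) + ".rels"
            targets = {}
            if rels_name in names:
                for rel in ET.fromstring(zf.read(rels_name)).iter(f"{{{PKG_REL_NS}}}Relationship"):
                    targets[rel.get("Id")] = rel.get("Target")
            root = ET.fromstring(zf.read(name))
            for tag in ("hlinkMouseOver", "hlinkClick"):
                for el in root.iter(f"{{{A_NS}}}{tag}"):
                    action = el.get("action") or ""
                    if action.startswith(SUSPICIOUS_ACTIONS):
                        target = targets.get(el.get(f"{{{R_NS}}}id"), "")
                        findings.append((name, tag, action, target))
    return findings


SLIDE_TMPL = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<p:sld xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main" '
    'xmlns:a="{a}" xmlns:r="{r}"><p:cSld><p:spTree><p:sp><p:nvSpPr>'
    '<p:cNvPr id="2" name="Rectangle 1">{hlink}</p:cNvPr></p:nvSpPr></p:sp>'
    '</p:spTree></p:cSld></p:sld>'
)
RELS_TMPL = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Relationships xmlns="{pkg}">{rel}</Relationships>'
)


def build_pptx(target=None, tag="hlinkMouseOver", action="ppaction://program") -> bytes:
    """Constructed minimal deck (not the sample from the report). With ``target`` set,
    shape 'Rectangle 1' carries a hyperlink of the given kind pointing at it."""
    hlink = rel = ""
    if target is not None:
        action_attr = f' action="{action}"' if action else ""
        hlink = f'<a:{tag} r:id="rId2"{action_attr}/>'
        rel = (f'<Relationship Id="rId2" Type="{HYPERLINK_REL}" '
               f'Target="{target}" TargetMode="External"/>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("ppt/slides/slide1.xml", SLIDE_TMPL.format(a=A_NS, r=R_NS, hlink=hlink))
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", RELS_TMPL.format(pkg=PKG_REL_NS, rel=rel))
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                       # python scan_pptx.py deck.pptx
        with open(sys.argv[1], "rb") as fh:
            deck = fh.read()
    else:
        deck = build_pptx("powershell.exe -w hidden -nop -c calc")   # constructed stand-in command
    for slide, element, action, target in scan_pptx(deck):
        print(f"{slide}: {element} {action} -> {target}")
```

A plain web hyperlink has no `action` attribute (or `ppaction://hlinkfile`-style navigation actions) and is not flagged; only the program and macro actions are, since those are what turn a hover into code execution.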

  36. Tomi Engdahl says:

    A Brazilian threat actor known as Prilex has resurfaced after a year-long operational hiatus with an advanced and complex malware to steal money by means of fraudulent transactions.
    “The Prilex group has shown a high level of knowledge about credit and debit card transactions, and how software used for payment processing works,” Kaspersky researchers said. “This enables the attackers to keep updating their tools in order to find a way to circumvent the authorization policies, allowing them to perform their attacks.”
    Prilex’s modus operandi over the years has since evolved to take advantage of processes relating to point-of-sale (PoS) software to intercept and modify communications with electronic devices such as PIN pads, which are used to facilitate payments using debit or credit cards.

  37. Tomi Engdahl says:

    Microsoft: Lazarus hackers are weaponizing open-source software
    Microsoft says the North Korean-sponsored Lazarus threat group is trojanizing legitimate open-source software and using it to backdoor organizations in many industry sectors, such as technology, defense, and media entertainment. The list of open-source software weaponized by Lazarus state hackers to deploy the BLINDINGCAN (aka ZetaNile) backdoor includes PuTTY, KiTTY, TightVNC, Sumatra PDF Reader, and the muPDF/Subliminal Recording software installer. The PuTTY and KiTTY SSH clients were also used to backdoor targets’ devices in fake job skills assessments, as reported by Mandiant this month.

  38. Tomi Engdahl says:

    Matrix: Install security update to fix end-to-end encryption flaws
    The Matrix decentralized communication platform has published a security warning about two critical-severity vulnerabilities that affect the end-to-end encryption in the software development kit (SDK). A threat actor exploiting these flaws could break the confidentiality of Matrix communications and run man-in-the-middle attacks that expose message contents in a readable form. Clients affected by the bugs are those using the matrix-js-sdk, matrix-ios-sdk, and matrix-android-sdk2, like Element, Beeper, Cinny, SchildiChat, Circuli, and

  39. Tomi Engdahl says:

    Spyware disguises itself as Zoom downloads
    Zoom video call software continues to be a staple in work environments. Despite a slow, post-lockdown easing back to the old normal, many businesses still have remote workers, or people working in different geographies. It’s no surprise then to see criminals continuing to abuse Zoom’s popularity, in the hope of netting interested parties and, potentially, luring current users into downloading and installing malware. This particular campaign, initially discovered by an Internet researcher going by the handle @idclickthat, gets unsuspecting users to download an information-stealer (spyware, if you prefer) from fake sites hosting malformed Zoom installers (malware bundled with a legitimate Zoom installer) onto their work systems.

  40. Tomi Engdahl says:

    New malware backdoors VMware ESXi servers to hijack virtual machines
    Hackers have found a new method to establish persistence on VMware ESXi hypervisors to control vCenter servers and virtual machines for Windows and Linux while avoiding detection. With the help of malicious vSphere Installation Bundles, the attacker was able to install on the bare-metal hypervisor two backdoors that researchers have named VirtualPita and VirtualPie. Researchers also uncovered a unique malware sample that they called VirtualGate, which includes a dropper and a payload.

  41. Tomi Engdahl says:

    IT admin admits sabotaging ex-employer’s network in bid for higher salary
    A 40-year-old man could face up to 10 years in prison, after admitting in a US District Court to sabotaging his former employer’s computer systems. Casey K Umetsu, of Honolulu, Hawaii, has pleaded guilty to charges that he deliberately misdirected a financial company’s email traffic and prevented customers from reaching its website in a failed attempt to convince the firm to rehire him at a greater salary. As the Department of Justice describes, Umetsu additionally locked the company out of its domain name registrar account, preventing them from undoing the damage, for several

  42. Tomi Engdahl says:

    North Korean Gov Hackers Caught Rigging Legit Software

    Threat hunters at Microsoft have intercepted a notorious North Korean government hacking group lacing legitimate open source software with custom malware capable of data theft, espionage, financial gain and network destruction.

    The hackers, a sub-group of Lazarus that Microsoft calls ZINC, are weaponizing a wide range of open-source software including PuTTY, KiTTY, TightVNC, Sumatra PDF Reader, and muPDF/Subliminal Recording software installers in a new wave of malware attacks.

    Redmond described the attackers as a “highly operational, destructive, and sophisticated nation-state activity group” and warned that its LinkedIn networking portal was also being abused to trawl for targets.

    In a report documenting the discovery, Microsoft said the hackers use LinkedIn to connect with and befriend employees in organizations across multiple industries including media, defense and aerospace, and IT services in the US, UK, India, and Russia.

    “Beginning in June 2022, ZINC employed traditional social engineering tactics by initially connecting with individuals on LinkedIn to establish a level of trust with their targets. Upon successful connection, ZINC encouraged continued communication over WhatsApp, which acted as the means of delivery for their malicious payloads,” Microsoft added.

    ZINC weaponizing open-source software

  43. Tomi Engdahl says:

    Auth0 Finds No Breach Following Source Code Compromise

    Okta-owned Auth0 this week announced that it has not identified an intrusion into its environment after a third-party said they were in the possession of older source code repositories.

    In late August, after Okta was informed by an individual that they possessed copies of certain Auth0 code repositories dating from October 2020 and earlier, the company launched an investigation that did not reveal a potential data breach.

    The investigation, the company says, “confirmed that there was no evidence of unauthorized access to our environments, or those of our customers, nor any evidence of any data exfiltration or persistent access”.

    Auth0 notes that it also decided to retain a cybersecurity forensics firm to investigate the claim, and that both investigations have arrived at the same conclusion.

  44. Tomi Engdahl says:

    NSA Cyber Specialist, Army Doctor Charged in US Spying Cases

    A cyber specialist who worked at the US National Security Agency and an army doctor and his wife were charged Thursday in separate cases with seeking to sell US secrets to foreign governments.

  45. Tomi Engdahl says:

    Details Disclosed After Schneider Electric Patches Critical Flaw Allowing PLC Hacking

    Schneider Electric in recent months released patches for its EcoStruxure platform and some Modicon programmable logic controllers (PLCs) to address a critical vulnerability that was disclosed more than a year ago.

    The flaw in question, tracked as CVE-2021-22779, has been described by the industrial giant as an authentication bypass issue that could allow unauthorized access in read and write mode to a Modicon M580 or M340 controller by spoofing Modbus communications between the controller and the engineering software.

    Schneider Electric has credited researchers from several companies for reporting this vulnerability, including Fortinet, Tenable, Kaspersky, Armis and Bolean Tech.

    Armis, which dubbed the flaw ModiPwn, disclosed details in July 2021, when it warned that an unauthenticated attacker who has network access to the targeted PLC could exploit the vulnerability to take complete control of the targeted device. An attacker could alter the operation of the PLC while hiding the malicious modifications from the engineering workstation that manages the controller.

    At the time of Armis’ disclosure, mitigations were available, but no patches had been released by Schneider Electric.

    Now that the issue appears to have been addressed, Kaspersky’s ICS-CERT team has published its own report on CVE-2021-22779 and the UMAS (Unified Messaging Application Services) protocol abused in this attack.

    The secrets of Schneider Electric’s UMAS protocol

    UMAS (Unified Messaging Application Services) is a proprietary Schneider Electric (SE) protocol that is used to configure and monitor Schneider Electric PLCs.

    Schneider Electric controllers that use UMAS include Modicon M580 CPU (part numbers BMEP* and BMEH*) and Modicon M340 CPU (part numbers BMXP34*). Controllers are configured and programmed using engineering software – EcoStruxure™ Control Expert (Unity Pro), EcoStruxure™ Process Expert, etc.

    In 2020, a vulnerability, CVE-2020-28212, was reported, which could be exploited by a remote unauthorized attacker to gain control of a PLC with the privileges of an operator already authenticated on the controller. To address the vulnerability, Schneider Electric developed a new mechanism, Application Password, which should provide protection against unauthorized access to PLCs and unwanted modifications.

    An analysis conducted by Kaspersky ICS CERT experts has shown that the implementation of the new security mechanism also has flaws. The CVE-2021-22779 vulnerability, which was identified in the course of the research, could allow a remote attacker to make changes to the PLC, bypassing authentication.

    It was established that the UMAS protocol, in its implementation prior to the version in which the CVE-2021-22779 vulnerability was fixed, had significant shortcomings that had a critical effect on the security of control systems based on Schneider Electric controllers.

    As of the middle of August 2022, Schneider Electric has released an update for the EcoStruxure™ Control Expert software, as well as for Modicon M340 and Modicon M580 PLC firmware, which fixes the vulnerability.

  46. Tomi Engdahl says:

    Drupal Updates Patch Vulnerability in Twig Template Engine

    Updates announced for Drupal this week address a severe vulnerability in Twig that could lead to the leakage of sensitive information.

    Drupal is a PHP-based open source web content management system that has been using Twig as its default templating engine since Drupal 8, which was first released in November 2015.

    Tracked as CVE-2022-39261, the vulnerability could allow an attacker to load templates outside a configured directory, via the filesystem loader.
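
The class of bug described above, a filesystem loader that can be steered to a template outside its configured directory, is avoided by resolving the requested name against the loader root and refusing anything that ends up outside it. The following Python function is an added example, not Twig’s own code or its fix (Twig is PHP); it shows the containment check in general form, including the cases that a plain string-prefix test gets wrong: `..` segments in the middle of a name, absolute paths, and symlinks inside the template tree that point elsewhere, which is why both the root and the candidate are passed through `realpath` before comparing. `demo()` builds a constructed temporary tree to exercise it.

```python
import os
import shutil
import tempfile


def safe_template_path(base_dir: str, name: str) -> str:
    """Resolve ``name`` against ``base_dir`` and refuse anything that escapes it.

    Both sides are canonicalised with realpath so that '..' segments and symlinks
    are resolved before the containment test, and commonpath is used rather than
    startswith so that '/srv/templates-old' is not accepted as inside '/srv/templates'.
    """
    base = os.path.realpath(base_dir)
    if os.path.isabs(name) or "\x00" in name:
        raise ValueError(f"template name not allowed: {name!r}")
    candidate = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"template {name!r} resolves outside {base}")
    return candidate


def demo() -> dict:
    """Constructed tree: <tmp>/templates/pages/index.html plus a secret one level up."""
    root = tempfile.mkdtemp()
    try:
        tpl = os.path.join(root, "templates")
        os.makedirs(os.path.join(tpl, "pages"))
        with open(os.path.join(tpl, "pages", "index.html"), "w") as fh:
            fh.write("{{ title }}")
        with open(os.path.join(root, "secret.txt"), "w") as fh:
            fh.write("constructed secret")
        results = {}
        for name in ("pages/index.html", "../secret.txt", "pages/../../secret.txt", "/etc/hostname"):
            try:
                safe_template_path(tpl, name)
                results[name] = "allowed"
            except ValueError:
                results[name] = "rejected"
        return results
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:8} {name}")
```

The same check belongs in any loader that maps user- or configuration-supplied names onto files: templates, includes, static assets, plugin manifests.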

