Cyber security news October 2022

This posting is here to collect cyber security news in October 2022.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.

395 Comments

  1. Tomi Engdahl says:

    Coverage of Killnet DDoS attacks plays into attackers’ hands, experts say https://therecord.media/coverage-of-killnet-ddos-attacks-plays-into-attackers-hands-experts-say/
    A notorious pro-Russian hacking group drew headlines on Monday after launching distributed denial-of-service (DDoS) attacks on the websites of airports in at least 24 different states and threatening more operations against U.S. entities.

    Reply
  2. Tomi Engdahl says:

    Sergiu Gatlan / BleepingComputer:
    Signal plans to phase out SMS and MMS support from its Android app; users have “several months to transition away from SMS” and export messages to another app — Signal says it will start to phase out SMS and MMS message support from its Android app to streamline the user experience and prioritize security and privacy.

    Signal will remove support for SMS text messages on Android
    https://www.bleepingcomputer.com/news/technology/signal-will-remove-support-for-sms-text-messages-on-android/

    Signal says it will start to phase out SMS and MMS message support from its Android app to streamline the user experience and prioritize security and privacy.

    While this announcement may surprise those who don’t know Signal can also be used to manage this type of text message, the Signal for Android app could be configured as the default SMS/MMS app since its beginning as TextSecure, an app that used the Axolotl Ratchet protocol.

    “We have now reached the point where SMS support no longer makes sense. In order to enable a more streamlined Signal experience, we are starting to phase out SMS support from the Android app,” the company said in a blog post published today.

    Reply
  3. Tomi Engdahl says:

    Researchers Uncover Custom Backdoors and Spying Tools Used by Polonium Hackers https://thehackernews.com/2022/10/researchers-uncover-custom-backdoors.html
    A threat actor tracked as Polonium has been linked to over a dozen highly targeted attacks aimed at Israeli entities with seven different custom backdoors since at least September 2021. The intrusions were aimed at organizations in various verticals, such as engineering, information technology, law, communications, branding and marketing, media, insurance, and social services, cybersecurity firm ESET said. Polonium is the chemical element-themed moniker given by Microsoft to a sophisticated operational group that’s believed to be based in Lebanon and is known to exclusively strike Israeli targets.

    Reply
  4. Tomi Engdahl says:

    Budworm Hackers Resurface with New Espionage Attacks Aimed at U.S. Organization
    https://thehackernews.com/2022/10/budworm-hackers-resurface-with-new.html
    An advanced persistent threat (APT) actor known as Budworm targeted a U.S.-based entity for the first time in more than six years, according to latest research. The attack was aimed at an unnamed U.S. state legislature, the Symantec Threat Hunter team, part of Broadcom Software, said in a report shared with The Hacker News. Other “strategically significant” intrusions mounted over the past six months were directed against a government of a Middle Eastern country, a multinational electronics manufacturer, and a hospital in South East Asia. Budworm, also called APT27, Bronze Union, Emissary Panda, Lucky Mouse, and Red Phoenix, is a threat actor that’s believed to operate on behalf of China through attacks that leverage a mix of custom and openly available tools to exfiltrate information of interest.

    Reply
  5. Tomi Engdahl says:

    Exploit available for critical Fortinet auth bypass bug, patch now https://www.bleepingcomputer.com/news/security/exploit-available-for-critical-fortinet-auth-bypass-bug-patch-now/
    Proof-of-concept exploit code is now available for a critical authentication bypass vulnerability affecting Fortinet’s FortiOS, FortiProxy, and FortiSwitchManager appliances. This security flaw (CVE-2022-40684) allows attackers to bypass the authentication process on the administrative interface of FortiGate firewalls, FortiProxy web proxies, and FortiSwitch Manager (FSWM) on-premise management instances. Fortinet released security updates to address this flaw last Thursday. It also urged customers in private alerts to disable remote management user interfaces on affected devices “with the utmost urgency.”

    Reply
  6. Tomi Engdahl says:

    Ongoing exploitation of CVE-2022-41352 (Zimbra 0-day) https://securelist.com/ongoing-exploitation-of-cve-2022-41352-zimbra-0-day/107703/
    On September 10, 2022, a user reported on Zimbra’s official forums that their team detected a security incident originating from a fully patched instance of Zimbra. The details they provided allowed Zimbra to confirm that an unknown vulnerability allowed attackers to upload arbitrary files to up-to-date servers. At the moment, Zimbra has released a patch and shared its installation steps. In addition, manual mitigation steps can be undertaken by system administrators to prevent successful exploitation (see below). Kaspersky investigated the threat and was able to confirm that unknown APT groups have actively been exploiting this vulnerability in the wild, one of which is systematically infecting all vulnerable servers in Central Asia. On October 7, 2022, a proof of concept for this vulnerability was added to the Metasploit framework, laying the groundwork for massive and global exploitation from even low-sophistication attackers.

    Reply
  7. Tomi Engdahl says:

    New Alchimist attack framework targets Windows, macOS, Linux https://www.bleepingcomputer.com/news/security/new-alchimist-attack-framework-targets-windows-macos-linux/
    Cybersecurity researchers have discovered a new attack and C2 framework called Alchimist, which appears to be actively used in attacks targeting Windows, Linux, and macOS systems. The framework and all its files are 64-bit executables written in GoLang, a programming language that makes cross-compatibility between different operating systems a lot easier. Alchimist offers a web-based interface using the Simplified Chinese language, and it’s very similar to Manjusaka, a recently-emerged post-exploitation attack framework growing popular among Chinese hackers. Cisco Talos researchers who discovered both of these frameworks highlight their similarities but explain there are enough technical differences to deduce different authors developed them.

    Reply
  8. Tomi Engdahl says:

    Magniber ransomware now infects Windows users via JavaScript files https://www.bleepingcomputer.com/news/security/magniber-ransomware-now-infects-windows-users-via-javascript-files/
    A recent malicious campaign delivering Magniber ransomware has been targeting Windows home users with fake security updates. Threat actors created in September websites that promoted fake antivirus and security updates for Windows 10. The downloaded malicious files (ZIP archives) contained JavaScript that initiated an intricate infection with the file-encrypting malware. A report from HP’s threat intelligence team notes that Magniber ransomware operators demanded payment of up to $2,500 for home users to receive a decryption tool and recover their files. The strain focuses explicitly on Windows 10 and Windows 11 builds.

    Reply
  9. Tomi Engdahl says:

    Cloudflare mitigated record DDoS attack against Minecraft server https://www.bleepingcomputer.com/news/security/cloudflare-mitigated-record-ddos-attack-against-minecraft-server/
    Wynncraft, one of the largest Minecraft servers, was recently hit by a 2.5 Tbps distributed denial-of-service (DDoS) attack. It was a multi-vector attack that lasted for about two minutes and consisted of UDP and TCP flood packets attempting to overwhelm the server and keep out hundreds of thousands of players, DDoS mitigation company Cloudflare says. The researchers say this was the largest bitrate attack they ever recorded and handled.

    Reply
  11. Tomi Engdahl says:

    Websites of multiple US airports taken down by hackers https://www.pandasecurity.com/en/mediacenter/security/us-airports-hackers/
    Earlier this week, the websites of some of the busiest airports in the US were successfully attacked by cybercriminals. A pro-Russian hacking group called Killnet took responsibility for the malicious actions against major airports in Los Angeles, New York, Atlanta, and Chicago.
    Russian citizens likely run the hacker organization, but there is no concrete evidence of whether they are tied to the Russian government.
    The websites were victims of multiple Denial-of-Service (DoS) attacks that briefly took them down. The cyber-attack did not cause any disruptions of flights at the airports, as the attack only affected the public web interface of those airports. Flight information and other useful public data on these websites were not immediately available after the attack, but websites were quickly restored.

    Reply
  12. Tomi Engdahl says:

    Finns are now being frightened with data breaches: “Your site has been hacked”
    https://www.is.fi/digitoday/tietoturva/art-2000009125357.html
    Scam messages sent by email have been seen in Finland in which website administrators are threatened with the claim that their site has been broken into.
    The National Cyber Security Centre (Kyberturvallisuuskeskus) of the Finnish Transport and Communications Agency Traficom reported the scams in its weekly review. The review published an example of the extortion message. It opens with the false claim “Your Site Has Been Hacked” and contains the address of the site in question. So far no single sender has been identified, and the bitcoin wallets set up for the ransom have been unique per message. The Cyber Security Centre is not aware of a single case in which a site was actually breached.

    Reply
  13. Tomi Engdahl says:

    Palo Alto Networks, Aruba Patch Severe Vulnerabilities
    https://www.securityweek.com/palo-alto-networks-aruba-patch-severe-vulnerabilities

    Palo Alto Networks and Aruba Networks have each announced patches for severe vulnerabilities affecting their products.

    An advisory published by Palo Alto Networks on October 12 informs customers about a high-severity authentication bypass vulnerability affecting the web interface of its PAN-OS 8.1 software. The security hole is tracked as CVE-2022-0030.

    According to the company, a network-based attacker with specific knowledge of the targeted firewall or Panorama appliance can impersonate an existing PAN-OS admin and perform privileged actions.

    PAN-OS 8.1.24 and later versions patch the vulnerability, but the vendor noted that PAN-OS 8.1 has reached end of life (EOL) and is supported only on certain firewalls and appliances until they reach EOL status as well.

    Authentication bypass flaws have also been identified in Aruba’s EdgeConnect Enterprise Orchestrator product. The product is impacted by two critical authentication bypass issues that can lead to a complete compromise of the orchestrator host.

    The flaws are tracked as CVE-2022-37913 and CVE-2022-37914, and they can be exploited remotely by an unauthenticated attacker to obtain admin privileges on the targeted system. An advisory describing the vulnerabilities was published on October 11.

    The advisory also informs Aruba customers about a critical unauthenticated remote code execution vulnerability (CVE-2022-37915) affecting the same orchestrator product.

    “A vulnerability in the web-based management interface of Aruba EdgeConnect Enterprise Orchestrator could allow an unauthenticated remote attacker to run arbitrary commands on the underlying host. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the underlying operating system leading to complete system compromise,” the company said.

    Reply
  14. Tomi Engdahl says:

    https://www.securityweek.com/chinese-cyberspies-targeting-us-state-legislature

    A China-linked cyberespionage group was recently observed targeting a state legislature in the United States, Symantec warns.

    Active since at least 2010, the group is tracked as APT27, Bronze Union, Budworm, Emissary Panda, Iron Tiger, Lucky Mouse, and TG-3390 (Threat Group 3390), and has been observed targeting various entities worldwide, mainly focusing on the Middle East and Asia.

    In a new report detailing APT27’s recent activities, Symantec notes that the attack on the US state legislature is the first time in several years that it has seen the cyberespionage group targeting a US entity.

    Over the past six months, Symantec also observed the threat actor targeting a Middle Eastern government, a hospital in South East Asia, and a multinational electronics manufacturer.

    Reply
  15. Tomi Engdahl says:

    Mirai Botnet Launched 2.5 Tbps DDoS Attack Against Minecraft Server
    https://www.securityweek.com/mirai-botnet-launched-25-tbps-ddos-attack-against-minecraft-server

    A Mirai botnet variant has launched a distributed denial-of-service (DDoS) attack that peaked at 2.5 terabytes per second (Tbps), according to Cloudflare, which described it as the largest attack it has seen in terms of bitrate.

    The attack was aimed at a Minecraft server named Wynncraft and it involved UDP and TCP floods. However, the web security firm said it mitigated the attack, preventing it from causing any disruption to the game.

    While this may have been a record-breaking attack for Cloudflare, Microsoft last year observed an attack that peaked at 3.47 Tbps and another that reached 3.25 Tbps.

    Cloudflare this year also saw an attack reaching 26 million requests per second (RPS). The attack was noteworthy particularly for the fact that it was powered by a small botnet of only 5,000 devices. However, in terms of RPS, Google saw the biggest attack known to date, which peaked at 46 million RPS.

    “The entire 2.5 Tbps attack lasted about 2 minutes, and the peak of the 26M rps attack only 15 seconds,” Cloudflare explained. “This emphasizes the need for automated, always-on solutions. Security teams can’t respond quick enough. By the time the security engineer looks at the PagerDuty notification on their phone, the attack has subsided.”

    Reply
  16. Tomi Engdahl says:

    Microsoft confirms all Windows versions from Windows 7 and Windows Server 2008 on are vulnerable to 0Day under active attack.

    Microsoft Security: Windows 0Day Under Attack, Most Versions Vulnerable—Update Now
    https://www.forbes.com/sites/daveywinder/2022/10/14/microsoft-security-update-windows-0day-under-attack-most-versions-vulnerable/?sh=199b5bc97a37&utm_campaign=socialflowForbesMainFB&utm_source=ForbesMainFacebook&utm_medium=social

    It’s the second week of the month, which means it’s time for Microsoft’s scheduled monthly security update. As has become all too familiar with Microsoft users, this month’s Patch Tuesday update confirms yet more Zero-Day (0Day) security vulnerabilities, including one that Microsoft says is being actively exploited.

    October Patch Tuesday: 84 vulnerabilities, 13 critical-rated, 2 zero-days
    With some 84 vulnerabilities, this is far from the biggest Patch Tuesday event of the year. However, 13 have a critical severity rating, and two are 0Days.

    Microsoft defines an 0Day as a security vulnerability with no official fix available when it is publicly disclosed or found to be under active attack.

    In the case of CVE-2022-41033, which Microsoft confirms is being actively exploited in the wild but provides no further exploitation information, it impacts most every version of Windows. “All versions of Windows, starting with Windows 7 and Windows Server 2008, are vulnerable,” Mike Walters, vice-president of vulnerability and threat research at Action1, said.

    Windows COM+ Event System Service Elevation of Privilege Vulnerability
    CVE-2022-41033
    https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-41033

    CVSS:3.1 7.8 / 6.8
    Attack Vector: Local
    Privileges Required: Low
    What privileges could an attacker gain? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.

    Reply
  17. Tomi Engdahl says:

    Critical Open Source vm2 Sandbox Escape Bug Affects Millions
    Attackers could exploit the “Sandbreak” security bug, which has earned a 10 out of 10 on the CVSS scale, to execute a sandbox escape, achieve RCE, and run shell commands on a hosting machine.
    https://www.darkreading.com/application-security/critical-open-source-vm2-sandbox-escape-bug-affects-millions

    Reply
  18. Tomi Engdahl says:

    Intel Confirms Alder Lake BIOS Source Code Leak, New Details Emerge
    By Paul Alcorn published 7 days ago
    Hack’s perpetrator and origins remain unknown.
    https://www.tomshardware.com/news/intel-confirms-6gb-alder-lake-bios-source-code-leak-new-details-emerge

    Reply
  19. Tomi Engdahl says:

    Datacenter fire takes out South Korea’s top two web giants
    Sub-par disaster recovery plans leave Naver and Kakao with savage service interruptions
    https://www.theregister.com/2022/10/17/sk_cc_naver_kaako_fire/

    South Korea’s two largest domestic internet companies, Naver and Kakao, have experienced significant service interruptions after the datacenter that hosts much of their infrastructure was shut down by a Sunday fire.

    The datacenter in question is operated by SK C&C, one of the many arms of South Korean conglomerate SK. SK C&C offers a range of cloud and tech infrastructure services, bills itself as a “total digital transformation partner” and operates three datacenters, in which it happily houses client systems.

    The one in Pangyo, just south of South Korea’s capital Seoul, was built in 2014, covers 66,942 square meters, and boasts what SK C&C describes as “Latest/eco-friendly technology”. And it caught fire on the weekend.

    Reply
  20. Tomi Engdahl says:

    An unknown man’s account details popped up on Jani’s screen at S-Pankki: “An extremely unlikely coincidence”
    https://www.mtvuutiset.fi/artikkeli/s-pankissa-aarimmaisen-epatodennakoinen-mutta-mahdollinen-sattuma-janin-naytolle-lavahti-tuntemattoman-miehen-tilitiedot/8550262#gs.f98hcu

    A strange incident occurred in S-Pankki’s online service over the weekend. A Central Finland man’s attempt to log into his online bank ended up exposing the account details of a complete stranger.

    In recent weeks, vulnerabilities found in S-Pankki’s smartphone app S-mobiili, and their exploitation, have been discussed in public. S-Pankki has said the problems have been fixed. That is why the incident put the man who found himself in this surprising situation on his guard.

    S-Pankki believes the cause was not its information systems but mistakes made by customers.

    Reply
  21. Tomi Engdahl says:

    https://www.mtvuutiset.fi/artikkeli/s-pankissa-aarimmaisen-epatodennakoinen-mutta-mahdollinen-sattuma-janin-naytolle-lavahti-tuntemattoman-miehen-tilitiedot/8550262#gs.f98hcu

    It is unpleasant to hear, when customers are already really disappointed that money disappears from their accounts, and then the bank starts blaming the customer for having made a mistake.
    Soon some people probably won’t even dare to pay their bills on a computer any more.

    Is it the bank’s fault if someone approves a login from a stranger?

    Modern times are very strange… insurance companies run banking operations and vice versa… Service stations no longer service cars but sell groceries… Shouldn’t one really focus on the job that is one’s core competence and do that job well

    Reply
  22. Tomi Engdahl says:

    Researchers Keep a Wary Eye on Critical New Vulnerability in Apache Commons Text
    https://www.darkreading.com/application-security/researchers-keep-a-wary-eye-on-critical-new-vulnerability-in-apache-commons-text

    There’s nothing yet to suggest CVE-2022-42889 is the next Log4j. But proof-of-concept code is available, and interest appears to be ticking up.

    Researchers are closely tracking a critical, newly disclosed vulnerability in Apache Commons Text that gives unauthenticated attackers a way to execute code remotely on servers running applications with the affected component.

    The flaw (CVE-2022-42889) has been assigned a severity ranking of 9.8 out of a possible 10.0 on the CVSS scale and exists in versions 1.5 through 1.9 of Apache Commons Text. Proof-of-concept code for the vulnerability is already available, though so far there has been no sign of exploit activity.

    Updated Version Available
    The Apache Software Foundation (ASF) released an updated version of the software (Apache Commons Text 1.10.0) on September 24 but issued an advisory on the flaw only last Thursday.

    Reply
  23. Tomi Engdahl says:

    Researchers Say Microsoft Office 365 Uses Broken Email Encryption to Secure Messages
    https://thehackernews.com/2022/10/researchers-claim-microsoft-office-365.html

    Reply
  24. Tomi Engdahl says:

    Morgan Stanley Discarded Old Hard Drives Without Deleting Customer Data First
    Some of the hard drives containing unencrypted customer data were sold on auction sites.
    https://uk.pcmag.com/security/142781/morgan-stanley-discarded-old-hard-drives-without-deleting-customer-data-first

    Reply
  25. Tomi Engdahl says:

    New Chinese Malware Attack Framework Targets Windows, macOS, and Linux Systems
    https://thehackernews.com/2022/10/new-chinese-malware-attack-framework.html

    Reply
  26. Tomi Engdahl says:

    New Chinese Cyberespionage Group Targeting IT Service Providers and Telcos https://thehackernews.com/2022/10/new-chinese-cyberespionage-group.html
    Telecommunications and IT service providers in the Middle East and Asia are being targeted by a previously undocumented Chinese-speaking threat group dubbed WIP19. The espionage-related attacks are characterized by the use of a stolen digital certificate issued by a Korean company called DEEPSoft to sign malicious artifacts deployed during the infection chain to evade detection. “Almost all operations performed by the threat actor were completed in a ‘hands-on keyboard’ fashion, during an interactive session with compromised machines,” SentinelOne researchers Joey Chen and Amitai Ben Shushan Ehrlich said in a report this week.

    Reply
  27. Tomi Engdahl says:

    INTERPOL arrests ‘Black Axe’ cybercrime syndicate members https://www.bleepingcomputer.com/news/security/interpol-arrests-black-axe-cybercrime-syndicate-members/
    INTERPOL has arrested over 70 suspected members of the ‘Black Axe’ cybercrime syndicate, with two believed to be responsible for $1.8 million in financial fraud. The suspects were arrested as part of ‘Operation Jackal,’ an international law enforcement operation between September 26 and 30, 2022, in South Africa. Black Axe was founded in 1977 in Nigeria and is considered one of the world’s most far-reaching and dangerous crime syndicates. The crime syndicate first became involved with cybercrime in 2015, suspected of orchestrating numerous romance and “419 scams.”

    Reply
  28. Tomi Engdahl says:

    Chinese APT’s favorite vulnerabilities revealed https://www.malwarebytes.com/blog/news/2022/10/psa-chinese-apts-target-flaws-that-take-full-control-of-systems
    In a joint cybersecurity advisory, the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) have revealed the top CVEs used by state-sponsored threat actors from China. The advisory aims to “inform federal and state, local, tribal and territorial (SLTT) government; critical infrastructure, including the Defense Industrial Base Sector; and private sector organizations about notable trends and persistent tactics, techniques, and procedures (TTPs).” The US and other allied nations consider China a cyber threat as it continues to target and attack companies in the US and elsewhere, with the primary aim of stealing intellectual property or gaining access to sensitive networks.

    Reply
  29. Tomi Engdahl says:

    Microsoft Office 365 email encryption could expose message content https://www.bleepingcomputer.com/news/security/microsoft-office-365-email-encryption-could-expose-message-content/
    Security researchers at WithSecure, previously F-Secure Business, found that it is possible to partially or fully infer the contents of encrypted messages sent through Microsoft Office 365 due to the use of a weak block cipher mode of operation. Organizations use Office 365 Message Encryption to send or receive emails, both external and internal, to ensure confidentiality of the content from destination to source. However, the feature encrypts the data using the Electronic Code Book (ECB) mode, which allows inferring the plaintext message under certain conditions.

    Reply
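    The ECB weakness in the WithSecure finding above, as an added example that is not WithSecure’s or Microsoft’s code: AES-128 is assumed as the block cipher and the key, the target message and the attacker’s own message are all constructed for the demonstration. ECB encrypts every 16-byte block independently, so it shows two things: counting repeated ciphertext blocks identifies ECB with no key at all, and a dictionary built from a message whose plaintext the attacker knows (for instance mail they sent through the same system) recovers every matching block of someone else’s message.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"fmt"
)

const bs = aes.BlockSize // 16 bytes for AES

// pkcs7Pad pads msg to a whole number of blocks (always adds at least one byte).
func pkcs7Pad(msg []byte) []byte {
	n := bs - len(msg)%bs
	return append(append([]byte{}, msg...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// encryptECB is AES in ECB mode: each block is encrypted on its own with the
// same key, no IV and no chaining, so equal plaintext blocks always yield equal
// ciphertext blocks. That determinism is the whole problem.
func encryptECB(key, msg []byte) ([]byte, error) {
	c, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	p := pkcs7Pad(msg)
	out := make([]byte, len(p))
	for i := 0; i < len(p); i += bs {
		c.Encrypt(out[i:i+bs], p[i:i+bs])
	}
	return out, nil
}

// repeatedBlocks counts ciphertext blocks that occur more than once. Output of a
// randomized mode (CBC with a fresh IV, CTR, GCM) repeats only by negligible
// chance, so a non-zero count is a cheap, keyless ECB detector.
func repeatedBlocks(ct []byte) int {
	seen := map[[bs]byte]int{}
	for i := 0; i+bs <= len(ct); i += bs {
		var b [bs]byte
		copy(b[:], ct[i:i+bs])
		seen[b]++
	}
	n := 0
	for _, c := range seen {
		if c > 1 {
			n += c
		}
	}
	return n
}

// blockDictionary maps each ciphertext block of a message with known plaintext
// back to that plaintext block. No key is needed, only ECB's determinism.
func blockDictionary(knownPlain, knownCT []byte) map[[bs]byte][bs]byte {
	dict := map[[bs]byte][bs]byte{}
	p := pkcs7Pad(knownPlain)
	for i := 0; i+bs <= len(knownCT) && i+bs <= len(p); i += bs {
		var c, m [bs]byte
		copy(c[:], knownCT[i:i+bs])
		copy(m[:], p[i:i+bs])
		dict[c] = m
	}
	return dict
}

// recoverKnownBlocks substitutes dictionary hits into a target ciphertext; blocks
// never seen before are left as '?'. Returns the partial plaintext and the number
// of blocks still unknown.
func recoverKnownBlocks(dict map[[bs]byte][bs]byte, ct []byte) ([]byte, int) {
	out := make([]byte, 0, len(ct))
	unknown := 0
	for i := 0; i+bs <= len(ct); i += bs {
		var c [bs]byte
		copy(c[:], ct[i:i+bs])
		if m, ok := dict[c]; ok {
			out = append(out, m[:]...)
		} else {
			out = append(out, bytes.Repeat([]byte{'?'}, bs)...)
			unknown++
		}
	}
	return out, unknown
}

func main() {
	key := []byte("0123456789abcdef") // constructed 128-bit key, not a real one
	// Constructed target: the first block is private, the next two repeat a
	// phrase the attacker also used in a message they sent themselves.
	secret := []byte("Invoice 8817 due" + "ATTACK AT DAWN  " + "ATTACK AT DAWN  ")
	attackerMsg := []byte("ATTACK AT DAWN  ")

	ct, _ := encryptECB(key, secret)
	known, _ := encryptECB(key, attackerMsg)

	fmt.Println("repeated ciphertext blocks:", repeatedBlocks(ct))
	plain, unknown := recoverKnownBlocks(blockDictionary(attackerMsg, known), ct)
	fmt.Printf("recovered: %q (%d block(s) unknown)\n", plain, unknown)
}
```

    Note that the recovery step never touches the key: the attacker only needs ciphertexts produced under the same key and one message whose plaintext they already know, which is exactly why a deterministic mode is unsuitable for a mail service that encrypts many messages for many users.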
  30. Tomi Engdahl says:

    Australian police secret agents exposed in Colombian data leak https://www.bleepingcomputer.com/news/security/australian-police-secret-agents-exposed-in-colombian-data-leak/
    Identities of secret agents working for the Australian Federal Police (AFP) have been exposed after hackers leaked documents stolen from the Colombian government. The leak comes from a hacktivist group called Guacamaya and includes more than five terabytes of classified data, including emails, documents, and methods AFP agents were using to stop drug cartels from running their business in Australia. Details exposed this way are from 35 AFP operations, some of them still active, and also include surveillance reports from agents, phone tap recordings, and payroll data for Colombian officers. The AFP is not the only law enforcement agency collaborating with the Colombian government so police agencies from other countries are likely to be affected.

    Reply
  31. Tomi Engdahl says:

    Ransom Cartel Ransomware: A Possible Connection With REvil https://unit42.paloaltonetworks.com/ransom-cartel-ransomware/
    Ransom Cartel is ransomware as a service (RaaS) that surfaced in mid-December 2021. This ransomware performs double extortion attacks and exhibits several similarities and technical overlaps with REvil ransomware. REvil ransomware disappeared just a couple of months before Ransom Cartel surfaced and just one month after 14 of its alleged members were arrested in Russia. When Ransom Cartel first appeared, it was unclear whether it was a rebrand of REvil or an unrelated threat actor who reused or mimicked REvil ransomware code.
    In this report, Unit42 provides their analysis of Ransom Cartel ransomware, as well as their assessment of the possible connections between REvil and Ransom Cartel ransomware.

    Reply
  32. Tomi Engdahl says:

    Indian Energy Company Tata Power’s IT Infrastructure Hit By Cyber Attack https://thehackernews.com/2022/10/indian-energy-company-tata-powers-it.html
    Tata Power Company Limited, India’s largest integrated power company, on Friday confirmed it was targeted by a cyberattack. The intrusion on IT infrastructure impacted “some of its IT systems,” the company said in a filing with the National Stock Exchange (NSE) of India. It further said it has taken steps to retrieve and restore the affected machines, adding it put in place security guardrails for customer-facing portals to prevent unauthorized access. The Mumbai-based electric utility company, part of the Tata Group conglomerate, did not disclose any further details about the nature of the attack, or when it took place.

    Reply
  33. Tomi Engdahl says:

    Student jailed for hacking female classmates’ email, Snapchat accounts https://www.bleepingcomputer.com/news/security/student-jailed-for-hacking-female-classmates-email-snapchat-accounts/
    On Thursday, a Puerto Rico judge sentenced a former University of Puerto Rico (UPR) student to 13 months in prison for hacking over a dozen email and Snapchat accounts of female colleagues. The defendant, Iván Santell-Velázquez (aka Slay3r_r00t), pled guilty to cyberstalking on July 13, admitting to targeting more than 100 students. “This individual engaged in phishing and spoofing schemes to steal information,” said U.S. Attorney Muldrow. Besides targeting dozens of student email accounts, he successfully hacked into multiple university email accounts and collected personal information in spoofing and phishing attacks.

    Reply
  34. Tomi Engdahl says:

    Police tricks DeadBolt ransomware out of 155 decryption keys https://www.bleepingcomputer.com/news/security/police-tricks-deadbolt-ransomware-out-of-155-decryption-keys/
    The Dutch National Police, in collaboration with cybersecurity firm Responders.NU, tricked the DeadBolt ransomware gang into handing over 155 decryption keys by faking ransom payments. DeadBolt is a ransomware operation active since January and known for demanding 0.03 bitcoin ransoms after encrypting thousands of QNAP and Asustor Network Attached Storage (NAS) devices (20,000 worldwide and at least 1,000 in the Netherlands, per the Dutch police). “The police paid, received the decryption keys, and then withdrew the payments. These keys allow files such as treasured photos or administration to be unlocked again, at no cost to victims,” according to a news release published Friday.

    Reply
  35. Tomi Engdahl says:

    Fortinet urges admins to patch bug with public exploit immediately https://www.bleepingcomputer.com/news/security/fortinet-urges-admins-to-patch-bug-with-public-exploit-immediately/
    Fortinet urges customers to urgently patch their appliances against a critical authentication bypass FortiOS, FortiProxy, and FortiSwitchManager vulnerability exploited in attacks. The company released security updates to address the flaw (CVE-2022-40684) last week and it also advised customers in private alerts to disable remote management user interfaces on affected devices “with the utmost urgency” to block attacks if they can’t immediately patch. One week later, Horizon3.ai security researchers shared a proof-of-concept (PoC) exploit and a technical root cause analysis for the vulnerability. On Friday, after the exploit code was released, Fortinet issued a public warning asking customers to patch this actively exploited security flaw urgently.

    Reply
  36. Tomi Engdahl says:

    New PHP information-stealing malware targets Facebook accounts https://www.bleepingcomputer.com/news/security/new-php-information-stealing-malware-targets-facebook-accounts/
    A new Ducktail phishing campaign is spreading a never-before-seen Windows information-stealing malware written in PHP used to steal Facebook accounts, browser data, and cryptocurrency wallets. Ducktail phishing campaigns were first revealed by researchers from WithSecure in July 2022, who linked the attacks to Vietnamese hackers. Those campaigns relied on social engineering attacks through LinkedIn, pushing .NET Core malware masquerading as a PDF document supposedly containing details about a marketing project. The malware targeted information stored in browsers, focusing on Facebook Business account data, and exfiltrated it to a private Telegram channel that acted as a C2 server. These stolen credentials are then used for financial fraud or to conduct malicious advertising. Zscaler now reports spotting signs of new activity involving a refreshed Ducktail campaign that uses a PHP script to act as a Windows information-stealing malware.

    Reply
  37. Tomi Engdahl says:

    Almost 900 servers hacked using Zimbra zero-day flaw https://www.bleepingcomputer.com/news/security/almost-900-servers-hacked-using-zimbra-zero-day-flaw/
    Almost 900 servers have been hacked using a critical Zimbra Collaboration Suite (ZCS) vulnerability, which at the time was a zero-day without a patch for nearly 1.5 months. The vulnerability tracked as CVE-2022-41352 is a remote code execution flaw that allows attackers to send an email with a malicious archive attachment that plants a web shell in the ZCS server while, at the same time, bypassing antivirus checks. According to the cybersecurity company Kaspersky, various APT (advanced persistent threat) groups actively exploited the flaw soon after it was reported on the Zimbra forums.
    Kaspersky told BleepingComputer that they detected at least 876 servers being compromised by sophisticated attackers leveraging the vulnerability before it was widely publicized and received a CVE identifier.

    Reply
  38. Tomi Engdahl says:

    FBI, CISA warn of disinformation ahead of midterms https://www.malwarebytes.com/blog/news/2022/10/fbi-and-cisa-urge-americans-to-be-critical-of-information-in-light-of-midterm-election
    In less than four weeks, the balance of power in the US House of Representatives and Senate will be up for grabs, along with a host of gubernatorial seats, and positions at the state and municipal levels.
    With everyone preparing to cast their ballots, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have reminded people about the potential threat of disinformation.

    Reply
  39. Tomi Engdahl says:

    Over 45,000 VMware ESXi servers just reached end-of-life https://www.bleepingcomputer.com/news/security/over-45-000-vmware-esxi-servers-just-reached-end-of-life/
    Over 45,000 VMware ESXi servers inventoried by Lansweeper just reached end-of-life (EOL), with VMware no longer providing software and security updates unless companies purchase an extended support contract. As of October 15, 2022, VMware ESXi 6.5 and VMware ESXi 6.7 reached end-of-life and will only receive technical support but no security updates, putting the software at risk of vulnerabilities.

    Reply
  40. Tomi Engdahl says:

    Black Basta Ransomware Hackers Infiltrates Networks via Qakbot to Deploy Brute Ratel C4 https://thehackernews.com/2022/10/black-basta-ransomware-hackers.html
    The threat actors behind the Black Basta ransomware family have been observed using the Qakbot trojan to deploy the Brute Ratel C4 framework as a second-stage payload in recent attacks. The development marks the first time the nascent adversary simulation software is being delivered via a Qakbot infection, cybersecurity firm Trend Micro said in a technical analysis released last week. The intrusion, achieved using a phishing email containing a weaponized link pointing to a ZIP archive, further entailed the use of Cobalt Strike for lateral movement. While these legitimate utilities are designed for conducting penetration testing activities, their ability to offer remote access has made them a lucrative tool in the hands of attackers looking to stealthily probe the compromised environment without attracting attention for extended periods of time.

    Reply
  41. Tomi Engdahl says:

    Australian insurance firm Medibank confirms ransomware attack https://www.bleepingcomputer.com/news/security/australian-insurance-firm-medibank-confirms-ransomware-attack/
    Health insurance provider Medibank has confirmed that a ransomware attack is responsible for last week’s cyberattack and disruption of online services. Medibank Private Limited is one of Australia’s largest private health insurance providers, covering over 3.7 million people and having 4,000 employees. In a new statement by the company, CEO David Koczkar apologized for the temporary service outage, confirmed they suffered a ransomware attack, and informed customers that normal operations have resumed.

    Reply
  42. Tomi Engdahl says:

    Venus Ransomware targets publicly exposed Remote Desktop services https://www.bleepingcomputer.com/news/security/venus-ransomware-targets-publicly-exposed-remote-desktop-services/
    Threat actors behind the relatively new Venus Ransomware are hacking into publicly-exposed Remote Desktop services to encrypt Windows devices. Venus Ransomware appears to have begun operating in the middle of August 2022 and has since encrypted victims worldwide.
    However, there was another ransomware using the same encrypted file extension since 2021, but it is unclear if they are related.
    BleepingComputer first learned of the ransomware from MalwareHunterTeam, who was contacted by security analyst linuxct looking for information on it. Linuxct told BleepingComputer that the threat actors gained access to a victim’s corporate network through the Windows Remote Desktop protocol. Another victim in the BleepingComputer forums also reported RDP being used for initial access to their network, even when using a non-standard port number for the service.

    Reply
  43. Tomi Engdahl says:

    Ransomware attack halts circulation of some German newspapers https://www.bleepingcomputer.com/news/security/ransomware-attack-halts-circulation-of-some-german-newspapers/
    German newspaper Heilbronn Stimme published today’s 28-page issue in e-paper form after a Friday ransomware attack crippled its printing systems. On Saturday, the newspaper issued an “emergency” six-page edition while all planned obituaries were posted on the website. Phone and email communication remained offline during the weekend. The regional publication has a circulation of about 75,000 copies, but due to printing issues has temporarily lifted the paywall from its website, which counts approximately 2 million visitors per month. The attack was conducted by a well-known cybercriminal group that encrypted their systems on Friday night and left ransom notes behind. However, as of Saturday afternoon, no specific ransom demands have been made.

    Reply
