Cyber security news October 2022

This posting is here to collect cyber security news in October 2022.

I post links to security vulnerability news in the comments of this article.

You are also free to post related links to comments.

395 Comments

  1. Tomi Engdahl says:

    Police dismantles criminal ring that hacked keyless cars https://www.bleepingcomputer.com/news/security/police-dismantles-criminal-ring-that-hacked-keyless-cars/
    Authorities from France, Latvia, and Spain arrested 31 suspects believed to be part of a car theft ring that targeted vehicles from two French car manufacturers. The criminals only targeted cars that use keyless entry and start systems and stole them after exploiting their keyless technology to unlock the doors and start the engines without having to use the key fobs. To do that, they used a fraudulent tool promoted online as an automotive diagnostic solution to replace the stolen cars’ software and bypass the vehicles’ keyless system to enter and steal them.

    Reply
  2. Tomi Engdahl says:

    Zimbra Releases Patch for Actively Exploited Vulnerability in its Collaboration Suite https://thehackernews.com/2022/10/zimbra-releases-patch-for-actively.html
    Zimbra has released patches to contain an actively exploited security flaw in its enterprise collaboration suite that could be leveraged to upload arbitrary files to vulnerable instances. Tracked as CVE-2022-41352 (CVSS score: 9.8), the issue affects a component of the Zimbra suite called Amavis, an open source content filter, and more specifically, the cpio utility it uses to scan and extract archives.
    The flaw, in turn, is said to be rooted in another underlying vulnerability (CVE-2015-1197) that was first disclosed in early 2015, which according to Flashpoint was rectified, only to be subsequently reverted in later Linux distributions.

    Reply
  3. Tomi Engdahl says:

    German cyber chief suspended following allegation he associated with Russian intelligence https://therecord.media/german-cyber-chief-suspended-following-allegation-he-associated-with-russian-intelligence/
    The head of Germany’s federal cybersecurity office has been suspended, a spokesperson confirmed on Tuesday, following accusations that he had associated with a business connected to the Russian intelligence services. Arne Schönbohm, who has been president of the Federal Office for Information Security (BSI) since 2016, has been under scrutiny since the allegations were raised in a late night satirical television show called ZDF Magazine Royale. The head of Germany’s Interior Ministry, Nancy Faeser, has prohibited him from “conducting official business as President of the BSI with immediate effect” a spokesperson told The Record.

    Reply
  4. Tomi Engdahl says:

    Analysis of a Remote Code Execution (RCE) Vulnerability in Cobalt Strike 4.7.1 https://securityintelligence.com/posts/analysis-rce-vulnerability-cobalt-strike/
    On September 20, 2022, HelpSystems published an out-of-band patch for Cobalt Strike which stated that there was potential for Remote Code Execution (RCE). Creating Swing components from user input allows users to create arbitrary Java objects in the class path and invoke their setter methods, which can lead to remote code execution in specific cases. This post outlines the analysis process conducted to make this evaluation: patch analysis, root cause review and vulnerability weaponization.

    Reply
  5. Tomi Engdahl says:

    Malware dev claims to sell new BlackLotus Windows UEFI bootkit https://www.bleepingcomputer.com/news/security/malware-dev-claims-to-sell-new-blacklotus-windows-uefi-bootkit/
    A threat actor is selling on hacking forums what they claim to be a new UEFI bootkit named BlackLotus, a malicious tool with capabilities usually linked to state-backed threat groups. UEFI bootkits are planted in the system firmware and are invisible to security software running within the operating system because the malware loads in the initial stage of the booting sequence. The seller says BlackLotus features integrated Secure Boot bypass, has built-in Ring0/Kernel protection against removal, and will start in recovery or safe mode.
    BlackLotus claims to come with anti-virtual machine (anti-VM), anti-debug, and code obfuscation features to block malware analysis attempts. The seller also claims that security software cannot detect and kill the bootkit as it runs under the SYSTEM account within a legitimate process. Even more, this tiny bootkit with a size of only 80 kb on disk after installation can disable built-in Windows security protection such as Hypervisor-Protected Code Integrity (HVCI) and Windows Defender and bypass User Account Control (UAC).

    Reply
  6. Tomi Engdahl says:

    Hackers compromised Hong Kong govt agency network for a year https://www.bleepingcomputer.com/news/security/hackers-compromised-hong-kong-govt-agency-network-for-a-year/
    Researchers at Symantec have uncovered cyberattacks attributed to the China-linked espionage actor APT41 (a.k.a. Winnti) that breached government agencies in Hong Kong and remained undetected for a year in some cases. The threat actor has been using custom malware called Spyder Loader, which has been previously attributed to the group. In May 2022, researchers at Cybereason discovered Operation CuckooBees, which had been underway since 2019 focusing on high-tech and manufacturing firms in North America, East Asia, and Western Europe.
    Symantec’s report notes that there are signs that the newly discovered Hong Kong activity is part of the same operation, and Winnti’s targets are government agencies in the special administrative region.

    Reply
  7. Tomi Engdahl says:

    Verizon notifies prepaid customers their accounts were breached https://www.bleepingcomputer.com/news/security/verizon-notifies-prepaid-customers-their-accounts-were-breached/
    Verizon warned an undisclosed number of prepaid customers that attackers gained access to Verizon accounts and used exposed credit card info in SIM swapping attacks. “We determined that between October 6 and October 10, 2022, a third party actor accessed the last four digits of the credit card used to make automatic payments on your account,” Verizon said in an alert published this week. “Using the last four digits of that credit card, the third party was able to gain access to your Verizon account and may have processed an unauthorized SIM card change on the prepaid line that received the SMS linking to this notice. If a SIM card change occurred, Verizon has reversed it.”
    Verizon added that it blocked further unauthorized access to its clients’ accounts and found no evidence that this malicious activity is still ongoing.

    Reply
  8. Tomi Engdahl says:

    Hackers target Asian casinos in lengthy cyberespionage campaign https://www.bleepingcomputer.com/news/security/hackers-target-asian-casinos-in-lengthy-cyberespionage-campaign/
    A hacking group named DiceyF has been observed deploying a malicious attack framework against online casinos based in Southeast Asia since at least November 2021. According to a new report by Kaspersky, the DiceyF APT group does not appear to be targeting financial gains from the casinos but instead conducting stealthy cyberespionage and intellectual property theft. The DiceyF activity aligns with “Operation Earth Berberoka” reported by Trend Micro in March 2022, both pointing to the threat actors being of Chinese origin.

    Reply
  9. Tomi Engdahl says:

    Researchers Keep a Wary Eye on Critical New Vulnerability in Apache Commons Text
    https://www.darkreading.com/application-security/researchers-keep-a-wary-eye-on-critical-new-vulnerability-in-apache-commons-text

    There’s nothing yet to suggest CVE-2022-42889 is the next Log4j. But proof-of-concept code is available, and interest appears to be ticking up.

    Researchers are closely tracking a critical, newly disclosed vulnerability in Apache Commons Text that gives unauthenticated attackers a way to execute code remotely on servers running applications with the affected component.

    The flaw (CVE-2022-42889) has been assigned a severity ranking of 9.8 out of a possible 10.0 on the CVSS scale and exists in versions 1.5 through 1.9 of Apache Commons Text. Proof-of-concept code for the vulnerability is already available, though so far there has been no sign of exploit activity.

    Updated Version Available

    The Apache Software Foundation (ASF) released an updated version of the software (Apache Commons Text 1.10.0) on September 24 but issued an advisory on the flaw only last Thursday. In it, the Foundation described the flaw as stemming from insecure defaults when Apache Commons Text performs variable interpolation, which basically is the process of looking up and evaluating string values in code that contain placeholders. “Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers,” the advisory said.

    The ASF describes the Commons Text library as providing additions to the standard Java Development Kit’s (JDK) text handling. Some 2,588 projects currently use the library, including some major ones such as Apache Hadoop Common, Spark Project Core, Apache Velocity, and Apache Commons Configuration, according to data in the Maven Central Java repository.

    Reply
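    The advisory quoted above describes the problem as interpolation of `${prefix:name}` placeholders with default lookups that could execute code or reach remote servers (the `script`, `dns` and `url` lookups were dropped from the defaults in 1.10.0). The following is an added example, not code from the article or from the Apache project, showing a defender-side scanner that extracts placeholders from untrusted strings (request parameters, log lines, templates), flags those three prefixes including when nested, and checks whether a reported commons-text version falls in the affected 1.5 through 1.9 range; all sample inputs are constructed.

```python
"""Detect Apache Commons Text interpolation placeholders that use the lookups
removed from the defaults in 1.10.0 (CVE-2022-42889).

Added example; not code from the article or the Apache project. The
${prefix:name} syntax, the $${ escape and the three prefixes come from the
ASF advisory. Sample inputs below are constructed.
"""
from typing import Dict, List, Tuple

# Interpolators whose appearance in untrusted input is the signal for this bug.
RISKY_PREFIXES = {"script", "dns", "url"}


def extract_placeholders(text: str) -> List[str]:
    """Return each outermost ${...} placeholder in text, nesting preserved.

    Commons Text treats $${...} as an escaped literal, so those are skipped.
    An unterminated placeholder ends the scan (nothing after it can match).
    """
    found: List[str] = []
    i, n = 0, len(text)
    while i < n:
        if text.startswith("$${", i):  # escaped literal, not interpolated
            i += 3
            continue
        if text.startswith("${", i):
            depth, j = 0, i
            while j < n:
                if text.startswith("${", j):
                    depth += 1
                    j += 2
                    continue
                if text[j] == "}":
                    depth -= 1
                    if depth == 0:
                        found.append(text[i:j + 1])
                        break
                j += 1
            else:
                break  # no closing brace for this placeholder
            i = j + 1
            continue
        i += 1
    return found


def lookup_prefix(placeholder: str) -> str:
    """Prefix before the first ':' inside ${...}, lower-cased ('' if none).

    The interpolator matches prefixes case-insensitively, so normalise here.
    """
    body = placeholder[2:-1]
    if ":" not in body:
        return ""
    return body.split(":", 1)[0].strip().lower()


def find_risky_interpolations(text: str) -> List[Tuple[str, str]]:
    """Return (prefix, placeholder) pairs for risky lookups, nested ones too."""
    hits: List[Tuple[str, str]] = []
    for ph in extract_placeholders(text):
        prefix = lookup_prefix(ph)
        if prefix in RISKY_PREFIXES:
            hits.append((prefix, ph))
        # Recurse into the body so ${sys:${dns:...}} style nesting is caught.
        hits.extend(find_risky_interpolations(ph[2:-1]))
    return hits


def commons_text_version_vulnerable(version: str) -> bool:
    """True for the affected range the article states: 1.5 through 1.9."""
    major_minor = tuple(int(p) for p in version.split(".")[:2])
    return (1, 5) <= major_minor <= (1, 9)


# Constructed inputs standing in for request parameters or log lines.
SAMPLE_INPUTS: Dict[str, str] = {
    "benign": "Hello ${sys:user.name}, today is ${date:yyyy-MM-dd}",
    "escaped": "literal $${dns:address|example.invalid} is not interpolated",
    "dns": "lookup ${dns:address|example.invalid} please",
    "nested": "x ${url:UTF-8:${sys:java.version}} y",
    "unterminated": "oops ${dns:address|example.invalid",
}


def scan_samples() -> Dict[str, List[str]]:
    """Map each sample name to the risky prefixes found in it."""
    return {name: [p for p, _ in find_risky_interpolations(s)]
            for name, s in SAMPLE_INPUTS.items()}


if __name__ == "__main__":
    for name, prefixes in scan_samples().items():
        print(f"{name:12s} -> {prefixes or 'clean'}")
    print("1.9 vulnerable:", commons_text_version_vulnerable("1.9"))
    print("1.10.0 vulnerable:", commons_text_version_vulnerable("1.10.0"))
```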
  10. Tomi Engdahl says:

    Microsoft Azure SFX bug let hackers hijack Service Fabric clusters https://www.bleepingcomputer.com/news/security/microsoft-azure-sfx-bug-let-hackers-hijack-service-fabric-clusters/
    Attackers could exploit a now-patched spoofing vulnerability in Service Fabric Explorer to gain admin privileges and hijack Azure Service Fabric clusters. Service Fabric is a platform for business-critical applications that hosts over 1 million apps and powers many Microsoft products, including but not limited to Microsoft Intune, Dynamics 365, Skype for Business, Cortana, Microsoft Power BI, and multiple core Azure services. Service Fabric Explorer (SFX), an open-source tool that can be used as a hosted solution or as a desktop app, allows Azure admins to manage and inspect nodes and cloud applications in Azure Service Fabric clusters. Orca Security found an SFX spoofing flaw (CVE-2022-35829) dubbed FabriXss that could enable potential attackers to gain full Administrator permissions and take over Service Fabric clusters.

    Reply
  11. Tomi Engdahl says:

    Hackers use new stealthy PowerShell backdoor to target 60+ victims https://www.bleepingcomputer.com/news/security/hackers-use-new-stealthy-powershell-backdoor-to-target-60-plus-victims/
    A previously undocumented, fully undetectable PowerShell backdoor is being actively used by a threat actor who has targeted at least 69 entities. Based on its features, the malware is designed for cyberespionage, mainly engaging in data exfiltration from the compromised system. When first detected, the PowerShell backdoor was not seen as malicious by any vendors on the VirusTotal scanning service. However, its cover was blown due to operational mistakes by the hackers, allowing SafeBreach analysts to access and decrypt commands sent by the attackers to execute on infected devices.

    Reply
  12. Tomi Engdahl says:

    Microsoft leaked customer data from misconfigured Azure Storage https://www.bleepingcomputer.com/news/security/microsoft-leaked-customer-data-from-misconfigured-azure-storage/
    Microsoft said today that some prospective customers’ data was exposed by a misconfigured Microsoft server accessible over the Internet. The company secured the server after being notified of the leak on September 24, 2022 by security researchers at threat intelligence firm SOCRadar. “This misconfiguration resulted in the potential for unauthenticated access to some business transaction data corresponding to interactions between Microsoft and prospective customers, such as the planning or potential implementation and provisioning of Microsoft services,” the company revealed.

    Reply
  13. Tomi Engdahl says:

    This is how the police scam targeting Finns proceeds https://www.is.fi/digitoday/tietoturva/art-2000009145505.html
    FINNS are currently being sent large numbers of scam messages in the name of the police, claiming that the recipient has committed child pornography-related crimes on the internet. The “indictment” arrives by email as a PDF file that strives for an official look and is typically sent in the names of high-ranking police officers. The letter demands “fines” from the recipient. The alternative offered is a significantly more expensive “legal process”. The emails have surged in recent weeks. These were seen early in the year, but a new burst has now been observed. Similar ones have also been seen elsewhere in the world, says Detective Chief Inspector Marko Leponen of the National Bureau of Investigation (KRP).

    Reply
  14. Tomi Engdahl says:

    Like Vastaamo on a smaller scale: Shocking extortion under way in Australia https://www.is.fi/digitoday/tietoturva/art-2000009145732.html
    THE LARGE Australian health insurance provider Medibank has been targeted by extortionists. According to the Sydney Morning Herald, the company has received a letter threatening to leak its data.
    The hackers claim to have stolen 200 gigabytes of data and threaten to send the company the data of its thousand most prominent customers as a warning. According to the message, these customers include politicians, LGBT activists and actors. If Medibank does not pay the ransom, the criminals say they will sell the data to outsiders. The data supposedly includes sensitive health information and credit card details. The case closely resembles the damage suffered by the Finnish psychotherapy centre Vastaamo, where the sensitive data of tens of thousands of patients was stolen from the company. The breach continues to cause suffering for many victims.

    Reply
  15. Tomi Engdahl says:

    Microsoft Confirms Data Breach, But Claims Numbers Are Exaggerated
    https://www.securityweek.com/microsoft-confirms-data-breach-claims-numbers-are-exaggerated

    Microsoft has confirmed that it inadvertently exposed information related to prospective customers, but claims that the company which reported the incident has exaggerated the numbers.

    Threat intelligence firm SOCRadar revealed on Wednesday that it has identified many misconfigured cloud storage systems, including six large buckets that stored information associated with 150,000 companies across 123 countries.

    These buckets, which the firm has dubbed BlueBleed, included a misconfigured Azure Blob Storage instance allegedly containing information on more than 65,000 entities in 111 countries. SOCRadar described it as “one of the most significant B2B leaks”.

    SOCRadar said the exposed data belonged to Microsoft and it totaled 2.4 Tb of files collected between 2017 and August 2022. The exposed information allegedly included over 335,000 emails, 133,000 projects, and 548,000 users.

    The company said the leak included proof-of-execution (PoE) and statement of work (SoW) documents, user information, product orders and offers, project details, and personal information.

    Reply
  16. Tomi Engdahl says:

    Microsoft Patches Vulnerability Allowing Full Access to Azure Service Fabric Clusters
    https://www.securityweek.com/microsoft-patches-vulnerability-allowing-full-access-azure-service-fabric-clusters
    Microsoft recently patched a vulnerability that can allow an attacker to gain full administrator permissions on Azure Service Fabric clusters.
    Azure Service Fabric is a distributed systems platform that makes it easy to package, deploy, and manage microservices and containers. Users can create Service Fabric clusters — these are the hardware resources where applications can be deployed — on premises or in the cloud. Service Fabric Explorer (SFX) is an open-source tool for inspecting and managing these clusters.
    Researchers at cloud security company Orca discovered that SFX v1 is affected by a spoofing vulnerability. The issue, tracked as CVE-2022-35829 and named FabriXss by Orca, involves client-side template injection (CSTI) and stored cross-site scripting (XSS).
    “We found that a Deployer type user with a single permission to ‘Create new Applications’ via the dashboard, can use this single permission to create a malicious application name and abuse the Administrator permissions to perform various calls and actions,” Orca explained in a blog post detailing FabriXss.
    FabriXss (CVE-2022-35829): How We Managed to Abuse a Custom Role User Using CSTI and Stored XSS in Azure Fabric Explorer
    https://orca.security/resources/blog/fabrixss-vulnerability-azure-fabric-explorer/

    Reply
  17. Tomi Engdahl says:

    New PowerShell Backdoor Poses as Part of Windows Update Process
    https://www.securityweek.com/new-powershell-backdoor-poses-part-windows-update-process

    Cybersecurity firm SafeBreach has issued a warning about a new PowerShell backdoor that disguises itself as part of the Windows update process to remain fully undetected.

    Operated by a sophisticated, unknown threat actor, the backdoor is distributed via a malicious Word document that appears linked to a LinkedIn-based job application spear-phishing lure.

    When the document is opened, macro code inside it drops a PowerShell script on the victim’s machine, creates a scheduled task claiming to be part of a Windows update, and then executes the script from a fake update folder.

    The script was designed to execute another PowerShell script but, before the scheduled task is executed, two other scripts are dropped on the system.

    “The content of the PowerShell scripts is stored in text boxes inside the Word document and will be saved to the same fake update directory,” SafeBreach said in a note documenting the threat.

    Reply
  18. Tomi Engdahl says:

    WordPress Security Update 6.0.3 Patches 16 Vulnerabilities
    https://www.securityweek.com/wordpress-security-update-603-patches-16-vulnerabilities

    WordPress 6.0.3 started rolling out this week. The latest security release patches 16 vulnerabilities.

    WordPress 6.0.3 fixes nine stored and reflected cross-site scripting (XSS) vulnerabilities, as well as open redirect, data exposure, cross-site request forgery (CSRF), and SQL injection flaws.

    WordPress security company Defiant has shared a description of each vulnerability. Four of them have a ‘high severity’ rating, and the rest have ‘medium’ or ‘low’ severity.

    “We have determined that these vulnerabilities are unlikely to be seen as mass exploits but several of them could offer a way for skilled attackers to exploit high-value sites using targeted attacks,” the company warned.

    One of the high-severity vulnerabilities is a stored XSS issue that can be exploited by a user who can submit posts to a website via email to inject malicious JavaScript code into posts. The code would get executed when the malicious post is accessed.

    Reply
  19. Tomi Engdahl says:

    Oracle Releases 370 New Security Patches With October 2022 CPU
    https://www.securityweek.com/oracle-releases-370-new-security-patches-october-2022-cpu

    Oracle on Tuesday announced the release of 370 patches as part of its quarterly set of security updates. The October 2022 Critical Patch Update (CPU) resolves over 50 critical-severity vulnerabilities.

    More than 200 of the newly released security patches deal with vulnerabilities that are remotely exploitable without authentication.

    This month, MySQL received 37 new security patches (11 remotely exploitable, unauthenticated bugs).

    Oracle also released numerous patches for Siebel CRM (14 patches – 12 for vulnerabilities remotely exploitable without authentication), Supply Chain (13 – 9), JD Edwards (10 – 9), Virtualization (10 – 3), Java SE (9 – 9), PeopleSoft (8 – 4), Systems (8 – 4), and Database Server (8 – 1).

    Reply
  20. Tomi Engdahl says:

    German Cybersecurity Chief Sacked Over Alleged Russia Ties
    https://www.securityweek.com/german-cybersecurity-chief-sacked-over-alleged-russia-ties

    Germany’s cybersecurity chief was sacked on Tuesday after a TV satire show accused him of having ties to Russian intelligence services, with the country on high alert over potential sabotage activities by Moscow.

    Arne Schoenbohm, head of the Federal Cyber Security Authority (BSI), had been at the centre of intense speculation since the popular show accused him in early October of contacts with Russia.

    He has now been relieved of his duties “with immediate effect”, an interior ministry spokesman told AFP on Tuesday, citing “the allegations revealed and widely discussed in the media” as one of the reasons behind the move.

    The allegations “have permanently damaged the necessary public trust” in Schoenbohm as head of the authority, the spokesman said.

    “This is all the more true in the current crisis situation regarding Russian hybrid warfare,” he added.

    Schoenbohm was accused in the satire show on broadcaster ZDF of contacts with Russian secret services through an association he co-founded in 2012 known as the Cyber Security Council Germany.

    One member of that association, Berlin cybersecurity company Protelion, reportedly operated under the name “Infotecs GmbH” until the end of March.

    - ‘Great annoyance’ -

    The cybersecurity chief would be “presumed innocent” in the meantime, he said.

    The Handelsblatt daily had reported that there was “great annoyance” within the government over the allegations.

    A planned joint appearance by Schoenbohm and Interior Minister Nancy Faeser to present a cybersecurity report was cancelled last week.

    Schoenbohm told Spiegel on Tuesday that as he had not heard back over the allegations, he had himself sought disciplinary proceedings to clarify the issue.

    He added that he did not know “what the ministry has checked and what are the concrete allegations against me.”

    Germany has in recent years repeatedly accused Russia of online espionage attempts.

    Reply
  21. Tomi Engdahl says:

    IDA Pro Owner Hex-Rays Acquired by European VC Firm
    https://www.securityweek.com/ida-pro-owner-hex-rays-acquired-european-vc-firm

    European venture capital and private equity firm Smartfin on Tuesday announced a deal to acquire Hex-Rays, the Belgian company behind the widely deployed IDA Pro software disassembler.

    Financial terms of the acquisition were not released but Smartfin said IDA Pro creator Ilfak Guilfanov joined a consortium of investors putting cash back into the restructured company.

    Hex-Rays, based in Liège, Belgium, was founded in 2005 by Guilfanov with reverse engineering power tool IDA Pro as its flagship product.

    IDA Pro is used by cybersecurity professionals to effectively translate a software’s binary code (consisting of ones and zeros) into a human readable text (an approximation of the software’s actual source code), to reveal and understand its original design, architecture, and logic.

    The company said the main software use cases are IT security audits, internal stress testing, bug bounty programs, investigating new virus samples and validating security concerns.

    Following the acquisition, Hex-Rays plans to expand operations and speed up automation and simplification of its software products.

    Reply
  22. Tomi Engdahl says:

    VMware fixed a high-severity bug in vCenter Server (Security Affairs)
    https://securityaffairs.co/wordpress/136791/security/vmware-vcenter-server-flaws.html

    VMware this week addressed a severe vulnerability in vCenter Server that could lead to arbitrary code execution.

    VMware on Thursday released security patches to address a code execution vulnerability, tracked as CVE-2022-31680 (CVSS score of 7.2), in vCenter Server.
    The security issue is an unsafe deserialization vulnerability that resides in the platform services controller (PSC).
    “The vCenter Server contains an unsafe deserialisation vulnerability in the PSC (Platform services controller). VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.2,” reads the advisory published by the company. “A malicious actor with admin access on vCenter server may exploit this issue to execute arbitrary code on the underlying operating system that hosts the vCenter Server.”
    This vulnerability impacts only vCenter Server 6.5 with an external PSC; it was addressed with the release of VMware vCenter Server 6.5 U3u.
    https://www.vmware.com/security/advisories/VMSA-2022-0025.html

    Reply
  23. Tomi Engdahl says:

    Five Wi-Fi vulnerabilities found in the Linux kernel
    https://etn.fi/index.php/13-news/14126-linux-ytimestae-loeytyi-viisi-wi-fi-haavoittuvuutta

    According to several reports, a total of five serious vulnerabilities have been found in the code that controls Wi-Fi connections in the Linux kernel. They are now being fixed in kernel version 6.1, which is under development.

    What makes the vulnerabilities serious is that they can be exploited by sending data packets to devices wirelessly.

    According to Huster, these are so-called Beacon frames, through which the Wi-Fi link is listened to. The vulnerabilities do not depend on the device’s Wi-Fi driver.

    Various Linux Kernel WLAN security issues (RCE/DOS) found
    https://seclists.org/oss-sec/2022/q4/20

    Security Researcher Soenke Huster from TU Darmstadt (shuster () seemoo tu-darmstadt de) emailed SUSE with a buffer overwrite in the Linux Kernel mac80211 framework triggered by WLAN frames.

    CVE-2022-41674: fix u8 overflow in cfg80211_update_notlisted_nontrans
    (max 256 byte overwrite) (RCE)
    CVE-2022-42719: wifi: mac80211: fix MBSSID parsing use-after-free
    use after free condition (RCE)
    CVE-2022-42720: wifi: cfg80211: fix BSS refcounting bugs
    ref counting use-after-free possibilities (RCE)
    CVE-2022-42721: wifi: cfg80211: avoid nontransmitted BSS list corruption
    list corruption, according to Johannes will however just make it endless loop (DOS)
    CVE-2022-42722: wifi: mac80211: fix crash in beacon protection for P2P-device
    NULL ptr dereference crash (DOS)

    The PoC uses mac80211_hwsim to inject the frames, but the vulnerabilities are – to my knowledge – driver-independent, and we assume that they are exploitable over the air. All the malformed frames are Beacon frames.

    Reply
  24. Tomi Engdahl says:

    Parler Accidentally Doxxed Its Most VIP Members When It Announced Kanye’s Acquisition
    https://gizmodo.com/parler-doxxes-vips-announcing-kanye-west-acquisition-1849677634

    “Hi everyone! It’s a pleasure being doxxed with such a fine crew,” wrote a prominent right-winger included in the ill-fated mass email.

    Parler, the rightwing knockoff of Twitter that’s not Truth Social, accidentally exposed the personal email addresses of some of its most elite members on Monday. Rushing to tell them about the company’s acquisition agreement with the artist formerly known as Kanye West, top brass sent out an email that CC-ed a group of VIP members rather than blind carbon copying them. The result was that droves of partisan ghouls like Tim Pool and Laura Loomer had their email addresses shared with one another.

    News of the unintentional doxxing was initially shared by Adam Ryan, a newsletter writer, who tweeted Monday that the thread had exposed “the personal emails of many verified users and Parler investors.” The people on the list were those with “gold badges”—an elite status marker given out to accounts held by “influencers, celebrities, journalists, media organizations, public officials, government entities, businesses, organizations, and non-profits.”

    Reply
  25. Tomi Engdahl says:

    Tivi: Alma Media has been hit by denial-of-service attacks https://www.is.fi/digitoday/art-2000009148903.html

    Two denial-of-service attacks have been carried out against the websites of Kauppalehti and Uusi Suomi in recent days, reports Tivi.
    MEDIA GROUP Alma Media’s publications were hit by denial-of-service attacks last Sunday evening and on Tuesday afternoon. This is reported by Tivi, an IT professional magazine belonging to the group.

    According to the magazine, during the attack the websites of Kauppalehti and Uusi Suomi received significantly more traffic from foreign sources than normal.

    Reply
  26. Tomi Engdahl says:

    A bug in Abode’s home security system could let hackers remotely switch off cameras
    https://techcrunch.com/2022/10/20/abode-security-flaws/?tpcc=tcplusfacebook&guccounter=1&guce_referrer=aHR0cHM6Ly9sbS5mYWNlYm9vay5jb20v&guce_referrer_sig=AQAAACGOHLThTTtqngzSClIC6mrdcXIgw2-hYKIk1WZ2f_42iQu4F20J_-avslZESo8PDLSHd8KDk8LNg6f5uFLKaDSTDx9tYSftgte5i-sKRpuknd9AIylQ-v40DtjWUZ6zqeDxfvaUl2BvaeIwcd2xJMbyscCfiK_zXJbpmXBDni-O

    A security vulnerability in Abode’s all-in-one home security system could allow malicious actors to remotely switch off customers’ security cameras.

    Abode’s Iota All-In-One Security Kit is a DIY home security system that includes a main security camera, motion sensors that can be attached to windows and doors, and a hub that can alert users of unwanted movement in their homes. It also integrates with third-party smart hubs like Google Home, Amazon Alexa and Apple HomeKit.

    Researchers at Cisco’s Talos cybersecurity unit this week disclosed several vulnerabilities in Abode’s security system, including a critical-rated authentication bypass flaw that could allow anyone to remotely trigger several sensitive device functions without needing a password by bypassing the authentication mechanism of the devices.

    The flaw, tracked as CVE-2022-27805 and given a vulnerability severity rating of 9.8 out of 10, sits in the UDP service

    As explained by Matt Wiseman, a senior security researcher at Cisco Talos, a lack of authorization checks means an attacker can remotely execute commands through Abode’s mobile and web applications, such as rebooting the device, changing the admin password and completely disarming the security system.

    https://blog.talosintelligence.com/2022/10/vuln-spotlight-abode-.html?m=1

    Reply
  27. Tomi Engdahl says:

    Google sued over biometric data collection without consent https://www.bleepingcomputer.com/news/security/google-sued-over-biometric-data-collection-without-consent/
    The Texas AG says that Google allegedly used products and services like Google Photos, Google Assistant, and Nest Hub Max to collect a vast array of biometric identifiers, including voiceprints and records of face geometry since 2015.

    Reply
  28. Tomi Engdahl says:

    Democracies are having a reckoning with mercenary spyware https://therecord.media/democracies-are-having-a-reckoning-with-mercenary-spyware/
    Off-the-shelf spyware has long been associated with abuses by autocratic regimes, but in recent years it’s democracies who are reckoning with their own potential abuse of such surveillance tools.

    Reply
  29. Tomi Engdahl says:

    Internet connectivity worldwide impacted by severed fiber cables in France https://www.bleepingcomputer.com/news/technology/internet-connectivity-worldwide-impacted-by-severed-fiber-cables-in-france/
    A major Internet cable in the South of France was severed yesterday at 20:30 UTC, impacting subsea cable connectivity to Europe, Asia, and the United States and causing data packet losses and increased website response latency.

    Reply
  30. Tomi Engdahl says:

    Microsoft data breach exposes customers’ contact info, emails https://www.bleepingcomputer.com/news/security/microsoft-data-breach-exposes-customers-contact-info-emails/
    Microsoft said today that some of its customers’ sensitive information was exposed by a misconfigured Microsoft server accessible over the Internet.

    Reply
  31. Tomi Engdahl says:

    Microsoft leaked 2.4TB of data belonging to sensitive customers. Critics are furious
    https://arstechnica.com/information-technology/2022/10/microsoft-under-fire-for-response-to-leak-of-2-4tb-of-sensitive-customer-data/
    Microsoft is facing criticism for the way it disclosed a recent security lapse that exposed what a security company said was 2.4 terabytes of data that included signed invoices and contracts, contact information, and emails of 65,000 current or prospective customers spanning five years.

    Reply
  32. Tomi Engdahl says:

    Google Launches GUAC Open Source Project to Secure Software Supply Chain https://thehackernews.com/2022/10/google-launches-guac-open-source.html
    Google on Thursday announced that it’s seeking contributors to a new open source initiative called Graph for Understanding Artifact Composition, also known as GUAC, as part of its ongoing efforts to beef up the software supply chain.

    Reply
  33. Tomi Engdahl says:

    Hackers Using New Version of FurBall Android Malware to Spy on Iranian Citizens https://thehackernews.com/2022/10/hackers-using-new-version-of-furball.html
    The Iranian threat actor known as Domestic Kitten has been attributed to a new mobile campaign that masquerades as a translation app to distribute an updated variant of an Android malware known as FurBall.

    Reply
  34. Tomi Engdahl says:

    Brazilian Police Arrest Suspected Member of Lapsus$ Hacking Group https://thehackernews.com/2022/10/brazilian-police-arrest-suspected.html
    The Federal Police of Brazil on Wednesday announced it had arrested an individual for purported links to the notorious LAPSUS$ extortionist gang. In addition:
    https://www.gov.br/pf/pt-br/assuntos/noticias/2022/10/pf-prende-brasileiro-suspeito-de-integrar-organizacao-criminosa-internacional

    Reply
  35. Tomi Engdahl says:

    Bloomberg:
    Sources: the Biden administration is considering subjecting some of Elon Musk’s ventures, including the Twitter deal and Starlink, to national security reviews — Biden administration officials are discussing whether the US should subject some of Elon Musk’s ventures to national security reviews …

    US Weighs Security Reviews for Musk Deals, Including Twitter Buy
    https://www.bloomberg.com/news/articles/2022-10-21/us-weighs-security-reviews-for-musk-deals-including-twitter-buy#xj4y7vzkg

    Concerns over Musk’s stance on Russia, threat to cut Starlink
    Discussions at early stage as officials consider legal options

    Biden administration officials are discussing whether the US should subject some of Elon Musk’s ventures to national security reviews, including the deal for Twitter Inc. and SpaceX’s Starlink satellite network, according to people familiar with the matter.

    Reply
  36. Tomi Engdahl says:

    Emily Baker-White / Forbes:
    Documents: a China-based ByteDance audit and risk control team planned to collect TikTok location data of specific US citizens never employed by the company — The project, assigned to a Beijing-led team, would have involved accessing location data from some U.S. users’ devices without their knowledge or consent.

    TikTok Parent ByteDance Planned To Use TikTok To Monitor The Physical Location Of Specific American Citizens
    https://www.forbes.com/sites/emilybaker-white/2022/10/20/tiktok-bytedance-surveillance-american-user-data/?sh=35f6c0266c2d

    The project, assigned to a Beijing-led team, would have involved accessing location data from some U.S. users’ devices without their knowledge or consent.

    A China-based team at TikTok’s parent company, ByteDance, planned to use the TikTok app to monitor the personal location of some specific American citizens, according to materials reviewed by Forbes.

    The team behind the monitoring project — ByteDance’s Internal Audit and Risk Control department — is led by Beijing-based executive Song Ye, who reports to ByteDance cofounder and CEO Rubo Liang.

    The team primarily conducts investigations into potential misconduct by current and former ByteDance employees. But in at least two cases, the Internal Audit team also planned to collect TikTok data about the location of a U.S. citizen who had never had an employment relationship with the company, the materials show. It is unclear from the materials whether data about these Americans was actually collected; however, the plan was for a Beijing-based ByteDance team to obtain location data from U.S. users’ devices.

    TikTok spokesperson Maureen Shanahan said that TikTok collects approximate location information based on users’ IP addresses to “among other things, help show relevant content and ads to users, comply with applicable laws, and detect and prevent fraud and inauthentic behavior.”

    But the material reviewed by Forbes indicates that ByteDance’s Internal Audit team was planning to use this location information to surveil individual American citizens, not to target ads or any of these other purposes.

    In September, President Biden signed an executive order enumerating specific risks that CFIUS should consider when assessing companies of foreign ownership. The order, which states that it intends to “emphasize . . . the risks presented by foreign adversaries’ access to data of United States persons,” focuses specifically on foreign companies’ potential use of data “for the surveillance, tracing, tracking, and targeting of individuals or groups of individuals, with potential adverse impacts on national security.”

    The Internal Audit and Risk Control team runs regular audits and investigations of TikTok and ByteDance employees, for infractions like conflicts of interest and misuse of company resources, and also for leaks of confidential information. Internal materials reviewed by Forbes show that senior executives, including TikTok CEO Shou Zi Chew, have ordered the team to investigate individual employees, and that it has investigated employees even after they left the company.

    The internal audit team uses a data request system known to employees as the “green channel,”

    These documents and records show that “green channel” requests for information about U.S. employees have pulled that data from mainland China.

    TikTok did not respond to questions about whether it has ever served different content or experiences to government officials, regulators, activists or journalists than the general public in the TikTok app.

    Both Uber and Facebook also reportedly tracked the location of journalists reporting on their apps.

    “It is impossible to keep data that should not be stored in CN from being retained in CN-based servers.”

    Project Texas, TikTok’s massive effort to rebuild its internal systems so that China-based employees will not be able to access a swath of “protected” identifying user data about U.S. TikTok users, including their phone numbers, birthdays and draft videos. This effort is central to the company’s national security negotiations with CFIUS.

    At a Senate hearing in September, TikTok Chief Operating Officer Vanessa Pappas said the forthcoming CFIUS contract would “satisfy all national security concerns” about the app. Still, some senators appeared skeptical.

    June report in BuzzFeed News showing that U.S. user data had been repeatedly accessed by ByteDance employees in China.

    In a statement about TikTok’s data access controls, TikTok spokesperson Shanahan said that the company uses tools like encryption and “security monitoring” to keep data secure, access approval is overseen by U.S. personnel, and that employees are granted access to U.S. data “on an as-needed basis.”

    It is unclear what role ByteDance’s Internal Audit team will play in TikTok’s efforts to limit China-based employees’ access to U.S. user data, especially given the team’s plans to monitor some American citizens’ locations using the TikTok app. But a fraud risk assessment written by a member of the team in late 2021 highlighted data storage concerns, saying that according to employees responsible for the company’s data, “it is impossible to keep data that should not be stored in CN from being retained in CN-based servers, even after ByteDance stands up a primary storage cetner [sic] in Singapore. [Lark data is saved in China.]” (brackets in original).

    The employee had been asked by Chris Lepitak, TikTok’s Chief Internal Auditor, to meet at an LA-area restaurant off hours. Lepitak, who reports to Beijing-based Song Ye, then asked the employee detailed questions about the location and details of the Oracle server that is central to TikTok’s plans to limit foreign access to personal U.S. user data. The employee told his manager that he was “freaked out” by the exchange.

    Oracle spokesperson Ken Glueck said that while TikTok does currently use Oracle’s cloud services, “we have absolutely no insight one way or the other” into who can access TikTok user data. “Today, TikTok is running in the Oracle cloud, but just like Bank of America, General Motors, and a million other customers, they have full control of everything they’re doing,” he said.

    This corroborates a January statement made by TikTok’s Head of Data Defense in another leaked audio call. In that call, the executive said to a colleague: “It’s almost incorrect to call it Oracle Cloud, because they’re just giving us bare metal, and then we’re building our VMs [virtual machines] on top of it.”

    Reply
  37. Tomi Engdahl says:

    Yle Areena was hit by a denial-of-service attack
    Yle Areena is working again.
    https://www.iltalehti.fi/kotimaa/a/64bf6fb8-0d05-4c46-922d-6370b4e02c12

    Yle Areena is working normally again. The service was targeted by a denial-of-service attack on Friday.

    The service is working normally again.

    Reply
  38. Tomi Engdahl says:

    Microsoft Confirms Server Misconfiguration Led to 65,000+ Companies’ Data Leak
    https://thehackernews.com/2022/10/microsoft-confirms-server.html

    Reply
  39. Tomi Engdahl says:

    Clare O’Neil warns of new world of ‘relentless’ cyber-attacks after Medibank hack
    Group claiming they carried out attack say they wish to negotiate over the insurer’s customer data
    https://www.theguardian.com/technology/2022/oct/19/health-insurer-medibank-enters-trading-halt-after-purported-cyber-attack

    Reply
  40. Tomi Engdahl says:

    Microsoft Confirms Server Misconfiguration Led to 65,000+ Companies’ Data Leak
    https://thehackernews.com/2022/10/microsoft-confirms-server.html
    Microsoft this week confirmed that it inadvertently exposed information related to thousands of customers following a security lapse that left an endpoint publicly accessible over the internet sans any authentication.

    Reply
