Cyber security news December 2022

This posting is here to collect cyber security news in December 2022.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.


  1. Tomi Engdahl says:

    Facebook Agrees to Pay $725 Million to Settle Privacy Suit

    Facebook parent Meta has agreed to pay $725 million to settle a long-running lawsuit that accused the social network of allowing third parties, including Cambridge Analytica, to access users’ private data.

    The amount was disclosed in a court filing late on Thursday.

    “The proposed settlement of $725,000,000 is the largest recovery ever achieved in a data privacy class action and the most Facebook has ever paid to resolve a private class action,” lawyers for the plaintiffs said in the filing.

    Facebook has not admitted any wrongdoing as part of the settlement, which still requires approval by a judge in the San Francisco division of the US District Court.

    “We pursued a settlement as it’s in the best interest of our community and shareholders,” Meta spokesperson Dina El-Kassaby Luce said in a statement. “Over the last three years we revamped our approach to privacy and implemented a comprehensive privacy program.”

    It was reported in August that Facebook had reached a preliminary agreement, although the amount and terms of the settlement were not announced.

  2. Tomi Engdahl says:

    New Stealth Techniques used by Cranefly Espionage Hackers

    Web-based cybersecurity attackers use “stealthier techniques” which are not as “noisy” as active attacks, making it easier to continue undetected for a longer period of time. Stealthy techniques are employed by malware developers which utilize various mechanisms to avoid detection. It takes its name from the term stealth, which describes an approach to doing something while avoiding notice. Once injected into a computer, the stealthier techniques enable the malware to operate and gain control over parts of the system or the entire system without issuing any alerts or notifying the user of its presence.
    A news report broadcast by The Hacker News outlines the stealthy techniques revealed by researchers from Symantec which are being utilized by Cranefly espionage hackers. The Cranefly espionage hacker group is recognized for attacking bulk email collections of employees that worked in corporate development, mergers, acquisitions and large corporate transactions. Initial analysis appeared to show a link between the toolset of Cranefly activity and that of a group called UNC3524, which surfaced for the first time in May 2022. These attackers spent at least 18 months on victim networks without retreating data and used backdoors on appliances that didn’t support security tools to remain undetected.

  3. Tomi Engdahl says:

    Google & Apache Found Vulnerable to GitHub Environment Injection

    In this blog post, we’ll discuss a new type of GitHub Actions workflow vulnerability we called “GitHub Environment Injection”. We’ve found a couple of top-tier open-source organizations vulnerable to this attack: Google Firebase and Apache. Both Google and Apache acknowledged the issues we reported and fixed their workflows accordingly. Those organizations contained repositories that had workflows that download an untrusted artifact and dumped its content into a GitHub environment file. As we’ve seen previously, using untrusted data in a privileged context can open the door to CI/CD pipeline takeover risk and allow a malicious actor to take control of the pipeline.

    In this write-up, we’ll cover the vulnerable Google Firebase workflows and how they can lead to a software supply chain attack. To keep this blog within a reasonable length and due to similarities between the cases, we won’t cover the Apache case, but you can find their fix here.
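
The pattern described in comment 3 above, as an added example that is not code from the Legit Security write-up or from Firebase’s or Apache’s workflows: a Python model of the risky step that appends a downloaded artifact to GITHUB_ENV, next to a hardened replacement that accepts only allowlisted KEY=VALUE lines. The artifact format, the allowlist (PR_NUMBER, PR_HEAD_SHA) and the sample artifact are assumptions made for the example.

```python
# Added example: models "cat <untrusted artifact> >> $GITHUB_ENV" and a hardened
# replacement. Not code from the write-up or from any real workflow.
# Assumptions (not in the article): the artifact is a text file of KEY=VALUE
# lines, and the privileged workflow legitimately needs only ALLOWED_KEYS.
import os
import re
import tempfile

# Keys the privileged workflow actually needs, each with a strict value pattern.
ALLOWED_KEYS = {
    "PR_NUMBER": re.compile(r"[0-9]{1,7}"),
    "PR_HEAD_SHA": re.compile(r"[0-9a-f]{40}"),
}

# Variables that change how later steps execute; never accept them from an artifact.
DANGEROUS_KEYS = {"LD_PRELOAD", "NODE_OPTIONS", "PATH", "BASH_ENV",
                  "GITHUB_ENV", "GITHUB_PATH", "GITHUB_OUTPUT"}

KEY_VALUE = re.compile(r"([A-Za-z_][A-Za-z0-9_]*)=(.*)")


def vulnerable_append(artifact_text, github_env_path):
    """The pattern the article warns about: the untrusted artifact is appended
    to GITHUB_ENV unchanged, so every line becomes an environment variable for
    all later steps of the privileged job."""
    with open(github_env_path, "a", encoding="utf-8") as env_file:
        env_file.write(artifact_text)


def sanitize_env_lines(artifact_text):
    """Split the artifact into (accepted, rejected) lines.

    A line survives only if it is exactly KEY=VALUE, KEY is allowlisted and
    VALUE matches that key's pattern. Everything else is rejected, including
    the multi-line 'KEY<<DELIMITER' syntax that GITHUB_ENV also understands.
    """
    accepted, rejected = [], []
    for raw in artifact_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = KEY_VALUE.fullmatch(line)
        if match is None:
            rejected.append(line)
            continue
        key, value = match.group(1), match.group(2)
        if key in DANGEROUS_KEYS or key not in ALLOWED_KEYS:
            rejected.append(line)
            continue
        if ALLOWED_KEYS[key].fullmatch(value) is None:
            rejected.append(line)
            continue
        accepted.append(f"{key}={value}")
    return accepted, rejected


def hardened_append(artifact_text, github_env_path):
    """Write only sanitized lines; return what was accepted and what was dropped
    so the workflow can fail loudly when anything was rejected."""
    accepted, rejected = sanitize_env_lines(artifact_text)
    with open(github_env_path, "a", encoding="utf-8") as env_file:
        for line in accepted:
            env_file.write(line + "\n")
    return accepted, rejected


def read_env_file(github_env_path):
    with open(github_env_path, encoding="utf-8") as env_file:
        return [line.rstrip("\n") for line in env_file if line.strip()]


def demo():
    """Run both variants on a constructed artifact; return (vulnerable, hardened) contents."""
    # Constructed artifact: one legitimate line plus two injected ones that would
    # hijack the next node or native step of the privileged job.
    malicious = (
        "PR_NUMBER=4242\n"
        "LD_PRELOAD=/tmp/evil.so\n"
        "NODE_OPTIONS=--require /tmp/evil.js\n"
    )
    with tempfile.TemporaryDirectory() as workdir:
        vuln_env = os.path.join(workdir, "github_env_vulnerable")
        hard_env = os.path.join(workdir, "github_env_hardened")
        vulnerable_append(malicious, vuln_env)
        hardened_append(malicious, hard_env)
        return read_env_file(vuln_env), read_env_file(hard_env)


if __name__ == "__main__":
    leaked, kept = demo()
    print("vulnerable GITHUB_ENV:", leaked)
    print("hardened GITHUB_ENV:  ", kept)
```

Running the block prints both files: the vulnerable one carries LD_PRELOAD and NODE_OPTIONS into every later step of the job, the hardened one carries only PR_NUMBER. In a real workflow a non-empty rejected list should fail the job rather than just be logged, and the safest fix is to not consume untrusted artifact content in a privileged workflow at all.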

  4. Tomi Engdahl says:

    Bits and Bytes

    Okta is having a rough year. After several breaches earlier this year, Okta’s private GitHub repositories were accessed and copied by an attacker. So far, it appears that no customer data was accessed, and to their credit, Okta has a security posture that “does not rely on the confidentiality of its source code as a means to secure its services.” It’s likely that this incident was a follow-on from the previous breach, using credentials obtained in that data.

    And breaking just before we hit the presses, Lastpass has revealed more information about the breach they suffered back in November. It’s not good. We made an educated guess that the cause was an access token lost during a previous incident, but the latest news indicates it was a social engineering attack, using captured information. The data lost is troubling: including encrypted data vaults, metadata like URLs, customer name, address, phone number, IP Address, etc.

    Thankfully this doesn’t include credit card information, and the Lastpass Zero Knowledge architecture does protect the actual passwords — assuming your master password is sufficiently secure. This isn’t quite a worst-case scenario, as no malicious code was shipped to customers, but it’s just about as bad as could be otherwise.

  5. Tomi Engdahl says:

    New York Times:
    German researchers bought a US military device, last used in Afghanistan in 2012, with fingerprints, iris scans, and other data on 2,632 people, for $68 on eBay — German security researchers studying biometric capture devices popular with the U.S. military got more than they expected for $68 on eBay.

  6. Tomi Engdahl says:

    Dentist had to say no to a child: A cyberattack has crippled a small municipality’s services for a week

    THE MUNICIPALITY of Säkylä in Satakunta has not yet fully recovered from a cyberattack that was detected on Sunday, 18 December.

    Some of the municipality’s information systems were taken out of use because of the attack.

    It was not an attack that blocks services with a large volume of traffic, but an attempt to break into the municipality’s data. There are no indications of extortion, and according to current information the attackers did not succeed in stealing data.

    NOTHING is known about the attackers’ origin, and there is no certainty about their motives.

    – We don’t want to take a position on that. Various theories circulate when you look at the map and what operations there are in Säkylä, Mäenpää says, referring to the presence of the Pori Brigade.

    The Pori Brigade is the largest single unit of the Finnish Army and one of the Army’s three readiness brigades.

    – Some have drawn conclusions from that. But we have no facts about any connection.

  7. Tomi Engdahl says:

    US House bans TikTok on lawmakers’ official phones

    The U.S. House of Representatives has ordered its staff and lawmakers to delete TikTok from any government-issued mobile devices due to “security issues” with the popular video-sharing app.

    The order to delete the app was issued by Catherine Szpindor, the chief administrative officer of the House, whose office warned in August that the app represented a “high risk to users” citing a “number of security concerns.”

  8. Tomi Engdahl says:

    EarSpy attack eavesdrops on Android phones via motion sensors
    A team of researchers has developed an eavesdropping attack for Android devices that can, to various degrees, recognize the caller’s gender and identity, and even discern private speech. Named EarSpy, the side-channel attack aims at exploring new possibilities of eavesdropping through capturing motion sensor data readings caused by reverberations from ear speakers in mobile devices. EarSpy is an academic effort of researchers from five American universities (Texas A&M University, New Jersey Institute of Technology, Temple University, University of Dayton, and Rutgers University). While this type of attack has been explored in smartphone loudspeakers, ear speakers were considered too weak to generate enough vibration for eavesdropping risk to turn such a side-channel attack into a practical one. However, modern smartphones use more powerful stereo speakers compared to models a few years ago, which produce much better sound quality and stronger vibrations.

  9. Tomi Engdahl says:

    Hackers steal $8 million from users running trojanized BitKeep apps
    Multiple BitKeep crypto wallet users reported that their wallets were emptied during Christmas after hackers triggered transactions that didn’t require verification. BitKeep is a decentralized multi-chain web3 DeFi wallet supporting over 30 blockchains, 76 mainnets, 20,000 decentralized applications, and more than 223,000 assets. It’s used by over eight million people in 168 countries for asset management and transaction handling. While the platform has not released an official announcement on its website, it has informed the community on the official Telegram channel that the incident appears to have impacted users who downloaded an unofficial version of the BitKeep app.

  10. Tomi Engdahl says:

    Canada’s largest children’s hospital struggles to recover from pre-Christmas ransomware attack
    Toronto’s Hospital for Sick Children, Canada’s largest pediatric health center, is still recovering from a ransomware attack that began on December 18. The hospital, which is attached to the University of Toronto, initially said the attack affected several network systems but did not discontinue patient care.
    Despite that, the healthcare organization declared the incident a “code grey,” which they said represented a system failure. Officials later confirmed that it was a ransomware attack but said there was no evidence that the personal information of patients had been compromised.

  11. Tomi Engdahl says:

    lost $3 million worth of cryptocurrency in cyberattack
    , one of the world’s largest cryptocurrency mining pools, announced it was the victim of a cyberattack that resulted in the theft of approximately $3 million worth of crypto assets belonging to both customers and the company. According to its mining pool tracker, is the seventh largest cryptocurrency mining pool, with 2.66% of the network’s total hashrate.

  12. Tomi Engdahl says:

    TikTok banned from House of Representatives devices
    TikTok will be banned from all devices managed by the House of Representatives, the chamber’s Chief Administrative Office announced Tuesday. The agency’s Office of Cybersecurity has deemed “the TikTok mobile application to be a high risk to users due to a number of security risks,” the CAO said in an email. “Staffers are NOT allowed to download the TikTok app on any House mobile devices and the app is NOT allowed on House mobile devices,” the message stated.

  13. Tomi Engdahl says:

    BlueNoroff introduces new methods bypassing MoTW
    BlueNoroff group is a financially motivated threat actor eager to profit from its cyberattack capabilities. The group usually takes advantage of Word documents and uses shortcut files for the initial intrusion. However, it has recently started to adopt new methods of malware delivery. The first new method the group adopted is aimed at evading the Mark-of-the-Web (MOTW) flag, the security measure whereby Windows displays a warning message when the user tries to open a file downloaded from the internet. To do this, optical disk image (.iso extension) and virtual hard disk (.vhd extension) file formats were used. This is a common tactic used nowadays to evade MOTW, and BlueNoroff has also adopted it.

  14. Tomi Engdahl says:

    APT Hackers Turn to Malicious Excel Add-ins as Initial Intrusion Vector
    Microsoft’s decision to block Visual Basic for Applications (VBA) macros by default for Office files downloaded from the internet has led many threat actors to improvise their attack chains in recent months. Now according to Cisco Talos, advanced persistent threat (APT) actors and commodity malware families alike are increasingly using Excel add-in (.XLL) files as an initial intrusion vector. Weaponized Office documents delivered via spear-phishing emails and other social engineering attacks have remained one of the widely used entry points for criminal groups looking to execute malicious code. These documents traditionally prompt the victims to enable macros to view seemingly innocuous content, only to activate the execution of malware stealthily in the background.

  15. Tomi Engdahl says:

    Thousands of Citrix servers vulnerable to patched critical flaws
    Thousands of Citrix ADC and Gateway deployments remain vulnerable to two critical-severity security issues that the vendor fixed in recent months. The first flaw is CVE-2022-27510, fixed on November 8. It’s an authentication bypass that affects both Citrix products. An attacker could exploit it to gain unauthorized access to the device, perform remote desktop takeover, or bypass the login brute force protection.
    The second bug is tracked as CVE-2022-27518, disclosed and patched on December 13. It allows unauthenticated attackers to perform remote command execution on vulnerable devices and take control of them.
    Threat actors had already been exploiting CVE-2022-27518 when Citrix published a security update to fix it. Today, researchers at NCC Group’s Fox-IT team report that while most public-facing Citrix endpoints have been updated to a safe version, thousands remain vulnerable to attacks.

  16. Tomi Engdahl says:

    Ransomware attack at Louisiana hospital impacts 270,000 patients
    The Lake Charles Memorial Health System (LCMHS) is sending out notices of a data breach affecting almost 270,000 people who have received care at one of its medical centers. LCMHS is the largest medical complex in Lake Charles, Louisiana, comprising a 314-bed hospital, a 54-bed women’s hospital, a 42-bed behavioral health hospital, and a primary care clinic for uninsured citizens. According to the announcement posted on the LCMHS site, the cybersecurity incident occurred on October 21, 2022, when the organization’s security team detected unusual activity on the computer network. An internal investigation concluded on October 25, 2022 revealed that hackers had gained unauthorized access to LCMHS’ network and then stole sensitive files.

  17. Tomi Engdahl says:

    Royal ransomware claims attack on Intrado telecom provider
    The Royal Ransomware gang claimed responsibility for a cyber attack against telecommunications company Intrado on Tuesday. While Intrado is yet to share any information regarding this incident, sources have told BleepingComputer that the attack started on December 1 and the initial ransom demand was $60 million. The Royal Ransomware group, made up of experienced threat actors and operating without affiliates, has reportedly stolen some data from Intrado’s systems and is now threatening to publish it on their data leak site unless the company pays the ransom.

  18. Tomi Engdahl says:

    Dentist had to say no to a child: A cyberattack has crippled a small municipality’s services for a week
    THE MUNICIPALITY of Säkylä in Satakunta has not yet fully recovered from a cyberattack that was detected on Sunday, 18 December. Some of the municipality’s information systems were taken out of use because of the attack.
    Ilta-Sanomat has learned that as recently as yesterday, Tuesday, a child could not be treated at the dentist’s because the patient record system was still down. “That is correct. They have had problems there,” municipal manager Teijo Mäenpää confirms. According to Mäenpää, there were earlier problems in physician services as well, but in his view patient safety has not been compromised. Overall, recovery from the attack is well advanced, Mäenpää estimates.

  19. Tomi Engdahl says:

    EarSpy: Spying on Phone Calls via Ear Speaker Vibrations Captured by Accelerometer

    As smartphone manufacturers are improving the ear speakers in their devices, it can become easier for malicious actors to leverage a particular side-channel for eavesdropping on a targeted user’s conversations, according to a team of researchers from several universities in the United States.

    The attack method, named EarSpy, is described in a paper published just before Christmas by researchers from Texas A&M University, Temple University, New Jersey Institute of Technology, Rutgers University, and the University of Dayton.

    EarSpy: Spying Caller Speech and Identity through Tiny Vibrations of Smartphone Ear Speakers

  20. Tomi Engdahl says:

    Experts warn of a critical Linux Kernel vulnerability (CVSS score of 10) impacting SMB servers that can lead to remote code execution.

  21. Tomi Engdahl says:

    Popular password service was hacked: the whole truth is chilling
    LastPass, one of the world’s most popular password management services, revealed before Christmas that in the November attack on its systems the attackers obtained sensitive user data. Even that startling admission on its own does not convince the experts, The Verge reports. Security researcher Wladimir Palant gives LastPass a dressing-down. According to LastPass, the November attack made use of data stolen in the August attack. Palant writes that LastPass makes the attacks sound like two separate incidents, when in reality the service simply failed to stop the August attack, even over a period of months.

  22. Tomi Engdahl says:

    Google Home speakers allowed hackers to snoop on conversations
    A bug in Google Home smart speaker allowed installing a backdoor account that could be used to control it remotely and to turn it into a snooping device by accessing the microphone feed. A researcher discovered the issue and received $107,500 for responsibly reporting it to Google last year. Earlier this week, the researcher published technical details about the finding and an attack scenario to show how the flaw could be leveraged.

  23. Tomi Engdahl says:

    Crypto platform 3Commas admits hackers stole API keys
    An anonymous Twitter user published yesterday a set of 10,000 API keys allegedly obtained from the 3Commas cryptocurrency trading platform.
    3Commas looked into the leaked data and confirmed today that the files contain valid API keys. As a result, the platform now urges all supported exchanges, including Kucoin, Coinbase, and Binance, to revoke all keys connected to 3Commas.

  24. Tomi Engdahl says:

    Hackers abuse Google Ads to spread malware in legit software
    Malware operators have been increasingly abusing the Google Ads platform to spread malware to unsuspecting users searching for popular software products. The products impersonated in these campaigns include Grammarly, MSI Afterburner, Slack, Dashlane, Malwarebytes, Audacity, Torrent, OBS, Ring, AnyDesk, LibreOffice, TeamViewer, Thunderbird, and Brave.

  25. Tomi Engdahl says:

    Personal data from 270,000 patients was leaked in Louisiana hospital cyberattack
    The personal information of nearly 270,000 patients including Social Security Numbers was leaked in an October cyberattack on the largest hospital in Lake Charles, Louisiana, the facility announced this week.

  26. Tomi Engdahl says:

    Several DoS, Code Execution Vulnerabilities Found in Rockwell Automation Controllers

    Organizations using controllers made by Rockwell Automation have been informed recently about several potentially serious vulnerabilities.

    The US Cybersecurity and Infrastructure Security Agency (CISA) last week published three advisories to describe a total of four high-severity vulnerabilities. Rockwell Automation has published individual advisories for each security hole.

    One flaw is CVE-2022-3156, which impacts the Studio 5000 Logix Emulate controller emulation software. The vulnerability is caused by a misconfiguration that results in users being granted elevated permissions on certain product services. An attacker could exploit the weakness for remote code execution.

    The second vulnerability is CVE-2022-3157, which affects CompactLogix, GuardLogix (including Compact), and ControlLogix controllers. An attacker can exploit the flaw to launch a denial-of-service (DoS) attack against a device by sending specially crafted CIP requests that cause a “major non-recoverable fault”.

    The remaining vulnerabilities impact MicroLogix 1100 and 1400 programmable logic controllers (PLCs). One of the security holes, CVE-2022-46670, is a stored cross-site scripting (XSS) issue in the embedded webserver that can be exploited for remote code execution without authentication.

  27. Tomi Engdahl says:

    Alibaba CEO to oversee cloud arm following major server outage

    The decision that stands out is happening at Alibaba Cloud, the third-largest public cloud infrastructure provider in the world only after AWS and Microsoft. Jeff Zhang, former president of Alibaba Cloud Intelligence, is stepping down while Daniel Zhang (unrelated), Alibaba’s CEO, takes over as acting president.

    The timing of the restructuring is sparking speculation. Just under two weeks ago, Alibaba Cloud’s Hong Kong servers suffered a serious outage that shut down many services in the region, including major crypto exchange OKX. The system failure, which lasted up to one day for some customers, made the incident one of the biggest among Chinese cloud providers in recent history.

  29. Tomi Engdahl says:

    Nationwide outage took down Elisa’s network connections
    ELISA’S network connections ran into problems on Friday evening. According to Elisa’s customer service, the problems affect both fixed broadband and mobile connections. Elisa said it was investigating the matter and apologized for the disruption. Elisa reports that the fault was fixed by 6 p.m.

  30. Tomi Engdahl says:

    TikTok banned in the US House of Representatives
    THE VIDEO APP TikTok from the Chinese company ByteDance is being forced off phones issued by the US House of Representatives, an internal memo seen by NBC News reveals. According to Tuesday’s memo from the House’s Chief Administrative Officer, Catherine L. Szpindor, TikTok poses a high risk to its users because of several security threats.

  31. Tomi Engdahl says:

    Canadian mining firm shuts down mill after ransomware attack
    The Canadian Copper Mountain Mining Corporation (CMMC) in British Columbia has announced that it was the target of a ransomware attack that impacted its operations. CMMC, partly owned by Mitsubishi Materials Corporation, is an 18,000-acre claim that produces an average of 100 million pounds of copper per year and has an estimated mineral reserve capacity for another 32 years.

  32. Tomi Engdahl says:

    New Linux malware uses 30 plugin exploits to backdoor WordPress sites
    A previously unknown Linux malware has been exploiting 30 vulnerabilities in multiple outdated WordPress plugins and themes to inject malicious JavaScript. According to a report by antivirus vendor Dr. Web, the malware targets both 32-bit and 64-bit Linux systems, giving its operator remote command capabilities.

  33. Tomi Engdahl says:

    Ukraine shuts down fraudulent call center claiming 18,000 victims
    A group of imposters operating out of a Ukrainian call center defrauded thousands of victims while pretending to be IT security employees at their banks. They contacted the victims, claimed that their bank accounts had been accessed by attackers, and requested financial information claiming it was needed to prevent fraud but, instead, emptied their bank accounts. The scheme was uncovered by the Cyber Police Department, the Main Investigative Department of the National Police, the Prosecutor General’s Office, and law enforcement officers in Kazakhstan.

  34. Tomi Engdahl says:

    Researcher Uncovers Potential Wiretapping Bugs in Google Home Smart Speakers
    A security researcher was awarded a bug bounty of $107,500 for identifying security issues in Google Home smart speakers that could be exploited to install backdoors and turn them into wiretapping devices. The flaws “allowed an attacker within wireless proximity to install a ‘backdoor’ account on the device, enabling them to send commands to it remotely over the internet, access its microphone feed, and make arbitrary HTTP requests within the victim’s LAN,” the researcher, who goes by the name Matt, disclosed in a technical write-up published this week.

  35. Tomi Engdahl says:

    Royal ransomware group claims it attacked Iowa PBS station
    A ransomware group linked to a number of recent hacks said on Thursday that it was behind a cyberattack on the Iowa branch of the Public Broadcasting Service. Susan Ramsey, director of communications for Iowa PBS, told The Record that in the early hours of November 20, Iowa PBS became aware of suspicious activity on its network systems. “We swiftly brought in systems experts to help us identify the issue,” Ramsey said. “Iowa PBS’s ability to serve Iowans has not been affected.
    The broadcast, livestreams and digital platforms are still operational and Iowa PBS will continue to educate, inform, enrich and inspire Iowans.”

  36. Tomi Engdahl says:

    Port of Lisbon website still down as LockBit gang claims cyberattack
    The website for the Port of Lisbon is still down days after officials confirmed it was the target of a cyberattack. On Christmas Day, officials with the Administration of the Port of Lisbon (APL) told the newspaper Publico that it had been targeted. Despite the attack, port officials said the incident did not compromise operational activity but noted that both the National Cybersecurity Center and the Judiciary Police were notified of the incident. On Thursday, the LockBit ransomware group said it launched the attack against the port, claiming to have stolen financial reports, audits, budgets, contracts, ship logs and other information about cargo and crews. The gang gave the port until January 18 to comply with ransom demands, threatening to leak the stolen data.

  37. Tomi Engdahl says:

    The cyberattack that plagued the municipality of Säkylä for a couple of weeks has been brought under control
    The cyberattack against the municipality of Säkylä has for the most part ended, the municipality reports on its Facebook page. Containment, investigation and remediation of the cyberattack carried out a couple of weeks ago have largely been completed. Residents’ data is not known to have leaked to outsiders. The municipality of Säkylä filed a criminal report about the matter, and the case has also been investigated with the assistance of Traficom’s National Cyber Security Centre and an international cybersecurity company.

  38. Tomi Engdahl says:

    Thousands of Citrix Servers Still Unpatched for Critical Vulnerabilities
    Thousands of Citrix Application Delivery Controller (ADC) and Gateway endpoints remain vulnerable to two critical security flaws disclosed by the company over the last few months. The issues in question are CVE-2022-27510 and CVE-2022-27518 (CVSS scores: 9.8), which were addressed by the virtualization services provider on November 8 and December 13, 2022, respectively.

  39. Tomi Engdahl says:

    New Malvertising Campaign via Google Ads Targets Users Searching for Popular Software
    Users searching for popular software are being targeted by a new malvertising campaign that abuses Google Ads to serve trojanized variants that deploy malware, such as Raccoon Stealer and Vidar. The activity makes use of seemingly credible websites with typosquatted domain names that are surfaced on top of Google search results in the form of malicious ads by hijacking searches for specific keywords.
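
The typosquatted lookalike domains described in comment 39 above, as an added example that is not code from the malvertising analysis the comment summarises: a small Python check of the kind a defender can run over proxy or DNS logs, which folds common homoglyph tricks and then compares the domain against a list of protected brands by exact match, by substring and by edit distance. The brand list, the “official” domains and the sample domains are assumptions constructed for the example, and the one-label public-suffix handling is a deliberate simplification.

```python
# Added example: lookalike-domain detection for brands abused in malvertising.
# Not code from the article or from any vendor tool. OFFICIAL and the sample
# domains below are assumptions made for the example.

# brand -> the one domain that is legitimately allowed to carry the name (assumed)
OFFICIAL = {
    "grammarly": "grammarly.com",
    "anydesk": "anydesk.com",
    "malwarebytes": "malwarebytes.com",
    "teamviewer": "teamviewer.com",
    "thunderbird": "thunderbird.net",
    "dashlane": "dashlane.com",
}

# Characters and pairs commonly swapped for visually similar ones.
HOMOGLYPH_CHARS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                                 "5": "s", "7": "t", "8": "b"})
HOMOGLYPH_PAIRS = [("rn", "m"), ("vv", "w")]


def split_host(domain):
    """Return (host, registrable label, all labels except the TLD).
    Simplification: assumes a one-label public suffix (.com, .net), so
    'example.co.uk' would yield 'co'; a real tool would use the public suffix list."""
    host = domain.lower().rstrip(".")
    labels = host.split(".")
    registrable = labels[-2] if len(labels) >= 2 else labels[0]
    return host, registrable, labels[:-1]


def fold_homoglyphs(text):
    folded = text.translate(HOMOGLYPH_CHARS)
    for pair, single in HOMOGLYPH_PAIRS:
        folded = folded.replace(pair, single)
    return folded.replace("-", "")


def edit_distance(a, b):
    """Damerau-Levenshtein (optimal string alignment): insert, delete,
    substitute, or swap two adjacent characters each cost 1."""
    prev2, prev1 = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev1[j] + 1, cur[j - 1] + 1, prev1[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev1 = prev1, cur
    return prev1[len(b)]


def check_domain(domain):
    """Return None when the domain looks fine, otherwise (brand, reason)."""
    host, registrable, name_labels = split_host(domain)
    for official in OFFICIAL.values():
        if host == official or host.endswith("." + official):
            return None                      # the real thing, subdomains included
    folded_reg = fold_homoglyphs(registrable)
    folded_all = fold_homoglyphs("".join(name_labels))
    for brand in OFFICIAL:
        if folded_reg == brand:
            return brand, "identical to the brand after homoglyph folding"
        if brand in folded_all:
            return brand, "brand name embedded in a non-official domain"
        # allow one edit per five characters of brand name, at least one
        if edit_distance(folded_reg, brand) <= max(1, len(brand) // 5):
            return brand, "within edit distance of the brand name"
    return None


def scan(domains):
    """Map each domain to its finding (or None)."""
    return {d: check_domain(d) for d in domains}


if __name__ == "__main__":
    SAMPLE_DOMAINS = [                       # constructed log entries
        "www.grammarly.com", "github.com", "grarnmarly.com",
        "anydesk-download.net", "teamvievver.com", "ma1warebytes.com",
        "dashlanes.com", "grammarly.com.evil.net",
    ]
    for domain, finding in scan(SAMPLE_DOMAINS).items():
        print(f"{domain:28} {finding or 'ok'}")
```

The three checks catch different tricks: homoglyph folding catches rn/m and digit swaps, the substring check catches “brand-download.net” style names and brand names buried in a longer hostname, and the edit-distance check catches single-character typos. Tune the threshold and brand list to your environment; short brand names will need a stricter threshold to keep false positives down.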

  40. Tomi Engdahl says:

    LockBit ransomware claims attack on Port of Lisbon in Portugal
    A cyberattack hitting the Port of Lisbon Administration (APL), the third-largest port in Portugal, on Christmas day, has been claimed by the LockBit ransomware gang. According to a company statement shared with local media outlets on Monday, the cyberattack did not impact the port’s operations.

  41. Tomi Engdahl says:

    CISA Says Two Old JasperReports Vulnerabilities Exploited in Attacks

    The US Cybersecurity and Infrastructure Security Agency (CISA) has added two JasperReports flaws to its Known Exploited Vulnerabilities Catalog.

    Tibco’s JasperReports Library is advertised as the world’s most popular open source reporting engine. The JasperReports Server software is designed to enable non-technical users to create reports, dashboards, and visualizations.

    CISA has learned that two JasperReports vulnerabilities discovered in 2018 have been exploited in attacks.

    One of them is CVE-2018-18809, a critical directory traversal issue in JasperReports Library that can allow webserver users to access data on the host system, which can include credentials for accessing other systems. The flaw was addressed in March 2019.

    CVE-2018-18809 has been found to affect the products of major vendors that use the JasperReports Library, including IBM products.

    The second vulnerability is CVE-2018-5430, a high-severity information disclosure issue affecting JasperReports Server. The security hole was addressed in April 2018.
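
The directory traversal class of bug described in comment 41 above, as an added example that is not code from JasperReports or from CISA’s advisory: a Python function showing the check such a bug is missing, which canonicalises the requested path and refuses anything that resolves outside the report directory. The base directory and the sample requests are assumptions constructed for the example, not values from any real deployment.

```python
# Added example: the generic guard a directory traversal bug lacks. Not code
# from JasperReports. The base directory and sample requests are assumptions.
import os
from urllib.parse import unquote


def resolve_under_base(base_dir, requested):
    """Return the absolute path for `requested` if it lies inside base_dir,
    otherwise None.

    Each step closes a common bypass:
      1. percent-decode once, so %2e%2e%2f becomes ../
      2. treat backslashes as separators (Java on Windows accepts both)
      3. join to the base and canonicalise (collapses . and .., follows
         symlinks for components that exist)
      4. compare against the canonical base by path components, not by
         string prefix, so /srv/x/reports-old is not mistaken for /srv/x/reports
    """
    base = os.path.realpath(base_dir)
    decoded = unquote(requested).replace("\\", "/")
    if decoded.startswith("/"):
        return None   # os.path.join would discard the base for an absolute argument
    candidate = os.path.realpath(os.path.join(base, decoded))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def classify_requests(base_dir, requests):
    """Map each request to the resolved path, or to 'REJECTED'."""
    return {r: (resolve_under_base(base_dir, r) or "REJECTED") for r in requests}


if __name__ == "__main__":
    BASE = "/srv/jasperserver/reports"      # assumed location
    SAMPLES = [                              # constructed requests
        "quarterly/q4.jrxml",
        "quarterly/../q4.jrxml",
        "../../../etc/passwd",
        "%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd",
        "..\\..\\..\\etc\\shadow",
        "/etc/passwd",
        "../reports-old/secrets.properties",
    ]
    for req, result in classify_requests(BASE, SAMPLES).items():
        print(f"{req!r:45} -> {result}")
```

Note that only one round of percent-decoding is done on purpose: a web server has already decoded the URL once, so decoding again here is what a double-encoding bypass relies on; decode exactly as many times as your front end does, and no more.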

  42. Tomi Engdahl says:

    Netwrix Acquires Remediant for PAM Technology

    Data security software vendor Netwrix has acquired Remediant, an early-stage startup working on technology in the PAM (privileged access management) category.

    Financial terms of the acquisition were not disclosed.

