This posting is here to collect cyber security news in January 2023.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
446 Comments
Tomi Engdahl says:
Microsoft Azure-Based Kerberos Attacks Crack Open Cloud Accounts
https://www.darkreading.com/cloud/microsoft-azure-kerberos-attacks-open-cloud-accounts
Two common attacks against on-premises Kerberos authentication servers — known as Pass the Ticket and Silver Ticket — can be used against Microsoft’s Azure AD Kerberos, a security firm says.
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/exploit-released-for-critical-windows-cryptoapi-spoofing-bug/
Tomi Engdahl says:
Malware exploited critical Realtek SDK bug in millions of attacks
https://www.bleepingcomputer.com/news/security/malware-exploited-critical-realtek-sdk-bug-in-millions-of-attacks/
Hackers have leveraged a critical remote code execution vulnerability in Realtek Jungle SDK in 134 million attacks trying to infect smart devices in the second half of 2022.
Exploited by multiple threat actors, the vulnerability is tracked as CVE-2021-35394 and comes with a severity score of 9.8 out of 10.
Between August and October last year, sensors from Palo Alto Networks observed significant exploitation activity for this security issue, accounting for more than 40% of the total number of incidents.
High exploitation levels
Starting September 2022, a new sizable botnet malware named ‘RedGoBot’ appeared in the wild targeting IoT devices vulnerable to CVE-2021-35394.
Three different payloads were delivered as a result of these attacks:
a script that executes a shell command on the target server to download malware
an injected command that writes a binary payload to a file and executes it
an injected command that reboots the server
Most of these attacks originate from botnet malware families like Mirai, Gafgyt, Mozi, and derivatives of them. In April 2022, the Fodcha botnet was spotted exploiting CVE-2021-35394 for distributed denial-of-service (DDoS) operations.
Tomi Engdahl says:
Hit game developer that fell victim to a data breach did not play along with the criminals – the consequences were to be expected
https://www.tivi.fi/uutiset/tietomurron-uhriksi-joutunut-hittipelin-kehittaja-ei-lahtenyt-mukaan-rikollisten-leikkiin-seuraukset-olivat-odotettavissa/c67fc101-90dd-42bb-95e3-0dbb1db42e59
The alleged source code of League of Legends is being sold at auction.
Riot Games, developer of the hit game League of Legends, recently became the target of a data breach. The criminals gained access to the company’s development systems and took with them the source code of League of Legends, Teamfight Tactics, and the anti-cheat platform Packman.
Tomi Engdahl says:
Malicious Android app found powering account creation service
https://www.bleepingcomputer.com/news/security/malicious-android-app-found-powering-account-creation-service/
Tomi Engdahl says:
https://thehackernews.com/2023/01/researchers-release-poc-exploit-for.html
Tomi Engdahl says:
Three seconds of audio could end up costing Fox $500,000
And that, kids, is why we don’t play the Emergency Alert System tone on TV
Richard Currie
Fri 27 Jan 2023 // 19:00 UTC
https://www.theregister.com/2023/01/27/fox_eas_tones_fine/
Despite being a well-known illegal sound that many film and television productions have been fined over, US media titan Fox stands accused of playing the Emergency Alert System attention tone to promote an NFL show on dozens of TV channels.
The Federal Communications Commission, which polices use of the sound to protect its integrity, now wants to fine the organization $504,000 – just as it did for Hollywood action film Olympus Has Fallen ($1.9 million, 2014) right down to Jimmy Kimmel Live ($395,000, 2019).
Tomi Engdahl says:
HUS web service under denial-of-service attack – causing intermittent disruptions
https://www.mtvuutiset.fi/artikkeli/husin-verkkopalveluun-kohdistuu-palvelunestohyokkays-aiheuttaa-ajoittaisia-hairioita/8621646?utm_source=upday&utm_medium=referral#gs.ny0bf7
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/new-stealthy-python-rat-malware-targets-windows-in-attacks/
Tomi Engdahl says:
ESET: Sandworm could be behind new file-deleting malware targeting Ukraine https://therecord.media/sandworm-swiftslicer-malware-ukraine-russia-eset/
The notorious state-backed Russian hacking group known as Sandworm may be behind new malware targeting Ukraine, according to research published Friday by cybersecurity company ESET. Malware called SwiftSlicer hit one organization in Ukraine before it was discovered by the Slovakia-based firm this week. SwiftSlicer malware “is relatively simple but effective,” according to Boutin. Once executed, it deletes backup copies of computer files, overwrites files located on specific drives and then reboots the computer
Tomi Engdahl says:
Researchers Discover New PlugX Malware Variant Spreading via Removable USB Devices https://thehackernews.com/2023/01/researchers-discover-new-plugx-malware.html
Cybersecurity researchers have uncovered a PlugX sample that employs sneaky methods to infect attached removable USB media devices in order to propagate the malware to additional systems. “This PlugX variant is wormable and infects USB devices in such a way that it conceals itself from the Windows operating file system,” Palo Alto Networks Unit 42 researchers Mike Harbison and Jen Miller-Osborn said. “A user would not know their USB device is infected or possibly used to exfiltrate data out of their networks.” The cybersecurity company said it uncovered the artifact during an incident response effort following a Black Basta ransomware attack against an unnamed victim. Other tools discovered in the compromised environment include the Gootkit malware loader and the Brute Ratel C4 red team framework.
Tomi Engdahl says:
Microsoft urges admins to patch on-premises Exchange servers https://www.bleepingcomputer.com/news/security/microsoft-urges-admins-to-patch-on-premises-exchange-servers/
Microsoft urged customers today to keep their on-premises Exchange servers patched by applying the latest supported Cumulative Update (CU) to have them always ready to deploy an emergency security update.
Redmond says that the Exchange server update process is “straightforward” (something that many admins might disagree with) and recommends always running the Exchange Server Health Checker script after installing updates. “To defend your Exchange servers against attacks that exploit known vulnerabilities, you must install the latest supported CU and the latest SU,” The Exchange Team said
Tomi Engdahl says:
#GermanyRIP. Kremlin-loyal hacktivists wage DDoSes to retaliate for tank aid https://arstechnica.com/information-technology/2023/01/germanyrip-kremlin-loyal-hacktivists-wage-ddoses-to-retaliate-for-tank-aid/
Threat actors loyal to the Kremlin have stepped up attacks in support of its invasion of Ukraine, with denial-of-service attacks hitting German banks and other organizations and the unleashing of a new destructive data wiper on Ukraine. Germany’s BSI agency, which monitors cybersecurity in that country, said the attacks caused small outages but ultimately did little damage
Tomi Engdahl says:
Massive Microsoft 365 outage caused by WAN router IP change https://www.bleepingcomputer.com/news/microsoft/massive-microsoft-365-outage-caused-by-wan-router-ip-change/
Microsoft says this week’s five-hour-long Microsoft 365 worldwide outage was caused by a router IP address change that led to packet forwarding issues between all other routers in its Wide Area Network (WAN). Redmond said at the time that the outage resulted from DNS and WAN networking configuration issues caused by a WAN update and that users across all regions serviced by the impacted infrastructure were having problems accessing the affected Microsoft 365 services. The issue led to service impact in waves, peaking approximately every 30 minutes as shared on the Microsoft Azure service status page (this status page was also affected as it intermittently displayed “504 Gateway Time-out” errors). In all, it took Redmond over five hours to address the issue, from 7:05 AM UTC when it started investigating up until 12:43 PM UTC when service was restored
Tomi Engdahl says:
Facebook two-factor authentication bypass issue patched https://portswigger.net/daily-swig/facebook-two-factor-authentication-bypass-issue-patched
Meta has patched a vulnerability in Facebook that could have allowed an attacker to bypass SMS-based two-factor authentication (2FA). The bug – which earned its finder a $27,200 bounty – did this by confirming the targeted user’s already-verified Facebook mobile number using the Meta Accounts Center in Instagram. It exploited a rate-limiting issue in Instagram that enabled an attacker to brute force the verification pin required to confirm someone’s phone number.
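The failure mode in the report above is generic: a phone-number verification PIN is only as strong as the rate limit in front of it. The following is an added illustration, not Meta's or Instagram's code; the PinVerifier class, the 6-digit PIN length and the 5-attempt lockout are assumptions chosen for the example. The same enumeration loop is run against a verifier with no limit and against one that kills the PIN after too many wrong guesses.

```python
"""Added illustration (not Meta's or Instagram's code): brute-forcing a
phone-verification PIN with and without an attempt limit. PIN length and
lockout threshold are assumptions for the example."""
import secrets
from typing import Optional, Tuple

PIN_DIGITS = 6          # assumed PIN length
MAX_ATTEMPTS = 5        # assumed lockout threshold for the hardened verifier


class PinVerifier:
    """One pending phone-number verification.

    enforce_limit=False models the vulnerable endpoint: unlimited guesses.
    enforce_limit=True  models the fix: the PIN is invalidated after MAX_ATTEMPTS
    wrong guesses, so the attacker must start over against a fresh, unknown PIN.
    """

    def __init__(self, enforce_limit: bool, pin: Optional[str] = None) -> None:
        # A real service generates the PIN server-side; a fixed pin is accepted
        # here only so the example is deterministic.
        if pin is None:
            pin = f"{secrets.randbelow(10 ** PIN_DIGITS):0{PIN_DIGITS}d}"
        self.pin = pin
        self.enforce_limit = enforce_limit
        self.attempts = 0
        self.locked = False

    def verify(self, guess: str) -> bool:
        """Return True only for the correct PIN while the PIN is still live."""
        if self.locked:
            return False
        self.attempts += 1
        # Constant-time compare so timing does not leak how many digits matched.
        if secrets.compare_digest(guess, self.pin):
            return True
        if self.enforce_limit and self.attempts >= MAX_ATTEMPTS:
            self.locked = True      # PIN is now dead; a new one must be requested
        return False


def brute_force(verifier: PinVerifier) -> Tuple[bool, int]:
    """Enumerate PINs in ascending order against the verifier.

    Returns (confirmed, guesses_made). Against the unlimited verifier this
    always succeeds within 10**PIN_DIGITS guesses; against the limited one it
    stops at MAX_ATTEMPTS unless the PIN happened to be among the first guesses.
    """
    for candidate in range(10 ** PIN_DIGITS):
        guess = f"{candidate:0{PIN_DIGITS}d}"
        if verifier.verify(guess):
            return True, candidate + 1
        if verifier.locked:
            return False, candidate + 1
    return False, 10 ** PIN_DIGITS


if __name__ == "__main__":
    print("no limit  :", brute_force(PinVerifier(enforce_limit=False, pin="004242")))
    print("with limit:", brute_force(PinVerifier(enforce_limit=True, pin="004242")))
```

The counter has to be keyed to the phone number being claimed, not to the attacker's session or IP, otherwise a distributed attacker simply opens a new session per batch of guesses; and once the limit trips, the pending PIN must be discarded, not merely rejected for a while.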
Tomi Engdahl says:
Target says data sold on dark web is ‘outdated,’ likely ‘released by third party’
https://therecord.media/target-says-data-sold-on-dark-web-is-outdated-likely-released-by-third-party/
Following the posting of an alleged database of customer information on a hacker forum, Target is denying that the data being sold on the dark web is current and says that the information was not taken directly from its systems. On Thursday, the hacker posted the trove, which contains names, addresses, and transaction information, purportedly for more than 800,000 Target customers. But Target spokesperson Brian Harper-Tibaldo told The Record that the data is “outdated” and “may have been released by a third party.”
Tomi Engdahl says:
HUS website not loading due to a technical problem; Russian hackers may be behind it
https://yle.fi/a/74-20015216
The website of the Hospital District of Helsinki and Uusimaa (HUS) has had technical problems on Saturday. The pages do not open, and the loading view says the cause of the outage is being investigated. Russian hackers may be behind the technical problems. The Russian hacker group KillMilk today published on its Telegram channel a list of healthcare institutions targeted by a new denial-of-service attack and announced its start. HUS cannot estimate how long the disruption will last.
Tomi Engdahl says:
British Cyber Agency Warns of Russian and Iranian Hackers Targeting Key Industries https://thehackernews.com/2023/01/british-cyber-agency-warns-of-russian.html
The U.K. National Cyber Security Centre (NCSC) on Thursday warned of spear-phishing attacks mounted by Russian and Iranian state-sponsored actors for information-gathering operations. “The attacks are not aimed at the general public but targets in specified sectors, including academia, defense, government organizations, NGOs, think tanks, as well as politicians, journalists and activists,” the NCSC said. The agency attributed the intrusions to SEABORGIUM (aka Callisto, COLDRIVER, and TA446) and APT42 (aka ITG18, TA453, and Yellow Garuda). The similarities in the modus operandi aside, there is no evidence the two groups are collaborating with each other
Tomi Engdahl says:
Charter Communications says vendor breach exposed some customer data https://therecord.media/telecom-giant-charter-communications-says-third-party-vendor-had-security-breach/
Telecommunications company Charter Communications said one of its third-party vendors suffered from a security breach after data from the company showed up on a hacking forum. On Thursday, a forum user posted information allegedly stolen from the company that included names, account numbers, addresses and more for about 550,000 customers
Tomi Engdahl says:
Latvia confirms phishing attack on Ministry of Defense, linking it to Russian hacking group https://therecord.media/latvia-confirms-phishing-attack-on-ministry-of-defense-linking-it-to-russian-hacking-group/
The Russian cyber-espionage group known as Gamaredon may have been behind a phishing attack on Latvia’s Ministry of Defense last week, the ministry told The Record on Friday. Hackers sent malicious emails to several employees of the ministry, pretending to be Ukrainian government officials. The attempted cyberattack was unsuccessful, the ministry added.
Tomi Engdahl says:
Gootkit Malware Continues to Evolve with New Components and Obfuscations https://thehackernews.com/2023/01/gootkit-malware-continues-to-evolve.html
The threat actors associated with the Gootkit malware have made “notable changes” to their toolset, adding new components and obfuscations to their infection chains. Google-owned Mandiant is monitoring the activity cluster under the moniker UNC2565, noting that the usage of the malware is “exclusive to this group.” Gootkit, also called Gootloader, is spread through compromised websites that victims are tricked into visiting when searching for business-related documents like agreements and contracts via a technique called search engine optimization (SEO) poisoning. The purported documents take the form of ZIP archives that harbor the JavaScript malware, which, when launched, paves the way for additional payloads such as Cobalt Strike Beacon, FONELAUNCH, and SNOWCONE
Tomi Engdahl says:
Hackers use new SwiftSlicer wiper to destroy Windows domains https://www.bleepingcomputer.com/news/security/hackers-use-new-swiftslicer-wiper-to-destroy-windows-domains/
Security researchers have identified a new data-wiping malware they named SwiftSlicer that aims to overwrite crucial files used by the Windows operating system. The new malware was discovered in a recent cyberattack against a target in Ukraine and has been attributed to Sandworm, a hacking group working for Russia’s General Staff Main Intelligence Directorate (GRU) as part of the Main Center for Special Technologies (GTsST) military unit 74455. While details are scant regarding SwiftSlicer at the moment, security researchers at cybersecurity company ESET say that they found the destructive malware deployed during a cyberattack in Ukraine.
Tomi Engdahl says:
A Blog with NoName – Further Insight into the Hacktivist Operation Targeting NATO and Affiliated Nations https://www.team-cymru.com/post/a-blog-with-noname
NoName057(16) attacks have targeted government / military departments in Ukraine and NATO countries, as well as organizations from core sectors such as finance, freight, and media. Recent reporting (Avast, SentinelLabs) has revealed that NoName057(16) relies upon a volunteer system (rather than a botnet of infected hosts), in which the volunteers are rewarded financially for contributing attack infrastructure. This system is managed via two Telegram channels (@noname05716 and @nn05716chat).
Tomi Engdahl says:
Microsoft Urges Customers to Secure On-Premises Exchange Servers https://thehackernews.com/2023/01/microsoft-urges-customers-to-secure-on.html
Microsoft is urging customers to keep their Exchange servers updated as well as take steps to bolster the environment, such as enabling Windows Extended Protection and configuring certificate-based signing of PowerShell serialization payloads. “Attackers looking to exploit unpatched Exchange servers are not going to go away,” the tech giant’s Exchange Team said in a post. “There are too many aspects of unpatched on-premises Exchange environments that are valuable to bad actors looking to exfiltrate data or commit other malicious acts.”
Tomi Engdahl says:
Researchers to release VMware vRealize Log RCE exploit, patch now https://www.bleepingcomputer.com/news/security/researchers-to-release-vmware-vrealize-log-rce-exploit-patch-now/
Security researchers with Horizon3’s Attack Team will release an exploit targeting a vulnerability chain next week for gaining remote code execution on unpatched VMware vRealize Log Insight appliances.
Now known as VMware Aria Operations for Logs, vRealize Log Insight makes it easier for VMware admins to analyze and manage terabytes of infrastructure and application logs. On Tuesday, VMware patched four security vulnerabilities in this log analysis tool, two of which are critical and allow attackers to execute code remotely without authentication
Tomi Engdahl says:
Royal Mail resumes some international parcel services from UK
https://www.computerweekly.com/news/252529609/Royal-Mail-resumes-some-international-parcel-services-from-UK?utm_campaign=20230127_Lords+question+%E2%80%98extensive%E2%80%99+government+online+safety+powers&utm_medium=EM&utm_source=MDN&source_ad_id=252529609&asrc=EM_MDN_259195383&bt_ee=pvJwYXzI2G%2FlOgyww9U%2FsVlQwSgLMMOX5tApK1CudOLPkStF7sWvLXoWdifxY%2FTo&bt_ts=1675009671105
Royal Mail has successfully stood up its International Tracked and Signed, and International Signed, services as it continues to recover from a ransomware attack
Royal Mail continues to make steady progress on recovering its international letter and parcel export services following a suspected LockBit ransomware attack earlier in January.
Having started to despatch standard export letters, and letters and parcels from Northern Ireland into Ireland, on Thursday 19 January, the postal service now says that having made progress on clearing the backlog of items in the system before the attack, it is now in a position to stand up two key parcel services, International Tracked and Signed, and International Signed.
“We have made further progress in exporting an increasing number of items to a growing number of international destinations,” Royal Mail said in a statement. “We are using alternative solutions and systems, which were not affected by the recent cyber incident.”
Tomi Engdahl says:
https://www.securityweek.com/critical-vulnerability-impacts-over-120-lexmark-printers/
Tomi Engdahl says:
BIND Updates Patch High-Severity, Remotely Exploitable DoS Flaws
https://www.securityweek.com/bind-updates-patch-high-severity-remotely-exploitable-dos-flaws/
The latest BIND updates patch multiple remotely exploitable vulnerabilities that could lead to denial-of-service (DoS).
The Internet Systems Consortium (ISC) this week announced patches for multiple high-severity denial-of-service (DoS) vulnerabilities in the DNS software suite BIND.
The addressed issues could be exploited remotely to cause named – the BIND daemon that acts both as an authoritative name server and as a recursive resolver – to crash, or could lead to the exhaustion of the available memory.
The first of the security defects, tracked as CVE-2022-3094, can be exploited by sending a flood of dynamic DNS updates, which would cause named to allocate large amounts of memory, resulting in a crash due to a lack of free memory.
According to ISC, because allocated memory is only retained for clients for which access credentials are accepted, the scope of the vulnerability is limited to trusted clients that are allowed to make dynamic zone changes.
For BIND 9.11 and earlier branches, the flaw can be exploited to exhaust internal resources, which results in performance issues, but not a crash.
Tracked as CVE-2022-3736, the second issue leads to a crash “when stale cache and stale answers are enabled, option stale-answer-client-timeout is set to a positive integer, and the resolver receives an RRSIG query,” ISC explains. A remote attacker can trigger the bug by sending crafted queries to the resolver.
Tomi Engdahl says:
CVE-2022-3094: An UPDATE message flood may cause named to exhaust all available memory
https://kb.isc.org/v1/docs/cve-2022-3094
CVE: CVE-2022-3094
Document version: 2.1
Posting date: 25 January 2023
Program impacted: BIND 9
Versions affected:
BIND
9.16.0 -> 9.16.36
9.18.0 -> 9.18.10
9.19.0 -> 9.19.8
(Versions prior to 9.11.37 were not assessed.)
BIND Supported Preview Edition
9.16.8-S1 -> 9.16.36-S1
(Versions prior to 9.11.37-S1 were not assessed.)
Severity: High
Exploitable: Remotely
Sending a flood of dynamic DNS updates may cause named to allocate large amounts of memory. This, in turn, may cause named to exit due to a lack of free memory. We are not aware of any cases where this has been exploited.
Impact:
By flooding the target server with UPDATE requests, the attacker can exhaust all available memory on that server.
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
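The advisory above limits the memory-exhaustion path to clients whose UPDATE messages pass the server's access checks, so the practical control, besides upgrading, is to keep that set of clients as small as possible. The named.conf fragment below is an added example, not taken from ISC's advisory or the article; the zone name, key name, file name and secret are placeholders, and the two zone statements show a before and an after for the same zone, not a configuration to load as one file.

```conf
// BEFORE (weak): every client that can reach the server may send UPDATE
// messages for the zone, so any such client can drive named into the
// memory-exhaustion condition described in CVE-2022-3094.
zone "example.internal" {
    type primary;
    file "db.example.internal";
    allow-update { any; };
};

// AFTER (hardened): only holders of a TSIG key may update, and only records
// below the zone apex. Generate the key with:  tsig-keygen ddns-key
key "ddns-key" {
    algorithm hmac-sha256;
    secret "<base64 secret from tsig-keygen>";   // placeholder
};

zone "example.internal" {
    type primary;
    file "db.example.internal";
    // update-policy and allow-update are mutually exclusive; use only one.
    update-policy {
        grant ddns-key zonesub ANY;
    };
};
```

Validate with `named-checkconf` before `rndc reconfig`, then confirm from an unprivileged host that `nsupdate` without the key is refused. The key limits who can exercise the flood, not how much memory an accepted flood can consume, so the patched release is still required.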
Tomi Engdahl says:
Man bought an oven and was astonished – it connects to Russia and China 12 times an hour https://www.is.fi/digitoday/tietoturva/art-2000009359273.html
AEG ovens check that the internet connection works by constantly contacting three search engines. A researcher is concerned.
WHEN you buy a household appliance, you may not think about everything it does beyond its obvious purpose. A good example is given by software expert Stephan van Rooij, who noticed his two AEG-brand ovens contacting three search engines every 5 minutes.
The search engines are the American Google, the Chinese Baidu, and the Russian Yandex. The ovens in question, AEG’s BSK798280B and KMK768080B, visit the front pages of these search engines to check that the internet connection is working.
– I really don’t like that my oven contacts China and Russia just to check that it has an internet connection. If that is the only thing it does, van Rooij writes.
I disconnected our smart oven, and maybe you should as well
https://svrooij.io/2023/01/25/disconnect-your-smart-appliance/
Arstechnica published an article yesterday, called “Appliance makers sad that 50% of customers won’t connect smart appliances”. Let me tell you, I’m glad people don’t connect their oven to the internet. We own two of these smart appliances from AEG and I disconnected them as soon as I discovered what they do.
When would I use the smart part of these appliances?
We did not explicitly buy “smart” appliances. We noticed they had wifi after we installed them. Here are some use cases of the “smart” functionality.
I was working late, on the way back in the grocery store, thinking I’ll just take some pizza and pre-heat my oven while still in the store.
While waking up deciding we want fresh baked buns in the morning, and we want to pre-heat the oven.
Maybe receiving notifications on the phone when the pre-set timer finishes
These three use cases are probably the only reason why people even consider buying a “smart” oven.
Devices check for internet access
Every smart device (laptop/phone/appliance) wants to know if the wifi it is connected to is actually providing access to the internet. Microsoft created a special endpoint that is used by your Windows device to check for internet connectivity. Apple and Google follow a similar strategy; I cannot find the exact documentation on it.
If a company doesn’t want to set up an external API for this, or you have an API that is not really stable, you can always use public websites to check if you have an internet connection. In my opinion you should always set up your own API to do the checking, because you don’t want to report to the user that the device does not have internet access because some external website is down.
And if you already have an API, just make sure your API is stable!
How do AEG smart appliances check internet connectivity?
AEG chose the easy route, and checks three public websites every 5 minutes when connected to your wifi. The AEG smart appliances also have this hidden cloud API which is used for controlling the devices, so there should be no reason to connect to these websites:
google.com no shock there, that is the number one website I personally use if I have to check internet connectivity.
baidu.cn yes, every 5 minutes your oven sends a message to the Chinese google alternative.
yandex.ru yes, not even just China, also the Russian google alternative.
I really don’t like the fact that my oven connects to China and Russia just to check if it has an internet connection. If that is the only thing it’s doing.
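The oven's behaviour is easy to miss by eye but easy to see in a resolver log: the same client resolving the same external names on a fixed timer. The script below is an added example, not from the Ilta-Sanomat article or from svrooij.io; the log line shape, the client addresses, the timestamps and the jitter threshold are all constructed or assumed for the illustration. It parses query lines, measures the spacing between repeated lookups per (client, name) pair, and reports pairs whose spacing is nearly constant, which is the signature of a timer-driven check rather than a person browsing.

```python
"""Added example (not from the article or svrooij.io): flag devices that
resolve the same external names on a fixed schedule, which is what the
oven's every-5-minutes connectivity check looks like in a DNS resolver log.
The log format, addresses, timestamps and thresholds are constructed here."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Assumed log line shape: "<ISO timestamp> <client ip> <qtype> <name>"
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

OVEN = "192.168.1.42"     # constructed: the appliance
LAPTOP = "192.168.1.10"   # constructed: an ordinary client
CHECK_NAMES = ("www.google.com", "www.baidu.cn", "yandex.ru")


def build_sample_log() -> List[str]:
    """Constructed sample: the oven polls three names every 300 s; the laptop browses."""
    base = datetime(2023, 1, 25, 8, 0, 0)
    lines: List[str] = []
    for i in range(6):
        stamp = (base + timedelta(minutes=5 * i)).isoformat()
        lines += [f"{stamp} {OVEN} A {name}" for name in CHECK_NAMES]
    for offset in (1, 12, 620, 655, 1900):          # irregular seconds after base
        stamp = (base + timedelta(seconds=offset)).isoformat()
        lines.append(f"{stamp} {LAPTOP} A github.com")
    lines.append("garbage line that should be ignored")
    return lines


def parse(lines: List[str]) -> Dict[Tuple[str, str], List[datetime]]:
    """Group query timestamps by (client, name); lines that do not match are skipped."""
    events: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        stamp, client, _qtype, name = m.groups()
        events[(client, name.lower().rstrip("."))].append(datetime.fromisoformat(stamp))
    return events


def find_periodic_lookups(lines: List[str], min_queries: int = 5,
                          max_jitter: float = 0.10) -> List[dict]:
    """Return (client, name) pairs that are queried at a near-constant interval.

    jitter = stdev(gaps) / mean(gaps): a timer-driven check scores near 0,
    human browsing scores high. Both thresholds are assumptions to tune per network.
    """
    findings = []
    for (client, name), stamps in parse(lines).items():
        if len(stamps) < min_queries:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        if pstdev(gaps) / avg <= max_jitter:
            findings.append({"client": client, "name": name,
                             "period_s": round(avg), "queries": len(stamps)})
    return sorted(findings, key=lambda f: (f["client"], f["name"]))


if __name__ == "__main__":
    for f in find_periodic_lookups(build_sample_log()):
        print(f"{f['client']} -> {f['name']} every ~{f['period_s']} s ({f['queries']} queries)")
```

On a real network, adapt LINE_RE to the resolver's format (dnsmasq, Pi-hole and unbound each log differently) and feed the lines from the log file. A hit tells you which destinations an appliance depends on; the decision of whether to sinkhole those names or move the device to a VLAN with no internet access is then an informed one rather than a guess.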
Tomi Engdahl says:
https://www.securityweek.com/industry-reactions-to-hive-ransomware-takedown-feedback-friday/
Tomi Engdahl says:
Microsoft Urges Customers to Patch Exchange Servers
https://www.securityweek.com/microsoft-urges-customers-to-patch-exchange-servers/
Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.
Tomi Engdahl says:
Cyberwarfare
Iranian APT Leaks Data From Saudi Arabia Government Under New Persona
Iranian APT Moses Staff is leaking data stolen from Saudi Arabia government ministries under the recently created Abraham’s Ax persona
https://www.securityweek.com/iranian-apt-leaks-data-from-saudi-arabia-government-under-new-persona/
Tomi Engdahl says:
US Reiterates $10 Million Reward Offer After Disruption of Hive Ransomware
US government reminds the public that a reward of up to $10 million is offered for information on cybercriminals, including members of the Hive operation.
https://www.securityweek.com/us-reiterates-10-million-reward-offer-after-disruption-of-hive-ransomware/
Tomi Engdahl says:
KSMBD Again
https://hackaday.com/2023/01/27/this-week-in-security-gta-apple-and-android-and-insecure-boot/
It’s beginning to look like a bad idea to put the Server Message Block Daemon driver in the Linux kernel, as we have another pre-auth integer underflow leading to denial of service. Researchers at Sysdig found the flaw this time, researching based on the previous ZDI-22-1690, which was a more serious RCE in the same kernel module. This one is a bit different from other integer underflows we’ve looked at. The wrap-around nature of integers instead saves this vulnerability from being a more serious one.
The real problem is that during SMB authentication, the data structure from the remote user contains a pair of length values, which are used to parse the incoming authentication data. It’s obvious that these values aren’t implicitly trusted, and some good error checking is done to prevent a trivial buffer overflow.
CVE-2023-0210
Linux Kernel Unauthenticated Remote Heap Overflow Within KSMBD
https://sysdig.com/blog/cve-2023-0210-linux-kernel-unauthenticated-remote-heap-overflow/
KSMBD, as defined by the kernel documentation, is a Linux kernel server which implements the SMB3 protocol in kernel space for sharing files over the network. It was introduced in kernel version ‘v5.15-rc1’, so it’s still relatively new. Most distributions do not have KSMBD compiled into the kernel or enabled by default.
Recently, another vulnerability (ZDI-22-1690) was discovered in KSMBD, which allowed for unauthenticated remote code execution in the kernel context. This provided a motivation to look further into KSMBD’s code, where we found a new heap overflow in KSMBD’s authentication code.
Conclusion
As scary as these bugs sound, they aren’t that big of a deal for most Linux users, mainly because of two reasons: KSMBD is not enabled by default but it is a module, which means that the user has to enable and configure it by themselves, as documented by the kernel. It is also worth noting that, given the nature of the SMB protocol and its historical implication in large scale security incidents, one might rarely need to expose the SMB port directly to the internet, a practice that is generally discouraged.
Tomi Engdahl says:
The QT suite has an issue, where Javascript embedded in QML (Qt Modeling Language) code could trigger one of two memory handling issues, and achieve RCE. There’s a bit of disagreement between Cisco Talos and QT, as to whether this is a simple bug, or security vulnerability. QML code is explicitly intended to be user interface code for applications, and should never execute untrusted code.
Vulnerability Spotlight: Integer and buffer overflow vulnerabilities found in QT QML
https://blog.talosintelligence.com/vulnerability-spotlight-integer-and-buffer-overflow-vulnerabilities-found-in-qt-qml/
Emma Reuter and Theo Morales of ASIG and Aleksandar Nikolic of Cisco Talos discovered these vulnerabilities.
Cisco ASIG and Cisco Talos recently discovered code execution vulnerabilities in QT QML.
Qt is a popular software suite primarily used to create graphical user interfaces. It also contains several supporting libraries which all aim to enable cross-platform application development with a unified programming API.
QT has responded to vulnerability notifications with this statement: “We have analyzed your report, and our evaluation is that this is not a security issue, even though it is a real bug. Qt’s QML and JavaScript support is explicitly not designed for untrusted content… Each application that is passing untrusted input to QtQml needs to have an advisory instead and must thoroughly check their inputs.”
This advisory concerns:
TALOS-2022-1617 (CVE-2022-40983), in which Javascript code can trigger an integer overflow during memory allocation, which can lead to arbitrary code execution. A target application would need to access a malicious web page to trigger this vulnerability.
Secondarily, TALOS-2022-1650 (CVE-2022-43591) can involve an out-of-bounds memory access, leading to arbitrary code execution.
Cisco Talos believes these are potential security issues and notified QT of the issues all in adherence to Cisco’s vulnerability disclosure policy.
Tomi Engdahl says:
“We have hijacked your account” – Hannele Lauri was extorted for money this morning with a cruel message, lost her livelihood
https://www.iltalehti.fi/viihdeuutiset/a/6431acae-9971-4392-bb81-c9f4c18ab94a
Hannele Lauri’s now-deleted Instagram account had over 22 thousand followers.
Actress Hannele Lauri received a frightening message on her phone on Tuesday 31 January. An unknown number wrote to Lauri in a WhatsApp message that she must send money or her Instagram account would be deleted.
– We have hijacked your account. If you want your account back, you will have to pay. Get in touch, the message read in English.
Lauri did not give in to the extortion, and soon she noticed that her Instagram account was gone. Lauri tells Iltalehti she is really furious about the situation.
Tomi Engdahl says:
Realtek Vulnerability Under Attack: Over 134 Million Attempts to Hack IoT Devices https://thehackernews.com/2023/01/realtek-vulnerability-under-attack-134.html
Researchers are warning about a spike in exploitation attempts weaponizing a now-patched critical remote code execution flaw in Realtek Jungle SDK since the start of August 2022. According to Palo Alto Networks Unit 42, the ongoing campaign is said to have recorded 134 million exploit attempts as of December 2022, with 97% of the attacks occurring in the past four months.
Tomi Engdahl says:
Riot Games refuses to pay ransom to avoid League of Legends leak https://www.malwarebytes.com/blog/news/2023/01/stolen-code-from-riot-games-already-being-auctioned-off
After confirming threat actors were able to steal some of its code, Riot Games has also revealed that it received a ransom email from its attacker. The attackers are demanding $10 million to stop them from leaking source code from League of Legends and other games.
Tomi Engdahl says:
Pro-Russian DDoS attacks raise alarm in Denmark, U.S.
https://therecord.media/ddos-denmark-us-russia-killnet/
Distributed denial-of-service (DDoS) attacks by pro-Russian hacking groups are causing alarm in the U.S. and Denmark after several incidents affected websites of hospitals and government offices in both countries. On Tuesday, Denmark announced that it was raising its cyber risk alert level after weeks of attacks on banks and the country’s defense ministry.
Tomi Engdahl says:
Microsoft releases emergency updates to fix XPS display issues https://www.bleepingcomputer.com/news/microsoft/microsoft-releases-emergency-updates-to-fix-xps-display-issues/
Microsoft has released out-of-band (OOB) updates for some .NET Framework and .NET versions to address XPS display issues triggered by December 2022 cumulative security updates. Users will experience null reference exceptions and images or glyphs displaying incorrectly when viewing XPS documents rendered using affected Windows Presentation Foundation (WPF) based apps
Tomi Engdahl says:
Microsoft’s Verified Publisher Status Abused in Email Theft Campaign
https://www.securityweek.com/microsofts-verified-publisher-status-abused-in-email-theft-campaign/
Microsoft and Proofpoint are warning organizations that use cloud services about a recent consent phishing attack that abused Microsoft’s ‘verified publisher’ status.
Tomi Engdahl says:
Vulnerabilities
Critical QNAP Vulnerability Leads to Code Injection
https://www.securityweek.com/critical-qnap-vulnerability-leads-to-code-injection/
QNAP warns users of a critical vulnerability that allows attackers to inject malicious code on NAS devices.
Tomi Engdahl says:
GitHub Revokes Code Signing Certificates Following Cyberattack
https://www.securityweek.com/github-revokes-code-signing-certificates-following-cyberattack/
GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.
Tomi Engdahl says:
Russian Millionaire on Trial in Hack, Insider Trade Scheme
https://www.securityweek.com/russian-millionaire-on-trial-in-hack-insider-trade-scheme/
Russian Vladislav Klyushin made tens of millions of dollars by hacking into U.S. computer networks to steal insider information.
A wealthy Russian businessman and associates made tens of millions of dollars by cheating the stock market in an elaborate scheme that involved hacking into U.S. computer networks to steal insider information about companies such as Microsoft and Tesla, a prosecutor told jurors on Monday.
Vladislav Klyushin, the owner of a Moscow-based information technology company with ties to the upper levels of the Russian government, is standing trial in a Boston federal court nearly two years after he was arrested after landing in Switzerland on a private jet for a skiing trip.
He’s the only Russian national charged in the nearly $90 million scheme who has been arrested and extradited to the U.S.; four accused co-conspirators — including a Russian military intelligence officer who’s also been charged with meddling in the 2016 presidential election — remain at large.
Tomi Engdahl says:
Data Breaches
British Retailer JD Sports Discloses Data Breach Affecting 10 Million Customers
https://www.securityweek.com/british-retailer-jd-sports-discloses-data-breach-affecting-10-million-customers/
JD Sports discovers unauthorized access to information from orders placed by customers between 2018 and 2020.