Cyber security news January 2023

This posting is here to collect cyber security news in January 2023.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.

446 Comments

  1. Tomi Engdahl says:

    1,300 internet cameras containing a dangerous backdoor sold in Finland – also sold at Prisma stores
    The device has now been pulled from Prisma stores, but it is still on sale in smaller shops.
    https://www.is.fi/digitoday/tietoturva/art-2000009324472.html

    The SWM Base IP camera, costing 80–100 euros, has been sold in Finland at Prisma stores and in several small shops, among others. The device was being sold in 76 Prisma stores, among other places, when the matter came to the attention of Ilta-Sanomat Digitoday.

    Reply
  2. Tomi Engdahl says:

    Ransomware attack severs 1,000 ships from their on-shore servers
    Get your eyepatch out: Cyber attacks on the high seas are trending
    https://www.theregister.com/2023/01/19/ransomware_attack_cuts_1000_ships/

    Reply
  3. Tomi Engdahl says:

    CISA Warns of Flaws Affecting Industrial Control Systems from Major Manufacturers
    https://thehackernews.com/2023/01/cisa-warns-for-flaws-affecting.html

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released several Industrial Control Systems (ICS) advisories warning of critical security flaws affecting products from Sewio, InHand Networks, Sauter Controls, and Siemens.

    https://us-cert.cisa.gov/ncas/current-activity/2023/01/12/cisa-releases-twelve-industrial-control-systems-advisories

    Reply
  4. Tomi Engdahl says:

    Kevin Chung Reverse Engineered NYCTrainSign and Their API After the IoT Company Vanished
    A story about a shady company, high BOM cost, and exploitable devices.
    https://www.hackster.io/news/kevin-chung-reverse-engineered-nyctrainsign-and-their-api-after-the-iot-company-vanished-7de09a355234

    Reply
  5. Tomi Engdahl says:

    Finnish eye surgery website targeted by a porn attack https://www.is.fi/digitoday/tietoturva/art-2000009325943.html

    Reply
  6. Tomi Engdahl says:

    Comment: A pig in a poke for a hundred euros – we have a burning problem with internet-connected devices https://www.is.fi/digitoday/tietoturva/art-2000009329861.html

    You cannot be sure what a network-connected device, such as an internet camera or a router, is doing. Still, some devices are safer than others, writes Ilta-Sanomat digital journalist Henrik Kärkkäinen.

    ILTA-SANOMAT Digitoday wrote today about a webcam sold in Finland that is open to anyone who knows the administrator password. In addition, the device can be hijacked over the network, meaning a backdoor has quite evidently been left in it on purpose.

    This means the camera can be harnessed both as a covert surveillance device and as part of a botnet carrying out denial-of-service attacks. Or whatever else comes to mind for whoever is remotely controlling the camera.

    The case is not unique – far from it. When taking a network-connected device into use, every one of us is at the mercy of the device's supplier. From the outside, no one can see whether it is doing something else alongside what it promises.

    Still, buyers should have the right to trust the security of a product sold on the shelves of a supermarket chain. That raises a big question: who is responsible for the security of the devices that reach the shops?

    POSSIBLE answers are the importer and the authorities. Both have their problems.

    Many importers are small companies that lack the resources for testing. A thorough security review of a product, an audit, is slow and costly. And when the device receives a software update, everything would have to be done again. In theory, any device can be updated into a spying apparatus.

    In Finland the authority, in this case the National Cyber Security Centre at the Finnish Transport and Communications Agency Traficom, tackles the problem with the Cybersecurity Label (Tietoturvamerkki). It is a logo granted to products that meet certain criteria.

    THE PROBLEM is that there are not many labelled products. 25 labels have been granted.

    There are, however, no labelled internet cameras. Now it is time to turn our gaze to the big retail chains and importers: what if you put pressure on manufacturers and promoted the security label as a competitive advantage?

    WHILE WAITING for that, buyers should do their homework before heading to the (online) shop.

    Ask the seller how long the device will receive updates, or when the latest one arrived.

    Google the device you are interested in beforehand. Are there real review articles online, not just possibly fabricated five-star purchase reviews?

    Have you heard of the manufacturer before? Do you know a satisfied user?

    And then hope for the best.

    Reply
  7. Tomi Engdahl says:

    Hackers turn to Google search ads to push info-stealing malware https://www.bleepingcomputer.com/news/security/hackers-turn-to-google-search-ads-to-push-info-stealing-malware/
    Hackers are setting up fake websites for popular free and open-source software to promote malicious downloads through advertisements in Google search results

    Reply
  8. Tomi Engdahl says:

    Git patches two critical remote code execution security flaws https://www.bleepingcomputer.com/news/security/git-patches-two-critical-remote-code-execution-security-flaws/
    Git has patched two critical severity security vulnerabilities that could allow attackers to execute arbitrary code after successfully exploiting heap-based buffer overflow weaknesses. A third Windows-specific flaw impacting the Git GUI tool, caused by an untrusted search path weakness, enables unauthenticated threat actors to run untrusted code in low-complexity attacks.

    Reply
  9. Tomi Engdahl says:

    Vice Society ransomware gang claims attack on one of Germany's largest universities https://therecord.media/vice-society-ransomware-gang-claims-attack-on-one-of-germanys-largest-universities/
    The Vice Society ransomware group said it was responsible for a November attack against one of Germany's largest universities. The University of Duisburg-Essen in the country's North Rhine-Westphalia region was forced to shut down its entire IT infrastructure and disconnect it from the network following the incident. The university has 12 departments and about 43,000 students.

    Reply
  10. Tomi Engdahl says:

    QBot Campaigns Overwhelmingly Lead Reported Payloads in Q4 https://www.phishlabs.com/blog/qbot-campaigns-overwhelmingly-lead-reported-payloads-in-q4/
    QBot was the most reported payload targeting employee inboxes in Q4, according to Fortra's PhishLabs. This is the fourth consecutive month QBot has led malware activity as bad actors target organizations with a steady stream of high-volume attack campaigns. QBot is a versatile MaaS (malware-as-a-service) capable of performing a broad range of actions including stealing financial information and credentials, moving laterally within networks, and more.

    Reply
  11. Tomi Engdahl says:

    Chinese Playful Taurus Activity in Iran
    https://unit42.paloaltonetworks.com/playful-taurus/
    In June 2021, ESET reported that this group had upgraded their tool kit to include a new backdoor called Turian. This backdoor remains under active development and we assess that it is used exclusively by Playful Taurus actors. Following the evolution of this capability, we recently identified new variants of this backdoor as well as new command and control infrastructure. Analysis of both the samples and connections to the malicious infrastructure suggests that several Iranian government networks have likely been compromised by Playful Taurus

    Reply
  12. Tomi Engdahl says:

    A supposedly secure encryption technique failed its user – a suspect in aiding terrorism was exposed https://www.is.fi/digitoday/tietoturva/art-2000009334711.html
    The FBI identified an anonymous user of the Tor network. This is a powerful reminder that even its users are not entirely anonymous. Vice Motherboard reported the matter.

    Reply
  13. Tomi Engdahl says:

    Spyware company Intellexa fined €50,000 for holding up Greek inquiry https://therecord.media/spyware-company-intellexa-fined-e50000-for-holding-up-greek-inquiry/
    Greece's Data Protection Authority (DPA) has issued the Israeli-owned spyware consortium Intellexa a €50,000 fine (about $54,000) for failing to comply with its investigations into the use of the controversial technology.

    Reply
  14. Tomi Engdahl says:

    WAGO fixes config export flaw threatening data leak from industrial devices https://portswigger.net/daily-swig/wago-fixes-config-export-flaw-threatening-data-leak-from-industrial-devices
    Security researchers have disclosed a vulnerability that potentially led to exposure of sensitive data and credential theft in WAGO products. Also:
    https://onekey.com/blog/security-advisory-wago-unauthenticated-config-export-vulnerability/

    Reply
  15. Tomi Engdahl says:

    Critical Security Vulnerabilities Discovered in Netcomm and TP-Link Routers https://thehackernews.com/2023/01/critical-security-vulnerabilities.html
    Security vulnerabilities have been disclosed in Netcomm and TP-Link routers, some of which could be weaponized to achieve remote code execution

    Reply
  16. Tomi Engdahl says:

    Hack the Pentagon 3.0: Groundbreaking Bug Bounty Program Is Back https://www.hackread.com/hack-the-pentagon-3-bug-bounty-program/
    The US military seeks public help in securing its critical cyber infrastructure with Hack the Pentagon 3.0 bug bounty program

    Reply
  17. Tomi Engdahl says:

    Customer data stolen from the Finnish National Gallery's online shop https://www.is.fi/digitoday/tietoturva/art-2000009341603.html
    The Finnish National Gallery warns that its Museoshop.fi online shop has suffered a data breach. The intruders obtained data stored in the online shop, such as customers' names, addresses, email addresses, phone numbers and purchase and donation history. The intruders did not have access to payment or credit card details.
    The register did not collect personal identity numbers or other sensitive data, and passwords were encrypted, the National Gallery states in its press release. According to the National Gallery, investigations have been launched. To limit the damage, the National Gallery closed the online shop. The National Gallery assures that those affected by the breach will face no consequences. The register contained no sensitive data.

    Reply
  18. Tomi Engdahl says:

    T-Mobile confirms another data breach affecting 37 million customer accounts https://therecord.media/t-mobile-confirms-another-data-breach-affecting-37-million-customer-accounts/
    T-Mobile, one of the largest wireless network operators in the United States, said on Thursday that it was investigating a data breach involving 37 million customer accounts. In a disclosure notice filed to the U.S. Securities and Exchange Commission, the company explained the breach was discovered after it identified malicious activity on its networks on January 5. “A bad actor was obtaining data through a single Application Programming Interface (API) without authorization,” as the filing described the activity. T-Mobile said that its security team alongside external cybersecurity experts were able to trace the source of the malicious activity and stop it within a day of identifying the access. However, the company acknowledged that the bad actor had been retrieving data from its system through the insecure API starting on or around November 25, 2022.

    Reply
  19. Tomi Engdahl says:

    Electronic health record giant NextGen dealing with cyberattack https://therecord.media/electronic-health-record-giant-nextgen-dealing-with-cyberattack/
    Hospital technology giant NextGen Healthcare said it is responding to a cyberattack after a notorious ransomware group added the company to its list of victims. The multibillion-dollar healthcare giant produces electronic health record (EHR) software and practice management systems for hundreds of the biggest hospitals and clinics in the U.S., U.K., India and Canada. On Tuesday, hackers associated with the AlphV/BlackCat ransomware added the company to its list of victims alongside several other businesses. A spokesperson for NextGen Healthcare said it is aware of the claim and explained that they have been working with cybersecurity experts to investigate and remediate the issue.

    Reply
  20. Tomi Engdahl says:

    1,300 internet cameras containing a dangerous backdoor sold in Finland, also sold at Prisma stores https://www.is.fi/digitoday/tietoturva/art-2000009324472.html
    An internet camera with a serious vulnerability is being sold in Finland.
    According to security researcher and white-hat hacker Jarkko Vesiluoma, the hole was deliberately left by the developer of the device's software, i.e. it is a backdoor. A backdoor is, as the name suggests, a hole left in a device or program that allows it to be controlled, and data to be stolen, from the outside. The SWM Base IP camera, costing 80–100 euros, has been sold in Finland at Prisma stores and in several small shops, among others. The device was being sold in 76 Prisma stores, among other places, when the matter came to the attention of Ilta-Sanomat Digitoday. If the camera is directly connected to the public internet, an attacker can, for example, use the camera to continue the attack onward into the victim's internal network, or view the image the camera transmits. The attacker gains complete control of the camera, Vesiluoma says.

    Reply
  21. Tomi Engdahl says:

    Samsung investigating claims of hack on South Korea systems, internal employee platform https://therecord.media/samsung-investigating-claims-of-hack-on-south-korea-systems-internal-employee-platform/
    Samsung is investigating a potential cyberattack and data breach on an internal employee platform and several systems in South Korea. On Tuesday, a group of hackers going by the name Genesis Day claimed it attacked Samsung's offices in South Korea because of the country's recent opening of a mission to the North Atlantic Treaty Organization (NATO). The group said it hacked the internal File Transfer Protocol service of the Samsung Group in South Korea as well as the internal employee system and the Samsung Group intranet. They threatened to leak business data from Samsung's operations in France and more. “We are aware of the recent online posting and are in the process of verifying the claim,” a Samsung spokesperson told The Record.

    Reply
  22. Tomi Engdahl says:

    Suspected Chinese Threat Actors Exploiting FortiOS Vulnerability
    (CVE-2022-42475)
    https://www.mandiant.com/resources/blog/chinese-actors-exploit-fortios-flaw
    Mandiant is tracking a suspected China-nexus campaign believed to have exploited a recently announced vulnerability in Fortinet’s FortiOS SSL-VPN, CVE-2022-42475, as a zero-day. Evidence suggests the exploitation was occurring as early as October 2022 and identified targets include a European government entity and a managed service provider located in Africa. Mandiant identified a new malware we are tracking as BOLDMOVE as part of our investigation. We have uncovered a Windows variant of BOLDMOVE and a Linux variant, which is specifically designed to run on FortiGate Firewalls. We believe that this is the latest in a series of Chinese cyber espionage operations that have targeted internet-facing devices and we anticipate this tactic will continue to be the intrusion vector of choice for well-resourced Chinese groups.

    Reply
  23. Tomi Engdahl says:

    Ukraine signs agreement to join NATO cyber defense center https://therecord.media/ukraine-signs-agreement-to-join-nato-cyber-defense-center/
    Ukraine has taken another step to deepen its cooperation with NATO in the cybersecurity field as its war with Russia, both kinetic and digital, approaches the one-year mark. On Thursday, Ukraine signed an agreement to join the Estonia-based NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE). Before it is official, all of CCDCOE's members will have to sign this agreement. Both sides stand to benefit from this partnership. Ukraine will get access to NATO's cutting-edge technology and research, while CCDCOE members will learn more from Ukraine about how to defend against cyberattacks during wartime.

    Reply
  24. Tomi Engdahl says:

    One more click and the whole account is emptied – beware of this scam sent in OP's name https://www.iltalehti.fi/digiuutiset/a/fd8fa9d0-63a0-471f-b809-91e51b09cccb
    Text message scams sent in the name of banks have become much more common over the last four months, at a huge volume. In an example case brought to Iltalehti's attention, the emptying of the victim's savings account was one tap away. The victim was asked to confirm a 10,000 euro transfer that was complete except for the confirmation. The victim had received a message sent in OP's name and had inadvertently opened its link. The link had led to a phishing address that looked like the bank's site, where they had entered their own banking credentials. Only after the genuine confirmation message sent by the bank did they realize what was actually about to happen.
    The thieves were left without the money thanks to last-minute alarm bells.

    Reply
  25. Tomi Engdahl says:

    Popular password managers auto-filled credentials on untrusted websites https://portswigger.net/daily-swig/popular-password-managers-auto-filled-credentials-on-untrusted-websites
    Security shortcomings mean that multiple password managers could be tricked into auto-filling credentials on untrusted pages, security researchers at Google warn. The team from Google went public with their findings on Tuesday (17 January), 90 days after notifying the applications Dashlane, Bitwarden, and the built-in password manager bundled with Apple's Safari browser of the vulnerabilities. Both Dashlane and Bitwarden have updated their software, although Dashlane, at least, remains unconvinced that the bug represents any kind of security threat. The status of any fix for Apple's Safari built-in password manager remains unconfirmed at the time of writing.

    Reply
  26. Tomi Engdahl says:

    Exploits released for two Samsung Galaxy App Store vulnerabilities https://www.bleepingcomputer.com/news/security/exploits-released-for-two-samsung-galaxy-app-store-vulnerabilities/
    Two vulnerabilities in the Galaxy App Store, Samsung's official repository for its devices, could enable attackers to install any app in the Galaxy Store without the user's knowledge or to direct victims to a malicious web location. The issues were discovered by researchers from the NCC Group between November 23 and December 3, 2022. The Korean smartphone maker announced on January 1, 2023 that it fixed the two flaws and released a new version for Galaxy App Store (4.5.49.8).
    Today, the NCC Group published technical details for the two security issues, along with proof-of-concept (PoC) exploit code for each of them. The NCC advisory:
    https://research.nccgroup.com/2023/01/20/technical-advisory-multiple-vulnerabilities-in-the-galaxy-app-store-cve-2023-21433-cve-2023-21434/

    Reply
  27. Tomi Engdahl says:

    Android 13 is running on 5.2% of all devices five months after launch https://9to5google.com/2023/01/18/android-13-device-distribution/
    According to the latest official Android distribution numbers from Google, Android 13 is running on 5.2% of all devices less than six months after launch. Today marks the first update to the distribution chart in 2023 and offers our first glimpse of how quickly Android 13 is being delivered to devices. According to Android Studio, devices running Android 13 now account for 5.2% of all devices. Meanwhile, Android 12 and 12L now account for 18.9% of the total, a significant increase from August's 13.5% figure. Looking at the older versions, we see that usage of Android Oreo has finally dropped below 10%, with similar drops in percentage down the line. Android Jelly Bean, which previously weighed in at 0.3%, is no longer listed, while KitKat has dropped from 0.9% to 0.7%.

    Reply
  28. Tomi Engdahl says:

    Hackers now use Microsoft OneNote attachments to spread malware https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/
    Threat actors now use OneNote attachments in phishing emails that infect victims with remote access malware which can be used to install further malware, steal passwords, or even cryptocurrency wallets. This comes after attackers have been distributing malware in emails using malicious Word and Excel attachments that launch macros to download and install malware for years. Since mid-December, cybersecurity researchers warned that threat actors had started distributing malicious spam emails containing OneNote attachments. From samples found by BleepingComputer, these malspam emails pretend to be DHL shipping notifications, invoices, ACH remittance forms, mechanical drawings, and shipping documents.

    Reply
  29. Tomi Engdahl says:

    Massive outage grounded US flights because someone accidentally deleted a file https://www.theregister.com/2023/01/21/faa_outage_reasons/
    The US Federal Aviation Administration says its preliminary investigation of last week’s system outage that caused the first nationwide grounding of flights since September 11, 2001, has uncovered the cause: contractors accidentally deleted some essential files. Oops. In its first word on the outage since January 11, the day the FAA’s Notice to Air Mission Systems (NOTAM) went offline, the agency said contract personnel were working to correct a synchronization issue between the live primary database and a backup copy. In the process, some incorrect keys were apparently pressed and more than 11,000 flights were grounded.

    Reply
  30. Tomi Engdahl says:

    U.S. No Fly List Leaks After Being Left in an Unsecured Airline Server https://www.vice.com/en/article/93a4p5/us-no-fly-list-leaks-after-being-left-in-an-unsecured-airline-server
    A copy of the U.S. No Fly List has leaked after being stored on an unsecured server connected to a commercial airline. The No Fly List is an official list maintained by the U.S. government of people it has banned from traveling in or out of the United States on commercial flights. As first reported by The Daily Dot, a Swiss hacker known as maia arson crimew discovered the list on an unsecured Jenkins server one night while poking around on Shodan, a search engine that lets people look through servers connected to the internet. On the server was a large amount of company data about CommuteAir, including the private information about its employees. There was also a file containing a copy of a 2019 edition of the No Fly List. The list includes names and birth dates and more than 1.5 million entries, but many of those entries are aliases that all reference the same person. “It's so much bigger than I thought it'd be,” crimew told Motherboard.

    Reply
  31. Tomi Engdahl says:

    Riot Games hacked, delays game patches after security breach https://www.bleepingcomputer.com/news/security/riot-games-hacked-delays-game-patches-after-security-breach/
    Riot Games, the video game developer and publisher behind League of Legends and Valorant, says it will delay game patches after its development environment was compromised last week. The LA-based game publisher disclosed the incident in a Twitter thread on Friday night and promised to keep customers up-to-date with whatever an ongoing investigation discovers. “Earlier this week, systems in our development environment were compromised via a social engineering attack,” the company said. “We don’t have all the answers right now, but we wanted to communicate early and let you know there is no indication that player data or personal information was obtained.”
    “Unfortunately, this has temporarily affected our ability to release content. While our teams are working hard on a fix, we expect this to impact our upcoming patch cadence across multiple games,” Riot Games said.

    Reply
  32. Tomi Engdahl says:

    EmojiDeploy: Smile! Your Azure web service just got RCEd ._.
    https://ermetic.com/blog/azure/emojideploy-smile-your-azure-web-service-just-got-rced
    Ermetic’s research team discovered a remote code execution vulnerability affecting Azure cloud services and other cloud sovereigns including Function Apps, App Service and Logic Apps. The EmojiDeploy vulnerability is achieved through CSRF (Cross-site request forgery) on the ubiquitous SCM service Kudu. By abusing the vulnerability, attackers can deploy malicious zip files containing a payload to the victim’s Azure application. The vulnerability enables RCE and full takeover of the target app. The impact of the vulnerability on the organization as a whole depends on the permissions of the application's managed identity. Effectively applying the principle of least privilege can significantly limit the blast radius.

    Reply
  33. Tomi Engdahl says:

    Technical Advisory U-Boot Unchecked Download Size and Direction in USB DFU (CVE-2022-2347) https://research.nccgroup.com/2023/01/20/technical-advisory-u-boot-unchecked-download-size-and-direction-in-usb-dfu-cve-2022-2347/
    U-Boot is a popular and feature-rich bootloader for embedded systems.
    It includes optional support for the USB Device Firmware Update (DFU) protocol, which can be used by devices to download new firmware, or upload their current firmware. The U-Boot DFU implementation does not bound the length field in USB DFU download setup packets, and it does not verify that the transfer direction corresponds to the specified command. Consequently, if a physical attacker crafts a USB DFU download setup packet with a wLength greater than 4096 bytes, they can write beyond the heap-allocated request buffer. It is also possible to read its content (and beyond it) if the direction bit for the setup packet indicates a device to host direction.

    Reply
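    The two checks the NCC Group advisory above says were missing, a bound on the DFU download length and a comparison of the setup packet's direction bit against the request code, can be illustrated with a small setup-packet validator. The following is an added example written for this page; it is not U-Boot's code nor the advisory's, and the names `dfu_parse_setup`, `dfu_check_setup`, `dfu_handle_dnload` and the static `g_req_buf` are hypothetical. It assumes the 4096-byte request buffer the advisory mentions and the standard USB DFU request codes (DFU_DNLOAD = 1, DFU_UPLOAD = 2) with bit 7 of bmRequestType as the device-to-host direction flag.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example (not U-Boot's code): validate a USB DFU setup packet
 * before any data is copied into the request buffer. The advisory describes
 * two missing checks: wLength was never bounded against the heap-allocated
 * request buffer, and the direction bit was never compared against the DFU
 * request being issued. */

#define DFU_REQ_BUF_SIZE 4096u     /* request buffer size quoted in the advisory */
#define USB_DIR_IN       0x80u     /* bmRequestType bit 7 set: device-to-host */

/* bRequest codes from the USB DFU 1.1 class specification */
#define DFU_DNLOAD 1u              /* host-to-device: firmware goes into the device */
#define DFU_UPLOAD 2u              /* device-to-host: device reports its firmware */

/* The 8-byte USB setup packet; multi-byte fields are little-endian on the wire. */
struct usb_setup {
    uint8_t  bmRequestType;
    uint8_t  bRequest;
    uint16_t wValue;
    uint16_t wIndex;
    uint16_t wLength;
};

enum dfu_check {
    DFU_OK = 0,
    DFU_ERR_TOO_LONG,        /* wLength exceeds the request buffer */
    DFU_ERR_BAD_DIRECTION,   /* direction bit contradicts the request code */
    DFU_ERR_UNKNOWN_REQUEST  /* request this handler does not implement */
};

/* Decode the raw 8 bytes received from the host into the struct. */
struct usb_setup dfu_parse_setup(const uint8_t raw[8])
{
    struct usb_setup s;
    s.bmRequestType = raw[0];
    s.bRequest      = raw[1];
    s.wValue        = (uint16_t)(raw[2] | (raw[3] << 8));
    s.wIndex        = (uint16_t)(raw[4] | (raw[5] << 8));
    s.wLength       = (uint16_t)(raw[6] | (raw[7] << 8));
    return s;
}

/* Both checks the advisory calls for, applied before touching any buffer. */
enum dfu_check dfu_check_setup(const struct usb_setup *s)
{
    int dir_in = (s->bmRequestType & USB_DIR_IN) != 0;

    switch (s->bRequest) {
    case DFU_DNLOAD:
        if (dir_in)            /* a download must be host-to-device */
            return DFU_ERR_BAD_DIRECTION;
        break;
    case DFU_UPLOAD:
        if (!dir_in)           /* an upload must be device-to-host */
            return DFU_ERR_BAD_DIRECTION;
        break;
    default:
        return DFU_ERR_UNKNOWN_REQUEST;
    }
    if (s->wLength > DFU_REQ_BUF_SIZE)   /* bound the copy to the buffer */
        return DFU_ERR_TOO_LONG;
    return DFU_OK;
}

/* Hypothetical request buffer standing in for the heap allocation. */
static uint8_t g_req_buf[DFU_REQ_BUF_SIZE];

/* Stage a DFU_DNLOAD payload. Returns bytes staged, or -1 if rejected.
 * The copy length is wLength, which the check guarantees fits g_req_buf. */
int dfu_handle_dnload(const struct usb_setup *s, const uint8_t *payload)
{
    if (s->bRequest != DFU_DNLOAD || dfu_check_setup(s) != DFU_OK)
        return -1;
    memcpy(g_req_buf, payload, s->wLength);
    return (int)s->wLength;
}

int main(void)
{
    /* Constructed packets: a valid 16-byte download, a 4097-byte one that
     * would overrun the buffer, and a download whose direction bit claims
     * device-to-host. */
    const uint8_t good[8]  = { 0x21, DFU_DNLOAD, 0, 0, 0, 0, 0x10, 0x00 };
    const uint8_t big[8]   = { 0x21, DFU_DNLOAD, 0, 0, 0, 0, 0x01, 0x10 };
    const uint8_t wrong[8] = { 0xA1, DFU_DNLOAD, 0, 0, 0, 0, 0x10, 0x00 };
    const uint8_t *pkts[3] = { good, big, wrong };

    for (int i = 0; i < 3; i++) {
        struct usb_setup s = dfu_parse_setup(pkts[i]);
        printf("packet %d: wLength=%u -> check=%d\n", i, s.wLength, dfu_check_setup(&s));
    }
    return 0;
}
```

The order of the checks matters: the direction test and the length bound both run on the parsed setup fields alone, so nothing is read from or written to the request buffer until a packet has passed both. A wLength of exactly 4096 is accepted, 4097 is rejected, and a DFU_DNLOAD with the device-to-host bit set is refused regardless of its length.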
  34. Tomi Engdahl says:

    Dissecting and Exploiting TCP/IP RCE Vulnerability EvilESP https://securityintelligence.com/posts/dissecting-exploiting-tcp-ip-rce-vulnerability-evilesp/
    September's Patch Tuesday unveiled a critical remote vulnerability in tcpip.sys, CVE-2022-34718. The advisory from Microsoft reads: An unauthenticated attacker could send a specially crafted IPv6 packet to a Windows node where IPsec is enabled, which could enable a remote code execution exploitation on that machine. Pure remote vulnerabilities usually yield a lot of interest, but even over a month after the patch, no additional information outside of Microsoft's advisory had been . From my side, it had been a long time since I attempted to do a binary patch diff analysis, so I thought this would be a good bug to do root cause analysis and craft a proof-of-concept (PoC) for a blog post. In this blog, my follow-up article to my exploit video, I include an in-depth explanation of the reverse engineering of the bug and correct some inaccuracies I found in the Numen Cyber Labs blog.

    Reply
  35. Tomi Engdahl says:

    The Daily Dot:
    CommuteAir removed a 2019 copy of the US No Fly List, after a researcher said they found the list, with 1.5M+ entries and many aliases, on an unsecured server — One of the most sensitive U.S. government documents was left online. — An unsecured server discovered by a security researcher …

    EXCLUSIVE: U.S. airline accidentally exposes ‘No Fly List’ on unsecured server
    One of the most sensitive U.S. government documents was left online.
    https://www.dailydot.com/debug/no-fly-list-us-tsa-unprotected-server-commuteair/

    An unsecured server discovered by a security researcher last week contained the identities of hundreds of thousands of individuals from the U.S. government’s Terrorist Screening Database and “No Fly List.”

    Located by the Swiss hacker known as maia arson crimew, the server, run by the U.S. national airline CommuteAir, was left exposed on the public internet. It revealed a vast amount of company data, including private information on almost 1,000 CommuteAir employees.

    Analysis of the server resulted in the discovery of a text file named “NoFly.csv,” a reference to the subset of individuals in the Terrorist Screening Database who have been barred from air travel due to having suspected or known ties to terrorist organizations.

    The list, according to crimew, appeared to have more than 1.5 million entries in total. The data included names as well as birth dates. It also included multiple aliases, placing the number of unique individuals at far less than 1.5 million.

    “It’s just crazy to me how big that Terrorism Screening Database is and yet there is still very clear trends towards almost exclusively Arabic and Russian sounding names throughout the million entries,” crimew said.

    In a statement to the Daily Dot, TSA said that it was “aware of a potential cybersecurity incident with CommuteAir, and we are investigating in coordination with our federal partners.”

    The FBI declined to answer specific questions about the list to the Daily Dot.

    In a statement to the Daily Dot, CommuteAir said that the exposed infrastructure, which it described as a development server, was used for testing purposes.

    CommuteAir added that the server, which was taken offline prior to publication after being flagged by the Daily Dot, did not expose any customer information based on an initial investigation.

    CommuteAir also confirmed the legitimacy of the data, stating that it was a version of the “federal no-fly list” from roughly four years prior.

    “The server contained data from a 2019 version of the federal no-fly list that included first and last names and dates of birth,”

    CommuteAir is a regional airline based out of Ohio.

    In remarks to the Daily Dot, crimew said that they had made the discovery while searching for Jenkins servers on the specialized search engine Shodan. Jenkins provides automation servers that aid in the building, testing, and deployment of software. Shodan is used throughout the cybersecurity community to locate servers exposed to the open internet.

    The server also held the passport numbers, addresses, and phone numbers of roughly 900 company employees. User credentials to more than 40 Amazon S3 buckets and servers run by CommuteAir were also exposed, said crimew.

    The Terrorism Screening Database, according to the FBI, is a list of individuals shared across government departments to prevent the kind of intelligence lapses that occurred prior to 9/11. Within that is the smaller, more tightly controlled No Fly List. Individuals in the Terrorism Screening Database can be subject to certain restrictions and given additional security screening. Individuals explicitly on the No Fly List are barred from boarding aircraft in the United States.

    “This country has a massive, bloated watchlisting system that can stigmatize people—including Americans—as known or suspected terrorists based on secret standards and secret evidence without a meaningful process to challenge government error and clear their names,” Shamsi said. “The categories of people watchlisted seem ever expanding, never constricting … The consequences are significant and have real harms for people’s lives. There’s the obvious stigma and embarrassment and life hardships of being unable to fly in our modern age, to being singled out, to being searched. We’ve had mothers and fathers stigmatized and embarrassed in front of their children.”

    But an expert familiar with the contours of the No Fly List cautioned that a list that size may be the larger Terrorism Screening Database and not the smaller No Fly List.

    The Intercept in 2014 previously reported that the No Fly List held more than 47,000 names. In 2016, Sen. Dianne Feinstein (D-Calif.) suggested that over 81,000 people were on the list.

    Although the list is highly secretive and rarely leaks, it is not considered a classified document due to the number of agencies and individuals that need access to it.

    In a declaration to the ACLU, G. Clayton Grigg, at the time the Deputy Director for Operations of the Terrorist Screening Center, said that while the list does contain classified national security information, “maintaining the TSDB as a sensitive but unclassified system allows for law enforcement screening officers … to use the identifying information from the TSDB even though they may not possess Secret or Top Secret security clearances.”

    The discovery by crimew is not the first time an unsecured version of the Terrorist Screening Database has been exposed online. Security researcher Volodymyr “Bob” Diachenko found a detailed copy of the terrorism watchlist with 1.9 million entries in 2021.

    Names provided to Diachenko by the Daily Dot matched entries on the list he obtained, although Diachenko never received official confirmation his list was genuine.

    The No Fly List has routinely been criticized by privacy and civil liberties experts. The ACLU successfully sued to allow citizens to challenge their inclusion on the list.

    “It is already a massive and bloated system, and growth is exactly the kind of thing that happens when you have a vague and over-broad system of what’s essentially government surveillance based on suspicion and without due process … At the bare minimum, if the government is to use watchlists, it must have narrow and specific public criteria [for entry] and apply rigorous public procedures for reviewing, updating, and removing dubious entries.”

    Reply
  36. Tomi Engdahl says:

    Google Ads invites being abused to push spam, adult sites https://www.bleepingcomputer.com/news/security/google-ads-invites-being-abused-to-push-spam-adult-sites/
    Google Ads invites are being abused to deliver email messages promoting spam and sex websites to users who are otherwise not necessarily using Google advertising platforms. The Google Ads platform allows advertisers to create advertising campaigns on publisher partner’s web sites and in Google search results. The recently seen widespread campaign involves threat actors using the Google Ads admin interface to send bulk email invitations that, coming from Google, bypass recipient spam filters

    Reply
  37. Tomi Engdahl says:

    Apple iOS 16.3 arrives with support for hardware security keys https://www.bleepingcomputer.com/news/apple/apple-ios-163-arrives-with-support-for-hardware-security-keys/
    Apple released iOS 16.3 today with long-awaited support for hardware security keys to provide extra protection against phishing attacks and unauthorized access to your devices. Hardware security keys are small physical devices that resemble thumb drives and support USB-C (using an adapter) or Near-field communication (NFC) to connect to a Mac or iPhone. These devices can be used as the additional verification step when using two-factor authentication for Apple IDs rather than the regular six-digit verification code shown on devices

    Reply
  38. Tomi Engdahl says:

    Apple Patches WebKit Code Execution in iPhones, MacBooks
    Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.
    https://www.securityweek.com/apple-patches-webkit-code-execution-flaws/

    Apple’s product security response team on Monday rolled out patches to cover numerous serious security vulnerabilities affecting users of its flagship iOS and macOS platforms.

    The most serious of the documented vulnerabilities affect WebKit and can expose both iOS and macOS devices to code execution attacks via booby-trapped web content, Apple warned in multiple advisories.

    On the mobile side, Apple pushed out iOS and iPadOS 16.3 with fixes for more than a dozen documented security defects in a range of operating system components. These include a trio of WebKit rendering engine bugs that expose devices to arbitrary code execution.

    Reply
  39. Tomi Engdahl says:

    Critical Vulnerabilities Patched in OpenText Enterprise Content Management System
    https://www.securityweek.com/critical-vulnerabilities-patched-opentext-enterprise-content-management-system/

    Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.

    Several vulnerabilities described as having critical and high impact, including ones allowing unauthenticated remote code execution, have been found and patched in OpenText’s enterprise content management (ECM) product.

    The vulnerabilities were discovered by a researcher at cybersecurity consultancy Sec Consult in OpenText’s Extended ECM, which is designed for managing the distribution and use of information across an organization. Specifically, the flaws impact the product’s Content Server component.

    The security firm this week published three different advisories describing its findings.

    OpenText was informed about the vulnerabilities in October 2022 and patched them earlier this month with the release of version 22.4, according to Sec Consult.

    One of the critical vulnerabilities, tracked as CVE-2022-45923, can allow an unauthenticated attacker to execute arbitrary code using specially crafted requests.

    The second critical flaw, CVE-2022-45927, impacts the Java Frontend of the OpenText Content Server component and can allow an attacker to bypass authentication. Exploitation could ultimately lead to remote code execution.

    Reply
  40. Tomi Engdahl says:

    Samsung Galaxy Store Flaws Can Lead to Unwanted App Installations, Code Execution
    https://www.securityweek.com/samsung-galaxy-store-flaws-can-lead-unwanted-app-installations-code-execution/

    Two vulnerabilities in Samsung’s Galaxy Store could be exploited to install applications or execute JavaScript code by launching a web page.

    Tracked as CVE-2023-21433, the first of the vulnerabilities that NCC Group has identified could allow rogue applications on a device to download and install additional software from the Galaxy Store, without the user’s knowledge.

    The issue is described as an improper access control flaw, where the app store contained an exported activity that failed to safely handle incoming intents. The bug, NCC explains, only impacted devices running Android 12 and older.

    The second vulnerability, CVE-2023-21434, is described as an improper input validation issue that could allow a local attacker to execute JavaScript code by launching a web page.

    Reply
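    The Galaxy Store bug above boils down to an exported activity that accepted incoming intents without checking who sent them. The following is an added example, not NCC Group’s or Samsung’s code, of the static check an app reviewer or defender would run first: it parses an AndroidManifest.xml with the standard library and flags components that are exported, explicitly or implicitly through an intent filter, while requiring no android:permission. The sample manifest, its package name and its component names are constructed for illustration, and the check covers services, receivers and providers as well as activities.

```python
"""Flag exported Android components that accept intents without a permission.

Added example (not NCC Group's or Samsung's code). The manifest below is a
constructed sample; package and component names are placeholders.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed sample manifest (hypothetical app, not the Galaxy Store's manifest).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.store">
  <application>
    <activity android:name=".InstallActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <data android:scheme="examplestore"/>
      </intent-filter>
    </activity>
    <activity android:name=".AdminActivity" android:exported="true"
              android:permission="com.example.store.permission.ADMIN"/>
    <activity android:name=".LegacyActivity">
      <intent-filter>
        <action android:name="com.example.store.LEGACY"/>
      </intent-filter>
    </activity>
    <activity android:name=".PrivateActivity" android:exported="false"/>
  </application>
</manifest>
"""


def _attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def is_exported(component):
    """Apply the platform rule: an explicit android:exported wins; otherwise a
    component that declares an <intent-filter> is implicitly exported, which is
    the pre-Android 12 default that lets any app on the device reach it."""
    explicit = _attr(component, "exported")
    if explicit is not None:
        return explicit.strip().lower() == "true"
    return component.find("intent-filter") is not None


def find_unprotected_exports(manifest_xml):
    """Return (tag, name) for every exported component that requires no
    android:permission, i.e. any app on the device can send it an intent."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    findings = []
    if app is None:
        return findings
    for comp in app:
        if comp.tag not in COMPONENT_TAGS:
            continue
        if not is_exported(comp):
            continue
        if _attr(comp, "permission"):
            continue  # reachable, but the caller must hold a permission
        findings.append((comp.tag, _attr(comp, "name")))
    return findings


if __name__ == "__main__":
    for tag, name in find_unprotected_exports(SAMPLE_MANIFEST):
        print("unprotected exported %s: %s" % (tag, name))
```

    A hit from this check is not a vulnerability by itself; it is the list of entry points whose intent-handling code needs review, because a component that reaches that list and then acts on intent extras (a package name to install, a URL to load) without validating them is exactly the shape of the two issues described above.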
  41. Tomi Engdahl says:

    Companies Impacted by Recent Mailchimp Breach Start Notifying Customers

    Companies affected by the recent Mailchimp data breach have started notifying customers. The list includes WooCommerce, FanDuel, Yuga Labs and the Solana Foundation.

    https://www.securityweek.com/companies-impacted-recent-mailchimp-breach-start-notifying-customers/

    Reply
  42. Tomi Engdahl says:

    Those who logged in to OmaVero with Aktia credentials saw other people’s information – all Suomi.fi services were closed in the morning
    Jari Toivonen, Marika Anttila, Turun Sanomat, 11:20 (updated 11:58)

    https://www.ts.fi/uutiset/5886801

    Those who logged in to the OmaVero online service with Aktia credentials have seen other customers’ information, reports Verouutiset, which communicates on Tax Administration matters, on Twitter.

    The Tax Administration first closed logins to OmaVero with Aktia credentials. Later OmaVero was closed entirely.

    According to the Tax Administration, the disruption affected all Suomi.fi services, i.e. other public services as well.

    At around one o’clock Suomi.fi announced that the Aktia bank disruption was over and that Aktia’s bank identifiers were working normally again. The disruption did not affect other identification methods.

    Verouutiset first tweeted about the matter on Tuesday morning shortly after 11 o’clock.

    Reply
  43. Tomi Engdahl says:

    Don’t let your pets use your gaming gear to commit credit card fraud. The entire heist started as an experiment to see if fish could complete a game unassisted. Eventually, the pesky little critters got the Nintendo eShop to come up, did a transaction and also exposed credit card information.

    https://www.techspot.com/news/97334-pet-fish-commits-credit-card-fraud-owner-using.html

    Reply
  44. Tomi Engdahl says:

    Major problem in bank identification, other people’s tax and Kela data visible https://www.is.fi/digitoday/tietoturva/art-2000009346816.html
    There have been serious problems with Aktia bank’s identification on Tuesday morning. With the credentials it has been possible to access other people’s data. The Digital and Population Data Services Agency (DVV) confirms that there is a disruption in Aktia’s identification. According to the agency, the problem really does give access to other people’s data, but according to current information it is limited to Aktia bank. Aktia, like the other banks, is part of the Suomi.fi identification service that is widely used for logging in to public-sector online services. According to DVV, however, the fault is on the bank’s side. At least the tax authority has for now disabled Aktia identification. Aktia Bank says the cause of the fault is a software error. “The error was caused by a system update that we carried out in the morning. It was detected quickly, and we immediately began corrective measures,” says Aktia’s communications director Lotta Borgström

    Reply
  45. Tomi Engdahl says:

    FBI: North Korean hackers stole $100 million in Harmony crypto hack https://www.bleepingcomputer.com/news/security/fbi-north-korean-hackers-stole-100-million-in-harmony-crypto-hack/
    The FBI has confirmed that the North Korean state-sponsored ‘Lazarus’ and APT38 hacking groups were behind the theft of $100 million worth of Ethereum stolen from Harmony Horizon in June 2022. Harmony Horizon is a cross-chain bridge for Ethereum that suffered a breach in June 2022, allowing hackers to assume control of a MultiSigWallet contract and use it to transfer large amounts of tokens to . Yesterday, the FBI confirmed that two North Korean hacking groups, Lazarus and APT38, were behind the attack. “Through our investigation, we were able to confirm that the Lazarus Group and APT38, cyber actors associated with the DPRK, are responsible for the theft of $100 million of virtual currency from Harmony’s Horizon bridge, reported on June 24, 2022.”

    Reply
  46. Tomi Engdahl says:

    DragonSpark | Attacks Evade Detection with SparkRAT and Golang Source Code Interpretation https://www.sentinelone.com/labs/dragonspark-attacks-evade-detection-with-sparkrat-and-golang-source-code-interpretation/
    SentinelLabs has been monitoring recent attacks against East Asian organizations we track as DragonSpark. The attacks are characterized by the use of the little known open source SparkRAT and malware that attempts to evade detection through Golang source code interpretation.
    The DragonSpark attacks represent the first concrete malicious activity where we observe the consistent use of the open source SparkRAT, a relatively new occurrence on the threat landscape.
    SparkRAT is multi-platform, feature-rich, and frequently updated with new features, making the RAT attractive to threat actors. We observed that the threat actor behind the DragonSpark attacks uses Golang malware that interprets embedded Golang source code at runtime as a technique for hindering static analysis and evading detection by static analysis mechanisms. This uncommon technique provides threat actors with yet another means to evade detection mechanisms by obfuscating malware implementations

    Reply
  47. Tomi Engdahl says:

    Emotet Returns With New Methods of Evasion https://blogs.blackberry.com/en/2023/01/emotet-returns-with-new-methods-of-evasion
    Emotet, a Trojan that is primarily spread through spam emails, has been a prevalent issue since its first appearance in 2014. With a network made up of multiple botnets, denoted as epochs by security research team Cryptolaemus, Emotet has continuously sent out spam emails in campaigns designed to infect users via phishing attacks.
    Once it is successfully running on an endpoint, Emotet drops other malicious programs such as Qakbot, Cobalt Strike, or in some cases, even the notorious Ryuk ransomware. However, as of July 2022, the heavily distributed Malware-as-a-Service (MaaS) seemingly went dark, and no longer appeared to be running these spam campaigns. For the next four months, Emotet remained silent. Then, on November 2, the Cryptolaemus group found that its botnets, particularly those known as Epoch4 and Epoch5, had begun sending out spam emails once again. These phishing emails used various methods to lure victims into first opening them, and then downloading and executing .xls files, with macros used to download the Emotet dropper. With as little fanfare as when it went dark, it seems that Emotet has returned, appearing to be as malicious as ever

    Reply