Cyber security news January 2023

This posting is here to collect cyber security news in January 2023.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.

446 Comments

  1. Tomi Engdahl says:

    Pakistani authorities investigating if cyberattack caused nationwide blackout https://therecord.media/pakistani-authorities-investigating-if-cyberattack-caused-nationwide-blackout/
    Pakistani authorities are investigating whether a nationwide blackout which left millions of people without power on Monday was caused by a cyberattack. The country's energy minister Khurram Dastgir Khan told journalists during a news conference on Tuesday morning that there was a remote chance the incident was caused by hackers. Cyberattacks on energy grids are rare, although several have targeted Ukraine in the context of Russia's attacks against the country since 2014. Outages have become a common occurrence in the South Asian country in recent years, where an ongoing economic crisis and last year's devastating floods have severely impacted the lives of the country's more than 220 million people.

    Reply
  2. Tomi Engdahl says:

    Vice Society Ransomware Group Targets Manufacturing Companies https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html
    Vice Society, which was initially reported to be exploiting the PrintNightmare vulnerability in their routines, have previously deployed ransomware variants such as Hello Kitty/Five Hands and Zeppelin (the group's email has been in their ransom notes). More recently, Vice Society has been able to develop its own custom ransomware builder and adopt more robust encryption methods. This, and any further enhancements, could mean that the group is preparing for their own ransomware-as-a-service (RaaS) operation. Most reports have the threat actor focusing its efforts on the education and the healthcare industries. However, through Trend Micro's telemetry data, we have evidence that the group is also targeting the manufacturing sector, which means that they have capability and desire to penetrate different industries, most likely accomplished via the purchasing of compromised credentials from underground channels. We have detected the presence of Vice Society in Brazil (primarily affecting the country's manufacturing industry), Argentina, Switzerland, and Israel.
    In this blog entry, we'd like to highlight our findings on Vice Society, which includes an end-to-end infection diagram that we were able to create using Trend Micro internal telemetry. Our detection name for this variant of Vice Society's ransomware is Ransom.Win64.VICESOCIETY.A.

    Reply
  3. Tomi Engdahl says:

    Realtek SDK Vulnerability Attacks Highlight IoT Supply Chain Threats https://unit42.paloaltonetworks.com/realtek-sdk-vulnerability/
    Unit 42 researchers review tens of millions of attack records every month, and most months, attacks targeting a single vulnerability do not exceed 10% of the total number of attacks. However, we discovered that between August and October 2022, the number of attacks attempting to exploit a Realtek Jungle SDK remote code execution vulnerability (CVE-2021-35394) accounted for more than 40% of the total number of attacks. As of December 2022, we've observed 134 million exploit attempts in total leveraging this vulnerability, and about 97% of these attacks occurred after the start of August 2022. At the time of writing, the attack is still ongoing. Many of the attacks we observed tried to deliver malware to infect vulnerable IoT devices. This tells us that threat groups are using this vulnerability to carry out large-scale attacks on smart devices around the world. While the attacks we observed were successfully blocked by our products, it's important to assess protection of these devices in your environment.
    Because IoT devices and routers are often not considered as part of an organization's security posture, many devices and organizations could still be at risk.

    Reply
  4. Tomi Engdahl says:

    GoTo says hackers stole customers’ backups and encryption key https://www.bleepingcomputer.com/news/security/goto-says-hackers-stole-customers-backups-and-encryption-key/
    GoTo (formerly LogMeIn) is warning customers that threat actors who breached its development environment in November 2022 stole encrypted backups containing customer information and an encryption key for a portion of that data. In November 2022, the company disclosed a security breach on its development environment and a cloud storage service used by both them and its affiliate, LastPass. At the time, the impact on the client data had yet to become known as the company’s investigation into the incident with the help of cybersecurity firm Mandiant had just begun. The internal investigation so far has revealed that the incident had a significant impact on GoTo’s customers. According to a GoTo security incident notification a reader shared with BleepingComputer, the attack affected backups relating to the Central and Pro product tiers stored in a third-party cloud storage facility.

    Reply
  5. Tomi Engdahl says:

    Zendesk Hacked After Employees Fall for Phishing Attack
    https://www.securityweek.com/zendesk-hacked-after-employees-fall-for-phishing-attack/

    Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

    Customer service solutions provider Zendesk has suffered a data breach that resulted from employee account credentials getting phished by hackers.

    Cryptocurrency trading and portfolio management company Coinigy revealed last week that it had been informed by Zendesk about a cybersecurity incident.

    According to the email received by Coinigy, Zendesk learned on October 25, 2022, that several employees were targeted in a “sophisticated SMS phishing campaign”. Some employees took the bait and handed over their account credentials to the attackers, allowing them to access unstructured data from a logging platform between September 25 and October 26, 2022.

    Reply
  6. Tomi Engdahl says:

    GoTo Says Hackers Stole Encrypted Backups, MFA Settings
    https://www.securityweek.com/goto-says-hackers-stole-encrypted-backups-mfa-settings/

    GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

    Reply
  7. Tomi Engdahl says:

    Apple Patches WebKit Code Execution in iPhones, MacBooks
    Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.
    https://www.securityweek.com/apple-patches-webkit-code-execution-flaws/

    Reply
  8. Tomi Engdahl says:

    VMware Plugs Critical Code Execution Flaws
    https://www.securityweek.com/vmware-plugs-critical-code-execution-flaws/

    VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

    Virtualization technology giant VMware on Tuesday shipped its first security bulletin for 2023 with patches for multiple critical-level flaws that expose businesses to remote code execution attacks.

    VMware said the security defects affect users of its VMware vRealize Log Insight and could be exploited by an unauthenticated attacker to take full control of a target system.

    VMware’s VRealize Log Insight is a log collection and analytics virtual appliance used by administrators to collect, view, manage and analyze syslog data.

    The company said the most serious of the four documented flaws carry a CVSS severity score of 9.8 out of 10, adding to the urgency for organizations to apply available patches.

    An advisory from the Palo Alto, Calif. company described the flaws — CVE-2022-31706, CVE-2022-31704, CVE-2022-31710 and CVE-2022-31711 — as directory traversal and broken access control issues with dangerous implications.

    “An unauthenticated, malicious actor can inject files into the operating system of an impacted appliance which can result in remote code execution,” VMware warned.

    Reply
  9. Tomi Engdahl says:

    Akriti Sharma / Reuters:
    Microsoft is investigating a “potential networking issue” impacting Teams, Outlook, and more, taking the services down in India, Japan, the UK, and elsewhere

    Microsoft cloud outage hits users around the world
    https://www.reuters.com/technology/microsoft-teams-down-thousands-users-india-downdetector-2023-01-25/

    Jan 25 (Reuters) – Microsoft Corp (MSFT.O) on Wednesday was hit with a networking outage that took down its cloud platform Azure along with services such as Teams and Outlook, potentially affecting millions of users globally.

    Reporting by Akriti Sharma in Bengaluru and Supantha Mukherjee in Stockholm; Editing by Subhranshu Sahu and Elaine Hardcastle

    Reply
  10. Tomi Engdahl says:

    Alexander Martin / The Record:
    Riot Games says the company won’t pay a ransom after hackers exfiltrated source code for League of Legends, Teamfight Tactics, and “a legacy anticheat platform” — Riot Games, the video game developer and esports organizer, said on Tuesday that it had received a ransom email following a social engineering attack last week.

    https://therecord.media/riot-games-receives-ransom-email-for-stolen-source-code-following-social-engineering-attack/

    Reply
  11. Tomi Engdahl says:

    Jesse Hamilton / CoinDesk:
    The FBI says North Korea-backed hacking groups Lazarus and APT38 are behind the June 2022 theft of ~$100M in ETH, USDT, and wBTC from Harmony’s Horizon bridge

    FBI: North Korean Hackers Behind $100M Horizon Bridge Theft
    Lazarus Group and APT38, both associated with North Korea, are responsible for the attack in June, the agency concluded.
    https://www.coindesk.com/policy/2023/01/23/fbi-north-korean-hackers-behind-100-million-horizon-bridge-theft/

    Reply
  12. Tomi Engdahl says:

    All these Microsoft services are down – now the fault has been found https://www.is.fi/digitoday/art-2000009349138.html

    TECHNOLOGY COMPANY Microsoft is suffering from problems affecting at least the Teams communication software and the SharePoint platform widely used in businesses.

    The Downdetector service, which collects reports of malfunctions, shows a strong spike in fault reports concerning Microsoft Teams, Microsoft 365 services and Microsoft's Azure services.

    Reply
  13. Tomi Engdahl says:

    This is how many people's data was exposed when Aktia's authentication went wrong https://www.is.fi/digitoday/tietoturva/art-2000009350205.html

    A system update led to exceptional damage on Tuesday.

    AKTIA Bank's problem with strong authentication caused the bank's customers to see other people's personal data, for example in the online services of the Tax Administration or Kela, on Tuesday morning. The fault, which affected Suomi.fi authentication among others, was caused by a failed system update at Aktia.

    How many erroneous authentication events were recorded, i.e. how many people's data leaked, Aktia's communications director Lotta Borgström?

    – During the disruption, 62 erroneous authentication events occurred.

    What was the exact cause of the damage, i.e. how can a system update go wrong in this way?

    – We updated the system to simplify and clarify authentication. In this connection, incorrect configurations unfortunately remained in the system. All of these were corrected immediately yesterday, by 10 a.m.

    Whose data was seen? Are they all Aktia customers, or just anyone?

    – The disruption only concerned Aktia's customers. We will contact all customers affected by the disruption in the authentication service as soon as possible. We have also made the necessary notifications to the authorities about the matter.

    BORGSTRÖM already emphasised on Tuesday that such an error is in no way acceptable. Aktia Bank is very sorry about what happened.

    The fault, which lasted less than an hour, did not affect online banking authentication.

    Reply
  14. Tomi Engdahl says:

    Microsoft 365 outage takes down Teams, Exchange Online, Outlook https://www.bleepingcomputer.com/news/microsoft/microsoft-365-outage-takes-down-teams-exchange-online-outlook/
    Microsoft is investigating an ongoing outage impacting multiple Microsoft 365 services after customers have reported experiencing connection issues. “We’re investigating issues impacting multiple Microsoft 365 services. We’ve identified a potential networking issue and are reviewing telemetry to determine the next troubleshooting steps,” the Microsoft 365 team said in a Twitter thread. “We've isolated the problem to networking configuration issues, and we’re analyzing the best mitigation strategy to address these without causing additional impact.” According to Redmond, users across all regions currently being serviced by the impacted infrastructure may be unable to access the affected Microsoft 365 services.

    Reply
  15. Tomi Engdahl says:

    Logfile management is no fun. Now it’s a nightmare thanks to critical-rated VMware flaws https://www.theregister.com/2023/01/25/critical_vmware_flaws/
    VMware has issued fixes for four vulnerabilities, including two critical 9.8-rated remote code execution bugs, in its vRealize Log Insight software. There are no reports (yet) of nation-state thugs or cybercriminals finding and exploiting these bugs, according to VMware.
    However, it’s a good idea to patch sooner than later to avoid being patient zero. vRealize Log Insight is a log management tool – everyone’s favourite task, not – and while it may not be as popular as some of the virtualization giant’s other products, VMware’s ubiquity across enterprises and governments and practice of bundling products means holes in its products are always very attractive targets for miscreants looking to make a buck and/or steal sensitive information.
    The two most serious bugs in today’s security advisory include a directory traversal vulnerability (CVE-2022-31703) and a broken access control vulnerability (CVE-2022-31704). Both received a near-perfect 9.8 out of 10 CVSS rating.

    Reply
  16. Tomi Engdahl says:

    Hilton denies hack after data from 3.7 million Honors customer offered for sale https://therecord.media/hilton-denies-hack-after-data-from-3-7-million-honors-customer-offered-for-sale/
    Hotel giant Hilton denied that it has been hacked after cybercriminals claimed to have breached the company's systems and stolen data related to 3.7 million customers. On Monday, hackers said they stole a database from 2017 consisting of information from customers enrolled in the Hilton Hotel Honors program. The information in the database includes names, Honors ID and Honors Tier as well as more specific data on reservations like check-in dates and more. A Hilton spokesperson told The Record that while they do not believe they have been hacked, they are investigating the claims.

    Reply
  17. Tomi Engdahl says:

    DuoLingo investigating dark web post offering data from 2.6 million accounts https://therecord.media/duolingo-investigating-dark-web-post-offering-data-from-2-6-million-accounts/
    Language learning platform DuoLingo said it is investigating a post on a hacking forum offering information on 2.6 million customer accounts for $1,500. A spokesperson for the company said they are aware of the post, which was created on Tuesday morning and offers emails, phone numbers, courses taken and other information on how customers use the platform. These records were obtained by data scraping public profile information, a spokesperson said. No data breach or hack has occurred.
    We take data privacy and security seriously and are continuing to investigate this matter to determine if there's any further action needed to protect our learners. In the post, the hacker said they obtained the information from scraping an exposed application programming interface (API) and provided a sample of data from 1,000 accounts.

    Reply
  18. Tomi Engdahl says:

    Securonix Security Advisory: Python-Based PY#RATION Attack Campaign Leverages Fernet Encryption and Websockets to Avoid Detection https://www.securonix.com/blog/security-advisory-python-based-pyration-attack-campaign/
    The Securonix Threat Research Team has identified a new Python-based attack campaign (tracked by Securonix as PY#RATION) in the wild. The malware exhibits remote access trojan (RAT) behavior, allowing for control of and persistence on the affected host. As with other RATs, PY#RATION possesses a whole host of features and capabilities, including data exfiltration and keylogging. What makes this malware particularly unique is its utilization of websockets for both command and control (C2) communication and exfiltration as well as how it evades detection from antivirus and network security measures. The use of Python for malicious purposes is increasing, and is noteworthy for its similarities to Go-based malware, as demonstrated by the GO#WEBBFUSCATOR attack campaign we covered previously. To illustrate, malicious code can be compiled and packed into an executable requiring no outside code or library dependencies, making cross-platform support possible. Creating Python executables in Windows can be trivial and requires only the knowledge of a few existing tools such as Py2exe or auto-py-to-exe, for example.

    Reply
  19. Tomi Engdahl says:

    Exploiting Hardcoded Keys to achieve RCE in Yellowfin BI https://blog.assetnote.io/2023/01/24/yellowfin-auth-bypass-to-rce/
    At Assetnote, we often audit enterprise software source code to discover pre-authentication vulnerabilities. Yellowfin BI had significance to us because it is a popular analytics platform for product managers, and we were able to deliver value to customers of our Attack Surface Management platform by alerting our customers about their exposure. One of the patterns that we often come across when performing source code review is the usage of hardcoded keys. This blog post will describe how we leveraged a number of hardcoded keys inside a Java monolith application (Yellowfin BI) to achieve command execution. All three of our authentication bypass vulnerabilities were due to hardcoded keys which were used to encrypt/decrypt auth related data. This blog post will walk you through the entire exploit chain which goes from pre-authentication to post-authentication, leading finally to command execution. In this blog post, we will provide exploit code for each vulnerability.

    Reply
  20. Tomi Engdahl says:

    VMware Plugs Critical Code Execution Flaws
    https://www.securityweek.com/vmware-plugs-critical-code-execution-flaws/
    VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.
    Virtualization technology giant VMware on Tuesday shipped its first security bulletin for 2023 with patches for multiple critical-level flaws that expose businesses to remote code execution attacks.
    VMware said the security defects affect users of its VMware vRealize Log Insight and could be exploited by an unauthenticated attacker to take full control of a target system.
    The company said the most serious of the four documented flaws carry a CVSS severity score of 9.8 out of 10, adding to the urgency for organizations to apply available patches.
    An advisory from the Palo Alto, Calif. company described the flaws — CVE-2022-31706, CVE-2022-31704, CVE-2022-31710 and CVE-2022-31711 — as directory traversal and broken access control issues with dangerous implications.

    Reply
  21. Tomi Engdahl says:

    Riot Games Says Source Code Stolen in Ransomware Attack
    https://www.securityweek.com/riot-games-says-source-code-stolen-in-ransomware-attack/

    Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack.

    Reply
  22. Tomi Engdahl says:

    North Korean APT Expands Its Attack Repertoire

    The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by other hackers.

    https://www.securityweek.com/north-korean-apt-expands-its-attack-repertoire-into-phishing/

    Reply
  23. Tomi Engdahl says:

    Security Update for Chrome 109 Patches 6 Vulnerabilities
    https://www.securityweek.com/security-update-for-chrome-109-patches-6-vulnerabilities/

    Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.

    Google has awarded a total of more than $25,000 to the researchers who reported the vulnerabilities patched with the release of a Chrome 109 update.

    The company informed users on Tuesday that six security holes have been patched in Chrome, including four reported by external researchers.

    Two of them are high-severity use-after-free issues affecting the WebTransport and WebRTC components. Researchers Chichoo Kim and Cassidy Kim have been credited for reporting the flaws and they have earned a total of $19,000 for their findings.

    These vulnerabilities are tracked as CVE-2023-0471 and CVE-2023-0472.

    https://chromereleases.googleblog.com/2023/01/stable-channel-update-for-desktop_24.html

    Reply
  24. Tomi Engdahl says:

    Zendesk Hacked After Employees Fall for Phishing Attack
    https://www.securityweek.com/zendesk-hacked-after-employees-fall-for-phishing-attack/

    Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

    Reply
  25. Tomi Engdahl says:

    Menghan Xiao / SC Media:
    Using automation, Trellix patches nearly 62K open-source projects susceptible to a Python path traversal flaw first disclosed in 2007, affecting ~350K projects — The Trellix research team said they have patched nearly 62,000 open-source projects that were susceptible to a 15-year-old path …
    Trellix automates patching for 62,000 open-source projects linked to a 15-year-old Python bug
    https://www.scmagazine.com/analysis/application-security/trellix-automates-patching-for-62000-open-source-projects-linked-to-a-15-year-old-python-bug

    The Trellix research team said they have patched nearly 62,000 open-source projects that were susceptible to a 15-year-old path traversal vulnerability in the Python programming ecosystem.

    The team identified the bug, tracked under CVE-2007-4559, in Python’s tarfile module late last year. It was first reported to the Python project in 2007 but left unchecked. Since then, its presence has greatly expanded as it has been used in approximately 350,000 open-source projects and countless other closed-source or proprietary software projects.

    To minimize the vulnerability surface area the team drew inspiration from security researcher Jonathan Leitschuh’s DEFCON 2022 talk on fixing vulnerabilities at scale, spending months conducting automated patching to close the vulnerability in 61,895 open-source projects, according to a Jan. 23 Trellix blog post.

    Trellix Advanced Research Center Patches 61,000 Vulnerable Open-Source Projects
    https://www.trellix.com/en-us/about/newsroom/stories/research/trellix-advanced-research-center-patches-vulnerable-open-source-projects.html

    Late last year, the Trellix Advanced Research Center team uncovered a vulnerability in Python’s tarfile module. As we dug in, we realized this was CVE-2007-4559 – a 15-year-old path traversal vulnerability with potential to allow an attacker to overwrite arbitrary files. CVE-2007-4559 was reported to the Python project in 2007, and left unchecked, had been unintentionally added to an estimated 350,000 open-source projects and prevalent in closed-source projects.

    Today, we’re excited to share an update on this work. Through GitHub, our vulnerability research team has patched 61,895 open-source projects previously susceptible to the vulnerability. This work was led by Kasimir Schulz and Charles McFarland, and concluded earlier this month.

    Reply
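The tarfile traversal described in the comment above (CVE-2007-4559) comes down to one missing check: the archive decides where each member is written, and a member name such as `../x` or a symlink pointing above the destination lands outside the extraction directory. The following is an added example, not Trellix's code nor the fix they submitted to projects; it shows the defender's side, a pre-extraction validator that resolves every member path and link target against the destination and refuses the whole archive if any member would escape. The archive is constructed inline for the demonstration and the destination path `/tmp/extract_here` is an assumed value.

```python
from __future__ import annotations

import io
import os
import tarfile


def is_within_directory(directory: str, target: str) -> bool:
    """True if `target` resolves to a path at or below `directory`."""
    abs_directory = os.path.abspath(directory)
    abs_target = os.path.abspath(target)
    return os.path.commonpath([abs_directory, abs_target]) == abs_directory


def unsafe_members(tar: tarfile.TarFile, dest: str) -> list[str]:
    """Return the names of members that would be written outside `dest`.

    Checks the member path itself and, for links, the link target: an
    archive-controlled '..' segment, an absolute name, or a symlink whose
    target leaves `dest` are the CVE-2007-4559-style escapes.
    """
    bad: list[str] = []
    for member in tar.getmembers():
        member_path = os.path.join(dest, member.name)
        if not is_within_directory(dest, member_path):
            bad.append(member.name)
            continue
        if member.issym():
            # Symlink targets are relative to the link's own directory.
            link_path = os.path.join(os.path.dirname(member_path), member.linkname)
            if not is_within_directory(dest, link_path):
                bad.append(member.name)
        elif member.islnk():
            # Hard-link targets are relative to the archive root.
            if not is_within_directory(dest, os.path.join(dest, member.linkname)):
                bad.append(member.name)
    return bad


def safe_extract(tar: tarfile.TarFile, dest: str) -> None:
    """Refuse the archive before writing anything if any member escapes `dest`."""
    bad = unsafe_members(tar, dest)
    if bad:
        raise ValueError(f"refusing to extract, members escape {dest!r}: {bad}")
    tar.extractall(dest)


def build_demo_archive() -> bytes:
    """Constructed sample archive: one benign file plus two traversal members."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        data = b"hello\n"

        benign = tarfile.TarInfo("safe/readme.txt")
        benign.size = len(data)
        tar.addfile(benign, io.BytesIO(data))

        # Member name with a '..' segment: would be written to dest/../escaped.txt.
        traversal = tarfile.TarInfo("../escaped.txt")
        traversal.size = len(data)
        tar.addfile(traversal, io.BytesIO(data))

        # Symlink inside dest whose target points two levels above it.
        link = tarfile.TarInfo("safe/link")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../outside"
        tar.addfile(link)
    return buf.getvalue()


def check_demo(dest: str = "/tmp/extract_here") -> list[str]:
    """Names the validator flags in the constructed archive (assumed dest path)."""
    with tarfile.open(fileobj=io.BytesIO(build_demo_archive()), mode="r") as tar:
        return unsafe_members(tar, dest)


def demo_refused(dest: str = "/tmp/extract_here") -> bool:
    """True when safe_extract refuses the constructed archive; nothing is written."""
    with tarfile.open(fileobj=io.BytesIO(build_demo_archive()), mode="r") as tar:
        try:
            safe_extract(tar, dest)
        except ValueError:
            return True
    return False


if __name__ == "__main__":
    print("flagged members:", check_demo())
    print("extraction refused:", demo_refused())
```

On Python 3.12 and the patched 3.8 to 3.11 point releases, the standard library's own answer is `tar.extractall(dest, filter="data")`, which rejects the same classes of member; the explicit validator above is what a project stuck on an older interpreter, or one that wants to log exactly which member was rejected, would keep.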
  26. Tomi Engdahl says:

    The latest ransomware spreads in Putin's name
    https://etn.fi/index.php/13-news/14518-uusin-kiristysohjelma-leviaeae-putinin-nimissae

    According to cybersecurity company Fortinet, various ransomware variants have increased recently. One recently encountered variant is a program topically named Putin, behind which is a group calling itself Putin Team.

    Like many other ransomware programs, the Putin variant encrypts the files on the recipient's computer and then extorts money from the victim. The variant saves a README.txt text file on the victim's machine, promising to restore the encrypted files provided the victim pays a ransom for them within two days. This tactic, in which the victim is pressured to pay as quickly as possible, is used in many ransomware programs.

    Reply
  27. Tomi Engdahl says:

    Beware of emails from these well-known companies!
    https://etn.fi/index.php/13-news/14516-varo-meilejae-naeiltae-tunnetuilta-yrityksiltae

    The research division of security company Check Point Software Technologies has published its Brand Phishing report for the last quarter of 2022. According to the report, the most imitated brand in phishing attacks in October-December was Yahoo. It rose 23 places on the list from the previous quarter.

    A full fifth, i.e. 20 percent, of all brand impersonation attempts were related to the Yahoo brand.

    DHL came second with a 16 percent share of brand impersonation attempts, and Microsoft third (11 percent). LinkedIn, which returned to the list, was in fifth place (5.7 percent).

    In a phishing attack, criminals try to imitate the website of a well-known company or brand by using a similar domain name or URL and a look-alike appearance. The link leading to the fake website can be sent to victims by email or text message. It is also possible that the victim is directed to the fake page while browsing the web or through a fake phone app. The fake website often contains a form intended to steal the victim's personal or payment details or passwords.

    Reply
  28. Tomi Engdahl says:

    Cyber attack crippled dental care – SK: Bill of hundreds of thousands, Säkylä's X-ray images missing https://www.is.fi/digitoday/tietoturva/art-2000009353137.html

    A December cyber attack against the municipality of Säkylä is still causing problems in dental care.

    Reply
  29. Tomi Engdahl says:

    Source code for all major services of Yandex has been leaked:
    Search Engine and Indexing Bot
    Maps – Like Google Maps and Street View
    Alice – AI assistant like Siri / Alexa
    Taxi – Uber-like taxi service
    Direct – Ads service like Google Ads / Adwords
    Mail – Mail service like GMail
    Disk – File storage service like Google drive
    Market – Marketplace like Amazon
    Travel – Like a Booking.com plus Airplane, Train and Bus tickets
    Yandex360 – Like Google Workspaces for services on your own domain
    Cloud – Probably not all infrastructure code was leaked.
    Pay – Payment processing like Stripe, but with limited set of features
    Metrika – Like Google Analytics
    https://gist.github.com/ArseniyShestakov/53a80e3214601aa20d1075872a1ea989

    Reply
  30. Tomi Engdahl says:

    Hacker ”Guccifer” tells why he committed his crimes – the stunt had earth-shattering consequences
    https://www.mikrobitti.fi/uutiset/hakkeri-guccifer-kertoo-miksi-teki-rikoksensa-tempulla-oli-jarisyttavat-seuraukset/cb1853bb-5f58-4b52-b9e6-a1ed7b854d3d

    Hacker Marcel ”Guccifer” Lazar, who has returned to his home country after a long prison sentence, opens up about his past and his motives for a large-scale hacking campaign.

    Reply
  31. Tomi Engdahl says:

    Cybercriminals stung as HIVE infrastructure shut down https://www.europol.europa.eu/media-press/newsroom/news/cybercriminals-stung-hive-infrastructure-shut-down
    Europol supported the German, Dutch and US authorities in taking down the infrastructure of the prolific HIVE ransomware. This international operation involved authorities from 13* countries in total. Law enforcement identified the decryption keys and shared them with many of the victims, helping them regain access to their data without paying the cybercriminals.

    Reply
  32. Tomi Engdahl says:

    New Mimic ransomware abuses ‘Everything’ Windows search tool https://www.bleepingcomputer.com/news/security/new-mimic-ransomware-abuses-everything-windows-search-tool/
    Security researchers discovered a new ransomware strain they named Mimic that leverages the APIs of the ‘Everything’ file search tool for Windows to look for files targeted for encryption. Discovered in June 2022 by researchers at cybersecurity company Trend Micro, the malware appears to target mainly English and Russian-speaking users.

    Reply
  33. Tomi Engdahl says:

    Google Takes Down 50,000 Instances of Pro-Chinese DRAGONBRIDGE Influence Operation https://thehackernews.com/2023/01/google-takes-down-50000-instances-of.html
    Google on Thursday disclosed it took steps to dismantle over 50,000 instances of activity orchestrated by a pro-Chinese influence operation known as DRAGONBRIDGE in 2022. “Most DRAGONBRIDGE activity is low quality content without a political message, populated across many channels and blogs,” the company’s Threat Analysis Group (TAG) said in a report shared with The Hacker News. “However, a small fraction of DRAGONBRIDGE accounts also post about current events with messaging that pushes pro-China talking points.” DRAGONBRIDGE was first exposed by Google-owned Mandiant in July 2022, calling out its unsuccessful efforts in targeting rare earth mining companies in Australia, Canada, and the U.S. with the goal of triggering environmental protests against the firms.

    Reply
  34. Tomi Engdahl says:

    U.S. Federal Agencies Fall Victim to Cyber Attack Utilizing Legitimate RMM Software https://thehackernews.com/2023/01/us-federal-agencies-fall-victim-to.html
    At least two federal agencies in the U.S. fell victim to a “widespread cyber campaign” that involved the use of legitimate remote monitoring and management (RMM) software to perpetuate a phishing scam.
    “Specifically, cyber criminal actors sent phishing emails that led to the download of legitimate RMM software ScreenConnect (now ConnectWise Control) and AnyDesk – which the actors used in a refund scam to steal money from victim bank accounts,” U.S. cybersecurity authorities said.

    Reply
  35. Tomi Engdahl says:

    Bitwarden password vaults targeted in Google ads phishing attack https://www.bleepingcomputer.com/news/security/bitwarden-password-vaults-targeted-in-google-ads-phishing-attack/
    Bitwarden and other password managers are being targeted in Google ads phishing campaigns to steal users’ password vault credentials. On Tuesday, Bitwarden users began seeing a Google ad titled ‘Bitward – Password Manager’ in search results for “bitwarden password manager.”
    The phishing site was an exact replica of the legitimate Bitwarden Web Vault login page.

    Reply
  36. Tomi Engdahl says:

    Yandex denies hack, blames source code leak on former employee https://www.bleepingcomputer.com/news/security/yandex-denies-hack-blames-source-code-leak-on-former-employee/
    A Yandex source code repository allegedly stolen by a former employee of the Russian technology company has been leaked as a Torrent on a popular hacking forum. Yesterday, the leaker posted a magnet link that they claim is ‘Yandex git sources’ consisting of 44.7 GB of files stolen from the company in July 2022. These code repositories allegedly contain all of the company’s source code besides anti-spam rules. Software engineer Arseniy Shestakov analyzed the leaked Yandex Git repository and said it contains technical data and code.

    Reply
  37. Tomi Engdahl says:

    Exploit released for critical Windows CryptoAPI spoofing bug https://www.bleepingcomputer.com/news/security/exploit-released-for-critical-windows-cryptoapi-spoofing-bug/
    Proof-of-concept exploit code has been released by Akamai researchers for a critical Windows CryptoAPI vulnerability discovered by the NSA and U.K.’s NCSC allowing MD5-collision certificate spoofing. Tracked as CVE-2022-34689, this security flaw was addressed with security updates released in August 2022, but Microsoft only made this public in October, when the advisory was first published. “An attacker could manipulate an existing public X.509 certificate to spoof their identity and perform actions such as authentication or code signing as the targeted certificate,” Microsoft explains.

    Reply
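    The comment above describes the weakness in outline only. The following is an added example, not Akamai’s proof of concept and not Microsoft’s code: a toy model of a certificate cache that keys trust verdicts on an MD5 thumbprint, next to a hardened cache that keys on SHA-256 and re-compares the full certificate bytes on every hit. The two 128-byte blobs are the published Wang et al. MD5 collision pair standing in for DER-encoded certificates; that substitution, and the cache API itself, are assumptions of the example.

```python
"""Added example (not Akamai's PoC or Microsoft's code): a model of a certificate
cache keyed by MD5 thumbprint, the design weakness behind CVE-2022-34689, beside
a cache that keys on SHA-256 and compares the cached bytes on every hit.

The two blobs are the published Wang et al. MD5 collision pair and stand in for
'certificates'; real X.509 parsing is out of scope (assumption of this example).
"""
import hashlib
import hmac

# Placeholder "certificate" bytes: two distinct inputs with the same MD5 digest.
CERT_TRUSTED = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
CERT_FORGED = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)


class Md5ThumbprintCache:
    """Vulnerable pattern: a trust verdict is looked up by MD5 thumbprint alone."""

    def __init__(self):
        self._verdicts = {}

    def remember(self, der: bytes, trusted: bool) -> None:
        self._verdicts[hashlib.md5(der).digest()] = trusted

    def is_trusted(self, der: bytes):
        # Any blob whose MD5 collides with a cached entry inherits its verdict.
        return self._verdicts.get(hashlib.md5(der).digest())


class Sha256Cache:
    """Hardened pattern: strong hash as key, and the stored bytes are re-checked."""

    def __init__(self):
        self._entries = {}

    def remember(self, der: bytes, trusted: bool) -> None:
        self._entries[hashlib.sha256(der).digest()] = (der, trusted)

    def is_trusted(self, der: bytes):
        hit = self._entries.get(hashlib.sha256(der).digest())
        if hit is None:
            return None
        cached_der, trusted = hit
        # Even if the key ever collided, a byte mismatch is treated as a miss.
        if not hmac.compare_digest(cached_der, der):
            return None
        return trusted


def demo():
    """Return (md5_collides, vulnerable_cache_verdict, hardened_cache_verdict)."""
    collides = (CERT_TRUSTED != CERT_FORGED and
                hashlib.md5(CERT_TRUSTED).digest() == hashlib.md5(CERT_FORGED).digest())
    weak = Md5ThumbprintCache()
    weak.remember(CERT_TRUSTED, trusted=True)   # legitimate cert verified once
    strong = Sha256Cache()
    strong.remember(CERT_TRUSTED, trusted=True)
    # The forged blob was never verified, yet the MD5-keyed cache vouches for it.
    return collides, weak.is_trusted(CERT_FORGED), strong.is_trusted(CERT_FORGED)


if __name__ == "__main__":
    print(demo())
```

    The point for a practitioner is that a cache lookup is a trust decision: a thumbprint is only a safe key if the hash is collision resistant, and a cheap full-byte comparison on every hit removes the dependence on the hash entirely.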
  38. Tomi Engdahl says:

    Chinese Hackers Adopting Open Source ‘SparkRAT’ Tool
    https://www.securityweek.com/chinese-hackers-adopting-open-source-sparkrat-tool/

    Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

    Reply
  39. Tomi Engdahl says:

    UK Gov Warns of Phishing Attacks Launched by Iranian, Russian Cyberspies
    https://www.securityweek.com/uk-gov-warns-of-phishing-attacks-launched-by-iranian-russian-cyberspies/

    The UK’s NCSC has issued a security advisory to warn about spearphishing campaigns conducted by two unrelated Russian and Iranian hacker groups.

    The United Kingdom’s National Cyber Security Centre (NCSC) has published an advisory to warn organizations and individuals about separate spearphishing campaigns conducted by Russian and Iranian cyberespionage groups.

    The advisory focuses on activities conducted by the Russia-linked Seaborgium group (aka Callisto, Blue Callisto and Coldriver) and the Iran-linked TA453 (aka Charming Kitten, APT35, Magic Hound, NewsBeef, Newscaster and Phosphorus).

    Reply
  40. Tomi Engdahl says:

    Hive Ransomware Operation Shut Down by Law Enforcement
    https://www.securityweek.com/hive-ransomware-operation-apparently-shut-down-by-law-enforcement/

    The Hive ransomware website has been seized as part of an operation that involved law enforcement in 10 countries.

    Reply
  41. Tomi Engdahl says:

    820k Impacted by Data Breach at Zacks Investment Research
    https://www.securityweek.com/820k-impacted-by-data-breach-at-zacks-investment-research/

    Zacks Investment Research is informing 820,000 individuals that their personal data was compromised in a data breach.

    Founded in 1978, Zacks Investment Research is one of the largest providers of stock research, analysis and recommendations for firms in the US.

    Earlier this week, the company informed the Maine Attorney General’s Office that the personal information of 820,000 individuals was compromised after a third-party gained unauthorized access to its systems.

    The data breach, the firm says, was discovered in December 2022, but the unauthorized access occurred sometime between November 2021 and August 2022.

    Reply
  42. Tomi Engdahl says:

    US Infiltrates Big Ransomware Gang: ‘We Hacked the Hackers’
    https://www.securityweek.com/us-infiltrates-big-ransomware-gang-we-hacked-the-hackers/

    The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

    Reply
  43. Tomi Engdahl says:

    Cyberattacks Target Websites of German Airports, Admin
    https://www.securityweek.com/cyberattacks-target-websites-of-german-airports-admin/

    Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet.

    The websites of German airports, public administration bodies and financial sector organizations have been hit by cyberattacks instigated by a Russian “hacker group”, authorities said Thursday.

    The Federal Cyber Security Authority (BSI) had “knowledge of DDoS attacks against targets in Germany”, a spokesman told AFP.

    A distributed denial-of-service (DDoS) attack is designed to overwhelm the target with a flood of internet traffic, preventing the system from functioning normally.

    The attacks were aimed “in particular at the websites of airports”, as well as some “targets in the financial sector” and “the websites of federal and state administrations”, the spokesman said.

    The attack had been “announced by the Russian hacker group Killnet”, the BSI spokesman said.

    The group’s call to arms was in response to Chancellor Olaf Scholz’s announcement Wednesday that Germany would send Leopard 2 tanks to Ukraine to help repel the Russian invasion, according to financial daily Handelsblatt.

    Reply
  44. Tomi Engdahl says:

    Microsoft Urges Customers to Patch Exchange Servers
    https://www.securityweek.com/microsoft-urges-customers-to-patch-exchange-servers/

    Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

    Microsoft this week published a blog post to remind its customers of the continuous wave of attacks targeting Exchange servers and to urge them to install the latest available updates as soon as possible.

    “Attackers looking to exploit unpatched Exchange servers are not going to go away,” Microsoft says, reminding customers that both a cumulative update (CU) and a security update (SU) are available for Exchange.

    “There are too many aspects of unpatched on-premises Exchange environments that are valuable to bad actors looking to exfiltrate data or commit other malicious acts,” the company continues.

    Reply
  45. Tomi Engdahl says:

    Iranian APT Leaks Data From Saudi Arabia Government Under New Persona
    https://www.securityweek.com/iranian-apt-leaks-data-from-saudi-arabia-government-under-new-persona/

    Iranian APT Moses Staff is leaking data stolen from Saudi Arabia government ministries under the recently created Abraham’s Ax persona.

    Reply
  46. Tomi Engdahl says:

    PlugX malware hides on USB devices to infect new Windows hosts
    https://www.bleepingcomputer.com/news/security/plugx-malware-hides-on-usb-devices-to-infect-new-windows-hosts/

    Security researchers have analyzed a variant of the PlugX malware that can hide malicious files on removable USB devices and then infect the Windows hosts they connect to.

    The malware uses what researchers call “a novel technique” that allows it to remain undetected for longer periods and could potentially spread to air-gapped systems.

    A sample of this PlugX variant was found by Palo Alto Networks’ Unit 42 team during a response to a Black Basta ransomware attack that relied on GootLoader and the Brute Ratel post-exploitation toolkit for red-team engagements.

    Reply
  47. Tomi Engdahl says:

    DNS DriveBy: Stealthy GPS Tracking Using Open Wi-Fi
    How I created a $10 ESP8266 GPS Tracker that uses Open Wi-Fi networks & DNS exfiltration for communication.
    https://www.hackster.io/alexlynd/dns-driveby-stealthy-gps-tracking-using-open-wi-fi-65730a

    Reply
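    The tracker linked above communicates by DNS exfiltration over open Wi-Fi. As an added example that is not the DNS DriveBy firmware, the block below shows the two halves of that channel in Python: packing a GPS fix into one DNS label under an attacker-controlled zone and recovering it on the authoritative side, plus a minimal detection rule for the traffic pattern (many distinct, long, random-looking leftmost labels under one zone). The zone name, field layout and thresholds are assumptions of this example, and the query log is constructed.

```python
"""Added example (not the DNS DriveBy project's code): GPS fixes carried in DNS
query names, decoded server-side, and a simple detector for that pattern.
Zone name, record layout and thresholds are assumptions of this example.
"""
import base64
import math
import struct
from collections import defaultdict

EXFIL_ZONE = "track.example"   # assumed attacker-controlled zone


def encode_fix(device_id: int, lat: float, lon: float, ts: int) -> str:
    """Pack device id, lat/lon (1e-5 degree units) and unix time into one label."""
    payload = struct.pack(">HiiI", device_id, round(lat * 1e5), round(lon * 1e5), ts)
    label = base64.b32encode(payload).decode().rstrip("=").lower()
    if len(label) > 63:
        raise ValueError("a single DNS label cannot exceed 63 octets")
    return f"{label}.{EXFIL_ZONE}"


def decode_fix(qname: str):
    """Authoritative-server side: recover the fix from the leftmost label."""
    label = qname.split(".")[0].upper()
    label += "=" * (-len(label) % 8)          # restore base32 padding
    device_id, lat_e5, lon_e5, ts = struct.unpack(">HiiI", base64.b32decode(label))
    return device_id, lat_e5 / 1e5, lon_e5 / 1e5, ts


def label_entropy(label: str) -> float:
    """Shannon entropy in bits per character of one label."""
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def flag_exfil(qnames, min_unique=5, min_len=16, min_entropy=2.5):
    """Return zones that receive many distinct long, high-entropy leftmost labels.

    Encoded payloads are long and never repeat, while ordinary hostnames are
    short and few; the per-zone count of distinct labels is the main signal and
    the entropy floor only drops obvious non-random names.
    """
    per_zone = defaultdict(set)
    for q in qnames:
        parts = q.rstrip(".").lower().split(".")
        if len(parts) < 3:
            continue
        leftmost, zone = parts[0], ".".join(parts[-2:])
        if len(leftmost) >= min_len and label_entropy(leftmost) >= min_entropy:
            per_zone[zone].add(leftmost)
    return sorted(z for z, labels in per_zone.items() if len(labels) >= min_unique)


def run_demo():
    """Constructed log: eight fixes from one moving tracker plus benign lookups."""
    fixes = [(7, 60.16952 + i * 0.0003, 24.93545 + i * 0.0002, 1674800000 + 10 * i)
             for i in range(8)]
    constructed_log = [encode_fix(*f) for f in fixes] + [
        "www.example.com", "mail.example.com", "cdn-assets-prod-eu-west-1.example.org",
        "time.windows.com", "www.example.com",
    ]
    return flag_exfil(constructed_log)


if __name__ == "__main__":
    q = encode_fix(7, 60.16952, 24.93545, 1674800000)
    print(q, decode_fix(q), run_demo())
```

    On a captive-portal or guest network the resolver usually answers (or forwards) DNS before any authentication, which is why the channel works; a detector like the one above belongs on the resolver logs of that network, not on the tracker side.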
  48. Tomi Engdahl says:

    Microsoft Outage Outrage: Was it BGP or DNS?
    https://devops.com/microsoft-outage-bgp-dns-richixbw/

    Azure’s Single Point of Failure
    Analysis: It’s DNS. It’s always DNS (unless it’s BGP)
    It’s clear that some hapless Microserf b0rked the internal network with a configuration change. It appears the change didn’t immediately cause problems, but issues slowly rippled across the infrastructure. This has all the hallmarks of a dodgy DNS config or a broken BGP update.

    What’s the story? Akriti Sharma reports—“Microsoft cloud outage hits users around the world”:

    “Domino effect”
    Microsoft [said] a networking outage took down its cloud platform Azure along with services such as Teams and Outlook used by millions around the globe. Azure’s status page showed services were impacted in Americas, Europe, Asia Pacific, Middle East and Africa.

    Speaking of a domino effect, here’s Captain Scarlet:

    Yet again a morning of whinging at yet another single point of failure. … I couldn’t access anything (Windows Laptop and Android handset) thanks to the global corp using Microsoft Authenticator: … This wasn’t working either.

    Because I couldn’t auth with Microsoft MFA, my VPN would connect but refuse to auth further. I couldn’t access the internet because the Proxy software used couldn’t authenticate.

    Aside from China, this is a global outage. So sofixa says that’s unheard of:

    Azure … is badly designed to such an extent that multiple times there have been global outages. … Azure availability, security (the only major cloud provider with not one but multiple cross-tenant security exploits) and usability are pretty terrible so it shouldn’t be used for anything but saying, “This is how it should not be done.”

    GCP had a similar thing once, where a BGP update knocked out their Asian regions. AWS have never had a global outage.

    Meanwhile, at least u/StConvolute is happy:

    At work I’ve gone from being labeled as, “Old man who yells at clouds,” to, “The guy who saw it coming.”

    The Moral of the Story:
    Life imposes things on you that you can’t control, but you still have the choice of how you’re going to live through this
    —Celine Dion

    Reply
