This posting is here to collect cyber security news in February 2023.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
390 Comments
Tomi Engdahl says:
City of Oakland Hit by Ransomware Attack
https://www.securityweek.com/city-of-oakland-hit-by-ransomware-attack/
The City of Oakland has disclosed a ransomware attack that impacted several non-emergency systems.
Tomi Engdahl says:
Patch Tuesday: Microsoft Warns of Exploited Windows Zero-Days
https://www.securityweek.com/patch-tuesday-microsoft-warns-of-exploited-windows-zero-days/
Microsoft’s Patch Tuesday machine is humming loudly with software updates to fix at least 76 vulnerabilities in Windows and OS components, and the company is warning that some of the bugs have already been exploited in the wild.
Tomi Engdahl says:
https://etn.fi/index.php/13-news/14594-qbot-troijalainen-nyt-yleisin-haittaohjelma
Tomi Engdahl says:
Bloomberg:
Lufthansa grounded all flights after damage to a set of Deutsche Telekom broadband cables caused widespread IT disruptions; the timeline for a fix is unclear — Deutsche Lufthansa AG grounded all of its flights on Wednesday after damage to a set of Deutsche Telekom broadband cables caused widespread IT problems.
Lufthansa Resumes Flights After IT Issues Crippled Operations
https://www.bloomberg.com/news/articles/2023-02-15/lufthansa-says-it-system-issues-causing-widespread-cancellations?leadSource=uverify%20wall
Problem should be fully fixed by early evening, company says
Europe’s biggest carrier operates around 700 aircraft
Deutsche Lufthansa AG is returning to normal flight operations after widespread software problems linked to damaged Deutsche Telekom AG broadband cables grounded hundreds of planes.
The situation at Lufthansa’s main base in Frankfurt is normalizing, a spokesman said Wednesday. Lufthansa expects the IT issues that affected systems including check-in operations to be fully resolved by early e
Tomi Engdahl says:
Scandinavian Airlines hit by cyberattack, Anonymous Sudan claims responsibility https://therecord.media/scandinavian-airlines-cyberattack-anonymous-sudan/
A cyberattack on Scandinavian Airlines (SAS) knocked its website offline and exposed some customer data on Tuesday. Customers who attempted to log into the SAS mobile app were sent to someone else’s account and had access to their contact information and itineraries, among other things. SAS said in a statement that there was no risk that this information could be exploited and that passport details were not part of the compromised information, according to a company statement. SAS is the flagship carrier for Denmark, Norway and Sweden and did not respond to The Record’s request for more information about how many customers were affected by the breach.
Tomi Engdahl says:
In Vaasa, Wilma leaked the personal data of 50 pupils, and this is not the first security breach; the developer denies there is a data protection risk
https://yle.fi/a/74-20018090
According to software company Visma Enterprise, the data breach reported in Vaasa was caused not by a system fault but by users not taking sufficient care of their own usernames and passwords.
The data breach of the Wilma student administration system in Vaasa has raised questions about the system’s security. During the breach, the personal data of around 50 pupils was accessed. The breach took place in December last year. Teemu Lehtonen, head of the Wilma business at Wilma’s developer Visma Enterprise Oy, denies that the application has major security risks. According to Lehtonen, the cause has often been that user credentials have ended up in the wrong hands.
Tomi Engdahl says:
City of Oakland declares state of emergency after ransomware attack https://www.bleepingcomputer.com/news/security/city-of-oakland-declares-state-of-emergency-after-ransomware-attack/
Oakland has declared a local state of emergency because of the impact of a ransomware attack that forced the City to take all its IT systems offline on February 8th. Interim City Administrator G. Harold Duffey declared a state of emergency to allow the City of Oakland to expedite orders, materials and equipment procurement, and activate emergency workers when needed. “Today, Interim City Administrator, G. Harold Duffey issued a local state of emergency due to the ongoing impacts of the network outages resulting from the ransomware attack that began on Wednesday, February 8,” a statement issued today reads.
Tomi Engdahl says:
The Evolution of ESXiArgs Ransomware
https://censys.io/the-evolution-of-esxiargs-ransomware/
Over the last few days, Censys has observed just over 500 hosts newly infected with ESXiArgs ransomware, most of which are in France, Germany, the Netherlands, and the UK. During analysis, we discovered two hosts with strikingly similar ransom notes dating back to mid-October 2022, just after ESXi versions 6.5 and 6.7 reached end of life. We have created a dashboard (using Censys data and updated every 24 hours) for researchers to track the spread of this ransomware campaign.
Tomi Engdahl says:
Mirai Variant V3G4 Targets IoT Devices
https://unit42.paloaltonetworks.com/mirai-variant-v3g4/
From July to December 2022, Unit 42 researchers observed a Mirai variant called V3G4, which was leveraging several vulnerabilities to spread itself. Once the vulnerable devices are compromised, they will be fully controlled by attackers and become a part of the botnet. The threat actor has the capability to utilize those devices to conduct further attacks, such as distributed denial-of-service (DDoS) attacks.
The exploit attempts captured by Unit 42 researchers leverage the aforementioned vulnerabilities to spread V3G4, which targets exposed servers and networking devices running Linux.
Tomi Engdahl says:
Tonga is the latest Pacific Island nation hit with ransomware https://therecord.media/tonga-is-the-latest-pacific-island-nation-hit-with-ransomware/
Tonga’s state-owned telecommunications company has been hit with ransomware, it warned customers on Monday. Tonga Communications Corporation (TCC), one of two telecoms companies in the country, published a notice on Facebook saying the attack may slow down administrative operations. “Ransomware attack has been confirmed to encrypt and lock access to part of TCC’s system. This does not affect voice and internet service delivery to the customers, however, it may slow down the process of connecting new customers, delivering of bills and managing customers enquiries,” the company said.
Tomi Engdahl says:
Gulp! Pepsi hack sees personal information stolen by data-stealing malware https://www.bitdefender.com/blog/hotforsecurity/gulp-pepsi-hack-sees-personal-information-stolen-by-data-stealing-malware/
Towards the end of last year, malicious hackers broke into the systems of Pepsi Bottling Ventures, the largest privately-owned bottler of Pepsi-Cola beverages in the USA, and installed malware. For almost a month the malware secretly exfiltrated personally identifiable information (PII) from the company’s network. The first Pepsi Bottling Ventures knew about the unauthorized access to its network was on January 10, 2023, but it took a further nine days until the organisation completely shut the attackers out of its systems.
Tomi Engdahl says:
The return of ICEFALL: Two critical bugs revealed in Schneider Electric tech https://therecord.media/schneider-electric-modicon-vulnerabilities-forescout-icefall/
Researchers have announced two critical vulnerabilities in some operational technology systems made by the digital automation giant Schneider Electric. The announcement comes just months after researchers at Forescout and the U.S. Cybersecurity and Infrastructure Agency (CISA) disclosed some 56 bugs affecting a roster of industrial technology companies including among others, Siemens, Motorola, and Honeywell. The discoveries were known collectively as ICEFALL.
Schneider had asked the researchers to refrain from including the two bugs in the ICEFALL list so it could work with customers to remedy the issues before they were announced publicly.
Tomi Engdahl says:
North Korea’s APT37 Targeting Southern Counterpart with New M2RAT Malware https://thehackernews.com/2023/02/north-koreas-apt37-targeting-southern.html
The North Korea-linked threat actor tracked as APT37 has been linked to a piece of new malware dubbed M2RAT in attacks targeting its southern counterpart, suggesting continued evolution of the group’s features and tactics. APT37, also tracked under the monikers Reaper, RedEyes, Ricochet Chollima, and ScarCruft, is linked to North Korea’s Ministry of State Security (MSS) unlike the Lazarus and Kimsuky threat clusters that are part of the Reconnaissance General Bureau (RGB).
According to Google-owned Mandiant, MSS is tasked with “domestic counterespionage and overseas counterintelligence activities,” with APT37’s attack campaigns reflective of the agency’s priorities.
Tomi Engdahl says:
Health info for 1 million patients stolen using critical GoAnywhere vulnerability https://arstechnica.com/information-technology/2023/02/goanywhere-vulnerability-exploit-used-to-steal-health-info-of-1-million-patients/
One of the biggest hospital chains in the US said hackers obtained protected health information for 1 million patients after exploiting a vulnerability in an enterprise software product called GoAnywhere.
Community Health Systems of Franklin, Tennessee, said in a filing with the Securities and Exchange Commission on Monday that the attack targeted GoAnywhere MFT, a managed file transfer product Fortra licenses to large organizations. The filing said that an ongoing investigation has so far revealed that the hack likely affected 1 million individuals. The compromised data included protected health information as defined by the Health Insurance Portability and Accountability Act, as well as patients’ personal information.
Tomi Engdahl says:
Emsisoft says hackers are spoofing its certs to breach networks https://www.bleepingcomputer.com/news/security/emsisoft-says-hackers-are-spoofing-its-certs-to-breach-networks/
A hacker is using fake code-signing certificates impersonating cybersecurity firm Emsisoft to target customers using its security products, hoping to bypass their defenses. Code signing certificates are digital signatures used to sign an application so that users, software, and operating systems can verify that the software has not been tampered with since the publisher signed it. Threat actors attempt to take advantage of this by creating fake certificates whose name appears to be associated with a trustworthy entity but, in reality, are not valid certificates.
Tomi Engdahl says:
Russian crook made $90M exploiting stolen info on Tesla, Roku, Avnet, Snap, more https://www.theregister.com/2023/02/15/russian_convicted_insider_trading/
A Russian national with ties to the Kremlin exploited stolen upcoming financial filings belonging to hundreds of companies to help him and his associates net more than $90 million. A US federal jury in Boston on Tuesday found Vladislav Klyushin, who owned an IT biz based in Moscow called M-13, guilty of wire and securities fraud and conspiracy after two weeks of testimony and ten hours of deliberations.
Prosecutors in the case argued that Klyushin and four others broke into the networks of Donnelley Financial Solutions and Toppan Merrill, through which publicly traded entities electronically file their quarterly earnings reports with America’s financial watchdog, the Securities and Exchange Commission (SEC).
Tomi Engdahl says:
Surge in ESXiArgs Ransomware Attacks as Questions Linger Over Exploited Vulnerability
https://www.securityweek.com/surge-in-esxiargs-ransomware-attacks-as-questions-linger-over-exploited-vulnerability/
Hundreds of new servers were compromised in the past days as part of ESXiArgs ransomware attacks, but it’s still unclear which vulnerability is being exploited.
There has been a surge in ESXiArgs ransomware attacks in the past days, but it’s still not clear exactly which vulnerability is being exploited by threat actors.
In fact, questions linger over several aspects of these attacks, including who may be behind them and the origins of the malware delivered by the hackers.
In ESXiArgs attacks, an unidentified threat group has been delivering ransomware to unpatched VMware ESXi servers, encrypting files and dropping ransom notes instructing victims to pay up. While the ransom notes also inform victims that their files have been stolen, researchers have not found any evidence of data theft.
The Censys and Shodan search engines currently show 1,000-2,000 compromised ESXi servers. The number of hacked systems can be determined because the ransom notes dropped on each system are accessible directly from the internet.
The US Cybersecurity and Infrastructure Security Agency (CISA) reported seeing 3,800 compromised servers as of February 8, but that number has likely grown significantly in the past week.
It’s worth pointing out that the ransom notes are similar to the ones delivered in ransomware attacks involving Cheerscrypt, a Linux-based ransomware seen targeting ESXi servers since the spring of 2022. The base code of Cheerscrypt is derived from leaked Babuk source code.
Tomi Engdahl says:
ICS Patch Tuesday: 100 Vulnerabilities Addressed by Siemens, Schneider Electric
https://www.securityweek.com/ics-patch-tuesday-100-vulnerabilities-addressed-by-siemens-schneider-electric/
Siemens and Schneider Electric address nearly 100 vulnerabilities across several of their products with their February 2023 Patch Tuesday advisories.
Siemens has published 13 new advisories covering a total of 86 vulnerabilities.
The most significant vulnerability — based on its CVSS score of 10 — is a memory corruption issue that can lead to a denial-of-service (DoS) condition or arbitrary code execution in the Comos plant engineering software.
This vulnerability was identified by Siemens’ own employees, which is not surprising. According to a recent report from industrial cybersecurity firm SynSaber, Siemens’ product security team self-reported 544 vulnerabilities in 2022, up from 230 in the previous year. It’s worth noting that many of the flaws addressed by Siemens in its products are actually introduced by third-party components.
Siemens has patched roughly a dozen critical and high-severity vulnerabilities in its Brownfield Connectivity product. Exploitation of the flaws can lead to a DoS condition.
Schneider Electric has published three advisories covering 10 vulnerabilities. One advisory describes nine high- and medium-severity issues discovered in the company’s StruxureWare Data Center Expert monitoring software.
Remarks by ETM regarding SSA-111512 for SIMATIC WinCC OA
https://new.siemens.com/global/en/products/services/cert.html#SecurityPublications
Schneider
https://www.se.com/ww/en/work/support/cybersecurity/security-notifications.jsp
Tomi Engdahl says:
Citrix Patches High-Severity Vulnerabilities in Windows, Linux Apps
https://www.securityweek.com/citrix-patches-high-severity-vulnerabilities-in-windows-linux-apps/
Citrix released patches for multiple vulnerabilities in Virtual Apps and Desktops, and Workspace apps for Windows and Linux.
Citrix this week announced patches for severe vulnerabilities in Virtual Apps and Desktops, as well as in Workspace apps for Windows and Linux.
Tracked as CVE-2023-24483, the Virtual Apps and Desktops vulnerability is described as a privilege escalation issue that allows an attacker with access to a Windows VDA as a standard Windows user to elevate privileges to System.
The security defect impacts all Citrix Virtual Apps and Desktops versions before 2212, as well as long term service release (LTSR) versions 2203 before CU2 and 1912 before CU6.
Citrix addressed two bugs in the Workspace app for Windows, which could be chained to elevate privileges and perform actions as a System user.
Tomi Engdahl says:
Comment: The minister’s story about African hackers was so ridiculous it makes you cry
Marko-Oskari Lehtonen
Minister Mika Lintilä’s parliament phone was not hijacked, cows don’t fly, and ministers don’t lie before elections, writes Iltalehti’s politics and economics reporter Marko-Oskari Lehtonen.
https://www.iltalehti.fi/politiikka/a/eb216014-0fa7-4d51-86c9-9c34e5058188
Tomi Engdahl says:
Grim findings made in Android phones from major manufacturers https://www.is.fi/digitoday/tietoturva/art-2000009394376.html
Tomi Engdahl says:
Android Mobile Devices From Top Vendors in China Have Pre-Installed Malware
February 10, 2023, Pierluigi Paganini
Researchers reported that the top-of-the-line Android mobile devices sold in China are shipped with malware.
https://securityaffairs.com/141989/malware/android-mobile-devices-china-malware.html
Tomi Engdahl says:
Critical Vulnerability Patched in Cisco Security Products
https://www.securityweek.com/critical-vulnerability-patched-in-cisco-security-products/
Cisco updates endpoint, cloud, and web security products to address a critical vulnerability in third-party scanning library ClamAV.
Cisco on Wednesday announced updates for endpoint, cloud, and web security products to address a critical vulnerability in third-party scanning library ClamAV.
An open-source cross-platform antimalware toolkit, ClamAV can detect trojans, viruses, and other types of malware.
On February 15, ClamAV’s maintainers announced critical patches that address two vulnerabilities in the library, the most severe of which could lead to remote code execution.
Tracked as CVE-2023-20032 (CVSS score of 9.8), the issue resides in the HFS+ file parser and impacts ClamAV versions 0.103.7 and earlier, 0.105.1 and earlier, and 1.0.0 and earlier.
A missing buffer check in the parser could lead to a heap buffer overflow write. An attacker could submit a crafted HFS+ partition file to be scanned, triggering the vulnerability.
“A successful exploit could allow the attacker to execute arbitrary code with the privileges of the ClamAV scanning process, or else crash the process, resulting in a denial of service (DoS) condition,” Cisco explains in its advisory.
Tracked as CVE-2023-20052 (CVSS score of 5.3), the second flaw is an XML external entity (XXE) injection that can be triggered by submitting crafted DMG files for scanning, resulting in the leakage of bytes from files read by ClamAV.
https://blog.clamav.net/2023/02/clamav-01038-01052-and-101-patch.html
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-clamav-q8DThCy
Tomi Engdahl says:
Minister Lintilä: WhatsApp account was not hijacked, but I did not send the message myself
https://www.hs.fi/politiikka/art-2000009397666.html
According to Lintilä, it is possible that his WhatsApp account was being “used in parallel” on another device.
Minister of Economic Affairs Mika Lintilä’s (Centre Party) parliament phone’s WhatsApp account had not been hijacked. Lintilä reported the result of the parliament IT administration’s investigation in parliament on Thursday.
A week ago, a message was sent from Lintilä’s number to an internal Centre Party group, joking at the expense of Prime Minister Sanna Marin (SDP) and MP Matias Mäkynen (SDP). At the time the minister said his phone had been hijacked. On Thursday, Lintilä described his choice of words as an overreaction.
He nevertheless still insisted that he had told the truth and had not sent the message himself. According to the minister, it is possible that his WhatsApp account was used on another device.
“Parallel use of the account cannot be ruled out. Experts know what that means, so ask them. But apparently it is relatively easy to do with QR codes. In the discussions it became clear that the account can remain open for long periods,” Lintilä said.
Lintilä did not want to speculate on who the other person using his WhatsApp account might have been, or exactly how the account would have ended up in another person’s use. As far as he remembers, he has not opened the account for parallel use by, for example, family members.
According to Lintilä, the parliament phone was in his coat pocket at the time the message was sent.
“We will be having a discussion with [WhatsApp’s owner] Meta and most likely also with the police. In practice, the log data now has to be obtained. Without it, parallel use cannot be verified.”
Tomi Engdahl says:
A sneaky scam has arrived in Finland: the message comes from a genuine PayPal address and the “invoice” is on the real website https://www.is.fi/digitoday/tietoturva/art-2000009393044.html
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/cisa-warns-of-windows-and-ios-bugs-exploited-as-zero-days/
Tomi Engdahl says:
HTML phishing attachment with browser-in-the-browser technique
https://isc.sans.edu/diary/rss/29556
Although the browser-in-the-browser (BitB) technique has been with us for a while now, it is far from what one might call ubiquitous. Simply put, the technique is based on displaying a simulated browser pop-up window (usually a login prompt) within the confines of an HTML page opened in a browser. The simulated pop-up may look almost indistinguishable from a real browser window and since it may contain an arbitrary URL in the simulated address bar, the use of the BitB technique for phishing can be quite effective, as most people have been repeatedly taught that they should check the URL, and if it is the right one, the page should be genuine during security awareness courses.
Tomi Engdahl says:
Have you updated your charging cable yet? Yes, Apple released a software update for a power cord
https://www.tivi.fi/uutiset/tv/bd55bd6b-0929-4272-8166-8b9a72e87b14
Check if you don’t believe it: Apple has released a firmware update for a computer charging cable. More precisely, the USB-C to MagSafe 3 cable used in recent MacBooks has received new firmware for the smart controller chips inside it.
Tomi Engdahl says:
Nearly 100 million euros offered for Nixu: “we consider the price very attractive”
https://www.tivi.fi/uutiset/tv/0b564a9e-3424-453d-9267-25476b66936e
DNV, an international provider of quality assurance and risk management services, is offering 13.00 euros per Nixu share, which is 67.1 percent above the company’s closing price of 7.78 euros yesterday.
Tomi Engdahl says:
Hackers backdoor Microsoft IIS servers with new Frebniis malware https://www.bleepingcomputer.com/news/security/hackers-backdoor-microsoft-iis-servers-with-new-frebniis-malware/
Hackers are deploying a new malware named ‘Frebniis’ on Microsoft’s Internet Information Services (IIS) that stealthily executes commands sent via web requests. Symantec’s Threat Hunter Team reported that an unknown threat actor is currently using it against Taiwan-based targets. The hackers abuse an IIS feature called ‘Failed Request Event Buffering’ (FREB), responsible for collecting request metadata.
Symantec says that the threat actors first need to breach an IIS server to compromise the FREB module, but they could not determine the method used to gain access initially.
Tomi Engdahl says:
Researchers Hijack Popular NPM Package with Millions of Downloads https://thehackernews.com/2023/02/researchers-hijack-popular-npm-package.html
A popular npm package with more than 3.5 million weekly downloads has been found vulnerable to an account takeover attack. “The package can be taken over by recovering an expired domain name for one of its maintainers and resetting the password,” software supply chain security company Illustria said in a report.
Tomi Engdahl says:
Hackers start using Havoc post-exploitation framework in attacks https://www.bleepingcomputer.com/news/security/hackers-start-using-havoc-post-exploitation-framework-in-attacks/
Security researchers are seeing threat actors switching to a new and open-source command and control (C2) framework known as Havoc as an alternative to paid options such as Cobalt Strike and Brute Ratel.
Among its most interesting capabilities, Havoc is cross-platform and it bypasses Microsoft Defender on up-to-date Windows 11 devices using sleep obfuscation, return address stack spoofing, and indirect syscalls.
Tomi Engdahl says:
ChatGPT Is Ingesting Corporate Secrets
https://www.schneier.com/blog/archives/2023/02/chatgpt-is-ingesting-corporate-secrets.html
According to internal Slack messages that were leaked to Insider, an Amazon lawyer told workers that they had “already seen instances” of text generated by ChatGPT that “closely” resembled internal company data.
Tomi Engdahl says:
How Telegram accounts are hijacked
https://www.kaspersky.com/blog/telegram-takeover-contest/47195/
Telegram users have recently begun encountering various Telegram messenger hijacking schemes. Things usually start off with a message from one of their contacts containing a link to some site. The bait can be an invitation to take part in an online vote or contest, a Telegram Premium gift or trial version, a request to sign a collective petition, or something else. What all these schemes have in common is the need to authenticate via Telegram.
Tomi Engdahl says:
https://www.securityweek.com/mirai-variant-v3g4-targets-13-vulnerabilities-to-infect-iot-devices/
Tomi Engdahl says:
Firefox Updates Patch 10 High-Severity Vulnerabilities
Mozilla releases Firefox 110 and Firefox ESR 102.8 with patches for 10 high-severity vulnerabilities.
https://www.securityweek.com/firefox-updates-patch-10-high-severity-vulnerabilities/
Mozilla this week announced the release of Firefox 110 and Firefox ESR 102.8 with patches for 10 high-severity vulnerabilities.
Tracked as CVE-2023-25728, the first of the security defects could result in an attacker being able to leak a child iframe’s unredacted URI, provided that a redirect is triggered when interacting with that iframe.
The latest Firefox releases also resolve a flaw related to screen hijacking via browser fullscreen mode. Tracked as CVE-2023-25730, the issue exists because a background script could invoke the fullscreen mode and then block the main thread to force the mode indefinitely.
Successful exploitation of the vulnerability, Mozilla explains in its advisory, could result in potential user confusion or spoofing attacks.
https://www.mozilla.org/en-US/security/advisories/mfsa2023-05/
Tomi Engdahl says:
Chris Inglis Steps Down as US National Cyber Director
https://www.securityweek.com/chris-inglis-steps-down-as-us-national-cyber-director/
The former NSA deputy director Chris Inglis was picked 17 months ago to be President Joe Biden’s top advisor on cybersecurity issues.
Tomi Engdahl says:
Published XIoT Vulnerabilities Trend Down, but Vigilance Must Remain High: Report
https://www.securityweek.com/published-xiot-vulnerabilities-trend-down-but-vigilance-must-remain-high-report/
While the total number of new XIoT vulnerabilities is reducing, the difficulty in securing these devices remains high – especially in OT situations.
Published XIoT vulnerabilities are trending down and have been since 2021. At the same time, the percentage of vulnerabilities published by the device manufacturer rather than third-party researchers is trending up. The clear implication is device manufacturers are taking greater responsibility for the security of their own devices.
The reason is probably twofold: government pressure and commercial reality. The introduction of SBOM’s has focused manufacturers’ attention on the software make-up of their devices, while the increasing frequency of adversarial attacks against critical industries – especially healthcare – is making buyers question the security of devices before they purchase.
This does not mean that companies can relax vigilance around their cyber-physical devices. A report (PDF) from Claroty’s Team82 research arm on the state of XIoT security in 2H, 2022 notes that 688 vulnerabilities were published in this period – and that 74% affected OT devices. Four hundred and eighty-seven of the total number of vulnerabilities were assessed as either critical or high severity under CVSS v3. The potential effect of a successful attack against such OT systems, especially in critical infrastructure companies, could be extreme.
Team82 reported 65 of the vulnerabilities. Thirty of these had a CVSS v3 critical rating of 9.5 or higher.
https://web-assets.claroty.com/state-of-xiot-security-report-2h-2022-(2).pdf
Tomi Engdahl says:
https://aviationweek.com/defense-space/aircraft-propulsion/hobby-clubs-missing-balloon-feared-shot-down-usaf
Tomi Engdahl says:
https://malwaretips.com/blogs/paypal-your-authorization-for-the-payment-to-binance-corp/
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/microsoft-exchange-proxyshell-flaws-exploited-in-new-crypto-mining-attack/
Tomi Engdahl says:
https://nakedsecurity.sophos.com/2023/02/20/godaddy-admits-crooks-hit-us-with-malware-poisoned-customer-websites/
Tomi Engdahl says:
Clumsy ships, one Chinese, sever submarine cables that connect Taiwanese islands
Vietnam has also struggled with four out of five cables in strife
https://www.theregister.com/2023/02/21/taiwan_vietnam_submarine_cable_outages/
Tomi Engdahl says:
Data center logins for Apple and others obtained by hackers; could have facilitated physical access
https://9to5mac.com/2023/02/21/data-center-logins-for-apple/
Tomi Engdahl says:
Hackers use fake ChatGPT apps to push Windows, Android malware
https://www.bleepingcomputer.com/news/security/hackers-use-fake-chatgpt-apps-to-push-windows-android-malware/
Tomi Engdahl says:
Phở no! Vietnam’s last working submarine cable glitches out
Five from five take a dive, but connections are still alive
https://www.theregister.com/2023/02/23/vietnam_submarine_cable_outages/
Cables to Vietnam started hitting trouble in November 2022.
Tomi Engdahl says:
Roomba testers feel misled after intimate images ended up on Facebook
https://www.technologyreview.com/2023/01/10/1066500/roomba-irobot-robot-vacuum-beta-product-testers-consent-agreement-misled/
An MIT Technology Review investigation recently revealed how images of a minor and a tester on the toilet ended up on social media. iRobot said it had consent to collect this kind of data from inside homes—but participants say otherwise.
Tomi Engdahl says:
Faraday – Open Source Vulnerability Management Platform
https://www.kitploit.com/2023/02/faraday-open-source-vulnerability.html?m=1
Security has two difficult tasks: designing smart ways of getting new information, and keeping track of findings to improve remediation efforts. With Faraday, you may focus on discovering vulnerabilities while we help you with the rest. Just use it in your terminal and get your work organized on the run. Faraday was made to let you take advantage of the available tools in the community in a truly multiuser way.
Faraday aggregates and normalizes the data you load, allowing you to explore it through different visualizations that are useful to managers and analysts alike.