Cyber security news February 2023

This posting is here to collect cyber security news in February 2023.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.


  1. Tomi Engdahl says:

    Recent iPhone thefts highlight the danger of using passcodes in public
    A new report from The Wall Street Journal looks at a recent trend of iPhone thefts that have happened across the US. Instead of just looking to snatch devices, these thieves are watching for passcodes so they can immediately get into iPhones, change Apple ID passwords, access financial accounts, and more. Here's a look at the risks of using an iPhone passcode in public, how much power the passcode wields, and some steps to keep yourself safer

  2. Tomi Engdahl says:

    ChromeLoader campaign lures with malicious VHDs for popular games
    Security researchers have noticed that the operators of the ChromeLoader browser hijacking and adware campaign are now using VHD files named after popular games. Previously, such campaigns relied on ISO-based distribution. The malicious files were discovered by a member of the Ahnlab Security Emergency Response Center (ASEC) through Google search results to queries for popular games

  3. Tomi Engdahl says:

    Microsoft: For better security, scan more Exchange server objects
    Microsoft is recommending that Exchange server users scan certain objects for viruses and other threats that until now had been excluded. In particular, the software giant said this week that sysadmins should now include the Temporary ASP.NET files, Inetsrv folders, and the PowerShell and w3wp processes on the list of files and folders to be run through antivirus systems

  4. Tomi Engdahl says:

    Fortinet FortiNAC Vulnerability Exploited in Wild Days After Release of Patch

    Hackers started exploiting the Fortinet FortiNAC vulnerability CVE-2022-39952 the same day a PoC exploit was released.

  5. Tomi Engdahl says:

    Palo Alto Networks Unveils Zero Trust OT Security Solution

    Palo Alto Networks introduces a new OT security solution for industrial organizations that provides visibility, zero trust and simplified operations.

  6. Tomi Engdahl says:

    News channel revealed the truth about a praised restaurant: Complete hoax
    A restaurant rated the best in all of Montreal on TripAdvisor has turned out to be a hoax.

    Le Nouveau Duluth, ranked as Montreal's number one restaurant on the TripAdvisor travel site, has turned out to be a sham. The restaurant does not actually exist, reports the Canadian news channel CBC.

    The Montreal restaurant hoax is not the only one of its kind. In 2017, journalist and filmmaker Oobah Butler decided to test whether he could raise his garden shed to the top of London's restaurants on TripAdvisor. He enlisted his circle of friends to write fake reviews on the site for a restaurant that did not really exist.

    The hoax succeeded, and within six months The Shed became the highest-rated restaurant in London on the site, even though Butler had never served food to anyone at his “restaurant”.

    Montreal’s No. 1 restaurant on Tripadvisor didn’t really exist

    I Made My Shed the Top Rated Restaurant On TripAdvisor

  7. Tomi Engdahl says:

    Limited number of News Corp employees sent breach notification letters after January cyberattack
    Employees of News Corp are being sent breach notification letters this week following a January 2022 breach that the company believes the Chinese government was behind. On Wednesday, News Corp submitted documents to Massachusetts confirming the breach. A News Corp spokesperson would not tell The Record how many people were sent letters but at least one person in Massachusetts was sent a copy

  8. Tomi Engdahl says:

    Danish hospitals hit by cyberattack from Anonymous Sudan
    The websites of nine hospitals in Denmark went offline on Sunday evening following distributed-denial-of-service (DDoS) attacks from a group calling itself Anonymous Sudan. Copenhagen's health authority said on Twitter that although the websites for the hospitals were down, medical care at the facilities was unaffected by the attacks. It later added the sites were back online after a couple of hours.

  9. Tomi Engdahl says:

    PlugX Trojan Disguised as Legitimate Windows Debugger Tool in Latest Attacks
    The PlugX remote access trojan has been observed masquerading as an open source Windows debugger tool called x64dbg in an attempt to circumvent security protections and gain control of a target system.
    PlugX, also known as Korplug, is a post-exploitation modular implant, which, among other things, is known for its multiple functionalities such as data exfiltration and its ability to use the compromised machine for nefarious purposes

  10. Tomi Engdahl says:

    RIG Exploit Kit still infects enterprise users via Internet Explorer
    The RIG Exploit Kit is undergoing its most successful period, attempting roughly 2,000 intrusions daily and succeeding in about 30% of cases, the highest ratio in the service’s long operational history.
    By exploiting relatively old Internet Explorer vulnerabilities, RIG EK has been seen distributing various malware families, including Dridex, SmokeLoader, and RaccoonStealer. According to a detailed report by Prodaft, whose researchers gained access to the service’s backend web panel, the exploit kit remains a significant large-scale threat to individuals and organizations

  11. Tomi Engdahl says:

    Lastpass hacked again: LastPass Says DevOps Engineer Home Computer Hacked #infosec #security

  12. Tomi Engdahl says:

    Cyberattack on Boston Union Results in $6.4M Loss

    A cyberattack on the Boston-based Pipefitters Local 537 union’s health fund resulted in the loss of $6.4 million.

  13. Tomi Engdahl says:

    LastPass Says DevOps Engineer Home Computer Hacked

    LastPass DevOps engineer’s home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud storage resources.

  14. Tomi Engdahl says:

    White House: No More TikTok on Gov’t Devices Within 30 Days
    The White House is giving all federal agencies 30 days to wipe TikTok off all government devices.

  15. Tomi Engdahl says:

    ‘PureCrypter’ Downloader Used to Deliver Malware to Governments

    Threat actor uses the PureCrypter downloader to deliver malware to government entities in Asia-Pacific and North America.

    A threat actor is using the PureCrypter downloader to deliver different types of malware to government entities in the Asia-Pacific and North America regions, Menlo Labs warns.

    As part of the observed attacks, Discord is used for distribution purposes, while the domain of a compromised non-profit organization serves as a command-and-control (C&C) server, hosting a secondary payload.

    To date, the attackers have been targeting the intended victims with information stealers, remote access trojans (RATs), and other threats, including Redline Stealer, AgentTesla, Eternity, Blackmoon, and Philadelphia ransomware.

    An advanced downloader that provides persistence, PureCrypter has been available for purchase since March 2021. Written in .NET, the threat supports different injection types and defense mechanisms and can be customized with fake messages and additional files to be written to disk.

  16. Tomi Engdahl says:

    Any slowdown in Twitter productivity generates concern that the platform could grow unstable, and those fears do not appear unfounded. At the start of this month, Twitter experienced a global outage, then a Super Bowl outage, and just yesterday, a 20-minute outage in Asia, Platformer reported.

  17. Tomi Engdahl says:

    Microsoft Defender app now force-installed for Microsoft 365 users

    Microsoft is now force-installing the Microsoft Defender for Individuals application when installing or updating the Microsoft 365 apps.

    It was first unveiled for Windows 11 Insiders in March 2022 and has been available for customers with Personal or Family subscriptions since June 2022.

    However, starting earlier this month, it will also be automatically installed when first running the Microsoft 365 installer or after the next update, as spotted by WindowsLatest.

    “Starting in late February of 2023, the Microsoft Defender app will be included in the Microsoft 365 installer,” the company says in a support document updated last week.

  18. Tomi Engdahl says:

    Microsoft Edge’s built-in VPN support is around the corner

    Microsoft Edge’s built-in VPN functionality could soon begin rolling out to all users in the stable channel, with some users already getting access to the feature.

    Edge’s VPN ‘Edge Secure Network’ uses Cloudflare and aims to protect your device and sensitive data as you browse, but remember it is not a proper replacement for your VPN.

    Unlike traditional VPN extensions or tools, Edge uses Cloudflare’s routing to encrypt your internet connection and protect your data from online threats like hackers.

  19. Tomi Engdahl says:

    Department store's website started spewing obscene search results – Puuilo explains what happened

    The search engine of the department store chain Puuilo started feeding users increasingly strange search terms during the night between Monday and Tuesday. According to the CEO, the cause is mischief by an outside party.

    According to Saarela, it is a matter of mischief or a bad joke by an outside party.

    ”Someone from outside has been able to add inappropriate search terms to the online store. The online store works so that users' search terms form a list in a database. The more popular a given search term is, the higher it rises on the list of search terms, and it is offered to users,” Saarela explains.

    ”Some websites see this kind of activity, where junk searches are made that feed off each other.”

    Saarela and Puuilo's CIO Juha Parviainen say they have no reason to suspect that the online store has any other IT problems or vulnerabilities.

  20. Tomi Engdahl says:

    Uncovered: 1,000 phrases that incorrectly trigger Alexa, Siri, and Google Assistant
    “Election” can trigger Alexa; “Montana” can trigger Cortana.

    As Alexa, Google Home, Siri, and other voice assistants have become fixtures in millions of homes, privacy advocates have grown concerned that their near-constant listening to nearby conversations could pose more risk than benefit to users. New research suggests the privacy threat may be greater than previously thought.

    The findings demonstrate how common it is for dialog in TV shows and other sources to produce false triggers that cause the devices to turn on, sometimes sending nearby sounds to Amazon, Apple, Google, or other manufacturers. In all, researchers uncovered more than 1,000 word sequences—including those from Game of Thrones, Modern Family, House of Cards, and news broadcasts—that incorrectly trigger the devices.

    “The devices are intentionally programmed in a somewhat forgiving manner, because they are supposed to be able to understand their humans,” one of the researchers, Dorothea Kolossa, said. “Therefore, they are more likely to start up once too often rather than not at all.”

    That which must not be said
    Examples of words or word sequences that provide false triggers include

    Alexa: “unacceptable,” “election,” and “a letter”
    Google Home: “OK, cool,” and “Okay, who is reading”
    Siri: “a city” and “hey jerry”
    Microsoft Cortana: “Montana”

    after mistakenly concluding that these are likely a wake word, the devices then send the audio to remote servers where more robust checking mechanisms also mistake the words for wake terms. In other cases, the words or phrases trick only the local wake word detection but not algorithms in the cloud.

    Unacceptable privacy intrusion
    When devices wake, the researchers said, they record a portion of what’s said and transmit it to the manufacturer. The audio may then be transcribed and checked by employees in an attempt to improve word recognition. The result: fragments of potentially private conversations can end up in the company logs.

    The risk to privacy isn’t solely theoretical. In 2016, law enforcement authorities investigating a murder subpoenaed Amazon for Alexa data transmitted in the moments leading up to the crime. Last year, The Guardian reported that Apple employees sometimes transcribe sensitive conversations overheard by Siri. They include private discussions between doctors and patients, business deals, seemingly criminal dealings, and sexual encounters.

  21. Tomi Engdahl says:

    TikTok is now being banned in several countries – this is the reason

    ByteDance, the technology company behind TikTok, is reported to have close ties to the Chinese government.

    THE CHINESE social media video platform TikTok is not exactly in favour at the moment.

    The Danish and European parliaments have joined the United States and Canada in banning the use of TikTok on the phones and other devices of their government employees.

    Whereas the Danish parliament, the Folketing, ”asks” that TikTok be removed, in the European Parliament the ban extends beyond work devices to staff's own personal devices.

    Earlier today in the United States, the White House gave government agencies 30 days to remove the TikTok app from government devices.

    EVERYONE shares the same concern: in their view, TikTok poses a cybersecurity risk.

    Several experts have regarded TikTok as Chinese spyware, since it is unclear how much user data ends up with the company and what is done with it.

    ByteDance, the technology company behind TikTok, is reported to have close ties to the Chinese government.

    TIKTOK is an app particularly popular among young people, where short videos are added that others can like and comment on.

  24. Tomi Engdahl says:

    LastPass says employee’s home computer was hacked and corporate vault taken
    Already smarting from a breach that put partially encrypted login data into a threat actor’s hands, LastPass on Monday said that the same attacker hacked an employee’s home computer and obtained a decrypted vault available to only a handful of company developers. Although an initial intrusion into LastPass ended on August 12, officials with the leading password manager said the threat actor “was actively engaged in a new series of reconnaissance, enumeration, and exfiltration activity” from August 12 to August 26. In the process, the unknown threat actor was able to steal valid credentials from a senior DevOps engineer and access the contents of a LastPass data vault. Among other things, the vault gave access to a shared cloud-storage environment that contained the encryption keys for customer vault backups stored in Amazon S3 buckets.

  25. Tomi Engdahl says:

    APT-C-36 Strikes Again: Blind Eagle Hackers Target Key Industries in Colombia
    The threat actor known as Blind Eagle has been linked to a new campaign targeting various key industries in Colombia. The activity, which was detected by the BlackBerry Research and Intelligence Team on February 20, 2023, is also said to encompass Ecuador, Chile, and Spain, suggesting a slow expansion of the hacking group’s victimology footprint.

  26. Tomi Engdahl says:

    CISA Issues Warning on Active Exploitation of ZK Java Web Framework Vulnerability
    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity flaw affecting the ZK Framework to its Known Exploited Vulnerabilities (KEV) catalog based on evidence of active exploitation. Tracked as CVE-2022-36537 (CVSS score: 7.5), the issue impacts ZK Framework versions 9.6.1,,,, and, and allows threat actors to retrieve sensitive information via specially crafted requests.

  27. Tomi Engdahl says:

    U.S. Marshals Service investigating ransomware attack, data theft
    The U.S. Marshals Service (USMS) is investigating the theft of sensitive law enforcement information following a ransomware attack that has impacted what it describes as “a stand-alone USMS system.”
    USMS is a bureau within the Justice Department that provides support to all elements of the federal justice system by executing federal court orders, seizing illegally obtained assets, assuring the safety of government witnesses and their families, and more.

  29. Tomi Engdahl says:

    Security Defects in TPM 2.0 Spec Raise Alarm

    Security defects in the Trusted Platform Module (TPM) 2.0 reference library specification expose devices to code execution attacks.

    Security researchers at Quarkslab have identified a pair of serious security defects in the Trusted Platform Module (TPM) 2.0 reference library specification, prompting a massive cross-vendor effort to identify and patch vulnerable installations.

    The vulnerabilities, tracked as CVE-2023-1017 and CVE-2023-1018, provide pathways for an authenticated, local attacker to overwrite protected data in the TPM firmware and launch code execution attacks, according to an advisory from Carnegie Mellon’s CERT coordination center.

    From the CERT alert:

    “An authenticated, local attacker could send maliciously crafted commands to a vulnerable TPM allowing access to sensitive data. In some cases, the attacker can also overwrite protected data in the TPM firmware. This may lead to a crash or arbitrary code execution within the TPM. Because the attacker’s payload runs within the TPM, it may be undetectable by other components of the target device.”

    The Trusted Computing Group (TCG) responsible for maintaining the TPM spec has issued an Errata documenting the two memory corruption issues and providing mitigation guidance.

    The two vulnerabilities exist in the way the TPM reference spec processes parameters that are part of TPM commands. “An Out Of Bound (OOB) read vulnerability in the CryptParameterDecryption() routine allowed a 2-byte read access to data that was not part of the current session. It was also possible to write 2-bytes past the end of the current command buffer resulting in corruption of memory,” the center warned.

    This discovery has raised alarm bells because TPM technology is used in a variety of devices, from specialized enterprise-grade hardware to Internet of Things (IoT) appliances. With the growth of cloud computing and virtualization, software-based TPM implementations have also gained popularity.

    The CERT coordination center is urging users to apply any updates provided by hardware and software manufacturers through their supply chain as soon as possible.

    “Updating the firmware of TPM chips may be necessary, and this can be done through an OS vendor or the original equipment manufacturer (OEM). In some cases, the OEM may require resetting the TPM to its original factory default values as part of the update process,” the center added.

    In high-assurance computing environments, users should consider using TPM Remote Attestation to detect any changes to devices and ensure their TPM is tamper-proof.
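    As an added illustration of the bound the advisory text above describes (this is code written for this page, not from Quarkslab, the TCG reference library or the article): a C parser for a TPM2B-style sized parameter that checks the declared size against the remaining command buffer before decrypting the parameter in place, and rejects a command whose size field would push the read and write past the end of the buffer. The command layout, the XOR keystream standing in for session parameter encryption, and all sample bytes are constructed assumptions.

```c
/* Added example: bounds checking a TPM2B-style sized parameter before
 * decrypting it in place. Illustrative code written for this page, not the
 * TCG reference implementation; the XOR keystream stands in for the
 * session's parameter encryption. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define TPM2B_SIZE_FIELD 2   /* 2-byte big-endian size precedes the payload */

/* Locate the TPM2B that starts at buf[offset]. Returns its payload length and
 * sets *data, or returns -1 if it does not fit inside buf[0..buf_len). */
int tpm2b_locate(uint8_t *buf, size_t buf_len, size_t offset, uint8_t **data)
{
    if (buf == NULL || data == NULL || offset > buf_len)
        return -1;
    /* Check 1: the size field itself must lie inside the buffer. */
    if (buf_len - offset < TPM2B_SIZE_FIELD)
        return -1;
    uint16_t size = (uint16_t)((buf[offset] << 8) | buf[offset + 1]);
    /* Check 2: the payload must not extend past the end of the command
     * buffer. Without this bound a crafted size field lets the decrypt loop
     * read and write beyond the buffer, the defect class the advisory names. */
    if (size > buf_len - offset - TPM2B_SIZE_FIELD)
        return -1;
    *data = buf + offset + TPM2B_SIZE_FIELD;
    return (int)size;
}

/* Decrypt the first parameter of a command in place. The parameter area
 * starts at param_offset (header and handles precede it). Returns the number
 * of payload bytes decrypted, or -1 if the parameter is malformed. */
int decrypt_first_parameter(uint8_t *cmd, size_t cmd_len, size_t param_offset,
                            const uint8_t *keystream, size_t keystream_len)
{
    uint8_t *payload;
    int size = tpm2b_locate(cmd, cmd_len, param_offset, &payload);
    if (size < 0 || (size_t)size > keystream_len)  /* keystream must cover it */
        return -1;
    for (int i = 0; i < size; i++)
        payload[i] ^= keystream[i];
    return size;
}

/* Constructed samples: a 10-byte header and one 4-byte handle precede the
 * parameter area, so the first TPM2B begins at offset 14. */
#define PARAM_OFFSET 14
static const uint8_t KEYSTREAM[8] = {1, 2, 3, 4, 5, 6, 7, 8};

/* Well-formed: size 4, payload "TPM!" XORed with the keystream. Returns 4. */
int demo_well_formed(void)
{
    uint8_t cmd[20] = {0};
    cmd[15] = 0x04;
    cmd[16] = 0x55; cmd[17] = 0x52; cmd[18] = 0x4E; cmd[19] = 0x25;
    int n = decrypt_first_parameter(cmd, sizeof cmd, PARAM_OFFSET,
                                    KEYSTREAM, sizeof KEYSTREAM);
    return (n == 4 && memcmp(cmd + 16, "TPM!", 4) == 0) ? n : -1;
}

/* Oversized: 16 bytes claimed, 4 present. Must be rejected (-1), not read. */
int demo_oversized(void)
{
    uint8_t cmd[20] = {0};
    cmd[15] = 0x10;
    return decrypt_first_parameter(cmd, sizeof cmd, PARAM_OFFSET,
                                   KEYSTREAM, sizeof KEYSTREAM);
}
```

    The same two checks apply to any sized field inside a command: validate the size against the bytes actually remaining before touching the payload, and never trust the caller's length over the buffer's.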

  30. Tomi Engdahl says:

    Ransomware Attack Hits US Marshals Service

    The US Marshals Service has confirmed that ransomware was deployed on one of its systems that contains sensitive law enforcement information.

  31. Tomi Engdahl says:

    New ‘Exfiltrator-22’ Post-Exploitation Framework Linked to Former LockBit Affiliates

    A recently identified post-exploitation framework ‘Exfiltrator-22’ uses the same C&C infrastructure as the LockBit ransomware.

    A recently identified post-exploitation framework offered as a service appears to be operated by former affiliates of the LockBit ransomware, cybersecurity company Cyfirma reports.

    Dubbed Exfiltrator-22 or EX-22, the tool was created using the leaked source code of other post-exploitation frameworks, and uses the same command-and-control (C&C) infrastructure as LockBit 3.0.

    The malicious tool appears to have been created by skilled developers with knowledge of anti-analysis and defense evasion techniques, who are employing an aggressive marketing strategy, claiming that their solution is fully undetectable.

    Exfiltrator-22’s operators, Cyfirma says, are likely operating from Asia and are interested in building their own affiliation program, using a subscription-based payment model: the malware is offered at $1,000 for a month, or $5,000 for lifetime access.

  32. Tomi Engdahl says:

    ‘Hackers’ Behind Air Raid Alerts Across Russia: Official

    Russian authorities said that several television and radio stations that have recently broadcast air raid alerts had been breached by hackers.

    “As a result of hacking of servers of radio stations and TV channels, in some regions of the country, information about the announcement of an air raid alert was broadcast,” Russia’s emergencies ministry said in a statement.

  33. Tomi Engdahl says:

    Vulnerability in Popular Real Estate Theme Exploited to Hack WordPress Websites

    A critical vulnerability in the Houzez premium WordPress theme and plugin has been exploited in the wild.

  34. Tomi Engdahl says:

    A simple DIY hoodie can fool security cameras
    The ‘Camera Shy Hoodie’ looks innocuous, but keeps your face invisible to surveillance.

  35. Tomi Engdahl says:

    We’ve seen some rough security fails over the years, and GoDaddy’s recent news about a breach leading to rogue website redirects might make the highlight reel. The real juicy part is buried on page 30 of a PDF filing to the SEC.

    Statement on recent website redirect issues

  36. Tomi Engdahl says:

    Joomla’s Force Persuasion

    Joomla has a critical vulnerability, CVE-2023-23752, which is a trivial information leak from a web endpoint. This flaw is present in all of the 4.x releases, up to 4.2.8, which contains the fix. The issue is the Rest API, which gives access to pretty much everything about a given site. It has an authentication component, of course. The bypass is to simply append ?public=true. Yes, it’s a good old “You don’t need to see his identification” force suggestion.

    Security Announcements
    [20230201] – Core – Improper access check in webservice endpoints

    There’s even a PoC script that runs the request and spits out the most interesting data: the username, password, and user id contained in the data. It’s not quite as disastrous as that sounds — the API isn’t actually leaking the administrative username and password, or even password hash. It’s leaking the SQL database information. Though if your database is accessible from the Internet, then that’s pretty much as bad as it could be.

  37. Tomi Engdahl says:

    When the US Air Force shot down some suspected Chinese spy balloons a couple of weeks ago, it was widely reported that one of the targets might have been a much more harmless amateur radio craft. The so-called pico balloon K9YO was a helium-inflated Mylar balloon carrying a tiny solar-powered WSPR beacon, and it abruptly disappeared in the same place and time in which the USAF claimed one of their targets. When we covered the story it garnered a huge number of comments both for and against the balloonists, so perhaps it’s worth returning with the views of a high-altitude-ballooning expert.

    So was a “pico balloon” shot down by an F-22?

    The circumstantial evidence very strongly suggests that this is the case. One of these balloons has not been seen on the amateur tracking map since the USAF shot down an object matching the description in the area that the balloon was known to be. It was launched in the USA in October 2022 and was about to complete its 7th circumnavigation of the globe before it went missing from the tracking map.
    And what are “pico” balloons?

    This is the name given to them by the high altitude balloon community. They are small, plastic (often silvered) balloons, with very light payloads of the order of 10-20 grams. By using plastic with a small amount of helium, instead of bursting they float near the top of the troposphere, for days or sometimes months.

