This posting is here to collect cyber security news in March 2023.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
This posting is here to collect cyber security news in March 2023.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
370 Comments
Tomi Engdahl says:
KillNet and affiliate hacktivist groups targeting healthcare with DDoS attacks https://www.microsoft.com/en-us/security/blog/2023/03/17/killnet-and-affiliate-hacktivist-groups-targeting-healthcare-with-ddos-attacks/
In this blog post, we provide an overview of the DDoS attack landscape against healthcare applications hosted in Azure over three months. We then list a couple of recent campaigns from KillNet, describe their attack patterns, and present how we mitigated and protected customers from these attacks. Finally, we outline best practices for organizations to protect their applications against DDoS attacks
Tomi Engdahl says:
Hitachi Energy confirms data breach after Clop GoAnywhere attacks https://www.bleepingcomputer.com/news/security/hitachi-energy-confirms-data-breach-after-clop-goanywhere-attacks/
Hitachi Energy confirmed it suffered a data breach after the Clop ransomware gang stole data using a zero-day GoAnyway zero-day vulnerability. Hitachi Energy is a department of Japanese engineering and technology giant Hitachi focused on energy solutions and power systems. It has an annual revenue of $10 billion. The attack was made possible by exploiting a zero-day vulnerability in the Fortra GoAnywhere MFT (Managed File Transfer), first disclosed on February 3, 2023, and now tracked as CVE-2023-0669.. also:
https://securityaffairs.com/143633/cyber-crime/cl0p-ransomware-shell-bombardier.html
Tomi Engdahl says:
RAT developer arrested for infecting 10, 000 PCs with malware https://www.bleepingcomputer.com/news/security/rat-developer-arrested-for-infecting-10-000-pcs-with-malware/
Ukraine’s cyberpolice has arrested the developer of a remote access trojan (RAT) malware that infected over 10, 000 computers while posing as game applications. “The 25-year-old offender was exposed by employees of the Khmelnychchyna Cybercrime Department together with the regional police investigative department and the SBU regional department, ” reads the cyberpolice’s announcement. “The man developed viral software, which he positioned as applications for computer games.”
Tomi Engdahl says:
Uncovering HinataBot: A Deep Dive into a Go-Based Threat https://www.akamai.com/blog/security-research/hinatabot-uncovering-new-golang-ddos-botnet
Akamai researchers on the Security Intelligence Response Team (SIRT) have discovered a new Go-based, DDoS-focused botnet. The malware appears to have been named “Hinata” by the malware author after a character from the popular anime series, Naruto. We are calling it “HinataBot.”
Tomi Engdahl says:
Uncovering HinataBot: A Deep Dive into a Go-Based Threat
https://www.akamai.com/blog/security-research/hinatabot-uncovering-new-golang-ddos-botnet
Executive summary
Akamai researchers on the Security Intelligence Response Team (SIRT) have discovered a new Go-based, DDoS-focused botnet. The malware appears to have been named “Hinata” by the malware author after a character from the popular anime series, Naruto. We are calling it “HinataBot.”
HinataBot was seen being distributed during the first three months of 2023 and is actively being updated by the authors/operators.
The sample was discovered in HTTP and SSH honeypots abusing old vulnerabilities and weak credentials.
Infection attempts observed include exploitation of the miniigd SOAP service on Realtek SDK devices (CVE-2014-8361), Huawei HG532 routers (CVE-2017-17215), and exposed Hadoop YARN servers (CVE N/A).
Through a combination of reverse engineering the malware and imitating the command and control (C2) server, we were able to get a deep look into how the malware works and what is unique about its resulting attack traffic.
Tomi Engdahl says:
Kauniaisten sähköposti murrettiin – tämä tiedetään nyt, hyökkäyksiä muuallakin https://www.is.fi/digitoday/tietoturva/art-2000009460374.html
KAUNIAISTEN kaupunki kärsi viime vuoden toukokuussa viikkojen mittaisen sähköpostikatkon, jonka syyksi kaupunki epäili jo tuolloin verkkohyökkäystä. Varsinaisesta tekijästä on niukasti tietoa. – Näkemässäni raportissa viitattiin Euroopan suuntaan, mutta on vaikea sanoa, kuka se oikeasti oli, kaupunginjohtaja Christoffer Masar kertoo puhelimitse.
Tomi Engdahl says:
#StopRansomware: LockBit 3.0
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a
The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing & Analysis Center (MS-ISAC) are releasing this joint CSA to disseminate known LockBit 3.0 ransomware IOCs and TTPs identified through FBI investigations as recently as March 2023.
Tomi Engdahl says:
Germany clocks that ripping out Huawei, ZTE network kit won’t be cheap or easy https://www.theregister.com/2023/03/18/germany_huawei_mobile/
Ripping and replacing Huawei and ZTE equipment from German carrier networks is going to be a painful process, according to the country’s economy ministry. The letter to the Bundestag lower house of parliament’s economic committee, obtained by Reuters, warns that “there is likely to be significant impact on the operation of mobile networks and the fulfillment of coverage requirements, ” if the country removes Chinese telecommunications technologies from its network.
Tomi Engdahl says:
LockBit ransomware attacks Essendant
https://www.malwarebytes.com/blog/news/2023/03/lockbit-ransomware-threatens-to-leak-essendant-data
The LockBit ransomware group is claiming responsibility for taking down a US-based distributor of office products called Essendant. This attack, which is said to have begun on or around March 6, created severe ramifications for the organisation, disrupting freight carrier pickups, online orders, and access to customer support.
Tomi Engdahl says:
Pixel Markup vulnerability lets some screenshots be un-redacted, un-cropped; fixed by March update https://9to5google.com/2023/03/18/pixel-markup-screenshot-vulnerability/
Besides the Samsung Exynos modem issue, Android 13 QPR2 with the March
2023 security update fixes a vulnerability with the Pixel’s Markup screenshot tool. Dubbed “aCropalypse, ” Simon Aarons identified and reported this vulnerability (CVE-2023-21036) to Google in early January, with the initial proof-of-concept exploit developed by David
Buchanan: Screenshots cropped using the built-in “Markup” app on Google Pixel devices may be retroactively un-cropped and un-redacted under many circumstances.
Tomi Engdahl says:
Emotet malware now distributed in Microsoft OneNote files to evade defenses https://www.bleepingcomputer.com/news/security/emotet-malware-now-distributed-in-microsoft-onenote-files-to-evade-defenses/
The Emotet malware is now distributed using Microsoft OneNote email attachments, aiming to bypass Microsoft security restrictions and infect more targets.
Tomi Engdahl says:
Researcher create polymorphic Blackmamba malware with ChatGPT https://www.hackread.com/chatgpt-blackmamba-malware-keylogger/
HYAS Institute researcher and cybersecurity expert, Jeff Sims, has developed a new type of ChatGPT-powered malware named Blackmamba, which can bypass Endpoint Detection and Response (EDR) filters. As per the HYAS Institute’s report (PDF), the malware can gather sensitive data such as usernames, debit/credit card numbers, passwords, and other confidential data entered by a user into their device.
Tomi Engdahl says:
BianLian ransomware crew goes 100% extortion after free decryptor lands https://www.theregister.com/2023/03/19/bianlian_ransomware_extortion/
The BianLian gang is ditching the
encrypting-files-and-demanding-ransom route and instead is going for full-on extortion. “Rather than follow the typical double-extortion model of encrypting files and threatening to leak data, we have increasingly observed BianLian choosing to forgo encrypting victims’
data and instead focus on convincing victims to pay solely using an extortion demand in return for BianLian’s silence, ” threat researchers for cybersecurity company Redacted wrote in a report.
Tomi Engdahl says:
Feds arrest alleged BreachForums owner linked to FBI hacks https://www.theverge.com/2023/3/18/23646476/feds-arrest-alleged-hacking-forum-owner-breachforums-pompompurin
The FBI has arrested the person allegedly in charge of the BreachForums online hacking community, as reported earlier by Krebs on Security and Bleeping Computer. Conor Brian Fitzpatrick, also known online as “Pompompurin, ” was arrested at his New York home on Wednesday and charged with conspiracy to commit access device fraud, according to a pair of court filings.
Tomi Engdahl says:
NOBELIUM Uses Poland’s Ambassador’s Visit to the U.S. to Target EU Governments Assisting Ukraine https://blogs.blackberry.com/en/2023/03/nobelium-targets-eu-governments-assisting-ukraine
NOBELIUM, aka APT29, is a sophisticated, Russian state-sponsored threat actor targeting Western countries. At the beginning of March, BlackBerry researchers observed a new campaign targeting European Union countries; specifically, its diplomatic entities and systems transmitting sensitive information about the region’s politics, aiding Ukrainian citizens fleeing the country, and providing help to the government of Ukraine.
Tomi Engdahl says:
Muuta asetuksia heti! Nämä yleiset puhelimet voidaan kaapata puhelin¬soitolla https://www.is.fi/digitoday/tietoturva/art-2000009463869.html
Piirejä käytetään monissa puhelimissa sekä esimerkiksi autojen järjestelmissä. Kyberturvallisuuskeskuksen mukaan haavoittuvia piirejä löytyy Samsungin puhelimissa ainakin Galaxy S22-, M33-, M13-, M12-, A71-, A53-, A33-, A21s-, A13-, A12- ja A04-sarjan laitteissa.
Haavoittuvia piirejä on myös Vivon S16-, S15-, S6-, X70-, X60- ja X30-sarjan puhelimissa sekä Googlen Pixel 6- ja 7-puhelimissa.
Myös autot, joissa on Samsungin Exynos Auto T5123 -piirisarja, ovat haavoittuvia.
Samsungin puhelimissa wifi-puhelut otetaan pois päältä valitsemalla asetukset > yhteydet > Wi-Fi-puhelu ja napsauttamalla ominaisuus pois päältä. Jos puhelimessa on kaksi sim-korttia, ominaisuus on poistettava molempien kohdalta.
VoLTE-asetuksen pitäisi löytyä Samsungin puhelimissa valitsemalla asetukset > yhteydet > matkapuhelinverkot. Täältä asetus otetaan pois päältä.
Google tells users of some Android phones: Nuke voice calling to avoid infection | Ars Technica
https://arstechnica.com/information-technology/2023/03/critical-vulnerabilities-allow-some-android-phones-to-be-hacked/
Google is urging owners of certain Android phones to take urgent action to protect themselves from critical vulnerabilities that give skilled hackers the ability to surreptitiously compromise their devices by making a specially crafted call to their number. It’s not clear if all actions urged are even possible, however, and even if they are, the measures will neuter devices of most voice-calling capabilities.
The vulnerability affects Android devices that use the Exynos Modem 5123, Exynos Modem 5300, Exynos 980, Exynos 1080, Exynos Auto T5123 chipsets made by Samsung’s semiconductor division. Vulnerable devices include the Pixel 6 and 7, international versions of the Samsung Galaxy S22, various mid-range Samsung phones, the Galaxy Watch 4 and 5, and cars with the Exynos Auto T5123 chip. These devices are ONLY vulnerable if they run the Exynos chipset, which includes the baseband that processes signals for voice calls. The US version of the Galaxy S22 runs a Qualcomm Snapdragon chip.
A bug tracked as CVE-2023-24033 and three others that have yet to receive a CVE designation make it possible for hackers to execute malicious code
The problem is, it’s not entirely clear that it’s possible to turn off VoLTE, at least on many models. A screenshot one S22 user posted to Reddit last year shows that the option to turn off VoLTE is grayed out. While that user’s S22 was running a Snapdragon chip, the experience for users of Exynos-based phones is likely the same.
And even if it is possible to turn off VoLTE, doing so in conjunction with turning off Wi-Fi turns phones into little more than tiny tablets running Android. VoLTE came into widespread use a few years ago, and since then most carriers in North America have stopped supporting older 3G and 2G frequencies.
This is the most terrifying of them all ‘Internet to baseband’. Exactly what I’ve been preaching about for years. Here are 18 of them 4 of which are severe. These impact phones/wearables/cars. Many of these attacks have to jump off of other attacks, which we call pivoting. How long did the [#NSA](https://www.facebook.com/hashtag/nsa?__eep__=6&__cft__0=AZWt3E1MsWwsXUTnsnh-AfNxMoEt1a7hwVnbu2nPWu6yOQuSAzjfe23brvWXqZa2MxTsR-vFHfUDDqTPEce-3RWiWBz9u4dg2wR_AFx-TPjAug&__tn__=*NK-R) sit on these? Of course not, we’re not gonna burn our bridges.
#Google ‘Project Zero’ finds 18 zero-day vulnerabilities in #Samsung #Exynos chipsets
https://www.bleepingcomputer.com/news/security/google-finds-18-zero-day-vulnerabilities-in-samsung-exynos-chipsets/
Tomi Engdahl says:
https://hackaday.com/2023/03/17/this-week-in-security-kali-purple-malicious-notifications-and-cybersecurity-strategy/
After a one-week hiatus, we’re back. It’s been a busy couple weeks, and up first is the release of Kali Purple. This new tool from Kali Linux is billed as an SOC-in-a-box, that follows the NIST CSF structure. That is a veritable alphabet soup of abbreviated jargon, so let’s break this down a bit. First up, SOC IAB or SOC-in-a-box is integrated software for a Security Operation Center. It’s intrusion detection, intrusion prevention, data analysis, automated system accounting and vulnerability scanning, and more. Think a control room with multiple monitors showing graphs based on current traffic, a list of protected machines, and log analysis on demand.
NIST CSF is guidance published by the National Institute of Standards and Technology, a US government agency that does quite a bit of the formal ratification of cryptography and other security standards. CSF is the CyberSecurity Framework, which among other things, breaks cybersecurity into five tasks: identify, protect, detect, respond, and recover. The framework doesn’t map perfectly to the complexities of security, but it’s what we have to work with, and Kali Purple is tailor-made for that framework.
Tomi Engdahl says:
New ‘Trigona’ Ransomware Targets US, Europe, Australia
https://www.securityweek.com/new-trigona-ransomware-targets-us-europe-australia/
The recently identified Trigona ransomware has been highly active, targeting tens of organizations globally.
A new ransomware family has proven highly active over the past several months, cybersecurity firm Palo Alto Networks warns.
Dubbed Trigona, the malware emerged at the end of October 2022, targeting organizations in agriculture, construction, finance, high tech, manufacturing, and marketing in Australia, Italy, France, Germany, New Zealand, and the United States.
One of the main features that sets Trigona apart from other file-encrypting ransomware out there is the use of a .hta ransomware note that contains JavaScript code to display payment instructions to the victim.
The JavaScript code contains unique victim identifiers, a link to a Tor portal to negotiate with the attackers, and an email address.
Based on the victim IDs embedded in identified ransom notes, Palo Alto Networks believes that at least 15 organizations were potentially compromised in December 2022 alone. Several other ransom notes were found in January and February 2023.
Tomi Engdahl says:
Exploitation of Recent Fortinet Zero-Day Linked to Chinese Cyberspies
https://www.securityweek.com/exploitation-of-recent-fortinet-zero-day-linked-to-chinese-cyberspies/
Mandiant links exploitation of the Fortinet zero-day CVE-2022-41328, exploited in government attacks, to a Chinese cyberespionage group.
Tomi Engdahl says:
Mobile & Wireless
Project Zero: Samsung Mobile Chipsets Vulnerable to Baseband Code Execution Exploits
https://www.securityweek.com/project-zero-samsung-mobile-chipsets-vulnerable-to-baseband-code-execution-exploits/
Critical security flaws expose Samsung’s Exynos modems to “Internet-to-baseband remote code execution” attacks with no user interaction. Project Zero says an attacker only needs the victim’s phone number.
Tomi Engdahl says:
New Espionage Group ‘YoroTrooper’ Targeting Entities in European, CIS Countries
https://www.securityweek.com/new-espionage-group-yorotrooper-targeting-entities-in-european-cis-countries/
A newly identified threat actor named YoroTrooper is targeting organizations in Europe and the CIS region for espionage and data theft.
Tomi Engdahl says:
Ransomware
US Government Warns Organizations of LockBit 3.0 Ransomware Attacks
https://www.securityweek.com/us-government-warns-organizations-of-lockbit-3-0-ransomware-attacks/
Three US government agencies have issued a joint warning to organizations about LockBit 3.0 ransomware attacks.
Tomi Engdahl says:
Latitude Financial Services Data Breach Impacts 300,000 Customers
https://www.securityweek.com/latitude-financial-services-data-breach-impacts-300000-customers/
Latitude Financial Services says the personal information of 300,000 customers was stolen in a cyberattack.
Australian financial services company Latitude Financial Services is notifying roughly 300,000 customers that their personal information might have been compromised in a data breach.
A subsidiary of Deutsche Bank and KKE operating since 2015 and headquartered in Melbourne, Latitude is the largest non-bank lender of consumer credit in Australia, also offering services in New Zealand, under the brand Gem Finance.
On Thursday, the company disclosed falling victim to a cyberattack that forced it to suspend services and which also resulted in the theft of customer data.
“Latitude Financial has experienced a data theft as the result of what appears to be a sophisticated and malicious cyberattack,” Latitude says in a data breach notice.
Tomi Engdahl says:
Incident Response
Meta Develops New Kill Chain Thesis
https://www.securityweek.com/meta-develops-new-kill-chain-thesis/
Meta has developed a ten-phase cyber kill chain model that it believes will be more inclusive and more effective than the existing range of models.
Tomi Engdahl says:
Abner Li / 9to5Google:
Researchers detail “aCropalypse”, a bug in Google Pixel’s Markup fixed in March 2023, where some edited screenshots can be retroactively unredacted or uncropped — Besides the Samsung Exynos modem issue, Android 13 QPR2 with the March 2023 security update fixes a vulnerability with the Pixel’s Markup screenshot tool.
Pixel Markup vulnerability lets some screenshots be un-redacted, un-cropped; fixed by March update
https://9to5google.com/2023/03/18/pixel-markup-screenshot-vulnerability/
Besides the Samsung Exynos modem issue, Android 13 QPR2 with the March 2023 security update fixes a vulnerability with the Pixel’s Markup screenshot tool.
Dubbed “aCropalypse,” Simon Aarons identified and reported this vulnerability (CVE-2023-21036) to Google in early January, with the initial proof-of-concept exploit developed by David Buchanan:
Screenshots cropped using the built-in “Markup” app on Google Pixel devices may be retroactively un-cropped and un-redacted under many circumstances.
aCropalypse FAQ (coming soon)
The built-in Markup utility, released with Android 9 Pie in 2018, found on Pixel phones lets you edit (crop, add text, draw, and highlight) screenshots.
The problem
For example (as shared on Twitter), let’s say you upload a screenshot from a hypothetical bank app/website that includes a picture of your credit/debit card. You crop out everything save for the card and then use Markup’s Pen tool to black out the 16-digit number. You then share that message on a service, like Discord.
Given a vulnerability in how Markup works, somebody that downloads the image is able to perform a “partial recovery of the original, unedited image data of [the] cropped and/or redacted screenshot.” In the above case, a malicious party can remove the black lines and see the credit card number, as well as ~80% of the full screenshot, which might include other sensitive information.
”The top 20% of the image is corrupted, but the remainder of the image – including a photo of the credit card with its number visible – is fully recovered.”
This might be an issue if you shared screenshots with addresses, phone numbers, and other private info.
What screenshots are affected?
The privacy impact of this bug stems from people sharing cropped images [that] unknowingly included extra data. Fortunately, most social media services re-process uploaded images, which strips the trailing data and mitigates the vulnerability.
Technical explanation
When an image is cropped using Markup, it saves the edited version in the same file location as the original. However, it does not erase the original file before writing the new one. If the new file is smaller, the trailing portion of the original file is left behind, after the new file is supposed to have ended.
aCropalypse FAQ (coming soon)
The issue in Markup was fixed with the March 2023 security patch, with CVE-2023-21036 listed as having a “High” severity. That Pixel update is currently available for the Pixel 4a-5a, 7, and 7 Pro.
Tomi Engdahl says:
Play ransomware gang hit Dutch shipping firm Royal Dirkzwager https://securityaffairs.com/143714/cyber-crime/play-ransomware-royal-dirkzwager.html
Dutch maritime logistics company Royal Dirkzwager suffered a ransomware attack, the company was hit by the Play ransomware gang.
Tomi Engdahl says:
TikTok cannot be considered a private company, says Australian report https://www.theregister.com/2023/03/19/asia_tech_news_roundup/
ByteDance, the Chinese developer of TikTok, “can no longer be accurately described as a private enterprise” and is instead intertwined with China’s government, according to a report [PDF] submitted to Australia’s Select Committee on Foreign Interference through Social Media.
BBC to staff: Uninstall TikTok from our corporate kit unless you can ‘justify’ having it https://www.theregister.com/2023/03/20/british_broadcasting_corporation_softbans_tiktok/
The world’s oldest national broadcaster, the venerable British Broadcasting Corporation, has told staff they shouldn’t keep the TikTok app on a BBC corporate device unless there is a “justified business reason.”
Tomi Engdahl says:
ShellBot Malware Being Distributed to Linux SSH Servers https://asec.ahnlab.com/en/49769/ AhnLab Security Emergency response Center (ASEC) has recently discovered the ShellBot malware being installed on poorly managed Linux SSH servers. ShellBot, also known as PerlBot, is a DDoS Bot malware developed in Perl and characteristically uses IRC protocol to communicate with the C&C server. ShellBot is an old malware that has been in steady use and is still being used today to launch attacks against Linux systems.
Tomi Engdahl says:
Mahtikäsky Kremlissä: Heittäkää iPhonet pois – tilalle suomalaisteknologiaa https://www.is.fi/digitoday/mobiili/art-2000009465102.html
Venäjän presidentinhallinnossa on annettu käsky työntekijöille hankkiutua eroon Applen iPhone-puhelimista maaliskuun aikana. Määräys perustuu tietoturvahuoliin, ja se annettiin maaliskuun alussa seminaarissa Moskovassa Putinin kotimaan hallintovirkamiehille, kirjoittaa venäläinen Kommersant. Sitä siteeraa englanniksi Ukrainan Pravda
Tomi Engdahl says:
Ferrari in a spin as crims steal a car-load of customer data https://www.theregister.com/2023/03/21/ferrari_cyber_incident_data_theft/
Italian automaker Ferrari has warned its well-heeled customers that their personal data may be at risk. The maker of flash motors decided not to cough up a ransom as paying such demands funds criminal activity and enables threat actors to perpetuate their attacks.
Moreover, it does not fundamentally change the data exposure.
Tomi Engdahl says:
Meta Manager Was Hacked With Spyware and Wiretapped in Greece https://www.nytimes.com/2023/03/20/world/europe/greece-spyware-hacking-meta.html
A U.S. and Greek national who worked on Metas security and trust team while based in Greece was placed under a yearlong wiretap by the Greek national intelligence service and hacked with a powerful cyberespionage tool, according to documents obtained by The New York Times and officials with knowledge of the case. The Greek government has denied using Predator and has legislated against the use of spyware, which it has called illegal.
Tomi Engdahl says:
Exclusive: Meet Russias Cambridge Analytica, Run By A Former KGB Agent Turned YouTube Influencer https://www.forbes.com/sites/thomasbrewster/2023/03/21/andrei-masalovich-avalanche-russia-cambridge-analytica/
Russias Cyber Grandpa has been sanctioned by the U.S. government for selling a big data surveillance tool to Kremlin spies, Russian energy giants and repressive regimes
Tomi Engdahl says:
Tiktok jälleen vaikeuksissa – Italia selvittää rikkooko suosittu sovellus lakia sallimalla vaarallisia sisältöjä
https://yle.fi/a/74-20023393
Italia kertoi tänään alkavansa selvittää rikkooko Tiktok maan lakia sekä omia käyttöehtojaan sallimalla vaarallisia sisältöjä, jotka muun muassa kannustavat itsemurhaan ja itsensä vahingoittamiseen
Norja suosittelee Tiktokin poistamista hallituksensa työntekijöiden työlaitteilta https://www.is.fi/digitoday/art-2000009468465.html
Oikeusministeriön mukaan hallituksen työntekijät voivat yhä käyttää Telegramia ja Tiktokia työtarkoituksiin tarvittaessa sellaisilla laitteilla, jotka eivät ole kytkettyinä hallituksen digitaalisiin järjestelmiin
Tomi Engdahl says:
Huijarit keksivät tekstiviesteihin uuden koukun – älä missään nimessä klikkaa https://www.is.fi/digitoday/tietoturva/art-2000009466540.html
Ainakin Danske Bankin nimissä lähetettävissä tekstiviesteissä pelotellaan Apple Payn kytkemisellä korttiin
Tomi Engdahl says:
Data Breaches
Ferrari Says Ransomware Attack Exposed Customer Data
https://www.securityweek.com/ferrari-says-ransomware-attack-exposed-customer-data/
Ferrari said that a ransomware attack was responsible for a data breach that exposed customer details, but did not impact company operations.
Tomi Engdahl says:
Cybercrime
New York Man Arrested for Running BreachForums Cybercrime Website
Conor Brian Fitzpatrick of New York was arrested and charged last week for allegedly running the popular cybercrime forum BreachForums.
https://www.securityweek.com/new-york-man-arrested-for-running-breachforums-cybercrime-forum/
BreachForums, also known as Breached, was launched in 2022, just as the RaidForums cybercrime marketplace was taken down as part of a global law enforcement operation. Pompompurin created BreachForums as an alternative to RaidForums.
BreachForums was hosted on the surface web, with much of the information on the site being accessible to anyone.
Many BreachForums users expressed concerns that their information may have been obtained by law enforcement. Just before it was taken offline, the forum had more than 330,000 members, 47,000 threads, and nearly one million posts.
BreachForums was used in the past months to announce several high-profile cyberattacks, including the recent DC Health Link breach, which involved the sensitive personal data of members of the US House and Senate getting compromised.
Tomi Engdahl says:
Data Breach at Independent Living Systems Impacts 4 Million Individuals
https://www.securityweek.com/data-breach-at-independent-living-systems-impacts-4-million-individuals/
Health services company Independent Living Systems has disclosed a data breach that impacts more than 4 million individuals.
Tomi Engdahl says:
Adobe Acrobat Sign Abused to Distribute Malware
Cybercriminals are abusing the Adobe Acrobat Sign service in a campaign distributing the RedLine information stealer malware.
https://www.securityweek.com/adobe-acrobat-sign-abused-to-distribute-malware/
Tomi Engdahl says:
Millions Stolen in Hack at Cryptocurrency ATM Manufacturer General Bytes
Cryptocurrency ATM maker General Bytes discloses a security incident resulting in the theft of millions of dollars’ worth of crypto-coins.
https://www.securityweek.com/millions-stolen-in-hack-at-cryptocurrency-atm-manufacturer-general-bytes/
Tomi Engdahl says:
Hitachi Energy Blames Data Breach on Zero-Day as Ransomware Gang Threatens Firm
https://www.securityweek.com/hitachi-energy-blames-data-breach-on-zero-day-as-ransomware-gang-threatens-firm/
Hitachi Energy has blamed a data breach affecting employees on the recent exploitation of a zero-day vulnerability in Fortra’s GoAnywhere solution.
Sustainable energy giant Hitachi Energy has blamed a data breach affecting employees on the exploitation of a recently disclosed zero-day vulnerability in Fortra’s GoAnywhere managed file transfer (MFT) software.
In a press release published on Friday, Hitachi Energy said the Cl0p ransomware gang targeted the GoAnywhere product and may have gained unauthorized access to employee data in some countries
Tomi Engdahl says:
NBA Notifying Individuals of Data Breach at Mailing Services Provider
https://www.securityweek.com/nba-notifying-individuals-of-data-breach-at-mailing-services-provider/
NBA is notifying individuals that their information was stolen in a data breach at a third-party mailing services provider.
The National Basketball Association (NBA) is notifying individuals that their personal data was stolen in a data breach at a third-party service provider.
Last week, the NBA started sending out notification emails to an unknown number of individuals, to inform them that their information was compromised in a data breach at a third-party provider of newsletter services.
The incident has resulted in the theft of names and email addresses, with no other types of personal information impacted, reads a copy of the notification email shared on Twitter.
Tomi Engdahl says:
Uncategorized
Google Suspends Chinese Shopping App Amid Security Concerns
https://www.securityweek.com/google-suspends-chinese-shopping-app-amid-security-concerns/
Google has suspended the Chinese shopping app Pinduoduo on its app store after malware was discovered in versions of the app from other sources.
Google has suspended the Chinese shopping app Pinduoduo on its app store after malware was discovered in versions of the app from other sources.
Google said in a statement Tuesday that it suspended the Pinduoduo app on the Google Play app store out of “security concerns” and that it was investigating the matter.
The suspension of the Pinduoduo app — mainly used in China — comes amid heightened U.S.-China tensions over Chinese-owned apps such as TikTok, which some U.S. lawmakers say could be a national security threat. They allege that such apps could be used to spy on American users.
Tomi Engdahl says:
Verosint Launches Account Fraud Detection and Prevention Platform
https://www.securityweek.com/verosint-launches-account-fraud-detection-and-prevention-platform/
443ID is refocusing its solution to tackle account fraud detection and prevention, and has changed its name to Verosint.
Tomi Engdahl says:
Ransomware Gang Publishes Data Allegedly Stolen From Maritime Firm Royal Dirkzwager
https://www.securityweek.com/ransomware-gang-publishes-data-allegedly-stolen-from-maritime-firm-royal-dirkzwager/
The Play ransomware gang has published data stolen from Dutch maritime services company Royal Dirkzwager.
Tomi Engdahl says:
Organizations Notified of Remotely Exploitable Vulnerabilities in Aveva HMI, SCADA Products
https://www.securityweek.com/organizations-notified-of-remotely-exploitable-vulnerabilities-in-aveva-hmi-scada-products/
Industrial organizations using HMI and SCADA products from Aveva have been informed about potentially serious vulnerabilities.
Organizations that use human-machine interface (HMI) and supervisory control and data acquisition (SCADA) products from UK-based industrial software maker Aveva have been informed about the existence of several potentially serious vulnerabilities.
Security advisories published last week by Aveva and the US Cybersecurity and Infrastructure Security Agency (CISA) inform users about three vulnerabilities in the InTouch Access Anywhere HMI and Plant SCADA Access Anywhere products. Software updates that patch all vulnerabilities are available from the vendor.
CISA initially published its advisory in 2022, when it informed organizations about a single high-severity path traversal issue discovered by Jens Regel, a consultant at German cybersecurity firm Crisec. CISA has now updated its initial advisory to add information about additional flaws.
The vulnerability found by Regel, tracked as CVE-2022-23854, can allow an unauthenticated attacker with network access to the secure gateway to read files on the system outside the secure gateway web server.
Tomi Engdahl says:
Malicious NuGet Packages Used to Target .NET Developers
https://www.securityweek.com/malicious-nuget-packages-used-to-target-net-developers/
Software developers have been targeted in a new attack via malicious packages in the NuGet repository.
A newly discovered attack has been targeting .NET developers with malicious packages loaded to the NuGet repository, JFrog’s security researchers explain.
A package manager helping developers share and consume reusable code, NuGet allows developers to create code packages using the NuGet client app and have them published in either public or private repositories.
While attacks abusing open source repositories are nothing new, NuGet has not seen severe malicious activity until now, aside from packages designed to spread phishing links.
This incident, however, brings NuGet in line with NPM and PyPI repositories, which are often targeted by cybercriminals: malicious packages submitted to the repository contained code that triggered the download of a second-stage payload.
Tomi Engdahl says:
https://www.securityweek.com/ferrari-says-ransomware-attack-exposed-customer-data/
Tomi Engdahl says:
Google Pixel Vulnerability Allows Recovery of Cropped Screenshots
https://www.securityweek.com/google-pixel-vulnerability-allows-the-recovery-of-cropped-screenshots/
A vulnerability in Google Pixel phones allows for the recovery of an original, unedited screenshot from the cropped version.
A vulnerability lurking in Google’s Pixel phones for five years allows for the recovery of an original, unedited screenshot from the cropped version of the image.
Referred to as aCropalypse and tracked as CVE-2023-21036, the issue resides in Markup, the image-editing application on Pixel devices, which fails to properly truncate edited images, making the cropped data recoverable.
Reverse engineers Simon Aarons and David Buchanan, who identified the bug, point out that the bug has existed since 2018 and that it was the result of a code change that Markup did not adhere to.
Tomi Engdahl says:
João Carrasqueira / XDA Developers:
Windows 11′s Snipping Tool appears to have a bug similar to Pixel’s Markup tool “aCropalypse” bug, which lets anyone reveal info edited out in some screenshots
Windows 11 Snipping Tool vulnerability can reveal sensitive information in screenshots
By
João Carrasqueira
Published 19 hours ago
https://www.xda-developers.com/windows-11-snipping-tool-sensitive-information-acropalypse/
After Pixel phones, it looks like Windows 11′s built-in screenshot tool also lets attackers reveal information you may have cropped out.
Tomi Engdahl says:
Windows 11 Snipping Tool Privacy Bug: Inspecting PNG Files https://isc.sans.edu/diary/Windows+11+Snipping+Tool+Privacy+Bug+Inspecting+PNG+Files/29660/
The issue is the following: if you use Windows 11′s snipping tool to open an existing image, then modify the image to make it smaller (cropping for example), and then save the image again under the same name, then the file will not be truncated. The file will keep its original data after the beginning of the file has been overwritten with the new image