This posting is here to collect cyber security news in March 2023.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
This posting is here to collect cyber security news in March 2023.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
370 Comments
Tomi Engdahl says:
A look at a Magecart skimmer using the Hunter obfuscator https://www.malwarebytes.com/blog/threat-intelligence/2023/03/hunter-skimmer
Today, we look at a Magecart skimmer that uses Hunter, a PHP Javascript obfuscator. During our investigation, we were able to discover a number of domains all part of the same infrastructure with custom skimmers for several Magento stores
Tomi Engdahl says:
The Unintentional Leak: A glimpse into the attack vectors of APT37
https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37
At Zscaler ThreatLabz, we have been closely monitoring the tools, techniques and procedures (TTPs) of APT37 (also known as ScarCruft or
Temp.Reaper) – a North Korea-based advanced persistent threat actor.
This threat actor has been very active in February and March 2023 targeting individuals in various South Korean organizations. In this blog, we will provide a high-level technical analysis of the infection chain, the new loaders we identified and a detailed analysis of the themes used by this APT group, discovered while reviewing the GitHub commit history. Even though the threat actor routinely deletes the files from the repository, we were able to retrieve all the deleted files and do an analysis of them
Tomi Engdahl says:
WooCommerce Credit Card Skimmer Reveals Tampered Gateway Plugin https://blog.sucuri.net/2023/03/woocommerce-skimmer-reveals-tampered-gateway-plugin.html
WooCommerce is an excellent and highly customizable eCommerce platform used by over 40% of all known online stores. It can be used in conjunction with a wide variety of payment gateways, including one such popular gateway Authorize.net. Both the plugin and payment gateway are generally considered to be secure for processing payments and safe to use, however in this blog post we will explore how even the most secure software applications can be tampered with by malicious actors to suit their own criminal goals
Tomi Engdahl says:
Another One Bites the Dust: The (Apparent) End of Breach Forums https://flashpoint.io/blog/end-of-breach-forums/
On March 21, 2023, in a Telegram message within the Breach Forums channel, the administrator baphomet announced that they would be closing the forum. Following pompompurins arrest, the admin initially claimed they had access to the infrastructure and would keep the forum online. However, their most recent message indicates that it may not be worthwhile to keep the forum online
Tomi Engdahl says:
IcedIDs VNC Backdoors: Dark Cat, Anubis & Keyhole https://blog.nviso.eu/2023/03/20/icedids-vnc-backdoors-dark-cat-anubis-keyhole/
In this blog-post we will share insights into IcedIDs VNC backdoor(s) as seen from an attackers perspective, insights we obtained by extracting and reassembling VNC (RFC6143) traffic embedded within private and public captures published by Brad Duncan. In this post we introduce the three variants we observed as well as their
capabilities: Dark Cat, Anubis and Keyhole. Well follow by exposing common techniques employed by the operators before revealing information they leaked through their clipboard data
Tomi Engdahl says:
North Korean hackers using Chrome extensions to steal Gmail emails https://www.bleepingcomputer.com/news/security/north-korean-hackers-using-chrome-extensions-to-steal-gmail-emails/
A joint cybersecurity advisory from the German Federal Office for the Protection of the Constitution (BfV) and the National Intelligence Service of the Republic of Korea (NIS) warn about Kimsuky’s use of Chrome extensions to steal target’s Gmail emails. While the current campaign targets people in South Korea, the techniques used by Kimsuky can be applied globally, so raising awareness is vital
Tomi Engdahl says:
FakeGPT #2: Open-Source Turned Malicious in Another Variant of the Facebook Account-Stealer Chrome Extension
https://labs.guard.io/fakegpt-2-open-source-turned-malicious-in-another-variant-of-the-facebook-account-stealer-d00ef9883d61
Following our discovery of FakeGPT, the Facebook Ad Accounts stealer masquerading as a Chat-GPT Chrome Extension, Guardios security team uncovered another variant in a new campaign already hitting thousands a day. In this write-up we will share our insights on this latest variant activities, how it abuses open-source as well as the effective propagation using Google services
Tomi Engdahl says:
https://krebsonsecurity.com/2023/03/google-suspends-chinese-e-commerce-app-pinduoduo-over-malware/
Tomi Engdahl says:
The “Acropalypse” bug, which allows content you’ve cropped out of your Android screenshot to be partially recovered (and poses a problem if you’ve edited out sensitive information), has now been ported to PC, it seems.
“Acropalypse” Android screenshot bug turns into a 0-day Windows vulnerability
Unpatched bug can be exploited with modified versions of the Android scripts.
https://arstechnica.com/information-technology/2023/03/windows-10-and-11-get-their-own-version-of-the-acropalypse-screenshot-bug/?utm_social-type=owned&utm_source=facebook&utm_brand=ars&utm_medium=social
Earlier this week, programmer and “accidental security researcher” Simon Aarons disclosed a bug in Google’s Markup screenshot editing tool for its Pixel phones. Dubbed “acropalypse,” the bug allows content you’ve cropped out of your Android screenshot to be partially recovered, which can be a problem if you’ve cropped out sensitive information.
Today, Aarons’ collaborator, David Buchanan, revealed that a similar bug affects the Snipping Tool app in Windows 11. As detailed by Bleeping Computer, which was able to verify the existence of the bug, PNG files all have an “IEND” data chunk that tells software where the image file ends. A screenshot cropped with Snipping Tool and then saved over the original (the default behavior) adds a new IEND chunk to the PNG image but leaves a bunch of the original screenshot’s data after the IEND chunk.
Tomi Engdahl says:
“The DEA Quietly Turned Apple’s AirTag Into A Surveillance Tool”
The DEA Quietly Turned Apple’s AirTag Into A Surveillance Tool
https://www.forbes.com/sites/thomasbrewster/2023/03/23/apple-airtag-becomes-dea-surveillance-device/?sh=4a8b47273d3d
Apple’s quarter-size location tracker was hidden in a pill press by the DEA to conduct surveillance. The AirTag’s small size and reliability could make it an attractive tool for cops.
Tomi Engdahl says:
Journalist plugs in unknown USB drive mailed to him – it exploded in his face https://arstechnica.com/gadgets/2023/03/journalist-plugs-in-unknown-usb-drive-mailed-to-him-it-exploded-in-his-face/
As reported by the Agence France-Presse (via CBS News) on Tuesday, five Ecuadorian journalists have received USB drives in the mail from Quinsaloma. Each of the USB sticks was meant to explode when activated. Upon receiving the drive, Lenin Artieda of the Ecuavisa TV station in Guayaquil inserted it into his computer, at which point it exploded. According to a police official who spoke with AFP, the journalist suffered mild hand and face injuries, and no one else was harmed
Tomi Engdahl says:
Windows 11, Tesla, Ubuntu, and macOS hacked at Pwn2Own 2023 https://www.bleepingcomputer.com/news/security/windows-11-tesla-ubuntu-and-macos-hacked-at-pwn2own-2023/
On the first day of Pwn2Own Vancouver 2023, security researchers successfully demoed Tesla Model 3, Windows 11, and macOS zero-day exploits and exploit chains to win $375,000 and a Tesla Model 3
Tomi Engdahl says:
New Kritec Magecart skimmer found on Magento stores https://www.malwarebytes.com/blog/threat-intelligence/2023/03/new-kritec-skimmer
Threat actors often compete for the same resources, and this couldn’t be further from the truth when it comes to website compromises. After all, if a vulnerability exists one can expect that it will be exploited more than once. In this blog post, we show how the newly found Kritec skimmer was found along side one of its competitors
Tomi Engdahl says:
Emotet Resumes Spam Operations, Switches to OneNote https://blog.talosintelligence.com/emotet-switches-to-onenote/
Emotet resumed spamming operations on March 7, 2023, after a months-long hiatus. Initially leveraging heavily padded Microsoft Word documents to attempt to evade sandbox analysis and endpoint protection, the botnets switched to distributing malicious OneNote documents on March 16. Since returning, Emotet has leveraged several distinct infection chains, indicating that they are modifying their approach based on their perceived success in infecting new systems.
The initial emails delivered to victims are consistent with what has been observed from Emotet over the past several years
Tomi Engdahl says:
Google Suspends Chinese E-Commerce App Pinduoduo Over Malware https://krebsonsecurity.com/2023/03/google-suspends-chinese-e-commerce-app-pinduoduo-over-malware/
Google says it has suspended the app for the Chinese e-commerce giant Pinduoduo after malware was found in versions of the software. The move comes just weeks after Chinese security researchers published an analysis suggesting the popular e-commerce app sought to seize total control over affected devices by exploiting multiple security vulnerabilities in a variety of Android-based smartphones
Tomi Engdahl says:
New loader on the bloc – AresLoader
https://intel471.com/blog/new-loader-on-the-bloc-aresloader
AresLoader is a new loader malware-as-a-service (MaaS) offered by threat actors with links to Russian hacktivism that was spotted recently in the wild. Most users are pushing a variety of information stealers with the service. The service offers a binder tool that allows users to masquerade their malware as legitimate software
Tomi Engdahl says:
Attackers hit Bitcoin ATMs to steal $1.5 million in crypto cash https://www.theregister.com/2023/03/23/general_bytes_crypto_atm/
Unidentified miscreants have siphoned cryptocurrency valued at more than $1.5 million from Bitcoin ATMs by exploiting an unknown flaw in digicash delivery systems. According to General Bytes, the outfit that sold the ATMs and had managed some of them with a cloud service, the attackers used an interface designed to upload videos to instead inject a malicious Java application, and then subverted ATM user privileges. They drained at least 56 Bitcoin about $1.5 million as of publication time – from crypto wallets
Tomi Engdahl says:
Operation Tainted Love | Chinese APTs Target Telcos in New Attacks https://www.sentinelone.com/labs/operation-tainted-love-chinese-apts-target-telcos-in-new-attacks/
In collaboration with QGroup GmbH, SentinelLabs recently observed initial threat activities targeting the telecommunication sector. We assess it is highly likely that these attacks were conducted by a Chinese cyberespionage actor related to the Operation Soft Cell campaign. The initial attack phase involves infiltrating Internet-facing Microsoft Exchange servers to deploy webshells used for command execution. Once a foothold is established, the attackers conduct a variety of reconnaissance, credential theft, lateral movement, and data exfiltration activities. The deployment of custom credential theft malware is central to this new campaign. The malware implemented a series of Mimikatz modifications on closed-source tooling. This post details the multi-component architecture and functionality of a sample, referred to as mim221
Tomi Engdahl says:
Nexus: A New Rising Android Banking Trojan Targeting 450 Financial Apps https://thehackernews.com/2023/03/nexus-new-rising-android-banking-trojan.html
An emerging Android banking trojan dubbed Nexus has already been adopted by several threat actors to target 450 financial applications and conduct fraud. “Nexus appears to be in its early stages of development,” Italian cybersecurity firm Cleafy said in a report published this week. “Nexus provides all the main features to perform ATO attacks (Account Takeover) against banking portals and cryptocurrency services, such as credentials stealing and SMS interception.” also:
https://www.cleafy.com/cleafy-labs/nexus-a-new-android-botnet
Tomi Engdahl says:
Malicious JavaScript Injection Campaign Infects 51k Websites https://unit42.paloaltonetworks.com/malicious-javascript-injection/
Unit 42 researchers have been tracking a widespread malicious JavaScript (JS) injection campaign that redirects victims to malicious content such as adware and scam pages. This threat was active throughout 2022 and continues to infect websites in 2023
Tomi Engdahl says:
Saitko lapseltasi tällaisen viestin? Varo, kyseessä on törkeä huijaus https://www.iltalehti.fi/tietoturva/a/c442f8f1-2f17-4b9b-94e6-2d2ab0bfd8ce
Tietoja kalastelevia huijaustekstiviestejä on edelleen liikenteessä.
Tekstiviestit voivat tulla jopa salattuihin numeroihin.
Tuntemattomasta numerosta saapuvaa linkkiä ei kuulu avata. – Tapauksissa ei ole ollut jälkeläisellä nimeä. Viestejä ovat saaneet myös lapsettomat ja alaikäiset lapset, Kyberturvallisuuskeskuksen erityisasiantuntija Juha Tretjakov kertoo
Tomi Engdahl says:
Vaaralliset vinkit leviävät Youtubessa – Tekoälyn ohjeita noudattava saa haittaohjelman
Maksullisten ohjelmien ilmaislatauksia mainostaviin videoihin kuuluu suhtautua varauksella.
https://www.iltalehti.fi/tietoturva/a/f19e4b7b-1b41-47de-9a91-834ba5231576
Tekoälyllä tuotettu haittaohjelmasisältö on kasvanut Googlen omistamassa videopalvelu Youtubessa kuukausittain 200–300 prosenttia. Kasvua on havaittu viime vuoden marraskuusta lähtien. Asiasta kertoi tekoälyyn erikoistunut tietoturvayhtiö CouldSEK.
Threat Actors Abuse AI-Generated Youtube Videos to Spread Stealer Malware
https://cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware
Tomi Engdahl says:
Cisco Patches High-Severity Vulnerabilities in IOS Software
https://www.securityweek.com/cisco-patches-high-severity-vulnerabilities-in-ios-software/
Cisco’s semiannual security updates for IOS and IOS XE software resolve high-severity DoS, command injection, and privilege escalation vulnerabilities.
Cisco this week published its semiannual IOS and IOS XE software security advisory bundle, which addresses ten vulnerabilities, including six rated ‘high severity’.
The most important are three security bugs that can be exploited by remote, unauthenticated attackers to cause a denial-of-service (DoS) condition.
Tracked as CVE-2023-20080, the first of these flaws impacts the IPv6 DHCP version 6 (DHCPv6) relay and server features of IOS and IOS XE software. Insufficient validation of data boundaries allows an attacker to send crafted DHCPv6 messages to an affected device and cause it to reload unexpectedly.
The second vulnerability, CVE-2023-20072, impacts the fragmentation handling code of tunnel protocol packets and can be exploited by sending crafted fragmented packets to an affected system.
Cisco also addressed CVE-2023-20027, an issue in the implementation of the IPv4 Virtual Fragmentation Reassembly (VFR) feature of IOS and IOS XE software, which exists because large packets are not properly reassembled when VFR is enabled.
Tomi Engdahl says:
Vulnerabilities
Chrome 111 Update Patches High-Severity Vulnerabilities
https://www.securityweek.com/chrome-111-update-patches-high-severity-vulnerabilities/
The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.
Google this week announced a Chrome 111 update that brings patches for eight vulnerabilities, including seven flaws that were reported by external researchers.
All seven of the externally reported issues are high-severity memory safety bugs, with four of them described as use-after-free vulnerabilities, a type of bug that could lead to arbitrary code execution, data corruption, or denial of service.
The latest Chrome release is now rolling out as version 111.0.5563.110 for Mac and Linux and as versions 111.0.5563.110/.111 for Windows.
Tomi Engdahl says:
Dole Says Employee Information Compromised in Ransomware Attack
https://www.securityweek.com/dole-says-employee-information-compromised-in-ransomware-attack/
Dole has admitted in an SEC filing that its investigation into the recent ransomware attack found that the hackers had accessed employee information.
Tomi Engdahl says:
High-Severity Vulnerabilities Found in WellinTech Industrial Data Historian
https://www.securityweek.com/high-severity-vulnerabilities-found-in-wellintech-industrial-data-historian/
Cisco Talos researchers found two high-severity vulnerabilities in WellinTech’s KingHistorian industrial data historian software.
Cisco’s Talos threat intelligence and research unit this week disclosed the details of two high-severity vulnerabilities discovered last year in WellinTech’s KingHistorian industrial data historian software.
China-based industrial automation software company WellinTech designed KingHistorian for collecting and processing a ‘massive amount’ of industrial control system (ICS) data.
Talos researchers discovered that the historian is impacted by two flaws. One of them, tracked as CVE-2022-45124, can allow an attacker who can intercept an authentication packet to obtain the username and password of the legitimate user who logged in to the system.
Tomi Engdahl says:
Cybercrime
BreachForums Shut Down Over Law Enforcement Takeover Concerns
https://www.securityweek.com/breachforums-shut-down-over-law-enforcement-takeover-concerns/
The popular cybercrime forum BreachForums is being shut down following the arrest of Conor Brian Fitzpatrick, who is accused of running the website.
Tomi Engdahl says:
Linus Tech tips YouTube channel was deleted
https://youtu.be/yGXaAWbzl5A
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/exploit-released-for-veeam-bug-allowing-cleartext-credential-theft/
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/microsoft/microsoft-pushes-oob-security-updates-for-windows-snipping-tool-flaw/
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/microsoft-shares-tips-on-detecting-outlook-zero-day-exploitation/
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/windows-ubuntu-and-vmware-workstation-hacked-on-last-day-of-pwn2own/
Tomi Engdahl says:
Fortra told breached companies their data was safe
https://techcrunch.com/2023/03/24/fortra-goanywhere-clop-ransomware/
Tomi Engdahl says:
GitHub publishes RSA SSH host keys by mistake, issues update
Getting connection failures? Don’t panic. Get new keys
https://www.theregister.com/2023/03/24/github_changes_its_ssh_host/
Tomi Engdahl says:
how hackers bypass windows login screen!
https://www.youtube.com/watch?v=2v-mGf4_9-A
Tomi Engdahl says:
Learn How to bypass windows user password without any software or Reset Windows 11 User login password
https://www.youtube.com/watch?v=c0WEmk9yBhg
Tomi Engdahl says:
Tesla Hacked Twice at Pwn2Own Exploit Contest
https://www.securityweek.com/tesla-hacked-twice-at-pwn2own-exploit-contest/
Researchers at offensive hacking shop Synacktiv demonstrated successful exploit chains and were able to “fully compromise” Tesla’s newest electric car and take top billing at the annual Pwn2Own contest.
Tomi Engdahl says:
Google Leads $16 Million Investment in Dope.security
https://www.securityweek.com/google-leads-16-million-investment-in-dope-security/
Dope.security raised $16 million in Series A funding for its fly-direct Secure Web Gateway (SWG).
Dope.security this week announced that it has raised $16 million in a Series A funding round that brings the total investment in the company to $20 million.
While the company may have a somewhat juvenile name, it is attracting serious investors. The new funding round was led by Google Ventures (GV), with additional investment from Boldstart Ventures and Preface.
Founded in 2021 and emerging from stealth mode in September 2022, Mountain View, California-based Dope.security offers a Secure Web Gateway (SWG) that delivers security directly on the endpoint, even for remote users and hybrid environments.
The company claims that, without routing traffic through data centers, its solution provides organizations with improved performance and reliability, while ensuring that decrypted data remains on the device.
The solution enforces endpoint-driven security controls, including anti-malware, cloud application controls, URL categorizations, and user-based policies. Functioning as an on-device proxy, the fly-direct SWG also performs SSL inspection directly on the endpoint.
Tomi Engdahl says:
CISA Ships ‘Untitled Goose Tool’ to Hunt for Microsoft Azure Cloud Infections
https://www.securityweek.com/cisa-ships-untitled-goose-tool-to-hunt-for-microsoft-azure-cloud-infections/
The U.S. government’s cybersecurity agency ships a new tool to help network defenders hunt for signs of compromise in Microsoft’s Azure and M365 cloud deployments.
The U.S. government’s cybersecurity agency CISA has jumped into the fray to help network defenders hunt for signs of compromise in Microsoft’s Azure and M365 cloud deployments.
The agency rolled out a free hunt and incident response utility called Untitled Goose Tool that offers novel authentication and data gathering methods to manage a full investigation against enterprise deployments of Microsoft Azure, Azure Active Directory (AAD) and Microsoft 365 (M365).
In a note documenting the release, CISA said the Untitled Goose Tool can also gather additional telemetry from Microsoft Defender for Endpoint (MDE) and Defender for Internet of Things (IoT) (D4IoT).
https://github.com/cisagov/untitledgoosetool
Tomi Engdahl says:
Critical WooCommerce Payments Vulnerability Leads to Site Takeover
A critical-severity flaw in the WooCommerce Payments WordPress plugin could allow attackers to take over site administrator accounts.
https://www.securityweek.com/critical-woocommerce-payments-vulnerability-leads-to-site-takeover/
Tomi Engdahl says:
PoC Exploit Published for Just-Patched Veeam Data Backup Solution Flaw
https://www.securityweek.com/poc-exploit-published-for-just-patched-veeam-data-backup-solution-flaw/
Proof-of-concept code to exploit a just-patched security hole in the Veeam Backup & Replication product has been published online.
Tomi Engdahl says:
UK creates fake DDoS-for-hire sites to identify cybercriminals https://www.bleepingcomputer.com/news/security/uk-creates-fake-ddos-for-hire-sites-to-identify-cybercriminals/
The U.K.’s National Crime Agency (NCA) revealed today that they created multiple fake DDoS-for-hire service websites to identify cybercriminals who utilize these platforms to attack organizations.
DDoS-for-hire services, also known as ‘booters,’ are online platforms offering to generate massive garbage HTTP requests towards a website or online service in exchange for money that overwhelm the webserver and take it offline. These illegal services are bought by people aiming to take down a site or disrupt an organization’s operations for various reasons, including espionage, revenge, extortion, and political reasons
Tomi Engdahl says:
GitHub.com rotates its exposed private SSH key https://www.bleepingcomputer.com/news/security/githubcom-rotates-its-exposed-private-ssh-key/
GitHub has rotated its private SSH key for GitHub.com after the secret was was accidentally published in a public GitHub repository. The software development and version control service says, the private RSA key was only “briefly” exposed, but that it took action out of “an abundance of caution.” In a succinct blog post published today, GitHub acknowledged discovering this week that the RSA SSH private key for GitHub.com had been ephemerally exposed in a public GitHub repository
Tomi Engdahl says:
BlackGuard stealer now targets 57 crypto wallets, extensions https://www.bleepingcomputer.com/news/security/blackguard-stealer-now-targets-57-crypto-wallets-extensions/
A new variant of the BlackGuard stealer has been spotted in the wild, featuring new capabilities like USB propagation, persistence mechanisms, loading additional payloads in memory, and targeting additional crypto wallets. In conclusion, the latest version of BlackGuard demonstrates the continuous evolution of the malware which competes in the MaaS space, adding mostly meaningful features that pose an even more significant risk to users. To keep the risk of BlackGuard infections at bay, avoid downloading executables from untrustworthy websites, do not launch files arriving as email attachments from unknown senders, and keep your system and AV tools updated
Tomi Engdahl says:
Researchers Uncover Chinese Nation State Hackers’ Deceptive Attack Strategies https://thehackernews.com/2023/03/researchers-uncover-chinese-nation.html
A recent campaign undertaken by Earth Preta indicates that nation-state groups aligned with China are getting increasingly proficient at bypassing security solutions. The threat actor, active since at least 2012, is tracked by the broader cybersecurity community under Bronze President, HoneyMyte, Mustang Panda, RedDelta, and Red Lich. Attack chains mounted by the group commence with a spear-phishing email to deploy a wide range of tools for backdoor access, command-and-control (C2), and data exfiltration
Tomi Engdahl says:
Viranomainen varoittaa Posti-huijauksesta näin vältät ansan https://www.is.fi/digitoday/art-2000009475708.html
Liikenne- ja viestintävirasto Traficomin Kyberturvallisuuskeskus varoittaa Postin nimissä tapahtuvasta aktiivisesta pankkitunnusten kalastelusta. Keskus on saanut huijarien tekstiviesteistä kymmeniä ilmoituksia. Viestit eivät vaikuta tietyille vastaanottajille kohdennetuilta. Postin osalta viestit ovat joskus olleet siitä ilkeitä, että ne ovat osuneet saumaan, jolloin huijausviestin vastaanottaja on todella odottanut tietoa todellisesta saapuvasta paketista. Lisäksi viestit voivat näkyä samassa ketjussa Postin oikeiden tekstiviestien kanssa
Tomi Engdahl says:
How hackers took over Linus Tech Tips
https://www.theverge.com/2023/3/24/23654996/linus-tech-tips-channel-hack-session-token-elon-musk-crypto-scam
The hackers were able to take over three Linus Media Group YouTube channels by targeting session tokens. YouTube channel Linus Tech Tips and two other Linus Media Group YouTube channels have been restored after a major hack allowed a bad actor to do things like livestream crypto scam videos, change channel names, and even delete videos. In a new video, owner Linus Sebastian explains that the breach bypassed things like password and two-factor protections because the bad actor targeted the session tokens that keep you logged in to websites
Tomi Engdahl says:
Guidance for investigating attacks using CVE-2023-23397 https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/
This guide provides steps organizations can take to assess whether users have been targeted or compromised by threat actors exploiting CVE-2023-23397. A successful exploit of this vulnerability can result in unauthorized access to an organizations environment by triggering a
Net-NTLMv2 hash leak. Understanding the vulnerability and how it has been leveraged by threat actors can help guide the overall investigative process. This vulnerability triggers a Net-NTLMv2 hash leak. Abuse of the leaked Net-NTLMv2 hash is post-exploitation activity. In this blog, we emphasize specific observed post-exploitation activity that targeted Microsoft Exchange Server.
However, there are numerous ways that a leaked Net-NTLMv2 hash could be used by a threat actor
Tomi Engdahl says:
Google Play varoittaa sisältä löytyneistä haittaohjelmista https://www.iltalehti.fi/tietoturva/a/4d879a41-50b7-45ef-95a4-624367f0019a
Teknologiajätti Googlen mukaan useat kiinalaisen Pinduoduo-verkkomarkkinajätin kehittämät sovellukset sisältävät haittaohjelmia. Google varoittaa sovelluksia ladanneita Android-käyttäjiä. Asiasta uutisoi verkkojulkaisu TechCrunch.
Pinduoduo on kasvanut muutamassa vuodessa yhdeksi suurimmista Alibaban kilpailijoista. 903 miljoonan käyttäjän Alibaba tunnetaan suurimpana kiinalaisena verkkomarkkina-alustana
Tomi Engdahl says:
Windows, Ubuntu, and VMWare Workstation hacked on last day of Pwn2Own https://www.bleepingcomputer.com/news/security/windows-ubuntu-and-vmware-workstation-hacked-on-last-day-of-pwn2own/
On the third day of the Pwn2Own hacking contest, security researchers were awarded $185,000 after demonstrating 5 zero-day exploits targeting Windows 11, Ubuntu Desktop, and the VMware Workstation virtualization software. The highlight of the day was the Ubuntu Desktop operating system getting hacked three times by three different teams, although one of them was a collision with the exploit being previously known