This posting is here to collect cyber security news in August 2023.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
This posting is here to collect cyber security news in August 2023.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
333 Comments
Tomi Engdahl says:
EU Digital Services Act: Challenges remain as enforcement begins https://www.euractiv.com/section/law-enforcement/news/eu-digital-services-act-challenges-remain-as-enforcement-begins/
>From Friday (25 August), large online platforms and search engines will
>have
to comply with the new EU Digital Services Act, a landmark law designed to combat hate speech and disinformation online. However, enforcing the new rules is likely to be challenging.
Tomi Engdahl says:
Puhelimeen päässyt haittaohjelma toi mojovan laskun – uhri halusi operaattorin korvaavan, näin päätti kuluttajariitalautakunta https://www.is.fi/digitoday/tietoturva/art-2000009803052.html
Kuluttajariitalautakunta julkaisi päätöksensä tapauksessa, jossa haittaohjelman puhelimeensa ladannut henkilö halusi teleoperaattorinsa korvaavan kokonaan aiheutuneet vahingot. [...] Tulkintaa voi pitää myös eräänlaisena ennakkotapauksena siitä, minkä tasoista osaamista kuluttajilta edellytetään.
Tomi Engdahl says:
Venäläisjengi retosteli tietomurrolla Valmetiin – näin yhtiö kommentoi https://www.is.fi/digitoday/tietoturva/art-2000009807077.html
Suomalainen ja kansainvälinen teknologiayritys Valmet joutui toukokuun lopussa verkkohyökkäyksen kohteeksi osana laajaa kampanjaa, jossa iskettiin MOVEit-tiedonsiirto-ohjelmiston haavoittuvuuteen eri puolilla maailmaa. Valmet vahvistaa murron IS Digitodaylle, mutta korostaa vahinkojen jääneen pieniksi.
Mikäli Valmetin ilmoitus pitävää paikkansa, CL0P näyttää lisäävän uhreja listalleen melko heppoisin perustein. Valmet sanoo, ettei ryhmä ole ollut yhtiöön yhteydessä.
Tomi Engdahl says:
New Whiffy Recon malware uses WiFi to triangulate your location https://www.bleepingcomputer.com/news/security/new-whiffy-recon-malware-uses-wifi-to-triangulate-your-location/
Cybercriminals behind the Smoke Loader botnet are using a new piece of malware called Whiffy Recon to triangulate the location of infected devices through WiFi scanning and Google’s geolocation API. In Whiffy Recon’s case, knowing the victim’s location could help carry out attacks that are better focused on specific regions or even urban areas, or help intimidate victims by showing tracking ability.
Tomi Engdahl says:
New Whiffy Recon malware uses WiFi to triangulate your location https://www.bleepingcomputer.com/news/security/new-whiffy-recon-malware-uses-wifi-to-triangulate-your-location/
Cybercriminals behind the Smoke Loader botnet are using a new piece of malware called Whiffy Recon to triangulate the location of infected devices through WiFi scanning and Google’s geolocation API. In Whiffy Recon’s case, knowing the victim’s location could help carry out attacks that are better focused on specific regions or even urban areas, or help intimidate victims by showing tracking ability.
For Windows systems where that service is present, Whiffy Recon enters a WiFi scanning loop that runs every minute, abusing the Windows WLAN API to collect the required data and sending HTTPS POST requests containing WiFi access point information in JSON format to Google’s geolocation API.
Using the coordinates in Google’s response, the malware formulates a more complete report about the access points, now including their geographic position, encryption method, SSID, and sends it to the threat actor’s C2 as a JSON POST request.
Depending on the number of WiFi access points in the area, the triangulation accuracy via Google’s geolocation API ranges between 20-50 meters (65-165ft) or less, though that figure increases in less dense areas.
Tomi Engdahl says:
New Telegram Bot “Telekopye” Powering Large-scale Phishing Scams from Russia https://thehackernews.com/2023/08/new-telegram-bot-telekopye-powering.html
A new financially motivated operation is leveraging a malicious Telegram bot to help threat actors scam their victims.
Dubbed Telekopye, a portmanteau of Telegram and kopye (meaning “spear” in Russian), the toolkit functions as an automated means to create a phishing web page from a premade template and send the URL to potential victims, codenamed Mammoths by the criminals.
Tomi Engdahl says:
Lazarus Group’s infrastructure reuse leads to discovery of new malware https://blog.talosintelligence.com/lazarus-collectionrat/
In the Lazarus Group’s latest campaign, which we detailed in a recent blog, the North Korean state-sponsored actor is exploiting CVE-2022-47966, a ManageEngine ServiceDesk vulnerability to deploy multiple threats. In addition to their “QuiteRAT” malware, which we covered in the blog, we also discovered Lazarus Group using a new threat called “CollectionRAT.”
See also: https://blog.talosintelligence.com/lazarus-quiterat/
Tomi Engdahl says:
https://www.securityweek.com/hosting-provider-cloudnordic-loses-all-customer-data-in-ransomware-attack/
Tomi Engdahl says:
Chinese-backed APT ‘Flax Typhoon’ Hacks Taiwan with Minimal Malware Footprint
https://www.securityweek.com/chinese-backed-apt-flax-typhoon-hacks-taiwan-with-minimal-malware-footprint/
Microsoft warns that Chinese spies are hacking into Taiwanese organizations with minimal use of malware and by abusing legitimate software
Tomi Engdahl says:
Rockwell ThinManager Vulnerabilities Could Expose Industrial HMIs to Attacks
https://www.securityweek.com/rockwell-thinmanager-vulnerabilities-could-expose-industrial-hmis-to-attacks/
Rockwell Automation ThinManager ThinServer vulnerabilities could allow remote attackers to take control of servers and hack HMIs.
Vulnerabilities discovered by researchers in Rockwell Automation’s ThinManager ThinServer product could be exploited in attacks aimed at industrial control systems (ICS).
Researchers at cybersecurity firm Tenable discovered one critical and two high-severity vulnerabilities in ThinManager ThinServer, a thin client and RDP server management software offered by Rockwell. The flaws are tracked as CVE-2023-2914, CVE-2023-2915 and CVE-2023-2917.
The security holes have been described as improper input validation issues that can lead to integer overflow or path traversal. The flaws can be exploited by remote attackers — without prior authentication — by sending specially crafted synchronization protocol messages.
Tomi Engdahl says:
University of Minnesota Confirms Data Breach, Says Ransomware Not Involved
https://www.securityweek.com/university-of-minnesota-confirms-data-breach-says-ransomware-not-involved/
University of Minnesota confirms data was stolen from its systems, says no malware infection or file encryption has been identified.
Tomi Engdahl says:
Cisco Patches Vulnerabilities Exposing Switches, Firewalls to DoS Attacks
https://www.securityweek.com/cisco-patches-vulnerabilities-exposing-switches-firewalls-to-dos-attacks/
Cisco has released patches for three high-severity vulnerabilities in NX-OS and FXOS software that could lead to denial-of-service (DoS) conditions.
Cisco on Wednesday announced patches for six vulnerabilities in its products, including three high-severity bugs in NX-OS and FXOS software that could be exploited to cause a denial-of-service (DoS) condition.
Impacting the FXOS software of Firepower 4100 and Firepower 9300 security appliances and of UCS 6300 series fabric interconnects, the most severe of these flaws is CVE-2023-20200, described as the improper handling of specific SNMP requests.
The issue allows an authenticated, remote attacker to send crafted SNMP requests to an affected device and cause it to reload, resulting in a DoS condition.
“This vulnerability affects all supported SNMP versions. To exploit this vulnerability through SNMPv2c or earlier, an attacker must know the SNMP community string that is configured on an affected device. To exploit this vulnerability through SNMPv3, the attacker must have valid credentials for an SNMP user who is configured on the affected device,” Cisco explains.
The second high-severity flaw, CVE-2023-20169, impacts the NX-OS software for Nexus 3000 and Nexus 9000 series switches in standalone NX-OS mode, and is described as an insufficient input validation in the Intermediate System-to-Intermediate System (IS-IS) protocol.
Tomi Engdahl says:
By Sayan Sen – A “UNSUPPORTED_PROCESSOR” issue has been affecting Intel chips this week since the latest Windows updates. While trying to address the issue, Microsoft claims its updates aren’t at fault. #Microsoft #Intel #Windows #BS
https://www.neowin.net/news/microsoft-puts-little-blame-on-its-windows-update-after-unsupported-processor-bsod-bug/?fbclid=IwAR3iecYGYpGQCsLBnGEBrNjWaa79sk_vxVDd4ypW9KNeRS1zlOwOo8C2E1I
Tomi Engdahl says:
Two LAPSUS$ Hackers Convicted in London Court for High-Profile Tech Firm Hacks https://thehackernews.com/2023/08/two-lapsus-hackers-convicted-in-london.html
Two U.K. teenagers have been convicted by a jury in London for being part of the notorious LAPSUS$ (aka Slippy Spider) transnational gang and for orchestrating a series of brazen, high-profile hacks against major tech firms and demanding a ransom in exchange for not leaking the stolen information.
Tomi Engdahl says:
Data breach at French govt agency exposes info of 10 million people https://www.bleepingcomputer.com/news/security/data-breach-at-french-govt-agency-exposes-info-of-10-million-people/
Pôle emploi, France’s governmental unemployment registration and financial aid agency, is informing of a data breach that exposed data belonging to 10 million individuals.
The exposed information includes full names and social security numbers, while email addresses, phone numbers, passwords, and banking data have not been affected by this data leak.
Tomi Engdahl says:
Raccoon Malware Resurfaces in Dark Web with New Stealing Capabilities https://cybersecuritynews.com/raccoon-malware-resurface/
It has recently come to light that the individuals responsible for the development and distribution of the infamous Raccoon Stealer malware have returned to online hacker forums.
The Raccoon Stealer malware works by stealing sensitive information from unsuspecting victims, making this development a cause for concern among cybersecurity professionals and the general public alike.
Tomi Engdahl says:
Poland investigates cyber-attack on rail network
https://www.bbc.com/news/world-europe-66630260
Polish intelligence services are investigating a hacking attack on the country’s railways, Polish media say.
Hackers broke into railway frequencies to disrupt traffic in the north-west of the country overnight, the Polish Press Agency (PAP) reported on Saturday.
The signals were interspersed with recording of Russia’s national anthem and a speech by President Vladimir Putin, the report says.
Tomi Engdahl says:
Met police on high alert after supplier IT security breach https://www.theguardian.com/uk-news/2023/aug/26/met-police-on-high-alert-after-it-system-holding-officers-details-hacked
The Metropolitan police are on high alert after a security breach involving the IT system of one of their suppliers.
Scotland Yard is working with the company to try to understand the scale of the incident.
The company had access to names, ranks, photos, vetting levels and pay numbers for officers and staff, but did not hold personal information such as addresses, phone numbers or financial details, the force said.
Tomi Engdahl says:
Kroll Suffers Data Breach: Employee Falls Victim to SIM Swapping Attack https://thehackernews.com/2023/08/kroll-suffers-data-breach-employee.html
Risk and financial advisory solutions provider Kroll on Friday disclosed that one of its employees fell victim to a “highly sophisticated” SIM swapping attack.
The incident, which took place on August 19, 2023, targeted the employee’s T-Mobile account, the company said.
SIM swapping (aka SIM splitting or simjacking), while generally a benign process, could be exploited by threat actors to fraudulently activate a SIM card under their control with a victim’s phone number. This makes it possible to intercept SMS messages and voice calls and receive MFA-related messages that control access to online accounts.
Tomi Engdahl says:
BYPASSING BITLOCKER WITH A LOGIC ANALZYER https://hackaday.com/2023/08/25/bypassing-bitlocker-with-a-logic-analzyer/
Security Engineer [Guillaume Quéré] spends the day penetration testing systems for their employer and has pointed out and successfully exploited a rather obvious weakness in the BitLocker full volume encryption system, which as the linked article says, allows one to simply sniff the traffic between the discrete TPM chip and CPU via an SPI bus. The way Bitlocker works is to use a private key stored in the TPM chip to encrypt the full volume key that in turn was used to encrypt the volume data. This is all done by low-level device drivers in the Windows kernel and is transparent to the user.
Tomi Engdahl says:
Varo tätä MobilePayn nimissä tulevaa tekstiviestiä – älä ainakaan klikkaa https://www.is.fi/digitoday/tietoturva/art-2000009809180.html
Suomessa suosittu maksusovellus MobilePay on päätynyt nettihuijarien täkyksi.
Suomalaisten puhelimiin on lähetetty ainakin torstaina MobilePayn nimissä tekstiviestiä, joka uhkaa tilin sulkemisella.
Huijauksen verkkosivu lakkasi toimimasta nopeasti, mutta uusissa viesteissä on varsin mahdollisesti toinen toimiva linkki. Verkkorikolliset ovat nopeita siirtämään huijaussivustonsa uusiin osoitteisiin vanhojen sulkeutuessa.
Älä missään tapauksessa näpäytä linkkiä auki ja syötä arkaluonteisia tietojasi avautuvalle verkkosivulle, vaikka se näyttäisi kuinka uskottavalta. Jopa pankkitilillä olevat rahasi voivat olla vaarassa ja niiden takaisin saamisesta pahimman sattuessa ei ole mitään takeita.
Tomi Engdahl says:
Lockbit leak, research opportunities on tools leaked from TAs https://securelist.com/lockbit-ransomware-builder-analysis/110370/
Lockbit is one of the most prevalent ransomware strains. It comes with an affiliate ransomware-as-a-service (RaaS) program offering up to 80% of the ransom demand to participants, and includes a bug bounty program for those who detect and report vulnerabilities that allow files to be decrypted without paying the ransom. According to the Lockbit owners, the namesake cybercriminal group, there have been bounty payments of up to 50 thousand dollars. In addition to these features, Lockbit has offered a searchable portal to query leaked information from companies targeted by this ransomware family, and even offered payment to those who get tattooed with a Lockbit logo on their body
Tomi Engdahl says:
Microsoft: Stealthy Flax Typhoon hackers use LOLBins to evade detection https://www.bleepingcomputer.com/news/security/microsoft-stealthy-flax-typhoon-hackers-use-lolbins-to-evade-detection/
Microsoft has identified a new hacking group it now tracks as Flax Typhoon that argets government agencies and education, critical manufacturing, and information technology organizations likely for espionage purposes.
The threat actor does not rely much on malware to gain and maintain access to the victim network and prefers using mostly components already available on the operating system, the so-called living-off-the-land binaries or LOLBins, and legitimate software.
Operating since at least mid-2021, Flax Typhoon mainly targeted organizations in Taiwan, although Microsoft discovered some victims in Southeast Asia, North America, and Africa.
Tomi Engdahl says:
FBI warns of patched Barracuda ESG appliances still being hacked https://www.bleepingcomputer.com/news/security/fbi-warns-of-patched-barracuda-esg-appliances-still-being-hacked/
The Federal Bureau of Investigation warned that patches for a critical Barracuda Email Security Gateway (ESG) remote command injection flaw are “ineffective,” and patched appliances are still being compromised in ongoing attacks.
Tracked as CVE-2023-2868, the vulnerability was first exploited in October
2022 to backdoor ESG appliances and steal data from the compromised systems.
The attackers deployed previously unknown malware, SeaSpy and Saltwater, and a malicious tool, SeaSide, to establish reverse shells for remote access.
Tomi Engdahl says:
Jack Schickler / CoinDesk:
Hackers access some customer data at FTX, Genesis, and BlockFi by SIM swapping an employee of Kroll, which manages creditor claims for the bankrupt companies
FTX, BlockFi, Genesis Customer Data Compromised in Kroll Hack
A ‘cybersecurity incident’ affected Kroll, which gathers customer claim data on behalf of bankrupt companies.
https://www.coindesk.com/policy/2023/08/25/ftx-blockfis-customer-data-compromised-in-kroll-hack/
Tomi Engdahl says:
Gwyn Topham / The Guardian:
The UK’s NATS “identified and remedied” a network-wide computer failure earlier on August 28 that resulted in ~500 canceled flights and delayed hundreds more — Some regional routes operating but few planes took off from Heathrow and inbound flights have been held
UK flight chaos could last for days, airline passengers warned
https://www.theguardian.com/world/2023/aug/28/uk-air-traffic-control-hit-network-wide-failure-airline
Technical meltdown in air traffic control causes bank holiday misery, with 500 flights cancelled and others delayed
Airline passengers have been warned that flight disruption could persist for days, after a technical meltdown in UK air traffic control left hundreds of thousands of passengers stranded or delayed on the summer bank holiday.
Returning holidaymakers and those hoping to travel out of UK airports faced cancellations and delays of up to 12 hours after takeoffs and inbound flights were suspended due to a “network-wide” computer failure.
A limited number of flights were able to operate but air traffic was severely restricted as engineers struggled to locate and rectify the problem.
With controllers forced to input flight plans manually, about 500 flights were cancelled and others delayed for hours even before Nats, the national airspace controllers, announced at 3.15pm that it had “identified and remedied” the issue that arose almost four hours earlier.
Tomi Engdahl says:
Issue with UK air traffic control system ‘identified and remedied’ but thousands still face major delays after fault – as it happened
https://www.theguardian.com/world/live/2023/aug/28/air-traffic-control-uk-delays-airport-travel-live-latest-updates
National air traffic services say they have fixed the issue that has caused a network-wide failure but significant flights backlog remains
Tomi Engdahl says:
MalDoc in PDF – Detection bypass by embedding a malicious Word file into a PDF file https://blogs.jpcert.or.jp/en/2023/08/maldocinpdf.html
JPCERT/CC has confirmed that a new technique was used in an attack that occurred in July, which bypasses detection by embedding a malicious Word file into a PDF file. This blog article calls the technique “MalDoc in PDF”
hereafter and explains the details of and countermeasures against it.
Tomi Engdahl says:
Exploit released for Juniper firewall bugs allowing RCE attacks https://www.bleepingcomputer.com/news/security/exploit-released-for-juniper-firewall-bugs-allowing-rce-attacks/
Proof-of-concept exploit code has been publicly released for vulnerabilities in Juniper SRX firewalls that, when chained, can allow unauthenticated attackers to gain remote code execution in Juniper’s JunOS on unpatched devices.
Juniper disclosed four medium-severity bugs in its EX switches and SRX firewalls and released security patches two weeks ago.
Tomi Engdahl says:
Experts Uncover How Cybercriminals Could Exploit Microsoft Entra ID for Elevated Privilege https://thehackernews.com/2023/08/experts-uncover-how-cybercriminals.html
Cybersecurity researchers have discovered a case of privilege escalation associated with a Microsoft Entra ID (formerly Azure Active Directory) application by taking advantage of an abandoned reply URL.
“The threat actor could then call Power Platform API via a middle-tier service and obtain elevated privileges.”
Following responsible disclosure on April 5, 2023, the issue was addressed by Microsoft via an update released a day later. Secureworks has also made available an open-source tool that other organizations can use to scan for abandoned reply URLs.
Tomi Engdahl says:
Spain warns of LockBit Locker ransomware phishing attacks https://www.bleepingcomputer.com/news/security/spain-warns-of-lockbit-locker-ransomware-phishing-attacks/
The National Police of Spain is warning of an ongoing ‘LockBit Locker’
ransomware campaign targeting architecture companies in the country through phishing emails.
Spain’s cyber police have detected that many emails are sent from the non-existent domain “fotoprix.eu” and impersonate a photographic firm.
The threat actors pretend to be a newly launched photography store requesting a facility renovation/development plan and a cost estimate for the work from the architecture firm.
Tomi Engdahl says:
Attacks on Citrix NetScaler systems linked to ransomware actor https://www.bleepingcomputer.com/news/security/attacks-on-citrix-netscaler-systems-linked-to-ransomware-actor/
A threat actor believed to be tied to the FIN8 hacking group exploits the
CVE-2023-3519 remote code execution flaw to compromise unpatched Citrix NetScaler systems in domain-wide attacks.
Sophos has been monitoring this campaign since mid-August, reporting that the threat actor performs payload injections, uses BlueVPS for malware stating, deploys obfuscated PowerShell scripts, and drops PHP webshells on victim machines.
Tomi Engdahl says:
Microsoft will enable Exchange Extended Protection by default this fall https://www.bleepingcomputer.com/news/security/microsoft-will-enable-exchange-extended-protection-by-default-this-fall/
Microsoft announced today that Windows Extended Protection will be enabled by default on servers running Exchange Server 2019 starting this fall after installing the 2023 H2 Cumulative Update (CU14).
Extended Protection (EP) is a feature that strengthens Windows Server auth functionality to mitigate authentication relay or “man in the middle” (MitM) attacks.
Microsoft also urged customers in January to keep their on-premises Exchange servers up-to-date by installing the latest supported Cumulative Updates (CU) always to be ready to deploy emergency security patches.
Exchange servers are valuable targets, as shown by financially motivated cybercrime groups like FIN7, which developed an attack platform specifically designed to breach Exchange servers.
Tomi Engdahl says:
Phishing-as-a-Service Gets Smarter: Microsoft Sounds Alarm on AiTM Attacks https://thehackernews.com/2023/08/phishing-as-service-gets-smarter.html
Microsoft is warning of an increase in adversary-in-the-middle (AiTM) phishing techniques, which are being propagated as part of the phishing-as-a-service
(PhaaS) cybercrime model.
In addition to an uptick in AiTM-capable PhaaS platforms, the tech giant noted that existing phishing services like PerSwaysion are incorporating AiTM capabilities.
Phishing kits with AiTM capabilities work in two ways, one of which concerns the use of reverse proxy servers (i.e., the phishing page) to relay traffic to and from the client and legitimate website and stealthily capture user credentials, two-factor authentication codes, and session cookies.
Tomi Engdahl says:
2.6 million DuoLingo users have scraped data released https://www.malwarebytes.com/blog/news/2023/08/2.6-million-duolingo-users-have-scraped-data-released
An unknown party has released the scraped data of 2.6 million DuoLingo users on a hacking forum. While they offered the data set for sale in January for $1,500, it’s now been released on a new version of the Breached hacking forum for 8 site credits, worth only $2.13.
The scraped data among others contain email addresses, usernames, languages, and which language the users are learning.
Affected users should be wary of phishing emails making use of this information. For example, since you are interested in a certain language you might be more likely to fall for an email inviting you to visit a country where that language is spoken.
Tomi Engdahl says:
New Android MMRat malware uses Protobuf protocol to steal your data https://www.bleepingcomputer.com/news/security/new-android-mmrat-malware-uses-protobuf-protocol-to-steal-your-data/
MMRat was spotted for the first time by Trend Micro in late June 2023, primarily targeting users in Southeast Asia and remaining undetected on antivirus scanning services like VirusTotal.
While the researchers do not know how the malware is initially promoted to victims, they found that MMRat is distributed via websites disguised as official app stores.
In conclusion, MMRat shows the evolving sophistication of Android banking trojans, adeptly blending stealth with efficient data extraction.
Tomi Engdahl says:
Qakbot botnet dismantled after infecting over 700,000 computers https://www.bleepingcomputer.com/news/security/qakbot-botnet-dismantled-after-infecting-over-700-000-computers/
Qakbot, one of the largest and longest-running botnets to date, was taken down following a multinational law enforcement operation spearheaded by the FBI and known as Operation ‘Duck Hunt.’
The botnet (also known as Qbot and Pinkslipbot) was linked by law enforcement to at least 40 ransomware attacks against companies, healthcare providers, and government agencies worldwide, causing hundreds of millions of dollars in damage, according to conservative estimates. Over the past 18 months alone, losses have surpassed 58 million dollars.
Throughout the years, Qakbot has consistently served as an initial infection vector for various ransomware gangs and their affiliates or operators, including Conti, ProLock, Egregor, REvil, RansomExx, MegaCortex, and, most recently, Black Basta.
Tomi Engdahl says:
US govt email servers hacked in Barracuda zero-day attacks https://www.bleepingcomputer.com/news/security/us-govt-email-servers-hacked-in-barracuda-zero-day-attacks/
Suspected Chinese hackers disproportionately targeted and breached government and government-linked organizations worldwide in recent attacks targeting a Barracuda Email Security Gateway (ESG) zero-day, with a focus on entities across the Americas.
Almost a third of appliances hacked in this campaign belonged to government agencies, most of them between October and December 2022, according to a Mandiant report published today.
The attacks’ motivation was espionage, with the threat actor (tracked as
UNC4841) engaging in targeted exfiltration from systems belonging to high-profile users in government and high-tech verticals.
Tomi Engdahl says:
How the FBI nuked Qakbot malware from infected Windows PCs https://www.bleepingcomputer.com/news/security/how-the-fbi-nuked-qakbot-malware-from-infected-windows-pcs/
The FBI announced today the disruption of the Qakbot botnet in an international law enforcement operation that not only seized infrastructure but also uninstalled the malware from infected devices.
Qakbot, aka Qbot and Pinkslipbot, started as a banking trojan in 2008, used to steal banking credentials, website cookies, and credit cards to conduct financial fraud.
Qakbot is distributed through phishing campaigns that utilize a variety of lures, including reply-chain email attacks, which is when threat actors use a stolen email thread and then reply to it with their own message and an attached malicious document.
Tomi Engdahl says:
Two Men Arrested Following Poland Railway Hacking
https://www.securityweek.com/two-men-arrested-following-poland-railway-hacking/
Polish police have arrested two men suspected of illegally hacking into the national railway’s communications network, causing disruption to 20 trains.
Polish police on Sunday arrested two men suspected of illegally hacking into the national railway’s communications network, which destabilized traffic in some areas of the country this weekend.
“The two men arrested are Polish citizens,” said Tomasz Krupa, a police spokesman in the eastern city of Bialystok where the arrest occurred.
Police also seized radio equipment from the apartment where the men, who are 24 and 29 years of age, were detained.
On Friday night, the radio communication network of the Polish PKP railway was hacked near the northwestern city of Szczecin leading to the issuing of several stop signals which brought to a standstill or delayed some 20 trains.
Traffic resumed a few hours later, according to PKP.
Media reports said the signals were interspersed with renditions of the Russian national anthem and a recording of a speech by Russian President Vladimir Putin.
Poland, a loyal ally of Ukraine, plays a key role in the transit of Western arms into the country.
The country’s internal security agency said Saturday it was investigating the incident.
“We know that for some months there have been attempts to destabilise the Polish state. Such attempts have been undertaken by the Russian Federation in conjunction with Belarus,” deputy coordinator of special services Stanislaw Zaryn told the PAP news agency.
The attack “did not pose risks to passengers’ health or lives”, he added.
During the week Polish railways saw several accidents, including two derailments, in which nobody was hurt.
Tomi Engdahl says:
New ‘MMRat’ Android Trojan Targeting Users in Southeast Asia
https://www.securityweek.com/new-mmrat-android-trojan-targeting-users-in-southeast-asia/
The newly identified MMRat Android trojan has been targeting users in Southeast Asia to remotely control devices and perform bank fraud.
Tomi Engdahl says:
Chinese APT Was Prepared for Remediation Efforts in Barracuda ESG Zero-Day Attack
https://www.securityweek.com/chinese-apt-was-prepared-for-remediation-efforts-in-barracuda-esg-zero-day-attack/
Chinese threat actor exploiting Barracuda ESG appliances deployed persistence mechanisms in preparation for remediation efforts.
The Chinese cyberespionage group exploiting Barracuda Email Security Gateway (ESG) appliances was preparing for remediation efforts, deploying persistent backdoors on select targets, Mandiant reports.
Tracked as UNC4841 and believed to be working on behalf of the Chinese government, the hacking group is believed to have exploited CVE-2023-2868, a zero-day vulnerability in Barracuda ESG, since at least October 2022.
Barracuda released patches for CVE-2023-2868 in May, but the FBI said last week that the fixes were ineffective and that attacks targeting the flaw have continued, with all Barracuda ESG appliances, including those updated to a patched version, at risk.
In a new report, Mandiant says the vulnerability has not been successfully exploited in recent attacks, explaining that the persistence mechanisms UNC4841 had deployed prior to the release of patches have allowed it to maintain presence on some system
Diving Deep into UNC4841 Operations Following Barracuda ESG Zero-Day Remediation (CVE-2023-2868)
https://www.mandiant.com/resources/blog/unc4841-post-barracuda-zero-day-remediation
Tomi Engdahl says:
VMware Patches Major Security Flaws in Network Monitoring Product
https://www.securityweek.com/vmware-patches-major-security-flaws-in-network-monitoring-product/
VWware patches critical flaws that allow hackers to bypass SSH authentication and gain access to the Aria Operations for Networks command line interface.
Virtualization technology giant VMware on Tuesday shipped a major security update to correct at least two critical vulnerabilities in its Aria Operations for Networks product line.
In a critical-severity advisory, VMware said the flaws could be exploited by malicious hackers to bypass SSH authentication and gain access to the Aria Operations for Networks command line interface.
VMware tagged the network authentication bypass issue as CVE-2023-34039 and applied a CVSS severity score of 9.8 out of 10.
“Aria Operations for Networks contains an authentication bypass vulnerability due to a lack of unique cryptographic key generation. VMware has evaluated the severity of this issue to be in the critical severity range with a maximum CVSSv3 base score of 9.8,” the company said.
Tomi Engdahl says:
Signs of Malware Attack Targeting Rust Developers Found on Crates.io
https://www.securityweek.com/signs-of-malware-attack-on-rust-developers-found-on-crates-io/
The Crates.io Rust package registry was targeted in preparation of a malware attack aimed at developers, according to Phylum.
It’s not uncommon for threat actors to rely on typosquatting and software development package registries to deliver malware to Node.js and Python developers.
In these types of attacks, hackers typically create packages with names that are misspelled — or typosquatted — variants of popular packages.
These attacker packages are initially benign to ensure that they are accepted into official registries. Days or weeks later, the threat actor adds malicious functionality that they can leverage against developers who download their package instead of the legitimate version.
Phylum reported that such an attack targeted the Rust package registry Crates.io earlier this month.
Rust Malware Staged on Crates.io
https://blog.phylum.io/rust-malware-staged-on-crates-io/
Tomi Engdahl says:
Nearly 1,000 Organizations, 60 Million Individuals Impacted by MOVEit Hack
https://www.securityweek.com/nearly-1000-organizations-60-million-individuals-impacted-by-moveit-hack/
Nearly 1,000 organizations and 60 million individuals are impacted by the MOVEit hack, and the Cl0p ransomware gang is leaking stolen data.
Tomi Engdahl says:
Polish Railways Fall Victim To Cheap Radio Attack
https://hackaday.com/2023/08/29/polish-railways-fall-victim-to-cheap-radio-attack/
Poland’s railways have recently come under a form of electronic attack, as reported by Wired. The attack has widely been called a “cyber-attack” in the mainstream media, but the incident was altogether a more simple affair pursued via good old analog radio.
The attacks were simple in nature. As outlined in an EU technical document, Poland’s railways use a RADIOSTOP system based on analog radio signals at around 150 MHz. Transmitting a basic tone sequence will trigger any duly equipped trains receiving the signal to engage emergency braking. It’s implemented as part of the PKP radio system on the Polish railway network.
The attacks brought approximately 20 trains to a standstill, according to the BBC, with services restored within hours. There was no major safety risk in the event,
It’s believed the perpetrators of the attack were supporters of the Russian war effort, as the stop signals were also joined by broadcasts of the Russian national anthem and a speech from Russian President Vladimir Putin.
The concern is that any unsophisticated individual could achieve the same results with cheap off-the-shelf equipment under $100. The emergency stop feature is completely insecure, which has been public knowledge for some time. Unlike an emergency brake on a passenger train, which requires proximity to actuate, the RADIOSTOP feature can be triggered at will from any remote location within transmission range. That makes catching perpetrators more difficult.
Poland’s railways will receive an upgrade to more secure cellular technology by 2025, with the 150 MHz system retained only for shunting duties and other edge cases. Interestingly, it will use GSM-R for connectivity, which is a big deal in Europe.
ENCOMMISSION DECISION
of 7 November 2006
concerning a technical specification for interoperability relating to the control-command and signalling subsystem of the trans-European high speed rail system and modifying Annex A to Decision 2006/679/EC concerning the technical specification for interoperability relating to the control-command and signalling subsystem of the trans-European conventional rail system
https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32006D0860
The Cheap Radio Hack That Disrupted Poland’s Railway System
https://www.wired.com/story/poland-train-radio-stop-attack/
The sabotage of more than 20 trains in Poland by apparent supporters of Russia was carried out with a simple “radio-stop” command anyone could broadcast with $30 in equipment.
Tomi Engdahl says:
Veronpalautuksia yritetään varastaa – Varo tätä huijausviestiä
https://www.iltalehti.fi/tietoturva/a/97c85cb6-43dc-49fb-84f4-22db3ceeeb46
Maanantaina 4.9. maksetaan sadoille tuhansille suomalaisille suuri potti veronpalautuksia – tämän tietävät myös huijarit.
Verohallinnon nimissä lähetellään jälleen huijausviestejä, joissa rikolliset pyrkivät saamaan haltuunsa veron asiakkaiden henkilökohtaisia tietoja, kuten pankkitietoja.
Huijausviestit tulevat OmaVero-palveluksi naamioituneena ja vaikuttavat uskottavilta.
Tomi Engdahl says:
Trojanized Signal and Telegram apps on Google Play delivered spyware https://www.bleepingcomputer.com/news/security/trojanized-signal-and-telegram-apps-on-google-play-delivered-spyware/
Trojanized Signal and Telegram apps containing the BadBazaar spyware were uploaded onto Google Play and Samsung Galaxy Store by a Chinese APT hacking group known as GREF.
BadBazaar’s capabilities include tracking the device’s precise location, stealing call logs and SMS, recording phone calls, taking pictures using the camera, exfiltrating contact lists, and stealing files or databases.
Tomi Engdahl says:
Critical Vulnerability Alert: VMware Aria Operations Networks at Risk from Remote Attacks https://thehackernews.com/2023/08/critical-vulnerability-alert-vmware.html
VMware has released software updates to correct two security vulnerabilities in Aria Operations for Networks that could be potentially exploited to bypass authentication and gain remote code execution.
The most severe of the flaws is CVE-2023-34039 (CVSS score: 9.8), which relates to a case of authentication bypass arising as a result of a lack of unique cryptographic key generation.
The second weakness, CVE-2023-20890 (CVSS score: 7.2), is an arbitrary file write vulnerability impacting Aria Operations for Networks that could be abused by an adversary with administrative access to write files to arbitrary locations and achieve remote code execution.
The vulnerabilities, which affect VMware Aria Operations Networks versions 6.2, 6.3, 6.4, 6.5.1, 6.6, 6.7, 6.8, 6.9, and 6.10, have been addressed in a series of patches released by VMware for each of the versions.
The virtualization services provider said that version 6.11.0 comes with fixes for the two flaws.
Tomi Engdahl says:
WordPress migration add-on flaw could lead to data breaches https://www.bleepingcomputer.com/news/security/wordpress-migration-add-on-flaw-could-lead-to-data-breaches/
All-in-One WP Migration, a popular data migration plugin for WordPress sites with 5 million active installations, suffers from unauthenticated access token manipulation that could allow attackers to access sensitive site information.
The flaw, tracked as CVE-2023-40004, allows unauthenticated users to access and manipulate token configurations on the affected extensions, potentially allowing attackers to divert website migration data to their own third-party cloud service accounts or restoring malicious backups.
The primary ramification of successfully exploiting CVE-2023-40004 is a data breach that might include user details, critical website data, and proprietary information.