This posting is here to collect cyber security news October 2020.
I post links to security vulnerability news with short descriptions to comments section of this article.
If you are interested in cyber security trends, read my Cyber security trends 2020 posting.
You are also free to post related links to comments.
Tomi Engdahl says:
Diplomats are supposed to be subtle and clever. Australia’s just leaked 1,000 citizens’ email addresses
And not just any citizens, but folks stranded overseas and in dire need of assistance
https://www.theregister.com/2020/10/01/dfat_email_leak/
Tomi Engdahl says:
HP Offering Big Rewards for Cartridge Vulnerabilities
https://www.securityweek.com/hp-offering-big-rewards-cartridge-vulnerabilities
HP announced on Thursday that it has expanded its bug bounty program, inviting several white hat hackers to find vulnerabilities in its office-class ink and toner cartridges.
The printer giant says it’s working with Bugcrowd to run this program for three months. The program is private and only four researchers have been invited to find vulnerabilities in original HP cartridges.
HP says it has invested roughly $200,000 into this initiative and it’s prepared to award an extra $10,000 for each vulnerability, in addition to the researchers’ base fee.
HP has been running a bug bounty program for its printers since 2018 — the company claimed at the time that this was the industry’s first printer bug bounty program. The company says there has been an increase in attacks on embedded systems, and printer firmware may also be targeted.
The company has warned that, in addition to poor printing results and the financial damage they cause to the industry, imitation and fake cartridges can introduce unknown and untrusted electrical hardware into an organization’s network.
“While the industry has become sophisticated at spotting and blocking software-based intrusions, the same can’t be said for hardware. In fact, it is well understood in the IT industry that counterfeit hardware can become the source of hardware-based exploitation,” said Shivaun Albright, chief technologist for print security at HP.
HP says it has taken steps to prevent cartridge chips from being replaced or altered in the supply chain.
Tomi Engdahl says:
North Korea Has Tried To Hack 11 Officials of the UN Security Council
https://news.slashdot.org/story/20/09/30/201253/north-korea-has-tried-to-hack-11-officials-of-the-un-security-council?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29
A hacker group previously associated with the North Korean regime has been spotted launching spear-phishing attacks to compromise officials part of the United Nations Security Council. From a report:
The attacks, disclosed in a UN report last month, have taken place this year and have targeted at least 28 UN officials, including at least 11 individuals representing six countries on the UN Security Council. UN officials said they learned of the attacks after being alerted by an unnamed UN member state (country).
North Korea has tried to hack 11 officials of the UN Security Council
https://www.zdnet.com/article/north-korea-has-tried-to-hack-11-officials-of-the-un-security-council/
New UN Security Council report reveals repeated targeting of UN Security Council officials over the past year.
Tomi Engdahl says:
With API attacks rising, Cloudflare launches a free API security tool
Cloudflare launches API Shield, a new service to protect web APIs against attacks.
https://www.zdnet.com/article/with-api-attacks-rising-cloudflare-launches-a-free-api-security-tool/
After attacks against API servers have constantly risen over the past few years, Cloudflare has launched today a new security tool to secure these systems against automated exploitation attempts.
Named the Cloudflare API Shield, this new service will be available for free for all Cloudflare account holders, regardless of pricing plan.
According to industry reports, attacks on web-based API endpoints have grown in number and volume in recent years, and are expected to rise as more companies move to the cloud, where APIs are the glue that holds most companies’ infrastructure together.
The Cloudflare API Shield was built for these systems —the web-based APIs— that are exposed online all the time and susceptible to attacks such as automated login attempts, command injections, user data enumeration, and more.
Cloudflare’s new API Shield works by using a “deny-all” security policy, which the company calls “positive security.”
“We’ll initially support [API] JSON traffic and, based on customer feedback, we will consider extending schema protection to binary protocols, such as gRPC,” Cloudflare said in a press release today.
https://blog.cloudflare.com/introducing-api-shield/
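The "positive security" model described above (allow only what the schema declares, deny everything else) is easy to see in a small validator. The following is an added illustration, not Cloudflare's code or API Shield's implementation: the login endpoint schema, the field names and the sample requests are all constructed for the demonstration, and the checker is hand-rolled so it runs with the standard library alone.

```python
"""Positive-security ("deny-all") validation of a JSON API request body.

Added example, not Cloudflare's code. The schema below is an allowlist:
every field the endpoint may receive is declared with its type and size
bound, and anything not declared is rejected. Schema and requests are
constructed for illustration.
"""
import json

# Constructed allowlist schema for a hypothetical /login endpoint.
LOGIN_SCHEMA = {
    "required": {"username", "password"},
    "properties": {
        "username": {"type": str, "max_len": 64},
        "password": {"type": str, "max_len": 128},
        "remember_me": {"type": bool},
    },
}


def validate(schema, body: str):
    """Return (ok, reason). Fails closed: non-JSON bodies, non-object bodies,
    unknown keys, missing required keys, wrong types and oversize values
    are all denied."""
    try:
        payload = json.loads(body)
    except ValueError:
        return False, "body is not valid JSON"
    if not isinstance(payload, dict):
        return False, "body is not a JSON object"
    props = schema["properties"]
    unknown = set(payload) - set(props)
    if unknown:
        return False, f"unknown field(s): {sorted(unknown)}"
    missing = schema["required"] - set(payload)
    if missing:
        return False, f"missing required field(s): {sorted(missing)}"
    for name, value in payload.items():
        rule = props[name]
        # bool is a subclass of int in Python, so compare the exact type
        # instead of using isinstance(); otherwise true/false would pass as ints.
        if type(value) is not rule["type"]:
            return False, f"field {name!r} has wrong type"
        if "max_len" in rule and len(value) > rule["max_len"]:
            return False, f"field {name!r} exceeds {rule['max_len']} characters"
    return True, "ok"


# Constructed sample requests: one well-formed, then shapes typical of
# automated abuse (extra privilege field, type confusion, array instead of
# object, missing credential).
SAMPLE_REQUESTS = [
    '{"username": "alice", "password": "hunter2"}',
    '{"username": "alice", "password": "hunter2", "is_admin": true}',
    '{"username": ["alice"], "password": "hunter2"}',
    '["alice", "hunter2"]',
    '{"username": "alice"}',
]


def check_all(requests=SAMPLE_REQUESTS):
    """Decision per sample request, in order."""
    return [validate(LOGIN_SCHEMA, r)[0] for r in requests]


if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        ok, reason = validate(LOGIN_SCHEMA, r)
        print("ALLOW" if ok else "DENY ", reason, "<-", r)
```

The point of the deny-all order of checks is that a request never reaches the application unless it matches the declared shape exactly; a field the developers did not anticipate is a rejection, not a pass-through.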
Tomi Engdahl says:
Russia’s Fancy Bear Hackers Likely Penetrated a US Federal Agency
https://www.wired.com/story/russias-fancy-bear-hack-us-federal-agency/
New clues indicate that APT28 may be behind a mysterious intrusion
that US officials disclosed last week.
Tomi Engdahl says:
OAuth Consent Phishing Ramps Up with Microsoft Office 365 Attacks
https://threatpost.com/oauth-phishing-microsoft-o365-attacks/159713/
An APT known as TA2552 has been spotted using OAuth2 or other
token-based authorization methods to access Office 365 accounts, in
order to steal users’ contacts and mail.
Tomi Engdahl says:
How a Chinese malware gang defrauded Facebook users of $4 million
https://www.zdnet.com/article/how-a-chinese-malware-gang-defrauded-facebook-users-of-4-million/
SilentFade group utilized a Windows rootkit, browser injections,
clever scripting, and a Facebook platform bug to buy and post ads on
behalf of hacked users.
Tomi Engdahl says:
IPStorm botnet expands from Windows to Android, Mac, and Linux
https://www.zdnet.com/article/ipstorm-botnet-expands-from-windows-to-android-mac-and-linux/
IPStorm, a malware botnet that was first spotted last year targeting
Windows systems, has evolved to infect other types of platforms, such
as Android, Linux, and Mac devices. Furthermore, the botnet has also
quadrupled in size, growing from around 3,000 infected systems in May
2019 to more than 13,500 devices this month
Tomi Engdahl says:
NVIDIA fixes high severity flaws in Windows display driver
https://www.bleepingcomputer.com/news/security/nvidia-fixes-high-severity-flaws-in-windows-display-driver/
NVIDIA has released security updates to address high severity
vulnerabilities in the Windows GPU display driver that could lead to
code execution, escalation of privileges, information disclosure, and
denial of service.
Tomi Engdahl says:
With API attacks rising, Cloudflare launches a free API security tool
https://www.zdnet.com/article/with-api-attacks-rising-cloudflare-launches-a-free-api-security-tool/
Cloudflare launches API Shield, a new service to protect web APIs
against attacks.
Tomi Engdahl says:
Critical Flaws Discovered in Popular Industrial Remote Access Systems
https://thehackernews.com/2020/10/industrial-remote-access.html
Cybersecurity researchers have found critical security flaws in two
popular industrial remote access systems that can be exploited to ban
access to industrial production floors, hack into company networks,
tamper with data, and even steal sensitive business secrets.
Tomi Engdahl says:
Cybercriminals Stole $15 Million From 150 Companies in BEC Attacks
https://www.securityweek.com/cybercriminals-stole-15-million-150-companies-bec-attacks
Tomi Engdahl says:
Owners of BitMEX, a Leading Bitcoin Exchange, Face Criminal Charges
BitMEX made itself a haven for hackers and illegal transactions, American prosecutors said.
https://www.nytimes.com/2020/10/01/technology/bitmex-bitcoin-criminal-charges.html
Tomi Engdahl says:
ESET discovers a rare APT that stayed undetected for nine years
Active since 2011 but only discovered this year, the XDSpy hacker group targeted government and private companies in Belarus, Moldova, Russia, Serbia, and Ukraine.
https://www.zdnet.com/google-amp/article/eset-discovers-a-rare-apt-that-stayed-undetected-for-nine-years/
Tomi Engdahl says:
Bowser arrested and charged for selling Nintendo Switch hacks
Members of piracy group Team Xecuter were charged with 11 felony counts
https://www.theverge.com/2020/10/2/21499297/team-xecuter-selling-nintendo-hacks-arrested-charged-fraud
Team Xecuter is a sophisticated operation known best for its Nintendo hacks, including a USB device called the SX Pro that allows the Nintendo Switch to run pirated games. The group’s for-profit motive has made it controversial in the modding and emulation communities, reports Ars Technica, because those communities tend to focus on open-source efforts and shy away from selling products that could draw the attention of both console makers and federal authorities. Team Xecuter also makes hacking tools for the Nintendo 3DS and the NES Classic, among other devices.
With new Switch-hacking tech looming, Nintendo targets retailers
Team-Xecuter hackers plan solderable device that even works on “updated” hardware.
https://arstechnica.com/gaming/2020/05/nintendo-goes-to-court-to-stop-sale-of-new-switch-hacking-tech/
Tomi Engdahl says:
It’s been a rough week for Microsoft users who have first- and third-party apps that rely on Azure Active Directory for authentication. Microsoft has published a root-cause analysis of its issues.
Microsoft’s Azure AD authentication outage: What went wrong
https://www.zdnet.com/article/microsofts-azure-ad-authentication-outage-what-went-wrong/?ftag=COS-05-10aaa0h&utm_campaign=trueAnthem%3A+Trending+Content&utm_medium=trueAnthem&utm_source=facebook
Tomi Engdahl says:
How One Guy Ruined #Hacktoberfest2020 #Drama
https://joel.net/how-one-guy-ruined-hacktoberfest2020-drama
Hacktoberfest is an annual event that occurs every October. It is held by Digital Ocean and encourages developers to submit Pull Requests to Open Source repositories and as a reward you get a T-Shirt.
This flood of low quality PR spam appears to come from a YouTuber with an audience of 672K where he demonstrates how easy it is to make a Pull Request to a repo.
Where he went wrong was demonstrating a low quality PR, thus setting the bar low for his viewers who went on to copy exactly what he did.
Tomi Engdahl says:
NodeJS malware caught exfiltrating IPs, username, and device information on GitHub
https://securityreport.com/nodejs-malware-caught-exfiltrating-ips-username-and-device-information-on-github/
Multiple NodeJS packages laden with malicious code have been spotted on npm registry.
These “typosquatting” packages served no purpose other than collecting data from the user’s device and broadcasting it on public GitHub pages.
Tomi Engdahl says:
New malware found targeting IoT devices, Android TV globally
https://www.hackread.com/malware-targets-iot-devices-android-tv/
Tomi Engdahl says:
Egregor Ransomware Threatens ‘Mass-Media’ Release of Corporate Data
https://threatpost.com/egregor-ransomware-mass-media-corporate-data/159816/
The newly discovered ransomware is hitting companies worldwide, including the GEFCO global logistics company.
A freshly discovered family of ransomware called Egregor has been spotted in the wild, using a tactic of siphoning off corporate information and threatening a “mass-media” release of it before encrypting all files.
Tomi Engdahl says:
more healthcare ransomware attacks
Clinical Trials Hit by Ransomware Attack on Health Tech Firm
https://www.nytimes.com/2020/10/03/technology/clinical-trials-ransomware-attack-drugmakers.html
Tomi Engdahl says:
Emotet malware takes part in the 2020 U.S. elections
https://www.bleepingcomputer.com/news/security/emotet-malware-takes-part-in-the-2020-us-elections/
Emotet is now taking part in the United States 2020 Presidential
election with a new spam campaign pretending to be from the Democratic
National Convention’s Team Blue initiative.
Tomi Engdahl says:
HP Device Manager backdoor lets attackers take over Windows systems
https://www.bleepingcomputer.com/news/security/hp-device-manager-backdoor-lets-attackers-take-over-windows-systems/
HP released a security advisory detailing three critical and high
severity vulnerabilities in the HP Device Manager that could lead to
system takeover.
Tomi Engdahl says:
Attacks Aimed at Disrupting the Trickbot Botnet
https://krebsonsecurity.com/2020/10/attacks-aimed-at-disrupting-the-trickbot-botnet
Over the past 10 days, someone has been launching a series of
coordinated attacks designed to disrupt Trickbot
Tomi Engdahl says:
Egregor Ransomware Threatens ‘Mass-Media’ Release of Corporate Data
https://threatpost.com/egregor-ransomware-mass-media-corporate-data/159816/
A freshly discovered family of ransomware called Egregor has been
spotted in the wild, using a tactic of siphoning off corporate
information and threatening a “mass-media” release of it before
encrypting all files.
Tomi Engdahl says:
Grindr fixed a bug allowing full takeover of any user account
https://www.bleepingcomputer.com/news/security/grindr-fixed-a-bug-allowing-full-takeover-of-any-user-account/
Grindr has fixed a security flaw that could have allowed attackers to
easily hijack any Grindr account if they knew the user’s email
address.
Tomi Engdahl says:
Ttint is a new form of IoT botnet that also includes remote access
tool (RAT)-like features, rarely seen in these types of botnets
before
https://www.zdnet.com/article/new-ttint-iot-botnet-caught-exploiting-two-zero-days-in-tenda-routers
For almost a year, a threat actor has been using zero-day
vulnerabilities to install malware on Tenda routers and build a
so-called IoT (Internet of Things) botnet.
Tomi Engdahl says:
Google offers up $50k in cloud credits to fuzz the hell out of
JavaScript engines
https://www.theregister.com/2020/10/02/google_javascript_fuzzing_funds/
Google is offering bug hunters thousands of dollars worth of compute
time on its cloud to hammer away at JavaScript engines and uncover new
security flaws in the software.
Tomi Engdahl says:
Palmerworm: Espionage Gang Targets the Media, Finance, and Other
Sectors
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/palmerworm-blacktech-espionage-apt
The Threat Hunter Team at Symantec, a division of Broadcom (NASDAQ:
AVGO), has uncovered a new espionage campaign carried out by the
Palmerworm group (aka BlackTech) involving a brand new suite of custom
malware, targeting organizations in Japan, Taiwan, the U.S., and
China.
Tomi Engdahl says:
Two Members of Notorious Videogame Piracy Group “Team Xecuter” in
Custody
https://www.justice.gov/opa/pr/two-members-notorious-videogame-piracy-group-team-xecuter-custody
Two leaders of one of the world’s most notorious videogame piracy
groups, Team Xecuter, have been arrested and are in custody facing
charges filed in U.S. District Court in Seattle.
Tomi Engdahl says:
Wacky Indoor Amazon Drone Takes on Privacy Skeptics
https://www.securityweek.com/wacky-indoor-amazon-drone-takes-privacy-skeptics
Tomi Engdahl says:
Hacked Hospital Chain Says All 250 US Facilities Affected
https://www.securityweek.com/hacked-hospital-chain-says-all-250-us-facilities-affected
The hospital chain Universal Health Services said Thursday that computer services at all 250 of its U.S. facilities were hobbled in last weekend’s malware attack and efforts to restore hospital networks were continuing.
Doctors and nurses at affected hospitals and clinics, many already burdened with coronavirus care, have had to rely on manual record-keeping, with lab work slowed. Employees have described chaotic conditions impeding patient care.
The chain has not commented on reports it was hit by ransomware, though its description of the attack in a statement Thursday was consistent with a malware variety that encrypts data into gibberish that can only be restored with software keys after ransoms are paid.
King of Prussia, Pennsylvania-based UHS said its “systems were quickly disconnected and the network was shut down in order to prevent further propagation.”
The company, with 90,000 employees, said electronic medical records systems were not impacted by the attack and it was making steady progress restoring and reconnecting systems.
UHS Shuts Down Systems in U.S. Hospitals Following Cyberattack
https://www.securityweek.com/uhs-shuts-down-systems-us-hospitals-following-cyberattack
Universal Health Services (UHS) over the weekend shut down the IT networks at multiple hospitals in the United States, after being hit with a cyberattack.
A Fortune 500 company operating more than 400 facilities in the United States, Puerto Rico, and the United Kingdom, the healthcare services provider has approximately 90,000 employees and claimed an annual revenue of $11.4 billion for 2019.
Tomi Engdahl says:
Industry Reactions to New Pastebin Security Features: Feedback Friday
https://www.securityweek.com/industry-reactions-new-pastebin-security-features-feedback-friday
Pastebin recently announced two new security features, but some industry professionals have warned that they will likely be abused for malicious purposes.
The new features are Burn After Read, which allows users to create pastes that are deleted after they are read once, and Password Protected Pastes, which allow users to create pastes that can only be accessed by users who have the associated password.
Tomi Engdahl says:
https://semiengineering.com/week-in-review-auto-security-pervasive-computing-35/
Synopsys’ Cybersecurity Research Center disclosed that its research resulted in three Common Vulnerability and Exposures (CVE) advisories on wireless router chipsets that have partial authentication bypass vulnerabilities. The vulnerability lets an attacker send an unencrypted data frame through a WPA2-protected WLAN, which may respond with an encrypted data frame from which the attacker can mine or change the data. CVE-2019-18989 warns that the issue was found in Mediatek’s MT7620N chipset; CVE-2019-18990 shows it in Realtek RTL8812AR 1.21WW, RTL8196D 1.0.0, RTL8192ER 2.10, and RTL8881AN 1.09 devices; and CVE-2019-18991 shows it in Qualcomm’s Atheros AR9132 3.60 (AMX.8), AR9283 1.85, and AR9285 1.0.0.12NA devices. Synopsys says in a press release that Mediatek and Realtek are offering patches upon request and Qualcomm said the chipsets have been discontinued and current chipsets are unaffected by the vulnerability.
CyRC Vulnerability Advisory: Authentication bypass vulnerabilities in multiple wireless router chipsets (CVE-2019-18989, CVE-2019-18990, and CVE-2019-18991)
https://www.synopsys.com/blogs/software-security/cyrc-advisory-sept2020/
Tomi Engdahl says:
Microsoft Exchange 2010 support ends in a matter of days and there are 139,000 internet-facing servers still up
Research finds orgs taking big chances with unpatched email relays
https://www.theregister.com/2020/10/02/exchange2010_servers_exposed/
Security company Rapid7 reports that there are more than 139,000 Microsoft Exchange 2010 servers with internet-facing services (Outlook Web Access or OWA) despite the application going out of support this month.
Exchange 2010 was initially due to go end-of-life in January this year, but Microsoft extended support to 13 October. After this date the application will continue to run but “Microsoft will no longer provide technical support … including bug fixes, security fixes, and time zone updates.” It will have been supported for nearly 11 years, having been released on 9 November 2009.
Tomi Engdahl says:
Nicole Perlroth / New York Times:
Ransomware attacks on ERT, IQVIA, and others involved in hundreds of clinical trials and work on a COVID-19 vaccine have slowed some trials, according to clients
Clinical Trials Hit by Ransomware Attack on Health Tech Firm
https://www.nytimes.com/2020/10/03/technology/clinical-trials-ransomware-attack-drugmakers.html
No patients were affected, but the incident was another reminder of the risks in the increasingly common assaults on computer networks.
Tomi Engdahl says:
Custom-made UEFI bootkit found lurking in the wild
Attackers are going to great lengths to gain the highest level of persistence.
https://arstechnica.com/information-technology/2020/10/custom-made-uefi-bootkit-found-lurking-in-the-wild/
For only the second time in the annals of cybersecurity, researchers have found real-world malware lurking in the UEFI, the low-level and highly opaque firmware required to boot up nearly every modern computer.
As software that bridges a PC’s device firmware with its operating system, the UEFI—short for Unified Extensible Firmware Interface—is an operating system in its own right. It’s located in a SPI-connected flash storage chip soldered onto the computer motherboard, making it difficult to inspect or patch the code. And it’s the first thing to be run when a computer is turned on, allowing it to influence or even control the OS, security apps, and all other software that follows.
Those characteristics make the UEFI the perfect place to stash malware, and that’s just what an unknown attack group has done, according to new research presented on Monday by security firm Kaspersky Lab.
Tomi Engdahl says:
https://www.ic3.gov/media/2020/201002.aspx
The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are issuing this announcement to help the public recognize and avoid spoofed election-related internet domains and email accounts during the 2020 election year.
Spoofed domains and email accounts are leveraged by foreign actors and cybercriminals and can be easily mistaken for legitimate websites or emails. Adversaries can use spoofed domains and email accounts to disseminate false information; gather valid usernames, passwords, and email addresses; collect personally identifiable information; and spread malware, leading to further compromises and potential financial losses.
Cyber actors set up spoofed domains with slightly altered characteristics of legitimate domains. A
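The "slightly altered characteristics" the announcement refers to can be checked mechanically against a list of the domains an organization actually owns. The following is an added example, not from the FBI/CISA announcement: the legitimate-domain list, the confusable-character table and the candidate domains are constructed placeholders, and the registered-domain helper is deliberately crude (last two labels) where a production tool would use the public suffix list. It goes a little beyond the announcement's single sentence by covering three alteration patterns rather than one: confusable characters, small edit distance, and a legitimate name reused as a label inside an unrelated domain.

```python
"""Flag domains that look like slightly altered copies of legitimate ones.

Added example, not part of the FBI/CISA announcement. Intended for running
over DNS logs, mail headers or newly registered domain feeds on the
defender's side; every name below is a constructed placeholder.
"""

# Constructed allowlist of an organization's legitimate domains.
LEGIT_DOMAINS = ["countyelections.gov", "vote.example.gov"]

# Characters and digraphs commonly swapped for look-alikes.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

# Edit-distance threshold; 2 is generous and will be noisy for very short names.
MAX_DISTANCE = 2


def normalize(domain: str) -> str:
    """Lower-case, drop trailing dot, map confusables to their plain form."""
    d = domain.lower().rstrip(".")
    for src, dst in CONFUSABLES.items():
        d = d.replace(src, dst)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance with a single-row dynamic programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_part(domain: str) -> str:
    """Crude registered-domain extraction (last two labels); a real deployment
    would use the public suffix list instead."""
    return ".".join(domain.split(".")[-2:])


def classify(domain: str, legit=LEGIT_DOMAINS):
    """Return ('legitimate' | 'lookalike' | 'unrelated', reason)."""
    d = domain.lower().rstrip(".")
    nd = normalize(d)
    for legit_name in legit:
        # Exact match or a genuine subdomain of a legitimate name.
        if d == legit_name or d.endswith("." + legit_name):
            return "legitimate", f"matches {legit_name}"
        nl = normalize(legit_name)
        if nd == nl:
            return "lookalike", f"confusable characters for {legit_name}"
        if edit_distance(nd, nl) <= MAX_DISTANCE:
            return "lookalike", f"within edit distance {MAX_DISTANCE} of {legit_name}"
        # Legitimate name embedded as labels inside a different registered domain.
        if legit_name in d and registered_part(d) != registered_part(legit_name):
            return "lookalike", f"{legit_name} embedded in unrelated domain"
    return "unrelated", "no match"


if __name__ == "__main__":
    # Constructed candidates: observed names a defender might pull from logs.
    for cand in ["countyelections.gov", "www.countyelections.gov", "c0untyelections.gov",
                 "countyelection.gov", "countyelections.gov.secure-login.example",
                 "vote.exarnple.gov", "weather.example.org"]:
        print(f"{cand:45} {classify(cand)}")
```

A hit from any of the three checks is a candidate for blocking at the mail gateway or resolver and for a takedown request, not proof of malice on its own; the edit-distance threshold in particular should be tuned against the length of the names being protected.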
Tomi Engdahl says:
Tenda Router Zero-Days Emerge in Spyware Botnet Campaign
https://threatpost.com/tenda-router-zero-days-spyware-botnet/159834/
A variant of the Mirai botnet, called Ttint, has added espionage
capabilities to complement its denial-of-service functions.
Tomi Engdahl says:
Four npm packages found uploading user details on a GitHub page
https://www.zdnet.com/article/four-npm-packages-found-uploading-user-details-on-a-github-page/
Four JavaScript npm packages contained malicious code that collected
user details and uploaded the information to a public GitHub page.
Tomi Engdahl says:
Slack outage causes lag, message errors, blank screens worldwide
https://www.bleepingcomputer.com/news/technology/slack-outage-causes-lag-message-errors-blank-screens-worldwide/
Slack is experiencing a worldwide outage causing problems sending
messages, editing messages, lag in chats, and channels displaying a
blank screen. In addition:
https://status.slack.com/2020-10/e8c094cc99aabf64
Tomi Engdahl says:
New ransomware vaccine kills programs wiping Windows shadow volumes
https://www.bleepingcomputer.com/news/security/new-ransomware-vaccine-kills-programs-wiping-windows-shadow-volumes/
A new ransomware vaccine program has been created that terminates
processes that try to delete volume shadow copies using Microsoft’s
vssadmin.exe program
Tomi Engdahl says:
New Flaws in Top Antivirus Software Could Make Computers More
Vulnerable
https://thehackernews.com/2020/10/antivirus-software-vulnerabilities.html
Cybersecurity researchers today disclosed details of security
vulnerabilities found in popular antivirus solutions that could enable
attackers to elevate their privileges, thereby helping malware sustain
its foothold on the compromised systems.
According to a report published by CyberArk Labs today and shared with The Hacker News, the high privileges often associated with anti-malware products render them more vulnerable to exploitation via file manipulation attacks, resulting in a scenario where malware gains elevated permissions on the system.
The bugs impact a wide range of antivirus solutions, including those from Kaspersky, McAfee, Symantec, Fortinet, Check Point, Trend Micro, Avira, and Microsoft Defender, each of which has been fixed by the respective vendor.
Tomi Engdahl says:
UN Maritime Agency Hit by ‘Sophisticated Cyberattack’
https://www.securityweek.com/un-maritime-agency-hit-sophisticated-cyberattack
The United Nations’ International Maritime Organization (IMO) last week said some of its systems were disrupted as a result of a cyberattack.
IMO describes itself as the “global standard-setting authority for the safety, security and environmental performance of international shipping.” The organization says its main role is to develop a fair and effective regulatory framework that is universally adopted and implemented.
“IMO has ISO/IEC 27001:2013 certification for its information security management system. IMO was the first UN organization to get this certification in 2015,” IMO stated. “The IMO Headquarters file servers are located in the UK, with extensive backup systems in Geneva. The backup and restore system is regularly tested.”
IMO web services – update 02/10/2020: Access to the http://www.imo.org website restored
https://imo-newsroom.prgloo.com/news/imo-web-services-update-02102020
Tomi Engdahl says:
Ttint Botnet Targets Zero-Day Vulnerabilities in Tenda Routers
https://www.securityweek.com/ttint-botnet-targets-zero-day-vulnerabilities-tenda-routers
A new Mirai-based botnet is targeting zero-day vulnerabilities in Tenda routers, according to researchers at 360 Netlab, a unit of Chinese cybersecurity company Qihoo 360.
Dubbed Ttint, the Remote Access Trojan (RAT) contains distributed denial of service capabilities, just as any Mirai offspring does, but also implements 12 remote access functions, including a Socket5 proxy, modifying router DNS and iptables, and running system commands.
In order to circumvent detection of typical traffic generated by Mirai botnets, Ttint uses the WSS (WebSocket over TLS) protocol for communication with the command and control (C&C) server, and also uses encryption.
Tomi Engdahl says:
Ransomware Vaccine Intercepts Requests to Erase Shadow Copies
https://www.securityweek.com/ransomware-vaccine-intercepts-requests-erase-shadow-copies
A newly released “vaccine” can prevent certain ransomware families from erasing shadow copies to prevent data recovery.
Dubbed “Raccine” and released by security researchers Florian Roth and Ollie Whitehouse, the vaccine targets ransomware families that leverage vssadmin.exe to delete all shadow copies on a compromised machine.
A legitimate utility in Windows, vssadmin.exe provides users with the ability to administer shadow copies, but is often abused for malicious purposes. Raccine was designed to intercept the request to erase shadow copies, and also to kill the process that made the request.
The vaccine works by applying a registry patch to intercept vssadmin.exe invocations.
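Raccine blocks the call at execution time; the complementary control on the monitoring side is to recognise the same shadow-copy deletion commands in process-creation telemetry, so that an attempt is alerted on even where no vaccine is installed. The script below is an added example, not Raccine's code or anything from the article: the JSON Lines log format, the host and user names and the sample events are constructed, and the rule set covers the vssadmin.exe usage the article describes plus the wmic and shadow-storage-resize variations that a naive "vssadmin delete" string match would miss.

```python
"""Detect shadow-copy deletion attempts in process-creation log records.

Added example, not part of Raccine. Scans constructed JSON Lines events
(one process-creation record per line) and reports which detection rule
fired, with what severity and for which user. Format and data are
constructed for illustration, not a real product's schema.
"""
import json
import re

# Constructed sample events. The third wraps the command in cmd.exe with
# mixed case and padded whitespace; the last two are benign.
SAMPLE_LOG = r'''
{"ts": "2020-10-05T09:12:01Z", "host": "WS01", "user": "CORP\\alice", "cmdline": "vssadmin.exe delete shadows /all /quiet"}
{"ts": "2020-10-05T09:12:02Z", "host": "WS01", "user": "CORP\\alice", "cmdline": "wmic shadowcopy delete"}
{"ts": "2020-10-05T09:12:03Z", "host": "WS01", "user": "CORP\\alice", "cmdline": "cmd.exe /c \"VSSADMIN.EXE  Delete   Shadows /All /Quiet\""}
{"ts": "2020-10-05T09:12:04Z", "host": "WS01", "user": "CORP\\alice", "cmdline": "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB"}
{"ts": "2020-10-05T09:13:00Z", "host": "WS02", "user": "CORP\\backup", "cmdline": "vssadmin list shadows"}
{"ts": "2020-10-05T09:14:00Z", "host": "WS02", "user": "CORP\\bob", "cmdline": "notepad.exe notes.txt"}
'''

# (rule name, pattern over the normalised command line, severity).
# Patterns allow an optional .exe suffix and any run of whitespace.
RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b"), "high"),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b"), "high"),
    # Shrinking shadow storage evicts existing copies without a 'delete' verb.
    ("vssadmin_resize_shadowstorage",
     re.compile(r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage\b"), "medium"),
]


def normalize_cmdline(cmdline: str) -> str:
    """Lower-case and collapse whitespace so case and padding do not evade the rules."""
    return re.sub(r"\s+", " ", cmdline).strip().lower()


def parse_events(log_text: str):
    """Parse JSON Lines; malformed records are skipped rather than aborting the scan."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except ValueError:
            continue
    return events


def scan(log_text: str):
    """One finding per matching event: rule, severity, timestamp, host and user."""
    findings = []
    for ev in parse_events(log_text):
        cmd = normalize_cmdline(ev.get("cmdline", ""))
        for name, pattern, severity in RULES:
            if pattern.search(cmd):
                findings.append({"ts": ev.get("ts"), "host": ev.get("host"),
                                 "user": ev.get("user"), "rule": name,
                                 "severity": severity})
                break  # first matching rule is enough for one event
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['ts']} {f['host']} {f['user']}: {f['rule']}")
```

Run over real telemetry, the "vssadmin list shadows" line shows why the rules key on the verb rather than on the binary: backup and administration staff use vssadmin legitimately, and alerting on every invocation would bury the deletion attempts that matter.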
Tomi Engdahl says:
China-Linked Hackers Used UEFI Malware in North Korea-Themed Attacks
https://www.securityweek.com/china-linked-hackers-used-uefi-malware-north-korea-themed-attacks
A threat actor linked to China has used UEFI malware based on code from Hacking Team in attacks aimed at organizations with an interest in North Korea, Kaspersky reported on Monday.
https://www.securityweek.com/hacking-team-preparing-launch-new-surveillance-solution
Tomi Engdahl says:
Visa Warns of Attack Involving Mix of POS Malware
https://www.securityweek.com/visa-warns-attack-involving-mix-pos-malware
A North American merchant’s point-of-sale (POS) terminals were infected with a mix of POS malware earlier this year, Visa reports.
In May and June 2020, the company analyzed malware variants used in independent attacks on two North American merchants, one of which employed a TinyPOS variant, while the other involved a mix of malware families such as MMon (aka Kaptoxa), PwnPOS, and RtPOS.
Tomi Engdahl says:
Rockwell Automation Acquires Industrial Cybersecurity Firm Oylo
https://www.securityweek.com/rockwell-automation-acquires-industrial-cybersecurity-firm-oylo