This posting is here to collect cyber security news in March 2021.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
342 Comments
Tomi Engdahl says:
FBI: Phishing emails are spreading this sophisticated malware
https://www.zdnet.com/article/fbi-phishing-emails-are-spreading-this-sophisticated-malware/
Alert by the FBI and CISA warns that Trickbot – one of the most common
and most powerful forms of malware around – is using a new trick in an
effort to infect even more victims.
Tomi Engdahl says:
Cathy Reisenwitz / OneZero :
By eroding Section 230, Democratic senators’ SAFE TECH Act risks silencing marginalized communities and will make the internet less safe for sex workers
The SAFE TECH Act Will Make the Internet Less Safe for Sex Workers
https://onezero.medium.com/the-safe-tech-act-will-make-the-internet-less-safe-for-sex-workers-e6790eec874f
Lawmakers should listen to the communities most affected before rushing to change Section 230 again
Tomi Engdahl says:
The F5 exploit makes entertaining reading.
https://mobile.twitter.com/h4x0r_dz/status/1373365080876810246
Tomi Engdahl says:
Hackers are exploiting a server vulnerability with a severity of 9.8 out of 10
As if the mass-exploitation of Exchange servers wasn’t enough, now there’s BIG-IP.
https://arstechnica.com/gadgets/2021/03/to-security-pros-dread-another-critical-server-vulnerability-is-under-exploit/
Tomi Engdahl says:
Hobby Lobby Exposes Customer Data in Cloud Misconfiguration
https://threatpost.com/hobby-lobby-customer-data-cloud-misconfiguration/164980/?utm_source=dlvr.it&utm_medium=linkedin
The arts-and-crafts retailer left 138GB of sensitive information open to the public internet.
Arts-and-crafts retailer Hobby Lobby has suffered a cloud-bucket misconfiguration, exposing a raft of customer information, according to a report.
An independent security researcher who goes by the handle “Boogeyman” uncovered the issue and reported it to Motherboard in an online chat, according to a Vice writeup.
Cloud Misconfigurations: A Cyberthreat Attack Vector
Cloud misconfigurations are a common threat vector for organizations of all sizes.
Hobby Lobby Exposed 138GB of Data
https://www.vice.com/en/article/v7m9ey/hobby-lobby-data-breach
The cache included customer names, phone numbers, addresses, and the last four digits of their payment card.
Tomi Engdahl says:
Alert: Further targeted ransomware attacks on the UK education sector
by cyber criminals
https://www.ncsc.gov.uk/news/alert-targeted-ransomware-attacks-on-uk-education-sector
The NCSC is responding to further targeted ransomware attacks on the
education sector by cyber criminals.
Tomi Engdahl says:
ENCE star Aleksi Jalli's game account was hacked, the game company rushed
to the rescue: with these tips you protect yourself from scammers
https://www.is.fi/digitoday/esports/art-2000007876835.html
The personal Steam account of ENCE Counter-Strike player Aleksi “allu”
Jalli was hacked on Monday. The player reported it on Twitter.
Tomi Engdahl says:
Sputnik found on the dark web: an expert gives important advice to
those already vaccinated
https://www.is.fi/digitoday/tietoturva/art-2000007876273.html
A photo of a vaccination certificate should not be shared on social
media, as it may end up being used by criminals.
Tomi Engdahl says:
We changed the red Exchange warning to yellow
https://www.kyberturvallisuuskeskus.fi/fi/ajankohtaista/Varoitus_TTN_0221
On 3 March 2021 we issued a red warning about vulnerable Exchange
servers. The acute phase is over, but organizations that use or have
used Exchange must carry out a security investigation.
Tomi Engdahl says:
Google has disclosed that a now-patched vulnerability affecting
Android devices that use Qualcomm chipsets is being weaponized by
adversaries to launch targeted attacks
https://thehackernews.com/2021/03/warning-new-android-zero-day.html
Tracked as CVE-2020-11261 (CVSS score 8.4), the flaw concerns an
“improper input validation” issue in Qualcomm’s Graphics component
that could be exploited to trigger memory corruption when an
attacker-engineered app requests access to a huge chunk of the
device’s memory. Also:
https://www.qualcomm.com/company/product-security/bulletins/january-2021-bulletin.
Also: https://source.android.com/security/bulletin/2021-01-01
Tomi Engdahl says:
1-15 March 2021 Cyber Attack Timeline
https://www.hackmageddon.com/2021/03/23/1-15-march-2021-cyber-attack-timeline/
Here’s the first cyber attacks timeline of March, covering the main
events that occurred in the first half of this month. What an unbelievable
period from an infosecurity standpoint! I have collected a staggering
150 events, and the reason is that there are some factors that are
undoubtedly characterizing the period and will probably leave some
consequences throughout the entire 2021.
Tomi Engdahl says:
CISA Warns of Security Flaws in GE Power Management Devices
https://threatpost.com/cisa-security-flaws-ge-power-management/164961/
The flaws could allow an attacker to access sensitive information,
reboot the UR, gain privileged access, or cause a denial-of-service
condition. Also:
https://us-cert.cisa.gov/ics/advisories/icsa-21-075-02
Tomi Engdahl says:
Microsoft warns of phishing attacks bypassing email gateways
https://www.bleepingcomputer.com/news/security/microsoft-warns-of-phishing-attacks-bypassing-email-gateways/
An ongoing phishing operation that stole an estimated 400,000 OWA and
Office 365 credentials since December has now expanded to abuse new
legitimate services to bypass secure email gateways (SEGs). The
attacks are part of multiple phishing campaigns collectively dubbed
the “Compact” Campaign, active since early 2020, first detected by the
WMC Global Threat Intelligence Team. Also:
https://twitter.com/MsftSecIntel/status/1374148166912647168
Tomi Engdahl says:
Ransomware attack shuts down Sierra Wireless IoT maker
https://www.zdnet.com/article/three-billion-phishing-emails-are-sent-every-day-but-one-change-could-make-life-much-harder-for-scammers/#ftag=RSSbaffb68
Sierra Wireless, a world-leading IoT (Internet of Things) solutions
provider, today disclosed a ransomware attack that forced it to halt
production at all manufacturing sites. The ransomware attack hit
Sierra Wireless’ internal network over the weekend, on March 20. The
company says that the attack did not impact any customer-facing
services or products. Following the attack, the company also had to
shut down manufacturing plants worldwide, and it expects to resume
production and operations soon.
Tomi Engdahl says:
Microsoft: 92% of Exchange servers safe from ProxyLogon attacks
https://www.bleepingcomputer.com/news/security/microsoft-92-percent-of-exchange-servers-safe-from-proxylogon-attacks/
Roughly 92% of all Internet-connected on-premises Microsoft Exchange
servers affected by the ProxyLogon vulnerabilities are now patched and
safe from attacks, Microsoft said on Monday.
Tomi Engdahl says:
Purple Fox Malware Squirms Like a Worm on Windows
https://www.securityweek.com/purple-fox-malware-squirms-worm-windows
Malware hunters at Guardicore are warning that an aggressive botnet operator has turned to SMB password brute-forcing to infect and spread like a worm across the Microsoft Windows ecosystem.
The malware campaign, dubbed Purple Fox, has been active since at least 2018 and the discovery of the new worm-like infection vector is yet another sign that consumer-grade malware continues to reap profits for cybercriminals.
According to Guardicore researcher Amit Serper, the Purple Fox operators primarily used exploit kits and phishing emails to build botnets for crypto-mining and other nefarious uses.
Now, the new SMB brute-force method is being combined with rootkit capabilities to hide and spread widely across internet-facing Windows computers with weak passwords.
“Throughout the end of 2020 and the beginning of 2021, Guardicore Global Sensors Network (GGSN) detected Purple Fox’s novel spreading technique via indiscriminate port scanning and exploitation of exposed SMB services with weak passwords and hashes,” Serper explained.
Tomi Engdahl says:
Sierra Wireless Says Ransomware Disrupted Production at Manufacturing Facilities
https://www.securityweek.com/sierra-wireless-says-ransomware-disrupted-production-manufacturing-facilities
Tomi Engdahl says:
Recently Patched Android Vulnerability Exploited in Attacks
https://www.securityweek.com/recently-patched-android-vulnerability-exploited-attacks
Google has warned Android users that a recently patched vulnerability has been exploited in attacks.
The vulnerability in question, tracked as CVE-2020-11261, was patched by Google with the Android security updates released in January 2021.
The vulnerability is a high-severity improper input validation issue affecting a display/graphics component from Qualcomm. The flaw was reported to Qualcomm through Google in July 2020 and it affects a long list of chipsets.
In Qualcomm’s advisory, CVE-2020-11261 is described as a “memory corruption due to improper check to return error when user application requests memory allocation of a huge size.”
Tomi Engdahl says:
Resentful employee deletes 1,200 Microsoft Office 365 accounts, gets prison
https://www.bleepingcomputer.com/news/security/resentful-employee-deletes-1-200-microsoft-office-365-accounts-gets-prison/
A former IT consultant hacked a company in Carlsbad, California, and deleted almost all its Microsoft Office 365 accounts in an act of revenge that has brought him two years of prison time.
More than 1,200 user accounts were removed in this act of sabotage, causing a complete shutdown of the company’s operations for two days.
Two-day downtime, months of recovery
Tomi Engdahl says:
Online trading broker FBS exposes 20TB of data with 16 billion records
https://www.hackread.com/online-trading-broker-fbs-exposes-data/
The leaked data also included unredacted credit cards and passports of millions of users around the world.
Tomi Engdahl says:
A wave of data breaches is shaking Finland: dozens of reports to the authority, and more are coming
https://www.is.fi/digitoday/tietoturva/art-2000007879325.html
Tomi Engdahl says:
A personal data breach resulting from the Microsoft Exchange server
vulnerability must be reported to the data subjects and to the Office
of the Data Protection Ombudsman
https://tietosuoja.fi/-/microsoftin-exchange-palvelimen-haavoittuvuudesta-johtuvasta-henkilotietojen-tietoturvaloukkauksesta-tulee-ilmoittaa-rekisteroidyille-ja-tietosuojavaltuutetun-toimistolle
The Office of the Data Protection Ombudsman reminds that the controller
must notify the persons affected by a personal data breach, as well as
the supervisory authority, when the breach is likely to result in a
high risk to the data subjects. The National Cyber Security Centre
warned of a critical vulnerability in the Exchange mail server at the
beginning of March.
Tomi Engdahl says:
This is how the malware spread in Posti's name slithers into your phone;
your phone bill may sting afterwards
https://www.kauppalehti.fi/uutiset/nain-postin-nimissa-levitettava-haittaohjelma-luikertelee-puhelimeesi-puhelinlasku-voi-sen-jalkeen-yskittaa/e854786f-09b7-438c-b431-5d4b1160ea89
Installing the malware on a smartphone requires considerable naivety
from the victim. Read:
https://pjarvinen.blogspot.com/2021/03/nain-haittaohjelma-tulee-alypuhelimeen.html?m=1&s=09
Tomi Engdahl says:
Purple Fox malware worms its way into exposed Windows systems
https://www.bleepingcomputer.com/news/security/purple-fox-malware-worms-its-way-into-exposed-windows-systems/
Purple Fox, a malware previously distributed via exploit kits and
phishing emails, has now added a worm module that allows it to scan
for and infect Windows systems reachable over the Internet in ongoing
attacks.
Tomi Engdahl says:
Ransomware gang leaks data stolen from Colorado, Miami universities
https://www.bleepingcomputer.com/news/security/ransomware-gang-leaks-data-stolen-from-colorado-miami-universities/
Grades and social security numbers for students at the University of
Colorado and University of Miami patient data have been posted online
by the Clop ransomware group.
Tomi Engdahl says:
Lahti regional taxi company fell into hackers' clutches: denial of
service “succeeded completely”
https://www.tivi.fi/uutiset/tv/8c646ae5-7838-462b-8404-aba1ce8d68fa
Cyber attacks are not only a problem for large companies. Strongly
regional operators also suffer from them. About a month ago, a
denial-of-service attack was made against the server of Lahden
Aluetaksi, as a result of which the company had to abandon its own
server and switch to an external service provider.
Tomi Engdahl says:
Inside the Web Shell Used in the Microsoft Exchange Server Attacks
https://www.darkreading.com/attacks-breaches/inside-the-web-shell-used-in-the-microsoft-exchange-server-attacks/d/d-id/1340498
The history and details of China Chopper – a Web shell commonly seen
in the widespread Microsoft Exchange Server attacks. China Chopper Web
shells are an older threat causing new problems for many organizations
targeted in ongoing attacks against vulnerable Microsoft Exchange
Servers worldwide.
Tomi Engdahl says:
Phish Leads to Breach at Calif. State Controller
https://krebsonsecurity.com/2021/03/phish-leads-to-breach-at-calif-state-controller/
A phishing attack last week gave attackers access to email and files
at the California State Controller’s Office (SCO), an agency
responsible for handling more than $100 billion in public funds each
year. The phishers had access for more than 24 hours, and sources tell
KrebsOnSecurity the intruders used that time to steal Social Security
numbers and sensitive files on thousands of state workers, and to send
targeted phishing messages to at least 9,000 other workers and their
contacts.
Tomi Engdahl says:
REvil Ransomware Can Now Reboot Infected Devices
https://www.inforisktoday.com/revil-ransomware-now-reboot-infected-devices-a-16259
The REvil ransomware gang has added a new malware capability that
enables the attackers to reboot an infected device after encryption,
security researchers at MalwareHunterTeam report. Also:
https://twitter.com/malwrhunterteam/status/1372536434125512712
Tomi Engdahl says:
Facebook Disrupts Chinese Spies Using iPhone, Android Malware
https://www.securityweek.com/facebook-disrupts-chinese-spies-using-iphone-android-malware
Facebook’s threat intelligence team says it has disrupted a sophisticated Chinese spying team that routinely uses iPhone and Android malware to hit journalists, dissidents and activists around the world.
The hacking group, known to malware hunters as Evil Eye, has used Facebook to plant links to watering hole websites rigged with exploits for the two major mobile platforms.
Facebook’s Head of Cyber Espionage Investigations Mike Dvilyanski has published an advisory with indicators of compromise (IOCs) and other data to help victims and targets block the attacks.
https://about.fb.com/news/2021/03/taking-action-against-hackers-in-china/
Tomi Engdahl says:
Microsoft: Ongoing, Expanding Campaign Bypassing Phishing Protections
https://www.securityweek.com/microsoft-ongoing-expanding-campaign-bypassing-phishing-protections
A phishing email campaign detailed earlier this month is expanding with the use of additional email services to hide malicious intent, according to a warning from software giant Microsoft.
Dubbed ‘Compact’ Campaign, the operation has been ongoing since December 2020, targeting thousands of users. In early March, researchers with the WMC Global Threat Intelligence Team estimated that more than 400,000 Outlook Web Access and Office 365 credentials had been compromised in multiple, connected campaigns.
Tomi Engdahl says:
Vulnerabilities in TBox RTUs Can Expose Industrial Organizations to Remote Attacks
https://www.securityweek.com/vulnerabilities-tbox-rtus-can-expose-industrial-organizations-remote-attacks
UK-based industrial automation company Ovarro recently patched a series of vulnerabilities in its TBox remote terminal units (RTUs). Cybersecurity experts say these flaws could pose a serious risk to organizations.
Ovarro’s TBox RTUs are described by the vendor as a remote telemetry solution for remote automation and monitoring of critical assets. These devices are used worldwide, including in the water, oil and gas, power, transportation and process industries.
Tomi Engdahl says:
Insurer CNA Says Cyberattack Caused Network Disruption
https://www.securityweek.com/insurer-cna-says-cyberattack-caused-network-disruption
Commercial insurer CNA on Tuesday announced that it was recently targeted in what it described as a sophisticated cyberattack.
The Chicago, Illinois-based company is one of the largest commercial insurers in the United States, offering cyber insurance policies alongside a broad range of other insurance products.
In a March 23 announcement, the company revealed that, over the weekend, it fell victim to a cyberattack that impacted certain systems, and which resulted in network disruptions.
“On March 21, 2021, CNA determined that it sustained a sophisticated cybersecurity attack. The attack caused a network disruption and impacted certain CNA systems, including corporate email,” the company says in an incident notification on its website.
Tomi Engdahl says:
Honeywell Says Malware Disrupted IT Systems
https://www.securityweek.com/honeywell-says-malware-disrupted-it-systems
Industrial giant Honeywell on Tuesday revealed that some of its IT systems were disrupted as a result of a malware attack.
The company said the intrusion was detected “recently” and only a “limited number” of IT systems were disrupted. No other information has been provided regarding impact.
Tomi Engdahl says:
The Markup:
Analysis of vaccine appointment sites for every US state, Puerto Rico, and DC shows some have issues maintaining users’ privacy, loading on mobile devices, more — The results, measuring accessibility and privacy protections, were not always great — Christine Meyer, a Pennsylvania doctor …
We Ran Tests on Every State’s COVID-19 Vaccine Website
https://themarkup.org/coronavirus/2021/03/24/we-ran-tests-on-every-states-covid-19-vaccine-website
The results, measuring accessibility and privacy protections, were not always great
Tomi Engdahl says:
Hackers Start Exploiting Recent Vulnerabilities in Thrive Theme WordPress Plugins
https://www.securityweek.com/hackers-start-exploiting-recent-vulnerabilities-thrive-theme-wordpress-plugins
Over 100,000 WordPress websites could be exposed to attacks targeting a couple of recently addressed vulnerabilities affecting Thrive Theme plugins, warns the Wordfence Threat Intelligence Team at WordPress security company Defiant.
The Thrive Themes represent a collection of themes and plugins that provide WordPress administrators with the means to quickly customize their websites.
Two vulnerabilities that the Thrive Themes team addressed earlier this month are currently being targeted in live attacks to upload arbitrary files to vulnerable websites, and provide attackers with backdoor control to them.
The most important of the bugs is a critical (CVSS score of 10) unauthenticated arbitrary file upload and option deletion vulnerability that affects all Thrive Theme’s Legacy Themes. The flaw exists because the Legacy Themes include an insecurely implemented function to automatically compress images during uploads.
The second bug is considered medium severity (CVSS score of 5.8) and is an unauthenticated option update issue. The flaw is rooted in the insecure implementation of the ability to integrate with Zapier, which is available in the Thrive Dashboard.
Tomi Engdahl says:
FatFace tells customers to keep its data breach ‘strictly private’
https://techcrunch.com/2021/03/25/fatface-data-breach-strictly-private/?tpcc=ECFB2021
Clothing giant FatFace had a data breach, but doesn’t want you to tell anyone about it.
The company sent an email to customers this week disclosing that it first detected a breach on January 17. A hacker made off with the customer’s name, email and postal address, and the last four digits of their credit card. “Full payment card information was not compromised,” the notice reiterated.
But despite going out to thousands of customers, the email said to “keep this email and the information included within it strictly private and confidential,” an entirely unenforceable request.
Under the U.K. data protection laws, a company must disclose a data breach within 72 hours of becoming aware of an incident, but there are no legal requirements on the customer to keep the information confidential. It didn’t take long for the company to face flak from the public. The company didn’t have much to say in response, asking instead to “DM us with any questions.”
Tomi Engdahl says:
Engineer punished for reporting data leak
An engineer speaks out about how reporting a data leak to UK-based non-profit landed him in legal trouble
https://www.itsecurityguru.org/2021/03/25/engineer-punished-for-reporting-data-leak/
Security engineer Rob Dyke recently reported a data leak to the Apperta Foundation, which is a non-profit, supported by NHS England and NHS Digital. The organisation thanked him for responsible reporting, however later ‘thanked him’ with legal correspondence and police intervention. Dyke discovered an exposed GitHub repository earlier this month, which was exposing passwords, API keys and sensitive financial records belonging to the Apperta Foundation. The repository had been public since at least 2019. The researcher encrypted the data he had found and securely stored it for 90 days, which is a part of the coordinated disclosure process.
Dyke then received an email from a Northumbria Police cyber investigator, relating to a report of “computer misuse”. This was after he had received a reply from Apperta with the representative thanking him, and claiming they’ll sort the issue. The engineer stated: “I knew how I was supposed to report it to them. So I reported it to them, via their established procedure. And I didn’t really think any more about it.” Apperta’s lawyers stated they believed the engineer’s actions to be “unlawful” and demanded a written undertaking that any data the engineer had come across was deleted.
Tomi Engdahl says:
Saudi Arabia’s $500 billion megacity Neom is creating plans to harvest an unprecedented amount of data from future residents. Experts say it’s either dystopian or genius.
https://www.businessinsider.com/neom-saudi-smart-city-data-surveillance-plans-experts-2021-3
Saudi Arabia is building a futuristic megacity from scratch named Neom.
The city plans to ask future residents to submit a huge amount of personal data to help it run.
Experts said technophiles would flock to Neom but warned about potential mass surveillance.
Tomi Engdahl says:
Cuomo’s Covid-19 Vaccine Passport Leaves Users Clueless About Privacy
https://theintercept.com/2021/03/24/andrew-cuomo-covid-ibm-blockchain/
Tomi Engdahl says:
Credit Card Hacking Forum Gets Hacked, Exposing 300,000 Hackers’ Accounts
Credit card hacking forum Carding Mafia is the latest victim of the age-old hackers on hackers crime.
https://www.vice.com/en/article/v7m9jx/credit-card-hacking-forum-gets-hacked-exposing-300000-hackers-accounts
Tomi Engdahl says:
New Code Execution Flaws In Solarwinds Orion Platform
https://www.securityweek.com/new-code-execution-flaws-solarwinds-orion-platform
Solarwinds has shipped a major security update to fix at least four documented security vulnerabilities, including a pair of bugs that can be exploited for remote code execution attacks.
The patches were pushed out Thursday as part of a minor security makeover of the Orion Platform, the same compromised Solarwinds product that was exploited in recent nation-state software supply chain attacks.
The latest Orion Platform 2020.2.5 addresses at least four security flaws, one rated “critical” because of the risk of remote code execution attacks. The company did not release technical details of the vulnerability, which does not yet have a CVE assigned.
Solarwinds described that flaw simply as “RCE via Actions and JSON Deserialization.”
Tomi Engdahl says:
OpenSSL 1.1.1k Patches Two High-Severity Vulnerabilities
https://www.securityweek.com/openssl-111k-patches-two-high-severity-vulnerabilities
The OpenSSL Project on Thursday announced the release of version 1.1.1k, which patches two high-severity vulnerabilities, including one related to verifying a certificate chain and one that can lead to a server crash.
The first security hole, tracked as CVE-2021-3450, has been described as a “problem with verifying a certificate chain when using the X509_V_FLAG_X509_STRICT flag.” The flaw was discovered by researchers at Akamai.
“Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an additional strict check. An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates,” the OpenSSL Project explained in its advisory.
The second vulnerability, tracked as CVE-2021-3449 and discovered by employees of telecoms giant Nokia, involves sending a specially crafted renegotiation ClientHello message from a client, and it can be exploited for denial-of-service (DoS) attacks.
“If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack,” reads the description of this vulnerability.
Servers running OpenSSL 1.1.1 are affected by CVE-2021-3449 if they have TLS 1.2 and renegotiation enabled — this is the default configuration.
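The first OpenSSL bug above is the failure of one path-validation rule: a certificate carrying basicConstraints CA:FALSE must never be accepted as the issuer of another certificate. The Go program below is an added example (not code from this post, from OpenSSL or from the Akamai researchers) that builds two chains under a throwaway root and runs Go's own crypto/x509 verifier over both; the type Chain, the function BuildDemoChains and the example.test names are made up for the demonstration. Go's verifier enforces the rule that strict-mode OpenSSL 1.1.1h to 1.1.1j skipped, so the chain whose middle certificate is an ordinary server leaf is rejected while the chain with a real CA intermediate is accepted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Chain bundles an end-entity certificate, the intermediates presented with
// it, and the root the verifier trusts. (Hypothetical type for this example.)
type Chain struct {
	Leaf  *x509.Certificate
	Inter []*x509.Certificate
	Root  *x509.Certificate
}

// Verify runs Go's standard path validation. Like a correctly behaving
// OpenSSL, Go refuses to use a certificate with basicConstraints CA:FALSE as
// an issuer; that is the check CVE-2021-3450 let strict-mode OpenSSL bypass.
func (c Chain) Verify() error {
	roots := x509.NewCertPool()
	roots.AddCert(c.Root)
	inter := x509.NewCertPool()
	for _, ic := range c.Inter {
		inter.AddCert(ic)
	}
	_, err := c.Leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inter,
		// EKU filtering is not the point here; leave only the CA rule to fail.
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// template builds a minimal certificate; isCA sets the basicConstraints
// extension that the vulnerable OpenSSL check effectively ignored.
func template(cn string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, // emit basicConstraints explicitly
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
	}
	return t
}

// issue signs tmpl with the parent's private key and returns the parsed cert.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// BuildDemoChains constructs two chains under one self-signed root (all
// names are invented for the example):
//   good: root -> issuing CA (CA:TRUE)  -> server certificate
//   bad:  root -> server cert (CA:FALSE) -> certificate signed by the server key
// The bad chain is what anyone holding an ordinary leaf certificate could
// present if the non-CA check is bypassed.
func BuildDemoChains() (good, bad Chain) {
	rootKey := newKey()
	rootTmpl := template("Example Root CA", 1, true)
	root := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)

	caKey := newKey()
	ca := issue(template("Example Issuing CA", 2, true), root, &caKey.PublicKey, rootKey)
	srvKey := newKey()
	srv := issue(template("www.example.test", 3, false), ca, &srvKey.PublicKey, caKey)
	good = Chain{Leaf: srv, Inter: []*x509.Certificate{ca}, Root: root}

	// Abuse path: the non-CA server certificate's key signs another certificate.
	victimKey := newKey()
	forged := issue(template("victim.example.test", 4, false), srv, &victimKey.PublicKey, srvKey)
	bad = Chain{Leaf: forged, Inter: []*x509.Certificate{srv}, Root: root}
	return good, bad
}

func main() {
	good, bad := BuildDemoChains()
	fmt.Println("legitimate chain:", good.Verify())
	fmt.Println("leaf-issued chain:", bad.Verify())
}
```

Note that X509_V_FLAG_X509_STRICT is not set by default in OpenSSL, so a client was only exposed to CVE-2021-3450 if it opted into strict verification; the practical check for a deployment is simply that the linked OpenSSL is 1.1.1k or later.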
Tomi Engdahl says:
Dark web bursting with COVID-19 vaccines, vaccine passports
Researchers saw listings increase 300% in the last three months.
https://arstechnica.com/tech-policy/2021/03/dark-web-bursting-with-covid-19-vaccines-vaccine-passports/
just $500, you could get a COVID-19 vaccine dose tomorrow (overnight shipping not included). Too rich for your blood? How about a vaccination card for just $150?
Security researchers have seen a spike in listings on dark web marketplaces in recent weeks. The sites are advertising everything from vaccine doses to falsified vaccine certifications and negative test results. Currently, more than 1,200 listings are offering a variety of vaccines, including Pfizer, Moderna, Johnson & Johnson, AstraZeneca, Sputnik, and Sinopharm.
Tomi Engdahl says:
Joseph Cox / VICE:
Text routing firm Aerialink says that all major US cell carriers have closed an SMS loophole that allowed hackers to easily reroute a target’s text messages — All the mobile carriers have mitigated a major SMS security loophole that allowed a hacker to hijack text messages for just $16. — Joseph Cox
T-Mobile, Verizon, AT&T Stop SMS Hijacks After Motherboard Investigation
https://www.vice.com/en/article/5dp7ad/tmobile-verizon-att-sms-hijack-change
All the mobile carriers have mitigated a major SMS security loophole that allowed a hacker to hijack text messages for just $16.
Tomi Engdahl says:
Reuters:
Source: Biden EO draft would require many software vendors to notify their federal govt. clients of cybersecurity breaches and preserve accompanying data logs — SAN FRANCISCO (Reuters) – A planned Biden administration executive order will require many software vendors to notify …
Exclusive: Software vendors would have to disclose breaches to U.S. government users under new order: draft
https://www.reuters.com/article/us-usa-biden-cyber-exclusive-idUSKBN2BH37I
A planned Biden administration executive order will require many software vendors to notify their federal government customers when the companies have a cybersecurity breach, according to a draft seen by Reuters.
Tomi Engdahl says:
Google’s top security teams unilaterally shut down a counterterrorism operation
https://www.technologyreview.com/2021/03/26/1021318/google-security-shut-down-counter-terrorist-us-ally/amp/?__twitter_impression=true
The decision to block an “expert” level cyberattack has caused controversy inside Google after it emerged that the hackers in question were working for a US ally.