This posting is here to collect cyber security news in May 2021.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
318 Comments
Tomi Engdahl says:
Pulse Secure fixes VPN zero-day used to hack high-value targets https://www.bleepingcomputer.com/news/security/pulse-secure-fixes-vpn-zero-day-used-to-hack-high-value-targets/
Tomi Engdahl says:
Apple releases fixes for three WebKit zero-days, additional patches for a fourth https://therecord.media/apple-releases-fixes-for-three-webkit-zero-days-additional-patches-for-a-fourth/
Tomi Engdahl says:
Experian API Exposed Credit Scores of Most Americans https://krebsonsecurity.com/2021/04/experian-api-exposed-credit-scores-of-most-americans/
American consumer credit bureau Experian just fixed a weakness with a partner website that let anyone look up the credit score of tens of millions of Americans just by supplying their name and mailing address.
Tomi Engdahl says:
Swiss Cloud becomes the latest web hosting provider to suffer a ransomware attack https://therecord.media/swiss-cloud-becomes-the-latest-web-hosting-provider-to-suffer-a-ransomware-attack/
While the incident did not impact the company’s entire server infrastructure, which is spread among different data centers across Switzerland, the disruption has impacted server availability for more than 6500 customers.
Tomi Engdahl says:
DigitalOcean admits data breach exposed customers’ billing details https://hotforsecurity.bitdefender.com/blog/digitalocean-admits-data-breach-exposed-customers-billing-details-25754.html
DigitalOcean explained that an unauthorised party had managed to exploit the flaw to gain access to billing information between April 9 and April 22, 2021. The company underlined that it does not store users’ full payment card numbers and so they were not exposed. In addition, DigitalOcean says that it has fixed the flaw that the hacker exploited, and informed data protection authorities about the breach.
Tomi Engdahl says:
PortDoor: New Chinese APT Backdoor Attack Targets Russian Defense Sector https://www.cybereason.com/blog/portdoor-new-chinese-apt-backdoor-attack-targets-russian-defense-sector
The Cybereason Nocturnus Team has been tracking recent developments in the RoyalRoad weaponizer, also known as the 8.t Dropper/RTF exploit builder. Over the years, this tool has become a part of the arsenal of several Chinese-related threat actors such as Tick, Tonto Team and TA428, all of which employ RoyalRoad regularly for spear-phishing in targeted attacks against high-value targets. See also:
https://threatpost.com/portdoor-espionage-malware-takes-aim-at-russian-defense-sector/165770/.
See also:
https://therecord.media/china-linked-apt-group-targets-russian-nuclear-sub-designer-with-an-undocumented-backdoor/
Tomi Engdahl says:
U.S. government probes VPN hack within federal agencies, races to find clues https://www.reuters.com/technology/us-government-probes-vpn-hack-within-federal-agencies-races-find-clues-2021-04-29/
It is the latest so-called supply chain cyberattack, highlighting how sophisticated, often government-backed groups are targeting vulnerable software built by third parties as a stepping-stone to sensitive government and corporate computer networks. The new government breaches involve a popular virtual private network (VPN) known as Pulse Connect Secure, which hackers were able to break into
Tomi Engdahl says:
Office 365 security baseline adds macro signing, JScript protection https://www.bleepingcomputer.com/news/security/office-365-security-baseline-adds-macro-signing-jscript-protection/
Microsoft has updated the security baseline for Microsoft 365 Apps for enterprise (formerly Office 365 Professional Plus) to include protection from JScript code execution attacks and unsigned macros.
Security baselines enable security admins to use Microsoft-recommended Group Policy Object (GPO) baselines to reduce the attack surface of Microsoft 365 Apps and boost the security posture of enterprise endpoints they run on.
Tomi Engdahl says:
DarkPath scam group loses 134 domains impersonating the WHO https://therecord.media/darkpath-scam-group-loses-134-domains-impersonating-the-who/
United Nations security experts and security firm Group-IB said they worked together to take down 134 websites operated by a cybercrime group known as DarkPath. Group-IB told The Record that after notifying the UN’s International Computing Centre, they worked with “a wide network of regulators and service suppliers domain name registrars, hosting providers, associations, including FIRST, TRUSTED Introducer, APWG, Scamadviser and many others” to take down the 134 sites.
Tomi Engdahl says:
Babuk ransomware readies ‘shut down’ post, plans to open source malware https://www.bleepingcomputer.com/news/security/babuk-ransomware-readies-shut-down-post-plans-to-open-source-malware/
Whenever the Babuk ransomware gang decides to call it quits, at least under the Babuk name, they would “do something like Open Source Ransomware-as-a-Service (RaaS), everyone can make their own product based on our product and finish with the rest of the RaaS.”
Tomi Engdahl says:
PHP Supply Chain Attack on Composer
https://blog.sonarsource.com/php-supply-chain-attack-on-composer
In the PHP ecosystem, Composer is the major tool to manage and install software dependencies. It is used by development teams world-wide to ease the update process and to ensure that applications work effortless across environments and versions. During our security research, we discovered a critical vulnerability in the source code of Composer which is used by Packagist. It allowed us to execute arbitrary system commands on the Packagist.org server. In this blog post, we introduce the detected code vulnerabilities and how these were patched.
Tomi Engdahl says:
Computer science researchers at the University of Virginia School of Engineering and University of California, San Diego, jointly published a paper outlining new Spectre variants that they say affect “billions” of AMD and Intel PCs.
Researchers find new CPU vulnerabilities and say fixes would kill performance
By Paul Lilly 1 day ago
https://www.pcgamer.com/researchers-find-new-cpu-vulnerabilities-and-say-fixes-would-kill-performance/?utm_source=facebook.com&utm_medium=social&utm_campaign=socialflow
The new Spectre variants leave billions of PCs defenseless, researchers say.
Update: In a statement provided to us, Intel refutes that the vulnerabilities outlined in the research paper are not addressed with existing patches and firmware updates.
“Intel reviewed the report and informed researchers that existing mitigations were not being bypassed and that this scenario is addressed in our secure coding guidance. Software following our guidance already have protections against incidental channels including the uop cache incidental channel. No new mitigations or guidance are needed,” Intel said.
Guidelines for Mitigating Timing Side Channels Against Cryptographic Implementations
https://software.intel.com/security-software-guidance/secure-coding/guidelines-mitigating-timing-side-channels-against-cryptographic-implementations
The primary concern with side channels is the protection of secrets. Secrets are broadly defined as any data that should not be seen or known by other users, applications, or even other code modules. When using side channel methods, malicious actors most commonly seek API keys, user passwords, or cryptographic keys because these may allow malicious actors to decrypt or access other protected secrets.
Tomi Engdahl says:
Catalin Cimpanu / The Record:
An ongoing DDoS attack has crippled the Belgian government’s IT network, affecting 200+ government orgs, a COVID-19 reservation app, tax filing services, more
Belgium’s government network goes down after massive DDoS attack
https://therecord.media/belgiums-government-network-goes-down-after-massive-ddos-attack/
Most of the Belgium government’s IT network has been down today after a massive distributed denial of service (DDoS) attack knocked offline both internal systems and public-facing websites.
The attack targeted Belnet, a government-funded ISP that provides internet connectivity for Belgian government organizations, such as its Parliament, educational institutes, ministries, and research centers.
The incident, which Belnet is still dealing with at the time of writing, is believed to have impacted the activities of more than 200 Belgian government organizations.
Impacted services include My Minfin, the government’s official tax- and form-filing portal, but also IT systems used by schools and universities for remote learning applications.
The country’s COVID-19 vaccine reservation portal, which is hosted on Belnet’s infrastructure, has also been down today as a result of the attack.
Parliament and other government activities were also disrupted today, as some meetings couldn’t take place as they couldn’t be streamed for remote participants due to the ongoing DDoS attack.
Several Belgium politicians and political observers noted today that the attack started around the same time the Belgium Parliament’s Foreign Affairs Committee was supposed to hold a meeting and hear a testimony from a survivor of China’s Uyghur forced labor camps.
Neither Belnet nor any other Belgium government organization has attributed the DDoS attack to any particular entity, and seeing that the attack is still ongoing and would have to be investigated, attribution is currently very far away.
Tomi Engdahl says:
Catalin Cimpanu / The Record:
Dell patches a recently discovered 12-year-old driver vulnerability impacting hundreds of millions of Dell systems, which gives local attackers full PC control
Dell patches 12-year-old driver vulnerability impacting millions of PCs
https://therecord.media/dell-patches-12-year-old-driver-vulnerability-impacting-millions-of-pcs/
Hundreds of millions of Dell desktops, laptops, notebooks, and tablets will need to update their Dell DBUtil driver to fix a 12-year-old vulnerability that exposes systems to attacks.
The bug, tracked as CVE-2021-21551, impacts version 2.3 of DBUtil, a Dell BIOS driver that allows the OS and system apps to interact with the computer’s BIOS and hardware.
In a report published today and shared with The Record, security firm SentinelOne said it found a vulnerability in this driver that could be abused to allow threat actors to access driver functions and execute malicious code with SYSTEM and kernel-level privileges.
Researchers said the DBUtil vulnerability cannot be exploited over the internet to gain access to unpatched systems remotely. Instead, threat actors who gained initial access to a computer, even to a low-level account, could abuse this bug to take full control over the compromised PC — in what the security community typically describes as a privilege escalation vulnerability.
CVE-2021-21551 - Hundreds Of Millions Of Dell Computers At Risk Due to Multiple BIOS Driver Privilege Escalation Flaws
https://labs.sentinelone.com/cve-2021-21551-hundreds-of-millions-of-dell-computers-at-risk-due-to-multiple-bios-driver-privilege-escalation-flaws/
Tomi Engdahl says:
ISC urges updates of DNS servers to wipe out new BIND vulnerabilities
https://www.zdnet.com/article/isc-urges-updates-of-dns-servers-to-wipe-out-new-bind-vulnerabilities/
This week, the organization said the vulnerabilities impact ISC Berkeley Internet Name Domain (BIND) 9, widely used as a DNS system and maintained as an open source project.
The first vulnerability is tracked as CVE-2021-25216 and has been issued a CVSS severity score of 8.1 (32-bit) or 7.4 (64-bit). Threat actors can remotely trigger the flaw by performing a buffer overflow attack against BIND’s GSSAPI security policy negotiation mechanism for the GSS-TSIG protocol, potentially leading to wider exploits including crashes and remote code execution.
However, under configurations using default BIND settings, vulnerable code paths are not exposed — unless a server’s values (tkey-gssapi-keytab/tkey-gssapi-credential) are set otherwise.
The second security flaw, CVE-2021-25215, has earned a CVSS score of 7.5. CVE-2021-25215 is a remotely-exploitable flaw found in the way DNAME records are processed and may cause process crashes due to failed assertions.
The least dangerous bug, tracked as CVE-2021-25214, has been issued a CVSS score of 6.5. This issue was found in incremental zone transfers (IXFR) and if a named server receives a malformed IXFR, this causes the named process to crash due to a failed assertion.
Tomi Engdahl says:
https://lawandcrime.com/crime/florida-teen-faces-potentially-serious-prison-time-after-allegedly-rigging-homecoming-queen-vote-with-moms-help/
hacking the homecoming vote for fun and profit
Tomi Engdahl says:
CVE-2021-21551 - Hundreds Of Millions Of Dell Computers At Risk Due to Multiple BIOS Driver Privilege Escalation Flaws
https://labs.sentinelone.com/cve-2021-21551-hundreds-of-millions-of-dell-computers-at-risk-due-to-multiple-bios-driver-privilege-escalation-flaws/
Executive Summary
SentinelLabs has discovered five high severity flaws in Dell’s firmware update driver impacting Dell desktops, laptops, notebooks and tablets.
Attackers may exploit these vulnerabilities to locally escalate to kernel-mode privileges.
Since 2009, Dell has released hundreds of millions of Windows devices worldwide which contain the vulnerable driver.
SentinelLabs findings were proactively reported to Dell on Dec 1, 2020 and are tracked as CVE-2021-21551, marked with CVSS Score 8.8.
Dell has released a security update to its customers to address this vulnerability.
At this time, SentinelOne has not discovered evidence of in-the-wild abuse.
Tomi Engdahl says:
https://www.telegraph.co.uk/technology/2021/05/02/logging-nhs-app-using-airport-wi-fi-leaves-open-hackers-holidaymakers/
Tomi Engdahl says:
https://www.securityweek.com/high-severity-dell-driver-vulnerabilities-impact-hundreds-millions-devices
Tomi Engdahl says:
Researchers find new CPU vulnerabilities and say fixes would kill performance
By Paul Lilly 2 days ago
The new Spectre variants leave billions of PCs defenseless, researchers say.
https://www.pcgamer.com/researchers-find-new-cpu-vulnerabilities-and-say-fixes-would-kill-performance/
Tomi Engdahl says:
U.S. Agency for Global Media (USAGM) has disclosed a data breach that exposed the personal information of current and former employees and their beneficiaries.
https://www.bleepingcomputer.com/news/security/us-agency-for-global-media-data-breach-caused-by-a-phishing-attack/
Tomi Engdahl says:
Peloton’s leaky API let anyone grab riders’ private account data https://techcrunch.com/2021/05/05/peloton-bug-account-data-leak/
A bug allowed anyone to pull users’ private account data directly from Peloton’s servers, even with their profile set to private. Pen Test Partners report:
https://www.pentestpartners.com/security-blog/tour-de-peloton-exposed-user-data/.
Also: https://grahamcluley.com/peloton-exercise-bikes-data/
Tomi Engdahl says:
FBI is probably patching your system for you without your consent https://www.pandasecurity.com/en/mediacenter/mobile-news/fbi-patching-your-system/
FBI has been actively patching vulnerable computer systems of businesses located in the USA. The fixed systems belong to organizations from both the private and government sectors. The acting US Attorney for the Southern District of Texas has authorized an operation allowing the FBI to access hundreds of vulnerable computers.
The court-authorized activity executed by qualified FBI agents aimed to copy and remove malicious web shells from vulnerable or infected computers running on-premises versions of Microsoft Exchange.
Tomi Engdahl says:
Android Updates for May 2021 Patch Over 40 Vulnerabilities
https://www.securityweek.com/android-updates-may-2021-patch-over-40-vulnerabilities
The Android operating system updates released by Google for May 2021 patch a total of 42 vulnerabilities, including four considered critical severity.
Addressed as part of the 2021-05-01 security patch level, three of the critical flaws were identified in the System component and all three could be exploited remotely to execute arbitrary code on a vulnerable device.
“The most severe of these issues is a critical security vulnerability in the System component that could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process,” Google explains.
Tracked as CVE-2021-0473 and CVE-2021-0474, two of these bugs affect Android 8.1, 9, 10, and 11 releases, while the third, CVE-2021-0475, impacts Android 10 and 11 only.
Android Security Bulletin—May 2021
https://source.android.com/security/bulletin/2021-05-01
Tomi Engdahl says:
Chrome for Windows Gets Hardware-enforced Exploitation Protection
https://www.securityweek.com/google-makes-chrome-windows-more-resilient-vulnerability-exploitation
Google makes Chrome for Windows more resilient to vulnerability exploitation with new mitigation technology
Starting in version 90, Chrome for Windows improves resilience against vulnerability exploitation by adopting Hardware-enforced Stack Protection.
With this mitigation technology, which is available in Windows 10 20H1 or later, on processors that feature Control-flow Enforcement Technology (CET), the processor maintains a shadow stack of valid return addresses, which makes it more difficult for bad actors to write exploits.
Tomi Engdahl says:
Google explains that some software may not be compatible with the mechanism, and that the Stack Protection has some limitations, such as the fact that Chrome doesn’t support every direction of control flow enforcement for the time being.
“Stack protection enforces the reverse-edge of the call graph but does not constrain the forward-edge. It will still be possible to make indirect jumps around existing code as stack protection is only validated when a return instruction is encountered, and call targets are not validated,” Google explains.
Enabling Hardware-enforced Stack Protection (cetcompat) in Chrome
https://security.googleblog.com/2021/05/enabling-hardware-enforced-stack.html
Tomi Engdahl says:
DOD Expands Vulnerability Disclosure Program to Web-Facing Targets
https://www.securityweek.com/dod-expands-vulnerability-disclosure-program-web-facing-targets
Tomi Engdahl says:
Bobby Allyn / NPR:
US appeals court rules that Snap could be sued for a fatal car crash, involving its “speed filter”, saying Sec. 230 doesn’t apply to the design of the app
Snapchat Can Be Sued Over Role In Fatal Car Crash, Court Rules
https://www.npr.org/2021/05/04/993579600/snapchat-can-be-sued-for-role-in-fatal-car-crash-court-rules?t=1620300263337
Three young men got into a car in Walworth County, Wis., in May 2017. They were set on driving at rapid speeds down a long, cornfield-lined road — and sharing their escapade on social media.
As the 17-year-old behind the wheel accelerated to 123 miles per hour, one of the passengers opened Snapchat.
His parents say their son wanted to capture the experience using an app feature — the controversial “speed filter” — that documents real-life speed, hoping for engagement and attention from followers on the messaging app.
It was one of the last things the trio did before the vehicle ran off the road and crashed into a tree, killing all of them.
Was Snapchat partially to blame? The boys’ parents think so. And, in a surprise decision on Tuesday, a federal appeals court ordered that the parents should have the right to sue Snap Inc.
Tomi Engdahl says:
Shoshana Wodinsky / Gizmodo:
Signal says Facebook shut down its ad account over an Instagram ad campaign that showed the user data Facebook used in targeting the ads
Signal Tries to Run the Most Honest Facebook Ad Campaign Ever, Immediately Gets Banned [Updated]
https://gizmodo.com/signal-tried-to-run-the-most-honest-facebook-ad-campaig-1846823457?scrolla=5eb6d68b7fedc32c19ef33b4
A series of Instagram ads run by the privacy-positive platform Signal got the messaging app booted from the former’s ad platform, according to a blog post Signal published on Tuesday. The ads were meant to show users the bevy of data that Instagram and its parent company Facebook collects on users, by… targeting those users using Instagram’s own adtech tools.
The actual idea behind the ad campaign is pretty simple. Because Instagram and Facebook share the same ad platform, any data that gets hoovered up while you’re scrolling your Insta or Facebook feeds gets fed into the same cesspool of data, which can be used to target you on either platform later.
Across each of these platforms, you’re also able to target people using a nearly infinite array of data points collected by Facebook’s herd of properties.
Based on this kind of minute data, Signal was able to create some super-targeted ads that were branded with the exact targeting specs that Signal used. If an ad was targeted towards K-pop fans, the ad said so. If the ad was targeted towards a single person, the ad said so. And if the ad was targeted towards London-based divorcees with degrees in art history, the ad said so.
Apparently, Facebook wasn’t a fan of this sort of transparency into its system. While the company hasn’t yet responded to Gizmodo’s request for comment, Signal’s blog post says that the ad account used to run these ads was shut down before these ads could reach their target audiences. Personally, I think that’s a shame—I’d have loved to see an ad that showed what Instagram really thinks of me.
Tomi Engdahl says:
Joseph Cox / VICE:
Schemes offering to buy workplace login credentials appear linked to Argyle, a startup backed by Bain Ventures; providing access might break hacking laws
‘Phishing’ Sites Buying Workplace Login Details Linked to Well-Funded Startup
Argyle says it provides access to employment and payroll history. Buying login details may fall afoul of U.S. hacking laws.
https://www.vice.com/en/article/7kvvbb/argyle-payroll-login-phishing
Earlier this year, workers across the country received a tantalizing email from an organization called Workplace Unite: provide us with your workplace login credentials, and we’ll pay you a neat $500. Not only that, but Workplace Unite would also keep paying the recipients $25 a month as long as the login credentials continued to work. Other sites with similar names and branded websites such as “Workers Unite” offered a one time payment of $100.
“Workplace Unite aims to maximize the personal value of every worker’s data,” a message on one of the sites reads. “We are looking for people who work (or used to work) at various companies to join our paid beta program and share their work experience with us. This knowledge sharing will aid us at building a new tool which will put every worker in charge of their own personal data.”
Some of the sites said that people providing their payroll account credentials would let them see how much they earn compared to their peers. But this access also lets whoever is harvesting all of these credentials to get that sort of visibility at scale, potentially monitoring the salaries or pay of different roles across various industries.
Behind the cute marketing was what appeared to be a potential security and legal issue. An employee providing access to their current or past employer’s payroll infrastructure without authorization could fall afoul of the U.S.’s hacking laws. But interestingly, those emails and sites offering payment for login details are clearly linked to a startup called Argyle which recently raised $20 million in funding, according to analysis from security researchers and Motherboard.
Tomi Engdahl says:
Malicious Office 365 Apps Are the Ultimate Insiders https://krebsonsecurity.com/2021/05/malicious-office-365-apps-are-the-ultimate-insiders/
Phishers targeting Microsoft Office 365 users increasingly are turning to specialized links that take users to their organization’s own email login page. After a user logs in, the link prompts them to install a malicious but innocuously-named app that gives the attacker persistent, password-free access to any of the user’s emails and files, both of which are then plundered to launch malware and phishing scams against others.
Tomi Engdahl says:
ISPs paid third-party vendors to steal Americans’ personal information and then submit fraudulent comments to the government. And no one went to jail???
Biggest ISPs paid for 8.5 million fake FCC comments opposing net neutrality
ISP-funded astroturfing used millions of real names and faked consent records.
https://arstechnica.com/tech-policy/2021/05/biggest-isps-paid-for-8-5-million-fake-fcc-comments-opposing-net-neutrality/
The largest Internet providers in the US funded a campaign that generated “8.5 million fake comments” to the Federal Communications Commission as part of the ISPs’ fight against net neutrality rules during the Trump administration, according to a report issued today by New York State Attorney General Letitia James.
Nearly 18 million out of 22 million comments were fabricated, including both pro- and anti-net neutrality submissions, the report said. One 19-year-old submitted 7.7 million pro-net neutrality comments under fake, randomly generated names. But the astroturfing effort funded by the broadband industry stood out because it used real people’s names without their consent, with third-party firms hired by the industry faking consent records, the report said.
The NY AG’s office began its investigation in 2017 and said it faced stonewalling from then-FCC Chairman Ajit Pai, who refused requests for evidence. But after a years-long process of obtaining and analyzing “tens of thousands of internal emails, planning documents, bank records, invoices, and data comprising hundreds of millions of records,” the NY AG said it “found that millions of fake comments were submitted through a secret campaign, funded by the country’s largest broadband companies, to manufacture support for the repeal of existing net neutrality rules using lead generators.”
It was clear before Pai completed the repeal in December 2017 that millions of people—including dead people—were impersonated in net neutrality comments. Even industry-funded research found that 98.5 percent of genuine comments opposed Pai’s deregulatory plan. But today’s report reveals more details about how many comments were fake and how the broadband industry was involved.
“The broadband industry could not, in fact, rely on grassroots support for its campaign because the public overwhelmingly supported robust net neutrality rules,” the report noted. “So the broadband industry tried to manufacture support for repeal by hiring companies to generate comments for a fee.”
Comcast, Charter, and AT&T biggest ISPs in group
The AG report said the industry campaign was run through Broadband for America (BFA), an umbrella group that includes Comcast, Charter, AT&T, Cox, and CenturyLink.
“BFA hid its role in the campaign by recruiting anti-regulation advocacy groups—unrelated to the broadband industry—to serve as the campaign’s public faces,” the AG report said.
Comcast, Charter, and AT&T are the biggest members of Broadband for America. Comcast has 31.1 million residential customers in the broadband, phone, and TV categories combined. Charter has 29.4 million such customers. AT&T has 14.1 million Internet customers and 15.9 million TV customers.
Tomi Engdahl says:
tsuNAME – New DNS bug allows attackers to DDoS authoritative DNS servers https://www.bleepingcomputer.com/news/security/new-tsuname-dns-bug-allows-attackers-to-ddos-authoritative-dns-servers/
“What makes TsuNAME particularly dangerous is that it can be exploited to carry out DDoS attacks against critical DNS infrastructure like large TLDs or ccTLDs, potentially affecting country-specific services.” “Resolvers vulnerable to TsuNAME will send non-stop queries to authoritative servers that have cyclic dependent records,” the researchers explain in their security advisory. tsuNAME:
https://tsuname.io/
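The advisory above describes the trigger as cyclic dependent NS records: zone A delegates to name servers living in zone B, and zone B delegates back into zone A, so a resolver without a loop guard never settles. The following is an added example, not code from the advisory or from tsuname.io, that a zone operator can run over their own delegation data to find such loops before a looping resolver does; the zone dictionary and the zone names in it are constructed sample data.

```python
"""Find cyclic NS delegations (the tsuNAME trigger) in a set of zones.

Input model (assumed for this example): a dict mapping each zone name to the
list of NS hostnames it delegates to. An NS name is "in bailiwick" when it
sits inside the zone that names it (that case needs glue, not another zone,
so it cannot form a loop). An NS name that sits inside a different known
zone makes the delegating zone depend on that zone; a cycle in that
dependency graph is what a tsuNAME-vulnerable resolver loops on.
"""
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: example.com and example.org delegate to each other's
# name servers, example.net is self-contained, other.test depends on
# example.com but nothing depends back on other.test.
SAMPLE_ZONES: Dict[str, List[str]] = {
    "example.com": ["ns1.example.org", "ns2.example.org"],
    "example.org": ["ns1.example.com"],
    "example.net": ["ns1.example.net"],
    "other.test": ["ns1.example.com"],
}


def parent_zone(name: str, zones: Dict[str, List[str]]) -> Optional[str]:
    """Return the longest known zone that contains `name`, or None."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def dependency_graph(zones: Dict[str, List[str]]) -> Dict[str, Set[str]]:
    """Map each zone to the set of other zones its NS names live in."""
    graph: Dict[str, Set[str]] = {}
    for zone, ns_names in zones.items():
        deps: Set[str] = set()
        for ns in ns_names:
            owner = parent_zone(ns, zones)
            # Same zone: in-bailiwick NS, resolvable with glue, no dependency.
            if owner is not None and owner != zone:
                deps.add(owner)
        graph[zone] = deps
    return graph


def find_cyclic_delegations(zones: Dict[str, List[str]]) -> List[Tuple[str, ...]]:
    """Return every delegation cycle, each as a tuple of zone names.

    Cycles are rotated so the lexicographically smallest zone comes first,
    which makes the same loop found from different start points compare equal.
    """
    graph = dependency_graph(zones)
    found: Set[Tuple[str, ...]] = set()

    def walk(node: str, path: List[str]) -> None:
        if node in path:
            cycle = path[path.index(node):]
            k = cycle.index(min(cycle))
            found.add(tuple(cycle[k:] + cycle[:k]))
            return
        for dep in sorted(graph.get(node, ())):
            walk(dep, path + [node])

    for zone in sorted(graph):
        walk(zone, [])
    return sorted(found)


if __name__ == "__main__":
    for cycle in find_cyclic_delegations(SAMPLE_ZONES):
        print("cyclic delegation:", " -> ".join(cycle + (cycle[0],)))
```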
Tomi Engdahl says:
Qualcomm vulnerability impacts nearly 40% of all mobile phones https://www.bleepingcomputer.com/news/security/qualcomm-vulnerability-impacts-nearly-40-percent-of-all-mobile-phones/
Qualcomm MSM is a series of 2G, 3G, 4G, and 5G capable system on chips (SoCs) used in roughly 40% of mobile phones by multiple vendors, including Samsung, Google, LG, OnePlus, and Xiaomi. “If exploited, the vulnerability would have allowed an attacker to use Android OS itself as an entry point to inject malicious and invisible code into phones,” according to Check Point researchers. Check Point Research alerted Qualcomm who confirmed and fixed the issue. Check Point:
https://research.checkpoint.com/2021/security-probe-of-qualcomm-msm/.
Forbes:
https://www.forbes.com/sites/zakdoffman/2021/05/06/warning-for-samsung-galaxy-5g-android-users-with-qualcomm-flaw/
Tomi Engdahl says:
A student pirating software led to a full-blown Ryuk ransomware attack https://www.bleepingcomputer.com/news/security/a-student-pirating-software-led-to-a-full-blown-ryuk-ransomware-attack/
A student’s attempt to pirate an expensive data visualization software led to a full-blown Ryuk ransomware attack at a European biomolecular research institute.
Tomi Engdahl says:
Formerly unknown rootkit used to secretly control networks of regional organizations https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831/
A newly discovered rootkit that we dub ‘Moriya’ is used by an unknown actor to deploy passive backdoors on public facing servers, facilitating the creation of a covert C&C communication channel through which they can be silently controlled. The rootkit was found on networks of regional diplomatic organizations in Asia and Africa, detected on several instances dating back to October 2019 and May 2020, where the infection persisted in the targeted networks for several months after each deployment of the malware.
Tomi Engdahl says:
https://www.securityweek.com/qualcomm-modem-chip-flaw-exploitable-android-researchers
Tomi Engdahl says:
TsuNAME Vulnerability Can Be Exploited for DDoS Attacks on DNS Servers
https://www.securityweek.com/tsuname-vulnerability-can-be-exploited-ddos-attacks-dns-servers
VMware has patched another critical vulnerability reported by Positive Technologies, a Russian cybersecurity firm that was sanctioned recently by the United States.
Positive Technologies is one of the several Russian tech firms sanctioned in April by the U.S. for allegedly supporting Kremlin intelligence agencies. The company has reported many serious vulnerabilities to major vendors such as Microsoft, Intel and VMware over the past years and says that it plans to continue doing so.
The latest security hole reported by Positive Technologies to VMware is CVE-2021-21984, a critical remote code execution vulnerability affecting VMware vRealize Business for Cloud.
Tomi Engdahl says:
Android App Developers Required by Google to Share More Info on Data Handling
https://www.securityweek.com/android-app-developers-required-google-share-more-info-data-handling
Tomi Engdahl says:
This Android App Promises To Wipe Your Phone If Cops Try To Hack It
https://www.forbes.com/sites/thomasbrewster/2021/05/07/this-android-app-promises-to-wipe-your-phone-if-cops-try-to-hack-it/?sh=7d5f78cc13c0
If the police get hold of a smartphone and they have a warrant to search it, they’ll often turn to a tool from Israeli company Cellebrite that can hack into it and download the data within. But on Friday a security researcher is releasing an app that he says can detect when a Cellebrite is about to raid the device, turn the phone off and wipe it.
“My goal is not to arm criminals. It’s more to educate the general public and make it aware that we need policy changes to address these issues,” Bergin added. “I hope we see changes in policy that require the types of testing that I do.”
Tomi Engdahl says:
Serious Android flaw threatens hundreds of millions of users — what to do
By Paul Wagenseil
Modem flaw could be used to steal data, hide malware
https://www.tomsguide.com/news/qualcomm-modem-flaw
A deep-rooted flaw in Qualcomm chips threatens hundreds of millions of Android phones.
The vulnerability lies in the Mobile Station Modem (i.e., a cellular modem), which dates back to 1990 and is still present in the integrated chipsets of the latest 5G-enabled phones, Check Point says.
Check Point estimates that up to 30% of Android phones worldwide, including top models made by Samsung, Google, Xiaomi, LG and OnePlus, have the Qualcomm modem software that includes this vulnerability. Other top makers using Qualcomm chips include Asus, Sony and ZTE.
Tomi Engdahl says:
https://www.washingtonpost.com/business/2021/05/08/cyber-attack-colonial-pipeline/#click=https://t.co/nNXocQPXYT
Tomi Engdahl says:
https://archive.md/kEziH Colonial Pipeline, the largest U.S. gasoline and diesel pipeline system, halted all operations Friday after a cybersecurity attack and said it’s working to get things back to normal.
Colonial took certain systems offline to contain the threat which stopped all operations and affected IT systems. The company is seeking to minimize disruption to customers, it said in a statement.
The artery is a crucial piece of infrastructure that can transport 2.5 million barrels a day of refined petroleum products from the Gulf Coast to Linden, New Jersey. It supplies gasoline, diesel and jet fuel to fuel distributors and airports from Houston to New York.
The pipeline operator engaged a third-party cybersecurity firm that has launched an investigation into the nature and scope of the incident. Colonial has also contacted law enforcement and other federal agencies.
The company didn’t immediately respond to a phone call or email for further comment early Saturday.
Nymex gasoline futures rose 1.32 cents to settle at $2.1269 per gallon Friday in New York.
Tomi Engdahl says:
Cyber attack shuts down largest US gasoline pipeline – 45% of east coast and southern regions
https://americanmilitarynews.com/2021/05/cyber-attack-shuts-down-largest-us-gasoline-pipeline-45-of-east-coast-and-southern-regions/
On Friday night, the largest U.S. gas pipeline announced it had halted its operations after it discovered it was targeted in a cyber attack. The pipeline provides about 45 percent of the fuel supply along the east coast and southern United States.
In a company statement Friday night, Colonial Pipeline said, “On May 7, the Colonial Pipeline Company learned it was the victim of a cybersecurity attack. In response, we proactively took certain systems offline to contain the threat, which has temporarily halted all pipeline operations, and affected some of our IT systems.”
According to Bloomberg, Colonial Pipeline operates the largest gasoline and diesel pipeline system in the U.S.
CNBC reported the company transports 2.5 million barrels of gasoline, diesel, jet fuel and other refined products every day, accounting for about 45 percent of the east coast’s fuel supply. That fuel passes through 5,500 miles of pipelines. The pipeline network moves fuel from U.S. gulf coast refineries to populous areas along the eastern and southern United States.
Infrastructure is increasingly becoming a critical target for potential cyberattacks.
Mike Chapple, a former NSA computer scientist and cybersecurity expert at the University of Notre Dame told the Washington Post, “This pipeline shutdown sends the message that core elements of our national infrastructure continue to be vulnerable to cyberattack.”
Robert M. Lee, CEO and cofounder of the cybersecurity firm Dragos, told the Washington Post the pipeline outage may have been caused by a ransomware attack. He said, “There are absolutely cases in industrial operations where ransomware impacts operations.”
Lee said most ransomware attacks of this nature are carried out by criminal groups, rather than foreign governments.
Tomi Engdahl says:
Ransomware Hits Research Facility After Student Installs Pirated Software
A student with access to a European research institute’s network exposed his login credentials after installing pirated software that turned out to be password-stealing malware, according to security firm Sophos.
https://uk.pcmag.com/security/133260/ransomware-hits-research-facility-after-student-installs-pirated-software
Tomi Engdahl says:
Gov Info Security: Colonial Pipeline: Cybersecurity Attack Causes Disruptions > https://www.govinfosecurity.com/colonial-pipeline-cybersecurity-attack-causes-disruptions-a-16549, No date
Threatpost: Major U.S. Pipeline Crippled in Ransomware Attack > https://threatpost.com/pipeline-crippled-ransomware/165963/, 2021-05-08 19:28:28 +0000
Gov Info Security: Colonial Pipeline Confirms Ransomware Causing Disruptions > https://www.govinfosecurity.com/colonial-pipeline-confirms-ransomware-causing-disruptions-a-16549
Tomi Engdahl says:
Colonial Pipeline Confirms Ransomware Causing Disruptions
Company Has Taken Systems Offline As A Precaution; Investigation Ongoing
https://www.govinfosecurity.com/colonial-pipeline-confirms-ransomware-causing-disruptions-a-16549
Tomi Engdahl says:
Cyberattack disrupts Colonial Pipeline, which transports 100 million gallons of fuel daily
https://www.cyberscoop.com/gas-pipeline-cyberattack-ransomware-colonial/
A cyberattack has temporarily halted operations at Colonial Pipeline, the largest pipeline system for moving gas and diesel products in the U.S., the company said Friday.
Colonial Pipeline, which delivers more than 100 million gallons of fuel daily to customers from Texas to New York, said that after learning of the incident on Friday that it “proactively took certain systems offline to contain the threat, which has temporarily halted all pipeline operations and affected some of our IT systems.”
It was unclear at press time Saturday morning who was responsible for the digital intrusion or how long the company’s pipeline operations would be halted.
The Department of Homeland Security’s cybersecurity agency said that ransomware was the cause of the incident in a statement Saturday afternoon.
“This underscores the threat that ransomware poses to organizations regardless of size or sector,” DHS’s Cybersecurity and Infrastructure Security Agency (CISA) said, adding that it was working with Colonial Pipeline to address the issue.
As the operators of the nation’s 2.7 million miles of pipelines for oil, natural gas, and other hazardous liquids embrace digital technology to run their businesses more efficiently, concerns about their susceptibility to hackers have grown. The Department of Homeland Security in February 2020 revealed that a ransomware attack on an unnamed natural gas compression facility caused the organization to shut down its operations for two days.
A breach of the IT services that pipeline operators use to process transactions can also be a risk to business. In April 2018, a hack of a billing software vendor used by Texas-based Energy Transfer Partners LP, which owns more than 71,000 miles of pipelines, forced the company to process transactions on its own until the issue was resolved.
More broadly, U.S. national security officials have warned for years that state-sponsored hackers from Russia and elsewhere had demonstrated an interest in mapping vulnerabilities in U.S. critical infrastructure such as electric systems and pipelines.
In general, “China has the ability to launch cyberattacks that cause localized, temporary disruptive effects on critical infrastructure—such as disruption of a natural gas pipeline for days to weeks,” U.S. intelligence agencies said in a 2019 assessment of global security threats.
U.S. lawmakers in late 2018 called on DHS to step up its cybersecurity guidelines and services to support pipeline operators out of concern the U.S. government was not doing enough.
https://mobile.twitter.com/CISAgov/status/1391124273155219459
Tomi Engdahl says:
National Risk Management
https://www.cisa.gov/pipeline-cybersecurity-initiative
Tomi Engdahl says:
Cyber attack shuts down U.S. fuel pipeline ‘jugular,’ Biden briefed
https://www.reuters.com/technology/colonial-pipeline-halts-all-pipeline-operations-after-cybersecurity-attack-2021-05-08/
Top U.S. fuel pipeline operator Colonial Pipeline shut its entire network, the source of nearly half of the U.S. East Coast’s fuel supply, after a cyber attack on Friday that involved ransomware.