This posting is here to collect cyber security news in June 2021.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
341 Comments
Tomi Engdahl says:
Domain seizure per Operation Ironside/Trojan shield asking the users to turn themselves in! https://www.anom.io
See also https://www.npr.org/2021/06/08/1004332551/drug-rings-platform-operation-trojan-shield-anom-operation-greenlight
Tomi Engdahl says:
Fake encrypted app cooked up over beers by Aussie cops and the FBI leads to global sting that has smashed gangs in UK and across the world – with 100 crime bosses busted and huge haul of drugs, cash and luxury goods seized
https://www.dailymail.co.uk/news/article-9663125/Fake-encrypted-app-cooked-beers-Aussie-cops-FBI-leads-global-sting.html
Fake encrypted app was developed by the FBI and introduced into the criminal underworld 18 months ago
The app called ‘AN0M’ spread to 12,000 phones, across 300 crime gangs in more than 100 countries
The UK National Crime Agency said it had carried out ‘multiple operations’ as a result of the sting operation
4,000 Australian cops were deployed Monday night as part of sweeping raid on safe houses across the nation
Globally, AN0M led to confiscation of £100m in cash, 6 tons of cocaine, 4 tons of cannabis, 2 tons of meth
The app was used by international drugs kingpins who unwittingly acted as ‘influencers’ giving it legitimacy
But instead of keeping their messages secret, it re-routed all their messages to the FBI and its partner forces
Celebrities from Australian reality TV were snared along with notorious biker gangsters and the country’s most wanted criminal, who was the jewel in the FBI’s crown, boosting the app to the global underworld
Tomi Engdahl says:
Trojan Shield: How the FBI Secretly Ran a Phone Network for Criminals
https://www.vice.com/en/article/akgkwj/operation-trojan-shield-anom-fbi-secret-phone-network?utm_source=motherboardtv_facebook&utm_medium=social
New court records detail how the FBI turned encrypted phone company ‘Anom’ into a honeypot for organized crime.
For years the FBI has secretly run an encrypted communications app used by organized crime in order to surreptitiously collect its users’ messages and monitor criminals’ activity on a massive scale, according to a newly unsealed court document. In all, the elaborate operation netted more than 20 million messages from over 11,800 devices used by suspected criminals.
“The FBI opened a new covert investigation, Operation Trojan Shield, which centered on exploiting Anom by inserting it into criminal networks and working with international partners, including the Australian Federal Police (“AFP”), to monitor the communications,”
The AFP began going public with the contours of Anom Tuesday morning local time, and announced it had begun making arrests with data pulled from the honeypot.
In 2018, the FBI arrested Vincent Ramos, the CEO of Phantom Secure, which provided custom, privacy-focused devices to organized criminals. In the wake of that arrest, a confidential human source (CHS) who previously sold phones on behalf of Phantom and another firm called Sky Global, was developing their own encrypted communications product.
This CHS then “offered this next generation device, named ‘Anom,’ to the FBI to use in ongoing and new investigations,” the court document reads. While criminals left Phantom, they flocked to other offerings. One of those was Anom; the FBI started what it called Operation Trojan Shield, in which it effectively operated a communications network targeted to criminals and intercepted messages running across it.
The FBI, AFP, and CHS built the Anom system in such a way that a master key silently attached itself to every message set through the app, enabling “law enforcement to decrypt and store the message as it is transmitted,” the document reads.
“A user of Anom is unaware of this capability,” it adds.
But first the FBI and their source needed to establish Anom as an option in the criminal underworld.
The CHS introduced Anom to his already trusted distributors of mobile devices, who were in turn trusted by criminal organizations, the document reads. Three people in Australia who had previously distributed Phantom, “seeing a huge payday,” agreed to then sell these Anom devices, the document adds. With this, “the FBI aimed to grow the use of Anom organically through these networks,” it reads.
“Introducing Anom—a Ultra-Secure Mobile-Cell-Phone Messaging App for Android,” the announcement read. “Your Confidentiality, Assured. Software hardened against targeted surveillance and intrusion—Anom Secure. Keep Secrets Safe!”
The Phantom, Sky, and Encrochat operations showed that law enforcement may shutdown or even hack into encrypted phone companies. But the Anom case shows that law enforcement will also go one step further: they will run such a network themselves. A previous DEA operation involved something similar but on a much smaller scale with BlackBerry devices.
Tomi Engdahl says:
Many criminals fell for the FBI’s fake app in Finland too – a warehouse was found in Tampere where gun parts were being manufactured with a 3D printer
https://yle.fi/uutiset/3-11970836?utm_source=facebook&utm_campaign=yleuutiset&utm_medium=social
A comparable investigative method has never been used in Finland before. According to the head of the Finnish investigation, the investigation has strictly followed Finnish law. Behind it is a fake messaging platform developed by the FBI, with which it was able to eavesdrop on criminals.
Tomi Engdahl says:
Two U.S. agents — one IRS, one DEA — created a fake offshore bank to catch drug traffickers.
Episode 418: How The Government Set Up A Fake Bank To Launder Drug Money
https://www.npr.org/sections/money/2012/11/20/165590860/episode-418-how-the-government-set-up-a-fake-bank-to-launder-drug-money
One day in the early 1990s, a man walked into the U.S. embassy in Ecuador. He said he had information somebody would want to hear — information on how to go after some of the most powerful drug traffickers in the world.
The man worked as a money changer. He said he was getting a lot of requests from traffickers who had a problem: They had so much cash that they didn’t know what to do with it. They couldn’t figure out how to launder their money.
What they needed was an offshore bank to help them. On today’s show, we hear how two U.S. agents — one IRS, one DEA — created a fake offshore bank to catch drug traffickers.
Tomi Engdahl says:
The Criminals Thought the Devices Were Secure. But the Seller Was the F.B.I.
Global law enforcement officials
https://www.nytimes.com/2021/06/08/world/australia/operation-trojan-horse-anom.html?smtyp=cur&smid=fb-nytimes
Tomi Engdahl says:
ANOM: Hundreds arrested in massive global crime sting using messaging app
https://www.bbc.com/news/world-57394831
More than 800 suspected criminals have been arrested worldwide after being tricked into using an FBI-run encrypted messaging app, officials say.
The operation, jointly conceived by Australia and the FBI, saw devices with the ANOM app secretly distributed among criminals, allowing police to monitor their chats about drug smuggling, money laundering and even murder plots.
Targets included drug gangs and people with links to the mafia.
The FBI began operating an encrypted device network called ANOM, and covertly distributed devices with the chat app among the criminal underworld via informants.
Tomi Engdahl says:
Melissa Heikkilä / Politico:
An open letter with 170 signatories in 55 countries calls for a ban on biometric recognition tech, after EU proposes AI rules that critics say have loopholes — Activists fear loopholes in the bloc’s artificial intelligence bill could allow for widespread facial recognition beyond Europe’s borders.
Europe’s AI rules open door to mass use of facial recognition, critics warn
https://www.politico.eu/article/eu-ai-artificial-intelligence-rules-facial-recognition/
Activists fear loopholes in the bloc’s artificial intelligence bill could allow for widespread facial recognition beyond Europe’s borders.
Tomi Engdahl says:
NYC’s 1,000-Lawyer Law Department Targeted by Cyberattack
https://www.securityweek.com/nyc%E2%80%99s-1000-lawyer-law-department-targeted-cyberattack
New York City’s law department was hit with a cyberattack that forced officials to take the 1,000-lawyer agency offline, but Mayor Bill de Blasio said he believes no data was compromised in the hack.
“To this hour we have not seen information compromised or a ransom demand,” the Democratic mayor said at a virtual news briefing on Tuesday, adding that the investigation was “evolving.”
City officials said they disconnected the law department’s computers from the city’s network on Sunday, after discovering the cyberattack.
“As the investigation remains ongoing, the City has taken additional steps to maintain security, including limiting access to the Law Department’s network at this time,” de Blasio spokesperson Laura Feyer said in a statement.
Geoff Brown, the city’s chief information security officer, who joined de Blasio at Tuesday’s briefing, said the attack was “not a ransom situation” but declined to discuss possible motives.
Tomi Engdahl says:
Adobe Patches Major Security Flaws in PDF Reader, Photoshop
https://www.securityweek.com/adobe-patches-major-security-flaws-pdf-reader-photoshop
According to the San Jose, Calif. software maker, this month’s batch of patches address a swathe of potentially dangerous vulnerabilities in Adobe Acrobat and Reader, Adobe Photoshop, and the ever-present Adobe Creative Cloud Desktop Application.
The most serious of the vulnerabilities could allow attackers to take complete control of a Windows or macOS machine with minimal user action. In some cases, malicious exploits can be triggered remotely to hijack unpatched machines, Adobe warned.
Windows and MacOS users and network administrators are encouraged to prioritize the Adobe Acrobat and Reader update, a patch that provides cover for at least five memory corruption vulnerabilities that expose users to remote code execution attacks.
“These updates address multiple critical vulnerabilities. Successful exploitation could lead to arbitrary code execution in the context of the current user,” Adobe said.
https://helpx.adobe.com/security/products/acrobat/apsb21-37.html
Tomi Engdahl says:
Organizations Warned About DoS Flaws in Popular Open Source Message Brokers
https://www.securityweek.com/organizations-warned-about-dos-flaws-popular-open-source-message-brokers
Organizations have been warned about denial of service (DoS) vulnerabilities found in RabbitMQ, EMQ X and VerneMQ, three widely used open source message brokers.
Message brokers enable applications, systems and services to communicate with each other and exchange information by translating messages between formal messaging protocols. One of the protocols they use is Message Queuing Telemetry Transport (MQTT).
A researcher at the Synopsys Cybersecurity Research Center discovered that specially crafted MQTT messages can cause excessive memory consumption in RabbitMQ (owned by VMware), EMQ X and VerneMQ, leading to the operating system terminating the application.
A type of malformed message that causes a DoS condition has been identified for each of the three message brokers, but there does not appear to be a single message that impacts all three brokers.
“Message brokers can be the nerve center of a complex system,” Jonathan Knudsen, the researcher who discovered the flaws, told SecurityWeek. “If the message broker isn’t working, then the various components of the system cannot communicate. Whatever services are provided by that system are unavailable until the message broker is restored.”
Tomi Engdahl says:
Justice Dept. Claws Back $2.3M Paid by Colonial Pipeline to Ransomware Gang https://krebsonsecurity.com/2021/06/justice-dept-claws-back-2-3m-paid-by-colonial-pipeline-to-ransomware-gang/
The U.S. Department of Justice said today it has recovered $2.3 million worth of Bitcoin that Colonial Pipeline paid to ransomware extortionists last month. Also:
https://thehackernews.com/2021/06/us-recovers-23-million-ransom-paid-to.html
Also:
https://threatpost.com/fbi-claws-back-millions-darksides-ransom/166705/
Also: https://yle.fi/uutiset/3-11970237
Tomi Engdahl says:
StackOverflow, Twitch, Reddit, others down in Fastly CDN outage https://www.bleepingcomputer.com/news/security/stackoverflow-twitch-reddit-others-down-in-fastly-cdn-outage/
Major websites around the world are either completely down or not loading properly in a global outage. Also:
https://status.fastly.com/
Also:
https://www.wired.com/story/fastly-cdn-internet-outages-2021/
Tomi Engdahl says:
This is the malware plaguing Finns’ phones: here is how it spreads and steals your data, and how to get rid of it https://www.is.fi/digitoday/tietoturva/art-2000008034177.html
The malware distribution campaign targeting Finns’ phones that began last Thursday is different from those previously seen in Finland and exceptionally aggressive in nature. Also:
https://www.kyberturvallisuuskeskus.fi/fi/tekstiviestitse-levitettavat-android-haittaohjelmat
Tomi Engdahl says:
“I installed a video in which you masturbate”: beware of this extortion message!
https://www.iltalehti.fi/tietoturva/a/35c6b655-05ad-4b67-a20e-e1ef422db953
The so-called porn extortionists have become active again and started sending extortion messages to Finns. These messages claim that a virus has been installed on the recipient’s computer, which has allowed their visits to porn sites to be monitored. Also:
https://www.kyberturvallisuuskeskus.fi/fi/ajankohtaista/pornokiristyksia-runsaasti-liikkeella-ala-usko-huijarien-vaitteita
Tomi Engdahl says:
FBI and Australian police ran an encrypted chat platform to catch criminal gangs https://therecord.media/fbi-and-australian-police-ran-an-encrypted-chat-platform-to-catch-criminal-gangs/
The FBI and Australian Federal Police ran an encrypted chat platform and intercepted secret messages between criminal gang members from all over the world for more than three years. Also:
https://yle.fi/uutiset/3-11970836
Also:
https://hotforsecurity.bitdefender.com/blog/criminal-networks-smashed-after-using-secure-chat-app-secretly-run-by-cops-25948.html
https://blog.malwarebytes.com/reports/2021/06/800-arrested-after-police-dupe-criminals-with-backdoored-message-service-an0m/
Tomi Engdahl says:
Novel ‘Victory’ Backdoor Spotted in Chinese APT Campaign https://threatpost.com/victory-backdoor-apt-campaign/166700/
Researchers said the malware has been under development for at least three years. An ongoing surveillance operation has been uncovered that targets a Southeast Asian government using previously unknown espionage malware, researchers said. Also:
https://research.checkpoint.com/2021/chinese-apt-group-targets-southeast-asian-government-with-previously-unknown-backdoor/
Tomi Engdahl says:
New UAF Vulnerability Affecting Microsoft Office to be Patched Today https://thehackernews.com/2021/06/new-uaf-vulnerability-affecting.html
Four security vulnerabilities discovered in the Microsoft Office suite, including Excel and Office online, could be potentially abused by bad actors to deliver attack code via Word and Excel documents.
Also:
https://research.checkpoint.com/2021/fuzzing-the-office-ecosystem/
Microsoft June 2021 Patch Tuesday: 50 vulnerabilities patched, six zero-days exploited in the wild https://www.zdnet.com/article/microsoft-june-2021-patch-tuesday-50-vulnerabilities-patched-including-six-zero-days-exploited-in-the-wild/
Six out of seven zero-days are being actively used in cyberattacks.
Also: https://www.bleepingcomputer.com/news/microsoft/microsoft-june-2021-patch-tuesday-fixes-6-exploited-zero-days-50-flaws/
Four Security Vulnerabilities were Found in Microsoft Office https://blog.checkpoint.com/2021/06/08/four-security-vulnerabilities-were-found-in-microsoft-office/
Check Point Research (CPR) urges Windows users to update their software, after discovering four security vulnerabilities that affect products in Microsoft Office suite, including Excel and Office online.
Rooted from legacy code, the vulnerabilities could have granted an attacker the ability to execute code on targets via malicious Office documents, such as Word, Excel and Outlook.
Tomi Engdahl says:
PuzzleMaker attacks with Chrome zero-day exploit chain https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/
On April 14-15, 2021, Kaspersky technologies detected a wave of highly targeted attacks against multiple companies. Closer analysis revealed that all these attacks exploited a chain of Google Chrome and Microsoft Windows zero-day exploits. Also:
https://www.bleepingcomputer.com/news/security/windows-10-targeted-by-puzzlemaker-hackers-using-chrome-zero-days/
Tomi Engdahl says:
Massive internet outage hits websites including Amazon, gov.uk and Guardian
Technical problem traced to network run by Fastly brings some sites down entirely
https://www.theguardian.com/technology/2021/jun/08/massive-internet-outage-hits-websites-including-amazon-govuk-and-guardian-fastly?CMP=fb_a-technology_b-gdntech
The failure was not geographically universal. Users in some locations, such as Berlin, reported no problems, while others experienced massive failures across the internet. Outages were reported in locations as varied as London, Texas and New Zealand.
Within minutes of the outage starting, Fastly, a cloud computing services provider, acknowledged that its content distribution network was the cause of the problem. The company runs an “edge cloud”, which is designed to speed up loading times for websites, protect them from denial-of-service attacks, and help them deal with bursts of traffic.
Despite speculation on social media that the outage was the result of a malicious attack, leading to the hashtag #cyberattack trending on Twitter, there is no evidence pointing to foul play. Instead, the company says a configuration error was at fault. A Fastly spokesperson said: “We identified a service configuration that triggered disruptions across our POPs [points of presence] globally and have disabled that configuration. Our global network is coming back online.”
Boris Johnson’s spokesman said the government was aware of the problems with accessing gov.uk. He also said reports that users were unable to book Covid-19 tests online were being investigated as a “matter of urgency”.
Asked if ministers believed a malicious foreign group or state was responsible, he said the outage “appears to be… affecting a number of sites globally, it doesn’t appear to be targeted at any one site”.
Different websites handled the outage in different ways.
Tomi Engdahl says:
One Fastly customer ‘triggered internet meltdown’
https://www.bbc.com/news/technology-57413224
A major internet blackout that hit many high-profile websites on Tuesday has been blamed on a software bug.
Fastly, the cloud-computing company responsible for the issues, said the bug had been triggered when one of its customers had changed their settings.
The outage has raised questions about relying on a handful of companies to run the vast infrastructure that underpins the internet.
Fastly apologised and said the problem should have been anticipated.
But a customer changing their settings had exposed a bug in a software update issued to customers in mid-May, causing “85% of our network to return errors”, it said.
Tomi Engdahl says:
Microsoft Office vulnerability revealed: update Windows immediately
It is recommended that the Windows operating system be updated immediately.
https://www.yrittajat.fi/uutiset/652953-microsoft-office-haavoittuvuus-paljastui-paivita-windows-heti?utm_source=facebook&utm_medium=some_ad&utm_campaign=sy_jatkuva
Tomi Engdahl says:
Geniuses bought comms devices w/ malware pre-installed by the feds!
“Heavy blow against organized crime” after criminal “kingmakers” tricked into using FBI-run messaging app
https://www.cbsnews.com/news/anom-app-fbi-criminals-trojan-shield/
Authorities in Australia, New Zealand, the U.S. and Europe said Tuesday that they’ve dealt a huge blow to organized crime after hundreds of criminals were tricked into using a messaging app that was being secretly run by the FBI. Police said criminal gangs thought the encrypted app called ANOM was safe from snooping when, in fact, authorities for months had been monitoring millions of messages about drug smuggling, money laundering and even planned killings.
The app was part of a worldwide sting called operation Trojan Shield, which was led by the FBI and involved the U.S. Drug Enforcement Administration, the European Union police agency Europol and law enforcement agencies in more than a dozen countries.
Europol said police from a total of 16 countries had carried out raids sparked by evidence from the FBI-monitored smart phones.
Tomi Engdahl says:
Passwords compromised on a huge scale, again:
Largest password data breach in history has been leaked online
https://techxplore.com/news/2021-06-largest-password-breach-history-leaked.html
Back in 2009, threat actors hacked into the website servers of social app RockYou, accessing over 32 million user passwords stored in plaintext. Now, in what appears to be the largest data breach in history, attackers have compromised 262 times as many passwords. With 3.2 billion leaked passwords from multiple databases, this attack has been dubbed RockYou2021.
As only 4.7 billion users utilize the Internet, that means RockYou2021 could actually involve the passwords of nearly twice the global population. Therefore, users should immediately check to see whether their passwords were affected by this leak. Users can check for password compromise using the website Have I Been Pwned or the CyberNews personal data leak checker.
Threat actors can take advantage of the RockYou2021 password collection by combining 8.4 billion unique password variations with existing breach compilations of email addresses and usernames. The hackers could then use these credentials for dictionary and password spraying attacks against an unknowable number of online accounts.
So far, research suggests that all of the passwords involved in this leak have non-ASCII characters between 6-20 characters each, with white spaces removed.
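The article above recommends checking leaked passwords against Have I Been Pwned. The following added example (not code from the article or from the HIBP project) shows how the Pwned Passwords k-anonymity check works offline: only the first five hex characters of the SHA-1 hash identify a range, and the matching suffix is searched on the client. The range response is constructed for the demo in the service’s `SUFFIX:COUNT` line format, the breach count is illustrative, and `fake_fetch_range` stands in for the HTTP request.

```python
"""Offline demonstration of a Pwned Passwords style k-anonymity check.
The password never leaves the client: only a 5-character hash prefix would be
sent to the range endpoint, and the full-hash comparison happens locally."""
import hashlib

PREFIX_LEN = 5  # the real service takes the first 5 hex characters of SHA-1


def sha1_hex(password):
    """Uppercase hex SHA-1 of the password, the form the service uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password):
    """Return (prefix that would be sent to the service, suffix kept locally)."""
    digest = sha1_hex(password)
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def parse_range_response(text):
    """Parse 'SUFFIX:COUNT' lines into a dict. Blank lines and CRLF endings
    are tolerated because the real service emits CRLF."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, fetch_range):
    """fetch_range(prefix) stands in for GET /range/{prefix}.
    Returns how often the password appeared in breach data (0 = not seen)."""
    prefix, suffix = split_hash(password)
    counts = parse_range_response(fetch_range(prefix))
    return counts.get(suffix, 0)


# Constructed offline 'service': one commonly breached password with an
# illustrative count, plus two filler suffixes so the range is not a
# single line. Nothing here comes from the real HIBP data set.
_PWNED = {sha1_hex("password123"): 3700000}
_FILLER = ["0" * 34 + "A:1", "F" * 34 + "B:2"]  # 35-char suffixes


def fake_fetch_range(prefix):
    """Assumed stand-in for the network call; returns a CRLF-separated body."""
    lines = list(_FILLER)
    for digest, count in _PWNED.items():
        if digest.startswith(prefix):
            lines.append(digest[PREFIX_LEN:] + ":" + str(count))
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    print(breach_count("password123", fake_fetch_range))  # 3700000
    print(breach_count("c0rrect-h0rse-battery", fake_fetch_range))  # 0
```

Swapping `fake_fetch_range` for a real HTTP GET of the prefix keeps the same privacy property: the suffix, and therefore the password, stays on the client.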
Tomi Engdahl says:
Why it’s never a good idea to cut back on testing….
Fastly says single customer triggered bug behind mass internet outage
https://www.theguardian.com/technology/2021/jun/09/fastly-says-single-customer-triggered-bug-that-caused-mass-outage
Flaw was introduced in May and lay dormant until a customer updated their settings, firm says
An internet blackout that knocked out some of the world’s biggest websites on Tuesday was ultimately caused by a single customer updating their settings, the infrastructure provider Fastly has revealed.
A bug in Fastly’s code introduced in mid-May had lain dormant until Tuesday morning, according to Nick Rockwell, the company’s head of engineering and infrastructure. When the unnamed customer updated their settings, it triggered the flaw, which ultimately took down 85% of the company’s network.
“On May 12, we began a software deployment that introduced a bug that could be triggered by a specific customer configuration under specific circumstances,” Rockwell said. “Early June 8, a customer pushed a valid configuration change that included the specific circumstances that triggered the bug, which caused 85% of our network to return errors.
“We detected the disruption within one minute, then identified and isolated the cause, and disabled the configuration. Within 49 minutes, 95% of our network was operating as normal.”
Rockwell added: “Even though there were specific conditions that triggered this outage, we should have anticipated it. We provide mission-critical services, and we treat any action that can cause service issues with the utmost sensitivity and priority. We apologize to our customers and those who rely on them for the outage and sincerely thank the community for its support.”
The content delivery network (CDN) operated by Fastly is one of the largest on the internet, along with similar networks operated by Akamai, Cloudflare and Amazon’s CloudFront. All operate on the same principle: that the internet is faster and more stable if users can connect to servers physically close to them, optimised for handling lots of traffic.
In typical times, doing so not only cuts loading times but also allows the CDN operators, with expertise in running internet infrastructure, to take on the burden of handling security threats, unexpected traffic spikes, and high bandwidth bills. But the outage highlighted the risks associated with a concentration of critical internet infrastructure in the hands of just a few companies.
Counterintuitively, the outage and recovery led to a rise in Fastly’s stock price, which was up 12% over the course of Tuesday. The increase may have been because the company had demonstrated an effective incident response plan, or simply because the outage had served to make investors more aware of the scale of Fastly’s business and the size of its customer base.
The effects will not have been quite so rosy for Fastly’s customers. At Amazon alone, for instance, the outage could have lost the company $32m in sales, according to a calculation by the SEO agency Reboot.
“Although it seems they weren’t down for long, the impact it would have had will be huge, especially on e-commerce sites,”
Few Fastly customers were able to switch over to a backup system in time to recover from the outage, in part because doing so is typically considered more high-risk than simply waiting for the provider to fix problems.
Tomi Engdahl says:
Internet outage illustrates lack of resilience at heart of critical services
It is not clear if UK government had alternative that would have allowed services to be back online promptly
https://www.theguardian.com/technology/2021/jun/08/internet-outage-illustrates-lack-of-resilience-at-heart-of-critical-services
Tuesday morning’s 45-minute internet outage, which knocked out the Gov.uk domain as well as a string of publishers and other websites, cannot easily be dismissed as an isolated event. It demonstrates a lack of resilience at the heart of critical government services.
What is unclear is if the government or any of the other websites affected had an alternative solution that would have allowed them to be back online promptly.
Yet Paddy McGuinness, a former deputy director of national security until 2018, observes that “technology that starts out as nice to have is rapidly becoming fundamental to the way we operate. But too often resilience is an afterthought.”
Some parts of Britain’s national infrastructure, such as nuclear power, have a high degree of resilience built in from the start for safety reasons. But that has not been the case with other economically useful or practically significant services, not least the growing amount of business undertaken online.
Britain’s government and security establishment says it is a world leader in computer security, with politicians often highlighting the country’s National Cyber Security Centre. But as the Fastly network outage reveals: new dependencies and new vulnerabilities are emerging and it is not obvious if those responsible for homeland security are always one step ahead.
Tomi Engdahl says:
Major internet outage ‘shows infrastructure needs urgent fixing’
Experts say outage shows internet services too centralised and lack resilience
https://www.theguardian.com/technology/2021/jun/08/security-warning-error-cloud-websites-offline-outage
One of the world’s biggest web outages should act as a “wake-up call” that internet infrastructure has become dangerously over-centralized and lacks resilience.
Tomi Engdahl says:
Microsoft says SolarWinds hackers have struck again at the US and other countries
https://www.wktv.com/content/news/574522532.html
The hackers behind one of the worst data breaches ever to hit the US government have launched a new global cyberattack on more than 150 government agencies, think tanks and other organizations, according to Microsoft.
The group, which Microsoft calls “Nobelium,” targeted 3,000 email accounts at various organizations this week — most of which were in the United States, the company said in a blog post Thursday.
It believes the hackers are part of the same Russian group behind last year’s devastating attack on SolarWinds — a software vendor — that targeted at least nine US federal agencies and 100 companies.
Tomi Engdahl says:
The M.T.A. Is Breached by Hackers as Cyberattacks Surge
https://www.nytimes.com/2021/06/02/nyregion/mta-cyber-attack.html
Hackers with suspected ties to China penetrated the New York transit agency’s computer systems in April, an M.T.A. document shows. Transit officials say the intrusion did not pose a risk to riders.
Tomi Engdahl says:
PuzzleMaker: Targeted attacks against multiple companies
Our technologies detected targeted attacks involving a number of zero-day exploits.
https://www.kaspersky.com/blog/chrome-windows-zero-day/40191/
Behavioral threat detection and exploit prevention technologies in Kaspersky Endpoint Security for Business have identified a wave of highly targeted attacks on several companies. These attacks used a chain of zero-day exploits of Google’s Chrome browser and Microsoft Windows vulnerabilities. By now, patches for the vulnerabilities are available (as of a Microsoft update released June 8), so we recommend everybody update both browser and OS. We are calling the threat actor behind these attacks PuzzleMaker.
Tomi Engdahl says:
RockYou2021: largest password compilation of all time leaked online with 8.4 billion entries
https://securityaffairs.co/wordpress/118696/data-breach/rockyou2021-largest-password-compilation-of-all-time-leaked-online-with-8-4-billion-entries.html
Tomi Engdahl says:
Finding Path Traversal Vulnerability
https://pentestmag.com/finding-path-traversal-vulnerability/
Local File Inclusion (LFI), also known as path traversal, is a vulnerability that can potentially allow an attacker to view sensitive documents or files on the server. It can also lead to remote code execution or denial of service, but before jumping into what local file inclusion (LFI) is, let’s understand how modern-day web applications handle application files.
Why does this Vulnerability Occur?
Now you know that many applications use this so-called inclusion functionality to manage images, templates, code and static text. The problem arises when these input parameters or inclusion functions are improperly validated. Attackers take advantage of this and are able to pass payloads (known file paths), which could result in sensitive data leaking out, as the inclusion function has the ability to read any file from the server. It can even give attackers a remote shell on the server.
How to Hunt Local File Inclusion?
Finding a path traversal vulnerability is fairly easy; in order to find one, you should be able to perform the following tasks:
Enumerate inclusion functions
Test the enumerated inclusion functions
Well, how can one enumerate inclusion functions? It’s easy: you just need to keep the following questions in mind.
Where are the inclusion functions or file-related parameters in the URL or request body?
Can you see unusual file extensions in the URL or request body?
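The comment above explains why an improperly validated inclusion parameter lets a caller read any file on the server. The following added example (not code from the PentestMag article) puts a vulnerable file-inclusion handler beside a hardened one, so the fix can be tested directly. The web root, template directory and `config.ini` are constructed in a temporary directory for the demo; no web server is involved.

```python
"""Vulnerable and hardened file-inclusion handlers side by side.
The 'page' argument plays the role of a file-related request parameter."""
import os
import tempfile

# Constructed demo web root: a templates directory plus one file outside it
# that stands in for a sensitive server file.
ROOT = tempfile.mkdtemp(prefix="lfi_demo_")
TEMPLATE_DIR = os.path.join(ROOT, "templates")
os.makedirs(TEMPLATE_DIR)
with open(os.path.join(TEMPLATE_DIR, "header.html"), "w") as fh:
    fh.write("<h1>Welcome</h1>")
with open(os.path.join(ROOT, "config.ini"), "w") as fh:
    fh.write("db_password=constructed-secret")


def include_vulnerable(page):
    """The classic bug: the request parameter is joined straight onto the
    template directory, so a name such as '../config.ini' walks out of it."""
    with open(os.path.join(TEMPLATE_DIR, page)) as fh:
        return fh.read()


def include_hardened(page):
    """Resolve the final path and confirm it is still inside TEMPLATE_DIR.
    Absolute names are rejected up front, and only regular files are served."""
    if os.path.isabs(page):
        raise ValueError("absolute paths are not allowed")
    base = os.path.realpath(TEMPLATE_DIR)
    target = os.path.realpath(os.path.join(base, page))
    # commonpath rather than a string prefix test: a sibling directory such
    # as 'templates2' would pass startswith(base) but fail this check.
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes template directory")
    if not os.path.isfile(target):
        raise FileNotFoundError(page)
    with open(target) as fh:
        return fh.read()


def traversal_blocked(page):
    """True if the hardened include refuses the name as a traversal attempt."""
    try:
        include_hardened(page)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(include_vulnerable("../config.ini"))  # leaks the constructed secret
    print(include_hardened("header.html"))      # legitimate include still works
    print(traversal_blocked("../config.ini"))   # True
    print(traversal_blocked("sub/../../config.ini"))  # True: realpath normalises
```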
Tomi Engdahl says:
Radio Spectrum Surveillance At The G7 Summit
https://www.youtube.com/watch?v=7VaHuOgNXy0&feature=share
Tomi Engdahl says:
“The world’s most dangerous USB cable”: never borrow a cable to charge your iPhone
1 June 2021 20:01 | updated 2 June 2021 11:12
“The world’s most dangerous USB cable” looks just like an ordinary iPhone charging cable.
https://www.mikrobitti.fi/uutiset/maailman-vaarallisin-usb-kaapeli-ala-ikina-lainaa-johtoa-iphonen-lataamiseen/4b6c7739-3d2a-402d-aeed-3049b6bef723
Tomi Engdahl says:
Researchers identified a new method to bypass anti-ransomware defenses in antivirus.
Researchers from two well-known universities have identified a new method to bypass the anti-ransomware defense feature of antivirus products, circumventing it via the "Cut and Mouse" technique and by simulating click events via the "Ghost Control" technique.
https://cyberworkx.in/2021/06/01/researchers-identified-the-new-method-to-bypass-anti-ransomware-defense-from-antivirus/
Cut and Mouse:
In this technique, ransomware can bypass anti-ransomware protection by controlling a trusted application such as Notepad or Paint and encrypting the victim's files, including those stored in protected folders.
The mitigation strategy proposed by the researchers: "Trusted applications should not receive messages from non-trusted applications."
Tomi Engdahl says:
https://krebsonsecurity.com/2021/05/try-this-one-weird-trick-russian-hackers-hate/
strains, has a hard-coded do-not-install list of countries which are the principal members of the Commonwealth of Independent States (CIS) — former Soviet satellites that mostly have favorable relations with the Kremlin. The full exclusion list in DarkSide (published by Cybereason)
Simply put, countless malware strains will check for the presence of one of these languages on the system, and if they’re detected the malware will exit and fail to install.
[Side note. Many security experts have pointed to connections between the DarkSide and REvil (a.k.a. “Sodinokibi”) ransomware groups.
CAVEAT EMPTOR
Will installing one of these languages keep your Windows computer safe from all malware? Absolutely not. There is plenty of malware that doesn’t care where in the world you are. And there is no substitute for adopting a defense-in-depth posture, and avoiding risky behaviors online.
But is there really a downside to taking this simple, free, prophylactic approach? None that I can see, other than perhaps a sinking feeling of capitulation. The worst that could happen is that you accidentally toggle the language settings and all your menu options are in Russian.
If this happens (and the first time it does the experience may be a bit jarring) hit the Windows key and the space bar at the same time; if you have more than one language installed you will see the ability to quickly toggle from one to the other.
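As an added example (my own, not Krebs's code), the check from the defender's side: a Python helper that tells you whether the languages installed on a Windows host would satisfy a DarkSide-style "is this a CIS system" test, so you can confirm the trick actually took effect. The language table is an illustrative subset keyed by Windows primary-language ID (from winnt.h), not the full exclusion list from the Cybereason write-up Krebs cites, and the user32/kernel32 calls only run on Windows; on other platforms the helper returns nothing so the pure functions can still be exercised.

```python
import ctypes
import sys

# Primary language identifiers (low 10 bits of a Windows LANGID), from winnt.h.
# Illustrative subset of CIS languages such malware looks for; NOT the DarkSide
# exclusion list verbatim. Primary IDs match every regional variant of a language.
CIS_PRIMARY_LANGS = {
    0x19: "Russian", 0x22: "Ukrainian", 0x23: "Belarusian", 0x3F: "Kazakh",
    0x28: "Tajik", 0x2B: "Armenian", 0x2C: "Azerbaijani", 0x37: "Georgian",
    0x40: "Kyrgyz", 0x42: "Turkmen", 0x43: "Uzbek", 0x44: "Tatar",
}


def primary_language(value: int) -> int:
    """An HKL carries the LANGID in its low 16 bits; the primary language is
    the low 10 bits of that, so this works on both HKLs and bare LANGIDs."""
    return value & 0x3FF


def matching_cis_languages(ids) -> list:
    """Names of listed languages present among HKL / LANGID values, no duplicates."""
    found = []
    for value in ids:
        name = CIS_PRIMARY_LANGS.get(primary_language(value))
        if name and name not in found:
            found.append(name)
    return found


def would_trip_exclusion_check(layout_ids, ui_langid=None) -> bool:
    """True if a check over keyboard layouts plus the UI language would see a
    listed language, i.e. the malware would exit without installing."""
    ids = list(layout_ids)
    if ui_langid is not None:
        ids.append(ui_langid)
    return bool(matching_cis_languages(ids))


def windows_layouts_and_ui_language():
    """Windows only: read the current user's keyboard layouts (GetKeyboardLayoutList)
    and UI language (GetUserDefaultUILanguage). Returns ([], None) elsewhere."""
    if sys.platform != "win32":
        return [], None
    user32, kernel32 = ctypes.windll.user32, ctypes.windll.kernel32
    count = user32.GetKeyboardLayoutList(0, None)
    buf = (ctypes.c_size_t * count)()
    user32.GetKeyboardLayoutList(count, buf)
    return [int(h) & 0xFFFF for h in buf], kernel32.GetUserDefaultUILanguage()


if __name__ == "__main__":
    layouts, ui = windows_layouts_and_ui_language()
    print("layouts:", [hex(h) for h in layouts], "ui:", hex(ui) if ui else None)
    print("would trip CIS exclusion check:", would_trip_exclusion_check(layouts, ui))
```

Run it on the host after adding the Russian layout; if it still reports False, the layout was added to a different user profile than the one you meant.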
Tomi Engdahl says:
Meat giant JBS pays $11m in ransom to resolve cyber-attack
https://www.bbc.com/news/business-57423008
The world’s largest meat processing company has paid the equivalent of $11m (£7.8m) in ransom to put an end to a major cyber-attack.
Computer networks at JBS were hacked last week, temporarily shutting down some operations in Australia, Canada and the US.
The payment was reportedly made using Bitcoin after plants had come back online.
JBS says it was necessary to pay to protect customers.
“This was a very difficult decision to make for our company and for me personally,” said JBS chief executive Andre Nogueira.
The company added that it paid the money because of the sophistication of the attack, even though the “vast majority” of its plants remained operational.
The company was forced to halt cattle slaughtering at all of its US plants for a day.
Tomi Engdahl says:
Hackers breach Electronic Arts, stealing game source code and tools
https://edition.cnn.com/2021/06/10/tech/electronic-arts-hack/index.html
Hackers have broken into the systems of Electronic Arts, one of the world’s biggest video game publishers, and stolen source code used in company games, a spokesperson confirmed to CNN Business on Thursday.
Online forum posts reviewed by CNN Business and vetted by an independent cybersecurity expert show that on June 6, hackers claimed to have obtained 780 gigabytes of data from EA (EA), including the Frostbite source code, which is the game engine that powers the FIFA, Madden, and Battlefield series of video games, among others.
The hackers claimed to offer “full capability of exploiting on all EA services.” They also claimed to have stolen software development tools for FIFA 21 and server code for player matchmaking in FIFA 22.
Player data was not compromised in the breach, the EA spokesperson told CNN.
The data breach was first reported by Vice, which cited some of the same forum posts. The EA spokesperson confirmed to CNN Business that EA’s statement is in response to the breach Vice reported.
Hackers Steal Wealth of Data from Game Giant EA
The data includes source code for FIFA 21 and the Frostbite engine.
https://www.vice.com/en/article/wx5xpx/hackers-steal-data-electronic-arts-ea-fifa-source-code
Hackers have broken into gaming giant Electronic Arts, the publisher of Battlefield, FIFA, and The Sims, and stolen a wealth of game source code and related internal tools, Motherboard has learned.
EA confirmed to Motherboard that it had suffered a data breach and that the information listed by the hackers was the data that was stolen.
“We are investigating a recent incident of intrusion into our network where a limited amount of game source code and related tools were stolen,”
did not publicly distribute any of the internal data itself. Instead, the hackers are, at least ostensibly, trying to sell the information.
Tomi Engdahl says:
The group of hackers who stole a wealth of data from game publishing giant Electronic Arts broke into the company in part by tricking an employee over Slack to provide a login token. The hackers claim they have 780GB of data, and are advertising it for sale on various underground forums.
How Hackers Used Slack to Break into EA Games
https://www.vice.com/en/article/7kvkqb/how-ea-games-was-hacked-slack
A representative for the hackers explained to Motherboard how the group stole a wealth of data from the game publishing giant.
A representative for the hackers told Motherboard in an online chat that the process started by purchasing stolen cookies being sold online for $10 and using those to gain access to a Slack channel used by EA. Cookies can save the login details of particular users, and potentially let hackers log into services as that person. In this case, the hackers were able to get into EA’s Slack using the stolen cookie. (Although not necessarily connected, in February 2020 Motherboard reported that a group of researchers discovered an ex-engineer had left a list of the names of EA Slack channels in a public facing code repository).
“Once inside the chat, we messaged a IT Support members we explain to them we lost our phone at a party last night,” the representative said.
The hackers then requested a multifactor authentication token from EA IT support to gain access to EA’s corporate network. The representative said this was successful two times.
Once inside EA’s network, the hackers found a service for EA developers for compiling games. They successfully logged in and created a virtual machine giving them more visibility into the network, and then accessed one more service and downloaded game source code.
Tomi Engdahl says:
2 weeks??? Why aren't the alarms being sounded as much as for Colonial? People are literally being diverted away from the emergency room.
Scripps ransomware shutdown hits the two-week mark
https://www.sandiegouniontribune.com/news/health/story/2021-05-14/scripps-ransomware-shutdown-hits-the-two-week-mark
Trauma, stroke cases to be diverted to other hospitals
As Scripps Health reaches the two-week mark in its ongoing ransomware outage, the “will be back soon” message posted on its website is beginning to look more than a little optimistic.
Though a company spokesman said the health system had nothing new to report on the situation Friday, employees who said they wished to remain anonymous to avoid losing their jobs, confirmed that critical electronic medical records systems remained offline, continuing to force paper documentation and slowing down the pace of care, especially in emergency departments.
“I cannot stress this enough, every minute we are there we feel like we are playing with our license,” one nurse said, adding that many have been advising their own family members to stay away. “We are all buying malpractice insurance at this time.”
California Department of Public Health said it “continues to monitor” Scripps facilities, adding that they “are operational and caring for patients using appropriate contingency protocols.”
Patients continue to give mixed reviews of how their care is being influenced by such a long-running cyber attack.
“They won’t take appointments, they won’t answer any questions about what is happening or when they might re-open, aren’t referring people to outside doctors, and will not even allow their doctors to speak with their patients via telephone as they say they cannot do that without a functioning medical records system,” Bernitz said.
Tomi Engdahl says:
Apple To Kill Passwords With Game-Changing New Face ID Move
https://www.forbes.com/sites/kateoflahertyuk/2021/06/11/apple-to-kill-passwords-with-game-changing-new-face-id-move/
Passwords can be a nightmare. They are often forgotten, exposed in breaches and repeated across services. It is with this in mind that Apple has become the latest big tech company to take game-changing steps towards removing passwords altogether, in favor of biometrics via its Face ID and Touch ID features.
The new iOS 15 feature, Passkeys in iCloud Keychain, will arrive on iPhones and Macs via iOS 15 and macOS Monterey. You can use it each time you sign up to a new service, as long as that service supports it.
Based on WebAuthn technology, all Passkeys will be generated and stored on your device. Like passwords on the iCloud Keychain, they will be synchronized across all your Apple devices via your Apple ID.
“Because it’s just a single tap to sign in, it’s simultaneously easier, faster and more secure than almost all common forms of authentication today,” says Garrett Davidson, an Apple authentication experience engineer.
Can Apple really kill passwords?
Google has also moved to try to eliminate passwords—or at least add another form of authentication—by making two-factor authentication a default for millions of Gmail users.
But Sean Wright, SME application security lead at Immersive Labs, says he doesn't see passwords being entirely replaced, at least for the next few years. "They have become so ingrained into systems that it will take a significant effort and cost to change this."
Even so, Wright thinks biometrics such as Apple’s Face ID and Touch ID are “great,” pointing out that “the convenience of them is far better than any password solution.”
However, the problem with biometrics, says Wright, is: “Once your biometric data has become compromised, how is that handled? This is not like a password—you can’t simply change your fingerprint or facial features.”
In fact, Wright thinks a better approach is to use hardware tokens such as the Yubico YubiKey. “That way if my token is ever compromised, I can simply replace it with another one.”
Tomi Engdahl says:
Fastly
Summary of June 8 outage
https://www.fastly.com/blog/summary-of-june-8-outage
We experienced a global outage due to an undiscovered software bug that surfaced on June 8 when it was triggered by a valid customer configuration change. We detected the disruption within one minute, then identified and isolated the cause, and disabled the configuration. Within 49 minutes, 95% of our network was operating as normal. Also:
https://www.zdnet.com/article/fastlys-global-outage-heres-what-went-wrong.
Also: https://www.bbc.com/news/technology-57413224. Also:
https://www.forbes.com/sites/daveywinder/2021/06/09/no-a-massive-cyberattack-did-not-take-down-the-internet-yesterday/
Tomi Engdahl says:
Mysterious Custom Malware Collects Billions of Stolen Data Points https://threatpost.com/custom-malware-stolen-data/166753/
Researchers have uncovered a 1.2-terabyte database of stolen data, lifted from 3.2 million Windows-based computers over the course of two years by an unknown, custom malware. The heisted info includes 6.6 million files and 26 million credentials, and 2 billion web login cookies with 400 million of the latter still valid at the time of the database’s discovery.
Tomi Engdahl says:
Hackers can mess with HTTPS connections by sending data to your email server https://arstechnica.com/gadgets/2021/06/hackers-can-mess-with-https-connections-by-sending-data-to-your-email-server/
Cross-protocol attacks could potentially steal login cookies or execute malicious code. The researchers are calling their cross-protocol attacks ALPACA, short for "application layer protocols allowing cross-protocol attacks." At the moment, ALPACA doesn't pose a major threat to most people. But the risk posed could increase as new attacks and vulnerabilities are discovered or TLS is used to protect additional communications channels. Also:
https://alpaca-attack.com/. Also:
https://thehackernews.com/2021/06/new-tls-attack-lets-attackers-launch.html
Tomi Engdahl says:
Intel Plugs 29 Holes in CPUs, Bluetooth, Security https://threatpost.com/intel-security-holes-cpus-bluetooth-security/166747/
Intel has unleashed 29 security advisories to plug up some serious bugs in the BIOS firmware for Intel processors, as well as in its Bluetooth products, Active Management Technology tools, the NUC Mini PC line, and, ironically, in its own security library. Also:
https://www.bleepingcomputer.com/news/security/intel-fixes-73-vulnerabilities-in-june-2021-platform-update/.
Also:
https://www.theregister.com/2021/06/09/intels_latest_patch_set/
Tomi Engdahl says:
Chinese hackers implicated in breach of Russian government agencies https://www.cyberscoop.com/china-hackers-russia-fsb-biden-putin/
Chinese hackers were likely behind a series of intrusions at Russian government agencies last year, security firm SentinelOne said Tuesday.
Malicious code used in the breaches is similar to hacking tools associated with a broad set of suspected Chinese spies that have also targeted Asian governments in recent years, SentinelOne researchers said. Also:
https://labs.sentinelone.com/thundercats-hack-the-fsb-your-taxes-didnt-pay-for-this-op/.
Also: https://rt-solar.ru/analytics/reports/2203/. Also:
https://news.drweb.com/show/?i=14177&lng=en
Tomi Engdahl says:
Spain’s Ministry of Labor and Social Economy hit by cyberattack https://www.bleepingcomputer.com/news/security/spains-ministry-of-labor-and-social-economy-hit-by-cyberattack/
The Spanish Ministry of Labor and Social Economy (MITES) is working on restoring services after being hit by a cyberattack on Wednesday.
MITES is a ministerial department with an annual budget of almost 39 million, charged with coordinating and supervising Spain's employment, social economy, and corporate social responsibility policies.
Tomi Engdahl says:
Ransomware gangs are increasingly going after SonicWall devices https://therecord.media/ransomware-gangs-are-increasingly-going-after-sonicwall-devices/
According to reports published in April (by Mandiant) and this week (by CrowdStrike), threat actors appear to have found a new target in SonicWall devices. Per the two reports, during the first half of the year, threat actors scanned the internet and relied on exploits for two vulnerabilities to hijack SonicWall equipment. Also:
https://www.crowdstrike.com/blog/how-ecrime-groups-leverage-sonicwall-vulnerability-cve-2019-7481/.
Also:
https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html
Tomi Engdahl says:
Gelsemium: When threat actors go gardening https://www.welivesecurity.com/2021/06/09/gelsemium-when-threat-actors-go-gardening/
In mid-2020, ESET researchers started to analyze multiple campaigns, later attributed to the Gelsemium group, and tracked down the earliest version of the malware going back to 2014. Victims of these campaigns are located in East Asia as well as the Middle East and include governments, religious organizations, electronics manufacturers and universities. Also:
https://www.theregister.com/2021/06/09/eset_gelsemium_research/.
Also:
https://www.bleepingcomputer.com/news/security/stealthy-gelsemium-cyberspies-linked-to-noxplayer-supply-chain-attack/
Tomi Engdahl says:
GitHub now scans for accidentally-exposed PyPI, RubyGems secrets https://www.bleepingcomputer.com/news/security/github-now-scans-for-accidentally-exposed-pypi-rubygems-secrets/
GitHub has recently expanded its secrets scanning capabilities to repositories containing PyPI and RubyGems registry secrets. The move helps protect millions of applications built by Ruby and Python developers who may inadvertently be committing secrets and credentials to their public GitHub repos.
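As an added example, not GitHub's scanner and not code from this comment, a small pre-commit style check for the two token formats the story mentions, so a developer can catch the same secrets before they reach a public repo. The `pypi-AgEIcHlwaS5vcmc` prefix is what PyPI API tokens really start with (base64 of the macaroon header naming `pypi.org`); the RubyGems key shape (`rubygems_` plus 48 hex characters), the minimum PyPI token length, and the sample file contents are assumptions constructed here.

```python
import re

# Token formats. PyPI API tokens are base64 macaroons whose first bytes encode
# the location "pypi.org", which fixes the prefix "pypi-AgEIcHlwaS5vcmc".
# The RubyGems pattern (prefix plus 48 hex chars) and the 50-char minimum
# PyPI body length are assumptions for this example.
PATTERNS = {
    "pypi-api-token": re.compile(r"pypi-AgEIcHlwaS5vcmc[A-Za-z0-9_-]{50,}"),
    "rubygems-api-key": re.compile(r"\brubygems_[0-9a-f]{48}\b"),
}


def redact(secret: str) -> str:
    """Keep enough to recognise the token without re-leaking it in a report."""
    return secret[:14] + "..." + secret[-4:]


def scan_text(text: str, source: str = "<memory>") -> list:
    """One finding per token occurrence: source, line number, kind, redacted value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append({
                    "source": source,
                    "line": lineno,
                    "kind": kind,
                    "redacted": redact(match.group(0)),
                })
    return findings


def scan_files(paths) -> list:
    """Scan each path; unreadable or binary files are skipped rather than fatal."""
    findings = []
    for path in paths:
        try:
            with open(path, encoding="utf-8") as fh:
                findings.extend(scan_text(fh.read(), source=path))
        except (OSError, UnicodeDecodeError):
            continue
    return findings


# Constructed samples: a .pypirc and a RubyGems credentials file with fake tokens.
SAMPLE_PYPIRC = (
    "[pypi]\n"
    "username = __token__\n"
    "password = pypi-AgEIcHlwaS5vcmc" + "Zm9vYmFy" * 10 + "\n"
)
SAMPLE_GEM_CREDS = (
    "---\n"
    ":rubygems_api_key: rubygems_" + "0123456789abcdef" * 3 + "\n"
    "# the placeholder below must NOT match\n"
    ":other: rubygems_not_a_real_key\n"
)

if __name__ == "__main__":
    hits = scan_text(SAMPLE_PYPIRC, ".pypirc") + scan_text(SAMPLE_GEM_CREDS, "credentials")
    for f in hits:
        print(f"{f['source']}:{f['line']} {f['kind']} {f['redacted']}")
    raise SystemExit(1 if hits else 0)  # non-zero so a git hook blocks the commit
```

Wire `scan_files` into a pre-commit hook over the staged file list; the non-zero exit is what makes git refuse the commit. The regexes are anchored on fixed prefixes on purpose: entropy-only heuristics produce noise on base64 blobs, while these prefixes are structural to the token formats.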