Cyber security news August 2021

This posting is here to collect cyber security news in August 2021.

I post links to security vulnerability news in the comments of this article.

You are also free to post related links to comments.

309 Comments

  1. Tomi Engdahl says:

    Hackers dump stolen Electronic Arts data after extortion failure
    https://www.computing.co.uk/news/4035305/hackers-dump-electronic-arts-data

    The thieves failed to find a buyer, then failed at extorting EA
    The hackers who stole a wealth of data from game publishing giant Electronic Arts (EA) last month have dumped their haul on an underground forum, after failing to extort the firm.

    The criminals released the data on 26th July, according to The Record, and it’s now being widely distributed on torrent sites.

  2. Tomi Engdahl says:

    Toll unsure if it lawyered up to avoid ASD assistance following ransomware attack
    Logistics company said it might have been the company that was flouting assistance from the ASD, even though ASD Director-General in March last year said her organisation had been working with Toll.
    https://www.zdnet.com/article/toll-unsure-if-it-lawyered-up-to-avoid-asd-assistance-following-ransomware-attack/

  3. Tomi Engdahl says:

    Trusted platform module security defeated in 30 minutes, no soldering required
    https://arstechnica.com/gadgets/2021/08/how-to-go-from-stolen-pc-to-network-intrusion-in-30-minutes/?amp=1

    Let’s say you’re a large company that has just shipped an employee a brand-new replacement laptop. And let’s say it comes preconfigured to use all the latest, best security practices, including full-disk encryption using a trusted platform module, password-protected BIOS settings, UEFI SecureBoot, and virtually all other recommendations from the National Security Agency and NIST for locking down federal computer systems. And let’s say an attacker manages to intercept the machine. Can the attacker use it to hack your network?

    Research published last week shows that the answer is a resounding “yes.” Not only that, but a hacker who has done her homework needs a surprisingly short stretch of time alone with the machine to carry out the attack. With that, the hacker can gain the ability to write not only to the stolen laptop but to the fortified network it was configured to connect to.

  4. Tomi Engdahl says:

    Russia tells UN it wants vast expansion of cybercrime offenses, plus network backdoors, online censorship
    And said entirely with a straight face, too
    https://www.theregister.com/2021/08/03/russia_cybercrime_laws/

    Russia has put forward a draft convention to the United Nations ostensibly to fight cyber-crime.

    The proposal, titled “United Nations Convention on Countering the Use of Information and Communications Technologies for Criminal Purposes,” [PDF] calls for member states to develop domestic laws to punish a far broader set of offenses than current international rules recognize.

    Russia, the ransomware hotbed whose cyber-spies were blamed for attacking US and allied networks, did not join the 2001 Budapest Convention on Cybercrime because it allowed cross-border operations, which it considers a threat to national sovereignty.

  5. Tomi Engdahl says:

    “Of course you can make a ghost ship there” – a hundred forged warships do not fool the authorities or the Navy https://www.is.fi/digitoday/tietoturva/art-2000008172783.html

  6. Tomi Engdahl says:

    AIS spoofing – New technologies for new threats
    https://windward.ai/blog/ais-spoofing-new-technologies-for-new-threats/

    Businesses and organizations that want to protect their assets and operations need to ensure that they utilize the most advanced technological innovations to do so while driving efficiencies, and staying ahead of new evasion tactics, such as AIS spoofing.

    When originally developed, the sole purpose of Automatic Identification Systems (AIS) was to enable vessels to see one another at sea, thereby avoiding collisions. With time, AIS use has evolved, and with it, the reliance vessels have on it. Today, governments and security agencies use AIS to detect and prevent illicit activities at sea, and private organizations use AIS data as a crucial element of their due-diligence process.

    The Safety of Life at Sea (SOLAS) convention recognized the benefits of AIS and sought to instil AIS transmissions as a primary safety tool for all vessels.

    Because AIS technology relies on radio frequency and, to some extent, manual inputting of data, it can be prone to human error or intentional manipulation.

  7. Tomi Engdahl says:

    HMS Defender: AIS spoofing is opening up a new front in the war on reality
    https://www.euronews.com/next/2021/06/28/hms-defender-ais-spoofing-is-opening-up-a-new-front-in-the-war-on-reality

    The voyage that didn’t happen
    In the early hours of June 19, the site’s tracking data showed the HMS Defender and a Dutch frigate, HNLMS Evertsen, approaching the port of Sevastopol in Crimea.

    The strange thing is, they weren’t there.

    A live webcam feed showed both ships were actually docked roughly 300 km away in Odessa, Ukraine, at the time Marine Traffic showed them approaching Russian-controlled territory.

    How do you spoof AIS?
    Shipping transparency watchdog Global Fishing Watch told Euronews Next that faking a ship’s position was complicated but possible.

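The two comments above make the same point from two angles: AIS positions are self-reported over radio and can be manipulated, and the HMS Defender track contradicted a webcam showing the ship still berthed in Odessa. Both observations can be turned into a mechanical consistency check. The code below is an added example, not code from Windward, Euronews or Global Fishing Watch: it computes the speed implied by consecutive AIS position reports and flags legs no surface vessel could make, and separately flags a report that disagrees with an independently observed position. The MMSI, timestamps, coordinates and the 45-knot ceiling are constructed assumptions for the example.

```python
"""Plausibility checks over AIS position reports (added example).

Two independent signals of a spoofed track:
  1. the speed implied by two consecutive reports exceeds what the
     vessel class can physically do;
  2. a report disagrees with a position confirmed by another source
     (port webcam, radar, satellite imagery).
"""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
from typing import List, Tuple

EARTH_RADIUS_KM = 6371.0
KM_PER_NAUTICAL_MILE = 1.852
MAX_PLAUSIBLE_KNOTS = 45.0  # assumption: generous ceiling for a frigate/destroyer


@dataclass(frozen=True)
class Report:
    mmsi: str
    when: datetime
    lat: float
    lon: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two WGS-84 points in kilometres."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def implied_speed_knots(a: Report, b: Report) -> float:
    """Speed needed to get from report a to report b in the elapsed time.
    Two reports with the same timestamp but different positions are
    treated as infinitely fast, i.e. impossible."""
    hours = (b.when - a.when).total_seconds() / 3600.0
    dist_km = haversine_km(a.lat, a.lon, b.lat, b.lon)
    if hours <= 0:
        return float("inf") if dist_km > 0 else 0.0
    return dist_km / KM_PER_NAUTICAL_MILE / hours


def flag_implausible_legs(reports: List[Report],
                          max_knots: float = MAX_PLAUSIBLE_KNOTS) -> List[Tuple[Report, Report, float]]:
    """Return (from, to, implied_knots) for every consecutive pair above max_knots."""
    ordered = sorted(reports, key=lambda r: r.when)
    flagged = []
    for a, b in zip(ordered, ordered[1:]):
        knots = implied_speed_knots(a, b)
        if knots > max_knots:
            flagged.append((a, b, knots))
    return flagged


def contradicts_reference(report: Report, ref_lat: float, ref_lon: float,
                          tolerance_km: float = 5.0) -> bool:
    """True when the AIS position is further than tolerance_km from a position
    confirmed by an independent source at (about) the same time."""
    return haversine_km(report.lat, report.lon, ref_lat, ref_lon) > tolerance_km


# Constructed sample track (not real AIS data): a warship berthed in Odessa
# whose later report places it off Sevastopol, roughly 300 km away.
ODESSA = (46.49, 30.74)       # approximate port coordinates
SEVASTOPOL = (44.62, 33.53)   # approximate port coordinates
SAMPLE_TRACK = [
    Report("000000000", datetime(2021, 6, 18, 22, 0), 46.490, 30.740),
    Report("000000000", datetime(2021, 6, 18, 22, 30), 46.492, 30.745),  # still alongside
    Report("000000000", datetime(2021, 6, 19, 0, 0), 44.620, 33.530),    # "approaching Sevastopol"
]
# Independent observation (constructed): port webcam shows the ship at the Odessa berth at 00:00.
WEBCAM_FIX = (datetime(2021, 6, 19, 0, 0), ODESSA)


def audit_track(track: List[Report] = SAMPLE_TRACK) -> dict:
    """Summarise both checks for a track."""
    legs = flag_implausible_legs(track)
    last = max(track, key=lambda r: r.when)
    return {
        "implausible_legs": [(a.when.isoformat(), b.when.isoformat(), round(k, 1)) for a, b, k in legs],
        "last_report_contradicts_webcam": contradicts_reference(last, *WEBCAM_FIX[1]),
    }


if __name__ == "__main__":
    for key, value in audit_track().items():
        print(f"{key}: {value}")
```

Running it flags the 22:30 to 00:00 leg (about 300 km in 90 minutes, over 100 knots) and reports that the final position contradicts the webcam fix. The speed check alone only catches clumsy spoofing; a carefully faked track with realistic legs passes it, which is why the second, out-of-band comparison is the stronger signal.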
  8. Tomi Engdahl says:

    Kaseya ransomware attack sets off race to hack service providers -researchers
    https://www.reuters.com/technology/kaseya-ransomware-attack-sets-off-race-hack-service-providers-researchers-2021-08-03/

    Now that criminals see how powerful MSP attacks can be, “they are already busy, they have already moved on and we don’t know where,” said Victor Gevers, head of the non-profit Dutch Institute for Vulnerability Disclosure, which warned Kaseya of the weaknesses before the attack.

    “This is going to happen again and again.”

    Gevers said his researchers had discovered similar vulnerabilities in more MSPs. He declined to name the firms because they have not yet fixed all the problems.

    Managed service providers include companies such as IBM (IBM.N) and Accenture (ACN.N) offering cloud versions of popular software and specialist firms devoted to specific industries. They typically serve small and medium-sized firms that lack in-house technology capabilities and often boost security.

  9. Tomi Engdahl says:

    Potentially unwanted apps will be blocked by default
    Windows 10
    https://support.microsoft.com/en-us/windows/potentially-unwanted-apps-will-be-blocked-by-default-b9f53cb9-7f1e-40bb-8c6b-a17e0ab6289e

    Potentially unwanted applications (PUA) are a category of software that can cause your device to run slowly, display unexpected ads, or at worst, install other software which may be more harmful or annoying. PUA isn’t malware, but it is software that you often don’t need and probably don’t want.

    In the Windows 10 May 2020 Update we added Potentially Unwanted App blocking for everyone running Windows 10, but customers who wanted to use it still had to turn it on.

  10. Tomi Engdahl says:

    Apple to scan U.S. iPhones for images of child sexual abuse
    https://apnews.com/article/technology-business-child-abuse-apple-inc-7fe2a09427d663cda8addfeeffc40196

    Apple unveiled plans to scan U.S. iPhones for images of child sexual abuse, drawing applause from child protection groups but raising concern among some security researchers that the system could be misused, including by governments looking to surveil their citizens.

    https://www.apple.com/child-safety/

  11. Tomi Engdahl says:

    The Scariest Things We Saw at Black Hat 2021
    The annual hacker conference showcases the best and most frightening research for the year.
    https://uk.pcmag.com/security/134940/the-scariest-things-we-saw-at-black-hat-2021

  12. Tomi Engdahl says:

    Black Hat: Enterprise players face ‘one-two-punch’ extortion in ransomware attacks
    Intrusions have become even more costly to the enterprise due to double-extortion tactics.
    https://www.zdnet.com/article/black-hat-enterprise-players-face-one-two-punch-extortion-tactics-in-ransomware-attacks/

  13. Tomi Engdahl says:

    More than 12,500 vulnerabilities disclosed in first half of 2021: Risk Based Security
    Of the vulnerabilities disclosed in 2021, 1,425 are remotely exploitable and have a public exploit as well as a mitigating solution while nearly 900 vulnerabilities that are remotely exploitable do not have a mitigating solution at all.
    https://www.zdnet.com/article/more-than-12500-vulnerabilities-disclosed-in-first-half-of-2021-risk-based-security/

  14. Tomi Engdahl says:

    From SVG and back, yet another mutation XSS via namespace confusion for DOMPurify < 2.2.2 bypass
    https://pentestmag.com/from-svg-and-back-yet-another-mutation-xss-via-namespace-confusion-for-dompurify-2-2-2-bypass/

  15. Tomi Engdahl says:

    New York City
    Citi Bikes being swiped by joyriding scammers who have cracked the QR code
    https://nypost.com/2021/08/07/citi-bikes-being-swiped-by-joyriding-scammers-who-have-cracked-the-qr-code/

    Local scam artists are pedaling a new con.

    They’re stealing Citi Bikes by switching the QR scan codes on two bicycles near each other at a docking station, then waiting for an unsuspecting cyclist to try to unlock a bike with his or her smartphone app.

    The app doesn’t work for the rider but does free up the nearby Citi Bike with the switched code, where a thief is waiting, jumps on the bicycle and rides off.

    The ripped-off ride is worth only $3 by itself. But the victimized customer could be on the hook for the $1,200 bike if it ends up lost or stolen. They’re also left without a way to get around town.

    “It’s happening every day,”

    The scam was caught on video near West 43rd Street.

    “Those kids just took off with your bike,” Richard explains to him. “They stole your bike switching off the QR codes. So now they can joyride on your dime.”

  16. Tomi Engdahl says:

    Israeli cyber company detects severe Amazon security breach
    https://www.jpost.com/jpost-tech/israeli-cyber-company-detects-severe-amazon-security-breach-676045

    Check Point, an Israeli cybersecurity provider, found that by clicking an e-book infected by malware, users could lose control of both their Kindle tablet and their Amazon accounts.

  17. Tomi Engdahl says:

    A 5G Shortcut Leaves Phones Exposed to Stingray Surveillance
    You may not have the full story
    https://www.wired.com/story/5g-network-stingray-surveillance-non-standalone/?utm_source=facebook&utm_medium=news_tab&utm_content=algorithm

    IN NORTH AMERICA and many other parts of the world, high-speed 5G mobile data networks dangled just out of reach for years. But as 5G coverage becomes ubiquitous, the rollout comes with an important caveat. Even if your phone says it’s connected to the next-generation wireless standard, you may not actually be getting all of the features 5G promises—including defense against so-called stingray surveillance devices.

    To get 5G out to the masses quickly, most carriers around the world deployed it in something called “non-standalone mode” or “non-standalone architecture.”

    The approach essentially uses existing 4G network infrastructure as a jumping off point to put out 5G data speeds before the separate, “standalone” 5G core is built.

    As long as your 5G connection is in non-standalone mode, a lot of what you’re getting is still actually 4G, complete with security and privacy weaknesses that actual 5G aims to address.

    “It’s a false sense of security,” says Ravishankar Borgaonkar, a research scientist at the Norwegian tech analysis firm SINTEF Digital and associate professor at University of Stavanger. “Currently a lot of the 5G deployed all over the world doesn’t actually have the protection mechanisms designed in 5G. You’re getting the high speed connection, but the security level you have is still 4G.”

    In practice, that means one of 5G’s top-billed privacy benefits—the ability to stymie stingray surveillance—does not yet apply for most people. Also known as “IMSI catchers” for the “international mobile subscriber identity” number assigned to every cell phone, stingrays act like legitimate cell towers and trick devices into connecting. From there, the tools use IMSI numbers or other identifiers to track the device, and even listen in on phone calls. Stingrays are a popular choice among US law enforcement

    While the distinctions between the types of 5G matter a great deal, there’s no easy way to tell whether you’re on a standalone network just by looking at your phone. Android users can download apps that analyze a device’s network connection and can flag non-standalone mode, but that’s an onerous extra step. And those tools are less common on iOS because of Apple’s app restrictions.

    The security benefits you miss while on a non-standalone 5G network extend beyond stingrays. You’re potentially susceptible to tracking, eavesdropping, and so-called “downgrade attacks” that push target devices onto older, more vulnerable data networks like 3G.

    And none of this gets communicated to mobile data users, despite enhanced security features being a key 5G selling point.

    The inherent challenge of implementing a massive infrastructure overhaul is the key issue

    “As long as we need seamless connectivity, continuous connectivity, we’ll need backward- compatibility using 4G,” he says. “4G stingray attacks, downgrading, man-in-the-middle attacks—those will exist for years even though we have 5G. And trying to move away from non-standalone mode to standalone mode everywhere will take some time.”

    So far 90 network operators in 45 countries have committed to making the switch to standalone mode, says Jon France, head of industry security at the telecom standards body GSMA.

    “The full picture, the full protections of 5G security come over time and do require the standalone to gain full benefit,” he says.

    The industry can’t languish in non-standalone mode, says SINTEF Digital’s Borgaonkar. He suggests that smartphone vendors be required to build in options so users can set which types of mobile data networks they want their phone to connect with. Similar to roaming options

    “As the end user I don’t have any option to only get 5G standalone mode,” Borgaonkar says. “If 2G is not secure why can’t I stop my phone from connecting to 2G? There is no requirement or coordination among the vendors about giving users these options—giving them the freedom to choose privacy.”

  18. Tomi Engdahl says:

    At least $611 million stolen in massive cross-chain hack
    https://www.theblockcrypto.com/post/114045/at-least-611-million-stolen-in-massive-cross-chain-hack

    Quick Take
    Cross-chain protocol Poly Network has been hacked for $611 million.
    The team behind the protocol is urging exchanges to block the funds that were taken.

    Cross-chain protocol Poly Network has been hacked for $611 million in the largest DeFi hack to date.

    “We are sorry to announce that #PolyNetwork was attacked on @BinanceChain @ethereum and @0xPolygon,” tweeted Poly Network today, adding, “We call on miners of affected blockchain and crypto exchanges to blacklist tokens coming from the above addresses.”

    Poly Network is a protocol for swapping tokens across multiple blockchains, including Bitcoin, Ethereum and Ontology. It was formed by an alliance between the teams behind multiple blockchain platforms, namely Neo, Ontology, and Switcheo.

  19. Tomi Engdahl says:

    Another big company hit by a ransomware attack
    https://www.cnn.com/2021/08/11/tech/accenture-ransomware/index.html

    From a corporation which claims it has anything relating to computing and security – it has neither

    (CNN Business)Accenture, the global consulting firm, has been hit by the LockBit ransomware gang, according to the cybercriminal group’s website.

    Accenture (ACN)’s encrypted files will be published by the group on the dark web on Wednesday unless the company pays the ransom, LockBit claimed, according to screenshots of the website reviewed by CNN Business and Emsisoft, a cybersecurity firm.

    Stacey Jones, an Accenture spokesperson, confirmed a cybersecurity incident to CNN Business on Wednesday, but did not explicitly acknowledge a ransomware attack.
    “Through our security controls and protocols, we identified irregular activity in one of our environments,” Jones said in a statement. “We immediately contained the matter and isolated the affected servers. We fully restored our affected systems from back up. There was no impact on Accenture’s operations, or on our clients’ systems.”

    Ransomware has become a critical threat to national and economic security, the US government has said, amid a string of attacks against corporate and infrastructure targets. Earlier this year, an attack by the group DarkSide forced Colonial Pipeline to shut down its fuel distribution operation, causing gasoline shortages nationwide. The criminal gang REvil attacked JBS Foods, one of the world’s largest meat suppliers. And a subsequent attack by the same group — targeting the IT software vendor Kaseya — wound up infecting an estimated 1,500 small businesses around the world.

  20. Tomi Engdahl says:

    https://therecord.media/security-tools-showcased-at-black-hat-usa-2021/
    Bleh.

    Cloud Katana – a tool developed by Microsoft to automate the execution of adversarial techniques in Azure with the help of Azure Functions with the main goal to validate detection rules and learn the underlying behavior of an attack. (Black Hat | GitHub)

    Cloud Sniper – a platform designed to manage Cloud Security Operations, intended to respond to security incidents. (Black Hat | GitHub)

    Kubestriker – a blazing fast security auditing tool for Kubernetes (Black Hat | GitHub | Blog)

    REW-sploit – a tool to analyze Windows shellcode or attacks originating from the Metasploit or Cobalt Strike offensive tools. (Black Hat | GitHub)

    LUDA – standing for “Large URLs Dataset Analyzer,” this tool was developed by security researchers at Akamai to detect patterns in large collections of URLs. The tool can be used by security teams to spot URL schemes associated with known malware strains or threat actors. (Black Hat | GitHub)

    SGXRay – an automated tool developed by Baidu engineers to detect SGX enclave bugs rooting from violations of trusted boundaries. (Black Hat | GitHub)

    Cotopaxi – a tool developed by Samsung for testing the security of various IoT protocols. (Black Hat | GitHub)

    Packet Sender – an open-source utility available for Windows, Mac, and Linux to allow sending and receiving TCP, UDP, and SSL (encrypted TCP) packets. (Black Hat | GitHub)

    Kubesploit – a tool for pen-testing the security of Kubernetes clusters, complete with a post-exploitation HTTP/2 Command & Control server and agent. (Black Hat | GitHub | Blog)

    Siembol – open-source, real-time Security Information & Event Management (SIEM) tool based on big data technologies. (Black Hat | GitHub | Blog)

    Cloudtopolis – a tool for running a password-cracking system on the Google Cloud Shell platform. (Black Hat | GitHub)

    Racketeer – a tool to provide a way for security teams to simulate and test detection of common ransomware operation, in a controlled manner, against a set of company assets and network endpoints. (Black Hat | GitHub)

    Phishmonger – is an email phishing tool that allows penetration testers to quickly template, test, and deploy phishing campaigns. (Black Hat | GitHub)

    Blue Pigeon – a Bluetooth-based data exfiltration and proxy tool. (Black Hat | GitHub)

    Magpie – an open-source cloud security posture management (CSPM) tool meant to help companies secure cloud infrastructure. (Black Hat | GitHub | Video)

    PurpleSharp 2.0 – a C# adversary simulation tool that executes adversary techniques with the purpose of generating attack telemetry in monitored Windows environments. (Black Hat | GitHub)

    WARCannon – a tool to search the internet at scale for web vulnerabilities. Security researchers and bug bounty hunters can leverage WARCannon to scale their research horizontally across the entire internet in a fast, cost-effective, and entirely non-invasive/invisible way. (Black Hat | GitHub)

    PMapper – a script and library for identifying risks in the configuration of AWS Identity and Access Management (IAM) for an AWS account or an AWS organization. (Black Hat | GitHub | Blog)

    Ping Castle – a tool for performing security audits on Active Directory servers. (Black Hat | GitHub)

    reNgine – an automated reconnaissance framework meant for information gathering during penetration testing of web applications. (Black Hat | GitHub | Homepage)

    Solitude – an open-source privacy analysis tool that aims to help people inspect where their private data goes once it leaves their favorite mobile or web applications. (Black Hat | GitHub | Blog)

  21. Tomi Engdahl says:

    Microsoft fixes Windows Print Spooler PrintNightmare vulnerability
    https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-windows-print-spooler-printnightmare-vulnerability/
    Update 8/10/21 4:02 PM EST: Unfortunately, soon after Microsoft
    released the security update, security researcher Benjamin Delpy
    confirmed that his packaged print driver PoC still works to gain
    elevated privileges.

  22. Tomi Engdahl says:

    Accenture says Lockbit ransomware attack caused ‘no impact’
    https://www.zdnet.com/article/accenture-says-lockbit-ransomware-attack-caused-no-impact-on-operations-or-clients/
    Billion-dollar tech services firm Accenture is downplaying an alleged
    ransomware attack that the Lockbit ransomware group announced on
    Tuesday night. Accenture was listed on the group’s leak site next to
    a timer set to go off on Wednesday. The ransomware group added a note
    that said, “These people are beyond privacy and security. I really
    hope that their services are better than what I saw as an insider. If
    you’re interested in buying some databases, reach us.” In a statement
    to ZDNet, an Accenture spokesperson downplayed the incident, saying it
    had little impact on the company’s operations.

  23. Tomi Engdahl says:

    Kaseya’s universal REvil decryption key leaked on a hacking forum
    https://www.bleepingcomputer.com/news/security/kaseyas-universal-revil-decryption-key-leaked-on-a-hacking-forum/
    The universal decryption key for REvil’s attack on Kaseya’s customers
    has been leaked on hacking forums allowing researchers their first
    glimpse of the mysterious key. It is not clear why the Kaseya
    decryptor was posted on a hacking forum, which is an unlikely place
    for a victim to post. On July 22nd, Kaseya obtained a universal
    decryption key for the ransomware attack from a mysterious “trusted
    third party” and began distributing it to affected customers. It is
    generally believed that Russian intelligence received the decryptor
    from the ransomware gang and shared it with US law enforcement as a
    gesture of goodwill.

  24. Tomi Engdahl says:

    Hacker steals $600 million from Poly Network in biggest ever
    cryptocurrency hack
    https://therecord.media/hacker-steals-600-million-from-poly-network-in-biggest-cryptocurrency-hack-ever/
    An unidentified hacker has stolen more than $600 million worth of
    cryptocurrency from Poly Network, a decentralized finance (DeFi)
    platform based in China. According to its website, Poly Network
    provides users the ability to trade cryptocurrency assets across
    different blockchains. Under the hood, the Poly Network executes these
    transactions using scripts called “contracts.” On Thursday, August
    10, an unidentified individual began moving funds from the Poly
    Network platform into cryptocurrency addresses under their control.

  25. Tomi Engdahl says:

    Microsoft August 2021 Patch Tuesday fixes 3 zero-days, 44 flaws
    https://www.bleepingcomputer.com/news/microsoft/microsoft-august-2021-patch-tuesday-fixes-3-zero-days-44-flaws/
    Today is Microsoft’s August 2021 Patch Tuesday, and with it comes
    fixes for three zero-day vulnerabilities and a total of 44 flaws, so
    please be nice to your Windows admins as they scramble to install
    patches. Microsoft has fixed 44 vulnerabilities (51 including
    Microsoft Edge) with today’s update, with seven classified as Critical
    and 37 as Important. Of the 44 vulnerabilities, 13 are remote code
    execution, eight are information disclosure, two are denial of
    service, and four are spoofing vulnerabilities. Microsoft has released
    security updates for two eagerly anticipated zero-day vulnerabilities
    that were discovered over the past month: PrintNightmare and
    PetitPotam

  26. Tomi Engdahl says:

    1M Stolen Credit Cards Hit Dark Web for Free
    https://threatpost.com/1m-stolen-credit-cards-dark-web/168514/
    Threat actors have leaked 1 million stolen credit cards for free
    online as a way to promote a fairly new and increasingly popular
    cybercriminal site dedicated to selling payment-card credentials. The
    leaked credit cards include the following fields: Credit-card number,
    expiration date, CVV, name, country, state, city, address, ZIP code,
    email and phone number, according to threat actors.

  27. Tomi Engdahl says:

    Hackers opposing the government are suspected of having obtained the
    passport data of the entire population of Belarus, as well as police data
    https://www.hs.fi/ulkomaat/art-2000008182226.html
    In Belarus, it is suspected that the databases of the country’s interior
    ministry and police have been hit by a serious data breach. This is
    reported by several Belarusian media outlets not directly controlled by
    the administration of self-declared president Alyaksandr Lukashenka, as
    well as by opposition representatives on social media. A hacker group
    calling itself the Belarusian Cyber Partisans has claimed responsibility
    and reports on its actions on a channel it set up on the messaging
    service Telegram.

  28. Tomi Engdahl says:

    Freshly disclosed vulnerability CVE-2021-20090 exploited in the wild
    https://blogs.juniper.net/en-us/security/freshly-disclosed-vulnerability-cve-2021-20090-exploited-in-the-wild
    Juniper Threat Labs continuously monitors in-the-wild network traffic
    for malicious activity. Today, we have discovered an active
    exploitation of a vulnerability that was disclosed just 2 days ago.
    CVE-2021-20090 is a vulnerability that was discovered by Tenable and
    made public on August 3, 2021. This vulnerability potentially affects
    millions of home routers (and other IOT devices using the same
    vulnerable code base) manufactured by no less than 17 vendors
    according to Tenable research, including some ISPs. The common thread
    between these devices seems to be firmware from Arcadyan.

  29. Tomi Engdahl says:

    Beware! New Android Malware Hacks Thousands of Facebook Accounts
    https://thehackernews.com/2021/08/beware-new-android-malware-hacks.html
    A new Android trojan has been found to compromise Facebook accounts of
    over 10,000 users in at least 144 countries since March 2021 via
    fraudulent apps distributed through Google Play Store and other
    third-party app marketplaces. Dubbed “FlyTrap,” the previously
    undocumented malware is believed to be part of a family of trojans
    that employ social engineering tricks to breach Facebook accounts as
    part of a session hijacking campaign orchestrated by malicious actors
    operating out of Vietnam, according to a report published by
    Zimperium’s zLabs today and shared with The Hacker News. The malicious
    apps claim to offer Netflix and Google AdWords coupon codes and let
    users vote for their favorite teams and players at UEFA EURO 2020,
    which took place between 11 June and 11 July 2021, only under the
    condition that they log in with their Facebook accounts to cast their
    vote, or collect the coupon code or credits. Once a user signs into
    the account, the malware is equipped to steal the victim’s Facebook
    ID, location, email address, IP address, and the cookies and tokens
    associated with the Facebook account.

  30. Tomi Engdahl says:

    Security tools showcased at Black Hat USA 2021
    https://therecord.media/security-tools-showcased-at-black-hat-usa-2021/
    While everyone associates the Black Hat security conference with
    high-profile keynotes and state-of-the-art cybersecurity research,
    ever since the 2017 edition, the conference has also been the place
    where the cybersecurity community has also announced and released
    security tools part of the lesser-known “Arsenal” track.

  31. Tomi Engdahl says:

    Australian govt warns of escalating LockBit ransomware attacks
    https://www.bleepingcomputer.com/news/security/australian-govt-warns-of-escalating-lockbit-ransomware-attacks/
    The Australian Cyber Security Centre (ACSC) warns of an increase of
    LockBit 2.0 ransomware attacks against Australian organizations
    starting July 2021. According to the agency, LockBit victims also
    report threats of having data stolen during the attacks leaked online,
    a known and popular tactic among ransomware gangs to coerce their
    targets into paying the ransoms.

  32. Tomi Engdahl says:

    Anti-Piracy Firm Asks Google to Block 127.0.0.1
    https://torrentfreak.com/anti-piracy-firm-asks-google-to-block-127-0-0-1-210808/
    Ukrainian TV channel TRK has sent a rather bizarre takedown request to
    Google. The company’s anti-piracy partner Vindex asked the search
    engine to remove a search result that points to 127.0.0.1. Tech-savvy
    people will immediately recognize that the anti-piracy company
    apparently found copyright-infringing content on its own server.

  33. Tomi Engdahl says:

    Apple fixes AWDL bug that could be used to escape air-gapped networks
    https://therecord.media/apple-fixed-awdl-bug-that-could-be-used-to-escape-air-gapped-networks/
    Apple has fixed a vulnerability in its Apple Wireless Direct Link
    (AWDL) technology that could have been abused by threat actors to
    escape and steal data from air-gapped networks. Silently patched
    earlier this spring, in April with the release of iOS 14.5, iPadOS
    14.5, watchOS 7.4, and Big Sur 11.3, the vulnerability was publicly
    disclosed for the first time earlier this week in a blog post by Mikko
    Kenttälä, a Finnish security researcher and the founder and CEO of
    SensorFu.

  34. Tomi Engdahl says:

    Actively exploited bug bypasses authentication on millions of routers
    https://www.bleepingcomputer.com/news/security/actively-exploited-bug-bypasses-authentication-on-millions-of-routers/
    Threat actors actively exploit a critical authentication bypass
    vulnerability impacting home routers with Arcadyan firmware to take
    them over and deploy Mirai botnet malicious payloads. The
    vulnerability tracked as CVE-2021-20090 is a critical path traversal
    vulnerability (rated 9.9/10) in the web interfaces of routers with
    Arcadyan firmware that could allow unauthenticated remote attackers to
    bypass authentication. Vulnerable devices include dozens of router
    models from multiple vendors and ISPs, including Asus, British
    Telecom, Deutsche Telekom, Orange, O2 (Telefonica), Verizon, Vodafone,
    Telstra, and Telus.

    Reply
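    The Arcadyan bug above is a path-traversal flaw that turns into an
    authentication bypass: the web interface decides whether a request needs
    a login by looking at the raw path, but resolves the decoded path when it
    dispatches. The snippet below is an added illustration of that bug class
    and of the fix (canonicalize once, then authorize on the canonical path);
    it is not Arcadyan firmware code, the prefixes, the `/admin/config.cgi`
    endpoint and the access-log lines are constructed for the example, and
    nothing here reproduces the actual CVE-2021-20090 request.

    ```python
    """Path-traversal -> auth bypass in an embedded web UI, with a hardened
    dispatcher and a log check. Added example, not vendor code; all paths,
    endpoints and log lines are hypothetical/constructed."""
    import posixpath
    import re
    from urllib.parse import unquote

    # Assumed: static directories served without login, one admin endpoint.
    PUBLIC_PREFIXES = ("/images/", "/css/", "/js/")
    PROTECTED = {"/admin/config.cgi": "config_handler"}   # hypothetical


    def dispatch_vulnerable(raw_path, authenticated):
        """Bug: the login check runs on the raw URL, the handler lookup on
        the decoded, normalized one. Anything under a public prefix is
        waved through even if it resolves elsewhere."""
        is_public = raw_path.startswith(PUBLIC_PREFIXES)
        if not is_public and not authenticated:
            return 401, None
        resolved = posixpath.normpath(unquote(raw_path))
        handler = PROTECTED.get(resolved)
        return (200, handler) if handler else (200, "static")


    def canonicalize(raw_path):
        """Decode exactly once, reject double encoding, traversal and
        backslashes, and return a normalized absolute path (or None)."""
        decoded = unquote(raw_path)
        if "%" in decoded:                 # a second encoding layer: refuse
            return None
        if not decoded.startswith("/") or "\x00" in decoded or "\\" in decoded:
            return None
        if any(seg == ".." for seg in decoded.split("/")):
            return None                    # traversal, even if it would resolve
        return posixpath.normpath(decoded)


    def dispatch_hardened(raw_path, authenticated):
        """Fix: canonicalize first, then do BOTH the login check and the
        handler lookup on the same canonical path."""
        path = canonicalize(raw_path)
        if path is None:
            return 400, None
        if not path.startswith(PUBLIC_PREFIXES) and not authenticated:
            return 401, None
        handler = PROTECTED.get(path)
        return (200, handler) if handler else (200, "static")


    # Constructed access-log lines (common log format) for the detector.
    SAMPLE_LOG = [
        '192.0.2.10 - - [05/Aug/2021:10:01:02 +0000] "GET /images/logo.png HTTP/1.1" 200 512',
        '198.51.100.7 - - [05/Aug/2021:10:01:05 +0000] "GET /images/..%2fadmin/config.cgi HTTP/1.1" 200 2048',
        '203.0.113.4 - - [05/Aug/2021:10:02:11 +0000] "POST /images/%2e%2e/admin/config.cgi HTTP/1.1" 200 77',
    ]
    _REQ = re.compile(r'^(\S+) .*?"(?:GET|POST|PUT|HEAD) (\S+) HTTP/')


    def find_traversal_attempts(lines):
        """Return (client_ip, raw_path) for requests whose path fails
        canonicalization, i.e. carries traversal or double encoding."""
        hits = []
        for line in lines:
            m = _REQ.match(line)
            if not m:
                continue
            ip, raw = m.group(1), m.group(2).split("?", 1)[0]
            if canonicalize(raw) is None:
                hits.append((ip, raw))
        return hits


    if __name__ == "__main__":
        attack = "/images/..%2fadmin/config.cgi"
        print("vulnerable:", dispatch_vulnerable(attack, authenticated=False))
        print("hardened:  ", dispatch_hardened(attack, authenticated=False))
        print("log hits:  ", find_traversal_attempts(SAMPLE_LOG))
    ```

    The vulnerable dispatcher hands an unauthenticated caller the admin
    handler because `/images/..%2f...` passes the prefix check before it is
    decoded; the hardened one refuses the request outright. The same
    `canonicalize` routine doubles as a cheap log triage for the scanning
    described in the article.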
  35. Tomi Engdahl says:

    Microsoft Exchange servers scanned for ProxyShell vulnerability, Patch
    Now
    https://www.bleepingcomputer.com/news/microsoft/microsoft-exchange-servers-scanned-for-proxyshell-vulnerability-patch-now/
    Threat actors are now actively scanning for the Microsoft Exchange
    ProxyShell remote code execution vulnerabilities after technical
    details were released at the Black Hat conference. ProxyShell is the
    name for three vulnerabilities that perform unauthenticated, remote
    code execution on Microsoft Exchange servers when chained together.
    Strangely, while both CVE-2021-34473 and CVE-2021-34523 were first
    disclosed in July, they were actually quietly patched in April’s
    Microsoft Exchange KB5001779 cumulative update.

    Reply
  36. Tomi Engdahl says:

    NYPD spent $159mn on facial recognition, ‘stingray’ cellphone trackers & X-ray van spy tools using secretive fund, documents show
    https://www.rt.com/usa/531740-nypd-invasive-surveillance-secret-fund/

    Newly released documents reveal the New York Police Department (NYPD) has spent at least $159 million in public money since 2007, through a “Special Expenses” fund, on potentially invasive surveillance tools like facial-recognition software, predictive policing programs, “stingray” cellphone trackers – and even vans fitted with X-ray machines to spot weapons.

    In response, the NYPD said the documents had been released before POST came into effect and maintained that “no [other] police department or federal agency has gone to the level of depth and transparency on law enforcement tools used in the field.” 

    However, STOP executive director Albert Fox Cahn countered that the NYPD hid its surveillance spending “not to protect us, but to protect its bottom line.” 

    Reply
  37. Tomi Engdahl says:

    LockBit 2.0 Ransomware Group got inside Accenture networks
    https://darkfeed.io/2021/08/12/proof-for-accenture-hack/

    Reply
  38. Tomi Engdahl says:

    Microsoft confirms another Windows print spooler zero-day bug
    https://www.bleepingcomputer.com/news/microsoft/microsoft-confirms-another-windows-print-spooler-zero-day-bug/
    Microsoft has issued an advisory for another zero-day Windows print
    spooler vulnerability tracked as CVE-2021-36958 that allows local
    attackers to gain SYSTEM privileges on a computer. This vulnerability
    is part of a class of bugs known as ‘PrintNightmare,’ which abuses
    configuration settings for the Windows print spooler, print drivers,
    and the Windows Point and Print feature.

    PrintNightmare vulnerability weaponized by Magniber ransomware gang
    https://therecord.media/printnightmare-vulnerability-weaponized-by-magniber-ransomware-gang/
    The operators of the Magniber ransomware have weaponized the infamous
    PrintNightmare vulnerability and are now attempting to breach Windows
    systems in South Korea. In a report published today by security firm
    CrowdStrike, the company said the attacks have been taking place since
    at least July 13. While several different vulnerabilities in the
    Windows Print Spooler service are collectively referred to as
    PrintNightmare, CrowdStrike said the attackers weaponized
    CVE-2021-34527 (remote code execution in Print Spooler server). While
    several security experts anticipated that PrintNightmare would be
    exploited in the wild, especially the RCE variant, for now, the
    attacks have been limited to South Korea.

    Reply
  39. Tomi Engdahl says:

    Microsoft warning: This unusual malware attack has just added some new
    tricks
    https://www.zdnet.com/article/microsoft-warning-this-unusual-malware-attack-has-just-added-some-new-tricks/
    Microsoft’s Security Intelligence team is once again raising an alarm
    about the call center phishing and malware group behind what it calls
    BazaCall. The ‘Stolen Images’ Bazarloader campaign uses fake
    copyright infringement contact form emails and malicious files
    pretending to contain “stolen images” to trick users into downloading
    the malware.

    Reply
  40. Tomi Engdahl says:

    Malware top 10: Trickbot still number one worldwide, Flubot phishes
    for Finns’ data via text messages
    https://www.epressi.com/tiedotteet/tietotekniikka/haittaohjelmien-top-10-trickbot-yha-ykkonen-maailmalla-flubot-kalastelee-suomalaisten-tietoja-tekstiviesteissa.html
    Researchers at the security company Check Point report that Trickbot
    was the world’s most common malware in July for the third month in a
    row. The second most common, Snake Keylogger, made the global top ten
    for the first time. Finns were plagued by Flubot, which masquerades as
    a logistics company. The most common malware in Finland in July 2021:
    1. Flubot 2. REvil 3. Darkside 4. Formbook 5. Guloader. Flubot is
    Android malware that is spread via phishing text messages and most
    often poses as a logistics company (recently DHL). When the user
    clicks the link in the message, FluBot is installed and the hacker
    gains access to sensitive data on the phone. Prevalence 1.8%.

    Reply
  41. Tomi Engdahl says:

    Twitter says it out loud: Removing anonymity will not stop online
    abuse
    https://blog.malwarebytes.com/malwarebytes-news/2021/08/twitter-says-it-out-loud-removing-anonymity-will-not-stop-online-abuse/
    An investigation by Twitter into racist tweets levied against three
    Black players on the English football team following the national
    hopefuls’ loss against Italy last month revealed that anonymity played
    almost no role in whether users posted abusive comments from their
    accounts. The analysis, which revealed that 99 percent of the accounts
    that Twitter suspended were not anonymous, provides the latest
    evidence that requiring real identities on social media platforms will
    not lead to any measurable decrease in online abuse. Now, after
    decades of this dynamic being recognized by online privacy experts, it
    appears that Twitter, armed with its own data, has joined the crowd
    that says that, thankfully, anonymity is not worth destroying.

    Reply
