Cyber security news August 2021

This posting is here to collect cyber security news in August 2021.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.

309 Comments

  1. Tomi Engdahl says:

    Microsoft Exchange servers scanned for ProxyShell vulnerability, Patch Now https://www.bleepingcomputer.com/news/microsoft/microsoft-exchange-servers-scanned-for-proxyshell-vulnerability-patch-now/
    Threat actors are now actively scanning for the Microsoft Exchange ProxyShell remote code execution vulnerabilities after technical details were released at the Black Hat conference. ProxyShell is the name for three vulnerabilities that perform unauthenticated, remote code execution on Microsoft Exchange servers when chained together.
    Strangely, while both CVE-2021-34473 and CVE-2021-34523 were first disclosed in July, they were actually quietly patched in April’s Microsoft Exchange KB5001779 cumulative update.

    Reply
  2. Tomi Engdahl says:

    All your DNS were belong to us: AWS and Google Cloud shut down spying vulnerability https://www.theregister.com/2021/08/06/aws_google_dns/
    Until February this year, Amazon Route53′s DNS service offered largely unappreciated network eavesdropping capabilities. And this undocumented spying option was also available at Google Cloud DNS and at least one other DNS-as-a-service provider. In a presentation earlier this week at the Black Hat USA 2021 security conference in Las Vegas, Nevada, Shir Tamari and Ami Luttwak from security firm Wiz, described how they found a DNS name server hijacking flaw that allowed them to spy on the dynamic DNS traffic of other customers. According to Tamari, Amazon and Google have fixed this issue in their respective DNS services, but other DNS service providers may still be vulnerable.
    The researchers said three of the six DNS-as-a-service providers they’d found were vulnerable.

    Reply
  3. Tomi Engdahl says:

    Can You Recycle a Hard Drive? Google Is Trying to Find Out https://www.wired.com/story/can-you-recycle-a-hard-drive-google-is-trying-to-find-out/
    Rare-earth magnet recycling could reduce the need to mine for more resources, leading to more sustainable data centers. At a laboratory inside a Google data center in Mayes County, Oklahoma, researchers spent the fall of 2019 disassembling old hard disk drives by hand in order to extract a 2-inch-long component known as the magnet assembly.
    Consisting of two powerful rare-earth magnets, the magnet assembly is a critical muscle within the hard drive, controlling an actuator arm that allows the device to read and write data.

    Reply
  4. Tomi Engdahl says:

    Angry Affiliate Leaks Conti Ransomware Gang Playbook https://threatpost.com/affiliate-leaks-conti-ransomware-playbook/168442/
    A security researcher shared a comment from an online forum allegedly posted by someone who did business with Conti that included information integral to its ransomware-as-a-service (RaaS) operation, according to a report. Data revealed by the post included the IP addresses for the group’s Cobalt Strike command-and-control servers (C2s) and a 113MB archive that contains numerous tools and training material for how Conti performs ransomware attacks, according to the report, which was later verified by Kremez on Twitter.

    Reply
  5. Tomi Engdahl says:

    Conti ransomware affiliate goes rogue, leaks “gang data”
    https://nakedsecurity.sophos.com/2021/08/06/conti-ransomware-affiliate-goes-rogue-leaks-company-data/
    Ultimately, the data leaked by the disaffected affiliate doesn’t really amount to much. The criminals at the core of so-called ransomware-as-a-service groups keep the source code, the decryption keys and the blackmail payment details to themselves.

    Reply
  6. Tomi Engdahl says:

    Windows PetitPotam vulnerability gets an unofficial free patch https://www.bleepingcomputer.com/news/microsoft/windows-petitpotam-vulnerability-gets-an-unofficial-free-patch/
    A free unofficial patch is now available to block attackers from taking over domain controllers and compromising entire Windows domains via PetitPotam NTLM relay attacks. The 0patch micropatching service has released today a free unofficial patch that can be used to block PetitPotam NTLM relay attacks on Windows Server 2019, Windows Server 2016, Windows Server 2012 R2 and Windows Server 2008 R2. If you can’t immediately deploy one of these temporary patches, you can also defend against PetitPotam attacks using NETSH RPC filters that block remote access to the MS-EFSRPC API, effectively removing the unauthenticated PetitPotam attack vector.

    Reply
  7. Tomi Engdahl says:

    Energy group ERG reports minor disruptions after ransomware attack https://www.bleepingcomputer.com/news/security/energy-group-erg-reports-minor-disruptions-after-ransomware-attack/
    Italian energy company ERG reports “only a few minor disruptions” affecting its information and communications technology (ICT) infrastructure following a ransomware attack on its systems.

    Reply
  8. Tomi Engdahl says:

    Linux version of BlackMatter ransomware targets VMware ESXi servers https://www.bleepingcomputer.com/news/security/linux-version-of-blackmatter-ransomware-targets-vmware-esxi-servers/
    The BlackMatter gang has joined the ranks of ransomware operations to develop a Linux encryptor that targets VMware’s ESXi virtual machine platform.

    Reply
  9. Tomi Engdahl says:

    Disgruntled ransomware affiliate leaks the Conti gang’s technical manuals https://therecord.media/disgruntled-ransomware-affiliate-leaks-the-conti-gangs-technical-manuals/
    A disgruntled member of the Conti ransomware program has leaked today the manuals and technical guides used by the Conti gang to train affiliate members on how to access, move laterally, and escalate access inside a hacked company and then exfiltrate its data before encrypting files.

    Reply
  10. Tomi Engdahl says:

    EU officials investigating breach of Cybersecurity Atlas project https://therecord.media/eu-officials-investigating-breach-of-cybersecurity-atlas-project/
    The European Commission is investigating a breach of its Cybersecurity Atlas project after a copy of the site’s backend database was put up for sale on an underground cybercrime forum on Monday. While, by the nature of being a public inventory of contact details, the data in the Cybersecurity Atlas and its members was supposed to be public and accessible by design, The Record was able to confirm that this information was an SQL database dump of the project’s Drupal website rather than a scrape of data listed on the official site.

    Reply
  11. Tomi Engdahl says:

    Microsoft announces new ‘Super Duper Secure Mode’ for Edge https://therecord.media/microsoft-announces-new-super-duper-secure-mode-for-edge/
    Microsoft said today it plans to run an experiment in its Edge web browser where it will intentionally disable an important performance and optimization feature [V8 JIT] in order to enable more advanced security upgrades in what the company is calling Edge Super Duper Secure Mode.

    Reply
  12. Tomi Engdahl says:

    New Cobalt Strike bugs allow takedown of attackers’ servers https://www.bleepingcomputer.com/news/security/new-cobalt-strike-bugs-allow-takedown-of-attackers-servers/
    Security researchers have discovered Cobalt Strike denial of service (DoS) vulnerabilities that allow blocking beacon command-and-control (C2) communication channels and new deployments.

    Reply
  13. Tomi Engdahl says:

    Russian Federal Agencies Were Attacked With Chinese Webdav-O Virus https://thehackernews.com/2021/08/russian-federal-agencies-were-attacked.html
    An amalgam of multiple state-sponsored threat groups from China may have been behind a string of targeted attacks against Russian federal executive authorities in 2020.

    Reply
  14. Tomi Engdahl says:

    Phishing Campaign Dangles SharePoint File-Shares https://threatpost.com/phishing-sharepoint-file-shares/168356/
    Attackers spoof sender addresses to appear legitimate in a crafty campaign that can slip past numerous detections, Microsoft researchers have discovered.

    Reply
  15. Tomi Engdahl says:

    Amazon and Google patch major bug in their DNS-as-a-Service platforms https://therecord.media/amazon-and-google-patch-major-bug-in-their-dns-as-a-service-platforms/
    At the Black Hat security conference today, two security researchers have disclosed a security issue impacting hosted DNS service providers that can be abused to hijack the platform’s nodes, intercept some of the incoming DNS traffic, and then map customers’ internal networks.
    While this data looked innocuous, it was not. The data included internal and external IP addresses for each system, computer names, and in some cases, even employee names.

    Reply
  16. Tomi Engdahl says:

    Five Southeast Asian telcos hacked by three different Chinese espionage groups https://therecord.media/five-southeast-asian-telcos-hacked-by-three-different-chinese-espionage-groups/
    At least five major telecommunication providers from Southeast Asia have been hacked over the past years by different Chinese cyber-espionage groups. “These are global telcos with tens of millions of customers,” Assaf Dahan, Senior Director and Head of Threat Research at security firm Cybereason, told The Record this week.
    report:
    https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos

    Reply
  17. Tomi Engdahl says:

    Is someone stirring up war in the Baltic Sea? The position of a US destroyer was faked into Russian waters https://www.is.fi/digitoday/art-2000008166319.html
    Over the past year, the location data of about a hundred warships has been falsified in the international maritime shipping database. The forgeries were probably created with some kind of AIS simulator program and fed into the system through land-based AIS receivers.

    Reply
  18. Tomi Engdahl says:

    WireGuard VPN gets native port to the Windows kernel https://www.theregister.com/2021/08/03/wireguard_native_windows_port/
    WireGuard, a high performance and easily configured VPN protocol, is getting a native port from Linux to the Windows kernel, and the code has been published as experimental work in progress.

    Reply
  19. Tomi Engdahl says:

    Microsoft Windows Active Directory Certificate Services can allow for AD compromise via PetitPotam NTLM relay attacks
    https://kb.cert.org/vuls/id/405600
    Microsoft Windows Active Directory Certificate Services (AD CS) by default can be used as a target for NTLM relay attacks, which can allow a domain-joined computer to take over the entire Active Directory. The CERT/CC is currently unaware of a practical solution to this problem. Please see KB5005413 for several workarounds.

    Reply
  20. Tomi Engdahl says:

    Trusted platform module security defeated in 30 minutes, no soldering required https://arstechnica.com/gadgets/2021/08/how-to-go-from-stolen-pc-to-network-intrusion-in-30-minutes/
    Sometimes, locking down a laptop with the latest defenses isn’t enough. Microsoft’s BitLocker, meanwhile, doesn’t use any of the encrypted communications features of the latest TPM standard. That meant if the researchers could tap into the connection between the TPM and the CPU, they might be able to extract the key.

    Reply
  21. Tomi Engdahl says:

    Pegasus spyware found on journalists’ phones, French intelligence confirms https://www.theguardian.com/news/2021/aug/02/pegasus-spyware-found-on-journalists-phones-french-intelligence-confirms
    Announcement is first time an independent and official authority has corroborated Pegasus project findings

    ‘I will not be silenced’: Women targeted in hack-and-leak attacks speak out about spyware
    https://www.nbcnews.com/tech/social-media/i-will-not-be-silenced-women-targeted-hack-leak-attacks-n1275540
    Female journalists and activists say they had their private photos shared on social media by governments seeking to intimidate and silence them.

    Reply
  22. Tomi Engdahl says:

    New APT Hacking Group Targets Microsoft IIS Servers with ASP.NET Exploits https://thehackernews.com/2021/08/new-apt-hacking-group-targets-microsoft.html
    A new highly capable and persistent threat actor has been targeting major high-profile public and private entities in the U.S. as part of a series of targeted cyber intrusion attacks by exploiting internet-facing Microsoft Internet Information Services (IIS) servers to infiltrate their networks. Israeli cybersecurity firm Sygnia, which identified the campaign, is tracking the advanced, stealthy adversary under the moniker “Praying Mantis” or “TG2021.”

    Reply
  23. Tomi Engdahl says:

    Hackers shut down system for booking COVID-19 shots in Italy’s Lazio region https://www.reuters.com/world/europe/hackers-shut-down-system-booking-covid-19-shots-italys-lazio-region-2021-08-01/
    Hackers have attacked and shut down the IT systems of the company that manages COVID-19 vaccination appointments for the Lazio region surrounding Rome, the regional government said on Sunday.

    Reply
  24. Tomi Engdahl says:

    Windows PetitPotam attacks can be blocked using new method https://www.bleepingcomputer.com/news/microsoft/windows-petitpotam-attacks-can-be-blocked-using-new-method/
    The good news is that researchers have figured out a way to block the remote unauthenticated PetitPotam attack vector using NETSH filters without affecting local EFS functionality.

    Reply
  25. Tomi Engdahl says:

    Node.js fixes severe HTTP bug that could let attackers crash apps https://www.bleepingcomputer.com/news/security/nodejs-fixes-severe-http-bug-that-could-let-attackers-crash-apps/
    Node.js has released updates for a high severity vulnerability that could be exploited by attackers to corrupt the process and cause unexpected behaviors, such as application crashes and potentially remote code execution (RCE).

    Reply
  26. Tomi Engdahl says:

    Linux eBPF bug gets root privileges on Ubuntu – Exploit released https://www.bleepingcomputer.com/news/security/linux-ebpf-bug-gets-root-privileges-on-ubuntu-exploit-released/
    A security researcher released exploit code for a high-severity vulnerability in Linux kernel eBPF (Extended Berkeley Packet Filter) that can give an attacker increased privileges on Ubuntu machines.

    Reply
  27. Tomi Engdahl says:

    Google to block logins on old Android devices starting September https://www.bleepingcomputer.com/news/google/google-to-block-logins-on-old-android-devices-starting-september/
    Google is emailing Android users to let them know that, starting late September, they will no longer be able to log in to their Google accounts on devices running Android 2.3.7 (Gingerbread) and lower.

    Reply
  28. Tomi Engdahl says:

    Public print server gives anyone Windows admin privileges https://www.bleepingcomputer.com/news/microsoft/public-print-server-gives-anyone-windows-admin-privileges/
    To illustrate his research, Delpy created an Internet-accessible print server at \\printnightmare[.]gentilkiwi[.]com that installs a print driver and launches a DLL with SYSTEM privileges.

    Reply
  29. Tomi Engdahl says:

    New bank-fraud malware called Vultur infects thousands of devices https://arstechnica.com/gadgets/2021/07/new-bank-fraud-malware-called-vultur-infects-thousands-of-devices/
    Recently detected Android malware, some spread through the Google Play Store, uses a novel way to supercharge the harvesting of login credentials from more than 100 banking and cryptocurrency applications. Screen sharing courtesy of VNC mirrors device screens to attacker-controlled servers.

    Reply
  30. Tomi Engdahl says:

    Cyber-attack on Iranian railway was a wiper incident, not ransomware https://therecord.media/cyber-attack-on-iranian-railway-was-a-wiper-incident-not-ransomware/
    The cyber-attack that paralyzed Iran’s national railway system at the start of the month was caused by a disk-wiping malware strain named Meteor and not by a ransomware attack, according to research published by security firms Amnpardaz and SentinelOne, which managed to obtain a copy of the malware. Also: https://labs.sentinelone.com/meteorexpress-mysterious-wiper-paralyzes-iranian-trains-with-epic-troll/

    Reply
  31. Tomi Engdahl says:

    Google Play Protect fails Android security tests once more https://www.bleepingcomputer.com/news/security/google-play-protect-fails-android-security-tests-once-more/
    Google Play Protect, the Android built-in malware defense system, has failed the real-world tests of antivirus testing lab AV-TEST after detecting just over two thirds out of more than 20,000 malicious apps it was pitted against.

    Reply
  32. Tomi Engdahl says:

    New Android malware records smartphones via VNC to steal passwords https://therecord.media/new-android-malware-records-smartphones-via-vnc-to-steal-passwords/
    Security researchers have discovered a novel piece of Android malware that uses the VNC technology to record and broadcast a victim’s smartphone activity, allowing threat actors to collect keyboard presses and app passwords. Also: https://www.cleafy.com/cleafy-labs/ubel-oscorp-evolution
    https://thehackernews.com/2021/07/ubel-is-new-oscorp-android-credential.html

    Reply
  33. Tomi Engdahl says:

    BlackMatter ransomware targets companies with revenue of $100 million and more https://therecord.media/blackmatter-ransomware-targets-companies-with-revenues-of-100-million-and-more/
    A new ransomware gang launched into operation this week, claiming to combine the best features of the now-defunct Darkside and REvil ransomware groups, Recorded Future analysts have discovered. Per the BlackMatter gang, the networks need to have between 500 and 15,000 hosts and be located in the US, the UK, Canada, or Australia. The BlackMatter group says it is willing to pay up to $100,000 for exclusive access to any of these high-value networks.

    Reply
  34. Tomi Engdahl says:

    Windows printer driver for HP/Samsung/Xerox vulnerable to local privilege escalation – millions of printers affected https://labs.sentinelone.com/cve-2021-3438-16-years-in-hiding-millions-of-printers-worldwide-vulnerable/
    SentinelLabs has discovered a high severity Windows local privilege escalation flaw in HP, Samsung, and Xerox printer drivers. Since 2005 HP, Samsung, and Xerox have released millions of printers worldwide with the vulnerable driver.

    Reply
  35. Tomi Engdahl says:

    New Windows 10 vulnerability allows anyone to get admin privileges https://www.bleepingcomputer.com/news/microsoft/new-windows-10-vulnerability-allows-anyone-to-get-admin-privileges/
    Yesterday, security researcher Jonas Lykkegaard told BleepingComputer he discovered that the Windows 10 and Windows 11 Registry files associated with the Security Account Manager (SAM), and all other Registry databases, are accessible to the ‘Users’ group that has low privileges on a device. Will Dormann, a vulnerability analyst for CERT/CC, and SANS author Jeff McJunkin, said Microsoft introduced the permission changes in Windows 10 1809.

    Reply
  36. Tomi Engdahl says:

    Saudi Aramco data breach sees 1 TB stolen data for sale https://www.bleepingcomputer.com/news/security/saudi-aramco-data-breach-sees-1-tb-stolen-data-for-sale/
    A threat actor group known as ZeroX is offering 1 TB of proprietary data belonging to Saudi Aramco for sale. Saudi Aramco told BleepingComputer that the data breach occurred at third-party contractors, rather than through direct exploitation of Aramco’s systems.

    Reply
  37. Tomi Engdahl says:

    D-Link issues hotfix for hard-coded password router vulnerabilities https://www.bleepingcomputer.com/news/security/d-link-issues-hotfix-for-hard-coded-password-router-vulnerabilities/
    Following successful exploitation, they can let attackers execute arbitrary code on unpatched routers, gain access to sensitive information or crash the routers after triggering a denial of service state. Additionally, a “hidden telnet service can be started without authentication by visiting https:///start_telnet”, and attackers can log into the test environment using a default password stored in unencrypted form on the router. Also:
    https://blog.talosintelligence.com/2021/07/vuln-spotlight-d-link.html

    Reply
  38. Tomi Engdahl says:

    BIOPASS RAT Uses Live Streaming to Steal Victims’ Data https://threatpost.com/biopass-rat-live-streaming/167695/
    Online gambling companies in China are being targeted by a new remote access trojan (RAT) which, in addition to its predictable features like file assessment and exfiltration, takes the novel approach of using live streaming to spy on the screens of its victims. What makes BIOPASS RAT particularly interesting is that it can sniff its victims’ screens by abusing the framework of Open Broadcaster Software (OBS) Studio, a popular live streaming and video recording app, to establish live streaming to a cloud service via the real-time messaging protocol (RTMP).

    Reply
  39. Tomi Engdahl says:

    A scam urging recipients to open a voicemail message is spreading on phones; it comes from ordinary Finnish numbers and in clear Finnish
    https://yle.fi/uutiset/3-12018913
    The scam text message urges its recipient to listen to a voicemail message. According to the National Cyber Security Centre, it is a continuation of the early-summer scam campaign, the so-called FluBot phenomenon.
    The link in the text message must not be opened. The program installed via the link in the scam message also makes it possible to send scam messages through the infected phone. And that is precisely what makes this scam campaign effective, says Matias Mesiä, information security specialist at the National Cyber Security Centre. Also:
    https://www.is.fi/digitoday/tietoturva/art-2000008120427.html
    https://www.kauppalehti.fi/uutiset/kl/7cb28548-47d4-44ad-af34-cee48b7a79b8
    https://www.hs.fi/kotimaa/art-2000008123111.html
    https://www.tivi.fi/uutiset/tv/d40d23dd-e148-4d6c-9087-8bcf1788a952

    Reply
  40. Tomi Engdahl says:

    Goods can be ordered in someone else’s name through the payment company Klarna; MOT’s test shows how badly the Swedish company’s security leaks
    https://yle.fi/uutiset/3-12014974
    Klarna, one of the largest payment intermediaries in the Nordic countries, has a serious security problem in its system that allows the company’s customers’ accounts to be used for fraud, identity theft and harassment. The problem has been known for several years. Because of the weak security, Klarna’s service has also been repeatedly exploited for committing crimes. It looks pretty bad. Data protection is such a critical matter that it should not be possible to order goods in someone else’s name. Even though the company has some kind of monitoring, it clearly leaks, says IT expert and non-fiction author Petteri Järvinen.

    Reply
  41. Tomi Engdahl says:

    August 2021 ICS Patch Tuesday: Siemens, Schneider Address Over 50 Flaws
    https://www.securityweek.com/august-2021-ics-patch-tuesday-siemens-schneider-address-over-50-flaws
    Siemens and Schneider Electric on Tuesday released 18 security advisories addressing a total of more than 50 vulnerabilities affecting their products.
    The vendors have provided patches, mitigations, and general security recommendations for reducing the risk of attacks.

    Reply
  43. Tomi Engdahl says:

    Trend Micro Confirms In-the-Wild Zero-Day Attacks
    https://www.securityweek.com/trend-micro-confirms-wild-zero-day-attacks

    Security vendor Trend Micro has issued a warning for in-the-wild zero-day attacks hitting customers using its Apex One and Apex One as a Service products.

    In a security bulletin released quietly on July 28, Trend Micro rolled out patches for at least four documented vulnerabilities alongside a warning that malicious attackers are already launching exploits against two of the security defects.

    “Trend Micro has observed an active attempt of exploitation against two of these vulnerabilities (chained) in-the-wild (ITW) in a very limited number of instances, and we have been in contact with these customers already. All customers are strongly encouraged to update to the latest versions as soon as possible,” the company said.

    Trend Micro did not provide any additional information on the in-the-wild attacks. In a statement sent to SecurityWeek, the company said its policy is not to comment on any in-the-wild attacks “for the safety and confidentiality of our customers.”

    The Trend Micro bulletin, rated critical, documents four security flaws — CVE-2021-32464, CVE-2021-32465, CVE-2021-36741, and CVE-2021-36742 — affecting the Trend Micro Apex One (On Premise) and Apex One as a Service (SaaS) on Windows.

    Reply
  44. Tomi Engdahl says:

    Hacker Dubbed ‘Mr White Hat’ to Return Entire Stolen Crypto Fortune
    https://www.securityweek.com/hacker-dubbed-mr-white-hat-return-entire-stolen-crypto-fortune

    A firm specializing in transferring cryptocurrency said Thursday that a hacker they are calling “Mr White Hat” was giving back all $613 million in digital loot from a record haul.

    Poly Network had put out word previously that nearly half of the digital assets swiped early this week had been returned.

    “As our communication with Mr. White Hat is going on, the remaining user assets on Ethereum are gradually transferred,” Poly Network said in a tweet.

    “We look forward to Mr. White returning all the remaining user assets, as stated by him.”

    Polygon had urged the thief to return the stolen fortune.

    Reply
  45. Tomi Engdahl says:

    Microsoft Confirms (Yet Another) PrintNightmare Flaw as Ransomware Actors Pounce
    https://www.securityweek.com/microsoft-confirms-yet-another-printnightmare-flaw-ransomware-actors-pounce

    Exasperated Windows fleet administrators woke up Thursday to news of a new, unpatched Print Spooler vulnerability that leaves machines exposed to remote code execution attacks.

    Microsoft released a pre-patch advisory to confirm the severe new vulnerability after researchers published video of demo exploits on Twitter showing that Redmond’s latest PrintNightmare update was again problematic.

    To make matters worse, anti-malware vendor CrowdStrike is warning that ransomware actors are already targeting one of the Windows PrintNightmare vulnerabilities to launch data-encrypting extortion attacks in South Korea.

    Microsoft’s confirmation comes just days after the Patch Tuesday release of security patches and changed an OS default setting to attempt to fix a class of Print Spooler flaws that have haunted the Windows ecosystem since at least June 2021.

    Reply
  46. Tomi Engdahl says:

    Consumer Antivirus Firms NortonLifeLock and Avast to Merge in $8.6 Billion Deal
    https://www.securityweek.com/consumer-antivirus-firms-nortonlifelock-and-avast-merge-86-billion-deal

    Consumer cybersecurity firms NortonLifeLock (NASDAQ: NLOK) and Prague-based Avast announced on Tuesday that the two firms have agreed to merge in a deal valued between roughly $8.1-$8.6 billion.

    Under the terms of the agreement, Avast shareholders could receive a combination of cash and newly issued shares in NortonLifeLock, with alternative consideration elections available.

    “Based on NortonLifeLock’s closing share price of USD 27.20 on July 13, 2021 (being the last trading day for NortonLifeLock shares before market speculation began in relation to the merger on July 14, 2021, resulting in the commencement of the offer period), the merger values Avast’s entire issued and to be issued ordinary share capital between approximately USD 8.1B and USD 8.6B, depending on Avast shareholders’ elections,” the announcement said.

    The combined company will service more than 500 million users, with the merger creating roughly $280 million of annual gross cost synergies.

    Reply
  47. Tomi Engdahl says:

    Amazon will monitor workers’ keystrokes to ‘combat data theft’
    https://www.inputmag.com/tech/amazon-will-monitor-workers-keystrokes-to-combat-data-theft-privacy-spying-surveillance

    The company defends the decision citing instances when hackers or imposters might have accessed a worker’s account to steal customer information.

    Amazon will monitor the keyboard and mouse movements of its customer service employees in an effort to thwart imposters or hackers trying to access customer data. That’s according to documents obtained by Vice. Amazon said in response that it does not disclose what security technologies it uses but is always trying to protect customers’ privacy.

    The product the company will reportedly use comes from a cybersecurity company called BehavioSec. It collects not the specific things a worker types, but rather “behavioral” biometric data in order to monitor for unusual behavior.

    Reply
  48. Tomi Engdahl says:

    Ballot Machine Vulnerability Report “SEALED” — The report by J. Alex Halderman, a computer science professor at the University of Michigan, outlines specific vulnerabilities that, to quote the professor, “allow attackers to change votes despite the state’s purported defenses.” In a signed declaration, Halderman said he’d discovered “multiple severe security flaws” that could be exploited using malware, either with temporary physical access to the machine or by injecting it remotely via election management systems.

    Good Luck to the Judge Who Sealed a Ballot Machine Vulnerability Report in Georgia
    https://gizmodo.com/good-luck-to-the-judge-who-sealed-a-ballot-machine-vuln-1847481421

    The hidden report is a wet dream for election conspiracy theorists.

    Facing a quintessential damned-if-I-do-damned-if-I-don’t scenario, a federal judge in Georgia has sealed a 25,000-word report said to outline vulnerabilities in the state’s ballot-marking machines. The decision was seemingly made out of fear that the contents would add fuel to rampant conspiracy theories surrounding the 2020 election; a topic which is not even broached by its author.

    The Daily Beast, reporting the judge’s decision early Friday, said the report by J. Alex Halderman, a computer science professor at the University of Michigan, outlines specific vulnerabilities that, to quote the professor, “allow attackers to change votes despite the state’s purported defenses.”

    In a signed declaration, Halderman said he’d discovered “multiple severe security flaws” that could be exploited using malware, either with temporary physical access to the machine or by injecting it remotely via election management systems.

    Outside the courtroom, keeping the public in the dark about a particular computer exploit is not an unusual practice. It gives the responsible party time to fix the flaw before word reaches criminals who are certain to take advantage.

    Although the report is said to contain no evidence of any manipulation during the 2020 election, in transcripts obtained by the Beast, U.S. District Court Judge Amy Totenberg said her decision to seal the report was based on sensitive information it contained and a desire not to fuel controversy. “There are so many other ways to educate the public besides trying to use this case,” the Beast quotes Totenberg saying. “I’m at the end of my rope about that.”

    Dominion, the manufacturer of Georgia’s ballot-marking machines, resides at the center of numerous wide-ranging conspiracy theories largely devised by close supporters and friends of the former president, Donald Trump.

    Reply
  49. Tomi Engdahl says:

    T-Mobile Investigating Claims of Massive Customer Data Breach
    Hackers selling the data are claiming it affects 100 million users.
    https://www.vice.com/en/article/akg8wg/tmobile-investigating-customer-data-breach-100-million

    T-Mobile says it is investigating a forum post claiming to be selling a mountain of personal data. The forum post itself doesn’t mention T-Mobile, but the seller told Motherboard they have obtained data related to over 100 million people, and that the data came from T-Mobile servers.

    The data includes social security numbers, phone numbers, names, physical addresses, unique IMEI numbers, and driver licenses information, the seller said. Motherboard has seen samples of the data, and confirmed they contained accurate information on T-Mobile customers.

    “I think they already found out because we lost access to the backdoored servers,”

    Reply
  50. Tomi Engdahl says:

    Russian cyberspies targeted the Slovak government for months https://therecord.media/russian-cyberspies-targeted-slovak-government-for-months/
    A Russian cyber-espionage group linked to one of Russia’s intelligence forces has targeted the Slovak government for months, Slovak security firms ESET and IstroSec said this week. The attacks were attributed to a group known as the Dukes, Nobelium, or APT29, which cyber-security agencies from the US and other countries formally linked to the Russian Foreign Intelligence Service, also known as the SVR, earlier this year after its attack on software company SolarWinds. Also:
    https://www.istrosec.com/blog/apt-sk-cobalt/

    Reply
