Cyber security news September 2021

This posting is here to collect cyber security news in September 2021.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.

414 Comments

  1. Tomi Engdahl says:

    Attracting flies with Honey(gain): Adversarial abuse of proxyware https://blog.talosintelligence.com/2021/08/proxyware-abuse.html
    With internet-sharing applications, or “proxyware,” users download software that allows them to share a percentage of their bandwidth with other internet users for a fee, with the companies that created this software acting as a go-between. As proxyware has grown in popularity, attackers have taken notice and are now attempting to exploit this interest to monetize their malware campaigns. Malware is currently leveraging these platforms to monetize the internet bandwidth of victims, similar to how malicious cryptocurrency mining attempts to monetize the CPU cycles of infected systems.

    Reply
  2. Tomi Engdahl says:

    Skimming the CREAM: recursive withdrawals loot $13M in cryptocash https://nakedsecurity.sophos.com/2021/08/31/skimming-the-cream-recursive-withdrawals-loot-13m-in-cryptocash/
    You must have had that happy feeling (happiest of all when it's still a day or two to payday and you know that your balance is paper-thin) when you're withdrawing money from a cash machine and, even though you're still nervously watching the ATM screen telling you that your request is being processed, you hear the motors in the cash dispensing machinery start to spin up. That means, even before any banknotes get counted out or the display tells you the final verdict, that [a] you've got enough funds, [b] the transaction has been approved, [c] the machine is working properly, and [d] you're about to get the money.

    Reply
  3. Tomi Engdahl says:

    Financial Institutions in the Sight of New JsOutProx Attack Waves https://yoroi.company/research/financial-institutions-in-the-sight-of-new-jsoutprox-attack-waves/
    When threat actors evolve, so do their tools. Observing the evolution of the threats we track during our cyber defense operations is part of what we do to secure our customers. Back in 2019, Yoroi's Malware ZLAB unit discovered a completely new malware implant named JsOutProx (TH-264), a complex JavaScript-based RAT used to attack financial institutions in the APAC area.

    Reply
  4. Tomi Engdahl says:

    Cybercriminal sells tool to hide malware in AMD, NVIDIA GPUs https://www.bleepingcomputer.com/news/security/cybercriminal-sells-tool-to-hide-malware-in-amd-nvidia-gpus/
    Cybercriminals are making strides towards attacks with malware that can execute code from the graphics processing unit (GPU) of a compromised system. While the method is not new and demo code has been published before, projects so far came from the academic world or were incomplete and unrefined. Earlier this month, the proof-of-concept (PoC) was sold on a hacker forum, potentially marking cybercriminals' transition to a new sophistication level for their attacks.

    Reply
  5. Tomi Engdahl says:

    BrakTooth: Impacts, Implications and Next Steps https://isc.sans.edu/forums/diary/BrakTooth+Impacts+Implications+and+Next+Steps/27802/
    In a previous diary entry, I had written about the increasing trend of Bluetooth vulnerabilities being reported in recent years. Today, the Automated Systems SEcuriTy (ASSET) Research Group from the Singapore University of Technology and Design (SUTD) revealed the BrakTooth family of vulnerabilities in commercial Bluetooth (BT) Classic stacks for various System-on-Chips (SoC). In this diary, I will be giving a brief background on BrakTooth, highlight affected products and also discuss next steps affected users/vendors could consider.

    Reply
  6. Tomi Engdahl says:

    The SEC Exposed Cybersecurity's Fatal Flaw: Executive Resistance To Bad News
    https://www.forbes.com/sites/noahbarsky/2021/08/31/the-sec-exposed-cybersecuritys-fatal-flaw—executive-resistance-to-bad-news/
    As companies chase emerging cybersecurity threats, regulators are increasingly scrutinizing breach disclosure speed, accuracy and informativeness. For instance, the SEC recently cited real estate title insurance company First American Financial for disclosure controls and procedures violations related to a cybersecurity vulnerability that exposed over 800 million images of highly sensitive customer data. Without admitting guilt, First American Financial settled the case and agreed to a $487,616 fine.

    Reply
  7. Tomi Engdahl says:

    WooCommerce Pricing Plugin Allows Malicious Code-Injection https://threatpost.com/woocommerce-plugin-malicious/169063/
    A pair of security vulnerabilities in the WooCommerce Dynamic Pricing and Discounts plugin from Envato could allow unauthenticated attackers to inject malicious code into websites running unpatched versions.
    This can result in a variety of attacks, including website redirections to phishing pages, insertion of malicious scripts on product pages and more. The plugin, which has 19,700+ sales on Envato Market, offers a variety of pricing and promotion tools for online retailers, including special offers, bulk pricing, tiered pricing, bundle pricing, deals of the day, flash sales, wholesale pricing, member pricing, individual pricing, loyalty programs, behavioral pricing, location-based pricing and so on.

    Reply
  8. Tomi Engdahl says:

    New Edition of Pipeline Cybersecurity Standard Covers All Control Systems
    https://www.securityweek.com/new-edition-pipeline-cybersecurity-standard-covers-all-control-systems

    The American Petroleum Institute (API) this month published the third edition of its pipeline cybersecurity standard, which focuses on managing cyber risks associated with industrial automation and control environments.

    The third edition of Standard 1164, Pipeline Control Systems Cybersecurity, has been in the works since 2017, and it’s based on input from over 70 organizations. The standard is based on NIST’s Cybersecurity Framework and the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) standards.

    According to the API, which is the largest trade association for the oil and natural gas industry, this edition covers all control systems, rather than just SCADA systems as the previous edition did.

    The new standard describes requirements for hardening pipeline assets against ransomware and other threats.

    Reply
  9. Tomi Engdahl says:

    Vulnerabilities Can Allow Hackers to Disarm Fortress Home Security Systems
    https://www.securityweek.com/vulnerabilities-can-allow-hackers-disarm-fortress-home-security-systems

    Researchers at cybersecurity firm Rapid7 have identified a couple of vulnerabilities that they claim can be exploited by hackers to remotely disarm one of the home security systems offered by Fortress Security Store.

    Fortress Security Store is a physical security solutions provider based in the United States. The company says thousands of consumers and businesses use its products.

    The flaws were found in Fortress’ S03 WiFi Security System, which connects to an existing Wi-Fi network or phone line. The system can include security cameras, window and door sensors, motion detectors, glass break and vibration sensors, as well as smoke, gas and water alarms.

    Reply
  10. Tomi Engdahl says:

    ‘ProxyToken’ Exchange Server Vulnerability Leads to Email Compromise
    https://www.securityweek.com/proxytoken-exchange-server-vulnerability-leads-email-compromise

    A vulnerability that Microsoft patched in Exchange Server earlier this year can allow attackers to set forwarding rules on target accounts and gain access to incoming emails.

    Tracked as CVE-2021-33766 and referred to as ProxyToken, the vulnerability has a severity rating of medium (CVSS score of 6.5). The security hole was identified by Le Xuan Tuyen of VNPT ISC, working with Trend Micro’s Zero Day Initiative (ZDI).

    The security bug is related to the authentication of requests to services within the ecp web application and can be exploited using crafted requests to bypass authentication.

    “With this vulnerability, an unauthenticated attacker can perform configuration actions on mailboxes belonging to arbitrary users. As an illustration of the impact, this can be used to copy all emails addressed to a target and account and forward them to an account controlled by the attacker,” ZDI’s Simon Zuckerbraun explains.

    Reply
  11. Tomi Engdahl says:

    Companies Release Security Advisories in Response to New OpenSSL Vulnerabilities
    https://www.securityweek.com/companies-release-security-advisories-response-new-openssl-vulnerabilities

    Companies that use OpenSSL in their products have started releasing security advisories to inform customers about the impact of two recently patched vulnerabilities.

    Updates announced by the OpenSSL Project on August 24 patched CVE-2021-3711, a high-severity buffer overflow related to SM2 decryption, and CVE-2021-3712, a medium-severity flaw that can be exploited for denial-of-service (DoS) attacks, and possibly for the disclosure of private memory contents.

    The high-severity vulnerability, patched with the release of OpenSSL 1.1.1l, can allow an attacker to change an application’s behavior or cause it to crash. The changes an attacker could make depend on the targeted app and the type of data it processes.

    Cybersecurity firm Sophos, which published an analysis of the two OpenSSL vulnerabilities, noted that an attacker could trick an application “into thinking that something succeeded (or failed) when it didn’t, or even to take over the flow of program execution entirely.”

    Several major organizations whose products rely on OpenSSL have released security advisories, including Linux distributions such as Red Hat (not affected), Ubuntu, SUSE, Debian, and Alpine Linux.

    OpenSSL Vulnerability Can Be Exploited to Change Application Data
    https://www.securityweek.com/openssl-vulnerability-can-be-exploited-change-application-data

    The OpenSSL Project on Tuesday announced the availability of OpenSSL 1.1.1l, which patches a high-severity vulnerability that could allow an attacker to change an application’s behavior or cause the app to crash.

    The flaw, tracked as CVE-2021-3711, has been described as a buffer overflow related to SM2 decryption.

    “A malicious attacker who is able to present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated,” the OpenSSL Project said in an advisory.

    Reply
  12. Tomi Engdahl says:

    Israel Promises to Investigate Group Accused of Selling Pegasus Spyware to Governments
    https://www.google.com/amp/s/www.newsweek.com/israel-promises-investigate-group-accused-selling-pegasus-spyware-governments-1625102%3famp=1

    Israel’s foreign minister promised to investigate a cyberespionage group accused of selling Pegasus spyware to governments that is then used to spy on journalists, dissidents and other civilians.

    The Israeli technology firm NSO Group is the creator of Pegasus, a spyware that stealthily infiltrates a target’s mobile phone, giving access to data, email, contacts and even the phone’s camera and microphones. Pegasus has been sold to governments for law enforcement purposes.

    “Once you have sold the jet, the cannon, the gun or the missile, or Pegasus, it is in the hands of the government who bought it,” Lapid said. “So we’re trying our best to make sure it doesn’t fall into the wrong hands. But no one has an ability to fully protect the other side after it was sold.”

    Reply
  13. Tomi Engdahl says:

    Too Log; Didn’t Read: Unknown Actor Using CLFS Log Files for Stealth https://www.fireeye.com/blog/threat-research/2021/09/unknown-actor-using-clfs-log-files-for-stealth.html
    The Mandiant Advanced Practices team recently discovered a new malware family we have named PRIVATELOG and its installer, STASHLOG. In this post, we will share a novel and especially interesting technique the samples use to hide data, along with detailed analysis of both files that was performed with the support of FLARE analysts. We will also share sample detection rules, and hunting. Mandiant has yet to observe PRIVATELOG or STASHLOG in any customer environments or to recover any second-stage payloads launched by PRIVATELOG. This may indicate malware that is still in development, the work of a researcher, or targeted activity.

    Reply
  14. Tomi Engdahl says:

    Fired NY credit union employee nukes 21GB of data in revenge https://www.bleepingcomputer.com/news/security/fired-ny-credit-union-employee-nukes-21gb-of-data-in-revenge/
    Juliana Barile, the former employee of a New York credit union, pleaded guilty to accessing the financial institution’s computer systems without authorization and destroying over 21 gigabytes of data in revenge after being fired. “In an act of revenge for being terminated, Barile surreptitiously accessed the computer system of her former employer, a New York Credit Union, and deleted mortgage loan applications and other sensitive information maintained on its file server,” Acting U.S. Attorney Jacquelyn M. Kasulis said.

    Reply
  15. Tomi Engdahl says:

    Linphone SIP Stack Bug Could Let Attackers Remotely Crash Client Devices https://thehackernews.com/2021/09/linphone-sip-stack-bug-could-let.html
    Cybersecurity researchers on Tuesday disclosed details about a zero-click security vulnerability in the Linphone Session Initiation Protocol (SIP) stack that could be remotely exploited without any action from a victim to crash the SIP client and cause a denial-of-service (DoS) condition. Tracked as CVE-2021-33056 (CVSS score: 7.5), the issue concerns a NULL pointer dereference vulnerability in the “belle-sip” component, a C-language library used to implement SIP transport, transaction, and dialog layers, with all versions prior to 4.5.20 affected by the flaw. The weakness was discovered and reported by industrial cybersecurity company Claroty.
    Report:
    https://www.claroty.com/2021/08/31/blog-research-crashing-sip-clients-with-a-single-slash/

    Reply
  16. Tomi Engdahl says:

    STRRAT: a Java-based RAT that doesn’t care if you have Java https://isc.sans.edu/forums/diary/STRRAT+a+Javabased+RAT+that+doesnt+care+if+you+have+Java/27798/
    STRRAT was discovered earlier this year as a Java-based Remote Access Tool (RAT) that does not require a preinstalled Java Runtime Environment (JRE). It has been distributed through malicious spam (malspam) during 2021. Today’s diary reviews an infection generated using an Excel spreadsheet discovered on Monday, 2021-08-30. During this infection, STRRAT was installed with its own JRE environment. It was part of a zip archive that contained JRE version 8 update 261, a .jar file for STRRAT, and a command script to run STRRAT using JRE from the zip archive.

    Reply
  17. Tomi Engdahl says:

    BEC Scammers Seek Native English Speakers on Underground https://threatpost.com/bec-scammers-native-english-speakers/169092/
    Looking for work? Speak fluent English? Capable of convincingly portraying a professional, as in somebody a highly ranked corporate leader would talk to? If you lack scruples and disregard those pesky things called laws, it could be your lucky day: Cybercrooks are putting up help-wanted ads, looking for native English speakers to carry out the social-engineering elements of business email compromise (BEC) attacks. It's easy work, they promise: They'll do the heavy lifting of getting unauthorized access to Microsoft Office 365 domains. All that their English-speaking conspirators need to do is sound convincing.

    Reply
  18. Tomi Engdahl says:

    Wanted career criminal broke into F-Secure's headquarters; getting in was disturbingly easy https://www.tivi.fi/uutiset/tv/420aeddf-e34a-4c24-a0fe-7ad0866f5e0d
    It is rare for anyone to succeed in breaking into a large company's headquarters, and rarer still for the intruder to take nothing at all with them.
    Yet that is what happened in Finland one mysterious night. The culprit was a known career criminal. Tomi Tuominen, head of technical security consulting, has written an almost literary blog post about the incident on F-Secure's website. It became a talking point in the IT industry this summer because, according to F-Secure, the office contained a telecommunications room critical to national infrastructure that had been mistaken for a cleaning closet. F-Secure's text sparked discussion in the IT industry especially because of the telecommunications room. We asked Tapio Sokura, an expert at the National Cyber Security Centre of the Finnish Transport and Communications Agency, what goals attackers targeting telecommunications rooms might have. Sokura commented on the matter in general terms.

    Reply
  19. Tomi Engdahl says:

    Report: Indonesian Government's Covid-19 App Accidentally Exposes Over 1 Million People in Massive Data Leak
    https://www.vpnmentor.com/blog/report-ehac-indonesia-leak/
    Led by Noam Rotem and Ran Locar, vpnMentor's research team discovered a data breach in the Indonesian government's eHAC program created to tackle the COVID-19 pandemic spread in the country. eHAC is a test and trace app for people entering Indonesia to ensure they're not carrying the virus into the country. The app was established in 2021 by the Indonesian Ministry of Health. However, the app developers failed to implement adequate data privacy protocols and left the data of over 1 million people exposed on an open server.

    Reply
  20. Tomi Engdahl says:

    Gutenberg Template Library & Redux Framework Bugs Plague WordPress Sites https://threatpost.com/gutenberg-template-library-redux-bugs-wordpress/169111/
    Two vulnerabilities have been found in the Gutenberg Template Library & Redux Framework plugin for WordPress, which is installed on more than 1 million websites. They could allow arbitrary plugin installation, post deletions and access to potentially sensitive information about a site's configuration, researchers said. The plugin, from developer Redux.io, offers various templates and building blocks for creating web pages within the WordPress Gutenberg editor.

    Reply
  21. Tomi Engdahl says:

    The bill was rushed through in just 24 hours.

    Australia’s New Police Powers Allow Them To Control Social Media Accounts, Delete Data
    https://www.iflscience.com/policy/australias-new-police-powers-allow-them-to-control-social-media-accounts-delete-data/

    BY JACK DUNHILL

    01 SEP 2021, 17:05
    The Australian government has rushed a bill through parliament in just 24 hours, allowing police to hack the devices of anyone involved in an ongoing investigation. Through this new law, police will be able to modify or delete data, take control over social media accounts, and collect network activity to the extent they feel necessary to further their inquiries. All this can be done by creating one of three warrants, which critics have claimed are far too easy to gain.

    They believe the new police powers will grant them the ability to fight back against online crime, while Senator Lidia Thorpe calls the bill a “cyber-enabled abuse of power”.

    “The bill does not identify or explain why these powers are necessary and our allies in the United States, the United Kingdom, Canada, and New Zealand do not grant law enforcement these rights,” Thorpe wrote in a blog post.

    The legislation grants police the power to gain three new warrants:

    1. Data disruption warrants: this enables police to modify or entirely delete a suspect’s data;
    2. Network activity warrants: police can gain information stored in computers of a suspect, alongside any suspected criminal networks and users linked to the individual;
    3. Account takeover warrants: the police may take control of a suspect’s social media and online accounts.

    More Police Powers, Less Protections
    https://lidia-thorpe.greensmps.org.au/articles/more-police-powers-less-protections

    Reply
  22. Tomi Engdahl says:

    14 million vulnerable Linux systems online
    https://etn.fi/index.php/13-news/12500-verkossa-14-miljoonaa-haavoittunutta-linux-jarjestelmaa

    According to a report by security company Trend Micro, there are currently almost 14 million Linux systems online that are exposed to vulnerabilities. During the first half of the year, Trend Micro reported more than 50 million attacks on Linux servers and cloud systems.

    Trend Micro's report lists the 15 most exploited Linux vulnerabilities. The majority of them are rated critical. In total there are more than 200 vulnerabilities.

    Most often, the vulnerabilities are exploited by attacking a web application.

    Linux Threat Report 2021 1H
    https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/linux-threat-report-2021-1h-linux-threats-in-the-cloud-and-security-recommendations

    Linux Threats in the Cloud and Security Recommendations
    Linux powers many cloud infrastructures today. However, it is not immune to threats and risks. We discuss several pressing security issues including malware and vulnerabilities that compromise Linux systems in the first half of 2021.

    Reply
  23. Tomi Engdahl says:

    Ireland Fines WhatsApp 225M Euros for Breaching EU Privacy Laws
    https://www.securityweek.com/ireland-fines-whatsapp-225m-euros-breaching-eu-privacy-laws

    Ireland on Thursday imposed a 225-million-euro fine on Facebook-owned messaging service WhatsApp for breaching EU data privacy laws after European regulators demanded the penalty be increased.

    Ireland was asked to “reassess and increase its proposed fine on the basis of a number of factors … and following this reassessment the DPC has imposed a fine of 225 million euro on WhatsApp,” said Ireland’s Data Protection Commission (DPC).

    The fine, the equivalent of $267 million, was handed down by the DPC as the country hosts the European headquarters of Facebook.

    Reply
  24. Tomi Engdahl says:

    FTC Bans SpyFone From Surveillance Business for Selling Stalkerware
    https://www.securityweek.com/ftc-bans-spyfone-surveillance-business-selling-stalkerware

    The U.S. Federal Trade Commission (FTC) this week announced that it has banned stalkerware app maker SpyFone and its CEO, Scott Zuckerman, from the surveillance business.

    SpyFone is marketed as an application that provides people with the ability to monitor their children’s activity on an Android or iOS device. The app can also be used to monitor “employees or other consenting adults,” the company says.

    Reply
  25. Tomi Engdahl says:

    https://www.bleepingcomputer.com/news/security/translated-conti-ransomware-playbook-gives-insight-into-attacks/
    Linguists working with Cisco Talos researchers went through the leaked material to provide an intelligible English version that accurately describes the gang’s techniques and tools.

    Reply
  26. Tomi Engdahl says:

    TikToker Makes Script to Flood Texas Abortion ‘Whistleblower’ Site With Fake Info
    An easy to use iOS shortcut lets non-technical users bombard the site, according to Motherboard’s tests.
    https://www.vice.com/en/article/z3x9ba/tiktok-texas-abortion-law-bot-site-ios-shortcut?utm_source=motherboardtv_facebook&utm_medium=social

    An activist has made a script to flood a Texas website used to solicit information on people seeking abortions with fabricated data, according to a TikTok video from the developer and Motherboard’s test of the tool. The developer, whose social media identifies him as Sean Black, also made an iOS shortcut making it easier for non-technical activists to participate as well.

    Reply
  27. Tomi Engdahl says:

    https://www.macrumors.com/2021/09/02/lightning-cable-with-hidden-chip/

    A normal-looking Lightning cable that can be used to steal data like passwords and send it to a hacker has been developed, Vice reports.

    This Seemingly Normal Lightning Cable Will Leak Everything You Type
    https://www.vice.com/en/article/k789me/omg-cables-keylogger-usbc-lightning

    A new version of the OMG Cable is a USB-C to Lightning Cable that hackers can use to steal your passwords or other data.

    It looks like a Lightning cable, it works like a Lightning cable, and I can use it to connect my keyboard to my Mac. But it is actually a malicious cable that can record everything I type, including passwords, and wirelessly send that data to a hacker who could be more than a mile away.

    This is the new version of a series of penetration testing tools made by the security researcher known as MG. MG previously demoed an earlier version of the cables for Motherboard at the DEF CON hacking conference in 2019. Shortly after that, MG said he had successfully moved the cables into mass production, and cybersecurity vendor Hak5 started selling the cables.

    Reply
  28. Tomi Engdahl says:

    NIST Study on Kids’ Passwords Shows Gap Between Knowledge of Password Best Practices and Behavior
    https://www.nist.gov/news-events/news/2021/08/nist-study-kids-passwords-shows-gap-between-knowledge-password-best

    When it comes to passwords, the challenges are endless. We must create multiple passwords to manage our many online accounts, from email to shopping sites and social media profiles. We have to safely keep track of these many passwords and ensure they’re strong enough to reduce the risk of cyberattacks. All of these reasons emphasize why education and training are so important for strengthening passwords and protecting personal accounts.

    The problem isn’t limited to just adults. Children may seem more technologically savvy because they’ve grown up in the digital space, but they still face the same cybersecurity threats. So, to shed light on what kids understand about passwords and their behavior in creating and using them, researchers at the National Institute of Standards and Technology (NIST) conducted a study that surveyed kids from third to 12th grade.

    Reply
  29. Tomi Engdahl says:

    UK VoIP telco receives ‘colossal ransom demand’, reveals REvil cybercrooks suspected of ‘organised’ DDoS attacks on UK VoIP companies https://www.theregister.com/2021/09/02/uk_voip_telcos_revil_ransom/
    In a statement, chair of Comms Council UK Eli Katz told us: “Comms Council UK is aware of the Denial of Service attacks currently targeting IP-based communications service providers in the UK and that a small number of our members have been impacted. We have communicated the issue to our membership and are continuing to liaise closely with them to share further information and support as the

    Reply
  30. Tomi Engdahl says:

    Facebook Pays Out $40,000 for Account Takeover Exploit Chain
    https://www.securityweek.com/facebook-pays-out-40000-account-takeover-exploit-chain

    Social media giant Facebook on Thursday announced a new payout guideline to help vulnerability hunters better understand its bounty decisions related to given bugs.

    Specifically, the new guideline covers security issues in contact point visibility settings in the “Who can look you up using the email address or phone number you provided” section.

    Per the new guideline, Facebook will shell out a maximum of $10,000, “for reports that demonstrate the ability to obtain one or more contact points (i.e. phone number or email) from an account that has their settings for ‘Who can look you up using the email address or phone number you provided’ configured to ‘Only Me’ or ‘Friends’,” the social media platform explains.

    Facebook also notes that, when determining the amount to be rewarded to a researcher, it takes into consideration factors such as whether user interaction is required for the exploit, whether the attacker needs to be in a privileged position, and whether the attack applies to Workplace or not. The fewer mitigating factors are found, the higher the awarded bounty reward.

    Reply
  31. Tomi Engdahl says:

    Hacked SolarWinds Software Lacked Basic Anti-Exploit Mitigation: Microsoft
    https://www.securityweek.com/microsoft-hacked-solarwinds-ftp-software-lacked-basic-anti-exploit-mitigation

    Software vendor SolarWinds failed to enable an anti-exploit mitigation available since the launch of Windows Vista 15 years ago, an oversight that made it easy for attackers to launch targeted malware attacks in July this year.

    The missing mitigation was flagged by Microsoft in a post mortem of last month’s zero-day attack that hit businesses using the SolarWinds Serv-U Managed File Transfer and Serv-U Secure FTP products.

    Microsoft originally shipped the mitigation — called ASLR (Address Space Layout Randomization) in Windows Vista back in 2006 as part of a larger plan to make it more difficult to automate attacks against the operating system.

    However, according to Microsoft’s newly minted Offensive Research & Security Engineering team, SolarWinds developers failed to enable ASLR compatibility in some modules.

    “Enabling ASLR is a simple compile-time flag. [It] is a critical security mitigation for services which are exposed to untrusted remote inputs, and requires that all binaries in the process are compatible in order to be effective at preventing attackers from using hardcoded addresses in their exploits, as was possible in Serv-U,” Microsoft said.

    Reply
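    As an added example (not code from Microsoft, SolarWinds or the article), the following Python audits a PE image for the opt-in the post mortem refers to: it parses the raw headers, reports the DllCharacteristics mitigation bits, and flags images whose DYNAMIC_BASE request cannot take effect because relocations were stripped. The PE images it checks are constructed in memory, and all helper names are mine.

```python
"""Audit PE images for the ASLR opt-in (DYNAMIC_BASE) and the relocation data
ASLR needs to rebase an image. Added example; the images below are constructed
header-only PE files, not real Serv-U binaries.
"""
import struct

# IMAGE_FILE_HEADER.Characteristics
IMAGE_FILE_RELOCS_STRIPPED = 0x0001
# IMAGE_OPTIONAL_HEADER.DllCharacteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def check_aslr(image: bytes) -> dict:
    """Return the mitigation bits of one PE image.

    aslr_effective is True only when DYNAMIC_BASE is set and relocations were
    not stripped: without .reloc data the loader cannot move an image even if
    the image asks to be moved.
    """
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    # e_lfanew at DOS-header offset 0x3C points at the "PE\0\0" signature.
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    file_hdr = pe_off + 4
    # IMAGE_FILE_HEADER: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    # PointerToSymbolTable(4) NumberOfSymbols(4) SizeOfOptionalHeader(2)
    # Characteristics(2)  -> Characteristics at offset 18, header is 20 bytes.
    (characteristics,) = struct.unpack_from("<H", image, file_hdr + 18)
    opt_hdr = file_hdr + 20
    (magic,) = struct.unpack_from("<H", image, opt_hdr)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    # DllCharacteristics sits at optional-header offset 0x46 in PE32 and PE32+.
    (dll_chars,) = struct.unpack_from("<H", image, opt_hdr + 0x46)

    relocs_stripped = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    return {
        "dynamic_base": dynamic_base,
        "high_entropy_va": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "nx_compat": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "relocs_stripped": relocs_stripped,
        "aslr_effective": dynamic_base and not relocs_stripped,
    }


def modules_defeating_aslr(modules: dict) -> list:
    """Names of modules that hand an attacker fixed addresses.

    One non-compatible module in a process is enough, so every offender is
    reported rather than a single yes/no for the process.
    """
    return [name for name, image in modules.items()
            if not check_aslr(image)["aslr_effective"]]


def build_test_image(dll_chars: int, file_chars: int = 0, pe32plus: bool = True) -> bytes:
    """Constructed minimal PE header (no sections) for exercising the checker."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE signature right after DOS header
    machine = 0x8664 if pe32plus else 0x14C
    opt_size = 0xF0 if pe32plus else 0xE0
    file_hdr = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, file_chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 0x46, dll_chars)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)


if __name__ == "__main__":
    # Constructed sample process: one hardened module, one built without ASLR,
    # one that sets DYNAMIC_BASE but has its relocations stripped.
    modules = {
        "hardened.dll": build_test_image(0x0040 | 0x0020 | 0x0100),
        "legacy.dll": build_test_image(0x0100),
        "stripped.exe": build_test_image(0x0040, file_chars=0x0001),
    }
    for name, image in modules.items():
        print(name, check_aslr(image))
    print("modules defeating ASLR:", modules_defeating_aslr(modules))
```

    On a real system the same function can be pointed at the on-disk modules a process loads; the verdict is per image, which is why the post mortem insists every binary in the process must opt in.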
  32. Tomi Engdahl says:

    Flaws in Moxa Railway Devices Could Allow Hackers to Cause Disruptions
    https://www.securityweek.com/flaws-moxa-railway-devices-could-allow-hackers-cause-disruptions

    Railway Communication Devices Made by Moxa Affected by 60 Vulnerabilities

    Railway and other types of wireless communication devices made by Taiwan-based industrial networking and automation firm Moxa are affected by nearly 60 vulnerabilities.

    Atos-owned cybersecurity consulting firm SEC Consult this week revealed that one of its researchers discovered two new vulnerabilities in Moxa devices, as well as several outdated third-party software components that introduce tens of flaws.

    According to SEC Consult, Moxa devices are affected by a command injection vulnerability that can be exploited by an authenticated attacker to compromise the device’s operating system (CVE-2021-39279), and a reflected cross-site scripting (XSS) flaw that can be exploited using a specially crafted configuration file (CVE-2021-39278).

    The products are also impacted by more than 50 other vulnerabilities discovered in the past decade in third-party components such as the GNU C Library (glibc), the DHCP client in BusyBox, the Dropbear SSH software, the Linux kernel, and OpenSSL.

    Moxa has published two separate advisories for the vulnerabilities. One of them describes the impact on TAP-323, WAC-1001 and WAC-2004 series devices, which are designed for railways.

    TAP-323, WAC-1001, and WAC-2004 Series Wireless AP/Bridge/Client Vulnerabilities
    https://www.moxa.com/en/support/product-support/security-advisory/tap-323-wac-1001-2004-wireless-ap-bridge-client-vulnerabilities

    Multiple product vulnerabilities were identified in Moxa’s TAP-323 Series and WAC-1001/2004 Series Railway Wireless Controllers. In response to this, Moxa has developed related solutions to address these vulnerabilities.

    Reply
  33. Tomi Engdahl says:

    The same 60 vulnerabilities also impact Moxa’s WDR-3124A series wireless routers, which have reached end of life, and OnCell G3470A-LTE series industrial cellular gateways.

    OnCell G3470A-LTE and WDR-3124A Series Cellular Gateways/Router Vulnerabilities
    https://www.moxa.com/en/support/product-support/security-advisory/oncell-g3470a-wdr-3124a-cellular-gateways-router-vulnerabilities

    Reply
  34. Tomi Engdahl says:

    BrakTooth: New Bluetooth Vulnerabilities Could Affect Millions of Devices
    https://www.securityweek.com/braktooth-new-bluetooth-vulnerabilities-could-affect-millions-devices

    A group of researchers with the Singapore University of Technology and Design have disclosed a family of 16 new vulnerabilities that affect commercial Bluetooth Classic (BT) stacks.

    The researchers identified the security holes after evaluating 13 Bluetooth devices from 11 vendors. A total of 20 CVEs have already been assigned, with four additional vulnerabilities pending CVE assignment from Intel and Qualcomm.

    BrakTooth draws its name from the Norwegian word “Brak”, which translates to “crash” in English, and Tooth from Bluetooth. The vulnerabilities impact system-on-chips (SoCs) running various versions of Bluetooth, ranging from Bluetooth 3.0 + HS to Bluetooth 5.2.

    The naming is suggestive for what exploitation of the vulnerabilities could lead to: denial of service through crash or deadlock. In some cases, the flaws may lead to arbitrary code execution. An attacker looking to exploit the bugs would have to be within Bluetooth range of the target device.

    BRAKTOOTH: Causing Havoc on Bluetooth Link Manager
    https://asset-group.github.io/disclosures/braktooth/

    Bluetooth Classic (BT) protocol is a widely used wireless protocol in laptops, handheld devices, and audio devices. BT main procedures are shown in Figure 1 for reference. In the past few years, Bluetooth has come under scrutiny due to the discovery of several critical vulnerabilities. In this report, we disclose BrakTooth , a family of new security vulnerabilities in commercial BT stacks that range from denial of service (DoS) via firmware crashes and deadlocks in commodity hardware to arbitrary code execution (ACE) in certain IoTs. As of today, we have evaluated 13 BT devices from 11 vendors. We have discovered a total of 16 new security vulnerabilities, with 20 common vulnerability exposures (CVEs) already assigned and four (4) vulnerabilities are pending CVE assignment from Intel and Qualcomm.

    Reply
  35. Tomi Engdahl says:

    Translated: Talos’ insights from the recently leaked Conti ransomware playbook https://blog.talosintelligence.com/2021/09/Conti-leak-translation.html
    Cisco Talos recently became aware of a leaked playbook that has been attributed to the ransomware-as-a-service (RaaS) group Conti. Talos has a team of dedicated, native-level speakers that translated these documents in their entirety into English. We also translated a Cobalt Strike manual that the authors referenced while creating their playbook.

    Reply
  36. Tomi Engdahl says:

    Sam Schechner / Wall Street Journal:
    Ireland’s Data Protection Commission, on behalf of the EU, fines WhatsApp €225M for privacy violations, the second-largest fine under GDPR; WhatsApp will appeal — Regulators say chat-service unit failed to disclose fully how it collected and shared data about its users

    Facebook’s WhatsApp Fined Around $270 Million for EU Privacy Violations
    https://www.wsj.com/articles/facebooks-whatsapp-fined-around-270-million-for-eu-privacy-violations-11630576800?mod=djemalertNEWS

    Regulators say chat-service unit failed to disclose fully how it collected and shared data about its users

    Reply
  37. Tomi Engdahl says:

    Benjamin Mayo / 9to5Mac:
    Apple begins prompting iOS 15 users for consent to enable Personalized Ads for their Apple ID, which was previously on by default and led to antitrust scrutiny — For iOS 15 users, Apple has begun prompting for their consent to enable Personalized Ads for their Apple ID …

    https://9to5mac.com/2021/09/02/apple-personalized-ads-targeting-ios-15/

    Reply
  38. Tomi Engdahl says:

    OpenSSL Vulnerability Can Be Exploited to Change Application Data
    https://www.securityweek.com/openssl-vulnerability-can-be-exploited-change-application-data
    The OpenSSL Project on Tuesday announced the availability of OpenSSL 1.1.1l, which patches a high-severity vulnerability that could allow an attacker to change an application’s behavior or cause the app to crash.
    The flaw, tracked as CVE-2021-3711, has been described as a buffer overflow related to SM2 decryption.
    “A malicious attacker who is able to present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated,” the OpenSSL Project said in an advisory.
    Strings, long and short
    The second of these bugs, CVE-2021-3712, is the less dangerous of the two, and ironically relates to how OpenSSL handles encoded cryptographic keys and certificates.
    You can safely treat OpenSSL’s ASN.1 strings as C strings, but only if they were generated by OpenSSL’s special “always add the NUL byte” functions, otherwise you could end up with an unterminated string, and all the problems that can cause.
    Unfortunately, a few of OpenSSL’s own functions were found to be taking shortcuts and relying on directly accessing ASN.1 strings from C, even when they couldn’t be sure that the original data had been created with those all-important NUL bytes tacked on the end.
    As a result, with clever shenanigans, it might be possible for an attacker to trick OpenSSL into printing out data that goes beyond the end of the memory buffer.
    Data breached due to a read overflow is exactly what happened in the infamous Heartbleed bug
    Decrypting too much
    The more serious bug of the two, CVE-2021-3711, also involves a buffer overflow, but this time it’s a write overflow, making it much more dangerous.
    The CVE-2021-3711 bug relies on a common programming idiom used in software code that generates output data.
    That idiom involves using the same data output function twice in succession: first, you run the function but say “don’t actually generate the data, just tell me how much there will be when I do it for real”; then, after setting aside a buffer of the right size, you run the function again to produce the actual data.
    That way, in theory, you can reliably avoid buffer overflows by making sure that you have enough memory space before you start.
    Except that in one specific case in OpenSSL, namely when using the Chinese government’s cryptographic algorithm known as ShangMi (SM), the software may end up telling you that you’ll need a buffer size up to 62 bytes too small.
    That means that booby-trapped encrypted data sent into for decryption could trigger a significant, writable buffer overflow inside OpenSSL.
    With a bit of luck

    The good news here is that official TLS support for ShangMi was only introduced in RFC 8998, dated March 2021, so it’s a newcomer to the world’s cryptographic stable.
    So, although OpenSSL includes implementations of the SM algorithms (SM2 for key agreement and digital signatures, SM3 for hashing, and SM4 for block encryption)…
    …it doesn’t yet include the code needed to allow you to choose these algorithms as a ciphersuite for use in TLS connections.
    You can’t ask your TLS client code to request a ShangMi connection to someone else’s server, as far as we can see; and you can’t get your TLS server code to accept a ShangMi connection from someone else’s client.
    So the bug is in there, down in the low-level OpenSSL libcrypto code, but if you use OpenSSL at the TLS level to make or accept secure connections, we don’t think you can open up a session in which the buggy code could be triggered.
    What to do?
    Upgrade to OpenSSL 1.1.1l if you can.
    Consider rebuilding OpenSSL without ShangMi support if you can’t upgrade.
    If you’re a programmer, always assume the worst about data.

    Reply
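The “ask for the size, then ask for the data” idiom discussed in the comment above, as an added illustration in C. This is constructed example code, not OpenSSL’s SM2 code and not part of the original post: a hypothetical size query that under-reports for longer inputs stands beside a caller that hands its allocated capacity to the second call, so a wrong estimate becomes a refused write instead of a heap write overflow. The function names, the 2x output expansion and the 8-byte shortfall are all assumptions chosen for the demonstration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the "ask for the size, then ask for the data" idiom.
 * The names are hypothetical; this is not OpenSSL's SM2 decryption code. */

#define UNDERESTIMATE 8   /* constructed: the size query comes up 8 bytes short for long inputs */

/* Size-query mode of a hypothetical output routine. Models the defect the
 * comment describes: for some inputs the reported size is smaller than what
 * the real call will write. */
static size_t query_output_size(size_t in_len)
{
    size_t real_len = in_len * 2;   /* hypothetical expansion: 2 output bytes per input byte */
    return (in_len > 4) ? real_len - UNDERESTIMATE : real_len;
}

/* Bounded producer: always reports the true size in *needed, writes only when
 * out_cap is large enough, and otherwise writes nothing at all.
 * Returns 0 on success, -1 when the caller's buffer is too small. */
static int produce_bounded(const unsigned char *in, size_t in_len,
                           unsigned char *out, size_t out_cap, size_t *needed)
{
    size_t real_len = in_len * 2;
    *needed = real_len;
    if (out == NULL || out_cap < real_len)
        return -1;                          /* refuse rather than write past the buffer */
    for (size_t i = 0; i < in_len; i++) {
        out[2 * i]     = in[i] ^ 0x5A;      /* arbitrary constructed transform */
        out[2 * i + 1] = (unsigned char)(i & 0xFF);
    }
    return 0;
}

/* The two-call caller, hardened: the capacity from the first call is passed to
 * the second call, so a wrong estimate turns into a clean failure instead of a
 * heap write overflow. Returns bytes produced (buffer in *out, caller frees),
 * or 0 with *out == NULL on failure. */
static size_t two_call_decode(const unsigned char *in, size_t in_len, unsigned char **out)
{
    size_t needed = 0;
    size_t est = query_output_size(in_len);        /* first call: "how much?" */
    unsigned char *buf = malloc(est ? est : 1);
    *out = NULL;
    if (buf == NULL)
        return 0;
    /* second call: "do it for real", with the capacity we actually allocated */
    if (produce_bounded(in, in_len, buf, est, &needed) != 0) {
        free(buf);                                 /* estimate was wrong: fail closed */
        return 0;
    }
    *out = buf;
    return needed;
}

/* How far an unbounded second call would have written past the buffer, computed
 * from the two sizes only (nothing is actually overflowed here). */
static size_t overflow_bytes_if_unbounded(size_t in_len)
{
    size_t real_len = in_len * 2;
    size_t est = query_output_size(in_len);
    return real_len > est ? real_len - est : 0;
}

int main(void)
{
    /* Constructed sample inputs: a short one the estimate gets right, and a
     * longer one where the estimate is UNDERESTIMATE bytes too small. */
    unsigned char short_in[4] = { 0x01, 0x02, 0x03, 0x04 };
    unsigned char long_in[16];
    unsigned char *out = NULL;
    size_t n;
    memset(long_in, 0xAB, sizeof long_in);

    n = two_call_decode(short_in, sizeof short_in, &out);
    printf("short input: produced %zu bytes, unbounded overflow would be %zu\n",
           n, overflow_bytes_if_unbounded(sizeof short_in));
    free(out);

    n = two_call_decode(long_in, sizeof long_in, &out);
    printf("long input: produced %zu bytes (0 = refused), unbounded overflow would be %zu\n",
           n, overflow_bytes_if_unbounded(sizeof long_in));
    free(out);   /* out is NULL on refusal; free(NULL) is a no-op */
    return 0;
}
```

The point for a defender reviewing code built on this idiom: an API whose “real” call takes no capacity parameter has to be trusted completely, because the caller has no way to notice that the first answer was short. Giving the second call the capacity, and having it report the true size whether or not it writes, turns the same mistake into a detectable error.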
  39. Tomi Engdahl says:

    Air Force chief software officer knocks DoD as he departs
    https://www.c4isrnet.com/battlefield-tech/it-networks/2021/09/02/air-force-chief-software-offer-knocks-dod-as-he-departs/

    Nicolas Chaillan, the Air Force’s top software official, wrote a fiery post about his time with the Air Force.

    WASHINGTON — The Air Force’s chief software officer Nic Chaillan announced his departure in a blistering online post Thursday that criticized senior leaders for not taking IT modernization seriously and hamstringing senior IT leaders.

    Reply
  40. Tomi Engdahl says:

    T-Mobile hacker claims responsibility for breach. Here’s how to protect your data
    The 21-year-old professed hacker did not reveal if he sold the data. Here’s what else you should know.
    https://www.cnet.com/tech/services-and-software/t-mobile-hacker-speaks-out-about-the-cyberattack-heres-how-to-protect-your-data/

    Reply
  41. Tomi Engdahl says:

    NPM package with 3 million weekly downloads had a severe vulnerability
    Untrusted JavaScript config file can execute arbitrary code.
    https://arstechnica.com/information-technology/2021/09/npm-package-with-3-million-weekly-downloads-had-a-severe-vulnerability/

    Popular NPM package “pac-resolver” has fixed a severe remote code execution (RCE) flaw.

    The pac-resolver package receives over 3 million weekly downloads, extending this vulnerability to Node.js applications relying on the open source dependency. Pac-resolver touts itself as a module that accepts JavaScript proxy configuration files and generates a function for your app to map certain domains to use a proxy.

    Tracked as CVE-2021-23406, the vulnerability has to do with how Proxy Auto-Config (PAC) files are processed by the module. PAC files consist of JavaScript code specifying a proxy configuration—which network requests should go over a proxy and which should go out directly.

    Originally introduced as part of Netscape Navigator 2.0 in 1996, the PAC standard remains relevant and in widespread use today. For example, Web Proxy Auto-Discovery Protocol (WAPD) uses DNS and/or DHCP services to locate PAC files on a network and import the proxy configuration into an application. However, as proxy configurations become larger, the JavaScript code in a PAC file can get increasingly complex and is ideally designed to run in a virtualized environment (VM).

    Reply
  42. Tomi Engdahl says:

    Researchers Disclose Meltdown-like Vulnerability for AMD Processors (Updated)
    By Aleksandar Kostovic 4 days ago
    Mitigations require software re-coding
    https://www.tomshardware.com/news/zen2-processor-vulnerability-mitigation

    article and title to clarify that the vulnerability applies to all AMD processors, not just the Zen 2 and Zen+ models listed in the research paper.

    Saidgani Musaev and Christof Fetzer, researchers from Dresden Technology University, discovered the vulnerabilities in AMD Zen+ and Zen 2 processors. The researchers disclosed the CVE-2020-12965 vulnerability to AMD in October 2020, giving the company enough time to develop a mitigation technique that AMD has addressed in the official paper on Arxiv (PDF) and AMD’s security website.

    Reply
  43. Tomi Engdahl says:

    Let’s put EVERYTHING in the cloud because you can access it anywhere….. that is until the cloud also has problems.

    AWS Tokyo outage takes down banks, share traders, and telcos
    https://www.theregister.com/2021/09/02/aws_ap_northeast_1_outage/

    Six-hour slump for Direct Connect caused by ‘loss of networking devices’ – we’ll assume that means they broke, not that they fell behind a couch

    The AP-NORTHEAST-1 region of Amazon Web Services, located in Tokyo, has endured six hours of sub-optimal performance.

    The cloud colossus’s status report states that AWS Direct Connect hybrid cloud networking service had trouble connecting to resources in the region due to “failures in core networking devices”.

    Reply
  44. Tomi Engdahl says:

    A cybersecurity company says Fortress S03, a home security system that relies on Wi-Fi to connect cameras, has a pair of vulnerabilities that can be exploited to disarm the system altogether.
    https://tcrn.ch/3jBRBD4

    A popular smart home security system can be remotely disarmed, researchers say
    https://techcrunch.com/2021/08/31/fortress-home-security-rapid7/?tpcc=ECFB2021

    A cybersecurity company says a popular smart home security system has a pair of vulnerabilities that can be exploited to disarm the system altogether.

    Rapid7 found the vulnerabilities in the Fortress S03, a home security system that relies on Wi-Fi to connect cameras, motion sensors and sirens to the internet, allowing owners to remotely monitor their home anywhere with a mobile app. The security system also uses a radio-controlled key fob to let homeowners arm or disarm their house from outside their front door.

    But the cybersecurity company said the vulnerabilities include an unauthenticated API and an unencrypted radio signal that can be easily intercepted.

    Rapid7 revealed details of the two vulnerabilities on Tuesday after not hearing from Fortress in three months, the standard window of time that security researchers give companies to fix bugs before details are made public. Rapid7 said its only acknowledgment of its email was when Fortress closed its support ticket a week later without commenting.

    Rapid7 said that Fortress’ unauthenticated API can be remotely queried over the internet without the server checking if the request is legitimate. The researchers said by knowing a homeowner’s email address, the server would return the device’s unique IMEI, which in turn could be used to remotely disarm the system.

    The other flaw takes advantage of the unencrypted radio signals sent between the security system and the homeowner’s key fob. That allowed Rapid7 to capture and replay the signals for “arm” and “disarm” because the radio waves weren’t scrambled properly.

    Fortress has not said if it has fixed or plans to fix the vulnerabilities. It’s not clear if Fortress is able to fix the vulnerabilities without replacing the hardware.

    https://www.rapid7.com/blog/post/2021/08/31/cve-2021-3927-67-fortress-s03-wifi-home-security-system-vulnerabilities/

    Reply
  45. Tomi Engdahl says:

    Babuk ransomware’s full source code leaked on hacker forum
    https://www.bleepingcomputer.com/news/security/babuk-ransomwares-full-source-code-leaked-on-hacker-forum/#.YTRVn2Csc9k.facebook

    A threat actor has leaked the complete source code for the Babuk ransomware on a Russian-speaking hacking forum.

    Babuk Locker, also known internally as Babyk, is a ransomware operation launched at the beginning of 2021 when it began targeting businesses to steal and encrypt their data in double-extortion attacks.

    After attacking the Washington DC’s Metropolitan Police Department (MPD) and feeling the heat from U.S. law enforcement, the ransomware gang claimed to have shut down their operation.

    However, members of the same group splintered off to relaunch the ransomware as Babuk V2.

    The shared file contains different Visual Studio Babuk ransomware projects for VMware ESXi, NAS, and Windows encryptors.

    Reply
