This posting is here to collect cyber security news in September 2021.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
Tomi Engdahl says:
Malware found preinstalled in classic push-button phones sold in Russia
https://therecord.media/malware-found-preinstalled-in-classic-push-button-phones-sold-in-russia/
A security researcher has discovered malicious code inside the firmware of four low-budget push-button mobile phones sold through Russian online stores.
In a report published this week by a Russian security researcher named ValdikSS, push-button phones such as DEXP SD2810, Itel it2160, Irbis SF63, and F+ Flip 3 were caught subscribing users to premium SMS services and intercepting incoming SMS messages to prevent detection.
ValdikSS, who set up a local 2G base station in order to intercept the phones’ communications, said the devices also secretly notified a remote internet server when they were activated for the first time, even if the phones had no internet browser.
Tomi Engdahl says:
Grim prediction: cyber murders will become reality in 4 years https://www.is.fi/digitoday/tietoturva/art-2000008239757.html
Gartner Predicts By 2025 Cyber Attackers Will Have Weaponized Operational Technology Environments to Successfully Harm or Kill Humans
https://www.gartner.com/en/newsroom/press-releases/2021-07-21-gartner-predicts-by-2025-cyber-attackers-will-have-we
Organizations Can Reduce Risk by Implementing a Security Control Framework
By 2025, cyber attackers will have weaponized operational technology (OT) environments to successfully harm or kill humans, according to Gartner, Inc.
Attacks on OT – hardware and software that monitors or controls equipment, assets and processes – have become more common. They have also evolved from immediate process disruption such as shutting down a plant, to compromising the integrity of industrial environments with intent to create physical harm. Other recent events like the Colonial Pipeline ransomware attack have highlighted the need to have properly segmented networks for IT and OT.
“In operational environments, security and risk management leaders should be more concerned about real world hazards to humans and the environment, rather than information theft,” said Wam Voster, senior research director at Gartner. “Inquiries with Gartner clients reveal that organizations in asset-intensive industries like manufacturing, resources and utilities struggle to define appropriate control frameworks.”
Gartner predicts that the financial impact of CPS attacks resulting in fatal casualties will reach over $50 billion by 2023. Even without taking the value of human life into account, the costs for organizations in terms of compensation, litigation, insurance, regulatory fines and reputation loss will be significant. Gartner also predicts that most CEOs will be personally liable for such incidents.
Tomi Engdahl says:
US Cybercom says mass exploitation of Atlassian Confluence vulnerability ‘ongoing and expected to accelerate’
IT leaders have taken to Twitter to confirm that the exploitation is ongoing globally.
https://www.zdnet.com/article/us-cybercom-says-mass-exploitation-of-atlassian-confluence-vulnerability-ongoing-and-expected-to-accelerate/
Tomi Engdahl says:
PST, Want a Shell? ProxyShell Exploiting Microsoft Exchange Servers https://www.fireeye.com/blog/threat-research/2021/09/proxyshell-exploiting-microsoft-exchange-servers.html
Mandiant responded to multiple intrusions impacting a wide variety of industries including Education, Government, Business services, and Telecommunications. These organizations are based in the United States, Europe, and Middle East. However, targeting is almost certainly broader than directly observed. One specific targeted attack observed by Mandiant, detailed in this post, was against a US-based university where UNC2980 exploited ProxyShell vulnerabilities to gain access to the environment.
Tomi Engdahl says:
Norwegian student tracks Bluetooth headset wearers by wardriving around Oslo on a bicycle https://www.theregister.com/2021/09/04/bluetooth_headphones_tracking_oslo/
A Norwegian student who went wardriving around Oslo on a pushbike has discovered that several popular models of Bluetooth headphones don’t implement MAC address randomisation meaning they can be used to track their wearers.
Tomi Engdahl says:
Juniper Breach Mystery Starts to Clear With New Details on Hackers and U.S. Role https://finance.yahoo.com/news/juniper-breach-mystery-starts-clear-130016591.html
Bloomberg News investigation has filled in significant new details, including why Sunnyvale, California-based Juniper, a top maker of computer networking equipment, used the NSA algorithm in the first place, and who was behind the attack. Pentagon tied some future contracts for Juniper specifically to the use of Dual Elliptic Curve, the employees said. The request prompted concern among some Juniper engineers, but ultimately the code was added to appease a large customer, the employees said. Members of a hacking group linked to the Chinese government called APT 5 hijacked the NSA algorithm in 2012, according to two people involved with Juniper’s investigation and an internal document detailing its findings that Bloomberg reviewed.
The hackers altered the algorithm so they could decipher encrypted data flowing through the virtual private network connections created by NetScreen devices. They returned in 2014 and added a separate backdoor that allowed them to directly access NetScreen products, according to the people and the document.
Tomi Engdahl says:
Apple Delays iPhone Child Sexual Abuse Scanning After Uproar https://www.forbes.com/sites/thomasbrewster/2021/09/03/apple-delays-iphone-child-sexual-abuse-scanning-after-uproar/
Apple has apparently been listening to its critics. On Friday, it announced it was going to delay a controversial technology that would scan users’ iPhone photos before they went up to the iCloud to check them for known child sexual abuse material (CSAM).
Tomi Engdahl says:
Babuk ransomware’s full source code leaked on hacker forum https://www.bleepingcomputer.com/news/security/babuk-ransomwares-full-source-code-leaked-on-hacker-forum/
A threat actor has leaked the complete source code for the Babuk ransomware on a Russian-speaking hacking forum.
Tomi Engdahl says:
More than 10% of Firebase databases are open and exposing data https://therecord.media/more-than-10-of-firebase-databases-are-open-and-exposing-data/
In a research project conducted in July 2021 and published this week on Wednesday, cybersecurity firm Avast said it found nearly 19,300 Firebase databases from a grand total of 180,300 that were left exposed online without authentication.
Tomi Engdahl says:
New Zealand internet outage blamed on DDoS attack on nation’s third largest internet provider https://www.theregister.com/2021/09/03/nz_outage/
Vocus, the country’s third-largest internet operator, which is behind brands including Orcon, Slingshot and Stuff Fibre, confirmed the cyberattack originated at one of its customers.
Tomi Engdahl says:
FTC bans ‘brazen’ stalkerware maker SpyFone, orders data deletion, alerts to victims https://www.theregister.com/2021/09/02/ftc_spyfone_stalkerware/
America’s trade watchdog today banned stalkerware developer SpyFone and its CEO from the surveillance industry, effectively putting an end to its business.
Tomi Engdahl says:
USCYBERCOM Warns of Mass Exploitation of Atlassian Vulnerability Ahead of Holiday Weekend
https://www.securityweek.com/uscybercom-warns-mass-exploitation-atlassian-vulnerability-ahead-holiday-weekend
USCYBERCOM and the Cybersecurity and Infrastructure Security Agency (CISA) are sounding the alarm just before the Labor Day weekend in the U.S., urging organizations to patch a critical vulnerability (CVE-2021-26084) affecting Atlassian Confluence Server and Data Center.
“Mass exploitation of Atlassian Confluence CVE-2021-26084 is ongoing and expected to accelerate,” USCYBERCOM tweeted Friday morning. “Please patch immediately if you haven’t already— this cannot wait until after the weekend.”
On August 25, Atlassian issued patches to address the critical code execution vulnerability that carried a CVSS score of 9.8. Described by the software maker as an OGNL injection issue that can be exploited by an authenticated attacker — and in some cases an unauthenticated attacker — to execute arbitrary code on affected systems, the flaw has been fixed with the release of versions 6.13.23, 7.4.11, 7.11.6, 7.12.5 and 7.13.0.
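The advisory above is useful only if you can quickly tell which of your Confluence instances still sit below the fixed release for their branch. The following check is an added example (not Atlassian's or SecurityWeek's code): it takes the five fixed versions named in the article, maps each to its maintenance branch, and classifies an arbitrary version string. The one assumption, marked in the code, is that every feature line after 7.13 also carries the fix; branches with no fixed release of their own (for example 7.5.x) are reported as needing an upgrade rather than a patch.

```python
"""Classify an Atlassian Confluence Server/Data Center version against the
fixed releases for CVE-2021-26084 (6.13.23, 7.4.11, 7.11.6, 7.12.5, 7.13.0).
Added example; the table is derived from the fixed versions listed in the
article. ASSUMPTION: every feature line after 7.13 includes the fix."""
import re
from typing import Tuple

# Fixed release per maintenance branch: (major, minor) -> first fixed patch level
FIXED_PATCH = {
    (6, 13): 23,
    (7, 4): 11,
    (7, 11): 6,
    (7, 12): 5,
    (7, 13): 0,
}
FIRST_FIXED_LINE = (7, 13)  # assumption: 7.13 and later feature lines are fixed

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Parse strings such as '7.4.11' or 'Confluence 7.12.2' into a tuple."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or "0")


def is_fixed(version: Version) -> bool:
    """True when the version is at or above the fixed release for its branch."""
    major, minor, patch = version
    branch = (major, minor)
    if branch in FIXED_PATCH:
        return patch >= FIXED_PATCH[branch]
    # Branches without a fixed release are only safe if they postdate 7.13.
    return branch > FIRST_FIXED_LINE


def assess(text: str) -> str:
    """Human-readable verdict with the upgrade target for vulnerable versions."""
    version = parse_version(text)
    if is_fixed(version):
        return "fixed"
    branch = version[:2]
    if branch in FIXED_PATCH:
        target = "%d.%d.%d" % (branch + (FIXED_PATCH[branch],))
        return f"vulnerable: upgrade to {target}"
    return "vulnerable: no fixed release on this branch, move to 7.13.0 or a fixed branch"


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for host, banner in [("wiki-a", "7.4.10"), ("wiki-b", "7.12.5"), ("wiki-c", "7.5.2")]:
        print(host, banner, "->", assess(banner))
```

Feed it the version string from each instance's about page or build banner; anything other than "fixed" should be on the patch list before the weekend the advisory refers to.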
Tomi Engdahl says:
Flaws in Moxa Railway Devices Could Allow Hackers to Cause Disruptions
https://www.securityweek.com/flaws-moxa-railway-devices-could-allow-hackers-cause-disruptions
Tomi Engdahl says:
Hacked SolarWinds Software Lacked Basic Anti-Exploit Mitigation: Microsoft
https://www.securityweek.com/microsoft-hacked-solarwinds-ftp-software-lacked-basic-anti-exploit-mitigation
Software vendor SolarWinds failed to enable an anti-exploit mitigation available since the launch of Windows Vista 15 years ago, an oversight that made it easy for attackers to launch targeted malware attacks in July this year.
The missing mitigation was flagged by Microsoft in a post mortem of last month’s zero-day attack that hit businesses using the SolarWinds Serv-U Managed File Transfer and Serv-U Secure FTP products.
Microsoft originally shipped the mitigation, called ASLR (Address Space Layout Randomization), in Windows Vista back in 2006 as part of a larger plan to make it more difficult to automate attacks against the operating system.
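Whether a Windows binary opts in to ASLR is a single flag in its PE header, so the oversight described above is cheap to audit across a software inventory. The check below is an added example (not Microsoft's or SolarWinds' code): it reads the DllCharacteristics field of the optional header and reports the ASLR (DYNAMIC_BASE), DEP (NX_COMPAT) and high-entropy ASLR bits. The constant names and offsets follow the PE specification; the build_minimal_pe() helper fabricates a header-only image as constructed sample input so the check runs offline, and real files can be passed to check_mitigations() as bytes.

```python
"""Report the exploit mitigations a Windows PE image declares in its header.
Added example, not vendor code. Offsets follow the PE/COFF specification:
e_lfanew at 0x3C, COFF header after the "PE\0\0" signature, DllCharacteristics
at offset 70 of the optional header (same for PE32 and PE32+)."""
import struct
from typing import Dict

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100      # DEP opt-in
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def check_mitigations(data: bytes) -> Dict[str, bool]:
    """Parse just enough of the PE header to read DllCharacteristics."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    (size_of_optional,) = struct.unpack_from("<H", data, coff + 16)
    if size_of_optional < 72:
        raise ValueError("optional header too short to carry DllCharacteristics")
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "aslr": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "high_entropy_va": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
    }


def build_minimal_pe(dll_characteristics: int, pe32plus: bool = True) -> bytes:
    """Constructed header-only image for testing; it is not loadable."""
    opt_size = 240 if pe32plus else 224
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # PE header immediately after DOS header
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 1, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def describe(data: bytes) -> str:
    """One-line verdict suitable for an inventory report."""
    m = check_mitigations(data)
    missing = [name for name in ("aslr", "dep") if not m[name]]
    return "ok" if not missing else "missing: " + ", ".join(missing)


if __name__ == "__main__":
    hardened = build_minimal_pe(0x0160)   # high-entropy VA + ASLR + DEP
    legacy = build_minimal_pe(0x0100)     # DEP only, the pattern the article describes
    print("hardened:", describe(hardened))
    print("legacy:  ", describe(legacy))
```

For a real audit, run check_mitigations() over every executable and DLL shipped with a product; a binary reporting "missing: aslr" is loaded at its preferred base address, which is exactly what removes the guesswork for the targeted attacks described in the post mortem.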
Tomi Engdahl says:
https://www.securityweek.com/apple-announces-delay-child-protection-measures
Tomi Engdahl says:
https://www.securityweek.com/facebook-pays-out-40000-account-takeover-exploit-chain
Tomi Engdahl says:
Catalin Cimpanu / The Record:
Researchers uncover BrakTooth, 16 flaws in Bluetooth firmware in SoC boards used in billions of devices from 11 top vendors that can allow remote code execution — A team of security researchers has published details this week about a suite of 16 vulnerabilities that impact the Bluetooth software stack …
Billions of devices impacted by new BrakTooth Bluetooth vulnerabilities
https://therecord.media/billions-of-devices-impacted-by-new-braktooth-bluetooth-vulnerabilities/
Academics found 16 vulnerabilities impacting the Bluetooth software stack of many popular SoC chipsets.
The same Bluetooth software stacks are also used in 1,400 chipsets, used in laptops, smartphones, industrial, and IoT devices.
The vulnerabilities can be used to crash, freeze, or take over vulnerable devices.
A team of security researchers has published details this week about a suite of 16 vulnerabilities that impact the Bluetooth software stack that ships with System-on-Chip (SoC) boards from several popular vendors.
The vulnerabilities, collectively known as BrakTooth, allow attackers to crash or freeze devices or, in the worst-case scenarios, execute malicious code and take over entire systems.
For their tests, researchers said they only examined the Bluetooth software libraries for 13 SoC boards from 11 vendors.
However, subsequent research found that the same Bluetooth firmware was most likely used inside more than 1,400 chipsets, used as the base for a wide assortment of devices, such as laptops, smartphones, industrial equipment, and many types of smart “Internet of Things” devices.
BrakTooth severity and impact varies per device
The number of affected devices is believed to be in the realm of billions, but the impact is different based on the device’s underlying SoC board and Bluetooth software stack.
The worst vulnerability part of the BrakTooth findings is CVE-2021-28139, which allows remote attackers to run their own malicious code on vulnerable devices via Bluetooth LMP packets.
According to the research team, CVE-2021-28139 affects smart devices and industrial equipment built on Espressif Systems’ ESP32 SoC boards, but the issue is bound to impact many of the other 1,400 commercial products, some of which are bound to have reused the same Bluetooth software stack.
Other BrakTooth issues are less severe but still annoying. For example, there are several vulnerabilities that can be used to crash the Bluetooth service on smartphones and laptops by flooding devices with malformed Bluetooth LMP (Link Manager Protocol) packets.
Vulnerable to these attacks are Microsoft Surface laptops, Dell desktops, and several Qualcomm-based smartphone models.
In addition, attackers can also use truncated, oversized, or out-of-order Bluetooth LMP packets to crash devices altogether, which will require a manual reboot, as seen in the demo below.
Tomi Engdahl says:
Finnish listed company reports data breach
6.9.2021 11:26 | updated 6.9.2021 11:57
The breach has hit Adapteo, which is currently the target of a takeover bid
https://www.tivi.fi/uutiset/suomalainen-porssiyhtio-kertoi-tietomurrosta/c1cd5d25-7c7b-4382-90d8-37e0270d07ed
Finnish real-estate company Adapteo announced on Sunday evening that it had been the target of a data breach. According to the release, a third-party intrusion hit the company’s systems on Friday, 3 September. The attack affects the company’s servers and core business applications. The extent of the breach is not yet known.
Listed on Nasdaq Stockholm, Adapteo operates in Sweden, Finland, Norway, Denmark, Germany and the Netherlands. In 2020 the company’s revenue was 231 million euros. The company’s headquarters is in Vantaa.
Adapteo is currently the target of an acquisition. Palace Bidco, a subsidiary of infrastructure investor West Street Global Partners, made a public tender offer for all Adapteo shares in May. In August Adapteo said that Palace Bidco owned 94.18 percent of all Adapteo shares.
If the tender offer goes through, Adapteo will be delisted from the Stockholm exchange. The company’s planned parallel listing in Finland was not carried out because of postponements and the tender offers.
Tomi Engdahl says:
Samsung Can Remotely Disable Any of Its TVs Worldwide
The technology is called TV Block, and it’s pre-loaded on every Samsung TV.
https://uk.pcmag.com/tvs/135256/samsung-can-remotely-disable-any-of-its-tvs-worldwide
On July 11, a distribution center located in KwaZulu-Natal, South Africa was looted and an unknown number of Samsung televisions were stolen. However, all of those TVs are now useless as Samsung has revealed they are fitted with remote blocking technology.
What you may be surprised to hear is that Samsung can do this to any of its TVs, regardless of where they are in the world. The company admitted as much in its latest Samsung Newsroom post detailing how the TVs in South Africa were stolen and then disabled.
The technology is called TV Block and it’s “pre-loaded on all Samsung TV products.” Whenever a TV is confirmed as being stolen, Samsung logs the serial number of the TV and then waits for it to be connected to the internet. At that point a Samsung server is connected to by default, the serial number is checked, and if it’s on the list, “the blocking system is implemented, disabling all the television functions.”
Tomi Engdahl says:
Conti affiliates use ProxyShell Exchange exploit in ransomware attacks https://news.sophos.com/en-us/2021/09/03/conti-affiliates-use-proxyshell-exchange-exploit-in-ransomware-attacks/
An investigation into recent attacks by a Conti affiliate reveals that the attackers initially accessed targeted organizations’ networks with ProxyShell, an exploit of vulnerabilities in Microsoft Exchange that have been the subject of multiple critical updates over the past several months. The attacker otherwise closely followed the game plan laid out in a recently leaked set of documentation attributed to Conti’s operators.
Tomi Engdahl says:
Russia responsible for cyber attacks on German parliament -German foreign ministry https://www.reuters.com/world/europe/russia-responsible-cyber-attacks-german-parliament-german-foreign-ministry-2021-09-06/
“The German government has reliable information according to which ghost writer activities can be attributed to cyber protagonists of the Russian state or Russia’s GRU military intelligence (service),” said the spokesperson.
Tomi Engdahl says:
Jenkins project discloses security breach following Confluence server hack https://therecord.media/jenkins-project-discloses-security-breach-following-confluence-server-hack/
The developers of the Jenkins server, one of the most widely used open-source automation systems, said they suffered a security breach after hackers gained access to one of their internal servers and deployed a cryptocurrency miner.
Tomi Engdahl says:
Salesforce Email Service Used for Phishing Campaign https://www.esecurityplanet.com/threats/salesforce-email-service-used-for-phishing-campaign/
Mass Email gives users the option to send an individual, personalized email to each recipient, thus creating the perception of receiving a unique email, created especially for you, Slavoutsky and Golderman wrote. Spoofing attempts of Salesforce are nothing new to us.
Attackers spoof emails from Salesforce for credential theft, is a typical example. In this case, the attackers actually purchased and abused the service; knowing that most companies use this service as part of their business, and therefore have it whitelisted and even allowed in their SPF records.
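The point made above, that allowing a shared mass-mail service in your SPF record means every tenant of that service passes SPF for your domain, is easy to see once the include: chain is expanded. The following is an added example (not Salesforce's or eSecurityPlanet's code) that walks the chain for a constructed set of TXT records, collects every network that ends up authorised to send as the domain, and counts the DNS-lookup-causing mechanisms against the limit of 10 from RFC 7208. DNS is replaced by an in-memory table so it runs offline; all domain names and address ranges in it are made up.

```python
"""Expand an SPF record's include: chain to list the networks that may send
mail as a domain, and count lookup-causing mechanisms (RFC 7208 limit: 10).
Added example; TXT_RECORDS is a constructed stand-in for DNS."""
from typing import Dict, Optional

# Constructed sample records: the names and address ranges are made up.
TXT_RECORDS: Dict[str, str] = {
    "example.com": "v=spf1 mx include:_spf.example-mailer.test include:shared-sender.test -all",
    "_spf.example-mailer.test": "v=spf1 ip4:192.0.2.0/24 -all",
    "shared-sender.test": "v=spf1 include:pool-a.shared-sender.test include:pool-b.shared-sender.test ~all",
    "pool-a.shared-sender.test": "v=spf1 ip4:198.51.100.0/24 -all",
    "pool-b.shared-sender.test": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all",
}

MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4
LOOKUP_MECHANISMS = ("a", "mx", "ptr", "exists")


def expand_spf(domain: str, records: Dict[str, str], _state: Optional[dict] = None) -> dict:
    """Recursively resolve include: terms.

    Returns a dict with the authorised networks, the included domains and the
    number of lookup-causing mechanisms seen. Raises ValueError on a missing
    record or when the lookup limit is exceeded (an SPF permerror in practice).
    """
    state = _state if _state is not None else {
        "networks": set(), "includes": [], "lookups": 0, "seen": set()}
    if domain in state["seen"]:
        return state  # guard against include: loops
    state["seen"].add(domain)
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        raise ValueError(f"no SPF record for {domain}")
    for term in record.split()[1:]:
        mech = term.lstrip("+-~?")  # drop the qualifier, keep the mechanism
        if mech.startswith("include:"):
            target = mech[len("include:"):]
            state["lookups"] += 1
            state["includes"].append(target)
            expand_spf(target, records, state)
        elif mech.startswith(("ip4:", "ip6:")):
            state["networks"].add(mech.split(":", 1)[1])
        elif mech.split(":")[0] in LOOKUP_MECHANISMS:
            state["lookups"] += 1
        # "all" needs no lookup; redirect= is not used in the sample records.
        if state["lookups"] > MAX_DNS_LOOKUPS:
            raise ValueError(f"{domain}: more than {MAX_DNS_LOOKUPS} DNS lookups (permerror)")
    return state


def shared_sender_exposure(domain: str, records: Dict[str, str]) -> int:
    """Number of third-party networks that can pass SPF for the domain."""
    return len(expand_spf(domain, records)["networks"])


if __name__ == "__main__":
    result = expand_spf("example.com", TXT_RECORDS)
    print("authorised networks:", sorted(result["networks"]))
    print("transitively included:", result["includes"])
    print("DNS lookups used:", result["lookups"], "of", MAX_DNS_LOOKUPS)
```

Every network printed for the shared sender is one that any other customer of that provider can also send from, which is why SPF alone does not stop the abuse described above; DMARC alignment and inspection of the message content are still needed.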
Tomi Engdahl says:
FBI Warns Ransomware Attack Could Disrupt Food Supply Chain
https://www.securityweek.com/fbi-warns-ransomware-attack-could-disrupt-food-supply-chain
Ransomware attack on U.S. farm incurred $9 million in losses
The Federal Bureau of Investigation (FBI) has sent out a Private Industry Notification to warn organizations in the Food and Agriculture sector about an increase in ransomware attacks that could impact the food supply chain.
The increased reliance on smart technologies, Internet-connected (IoT) devices, and industrial control systems exposes the sector to various types of cyberattacks that may lead to disrupted operations, affecting the entire food supply chain.
All types of businesses in the sector are at risk, the FBI says, including farms, processors, manufacturers, markets, and restaurants. Ransomware attacks are often complemented by the theft of data, which is then used as leverage to extort victims.
“Food and agriculture businesses victimized by ransomware suffer significant financial loss resulting from ransom payments, loss of productivity, and remediation costs. Companies may also experience the loss of proprietary information and personally identifiable information (PII) and may suffer reputational damage resulting from a ransomware attack,” the FBI’s notification says.
Some high-profile attacks this year have shown just how disruptive ransomware can be. The Kaseya attack forced one of Sweden’s leading supermarket chains to close hundreds of stores for days. Meat processing giant JBS had to suspend operations as well, just as Colonial Pipeline and Molson Coors did.
Tomi Engdahl says:
TechCrunch:
ProtonMail is under fire for disclosing a French activist’s IP address to Swiss authorities; ProtonMail had claimed to only log IPs in “extreme criminal cases” — ProtonMail, a hosted email service with a focus on end-to-end encrypted communications, has been facing criticism …
ProtonMail logged IP address of French activist after order by Swiss authorities
https://techcrunch.com/2021/09/06/protonmail-logged-ip-address-of-french-activist-after-order-by-swiss-authorities/
Tomi Engdahl says:
Lucas Matney / TechCrunch:
Apple made an unforced error by trying to tackle CSAM and child safety issues without soliciting expert advice while adhering to its annual iOS release schedule
Apple’s dangerous path
https://techcrunch.com/2021/09/04/apples-dangerous-path/
the big thing
In the past month, Apple did something it generally has done an exceptional job avoiding — the company made what seemed to be an entirely unforced error.
In early August — seemingly out of nowhere — the company announced that by the end of the year they would be rolling out a technology called NeuralHash that actively scanned the libraries of all iCloud Photos users, seeking out image hashes that matched known images of child sexual abuse material (CSAM). For obvious reasons, the on-device scanning could not be opted out of.
This announcement was not coordinated with other major consumer tech giants, Apple pushed forward on the announcement alone.
Researchers and advocacy groups had almost unilaterally negative feedback for the effort, raising concerns that this could create new abuse channels for actors like governments to detect on-device information that they regarded as objectionable. As my colleague Zack noted in a recent story, “The Electronic Frontier Foundation said this week it had amassed more than 25,000 signatures from consumers. On top of that, close to 100 policy and rights groups, including the American Civil Liberties Union, also called on Apple to abandon plans to roll out the technology.”
(The announcement also reportedly generated some controversy inside of Apple.)
The issue — of course — wasn’t that Apple was looking to find ways that prevented the proliferation of CSAM while making as few device security concessions as possible. The issue was that Apple was unilaterally making a massive choice that would affect billions of customers (while likely pushing competitors towards similar solutions), and was doing so without external public input about possible ramifications or necessary safeguards.
A long story short, over the past month researchers discovered Apple’s NeuralHash wasn’t as air tight as hoped and the company announced Friday that it was delaying the rollout “to take additional time over the coming months to collect input and make improvements before releasing these critically important child safety features.”
Having spent several years in the tech media, I will say that the only reason to release news on a Friday morning ahead of a long weekend is to ensure that the announcement is read and seen by as few people as possible, and it’s clear why they’d want that. It’s a major embarrassment for Apple, and as with any delayed rollout like this, it’s a sign that their internal teams weren’t adequately prepared and lacked the ideological diversity to gauge the scope of the issue that they were tackling. This isn’t really a dig at Apple’s team building this so much as it’s a dig on Apple trying to solve a problem like this inside the Apple Park vacuum while adhering to its annual iOS release schedule.
Apple is increasingly looking to make privacy a key selling point for the iOS ecosystem, and as a result of this productization, has pushed development of privacy-centric features towards the same secrecy its surface-level design changes command.
Tomi Engdahl says:
https://etn.fi/index.php/13-news/12524-bluetooth-haavoittuvuus-uhkaa-miljardeja-laitteita
Tomi Engdahl says:
Some employers are using a technology that takes a live photo of laptops every minute and can track keystrokes and web browsing of work from home employees.
Bosses using ‘tattleware’ to monitor employees working from home
https://6abc.com/11004081/?ex_cid=TA_WPVI_FB&utm_campaign=trueAnthem%3A+Trending+Content&utm_medium=trueAnthem&utm_source=facebook
Is your boss watching you? More companies are keeping an eye on remote workers to make sure they are actually working.
They are using so-called “tattleware” software that takes a live photo of workers at home about every minute from their company laptops.
Other software can track keystrokes and web browsing. For example, employers can see everything you write in an email or in Slack.
Some employees say the software is an invasion of privacy… companies say it is holding people accountable.
Tomi Engdahl says:
TikToker Makes Script to Flood Texas Abortion ‘Whistleblower’ Site With Fake Info
An easy-to-use iOS shortcut lets non-technical users bombard the site, according to Motherboard’s tests.
https://www.vice.com/en/article/z3x9ba/tiktok-texas-abortion-law-bot-site-ios-shortcut?utm_source=motherboardtv_facebook&utm_medium=social
Tomi Engdahl says:
“YOUR PRIVACY COMES FIRST” — “No personal information is required to create your secure email account. By default, we do not keep any IP logs which can be linked to your anonymous email account. Your privacy comes first.”
https://thehackernews.com/2021/09/protonmail-shares-activists-ip-address.html?m=1
Tomi Engdahl says:
Important clarifications regarding arrest of climate activist https://protonmail.com/blog/climate-activist-arrest/
We would like to provide important clarifications regarding the case of the climate activist who was recently arrested by French police on criminal charges. [...] In this case, Proton received a legally binding order from Swiss authorities which we are obligated to comply with. There was no possibility to appeal this particular request. As detailed in our transparency report, our published threat model, and also our privacy policy, under Swiss law, Proton can be forced to collect information on accounts belonging to users under Swiss criminal investigation. This is obviously not done by default, but only if Proton gets a legal order for a specific account. Also https://therecord.media/protonmail-forced-to-collect-an-activists-ip-address-in-police-investigation/
Tomi Engdahl says:
Ghostscript zero-day allows full server compromises https://therecord.media/ghostscript-zero-day-allows-full-server-compromises/
Proof-of-concept exploit code was published online over the weekend for an unpatched Ghostscript vulnerability that puts all servers that rely on the component at risk of attacks.
Tomi Engdahl says:
REvil ransomware’s servers mysteriously come back online https://www.bleepingcomputer.com/news/security/revil-ransomwares-servers-mysteriously-come-back-online/
Today, both the Tor payment/negotiation site and REvil’s Tor ‘Happy Blog’ data leak site suddenly came back online. It is unclear at this time whether the ransomware gang is back in operation, the servers have been turned back on by mistake, or it is due to the actions of law enforcement.
Tomi Engdahl says:
UK data watchdog brings cookies to G7 meeting: pop-up consent requests, not the delicious baked treats https://www.theregister.com/2021/09/07/ico_cookies_g7/
The ICO said it would call on fellow G7 data protection and privacy authorities (three of which used to be its fellow EU member states) to work together to overhaul cookie consent pop-ups to make people’s privacy “more meaningfully protected” and help businesses offer “a better web browsing experience.”
Tomi Engdahl says:
Beware of these messages: this is how Finns are being scammed right now https://www.is.fi/digitoday/tietoturva/art-2000008246431.html
FINNS are currently being sent large numbers of scam messages in the names of banks. At least in Nordea’s name, many emails have been seen in recent days. There are at least two types of messages: one tells of a confidential message or document that has arrived, and the other of measures required by the PSD2 payment services directive.
Tomi Engdahl says:
Ransomware gang threatens to leak data if victim contacts FBI, police https://www.bleepingcomputer.com/news/security/ransomware-gang-threatens-to-leak-data-if-victim-contacts-fbi-police/
In an announcement published on Ragnar Locker’s darknet leak site this week, the group is threatening to publish full data of victims who seek the help of law enforcement and investigative agencies following a ransomware attack. The threat also applies to victims contacting data recovery experts to attempt decryption and conduct the negotiation process.
Tomi Engdahl says:
Critical Flaw in Pac-Resolver NPM Package Affects 290,000 Repositories
https://www.securityweek.com/critical-flaw-pac-resolver-npm-package-affects-290000-repositories
A high severity vulnerability recently addressed in the popular NPM package Pac-Resolver could be exploited to execute arbitrary code remotely.
The vulnerability (CVE-2021-23406, CVSS score of 8.1) was discovered and reported by Tim Perry on May 30. The issue was addressed with the release of Pac-Resolver 5.0.0 in late July, but information on it wasn’t made public until last week.
In a blog post, Perry explains that the security hole can be exploited by an attacker on the local network to execute arbitrary code remotely inside the Node.js process when the user attempts to send an HTTP request.
A PAC file is essentially a piece of JavaScript code that informs an HTTP client which proxy to use for a given hostname and can be used for the distribution of complex proxy rules, given that a single file could map multiple links to different proxies.
https://httptoolkit.tech/blog/npm-pac-proxy-agent-vulnerability/
Tomi Engdahl says:
https://www.securityweek.com/germany-admits-police-used-controversial-pegasus-spyware
Tomi Engdahl says:
https://www.securityweek.com/germany-protests-russia-over-pre-election-cyberattacks
Germany has protested to Russia over attempts to steal data from lawmakers in what it suspects may have been preparation to spread disinformation before the upcoming German election, the Foreign Ministry in Berlin said Monday.
Foreign Ministry spokeswoman Andrea Sasse said that a hacker outfit called Ghostwriter has been “combining conventional cyberattacks with disinformation and influence operations,” and that activities targeting Germany have been observed “for some time.”
Tomi Engdahl says:
Catalin Cimpanu / The Record:
Microsoft warns of an actively abused zero-day that exploits a vulnerability in IE’s browser engine to target Office applications; patch slated for next week
Microsoft warns of new IE zero-day exploited in targeted Office attacks
https://therecord.media/microsoft-warns-of-new-ie-zero-day-exploited-in-targeted-office-attacks/
Microsoft’s security team issued an alert earlier today to warn about a new Internet Explorer zero-day that is being abused in real-world attacks.
Tracked as CVE-2021-40444, the vulnerability impacts Microsoft MHTML, also known as Trident, the Internet Explorer browser engine.
While MHTML was primarily used for the now-defunct Internet Explorer browser, the component is also used in Office applications to render web-hosted content inside Word, Excel, or PowerPoint documents.
“Microsoft is aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents,” the company said in an advisory today.
“An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine,” the OS maker added.
Tomi Engdahl says:
DW.COM:
Germany’s Federal Criminal Police Office confirms it bought NSO’s Pegasus spyware in 2019 and used it in operations on terrorism and organized crime since March
German police secretly bought NSO Pegasus spyware
https://www.dw.com/en/german-police-secretly-bought-nso-pegasus-spyware/a-59113197
Sources have confirmed media reports that federal criminal police purchased and used the controversial Israeli surveillance spyware despite lawyers’ objections.
Tomi Engdahl says:
At least 3 lawsuits filed against T-Mobile for its recent major security breach
https://www.phonearena.com/amp/news/class-action-lawsuits-filed-t-mobile-security-breach_id134824
T-Mobile customers were shocked to find out about a recent data breach that affected many people and we reported back towards the end of August. Now, TmoNews reports that the big carrier would be facing at least 3 class-action lawsuits because of the data breach.
At least 3 lawsuits are looming on T-Mo’s head because of the data breach
At least 3 customers have filed class-action lawsuits against the major carrier. The main accusation of these lawsuits is negligence after the customers’ personal data was exposed by the recent hack.
Tomi Engdahl says:
‘Anonymous’ hackers have a message for Texas abortion ‘snitch’ sites: We’re coming for you
https://www.dailydot.com/debug/anonymous-hactivists-texas-abortion-ban-operation-jane/
Texas’ controversial law banning abortions went into effect on Sept. 1. Two days later, self-described affiliates of the hacktivist group Anonymous launched “Operation Jane,” an initiative targeting those who try to enforce the law.
Texas’ anti-abortion law allows anyone to sue a person who obtains or facilitates an abortion after the sixth week of pregnancy for $10,000 plus attorney’s fees. The monetary award has come to be known as an “abortion bounty” and those who may sue under the law as “bounty hunters.” The law has no exceptions for pregnancies involving rape or incest.
The United States Supreme Court declining to block the law sent shockwaves through the pro-choice movement.
After noting that other states are now considering similar legislation, Operation Jane issues a promise and a call to action.
“We must act,” they say. “Every strategic model employed to collect information for SB8 bounties will be compromised and rendered inoperable.”
They added:
“Troves of data will be manipulated to result in an inherently spoiled cache of information. We will exhaust the investigational resources of bounty hunters, their snitch sites, and online gathering spaces until no one is able to maintain data integrity.”
Operation Jane told the Daily Dot via direct message on Twitter that they view this as a “rare opportunity” for people outraged by the law to participate in a “massive form of online grassroots pressure to help protect access to reproductive healthcare.”
They added that anti-choice extremists rely on online intelligence gathering and crowdsourcing for their efforts, which renders them vulnerable.
Tomi Engdahl says:
Government still gauging impact of Wednesday’s denial-of-service attacks https://www.stuff.co.nz/business/300402182/government-still-gauging-impact-of-wednesdays-denialofservice-attacks
ANZ and Kiwibank appear to have made progress recovering from a cyber attack that made their online services inaccessible for many New Zealanders on Wednesday.
Tomi Engdahl says:
AT&T Alien Labs warns of ‘zero or low detection’ for TeamTNT’s latest malware bundle https://www.theregister.com/2021/09/08/att_alien_labs_warns_of/
Now, AT&T’s Alien Labs has shone more light on Chimaera – and says that not only has it been in active use since July but that it is “responsible for thousands of infections globally” across Windows, Linux, AWS, Docker, and Kubernetes targets – and all while avoiding detection from anti-virus and anti-malware tools.
Tomi Engdahl says:
Attacking Google Chrome’s Strict Site Isolation via Speculative Execution and Type Confusion https://www.spookjs.com/ Spook.js is a new transient execution side channel attack which targets the Chrome web browser. We show that despite Google’s attempts to mitigate Spectre by deploying Strict Site Isolation, information extraction via malicious JavaScript code is still possible in some cases. More specifically, we show that an attacker-controlled webpage can know which other pages from the same websites a user is currently browsing, retrieve sensitive information from these pages, and even recover login credentials (e.g., username and password) when they are autofilled. We further demonstrate that the attacker can retrieve data from Chrome extensions (such as credential managers) if a user installs a malicious extension. Also https://therecord.media/new-cpu-side-channel-attack-takes-aim-at-chromes-site-isolation-feature/
Tomi Engdahl says:
Pro-PRC Influence Campaign Expands to Dozens of Social Media Platforms, Websites, and Forums in at Least Seven Languages, Attempted to Physically Mobilize Protesters in the U.S.
https://www.fireeye.com/blog/threat-research/2021/09/pro-prc-influence-campaign-social-media-websites-forums.html
The scope of activity, in terms of languages and platforms used, is far broader than previously understood. Most reporting has highlighted English and Chinese-language activity occurring on the social media giants Facebook, Twitter, and YouTube. However, we have now observed this pro-PRC activity taking place on 30 social media platforms and over 40 additional websites and niche forums, and in additional languages including Russian, German, Spanish, Korean, and Japanese.
Accounts in the network have actively sought to physically mobilize protestors in the U.S. in response to the COVID-19 pandemic, though we have seen no indication that these attempts motivated any real-world activity.
Tomi Engdahl says:
Zoho Confirms Zero-Day Authentication Bypass Attacks
https://www.securityweek.com/zoho-confirms-zero-day-authentication-bypass-attacks
Zoho has shipped an urgent patch for an authentication bypass vulnerability in its ManageEngine ADSelfService Plus alongside a warning that the bug is already exploited in attacks.
Tracked as CVE-2021-40539, the security flaw is deemed critical as it could be exploited to take over a vulnerable system.
The issue, according to a Zoho advisory, affects the REST API URLs in ADSelfService Plus and could be abused to achieve remote code execution. Technical details on the vulnerability have yet to be published.
“This is a critical issue. We are noticing indications of this vulnerability being exploited,” Zoho warned.
https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html