This posting is here to collect cyber security news in September 2021.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
Tomi Engdahl says:
US-built Databases a Potential Tool of Taliban Repression
https://www.securityweek.com/us-built-databases-potential-tool-taliban-repression
Tomi Engdahl says:
Howard University Cancels Classes, Shuts Campus After Ransomware Attack
https://www.securityweek.com/howard-university-cancels-classes-shuts-campus-after-ransomware-attack
Howard University closed its physical campus and canceled classes this week after experiencing a ransomware attack.
The incident was discovered on September 3, right before the Labor Day weekend, and the University’s Enterprise Technology Services (ETS) immediately shut down the internal network to contain the attack.
The University did not provide information on which ransomware family might have been involved in the attack, but did say that personal information doesn’t appear to have been compromised.
“To date, there has been no evidence of personal information being accessed or exfiltrated; however, our investigation remains ongoing, and we continue to work toward clarifying the facts surrounding what happened and what information has been accessed,” according to a statement from the university.
https://newsroom.howard.edu/newsroom/article/14946/ransomware-cyberattack-update
Tomi Engdahl says:
Google Android Security Update Patches 40 Vulnerabilities
https://www.securityweek.com/google-android-security-update-patches-40-vulnerabilities
Google on Tuesday published the Android Security Bulletin for September 2021 with patches for a total of 40 vulnerabilities, including seven that are rated critical.
A total of 16 issues were patched with the first part of this month’s security updates – the 2021-09-01 security patch level – including one critical issue in the Framework component. Tracked as CVE-2021-0687, the security bug affects Android 8.1, 9, 10, and 11.
“The most severe of these issues is a critical security vulnerability in the Framework component that could enable a remote attacker using a specially crafted file to cause a permanent denial of service,” according to Google’s advisory.
Six other vulnerabilities were patched in the Framework component, all considered high-severity. These include five elevation of privilege flaws and one information disclosure vulnerability.
https://source.android.com/security/bulletin/2021-09-01
Tomi Engdahl says:
Internet Explorer may still haunt your nightmares, even if you no longer use it. There’s a vulnerability in its engine, MSHTML, that hackers are exploiting in attacks on Microsoft Office users. No patch for this vulnerability exists, but there’s a workaround.
Internet Explorer vulnerability threatens Microsoft Office users
https://www.kaspersky.com/blog/cve-2021-40444-vulnerability-mshtml/41728/?utm_source=facebook&utm_medium=social&utm_campaign=gl_MSHTML-Vulnerability-RR-_ay0073_promo&utm_content=sm-post&utm_term=gl_facebook_promo_rfrm31s473vohoi&fbclid=IwAR1W5q7XY1lrIfcdWuRM1sCpY-FmncMvJdNGhemxZfY5QBDZQ-CU0GkqglY
An unpatched vulnerability in the MSHTML engine is enabling attacks on Microsoft Office users
Tomi Engdahl says:
Every third suspicious work email is trying to phish for information
https://etn.fi/index.php/13-news/12534-joka-kolmas-epaeilyttaevae-tyoemeili-yrittaeae-kalastella-tietoja
According to a new study, 33 percent of the phishing email messages reported by employees contain content that is harmful or highly harmful from a security standpoint. The finding is based on an F-Secure analysis, for which employee-reported email messages were collected from organizations around the world during the first half of 2021.
A third of the employees whose organizations use F-Secure's email reporting for Microsoft Office 365 submitted more than 200,000 emails for analysis during the first half of the year. Active users submitted an average of 2.14 emails.
According to the analysis, the most common reason for reporting was a suspicious link, cited by 59 percent of users. 54 percent reported an email because of an incorrect or unexpected sender and 37 percent because of spam. 34% of users suspected social engineering and 7% reported a suspicious attachment.
Tomi Engdahl says:
Sam Levin / The Guardian:
Documents: LAPD directs its officers to collect social media information of every civilian they interview, including those not arrested or accused of a crime — An internal police chief memo shows employees were directed to use ‘field interview cards’ which would then be reviewed
Revealed: LAPD officers told to collect social media data on every civilian they stop
https://www.theguardian.com/us-news/2021/sep/08/revealed-los-angeles-police-officers-gathering-social-media
Tomi Engdahl says:
Joseph Menn / Reuters:
Microsoft says it has now fixed a flaw that could have allowed hackers to access data of some Azure customers; Palo Alto Networks reported the flaw in July — Microsoft (MSFT.O) warned some of its Azure cloud computing customers that a flaw discovered by security researchers could have allowed hackers access to their data.
Microsoft warns Azure customers of flaw that could have permitted hackers access to data
By Joseph Menn
https://www.reuters.com/technology/microsoft-warns-azure-customers-flaw-that-could-have-permitted-hackers-access-2021-09-08/
SAN FRANCISCO, Sept 8 (Reuters) – Microsoft (MSFT.O) warned some of its Azure cloud computing customers that a flaw discovered by security researchers could have allowed hackers access to their data.
In a blog post from its security response team, Microsoft said it had fixed the flaw reported by Palo Alto Networks and it had no evidence malicious hackers had abused the technique.
It said it had notified some customers they should change their login credentials as a precaution.
The blog post followed questions from Reuters about the technique described by Palo Alto.
Coordinated disclosure of vulnerability in Azure Container Instances Service
https://msrc-blog.microsoft.com/2021/09/08/coordinated-disclosure-of-vulnerability-in-azure-container-instances-service/
Microsoft recently mitigated a vulnerability reported by a security researcher in the Azure Container Instances (ACI) that could potentially allow a user to access other customers’ information in the ACI service. Our investigation surfaced no unauthorized access to customer data. Out of an abundance of caution we notified customers with containers running on the same clusters as the researchers via Service Health Notifications in the Azure Portal. If you did not receive a notification, no action is required with respect to this vulnerability.
Part of any robust security posture is working with researchers to help find vulnerabilities, so we can fix any findings before they are misused. We want to thank Palo Alto Networks who reported this vulnerability and worked with the Microsoft Security Response Center (MSRC) under Coordinated Vulnerability Disclosure (CVD) to help keep Microsoft customers safe.
Tomi Engdahl says:
Dustin Volz / Wall Street Journal:
Researchers: China-linked fake social media accounts tried to draw Asian-Americans to protests against racism; Facebook, YouTube, Twitter suspended the accounts — Campaign is first known instance of China-linked actors fomenting real-world U.S. protest; ‘They’re copying the Kremlin’s playbook’
Pro-China Online Network Used Fake Accounts to Urge Asian-Americans to Attend Protests, Researchers Say
Campaign is first known instance of China-linked actors fomenting real-world U.S. protest; ‘They’re copying the Kremlin’s playbook’
https://www.wsj.com/articles/pro-china-online-network-used-fake-accounts-to-urge-asian-americans-to-attend-protests-researchers-say-11631109601?mod=djemalertNEWS
Tomi Engdahl says:
University of South Wales: Hacker jailed for selling exam answers
https://www.bbc.co.uk/news/uk-wales-58502963
A former student has been jailed for 20 months for hacking university computers and selling exam answers for thousands of pounds.
Aljayyash’s crimes were committed between November 2017 and May 2019.
Cardiff Crown Court heard Aljayyash, from Iraq, remained undetected by using “sophisticated” techniques.
Jim Davis, prosecuting, said it became obvious to Mr Harris a number of students had answered questions by copying his own marking scheme and solutions.
Five students had even copied typing mistakes from Mr Harris’s original working papers.
Cardiff Crown Court heard the university established a “war room” to process 140 million log records, which identified an IP address – linked to a house in Brook Street, Treforest, where Aljayyash and Eltarki were both living – from which the systems were accessed.
Police were informed of what had happened and arrested Aljayyash at home on 30 May 2019.
Hacking ‘cost university £100,000′
The court heard Aljayyash made about £20,000, including £6,500 from one second-year student.
Eltarki was paid £300 or £400 each time by Aljayyash for finding students to buy the stolen papers.
The court heard the investigation and new security measures cost the university more than £100,000.
Sentencing Aljayyash, Judge Wynn Morgan told the defendant he had “obvious talent and skill,” and what he did was “planned and consistent”.
He called the scheme “very sophisticated” and said it had “damaged the reputation of the institution”.
He told Aljayyash that his motive was “financial greed”.
“I hope that this sentence serves as a warning to those thinking about attempting to overcome security protocols for financial gain.”
Tomi Engdahl says:
Yandex is battling the largest DDoS in Russian Internet history
https://www.bleepingcomputer.com/news/security/yandex-is-battling-the-largest-ddos-in-russian-internet-history/
Russian internet giant Yandex has been targeted in a massive distributed denial-of-service (DDoS) attack that started last week and reportedly continues this week.
A report in Russian media says that the assault is the largest in the short history of the Russian internet, the RuNet, and that it was confirmed by a U.S.-based company.
RuNet is the Russian segment of the internet, created to function independently of the worldwide web.
Services and data not impacted
The Russian publication says that a Yandex spokesperson confirmed the DDoS attack and that the company’s network infrastructure managed to filter the unwanted requests, resulting in no impact on provided services or user data.
According to Alexander Lyamin, the CEO of Qrator Labs, quoted by Vedomosti, Yandex appears to have been targeted by a new botnet that harnesses the power of network equipment from a vendor in the Baltic region.
Two of the largest DDoS attacks publicly reported are a 2.3Tbps detected by Amazon Web Services Shield in the first quarter of 2020 and a 17 million requests per second assault mitigated by Cloudflare in July this year.
Tomi Engdahl says:
New Mēris botnet breaks DDoS record with 21.8 million RPS attack
https://www.bleepingcomputer.com/news/security/new-m-ris-botnet-breaks-ddos-record-with-218-million-rps-attack/
A new distributed denial-of-service (DDoS) botnet that kept growing over the summer has been hammering Russian internet giant Yandex for the past month, the attack peaking at the unprecedented rate of 21.8 million requests per second.
The botnet received the name Mēris, and it gets its power from tens of thousands of compromised devices that researchers believe to be primarily powerful networking equipment.
Large and powerful botnet
News about a massive DDoS attack hitting Yandex broke this week in the Russian media, which described it as being the largest in the history of the Russian internet, the so-called RuNet.
Information collected separately from several attacks deployed by the new Mēris (Latvian for ‘plague’) botnet, showed a striking force of more than 30,000 devices.
From the data that Yandex observed, assaults on its servers relied on about 56,000 attacking hosts. However, the researchers have seen indications that the number of compromised devices may be closer to 250,000.
The researchers note that the compromised hosts in Mēris are “not your typical IoT blinker connected to WiFi” but highly capable devices that require an Ethernet connection.
Mēris is the same botnet responsible for generating the largest volume of attack traffic that Cloudflare recorded and mitigated to date, as it peaked at 17.2 million requests per second (RPS).
However, Mēris botnet broke that record when hitting Yandex, as its flux on September 5 reached a force of 21.8 million RPS.
Tomi Engdahl says:
GitHub finds 7 code execution vulnerabilities in ‘tar’ and npm CLI https://www.bleepingcomputer.com/news/security/github-finds-7-code-execution-vulnerabilities-in-tar-and-npm-cli/
GitHub security team has identified several high-severity vulnerabilities in npm packages, “tar” and “@npmcli/arborist,” used by npm CLI.
Tomi Engdahl says:
Confluence vulnerability, a tale of catching active exploitation in the wild https://sensorfleet.com/2021/09/07/confluence-vulnerability.html
In this blog post I summarize how a simple test with a SensorFleet Sensor in partner infrastructure yielded the detection of exploitation of the Atlassian Confluence OGNL injection vulnerability (CVE-2021-26084).
Tomi Engdahl says:
Dark web prices for stolen PayPal accounts up, credit cards down: report
https://www.comparitech.com/blog/vpn-privacy/dark-web-prices/
Comparitech researchers sifted through several illicit marketplaces on the dark web to find out how much our private information is worth.
Where possible, we'll also examine how prices have changed over time.
Tomi Engdahl says:
Over 60,000 parked domains were vulnerable to AWS hijacking https://www.bleepingcomputer.com/news/security/over-60-000-parked-domains-were-vulnerable-to-aws-hijacking/
Domain registrar MarkMonitor had left more than 60,000 parked domains vulnerable to domain hijacking. The parked domains were seen pointing to nonexistent Amazon S3 bucket addresses, hinting that there existed a domain takeover weakness.
Tomi Engdahl says:
Fortinet warns customers after hackers leak passwords for 87,000 VPNs https://therecord.media/fortinet-warns-customers-after-hackers-leak-passwords-for-87000-vpns/
Networking equipment vendor Fortinet has notified customers today that a cybercriminal gang has assembled a collection of access credentials for more than 87,000 FortiGate SSL-VPN devices. “This incident is related to an old vulnerability resolved in May 2019,” the company said in a blog post following an inquiry from The Record sent on Tuesday, when a small portion of this larger list was published on a private cybercrime forum hosted on the dark web, and later on the website of a ransomware gang, known to have close affiliations with the same forum. The researchers, who publicly admit to being “gray hats” but still did not want their names included in this article for legal reasons, said that from a list of 502,677 credentials, belonging to around 22,500 Fortinet VPNs, the vast majority (varying from 80% to 90%, depending on scan) did not work anymore, or the login screen was protected by a two-factor authentication system.
Tomi Engdahl says:
Mastercard to Acquire Blockchain Analytics Firm CipherTrace
https://www.securityweek.com/mastercard-acquire-blockchain-analytics-firm-ciphertrace
Payments giant Mastercard (NYSE: MA) announced Thursday that it has agreed to acquire cryptocurrency intelligence and blockchain analytics company CipherTrace for an undisclosed sum.
Tomi Engdahl says:
Microsoft Warns of Information Leak Flaw in Azure Container Instances
https://www.securityweek.com/microsoft-warns-information-leak-flaw-azure-container-instances
Microsoft has patched an Azure Container Instances (ACI) vulnerability that could have allowed users to access the information of other Azure customers.
The company did not provide technical details on the vulnerability but security researchers with Palo Alto Networks say attackers could have exploited the bug to execute code on other users’ containers, steal sensitive information such as crypto secrets, and even deploy crypto-mining malware.
Microsoft said it notified customers that might have been affected, through the Service Health Notifications in the Azure Portal. Those that did not receive a notification need take no action, the company added.
Tomi Engdahl says:
Bloomberg:
Resecurity: hackers gained access to UN’s proprietary project management tool Umoja from April 5 to August 7, stealing an unknown amount of data
https://www.bloomberg.com/news/articles/2021-09-09/united-nations-computers-breached-by-hackers-earlier-this-year
Tomi Engdahl says:
https://thehackernews.com/2021/09/haproxy-found-vulnerable-to-critical.html?m=1
A critical security vulnerability has been disclosed in HAProxy, a widely used open-source load balancer and proxy server, that could be abused by an adversary to possibly smuggle HTTP requests, resulting in unauthorized access to sensitive data and execution of arbitrary commands, effectively opening the door to an array of attacks.
Tracked as CVE-2021-40346, the Integer Overflow vulnerability has a severity rating of 8.6 on the CVSS scoring system and has been rectified in HAProxy versions 2.0.25, 2.2.17, 2.3.14 and 2.4.4.
Tomi Engdahl says:
The U.S. Navy has successfully invented a special electronic device that is designed to stop people from talking. A form of non-lethal weapon, the new electronic device effectively repeats a speaker’s own voice back at them, and only them, while they attempt to talk.
https://interestingengineering.com/a-new-navy-weapon-actually-stops-you-from-talking
Tomi Engdahl says:
https://www.occrp.org/en/investigations/how-a-russian-mobile-app-developer-recruited-phones-into-a-secret-ad-watching-robot-army
Tomi Engdahl says:
https://apple.news/ASDtpvl_iQti2Fhj7-E75UA
Outside of items such as planes, and a (very) few ships… Almost all military computer hardware and software is 15-20+ years outdated.
The Air Force’s chief software officer quit because its technology was so bad
Cybersecurity is not looking great these days.
https://www.popsci.com/military/air-force-chief-software-officer-quits/
Former Air Force Chief Software Officer Nicolas Chaillan posted a tell-all about his resignation on a recent LinkedIn post.
If you’ve ever struggled with a government computer still running on Windows 2000, know that you’re not alone. In fact, the military’s cybersecurity infrastructure and software development enterprise is in such a bad state that the Air Force’s first-ever Chief Software Officer will soon resign because it isn’t worth fighting the entire bureaucracy of the Department of Defense just to get some basic information technology issues fixed.
“We are running in circles trying to fix transport/connectivity, cloud, endpoints, and various basic IT capabilities that are seen as trivial for any organization outside of the U.S. Government,” wrote Nicolas Chaillan in a LinkedIn post announcing his resignation on Thursday. “At this point, I am just tired of continuously chasing support and money to do my job. My office still has no billet and no funding, this year and the next.”
For those who might be thinking “what do I care about software? Let the nerds figure that one out,” hear this: Many experts believe that future conflicts will be won and lost based on our ability to develop new software.
“Success in tomorrow’s conflicts will largely depend on how warfighters are able to harness and adapt everything from mission systems on aircraft to sensor packages, networks, and decision aides,”
“To prevail in a dynamic and contested battlespace, warfighters must be able to reprogram and reconfigure their weapon systems, sensors and networks,” they wrote. “Yet the Air Force continues to develop, update, and manage software and architectures in a highly centralized and stove-piped fashion.”
“The bureaucracy of Department of Defense funding categories also prevents software tools from being fielded and employed,” they wrote, which means warfighters are always a step behind their changing battlespace. “This is a recipe for failure given tomorrow’s challenges. To put it bluntly, software and networks shouldn’t be governed by industrial age processes.”
“I’m tired of hearing the right words without action, and I called on leadership to ‘walk the walk,’
There are several specific experiences that impressed on Chaillan how little military leadership actually cares about cybersecurity and software development. One of those is DevSecOps, which is short for development, security, and operations.
“There is absolutely no valid reason not to use and mandate DevSecOps in 2021 for custom software. It is borderline criminal not to do so. It is effectively guaranteeing a tremendous waste of taxpayer money and creates massive cybersecurity threats but also prevents us from delivering capabilities at the pace of relevance, putting lives at risk[.]”
The same problem applies to implementing Zero Trust systems. Those are software security steps like when Gmail or Facebook texts you a verification code just to make sure you’re not a hacker. You’d think national security secrets would have a better layer of security than my company’s Mailchimp account, but apparently not.
“[W]e hear the leadership talk about Zero Trust implementations without our teams receiving a dime of funding to make it happen,” he wrote.
“Why waste more taxpayer money playing catch up?” the software officer wrote. “The ‘not invented here’ syndrome is powerful in DoD and our leadership is not willing to stop it.”
“Although the F-22 and F-35 are the only two 5th generation fighters in the Air Force inventory, they cannot share information with each other machine-to-machine,” because they use incompatible datalinks that were developed 10 years apart.
Tomi Engdahl says:
Confessions of a ransomware negotiator: Well, somebody’s got to talk to the criminals holding data hostage
We can’t deny people are paying up left, right, and centre…
https://www.theregister.com/2021/09/03/how_to_be_a_ransomware/
Many people outside of IT believe computers will do away with jobs, but the current ransomware plague shows that new and more curious kinds of jobs are created at least as fast. So what sort of background sets you up to talk to people holding your data for ransom?
To find out, The Reg talked to Nick Shah of STORM Guidance, who says he acts as a conduit between victims and the extortionists.
“We should point out that current British government advice is not to pay a ransomware demand.
The National Cyber Security Centre, meanwhile, has urged British businesses to think carefully when picking a cyber insurance policy – but won’t say whether insurance that covers ransomware payoffs is a bad thing or not.”
Buying time
Shah’s first advice is that: “A negotiator should never reveal that they are a ‘trained negotiator’. Ideally we purport to just be another member of staff.
“It is important to indicate to the attackers that you (the negotiator) are not a senior member of staff that can make decisions,” reducing their ability to put pressure on you whilst you “purport to be administrative level staff and need to refer upwards for decisions.”
He added: “Should the incident require longer term negotiations, we could at some point – to keep the attacker’s interest – suggest we have escalated it to a manager. Again this manager would not be senior. In reality, it could just be the same negotiator, using a different name and conversation style.”
Negotiation is not about getting the lowest figure possible, it is mainly about getting information and time
“I have seen many CEOs and senior managers be badly affected by the emotional pressures of dealing with a ransomware incident. As well as some feelings of guilt for causing or at least failing to stop criminals from getting into systems, they also carry the burden of worry of what impact this could have on the business and its staff.”
To get some idea of just how stressful this is, STORM has found it sometimes needs a team of confidential counsellors to get staff through it, since even if they are at fault, they are also part of putting it back together and as Shah says: “There is no time or benefit from pointing the finger of blame. It is a rescue mission.” But that, of course, doesn’t stop it from happening.
His experience is that most people are very reluctant to talk to serious criminals themselves.
Often he finds that the ransomware gang’s negotiating skills are quite weak. So part of his role is to make sure that the ransomware-flingers – or their henchpersons – don’t learn anything more during the negotiations than they already do about the company they’ve attacked and the data they’ve encrypted and/or stolen.
There is a balancing act the negotiator needs to maintain: making sure the criminals keep in contact, and are talking towards some sort of solution while the in-house IT professionals and his firm work to try to get things back on track.
Storm’s technical team need time to try to disarm the ransomware and, if possible, resolve the issue without payment, Shah tells us, adding: “Negotiation is not about getting the lowest figure possible, it is mainly about getting information and time. My job is to get them time without the attackers becoming aware of the tactic.”
But be clear when data is leaked, it stays leaked.
Shah explains: “The attackers will increase the pressure as time goes on. They are focused on getting payment as soon as possible and as such will make attempts to rush matters along.
“Storm experts and the negotiator’s role is to support the clients with knowledge and experience to assist them in making the appropriate business decisions in a timely manner. We will be able to assess the validity of threats and give advice on the likelihood of the threat being carried out.”
Talking money
Part of the reason for using a negotiator is that not being personally affected or blamed, Shah and his team will not sound so panicked, and will be much less vulnerable to high demands. An axiom of this work is “to not let them know what your bottom line is going to be – if they know that, you will pay more, they will demand it.”
“The skill of a negotiator is not to make offers, but to get the attackers to ‘bring an offer’,” he tells us. “When discussing their offer we could use tactics to indicate that the demands are unaffordable, unrealistic or [that] acceding to such demands would take some time. These conversation styles generate further debate, either providing us with additional information, delays or a lower demand price. We can then potentially repeat the cycle, until we achieve our objectives.”
Firstly, the former NCA man says, they waste too much time on unrealistic demands and would make more money by asking for a number that can be put down as a cost of business then moving on.
“The obvious difference is that in a kidnap, the negotiator’s primary objective is the safe release of the hostage, and in a ransomware incident, it’s to protect or retrieve data. Suitably trained and experienced kidnap negotiators will have the appropriate skills in their ‘tool kit’ to manage ransomware attackers.”
Unlike a kidnap, where you cannot put a price on a hostage’s life, in ransomware cases, you know the value of the data relatively well
To get their money, extortionists are often more than willing to answer questions during the process, and part of Shah’s work is to get samples of what the attackers have exfiltrated to prove they are telling the truth about it (apparently some criminals lie) and/or to get them to decrypt some data, since there is little point in paying them if they cannot do this. Whether they will or not is another matter. In this way, the negotiations are a lot more stepwise than the binary state of a hostage release.
Shah’s experience is different to most others this writer has talked to in that he doesn’t see repeat attacks, “mainly due to the fact [that], post-incident, the company strengthens their cyber security protocols.”
He adds: “I have not seen any reporting or evidence to indicate that by paying a demand [this] leads to an increase in vulnerability, however, like any negotiations, it is important to not make yourself an easy target by giving an impression that you will accede to initial or any demands.”
Tomi Engdahl says:
Indonesian intelligence agency compromised in suspected Chinese hack https://therecord.media/indonesian-intelligence-agency-compromised-in-suspected-chinese-hack/
Chinese hackers have breached the internal networks of at least ten Indonesian government ministries and agencies, including computers from Indonesia’s primary intelligence service, the Badan Intelijen Negara (BIN). The intrusion, discovered by Insikt Group, the threat research division of Recorded Future, has been linked to Mustang Panda, a Chinese threat actor known for its cyber-espionage campaigns targeting the Southeast Asian region[1, 2]. Insikt researchers first discovered this campaign in April this year, when they detected PlugX malware command and control (C&C) servers, operated by the Mustang Panda group, communicating with hosts inside the networks of the Indonesian government. These communications were later traced back to at least March 2021. The intrusion point and delivery method of the malware are still unclear.
Tomi Engdahl says:
Healthcare orgs in California, Arizona send out breach letters for nearly 150,000 after SSNs accessed during ransomware attacks
https://www.zdnet.com/article/healthcare-orgs-in-california-arizona-send-out-breach-notice-letters-for-nearly-150000-after-ssns-accessed-during-ransomware-attacks/#ftag=RSSbaffb68
Two healthcare organizations have begun sending out breach notification letters to thousands of people in California and Arizona after both revealed that sensitive information — including social security numbers, treatment information and diagnosis data — were accessed during recent cyberattacks. LifeLong Medical Care, a California health center, is sending letters to about 115,000 people about a ransomware attack that took place on November 24, 2020. The letter does not say which ransomware group was involved but said Netgain, a third-party vendor that provides services to LifeLong Medical Care, “discovered anomalous network activity” and only determined it was a ransomware attack by February 25, 2021.
Tomi Engdahl says:
Stolen Credentials Led to Data Theft at United Nations https://threatpost.com/data-theft-united-nations/169357/
A threat actor used stolen credentials from a United Nations employee to breach parts of the UN’s network in April and steal critical data, a spokesman for the intergovernmental organization has confirmed. That data lifted from the network can be used to target agencies within the UN, which already has experienced and responded to “further attacks” linked to the breach, Stéphane Dujarric, spokesman for the UN Secretary-General, told Bloomberg, which broke the news in a report published Thursday. In another high-profile attack in January 2020, the operators behind the notorious Emotet malware took aim at the UN with a concerted phishing campaign, the intent of which was to steal credentials and deliver the TrickBot trojan. The attack ultimately was found to be the result of a Microsoft SharePoint flaw, allowing attackers to steal 400 GB of sensitive data.
Tomi Engdahl says:
Meet Meris, the new 250,000-strong DDoS botnet terrorizing the internet https://therecord.media/meet-meris-the-new-250000-strong-ddos-botnet-terrorizing-the-internet/
A new botnet consisting of an estimated 250,000 malware-infected devices has been behind some of the biggest DDoS attacks over the summer, breaking the record for the largest volumetric DDoS attack twice, once in June and again this month. Named Mēris, the Latvian word for “plague,” the botnet has been primarily used as part of a DDoS extortion campaign against internet service providers and financial entities across several countries, such as Russia, the UK, the US, and New Zealand. The group behind the botnet typically sends menacing emails to large companies asking for a ransom payment. The emails, which target companies with extensive online infrastructure and which can’t afford any downtime, contain threats to take down crucial servers if the group is not paid a certain amount of cryptocurrency by a deadline.
Tomi Engdahl says:
The Week in Ransomware – September 10th 2021 – REvil returns https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-september-10th-2021-revil-returns/
This week marked the return of the notorious REvil ransomware group, who disappeared in July after conducting a massive attack using a Kaseya zero-day vulnerability. Their July attack affected over 1,500 businesses and drew the full attention of international law enforcement and the White House, who demanded that Russia do something about these attacks. Soon after, REvil shut down all of its servers and mysteriously disappeared. That is until this week when REvil’s servers started back up, and a new sample of their ransomware was spotted on VirusTotal.
Tomi Engdahl says:
New Dridex Variant Being Spread By Crafted Excel Document https://www.fortinet.com/blog/threat-research/new-dridex-variant-being-spread-by-crafted-excel-document
Dridex is a Trojan malware, also known as Bugat or Cridex, which is capable of stealing sensitive information from infected machines and delivering and executing malicious modules (dll). FortiGuard Labs recently captured new phishing email campaigns in the wild that included a specially crafted Excel document attachment. FortiGuard Labs did a deep research on one of them and discovered that once the malicious Excel document is opened on a victim’s machine, it downloads a new variant of Dridex. In this analysis, FortiGuard Labs will elaborate how the Excel document downloads Dridex, how this version of Dridex runs on a victim’s device, what sensitive information it collects, and how it delivers malicious modules (dll).
Tomi Engdahl says:
Fujitsu confirms stolen data not connected to cyberattack on its systems https://www.zdnet.com/article/fujitsu-confirms-stolen-data-marketed-on-dark-web-not-connected-to-cyberattack-on-its-systems/
Criminal marketplace Marketo claimed to have 4GB of data from Fujitsu last month and began marketing it widely. At the time, Fujitsu said it was investigating a potential breach and told ZDNet that “details of the source of this information, including whether it comes from our systems or environment, are unknown.”. Marketo claimed to have confidential customer information, company data, budget data, reports and other company documents, including project information. But now both sides have confirmed that the data stolen is not connected to Fujitsu and is instead related to one of the company’s partners in Japan. Fujitsu spokesperson Andrew Kane sent an update to ZDNet confirming that an investigation revealed the stolen data was not from their systems and he noted that even Marketo has since changed how they are marketing the stolen data.
Tomi Engdahl says:
WhatsApp to offer end-to-end encrypted backups in iCloud, Google Drive with user-managed keys https://www.theregister.com/2021/09/11/whatsapp_cloud_encryption/
Facebook’s WhatsApp on Friday said users will soon be able to store end-to-end (E2E) encrypted backups of their chat history on Google Drive in Android or Apple iCloud in iOS, with an option to self-manage the encryption key. The move makes encryption-enforced message privacy typically rather complicated more viable for consumer-oriented messaging services, if you take for granted the technical integrity of WhatsApp’s encryption and the company’s claims about its privacy practices.
Tomi Engdahl says:
New York State fixes vulnerability in COVID-19 passport app that allowed storage of fake vaccine credentials https://www.zdnet.com/article/new-york-state-fixes-vulnerability-in-covid-19-passport-app-that-allowed-storage-of-fake-vaccine-credentials/
New York state has fixed an issue with the Excelsior Pass Wallet that allows users to acquire and store COVID-19 vaccine credentials. The issue — discovered by researchers at the NCC Group — allows someone “to create and store fake vaccine credentials in their NYS Excelsior Pass Wallet that might allow them to gain access to physical spaces (such as businesses and event venues) where they would not be allowed without a vaccine credential, even when they have not received a COVID-19 vaccine.” The researchers found that the application did not validate vaccine credentials added to it, allowing forged credentials to be stored by users. A patch solving the issue was released on August 20.
Tomi Engdahl says:
Windows MSHTML zero-day exploits shared on hacking forums https://www.bleepingcomputer.com/news/microsoft/windows-mshtml-zero-day-exploits-shared-on-hacking-forums/
Threat actors are sharing Windows MSHTML zero-day (CVE-2021-40444) tutorials and exploits on hacking forums, allowing other hackers to start exploiting the new vulnerability in their own attacks. Last Tuesday, Microsoft disclosed a new zero-day vulnerability in Windows MSHTML that allows threat actors to create malicious documents, including Office and RTF docs, to execute commands on a victim’s computer remotely. Even though there are no security updates available for the CVE-2021-40444 vulnerability, as it was discovered used in active attacks by EXPMON and Mandiant, Microsoft decided to disclose the vulnerability and provide mitigations to help prevent its exploitation. These mitigations work by blocking ActiveX controls and Word/RTF document previews in Windows Explorer. However, researchers have been able to modify the exploit not to use ActiveX, effectively bypassing Microsoft’s mitigations.
Tomi Engdahl says:
Google Introduces Private Compute Services for Android
https://www.securityweek.com/google-introduces-private-compute-services-android
Google this week introduced a new suite of services designed to improve privacy in the Android operating system.
The new features add to the previously introduced Private Compute Core in Android 12 beta, an open source, secure environment designed to be completely isolated from the Android platform itself, as well as from other applications.
For the time being, Private Compute Core includes features such as Live Caption, Now Playing, and Smart Reply, but Google says that additional privacy-preserving features will be added with each new Android release.
To increase privacy, these features keep user data on the device, as the data processed in the Private Compute Core isn’t shared with other apps, and allow for the device to access the cloud without compromising privacy.
No feature within the Private Compute Core has direct access to a network, which is where the newly introduced Private Compute Services come into play. Powered by machine learning, Google says they create a bridge between Private Compute Core and the cloud.
Tomi Engdahl says:
ProtonMail (Wrongly?) Criticized for Disclosing User IP to Authorities
https://www.securityweek.com/protonmail-wrongly-criticized-disclosing-user-ip-authorities
Blaming ProtonMail misses important lessons of the case, as request from authorities ticked the necessary requirements under Swiss law
ProtonMail, a privacy and security-focused email provider based in Switzerland, has been strongly criticized for providing the IP address of a customer to Swiss authorities, ultimately leading to the arrest of a climate activist in France. But simply blaming ProtonMail misses the important lessons of this case.
Background
French authorities were aware that a group ‘of interest’ (the Youth for Climate collective and associated groups) used the jmm18[@]protonmail.com email address. According to police reports, the climate group had hardened its interests along general anti-capitalist lines, and were taking part in illegal squatting and damage to property.
Since Switzerland is not part of the EU, the French police could not demand that the Swiss authorities obtain and hand over the IP address of the email user. Instead, it approached Switzerland via Europol. Switzerland acquiesced with Europol, and required ProtonMail to deliver up the IP address. Since the request ticked all the necessary requirements under Swiss law, ProtonMail had no option but to obey.
It should be stressed that ProtonMail cannot deliver the content of its end-to-end encryption – this is solely about the user’s IP address.
Tomi Engdahl says:
Cisco Patches High-Severity Security Flaws in IOS XR
https://www.securityweek.com/cisco-patches-high-severity-security-flaws-ios-xr
Cisco this week released patches for multiple high-severity vulnerabilities in the IOS XR software and warned that attackers could exploit these bugs to reboot devices, elevate privileges, or overwrite and read arbitrary files.
The most severe of these issues is CVE-2021-34720 (CVSS score 8.6), a bug that could be exploited remotely without authentication to exhaust device packet memory, leading to a denial of service (DoS) condition.
The issue was identified in the IP Service Level Agreements (IP SLA) responder and Two-Way Active Measurement Protocol (TWAMP) features of IOS XR and exists because socket creation failures are not handled correctly during the IP SLA and TWAMP processes.
By sending specific IP SLA or TWAMP packets, an attacker could trigger the vulnerability to exhaust the packet memory. This could result in the crash of the IP SLA process or could affect other processes, such as routing protocols.
Cisco also patched a separate issue (CVE-2021-34718, CVSS 8.1) in the SSH Server process of IOS XR that could be exploited by a remote attacker to overwrite and read arbitrary files. Exploitation of this bug requires authentication.
Tomi Engdahl says:
HAProxy Vulnerability Leads to HTTP Request Smuggling
https://www.securityweek.com/haproxy-vulnerability-leads-http-request-smuggling
A critical security vulnerability in HAProxy could allow attackers to bypass security controls and access sensitive data without authorization, according to a warning from security research outfit JFrog.
An attacker could exploit the vulnerability – tracked as CVE-2021-40346 (CVSS score of 8.6) – to bypass duplicate HTTP Content-Length header checks. Thus, the attacker could smuggle HTTP requests to the backend server without the proxy server noticing it, or launch a response-splitting attack.
“Our analysis confirmed that the duplication is achieved by making use of the memory layout of HAProxy’s internal representation of an HTTP message to slip a select character from the header’s name to its value. Due to the difficulty in executing such an attack, the risk is low,” according to an HAProxy advisory.
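The request-smuggling class described above comes down to two parsers disagreeing about where one request ends and the next begins. The following is an added example, not code from the article, from JFrog or from the HAProxy project, and it does not reproduce the HAProxy bug itself: it is the strict framing check a proxy or backend should apply to an incoming HTTP/1.1 request head before forwarding it, per RFC 7230 sections 3.2.4 and 3.3.3 (reject duplicate or conflicting Content-Length values, reject Content-Length alongside Transfer-Encoding, and reject whitespace between a header name and its colon). The sample requests at the bottom are constructed for the demonstration.

```python
"""Strict HTTP/1.1 request framing check (added example, not HAProxy code)."""
from typing import List, Optional, Tuple


class FramingError(ValueError):
    """Raised when the body length of a request is ambiguous or malformed."""


def parse_head(raw: bytes) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw request head into the request line and (name, value) pairs.

    Header names are lower-cased; values are stripped of surrounding whitespace.
    Whitespace between the field name and the colon is rejected outright
    (RFC 7230 3.2.4), since a character "slipping" between name and value is
    exactly what a duplicate-header smuggling trick relies on.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("ascii")
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        if b":" not in line:
            raise FramingError(f"malformed header line: {line!r}")
        name, _, value = line.partition(b":")
        if name != name.strip():
            raise FramingError(f"whitespace around header name: {name!r}")
        headers.append((name.decode("ascii").lower(), value.decode("ascii").strip()))
    return request_line, headers


def body_length(headers: List[Tuple[str, str]]) -> Optional[int]:
    """Return the declared body length, None for chunked, or raise FramingError."""
    cls = [v for n, v in headers if n == "content-length"]
    tes = [v for n, v in headers if n == "transfer-encoding"]
    if tes and cls:
        # CL.TE / TE.CL desync: front end and back end may frame differently.
        raise FramingError("both Transfer-Encoding and Content-Length present")
    if tes:
        if tes[-1].split(",")[-1].strip().lower() != "chunked":
            raise FramingError("final transfer coding is not chunked")
        return None
    if not cls:
        return 0
    # A single field may itself be a comma list ("Content-Length: 5, 5").
    values = {v.strip() for cl in cls for v in cl.split(",")}
    if len(values) != 1:
        raise FramingError(f"conflicting Content-Length values: {sorted(values)}")
    value = values.pop()
    if not value.isdigit():
        raise FramingError(f"non-numeric Content-Length: {value!r}")
    return int(value)


def check_request(raw: bytes) -> Optional[int]:
    """Validate a raw request head and return the body length to forward with."""
    _, headers = parse_head(raw)
    return body_length(headers)


def is_rejected(raw: bytes) -> bool:
    """True when the request must not be forwarded because its framing is unsafe."""
    try:
        check_request(raw)
    except FramingError:
        return True
    return False


# Constructed sample requests for the demonstration.
CLEAN = b"POST /a HTTP/1.1\r\nHost: x\r\nContent-Length: 5\r\n\r\nhello"
DUP_CL = b"POST /a HTTP/1.1\r\nHost: x\r\nContent-Length: 5\r\nContent-Length: 12\r\n\r\nhello"
CL_TE = b"POST /a HTTP/1.1\r\nHost: x\r\nContent-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n"
SPACED = b"POST /a HTTP/1.1\r\nHost: x\r\nContent-Length : 5\r\n\r\nhello"
CHUNKED = b"POST /a HTTP/1.1\r\nHost: x\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n"

if __name__ == "__main__":
    for label, req in [("clean", CLEAN), ("dup_cl", DUP_CL), ("cl_te", CL_TE),
                       ("spaced", SPACED), ("chunked", CHUNKED)]:
        print(f"{label:8s} rejected={is_rejected(req)}")
```

The check is deliberately stricter than what many servers accept: rejecting rather than normalising is the safe choice at a proxy, because the backend behind it may normalise differently.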
Tomi Engdahl says:
Beware of Office files: even previewing them can be dangerous https://www.is.fi/digitoday/tietoturva/art-2000008260361.html
Microsoft Office documents, that is, files made with Word, Excel and PowerPoint, hide a greater danger than previously thought, report Traficom’s National Cyber Security Centre and Kaspersky Lab, among others. It was previously reported that a vulnerability in a Windows software component called MSHTML allows malware to be smuggled onto a computer along with an Office document.
At the time it was believed that activating the malware required opening the document and clicking through a security warning. It has now turned out that the vulnerability known as CVE-2021-40444 is worse than assumed. For a successful attack it is enough that the recipient previews the infected document. As a result, the attacker is able to run their own programs on the victim’s computer. The vulnerability is already being exploited in attacks.
Tomi Engdahl says:
BlackMatter ransomware hits medical technology giant Olympus https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-hits-medical-technology-giant-olympus/
Olympus, a leading medical technology company, is investigating a “potential cybersecurity incident” that impacted some of its EMEA (Europe, Middle East, Africa) IT systems last week. Olympus has more than 31,000 employees worldwide and over 100 years of history developing for the medical, life sciences, and industrial equipment industries. The company’s camera, audio recorder, and binocular divisions have been transferred to OM Digital Solutions, which has been selling and distributing these products starting with January 2021.
Tomi Engdahl says:
Threat actor ports Cobalt Strike beacon to Linux, uses it in attacks https://therecord.media/threat-actor-ports-cobalt-strike-beacon-to-linux-uses-it-in-attacks/
A newly discovered hacking group has used a customized and enhanced version of a popular security tool to orchestrate attacks against a wide range of targets across the world over the month of August 2021.
The attacks targeted telecom companies, government agencies, IT companies, financial institutions, and advisory companies. Codenamed Vermilion, the threat actor modified a version of Cobalt Strike, a penetration testing toolkit developed by security software firm HelpSystems. While the tool was developed to help security firms emulate techniques used by threat actors as part of penetration tests, the tool’s advanced features have also made it a favorite among cybercrime groups.
Tomi Engdahl says:
Hackers stole Puma source code, no customer data, company says https://therecord.media/hackers-stole-puma-source-code-no-customer-data-company-says/
Hackers have stolen information from sportswear maker Puma and are currently trying to extort the German company into paying a ransom demand, threatening to release the stolen files on a dark web portal specialized in the leaking and selling of stolen information. The entry advertising the Puma data was added on the site more than two weeks ago, at the end of August, The Record has learned. “It was a PUMA source code for an internal application, which was leaked,” Robert-Jan Bartunek, head for Puma’s corporate communications, told The Record last week. “No consumer or employee data was affected,” Bartunek added.
Tomi Engdahl says:
Open redirect on UK council website was being used for Royal Mail-themed parcel payments scam https://www.theregister.com/2021/09/13/open_redirect_council_property_website_spam/
An open redirect on a UK council-backed property website allowed low-level miscreants to evade filters. The website operated by tech services biz Civica had an open redirect being actively abused by spammers, piggybacking off the website’s domain authority so their messages weren’t flagged up by scanning tools. Fortuitously, one of the spam emails that bounced through the Homes4Wiltshire website ended up in the mailbox of ethical hacker Scott Helme, who was intrigued enough to track down how it had got through his defences. The message itself was a Royal Mail-themed spam campaign urging Helme to pay for a delivery, a very familiar scam from the past couple of years. On clicking the “proceed now” button in the email, he saw it linked to Homes4Wiltshire’s website and traced the full number of hops back to a domain called package-royamail[.]co[.]uk. (Did you spot the missing L? Plenty wouldn’t have.) Helme blogged about his detective work tracking down the root cause of the redirect, which he attributed to a configuration problem in a web app deployed by Civica to its customers’ websites. Some brief Google-enabled sleuthing helped him find other domains using the same unique ViewSwitcherSwitchView?mobile=True&returnUrl= string.
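The endpoint above takes a returnUrl parameter and sends the browser wherever it points, which is the whole open-redirect problem. As an added example (not Civica’s, Helme’s or the article’s code; the site origin, the handler name and the attacker domain are assumptions), here is the trusting redirect beside a hardened version that only accepts a relative path on the site itself, plus a small handler that parses a ViewSwitcherSwitchView-style query string through it. The sample query strings are constructed for the demonstration.

```python
"""Open redirect: vulnerable vs hardened returnUrl handling (added example)."""
from urllib.parse import parse_qs, urljoin, urlsplit

# Assumed origin of the site issuing the redirect, not the real council site.
SITE = "https://www.example.org"


def redirect_target_unsafe(return_url: str) -> str:
    """Deliberately vulnerable: the parameter is trusted as the redirect target."""
    return return_url


def redirect_target_safe(return_url: str, default: str = "/") -> str:
    """Return an absolute same-site URL for a relative returnUrl, else the default.

    Rejects absolute URLs (https://attacker.example), protocol-relative ones
    (//attacker.example), backslash tricks that some browsers normalise to a
    host (/\\attacker.example), and control characters (header injection).
    """
    if not return_url:
        return default
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in return_url):
        return default
    if "\\" in return_url:
        return default
    parts = urlsplit(return_url)
    if parts.scheme or parts.netloc:
        return default
    if not parts.path.startswith("/") or parts.path.startswith("//"):
        return default
    # Resolve against our own origin and double-check the host did not change.
    final = urljoin(SITE + "/", return_url)
    if urlsplit(final).netloc != urlsplit(SITE).netloc:
        return default
    return final


def handle_view_switch(query_string: str) -> str:
    """Hypothetical handler for a ViewSwitcherSwitchView-style endpoint.

    Parses the query string, ignores the mobile flag for this purpose, and
    runs returnUrl through the hardened validator.
    """
    params = parse_qs(query_string)
    return_url = params.get("returnUrl", [""])[0]
    return redirect_target_safe(return_url)


if __name__ == "__main__":
    # Constructed query strings: one legitimate, one of the kind spammers abused.
    for qs in ("mobile=True&returnUrl=%2Fproperties%2F42",
               "mobile=True&returnUrl=https%3A%2F%2Fattacker.example%2Fpay"):
        print(qs, "->", handle_view_switch(qs))
```

An allow-list of exact internal paths is stricter still and is the right choice when the set of legitimate return targets is small; the relative-path rule above is the minimum that closes the filter-evasion abuse the article describes.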
Tomi Engdahl says:
This is how a cybersecurity researcher accidentally broke Apple Shortcuts
https://www.zdnet.com/article/this-is-how-a-cybersecurity-researcher-accidentally-broke-apple-shortcuts/#ftag=RSSbaffb68
A Detectify researcher has explained how an investigation into Apple CloudKit led to the accidental downtime of Shortcuts functionality for users. In March, Apple users began to report error messages when they attempted to open shared shortcuts. As noted by 9to5Mac, this bizarre issue was of particular concern to content creators who shared shortcuts with their followers via iCloud, who suddenly found their links were broken. Reports began to surface on March 24, and a day later, the iPad and iPhone maker told MacStories editor-in-chief Federico Viticci that the company was “working to restore previously shared shortcuts as quickly as possible.” According to Detectify Knowledge Advisor and bug bounty hunter Frans Rosén, the root cause of the issue was a misconfiguration flaw he accidentally stumbled upon — and triggered — in Apple CloudKit.
Tomi Engdahl says:
WhatsApp’s End-to-End Encryption Isn’t Actually Broken https://threatpost.com/whatsapp-end-encryption-broken/169399/
WhatsApp’s moderators sent messages flagged by intended recipients.
Researchers say this isn’t concerning yet. New revelations about WhatsApp’s moderator access to messages last week might seem like they run counter to the company’s privacy-forward brand, but a closer look shows the messaging service’s privacy protections remain in place and are operating as intended. Taylor Gulley with nVisium told Threatpost that he too agrees WhatsApp isn’t violating user privacy with its reporting feature.
Tomi Engdahl says:
Apple releases patches for NSO Group’s ForcedEntry zero-day
https://support.apple.com/en-us/HT212807
Apple has released security updates today to patch ForcedEntry, a professional exploit developed by Israeli spyware maker NSO Group, and which has been abused to hack into the phones of multiple activists since February this year. Patches are available today for macOS, iOS, iPadOS, and watchOS. Tracked as CVE-2021-30860, the ForcedEntry zero-day exploits a bug in CoreGraphics, an Apple component for drawing 2D graphics. In addition, Apple’s security updates today also include a patch for a second zero-day, tracked as CVE-2021-30858.
These two zero-days represent the 14th and 15th zero-days Apple has patched this year. More information:
https://therecord.media/apple-releases-patches-for-nso-groups-forcedentry-zero-day/
https://www.bleepingcomputer.com/news/apple/apple-fixes-ios-zero-day-used-to-deploy-nso-iphone-spyware/
Tomi Engdahl says:
OpenSSL 3.0 Released After 3 Years of Development
https://www.securityweek.com/openssl-30-released-after-3-years-development
The OpenSSL Project last week announced the official release of OpenSSL 3.0, a version that has been under development for the past 3 years.
OpenSSL 3.0 is the successor of version 1.1.1. The latest version is the result of more than 7,500 commits and contributions made by over 350 individuals, and it took 17 alpha releases and two beta releases to prepare OpenSSL 3.0 for its official release.
The full-time engineers working on OpenSSL 3.0 have been aided by many users who have been testing the new release to ensure that it works with a wide range of applications in real world environments.
The OpenSSL Project lists well over 200 changes between version 1.1.1 and 3.0. A migration guide that details the most significant changes has been made available.
“OpenSSL 3.0 is a major release and not fully backwards compatible with the previous release,” explained the OpenSSL Project’s Matt Caswell. “Most applications that worked with OpenSSL 1.1.1 will still work unchanged and will simply need to be recompiled (although you may see numerous compilation warnings about using deprecated APIs). Some applications may need to make changes to compile and work correctly, and many applications will need to be changed to avoid the deprecations warnings.”
Users have been advised to take action to prevent potential problems introduced by deprecated API functions.
https://www.openssl.org/news/changelog.html
Tomi Engdahl says:
Google Warns of Exploited Zero-Days in Chrome Browser
https://www.securityweek.com/google-warns-exploited-zero-days-chrome-browser
Google has joined the list of major software providers scrambling to respond to zero-day exploits in the wild.
On the same day Apple pushed out iOS and macOS patches to address gaping security holes, Google shipped an advisory of its own to warn of a pair of already-exploited flaws in its desktop Chrome browser.
“Google is aware that exploits for CVE-2021-30632 and CVE-2021-30633 exist in the wild,” the company said.
Google did not provide any additional details on the vulnerability or public exploits. The company said the two flaws were reported anonymously.
The raw details:
High-severity – CVE-2021-30632: Out of bounds write in V8. Reported by Anonymous on 2021-09-08
High-severity – CVE-2021-30633: Use after free in Indexed DB API. Reported by Anonymous on 2021-09-08
The new Google Chrome 93.0.4577.82, available for Windows, macOS and Linux users, fixes at least nine documented security defects, all carrying a “high-severity” rating.