This posting is here to collect cyber security news in September 2021.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
414 Comments
Tomi Engdahl says:
Apple Ships Urgent Patch for FORCEDENTRY Zero-Days
https://www.securityweek.com/apple-ships-urgent-patch-forcedentry-zero-days
Apple on Monday rolled out fixes for a pair of iOS and macOS security defects alongside a warning that these issues belong in the “actively exploited” zero-day category.
As is customary, Apple did not provide any additional details on the live attacks beyond crediting Citizen Lab for one of the discoveries, a major clue the patch covers the FORCEDENTRY zero-click malware attacks seen targeting political activists in Bahrain.
The FORCEDENTRY attacks, documented here by Citizen Lab, includes an iOS zero-click exploit for iMessage that bypasses Apple’s ‘BlastDoor’ sandbox to plant the Pegasus spyware on iPhones.
Here’s how Apple documents the two vulnerabilities on its flagship iOS mobile platforms:
CoreGraphics: (available for iPhone, iPad and iPod touch) — Processing a maliciously crafted PDF may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited. An integer overflow was addressed with improved input validation. CVE-2021-30860: The Citizen Lab
WebKit: (available for iPhone, iPad and iPod touch) — Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited. A use after free issue was addressed with improved memory management. CVE-2021-30858: an anonymous researcher.
Tomi Engdahl says:
SSID Stripping: New Method for Tricking Users Into Connecting to Rogue APs
https://www.securityweek.com/ssid-stripping-new-method-tricking-users-connecting-rogue-aps
A team of researchers has identified what appears to be a new method that malicious actors could use to trick users into connecting to their wireless access points (APs).
The method, dubbed SSID Stripping, was disclosed on Monday by AirEye, which specializes in wireless security. It was discovered in collaboration with researchers at the Technion – Israel Institute of Technology.
According to the researchers, SSID Stripping affects devices running Windows, macOS, Ubuntu, Android and iOS. They showed how an attacker could manipulate the name of a wireless network, specifically the SSID (Service Set Identifier), so that it’s displayed to the user with the name of a legitimate network.
They were able to generate three types of what they describe as “display errors.” One of them involves inserting a NULL byte into the SSID, causing Apple devices to display only the part of the name that is before this byte. On Windows devices, the attacker could use “new line” characters to achieve the same effect.
Another type of display error — these appear to be the most common — can be triggered using non-printable characters. An attacker can add special characters to the SSID that will be included in the name, but will not actually be displayed to the user.
“For example, the network name ‘aireye_x1cnetwork’ (with x1c representing a byte with the value 0x1C hex), is displayed exactly the same as ‘aireye_network’,” the researchers explained.
The SSID Stripping Vulnerability: When You Don’t See What You Get
https://aireye.tech/2021/09/13/the-ssid-stripping-vulnerability-when-you-dont-see-what-you-get/
AirEye’s research team in collaboration with the Computer Science faculty at the Technion – Israel Institute of Technology have found a vulnerability, dubbed SSID Stripping, which causes a network name – aka SSID – to appear differently in the device’s “List of Networks” than its actual network name.
The significance? Unsuspecting users may connect to an attacker-controlled network they did not intend to connect to.
The SSID Stripping vulnerability affects all major software platforms – Microsoft Windows, Apple iOS and macOS, Android and Ubuntu.
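As an added example (not code from AirEye, the Technion team or SecurityWeek), here is a defender-side check that models the three display errors described above and flags scanned SSIDs whose rendered name collides with a trusted network. The trusted-SSID list, the per-platform rendering rules and the scan results are all constructed assumptions, not the exact behaviour of any OS.

```python
# Added example: flag SSIDs that would be displayed like a trusted network
# although their raw bytes differ (SSID Stripping style display errors).

TRUSTED_SSIDS = {"aireye_network", "corp-wifi"}  # constructed allow-list


def rendered_name(raw: bytes, platform: str) -> str:
    """Approximate what the network list shows for a raw SSID.

    Simplified model of the report: Apple devices stop at a NUL byte,
    Windows stops at a new line, and non-printable bytes (e.g. 0x1C)
    are kept in the name but take no visible space.
    """
    if platform == "apple":
        raw = raw.split(b"\x00", 1)[0]
    elif platform == "windows":
        raw = raw.split(b"\n", 1)[0].split(b"\r", 1)[0]
    text = raw.decode("utf-8", errors="replace")
    # Drop characters that are not drawn in the list.
    return "".join(ch for ch in text if ch.isprintable())


def classify_ssid(raw: bytes, platform: str = "apple") -> dict:
    """Return a verdict for one scanned SSID.

    lookalike  - displayed exactly like a trusted name, raw bytes differ
    suspicious - contains control bytes, even if not colliding today
    trusted    - byte-for-byte a trusted name
    untrusted  - plain, unknown network
    """
    shown = rendered_name(raw, platform)
    has_control = any(b < 0x20 or b == 0x7F for b in raw)
    exact_trusted = raw.decode("utf-8", errors="replace") in TRUSTED_SSIDS
    if shown in TRUSTED_SSIDS and not exact_trusted:
        verdict = "lookalike"
    elif has_control:
        verdict = "suspicious"
    elif exact_trusted:
        verdict = "trusted"
    else:
        verdict = "untrusted"
    return {"raw": raw, "displayed": shown,
            "control_bytes": has_control, "verdict": verdict}


def scan_report(ssids, platform: str = "apple"):
    """Classify every SSID from one scan on the given platform."""
    return [classify_ssid(s, platform) for s in ssids]


# Constructed scan results (not real networks).
SAMPLE_SCAN = [
    b"aireye_network",          # genuine
    b"aireye_\x1cnetwork",      # non-printable byte, shown the same everywhere
    b"aireye_network\x00evil",  # NUL truncation on Apple devices
    b"aireye_network\nevil",    # new-line truncation on Windows
    b"coffee-shop-guest",       # unrelated
]

if __name__ == "__main__":
    for platform in ("apple", "windows"):
        print(platform)
        for r in scan_report(SAMPLE_SCAN, platform):
            print(f"  {r['raw']!r:28} shown as {r['displayed']!r:22} -> {r['verdict']}")
```

The same raw SSID gets a different verdict per platform, which is the point of testing the scan list against each rendering rule rather than only against the raw bytes.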
Tomi Engdahl says:
Tens of Thousands of Unpatched Fortinet VPNs Hacked via Old Security Flaw
https://www.securityweek.com/tens-thousands-unpatched-fortinet-vpns-hacked-old-security-flaw
A threat actor has leaked online access credentials for 87,000 Fortinet VPN devices that were apparently compromised using a vulnerability identified and patched two years ago.
Approximately 500,000 credentials for FortiGate SSL-VPN devices were leaked online last week, essentially providing anyone with access to devices at organizations in 74 countries around the world.
A total of 22,500 entities are believed to be affected, with nearly 3,000 of them located in the United States. Others are located in France, India, Italy, Israel, and Taiwan.
The credentials, according to Fortinet, were stolen from devices still vulnerable to CVE-2018-13379, a path traversal vulnerability in the FortiOS SSL VPN web portal, which is known to have been exploited in live attacks.
Tomi Engdahl says:
Tenable to Acquire Accurics in $160M Deal
https://www.securityweek.com/tenable-acquire-accurics-160m-deal
Attack surface management pioneer Tenable on Monday announced plans to spend $160 million in cash to snap up Accurics, an early-stage startup selling cloud-native security for DevOps and security teams.
Tomi Engdahl says:
Facebook Announces Encrypted WhatsApp Backups
https://www.securityweek.com/facebook-announces-encrypted-whatsapp-backups
Facebook has announced plans to further improve WhatsApp privacy and security by allowing users to encrypt their message history backups in the cloud.
While a user can easily turn on WhatsApp on any new device, given that accounts are phone number-based, conversation history isn’t available unless a backup was created on the previous device. Users can set time intervals for the creation of local backups and can also choose to store those in the cloud, for fast access.
While conversations in WhatsApp have been end-to-end encrypted for years (with only the sender and recipient being able to view them), backups have been stored in the cloud unencrypted, albeit secured by the cloud services providers.
By adding an end-to-end encryption option for backups stored in the cloud, Facebook essentially ensures that no one but the account owner can access these backups and their backup encryption key.
Tomi Engdahl says:
WordPress 5.8.1 Patches Several Vulnerabilities
https://www.securityweek.com/wordpress-581-patches-several-vulnerabilities
WordPress 5.8.1, a security and maintenance release announced last week, fixes 60 bugs and several vulnerabilities.
Users have been informed that the latest update includes three security fixes, including for a data exposure flaw related to the REST API, and a cross-site scripting (XSS) issue in the block editor. WordPress 5.8.1 also updates Lodash, a JavaScript library that provides utility functions for common programming tasks, to address security issues.
These vulnerabilities affect WordPress versions between 5.4 and 5.8. All versions starting with 5.4 have been updated and they include patches for the vulnerabilities.
WordPress developers also mentioned that XSS and privilege escalation vulnerabilities affecting the block editor have been identified and patched during the beta testing period for version 5.8.
Tomi Engdahl says:
WordPress Releases Security Update
https://us-cert.cisa.gov/ncas/current-activity/2021/09/10/wordpress-releases-security-update
WordPress 5.4-5.8 are affected by multiple vulnerabilities. An attacker could exploit these vulnerabilities to take control of an affected website.
CISA encourages users and administrators to review the WordPress Security and Maintenance Release and upgrade to WordPress 5.8.1.
Tomi Engdahl says:
Citrix Patches Hypervisor Vulnerabilities Allowing Host Compromise
https://www.securityweek.com/citrix-patches-hypervisor-vulnerabilities-allowing-host-compromise
Tomi Engdahl says:
Kids living in a US town where WiFi is banned hacked teachers’ computers and paid $20 for codes to get online
https://www.businessinsider.com/kids-living-green-bank-quiet-zone-outlawed-wifi-2021-9
In a rural American town where WiFi is a crime and a lot of technology is banned, a student was caught hacking a teacher’s computer to get online — a move punishable by a $50 fine.
Welcome to Green Bank, West Virginia.
Tomi Engdahl says:
Zack Whittaker / TechCrunch:
Citizen Lab says it found evidence of ForcedEntry on an activist’s iPhone and the exploit worked on iPads, Macs, and Watches as well, prior to recent updates — Citizen Lab says the ForcedEntry flaw affects all iPhones, iPads, Macs and Watches — Apple has released security updates …
Apple patches an NSO zero-day flaw affecting all devices
Citizen Lab says the ForcedEntry exploit affects all iPhones, iPads, Macs and Watches
https://techcrunch.com/2021/09/13/apple-zero-day-nso-pegasus/
Tomi Engdahl says:
Jeff Horwitz / Wall Street Journal:
Internal Facebook documents detail XCheck, a program that shields VIP users from normal content enforcement policies, which included over 5.8M users in 2020 — A program known as XCheck has given millions of celebrities, politicians and other high-profile users special treatment, a privilege many abuse
https://www.wsj.com/articles/facebook-files-xcheck-zuckerberg-elite-rules-11631541353?mod=djemalertNEWS
Tomi Engdahl says:
Karen Hao / MIT Technology Review:
Researcher discovers an AI-powered service that makes it incredibly easy for users to generate nonconsensual deepfake porn by uploading a picture of a face — Deepfake researchers have long feared the day this would arrive. — The website is eye-catching for its simplicity.
https://www.technologyreview.com/2021/09/13/1035449/ai-deepfake-app-face-swaps-women-into-porn/
Tomi Engdahl says:
Microsoft September 2021 Patch Tuesday: Remote code execution flaws in MSHTML, OMI fixed
https://www.zdnet.com/article/microsoft-september-2021-patch-tuesday-remote-code-execution-flaws-in-mshtml-open-management-fixed/
This month’s round of security fixes tackles critical software issues including a zero-day flaw known to be exploited in the wild. Microsoft has released over 60 security fixes and updates resolving issues including a remote code execution (RCE) flaw in MSHTML and other critical bugs. The Redmond giant’s latest round of patches, usually released on the second Tuesday of each month in what is known as Patch Tuesday, landed on September 14. Products impacted by September’s security update include Azure Open Management Infrastructure, Azure Sphere, Office Excel, PowerPoint, Word, and Access; the kernel, Visual Studio, Microsoft Windows DNS, and BitLocker, among other software.
More information:
https://www.bleepingcomputer.com/news/microsoft/microsoft-september-2021-patch-tuesday-fixes-2-zero-days-60-flaws/
Tomi Engdahl says:
New Zloader attacks disable Windows Defender to evade detection
https://www.bleepingcomputer.com/news/security/new-zloader-attacks-disable-windows-defender-to-evade-detection/
An ongoing Zloader campaign uses a new infection chain to disable Microsoft Defender Antivirus (formerly Windows Defender) on victims’ computers to evade detection. According to Microsoft’s stats, Microsoft Defender Antivirus is the anti-malware solution pre-installed on more than 1 billion systems running Windows 10. The attackers have also changed the malware delivery vector from spam or phishing emails to TeamViewer Google ads published through Google Adwords, redirecting the targets to fake download sites. From there, they are tricked into downloading signed and malicious MSI installers designed to install Zloader malware payloads on their computers.
Tomi Engdahl says:
How to Detect Cobalt Strike: An Inside Look at the Popular Commercial Post-Exploitation Tool
https://www.recordedfuture.com/detect-cobalt-strike-inside-look/
Throughout history there are many examples of inventions created with good intentions (and maybe still are used for the right purposes) but when in the wrong hands, are used for something more malicious than their original intent. The commercially available adversary emulation software called Cobalt Strike is a perfect example. It was created in 2012 with the intention of aiding pentesters and red teams. Its purpose was to help these teams become more advanced in their work to conduct intrusions where they were allowed to carry out an authorized cyber attack on their company or in a consultative role. It quickly gained popularity in the community because of its full suite of functionality from payloads and exploitation to command & control.
This allowed (and still allows) red teams to conduct an incredibly advanced and wide-ranging attack scenario that wasn’t possible, or as easy, prior to Cobalt Strike. To take a deeper look at the features and the various ways that detecting Cobalt Strike is possible even with the embedded advanced evasion features, the Recorded Future Insikt Group purchased Cobalt Strike and tried to detect it themselves. They found that using full-spectrum detection techniques, there are actually multiple ways and times to detect Cobalt Strike.
Tomi Engdahl says:
Scammers sent text messages about an arriving package: they managed to defraud people of 375,000 euros in under a year
https://yle.fi/uutiset/3-12098399
According to the police, the suspects prepared the crimes carefully and the method was exceptionally systematic and complex.
The case as a whole involves more than 40 suspects. The Helsinki police have completed the pre-trial investigation of six separate fraud rings, the police report. In these cases the banking and personal data of hundreds of private individuals were hijacked, and loans were applied for from finance companies in their names. The suspects obtained the victims’ online banking credentials through scam messages sent, for example, in the name of Posti. One wave of fraud already proceeded to consideration of charges this winter. In addition, three more cases connected to the same scheme are still under investigation. Police press release:
https://poliisi.fi/-/poliisi-tutkii-viime-vuonna-tapahtunutta-mittavaa-petosaaltojen-kokonaisuutta
Tomi Engdahl says:
Apple releases emergency update: Patch, but don’t panic
https://blog.malwarebytes.com/privacy-2/2021/09/apple-releases-emergency-update-patch-but-dont-panic/
Spyware developed by the company NSO Group is back in the news today after Apple released an emergency fix for iPhones, iPads, Macs, and Apple Watches. The update fixes a vulnerability silently exploited by software called Pegasus, which is often used in high-level surveillance campaigns by governments.
Tomi Engdahl says:
Warning: Update Chrome Now As Hackers Attack Two Major Vulnerabilities In Google Browser
https://www.forbes.com/sites/thomasbrewster/2021/09/14/google-chrome-update-now-to-stop-browser-hacks/
Google has revealed that two weaknesses in Chrome are under active attack, as users have been urged to update their browser to avoid becoming a victim. They were reported to Google via an anonymous party and were given a severity rating of “high.” Little more information was provided on where or how the vulnerabilities (known as zero-days, as developers have “zero days” to fix the flaw before it’s been abused by malicious hackers) have been exploited. The updated version will roll out for Windows, Mac and Linux users “over the coming days/weeks,” Google said in a blog post. When Forbes updated on Tuesday morning on an Apple Mac, it was to the latest, most secure version, 93.0.4577.82.
Users can check what version they’re running by clicking the “About Google Chrome” button in the help section in the browser. Monday was a big day for significant security updates. Google also revealed nine other vulnerabilities rated “high” severity that were patched in the latest Chrome release. Two of those were deemed serious enough to warrant a $7,500 payout to the security researchers who found them.
Tomi Engdahl says:
HP patches severe OMEN driver privilege escalation vulnerability
https://www.zdnet.com/article/hp-patches-omen-driver-privilege-escalation-vulnerability/
A high-impact vulnerability in OMEN Command Center driver software has been patched by HP. On Tuesday, researchers from SentinelLabs published a technical deep-dive on the bug, tracked as CVE-2021-3437 and issued with a CVSS score of 7.8. SentinelLabs says the high-severity flaw impacts “millions of devices worldwide,” including a wide variety of OMEN gaming laptops and desktops, as well as HP Pavilion and HP ENVY models.
Tomi Engdahl says:
OWASP Top 10 ranking has a new leader after ten years
https://therecord.media/owasp-top-10-ranking-has-a-new-leader-after-ten-years/
The OWASP Top 10, a list of the most dangerous web vulnerabilities, has been updated after four years, and, after more than a decade, there is a new vulnerability at the top of the ranking. New Top 3:
Broken Access Control, Cryptographic Failures, Injection.
Tomi Engdahl says:
iPhone and iPad devices face a threat: do this right away to keep your data safe
https://www.is.fi/digitoday/art-2000008263336.html
Apple has released a fix for two critical security holes. The vulnerabilities sound quite mundane: opening PDF attachments and visiting certain websites. Watch the video to see how to update your iPhone and secure your data. The same instructions also apply to the iPad. Updates are not available for older iPhone and iPad models.
Tomi Engdahl says:
More ProxyShell? Web Shells Lead to ZeroLogon and Application Impersonation Attacks
https://www.fortinet.com/blog/threat-research/more-proxyshell-web-shells-lead-to-zerologon-and-application-impersonation-attacks
FortiGuard Labs recently discovered an unidentified threat actor leveraging ProxyShell exploits using techniques that have yet to be reported. Multiple instances of FortiEDR had detected malicious DLLs in memory, and we uncovered these new techniques while consulting with one of the organizations that had been compromised by ProxyShell.
Through active threat hunting, we were then able to determine that other organizations had also been compromised. The DLLs, which were previously unknown based on their SHA256 file hashes, were used to perform active reconnaissance, obtain hashed passwords via Zerologon, and perform pass-the-hash authentication to establish persistence via Exchange Application Impersonation. This blog intends to provide an analysis of these DLLs. We documented the malicious activity associated with them by recreating the incidents in a lab environment.
The goal is to help the public and future customers determine if they have related activity in their environment and take appropriate action.
Tomi Engdahl says:
Email is attacked more in Finland than in the other Nordic countries
https://etn.fi/index.php/13-news/12559-suomessa-hyoekaetaeaen-enemmaen-saehkoepostiin-kuin-muissa-pohjoismaissa
Security company Trend Micro publishes its security report for the first half of 2021 today. The Attacks from All Angles report shows that the company’s tools stopped 40.9 billion email threats, malicious files and phishing-related links in the first half of the year.
The number of attacks grew globally by 47 percent compared to the first half of the previous year. In Finland, nearly 24.5 million email threats were stopped, more than in any other Nordic country.
Tomi Engdahl says:
General Promises US ‘Surge’ Against Foreign Cyberattacks
https://www.securityweek.com/general-promises-us-surge-against-foreign-cyberattacks
The general who leads U.S. efforts to thwart foreign-based cyberattacks, and punish those responsible, says he’s mounting a “surge” to fight incursions that have debilitated government agencies and companies responsible for critical infrastructure.
In an interview Tuesday with The Associated Press, Gen. Paul Nakasone broadly described “an intense focus” by government specialists to better find and share information about cyberattacks and “impose costs when necessary.” Those costs include publicly linking adversarial countries to high-profile attacks and exposing the means by which those attacks were carried out, he said.
Tomi Engdahl says:
The Implications of China’s New Personal Information Protection Law
https://www.securityweek.com/implications-chinas-new-personal-information-protection-law
The cornerstone of Chinese national and international policy is a fundamental principle: China First. So, while its new data privacy law, the Personal Information Protection Law (PIPL), will provide solid protection for its people’s personal information nationally, internationally the law can be used as a weapon.
PIPL is the third of China’s new cybersecurity laws. The first was the Cybersecurity Law, which has been in effect since June 2017. This is designed to regulate the network and platform providers, and how they handle personal data.
The second is the Data Security Law (DSL), which came into effect on September 1, 2021. This looks at the protection of data more from the government’s perspective. It includes, for example, stricter regulation of ‘national core data’. And it has an extraterritorial reach for data processing outside of China that might affect ‘the national security, public interests, or lawful rights and interests of citizens and organizations in China’.
Tomi Engdahl says:
https://www.reuters.com/investigates/special-report/usa-spying-raven/
Tomi Engdahl says:
Lucas Ropek / Gizmodo:
Anonymous claims to have hacked Epik, allegedly leaking “a decade’s worth of data”, including Epik’s client information; Epik says it’s not aware of any breach
Anonymous Claims to Have Stolen Huge Trove of Data From Epik, the Right-Wing’s Favorite Web Host
https://gizmodo.com/anonymous-claims-to-have-stolen-huge-trove-of-data-from-1847673935
The controversial domain registrar, which has been known to host Nazis and other unfortunate groups, apparently just had all of its data boosted.
Tomi Engdahl says:
Anonymous says it will release massive trove of secrets from far-right web host
https://www.dailydot.com/debug/anonymous-hack-far-right-web-host-epik/
The hactivist collective Anonymous says that it has gained access to a massive trove of data from Epik, the web host and domain registrar for a variety of right-wing sites. Epik’s client list has reportedly ranged from more mainstream conservative groups like the Texas Republican Party to Gab and other far-right sites on the fringes of the internet.
Tomi Engdahl says:
https://4chan.partyvan.epikfail.win:55899/#
Tomi Engdahl says:
Putin warning as cyberattacks and ‘aggression’ against West demand ‘punitive measures’
https://www.express.co.uk/news/science/1491580/vladimir-putin-warning-russia-cyberattacks-solarwinds-russian-hackers-1491580
VLADIMIR PUTIN has been warned Russia needs to take responsibility for the plague of cyberattacks targeting the West or face “punitive measures” and sanctions.
Cybercriminals with links to Russia have been responsible for some of the biggest attacks on US infrastructure in recent years. In May this year, a number of US agencies, including the Treasury and Commerce Departments, fell prey to hackers likely acting on behalf of a foreign government. According to US officials, hackers broke in and gained access to major networks and internal email systems.
And in December 2020, in what has been described as the biggest cyberattack in history, hackers used the SolarWinds software to target some 18,000 private and public organisations.
Following the attack, Microsoft President Brad Smith said: “From a software engineering perspective, it’s probably fair to say that this is the largest and most sophisticated attack the world has ever seen.”
In a Forbes report published last year, cybersecurity expert Jody Westby claimed Russia has been carrying out such attacks against the West for at least 20 years.
She called for an international response to the clear and present danger, which has been a cause of chaos around the world.
In 2011, Ms Westby co-authored a report for the United Nations, which warned cyberattacks can strike anytime and anywhere, and “cause immense damage in the blink of an eye”.
The expert’s calls for action have now been joined by the US-based Gatestone Institute think-tank.
The Budapest Convention on Cybercrime, which was signed by 66 nations including the US and UK, is the world’s first international treaty seeking to address the issue of cybercrime.
Tomi Engdahl says:
Microsoft’s passwordless plans lets users switch to app-based login
https://www.bbc.co.uk/news/technology-58575954
Microsoft has announced users can now delete all passwords from their accounts and instead login using an authenticator app or other solution.
The technology giant made passwordless accounts available for business users of its products in March.
And that system is now being made available to all Microsoft or Windows users.
It said “nearly 100% of our employees” were already using the new, more secure system for their corporate accounts.
If passwordless login is enabled, users re-logging in to a Microsoft account will be asked to give their fingerprint, or other secure unlock, on their mobile phone.
And this is far more secure than using passwords, which can be guessed or stolen, according to Microsoft.
“Only you can provide fingerprint authentication or provide the right response on your mobile at the right time,” it said.
Windows users will still be able to use quick-login features such as a Pin code, though.
Some rare exceptions will still need passwords, such as Office 2010, Xbox 360 consoles, and Windows 8.1 or earlier machines.
And Microsoft says security-conscious users who have two-factor authentication set up will need to have access to two different recovery methods.
Prof Alan Woodward, part of a research team investigating passwordless authentication, at the University of Surrey, called it “quite a bold step from Microsoft”.
“This isn’t just logging into PCs, it’s logging into online services as well” – including important ones such as cloud storage, he said.
Microsoft laid out its reasons for the new system in a series of blog posts.
Security vice-president Vasu Jakkal wrote: “Passwords are incredibly inconvenient to create, remember, and manage across all the accounts in our lives.
“We are expected to create complex and unique passwords, remember them, and change them frequently – but nobody likes doing that.”
The passwordless future is here for your Microsoft account
https://www.microsoft.com/security/blog/2021/09/15/the-passwordless-future-is-here-for-your-microsoft-account/
Tomi Engdahl says:
Former NJ inmate gets 43 months in drone smuggling scheme
https://6abc.com/11022086/
NEWARK, New Jersey — A former inmate at a federal prison in New Jersey was sentenced Tuesday to more than three years for his role in a scheme to use drones to smuggle contraband.
Jason Arteaga-Loayza admitted helping to arrange the drone flights that dropped packages of contraband into the prison where it was sold to inmates for a profit, according to the U.S. attorney’s office. The packages included cellphones, cellphone accessories, tobacco, weight loss supplements, eyeglasses and other items.
Arteaga-Loayza also helped take inmate requests for specific items of contraband and oversaw the collection of payments, prosecutors said. The drones were flown from concealed positions in the woods surrounding the prison, and their lights were covered with tape to make it more difficult for prison officials to spot them.
Tomi Engdahl says:
When Cyber War Becomes War
https://www.forbes.com/sites/emilsayegh/2021/09/15/when-cyber-war-becomes-war/?sh=508388666186
In the last several months alone, the impact of targeted cyberattacks resulted in critical gut punches to the nation. SolarWinds, the meat processing giant JBS, and the software platform known as Kaseya are examples of companies that faced attacks that compromised and crippled critical services such as fuel and food in parts of the United States. The Colonial Pipeline hack shut down the eastern seaboard for about a week, while the JBS meatpacking plant hack shut down a key ingredient of our food supply.
These attacks could have simply been disastrous had they lasted longer, or been more distributed across the U.S. The threat of cyberattacks has been a looming presence in computing for longer than most people are willing to admit. What many failed to realize, however, is that despite significant efforts to secure and protect their organizations, this cyber battlefield has accelerated on several technical fronts. What has happened in the last several months should not shock.
● Poor architectures
● Poor awareness of risks
● Legacy IT systems
● Security gaps
● Software supply chain vulnerabilities
● Cheaper, more available means of cyberattack
● State-sponsorship of cybercrime
The list goes on. And as the world sheltered during the COVID-19 crisis a year ago, criminal cyber-plotting hit an entirely new level. For years, cybercriminals have stepped up their efforts against hospitals, city governments, law enforcement, and beyond but ransomware is in the news every day now, and the stakes are higher than ever. Even the ransom amounts speak to how devastating these attacks can be. Just a decade ago, ransomware demands were a few hundred bucks and the sort of blight that affected individual users, not organizations or entire countries.
Modern War is Cyber War
The situation is tantamount to a prelude to a war, and it is difficult to envision a real life “shooting war” without a cyberattack that precedes it or accompanies it.
What we are facing are well-organized criminals with ties to foreign intelligence agencies, with massive leverage, time, and deep technical knowledge. The scenario of cyberattacks escalating to actual warfare is highly likely as cyber weapons are now viable tools of war that cripple a nation’s power supply, power grid, and food supplies without a single bullet being fired. Lives and livelihoods are the eventual casualty of future cyberattacks. Would a sustained attack on the IRS or a complete outage of the banking system or a shutdown of the stock exchanges be enough to prompt a conventional or even a nuclear war? Where is the line drawn and where does the leap happen?
Those are questions we should probably all agree on because of the ramifications of loss that go along with these decisions.
None of us want to be the weak link in our efforts to suppress the rampant and vicious cybercrime. These sorts of cyber threats have always been around, and they always will be. It is up to the organizations themselves to accept responsibilities of their actions, of targeted spending and of building out well-advised operations. It is more critical than ever to readily identify threats, to secure resources wherever they may exist, to protect data when it is delivered to partners and customers, to be prepared to safely recover when things go wrong and to assure operations remain intact under any challenge. Let’s do our part, as a cyberwar can become a shooting war, and a shooting war almost never ends well.
Tomi Engdahl says:
https://www.facebook.com/groups/electronicfrontierfinland/permalink/10159998633323982/
In the third domestic language… Is there any “secure” VPN left these days? Even ProtonVPN can no longer be trusted because they handed over an environmental activist’s(?) ProtonMail log, IP and other data to the authorities, etc. etc.. Forget F-Secure’s VPN too because it is no longer trustworthy.. The “real-time” cyberattack maps show how much even F-Secure gets attacked from both East and West, i.e. from China and the USA and also from many other NATO countries…
https://cybernews.com/news/expressvpn-cio-daniel-gericke-fined-335-000-for-cyber-espionage/?utm_source=facebook&utm_medium=social&utm_campaign=cybernews&utm_content=post
Tomi Engdahl says:
Patch now! PrintNightmare over, MSHTML fixed, a new horror appears OMIGOD https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/patch-now-printnightmare-over-mshtml-fixed-a-new-horror-appears-omigod/
The September 2021 Patch Tuesday could be remembered as the final patching attempt in the PrintNightmare nightmare. The ease with which the vulnerabilities shrugged off the August patches doesn’t look to get a rerun. So far we haven’t seen any indications that this patch is so easy to circumvent. The total count of fixes for this Patch Tuesday tallies up to 86, including 26 for Microsoft Edge alone. Only a few of these vulnerabilities are listed as zero-days and two of them are “old friends”. There is a third, less-likely-to-be-exploited one, and then we get to introduce a whole new set of vulnerabilities nicknamed OMIGOD, for reasons that will become obvious. Azure was the subject of five CVEs, one of them listed as critical. The four that affect the Open Management Infrastructure (OMI) were found by researchers, grouped together and received the nickname OMIGOD. Additional source:
https://therecord.media/microsoft-fixes-omigod-bugs-in-secret-azure-app/.
Additional source:
https://threatpost.com/microsoft-patch-tuesday-exploited-windows-zero-day/169459/.
Additional source:
https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-remaining-windows-printnightmare-vulnerabilities/.
Additional source:
https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-windows-cve-2021-40444-mshtml-zero-day-bug/
Tomi Engdahl says:
“Secret” Agent Exposes Azure Customers To Unauthorized Code Execution https://www.wiz.io/blog/secret-agent-exposes-azure-customers-to-unauthorized-code-execution
Wiz’s research team recently discovered a series of alarming vulnerabilities that highlight the supply chain risk of open source code, particularly for customers of cloud computing services. The source of the problem is a ubiquitous but little-known software agent called Open Management Infrastructure (OMI) that’s embedded in many popular Azure services. When customers set up a Linux virtual machine in their cloud, the OMI agent is automatically deployed without their knowledge when they enable certain Azure services. Unless a patch is applied, attackers can easily exploit these four vulnerabilities to escalate to root privileges and remotely execute malicious code (for instance, encrypting files for ransom). We named this quartet of zero-days “OMIGOD” because that was our reaction when we discovered them. We conservatively estimate that thousands of Azure customers and millions of endpoints are affected. In a small sample of Azure tenants we analyzed, over 65% were unknowingly at risk. Today Microsoft issued the following CVEs for OMIGOD and made a patch available to customers during their Patch Tuesday release: CVE-2021-38647 Unauthenticated RCE as root (Severity: 9.8); CVE-2021-38648 Privilege Escalation vulnerability (Severity: 7.8); CVE-2021-38645 Privilege Escalation vulnerability (Severity: 7.8); CVE-2021-38649 Privilege Escalation vulnerability (Severity: 7.0).
Tomi Engdahl says:
Attackers Impersonate DoT in Two-Day Phishing Scam https://threatpost.com/attackers-impersonate-dot-phishing-scam/169484/
Threat actors impersonated the U.S. Department of Transportation (USDOT) in a two-day phishing campaign that used a combination of tactics, including creating new domains that mimic federal sites so as to appear legitimate and evade security detections. Between Aug. 16-18, researchers at e-mail security provider INKY detected 41 phishing emails dangling the lure of bidding for projects benefitting from a $1 trillion infrastructure package recently passed by Congress, according to a report written by INKY’s Roger Kay, vice president of security strategy, that was published on Wednesday. The campaign, which targeted companies in industries such as engineering, energy and architecture that likely would work with the USDOT, sends potential victims an initial email in which they’re told that the USDOT is inviting them to submit a bid for a department project by clicking a big blue button with the words “Click Here to Bid.” The emails themselves are launched from a domain, transportationgov[.]net, that was registered by Amazon on Aug. 16, Kay said. The date of its creation revealed by WHOIS seems to signal that the site was set up specifically for the phishing campaign. To anyone familiar with government sites, the domain would appear suspicious given that government sites typically have a .gov suffix. However, “to someone reading through quickly, the domain name might seem at least somewhere in the ballpark of reality,” Kay observed.
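The two signals in the INKY report above (a sender domain that borrows government wording but sits outside .gov, and a domain registered only days before the messages) are easy to turn into a mail-triage check. The following is an added illustration written for this page, not code from Threatpost, INKY or any vendor; the keyword list, the 30-day age threshold, and the sample messages with their WHOIS creation dates are constructed assumptions, and a real pipeline would take the creation date from a WHOIS or RDAP lookup.

```python
"""Triage heuristics for email that claims to come from a government agency.

Added illustration (not INKY's or Threatpost's code) of two signals from the
USDOT campaign: a lookalike domain without the .gov suffix, and a sender domain
registered shortly before the message arrived. Keyword list, age threshold and
sample messages are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Terms that suggest the sender is posing as a government body (assumed list).
GOV_KEYWORDS = ("gov", "transportation", "federal", "treasury", "irs")
# A domain younger than this when the mail arrives is treated as suspicious (assumed).
NEW_DOMAIN_MAX_AGE_DAYS = 30


@dataclass
class Message:
    sender: str                     # From: header as received
    received: date                  # day the message arrived
    domain_created: Optional[date]  # WHOIS creation date of the sender domain, if known


def sender_domain(from_header: str) -> str:
    """Extract the bare domain from a From: value such as 'Name <user@host>'."""
    address = from_header.strip().rstrip(">")
    return address.rsplit("@", 1)[-1].lower()


def gov_lookalike(domain: str) -> bool:
    """True when the name part mentions government terms but the TLD is not .gov."""
    labels = domain.split(".")
    if labels[-1] == "gov":
        return False
    name = ".".join(labels[:-1])
    return any(keyword in name for keyword in GOV_KEYWORDS)


def newly_registered(created: Optional[date], received: date,
                     max_age_days: int = NEW_DOMAIN_MAX_AGE_DAYS) -> bool:
    """True when the domain was created within max_age_days before the message."""
    if created is None:
        return False  # unknown registration date: no claim either way
    age = (received - created).days
    return 0 <= age <= max_age_days


def triage(msg: Message) -> List[str]:
    """Return the reasons a message is flagged; an empty list means no signal fired."""
    reasons = []
    domain = sender_domain(msg.sender)
    if gov_lookalike(domain):
        reasons.append(f"non-.gov domain mimics a government site: {domain}")
    if newly_registered(msg.domain_created, msg.received):
        age = (msg.received - msg.domain_created).days
        reasons.append(f"sender domain registered {age} day(s) before the message")
    return reasons


# Constructed sample traffic: the lookalike domain named in the report, a
# genuine .gov sender, and an unrelated vendor. All dates are constructed.
SAMPLE_MESSAGES = [
    Message("USDOT Bids <bids@transportationgov.net>", date(2021, 8, 17), date(2021, 8, 16)),
    Message("procurement@dot.gov", date(2021, 8, 17), date(1999, 4, 1)),
    Message("billing@example.com", date(2021, 8, 17), None),
]


def run_demo() -> Dict[str, List[str]]:
    """Map each sample sender domain to the reasons it was flagged."""
    return {sender_domain(m.sender): triage(m) for m in SAMPLE_MESSAGES}


if __name__ == "__main__":
    for domain, reasons in run_demo().items():
        print(domain, "->", reasons or ["clean"])
```

Neither heuristic is proof on its own (legitimate contractors also register new domains, and not every agency lives under .gov), which is why `triage` returns the list of reasons rather than a verdict: a mail gateway can quarantine on two signals and merely tag on one.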
Tomi Engdahl says:
Amid vaccine mandates, fake vaccine certificates become a full blown industry https://blog.checkpoint.com/2021/09/14/amid-vaccine-mandates-fake-vaccine-certificates-become-a-full-blown-industry/
Black market for fake vaccine certificates booms. Check Point Research (CPR) continues to monitor the black market in which fake COVID-19 vaccine certificates are being sold to anyone willing to pay. The black market for fake vaccine certificates is expanding globally, now selling certificates in 28 countries, 9 of which are new, including: Austria, Brazil, Latvia, Lithuania, Malta, Portugal, Singapore, Thailand, UAE.
On August 10, CPR saw roughly 1,000 vendors on Telegram. Now, CPR sees north of 10,000 vendors claiming to offer fake vaccine certificates, marking a 10x increase. Prices globally range from US$85 to US$200. Following Biden’s vaccine mandate announcement, the price of a “Registered” CDC vaccine card in the US has risen from US$100 to US$200, and Telegram group members in the US have risen from 30K to over 300,000.
Tomi Engdahl says:
Microsoft accounts can go passwordless, making “password123″ a thing of the past https://arstechnica.com/gadgets/2021/09/starting-today-you-can-remove-your-password-from-your-microsoft-account/
Microsoft has been working to make passwordless sign-in for Windows and Microsoft accounts a reality for years now, and today those efforts come to fruition: The Verge reports that starting today, users can completely remove their passwords from their Microsoft accounts and opt to rely on Microsoft Authenticator or some other form of verification to sign in on new devices. Microsoft added passwordless login support for work and school accounts back in March, but this is the first time the feature has been offered for regular, old individual Microsoft accounts. Passwordless accounts improve security by taking passwords out of the equation entirely, making it impossible to get any kind of access to your full account information without access to whatever you use to verify your identity for two-factor authentication. Even if you protect your Microsoft account with two-factor authentication, an attacker who knows your Microsoft account password could still try that password on other sites to see if you’ve reused it anywhere. And some forms of two-factor authentication, particularly SMS-based 2FA, have security problems of their own. Additional source:
https://www.zdnet.com/article/microsoft-just-took-another-big-step-towards-getting-rid-of-passwords-forever/
Tomi Engdahl says:
US fines former NSA employees who provided hacker-for-hire services to UAE https://therecord.media/us-fines-former-nsa-employees-who-provided-hacker-for-hire-services-to-uae/
The US Department of Justice has fined three former NSA employees who worked as hackers-for-hire for a United Arab Emirates cybersecurity company. Marc Baier, 49, Ryan Adams, 34, and Daniel Gericke, 40, broke US export control laws that require companies and individuals to obtain a special license from the State Department’s Directorate of Defense Trade Controls (DDTC) before providing defense-related services to a foreign government. According to court documents [PDF], the three suspects helped the UAE company develop and successfully deploy at least two hacking tools. The three entered into a first-of-its-kind deferred prosecution agreement with the DOJ today, agreeing to pay $750,000, $600,000, and $335,000, respectively, over a three-year term, in order to avoid jail time for their actions.
Tomi Engdahl says:
ELFant in the Room: capa v3
https://www.fireeye.com/blog/threat-research/2021/09/elfant-in-the-room-capa-v3.html
Since our initial public release of capa, incident responders and reverse engineers have used the tool to automatically identify capabilities in Windows executables. With our newest code and ruleset updates, capa v3 also identifies capabilities in Executable and Linkable Format (ELF) files, such as those used on Linux and other Unix-like operating systems. This blog post describes the extended analysis and other improvements. You can download capa v3 standalone binaries from the project’s release page and check out the source code on GitHub.
Tomi Engdahl says:
Kali Linux 2021.3 released with new pentest tools, improvements https://www.bleepingcomputer.com/news/security/kali-linux-20213-released-with-new-pentest-tools-improvements/
Kali Linux 2021.3 was released yesterday by Offensive Security and includes a new set of tools, improved virtualization support, and a new OpenSSL configuration that increases the attack surface. Kali Linux is a Linux distribution designed for cybersecurity professionals and ethical hackers to perform penetration testing and security audits.
Tomi Engdahl says:
Analyzing The ForcedEntry Zero-Click iPhone Exploit Used By Pegasus https://www.trendmicro.com/en_us/research/21/i/analyzing-pegasus-spywares-zero-click-iphone-exploit-forcedentry.html
Citizen Lab has released a report detailing sophisticated iPhone exploits being used against nine Bahraini activists. The activists were reportedly hacked with the NSO Group’s Pegasus spyware using two zero-click iMessage exploits: Kismet, which was identified in 2020; and ForcedEntry, a new vulnerability that was identified in 2021.
Zero-click attacks are labeled as sophisticated threats because unlike typical malware, they do not require user interaction to infect a device. The latter zero-click spyware is particularly notable because it can bypass security protections such as BlastDoor, which was designed by Apple to protect users against zero-click intrusions such as these. According to Citizen Lab’s report, Kismet was used from July to September 2020 and was launched against devices running at least iOS 13.5.1 and 13.7. It was likely not effective against the iOS 14 update in September. Then, in February 2021, the NSO Group started deploying the zero-click exploit that managed to circumvent BlastDoor, which Citizen Lab calls ForcedEntry. Amnesty Tech, a global collective of digital rights advocates and security researchers, also observed zero-click iMessage exploit activity during this period and referred to it as Megalodon.
Tomi Engdahl says:
Spies working for the United Arab Emirates discussed the attack with operatives at controversial firm DarkMatter. -Intercept
Team of American Hackers and Emirati Spies Discussed Attacking The Intercept
https://theintercept.com/2019/06/12/darkmatter-uae-hack-intercept/
Operatives at a controversial cybersecurity firm working for the United Arab Emirates government discussed targeting The Intercept and breaching the computers of its employees, according to two sources, including a member of the hacking team who said they were present at a meeting to plan for such an attack.
The firm, DarkMatter, brought ex-National Security Agency hackers and other U.S. intelligence and military veterans together with Emirati analysts to compromise the computers of political dissidents at home and abroad, including American citizens, Reuters revealed in January. The news agency also reported that the FBI is investigating DarkMatter’s use of American hacking expertise and the possibility that it was wielded against Americans.
The campaign against dissidents and critics of the Emirati government, code-named Project Raven, began in Baltimore. A 2016 Intercept article by reporter Jenna McLaughlin revealed how the Maryland-based computer security firm CyberPoint assembled a team of Americans for a contract to hone UAE’s budding hacking and surveillance capabilities, leaving some recruits unsettled. Much of the CyberPoint team was later poached by DarkMatter, a firm with close ties to the Emirati government and headquartered just two floors from the Emirati equivalent of the NSA.
One of McLaughlin’s sources described the episode as something of a “hostile takeover” by the UAE government.
The 2016 reporting revealing the connection between DarkMatter and the Emirati government made The Intercept a target. “When [McLaughlin’s first] article hit, it mentioned DarkMatter, so we had to tiger team a response to that,” said the source, using jargon for a specialized response group. “Any time NESA or DarkMatter had any media, we would get pulled in to develop target lists.”
Project Raven monitored the internet for mentions of DarkMatter, said Jonathan Cole, an ex-Raven employee who worked in targeting, to make sure that the public-facing cybersecurity company’s name wasn’t attached to the work being done by its hackers on behalf of the NESA. “When an article like this would come out, [the client] would be very upset,” the source added, referring to the NESA.
A second person familiar with the matter confirmed discussions about targeting The Intercept, saying the talks included Marc Baier, a top American DarkMatter executive formerly with the NSA. This person did not say if the discussions led to a decision.
Following several news reports tying DarkMatter to Emirati government surveillance, DarkMatter chief financial officer Samer Khalife moved some Americans from DarkMatter to a new company, Connection Systems, according to the second source.
It is not clear if an attack against The Intercept was ever carried out. The Intercept was unable to find evidence of an attack by DarkMatter on its computers. But the targeting would have happened in 2016, so it’s possible that malicious messages were rejected by a spam filter or discarded in the intervening years.
A third source familiar with Project Raven, who spoke on the condition of anonymity because they were not permitted to discuss their work, said they were not aware of any attempt to target The Intercept or its employees, and that it was unlikely a coordinated attack of that sort could have been attempted by DarkMatter’s resident NESA hackers without attracting the attention of their American counterparts. Still, this source noted that the covert targeting of an American publication by Emirati nationals was technically possible.
Other ex-Project Raven members contacted by The Intercept declined to comment, some citing the FBI investigation. The FBI declined to comment.
Tomi Engdahl says:
https://etn.fi/index.php/13-news/12570-koronatodistuksen-saa-darkwebistae-150-eurolla
Tomi Engdahl says:
https://www.securityweek.com/sap-patches-critical-vulnerabilities-september-2021-security-updates
Tomi Engdahl says:
Severe Vulnerabilities Could Expose Thousands of Azure Users to Attacks
https://www.securityweek.com/severe-vulnerabilities-could-expose-thousands-azure-users-attacks
Four of the fixes that Microsoft released as part of its September 2021 Patch Tuesday updates deal with vulnerabilities in the Open Management Infrastructure (OMI) software agent embedded in Azure services.
Assessed with severity ratings of critical and high, the vulnerabilities, collectively dubbed OMIGOD, could be exploited to execute code remotely or gain elevated privileges on vulnerable Linux virtual machines running on Azure.
“We conservatively estimate that thousands of Azure customers and millions of endpoints are affected,” said cloud security company Wiz, whose researchers identified the flaws. “In a small sample of Azure tenants we analyzed, over 65% were unknowingly at risk.”
An open source project written in C, OMI helps users manage configurations across environments and is used widely in various Azure services, including Azure Automation, Azure Insights, and more. OMI is similar to Windows Management Instrumentation (WMI) and is deployed automatically when an Azure customer creates a Linux virtual machine.
The most severe of the newly addressed security issues is CVE-2021-38647 (CVSS score of 9.8), which could allow a remote, unauthenticated attacker to execute code on a vulnerable machine. Because of this bug, any request without an authentication header has its privileges automatically set to root.
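The root cause stated above, a request with no authentication header being treated as root, is a fail-open authentication decision. The block below is an added illustration written for this page, not OMI's source code or Microsoft's fix: a toy request authorizer that models that failure mode next to the fail-closed version a management agent should use, plus a small audit pass over constructed access-log lines that lists requests a service answered successfully without any credentials. The Basic-auth parsing, the log line format, the public-path allowlist and the sample addresses and paths are all assumptions made for the example.

```python
"""Fail-open versus fail-closed request authentication, after the OMIGOD write-up.

Added illustration, not OMI's code: a toy authorizer reproducing the described
failure mode (missing Authorization header -> root) beside a fail-closed one,
and an audit over constructed access-log lines. Log format, paths, hosts and
the public-path allowlist are assumptions.
"""
import base64
import binascii
from typing import Callable, Dict, List, Optional, Tuple


def basic_header(user: str, password: str) -> str:
    """Build an HTTP Basic Authorization value (helper for the samples below)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def _user_from_basic(value: str) -> Optional[str]:
    """Return the user name carried by a Basic credential, or None if malformed.
    Checking the secret against a password store is out of scope for this toy."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode()
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, _password = decoded.partition(":")
    return user if sep and user else None


def vulnerable_principal(headers: Dict[str, str]) -> Optional[str]:
    """Models the reported bug: absence of credentials is mapped to root."""
    value = headers.get("Authorization")
    if value is None:
        return "root"  # fail open: no header at all yields the highest privilege
    return _user_from_basic(value)


def hardened_principal(headers: Dict[str, str]) -> Optional[str]:
    """Fail closed: no credentials means no identity, so the caller must reject."""
    value = headers.get("Authorization")
    if value is None:
        return None
    return _user_from_basic(value)


def handle(headers: Dict[str, str],
           resolver: Callable[[Dict[str, str]], Optional[str]]) -> int:
    """Return the HTTP status a request would receive under the given resolver."""
    return 200 if resolver(headers) else 401


# Endpoints that are legitimately reachable without credentials (assumed).
PUBLIC_PATHS = {"/health"}

# Constructed access-log lines: timestamp, source IP, method, path,
# whether an Authorization header was present, and the response status.
SAMPLE_LOG = [
    "2021-09-15T10:01:02Z 10.0.0.5 POST /mgmt auth=yes 200",
    "2021-09-15T10:01:09Z 203.0.113.7 POST /mgmt auth=no 200",
    "2021-09-15T10:02:30Z 10.0.0.9 GET /health auth=no 200",
    "2021-09-15T10:03:11Z 203.0.113.7 POST /mgmt auth=no 200",
]


def unauthenticated_requests(lines: List[str]) -> List[Tuple[str, str]]:
    """List (source, path) for non-public requests that succeeded with no credentials.
    A management endpoint answering 200 to such requests is the signal to chase."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) != 6:
            continue  # skip malformed lines rather than guessing at them
        _ts, src, _method, path, auth, status = fields
        if path not in PUBLIC_PATHS and auth == "auth=no" and status == "200":
            hits.append((src, path))
    return hits


if __name__ == "__main__":
    print("no header, vulnerable:", handle({}, vulnerable_principal))  # 200 as root
    print("no header, hardened:  ", handle({}, hardened_principal))    # 401
    print("unauthenticated successes:", unauthenticated_requests(SAMPLE_LOG))
```

The contrast worth keeping is that `hardened_principal` never returns an identity it did not derive from presented credentials; the only path to a principal is through a parsed header, and every other branch returns `None` so that `handle` answers 401. On the detection side, an access log that shows a management endpoint returning 200 to requests carrying no credentials is the cheapest indicator that an agent of this kind is still unpatched or misconfigured.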
Tomi Engdahl says:
https://www.securityweek.com/cloud-backup-company-rewind-raises-65-million
Tomi Engdahl says:
Regular Users Can Now Remove Password From Their Microsoft Account
https://www.securityweek.com/regular-users-can-now-remove-password-their-microsoft-account
Microsoft on Wednesday informed owners of consumer accounts that they can now go completely passwordless and rely on other, more secure authentication methods.
Users with existing Microsoft accounts can delete their password from the account, and new accounts can be created without a password. Users will be able to rely on Microsoft’s Authenticator app, Windows Hello, physical security keys, or phone/email verification codes to sign in to services such as Outlook, OneDrive and Family Safety.
Users who want to go passwordless need to access the Advanced Security Options menu in their account and select Passwordless Account to remove their password. However, they need to ensure that another authentication method is linked to the account before removing the password.
Tomi Engdahl says:
Apple Security Flaw: How do ‘Zero-Click’ Attacks Work?
https://www.securityweek.com/apple-security-flaw-how-do-zero-click-attacks-work