This posting is here to collect cyber security news in September 2021.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
414 Comments
Tomi Engdahl says:
Patch Tuesday: Microsoft Plugs Exploited MSHTML Zero-Day Hole
https://www.securityweek.com/patch-tuesday-microsoft-plugs-exploited-mshtml-zero-day-hole
Microsoft on Tuesday shipped a major security update to blunt zero-day attacks targeting a gaping hole in its proprietary MSHTML browsing engine.
The patch comes exactly one week after the Redmond, Wash. software giant acknowledged the CVE-2021-40444 security defect and confirmed the existence of in-the-wild exploitation via booby-trapped Microsoft Office documents.
Microsoft did not provide additional details of the live attacks or any indicators of compromise to help defenders hunt for signs of malicious activity. However, there are enough clues in the attribution section of Microsoft’s bulletin to suggest this is the work of nation-state APT actors.
Tomi Engdahl says:
Cobalt Strike Beacon Reimplementation ‘Vermilion Strike’ Targets Windows, Linux
https://www.securityweek.com/cobalt-strike-beacon-reimplementation-vermilion-strike-targets-windows-linux
Security researchers with Intezer have identified a reimplementation of the infamous Cobalt Strike Beacon payload, which features completely new code.
Dubbed Vermilion Strike, the malware can be used to target Linux and Windows devices and provides attackers with remote access capabilities such as file manipulation and shell command execution.
Since August 2021, adversaries have been using the new beacon to target government agencies, financial institutions, IT companies, telecommunication providers, and advisory companies worldwide. Limited targeting, however, suggests the malware is being used in specific attacks only.
“The sophistication of this threat, its intent to conduct espionage, and the fact that the code hasn’t been seen before in other attacks, together with the fact that it targets specific entities in the wild, leads us to believe that this threat was developed by a skilled threat actor,” Intezer says.
Tomi Engdahl says:
Zoom Introduces End-to-End Encrypted Phone Calls
https://www.securityweek.com/zoom-introduces-end-end-encrypted-phone-calls
Tomi Engdahl says:
ICS Patch Tuesday: Siemens, Schneider Electric Address Over 40 Vulnerabilities
https://www.securityweek.com/ics-patch-tuesday-siemens-schneider-electric-address-over-40-vulnerabilities
Siemens and Schneider Electric on Tuesday published a total of 25 advisories to address more than 40 vulnerabilities affecting their industrial control system (ICS) products.
Siemens has released 21 new advisories and updated 25 previously published advisories. The new advisories cover 36 vulnerabilities, including five that have been assigned a critical severity rating.
One of the critical flaws, with a CVSS score of 10, impacts the Desigo CC building management platform and the Cerberus danger management station (DMS).
Another critical vulnerability with a CVSS score of 10 is a command injection issue affecting the Siveillance Open Interface Services (OIS) application used by Siemens building management systems. It can be exploited by a remote, unauthenticated attacker for code execution with root privileges.
A critical severity rating has also been assigned to a buffer overflow in the web server of APOGEE and TALON automation devices. A remote attacker can exploit the security hole for arbitrary code execution with root privileges.
An update for Siemens’ Industrial Edge app and device management product fixes a critical issue that can allow an unauthenticated attacker to change the password of any user on the system, enabling them to impersonate that user.
The last critical flaw impacts SIPROTEC 5 relays and it can allow a remote attacker to cause a denial of service (DoS) condition or execute arbitrary code.
High-severity flaws have been addressed in Ruggedcom ROX devices (take control of device), Simcenter STAR-CCM+ Viewer (code execution or data extraction), Siemens NX (access violation and potentially code execution), SINEC NMS (download files from the filesystem and manipulate configuration), SCALANCE switches (DoS), Teamcenter (account takeover and unauthorized data access), SIMATIC NET CP modules (DoS), LOGO! CMR and SIMATIC RTU 3000 (DoS), SIPROTEC 5 (DoS), RFID terminals (code execution), and SINEMA Remote Connect Server (DoS).
Medium-severity vulnerabilities that can lead to information disclosure, connection hijacking, and path traversal have been addressed in SIMATIC, LOGO! CMR and SIMATIC RTU 3000, Teamcenter Active Workspace, SINEMA Server, and Simcenter Femap products.
Siemens has released patches and/or mitigations for the vulnerabilities disclosed on Tuesday.
Tomi Engdahl says:
Reminder: If you don’t control it, it’s never secure.
ExpressVPN CIO Helped United Arab of Emirates Hack Into Phones, Computers
https://uk.pcmag.com/vpn/135678/expressvpn-cio-helped-united-arab-of-emirates-hack-into-phones-computers
However, ExpressVPN is sticking with Daniel Gericke. ‘His history and expertise…made him an invaluable hire for our mission to protect users’ privacy and security,’ it says.
Tomi Engdahl says:
APT Actors Exploiting Newly Identified Vulnerability in ManageEngine ADSelfService Plus https://us-cert.cisa.gov/ncas/alerts/aa21-259a
The FBI, CISA, and CGCYBER assess that advanced persistent threat (APT) cyber actors are likely among those exploiting the vulnerability. The exploitation of ManageEngine ADSelfService Plus poses a serious risk to critical infrastructure companies, U.S.-cleared defense contractors, academic institutions, and other entities that use the software. Successful exploitation of the vulnerability allows an attacker to place webshells, which enable the adversary to conduct post-exploitation activities, such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files.
CVE-2021-40539, rated critical by the Common Vulnerability Scoring System (CVSS), is an authentication bypass vulnerability affecting representational state transfer (REST) application programming interface (API) URLs that could enable remote code execution.
Tomi Engdahl says:
Bitdefender Offers Free Universal Decryptor for REvil/Sodinokibi Ransomware https://www.bitdefender.com/blog/labs/bitdefender-offers-free-universal-decryptor-for-revil-sodinokibi-ransomware/
Bitdefender announced the availability of a universal decryptor for REvil/Sodinokibi. Created in collaboration with a trusted law enforcement partner, this tool helps victims encrypted by REvil ransomware to restore their files and recover from attacks made before July 13, 2021.
Tomi Engdahl says:
Customer Care Giant TTEC Hit By Ransomware https://krebsonsecurity.com/2021/09/customer-care-giant-ttec-hit-by-ransomware/
TTEC, a company used by some of the world’s largest brands to help manage customer support and sales online and over the phone, is dealing with disruptions from a network security incident resulting from a ransomware attack. TTEC’s own message to employees suggests the company’s network may have been hit by the ransomware group “Ragnar Locker”.
Tomi Engdahl says:
Anonymous hacks and leaks data from domain registrar Epik https://therecord.media/anonymous-hacks-and-leaks-data-from-domain-registrar-epik/
Hacktivist group Anonymous has successfully breached and leaked the database of Epik, a controversial web hosting provider and domain registrar that has given shelter to many right-wing websites over the past few years, such as Gab, Parler, and The Donald. The hack, which based on timestamps in the leaked data took place on February 28, was announced on Monday via a dedicated website and posts on internet forum 4chan.
Tomi Engdahl says:
Travis CI Flaw Exposes Secrets of Thousands of Open Source Projects https://thehackernews.com/2021/09/travis-ci-flaw-exposes-secrets-of.html
Continuous integration vendor Travis CI has patched a serious security flaw that exposed API keys, access tokens, and credentials, potentially putting organizations that use public source code repositories at risk of further attacks. The issue tracked as CVE-2021-41077 concerns unauthorized access and plunder of secret environment data associated with a public open-source project during the software build process. The problem is said to have lasted during an eight-day window between September 3 and September 10. Felix Lange of Ethereum has been credited with discovering the leakage on September 7, with the company’s Péter Szilágyi pointing out that “anyone could exfiltrate these and gain lateral movement into 1000s of organizations.”
Tomi Engdahl says:
New Windows security updates break network printing https://www.bleepingcomputer.com/news/security/new-windows-security-updates-break-network-printing/
Windows administrators report wide-scale network printing problems after installing this week’s September 2021 Patch Tuesday security updates. On Tuesday, Microsoft released sixty security updates and fixes for numerous bugs as part of their monthly Patch Tuesday updates, including a fix for the last remaining PrintNightmare vulnerability tracked as CVE-2021-36958. However, many Windows system administrators are now reporting that their computers can no longer print to network printers after installing the PrintNightmare fixes on their print servers.
Tomi Engdahl says:
MIT developed a universal decryption chip
https://etn.fi/index.php/13-news/12573-mit-kehitti-universaalin-salauksen-purkupiirin
Researchers from MIT, Boston University and Maynooth University in Ireland have now created the first silicon chip that can decode any code, regardless of its structure, as accurately as possible, using a universal decoding algorithm called Guessing Random Additive Noise Decoding (GRAND). By removing the need for several computationally complex decoders, GRAND increases efficiency, which could have applications in AR and virtual reality, gaming, 5G networks and essentially any networked device that needs to handle large amounts of data with low latency.
One way to think of these codes is to see them as redundant characters appended to the end of the original data (in this case a sequence of 1s and 0s). The rules of this encoding are stored in a particular codebook.
When the encoded data travels over the network, it is subjected to noise, energy that disrupts the signal and is often generated by other electronic devices. When the encoded data and the noise affecting it arrive at their destination, the decoding algorithm consults its codebook to guess what the stored information is.
GRAND instead guesses the noise that affected the message and deduces the original data from the noise pattern. GRAND generates a series of noise sequences in the order of their likelihood, subtracts them from the received data, and checks whether the resulting codeword is in the codebook. Although the noise appears random in nature, it has a probabilistic structure that lets the algorithm guess what it might be.
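The procedure described in that comment, written out as an added example (not code from the MIT/BU/Maynooth paper or the ETN article): noise patterns are generated in decreasing likelihood order for a binary symmetric channel, each is "subtracted" (XORed) from the received word, and decoding stops at the first result that is a codebook member. The toy codebook (a Hamming(7,4) code) and the received words are constructed for the demo; a real GRAND implementation would use the same loop against a much larger codebook.

```python
"""GRAND (Guessing Random Additive Noise Decoding) over a binary symmetric channel.

Added example; not code from the MIT/BU/Maynooth paper or the ETN article.
It implements the procedure the article describes: generate noise patterns in
order of likelihood, "subtract" each from the received word, and stop at the
first result that is in the codebook. The codebook used here, a Hamming(7,4)
code, and the received words in main() are constructed for the demo.
"""
from itertools import combinations
from typing import Iterator, List, Optional, Set, Tuple

CODE_LENGTH = 7

# Rows of a systematic Hamming(7,4) generator matrix, packed as 7-bit ints:
# the four data bits occupy the high bits, three parity bits the low bits.
# GRAND never inspects this structure; it only tests codebook membership.
GENERATOR: List[int] = [0b1000110, 0b0100101, 0b0010011, 0b0001111]


def build_codebook(generator: List[int]) -> Set[int]:
    """Enumerate all 2^k codewords by XOR-combining generator rows."""
    codebook = {0}
    for row in generator:
        codebook |= {cw ^ row for cw in codebook}
    return codebook


CODEBOOK: Set[int] = build_codebook(GENERATOR)


def noise_patterns(n: int) -> Iterator[int]:
    """Yield every n-bit noise pattern in decreasing likelihood order.

    On a binary symmetric channel with crossover probability p < 0.5 a pattern
    with fewer flipped bits is always more likely, so weight 0 comes first,
    then all weight-1 patterns, and so on.
    """
    for weight in range(n + 1):
        for flipped in combinations(range(n), weight):
            pattern = 0
            for bit in flipped:
                pattern |= 1 << bit
            yield pattern


def grand_decode(received: int, codebook: Set[int], n: int = CODE_LENGTH,
                 max_queries: Optional[int] = None) -> Tuple[Optional[int], int]:
    """Return (decoded codeword, number of codebook queries).

    The codeword is None if the decoder abandons after max_queries guesses,
    which is the practical way to bound worst-case latency.
    """
    queries = 0
    for pattern in noise_patterns(n):
        if max_queries is not None and queries >= max_queries:
            return None, queries
        queries += 1
        candidate = received ^ pattern  # subtracting noise over GF(2) is XOR
        if candidate in codebook:
            return candidate, queries
    return None, queries


def data_bits(codeword: int) -> int:
    """Recover the four data bits from a systematic codeword."""
    return codeword >> (CODE_LENGTH - len(GENERATOR))


if __name__ == "__main__":
    sent = GENERATOR[0]
    for received in (sent, sent ^ 0b0001000):  # clean word, then one bit flipped
        word, queries = grand_decode(received, CODEBOOK)
        print(f"received {received:07b} -> codeword {word:07b}, "
              f"data {data_bits(word):04b}, after {queries} queries")
```

Because the Hamming(7,4) code has minimum distance 3, a word with a single flipped bit is never itself a codeword and no other weight-1 guess lands on a codeword, so the decoder always finds the right one after at most eight queries; the `max_queries` cut-off is what a hardware decoder uses to give up on heavily corrupted words instead of searching the whole pattern space.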
Tomi Engdahl says:
Links Found Between MSHTML Zero-Day Attacks and Ransomware Operations
https://www.securityweek.com/links-found-between-mshtml-zero-day-attacks-and-ransomware-operations
Microsoft and threat intelligence company RiskIQ reported finding links between the exploitation of a recently patched Windows zero-day vulnerability and known ransomware operators.
The existence of the zero-day, tracked as CVE-2021-40444, came to light on September 7, when Microsoft announced mitigations and warned that the flaw had been exploited in targeted attacks using specially crafted Office documents.
The issue, related to the MSHTML browsing engine built into Office, can and has been exploited for remote code execution. Microsoft released patches on September 14 as part of its Patch Tuesday updates.
Microsoft and RiskIQ — Microsoft announced acquiring RiskIQ in July — on Wednesday published separate blog posts analyzing the attacks exploiting CVE-2021-40444.
The first exploitation attempts were spotted in mid-August, but Microsoft reported seeing a significant increase in exploitation attempts after proof-of-concept (PoC) code and other information was made publicly available shortly after its initial disclosure.
Tomi Engdahl says:
Mass Personal Data Theft From Paris Covid Tests: Hospitals
https://www.securityweek.com/mass-personal-data-theft-paris-covid-tests-hospitals
Hackers stole the personal data of around 1.4 million people who took Covid-19 tests in the Paris region in the middle of 2020, hospital officials in the French capital disclosed on Wednesday.
Hospital officials said they filed a complaint with the Paris prosecutor’s office on Wednesday after confirming on September 12 that such a cyber attack took place over the summer.
Stolen were the identities, social security numbers and contact details of people tested as well as the identities and contact details of health professionals who dealt with them, along with the test results, the hospital organisation said.
Tomi Engdahl says:
Researchers Create Toolkit for Hardware Security Tests on Apple’s Mobile Processors
https://www.securityweek.com/researchers-create-toolkit-hardware-security-tests-apples-mobile-processors
A group of researchers from North Carolina State University has built a software toolkit to explore vulnerabilities in Apple’s mobile processors and used the findings to devise a cache timing attack.
Using the permanent exploit known as checkm8 as a starting point, the researchers implemented a BootROM toolkit to test Apple’s A10 Fusion system-on-a-chip (SoC) and then came up with a new access-driven cache timing attack based on the Prime+Probe method.
“We find that the SoC employs a randomized cache-line replacement policy as well as a hardware-based L1 prefetcher. We propose statistical innovations which specifically account for these hardware structures and thus further the state-of-the-art in cache timing attacks,” the academics note in their research paper.
The checkm8 exploit can be used against most iPhone models (ranging from iPhone 5 to the iPhone X), but the researchers focused on iPhone 7, which was the most common Apple mobile device on the market in 2019, when the research started.
Tomi Engdahl says:
It seems here in Vegas, even with Kevin Mitnick and Captain Crunch John Draper living here, and DEFCON, casinos still won’t listen to the experts…
At some point, it becomes ridiculous…..
Popular slot machine chain Dotty’s reveals data breach exposing SSNs, financial account numbers, biometric data, medical records and more
https://www.zdnet.com/article/popular-slot-machine-chain-dottys-reveals-data-breach-exposing-ssns-financial-account-numbers-biometric-data-medical-records-and-more/
The breach involved customer driver’s license numbers, passport numbers, financial account and routing numbers, taxpayer identification numbers and credit card numbers, as well as expiration dates.
https://sway.office.com/xD9FO63chcJBt2k1?ref=Link
Tomi Engdahl says:
Israel’s Pegasus: Is your phone a ‘24-hour surveillance device’?
https://lm.facebook.com/l.php?u=https%3A%2F%2Fwww.aljazeera.com%2Fopinions%2F2021%2F9%2F17%2Fisraels-pegasus-is-your-phone-a-24-hour-surveillance-device&h=AT1UewLOpcecjN_gf_MChFLvY8re89i3vQUSiNGoLpgov_Whj9d-WWl2siR0XOC3R6xpDH2ug2HfboMCVGlrYvVhI5zHMZD7U-lbdh4YQTThOyDow51qagfLASaYUnGp2F7v-KSZKavFRI2-hQ
Between June 2020 and February 2021, the iPhones of nine Bahraini activists – including two dissidents exiled in London and three members of the Bahrain Centre for Human Rights – were hacked using the Pegasus spyware that was developed by NSO Group, an Israeli cyber-surveillance firm regulated by Israel’s defence ministry.
Tomi Engdahl says:
NSO Group iMessage Zero-Click Exploit Captured in the Wild https://citizenlab.ca/2021/09/forcedentry-nso-group-imessage-zero-click-exploit-captured-in-the-wild/
The Citizen Lab disclosed the vulnerability and code to Apple, which has assigned the FORCEDENTRY vulnerability CVE-2021-30860 and describes the vulnerability as “processing a maliciously crafted PDF may lead to arbitrary code execution.” In this article, Citizen Lab analyses the exploit chain in detail.
Tomi Engdahl says:
Microsoft MSHTML Flaw Exploited by Ryuk Ransomware Gang https://threatpost.com/microsoft-mshtml-ryuk-ransomware/174780/
Microsoft and RiskIQ researchers have identified several campaigns using the recently patched zero-day, reiterating a call for organizations to update affected systems. Criminals behind the Ryuk ransomware were early exploiters of the Windows MSHTML flaw, actively leveraging the bug in campaigns ahead of a patch released by Microsoft this week.
Tomi Engdahl says:
Malware samples found trying to hack Windows from its Linux subsystem https://therecord.media/malware-samples-found-trying-to-hack-windows-from-its-linux-subsystem/
Security researchers at Lumen’s Black Lotus Labs have found a series of malware samples that were configured to infect the Windows Subsystem for Linux and then pivot to its native Windows environment.
Researchers claim the samples are the first of their kind, albeit security experts have theorized as far back as 2017 that such attacks would be possible at one point.
Tomi Engdahl says:
OMIGOD: Microsoft Azure VMs exploited to drop Mirai, miners https://www.bleepingcomputer.com/news/security/omigod-microsoft-azure-vms-exploited-to-drop-mirai-miners/
Threat actors started actively exploiting the critical Azure OMIGOD vulnerabilities two days after Microsoft disclosed them during this month’s Patch Tuesday. The four security flaws (allowing privilege escalation and remote code execution) were found in the Open Management Infrastructure (OMI) software agent silently installed by Microsoft on more than half of all Azure instances.
Tomi Engdahl says:
Microsoft asks Azure Linux admins to manually patch OMIGOD bugs https://www.bleepingcomputer.com/news/microsoft/microsoft-asks-azure-linux-admins-to-manually-patch-omigod-bugs/
Microsoft has issued additional guidance on securing Azure Linux machines impacted by recently addressed critical OMIGOD vulnerabilities. The four security flaws (allowing remote code execution and privilege escalation) were found in the Open Management Infrastructure (OMI) software agent silently installed on more than half of Azure instances.
Tomi Engdahl says:
Malware Attack on Aviation Sector Uncovered After Going Unnoticed for 2 Years
https://thehackernews.com/2021/09/malware-attack-on-aviation-sector.html
A targeted phishing campaign aimed at the aviation industry for two years may be spearheaded by a threat actor operating out of Nigeria, highlighting how attackers can carry out small-scale cyber offensives for extended periods of time while staying under the radar.
Tomi Engdahl says:
Forged vaccination certificates are being sold on the messaging app Telegram; a Finnish “certificate” goes for 150 euros
https://yle.fi/uutiset/3-12101786
A black market for forged vaccination certificates has taken root in the messaging app Telegram, according to a study by the international security company Check Point Research (link opens in another service). According to the study, forgeries posing as coronavirus vaccination certificates from a total of 28 countries are being sold in the app.
Among them are many EU countries, Finland included. According to the study, the price of a forged vaccination certificate for Finland and most other EU countries is 150 euros.
Tomi Engdahl says:
Trial Ends in Guilty Verdict for DDoS-for-Hire Boss – downthem / ampnode https://krebsonsecurity.com/2021/09/trial-ends-in-guilty-verdict-for-ddos-for-hire-boss/
A jury in California today reached a guilty verdict in the trial of Matthew Gatrel, a St. Charles, Ill. man charged in 2018 with operating two online services that allowed paying customers to launch powerful distributed denial-of-service (DDoS) attacks against Internet users and websites. Gatrel’s conviction comes roughly two weeks after his co-conspirator pleaded guilty to criminal charges related to running the services.
Tomi Engdahl says:
Router protection for MikroTik users
https://www.kaspersky.com/blog/how-to-protect-mikrotik-from-meris-botnet/41972/
Recent large-scale DDoS attacks using a new botnet called Mēris peaked at almost 22 million requests per second. According to Qrator research, MikroTik’s network devices generated a fair share of the botnet’s traffic. Having analyzed the situation, MikroTik experts found no new vulnerabilities in the company’s routers; however, old ones may still pose a threat. Therefore, to ensure your router has not joined the Mēris botnet (or any other botnet, for that matter), you need to follow a few recommendations.
Tomi Engdahl says:
Telegram emerges as new dark web for cyber criminals https://arstechnica.com/information-technology/2021/09/telegram-emerges-as-new-dark-web-for-cyber-criminals/
Telegram has exploded as a hub for cybercriminals looking to buy, sell, and share stolen data and hacking tools, new research shows, as the messaging app emerges as an alternative to the dark web.
Tomi Engdahl says:
Exploitation of the CVE-2021-40444 vulnerability in MSHTML https://securelist.com/exploitation-of-the-cve-2021-40444-vulnerability-in-mshtml/104218/
Last week, Microsoft reported the remote code execution vulnerability CVE-2021-40444 in the MSHTML browser engine. According to the company, this vulnerability has already been used in targeted attacks against Microsoft Office users. In an attempt to exploit this vulnerability, attackers create a document with a specially-crafted object. If a user opens the document, MS Office will download and execute a malicious script. According to our data, the same attacks are still happening all over the world. We are currently seeing attempts to exploit the CVE-2021-40444 vulnerability targeting companies in the research and development sector, the energy sector and large industrial sectors, banking and medical technology development sectors, as well as telecommunications and the IT sector.
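A triage check for the "specially-crafted object" those comments describe, added here as an example (not Kaspersky's, Microsoft's or RiskIQ's code): the public analyses of the in-the-wild samples describe an oleObject relationship in word/_rels/document.xml.rels with TargetMode="External" and a Target beginning with "mhtml:" (typically followed by "!x-usc:"), which is what makes Office fetch and render the remote page through MSHTML. The scanner below unzips an Office Open XML file, walks every .rels part and flags that pattern. The sample document and the lure URL are constructed in memory for the demo.

```python
"""Flag Office Open XML files whose relationships point an OLE object at an
external mhtml: target, the delivery pattern used by CVE-2021-40444 lures.

Added example, not Kaspersky's or Microsoft's code. It relies on one detail
from the public analyses of the in-the-wild samples: word/_rels/document.xml.rels
carries an oleObject relationship with TargetMode="External" whose Target starts
with "mhtml:" (typically followed by "!x-usc:"). Anything matching that is
flagged; other external OLE links are reported without the mhtml mark. The
sample document is constructed in memory for the demo.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_SUFFIX = "/relationships/oleObject"


def external_ole_relationships(docx_bytes: bytes) -> List[Dict[str, object]]:
    """Return every oleObject relationship with TargetMode="External" in any .rels part."""
    findings: List[Dict[str, object]] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue  # malformed part; outside this check's scope
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if not rel.get("Type", "").endswith(OLE_REL_SUFFIX):
                    continue
                if rel.get("TargetMode") != "External":
                    continue
                target = rel.get("Target", "")
                lowered = target.lower()
                findings.append({
                    "part": name,
                    "id": rel.get("Id", ""),
                    "target": target,
                    "mhtml": lowered.startswith("mhtml:") or "!x-usc:" in lowered,
                })
    return findings


def is_suspicious(docx_bytes: bytes) -> bool:
    """True when an external OLE object is fetched through the mhtml: handler."""
    return any(f["mhtml"] for f in external_ole_relationships(docx_bytes))


def build_sample_docx(ole_target: str) -> bytes:
    """Constructed minimal .docx with one external OLE relationship (demo input only)."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{RELS_NS}">'
        '<Relationship Id="rId1" Target="styles.xml" '
        'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles"/>'
        f'<Relationship Id="rId2" Target="{ole_target}" TargetMode="External" '
        'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types/>')
        zf.writestr("word/document.xml", '<?xml version="1.0"?><document/>')
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


# Constructed lure URL; the .invalid TLD never resolves.
LURE_TARGET = "mhtml:http://example.invalid/word.html!x-usc:http://example.invalid/word.html"

if __name__ == "__main__":
    for label, target in (("lure", LURE_TARGET), ("benign link", "file:///C:/reports/q3.xlsx")):
        sample = build_sample_docx(target)
        print(label, "suspicious" if is_suspicious(sample) else "clean",
              external_ole_relationships(sample))
```

Point it at real mail attachments with `is_suspicious(open(path, "rb").read())`; a legitimate linked OLE object to a local file shows up in the findings list but without the mhtml mark, so the two cases stay distinguishable for triage.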
Tomi Engdahl says:
Apple and Google Go Further Than Ever to Appease Russia https://www.wired.com/story/russia-apple-google-voting-app-navalny/
The Russian government had pressured Apple and Google to take down the voting app for weeks, threatening fines and even accusing the companies of illegal election interference. Created by associates of imprisoned opposition leader Aleksei Navalny, it offered recommendations across each of Russia’s 225 voting districts for candidates with the best shot of defeating the dominant United Russia party in each race. Voting is open through the weekend, but the app is no longer available for download, and misleading imposter apps have already started to pop up in its place.
Tomi Engdahl says:
A new app helps Iranians hide messages in plain sight https://arstechnica.com/information-technology/2021/09/a-new-app-helps-iranians-hide-messages-in-plain-sight/
Amid ever-increasing government Internet control, surveillance, and censorship in Iran, a new Android app aims to give Iranians a way to speak freely. Nahoft, which means “hidden” in Farsi, is an encryption tool that turns up to 1,000 characters of Farsi text into a jumble of random words. You can send this mélange to a friend over any communication platform (Telegram, WhatsApp, Google Chat, etc.), and then they run it through Nahoft on their device to decipher what you’ve said.
Tomi Engdahl says:
Freedom Hosting admin gets 27 years in prison for hosting child pornography https://therecord.media/freedom-hosting-admin-gets-27-years-in-prison-for-hosting-child-pornography/
An Irish man who ran a cheap dark web hosting service has been sentenced today to 27 years in prison for turning a blind eye to customers hosting child sex abuse material.
Tomi Engdahl says:
Google will extend Permission Auto-Reset feature to older Android versions https://therecord.media/google-will-extend-permission-auto-reset-feature-to-older-android-versions/
Google announced plans today to port its Permission Auto-Reset feature from Android 11 to older versions of its mobile operating system, as far back as Android 6. Launched last fall, the Permission Auto-Reset feature works by automatically withdrawing user permissions from an app that hasn’t been opened and used for a few months.
Tomi Engdahl says:
What’s Up with WhatsApp Encrypted Backups https://www.eff.org/deeplinks/2021/09/whats-whatsapp-encrypted-backups
WhatsApp is rolling out an option for users to encrypt their message backups, and that is a big win for user privacy and security. The new feature is expected to be available for both iOS and Android “in the coming weeks.” EFF has pointed out unencrypted backups as a huge weakness for WhatsApp and for any messenger that claims to offer end-to-end encryption, and we applaud this improvement. Next, encryption for backups should become the default for all users, not just an option.
Tomi Engdahl says:
AMD Chipset Driver Vulnerability Can Allow Hackers to Obtain Sensitive Data
https://www.securityweek.com/amd-chipset-driver-vulnerability-can-allow-hackers-obtain-sensitive-data
Chipmaker AMD has patched a driver vulnerability that could allow an attacker to obtain sensitive information from the targeted system.
The flaw, tracked as CVE-2021-26333 and classified by AMD as medium severity, affects the company’s Platform Security Processor (PSP) chipset driver, which is used by several graphics cards and processors.
According to AMD, which described it as an information disclosure issue, an attacker who has low privileges on the targeted system can “send requests to the driver resulting in a potential data leak from uninitialized physical pages.”
AMD has advised users to update the PSP driver to version 5.17.0.0 through Windows Update or update the Chipset Driver to version 3.08.17.735.
Kyriakos Economou, co-founder of cybersecurity research and development company ZeroPeril, has been credited for discovering the vulnerability. In a technical advisory detailing the findings, the researcher noted that attacks are possible due to information disclosure and memory leakage bugs.
https://zeroperil.co.uk/wp-content/uploads/2021/09/AMD_PSP_Vulnerability_Report.pdf
Tomi Engdahl says:
Pakistani Man Involved in AT&T Hacking Scheme Sentenced to Prison in U.S.
https://www.securityweek.com/pakistani-man-involved-att-hacking-scheme-sentenced-prison-us
Muhammad Fahd, a 35-year-old Pakistani national, has been sentenced to 12 years of prison in the United States for his role in a scheme that involved illegally unlocking AT&T phones and hacking into the telecoms giant’s systems.
The scheme started in 2012, when Fahd and others recruited AT&T call center employees for help in unlocking phones sold by AT&T to customers under installment plans. These types of devices can only be used on AT&T’s network, but once a phone has been unlocked it can be used on the network of any provider and the device’s owner can avoid paying for AT&T services or making payments for the phone.
Tomi Engdahl says:
Mirai Botnet Starts Exploiting OMIGOD Flaw as Microsoft Issues More Guidance
https://www.securityweek.com/mirai-botnet-starts-exploiting-omigod-flaw-microsoft-issues-more-guidance
Microsoft on Thursday published additional guidance on addressing recently disclosed vulnerabilities in the Open Management Infrastructure (OMI) framework, along with new protections to resolve the bugs within affected Azure Virtual Machine (VM) management extensions.
Microsoft’s guidance was published just as researchers noticed that one of the vulnerabilities is already being exploited in the wild. It appears that the Mirai botnet is attempting to compromise vulnerable systems and that it also closes port 5896 (OMI SSL port) to keep other attackers out.
An open-source Web-Based Enterprise Management (WBEM) implementation, OMI allows for the management of Linux and UNIX systems and is used in various Azure services and Azure Virtual Machine (VM) management extensions.
As part of the September 2021 patches, Microsoft addressed four issues in OMI, one critical bug leading to unauthenticated remote code execution and three high-severity flaws allowing an attacker to elevate privileges. The issues were identified by security researchers with Wiz, which named the RCE defect OMIGOD.
The OMIGOD vulnerability, officially tracked as CVE-2021-38647, is the one reportedly exploited by the Mirai botnet.
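Since the agent was installed silently, the first question for an Azure Linux admin is whether OMI is present and at what version. The check below is an added example, not Microsoft's guidance script: it follows the advisory for CVE-2021-38647, which names OMI 1.6.8-1 as the fixed release and tells admins to verify with `dpkg -l omi` (Debian/Ubuntu) or `rpm -qa omi` (RHEL/CentOS/SUSE); the Debian package prints the same version as 1.6.8.1, so both spellings are normalised. The sample `dpkg` output is constructed for the demo.

```python
"""Check an Azure Linux host's OMI package version against the OMIGOD fix.

Added example, not Microsoft's guidance script. Microsoft's advisory for
CVE-2021-38647 names OMI 1.6.8-1 as the fixed release and tells admins to check
with `dpkg -l omi` (Debian/Ubuntu) or `rpm -qa omi` (RHEL/CentOS/SUSE); the
Debian package prints the same version as 1.6.8.1. Everything else here,
including the sample command output, is constructed for the demo.
"""
import re
import shutil
import subprocess
from typing import List, Optional, Tuple

FIXED_OMI_VERSION: Tuple[int, ...] = (1, 6, 8, 1)   # 1.6.8-1 per the advisory


def parse_version(text: str) -> Tuple[int, ...]:
    """Normalise '1.6.8-1' and '1.6.8.1' to a comparable tuple, zero-padded to 4 parts."""
    parts = [int(p) for p in re.split(r"[.\-]", text.strip()) if p.isdigit()]
    return tuple(parts + [0] * (4 - len(parts)))[:4]


def is_vulnerable(version: str) -> bool:
    """True for any OMI release older than 1.6.8-1."""
    return parse_version(version) < FIXED_OMI_VERSION


def omi_version_from_dpkg(output: str) -> Optional[str]:
    """Pull the version column from `dpkg -l omi` output (installed packages only)."""
    for line in output.splitlines():
        m = re.match(r"^ii\s+omi\s+(\S+)", line)
        if m:
            return m.group(1)
    return None


def omi_version_from_rpm(output: str) -> Optional[str]:
    """Pull the version from `rpm -qa omi` output such as 'omi-1.6.8-1.x86_64'."""
    m = re.search(r"^omi-(\d+(?:[.\-]\d+)*)", output.strip(), re.MULTILINE)
    return m.group(1) if m else None


def assess(dpkg_output: str = "", rpm_output: str = "") -> str:
    """Summarise the host's exposure from whichever package manager answered."""
    version = omi_version_from_dpkg(dpkg_output) or omi_version_from_rpm(rpm_output)
    if version is None:
        return "omi not installed"
    state = "VULNERABLE" if is_vulnerable(version) else "patched"
    return f"omi {version}: {state} (fixed in 1.6.8-1)"


# Constructed sample of what `dpkg -l omi` prints on an unpatched Ubuntu VM.
SAMPLE_DPKG = """Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version      Architecture Description
+++-==============-============-============-=================================
ii  omi            1.6.4.1      amd64        Open Management Infrastructure
"""


def run(cmd: List[str]) -> str:
    """Run a package-manager query if the tool exists; empty string otherwise."""
    if shutil.which(cmd[0]) is None:
        return ""
    return subprocess.run(cmd, capture_output=True, text=True).stdout


if __name__ == "__main__":
    print("sample:", assess(dpkg_output=SAMPLE_DPKG))
    print("this host:", assess(run(["dpkg", "-l", "omi"]), run(["rpm", "-qa", "omi"])))
```

Run it across a fleet with your usual remote-execution tooling; a "VULNERABLE" result means the manual upgrade Microsoft asked for in the comment above has not happened on that VM, regardless of whether the Azure extension that pulled OMI in has since been updated.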
Tomi Engdahl says:
German Election Authority Confirms Likely Cyber Attack
https://www.securityweek.com/german-election-authority-confirms-likely-cyber-attack
Suspected hackers last month briefly disrupted the website of the authority running Germany’s September 26 general election, a spokesman for the body told AFP Wednesday.
The development, first reported by Business Insider, comes as German federal prosecutors probe alleged cyber attacks against lawmakers during the campaign to choose a new parliament and a successor to Chancellor Angela Merkel.
“At the end of August the website of the Federal Returning Officer only had limited accessibility for a few minutes due to a malfunction,” the spokesman said when asked about the hacking report.
“The problem was analysed and the technical concepts were further developed accordingly. The information for the public through the website of the Federal Returning Officer was and is ensured.”
Business Insider reported that the website, which publishes the official results of the vote, was bombarded with data requests in a so-called distributed denial of service attack, leading the servers to break down.
Citing government sources, it said that IT systems necessary for the election itself to go off smoothly were not affected, possibly due to extra protections in place.
Berlin has pointed the finger at hackers from Russia’s “Ghostwriter” group which reportedly specialises in spreading disinformation.
Tomi Engdahl says:
U.S. Agencies Warn of APTs Exploiting Recent ADSelfService Plus Zero-Day
https://www.securityweek.com/us-agencies-warn-apts-exploiting-recent-adselfservice-plus-zero-day
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Coast Guard Cyber Command (CGCYBER) have sounded the alarm over in-the-wild attacks targeting a recently disclosed vulnerability in Zoho’s ManageEngine ADSelfService Plus product.
Tracked as CVE-2021-40539 and rated critical severity (CVSS score of 9.8), the vulnerability has been exploited since August 2021 to execute code remotely and take over vulnerable systems.
Affecting the representational state transfer (REST) application programming interface (API) URLs of the self-service password management and single sign-on solution, the issue is an authentication bypass bug that affects all ADSelfService Plus builds up to 6113.
“The FBI, CISA, and CGCYBER assess that advanced persistent threat (APT) cyber actors are likely among those exploiting the vulnerability,” reads a joint advisory issued on Thursday.
Academic institutions, critical infrastructure (communications, finance, IT, logistics, manufacturing, transportation, and others), and defense contractors are at risk of compromise because of their use of ADSelfService Plus.
“Successful exploitation of the vulnerability allows an attacker to place webshells, which enable the adversary to conduct post-exploitation activities, such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files,” the advisory reads.
Tomi Engdahl says:
https://hackaday.com/2021/09/17/this-week-in-security-office-0-day-forcedentry-protonmail-and-omigod/
Router Leaks IP
Researchers at Fidus have put together a very clever attack to unmask the real IPs of users of some VPNs. The attack relies on the presence of a Simple Network Management Protocol (SNMP) web wrapper that is present on some consumer routers. SNMP is a useful protocol to programmatically get statistics and other status information from a networked device. The research was done on Virgin Media routers, which happened to allow unauthenticated requests to the SNMP wrapper. One of the data points accessible is the public IP address assigned to the router.
So all an attacker has to do is get the victim to load their web page, and use some JS code to do a GET request from the router’s IP, right? Except browsers have been adding security features to prevent exactly this sort of abuse. The trick that works here is DNS rebinding, where the DNS record for the malicious site is set to a very low Time To Live (TTL), and the record is changed once the page is loaded. This allows the page JS to make another request to the same domain name, and that request actually goes to an arbitrary IP. The router’s web interface doesn’t have any safeguards against this technique, so it gladly gives up the IP address.
This doesn’t work against every VPN. Some clients block access to local IP addresses, probably to prevent exactly this sort of attack. Notably, TOR works this way. For a VPN that does not, however, this can leak the public IP. The other interesting wrinkle to this story is that this was first discovered back in October 2019. Liberty Global, the owner of Virgin Media, requested a full year to address the vulnerability. Rather than work on a coordinated disclosure, Liberty has “ghosted” the researchers ever since. There don’t seem to be any fixes rolled out, so this should be treated as a 0-day until proven otherwise. The workaround is to only use a VPN client that blocks access to local IPs, if you’re concerned about not leaking identifying information to sites you visit.
Silently Unmasking Virgin Media VPN Users in Seconds (CVE-2019-16651)
https://fidusinfosec.com/silently-unmasking-virgin-media-vpn-users-in-seconds-cve-2019-16651/
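As an added illustration (not code from the Hackaday post or the Fidus research), the two defensive checks the post alludes to: a Host-header allow-list that a device web UI could apply, and the local-address filter that a VPN client applying "block access to local IPs" performs. The router hostnames and addresses are constructed example values.

```python
import ipaddress

# Constructed example: the names under which this device expects to be reached.
# In a DNS-rebinding attack the browser still sends the attacker's domain in the
# Host header even though the TCP connection lands on the router, so a web UI
# that rejects unexpected Host values is not reachable through a rebound name.
ROUTER_HOSTS = {"192.168.0.1", "router.local"}


def host_header_allowed(host_header, allowed=ROUTER_HOSTS):
    """Return True only if the Host header names this device itself."""
    host = host_header.strip().lower()
    if host.startswith("["):                      # bracketed IPv6 literal, e.g. [fe80::1]:80
        host = host[1:host.index("]")]
    elif host.count(":") == 1:                    # strip a trailing :port on names / IPv4
        host = host.rsplit(":", 1)[0]
    return host in {h.lower() for h in allowed}


def is_non_public(ip):
    """True for loopback, link-local, RFC 1918 / ULA or unspecified addresses."""
    addr = ipaddress.ip_address(ip)
    return (addr.is_private or addr.is_loopback
            or addr.is_link_local or addr.is_unspecified)


def rebinding_safe_addresses(resolved):
    """Client-side guard: drop every resolved address that is not globally
    routable, so a DNS answer rebound to 192.168.x.x or 127.0.0.1 is never
    connected to. `resolved` is the list of addresses a resolver returned."""
    return [ip for ip in resolved if not is_non_public(ip)]


if __name__ == "__main__":
    # Constructed requests: a legitimate one and a rebound one.
    print(host_header_allowed("router.local:80"))        # True
    print(host_header_allowed("attacker.example.com"))   # False
    print(rebinding_safe_addresses(["8.8.8.8", "192.168.0.1", "127.0.0.1"]))
```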
Tomi Engdahl says:
Recent DDoS attacks using a botnet called Mēris hit 22 million requests per second – and a large portion of those bots are from MikroTik routers. Here’s how to protect yours.
Router protection for MikroTik users
https://www.kaspersky.com/blog/how-to-protect-mikrotik-from-meris-botnet/41972/?utm_source=facebook&utm_medium=social&utm_campaign=gl_MikroTik-RR-_ay0073_promo&utm_content=sm-post&utm_term=gl_facebook_promo_bxi73lobsgeqkd0&fbclid=IwAR1YLF5JjZceRiT8x8NuLuTKgfWE9WZwwPLoMPSiH4HZnPsn37LzV3oWSyk
To protect MikroTik routers from the Mēris botnet, or to clean a previously infected router, users should update RouterOS and check settings.
Tomi Engdahl says:
VPN users unmasked by zero-day vulnerability in Virgin Media routers
https://portswigger.net/daily-swig/vpn-users-unmasked-by-zero-day-vulnerability-in-virgin-media-routers
Tomi Engdahl says:
https://www.securityweek.com/indonesia-says-no-evidence-alleged-chinese-intel-hack
Tomi Engdahl says:
Ongoing Phishing Campaign Targets APAC, EMEA Governments
https://www.securityweek.com/ongoing-phishing-campaign-targets-apac-emea-governments
Government departments in at least 7 countries in the Asia-Pacific (APAC) and Europe, the Middle East and Africa (EMEA) regions have been targeted in a phishing campaign that has been ongoing since spring 2020.
Focused on credential harvesting, the attacks most likely started in the first half of 2020, when the phishing domains used as part of the campaign were transferred to their current host, security researchers with threat intelligence firm Cyjax say.
At least 15 pages remain active, targeting the governments of countries such as Belarus, Georgia, Kyrgyzstan, Pakistan, Turkmenistan, Ukraine, and Uzbekistan.
Tomi Engdahl says:
Cyberattack on Alaska Health Department Linked to State-Sponsored Hackers
https://www.securityweek.com/cyberattack-alaska-health-department-linked-state-sponsored-hackers
Tomi Engdahl says:
Attackers Use Linux Binaries as Loaders for Windows Malware
https://www.securityweek.com/attackers-use-linux-binaries-loaders-windows-malware
Using Microsoft’s Windows Subsystem for Linux (WSL), attackers have leveraged Linux binaries to load payloads into Windows processes, according to researchers with Black Lotus Labs, the threat intelligence unit of tech company Lumen.
As part of the observed attacks, Linux ELF (Executable and Linkable Format) binaries were employed to inject payloads into running processes using Windows API calls. The ELF binaries were written in Python and converted for the Debian platform using PyInstaller.
“While this approach was not particularly sophisticated, the novelty of using an ELF loader designed for the WSL environment gave the technique a detection rate of one or zero in Virustotal, depending on the sample, as of the time of this writing,” Black Lotus says.
Introduced in 2016, WSL allows for the execution of Linux images on Windows machines, in a near-native environment that eliminates the use of virtual machines. A great tool for developers, the feature also opens the door for new types of abuse in malicious attacks, the security researchers warn.
Black Lotus identified only a small number of malicious samples used in these attacks, suggesting that the activity might be under development or simply limited in scope.
The suspicious ELF files were first identified in August, designed to fetch an embedded or remote payload and inject it using Windows APIs, while ensuring the attack remains undetected, as most Windows security tools won’t analyze ELF files.
No Longer Just Theory: Black Lotus Labs Uncovers Linux Executables Deployed as Stealth Windows Loaders
https://blog.lumen.com/no-longer-just-theory-black-lotus-labs-uncovers-linux-executables-deployed-as-stealth-windows-loaders/
In April 2016, Microsoft shocked the PC world when it announced the Windows Subsystem for Linux (WSL). WSL is a supplemental feature that runs a Linux image in a near-native environment on Windows, allowing for functionality like command line tools from Linux without the over-head of a virtual machine. While this new functionality was welcomed by developers for the freedom it offers to leverage open-source software, it is also a new attack surface threat actors can – and do – target.
Black Lotus Labs recently identified several malicious files that were written primarily in Python and compiled in the Linux binary format ELF (Executable and Linkable Format) for the Debian operating system. These files acted as loaders running a payload that was either embedded within the sample or retrieved from a remote server and was then injected into a running process using Windows API calls. While this approach was not particularly sophisticated, the novelty of using an ELF loader designed for the WSL environment gave the technique a detection rate of one or zero in Virus Total, depending on the sample, as of the time of this writing.
Tomi Engdahl says:
Alaska discloses ‘sophisticated’ nation-state cyberattack on health service https://therecord.media/alaska-discloses-sophisticated-nation-state-cyberattack-on-health-service/
A nation-state cyber-espionage group has gained access to the IT network of the Alaska Department of Health and Social Service (DHSS), the agency said last week. While the DHSS made the incident public on May 18 and published two updates in June and August, the agency did not reveal any details about the intrusion until last week, when it officially dispelled the rumor that this was a ransomware attack.
Tomi Engdahl says:
US farmer cooperative hit by $5.9M BlackMatter ransomware attack https://www.bleepingcomputer.com/news/security/us-farmer-cooperative-hit-by-59m-blackmatter-ransomware-attack/
U.S. farmers cooperative NEW Cooperative has suffered a BlackMatter ransomware attack demanding $5.9 million not to leak stolen data and provide a decryptor. In a weekend ransomware attack, the threat actors demand a 5.9 million dollar ransom, which will increase to $11.8 million if a ransom is not paid in five days.
Tomi Engdahl says:
EventBuilder misconfiguration exposes Microsoft event registrant data https://www.bleepingcomputer.com/news/security/eventbuilder-misconfiguration-exposes-microsoft-event-registrant-data/
Personal details of registrants to virtual events available through the EventBuilder platform have stayed accessible over the public internet, open to indexing by various engines. EventBuilder is a software solution for creating virtual events (webinars, training, online learning, conferences) using Microsoft technologies and integrates with Microsoft Teams and Teams Live Events extension.
Tomi Engdahl says:
Confidential information found again in empty hospital premises
https://yle.fi/uutiset/3-12107416
The confidential material found in the locked premises has been destroyed, and the data breaches have been reported to the Office of the Data Protection Ombudsman. Confidential information has again been found in empty hospital premises in the area of the Pirkanmaa Hospital District.
This is already the third time within a short period.
Tomi Engdahl says:
VoIP.ms phone services disrupted by DDoS extortion attack https://www.bleepingcomputer.com/news/security/voipms-phone-services-disrupted-by-ddos-extortion-attack/
Threat actors are targeting voice-over-Internet provider VoIP.ms with a DDoS attack and extorting the company to stop the assault that’s severely disrupting the company’s operations. VoIP.ms is an Internet phone service company that provides affordable voice-over-IP service to businesses around the world.