Cyber security news October 2021

This posting is here to collect cyber security news in October 2021.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.

376 Comments

  1. Tomi Engdahl says:

    Infowars host Alex Jones is responsible for damages triggered by his false claims on the Sandy Hook shooting, judge rules
    https://www.cnn.com/2021/10/01/us/alex-jones-loses-sandy-hook-cases/index.html

    (CNN) – Alex Jones, the conspiracy theorist who hosts the right-wing commentary website Infowars, was found legally responsible in two lawsuits for damages caused by his claims surrounding the 2012 Sandy Hook school mass shooting, according to court documents released Thursday.

  2. Tomi Engdahl says:

    $89 million in crypto was mistakenly sent out to users of a decentralized finance platform, and now its CEO is asking users to voluntarily send it back
    https://www.businessinsider.com/compound-ceo-asks-users-return-89-million-crypto-after-glitch-2021-10

    Users of DeFi lending platform Compound were erroneously sent $89 million worth of cryptocurrency.
    A glitch in a recent platform update led to some users receiving too much “COMP.”
    “This is the greatest opportunity, and greatest risk for a decentralized protocol,” Compound’s CEO tweeted.

  3. Tomi Engdahl says:

    Why You Suddenly Need To Delete Google Chrome
    https://www.forbes.com/sites/zakdoffman/2021/10/02/stop-using-google-chrome-on-windows-10-android-and-apple-iphones-ipads-and-macs/?utm_campaign=sprinklrForbesMainFB&utm_content=5619552822&utm_medium=social&utm_source=FBPAGE&sh=6311a5532f30

    An alarming new update from Google that hasn’t yet made headlines has suddenly put Chrome’s 2.6 billion users at risk of “surveillance, manipulation and abuse.” If you’re one of those users, this nasty new surprise just gave you a reason to quit.

    Chrome has serious issues when it comes to protecting your security and your privacy. The world’s leading browser has issued one urgent fix after another this year, as high-risk exploits have been found in the wild; and just a few weeks ago, Google finally admitted it had “accidentally” allowed millions of users to be secretly tracked.

    Google says it wants to change, to put your privacy first, that web tracking is now out of control and has resulted in “an erosion of trust.” But as DuckDuckGo warns, “it’s all noise until Google actually agrees to collect less data and do less behavioral targeting.”

    The latest tracking nightmare for Chrome users comes in two parts. First, Google has ignored security warnings and launched a new Chrome API to detect and report when you’re “idle,” i.e., not actively using your device. Apple warns “this is an obvious privacy concern,” and Mozilla that it’s “too tempting an opportunity for surveillance.”

    Vivaldi agrees, telling me: “We are not happy with the privacy implications of this API (since it can be abused for behavioral tracking), or the fact that it can be abused to know about when you might not notice if something is using your CPU… There are privacy implications that a user cannot be expected to realize.”

    If this release of a controversial Chrome tracking technology despite industry warnings sounds familiar, that’s because we saw the same with FLoC earlier this year: Google was warned that its attempt to anonymize users while still serving the needs of advertisers was a surveillance disaster in the making. Google refuted any such claims and secretly enrolled millions of users into a trial, before quietly admitting later that those warnings had come true, that it had made the risks of tracking worse.

  4. Tomi Engdahl says:

    The FCC Wants to Force Wireless Carriers to Finally Stop SIM Hijacking
    FCC rule update takes aim at rampant identity and cryptocurrency theft made possible by wireless number port-out fraud.
    https://www.vice.com/en/article/n7babx/the-fcc-wants-to-force-wireless-carries-to-finally-stop-sim-swapping

  5. Tomi Engdahl says:

    Ransomware attack might have caused another death
    https://www.washingtonpost.com/politics/2021/10/01/ransomware-attack-might-have-caused-another-death/

    Hackers attacked a hospital and allegedly killed a newborn baby
    The mother is suing over what seems to be the first death caused by ransomware.
    https://futurism.com/neoscope/hackers-hospital-allegedly-killed-newborn-baby

  6. Tomi Engdahl says:

    “Internet goes down for millions, tech companies scramble as key encryption service expires” https://news.yahoo.com/internet-goes-down-millions-tech-021400230.html

    Oops

  7. Tomi Engdahl says:

    FCC orders phone carriers to enforce unlawful robocall blocking
    https://www.bleepingcomputer.com/news/security/fcc-orders-phone-carriers-to-enforce-unlawful-robocall-blocking/

    The Federal Communications Commission (FCC) announced earlier this week that phone companies are now required to filter calls from providers who haven’t complied with a deadline to block illegal robocalls that expired on September 28th.

    They can only accept calls from voice service providers registered in the Robocall Mitigation Database who have implemented caller ID authentication technology for calls carried over Internet Protocol (IP) networks or filed a robocall mitigation plan with the FCC.

    https://fccprod.servicenowservices.com/rmd?id=rmd_welcome

  8. Tomi Engdahl says:

    White House to convene 30-country cybersecurity meeting
    https://www.zdnet.com/article/white-house-to-convene-30-country-cybersecurity-meeting/

    The topics of the meeting, Biden said, will include combating cybercrime, improving law enforcement collaboration, stemming the illicit use of cryptocurrency, building trusted 5G technology and better securing supply chains.

  9. Tomi Engdahl says:

    Flubot Android malware now spreads via fake security updates https://www.bleepingcomputer.com/news/security/flubot-android-malware-now-spreads-via-fake-security-updates/
    The Flubot malware has switched to a new and likely more effective lure to compromise Android devices, now trying to trick its victims into infecting themselves with the help of fake security updates warning them of Flubot infections.

  10. Tomi Engdahl says:

    Google Patches Two More Exploited Zero-Day Vulnerabilities in Chrome
    https://www.securityweek.com/google-patches-two-more-exploited-zero-day-vulnerabilities-chrome

    Google on Thursday announced the rollout of a Chrome update to address four security vulnerabilities, including two that are already being exploited in the wild.

    The exploited vulnerabilities include CVE-2021-37975, a high-severity use-after-free bug in the V8 engine, and CVE-2021-37976, a medium-severity information leak issue in the core. Both were reported last week.

    “Google is aware the exploits for CVE-2021-37975 and CVE-2021-37976 exist in the wild,” the Internet search giant says.

    Now rolling out to Windows, Mac and Linux users as Chrome version 94.0.4606.71, the new browser iteration also addresses CVE-2021-37974, a high-severity use-after-free in Safe Browsing.

    Update Google Chrome ASAP to Patch 2 New Actively Exploited Zero-Day Flaws https://thehackernews.com/2021/09/update-google-chrome-asap-to-patch-2.html

    Google on Thursday pushed urgent security fixes for its Chrome browser, including a pair of new security weaknesses that the company said are being exploited in the wild, making them the fourth and fifth actively exploited zero-days plugged this month alone.

  11. Tomi Engdahl says:

    Fortinet, Shopify and more report issues after root CA certificate from Let’s Encrypt expires https://www.zdnet.com/article/fortinet-shopify-others-report-issues-after-root-ca-certificate-from-lets-encrypt-expires/
    Experts had been warning for weeks that there would be issues resulting from the expiration of root CA certificates provided by Let’s Encrypt.

  12. Tomi Engdahl says:

    A Death Due to Ransomware
    https://www.schneier.com/blog/archives/2021/10/a-death-due-to-ransomware.html
    The Wall Street Journal is reporting on a baby’s death at an Alabama hospital in 2019, which they argue was a direct result of the ransomware attack the hospital was undergoing. What will be interesting to see is whether the courts rule that the hospital was negligent in its security, contributing to the success of the ransomware and by extension the death of the infant.

  13. Tomi Engdahl says:

    Hydra malware targets customers of Germany’s second largest bank https://www.bleepingcomputer.com/news/security/hydra-malware-targets-customers-of-germanys-second-largest-bank/
    The Hydra banking trojan is back to targeting European e-banking platform users, and more specifically, customers of Commerzbank, Germany’s second-largest financial institution.

  14. Tomi Engdahl says:

    Conti gang threatens to dump victim data if ransom negotiations leak to reporters https://therecord.media/conti-gang-threatens-to-dump-victim-data-if-ransom-negotiations-leak-to-reporters/
    The Conti ransomware gang has published a rare public statement today threatening hacked companies that they will leak their stolen files if details or screenshots of the ransom negotiations process are leaked to journalists.

  15. Tomi Engdahl says:

    October is Cybersecurity Awareness Month! Why being cybersmart matters https://www.welivesecurity.com/2021/10/01/october-cybersecurity-awareness-month-being-cyber-smart/
    The campaign may last for a month, but we should remember that cybersecurity is a year-round affair

  16. Tomi Engdahl says:

    Sandhills online machinery markets shut down by ransomware attack https://www.bleepingcomputer.com/news/security/sandhills-online-machinery-markets-shut-down-by-ransomware-attack/
    Industry publication giant Sandhills Global has suffered a ransomware attack, causing hosted websites to become inaccessible and disrupting their business operations. Sandhills Global is a US-based trade publication and hosting company catering to the transportation, agriculture, aircraft, heavy machinery, and technology industries.
    Numerous sources have told BleepingComputer that a Conti ransomware attack is behind these outages. This attack reportedly took place in the early morning hours of Thursday, causing the company to shut down all of its IT systems to prevent the attack’s spread.

  17. Tomi Engdahl says:

    Blair, Shakira and Putin’s inner circle: besides politicians, the world’s biggest data leak features global stars from many fields
    https://yle.fi/uutiset/3-12126500
    Yle’s MOT investigative unit has taken part in investigating an extensive data leak that reveals a great deal of new information about the activities in tax havens of both those who wield political power and other influential persons.
    also: https://yle.fi/uutiset/3-12126521

  18. Tomi Engdahl says:

    ChamelGang Hackers Target Energy, Aviation, and Government Sectors
    https://www.securityweek.com/chamelgang-hackers-target-energy-aviation-and-government-sectors

    New “ChamelGang” APT group has not been associated with any existing threat actor

    A new advanced threat group has been detected targeting energy and aviation firms in Russia, and institutions including governments in nine other countries. The group has not been associated with any existing APT, nor is its country of origin known. It has been named ChamelGang after its practice of blending into the background like a chameleon.

    ChamelGang was first detected following repeated anti-virus alerts on the presence of Cobalt Strike Beacon in RAM at a Russian Energy organization. This breach was investigated and analyzed by Positive Technologies (PT). Using what it learned, PT discovered and analyzed a second attack by the same threat group against an organization in the Russian aviation sector.

    PT subsequently found attacks against institutions in nine other countries, including the United States, India, Nepal, Taiwan, and Japan, where in five countries, researchers discovered compromised government servers. These other attacks have not been analyzed in PT’s report on ChamelGang, but all of the victims have been notified by their national CERTs. Since the gang uses the ProxyShell vulnerabilities in its attack chain, PT thinks it possible that vulnerable servers in the UK will be targeted in the future.

  19. Tomi Engdahl says:

    McAfee Enterprise, FireEye Products Merged Into $2B Entity
    https://www.securityweek.com/mcafee-enterprise-fireeye-products-merged-2b-entity

    Private equity giant Symphony Technology Group (STG) this week announced the merger of McAfee Enterprise and the newly acquired FireEye Products into a single entity with $2 billion in annual revenue.

    The Menlo Park, Calif.-based STG has tapped FireEye’s Bryan Palma to head up the combined entity, which will continue to sell security products for endpoints, infrastructure, applications, and cloud deployments.

    The STG announcement is the latest chapter in McAfee’s bumpy corporate saga. In March this year, McAfee Corp sold off the McAfee Enterprise business to a consortium led by STG in an all-cash transaction valued at $4 billion.

  20. Tomi Engdahl says:

    Contactless Payment Card Hack Affects Apple Pay, Visa
    https://www.securityweek.com/contactless-payment-card-hack-affects-apple-pay-visa

    A team of researchers has demonstrated a new attack method that affects iPhone owners who use Apple Pay and Visa payment cards. The vulnerabilities exploited in the attack remain unpatched, but the impacted vendors say they are not concerned.

    The research was conducted by researchers at the University of Birmingham and the University of Surrey in the United Kingdom.

    They discovered that if an iPhone is configured to use Apple Pay and a Visa card in “transit mode,” an attacker can remotely steal money from the targeted individual without any authentication or authorization being required — the attack works against locked iPhones.

    “Express Transit” or “Express Travel” is a feature in Apple Pay that enables users to quickly pay for rides on certain public transport networks without having to authorize the payment with Face ID or Touch ID, as is typically required when Apple Pay is used. This feature can be highly useful, but researchers found that it also introduces some security risks.

    https://practical_emv.gitlab.io/

  21. Tomi Engdahl says:

    GriftHorse Android Trojan Infects Over 10 Million Devices Worldwide
    https://www.securityweek.com/grifthorse-android-trojan-infects-over-10-million-devices-worldwide

    A recently discovered cybercrime campaign leveraging mobile premium services has made over 10 million victims worldwide, potentially causing hundreds of millions in losses, according to mobile security firm Zimperium.

    To maximize spread, the campaign operators used trojanized applications that posed as harmless software, but which subscribed the victims to paid services that charged them roughly €36 (roughly $42) per month.

    The campaign operators started distributing the Android Trojan – which Zimperium calls GriftHorse – in November 2020 through Google Play and third-party stores. The malware has since been removed from Google Play but continues to be distributed via third-party application stores.

    To date, users in more than 70 countries fell victim to the attackers, which served them tailored malicious pages, based on geo-location, using the local language. On infected devices, users are bombarded with notifications that they have won a prize, until the offer is accepted.

  22. Tomi Engdahl says:

    Hackers Can Exploit Apple AirTag Vulnerability to Lure Users to Malicious Sites
    https://www.securityweek.com/hackers-can-exploit-apple-airtag-vulnerability-lure-users-malicious-sites

    Apple’s AirTag product is affected by a vulnerability that could be exploited by hackers to lure unsuspecting users to phishing or other types of malicious websites.

    Security consultant Bobby Rauch discovered that AirTags, which Apple sells for $30 and advertises as a “supereasy way to keep track of your stuff,” are affected by a stored cross-site scripting (XSS) vulnerability.

    While the issue has not been patched by Apple, Rauch disclosed its details this week after becoming frustrated with the tech giant’s vulnerability reporting process.

    https://krebsonsecurity.com/2021/09/apple-airtag-bug-enables-good-samaritan-attack/

  23. Tomi Engdahl says:

    Threat Actor Promises Pegasus Spyware Protection, Serves Trojan Instead
    https://www.securityweek.com/threat-actor-promises-pegasus-spyware-protection-serves-trojan-instead

    A threat group is distributing the little-known Sarwent Trojan via a fake website that impersonates Amnesty International and claims to deliver protection against the Pegasus mobile malware.

    According to security researchers at Cisco Talos, the attack targets individuals who believe they might have been targeted by the NSO Group’s Pegasus spyware and might be associated with nation-state activity, but Talos has yet to identify links to a specific threat actor.

  24. Tomi Engdahl says:

    Google Patches Vulnerability in Cloud Endpoints Proxy
    https://www.securityweek.com/google-patches-vulnerability-cloud-endpoints-proxy

    A researcher has disclosed the details of a privilege escalation vulnerability he discovered in a Google Cloud component. The flaw was patched by Google in late August, but some users will need to manually update their systems to prevent potential exploitation.

    The vulnerability was found by security researcher Imre Rad, who disclosed his findings last week on the Full Disclosure mailing list.

    Rad found the vulnerability in Extensible Service Proxy (ESP), an open source, Nginx-based proxy that enables API management capabilities for JSON/REST or gRPC API services. Its features include authentication, monitoring and logging. ESP is a component of Google’s Cloud Endpoints API management system, which is designed for securing, monitoring and analyzing APIs.

    https://seclists.org/fulldisclosure/2021/Sep/51

  25. Tomi Engdahl says:

    Neiman Marcus Confirms Payment Cards Compromised in Data Breach
    https://www.securityweek.com/neiman-marcus-confirms-payment-cards-compromised-data-breach

    Luxury retail company Neiman Marcus Group on Thursday confirmed that customer information was indeed stolen in a data breach.

    During the incident, which occurred in May 2020, hackers were able to exfiltrate information associated with online customer accounts, including payment card data, the company says.

    A total of 4.6 million online customers were affected by the attack and Neiman Marcus is working on notifying them. The company also says that 3.1 million payment and virtual gift cards were compromised, 85% of which were either expired or invalid.

  26. Tomi Engdahl says:

    Beware of this notification: the malware that has plagued Finnish phones is now being spread with a devious ploy https://www.is.fi/digitoday/tietoturva/art-2000008307749.html

  27. Tomi Engdahl says:

    Exceptional problems in Facebook’s services around the world; F-Secure’s Hyppönen: reportedly a mistake made by the service’s administrators
    https://yle.fi/uutiset/3-12128258
    Social media giant Facebook’s services have had problems around the world during the evening, several international media outlets report. According to the news agency Reuters, problems have also appeared at Twitter, Google and Amazon. also: https://www.hs.fi/talous/art-2000008309670.html
    also: https://www.iltalehti.fi/digiuutiset/a/e9d571df-f2b7-48d7-87e6-5836f0425624
    also: https://www.is.fi/digitoday/art-2000008309646.html

  28. Tomi Engdahl says:

    Facebook Outage: Yes, it’s DNS (sort of). A super quick analysis of what is going on https://isc.sans.edu/forums/diary/Facebook+Outage+Yes+its+DNS+sort+of+A+super+quick+analysis+of+what+is+going+on/27900/
    More readable summary of the analysis below: The BGP routes pointing traffic to Facebook’s IP address space have been withdrawn. The Internet no longer knows where to find Facebook’s IPs. One symptom is that DNS requests are failing. But this is just the result of Facebook hosting its DNS servers inside its own network. Even with working DNS (for example if you still have cached results), the IPs are currently not reachable.
    also: https://krebsonsecurity.com/2021/10/what-happened-to-facebook-instagram-whatsapp/
    also: https://arstechnica.com/information-technology/2021/10/facebook-instagram-whatsapp-and-oculus-are-down-heres-what-we-know/

  29. Tomi Engdahl says:

    Facebook’s scandal deepens, whistleblower comes forward: “chooses profits over people’s safety”
    https://www.tivi.fi/uutiset/tv/ed2d6dde-58e9-4120-93f1-3804a96929f1
    The whistleblower who leaked Facebook’s internal documents went public over the weekend.

  30. Tomi Engdahl says:

    Two ransomware operators arrested in Ukraine https://therecord.media/two-members-of-a-ransomware-gang-were-arrested-in-ukraine-following-a-joint-international-law-enforcement-operation/
    Two members of a ransomware gang were arrested in Ukraine following a joint international law enforcement operation. The arrests took place last week, on September 28, in Kyiv, Ukraine’s capital, and were carried out by officers of the Ukrainian National Police, with aid from the French Gendarmerie, the FBI, Europol, and Interpol.

  31. Tomi Engdahl says:

    Let’s get the basics of cyber security into shape: join in!
    https://www.kyberturvallisuuskeskus.fi/fi/ajankohtaista/jumpataan-kyberturvallisuuden-perustaidot-kuntoon-tule-mukaan
    European Cyber Security Month invites all of us who use the internet and smart devices to take part.
    We offer tips that help everyone improve their information security and also help those close to them, for example to protect themselves against online scammers. The joint European cyber security effort can be seen and heard on our website and in our social media channels. Join in!

  32. Tomi Engdahl says:

    Atom Silo ransomware actors use Confluence exploit, DLL side-load for stealthy attack https://news.sophos.com/en-us/2021/10/04/atom-silo-ransomware-actors-use-confluence-exploit-dll-side-load-for-stealthy-attack/
    A new ransomware operator uses stealthy techniques, but borrows heavily from other players.

  33. Tomi Engdahl says:

    Misconfigured Airflows Leak Thousands of Credentials from Popular Services https://www.intezer.com/blog/cloud-security/misconfigured-airflows-leak-credentials/
    While researching a misconfiguration in the popular workflow platform, Apache Airflow, we discovered a number of unprotected instances. These unsecured instances expose sensitive information of companies across the media, finance, manufacturing, information technology (IT), biotech, e-commerce, health, energy, cybersecurity, and transportation industries. In the vulnerable Airflows, we see exposed credentials for popular platforms and services such as Slack, PayPal, AWS and more.
    All Apache Airflow users are urged to update to the latest version immediately and make sure their deployments are only accessible to authorized users.

  34. Tomi Engdahl says:

    Company That Routes Billions of Text Messages Quietly Says It Was Hacked https://www.vice.com/en/article/z3xpm8/company-that-routes-billions-of-text-messages-quietly-says-it-was-hacked
    A company that is a critical part of the global telecommunications infrastructure used by AT&T, T-Mobile, Verizon and several others around the world such as Vodafone and China Mobile, quietly disclosed that hackers were inside its systems for years, impacting more than 200 of its clients and potentially millions of cellphone users worldwide. Syniverse repeatedly declined to answer specific questions from Motherboard about the scale of the breach and what specific data was affected, but according to a person who works at a telephone carrier, whoever hacked Syniverse could have had access to metadata such as length and cost, caller and receiver’s numbers, the location of the parties in the call, as well as the content of SMS text messages.

  35. Tomi Engdahl says:

    Expired Let’s Encrypt Root Certificate Causes Problems for Many Companies
    https://www.securityweek.com/expired-lets-encrypt-root-certificate-causes-problems-many-companies

    A root certificate used by Let’s Encrypt expired on September 30 and, despite being notified a long time in advance, many companies experienced problems.

    California-based non-profit certificate authority (CA) Let’s Encrypt has been operating since 2015 and it has issued billions of digital certificates for hundreds of millions of websites in an effort to make the internet safer.

    When it first started issuing certificates, Let’s Encrypt cross-signed its own ISRG Root X1 certificate with an older root certificate, IdentTrust’s DST Root X3, to ensure that its certificates would be immediately trusted by nearly all devices.

    Let’s Encrypt’s ISRG Root X1 certificate is now trusted by a majority of devices and the organization started notifying users nearly one year ago that the DST Root X3 certificate would expire on September 30, 2021.

    Let’s Encrypt has been warning service providers and developers that they may need to take action to prevent any disruption after September 30, but it seems the expiration of the certificate still caused problems for many.

  36. Tomi Engdahl says:

    Someone said DNS and we all know that in this instance stands for Don’t No Shit

  37. Tomi Engdahl says:

    The CIA plot to kidnap or kill Julian Assange in London is a story that is being mistakenly ignored
    https://www.independent.co.uk/voices/julian-assange-cia-kidnap-plot-yahoo-news-b1930759.html

    Assange and Jamal Khashoggi were targeted because they fulfilled the primary duty of journalists – telling the public what governments want to keep secret

    Three years ago, on 2 October 2018, a team of Saudi officials murdered journalist Jamal Khashoggi in the Saudi consulate in Istanbul. The purpose of the killing was to silence Khashoggi and to frighten critics of the Saudi regime by showing that it would pursue and punish them as though they were agents of a foreign power.

    It was revealed this week that a year before the Khashoggi killing in 2017, the CIA had plotted to kidnap or assassinate Julian Assange, the founder of WikiLeaks, who had taken refuge five years earlier in the Ecuador embassy in London. A senior US counter-intelligence official said that plans for the forcible rendition of Assange to the US were discussed “at the highest levels” of the Trump administration. The informant was one of more than 30 US officials – eight of whom confirmed details of the abduction proposal – quoted in a 7,500-word investigation by Yahoo News into the CIA campaign against Assange.

  38. Tomi Engdahl says:

    Web Scrapers Claim to Possess and Sell Personal Data on 1.5 Billion Facebook Users on a Hacker Forum
    https://www.privacyaffairs.com/facebook-data-sold-on-hacker-forum/

    The private and personal information of over 1.5 billion Facebook users is being sold on a popular hacking-related forum, potentially enabling cybercriminals and unscrupulous advertisers to target Internet users globally.

    If authentic, this may constitute one of the biggest and most significant Facebook data dumps to date.

  39. Tomi Engdahl says:

    Telecoms Giant Syniverse Discloses Years-Long Data Breach
    https://www.securityweek.com/telecoms-giant-syniverse-discloses-years-long-data-breach

    Syniverse, a company whose connectivity services are used by nearly all mobile carriers in the world, said hackers had access to its information technology (IT) and operational technology (OT) systems for years.

    Syniverse says it has roughly 1,250 customers across 200 countries, including a vast majority of the world’s mobile carriers, such as AT&T, Verizon, T-Mobile, Vodafone, China Mobile, Airtel, Telefónica, and América Móvil. The company’s services are used to connect the networks of different mobile carriers and enable the transmission of data. Syniverse says it enables billions of transactions, conversations and connections every day.

    In a recent filing with the U.S. Securities and Exchange Commission (SEC), the company admitted discovering a data breach in May 2021. An investigation revealed that an unknown threat actor had access to its OT and IT systems since May 2016.

  40. Tomi Engdahl says:

    Google Patches Over 50 Serious Vulnerabilities in Android
    https://www.securityweek.com/google-patches-over-50-serious-vulnerabilities-android

    Google on Monday announced the availability of new security patches for Android, aimed at addressing more than 50 vulnerabilities in the mobile operating system.

    The most severe of the security flaws described in the October 2021 Security Bulletin is an issue in the Android System component that could be exploited to achieve remote code execution.

    Only 10 vulnerabilities were resolved with the 2021-10-01 security patch level, the first part of this month’s update.

    These include high-severity issues in Android runtime (an elevation of privilege bug), Framework (three elevation of privilege, two information disclosure and one denial of service issue), Media Framework (one elevation of privilege) and System (an information disclosure).

    The second part of the software update, which will roll out to devices as the 2021-10-05 security patch level, addresses 41 vulnerabilities, 3 of which carry a severity rating of critical.

    According to Google, the most severe of these is a remote code execution flaw in the System component. Tracked as CVE-2021-0870, the issue impacts Android 8.1, 9, 10, and 11.

  41. Tomi Engdahl says:

    Chase Bank Heavily Targeted Via XBALTI Phishing Kit
    https://www.securityweek.com/chase-bank-heavily-targeted-xbalti-phishing-kit

    During the three months from mid-May to mid-August 2021, researchers detected a 300% increase in phishing URLs within their own telemetry targeting Chase Bank. Chase was the sixth most targeted brand, behind obvious companies such as PayPal, Apple, and Facebook.

    During this period, researchers from Cyren – a cloud-based threat intelligence and SaaS company – detected a notable increase in phishing kits designed to mimic the Chase banking portal. Of all the phishing kits collected by Cyren over the last six months, Chase is a close second to only Office 365, and well ahead of Microsoft and PayPal.

  42. Tomi Engdahl says:

    Adaptive Shield Raises $30M for SaaS Security Posture Management
    https://www.securityweek.com/adaptive-shield-raises-30m-saas-security-posture-management

    Adaptive Shield, an Israeli cybersecurity startup that specializes in software-as-a-service (SaaS) application security, on Tuesday announced the closing of a $30 million Series A funding round to expand operations around the world.

    Cloud Security Company Orca Raises $550 Million in Extended Series C Round
    https://www.securityweek.com/cloud-security-company-orca-raises-550-million-extended-series-c-round

    Cloud security company Orca Security on Tuesday announced that it has raised $550 million in an extended Series C funding round, at a valuation of $1.8 billion.

    Orca announced in March that it had raised $210 million in a Series C round that valued the company at $1.2 billion.

    The extended round was led by Temasek, a state-owned investment company in Singapore, with strategic investments from SAIC and Splunk Ventures.

    Reply
  43. Tomi Engdahl says:

    Arizona Launches Command Center to Combat Cyberattacks
    https://www.securityweek.com/arizona-launches-command-center-combat-cyberattacks

    Arizona Gov. Doug Ducey has launched a Cyber Command Center that will deal with threats to government computers.

    At a ceremony Monday at the Department of Public Safety’s Arizona Counter Terrorism Information Center in Phoenix, Ducey said the command center will be critical in ensuring the state’s cyber infrastructure remains safe and secure.

    Reply
  44. Tomi Engdahl says:

    Cyber security company expands to Jyväskylä
    https://www.uusiteknologia.fi/2021/10/06/kyberturvayhtio-laajenee-jyvaskylaan/

    The Finnish software house Innofactor is establishing a new office in Jyväskylä in November. The company aims to recruit dozens of IT and cyber security professionals and students over the coming years. Jarno Limnéll recently started as the company's cyber security director; he also serves as a professor at Aalto University and as a docent at the University of Jyväskylä.

    Innofactor is establishing a cyber security center in Jyväskylä
    https://etn.fi/index.php/13-news/12660-innofactor-perustaa-jyvaeskylaeaen-kyberturvakeskuksen

    Innofactor, which has more than 500 developers, is opening a new office in Jyväskylä at the beginning of November. Jyväskylä was chosen as the location of the new office particularly because of the region's IT and cyber security education and expertise.

    Reply
  45. Tomi Engdahl says:

    Understanding How Facebook Disappeared from the Internet https://blog.cloudflare.com/october-2021-facebook-outage/
    The Internet is literally a network of networks, and it’s bound together by BGP. BGP allows one network (say Facebook) to advertise its presence to other networks that form the Internet. As we write, Facebook is not advertising its presence, ISPs and other networks can’t find Facebook’s network and so it is unavailable. With those withdrawals, Facebook and its sites had effectively disconnected themselves from the Internet. As a direct consequence of this, DNS resolvers all over the world stopped resolving their domain names.
    also: https://engineering.fb.com/2021/10/04/networking-traffic/outage/

    Reply
  46. Tomi Engdahl says:

    UEFI threats moving to the ESP: Introducing ESPecter bootkit https://www.welivesecurity.com/2021/10/05/uefi-threats-moving-esp-introducing-especter-bootkit/
    ESET researchers analyze a previously undocumented, real-world UEFI bootkit that persists on the EFI System Partition (ESP). The bootkit, which we’ve named ESPecter, can bypass Windows Driver Signature Enforcement to load its own unsigned driver, which facilitates its espionage activities. Alongside Kaspersky’s recent discovery of the unrelated FinSpy bootkit, it is now safe to say that real-world UEFI threats are no longer limited to SPI flash implants, as used by Lojax.
    ESPecter was encountered on a compromised machine along with a user-mode client component with keylogging and document-stealing functionalities, which is why we believe ESPecter is mainly used for espionage.

    Reply
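Because ESPecter persists on the EFI System Partition rather than in SPI flash, the ESP is a filesystem a defender can inventory. The following is an added example for this page, not ESET's tooling: it builds a SHA-256 baseline of every `.efi` file under an ESP root and reports files that were modified, added or removed since the baseline. The `demo()` function constructs a temporary directory standing in for an ESP; its file names and contents are placeholders, and the tampering it applies is simulated.

```python
"""Baseline-and-compare sweep of EFI binaries on an EFI System Partition.
Added example (not from the ESET post).  On a real system, point
inventory() at the mounted ESP (e.g. the directory where the firmware
partition is mounted) and store the baseline somewhere the OS cannot alter,
since a bootkit that patches the boot manager runs before the OS does."""

import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory(esp_root) -> Dict[str, str]:
    """Map ESP-relative path (forward slashes) -> SHA-256 for every .efi file."""
    root = Path(esp_root)
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in root.rglob("*")
        if p.is_file() and p.suffix.lower() == ".efi"
    }


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify drift between two inventories."""
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "unexpected": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }


def demo() -> Dict[str, List[str]]:
    """Build a constructed ESP, baseline it, simulate tampering, report drift."""
    with tempfile.TemporaryDirectory() as tmp:
        esp = Path(tmp)
        # Constructed placeholder contents; real files are PE/COFF images.
        files = {
            "EFI/Microsoft/Boot/bootmgfw.efi": b"MZ placeholder boot manager",
            "EFI/Boot/bootx64.efi": b"MZ placeholder fallback loader",
            "EFI/vendor/firmware-update.efi": b"MZ placeholder vendor tool",
        }
        for rel, content in files.items():
            p = esp / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(content)
        baseline = inventory(esp)

        # Simulated tampering: boot manager replaced, extra binary dropped.
        (esp / "EFI/Microsoft/Boot/bootmgfw.efi").write_bytes(b"MZ tampered")
        (esp / "EFI/Microsoft/Boot/extra.efi").write_bytes(b"MZ unexpected")

        return compare(baseline, inventory(esp))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:10s} {paths}")
```

The sweep is deliberately content-agnostic: it does not try to judge whether a binary is signed or benign, only whether the set of EFI images on the partition still matches what was recorded. Combined with firmware-level protections such as Secure Boot, this gives an OS-side check that catches a changed or newly dropped loader even when the OS cannot see what ran before it.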
  47. Tomi Engdahl says:

    Mobile Malware: TangleBot Untangled
    https://www.proofpoint.com/us/blog/threat-insight/mobile-malware-tanglebot-untangled
    TangleBot is leveraging COVID-19 and electricity-themed lures in its effort to convince users to click on the malicious link and install the malware. The SMS links are only malicious via Android mobile devices and are currently only being sent to US and Canadian users.
    TangleBot, while sharing some similarities with the Medusa malware, has some key distinguishing features that make it particularly threatening, such as its advanced behaviors and transmission abilities and its use of a string decryption routine as part of its obfuscation.

    Reply
