This posting is here to collect cyber security news in October 2021.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
376 Comments
Tomi Engdahl says:
No honor among thieves: One in five targets of FIN12 hacking group is in healthcare
The group strikes big game targets with annual revenues of over $6 billion.
https://www.zdnet.com/article/no-honor-among-thieves-one-in-five-targets-of-fin12-hacking-group-is-involved-in-healthcare/
Tomi Engdahl says:
https://thehackernews.com/2021/10/iranian-hackers-abuse-dropbox-in.html
Tomi Engdahl says:
New Python ransomware targets virtual machines, ESXi hypervisors to encrypt disks
By targeting ESXi, encryption was achieved in less than three hours on a corporate network.
https://www.zdnet.com/article/new-python-ransomware-targets-virtual-machines-esxi-hypervisor-to-encrypt-disks/
Tomi Engdahl says:
https://thehackernews.com/2021/10/apache-warns-of-zero-day-exploit-in.html
Tomi Engdahl says:
Facebook bans, sends cease-and-desist letter to developer of Unfollow Everything extension
That’ll help improve its image
https://www.techspot.com/news/91650-facebook-bans-sends-cease-desist-letter-developer-unfollow.html
What just happened? Given the rough couple of weeks Facebook has been through, the company could definitely use some good PR right now, so here’s exactly the opposite: it’s been revealed that the social network has permanently banned the creator of a tool that unfollows all connections automatically, potentially making the social network less addictive and depressing.
Louis Barclay, creator of the Unfollow Everything browser extension that lets users unfollow—not unfriend—all their friends, groups, and pages simultaneously (rather than individually), writes that his program has not been welcomed by Facebook.
Unfollow Everything essentially gets rid of your entire newsfeed, something highlighted as an addictive factor in keeping people on the service. “I still remember the feeling of unfollowing everything for the first time. It was near-miraculous. I had lost nothing, since I could still see my favorite friends and groups by going to them directly,
“But I had gained a staggering amount of control. I was no longer tempted to scroll down an infinite feed of content. The time I spent on Facebook decreased dramatically. Overnight, my Facebook addiction became manageable.”
Facebook responded to the tool by sending Barclay a cease-and-desist letter threatening legal action. It claimed he violated the site’s terms of service through a program that automates user interactions. The company then “permanently disabled my Facebook and Instagram accounts” and “demanded that I agree to never again create tools that interact with Facebook or its other services.”
The last few weeks have been Facebook’s worst since it was rocked by the Cambridge Analytica scandal in 2018.
Tomi Engdahl says:
Google announces new efforts to protect journalists and high-risk users from cyberattacks
The announcement comes one day after the Google TAG team alerted journalists and high-risk groups that could be targets to ongoing attacks.
https://www.zdnet.com/article/google-announces-new-efforts-to-protect-journalists-and-high-risk-users-from-cyberattacks/
Tomi Engdahl says:
McAfee/FireEye merger completed, CEO says automation only way forward for cybersecurity
CEO Bryan Palma said the deficit of cybersecurity talent means AI and machine learning will need to take on a bigger role in cybersecurity.
https://www.zdnet.com/article/mcafeefireeye-merger-completed-ceo-says-automation-only-way-forward-for-cybersecurity/
Tomi Engdahl says:
https://blog.cloudflare.com/october-2021-facebook-outage/
Tomi Engdahl says:
September 2021’s Most Wanted Malware: Trickbot Once Again Tops the List https://blog.checkpoint.com/2021/10/08/september-2021s-most-wanted-malware-trickbot-once-again-tops-the-list/
Check Point Research reports that Trickbot is the most prevalent malware while remote access trojan, njRAT, has entered the index for the first time. The remote access trojan, njRAT, has entered the top ten for the first time, taking the place of Phorpiex which is no longer active. Trickbot is a banking trojan that can steal financial details, account credentials, and personally identifiable information, as well as spread within a network and drop ransomware.
Tomi Engdahl says:
Discord scammers lure victims with promise of free Nitro subscriptions https://blog.malwarebytes.com/scams/2021/10/discord-scammers-lure-victims-with-promise-of-free-nitro-subscriptions/
A number of bogus offers are doing the rounds in Discord land at the moment. Discord, a group text chat/VoIP app of choice for many gaming communities, is having a bit of trouble with phishing links. You may recall we’ve covered a lot of Discord scams previously. Service users can create bots, those bots can be invited into channels, and then they get to work spamming. The messages run the range of free games, discount sign-ups for services, or just plain old fake login screens.
Tomi Engdahl says:
Apache patch proves patchy: now you need to patch the patch https://nakedsecurity.sophos.com/2021/10/08/apache-patch-proves-patchy-now-you-need-to-patch-the-patch/
Software patches are sometimes a bit like buses. You don’t get one for a while, and then three come at once. For buses on busy urban routes, at least, the explanation of the phenomenon goes something like this.
If three buses start out travelling the same route together in a nicely spaced sequence, then the first one is most likely to be the slowest, because it will be stopping to scoop up most of the waiting passengers, while the ones behind will tend to travel faster because they need to stop less often or for shorter periods.
Tomi Engdahl says:
https://securityintelligence.com/articles/case-for-cybersecurity-education-engineers/
Engineering and cybersecurity are two distinct disciplines, each demanding its own rigorous education and training. But should there be crossover? Should engineers or engineering students invest in cybersecurity education as well? What are the opportunities for engineers to gain expertise in protecting against threat actors in the software realm?
FontOnLake: Previously unknown malware family targeting Linux https://www.welivesecurity.com/2021/10/07/fontonlake-previously-unknown-malware-family-targeting-linux/
ESET researchers have discovered a previously unknown malware family that utilizes custom and well-designed modules, targeting systems running Linux. Modules used by this malware family, which we dubbed FontOnLake, are constantly under development and provide remote access to the operators, collect credentials, and serve as a proxy server. In this blogpost, we summarize the findings published in full in our white paper.
Tomi Engdahl says:
New Patch Released for Actively Exploited 0-Day Apache Path Traversal to RCE Attacks https://thehackernews.com/2021/10/new-patch-released-for-actively.html
The Apache Software Foundation on Thursday released additional security updates for its HTTP Server product to remediate what it says is an “incomplete fix” for an actively exploited path traversal and remote code execution flaw that it patched earlier this week.
CVE-2021-42013, as the new vulnerability is identified, builds upon CVE-2021-41773, a flaw that impacted Apache web servers running version 2.4.49 and involved a path normalization bug that could enable an adversary to access and view arbitrary files stored on a vulnerable server.
Tomi Engdahl says:
BrewDog exposed data for over 200,000 shareholders and customers https://www.bleepingcomputer.com/news/security/brewdog-exposed-data-for-over-200-000-shareholders-and-customers/
BrewDog, the Scottish brewery and pub chain famous for its crowd-ownership model and the tasty IPAs, has irreversibly exposed the details of 200,000 of its shareholders and customers. The exposure lasted for over 18 months and the point of the leak was the firm’s mobile app, which gives the Equity Punks community access to information, discounts at bars, and more.
Tomi Engdahl says:
Actors Target Huawei Cloud Using Upgraded Linux Malware https://www.trendmicro.com/en_us/research/21/j/actors-target-huawei-cloud-using-upgraded-linux-malware-.html
We have recently noticed another Linux threat evolution that targets relatively new cloud service providers (CSPs) with cryptocurrency-mining malware and cryptojacking attacks. In this article, we discuss a new Linux malware trend in which malicious actors deploy code that removes applications and services present mainly in Huawei Cloud. Specifically, the malicious code disables the hostguard service, a Huawei Cloud Linux agent process that detects security issues, protects the system, and monitors the agent.
Tomi Engdahl says:
Togo: Prominent activist targeted with Indian-made spyware linked to notorious hacker group https://www.amnesty.org/en/latest/news/2021/10/togo-activist-targeted-with-spyware-by-notorious-hacker-group/
Togolese activist targeted with spyware by the Donot Team hacker group. Amnesty International exposes links between the Donot Team attacks and Innefu Labs, a cybersecurity company based in India. First time Donot Team publicly linked to cyberattacks targeting activists outside of South Asia. Spyware-loaded emails and fake Android applications could access the device’s camera and microphone, steal photos and files, and read WhatsApp messages.
Tomi Engdahl says:
Finland assesses the controversial report on Chinese phones:
Mostly accurate
https://www.is.fi/digitoday/tietoturva/art-2000008315834.html
The National Cyber Security Centre of the Finnish Transport and Communications Agency Traficom has given its assessment of the Lithuanian authorities’ late-September recommendation, which caused a stir, to stop using Chinese phones.
The Lithuanian Ministry of Defence thoroughly examined the Xiaomi Mi 10T 5G, the Huawei P40 5G and the OnePlus 8T 5G. In the Xiaomi it found features that monitor the user’s communications based on keywords, and in the Huawei a security hole.
Tomi Engdahl says:
Cox Media Group confirms ransomware attack that took down broadcasts https://www.bleepingcomputer.com/news/security/cox-media-group-confirms-ransomware-attack-that-took-down-broadcasts/
American media conglomerate Cox Media Group (CMG) confirmed that it was hit by a ransomware attack that took down live TV and radio broadcast streams in June 2021. The company acknowledged the attack in data breach notification letters sent today via U.S. Mail to over 800 impacted individuals believed to have had their personal information exposed in the attack. The group first informed potentially affected individuals of the incident via email on July 30.
Tomi Engdahl says:
ESET researchers have discovered a previously unknown malware family that utilizes custom and well-designed modules, targeting systems running Linux https://www.welivesecurity.com/2021/10/07/fontonlake-previously-unknown-malware-family-targeting-linux/
Modules used by this malware family, which we dubbed FontOnLake, are constantly under development and provide remote access to the operators, collect credentials, and serve as a proxy server. In this blogpost, we summarize the findings published in full in our white paper.
Tomi Engdahl says:
Scanning for Previous Oracle WebLogic Vulnerabilities https://isc.sans.edu/forums/diary/Scanning+for+Previous+Oracle+WebLogic+Vulnerabilities/27918/
In the past few weeks, I have captured multiple instances of traffic related to some past Oracle vulnerabilities that have already been patched. The first is related to a RCE (CVE-2017-10271) that can be triggered to execute commands remotely by bypassing the CVE-2017-3506 patch’s limitations. The POST contains an init.sh script which doesn’t appear to be available for download. The second example is a vulnerability in the Oracle WebLogic Server component related to a Deserialization Vulnerability (CVE-2019-2725).
Tomi Engdahl says:
New Python ransomware targets virtual machines, ESXi hypervisors to encrypt disks
By targeting ESXi, encryption was achieved in less than three hours on a corporate network.
https://www.zdnet.com/article/new-python-ransomware-targets-virtual-machines-esxi-hypervisor-to-encrypt-disks/
A new strain of Python-based malware has been used in a “sniper” campaign to achieve encryption on a corporate system in less than three hours.
The attack, one of the fastest recorded by Sophos researchers, was achieved by operators who “precision-targeted the ESXi platform” in order to encrypt the virtual machines of the victim.
On Tuesday, Sophos said the malware, a new variant written in Python, was deployed ten minutes after threat actors managed to break into a TeamViewer account belonging to the victim organization.
Python ransomware script targets ESXi server for encryption https://news.sophos.com/en-us/2021/10/05/python-ransomware-script-targets-esxi-server-for-encryption/
A recently-concluded investigation into a ransomware attack revealed that the attackers executed a custom Python script on the target’s virtual machine hypervisor to encrypt all the virtual disks, taking the organization’s VMs offline. In what was one of the quickest attacks Sophos has investigated, from the time of the initial compromise until the deployment of the ransomware script, the attackers only spent just over three hours on the target’s network before encrypting the virtual disks in a VMware ESXi server.
Tomi Engdahl says:
https://www.securityweek.com/twitch-struggles-hackers-and-hate-raid-bots
Tomi Engdahl says:
https://www.securityweek.com/iran-linked-malkamak-hackers-targeting-aerospace-telcos-shellclient-rat
Tomi Engdahl says:
https://www.securityweek.com/cisco-patches-high-severity-vulnerabilities-security-appliances-business-switches
Tomi Engdahl says:
Attackers Encrypt VMware ESXi Server With Python Ransomware
https://www.securityweek.com/attackers-encrypt-vmware-esxi-server-python-ransomware
A recently observed attack employed a Python-based ransomware variant to target an organization’s VMware ESXi server and encrypt all virtual disks, Sophos reports.
The attack involved the use of a custom Python script that, once executed on the target organization’s virtual machine hypervisor, took all VMs offline.
The attackers, Sophos’ security researchers explain, were rather quick to execute the ransomware: the encryption process started roughly three hours after initial compromise.
For initial access, the attackers compromised a TeamViewer account that did not have multi-factor authentication set up, and which was running in the background on a computer belonging to a user that had Domain Administrator credentials.
The attackers waited 30 minutes past midnight in the organization’s time zone to log in, then downloaded and executed a tool to identify targets on the network, which allowed them to find a VMware ESXi server, Sophos explains.
At around 2am, the attackers fetched an SSH client to log into the server, leveraging the built-in SSH service ESXi Shell that can be enabled on ESXi servers for management purposes.
Three hours after the network was first scanned, the attackers logged into the ESXi Shell, copied the Python script, and then executed it for each datastore disk volume, thus encrypting the virtual disk and settings files for virtual machines.
The script is only 6kb in size, but allows attackers to configure it with multiple encryption keys, as well as with various email addresses and with the file suffix to be appended to encrypted files.
Tomi Engdahl says:
Aggressive Ransomware Group FIN12 Moves Fast, Targets Big Companies
https://www.securityweek.com/aggressive-ransomware-group-fin12-moves-fast-targets-big-companies
A report published by Mandiant on Thursday details the activities and tools of FIN12, a highly aggressive ransomware group that has likely made a significant amount of money over the past years.
The threat group, tracked until now by Mandiant as UNC1878, has been around since at least October 2018. The UNC classification is assigned to “uncategorized” entities before the cybersecurity firm can determine with certainty if it’s a financially-motivated group (FIN) or a state-sponsored advanced persistent threat actor (APT).
FIN12 has mostly used the Ryuk ransomware in its attacks and it has relied on other cybercrime groups for initial access into victims’ environments. Until March 2020, they mostly relied on access obtained by operators of the Trickbot trojan, but later they started leveraging other malware, as well as remote Citrix and RDP logins using credentials that were likely obtained on underground forums.
Tomi Engdahl says:
Apache Releases Another Patch for Actively Exploited HTTP Server Zero-Day
https://www.securityweek.com/apache-releases-another-patch-actively-exploited-http-server-zero-day
The Apache HTTP Server Project on Thursday announced the release of another update in response to a recently discovered zero-day vulnerability after determining that the initial fix was incomplete.
The vulnerability, tracked as CVE-2021-41773, can be exploited for path traversal and remote code execution. The flaw impacts Apache HTTP Server 2.4.49 and it has been exploited in attacks, so it’s important that organizations install the patches as soon as possible.
Apache HTTP Server 2.4.50 was initially released to patch CVE-2021-41773, but the fix was not sufficient. Another CVE identifier, CVE-2021-42013, has been assigned, and HTTP Server 2.4.51 was released on Thursday in an attempt to deliver a more complete patch.
“An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives,” the developers explained in a new advisory. “If files outside of these directories are not protected by the usual default configuration ‘require all denied’, these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution.”
Tomi Engdahl says:
FontOnLake Linux Malware Used in Targeted Attacks
https://www.securityweek.com/fontonlake-linux-malware-used-targeted-attacks
A previously unknown, modular malware family that targets Linux systems has been used in targeted attacks to collect credentials and gain access to victim systems, ESET reported on Thursday.
Dubbed FontOnLake, the malware family employs a rootkit to conceal its presence and uses different command and control servers for each sample, which shows how careful its operators are to maintain a low profile.
What’s more, the malware developers are constantly modifying the FontOnLake modules, and use three categories of components that have been designed to work together, namely trojanized applications, backdoors, and rootkits.
Evidence suggests that FontOnLake has been used in attacks aimed at organizations in Southeast Asia.
https://www.welivesecurity.com/wp-content/uploads/2021/10/eset_fontonlake.pdf
Tomi Engdahl says:
Google Patches Four Severe Vulnerabilities in Chrome
https://www.securityweek.com/google-patches-four-severe-vulnerabilities-chrome
Google this week announced the release of an updated Chrome version for Windows, Mac and Linux, to address a total of four high-severity vulnerabilities in the browser.
Tracked as CVE-2021-37977, the most severe of these security holes could be exploited to achieve arbitrary code execution on a target system.
The flaw, described as a use-after-free bug in Garbage Collection, was reported last month by an anonymous researcher. Google says it paid a $10,000 bounty reward for the finding.
Now rolling out to desktop users as Chrome version 94.0.4606.81, the new browser iteration also addresses two heap buffer overflow vulnerabilities in Blink (CVE-2021-37978) and WebRTC (CVE-2021-37979).
Google says the Chrome extended stable channel too was updated to version 94.0.4606.81 for Windows and Mac.
Tomi Engdahl says:
https://hackaday.com/2021/10/08/this-week-in-security-apache-nightmare-revil-arrests-and-the-ultimate-rickroll/
The Apache HTTP Server version 2.4.49 has a blistering vulnerability, and it’s already being leveraged in attacks. CVE-2021-41773 is a simple path traversal flaw, where the %2e encoding is used to bypass filtering. Thankfully the bug was introduced in 2.4.49, the latest release, and a hotfix has already been released, 2.4.50.
curl --data "echo;id" 'http://127.0.0.1:80/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh'
If that returns anything other than a 403 error, your server may be vulnerable. It’s worth pointing out that Apache is shipped with a configuration block that mitigates this vulnerability.
# Deny access to the entirety of your server's filesystem. You must
# explicitly permit access to web content directories in other
# <Directory> blocks below.
#
<Directory />
    AllowOverride none
    Require all denied
</Directory>
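As an added example (not part of the Hackaday write-up, nor Apache's own tooling), the script below applies the same check offline: it parses Apache access-log lines and flags any request path that, after one or two rounds of percent-decoding, contains a ".." segment that climbs above the document root. One decode catches the ".%2e" form from CVE-2021-41773; two decodes catch the double-encoded ".%%32%65" form that bypassed the 2.4.50 fix and became CVE-2021-42013. The log lines, client addresses and paths are constructed for the demonstration; a 200 on a flagged cgi-bin line is the case worth investigating, a 403 means the "Require all denied" block above did its job.

```python
import re
from urllib.parse import unquote

# Apache combined-log prefix: client, identd, user, [timestamp] "METHOD PATH PROTO" STATUS
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>\S+)" (?P<status>\d{3})'
)

# Constructed sample lines (not from any real server). The two traversal shapes are
# '.%2e' (CVE-2021-41773) and its double-encoded form '.%%32%65' (CVE-2021-42013).
SAMPLE_LOG = """\
192.0.2.10 - - [06/Oct/2021:10:15:01 +0000] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
192.0.2.44 - - [06/Oct/2021:10:15:02 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 200 1453 "-" "curl/7.79.1"
192.0.2.44 - - [06/Oct/2021:10:15:03 +0000] "POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1" 200 98 "-" "curl/7.79.1"
198.51.100.7 - - [07/Oct/2021:22:01:09 +0000] "GET /cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/etc/passwd HTTP/1.1" 403 199 "-" "python-requests/2.26.0"
192.0.2.10 - - [06/Oct/2021:10:16:00 +0000] "GET /docs/a/../b.html HTTP/1.1" 200 500 "-" "Mozilla/5.0"
"""


def escapes_root(path: str) -> bool:
    """True if walking the '/'-separated segments ever climbs above the root.
    A '..' that only backs out of a deeper directory (/docs/a/../b) is fine."""
    depth = 0
    for seg in path.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False


def traversal_stage(path: str):
    """Return the decoding stage that first exposes a root-escaping '..':
    'raw' (literal), 'single' (one percent-decode, the .%2e trick) or
    'double' (two decodes, the .%%32%65 trick); None if the path stays inside."""
    once = unquote(path)
    stages = [("raw", path), ("single", once), ("double", unquote(once))]
    for name, form in stages:
        if escapes_root(form):
            return name
    return None


def scan_log(text: str):
    """Parse access-log lines and return the requests whose path escapes the root,
    with the response status so a served (200) hit can be separated from a blocked (403) one."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        stage = traversal_stage(m["path"])
        if stage:
            hits.append({"ip": m["ip"], "method": m["method"], "path": m["path"],
                         "status": m["status"], "stage": stage})
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f'{h["ip"]} {h["method"]} {h["status"]} [{h["stage"]}] {h["path"]}')
```

Run it against a real access_log by replacing SAMPLE_LOG with the file contents; the "stage" field tells you which of the two CVEs' encodings was tried, and a POST hit against /cgi-bin/ with a 200 is the RCE case, since the request body (the "echo;id" in the curl check above) is never logged.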
Tomi Engdahl says:
OpenOffice has released 4.1.11, containing the fix for CVE-2021-33035, which we discussed last week. Just a reminder, that means that this vulnerability was available as a 0-day for about a week before this release.
https://blogs.apache.org/foundation/entry/the-apache-software-foundation-announces79
Tomi Engdahl says:
https://techcrunch.com/2021/10/11/google-pulls-stalkerware-ads-that-promoted-phone-spying-apps/?tpcc=tcplusfacebook
Tomi Engdahl says:
Iran-linked DEV-0343 targeting defense, GIS, and maritime sectors https://www.microsoft.com/security/blog/2021/10/11/iran-linked-dev-0343-targeting-defense-gis-and-maritime-sectors/
DEV-0343 is a new activity cluster that the Microsoft Threat Intelligence Center (MSTIC) first observed and began tracking in late July 2021. MSTIC has observed DEV-0343 conducting extensive password spraying against more than 250 Office 365 tenants, with a focus on US and Israeli defense technology companies, Persian Gulf ports of entry, or global maritime transportation companies with business presence in the Middle East. Less than 20 of the targeted tenants were successfully compromised, but DEV-0343 continues to evolve their techniques to refine its attacks. MSTIC noted that Office 365 accounts with multifactor authentication (MFA) enabled are resilient against password sprays.
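Password spraying has a recognisable shape in sign-in telemetry: one source, many accounts, very few guesses per account, spread out to stay under lockout thresholds. The following Python is an added illustration of that heuristic and is not Microsoft's detection logic; the sign-in events, the contoso.example accounts and the source addresses are constructed, and the thresholds (ten accounts within thirty minutes, at most three tries each) are assumptions to tune against your own tenant. A success from the same source shortly after the spray is the account to triage first, which is where the MSTIC note about MFA applies: with MFA enforced that success does not become a compromise.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real telemetry): (timestamp, source_ip, user, result).
SPRAY_IP = "203.0.113.5"
USERS = [f"user{i:02d}@contoso.example" for i in range(12)]
SAMPLE_SIGNINS = [
    # one attempt per account, a minute apart, all from the same source: the spray signature
    (f"2021-07-28T01:{i:02d}:00Z", SPRAY_IP, USERS[i], "failure") for i in range(12)
] + [
    ("2021-07-28T01:13:00Z", SPRAY_IP, USERS[4], "success"),      # guessed password, no MFA
    # a legitimate user mistyping a password a few times, then getting in
    ("2021-07-28T08:00:00Z", "198.51.100.20", USERS[1], "failure"),
    ("2021-07-28T08:00:20Z", "198.51.100.20", USERS[1], "failure"),
    ("2021-07-28T08:00:40Z", "198.51.100.20", USERS[1], "failure"),
    ("2021-07-28T08:01:00Z", "198.51.100.20", USERS[1], "success"),
]


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_password_spray(events, window=timedelta(minutes=30), min_users=10, max_per_user=3):
    """Return {source_ip: finding} for sources whose failed sign-ins inside one
    `window` touch at least `min_users` distinct accounts with no more than
    `max_per_user` attempts each. Brute force against one account (many tries,
    one user) does not match; a spray (few tries, many users) does."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        by_ip[ip].append((parse_ts(ts), user, result))

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort()
        failures = [(t, u) for t, u, r in evs if r == "failure"]
        best = None
        # slide a window starting at each failure and keep the widest spray seen
        for start, _ in failures:
            in_win = [(t, u) for t, u in failures if start <= t <= start + window]
            per_user = Counter(u for _, u in in_win)
            if len(per_user) < min_users or max(per_user.values()) > max_per_user:
                continue
            if best is None or len(per_user) > best["distinct_users"]:
                # any success from the same source within a further window is the
                # account to reset and check for MFA first
                succeeded = sorted({u for t, u, r in evs
                                    if r == "success" and start <= t <= start + 2 * window})
                best = {"distinct_users": len(per_user),
                        "attempts": len(in_win),
                        "window_start": start.isoformat(),
                        "succeeded": succeeded}
        if best:
            findings[ip] = best
    return findings


if __name__ == "__main__":
    for ip, f in detect_password_spray(SAMPLE_SIGNINS).items():
        print(f"{ip}: {f['attempts']} failures across {f['distinct_users']} accounts "
              f"from {f['window_start']}; later successes: {f['succeeded'] or 'none'}")
```

The same loop works over Azure AD sign-in log exports once the four fields are mapped; lowering max_per_user or raising min_users trades missed slow sprays for fewer false positives from shared NAT addresses.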
Tomi Engdahl says:
Cybersecurity awareness month: Fight the phish!
https://nakedsecurity.sophos.com/2021/10/11/becybersmart-2021-week2/
It’s the second week of Cybersecurity Awareness Month 2021, and this week’s theme is an alliterative reminder: Fight the Phish!
Unfortunately, anti-phishing advice often seems to fall on deaf ears, because phishing is an old cybercrime trick, and lots of people seem to think it’s what computer scientists or mathematical analysts call a solved game.
Tomi Engdahl says:
Ukrainian police arrest DDoS operator controlling 100,000 bots https://www.bleepingcomputer.com/news/security/ukrainian-police-arrest-ddos-operator-controlling-100-000-bots/
Ukrainian police have arrested a hacker who controlled a 100,000 device botnet used to perform DDoS attacks on behalf of paid customers. The threat actor was arrested at his home in Prykarpattia where he was allegedly using the botnet to perform DDoS attacks or to support other malicious activity for his clients. This activity included brute-forcing login credentials at web sites, performing spamming operations, and penetration testing on remote devices to identify and exploit vulnerabilities.
Tomi Engdahl says:
Pacific City Bank discloses ransomware attack claimed by AvosLocker https://www.bleepingcomputer.com/news/security/pacific-city-bank-discloses-ransomware-attack-claimed-by-avoslocker/
Pacific City Bank (PCB), one of the largest Korean-American community banking service providers in America, has disclosed a ransomware incident that took place last month. The bank is circulating notices to inform its clients of a security breach it identified on August 30, 2021, which they claim to have addressed promptly.
Tomi Engdahl says:
Things that go “Bump” in the Night: Non HTTP Requests Hitting Web Servers https://isc.sans.edu/forums/diary/Things+that+go+Bump+in+the+Night+Non+HTTP+Requests+Hitting+Web+Servers/27924/
If you are reviewing your web server logs periodically, you may notice some odd requests that are not HTTP requests in your logs. In particular if you have a web server listening on a non standard port.
I want to quickly review some of the most common requests like that, that I am seeing…
Tomi Engdahl says:
Microsoft Defender for Identity to detect Windows Bronze Bit attacks https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-for-identity-to-detect-windows-bronze-bit-attacks/
Microsoft is working on adding support for Bronze Bit attacks detection to Microsoft Defender for Identity to make it easier for Security Operations teams to detect attempts to abuse a Windows Kerberos security bypass bug tracked as CVE-2020-17049. Microsoft Defender for Identity (previously Azure Advanced Threat Protection or Azure ATP) is a cloud-based security solution that leverages on-premises Active Directory signals
Tomi Engdahl says:
Several Finns have fallen for the Omakanta scam; according to Kela, the scam sites have been removed from the internet
https://yle.fi/uutiset/3-12138550
The Omakanta site was targeted by a scam in September. Foreign criminal gangs set up a scam site resembling Omakanta and used it to phish for money. Now the scam sites have been removed from search engines, Kela assures.
Tomi Engdahl says:
LibreOffice, OpenOffice bug allows hackers to spoof signed docs https://www.bleepingcomputer.com/news/security/libreoffice-openoffice-bug-allows-hackers-to-spoof-signed-docs/
LibreOffice and OpenOffice have pushed updates to address a vulnerability that makes it possible for an attacker to manipulate documents to appear as signed by a trusted source. Although the severity of the flaw is classified as moderate, the implications could be dire. The digital signatures used in document macros are meant to help the user verify that the document hasn’t been altered and can be trusted.
Tomi Engdahl says:
Apple Confirms iOS 15 Zero-Day Exploitation
https://www.securityweek.com/apple-confirms-ios-15-zero-day-exploitation
Apple rushes out iOS 15.0.2 to address a remote code execution vulnerability that is being actively exploited
According to Apple’s advisory, the security defect (CVE-2021-30883) exists in IOMobileFrameBuffer, a kernel extension used to manage the screen frame buffer.
“An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited,” the company said.
Tomi Engdahl says:
Microsoft Exposes Iran-linked APT Targeting U.S., Israeli Defense Tech Sectors
https://www.securityweek.com/microsoft-exposes-iran-linked-apt-targeting-us-israeli-defense-tech-sectors
Tomi Engdahl says:
Amnesty Links Indian Cybersecurity Firm to Spyware Attack on African Activist
https://www.securityweek.com/amnesty-links-indian-cybersecurity-firm-spyware-attack-african-activist
Human rights organization Amnesty International last week reported identifying a link between an Indian cybersecurity company and the infrastructure used by a hacking group in an attack that attempted to deliver Android and Windows spyware to an activist in the West African country of Togo.
In late 2019 and early 2020, ahead of the presidential elections in Togo, the Donot Team hacking group attempted to spy on a prominent Togolese human rights defender, but only managed to raise the victim’s suspicion.
Active since at least 2012 and also tracked as APT-C-35 and SectorE02, Donot Team is mainly known for its focus on targets in India, Pakistan, China, and other Asian countries. For the past couple of years, however, it has shifted focus to additional geographies, including Argentina, UAE, and the UK.
While this is the first reported Donot Team attack against an individual in West Africa, it is not the first cyberattack against activists in Togo, who have long been the target of shadowy cyber-mercenaries.
Tomi Engdahl says:
InHand Router Flaws Could Expose Many Industrial Companies to Remote Attacks
https://www.securityweek.com/inhand-router-flaws-could-expose-many-industrial-companies-remote-attacks
Several serious vulnerabilities discovered by researchers in industrial routers made by InHand Networks could expose many organizations to remote attacks, and patches do not appear to be available.
The flaws were discovered nearly one year ago by researchers at industrial cybersecurity firm OTORIO in IR615 LTE routers made by industrial IoT solutions provider InHand Networks. The company has offices in China, the U.S. and Germany, and its products are used all around the world. InHand says its customers include Siemens, GE Healthcare, Coca Cola, Philips Healthcare and other major companies.
Tomi Engdahl says:
ICS Advisory (ICSA-21-280-05)
InHand Networks IR615 Router
https://us-cert.cisa.gov/ics/advisories/icsa-21-280-05
Tomi Engdahl says:
Remote access trojan on the most-common malware list for the first time
https://etn.fi/index.php/13-news/12681-etaekaeyttoetroijalainen-ensimmaeistae-kertaa-yleisimpien-listalla
Researchers at security company Check Point report that Trickbot returned in September to being the world’s most common malware. It was followed by the remote access trojan njRAT, which reached the top 10 for the first time. Finland’s number one is the ransomware Mailto.
Trickbot is a banking trojan that can steal financial details, credentials and other personal information, and spread ransomware across a network. Trickbot has grown in popularity since the Emotet takedown in January. It is continuously updated with new features and distribution methods, which makes it a flexible and versatile piece of malware.
Finland’s most common malware in September was the ransomware Mailto, which was found in over eight percent of the country’s corporate networks. “Last week our researchers reported that organisations in Finland are seeing 96 percent more attacks per week this year than in 2020, and globally 40 percent more,” says Sampo Vehkaoja, Check Point’s country manager for Finland and the Baltics.
Tomi Engdahl says:
September 2021’s Most Wanted Malware: Trickbot Once Again Tops the List
https://blog.checkpoint.com/2021/10/08/september-2021s-most-wanted-malware-trickbot-once-again-tops-the-list/
Tomi Engdahl says:
Ransomware troubles Finns the most
https://www.uusiteknologia.fi/2021/10/11/kiristysohjelma-rassaa-eniten-suomalaisia/
According to Check Point, Finland’s most common malware in September was the ransomware Mailto, which was found in over eight percent of Finnish companies’ networks. Globally the most common malware was the banking trojan Trickbot.
“Last week our researchers reported that organisations in Finland are seeing 96 percent more attacks per week this year than in 2020, and globally 40 percent more,” says Sampo Vehkaoja, Check Point’s country manager for Finland and the Baltics.
Researchers at security company Check Point report that globally Trickbot has once again risen to be the most common malware after briefly dropping to second place in August. Second place is now taken by the remote access trojan njRAT.
Tomi Engdahl says:
Catalin Cimpanu / The Record:
Microsoft says it mitigated a 2.4Tbps DDoS attack on an Azure customer at the end of August, breaking AWS’ record of mitigating a 2.3Tbps attack in Feb. 2020 — Microsoft said its Azure cloud service mitigated a 2.4 terabytes per second (Tbps) distributed denial of service attack this year …
Microsoft said it mitigated a 2.4 Tbps DDoS attack, the largest ever
https://therecord.media/microsoft-said-it-mitigated-a-2-4-tbps-ddos-attack-the-largest-ever/
Microsoft said its Azure cloud service mitigated a 2.4 terabytes per second (Tbps) distributed denial of service attack this year, at the end of August, representing the largest DDoS attack recorded to date.
Amir Dahan, Senior Program Manager for Azure Networking, said the attack was carried out using a botnet of approximately 70,000 bots primarily located across the Asia-Pacific region, such as Malaysia, Vietnam, Taiwan, Japan, and China, as well as the United States.
Dahan identified the target of the attack only as “an Azure customer in Europe.”
The Microsoft exec said the record-breaking DDoS attack came in three short waves, in the span of ten minutes, with the first at 2.4 Tbps, the second at 0.55 Tbps, and the third at 1.7 Tbps.
Dahan said Microsoft successfully mitigated the attack without Azure going down.
Prior to Microsoft’s disclosure today, the previous DDoS record was held by a 2.3 Tbps attack that Amazon’s AWS division mitigated in February 2020.
Dahan said the largest DDoS attack that hit Azure prior to the August attack was a 1 Tbps attack the company saw in Q3 2020, while this year, Azure didn’t see a DDoS attack over 625 Mbps all year.
Tomi Engdahl says:
Wall Street Journal:
Analysis of leaked data from 4.9M Twitch accounts: the top 1% of streamers made over half of the money paid out in 2021, 3/4 made under $120, and more
Twitch Streamer Earnings Increase for Top Gamers, Data From Hack Shows
The top 1% of paid streamers so far this year got over half of all revenue
https://www.wsj.com/articles/twitch-streamer-earnings-increase-for-top-gamers-data-from-hack-shows-11633802185?mod=djemalertNEWS