This posting is here to collect cyber security news in October 2021.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
Tomi Engdahl says:
Kurt Wagner / Bloomberg:
Facebook says it will stop linking Facebook and Instagram accounts behind the scenes for advertising purposes due to privacy and regulatory changes
https://www.bloomberg.com/news/articles/2021-10-11/facebook-changes-the-way-it-measures-accounts-for-advertisers
Tomi Engdahl says:
Sky denies it suffered a significant network breach
Says no customer impact despite warnings from experts
https://www.techradar.com/news/sky-may-have-suffered-a-major-data-breach
Cybersecurity researchers have found what appears to be a configuration file hosted on a domain hosted by the Sky media group apparently listing access credentials of production-level databases in plain text.
Discovered by CyberNews researchers during a threat intelligence gathering operation, the file appears to be the main configuration file of the application hosted on the ‘upliftmedia’ subdomain of Sky.com.
In addition to plain text access credentials to databases, the file also contains addresses to development endpoints.
Sky.com servers exposed via misconfiguration
https://cybernews.com/news/sky-com-servers-exposed-via-misconfiguration/
CyberNews researchers found an exposed configuration file hosted on a Sky.com subdomain, containing what appear to be production-level database access credentials, as well as addresses to development endpoints.
Sky, a subsidiary of Comcast, is Europe’s largest media company, boasting a 12% market share and a revenue of approximately £13.4 billion in 2020, as well as more than 31,000 employees and 24 million customers. UpLift Media, launched by Sky and Molson Coors in 2015, is an in-venue digital screen advertising network that operates digital screens in bars and other leisure venues across the UK.
During a threat intelligence gathering operation, our Investigations team came across an exposed configuration file that included plain text access credentials to multiple databases on a domain hosted by the Sky media conglomerate.
Tomi Engdahl says:
FontOnLake malware strikes Linux systems in targeted attacks
The malware is accompanied by a rootkit to sink its claws firmly into vulnerable machines.
https://www.zdnet.com/article/fontonlake-malware-strikes-linux-systems-in-targeted-attacks/
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/study-reveals-android-phones-constantly-snoop-on-their-users/
Tomi Engdahl says:
A Pro-Choice Hacking Team Defaced the Texas GOP Website. So We DM’d Them
Hackers speak out after one the biggest leaks of far-right data ever
https://www.rollingstone.com/politics/politics-features/meet-the-woman-led-hacking-team-that-defaced-the-texas-gop-website-1238782/
For several hours on September 11th, 2021 — a little more than a week after the most restrictive abortion ban in the country went into effect — the Texas GOP’s website was plastered with an army of adorable, amphibious Pokémon. Scroll a little further down the home page and you would find a Rick Astley music video, a mission statement attributed to the “Republican Party of Fucking Over Women,” and a joke about U.S. Sen. Ted Cruz being the Zodiac Killer.
Beyond the memes and inside jokes, Operation Jane’s purpose was pretty simple: to troll, spam, frustrate and otherwise disrupt the organizations and “snitch systems” supporting S.B. 8. And it worked.
Tomi Engdahl says:
https://www.uusiteknologia.fi/2021/10/11/kiristysohjelma-rassaa-eniten-suomalaisia/
Tomi Engdahl says:
Google to give security keys to ‘high risk’ users targeted by government hackers
https://techcrunch.com/2021/10/08/google-to-give-security-keys-to-high-risk-users-targeted-by-government-hackers/
Google has said it will provide 10,000 “high-risk” users with free hardware security keys, days after the company warned thousands of Gmail users that they were targeted by state-sponsored hackers.
The warning, sent by Google’s Threat Analysis Group (TAG), alerted more than 14,000 Gmail users that they had been targeted in a state-sponsored phishing campaign from APT28, also known as Fancy Bear, said to be made up of operatives of Russia’s GRU intelligence agency. Fancy Bear has been active for more than a decade but it’s widely known for hacking into the Democratic National Committee and its disinformation and election influencing campaign in the run-up to the 2016 U.S. presidential election.
Tomi Engdahl says:
MysterySnail attacks with Windows zero-day https://securelist.com/mysterysnail-attacks-with-windows-zero-day/104509/
In late August and early September 2021, Kaspersky technologies detected attacks with the use of an elevation of privilege exploit on multiple Microsoft Windows servers. The exploit had numerous debug strings from an older, publicly known exploit for vulnerability CVE-2016-3309, but closer analysis revealed that it was a zero-day. We discovered that it was using a previously unknown vulnerability in the Win32k driver and exploitation relies heavily on a technique to leak the base addresses of kernel modules.
Tomi Engdahl says:
Necro Python Botnet Goes After Vulnerable VisualTools DVR https://blogs.juniper.net/en-us/threat-research/necro-python-botnet-goes-after-vulnerable-visualtools-dvr
In the last week of September 2021, Juniper Threat Labs detected a new activity from Necro Python (a.k.a. N3Cr0m0rPh, Freakout, Python.IRCBot) that is actively exploiting some services, including a new exploit added to its arsenal. This new exploit targets Visual Tools DVR VX16 4.2.28.0 from visual-tools.com (no CVE number is assigned to this vulnerability). Successful exploitation will download the bot into the system and install a Monero miner.
Tomi Engdahl says:
Microsoft October 2021 Patch Tuesday: 71 vulnerabilities, four zero-days squashed https://www.zdnet.com/article/microsoft-october-2021-patch-tuesday-71-vulnerabilities-four-zero-days-squashed/
Microsoft has released 71 security fixes for software including an actively-exploited zero-day bug in Win32k. The Redmond giant’s latest round of patches, usually released on the second Tuesday of each month in what is known as Patch Tuesday, includes fixes for a total of four zero-day flaws, three of which are public. Products impacted by October’s security update include Microsoft Office, Exchange Server, MSHTML, Visual Studio, and the Edge browser. Also https://www.bleepingcomputer.com/news/microsoft/microsoft-october-2021-patch-tuesday-fixes-4-zero-days-71-flaws/.
https://isc.sans.edu/forums/diary/Microsoft+October+2021+Patch+Tuesday/27928/.
https://blog.talosintelligence.com/2021/10/microsoft-patch-tuesday-for-oct-2021.html.
https://www.tenable.com/blog/microsoft-s-october-2021-patch-tuesday-addresses-74-cves-cve-2021-40449
Tomi Engdahl says:
Business as usual for Azure customers despite 2.4 Tbps DDoS attack https://azure.microsoft.com/en-us/blog/business-as-usual-for-azure-customers-despite-24-tbps-ddos-attack/
In early August, we shared Azure’s Distributed Denial-of-Service (DDoS) attack trends for the first half of 2021. We reported a 25 percent increase in the number of attacks compared to Q4 of 2020, albeit a decline in maximum attack throughput, from one terabyte per second (Tbps) in Q3 of 2020 to 625 Mbps in the first half of 2021. The last week of August, we observed a 2.4 Tbps DDoS attack targeting an Azure customer in Europe. This is 140 percent higher than 2020’s 1 Tbps attack and higher than any network volumetric event previously detected on Azure.
Tomi Engdahl says:
Cyberattack shuts down Ecuador’s largest bank, Banco Pichincha https://www.bleepingcomputer.com/news/security/cyberattack-shuts-down-ecuadors-largest-bank-banco-pichincha/
Ecuador’s largest private bank Banco Pichincha has suffered a cyberattack that disrupted operations and taken the ATM and online banking portal offline. The cyberattack occurred over the weekend, causing the bank to shut down portions of their network to prevent the attack’s spread to other systems. The shut down of systems has led to widespread disruption for the bank, with ATMs no longer working and the online banking portals showing maintenance messages.
Tomi Engdahl says:
GitHub Revoked Insecure SSH Keys Generated by a Popular git Client https://thehackernews.com/2021/10/github-revoked-insecure-ssh-keys.html
Code hosting platform GitHub has revoked weak SSH authentication keys that were generated via the GitKraken git GUI client due to a vulnerability in a third-party library that increased the likelihood of duplicated SSH keys. As an added precautionary measure, the Microsoft-owned company also said it’s building safeguards to prevent vulnerable versions of GitKraken from adding newly generated weak keys.
Tomi Engdahl says:
Blue OLEx 2021 : Testing the Response to Large Cyber Incidents https://www.enisa.europa.eu/news/blue-olex-2021-testing-the-response-to-large-cyber-incidents
Together with the Romanian National Cyber Security Directorate, the European Union Agency for Cybersecurity organised the third Blue OLEx exercise to test the operating procedures for the EU Cyber Crisis Liaison Organisation Network (CyCLONe). The Blue OLEx exercise of 12th October was designed to test the Standard Operating Procedures (SOP) of the EU CyCLONe at executive level in case of a large-scale cross-border cyber crisis or incident affecting EU citizens and businesses. Organised by the Romanian National Cyber Security Directorate with the support of the ENISA, the event took place in Bucharest as well as online.
Tomi Engdahl says:
SnapMC skips ransomware, steals data
https://research.nccgroup.com/2021/10/11/snapmc-skips-ransomware-steals-data/
Over the past few months NCC Group has observed an increasing number of data breach extortion cases, where the attacker steals data and threatens to publish said data online if the victim decides not to pay. Given the current threat landscape, most notable is the absence of ransomware or any technical attempt at disrupting the victim’s operations.
Tomi Engdahl says:
Olympus US systems hit by cyberattack over the weekend https://www.bleepingcomputer.com/news/security/olympus-us-systems-hit-by-cyberattack-over-the-weekend/
Olympus, a leading medical technology company, was forced to take down IT systems in the Americas (U.S., Canada, and Latin America) following a cyberattack that hit its network Sunday, October 10, 2021. “Upon detection of suspicious activity, we immediately mobilized a specialized response team including forensics experts, and we are currently working with the highest priority to resolve this issue,”
Olympus says in a statement published today, two days after the attack.
Tomi Engdahl says:
Dutch police send warning letters to customers of DDoS booter service https://therecord.media/dutch-police-send-warning-letters-to-customers-of-ddos-booter-service/
Dutch police have taken a rare step this week and sent letters to 29 individuals who used a now-defunct DDoS-for-hire service also known as a DDoS booter to launch DDoS attacks against various targets. In the letters, Dutch officials warned users that they’d been added to a database of past miscreants, and any involvement in new DDoS attacks will lead to a criminal case.
Tomi Engdahl says:
MS Patch Tuesday: 71 Vulns, One Exploited as Zero-Day
https://www.securityweek.com/ms-patch-tuesday-71-vulns-one-exploited-zero-day
The Microsoft Patch Tuesday freight train for October rolled in with fixes for at least 71 security defects in Windows products and components and an urgent warning about a newly discovered zero-day cyberespionage campaign.
The Redmond, Wash. software maker confirmed in-the-wild exploitation of one of the patched bugs — CVE-2021-40449 — in an exploit chain discovered and reported by malware hunters at Kaspersky.
Tomi Engdahl says:
Medical Technology Company Olympus Discloses Cyberattack
https://www.securityweek.com/medical-technology-company-olympus-discloses-cyberattack
Japanese medical technology company Olympus this week revealed that its operations in the Americas were affected by a cyberattack.
Detected on October 10, the attack forced the company to shut down some of its systems, but Olympus says that it is already working on restoring them back to normal.
“Upon detection of suspicious activity, we immediately mobilized a specialized response team including forensics experts, and we are currently working with the highest priority to resolve this issue. As part of the investigation and containment, we have suspended affected systems and have informed the relevant external partners,” the company says.
The company says that only its operations in the Americas (the United States, Canada, and Latin America) were affected by the incident.
Investigating potential cybersecurity incident affecting our IT system in the Americas
https://www.olympus-global.com/news/2021/nr02217.html
Tomi Engdahl says:
Adobe Patches Critical Code Execution Vulnerabilities in Several Products
https://www.securityweek.com/adobe-patches-critical-code-execution-vulnerabilities-several-products
Adobe on Tuesday announced that it has patched a total of 10 vulnerabilities across its Acrobat and Reader, Connect, Commerce, and Campaign Standard products.
Adobe has patched four vulnerabilities in Acrobat and Reader for Windows and macOS. Two of the flaws, described as use-after-free and out-of-bounds issues, have been classified as critical and they can lead to arbitrary code execution in the context of the current user. The other two are moderate-severity flaws that can be exploited for privilege escalation.
In Reader for Android, the company fixed an important-severity issue that could lead to information disclosure and arbitrary code execution.
In Adobe Campaign Standard for Windows and Linux, the software giant addressed a critical cross-site scripting (XSS) bug. An XSS flaw was also patched in Connect, along with a critical code execution vulnerability related to deserialization of untrusted data.
Tomi Engdahl says:
Microsoft Azure Hit by 2.4 Tbps DDoS Attack
https://www.securityweek.com/microsoft-mitigates-24-tbps-ddos-attack-targeting-azure
Microsoft on Monday revealed that an Azure customer was targeted in late August in a massive distributed denial of service (DDoS) attack that peaked at 2.4 Tbps (terabytes per second).
Originating from roughly 70,000 sources worldwide and lasting for more than 10 minutes, with very short bursts, the attack consisted of UDP traffic, employed reflection, and was 1.4 times larger than the largest attack previously mitigated by Azure.
Most of the attack’s sources were located in the Asia-Pacific region, in China, Japan, Malaysia, Taiwan, and Vietnam. Some of them, however, were located in the United States, Microsoft says.
The tech giant also notes that the attack reached three main bursts, peaking at 2.4 Tbps, 0.55 Tbps, and 1.7 Tbps, respectively.
Tomi Engdahl says:
ICS Patch Tuesday: Siemens and Schneider Electric Address Over 50 Vulnerabilities
https://www.securityweek.com/ics-patch-tuesday-siemens-and-schneider-electric-address-over-50-vulnerabilities
Industrial giants Siemens and Schneider Electric on Tuesday released nearly a dozen security advisories describing a total of more than 50 vulnerabilities affecting their products.
For its SCALANCE W1750D controller-based direct access points, Siemens released patches and mitigations covering 15 vulnerabilities, including critical weaknesses that can allow a remote, unauthenticated attacker to cause a DoS condition or execute arbitrary code on the underlying operating system. The W1750D is a brand-labeled device from Aruba, and a majority of the flaws exist in the ArubaOS operating system.
The company has also informed customers about a critical authentication vulnerability in the SIMATIC Process Historian. An attacker can exploit the flaw to insert, modify or delete data.
The two remaining advisories address high-severity denial of service (DoS) vulnerabilities in SINUMERIK controllers and RUGGEDCOM ROX devices. In the case of the RUGGEDCOM devices, an unauthenticated attacker could cause a permanent DoS condition in certain circumstances.
Schneider Electric
Schneider Electric has released 6 new advisories covering 20 vulnerabilities. One advisory describes the impact of 11 Windows flaws on the company’s Conext solar power plant products. The security holes were patched by Microsoft in 2019 and 2020 and many of them have critical or high severity ratings.
Another advisory describes two critical, one high-severity and one medium-severity vulnerabilities affecting Schneider’s IGSS SCADA system. The company says the worst case exploitation scenario “could result in an attacker gaining access to the Windows Operating System on the machine running IGSS in production.”
Tomi Engdahl says:
GitKraken Vulnerability Prompts Action From GitHub, GitLab, Bitbucket
https://www.securityweek.com/gitkraken-vulnerability-prompts-action-github-gitlab-bitbucket
Developers of Git GUI client GitKraken have addressed a vulnerability resulting in the generation of weak SSH keys, and they are prompting users to revoke and renew their keys.
Discovered in the open source library that the Git GUI client uses for SSH key generation, the issue affects all keys issued using versions 7.6.x, 7.7.x, and 8.0.0 of GitKraken.
The security hole was identified in late September and was addressed with the release of GitKraken version 8.0.1. The SSH key generation library was replaced with a new one.
Due to the presence of the vulnerability in multiple versions of GitKraken, users are advised to regenerate their SSH keys even if they have already updated to the patched version.
“We are not aware of any accounts being compromised due to this flaw. We will continue to work toward the highest security standards possible for all of our users,” the GitKraken team said.
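The two GitKraken items above (here and in the earlier GitHub comment) turn on one symptom: a key generator that can hand the same SSH key to different people. A defender's first check is therefore whether any public key in an account inventory appears under more than one account. The script below is an added example, not code from GitHub, GitKraken or the article; the OpenSSH wire format and SHA256 fingerprint encoding are standard, while the sample key blobs and accounts are constructed dummies.

```python
import base64
import binascii
import hashlib
import struct
from collections import defaultdict


def _ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: 4-byte big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def make_pubkey_line(key_type: str, *fields: bytes, comment: str = "") -> str:
    """Build an OpenSSH public key line from wire-format fields.
    Used here only to construct sample input; the field values are dummies,
    not real key material."""
    blob = _ssh_string(key_type.encode()) + b"".join(_ssh_string(f) for f in fields)
    line = f"{key_type} {base64.b64encode(blob).decode()}"
    return f"{line} {comment}" if comment else line


def openssh_fingerprint(pubkey_line: str):
    """Return (key_type, 'SHA256:<base64 without padding>'), the form that
    `ssh-keygen -lf` prints, or None if the line is not a well-formed key."""
    parts = pubkey_line.split()
    if len(parts) < 2:
        return None
    key_type, blob_b64 = parts[0], parts[1]
    try:
        blob = base64.b64decode(blob_b64, validate=True)
    except (ValueError, binascii.Error):
        return None
    # The blob begins with the key type as a wire-format string; it must
    # agree with the first text field, otherwise the line is corrupt.
    if len(blob) < 4:
        return None
    (type_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + type_len] != key_type.encode():
        return None
    digest = hashlib.sha256(blob).digest()
    return key_type, "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def find_shared_keys(inventory):
    """inventory: {account: [public key lines]}.
    Returns {fingerprint: sorted accounts} for every key that appears under
    more than one account. A shared key is the signal that a generator
    produced duplicates (the GitKraken case) or that a key was copied around;
    either way the key should be revoked and regenerated."""
    owners = defaultdict(set)
    for account, lines in inventory.items():
        for line in lines:
            fp = openssh_fingerprint(line)
            if fp is None:
                continue  # malformed entry: skip, do not crash the sweep
            owners[fp[1]].add(account)
    return {fp: sorted(accs) for fp, accs in owners.items() if len(accs) > 1}


# Constructed sample inventory: alice and carol ended up with the same key blob.
SHARED = make_pubkey_line("ssh-rsa", b"\x01\x00\x01", b"\x00" + b"\xab" * 32)
UNIQUE = make_pubkey_line("ssh-ed25519", b"\x11" * 32, comment="bob@laptop")
SAMPLE_INVENTORY = {
    "alice": [SHARED],
    "bob": [UNIQUE],
    "carol": [SHARED + " carol@desktop"],  # same key, different comment
    "dave": ["ssh-rsa not-base64!!"],      # malformed line, skipped
}

if __name__ == "__main__":
    for fp, accounts in find_shared_keys(SAMPLE_INVENTORY).items():
        print(f"{fp} is shared by {', '.join(accounts)}")
```

Feeding it the real `authorized_keys` files or a hosting provider's key export lets you find keys to revoke before relying on the provider's own sweep.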
Tomi Engdahl says:
FontOnLake malware strikes Linux systems in targeted attacks
https://www.zdnet.com/article/fontonlake-malware-strikes-linux-systems-in-targeted-attacks/
The malware is accompanied by a rootkit to sink its claws firmly into vulnerable machines.
A brand of malware that has previously gone undetected is being used in targeted attacks against Linux systems.
According to researchers from cybersecurity firm ESET, the malware, named FontOnLake, appears to be well-designed and while under active development already includes remote access options, credential theft features, and is able to initialize proxy servers.
The researchers added that Linux systems targeted by the malware may be located in areas including Southeast Asia.
ESET believes the operators are “overly cautious” about being caught and their activities exposed as almost all samples obtained use different C2 server addresses and a variety of ports. Furthermore, the malware’s authors make use of C/C++ and a number of third-party libraries such as Boost and Protobuf.
FontOnLake is modular malware that harnesses custom binaries to infect a machine and to execute malicious code. While ESET is still investigating FontOnLake, the firm says that among its known components are trojanized apps which are used to load backdoors, rootkits, and to collect information.
FontOnLake is always joined with a kernel-mode rootkit to maintain persistence on an infected Linux machine. According to Avast, the rootkit is based on the open source Suterusu project.
Tomi Engdahl says:
A former Navy nuclear engineer and his wife have been arrested on espionage charges
https://www.npr.org/2021/10/10/1044883780/nuclear-engineer-navy-and-wife-arrested-espionage-charges?utm_source=facebook.com&utm_medium=social&utm_campaign=npr&utm_term=nprnews&utm_content=2041
A former nuclear engineer officer in the U.S. Navy and his wife have been arrested on espionage charges, after allegedly attempting to sell secrets about submarines to a foreign entity, according to court records unsealed Sunday.
Toebbe held an active national security clearance through the Department of Defense, giving him access to restricted data, authorities said.
The 42-year-old former lieutenant in the Navy and his wife, 45, sold restricted information “concerning the design of nuclear powered warships” to someone they believed was a representative of an unnamed foreign power, according to federal law enforcement officials.
Authorities said military secrets were hidden in a peanut butter sandwich
The FBI later recovered the package Toebbe had left behind. Authorities said they found a 16-gigabyte data card “wrapped in plastic and placed between two slices of bread on a half of a peanut butter sandwich. The half sandwich was housed inside of a plastic bag.”
Investigators said the data card contained “militarily sensitive design elements, operating parameters, and performance characteristics of Virginia-class submarine reactors.”
Tomi Engdahl says:
Martin Matishak / The Record:
US to host a two-day virtual event from Wed. on ransomware with 30 countries, except Russia and China; source says Russia isn’t invited “for a host of reasons”
U.S. convenes 30 countries on ransomware threat — without Russia or China
https://therecord.media/u-s-convenes-30-countries-on-ransomware-threat-without-russia-or-china/
The Biden administration did not invite Russia to participate in the first meeting of a global effort to combat cybercrime, but could welcome the country that has become synonymous with ransomware to future gatherings.
On Wednesday the White House will begin a two-day virtual event with representatives from 30 countries around the world, dubbed the “Counter-Ransomware Initiative.” The forum is meant to strengthen law enforcement cooperation and diplomatic ties against malicious activities, including the misuse of virtual currency to launder ransom payments.
“In this first round of discussions we did not invite the Russians to participate for a host of reasons,” a senior administration official told reporters during a call on Tuesday. “That doesn’t preclude future opportunities for them to participate as we do further sessions.”
The official said there have been “candid and direct” talks within the experts group that was established after President Joe Biden and Russian President Vladimir Putin met earlier this year about what actions Washington expects the Kremlin to take against ransomware gangs operating on its soil.
“We’ve seen some steps by the Russian government and are looking to see follow-up actions,” according to the official, who declined to elaborate.
Ransomware has become a national security threat over the last year following a series of devastating attacks on businesses that operate critical infrastructure, such as the Colonial Pipeline. Biden gave Putin a list of 16 critical infrastructure sectors that are supposed to be off limits to hackers but, after a brief lull, attacks on U.S. targets by organizations known or suspected to be in Russia have ramped up.
Last month a senior FBI official said his agency saw “no indication” Moscow has cracked down on criminal networks within its territory. A week later the Treasury Department imposed sanctions on a cryptocurrency exchange owned by Russian nationals that officials allege helped launder more than $160 million in illicit funds for various ransomware and criminal groups.
Tomi Engdahl says:
How Coinbase Phishers Steal One-Time Passwords
https://krebsonsecurity.com/2021/10/how-coinbase-phishers-steal-one-time-passwords
A recent phishing campaign targeting Coinbase users shows thieves are getting smarter about phishing one-time passwords (OTPs) needed to complete the login process. It also shows that phishers are attempting to sign up for new Coinbase accounts by the millions as part of an effort to identify email addresses that are already associated with active accounts.
Tomi Engdahl says:
Check Point Research Prevents Theft of Crypto Wallets on OpenSea, the World’s Largest NFT Marketplace https://research.checkpoint.com/2021/check-point-research-prevents-theft-of-crypto-wallets-on-opensea-the-worlds-largest-nft-marketplace/
During the past few weeks, Check Point researchers spotted various cases where people tweeted reports claiming they lost their crypto wallet balance, while receiving a free gift on the OpenSea market place. OpenSea is the largest digital collectible marketplace, a peer-to-peer marketplace for crypto collectibles and non-fungible tokens, aka NFT. OpenSea recorded $3.4 billion in transaction volume in August 2021 alone, and has grown to be the largest marketplace for non-fungible tokens of the crypto world.
Tomi Engdahl says:
Cyberattack hits Meliá, one of the largest hotel chains in the world https://therecord.media/cyberattack-hits-melia-one-of-the-largest-hotel-chains-in-the-world/
A cybersecurity incident has crippled activities at Meliá Hotels International, one of the largest hotel chains in the world. The incident occurred in the early hours of Monday, October 4, and affected Meliá’s Spain-based operations primarily, where attackers took down parts of the internal network and some web-based servers, including its reservation system and public websites.
Tomi Engdahl says:
Apple silently fixes iOS zero-day, asks bug reporter to keep quiet https://www.bleepingcomputer.com/news/apple/apple-silently-fixes-ios-zero-day-asks-bug-reporter-to-keep-quiet/
Apple has silently fixed a ‘gamed’ zero-day vulnerability with the release of iOS 15.0.2, on Monday, a security flaw that could let attackers gain access to sensitive user information. The company addressed the bug without acknowledging or crediting software developer Denis Tokarev for the discovery even though he reported the flaw seven months before iOS 15.0.2 was released.
Tomi Engdahl says:
U.S. convenes 30 countries on ransomware threat without Russia or China https://therecord.media/u-s-convenes-30-countries-on-ransomware-threat-without-russia-or-china/
The Biden administration did not invite Russia to participate in the first meeting of a global effort to combat cybercrime, but could welcome the country that has become synonymous with ransomware to future gatherings. On Wednesday the White House will begin a two-day virtual event with representatives from 30 countries around the world, dubbed the Counter-Ransomware Initiative. The forum is meant to strengthen law enforcement cooperation and diplomatic ties against malicious activities, including the misuse of virtual currency to launder ransom payments.
Tomi Engdahl says:
Olympus suffers second cyberattack in 2021
https://www.zdnet.com/article/olympus-announces-second-cyberattack-in-2021/
On Tuesday, Japanese tech manufacturer Olympus said that it was investigating a cyberattack on its IT systems in the US, Canada, and Latin America. The company said the cybersecurity incident was detected on Sunday, but despite the help of forensics experts, they are still working to resolve the issue. “As part of the investigation and containment, we have suspended affected systems and have informed the relevant external partners. The current results of our investigation indicate the incident was contained to the Americas with no known impact to other regions,” the company statement said.
Tomi Engdahl says:
Multiple Vulnerabilities in Brizy Page Builder Plugin Allow Site Takeover
https://www.wordfence.com/blog/2021/10/multiple-vulnerabilities-in-brizy-page-builder-plugin-allow-site-takeover/
On August 19, 2021, the Wordfence Threat Intelligence team initiated the Responsible Disclosure process for Brizy Page Builder, a WordPress plugin installed on over 90,000 sites. During a routine review of our firewall rules, we found traffic indicating that a vulnerability might be present in the Brizy Page Builder plugin, though it did not appear to be under active attack. This led us to discover two new vulnerabilities as well as a previously patched access control vulnerability in the plugin that had been reintroduced.
Tomi Engdahl says:
Apple Points to Android Malware Infections in Argument Against Sideloading on iOS
https://www.securityweek.com/apple-points-android-malware-infections-argument-against-sideloading-ios
Apple Threat Analysis Report Highlights Risks Posed by Sideloading on iOS
Apple on Wednesday published a 30-page threat analysis report in an effort to show why allowing sideloading on iOS would pose serious privacy and security risks to iPhone users.
Sideloading is the process of downloading and installing mobile apps on Apple devices from sources other than the official App Store, such as through direct downloads or third-party app stores.
There has been pressure on Apple to support sideloading, but the tech giant believes that sideloading would “cripple the privacy and security protections that have made iPhone so secure, and expose users to serious security risks.”
Apple’s report also highlights a recent EU report claiming that its cybersecurity agency, ENISA, detected 230,000 new malware infections every day between January 2019 and April 2020. It’s worth noting that Apple’s report says “230,000 new mobile malware infections,” but the EU and ENISA reports seem to refer to infections across all platforms, not just mobile platforms.
The tech giant also points to a Kaspersky report showing that the cybersecurity firm’s products detected more than 5.6 million malicious installation packages targeting Android devices last year.
The company said that if it were forced to support sideloading, it would be easier for cybercriminals to target its customers, even if sideloading were limited to third-party app stores.
“Some sideloading initiatives would also mandate removing protections against third-party access to proprietary hardware elements and non-public operating system functions. This would undermine core components of platform security that protect the operating system and iPhone data and services from malware, intrusion, and even operational flaws that could affect the reliability of the device and stop it from working,” Apple wrote in its report.
https://www.apple.com/privacy/docs/Building_a_Trusted_Ecosystem_for_Millions_of_Apps_A_Threat_Analysis_of_Sideloading.pdf
Tomi Engdahl says:
US Talks Global Cybersecurity Without a Key Player: Russia
https://www.securityweek.com/us-talks-global-cybersecurity-without-key-player-russia
Russia, which hosts many of the criminal syndicates behind ransomware attacks around the world was not invited to an international counter-ransomware event
Amid an epidemic of ransomware attacks, the U.S. is discussing cybersecurity strategy this week with 30 countries while leaving out one key player: Russia.
The country that, unwittingly or not, hosts many of the criminal syndicates behind ransomware attacks was not invited to a two-day meeting starting Wednesday to develop new strategies to counter the threat.
White House national security adviser Jake Sullivan called it a gathering of “like-minded” governments in agreement on the urgency of the need to protect citizens and businesses from ransomware. “No one country, no one group can solve this problem,” he said in opening remarks.
Tomi Engdahl says:
OT Cybersecurity Firm Shift5 Raises $20 Million to Protect Planes, Trains and Tanks
https://www.securityweek.com/ot-cybersecurity-firm-shift5-raises-20-million-protect-planes-trains-and-tanks
Shift5, an operational technology (OT) cybersecurity company specializing in transportation infrastructure and weapons systems, this week announced raising $20 million in a Series A funding round.
The funding was led by 645 Ventures, with participation from Squadra Ventures, General Advance, and First In.
“Shift5’s data-driven solution integrates directly onto existing vehicle platforms, collecting and enriching data from on-board digital components and continuously monitoring data streams for security and operational anomalies. Its analytics platform provides cybersecurity intrusion detection, smarter maintenance, and improved operational intelligence for fleet operators,” the company said in a press release announcing the funding round.
Tomi Engdahl says:
Extortionist Hacker Group SnapMC Breaches Networks in Under 30 Minutes
https://www.securityweek.com/extortionist-hacker-group-snapmc-breaches-networks-under-30-minutes
Over the past few months, a threat actor has been increasingly breaching enterprise networks to steal data and extort victims, but without disrupting their operations, researchers with the NCC Group reveal.
Dubbed SnapMC, the hacking group attempts to exploit multiple vulnerabilities in webserver and VPN applications for initial access and typically compromises victim networks in under 30 minutes.
The group then exfiltrates victim data to leverage it for extortion, but doesn’t use ransomware or other means of disrupting the victim’s operations.
SnapMC threatens to publish the stolen data online unless a ransom is paid, provides victims with a list of the stolen data as evidence of breach, and even goes through with the threats.
The adversary scans webserver applications and VPNs for multiple vulnerabilities that would allow it to gain access to the target environments. NCC Group has observed the group exploiting a remote code execution flaw in Telerik UI for ASPX.NET, as well as SQL injection bugs.
SnapMC skips ransomware, steals data
https://research.nccgroup.com/2021/10/11/snapmc-skips-ransomware-steals-data/
Tomi Engdahl says:
Vendor Risk Management Firm Black Kite Raises $22 Million
https://www.securityweek.com/vendor-risk-management-firm-black-kite-raises-22-million
Black Kite, a provider of third-party cyber risk rating services, announced today that it has raised $22 million in a Series B funding round led by Volition Capital, bringing the total raised by the Boston, Mass.-based company to more than $33.1 million.
Black Kite offers a cyber ratings platform that evaluates risk from a technical, financial, and compliance perspective to help customers determine which vendors pose the highest risk to their organization on a continuous and automated basis.
Black Kite leverages commonly used frameworks developed by MITRE to calculate ratings and convert technical terms into letter grades for simplicity. The platform also uses the Open FAIR model to calculate the probable financial impact resulting from a breach at a third-party vendor or partner.
Tomi Engdahl says:
Necro Python Botnet Starts Targeting Visual Tools DVRs
https://www.securityweek.com/necro-python-botnet-starts-targeting-visual-tools-dvrs
Security researchers have spotted signs of the Necro Python botnet targeting a vulnerability in Visual Tools DVR systems to install a Monero miner on infected systems.
First discovered in January this year, Necro Python is also tracked as N3Cr0m0rPh, FreakOut and Python.IRCBot, and is known for attempting to exploit multiple known vulnerabilities.
Based on Python, the botnet includes a broad range of capabilities, including the ability to sniff network traffic, launch distributed denial of service attacks, infect different types of files (HTML, JS, PHP), install a Monero miner, execute commands, and spread using exploits or brute-forcing.
What’s more, although it emerged in January as a piece of malware targeting Linux systems, the script can run on Windows systems as well and can install a Windows rootkit.
“The script has its own polymorphic engine to morph itself every execution which can bypass signature-based defenses. This works by reading every string in its code and encrypting it using a hardcoded key,” the researchers explain.
The botnet uses a Domain Generation Algorithm (DGA) for both its command and control (C&C) and download server. Once connected to the C&C, it can scan IPs, add/remove ports from the scanner, launch a reverse shell, execute files, kill processes, update itself, launch UDP/SYN/TCP floods, launch amplification/reflection attacks, and more.
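The polymorphic engine described above defeats byte signatures because every string literal is re-encrypted on each run. A defender can instead look for the side effect: a script whose string constants are long, high-entropy blobs. The following is an added example (not code from the article or from the researchers it quotes); the two source snippets are constructed, and the length and entropy thresholds are assumptions to tune against your own corpus.

```python
import ast
import math
from collections import Counter

# Constructed sample: string literals replaced by opaque encrypted blobs,
# standing in for what a string-encrypting polymorphic engine would emit.
SUSPECT_SOURCE = '''
_k = "Q3xL9mZ2"
_s0 = "k8Jf2QpX7vB1nRt4Lw9ZaY3cH6dE0gU5iOmPsVxTbN"
_s1 = "zR5tY9uI2oP7aS1dF4gH8jK3lQ6wE0rT"
print(_s0, _s1)
'''

# Constructed benign sample for comparison: ordinary human-readable strings.
BENIGN_SOURCE = '''
import sys
print("usage: tool.py <file>")
msg = "no such file"
'''


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character (0.0 for empty input)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def string_literals(source: str) -> list:
    """Every string constant in a Python source text, extracted via the AST."""
    tree = ast.parse(source)
    return [node.value for node in ast.walk(tree)
            if isinstance(node, ast.Constant) and isinstance(node.value, str)]


def suspicious_strings(source: str, min_len: int = 20,
                       min_entropy: float = 4.5) -> list:
    """String constants long and random-looking enough to be encrypted blobs.

    Thresholds are assumed starting points: short keys and normal messages
    fall below them, while ciphertext-like literals exceed both.
    """
    return [s for s in string_literals(source)
            if len(s) >= min_len and shannon_entropy(s) >= min_entropy]


if __name__ == "__main__":
    for name, src in (("suspect", SUSPECT_SOURCE), ("benign", BENIGN_SOURCE)):
        hits = suspicious_strings(src)
        print(f"{name}: {len(hits)} high-entropy string(s) flagged")
```

Run the check over scripts found in cron entries or dropped in temporary directories; a hit is a triage signal rather than proof of infection, since packed legitimate code can trip it too.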
Tomi Engdahl says:
New ‘FreakOut’ Malware Ensnares Linux Devices Into Botnet
https://www.securityweek.com/new-freakout-malware-ensnares-linux-devices-botnet
A recently identified piece of malware is targeting Linux devices to ensnare them into a botnet capable of malicious activities such as distributed denial of service (DDoS) and crypto-mining attacks.
Dubbed FreakOut, the malware is infecting devices that haven’t yet received patches for three relatively new vulnerabilities, including one that was made public earlier this month.
FreakOut, according to cybersecurity firm Check Point, can scan ports, harvest information, create and send data packets, perform network sniffing, and can also launch DDoS and network flooding attacks.
One of the vulnerabilities targeted by the botnet is CVE-2020-28188, an unauthenticated, remote command execution in TerraMaster TOS (TerraMaster Operating System) up to version 4.2.06. TerraMaster is a vendor of network- and direct-attached storage solutions.
The second one is CVE-2021-3007, a deserialization bug in Zend Framework that could lead to remote code execution. The popular collection of libraries for web application development is no longer supported by its maintainer.
FreakOut also targets CVE-2020-7961, a deserialization in Liferay Portal prior to 7.2.1 CE GA2, which could lead to the remote execution of arbitrary code via JSON web services (JSONWS). Liferay Portal is a free, open-source enterprise portal designed for building web portals and sites.
Linux users should patch now to block new “FreakOut” malware which exploits new vulnerabilities
https://blog.checkpoint.com/2021/01/19/linux-users-should-patch-now-to-block-new-freakout-malware-which-exploits-new-vulnerabilities/
Tomi Engdahl says:
Intel, VMware Join Patch Tuesday Parade
https://www.securityweek.com/intel-vmware-join-patch-tuesday-parade
Technology giants Intel Corp. and VMware joined the Patch Tuesday parade this week, rolling out fixes for security defects that expose users to malicious hacker attacks.
Intel released two advisories to fix privilege escalation and information disclosure vulnerabilities in the SGX software development kit and Hardware Accelerated Execution Manager (HAXM) software products.
The more serious of the two flaws — CVE-2021-0186 — affects the Software Guard Extensions (SGX) Software Development Kit (SDK) applications compiled for SGX2-enabled processors and may allow escalation of privilege in certain circumstances.
Intel has tagged the bug with a “high risk” rating and a CVSS Base Score of 8.2 and credited multiple academic institutions with reporting the issue.
The second Intel advisory covers a pair of security vulnerabilities in the Intel Hardware Accelerated Execution Manager (HAXM) software that may allow escalation of privilege or information disclosure. The HAXM updates are available on Github.
Separately, VMware released a trio of advisories to warn about security defects in the VMware vRealize IT operations management platform.
Tomi Engdahl says:
SAP Patches Critical Vulnerabilities in Environmental Compliance
https://www.securityweek.com/sap-patches-critical-vulnerabilities-environmental-compliance
On Tuesday, its October 2021 Security Patch Day, SAP announced the release of 13 new security notes and an update for a previously released note. Three of the notes are rated Hot News.
The most important of SAP’s security notes deals with two critical vulnerabilities in SAP Environmental Compliance. Tracked as CVE-2020-10683 and CVE-2021-23926 (CVSS score of 9.8), the bugs are potential XML external entity (XXE) injection issues.
While SAP hasn’t provided specific details on these security holes, XML injection bugs typically allow an attacker to interfere with the processing of XML data, leading to information disclosure or enabling the attacker to interact with backend systems, SAP application security firm Onapsis says.
Tomi Engdahl says:
Phishing campaign uses math symbols to evade detection
https://www.bleepingcomputer.com/review/security/phishing-campaign-uses-math-symbols-to-evade-detection/
For many people who don’t keep up with the latest logo changes though, these slightly altered logos look good enough, so the delivery success and user engagement rates have better chances of staying high.
Tomi Engdahl says:
AI voice cloning is used in a huge heist in the U.A.E., amidst warnings about cybercriminal use of the new technology.
https://www.forbes.com/sites/thomasbrewster/2021/10/14/huge-bank-fraud-uses-deep-fake-voice-tech-to-steal-millions/?utm_campaign=forbes&utm_source=facebook&utm_medium=social&utm_term=Gordie&sh=37495b6a7559
Tomi Engdahl says:
Hackers Claim to Have Stolen 60 GB of Data From Acer
https://www.securityweek.com/hackers-claim-have-stolen-60-gb-data-acer
A group of hackers claims to have stolen more than 60 gigabytes of data after breaching servers belonging to Taiwanese tech giant Acer.
In a post on a publicly accessible hacker forum, a group calling itself “Desorden” claimed to have stolen databases and other files from breached Acer India servers.
The hackers shared a link to a sample of the stolen data and they promised to leak more once they have analyzed it. They also published a video showing the files they allegedly stole from Acer.
They claim the stolen files include information on millions of customers, login credentials used by thousands of Acer retailers and distributors, as well as corporate, financial and audit documents.
Tomi Engdahl says:
Israeli Hospital Targeted in Ransomware Attack
https://www.securityweek.com/israeli-hospital-targeted-ransomware-attack
Tomi Engdahl says:
NFT Marketplace OpenSea Patches Flaw Potentially Leading to Cryptocurrency Theft
https://www.securityweek.com/nft-marketplace-opensea-patches-flaw-potentially-leading-cryptocurrency-theft
OpenSea, the world’s largest NFT marketplace, has addressed a security vulnerability that could have allowed hackers to hijack user accounts and empty their crypto wallets with the help of maliciously crafted NFTs (non-fungible tokens).
The issue was discovered by security researchers with Check Point, following complaints from OpenSea users of crypto-theft attempts after receiving and opening free airdropped NFTs.
NFTs are unique and non-interchangeable units of data that can be used to represent easily-reproducible items such as videos, audio and photos as unique items.
The security defect identified by Check Point could not be exploited without user interaction. The malicious NFTs would trigger pop-up messages on which the user had to accept subsequent operations that allowed hackers to grab their account information.
Specifically, the message would request for the user to allow a connection to their cryptocurrency wallet. With such pop-ups common on OpenSea for other activities, users would likely confirm the connection without too much pondering.
Thus, the victim believed they were enabling action on the received gifted NFT, but they were in fact providing the hackers with access to their wallet.
Subsequently, the hackers could initiate a fraudulent transaction from the victim’s wallet to an attacker-controlled wallet, which would trigger another pop-up message from OpenSea’s storage domain.
Tomi Engdahl says:
A Telegram Bot Told Iranian Hackers When They Got a Hit
https://www.wired.com/story/apt35-iran-hackers-phishing-telegram-bot/
When the Iranian hacking group APT35 wants to know if one of its digital lures has gotten a bite, all it has to do is check Telegram.
Whenever someone visits one of the copycat sites they’ve set up, a notification appears in a public channel on the messaging service, detailing the potential victim’s IP address, location, device, browser, and more. It’s not a push notification; it’s a phish notification.
Tomi Engdahl says:
Acer confirms breach of after-sales service systems in India
https://www.bleepingcomputer.com/news/security/acer-confirms-breach-of-after-sales-service-systems-in-india/
Taiwanese computer giant Acer has confirmed that its after-sales service systems in India were recently breached in what the company called “an isolated attack.”
Tomi Engdahl says:
Microsoft releases Linux version of the Windows Sysmon tool
https://www.bleepingcomputer.com/news/microsoft/microsoft-releases-linux-version-of-the-windows-sysmon-tool/
Microsoft has released a Linux version of the very popular Sysmon system monitoring utility for Windows, allowing Linux administrators to monitor devices for malicious activity.