This posting is here to collect cyber security news in October 2021.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
376 Comments
Tomi Engdahl says:
Thieves abused Apple’s enterprise app programs to steal $1.4 million in crypto https://appleinsider.com/articles/21/10/14/thieves-abused-apples-enterprise-app-programs-to-steal-14-million-in-crypto
A scam circulating for six months has evolved to impact iOS users. The CryptoRom fraud implementation is fairly straightforward: after gaining a victim’s trust through social media or existing data apps, users are fooled into installing a modified version of a cryptocurrency exchange, baited into investing, and then defrauded out of cash.
Tomi Engdahl says:
Beware, Wilma user: users’ credentials are being phished https://www.is.fi/digitoday/tietoturva/art-2000008331529.html
Wilma credentials are being phished through a forged page. The city of Järvenpää is warning parents. The attacker aims to collect users’ usernames and passwords. The site was built by a cybercriminal.
Tomi Engdahl says:
Passengers couldn’t fly after NHS vaccine passport went offline https://arstechnica.com/information-technology/2021/10/passengers-couldnt-fly-after-nhs-vaccine-passport-went-offline/
England’s COVID Pass system went offline for hours on Wednesday, causing British travelers to remain stranded at airports. Some passengers couldn’t board their flights, while others suffered delays as both the National Health Service (NHS) website and app experienced issues.
Tomi Engdahl says:
Experts Warn of Unprotected Prometheus Endpoints Exposing Sensitive Information https://thehackernews.com/2021/10/experts-warn-of-unprotected-prometheus.html
A large-scale unauthenticated scraping of publicly available and non-secured endpoints from older versions of Prometheus event monitoring and alerting solution could be leveraged to inadvertently leak sensitive information, according to the latest research.
Tomi Engdahl says:
Hackers targeted US drinking water and wastewater facilities as recently as August, Homeland Security says
https://lm.facebook.com/l.php?u=https%3A%2F%2Fwww.usatoday.com%2Fstory%2Fnews%2Fpolitics%2F2021%2F10%2F15%2Fhackers-targeting-us-water-facilities-hit-california-maine-2021%2F8461429002%2F&h=AT0yNQIEt7Nwu9uydfEmc662SIl649fBy5pUunFSvh8KW0QEIBfBbZoCZIGJUbf_rW-nHjzuPSG5lhtoSUerhaWHPIjXiHAixQubE2jTidnQddKZTiAlPguL0WbQ2gQg5BTnMnIdHuQ7TvuIKQ
The nation’s top cybersecurity officials issue a warning, saying malicious hackers are targeting government water and wastewater treatment systems.
WASHINGTON – The nation’s top civilian cybersecurity agency issued a warning Thursday about ongoing cyber threats to the U.S. drinking water supply, saying malicious hackers are targeting government water and wastewater treatment systems.
Authorities said they wanted to highlight ongoing malicious cyber activity “by both known and unknown actors” targeting the technology and information systems that provide clean, drinkable water and treat the billions of gallons of wastewater created in the U.S. every year.
One DHS cybersecurity official described it as the routine sharing of technical information between federal agencies and their industry partners “to help collectively reduce the risk to critical infrastructure in the United States.” Added a second Homeland Security official: “It’s not any indication of a new threat. We don’t want anyone to think that their drinking water supply is under attack.”
The advisory also includes bare-bones details of four other unauthorized intrusions between 2019 and August 2021 in California, Maine, Nevada and New Jersey. All of them were ransomware attempts, or efforts to shut down water and wastewater systems in an effort to get a payout in order to put the systems back online, it said, without providing specifics.
The advisory comes several days after Homeland Security Secretary Alejandro Mayorkas and senior DHS cybersecurity officials told USA TODAY that they were concerned about the possibility of a deliberate cyberattack on a water treatment plant or other critical facility that could result in serious injuries or even death.
Tomi Engdahl says:
Missouri governor vows criminal prosecution of reporter who found flaw in state website
https://missouriindependent.com/2021/10/14/missouri-governor-vows-criminal-prosecution-of-reporter-who-found-flaw-in-state-website/
The St. Louis Post-Dispatch notified a state agency and held its story while a problem that risked exposing the social security numbers of Missouri teachers was fixed
On Tuesday, a reporter with the St. Louis Post-Dispatch alerted the state that Social Security numbers of school teachers and administrators were vulnerable to public exposure due to flaws on a website maintained by Missouri’s department of education.
The newspaper agreed to hold off publishing any story while the department fixed the problem and protected the private information of teachers around the state.
But by Thursday, Gov. Mike Parson was labeling the Post-Dispatch reporter a “hacker” and vowing to seek criminal prosecution.
“The state does not take this matter lightly,” Parson said Thursday at a hastily called press conference. He refused to take questions afterward.
According to the Post-Dispatch, one of its reporters discovered the flaw in a web application allowing the public to search teacher certifications and credentials. No private information was clearly visible, but teacher Social Security numbers were contained in HTML source code of the pages.
The state removed the search tool after being notified of the issue by the Post-Dispatch. It was unclear how long the Social Security numbers had been vulnerable.
In a press release Wednesday, the Office of Administration Information Technology Services Division said that through a multi-step process, a “hacker took the records of at least three educators, decoded the HTML source code, and viewed the social security number of those specific educators.”
Parson said Thursday that he wasn’t sure why the reporter accessed the information. He claimed it was part of a “political game by what is supposed to be one of Missouri’s news outlets.”
“The state is committed to bring to justice anyone who hacked our system and anyone who aided and abetted them to do so,” Parson said, later arguing that the reporter was “attempting to embarrass the state and sell headlines for their news outlet.”
Republican state Rep. Tony Lovasco, who according to his legislative biography has worked in software deployment and maintenance, tweeted Thursday that “it’s clear the Governor’s Office has a fundamental misunderstanding of both web technology and industry standard procedures for reporting security vulnerabilities.
“Journalists responsibly sounding an alarm on data privacy is not criminal hacking,” he said.
Chris Vickery, a California-based data security expert, told The Independent that it appears the department of education was “publishing data that it shouldn’t have been publishing.
“That’s not a crime for the journalists discovering it,” he said. “Putting Social Security numbers within HTML, even if it’s ‘non-display rendering’ HTML, is a stupid thing for the Missouri website to do and is a type of boneheaded mistake that has been around since day one of the Internet. No exploit, hacking or vulnerability is involved here.”
The court ruled in that case that someone violates the law when they access files or other information that is off-limits to them. In Missouri, Vickery said, the state was publishing “the HTML source to the public internet, with no hurdles of a password or other requisite form of authentication challenge, means the public can reasonably assume to be authorized to view that content for the purposes of laws related to ‘computer trespass’ forms of offense.”
The Post-Dispatch published a statement in response from its attorney, saying the reporter “did the responsible thing by reporting his findings to (the Department of Elementary and Secondary Education) so that the state could act to prevent disclosure and misuse.
“A hacker is someone who subverts computer security with malicious or criminal intent,” the statement continued. “Here, there was no breach of any firewall or security and certainly no malicious intent. For DESE to deflect its failures by referring to this as ‘hacking’ is unfounded. Thankfully, these failures were discovered.”
“The governor should direct his anger towards the failure of state government to keep its technology secure and up to date and to work to fix the problem,” she said, “not threaten journalists with prosecution for uncovering those failures.”
Tomi Engdahl says:
Governor Wants to Prosecute Journalist Who Clicked ‘View Source’ on Government Site
https://www.vice.com/en/article/jg8ynp/governor-wants-to-prosecute-journalist-who-clicked-view-source-on-government-site
A St. Louis Post-Dispatch journalist found 100,000 Social Security numbers exposed in a government website, and reported the flaw to the government.
Missouri Gov. Mike Parson wants to prosecute a journalist who warned the state that a government website left school teachers and administrators’ Social Security numbers exposed.
Parson called St. Louis Post-Dispatch reporter Josh Renaud a “hacker” and vowed to seek criminal prosecution at a press conference on Thursday. Renaud’s “crime?” Clicking “view source” on a publicly available webpage.
“The state does not take this matter lightly,” Parson said
On Wednesday, the St. Louis Post-Dispatch reported that a flaw in the state’s Department of Elementary and Secondary Education left exposed the SSNs of the department employees, including teachers, administrators, and counselors. Renaud reported that the SSNs were visible simply by viewing the HTML source code of the vulnerable pages, something that anyone can do with two clicks on any modern browser.
The way the St. Louis Post-Dispatch and Renaud handled the situation seems like a textbook example of ethical disclosure of a bug. The paper reported having found the bug in the web app set up to allow the public to search teacher certifications and credentials. More than 100,000 SSNs were exposed, according to the paper.
Once the paper alerted the state government, the department fixed the bug on Tuesday, and the paper published its story on Wednesday, once there were no risks for the teachers whose SSNs were exposed. Parson’s comments are also a textbook example of government officials seemingly not having any clue how technology works, and vilifying people who do ethical security research as criminals, rather than simply thanking them for doing a public service that makes us all safer.
“The newspaper delayed publishing this report to give the department time to take steps to protect teachers’ private information, and to allow the state to ensure no other agencies’ web applications contained similar vulnerabilities,”
“The reporter did the responsible thing by reporting his findings to the Department of Elementary and Secondary Education (DESE) so that the state could act to prevent disclosure and misuse,” the statement read. “A hacker is someone who subverts computer security with malicious or criminal intent. Here, there was no breach of any firewall or security and certainly no malicious intent. For DESE to deflect its failures by referring to this as ‘hacking’ is unfounded. Thankfully, these failures were discovered.”
Tomi Engdahl says:
SCADA systems are sooo BASIC…
Hackers targeted US drinking water and wastewater facilities as recently as August, Homeland Security says
https://lm.facebook.com/l.php?u=https%3A%2F%2Fwww.usatoday.com%2Fstory%2Fnews%2Fpolitics%2F2021%2F10%2F15%2Fhackers-targeting-us-water-facilities-hit-california-maine-2021%2F8461429002%2F&h=AT28S1W6f6FKYZutLfPuxA9KaoyjKSttF7T_gPSpyzerWgxmSv-XzZdiykXzsRAHhsJXFPwv3Uhp8RNKeDVTiVbYD09NKdL1-ZFmAIFRXAEidkCTnPChKy0BaKLlGitvmw
The nation’s top cybersecurity officials issue a warning, saying malicious hackers are targeting government water and wastewater treatment systems.
Authorities said they wanted to highlight ongoing malicious cyber activity “by both known and unknown actors” targeting the technology and information systems that provide clean, drinkable water and treat the billions of gallons of wastewater created in the U.S. every year.
Tomi Engdahl says:
Cyberattack Disrupts Services at Ecuador’s Largest Bank
https://www.securityweek.com/cyberattack-disrupts-services-ecuadors-largest-bank
Customers of Ecuador’s largest bank continued to experience service disruptions on Friday following a cyberattack on the institution several days earlier.
Long lines formed outside Pichincha bank branches and thousands of customers took their complaints to social media. People reported being unable to access services offered by the bank’s online and mobile app. ATMs worked somewhat regularly and branches remained open.
The bank in a statement Monday acknowledged that it had “identified a cybersecurity incident in our systems that has partially disabled our services.”
Tomi Engdahl says:
Twitch Says Hack Impacted ‘Small Fraction of Users’
https://www.securityweek.com/twitch-says-hack-impacted-small-fraction-users
Amazon-owned live streaming service Twitch on Friday shared another update on the recent data breach. The company says it’s confident that only a “small fraction of users” are affected and that customer impact is minimal.
The company said the breach was a result of a server configuration change that allowed the hackers to gain access to its systems.
In its latest update, the company said passwords have not been exposed and systems storing login credentials have not been accessed by the attackers. It also pointed out that full payment card numbers or bank information has not been compromised.
“The exposed data primarily contained documents from Twitch’s source code repository, as well as a subset of creator payout data,” the company said.
Twitch has millions of active streamers and their streams are watched by tens of millions of people.
Tomi Engdahl says:
Russia-Linked TA505 Back at Targeting Financial Institutions
https://www.securityweek.com/russia-linked-ta505-back-targeting-financial-institutions
Russia-linked threat actor TA505 has been observed using a lightweight Office file for malware distribution in a new campaign targeting financial institutions in multiple geographies.
The attacks target organizations across multiple sectors in Canada, the United States, Hong Kong, Europe, and more, and have seen low detection rates in Google’s VirusTotal scanning engine.
Dubbed MirrorBlast, the campaign started in early September, following similar activity in April 2021, Morphisec’s security researchers reveal.
The infection chain starts with a malicious document delivered using phishing emails and later on moves to using the Google feedproxy URL, employing SharePoint and OneDrive lures masquerading as file share requests.
Tomi Engdahl says:
Nations Vow to Combat Ransomware at US-Led Summit
https://www.securityweek.com/nations-vow-combat-ransomware-us-led-summit
Over two dozen nations resolved Thursday to battle collectively against the global and escalating threat posed by cyber-extortionists, following a Washington-led anti-ransomware summit.
The United States gathered the countries — with the notable exception of Russia — to unify and boost efforts to fight a cybercrime that is transnational, on the rise and potentially devastating.
“The threat of ransomware is complex and global in nature and requires a shared response,” the joint summit statement said, adding the nations “recognize the need for urgent action, common priorities and complementary efforts.”
These attacks involve breaking into an entity’s networks to encrypt its data, then demanding a ransom, typically paid via cryptocurrency in exchange for the key to unlock it.
Stronger digital security and offline backups as well as collectively targeting the laundering of the attacks’ proceeds were identified as crucial steps in the fight.
“We will consider all national tools available in taking action against those responsible for ransomware operations threatening critical infrastructure and public safety,” the statement said.
Tomi Engdahl says:
Catalin Cimpanu / The Record:
A joint advisory by the FBI, NSA, CISA, and EPA reveals three more ransomware attacks on water treatment plants this year in Nevada, Maine, and California
US govt reveals three more ransomware attacks on water treatment plants this year
https://therecord.media/us-govt-reveals-three-more-ransomware-attacks-on-water-treatment-plants-this-year/
Ransomware gangs have silently hit three US water and wastewater treatment facilities this year, in 2021, the US government said in a joint cybersecurity advisory published today by the FBI, NSA, CISA, and the EPA.
The attacks —which had been previously unreported— took place in March, July, and August and hit facilities in Nevada, Maine, and California, respectively.
The attacks led to the threat actors encrypting files, and in one case, even corrupting a computer used to control the SCADA industrial equipment deployed inside the treatment plant.
The three new incidents [see below] were listed as examples of what could happen when water treatment facilities ignore and fail to secure their computer networks.
In August 2021, malicious cyber actors used Ghost variant ransomware against a California-based WWS [water and wastewater system] facility. The ransomware variant had been in the system for about a month and was discovered when three supervisory control and data acquisition (SCADA) servers displayed a ransomware message.
In July 2021, cyber actors used remote access to introduce ZuCaNo ransomware onto a Maine-based WWS facility’s wastewater SCADA computer. The treatment system was run manually until the SCADA computer was restored using local control and more frequent operator rounds.
In March 2021, cyber actors used an unknown ransomware variant against a Nevada-based WWS facility. The ransomware affected the victim’s SCADA system and backup systems. The SCADA system provides visibility and monitoring but is not a full industrial control system (ICS).
Tomi Engdahl says:
Ransomware Hit SCADA Systems at 3 Water Facilities in U.S.
https://www.securityweek.com/ransomware-hit-scada-systems-3-water-facilities-us
Several U.S. government agencies issued a joint alert on Thursday to warn organizations in the water and wastewater sector about ongoing cyberattacks. The alert also describes three previously unreported ransomware attacks that impacted industrial control systems (ICS) at water facilities.
The alert was issued by the FBI, CISA, the EPA and the NSA. The agencies are aware of attacks — launched by both known and unknown threat actors — against the IT and OT (operational technology) networks of water facilities.
The agencies noted that while cyber threats are increasing across critical infrastructure sectors, the latest alert does not intend to suggest that the water and wastewater sector is targeted more than other sectors.
The new alert highlights the risks related to data, ransomware, network segmentation, network complexity, and system maintenance, and shares information on the tactics, techniques and procedures (TTPs) used by threat actors to compromise IT and OT systems and networks. It also provides recommendations on how organizations can prevent, detect, and respond to cyber threats.
Tomi Engdahl says:
Researchers Disclose New Side-Channel Attacks Affecting All AMD CPUs
https://www.securityweek.com/researchers-disclose-new-side-channel-attacks-affecting-all-amd-cpus
Researchers have disclosed the details of new timing and power-based side-channel attacks that affect all CPUs made by AMD, but the chipmaker says no new mitigations are necessary.
The new attack method was discovered by researchers Moritz Lipp and Daniel Gruss of the Graz University of Technology and Michael Schwarz of the CISPA Helmholtz Center for Information Security. They were among those who discovered the original Meltdown and Spectre vulnerabilities, research that paved the way for many other side-channel attack methods targeting widely used processors.
Many of the side-channel attacks disclosed over the past years targeted Intel processors, but systems powered by AMD processors are not immune either, as the newly presented research shows.
The new attacks demonstrated by Lipp, Gruss and Schwarz leverage time and power measurements of prefetch instructions.
“In contrast to previous work on prefetch attacks on Intel, we show that the prefetch instruction on AMD leaks even more information,” the researchers explained in the abstract of their paper.
They have demonstrated several attack scenarios, including one in which they mounted a Spectre attack to leak sensitive data from the operating system, and showed a new method for establishing a covert channel to exfiltrate data.
The researchers also claim to have identified the first “full microarchitectural KASLR (kernel address space layout randomization) break on AMD that works on all major operating systems.” KASLR is an exploit mitigation technique and the experts showed how an attacker could break it on laptops, desktop PCs, and virtual machines in the cloud.
The findings were reported to AMD in mid- and late 2020, and the vendor acknowledged them and provided feedback in February 2021.
AMD has assigned the CVE identifier CVE-2021-26318 and a medium severity rating to the vulnerabilities. The chipmaker has confirmed that the issue impacts all of its processors, but it’s not recommending any new mitigations due to the fact that “the attacks discussed in the paper do not directly leak data across address space boundaries.”
AMD Prefetch Attacks through Power and Time
https://cispa.de/en/research/publications/3507-amd-prefetch-attacks-through-power-and-time
Side-channels Related to the x86 PREFETCH Instruction
https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1017
Tomi Engdahl says:
Juniper Networks Patches Over 70 Vulnerabilities
https://www.securityweek.com/juniper-networks-patches-over-70-vulnerabilities
Tomi Engdahl says:
European Cybersecurity Month: Test your Skills with a Quiz https://www.enisa.europa.eu/news/enisa-news/cybersecurity-month-test-your-skills-with-a-quiz
The second theme of the European Cybersecurity Month (ECSM), “Cyber First Aid”, is launched today and introduces guidelines in case one falls victim to a cyberattack.
Tomi Engdahl says:
Critical infrastructure security dubbed ‘abysmal’ by researchers https://www.zdnet.com/article/critical-infrastructure-security-dubbed-abysmal-by-researchers/
The “abysmal” state of security for industrial control systems (ICSs) is putting critical services at serious risk, new research finds.
Tomi Engdahl says:
Russian cybercrime gang targets finance firms with stealthy macros https://www.bleepingcomputer.com/news/security/russian-cybercrime-gang-targets-finance-firms-with-stealthy-macros/
A new phishing campaign dubbed MirrorBlast is deploying weaponized Excel documents that are extremely difficult to detect to compromise financial service organizations. The most notable feature of MirrorBlast is the low detection rates of the campaign’s malicious Excel documents by security software, putting firms that rely solely upon detection tools at high risk.
Tomi Engdahl says:
Spamhaus Botnet Threat Update: Q3-2021
https://www.spamhaus.org/news/article/815/spamhaus-botnet-threat-update-q3-2021
Q3 has seen a massive 82% rise in the number of new botnet command and controllers (C&Cs) identified by our research team. They have observed an explosion in the use of backdoor malware with nefarious operators hiding behind FastFlux. In turn, this has caused several new countries and service providers to be listed in our Top 20 charts. Welcome to the Spamhaus Botnet Threat Update Q3 2021.
Tomi Engdahl says:
Twitch downplays this month’s hack, says it had minimal impact https://www.bleepingcomputer.com/news/security/twitch-downplays-this-months-hack-says-it-had-minimal-impact/
In an update regarding this month’s security incident, Twitch downplayed the breach saying that it had minimal impact and only affected a small number of users.
Accenture confirms data breach after August ransomware attack https://www.bleepingcomputer.com/news/security/accenture-confirms-data-breach-after-august-ransomware-attack/
Global IT consultancy giant Accenture confirmed that LockBit ransomware operators stole data from its systems during an attack that hit the company’s systems in August 2021.
Tomi Engdahl says:
LANtenna hack spies on your data from across the room! (Sort of) https://nakedsecurity.sophos.com/2021/10/15/lantenna-hack-spies-on-your-data-from-across-the-room-sort-of/
Mordechai Guri from the abovementioned Ben Gurion University of the Negev (BGU) in Israel has recently published a new data exfiltration paper detailing an unexpectedly effective way of sneaking very small amounts of data out of a cabled network without using any obvious sort of interconnection. This one is entitled LANTENNA: Exfiltrating Data from Air-Gapped Networks via Ethernet Cables, and it’s the latest of many BGU publications in recent years dealing with a tricky problem in cybersecurity, namely. Also: https://arxiv.org/pdf/2110.00104.pdf
Tomi Engdahl says:
CISA Issues Warning On Cyber Threats Targeting Water and Wastewater Systems https://thehackernews.com/2021/10/cisa-issues-warning-on-cyber-threats.html
The U.S. Cybersecurity Infrastructure and Security Agency (CISA) on Thursday warned of continued ransomware attacks aimed at disrupting water and wastewater facilities (WWS), highlighting five incidents that occurred between March 2019 and August 2021. Also:
https://us-cert.cisa.gov/ncas/alerts/aa21-287a
Tomi Engdahl says:
Apache is Actively Scanned for CVE-2021-41773 & CVE-2021-42013
https://isc.sans.edu/diary/rss/27940
Johannes published a diary on this activity last week for an Apache 2.4.49 directory traversal vulnerability where the patch was made available on September 15, 2021. Apache released a new update on October 7, 2021, indicating their advisory for “Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) (CVE-2021-42013)”.
Tomi Engdahl says:
Do Not Exchange! It has a Shell Inside
https://www.deepinstinct.com/blog/do-not-exchange-it-has-a-shell-inside
Threat Researchers recently discovered several new Microsoft Exchange vulnerabilities in ProxyShell that allow attackers to gain remote-code execution capabilities. While these vulnerabilities were disclosed to Microsoft and mostly patched prior to the technical details of the vulnerabilities becoming public, many Exchange servers were left unpatched and have since been compromised.
Tomi Engdahl says:
Windows 10, iOS 15, Ubuntu, Chrome fall at China’s Tianfu hacking contest https://therecord.media/windows-10-ios-15-ubuntu-chrome-fall-at-chinas-tianfu-hacking-contest/
Chinese security researchers took home $1.88 million after hacking some of the world’s most popular software at the Tianfu Cup, the country’s largest and most prestigious hacking competition. The contest, which took place over the weekend of October 16 and 17 in the city of Chengdu, was won by researchers from Chinese security firm Kunlun Lab, who took home $654,500, a third of the total purse.
Tomi Engdahl says:
Brazilian insurance giant Porto Seguro hit by cyberattack
https://www.zdnet.com/article/brazilian-insurance-giant-porto-seguro-hit-by-cyberattack/#ftag=RSSbaffb68
One of Brazil’s largest insurance groups, Porto Seguro has reported it suffered a cyberattack that resulted in instability to its service channels and some of its systems.
Tomi Engdahl says:
Winter tyres almost turned into a big bill: Tori.fi sellers are being scammed in a new way https://www.is.fi/digitoday/tietoturva/art-2000008332890.html
The online marketplace Tori.fi, widely used by Finns, is also popular with criminals. The long-known plague of defrauding buyers has been joined by scams that specifically target sellers.
Tomi Engdahl says:
Catalin Cimpanu / The Record:
In an SEC filing, Sinclair confirms it suffered a ransomware attack that disrupted its channels on Sunday; Sinclair initially blamed technical issues — Sinclair formally confirmed the ransomware attack a day after this initial report in SEC documents. Original reporting below.
Sinclair TV stations disrupted across the US after ransomware attack
https://therecord.media/sinclair-tv-stations-disrupted-across-the-us-in-apparent-ransomware-attack/
TV broadcasts for Sinclair-owned channels have gone down today across the US in what the stations have described as technical issues, but which multiple sources told The Record to be a ransomware attack.
The incident occurred in the early hours of the day and took down the Sinclair internal corporate network, email servers, phone services, and the broadcasting systems of local TV stations.
As a result of the attack, many channels weren’t able to broadcast morning shows, news segments, and scheduled NFL games, according to a barrage of tweets coming from viewers and the TV channels themselves.
“Internally, it’s bad,” a source who had to call Sinclair employees on their personal numbers to get more details about the attack, told The Record earlier today in a private conversation.
The attack could have been isolated, but many sections of the Sinclair IT network were interconnected through the same Active Directory domain, allowing the attackers to reach broadcasting systems for local TV stations.
However, the attack did not reach the part of the Sinclair broadcast system called “the master control,” which allowed the company to replace the scheduled local programming on the affected channels with a national feed, allowing some channels to at least remain on the air.
The incident comes after Sinclair performed a company-wide password reset for IT resources shared by local stations in July after what it described as a “potentially serious network security issue.”
At the time of writing, it is unclear how many Sinclair TV stations have been impacted. A Sinclair spokesperson could not be contacted via email or phone as these systems were down because of the attack.
The Sinclair Broadcast Group is one of the largest media empires in the US, controlling 294 television stations in 89 markets across the US. The Record found tens of Sinclair stations, from Washington to Maryland and from Illinois to Texas, which announced technical issues today.
Tomi Engdahl says:
iPhone 13 Pro Hacked: Chinese Hackers Suddenly Break iOS 15.0.2 Security http://on.forbes.com/6185JOGuF
Tomi Engdahl says:
Thingiverse Data Leaked — Check Your Passwords
https://hackaday.com/2021/10/14/thingiverse-data-leaked-check-your-passwords/
Every week seems to bring another set of high-profile data leaks, and this time it’s the turn of a service that should be of concern to many in our community. A database backup from the popular 3D model sharing website Thingiverse has leaked online, containing 228,000 email addresses, full names, addresses, and passwords stored as unsalted SHA-1 or bcrypt hashes. If you have an account with Thingiverse it is probably worth your while to head over to Have I Been Pwned to search on your email address, and just to be sure you should also change your password on the site. Our informal testing suggests that not all accounts appear to be contained in the leak, which appears to relate to comments left on the site.
https://haveibeenpwned.com/PwnedWebsites#Thingiverse
Tomi Engdahl says:
Multiple vulnerabilities in popular WordPress plugin WP Fastest Cache https://blog.malwarebytes.com/malwarebytes-news/2021/10/multiple-vulnerabilities-in-popular-wordpress-plugin-wp-fastest-cache/
Multiple vulnerabilities have been found in the popular WordPress plugin WP Fastest Cache during an internal audit by the Jetpack Scan team. Jetpack reports that it found an Authenticated SQL Injection vulnerability and a Stored XSS (Cross-Site Scripting) via Cross-Site Request Forgery (CSRF) issue.
Tomi Engdahl says:
BlackByte ransomware decryptor released
https://www.zdnet.com/article/blackbyte-ransomware-decryptor-released/
A new form of malware found in a recent IT incident appears to have been inspired by other strains known to reap their operators huge financial rewards — but is likely the work of amateurs. Dubbed BlackByte and discovered by Trustwave, the Windows-based ransomware is considered “odd” due to some of the design and function decisions made by its creators.
Tomi Engdahl says:
State-backed hackers breach telcos with custom malware https://www.bleepingcomputer.com/news/security/state-backed-hackers-breach-telcos-with-custom-malware/
A previously unknown state-sponsored actor is deploying a novel toolset in attacks targeting telecommunication providers and IT firms in South Asia. The goal of the group, tracked as Harvester by researchers at Symantec who spotted it, is to collect intelligence in highly targeted espionage campaigns focusing on IT, telecom, and government entities.
Tomi Engdahl says:
Microsoft asks admins to patch PowerShell to fix WDAC bypass https://www.bleepingcomputer.com/news/microsoft/microsoft-asks-admins-to-patch-powershell-to-fix-wdac-bypass/
Microsoft has asked system administrators to patch PowerShell 7 against two vulnerabilities allowing attackers to bypass Windows Defender Application Control (WDAC) enforcements and gain access to plain text credentials.
Tomi Engdahl says:
Sinclair TV stations crippled by weekend ransomware attack https://www.bleepingcomputer.com/news/security/sinclair-tv-stations-crippled-by-weekend-ransomware-attack/
TV stations owned by the Sinclair Broadcast Group broadcast television company went down over the weekend across the US, with multiple sources telling BleepingComputer a ransomware attack caused the downtime. Also:
https://www.businesswire.com/news/home/20211018005490/en/Sinclair-Broadcast-Group-Provides-Information-On-Cybersecurity-Incident
Sinclair Broadcast Group Provides Information On Cybersecurity Incident. Also:
https://therecord.media/sinclair-tv-stations-disrupted-across-the-us-in-apparent-ransomware-attack/
Tomi Engdahl says:
REvil Ransomware Gang Goes Underground After Tor Sites Were Compromised https://thehackernews.com/2021/10/revil-ransomware-gang-goes-underground.html
REvil, the notorious ransomware gang behind a string of cyberattacks in recent years, appears to have gone off the radar once again, a little over a month after the cybercrime group staged a surprise return following a two-month-long hiatus. Also:
https://www.bleepingcomputer.com/news/security/revil-ransomware-shuts-down-again-after-tor-sites-were-hijacked/
Also:
https://therecord.media/revil-gang-shuts-down-for-the-second-time-after-its-tor-servers-were-hacked/
Tomi Engdahl says:
Hacker steals government ID database for Argentina’s entire population https://therecord.media/hacker-steals-government-id-database-for-argentinas-entire-population/
A hacker has breached the Argentinian government’s IT network and stolen ID card details for the country’s entire population, data that is now being sold in private circles.
Tomi Engdahl says:
Sinclair Hit by Ransomware Attack, TV Stations Disrupted
https://www.securityweek.com/sinclair-hit-ransomware-attack-tv-stations-disrupted
Tomi Engdahl says:
Many Prometheus Endpoints Expose Sensitive Data
https://www.securityweek.com/many-prometheus-endpoints-expose-sensitive-data
Unprotected instances of open source event monitoring solution Prometheus may leak metric and label data to the Internet, software company JFrog warns.
Designed to harvest real-time metrics from various endpoints, Prometheus enables organizations to keep a close eye on systems’ state, network usage, and the like. Close to 800 cloud-native platforms, including Slack and Uber, leverage the solution.
In January 2021, Prometheus added support for Transport Layer Security (TLS) and basic authentication, to prevent access to the captured metrics. However, numerous Prometheus endpoints that are accessible from the Internet were found to leak metric and label data, JFrog reveals.
https://jfrog.com/blog/dont-let-prometheus-steal-your-fire/
Prometheus is an open-source, metrics-based event monitoring and alerting solution for cloud applications. It is used by nearly 800 cloud-native organizations including Uber, Slack, Robinhood, and more. By scraping real-time metrics from various endpoints, Prometheus allows easy observation of a system’s state in addition to observation of hardware and software metrics such as memory usage, network usage and software-specific defined metrics (ex. number of failed login attempts to a web application).
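The exposure described above is easy to confirm from outside: a default Prometheus listener answers its HTTP API without credentials, and `/api/v1/status/config` in particular returns the full scrape configuration. The check below is an added example, not JFrog's tooling or anything from the Prometheus project. It probes a few read-only API paths and reports which ones answer with a Prometheus `"status": "success"` document without any authentication; the `fetch` parameter exists so the decision logic can be exercised against constructed responses offline. The target URL is assumed to be a host you are authorised to test.

```python
import json
import sys
import urllib.error
import urllib.request

# Read-only API paths that a default (unauthenticated) Prometheus serves to anyone.
# status/config returns the scrape configuration, including any scrape-target
# credentials it contains; targets and label values leak host names and metric names.
PROBE_PATHS = [
    "/api/v1/status/config",
    "/api/v1/targets",
    "/api/v1/label/__name__/values",
]


def http_get(url: str, timeout: float = 5.0):
    """Return (status_code, body_text); HTTP error codes are returned, not raised."""
    req = urllib.request.Request(url, headers={"User-Agent": "prometheus-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def looks_like_prometheus_success(body: str) -> bool:
    """Prometheus API responses are JSON objects with "status": "success" when the call is served."""
    try:
        doc = json.loads(body)
    except ValueError:
        return False
    return isinstance(doc, dict) and doc.get("status") == "success"


def assess(base_url: str, fetch=http_get):
    """Probe each path without credentials and record whether it was served."""
    base = base_url.rstrip("/")
    findings = {}
    for path in PROBE_PATHS:
        status, body = fetch(base + path)
        findings[path] = {
            "status": status,
            "exposed": status == 200 and looks_like_prometheus_success(body),
        }
    return findings


def is_exposed(findings) -> bool:
    return any(f["exposed"] for f in findings.values())


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:9090"
    results = assess(target)
    for path, f in results.items():
        print(f"{path}: HTTP {f['status']} {'EXPOSED' if f['exposed'] else 'not served'}")
    sys.exit(1 if is_exposed(results) else 0)
```

A 200 with a success document on `/api/v1/status/config` is the finding to fix first, since that is where scrape credentials live. The remediation the article alludes to is the web configuration file introduced in January 2021 (`--web.config.file` with `basic_auth_users` and a `tls_server_config`), or simply not binding the listener to an Internet-reachable address; after either change the probe should report 401 or a connection failure instead of 200.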
Tomi Engdahl says:
Accenture Confirms Data Stolen in Ransomware Attack
https://www.securityweek.com/accenture-confirms-data-stolen-ransomware-attack
Consulting giant Accenture has confirmed that proprietary information was stolen in a ransomware attack disclosed in August 2021.
At the time, LockBit ransomware operators claimed to have stolen over 6 terabytes of data from Accenture’s systems, demanding a $50 million ransom to be paid in exchange for keeping the data private.
Given that Accenture did not pay the requested amount in due time, the attackers published over 2,000 files allegedly stolen during the incident, threatening to publish more of them.
Accenture said at the time that it was able to quickly contain the incident and restore affected systems from backups, but did not provide specific details on the type of data that was stolen.
In a Form 10-K filing with the Securities and Exchange Commission (SEC) last week, the company confirmed that the attackers were able to steal some proprietary information from its servers.
https://www.accenture.com/_acnmedia/PDF-165/Accenture-Fiscal-2021-Annual-Report.pdf#zoom=50
Ransomware Gang Leaks Files Allegedly Stolen From Accenture
https://www.securityweek.com/ransomware-gang-leaks-files-allegedly-stolen-accenture
Tomi Engdahl says:
Missouri Governor Urged to Appoint Cybersecurity Panel
https://www.securityweek.com/missouri-governor-urged-appoint-cybersecurity-panel
Three months after creation of a commission to identify cybersecurity risks in state government, Missouri Gov. Mike Parson has yet to appoint any members. A state lawmaker said Friday that vulnerabilities exposed on a state website prove the need for just such a panel of experts.
Democratic state Rep. Ashley Aune, of Kansas City, helped write the section of Senate Bill 49 that created the Missouri Cybersecurity Commission. Parson, a Republican, signed the bill into law in mid-July.
“In light of the events that have transpired this week, I believe the governor cannot wait any longer to appoint members to this commission so it may do the critical work of identifying and rectifying gaps in Missouri’s cyberinfrastructure,” Aune said in a news release.
Tomi Engdahl says:
Tim Starks / CyberScoop:
NSA, CISA, and FBI say that ransomware group BlackMatter is attacking critical US infrastructure, including the food sector, demanding $80K-$15M in crypto — A government advisory published Monday warned that BlackMatter ransomware attackers are going after U.S. critical infrastructure …
NSA, DHS shine light on BlackMatter ransomware threat to food industry, demands of up to $15 million
https://www.cyberscoop.com/blackmatter-food-agriculture-ransomware-cisa-fbi-nsa/
Oct 18, 2021 | CYBERSCOOP
A government advisory published Monday warned that BlackMatter ransomware attackers are going after U.S. critical infrastructure, including food and agriculture organizations, and demanding exorbitant payouts.
It’s the latest joint alert from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, the FBI and the National Security Agency, this time about a form of ransomware that first emerged in July. It comes just days after a similar alert about ransomware threats to water and wastewater facilities. It’s also part of a recent push by federal security agencies to put a focus on the food and agriculture sector.
“This advisory highlights the evolving and persistent nature of criminal cyber actors and the need for a collective public and private approach to reduce the impact and prevalence of ransomware attacks,” said Eric Goldstein, executive assistant director for cybersecurity at CISA.
BlackMatter seeks between $80,000 and $15 million in cryptocurrency, including bitcoin and Monero, to unlock its victims’ systems, the government agencies said. BlackMatter ransomware developers operate on a ransomware-as-a-service model, where they lease some illicit responsibilities and share in the profits with other scammers who use their malware.
The report doesn’t name the two food and agriculture organizations mentioned in the alert, and CISA referred questions about their identities to the FBI, which did not immediately respond to a request for comment. But in September, two separate ag organizations suffered ransomware attacks.
Intruders first breached New Cooperative, an Iowa grain collective, which resulted in the business taking some of its systems offline and warning of food supply disruptions. By October, New Cooperative was still working to restore normal operations. BlackMatter took credit for that attack.
Then, Crystal Valley Cooperative, a Minnesota agriculture supplier, said it was breached, but didn’t identify its attackers.
Both incidents followed an intrusion at meat supplier JBS, which led to meat processing plant shutdowns in June. The FBI blamed the REvil gang for that attack.
The latest alert says that BlackMatter might be a rebranded version of DarkSide, which the FBI said was behind the attack on Colonial Pipeline.
“Ransomware attacks targeting the Food and Agriculture sector disrupt operations, cause financial loss, and negatively impact the food supply chain,
Tomi Engdahl says:
Governor Wants to Prosecute Journalist Who Clicked ‘View Source’ on Government Site
https://www.vice.com/en/article/jg8ynp/governor-wants-to-prosecute-journalist-who-clicked-view-source-on-government-site
A St. Louis Post-Dispatch journalist found 100,000 Social Security numbers exposed in a government website, and reported the flaw to the government.
Parson wants to prosecute a journalist who warned the state that a government website left school teachers and administrators’ Social Security numbers exposed.
Parson called St. Louis Post-Dispatch reporter Josh Renaud a “hacker” and vowed to seek criminal prosecution at a press conference on Thursday. Renaud’s “crime?” Clicking “view source” on a publicly available webpage.
Tomi Engdahl says:
Oracle’s October 2021 critical patches
https://www.kyberturvallisuuskeskus.fi/fi/haavoittuvuus_33/2021
Oracle has published an advance notice of 418 security updates for a total of 29 of its products. Several dozen lower-criticality updates are also included. We recommend updating promptly and following the vendor’s instructions. Also:
https://www.oracle.com/security-alerts/cpuoct2021.html
Tomi Engdahl says:
Microsoft issues advisory for Surface Pro 3 TPM bypass vulnerability https://www.bleepingcomputer.com/news/microsoft/microsoft-issues-advisory-for-surface-pro-3-tpm-bypass-vulnerability/
Microsoft has published an advisory regarding a security feature bypass vulnerability impacting Surface Pro 3 tablets which could allow threat actors to introduce malicious devices within enterprise environments.
Tomi Engdahl says:
South African police arrest eight romance scammers for stealing $6.85 million https://therecord.media/south-african-police-arrest-eight-romance-scammers-for-stealing-6-85-million/
The South African Police Service has arrested eight suspects on charges of engaging in romance scams and stealing more than 100 million rand ($6.85 million) from victims.
Tomi Engdahl says:
Squirrel Engine Bug Could Let Attackers Hack Games and Cloud Services https://thehackernews.com/2021/10/squirrel-engine-bug-could-let-attackers.html
Researchers have disclosed an out-of-bounds read vulnerability in the Squirrel programming language that can be abused by attackers to break out of the sandbox restrictions and execute arbitrary code within a SquirrelVM, thus giving a malicious actor complete access to the underlying machine.
Tomi Engdahl says:
A New Variant of FlawedGrace Spreading Through Mass Email Campaigns https://thehackernews.com/2021/10/a-new-variant-of-flawedgrace-spreading.html
Cybersecurity researchers on Tuesday took the wraps off a mass volume email attack staged by a prolific cybercriminal gang affecting a wide range of industries, with one of its region-specific operations notably targeting Germany and Austria. Also:
https://www.proofpoint.com/us/blog/threat-insight/whatta-ta-ta505-ramps-activity-delivers-new-flawedgrace-variant
Also: https://threatpost.com/ta505-retooled-flawedgrace-rat/175559/
Tomi Engdahl says:
$1.9 Million Paid Out for Exploits at China’s Tianfu Cup Hacking Contest
https://www.securityweek.com/19-million-paid-out-exploits-chinas-tianfu-cup-hacking-contest
Several white hat hacker teams that took part in the Chinese hacking contest Tianfu Cup over the weekend earned hundreds of thousands of dollars for their exploits.
The Tianfu Cup hacking competition is similar to Pwn2Own — participants can earn significant rewards for vulnerabilities and exploit chains targeting widely used software and hardware. The event has been taking place in Chengdu, China, and, in the past years, participants have earned a total of $1 million (2018), $500,000 (2019) and $1.2 million (2020).
At the latest edition, participants demonstrated exploits targeting Windows 10, Ubuntu, iOS 15 on iPhone 13 Pro, Microsoft Exchange, Chrome, Safari, Adobe Reader, Parallels Desktop, QEMU, Docker, VMware ESXi and Workstation, and ASUS routers. Only Synology products were not hacked at this year’s event.
Participants earned a total of roughly $1.9 million, with the first three teams taking home $654,500, $522,500 and $392,500.
The biggest single reward, $300,000, was earned by Team Pangu for a remote jailbreak targeting the iPhone 13 Pro with iOS 15. The exploit was triggered with a single click on a specially crafted link.
The winning team, which represented Chinese cybersecurity company Cyber Kunlun, successfully demonstrated exploits targeting Chrome, Adobe Reader, VMware ESXi and Workstation, the iPhone 13 Pro, Safari on macOS, and Windows 10.