Cyber security news November 2021

This posting is here to collect cyber security news in November 2021.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.

373 Comments

  1. Tomi Engdahl says:

    Action needed by self-managed customers in response to CVE-2021-22205 https://about.gitlab.com/blog/2021/11/04/action-needed-in-response-to-cve2021-22205/
    CVE-2021-22205 is a critical severity vulnerability (CVSS 10.0) that is a result of improper validation of image files by a 3rd-party file parser Exif-Tool, resulting in a remote command execution vulnerability that can lead to the compromise of your GitLab instance.
    This issue was remediated and patched in the GitLab 13.10.3, 13.9.6, and 13.8.8 release from April 14, 2021. We have confirmed reports of the vulnerability being exploited on self-hosted public-facing GitLab instances. GitLab.com users are not affected.

    Reply
  2. Tomi Engdahl says:

    Phishing Attack Blends Spoofed Amazon Order and Fraudulent Customer Service Agents
    https://www.darkreading.com/attacks-breaches/new-lure-impersonates-popular-amazon-brand-and-combines-email-phishing-with-a-voice-scam-
    A new multistage phishing campaign spoofs Amazon’s order notification page and includes a phony customer service voice number where the attackers request the victim’s credit card details to correct the errant “order.”

    Reply
  3. Tomi Engdahl says:

    Money laundering scandal shakes Twitch: thousands of streamers involved?
    https://www.tivi.fi/uutiset/tv/dfe9a64a-98bf-41bb-a4fd-5dde26be15c5
    Hackers who stole credit card details have been using Twitch streamers in their money laundering operation.

    Reply
  4. Tomi Engdahl says:

    An insidious threat was found in 151 Play Store apps, downloaded more than 10 million times https://www.is.fi/digitoday/mobiili/art-2000008381959.html
    Google Play, Android's official app store, has already removed 151 apps this year that belong to the same campaign, which tried to make victims pay for expensive SMS services. This was reported by security company Avast, which calls the malicious campaign UltimaSMS.

    Reply
  5. Tomi Engdahl says:

    N.L. health-care cyberattack is worst in Canadian history, says cybersecurity expert
    https://www.cbc.ca/news/canada/newfoundland-labrador/nl-cyber-attack-worst-canada-1.6236210
    One cybersecurity expert says the cyberattack on the Newfoundland and Labrador health-care system may be the worst in Canadian history, and has implications for national security. David Shipley, the CEO of a cybersecurity firm in Fredericton, said he’s seen similar breaches before, but usually on a smaller scale. “We’ve never seen a health-network takedown this large, ever,” Shipley said in an interview with CBC News. “The severity of this is what really sets it apart.”

    Reply
  6. Tomi Engdahl says:

    Decrypting Cobalt Strike Traffic With Keys Extracted From Process Memory https://isc.sans.edu/forums/diary/Decrypting+Cobalt+Strike+Traffic+With+Keys+Extracted+From+Process+Memory/28006/
    In this diary entry, I will show how to decrypt Cobalt Strike network traffic with AES keys extracted from the beacon’s process memory.

    Reply
  7. Tomi Engdahl says:

    1.8 TB of Police Helicopter Surveillance Footage Leaks Online https://www.wired.com/story/ddosecrets-police-helicopter-data-leak/
    DDoSecrets published the trove Friday afternoon. Privacy advocates say it shows how pervasive law enforcement’s eye has become, and how lax its data protection can be.

    Reply
  8. Tomi Engdahl says:

    Hacker steals $55 million from bZx DeFi platform https://therecord.media/hacker-steals-55-million-from-bzx-defi-platform/
    A hacker has stolen an estimated $55 million worth of cryptocurrency assets from bZx, a decentralized finance (DeFi) platform that allows users to borrow, loan, and speculate on cryptocurrency price variations.

    Reply
  9. Tomi Engdahl says:

    US defense contractor Electronic Warfare hit by data breach https://www.bleepingcomputer.com/news/security/us-defense-contractor-electronic-warfare-hit-by-data-breach/
    US defense contractor Electronic Warfare Associates (EWA) has disclosed a data breach after threat actors hacked their email system and stole files containing personal information.

    Reply
  10. Tomi Engdahl says:

    Ransomware Attack on Lab in Florida
    https://www.infosecurity-magazine.com/news/ransomware-attack-on-florida-lab/
    A ransomware attack on a laboratory based in Florida has exposed the personal health information (PHI) of more than 30,000 patients.

    Reply
  11. Tomi Engdahl says:

    Nikhilesh De / CoinDesk:
    The US infrastructure bill amends tax code section 6050I to require certain recipients of digital assets worth $10K+ to report sender details to the IRS — The U.S. House of Representatives voted to pass a bipartisan infrastructure bill that contains a controversial cryptocurrency tax reporting requirement.

    House Sends Infrastructure Bill With Crypto Tax Provision to US President
    The vote passed with bipartisan support on Friday night.
    https://www.coindesk.com/business/2021/11/06/house-sends-infrastructure-bill-with-crypto-tax-provision-to-us-president/

    The U.S. House of Representatives voted to pass a bipartisan infrastructure bill that contains a controversial cryptocurrency tax reporting requirement.

    The House voted in favor of the bill with at least 218 ayes late Friday night, fulfilling a key priority for the Biden administration amid controversy over whether an accompanying Democrat-led bill would also move forward. The Senate originally passed the bill in August after lawmakers shot down any attempts at amending the crypto provision.

    The bill now goes to U.S. President Joe Biden for his signature.

    The crypto industry was concerned about a tax reporting requirement within the bill that sought to expand the definition of a broker for IRS purposes. The reporting requirement would see all brokers report transactions under the current tax code.

    Reply
  12. Tomi Engdahl says:

    Jacob Pramuk / CNBC:
    House passes $1T+ bipartisan infrastructure bill, with a controversial crypto tax provision and $65B in broadband funding; Biden could sign the bill within days — The House passed a more than $1 trillion bipartisan infrastructure bill, sending it to President Joe Biden for his signature.

    House passes $1 trillion bipartisan infrastructure bill that includes transport, broadband and utility funding, sends it to Biden
    https://www.cnbc.com/2021/11/05/house-passes-bipartisan-infrastructure-bill-sends-it-to-biden.html

    Reply
  13. Tomi Engdahl says:

    Catalin Cimpanu / The Record:
    DeFi platform bZx says a hacker stole an estimated $55M worth of cryptocurrency assets after spear-phishing one of its employees and swiping two private keys — A hacker has stolen an estimated $55 million worth of cryptocurrency assets from bZx, a decentralized finance (DeFi) …

    Hacker steals $55 million from bZx DeFi platform
    https://therecord.media/hacker-steals-55-million-from-bzx-defi-platform/

    Hacker spear-phished a bZx employee and stole two private keys for the DeFi platform.
    The private keys were used for bZx’s integration with the Polygon and Binance Smart Chain blockchains.
    bZx on Twitter: “Our treasury is robust and our community will decide a compensation package.”

    Reply
  14. Tomi Engdahl says:

    Cisco Plugs Critical Holes in Catalyst PON Enterprise Switches
    https://www.securityweek.com/cisco-plugs-critical-holes-catalyst-pon-enterprise-switches

    Enterprise networking giant Cisco has released patches for multiple vulnerabilities across its product portfolio, including critical security defects in Catalyst Passive Optical Network (PON) series switches and the Policy Suite product.

    The most severe of these issues are CVE-2021-34795 and CVE-2021-40113 (CVSS 10.0), two flaws in Catalyst PON switches that could be exploited to log in to a vulnerable device using unintentional debugging credentials, or to perform unauthenticated command injection, Cisco said in an advisory.

    The company said CVE-2021-34795 exists in the Telnet service of Cisco Catalyst PON series switches ONT and could be exploited to establish a Telnet session to the device using the default credential. The bug would allow the attacker to take over the vulnerable device.

    The second CVE-2021-40113 bug affects the web-based management interface of the enterprise switches and could be exploited remotely, without authentication. Because user-supplied input isn’t sufficiently validated, the flaw allows an attacker to execute commands as root.

    Reply
  15. Tomi Engdahl says:

    Linux Foundation Fixes ‘Dangerous’ Code Execution Kernel Bug
    https://www.securityweek.com/linux-foundation-fixes-dangerous-code-execution-kernel-bug

    Researchers are calling attention to a newly discovered security defect in a kernel module that ships with all major Linux distributions, warning that remote attackers can exploit the bug to take complete control of a vulnerable system.

    The vulnerability — CVE-2021-43267 — is described as a heap overflow in the TIPC (Transparent Inter-Process Communication) module that ships with the Linux kernel to allow nodes in a cluster to communicate with each other in a fault-tolerant way.

    “The vulnerability can be exploited either locally or remotely within a network to gain kernel privileges, allowing an attacker to compromise the entire system,” according to a warning from SentinelOne’s Max Van Amerongen, the security researcher who found — and helped fix — the underlying vulnerability.

    Van Amerongen said he discovered the bug almost by accident using Microsoft’s CodeQL, an open-source semantic code analysis engine that helps ferret out security defects at scale.

    He said the flaw was introduced in the Linux kernel in September 2020 when a new user message type called MSG_CRYPTO was added to allow peers to send cryptographic keys. Looking at the code, Van Amerongen found a “clear-cut kernel heap buffer overflow” with remote exploit implications.

    Although the vulnerable TIPC module comes with all major Linux distributions, it needs to be loaded in order to enable the protocol and trigger the vulnerability.

    The Linux Foundation shipped a patch on October 29 and confirmed the underlying vulnerability affects kernel versions between 5.10 and 5.15.

    SentinelOne said Thursday it had not seen evidence of in-the-wild abuse.

    “This vulnerability can be exploited both locally and remotely. While local exploitation is easier due to greater control over the objects allocated in the kernel heap, remote exploitation can be achieved thanks to the structures that TIPC supports,” Van Amerongen notes.

    CVE-2021-43267: Remote Linux Kernel Heap Overflow | TIPC Module Allows Arbitrary Code Execution
    https://www.sentinelone.com/labs/tipc-remote-linux-kernel-heap-overflow-allows-arbitrary-code-execution/

    Reply
  16. Tomi Engdahl says:

    Mozilla Rolling Out ‘Site Isolation’ With Release of Firefox 94
    https://www.securityweek.com/mozilla-rolling-out-site-isolation-release-firefox-94

    Mozilla this week announced that Firefox 94 is bringing Site Isolation to all users, along with patches for over a dozen vulnerabilities, including seven that feature a high severity rating.

    The most severe of the security issues patched in Firefox 94 could lead to code execution, the Multi-State Information Sharing and Analysis Center (MS-ISAC) says in an alert. The attacker could install applications, modify data, or even register new user accounts.

    The most important of the newly addressed vulnerabilities is CVE-2021-38503, which exists because iframe sandbox rules were incorrectly applied to XSLT (Extensible Stylesheet Language Transformations) stylesheets, which could result in iframes being able to bypass restrictions and execute scripts or navigate the top-level frame.

    Next in line is CVE-2021-38504, a use-after-free vulnerability in file picker dialog, followed by CVE-2021-38505, an issue that exists because Firefox before version 94 did not use specific clipboard formats that would prevent Windows 10 Cloud Clipboard from recording sensitive user data.

    Another security error could result in Firefox being “coaxed into going into fullscreen mode without notification or warning.” Tracked as CVE-2021-38506, the vulnerability may lead to spoofing attacks in the browser, including phishing, Mozilla explains in an advisory.

    Another high-severity bug addressed with the release of Firefox 94 is CVE-2021-38507, where the Opportunistic Encryption feature of HTTP2 (RFC 8164) could be exploited to bypass Same-Origin-Policy. Mozilla decided to disable the feature, noting that it has low usage.

    Mozilla also addressed a high-severity universal cross-site scripting (XSS) issue in Firefox for Android (it exists because URLs scanned from QR codes weren’t properly sanitized), as well as memory safety bugs that affect both Firefox 94 and Firefox ESR 91.3 and which could lead to arbitrary code execution.

    Reply
  17. Tomi Engdahl says:

    Hungarian Official: Government Bought, Used Pegasus Spyware
    https://www.securityweek.com/hungarian-official-government-bought-used-pegasus-spyware

    A senior official in Hungary’s governing party acknowledged for the first time on Thursday that the government purchased a powerful spyware tool, which was allegedly used to target journalists, businesspeople and an opposition politician.

    Reply
  18. Tomi Engdahl says:

    Researchers Release PoC Tool Targeting BrakTooth Bluetooth Vulnerabilities
    https://www.securityweek.com/researchers-release-poc-tool-targeting-braktooth-bluetooth-vulnerabilities

    The United States Cybersecurity and Infrastructure Security Agency (CISA) this week warned on proof-of-concept (PoC) code for the BrakTooth Bluetooth vulnerabilities now being publicly available.

    BrakTooth is the name researchers with the Singapore University of Technology and Design gave to a set of roughly two dozen vulnerabilities in commercial Bluetooth Classic (BT) stacks and which affect system-on-chips (SoCs) running Bluetooth 3.0 + HS to Bluetooth 5.2.

    The bugs could be exploited to cause denial of service (DoS) conditions, through crash or deadlock, and, in some cases, could also lead to arbitrary code execution. Exploitation of these flaws requires the attacker to be within Bluetooth range of a vulnerable device.

    In an August paper detailing the security holes, the researchers said they had identified 1,400 affected products, but also noted that the actual number could be much higher, given that the BT stack is often shared across multiple products. Overall, millions of devices are likely vulnerable.

    BrakTooth Proof of Concept Tool Demonstrates Bluetooth Vulnerabilities
    https://us-cert.cisa.gov/ncas/current-activity/2021/11/04/braktooth-proof-concept-tool-demonstrates-bluetooth

    On November 1, 2021, researchers publicly released a BrakTooth proof-of-concept (PoC) tool to test Bluetooth-enabled devices against potential Bluetooth exploits using the researcher’s software tools. BrakTooth—originally disclosed in August 2021—is a family of security vulnerabilities in commercial Bluetooth stacks. An attacker could exploit BrakTooth vulnerabilities to cause a range of effects from denial-of-service to arbitrary code execution.

    BrakTooth: New Bluetooth Vulnerabilities Could Affect Millions of Devices
    https://www.securityweek.com/braktooth-new-bluetooth-vulnerabilities-could-affect-millions-devices

    https://asset-group.github.io/disclosures/braktooth/

    Reply
  19. Tomi Engdahl says:

    Device Exploits Earn Hackers Over $1 Million at Pwn2Own Austin 2021
    https://www.securityweek.com/device-exploits-earn-hackers-over-1-million-pwn2own-austin-2021

    The Zero Day Initiative’s Pwn2Own Austin 2021 hacking contest has come to an end, with participants earning a total of more than $1 million for their router, printer, NAS device, smartphone, and smart speaker zero-day exploits.

    Pwn2Own Austin has focused on hacking devices and ZDI described it as the largest Pwn2Own to date. White hat hackers earned $362,500 on the first day of the event, $415,000 on the second day, $238,750 on the third day, and $65,000 on the fourth day. Sixty-one bugs were disclosed at the contest — exploits typically chained multiple vulnerabilities — earning participants a total of $1,081,250.

    The single highest bounties were paid out for Sonos One smart speaker exploits. Two teams earned $60,000 each for achieving arbitrary code execution and taking control of the device.

    For the first time in Pwn2Own history, participants hacked printers — there were 11 successful printer hacks demonstrated at the event, earning researchers nearly $200,000.

    Reply
  20. Tomi Engdahl says:

    ‘Critical Severity’ Warning: Malware Found in Widely Deployed npm Packages
    https://www.securityweek.com/critical-severity-warning-malware-found-widely-deployed-npm-packages

    Software supply chain security jitters escalated again Friday with new “critical severity” warnings about malware embedded in two npm package managers widely used by some of the biggest names in tech.

    According to separate advisories from GitHub, confirmed by the npm security team, two popular npm package managers — the Coa parser and the rc configuration loader — were compromised and rigged with password-stealing malware.

    The npm security team confirmed that the package rc had versions published with malicious code. Users of affected versions (1.2.9, 1.3.9, and 2.3.9) should downgrade to 1.2.8 as soon as possible and check their systems for suspicious activity.

    Reply
  21. Tomi Engdahl says:

    Babuk Ransomware Seen Exploiting ProxyShell Vulnerabilities
    https://www.securityweek.com/babuk-ransomware-seen-exploiting-proxyshell-vulnerabilities

    A newly observed Babuk ransomware campaign is targeting ProxyShell vulnerabilities in Microsoft Exchange Server, according to security researchers at Cisco Talos.

    The researchers spotted signs that the attackers are leveraging a China Chopper web shell for the initial compromise, and then use that for the deployment of Babuk.

    Tracked as CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207, the issues were addressed in April and May, with technical details made public in August. An unauthenticated attacker can chain the bugs for arbitrary code execution.

    Reply
  22. Tomi Engdahl says:

    The AP Interview: Justice Dept. Conducting Cyber Crackdown
    https://www.securityweek.com/ap-interview-justice-dept-conducting-cyber-crackdown

    The Justice Department is stepping up actions to combat ransomware and cybercrime through arrests and other actions, its No. 2 official told The Associated Press, as the Biden administration escalates its response to what it regards as an urgent economic and national security threat.

    Deputy Attorney General Lisa Monaco said that “in the days and weeks to come, you’re going to see more arrests,” more seizures of ransom payments to hackers and additional law enforcement operations.

    “If you come for us, we’re going to come for you,” Monaco said in an interview with the AP this week. She declined to offer specifics about who in particular might face prosecution.

    Reply
  23. Tomi Engdahl says:

    Industry Reactions to New ‘Trojan Source’ Attack: Feedback Friday
    https://www.securityweek.com/industry-reactions-new-trojan-source-attack-feedback-friday

    Researchers from the University of Cambridge have identified a new attack method that abuses Unicode to stealthily inject vulnerabilities into code.

    Dubbed Trojan Source, the attack impacts many of the compilers, interpreters, code editors, and code repository frontend services used by software developers. Malicious actors could leverage the method to create code that would be displayed one way in code editors, but be interpreted differently by the compiler.

    C, C++, C#, JavaScript, Java, Rust, Go, and Python have been found to be impacted, as well as VS Code, Atom, SublimeText, Notepad, vim, emacs, GitHub and BitBucket.

    Reply
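    As an added defender-side example (not code from the original post or from the Cambridge researchers), a small Python scanner that flags the Unicode bidirectional control characters the Trojan Source technique relies on, reporting where each one sits and whether it is still open at the end of the line; the sample source text is constructed.

```python
"""Scan source text for Unicode bidirectional control characters.

Trojan Source abuses these characters so that an editor displays code in one
order while the compiler reads it in another. A pre-commit or CI check that
rejects any of them in source files is a simple, robust mitigation.
"""
from __future__ import annotations

from dataclasses import dataclass, replace

# Bidi formatting characters that can reorder how source is rendered.
BIDI_CONTROLS: dict[str, str] = {
    "\u202A": "LRE", "\u202B": "RLE", "\u202D": "LRO", "\u202E": "RLO",
    "\u202C": "PDF",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}
EMBED_OPENERS = {"\u202A", "\u202B", "\u202D", "\u202E"}   # closed by PDF
ISOLATE_OPENERS = {"\u2066", "\u2067", "\u2068"}           # closed by PDI
PDF, PDI = "\u202C", "\u2069"


@dataclass(frozen=True)
class Finding:
    line: int          # 1-based line number
    column: int        # 1-based column, counted in code points
    char: str          # the raw control character
    name: str          # its Unicode abbreviation (RLO, PDF, ...)
    unterminated: bool # opener still open when the line ended


def scan_source(text: str) -> list[Finding]:
    """Return every bidi control in `text`, flagging openers left open at end of line."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        embeddings: list[Finding] = []
        isolates: list[Finding] = []
        seen: list[Finding] = []
        for col, ch in enumerate(line, start=1):
            name = BIDI_CONTROLS.get(ch)
            if name is None:
                continue
            f = Finding(lineno, col, ch, name, unterminated=False)
            seen.append(f)
            if ch in EMBED_OPENERS:
                embeddings.append(f)
            elif ch in ISOLATE_OPENERS:
                isolates.append(f)
            elif ch == PDF and embeddings:
                embeddings.pop()
            elif ch == PDI and isolates:
                isolates.pop()
        still_open = {(f.line, f.column) for f in embeddings + isolates}
        for f in seen:
            findings.append(replace(f, unterminated=(f.line, f.column) in still_open))
    return findings


def escape_bidi(text: str) -> str:
    """Make hidden controls visible as \\uXXXX escapes so a reviewer can see them."""
    return "".join(f"\\u{ord(c):04X}" if c in BIDI_CONTROLS else c for c in text)


# Constructed sample: line 1 carries a balanced RLO...PDF pair inside a comment,
# line 2 leaves an RLI open so everything after it renders out of order.
SAMPLE = (
    "x = 1  # balanced: \u202Eolleh\u202C\n"
    "if ok: \u2067 # trailing isolate hides text\n"
    "print('clean')\n"
)

if __name__ == "__main__":
    for f in scan_source(SAMPLE):
        flag = " (unterminated)" if f.unterminated else ""
        print(f"line {f.line} col {f.column}: {f.name}{flag}")
    print(escape_bidi(SAMPLE))
```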
  24. Tomi Engdahl says:

    Robinhood Hacked, Millions of Names, Emails Stolen
    https://www.securityweek.com/robinhood-hacked-millions-names-emails-stolen

    Hacker socially engineered customer support employee to obtain millions of names and emails, demanded extortion payment

    Mobile stock trading platform Robinhood (NASDAQ: HOOD) on Monday fessed up to a security breach that exposed names and email addresses for millions of users and “extensive account details” for what appeared to be very specific targets.

    The Menlo Park, Calif.-based company, which claims that about 22 million users trade stocks, ETFs, and cryptocurrencies with its mobile app, said the breach happened on November 3 when a hacker stole names, email addresses, dates of birth, zip codes and additional personal information from its customer user data.

    The company downplayed the extent of the impact, saying that only “a limited amount of personal information for a portion of our customers” was stolen but confirmed the intruder obtained about 5 million names and approximately 2 million email addresses.

    “We also believe that for a more limited number of people—approximately 310 in total—additional personal information, including name, date of birth, and zip code, was exposed, with a subset of approximately 10 customers having more extensive account details revealed,” Robinhood said in a statement announcing the incident.

    “We are in the process of making appropriate disclosures to affected people,” it added.

    Under the Hood:
    Robinhood says an unauthorized party obtained a list of email addresses for ~5M users, full names for another ~2M users, and more info on ~310 others — Late in the evening of November 3, we experienced a data security incident. An unauthorized third party obtained access to a limited amount

    Robinhood Announces Data Security Incident
    https://blog.robinhood.com/news/2021/11/8/data-security-incident

    Late in the evening of November 3, we experienced a data security incident. An unauthorized third party obtained access to a limited amount of personal information for a portion of our customers. Based on our investigation, the attack has been contained and we believe that no Social Security numbers, bank account numbers, or debit card numbers were exposed and that there has been no financial loss to any customers as a result of the incident.

    The unauthorized party socially engineered a customer support employee by phone and obtained access to certain customer support systems. At this time, we understand that the unauthorized party obtained a list of email addresses for approximately five million people, and full names for a different group of approximately two million people. We also believe that for a more limited number of people—approximately 310 in total—additional personal information, including name, date of birth, and zip code, was exposed, with a subset of approximately 10 customers having more extensive account details revealed. We are in the process of making appropriate disclosures to affected people.

    Reply
  25. Tomi Engdahl says:

    US Treasury Sanctions Crypto Exchange in Anti-Ransomware Crackdown
    https://www.securityweek.com/us-treasury-sanctions-crypto-exchange-anti-ransomware-crackdown

    The U.S. government’s aggressive anti-ransomware crackdown is showing no signs of slowing down with the Treasury Department announcing sanctions against a cryptocurrency exchange and new multi-million-dollar rewards for information on the REvil ransomware group.

    On the heels of a law enforcement hack-back operation and a $10 million bounty in the hunt for the DarkSide data extortion gang, the U.S. Treasury slapped sanctions against Chatex, a company that describes itself as “a full-fledged cryptobank” for Telegram.

    The Treasury Department also sanctioned three additional companies — IZIBITS OU, Chatextech SIA, and Hightrade Finance Ltd. — for providing technology and support to Chatex.

    “Chatex, which claims to have a presence in multiple countries, has facilitated transactions for multiple ransomware variants. Analysis of Chatex’s known transactions indicates that over half are directly traced to illicit or high-risk activities such as darknet markets, high-risk exchanges, and ransomware,” the department said in a statement announcing the sanction.

    The U.S. government said Chatex has direct ties with SUEX OTC, S.R.O. (Suex), using Suex’s function as a nested exchange to conduct transactions. Suex was sanctioned earlier this year for facilitating financial transactions for ransomware actors.

    Reply
  26. Tomi Engdahl says:

    Global Companies Compromised via ADSelfService Plus Exploitation
    https://www.securityweek.com/global-companies-compromised-adselfservice-plus-exploitation

    At least nine global organizations have been compromised in attacks targeting a recent vulnerability in ManageEngine ADSelfService Plus, according to a warning from researchers at Palo Alto Networks.

    The vulnerability was made public in early September when zero-day attacks were discovered exploiting CVE-2021-40539, a critical severity (CVSS 9.8) flaw that allows attackers to bypass authentication on the self-service password management and single sign-on solution.

    Immediately after, Zoho provided patches for the underlying security defects and the U.S. government’s Cybersecurity and Infrastructure Security Agency (CISA) published an alert to urge administrators to review and apply the patches as soon as possible.

    Reply
  27. Tomi Engdahl says:

    US Government Contractor EWA Discloses Data-Theft Breach
    https://www.securityweek.com/us-government-contractor-ewa-discloses-data-theft-breach

    U.S. government defense contractor Electronic Warfare Associates (EWA) has started sending out notifications to warn of a data breach that resulted in the theft of Personally Identifiable Information (PII).

    In early August 2021, the company said a threat actor was able to compromise the EWA email system following a successful phishing attack.

    Reply
  28. Tomi Engdahl says:

    McAfee to be Taken Private in $14 Billion Private Equity Deal
    https://www.securityweek.com/mcafee-be-taken-private-14-billion-private-equity-deal

    Cybersecurity firm McAfee Corp. (NASDAQ:MCFE) has agreed to be acquired by a group of private equity firms in a deal valued at more than $14 billion, the company announced Monday.

    The move will take the company private just over one year after it went public through an initial public offering (IPO).

    The investor group, led by Advent International, and supported by Permira Advisers, Crosspoint Capital, Canada Pension Plan Investment Board, GIC Private Limited, and a subsidiary of the Abu Dhabi Investment, will pay $26 per share in an all-cash transaction to acquire all outstanding shares of McAfee common stock.

    Reply
  29. Tomi Engdahl says:

    Targeted Attack Campaign Against ManageEngine ADSelfService Plus Delivers Godzilla Webshells, NGLite Trojan and KdcSponge Stealer https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/
    On Sept. 16, 2021, the US Cybersecurity and Infrastructure Security Agency (CISA) released an alert warning that advanced persistent threat (APT) actors were actively exploiting newly identified vulnerabilities in a self-service password management and single sign-on solution known as ManageEngine ADSelfService Plus. The alert explained that malicious actors were observed deploying a specific webshell and other techniques to maintain persistence in victim environments; however, in the days that followed, we observed a second unrelated campaign carry out successful attacks against the same vulnerability. As early as Sept. 17 the actor leveraged leased infrastructure in the United States to scan hundreds of vulnerable organizations across the internet. Subsequently, exploitation attempts began on Sept. 22 and likely continued into early October. During that window, the actor successfully compromised at least nine global entities across the technology, defense, healthcare, energy and education industries.

    Reply
  30. Tomi Engdahl says:

    Beware of the 2-euro “customs fee”: an unusually deceptive scam is being spread in Posti's name https://www.tivi.fi/uutiset/tv/b84a3823-66d7-4d69-8c90-66fecfd16e2c
    At a quick glance, the Finnish-language message, which mimics Posti's style, can look trustworthy. The recipient is told that a package could not be delivered. To book a new delivery or pickup date, the victim is asked to follow the link at the end of the message.

    Reply
  31. Tomi Engdahl says:

    Can't scam calls be blocked? This is how Finland's operators respond https://www.is.fi/digitoday/tietoturva/art-2000008378895.html
    The operators are confident that scam calls can be tackled effectively in Finland too. Some solutions are already in use.

    Reply
  32. Tomi Engdahl says:

    FIVE AFFILIATES TO SODINOKIBI/REVIL UNPLUGGED https://www.europol.europa.eu/newsroom/news/five-affiliates-to-sodinokibi/revil-unplugged
    On 4 November, Romanian authorities arrested two individuals suspected of cyber-attacks deploying the Sodinokibi/REvil ransomware. They are allegedly responsible for 5 000 infections, which in total pocketed half a million euros in ransom payments. Since February 2021, law enforcement authorities have arrested three other affiliates of Sodinokibi/REvil and two suspects connected to GandCrab. These are some of the results of operation GoldDust, which involved 17 countries*, Europol, Eurojust and INTERPOL. All these arrests follow the joint international law enforcement efforts of identification, wiretapping and seizure of some of the infrastructure used by Sodinokibi/REvil ransomware family, which is seen as the successor of GandCrab.

    US seizes $6 million from REvil ransomware, arrest Kaseya hacker https://www.bleepingcomputer.com/news/security/us-seizes-6-million-from-revil-ransomware-arrest-kaseya-hacker/
    The United States Department of Justice today has announced charges against a REvil ransomware affiliate responsible for the attack against the Kaseya MSP platform on July 2nd and seizing more than $6 million from another REvil partner.

    Reply
  33. Tomi Engdahl says:

    US Treasury sanctions crypto-exchange Chatex for links to ransomware payments https://therecord.media/us-treasury-sanctions-crypto-exchange-chatex-for-links-to-ransomware-payments/
    The US Treasury Department has imposed sanctions today on cryptocurrency exchange Chatex for “facilitating financial transactions for ransomware actors.” “Analysis of Chatex’s known transactions indicates that over half are directly traced to illicit or high-risk activities such as darknet markets, high-risk exchanges, and ransomware,” Treasury officials said today. Officials said the exchange had “direct ties” to Suex, a Russian cryptocurrency exchange portal, which the Treasury sanctioned in September for the exact same reason.

    Reply
  34. Tomi Engdahl says:

    Electronics retail giant MediaMarkt hit by ransomware attack https://www.bleepingcomputer.com/news/security/electronics-retail-giant-mediamarkt-hit-by-ransomware-attack/
    Electronics retail giant MediaMarkt has suffered a Hive ransomware attack with an initial ransom demand of $240 million, causing IT systems to shut down and store operations to be disrupted in the Netherlands and Germany. MediaMarkt is Europe’s largest consumer electronics retailer with over 1,000 stores in 13 countries. MediaMarkt employs approximately 53,000 employees and has total sales of 20.8 billion.

    Reply
  35. Tomi Engdahl says:

    Sitecore XP RCE flaw patched last month now actively exploited https://www.bleepingcomputer.com/news/security/sitecore-xp-rce-flaw-patched-last-month-now-actively-exploited/
    The Australian Cyber Security Center (ACSC) is alerting web admins of the active exploitation of CVE-2021-42237, a remote code execution flaw in the Sitecore Experience Platform (Sitecore XP). On October 13th, Sitecore disclosed and released a patch for a pre-authentication remote code execution vulnerability tracked as CVE-2021-42237 affecting the Sitecore Experience Platform. Last week, cybersecurity firm Assetnote published a technical write-up on the vulnerability, allowing hackers to use the details to create exploits and actively exploit vulnerable websites. “There is active exploitation of a vulnerability occurring in certain versions of Sitecore Experience Platform systems. Affected Australian organisations should apply the available security update,” warned the ACSC in a new advisory released Friday. also:
    https://www.cyber.gov.au/acsc/view-all-content/alerts/active-exploitation-vulnerable-sitecore-experience-platform-content-management-systems

    Sitecore XP is an enterprise-level content management system with data analytics (CMS) used by well-known companies, including American Express, IKEA, Carnival Cruise Lines, L’Oréal, and Volvo.

    Reply
  36. Tomi Engdahl says:

    TA505 exploits SolarWinds Serv-U vulnerability (CVE-2021-35211) for initial access https://blog.fox-it.com/2021/11/08/ta505-exploits-solarwinds-serv-u-vulnerability-cve-2021-35211-for-initial-access/
    NCC Group’s global Cyber Incident Response Team have observed an increase in Clop ransomware victims in the past weeks. The surge can be traced back to a vulnerability in SolarWinds Serv-U that is being abused by the TA505 threat actor. TA505 is a known cybercrime threat actor, who is known for extortion attacks using the Cl0p ransomware.
    We believe exploiting such vulnerabilities is a recent initial access technique for TA505, deviating from the actor’s usual phishing-based approach. NCC Group strongly advises updating systems running SolarWinds Serv-U software to the most recent version (at minimum version 15.2.3 HF2) and checking whether exploitation has happened as detailed below. We are sharing this information as a call to action for organisations using SolarWinds Serv-U software and incident responders currently dealing with Clop ransomware.

    Reply
  37. Tomi Engdahl says:

    Escalating XSS to Sainthood with Nagios
    https://blog.grimm-co.com/2021/11/escalating-xss-to-sainthood-with-nagios.html
    During the course of research into Nagios, GRIMM researchers discovered a number of vulnerabilities that would enable attackers to gain Remote Code Execution (RCE) as root on the primary server, which provides great potential for later lateral movement.

    Reply
  38. Tomi Engdahl says:

    Beware of this private message coming from a friend – it ends with your Instagram or Facebook account being hijacked https://www.is.fi/digitoday/tietoturva/art-2000008389877.html

    Reply
  39. Tomi Engdahl says:

    Catalin Cimpanu / The Record:
    Europol has arrested seven people suspected of helping REvil and GandCrab with over 7,000 cyberattacks since early 2019, in a Romanian-led investigation — Europol has announced today the arrests of seven suspects who worked as “affiliates” (partners) for a major ransomware cartel …

    Europol: Seven REvil/GandCrab ransomware affiliates were arrested in 2021
    https://therecord.media/europol-seven-revil-gandcrab-ransomware-affiliates-were-arrested-in-2021/

    Reply
  40. Tomi Engdahl says:

    Google fixes Android zero-day exploited in the wild in targeted attacks
    https://therecord.media/google-fixes-android-zero-day-exploited-in-the-wild-in-targeted-attacks/

    Google has released on Monday its monthly Android security bulletin, and the company’s engineers said they patched a zero-day vulnerability that was being exploited in the wild in what they described as “limited, targeted exploitation.”

    Tracked as CVE-2021-1048, Google said the vulnerability resided in one of the Android kernel components and was abused to elevate an attacker’s privileges.

    Details about the attacks, the threat actor(s) behind them, and the victims have not been shared, as is the standard practice for most security patches. This approach is used in order to give end-users more time to update their vulnerable devices before the same bug is weaponized by other threat actors.

    CVE-2021-1048 marks the sixth Android zero-day vulnerability that was exploited this year.

    Reply
  41. Tomi Engdahl says:

    Johana Bhuiyan / The Guardian:
    Documents show LAPD’s new predictive policing effort is similar to surveillance programs PredPol and Operation Laser that were shut down amid public outcry

    LAPD ended predictive policing programs amid public outcry. A new effort shares many of their flaws
    https://www.theguardian.com/us-news/2021/nov/07/lapd-predictive-policing-surveillance-reform

    Documents show how data-driven policing programs reinforced harmful patterns, fueling the over-policing of Black and brown communities

    Reply
  42. Tomi Engdahl says:

    Threat actor DEV-0322 exploiting ZOHO ManageEngine ADSelfService Plus https://www.microsoft.com/security/blog/2021/11/08/threat-actor-dev-0322-exploiting-zoho-manageengine-adselfservice-plus/
    Microsoft has detected exploits being used to compromise systems running the ZOHO ManageEngine ADSelfService Plus software versions vulnerable to CVE-2021-40539 in a targeted campaign. Our colleagues at Palo Alto Unit 42 have also highlighted this activity in their recent blog. We thank Unit 42 for their collaboration as industry partners and ongoing efforts to protect customers. This blog shares what Microsoft has observed in the latest DEV-0322 campaign and informs our customers of protections in place through our security products. We have not observed any exploit of Microsoft products in this activity.

    Reply
  43. Tomi Engdahl says:

    Microsoft November 2021 Patch Tuesday
    https://isc.sans.edu/forums/diary/Microsoft+November+2021+Patch+Tuesday/28018/
    This month we got patches for 55 vulnerabilities. Of these, 6 are critical, 4 were previously disclosed and 2 are being exploited according to Microsoft. One of the exploited vulnerabilities is a remote code execution affecting Microsoft Exchange Server (CVE-2021-42321). According to the advisory, the vulnerability occurs due to improper validation of cmdlet arguments and, to exploit the vulnerability, an attacker needs to be in an authenticated role in the Exchange Server. The CVSS v3 score for this vulnerability is 8.8 (out of 10). The other exploited vulnerability is a security feature bypass affecting Microsoft Excel (CVE-2021-42292). According to the advisory, to successfully exploit the vulnerability, an attacker requires user interaction. This vulnerability affects Microsoft Excel in different product bundles, including Excel for Mac OS. also:
    https://patchtuesdaydashboard.com/

    Reply
  44. Tomi Engdahl says:

    Who are latest targets of cyber group Lyceum?
    https://www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns
    Accenture’s Cyber Threat Intelligence (ACTI) group and Prevailion’s Adversarial Counterintelligence Team (PACT) dug into recently publicized campaigns of the cyber espionage threat group Lyceum (aka HEXANE, Spirlin) to further analyze the operational infrastructure and victimology of this actor. The team’s findings corroborate and reinforce previous ClearSky and Kaspersky research indicating a primary focus on computer network intrusion events aimed at telecommunications providers in the Middle East. Additionally, the research expands on this victim set by identifying additional targets within internet service providers (ISPs) and government agencies.
    Although all victim-identifying information has been redacted, this report seeks to provide these targeted industry and geographic verticals with additional knowledge of the threat and mitigation opportunities.

    Reply
  45. Tomi Engdahl says:

    New Critical Vulnerabilities Found on Nucleus TCP/IP Stack
    https://www.forescout.com/blog/new-critical-vulnerabilities-found-on-nucleus-tcp-ip-stack/
    Forescout Research Labs, with support from Medigate Labs, have discovered a set of 13 new vulnerabilities affecting the Nucleus TCP/IP stack, which we are collectively calling NUCLEUS:13. The new vulnerabilities allow for remote code execution, denial of service, and information leak. Nucleus is used in safety-critical devices, such as anesthesia machines, patient monitors and others in healthcare.
    Forescout Research Labs is committed to supporting vendors in identifying affected products (our open-source TCP/IP stack detector can be helpful in this respect) and to sharing our findings with the cybersecurity community.

    Reply
  46. Tomi Engdahl says:

    Abcbot, an evolving botnet
    https://blog.netlab.360.com/abcbot_an_evolving_botnet_en/
    On July 14, 2021, our BotMon system identified an unknown ELF file (a14d0188e2646d236173b230c59037c7) generating a lot of scanning traffic. After analysis, we determined that this is a Go language implementation of a scanner; based on its source path “abc-hello” string, we named it Abcbot internally. As time passed, Abcbot has continued to evolve, and as we expected, it added the DGA feature in subsequent samples. Today Abcbot has the ability to self-update, set up a web server, launch DDoS attacks, as well as worm-like propagation.
    Given that Abcbot is under continuous development and its features are constantly being updated, we decided to write this article to share our findings with the community.

    Reply
  47. Tomi Engdahl says:

    Medical software firm urges password resets after ransomware attack https://www.bleepingcomputer.com/news/security/medical-software-firm-urges-password-resets-after-ransomware-attack/
    Medatixx, a German medical software vendor whose products are used in over 21,000 health institutions, urges customers to change their application passwords following a ransomware attack that has severely impaired its entire operations.

    Reply
  48. Tomi Engdahl says:

    Multiple BusyBox Security Bugs Threaten Embedded Linux Devices
    https://threatpost.com/busybox-security-bugs-linux-devices/176098/
    Researchers discovered 14 vulnerabilities in the ‘Swiss Army Knife’ of the embedded OS used in many OT and IoT environments. They allow RCE, denial of service and data leaks.

    Reply
