This posting is here to collect cyber security news in November 2021.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
373 Comments
Tomi Engdahl says:
Beware of this private message from a friend: it ends with your Instagram or Facebook account being hijacked https://www.is.fi/digitoday/tietoturva/art-2000008389877.html
A scam is spreading in Facebook's Messenger and in Instagram direct messages that aims to hijack people's user accounts. The attack begins with a message written in Finnish, sent from a friend's account. The message asks for the recipient's phone number. Ville Kontinen, an information security specialist at the National Cyber Security Centre of the Finnish Transport and Communications Agency Traficom, says the authorities have been receiving reports of the scam campaign for about two weeks.
Recovering the account can be difficult. From Facebook's or Instagram's point of view, the fraud involves two parties who both claim the account as their own. Kontinen therefore urges keeping account recovery details up to date, including an alternative e-mail address.
“If the attacker manages to complete the hijack with the phone number and the PIN code that was handed over, you as the victim have to file the same kind of report. Facebook then receives two reports of the account being hacked within a short time. The more up to date your details are, the better you can prove you are the owner of the profile,” Kontinen says.
Tomi Engdahl says:
Scheming with URLs: One-Click Attack Surface in Linux Desktop Environments https://www.crowdstrike.com/blog/one-click-attack-surface-in-linux-desktop-environments/
The Advanced Research Team at CrowdStrike Intelligence discovered multiple vulnerabilities affecting libvncclient. In some widely used desktop environments, such as GNOME, these vulnerabilities can be triggered in a one-click fashion.
Tomi Engdahl says:
Criminals are now trying to hijack the whole smartphone; at worst, an intruder can use your phone to record a conversation you are having in the room
https://yle.fi/uutiset/3-12172880
According to information security professionals, banking scams and attempts to phish personal identification details have clearly increased.
Scam attempts of various kinds will increasingly focus on mobile in future.
Tomi Engdahl says:
The Finnish Security Intelligence Service (Supo) strongly suspects it has been spied on; a gap was found in the way it hires employees
https://yle.fi/uutiset/3-12174055
According to the suspicion, some Supo positions were applied for only so that the applicant could snoop on the names and other details of the people selected for the posts. The intelligence gathering exploited the right of parties to a public appointment procedure to access the case documents.
Tomi Engdahl says:
Hacking group says it has found encryption keys needed to unlock the PS5
https://arstechnica.com/gaming/2021/11/uncovered-ps5-encryption-keys-are-the-first-step-to-unlocking-the-console/
Hacking group Fail0verflow announced Sunday evening that it had obtained the encryption “root keys” for the PlayStation 5, an important first step in any effort to unlock the system and allow users to run homebrew software.
Tomi Engdahl says:
Many Healthcare, OT Systems Exposed to Attacks by NUCLEUS:13 Vulnerabilities
https://www.securityweek.com/many-healthcare-ot-systems-exposed-attacks-nucleus13-vulnerabilities
A series of 13 vulnerabilities identified in the Nucleus TCP/IP stack could be exploited to execute code remotely, cause a denial of service condition, or to obtain sensitive information, enterprise device security firm Forescout warns.
Collectively referred to as NUCLEUS:13, the issues likely affect safety-critical devices, such as anesthesia machines, patient monitors and other types of devices used in healthcare. Other types of operational technology (OT) systems are also impacted.
The most important of the newly identified issues is CVE-2021-31886 (CVSS score of 9.8), a stack-based buffer overflow that exists because the FTP server fails to properly validate the length of the “USER” command. An attacker could exploit the vulnerability to cause a denial of service (DoS) condition or to achieve remote code execution.
Two other similar issues in the FTP server (related to the improper validation of the length of the “PWD/XPWD” and “MKD/XMKD” commands) were assessed with a severity rating of high.
Of the remaining bugs, nine are considered high severity and could be exploited to leak sensitive information or cause DoS conditions. The last issue in the set is a medium-severity bug in the ICMP that could be exploited to send ICMP echo reply messages to arbitrary network systems.
Some of these vulnerabilities, Forescout explains, were addressed in existing versions of the Nucleus TCP/IP stack, yet they were never issued CVE identifiers. Patches are available for all 13 security holes.
Developed by Accelerated Technology, Inc. (ATI) in 1993, Nucleus NET, the TCP/IP stack in the Nucleus real-time operating system (RTOS), is now owned by Siemens. Over its 28-year life, Nucleus has been deployed in devices across several verticals, including healthcare, automotive, and industrial systems.
Organizations are advised to identify within their environments all devices that are running Nucleus and apply the available patches or mitigations as soon as possible, as well as to ensure proper network segmentation is enforced. They should also monitor network traffic to identify any malicious packets and disable FTP/TFTP if not needed, or use switch-based DHCP control mechanisms.
https://www.forescout.com/resources/nucleus13-research-report-dissecting-the-nucleus-tcpip-stack/
Siemens has also published advisories describing the impact of the vulnerabilities on its own products.
https://www.securityweek.com/ics-patch-tuesday-siemens-and-schneider-electric-address-over-50-vulnerabilities-0
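As an added example (not code from the SecurityWeek article, Forescout or Siemens), the kind of traffic check the mitigation advice above points at: a line-based monitor that flags FTP USER, PWD/XPWD and MKD/XMKD commands whose arguments are implausibly long, which is the shape of the three FTP server bugs in NUCLEUS:13. The per-command limits and the sample session are assumptions made up for this example; the page does not publish the buffer sizes involved.

```python
import re
from typing import Dict, List, Optional, Tuple

# Maximum argument length accepted per command. ASSUMED for this example:
# the disclosure only says the Nucleus FTP server did not validate the
# length of these arguments, it does not give the buffer sizes.
MAX_ARG_LEN: Dict[str, int] = {
    "USER": 64,
    "PWD": 0,      # PWD/XPWD take no argument at all
    "XPWD": 0,
    "MKD": 255,
    "XMKD": 255,
}

# RFC 959 command line: a 3-4 letter verb, optional whitespace-separated argument.
FTP_LINE = re.compile(r"^([A-Za-z]{3,4})(?:[ \t]+(.*))?$")


def check_ftp_command(line: str) -> Optional[Tuple[str, str]]:
    """Return (verb, reason) when a client command looks like an overflow attempt."""
    line = line.rstrip("\r\n")
    m = FTP_LINE.match(line)
    if m is None:
        return ("?", "unparseable command of %d bytes" % len(line))
    verb = m.group(1).upper()
    arg = m.group(2) or ""
    limit = MAX_ARG_LEN.get(verb)
    if limit is None:
        return None                      # command not covered by NUCLEUS:13
    if len(arg) > limit:
        return (verb, "argument of %d bytes exceeds limit %d" % (len(arg), limit))
    return None


def scan_session(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Run check_ftp_command over a client->server command stream."""
    alerts = []
    for n, line in enumerate(lines, 1):
        hit = check_ftp_command(line)
        if hit is not None:
            alerts.append((n, hit[0], hit[1]))
    return alerts


# Constructed sample session (not captured traffic). Lines 5-7 mimic the
# oversized arguments the three FTP bugs are about.
SAMPLE_SESSION = [
    "USER anonymous\r\n",
    "PASS guest@example.org\r\n",
    "PWD\r\n",
    "MKD upload\r\n",
    "USER " + "A" * 600 + "\r\n",
    "XPWD " + "B" * 32 + "\r\n",
    "MKD " + "C" * 4096 + "\r\n",
    "QUIT\r\n",
]

if __name__ == "__main__":
    for n, verb, reason in scan_session(SAMPLE_SESSION):
        print("line %d %s: %s" % (n, verb, reason))
```

In practice this runs over reassembled TCP streams to port 21 from a capture or sensor, not over a list of strings; where FTP/TFTP is not needed, the advice above to disable it removes the attack surface outright.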
Tomi Engdahl says:
ICS Patch Tuesday: Siemens and Schneider Electric Address Over 50 Security Flaws
https://www.securityweek.com/ics-patch-tuesday-siemens-and-schneider-electric-address-over-50-vulnerabilities-0
Industrial giants Siemens and Schneider Electric have released a total of 20 Patch Tuesday advisories to address more than 50 vulnerabilities affecting their products.
Siemens has published 13 advisories describing 36 vulnerabilities. Two of the advisories focus on the impact of the newly disclosed NUCLEUS:13 vulnerabilities on the company’s products.
NUCLEUS:13 is the name given to 13 vulnerabilities discovered by researchers in the Nucleus TCP/IP stack owned by Siemens. The flaws, many of which have been assigned critical and high severity ratings, can be exploited by remote attackers for remote code execution, DoS attacks, and to obtain information. Nucleus is widely used in healthcare and other organizations that rely on operational technology (OT).
Another advisory covering critical and high-severity flaws is for SIMATIC products. A local attacker could exploit the vulnerabilities to escalate privileges, and read, write or delete files.
https://new.siemens.com/global/en/products/services/cert.html#SecurityPublications
Schneider Electric released seven advisories on Tuesday. They address a total of 17 vulnerabilities affecting products such as SCADAPack 300E, Schneider Electric Software Update (SESU), network management cards (NMC), EcoStruxure Process Expert, TelevisAir Dongle BTLE, Eurotherm GUIcon, and various others.
Schneider has released advisories describing the impact of the vulnerabilities known as PrintNightmare and BadAlloc, which are introduced by the use of Microsoft software.
A high-severity DoS vulnerability has been patched in SCADAPack 300E Series RTU products.
https://www.se.com/ww/en/work/support/cybersecurity/security-notifications.jsp
Tomi Engdahl says:
Adobe Patches Critical RoboHelp Server Security Flaw
https://www.securityweek.com/adobe-patches-critical-robohelp-server-security-flaw
Software maker Adobe on Tuesday released patches to cover at least four documented security defects that expose users to malicious hacker attacks.
The most serious of the flaws was addressed in RoboHelp Server and is rated “critical” because it exposes corporate environments to arbitrary code execution attacks.
Adobe warned that the vulnerability — CVE-2021-39858 — affects RoboHelp Server RHS2020.0.1 and earlier versions on the Microsoft Windows platform.
The company said it was unaware of any exploits in the wild targeting this flaw.
Tomi Engdahl says:
Russian Cybercrime Group Exploits SolarWinds Serv-U Vulnerability
https://www.securityweek.com/russian-cybercrime-group-exploits-solarwinds-serv-u-vulnerability
The Russia-linked ‘Evil Corp’ cybercrime group has been exploiting a vulnerability in SolarWinds Serv-U for initial infection, cybersecurity and risk mitigation firm NCC Group reports.
Tracked as CVE-2021-35211, the security error affects Serv-U installations that have SSH enabled. An attacker able to exploit the bug could run arbitrary code on a vulnerable system.
The security issue was initially detailed on July 9, when SolarWinds shipped an urgent hotfix for it. The issue was already being targeted in attacks, and days later Microsoft attributed the activity to a Chinese threat group.
In a Monday report, UK-based NCC Group revealed that Russian cybercriminals are also targeting the vulnerability, which marks a shift from their typical phishing-based tactic.
Tomi Engdahl says:
Zero-Days Under Attack: Microsoft Plugs Exchange Server, Excel Holes
https://www.securityweek.com/zero-days-under-attack-microsoft-plugs-exchange-server-excel-holes
Microsoft on Tuesday pushed out patches for at least 55 documented security vulnerabilities in a wide range of products and called urgent attention to a pair of flaws that have already been exploited in the wild.
Microsoft said the two under-attack vulnerabilities exist in Microsoft Exchange Server and Microsoft Excel, two widely deployed products in the Windows ecosystem.
“We are aware of limited targeted attacks in the wild using one of the vulnerabilities (CVE-2021-42321), which is a post-authentication vulnerability in Exchange 2016 and 2019,” Redmond acknowledged, noting that the issue affects on-premises Microsoft Exchange Server, including servers used by customers in Exchange Hybrid mode.
Microsoft slapped a “critical” rating on the Exchange Server bug and warned that an authenticated attacker can launch code execution attacks.
The second zero-day was flagged in the popular Microsoft Excel productivity tool and is described as a “feature bypass vulnerability” that allows code execution via specially crafted spreadsheets. Microsoft said the Excel bug — CVE-2021-42292 — is being actively exploited but did not provide any additional details.
The Microsoft Patch Tuesday updates also include fixes for serious flaws affecting Azure, Microsoft Edge, Windows Defender, Visual Studio and multiple Windows components.
Six of the 55 security bulletins from Microsoft are rated “critical,” Microsoft’s highest severity rating. Four of the 55 bugs are listed as publicly known.
Tomi Engdahl says:
14 New Vulnerabilities Discovered in BusyBox
https://www.securityweek.com/14-new-vulnerabilities-discovered-busybox
By Eduard Kovacs on November 09, 2021
Researchers from software development company JFrog and industrial cybersecurity firm Claroty have identified a total of 14 new vulnerabilities in BusyBox, and on Tuesday they detailed some of their findings.
There are certain requirements for exploiting the vulnerabilities discovered by Claroty and JFrog, including the attacker being able to control all parameters passed to a vulnerable applet, supplying a specially crafted file, and supplying specially crafted command lines.
Researchers conducted a manual review of the BusyBox source code and leveraged fuzzing to identify the vulnerabilities.
“To assess the threat level posed by these vulnerabilities, we inspected JFrog’s database of more than 10,000 embedded firmware images (composed of only publicly available firmware images, and not ones uploaded to JFrog Artifactory),” the researchers explained. “We found that 40% of them contained a BusyBox executable file that is linked with one of the affected applets, making these issues extremely widespread among Linux-based embedded firmware.”
The researchers noted that while the DoS flaws are easy to exploit, they are mitigated by applets typically running as a separate forked process. They also pointed out that the information disclosure vulnerability they have found is not easy to exploit, and the exploitation of the use-after-free bugs that can lead to remote code execution involves an uncommon scenario.
JFrog and Claroty have published a blog post describing their findings. They have shared technical information for one of the vulnerabilities they have found, CVE-2021-42374, which can lead to information leaks and DoS.
Unboxing BusyBox – 14 new vulnerabilities uncovered by Claroty and JFrog
https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/
As part of our commitment to improving open-source software security, Claroty’s Team82 and JFrog collaborated on a vulnerability research project examining BusyBox. Using static and dynamic techniques, Claroty’s Team82 and JFrog discovered 14 vulnerabilities affecting the latest version of BusyBox. All vulnerabilities were privately disclosed and fixed by BusyBox in version 1.34.0, which was released Aug. 19.
In most cases, the expected impact of these issues is denial of service (DoS). However, in rarer cases, these issues can also lead to information leaks and possibly remote code execution.
Affected BusyBox versions: 1.16 through 1.33.1.
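An added example, not code from JFrog or Claroty: a firmware triage helper that pulls the “BusyBox vX.Y.Z” banner out of a binary and compares it with the affected range the disclosure gives (1.16 through 1.33.1, fixed in 1.34.0). The sample blobs are constructed stand-ins for extracted firmware. The check is deliberately conservative: the disclosure notes that only builds linking one of the affected applets are actually exposed, and this code does not inspect the applet list, so an “affected” result means “in the version range”, not “exploitable”.

```python
import re
from pathlib import Path
from typing import Iterable, List, Optional, Tuple

# Every BusyBox binary embeds a banner such as "BusyBox v1.31.1 (2019-10-25 ...)".
VERSION_RE = re.compile(rb"BusyBox v(\d+)\.(\d+)(?:\.(\d+))?")

# Range given in the disclosure: 1.16 through 1.33.1 affected, fixed in 1.34.0.
AFFECTED_MIN = (1, 16, 0)
FIXED_IN = (1, 34, 0)

Version = Tuple[int, int, int]


def parse_busybox_version(blob: bytes) -> Optional[Version]:
    """Extract (major, minor, patch) from a binary, or None if no banner is present."""
    m = VERSION_RE.search(blob)
    if m is None:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(version: Version) -> bool:
    return AFFECTED_MIN <= version < FIXED_IN


def triage(images: Iterable[Tuple[str, bytes]]) -> List[Tuple[str, Optional[str], str]]:
    """Classify (name, contents) pairs as affected / not-affected / no-busybox."""
    results = []
    for name, blob in images:
        v = parse_busybox_version(blob)
        if v is None:
            results.append((name, None, "no-busybox"))
            continue
        status = "affected" if is_affected(v) else "not-affected"
        results.append((name, "%d.%d.%d" % v, status))
    return results


def triage_paths(paths: Iterable[str]) -> List[Tuple[str, Optional[str], str]]:
    """Same check over files on disk, e.g. bin/busybox from an unpacked firmware root."""
    return triage((p, Path(p).read_bytes()) for p in paths)


# Constructed stand-ins for extracted firmware binaries: a few bytes around the
# banner a real /bin/busybox would carry. Not real firmware.
SAMPLE_IMAGES = [
    ("camera-fw-2019.bin", b"\x7fELF\x00BusyBox v1.31.1 (2019-10-25 22:01:09 UTC) multi-call binary.\x00"),
    ("router-fw-2021.bin", b"\x7fELF\x00BusyBox v1.34.0 (2021-08-19 10:00:00 UTC) multi-call binary.\x00"),
    ("old-plc-fw.bin",     b"\x7fELF\x00BusyBox v1.15.3 (2010-01-01 00:00:00 UTC) multi-call binary.\x00"),
    ("rtos-only.bin",      b"no Linux userland in this image\x00"),
]

if __name__ == "__main__":
    for name, version, status in triage(SAMPLE_IMAGES):
        print("%-20s %-8s %s" % (name, version or "-", status))
```

Running `triage_paths` over every `busybox` found by `find rootfs -name busybox` after unpacking an image is the realistic use; vendor builds that backported fixes without bumping the version will still show as in range, which is why the result is a triage list and not a verdict.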
Tomi Engdahl says:
13 New Flaws in Siemens Nucleus TCP/IP Stack Impact Safety-Critical Equipment
https://thehackernews.com/2021/11/13-new-flaws-in-siemens-nucleus-tcpip.html
Tomi Engdahl says:
Remote Code Execution Flaw in Palo Alto GlobalProtect VPN
https://www.securityweek.com/remote-code-execution-flaw-palo-alto-globalprotect-vpn
Cybersecurity vendor Palo Alto Networks is calling urgent attention to a remote code execution vulnerability in its GlobalProtect portal and gateway interfaces, warning that it’s easy to launch network-based exploits with root privileges.
The Santa Clara, Calif.-based Palo Alto Networks said the security defect can be exploited to allow an unauthenticated network-based attacker to disrupt system processes and potentially execute arbitrary code with root privileges.
The company slapped a critical-severity rating on the CVE-2021-3064 vulnerability and noted that an attacker must have network access to the GlobalProtect interface to exploit this issue.
Zero-Day Disclosure: Palo Alto Networks GlobalProtect VPN
CVE-2021-3064
https://www.randori.com/blog/cve-2021-3064/
On November 10, 2021 Palo Alto Networks (PAN) provided an update that patched CVE-2021-3064 which was discovered and disclosed by Randori.
This vulnerability affects PAN firewalls using the GlobalProtect Portal VPN and allows for unauthenticated remote code execution on vulnerable installations of the product. The issue affects multiple versions of PAN-OS 8.1 prior to 8.1.17 and Randori has found numerous vulnerable instances exposed on internet-facing assets, in excess of 70,000 assets.
The Randori Attack Team developed a reliable working exploit and leveraged the capability as part of Randori’s continuous and automated red team platform. Our team was able to gain a shell on the affected target, access sensitive configuration data, extract credentials, and more. Once an attacker has control over the firewall, they will have visibility into the internal network and can proceed to move laterally.
In an effort to avoid enabling misuse, technical details related to CVE-2021-3064 will be withheld from public dissemination for a period of 30 days from the date of this publication.
In order to exploit this vulnerability, an attacker must have network access to the device on the GlobalProtect service port (default port 443). As the affected product is a VPN portal, this port is often accessible over the Internet. On devices with ASLR enabled (which appears to be the case in most hardware devices), exploitation is difficult but possible. On virtualized devices (VM-series firewalls), exploitation is significantly easier due to lack of ASLR and Randori expects public exploits will surface. Randori recommends affected organizations apply the patches provided by PAN.
Additionally, PAN has made available Threat Prevention signatures 91820 and 91855 that can be enabled to thwart exploitation while organizations plan for the software upgrade. For organizations not using the VPN capability as part of the firewall, we recommend disabling GlobalProtect.
Tomi Engdahl says:
THREAT ANALYSIS REPORT: From Shatak Emails to the Conti Ransomware https://www.cybereason.com/blog/threat-analysis-report-from-shatak-emails-to-the-conti-ransomware
In this Threat Analysis report, the GSOC investigates recent attack campaigns that reflect the current developments of the ITG23 threat group (also known as the TrickBot Gang or Wizard Spider). The ITG23 group is partnering with the TA551 (Shatak) threat group to distribute ITG23’s TrickBot and BazarBackdoor malware, which malicious actors use to deploy ITG23’s Conti ransomware on compromised systems.
Tomi Engdahl says:
Lazarus hackers target researchers with trojanized IDA Pro https://www.bleepingcomputer.com/news/security/lazarus-hackers-target-researchers-with-trojanized-ida-pro/
A North Korean state-sponsored hacking group known as Lazarus is again trying to hack security researchers, this time with a trojanized pirated version of the popular IDA Pro reverse engineering application.
Tomi Engdahl says:
PhoneSpy: The App-Based Cyberattack Snooping South Korean Citizens https://blog.zimperium.com/phonespy-the-app-based-cyberattack-snooping-south-korean-citizens/
Recently, we discovered and began monitoring the activity behind PhoneSpy, a spyware aimed at South Korean residents with Android devices. With more than a thousand South Korean victims, the malicious group behind this invasive campaign has had access to all the data, communications, and services on their devices. PhoneSpy hides in plain sight, disguising itself as a regular application with purposes ranging from learning Yoga to watching TV and videos, or browsing photos. But in reality, the application is stealing data, messages, images, and remote control of Android phones. In this blog, we will:
cover the capabilities of the Android spyware; discuss the techniques used to collect and store data; and show the communication with the C&C server to exfiltrate stolen data.
Tomi Engdahl says:
Compromised Docker Hub Accounts Abused for Cryptomining Linked to TeamTNT https://www.trendmicro.com/en_us/research/21/k/compromised-docker-hub-accounts-abused-for-cryptomining-linked-t.html
In October 2021, we observed threat actors targeting poorly configured servers with exposed Docker REST APIs by spinning up containers from images that execute malicious scripts. We identified Docker Hub registry accounts that were either compromised or belong to TeamTNT.
These accounts were being used to host malicious images and were an active part of botnets and malware campaigns that abused the Docker REST API. Exposed Docker APIs have become prevalent targets for attackers as these allow them to execute their own malicious code with root privileges on a targeted host if security considerations are not accounted for. This recent attack only highlights the increasing sophistication with which exposed servers are targeted, especially by capable threat actors like TeamTNT that use compromised user credentials to fulfill their malicious motives.
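An added example (not Trend Micro’s code): an audit of a Docker daemon.json for the misconfiguration the report describes, a REST API listener reachable over TCP without client-certificate authentication, which lets anyone who can reach the port start containers as root on the host. The two configurations are constructed for the example; the daemon.json keys used (hosts, tls, tlsverify, tlscacert, tlscert, tlskey) are Docker’s own.

```python
import json
from typing import List

# Bind addresses that mean "every interface" for a tcp:// host entry.
ANY_INTERFACE = {"", "0.0.0.0", "[::]", "::", "*"}


def audit_docker_daemon_config(config_text: str) -> List[str]:
    """Return findings for a daemon.json that exposes the Docker REST API unsafely."""
    cfg = json.loads(config_text)
    hosts = cfg.get("hosts", [])
    if isinstance(hosts, str):
        hosts = [hosts]
    # Only tls + tlsverify together make the daemon demand a client certificate.
    mutual_tls = bool(cfg.get("tls")) and bool(cfg.get("tlsverify"))
    findings = []
    for h in hosts:
        if not h.startswith("tcp://"):
            continue                      # unix:// and fd:// sockets are local only
        addr = h[len("tcp://"):]
        host_part = addr.rsplit(":", 1)[0] if ":" in addr else addr
        if host_part in ANY_INTERFACE:
            findings.append("%s: API listener bound on all interfaces" % h)
        if not mutual_tls:
            findings.append("%s: TCP listener without tls+tlsverify, any client can run containers as root" % h)
    return findings


# Constructed configurations for the example. WEAK is the shape of an exposed
# host the report describes; HARDENED requires a client certificate and binds
# to one management address only.
WEAK_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}
"""

HARDENED_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tls": true,
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        findings = audit_docker_daemon_config(text)
        print("%s: %s" % (label, "OK" if not findings else "%d finding(s)" % len(findings)))
        for f in findings:
            print("  -", f)
```

The hardened configuration still needs the management port kept off the Internet by network policy; mutual TLS stops anonymous use of the API but does nothing about the other half of the report, the compromised Docker Hub credentials used to host the images, which is an account-hygiene problem (strong unique passwords, 2FA, access tokens scoped per CI job).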
Tomi Engdahl says:
CERT-PL employees rally around politically-dismissed chief
https://therecord.media/cert-pl-employees-rally-around-politically-dismissed-chief/
The Polish government has fired the head of CERT-PL, the country’s official computer emergency response team, in what the organization’s employees have described as a dismissal based on the manager’s personal political views. Przemysław “Przemek” Jaroszewski, who has been the head of CERT-PL since July 2016, was dismissed last week after he was summoned to a meeting with Janusz Cieszyński, the Secretary of State for Digital Affairs in the Prime Minister’s office.
Cieszyński told Jaroszewski that higher-ups became aware of the CERT-PL head’s criticism of the Polish government on his personal Facebook account, according to sources in the Prime Minister’s office and the Ministry of Interior and Administration, who spoke with Polish TV station TVN24.
Tomi Engdahl says:
Citrix Patches Critical Vulnerability in ADC, Gateway
https://www.securityweek.com/citrix-patches-critical-vulnerability-adc-gateway
Citrix this week released patches for a couple of vulnerabilities affecting Citrix ADC, Gateway, and SD-WAN, including a critical bug leading to denial of service (DoS).
The more severe of the two bugs is CVE-2021-22955, a critical security hole that could lead to a DoS condition on appliances that have been configured as a VPN (Gateway) or AAA virtual server.
The security flaw was identified in Citrix Application Delivery Controller (ADC, formerly NetScaler ADC), and Gateway (formerly NetScaler Gateway).
Tracked as CVE-2021-22956, the second flaw could lead to the temporary disruption of the Management GUI, Nitro API, and RPC communication.
Considered low severity, the bug affects ADC and Gateway, as well as SD-WAN WANOP edition models 4000-WO, 4100-WO, 5000-WO, and 5100-WO, Citrix explains in an advisory.
https://support.citrix.com/article/CTX330728
Tomi Engdahl says:
South Korean Users Targeted with Android Spyware ‘PhoneSpy’
https://www.securityweek.com/south-korean-users-targeted-android-spyware-phonespy
More than 1,000 mobile phone users in South Korea have been targeted with a powerful piece of Android spyware as part of an ongoing campaign, according to a new report from Zimperium zLabs.
Dubbed PhoneSpy, the malware was designed with extensive spyware capabilities, including data theft, audio and video capture, and location monitoring.
https://blog.zimperium.com/phonespy-the-app-based-cyberattack-snooping-south-korean-citizens/
Tomi Engdahl says:
VMware Working on Patches for Serious vCenter Server Vulnerability
https://www.securityweek.com/vmware-working-patches-serious-vcenter-server-vulnerability
VMware announced on Wednesday that it’s working on patches for a potentially serious privilege escalation vulnerability affecting vCenter Server.
The vulnerability is tracked as CVE-2021-22048 and it has been assigned an “important” severity rating, which is equivalent to “high severity” based on its CVSS score of 7.1.
“The vCenter Server contains a privilege escalation vulnerability in the IWA (Integrated Windows Authentication) authentication mechanism,” VMware said in its advisory. “A malicious actor with non-administrative access to vCenter Server may exploit this issue to elevate privileges to a higher privileged group.”
The vulnerability impacts vCenter Server 6.7 and 7.0, as well as Cloud Foundation 3.x and 4.x. Until patches become available, VMware has published a document with workaround instructions.
“Workaround for CVE-2021-22048 is to switch to AD over LDAPS authentication/Identity Provider Federation for AD FS (vSphere 7.0 only) from Integrated Windows Authentication (IWA),” the virtualization giant explained.
Tomi Engdahl says:
Critical Flaw in WordPress Plugin Leads to Database Wipe
https://www.securityweek.com/critical-flaw-wordpress-plugin-leads-database-wipe
A major security vulnerability in the WP Reset PRO WordPress plugin could be exploited by an authenticated user to wipe the entire database of a website, according to a warning from researchers at Patchstack (formerly WebARX).
The issue can be exploited by any authenticated user, regardless of their authorization, to wipe all tables in a WordPress installation’s database.
This would trigger the restart of the WordPress installation process. An attacker could abuse this to create an administrator account on the WordPress website (an admin account must be created to complete the installation process), according to a Patchstack advisory.
WP Reset PRO aims to help site administrators to easily reset a website’s database to the default installation while leaving files intact, to restore damaged sites, and remove customizations or parts of the site.
https://patchstack.com/wp-reset-pro-critical-vulnerability-fixed/
Tomi Engdahl says:
Researchers wait 12 months to report vulnerability with 9.8 out of 10 severity rating
Palo Alto Networks patches critical buffer overflow bug in its GlobalProtect VPN.
https://arstechnica.com/gadgets/2021/11/vpn-vulnerability-on-10k-servers-has-severity-rating-of-9-8-out-of-10/
About 10,000 enterprise servers running Palo Alto Networks’ GlobalProtect VPN are vulnerable to a just-patched buffer overflow bug with a severity rating of 9.8 out of a possible 10.
Security firm Randori said on Wednesday that it discovered the vulnerability 12 months ago and for most of the time since has been privately using it in its red team products, which help customers test their network defenses against real-world threats. The norm among security professionals is for researchers to privately report high-severity vulnerabilities to vendors as soon as possible rather than hoarding them in secret.
CVE-2021-3064, as the vulnerability is tracked, is a buffer overflow flaw that occurs when parsing user-supplied input in a fixed-length location on the stack. A proof-of-concept exploit Randori researchers developed demonstrates the considerable damage that can result.
“Our team was able to gain a shell on the affected target, access sensitive configuration data, extract credentials, and more,” researchers from Randori wrote on Wednesday. “Once an attacker has control over the firewall, they will have visibility into the internal network and can proceed to move laterally.”
CVE-2021-3064 affects only versions earlier than PAN-OS 8.1.17, where the GlobalProtect VPN is located. While those versions are more than a year old,
Tomi Engdahl says:
CVE-2021-3064 PAN-OS: Memory Corruption Vulnerability in GlobalProtect Portal and Gateway Interfaces
https://security.paloaltonetworks.com/CVE-2021-3064
Tomi Engdahl says:
Critical Citrix DDoS Bug Shuts Down Network, Cloud App Access https://threatpost.com/critical-citrix-bug-etwork-cloud-app-access/176183/
The distributed computing vendor patched the flaw, affecting Citrix ADC and Gateway, along with another flaw impacting availability for SD-WAN appliances.
Tomi Engdahl says:
HTML smuggling surges: Highly evasive loader technique increasingly used in banking malware, targeted attacks
https://www.microsoft.com/security/blog/2021/11/11/html-smuggling-surges-highly-evasive-loader-technique-increasingly-used-in-banking-malware-targeted-attacks/
HTML smuggling, a highly evasive malware delivery technique that leverages legitimate HTML5 and JavaScript features, is increasingly used in email campaigns that deploy banking malware, remote access Trojans (RATs), and other payloads related to targeted attacks.
Notably, this technique was observed in a spear-phishing campaign from the threat actor NOBELIUM in May. More recently, we have also seen this technique deliver the banking Trojan Mekotio, as well as AsyncRAT/NJRAT and Trickbot, malware that attackers utilize to gain control of affected devices and deliver ransomware payloads and other threats.
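Added example, not Microsoft’s code: a static check for the HTML smuggling pattern the post describes, where an HTML attachment carries a base64-encoded payload that page JavaScript decodes with atob, wraps in a Blob and hands to the browser as a download, so no file ever crosses the mail gateway in recognisable form. The sample HTML and payload are constructed for the example (the payload is plain text standing in for the archive or ISO a real lure would carry); the indicator names and the “suspicious” rule are this example’s own.

```python
import base64
import re
from typing import Dict, List

# JavaScript fragments that, together, reconstruct and drop a file client-side.
INDICATORS = {
    "atob":          re.compile(r"\batob\s*\("),
    "blob":          re.compile(r"\bnew\s+Blob\s*\("),
    "object_url":    re.compile(r"URL\.createObjectURL\s*\("),
    "ms_save_blob":  re.compile(r"msSaveOrOpenBlob\s*\("),
    "download_attr": re.compile(r"\.download\s*=|\bdownload\s*=\s*[\"']"),
    "auto_click":    re.compile(r"\.click\s*\(\s*\)"),
}
# A quoted base64 run long enough to be a file rather than a short token.
B64_LITERAL = re.compile(r"[\"']([A-Za-z0-9+/]{64,}={0,2})[\"']")
DOWNLOAD_NAME = re.compile(r"download\s*=\s*[\"']([^\"']+)[\"']")


def analyse_html(html: str) -> Dict:
    """Report smuggling indicators and decode any embedded base64 blobs."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(html)]
    blobs: List[Dict] = []
    for literal in B64_LITERAL.findall(html):
        try:
            raw = base64.b64decode(literal, validate=True)
        except ValueError:
            continue
        blobs.append({"size": len(raw), "head": raw[:4]})   # head: magic bytes to fingerprint
    drops = ("object_url" in hits) or ("ms_save_blob" in hits)
    return {
        "indicators": hits,
        "embedded_blobs": blobs,
        "download_names": DOWNLOAD_NAME.findall(html),
        # Rule of this example: a Blob is built, handed to the browser as a
        # download, and a decodable payload is embedded in the page.
        "suspicious": "blob" in hits and drops and bool(blobs),
    }


# Constructed sample attachment. The payload is plain text standing in for the
# archive/ISO a real lure would carry; the markup follows the smuggling pattern.
PAYLOAD = b"constructed placeholder payload for the example, not a real file"
SAMPLE_HTML = """<html><body><p>Your document is loading...</p>
<script>
var b64 = "__B64__";
var bin = atob(b64);
var bytes = new Uint8Array(bin.length);
for (var i = 0; i < bin.length; i++) bytes[i] = bin.charCodeAt(i);
var blob = new Blob([bytes], {type: "application/octet-stream"});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "invoice.iso";
document.body.appendChild(a);
a.click();
</script></body></html>
""".replace("__B64__", base64.b64encode(PAYLOAD).decode("ascii"))

if __name__ == "__main__":
    print(analyse_html(SAMPLE_HTML))
```

The decoded `head` bytes are what to hand to a file-type check or a sandbox; real campaigns also split, reverse or XOR the blob and obfuscate the function names, so a rule like this catches the plain form and is a starting point for a detection, not a complete one.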
Tomi Engdahl says:
North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets https://blog.talosintelligence.com/2021/11/kimsuky-abuses-blogs-delivers-malware.html
Cisco Talos recently discovered a campaign operated by the North Korean Kimsuky APT group delivering malware to high-value South Korean targets namely geopolitical and aerospace research agencies. This campaign has been active since at least June 2021 deploying a constantly evolving set of implants derived from the Gold Dragon/Brave Prince family of implants.
Tomi Engdahl says:
Hackers Targeted Apple Devices in Hong Kong for Widespread Attack https://www.wired.com/story/ios-macos-hacks-hong-kong-watering-hole/
Visitors to pro-democracy and media sites in the region were infected with malware that could download files, steal data, and more. See also https://blog.google/threat-analysis-group/analyzing-watering-hole-campaign-using-macos-exploits/
Tomi Engdahl says:
Police warn of a Google scam targeting cryptocurrencies https://www.iltalehti.fi/tietoturva/a/4c86dc1b-15a7-48ca-b3a9-6afc9b96460c
The National Bureau of Investigation’s Cybercrime Centre warns of fake websites that imitate virtual currency exchange services and virtual wallets.
Tomi Engdahl says:
King of fraud sentenced to 10 years in prison for role in Methbot/3ve botnet https://therecord.media/king-of-fraud-sentenced-to-10-years-in-prison-for-role-in-methbot-3ve-botnet/
A US judge sentenced a Russian national to 10 years in prison for running Methbot, a giant ad fraud botnet that stole more than $7 million from ad publishers and ad networks between 2014 and 2018.
Tomi Engdahl says:
Congress Mulls Ban on Big Ransom Payouts Unless Victims Get Official Say-So https://threatpost.com/congress-ban-ransomware-payouts/176213/
A U.S. lawmaker has introduced a bill, the Ransomware and Financial Stability Act (H.R.5936) (PDF), that would make it illegal for financial firms to pay ransoms over $100,000 without first getting the government’s permission.
Tomi Engdahl says:
Telnyx is the latest VoIP provider hit with DDoS attacks https://www.bleepingcomputer.com/news/security/telnyx-is-the-latest-voip-provider-hit-with-ddos-attacks/
Telnyx is the latest VoIP telephony provider targeted with distributed denial-of-service (DDoS) attacks, causing worldwide outages since yesterday.
Tomi Engdahl says:
Microsoft: New security updates trigger Windows Server auth issues https://www.bleepingcomputer.com/news/microsoft/microsoft-new-security-updates-trigger-windows-server-auth-issues/
Microsoft says users might experience authentication issues on Domain Controllers (DC) running Windows Server after installing security updates released during the November Patch Tuesday.
Tomi Engdahl says:
VMware Working on Patches for Serious vCenter Server Vulnerability
https://www.securityweek.com/vmware-working-patches-serious-vcenter-server-vulnerability
https://www.vmware.com/security/advisories/VMSA-2021-0025.html
Tomi Engdahl says:
Elisa filters calls coming into Finland – calls from Finnish companies go unanswered https://www.is.fi/digitoday/art-2000008392571.html
Tomi Engdahl says:
Hackers got excited about the Apache server vulnerability
https://etn.fi/index.php/13-news/12818-hakkerit-innostuivat-apache-palvelinten-haavoittuvuudesta
The research unit of security company Check Point Software reports that Finland’s most common malware in October was still the Mailto ransomware. Globally, Trickbot holds the top spot for the fifth time. A new Apache server vulnerability has quickly climbed into the top 10 of the most exploited vulnerabilities.
The banking trojan Trickbot continues as the world’s most common malware. It is found in four percent of corporate networks worldwide.
In October, a new vulnerability named “Apache HTTP Server Directory Traversal” joined the most commonly exploited vulnerabilities. Apache released a patch for its software, but it was found to be insufficient. Apache HTTP Server still contains a vulnerability whose successful exploitation can give an attacker access to files on the system.
- The Apache vulnerability was discovered only at the beginning of October, and it is already the tenth most exploited in the world, which shows how fast attackers move. Apache users should definitely have adequate protective measures in place, says Maya Horowitz, who leads Check Point’s team of security researchers.
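A defender-side illustration of the traversal class mentioned above, added here as an example and not taken from the article or from Check Point: a small scanner that runs over Apache combined-format access log lines, percent-decodes each request path repeatedly (so a double-encoded `..` is not missed) and flags any request whose decoded path contains a `..` segment. The log lines are constructed for the example; the IP addresses and file names are placeholders.

```python
"""Flag directory-traversal attempts in Apache-style access log lines.

Added example (not from the article or Check Point). The log lines below
are constructed for illustration; the regex assumes the standard Apache
"combined" log format.
"""
import re
from urllib.parse import unquote

# Constructed sample lines in Apache combined log format (placeholder hosts/paths).
SAMPLE_LOG = """\
203.0.113.5 - - [14/Nov/2021:10:01:02 +0200] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Nov/2021:10:01:09 +0200] "GET /icons/..%2f..%2fsecret.txt HTTP/1.1" 404 196 "-" "curl/7.79.1"
203.0.113.9 - - [14/Nov/2021:10:01:15 +0200] "GET /static/.%252e/.%252e/config.ini HTTP/1.1" 403 199 "-" "python-requests/2.26"
203.0.113.5 - - [14/Nov/2021:10:01:20 +0200] "GET /docs/a..b/page.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)


def fully_decode(path: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing, so %252e (double-encoded) is caught."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def has_traversal(path: str) -> bool:
    """True if any path segment, after full decoding, is exactly '..'."""
    decoded = fully_decode(path.split("?", 1)[0])  # ignore the query string
    decoded = decoded.replace("\\", "/")            # treat backslashes as separators too
    return any(seg == ".." for seg in decoded.split("/"))


def find_traversal_attempts(log_text: str) -> list:
    """Return one record per log line whose request path looks like a traversal attempt."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        if has_traversal(m["path"]):
            hits.append({
                "ip": m["ip"],
                "path": m["path"],
                "decoded": fully_decode(m["path"]),
                "status": int(m["status"]),
            })
    return hits


if __name__ == "__main__":
    for hit in find_traversal_attempts(SAMPLE_LOG):
        print(hit)
```

The status code is kept in each record on purpose: a 403 or 404 shows the server refused the request, while a 200 on a decoded path containing `..` is the case that deserves immediate investigation. The segment-exact check is a starting point, not a complete normaliser; a production detector should also decode the path the same way the server under protection does.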
Tomi Engdahl says:
Lorenzo Franceschi-Bicchierai / VICE:
Google researchers found a watering hole attack in August exploiting a macOS zero-day and targeting Hong Kong pro-democracy sites; Apple patched on September 23 — “The nature of the activity and targeting is consistent with a government backed actor,” the Google researchers say.
Google Caught Hackers Using a Mac Zero-Day Against Hong Kong Users
“The nature of the activity and targeting is consistent with a government backed actor,” the Google researchers say.
https://www.vice.com/en/article/93bw8y/google-caught-hackers-using-a-mac-zero-day-against-hong-kong-users
Google researchers caught hackers targeting users in Hong Kong exploiting what were at the time unknown vulnerabilities in Apple’s Mac operating system. According to the researchers, the attacks have the hallmarks of government-backed hackers.
On Thursday, Google’s Threat Analysis Group (TAG), the company’s elite team of hacker hunters, published a report detailing the hacking campaign. The researchers didn’t go as far as pointing the finger at a specific hacking group or country, but they said it was “a well resourced group, likely state backed.”
Tomi Engdahl says:
Rebecca Falconer / Axios:
US joins a global cybersecurity partnership launched in 2018 with 80 countries and companies like Google and Microsoft, after declining to sign up under Trump — The U.S. is now part of an international agreement on cybersecurity that the Trump administration declined to sign up for …
U.S. joins global cybersecurity partnership ignored by Trump
https://www.axios.com/us-joins-global-cybersecurity-partnership-ignored-by-trump-1c7cd0a1-17fa-4ab8-ba1f-001639a04bf7.html
Tomi Engdahl says:
Palo Alto Networks patches zero-day affecting firewalls using GlobalProtect Portal VPN
https://www.zdnet.com/article/palo-alto-networks-patches-zero-day-affecting-firewalls-using-globalprotect-portal-vpn/
The issue affects multiple versions of PAN-OS 8.1 prior to 8.1.17 and Randori said it found numerous vulnerable instances exposed on internet-facing assets, in excess of 70,000 assets.
Tomi Engdahl says:
DISTURBING HACK ATTACK FBI is ‘HACKED and spam emails about fake cyberattacks are sent out from gov system’
https://www.the-sun.com/news/4059641/fbi-hacked-spam-email-cyberattack/
THE Federal Bureau of Investigation (FBI) had its email system hacked this morning, sending out fake messages about cyberattacks.
The rogue emails, sent from the FBI’s email infrastructure, are said to contain a warning from the Department of Homeland Security (DHS) concerning a cyberattack.
“We have been made aware of ‘scary’ emails sent in the last few hours that purport to come from the FBI/DHS [Department of Homeland Security],” the Spamhaus Project said in a post on Twitter.
“While the emails are indeed being sent from infrastructure that is owned by the FBI/DHS (the LEEP portal), our research shows that these emails *are* fake.”
Social media users have reported receiving the oddly worded email which refers to a “sophisticated chain attack” and makes reference to “the extortion gang TheDarkOverlord”.
https://mobile.twitter.com/spamhaus/status/1459450061696417792
Tomi Engdahl says:
FBI Email System Reportedly Hacked to Send Fake DHS Cyberattack Messages
https://www.newsweek.com/fbi-email-system-reportedly-hacked-fake-dhs-cyberattack-messages-1648966
The Federal Bureau of Investigation (FBI) email system had reportedly suffered a hack on Saturday morning amid several reports of messages sent from the agency’s email infrastructure purporting to be a warning from the Department of Homeland Security (DHS) about a cyberattack.
Tomi Engdahl says:
Hus: Information system under attack – service outages for a week
https://www.is.fi/digitoday/art-2000008403507.html
Tomi Engdahl says:
International Hackers Have Breached Nine Organizations, Says Bay Area Cybersecurity Firm
https://sfist.com/2021/11/08/international-hackers-have-breached-nine-organizations-says-bay-area-cybersecurity-firm/
At least one U.S. company, but probably more, is among several firms that a Santa Clara-based cybersecurity firm says have been infiltrated via some sort of password theft scheme that appears to be targeting the Department of Defense.
The reporting is all quite purposefully vague, and none of the companies who were breached are named. But according to CNN, “at least one of those organizations is in the U.S.”
Hackers have breached organizations in defense and other sensitive sectors, security firm says
https://edition.cnn.com/2021/11/07/politics/hackers-defense-contractors-energy-health-care-nsa/index.html
Suspected foreign hackers have breached nine organizations in the defense, energy, health care, technology and education sectors — and at least one of those organizations is in the US, according to findings that security firm Palo Alto Networks shared exclusively with CNN.
It’s the type of cyber espionage that security agencies in both the Biden and Trump administrations have aggressively sought to expose before it does too much damage. The goal in going public with the information is to warn other corporations that might be targeted and to burn the hackers’ tools in the process.
In this case, the hackers have stolen passwords from some targeted organizations with a goal of maintaining long-term access to those networks, Ryan Olson, a senior Palo Alto Networks executive, told CNN.
Tomi Engdahl says:
Hackers compromise FBI email system, send thousands of messages
https://www.reuters.com/world/us/hackers-compromise-fbis-external-email-system-bloomberg-news-2021-11-13/
Nov 13 (Reuters) – Hackers compromised a Federal Bureau of Investigation email system on Saturday and sent tens of thousands of messages warning of a possible cyberattack, according to the agency and security specialists.
Fake emails appeared to come from a legitimate FBI email address ending in @ic.fbi.gov, the FBI said in a statement.
Although the hardware impacted by the incident “was taken offline quickly upon discovery of the issue,” the FBI said, “This is an ongoing situation.”
The hackers sent tens of thousands of emails warning of a possible cyberattack, threat-tracking organization Spamhaus Project said on its Twitter account.
Bloomberg News reported the incident on Saturday.
Both the FBI and Cybersecurity and Infrastructure Security Agency are aware of the incident, the FBI statement said.
Tomi Engdahl says:
https://www.npr.org/2021/11/13/1055589999/hackers-sent-spam-emails-from-fbi-accounts-agency-confirms
Tomi Engdahl says:
FBI probes cyber-attack emails sent from internal server
https://www.bbc.com/news/world-us-canada-59278277
The FBI has launched an investigation after thousands of fake email messages were sent from one of its servers warning of a possible cyber-attack.
The government agency said the incident on Saturday morning was part of an “ongoing situation”, but provided no further details.
The messages purported to be from the US Department of Homeland Security.
They claimed to be a warning about a supposed threat and were titled: “Urgent: Threat actor in systems.”
Tomi Engdahl says:
Surveillance firm pays $1 million fine after ‘spy van’ scandal
https://www.bleepingcomputer.com/news/security/surveillance-firm-pays-1-million-fine-after-spy-van-scandal/
The Office of the Commissioner for Personal Data Protection in Cyprus has collected a $1 million fine from intelligence company WiSpear for gathering mobile data from various individuals arriving at the airport in Larnaca.
While this is just an administrative fine under the European Union’s General Data Protection Regulation (GDPR), it is related to a scandal two years ago widely publicized as the “spy van” case.
In 2019, a Chevrolet van, packed with at least $3.5 million worth of equipment that could hack Android smartphones and steal data including WhatsApp and Signal messages, was stationed near the Larnaca airport.
Tomi Engdahl says:
Brian Krebs / Krebs on Security:
The person claiming responsibility for the FBI email server hack says they were able to send spam messages by abusing insecure code in the FBI’s LEEP portal — The Federal Bureau of Investigation (FBI) confirmed today that its fbi.gov domain name and Internet address were used to blast …
Hoax Email Blast Abused Poor Coding in FBI Website
https://krebsonsecurity.com/2021/11/hoax-email-blast-abused-poor-coding-in-fbi-website/
The Federal Bureau of Investigation (FBI) confirmed today that its fbi.gov domain name and Internet address were used to blast out thousands of fake emails about a cybercrime investigation. According to an interview with the person who claimed responsibility for the hoax, the spam messages were sent by abusing insecure code in an FBI online portal designed to share information with state and local law enforcement authorities.
Late in the evening on Nov. 12 ET, tens of thousands of emails began flooding out from the FBI address [email protected], warning about fake cyberattacks. Around that time, KrebsOnSecurity received a message from the same email address.
“Hi its pompompurin,” read the missive. “Check headers of this email it’s actually coming from FBI server. I am contacting you today because we located a botnet being hosted on your forehead, please take immediate action thanks.”
A review of the email’s message headers indicated it had indeed been sent by the FBI, and from the agency’s own Internet address. The domain in the “from:” portion of the email I received — [email protected] — corresponds to the FBI’s Criminal Justice Information Services division (CJIS).
According to the Department of Justice, “CJIS manages and operates several national crime information systems used by the public safety community for both criminal and civil purposes. CJIS systems are available to the criminal justice community, including law enforcement, jails, prosecutors, courts, as well as probation and pretrial services.”
In response to a request for comment, the FBI confirmed the unauthorized messages, but declined to offer further information.
“The FBI and CISA [the Cybersecurity and Infrastructure Security Agency] are aware of the incident this morning involving fake emails from an @ic.fbi.gov email account,” reads the FBI statement. “This is an ongoing situation and we are not able to provide any additional information at this time. The impacted hardware was taken offline quickly upon discovery of the issue. We continue to encourage the public to be cautious of unknown senders and urge you to report suspicious activity to http://www.ic3.gov or http://www.cisa.gov.”
In an interview with KrebsOnSecurity, Pompompurin said the hack was done to point out a glaring vulnerability in the FBI’s system.
“I could’ve 1000% used this to send more legit looking emails, trick companies into handing over data etc.,” Pompompurin said. “And this would’ve never been found by anyone who would responsibly disclose, due to the notice the feds have on their website.”
Pompompurin says the illicit access to the FBI’s email system began with an exploration of its Law Enforcement Enterprise Portal (LEEP), which the bureau describes as “a gateway providing law enforcement agencies, intelligence groups, and criminal justice entities access to beneficial resources.”
Much of that process involves filling out forms with the applicant’s personal and contact information, and that of their organization. A critical step in that process says applicants will receive an email confirmation from [email protected] with a one-time passcode — ostensibly to validate that the applicant can receive email at the domain in question.
But according to Pompompurin, the FBI’s own website leaked that one-time passcode in the HTML code of the web page.
“Basically, when you requested the confirmation code [it] was generated client-side, then sent to you via a POST Request,” Pompompurin said. “This post request includes the parameters for the email subject and body content.”
Pompompurin said a simple script replaced those parameters with his own message subject and body, and automated the sending of the hoax message to thousands of email addresses.
“Needless to say, this is a horrible thing to be seeing on any website,” Pompompurin said. “I’ve seen it a few times before, but never on a government website, let alone one managed by the FBI.”
“Members of the RaidForums hacking community have a long standing feud with Troia, and commonly deface websites and perform minor hacks where they blame it on the security researcher,” Ionut Illascu wrote for BleepingComputer. “Tweeting about this spam campaign, Vinny Troia hinted at someone known as ‘pompompurin,’ as the likely author of the attack. Troia says the individual has been associated in the past with incidents aimed at damaging the security researcher’s reputation.”
Update, Nov. 14, 11:31 a.m. ET: The FBI has issued an updated statement:
“The FBI is aware of a software misconfiguration that temporarily allowed an actor to leverage the Law Enforcement Enterprise Portal (LEEP) to send fake emails.”
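The defect Pompompurin describes above, a confirmation code generated client-side and a POST request that carries the message subject and body, is a design error rather than a memory bug, so it is easiest to understand as two versions of the same handler. The following is an added example and is not the FBI’s, LEEP’s or KrebsOnSecurity’s code; the function names, form fields, sender address and in-memory code store are all hypothetical. The vulnerable shape relays whatever subject and body the client posts through the trusted sender; the hardened shape accepts only the recipient address, generates the code on the server, stores it for verification and uses a fixed template.

```python
"""Confirmation-code e-mail: client-controlled template vs. server-side generation.

Added example, not the FBI's or LEEP's code; it models only the defect the
article describes. Function names, form fields and addresses are hypothetical.
"""
import secrets
from dataclasses import dataclass


@dataclass
class OutboundMail:
    to: str
    subject: str
    body: str


SENDER = "noreply@portal.example"  # constructed placeholder sender address


# Vulnerable shape: the browser generates the code and posts the subject and
# body; the server relays whatever it receives through the trusted sender.
def send_confirmation_vulnerable(post_params: dict) -> OutboundMail:
    return OutboundMail(
        to=post_params["email"],
        subject=post_params["subject"],   # attacker-controlled
        body=post_params["body"],         # attacker-controlled
    )


# Hardened shape: the only client-supplied field is the recipient address; the
# code is generated server-side, stored for later verification, and the subject
# and body come from a fixed template the client cannot influence.
CODE_STORE: dict = {}          # in-memory stand-in for a server-side store, keyed by e-mail
ALLOWED_FIELDS = {"email"}     # every other posted field is rejected, not ignored


def send_confirmation_hardened(post_params: dict) -> OutboundMail:
    unexpected = set(post_params) - ALLOWED_FIELDS
    if unexpected:
        raise ValueError(f"unexpected form fields: {sorted(unexpected)}")
    to = post_params["email"]
    if "@" not in to or "\n" in to or "\r" in to:   # reject malformed / header-injecting addresses
        raise ValueError("invalid recipient")
    code = secrets.token_hex(4).upper()             # 8 hex characters, generated server-side
    CODE_STORE[to] = code
    return OutboundMail(
        to=to,
        subject="Your portal confirmation code",
        body=f"Your one-time confirmation code is {code}. It expires in 15 minutes.",
    )


def verify_code(email: str, submitted: str) -> bool:
    """Single-use check: the stored code is consumed whether or not it matches."""
    expected = CODE_STORE.pop(email, None)
    return expected is not None and secrets.compare_digest(expected, submitted)


def hardened_rejects(post_params: dict) -> bool:
    """True if the hardened handler refuses the request (used for checks below)."""
    try:
        send_confirmation_hardened(post_params)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    # Constructed request shapes: a legitimate sign-up and one carrying extra fields.
    legit = {"email": "user@example.org"}
    hostile = {"email": "user@example.org", "subject": "attacker-chosen subject", "body": "attacker text"}
    print(send_confirmation_vulnerable(hostile))     # relays the attacker's subject and body
    print(hardened_rejects(hostile))                 # True: extra fields refused
    mail = send_confirmation_hardened(legit)
    print(mail.subject, "|", verify_code("user@example.org", CODE_STORE["user@example.org"]))
```

Two points carry the security value: rejecting unexpected fields outright (rather than silently dropping them) makes the misuse visible in server logs, and keeping the code server-side means the page can never leak it in HTML, because the browser never sees it until the e-mail arrives.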
Tomi Engdahl says:
Ionut Ilascu / BleepingComputer:
FBI email servers were hacked to send spam warning of a “sophisticated chain attack”, with a likely goal to discredit security researcher Vinny Troia — The Federal Bureau of Investigation (FBI) emai
FBI system hacked to email ‘urgent’ warning about fake cyberattacks
https://www.bleepingcomputer.com/news/security/fbi-system-hacked-to-email-urgent-warning-about-fake-cyberattacks/
The Federal Bureau of Investigation (FBI) email servers were hacked to distribute spam email impersonating FBI warnings that the recipients’ network was breached and data was stolen.
The emails pretended to warn about a “sophisticated chain attack” from an advanced threat actor, whom they identify as Vinny Troia. Troia is the head of security research at the dark web intelligence companies NightLion and Shadowbyte.
The spam-tracking nonprofit SpamHaus noticed that tens of thousands of these messages were delivered in two waves early this morning. They believe this is just a small part of the campaign.