Cyber security news November 2021

This posting is here to collect cyber security news in November 2021.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.

373 Comments

  1. Tomi Engdahl says:

    CNBC:
    Agreements between Apple and some states to offer digital IDs in Wallet show states covering the costs of issuing the IDs and Apple approving marketing efforts — Apple requires states to maintain the systems needed to issue and service credentials at taxpayer expense, according to contracts signed by four states.

    Apple is sticking taxpayers with part of the bill for rollout of tech giant’s digital ID card
    https://www.cnbc.com/2021/11/14/apple-sticking-taxpayers-with-part-of-the-bill-for-digital-id-rollout.html

    Reply
  2. Tomi Engdahl says:

    ‘Lyceum’ Threat Group Broadens Focus to ISPs https://www.darkreading.com/attacks-breaches/-lyceum-threat-group-broadens-focus-to-isps
    “Lyceum,” an advanced persistent threat actor associated with numerous attacks on telecom organizations and oil and natural gas companies in the Middle East since 2017, has recently begun targeting Internet service providers (ISPs) and government organizations. The increased focus on ISPs appears to be part of the group’s effort to compromise organizations in order to gain access to a broad set of customers and subscribers, according to a new report this week from Accenture and Prevailion on Lyceum’s activities. Researchers from Prevailion’s adversarial counterintelligence team and Accenture’s cyber defense group analyzed recently publicized campaigns attributed to Lyceum by Kaspersky and ClearSky. The focus of the study was Lyceum’s operational infrastructure and the group’s victim profile.

    Reply
  3. Tomi Engdahl says:

    macOS zero-day deployed via Hong Kong pro-democracy news sites https://therecord.media/macos-zero-day-deployed-via-hong-kong-pro-democracy-news-sites/
    A suspected state-sponsored threat actor has used Hong Kong pro-democracy news sites to deploy a macOS zero-day exploit chain that installed a backdoor on visitors’ computers. The attacks have been taking place since at least August 2021. The exploit chain combined a remote code execution bug in WebKit (CVE-2021-1789, patched on Jan 5,
    2021) with a local privilege escalation in the XNU kernel component (CVE-2021-30869, later patched on Sept 23, 2021). The attackers used the exploit chain to gain root access to the macOS operating system and download and install a malware strain named MACMA or OSX.CDDS.

    Reply
  4. Tomi Engdahl says:

    Windows 10 Privilege-Escalation Zero-Day Gets an Unofficial Fix https://threatpost.com/windows-10-privilege-escalation-zero-day-unofficial-fix/176313/
    A partially unpatched security bug in Windows that could allow local privilege escalation from a regular user to System remains unaddressed fully by Microsoft, but an unofficial micropatch from 0patch has hit the scene. The bug (CVE-2021-34484) was originally disclosed and patched as part of Microsoft’s August Patch Tuesday updates. At the time, it was categorized as an arbitrary directory-deletion issue that was considered low-priority because an attacker would need to locally log into the targeted computer to exploit it, which, in theory, would allow the adversary to delete file folders anyway. However, the security researcher who discovered it, Abdelhamid Naceri, soon uncovered that it could also be used for privilege escalation, which is a whole other ball of wax. System-level users have access to resources, databases and servers on other parts of the network. The micropatch fixes this by extending the security check for symbolic links to the entire destination path by calling the “GetFinalPathNameByHandle” function.

    Reply
  5. Tomi Engdahl says:

    ChaosDB: Infosec bods could pull anyone’s plaintext Azure Cosmos DB keys at will from Microsoft admin tools https://www.theregister.com/2021/11/12/chaos_db_wiz_azure_cosmos_research_pwnage/
    An astonishing piece of vulnerability probing gave infosec researchers a way into Microsoft’s management controls for Azure Cosmos DB with full read and write privileges over customer databases. The so-called ChaosDB vuln gave Wiz researchers “access to the control panel of the underlying service” that hosts Azure Cosmos, Microsoft’s managed cloudy document database service, they said. Wiz was able to obtain plaintext Primary Keys “for any Cosmos DB instance running in our cluster” as well as executing arbitrary code in any other customer’s Jupyter Notebook instances. Worse than that, the researcher claimed:
    “Using just one certificate, we managed to authenticate to internal Service Fabric instances of multiple [Azure Cosmos] regions that were accessible from the internet.” Service Fabric, as Reg readers may know, is Microsoft’s home-grown microservice platform and one of the core services in Azure.

    Reply
  6. Tomi Engdahl says:

    To Joke or Not to Joke: COVID-22 Brings Disaster to MBR https://www.fortinet.com/blog/threat-research/to-joke-or-not-to-joke-covid-22-brings-disaster-to-mbr
    Even now, almost two years after the COVID-19 pandemic started, there is no sign that cybercriminals will stop taking advantage of the situation as an attack vector. This time, however, this attacker uses a COVID pandemic that has not yet happened as bait. FortiGuard Labs recently discovered a new malware posing as a mysterious COVID22 installer. While containing many of the features of “joke” malware, it is also destructive, causing infected machines to fail to boot.
    Because it has no features for encrypting data demanding a ransom to undo the damage it inflicts, it is instead a new destructive malware variant designed to render affected systems inoperable. This blog explains how this malware works.

    Reply
  7. Tomi Engdahl says:

    QBot returns for a new wave of infections using Squirrelwaffle https://www.bleepingcomputer.com/news/security/qbot-returns-for-a-new-wave-of-infections-using-squirrelwaffle/
    The activity of the QBot (also known as Quakbot) banking trojan is spiking again, and analysts from multiple security research firms attribute this to the rise of Squirrelwaffle. Squirrelwaffle emerged last month as one of the most likely candidates to fill the void left by the take-down of Emotet, and unfortunately, these predictions are quickly being confirmed.

    Reply
  8. Tomi Engdahl says:

    Abcbot – A New Evolving Wormable Botnet Malware Targeting Linux https://thehackernews.com/2021/11/abcbot-new-evolving-wormable-botnet.html
    Researchers from Qihoo 360’s Netlab security team have released details of a new evolving botnet called “Abcbot” that has been observed in the wild with worm-like propagation features to infect Linux systems and launch distributed denial-of-service (DDoS) attacks against targets. While the earliest version of the botnet dates back to July 2021, new variants observed as recently as October 30 have been equipped with additional updates to strike Linux web servers that have weak passwords and are susceptible to N-day vulnerabilities, including a custom implementation of DDoS functionality, indicating that the malware is under continuous development. Netlab’s findings also build on a report from Trend Micro early last month, which publicized attacks targeting Huawei Cloud with cryptocurrency-mining and cryptojacking malware. The intrusions were also notable for the fact that the malicious shell scripts specifically disabled a process designed to monitor and scan the servers for security issues as well as reset users’ passwords to the Elastic cloud service. Now according to the Chinese internet security company, these shell scripts are being used to spread Abcbot. A total of six versions of the botnet have been observed to date.

    Reply
  9. Tomi Engdahl says:

    Costco discloses data breach after finding credit card skimmer https://www.bleepingcomputer.com/news/security/costco-discloses-data-breach-after-finding-credit-card-skimmer/
    Costco Wholesale Corporation has warned customers in notification letters sent this month that their payment card information might have been stolen while recently shopping at one of its stores. Costco discovered the breach after finding a payment card skimming device in one of its warehouses during a routine check conducted by Costco personnel. The company removed the device, notified the authorities, and is now working with law enforcement agents who are investigating the incident. Costco added that individuals impacted by this incident might have had their payment information stolen if those who planted the card theft device were able to gain access to the info before the skimmer was found and removed.

    Reply
  10. Tomi Engdahl says:

    Number of Malicious Shopping Websites Jumps 178% ahead of November e-Shopping Holidays, Breaking Records https://blog.checkpoint.com/2021/11/12/number-of-malicious-shopping-websites-jumps-178-ahead-of-november-e-shopping-holidays-breaking-records/
    Check Point Research (CPR) spots over 5300 different malicious websites per week, marking the highest since the beginning of 2021.
    Numbers show a 178% increase compared to 2021 so far. 1 out of 38 corporate networks are being impacted on average per week in November, compared to 1 in 47 in October, and 1 in 352 earlier in 2021

    Reply
  11. Tomi Engdahl says:

    Beware of a message from a friend: someone is trying to hijack your account https://www.iltalehti.fi/tietoturva/a/c54d3bf9-3ac5-4634-b014-ccfb1246ba3f
    A wave of scams is now circulating on Instagram and Facebook Messenger that exploits hijacked social media accounts. Through those accounts a Finnish-language message is shared whose purpose is to phish the user’s phone number and verification code and to use these for financial gain. We have received about 30 reports of strange messages arriving via Messenger and Instagram.
    In reality the number of these cases is probably much higher, says information security specialist Ville Kontinen from the National Cyber Security Centre at the Finnish Transport and Communications Agency Traficom. The scammer cunningly tries to abuse the account recovery function of Instagram and Facebook, which in its intended use lets a hijacked account be restored to its rightful owner with a code sent by text message. If you share the code, the account can end up in the scammer’s hands, after which they start changing the account details and use it for the scam message. The scammer is not satisfied with just the hijacked account, however, but wants to make money from the scam. For this reason, the person who has handed over their number and verification code is sent a new message claiming that credit card details are needed to claim a prize from a contest.

    Reply
  12. Tomi Engdahl says:

    Aleksi’s investment of over 13,000 euros vanished overnight: this is the scam that young men fall for
    https://www.iltalehti.fi/tietoturva/a/30555c54-fe89-442a-84ac-9ee1d175e1f4
    Aleksi came across a new cryptocurrency that could be traded on the SpookySwap platform, and went there via a Google search, or at least thought he did. Aleksi opened the site and started connecting his virtual wallet to the server. The site unexpectedly asked for the recovery key, which was surprising. However, Aleksi had done the same thing before when connecting another wallet, so he was not worried about it. The criminals had set up an identical fake site whose address had the W replaced with VV. Such a difference can be hard to notice. The fake site had been pushed to the top spot in Google search through advertising.

    Reply
  13. Tomi Engdahl says:

    Elisa filters calls coming into Finland: calls from Finnish companies go unanswered https://www.is.fi/digitoday/art-2000008392571.html
    The filtering of calls from abroad carried out by telecom operator Elisa is causing harm to some Finnish companies.
    Calls from companies that route their telephone connections from abroad as internet calls appear to Elisa subscribers as coming from an unknown number. This makes many people leave the calls unanswered. Elisa told IS Digitoday that it blocks scam calls from abroad by locating the callers.
    For a call coming from abroad to an Elisa subscription, a check is made when the caller appears to have an Elisa mobile number. Elisa then checks whether the caller’s subscription is really in Finland or abroad. If the genuine number the caller is using is registered in the network in Finland even though the call comes from abroad, Elisa does not pass the number on to the recipient. The call itself does go through, but it appears to come from an unknown number.

    Reply
  14. Tomi Engdahl says:

    Millions of Routers, IoT Devices at Risk from New Open-Source Malware https://threatpost.com/routers-iot-open-source-malware/176270/
    Discovered by researchers at AT&T AlienLabs, BotenaGo can exploit more than 30 different vulnerabilities to attack a target, Ofer Caspi, a security researcher at Alien Labs, wrote in a blog post published Thursday. The malware, which is written in Golang, a language Google first published in 2007, works by creating a backdoor to the device. It then waits to either receive a target to attack from a remote operator through port 19412 or from another related module running on the same machine, he wrote. BotenaGo commences its work with some exploratory moves to see if a device is vulnerable to attack, Caspi wrote. It starts by initializing global infection counters that will be printed to the screen, informing the attacker about total successful infections. The malware then looks for the ‘dlrs’ folder in which to load shell script files. If this folder is missing, BotenaGo stops the infection process. In its last step before fully engaging, BotenaGo calls the function ‘scannerInitExploits’, “which initiates the malware attack surface by mapping all offensive functions with its relevant string that represent the targeted system,” Caspi wrote.

    Reply
  15. Tomi Engdahl says:

    Security company faces backlash for waiting 12 months to disclose Palo Alto 0-day https://www.zdnet.com/article/security-company-faces-backlash-for-waiting-12-months-to-disclose-palo-alto-0-day/
    Randori has faced a barrage of criticism for its decision to wait one year to publish a notice about a vulnerability it found in 2020. See also https://www.randori.com/blog/cve-2021-3064/

    Reply
  16. Tomi Engdahl says:

    A multi-stage PowerShell based attack targets Kazakhstan https://blog.malwarebytes.com/threat-intelligence/2021/11/a-multi-stage-powershell-based-attack-targets-kazakhstan/
    On November 10 we identified a multi-stage PowerShell attack using a document lure impersonating the Kazakh Ministry of Health Care, leading us to believe it targets Kazakhstan.

    Reply
  17. Tomi Engdahl says:

    US detains crypto-exchange exec for helping Ryuk ransomware gang launder profits https://therecord.media/us-detains-crypto-exchange-exec-for-helping-ryuk-ransomware-gang-launder-profits/
    A Russian national and the co-founder of two cryptocurrency exchanges was arrested at the request of US law enforcement on accusations of helping the Ryuk ransomware gang launder funds obtained from extorting US companies.

    Reply
  18. Tomi Engdahl says:

    Comic book distributor struggling with shipments after ransomware attack https://www.zdnet.com/article/comic-book-distributor-struggling-with-shipments-after-ransomware-attack/
    On Sunday, Diamond Comic Distributors said a ransomware attack was affecting its order processing systems and its internal communications platforms.

    Reply
  19. Tomi Engdahl says:

    HUS: Information system under attack: services disrupted for a week https://www.is.fi/digitoday/art-2000008403507.html
    According to HUS, patient safety has not been compromised, but the
    coronavirus vaccination and testing system has had outages.

    Reply
  20. Tomi Engdahl says:

    Fake end-to-end encrypted chat app distributes Android spyware https://www.bleepingcomputer.com/news/security/fake-end-to-end-encrypted-chat-app-distributes-android-spyware/
    The GravityRAT remote access trojan is being distributed in the wild again, this time under the guise of an end-to-end encrypted chat application called SoSafe Chat.

    Reply
  21. Tomi Engdahl says:

    Surveillance firm pays $1 million fine after ‘spy van’ scandal https://www.bleepingcomputer.com/news/security/surveillance-firm-pays-1-million-fine-after-spy-van-scandal/
    The Office of the Commissioner for Personal Data Protection in Cyprus has collected a $1 million fine from intelligence company WiSpear for gathering mobile data from various individuals arriving at the airport in Larnaca.

    Reply
  22. Tomi Engdahl says:

    QAKBOT Loader Returns With New Techniques and Tools https://www.trendmicro.com/en_us/research/21/k/qakbot-loader-returns-with-new-techniques-and-tools.html
    Toward the end of September 2021, we noted that QAKBOT operators resumed email spam operations after an almost three-month hiatus.
    Specifically, we saw that the malware distributor TR was sending malicious spam leading victims to SquirrelWaffle (another malware
    loader) and QAKBOT.

    Reply
  23. Tomi Engdahl says:

    Intel, AMD Patch High Severity Security Flaws
    https://www.securityweek.com/intel-amd-patch-high-severity-security-flaws

    Chipmakers Intel and AMD this week released patches for multiple security vulnerabilities in a wide range of product lines, including fixes for a series of high-risk issues in software drivers.

    AMD published three bulletins this week documenting at least 27 security problems in the AMD Graphics Driver for Windows 10.

    Exploitation of these flaws could allow an attacker to escalate privileges on a vulnerable system, leak information, bypass KASLR, cause a denial of service condition, or write arbitrary data to kernel memory, the company said.

    AMD rated 18 of the vulnerabilities as high-severity, while the remaining 9 are considered medium-risk. Some of these issues were identified and reported last year, and all are addressed with the release of Radeon software 21.4.1 and higher, and 21.Q2 Enterprise Driver.

    Intel published a total of 25 advisories this week with patches for many of these vulnerabilities
    https://www.intel.com/content/www/us/en/security-center/default.html

    AMD published three bulletins this week documenting at least 27 security problems in the AMD Graphics Driver for Windows 10.
    https://www.amd.com/en/corporate/product-security

    Reply
  24. Tomi Engdahl says:

    HPE Says Customer Data Compromised in Aruba Data Breach
    https://www.securityweek.com/hpe-says-customer-data-compromised-aruba-data-breach

    Hewlett Packard Enterprise (HPE) has confirmed that a small amount of customer data was compromised in a data breach involving its subsidiary Aruba Networks.

    The incident, HPE says, was discovered on November 2, and involved the use of an access key to gain unauthorized access to “a limited subset of information held in the Aruba Central cloud environment.”

    Two data repositories were compromised in the incident, one containing network telemetry data on Wi-Fi client devices connected to most Aruba Central customer networks, and another storing location data about Wi-Fi devices, such as details on devices being in proximity of other devices.

    Some of the compromised information, HPE explains, includes Media Access Control (MAC) and IP addresses, device operating system details, hostnames, and usernames where authentication is used. Additionally, records of date, time, and the Wi-Fi access point a device was connected to were also stored in the affected repositories.

    “The environment did not include any sensitive or special categories of personal data (as defined by GDPR),” the company says.

    https://www.arubanetworks.com/support-services/security-bulletins/central-incident-faq/

    Reply
  25. Tomi Engdahl says:

    Researcher Shows Windows Flaw More Serious After Microsoft Releases Incomplete Patch
    https://www.securityweek.com/researcher-shows-windows-flaw-more-serious-after-microsoft-releases-incomplete-patch

    A researcher has discovered that a Windows vulnerability for which Microsoft released an incomplete patch in August is more serious than initially believed.

    Tracked as CVE-2021-34484, the bug is described by Microsoft as a Windows User Profile Service elevation of privilege, and requires local, authenticated access for exploitation. All versions of Windows, including Windows Server, are affected.

    The security error resides in the User Profile Service, affecting code designed for creating a temporary user profile folder when the original profile folder is damaged.

    Microsoft’s incomplete patch for the issue could be easily bypassed with only a small change in the attacker script, security researcher Abdelhamid Naceri, who discovered the vulnerability, found out.

    Reply
  26. Tomi Engdahl says:

    ‘BotenaGo’ Malware Targets Routers, IoT Devices with Over 30 Exploits
    https://www.securityweek.com/botenago-malware-targets-routers-iot-devices-over-30-exploits

    A newly discovered Golang-based malware is using over 30 exploits in attacks, potentially putting millions of routers and Internet of Things (IoT) at risk of malware infection, according to a warning from AT&T Alien Labs.

    Dubbed BotenaGo, the threat deploys a backdoor on the compromised device, and then waits for commands – either from a remote operator or a malicious module on the device – to initiate an attack.

    As part of a typical BotenaGo attack, the malware first maps potential targets to attack functions, then queries the target with a GET request, after which it searches the returned data, and only then it attempts to exploit the vulnerable target.

    On a compromised device, the malware creates two backdoor ports: 31412 and 19412, and starts listening on port 19412 to receive the victim’s IP. Next, it loops through mapped exploit functions to execute them with the supplied IP.

    AT&T Alien Labs researchers have identified a total of 33 exploit functions that BotenaGo initiates.

    One of the malware’s functions was designed to exploit CVE-2020-8958, a vulnerability that potentially affects over 2 million Guangzhou devices. Another one targets CVE-2020-10173, a vulnerability in the Comtrend VR-3033 routers that potentially impacts roughly 250,000 devices.

    The threat also targets vulnerabilities in devices from DrayTek (CVE-2020-8515), D-Link (CVE-2015-2051, CVE-2020-9377, CVE-2016-11021, and CVE-2013-5223), Netgear (CVE-2016-1555, CVE-2016-6277, CVE-2017-6077, and CVE-2017-6334), GPON (CVE-2018-10561 and CVE-2018-10562), Linksys (CVE-2013-3307), XiongMai (CVE-2018-10088), TOTOLINK (CVE-2019-19824), Tenda (CVE-2020-10987), ZyXEL (CVE-2020-9054 and CVE-2017-18368) and ZTE (CVE-2014-2321).

    “As payload, BotenaGo will execute remote shell commands on devices in which the vulnerability has been successfully exploited. Depending on the infected system, the malware uses different links, each with a different payload,” the researchers explain.

    Reply
  27. Tomi Engdahl says:

    Simon Sharwood / The Register:
    AMD reveals 50 security flaws in its EPYC processors and its Windows 10 graphics driver; Intel discloses 25 vulnerabilities in its products including CPUs

    AMD reveals an Epyc 50 flaws – 23 of them rated high severity. Intel has 25 bugs, too
    https://www.theregister.com/2021/11/12/amd_and_intel_flaws/

    Think of an attack – DoS, arbitrary code execution, memory corruption – and one of these vulns allows it

    AMD’s Epyc processors – all three generations of ‘em – have 22 flaws, four of them rated high. Those flaws, and AMD’s descriptions of them, are:

    CVE-2020-12954 – A side effect of an integrated chipset option may be able to be used by an attacker to bypass SPI ROM protections, allowing unauthorized SPI ROM modification.
    CVE-2020-12961 – A potential vulnerability exists in AMD Platform Security Processor (PSP) that may allow an attacker to zero any privileged register on the System Management Network which may lead to bypassing SPI ROM protections.
    CVE-2021-26331 – AMD System Management Unit (SMU) contains a potential issue where a malicious user may be able to manipulate mailbox entries leading to arbitrary code execution.
    CVE-2021-26335 – Improper input and range checking in the Platform Security Processor (PSP) boot loader image header may allow for an attacker to use attack-controlled values prior to signature validation potentially resulting in arbitrary code execution.

    Intel has also revealed product vulnerabilities – 25 of them. Chipzilla issues its own IDs for flaws, and groups multiple CVEs beneath them.

    Those rated High include:

    INTEL-SA-00509 – which includes 10 CVEs in Intel WiFi products, allowing escalation of privilege, denial of service, and information disclosure
    INTEL-SA-00535 – a single CVE (CVE-2021-0148) that impacts multiple Intel solid state disks. “Insertion of information into log file in firmware … may allow a privileged user to potentially enable information disclosure via local access,” states Intel’s advisory.
    INTEL-SA-00528 – an escalation of privilege flaw in Pentium, Celeron, and Atom silicon
    INTEL-SA-00562 – Bad BIOS may allow escalation of privileges in 10 types of Intel CPU ranging from this year’s Xeons to Core CPUs from 2016, and even some 2013 Celerons

    Reply
  28. Tomi Engdahl says:

    HUS: Information system under attack – services disrupted for a week
    https://www.is.fi/digitoday/art-2000008403507.html

    According to HUS, patient safety has not been compromised, but the coronavirus vaccination and testing system has had outages.

    HUS’s acting chief medical officer Jari Petäjä confirmed the matter to Ilta-Sanomat on Saturday.

    According to information obtained by Ilta-Sanomat, HUS’s information systems have had service outages during the past week. How do you comment on this?

    – We have an ongoing situation that has caused operational disturbances.

    What kind of faults have been detected in HUS’s systems?

    – The Finentry service has had malfunctions, meaning there have been outages in services.

    How long have the disruptions gone on?

    – The situation has continued for several days; we have had problems for about a week.

    Has patient safety been compromised as a result?

    – We have not been worried about patient safety during the chain of events, because the disruption has not extended to the patient record systems, Petäjä says.

    How has this been visible to the public?

    – There have been disruptions in functions related to coronavirus vaccinations and testing.

    Reply
  29. Tomi Engdahl says:

    https://hackaday.com/2021/11/12/this-week-in-security-unicode-strikes-npm-again-and-first-steps-to-ps5-crack/
    Maybe we really were better off with ASCII. Back in my day, we had space for 256 characters, didn’t even use 128 of them, and we took what we got. Unicode opened up computers to the languages of the world, but also opened an invisible backdoor. This is a similar technique to last week’s Trojan Source story. While Trojan Source used right-to-left encoding to manipulate benign-looking code, this hack from Certitude uses Unicode characters that appear to be whitespace, but are recognized as valid variable names.

    The Invisible JavaScript Backdoor
    https://certitude.consulting/blog/en/invisible-backdoor/

    Our approach for creating the backdoor was to first, find an invisible Unicode character that can be interpreted as an identifier/variable in JavaScript. Beginning with ECMAScript version 2015, all Unicode characters with the Unicode property ID_Start can be used in identifiers (characters with property ID_Continue can be used after the initial character).

    The character “ㅤ” (0x3164 in hex) is called “HANGUL FILLER” and belongs to the Unicode category “Letter, other”. As this character is considered to be a letter, it has the ID_Start property and can therefore appear in a JavaScript variable – perfect!

    Note that messing with Unicode to hide vulnerable or malicious code is not a new idea (also using invisible characters) and Unicode inherently opens up additional possibilities to obfuscate code. We believe that these tricks are quite neat though, which is why we wanted to share them.

    Unicode should be kept in mind when doing reviews of code from unknown or untrusted contributors. This is especially interesting for open source projects as they might receive contributions from developers that are effectively anonymous.

    Reply
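    A review-time scanner for the invisible-identifier trick described in the comment above, as an added example that is not from the Certitude write-up or the linked articles: it tokenizes JavaScript source, flags every identifier containing non-ASCII code points, and rates known invisible letters (U+3164 HANGUL FILLER and the other Hangul fillers) and format controls as high severity. The filler list and the sample source are constructed for this example.

```python
"""Flag JavaScript identifiers built from invisible or non-ASCII code points.

Added example (not from the Certitude write-up or the linked article). The
sample source below is constructed; U+3164 HANGUL FILLER is the character the
write-up names.
"""
import re
import unicodedata

# Code points Unicode classifies as letters (category Lo, hence ID_Start) that
# nevertheless render as blank space. Constructed list of the well-known Hangul
# fillers; extend it as needed.
INVISIBLE_LETTERS = {
    0x115F,  # HANGUL CHOSEONG FILLER
    0x1160,  # HANGUL JUNGSEONG FILLER
    0x3164,  # HANGUL FILLER (the one used in the write-up)
    0xFFA0,  # HALFWIDTH HANGUL FILLER
}

# Rough JavaScript identifier grammar: first char is a letter, '_' or '$';
# later chars may also be digits, ZWNJ (U+200C) or ZWJ (U+200D), which
# ECMAScript permits as IdentifierPart. Python's \w is Unicode-aware, so it
# accepts letter-class fillers such as U+3164 just as a JS engine does.
IDENT_RE = re.compile(r"[^\W\d$][\w$\u200c\u200d]*|\$[\w$\u200c\u200d]*")


def classify_char(ch):
    """Return None for plain ASCII, otherwise a short reason string."""
    cp = ord(ch)
    if cp < 0x80:
        return None
    if cp in INVISIBLE_LETTERS:
        return "invisible letter"
    if unicodedata.category(ch) == "Cf":
        return "format control"  # zero-width joiners and similar
    return "non-ascii"


def escape_ident(ident):
    """Make the identifier visible: non-ASCII chars become \\uXXXX."""
    return "".join(c if ord(c) < 0x80 else f"\\u{ord(c):04x}" for c in ident)


def scan_js(source):
    """Return one finding per identifier occurrence containing a non-ASCII
    code point. Severity is 'high' when the identifier hides an invisible or
    format character, 'low' for ordinary non-ASCII letters (e.g. umlauts)."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in IDENT_RE.finditer(line):
            ident = m.group(0)
            reasons = {classify_char(c) for c in ident}
            reasons.discard(None)
            if not reasons:
                continue
            severity = "low" if reasons == {"non-ascii"} else "high"
            findings.append({
                "line": lineno,
                "column": m.start() + 1,
                "escaped": escape_ident(ident),
                "severity": severity,
                "reasons": sorted(reasons),
            })
    return findings


def format_report(findings):
    """Render findings as 'line:col [severity] identifier (reasons)' rows."""
    return [
        f"{f['line']}:{f['column']} [{f['severity']}] {f['escaped']} "
        f"({', '.join(f['reasons'])})"
        for f in findings
    ]


# Constructed sample mirroring the pattern the write-up describes: an
# invisible identifier is destructured from the request query and later
# appended to an array. Line 6 holds a harmless non-ASCII identifier for
# contrast.
SAMPLE_JS = (
    "const express = require('express');\n"                        # line 1
    "const app = express();\n"                                     # line 2
    "app.get('/network_health', async (req, res) => {\n"           # line 3
    "    const { timeout,\u3164} = req.query;\n"                   # line 4
    "    const checks = ['ping -c 1 example.invalid',\u3164];\n"   # line 5
    "    const gr\u00f6\u00dfe = checks.length;\n"                 # line 6
    "    res.send(String(gr\u00f6\u00dfe));\n"                     # line 7
    "});\n"
)

if __name__ == "__main__":
    for row in format_report(scan_js(SAMPLE_JS)):
        print(row)
```

    Run on the sample, the two U+3164 occurrences on lines 4 and 5 come out as high-severity hits, while the umlaut identifier on lines 6 and 7 is reported as low-severity so a reviewer can tell a language-specific name from a blank-looking one.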
  30. Tomi Engdahl says:

    Hacking group says it has found encryption keys needed to unlock the PS5 [Updated]
    Fail0verflow announcement suggests a private exploit to expose system’s secure kernel.
    https://hackaday.com/2021/11/12/this-week-in-security-unicode-strikes-npm-again-and-first-steps-to-ps5-crack/

    Reply
  31. Tomi Engdahl says:

    Hacking group says it has found encryption keys needed to unlock the PS5 [Updated]
    Fail0verflow announcement suggests a private exploit to expose system’s secure kernel.
    https://arstechnica.com/gaming/2021/11/uncovered-ps5-encryption-keys-are-the-first-step-to-unlocking-the-console/

    Reply
  32. Tomi Engdahl says:

    Cloudflare blocked a massive 2 Tbps DDoS attack
    https://techcrunch.com/2021/11/15/cloudflare-terabits-ddos-attack/?tpcc=tcplusfacebook

    Cloudflare says it has blocked a distributed denial-of-service (DDoS) attack that peaked at just under 2 Tbps, making it one of the largest ever recorded.

    The internet company said in a blog post that the attack was launched from approximately 15,000 bots running a variant of the original Mirai code on exploited Internet of Things (IoT) devices and unpatched GitLab instances.

    The DDoS attack comes just two weeks after Rapid7 warned of a GitLab vulnerability — rated a full 10.0 on the CVSS severity scale — that could be exploited to allow an attacker to remotely run code, like botnet malware, on an affected server. Rapid7 found that at least half of the 60,000 internet-facing GitLab instances remain unpatched.

    Reply
  33. Tomi Engdahl says:

    Fake Emails Sent From FBI Address via Compromised Law Enforcement Portal
    https://www.securityweek.com/fake-emails-sent-fbi-address-compromised-law-enforcement-portal

    Thousands of fake emails coming from an FBI email address were sent out on Friday by someone who exploited a vulnerability in a law enforcement portal. The FBI has confirmed the breach, but said impact was limited.

    The hoax emails, coming from “[email protected],” carried the subject line “Urgent: Threat actor in systems.” The message appeared to come from the DHS and it informed recipients about “exfiltration of several of your virtualized clusters in a sophisticated chain attack.”

    The emails claimed the threat actor was identified as Vinny Troia. Troia is a security researcher who claims to have been targeted numerous times by some hackers for exposing them.

    Troia on Twitter said he suspected an individual who uses the online moniker “pompompur_in” was behind the attack. He said the individual is associated with a cybercrime group named The Dark Overlord, whose alleged members were exposed in a report published last year by Troia’s company, NightLion Security.

    In a statement issued on Sunday, the FBI said the emails were sent out by someone who leveraged a “software misconfiguration” affecting the Law Enforcement Enterprise Portal (LEEP), which is used by the agency to communicate with state and local law enforcement partners.

    “While the illegitimate email originated from an FBI operated server, that server was dedicated to pushing notifications for LEEP and was not part of the FBI’s corporate email service,” the FBI stated. “No actor was able to access or compromise any data or PII on the FBI’s network. Once we learned of the incident, we quickly remediated the software vulnerability, warned partners to disregard the fake emails, and confirmed the integrity of our networks.”

    Pompompurin told Krebs that they exploited a vulnerability in the LEEP portal account registration process to be able to send out emails from the fbi.gov email address.

    Threat intelligence organization Spamhaus reported seeing more than 100,000 fake emails being sent out in two waves.

    https://twitter.com/spamhaus/status/1459450061696417792

    We have been made aware of “scary” emails sent in the last few hours that purport to come from the FBI/DHS. While the emails are indeed being sent from infrastructure that is owned by the FBI/DHS (the LEEP portal), our research shows that these emails *are* fake.

    Reply
  34. Tomi Engdahl says:

    FBI Statement on Incident Involving Fake Emails
    https://www.fbi.gov/news/pressrel/press-releases/fbi-statement-on-incident-involving-fake-emails

    Updated November 14, 2021:

    The FBI is aware of a software misconfiguration that temporarily allowed an actor to leverage the Law Enforcement Enterprise Portal (LEEP) to send fake emails. LEEP is FBI IT infrastructure used to communicate with our state and local law enforcement partners. While the illegitimate email originated from an FBI operated server, that server was dedicated to pushing notifications for LEEP and was not part of the FBI’s corporate email service. No actor was able to access or compromise any data or PII on the FBI’s network. Once we learned of the incident, we quickly remediated the software vulnerability, warned partners to disregard the fake emails, and confirmed the integrity of our networks.

    Original statement:

    The FBI and CISA are aware of the incident this morning involving fake emails from an @ic.fbi.gov email account. This is an ongoing situation, and we are not able to provide any additional information at this time. The impacted hardware was taken offline quickly upon discovery of the issue. We continue to encourage the public to be cautious of unknown senders and urge you to report suspicious activity to ic3.gov or cisa.gov.

    Reply
  35. Tomi Engdahl says:

    FBI Statement on Incident Involving Fake Emails https://www.fbi.gov/news/pressrel/press-releases/fbi-statement-on-incident-involving-fake-emails
    The FBI is aware of a software misconfiguration that temporarily allowed an actor to leverage the Law Enforcement Enterprise Portal (LEEP) to send fake emails. No actor was able to access or compromise any data or PII on the FBI's network.

    Reply
  36. Tomi Engdahl says:

    Emotet botnet returns after law enforcement mass-uninstall operation
    https://therecord.media/emotet-botnet-returns-after-law-enforcement-mass-uninstall-operation/
    The Emotet malware botnet is back up and running once again almost ten months after an international law enforcement operation took down its command and control servers earlier this year in January.

    Reply
  37. Tomi Engdahl says:

    New Microsoft emergency updates fix Windows Server auth issues https://www.bleepingcomputer.com/news/microsoft/new-microsoft-emergency-updates-fix-windows-server-auth-issues/
    Microsoft has released out-of-band updates to address authentication failures related to Kerberos delegation scenarios impacting Domain Controllers (DC) running supported versions of Windows Server.

    Reply
  38. Tomi Engdahl says:

    Uncovering MosesStaff techniques: Ideology over Money https://research.checkpoint.com/2021/mosesstaff-targeting-israeli-companies/
    In September 2021, the hacker group MosesStaff began targeting Israeli organizations, joining a wave of attacks which was started about a year ago by the Pay2Key and BlackShadow attack groups. Those actors operated mainly for political reasons in an attempt to create noise in the media and damage the country's image, demanding money and conducting lengthy and public negotiations with the victims.

    Reply
  39. Tomi Engdahl says:

    AT&T Alien Labs finds new Golang malware (BotenaGo) targeting millions of routers and IoT devices with more than 30 exploits https://cybersecurity.att.com/blogs/labs-research/att-alien-labs-finds-new-golang-malwarebotenago-targeting-millions-of-routers-and-iot-devices-with-more-than-30-exploits
    AT&T Alien Labs has found new malware written in the open source programming language Golang. Deployed with more than 30 exploits, it has the potential of targeting millions of routers and IoT devices.

    Reply
  40. Tomi Engdahl says:

    7 million Robinhood user email addresses for sale on hacker forum https://www.bleepingcomputer.com/news/security/7-million-robinhood-user-email-addresses-for-sale-on-hacker-forum/
    The data for approximately 7 million Robinhood customers stolen in a recent data breach are being sold on a popular hacking forum and marketplace.

    Reply
  41. Tomi Engdahl says:

    A new Android banking trojan named SharkBot is making its presence felt https://therecord.media/a-new-android-banking-trojan-named-sharkbot-is-makings-its-presence-felt/
    Security researchers have discovered a new Android banking trojan capable of hijacking users' smartphones and emptying out e-banking and cryptocurrency accounts.

    Reply
  42. Tomi Engdahl says:

    North Korean Hackers Target Cybersecurity Researchers with Trojanized IDA Pro https://thehackernews.com/2021/11/north-korean-hackers-target.html
    Lazarus, the North Korea-affiliated state-sponsored group, is attempting to once again target security researchers with backdoors and remote access trojans using a trojanized pirated version of the popular IDA Pro reverse engineering software.

    Reply
  43. Tomi Engdahl says:

    Alibaba ECS instances actively hijacked by cryptomining malware https://www.bleepingcomputer.com/news/security/alibaba-ecs-instances-actively-hijacked-by-cryptomining-malware/
    Threat actors are hijacking Alibaba Elastic Computing Service (ECS) instances to install cryptominer malware and harness the available server resources for their own profit.

    Reply
  44. Tomi Engdahl says:

    ProxyShell, QBot, and Conti Ransomware Combined in a Series of Cyberattacks https://www.truesec.com/hub/blog/proxyshell-qbot-and-conti-ransomware-combined-in-a-series-of-cyber-attacks
    We are investigating a series of cyberattacks that result in encryption with the Conti ransomware. This post describes some of the indicators that can be used to detect these attacks.

    Reply
  45. Tomi Engdahl says:

    Diebold Nixdorf ATM Flaws Allowed Attackers to Modify Firmware, Steal Cash
    https://www.securityweek.com/diebold-nixdorf-atm-flaws-allowed-attackers-modify-firmware-steal-cash

    Security researchers with Positive Technologies have published information on a couple of vulnerabilities in Diebold Nixdorf ATMs that could have allowed for an attacker to replace the firmware on the system and withdraw cash.

    Tracked as CVE-2018-9099 and CVE-2018-9100, the flaws were identified in the CMD-V5 and RM3/CRS dispensers – one in each device – of the Wincor Cineo ATMs and were addressed a couple of years ago. Diebold acquired Wincor Nixdorf in 2016 and the companies later merged.

    During research sanctioned by the vendor, Positive Technologies discovered that, while the ATMs had in place a series of security measures meant to prevent blackbox attacks, such as end-to-end encrypted communication with the cash dispenser, it was actually possible to work around these.

    Specifically, the researchers figured out the command encryption between the ATM computer and the cash dispenser, bypassed it, replaced the ATM firmware with an outdated one, and exploited the vulnerabilities to tell the system to spew cash.

    Reply
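    The write-up above turns on a downgrade: once the dispenser's command encryption was worked around, a correctly signed but outdated firmware could be installed and its known bugs exploited. The following is an added example (not Positive Technologies' or Diebold Nixdorf's code, and not a description of how the real dispensers check firmware) showing why a signature check alone is not enough and how an anti-rollback version bound closes the gap. It assumes a signed image laid out as a 4-byte big-endian version, the payload, and a 32-byte tag; HMAC-SHA256 under a per-device key stands in for the vendor's real (asymmetric) signature scheme so the example stays stdlib-only.

```python
"""Firmware acceptance check with signature verification and anti-rollback.

Added illustration of the downgrade problem; not vendor code. Assumed image
layout: version (4 bytes, big-endian) || payload || tag (32 bytes), where the
tag is HMAC-SHA256 over version || payload under a per-device key. The HMAC
is a stand-in for a real asymmetric firmware signature.
"""
import hashlib
import hmac
import struct
from typing import Optional, Tuple

VERSION_LEN = 4
TAG_LEN = 32


def sign_image(key: bytes, version: int, payload: bytes) -> bytes:
    """Produce a signed image: version || payload || tag(version || payload)."""
    header = struct.pack(">I", version)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def verify_image(key: bytes, image: bytes) -> Optional[Tuple[int, bytes]]:
    """Return (version, payload) if the tag verifies, else None."""
    if len(image) < VERSION_LEN + TAG_LEN:
        return None
    body, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    (version,) = struct.unpack(">I", body[:VERSION_LEN])
    return version, body[VERSION_LEN:]


class Dispenser:
    """Toy firmware store holding the installed version and payload."""

    def __init__(self, key: bytes, installed_version: int, payload: bytes):
        self.key = key
        self.version = installed_version
        self.payload = payload

    def update_signature_only(self, image: bytes) -> bool:
        """Weak policy: any correctly signed image is installed, including an
        older one whose signature is still valid but which carries known bugs.
        This is the downgrade path a signature check alone does not stop."""
        parsed = verify_image(self.key, image)
        if parsed is None:
            return False
        self.version, self.payload = parsed
        return True

    def update_with_rollback_protection(self, image: bytes) -> bool:
        """Hardened policy: the image must verify *and* carry a version at
        least as new as the installed one. Older images are refused even
        though their signature is valid."""
        parsed = verify_image(self.key, image)
        if parsed is None:
            return False
        version, payload = parsed
        if version < self.version:
            return False
        self.version, self.payload = version, payload
        return True


def demo() -> dict:
    """Run both policies against an old, a tampered, a forged and a new image."""
    key = b"per-device-key-for-the-example"   # constructed
    wrong_key = b"some-other-key"              # constructed
    old_image = sign_image(key, 3, b"firmware v3 (superseded)")
    new_image = sign_image(key, 7, b"firmware v7 (current)")
    tampered = bytearray(new_image)
    tampered[VERSION_LEN] ^= 0x01              # flip one payload bit: tag no longer matches
    forged = sign_image(wrong_key, 9, b"attacker build")

    weak = Dispenser(key, installed_version=5, payload=b"firmware v5")
    hardened = Dispenser(key, installed_version=5, payload=b"firmware v5")
    return {
        "weak_accepts_downgrade": weak.update_signature_only(old_image),
        "weak_version_after": weak.version,
        "hardened_rejects_downgrade": not hardened.update_with_rollback_protection(old_image),
        "hardened_rejects_tampered": not hardened.update_with_rollback_protection(bytes(tampered)),
        "hardened_rejects_forged": not hardened.update_with_rollback_protection(forged),
        "hardened_accepts_upgrade": hardened.update_with_rollback_protection(new_image),
        "hardened_version_after": hardened.version,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

    The version bound only helps if the installed version is stored where the attacker cannot reset it and if the vendor never re-signs a lower version; in practice that means a monotonic counter in protected storage rather than a field in the replaceable image.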
  46. Tomi Engdahl says:

    IoT Protocol Used by NASA, Siemens and Volkswagen Can Be Exploited by Hackers
    https://www.securityweek.com/iot-protocol-used-nasa-siemens-and-volkswagen-can-be-exploited-hackers

    Researchers Warn DDS Protocol Can Be Abused for Lateral Movement and Malware C&C

    Researchers have shown that a widely used protocol named Data Distribution Service (DDS) is affected by vulnerabilities that could be exploited by threat actors for various purposes.

    Maintained by the standards development organization Object Management Group (OMG), DDS is a middleware protocol and API standard for data connectivity that is advertised as ideal for business-critical IoT systems. DDS has been used in sectors such as public transportation, air traffic management, aerospace, autonomous driving, industrial robotics, medical devices, and missile and other military systems.

    DDS has been used by organizations such as NASA, Siemens, and Volkswagen, as well as in the popular Robot Operating System (ROS).

    There are both open source and closed source implementations of DDS, including by ADLINK Technology, Eclipse (CycloneDDS), eProsima (Fast DDS), OCI (OpenDDS), TwinOaks Computing (CoreDX DDS), Gurum Networks (GurumDDS), and RTI (Connext DDS).

    The researchers disclosed some of their findings at the Black Hat Europe 2021 cybersecurity conference last week, with a research paper detailing their work being planned for early next year.

    In the meantime, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released an industrial control systems (ICS) advisory related to the research.

    “CISA is issuing this advisory to provide early notice of the reported vulnerabilities and identify baseline mitigations for reducing risks to these and other cybersecurity attacks,” CISA said.

    According to CISA, patches have been released for CycloneDDS, FastDDS, OpenDDS, Connext DDS, and CoreDX DDS. There do not appear to be any patches from Gurum, which the researchers said ignored several notification attempts.

    ICS Advisory (ICSA-21-315-02)
    Multiple Data Distribution Service (DDS) Implementations
    https://us-cert.cisa.gov/ics/advisories/icsa-21-315-02

    1. EXECUTIVE SUMMARY

    CVSS v3 8.6
    ATTENTION: Exploitable remotely/low attack complexity
    Vendors: Eclipse, eProsima, GurumNetworks, Object Computing, Inc. (OCI), Real-Time Innovations (RTI), TwinOaks Computing
    Equipment: CycloneDDS, FastDDS, GurumDDS, OpenDDS, Connext DDS Professional, Connext DDS Secure, Connext DDS Micro, CoreDX DDS
    Vulnerabilities: Write-what-where Condition, Improper Handling of Syntactically Invalid Structure, Network Amplification, Incorrect Calculation of Buffer Size, Heap-based Buffer Overflow, Improper Handling of Length Parameter Inconsistency, Amplification, Stack-based Buffer Overflow

    CISA is aware of a public report detailing vulnerabilities found in multiple open-source and proprietary Object Management Group (OMG) Data-Distribution Service (DDS) implementations. This advisory addresses a vulnerability that originates within, and affects the implementation of, the DDS standard. In addition, this advisory addresses other vulnerabilities found within the DDS implementation. CISA is issuing this advisory to provide early notice of the reported vulnerabilities and identify baseline mitigations for reducing risks to these and other cybersecurity attacks.

    The following implementations of OMG DDS are affected:

    Eclipse CycloneDDS: All versions prior to 0.8.0
    eProsima Fast DDS: All versions prior to 2.4.0 (#2269)
    GurumNetworks GurumDDS: All versions
    Object Computing, Inc. (OCI) OpenDDS: All versions prior to 3.18.1
    Real-Time Innovations (RTI) Connext DDS Professional and Connext DDS Secure: Versions 4.2x to 6.1.0
    RTI Connext DDS Micro: Versions 3.0.0 and later
    TwinOaks Computing CoreDX DDS: All versions prior to 5.9.1

    Reply
  47. Tomi Engdahl says:

    Costco Hit by Card Skimming Attack Heading Into Holiday Season
    https://www.securityweek.com/costco-hit-card-skimming-attack-head-holiday-season

    Costco, one of the world’s largest retailers, has warned customers that they may have had bank card details stolen, following reports that payment card skimming devices were discovered at Costco warehouses.

    “If unauthorized parties were able to remove information from the device before it was discovered, they may have acquired the magnetic stripe of your payment card, including your name, card expiration date, and CVV,” Kevin Green, VP Midwest region operations at Costco, wrote in a letter to potentially affected customers.

    The letter, dated November 5, 2021, was uploaded to Documentcloud by Bleeping Computer.

    The letter offers customers who may have been affected free credit monitoring from IDX for 12 months, but provides no further details on the device itself, nor the period in which it was operational.

    https://www.documentcloud.org/documents/21103155-costco_data_breach_notification_bc_card_skimmer_device

    Reply
  48. Tomi Engdahl says:

    Cloudflare Battles 2 Tbps DDoS Attack Launched by Mirai Botnet
    https://www.securityweek.com/cloudflare-mitigates-2-tbps-ddos-attack-launched-mirai-botnet

    Web security services provider Cloudflare says it mitigated a distributed denial-of-service (DDoS) attack that peaked at almost 2 terabytes per second (Tbps).

    The multi-vector assault was launched by a botnet of approximately 15,000 machines infected with a variant of the original Mirai malware. The bots included Internet of Things (IoT) devices and GitLab instances, Cloudflare said in a new report.

    GitLab instances ensnared into the botnet are affected by CVE-2021-22205, a critical (CVSS score of 10) vulnerability that was patched more than six months ago, but which continues to expose tens of thousands of systems.

    The 2 Tbps DDoS attack only lasted one minute. The assault combined DNS amplification and UDP floods, the company said.

    Cloudflare notes that it observed an overall increase in the number of terabit-strong DDoS attacks over the last quarter, and that network-layer incidents were up 44% quarter-over-quarter.

    Reply
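    Both Cloudflare excerpts in this thread (the truncated one near the top and the one just above) describe the same attack: roughly 15,000 Mirai-variant bots combining DNS amplification with UDP floods for about a minute. As an added example, not Cloudflare's code and not a description of its mitigation, the script below separates the two vectors in sampled flow records. It assumes a simplified flow-record shape (constructed inline) and two heuristics: a DNS response arriving at a protected host is unsolicited when that host sent no query to the responding resolver within QUERY_WINDOW seconds, and a UDP flood is inbound UDP spread over many destination ports from many sources. The thresholds are illustrative.

```python
"""Flag DNS-amplification reflection and plain UDP floods in sampled flow records.

Added example; the flow-record format, thresholds and sample traffic are
all constructed for illustration. Heuristics:
  * a UDP/53 response to a protected host with no preceding query from that
    host to the same resolver is counted as a reflected (amplified) answer;
  * inbound UDP from many sources to many destination ports is a flood.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class Flow:
    ts: float       # seconds since capture start
    src: str
    sport: int
    dst: str
    dport: int
    octets: int     # bytes in the flow
    packets: int


QUERY_WINDOW = 5.0            # seconds a legitimate answer may trail its query
MIN_UNSOLICITED_SOURCES = 10  # distinct reflectors before calling it amplification
MIN_FLOOD_SOURCES = 10
MIN_FLOOD_PORTS = 10


def classify(flows: Iterable[Flow], protected: Set[str]) -> Dict[str, dict]:
    """Return per-protected-address labels plus the counters behind them."""
    flows = list(flows)
    # Outbound DNS queries from protected hosts: (client, resolver) -> timestamps.
    queries = defaultdict(list)
    for f in flows:
        if f.src in protected and f.dport == 53:
            queries[(f.src, f.dst)].append(f.ts)

    reflectors = defaultdict(set)   # target -> resolvers answering unasked
    resp_octets = defaultdict(int)
    resp_pkts = defaultdict(int)
    flood_srcs = defaultdict(set)
    flood_ports = defaultdict(set)

    for f in flows:
        if f.dst not in protected:
            continue
        if f.sport == 53:
            # Solicited only if a matching query preceded it within the window.
            solicited = any(0 <= f.ts - t <= QUERY_WINDOW for t in queries[(f.dst, f.src)])
            if not solicited:
                reflectors[f.dst].add(f.src)
                resp_octets[f.dst] += f.octets
                resp_pkts[f.dst] += f.packets
        else:
            flood_srcs[f.dst].add(f.src)
            flood_ports[f.dst].add(f.dport)

    report = {}
    for ip in protected:
        labels = set()
        if len(reflectors[ip]) >= MIN_UNSOLICITED_SOURCES:
            labels.add("dns_amplification")
        if len(flood_srcs[ip]) >= MIN_FLOOD_SOURCES and len(flood_ports[ip]) >= MIN_FLOOD_PORTS:
            labels.add("udp_flood")
        report[ip] = {
            "labels": labels,
            "unsolicited_sources": len(reflectors[ip]),
            "avg_response_bytes": resp_octets[ip] // resp_pkts[ip] if resp_pkts[ip] else 0,
        }
    return report


def sample_flows() -> List[Flow]:
    """Constructed traffic: one legitimate query/answer pair for one protected
    host, then a reflection burst and a UDP flood against another."""
    flows = [
        Flow(0.00, "203.0.113.20", 51000, "198.51.100.5", 53, 70, 1),   # legit query
        Flow(0.02, "198.51.100.5", 53, "203.0.113.20", 51000, 120, 1),  # its answer
    ]
    for i in range(30):  # 30 open resolvers reflecting large answers at the victim
        flows.append(Flow(1.0 + i * 0.01, f"192.0.2.{i + 1}", 53, "203.0.113.10", 40000 + i, 6400, 2))
    for i in range(20):  # 20 sources spraying UDP at arbitrary ports
        flows.append(Flow(2.0 + i * 0.01, f"198.51.100.{100 + i}", 50000 + i, "203.0.113.10", 10000 + i, 1400, 1))
    return flows


if __name__ == "__main__":
    for ip, info in classify(sample_flows(), {"203.0.113.10", "203.0.113.20"}).items():
        print(ip, info)
```

    Because the attack the post describes lasted about a minute, the window these heuristics run over has to be short; the same logic applied to hourly aggregates would see nothing. The query-matching step is what keeps a busy recursive resolver from being misread as a reflection target.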
