Cyber security news November 2021

This posting is here to collect cyber security news in November 2021.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.

373 Comments

  1. Tomi Engdahl says:

    Dan Goodin / Ars Technica:
    Researchers say they used a new Rowhammer exploit to successfully flip bits on all 40 PC-DDR4 DRAM devices they tested, defeating recent hardware mitigations — Researchers build “fuzzer” that supercharges potentially serious bitflipping exploits. — Rowhammer exploits that allow unprivileged attackers …

    DDR4 memory protections are broken wide open by new Rowhammer technique
    Researchers build “fuzzer” that supercharges potentially serious bitflipping exploits.
    https://arstechnica.com/gadgets/2021/11/ddr4-memory-is-even-more-susceptible-to-rowhammer-attacks-than-anyone-thought/

    Rowhammer exploits that allow unprivileged attackers to change or corrupt data stored in vulnerable memory chips are now possible on virtually all DDR4 modules due to a new approach that neuters defenses chip manufacturers added to make their wares more resistant to such attacks.

    Rowhammer attacks work by accessing—or hammering—physical rows inside vulnerable chips millions of times per second in ways that cause bits in neighboring rows to flip, meaning 1s turn to 0s and vice versa. Researchers have shown the attacks can be used to give untrusted applications nearly unfettered system privileges, bypass security sandboxes designed to keep malicious code from accessing sensitive operating system resources, and root or infect Android devices, among other things.

    All previous Rowhammer attacks have hammered rows with uniform patterns, such as single-sided, double-sided, or n-sided. In all three cases, these “aggressor” rows—meaning those that cause bitflips in nearby “victim” rows—are accessed the same number of times.

    Bypassing all in-DRAM mitigations

    Research published on Monday presented a new Rowhammer technique. It uses non-uniform patterns that access two or more aggressor rows with different frequencies. The result: all 40 of the randomly selected DIMMs in a test pool experienced bitflips, up from 13 out of 42 chips tested in previous work from the same researchers.

    “We found that by creating special memory access patterns we can bypass all mitigations that are deployed inside DRAM,” Kaveh Razavi and Patrick Jattke, two of the research authors, wrote in an email. “This increases the number of devices that can potentially be hacked with known attacks to 80 percent, according to our analysis. These issues cannot be patched due to their hardware nature and will remain with us for many years to come.”

    The non-uniform patterns work against Target Row Refresh. Abbreviated as TRR, the mitigation works differently from vendor to vendor but generally tracks the number of times a row is accessed and recharges neighboring victim rows when there are signs of abuse. The neutering of this defense puts further pressure on chipmakers to mitigate a class of attacks that many people thought more recent types of memory chips were resistant to.

    Blacksmith
    https://comsec.ethz.ch/research/dram/blacksmith/

    We demonstrate that it is possible to trigger Rowhammer bit flips on all DRAM devices today despite deployed mitigations on commodity off-the-shelf systems with little effort. This result has a significant impact on the system’s security as DRAM devices in the wild cannot easily be fixed, and previous work showed real-world Rowhammer attacks are practical, for example, in the browser using JavaScript, on smartphones, across VMs in the cloud, and even over the network.

    Rowhammer is a vulnerability caused by leaking charges in DRAM cells that enables attackers to induce bit flips in DRAM memory. To stop Rowhammer, DRAM implements a mitigation known as Target Row Refresh (TRR). Our previous work showed that the new n-sided patterns can still trigger bit flips on 31% of today’s PC-DDR4 devices. We propose a new highly effective approach for crafting non-uniform and frequency-based Rowhammer access patterns that can bypass TRR from standard PCs. We implement these patterns in our Rowhammer fuzzer named Blacksmith and show that it can bypass TRR on 100% of the PC-DDR4 DRAM devices in our test pool. Further, our work provides new insights on the deployed mitigations.

    How bad is it?

    For our evaluation, we considered a test pool of 40 DDR4 devices covering the three major manufacturers (Samsung, Micron, SK Hynix), including 4 devices that did not report their manufacturer. We let our Blacksmith fuzzer run for 12 hours to assess its capability to find effective patterns. Thereafter, we swept the best pattern (based on the number of total bit flips triggered) over a contiguous memory area of 256 MB and report the number of bit flips. The results in Table 1 show that our Blacksmith fuzzer is able to trigger bit flips on all 40 DRAM devices with a large number of bit flips, especially on devices of manufacturers A and D.

    We also evaluated the exploitability of these bit flips based on three attacks from previous work: an attack targeting the page frame number of a page table entry (PTE) to pivot it to an attacker-controlled page table page, an attack on the RSA-2048 public key that allows recovering the associated private key used to authenticate to an SSH host, and an attack on the password verification logic of the sudoers.so library that enables gaining root privileges.

    You can see a demo of our Blacksmith fuzzer below, showing how easy and quick it is to find bit flips on TRR-enabled DDR4 devices.

    BLACKSMITH: Scalable Rowhammering in the Frequency Domain
    https://comsec.ethz.ch/wp-content/files/blacksmith_sp22.pdf

    Reply
  2. Tomi Engdahl says:

    GitHub Confirms Another Major NPM Security Defect
    https://www.securityweek.com/github-confirms-another-major-npm-security-defect

    Microsoft-owned GitHub is again flagging major security problems in the npm registry, warning that a pair of newly discovered vulnerabilities continue to expose the soft underbelly of the open-source software supply chain.

    The first major bug, reported via GitHub’s bug bounty program on November 2, basically lets an attacker publish new versions of any npm package using an account without proper authorization.

    “We determined that this vulnerability was due to inconsistent authorization checks and validation of data across several microservices that handle requests to the npm registry. In this architecture, the authorization service was properly validating user authorization to packages based on data passed in request URL paths. However, the service that performs underlying updates to the registry data determines which package to publish based on the contents of the uploaded package file,” according to a note from GitHub security chief Mike Hanley.

    Hanley said the discrepancy provided an avenue by which requests to publish new versions of a package would be authorized for one package but would actually be performed for a different, and potentially unauthorized, package. “We mitigated this issue by ensuring consistency across both the publishing service and authorization service to ensure that the same package is being used for both authorization and publishing,” he added.

    GitHub said it fixed the underlying issue within six hours, but the company cannot be sure the flaw was never exploited in the wild.

    “This vulnerability existed in the npm registry beyond the timeframe for which we have telemetry to determine whether it has ever been exploited maliciously,” Hanley said.

    Reply
  3. Tomi Engdahl says:

    FBI Hacker Offers to Sell Data Allegedly Stolen in Robinhood Breach
    https://www.securityweek.com/fbi-hacker-offers-sell-data-allegedly-stolen-robinhood-breach

    The hacker who last week sent out thousands of fake emails from FBI systems is offering to sell data allegedly stolen in the recent breach at mobile stock trading platform Robinhood.

    Robinhood last week revealed that it had suffered a data breach in early November after someone used social engineering to trick an employee into giving them access to some customer support systems.

    The company said the attacker gained access to email addresses for five million users, and full names for a different group of roughly two million people. Approximately 310 users also had additional personal information exposed, including name, date of birth, and zip code. Ten of them also had “more extensive account details” exposed.

    Robinhood noted at the time that the hacker had “demanded an extortion payment,” suggesting that the attack was conducted by a profit-driven cybercriminal.

    Reply
  4. Tomi Engdahl says:

    Chrome 96 Plugs High-Risk Browser Flaws
    https://www.securityweek.com/chrome-96-plugs-high-risk-browser-flaws

    Google this week announced the availability of Chrome 96 in the stable channel with fixes for 25 security flaws, including 18 bugs reported by external security researchers.

    Of the externally reported security flaws, seven are rated “high severity.” Google described the high-risk bugs as use-after-free issues in components such as media, storage foundation, and loader.

    The remaining three vulnerabilities addressed with this browser release include a Type Confusion in V8 and two inappropriate implementations, in cache and service workers.

    The latest Chrome version is now rolling out to Windows, Mac and Linux users as version 96.0.4664.45.

    Reply
  5. Tomi Engdahl says:

    Blacksmith: Rowhammer Fuzzer Bypasses Existing Protections
    https://www.securityweek.com/blacksmith-rowhammer-fuzzer-bypasses-existing-protections

    A group of security researchers devised a new attack that completely bypasses the existing mitigations against the Rowhammer vulnerability in dynamic random-access memory (DRAM) chips.

    The Rowhammer issue, which has been around for roughly one decade, exists because cells on DRAM chips are smaller and closer to each other, making it difficult to prevent electrical interaction between them. Thus, by repeatedly accessing data in a row of memory, data in nearby rows may become corrupted.

    To mitigate the flaw, Target Row Refresh (TRR) was introduced in DRAM but a group of researchers managed to bypass the protection using “non-uniform and frequency-based Rowhammer access patterns.”

    All Rowhammer access patterns published to date exploit rows uniformly, and TRR exploits this behavior to identify ‘aggressor’ rows and refresh nearby ‘victim’ rows to prevent failure.

    However, as smaller technology nodes are used, the underlying DRAM technologies are increasingly vulnerable, resulting in fewer accesses being needed to trigger bit flips in DRAM memory. Thus, non-uniform access patterns can be used to bypass TRR, the researchers said in a paper documenting the work.

    The researchers conducted experiments on 40 DDR4 DIMMs (from Samsung, Micron, and SK Hynix) to explore the possibility of bypassing mitigations through “accessing aggressor rows in non-uniform access patterns.”

    BLACKSMITH: Scalable Rowhammering in the Frequency Domain
    https://comsec.ethz.ch/wp-content/files/blacksmith_sp22.pdf

    Reply
  6. Tomi Engdahl says:

    Intel CPU Vulnerability Can Expose Cryptographic Keys
    https://www.securityweek.com/intel-cpu-vulnerability-can-expose-cryptographic-keys

    One of the vulnerabilities patched recently by Intel in its processors could allow an attacker with physical access to the targeted system to obtain cryptographic keys, according to the cybersecurity firm whose researchers discovered the flaw.

    The security hole, tracked as CVE-2021-0146 and rated high severity, impacts Pentium, Celeron and Atom CPUs on mobile, desktop and embedded devices. Affected Atom IoT processors are present in many cars, apparently including ones made by Tesla.

    Intel announced the availability of fixes when it released its November 2021 Patch Tuesday updates.

    “Hardware allows activation of test or debug logic at runtime for some Intel processors which may allow an unauthenticated user to potentially enable escalation of privilege via physical access,” Intel said in its advisory.

    Intel® Processor Advisory
    https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00528.html

    Reply
  7. Tomi Engdahl says:

    Google Chrome 96 breaks Twitter, Discord, video rendering and more https://www.bleepingcomputer.com/news/google/google-chrome-96-breaks-twitter-discord-video-rendering-and-more/
    Google Chrome 96 was released yesterday, and users are reporting problems with Twitter, Discord, and Instagram caused by the new version.

    Reply
  8. Tomi Engdahl says:

    UK Covid App Goes Offline
    https://www.pandasecurity.com/en/mediacenter/technology/uk-covid-app-goes-offline/
    People are now hugely reliant on their Covid passports. So when NHS England experienced a system outage, app users experienced some serious problems. Travellers could not check in for their flights at airports, and others were turned away from venues demanding proof at the entrance.

    Reply
  9. Tomi Engdahl says:

    Evolving trends in Iranian threat actor activity - MSTIC presentation at CyberWarCon 2021
    https://www.microsoft.com/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/
    Over the past year, the Microsoft Threat Intelligence Center (MSTIC) has observed a gradual evolution of the tools, techniques, and procedures employed by malicious network operators based in Iran. At CyberWarCon 2021, MSTIC analysts presented their analysis of these trends in Iranian nation state actor activity during a session titled “The Iranian evolution: Observed changes in Iranian malicious network operations.”

    Reply
  10. Tomi Engdahl says:

    Hands-On Muhstik Botnet: crypto-mining attacks targeting Kubernetes
    https://sysdig.com/blog/muhstik-malware-botnet-analysis/
    Malware is continuously mutating, targeting new services and platforms. The Sysdig Security Research team has identified the famous Muhstik Botnet with new behavior, attacking a Kubernetes Pod with the plan to control the Pod and mine cryptocurrency.

    Reply
  11. Tomi Engdahl says:

    New secret-spilling hole in Intel CPUs sends company patching (again) https://arstechnica.com/gadgets/2021/11/intel-releases-patch-for-high-severity-bug-that-exposes-a-cpus-master-key/
    Researchers figure out how to obtain the “fuse encryption key” unique to each CPU.

    Reply
  12. Tomi Engdahl says:

    Facebook says hackers in Pakistan targeted Afghan users amid government collapse https://www.reuters.com/world/asia-pacific/exclusive-facebook-says-hackers-pakistan-targeted-afghan-users-amid-government-2021-11-16/
    Hackers from Pakistan used Facebook to target people in Afghanistan with connections to the previous government during the Taliban’s takeover of the country, the company’s threat investigators said in an interview with Reuters.

    Reply
  13. Tomi Engdahl says:

    WordPress sites are being hacked in fake ransomware attacks https://www.bleepingcomputer.com/news/security/wordpress-sites-are-being-hacked-in-fake-ransomware-attacks/
    A new wave of attacks starting late last week has hacked close to 300 WordPress sites to display fake encryption notices, trying to trick the site owners into paying 0.1 bitcoin for restoration.

    Reply
  14. Tomi Engdahl says:

    Ghostwriter Looks Like a Purely Russian Op, Except It’s Not
    https://www.wired.com/story/ghostwriter-hackers-belarus-russia-misinformationo/
    Security researchers have found signs that the pervasive hacking and misinformation campaign comes not from Moscow but from Minsk.

    Reply
  15. Tomi Engdahl says:

    New scam: the victim is tricked into calling the criminals, and then unpleasant things happen https://www.is.fi/digitoday/tietoturva/art-2000008408726.html
    The scam shares features with the tech-support scams already familiar to Finns.

    Reply
  16. Tomi Engdahl says:

    Spotify, Discord, and others are coming back online after a brief Google Cloud outage https://www.theverge.com/2021/11/16/22785599/google-cloud-outage-spotify-discord-snapchat-google-cloud
    A Google Cloud networking issue made a mess of the internet for a moment

    Reply
  17. Tomi Engdahl says:

    Identifying Pompompurin: Attribution of the hacker behind the FBI email hoax https://shadowbyte.com/blog/2021/pompompurin-fbi-email-hack/

    Reply
  18. Tomi Engdahl says:

    Lorenzo Franceschi-Bicchierai / VICE:
    Israeli spyware vendor Candiru, recently blacklisted by the US, waged “watering hole” attacks on UK and Middle East websites critical of Saudi Arabia and others — Cybersecurity researchers tracked a hacking campaign spanning more than a year that hit around 20 websites.

    Hackers Compromised Middle East Eye News Website to Hack Visitors, Researchers Say
    https://www.vice.com/en/article/pkpbdm/hackers-compromised-middle-east-eye-news-website-to-hack-visitors-researchers-say

    Cybersecurity researchers tracked a hacking campaign spanning more than a year that hit around 20 websites.

    A group of hackers compromised a popular London-based news website that focuses on the Middle East with the goal of hacking its visitors, according to researchers.

    On Tuesday, cybersecurity firm ESET published a report detailing the hacking campaign, which spanned from March 2020 until August of this year. During this time, according to the report, hackers compromised around 20 websites, including Middle East Eye, a popular independent news site that covers the Middle East and Africa and is based in the UK.

    Reply
  19. Tomi Engdahl says:

    Ax Sharma / BleepingComputer:
    GitHub fixes major security flaws in Node.js package manager npm that could have let attackers bypass authentication and publish versions of any package

    NPM fixes private package names leak, serious authorization bug
    https://www.bleepingcomputer.com/news/security/npm-fixes-private-package-names-leak-serious-authorization-bug/

    The largest software registry of Node.js packages, npm, has disclosed multiple security flaws that were identified and remedied recently.

    The first flaw concerns a leak of the names of private npm packages on npmjs.com’s ‘replica’ server, whose feeds are consumed by third-party services.

    The second flaw allows attackers to publish new versions of any existing npm package that they do not own or have rights to, due to improper authorization checks.

    Private npm package names leaked

    This week, npm’s parent company, GitHub, has disclosed two security flaws that were identified and resolved in the npm registry between October and this month.

    The first one is a data leak on the npmjs’ replication server, which was caused by ‘routine maintenance.’ The leak exposed a list of names of private npm packages, but not the content of these packages during the maintenance window.

    “During maintenance on the database that powers the public npm replica at replicate.npmjs.com, records were created that could expose the names of private packages,” states GitHub Chief Security Officer, Mike Hanley in a blog post.

    https://github.blog/2021-11-15-githubs-commitment-to-npm-ecosystem-security/

    Reply
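The authorization bug described in comments 2 and 19 comes down to two services agreeing on different answers to "which package is this request about": the authorization service keyed on the package name in the URL path, while the service that wrote to the registry took the name from inside the uploaded package file. The Python below is an added model of that mismatch and of a fix in the spirit of the one GitHub describes (one package identity for both steps). It is written for this page, not npm's or GitHub's code; the `Registry` class, its maintainer table and the JSON "tarballs" are constructed stand-ins.

```python
"""Toy model of an authorization/publish mismatch between two services.

Added for this page as an illustration of the npm flaw described above;
this is not npm's or GitHub's code. The Registry, its maintainer table and
the JSON "tarballs" are constructed stand-ins."""
import json
from dataclasses import dataclass, field


class PublishError(Exception):
    pass


# Constructed sample uploads. The malicious one is POSTed to a path the
# attacker is allowed to publish to, but names a different package inside.
MALICIOUS_TARBALL = json.dumps({"name": "popular-lib", "version": "9.9.9"})
HONEST_TARBALL = json.dumps({"name": "popular-lib", "version": "1.2.4"})


@dataclass
class Registry:
    owners: dict                                   # package -> set of maintainers
    versions: dict = field(default_factory=dict)   # package -> set of versions

    def _authorize(self, user: str, package: str) -> None:
        """Authorization service: keyed on the package name from the URL path."""
        if user not in self.owners.get(package, set()):
            raise PublishError(f"{user} may not publish {package}")

    def _write(self, manifest: dict) -> None:
        """Registry-update service: decides *which* package to write from the
        uploaded package file, independently of what was authorized."""
        self.versions.setdefault(manifest["name"], set()).add(manifest["version"])

    def publish_vulnerable(self, user: str, url_package: str, tarball: str) -> str:
        """Each service is correct on its own input; the two inputs differ."""
        manifest = json.loads(tarball)
        self._authorize(user, url_package)   # checked against the URL's package...
        self._write(manifest)                # ...written to the tarball's package
        return manifest["name"]

    def publish_fixed(self, user: str, url_package: str, tarball: str) -> str:
        """Both services must agree on a single package identity before any
        write happens; a mismatch is rejected rather than reconciled."""
        manifest = json.loads(tarball)
        if manifest.get("name") != url_package:
            raise PublishError("package name in URL and in uploaded file differ")
        self._authorize(user, url_package)
        self._write(manifest)
        return manifest["name"]


def demo() -> dict:
    owners = {"popular-lib": {"maintainer"}, "mallory-pkg": {"mallory"}}
    vulnerable = Registry(owners=dict(owners))
    # mallory is authorized for mallory-pkg, yet a version lands on popular-lib
    hijacked = vulnerable.publish_vulnerable("mallory", "mallory-pkg", MALICIOUS_TARBALL)

    fixed = Registry(owners=dict(owners))
    try:
        fixed.publish_fixed("mallory", "mallory-pkg", MALICIOUS_TARBALL)
        blocked = False
    except PublishError:
        blocked = True
    honest = fixed.publish_fixed("maintainer", "popular-lib", HONEST_TARBALL)
    return {"hijacked_package": hijacked, "fixed_blocked": blocked,
            "fixed_versions": fixed.versions, "honest_publish": honest}
```

The point the model makes is that neither service has a bug in isolation: the attacker never fails an authorization check. The fix has to pin one source of truth for the object's identity and carry that same value through every downstream step; checking consistency at the boundary (as `publish_fixed` does) is what makes the authorization decision actually apply to the write.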
  20. Tomi Engdahl says:

    Netgear patches severe pre-auth RCE in 61 router and modem models https://therecord.media/netgear-deals-with-its-fifth-wave-of-severe-rce-bugs-this-year/
    Networking equipment vendor Netgear has patched the fifth set of dangerous remote code execution bugs impacting its small office and small home (SOHO) routers this year. Discovered by security firm GRIMM, the latest set of patches address a bug that can be exploited from within local networks to allow attackers to take full control of a vulnerable Netgear router.

    Reply
  21. Tomi Engdahl says:

    US, UK warn of Iranian hackers exploiting Microsoft Exchange, Fortinet https://www.bleepingcomputer.com/news/security/us-uk-warn-of-iranian-hackers-exploiting-microsoft-exchange-fortinet/
    US, UK, and Australian cybersecurity agencies warned today of ongoing exploitation of Microsoft Exchange ProxyShell and Fortinet vulnerabilities linked to an Iranian-backed hacking group. The warning was issued as a joint advisory released by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Australian Cyber Security Centre (ACSC), and the United Kingdom’s National Cyber Security Centre (NCSC). See also:
    https://us-cert.cisa.gov/ncas/alerts/aa21-321a

    Reply
  22. Tomi Engdahl says:

    Linux has a serious security problem that once again enables DNS cache poisoning https://arstechnica.com/gadgets/2021/11/dan-kaminskys-dns-cache-poisoning-attack-is-back-from-the-dead-again/
    The exploit, unveiled in research presented today, revives the DNS cache-poisoning attack that researcher Dan Kaminsky disclosed in 2008.
    He showed that, by masquerading as an authoritative DNS server and using it to flood a DNS resolver with fake lookup results for a trusted domain, an attacker could poison the resolver cache with the spoofed IP address. From then on, anyone relying on the same resolver would be diverted to the same imposter site.

    Reply
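The race described above (flood the resolver with forged answers for a name under the target zone until one matches the outstanding query) is easiest to reason about as a guessing game over the resolver's entropy. The following Python simulation is an added illustration for this page, not code from the article or the research it covers, and it models no specific resolver and performs no network I/O. It assumes the two classic entropy sources: the 16-bit DNS transaction ID, and the randomized 16-bit UDP source port resolvers adopted after Kaminsky's 2008 disclosure.

```python
"""Simulation of a Kaminsky-style DNS cache-poisoning race.

Added illustration for this page; it models no particular resolver and does
no network I/O. It assumes the two classic entropy sources: the 16-bit DNS
transaction ID, and the randomized 16-bit UDP source port that resolvers
adopted after Kaminsky's 2008 disclosure."""
import random


def entropy_bits(port_randomization: bool) -> int:
    """Bits a forged answer must guess to be accepted by the resolver."""
    return 16 + (16 if port_randomization else 0)


def race_success_probability(bits: int, n_spoofed: int) -> float:
    """Analytic chance that one race, with n_spoofed distinct guesses, hits."""
    return min(1.0, n_spoofed / (1 << bits))


def expected_races(bits: int, n_spoofed: int) -> float:
    """Mean number of races (fresh random subdomains) until the cache is poisoned."""
    return 1.0 / race_success_probability(bits, n_spoofed)


def one_race(rng: random.Random, bits: int, n_spoofed: int) -> bool:
    """One outstanding query versus a burst of n_spoofed forged answers.

    The resolver's ID (and port) is uniform over the space; the attacker
    floods a contiguous window of n_spoofed distinct guesses starting at a
    random point, which hits with probability exactly n_spoofed / 2**bits."""
    space = 1 << bits
    real_id = rng.getrandbits(bits)
    window_start = rng.getrandbits(bits)
    return (real_id - window_start) % space < n_spoofed


def races_until_poisoned(rng: random.Random, bits: int, n_spoofed: int,
                         max_races: int):
    """Kaminsky's loop: each miss only burns a random, uncached subdomain, so
    the attacker retries at once instead of waiting for a TTL to expire.
    Returns the race count on success, or None if max_races were exhausted."""
    for race in range(1, max_races + 1):
        if one_race(rng, bits, n_spoofed):
            return race
    return None


def demo(seed: int = 2021, burst: int = 256) -> dict:
    """Same attacker burst size against an ID-only resolver and one that also
    randomizes its source port."""
    rng = random.Random(seed)
    return {
        "txid_only": races_until_poisoned(rng, entropy_bits(False), burst, 100_000),
        "txid_and_port": races_until_poisoned(rng, entropy_bits(True), burst, 1_000),
        "expected_txid_only": expected_races(16, burst),        # 256 races
        "expected_txid_and_port": expected_races(32, burst),    # about 16.8 million races
    }
```

With a 256-answer burst per query, an ID-only resolver is poisoned after roughly 256 races, which is seconds of work; with the source port randomized as well the expectation is about 16.8 million races, each of which must also beat the genuine answer to the resolver. That gap is the whole value of the 2008 fix, and anything that lets an attacker learn or narrow the port collapses the problem back to the first row.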
  23. Tomi Engdahl says:

    Cloudflare blocked a massive 2 Tbps DDoS attack
    https://techcrunch.com/2021/11/15/cloudflare-terabits-ddos-attack/
    Cloudflare says it has blocked a distributed denial-of-service (DDoS) attack that peaked at just under 2 Tbps, making it one of the largest ever recorded.

    Reply
  24. Tomi Engdahl says:

    Netgear Patches Code Execution Vulnerability Affecting Many Products
    https://www.securityweek.com/netgear-patches-code-execution-vulnerability-affecting-many-products

    A vulnerability in Netgear small office/home office (SOHO) devices can be exploited by an attacker on the local area network (LAN) to execute code remotely with root privileges, GRIMM security researchers warn.

    Tracked as CVE-2021-34991 (CVSS score of 8.8), the vulnerability is described as a pre-authentication buffer overflow and was found to affect a device’s Universal Plug-and-Play (UPnP) daemon.

    Netgear SOHO devices affected by the bug include routers, modems, and WiFi range extenders, and GRIMM’s researchers say they were able to devise an exploit capable of compromising even fully patched devices that are running the default configuration.

    The issue was discovered in upnpd daemon functions related to the handling of “unauthenticated HTTP SUBSCRIBE and UNSUBSCRIBE requests from clients that wish to receive updates whenever the network’s UPnP configuration changes.”

    Reply
  25. Tomi Engdahl says:

    UK Orders National Security Review of NVIDIA Deal to Buy Arm
    https://www.securityweek.com/uk-orders-national-security-review-nvidia-deal-buy-arm

    American technology company NVIDIA’s planned $40 billion takeover of British chip designer Arm Ltd. faces months of delays after the U.K. government asked competition regulators Tuesday to investigate the national security implications of the deal.

    U.K. Digital Secretary Nadine Dorries asked the Competition and Markets Authority to look into both the deal’s impact on competition and national security. NVIDIA has agreed to buy Cambridge-based Arm, Britain’s largest technology firm, from Japan’s Softbank.

    Reply
  26. Tomi Engdahl says:

    Woman ‘Nauseated’ After Finding Apple Tracking Device Hidden Under Her License Plate
    https://www.newsweek.com/apple-tracking-device-car-license-plate-1650787

    Reply
  27. Tomi Engdahl says:

    Will Evans / Wired:
    Sources and internal docs detail Amazon’s careless handling of its retail customer data, including letting some low-level staff snoop on celebrity purchases — Voyeurs. Sabotaged accounts. Backdoor schemes. For years, the retail giant has handled your information less carefully than it handles your packages.

    Amazon’s Dark Secret: It Has Failed to Protect Your Data
    https://www.wired.com/story/amazon-failed-to-protect-your-data-investigation/

    Voyeurs. Sabotaged accounts. Backdoor schemes. For years, the retail giant has handled your information less carefully than it handles your packages.

    On September 26, 2018, a row of tech executives filed into a marble- and wood-paneled hearing room and sat down behind a row of tabletop microphones and tiny water bottles. They had all been called to testify before the US Senate Commerce Committee on a dry subject—the safekeeping and privacy of customer data—that had recently been making large numbers of people mad as hell.

    Reply
  28. Tomi Engdahl says:

    Byron Tau / Wall Street Journal:
    In a letter to Sen. Wyden, data broker Mobilewalla says it was the source of some data used by the DHS, IRS, and US military for warrantless tracking of devices — Mobilewalla CEO writes to U.S. senator investigating location brokers: ‘Selling mobile device data for use by law enforcement agencies is not our business model’

    How Cellphone Data Collected for Advertising Landed at U.S. Government Agencies
    https://www.wsj.com/articles/mobilewalla-says-data-it-gathered-from-consumers-cellphones-ended-up-with-government-11637242202?mod=djemalertNEWS

    Mobilewalla CEO writes to U.S. senator investigating location brokers: ‘Selling mobile device data for use by law enforcement agencies is not our business model’

    A company that collects and sells consumer information gleaned from cellphones said it was the source of some of the advertising data used by the Department of Homeland Security and other government entities to track mobile phones without warrants, shedding new light on how device location data is harvested and sold in a secretive multibillion-dollar industry.

    Mobilewalla, a closely held digital-advertising company founded in Singapore and now based in Atlanta, said in a letter last week to Sen. Ron Wyden (D., Ore.) that it had indirectly provided some of the data used by DHS, the Internal Revenue Service and the U.S. military for warrantless tracking of devices both at home and abroad. Mr. Wyden’s office, which is conducting an investigation into location brokers, provided the letter to The Wall Street Journal.

    The Journal and other news organizations have reported during the past two years on an opaque industry of companies that collect consumer advertising data from apps and ad networks and provide it through intermediaries to government entities. Because the U.S. has no comprehensive privacy law, nothing explicitly bars the use of consumer data in this manner. But lawmakers and regulators have taken notice and proposed measures to curb how such data is acquired, sold and used.

    Reply
  29. Tomi Engdahl says:

    Stefanie Marotta / Bloomberg:
    Canada arrests a teenager for allegedly stealing $36.5M in crypto from a US victim using SIM swapping, the largest reported single-person crypto theft
    https://www.bloomberg.com/news/articles/2021-11-17/canadian-teen-arrested-in-crypto-theft-worth-36-5-million

    Reply
  30. Tomi Engdahl says:

    FBI Warns of Actively Exploited FatPipe Zero-Day Vulnerability
    https://www.securityweek.com/fbi-warns-actively-exploited-fatpipe-zero-day-vulnerability

    The Federal Bureau of Investigation (FBI) this week sounded the alarm on a zero-day vulnerability in FatPipe products that has been under active exploitation since at least May 2021.

    No CVE identifier has been issued for the security error yet, but FatPipe, which specializes in SD-WAN solutions, did confirm that its WARP, MPVPN, and IPVPN devices are affected by the issue.

    The flaw exists because there’s no input and validation check for certain HTTP requests, thus allowing an attacker to send modified HTTP requests to a vulnerable device.

    FatPipe says the bug resides in the web management interface of FatPipe software and could be exploited to upload files to any location on the filesystem.

    In an alert this week, the FBI warns that adversaries have been exploiting the security hole to deploy a webshell that provides them with root access to a compromised device, enabling further malicious activities.

    https://www.fatpipeinc.com/support/cve-list.php

    Reply
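The FatPipe flaw is described only at the level of "no input validation on certain HTTP requests" leading to "upload files to any location on the filesystem", which is the arbitrary-file-write class: a client-controlled name is joined onto a server directory without confinement, and a file dropped under the web root becomes the webshell the FBI alert mentions. The Python below is an added, generic illustration of that bug class beside a confined version; it is written for this page and is not based on FatPipe's code. Directory names, the file name and the payload are constructed.

```python
"""Unconfined file upload (arbitrary file write) beside a confined version.

Added, generic illustration for this page of the bug class the FatPipe
advisory describes (no validation of the upload target); it is not based
on FatPipe's code. Directory names and the payload are constructed."""
import os
import tempfile


def save_upload_vulnerable(upload_dir: str, filename: str, data: bytes) -> str:
    """Writes wherever the client-supplied name points. '../' segments walk
    out of upload_dir, and an absolute name discards upload_dir entirely,
    because os.path.join drops every component before an absolute one."""
    path = os.path.join(upload_dir, filename)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def confined_path(upload_dir: str, filename: str) -> str:
    """Return the absolute target path, or raise ValueError if the name could
    land outside upload_dir. Separators are rejected outright, and the
    resolved target is checked against the resolved base so a symlink inside
    the upload directory cannot redirect the write elsewhere."""
    if not filename or filename in (".", "..") or "\x00" in filename:
        raise ValueError("invalid file name")
    if "/" in filename or "\\" in filename:
        raise ValueError("file name must not contain path separators")
    base = os.path.realpath(upload_dir)
    target = os.path.realpath(os.path.join(base, filename))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("upload escapes the upload directory")
    return target


def save_upload_safe(upload_dir: str, filename: str, data: bytes) -> str:
    path = confined_path(upload_dir, filename)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def demo() -> dict:
    """Scratch layout: <tmp>/uploads is the intended target, <tmp>/webroot a
    stand-in for a web server document root next to it."""
    root = tempfile.mkdtemp()
    uploads = os.path.join(root, "uploads")
    webroot = os.path.join(root, "webroot")
    os.makedirs(uploads)
    os.makedirs(webroot)
    payload = b"<!-- stand-in for a webshell body -->"
    evil_name = "../webroot/shell.php"

    written = save_upload_vulnerable(uploads, evil_name, payload)
    escaped = os.path.commonpath(
        [os.path.realpath(uploads), os.path.realpath(written)]
    ) != os.path.realpath(uploads)

    try:
        save_upload_safe(uploads, evil_name, payload)
        blocked = False
    except ValueError:
        blocked = True

    ok = save_upload_safe(uploads, "report.txt", b"fine")
    return {
        "vulnerable_wrote_outside": escaped,
        "vulnerable_path": written,
        "safe_blocked_traversal": blocked,
        "safe_accepted_plain_name": os.path.dirname(ok) == os.path.realpath(uploads),
    }
```

Rejecting separators is the check that matters most; the realpath containment test is defence in depth for the case where something under the upload directory is a symlink. Neither replaces running the management interface without root, which is what turns "write a file" into "root webshell" in the alert.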
  31. Tomi Engdahl says:

    Microsoft Informs Users of High-Severity Vulnerability in Azure AD
    https://www.securityweek.com/microsoft-informs-users-high-severity-vulnerability-azure-ad

    Microsoft on Wednesday informed customers about a recently patched information disclosure vulnerability affecting Azure Active Directory (AD).

    Tracked as CVE-2021-42306 (CVSS score of 8.1), the vulnerability exists because of the manner in which Automation Account “Run as” credentials are created when a new Automation Account is set up in Azure.

    Due to a misconfiguration in Azure, Automation Account “Run as” credentials (PFX certificates) ended up being stored in clear text in Azure AD and could be accessed by anyone with access to information on App Registrations. An attacker could use these credentials to authenticate as the App Registration.

    Security researchers with enterprise penetration testing firm NetSPI, who identified the vulnerability, explain that an attacker could leverage the bug to escalate privileges to Contributor of any subscription that has an Automation Account, and access resources in the affected subscriptions.

    https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42306
    https://www.netspi.com/blog/technical/cloud-penetration-testing/azure-cloud-vulnerability-credmanifest/

    Reply
  32. Tomi Engdahl says:

    Cloud Security Firm Lacework Raises Record-Breaking $1.3 Billion
    https://www.securityweek.com/cloud-security-firm-lacework-raises-record-breaking-13-billion

    Cloud security firm Lacework has raised a record-breaking $1.3 billion in a second Series D funding round led by existing investors Sutter Hill Ventures, Altimeter Capital, D1 Capital Partners, and Tiger Global Management. New investors include Franklin Templeton, Morgan Stanley Investment Management, Durable Capital, General Catalyst and XN.

    Reply
  33. Tomi Engdahl says:

    Israel Defence Minister’s Cleaner Charged With Spying for Iran
    https://www.securityweek.com/israel-defence-ministers-cleaner-charged-spying-iran

    A man employed in the home of Israeli Defence Minister Benny Gantz was charged Thursday with attempting to spy for the Black Shadow hackers, who are purportedly linked to Iran.

    Reply
  34. Tomi Engdahl says:

    New ETW Attacks Can Allow Hackers to ‘Blind’ Security Products
    https://www.securityweek.com/new-etw-attacks-can-allow-hackers-blind-security-products

    Researchers have described two new attack methods that can be used to “blind” cybersecurity products that rely on a logging mechanism named Event Tracing for Windows (ETW).

    ETW, which is present by default in Windows since Windows XP, is designed for tracing and logging events associated with user-mode applications and kernel-mode drivers. The ETW in Windows 11 can collect more than 50,000 event types from roughly 1,000 providers, including operating system services, cybersecurity tools, common applications, DLLs, the OS kernel, and drivers.

    ETW is leveraged by several endpoint detection and response (EDR) solutions to monitor security-related events and detect malware.

    Threat actors, including profit-driven cybercriminals and state-sponsored cyberspies, have been known to disable ETW in their attacks in an effort to evade detection. Examples include China-linked APT41, the U.S.-linked Slingshot campaign, and the LockerGoga ransomware.

    New ETW attack methods were presented last week at the Black Hat Europe cybersecurity conference by researchers at Binarly, a company that specializes in solutions designed to protect devices against firmware threats.

    Reply
  35. Tomi Engdahl says:

    Cyber Defenders Should Prepare for Holiday Ransomware Attacks
    https://www.securityweek.com/cyber-defenders-should-prepare-holiday-ransomware-attacks

    High days and holidays are prime time for ransomware. This should come as no surprise to anyone – but many companies remain surprisingly unaware or at least unprepared.

    On August 31, 2021 – just ahead of Labor Day – a joint alert from the FBI and CISA warned that ransomware attacks will likely increase on specific holidays and generally throughout the entire holiday season. The alert specifically cited the DarkSide Colonial Pipeline attack (Mother’s Day weekend), the REvil JBS attack (Memorial Day weekend), and the Sodinokibi/REvil Kaseya attack (Fourth of July holiday weekend).

    Reply
  36. Tomi Engdahl says:

    Supply Chain Security Fears Escalate as Iranian APTs Caught Hitting IT Services Sector
    https://www.securityweek.com/supply-chain-security-fears-escalate-iranian-apts-caught-hitting-it-services-sector

    Fears of software supply chain attacks escalated again this week with a new warning from Microsoft that it has caught Iranian threat actors breaking into IT services shops in India and Israel and using that access to hit the real targets.

    Two of Redmond’s premier threat hunting units — the Microsoft Threat Intelligence Center (MSTIC) and Microsoft Digital Security Unit (DSU) — are sounding the alarm for a series of intrusions at companies that sell business management and integration software to millions of global organizations.

    Once inside the IT services organizations, Microsoft said the Iranian hackers are “extending their attacks to compromise downstream customers,” much like the SolarWinds supply chain mega-hack that snagged thousands of corporate victims globally.

    Microsoft warned of a significant surge in these attacks — more than 1,600 notifications to over 40 IT companies in response to Iranian targeting, compared to 48 notifications in 2020 — and warned that downstream attacks are targeting organizations in the defense, energy, and legal sectors.

    “As India and other nations rise as major IT services hubs, more nation state actors follow the supply chain to target these providers’ public and private sector customers around the world matching nation state interests,” Microsoft said in a report calling attention to the surge in these Iran-linked attacks.

    Iranian targeting of IT sector on the rise
    https://www.microsoft.com/security/blog/2021/11/18/iranian-targeting-of-it-sector-on-the-rise/

    Reply
  37. Tomi Engdahl says:

    FBI: An APT abused a zero-day in FatPipe VPNs for six months
    https://therecord.media/fbi-an-apt-abused-a-zero-day-in-fatpipe-vpns-for-six-months/
    The US Federal Bureau of Investigation said it discovered an advanced persistent threat (APT) abusing a zero-day vulnerability in FatPipe networking devices as a way to breach companies and gain access to their internal networks.

    Reply
  38. Tomi Engdahl says:

    Tech CEO Pleads to Wire Fraud in IP Address Scheme
    https://krebsonsecurity.com/2021/11/tech-ceo-pleads-to-wire-fraud-in-ip-address-scheme/
    The CEO of a South Carolina technology firm has pleaded guilty to 20 counts of wire fraud in connection with an elaborate network of phony companies set up to obtain more than 735,000 Internet Protocol (IP) addresses from the nonprofit organization that leases the digital real estate to entities in North America.

    Reply
  39. Tomi Engdahl says:

    The pitfall of threat intelligence whitelisting: Specter botnet is taking over top legit DNS domains by using ClouDNS service
    https://blog.netlab.360.com/the-pitfall-of-threat-intelligence-whitelisting-specter-botnet-is-taking-over-top-legit-dns-domains-by-using-cloudns-service/
    In order to reduce the possible impact of false positives, it is pretty common practice for the security industry to whitelist the top Alexa domains such as http://www.google.com, http://www.apple.com, http://www.qq.com, http://www.alipay.com. And we have seen various machine learning detection models that bypass data when they see these popular Internet business domains. Theoretically, we can register any Zone on ClouDNS that is not registered or not restricted by ClouDNS, and the aforementioned Specter C2 api.github.com is a domain name generated in this way.

    Reply
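    As an added illustration of the pitfall described in the netlab post above (this is not code from the post or from netlab): a detection pipeline that suppresses alerts purely on the basis of a well-known domain name will stay silent when a host resolves that name through a resolver the organization does not control, which is how a "legit" name can end up pointing at a C2. The example below contrasts a name-only allowlist with one that only honours the allowlist when the query went through a sanctioned resolver. All log lines, IP addresses, the log format and the resolver addresses are constructed for the example.

    ```python
    """Added example (not from the netlab post): name-only allowlists versus
    allowlists conditioned on which resolver answered.  Every address, log
    line and format below is constructed; none are real infrastructure."""
    from dataclasses import dataclass
    from ipaddress import ip_address, ip_network

    # Popular names that a naive pipeline would never alert on, regardless of context.
    POPULAR_ALLOWLIST = {"www.google.com", "www.apple.com", "api.github.com"}

    # Constructed assumption: the organisation's only sanctioned recursive resolvers.
    SANCTIONED_RESOLVERS = [ip_network("10.0.0.53/32"), ip_network("10.0.1.53/32")]


    @dataclass
    class DnsEvent:
        client: str    # host that asked
        resolver: str  # server the client sent the query to
        qname: str     # name queried
        answer: str    # address returned


    def parse_line(line: str) -> DnsEvent:
        """Parse a constructed log line: '<client> -> <resolver> Q=<qname> A=<answer>'."""
        client, _, rest = line.partition(" -> ")
        resolver, q, a = rest.split()
        if not (q.startswith("Q=") and a.startswith("A=")):
            raise ValueError(f"unexpected log line: {line!r}")
        return DnsEvent(client, resolver, q[2:], a[2:])


    def naive_is_suspicious(ev: DnsEvent) -> bool:
        """The pitfall: trust the name, ignore who answered."""
        return ev.qname not in POPULAR_ALLOWLIST


    def hardened_is_suspicious(ev: DnsEvent) -> bool:
        """Honour the allowlist only when a sanctioned resolver produced the answer.
        A popular name resolved via a foreign resolver is flagged: the name by
        itself proves nothing about the zone that served the answer."""
        via_sanctioned = any(ip_address(ev.resolver) in net for net in SANCTIONED_RESOLVERS)
        if not via_sanctioned:
            return True
        return ev.qname not in POPULAR_ALLOWLIST


    # Constructed sample log: documentation-range addresses only.
    SAMPLE_LOG = [
        "10.1.2.3 -> 10.0.0.53 Q=www.google.com A=192.0.2.10",
        "10.1.2.9 -> 198.51.100.53 Q=api.github.com A=203.0.113.7",  # external resolver
        "10.1.2.9 -> 10.0.0.53 Q=evil.example A=203.0.113.8",
    ]


    def triage(lines, rule):
        """Return the query names that the given rule would alert on."""
        events = [parse_line(line) for line in lines]
        return [ev.qname for ev in events if rule(ev)]


    if __name__ == "__main__":
        print("naive   :", triage(SAMPLE_LOG, naive_is_suspicious))
        print("hardened:", triage(SAMPLE_LOG, hardened_is_suspicious))
    ```

    The naive rule reports only `evil.example`; the hardened rule additionally surfaces the `api.github.com` lookup sent to the foreign resolver, which is the case the allowlist was hiding. In a real deployment the sanctioned-resolver set would come from the DNS configuration, and egress filtering of port 53 to anything outside that set removes the pattern at the network layer as well.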
  40. Tomi Engdahl says:

    North Korean cyberspies target govt officials with custom malware
    https://www.bleepingcomputer.com/news/security/north-korean-cyberspies-target-govt-officials-with-custom-malware/
    A state-sponsored North Korean threat actor tracked as TA406 was recently observed deploying custom info-stealing malware in espionage campaigns. The particular actor is attributed as one of several groups known as Kimsuky (aka Thallium). TA406 has left traces of low-volume activity since 2018, primarily focusing on espionage, money-grabbing scams, and extortion. However, in March and June 2021, TA406 launched two distinct malware distribution campaigns that targeted foreign policy experts, journalists, and members of NGOs (non-governmental organizations).
    Report:
    https://www.proofpoint.com/us/blog/threat-insight/triple-threat-north-korea-aligned-ta406-scams-spies-and-steals

    Reply
  41. Tomi Engdahl says:

    Conti gang has made at least $25.5 million since July 2021
    https://therecord.media/conti-gang-has-made-at-least-25-5-million-since-july-2021/
    The operators of the Conti ransomware have earned at least $25.5 million from attacks and subsequent ransoms carried out since July 2021, Swiss security firm Prodaft said in a report today.

    Reply
  42. Tomi Engdahl says:

    Canadian teen nabbed in $36.5M crypto heist, possibly the biggest haul yet by a single individual
    https://www.theregister.com/2021/11/18/canadian_cryptocurrency_heist/
    A Canadian teenager has been arrested for allegedly stealing $37 million worth of cryptocurrency ($46M Canadian) via a SIM swap scam, making it the largest virtual cash heist affecting a single person yet, according to police.

    Reply
  43. Tomi Engdahl says:

    Tesla drivers left unable to start their cars after outage
    https://www.bbc.com/news/technology-59357306

    Tesla drivers say they have been locked out of their cars after an outage struck the carmaker’s app.

    Dozens of owners posted on social media about seeing an error message on the mobile app that was preventing them from connecting to their vehicles.

    Tesla chief executive Elon Musk personally responded to one complaint from a driver in South Korea, saying on Twitter: “Checking.”

    Mr Musk later said the app was coming back online.

    The Tesla app is used as a key by drivers to unlock and start their cars.

    Reply
