This posting is here to collect cyber security news in December 2021.
I post links to security vulnerability news in the comments of this article.
You are also free to post related links in the comments.
435 Comments
Tomi Engdahl says:
Android Eavesdropping Vulnerability Patched by MediaTek; GoDaddy Hacked – ThreatWire
https://m.youtube.com/watch?v=4k17VXpnvbw&feature=youtu.be
Tomi Engdahl says:
Analyzing How TeamTNT Used Compromised Docker Hub Accounts
https://www.trendmicro.com/en_us/research/21/l/more-tools-in-the-arsenal-how-teamtnt-used-compromised-docker-hu.html
In early November, we disclosed that compromised Docker Hub accounts were being used for cryptocurrency mining and that these activities were tied to the TeamTNT threat actor. While those accounts have now been removed, we were still able to investigate TeamTNT’s activities in connection with these compromised accounts. In addition to the behavior we noted earlier, we identified several other actions that the same threat actor carried out in different venues. One was the use of Weave Scope, a legitimate tool by Weaveworks used to monitor/control deployed containers.
Tomi Engdahl says:
SMS Messages Socially Engineered to Steal Billions of Rial from Iran’s Citizens
https://blog.checkpoint.com/2021/12/01/sms-messages-socially-engineered-to-steal-billions-of-rial-from-irans-citizens/
In the midst of major cyber attacks targeting the general population of Iran, Check Point Research (CPR) sees ongoing malicious campaigns using socially engineered SMS messages to infect tens of thousands of devices of Iran’s citizens. The SMS messages, designed to impersonate the Iranian government, lure victims into downloading malicious Android applications that steal credit card credentials, personal SMS messages and two-factor authentication codes. The threat actors then proceed to make unauthorized money withdrawals and turn each infected device into a bot, spreading the malware to others. CPR attributes attacks to threat actors, likely in Iran, who are financially motivated.
Tomi Engdahl says:
Founder of bulletproof hosting provider used by malware gangs gets 5 years in prison
https://therecord.media/founder-of-bulletproof-hosting-provider-used-by-malware-gangs-gets-5-years-in-prison/
A US federal judge has sentenced today a Russian national to five years in prison for founding and operating a bulletproof hosting company that provided servers and technical support to malware and cybercrime groups between 2008 and 2015.
Tomi Engdahl says:
2021 SANS Holiday Hack Challenge
https://www.sans.org/mlp/holiday-hack-challenge/
This year Santa faces a new set of cybersecurity challenges as the holiday season is under siege once again by a familiar foe. But Santa has his helpers the Four Calling Birds, as well as his army of Elves ready to tackle any threat the North Pole should face. Join Santa, the Four Calling Birds, and his Elves in tackling all the cybersecurity obstacles in this year’s SANS Holiday Hack Challenge and save the holiday season from disaster!
Tomi Engdahl says:
TryHackMe – Advent of Cyber
https://tryhackme.com/christmas
Get started with cyber security in 25 days! Learn the basics of cyber security by doing a new, beginner-friendly security exercise every day leading up to Christmas.
Tomi Engdahl says:
Advent of Code 2021 is here!
https://adventofcode.com/
Advent of Code is an Advent calendar of small programming puzzles for a variety of skill sets and skill levels that can be solved in any programming language you like. People use them as a speed contest, interview prep, company training, university coursework, practice problems, or to challenge each other. You don’t need a computer science background to participate – just a little programming knowledge and some problem solving skills will get you pretty far. Nor do you need a fancy computer; every problem has a solution that completes in at most 15 seconds on ten-year-old hardware.
Tomi Engdahl says:
Bulletproof hosting founder imprisoned for helping cybercrime gangs
https://www.bleepingcomputer.com/news/security/bulletproof-hosting-founder-imprisoned-for-helping-cybercrime-gangs/
34-year-old Russian Aleksandr Grichishkin, the founder of a bulletproof hosting service, was sentenced to 60 months in prison for allowing cybercrime gangs to use the platform in attacks targeting US financial institutions between 2008 and 2015.
Grichishkin, who was also the organization’s leader, provided multiple cybercrime operations with the infrastructure (IP addresses, servers, and domains) needed to distribute malware, host phishing kits, breach targets’ networks, build botnets, and steal banking credentials.
According to the sentencing memorandum, malware hosted on the organization’s bulletproof hosting platform—including Zeus, SpyEye, Citadel, and the Blackhole Exploit Kit—was used in attacks against U.S. organizations and caused millions of dollars in losses.
Tomi Engdahl says:
Really stupid “smart contract” bug let hackers steal $31 million in digital coin
Company says it has contacted the hacker in an attempt to recover the funds. Good luck.
https://arstechnica.com/information-technology/2021/12/hackers-drain-31-million-from-cryptocurrency-service-monox-finance/
Blockchain startup MonoX Finance said on Wednesday that a hacker stole $31 million by exploiting a bug in software the service uses to draft smart contracts.
The company uses a decentralized finance protocol known as MonoX that lets users trade digital currency tokens without some of the requirements of traditional exchanges. “Project owners can list their tokens without the burden of capital requirements and focus on using funds for building the project instead of providing liquidity,” MonoX company representatives say here. “It works by grouping deposited tokens into a virtual pair with vCASH, to offer a single token pool design.”
An accounting error built into the company’s software let an attacker inflate the price of the MONO token and then use it to cash out all the other deposited tokens, MonoX Finance revealed in a post. The haul amounted to $31 million worth of tokens on the Ethereum or Polygon blockchains, both of which are supported by the MonoX protocol.
Exploit: Post Mortem
https://medium.com/monoswap/exploit-post-mortem-33921a779b43
MONO Family. It’s with a heavy heart that we are writing such an update.
The past 24 hours have been difficult, and we’re simply at a loss for words. No apologies and no amount of words can describe how the team has been feeling since the attack transpired. We started building over a year ago with a mission to make DeFi more accessible to users and projects.
How the attack happened
The exploit was caused by a smart contract bug that allows the sold and bought token to be the same. In the case of the attack, it was our native MONO token. When a swap was taking place and tokenIn was the same as tokenOut, the transaction was permitted by the contract.
Any price updates from swap from tokenIn and tokenOut were independently verified by the contract. With tokenOut being verified last, this caused a massive price appreciation of MONO. The attacker then used the highly priced MONO to purchase all the other assets in our pool and drained the funds.
The attack was completed through a script, and was highly organized.
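As an added illustration of the bug described in the post-mortem (this is a toy model written for this page, not MonoX’s contract code): a single-token pool paired against virtual vCASH, where the tokenIn and tokenOut price updates are computed from the pre-swap state and written back independently, tokenOut last. The price rule, token names and numbers are assumptions made for the model; the hardened form adds the tokenIn != tokenOut check.

```python
from dataclasses import dataclass
from fractions import Fraction


@dataclass
class Pool:
    """One token's virtual pair against vCASH (simplified model, not MonoX's code)."""
    token: str
    price: Fraction    # vCASH per token
    reserve: Fraction  # token units held by the pool


class SingleTokenAmm:
    """Toy single-token-pool AMM. Assumed price rule: a token's price scales
    inversely with its reserve, price_new = price_old * reserve_old / reserve_new."""

    def __init__(self, reject_same_token: bool) -> None:
        self.reject_same_token = reject_same_token
        self.pools: dict[str, Pool] = {}

    def add_pool(self, token: str, price: int, reserve: int) -> None:
        self.pools[token] = Pool(token, Fraction(price), Fraction(reserve))

    def swap(self, token_in: str, amount_in: int, token_out: str) -> Fraction:
        # Hardened form: the invariant the post-mortem says the contract lacked.
        if self.reject_same_token and token_in == token_out:
            raise ValueError("tokenIn and tokenOut must differ")
        pin, pout = self.pools[token_in], self.pools[token_out]
        amt = Fraction(amount_in)
        # Leg 1: sell tokenIn for vCASH. Its reserve grows, so its price falls.
        vcash = amt * pin.price
        in_reserve = pin.reserve + amt
        in_price = pin.price * pin.reserve / in_reserve
        # Leg 2: buy tokenOut with that vCASH. Its reserve shrinks, so its price rises.
        amount_out = vcash / pout.price
        out_reserve = pout.reserve - amount_out
        if out_reserve <= 0:
            raise ValueError("insufficient tokenOut reserve")
        out_price = pout.price * pout.reserve / out_reserve
        # Both legs were computed from the pre-swap state and are written back
        # independently, tokenOut last. When pin is pout, the second write
        # overwrites the first: the price drop is lost and the rise sticks.
        pin.price, pin.reserve = in_price, in_reserve
        pout.price, pout.reserve = out_price, out_reserve
        return amount_out


def build_pools(reject_same_token: bool) -> SingleTokenAmm:
    """Constructed scenario: 1000 MONO and 1000 USDC, both priced at 1 vCASH."""
    amm = SingleTokenAmm(reject_same_token)
    amm.add_pool("MONO", price=1, reserve=1000)
    amm.add_pool("USDC", price=1, reserve=1000)
    return amm


def same_token_swap_drift(reject_same_token: bool, rounds: int = 5):
    """Run `rounds` MONO->MONO swaps of 100 MONO; return (price before, price after).
    On the hardened pool the first swap raises ValueError."""
    amm = build_pools(reject_same_token)
    before = amm.pools["MONO"].price
    for _ in range(rounds):
        amm.swap("MONO", 100, "MONO")
    return before, amm.pools["MONO"].price


def hardened_rejects_same_token() -> bool:
    """Regression check: the invariant must reject a same-token swap outright."""
    try:
        same_token_swap_drift(True)
    except ValueError:
        return True
    return False


def usdc_for_100_mono(reject_same_token: bool) -> Fraction:
    """USDC paid out for 100 MONO after five same-token swaps were attempted.
    Shows the economic effect: the inflated MONO price buys far more of the other asset."""
    amm = build_pools(reject_same_token)
    try:
        for _ in range(5):
            amm.swap("MONO", 100, "MONO")
    except ValueError:
        pass  # hardened pool: the same-token swaps never went through
    return amm.swap("MONO", 100, "USDC")
```

With the check absent, five self-swaps of 100 MONO leave the trader's MONO balance unchanged while the modelled price doubles (1000/500), so the next swap pays out 200 USDC instead of 100.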
Tomi Engdahl says:
Major blow against cybercrime: 1,803 arrested, 67.5 million euros rescued https://www.is.fi/digitoday/tietoturva/art-2000008447466.html
The European police agency Europol reports on a major international operation against cybercrime. The seventh EMMA operation in the series (European Money Mule Action) covered 27 countries, Finland included, and focused on the laundering of criminally obtained money through so-called money mules. See also:
https://www.europol.europa.eu/newsroom/news/european-money-mule-action-leads-to-1-803-arrests
Tomi Engdahl says:
Emotet now spreads via fake Adobe Windows App Installer packages https://www.bleepingcomputer.com/news/security/emotet-now-spreads-via-fake-adobe-windows-app-installer-packages/
The threat actors behind Emotet are now infecting systems by installing malicious packages using a built-in feature of Windows 10 and Windows 11 called App Installer. Researchers previously saw this same method being used to distribute the BazarLoader malware where it installed malicious packages hosted on Microsoft Azure.
Tomi Engdahl says:
Critical Bug in Mozilla’s NSS Crypto Library Potentially Affects Several Other Software https://thehackernews.com/2021/12/critical-bug-in-mozillas-nss-crypto.html
Mozilla has rolled out fixes to address a critical security weakness in its cross-platform Network Security Services (NSS) cryptographic library that could be potentially exploited by an adversary to crash a vulnerable application and even execute arbitrary code.
Tracked as CVE-2021-43527, the flaw affects NSS versions prior to 3.73 or 3.68.1 ESR, and concerns a heap overflow vulnerability when verifying digital signatures such as DSA and RSA-PSS algorithms that are encoded using the DER binary format. Credited with reporting the issue is Tavis Ormandy of Google Project Zero, who codenamed it “BigSig.”
“NSS (Network Security Services) versions prior to 3.73 or 3.68.1 ESR are vulnerable to a heap overflow when handling DER-encoded DSA or RSA-PSS signatures,” Mozilla said in an advisory published Wednesday. “Applications using NSS for handling signatures encoded within CMS, S/MIME, PKCS #7, or PKCS #12 are likely to be impacted.”
NSS is a collection of open-source cryptographic computer libraries designed to enable cross-platform development of client-server applications, with support for SSL v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other security standards.
While the BigSig shortcoming doesn’t affect Mozilla’s Firefox web browser itself, email clients, PDF viewers, and other applications that rely on NSS for signature verification, such as Red Hat, Thunderbird, LibreOffice, Evolution, and Evince, are believed to be vulnerable.
https://www.mozilla.org/en-US/security/advisories/mfsa2021-51/
Tomi Engdahl says:
RHSA-2021:4904 – Security Advisory
https://access.redhat.com/errata/RHSA-2021:4904
Critical: nss security update
Security Advisory: Critical
An update for nss is now available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258
After installing this update, applications using NSS (for example, Firefox) must be restarted for this update to take effect.
Affected Products
• Red Hat Enterprise Linux Server 7 x86_64
• Red Hat Enterprise Linux Workstation 7 x86_64
• Red Hat Enterprise Linux Desktop 7 x86_64
• Red Hat Enterprise Linux for IBM z Systems 7 s390x
• Red Hat Enterprise Linux for Power, big endian 7 ppc64
• Red Hat Enterprise Linux for Scientific Computing 7 x86_64
• Red Hat Enterprise Linux for Power, little endian 7 ppc64le
CVE-2021-43527
Published: 01 December 2021
Heap overflow in NSS when verifying DSA/RSA-PSS DER-encoded signatures
https://ubuntu.com/security/CVE-2021-43527
Tomi Engdahl says:
Disclosing state-linked information operations we’ve removed
https://blog.twitter.com/en_us/topics/company/2021/disclosing-state-linked-information-operations-we-ve-removed
Today, we’re disclosing an additional 3,465 accounts to our archive of state-linked information operations, the only one of its kind in the industry. The account sets include eight distinct operations we’ve attributed to six countries: Mexico, the People’s Republic of China (PRC), Russia, Tanzania, Uganda, and Venezuela, respectively. Every account and piece of content associated with these operations has been permanently removed from the service.
Tomi Engdahl says:
Hackers use in-house Zoho ServiceDesk exploit to drop webshells
https://www.bleepingcomputer.com/news/security/hackers-use-in-house-zoho-servicedesk-exploit-to-drop-webshells/
An advanced persistent threat (APT) group that had been exploiting a flaw in the Zoho ManageEngine ADSelfService Plus software has pivoted to leveraging a different vulnerability in another Zoho product. The actor has been seen exploiting an unauthenticated remote code execution issue in Zoho ServiceDesk Plus versions 11305 and older, currently tracked as CVE-2021-44077. See also:
https://us-cert.cisa.gov/ncas/current-activity/2021/12/02/cisa-and-fbi-release-alert-active-exploitation-cve-2021-44077-zoho
Tomi Engdahl says:
Former Ubiquiti dev charged for trying to extort his employer https://www.bleepingcomputer.com/news/security/former-ubiquiti-dev-charged-for-trying-to-extort-his-employer/
Nickolas Sharp, a former employee of networking device maker Ubiquiti, was arrested and charged today with data theft and attempting to extort his employer while posing as a whistleblower and an anonymous hacker.
Tomi Engdahl says:
Facebook’s Secret “Dangerous Organizations and Individuals” List Creates Problems for the Company and Its Users https://www.eff.org/deeplinks/2021/12/facebooks-secret-dangerous-organizations-and-individuals-list-creates-problems
Along with the trove of “Facebook Papers” recently leaked to press outlets was a document that Facebook has, until now, kept intentionally secret: its list of “Dangerous Organizations and Individuals.” This list comprises supposed terrorist groups, hate groups, criminal groups, and individuals associated with each, and is used to filter and remove speech on the platform. While the list included many of the usual suspects, it also contained a number of charities and hospitals, as well as several musical groups, some of whom were likely surprised to find themselves lumped together with state-designated terrorist organizations.
Meta Expands Facebook Protect Program to Activists, Journalists, Government Officials https://thehackernews.com/2021/12/meta-expands-facebook-protect-program.html
Meta, the company formerly known as Facebook, on Thursday announced an expansion of its Facebook Protect security program to include human rights defenders, activists, journalists, and government officials who are more likely to be targeted by bad actors across its social media platforms.
Tomi Engdahl says:
Exploring Container Security: A Storage Vulnerability Deep Dive
https://security.googleblog.com/2021/12/exploring-container-security-storage.html
Recently, the GKE Security team discovered a high severity vulnerability that allowed workloads to have access to parts of the host filesystem outside the mounted volumes boundaries. Although the vulnerability was patched back in September we thought it would be beneficial to write up a more in-depth analysis of the issue to share with the community.
Tomi Engdahl says:
New malware hides as legit nginx process on e-commerce servers https://www.bleepingcomputer.com/news/security/new-malware-hides-as-legit-nginx-process-on-e-commerce-servers/
The threat received the name NginRAT, a combination of the application it targets and the remote access capabilities it provides, and is being used in server-side attacks to steal payment card data from online stores. NginRAT was found on eCommerce servers in North America and Europe that had been infected with CronRAT, a remote access trojan (RAT) that hides payloads in tasks scheduled to execute on an invalid day of the calendar.
Tomi Engdahl says:
SideCopy APT: Connecting lures to victims, payloads to infrastructure
https://blog.malwarebytes.com/threat-intelligence/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure/
Last week, Facebook announced that back in August it had taken action against a Pakistani APT group known as SideCopy. Facebook describes how the threat actors used romantic lures to compromise targets in Afghanistan. In this blog post we are providing additional details about SideCopy that have not been published before. We were able to have unique insights about victims and targeted countries as well as the kind of data the APT group was able to successfully exfiltrate.
Among the information that was stolen is access to government portals, Facebook, Twitter and Google credentials, banking information, and password-protected documents.
Tomi Engdahl says:
FIN7 hacker trialed in Russia gets no prison time https://therecord.media/fin7-hacker-trialed-in-russia-gets-no-prison-time/
A Russian court handed down a mild one-year suspended prison sentence to a member of the FIN7 hacking group, a notorious cybercrime cartel that has hacked more than 100 US companies between 2015 and 2018.
Tomi Engdahl says:
CISA Adds Zoho, Qualcomm, Mikrotik Flaws to ‘Must-Patch’ List
https://www.securityweek.com/cisa-adds-zoho-qualcomm-mikrotik-flaws-must-patch-list
The U.S. government’s cybersecurity agency has updated its catalog of “known exploited vulnerabilities” and set deadlines for federal agencies to apply fixes for security defects in software made by Qualcomm, Mikrotik, Zoho and the Apache Software Foundation.
Citing evidence of active exploitation against five specific vulnerabilities, the Cybersecurity and Infrastructure Security Agency (CISA) warned that further delays in applying available fixes “pose significant risk to the federal enterprise.”
Federal agencies have until December 15, 2021 to apply patches for a pair of Zoho ManageEngine ServiceDesk flaws that have been at the center of documented APT attacks over the last few months.
The new CVE additions:
• CVE-2020-11261 — Qualcomm Multiple Chipsets Improper Input Validation Vulnerability | Fix by 06/01/2022
• CVE-2018-14847 — MikroTik Router OS Directory Traversal Vulnerability | Fix by 06/01/2022
• CVE-2021-37415 — Zoho ManageEngine ServiceDesk Authentication Bypass Vulnerability | Fix by 12/15/2021
• CVE-2021-40438 — Apache HTTP Server-Side Request Forgery (SSRF) | Fix by 12/15/2021
• CVE-2021-44077 — Zoho ManageEngine ServiceDesk Plus Remote Code Execution | Fix by 12/15/2021
Tomi Engdahl says:
Karamba Security Raises $10 Million to Protect Connected Devices
https://www.securityweek.com/karamba-security-raises-10-million-protect-connected-devices
Another $10 million has been raised by Karamba Security, an Israel-based company that provides products and services for securing industrial, automotive, enterprise and consumer IoT systems.
The funding round is an extension to the Series B funding announced several years ago, and it brings the total raised by Karamba to $27 million. It announced another $10 million in funding in 2018, but the company says that was only a credit line that it did not use.
Tomi Engdahl says:
Critical Flaw in NSS Cryptographic Library Affects Several Popular Applications
https://www.securityweek.com/critical-flaw-nss-cryptographic-library-affects-several-popular-applications
Mozilla on Wednesday announced the rollout of patches for a critical vulnerability in the NSS (Network Security Services) cross-platform cryptographic library.
Tracked as CVE-2021-43527, the security error was identified by Tavis Ormandy, a vulnerability researcher with Google Project Zero. Ormandy named the flaw “BigSig.”
Described as a “heap overflow when handling DER-encoded DSA or RSA-PSS signatures,” the issue affects all NSS versions prior to 3.73 or 3.68.1 ESR.
According to Mozilla, all applications that rely on NSS for handling signatures encoded within CMS, PKCS #7, PKCS #12, and S/MIME are potentially affected.
Furthermore, the security defect may also impact applications that employ NSS for validating certificates, or for additional CRL, OCSP, TLS, or X.509 functionality, depending on how NSS is configured.
“This vulnerability does NOT impact Mozilla Firefox. However, email clients and PDF viewers that use NSS for signature verification, such as Thunderbird, LibreOffice, Evolution and Evince are believed to be impacted,” Mozilla says.
Tomi Engdahl says:
Criminals have a new and exceptionally harsh way to extort – Mikko Hyppönen: ”The first thing they now steal is…” https://www.is.fi/digitoday/tietoturva/art-2000008449870.html
Tomi Engdahl says:
A single VPN drop-out exposed breach scandal that cost Ubiquiti $4bn
https://www.techradar.com/news/a-single-vpn-dropout-exposed-breach-scandal-that-cost-ubiquiti-dollar4bn
This is why using a VPN without a kill switch is a bad idea
A brief VPN outage has led to the arrest of a former Ubiquiti developer, who has reportedly been charged with stealing data and trying to extort his employer while pretending to be a whistleblower.
Internet of Things (IoT) specialist Ubiquiti disclosed a network breach in January 2021, the scope of which was questioned by an anonymous whistleblower a couple of months later.
However, according to KrebsOnSecurity, it has now emerged that both incidents were the handiwork of the same individual.
Ubiquiti Developer Charged With Extortion, Causing 2020 “Breach”
https://krebsonsecurity.com/2021/12/ubiquiti-developer-charged-with-extortion-causing-2020-breach/
In January 2021, technology vendor Ubiquiti Inc. [NYSE:UI] disclosed that a breach at a third party cloud provider had exposed customer account credentials. In March, a Ubiquiti employee warned that the company had drastically understated the scope of the incident, and that the third-party cloud provider claim was a fabrication. On Wednesday, a former Ubiquiti developer was arrested and charged with stealing data and trying to extort his employer while pretending to be a whistleblower.
On Dec. 28, other Ubiquiti employees spotted the unusual downloads, which had leveraged internal company credentials and a Surfshark VPN connection to hide the downloader’s true Internet address. Assuming an external attacker had breached its security, Ubiquiti quickly launched an investigation.
Tomi Engdahl says:
Apple’s Huge iPhone Mistake—New Warning For 1 Billion Users
https://www.forbes.com/sites/zakdoffman/2021/12/04/apple-iphone-ipad-mac-icloud-warning-as-dangerous-settings-exposed/
Apple has a very serious problem that has suddenly become a headline issue, undermining claims about iPhone’s security and privacy credentials. It turns out that what happens on your iPhone, doesn’t always stay on your iPhone after all.
I have warned before about the dangerous flaw in Apple’s iPhone security when it comes to the private messages sent between its billion-plus users. “Privacy is built in from the beginning,” Apple says. “Powerful security features help prevent anyone except you from being able to access your information.” If only it was that clear-cut. Now a new warning from a very surprising source has hit the news.
iMessage is Apple’s stock end-to-end encrypted messenger. Designed to compete with WhatsApp, it seems to have the same security—albeit only when communicating within Apple’s ecosystem. Message an Android user and you fall back to SMS, which is unacceptable in 2021—more on that later. But even when you think you’re secure, you’re probably wrong. iMessage has an alarming catch.
The issue is iCloud and the general backups you make from your iPhone. If you use Apple’s default, recommended settings, then you run Messages in iCloud—meaning you sync your messages across all your devices, and you also run a generic iCloud backup, meaning you save a copy of your phone’s data and settings to Apple’s cloud.
iMessage is secured by end-to-end encryption, the idea being that the keys to decrypt messages between you and those you message are only shared between you. That stops anyone intercepting your content. But in a bizarre twist, Apple stores a copy of those encryption keys in that iCloud backup, which it can access. That means the end-to-end encryption is actually fairly pointless.
This issue came to the fore this week, with the publication of a sensitive FBI document that advises on which messaging platforms its agents can most easily access. The iMessage issue was front and center: “if target uses iCloud backup, the encryption keys should also be provided with [lawful access] content return; can also acquire iMessages from iCloud returns if target has enabled Messages in iCloud.”
Tomi Engdahl says:
Microsoft says you just can’t trust Google
https://www.zdnet.com/article/microsoft-says-you-just-cant-trust-google/
Will Microsoft stop at nothing to get people to switch to Edge? Will it stoop to everything? Yes, and yes, it seems.
“We’ve got to get people to download Edge,” says one large brain.
“Nah, we’ve got to force them into it,” says another. “It’s the only way that works. It’s the traditional way.”
And so Microsoft has tried so many stinky, annoying ways to get customers over (to) the Edge. Making it harder to use other browsers in Windows, for example.
It’s clear this isn’t going to stop. I’m delighted, therefore, that the latest phase of Microsoft (no-)charm Edge offensive is so wonderfully, well, offensive. To Google, that is.
Spotted by Neowin, Microsoft is offering a perky little popup whenever someone tries to download Chrome from Edge.
It begins: “Microsoft Edge runs on the same technology as Chrome.”
Yet it’s the kicker that tries to make all the difference: “With the added trust of Microsoft.”
Ah. Oh.
Does trying to force your captive Windows users to use Edge engender trust? Or does it incite anger, resentment and a feeling of unwanted captivity? Will insulting Google turn Google users over to your side?
As I may have mentioned several hundred times before, I’ve rarely — if ever — seen a company create a very good product and then make no attempt to charm people into trying it. Instead, the old Microsoft hammer comes down, the squeeze on customers gets tighter.
And, let’s reach for (attempted) objectivity here; Chrome has undoubtedly become a doddery, power-swallowing browser in desperate need of modernizing. Why? Because my colleague Adrian Kingsley-Hughes just declared that ditching Chrome was the best thing he’s done all year.
Tomi Engdahl says:
U.S. State Department phones hacked with Israeli company spyware – sources
https://www.reuters.com/technology/exclusive-us-state-department-phones-hacked-with-israeli-company-spyware-sources-2021-12-03/
Apple Inc iPhones of at least nine U.S. State Department employees were hacked by an unknown assailant using sophisticated spyware developed by the Israel-based NSO Group, according to four people familiar with the matter.
The hacks, which took place in the last several months, hit U.S. officials either based in Uganda or focused on matters concerning the East African country, two of the sources said.
Tomi Engdahl says:
Thousands of AT&T customers in the US infected by new data-stealing malware
Malware exploits 2017 vulnerability in a widely used network edge device.
https://arstechnica.com/information-technology/2021/12/thousands-of-att-customers-in-the-us-infected-by-new-data-stealing-malware/
Thousands of networking devices belonging to AT&T Internet subscribers in the US have been infected with newly discovered malware that allows the devices to be used in denial-of-service attacks and attacks on internal networks, researchers said on Tuesday.
The device model under attack is the EdgeMarc Enterprise Session Border Controller, an appliance used by small- to medium-sized enterprises to secure and manage phone calls, video conferencing, and similar real-time communications. As the bridge between enterprises and their ISPs, session border controllers have access to ample amounts of bandwidth and can access potentially sensitive information, making them ideal for distributed denial of service attacks and for harvesting data.
Researchers from Qihoo 360 in China said they recently spotted a previously unknown botnet and managed to infiltrate one of its command-and-control servers during a three-hour span before they lost access.
“However, during this brief observation, we confirmed that the attacked devices were EdgeMarc Enterprise Session Border Controller, belonging to the telecom company AT&T, and that all 5.7k active victims that we saw during the short time window were all geographically located in the US,” Qihoo 360 researchers Alex Turing and Hui Wang wrote.
They said they have detected more than 100,000 devices accessing the same TLS certificate used by the infected controllers, an indication that the pool of affected devices may be much bigger. “We are not sure how many devices corresponding to these IPs could be infected, but we can speculate that as they belong to the same class of devices the possible impact is real,” they added.
Default credentials strike again
The vulnerability being exploited to infect the devices is tracked as CVE-2017-6079, a command-injection flaw that penetration tester Spencer Davis reported in 2017 after using it to successfully hack a customer’s network. The vulnerability stemmed from an account in the device that, as Davis learned from this document, had the username and password of “root” and “default.”
Because the vulnerability gives people the ability to remotely gain unfettered root access, its severity rating carried a 9.8 out of a possible 10. A year after the vulnerability came to light, exploit code became available online.
https://www.kitploit.com/2018/09/exploit-cve-2017-6079-blind-command.html?m=1
Tomi Engdahl says:
Hackers Steal $119M From ‘Web3’ Crypto Project With Old School Attack
The hacker took control of the web infrastructure of BadgerDAO decentralized autonomous organization and tricked users into giving them control.
https://www.vice.com/en/article/pkpp4n/hackers-steal-dollar119m-from-web3-crypto-project-with-old-school-attack
An unknown hacker or hackers stole a reported $119 million in cryptocurrency from a blockchain-based decentralized finance (DeFi) platform on Wednesday.
In a Tweet on Wednesday, BadgerDAO (decentralized autonomous organization) wrote that it received “reports of unauthorized withdrawals of user funds.” According to blockchain security company PeckShield, the hackers stole around 2100 BTC ($118,500,000) and 151 ETH ($679,000) worth of cryptocurrency tokens.
Notably, the hack did not involve complicated smart contract exploits. Instead, it was a front-end attack targeting BadgerDAO’s web infrastructure, in particular its Cloudflare account, BadgerDAO’s content delivery network. When interacting with BadgerDAO using a Metamask wallet, users were confronted with illicit permission requests. Users noticed the attack when they saw that their wallets were being emptied, and BadgerDAO then “paused” all smart contracts.
It appears someone injected a malicious script into BadgerDAO’s frontend after compromising an API key for BadgerDAO’s Cloudflare account. Cloudflare is a web infrastructure, content delivery network, and website security company, which is used by millions of sites on the internet.
“The malicious script basically tricked people into giving the address rights to send the tokens to the exploiter address,” Jonto told Motherboard in an online chat.
BadgerDAO’s admins and developers have been doing damage control in the official Discord channel.
“Everyone is angry and shocked and [sic] what happened,”
DeFi platforms like BadgerDAO have proliferated recently, with billions of dollars lost to scams and hacks along the way in the fast-moving industry. The idea is to create financial systems based on the blockchain, and BadgerDAO in particular was designed to be a “bridge” for people to take, say, their Bitcoin, and use it equivalently on Ethereum-based DeFi projects by “wrapping” it.
Earlier this year, the crypto lending service C.R.E.A.M. got exploited via a complex “flash loan” and lost $130 million, and a hacker stole around $600 million from the popular platform Poly Network—and later returned the money in one of the most bizarre hacks of the year. These are just examples from this year; there have been many more in years prior.
Notably, though, the BadgerDAO attack seems to not have targeted the smart contracts or used any clever blockchain trickery. Instead, it was an attack targeting Badger’s web infrastructure.
As it turns out, so-called web3 can depend heavily on good old web1 security.
“Supply chain integrity means every link in the chain,”
Tomi Engdahl says:
FBI: Cuba ransomware breached 49 US critical infrastructure orgs
https://www.bleepingcomputer.com/news/security/fbi-cuba-ransomware-breached-49-us-critical-infrastructure-orgs/
The Federal Bureau of Investigation (FBI) has revealed that the Cuba ransomware gang has compromised the networks of at least 49 organizations from US critical infrastructure sectors.
“The FBI has identified, as of early November 2021 that Cuba ransomware actors have compromised at least 49 entities in five critical infrastructure sectors, including but not limited to the financial, government, healthcare, manufacturing, and information technology sectors,” the federal law enforcement agency said.
The FBI also added that this ransomware group had made over $40 million since it started targeting US companies.
Tomi Engdahl says:
Facebook details its takedown of a mass-harassment network
This, and mass-reporting, fall under its Coordinated Inauthentic Behavior threats.
https://www.engadget.com/facebook-coordinated-inauthentic-behavior-mass-reporting-brigading-200023029.html
Tomi Engdahl says:
Hackers are turning to this simple technique to install their malware on PCs
Cybersecurity researchers warn about hacking groups increasingly using a simple technique that seems to work.
https://www.zdnet.com/article/hackers-are-turning-to-this-simple-technique-to-install-their-malware-on-pcs/
Tomi Engdahl says:
Hackers Are Spamming Businesses’ Receipt Printers With ‘Antiwork’ Manifestos
https://www.vice.com/en/article/qjbb9d/hackers-are-spamming-businesses-receipt-printers-with-antiwork-manifestos
Dozens of printers across the internet are printing out a manifesto that encourages workers to discuss their pay with coworkers, and pressure their employers.
Tomi Engdahl says:
U.S. State Department phones hacked with Israeli company spyware – sources
https://www.reuters.com/technology/exclusive-us-state-department-phones-hacked-with-israeli-company-spyware-sources-2021-12-03/
Tomi Engdahl says:
Fake temporary paper license plates cause concerns for Texas law enforcement
https://www.fox26houston.com/news/temporary-paper-license-plates-causing-concerns-for-texas-law-enforcement
Tomi Engdahl says:
Verizon May Have Just Enrolled You in a Data-Collection Scheme–Here’s How to Get Out
The mobile carrier is reportedly gathering customers’ contacts, app usage, and location information.
https://gizmodo.com/verizon-may-have-just-enrolled-you-in-a-data-collection-1848156157
Tomi Engdahl says:
“World’s best bank” embarrassed – IT services down for 3 days
Jori Virtanen, 29.11.2021 11:44, Online banking, IT services
The slogan of Singapore’s DBS Bank has previously been ”Digital to the core”.
https://www.tivi.fi/uutiset/maailman-paras-pankki-nolona-it-palvelut-kaatuivat-3-paivaksi/30591e47-30b6-41ee-91ee-3fc416365506
Tomi Engdahl says:
Panasonic discloses data breach after network hack
https://www.bleepingcomputer.com/news/security/panasonic-discloses-data-breach-after-network-hack/
Japanese multinational conglomerate Panasonic disclosed a security breach after unknown threat actors gained access to servers on its network this month.
“Panasonic Corporation has confirmed that its network was illegally accessed by a third party on November 11, 2021,” the company said in a press release issued Friday.
“As the result of an internal investigation, it was determined that some data on a file server had been accessed during the intrusion.”
Tomi Engdahl says:
https://www.c4isrnet.com/cyber/2021/12/05/cyberwarriors-will-soon-have-access-to-more-training-tools/
Tomi Engdahl says:
https://pentestmag.com/securing-endpoints-in-2020-proactive-security-with-xdr/
Tomi Engdahl says:
A blog around the finding and analysis of 2 FreeSWITCH vulnerabilities (CVE-2021-37624 and CVE-2021-41157) that were patched and disclosed a month ago.
https://0xinfection.github.io/posts/analyzing-freeswitch-vulns/
Also releasing a scanning and exploitation tool for the vulnerabilities!
https://github.com/0xInfection/PewSWITCH
Tomi Engdahl says:
Germany warns of ransomware attacks over Christmas, citing Emotet return, unpatched Exchange servers https://therecord.media/germany-warns-of-ransomware-attacks-over-christmas-citing-emotet-return-unpatched-exchange-servers/
The German cybersecurity authority has told German organizations to expect ransomware and other cyber-attacks over the Christmas and end-of-year holidays, citing the return of the Emotet botnet and the large number of Microsoft Exchange email servers that have been left unpatched.
Tomi Engdahl says:
US State Dept employees’ phones hacked using NSO spyware https://www.bleepingcomputer.com/news/security/us-state-dept-employees-phones-hacked-using-nso-spyware/
Apple has warned at least nine US Department of State employees that their iPhones have been hacked by unknown attackers using an iOS exploit dubbed ForcedEntry to deploy Pegasus spyware developed by Israeli surveillance firm NSO Group. The attacks hit US officials based in or focused on matters concerning the East African country of Uganda and took place in recent months, according to anonymous sources cited by Reuters today.
Tomi Engdahl says:
FBI: Cuba ransomware breached 49 US critical infrastructure orgs https://www.bleepingcomputer.com/news/security/fbi-cuba-ransomware-breached-49-us-critical-infrastructure-orgs/
“The FBI has identified, as of early November 2021 that Cuba ransomware actors have compromised at least 49 entities in five critical infrastructure sectors, including but not limited to the financial, government, healthcare, manufacturing, and information technology sectors,” the federal law enforcement agency said.
Tomi Engdahl says:
Vulnerabilities Exploited for Monero Mining Malware Delivered via GitHub, Netlify https://www.trendmicro.com/en_us/research/21/l/vulnerabilities-exploited-for-monero-mining-malware-delivered-via-gitHub-netlify.html
Earlier this year, a security flaw identified as CVE-2021-41773 was disclosed to Apache HTTP Server Project, a path traversal and remote code execution (RCE) flaw in Apache HTTP Server 2.4.49. If this vulnerability is exploited, it allows attackers to map URLs to files outside the directories configured by Alias-like directives. However, when we looked at the malicious samples abusing this vulnerability, we found more of these exploits being abused to target different gaps in products and packages for malicious mining of Monero. In this blog, we look into the abuse of GitHub and Netlify repositories and platforms for hosting cryptocurrency-mining tools and scripts.
Tomi Engdahl says:
A mysterious threat actor is running hundreds of malicious Tor relays https://therecord.media/a-mysterious-threat-actor-is-running-hundreds-of-malicious-tor-relays/
Since at least 2017, a mysterious threat actor has run thousands of malicious servers in entry, middle, and exit positions of the Tor network in what a security researcher has described as an attempt to deanonymize Tor users. Tracked as KAX17, the threat actor ran at its peak more than 900 malicious servers that were part of the Tor network, which typically tends to hover around a daily total of up to 9,000-10,000.
Tomi Engdahl says:
Russian internet watchdog announces ban of six more VPN products https://www.bleepingcomputer.com/news/legal/russian-internet-watchdog-announces-ban-of-six-more-vpn-products/
Russia’s internet watchdog, Roskomnadzor, has announced the ban of six more VPN products, bringing the total number to more than a dozen, shows a notification to companies in the country. The latest services added to the list of banned VPN services are Betternet, Lantern, X-VPN, Cloudflare WARP, Tachyon VPN, and PrivateTunnel.