This posting is here to collect cyber security news in January 2022.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
Tomi Engdahl says:
As part of the January 2022 Patch Tuesday, Microsoft fixed a ‘Win32k Elevation of Privilege Vulnerability’ vulnerability tracked as CVE-2022-21882, which is a bypass for the previously patched and actively exploited CVE-2021-1732 bug.
Windows vulnerability with new public exploits lets you become admin
https://www.bleepingcomputer.com/news/microsoft/windows-vulnerability-with-new-public-exploits-lets-you-become-admin/
Tomi Engdahl says:
Cyberattack Targets Belarus’ Rail Network To Slow Flood Of Russian Forces Into The Country
https://lm.facebook.com/l.php?u=https%3A%2F%2Fwww.thedrive.com%2Fthe-war-zone%2F44066%2Fcyberattack-targets-belarus-rail-network-to-slow-flood-of-russian-forces-into-the-country&h=AT1jp5TyjlQLlIbK0FlRpMEFqZaS3PVGstjr4G3JszcUInL6K3WyBIIkMpsa1J14N73-bVK5EYelFT1k3UU35kIah-YR5QBuSA_idGGq4kATyk_tKpuE-vm7piSFxS9fbw
The cyberattack was claimed by a non-state actor and underlines just how complex the cyber battlefield is becoming.
Tomi Engdahl says:
Finnish diplomats' mobile phones were spied on
https://www.uusiteknologia.fi/2022/01/28/diplomaattikannykoita-vakoiltiin/
According to the Ministry for Foreign Affairs, Finnish diplomats have been targeted with cyber espionage using NSO Group's well-known Pegasus spyware. It is malware that could be transferred to the user's Apple or Android phone without any action by the user.
The Ministry for Foreign Affairs has resolved the espionage case targeting it
https://um.fi/ajankohtaista/-/asset_publisher/gc654PySnjTX/content/ulkoministerio-on-saanut-selvitettya-siihen-kohdistuneen-vakoilutapauksen
Finnish diplomats have been targeted with cyber espionage using NSO Group's highly publicized Pegasus spyware. It is a very advanced piece of malware that could be delivered to the user's Apple or Android phone without the user noticing and without any action on their part. The spyware may have enabled very extensive exploitation of the information stored on the phone and of its features.
Tomi Engdahl says:
Vulnerabilities in Swiss E-Voting System Earn Researchers Big Bounties
https://www.securityweek.com/vulnerabilities-swiss-e-voting-system-earn-researchers-big-bounties
Researchers have already earned tens of thousands of euros for vulnerabilities found in Switzerland’s new e-voting system as part of a recently launched bug bounty program.
E-voting was first introduced in Switzerland nearly two decades ago. However, the country’s national postal service, Swiss Post, which is in charge of e-voting, has been working on a new system “with complete verifiability.”
Tomi Engdahl says:
Zerodium Offering $400,000 for Microsoft Outlook Zero-Day Exploits
https://www.securityweek.com/zerodium-offering-400000-microsoft-outlook-zero-day-exploits
The exploit acquisition firm Zerodium this week showed increased interest in buying zero-day exploits targeting the popular email clients Microsoft Outlook and Mozilla Thunderbird.
The company was already looking to acquire Microsoft Outlook zero-day exploits, but this week it announced higher maximum payouts for them, up from $250,000 to $400,000, yet only temporarily.
“We are looking for zero-click exploits leading to remote code execution when receiving/downloading emails in Outlook, without requiring any user interaction such as reading the malicious email message or opening an attachment,” the company says.
Tomi Engdahl says:
FBI Warns of Hacker Attacks Conducted by Iranian Cyber Firm
https://www.securityweek.com/fbi-warns-hacker-attacks-conducted-iranian-cyber-firm
Tomi Engdahl says:
Xerox Quietly Patched Device-Bricking Flaw Affecting Some Printers
https://www.securityweek.com/xerox-quietly-patched-device-bricking-flaw-some-printer-models
Xerox patched a device-bricking vulnerability in certain printer models more than a year and a half ago, but said nothing until this week, when information on the bug became public.
The security defect – now tracked as CVE-2022-23968 – was reported to Xerox in September 2019. In January 2020, the vendor had confirmed impact on at least one series of printer models, but said nothing else of the bug for two more years.
The critical-severity issue can be triggered to at least partially brick a vulnerable device by causing a denial of service (DoS) condition in which the printer asks for a reboot. The error is triggered again immediately after reboot, in a continuous loop.
Tomi Engdahl says:
Over 100 Million Android Users Installed ‘Dark Herring’ Scamware
https://www.securityweek.com/over-100-million-android-users-installed-dark-herring-scamware
More than 105 million Android users downloaded and installed scamware from Google Play and third-party app stores, according to mobile security firm Zimperium.
A total of 470 malicious applications, collectively named Dark Herring, were used to target users in 70 countries in what appears to be the largest SMS scam campaign known to date. Called GriftHorse, a previous similar campaign compromised roughly 10 million users globally.
The Dark Herring campaign has been ongoing since at least March 2020, subscribing users to services that charge them with an average monthly premium of $15. With millions of dollars in recurring revenue generated monthly, the attackers caused total losses of hundreds of millions.
The campaign remained active for such a long period of time because the malicious applications provided users with the expected functionality, which allowed them to remain installed on the victims’ devices.
Tomi Engdahl says:
French Ministry of Justice Targeted in Ransomware Attack
https://www.securityweek.com/french-ministry-justice-targeted-ransomware-attack
Tomi Engdahl says:
The Ministry for Foreign Affairs has resolved the espionage case targeting it https://um.fi/ajankohtaista/-/asset_publisher/gc654PySnjTX/content/ulkoministerio-on-saanut-selvitettya-siihen-kohdistuneen-vakoilutapauksen
Finnish diplomats have been targeted with cyber espionage using NSO Group's highly publicized Pegasus spyware.
It is a very advanced piece of malware that could be delivered to the user's Apple or Android phone without the user noticing and without any action on their part. The spyware may have enabled very extensive exploitation of the information stored on the phone and of its features. Also https://www.hs.fi/kotimaa/art-2000008573488.html
https://yle.fi/uutiset/3-12292218
https://www.bleepingcomputer.com/news/security/finnish-diplomats-phones-infected-with-nso-group-pegasus-spyware/
Tomi Engdahl says:
Popular apps left biometric data, IDs of millions of users in danger https://cybernews.com/security/popular-apps-left-biometric-data-ids-of-millions-of-users-in-danger/
Service providers using Onfido, an identification verification (IDV) service, let a major flaw in their security go unchecked, in the form of an exposed admin token that potentially left app users biometric data exposed. Using this safety gap, threat actors could have downloaded personally identifiable information (PII), including copies of client-submitted IDs, passports, and driver’s licenses.
Tomi Engdahl says:
BlackCat ransomware targeting US, European retail, construction and transportation orgs https://www.zdnet.com/article/blackcat-ransomware-targeting-us-european-retail-construction-and-transportation-orgs/
Palo Alto said that as of December 2021, BlackCat has the 7th largest number of victims listed on their leak site among ransomware groups that Unit 42 tracks.
Tomi Engdahl says:
After Russian Arrests, REvil Activity Persists https://blog.reversinglabs.com/blog/after-russian-arrests-revil-rolls-on
Almost two weeks after Russian authorities orchestrated high profile arrests of cyber criminals affiliated with the notorious ransomware group, there has been little change in the availability of malicious files and implants associated with the group, ReversingLabs data shows. Also https://krebsonsecurity.com/2022/01/who-wrote-the-alphv-blackcat-ransomware-strain/
Tomi Engdahl says:
Finland warns of Facebook accounts hijacked via Messenger phishing https://www.bleepingcomputer.com/news/security/finland-warns-of-facebook-accounts-hijacked-via-messenger-phishing/
Finland’s National Cyber Security Centre (NCSC-FI) warns of an ongoing phishing campaign attempting to hijack Facebook accounts by impersonating victims’ friends in Facebook Messenger chats.
Tomi Engdahl says:
Hackers are taking over CEO accounts with rogue OAuth apps https://www.bleepingcomputer.com/news/security/hackers-are-taking-over-ceo-accounts-with-rogue-oauth-apps/
Threat analysts have observed a new campaign named OiVaVoii, targeting company executives and general managers with malicious OAuth apps and custom phishing lures sent from hijacked Office 365 accounts.
Tomi Engdahl says:
Security expert: Finnish diplomats spied on by another state
https://yle.fi/uutiset/3-12293637
The spying was carried out with spyware developed by Israelis, and it is reportedly the first case of its kind in which the Pegasus spyware is known to be connected to Finland.
Tomi Engdahl says:
Over 20,000 data center management systems exposed to hackers https://www.bleepingcomputer.com/news/security/over-20-000-data-center-management-systems-exposed-to-hackers/
Researchers have found over 20,000 instances of publicly exposed data center infrastructure management (DCIM) software that monitor devices, HVAC control systems, and power distribution units, which could be used for a range of catastrophic attacks.
Tomi Engdahl says:
Windows vulnerability with new public exploits lets you become admin https://www.bleepingcomputer.com/news/microsoft/windows-vulnerability-with-new-public-exploits-lets-you-become-admin/
As part of the January 2022 Patch Tuesday, Microsoft fixed a ‘Win32k Elevation of Privilege Vulnerability’ vulnerability tracked as CVE-2022-21882, which is a bypass for the previously patched and actively exploited CVE-2021-1732 bug. BleepingComputer also tested the vulnerability and had no problem compiling the exploit and using it to open Notepad with SYSTEM privileges on Windows 10, as shown below. BleepingComputer could not get the exploit to work on Windows 11.
Tomi Engdahl says:
2FA App Loaded with Banking Trojan Infests 10K Victims via Google Play https://threatpost.com/2fa-app-banking-trojan-google-play/178077/
The threat actors developed an operational and convincing application to disguise the malware dropper, using open-source Aegis authentication code injected with malicious add-ons. That helped it spread via Google Play undetected, according to a Pradeo report released on Thursday. Original at https://blog.pradeo.com/vultur-malware-dropper-google-play
Tomi Engdahl says:
Teen who turned down $5,000 from Elon Musk to shut down a Twitter account tracking the billionaire’s jet says he gets too much work satisfaction to settle for less than $50,000
https://lm.facebook.com/l.php?u=https%3A%2F%2Fwww.businessinsider.com%2Felon-musk-private-jet-tracking-twitter-account-2022-1&h=AT3V1OZkmB9TCegQeQ4_HqN3buAWOdw4lQGEstfZauJNZRmezNw8vP-W4wJbKNp4EkfUjhOjlwzq3OAJAl3GQczSb-3pv4YzrRiOWPF9-FuNRQrwFUKr2SioYn2xs4WovQ
19-year-old Jack Sweeney runs a Twitter account that tracks Elon Musk’s private jet.
Musk offered Sweeney $5,000 to remove it and give advice on how to make his jet less trackable.
Sweeney told Insider he thought $5,000 was too low for the satisfaction he gets from the work.
Tomi Engdahl says:
Cyber vigilante hunts down DeFi scammers running away with $25M rug pull
An exclusive Cointelegraph interview on tracking down a group of DeFi scammers responsible for the $25 million StableMagnet rug pull.
https://cointelegraph.com/news/cyber-vigilante-hunts-down-defi-scammers-running-away-with-25m-rug-pull
Tomi Engdahl says:
Security Paper Finds GPU Fingerprinting Disturbingly Effective At Tracking You Online
https://hothardware.com/news/security-paper-finds-gpu-fingerprinting-disturbingly-effective-at-tracking-you-online
Many websites and applications employ various device fingerprinting methods to identify users and track their activity across websites and applications over time. The Electronic Frontier Foundation has a good explainer on this subject, as well as a tool to test how well your browser protects you from fingerprinting. TorZillaPrint from arkenfox is another good fingerprint testing tool. Both of these tools use a number of tracking methods that are currently in use on the web. However, researchers are continually developing and testing new methods of digital fingerprinting.
Tomi Engdahl says:
Financially Motivated Mobile Scamware Exceeds 100M Installations
https://blog.zimperium.com/dark-herring-android-scamware-exceeds-100m-installations/
Tomi Engdahl says:
A North Korean-linked hacking attempt aimed at simultaneous interpreters at international events appears https://blog-alyac-co-kr.translate.goog/4450?_x_tr_sl=auto&_x_tr_tl=en
The newly discovered attack is characterized by sending crafted hacking emails to multiple interpreters as if they were requesting simultaneous interpretation of an international event. This targeted attack on interpreters is very unusual, with interpreters fluent in English, Chinese and Russian being threatened.
Tomi Engdahl says:
Russian ‘Gamaredon’ hackers use 8 new malware payloads in attacks https://www.bleepingcomputer.com/news/security/russian-gamaredon-hackers-use-8-new-malware-payloads-in-attacks/
The Russia-linked hackers known as ‘Gamaredon’ (aka Armageddon or Shuckworm) were spotted deploying eight custom binaries in cyber-espionage operations against Ukrainian entities. Original at https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine
Tomi Engdahl says:
CISA adds 8 vulnerabilities to list of actively exploited bugs https://www.bleepingcomputer.com/news/security/cisa-adds-8-vulnerabilities-to-list-of-actively-exploited-bugs/
The US Cybersecurity & Infrastructure Security Agency (CISA) has added eight more flaws to its catalog of exploited vulnerabilities that are known to be used in attacks, and they’re a mix of old and new.
Tomi Engdahl says:
Apple Pays $100.5K Bug Bounty for Mac Webcam Hack https://threatpost.com/apple-bug-bounty-mac-webcam-hack/178114/
The researcher found that he could gain unauthorized camera access via a shared iCloud document that could also “hack every website you’ve ever visited.”
Tomi Engdahl says:
Threat actor target Ubiquiti network appliances using Log4Shell exploits https://therecord.media/threat-actor-target-ubiquiti-network-appliances-using-log4shell-exploits/
Threat actors are using a customized public exploit for the Log4Shell vulnerability to attack and take over Ubiquiti network appliances running the UniFi software, security firm Morphisec said in a report last week. Original at https://www.sprocketsecurity.com/blog/another-log4j-on-the-fire-unifi
Tomi Engdahl says:
Unsecured AWS server exposed 3TB in airport employee records https://www.zdnet.com/article/unsecured-aws-server-exposed-airport-employee-records-3tb-in-data/
On Monday, the SafetyDetectives cybersecurity team said the server belonged to Securitas. The Stockholm, Sweden-based company provides on-site guarding, electronic security solutions, enterprise risk management, and fire & safety services.
Tomi Engdahl says:
277,000 routers exposed to Eternal Silence attacks via UPnP https://www.bleepingcomputer.com/news/security/277-000-routers-exposed-to-eternal-silence-attacks-via-upnp/
A malicious campaign known as ‘Eternal Silence’ is abusing Universal Plug and Play (UPnP) to turn your router into a proxy server used to launch malicious attacks while hiding the location of the threat actors.
Tomi Engdahl says:
Be careful with RPMSG files
https://isc.sans.edu/forums/diary/Be+careful+with+RPMSG+files/28292/
Not many people are aware of “.rpmsg” files. The file extension means “restricted-permission message”. They are used to deliver email messages between people and implement some controls applied at the recipient side. Such permissions are, for example, the right to forward or copy the original email.
Tomi Engdahl says:
Cyberattacks Increasingly Hobble Pandemic-Weary US Schools
https://www.securityweek.com/cyberattacks-increasingly-hobble-pandemic-weary-us-schools
Tomi Engdahl says:
North Korean Hackers Abuse Windows Update Client in Attacks on Defense Industry
https://www.securityweek.com/north-korean-hackers-abuse-windows-update-client-attacks-defense-industry
Tomi Engdahl says:
More Russian Attacks Against Ukraine Come to Light
https://www.securityweek.com/more-russian-attacks-against-ukraine-come-light
The WhisperGate attack is not the only operation believed to have been conducted by Russia-linked threat actors against Ukraine in recent months. Symantec on Monday disclosed the details of an espionage operation that it has tied to a known group.
For years, Russian advanced persistent threat (APT) actors have been observed launching various cyberattacks against Ukrainian targets, with some of these groups believed to be part of or under the direct supervision of Moscow’s secret service.
Over the past months, at least two Russian state-sponsored groups have been observed launching cyberattacks against Ukraine, namely Gamaredon, also known as Armageddon, Primitive Bear and Shuckworm, and potentially Sandworm, which is also referred to as Iron Viking, Telebots and Voodoo Bear.
Active since at least 2013 and mainly focused on targets in Ukraine, Gamaredon relies on phishing emails for the distribution of off-the-shelf tools (such as RMS and UltraVNC) and customized malware (Pterodo/Pteranodon).
Tomi Engdahl says:
SureMDM Vulnerabilities Exposed Companies to Supply Chain Attacks
https://www.securityweek.com/suremdm-vulnerabilities-exposed-companies-supply-chain-attacks
A series of vulnerabilities in 42Gears’ SureMDM device management products could have resulted in a supply chain compromise against any organization using the platform.
42Gears was founded in 2009. It is based in Bangalore, India, and provides mobile device management and productivity products for organizations with a large mobile workforce. Its website lists a range of major customers (without specifying which products they use) including Deloitte, Saab, Lufthansa, Tesco, Thales, Intel and many others.
Researchers at Immersive Labs discovered and disclosed the first vulnerability to 42Gears on July 6, 2021. A series of additional vulnerability disclosures together with ‘failed’ private patches (including a new vulnerability introduced by one of the private patches) meant that effective public patches were not released until November 2021 and January 2022.
On January 23, 2022, 42Gears informed Immersive that they were continuing to apply additional mitigations beyond those reported by the researchers. By this time, Immersive felt they had done everything necessary to ensure their own principles of responsible disclosure, and they could publish their findings.
Tomi Engdahl says:
Israeli Lawyer, Hungarian Rights Group Target Pegasus Spyware
https://www.securityweek.com/israeli-lawyer-hungarian-rights-group-target-pegasus-spyware
An Israeli lawyer said Saturday he was working with a rights group in Hungary to pursue authorities and Israeli firm NSO Group on behalf of Hungarian journalists allegedly targeted with Pegasus spyware.
Eitay Mack told AFP he had asked the Israeli attorney general to investigate how NSO was licensed to sell its surveillance software, which can switch on a phone’s camera or microphone and harvest its data, to Hungary.
The lawyer said he had coordinated the request with the Hungarian Civil Liberties Union (HCLU), which says Pegasus targeted the phones of four Hungarian journalists, one Belgian national and a sixth person who has requested anonymity.
Tomi Engdahl says:
Finnish Diplomats Targeted by Pegasus Spyware: Ministry
https://www.securityweek.com/finnish-diplomats-targeted-pegasus-spyware-ministry
Mobile phones belonging to Finnish diplomats were spied on using the cyber espionage software Pegasus, the country’s foreign ministry said on Friday.
“We can now be clear that there has been spyware in our phones,” the ministry’s head of information security, Matti Parviainen, told AFP. The infected mobile devices were used by Finnish diplomats posted overseas, although the ministry refused to comment on how many staff were targeted, nor on whether the identity of the cyberattackers is known.
“We have good guesses” about how long the diplomats were spied on, Parviainen said, but the espionage is no longer continuing. Diplomats’ phones only handle information that is either public or with the lowest security classification, the ministry said, but added “the information and its source may be confidential between diplomats.”
Tomi Engdahl says:
DHS: Americans should be prepared for potential Russian cyberattacks
https://www.zdnet.com/article/dhs-warns-critical-infrastructure-orgs-local-governments-of-potential-for-russian-cyberattack/
Officials noted that “Russia’s threshold for conducting disruptive or destructive cyber attacks in the homeland probably remains very high.”
Tomi Engdahl says:
Horde of miner bots and backdoors leveraged Log4J to attack VMware Horizon servers https://news.sophos.com/en-us/2022/03/29/horde-of-miner-bots-and-backdoors-leveraged-log4j-to-attack-vmware-horizon-servers/
One of the products affected was VMware Horizon, a desktop and application virtualization platform that became part of the solution for some organizations’ work-from-home needs prior to and during office shutdowns over the past two years.
Also: https://www.zdnet.com/article/log4shell-exploited-to-infect-vmware-horizon-servers-with-backdoors-crypto-miners/
Also:
https://threatpost.com/log4jshell-swarm-vmware-servers-miners-backdoors/179142/