Cyber security news January 2022

This posting is here to collect cyber security news in January 2022.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.

439 Comments

  1. Tomi Engdahl says:

    Y2K22 bug: Microsoft rings in the new year by breaking Exchange servers all around the world
    https://www.neowin.net/news/y2k22-bug-microsoft-rings-in-the-new-year-by-breaking-exchange-servers-all-around-the-world/

    For many, the New Year was a time to spend with family and friends and a time to form loose and hopeful pacts in the form of New Year’s resolutions. For sysadmins responsible for Exchange servers, it’s been a much different story as Microsoft Exchange servers have not been able to properly process the new date, and therefore, can’t process mail.

The first social report for this rolled in at 1am EST from Reddit user /u/FST-LANE who suggested that Microsoft released a bad update, aptly named “220101001”. This was presumably a scheduled patch to allow for processing the new date, but it didn’t go as planned. “I see a bunch of errors from FIPFS service which say: Cannot convert “220101001” to long,” wrote /u/FST-LANE.

    This aligns with reports from Marius Sandbu, manager for the Norwegian firm Sopra Steria, who released a detailed synopsis of the cause. He reports Microsoft Exchange servers have stopped processing mail altogether because it isn’t prepared to handle today’s date. He states, “The reason for this is because Microsoft is using a signed int32 for the date and with the new value of 2.201.010.001 is over the max value of the “long” int being 2.147.483.647.”

    The most troubling part of this is the stop-gap solution. In order to resume processing of mail, sysadmins are disabling malware scanning on their exchange servers, leaving their users, and possibly the servers themselves, vulnerable to attack.

    Trouble with Exchange in 2022 – Cannot Convert 220101001 to long
    https://msandbu.org/trouble-with-exchange-2022-cannot-convert-220101001-to-long/

    Many Exchange admins woke up today and saw that Exchange is no longer processing emails. This is because Microsoft Filtering Management Service is stopping because it cannot handle the new date format.

    The reason for this is because Microsoft is using a signed int32 for the date and with the new value of 2.201.010.001 is over the max value of the “long” int being 2.147.483.647.

    This seems to be affecting Exchange versions 2016/2019

    You can see this error within the Application Event Log where there is a bunch of errors stating “Cannot Convert 220101001 to long” or different Events stating 3811 and 5801 (with timeout of the MSExchange Antimalware Engine)

    Reply
  2. Tomi Engdahl says:

    UPDATE: Microsoft has confirmed disabling the malware filtering is the only current workaround. While new signatures and engine updates have been released, they don’t seem to fix the issue. We’ll continue to wait for an official response from Microsoft.

    Here is also a post from Microsoft https://techcommunity.microsoft.com/t5/exchange-team-blog/email-stuck-in-transport-queues/ba-p/3049447

    Reply
  3. Tomi Engdahl says:

    China harvests masses of data on Western targets, documents show
    https://www.washingtonpost.com/national-security/china-harvests-masses-of-data-on-western-targets-documents-show/2021/12/31/3981ce9c-538e-11ec-8927-c396fa861a71_story.html?s=04

    China is turning a major part of its internal Internet-data surveillance network outward, mining Western social media, including Facebook and Twitter, to equip its government agencies, military and police with information on foreign targets, according to a Washington Post review of hundreds of Chinese bidding documents, contracts and company filings.

    Reply
  4. Tomi Engdahl says:

    Microsoft Exchange year 2022 bug in FIP-FS breaks email delivery
    https://www.bleepingcomputer.com/news/microsoft/microsoft-exchange-year-2022-bug-in-fip-fs-breaks-email-delivery/

    Microsoft Exchange on-premise servers cannot deliver email starting on January 1st, 2022, due to a “Year 2022” bug in the FIP-FS anti-malware scanning engine.

    Starting with Exchange Server 2013, Microsoft enabled the FIP-FS anti-spam and anti-malware scanning engine by default to protect users from malicious email.

    Microsoft Exchange Y2K22 bug
    According to numerous reports from Microsoft Exchange admins worldwide, a bug in the FIP-FS engine is blocking email delivery with on-premise servers starting at midnight on January 1st, 2022.

    Security researcher and Exchange admin Joseph Roosen said that this is caused by Microsoft using a signed int32 variable to store the value of a date, which has a maximum value of 2,147,483,647.

    When this bug is triggered, a 1106 error will appear in the Exchange Server’s Event Log stating, “The FIP-FS Scan Process failed initialization. Error: 0x8004005. Error Details: Unspecified Error” or “Error Code: 0x80004005. Error Description: Can’t convert “2201010001” to long.”

    Microsoft will need to release an Exchange Server update that uses a larger variable to hold the date to officially fix this bug.

    However, for on-premise Exchange Servers currently affected, admins have found that you can disable the FIP-FS scanning engine to allow email to start delivering again.

    Reply
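The overflow described in comments 1 and 4 above, as an added example (not code from Microsoft or from the quoted articles): a C routine that parses a stamp such as 2201010001 with explicit range checking instead of letting it wrap, plus a small calculation of why the first stamp of 2022 is the first that no longer fits in a signed 32-bit integer. The YYMMDDNNNN layout of the stamp is an assumption inferred from the quoted values.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Parse a decimal string into a signed 64-bit value.
 * Returns 1 on success, 0 on malformed input or int64 overflow. */
int parse_int64(const char *s, int64_t *out) {
    char *end;
    errno = 0;
    long long v = strtoll(s, &end, 10);
    if (errno == ERANGE || end == s || *end != '\0') return 0;
    *out = (int64_t)v;
    return 1;
}

/* Parse a decimal string into a signed 32-bit value, rejecting anything
 * outside [INT32_MIN, INT32_MAX] instead of truncating it. This is the
 * check that a "cannot convert ... to long" failure corresponds to. */
int parse_int32(const char *s, int32_t *out) {
    int64_t v;
    if (!parse_int64(s, &v)) return 0;
    if (v < INT32_MIN || v > INT32_MAX) return 0;
    *out = (int32_t)v;
    return 1;
}

/* Convenience wrappers that return plain values. */
int stamp_fits_int32(const char *s) {
    int32_t v;
    return parse_int32(s, &v);
}

int64_t stamp_value(const char *s) {
    int64_t v;
    return parse_int64(s, &v) ? v : -1;
}

/* Build a YYMMDDNNNN stamp: two-digit year, month, day, four-digit
 * sequence number. Assumed layout, inferred from the quoted value
 * 2201010001 (2022-01-01, sequence 0001). */
int64_t date_stamp(int yy, int mm, int dd, int seq) {
    return (int64_t)yy * 100000000LL + (int64_t)mm * 1000000LL
         + (int64_t)dd * 10000LL + seq;
}

/* Smallest two-digit year whose very first stamp (Jan 1, seq 1)
 * exceeds INT32_MAX; the fix is a wider type, not a bigger constant. */
int first_overflow_year(void) {
    for (int yy = 0; yy <= 99; yy++)
        if (date_stamp(yy, 1, 1, 1) > INT32_MAX) return yy;
    return -1;
}

int main(void) {
    /* Constructed sample stamps: last day of 2021 and first day of 2022. */
    const char *stamps[] = { "2112310001", "2201010001" };
    for (int i = 0; i < 2; i++) {
        int32_t v;
        if (parse_int32(stamps[i], &v))
            printf("%s fits in int32 (%d)\n", stamps[i], v);
        else
            printf("%s does not fit in int32 (INT32_MAX = %d)\n",
                   stamps[i], INT32_MAX);
    }
    printf("first overflowing year: 20%02d\n", first_overflow_year());
    return 0;
}
```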
  5. Tomi Engdahl says:

    A Reporter Is on Trial for Using the ‘View Source’ Function on a Website
    https://lm.facebook.com/l.php?u=https%3A%2F%2Finterestingengineering.com%2Freporter-on-trial-for-using-view-source-on-a-website%3Futm_source%3Dnewsletter&h=AT0uUxV2Z2voB75Xdmt-UbMLfe4JXuVmjGVTlsPsyt9j7Vu1KzDW3TUHTefdpUeyU15NTF90qjVsNpVQpNiU-ka8WnnU6oDeN9WtY0nvlXokuImD_QxcQqSka_PalrTkfA

    Apparently, right clicking on a site and pressing ‘view source’ counts as tampering.

    They say that no good deed goes unpunished and this is a story that illustrates just that. A journalist who accidentally came across the source HTML of a Missouri Department of Elementary and Secondary Education website is now looking at charges of computer tampering according to Missouri Governor Mike Parson, reported the Union-Bulletin (might be inaccessible outside the U.S.).

    This all began when the reporter took a look at the “view source” menu item that lets you see the HTML code of the web page and discovered that the source code contained the Social Security numbers of educators. Being a diligent and respectful citizen, he then proceeded to inform the state about the dangerous glitch.

    Once the private numbers were removed from the web page, the  wrote an exposé on the incident. This led to Governor Parson announcing a criminal investigation into the reporter and the Post-Dispatch.

    Reply
  6. Tomi Engdahl says:

    A log4j vulnerability filesystem scanner and Go package for analyzing JAR files.
    https://github.com/google/log4jscanner

    This project includes a scanner that walks a directory, printing any detected JARs to stdout.

    Reply
  7. Tomi Engdahl says:

    Lapsus$ ransomware gang hits SIC, Portugal’s largest TV channel https://therecord.media/lapsus-ransomware-gang-hits-sic-portugals-largest-tv-channel/
    The Lapsus$ ransomware gang has hacked and is currently extorting Impresa, the largest media conglomerate in Portugal and the owner of SIC and Expresso, the country’s largest TV channel and weekly newspaper, respectively. The attack has taken place over the New Year holiday and has hit the company’s online IT server infrastructure.
    Websites for the Impresa group, Expresso, and all the SIC TV channels are currently offline. National airwave and cable TV broadcasts are operating normally, but the attack has taken down SIC’s internet streaming capabilities. The Lapsus$ group took credit for the attack by defacing all of Impresa’s sites with a ransom note (pictured at the top of this article). Besides a ransom request, the message claims that the group has gained access to Impresa’s Amazon Web Services account. Impresa staff appeared to have regained control over this account earlier today when all the sites were put into maintenance mode, but the attackers immediately tweeted from Expresso’s verified Twitter account to show that they still had access to company resources.

    Reply
  8. Tomi Engdahl says:

    Uber ignores vulnerability that lets you send any email from Uber.com
    https://www.bleepingcomputer.com/news/security/uber-ignores-vulnerability-that-lets-you-send-any-email-from-ubercom/
    Security researcher and bug bounty hunter Seif Elsallamy discovered a flaw in Uber’s systems that enables anyone to send emails on behalf of Uber.

    Reply
  9. Tomi Engdahl says:

    https://hackaday.com/2021/12/31/this-week-in-security-the-log4j-that-wont-go-away-webos-and-more/
    WebOS Falls to a Snapshot

    [David Buchanan] acknowledges that while this is an interesting exploit, there isn’t much utility to it at this point. That could change, but let’s look at the flaw for now. Snapshots are a cool feature in the V8 JavaScript engine. When you navigate to a web page, the JavaScript context for that page has to be generated in memory, including loading all the libraries called by the page. That doesn’t take too long on a desktop, but on an embedded device or a cell phone loading a local interface, this initialization step can represent a large percentage of the time needed to draw the requested page. Snapshots are a great hack, where the context is initialized, and then saved. When the interface is later opened, the V8 engine can be called with that file, and the context is pre-initialized, making the launch of the app or interface appreciably faster. The only catch is that V8 expects snapshots to only be loaded from a trusted source.

    On to the WebOS platform itself. Individual apps are sandboxed, but web apps run their code in the context of the WebAppMgr (WAM), their browser based on Chromium/V8. While the individual apps are sandboxed, WAM is not.

    [David] has published the full PoC, noting that LG notoriously underpays for bug bounties.

    https://github.com/DavidBuchanan314/WAMpage

    Reply
  10. Tomi Engdahl says:

    Lawrence Abrams / BleepingComputer:
    Microsoft releases an emergency fix for a Y2K22 bug in its FIP-FS anti-malware scanning engine that stops Exchange on-premise servers from delivering email — Microsoft has released an emergency fix for a year 2022 bug that is breaking email delivery on on-premise Microsoft Exchange servers.
    Microsoft releases emergency fix for Exchange year 2022 bug
    https://www.bleepingcomputer.com/news/microsoft/microsoft-releases-emergency-fix-for-exchange-year-2022-bug/

    Reply
  11. Tomi Engdahl says:

    Brian Newar / Cointelegraph:
    OpenSea freezes 16 Ape NFTs, worth ~$2.3M, after they were reportedly stolen, leading some to point out the lack of decentralization in the NFT space — Art gallery owner Todd Kramer had his valuable NFT collection stolen from his hot wallet yesterday, so OpenSea froze the stolen assets worth about $2.2 million.

    OpenSea freezes $2.2M of stolen Bored Apes
    https://cointelegraph.com/news/opensea-freezes-2-2m-of-stolen-bored-apes

    Art gallery owner Todd Kramer had his valuable NFT collection stolen from his hot wallet yesterday, so OpenSea froze the stolen assets worth about $2.2 million.

    Reply
  12. Tomi Engdahl says:

    New York Times:
    Investigation: how China identifies, tracks, and pressures its critics on Facebook and Twitter, including Chinese living abroad and citizens of other nations
    https://www.nytimes.com/2021/12/31/business/china-internet-police-twitter.html

    Reply
  13. Tomi Engdahl says:

    Data breach: Broward Health warns 1.3 million patients, staff of ‘medical identity theft’
    https://www.zdnet.com/article/broward-health-warns-1-3-million-patients-staff-of-medical-identity-theft-after-data-breach/#ftag=RSSbaffb68
    This weekend, the Broward Health hospital system notified more than 1.3 million patients and staff members that their personal information was involved in a data breach that started on October 15. In a statement on Saturday, the Florida hospital system said that in addition to names, addresses and phone numbers, Social Security numbers, bank account information and medical history data was included in the breach. Insurance account information, driver’s license numbers, email addresses and treatments received were also included. The hospital system said it waited months to notify victims because the Department of Justice told them to hold off on sending out breach notification letters.

    Reply
  14. Tomi Engdahl says:

    Cyberattack paralyzed a Norwegian media house: newspapers went unpublished, ransom demanded https://www.kauppalehti.fi/uutiset/kyberhyokkays-lamautti-norjalaisen-mediatalon-lehdet-jaivat-ilmestymatta-lunnaita-vaaditaan/046613ff-db3d-4b95-b03b-d628970c9dba
    The Norwegian media company Amedia was hit by a cyberattack on Tuesday, Computer Sweden writes. The attack caused a system outage, because of which the company’s printed newspapers were not published on Wednesday. On Thursday, some of the print newspapers could be published.
    The attack has had no effect on the websites. According to The Record, the outage not only halted the printing presses but also prevented customers from placing and cancelling subscriptions. Advertising sales were also interrupted. So far it is unclear whether customer data also leaked in connection with the attack. The affected system contained subscribers’ names, addresses, phone numbers and information about newspaper subscriptions. Account passwords, reading history data and payment card data are held in a separate system.

    Reply
  15. Tomi Engdahl says:

    CrowdStrike Beefs Up Exploit Detection With Intel CPU Telemetry
    https://www.securityweek.com/crowdstrike-beefs-exploit-detection-intel-cpu-telemetry

    Anti-malware giant CrowdStrike says it is using telemetry from Intel processors to help detect and thwart sophisticated software exploits that bypass traditional OS-based defenses.

    CrowdStrike said the CPU telemetry is powering a new Hardware Enhanced Exploit Detection feature in its Falcon platform and will help detect complex attack techniques that are notoriously hard to identify and expand memory safety protections on older PCs that lack modern anti-exploit mitigations.

    “Once activated, the new feature detects exploits by analyzing suspicious operations associated with exploit techniques, such as shellcode injection, return-oriented programming,” CrowdStrike said.

    The new detection technology has been fitted into version 6.27 of CrowdStrike’s Falcon sensor and is available on systems with Intel CPUs, sixth generation or newer, running Windows 10 RS4 or later.

    Reply
  16. Tomi Engdahl says:

    Sophisticated iLOBleed Rootkit Targets HP Servers
    https://www.securityweek.com/sophisticated-ilobleed-rootkit-targets-hp-servers

    An Iranian cybersecurity firm claims to have discovered a sophisticated rootkit that is designed to target HP servers.

    The malware, dubbed iLOBleed, was analyzed by Tehran-based Amnpardaz, which indicates that it has been used to target organizations in Iran. However, no other information has been shared on victims.

    It’s unclear who is behind the attacks involving iLOBleed, but its sophistication suggests it’s likely an advanced persistent threat (APT) actor. The United States and Israel are suspected to have launched sophisticated cyberattacks against Iran.

    According to Amnpardaz, iLOBleed is an implant that targets HPE’s Integrated Lights-Out (iLO) embedded server management technology, which enables users to remotely monitor, configure and update their servers. iLO is embedded on the motherboard of HP servers.

    Implant.ARM.iLOBleed.a
    https://threats.amnpardaz.com/en/2021/12/28/implant-arm-ilobleed-a/

    Reply
  17. Tomi Engdahl says:

    Multiple Vulnerabilities Impact Netgear Nighthawk R6700 Routers
    https://www.securityweek.com/multiple-vulnerabilities-impact-netgear-nighthawk-r6700-routers

    Netgear Nighthawk R6700v3 routers running the latest firmware are affected by multiple vulnerabilities. Details of the flaws were disclosed last week by Tenable after the vendor failed to release patches.

    The most important of these security defects results in an authenticated attacker being able to inject commands that would be executed when the device checks for updates.

    Tracked as CVE-2021-20173, the issue exists because unsanitized input is being sent to system() calls in the upnpd binary. The attacker can send requests from the SOAP interface to force update checks and trigger the execution of commands.

    Furthermore, Tenable’s researchers discovered that communication to and from the device’s web and SOAP interfaces is not encrypted, meaning that sensitive information – such as usernames and passwords – is transmitted in cleartext.

    The issues were assigned CVE identifiers CVE-2021-20174 and CVE-2021-20175, respectively.

    Tenable also noticed that the device stores usernames and passwords in plaintext, including the admin password. The issue is tracked as CVE-2021-45077.

    Another identified vulnerability (CVE-2021-23147) could allow an attacker with physical access to the device to connect to the UART port via a serial connection and run commands as root without authentication.

    “We recommend disabling this UART console for production runs, or at least enforcing the same password mechanisms used for other functionality in the device (such as the web UI),” Tenable says.

    Reply
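The command-injection class the Tenable write-up describes above (unsanitized request input reaching system()), as an added defensive example that is not Netgear’s or Tenable’s code: the weak pattern next to a hardened version that validates the hostname against an allow-list and launches the helper with an argv array instead of a shell. FETCH_BIN, the URL layout and the hostname field are assumptions for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper binary that fetches the update manifest; a
 * placeholder, not Netgear's upnpd or any real router tool. */
#define FETCH_BIN "/usr/bin/fetch_update"
#define MAX_HOST 253

/* Allow-list validation for a hostname taken from a SOAP/web request.
 * Accepts only letters, digits, '.', '-' and '_'; rejects a leading '-'
 * or '.' (a leading '-' could be parsed as an option by the child) and
 * enforces a length bound. */
int is_safe_hostname(const char *s) {
    size_t n = strlen(s);
    if (n == 0 || n > MAX_HOST) return 0;
    if (s[0] == '-' || s[0] == '.') return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '.' || c == '-' || c == '_')) return 0;
    }
    return 1;
}

/* The weak pattern the advisory describes: request data spliced into a
 * command string that a shell then interprets. Kept only for contrast. */
int vulnerable_update_check(const char *host) {
    char cmd[512];
    snprintf(cmd, sizeof cmd, FETCH_BIN " http://%s/firmware.txt", host);
    return system(cmd);   /* shell metacharacters in host alter the command */
}

/* Build the manifest URL only from a validated hostname. Returns NULL
 * when validation fails. Static buffer: not thread-safe, demo only. */
const char *update_url(const char *host) {
    static char url[MAX_HOST + 32];
    if (!is_safe_hostname(host)) return NULL;
    snprintf(url, sizeof url, "http://%s/firmware.txt", host);
    return url;
}

/* Hardened variant: no shell at all. The child receives an argv array,
 * so the hostname is always exactly one argument. Returns the child's
 * exit status, or -1 if validation or process creation fails. */
int safe_update_check(const char *host) {
    const char *url = update_url(host);
    if (url == NULL) return -1;

    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { FETCH_BIN, (char *)url, NULL };
        execv(FETCH_BIN, argv);
        _exit(127);           /* exec failed (e.g. helper not installed) */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* Constructed sample inputs: one valid host, two that must be rejected. */
    const char *inputs[] = { "updates.example.com", "bad;input", "-oops" };
    for (int i = 0; i < 3; i++)
        printf("%-22s -> %s\n", inputs[i],
               is_safe_hostname(inputs[i]) ? "accepted" : "rejected");
    return 0;
}
```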
  18. Tomi Engdahl says:

    Israeli Media Outlets Hacked on Soleimani Killing Anniversary
    https://www.securityweek.com/israeli-media-outlets-hacked-soleimani-killing-anniversary

    Two major Israeli media outlets were hacked early Monday with a threatening message that appeared linked to the killing of a top Iranian general two years ago.

    The website of the English-language Jerusalem Post and the Twitter account of Hebrew-language Maariv were taken over with a picture of a fist firing a shell out of a ring with a red stone on a finger toward an exploded dome.

    “We are close to you where you do not think about it”, read text in English and Hebrew below the fist.

    The hacking came exactly two years after the January 3, 2020 US drone strike in Baghdad that killed Iranian General Qasem Soleimani, who headed the Quds Force, the foreign operations arm of Iran’s Revolutionary Guards.

    Reply
  19. Tomi Engdahl says:

    Cyberattack against UK Ministry of Defence training academy revealed
    https://www.zdnet.com/article/ex-officer-reveals-cyberattack-against-uk-ministry-of-defence-training-academy/
    A retired military officer has disclosed a cyberattack that struck the UK Ministry of Defence (MoD) academy and had a “significant” impact on the organization. Air Marshal Edward Stringer, an officer in charge at the time, told Sky News that the cyberattack was discovered in March 2021. According to the retired officer, “unusual activity” was detected by IT outsourcer Serco but originally it was thought that this may have been due to some form of IT error rather than something malicious. The Defence Academy of the United Kingdom was the target.
    The organization is responsible for teaching and training thousands of military personnel, MoD employees, wider government figures, and overseas students. Courses on offer relate to topics including security, strategy, languages, and information warfare. While full attribution is not available as to who was responsible, the publication reports that China or Russia was “possibly” involved.

    Reply
  20. Tomi Engdahl says:

    Log4j flaw attack levels remain high, Microsoft warns
    https://www.zdnet.com/article/log4j-flaw-attacks-are-causing-lots-of-problems-microsoft-warns/
    Microsoft has warned Windows and Azure customers to remain vigilant after observing state-sponsored and cyber-criminal attackers probing systems for the Log4j ‘Log4Shell’ flaw through December. Disclosed by the Apache Software Foundation on December 9, Log4Shell will likely take years to remediate because of how widely the error-logging software component is used in applications and services. Microsoft warns that customers might not be aware of how widespread the Log4j issue is in their environment. Over the past month, Microsoft has released numerous updates, including to its Defender security software, to help customers identify the issue as attackers stepped up scanning activity.

    Reply
  21. Tomi Engdahl says:

    Apple Home software bug could lock you out of your iPhone https://nakedsecurity.sophos.com/2022/01/04/apple-home-software-bug-could-lock-you-out-of-your-iphone/
    A security researcher called Trevor Spiniolas has just published information about a bug he claims has existed in Apple’s iOS operating system since at least version 14.7. The bug affects the Home app, Apple’s home automation software that lets you control home devices (webcams, doorbells, thermostats, light bulbs, and so on) that support Apple’s HomeKit ecosystem. Spiniolas has dubbed the bug doorLock, giving it both a logo and a dedicated web page, claiming that although he disclosed it to Apple back in August 2021, the company’s attempts to patch it so far have been incomplete, and his specified deadline of 01 January 2022 for “going live” with details of the flaw has now passed.

    Reply
  22. Tomi Engdahl says:

    FTC warns companies to secure consumer data from Log4J attacks https://www.bleepingcomputer.com/news/security/ftc-warns-companies-to-secure-consumer-data-from-log4j-attacks/
    The US Federal Trade Commission (FTC) has warned today that it will go after any US company that fails to protect its customers’ data against ongoing Log4J attacks. “The FTC intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future,” the US government agency said.
    “The duty to take reasonable steps to mitigate known software vulnerabilities implicates laws including, among others, the Federal Trade Commission Act and the Gramm-Leach-Bliley Act.” “It is critical that companies and their vendors relying on Log4j act now, in order to reduce the likelihood of harm to consumers, and to avoid FTC legal action.”

    Reply
  23. Tomi Engdahl says:

    Purple Fox rootkit now bundled with Telegram installer
    https://blog.malwarebytes.com/trojans/2022/01/purple-fox-rootkit-now-bundled-with-telegram-installer/
    The Purple Fox rootkit is being spread as an installer for the popular Telegram instant messaging app for Windows, according to researchers.

    Reply
  24. Tomi Engdahl says:

    Over 20 years of employee data leaked during McMenamins ransomware attack https://www.zdnet.com/article/ransomware-attack-on-mcmenamins-leads-to-breach/
    Oregon-based venue operator McMenamins said employee data was accessed during a ransomware attack that occurred on December 12.

    Reply
  25. Tomi Engdahl says:

    Google Acquires Siemplify in Ambitious Cybersecurity Push
    https://www.securityweek.com/google-acquires-siemplify-ambitious-cybersecurity-push

    Google has expanded its push into the lucrative cybersecurity business with a new deal to acquire Siemplify, a late-stage Israeli startup selling SOAR (security orchestration, automation and response) technology.

    Financial terms of the transaction were not released but reports out of Israel peg the price tag in the range of $500 million.

    Google plans to pair Siemplify’s SOAR technology with its own home-built Chronicle security analytics platform to “change the rules on how organizations hunt, detect, and respond to threats,” according to Sunil Potti, vice president of Google Cloud Security.

    Reply
  26. Tomi Engdahl says:

    Unpatched HomeKit Vulnerability Exposes iPhones, iPads to DoS Attacks
    https://www.securityweek.com/unpatched-homekit-vulnerability-exposes-iphones-ipads-dos-attacks

    A researcher claims Apple has failed to patch a potentially serious vulnerability that can be exploited to launch denial-of-service (DoS) attacks against iPhones and iPads.

    The flaw, dubbed doorLock, was reported to Apple on August 10 by Trevor Spiniolas, who decided to disclose his findings on January 1. The researcher said the tech giant had initially planned on rolling out a fix by the end of the year, but in December that deadline changed to “early 2022.”

    The vulnerability is related to HomeKit, the software framework provided by Apple for configuring and controlling smart home appliances from iPhones and iPads.

    The security bug is related to the name assigned to a HomeKit device. If the name is a large string — 500,000 characters were used in the tests conducted by Spiniolas — the device that loads the string significantly slows down or becomes unresponsive. The victim will not be able to access data stored on the phone or tablet and the problem persists across a device reboot or update.

    https://trevorspiniolas.com/doorlock/doorlock.html

    Reply
  27. Tomi Engdahl says:

    Skimmer Injected Into 100 Real Estate Websites via Cloud Video Platform
    https://www.securityweek.com/skimmer-injected-100-real-estate-websites-cloud-video-platform

    More than 100 real estate websites belonging to the same parent company were injected with web skimmer code via an unnamed cloud video platform.

    Increasingly popular, skimmer attacks involve the use of malicious JavaScript code to steal data provided by users on the targeted website.

    As part of this recent campaign, Palo Alto Networks explains, skimmer code was injected into a video so that it was automatically embedded into websites that imported the video.

    A New Web Skimmer Campaign Targets Real Estate Websites Through Attacking Cloud Video Distribution Supply Chain
    https://unit42.paloaltonetworks.com/web-skimmer-video-distribution/

    Reply
  28. Tomi Engdahl says:

    Google acquires Israeli cybersecurity company Siemplify for $500 million
    https://www.zdnet.com/article/google-acquires-israeli-cybersecurity-company-siemplify-for-500-million/
    Google announced on Tuesday that it is acquiring Israeli cybersecurity startup Siemplify for a reported $500 million. Google Cloud Security vice president Sunil Potti said Siemplify is a leader in the security orchestration, automation and response (SOAR) field. Their platform will be integrated into Google Cloud’s security team “to help companies better manage their threat response

    Reply
  29. Tomi Engdahl says:

    Google Issues Warning For 2 Billion Chrome Users
    https://www.forbes.com/sites/gordonkelly/2022/01/05/google-chrome-hack-warning-new-attacks-exploits-upgrade-chrome-now/?sh=7231cf1f10b0&utm_medium=social&utm_campaign=socialflowForbesMainFB&utm_source=ForbesMainFacebook

    Google Chrome users need to be on high alert. After a record-breaking number of attacks last year, Google has already issued the first serious new upgrade warning of 2022 to all the browser’s two billion users.

    Google confirmed the news in a new blog post, where it revealed an eye-opening 37 security vulnerabilities have been discovered. Google has classified 10 of these vulnerabilities as posing a ‘High’ threat level with a further hack ranked as critically dangerous. Linux, macOS and Windows users are all affected and need to take immediate action.

    Reply
  30. Tomi Engdahl says:

    Planet-Incinerating Ponzi Grifters. Possibly up to 18% of all bitcoining is in Kazakhstan. Revealed when their president turned off their internet.

    Kazakhstan internet shutdown sheds light on a big Bitcoin mining mystery
    https://fortune.com/2022/01/05/kazakhstan-internet-bitcoin-mining-mystery-crypto/

    The curtain just lifted on one of the many mysteries surrounding Bitcoin: How much is being produced using super-dirty coal in Kazakhstan. We knew that the Eurasian nation was a major destination for miners, and that the refugees recently expelled from China were flocking there. Still, it was difficult to establish how much of all the world’s coins Kazakhstan was minting. Clouding the picture was the government’s recent moves to severely restrict the mining boom that was plaguing its cities via rolling blackouts.

    On January 5, the world got at least a rough answer. Violent protests erupted over the soaring cost of fuel and the nation’s autocratic rule. President Kassym-Jomart Tokayev sacked his government and declared a state of emergency. Apparently on his orders, the largest telecom provider shuttered the internet to interrupt communications among the opposition’s ranks. When the web goes down, miners can’t communicate with the Bitcoin network. The “hash rate,” the random codes that win fresh awards of Bitcoin, collapses. A few hours into the outage, Larry Cermak of the crypto news and research site The Block tweeted that a full 12% of Bitcoin’s worldwide computational power had vanished.

    Reply
  31. Tomi Engdahl says:

    VMware Patches Important Bug Affecting ESXi, Workstation and Fusion Products
    https://thehackernews.com/2022/01/vmware-patches-important-bug-affecting.html

    VMWare has shipped updates to Workstation, Fusion, and ESXi products to address an “important” security vulnerability that could be weaponized by a threat actor to take control of affected systems.

    The issue relates to a heap-overflow vulnerability — tracked as CVE-2021-22045 (CVSS score: 7.7) — that, if successfully exploited, results in the execution of arbitrary code. The company credited Jaanus Kääp, a security researcher with Clarified Security, for reporting the flaw.

    “A malicious actor with access to a virtual machine with CD-ROM device emulation may be able to exploit this vulnerability in conjunction with other issues to execute code on the hypervisor from a virtual machine,” VMware said in an advisory published on January 4.

    Reply
  32. Tomi Engdahl says:

    North Korean Hackers Start New Year with Attacks on Russian Foreign Ministry https://thehackernews.com/2022/01/north-korean-hackers-start-new-year.html
    A North Korean cyberespionage group named Konni has been linked to a series of targeted attacks aimed at the Russian Federation’s Ministry of Foreign Affairs (MID) with New Year lures to compromise Windows systems with malware. “This activity cluster demonstrates the patient and persistent nature of advanced actors in waging multi-phased campaigns against perceived high-value networks,” researchers from Lumen Technologies’ Black Lotus Labs said in an analysis shared with The Hacker News. The Konni group’s tactics, techniques, and procedures (TTPs) are known to overlap with threat actors belonging to the broader Kimsuky umbrella, which is also tracked by the cybersecurity community under the monikers Velvet Chollima, ITG16, Black Banshee, and Thallium.

    Reply
  33. Tomi Engdahl says:

    Microsoft: KB5008212 Windows security update breaks Outlook search https://www.bleepingcomputer.com/news/microsoft/microsoft-kb5008212-windows-security-update-breaks-outlook-search/
    Microsoft has acknowledged an issue triggered by a Windows 10, version 21H2 security update released during the December 2021 Patch Tuesday that leads to search issues in Outlook for Microsoft 365. “After you install update KB5008212, recent emails may not appear in search results,” Microsoft explained in a recently published Office support document. The company said it’s currently investigating this issue and will provide more information and an update as soon as possible.

    Reply
  34. Tomi Engdahl says:

    Attackers Exploit Flaw in Google Docs’ Comments Feature https://threatpost.com/attackers-exploit-flaw-google-docs-comments/177412/
    Attackers are using the “Comments” feature of Google Docs to send malicious links in a phishing campaign targeted primarily at Outlook users, researchers have discovered. Researchers from email collaboration and security firm Avanan, a CheckPoint company, first observed “a new, massive wave of hackers leveraging the comment feature in Google Docs” in December, Avanan Cybersecurity Researcher/Analyst Jeremy Fuchs wrote in a report published Thursday.
    Avanan first identified that the Comments feature of Google Docs, Sheets and Slides could be exploited to send spam emails in October, but so far Google has not responded to the issue, Fuchs wrote.

    Reply
  35. Tomi Engdahl says:

    Microsoft Announces Zero-Touch Onboarding for ‘Defender for Endpoint’ on iOS
    https://www.securityweek.com/microsoft-announces-zero-touch-onboarding-defender-endpoint-ios

    Microsoft this week announced the public preview of zero-touch onboarding for Defender for Endpoint on iOS.

    With the new capability, organizations can deploy Defender for Endpoint on iOS across devices in their environment without requiring any form of user interaction, as long as those devices are enrolled with Microsoft Endpoint Manager.

    By providing a zero-touch onboarding experience, the tech giant seeks to eliminate deployment friction and ensure that the app can be rolled out to devices quickly, through silent activation. The user is notified of the installation, but they don’t need to open the application.

    Reply
  36. Tomi Engdahl says:

    Fresh Warnings Issued Over Abuse of Google Services
    https://www.securityweek.com/fresh-warnings-issued-over-abuse-google-services

    U.S. government agencies and cybersecurity companies are warning users and organizations about cybercriminals abusing Google services to achieve their goals.

    Reply
  37. Tomi Engdahl says:

    NY AG: Credential Stuffing Impacts 1.1 Million Users at 17 Companies
    https://www.securityweek.com/ny-ag-credential-stuffing-impacts-11-million-users-17-companies

    Following months of monitoring online communities dedicated to credentials stuffing, a list of 1.1 million impacted customer accounts at 17 well-known companies was compiled, including accounts at food delivery services, online retailers, and restaurant chains.

    According to a “Business Guide for Credential Stuffing Attacks” that the New York Attorney General has just released, there are over 15 billion credentials currently circulating on the web. Adversaries are abusing these to launch hundreds of billions of credential stuffing attacks each year.

    https://ag.ny.gov/sites/default/files/businessguide-credentialstuffingattacks.pdf

    Reply
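    An added example, not taken from the NY AG guide, the SecurityWeek article or this blog: a small detector for the login pattern credential stuffing produces, namely one client address replaying many different usernames in a short window with mostly failed results. The log format, addresses, usernames and thresholds below are all constructed for the demonstration; a real deployment would read the authentication log of the service in question.

```python
"""Credential-stuffing detector over constructed login-log lines.

Heuristic: a single source IP that attempts many *distinct* usernames within a
short sliding window, with a high failure ratio, looks like a tool replaying a
leaked username/password list rather than a user mistyping one password.
Everything here (log format, IPs, users, thresholds) is constructed, not taken
from any real system or from the NY AG guide.
"""

from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed log format: "<ISO timestamp> <ip> <username> <LOGIN_OK|LOGIN_FAIL>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<user>\S+) (?P<result>LOGIN_OK|LOGIN_FAIL)$"
)

# Constructed sample: one stuffing source (203.0.113.7), one legitimate user
# retrying their own password (198.51.100.23), one slow trickle of distinct
# usernames spread over 24 minutes (192.0.2.50), and one non-login line.
SAMPLE_LOG = """\
2022-01-06T09:00:01 203.0.113.7 alice LOGIN_FAIL
2022-01-06T09:00:03 203.0.113.7 bob LOGIN_FAIL
2022-01-06T09:00:04 203.0.113.7 carol LOGIN_FAIL
2022-01-06T09:00:06 203.0.113.7 dave LOGIN_OK
2022-01-06T09:00:07 203.0.113.7 erin LOGIN_FAIL
2022-01-06T09:00:09 203.0.113.7 frank LOGIN_FAIL
2022-01-06T09:00:10 203.0.113.7 grace LOGIN_FAIL
2022-01-06T09:00:12 203.0.113.7 heidi LOGIN_FAIL
2022-01-06T09:01:00 198.51.100.23 alice LOGIN_FAIL
2022-01-06T09:01:20 198.51.100.23 alice LOGIN_FAIL
2022-01-06T09:01:45 198.51.100.23 alice LOGIN_OK
2022-01-06T09:00:00 192.0.2.50 ivan LOGIN_FAIL
2022-01-06T09:06:00 192.0.2.50 judy LOGIN_FAIL
2022-01-06T09:12:00 192.0.2.50 mallory LOGIN_FAIL
2022-01-06T09:18:00 192.0.2.50 niaj LOGIN_FAIL
2022-01-06T09:24:00 192.0.2.50 olivia LOGIN_FAIL
this line is not a login event
"""


def parse_line(line):
    """Return (timestamp, ip, user, result) or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["ip"], m["user"], m["result"])


def detect_stuffing(lines, window_minutes=5, min_users=5, min_fail_ratio=0.8):
    """Return {ip: (distinct_users, attempts, failures)} for every IP that, within
    some sliding window of `window_minutes`, tried at least `min_users` distinct
    usernames with a failure ratio of at least `min_fail_ratio`. The tuple kept
    per IP is the qualifying window with the most distinct usernames."""
    window = timedelta(minutes=window_minutes)
    events = sorted(filter(None, (parse_line(l) for l in lines)), key=lambda e: e[0])
    per_ip = defaultdict(list)
    for ts, ip, user, result in events:
        per_ip[ip].append((ts, user, result))

    flagged = {}
    for ip, evs in per_ip.items():
        start = 0
        users = defaultdict(int)  # username -> occurrences inside the window
        failures = 0
        for end, (ts, user, result) in enumerate(evs):
            users[user] += 1
            failures += result == "LOGIN_FAIL"
            # Slide the window: drop events older than `window` before this one.
            while evs[start][0] < ts - window:
                old_ts, old_user, old_result = evs[start]
                users[old_user] -= 1
                if users[old_user] == 0:
                    del users[old_user]
                failures -= old_result == "LOGIN_FAIL"
                start += 1
            attempts = end - start + 1
            if len(users) >= min_users and failures / attempts >= min_fail_ratio:
                best = flagged.get(ip)
                if best is None or len(users) > best[0]:
                    flagged[ip] = (len(users), attempts, failures)
    return flagged


if __name__ == "__main__":
    for ip, (users, attempts, failures) in detect_stuffing(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {users} distinct users, {failures}/{attempts} failures")
```

    The retrying user is never flagged because a single username counts as one, and the slow trickle escapes the 5-minute window; widening the window to an hour catches it, which is the trade-off between window size and false positives that any such rule has to be tuned for.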
  38. Tomi Engdahl says:

    Hackers Hit Major Portuguese Media Group, Take Down Websites
    https://www.securityweek.com/hackers-hit-major-portuguese-media-group-take-down-websites

    One of Portugal’s leading media conglomerates said Thursday that a group calling itself “Lapsus$” hacked the company’s online services, taking down some of its most popular websites and contacting subscribers.

    Grupo Impresa said the attack was aimed at disrupting the company’s services and sending fake news messages to subscribers, including one that said, “Breaking: President removed and accused of murder: Lapsus$ is Portugal’s new president.”

    The company said in a statement that the hackers didn’t demand any payment.

    The hackers gained access to the company’s Amazon Web Services account and sent emails and text messages to subscribers, the statement said.

    The hackers accessed some subscriber information, but Impresa said it had no evidence they got hold of subscribers’ passwords or credit card details.

    The attack occurred early on Jan. 2, the statement said. The company regained control of its cloud services later that day, though on Thursday two of its main websites — belonging to top weekly newspaper Expresso and TV channels run by its broadcaster S.I.C. — were still using temporary sites.

    Reply
  39. Tomi Engdahl says:

    France Hits Google, Facebook With Huge Fines Over ‘Cookies’
    https://www.securityweek.com/france-hits-google-facebook-huge-fines-over-cookies

    French regulators have hit Google and Facebook with 210 million euros ($237 million) in fines over their use of “cookies”, the data used to track users online, authorities said Thursday.

    The 150-million-euro fine imposed on Google was a record by France’s National Commission for Information Technology and Freedom (CNIL), beating a previous cookie-related fine of 100 million euros against the company in December 2020.

    Facebook was handed a 60-million-euro fine.

    “CNIL has determined that the sites facebook.com, google.fr and youtube.com do not allow users to refuse the use of cookies as simply as to accept them,” the regulatory body said.

    The two platforms have three months to adapt their practices, after which France will impose fines of 100,000 euros per day, CNIL added.

    Google told AFP it would change its practices following the ruling.

    Reply
  40. Tomi Engdahl says:

    Malware Can Fake iPhone Shutdown via ‘NoReboot’ Technique
    https://www.securityweek.com/malware-can-fake-iphone-shutdown-noreboot-technique

    Researchers at mobile security firm ZecOps have shown how a piece of iOS malware can achieve “persistence” on a device by faking its shutdown process.

    Malware designed to target iPhones is not uncommon, but many of these threats are not capable of staying on a device after it has been rebooted.

    Instead of trying to develop a sophisticated persistence exploit for their malware, threat actors could simply monitor the victim’s actions and simulate a shutdown of the iPhone when the victim attempts to turn off their device.

    ZecOps has dubbed the method “NoReboot” and described it as the “ultimate persistence bug” that cannot be patched.

    The attack method abuses the InCallService system application; SpringBoard, the iOS component that manages the iPhone’s home screen; and BackBoard, which Apple introduced to help SpringBoard with some tasks related to hardware events, such as touches and button presses.

    Researchers found that when a user initiates a shutdown event by pressing and holding the volume button until the “power off” slider appears, the attacker can inject their code into the InCallService, SpringBoard and BackBoard daemons. The attacker can get SpringBoard and BackBoard to — instead of shutting down the device — make it look like the device has been powered off by disabling all physical feedback, including the screen, sounds, vibration, the camera indicator, and touch feedback.

    To avoid raising suspicion, the attacker can display the system boot animation when the user wants to power on the iPhone.

    ZecOps has made available a proof-of-concept (PoC) exploit

    Persistence without “Persistence”: Meet The Ultimate Persistence Bug – “NoReboot”
    https://blog.zecops.com/research/persistence-without-persistence-meet-the-ultimate-persistence-bug-noreboot/

    Reply
  41. Tomi Engdahl says:

    VMware Plugs Security Holes in Workstation, Fusion and ESXi
    https://www.securityweek.com/vmware-plugs-security-holes-workstation-fusion-and-esxi

    VMware this week shipped security updates for its Workstation, Fusion and ESXi product lines, warning that a heap-overflow vulnerability could expose users to code execution attacks.

    Tracked as CVE-2021-22045 (CVSS score of 7.7), the security vulnerability exists in the CD-ROM device emulation function of Workstation, Fusion and ESXi.

    In an advisory, VMware said the security defect could be exploited by attackers with access to a virtual machine that has CD-ROM device emulation enabled.

    An attacker capable of combining the security error with additional flaws could eventually achieve code execution on the hypervisor from the virtual machine.

    Disabling or disconnecting the CD-ROM/DVD devices on all running virtual machines should prevent potential exploitation.

    CVE-2021-22045 affects ESXi 6.5, 6.7, and 7 versions, Workstation 16.x, and Fusion 12.x. VMware Cloud Foundation (ESXi) 4.x and 3.x are affected as well.

    To date, VMware has addressed the bug with the release of ESXi670-202111101-SG, ESXi650-202110101-SG, Workstation 16.2.0, and Fusion 12.2.0. Customers are advised to apply the fixes as soon as possible.

    Reply
  42. Tomi Engdahl says:

    Chrome 97 Patches 37 Vulnerabilities
    https://www.securityweek.com/chrome-97-patches-37-vulnerabilities
    Google this week announced the release of Chrome 97 in the stable channel with a total of 37 security fixes, including 24 for vulnerabilities reported by external researchers.
    Of the 24 externally reported security flaws, one is rated critical severity, 10 high severity, 10 medium, and three low. The most common types of vulnerabilities are use-after-free (seven bugs), and improper implementation (eight issues).
    The most severe is CVE-2022-0096, a use-after-free issue in Storage that could be exploited to execute code in the context of the browser.
    Five of the 10 high-severity flaws addressed with this Chrome release are use-after-free errors affecting components such as screen capture, sign-in, SwiftShader, PDF, and Autofill.
    The other five are an inappropriate implementation in DevTools, type confusion in V8, and heap buffer overflows in Bookmarks, V8, and ANGLE.

    Reply
  43. Tomi Engdahl says:

    ICS Vendors Respond to Log4j Vulnerabilities
    https://www.securityweek.com/ics-vendors-respond-log4j-vulnerabilities

    SecurityWeek has compiled a list of the advisories published by industrial control system (ICS) and other industrial-related vendors in response to the recent Log4j vulnerabilities.

    Several vulnerabilities have been discovered in the Log4j logging utility since early December, but the most important of them is CVE-2021-44228, which has been dubbed Log4Shell. Log4Shell has been exploited in many attacks by cybercriminals and state-sponsored threat actors, including against industrial organizations.

    Reply
  44. Tomi Engdahl says:

    Finalsite ransomware attack forces 5,000 school websites offline
    https://techcrunch.com/2022/01/07/finalsite-ransomware-school-websites-offline/?tpcc=tcplusfacebook

    Finalsite, an internet software house that provides school districts with website design, hosting, and content management solutions, has been hit by a ransomware attack.

    Earlier this week, school districts whose websites are hosted by Finalsite discovered that they were no longer accessible or displayed errors. While at the time Finalsite blamed the issues on “performance difficulties” across different services, the Glastonbury, Conn.-based company has since confirmed the outage was caused by ransomware.

    Finalsite spokesperson Morgan Delack told TechCrunch that 5,000 of its total 8,000 global customers — including school districts in Kansas City, Illinois, and Missouri — are affected by the incident. In addition to website outages, one Reddit user claimed the incident also prevented some schools from sending email notifications about school closures due to COVID-19 outbreaks.

    Reply
