This posting is here to collect cyber security news in January 2022.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
439 Comments
Tomi Engdahl says:
Watch Out! You Might Get Hacked When Copy-Pasting Commands from Webpages
The Command You Copy Might Not Be the Same as the Command You Paste.
https://heimdalsecurity.com/blog/watch-out-you-might-get-hacked-when-copy-pasting-commands-from-webpages/
A new hacking method is standing out on the cyberthreat landscape. People who copy-paste commands from webpages into a console or terminal, such as programmers, sysadmins, security researchers, and people interested in tech subjects, should pay attention, as this might result in their system being compromised. This warning comes after a demonstration by a technologist of a trick that makes the copy-paste of commands dangerous.
In his blog’s POC (proof of concept), Friedlander urges readers to copy an example of a common command: sudo apt update. He advises readers to paste it into Notepad or a textbox, and the result will indicate the following:
What’s interesting here is that what gets placed on the clipboard is not the initial command, but something different that even automatically adds a newline character at the end. This means that once the example command is pasted into a Linux terminal, it will be executed.
Tomi Engdahl says:
Solo BumbleBee makes Linux eBPF programming easier
Solo’s new open-source program BumbleBee will make it much easier to build Linux eBPF programs.
https://www.zdnet.com/article/solo-bumblebee-makes-linux-ebpf-programming-easier/
In 1992, the Berkeley Packet Filter (BPF) was introduced in Unix circles as a new, improved network packet filter. Nice, but not that big a deal. Then, in 2014, it was changed and brought into the Linux kernel as extended BPF (eBPF). Again, that was okay. Just okay. Soon thereafter though, developers started using it to run user-space code inside a virtual machine (VM) on the Linux kernel. And, then it was a huge deal. As Netflix computer performance expert Brendan Gregg said, with eBPF, “superpowers have finally come to Linux.”
What superpowers? eBPF gives you the power to run programs in the Linux kernel without changing the kernel source code or adding additional modules. In effect, it acts as a lightweight (VM) inside the Linux kernel space. There, programs that can run in eBPF run much faster, while taking advantage of kernel features unavailable to other higher-level Linux programs.
Typically eBPF is used as a safe way to enhance the kernel with observability, networking, and security technologies. These programs run in response to events such as network packets arriving. Typically, eBPF programs are written in a higher-level language, such as C, and then Just in Time (JIT) compiled into x86 assembly for maximum performance and safety.
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/dont-copy-paste-commands-from-webpages-you-can-get-hacked/
Tomi Engdahl says:
Internet Bug Bounty: High severity vulnerability in Apache HTTP Server could lead to RCE
https://portswigger.net/daily-swig/internet-bug-bounty-high-severity-vulnerability-in-apache-http-server-could-lead-to-rce
Tomi Engdahl says:
Cyber Ninjas Says It’s Shutting Down As Judge Orders $50K Daily Fine For Records Violations
https://talkingpointsmemo.com/news/cyber-ninjas-says-its-shutting-down-as-judge-orders-50k-daily-fine-for-records-violations
An Arizona state judge on Thursday ordered that the Arizona “audit” contractor Cyber Ninjas pay $50,000 in fines every day until it provided documents that the Arizona Republic newspaper had successfully sought in a public records request.
Also on Thursday, Cyber Ninjas, whose audit affirmed Joe Biden’s 2020 victory in Arizona’s largest county despite its error-filled final report, announced that… it had ceased to be an entity.
The audit firm was the belle of the Trumpworld ball for several months as the former president’s supporters looked to the audit Maricopa County’s votes for non-existent proof that Donald Trump’s second term had been stolen from him.
The newspaper initially sought a $1,000 daily fine for the missing records, but Hannah bumped that up 50-fold to $50,000.
Tomi Engdahl says:
The JNDI Strikes Back: Unauthenticated RCE in H2 Database Console
https://jfrog.com/blog/the-jndi-strikes-back-unauthenticated-rce-in-h2-database-console/
Very recently, the JFrog security research team has disclosed an issue in the H2 database console which was issued a critical CVE, CVE-2021-42392. This issue has the same root cause as the infamous Log4Shell vulnerability in Apache Log4j (JNDI remote class loading).
Although this is a critical issue with a similar root cause, CVE-2021-42392 should not be as widespread as Log4Shell (CVE-2021-44228). That being said, if you are running an H2 console which is exposed to your LAN (or worse, WAN) this issue is extremely critical (unauthenticated remote code execution) and you should update your H2 database to version 2.0.206 immediately.
Tomi Engdahl says:
“You are making a payment in our service”: beware of a new bank scam https://www.is.fi/digitoday/tietoturva/art-2000008524565.html
OP warns of a scam being carried out in its name. People are sent text messages stating that they have made a payment.
The message contains a link that leads to a page that steals bank credentials.
You should not log in to online banking or government services via links received by text message or e-mail.
Tomi Engdahl says:
FluBot malware now targets Europe posing as Flash Player app https://www.bleepingcomputer.com/news/security/flubot-malware-now-targets-europe-posing-as-flash-player-app/
The widely distributed FluBot malware continues to evolve, with new campaigns distributing the malware as Flash Player and the developers adding new features.
Tomi Engdahl says:
FinalSite ransomware attack shuts down thousands of school websites https://www.bleepingcomputer.com/news/security/finalsite-ransomware-attack-shuts-down-thousands-of-school-websites/
FinalSite, a leading school website services provider, has suffered a ransomware attack disrupting access to websites for thousands of schools worldwide. FinalSite is a software as a service (SaaS) provider that offers website design, hosting, and content management solutions for K-12 school districts and universities. FinalSite claims to provide solutions for over 8,000 schools and universities across 115 different countries.
Tomi Engdahl says:
Night Sky is the latest ransomware targeting corporate networks https://www.bleepingcomputer.com/news/security/night-sky-is-the-latest-ransomware-targeting-corporate-networks/
It’s a new year, and with it comes a new ransomware to keep an eye on called ‘Night Sky’ that targets corporate networks and steals data in double-extortion attacks.
Tomi Engdahl says:
Massive internet outages continue to sow confusion amid Kazakhstan protests https://therecord.media/massive-internet-outages-continue-to-sow-confusion-amid-kazakhstan-protests/
Nation-level internet traffic was cut off in Kazakhstan this week in the latest example of a petrostate trying to use shutdowns to quell protests and sow confusion. Early reports of communications disruptions started coming in on January 2, the first day people took to the streets in Almaty and other cities to protest fuel price increases and deteriorating economic conditions. Those reports were limited to localized mobile network interference and blocks on traffic to certain messaging services, including Telegram and Signal, Natalia Krapiva, Tech Legal Counsel at digital rights group Access Now said.
Tomi Engdahl says:
Latest WordPress security release fixes XSS, SQL injection bugs
https://portswigger.net/daily-swig/latest-wordpress-security-release-fixes-xss-sql-injection-bugs
The developers of WordPress have pushed out a security-focused update that addresses four significant security flaws in the content management software. More specifically WordPress 5.8.3 patches cross site scripting (XSS) and SQL injection vulnerabilities that affect WordPress versions between 3.7 and 5.8.
Tomi Engdahl says:
UK NHS: Threat actor targets VMware Horizon servers using Log4Shell exploits https://therecord.media/uk-nhs-threat-actor-targets-vmware-horizon-servers-using-log4shell-exploits/
The security team of the UK National Health Service (NHS) said that it detected an unknown threat actor using the Log4Shell vulnerability to hack VMWare Horizon servers and plant web shells for future attacks.
“The web shell can then be used by an attacker to carry out a number of malicious activities such as deploying additional malicious software, data exfiltration, or deployment of ransomware,” the NHS team said in a security alert published on Wednesday. also:
https://digital.nhs.uk/cyber-alerts/2022/cc-4002
Tomi Engdahl says:
QNAP: Get NAS Devices Off the Internet Now https://threatpost.com/qnap-nas-devices-ransomware-attacks/177452/
There are active ransomware and brute-force attacks being launched against internet-exposed, network-attached storage devices, the device maker warned. “The most vulnerable victims will be those devices exposed to the Internet without any protection,” QNAP said on Friday, urging all QNAP NAS users to follow security-setting instructions that the Taiwanese NAS maker included in its alert. also:
https://www.qnap.com/en/security-news/2022/take-immediate-actions-to-secure-qnap-nas
Tomi Engdahl says:
Custom Python RAT Builder
https://isc.sans.edu/diary/rss/28224
Tomi Engdahl says:
FBI: FIN7 hackers target US companies with BadUSB devices to install ransomware https://therecord.media/fbi-fin7-hackers-target-us-companies-with-badusb-devices-to-install-ransomware/
The US Federal Bureau of Investigation says that FIN7, an infamous cybercrime group that is behind the Darkside and BlackMatter ransomware operations, has sent malicious USB devices to US companies over the past few months in the hopes of infecting their systems with malware and carrying out future attacks. “Since August 2021, the FBI has received reports of several packages containing these USB devices, sent to US businesses in the transportation, insurance, and defense industries,” the Bureau said in a security alert sent yesterday to US organizations. “There are two variations of packages: those imitating HHS [US Department of Health and Human Services] are often accompanied by letters referencing COVID-19 guidelines enclosed with a USB; and those imitating Amazon arrived in a decorative gift box containing a fraudulent thank you letter, counterfeit gift card, and a USB.”
Tomi Engdahl says:
SonicWall: Y2K22 bug hits Email Security, firewall products https://www.bleepingcomputer.com/news/security/sonicwall-y2k22-bug-hits-email-security-firewall-products/
SonicWall has confirmed today that some of its Email Security and firewall products have been hit by the Y2K22 bug, causing message log updates and junk box failures starting with January 1st, 2022.
Microsoft was also hit by the same bug, with Microsoft Exchange on-premise servers stopping email delivery starting on January 1st, 2022, due to the Y2K22 bug’s impact on the FIP-FS anti-malware scanning engine, which would crash when scanning messages. Starting with January 1st, Honda and Acura car owners began reporting that their in-car navigation systems’ clocks would automatically get knocked back 20 years, to January 1st, 2002.
Tomi Engdahl says:
CDN Cache Poisoning Allows DoS Attacks Against Cloud Apps
https://www.darkreading.com/cloud/cache-poisoning-of-cdns-allows-dos-attacks-against-cloud-apps
A Romanian vulnerability researcher has discovered more than 70 flaws in combinations of cloud applications and content delivery networks (CDNs) that could be used to poison the CDN caches and result in denial-of-service (DoS) attacks on the applications. The research shows that poisoning Web caches is still a significant threat to cloud applications, Ladunca said in the recap of his research. “Even though Web Cache Poisoning has been around for years, the increasing complexity in technology stacks constantly introduces unexpected behavior which can be abused to achieve novel cache poisoning attacks,” he stated. also: https://youst.in/posts/cache-poisoning-at-scale/
Tomi Engdahl says:
WebSpec, a formal framework for browser security analysis, reveals new cookie attack
https://www.theregister.com/2022/01/08/webspec_browser_security/
Folks at Technische Universität Wien in Austria have devised a formal security framework called WebSpec to analyze browser security. And they’ve used it to identify multiple logical flaws affecting web browsers, revealing a new cookie-based attack and an unresolved Content Security Policy contradiction. These logical flaws are not necessarily security vulnerabilities, but they can be. They’re inconsistencies between Web platform specifications and the way these specs actually get implemented within web browsers.
Tomi Engdahl says:
500M Avira Antivirus Users Introduced to Cryptomining
https://krebsonsecurity.com/2022/01/500m-avira-antivirus-users-introduced-to-cryptomining/
Many readers were surprised to learn recently that the popular Norton 360 antivirus suite now ships with a program which lets customers make money mining virtual currency. But Norton 360 isn’t alone in this dubious endeavor: Avira antivirus, which has built a base of 500 million users worldwide largely by making the product free, was recently bought by the same company that owns Norton 360 and is introducing its customers to a service called Avira Crypto.
Tomi Engdahl says:
Osuuspankki’s website was the target of a cyberattack; the online service outage lasted several hours
https://yle.fi/uutiset/3-12263337
According to Osuuspankki, the fault has now been fixed. No customer data or money was compromised in the cyberattack.
Tomi Engdahl says:
Dev corrupts NPM libs ‘colors’ and ‘faker’ breaking thousands of apps https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/
The developer behind popular open-source NPM libraries ‘colors’ (aka colors.js on GitHub) and ‘faker’ (aka ‘faker.js’ on GitHub) intentionally introduced mischievous commits in them that are impacting thousands of applications relying on these libraries. The reason behind this mischief on the developer’s part appears to be retaliation against mega-corporations and commercial consumers of open-source projects who extensively rely on cost-free and community-powered software but do not, according to the developer, give back to the community.
Tomi Engdahl says:
Trojanized dnSpy app drops malware cocktail on researchers, devs https://www.bleepingcomputer.com/news/security/trojanized-dnspy-app-drops-malware-cocktail-on-researchers-devs/
Hackers targeted cybersecurity researchers and developers this week in a sophisticated malware campaign distributing a malicious version of the dnSpy.NET application to install cryptocurrency stealers, remote access trojans, and miners. This week, a threat actor created a GitHub repository with a compiled version of dnSpy that installs a cocktail of malware, including clipboard hijackers to steal cryptocurrency, the Quasar remote access trojan, a miner, and a variety of unknown payloads.
Tomi Engdahl says:
“Your account will be deleted”: a frighteningly credible Instagram scam hijacks passwords https://www.is.fi/digitoday/tietoturva/art-2000008520872.html
False claims of copyright infringement are now more credible than ever.
Tomi Engdahl says:
Polish Leader Admits Country Bought Powerful Israeli Spyware
https://www.securityweek.com/polish-leader-admits-country-bought-powerful-israeli-spyware
Poland’s most powerful politician has acknowledged that the country bought advanced spyware from the Israeli surveillance software maker NSO Group, but denied that it was being used to target his political opponents.
Jaroslaw Kaczynski, the leader of Poland’s ruling conservative party, Law and Justice, said in an interview that the software, Pegasus, is now being used by secret services in many countries to combat crime and corruption. He noted that Pegasus represents a technological advancement over earlier monitoring systems, which did not allow the services to monitor encrypted messages.
“It would be bad if the Polish services did not have this type of tool,” Kaczynski said in an interview to be published in the Monday edition of the weekly “Sieci,” excerpts of which were published Friday by the wPolityce.pl news portal.
Tomi Engdahl says:
United States-based online pharmacy service Ravkoo this week started notifying patients of a data breach that potentially resulted in the exposure of personal information.
https://www.securityweek.com/online-pharmacy-service-ravkoo-discloses-data-breach
Tomi Engdahl says:
California Man Pleads Guilty Over Role in $50 Million Fraud Scheme
https://www.securityweek.com/california-man-pleads-guilty-over-role-50-million-fraud-scheme
A California man this week admitted before a U.S. district judge to his role in a $50 million internet-enabled fraud scheme.
Court documents claim that, between 2012 and 2020, Allen Giltman, 56, of Irvine, California, created fraudulent websites to ask for funds from investors.
Working with others, the defendant created websites closely resembling the websites of legitimate financial institutions, as well as websites of seemingly legitimate institutions that in fact did not exist.
The fraudulent websites, which could be discovered by Internet searches, advertised investment opportunities, including the purchase of certificates of deposit. The advertisements promised high rates of return, to lure potential victims.
To appear legitimate, the websites displayed the actual names and logos of financial institutions and claimed that the institutions were regulated by known authorities that also insured the deposits made by investors.
Tomi Engdahl says:
Cyber Ninjas Faces Fine Over Arizona Election Review Records
https://www.securityweek.com/cyber-ninjas-faces-fine-over-arizona-election-review-records
A judge said Thursday he will fine Cyber Ninjas, the contractor that led Arizona Republicans’ 2020 election review, $50,000 a day if the firm doesn’t immediately turn over public records related to the unprecedented inquiry.
The judge found Cyber Ninjas in contempt for its failure to turn over documents, which two Maricopa County judges and the state Court of Appeals have ruled are subject to the public records law.
The $50,000 daily fine imposed by Maricopa County Superior Court Judge John Hannah far exceeds the $1,000 levy suggested by a lawyer for The Arizona Republic newspaper, which filed the public records lawsuit in 2020. Hannah said the lower amount would be “grossly insufficient” to coerce Cyber Ninjas to comply with his orders.
A lawyer for Cyber Ninjas, Jack Wilenchik, said the company is insolvent, has laid off all employees, including former CEO Doug Logan, and can’t afford to sift through its records to find those related to the audit.
Hannah said the $50,000 daily fine would begin accruing on Friday and warned that, if necessary, he will apply the fine to individuals, not just the Cyber Ninjas corporation.
“The court is not going to accept the assertion that Cyber Ninjas is an empty shell and that no one is responsible for seeing that it complies,” Hannah said.
He said there’s been no evidence submitted showing that Cyber Ninjas is actually insolvent and noted that millions of dollars were donated to the election review. He also said the company could comply for very little cost by turning its records over to the Senate and allowing legislative lawyers to determine which must be publicly released.
Wilenchik maintains Cyber Ninjas is not subject to the Arizona public records law because it’s a private company. Trial and appellate judges have disagreed, ruling that the documents must be released because the firm was performing a core government function on behalf of the Senate. The Arizona Supreme Court declined to take the case on appeal.
Experts or ‘Grifters’? Little-Known Firm Runs Arizona Audit
https://www.securityweek.com/experts-or-grifters-little-known-firm-runs-arizona-audit
In early March, a Boston-based vote-counting firm called Clear Ballot Group sent a bid to Arizona’s state Senate to audit the 2020 presidential election results in Maricopa County.
The firm has conducted more than 200 such audits over 13 years in business. “Our level of comparison data is unmatched,” Keir Holeman, a Clear Ballot Group vice president, wrote to the Republican-controlled Senate. He never heard back, he says.
Instead, the state Senate hired a small Florida-based cybersecurity firm known as Cyber Ninjas that had not placed a formal bid for the contract and had no experience with election audits. Senate President Karen Fann says she can’t recall how she found the firm, but her critics believe one credential stood out: Cyber Ninjas’ chief executive officer had tweeted support for conspiracy theories claiming Republican Donald Trump, and not Democrat Joe Biden, had won Maricopa County and Arizona.
Now the untested, little-known cybersecurity firm is running a partly taxpayer-funded process that election experts describe as so deeply flawed it veers into the surreal. Its chief aim, critics say, appears to be testing far-fetched theories, rather than simply recounting votes — an approach that directly undermines the country’s democratic traditions.
Tomi Engdahl says:
Log4Shell-Like Vulnerability Found in Popular H2 Database
https://www.securityweek.com/log4shell-vulnerability-found-popular-h2-database
A critical, unauthenticated remote code execution vulnerability has been impacting the H2 database console since 2008.
An open-source Java SQL database, H2 is an in-memory solution that eliminates the need to store data on disk, and is one of the most popular Maven packages, having roughly 7,000 artifact dependencies,
Tracked as CVE-2021-42392, the newly disclosed vulnerability has been lurking in H2 since version 1.1.100, which was released in 2008. All versions through 2.0.204 (released in December 2021) are affected.
The new bug, JFrog says, has the same root cause as the famous Log4Shell bug – they both involve the Java Naming and Directory Interface (JNDI) lookup feature – yet its impact isn’t as widespread, mainly because the console isn’t always used with the H2 database and because the H2 console listens to localhost by default.
However, the severity of the issue becomes critical when the H2 console is exposed to the LAN or WAN, given that it could be exploited to execute code remotely, without authentication.
The JNDI Strikes Back – Unauthenticated RCE in H2 Database Console
https://jfrog.com/blog/the-jndi-strikes-back-unauthenticated-rce-in-h2-database-console/
A short preamble
Very recently, the JFrog security research team has disclosed an issue in the H2 database console which was issued a critical CVE – CVE-2021-42392. This issue has the same root cause as the infamous Log4Shell vulnerability in Apache Log4j (JNDI remote class loading).
H2 is a very popular open-source Java SQL database offering a lightweight in-memory solution that doesn’t require data to be stored on disk. This makes it a popular data storage solution for various projects from web platforms like Spring Boot to IoT platforms like ThingWorks. The com.h2database:h2 package is part of the top 50 most popular Maven packages, with almost 7000 artifact dependencies.
Due to the current sensitivities around anything (Java) JNDI-related, we want to clarify a few of the conditions and configurations that must be present in order to be at risk before getting into the technical details of our H2 vulnerability findings.
Tomi Engdahl says:
Attackers Hitting VMWare Horizon Servers With Log4j Exploits
https://www.securityweek.com/attackers-hitting-vmware-horizon-servers-log4j-exploits
Tomi Engdahl says:
Ax Sharma / BleepingComputer:
An open-source developer, who expressed regret for supporting “Fortune 500s”, breaks ~19K projects by corrupting NPM libraries with millions of weekly downloads — Users of popular open-source libraries ‘colors’ and ‘faker’ were left stunned after they saw their applications …
Dev corrupts NPM libs ‘colors’ and ‘faker’ breaking thousands of apps
https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/
Tomi Engdahl says:
Casey Newton / Platformer:
Signal employees worry anonymous transactions could appeal to criminals, which would attract regulatory scrutiny and aid lawmakers who want to end encryption
How Signal is playing with fire
A push into untraceable payments could put end-to-end encryption at risk
https://www.platformer.news/p/how-signal-is-playing-with-fire
Tomi Engdahl says:
Nothing is yet known about the perpetrators or motive of the cyberattack that took down OP’s website
https://yle.fi/uutiset/3-12263848
As of Monday, no information has yet been obtained about the possible perpetrators or the motive of the cyberattack that caused a malfunction in Osuuspankki’s online services on Sunday, the bank’s chief information security officer Teemu Ylhäisi tells STT. – Yesterday the attack was repelled and the repair measures completed. Now we are continuing the technical investigations and are in contact with the authorities. The further investigations will still take time, Ylhäisi says. The disruption was caused by a volumetric attack aimed at the application, in which a large number of application requests were directed at the service. This caused an error condition on the login pages of OP’s website, which is why OP put the service into maintenance mode. The disruption lasted from six in the morning until 12:30 in the afternoon.
also: https://www.is.fi/digitoday/tietoturva/art-2000008529880.html
Tomi Engdahl says:
Packaging giant Huhtamäki was the target of a data breach; up to 150 gigabytes of data fell into the wrong hands https://www.is.fi/digitoday/tietoturva/art-2000008530521.html
The large Finnish packaging company Huhtamäki has been the target of an extensive data breach. A substantial amount of data has been taken from the company. – One of Huhtamäki’s units located abroad has been the target of a data breach, in connection with which data has been stolen. On social media the amount of stolen data has been reported as 150 GB, which matches our understanding as well. The investigation of the matter is at an early stage, and for that reason we cannot confirm the method of the breach or the nature of the stolen data, Huhtamäki’s head of media relations Katariina Hietaranta confirms. – Our operations and security of supply are not under threat, Hietaranta states.
Tomi Engdahl says:
CISA director: Log4Shell has not resulted in ‘significant’ government intrusions yet
https://therecord.media/cisa-director-log4shell-has-not-resulted-in-significant-government-intrusions-yet/
Top officials at the US Cybersecurity and Infrastructure Security Agency on Monday said the Log4Shell vulnerability has mostly resulted in cryptomining and other minor incidents at federal agencies, but warned that threat actors may soon start actively exploiting the vulnerability to disrupt critical infrastructure and other assets.
Tomi Engdahl says:
A hotel chain operating in Finland fell victim to a cyberattack and resolved the situation in an unusual way
https://www.tivi.fi/uutiset/tv/3ea960f6-2d2c-4a2a-992c-e3623692d012
The Norwegian hotel chain Nordic Choice Hotels, which operates in the Nordic countries and the Baltics, fell victim to ransomware in December.
Removing the malware from every infected Windows machine would have taken several hours per machine. Instead of removing the malware, the company decided to switch the machines’ operating system to Chrome OS.
Tomi Engdahl says:
COVID Omicron Variant Lure Used to Distribute RedLine Stealer
https://www.fortinet.com/blog/threat-research/omicron-variant-lure-used-to-distribute-redline-stealer
FortiGuard Labs recently came across a curiously named file, “Omicron Stats.exe”, which turned out to be a variant of Redline Stealer malware. This blog will look at the Redline Stealer malware, including what’s new in this variant, its core functions, how it communicates with its C2 server, and how organizations can protect themselves.
Tomi Engdahl says:
URL Parsing Bugs Allow DoS, RCE, Spoofing & More
https://threatpost.com/url-parsing-bugs-dos-rce-spoofing/177493/
Eight different security vulnerabilities arising from inconsistencies among 16 different URL parsing libraries could allow denial-of-service (DoS) conditions, information leaks and remote code execution (RCE) in various web applications, researchers are warning. Claroty report (PDF):
https://claroty.com/wp-content/uploads/2022/01/Exploiting-URL-Parsing-Confusion.pdf
Tomi Engdahl says:
China puts Walmart in the naughty corner, citing 19 alleged cybersecurity ‘violations’
https://www.theregister.com/2022/01/10/walmart_china_security/
American budget retailer Walmart was cited for 19 alleged cybersecurity breaches in China, state-sponsored media reported last week. “It is reported that the public security organs discovered nineteen exploitable network security vulnerabilities in Walmart’s network system on November 25, 2021, and [the company] did not deal with system vulnerabilities in a timely manner.”
Tomi Engdahl says:
New macOS vulnerability, “powerdir,” could lead to unauthorized user data access https://www.microsoft.com/security/blog/2022/01/10/new-macos-vulnerability-powerdir-could-lead-to-unauthorized-user-data-access/
Following our discovery of the “Shrootless” vulnerability, Microsoft uncovered a new macOS vulnerability, “powerdir,” that could allow an attacker to bypass the operating system’s Transparency, Consent, and Control (TCC) technology, thereby gaining unauthorized access to a user’s protected data. Apple released a fix for this vulnerability, now identified as CVE-2021-30970, as part of security updates released on December 13, 2021. We encourage macOS users to apply these security updates as soon as possible.
Tomi Engdahl says:
Indian Cyberspies Expose Their Operation After Infecting Themselves With RAT
https://www.securityweek.com/indian-cyberspies-expose-their-operation-after-infecting-themselves-rat
The India-linked threat actor tracked as Patchwork was observed employing a new variant of the BADNEWS backdoor in a recent campaign, but the hackers also infected one of their own computers, giving researchers a glimpse into their operations.
Also referred to as Dropping Elephant and Chinastrats and active since at least 2015, Patchwork is an advanced persistent threat (APT) group mainly known for the targeting of military and political individuals across the world, with a focus on entities in Pakistan.
https://www.securityweek.com/patchwork-threat-actor-expands-target-list
Tomi Engdahl says:
WordPress 5.8.3 Patches Several Injection Vulnerabilities
https://www.securityweek.com/wordpress-583-patches-several-injection-vulnerabilities
WordPress 5.8.3, a security release that became available last week, patches four injection-related vulnerabilities.
Two of the flaws are SQL injections — one affects WP_Meta_Query (discovered by Ben Bidner of the WordPress security team) and one affects WP_Query (discovered by ngocnb and khuyenn of GiaoHangTietKiem JSC).
Simon Scannell of SonarSource reported an object injection issue affecting some multisite installations, as well as a stored cross-site scripting (XSS) bug. Karim El Ouerghemmi was also credited for the XSS vulnerability.
Tomi Engdahl says:
SonicWall Patches Y2K22 Bug in Email Security, Firewall Products
https://www.securityweek.com/sonicwall-patches-y2k22-bug-email-security-firewall-products
Cybersecurity firm SonicWall says it has released patches for some of its email security and firewall products to address a bug that resulted in failed junk box and message log updates.
Referred to as Y2K22, the bug exists because some software stores dates in a 32-bit integer format, where the largest possible number is 2147483647. Because the dates are stored in the YYMMDDhhmm format, when the new year started the date was converted to 2201010001, which was larger than the maximum allowed, and it resulted in system errors.
As expected, SonicWall, a provider of email anti-spam, virtual private network (VPN), unified threat management (UTM), network firewall, and other security solutions, first observed the issue manifesting on January 1, 2022.
Because of the bug, admins and email users were unable to access the junk box or un-junk new emails, and they couldn’t trace the incoming/outgoing email messages through logs, the company says.
On January 2, SonicWall released patches for the North America and Europe instances of its hosted Email Security and fully addressed the bug without requiring any user interaction.
What is This Y2K22 Bug? What Problem is it Causing for Sysadmins?
The new year was not too happy for sysadmins with Microsoft Exchange servers to manage.
https://news.itsfoss.com/y2k22-bug/
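The overflow described above, as an added example that is not part of the original post or of SonicWall's code: it encodes a timestamp in the YYMMDDhhmm layout the article mentions and checks whether the result still fits in a signed 32-bit integer.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example (hypothetical layout, not SonicWall's code). */
typedef struct {
    int year;   /* full year, e.g. 2022 */
    int month;  /* 1..12 */
    int day;    /* 1..31 */
    int hour;   /* 0..23 */
    int minute; /* 0..59 */
} datetime_t;

/* Encode as YYMMDDhhmm using 64-bit arithmetic so the value itself never overflows. */
int64_t encode_yymmddhhmm(datetime_t dt)
{
    int64_t v = (int64_t)(dt.year % 100);
    v = v * 100 + dt.month;
    v = v * 100 + dt.day;
    v = v * 100 + dt.hour;
    v = v * 100 + dt.minute;
    return v;
}

/* True if the encoded value can be stored in a signed 32-bit integer (max 2147483647). */
bool fits_int32(int64_t v)
{
    return v >= INT32_MIN && v <= INT32_MAX;
}

/* Value a two's-complement 32-bit store would actually hold (wraps modulo 2^32). */
int64_t wrap_to_int32(int64_t v)
{
    int64_t w = v % 4294967296LL;
    if (w > INT32_MAX) w -= 4294967296LL;
    return w;
}

int main(void)
{
    datetime_t last_ok = {2021, 12, 31, 23, 59};
    datetime_t new_year = {2022, 1, 1, 0, 1};
    int64_t a = encode_yymmddhhmm(last_ok), b = encode_yymmddhhmm(new_year);
    printf("%lld fits: %d\n", (long long)a, fits_int32(a));   /* 2112312359 fits: 1 */
    printf("%lld fits: %d (stored as %lld)\n", (long long)b,
           fits_int32(b), (long long)wrap_to_int32(b));       /* 2201010001 fits: 0 */
    return 0;
}
```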
Tomi Engdahl says:
Abcbot DDoS Botnet Linked to Older Cryptojacking Campaign
https://www.securityweek.com/abcbot-ddos-botnet-linked-older-cryptojacking-campaign
Tomi Engdahl says:
Model tracked and followed home after stranger planted Apple AirTag in her coat
https://lm.facebook.com/l.php?u=https%3A%2F%2Fmetro.co.uk%2F2022%2F01%2F07%2Fmodel-brooks-nader-tracked-after-apple-airtag-put-in-her-pocket-15881360%2F%3Fito%3Dmetrouk&h=AT0SttplwM-qSSpjQAh3pQjHw6dJuMGJvYTqk6PgkQt20ePzjEeaMdGwX0YbEcH2gE3x8tf7scz3m6GInjCyK_iGkZn8AxTLLzqVRpDXkM2WLK7tb5_TEA3kCni4H8-7Dw
Tomi Engdahl says:
Sandbox Metaverse hackers are stealing virtual property worth tens of thousands of dollars
The Sandbox metaverse is full of theft.
https://stealthoptional.com/news/sandbox-metaverse-hackers-stealing-virtual-property/
Tomi Engdahl says:
Microsoft Patch Tuesday – January 2022
https://isc.sans.edu/forums/diary/Microsoft+Patch+Tuesday+January+2022/28230/
Microsoft fixed 126 different CVEs with this month’s update (this includes the Chromium issues patched in Edge). Six of the issues were publicly disclosed, and nine are rated critical. Noteworthy updates:
CVE-2022-21907: This is a remote code execution vulnerability in http.sys. http.sys is part of anything in Windows processing HTTP requests (e.g. IIS!). But this vulnerability only affects the HTTP Trailer feature, which is not enabled by default (not sure if there is a good reason to enable it).
CVE-2022-21846: Another critical remote code execution vulnerability in Exchange. But this vulnerability is not exploitable across the internet and requires the victim and the attacker to share the same network.
CVE-2021-22947: This vulnerability in curl was originally disclosed in September, which is why it is noted as “Publicly Disclosed”. This update fixes several vulnerabilities, not just the listed CVE.
Tomi Engdahl says:
KCodes NetUSB bug exposes millions of routers to RCE attacks
https://www.bleepingcomputer.com/news/security/kcodes-netusb-bug-exposes-millions-of-routers-to-rce-attacks/
A high-severity remote code execution flaw tracked as CVE-2021-45388 has been discovered in the KCodes NetUSB kernel module, used by millions of router devices from various vendors. Successfully exploiting this flaw would allow a remote threat actor to execute code in the kernel, and although some restrictions apply, the impact is broad and could be severe. The router vendors that use vulnerable NetUSB modules are Netgear, TP-Link, Tenda, EDiMAX, Dlink, and Western Digital.
Also:
https://www.sentinelone.com/labs/cve-2021-45608-netusb-rce-flaw-in-millions-of-end-user-routers/
Tomi Engdahl says:
APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit
https://research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit/
In this article, we share the details of the latest attacks by APT35 exploiting the Log4j vulnerability and analyze their post-exploitation activities including the new modular PowerShell-based framework dubbed CharmPower, used to establish persistence, gather information, and execute commands.
Tomi Engdahl says:
Night Sky ransomware uses Log4j bug to hack VMware Horizon servers
https://www.bleepingcomputer.com/news/security/night-sky-ransomware-uses-log4j-bug-to-hack-vmware-horizon-servers/
The Night Sky ransomware gang has started to exploit the critical CVE-2021-44228 vulnerability in the Log4j logging library, also known as Log4Shell, to gain access to VMware Horizon systems. On Monday, Microsoft published a warning about a new campaign from a China-based actor it tracks as DEV-0401 to exploit the Log4Shell vulnerability on VMware Horizon systems exposed on the internet, and deploy Night Sky ransomware. The company adds that the group is known for deploying other ransomware families in the past, such as LockFile, AtomSilo, and Rook. Previous attacks from this actor also exploited security issues in internet-facing systems like Confluence (CVE-2021-26084) and on-premises Exchange servers (CVE-2021-34473 – ProxyShell). It is believed that Night Sky is a continuation of the aforementioned ransomware operations.