This posting is here to collect cyber security news in January 2022.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
This posting is here to collect cyber security news in January 2022.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
439 Comments
Tomi Engdahl says:
noPac Exploit: Latest Microsoft AD Flaw May Lead to Total Domain Compromise in Seconds https://www.crowdstrike.com/blog/nopac-exploit-latest-microsoft-ad-flaw-may-lead-to-total-domain-compromise/
Microsoft recently published two critical CVEs related to Active Directory (CVE-2021-42278 and CVE-2021-42287), which when combined by a malicious actor could lead to privilege escalation with a direct path to a compromised domain. In mid-December 2021, a public exploit that combined these two Microsoft Active Directory design flaws (referred also as “noPac”) was released. The exploit allowed the escalation of privileges of a regular domain user to domain administrator, which enables a malicious actor to launch multiple attacks such as domain takeover or a ransomware attack. This is a serious concern because this exploit was confirmed by multiple researchers as a low-effort exploit with critical impact. Researchers at Secureworks have demonstrated how to exploit these Active Directory flaws to gain domain privileges in just 16 seconds. Yes, you read it right a compromised domain in a quarter of a minute!
Tomi Engdahl says:
New SysJoker Backdoor Targets Windows, Linux, and macOS
https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/
In December 2021, we discovered a new multi-platform backdoor that targets Windows, Mac, and Linux. The Linux and Mac versions are fully undetected in VirusTotal. We named this backdoor SysJoker. SysJoker was first discovered during an active attack on a Linux-based web server of a leading educational institution. After further investigation, we found that SysJoker also has Mach-O and Windows PE versions. Based on Command and Control (C2) domain registration and samples found in VirusTotal, we estimate that the SysJoker attack was initiated during the second half of 2021. Below we provide a technical analysis of this malware together with IoCs and detection and response mitigations.
Tomi Engdahl says:
Critical SonicWall NAC Vulnerability Stems from Apache Mods https://threatpost.com/sonicwall-nac-vulnerability-apache-mods/177529/
Rapid7 has offered up more details on a SonicWall critical flaw that allows for unauthenticated remote code execution (RCE) on affected devices, noting that it arises from tweaks that the vendor made to the Apache httpd server. The bug (CVE-2021-20038) is one of five vulnerabilities discovered in its series of popular network access control (NAC) system products.
Tomi Engdahl says:
Multiple Node.js vulnerabilities fixed in flurry of new releases https://portswigger.net/daily-swig/multiple-node-js-vulnerabilities-fixed-in-flurry-of-new-releases
The developers behind Node.js have released new versions of several release lines to address four vulnerabilities in the server-side technology. The security flaws, three of medium severity and one marked as low severity, have been fixed in new versions of the 12.x, 14.x, 16.x, and 17.x branches.
Tomi Engdahl says:
FinalSite: No school data stolen in ransomware attack behind site outages https://www.bleepingcomputer.com/news/security/finalsite-no-school-data-stolen-in-ransomware-attack-behind-site-outages/
FinalSite announced today the findings of a six-day investigation into last week’s ransomware attack, stating it found no evidence schools’
data accessed or stolen by hackers.
Tomi Engdahl says:
https://www.securityweek.com/albania-hires-us-company-boost-cybersecurity-after-leak
Tomi Engdahl says:
Patch Tuesday: Microsoft Calls Attention to ‘Wormable’ Windows Flaw
https://www.securityweek.com/patch-tuesday-microsoft-calls-attention-wormable-windows-flaw
Microsoft’s first batch of patches for 2022 is a big one: 97 documented security flaws in the Windows ecosystem, some serious enough to cause remote code execution attacks.
The January security updates from Redmond cover security defects in a wide range of default Windows OS components, including a critical flaw in the HTTP Protocol Stack (http.sys) that Microsoft describes as “wormable,” and another code execution Exchange Server bug reported by the NSA.
According to Microsoft’s documentation, nine of the 97 bugs are rated “critical,” the company’s highest severity rating. The majority of the bulletins are rated “important” and Microsoft is warning that at least a half-dozen have already been publicly documented.
The company said it had no information that any of the patched vulnerabilities have been exploited as zero-day in the wild.
Tomi Engdahl says:
Adobe Patches Reader Flaws That Earned Hackers $150,000 at Chinese Contest
https://www.securityweek.com/adobe-patches-reader-flaws-earned-hackers-150000-chinese-contest
Adobe on Tuesday announced security updates for several products, including for Acrobat and Reader, in which the software giant patched a total of 26 vulnerabilities.
Of the 26 security holes fixed in the Windows and macOS versions of Acrobat and Reader, 16 have been assigned a “critical” severity rating (high severity based on their CVSS score), and a majority are memory-related issues that can be exploited for arbitrary code execution.
Four of these critical vulnerabilities — CVE-2021-44704 through CVE-2021-44707 — were disclosed by four different teams at China’s Tianfu Cup hacking contest.
Tomi Engdahl says:
Details Disclosed for Recent Vulnerabilities in SonicWall Remote Access Appliances
https://www.securityweek.com/details-disclosed-recent-vulnerabilities-sonicwall-remote-access-appliances
Rapid7 today shared details on a series of vulnerabilities that SonicWall patched in the Secure Mobile Access (SMA) 100 series secure access gateway products last month.
The impacted devices include the SMA 200, 210, 400, 410, and 500 edge network access control systems that have the Web Application Firewall (WAF) enabled.
The most severe of these vulnerabilities is CVE-2021-20038 (CVSS score of 9.8), an unauthenticated stack-based buffer overflow that could lead to remote code execution (RCE) as the ‘nobody’ user.
“The vulnerability is due to the SonicWall SMA SSLVPN Apache httpd server GET method of mod_cgi module environment variables use a single stack-based buffer using `strcat`. This allows remote attacker to cause stack-based buffer overflow and would result in code execution,” SonicWall says.
Tomi Engdahl says:
Millions of Routers Impacted by NetUSB Kernel Vulnerability
https://www.securityweek.com/millions-routers-impacted-netusb-kernel-vulnerability
A vulnerability in the NetUSB kernel module could allow remote attackers to execute code on millions of router devices, endpoint security company SentinelOne warns.
Developed by KCodes, NetUSB was designed to enable the interaction between remote network devices in a network and USB devices that are connected to a router. A driver needs to be installed on the remote PC to enable the functionality.
The code is employed by devices from numerous vendors, including Netgear, TP-Link, Tenda, EDiMAX, D-Link, and Western Digital.
Tracked as CVE-2021-45608, the security error exists in code that takes a command number and then routes the message to the respective SoftwareBus function, SentinelLabs, the threat intelligence and malware analysis unit of SentinelOne, explains.
https://www.sentinelone.com/labs/cve-2021-45608-netusb-rce-flaw-in-millions-of-end-user-routers/
Tomi Engdahl says:
Moxie Marlinspike Steps Down as Signal CEO
https://www.securityweek.com/moxie-marlinspike-steps-down-signal-ceo
Tomi Engdahl says:
CISA Unaware of Any Significant Log4j Breaches in U.S.
https://www.securityweek.com/cisa-unaware-any-significant-log4j-breaches-us
CISA Concerned About Risk Posed by Log4Shell to Critical Infrastructure
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) says it’s currently unaware of any significant breaches related to the recently disclosed Log4j vulnerabilities.
In a briefing with reporters on Monday, CISA’s director, Jen Easterly, and Eric Goldstein, executive assistant director for cybersecurity at CISA, said they are not aware of any significant incident, which is likely due to the quick action taken by many organizations.
On the other hand, the CISA officials warned that malicious actors will likely continue to exploit the Log4j vulnerability known as Log4Shell. In addition, threat actors may have already exploited Log4Shell to gain access to the systems of major organizations, but they may be waiting for the right time to further leverage that access to achieve their goals.
Tomi Engdahl says:
LastPass is likely knowingly restricting users from exporting their passwords while putting their new pricing plan into effect. This makes the user have to choose between paying an increased price for LastPass or losing access to all of their online accounts. If this is true, they are in major violation of Article 20 of the GDPR.
LastPass appears to be holding users’ passwords hostage alongside more expensive pricing plans
https://alternativeto.net/news/2022/1/lastpass-seemingly-deliberately-holding-users-password-data-hostage-alongside-new-pricing-plans/
As discussed on the r/software subreddit, LastPass is using multiple tactics to trap users into their ecosystem
Tomi Engdahl says:
https://www.bloomberg.com/news/articles/2022-01-12/teen-hacker-claims-to-have-taken-control-of-25-teslas-worldwide?sref=YfHlo0rL
Tomi Engdahl says:
Xbox Boss Phil Spencer Calls For Cross-Platform Ban Program
If that can’t happen, Spencer said he hopes to see a system that lets you bring a “banned user list” to a new network.
https://www.gamespot.com/articles/xbox-boss-phil-spencer-calls-for-cross-platform-ban-program/1100-6499488/
Tomi Engdahl says:
Ransomware Attack Locks Down US Prison
https://www.securityweek.com/ransomware-attack-locks-down-us-prison
A ransomware attack locked down a US jail, knocking out security cameras and leaving inmates confined to their cells, court documents show.
Cyber attackers hacked into the computer system that controls servers and internet access at the prison in Bernalillo County, New Mexico last w
Tomi Engdahl says:
Apple Patches iOS HomeKit Flaw After Researcher Warning
https://www.securityweek.com/apple-patches-ios-homekit-flaw-after-researcher-warning
Apple has released an iOS security update with a fix for a persistent denial-of-service flaw in the HomeKit software framework but only after an independent researcher publicly criticized the company for ignoring his discovery.
The iOS 15.2.1 patch, available for all supported iPhones and iPads, is described simply as a “resource exhaustion issue” that causes the device to hang when processing maliciously crafted HomeKit accessory names.
The sudden appearance of the patch comes almost two weeks after researcher Trevor Spiniolas publicly documented the HomeKit bug and warned that it could be exploited to launch ransomware-type attacks on iPhones.
Spinolas found that when the name of an Apple HomeKit device is changed to an unusually large string, any iOS device that loads the string will face a persistent disruption. Even worse, restoring a device and signing back into the iCloud account linked to the HomeKit device will again trigger the bug, Spinolas explained.
Tomi Engdahl says:
Mozilla Patches High-Risk Firefox, Thunderbird Security Flaws
https://www.securityweek.com/mozilla-patches-high-risk-firefox-thunderbird-security-flaws
Mozilla has released Firefox 96 with patches for 18 security vulnerabilities affecting its flagship web browser and the Thunderbird mail program.
Of the newly patched security flaws, nine are rated high-severity while six carry a “medium-severity” rating.
The most important of these issues is CVE-2022-22746, a race condition leading to the bypass of full-screen notification on Windows machines.
Next in line is CVE-2022-22743, another fullscreen spoof, this time affecting the browser window. The bug could allow an attacker-controlled tab to prevent the browser from leaving fullscreen mode when the user navigates from inside an iframe.
Both security defects were discovered by Irvan Kurniawan, who also found that it was possible to prevent a popup window from leaving fullscreen mode when resizing the popup while requesting fullscreen access (CVE-2022-22741).
Tomi Engdahl says:
Microsoft Introduces New Security Update Notifications
https://www.securityweek.com/microsoft-introduces-new-security-update-notifications
Microsoft this week announced updated notifications for the Security Update Guide, the page where the tech company informs users of vulnerabilities that affect Microsoft products.
The newly announced changes, Microsoft says, are designed to help receive Security Update Guide notifications easier, allowing users to sign up with any email address and receive alerts in their inbox (previously, only Live IDs were accepted).
Furthermore, the company is making notifications more automated and streamlined, and is also providing customers with the option to manage their settings from the Security Update Guide itself.
https://msrc-blog.microsoft.com/2022/01/11/coming-soon-new-security-update-guide-notification-system/
Tomi Engdahl says:
New Cross-Platform Backdoor ‘SysJoker’ Used in Targeted Attacks
https://www.securityweek.com/new-cross-platform-backdoor-sysjoker-used-targeted-attacks
A backdoor likely used by an advanced persistent threat (APT) actor in targeted attacks was built to target Windows, macOS, and Linux systems, Intezer reports.
Dubbed SysJoker, the backdoor was identified last month in an attack targeting the web server of an educational institution. In addition to the Linux-based variant used in this attack, Intezer’s security researchers identified Mach-O and Windows PE versions of the threat as well.
SysJoker was found on the VirusTotal scanning engine with the suffix .ts, for TypeScript files, which could indicate distribution via an infected npm package, the researchers say.
To evade detection, the threat poses as a system update and its operators are constantly changing the command and control (C&C) server. The C&C is generated by decoding a string fetched from a text file on Google Drive, which the attackers control.
Tomi Engdahl says:
ICS Patch Tuesday: Siemens, Schneider Electric Address 40 Vulnerabilities
https://www.securityweek.com/ics-patch-tuesday-siemens-schneider-electric-address-40-vulnerabilities
Tomi Engdahl says:
SAP Patches Log4Shell Vulnerability in More Applications
https://www.securityweek.com/sap-patches-log4shell-vulnerability-more-applications
Tomi Engdahl says:
New Windows Server updates cause DC boot loops, break Hyper-V https://www.bleepingcomputer.com/news/microsoft/new-windows-server-updates-cause-dc-boot-loops-break-hyper-v/
The latest Windows Server updates are causing severe issues for administrators, with domain controllers having spontaneous reboots, Hyper-V not starting, and inaccessible ReFS volumes until the updates are rolled back. Yesterday, Microsoft released the Windows Server 2012
R2 KB5009624 update, the Windows Server 2019 KB5009557 update, and the Windows Server 2022 KB5009555 update as part of the January 2022 Patch Tuesday. After installing these updates, administrators have been battling multiple issues that are only resolved after removing the updates. also:
https://borncity.com/win/2022/01/12/windows-server-januar-2022-sicherheitsupdates-verursachen-boot-schleife/
Tomi Engdahl says:
Wormable Windows HTTP hole what you need to know
https://nakedsecurity.sophos.com/2022/01/12/wormable-windows-http-hole-what-you-need-to-know/
We wrote up an overview of the updates, as we do every month, over on our sister site news.sophos.com: First Patch Tuesday of 2022 repairs
102 bugs. For better or for worse, one update has caught the media’s attention more than any other, namely CVE-2022-21907, more fully known as HTTP Protocol Stack Remote Code Execution Vulnerability. This bug was one of seven of this month’s security holes that could lead to remote code execution (RCE), the sort of bug that means someone outside your network could trick a computer inside your network into running some sort of program without asking for permission first.
also:
https://isc.sans.edu/forums/diary/A+Quick+CVE202221907+FAQ+work+in+progress/28234/
Tomi Engdahl says:
Tori- ja Facebook-huijarit kaappaavat suomalaisten korttitietoja “Ilmoituksia tulee päivittäin”
https://www.iltalehti.fi/tietoturva/a/66b2c4ed-fc35-4c9b-b9bd-cbbf98ff9eee
Tori.fissä sekä Facebookin Marketplace-kauppapaikalla liikkuu tällä hetkellä todella paljon huijareita. Kauppaa näillä alustoilla käyvän kannattaa miettiä tarkkaan, ilmoittaako puhelinnumeronsa myynti-ilmoituksen yhteydessä, sillä yhteydenotot tapahtuvat pääosin Whatsappin välityksellä. Liikenne- ja viestintäviraston Kyberturvallisuuskeskuksen erityisasiantuntija Juha Tretjakov kertoo, että keskus on saanut viimeisen kahden viikon aikana useita ilmoituksia päivässä myyntipalstoilla tapahtuvista huijausyrityksistä.
Tomi Engdahl says:
Ole tarkkana, jos saat tällaisen puhelun huijaustilanteeseen yksi selkeä neuvo
https://www.iltalehti.fi/tietoturva/a/0d289d8b-27e8-4e90-aa1b-bf2a92290ac5
Vajaa kahden vuoden ajan suomalaisia ovat kiusanneet huijarisoittajat, jotka ovat aiemmin esiintyneet Microsoftin tukena. Nyt huijarit ovat muuttaneet lähestymistapaansa esiintyen operaattorien edustajina.
Liikenne- ja viestintäviraston Kyberturvallisuuskeskuksen erityisasiantuntija Juha Tretjakov kertoo, että keskus on saanut huijauspuheluista ilmoituksia. Puhelut ovat osa suurempaa Microsoft-huijausaaltoa ja ne voivat tulla myös suomalaisista numeroista. – Kun “operaattorilta” soitetaan suomenkieliselle “asiakkaalle” ja puhutaan englantia, on se jo iso tunnusmerkki siitä, että kyseessä on huijaus, Tretjakov toteaa. Tretjakovin ohjeet tilanteisiin, joissa saa oudon puhelun, ovat yksinkertaiset: – Vaikka se tylyltä tuntuisikin, luurin saa lyödä suoraan tällaisen soittajan korvaan.
Tomi Engdahl says:
Check your SPF records: Wide IP ranges undo email security and make for tasty phishes https://www.zdnet.com/article/check-your-spf-records-wide-ip-ranges-undo-email-security-and-make-for-tasty-phishes/
With parts of the Australian private sector, governments at all levels, and a university falling foul of wide IP ranges in a SPF record, it might be time to check yours.
Tomi Engdahl says:
Ransomware targets Edge users
https://blog.malwarebytes.com/threat-intelligence/2022/01/ransomware-targets-edge-users/
Last week, Malwarebytes’ Threat Intelligence worked with nao_sec researchers to investigate a recently-discovered update to the Magnitude Exploit Kit that was duping users with a fake Microsoft Edge browser update. The Magnitude exploit kit uses a grab-bag of social engineering lures and exploits to attack web users and install ransomware on their computers. Although Magnitude has been used to target different geographies and deliver different kinds of ransomware in the past, these days it is strictly focussed on installing Magniber ransomware on targets in South Korea. also:
https://asec.ahnlab.com/en/30645/
Tomi Engdahl says:
Millions of Wi-Fi routers vulnerable to hacker attack — what you need to do
By Paul Wagenseil published 2 days ago
Models from Netgear, TP-Link, D-Link thought to be affected
https://www.tomsguide.com/uk/news/router-attack-netusb-flaw
A severe security flaw could let malicious hackers attack and take over millions of home Wi-Fi routers over the internet, researchers disclosed today (Jan. 11).
Tomi Engdahl says:
FIN7 Uses Flash Drives to Spread Remote Access Trojan https://www.recordedfuture.com/fin7-flash-drives-spread-remote-access-trojan/
Recorded Future analysts continue to monitor the activities of the
FIN7 group as they adapt and expand their cybercrime operations.
Gemini has conducted a more in-depth investigation into these types of attack after a Gemini source provided analysts with a file sketch_jul31a.ino, which was linked to FIN7s BadUSB attacks. The file had the extension (.INO), indicating it contained the source code for an Arduino sketch (the Arduino term for a program). BleepingComputer also recently released a public report on FIN7s use of the BadUSB attack method, outlining the activity around this type of attack.
Tomi Engdahl says:
Microsoft Defender weakness lets hackers bypass malware detection https://www.bleepingcomputer.com/news/security/microsoft-defender-weakness-lets-hackers-bypass-malware-detection/
Threat actors can take advantage of a weakness that affects Microsoft Defender antivirus on Windows to learn locations excluded from scanning and plant malware there. The issue has persisted for at least eight years, according to some users, and affects Windows 10 21H1 and Windows 10 21H2.
Tomi Engdahl says:
BreakingFormation: Orca Security Research Team Discovers AWS CloudFormation Vulnerability https://orca.security/resources/blog/aws-cloudformation-vulnerability/
Orca Securitys vulnerability researcher, Tzah Pahima, discovered a vulnerability in AWS allowing file and credential disclosure of an AWS internal service. This zero-day, which AWS completely mitigated within
6 days of our submission, was an XXE (XML External Entity) vulnerability found in the CloudFormation service. This could have been used to leak sensitive files found on the vulnerable service machine and make server-side requests (SSRF) susceptible to the unauthorized disclosure of credentials of internal AWS infrastructure services.
Tomi Engdahl says:
Uusi nettiansa panee lähettämään tekstiviestin ja se käy kalliiksi https://www.is.fi/digitoday/tietoturva/art-2000008537973.html
TILAUSANSAT ovat piinanneet suomalaisia netinkäyttäjiä. Kyseessä on verkkohuijauksen muoto, jossa uhri houkutellaan luovuttamaan maksukorttinsa tiedot, ja korttia aletaan veloittaa säännöllisesti.
Kuukausiveloitukset saattavat olla usein 7080 euron luokkaa. Liikenne- ja viestintäviraston Kyberturvallisuuskeskus varoittaa uudenlaisesta tavasta houkutella ihmisiä ansaan. Kyseessä ovat verkkoselaimen ponnahdusikkunat, jotka ilmoittavat sovelluksen tai käyttöjärjestelmän päivitystarpeesta. Päivitystä varten vaaditaan tekstiviestin lähettämistä
Tomi Engdahl says:
Ransomware Group That Targeted Over 50 Companies Dismantled in Ukraine
https://www.securityweek.com/ransomware-group-targeted-over-50-companies-dismantled-ukraine
Tomi Engdahl says:
https://www.securityweek.com/maryland-confirms-ransomware-attack-health-agency
Tomi Engdahl says:
https://www.securityweek.com/cisco-patches-critical-vulnerability-contact-center-products
Tomi Engdahl says:
U.S. Cyber Command Officially Links MuddyWater Group to Iranian Intelligence
https://www.securityweek.com/us-cyber-command-officially-links-muddywater-group-iranian-intelligence
Tomi Engdahl says:
Report: Dozens of El Salvador Journalists, Activists Hacked
https://www.securityweek.com/report-dozens-el-salvador-journalists-activists-hacked
Tomi Engdahl says:
Nathaniel Mott / PCMag:
Amazon patches two AWS flaws discovered by Orca Security that could have exposed information managed by Glue users and leaked sensitive files via CloudFormation — The flaw could be used by AWS Glue users to access other users’ data. A second bug with AWS CloudFormation, also fixed, could have been used to leak sensitive files.
Amazon Web Services Patches ‘Superglue’ Vulnerability
The flaw could be used by AWS Glue users to access other users’ data. A second bug with AWS CloudFormation, also fixed, could have been used to leak sensitive files.
https://uk.pcmag.com/security/138143/amazon-web-services-patches-superglue-vulnerability
Tomi Engdahl says:
Iso kyberisku Ukrainan hallintoa vastaan
Isku tapahtui yön aikana ja siihen sisältyi uhkaus.
https://www.is.fi/digitoday/tietoturva/art-2000008539389.html
Ukrainassa useille hallinnon verkkosivuille on tehty kyberhyökkäys, maa kertoo. Esimerkiksi useiden ministeriöiden verkkosivuille ei parhaillaan pääse.
Ukrainan opetusministeriö tiedottaa Facebookissa, että ministeriön verkkosivu on alhaalla globaalin kyberhyökkäyksen vuoksi. Hyökkäys on päivityksen mukaan tehty viime yönä.
Ulkoministeriön sivusto on niin ikään alhaalla. Uutistoimisto AFP kertoo, että jonkin aikaa sivulla näkyi ukrainaksi, venäjäksi ja puolaksi kirjoitettu viesti, jossa käskettiin “pelkäämään ja odottamaan pahinta”.
Valtiollisten toimijoiden lisäksi verkossa on myös runsaasti poliittisesti motivoituneita toimijoita.
Tomi Engdahl says:
Ukraine Reports Massive Cyber Attack on Government Websites
https://www.themoscowtimes.com/2022/01/14/ukraine-reports-massive-cyber-attack-on-government-websites-a76038
If Russia launches an attack on Ukraine, what might it look like? Here are some possibilities.
With troops massed on Ukraine’s border, Russia has many options for an attack, experts say, including steps short of full-scale invasion and occupation.
https://www.nbcnews.com/politics/national-security/if-russia-launches-attack-ukraine-what-might-it-look-here-n1287369
Tomi Engdahl says:
https://www.techspot.com/amp/news/92971-teen-hacker-gains-remote-control-over-20-teslas.html
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/microsoft-defender-weakness-lets-hackers-bypass-malware-detection/
Tomi Engdahl says:
https://news.sky.com/story/ukraine-says-massive-cyber-attack-has-shut-down-government-websites-12515487
Tomi Engdahl says:
Bloomberg:
Ukraine says a cyberattack brought down websites of several government agencies for hours but no sensitive data was stolen — Ukraine said a cyberattack brought down the websites of several government agencies for hours. Authorities didn’t immediately comment on the source of the outage …
https://www.bloomberg.com/news/articles/2022-01-14/several-ukraine-ministry-websites-struck-by-likely-cyberattack
Tomi Engdahl says:
https://hackaday.com/2022/01/14/this-week-in-security-npm-vandalism-simulating-reboots-and-more/
We’ve covered quite a few stories about malware sneaking into the NPN and other JavaScript repositories. This is a bit different. This time, a JS programmer vandalized his own packages. It’s not even malware, perhaps we should call it protestware? The two packages, colors and faker are both popular, with a combined weekly download of nearly 23 million. Their author, [Marak] added a breaking update to each of them. These libraries now print a header of LIBERTY LIBERTY LIBERTY, and then either random characters, or very poor ASCII art. It’s been confirmed that this wasn’t an outside attacker, but [Marak] breaking his own projects on purpose. Why?
It seems like this story starts back in late 2020, when [Marak] lost quite a bit in a fire, and had to ask for money on Twitter. Two weeks later, he tweeted that billions were being made off open source devs’ work, citing a FAANG leak. FAANG is a reference to the big five American tech companies: Facebook, Apple, Amazon, Netflix, and Google. The same day, he opened an issue on Github for faker.js, throwing down an ultimatum: “Take this as an opportunity to send me a six figure yearly contract or fork the project and have someone else work on it.”
Another developer, [DABH] has been doing maintenance since then, up until the vandalism happened. All told, it’s a mess.
Dev corrupts NPM libs ‘colors’ and ‘faker’ breaking thousands of apps
https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/
Tomi Engdahl says:
First on CNN: US intelligence indicates Russia preparing operation to justify invasion of Ukraine
https://lm.facebook.com/l.php?u=https%3A%2F%2Fwww.cnn.com%2F2022%2F01%2F14%2Fpolitics%2Fus-intelligence-russia-false-flag%2Findex.html&h=AT1U3j5Lpst1ApHVYNPEevdJOfUlhWAIR9YDdoXVpzIF6XBPiAu1GeT8g5oSTgavJns5-fR5caM7DSoYsTW6CNRyIskwOKcaRr2DS-EkjIe8iw7Y0k0HHtrwI1jjuV3kMQ
Washington (CNN) – The US has information that indicates Russia has prepositioned a group of operatives to conduct a false-flag operation in eastern Ukraine, a US official told CNN on Friday, in an attempt to create a pretext for an invasion.
“Our intelligence community has developed information, which has now been downgraded, that Russia is laying the groundwork to have the option of fabricating the pretext for an invasion,” Sullivan said on Thursday. “We saw this playbook in 2014. They are preparing this playbook again and we will have, the administration will have, further details on what we see as this potential laying of the pretext to share with the press over the course of the next 24 hours.”
Tomi Engdahl says:
Microsoft revealed it has discovered 97 new security vulnerabilities in its operating systems, impacting all versions of Windows
Microsoft Issues Serious Windows 10, Windows 11 Upgrade Warning
https://www.forbes.com/sites/gordonkelly/2022/01/14/microsoft-warning-windows-10-windows-11-hacks-exploits-vulnerabilities-update-windows-now/?sh=41963ac37d88&utm_campaign=socialflowForbesMainFB&utm_medium=social&utm_source=ForbesMainFacebook
Breaking down the contents of its January 2022 ‘Patch Tuesday’, Microsoft revealed it has discovered an eye-watering 97 new security vulnerabilities in its operating systems. Six of these have been classified as ‘zero day’ which means they are out in the wild and were known to hackers before Microsoft could respond. All versions of Windows are affected, including Windows 7, Windows 8, Windows 10 and Windows 11 as well as Windows Server 2019 and 2022.
Tomi Engdahl says:
Russia Nabs Colonial Pipeline Hacker In Raids On Ransomware Ring, U.S. Says
https://www.forbes.com/sites/zacharysmith/2022/01/14/russia-nabs-colonial-pipeline-hacker-in-raids-on-ransomware-ring-us-says/?utm_campaign=forbes&utm_source=facebook&utm_medium=social&utm_term=Gordie&sh=314481bb6ee8
Russia’s Federal Security Service (FSB) arrested a hacker believed to be responsible for a May cyberattack on the Colonial Pipeline, a fuel pipeline running from Texas to New York, the Biden administration confirmed Friday.
Tomi Engdahl says:
https://thehackernews.com/2022/01/russia-arrests-revil-ransomware-gang.html?m=1