This posting is here to collect cyber security news in January 2022.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
439 Comments
Tomi Engdahl says:
EU Targets Fictitious Finnish Power Company in Cyberattack Test https://www.bloomberg.com/news/articles/2022-01-15/eu-targets-fictitious-finnish-power-company-in-cyberattack-test
The European Union began testing its cyber-defense responsiveness on Friday with a simulated attack on a fictitious Finnish power company as the bloc seeks to strengthen its digital defenses amid concern about potential attacks. The start of the cyber exercise came the same day Ukraine fell victim to an actual attack that brought down around 70 government websites.
Tomi Engdahl says:
Cyber espionage campaign targets renewable energy companies https://www.bleepingcomputer.com/news/security/cyber-espionage-campaign-targets-renewable-energy-companies/
A large-scale cyber-espionage campaign targeting primarily renewable energy and industrial technology organizations has been discovered to be active since at least 2019, targeting over fifteen entities worldwide. The campaign was discovered by security researcher William Thomas, a Curated Intelligence trust group member, who employed OSINT (open-source intelligence) techniques like DNS scans and public sandbox submissions.
Tomi Engdahl says:
Same-origin violation vulnerability in Safari 15 could leak a user's website history and identity https://portswigger.net/daily-swig/same-origin-violation-vulnerability-in-safari-15-could-leak-a-users-website-history-and-identity
The issue was introduced in Safari's implementation of the IndexedDB API in its latest offering, version 15. IndexedDB is a browser API for client-side storage designed to hold significant amounts of data. To prevent data leaks from cross-site scripting (XSS) attacks, IndexedDB follows the same-origin policy, controlling which resources can access each piece of data.
Tomi Engdahl says:
Earth Lusca threat actor targets governments and cryptocurrency companies alike https://therecord.media/earth-lusca-threat-actor-targets-governments-and-cryptocurrency-companies-alike/
Cybersecurity researchers said they discovered a Chinese cyber-espionage group that, besides spying on strategic targets, also dabbled in financially-motivated attacks for their own profits. Named Earth Lusca, the group has spent the past years spying on targets that could be considered of interest to the Chinese government.
Tomi Engdahl says:
Additional Healthcare Firms Disclose Impact From Netgain Ransomware Attack
https://www.securityweek.com/additional-healthcare-firms-disclose-impact-netgain-ransomware-attack
Tomi Engdahl says:
Vulnerability in IDEMIA Biometric Readers Allows Hackers to Unlock Doors
https://www.securityweek.com/vulnerability-idemia-biometric-readers-allows-hackers-unlock-doors
A critical vulnerability impacting multiple IDEMIA biometric identification devices can be exploited to unlock doors and turnstiles.
Because of this security defect, if the TLS protocol is not activated, an attacker in the network can send specific commands without authentication to open doors or turnstiles directly operated by a vulnerable device.
The attacker could also exploit the bug to cause a denial of service (DoS) condition by sending a reboot command to the vulnerable device, according to an advisory published by IDEMIA, a France-based tech company that specializes in identity-related physical security services.
Identified by researchers at Russian cybersecurity firm Positive Technologies – which was sanctioned by the United States last year for alleged ties with Russian intelligence – the flaw has a CVSS score of 9.1, yet no CVE identification number has been issued for it until now.
Affected products include MorphoWave Compact MD/MDPI/MDPI-M, VisionPass MD/MDPI/MDPI-M, all variants of SIGMA Lite/Lite+/Wide, SIGMA Extreme, and MA VP MD.
Tomi Engdahl says:
Oracle to Release Nearly 500 New Security Patches
https://www.securityweek.com/oracle-release-nearly-500-new-security-patches
Oracle is preparing the release of nearly 500 new security patches with its Critical Patch Update (CPU) for January 2022.
According to its pre-release announcement, the company has lined up 483 new patches for the first CPU of 2022, which is scheduled for Tuesday, January 18.
Critical vulnerabilities will be patched in Oracle Essbase, Graph Server and Client, Secure Backup, Communications Applications, Communications, Construction and Engineering, Enterprise Manager, Financial Services Applications, Fusion Middleware, Insurance Applications, PeopleSoft, Support Tools, and Utilities Applications.
High-severity flaws will be fixed in Airlines Data Model, Big Data Graph, Communications Data Model, Commerce, Food and Beverage Applications, E-Business Suite, GoldenGate, Health Sciences Applications, HealthCare Applications, Hospitality Applications, Hyperion, iLearning, JD Edwards, MySQL, Policy Automation, Retail Applications, REST Data Services, Siebel CRM, Supply Chain, Systems, Spatial Studio, and TimesTen In-Memory.
Many of these flaws can be exploited remotely without authentication.
Tomi Engdahl says:
Safari 15 Vulnerability Allows Cross-Site Tracking of Users
https://www.securityweek.com/safari-15-vulnerability-allows-cross-site-tracking-users
Tomi Engdahl says:
Critical SAP Vulnerability Allows Supply Chain Attacks
https://www.securityweek.com/critical-sap-vulnerability-allows-supply-chain-attacks
A critical vulnerability addressed recently in SAP NetWeaver AS ABAP and ABAP Platform could be abused to set up supply chain attacks, SAP security solutions provider SecurityBridge warns.
Tracked as CVE-2021-38178 and featuring a CVSS score of 9.1, the critical vulnerability was addressed on the October 2021 SAP Patch Day.
Described as an improper authorization issue, the security error allows an attacker to tamper with transport requests, thus bypassing quality gates and transferring code artifacts to production systems.
Production systems are typically at the end of the line in SAP instances for development, integration, and testing, with all instances often sharing a central transport directory, where files needed for deploying changes from development to production are stored.
Tomi Engdahl says:
Expert on the drone sightings in Sweden: “The motive is probably to test how Sweden reacts”
The unusual drone flights are believed to be connected to the tense security situation in the Baltic Sea.
https://www.iltalehti.fi/ulkomaat/a/32265e47-0bed-4113-8f6a-c20fbb3e0607
Tomi Engdahl says:
Andrew Asmakov / Decrypt:
Crypto.com halted withdrawals and requires users to re-sign-in and reset 2FA; research shows Crypto.com lost 4,600+ ETH, worth $15M+, during a suspected hack — The crypto exchange has reportedly lost at least $15 million in Ethereum, and security experts believe the true losses could be much higher.
Crypto.com Suffers Hack for At Least $15M in Ethereum
https://decrypt.co/90590/crypto-com-suffers-hack-at-least-15m-ethereum
The crypto exchange has reportedly lost at least $15 million in Ethereum, and security experts believe the true losses could be much higher.
Tomi Engdahl says:
Max Seddon / Financial Times:
Ukraine’s digital transformation ministry says “all evidence points to Russia being behind the attack”, which took down about 70 government websites
https://www.ft.com/content/0bdfafb8-a340-4e6a-a688-d878c45d1010
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/safari-bug-leaks-your-google-account-info-browsing-history/
Tomi Engdahl says:
Zooming in on Zero-click Exploits
https://googleprojectzero.blogspot.com/2022/01/zooming-in-on-zero-click-exploits.html
Zoom is a video conferencing platform that has gained popularity throughout the pandemic. Unlike other video conferencing systems that I have investigated, where one user initiates a call that other users must immediately accept or reject, Zoom calls are typically scheduled in advance and joined via an email invitation. In the past, I hadn't prioritized reviewing Zoom because I believed that any attack against a Zoom client would require multiple clicks from a user. However, a zero-click attack against the Windows Zoom client was recently revealed at Pwn2Own, showing that it does indeed have a fully remote attack surface. The following post details my investigation into Zoom.
Tomi Engdahl says:
Unhappy New Year for cybercriminals as VPNLab.net goes offline https://www.europol.europa.eu/media-press/newsroom/news/unhappy-new-year-for-cybercriminals-vpnlabnet-goes-offline
This week, law enforcement authorities took action against the criminal misuse of VPN services as they targeted the users and infrastructure of VPNLab.net. The VPN provider's service, which aimed to offer shielded communications and internet access, was being used in support of serious criminal acts such as ransomware deployment and other cybercrime activities. On 17 January, disruptive actions took place in a coordinated manner in Germany, the Netherlands, Canada, the Czech Republic, France, Hungary, Latvia, Ukraine, the United States and the United Kingdom. Law enforcement authorities have now seized or disrupted the 15 servers that hosted VPNLab.net's service, rendering it no longer available.
Tomi Engdahl says:
Microsoft releases emergency fixes for Windows Server, VPN bugs https://www.bleepingcomputer.com/news/microsoft/microsoft-releases-emergency-fixes-for-windows-server-vpn-bugs/
Microsoft has released emergency out-of-band (OOB) updates to address multiple issues caused by Windows Updates issued during the January 2022 Patch Tuesday. “Microsoft is releasing Out-of-band (OOB) updates today, January 18, 2022, for some versions of Windows,” the company said. “This update addresses issues related to VPN connectivity, Windows Server Domain Controllers restarting, Virtual Machines start failures, and ReFS-formatted removable media failing to mount.”
Tomi Engdahl says:
Mixed Messages: Busting Box's MFA Methods https://www.varonis.com/blog/box-mfa-bypass-sms
Varonis Threat Labs discovered a way to bypass multi-factor authentication (MFA) for Box accounts that use an SMS code for login verification. Using this technique, an attacker could use stolen credentials to compromise an organization's Box account and exfiltrate sensitive data without access to the victim's phone.
Tomi Engdahl says:
Ukraine investigates multiple intrusion vectors in last week's website defacements, data wiper attacks https://therecord.media/ukraine-investigates-multiple-vectors-in-website-defacements-data-wiper-attacks/
The Ukrainian government said on Monday that it is investigating multiple intrusion vectors that could have been used to carry out the cyber-attacks that hit its government agencies last week. The attacks, which took place last Friday, included an attempt to deface more than 70 Ukrainian government websites and the deployment of a data-wiper on some government systems, a wiper that was designed to corrupt files and look like the affected systems were hit with a ransomware attack.
Tomi Engdahl says:
Cybercriminals Actively Target VMware vSphere with Cryptominers https://threatpost.com/cybercriminals-vmware-vsphere-cryptominers/177722/
Organizations running sophisticated virtual networks with VMware's vSphere service are actively being targeted by cryptojackers, who have figured out how to inject the XMRig commercial cryptominer into the environment, undetected. Uptycs' Siddharth Sharma has released research showing threat actors are using malicious shell scripts to make modifications and run the cryptominer on vSphere virtual networks.
Tomi Engdahl says:
Brazilian Ministry of Health recovers systems over a month after cyberattack https://www.zdnet.com/article/brazilian-ministry-of-health-recovers-systems-over-a-month-after-cyberattack/
After a major cyberattack brought key systems of Brazil’s Ministry of Health (MoH) to a halt, the department has reported all its platforms are back online. According to a statement released by the MoH on Friday (14), most systems have been reestablished following a cyberattack in early December 2021, including ConecteSUS, which holds COVID-19 vaccination data. However, some systems still need to be recovered, and the deadline for completing the work is this coming Friday (21).
Tomi Engdahl says:
Israel Lawmakers Outraged Over Claim Police Used NSO Spyware
https://www.securityweek.com/israel-lawmakers-outraged-over-claim-police-used-nso-spyware
Tomi Engdahl says:
VirusTotal Hacking Offers a Supercharged Version of Google Hacking
https://www.securityweek.com/virustotal-hacking-offers-supercharged-version-google-hacking
Chronicle’s VirusTotal (VT) is a boon to security researchers and a gift to potential criminals. Apart from virus samples it contains likely millions of user credentials readily available to anyone who knows where and how to look.
This is the finding of SafeBreach researchers who wanted to see if VT’s advanced search capabilities could provide a supercharged version of Google Hacking (dorking). They found it could.
The research started with an analysis of samples of well-known infostealers found on VT, such as RedLine Stealer, Azulrt, Raccoon Stealer and Hawkeye. The malware samples contain their exfiltration filenames. SafeBreach researchers then used VT’s own search capabilities to see if any infostealer exfiltration files could also be found on VT. Perhaps surprisingly, they found many such files.
Tomi Engdahl says:
Multi-Factor Authentication Bypass Led to Box Account Takeover
https://www.securityweek.com/multi-factor-authentication-bypass-led-box-account-takeover
Tomi Engdahl says:
Final Fantasy VII Porn Interrupts Government Meeting
The Italian Senate Zoom saw a very NSFW hentai clip of FF7's Tifa Lockhart
https://kotaku.com/final-fantasy-vii-porn-interrupts-government-meeting-1848378136?utm_campaign=Kotaku&utm_content=1642536902&utm_medium=SocialMarketing&utm_source=facebook
Tomi Engdahl says:
Jeffrey Knockel / The Citizen Lab:
China’s MY2022 Olympics app, mandatory for attendees to report travel and health data, has serious encryption flaws and contains a censorship keyword list
Cross-country Exposure Analysis of the MY2022 Olympics app
https://citizenlab.ca/2022/01/cross-country-exposure-analysis-my2022-olympics-app/
Key Findings
MY2022, an app mandated for use by all attendees of the 2022 Olympic Games in Beijing, has a simple but devastating flaw where encryption protecting users’ voice audio and file transfers can be trivially sidestepped. Health customs forms which transmit passport details, demographic information, and medical and travel history are also vulnerable. Server responses can also be spoofed, allowing an attacker to display fake instructions to users.
MY2022 is fairly straightforward about the types of data it collects from users in its public-facing documents. However, as the app collects a range of highly sensitive medical information, it is unclear with whom or which organization(s) it shares this information.
MY2022 includes features that allow users to report “politically sensitive” content. The app also includes a censorship keyword list, which, while presently inactive, targets a variety of political topics including domestic issues such as Xinjiang and Tibet as well as references to Chinese government agencies.
While the vendor did not respond to our security disclosure, we find that the app’s security deficits may not only violate Google’s Unwanted Software Policy and Apple’s App Store guidelines but also China’s own laws and national standards pertaining to privacy protection, providing potential avenues for future redress.
Tomi Engdahl says:
VPNLab.net Shut Down for Helping Hackers Spread Ransomware
Europol says it seized servers and customer data for VPNLab.net.
https://uk.pcmag.com/vpn/138203/vpnlabnet-shut-down-for-helping-hackers-spread-ransomware
Law enforcement has shut down a VPN provider called VPNLab.net for allegedly supplying services to hackers.
On Tuesday, Europol announced it had seized or disrupted 15 servers that hosted VPNLab.net on claims it facilitated numerous cybercrimes, including the distribution of ransomware.
Tomi Engdahl says:
Just one of the alleged fraudsters of the 11 arrested was actively spying on at least 16 companies, Interpol claimed.
800,000 Passwords, 50,000 Targets: A Huge Nigerian Fraud Operation Busted
https://www.forbes.com/sites/thomasbrewster/2022/01/19/800000-passwords-50000-targets-a-huge-nigerian-fraud-operation-busted/?utm_campaign=forbes&utm_source=facebook&utm_medium=social&utm_term=Gordie&sh=57337f4e4dc0
Tomi Engdahl says:
Half a million dollars lost to scammers spoofing bank hotlines on Google ads: Police
https://www.channelnewsasia.com/singapore/scam-bank-hotline-phone-number-google-search-police-2444971
SINGAPORE: A new scam that tricks victims into calling fake bank hotlines found in advertisements on Google searches has resulted in losses amounting to at least S$495,000, the police said on Wednesday (Jan 19).
At least 15 people have fallen prey to this new scam variant since December 2021, the police added.
Tomi Engdahl says:
Zoom vulnerabilities impact clients, MMR servers
Now-patched vulnerabilities in the videoconferencing software have been analyzed by Google researchers.
https://www.zdnet.com/article/zoom-vulnerabilities-impact-clients-mmr-servers/
Tomi Engdahl says:
Crypto.com CEO admits hundreds of customer accounts were hacked
https://techcrunch.com/2022/01/19/crypto-com-ceo-admits-hundreds-of-customer-accounts-were-hacked/?tpcc=tcplusfacebook
Crypto.com CEO Kris Marszalek said around 400 customer accounts have been compromised in a hack in an interview with Bloomberg TV on Wednesday. His confirmation of the breach comes after multiple Crypto.com users alleged their funds had been stolen – complaints that had until now been met with vague responses from the company.
While Marszalek did not provide details as to how the hack occurred, he told Bloomberg TV that the exchange was back online “about 13-14 hours” after the incident and that all the impacted accounts were reimbursed.
The company then reassured users numerous times in its communications that customer funds were safe, drawing speculation that Crypto.com would cover any customer losses incurred.
The losses may amount to $15 million worth of ETH, blockchain security provider PeckShield tweeted on Monday.
OXT Research speculated that the hack may actually have cost the exchange $33 million.
Crypto.com is the world’s fourth-largest crypto exchange; it has been pushing hard into U.S. markets in recent months.
Tomi Engdahl says:
Italian senate meeting interrupted by Final Fantasy hentai
By Rich Stanton published 1 day ago
An interloper got on the virtual meet and played the video.
https://www.pcgamer.com/italian-senate-meeting-interrupted-by-final-fantasy-hentai/?utm_campaign=socialflow&utm_medium=social&utm_source=facebook.com
Tomi Engdahl says:
CISA Urges Organizations to Implement Immediate Cybersecurity Measures to Protect Against Potential Threats https://www.cisa.gov/uscert/ncas/current-activity/2022/01/18/cisa-urges-organizations-implement-immediate-cybersecurity
In response to recent malicious cyber incidents in Ukraine, including the defacement of government websites and the presence of potentially destructive malware on Ukrainian systems, CISA has published CISA Insights: Implement Cybersecurity Measures Now to Protect Against Potential Critical Threats. The CISA Insights strongly urges leaders and network defenders to be on alert for malicious cyber activity and provides a checklist of concrete actions that every organization, regardless of sector or size, can take immediately.
Tomi Engdahl says:
Poland raises cybersecurity terror threat after Ukraine cyber attack https://www.reuters.com/technology/poland-raises-cybersecurity-terror-threat-after-ukraine-cyber-attack-2022-01-18/
Poland on Tuesday raised its nationwide cybersecurity terror threat in the wake of a cyber attack on Ukraine last week, adding that the new alert level was preventative. Last week, Ukraine was hit by a cyber attack that warned Ukrainians to “be afraid and expect the worst” as the country braces for a possible new military offensive from neighbouring Russia. Ukrainian officials say the attack hit around 70 internet sites of government bodies including the security and defence council, the cabinet of ministers and several ministries.
State-Sponsored Cyber Attacks Against Ukraine https://www.truesec.com/hub/blog/state-sponsored-cyber-attacks-against-ukraine
Truesec has spent the last few days analyzing the events unfolding in Ukraine. We've explored these events from primarily two perspectives: a threat actor analysis perspective and a technical, reverse engineering perspective. From the threat actor perspective, we looked at historically similar attacks and compared them to what we've seen in Ukraine. From the technical perspective, we reverse engineered the malware initially discovered by Microsoft to ascertain its purpose, technical sophistication, and uncover any other artefacts that may shed light on the attacks. Our Threat Intelligence Unit has also received information from local sources, providing insight about the attack.
Tomi Engdahl says:
Britain’s computer crime cops are targeting youngsters as young as nine years old in an attempt to dissuade them from embarking on a life of cybercrime
https://www.bitdefender.com/blog/hotforsecurity/nine-year-old-kids-are-launching-ddos-attacks-against-schools/
The UK’s National Crime Agency (NCA) has launched a new initiative with the hope of educating youngsters of the consequences of launching DDoS attacks. A study by the NCA’s National Cyber Crime Unit (NCCU) discovered that the number of Distributed Denial of Service (DDoS) attacks launched against school networks and websites has more than doubled from 2019 to 2020.
Tomi Engdahl says:
Nigerian cybercrime fraud: 11 suspects arrested, syndicate busted https://www.interpol.int/News-and-Events/News/2022/Nigerian-cybercrime-fraud-11-suspects-arrested-syndicate-busted
The Nigerian Police Force (NPF) has arrested 11 alleged members of a prolific cybercrime network as part of a national police operation coordinated with INTERPOL. Arrested by officers of the NPF Cybercrime Police Unit and INTERPOL's National Central Bureau (NCB) in Nigeria, many of the suspects are thought to be members of SilverTerrier, a network known for Business Email Compromise (BEC) scams which have harmed thousands of companies globally.
Tomi Engdahl says:
GitHub Actions flaw that allowed code to be approved without review is addressed with new feature rollout https://portswigger.net/daily-swig/github-actions-flaw-that-allowed-code-to-be-approved-without-review-is-addressed-with-new-feature-rollout
Omer Gil and colleagues from security start-up Cider Security discovered the code review bypass risk was present even for organizations that had not enabled the recently introduced GitHub Actions feature. Gil previously told The Daily Swig: “Required reviews is one of the most widely used security mechanisms in GitHub, and since GitHub Actions is installed by default nearly any organization is vulnerable to this.” GitHub Actions, GitHub's continuous integration (CI) service, offers a mechanism to build and run software development workflows all the way from development to production systems.
Tomi Engdahl says:
A top Ukrainian security official on defending the nation against cyber attacks https://therecord.media/a-top-ukrainian-security-official-on-defending-the-nation-against-cyber-attacks/
In the wake of an escalating crisis between Ukraine and Russia, Demediuk agreed to a follow-up interview in which he discussed issues including the recent defacement of Ukrainian websites, the security of the country's critical infrastructure, and Russia's motivations. In addition to his role on the NSDC, Demediuk was tasked in 2015 with building out Ukraine's CyberPolice force, which prosecutes cybercriminals and thwarts state-sponsored attacks. The interview with Smilyanets was conducted via email in Russian, and was translated to English with the help of several members of Recorded Future's Strategic and Persistent Threats team.
Tomi Engdahl says:
Technical Analysis of the WhisperGate Malicious Bootloader https://www.crowdstrike.com/blog/technical-analysis-of-whispergate-malware/
On Jan. 15, 2022, a set of malware dubbed WhisperGate was reported to have been deployed against Ukrainian targets. The incident is widely reported to contain three individual components deployed by the same adversary, including a malicious bootloader that corrupts detected local disks, a Discord-based downloader and a file wiper. The activity occurred at approximately the same time multiple websites belonging to the Ukrainian government were defaced. This blog covers the malicious bootloader in more detail.
Tomi Engdahl says:
Red Cross Falls Victim to Massive Cyberattack
https://www.securityweek.com/red-cross-falls-victim-massive-cyberattack
The International Committee of the Red Cross was the victim of a massive cyberattack in which hackers seized the data of more than 515,000 extremely vulnerable people, some of whom had fled conflicts, it said on Wednesday.
“A sophisticated cyber security attack against computer servers hosting information held by the International Committee of the Red Cross (ICRC) was detected this week,” it said in a statement.
“The attack compromised personal data and confidential information on more than 515,000 highly vulnerable people, including those separated from their families due to conflict, migration and disaster, missing persons and their families, and people in detention.”
The body, which has its headquarters in Geneva, had no immediate indication as to who might have carried out the attack.
It said the hackers targeted an external company in Switzerland that the ICRC contracts to store data. There was no evidence so far that the compromised information had been leaked or put in the public domain.
The ICRC said its “most pressing concern” was the “potential risks that come with this breach — including confidential information being shared publicly — for people that the Red Cross and Red Crescent network seeks to protect and assist, as well as their families”.
Tomi Engdahl says:
Project Zero: Zoom Platform Missed ASLR Exploit Mitigation
https://www.securityweek.com/project-zero-zoom-platform-missed-aslr-exploit-mitigation
A prominent security researcher poking around at the Zoom video conferencing platform found worrying signs the company failed to enable a decades-old anti-exploit mitigation, a blunder that greatly increased exposure to malicious hacker attacks.
The discovery was made by Google Project Zero’s Natalie Silvanovich during a black box security audit of Zoom’s widely deployed software and again brings attention to basic developer mistakes that continue to cause major security problems.
Silvanovich, known for her work documenting security defects in Apple’s iMessage, found evidence that Zoom failed to enable Address Space Layout Randomization (ASLR), a memory safety mitigation first introduced in 2006 by Microsoft to make it more difficult to automate attacks against the operating system.
Tomi Engdahl says:
Thousands of Industrial Firms Targeted in Attacks Leveraging Short-Lived Malware
https://www.securityweek.com/thousands-industrial-firms-targeted-attacks-leveraging-short-lived-malware
Thousands of industrial organizations worldwide have been hit in campaigns that leverage short-lived malware to harvest corporate credentials that are then sold by threat actors for a profit, according to Kaspersky.
The Kaspersky unit focusing on industrial control systems (ICS) has conducted an analysis of the malware found in the first half of 2021 on ICS computers worldwide and noticed that roughly 20% of these samples had a lifespan of roughly 25 days — they are then replaced with a new sample.
This is significantly shorter than in typical attacks, particularly since the malware involved was part of widely known commodity families such as AgentTesla, HawkEye, Formbook, Masslogger, Snake Keylogger, Azorult, and Lokibot.
Tomi Engdahl says:
NordVPN: Actually, We Do Comply With Law Enforcement Data Requests
https://uk.pcmag.com/vpn/138232/nordvpn-actually-we-do-comply-with-law-enforcement-data-requests
The VPN provider quietly changed a 2017 blog post to note that it does comply with lawful requests for data; it also notes it doesn’t log customer activity ‘unless ordered by a court in an appropriate, legal way.’
Tomi Engdahl says:
Crypto Protocol Publicly Announces Flaw, Users Relentlessly Owned by Hackers
https://www.vice.com/en/article/epxb8m/crypto-protocol-publicly-announces-flaw-users-relentlessly-owned-by-hackers
The hack against users of Multichain is getting worse as a cybersecurity researcher calls the incident “the worst way to treat a vulnerability.”
Tomi Engdahl says:
https://www.vice.com/en/article/epxb8m/crypto-protocol-publicly-announces-flaw-users-relentlessly-owned-by-hackers
Earlier this week, a platform that allows users to swap tokens between blockchains publicly announced that there was a flaw that made accounts vulnerable to hackers. The announcement, predictably, prompted several hackers to rush and try to exploit the vulnerability. One of them stole more than $1.4 million dollars, and another one offered victims to return 80 percent of the funds they stole in a message posted to the Ethereum blockchain, keeping the rest as “tips for me saving your money” on Wednesday.
A Hacker Is Negotiating With Victims on the Blockchain After $1.4M Heist
https://www.vice.com/en/article/akv7aa/a-hacker-is-negotiating-with-victims-on-the-blockchain-after-dollar14m-heist
One of the hackers who exploited a vulnerability affecting a blockchain service is now offering to return some of the money, except “tips for me saving your money.”
Hackers took advantage of a vulnerability in a blockchain service to steal around $1.4 million from users earlier this week. In an unexpected turn of events, one of the hackers is now negotiating on the blockchain itself, offering to return 80 percent of money to the victims, keeping the rest as “tips.” And the hacked company appears to be offering the second hacker a bounty.
Tomi Engdahl says:
Sean Lyngaas / CNN:
Red Cross says a cyberattack on a vendor for over 60 Red Cross and Red Crescent societies compromised the personal data of 515,000+ “highly vulnerable people” — (CNN) A cyberattack on a contractor used by the International Committee of the Red Cross (ICRC) has compromised …
Cyberattack on Red Cross compromised data of over 515,000 ‘highly vulnerable people’
https://edition.cnn.com/2022/01/19/politics/red-cross-cyberattack/
A cyberattack on a contractor used by the International Committee of the Red Cross (ICRC) has compromised the personal data of more than 515,000 “highly vulnerable people,” including people separated from their families by conflict and disaster, the organization said Wednesday.
Sophisticated cyber-attack targets Red Cross Red Crescent data on 500,000 people
https://www.icrc.org/en/document/sophisticated-cyber-attack-targets-red-cross-red-crescent-data-500000-people
A sophisticated cyber security attack against computer servers hosting information held by the International Committee of the Red Cross (ICRC) was detected this week.
The attack compromised personal data and confidential information on more than 515,000 highly vulnerable people, including those separated from their families due to conflict, migration and disaster, missing persons and their families, and people in detention. The data originated from at least 60 Red Cross and Red Crescent National Societies around the world.
The ICRC’s most pressing concern following this attack is the potential risks that come with this breach — including confidential information being shared publicly — for people that the Red Cross and Red Crescent network seeks to protect and assist, as well as their families. When people go missing, the anguish and uncertainty for their families and friends is intense.
“An attack on the data of people who are missing makes the anguish and suffering for families even more difficult to endure. We are all appalled and perplexed that this humanitarian information would be targeted and compromised,” said Robert Mardini, ICRC’s director-general. “This cyber-attack puts vulnerable people, those already in need of humanitarian services, at further risk.”
The ICRC has no immediate indications as to who carried out this cyber-attack, which targeted an external company in Switzerland the ICRC contracts to store data. There is not yet any indication that the compromised information has been leaked or shared publicly.
“While we don’t know who is responsible for this attack, or why they carried it out, we do have this appeal to make to them,” said Mr Mardini.
“Your actions could potentially cause yet more harm and pain to those who have already endured untold suffering. The real people, the real families behind the information you now have are among the world’s least powerful. Please do the right thing. Do not share, sell, leak or otherwise use this data.”
The ICRC along with the wider Red Cross and Red Crescent network jointly runs a program called Restoring Family Links that seeks to reunite family members separated by conflict, disaster or migration. Because of the attack, we have been obliged to shut down the systems underpinning our Restoring Family Links work, affecting the Red Cross and Red Crescent Movement’s ability to reunite separated family members. We are working as quickly as possible to identify workarounds to continue this vital work.
Tomi Engdahl says:
Red Cross forced to shutter family reunion service following cyberattack and data leak
Director-general pleads with cyber-scum: leave this data alone, because the people involved have suffered enough
https://www.theregister.com/2022/01/20/red_cross_hit_by_cyberattack/
Humanitarian organization the International Red Cross disclosed this week that it has fallen foul of a cyberattack that saw the data of over 515,000 “highly vulnerable people” exposed to an unknown entity.
The target of the attack was the organisation’s Restoring Family Links operation, which strives to find missing persons and reunite those separated from their families due to armed conflict, migration, disaster, detention and other catastrophic events. The service is free, but is currently offline.
Among the stolen data were names, locations, and contact information. The org said the data originated from at least 60 Red Cross and Red Crescent National Societies around the world.
The threat actor is currently unidentified. However, it is understood that they executed the attack on a Switzerland-based contractor that stores the nonprofit’s data. There are no indications that the data has been leaked publicly.
The Red Cross said the attack jeopardizes its work, and pleaded with the perp not to leak the data.
Tomi Engdahl says:
Free app for victims of domestic abuse allows users to log evidence of violent crimes until they feel ready to go to the police, and promises that forensic-quality images will be ‘legally-admissible’
https://www.dailymail.co.uk/femail/article-10410983/Free-app-allows-users-log-legally-admissible-evidence-violent-crimes-launches.html?ITO=applenews
Injury Capture, available globally, empowers victims to report violent crimes
Allows users to photograph their injuries to scale and add their medical reports
The date and time of all evidence compiled on the app is verifiable by metadata
App users can send their full report of evidence to police at the touch of a button
Tomi Engdahl says:
Andrew Asmakov / Decrypt:
Crypto.com says its breach affected 483 users, resulting in unauthorized withdrawals of ~$33.84M in cryptocurrencies and cash but says users were reimbursed
Crypto.com Confirms Exchange Lost Nearly $34M to Hackers
https://decrypt.co/90786/crypto-com-confirms-exchange-lost-nearly-34m-hackers
Cryptocurrency exchange Crypto.com has lost roughly $34 million in a recent security incident, according to a post-mortem released on Thursday.
Crypto.com, the industry’s fourth-largest cryptocurrency exchange, finally admitted it lost user funds due to a recent security breach.
According to a blog post published on Thursday, the incident affected a total of 483 users, resulting in unauthorized withdrawals totaling 4,836.26 Ethereum, 443.93 Bitcoin, and approximately $66,200 in other cryptocurrencies, or roughly $33.84 million in current prices.
Singapore-based Crypto.com announced it was pausing withdrawals after “a small number of users experienced unauthorized activity in their accounts” on Monday, urging customers to reset their two-factor authentication (2FA).
Security company Peckshield later revealed that the incident resulted in Crypto.com losing at least 4,600 ETH (around $15 million) in user funds, telling Decrypt that the scale of the damage was “definitely worse.”
According to Peckshield, half of the stolen funds were sent to Tornado Cash, a crypto mixing service that enables users to obfuscate their transactions.
On top of that, blockchain analyst ErgoBTC said hackers managed to make it away with about 444 BTC, the number Crypto.com confirmed in today’s post-mortem.
Despite the litany of evidence, Crypto.com initially refused to acknowledge the hack, with the company’s CEO Kris Marszalek claiming that “no customer funds were lost.”
Crypto.com CEO: “Numbers not particularly material”
Marszalek appeared on Bloomberg TV on Wednesday, finally confirming that around 400 customer accounts had been compromised.
According to him, Crypto.com quickly paused withdrawals after detecting that “some of the defense layers were breached,” fixed the issue, and was “back online in about 13 to 14 hours.”
He added that the same day, “all of the accounts that were affected were reimbursed, so there was no loss of customer funds.”
When pressed with the question about the actual extent of the losses suffered by the exchange, Marszalek said that “given the scale of the business, these numbers are not particularly material.”
Crypto.com said it also revamped and migrated to an entirely new 2FA infrastructure, with 2FA tokens for all users revoked “to ensure the new infrastructure was in effect.”
The exchange introduced an additional layer of security to add a mandatory 24-hour delay between registration of a new whitelisted withdrawal address and the first withdrawal of funds.
According to the company, this will give users “adequate time to react and respond” to notifications that new withdrawal addresses have been added.
WAPP opens up a possibility to restore funds up to $250,000.
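The address-whitelisting delay described in the Crypto.com post-mortem above, modelled as an added example. This is hypothetical illustration code, not Crypto.com's implementation; the class and function names, the constructed timestamps and the single fixed 24-hour window are assumptions.

```python
"""Added example (hypothetical, not Crypto.com's code): a withdrawal
allow-list with a mandatory 24-hour cool-down, as in the post-mortem above."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

COOLDOWN = timedelta(hours=24)  # delay stated in the post-mortem


@dataclass
class WithdrawalPolicy:
    # address -> time it was allow-listed by the account owner
    allowlist: dict = field(default_factory=dict)
    # audit trail of every decision; repeated denials are a useful alert signal
    events: list = field(default_factory=list)

    def register_address(self, address: str, now: datetime) -> None:
        """Allow-list an address; the clock starts at registration, not first use."""
        self.allowlist.setdefault(address, now)  # re-registering never resets it
        self.events.append(("registered", address, now.isoformat()))

    def check_withdrawal(self, address: str, now: datetime) -> tuple:
        """Return (allowed, reason) for a withdrawal to `address` at time `now`."""
        registered = self.allowlist.get(address)
        if registered is None:
            verdict = (False, "address not allow-listed")
        elif now - registered < COOLDOWN:
            verdict = (False, f"cool-down active, {COOLDOWN - (now - registered)} left")
        else:
            verdict = (True, "ok")
        self.events.append(("withdrawal", address, now.isoformat(), verdict[1]))
        return verdict


def demo() -> list:
    """Constructed scenario: one address allow-listed at t0, withdrawals attempted
    to it and to an unknown address 1 hour and 25 hours later."""
    t0 = datetime(2022, 1, 17, 12, 0, tzinfo=timezone.utc)  # constructed timestamp
    policy = WithdrawalPolicy()
    policy.register_address("addr_new", t0)
    return [
        policy.check_withdrawal("addr_unknown", t0 + timedelta(hours=1))[0],  # False
        policy.check_withdrawal("addr_new", t0 + timedelta(hours=1))[0],      # False
        policy.check_withdrawal("addr_new", t0 + timedelta(hours=25))[0],     # True
    ]


if __name__ == "__main__":
    print(demo())
```

The denial events in `events` are what a monitoring pipeline would alert on: a burst of new-address registrations followed by blocked withdrawals is the pattern the delay is designed to expose before funds move.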
Tomi Engdahl says:
Sophisticated cyber-attack targets Red Cross Red Crescent data on 500,000 people
https://www.icrc.org/en/document/sophisticated-cyber-attack-targets-red-cross-red-crescent-data-500000-people
The attack compromised personal data and confidential information on more than 515,000 highly vulnerable people, including those separated from their families due to conflict, migration and disaster, missing persons and their families, and people in detention. Also:
https://www.bleepingcomputer.com/news/security/red-cross-cyberattack-exposes-data-of-515-000-people-seeking-missing-family/
Also:
https://www.mtvuutiset.fi/artikkeli/kansainvalinen-punainen-risti-massiivisen-kyberhyokkayksen-kohteena-humanitaarinen-informaatio-on-vaarantunut/8336394
Tomi Engdahl says:
Open Subtitles breach: The dangers of password reuse
https://blog.malwarebytes.com/privacy-2/2022/01/open-subtitles-breach-the-dangers-of-password-reuse/
Popular website Open Subtitles has been breached. The impact so far:
almost seven million accounts “breached and ransomed” back in August.