Cyber security news January 2022

This posting is here to collect cyber security news in January 2022.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.

439 Comments

  1. Tomi Engdahl says:

    EU Targets Fictitious Finnish Power Company in Cyberattack Test https://www.bloomberg.com/news/articles/2022-01-15/eu-targets-fictitious-finnish-power-company-in-cyberattack-test
    The European Union began testing its cyber-defense responsiveness on Friday with a simulated attack on a fictitious Finnish power company as the bloc seeks to strengthen its digital defenses amid concern about potential attacks. The start of the cyber exercise came the same day Ukraine fell victim to an actual attack that brought down around 70 government websites.

    Reply
  2. Tomi Engdahl says:

    Cyber espionage campaign targets renewable energy companies https://www.bleepingcomputer.com/news/security/cyber-espionage-campaign-targets-renewable-energy-companies/
    A large-scale cyber-espionage campaign targeting primarily renewable energy and industrial technology organizations has been discovered to be active since at least 2019, targeting over fifteen entities worldwide. The campaign was discovered by security researcher William Thomas, a Curated Intelligence trust group member, who employed OSINT (open-source intelligence) techniques like DNS scans and public sandbox submissions.

    Reply
  3. Tomi Engdahl says:

    Same-origin violation vulnerability in Safari 15 could leak a user's website history and identity https://portswigger.net/daily-swig/same-origin-violation-vulnerability-in-safari-15-could-leak-a-users-website-history-and-identity
    The issue was introduced in Safari's implementation of the IndexedDB API in its latest offering, version 15. IndexedDB is a browser API for client-side storage designed to hold significant amounts of data. To prevent data leaks from cross-site scripting (XSS) attacks, IndexedDB follows the same-origin policy, controlling which resources can access each piece of data.

    Reply
  4. Tomi Engdahl says:

    Earth Lusca threat actor targets governments and cryptocurrency companies alike https://therecord.media/earth-lusca-threat-actor-targets-governments-and-cryptocurrency-companies-alike/
    Cybersecurity researchers said they discovered a Chinese cyber-espionage group that, besides spying on strategic targets, also dabbled in financially-motivated attacks for their own profits. Named Earth Lusca, the group has spent the past years spying on targets that could be considered of interest to the Chinese government.

    Reply
  5. Tomi Engdahl says:

    Vulnerability in IDEMIA Biometric Readers Allows Hackers to Unlock Doors
    https://www.securityweek.com/vulnerability-idemia-biometric-readers-allows-hackers-unlock-doors

    A critical vulnerability impacting multiple IDEMIA biometric identification devices can be exploited to unlock doors and turnstiles.

    Because of this security defect, if the TLS protocol is not activated, an attacker in the network can send specific commands without authentication to open doors or turnstiles directly operated by a vulnerable device.

    The attacker could also exploit the bug to cause a denial of service (DoS) condition by sending a reboot command to the vulnerable device, according to an advisory published by IDEMIA, a France-based tech company that specializes in identity-related physical security services.

    Identified by researchers at Russian cybersecurity firm Positive Technologies – which was sanctioned by the United States last year for alleged ties with Russian intelligence – the flaw has a CVSS score of 9.1, yet no CVE identification number has been issued for it until now.

    Affected products include MorphoWave Compact MD/MDPI/MDPI-M, VisionPass MD/MDPI/MDPI-M, all variants of SIGMA Lite/Lite+/Wide, SIGMA Extreme, and MA VP MD.

    Reply
  6. Tomi Engdahl says:

    Oracle to Release Nearly 500 New Security Patches
    https://www.securityweek.com/oracle-release-nearly-500-new-security-patches

    Oracle is preparing the release of nearly 500 new security patches with its Critical Patch Update (CPU) for January 2022.

    According to its pre-release announcement, the company has lined up 483 new patches for the first CPU of 2022, which is scheduled for Tuesday, January 18.

    Critical vulnerabilities will be patched in Oracle Essbase, Graph Server and Client, Secure Backup, Communications Applications, Communications, Construction and Engineering, Enterprise Manager, Financial Services Applications, Fusion Middleware, Insurance Applications, PeopleSoft, Support Tools, and Utilities Applications.

    High-severity flaws will be fixed in Airlines Data Model, Big Data Graph, Communications Data Model, Commerce, Food and Beverage Applications, E-Business Suite, GoldenGate, Health Sciences Applications, HealthCare Applications, Hospitality Applications, Hyperion, iLearning, JD Edwards, MySQL, Policy Automation, Retail Applications, REST Data Services, Siebel CRM, Supply Chain, Systems, Spatial Studio, and TimesTen In-Memory.

    Many of these flaws can be exploited remotely without authentication.

    Reply
  7. Tomi Engdahl says:

    Critical SAP Vulnerability Allows Supply Chain Attacks
    https://www.securityweek.com/critical-sap-vulnerability-allows-supply-chain-attacks

    A critical vulnerability addressed recently in SAP NetWeaver AS ABAP and ABAP Platform could be abused to set up supply chain attacks, SAP security solutions provider SecurityBridge warns.

    Tracked as CVE-2021-38178 and featuring a CVSS score of 9.1, the critical vulnerability was addressed on the October 2021 SAP Patch Day.

    Described as an improper authorization issue, the security error allows an attacker to tamper with transport requests, thus bypassing quality gates and transferring code artifacts to production systems.

    Production systems are typically at the end of the line in SAP instances for development, integration, and testing, with all instances often sharing a central transport directory, where files needed for deploying changes from development to production are stored.

    Reply
  8. Tomi Engdahl says:

    Expert on Sweden's drone sightings: "The motive is probably to test how Sweden reacts"
    The exceptional drone flights are believed to be linked to the heightened security situation in the Baltic Sea.
    https://www.iltalehti.fi/ulkomaat/a/32265e47-0bed-4113-8f6a-c20fbb3e0607

    Reply
  9. Tomi Engdahl says:

    Andrew Asmakov / Decrypt:
    Crypto.com halted withdrawals and requires users to re-sign-in and reset 2FA; research shows Crypto.com lost 4,600+ ETH, worth $15M+, during a suspected hack — The crypto exchange has reportedly lost at least $15 million in Ethereum, and security experts believe the true losses could be much higher.

    Crypto.com Suffers Hack for At Least $15M in Ethereum
    https://decrypt.co/90590/crypto-com-suffers-hack-at-least-15m-ethereum

    The crypto exchange has reportedly lost at least $15 million in Ethereum, and security experts believe the true losses could be much higher.

    Reply
  10. Tomi Engdahl says:

    Max Seddon / Financial Times:
    Ukraine’s digital transformation ministry says “all evidence points to Russia being behind the attack”, which took down about 70 government websites
    https://www.ft.com/content/0bdfafb8-a340-4e6a-a688-d878c45d1010

    Reply
  11. Tomi Engdahl says:

    Zooming in on Zero-click Exploits
    https://googleprojectzero.blogspot.com/2022/01/zooming-in-on-zero-click-exploits.html
    Zoom is a video conferencing platform that has gained popularity throughout the pandemic. Unlike other video conferencing systems that I have investigated, where one user initiates a call that other users must immediately accept or reject, Zoom calls are typically scheduled in advance and joined via an email invitation. In the past, I hadn't prioritized reviewing Zoom because I believed that any attack against a Zoom client would require multiple clicks from a user. However, a zero-click attack against the Windows Zoom client was recently revealed at Pwn2Own, showing that it does indeed have a fully remote attack surface. The following post details my investigation into Zoom.

    Reply
  12. Tomi Engdahl says:

    Unhappy New Year for cybercriminals as VPNLab.net goes offline https://www.europol.europa.eu/media-press/newsroom/news/unhappy-new-year-for-cybercriminals-vpnlabnet-goes-offline
    This week, law enforcement authorities took action against the criminal misuse of VPN services as they targeted the users and infrastructure of VPNLab.net. The VPN provider's service, which aimed to offer shielded communications and internet access, was being used in support of serious criminal acts such as ransomware deployment and other cybercrime activities. On 17 January, disruptive actions took place in a coordinated manner in Germany, the Netherlands, Canada, the Czech Republic, France, Hungary, Latvia, Ukraine, the United States and the United Kingdom. Law enforcement authorities have now seized or disrupted the 15 servers that hosted VPNLab.net's service, rendering it no longer available.

    Reply
  13. Tomi Engdahl says:

    Microsoft releases emergency fixes for Windows Server, VPN bugs https://www.bleepingcomputer.com/news/microsoft/microsoft-releases-emergency-fixes-for-windows-server-vpn-bugs/
    Microsoft has released emergency out-of-band (OOB) updates to address multiple issues caused by Windows Updates issued during the January 2022 Patch Tuesday. “Microsoft is releasing Out-of-band (OOB) updates today, January 18, 2022, for some versions of Windows,” the company said. “This update addresses issues related to VPN connectivity, Windows Server Domain Controllers restarting, Virtual Machines start failures, and ReFS-formatted removable media failing to mount.”

    Reply
  14. Tomi Engdahl says:

    Mixed Messages: Busting Box's MFA Methods https://www.varonis.com/blog/box-mfa-bypass-sms
    Varonis Threat Labs discovered a way to bypass multi-factor authentication (MFA) for Box accounts that use an SMS code for login verification. Using this technique, an attacker could use stolen credentials to compromise an organization's Box account and exfiltrate sensitive data without access to the victim's phone.

    Reply
  15. Tomi Engdahl says:

    Ukraine investigates multiple intrusion vectors in last week's website defacements, data wiper attacks https://therecord.media/ukraine-investigates-multiple-vectors-in-website-defacements-data-wiper-attacks/
    The Ukrainian government said on Monday that it is investigating multiple intrusion vectors that could have been used to carry out the cyber-attacks that hit its government agencies last week. The attacks, which took place last Friday, included an attempt to deface more than 70 Ukrainian government websites and the deployment of a data-wiper on some government systems, a wiper that was designed to corrupt files and look like the affected systems were hit with a ransomware attack.

    Reply
  16. Tomi Engdahl says:

    Cybercriminals Actively Target VMware vSphere with Cryptominers https://threatpost.com/cybercriminals-vmware-vsphere-cryptominers/177722/
    Organizations running sophisticated virtual networks with VMware's vSphere service are actively being targeted by cryptojackers, who have figured out how to inject the XMRig commercial cryptominer into the environment, undetected. Uptycs' Siddharth Sharma has released research showing threat actors are using malicious shell scripts to make modifications and run the cryptominer on vSphere virtual networks.

    Reply
  17. Tomi Engdahl says:

    Brazilian Ministry of Health recovers systems over a month after cyberattack https://www.zdnet.com/article/brazilian-ministry-of-health-recovers-systems-over-a-month-after-cyberattack/
    After a major cyberattack brought key systems of Brazil’s Ministry of Health (MoH) to a halt, the department has reported all its platforms are back online. According to a statement released by the MoH on Friday (14), most systems have been reestablished following a cyberattack in early December 2021, including ConecteSUS, which holds COVID-19 vaccination data. However, some systems still need to be recovered, and the deadline for completing the work is this coming Friday (21).

    Reply
  18. Tomi Engdahl says:

    VirusTotal Hacking Offers a Supercharged Version of Google Hacking
    https://www.securityweek.com/virustotal-hacking-offers-supercharged-version-google-hacking

    Chronicle’s VirusTotal (VT) is a boon to security researchers and a gift to potential criminals. Apart from virus samples it contains likely millions of user credentials readily available to anyone who knows where and how to look.

    This is the finding of SafeBreach researchers who wanted to see if VT’s advanced search capabilities could provide a supercharged version of Google Hacking (dorking). They found it could.

    The research started with an analysis of samples of well-known infostealers found on VT, such as RedLine Stealer, Azulrt, Raccoon Stealer and Hawkeye. The malware samples contain their exfiltration filenames. SafeBreach researchers then used VT’s own search capabilities to see if any infostealer exfiltration files could also be found on VT. Perhaps surprisingly, they found many such files.

    Reply
  19. Tomi Engdahl says:

    Jeffrey Knockel / The Citizen Lab:
    China’s MY2022 Olympics app, mandatory for attendees to report travel and health data, has serious encryption flaws and contains a censorship keyword list

    Cross-country Exposure Analysis of the MY2022 Olympics app
    https://citizenlab.ca/2022/01/cross-country-exposure-analysis-my2022-olympics-app/

    Key Findings

    MY2022, an app mandated for use by all attendees of the 2022 Olympic Games in Beijing, has a simple but devastating flaw where encryption protecting users’ voice audio and file transfers can be trivially sidestepped. Health customs forms which transmit passport details, demographic information, and medical and travel history are also vulnerable. Server responses can also be spoofed, allowing an attacker to display fake instructions to users.
    MY2022 is fairly straightforward about the types of data it collects from users in its public-facing documents. However, as the app collects a range of highly sensitive medical information, it is unclear with whom or which organization(s) it shares this information.
    MY2022 includes features that allow users to report “politically sensitive” content. The app also includes a censorship keyword list, which, while presently inactive, targets a variety of political topics including domestic issues such as Xinjiang and Tibet as well as references to Chinese government agencies.
    While the vendor did not respond to our security disclosure, we find that the app’s security deficits may not only violate Google’s Unwanted Software Policy and Apple’s App Store guidelines but also China’s own laws and national standards pertaining to privacy protection, providing potential avenues for future redress.

    Reply
  20. Tomi Engdahl says:

    VPNLab.net Shut Down for Helping Hackers Spread Ransomware
    Europol says it seized servers and customer data for VPNLab.net.
    https://uk.pcmag.com/vpn/138203/vpnlabnet-shut-down-for-helping-hackers-spread-ransomware

    Law enforcement has shut down a VPN provider called VPNLab.net for allegedly supplying services to hackers.

    On Tuesday, Europol announced it had seized or disrupted 15 servers that hosted VPNLab.net on claims it facilitated numerous cybercrimes, including the distribution of ransomware.

    Reply
  21. Tomi Engdahl says:

    Just one of the alleged fraudsters of the 11 arrested was actively spying on at least 16 companies, Interpol claimed.

    800,000 Passwords, 50,000 Targets: A Huge Nigerian Fraud Operation Busted
    https://www.forbes.com/sites/thomasbrewster/2022/01/19/800000-passwords-50000-targets-a-huge-nigerian-fraud-operation-busted/?utm_campaign=forbes&utm_source=facebook&utm_medium=social&utm_term=Gordie&sh=57337f4e4dc0

    Reply
  22. Tomi Engdahl says:

    Half a million dollars lost to scammers spoofing bank hotlines on Google ads: Police
    https://www.channelnewsasia.com/singapore/scam-bank-hotline-phone-number-google-search-police-2444971

    SINGAPORE: A new scam that tricks victims into calling fake bank hotlines found in advertisements on Google searches has resulted in losses amounting to at least S$495,000, the police said on Wednesday (Jan 19).

    At least 15 people have fallen prey to this new scam variant since December 2021, the police added.

    Reply
  23. Tomi Engdahl says:

    Zoom vulnerabilities impact clients, MMR servers
    Now-patched vulnerabilities in the videoconferencing software have been analyzed by Google researchers.
    https://www.zdnet.com/article/zoom-vulnerabilities-impact-clients-mmr-servers/

    Reply
  24. Tomi Engdahl says:

    Crypto.com CEO admits hundreds of customer accounts were hacked
    https://techcrunch.com/2022/01/19/crypto-com-ceo-admits-hundreds-of-customer-accounts-were-hacked/?tpcc=tcplusfacebook

    Crypto.com CEO Kris Marszalek said around 400 customer accounts have been compromised in a hack in an interview with Bloomberg TV on Wednesday. His confirmation of the breach comes after multiple Crypto.com users alleged their funds had been stolen – complaints that had until now been met with vague responses from the company.

    While Marszalek did not provide details as to how the hack occurred, he told Bloomberg TV that the exchange was back online “about 13-14 hours” after the incident and that all the impacted accounts were reimbursed.

    The company then reassured users numerous times in its communications that customer funds were safe, drawing speculation that Crypto.com would cover any customer losses incurred.

    The losses may amount to $15 million worth of ETH, blockchain security provider PeckShield tweeted on Monday.

    OXT Research speculated that the hack may actually have cost the exchange $33 million.

    Crypto.com is the world’s fourth-largest crypto exchange; it has been pushing hard into U.S. markets in recent months.

    Reply
  25. Tomi Engdahl says:

    Italian senate meeting interrupted by Final Fantasy hentai
    By Rich Stanton
    An interloper got on the virtual meet and played the video.
    https://www.pcgamer.com/italian-senate-meeting-interrupted-by-final-fantasy-hentai/?utm_campaign=socialflow&utm_medium=social&utm_source=facebook.com

    Reply
  26. Tomi Engdahl says:

    CISA Urges Organizations to Implement Immediate Cybersecurity Measures to Protect Against Potential Threats https://www.cisa.gov/uscert/ncas/current-activity/2022/01/18/cisa-urges-organizations-implement-immediate-cybersecurity
    In response to recent malicious cyber incidents in Ukraine, including the defacement of government websites and the presence of potentially destructive malware on Ukrainian systems, CISA has published CISA Insights: Implement Cybersecurity Measures Now to Protect Against Potential Critical Threats. The CISA Insights strongly urges leaders and network defenders to be on alert for malicious cyber activity and provides a checklist of concrete actions that every organization, regardless of sector or size, can take immediately.

    Reply
  27. Tomi Engdahl says:

    Poland raises cybersecurity terror threat after Ukraine cyber attack https://www.reuters.com/technology/poland-raises-cybersecurity-terror-threat-after-ukraine-cyber-attack-2022-01-18/
    Poland on Tuesday raised its nationwide cybersecurity terror threat in the wake of a cyber attack on Ukraine last week, adding that the new alert level was preventative. Last week, Ukraine was hit by a cyber attack that warned Ukrainians to “be afraid and expect the worst” as the country braces for a possible new military offensive from neighbouring Russia. Ukrainian officials say the attack hit around 70 internet sites of government bodies including the security and defence council, the cabinet of ministers and several ministries.

    State-Sponsored Cyber Attacks Against Ukraine https://www.truesec.com/hub/blog/state-sponsored-cyber-attacks-against-ukraine
    Truesec has spent the last few days analyzing the events unfolding in Ukraine. We've explored these events from primarily two perspectives: a threat actor analysis perspective and a technical, reverse engineering perspective. From the threat actor perspective, we looked at historically similar attacks and compared them to what we've seen in Ukraine. From the technical perspective, we reverse engineered the malware initially discovered by Microsoft to ascertain its purpose, technical sophistication, and uncover any other artefacts that may shed light on the attacks. Our Threat Intelligence Unit has also received information from local sources, providing insight about the attack.

    Reply
  28. Tomi Engdahl says:

    Britain’s computer crime cops are targeting youngsters as young as nine years old in an attempt to dissuade them from embarking on a life of cybercrime
    https://www.bitdefender.com/blog/hotforsecurity/nine-year-old-kids-are-launching-ddos-attacks-against-schools/

    The UK’s National Crime Agency (NCA) has launched a new initiative with the hope of educating youngsters about the consequences of launching DDoS attacks. A study by the NCA’s National Cyber Crime Unit (NCCU) discovered that the number of Distributed Denial of Service (DDoS) attacks launched against school networks and websites has more than doubled from 2019 to 2020.

    Reply
  29. Tomi Engdahl says:

    Nigerian cybercrime fraud: 11 suspects arrested, syndicate busted https://www.interpol.int/News-and-Events/News/2022/Nigerian-cybercrime-fraud-11-suspects-arrested-syndicate-busted
    The Nigerian Police Force (NPF) has arrested 11 alleged members of a prolific cybercrime network as part of a national police operation coordinated with INTERPOL. Arrested by officers of the NPF Cybercrime Police Unit and INTERPOL's National Central Bureau (NCB) in Nigeria, many of the suspects are thought to be members of SilverTerrier, a network known for Business Email Compromise (BEC) scams which have harmed thousands of companies globally.

    Reply
  30. Tomi Engdahl says:

    GitHub Actions flaw that allowed code to be approved without review is addressed with new feature rollout https://portswigger.net/daily-swig/github-actions-flaw-that-allowed-code-to-be-approved-without-review-is-addressed-with-new-feature-rollout
    Omer Gil and colleagues from security start-up Cider Security discovered the code review bypass risk was present even for organizations that had not enabled the recently introduced GitHub Actions feature. Gil previously told The Daily Swig: "Required reviews is one of the most widely used security mechanisms in GitHub, and since GitHub Actions is installed by default nearly any organization is vulnerable to this." GitHub Actions, GitHub's continuous integration (CI) service, offers a mechanism to build and run software development workflows all the way from development to production systems.

    Reply
  31. Tomi Engdahl says:

    A top Ukrainian security official on defending the nation against cyber attacks https://therecord.media/a-top-ukrainian-security-official-on-defending-the-nation-against-cyber-attacks/
    In the wake of an escalating crisis between Ukraine and Russia, Demediuk agreed to a follow-up interview in which he discussed issues including the recent defacement of Ukrainian websites, the security of the country's critical infrastructure, and Russia's motivations. In addition to his role on the NSDC, Demediuk was tasked in 2015 with building out Ukraine's CyberPolice force, which prosecutes cybercriminals and thwarts state-sponsored attacks. The interview with Smilyanets was conducted via email in Russian, and was translated to English with the help of several members of Recorded Future's Strategic and Persistent Threats team.

    Reply
  32. Tomi Engdahl says:

    Technical Analysis of the WhisperGate Malicious Bootloader https://www.crowdstrike.com/blog/technical-analysis-of-whispergate-malware/
    On Jan. 15, 2022, a set of malware dubbed WhisperGate was reported to have been deployed against Ukrainian targets. The incident is widely reported to contain three individual components deployed by the same adversary, including a malicious bootloader that corrupts detected local disks, a Discord-based downloader and a file wiper. The activity occurred at approximately the same time multiple websites belonging to the Ukrainian government were defaced. This blog covers the malicious bootloader in more detail.

    Reply
  33. Tomi Engdahl says:

    Red Cross Falls Victim to Massive Cyberattack
    https://www.securityweek.com/red-cross-falls-victim-massive-cyberattack

    The International Committee of the Red Cross was the victim of a massive cyberattack in which hackers seized the data of more than 515,000 extremely vulnerable people, some of whom had fled conflicts, it said on Wednesday.

    “A sophisticated cyber security attack against computer servers hosting information held by the International Committee of the Red Cross (ICRC) was detected this week,” it said in a statement.

    “The attack compromised personal data and confidential information on more than 515,000 highly vulnerable people, including those separated from their families due to conflict, migration and disaster, missing persons and their families, and people in detention.”

    The body, which has its headquarters in Geneva, had no immediate indication as to who might have carried out the attack.

    It said the hackers targeted an external company in Switzerland that the ICRC contracts to store data. There was no evidence so far that the compromised information had been leaked or put in the public domain.

    The ICRC said its “most pressing concern” was the “potential risks that come with this breach — including confidential information being shared publicly — for people that the Red Cross and Red Crescent network seeks to protect and assist, as well as their families”.

    Reply
  34. Tomi Engdahl says:

    Project Zero: Zoom Platform Missed ASLR Exploit Mitigation
    https://www.securityweek.com/project-zero-zoom-platform-missed-aslr-exploit-mitigation

    A prominent security researcher poking around at the Zoom video conferencing platform found worrying signs the company failed to enable a decades-old anti-exploit mitigation, a blunder that greatly increased exposure to malicious hacker attacks.

    The discovery was made by Google Project Zero’s Natalie Silvanovich during a black box security audit of Zoom’s widely deployed software and again brings attention to basic developer mistakes that continue to cause major security problems.

    Silvanovich, known for her work documenting security defects in Apple’s iMessage, found evidence that Zoom failed to enable Address Space Layout Randomization (ASLR), a memory safety mitigation first introduced in 2006 by Microsoft to make it more difficult to automate attacks against the operating system.

    Reply
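    A defender's check for the mitigation discussed above, added here as an example (not Project Zero's or Zoom's code): a small Python parser that reads a Windows PE file's optional header and reports whether DYNAMIC_BASE (ASLR), HIGH_ENTROPY_VA and NX_COMPAT are set, so a build pipeline can fail on a binary shipped without them. The flag values and header offsets come from the PE/COFF format; the build_fake_pe helper constructs header-only test images, and the finding strings and scan_file helper are assumptions for the example.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* flag values from the PE/COFF specification.
DYNAMIC_BASE = 0x0040      # image may be relocated at load time (ASLR)
HIGH_ENTROPY_VA = 0x0020   # 64-bit image supports high-entropy ASLR
NX_COMPAT = 0x0100         # image is DEP/NX compatible

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def parse_dll_characteristics(data: bytes) -> dict:
    """Return the exploit-mitigation flags from a PE image's optional header.

    Only the headers are parsed, so a truncated read that still contains the
    optional header is enough.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4                      # 20-byte COFF file header
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                          # start of the optional header
    if size_of_optional < 72 or len(data) < opt + 72:
        raise ValueError("optional header too short")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    # DllCharacteristics is at offset 70 of the optional header in both the
    # PE32 and PE32+ layouts.
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    is64 = magic == PE32PLUS_MAGIC
    return {
        "pe32plus": is64,
        "dynamic_base": bool(dll_chars & DYNAMIC_BASE),
        "high_entropy_va": is64 and bool(dll_chars & HIGH_ENTROPY_VA),
        "nx_compat": bool(dll_chars & NX_COMPAT),
    }


def aslr_findings(data: bytes) -> list:
    """Findings a reviewer would raise for a shipped binary (wording is ours)."""
    info = parse_dll_characteristics(data)
    findings = []
    if not info["dynamic_base"]:
        findings.append("ASLR disabled: DYNAMIC_BASE not set (image loads at a fixed base)")
    elif info["pe32plus"] and not info["high_entropy_va"]:
        findings.append("64-bit image without HIGH_ENTROPY_VA: ASLR entropy is reduced")
    if not info["nx_compat"]:
        findings.append("DEP disabled: NX_COMPAT not set")
    return findings


def build_fake_pe(dll_characteristics: int, pe32plus: bool = True) -> bytes:
    """Construct a header-only PE image for testing; it is not a runnable executable."""
    e_lfanew = 0x40
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 240 if pe32plus else 224
    machine = 0x8664 if pe32plus else 0x14C
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x0002)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def scan_file(path: str) -> list:
    """Scan a real file on disk (hypothetical helper for use in a build check)."""
    with open(path, "rb") as fh:
        return aslr_findings(fh.read(4096))


if __name__ == "__main__":
    hardened = build_fake_pe(DYNAMIC_BASE | HIGH_ENTROPY_VA | NX_COMPAT)
    fixed_base = build_fake_pe(NX_COMPAT)
    print("hardened image:", aslr_findings(hardened) or "no findings")
    print("fixed-base image:", aslr_findings(fixed_base))
```

    Point scan_file at a DLL or EXE from your own build output and fail the pipeline when the list is non-empty; the same flags can be cross-checked with dumpbin /headers or a PE tool, which is the kind of evidence the black-box audit above was looking for.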
  35. Tomi Engdahl says:

    Thousands of Industrial Firms Targeted in Attacks Leveraging Short-Lived Malware
    https://www.securityweek.com/thousands-industrial-firms-targeted-attacks-leveraging-short-lived-malware

    Thousands of industrial organizations worldwide have been hit in campaigns that leverage short-lived malware to harvest corporate credentials that are then sold by threat actors for a profit, according to Kaspersky.

    The Kaspersky unit focusing on industrial control systems (ICS) has conducted an analysis of the malware found in the first half of 2021 on ICS computers worldwide and noticed that roughly 20% of these samples had a lifespan of roughly 25 days — they are then replaced with a new sample.

    This is significantly shorter than in typical attacks, particularly since the malware involved was part of widely known commodity families such as AgentTesla, HawkEye, Formbook, Masslogger, Snake Keylogger, Azorult, and Lokibot.

    Reply
  36. Tomi Engdahl says:

    NordVPN: Actually, We Do Comply With Law Enforcement Data Requests
    https://uk.pcmag.com/vpn/138232/nordvpn-actually-we-do-comply-with-law-enforcement-data-requests

    The VPN provider quietly changed a 2017 blog post to note that it does comply with lawful requests for data; it also notes it doesn’t log customer activity ‘unless ordered by a court in an appropriate, legal way.’

    Reply
  37. Tomi Engdahl says:

    Crypto Protocol Publicly Announces Flaw, Users Relentlessly Owned by Hackers
    https://www.vice.com/en/article/epxb8m/crypto-protocol-publicly-announces-flaw-users-relentlessly-owned-by-hackers

    The hack against users of Multichain is getting worse as a cybersecurity researcher calls the incident “the worst way to treat a vulnerability.”

    Reply
  38. Tomi Engdahl says:

    https://www.vice.com/en/article/epxb8m/crypto-protocol-publicly-announces-flaw-users-relentlessly-owned-by-hackers

    Earlier this week, a platform that allows users to swap tokens between blockchains publicly announced that there was a flaw that made accounts vulnerable to hackers. The announcement, predictably, prompted several hackers to rush and try to exploit the vulnerability. One of them stole more than $1.4 million dollars, and another one offered victims to return 80 percent of the funds they stole in a message posted to the Ethereum blockchain, keeping the rest as “tips for me saving your money” on Wednesday.

    A Hacker Is Negotiating With Victims on the Blockchain After $1.4M Heist
    https://www.vice.com/en/article/akv7aa/a-hacker-is-negotiating-with-victims-on-the-blockchain-after-dollar14m-heist

    One of the hackers who exploited a vulnerability affecting a blockchain service is now offering to return some of the money, except “tips for me saving your money.”

    Hackers took advantage of a vulnerability in a blockchain service to steal around $1.4 million from users earlier this week. In an unexpected turn of events, one of the hackers is now negotiating on the blockchain itself, offering to return 80 percent of money to the victims, keeping the rest as “tips.” And the hacked company appears to be offering the second hacker a bounty.

    Reply
  39. Tomi Engdahl says:

    Sean Lyngaas / CNN:
    Red Cross says a cyberattack on a vendor for over 60 Red Cross and Red Crescent societies compromised the personal data of 515,000+ “highly vulnerable people” — (CNN) A cyberattack on a contractor used by the International Committee of the Red Cross (ICRC) has compromised …

    Cyberattack on Red Cross compromised data of over 515,000 ‘highly vulnerable people’
    https://edition.cnn.com/2022/01/19/politics/red-cross-cyberattack/

    A cyberattack on a contractor used by the International Committee of the Red Cross (ICRC) has compromised the personal data of more than 515,000 “highly vulnerable people,” including people separated from their families by conflict and disaster, the organization said Wednesday.

    Sophisticated cyber-attack targets Red Cross Red Crescent data on 500,000 people
    https://www.icrc.org/en/document/sophisticated-cyber-attack-targets-red-cross-red-crescent-data-500000-people

    A sophisticated cyber security attack against computer servers hosting information held by the International Committee of the Red Cross (ICRC) was detected this week.

    The attack compromised personal data and confidential information on more than 515,000 highly vulnerable people, including those separated from their families due to conflict, migration and disaster, missing persons and their families, and people in detention. The data originated from at least 60 Red Cross and Red Crescent National Societies around the world.

    The ICRC’s most pressing concern following this attack is the potential risks that come with this breach — including confidential information being shared publicly — for people that the Red Cross and Red Crescent network seeks to protect and assist, as well as their families. When people go missing, the anguish and uncertainty for their families and friends is intense.

    “An attack on the data of people who are missing makes the anguish and suffering for families even more difficult to endure. We are all appalled and perplexed that this humanitarian information would be targeted and compromised,” said Robert Mardini, ICRC’s director-general. “This cyber-attack puts vulnerable people, those already in need of humanitarian services, at further risk.”

    The ICRC has no immediate indications as to who carried out this cyber-attack, which targeted an external company in Switzerland the ICRC contracts to store data. There is not yet any indication that the compromised information has been leaked or shared publicly.

    “While we don’t know who is responsible for this attack, or why they carried it out, we do have this appeal to make to them,” said Mr Mardini.
    “Your actions could potentially cause yet more harm and pain to those who have already endured untold suffering. The real people, the real families behind the information you now have are among the world’s least powerful. Please do the right thing. Do not share, sell, leak or otherwise use this data.”

    The ICRC along with the wider Red Cross and Red Crescent network jointly runs a program called Restoring Family Links that seeks to reunite family members separated by conflict, disaster or migration. Because of the attack, we have been obliged to shut down the systems underpinning our Restoring Family Links work, affecting the Red Cross and Red Crescent Movement’s ability to reunite separated family members. We are working as quickly as possible to identify workarounds to continue this vital work.

    Reply
  40. Tomi Engdahl says:

    Red Cross forced to shutter family reunion service following cyberattack and data leak
    Director-general pleads with cyber-scum: leave this data alone, because the people involved have suffered enough
    https://www.theregister.com/2022/01/20/red_cross_hit_by_cyberattack/

    Humanitarian organization the International Red Cross disclosed this week that it has fallen foul of a cyberattack that saw the data of over 515,000 “highly vulnerable people” exposed to an unknown entity.

    The target of the attack was the organisation’s Restoring Family Links operation, which strives to find missing persons and reunite those separated from their families due to armed conflict, migration, disaster, detention and other catastrophic events. The service is free, but is currently offline.

    Among the stolen data were names, locations, and contact information. The org said the data originated from at least 60 Red Cross and Red Crescent National Societies around the world.

    The threat actor is currently unidentified. However, it is understood that they executed the attack on a Switzerland-based contractor that stores the nonprofit’s data. There are no indications that the data has been leaked publicly.

    The Red Cross said the attack jeopardizes its work, and pleaded with the perp not to leak the data.

    Reply
  41. Tomi Engdahl says:

    Free app for victims of domestic abuse allows users to log evidence of violent crimes until they feel ready to go to the police, and promises that forensic-quality images will be ‘legally admissible’
    https://www.dailymail.co.uk/femail/article-10410983/Free-app-allows-users-log-legally-admissible-evidence-violent-crimes-launches.html?ITO=applenews

    Injury Capture, available globally, empowers victims to report violent crimes
    Allows users to photograph their injuries to scale and add their medical reports
    The date and time of all evidence compiled on the app is verifiable by metadata
    App users can send their full report of evidence to police at the touch of a button

    Reply
  42. Tomi Engdahl says:

    Andrew Asmakov / Decrypt:
    Crypto.com says its breach affected 483 users, resulting in unauthorized withdrawals of ~$33.84M in cryptocurrencies and cash but says users were reimbursed

    Crypto.com Confirms Exchange Lost Nearly $34M to Hackers
    https://decrypt.co/90786/crypto-com-confirms-exchange-lost-nearly-34m-hackers

    Cryptocurrency exchange Crypto.com has lost roughly $34 million in a recent security incident, according to a post-mortem released on Thursday.

    Crypto.com, the industry’s fourth-largest cryptocurrency exchange, finally admitted it lost user funds due to a recent security breach.

    According to a blog post published on Thursday, the incident affected a total of 483 users, resulting in unauthorized withdrawals totaling 4,836.26 Ethereum, 443.93 Bitcoin, and approximately $66,200 in other cryptocurrencies, or roughly $33.84 million in current prices.

    Singapore-based Crypto.com announced it was pausing withdrawals after “a small number of users experienced unauthorized activity in their accounts” on Monday, urging customers to reset their two-factor authentication (2FA).

    Security company Peckshield later revealed that the incident resulted in Crypto.com losing at least 4,600 ETH (around $15 million) in user funds, telling Decrypt that the scale of the damage was “definitely worse.”

    According to Peckshield, half of the stolen funds were sent to Tornado Cash, a crypto mixing service that enables users to obfuscate their transactions.

    On top of that, blockchain analyst ErgoBTC said hackers managed to make it away with about 444 BTC, the number Crypto.com confirmed in today’s post-mortem.

    Despite the litany of evidence, Crypto.com initially refused to acknowledge the hack, with the company’s CEO Kris Marszalek claiming that “no customer funds were lost.”

    Marszalek appeared on Bloomberg TV on Wednesday, finally confirming that around 400 customer accounts had been compromised.

    According to him, Crypto.com quickly paused withdrawals after detecting that “some of the defense layers were breached,” fixed the issue, and was “back online in about 13 to 14 hours.”

    Crypto.com CEO: “Numbers not particularly material”

    He added that the same day, “all of the accounts that were affected were reimbursed, so there was no loss of customer funds.”

    When pressed with the question about the actual extent of the losses suffered by the exchange, Marszalek said that “given the scale of the business, these numbers are not particularly material.”

    Crypto.com said it also revamped and migrated to an entirely new 2FA infrastructure, with 2FA tokens for all users revoked “to ensure the new infrastructure was in effect.”

    The exchange introduced an additional layer of security to add a mandatory 24-hour delay between registration of a new whitelisted withdrawal address and the first withdrawal of funds.

    According to the company, this will give users “adequate time to react and respond” to notifications that new withdrawal addresses have been added.

    WAPP opens up a possibility to restore funds up to $250,000.

    Reply
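    The 24-hour delay between whitelisting a withdrawal address and its first use, described in the post-mortem above, modeled as an added example (not Crypto.com's code; the Account class, the notification list and the addresses are constructed assumptions). It shows why the delay plus a notification gives the account owner a window to react when someone else adds an address.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Mandatory delay between whitelisting a withdrawal address and its first use,
# the control described in the post-mortem.
WHITELIST_DELAY = timedelta(hours=24)
T0 = datetime(2022, 1, 17, 12, 0)  # constructed reference time for the scenario

class WithdrawalDenied(Exception):
    """Raised when the whitelist check or the cooldown blocks a withdrawal."""

@dataclass
class Account:
    whitelisted: dict = field(default_factory=dict)  # address -> time added (assumed model)
    notifications: list = field(default_factory=list)  # stand-in for user notifications

    def add_withdrawal_address(self, address, now):
        self.whitelisted[address] = now
        self.notifications.append(f"new withdrawal address added: {address}")

    def remove_withdrawal_address(self, address):
        self.whitelisted.pop(address, None)

    def withdraw(self, address, amount, now):
        added = self.whitelisted.get(address)
        if added is None:
            raise WithdrawalDenied("address is not whitelisted")
        if now - added < WHITELIST_DELAY:
            raise WithdrawalDenied(f"cooldown, {WHITELIST_DELAY - (now - added)} left")
        return True  # a real system would queue the transfer of `amount` here

def attempt(acct, address, amount, now):
    """True if the control blocked the withdrawal, False if it went through."""
    try:
        acct.withdraw(address, amount, now)
        return False
    except WithdrawalDenied:
        return True

def simulate_compromise():
    """Constructed scenario: someone holding a hijacked session adds their own address
    and tries to withdraw at once; the owner sees the notification and removes it."""
    acct, addr = Account(), "ATTACKER-ADDR-CONSTRUCTED"
    acct.add_withdrawal_address(addr, T0)
    blocked_now = attempt(acct, addr, 10.0, T0 + timedelta(minutes=5))
    acct.remove_withdrawal_address(addr)  # owner reacts to the notification
    blocked_later = attempt(acct, addr, 10.0, T0 + WHITELIST_DELAY)
    return {"notified": len(acct.notifications), "immediate_blocked": blocked_now,
            "after_removal_blocked": blocked_later}
```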
  43. Tomi Engdahl says:

    Sophisticated cyber-attack targets Red Cross Red Crescent data on 500,000 people
    https://www.icrc.org/en/document/sophisticated-cyber-attack-targets-red-cross-red-crescent-data-500000-people
    The attack compromised personal data and confidential information on more than 515,000 highly vulnerable people, including those separated from their families due to conflict, migration and disaster, missing persons and their families, and people in detention. In addition:
    https://www.bleepingcomputer.com/news/security/red-cross-cyberattack-exposes-data-of-515-000-people-seeking-missing-family/
    In addition:
    https://www.mtvuutiset.fi/artikkeli/kansainvalinen-punainen-risti-massiivisen-kyberhyokkayksen-kohteena-humanitaarinen-informaatio-on-vaarantunut/8336394

    Reply
  44. Tomi Engdahl says:

    Open Subtitles breach: The dangers of password reuse
    https://blog.malwarebytes.com/privacy-2/2022/01/open-subtitles-breach-the-dangers-of-password-reuse/
    Popular website Open Subtitles has been breached. The impact so far:
    almost seven million accounts “breached and ransomed” back in August.

    Reply
