Cyber security news January 2022

This posting is here to collect cyber security news in January 2022.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.

439 Comments

  1. Tomi Engdahl says:

    As part of the January 2022 Patch Tuesday, Microsoft fixed a ‘Win32k Elevation of Privilege Vulnerability’ vulnerability tracked as CVE-2022-21882, which is a bypass for the previously patched and actively exploited CVE-2021-1732 bug.

    Windows vulnerability with new public exploits lets you become admin
    https://www.bleepingcomputer.com/news/microsoft/windows-vulnerability-with-new-public-exploits-lets-you-become-admin/

  2. Tomi Engdahl says:

    Finnish diplomats' mobile phones were spied on
    https://www.uusiteknologia.fi/2022/01/28/diplomaattikannykoita-vakoiltiin/

    According to the Ministry for Foreign Affairs, Finnish diplomats have been targeted by cyber espionage using the well-known Pegasus spyware from NSO Group. It is malware that could be transferred to the user's Apple or Android phone without any action by the user.

    The Ministry for Foreign Affairs has resolved an espionage case targeting it
    https://um.fi/ajankohtaista/-/asset_publisher/gc654PySnjTX/content/ulkoministerio-on-saanut-selvitettya-siihen-kohdistuneen-vakoilutapauksen

    Finnish diplomats have been targeted by cyber espionage using NSO Group's widely publicized Pegasus spyware. It is a highly sophisticated piece of malware that could be introduced onto the user's Apple or Android phone unnoticed and without any action by the user. The spyware may have enabled very extensive exploitation of the information on the phone and of its features.

  3. Tomi Engdahl says:

    Vulnerabilities in Swiss E-Voting System Earn Researchers Big Bounties
    https://www.securityweek.com/vulnerabilities-swiss-e-voting-system-earn-researchers-big-bounties

    Researchers have already earned tens of thousands of euros for vulnerabilities found in Switzerland’s new e-voting system as part of a recently launched bug bounty program.

    E-voting was first introduced in Switzerland nearly two decades ago. However, the country’s national postal service, Swiss Post, which is in charge of e-voting, has been working on a new system “with complete verifiability.”

  4. Tomi Engdahl says:

    Zerodium Offering $400,000 for Microsoft Outlook Zero-Day Exploits
    https://www.securityweek.com/zerodium-offering-400000-microsoft-outlook-zero-day-exploits

    The exploit acquisition firm Zerodium this week showed increased interest in buying zero-day exploits targeting the popular email clients Microsoft Outlook and Mozilla Thunderbird.

    The company was already looking to acquire Microsoft Outlook zero-day exploits, but this week it announced higher maximum payouts for them, up from $250,000 to $400,000, yet only temporarily.

    “We are looking for zero-click exploits leading to remote code execution when receiving/downloading emails in Outlook, without requiring any user interaction such as reading the malicious email message or opening an attachment,” the company says.

  5. Tomi Engdahl says:

    Xerox Quietly Patched Device-Bricking Flaw Affecting Some Printers
    https://www.securityweek.com/xerox-quietly-patched-device-bricking-flaw-some-printer-models

    Xerox patched a device-bricking vulnerability in certain printer models more than a year and a half ago, but said nothing until this week, when information on the bug became public.

    The security defect – now tracked as CVE-2022-23968 – was reported to Xerox in September 2019. In January 2020, the vendor had confirmed impact on at least one series of printer models, but said nothing else of the bug for two more years.

    The critical-severity issue can be triggered to at least partially brick a vulnerable device by causing a denial of service (DoS) condition in which the printer asks for a reboot. The error is triggered again immediately after reboot, in a continuous loop.

  6. Tomi Engdahl says:

    Over 100 Million Android Users Installed ‘Dark Herring’ Scamware
    https://www.securityweek.com/over-100-million-android-users-installed-dark-herring-scamware

    More than 105 million Android users downloaded and installed scamware from Google Play and third-party app stores, according to mobile security firm Zimperium.

    A total of 470 malicious applications, collectively named Dark Herring, were used to target users in 70 countries in what appears to be the largest SMS scam campaign known to date. Called GriftHorse, a previous similar campaign compromised roughly 10 million users globally.

    The Dark Herring campaign has been ongoing since at least March 2020, subscribing users to services that charge them with an average monthly premium of $15. With millions of dollars in recurring revenue generated monthly, the attackers caused total losses of hundreds of millions.

    The campaign remained active for such a long period of time because the malicious applications provided users with the expected functionality, which allowed them to remain installed on the victims’ devices.

  7. Tomi Engdahl says:

    The Ministry for Foreign Affairs has resolved an espionage case targeting it https://um.fi/ajankohtaista/-/asset_publisher/gc654PySnjTX/content/ulkoministerio-on-saanut-selvitettya-siihen-kohdistuneen-vakoilutapauksen
    Finnish diplomats have been targeted by cyber espionage using NSO Group's widely publicized Pegasus spyware.
    It is a highly sophisticated piece of malware that could be introduced onto the user's Apple or Android phone unnoticed and without any action by the user. The spyware may have enabled very extensive exploitation of the information on the phone and of its features. Also https://www.hs.fi/kotimaa/art-2000008573488.html
    https://yle.fi/uutiset/3-12292218
    https://www.bleepingcomputer.com/news/security/finnish-diplomats-phones-infected-with-nso-group-pegasus-spyware/

  8. Tomi Engdahl says:

    Popular apps left biometric data, IDs of millions of users in danger https://cybernews.com/security/popular-apps-left-biometric-data-ids-of-millions-of-users-in-danger/
    Service providers using Onfido, an identity verification (IDV) service, let a major flaw in their security go unchecked, in the form of an exposed admin token that potentially left app users' biometric data exposed. Using this safety gap, threat actors could have downloaded personally identifiable information (PII), including copies of client-submitted IDs, passports, and driver’s licenses.

  9. Tomi Engdahl says:

    BlackCat ransomware targeting US, European retail, construction and transportation orgs https://www.zdnet.com/article/blackcat-ransomware-targeting-us-european-retail-construction-and-transportation-orgs/
    Palo Alto said that as of December 2021, BlackCat has the 7th largest number of victims listed on their leak site among ransomware groups that Unit 42 tracks.

  10. Tomi Engdahl says:

    After Russian Arrests, REvil Activity Persists https://blog.reversinglabs.com/blog/after-russian-arrests-revil-rolls-on
    Almost two weeks after Russian authorities orchestrated high profile arrests of cyber criminals affiliated with the notorious ransomware group, there has been little change in the availability of malicious files and implants associated with the group, ReversingLabs data shows. Also https://krebsonsecurity.com/2022/01/who-wrote-the-alphv-blackcat-ransomware-strain/

  11. Tomi Engdahl says:

    Finland warns of Facebook accounts hijacked via Messenger phishing https://www.bleepingcomputer.com/news/security/finland-warns-of-facebook-accounts-hijacked-via-messenger-phishing/
    Finland’s National Cyber Security Centre (NCSC-FI) warns of an ongoing phishing campaign attempting to hijack Facebook accounts by impersonating victims’ friends in Facebook Messenger chats.

  12. Tomi Engdahl says:

    Hackers are taking over CEO accounts with rogue OAuth apps https://www.bleepingcomputer.com/news/security/hackers-are-taking-over-ceo-accounts-with-rogue-oauth-apps/
    Threat analysts have observed a new campaign named OiVaVoii, targeting company executives and general managers with malicious OAuth apps and custom phishing lures sent from hijacked Office 365 accounts.

  13. Tomi Engdahl says:

    Security expert: Finnish diplomats spied on by another state
    https://yle.fi/uutiset/3-12293637
    The spying was carried out with spyware developed by Israelis, and it is reportedly the first case of its kind in which the Pegasus spyware is known to be connected to Finland.

  14. Tomi Engdahl says:

    Over 20,000 data center management systems exposed to hackers https://www.bleepingcomputer.com/news/security/over-20-000-data-center-management-systems-exposed-to-hackers/
    Researchers have found over 20,000 instances of publicly exposed data center infrastructure management (DCIM) software that monitor devices, HVAC control systems, and power distribution units, which could be used for a range of catastrophic attacks.

  15. Tomi Engdahl says:

    Windows vulnerability with new public exploits lets you become admin https://www.bleepingcomputer.com/news/microsoft/windows-vulnerability-with-new-public-exploits-lets-you-become-admin/
    As part of the January 2022 Patch Tuesday, Microsoft fixed a ‘Win32k Elevation of Privilege Vulnerability’ vulnerability tracked as CVE-2022-21882, which is a bypass for the previously patched and actively exploited CVE-2021-1732 bug. BleepingComputer also tested the vulnerability and had no problem compiling the exploit and using it to open Notepad with SYSTEM privileges on Windows 10, as shown below. BleepingComputer could not get the exploit to work on Windows 11.

  16. Tomi Engdahl says:

    2FA App Loaded with Banking Trojan Infests 10K Victims via Google Play https://threatpost.com/2fa-app-banking-trojan-google-play/178077/
    The threat actors developed an operational and convincing application to disguise the malware dropper, using open-source Aegis authentication code injected with malicious add-ons. That helped it spread via Google Play undetected, according to a Pradeo report released on Thursday. Original at https://blog.pradeo.com/vultur-malware-dropper-google-play

  17. Tomi Engdahl says:

    Teen who turned down $5,000 from Elon Musk to shut down a Twitter account tracking the billionaire’s jet says he gets too much work satisfaction to settle for less than $50,000
    https://lm.facebook.com/l.php?u=https%3A%2F%2Fwww.businessinsider.com%2Felon-musk-private-jet-tracking-twitter-account-2022-1&h=AT3V1OZkmB9TCegQeQ4_HqN3buAWOdw4lQGEstfZauJNZRmezNw8vP-W4wJbKNp4EkfUjhOjlwzq3OAJAl3GQczSb-3pv4YzrRiOWPF9-FuNRQrwFUKr2SioYn2xs4WovQ

    19-year-old Jack Sweeney runs a Twitter account that tracks Elon Musk’s private jet.
    Musk offered Sweeney $5,000 to remove it and give advice on how to make his jet less trackable.
    Sweeney told Insider he thought $5,000 was too low for the satisfaction he gets from the work.

  18. Tomi Engdahl says:

    Cyber vigilante hunts down DeFi scammers running away with $25M rug pull
    An exclusive Cointelegraph interview on tracking down a group of DeFi scammers responsible for the $25 million StableMagnet rug pull.
    https://cointelegraph.com/news/cyber-vigilante-hunts-down-defi-scammers-running-away-with-25m-rug-pull

  19. Tomi Engdahl says:

    Security Paper Finds GPU Fingerprinting Disturbingly Effective At Tracking You Online
    https://hothardware.com/news/security-paper-finds-gpu-fingerprinting-disturbingly-effective-at-tracking-you-online

    Many websites and applications employ various device fingerprinting methods to identify users and track their activity across websites and applications over time. The Electronic Frontier Foundation has a good explainer on this subject, as well as a tool to test how well your browser protects you from fingerprinting. TorZillaPrint from arkenfox is another good fingerprint testing tool. Both of these tools use a number of tracking methods that are currently in use on the web. However, researchers are continually developing and testing new methods of digital fingerprinting.

  20. Tomi Engdahl says:

    A North Korean-linked hacking attempt aimed at simultaneous interpreters at international events appears https://blog-alyac-co-kr.translate.goog/4450?_x_tr_sl=auto&_x_tr_tl=en
    The newly discovered attack is characterized by sending crafted hacking emails to multiple interpreters as if they were requesting simultaneous interpretation of an international event. This targeted attack on interpreters is very unusual, with interpreters fluent in English, Chinese and Russian being threatened.

  21. Tomi Engdahl says:

    Russian ‘Gamaredon’ hackers use 8 new malware payloads in attacks https://www.bleepingcomputer.com/news/security/russian-gamaredon-hackers-use-8-new-malware-payloads-in-attacks/
    The Russia-linked hackers known as ‘Gamaredon’ (aka Armageddon or Shuckworm) were spotted deploying eight custom binaries in cyber-espionage operations against Ukrainian entities. Original at https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine

  22. Tomi Engdahl says:

    CISA adds 8 vulnerabilities to list of actively exploited bugs https://www.bleepingcomputer.com/news/security/cisa-adds-8-vulnerabilities-to-list-of-actively-exploited-bugs/
    The US Cybersecurity & Infrastructure Security Agency (CISA) has added eight more flaws to its catalog of exploited vulnerabilities that are known to be used in attacks, and they’re a mix of old and new.

  23. Tomi Engdahl says:

    Apple Pays $100.5K Bug Bounty for Mac Webcam Hack https://threatpost.com/apple-bug-bounty-mac-webcam-hack/178114/
    The researcher found that he could gain unauthorized camera access via a shared iCloud document that could also “hack every website you’ve ever visited.”

  24. Tomi Engdahl says:

    Threat actors target Ubiquiti network appliances using Log4Shell exploits https://therecord.media/threat-actor-target-ubiquiti-network-appliances-using-log4shell-exploits/
    Threat actors are using a customized public exploit for the Log4Shell vulnerability to attack and take over Ubiquiti network appliances running the UniFi software, security firm Morphisec said in a report last week. Original at https://www.sprocketsecurity.com/blog/another-log4j-on-the-fire-unifi

  25. Tomi Engdahl says:

    Unsecured AWS server exposed 3TB in airport employee records https://www.zdnet.com/article/unsecured-aws-server-exposed-airport-employee-records-3tb-in-data/
    On Monday, the SafetyDetectives cybersecurity team said the server belonged to Securitas. The Stockholm, Sweden-based company provides on-site guarding, electronic security solutions, enterprise risk management, and fire & safety services.

  26. Tomi Engdahl says:

    277,000 routers exposed to Eternal Silence attacks via UPnP https://www.bleepingcomputer.com/news/security/277-000-routers-exposed-to-eternal-silence-attacks-via-upnp/
    A malicious campaign known as ‘Eternal Silence’ is abusing Universal Plug and Play (UPnP) to turn your router into a proxy server used to launch malicious attacks while hiding the location of the threat actors.

  27. Tomi Engdahl says:

    Be careful with RPMSG files
    https://isc.sans.edu/forums/diary/Be+careful+with+RPMSG+files/28292/
    Not many people are aware of “.rpmsg” files. The file extension means “restricted-permission message”. They are used to deliver email messages between people and implement some controls applied at the recipient side. Such permissions are, for example, the right to forward or copy the original email.

  28. Tomi Engdahl says:

    More Russian Attacks Against Ukraine Come to Light
    https://www.securityweek.com/more-russian-attacks-against-ukraine-come-light

    The WhisperGate attack is not the only operation believed to have been conducted by Russia-linked threat actors against Ukraine in recent months. Symantec on Monday disclosed the details of an espionage operation that it has tied to a known group.

    For years, Russian advanced persistent threat (APT) actors have been observed launching various cyberattacks against Ukrainian targets, with some of these groups believed to be part of or under the direct supervision of Moscow’s secret service.

    Over the past months, at least two Russian state-sponsored groups have been observed launching cyberattacks against Ukraine, namely Gamaredon, also known as Armageddon, Primitive Bear and Shuckworm, and potentially Sandworm, which is also referred to as Iron Viking, Telebots and Voodoo Bear.

    Active since at least 2013 and mainly focused on targets in Ukraine, Gamaredon relies on phishing emails for the distribution of off-the-shelf tools (such as RMS and UltraVNC) and customized malware (Pterodo/Pteranodon).

  29. Tomi Engdahl says:

    SureMDM Vulnerabilities Exposed Companies to Supply Chain Attacks
    https://www.securityweek.com/suremdm-vulnerabilities-exposed-companies-supply-chain-attacks

    A series of vulnerabilities in 42Gears’ SureMDM device management products could have resulted in a supply chain compromise against any organization using the platform.

    42Gears was founded in 2009. It is based in Bangalore, India, and provides mobile device management and productivity products for organizations with a large mobile workforce. Its website lists a range of major customers (without specifying which products they use) including Deloitte, Saab, Lufthansa, Tesco, Thales, Intel and many others.

    Researchers at Immersive Labs discovered and disclosed the first vulnerability to 42Gears on July 6, 2021. A series of additional vulnerability disclosures together with ‘failed’ private patches (including a new vulnerability introduced by one of the private patches) meant that effective public patches were not released until November 2021 and January 2022.

    On January 23, 2022, 42Gears informed Immersive that they were continuing to apply additional mitigations beyond those reported by the researchers. By this time, Immersive felt they had done everything necessary to ensure their own principles of responsible disclosure, and they could publish their findings.

  30. Tomi Engdahl says:

    Israeli Lawyer, Hungarian Rights Group Target Pegasus Spyware
    https://www.securityweek.com/israeli-lawyer-hungarian-rights-group-target-pegasus-spyware

    An Israeli lawyer said Saturday he was working with a rights group in Hungary to pursue authorities and Israeli firm NSO Group on behalf of Hungarian journalists allegedly targeted with Pegasus spyware.

    Eitay Mack told AFP he had asked the Israeli attorney general to investigate how NSO was licensed to sell its surveillance software, which can switch on a phone’s camera or microphone and harvest its data, to Hungary.

    The lawyer said he had coordinated the request with the Hungarian Civil Liberties Union (HCLU), which says Pegasus targeted the phones of four Hungarian journalists, one Belgian national and a sixth person who has requested anonymity.

  31. Tomi Engdahl says:

    Finnish Diplomats Targeted by Pegasus Spyware: Ministry
    https://www.securityweek.com/finnish-diplomats-targeted-pegasus-spyware-ministry

    Mobile phones belonging to Finnish diplomats were spied on using the cyber espionage software Pegasus, the country’s foreign ministry said on Friday.

    “We can now be clear that there has been spyware in our phones,” the ministry’s head of information security, Matti Parviainen, told AFP. The infected mobile devices were used by Finnish diplomats posted overseas, although the ministry refused to comment on how many staff were targeted, nor on whether the identity of the cyberattackers is known.

    “We have good guesses” about how long the diplomats were spied on, Parviainen said, but the espionage is no longer continuing. Diplomats’ phones only handle information that is either public or with the lowest security classification, the ministry said, but added “the information and its source may be confidential between diplomats.”

  32. Tomi Engdahl says:

    DHS: Americans should be prepared for potential Russian cyberattacks
    https://www.zdnet.com/article/dhs-warns-critical-infrastructure-orgs-local-governments-of-potential-for-russian-cyberattack/

    Officials noted that “Russia’s threshold for conducting disruptive or destructive cyber attacks in the homeland probably remains very high.”

  33. Tomi Engdahl says:

    Horde of miner bots and backdoors leveraged Log4J to attack VMware Horizon servers https://news.sophos.com/en-us/2022/03/29/horde-of-miner-bots-and-backdoors-leveraged-log4j-to-attack-vmware-horizon-servers/
    One of the products affected was VMware Horizon, a desktop and application virtualization platform that became part of the solution for some organizations’ work-from-home needs prior to and during office shutdowns over the past two years.
    Also: https://www.zdnet.com/article/log4shell-exploited-to-infect-vmware-horizon-servers-with-backdoors-crypto-miners/
    Also:
    https://threatpost.com/log4jshell-swarm-vmware-servers-miners-backdoors/179142/
