This posting is here to collect cyber security news in February 2022.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
511 Comments
Tomi Engdahl says:
Slow Windows Updates got you down? Here’s why this is happening.
Microsoft Says Windows May Need up to 8 Hours to Update
By Ian Evenden published 1 day ago
And it’s tracking your Update Connectivity
https://www.tomshardware.com/news/windows-update-needs-eight-hours?utm_medium=social&utm_content=tomsguide&utm_campaign=socialflow&utm_source=facebook.com
Windows computers need at least eight hours of online time to obtain and install the latest operating system updates successfully. This information comes via a post on the Microsoft IT Pro Blog by David Guyer, program manager for Windows Updates in Endpoint Manager at Microsoft.
Achieve better patch compliance with Update Connectivity data
https://techcommunity.microsoft.com/t5/windows-it-pro-blog/achieve-better-patch-compliance-with-update-connectivity-data/ba-p/3073356
Tomi Engdahl says:
Iranian state-sponsored group APT35 linked to Memento ransomware https://therecord.media/iranian-state-sponsored-group-apt35-linked-to-memento-ransomware/
Security researchers have found links between APT35, one of Iran's most active cyber-espionage groups, and Memento, a ransomware strain that was deployed in attacks in the fall of 2021. [Original at https://www.cybereason.com/blog/powerless-trojan-iranian-apt-phosphorus-adds-new-powershell-backdoor-for-espionage]
Tomi Engdahl says:
NSO offered US mobile security firm bags of cash, whistleblower claims https://www.theguardian.com/news/2022/feb/01/nso-offered-us-mobile-security-firm-bags-of-cash-whistleblower-claims
A whistleblower has alleged that an executive at NSO Group offered a US-based mobile security company bags of cash in exchange for access to a global signalling network used to track individuals through their mobile phone, according to a complaint that was made to the US Department of Justice. [Also on the NSO follow-up: https://www.forbes.com/sites/thomasbrewster/2022/02/01/billionaire-facebook-investor-peter-thiel-secretly-funded-a-cyber-warfare-startup-that-hacked-whatsapp/]
Tomi Engdahl says:
SureMDM vulnerability could lead to supply chain compromise https://www.immersivelabs.com/resources/blog/suremdm-vulnerability-could-lead-to-supply-chain-compromise/
By chaining the vulnerabilities affecting the web console together, an attacker could disable security tools and install malware or other malicious code onto every Linux, MacOS or Android device with SureMDM installed. An attacker does not need to know customer details to achieve this or even have an account on SureMDM.
Tomi Engdahl says:
Critical Vulnerability Fixed In Essential Addons for Elementor Plugin https://patchstack.com/articles/critical-vulnerability-fixed-in-essential-addons-for-elementor-plugin/
The plugin Essential Addons for Elementor (versions 5.0.4 and below), which has over 1 million active installations, suffers from a critical vulnerability that was originally discovered by Wai Yan Myo Thet. This vulnerability allows any user, regardless of their authentication or authorization status, to perform a local file inclusion attack.
Tomi Engdahl says:
CVE-2022-0185: Kubernetes Container Escape Using Linux Kernel Exploit https://www.crowdstrike.com/blog/cve-2022-0185-kubernetes-container-escape-using-linux-kernel-exploit/
On Jan. 18, 2022, researchers found a heap-based buffer overflow flaw (CVE-2022-0185) in the Linux kernel (5.1-rc1+) function legacy_parse_param of the filesystem context functionality, which allows an out-of-bounds write in kernel memory. Using this primitive, an unprivileged attacker can escalate its privilege to root, bypassing any Linux namespace restrictions.
Tomi Engdahl says:
Powerful new Oski variant Mars Stealer grabbing 2FAs and crypto https://www.bleepingcomputer.com/news/security/powerful-new-oski-variant-mars-stealer-grabbing-2fas-and-crypto/
A new and powerful malware named Mars Stealer has appeared in the wild, and appears to be a redesign of the Oski malware that shut down development abruptly in the summer of 2020.
Tomi Engdahl says:
Telco fined 9 million for hiding cyberattack impact to customers https://www.bleepingcomputer.com/news/security/telco-fined-9-million-for-hiding-cyberattack-impact-to-customers/
The Greek data protection authority has imposed fines of 5,850,000 EUR ($6.55 million) on COSMOTE and 3,250,000 EUR ($3.65 million) on OTE, for leaking sensitive customer communication due to a cyberattack.
Tomi Engdahl says:
Cyberattacker hits German service station petrol terminal provider https://www.theregister.com/2022/02/01/oiltrading/
Shell station logistics supplier Oiltanking ‘operating with limited capacity’. [Also https://www.bleepingcomputer.com/news/security/german-petrol-supply-firm-oiltanking-paralyzed-by-cyber-attack/ and https://www.zdnet.com/article/shell-forced-re-route-oil-supplies-after-cyberattack-on-german-companies/]
Tomi Engdahl says:
Portugal’s parliament investigating possible website hack on election day https://www.euronews.com/2022/01/30/portugal-s-parliament-investigating-possible-website-hack-on-election-day
Portugal’s parliament is investigating claims of a possible cyberattack on their website during the country’s legislative elections. A hacking group claimed it had gained access to the Portuguese parliament website and “stolen sensitive information”. The parliament’s official website was unavailable in France for a short time on Sunday evening.
Infamous ransomware group claims it hacked France's Justice Ministry https://www.politico.eu/article/infamous-ransomware-group-claims-it-hacked-frances-justice-ministry/
The Lockbit 2.0 ransomware gang added the French Ministry of Justice to its list of victims it publishes on a data leak site. The listing, seen by POLITICO, said the ministry has until February 10 to pay a ransom or else “all available data will be published” on the dark web site.
Tomi Engdahl says:
RIPTA Data Breach Affected About 22,000 People
https://www.securityweek.com/ripta-data-breach-affected-about-22000-people
A data breach at the state agency that operates Rhode Island’s public bus service compromised the personal information of about 22,000 people, agency officials said at a legislative hearing.
Tomi Engdahl says:
New Samba Bug Allows Remote Attackers to Execute Arbitrary Code as Root
https://thehackernews.com/2022/01/new-samba-bug-allows-remote-attackers.html
Samba has issued software updates to address multiple security vulnerabilities that, if successfully exploited, could allow remote attackers to execute arbitrary code with the highest privileges on affected installations.
Chief among them is CVE-2021-44142, which impacts all versions of Samba before 4.13.17 and concerns an out-of-bounds heap read/write vulnerability in the VFS module “vfs_fruit” that provides compatibility with Apple SMB clients.
“All versions of Samba prior to 4.13.17 are vulnerable to an out-of-bounds heap read write vulnerability that allows remote attackers to execute arbitrary code as root on affected Samba installations that use the VFS module vfs_fruit,” the maintainers said in an advisory published on January 31.
According to the CERT Coordination Center (CERT/CC), the flaw also affects widely used Linux distributions such as Red Hat, SUSE Linux, and Ubuntu.
Tomi Engdahl says:
Israeli Police: Possible Improper Surveillance by Our Own
https://www.securityweek.com/israeli-police-possible-improper-surveillance-our-own
Israel’s national police force on Tuesday said it had found evidence pointing to improper use of sophisticated spyware by its own investigators to snoop on Israeli citizens’ phones.
The announcement came two weeks after an Israeli newspaper reported a string of instances of the police using the NSO Group’s Pegasus software to surveil protesters, politicians and criminal suspects without authorization from a judge. The report caused outrage in Israel and prompted the attorney general and lawmakers to launch investigations.
Last month, police said a preliminary internal investigation had found no evidence of misuse of the controversial spyware. But on Tuesday, the police said a secondary inspection “found additional evidence that changes certain aspects of the state of affairs.”
The statement made no mention of NSO, indicating that surveillance products developed by other Israeli firms might be under scrutiny. The company had no comment.
Tomi Engdahl says:
OpenSSF Alpha-Omega Project Tackles Supply Chain Security
https://www.securityweek.com/openssf-alpha-omega-project-tackles-supply-chain-security
Microsoft and Google are throwing their weight behind a new Linux Foundation OpenSSF initiative to address major security gaps in the open-source software ecosystem.
The two tech giants have invested $5 million into the Alpha-Omega Project, an ambitious effort that tackles open source software security through direct engagement of software security experts and automated security testing.
The Alpha-Omega Project is the first major announcement following a meeting between the U.S. government and private sector security leaders in response to the Log4j incident and promises help for at least 10,000 important and widely deployed open-source projects.
Tomi Engdahl says:
Two Dozen UEFI Vulnerabilities Impact Millions of Devices From Major Vendors
https://www.securityweek.com/two-dozen-uefi-vulnerabilities-impact-millions-devices-major-vendors
Researchers at firmware security company Binarly have identified nearly two dozen vulnerabilities in UEFI firmware code used by the world’s largest device makers.
According to Binarly, the 23 high-severity vulnerabilities could impact millions of enterprise devices, such as laptops, servers, routers, network appliances, industrial control systems (ICS), and edge computing devices. There are more than 25 affected vendors, including HP, Lenovo, Fujitsu, Microsoft, Intel, Dell, Bull (Atos) and Siemens.
The security holes exist in the InsydeH2O UEFI firmware provided by Insyde Software.
“The root cause of the problem was found in the reference code associated with InsydeH2O firmware framework code. All of the [impacted] vendors were using Insyde-based firmware SDK to develop their pieces of firmware,” Binarly explained.
The vulnerabilities are mostly related to System Management Mode (SMM) and they can lead to arbitrary code execution with elevated privileges. CVE identifiers have been assigned to each of the 23 weaknesses.
Tomi Engdahl says:
British Council Student Data Found in Unprotected Database
https://www.securityweek.com/british-council-student-data-found-unprotected-database
The information of many British Council students was recently exposed online in an unprotected repository.
A world-leading education institution, British Council operates in over 100 countries worldwide. In 2019 and 2020, it connected directly with roughly 80 million people, and with over 790 million overall.
In early December 2021, MacKeeper and cybersecurity researcher Bob Diachenko discovered an open, unsecured Microsoft Azure blob repository with over 144,000 files (xml, json and xls/xlsx) containing personal information and login details belonging to British Council students.
The blob container was indexed by a public search engine but it’s unclear for how long the data remained accessible to the public without authentication, MacKeeper explains.
The security firm contacted the British Council immediately after confirming the sensitivity of the information and the owner of the repository. The blob container was secured on December 23, roughly two weeks after the initial contact.
Tomi Engdahl says:
Germany: 2 Oil Storage and Supply Firms Hit by Cyberattack
https://www.securityweek.com/germany-2-oil-storage-and-supply-firms-hit-cyberattack
Two companies involved in storing and supplying oil and other materials said Tuesday they have been hit by a cyberattack that has impacted operations in Germany.
Oiltanking GmbH Group and Mabanaft Group on Saturday discovered what they called a “cyber incident affecting our IT systems” and launched an investigation together with external specialists, the companies said in an emailed statement. They did not elaborate on the nature of the incident or address who might be responsible, and said they are working to understand its “full scope.”
They said that Oiltanking GmbH Group — which operates storage tank terminals for oil, gas and chemicals — is still operating all terminals in all global markets. But facilities at Oiltanking Deutschland GmbH, a separate entity that operates all terminals in Germany and is part of Mabanaft, are “operating with limited capacity.”
Mabanaft’s German branch “has also declared force majeure for the majority of its inland supply activities in Germany,” the statement said. The company is an importer, wholesaler and supplier of heating oil, gasoline, diesel fuel, jet fuel and other oil products.
The companies said that they are working “to restore operations to normal in all our terminals as soon as possible.”
Tomi Engdahl says:
Iranian Hackers Using New PowerShell Backdoor Linked to Memento Ransomware
https://www.securityweek.com/iranian-hackers-using-new-powershell-backdoor-linked-memento-ransomware
Attacks from the Iranian Phosphorus APT (aka Charming Kitten, APT35) are well documented. Now a new set of tools incorporated into the group’s arsenal, and a connection with the Memento ransomware, have been discovered.
Researchers from Cybereason's Nocturnus Team have detected a new and undocumented PowerShell backdoor that supports downloading malware such as a keylogger and an infostealer. The code runs in the context of a .NET app without launching powershell.exe, thus avoiding detection, the researchers note in a report.
https://www.cybereason.com/blog/powerless-trojan-iranian-apt-phosphorus-adds-new-powershell-backdoor-for-espionage
Tomi Engdahl says:
Newly Detected “StrifeWater” RAT Linked to Iranian APT
https://www.securityweek.com/newly-detected-strifewater-rat-linked-iranian-apt
The Iranian threat group known as Moses Staff was first spotted in October 2021. It claims its purpose is to harm Israeli companies by leaking sensitive stolen data, but it has also been seen targeting a variety of industries in countries such as Italy, India, Germany, Chile, Turkey, UAE and the U.S.
Tomi Engdahl says:
Critical Flaw Impacts WordPress Plugin With 1 Million Installations
https://www.securityweek.com/critical-flaw-impacts-wordpress-plugin-1-million-installations
Over one million WordPress websites might have been impacted by a critical vulnerability in the Essential Addons for Elementor plugin.
Essential Addons for Elementor provides WordPress site admins with more than 80 elements and extensions to help them easily design WordPress pages and posts.
Affecting version 5.0.4 and earlier of the plugin, the security flaw allows any user to perform a local file inclusion attack, regardless of their authentication or authorization level. The attack then could lead to remote code execution, if the included file contains malicious PHP code.
https://patchstack.com/articles/critical-vulnerability-fixed-in-essential-addons-for-elementor-plugin/
Tomi Engdahl says:
Craig Timberg / Washington Post:
A whistleblower working with the DOJ says NSO Group offered staffers from US mobile security firm Mobileum “bags of cash” for access to global cellular networks — Rep. Ted Lieu asks the Justice Department to investigate after hearing the account of what he called ‘fishy’ behavior.
https://www.washingtonpost.com/technology/2022/02/01/nso-pegasus-bags-of-cash-fbi/
Tomi Engdahl says:
Your computer's graphics processor reveals you online
https://etn.fi/index.php/13-news/13116-koneesi-grafiikkaprosessori-paljastaa-sinut-netissae
When someone tries to locate users online – usually for criminal purposes – it is typically done through the "fingerprints" produced by the browser. Researchers have now developed a technique that identifies the fingerprint of the device's graphics processor. The technique has been named DrawnApart.
DRAWNAPART: A Device Identification Technique based on Remote GPU Fingerprinting
https://arxiv.org/pdf/2201.09956.pdf
Tomi Engdahl says:
Samba Patches Critical Flaws That Earned Researchers Big Rewards
https://www.securityweek.com/samba-patches-critical-flaws-earned-researchers-big-rewards
The latest updates for Samba, the widely used interoperability suite that provides file and print sharing capabilities between Windows and Unix computers, patch critical vulnerabilities that earned researchers tens of thousands of dollars at a recent hacking contest.
Samba developers informed users this week that Samba 4.13.17, 4.14.12 and 4.15.5 patch CVE-2021-44142, an out-of-bounds heap read/write vulnerability that can be exploited for remote code execution with root privileges. Exploitation does not require authentication.
The flaw is related to the virtual file system (VFS) module vfs_fruit and removing the problematic module from the list of configured VFS has been described as a workaround. However, installing the patches is recommended, as the workaround could impact the functionality of macOS systems attempting to access the Samba server.
“The specific flaw exists within the parsing of EA metadata when opening files in smbd,” Samba developers explained in their advisory. “Access as a user that has write access to a file’s extended attributes is required to exploit this vulnerability. Note that this could be a guest or unauthenticated user if such users are allowed write access to file extended attributes.”
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and CERT/CC have also informed organizations about the Samba vulnerabilities. Several major Linux distributions have confirmed being affected.
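The Samba item above gives administrators two concrete things to check: whether any share loads the vfs_fruit module (the documented workaround is to drop it from the configured VFS list, at the cost of macOS client functionality), and whether the running release is at or past 4.13.17, 4.14.12 or 4.15.5. The following Python script is an added example written for this page, not code from Samba, SecurityWeek or the advisory; the smb.conf content is constructed, and the rule that branches newer than 4.15 are patched is an assumption rather than something the page states.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample smb.conf; not taken from the page or from any real server.
SAMPLE_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   server string = file server

[macshare]
   path = /srv/mac
   vfs objects = catia fruit streams_xattr
   fruit:metadata = stream

[plain]
   path = /srv/plain
   read only = no

[timemachine]
   path = /srv/tm
   vfs objects = fruit streams_xattr
   fruit:time machine = yes
"""

# Releases named in the advisory coverage above as carrying the CVE-2021-44142 fix.
FIXED_IN = {(4, 13): 17, (4, 14): 12, (4, 15): 5}


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal smb.conf parser: INI-style [sections], 'key = value' lines, # and ; comments."""
    conf: Dict[str, Dict[str, str]] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+?)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            conf.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[section][key.strip().lower()] = value.strip()
    return conf


def shares_using_vfs_fruit(conf: Dict[str, Dict[str, str]]) -> List[str]:
    """Return share names whose effective 'vfs objects' list loads the fruit module.
    A 'vfs objects' setting in [global] is the default for shares that do not override it."""
    global_vfs = conf.get("global", {}).get("vfs objects", "")
    hits = []
    for name, opts in conf.items():
        if name == "global":
            continue
        if "fruit" in opts.get("vfs objects", global_vfs).split():
            hits.append(name)
    return hits


def parse_version(version: str) -> Tuple[int, int, int]:
    """Extract major.minor.patch from strings such as '4.15.5' or 'Version 4.13.17-Ubuntu'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Samba version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_patched(version: str) -> bool:
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in FIXED_IN:
        return patch >= FIXED_IN[branch]
    # Assumption (not stated on the page): branches newer than 4.15 ship with the fix;
    # anything older than 4.13 predates every fixed release and is treated as unpatched.
    return branch > (4, 15)


def assess(conf_text: str, version: str) -> Dict[str, object]:
    """Combine both checks: a host is at risk if it is unpatched AND still loads vfs_fruit."""
    exposed = shares_using_vfs_fruit(parse_smb_conf(conf_text))
    patched = is_patched(version)
    return {"version": version, "patched": patched,
            "fruit_shares": exposed, "at_risk": bool(exposed) and not patched}


if __name__ == "__main__":
    result = assess(SAMPLE_SMB_CONF, "4.15.4")
    print(result)
    if result["at_risk"]:
        print("Upgrade Samba, or as a stop-gap remove 'fruit' from 'vfs objects' on:",
              ", ".join(result["fruit_shares"]))
```

In practice the version string would come from `smbd -V` and the configuration from `testparm -s`, which expands includes and defaults that this small parser does not handle.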
Tomi Engdahl says:
Cloudflare Launches Public Bug Bounty Program
https://www.securityweek.com/cloudflare-launches-public-bug-bounty-program
Tomi Engdahl says:
FBI Warns of Potential Cyberattacks Targeting 2022 Winter Olympics
https://www.securityweek.com/fbi-warns-potential-cyberattacks-targeting-2022-winter-olympics
The Federal Bureau of Investigation (FBI) on Tuesday announced the release of a Private Industry Notification (PIN) to warn entities associated with the 2022 Winter Olympics and Paralympic games of potential cyberattacks targeting them.
The ongoing COVID-19 pandemic will result in foreign spectators relying on streaming services and social media to stay up to date with the Olympics, and adversaries might attempt to disrupt such services using various techniques.
According to the FBI, threat actors seeking to disrupt the live broadcast of the event might launch distributed denial of service (DDoS) or ransomware attacks, or could attempt to implant malware in the networks of hotels or transit and other services providers.
What’s more, adversaries could employ social engineering techniques or phishing to harvest sensitive data, they might launch disinformation campaigns, or engage in data theft or leaks. The attacks could target both public and private digital infrastructure supporting the Olympics, the FBI notes in the PIN.
However, Olympics participants and travelers might become the targets of such attacks as well and should pay attention to the mobile applications they use, especially if they are built by untrusted vendors.
“The download and use of applications, including those required to participate or stay in the country, could increase the opportunity for cyber actors to steal personal information or install tracking tools, malicious code, or malware,” the FBI says.
Tomi Engdahl says:
North Korea Hacked Him. So He Took Down Its Internet
https://www.wired.com/story/north-korea-hacker-internet-outage/?utm_social-type=owned&mbid=social_facebook&utm_source=facebook&utm_brand=wired&utm_medium=social
Disappointed with the lack of US response to the Hermit Kingdom’s attacks against US security researchers, one hacker took matters into his own hands.
responsibility for North Korea’s ongoing internet outages doesn’t lie with US Cyber Command or any other state-sponsored hacking agency. In fact, it was the work of one American man in a T-shirt, pajama pants, and slippers, sitting in his living room night after night, watching
Just over a year ago, an independent hacker who goes by the handle P4x was himself hacked by North Korean spies. P4x was just one victim of a hacking campaign that targeted Western security researchers with the apparent aim of stealing their hacking tools and details about software vulnerabilities. He says he managed to prevent those hackers from swiping anything of value from him. But he nonetheless felt deeply unnerved by state-sponsored hackers targeting him personally—and by the lack of any visible response from the US government.
So after a year of letting his resentment simmer, P4x has taken matters into his own hands. “It felt like the right thing to do here. If they don’t see we have teeth, it’s just going to keep coming,”
P4x says he’s found numerous known but unpatched vulnerabilities in North Korean systems that have allowed him to singlehandedly launch “denial-of-service” attacks on the servers and routers the country’s few internet-connected networks depend on. For the most part, he declined to publicly reveal those vulnerabilities, which he argues would help the North Korean government defend against his attacks.
But he named, as an example, a known bug in the web server software NginX that mishandles certain HTTP headers, allowing the servers that run the software to be overwhelmed and knocked offline. He also alluded to finding “ancient” versions of the web server software Apache, and says he’s started to examine North Korea’s own national homebrew operating system, known as Red Star OS
P4x says he has largely automated his attacks on the North Korean systems, periodically running scripts that enumerate which systems remain online and then launching exploits to take them down. “For me, this is like the size of a small-to-medium pentest,”
“If they don’t see we have teeth, it’s just going to keep coming.”
P4X, HACKER
Junade Ali, a cybersecurity researcher who monitors the North Korean internet, says he began to observe what appeared to be mysterious, mass-scale attacks on the country’s internet starting two weeks ago and has since closely tracked the attacks without having any idea who was carrying them out.
Ali says he saw key routers for the country go down at times
“As their routers fail, it would literally then be impossible for data to be routed into North Korea,” Ali says, describing the result as “effectively a total internet outage affecting the country.” (P4x notes that while his attacks at times disrupted all websites hosted in the country and access from abroad to any other internet services hosted there, they didn’t cut off North Koreans’ outbound access to the rest of the internet.)
As rare as it may be for a single pseudonymous hacker to cause an internet blackout on that scale, it’s far from clear what real effects the attacks have had on the North Korean government. Only a tiny fraction of North Koreans have access to internet-connected systems to begin with
Williams points out that the hackers who targeted P4x last year—like almost all the country’s hackers—are almost certainly based in other countries, such as China. “I would say, if he’s going after those people, he’s probably directing his attentions to the wrong place,” says Williams. “But if he just wants to annoy North Korea, then he is probably being annoying.”
He acknowledges that his attacks amount to no more than “tearing down government banners or defacing buildings,” as he puts it.
Tomi Engdahl says:
Trezor responds after YouTuber hacks its hardware wallet recovering $2 million in crypto
https://finbold.com/trezor-responds-after-youtuber-hacks-its-hardware-wallet-recovering-2-million-in-crypto/
Hardware crypto wallet provider Trezor has responded after a hacker detailed how he managed to recover his digital assets after losing the PIN to the storage device.
In a detailed YouTube video, Dan Reich, an electrical engineer, explained how he managed to crack a Trezor One hardware wallet containing more than $2 million worth of cryptocurrency.
The wallet was automatically wiped after 16 incorrect PIN guesses.
How the hack was achieved
According to Grand, Trezor One wallet temporarily moved the PIN and key to the RAM during a firmware update. At this point, they deployed a tactic identified as a fault injection attack to recover the credentials. Grand stated that the wallet moved the necessary information back to flash after the update.
The technique changed the voltage directed towards the chip. He explained how they managed to get the phrase code and the PIN.
“We are basically causing misbehavior on the silicon chip inside the device in order to defeat security. And what ended up happening is that I was sitting here watching the computer screen and saw that I was able to defeat the security, the private information, the recovery seed, and the pin that I was going after popped up on the screen,” said Grand.
They explored a vulnerability that allowed them to put the wallet in firmware update mode enabling Grand to install unauthorized code on the device. This approach helped him to read the PIN and key while in RAM.
Trezor’s response
In response, Trezor indicated that the exploit had been fixed. The wallets can no longer copy or move the key and PIN into RAM.
“Hi, we just want to add that this is an outdated exploit that is not a concern for current users and that we fixed in 2017 right after a report that we received through our responsible disclosure program. This attack requires full physical access to the device, and there is no record of any funds being compromised.”
Tomi Engdahl says:
Welcome to the Burner Phone Olympics
https://www.wired.com/story/winter-olympics-2022-phones-security/
Tomi Engdahl says:
PowerLess Trojan: Iranian APT Phosphorus Adds New PowerShell Backdoor for Espionage https://www.cybereason.com/blog/powerless-trojan-iranian-apt-phosphorus-adds-new-powershell-backdoor-for-espionage
Over the past months, the Cybereason Nocturnus Team observed an uptick in the activity of the Iranian attributed group dubbed Phosphorus (AKA Charming Kitten, APT35), known for previously attacking medical research organizations in the US and Israel in late 2020, and for targeting academic researchers from the US, France, and the Middle East region back in 2019.
Tomi Engdahl says:
StrifeWater RAT: Iranian APT Moses Staff Adds New Trojan to Ransomware Operations https://www.cybereason.com/blog/strifewater-rat-iranian-apt-moses-staff-adds-new-trojan-to-ransomware-operations
Aside from Israel, which appears to be the main target of the group, Moses Staff was observed targeting organizations in other countries, including Italy, India, Germany, Chile, Turkey, UAE, and the US. The group targets a variety of industries, among them Government, Finance, Travel, Energy, Manufacturing, and the Utilities industry.
Tomi Engdahl says:
US officials prepare for potential Russian cyberattacks as Ukraine standoff continues https://edition.cnn.com/2022/02/02/politics/fbi-ukraine-cyber-russia/index.html
“Have you identified any efforts by known or suspected Russian [hacking groups] to test exploitation capabilities, develop new malware or otherwise prepare for cyber operations?” the FBI asked in a January 21 request for information to US businesses obtained by CNN.
[...]. Robert M. Lee, CEO of Maryland-based cybersecurity firm Dragos, told officials at the National Security Agency and US Cybersecurity and Infrastructure Security Agency in January that a foreign hacking group had probed the computer networks of US electric utilities that operate liquefied natural gas facilities, Lee told CNN.
Tomi Engdahl says:
A story of leaking uninitialized memory from Fastly https://medium.com/@emil.lerner/leaking-uninitialized-memory-from-fastly-83327bcbee1f
This post will go through a QUIC (HTTP/3) implementation bug in the H2O webserver. The bug is pretty interesting as it affected Fastly in a way that it allowed stealing random requests and responses from uninitialized memory of its nodes, somewhat similar to CloudBleed (but unlike CloudBleed, this vulnerability required specific actions from an attacker).
Tomi Engdahl says:
CoinStomp Malware Family Targets Asian Cloud Service Providers https://www.cadosecurity.com/coinstomp-malware-family-targets-asian-cloud-service-providers/
Researchers at Cado Security recently discovered a new malware campaign targeting Asian Cloud Service Providers (CSPs). This malware, which we've since named CoinStomp, is comprised of a family of shell scripts that attempt to exploit cloud compute instances hosted by these CSPs for the purpose of mining cryptocurrency. While this form of cryptojacking attack is commonplace these days, CoinStomp makes use of some interesting techniques and even references a prior campaign.
Tomi Engdahl says:
TrickBot Gang Uses Template-Based Metaprogramming in Bazar Malware https://securityintelligence.com/posts/trickbot-gang-template-based-metaprogramming-bazar-malware/
This post describes a specific technique that involves what is known as metaprogramming, or more specifically template-based metaprogramming, with a particular focus on its implementation in the Bazar family of malware (BazarBackdoor/BazarLoader). Bazar is best known for its ties to the cybercrime gang that develops and uses the TrickBot Trojan. It is a major cybercrime syndicate that is highly
The evolution of a Mac trojan: UpdateAgent's progression https://www.microsoft.com/security/blog/2022/02/02/the-evolution-of-a-mac-trojan-updateagents-progression/
Since its first appearance in September 2020, the malware displayed an increasing progression of sophisticated capabilities, and while the latest two variants were sporting much more refined behavior compared with earlier versions, they show signs that the malware is still in the development stage and more updates are likely to come. The latest campaign saw the malware installing the evasive and persistent Adload adware, but UpdateAgent's ability to gain access to a device can theoretically be further leveraged to fetch other, potentially more dangerous payloads.
Tomi Engdahl says:
European Fuel Terminals Halted by IT Issues Amid German Hack https://www.bloomberg.com/news/articles/2022-02-02/european-fuel-terminals-halted-by-it-issues-amid-german-hack
Numerous terminals in ARA have been impacted by IT issues, Riverlake, which organizes barge shipments, said in a note. ARA stands for Amsterdam, Rotterdam and Antwerp — the nerve center of Europe's oil and fuel-trading network. The waiting queue is still building up since Sunday, with currently no prospects when the operations can resume.
Tomi Engdahl says:
Office 365 boosts email security against MITM, downgrade attacks https://www.bleepingcomputer.com/news/microsoft/office-365-boosts-email-security-against-mitm-downgrade-attacks/
Microsoft has added SMTP MTA Strict Transport Security (MTA-STS) support to Exchange Online to ensure Office 365 customers’ email communication integrity and security.
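MTA-STS, which the item above says Exchange Online now supports, works by having the receiving domain publish a TXT record plus an HTTPS-served policy; a sending MTA that honours the policy refuses to deliver to an MX that is not listed or that fails TLS, instead of silently falling back to cleartext. The Python below is an added example for this page, not code from Microsoft, BleepingComputer or any MTA; the TXT record and policy text are constructed, the function names are mine, and the STARTTLS and certificate outcomes are passed in as booleans rather than negotiated, since the point is the policy logic (RFC 8461 format and MX matching) rather than the SMTP session.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample records for example.com (not from the page or any real domain).
SAMPLE_TXT = "v=STSv1; id=20220203120000Z;"
SAMPLE_POLICY = """\
version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup.example.com
max_age: 604800
"""


@dataclass
class Policy:
    mode: str
    mx: List[str] = field(default_factory=list)
    max_age: int = 0


def parse_sts_txt(txt: str) -> Dict[str, str]:
    """Parse the _mta-sts.<domain> TXT record ('v=STSv1; id=...;'). The id changes
    whenever the HTTPS-served policy changes, so senders know when to refetch it."""
    fields: Dict[str, str] = {}
    for pair in txt.split(";"):
        pair = pair.strip()
        if pair:
            key, _, value = pair.partition("=")
            fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1" or not fields.get("id"):
        raise ValueError("not a valid STSv1 TXT record")
    return fields


def parse_policy(text: str) -> Policy:
    """Parse the policy fetched from https://mta-sts.<domain>/.well-known/mta-sts.txt."""
    version = None
    mode = None
    mx: List[str] = []
    max_age = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {line!r}")
        key, value = key.strip().lower(), value.strip()
        if key == "version":
            version = value
        elif key == "mode":
            mode = value.lower()
        elif key == "mx":
            mx.append(value.lower())
        elif key == "max_age":
            max_age = int(value)
    if version != "STSv1":
        raise ValueError("unsupported or missing policy version")
    if mode not in ("enforce", "testing", "none"):
        raise ValueError(f"invalid mode: {mode!r}")
    if max_age is None:
        raise ValueError("max_age is required")
    if mode != "none" and not mx:
        raise ValueError("at least one mx entry is required unless mode is none")
    return Policy(mode, mx, max_age)


def mx_matches(pattern: str, host: str) -> bool:
    """RFC 8461 MX matching: exact host match, or a '*.' wildcard covering one left-most label."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]                 # '*.backup.example.com' -> '.backup.example.com'
        if not host.endswith(suffix):
            return False
        label = host[: -len(suffix)]
        return bool(label) and "." not in label
    return host == pattern


def delivery_decision(policy: Policy, mx_host: str, tls_ok: bool, cert_ok: bool) -> Tuple[bool, str]:
    """Decide whether a sending MTA may deliver to mx_host. tls_ok and cert_ok stand in for
    the real STARTTLS and certificate-validation outcomes (simulated inputs in this example)."""
    problems = []
    if not any(mx_matches(p, mx_host) for p in policy.mx):
        problems.append("mx-not-in-policy")
    if not tls_ok:
        problems.append("starttls-failed")
    elif not cert_ok:
        problems.append("certificate-invalid")
    if not problems:
        return True, "ok"
    reason = ",".join(problems)
    if policy.mode == "enforce":
        return False, reason      # refuse delivery rather than downgrade to cleartext
    return True, reason           # testing/none: deliver anyway; a TLSRPT report would record it


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY)
    print(parse_sts_txt(SAMPLE_TXT), policy)
    print(delivery_decision(policy, "mail.example.com", tls_ok=False, cert_ok=True))
```

The "testing" mode is why rollouts are normally staged: it produces the same failure reasons without blocking mail, so a receiving domain can watch TLSRPT reports for misconfigured MX hosts before switching to "enforce".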
Tomi Engdahl says:
Iran's national TV stream hacked for the second time in a week https://therecord.media/irans-national-tv-stream-hacked-for-the-second-time-in-a-week/
A hacktivist group known as Adalat Ali (Ali's Justice) has hijacked the web stream of Iran's state-owned television station, the Islamic Republic of Iran Broadcasting (IRIB), in order to broadcast an anti-regime message earlier this week.
Tomi Engdahl says:
Catalin Cimpanu / The Record:
Blockchain bridge Wormhole confirms a hacker stole $322M worth of ether, and has moved its site into maintenance mode
Cryptocurrency platform Wormhole hacked for an estimated $322 million
https://therecord.media/cryptocurrency-platform-wormhole-hacked-for-an-estimated-322-million/
A threat actor has abused a vulnerability in the Wormhole cryptocurrency platform to steal an estimated $322 million worth of Ether currency.
The attack took place earlier today and impacted Wormhole Portal, a web-based application—also known as a blockchain “bridge”—that allows users to convert one form of cryptocurrency into another.
Bridge portals use “smart contracts” on the Ethereum blockchain to convert an input cryptocurrency into a temporary internal token, which they later convert into the user’s desired output cryptocurrency.
Tomi Engdahl says:
https://www.securityweek.com/walmart-dissects-new-sugar-ransomware
Tomi Engdahl says:
https://www.securityweek.com/cloudflare-launches-public-bug-bounty-program
Tomi Engdahl says:
1,300 Malicious Packages Found in Popular npm JavaScript Package Manager
https://www.securityweek.com/1300-malicious-packages-found-popular-npm-javascript-package-manager
Malicious actors are using the npm registry as the start point for open source software (OSS) supply chain attacks.
Open source software offers huge potential for criminals and nation states to deliver widespread supply chain attacks. OSS registries provide a major feeding ground with easy access.
Npm, Inc., a subsidiary of Microsoft-owned GitHub, is the largest OSS registry providing JavaScript packages. It contains more than 1.8 million active packages – but has, says open-source security management firm WhiteSource, become a playground for ‘malicious actors’. Over the last six months, the WhiteSource Diffend malware detection platform has reported more than 1,300 malicious packages to npm for stealing credentials, stealing crypto and running botnets.
Tomi Engdahl says:
FBI Confirms It Bought Spyware From Israel’s NSO Group
https://www.securityweek.com/fbi-confirms-it-bought-spyware-israels-nso-group
The FBI has confirmed purchasing NSO Group’s powerful spyware tool Pegasus, whose chronic abuse to surveil journalists, dissidents and human rights activists has long been established. It suggested its motivation was to “stay abreast of emerging technologies and tradecraft.”
The agency added in a statement Wednesday that it obtained a limited license from the Israeli firm “for product testing and evaluation only,” never using it operationally or to support any investigation.
But critics wondered why the premier U.S. law enforcement agency would need to pay for access to a notorious surveillance tool that has been extensively researched by public interest cyber sleuths if its interest was so limited.
“Spending millions of dollars to line the pockets of a company that is widely known to serially facilitate widespread human rights abuses, possible criminal acts, and operations that threaten the U.S.’s own national security is definitely troubling,” said Ron Deibert, director of Citizen Lab, the University of Toronto internet watchdog that has exposed dozens of Pegasus hacks since 2016.
Tomi Engdahl says:
Trend Micro Patches Vulnerabilities in Hybrid Cloud Security Products
https://www.securityweek.com/trend-micro-patches-vulnerabilities-hybrid-cloud-security-products
Tomi Engdahl says:
Hacker Wearing Pajama Pants Brings Down North Korea’s Entire Internet
https://futurism.com/the-byte/hacker-pajamas-north-korea?utm_campaign=trueAnthem_manual&utm_medium=trueAnthem&utm_source=facebook
An American hacker managed to disrupt the internet connection of an entire country — while wearing pajamas, eating chips, and watching the movie “Alien,” Wired reports.
The hacker, who goes by the handle P4x, managed to bring North Korea's tightly walled-off internet to its knees over the last few weeks, making it nearly impossible to connect to the outside world.
Tomi Engdahl says:
https://www.marketwatch.com/story/top-cyber-official-has-never-seen-a-more-serious-vulnerability-heres-what-you-should-know-about-log4j-11643736595
Tomi Engdahl says:
Ax Sharma / BleepingComputer:
KP Snacks, a major British snack producer, has been hit by the Conti ransomware, impacting supplies of Skips, Hula Hoops, McCoy’s, and others to supermarkets
KP Snacks giant hit by Conti ransomware, deliveries disrupted
https://www.bleepingcomputer.com/news/security/kp-snacks-giant-hit-by-conti-ransomware-deliveries-disrupted/
Tomi Engdahl says:
Less than two weeks after reporting a critical attack on Google’s browser, numerous new hacks have been confirmed.
https://trib.al/vE5YTLF
Tomi Engdahl says:
https://therecord.media/threat-actor-target-ubiquiti-network-appliances-using-log4shell-exploits/
Tomi Engdahl says:
Teen Who Tracked Elon Musk’s Private Jet Stirs Security Response
https://trib.al/egJnY46
A college student who was able to track wealthy private jet owners—including Elon Musk, Bill Gates and Jeff Bezos—is likely to spur an industry push to stop such activity. Industry officials say the safety and security of high-profile private jet users, their families, flight crews, staff at the airports they are using, and potential corporate espionage is at stake.
In a series of online messages, Musk offered 19-year-old Jack Sweeney $5,000 to stop tracking his private jet flights. The billionaire Tesla founder cited safety concerns, and Sweeney countered, asking for $50,000. According to reports, Musk has since ghosted Sweeney, who was quoted as saying he plans to turn his hobby into a business. His attempts to joust with one of the world’s richest men may find him on the wrong side of a hot-button security issue that dates back more than two decades.
Welcome to the real world.. Like all of our lives and families' lives don't matter flying public planes with public knowledge of exactly what that plane is doing and time stamped at every turn.. Oh that's right we are not famous billionaires so who cares there is no risk bc nobody cares about the common folk right .. Well cry me a river.. Can't stand hearing these out of touch people cry about nothing.. They certainly don't mind all eyes on them when trying to pump their ponzi scheme crypto bs or when we are buying up all the crap they sell making them $$$$$$$$$ billions.. Dfoh!!
Tomi Engdahl says:
Blockchain platform Wormhole offered the attacker $10 million to return the funds.
Solana’s Biggest Hack Ever: $325 Million In Crypto Allegedly Stolen From $1 Billion Decentralized Finance Platform
https://www.forbes.com/sites/jonathanponciano/2022/02/02/solanas-biggest-hack-yet-325-million-in-crypto-allegedly-stolen-from-1-billion-decentralized-finance-platform/?utm_campaign=forbes&utm_source=facebook&utm_medium=social&utm_term=Gordie
Wormhole Portal, a platform that helps users transfer cryptocurrency between the Solana and Ethereum blockchains, said Wednesday afternoon a hacker had stolen more than $325 million worth of tokens in what experts call one of the biggest hacks ever in the booming $192 billion decentralized finance space—an area regulators seem keen to crack down on after a slew of high-profile heists.
Blockchain platform Wormhole, which launched last August and holds roughly $1 billion in deposited funds, notified users of a possible hack on Twitter at about 4 p.m. ET Wednesday, saying its network was down for maintenance as the firm looked into a potential attack.
About an hour later, Wormhole said its network had been exploited and claimed about 120,000 tokens of a cryptocurrency known as wrapped ether, which tracks the value of the world’s second-largest cryptocurrency, ether, had been stolen, representing some $325 million in value.
In a message embedded onto the Ethereum blockchain, Wormhole offered the attacker a $10 million bounty to return the funds, according to blockchain analytics company Elliptic, which called the Wednesday incident the fourth largest cryptocurrency hack ever.
Wormhole did not immediately respond to Forbes’ request for comment, but it said shortly before 7 p.m. that the network’s vulnerability had been “patched”; it’s still unclear who the alleged hacker is and how Wormhole users may have been affected by the heist.
https://www.elliptic.co/blog/325-million-stolen-from-wormhole-defi-service