Cyber security news February 2022

This posting is here to collect cyber security news in February 2022.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.

511 Comments

  1. Tomi Engdahl says:

    A lone hacker on a revenge mission says he is the one who keeps turning off North Korea’s internet
    https://lm.facebook.com/l.php?u=https%3A%2F%2Fwww.businessinsider.com%2Flone-hacker-claims-responsibility-for-turning-off-north-koreas-internet-2022-2&h=AT08lPj0ZR4fKWiwC8H6GgXoeXlkh-VNYTeuRq1bJ_En4XYsDW4KeXMqum8nyVoujQ4IY54p9UAd61gkcQ9tQ-Y34gcLWkDY-6Npb4_Wn8huqi1uL2eYTLe6y8RO3djFYw

    A lone hacker is claiming responsibility for crippling North Korea’s internet in recent weeks.
    The American hacker was bent on revenge after being targeted by a North Korean cyberattack, according to Wired.
    North Korea’s internet has been going down in what some experts have said may be a distributed denial-of-service attack.

    North Korea disappeared from the internet at least twice in the last month, with state-run websites becoming inaccessible, in what some observers speculated was a distributed denial-of-service attack on the country’s servers. Now, a lone hacker bent on revenge claims he is responsible for crippling the secretive country’s internet, according to a report from Wired.

    Reply
  2. Tomi Engdahl says:

    QR codes on Twitter deliver malicious Chrome extension
    https://www.gdatasoftware.com/blog/2022/01/37236-qr-codes-on-twitter-deliver-malicious-chrome-extension
    The loader for the malicious Chrome extension was initially analysed by @x3ph1 who dubbed it ChromeLoader. To avoid misunderstandings with legitimate Chrome components we hereby refer to it as Choziosi loader.
    The analysis on the loader is detailed but x3ph1 does not describe the Chrome extension Choziosi, which got me intrigued. Twitter user @th3_protoCOL found QR codes that circulate on Twitter and advertise pirated software to lure people into downloading an ISO. Reddit users also complain about malicious ISO files on websites that provide Steam games.

    Reply
  3. Tomi Engdahl says:

    Cisco fixes critical bugs in RV routers, exploit code available https://www.bleepingcomputer.com/news/security/cisco-fixes-critical-bugs-in-rv-routers-exploit-code-available/
    Cisco has released patches for multiple vulnerabilities in the Small Business RV Series router platform that could allow remote attackers to gain complete control over the device, in many cases, without authentication. In total, there are fifteen vulnerabilities fixed by these security updates, with five of them rated as Critical as threat actors can use them to gain ‘root’ privileges or remotely execute commands on the device. Also:
    https://thehackernews.com/2022/02/critical-flaws-discovered-in-cisco.html.
    https://threatpost.com/criticalcisco-bugs-vpn-routers-cyberattacks/178199/

    Reply
  4. Tomi Engdahl says:

    BlackCat ransomware what you need to know https://www.tripwire.com/state-of-security/security-data-protection/blackcat-ransomware-what-you-need-to-know/
    BlackCat (also known as ALPHV) is a relatively new ransomware-as-a-service (RaaS) operation, which has been aggressively recruiting affiliates from other ransomware groups and targeting organisations worldwide. Like other ransomware groups, BlackCat extorts money from targeted organisations by stealing sensitive data (and threatening to release it publicly), and encrypting systems. But BlackCat goes one stage further and also threatens to launch a distributed denial-of-service (DDoS) attack if its demands are not met.

    Reply
  5. Tomi Engdahl says:

    iPhone flaw exploited by second Israeli spy firm-sources
    https://www.euractiv.com/section/cybersecurity/news/iphone-flaw-exploited-by-second-israeli-spy-firm-sources/
    A flaw in Apple’s software exploited by Israeli surveillance firm NSO Group to break into iPhones in 2021 was simultaneously abused by a competing company, according to five people familiar with the matter.
    QuaDream, the sources said, is a smaller and lower profile Israeli firm that also develops smartphone hacking tools intended for government clients.

    Reply
  6. Tomi Engdahl says:

    String of cyberattacks on European oil and chemical sectors likely not coordinated, officials say https://therecord.media/string-of-cyberattacks-on-european-oil-and-chemical-sectors-likely-not-coordinated-officials-say/
    European prosecutors and cybersecurity officials are investigating a ransomware attack affecting several major oil port terminals that occurred just days after a separate hack on two German companies forced oil suppliers to reroute their products to alternative depots.
    The attacks targeted organizations in Belgium, the Netherlands, and Germany, including some of the largest ports in the region.
    Cybersecurity officials from those countries on Thursday said they do not have reason to believe that the attacks are linked to one another. Also:
    https://www.zdnet.com/article/cyberattack-affecting-belgian-port-operations/

    Reply
  7. Tomi Engdahl says:

    Wormhole Crypto Platform: Funds Are Safe After $314M Heist
    https://threatpost.com/wormhole-crypto-funds-safe-heist/178189/
    Wormhole, a web-based blockchain bridge that enables users to convert cryptocurrencies, said on Thursday that all funds are safe after attackers abused a vulnerability to shake it down for 120,000 Ethereum (approximately $314 million). The popular bridge, which connects Ethereum (ETH), the Solana blockchain (SOL) and more, has reportedly been trying to negotiate on-chain with the attacker since Wednesday’s attack. Also:
    https://therecord.media/cryptocurrency-platform-wormhole-hacked-for-an-estimated-322-million/.
    https://www.bleepingcomputer.com/news/cryptocurrency/wormhole-cryptocurrency-platform-hacked-to-steal-326-million/

    Reply
  8. Tomi Engdahl says:

    https://www.binarly.io/posts/An_In_Depth_Look_at_the_23_High_Impact_Vulnerabilities/index.html
    An In Depth Look at the 23 High Impact Vulnerabilities. Today, we are announcing the discovery of 23 high-impact vulnerabilities in one of the major Independent BIOS Developers (IBV) software. These vulnerabilities impact not only a single vendor, but all the vendors who adopted the IBV code into their UEFI firmware software. Binarly confirmed that all these vulnerabilities are found in several of the major enterprise vendor ecosystems. The verified list of impacted vendors consists of: Fujitsu, Siemens, Dell, HP, HPE, Lenovo, Microsoft, Intel and Bull Atos.

    Reply
  9. Tomi Engdahl says:

    North Korea Hacked Him. So He Took Down Its Internet https://www.wired.com/story/north-korea-hacker-internet-outage/
    FOR THE PAST two weeks, observers of North Korea’s strange and tightly restricted corner of the internet began to notice that the country seemed to be dealing with some serious connectivity problems. On several different days, practically all of its websites (the notoriously isolated nation only has a few dozen) intermittently dropped offline en masse, from the booking site for its Air Koryo airline to Naenara, a page that serves as the official portal for dictator Kim Jong-un’s government.

    Reply
  10. Tomi Engdahl says:

    Russia’s Gamaredon aka Primitive Bear APT Group Actively Targeting Ukraine https://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/
    Since November, geopolitical tensions between Russia and Ukraine have escalated dramatically. It is estimated that Russia has now amassed over 100,000 troops on Ukraine’s eastern border, leading some to speculate that an invasion may come next. On Jan. 14, 2022, this conflict spilled over into the cyber domain as the Ukrainian government was targeted with destructive malware (WhisperGate) and a separate vulnerability in OctoberCMS was exploited to deface several Ukrainian government websites. While attribution of those events is ongoing and there is no known link to Gamaredon (aka Primitive Bear).

    Reply
  11. Tomi Engdahl says:

    Volexity Warns of ‘Active Exploitation’ of Zimbra Zero-Day
    https://www.securityweek.com/volexity-warns-active-exploitation-zimbra-zero-day

    Malware hunters at Volexity are raising the alarm for a Chinese threat actor seen exploiting a zero-day flaw in the Zimbra email platform to infect media and government targets in Europe.

    The attacks, which start with a series of targeted spear phishing emails, include the use of an exploit for a still-unpatched cross-site scripting (XSS) flaw in the open-source Zimbra email platform, Volexity said in an advisory released late Thursday.

    The attacks, described as ongoing and “active,” are targeting media and government organizations in Europe.
    “At the time of writing, this exploit has no available patch, nor has it been assigned a CVE,” the company said. “This is a zero-day vulnerability.”

    Reply
  12. Tomi Engdahl says:

    Ransomware Attack Disrupts Manufacturing at KP Snacks
    https://www.securityweek.com/ransomware-attack-disrupts-manufacturing-kp-snacks

    British snacks producer Kenyon Produce (KP) Snacks has fallen victim to a ransomware attack that caused some disruptions to its manufacturing and distribution operations.

    The German-owned company says it became aware of the attack on January 28, and that it immediately took the necessary steps to contain the incident.

    Responding to a SecurityWeek inquiry, KP Snacks said it started an investigation into the attack soon after enacting its cybersecurity response plan. However, the situation hasn’t been resolved as of yet.

    “While this is causing some disruption to our manufacturing and shipping processes, we are already working on plans to keep our products stocked and on shelves,” KP Snacks told SecurityWeek.

    The company also said it has informed employees, customers, and suppliers of the incident, adding that it is keeping them informed of new developments.

    Reply
  13. Tomi Engdahl says:

    Critical Vulnerabilities Found in Sealevel Device Used in ICS Environments
    https://www.securityweek.com/critical-vulnerabilities-found-sealevel-device-used-ics-environments

    Cisco’s Talos security researchers have published details on a series of critical vulnerabilities that Sealevel has addressed in the SeaConnect 370W WiFi-connected edge device.

    The internet of things (IoT) device is used in industrial control system (ICS) environments for the monitoring of real-world I/O processes. The identified bugs could be exploited to execute arbitrary code on a vulnerable device, or to perform man-in-the-middle attacks.

    The most severe of the newly disclosed bugs are three buffer overflow issues rated “critical severity,” which could be exploited to achieve remote code execution on vulnerable devices.

    With a CVSS score of 10, two of the flaws were identified in the LLMNR and NBNS name resolution services that SeaConnect 370W exposes. The bugs are tracked as CVE-2021-21960 and CVE-2021-21961.

    “The vulnerability occurs when attempting to copy the queried name to a local buffer of fixed size (identified above as name_buffer). The implementation does not conduct any bounds checking prior to copying the data, simply trusting the supplied length field will be accurate and no larger than 32 bytes,” Talos explains.

    https://blog.talosintelligence.com/2022/02/vuln-spotlight-sea-level-connect.html

    Reply
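    The Talos excerpt above describes the classic defect behind CVE-2021-21960 and CVE-2021-21961: a name-resolution query carries its own length field, and the firmware copies that many bytes into a 32-byte local buffer without checking either the packet size or the buffer size. The following C program is an added illustration written for this post; it is not Sealevel's firmware or Talos's proof-of-concept, and its single-label query layout, the function names `copy_name_unchecked` / `copy_name_checked`, and the sample packets are constructed for the demonstration. It shows the trusting copy beside a hardened version that validates the length against both the packet and the buffer before copying anything.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Size of the fixed local buffer named in the Talos write-up (32 bytes). */
#define NAME_BUFFER_SIZE 32

/*
 * Simplified DNS-style label: query[0] is the name length, followed by that
 * many bytes of name. Real LLMNR/NBNS packets carry more structure; this
 * layout is a constructed assumption for the example.
 *
 * Vulnerable pattern described by Talos: the length byte is trusted and
 * copied into the fixed buffer with no bounds check. A length byte of 32 or
 * more overruns name_buffer; a length larger than the packet reads past it.
 * It is shown here for comparison and is only ever called on well-formed
 * input in main().
 */
static int copy_name_unchecked(const uint8_t *query, size_t query_len,
                               char name_buffer[NAME_BUFFER_SIZE])
{
    (void)query_len;                 /* never consulted: that is the bug */
    uint8_t len = query[0];
    memcpy(name_buffer, query + 1, len);
    name_buffer[len] = '\0';
    return (int)len;
}

/*
 * Hardened version: the same copy, but the length field is validated against
 * the buffer capacity (leaving room for the terminator) and against the
 * number of bytes actually present in the packet. Returns -1 on malformed
 * input instead of copying anything.
 */
static int copy_name_checked(const uint8_t *query, size_t query_len,
                             char name_buffer[NAME_BUFFER_SIZE])
{
    if (query == NULL || query_len < 1)
        return -1;
    uint8_t len = query[0];
    if (len >= NAME_BUFFER_SIZE)     /* name plus '\0' must fit the buffer */
        return -1;
    if ((size_t)len + 1 > query_len) /* packet must really contain len bytes */
        return -1;
    memcpy(name_buffer, query + 1, len);
    name_buffer[len] = '\0';
    return (int)len;
}

/* Constructed sample queries, wrapped so each case returns a checkable value. */

/* Well-formed query: length 4, name "HOST". Expected: 4. */
static int demo_valid_query(void)
{
    const uint8_t q[] = { 4, 'H', 'O', 'S', 'T' };
    char buf[NAME_BUFFER_SIZE];
    return copy_name_checked(q, sizeof q, buf);
}

/* Length field claims 200 bytes, far beyond the 32-byte buffer. Expected: -1. */
static int demo_oversized_length(void)
{
    const uint8_t q[] = { 200, 'A', 'B' };
    char buf[NAME_BUFFER_SIZE];
    return copy_name_checked(q, sizeof q, buf);
}

/* Length field claims 10 bytes but only 2 follow in the packet. Expected: -1. */
static int demo_truncated_packet(void)
{
    const uint8_t q[] = { 10, 'A', 'B' };
    char buf[NAME_BUFFER_SIZE];
    return copy_name_checked(q, sizeof q, buf);
}

int main(void)
{
    const uint8_t good[] = { 4, 'H', 'O', 'S', 'T' };
    char a[NAME_BUFFER_SIZE], b[NAME_BUFFER_SIZE];

    /* On well-formed input both variants agree; they only differ on bad input. */
    printf("unchecked: %d \"%s\"\n", copy_name_unchecked(good, sizeof good, a), a);
    printf("checked:   %d \"%s\"\n", copy_name_checked(good, sizeof good, b), b);
    printf("oversized length rejected: %d\n", demo_oversized_length());
    printf("truncated packet rejected: %d\n", demo_truncated_packet());
    return 0;
}
```

    The two checks are independent and both are needed: the first prevents the stack overwrite Talos describes, the second prevents an over-read of whatever follows a short packet in memory. A fuzzer or a unit test that feeds the two malformed packets above is the cheapest way to confirm a parser has both.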
  14. Tomi Engdahl says:

    European Oil Port Terminals Hit by Cyberattack
    https://www.securityweek.com/european-oil-port-terminals-hit-cyberattack

    Major oil terminals in some of Western Europe’s biggest ports have fallen victim to a cyberattack at a time when energy prices are already soaring, sources confirmed on Thursday.

    Belgian prosecutors have launched an investigation into the hacking of oil facilities in the country’s maritime entryways, including Antwerp, Europe’s second biggest port after Rotterdam.

    In Germany, prosecutors said they were investigating a cyberattack targeting oil facilities in what was described as a possible ransomware strike, in which hackers demand money to reopen hijacked networks.

    Oil prices hit a seven-year high last month amid diplomatic tensions with gas supplier Russia, and energy bills are fuelling a rise in inflation that has spooked European policymakers.

    Reply
  15. Tomi Engdahl says:

    Financially Motivated Hackers Use Leaked Conti Ransomware Techniques in Attacks
    https://www.securityweek.com/financially-motivated-hackers-use-leaked-conti-ransomware-techniques-attacks

    A series of financially motivated attacks are employing techniques observed in Conti ransomware playbooks that were leaked online in August 2021, Mandiant reports.

    The attacks employ a multi-stage infection chain that starts with search engine optimization (SEO) poisoning and ends with the deployment of backdoors for stealthy access and information theft.

    As part of the analyzed attacks, victims are lured to compromised websites and tricked into downloading malicious installers containing both legitimate software and the Batloader malware, which serves as the first stage of the infection chain.

    Following Batloader’s execution, both malicious and legitimate tools are deployed onto the victim’s machine, including PowerShell, Msiexec.exe, and Mshta.exe, which allow attackers to avoid detection.

    One variant of the attack resembles the exploitation of a Windows spoofing vulnerability patched in 2020 (CVE-2020-1599), where HTA-supported scripts are appended to PE files while the digital signature remains valid. The file runs the scripts if executed with Mshta.exe.

    Reply
  16. Tomi Engdahl says:

    European oil facilities hit by cyber-attacks
    https://lm.facebook.com/l.php?u=https%3A%2F%2Fwww.bbc.com%2Fnews%2Ftechnology-60250956&h=AT0QYq4INAMmewdujedK0ZGo7J9Vzk_W1DUWG6uy8sDfHFd8qtIbkxpF6BMFhjWxlFNGg1HMLMFX67y8c41K6eVImwFdCdw34ZokNHZHLWOzs1SW64MiElRGZSFaQ5Onc9p5B_vd27bSOaKvtw

    Multiple oil transport and storage companies across Europe are dealing with cyber-attacks.

    IT systems have been disrupted at Oiltanking in Germany, SEA-Invest in Belgium and Evos in the Netherlands.

    In total dozens of terminals with oil storage and transport around the world have been affected, with firms reporting that the attacks occurred over the weekend.

    But experts caution against assuming this is a co-ordinated attack.

    The BBC understands that all three companies’ IT systems went down or were severely disrupted.

    The company is working to get a back-up IT system online but says that most liquid transportation is operational.

    Some reports suggest the attack on Oiltanking is ransomware, where hackers scramble data and make computer systems inoperable until they get paid a ransom.

    In May last year a ransomware attack on US oil supplier Colonial Pipeline saw supplies tighten across the US and multiple states declaring an emergency.

    The disruption comes as tensions remain high between Ukraine and Russia and as concern over rising energy prices grows.

    But cyber-security experts caution against jumping to the conclusion that the multiple incidents are the result of a co-ordinated effort to disrupt the European energy sector.

    Reply
  17. Tomi Engdahl says:

    Dustin Volz / Wall Street Journal:
    White House forms the Cyber Safety Review Board, loosely modeled on NTSB, to investigate major national cybersecurity failures, starting with the Log4j bug

    Biden Administration Forms Cybersecurity Review Board to Probe Failures
    https://www.wsj.com/articles/biden-administration-forms-cybersecurity-review-board-to-probe-failures-11643898601?mod=djemalertNEWS

    The new panel is loosely modeled on the National Transportation Safety Board and will look into the recently discovered Log4j internet bug

    The Biden administration has formed a panel of senior administration officials and private-sector experts to investigate major national cybersecurity failures, and it will probe as its first case the recently discovered Log4j internet bug, officials said.

    The new Cyber Safety Review Board is tasked with examining significant cybersecurity events that affect government, business and critical infrastructure. It will publish reports on security findings and recommendations, officials said. Details of the board will be announced Thursday.

    Several government agencies, including the National Security Agency and other parts of DHS, have expansive cybersecurity missions that include protecting the federal government and assisting the private sector. Officials said the new board was necessary to combine the expertise of government officials and private-sector researchers to study high-profile cybersecurity episodes and share comprehensive findings with the public.

    Reply
  18. Tomi Engdahl says:

    Andrew Thurman / CoinDesk:
    Wormhole’s parent company replaces $322M worth of ETH stolen by a hacker on Wednesday; the bridge’s operations resumed after the attack vector was patched

    Jump Trading Backstops Wormhole’s $320M Exploit Loss
    Wormhole’s parent company has stepped in to prevent chaos across the Solana DeFi landscape.
    https://www.coindesk.com/business/2022/02/03/jump-trading-backstops-wormholes-320m-exploit-loss-sources/

    After one of the most devastating exploits in crypto history, the parent company for a popular cross-blockchain bridge has reportedly stepped in to backstop funds – a move that may have prevented widespread damage in the Solana decentralized finance (DeFi) ecosystem.

    On Wednesday night, the Wormhole bridge suffered an exploit to its Solana-Ethereum bridge, with an attacker fraudulently minting 120,000 ether (ETH) worth over $320 million. The attacker moved the majority of the funds to the Ethereum main chain, while keeping 40,000 wrapped ETH on Solana and trading portions of that ether for other assets.

    On Thursday, three people familiar with the matter confirmed to CoinDesk that Jump Trading is responsible for replenishing the lost ETH. After publication of this article, Jump confirmed the move in a tweet:

    The unbacked ETH briefly appeared as if it might lead to chaos across popular Solana platforms. Blockchain bridges often work by locking an asset into a smart contract and issuing a parallel, “wrapped” asset on another chain. Because the exploit minted wrapped ETH, it left Wormhole’s real ETH reserves unbacked.

    Step Finance co-founder George Harrap told CoinDesk on Wednesday that a number of Solana-based protocols that accept ETH as collateral could become insolvent due to the exploit.

    “If nobody backs it and the coins are truly gone then Wormhole ETH is worth [zero] and everyone who has a balance of it becomes worthless, DeFi protocols, users, everyone,” he said.

    However, Harrap said that he expected Jump Trading, a large crypto venture capital and trading firm that purchased Wormhole developer Certus One in August, to step in to back the lost ETH.

    Reply
  19. Tomi Engdahl says:

    Cyberattack on News Corp, Believed Linked to China, Targeted Emails of Journalists, Others
    https://www.wsj.com/articles/cyberattack-on-news-corp-believed-linked-to-china-targeted-emails-of-journalists-others-11643979328?mod=flipboard

    The attack, discovered on Jan. 20, affected units including The Wall Street Journal, the New York Post and the U.K. news operation

    Reply
  20. Tomi Engdahl says:

    News Corp said the attack affected the New York Post, News Technology Services, Dow Jones, and News UK.

    News Corp Cyberattack Targeted Journalists — Cybersecurity Firm Says Attack Likely Linked To China
    https://lm.facebook.com/l.php?u=https%3A%2F%2Fwww.forbes.com%2Fsites%2Fannakaplan%2F2022%2F02%2F04%2Fnews-corp-cyberattack-targeted-journalists—cybersecurity-firm-says-attack-likely-linked-to-china%2F%3Futm_campaign%3Dforbes%26utm_source%3Dfacebook%26utm_medium%3Dsocial%26utm_term%3DGordie&h=AT20c9cYyA0XQSXF378Jmnj6fSpcft6kjrQX12gKQwSukqU3-FVG_XuiQwmXNagobRypF5rWYfcmqXpkEpUdtkmOmHzQXjtXS9OjJYnJSBn58C7lnrCpANQ0P68108_VRw

    News Corp, the Rupert Murdoch-founded parent company of the Wall Street Journal and Dow Jones, was the target of a cybersecurity attack affecting “a limited number” of employees, including journalists, the company said in an email to staff on Friday—a hack that the cybersecurity firm hired by News Corp said likely was to collect intelligence to “benefit China’s interests.”

    In an email to staff, News Corp said it became aware of attack activity on January 20 affecting “a limited number” of business accounts and documents from News Corp headquarters, News Technology Services, Dow Jones, News UK and the New York Post.

    The company said it believes the threat activity has been contained, and that it contacted law enforcement and launched an investigation with cybersecurity firm Mandiant.

    It is unclear exactly how many employees were affected by the cyberattack, or what the method of the hack was.

    U.S. officials have alleged China-based hackers have been behind a series of attacks threatening journalists, claims China denies.

    Earlier this week, FBI Director Christopher Wray warned China poses a larger threat than any other nation, in part due to their hacking capabilities. Wray said the FBI has over 2,000 investigations focused on the Chinese government trying to steal information and technology.

    Reply
  21. Tomi Engdahl says:

    DHS creates Cyber Safety Review Board, targets Log4j exploit for its first report
    https://www.theverge.com/2022/2/4/22917802/dhs-creates-cyber-safety-review-board-log4j-fbi-nsa

    The board was outlined in the president’s executive order on improving the nation’s cybersecurity

    Reply
  22. Tomi Engdahl says:

    Tens of Thousands of Websites Vulnerable to RCE Flaw in WordPress Plug-in
    Now-patched issue in Essential Addons for Elementor gives attackers a way to carry out local file inclusion attacks, researchers say.
    https://www.darkreading.com/vulnerabilities-threats/tens-of-thousands-of-websites-vulnerable-to-rce-flaw-in-wordpress-plugin

    Reply
  23. Tomi Engdahl says:

    UEFI firmware vulnerabilities affecting Fujitsu, Intel and more discovered
    23 “high-impact vulnerabilities” were discovered by security company Binarly.
    https://www.zdnet.com/article/firmware-vulnerabilities-affecting-fujitsu-intel-and-more-discovered/

    Reply
  24. Tomi Engdahl says:

    23 Major BIOS Vulnerabilities Discovered, Impact Intel, Lenovo, Others
    By Aaron Klotz published 3 days ago
    The affected parties relate to OEMs only
    https://www.tomshardware.com/news/enterprise-oem-vunerabilities

    Reply
  25. Tomi Engdahl says:

    Critical Bug Found in WordPress Plugin for Elementor with Over a Million Installations
    https://thehackernews.com/2022/02/critical-bug-found-in-wordpress-plugin.html

    Reply
  26. Tomi Engdahl says:

    GPU Fingerprinting Can Be Used to Track You Online: Researchers
    By Francisco Pires published 5 days ago
    And we thought cookies were dangerous enough.
    https://www.tomshardware.com/news/researchers-gpus-can-be-used-for-digital-fingerprinting-and-web-tracking

    Reply
  27. Tomi Engdahl says:

    Dozens of Security Flaws Discovered in UEFI Firmware Used by Several Vendors
    https://thehackernews.com/2022/02/dozens-of-security-flaws-discovered-in.html

    Reply
  28. Tomi Engdahl says:

    Blockchain enthusiast allegedly loses $500K by sending wETH to contract address
    While the contract does wrap ETH sent to the address into wETH, the opposite is not true.
    https://cointelegraph.com/news/blockchain-enthusiast-allegedly-losses-500k-by-sending-weth-to-contract-address

    Reply
  29. Tomi Engdahl says:

    Raspberry Pi Virus Detection System Can Detect Malware on other Devices
    https://community.element14.com/technologies/sensor-technology/b/blog/posts/raspberry-pi-virus-detection-system-can-detect-malware-on-other-devices

    The system uses the Pi, an H-field probe and an o-scope to detect electromagnetic wave signatures from multiple virus types.

    Reply
  30. Tomi Engdahl says:

    Alarming Eternal Silence UPnP Exploit Exposes 1.7 Million Devices To Wi-Fi Zombie Attacks
    https://hothardware.com/news/eternal-silence-exposes-17-million-devices-wi-fi-zombie-attacks

    Reply
  31. Tomi Engdahl says:

    Mark Zuckerberg Warns Not To Screenshot Your Facebook Chats
    https://www.iflscience.com/technology/mark-zuckerberg-warns-not-to-screenshot-your-facebook-chats/

    The founder, Mark Zuckerberg, announced that the company is introducing an update to “disappearing messages” or “vanish mode” on the site, which makes all new messages disappear within 12 hours when activated – much like Snapchat.

    Reply
  32. Tomi Engdahl says:

    HHS: Conti ransomware encrypted 80% of Ireland’s HSE IT systems
    https://www.bleepingcomputer.com/news/security/hhs-conti-ransomware-encrypted-80-percent-of-irelands-hse-it-systems/

    A threat brief published by the US Department of Health and Human Services (HHS) on Thursday paints a grim picture of how Ireland’s health service, the HSE, was overwhelmed and had 80% of its systems encrypted during last year’s Conti ransomware attack.

    This led to severe disruptions of healthcare services throughout Ireland and exposed the information of thousands of Irish people who received COVID-19 vaccines before the attack after roughly 700 GB of data (including protected health information) was stolen from HSE’s network and sent to attackers’ servers.

    Reply
  33. Tomi Engdahl says:

    CISA orders federal agencies to patch actively exploited Windows bug
    https://www.bleepingcomputer.com/news/security/cisa-orders-federal-agencies-to-patch-actively-exploited-windows-bug/

    The Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to patch their systems against an actively exploited Windows vulnerability that enables attackers to gain SYSTEM privileges.

    Per a binding operational directive (BOD 22-01) issued in November and today’s announcement, all Federal Civilian Executive Branch (FCEB) agencies are now required to patch all systems against this vulnerability, tracked as CVE-2022-21882, within two weeks, until February 18th.

    Reply
  34. Tomi Engdahl says:

    Massive cyberattack on Savonia University of Applied Sciences: ransomware has locked data
    https://yle.fi/uutiset/3-12302764
    Savonia University of Applied Sciences, which operates in North Savo, has been hit by a massive cyberattack. It was noticed on Friday morning; the attack took place in the early hours of the night. According to the university, there is no indication that, for example, personal data or other sensitive information has been compromised. Ransomware has installed itself on the university’s computers and locked files. Payment in bitcoin is demanded to unlock them.
    The ransomware has encrypted data on the university’s network drives. The attack has affected the university’s operations in that teachers could not access all of their files. Press release:
    https://www.savonia.fi/uutiset/savoniaan-on-kohdistunut-tietoturvahyokkays/.
    Also: https://www.hs.fi/kotimaa/art-2000008590588.html.
    https://www.savonsanomat.fi/paikalliset/4467160

    Reply
  35. Tomi Engdahl says:

    Operation EmailThief: Active Exploitation of Zero-day XSS Vulnerability in Zimbra https://www.volexity.com/blog/2022/02/03/operation-emailthief-active-exploitation-of-zero-day-xss-vulnerability-in-zimbra/
    In December 2021, through its Network Security Monitoring service, Volexity identified a series of targeted spear-phishing campaigns against one of its customers from a threat actor it tracks as TEMP_Heretic. Analysis of the emails from these spear phishing campaigns led to a discovery: the attacker was attempting to exploit a zero-day cross-site scripting (XSS) vulnerability in the Zimbra email platform. Zimbra is an open source email platform often used by organizations as an alternative to Microsoft Exchange.

    Reply
  36. Tomi Engdahl says:

    CISA Adds One Known Exploited Vulnerability to Catalog https://www.cisa.gov/uscert/ncas/current-activity/2022/02/04/cisa-adds-one-known-exploited-vulnerability-catalog
    CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence that threat actors are actively exploiting the vulnerabilities listed in the table below.
    These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise. CVE-2022-21882 – Microsoft Win32k Privilege Escalation Vulnerability

    Reply
  37. Tomi Engdahl says:

    Malicious Kubernetes Helm Charts can be used to steal sensitive information from Argo CD deployments https://apiiro.com/blog/malicious-kubernetes-helm-charts-can-be-used-to-steal-sensitive-information-from-argo-cd-deployments/
    Apiiro’s Security Research team has uncovered a major software supply chain 0-day vulnerability (CVE-2022-24348) in Argo CD, the popular open source Continuous Delivery platform, which enables attackers to access sensitive information such as secrets, passwords, and API keys.
    Argo CD manages and orchestrates the execution and monitoring of application deployment post-integration.

    Reply
  38. Tomi Engdahl says:

    Swissport ransomware attack delays flights, disrupts operations https://www.bleepingcomputer.com/news/security/swissport-ransomware-attack-delays-flights-disrupts-operations/
    Aviation services company Swissport International has disclosed a ransomware attack that has impacted its IT infrastructure and services, causing flights to suffer delays. The Swiss company provides services for cargo handling, security, maintenance, cleaning, and lounge hospitality for 310 airports in 50 countries. It handles 282 million passengers and 4.8 million tons of cargo every year, making it a vital link in the global aviation travel industry chain.

    Reply
  39. Tomi Engdahl says:

    Cryptojacking Attacks Target Alibaba ECS Instances https://www.trendmicro.com/en_us/devops/22/b/cryptojacking-attacks-target-alibaba-ecs-instances.html
    Cryptojacking attacks continue to increase. Unlike ransomware, cryptojacking cybercriminals make their money staying silent and undetected, leeching the computer power from their target to mine valuable cryptocurrency. Cryptomining can cause serious downtime for developers by draining the enterprise’s processing power. It can also cause subscription bills to skyrocket, especially if you’re utilizing an auto-scale feature.

    Reply
  40. Tomi Engdahl says:

    News Corp breached by suspected Chinese hackers https://therecord.media/news-corp-breached-by-suspected-chinese-hackers/
    News Corp, one of the largest media conglomerates in the world, said today that it was hacked by Chinese government-backed hackers, the company revealed today in documents filed with the US Securities Exchange Commission and in a report in the Wall Street Journal, one of its news media properties.

    Reply
  41. Tomi Engdahl says:

    The White House Memo on Adopting a Zero Trust Architecture: Top Four Tips https://blogs.cisco.com/security/the-white-house-memo-on-adopting-a-zero-trust-architecture-top-four-tips
    On the heels of President Biden’s Executive Order on Cybersecurity (EO 14028), the Office of Management and Budget (OMB) has released a memorandum addressing the heads of executive departments and agencies that sets forth a Federal zero trust architecture (ZTA) strategy. My good friend and fellow Advisory CISO Helen Patton has done a great summary of the memo in a previous blog.

    Reply
  42. Tomi Engdahl says:

    Microsoft disables MSIX protocol handler abused in Emotet attacks https://www.bleepingcomputer.com/news/microsoft/microsoft-disables-msix-protocol-handler-abused-in-emotet-attacks/
    Microsoft has disabled the MSIX ms-appinstaller protocol handler exploited in malware attacks to install malicious apps directly from a website via a Windows AppX Installer spoofing vulnerability. Today’s decision comes after the company released security updates to address the flaw (tracked as CVE-2021-43890) during the December 2021 Patch Tuesday and provided workarounds to disable the MSIX scheme without deploying the patches.

    Reply
