This posting is here to collect cyber security news in February 2022.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
511 Comments
Tomi Engdahl says:
BlackCat (ALPHV) ransomware linked to BlackMatter, DarkSide gangs https://www.bleepingcomputer.com/news/security/blackcat-alphv-ransomware-linked-to-blackmatter-darkside-gangs/
The Black Cat ransomware gang, also known as ALPHV, has confirmed they are former members of the notorious BlackMatter/DarkSide ransomware operation. BlackCat/ALPHV is a new feature-rich ransomware operation launched in November 2021 and developed in the Rust programming language, which is unusual for ransomware infections. The ransomware executable is highly customizable, with different encryption methods and options allowing for attacks on a wide range of corporate environments.
Tomi Engdahl says:
Washington state agency discloses data breach impacting hundreds of thousands of licensed professionals https://therecord.media/washington-state-agency-discloses-data-breach-impacting-hundreds-of-thousands-of-licensed-professionals/
The Washington Department of Licensing (DOL) said in a press release late Friday night that it suffered a security breach of its IT system and that the personal data of hundreds of thousands of licensed professionals may have been exposed. The breach occurred during the week of January 24 and impacted POLARIS, an online web-based database where the agency stores information on licensed professionals such as drivers, accountants, lawyers, bail bonds agents, funeral directors, home inspectors, notaries, and others.
Tomi Engdahl says:
$4.4 million stolen in attack on blockchain infrastructure Meter https://www.zdnet.com/article/4-4-million-stolen-in-attack-on-blockchain-infrastructure-meter/
Blockchain infrastructure company Meter said $4.4 million was stolen during a cyberattack on the platform that started at around 9 am ET on Saturday morning. The company said it manages an infrastructure that allows smart contracts to scale and travel through heterogeneous blockchain networks. The Meter network as well as the Moonriver network were affected by the hack. Blockchain research company PeckShield confirmed that 1391 ETH and 2.74 BTC were stolen during the incident.
Tomi Engdahl says:
Breach of Washington State Database May Expose Personal Information
https://www.securityweek.com/breach-washington-state-database-may-expose-personal-information
The Washington State Department of Licensing said the personal information of potentially millions of licensed professionals may have been exposed after it detected suspicious activity on its online licensing system.
The agency licenses about 40 categories of businesses and professionals, from auctioneers to real estate agents, and it shut down its online platform temporarily after learning of the activity in January, agency spokesperson Christine Anthony said Friday. Data stored on the system, which is called POLARIS, could include Social Security numbers, birth dates and driver’s licenses.
Tomi Engdahl says:
Microsoft, Symantec Share Notes on Russian Hacks Hitting Ukraine
https://www.securityweek.com/microsoft-symantec-share-notes-russian-hacks-hitting-ukraine
Tomi Engdahl says:
Business Services Firm Morley Discloses Data Breach Affecting 500,000 People
https://www.securityweek.com/business-services-firm-morley-discloses-data-breach-affecting-500000-people
Business services company Morley this week announced being targeted in a ransomware attack that may have resulted in the information of more than 500,000 individuals getting stolen.
In letters sent to impacted individuals, Morley, which serves Fortune 500 and Global 500 companies across various industries, said the incident was discovered in August 2021, when it noticed that some files became inaccessible due to a ransomware infection.
An investigation revealed that the attackers may have gained access to client and employee data, including personal and protected health information.
Tomi Engdahl says:
Media Giant News Corp Targeted in China-Linked Cyberattack
https://www.securityweek.com/media-giant-news-corp-targeted-china-linked-cyberattack
Long-awaited public-private initiative established to evaluate nation’s cybersecurity and improve resilience
Several government and private sector organizations in the United States have joined forces for the Department of Homeland Security’s first ever Cyber Safety Review Board, whose goal is to boost the nation’s cybersecurity.
The DHS’s Cyber Safety Review Board (CSRB) has been established as instructed by the executive order signed by President Joe Biden in May 2021 to improve cyber defenses.
That executive order represents the foundation for several cybersecurity initiatives, including two that were announced last month: a memorandum focused on boosting the cybersecurity of National Security Systems, and a federal zero trust strategy.
Tomi Engdahl says:
The iPhone's legendary security has crumbled: yet another company that cracks phones just like that
Jori Virtanen, 7.2.2022 08:04. Tags: Information security, Espionage, iPhone, Instant messengers, Privacy, Hackers
Israel's NSO Group was not the only one capable of breaking the iPhone's protections.
https://www.tivi.fi/uutiset/iphonen-legendaarinen-turvallisuus-romuttui-taas-yksi-yhtio-joka-korkkaa-puhelimia-tuosta-vaan/e7ba4960-0e0a-4ba5-9d5f-db0f0df1b2a6
Last year it was reported repeatedly how NSO's Pegasus hacking tool has been used to spy on the phones of, among others, Finnish diplomats, French President Emmanuel Macron, Taiwanese politicians and the Polish opposition.
Tivi has warned about NSO Group and Pegasus for a long time.
The scariest thing about these cases is that Pegasus requires no action from its victim. In other words, it does not, for example, try to trick the user into clicking suspicious links that would let malware into the phone. Pegasus needs no such trickery. It breaks through the iPhone's supposedly bulletproof protections even if the phone is just lying on a table.
Reuters' numerous sources say that NSO Group is not the only party selling such a battering ram.
QuaDream is a lower-profile Israeli company that develops tools for cracking smartphones. These services are sold mainly to governments. QuaDream's customer list includes Saudi Arabia, Mexico and Singapore, among others.
Although QuaDream is smaller than NSO Group, it is not toothless. Bill Marczak, a security researcher at the digital watchdog Citizen Lab, told Reuters that QuaDream's Reign tool is just as effective as NSO Group's.
EXCLUSIVE iPhone flaw exploited by second Israeli spy firm-sources
https://www.reuters.com/technology/exclusive-iphone-flaw-exploited-by-second-israeli-spy-firm-sources-2022-02-03/
WASHINGTON, Feb 3 (Reuters) – A flaw in Apple’s software exploited by Israeli surveillance firm NSO Group to break into iPhones in 2021 was simultaneously abused by a competing company, according to five people familiar with the matter.
QuaDream, the sources said, is a smaller and lower profile Israeli firm that also develops smartphone hacking tools intended for government clients.
The two rival businesses gained the same ability last year to remotely break into iPhones, according to the five sources, meaning that both firms could compromise Apple phones without an owner needing to open a malicious link. That two firms employed the same sophisticated hacking technique – known as a “zero-click” – shows that phones are more vulnerable to powerful digital spying tools than the industry will admit, one expert said.
Experts analyzing intrusions engineered by NSO Group and QuaDream since last year believe the two companies used very similar software exploits, known as ForcedEntry, to hijack iPhones.
“People want to believe they’re secure, and phone companies want you to believe they’re secure. What we’ve learned is, they’re not,” said Dave Aitel, a partner at Cordyceps Systems, a cybersecurity firm.
The analysts believed NSO and QuaDream’s exploits were similar because they leveraged many of the same vulnerabilities hidden deep inside Apple’s instant messaging platform and used a comparable approach to plant malicious software on targeted devices, according to three of the sources.
https://citizenlab.ca/2021/09/forcedentry-nso-group-imessage-zero-click-exploit-captured-in-the-wild/
https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html
Tomi Engdahl says:
Forbes says NSO Group had been cracking iPhones for five years before it was caught. QuaDream's antics only came to light recently. According to the old proverb, there's no two without a third: it is perfectly reasonable to wonder whether, if two companies are capable of this, there are more parties offering these services that have simply managed to stay in the shadows so far.
Serious iPhone Warning Issued For A Billion Apple Users
https://www.forbes.com/sites/gordonkelly/2022/02/06/apple-iphone-security-quadream-reign-warning-new-iphone-hack/?sh=2d1284db60ee
A shocking new report from Reuters has revealed a secretive company called QuaDream which has been hacking iPhones for more than five years, granting access to users’ microphones, cameras (front and back) and monitoring calls in real time.
Reuters says that QuaDream’s flagship product was called ‘REIGN’ and the company sold its hacks to the highest bidder. REIGN could take remote control of any iPhone without the users’ knowledge. It would then access emails, photos, texts, contacts and instant messages — even from end-to-end encrypted services like WhatsApp, Telegram and Signal.
The discovery mimics that of Israeli cyberarms firm NSO Group and its ‘Pegasus’ software, which had been successfully hacking iPhones since 2016 until it was exposed last year in news that sent shockwaves around the world.
Tomi Engdahl says:
https://hackaday.com/2022/02/04/this-week-in-security-samba-wormhole-crypto-heist-and-a-bogus-cve/
Samba has a very serious vulnerability, CVE-2021-44142, that was just patched in new releases 4.13.17, 4.14.12, and 4.15.5. Discovered by researchers at TrendMicro, this unauthenticated RCE bug weighs in at a CVSS 9.9. The saving grace is that it requires the fruit VFS module to be enabled, which is used to support MacOS client and server interop. If enabled, the default settings are vulnerable. Attacks haven’t been seen in the wild yet, but go ahead and get updated, as PoC code will likely drop soon.
https://www.trendmicro.com/en_us/research/22/b/the-samba-vulnerability-what-is-cve-2021-44142-and-how-to-fix-it.html
https://www.samba.org/samba/security/CVE-2021-44142.html
Tomi Engdahl says:
https://hackaday.com/2022/02/04/this-week-in-security-samba-wormhole-crypto-heist-and-a-bogus-cve/
The 9.8 CVE That Wasn’t
Dealing with security reports can be challenging.
CVE-2022-0329 was one of those. The package in question is the Python library, loguru, which boasts “Python logging made (stupidly) simple”. A serious CVE in a logging library? The internet briefly collectively braced for another log4j style problem. Then more people started looking at the vulnerability report and bug report, and casting doubt on the validity of the issue. So much so, that the CVE has been revoked. How did a non-bug get rated as such a high security issue, that GitHub was even sending out automated alerts about it?
The theoretical vulnerability was a deserialization problem, where the pickle library, included as a dependency of loguru, does not safely deserialize untrusted data. That’s a valid problem, but the report failed to demonstrate how loguru would allow untrusted data to be deserialized in an unsafe way.
There’s a concept at play here, the “airtight hatchway”. In any codebase or system, there will be a point where manipulating program data can lead to code execution. T
In this case, if you can build the object that pickle will deserialize, you already have arbitrary code execution. That’s not to say it’s never appropriate to fix such an instance, but that’s code hardening, not fixing a vulnerability.
That’s where this went off the rails. [Delgan], the developer behind loguru was convinced this wasn’t a true vulnerability, but he wanted to do some code hardening around the idea, so marked the original vulnerability report as accepted. This set the automated machinery in motion, and a CVE was issued. That CVE was set as extremely serious, based on a naive understanding of the issue, maybe also an automated action. This automated frenzy continued all the way to a Github advisory, before someone finally stepped in and cut the power to the out-of-control automaton.
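The "airtight hatchway" point above, that pickle happily resolves and calls whatever the bytes name, is easiest to see with a restricted loader side by side with the plain one. The following is an added example, not code from loguru or from the Hackaday article; it uses the `find_class` override that the Python standard-library documentation recommends, with an allowlist name (`SAFE_GLOBALS`) and a harmless callback (`os.getcwd`) chosen here for illustration.

```python
import io
import os
import pickle

# Allowlist of (module, name) pairs the restricted loader may resolve.
# Anything else (functions, classes, os.*, subprocess.*) is refused.
SAFE_GLOBALS = {
    ("builtins", "dict"), ("builtins", "list"), ("builtins", "set"),
    ("builtins", "tuple"), ("builtins", "str"), ("builtins", "int"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that only resolves allowlisted globals (hardening, per the Python docs)."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


def restricted_loads(data: bytes):
    """Deserialize with the allowlisting unpickler."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def loads_attempt(data: bytes):
    """Return ('ok', obj) or ('rejected', reason) for the restricted loader."""
    try:
        return ("ok", restricted_loads(data))
    except pickle.UnpicklingError as exc:
        return ("rejected", str(exc))


def plain_loads(data: bytes):
    """The unsafe baseline: pickle.loads runs any callable the bytes reference."""
    return pickle.loads(data)


class Callback:
    """Constructed object whose pickle tells the loader to call os.getcwd() on load.

    A hostile sender would name something far worse than os.getcwd; the point is
    that *any* callable reachable by (module, name) is invoked during loads().
    """

    def __reduce__(self):
        return (os.getcwd, ())


# Constructed sample inputs: a benign log record and the callback object.
BENIGN_PICKLE = pickle.dumps({"level": "INFO", "msg": "hello"})
CALLBACK_PICKLE = pickle.dumps(Callback())
CURRENT_DIR = os.getcwd()


if __name__ == "__main__":
    print("benign  :", loads_attempt(BENIGN_PICKLE))
    print("callback:", loads_attempt(CALLBACK_PICKLE))
    print("plain loader ran the callback and returned:", plain_loads(CALLBACK_PICKLE))
```

The benign record never triggers `find_class` (dicts and strings are encoded with opcodes that need no global lookup), so it loads under both loaders; the callback pickle is rejected by the restricted loader and executed by the plain one. This is exactly the "code hardening, not fixing a vulnerability" distinction the article draws: the allowlist limits damage if untrusted bytes ever reach the loader, but the real fix is never to unpickle untrusted input at all.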
Tomi Engdahl says:
Windows EoP PoC
In January, Microsoft patched CVE-2022-21882, an Escalation of Privilege in the Win32 code of Windows. Don’t let that fool you, it’s present in 64-bit versions of Windows, too. If you’re behind on your updates, you might want to get busy, as a Proof-of-Concept has now dropped for this bug. This has been reported as a patch bypass, making this essentially the same underlying problem as CVE-2021-1732.
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21882
https://github.com/KaLendsi/CVE-2022-21882
https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/technical-analysis-of-cve-2021-1732/
Tomi Engdahl says:
[1409] The Most Significant Security Flaw in North America
https://www.youtube.com/watch?v=U5-qy2tbDG8
Not only is he showing how to break into stores, he’s showing you where to get the tools. Great video as always
Newscaster: “There’s been a rise of burglaries around the country overnight.”
LPL: “…to show it’s not a fluke.”
Almost every store has an alarm with motion detection inside.
The alarm goes off and mostly the police is at the scene within 2 minutes.
Tomi Engdahl says:
High-Severity Flaw in Argo CD Is Information Leak Risk
https://www.securityweek.com/high-severity-flaw-argo-cd-information-leak-risk
A high-severity security vulnerability in Argo CD could allow an attacker to access sensitive information from target applications.
Argo CD, a popular open-source Continuous Delivery (CD) tool for Kubernetes, is used to monitor running applications and compares their live state, helping administrators synchronize applications with their desired state.
Tracked as CVE-2022-24348 (CVSS score of 7.7), the vulnerability is a path traversal bug that allows an attacker to load a Kubernetes Helm Chart YAML file and gain access to another application’s data. Helm charts are YAML files containing different fields that embed resources and configurations required for application deployment.
Tomi Engdahl says:
Microsoft Says Mac Trojan Becoming Stealthier, More Menacing
https://www.securityweek.com/microsoft-disables-msix-protocol-due-abuse-malware
Malware hunters at Microsoft are calling attention to a nasty macOS malware family that has evolved quickly from a basic information-gathering trojan to a stealthy backdoor with more powerful capabilities.
The macOS malware family, called UpdateAgent, first surfaced just over a year ago with rudimentary infection and data-theft capabilities but researchers have spotted signs the malware is becoming a fully-powered spy toolkit.
In the beginning, around November 2020, Microsoft first observed the macOS threat being used for reconnaissance with basic functions to collect product names, software versions and other system information.
By January 2021, a newer version added capabilities for fetching secondary payloads from public clouds and a few months later, Microsoft noticed stealthy bypasses of Apple’s security controls, two worrying signs that the gang behind the malware continues to invest heavily to reach victims on Apple’s flagship desktop platform.
Tomi Engdahl says:
Microsoft Disables MSIX Protocol Due to Abuse by Malware
https://www.securityweek.com/microsoft-disables-msix-protocol-due-abuse-malware
Microsoft announced on Friday that the ms-appinstaller protocol for MSIX has been disabled temporarily due to the fact that it has been abused by malware.
Microsoft in December informed users about CVE-2021-43890, which it described as a Windows AppX installer spoofing vulnerability. The tech giant warned at the time that cybercriminals had been exploiting the vulnerability using specially crafted packages to deliver Emotet, TrickBot and Bazaloader (BazarLoader) malware.
Tomi Engdahl says:
IRS to End Use of Facial Recognition to Identify Taxpayers
https://www.securityweek.com/irs-end-use-facial-recognition-identify-taxpayers
The IRS said Monday it will suspend the use of facial recognition technology to authenticate people who create online accounts after the practice was criticized by privacy advocates and lawmakers.
The agency said it would no longer use a third-party service, called ID.me, for facial recognition. Critics of the software said the database could become a target for cyberthreats. They also expressed concern about how the information could be used by other government agencies, among other concerns.
Earlier Monday, Senate Finance Committee Chair Ron Wyden, D-Ore., called on the agency to end its use of the ID.me software. After the IRS announced the practice would be suspended, Wyden said “the Treasury Department has made the smart decision to direct the IRS to transition away from using the controversial ID.me verification service.”
“No one should be forced to submit to facial recognition to access critical government services,” he added.
Tomi Engdahl says:
Catalin Cimpanu / The Record:
Microsoft starts blocking VBA macro scripts by default in Excel, PowerPoint, Access, Visio, and Word, after years of security experts requesting the change
Microsoft to block internet macros by default in five Office applications
https://therecord.media/microsoft-blocks-internet-macros-by-default-in-five-office-applications/
In one of the most impactful changes made in recent years, Microsoft has announced today that it will block by default the execution of VBA macro scripts inside five Office applications.
Starting with early April 2022, Access, Excel, PowerPoint, Visio, and Word users will not be able to enable macro scripts inside untrusted documents that they downloaded from the internet.
The change, which security researchers have been requesting for years, is expected to put a serious roadblock for malware gangs, which have relied on tricking users into enabling the execution of a macro script as a way to install malware on their systems.
In these attacks, users typically receive a document via email, or are instructed to download one from an internet website. When they open the file, the attacker typically leaves a message instructing the user to enable the execution of the macro script.
While users with some technical and cybersecurity knowledge may be able to recognize this as a lure to get infected with malware, many day-to-day Office users are still unaware of this technique and end up following the provided instructions, effectively infecting themselves with malware.
Tomi Engdahl says:
Gettr Fired Its Entire Cybersecurity Team and Never Replaced Them, Former Employees Say
The right-wing Twitter alternative is apparently having big financial problems. The solution? Lay off its entire IT staff.
https://gizmodo.com/gettr-reportedly-fired-its-entire-cybersecurity-team-in-1848480655
Gettr, the MAGA-minded social media platform that recently saw a big spike in membership, seems to be on a mission to get hacked. Or at least, that’s what you’d be led to believe by the company’s reported decision to fire pretty much everybody in charge of making sure the company doesn’t get hacked.
Among the purged were the company’s chief information officer and its chief information security officer, typically two of the most important positions when it comes to keeping a company—particularly a tech company—running safely and smoothly.
To bring things back to Gettr: Does it make sense to inject megatons of money into a startup and then take said startup out at the knees by firing its most essential staff? No, not really.
One thing is certain: If Gettr doesn’t re-hire a cybersecurity team soon or, ya know, just a couple of IT folks, it’s seriously opening itself up to the possibility of getting hacked. The emergent right-wing tech sector doesn’t have the best track record when it comes to securing data and I have a hard time believing that Gettr, now bereft of any digital security, will be the exception.
Tomi Engdahl says:
Foreign Office target of ‘serious cyber incident’
https://www.bbc.co.uk/news/technology-60309335
The UK’s Foreign, Commonwealth and Development Office (FCDO) was the target of a “serious cyber-security incident”, it has emerged. The details came via a tender document published on a government website, seemingly by mistake. It revealed that cyber-security firm BAE Systems Applied Intelligence was called on for “urgent support”. The BBC understands unidentified hackers got inside the FCDO systems, but were detected. A spokesperson for the FCDO told the BBC: “We do not comment on security but have systems in place to detect and defend against potential cyber incidents.”
Tomi Engdahl says:
Vodafone Portugal hit by hackers, says no client data breach https://www.reuters.com/technology/vodafone-portugal-hit-by-hackers-says-no-client-data-breach-2022-02-08/
Vodafone’s (VOD.L) Portuguese unit said on Tuesday a hacker attack overnight had disrupted its services but assured its customers that their personal data had not been compromised as a result of the incident, which is under investigation. Vodafone Portugal said in a statement its system faced technical problems on Monday evening, with thousands of customers reporting they were unable to make calls or access the internet on their phones or computers. It later discovered the technical issues were caused by what it described as a “deliberate and malicious” cyber attack. Also:
https://www.bleepingcomputer.com/news/security/vodafone-portugal-4g-and-5g-services-down-after-cyberattack/.
https://therecord.media/cyberattack-brings-down-vodafone-portugal-mobile-voice-and-tv-services/
Tomi Engdahl says:
No Critical Bugs for Microsoft February 2022 Patch Tuesday, 1 Zero-Day https://threatpost.com/microsoft-february-patch-tuesday-zero-day/178286/
This batch had zero critical CVEs, which is unheard of. Most (50) of the patches are labeled Important, so don’t delay to apply the patches, security experts said. Oh, blessed day: Microsoft’s Patch Tuesday is a featherweight in comparison to some of its not-atypical, 10-ton security updates, with just 51 patches, none of them rated critical.
Among these, Microsoft addressed one zero-day: CVE-2022-21989, a Windows Kernel elevation-of-privilege vulnerability. And, one of the updates is for a CVE first published in 2013. Also:
https://www.bleepingcomputer.com/news/microsoft/microsoft-february-2022-patch-tuesday-fixes-48-flaws-1-zero-day/.
https://isc.sans.edu/forums/diary/Microsoft+February+2022+Patch+Tuesday/28316/.
https://www.zdnet.com/article/microsoft-february-2021-patch-tuesday-48-bugs-squashed-one-zero-day-resolved/
Tomi Engdahl says:
Mozilla fixes Firefox bug letting you get Windows admin privileges https://www.bleepingcomputer.com/news/security/mozilla-fixes-firefox-bug-letting-you-get-windows-admin-privileges/
Mozilla released a security update to address a high severity privilege escalation vulnerability found in the Mozilla Maintenance Service. The Mozilla Maintenance Service is an optional Firefox and Thunderbird service that makes application updates possible in the background. This provides Firefox users with a seamless updates experience where they are no longer required to click ‘Yes’ in the Windows User Account Control (UAC) dialog before updating their web browser or email client.
Tomi Engdahl says:
DOJ seizes $3.6 billion in crypto from 2016 Bitfinex hack, arrests New York couple https://www.zdnet.com/article/doj-seizes-3-6-billion-in-crypto-from-bitfinex-hack-arrests-new-york-couple/
The Department of Justice announced the seizure of more than $3.6 billion in cryptocurrency that was stolen during an attack on the Bitfinex cryptocurrency exchange in August 2016. The DOJ also said it arrested 34-year-old Ilya Lichtenstein and his 31-year-old wife Heather Morgan for their role in attempting to launder 119,754 bitcoin that were stolen during the attack on the Hong Kong exchange. Deputy Attorney General Lisa Monaco called the seizure the “department’s largest financial seizure ever.”
Tomi Engdahl says:
https://www.securityweek.com/adobe-patches-13-vulnerabilities-illustrator
Tomi Engdahl says:
Microsoft Patches for 51 Windows Security Defects
https://www.securityweek.com/microsoft-patches-51-windows-security-defects
Microsoft’s Patch Tuesday train rumbled into Windows networks with fixes for 51 documented security vulnerabilities, some serious enough to cause full computer takeover attacks.
In addition to the 51 CVEs fixed with this month’s scheduled release, Redmond also patched about 20 different security defects in its Microsoft Edge (Chromium-based) web browser.
According to data from the Microsoft Security Response Center (MSRC), there are no in-the-wild zero-days being addressed with the February updates. However, proof-of-concept code exists for an elevation of privilege bug (CVE-2022-21989) in the Windows kernel.
“A successful attack could be performed from a low privilege AppContainer. The attacker could elevate their privileges and execute code or access resources at a higher integrity level than that of the AppContainer execution environment,” Microsoft warned in an advisory. The kernel bug is rated “important” with a CVSS Score of 7.8.
Tomi Engdahl says:
SAP Customers Warned About Critical ‘ICMAD’ Vulnerabilities
https://www.securityweek.com/sap-customers-warned-about-critical-icmad-vulnerabilities
Tomi Engdahl says:
Critical ‘remote escalation’ flaw in Android 12 fixed in Feb security patch batch
This is the final software update from Google for the Pixel 3, 3 XL, too
https://www.theregister.com/2022/02/09/android_security_bulletin/
Tomi Engdahl says:
Update now! Firefox and Adobe updates are more critical than Microsoft’s https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/02/update-now-firefox-and-adobe-updates-are-more-critical-than-microsofts/
The most critical updates for this Patch Tuesday come from Firefox and Adobe. While Microsoft addresses 70 vulnerabilities in its February 2022 Patch Tuesday release, none of them are ranked as critical.
Firefox and Adobe however have fixed a few issues that could be qualified as critical. Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). Let’s have a look at the ones that jumped out at us.
Tomi Engdahl says:
CISA and SAP warn about major vulnerability https://therecord.media/cisa-and-sap-warn-about-major-vulnerability/
German enterprise software maker SAP and the US Cybersecurity and Infrastructure Security Agency have issued security advisories on Tuesday to warn SAP customers to install the company’s February security patches as soon as possible in order to prevent the exploitation of a major vulnerability in a ubiquitous SAP component.
Tracked as CVE-2022-22536, the vulnerability was discovered by cloud security firm Onapsis and impacts the SAP Internet Communication Manager (ICM). Also:
https://www.bleepingcomputer.com/news/security/cisa-warns-admins-to-patch-maximum-severity-sap-vulnerability/.
https://www.zdnet.com/article/sap-releases-patches-for-icmad-vulnerabilities/
Tomi Engdahl says:
European, US regulators tell banks to prepare for Russian cyberattack threat https://www.euractiv.com/section/cybersecurity/news/european-u-s-regulators-tell-banks-to-prepare-for-russian-cyberattack-threat/
The European Central Bank is preparing banks for a possible Russian-sponsored cyber attack as tensions with Ukraine mount, two people with knowledge of the matter said, as the region braces for the financial fallout of any conflict. The stand-off between Russia and Ukraine has rattled Europe’s political and business leaders, who fear an invasion that would damage the entire region. Earlier this week, French President Emmanuel Macron shuttled from Moscow to Kyiv to act as a mediator after Russia massed troops near Ukraine.
Tomi Engdahl says:
U.S. Arrests Two and Seizes $3.6 Billion Cryptocurrency Stolen in 2016 Bitfinex Hack https://thehackernews.com/2022/02/us-arrests-two-and-seizes-36-million-in.html
The U.S. Justice Department (DoJ) on Tuesday announced the arrest of a married couple in connection with conspiring to launder cryptocurrency worth $4.5 billion that was siphoned during the hack of the virtual currency exchange Bitfinex in 2016. Ilya Lichtenstein, 34, and his wife, Heather Morgan, 31, both of New York, are alleged to have “stolen funds through a labyrinth of cryptocurrency transactions,”
with the law enforcement getting hold of over $3.6 billion in cryptocurrency by following the money trails, resulting in the “largest financial seizure ever.”
Tomi Engdahl says:
Windows explorer has an option to remove properties from media files:
Remove Properties and Personal Information. For example, removing Exif data from JPEG files https://blog.didierstevens.com/2022/02/08/windows-explorer-improper-exif-data-removal/
There is an issue with this feature: it does not properly remove Exif data.
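Whatever tool you use to scrub metadata, the useful follow-up is to verify the result rather than trust the dialog. The block below is an added example (not Didier Stevens' code and not part of the original post) that walks the JPEG marker segments, reports whether an APP1 Exif segment is still present, and rebuilds the file without it. The sample JPEG bytes are constructed inline (a valid marker structure with a placeholder scan, not a decodable picture), and the function names are this example's own.

```python
import struct

SOI = b"\xff\xd8"
APP0, APP1, SOS, EOI = 0xE0, 0xE1, 0xDA, 0xD9
EXIF_MAGIC = b"Exif\x00\x00"


def parse_jpeg(data: bytes):
    """Return (header_segments, tail): the marker segments before SOS/EOI and the rest of the file.

    Each segment is (marker, payload). The tail starts at the SOS (or EOI) marker
    and is kept verbatim, since the entropy-coded image data is not segmented.
    """
    if data[:2] != SOI:
        raise ValueError("missing SOI marker; not a JPEG")
    segments, pos = [], 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        while data[pos + 1] == 0xFF:          # 0xFF fill bytes are allowed before a marker
            pos += 1
        marker = data[pos + 1]
        if marker in (SOS, EOI):              # metadata headers end here
            break
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:   # TEM / RSTn carry no length field
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError(f"bad segment length {length} at offset {pos}")
        segments.append((marker, data[pos + 4:pos + 2 + length]))
        pos += 2 + length
    return segments, data[pos:]


def is_exif_segment(marker: int, payload: bytes) -> bool:
    return marker == APP1 and payload.startswith(EXIF_MAGIC)


def has_exif(data: bytes) -> bool:
    """The check to run after a 'remove properties' step: is an Exif APP1 segment still there?"""
    segments, _ = parse_jpeg(data)
    return any(is_exif_segment(m, p) for m, p in segments)


def strip_exif(data: bytes) -> bytes:
    """Rebuild the JPEG with every Exif APP1 segment dropped; other segments and scan data are kept."""
    segments, tail = parse_jpeg(data)
    out = bytearray(SOI)
    for marker, payload in segments:
        if is_exif_segment(marker, payload):
            continue
        out += bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload
    return bytes(out + tail)


def _segment(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample: JFIF APP0, an Exif APP1 with an empty TIFF IFD, a placeholder scan, EOI.
JFIF_PAYLOAD = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
EXIF_PAYLOAD = EXIF_MAGIC + b"MM\x00\x2a\x00\x00\x00\x08" + b"\x00\x00"
SAMPLE_JPEG = (SOI + _segment(APP0, JFIF_PAYLOAD) + _segment(APP1, EXIF_PAYLOAD)
               + _segment(SOS, b"") + b"\x12\x34\x56" + b"\xff" + bytes([EOI]))


if __name__ == "__main__":
    print("sample has Exif:", has_exif(SAMPLE_JPEG))
    cleaned = strip_exif(SAMPLE_JPEG)
    print("after strip    :", has_exif(cleaned), len(SAMPLE_JPEG), "->", len(cleaned), "bytes")
```

`has_exif` is deliberately narrow: it looks only for the APP1/Exif segment that "Remove Properties and Personal Information" is supposed to clear, so a file that still carries XMP (APP1 with a different signature) or Photoshop IRB (APP13) data would pass this check; extend `is_exif_segment` if those matter in your pipeline.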
Tomi Engdahl says:
A1 telecom reports data breach compromising personal data of some of their users https://hr.n1info.com/english/news/a1-telecom-reports-data-breach-compromising-personal-data-of-some-of-their-users/
Major telecom A1 Croatia said on Wednesday that they have been the target of a hacking attack in which personal data of some of its users had been compromised. The company said they have reported the incident to Croatian police, and added that no information about their users’ bank accounts or credit cards has been breached, as they are stored in a separate database. Report:
https://www.a1.hr/tko-smo-mi/objave-za-medije/-/objave/clanak/informacija-za-medije/1431871916
Tomi Engdahl says:
Russian Law Enforcement Take Down Several Cybercrime Forums
https://www.securityweek.com/russian-law-enforcement-take-down-several-cybercrime-forums
Russian authorities this week announced that they have seized Ferum Shop, Sky-Fraud, and Trump’s Dumps, three well-known online shops for stolen payment card data.
On February 7, the domains were seized by the Ministry of Internal Affairs of the Russian Federation’s Department “K” division, which left a message on the sites’ homepages to warn of the illegality of stealing funds from bank cards.
Russian law prohibits the production, purchase, sale, or use of counterfeit payment cards and software, devices, or other means of illegally transferring funds. However, it’s yet unclear whether the seized domains were targeting Russian banks.
Tomi Engdahl says:
Hamas Cyberspies Return With New Malware After Exposure of Operations
https://www.securityweek.com/hamas-cyberspies-return-new-malware-after-exposure-operations
A cyberespionage group linked in the past to the Palestinian terrorist organization Hamas took a break after its operations were exposed last summer and returned with new tools and techniques.
According to enterprise security firm Proofpoint, the threat actor known as Molerats apparently took a short break after the company released information on its activities in June 2021. During that break, it updated its malware and delivery mechanisms.
Molerats has been active since at least 2011 and it focuses on the Middle East. It’s also tracked as Gaza Hackers Team, Gaza Cybergang, DustySky, Extreme Jackal, Moonlight and TA402 — some researchers believe there are multiple groups operating under the same umbrella.
Tomi Engdahl says:
ICS Patch Tuesday: Siemens, Schneider Electric Address Nearly 50 Vulnerabilities
https://www.securityweek.com/ics-patch-tuesday-siemens-schneider-electric-address-nearly-50-vulnerabilities
Industrial giants Siemens and Schneider Electric released a total of 15 advisories on Tuesday to address nearly 50 vulnerabilities discovered in their products.
Tomi Engdahl says:
Vodafone Portugal hit by hackers, says no client data breach
https://www.reuters.com/technology/vodafone-portugal-hit-by-hackers-says-no-client-data-breach-2022-02-08/
Tomi Engdahl says:
Matt Levine / Bloomberg:
How the feds caught Heather Morgan and Ilya Lichtenstein as they allegedly attempted, rather sloppily, to launder bitcoin from the Bitfinex hack — Bitfinex laundry — In her public life, Heather Morgan seems to have been the cringiest imaginable sort of crypto-adjacent hustle-bro.
https://www.bloomberg.com/opinion/articles/2022-02-09/business-rapper-was-bad-at-bitcoin-laundering
Tomi Engdahl says:
Ilya “Dutch” Lichtenstein raised money from Mark Cuban and other well-known investors. His wife, Heather Morgan, built a following as a quirky rapper and social media luminary.
https://www.forbes.com/sites/davidjeans/2022/02/09/heather-morgan-ilya-lichtenstein-bitcoin-seizure/?utm_source=ForbesMainFacebook&utm_campaign=socialflowForbesMainFB&utm_medium=social
Tomi Engdahl says:
DOJ seizes $3.6B in bitcoins after busting entrepreneur couple in Bitfinex laundering scheme
https://techcrunch.com/2022/02/08/married-tech-entrepreneurs-arrested-charged-with-laundering-funds-from-bitfinex-crypto-hack/?tpcc=tcplusfacebook
The U.S. Justice Department (DOJ) has seized over 94,000 bitcoins that were allegedly stolen in the 2016 hack of crypto exchange Bitfinex and arrested a married couple suspected to have laundered the money, the department announced today. The couple — Ilya Lichtenstein, 34, and Heather Morgan, 31 — faces charges of conspiring to launder money and to defraud the U.S. government. Facing up to 25 years in prison if convicted, they are set to make their initial appearance in federal court in Manhattan later today.
The asset seizure, worth $3.6 billion at today’s bitcoin prices, is the largest in the Justice Department’s history, officials said. They did not recover the entire sum of funds lost in the 2016 hack, though — the 119,754 bitcoins allegedly stolen in total are now worth $4.5 billion.
While Morgan and Lichtenstein were not formally accused of perpetrating the hack, prosecutors said they discovered the suspects because the bitcoins were sent to a digital wallet Lichtenstein controlled. The couple obtained the coins after a hacker breached Bitfinex’s systems, initiating more than 2,000 illegal transactions, the DOJ said.
Lichtenstein and Morgan are both deeply involved in the tech startup ecosystem, according to their LinkedIn profiles.
Over one-third of the stolen bitcoins were transferred out of Lichtenstein’s wallet “via a complicated money laundering process” involving making accounts with fake names and converting the bitcoins to other, more private digital currencies like Monero, a process known as “chain-hopping.” The 94,000 bitcoins that weren’t laundered remained in the wallet that was used to store the proceeds from the hack, which is how agents say they were able to recover them after conducting an extensive online search through court-authorized warrants.
Tomi Engdahl says:
New Vulnerabilities Can Allow Hackers to Remotely Crash Siemens PLCs
https://www.securityweek.com/new-vulnerabilities-can-allow-hackers-remotely-crash-siemens-plcs
Siemens this week announced the availability of patches and mitigations for a series of severe vulnerabilities that can be exploited to remotely crash some of the company’s SIMATIC products.
The German industrial giant released nine advisories on Tuesday to address a total of 27 vulnerabilities. One of these advisories describes three high-severity flaws that can be exploited by a remote, unauthenticated attacker to launch denial-of-service (DoS) attacks against some Siemens programmable logic controllers (PLCs) and associated products.
The security holes are tracked as CVE-2021-37185, CVE-2021-37204 and CVE-2021-37205, and they can be exploited by sending specially crafted packets over TCP port 102 to the targeted device. If a vulnerability has been exploited successfully, the device needs to be restarted in order to restore normal operations.
Siemens says the flaws impact SIMATIC S7-1200 and S7-1500 PLCs, SIMATIC Drive Controller, ET 200SP Open Controller, S7-1500 Software Controller, SIMATIC S7-PLCSIM Advanced, the TIM 1531 IRC communication module, as well as SIPLUS extreme products.
https://cert-portal.siemens.com/productcert/pdf/ssa-838121.pdf
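The advisory above is about unauthenticated packets on TCP port 102, so the practical control is knowing who can reach that port on the PLC segment at all. The following is an added example, not code from Siemens or from the article: it parses Zeek-style conn.log records and flags TCP/102 connections to the PLC subnet that do not come from an approved engineering host. The allowlist, subnets and the sample log lines are constructed for the example.

```python
import ipaddress

S7_PORT = 102  # ISO-TSAP, the transport used by Siemens S7 communication

# Hypothetical allowlist for this example: only the TIA Portal workstation and
# the HMI server should ever open TCP/102 towards the PLC segment.
ENGINEERING_HOSTS = {
    ipaddress.ip_address("10.20.1.10"),
    ipaddress.ip_address("10.20.1.11"),
}
PLC_SUBNET = ipaddress.ip_network("10.20.5.0/24")          # assumed PLC VLAN
SITE_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]       # assumed plant address space


def parse_conn_log(text):
    """Parse Zeek-style conn.log TSV text into a list of dicts keyed by the #fields header."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("conn.log has no #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            continue  # skip a malformed row instead of aborting the whole scan
        records.append(dict(zip(fields, values)))
    return records


def find_unauthorized_s7(text):
    """Return one finding per TCP/102 connection into PLC_SUBNET from a non-approved source."""
    findings = []
    for rec in parse_conn_log(text):
        if rec["proto"] != "tcp" or int(rec["id.resp_p"]) != S7_PORT:
            continue
        orig = ipaddress.ip_address(rec["id.orig_h"])
        resp = ipaddress.ip_address(rec["id.resp_h"])
        if resp not in PLC_SUBNET or orig in ENGINEERING_HOSTS:
            continue
        if any(orig in net for net in SITE_NETWORKS):
            reason = "source not an approved engineering host"
        else:
            reason = "source outside site networks"
        # S0/REJ means the handshake never completed: typical of scanning or probing.
        if rec["conn_state"] in ("S0", "REJ"):
            reason += " (half-open/rejected, possible probe)"
        findings.append({"uid": rec["uid"], "orig_h": str(orig), "resp_h": str(resp), "reason": reason})
    return findings


# Constructed sample, Zeek conn.log layout. C3 is an internal host that is not on
# the allowlist; C4 is an outside address that never completed the handshake.
SAMPLE_CONN_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tconn_state
1644400000.1\tC1\t10.20.1.10\t49152\t10.20.5.20\t102\ttcp\tSF
1644400001.2\tC2\t10.20.1.11\t49153\t10.20.5.21\t102\ttcp\tSF
1644400002.3\tC3\t10.20.9.77\t51000\t10.20.5.20\t102\ttcp\tSF
1644400003.4\tC4\t203.0.113.5\t40000\t10.20.5.22\t102\ttcp\tS0
1644400004.5\tC5\t10.20.9.77\t51001\t10.20.5.20\t80\ttcp\tSF
"""

if __name__ == "__main__":
    for f in find_unauthorized_s7(SAMPLE_CONN_LOG):
        print(f"{f['uid']}: {f['orig_h']} -> {f['resp_h']}: {f['reason']}")
```

The rule deliberately keys on the destination port and subnet rather than on any packet content, so it catches reconnaissance and misconfigured hosts as well as an actual DoS attempt, and it does not depend on knowing what the crafted packets look like.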
Tomi Engdahl says:
Critical Code Execution Flaws Patched in ‘PHP Everywhere’ WordPress Plugin
https://www.securityweek.com/critical-code-execution-flaws-patched-php-everywhere-wordpress-plugin
Thousands of WordPress websites were impacted by three remote code execution vulnerabilities that were identified in the PHP Everywhere plugin, the Wordfence team at WordPress security company Defiant warns.
With more than 30,000 downloads, the PHP Everywhere plugin is an open-source plugin designed to enable PHP code everywhere in the WordPress installation.
The latest PHP Everywhere iteration was released last month with patches for three critical vulnerabilities (CVSS score of 9.9) that could allow users with low privileges to execute code on the WordPress sites that use the plugin.
The most severe of these issues is CVE-2022-24663, a vulnerability that allows any authenticated user, including subscribers and customers, to “execute shortcodes via the parse-media-shortcode AJAX action,” Wordfence explains.
Tomi Engdahl says:
Web Skimmer Injected Into Hundreds of Magento-Powered Stores
https://www.securityweek.com/web-skimmer-injected-hundreds-magento-powered-stores
More than 500 online stores running the Magento 1 eCommerce platform were compromised with a digital skimmer, eCommerce security firm Sansec says.
What made the attack stand out was the clever use of a combination of SQL injection and PHP object injection, which ultimately provided the attackers with control of the Magento store. On all infected websites, the payment skimmer was being loaded from the naturalfreshmall(.)com domain.
The initial intrusion vector was a known vulnerability in the Quickview plugin, which attackers typically use to inject rogue admin users into vulnerable Magento stores.
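Since the skimmer in this campaign was loaded from a single external domain on every infected store, the cheapest recurring check is an inventory of where a checkout page's scripts come from. The following is an added example and not Sansec's tooling: it collects every script source on a page, reports hosts outside an allowlist, and applies a small obfuscation heuristic to inline scripts. The store host, the allowlist, the hostile host name and the HTML are all constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Strings that legitimate storefront code rarely needs but skimmers lean on to hide payloads.
OBFUSCATION_MARKERS = ("atob(", "String.fromCharCode", "unescape(")


class ScriptCollector(HTMLParser):
    """Collect external script sources and inline script bodies from an HTML document."""

    def __init__(self):
        super().__init__()
        self.srcs = []
        self.inline = []
        self._in_inline_script = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.srcs.append(src)
        else:
            self._in_inline_script = True
            self.inline.append("")

    def handle_data(self, data):
        if self._in_inline_script:
            self.inline[-1] += data

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_inline_script = False


def audit_checkout_page(html, page_host, allowed_hosts):
    """Return unexpected external script hosts and inline scripts showing obfuscation markers."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    allowed = {h.lower() for h in allowed_hosts} | {page_host.lower()}
    external_hosts = []
    for src in parser.srcs:
        # scheme="https" makes protocol-relative "//host/x.js" resolve to a host too.
        host = urlparse(src.strip(), scheme="https").hostname
        if host is None:
            continue  # relative path: served by the store itself
        if host not in external_hosts:
            external_hosts.append(host)
    unexpected = [h for h in external_hosts if h not in allowed]
    suspicious_inline = [
        body for body in parser.inline if any(m in body for m in OBFUSCATION_MARKERS)
    ]
    return {
        "external_hosts": external_hosts,
        "unexpected_hosts": unexpected,
        "inline_total": len(parser.inline),
        "suspicious_inline": len(suspicious_inline),
    }


# Constructed checkout page: one first-party script, one approved CDN, one unknown
# third-party loader and one inline script that decodes a hidden string.
SAMPLE_HTML = """<html><head>
<script src="/static/frontend/Magento/luma/en_US/requirejs/require.js"></script>
<script src="https://cdn.example-store.test/js/checkout.js"></script>
<script src="//skimmer-cdn.example/assets/jquery.min.js"></script>
<script>var f = atob("Y2FyZA=="); document.getElementById(f);</script>
<script>requirejs.config({});</script>
</head><body></body></html>"""

if __name__ == "__main__":
    report = audit_checkout_page(SAMPLE_HTML, "www.example-store.test", ["cdn.example-store.test"])
    print(report)
```

Run this against the live checkout page on a schedule and alert on any change to the host list; a skimmer that is injected server-side, as in this campaign, shows up as a new host or a new inline script even when the store's own files look untouched.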
Tomi Engdahl says:
Car radios crashed by station broadcasting images with no file extension
Video killed the radio star, pictures came and broke your car
https://www.theregister.com/2022/02/10/mazda_radios_images/
In January, drivers of older model Mazdas in the area around Seattle, Washington, started seeing their HD Radio receivers crash upon tuning to the local public radio station.
The issue, according to the Seattle Times, has affected 2014-2017 model year Mazdas with infotainment systems that support HD Radio. Tuning to KUOW, which resides at 94.9 on the FM dial, caused some Mazda in-vehicle infotainment systems to fail.
In threads on Reddit, people report that the issue manifests in various ways: some describe a frozen radio display screen, others tell of endless reboot loops. The problem has also resulted in radios being stuck on KUOW, which the public radio station says it’s trying to help resolve.
And to hear Xperi and Mazda tell it, the broadcaster is to blame for transmitting images – which show up on HD Radio display screens – without the required file extension in the file name.
Xperi attributed the problem to the way KUOW sent its data.
“Our current assessment is that there was a formatting issue with the transmitted data,” a company spokesperson told The Register in an email. “We have worked with the station to address it, and we do not believe there are any ongoing issues with car radios in the market.”
Mazda too indicated that the transmission killed the radios in its cars.
According to the Seattle Times, Lorenzo Pieruccioni, service manager at Mazda of Olympia, Washington, said he’d seen several customers come in with radio problems, which he attributed to a corrupt Connectivity Master Unit (CMU).
The CMU moderates the flow of video and audio signals to the infotainment system. It costs $1,500 normally, but it remains scarce due to supply chain issues.
Implicit in Mazda’s statement is the admission that older versions of the software in its infotainment system fail to sufficiently validate inputs, thereby allowing malformed data to crash the device.
Mazda and Xperi didn’t immediately respond to a request to clarify which software version fixed this issue for more recent vehicles. But if Mazda’s answer is a hardware replacement, it would appear that a software update isn’t an option.
The 99% Invisible podcast in 2019 explored a separate bug related to printf format string handling that affected the infotainment system in a 2016 Mazda sedan.
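The failure described above is a receiver trusting a file name where it should have validated the bytes. The following is an added example, unrelated to Mazda's or Xperi's actual firmware: a validator for an incoming image record that identifies the format from its magic bytes, rejects a name whose extension contradicts the content, bounds the size and the PNG dimensions before anything reaches a decoder, and fails closed instead of raising. The size and dimension caps and the sample records are constructed for the example.

```python
import struct
from pathlib import PurePosixPath

MAX_IMAGE_BYTES = 256 * 1024   # assumed cap for a logo/album-art slot
MAX_DIMENSION = 1024           # assumed sane bound for a dashboard display

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_MAGIC = b"\xff\xd8\xff"


def sniff_format(blob):
    """Identify the image type from its leading bytes, never from a file name."""
    if blob.startswith(PNG_MAGIC):
        return "png"
    if blob.startswith(JPEG_MAGIC):
        return "jpeg"
    return None


def png_dimensions(blob):
    """Return (width, height) from the IHDR chunk, or None if the header is malformed."""
    # PNG layout: 8-byte signature, 4-byte chunk length, 4-byte type 'IHDR', then width, height.
    if len(blob) < 24 or blob[12:16] != b"IHDR":
        return None
    return struct.unpack(">II", blob[16:24])


def validate_image(blob, declared_name=""):
    """Return (format, None) if the blob may go to the decoder, else (None, reason).

    Fails closed and never raises, so one bad broadcast record cannot take the caller down.
    """
    if not isinstance(blob, (bytes, bytearray)):
        return None, "not a byte string"
    blob = bytes(blob)
    if len(blob) > MAX_IMAGE_BYTES:
        return None, "oversized"
    fmt = sniff_format(blob)
    if fmt is None:
        return None, "unrecognised format"
    # A missing extension is tolerated (the content decides); a contradicting one is not.
    ext = PurePosixPath(declared_name).suffix.lower().lstrip(".")
    if ext and ext.replace("jpg", "jpeg") != fmt:
        return None, f"extension '.{ext}' contradicts content ({fmt})"
    if fmt == "png":
        dims = png_dimensions(blob)
        if dims is None:
            return None, "truncated or malformed PNG header"
        width, height = dims
        if not (0 < width <= MAX_DIMENSION and 0 < height <= MAX_DIMENSION):
            return None, f"implausible dimensions {width}x{height}"
    return fmt, None


def _png(width, height):
    """Build a minimal PNG signature plus IHDR chunk (CRC left zero; constructed test data)."""
    return (PNG_MAGIC + struct.pack(">I", 13) + b"IHDR" + struct.pack(">II", width, height)
            + b"\x08\x02\x00\x00\x00" + b"\x00\x00\x00\x00")


# Constructed records: (bytes, declared file name) as a receiver might get them.
SAMPLES = {
    "logo_no_extension": (_png(320, 240), "station_logo"),
    "zero_width_png": (_png(0, 240), "bad.png"),
    "jpeg_bytes_named_png": (JPEG_MAGIC + b"\xe0" + b"\x00" * 20, "art.png"),
    "gif": (b"GIF89a" + b"\x00" * 10, "anim.gif"),
    "empty": (b"", ""),
}


def triage(samples):
    """Validate every record; returns {name: (format_or_None, reason_or_None)}."""
    return {name: validate_image(blob, fname) for name, (blob, fname) in samples.items()}


if __name__ == "__main__":
    for name, (fmt, reason) in triage(SAMPLES).items():
        print(f"{name}: {'accept ' + fmt if fmt else 'reject: ' + reason}")
```

The point of the extension rule is the asymmetry: content without a name is still decodable and harmless to accept, while a name that disagrees with the content is a signal that something upstream is wrong, and a dashboard device should drop the record rather than guess.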
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/molerats-hackers-deploy-new-malware-in-highly-evasive-campaign/
The Palestinian-aligned APT group tracked as TA402 (aka Molerats) was spotted using a new implant named ‘NimbleMamba’ in a cyber-espionage campaign that leverages geofencing and URL redirects to legitimate websites.
Tomi Engdahl says:
Two Arrested for Alleged Conspiracy to Launder $4.5 Billion in Stolen Cryptocurrency
Government Seized $3.6 Billion in Stolen Cryptocurrency Directly Linked to 2016 Hack of Virtual Currency Exchange
https://www.justice.gov/opa/pr/two-arrested-alleged-conspiracy-launder-45-billion-stolen-cryptocurrency
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/cisco-fixes-critical-bugs-in-smb-routers-exploits-available/
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/a-look-at-the-new-sugar-ransomware-demanding-low-ransoms/
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/microsoft/microsoft-plans-to-kill-malware-delivery-via-office-macros/