This posting is here to collect cyber security news in February 2022.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
511 Comments
Tomi Engdahl says:
CISA Says ‘HiveNightmare’ Windows Vulnerability Exploited in Attacks
https://www.securityweek.com/cisa-says-hivenightmare-windows-vulnerability-exploited-attacks
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added 16 new CVE identifiers to its list of known exploited vulnerabilities, including a Windows flaw that federal agencies are required to patch within two weeks.
A majority of the 15 flaws added by CISA to its “Known Exploited Vulnerabilities Catalog” on Thursday are old — they were disclosed in 2014, 2015, 2016, 2017, 2018 and 2020. They impact Windows, Jenkins, Apache Struts and ActiveMQ, Oracle’s WebLogic, Microsoft Office, D-Link routers, and Apple’s OS X operating system.
The 16th vulnerability, a WebKit zero-day patched by Apple this week in iOS and macOS, was added to the list on Friday.
Tomi Engdahl says:
Feds Oppose Immediate Release of Voting Machine Report
https://www.securityweek.com/feds-oppose-immediate-release-voting-machine-report
A federal cybersecurity agency is reviewing a report that alleges security vulnerabilities in voting machines used by Georgia and other states and says the document shouldn’t be made public until the agency has had time to assess and mitigate potential risks.
The report has been under seal since July in federal court in Atlanta, part of a long-running lawsuit challenging Georgia’s voting machines. Its author, J. Alex Halderman, said in sworn declarations filed publicly with the court that he examined the Dominion Voting Systems machines for 12 weeks and identified “multiple severe security flaws” that would allow bad actors to install malicious software.
Plaintiffs in the case, who are election security advocates and individual voters, have for months called for the release of a redacted version of the report and urged that it be shared with state and federal election security officials. Lawyers for the state had repeatedly objected to those requests, but Secretary of State Brad Raffensperger last month put out a news release calling for its release.
Tomi Engdahl says:
India-Linked Threat Actor Involved in Spying, Planting Evidence
https://www.securityweek.com/india-linked-threat-actor-involved-spying-planting-evidence
For roughly a decade, a previously unknown advanced persistent threat (APT) actor has been engaging in long-term surveillance operations against academics, activists, journalists, human rights defenders, and law professionals, SentinelOne reports.
Dubbed ModifiedElephant and still active, the group is also believed to have planted evidence that was later used to justify arrests.
The APT was observed launching phishing attacks, mainly against targets in India, and attempting to infect victims through emails carrying macro-enabled Office documents.
Tomi Engdahl says:
Spanish Authorities Dismantle SIM Swapping Gang
https://www.securityweek.com/spanish-authorities-dismantle-sim-swapping-gang
Spanish authorities this week announced they arrested eight individuals that were part of a fraud ring that employed SIM swapping to compromise bank accounts.
The suspects used phishing and impersonation to obtain the personal information of potential victims and then proceeded to take over online banking accounts to steal money.
As part of the scheme, the suspects convinced employees at phone stores to transfer the potential victims’ phone numbers to SIM cards in the attackers’ possession, the Spanish National Police says.
Posing as legitimate institutions, including banks, the attackers employed phishing (via SMS, email, and instant messaging applications) to obtain sensitive information from their victims, including passwords, credit card numbers, and copies of ID documents.
Tomi Engdahl says:
A surprise greeted dozens of people who called Kela: an ordinary citizen answered the phone
Kela had to fall back on a backup system, which contained a typing error. Calls were routed to an ordinary citizen.
https://www.iltalehti.fi/kotimaa/a/1f432e0d-9cf8-4256-98e7-9d99ae90c867
According to information obtained by Iltalehti, around thirty calls intended for Kela were routed to an ordinary citizen on Friday afternoon. The private individual told the callers that they had reached a wrong number.
After 3 p.m. on Friday there was a fault in the OC telephone service system used by the Social Insurance Institution (Kela). The system crashed.
Kela has a backup routing system, which was then put into use. The system contains hundreds of phone numbers of Kela employees.
– It is used very rarely, perhaps 1–2 times a year.
The phone numbers have been entered into the system manually. So it was a typing error that had crept into one number.
– It is a phone number that is not in Kela's use. The private individual handled this admirably by contacting Kela. Ten minutes after that contact came in, the matter had been fixed.
A data security breach?
Some callers, however, had time to begin telling the citizen who answered about their private affairs. Kela is therefore now treating the matter as a possible data security breach.
– This is really unfortunate. This is a possible data security breach, which Kela has already begun handling as a security incident concerning personal data. We are proceeding according to our internal process.
– We are also reviewing the reliability of the backup routing system so that typing errors no longer occur.
Tomi Engdahl says:
CISA Again Warns U.S. Organizations of Potential Russian Cyberattacks
https://www.securityweek.com/cisa-again-warns-us-organizations-potential-russian-cyberattacks
Tomi Engdahl says:
Sophisticated FritzFrog P2P Botnet Returns After Long Break
https://www.securityweek.com/sophisticated-fritzfrog-p2p-botnet-returns-after-long-break
Tomi Engdahl says:
FBI: BlackByte ransomware breached US critical infrastructure
https://www.bleepingcomputer.com/news/security/fbi-blackbyte-ransomware-breached-us-critical-infrastructure/
The US Federal Bureau of Investigation (FBI) revealed that the BlackByte ransomware group has breached the networks of at least three organizations from US critical infrastructure sectors in the last three months.
This was disclosed in a TLP:WHITE joint cybersecurity advisory released Friday in coordination with the US Secret Service.
Tomi Engdahl says:
Major security vulnerability found in top servers
https://www.networkworld.com/article/3649365/major-security-vulnerability-found-in-top-servers.html
More than 20 vulnerabilities have been found affecting unified extensible firmware interfaces (UEFI) software, allowing attackers to bypass hardware security mechanisms.
Tomi Engdahl says:
Leak site says it has been given list of Canada truck convoy donors after reported hack
https://www.reuters.com/world/us/leak-site-says-it-has-been-given-list-canada-truck-convoy-donors-after-reported-2022-02-14/
A leak site says it has been given reams of data about the donors to the Canadian anti-vaccine mandate truckers after the fundraising platform popular with supporters of the movement allegedly suffered a hack.
Distributed Denial of Secrets announced on its website that it had 30 megabytes of donor information from Christian fundraising site GiveSendGo, including names, email addresses, zip codes, and internet protocol addresses.
Tomi Engdahl says:
Cisco makes $20 billion-plus takeover offer for Splunk
https://www.cnn.com/2022/02/12/tech/cisco-splunk-takeover/index.html
Tomi Engdahl says:
FritzFrog botnet grows 10x, hits healthcare, edu, and govt systems
https://www.bleepingcomputer.com/news/security/fritzfrog-botnet-grows-10x-hits-healthcare-edu-and-govt-systems/
The FritzFrog botnet that’s been active for more than two years has resurfaced with an alarming infection rate, growing ten times in just a month of hitting healthcare, education, and government systems with an exposed SSH server.
Tomi Engdahl says:
Tripwire for Real War? Cyber’s Fuzzy Rules of Engagement
https://www.securityweek.com/tripwire-real-war-cybers-fuzzy-rules-engagement
Tomi Engdahl says:
Russia's counterstrike could hit the IT sector too
https://www.tivi.fi/uutiset/tv/60c3d971-c5af-48d8-af59-8c8e99477105
In the United States, the administration is worried about the deterioration of relations with Russia and the resulting possible shortage of materials critical to the chip industry. The United States has threatened Russia with heavy sanctions if Russia attacks Ukraine. Reuters reports, citing anonymous insider sources, that the White House is urging the country's semiconductor industry to prepare, by diversifying its supply chains, for a possible situation in which Russia retaliates against sanctions by making it harder to obtain raw materials critical to chip manufacturing. Military action could also hamper availability. Techcet estimates that more than 90 percent of the neon used for semiconductors in the United States comes from Ukraine, while 35 percent of palladium comes from Russia.
Tomi Engdahl says:
Israeli police suspected of unauthorized eavesdropping with the Pegasus spyware; in the background are corruption allegations against the country's former prime minister
https://www.tivi.fi/uutiset/tv/122c2da1-fb98-4bcf-a3b9-b208c44ffa15
A high-level investigation has been launched in Israel into allegations that the country's police used the Pegasus spyware to eavesdrop on people without a court order, Reuters reports. The country's justice ministry announced on Sunday that the investigation will go through the database of NSO Group, the creator of the spyware.
Tomi Engdahl says:
The world’s most coveted spyware, Pegasus: Lock and Code S03E04 https://blog.malwarebytes.com/podcast/2022/02/the-worlds-most-coveted-spyware-pegasus-lock-and-code-s03e04/
Two years ago, the FBI reportedly purchased a copy of the world’s most coveted spyware, a tool that can remotely and silently crack into Androids and iPhones without leaving a trace, spilling device contents onto a console possibly thousands of miles away, with little more effort than entering a phone number. This tool is Pegasus, and, according to recent reporting from The New York Times, the FBI purchased the tool for examination, but deferred from using it for any real investigations. Remarkably, at the same time, the US government was also considering a version of Pegasus that could allow for domestic spying on Americans: a new, upgraded Pegasus called “Phantom.”
Pegasus and Phantom were reportedly never deployed by the US government, but that doesn’t mean that these invasive hacking powers are rarely used. In fact, Pegasus has been sold to the governments of India, Saudi Arabia, Bahrain, Azerbaijan, Mexico, the United Arab Emirates, Morocco, Hungary, and Rwanda.
Tomi Engdahl says:
Full-time internet surveillance comes to Cambodia this week https://www.theregister.com/2022/02/14/cambodia_national_internet_gateway/
Cambodia’s National Internet Gateway comes online this Wednesday, exposing all traffic within the country to pervasive government surveillance.
Tomi Engdahl says:
FBI: BlackByte ransomware breached US critical infrastructure https://www.bleepingcomputer.com/news/security/fbi-blackbyte-ransomware-breached-us-critical-infrastructure/
The US Federal Bureau of Investigation (FBI) revealed that the BlackByte ransomware group has breached the networks of at least three organizations from US critical infrastructure sectors in the last three months. This was disclosed in a TLP:WHITE joint cybersecurity advisory released Friday in coordination with the US Secret Service.
Original: https://www.ic3.gov/Media/News/2022/220211.pdf
Tomi Engdahl says:
Allcome clipbanker is a newcomer in underground forums https://www.gdatasoftware.com/blog/2022/02/37239-allcome-clipbanker-is-a-newcomer-in-malware-underground-forums
The malware underground market might seem astoundingly professional in marketing and support. Let’s take a look under the covers of one particular malware-as-a-service: the clipboard banker Allcome. Unlike its elaborate marketing banner, Allcome clipbanker is very simple under the hood. Especially its main functionality, the clipboard replacement, is not thought-out, which is good for potentially affected users, who will soon realize that something is wrong. Nevertheless it seems to have gained quite some traction. A quick VirusTotal search already came up with 51 Allcome samples. Sometimes marketing is everything.
Tomi Engdahl says:
Wazawaka Goes Waka Waka
https://krebsonsecurity.com/2022/02/wazawaka-goes-waka-waka/
In January, KrebsOnSecurity examined clues left behind by “Wazawaka,” the hacker handle chosen by a major ransomware criminal in the Russian-speaking cybercrime scene. Wazawaka has since “lost his mind,” according to his erstwhile colleagues, creating a Twitter account to drop exploit code for a widely-used virtual private networking (VPN) appliance, and publishing bizarre selfie videos taunting security researchers and journalists. As noted in January’s profile, Wazawaka has worked with at least two different ransomware affiliate programs, including LockBit. Wazawaka said LockBit had paid him roughly $500,000 in commissions for the six months leading up to September 2020.
Wazawaka also said he’d teamed up with DarkSide, the ransomware affiliate group responsible for the six-day outage at Colonial Pipeline last year that caused nationwide fuel shortages and price spikes. The U.S. Department of State has since offered a $5 million reward for information leading to the arrest and conviction of any DarkSide affiliates.
Tomi Engdahl says:
Twitter cans 2FA service provider over surveillance claims https://blog.malwarebytes.com/privacy-2/2022/02/twitter-cans-2fa-service-provider-over-surveillance-claims/
Twitter is transitioning away from its two-factor authentication (2FA) provider, Mitto AG, a Swiss communications company. The social media giant broke the news to US Senator Ron Wyden of Oregon. It is noted that Twitter’s decision to move away from Mitto AG came after allegations that its co-founder and Chief Operating Officer, Ilja Gorelik, sold access to Mitto’s networks to surveillance technology firms. Talking to Bloomberg, an aide close to Wyden said that Twitter cited media reports as a significant factor for its decision.
Tomi Engdahl says:
Cities: Skylines’ Gaming Modder Banned Over Hidden Malware https://threatpost.com/cities-skylines-modder-banned-over-hidden-malware/178403/
35K+ players were exposed to an auto-updater that planted a trojan that choked performance for fellow modders and Colossal Order employees.
Tomi Engdahl says:
Documents reveal depth of anxiety over possible Russian cyberattacks on U.S. grid https://readme.security/documents-reveal-depth-of-anxiety-over-possible-russian-cyberattacks-on-u-s-grid-7f718d6b3e8b
A trove of emails from top Homeland Security officials expose how the U.S. government scrambled to ensure the defenses of American utilities after Russia brought down parts of Ukraine’s power grid in 2015.
Tomi Engdahl says:
John D. McKinnon / Wall Street Journal:
Texas sues Meta over its use of facial recognition from 2010 to late 2021 in the state; the state says the social-media giant violated privacy protections and seeks hundreds of billions of dollars in civil penalties
Texas Sues Meta Over Facebook’s Facial-Recognition Practices
Meta, which has ended the practices at issue, says the claims are without merit
https://www.wsj.com/articles/texas-sues-meta-over-facebooks-facial-recognition-practices-11644854794?mod=djemalertNEWS
Tomi Engdahl says:
Google Discovers Attack Exploiting Chrome Zero-Day Vulnerability
https://www.securityweek.com/google-discovers-attack-exploiting-chrome-zero-day-vulnerability
Google on Monday announced the release of 11 security patches for Chrome, including one for a vulnerability exploited in the wild.
Tracked as CVE-2022-0609 and rated high severity, the exploited vulnerability is described as a use-after-free issue in Animation that was reported by Adam Weidemann and Clément Lecigne of Google’s Threat Analysis Group.
“Google is aware of reports that an exploit for CVE-2022-0609 exists in the wild,” the Internet giant notes in an advisory.
While the company did not provide additional information on the exploited zero-day, use-after-free bugs are typically exploited to achieve the execution of arbitrary code on vulnerable systems.
This is the first exploited Chrome zero-day patched by Google in 2022. According to data from the company’s Project Zero group, there were 14 exploited Chrome flaws last year.
Tomi Engdahl says:
https://chromereleases.googleblog.com/2022/02/stable-channel-update-for-desktop_14.html
Tomi Engdahl says:
David Gilbert / VICE:
Christian fundraising site GiveSendGo is offline, possibly due to a hack, amid a leak of alleged personal info of ~92K donors to the Canadian “Freedom Convoy”
Hackers Just Leaked the Names of 92,000 ‘Freedom Convoy’ Donors
https://www.vice.com/en/article/k7wpax/freedom-convoy-givesendgo-donors-leaked
GiveSendGo, the Christian crowdfunding site that helped raise $8.7 million for the anti-vax “freedom convoy” in Canada, was hacked on Sunday night.
The Christian crowdfunding site that helped raise $8.7 million for the anti-vax “freedom convoy” in Canada was hacked on Sunday night, and the names and personal details of over 92,000 donors were leaked online.
The database of 92,845 donors is no longer available on the site, but VICE News was able to review a copy of the data.
While some of the donors did not provide their names—such as the person behind the current top donation of $215,000—the vast majority did provide them
While GiveSendGo does allow donors to make their donations public, many chose to use their company’s name or omit their names entirely, so the leaked database contains a lot of information that was never meant to be shared, data like donors’ full names, email addresses, and location.
Analysis of the leaked data by extremism researcher Amarnath Amarasingam shows that while the majority of donors come from the U.S. (56%) and Canada (29%), there are also thousands of donations from overseas, including the U.K., Australia, and Ireland.
Also included in the leaked data were the messages that some donors posted alongside their donations. The messages contained over 13,000 references to “God” or “Jesus” as well as thousands of references to “tyranny.”
While most of the users’ messages were relatively benign, there are a number of more troubling posts, like this from one user: “I look forward to the day you tyrants are swinging from a noose.”
In their message, the hacker or hackers also pointed out that the Canadian trucker protest has inspired copycat protests around the world. “Has anyone thought about how dangerous this is, especially during these times?” they wrote.
“The Canadian government has informed you that the money you assholes raised to fund an insurrection is frozen,” the hackers added.
This was a reference to the fact that on Friday, the Superior Court of Justice in Ontario granted a restraining order requested by the Government of Ontario against the crowdfunding platform, demanding that protesters’ funds be frozen.
In response, GiveSendGo dismissed the court order, tweeting: “Canada has absolutely ZERO jurisdiction over how we manage our funds here at GiveSendGo. All funds for EVERY campaign on GiveSendGo flow directly to the recipients of those campaigns.”
GiveSendGo has become the go-to platform for extremists of all stripes in recent years, hosting fundraisers for groups including the Proud Boys, QAnon influencers, anti-vaxxers, and the families of Jan. 6 prisoners.
GiveSendGo’s website was offline early Monday morning with a message reading: “Application is under maintenance, we will be back very soon.”
Early last week TechCrunch revealed that security researchers had discovered 50GB of unsecured GiveSendGo data including scans of passports and driver’s licenses. The crowdfunding platform said it fixed the issue, but the Daily Dot reported Thursday that the data was still accessible.
Tomi Engdahl says:
Google Chrome—Emergency Security Update For 3.2 Billion As Attacks Underway
https://www.forbes.com/sites/daveywinder/2022/02/15/google-chrome-emergency-security-update-for-32-billion-as-attacks-underway/
Google has confirmed the latest in a growing list of emergency security updates to the Chrome web browser used by an estimated 3.2 billion users.
The update to version 98.0.4758.102 of Chrome patches a total of eight security vulnerabilities, one of which, Google has confirmed, is a zero-day vulnerability that attackers are already exploiting.
The Google Chrome stable channel blog update announcement, published on Valentine’s Day, stated that “Google is aware of reports that an exploit for CVE-2022-0609 exists in the wild.”
CVE-2022-0609 is a high-rated remote code execution vulnerability that could enable an attacker to run code on a targeted computer.
There’s not any detail of the vulnerability, other than the ‘use after free in animation’ descriptor in the update posting. This lack of technical details regarding a vulnerability that is being actively exploited is not at all unusual.
Tomi Engdahl says:
Microsoft Issues ‘Turn It Off And On Again’ Warning For Windows 10 Users
https://lm.facebook.com/l.php?u=https%3A%2F%2Ftrib.al%2FjZNB6Jb&h=AT0JFqrWEUS5J0-64MdYlfRc5ZSDksZp351ca3ET31HvQv7uC7nYESL14UTOGV8o4hMicgtgOhEqivJiiDGJ1z5cMY-ejBo_ol_eWVq00GHgRw0Hhu2u5VGM3tjPQ3gucw
In the cult British TV situation comedy, The IT Crowd, Roy, the hapless technical support person, always answered the phone by asking, “have you tried turning it off and on again?” This de facto response quickly became the most remembered and repeated catchphrase from the long-running series. Microsoft would appear to think this isn’t a laughing matter, at least not as far as Windows 10 users are concerned. Indeed, turning it off and on again might just be making your computer less secure. Stick with me, and I’ll explain why you should take this seriously.
The February Patch Tuesday security update turned out to be something of a damp squib: 51 security fixes, none were rated as critical and only a single zero-day vulnerability among them. Which is, obviously, a good thing as less is more when it comes to operating system vulnerabilities.
My recommendation for users of Windows to always update as soon as possible remains firmly in place. This, it would seem, isn’t as easy as it looks.
In a recent blog posting, one of Microsoft’s Windows Updates program managers, David Guyer, revealed the results of research into why Windows devices might not be as up-to-date as they should be.
https://techcommunity.microsoft.com/t5/windows-it-pro-blog/achieve-better-patch-compliance-with-update-connectivity-data/ba-p/3073356
Tomi Engdahl says:
Startup Virsec Systems says it can eliminate the need for most cybersecurity tools
https://siliconangle.com/2022/02/12/startup-virsec-systems-says-can-eliminate-need-cybersecurity-tools/
Having dwelt largely in the shadows for the past six years, cybersecurity startup Virsec Systems Inc. is now doing some flag-waving about its claim that it has developed a radical new approach to protection that can render most other security products unnecessary.
Led by a team of cybersecurity veterans, the company says it can detect attacks by understanding the intended behavior of software and identifying and blocking irregularities in a few milliseconds.
Virsec comes at the problem by embedding a read-only application called AppMap into memory to provide what it calls deterministic protection. The software analyzes running code to learn what permutations the software can invoke and then monitors the full operating stack to detect deviations from intended outcomes and stop them instantly.
“We don’t touch the software, but we map at a very low level to understand its behavior,” Furneaux said, comparing the process to that of a GPS navigation system that understands a map and can navigate from point to point.
Tomi Engdahl says:
Ukrainian military agencies, banks hit by DDoS attacks, defacements https://www.bleepingcomputer.com/news/security/ukrainian-military-agencies-banks-hit-by-ddos-attacks-defacements/
The Ministry of Defense and the Armed Forces of Ukraine and two of the country’s state-owned banks, Privatbank and Oschadbank (Ukraine’s State Savings Bank), are being hammered by Distributed Denial-of-Service (DDoS) attacks. Today, Ukraine’s Cyberpolice also reported that bank customers received text messages claiming that bank ATMs were down, adding that they were “part of an information attack and do not correspond to reality.”
Tomi Engdahl says:
Ukraine says it’s targeted by ‘massive wave of hybrid warfare’
https://www.bleepingcomputer.com/news/security/ukraine-says-it-s-targeted-by-massive-wave-of-hybrid-warfare-/
The Security Service of Ukraine (SSU) today said the country is the target of an ongoing “wave of hybrid warfare,” aiming to instill anxiety and undermine Ukrainian society’s confidence in the state’s ability to defend its citizens. “Ukraine is facing attempts to systemically sow panic, spread fake information and distort the real state of affairs. All this combined is nothing more than another massive wave of hybrid warfare,” the SSU said. The SSU added that it had to counteract multiple such attempts linked to hostile intelligence agencies and bot farms targeting both social networks and mass media.
Tomi Engdahl says:
Cyberattacks Knock Out Sites of Ukrainian Army, Major Banks
https://www.securityweek.com/cyberattacks-knock-out-sites-ukrainian-army-major-banks
A series of cyberattacks on Tuesday knocked the websites of the Ukrainian army, the defense ministry and major banks offline, Ukrainian authorities said, as tensions persisted over the threat of a possible Russian invasion.
Still, there was no indication the relatively low-level, distributed-denial-of-service attacks might be a smokescreen for more serious and damaging cyber mischief.
At least 10 Ukrainian websites were unreachable due to the attacks, including the defense, foreign and culture ministries and Ukraine’s two largest state banks. In such attacks, websites are barraged with a flood of junk data packets, rendering them unreachable.
“We don’t have any information of other disruptive actions that (could) be hidden by this DDoS attack,” said Victor Zhora, a top Ukrainian cyberdefense official. He said emergency response teams were working to cut off the attackers and recover services.
Customers at Ukraine’s largest state-owned bank, Privatbank, and the state-owned Sberbank reported problems with online payments and the banks’ apps.
Among the attackers’ targets was the hosting provider for Ukraine’s army and Privatbank, said Doug Madory, director of internet analysis at the network management firm Kentik Inc.
“There is no threat to depositors’ funds,” Zhora’s agency, the Ukrainian Information Ministry’s Center for Strategic Communications and Information Security, said in a statement. Nor did the attack affect the communications of Ukraine’s military forces, said Zhora.
It was too early to say who was behind the attack, he added.
Tomi Engdahl says:
Swissport Investigating Ransomware Group’s Data Leak Claims
https://www.securityweek.com/swissport-investigating-ransomware-groups-data-leak-clai
A ransomware group has taken credit for the recent attack targeting aviation services company Swissport, and the cybercriminals claim to have stolen more than one terabyte of data.
Swissport discovered the breach on February 3 and disclosed the incident one day later. The company at the time could not share any information on the type of ransomware used in the attack or whether any data was stolen.
However, operators of a ransomware known as BlackCat, ALPHV and Noberus took credit for the attack on Monday, and published several files allegedly stolen from Swissport systems. Leaked files include passport copies, a database containing job candidate information, and an internal document.
Tomi Engdahl says:
Google Offering $91,000 Rewards for Linux Kernel, GKE Zero-Days
https://www.securityweek.com/google-offering-91000-rewards-linux-kernel-gke-zero-days
Technology giant Google is offering bigger cash awards for hackers reporting critical security flaws affecting the Linux Kernel, GKE, Kubernetes, and kCTF.
In November last year, Google tripled the bug bounty rewards for Linux kernel flaws reported through its Vulnerability Rewards Program (VRP), for payouts of up to $50,337 for zero-day issues.
This week, the company announced it is nearly doubling that amount and offering a maximum reward of $91,337 for exploits that meet certain criteria. The maximum payout includes a base reward and three bonuses.
Tomi Engdahl says:
Researchers Dissect Activity of Cybercrime Group Targeting Aviation, Other Sectors
https://www.securityweek.com/researchers-dissect-activity-cybercrime-group-targeting-aviation-other-sectors
Proofpoint’s security researchers have taken a deep dive into the activity of TA2541, a threat actor targeting the aerospace, aviation, defense, manufacturing and transportation sectors for years.
Active since at least 2017, the adversary has been observed employing aviation-, transportation- and travel-related themes to infect targets with various remote access Trojans (RATs).
Unlike other threat actors that rely on current events as lures in their attacks, TA2541 has shown consistent tactics, techniques, and procedures (TTPs) over time, typically sending phishing emails that carry macro-enabled Word attachments to deploy malicious payloads.
In recent attacks, however, the group has started to frequently use links to payloads hosted on cloud services, including Google Drive, OneDrive, GitHub, Pastetext, and Sharetext. Recent Google Drive URLs led to an obfuscated Visual Basic Script (VBS) file meant to fetch a payload from other platforms.
The attacks employ PowerShell scripts and rely on Windows Management Instrumentation (WMI) to query security products that the adversary attempts to disable. TA2541 also harvests system information prior to persistently installing RATs.
The group typically sends more than 10,000 messages at a time as part of its attacks, targeting hundreds of organizations in North America, Europe, and the Middle East.
Tomi Engdahl says:
VMware Patches Vulnerabilities Reported by Researchers to Chinese Government
https://www.securityweek.com/vmware-patches-vulnerabilities-reported-researchers-chinese-government
VMware vulnerabilities disclosed at China’s Tianfu Cup hacking contest were also reported to Chinese government
VMware on Tuesday announced that it has patched several high-severity vulnerabilities that were disclosed last year at a major Chinese hacking contest.
The security holes impact VMware ESXi, Workstation, and Fusion, and they were used at the 2021 Tianfu Cup hacking contest by Kunlun Lab, the team that won the event. Kunlun Lab earned a total of more than $650,000 for a wide range of exploits demonstrated at Tianfu Cup.
The event’s organizers offered $80,000 for VMware Workstation exploits that achieve a guest-to-host escape and $180,000 for ESXi exploits that enable the attacker to obtain root permissions on the host. It’s unclear exactly how much Kunlun Lab earned for its VMware exploits at Tianfu Cup.
In an advisory released on Tuesday, VMware provided the following description for the vulnerabilities:
CVE-2021-22040 – use-after-free vulnerability in XHCI USB controller of ESXi, Workstation, and Fusion — allows an attacker with local admin privileges on a virtual machine (VM) to execute code as the VM's VMX process running on the host;
CVE-2021-22041 – double-fetch vulnerability in UHCI USB controller of ESXi, Workstation, and Fusion — allows a local attacker with admin privileges on a VM to execute code as the VMX process running on the host;
CVE-2021-22042 – settingsd unauthorized access vulnerability in ESXi — related to VMX having access to settingsd authorization tickets, allowing an attacker with privileges within the VMX process to access the settingsd service running as a high-privileged user;
CVE-2021-22043 – settingsd TOCTOU vulnerability in ESXi — related to the way temporary files are handled, allows an attacker to escalate privileges by writing arbitrary files.
Tomi Engdahl says:
EU wants to ban controversial spyware https://www.is.fi/digitoday/tietoturva/art-2000008614713.html
The EU's data protection supervisor is calling for a ban on Pegasus, the phone spyware made by Israel's NSO Group, Reuters reports.
Tomi Engdahl says:
Internet Society data leak exposed 80,000 members’ login details https://portswigger.net/daily-swig/internet-society-data-leak-exposed-80-000-members-login-details
The Internet Society (ISOC), a non-profit dedicated to keeping the internet open and secure, has blamed the inadvertent exposure of its 80,000-plus members’ personal data on a third-party vendor. The data, which was publicly accessible on an unprotected Microsoft Azure cloud repository, comprised millions of JSON files including, among other things, full names, email and mailing addresses, and login details.
Tomi Engdahl says:
Facebook faces court again: facial recognition was used without users' permission
https://www.tivi.fi/uutiset/tv/dbf6f0bb-06eb-4bfa-b6d2-f08ee45d33a4
Texas is suing Facebook's parent company Meta over its use of facial recognition technology. In the lawsuit filed by Texas Attorney General Ken Paxton, the company is accused of violating the state's privacy laws by collecting the biometric data of tens of millions of people without consent.
Tomi Engdahl says:
Unskilled hacker linked to years of attacks on aviation, transport sectors https://www.bleepingcomputer.com/news/security/unskilled-hacker-linked-to-years-of-attacks-on-aviation-transport-sectors/
For years, a low-skilled attacker has been using off-the-shelf malware in malicious campaigns aimed at companies in the aviation sector as well as in other sensitive industries. The threat actor has been active since at least 2017, targeting entities in the aviation, aerospace, transportation, manufacturing, and defense industries.
Tracked as TA2541 by cybersecurity company Proofpoint, the adversary is believed to operate from Nigeria and its activity has been documented before in analysis of separate campaigns.
BlackCat (ALPHV) claims Swissport ransomware attack, leaks data https://www.bleepingcomputer.com/news/security/blackcat-alphv-claims-swissport-ransomware-attack-leaks-data/
The BlackCat ransomware group, aka ALPHV, has claimed responsibility for the recent cyber attack on Swissport that caused flight delays and service disruptions.
Tomi Engdahl says:
SMS PVA Services’ Use of Infected Android Phones Reveals Flaws in SMS Verification https://www.trendmicro.com/en_us/research/22/b/sms-pva-services-use-of-infected-android-phones-reveals-flaws-in-sms-verification.html
There has been an increase in short message service (SMS) phone-verified account (PVA) services in the last two years. SMS PVA services provide alternative mobile numbers that customers can use to register for online services and platforms. These types of services help circumvent the SMS verification mechanisms widely used by online platforms and services to authenticate new accounts. Malicious actors can register disposable accounts in bulk or create phone-verified accounts for criminal activities.
Tomi Engdahl says:
QNAP Extends Security Updates for Some EOL Devices
https://www.securityweek.com/qnap-extends-security-updates-some-eol-devices
Taiwan-based NAS and NVR solutions manufacturer QNAP Systems on Monday announced that it is extending the security update window for some devices that have reached end-of-life (EOL) status.
QNAP typically provides security updates for four years after a product has reached EOL status.
Tomi Engdahl says:
FBI Warns of BlackByte Ransomware Attacks on Critical Infrastructure
https://www.securityweek.com/fbi-warns-blackbyte-ransomware-attacks-critical-infrastructure
The BlackByte ransomware has been used in attacks on at least three critical infrastructure sectors in the United States, the Federal Bureau of Investigation (FBI) and the U.S. Secret Service (USSS) warn in a joint advisory.
Available as a Ransomware-as-a-Service (RaaS), BlackByte has been used in attacks against US and foreign businesses, including in critical infrastructure sectors such as government, financial, and food and agriculture, the FBI and USSS warn.
BlackByte operators recently claimed to have obtained financial data from the San Francisco 49ers as a result of an attack that targeted the football team.
Some victims, the joint advisory says, discovered that the attackers exploited a known Microsoft Exchange Server vulnerability to gain initial access to their environments.
Tomi Engdahl says:
Moxa MXview Vulnerabilities Expose Industrial Networks to Attacks
https://www.securityweek.com/moxa-mxview-vulnerabilities-expose-industrial-networks-attacks
Several vulnerabilities, including some that have been rated “critical,” were found in the past months in Moxa’s MXview industrial network management software.
Five types of vulnerabilities were discovered by researchers at industrial and IoT cybersecurity company Claroty. They were patched in September 2021 with the release of version 3.2.4, but their details were disclosed last week by Claroty. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) published an advisory in October 2021 to warn organizations about these flaws.
Moxa MXview is a web-based network management system designed for configuring, monitoring, and diagnosing networking devices in industrial networks. The product enables users to manage devices via a web browser, including from local or remote sites.
“An attacker can exploit an unpatched Moxa server by chaining several of the vulnerabilities we uncovered to achieve remote code execution,” Noam Moshe, vulnerability researcher at Claroty, told SecurityWeek.
“Network management systems such as MXview not only handle discovery of network devices and connections, but administrators use it to centrally manage configurations and firmware updates for Moxa devices on the network. An attacker with this kind of access can manipulate these configurations to alter processes and affect device integrity,” Moshe explained.
Tomi Engdahl says:
Google Chrome—Emergency Security Update For 3.2 Billion As Attacks Underway
https://www.forbes.com/sites/daveywinder/2022/02/15/google-chrome-emergency-security-update-for-32-billion-as-attacks-underway/?sh=2b3bb8995d78
Google has confirmed the latest in a growing list of emergency security updates to the Chrome web browser used by an estimated 3.2 billion users.
The update to version 98.0.4758.102 of Chrome patches a total of eight security vulnerabilities, one of which, Google has confirmed, is a zero-day vulnerability that attackers are already exploiting.
The Google Chrome stable channel blog update announcement, published on Valentine’s Day, stated that “Google is aware of reports that an exploit for CVE-2022-0609 exists in the wild.”
Tomi Engdahl says:
Daily Crunch: Hackers leak names, personal details of donors to ‘Freedom Convoy’ protest
https://techcrunch.com/2022/02/14/daily-crunch-hackers-leak-names-personal-details-of-donors-to-freedom-convoy-protest/?tpcc=tcplusfacebook
Tomi Engdahl says:
Microsoft Defender will soon block Windows password theft
https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-will-soon-block-windows-password-theft/
Microsoft is enabling a Microsoft Defender ‘Attack Surface Reduction’ security rule by default to block hackers’ attempts to steal Windows credentials from the LSASS process.
When threat actors compromise a network, they attempt to spread laterally to other devices by stealing credentials or using exploits.
One of the most common methods to steal Windows credentials is to gain admin privileges on a compromised device and then dump the memory of the Local Security Authority Server Service (LSASS) process running in Windows.
This memory dump contains NTLM hashes of Windows credentials of users who had logged into the computer, which can be brute-forced for clear-text passwords or used in Pass-the-Hash attacks to log in to other devices.
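As an added example, not code from the article or from Microsoft: a PowerShell snippet that reads the current state of the Defender ASR rule that blocks credential theft from LSASS, enables it if it is not already blocking, and lists recent hits for that rule from the Defender event log. It assumes Windows 10/11 with Microsoft Defender Antivirus and an elevated session; the rule GUID and event IDs 1121/1122 are Microsoft's documented values, and the function names are my own.

```powershell
# Added example (not code from the article or from Microsoft): check and enforce the
# Defender ASR rule that blocks credential theft from LSASS, then list recent rule hits.
# Assumes Windows 10/11 with Microsoft Defender Antivirus and an elevated PowerShell session.

# GUID of "Block credential stealing from the Windows local security authority subsystem (lsass.exe)".
$LsassRuleId = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'

function Get-LsassAsrRuleState {
    # Returns NotConfigured, Disabled, Block, Audit or Warn for the LSASS rule.
    $pref = Get-MpPreference
    $ids = @(@($pref.AttackSurfaceReductionRules_Ids) | Where-Object { $_ } | ForEach-Object { $_.ToLower() })
    $idx = [Array]::IndexOf($ids, $LsassRuleId)
    if ($idx -lt 0) { return 'NotConfigured' }
    # Action codes used by Defender: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn.
    switch ([int]$pref.AttackSurfaceReductionRules_Actions[$idx]) {
        0 { 'Disabled' } 1 { 'Block' } 2 { 'Audit' } 6 { 'Warn' } default { "Unknown($_)" }
    }
}

function Enable-LsassAsrRule {
    param([ValidateSet('Enabled', 'AuditMode')][string]$Mode = 'Enabled')
    # Add-MpPreference merges with rules already configured; AuditMode only logs,
    # which is the usual first step before switching to Enabled (block) fleet-wide.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $LsassRuleId `
                     -AttackSurfaceReductionRules_Actions $Mode
}

function Get-LsassAsrEvents {
    param([int]$Hours = 24)
    # Defender records ASR hits as event 1121 (blocked) and 1122 (audited) in its Operational
    # log; the event text carries the rule GUID, so filter on it to keep only LSASS-rule hits.
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $LsassRuleId } |
        ForEach-Object {
            $action = if ($_.Id -eq 1121) { 'Blocked' } else { 'Audited' }
            [pscustomobject]@{ Time = $_.TimeCreated; Action = $action; Message = $_.Message }
        }
}

# Report the state, enforce block mode if the rule is not already blocking, then show recent hits.
"LSASS ASR rule state: $(Get-LsassAsrRuleState)"
if ((Get-LsassAsrRuleState) -ne 'Block') { Enable-LsassAsrRule -Mode 'Enabled' }
Get-LsassAsrEvents -Hours 24 | Format-Table -AutoSize
```

Run it in audit mode first (`Enable-LsassAsrRule -Mode AuditMode`) on a pilot group so that legitimate tools that read LSASS, such as some EDR agents, show up as 1122 events before blocking is enforced.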
Tomi Engdahl says:
Russian State-Sponsored Cyber Actors Target Cleared Defense Contractor Networks to Obtain Sensitive U.S. Defense Information and Technology https://www.cisa.gov/uscert/ncas/alerts/aa22-047a
- From at least January 2020 through February 2022, the Federal Bureau of Investigation (FBI), National Security Agency (NSA), and Cybersecurity and Infrastructure Security Agency (CISA) have observed regular targeting of U.S. cleared defense contractors (CDCs) by Russian state-sponsored cyber actors. The actors have targeted both large and small CDCs and subcontractors with varying levels of cybersecurity protocols and resources.
Tomi Engdahl says:
Cyberattacks On Ukraine Could Be Prelude To More Aggression, Experts Say https://www.forbes.com/sites/thomasbrewster/2022/02/16/ukraine-cyberattacks-could-be-sign-of-more-aggression-experts-say/
Tuesday’s cyberattacks on Ukrainian banks and military, suspected to originate in Russia, appear to be an attempt to cause psychological disruption in Ukraine and could be a signal for a far more significant attack in the future, and possibly a physical one, Ukrainian officials and cybersecurity experts agreed.