Cyber security news March 2022

This posting is here to collect cyber security news in March 2022.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.

888 Comments

  1. Tomi Engdahl says:

    Android malware Escobar steals your Google Authenticator MFA codes
    https://www.bleepingcomputer.com/news/security/android-malware-escobar-steals-your-google-authenticator-mfa-codes/

    The Aberebot Android banking trojan has returned under the name ‘Escobar’ with new features, including stealing Google Authenticator multi-factor authentication codes.

    The new features in the latest Aberebot version also include taking control of the infected Android devices using VNC, recording audio, and taking photos, while also expanding the set of targeted apps for credential theft.

    Reply
  2. Tomi Engdahl says:

    Last night India accidentally fired off what appears to be (or at least could have looked like) a warhead-capable missile into Pakistan. It’s lucky no one freaked out and returned fire.

    https://www.bbc.com/news/world-asia-india-60711653

    Reply
  3. Tomi Engdahl says:

    Report: Recent 10x Increase in Cyberattacks on Ukraine https://krebsonsecurity.com/2022/03/report-recent-10x-increase-in-cyberattacks-on-ukraine/
    Bill Woodcock is executive director at Packet Clearing House, a nonprofit based in San Francisco that is one of several sponsors of Quad9. Woodcock said the spike in blocked DNS queries coming out of Ukraine clearly shows an increase in phishing and malware attacks against Ukrainians. “They’re being targeted by a huge amount of phishing, and a lot of malware that is getting onto machines is trying to contact malicious command-and-control infrastructure,” Woodcock said.

    Reply
  4. Tomi Engdahl says:

    Aid organizations operating in Ukraine are being hit with malware; delivery of food and medicine is becoming harder https://www.tivi.fi/uutiset/tv/7a3a7d46-cc0d-4711-ba82-cc79c7c7549f
    Amazon Web Services reports that it has noticed several pieces of malware targeted at organizations providing humanitarian aid in Ukraine. In the worst cases the malware has affected the delivery of medical supplies, food and clothing.

    Reply
  5. Tomi Engdahl says:

    Russia bans Instagram, a week after blocking Facebook, Twitter https://www.bleepingcomputer.com/news/technology/russia-bans-instagram-a-week-after-blocking-facebook-twitter/
    Russian Internet watchdog Roskomnadzor announced that Instagram will also be banned in Russia one week after blocking the Facebook and Twitter social networks. “As you know, on March 11, Meta Platforms Inc. made an unprecedented decision by allowing the posting of information containing calls for violence against Russian citizens on its social networks Facebook and Instagram,” the Russian Internet watchdog said. also:
    https://www.is.fi/digitoday/art-2000008676248.html – Russia intends to block the use of WhatsApp and Instagram. Interfax: Prosecutors ask that Meta be designated an “extremist organization”

    Reply
  6. Tomi Engdahl says:

    Teboil’s website showed a scary notice – this is what it was about https://www.is.fi/digitoday/tietoturva/art-2000008674882.html
    IN RECENT days the website of the Teboil service station chain, which has received negative publicity because of the war in Ukraine, was showing an error notice.
    The website notice has nothing to do with the fact that Teboil is owned by the Russian Lukoil group and that calls have been made to boycott it. The notice, which looks slightly different in different browsers, may say for example that “hackers are trying to steal your personal information, such as your passwords, messages or credit card details”. In reality the notice was caused by the fact that the certificate of Teboil’s website had expired.

    Reply
  7. Tomi Engdahl says:

    Senate approves historic cyber incident reporting bill, sends to Biden’s desk https://therecord.media/senate-approves-historic-cyber-incident-reporting-bill-sends-to-bidens-desk/
    The Senate on Thursday passed landmark legislation that will mandate critical infrastructure operators alert the federal government when they are hacked or make a ransomware payment.

    Reply
  8. Tomi Engdahl says:

    Corporate website contact forms used to spread BazarBackdoor malware https://www.bleepingcomputer.com/news/security/corporate-website-contact-forms-used-to-spread-bazarbackdoor-malware/
    The BazarBackdoor malware is usually spread through phishing emails that include malicious documents that download and install the malware. However, as secure email gateways have become better at detecting these malware droppers, distributors are moving to new ways of spreading the malware. In a new report by Abnormal Security, analysts explain that a new distribution campaign started in December 2021 targets corporate victims with BazarBackdoor, with the likely goal of deploying Cobalt Strike or ransomware payloads. Instead of sending phishing emails to the targets, the threat actors first use corporate contact forms to initiate communication. also:
    https://abnormalsecurity.com/blog/bazarloader-contact-form

    Reply
  9. Tomi Engdahl says:

    Raccoon Stealer Crawls Into Telegram
    https://threatpost.com/raccoon-stealer-telegram/178881/
    The credential-stealing trash panda is using the chat app to store and update C2 addresses as crooks find creative new ways to distribute the malware.

    Reply
  10. Tomi Engdahl says:

    20 terabytes: Anonymous Germany hijacks data from Rosneft Germany https://anonleaks.net/en/2022/anonymous-germany/20-terabytes-anonymous-germany-hijacks-data-from-rosneft-germany/
    Hacktivists gained access to the servers of Rosneft Deutschland, a subsidiary of the Russian oil company

    Reply
  11. Tomi Engdahl says:

    Android malware Escobar steals your Google Authenticator MFA codes https://www.bleepingcomputer.com/news/security/android-malware-escobar-steals-your-google-authenticator-mfa-codes/
    The Aberebot Android banking trojan has returned under the name ‘Escobar’ with new features, including stealing Google Authenticator multi-factor authentication codes. The new features in the latest Aberebot version also include taking control of the infected Android devices using VNC, recording audio, and taking photos, while also expanding the set of targeted apps for credential theft. The main goal of the trojan is to steal enough information to allow the threat actors to take over victims’ bank accounts, siphon available balances, and perform unauthorized transactions.

    Reply
  12. Tomi Engdahl says:

    Singapore uncovers four critical vulnerabilities in Riverbed software https://www.theregister.com/2022/03/11/riverbed_vulnerabilities/
    Singapore’s Cyber Security Group, an agency charged with securing the nation’s cyberspace, has uncovered four critical flaws in code from network software company Riverbed. also:
    https://medium.com/csg-govtech/how-we-discovered-zero-day-vulnerabilities-in-riverbed-software-agent-4adc812f7ae0

    Reply
  13. Tomi Engdahl says:

    LockBit ransomware gang claims attack on Bridgestone Americas https://www.bleepingcomputer.com/news/security/lockbit-ransomware-gang-claims-attack-on-bridgestone-americas/
    A cyberattack on Bridgestone Americas, one of the largest manufacturers of tires in the world, has been claimed by the LockBit ransomware gang.

    Ubisoft confirms ‘cyber security incident’, resets staff passwords https://www.bleepingcomputer.com/news/security/ubisoft-confirms-cyber-security-incident-resets-staff-passwords/
    Video game developer Ubisoft has confirmed that it suffered a ‘cyber security incident’ that caused disruption to its games, systems, and services. Data extortion group LAPSUS$, who has claimed responsibility for hacking Samsung, NVIDIA, and Mercado Libre thus far, appears to be behind this incident.

    Reply
  14. Tomi Engdahl says:

    Vodafone Investigating Source Code Theft Claims https://www.securityweek.com/vodafone-investigating-source-code-theft-claims
    Vodafone has launched an investigation after a cybercrime group claimed to have stolen hundreds of gigabytes of source code from the telecoms giant. The hacker group, calling itself “Lapsus$,” claims to have obtained roughly 200 Gb of source code files, allegedly representing approximately 5,000 GitHub repositories.

    Reply
  15. Tomi Engdahl says:

    Be careful now: authorities issue a stern warning about online marketplaces https://www.is.fi/digitoday/tietoturva/art-2000008670150.html
    The criminal often approaches a seller on, for example, Tori.fi or Facebook Marketplace with a WhatsApp message asking about the condition of the item. Then he offers to buy the item using a courier service. This request should tell the seller that not everything is necessarily in order.

    Reply
  16. Tomi Engdahl says:

    Google Attempts to Explain Surge in Chrome Zero-Day Exploitation
    https://www.securityweek.com/google-attempts-explain-surge-chrome-zero-day-exploitation

    14 Chrome Zero-Day Vulnerabilities Exploited in Attacks in 2021

    The number of Chrome vulnerabilities exploited in malicious attacks has been increasing over the past years and Google believes several factors have contributed to this trend.

    The number of Chrome vulnerabilities exploited in the wild reached 14 in 2021, up from eight in 2020 and two in 2019. Chrome is targeted far more often than Firefox, Safari and Internet Explorer, according to data from Google’s Project Zero research unit, which tracks exploitation of zero-days.

    Reply
  17. Tomi Engdahl says:

    High-Severity Vulnerabilities Patched in Omron PLC Programming Software
    https://www.securityweek.com/high-severity-vulnerabilities-patched-omron-plc-programming-software

    Several high-severity vulnerabilities that can be exploited for remote code execution were patched recently in the CX-Programmer software of Japanese electronics giant Omron.

    An advisory released earlier this month by Japan’s JPCERT/CC revealed that the product is affected by five use-after-free and out-of-bounds vulnerabilities, all with a CVSS score of 7.8.

    CX-Programmer, which is part of Omron’s CX-One automation software suite, is designed for programming and debugging Omron programmable logic controllers (PLCs). According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the product is used worldwide, including in the critical manufacturing sector.

    The CX-Programmer vulnerabilities affect version 9.76.1 and earlier. The flaws were discovered by security researcher Michael Heinzl, who told SecurityWeek that his findings were reported to the vendor in May and June 2021 through JPCERT/CC.

    Reply
  18. Tomi Engdahl says:

    U.S. Warns of Conti Ransomware Attacks as Gang Deals With Leak Fallout
    https://www.securityweek.com/us-warns-conti-ransomware-attacks-gang-deals-leak-fallout

    The U.S. government has reissued an alert warning organizations about Conti ransomware attacks as the cybercrime group deals with the recent leaks.

    An alert originally released in September 2021 was reissued recently by CISA, FBI, NSA and the U.S. Secret Service. The alert contains technical details on Conti attacks, as well as indicators of compromise (IoCs) that can be useful to defenders.

    Shortly after Russia launched an invasion of Ukraine, the Conti group announced its support for Russia, threatening to attack the critical infrastructure of “enemies.” They later revised their statement to say that they condemned the war, but the threat to launch cyber operations in response to the West’s actions remained.

    Reply
  19. Tomi Engdahl says:

    Filter Blocked 70,000 Emails to Indiana Lawmakers on Bill
    https://www.securityweek.com/filter-blocked-70000-emails-indiana-lawmakers-bill

    A spam filter blocked as many as 70,000 emails sent to Indiana legislators about a contentious bill that aimed to place restrictions on teaching about racism and political topics.

    The Indiana State Teachers Association said it found out less than a week before the legislative session ended early Wednesday about emails sent through a form on its website not reaching the accounts of lawmakers, The Indianapolis Star reported.

    ISTA executive director Dan Holub said the teachers union believes the messages had been blocked since January and possibly fewer than half of the nearly 120,000 emails sent through its website were delivered.

    The head of the agency that handles technology services for the General Assembly said it has had a policy since 2012 limiting how many emails can come from a single source. Legislative Services Agency executive director George Angelone said that was in order to protect against email spam attacks.

    Spam filters blocked 70,000 emails to lawmakers opposing Indiana CRT-inspired bill
    https://eu.indystar.com/story/news/education/2022/03/08/hb-1134-lawmakers-never-received-thousands-emails-opposition-critical-race-theory-indiana/9418370002/

    As many as 70,000 emails sent to Indiana lawmakers about one of the most contentious legislative proposals in recent memory have gone undelivered, due to a cybersecurity measure that limits how many emails can be received from a single source each day. At least one lawmaker is calling for a change to the state’s policy.

    The Indiana State Teachers Association said it was made aware late last week that emails sent through a form on its website, asking the public to tell lawmakers what they think about controversial proposals that would have restricted what educators could say about race and racism in the classroom and cede some control over curricula and materials, never reached lawmakers inboxes.

    As best they can tell, the issue goes back as far as January and has impacted approximately 70,000 messages. That means fewer than half of the nearly 120,000 emails sent through the ISTA website were actually delivered, said Dan Holub, ISTA’s executive director.

    “It’s not just an issue for ISTA,” Holub told IndyStar Monday. “It’s an issue for all Hoosiers about whether they’re going to have open access to their legislators.”

    Essentially, the General Assembly’s spam filter kicked back the messages.

    “The system is not set up to handle 70,000 emails sent simultaneously or in a short period of time,” Angelone said.

    ISTA said the emails were not sent simultaneously, but rather as Hoosiers responded to calls to action around House Bill 1134. The bill, which was killed in the Senate last week, was the subject of lengthy debate throughout the legislative session. ISTA said 90% of the emails sent through their website this year dealt with two calls to action around the bill — one earlier in the session, asking lawmakers to oppose it, and another asking them not to bring back the language in a conference committee after the bill had died.

    Those who sent the emails have no way of knowing whether their message was delivered.

    Reply
  20. Tomi Engdahl says:

    New method that amplifies DDoSes by 4 billion-fold. What could go wrong?
    New method also stretches out DDoS durations to 14 hours.
    https://arstechnica.com/information-technology/2022/03/ddosers-use-new-method-capable-of-amplifying-traffic-by-a-factor-of-4-billion/

    One of the oldest amplification vectors is misconfigured DNS servers, which increase DDoS volumes by about 54 times. New amplification routes have included the Network Time Protocol servers (about 556x), Plex media servers (about 5x), Microsoft RDP (86x), and the Connectionless Lightweight Directory Access Protocol (at least 50x). Just last week, researchers described a new amplification vector that achieves a factor of at least 65.

    Previously, the biggest known amplifier was memcached, which has the potential to increase traffic by an astounding 51,000x.

    The newest entrant is the Mitel MiCollab and MiVoice Business Express collaboration systems. Attackers have been using them for the past month to DDoS financial institutions, logistics companies, gaming companies, and organizations in other markets. A fleet of 2,600 servers is exposing an abusable system test facility in the software to the Internet through UDP port 10074, in a break with manufacturer recommendations that the tests be reachable only internally.

    The current DDoS records stand at about 3.47 terabits per second for volumetric attacks and roughly 809 million packets per second for exhaustion forms. Volumetric DDoSes work by consuming all available bandwidth either inside the targeted network or service or get between the target and the rest of the Internet. Exhaustion DDoSes, by contrast, over-exert a server.

    The new amplification vector provided by the misconfigured Mitel servers has the potential to shatter those records. The vector can do this not only because of the unprecedented 4 billion-fold amplification potential, but also because the Mitel systems can stretch out the attacks for lengths of time not previously possible.

    “This particular attack vector differs from most UDP reflection/amplification attack methodologies in that the exposed system test facility can be abused to launch a sustained DDoS attack of up to 14 hours in duration by means of a single spoofed attack initiation packet, resulting in a record-setting packet amplification ratio of 4,294,967,296:1,” researchers from eight organizations wrote in a joint advisory. “A controlled test of this DDoS attack vector yielded more than 400mpps of sustained DDoS attack traffic.”

    Reply
  21. Tomi Engdahl says:

    In-the-wild DDoS attack can be launched from a single packet to create terabytes of traffic
    https://www.zdnet.com/article/in-the-wild-ddos-attack-can-be-launched-from-a-single-packet-to-create-terabytes-of-traffic/
    A test mode that shouldn’t be exposed to the internet from a PBX-to-internet gateway responsible for amplification ratio of 4,294,967,296 to 1.
    Security researchers from Akamai, Cloudflare, Lumen Black Lotus Labs, Mitel, Netscout, Team Cymru, Telus, and The Shadowserver Foundation have disclosed denial-of-service attacks with an amplification ratio that surpasses 4 billion to one that can be launched from a single packet.
    Dubbed CVE-2022-26143, the flaw resides in around 2,600 incorrectly provisioned Mitel MiCollab and MiVoice Business Express systems that act as PBX-to-internet gateways and have a test mode that should not be exposed to the internet.
    “The exposed system test facility can be abused to launch a sustained DDoS attack of up to 14 hours in duration by means of a single spoofed attack initiation packet, resulting in a record-setting packet amplification ratio of 4,294,967,296:1,” a blog post on Shadowserver explains.
    CVE-2022-26143: TP240PhoneHome Reflection/Amplification DDoS Attack Vector
    https://www.shadowserver.org/news/cve-2022-26143-tp240phonehome-reflection-amplification-ddos-attack-vector/
    A new reflection/amplification distributed denial-of-service (DDoS) vector with a record-breaking potential amplification ratio of 4,294,967,296:1 has been abused by attackers in the wild to launch multiple high-impact DDoS attacks.
    Security researchers, network operators, and security vendors observed these attacks and formed a task force to investigate the new DDoS vector and provide mitigation guidance.
    Approximately 2,600 Mitel MiCollab and MiVoice Business Express collaboration systems acting as PBX-to-Internet gateways were incorrectly deployed with an abusable system test facility exposed to the public Internet.
    Attackers were actively leveraging these systems to launch reflection/amplification DDoS attacks of more than 53 million packets per second (mpps). With optimal attack tuning, the potential traffic yield for this DDoS vector is significantly higher.
    Attacks have been observed on broadband access ISPs, financial institutions, logistics companies, gaming companies, and organizations in other vertical markets.

    Reply
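As an added defensive example for the TP240PhoneHome items above (not code from the advisories or articles), the following Python script applies their description of the vector to flow records: internal hosts that receive UDP/10074 from the Internet are reported as exposed, and hosts that answer such a packet with a flood toward an external address are reported as abused reflectors. The flow records, the 192.0.2.0/24 "internal" network and the ratio threshold are constructed for the example.

```python
"""Spot exposed Mitel TP240 test facilities (UDP/10074) and ones already being
abused as DDoS reflectors, using flow records.

Heuristic taken from the advisories quoted above: one inbound spoofed packet to
UDP/10074 triggers a long stream of outbound packets from that port back to the
spoofed "source", so an abused reflector shows an outbound/inbound packet ratio
far above 1 toward an external address.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

TP240_PORT = 10074      # UDP port named in the advisories
RATIO_THRESHOLD = 100   # constructed threshold; ordinary UDP exchanges sit near 1:1


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str   # "udp" or "tcp"
    packets: int


# Constructed sample flow records using RFC 5737 documentation addresses.
SAMPLE_FLOWS = [
    Flow("203.0.113.5", 40001, "192.0.2.10", TP240_PORT, "udp", 1),        # spoofed trigger
    Flow("192.0.2.10", TP240_PORT, "203.0.113.5", 40001, "udp", 120000),   # reflected flood
    Flow("198.51.100.7", 51515, "192.0.2.20", 53, "udp", 3),               # ordinary DNS query
    Flow("192.0.2.20", 53, "198.51.100.7", 51515, "udp", 3),               # ordinary DNS reply
    Flow("192.0.2.30", 50000, "192.0.2.10", TP240_PORT, "udp", 2),         # internal test use
    Flow("192.0.2.10", TP240_PORT, "192.0.2.30", 50000, "udp", 200),       # internal, not flagged
]


def exposed_tp240_hosts(flows, internal_net):
    """Internal hosts that receive any external UDP/10074 traffic at all: even
    before a flood is seen, the test facility is reachable from the Internet."""
    net = ipaddress.ip_network(internal_net)
    return sorted({
        f.dst for f in flows
        if f.proto == "udp" and f.dport == TP240_PORT
        and ipaddress.ip_address(f.dst) in net
        and ipaddress.ip_address(f.src) not in net
    })


def find_tp240_reflectors(flows, internal_net, ratio_threshold=RATIO_THRESHOLD):
    """Return {host: {"external_peers", "packets_out", "ratio"}} for internal
    hosts answering external UDP/10074 triggers with a flood of packets."""
    net = ipaddress.ip_network(internal_net)

    def is_internal(addr):
        return ipaddress.ip_address(addr) in net

    pkts_in = defaultdict(int)   # (host, external peer) -> packets into port 10074
    pkts_out = defaultdict(int)  # (host, external peer) -> packets out of port 10074
    for f in flows:
        if f.proto != "udp":
            continue
        if f.dport == TP240_PORT and is_internal(f.dst) and not is_internal(f.src):
            pkts_in[(f.dst, f.src)] += f.packets
        elif f.sport == TP240_PORT and is_internal(f.src) and not is_internal(f.dst):
            pkts_out[(f.src, f.dst)] += f.packets

    report = {}
    for (host, peer), out in pkts_out.items():
        # A flood with no matching inbound packet is treated as 1 trigger packet.
        ratio = out / max(pkts_in.get((host, peer), 0), 1)
        if ratio >= ratio_threshold:
            entry = report.setdefault(host, {"external_peers": 0, "packets_out": 0, "ratio": 0.0})
            entry["external_peers"] += 1
            entry["packets_out"] += out
            entry["ratio"] = max(entry["ratio"], ratio)
    return report


if __name__ == "__main__":
    print("exposed:", exposed_tp240_hosts(SAMPLE_FLOWS, "192.0.2.0/24"))
    print("abused:", find_tp240_reflectors(SAMPLE_FLOWS, "192.0.2.0/24"))
```

The advisories' own mitigation is simpler than any detection: the test facility should only be reachable internally, so any host the first function reports needs its UDP/10074 exposure removed regardless of whether a flood has been seen.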
  22. Tomi Engdahl says:

    The freight logs of two major Chinese shipping ports have been leaking data, a problem which if left unresolved could disrupt the supply chain of up to 70,000 tonnes of cargo a day, with potentially serious consequences for international shipping.

    Open Database Leaves Major Chinese ports Exposed to Shipping Chaos
    https://www.realinfosec.net/cybersecurity-news/opendatabase-chinese-ports-exposed/?amp=1

    Reply
  23. Tomi Engdahl says:

    Threat Advisory: Opportunistic cyber criminals take advantage of Ukraine invasion https://blog.talosintelligence.com/2022/03/ukraine-invasion-scams-malware.html
    Since the beginning of the war in Ukraine, we have observed threat actors using email lures with themes related to the conflict, including humanitarian assistance and various types of fundraising.
    This activity has been increasing since the end of February.

    Reply
  24. Tomi Engdahl says:

    Automotive giant Denso confirms hack, Pandora ransomware group takes credit https://www.zdnet.com/article/automotive-giant-denso-reveals-hack-pandora-ransomware-group-takes-credit/
    Denso has confirmed a cyberattack impacting the firm’s German operations. The company is a global supplier of automotive components, including those developed for autonomous vehicle features, connectivity, and mobility services. Denso says that its technologies are used in “almost all vehicles around the globe.” Clients include Toyota, Honda, General Motors, and Ford. Consolidated revenue in the 2020-2021 fiscal year was reported as $44.6 billion.

    Reply
  25. Tomi Engdahl says:

    Researchers Find New Evidence Linking Kwampirs Malware to Shamoon APT Hackers https://thehackernews.com/2022/03/researchers-find-new-evidence-linking.html
    New findings released last week showcase the overlapping source code and techniques between the operators of Shamoon and Kwampirs, indicating that they “are the same group or really close collaborators.” “Research evidence shows identification of co-evolution between both Shamoon and Kwampirs malware families during the known timeline,” Pablo Rincón Crespo of Cylera Labs said. “If Kwampirs is based on the original Shamoon, and Shamoon 2 and 3 campaign code is based on Kwampirs, then the authors of Kwampirs would be potentially the same as the authors of Shamoon, or must have a very strong relationship, as has been seen over the course of many years,” Rincón Crespo added.
    https://resources.cylera.com/new-evidence-linking-kwampirs-malware-to-shamoon-apts

    Reply
  26. Tomi Engdahl says:

    Valorant aimbot hack lures the unwary into malware infection https://grahamcluley.com/valorant-aimbot-hack-lures-the-unwary-into-malware-infection/
    According to the security researchers, malware has been distributed via descriptions in a YouTube video related to the Valorant first person shooter game. The video’s description cheekily advises users to disable their anti-virus software before downloading the cheat (boy the things people will do if they think it will improve their aim in a video game.)

    Reply
  27. Tomi Engdahl says:

    QNAP warns severe Linux bug affects most of its NAS devices https://www.bleepingcomputer.com/news/security/qnap-warns-severe-linux-bug-affects-most-of-its-nas-devices/
    Taiwanese hardware vendor QNAP warns most of its Network Attached Storage (NAS) devices are impacted by a high severity Linux vulnerability dubbed ‘Dirty Pipe’ that allows attackers with local access to gain root privileges. “Currently there is no mitigation available for this vulnerability. We recommend users to check back and install security updates as soon as they become available.” also:
    https://www.qnap.com/en-us/security-advisory/qsa-22-05

    Reply
  28. Tomi Engdahl says:

    China claims it has captured NSA NOPEN cyber-weapon https://www.theregister.com/2022/03/14/china_nsa_nopen/
    China claims it has obtained a sample of malware used by the NSA to steal files, monitor and redirect network traffic, and remotely control computers to spy on foreign targets. The software nasty, dubbed NOPEN, is built to commandeer selected Unix and Linux systems, according to Chinese Communist Party tabloid Global Times, which cites a report it obtained exclusively from the National Computer Virus Emergency Response Center. While it’s not out of the ordinary for Beijing to accuse Washington of cyber espionage and related attacks, NOPEN wouldn’t be the first time that NSA-developed offense code landed in the wrong hands. Perhaps the most infamous example of this is the WannaCry ransomware attack in 2017, which used the NSA’s EternalBlue tool to exploit a vulnerability in Microsoft’s SMB file sharing services.

    Reply
  29. Tomi Engdahl says:

    Is this SID taken? Varonis Threat Labs Discovers Synthetic SID Injection Attack https://www.varonis.com/blog/synthetic-sid
    Varonis Threat Labs researchers have discovered a technique where threat actors with existing high privileges can inject synthetic SIDs into an Active Directory Access Control List (ACL). This creates a scenario where backdoors and hidden permission grants can occur when a new account is created with a matching legitimate SID.

    Reply
  30. Tomi Engdahl says:

    Secure your healthcare devices with Microsoft Defender for IoT and HCL’s CARE https://www.microsoft.com/security/blog/2022/03/14/secure-your-healthcare-devices-with-microsoft-defender-for-iot-and-hcls-care/
    Recently, Microsoft and global technology services firm HCL Technologies teamed up to help solve the security challenge with a high-performance solution for medical devices. The result is a new reference architecture and platform for building secure medical devices and services based on HCL’s Connected Assets in Regulated Environment (CARE), Microsoft Defender for IoT, and Azure IoT. By freeing medical device manufacturers from the need to build security solutions and cloud services, this new platform will enable them to focus on their own core mission and strengths, which are healthcare-related innovation and patient care, even as they build new, better, and more secure medical devices.

    Reply
  31. Tomi Engdahl says:

    Stay Alert of Facebook Credential Stealer Applications Stealing User’s Credentials https://blogs.quickheal.com/stay-alert-of-facebook-credential-stealer-applications-stealing-users-credentials/
    Social media credentials are always a lucrative thing for threat actors. They use various techniques to get them. Some use overlays with fake user interfaces, some use key-logging, and some use simple social engineering to trap users. Another technique threat actors have used in the recent past is JavaScript code injection in WebView to steal Facebook credentials. The script directly hijacked the entered Facebook login credentials. In Jan 2022, Quick Heal Security Labs saw many Facebook credential stealer applications on Google Play Store, which use different techniques to hide their JavaScript code. Android researchers named the Facebook credential stealer “Facestealer.”

    Reply
  32. Tomi Engdahl says:

    New Linux Bug in Netfilter Firewall Module Lets Attackers Gain Root Access https://thehackernews.com/2022/03/new-linux-bug-in-netfilter-firewall.html
    A newly disclosed security flaw in the Linux kernel could be leveraged by a local adversary to gain elevated privileges on vulnerable systems to execute arbitrary code, escape containers, or induce a kernel panic. also:
    https://nickgregory.me/linux/security/2022/03/12/cve-2022-25636/

    Reply
  33. Tomi Engdahl says:

    NASA in ‘serious jeopardy’ due to big black hole in security
    https://www.theregister.com/2022/03/15/nasa_insider_threat_audit/

    An audit of NASA’s infosec preparedness against insider threats has warned it faces “serious jeopardy to operations” due to lack of protection for Unclassified information.

    A Monday report [PDF] found that NASA has done well, as required, in its efforts to defend and prevent insider threats to Classified information – stuff that NASA defines as “Official information regarding the national security that has been designated Confidential, Secret, or Top Secret.”

    Auditor finds space agency defends Classified info well, isn’t paying attention to valuable Unclassified data

    But while the report is satisfied NASA has done well to protect its Classified info, it notes that “the vast majority” of NASA tech is not Classified, including plenty of “high-value assets and critical infrastructure.” Among those assets are “sensitive and valuable information such as scientific, engineering, or research data; human resources files; or procurement sensitive information.” Because that infrastructure is not classified, it’s not covered by the insider threat program.

    Reply
  34. Tomi Engdahl says:

    Hackers Target German Branch of Russian Oil Giant Rosneft
    https://www.securityweek.com/hackers-target-german-branch-russian-oil-giant-rosneft

    The German subsidiary of Russian energy giant Rosneft has been hit by a cyberattack, the Federal Office for Information Security (BSI) said on Monday, with hacker group Anonymous claiming responsibility.

    Rosneft Deutschland reported the incident in the early hours of Saturday morning, the BSI said.

    Anonymous had published a statement on Friday claiming responsibility for the attack and saying it had captured 20 terabytes of data.

    Prosecutors in Berlin have opened an investigation, according to a report in Der Spiegel magazine.

    Reply
  35. Tomi Engdahl says:

    Critical Vulnerabilities Patched in Veeam Data Backup Solution
    https://www.securityweek.com/critical-vulnerabilities-patched-veeam-data-backup-solution

    Veeam over the weekend announced patches for two critical vulnerabilities impacting Backup & Replication, a backup solution for virtual environments.

    The application provides data backup and restore capabilities for virtual machines running on Hyper-V, vSphere, and Nutanix AHV, as well as for servers and workstations, and for cloud-based workloads.

    Tracked as CVE-2022-26500 and CVE-2022-26501 (CVSS score of 9.8), the two security holes could be exploited to execute code remotely, without authentication.

    The flaws were identified in the Veeam Distribution Service, which by default listens to TCP port 9380 and allows even unauthenticated users to access internal API functions.

    Reply
  36. Tomi Engdahl says:

    Car Parts Giant Denso Targeted by Ransomware Group
    https://www.securityweek.com/car-parts-giant-denso-targeted-ransomware-group

    Japanese car parts giant Denso on Monday said hackers recently accessed its network in Germany, and the incident appears to have involved a piece of ransomware.

    Denso, one of the world’s largest technology and component providers for the automotive industry, said its network was illegally accessed on March 10.

    The Fortune Global 500 company shut down the network connections of compromised devices after detecting the breach. The incident has not led to disruption of production activities, with plants operating normally, Denso said.

    While the company has not shared any information about the attackers, a cybercrime group named Pandora has taken credit for the attack, claiming to have stolen 1.4 Tb of data.

    Reply
  37. Tomi Engdahl says:

    Apple Patch Day: Gaping Security Holes in iOS, macOS, iPadOS
    https://www.securityweek.com/apple-patch-day-gaping-security-holes-ios-macos-ipados

    Apple on Monday released fixes for at least 39 security defects in its flagship iOS/iPadOS platform, warning that the most serious of the flaws could expose users to remote code execution attacks.

    In addition to the mobile OS security makeovers, Apple released software updates to address security vulnerabilities in macOS (Catalina, Big Sur, Monterey included), tvOS, WatchOS, iTunes and Xcode.

    At least five of the 39 documented iOS/iPad vulnerabilities could lead to remote code execution attacks if an iPhone user opens a malicious PDF file or views malicious web content.

    Reply
  38. Tomi Engdahl says:

    Multiple Security Flaws Discovered in Popular Software Package Managers
    https://thehackernews.com/2022/03/multiple-security-flaws-discovered-in.html

    Multiple security vulnerabilities have been disclosed in popular package managers that, if potentially exploited, could be abused to run arbitrary code and access sensitive information, including source code and access tokens, from compromised machines.

    It’s, however, worth noting that the flaws require the targeted developers to handle a malicious package in conjunction with one of the affected package managers.

    But the newly discovered issues in various package managers highlight that they could be weaponized by attackers to trick victims into executing malicious code. The flaws have been identified in the following package managers –

    Composer 1.x < 1.10.23 and 2.x < 2.1.9
    Bundler < 2.2.33
    Bower < 1.8.13
    Poetry < 1.1.9
    Yarn < 1.22.13
    pnpm < 6.15.1
    Pip (no fix), and
    Pipenv (no fix)

    Chief among the weaknesses is a command injection flaw in Composer's browse command that could be abused to achieve arbitrary code execution by inserting a URL to an already published malicious package.

    Reply
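    The Composer weakness above is an instance of a general bug class: a package URL or name that came from a manifest or registry is attacker-influenced input, and splicing it into a shell command string lets that input become commands. The following is an added example, not Composer's code, showing the hardened shape: validate the URL strictly and pass it to the opener as a single argv element so no shell ever parses it. The opener program name is assumed for the example.

```python
"""Hardened handling of a package URL before it reaches an external command.

Added example for the command-injection class described above; this is not
Composer's code. A URL read from a manifest or registry must not be spliced
into a shell string. The opener program name is assumed for the example.
"""
import subprocess
from typing import List
from urllib.parse import urlsplit

# Deliberately stricter than RFC 3986: any character a POSIX shell could
# interpret is rejected outright, so even a mistaken shell=True downstream
# has nothing to work with.
_SHELL_META = set(";|&`$<>\"'\\(){}* \t\n\r")


class UnsafePackageUrl(ValueError):
    """Raised when a URL fails the checks in validate_browse_url()."""


def validate_browse_url(url: str) -> str:
    """Return url unchanged if it is a plain http(s) URL with no shell-significant characters."""
    if not isinstance(url, str) or not url:
        raise UnsafePackageUrl("empty URL")
    if any(ch in _SHELL_META or ord(ch) < 0x20 for ch in url):
        raise UnsafePackageUrl("shell metacharacter or control byte in URL")
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise UnsafePackageUrl(f"not an http(s) URL: {url!r}")
    return url


def is_safe_browse_url(url: str) -> bool:
    """Boolean form of validate_browse_url() for callers that only need a verdict."""
    try:
        validate_browse_url(url)
        return True
    except UnsafePackageUrl:
        return False


def build_open_command(url: str, opener: str = "xdg-open") -> List[str]:
    """argv for the opener. List form: the URL is one argument and is never shell-parsed."""
    return [opener, validate_browse_url(url)]


def open_in_browser(url: str, opener: str = "xdg-open", run=subprocess.run):
    """Launch the opener. `run` is injectable so the path can be exercised without a browser."""
    return run(build_open_command(url, opener), check=True)


if __name__ == "__main__":
    for candidate in (
        "https://packagist.org/packages/vendor/pkg",    # accepted
        "https://example.invalid/pkg; echo injected",   # rejected: ';' and space
        "file:///etc/hosts",                            # rejected: scheme
        "https://",                                     # rejected: no host
    ):
        print(f"{candidate!r}: {'ok' if is_safe_browse_url(candidate) else 'REJECTED'}")
```

    The two controls are independent and both matter: the argv list removes the shell from the picture, and the strict character set means that even a future refactor back to a shell string would fail closed on hostile input rather than execute it.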
  39. Tomi Engdahl says:

    VPN provider bans BitTorrent after getting sued by film studios
    https://www.bleepingcomputer.com/news/security/vpn-provider-bans-bittorrent-after-getting-sued-by-film-studios/

    “No logs” VPN provider TorGuard has reached a legal settlement this month with over two dozen movie studios that sued the company for encouraging piracy and copyright infringement.

    In the settlement, TorGuard has agreed to block BitTorrent traffic for its users.

    Reply
  40. Tomi Engdahl says:

    Germany warns about a popular antivirus program – ”All users are at risk” https://www.is.fi/digitoday/tietoturva/art-2000008683326.html

    Reply
  41. Tomi Engdahl says:

    Apple Updates Everything: MacOS 12.3, XCode 13.3, tvOS 15.4, watchOS 8.5, iPadOS 15.4 and more https://isc.sans.edu/forums/diary/Apple+Updates+Everything+MacOS+123+XCode+133+tvOS+154+watchOS+85+iPadOS+154+and+more/28438/
    Apple today released one of its massive “surprise” updates for all of its operating systems. This includes updates for Safari as well as stand-alone security updates for older operating systems like macOS Big Sur and Catalina. As so often, this also includes feature updates for the respective operating systems. For more details, see Apple’s security update page: https://support.apple.com/en-us/HT201222

    Reply
  42. Tomi Engdahl says:

    Fake antivirus updates used to deploy Cobalt Strike in Ukraine https://www.bleepingcomputer.com/news/security/fake-antivirus-updates-used-to-deploy-cobalt-strike-in-ukraine/
    Ukraine’s Computer Emergency Response Team is warning that threat actors are distributing fake Windows antivirus updates that install Cobalt Strike and other malware. The phishing emails impersonate Ukrainian government agencies offering ways to increase network security and advise recipients to download “critical security updates,” which come in the form of a 60 MB file named “BitdefenderWindowsUpdatePackage.exe.”

    Reply
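    The lure above has a shape that is easy to hunt for: an executable whose file name claims to be a security vendor's update, fetched from a host that is not the vendor's. The following is an added example, not CERT-UA's or any vendor's tooling, that runs that check over constructed web-proxy log lines. The log format (timestamp, client, host, path, bytes) and the vendor domain allow-lists are assumptions for the example.

```python
"""Flag executable downloads whose file name impersonates a security vendor.

Added example for the lure described above; it is not CERT-UA tooling. It
parses constructed web-proxy log lines in an assumed format
("timestamp client host path bytes") and reports executables named after a
vendor's update but fetched from a host outside that vendor's domains. The
vendor domain lists are placeholders for the example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Placeholder allow-lists (assumption): populate from vendor documentation.
VENDOR_DOMAINS = {
    "bitdefender": {"bitdefender.com", "bitdefender.net"},
    "kaspersky": {"kaspersky.com"},
    "eset": {"eset.com"},
}
EXEC_EXTENSIONS = (".exe", ".msi", ".scr", ".bat", ".ps1")

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<host>\S+) (?P<path>\S+) (?P<size>\d+)$")

# Constructed sample: one legitimate vendor download, one non-executable,
# and two lure-style downloads (the second mimics the 60 MB file in the report).
SAMPLE_LOG = [
    "2022-03-15T09:12:01Z 10.0.0.14 update.bitdefender.com /pkg/BitdefenderUpdate.exe 41200000",
    "2022-03-15T09:15:44Z 10.0.0.27 files.example-lure.invalid /dl/BitdefenderWindowsUpdatePackage.exe 62914560",
    "2022-03-15T09:16:02Z 10.0.0.27 files.example-lure.invalid /dl/readme.txt 2048",
    "2022-03-15T09:20:10Z 10.0.0.31 cdn.somecompany.invalid /setup/EsetSecurityUpdate.msi 5000000",
]


@dataclass
class Finding:
    ts: str
    client: str
    host: str
    filename: str
    vendor: str
    size_mb: float


def filename_from_path(path: str) -> str:
    """Last path segment with any query string removed."""
    return path.rsplit("/", 1)[-1].split("?", 1)[0]


def vendor_from_filename(name: str) -> Optional[str]:
    """Vendor whose name the file claims, if the name also says 'update'."""
    low = name.lower()
    for vendor in VENDOR_DOMAINS:
        if vendor in low and "update" in low:
            return vendor
    return None


def host_belongs_to(host: str, vendor: str) -> bool:
    """True if host is the vendor's domain or a subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in VENDOR_DOMAINS[vendor])


def detect(lines: List[str]) -> List[Finding]:
    """Return one Finding per executable that claims a vendor but comes from elsewhere."""
    findings: List[Finding] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line; a production version would count these
        name = filename_from_path(m["path"])
        if not name.lower().endswith(EXEC_EXTENSIONS):
            continue
        vendor = vendor_from_filename(name)
        if vendor is None or host_belongs_to(m["host"], vendor):
            continue
        findings.append(Finding(m["ts"], m["client"], m["host"], name, vendor,
                                round(int(m["size"]) / (1024 * 1024), 1)))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f.ts} {f.client} fetched {f.filename} ({f.size_mb} MB) "
              f"claiming {f.vendor} from non-vendor host {f.host}")
```

    The rule is deliberately narrow (vendor name plus the word "update" in an executable's name) to keep false positives low; widening it to any vendor-named executable trades precision for recall, which is a tuning decision for the environment it runs in.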
  43. Tomi Engdahl says:

    Germany warns about a popular antivirus program – “All users are at risk”
    https://www.is.fi/digitoday/tietoturva/art-2000008683326.html
    Germany’s information security authority BSI (Bundesamt für Sicherheit in der Informationstechnik) warns against the products of the Russian security company Kaspersky Lab. In its press release, BSI urges replacing Kaspersky products with those of other security vendors. BSI points out that security products and the cloud services tied to them require very far-reaching privileges on the systems they run on. In addition, they are in constant contact with Kaspersky’s servers abroad, and there is no certainty about what data moves over that connection. In this way, security software can pose a significant threat to the very system it is meant to protect. Press release:
    https://www.bsi.bund.de/DE/Service-Navi/Presse/Pressemitteilungen/Presse2022/220315_Kaspersky-Warnung.html

    Reply
  44. Tomi Engdahl says:

    Massive DDoS Attack Knocked Israeli Government Websites Offline https://thehackernews.com/2022/03/massive-ddos-attack-knocked-israeli.html
    A number of websites belonging to the Israeli government were felled in a distributed denial-of-service (DDoS) attack on Monday, rendering the portals inaccessible for a short period of time.

    Reply
