Cyber security news March 2022

This posting is here to collect cyber security news in March 2022.

I post links to security vulnerability news in the comments of this article.

You are also free to post related links to comments.

888 Comments

  1. Tomi Engdahl says:

    The Finnish financial sector’s capital adequacy provides a buffer against the weakened economic outlook – preparing for heightened risks is important
    https://www.sttinfo.fi/tiedote/suomen-finanssisektorin-vakavaraisuus-antaa-puskuria-kohdata-heikentyneet-talousnakymat—kohonneisiin-riskeihin-varautuminen-on-tarkeaa?publisherId=69817444&releaseId=69935060
    Russia’s attack on Ukraine has also increased the risks to the Finnish financial sector in ways that are hard to predict. Strong capital adequacy provides a buffer against a deterioration of the operating environment. However, operators must prepare for the increased risks brought by both the weakening economic outlook and the heightened threat of cyberattacks.

    Banks on alert for Russian reprisal cyberattacks on Swift https://arstechnica.com/information-technology/2022/03/banks-on-alert-for-russian-reprisal-cyberattacks-on-swift/
    Big banks fear that Swift faces a growing threat of Russian cyberattacks after seven of the country’s lenders were kicked off the global payments messaging system over the weekend.

    Reply
  2. Tomi Engdahl says:

    cr8escape: Zero-day in CRI-O Container Engine Discovered by CrowdStrike (CVE-2022-0811) https://www.crowdstrike.com/blog/cr8escape-zero-day-vulnerability-discovered-in-cri-o-container-engine-cve-2022-0811/
    CrowdStrike’s Cloud Threat Research team discovered a zero-day vulnerability (CVE-2022-0811) in CRI-O (a container runtime engine underpinning Kubernetes). Dubbed “cr8escape,” when invoked, an attacker could escape from a Kubernetes container and gain root access to the host and be able to move anywhere in the cluster. Invocation of CVE-2022-0811 can allow an attacker to perform a variety of actions on objectives, including execution of malware, exfiltration of data and lateral movement across pods.

    Reply
  3. Tomi Engdahl says:

    Stop Neglecting Your Cloud Security Features: Check Point Research Found Thousands of Open Cloud Databases Exposing Data in the Wild https://blog.checkpoint.com/2022/03/15/stop-neglecting-your-cloud-security-features-check-point-research-found-thousands-of-open-cloud-databases-exposing-data-in-the-wild/
    Check Point Research (CPR) warns against bad practices in cloud-based application development that could lead to serious security breaches.
    Thousands of new applications every month have their Firebase databases open, leaving data exposed.

    Reply
  4. Tomi Engdahl says:

    CaddyWiper: Another Destructive Wiper Malware Targeting Ukraine
    https://www.securityweek.com/caddywiper-another-destructive-wiper-malware-targeting-ukraine

    ESET’s security researchers have identified another data wiper targeting Ukrainian organizations, the third destructive malware identified since Russia began its invasion of the country.

    Dubbed CaddyWiper, the threat does not show significant code similarities with known malware families, and has been used only against a small number of organizations.

    CaddyWiper, ESET explains, erases user data and partition information, but does not destroy the information stored on domain controllers, thus allowing the attackers to maintain access to the compromised networks.

    The newly identified malware is being deployed via default domain policy (GPO), which suggests that the attackers had access to the compromised network prior to executing the malware.

    According to ESET, only “a few dozen systems in a limited number of organizations” have been infected with CaddyWiper. The malware is not signed and appears to have been compiled the same day it was deployed and executed, the cybersecurity firm says.

    CaddyWiper: New wiper malware discovered in Ukraine
    This is the third time in as many weeks that ESET researchers have spotted previously unknown data wiping malware taking aim at Ukrainian organizations
    https://www.welivesecurity.com/2022/03/15/caddywiper-new-wiper-malware-discovered-ukraine/

    Reply
  5. Tomi Engdahl says:

    Thousands of Secret Keys Found in Leaked Samsung Source Code
    https://www.securityweek.com/thousands-secret-keys-found-leaked-samsung-source-code

    An analysis of the recently leaked Samsung source code revealed that thousands of secret keys have been exposed, including many that could be highly useful to malicious actors.

    The analysis was conducted by GitGuardian, a company that specializes in Git security scanning and secrets detection. The firm’s researchers looked at the source code leaked recently by a cybercrime group calling itself Lapsus$.

    The hackers claim to have breached several major companies in the past weeks, including NVIDIA, Samsung, Ubisoft and Vodafone. In many cases they appear to have obtained source code belonging to the victims, some of which has been made public.

    In the case of Samsung, the cybercriminals claim to have stolen 190 Gb of data and the tech giant has confirmed that the compromised information included source code related to Galaxy devices.

    GitGuardian’s analysis of the leaked Samsung source code led to the discovery of more than 6,600 secret keys, including private keys, usernames and passwords, AWS keys, Google keys, and GitHub keys.

    A few months ago, GitGuardian also analyzed the source code leaked from Amazon-owned live streaming service Twitch, from which hackers obtained and made public roughly 6,000 internal Git repositories.

    Reply
  6. Tomi Engdahl says:

    Over 200 Organizations Take Part in CISA’s Cyber Storm Exercise
    https://www.securityweek.com/over-200-organizations-take-part-cisas-cyber-storm-exercise

    The Cybersecurity and Infrastructure Security Agency (CISA) last week hosted Cyber Storm VIII, a three-day national cyber exercise whose goal was to test preparedness to a cyber-crisis impacting critical infrastructure.

    More than 2,000 participants from government, private sector, and international organizations helped evaluate cybersecurity preparedness and incident response and identify opportunities for information sharing.

    During the cyber exercise, participants can simulate the process of discovering and responding to a widespread coordinated cyberattack. The scenario used at Cyber Storm VIII combined operational and traditional enterprise systems targeted in attacks such as ransomware and data exfiltration.

    Through Cyber Storm, CISA is working with the nation’s critical infrastructure stakeholders to ensure the continuous assessment and strengthening of cyber resilience, with a focus on critical infrastructure.

    Reply
  7. Tomi Engdahl says:

    High-Severity DoS Vulnerability Patched in OpenSSL
    https://www.securityweek.com/high-severity-dos-vulnerability-patched-openssl

    OpenSSL updates announced on Tuesday patch a high-severity denial-of-service (DoS) vulnerability related to certificate parsing.

    The flaw, tracked as CVE-2022-0778, was reported to the OpenSSL Project by Google vulnerability researcher Tavis Ormandy.

    The security hole affects OpenSSL versions 1.0.2, 1.1.1 and 3.0, and it has been fixed with the release of versions 1.0.2zd (for premium support customers), 1.1.1n and 3.0.2. Version 1.1.0 is also impacted, but it’s no longer supported and will not receive a patch.

    Exploitation of the vulnerability is possible in certain situations, and it can lead to a DoS attack against a process that parses externally supplied certificates.

    “The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli,” the OpenSSL Project explained in its advisory. “Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form.”

    “It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters,” the advisory reads.

    CVE-2022-0778 is the second OpenSSL vulnerability patched in 2022 — a moderate-severity issue was fixed in January.

    Reply
  8. Tomi Engdahl says:

    Over 2,000 mobile app databases found unprotected
    https://etn.fi/index.php/13-news/13304-yli-2000-mobiilisovellusten-tietokantaa-loeytyi-suojaamattomana

    Security company Check Point Research has studied how well the databases created by mobile apps are protected. The result is, as expected, dismal. CPR found the databases of over 2,000 apps unprotected and accessible to anyone with a browser.

    CPR says that a search on “VirusTotal” found a total of 2,113 mobile apps whose databases were unprotected in the cloud. The research period was three months. The apps’ download counts ranged between 10,000 and 10 million, so the set included very popular apps.

    Very sensitive data could be read from the databases with a browser: photos of users’ families, tokens of healthcare apps, data of cryptocurrency exchange platforms and much more. CPR provides several examples of apps whose data was found exposed.

    Reply
  9. Tomi Engdahl says:

    Sergiu Gatlan / BleepingComputer:
    The FBI and CISA warn that Russian state-sponsored hackers accessed an unnamed NGO’s network by exploiting default MFA protocols and the PrintNightmare flaw — The FBI says Russian state-backed hackers gained access to a non-governmental organization (NGO) cloud after enrolling their own device …

    FBI warns of MFA flaw used by state hackers for lateral movement
    https://www.bleepingcomputer.com/news/security/fbi-warns-of-mfa-flaw-used-by-state-hackers-for-lateral-movement/

    The FBI says Russian state-backed hackers gained access to a non-governmental organization (NGO) cloud after enrolling their own device in the organization’s Duo MFA following the exploitation of misconfigured default multifactor authentication (MFA) protocols.

    To breach the network, they used credentials compromised in a brute-force password guessing attack to access an un-enrolled and inactive account, not yet disabled in the organization’s Active Directory.

    “As Duo’s default configuration settings allow for the re-enrollment of a new device for dormant accounts, the actors were able to enroll a new device for this account, complete the authentication requirements, and obtain access to the victim network,” the federal agencies explained.

    Reply
  10. Tomi Engdahl says:

    Margaret Harding McGill / Axios:
    With Congress divided over passing a national privacy law, tech industry groups are lobbying Utah and other states to pass privacy laws weaker than California’s — The tech industry is lobbying statehouses across the country to pass privacy bills that critics call weak.
    https://www.axios.com/techs-state-privacy-law-lobbying-9d7845cc-4fd0-4488-92b8-4e0c9df556ce.html

    Reply
  11. Tomi Engdahl says:

    Huge DDoS attack temporarily kicks Israeli government sites offline http://go.newsfusion.com/security/item/2012073

    Reply
  12. Tomi Engdahl says:

    Nasty Linux netfilter firewall security hole found
    How embarrassing! It turns out there was a security hole lurking in Linux’s netfilter firewall program.
    https://www.zdnet.com/article/nasty-linux-netfilter-firewall-security-hole-found/

    Behind almost all Linux firewalls tools such as iptables; its newer version, nftables; firewalld; and ufw, is netfilter, which controls access to and from Linux’s network stack. It’s an essential Linux security program, so when a security hole is found in it, it’s a big deal.

    This is a serious bug. Specifically, it’s a heap out-of-bounds write problem with the kernel’s netfilter. Gregory said it’s “exploitable to achieve kernel code execution (via ROP [return-oriented programming]), giving full local privilege escalation, container escape, whatever you want.” Yuck!

    This problem exists because netfilter doesn’t handle its hardware offload feature correctly. A local, unprivileged attacker can use this to cause a denial-of-service (DoS), execute arbitrary code, and cause general mayhem. Adding insult to injury, this works even if the hardware being attacked doesn’t have offload functionality! That’s because, as Gregory wrote to a security list, “Despite being in code dealing with hardware offload, this is reachable when targeting network devices that don’t have offload functionality (e.g. lo) as the bug is triggered before the rule creation fails.”

    This vulnerability is present in the Linux kernel versions 5.4 through 5.6.10. It’s listed as Common Vulnerabilities and Exposures CVE-2022-25636, and with a Common Vulnerability Scoring System (CVSS) score of 7.8, this is a real baddie.

    How bad? In its advisory, Red Hat said, “This flaw allows a local attacker with a user account on the system to gain access to out-of-bounds memory, leading to a system crash or a privilege escalation threat.” So, yes, this is bad.

    Worse still, it affects recent major distribution releases such as Red Hat Enterprise Linux (RHEL) 8.x; Debian Bullseye; Ubuntu Linux, and SUSE Linux Enterprise 15.3. While the Linux kernel netfilter patch has been made, the patch isn’t available yet in all distribution releases.

    If you don’t have a patch yet, you can mitigate the problem in the RHEL family with the commands:

    # echo 0 > /proc/sys/user/max_user_namespaces

    And, in the Debian/Ubuntu family with the command:

    $ sudo sysctl kernel.unprivileged_userns_clone=0

    Reply
  13. Tomi Engdahl says:

    Linux developers patch security holes faster than anyone else, says Google Project Zero
    Linux programmers do a better job of patching security holes than programmers at Apple, Google, and Microsoft.
    https://www.zdnet.com/article/google-project-zero-finds-linux-developers-patch-security-holes-faster-than-anyone-else/

    There’s a lot of FUD about how Linux is being shown recently to be less secure than proprietary systems. That’s nonsense. But, now there are hard facts from Google’s Project Zero, Google’s security research team, showing Linux’s developers do a faster job of fixing security bugs than anyone else, including Google.

    Reply
  14. Tomi Engdahl says:

    Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and “PrintNightmare” Vulnerability
    https://www.cisa.gov/uscert/ncas/alerts/aa22-074a
    As early as May 2021, Russian state-sponsored cyber actors took advantage of a misconfigured account set to default MFA protocols at a non-governmental organization (NGO), allowing them to enroll a new device for MFA and access the victim network. The actors then exploited a critical Windows Print Spooler vulnerability, “PrintNightmare” (CVE-2021-34527) to run arbitrary code with system privileges.

    Reply
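The two FBI/CISA items above (the BleepingComputer write-up and alert AA22-074A) describe one pattern: an account still enabled in AD, idle for months, never enrolled in MFA, so the MFA service treated the attackers as a new user and let them enroll their own device. The check below is an added example, not FBI/CISA or Duo tooling. The AD export and the MFA admin-log events are constructed here with this example's own field names; a real run would feed it an AD export and the MFA vendor's admin log.

```python
"""Hunting for the AA22-074A pattern: dormant, enabled, un-enrolled accounts
and MFA device enrollments on them.  Added example; all data constructed."""
from datetime import datetime, timedelta

NOW = datetime(2022, 3, 16)   # constructed reference time for the example

ACCOUNTS = [   # constructed AD export; last_logon None = never logged on
    {"user": "alice",       "enabled": True,  "last_logon": "2022-03-14T09:00:00", "mfa_enrolled": True},
    {"user": "jsmith-old",  "enabled": True,  "last_logon": "2021-08-01T12:00:00", "mfa_enrolled": False},
    {"user": "contractor7", "enabled": True,  "last_logon": None,                  "mfa_enrolled": False},
    {"user": "bob",         "enabled": False, "last_logon": "2021-01-05T08:00:00", "mfa_enrolled": False},
]

MFA_EVENTS = [   # constructed MFA admin log; field and action names are this example's own
    {"ts": "2022-03-10T02:14:00", "user": "jsmith-old", "action": "device_enrolled"},
    {"ts": "2022-03-11T08:00:00", "user": "alice",      "action": "auth_success"},
]


def dormant_unenrolled(accounts, now=NOW, max_idle_days=90):
    """Enabled accounts with no MFA device that have not logged on within
    max_idle_days (or ever).  These are the accounts to disable before an
    attacker with a guessed password self-enrolls a phone on them."""
    cutoff = now - timedelta(days=max_idle_days)
    risky = set()
    for a in accounts:
        if not a["enabled"] or a["mfa_enrolled"]:
            continue
        last = a["last_logon"]
        if last is None or datetime.fromisoformat(last) < cutoff:
            risky.add(a["user"])
    return risky


def suspicious_enrollments(events, risky_users):
    """Device enrollments on accounts that should not be enrolling anything:
    the signal the NGO in the advisory would have wanted an alert on."""
    return [(e["ts"], e["user"]) for e in events
            if e["action"] == "device_enrolled" and e["user"] in risky_users]


if __name__ == "__main__":
    risky = dormant_unenrolled(ACCOUNTS)
    print(sorted(risky))                              # ['contractor7', 'jsmith-old']
    print(suspicious_enrollments(MFA_EVENTS, risky))  # [('2022-03-10T02:14:00', 'jsmith-old')]
```

The idle threshold is a policy choice; what matters is that the same list drives both the disable-account job and the enrollment alert, so an account cannot sit in the gap between the two.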
  15. Tomi Engdahl says:

    Microsoft Defender tags Office updates as ransomware activity https://www.bleepingcomputer.com/news/security/microsoft-defender-tags-office-updates-as-ransomware-activity/
    Windows admins were hit today by a wave of Microsoft Defender for Endpoint false positives where Office updates were tagged as malicious in alerts pointing to ransomware behavior detected on their systems.
    Following the surge of reports, Microsoft confirmed the Office updates were mistakenly marked as ransomware activity due to false positives.

    Reply
  16. Tomi Engdahl says:

    New Threat: B1txor20, A Linux Backdoor Using DNS Tunnel https://blog.netlab.360.com/b1txor20-use-of-dns-tunneling_en/
    In short, B1txor20 is a Backdoor for the Linux platform, which uses DNS Tunnel technology to build C2 communication channels. In addition to the traditional backdoor functions, B1txor20 also has functions such as opening Socket5 proxy and remotely downloading and installing Rootkit.

    Reply
  17. Tomi Engdahl says:

    Qakbot infection with Cobalt Strike and VNC activity
    https://isc.sans.edu/diary/rss/28448
    On Monday 2022-03-14, I infected a vulnerable Windows host with Qakbot (Qbot) malware. Approximately 17 hours later, the infected host generated traffic for Cobalt Strike and VNC (Virtual Network Computing) activity. Like Cobalt Strike, VNC provides remote access to an infected host. Today’s diary provides a quick review of the infection activity.

    Reply
  18. Tomi Engdahl says:

    Uncovering Trickbot’s use of IoT devices in command-and-control infrastructure https://www.microsoft.com/security/blog/2022/03/16/uncovering-trickbots-use-of-iot-devices-in-command-and-control-infrastructure/
    The Microsoft Defender for IoT research team has recently discovered the exact method through which MikroTik devices are used in Trickbot’s C2 infrastructure. In this blog, we will share our analysis of the said method and provide insights on how attackers gain access to MikroTik devices and use compromised IoT devices in Trickbot attacks.

    Reply
  19. Tomi Engdahl says:

    Android trojan persists on the Google Play Store since January https://www.bleepingcomputer.com/news/security/android-trojan-persists-on-the-google-play-store-since-january/
    Security researchers tracking the mobile app ecosystem have noticed a recent spike in trojan infiltration on the Google Play Store, with one of the apps having over 500,000 installs and available to download.
    Most of these apps belong to a family of trojan malware used in various scams, resulting in financial losses and also loss of sensitive personal information.

    Reply
  21. Tomi Engdahl says:

    Kaspersky complains about ‘political’ German advisory against it https://www.zdnet.com/article/kaspersky-complains-about-political-german-advisory-against-it/
    Kaspersky has responded to an advisory issued against it by the German Federal Office for Information Security (BSI) saying users should replace its products by claiming the warning is politically motivated.
    “We believe this decision is not based on a technical assessment of Kaspersky products — that we continuously advocated for with the BSI and across Europe — but instead is being made on political grounds,” the security company said on Wednesday. “We believe that peaceful dialogue is the only possible instrument for resolving conflicts. War isn’t good for anyone.” Kaspersky statement:
    https://www.kaspersky.com/about/press-releases/2022_kaspersky-statement-regarding-the-bsi-warning

    Reply
  22. Tomi Engdahl says:

    OpenSSL patches crash-me bug triggered by rogue certs https://www.theregister.com/2022/03/15/openssl_bug_dos/
    A bug in OpenSSL certificate parsing leaves systems open to denial-of-service attacks from anyone wielding an explicit curve. This parsing happens prior to verification of the certificate’s signature.
    Slip a bad certificate to any app or server using BN_mod_sqrt() to parse certs, and the software will get caught in the loop and stop working.

    Reply
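Both OpenSSL items above (comments 7 and 22) come down to the same thing: BN_mod_sqrt() implements the Tonelli-Shanks algorithm, whose termination proof assumes the modulus is prime, and a certificate's explicit curve parameters let the peer choose that modulus. The code below is an added example in Python, not OpenSSL's C code: the textbook algorithm with every search loop given an explicit budget and the result verified before it is returned. Which loop runs away depends on the composite modulus; in the test case here it is the non-residue search, and the lesson is that none of them may be left unbounded when the input is untrusted.

```python
"""Bounded Tonelli-Shanks modular square root.  Added example; not OpenSSL code."""


class NonPrimeModulus(Exception):
    """A loop budget was exhausted or the result failed verification."""


class NotASquare(Exception):
    """No root found; for a composite p this verdict itself can be wrong."""


def mod_sqrt(a, p, budget=64):
    """Return x with x*x == a (mod p) for an odd prime p.

    budget caps the non-residue search: for a prime roughly half of all
    candidates qualify, so a few tries suffice.  The main loop is bounded
    by the 2-adic valuation of p-1, as in the textbook algorithm.
    """
    if p < 3 or p % 2 == 0:
        raise ValueError("p must be an odd integer >= 3")
    a %= p
    if a == 0:
        return 0

    # p - 1 = q * 2**e with q odd
    q, e = p - 1, 0
    while q % 2 == 0:
        q //= 2
        e += 1

    # Quadratic non-residue z, i.e. z^((p-1)/2) == -1 (mod p) by Euler's
    # criterion.  For a composite p the criterion may never hold, so this
    # search must not run unbounded.
    z = 2
    while pow(z, (p - 1) // 2, p) != p - 1:
        z += 1
        if z - 2 >= budget:
            raise NonPrimeModulus(f"no non-residue after {budget} tries (p={p})")

    c = pow(z, q, p)
    t = pow(a, q, p)
    r = pow(a, (q + 1) // 2, p)
    m = e
    while t != 1:
        # least i with 0 < i < m and t^(2^i) == 1; one exists when p is prime
        i, t2 = 0, t
        while t2 != 1:
            t2 = t2 * t2 % p
            i += 1
            if i >= m:
                raise NotASquare(f"{a} is not a square mod {p}")
        b = pow(c, 1 << (m - i - 1), p)
        m, c = i, b * b % p
        t = t * c % p
        r = r * b % p

    # Never trust the loop: verify the root before handing it back.
    if r * r % p != a:
        raise NonPrimeModulus(f"bogus root {r} for a={a}, p={p}")
    return r


def sqrt_status(a, p, budget=64):
    """Classify the outcome for untrusted (a, p) without raising."""
    try:
        return ("root", mod_sqrt(a, p, budget))
    except NotASquare:
        return ("not-a-square", None)
    except NonPrimeModulus:
        return ("non-prime", None)


if __name__ == "__main__":
    print(sqrt_status(10, 13))   # ('root', 7): 7*7 = 49 = 10 (mod 13)
    print(sqrt_status(8, 21))    # ('non-prime', None): 21 = 3*7, search never ends
    print(sqrt_status(4, 15))    # ('not-a-square', None), although 2*2 = 4
```

The third case is the quieter failure mode: with 15 = 3*5 every loop terminates, yet the algorithm declares 4 a non-square. A parser that takes a certificate's "prime" at face value can therefore hang, as in CVE-2022-0778, or silently compute nonsense; the final verification step catches the second, the budgets catch the first.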
  23. Tomi Engdahl says:

    Multiple Flaws Uncovered in ClickHouse OLAP Database System for Big Data https://thehackernews.com/2022/03/multiple-flaws-uncovered-in-clickhouse.html
    Researchers have disclosed seven new security vulnerabilities in an open-source database management system solution called ClickHouse that could be weaponized to crash the servers, leak memory contents, and even lead to the execution of arbitrary code. “The vulnerabilities require authentication, but can be triggered by any user with read permissions,” Uriya Yavnieli and Or Peles, researchers from DevSecOps firm JFrog, said in a report published Tuesday. also:
    https://jfrog.com/blog/7-rce-and-dos-vulnerabilities-found-in-clickhouse-dbms/

    Reply
  24. Tomi Engdahl says:

    The Facebook and Instagram scam plaguing Finns has turned really nasty: 3 firm pieces of advice https://www.is.fi/digitoday/tietoturva/art-2000008682389.html
    A LONG-RUNNING campaign to hijack Finns’ Facebook accounts has taken a turn for the worse. According to the National Cyber Security Centre, which operates under the Finnish Transport and Communications Agency Traficom, the scammers are now also after banking details and, in some cases, credit card details.

    Reply
  25. Tomi Engdahl says:

    CISA Adds 15 Known Exploited Vulnerability to Catalog https://www.cisa.gov/uscert/ncas/current-activity/2022/03/15/cisa-adds-15-known-exploited-vulnerability-catalog
    CISA has added 15 new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence that threat actors are actively exploiting the vulnerabilities listed in the table below.

    Reply
  26. Tomi Engdahl says:

    Increase In Malware Sightings on GoDaddy Managed Hosting https://www.wordfence.com/blog/2022/03/increase-in-malware-sightings-on-godaddy-managed-hosting/
    Today, March 15, 2022, The Wordfence Incident Response team alerted our Threat Intelligence team to an increase in infected websites hosted on GoDaddy’s Managed WordPress service, which includes MediaTemple, tsoHost, 123Reg, Domain Factory, Heart Internet, and Host Europe Managed WordPress sites. These affected sites have a nearly identical backdoor prepended to the wp-config.php file. Of the 298 sites that have been newly infected by this backdoor starting 5 days ago on March 11, at least 281 are hosted with GoDaddy.

    Reply
  27. Tomi Engdahl says:

    Emotet Spoofs IRS in Tax Season-Themed Phishing Campaign https://cofense.com/blog/emotet-spoofs-irs-in-tax-season/
    In past years, Cofense Intelligence has reported on Emotet taking advantage of tax season to deliver W-9 themed malicious documents but, this year, the tactic has been improved. Emotet operators have upped their game in this most recent campaign, now including the Internal Revenue Service (IRS) logo, a specific mention of the organization employing individual recipients, and a password with which to extract the attached password-protected archives. When the Office-macro-laden spreadsheets enclosed in the password-protected archives are opened, they request that macros be enabled. If macros are enabled, Emotet.dll files are delivered to the victim’s computer.

    Reply
  28. Tomi Engdahl says:

    The Russia-Ukraine War And The Revival Of Hacktivism https://www.digitalshadows.com/blog-and-research/the-russia-ukraine-war-and-the-revival-of-hacktivism/
    Another notable response is the resurgence of hacktivism. A variety of hacktivist attacks have been conducted, with a significant number, unsurprisingly, coming from within Ukraine. This blog will dive into hacktivist activity we’ve observed in the past few weeks, and discuss what hacktivists are doing differently this time around.

    Reply
  29. Tomi Engdahl says:

    Google Patches Critical Vulnerability With Chrome 99 Update
    https://www.securityweek.com/google-patches-critical-vulnerability-chrome-99-update

    A Chrome 99 update released by Google on Tuesday patches a critical vulnerability discovered by one of the company’s own researchers.

    The critical flaw, tracked as CVE-2022-0971, has been described as a use-after-free issue affecting the Blink Layout component. Sergei Glazunov of Google Project Zero has been credited for reporting the flaw.

    Google doesn’t often assign a “critical severity” rating to Chrome vulnerabilities. In fact, over the past year, only four other Chrome updates fixed a critical issue. Two of the four critical vulnerabilities were discovered by Glazunov, who has also identified a high-severity bug that was patched this week.

    The latest Chrome update includes 11 security fixes, including eight with a “high severity” rating. These flaws, which can typically allow a sandbox escape or remote code execution, are mostly use-after-free issues.

    Reply
  30. Tomi Engdahl says:

    CISA Adds 14 Windows Vulnerabilities to ‘Must-Patch’ List
    https://www.securityweek.com/cisa-adds-14-windows-vulnerabilities-must-patch-list

    The US Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday announced that it has added 15 vulnerabilities to its Known Exploited Vulnerabilities Catalog.

    More than 500 security flaws have been added to the “Must-Patch” list since November 2021, when CISA first announced it, along with Binding Operational Directive 22-01, which requires federal agencies to take prompt action to address the identified issues.

    The newly added flaws – one affecting SonicWall SonicOS and 14 impacting Microsoft Windows – are older issues, some of them having been patched for more than half a decade.

    The SonicOS security hole (CVE-2020-5135) can be exploited for DoS attacks and arbitrary code execution. The Windows flaws – patched between 2016 and 2019 – can all lead to privilege escalation.

    Reply
  31. Tomi Engdahl says:

    Severe Vulnerability Patched in CRI-O Container Engine for Kubernetes
    https://www.securityweek.com/severe-vulnerability-patched-cri-o-container-engine-kubernetes

    A severe vulnerability affecting the CRI-O container engine for Kubernetes could be exploited to escape the container and gain root access to the host, CrowdStrike reports.

    CRI-O is a lightweight container runtime for Kubernetes with support for OCI (Open Container Initiative) compatible runtimes.

    Tracked as CVE-2022-0811 (CVSS score of 8.8), the vulnerability exists due to the lack of proper validation for kernel parameters passed to the pinns utility. The issue was introduced in CRI-O version 1.19, when sysctl support was added to the container engine.

    Referred to as cr8escape, the security hole could be exploited by an attacker to “escape from a Kubernetes container and gain root access to the host and be able to move anywhere in the cluster,” CrowdStrike said.

    Exploitation requires rights to deploy a pod on a Kubernetes cluster that uses the CRI-O runtime.

    Reply
  32. Tomi Engdahl says:

    Makena Kelly / The Verge:
    Meta says it removed a deepfake video of Ukrainian President Volodymyr Zelenskyy asking Ukrainians to surrender, citing its misleading manipulated media policy — In the fake video, Zelenskyy surrenders to Russian invasion — On Wednesday, Facebook’s parent company, Meta …

    Facebook removes ‘deepfake’ of Ukrainian President Zelenskyy
    In the fake video, Zelenskyy surrenders to Russian invasion
    https://www.theverge.com/2022/3/16/22981806/facebook-removes-deepfake-ukraine-zelenskyy-meta-instagram?scrolla=5eb6d68b7fedc32c19ef33b4

    Reply
  33. Tomi Engdahl says:

    Amanda Silberling / TechCrunch:
    Meta adds basic parental controls for Quest VR, almost three years after launching the headset, starting with an unlock pattern for specific apps in April — Despite releasing its first virtual reality headsets in May 2019, Meta is only now adding parental supervision tools to its Meta Quest VR headset.

    Meta will add basic parental supervision tools to its VR headset almost three years after launch
    Amanda Silberling
    https://techcrunch.com/2022/03/16/meta-quest-parental-controls-virtual-reality/?guccounter=1&guce_referrer=aHR0cHM6Ly93d3cudGVjaG1lbWUuY29tLw&guce_referrer_sig=AQAAAD5kQ-7Mc3FYWcwkwhj7DxVTGs-nMzde7EDIYBI1W8wZEwxaIH-YoAgOOmd6LnQTgAAsRKqEmcfKUdADUdtRHoYNmyph1fFJ082AIHdC-j_InJTa-2GY7Vunf5vOV26OfK-5LVpgwFObuwbMM3V6O3Fz_rXVM7_6XCM0uWYz0ADv

    Jon Porter / The Verge:
    Meta launches Family Center, a suite of parental supervision tools for its apps, starting with Instagram in the US and rolling out globally in the coming months

    Instagram’s promised parental controls arrive in the US
    Allowing parents and guardians to keep a watchful eye
    https://www.theverge.com/2022/3/16/22980648/instagram-parental-control-supervision-vr-family-center?scrolla=5eb6d68b7fedc32c19ef33b4

    Reply
  34. Tomi Engdahl says:

    https://www.bleepingcomputer.com/news/security/qnap-warns-severe-linux-bug-affects-most-of-its-nas-devices/

    Taiwanese hardware vendor QNAP warns most of its Network Attached Storage (NAS) devices are impacted by a high severity Linux vulnerability dubbed ‘Dirty Pipe’ that allows attackers with local access to gain root privileges.

    Reply
  35. Tomi Engdahl says:

    Russia faces IT crisis with just two months of data storage left
    https://www.bleepingcomputer.com/news/technology/russia-faces-it-crisis-with-just-two-months-of-data-storage-left/

    Russia faces a critical IT storage crisis after Western cloud providers pulled out of the country, leaving Russia with only two more months before they run out of data storage.

    The Russian government is exploring various solutions to resolve this IT storage problem, ranging from leasing all available domestic data storage to seizing IT resources left behind by businesses that pulled out of the country.

    These solutions were proposed during a meeting held at the Ministry of Digital Transformation, attended by representatives of Sberbank, MTS, Oxygen, Rostelecom, Atom-Data, Croc, and Yandex.

    Reply
  36. Tomi Engdahl says:

    Researcher uses 379-year-old algorithm to crack crypto keys found in the wild
    It takes only a second to crack the handful of weak keys. Are there more out there?
    https://arstechnica.com/information-technology/2022/03/researcher-uses-600-year-old-algorithm-to-crack-crypto-keys-found-in-the-wild/

    Cryptographic keys generated with older software now owned by technology company Rambus are weak enough to be broken instantly using commodity hardware, a researcher reported on Monday. This revelation is part of an investigation that also uncovered a handful of weak keys in the wild.

    The software comes from a basic version of the SafeZone Crypto Libraries, which were developed by a company called Inside Secure and acquired by Rambus as part of its 2019 acquisition of Verimatrix, a Rambus representative said. That version was deprecated prior to the acquisition and is distinct from a FIPS-certified version that the company now sells under the Rambus FIPS Security Toolkit brand.

    Mind your Ps and Qs
    Researcher Hanno Böck said that the vulnerable SafeZone library doesn’t sufficiently randomize the two prime numbers it used to generate RSA keys

    Reply
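The "379-year-old algorithm" in the headline above is Fermat's factorization method (1643). The code below is an added example, not the researcher's tool and not SafeZone/Rambus code: it shows why primes that are not randomized independently are fatal for RSA. Any odd n = p*q equals a*a - b*b with a = (p+q)/2 and b = (q-p)/2, so stepping a upward from ceil(sqrt(n)) and testing whether a*a - n is a perfect square recovers both primes; the number of steps grows roughly as (q-p)^2 / sqrt(n), so primes that share their top bits fall on the first try while well-separated primes never finish. The keys are constructed at run time for the example, not keys found in the wild.

```python
"""Fermat factorization of an RSA modulus with close primes.  Added example."""
import random
from math import isqrt


def is_probable_prime(n, rounds=16):
    """Miller-Rabin with bases from a generator seeded by n, so the answer
    is reproducible; error probability is below 4**-rounds."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    rng = random.Random(n)
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def next_prime(n):
    """Smallest (probable) prime strictly greater than n."""
    c = n + 1
    if c > 2 and c % 2 == 0:
        c += 1
    while not is_probable_prime(c):
        c += 2
    return c


def fermat_factor(n, max_steps=10_000):
    """Return (p, q) with p <= q if n splits within max_steps, else None.
    The budget is the point: a healthy key exhausts it, a weak one does not."""
    if n % 2 == 0:
        return (2, n // 2)
    a = isqrt(n)
    if a * a < n:
        a += 1                      # a = ceil(sqrt(n))
    for _ in range(max_steps):
        b2 = a * a - n
        b = isqrt(b2)
        if b * b == b2:             # n = (a - b)(a + b)
            return (a - b, a + b)
        a += 1
    return None


def weak_vs_healthy(bits=512):
    """One modulus from adjacent primes, one from well-separated primes.
    Returns (weak_key_broken, healthy_key_survived)."""
    p = next_prime(2 ** (bits - 1) + 12345)     # constructed, not a real key
    q_close = next_prime(p)                     # gap of a few hundred
    q_far = next_prime(p + 2 ** (bits - 212))   # gap about 2^300 for 512-bit
    return (fermat_factor(p * q_close) == (p, q_close),
            fermat_factor(p * q_far) is None)


if __name__ == "__main__":
    print(weak_vs_healthy())   # (True, True)
```

Key size does not help here: the first step already lands on (p+q)/2 whenever (q-p)^2 is smaller than about 8*sqrt(n), whatever the bit length. The check to run on a fleet of keys is exactly fermat_factor with a small budget; anything that returns a factorization was generated by a broken library.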
  37. Tomi Engdahl says:

    CISA and FBI warning: Hackers used these tricks to dodge multi-factor authentication and steal email from NGO
    Watch out for default configuration on MFA implementation.
    https://www.zdnet.com/article/cisa-and-fbi-warning-hackers-used-these-tricks-to-dodge-multi-factor-authentication-and-steal-email/

    Reply
  38. Tomi Engdahl says:

    Banks on alert for Russian reprisal cyberattacks on Swift
    Payments messaging system could be targeted as pinch point of global transactions network.
    https://www.ft.com/content/a2bdba3b-f1dd-4c9f-a0de-9ffff6e744e4

    Big banks fear that Swift faces a growing threat of Russian cyberattacks after seven of the country’s lenders were kicked off the global payments messaging system over the weekend.

    VTB, Russia’s second-biggest bank, and Promsvyazbank, which finances Russia’s war machine, were among the lenders removed on Saturday from Swift as part of the West’s sanctions campaign against Moscow in response to its invasion of Ukraine.

    Senior executives responsible for cybersecurity at several banks told the Financial Times that the threat to Swift, which enables banks to send trillions in payments across borders every day, could escalate if more of Russia’s lenders are expelled from the system.

    Reply
  39. Tomi Engdahl says:

    New “B1txor20” Linux Botnet Uses DNS Tunnel and Exploits Log4J Flaw
    https://thehackernews.com/2022/03/new-b1txor20-linux-botnet-uses-dns.html

    Reply
  40. Tomi Engdahl says:

    TP-Link Privacy Violation: Router Sends Data To 3rd Parties Without Consent
    https://www.realinfosec.net/cybersecurity-news/tp-link-privacy-violation/

    China’s network equipment manufacturer TP-Link is also working with German antivirus software company Avira: “We are developing a security service in partnership with Avira”. However, a report posted on Reddit, an overseas bulletin board, says that “TP-Link routers are sending a large amount of traffic to Avira’s servers even if related services are turned off.” It has become a hot topic.

    I recently enabled a DNS gateway to be able to see requests from my router and network devices. Was surprised to find 80K+ requests (in 24 hours) out to Avira “Safe Things” subdomains *.safethings.avira.com (far more than to any other server).

    Digging into this more, I found that it is related to the built-in router security “Home Shield” that ships with newer TP-Link routers – https://oem.avira.com/en/solutions/safethings-for-router-manufacturers

    Here is the kicker though, I have the Avira / Home Shield services completely turned off (I wasn’t even subscribed to their paid service for it). The router doesn’t care, and sends ALL your traffic to be “analyzed” anyhow.

    Reply
  41. Tomi Engdahl says:

    New Linux Bug in Netfilter Firewall Module Lets Attackers Gain Root Access
    https://thehackernews.com/2022/03/new-linux-bug-in-netfilter-firewall.html

    Reply
  42. Tomi Engdahl says:

    ‘Not the time to go poking around’: How former U.S. hackers view dealing with Russia
    People with experience in U.S. hacking operations say they expect both Washington and Moscow to show caution in how they wield their digital weapons.
    https://www.politico.com/news/2022/03/12/cyber-russia-hacking-security-00016598

    Reply
  43. Tomi Engdahl says:

    Browser In The Browser (BITB) Attack
    March 15, 2022
    https://mrd0x.com/browser-in-the-browser-phishing-attack/

    This article explores a phishing technique that simulates a browser window within the browser to spoof a legitimate domain.

    Introduction
    For security professionals, the URL is usually the most trusted aspect of a domain. Yes, there are attacks like IDN Homograph and DNS Hijacking that may degrade the reliability of URLs, but not to an extent that makes URLs unreliable.

    All of this eventually led me to think: is it possible to make the “Check the URL” advice less reliable? After a week of brainstorming I decided that the answer is yes.

    Reply
  44. Tomi Engdahl says:

    Nasty Linux netfilter firewall security hole found
    How embarrassing! It turns out there was a security hole lurking in Linux’s netfilter firewall program.
    https://www.zdnet.com/article/nasty-linux-netfilter-firewall-security-hole-found/

    Reply
  45. Tomi Engdahl says:

    China claims it detected cyber-espionage tool used by US NSA to steal user data: Report

    https://www.republicworld.com/world-news/russia-ukraine-crisis/china-claims-it-detected-cyber-espionage-tool-used-by-us-nsa-to-steal-user-data-report-articleshow.html

    Amid the ongoing security crisis between Russia and Ukraine, China on Monday claimed that it has detected a cyber spy tool used by the US National Security Agency (NSA) for controlling global internet equipment. According to a report by Chinese state-owned media Global Times, the US-formulated virus program is capable of lurking in victims’ computers to access sensitive information and steal user data. The virus was identified by China’s National Computer Virus Emergency Response Center.

    The computer virus, a Trojan Horse or ‘NOPEN’, is a remote-controlled system for Unix/Linux computers. As per GT, the virus is mainly designed for pilfering user information, redirecting network communication and breaching privacy by assessing vulnerable information from the infected device. The center also claimed that ‘NOPEN’ is characterised by comprehensive complex technology to fit a variety of processors and operating systems. Through technical analysis, the Trojan Horse can also collaborate with cyber weapons to conduct cyber espionage, GT added.

    Reply
