This posting is here to collect cyber security news in March 2022.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
Tomi Engdahl says:
Russian Cyclops Blink botnet launches assault against Asus routers
The only option available might be a return to factory settings for infected routers.
https://www.zdnet.com/article/cyclops-blink-botnet-launches-assault-against-asus-routers/
Tomi Engdahl says:
Google discovers threat actor working as an ‘initial access broker’ for Conti ransomware hackers
https://techcrunch.com/2022/03/17/google-exotic-lily-conti-ransomware/
Tomi Engdahl says:
BIG sabotage: Famous npm package deletes files to protest Ukraine war
https://www.bleepingcomputer.com/news/security/big-sabotage-famous-npm-package-deletes-files-to-protest-ukraine-war/
This month, the developer behind the popular npm package ‘node-ipc’ released sabotaged versions of the library in protest of the ongoing Russo-Ukrainian War.
Newer versions of the ‘node-ipc’ package began deleting all data and overwriting all files on developer’s machines, in addition to creating new text files with “peace” messages.
With over a million weekly downloads, ‘node-ipc’ is a prominent package used by major libraries like Vue.js CLI.
Protestware: Ukraine’s ongoing crisis bleeds into open source
Select versions (10.1.1 and 10.1.2) of the massively popular ‘node-ipc’ package were caught containing malicious code that would overwrite or delete arbitrary files on a system for users based in Russia and Belarus. These versions are tracked under CVE-2022-23812.
Tomi Engdahl says:
BIG sabotage: Famous npm package deletes files to protest Ukraine war https://www.bleepingcomputer.com/news/security/big-sabotage-famous-npm-package-deletes-files-to-protest-ukraine-war/
Popular JavaScript front end framework ‘Vue.js’ also uses ‘node-ipc’
as a dependency. But prior to this incident, ‘Vue.js’ did not pin the versions of ‘node-ipc’ dependency to a safe version and was set up to fetch the latest minor and patch versions instead
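The pinning point made above can be turned into a concrete check. The following is an added example, not code from the article or from Vue CLI's own repository: a dependency-free helper that resolves caret, tilde and exact npm ranges and reports whether a manifest's declared range for node-ipc could still pull in the sabotaged 10.1.1 and 10.1.2 releases (CVE-2022-23812). The two manifests are constructed samples, not Vue CLI's real package.json.

```javascript
// Added example: check whether a declared npm version range admits the
// sabotaged node-ipc releases tracked as CVE-2022-23812.
// Only caret (^), tilde (~) and exact ranges are handled; the real `semver`
// package covers the full grammar. Any other form throws so it is not
// silently treated as safe.

const SABOTAGED_NODE_IPC = ['10.1.1', '10.1.2'];

// Parse "MAJOR.MINOR.PATCH" into a numeric triple.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Lexicographic compare of two triples: negative, zero or positive.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Return [lowInclusive, highExclusive] bounds for a range string, following
// npm's rules: ^ allows changes that do not touch the leftmost non-zero
// component, ~ allows patch-level changes, an exact version allows only itself.
function rangeBounds(range) {
  const r = range.trim();
  if (r.startsWith('^')) {
    const [maj, min, pat] = parseVersion(r.slice(1));
    let high;
    if (maj > 0) high = [maj + 1, 0, 0];
    else if (min > 0) high = [0, min + 1, 0];
    else high = [0, 0, pat + 1];
    return [[maj, min, pat], high];
  }
  if (r.startsWith('~')) {
    const [maj, min, pat] = parseVersion(r.slice(1));
    return [[maj, min, pat], [maj, min + 1, 0]];
  }
  const v = parseVersion(r);
  return [v, [v[0], v[1], v[2] + 1]];
}

// True if `version` satisfies `range`.
function rangeAdmits(range, version) {
  const [low, high] = rangeBounds(range);
  const v = parseVersion(version);
  return cmp(v, low) >= 0 && cmp(v, high) < 0;
}

// Scan a package.json-style dependency map and report entries for `pkg` whose
// declared range admits any of the known-bad versions.
function findRiskyDependencies(deps, pkg = 'node-ipc', bad = SABOTAGED_NODE_IPC) {
  const findings = [];
  for (const [name, range] of Object.entries(deps)) {
    if (name !== pkg) continue;
    const admitted = bad.filter((v) => rangeAdmits(range, v));
    if (admitted.length > 0) findings.push({ name, range, admitted });
  }
  return findings;
}

// Constructed sample manifests (not Vue CLI's real package.json): the first
// floats on minor/patch updates, the second pins an exact earlier version.
const floatingManifest = { dependencies: { 'node-ipc': '^10.1.0', chalk: '^4.1.2' } };
const pinnedManifest = { dependencies: { 'node-ipc': '9.2.1', chalk: '^4.1.2' } };

console.log('floating:', JSON.stringify(findRiskyDependencies(floatingManifest.dependencies)));
console.log('pinned:  ', JSON.stringify(findRiskyDependencies(pinnedManifest.dependencies)));
```

The same scan can be pointed at a resolved lockfile rather than the manifest to confirm which version was actually installed.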
Tomi Engdahl says:
Scam messages are being sent in the name of the KRP (National Bureau of Investigation): here is what to do if you have received one
https://www.mtvuutiset.fi/artikkeli/krp-n-nimissa-lahetetaan-huijausviesteja-toimi-nain-jos-olet-saanut-viestin/8380370
According to the KRP, the contents of the messages vary and they have been sent from several different email addresses. The emails do not actually come from the police; the criminals are trying to imitate email addresses used by the police. According to current information, the common factor in the messages is that they carry PDF files as attachments and the subject line mentions "article 360". The messages have claimed that the recipient has committed crimes.
Tomi Engdahl says:
Cyclops Blink Sets Sights on Asus Routers https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers–.html
Cyclops Blink, an advanced modular botnet that is reportedly linked to the Sandworm or Voodoo Bear advanced persistent threat (APT) group, has recently been used to target WatchGuard Firebox devices according to an analysis performed by the UK’s National Cyber Security Centre (NCSC). We acquired a variant of the Cyclops Blink malware family that targets Asus routers. This report discusses the technical capabilities of this Cyclops Blink malware variant and includes a list of more than 150 current and historical command-and-control (C&C) servers of the Cyclops Blink botnet.
Tomi Engdahl says:
SolarWinds warns of attacks targeting Web Help Desk instances https://www.bleepingcomputer.com/news/security/solarwinds-warns-of-attacks-targeting-web-help-desk-instances/
SolarWinds warned customers of attacks targeting Internet-exposed Web Help Desk (WHD) instances and advised removing them from publicly accessible infrastructure (likely to prevent the exploitation of a potential security flaw). “A SolarWinds customer reported an external attempted attack on their instance of Web Help Desk (WHD) 12.7.5. The customer’s endpoint detection and response (EDR) system blocked the attack and alerted the customer to the issue, ” SolarWinds said. “In an abundance of caution, SolarWinds recommends all Web Help Desk customers whose WHD implementation is externally facing to remove it from your public (internet-facing) infrastructure until we know more.”
Tomi Engdahl says:
Facebook removes deepfake of Ukrainian President Zelenskyy https://www.bleepingcomputer.com/news/technology/facebook-removes-deepfake-of-ukrainian-president-zelenskyy/
Facebook has removed a deepfake video of Ukrainian President Volodymyr Zelenskyy spreading across the social network and asking Ukrainian troops to lay down their arms and surrender. “We’ve quickly reviewed and removed this video for violating our policy against misleading manipulated media, and notified our peers at other platforms.” The altered video was first shared on the compromised website of Ukraine 24 after a Wednesday breach, according to DailyDot, and it spread to other compromised news sites, including Segodnya.
Tomi Engdahl says:
The fault was not caused by Apotti: Vantaa fixed the IT problem
https://www.tivi.fi/uutiset/tv/7b7a460c-48d5-48c0-a6d9-83a984b92a31
The Apotti patient and client information system could not be used in Vantaa on Tuesday evening and Wednesday morning. Apotti is used widely in primary healthcare, specialist medical care and social services. Vantaa’s Chief Information Officer Matti Lampo told Tivi that the problems in Vantaa were related to logging in to Apotti. The problem was caused by a human error in the maintenance of the systems’ service accounts. It did not affect other systems.
Tomi Engdahl says:
Exposing initial access broker with ties to Conti https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/
In early September 2021, Threat Analysis Group (TAG) observed a financially motivated threat actor we refer to as EXOTIC LILY, exploiting a 0day in Microsoft MSHTML (CVE-2021-40444). Investigating this group’s activity, we determined they are an Initial Access Broker (IAB) who appear to be working with the Russian cyber crime gang known as FIN12 (Mandiant, FireEye) / WIZARD SPIDER (CrowdStrike). EXOTIC LILY is a resourceful, financially motivated group whose activities appear to be closely linked with data exfiltration and deployment of human-operated ransomware such as Conti and Diavol. At the peak of EXOTIC LILY’s activity, we estimate they were sending more than 5,000 emails a day, to as many as 650 targeted organizations globally.
Tomi Engdahl says:
CVE-2021-28372: How a Vulnerability in Third-Party Technology Is Leaving Many IP Cameras and Surveillance Systems Vulnerable https://unit42.paloaltonetworks.com/iot-supply-chain-cve-2021-28372/
A large number of IP cameras and surveillance systems used in enterprise networks were recently discovered to be vulnerable to remote code execution and information leakage due to CVE-2021-28372, a vulnerability in the built-in ThroughTek Kalay P2P software development kit that is used by many of these devices. Many users of IP cameras and surveillance systems are unaware of the built-in software and TCP/IP stacks in their devices, and can overlook related vulnerabilities as a result.
Tomi Engdahl says:
New Ransomware Family Identified: LokiLocker RaaS Targets Windows Systems https://blogs.blackberry.com/en/2022/03/lokilocker-ransomware
Like so many other strains of ransomware, LokiLocker encrypts your files and will render your machine unusable if you don’t pay up in time. However, like its namesake god Loki, this threat seems to have a few subtle tricks up its sleeve – not least being a potential “false flag” tactic that points the finger at Iranian threat actors.
LokiLocker is a relatively new ransomware family targeting English-speaking victims and Windows® PCs; the threat was first seen in the wild in mid-August 2021. It shouldn’t be confused with an older ransomware family called Locky, which was notorious in 2016, or LokiBot, which is an infostealer. It shares some similarities with the LockBit ransomware (registry values, ransom note filename), but it doesn’t seem to be its direct descendant.
Tomi Engdahl says:
Scammers have 2 clever new ways to install malicious apps on iOS devices https://arstechnica.com/information-technology/2022/03/scammers-have-2-clever-new-ways-to-install-malicious-apps-on-ios-devices/
Scammers pushing iOS malware are stepping up their game by abusing two legitimate Apple features to bypass App Store vetting requirements and trick people into installing malicious apps. By installing Apple’s TestFlight app from the App Store, any iOS user can download and install apps that have not yet passed the vetting process. Once TestFlight is installed, the user can download the unvetted apps using links attackers publish on scam sites or in emails. People can use TestFlight to invite up to 10,000 testers using their email address or by sharing a public link. The post said the CryptoRom scammers are using a second Apple feature to disguise their activities. That feature, known as Web Clips, adds a webpage link directly to an iPhone home screen in the form of an icon that can be confused with a benign app.
Tomi Engdahl says:
Cobalt Strike Analysis and Tutorial: How Malleable C2 Profiles Make Cobalt Strike Difficult to Detect https://unit42.paloaltonetworks.com/cobalt-strike-malleable-c2-profile/
Cobalt Strike is commercial threat emulation software that emulates a quiet, long-term embedded actor in a network. This actor, known as Beacon, communicates with an external team server to emulate command and control (C2) traffic. Due to its versatility, Cobalt Strike is commonly used as a legitimate tool by red teams but is also widely used by threat actors for real-world attacks. Cobalt Strike users control Beacon’s HTTP indicators through a profile, and can select either the default profile or a customizable Malleable C2 profile.
Tomi Engdahl says:
DirtyMoe: Worming Modules
https://decoded.avast.io/martinchlumecky/dirtymoe-5/
The DirtyMoe malware is deployed using various kits like PurpleFox or injected installers of Telegram Messenger that require user interaction. Complementary to this deployment, one of the DirtyMoe modules expands the malware using worm-like techniques that require no user interaction. The analysis showed that the worming module targets older well-known vulnerabilities, e.g., EternalBlue and Hot Potato Windows Privilege Escalation. Another important discovery is a dictionary attack using Service Control Manager Remote Protocol (SCMR), WMI, and MS SQL services. Finally, an equally critical outcome is discovering the algorithm that generates victim target IP addresses based on the worming module’s geographical location.
Tomi Engdahl says:
Gh0stCringe RAT Being Distributed to Vulnerable Database Servers https://asec.ahnlab.com/en/32572/ Gh0stCringe, also known as CirenegRAT, is one of the malware variants based on the code of Gh0st RAT. It was first discovered in December 2018, and it is known to have been distributed via SMB vulnerability (using the SMB vulnerability tool of ZombieBoy). Since then, no direct relationship has been found, but it was mentioned in the KingMiner CoinMiner analysis report published in June 2020. Gh0stCringe RAT that is recently being discovered is being distributed to vulnerable database servers. Gh0stCringe-related logs in AhnLab’s ASD show that logs were not only created by the sqlservr.exe process (MS-SQL server) but also by the MySQL server process for Windows environment.
Tomi Engdahl says:
Have Your Cake and Eat it Too? An Overview of UNC2891 https://www.mandiant.com/resources/unc2891-overview
Mandiant has investigated and attributed several intrusions to a threat cluster we believe has a nexus to this actor, currently being tracked as UNC2891. Through these investigations, Mandiant has discovered additional techniques, malware, and utilities being used by UNC2891 alongside those previously observed in use by UNC1945. Despite having identified significant overlaps between these threat clusters, Mandiant has not determined they are attributable to the same actor.
Mandiant discovered a previously unknown rootkit for Oracle Solaris systems that UNC2891 used to remain hidden in victim networks, which we have named CAKETAP. One variant of CAKETAP manipulated messages transiting a victim’s Automatic Teller Machine (ATM) switching network.
It is believed this was leveraged as part of a larger operation to perform unauthorized cash withdrawals at several banks using fraudulent bank cards.
Tomi Engdahl says:
China’s Government Is Learning From Russia’s Cyberattacks Against Ukraine https://www.recordedfuture.com/chinas-government-is-learning-from-russias-cyberattacks-against-ukraine/
Chinese government entities, state-owned enterprises, and cybersecurity researchers have demonstrated a practical interest in the 2015 cyberattack against Ukraine’s power grid as well as subsequent attacks, which have been credibly attributed to Sandworm Team, a Russian state-sponsored advanced persistent threat group.
Recorded Future has found that procurement documents associated with various Chinese government entities and state-owned enterprises have referenced the attack, with several documents explicitly calling for cybersecurity capabilities to counter or simulate such an attack.
Likewise, cybersecurity researchers associated with the People’s Liberation Army, state-run research organizations, and other such entities have discussed the implications of the incident in their ongoing technical research, highlighting the national security relevance of protecting critical infrastructure and the prominence of this infrastructure as a target in interstate conflict.
Tomi Engdahl says:
Inauguration of new headquarters
https://www.enisa.europa.eu/news/enisa-news/inauguration-of-new-headquarters
Greek Minister of Digital Governance, Kyriakos Pierrakakis and European Commission Vice-President, Margaritis Schinas, open the new headquarters of the EU Agency for Cybersecurity (ENISA) in Athens.
Tomi Engdahl says:
https://thehackernews.com/2022/03/dirtymoe-botnet-gains-new-exploits-in.html
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/emotet-malware-campaign-impersonates-the-irs-for-2022-tax-season/
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/google-exposes-tactics-of-a-conti-ransomware-access-broker/
Tomi Engdahl says:
Surprising information from the authorities: this is how the cyber war in Ukraine is visible in Finland https://www.is.fi/digitoday/tietoturva/art-2000008691534.html
https://www.kyberturvallisuuskeskus.fi/fi/ajankohtaista/kybersaa_02/2022
The cyber security situation in Finland is currently stable and communication networks are operating normally. The tense international situation in Ukraine inevitably affects the digital world and its preparedness as well. Several cyber attacks have been observed in Ukraine during 2022. The attacks have included denial-of-service attacks against government websites, malware that destroys system data, and various phishing attempts. The methods used are not new or exceptional. In Finland we are able to respond to similar threats as part of normal cyber security processes.
Tomi Engdahl says:
Hundreds of GoDaddy-hosted sites backdoored in a single day
https://www.bleepingcomputer.com/news/security/hundreds-of-godaddy-hosted-sites-backdoored-in-a-single-day/
Internet security analysts have spotted a spike in backdoor infections on WordPress websites hosted on GoDaddy’s Managed WordPress service, all featuring an identical backdoor payload.
The case affects internet service resellers such as MediaTemple, tsoHost, 123Reg, Domain Factory, Heart Internet, and Host Europe Managed WordPress.
The discovery comes from Wordfence, whose team first observed the malicious activity on March 11, 2022, with 298 websites infected by the backdoor within 24 hours, 281 of which were hosted on GoDaddy.
Old template spammer
The backdoor infecting all sites is a 2015 Google search SEO-poisoning tool implanted on the wp-config.php to fetch spam link templates from the C2 that are used to inject malicious pages into search results.
Supply chain attack?
The intrusion vector hasn’t been determined, so while this looks suspiciously close to a supply chain attack, it hasn’t been confirmed.
Tomi Engdahl says:
Study: 30% of Log4Shell instances remain unpatched
https://techcrunch.com/2022/03/18/study-30-of-log4shell-instances-remain-vulnerable/?tpcc=ecfb2020
On December 9, 2021, a critical zero-day vulnerability affecting Apache’s Log4j2 library, a Java-based logging utility, was disclosed to the world and broke the internet.
As the third most used computer language, Java is practically ubiquitous, and its Log4j2 library is extremely popular, with an estimated 15 billion devices around the globe currently running Java. The worst part is that Log4j is hard to find and easy to exploit, which places hundreds of millions of Java-based applications, databases and devices at severe risk.
The full scope of risk presented by the vulnerability is unprecedented, spanning every type of organization across every industry. Due to the ease of the exploit combined with the difficulty in uncovering the vulnerability within your organization, Log4Shell is the proverbial needle in a haystack.
Cybersecurity and Infrastructure Security Agency director Jen Easterly noted that Log4Shell is the “most serious” vulnerability she has witnessed in her decades-long career.
Quick to patch, quicker to exploit
As many companies prepared to operate with skeleton IT staff in the last two weeks of 2021, hackers and attackers saw an opportunity. It didn’t take long for this critical Java vulnerability to be exploited in the wild. Nearly 1 million attack attempts were launched in just 72 hours following the vulnerability’s disclosure.
Tomi Engdahl says:
New Unix rootkit used to steal ATM banking data
https://www.bleepingcomputer.com/news/security/new-unix-rootkit-used-to-steal-atm-banking-data/
Tomi Engdahl says:
Hackers claim to breach TransUnion South Africa with ‘Password’ password
https://www.bleepingcomputer.com/news/security/hackers-claim-to-breach-transunion-south-africa-with-password-password/
Tomi Engdahl says:
Google Maps down: World disappears from mapping service amid major technical problem
https://www.independent.co.uk/tech/google-maps-down-not-working-b2039118.html#Echobox=1647619502
Tomi Engdahl says:
Unsecured Microsoft SQL, MySQL servers hit by Gh0stCringe malware
https://www.bleepingcomputer.com/news/security/unsecured-microsoft-sql-mysql-servers-hit-by-gh0stcringe-malware/
Tomi Engdahl says:
https://techcrunch.com/2022/03/18/russia-warns-youtube/
Tomi Engdahl says:
https://securityaffairs.co/wordpress/129167/hacking/microsoft-tool-mikrotik-routers.html
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/openssl-cert-parsing-bug-causes-infinite-denial-of-service-loop/
Tomi Engdahl says:
Mitchell Clark / The Verge:
CEO Pavel Durov says Telegram was unresponsive to Brazil’s Supreme Court because the court used the wrong email address, apologizes, and asks for a ruling delay — Telegram’s founder and CEO Pavel Durov has just put out a statement about why Brazil’s Supreme Court is now suspending the app, and the reason is incredible.
Telegram forgot to check its email and now it’s banned in Brazil
Whoops
https://www.theverge.com/2022/3/18/22985737/telegram-brazil-supreme-court-ban-email-address-statement-durov?scrolla=5eb6d68b7fedc32c19ef33b4
Telegram’s founder and CEO Pavel Durov has just put out a statement about why Brazil’s Supreme Court is now suspending the app, and the reason is incredible. In the statement, which you can read in full below or on Durov’s Telegram channel, he says it was because his company was checking the wrong email address.
“It seems that we had an issue with emails going between our telegram.org corporate addresses and the Brazilian Supreme Court,” Durov says, going on to explain that his company asked the court to send future takedown requests “to a dedicated email address.” But the court didn’t do that, apparently — it kept using “the old general-purpose email address,” and Telegram missed them somehow, and now it’s getting banned, unless the court takes pity.
The company says it’s now found those emails (implying that the old address did at least work, which makes it even more bizarre that the emails somehow got missed), and is trying to remedy the situation with the court. There’s a lot of political context surrounding the ban, which stems from accusations that Telegram facilitates the spread of disinformation
Tomi Engdahl says:
Reuters:
Brazil’s Supreme Court orders the shutdown of Telegram for not adhering to judicial orders, gives phone carriers, Apple, and Google five days to block the app
https://www.reuters.com/world/americas/brazil-supreme-court-orders-suspension-telegram-app-country-reports-2022-03-18/
Tomi Engdahl says:
Patrick Howell O’Neill / MIT Technology Review:
The US is shifting its cybersecurity strategy from relying on companies’ voluntary cooperation toward stronger oversight, minimum security standards, and more — The specter of Russian hackers and an overreliance on voluntary cooperation from the private sector means officials are finally prepared to get tough.
Inside the plan to fix America’s never-ending cybersecurity failures
https://www.technologyreview.com/2022/03/18/1047395/inside-the-plan-to-fix-americas-never-ending-cybersecurity-failures/
The specter of Russian hackers and an overreliance on voluntary cooperation from the private sector means officials are finally prepared to get tough.
Tomi Engdahl says:
Adnan Bhat / Rest of World:
Doctors say the rise of fantasy sports apps has led to a spike in gambling addiction in India, where gambling is illegal but fantasy gaming has no clear laws — All forms of gambling are illegal in India but there are no clear laws when it comes to fantasy gaming, which is quickly becoming a threat.
Fantasy sports apps are driving a surge in gambling addiction in India
https://restofworld.org/2022/fantasy-sports-apps-are-driving-a-surge-in-gambling-addiction-in-india/
All forms of gambling are illegal in India but there are no clear laws when it comes to fantasy gaming, which is quickly becoming a threat.
Tomi Engdahl says:
Gh0stCringe RAT Targeting Database Servers in Recent Attacks
https://www.securityweek.com/gh0stcringe-rat-targeting-database-servers-recent-attacks
Security researchers have identified a series of recent Gh0stCringe RAT attacks that target MS-SQL and MySQL database servers for credential harvesting and data exfiltration.
First spotted in 2018, the threat is based on publicly released Gh0st RAT source code and targets poorly secured servers, researchers with the AhnLab Security Emergency Response Center (ASEC) say.
Analysis of the malware shows that parts of Gh0st RAT’s source code were used without modifications, yet the majority of Gh0stCringe’s code is unique, which sets it apart from normal variants.
Also referred to as CirenegRAT, Gh0stCringe was found on machines previously infected with Vollgar CoinMiner and other malware being distributed through brute force attacks.
Gh0stCringe RAT Being Distributed to Vulnerable Database Servers
https://asec.ahnlab.com/en/32572/
Tomi Engdahl says:
TransUnion Confirms Data Breach at South Africa Business
https://www.securityweek.com/transunion-confirms-data-breach-south-africa-business
Credit reporting giant TransUnion has confirmed a data breach affecting its South Africa business. The company appears to have been targeted by profit-driven cybercriminals.
In a statement issued on Thursday, the company said cybercriminals gained access to a TransUnion South Africa server using a client’s credentials. The affected client’s access was suspended after the breach was discovered and some services have been taken offline.
The company believes only an “isolated server holding limited data” from its South African business was compromised.
A group that reportedly claims to be operating out of Brazil has taken credit for the attack.
South African technology news website MyBroadband spoke to the attackers, who claim to have stolen 4Gb of files, including the information of 54 million South African individuals.
Tomi Engdahl says:
Google Analyzes Activity of ‘Exotic Lily’ Initial Access Broker
https://www.securityweek.com/google-analyzes-activity-exotic-lily-initial-access-broker
Tomi Engdahl says:
US Critical Infrastructure Targeted by AvosLocker Ransomware
https://www.securityweek.com/us-critical-infrastructure-targeted-avoslocker-ransomware
The FBI and the Treasury Department on Thursday issued a joint cybersecurity advisory to warn organizations in the United States about attacks involving ransomware named AvosLocker.
The advisory says AvosLocker has been used in attacks on various critical infrastructure sectors, including — but not limited to — critical manufacturing, financial services, and government facilities.
The impact of these attacks on critical infrastructure organizations is unclear. However, ransomware attacks such as the one that targeted Colonial Pipeline last year have led to the US taking significant steps to improve the cybersecurity of the country’s most important systems.
AvosLocker is offered as ransomware-as-a-service (RaaS) and its users claim to have targeted organizations around the world, including the United States, the United Kingdom, Germany, Spain, Belgium, Canada, China, Taiwan, Turkey, the United Arab Emirates, Saudi Arabia and Syria.
AvosLocker attacks involve a piece of ransomware that encrypts files on the victim’s systems, as well as the theft of sensitive information in an effort to convince the victim to pay up.
Tomi Engdahl says:
High-Severity Vulnerabilities Patched in BIND Server
https://www.securityweek.com/high-severity-vulnerabilities-patched-bind-server
The Internet Systems Consortium (ISC) has released security updates to fix multiple high-severity vulnerabilities in the widely deployed Berkeley Internet Name Domain (BIND) server software.
According to an advisory from ISC, a total of four security issues were resolved with the latest updates, two of which impact BIND version 9.18. Both flaws carry a CVSS score of 7.0.
Tracked as CVE-2022-0635, the first of these issues is described as “DNAME insist with synth-from-dnssec enabled.”
BIND 9.18 refactors synth-from-dnssec (RFC 8198 – Aggressive Use of DNSSEC-Validated Cache) and has it automatically enabled for dnssec-validating resolvers.
The resolved bug exists because “repeated patterns of specific queries to servers with this feature enabled could cause an INSIST failure in query.c:query_dname which causes named to terminate unexpectedly,” according to the advisory.
BIND 9 Security Vulnerability Matrix
https://kb.isc.org/v1/docs/aa-00913
Tomi Engdahl says:
SATCOM Cybersecurity Alert Issued as Authorities Probe Possible Russian Attack
https://www.securityweek.com/satcom-cybersecurity-alert-issued-authorities-probe-possible-russian-attack
The US Cybersecurity and Infrastructure Security Agency and the FBI on Thursday released a new alert to warn satellite communication (SATCOM) networks about potential cyber threats. The warning comes just as Western intelligence agencies have launched an investigation into attacks — possibly launched by Russia — against satellite internet services.
CISA and the FBI have made a series of recommendations to help SATCOM network providers and customers strengthen cybersecurity.
Network providers have been advised to implement additional monitoring capabilities for anomalous traffic related to SATCOM equipment. They have also been advised to read a recent threat assessment report from the Office of the Director of National Intelligence, which describes the threat posed by Russia to satellites, as well as Moscow’s capabilities.
Tomi Engdahl says:
Microsoft creates tool to scan MikroTik routers for TrickBot infections
https://www.bleepingcomputer.com/news/security/microsoft-creates-tool-to-scan-mikrotik-routers-for-trickbot-infections/
Tomi Engdahl says:
Hacker Shows How Gas Pumps Are Security Swiss Cheese And Easy Targets For Thieves
https://hothardware.com/news/gas-station-thieves-steal-gas-through-hacking
As gas prices continue to rise, some shadowy figures are looking for “alternative” methods to acquire fuel, whether legal or not. One such method, specifically hacking a gas pump, has led to the recent theft of 400 gallons of fuel at a High Point gas station in North Carolina. However, this is not the only instance of this happening, and as it turns out, gas pumps are surprisingly vulnerable to being hacked.
Tomi Engdahl says:
actual info about the pump hacks
Gas pumps happen to be about as insecure as your typical router
https://www.cnx-software.com/2022/03/19/gas-pumps-insecure-typical-router/
Around 400 gallons of gas were stolen from a gas station a few days ago by using a special remote to put it in “dispense mode” and get the gasoline for free. It is not an isolated incident and over the years gas pumps have been hacked using different methods, with some running embedded Linux and connected to the Internet just like a router.
We previously noted that devices connected to the internet like IP cameras and routers were often not secure since most were configured with default credentials (username/password). I went backpacking a few years ago, and each time I stayed somewhere I tried to log in to the router web interface using the infamous admin/admin, and it worked about 80% of the time. In 2016, I also noticed that changing the default credentials may not help, as the telnet port of my modem router was opened to the outside and configured with default credentials.
Gas pumps have a lot more in common with routers than I initially thought: as reported by FOX 8, many models come with a default passcode that may not always be changed by the gas station’s manager, and using a special remote it’s possible to change the price and other parameters.
They noticed an embedded box running Linux with a tiny httpd server, responsible for managing every component of the station, including dispensers, payment terminals, and more. That embedded box was connected to the Internet, and searching for a specific string on a service like Shodan would locate over 1,000 embedded boxes installed around the world. At the time of the study, Kaspersky said around 29% of gas stations in India, and 27% in the US, were connected to the Internet.
The user manuals from the manufacturer of the embedded box included screenshots, default credentials, different commands, and a step-by-step guide on how to access and manage each of the interfaces, and it did not require a skilled hacker to access the dashboard.
Once you have access to the dashboard you could potentially do some fun things:
Shut down all fueling systems
Cause fuel leakage and risk of casualties
Change fueling price
Circumvent payment terminal to steal money
Scrape vehicle license plates and driver identities
Halt the station’s operation, demanding a ransom in exchange
Execute code on the controller unit
Move freely within the gas station network
Further investigation of the firmware also revealed hardcoded username and password, as well as insecure code allowing remote code execution. Those vulnerabilities were fixed four years ago, but it remains to be seen if all affected embedded boxes (gateways) were updated.
Tomi Engdahl says:
NRA confirms last year’s ransomware attack
A Russian hacking group took credit for the hack
https://www.theverge.com/2022/3/19/22986501/nra-confirms-ransomware-attack-hack
Tomi Engdahl says:
Anonymous hacked Omega Company, the in-house R&D unit of Transneft, the Russian oil pipeline giant, and leaked stolen data.
https://securityaffairs.co/wordpress/129276/data-breach/anonymous-transneft-data-leak.html
Tomi Engdahl says:
okta hacked, supposedly, by lapsus. JFC is this gonna be like log4j all over again?
Authentication firm Okta probes report of digital breach
https://www.reuters.com/technology/authentication-services-firm-okta-says-it-is-investigating-report-breach-2022-03-22/
Authentication services provider Okta Inc (OKTA.O) is investigating a report of a digital breach, the company said on Tuesday, after hackers posted screenshots showing what they claimed was its internal company environment.
A hack at Okta could have major consequences because thousands of other companies rely on the San Francisco-based firm to manage access to their own networks and applications.
In a statement, Okta official Chris Hollis said the breach could be related to an earlier incident in January, which was contained.