Cyber security news March 2022

This posting is here to collect cyber security news in March 2022.

I post links to security vulnerability news in the comments of this article.

You are also free to post related links to comments.

888 Comments

  1. Tomi Engdahl says:

    Hacker Group Claims Extraordinary Access to User Authentication Firm Okta
    LAPSUS$ also recently published source code for Microsoft’s Cortana and Bing.
    https://gizmodo.com/hacker-group-claims-extraordinary-access-to-user-authen-1848684491

    Hacker group LAPSUS$ posted images on its Telegram channel overnight claiming it achieved administrator access to Okta, a user authentication and data management company. And if that’s true, it’s potentially bad for a number of large firms that use Okta services.

    “For a service that powers authentication systems to many of the largest corporations (and FEDRAMP approved) I think these security measures are pretty poor.”

    The hacker group went on to post in all caps explaining that they didn’t access or steal any databases from Okta. “Our focus was ONLY on Okta customers,” the hacker group explained.

    If the screenshots are accurate they include a timestamp from January of this year, suggesting the hackers have potentially had access for months. It’s unclear whether the hackers still have access to Okta systems. But for its part, Okta claims the hackers only had limited access through a subcontractor.

    “In late January 2022, Okta detected an attempt to compromise the account of a third party customer support engineer working for one of our subprocessors,” a spokesperson for Okta, Chris Hollis, said in an email to Gizmodo early Tuesday.

    “The matter was investigated and contained by the subprocessor.”

    The hack, first reported by Reuters, comes after LAPSUS$ claimed on Monday it had gotten 37 GB worth of source code for Microsoft’s Bing search engine and the Cortana virtual assistant.

    LAPSUS$ previously hacked tech companies like Nvidia, Ubisoft, and Samsung, typically working under a data extortion model, as Bleeping Computer notes. The hacking group will acquire large amounts of sensitive data and demand money in order to get a big payout from the company that was hacked. If the sum isn’t paid, the hacking group leaks the data publicly.

  2. Tomi Engdahl says:

    Trend Micro and ASUS warn: Cyclops Blink Botnet targets ASUS Routers
    https://borncity.com/win/2022/03/20/asus-warnt-cyclops-blink-botnet-zielt-auf-router/

    The Cyclops Blink botnet has been infecting network devices around the world for several weeks. The botnet is operated by the suspected Russian Sandworm APT. Manufacturer ASUS has issued a warning this week, which is directed at users of its routers. The Cyclops Blink botnet is probably attacking ASUS routers in order to insert them into the botnet. Here is some information about it.

  3. Tomi Engdahl says:

    Activists are targeting Russians with open-source “protestware”
    At least one open-source software project has had malicious code added which aimed to wipe computers located in Russia and Belarus.
    https://www.technologyreview.com/2022/03/21/1047489/activists-are-targeting-russians-with-open-source-protestware/

  4. Tomi Engdahl says:

    F-Secure is splitting up – Mikko Hyppönen got his fourth employer, even though he has never changed jobs https://www.is.fi/digitoday/tietoturva/art-2000008699350.html

  5. Tomi Engdahl says:

    A new threat to Finland: Cybercriminals are joining the war in Ukraine and picking sides – according to Mikko Hyppönen, the situation is unprecedented
    https://www.mtvuutiset.fi/artikkeli/uusi-uhka-suomelle-kyberrikolliset-osallistuvat-ukrainan-sotaan-ja-valitsevat-puoliaan-mikko-hypposen-mukaan-tilanne-on-ennennakematon/8380544?utm_medium=referral&utm_source=upday#gs.u87j2p

    A new threat to Finland: Cybercriminals are joining the war in Ukraine and picking sides – according to Mikko Hyppönen, the situation is unprecedented
    https://f7td5.app.goo.gl/nbDFyf

    Various online actors have been involved in the war in Ukraine for some time: hobbyists known as hacktivists and, most likely, state actors such as armed forces or intelligence services. Now professional cybercriminals have also announced that they are taking part in the war.

    According to a report published by the consulting firm Accenture, cybercriminals have chosen sides in an unprecedented way since Russia attacked Ukraine and Western countries responded by supporting Ukraine. Some criminal organizations have announced that they actively support Russia in its actions, while others are acting against the country.

  6. Tomi Engdahl says:

    Hacker Steals Customer Data From Circle, BlockFi, Other Big Crypto Firms
    Hubspot said data was taken from “fewer than 30 HubSpot portals,” but didn’t provide a list of which accounts were compromised.
    https://decrypt.co/95586/hacker-steals-customer-data-circle-blockfi-big-crypto-firms

  7. Tomi Engdahl says:

    Vulnerability CVE-2022-22988 in Western Digital EdgeRover desktop application allows admin privileges (macOS, Windows)
    https://borncity.com/win/2022/03/22/schwachstelle-cve-2022-22988-in-western-digital-edgerover-desktop-anwendung-ermglicht-admin-rechte-macos-windows/

  8. Tomi Engdahl says:

    Facebook users banned ‘indefinitely’ for ignoring messages
    https://nypost.com/2022/03/21/facebook-users-banned-indefinitely-for-ignoring-messages/?utm_medium=SocialFlow&utm_campaign=SocialFlow&sr_share=facebook&utm_source=NYPFacebook

    Facebook users are being locked out of their accounts for failing to respond to a message some mistook for spam.

    People who realized the warning is actually real have since tried to follow the social network’s instructions — but an issue is apparently preventing them from regaining access.

    A notice was sent to selected accounts deemed at particular risk from hackers, telling them to enable an enhanced security feature called Facebook Protect.

    The unusual email address used, [email protected], probably didn’t help matters.

    However, those who went ahead with it claim the setup system is broken — meaning they are still locked out.

    “I got locked out from Facebook indefinitely today because I didn’t respond to emails from FB (that looked like a scam) about its new Facebook Protect system, which I was required to enable by today,” one user said.

    Another complained on Twitter, saying: “This Facebook Protect thing is so annoying because it’s not letting me turn it on and I need Facebook for work so I’m really hoping Facebook fixes the stupid code.”

    Facebook Protect is a special monitoring program for people at heightened risk of being targeted by hackers.

    This includes those working in human rights, journalists and government officials.

  9. Tomi Engdahl says:

    ‘The NSA could put the Russians back to the 19th century,’ in cyber warfare, says Christopher Rouland
    https://www.cnbc.com/video/2022/03/22/the-nsa-could-put-the-russians-back-to-the-19th-century-in-cyber-warfare-says-christopher-rouland.html

    Christopher Rouland, Phosphorus Cybersecurity CEO and former CTO of IBM, joins ‘Power Lunch’ to discuss the biggest existing cybersecurity threat, how the U.S. can best protect against cybersecurity threats and what a retaliation from the U.S. in cyber warfare would look like.
    TUE, MAR 22 2022 2:34 PM EDT

  10. Tomi Engdahl says:

    A cyberattack could lead to war. But it is very unlikely
    https://www.cnn.com/2022/03/22/politics/russian-cyberattacks-what-matters/index.html

    (CNN) – President Joe Biden issued an urgent and ominous warning to American individuals and businesses Monday, when he said “evolving intelligence” suggests Russia might be planning cyberattacks against the US.

    On Tuesday, an FBI advisory was sent to US companies in the energy, defense and financial sectors, warning of potential prep work for hacking from IP addresses in Russia.

    This activity is likely “not about espionage, it’s probably very likely about disruptive or destructive (cyber) activity,” US Cybersecurity and Infrastructure Security Agency Director Jen Easterly said during a phone briefing with industry executives and state and local government personnel, according to three sources on the call, writes CNN’s Sean Lyngaas.

  11. Tomi Engdahl says:

    Russian printers juiced by hacker antiwar messages
    https://cybernews.com/cyber-war/russian-printers-juiced-by-hacker-antiwar-messages/

    Hacktivist group GhostSec has apparently decided that even in modern warfare the pen is mightier than the sword, and is claiming to have remotely hijacked more than 300 Russian printers, forcing them to run antiwar messages until their ink runs dry.

  12. Tomi Engdahl says:

    FBI advised that hackers scanned networks of 5 US energy firms ahead of Biden’s Russia cyberattack warning
    https://www.cnn.com/2022/03/22/politics/fbi-energy-hacking-warning/index.html

    Hackers associated with Russian internet addresses have been scanning the networks of five US energy companies in a possible prelude to hacking attempts, the FBI said in a March 18 advisory to US businesses obtained by CNN.

    The FBI issued the notice days before President Joe Biden publicly warned that Kremlin-linked hackers could target US organizations as the Russian military continues to suffer heavy losses in Ukraine and as Western sanctions on the Kremlin begin to bite.

  13. Tomi Engdahl says:

    Microsoft confirms they were hacked by Lapsus$ extortion group
    https://www.bleepingcomputer.com/news/microsoft/microsoft-confirms-they-were-hacked-by-lapsus-extortion-group/

    Microsoft has confirmed that one of their employees was compromised by the Lapsus$ hacking group, allowing the threat actors to access and steal portions of their source code.

    Last night, the Lapsus$ gang released 37GB of source code stolen from Microsoft’s Azure DevOps server. The source code is for various internal Microsoft projects, including for Bing, Cortana, and Bing Maps.

  14. Tomi Engdahl says:

    Over 200,000 MikroTik Routers Worldwide Are Under the Control of Botnet Malware
    https://thehackernews.com/2022/03/over-200000-microtik-routers-worldwide.html

  15. Tomi Engdahl says:

    Microsoft confirms: we have been hacked – 37 GB of source code taken
    Jori Virtanen, 23.3.2022 07:50 | Hackers, information security, cybercrime
    The Lapsus$ hacker group has been moving at full speed.
    https://www.tivi.fi/uutiset/microsoft-vahvistaa-meidat-on-hakkeroitu-37-gt-lahdekoodia-saaliiksi/5df93081-6255-46bf-9ba6-bf6362f8a789

  16. Tomi Engdahl says:

    Security researchers warn about a popular photo app – it contains a trojan that steals user data
    22.3.2022 13:24 | updated 22.3.2022 13:24
    A sneaky piece of malware was found in an Android app that turns photos into cartoons.
    https://www.mikrobitti.fi/uutiset/tietoturvatutkijat-varoittavat-suositusta-kuvasovelluksesta-sisaltaa-kayttajatietoja-varastavan-troijalaisen/9f25b621-1a9c-4c9b-9f6d-34fb2dd9f4a9

    The Android app has already been downloaded more than 100,000 times from the Google Play store. The app is still available for download even though the malware it contains is known, reports Bleepingcomputer.

    The Android malware is disguised as the Craftsart Cartoon Photo Tools app, which can be used to turn photos into cartoons or paintings. Researchers at the mobile security company Pradeo found last week that the app contains a trojan called FaceStealer.

    https://www.bleepingcomputer.com/news/security/android-password-stealing-malware-infects-100-000-google-play-users/

  17. Tomi Engdahl says:

    What the Newly Signed US Cyber-Incident Law Means for Security
    Bipartisan cybersecurity legislation comes amid increased worries over ransomware, and fears of cyberattacks from Russia in the wake of its invasion of Ukraine.
    https://www.darkreading.com/attacks-breaches/new-cyber-incident-law-not-a-national-breach-law-but-a-major-first-step

  18. Tomi Engdahl says:

    Behold, a password phishing site that can trick even savvy users
    Just when you thought you’d seen every phishing trick out there, BitB comes along.
    https://arstechnica.com/information-technology/2022/03/behold-a-password-phishing-site-that-can-trick-even-savvy-users/

    When we teach people how to avoid falling victim to phishing sites, we usually advise closely inspecting the address bar to make sure it does contain HTTPS and that it doesn’t contain suspicious domains such as google.evildomain.com or substitute letters such as g00gle.com. But what if someone found a way to phish passwords using a malicious site that didn’t contain these telltale signs?

    One researcher has devised a technique to do just that. He calls it a BitB, short for “browser in the browser.” It uses a fake browser window inside a real browser window to spoof an OAuth page. Hundreds of thousands of sites use the OAuth protocol to let visitors log in using their existing accounts with companies like Google, Facebook, or Apple. Instead of having to create an account on the new site, visitors can use an account that they already have—and the magic of OAuth does the rest.

  19. Tomi Engdahl says:

    Hackers steal from hackers by pushing fake malware on forums
    https://www.bleepingcomputer.com/news/security/hackers-steal-from-hackers-by-pushing-fake-malware-on-forums/

    Security analysts from two companies have spotted a new case of hackers targeting hackers via clipboard stealers disguised as cracked RATs and malware building tools.

    Clipboard stealers are quite common, typically used to monitor the clipboard content of a victim to identify cryptocurrency wallet addresses and replace them with one belonging to the malware operator.

  20. Tomi Engdahl says:

    Russian Kaspersky antivirus software could be used by Kremlin to hack into computers, governments warn
    https://www.independent.co.uk/tech/kaspersky-russian-antivirus-kremlin-hack-computers-b2040418.html?utm_content=Echobox&utm_medium=Social&utm_source=Facebook#Echobox=1647884696

    Russia-based cybersecurity company Kaspersky could be subject to sanctions by the Italian government due to fears that the Kremlin could use its programs to hack websites.

  21. Tomi Engdahl says:

    People know that ransomware attacks usually end up being paid by the people who are being attacked. Yet, do we know the actual costs of these attacks, from lost profits to the downtime they experience?

    SEC Filings Show the True Cost of Ransomware Attacks
    https://sudosecurity.org/blog/true-cost-of-ransome-attacks/

    The number of ransomware attacks reached unprecedented levels in 2021, with ransomware threat actors demanding, and in many cases receiving, ransom payments in the multiple millions of dollars. The world’s largest meat processor, JBS, confirmed in June 2021 that it paid the equivalent of 11 million in ransom to respond to the criminal hack against its operations.

    Colonial Pipeline paid around 4.5 million to its ransomware attackers back in May 2021. The U.S. Department of Justice (DOJ) managed to get back around 2.3 million of that amount. In May that year, backup appliance supplier ExaGrid paid a 2.6 million ransom to cybercriminals that targeted the company with the Conti ransomware.

    The actual costs of ransomware attacks – including lost revenues – can far eclipse the simple dollar amount of any ransom paid to the actors.

  22. Tomi Engdahl says:

    A new report from BleepingComputer breaks down the problem. Tracked as CVE-2021-34484, it is a zero-day privilege escalation attack which allows hackers to take control of Windows 10, Windows 11 and Windows Server. And the shocker is Microsoft has known about it for seven months.

    Windows zero-day flaw giving admin rights gets unofficial patch, again
    https://www.bleepingcomputer.com/news/microsoft/windows-zero-day-flaw-giving-admin-rights-gets-unofficial-patch-again/

    The locally exploited vulnerability in Windows User Profile Service is tracked as CVE-2021-34484 and was given a CVSS v3 score of 7.8. While exploits have been publicly disclosed in the past, they are not believed to be actively exploited in the wild.

    The peculiarity of this case lies in the fact that Microsoft has been unable to address the flaw since its discovery last summer and that it has marked the bug as fixed twice.

    According to the 0patch team, which has been unofficially providing fixes for discontinued Windows versions and some vulnerabilities that Microsoft won’t address, the flaw is still a zero-day. In fact, Microsoft’s patches failed to fix the bug and broke 0patch’s previous unofficial patch.

  23. Tomi Engdahl says:

    Okta says hundreds of companies impacted by security breach
    https://techcrunch.com/2022/03/23/okta-breach-sykes-sitel/?tpcc=tcplusfacebook

    Okta says 366 corporate customers, or about 2.5% of its customer base, were impacted by a security breach that allowed hackers to access the company’s internal network.

    The authentication giant admitted the compromise after the Lapsus$ hacking and extortion group posted screenshots of Okta’s apps and systems on Monday, some two months after the hackers first gained access to its network.

    The breach was initially blamed on an unnamed subprocessor that provides customer support services to Okta. In an updated statement on Wednesday, Okta’s chief security officer David Bradbury confirmed the subprocessor is a company called Sykes, which last year was acquired by Miami-based contact center giant Sitel.

    Customer support companies like Sykes and Sitel often have wide access to the organizations that they support for facilitating customer requests.

  24. Tomi Engdahl says:

    New Dell BIOS Bugs Affect Millions of Inspiron, Vostro, XPS, Alienware Systems
    https://thehackernews.com/2022/03/new-dell-bios-bugs-affect-millions-of.html

    Five new security weaknesses have been disclosed in Dell BIOS that, if successfully exploited, could lead to code execution on vulnerable systems, joining the likes of firmware vulnerabilities recently uncovered in Insyde Software’s InsydeH2O and HP Unified Extensible Firmware Interface (UEFI).

    Tracked as CVE-2022-24415, CVE-2022-24416, CVE-2022-24419, CVE-2022-24420, and CVE-2022-24421, the high-severity vulnerabilities are rated 8.2 out of 10 on the CVSS scoring system.

    System Management Mode refers to a special-purpose CPU mode in x86 microcontrollers that’s designed for handling system-wide functions like power management, system hardware control, thermal monitoring, and other proprietary manufacturer-developed code.

    Whenever one of these operations is requested, a non-maskable interrupt (SMI) is invoked at runtime, which executes SMM code installed by the BIOS. Given that SMM code executes at the highest privilege level and is invisible to the underlying operating system, the method makes it ripe for abuse to deploy persistent firmware implants.

    A number of Dell products, including Alienware, Inspiron, Vostro line-ups, and Edge Gateway 3000 Series, are impacted, with the Texas-headquartered PC manufacturer recommending customers to upgrade their BIOS at the “earliest opportunity.”

  25. Tomi Engdahl says:

    Russia could be in the process of cooking up a significant cyberattack against critical infrastructure in the US.

    https://www.iflscience.com/technology/russia-may-be-preparing-for-cyberattack-on-us-white-house-warns/

  26. Tomi Engdahl says:

    A Hacker Group Just Leaked 9GB of Microsoft’s Source Code
    By Simon Batt, published 2 days ago
    This is just the tip of the iceberg, as the group has a total of 37GB of data waiting on the sidelines and ready to be leaked.
    https://www.makeuseof.com/microsoft-bing-source-code-leak/?utm_source=MUO-FB-P&utm_medium=Social-Distribution&utm_campaign=MUO-FB-P

  27. Tomi Engdahl says:

    https://www.theregister.com/2022/03/10/virgin_media_email_password_security/

    “No more than 10 alphanumerics, no special characters – in 2022?”, this report reads.

    10 alphanumerics is no more than a silly joke from the viewpoint of mathematical strength against automated brute force attacks. But we could be somewhat empathetic to those people, who might possibly have tried to be very kind to users; from the viewpoint of humans’ memory capacity, more than 10 alphanumerics with special characters are too much for many of us to manage without relying on a memo or storage.

    Starting from such a dilemma, we look to the potential of NON-TEXT secret credentials for stronger authentication, whereas some people attempt to remove the secret credentials altogether.

    They offer a seemingly-stronger authentication – ‘Seemingly-Stronger’ because it can by no means be any stronger when the defence surface is removed along with the attack surface.

    They might have been misguided this way – a smaller attack surface means a better defence so removal of the attack surface altogether should mean a yet better defence.

    They tragically overlook a critical fact, that is, it is impossible to remove the attack surface of the password without removing its defence surface. They may have looked away from the fact that an attack surface is included in a defence surface as a section of it, not vice versa.

    Those seemingly-strong authentication schemes, which bring a false sense of security, sadly make the attacks on the defence from within.

    For the false sense of security caused by ‘Seemingly-Stronger’ authentication schemes, you could refer to “False Sense of Security that is Worse than Lack of Security” https://www.linkedin.com/posts/hitoshikokumai_biometric-identity-fraud-on-the-rise-activity-6900649696822476800-qQQh

    and “Clever Solutions to Silly Passwords? – Do What You CAN NOT Do or What You MUST NOT Do” https://www.linkedin.com/posts/hitoshikokumai_democracy-privacy-ethics-activity-6910783916157136896-YJ8x

    For NON-TEXT secret credentials, please have a glance at “Solution Resides in Citizen’s Brain Unnoticed” https://www.linkedin.com/posts/hitoshikokumai_democracy-privacy-ethics-activity-6908966261007503360-_Cd_

  28. Tomi Engdahl says:

    Apple down: Music, messages, App Store, iCloud, maps and many other services suddenly knocked offline
    https://www.independent.co.uk/tech/apple-servers-down-app-store-icloud-b2040703.html

    Reports even suggested that Apple’s internal systems were facing difficulties, causing problems at its retail stores and for staff working remotely.
