This posting is here to collect cyber security news in March 2022.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
Tomi Engdahl says:
https://www.androidpolice.com/dozens-of-budget-android-phones-are-at-risk-due-to-a-critical-security-flaw/
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/north-korean-hackers-exploit-chrome-zero-day-weeks-before-patch/
Tomi Engdahl says:
Some developers are fouling up open-source software
From ethical concerns, a desire for more money, and simple obnoxiousness, a handful of developers are ruining open-source for everyone.
https://www.zdnet.com/article/some-developers-are-fouling-up-open-source-software/
For example, JavaScript’s package manager maintainer RIAEvangelist, Brandon Nozaki Miller, wrote and published an open-code npm source-code package called peacenotwar. It did little but print a message for peace to desktops. So far, so harmless.
Miller then inserted malicious code into the package to overwrite users’ filesystems if their computer had a Russia or Belarus IP address. He then added it as a dependency to his popular node-ipc program and instant chaos! Numerous servers and PCs went down as they updated to the newest code and then their systems had their drives erased.
Miller’s defense, “This is all public, documented, licensed and open source,” doesn’t hold up.
Tomi Engdahl says:
Seven teenagers arrested in connection with the Lapsus$ hacking group
Reports surfaced Wednesday indicating a teenager is the group’s mastermind
https://www.theverge.com/2022/3/24/22994563/lapsus-hacking-group-london-police-arrest-microsoft-nvidia
City of London Police have arrested seven teenagers due to their suspected connections with a hacking group that is believed to be the recently prolific Lapsus$ group, BBC News reports.
Lapsus$ has taken responsibility for some major security breaches at tech companies, including Nvidia, Samsung, Ubisoft, Okta, and Microsoft. On Wednesday, reports surfaced indicating an Oxford-based teenager is the mastermind of the group. City of London Police did not say if this teenager was among those arrested.
Lapsus$: Oxford teen accused of being multi-millionaire cyber-criminal
https://www.bbc.com/news/technology-60864283
A 16-year-old from Oxford has been accused of being one of the leaders of cyber-crime gang Lapsus$.
The teenager, who is alleged to have amassed a $14m (£10.6m) fortune from hacking, has been named by rival hackers and researchers.
City of London Police say they have arrested seven teenagers in relation to the gang but will not say if he is one.
Tomi Engdahl says:
Group of men ‘hack petrol pumps with device to push prices down’ as fuel prices soar
https://lm.facebook.com/l.php?u=https%3A%2F%2Fwww.mirror.co.uk%2Fnews%2Fworld-news%2Fgroup-men-hack-petrol-pumps-26530230&h=AT1j2YllDW9EVnl9l6yEbcxNOMP-oNtg4ogWRt3FJNU1DUQYDsp-KRVZxjyV11nUhPMRiaPBWaEmUNYATevZt_PK3VAxrk6y4A8ECgWJJFssfmCFqm3FijqoGZ8S4FPp7A
The men are said to have installed sophisticated “pulsators” inside pumps that regulate price and fuel flow, with the device sending price per litre downwards
Tomi Engdahl says:
Emergency Google Chrome update fixes zero-day used in attacks
https://www.bleepingcomputer.com/news/security/emergency-google-chrome-update-fixes-zero-day-used-in-attacks/
Google has released Chrome 99.0.4844.84 for Windows, Mac, and Linux users to address a high-severity zero-day bug exploited in the wild.
“Google is aware that an exploit for CVE-2022-1096 exists in the wild,” the browser vendor said in a security advisory published on Friday.
The 99.0.4844.84 version is already rolling out worldwide in the Stable Desktop channel, and Google says it might be a matter of weeks until it reaches the entire userbase.
Tomi Engdahl says:
Dept. of Justice Charges Three FSB Officers for Cyberattacks
https://sudosecurity.org/blog/doj-charges-3-russian-fsb/
It’s finally time that the US Department of Justice (DoJ) has charged three Russian FSB officers and a programmer that worked for a Russian military research institute. The past attacks were against industrial control systems (ICS) operated by critical infrastructure providers.
Each of the attacks involves the 2017 Triton malware that was designed to infect safety instrumented system (SIS) controllers made by Schneider Electric’s Triconex division. In the 2013 attack, the Havex remote access Trojan was used, which included a module to map supervisory control and data acquisition (SCADA) systems on networks. These malware threats were used against energy sector organizations including oil and gas (which a lot of us are not liking right now due to the prices of something we all need), nuclear power plants, and power transmission companies.
Tomi Engdahl says:
These attacks are gaining more and more traction now, since everyone is using DDoS protection from Cloudflare or it is built into people’s hosting packages, so a new attack vector is showing its face since the pandemic has forced more people online instead of into the office.
Application Layer Attacks can defeat DDoS Protection
https://sudosecurity.org/blog/app-layer-attacks-ddos-attacks/
Tomi Engdahl says:
Morgan Stanley client accounts breached in social engineering attacks
https://www.bleepingcomputer.com/news/security/morgan-stanley-client-accounts-breached-in-social-engineering-attacks/
Morgan Stanley Wealth Management, the wealth and asset management division of Morgan Stanley, says some of its customers had their accounts compromised in social engineering attacks.
The account breaches were the result of vishing (aka voice phishing), a social engineering attack where scammers impersonate a trusted entity (in this case Morgan Stanley) during a voice call to convince their targets into revealing or handing over sensitive information such as banking or login credentials.
Tomi Engdahl says:
U.S. Federal Communications Commission (FCC) has added Russian cybersecurity firm Kaspersky Lab and two Chinese telecom firms on its list of national security threats, saying they pose an “unacceptable risk” to the country’s national security.
https://thehackernews.com/2022/03/fcc-adds-kaspersky-and-chinese-telecom.html?m=1
Tomi Engdahl says:
In this case, CISA gives federal agencies until April 15, 2022, to patch the listed vulnerabilities and reduce the risk of falling victim to cyberattacks.
CISA adds 66 vulnerabilities to list of bugs exploited in attacks
https://www.bleepingcomputer.com/news/security/cisa-adds-66-vulnerabilities-to-list-of-bugs-exploited-in-attacks/
Tomi Engdahl says:
Google Issues Emergency Security Update For 3.2 Billion Chrome Users—Attacks Underway
https://www.forbes.com/sites/daveywinder/2022/03/26/google-confirms-emergency-security-update-for-32-billion-chrome-users-attacks-underway/
Google has issued an emergency security update for all Chrome users as it confirms that attackers are already exploiting a high severity zero-day vulnerability.
The emergency update to version 99.0.4844.84 of Chrome is highly unusual in that it addresses just a single security vulnerability. A fact that only goes to emphasize how serious this one is.
In a Chrome stable channel update announcement, published March 25, Google confirms it “is aware that an exploit for CVE-2022-1096 exists in the wild.”
Tomi Engdahl says:
The Fragile Open Source Ecosystem Isn’t Ready for ‘Protestware’
A recent uptick in disruptions to open source software, including incidents aimed at objecting to Russia’s war in Ukraine, have left the community on edge.
https://www.wired.com/story/open-source-sabotage-protestware/
Tomi Engdahl says:
Critical Sophos Firewall vulnerability allows remote code execution
https://www.bleepingcomputer.com/news/security/critical-sophos-firewall-vulnerability-allows-remote-code-execution/
Tomi Engdahl says:
FCC Warns That Kaspersky Poses National Security Risk
As do China Mobile and China Telecom, according to the commission.
https://uk.pcmag.com/security/139453/fcc-warns-that-kaspersky-poses-national-security-risk
The FCC has added Kaspersky, China Mobile, and China Telecom to the list of companies affected by the Secure and Trusted Communications Networks Act of 2019.
The so-called Covered List includes companies “that are deemed to pose an unacceptable risk to the national security of the United States or the security and safety of United States persons,” the commission explains, typically because of their connections to foreign governments.
The addition of Kaspersky, China Mobile, and China Telecom nearly doubles the number of companies on the Covered List. The FCC’s initial list included five companies—Huawei, ZTE, Hytera, Hikvision, and Dahua—when it was formally announced in March 2021.
Tomi Engdahl says:
Emergency update for Chrome and Edge: go to this menu right away https://www.is.fi/digitoday/tietoturva/art-2000008711572.html
Tomi Engdahl says:
Ghostwriter in the Shell: Expanding on Mandiant’s Attribution of UNC1151 to Belarus
https://www.recordedfuture.com/ghostwriter-in-the-shell/
This research expands on Mandiant’s public attribution of UNC1151 and Ghostwriter activity to entities in Belarus and describes Russian military organizational influence in Minsk, substantiating a likely nexus to Russian interests. The time frame for our research spans between March 2017 through the present and employs data from the Recorded Future Platform with open source enrichment. It is intended to provide a foundation for understanding the relationship between the threat actor(s) and the broader influences and drivers for activity, as well as augment existing cybersecurity industry reporting and address established knowledge gaps in the understanding of UNC1151 and Ghostwriter activity. This report will be of interest to cybersecurity professionals who track advanced persistent threat actors as well as those seeking greater information on UNC1151 and Ghostwriter.
Tomi Engdahl says:
Google Maps just got lost for a few hours https://www.theregister.com/2022/03/18/google_maps_outage/
Google Maps Platform services went missing for a few hours on Friday as various APIs fell over. Around 0847 am PDT (1347 UTC), users of Google Maps Platform services began reporting problems. These surfaced on crowdsourced reporting sites like DownDetector.com and on the Maps Platform Status Page. The service status page indicated that the Directions API, Gaming Services, Maps Embed API, Maps JavaScript API, Maps Static API, and Places Library all experienced outages.
Tomi Engdahl says:
FBI: Avoslocker ransomware targets US critical infrastructure https://www.bleepingcomputer.com/news/security/fbi-avoslocker-ransomware-targets-us-critical-infrastructure/
“AvosLocker is a Ransomware as a Service (RaaS) affiliate-based group that has targeted victims across multiple critical infrastructure sectors in the United States including, but not limited to, the Financial Services, Critical Manufacturing, and Government Facilities sectors,” the FBI said. The advisory provides network defenders with indicators of compromise (IOCs) they can use to detect and block AvosLocker ransomware attacks. AvosLocker has seen a spike in activity between November and December 2021 and is still constantly hitting and encrypting at least a handful of victims each month based on ID-Ransomware submissions.
Tomi Engdahl says:
Western Digital app bug gives elevated privileges in Windows, macOS https://www.bleepingcomputer.com/news/security/western-digital-app-bug-gives-elevated-privileges-in-windows-macos/
Western Digital’s EdgeRover desktop app for both Windows and Mac is vulnerable to local privilege escalation and sandboxing escape bugs that could allow the disclosure of sensitive information or denial of service (DoS) attacks. EdgeRover is a centralized content management solution for Western Digital and SanDisk products, unifying multiple digital storage devices under a single management interface. The vulnerability, tracked as CVE-2022-22998, is a directory traversal bug, allowing unauthorized access to restricted directories and files.
The vulnerability has been given a CVSS v3 severity rating of 9.1, categorizing the flaw as critical.
Tomi Engdahl says:
Is That Wordle Clone App Tracking You? Betteridge’s Law Does Not Apply https://www.forbes.com/sites/daveywinder/2022/03/20/todays-wordle-clone-answer-is-track-say-privacy-researchers/
You don’t need me to tell you how popular Wordle is. You might, however, have needed me to reveal just the other week how ad-trackers had slipped into the puzzler since being acquired by The New York Times. But what about the multitude of Wordle clone apps that have popped up, and mopped up, since the stunning success of the original word game? Are they tracking you or assisting third parties in doing so? The privacy researchers analyzed network traffic from some of the most popular Wordle clones, with more than 10 million downloads between them this year, and determined they collectively gave advertisers access to “significant user data.”
Tomi Engdahl says:
Hackers claim to breach TransUnion South Africa with ‘Password’ password
https://www.bleepingcomputer.com/news/security/hackers-claim-to-breach-transunion-south-africa-with-password-password/
TransUnion South Africa has disclosed that hackers breached one of their servers using stolen credentials and demanded a ransom payment not to release stolen data. According to the company’s statement, an unauthorized person obtained access to a server based in South Africa using stolen credentials. A Brazilian hacking group known as “N4ughtysecTU” has claimed responsibility for the attack and told BleepingComputer that they downloaded 4TB of data during the cyberattack. The “N4ughtysecTu” threat actor also told us they didn’t steal any user credentials but performed a brute force attack on the SFTP server. The account they ultimately breached was allegedly using the password “Password”, so it was quick and straightforward to brute-force.
Tomi Engdahl says:
Fury As Okta, The Company That Manages 100 Million Logins, Fails To Tell Customers About Breach For Months https://www.forbes.com/sites/thomasbrewster/2022/03/22/fury-as-okta-the-company-that-manages-100-million-logins-fails-to-tell-customers-about-breach-for-months/
Okta, the $25 billion market cap company that handles logins for more than 100 million users, today confirmed it suffered a breach in January via a third party customer support provider. But for some customers who spoke to Forbes, the disclosure was too late and too scant with information. While Okta’s statement would indicate the hack isn’t severe, what has concerned onlookers and customers is the communication, or lack thereof, from Okta. It’s been nearly two months since the initial hack and not a word from the company until Tuesday, not long after LAPSUS$ claimed credit for the breach. Multiple security professionals who spoke with Forbes said they were outraged by the lack of disclosure from Okta, though declined to comment on record.
Tomi Engdahl says:
LAPSUS$ & OKTA: The Cyber Attacks Continue https://blog.checkpoint.com/2022/03/22/lapsuss-okta-the-cyber-attacks-continue/
Lapsus$, a Portuguese-speaking hacking group from Brazil, has recently been linked to cyber attacks on some high-profile targets. The cyber gang is best known for publishing sensitive information stolen from major technology companies and governments. The group has boasted of breaking into Nvidia, Samsung, Ubisoft and others. How the group managed to breach these targets has never been fully clear to the public. If true, the breach at Okta may explain how Lapsus$ has been able to achieve part of its recent string of successes. Lapsus$ commenced its activity in December 2021. Most of its activities are focused around breaching different governmental agencies and technology companies.
Since the beginning of its operations, the group has been viewed as a “ransomware group”, although its modus operandi so far has been very different from that of a regular ransomware group, as they do not encrypt the systems of their victims.
Lapsus$ hackers leak 37GB of Microsoft’s alleged source code https://www.bleepingcomputer.com/news/microsoft/lapsus-hackers-leak-37gb-of-microsofts-alleged-source-code/
Monday night, the hacking group posted a torrent for a 9 GB 7zip archive containing the source code of over 250 projects that they say belong to Microsoft. When posting the torrent, Lapsus$ said it contained 90% of the source code for Bing and approximately 45% of the code for Bing Maps and Cortana. Even though they say only some of the source code was leaked, BleepingComputer is told that the uncompressed archive contains approximately 37GB of source code allegedly belonging to Microsoft. Security researchers who have pored over the leaked files told BleepingComputer that they appear to be legitimate internal source code from Microsoft.
Tomi Engdahl says:
DEV-0537 criminal actor targeting organizations for data exfiltration and destruction https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/
The activity we have observed has been attributed to a threat group that Microsoft tracks as DEV-0537, also known as LAPSUS$. DEV-0537 is known for using a pure extortion and destruction model without deploying ransomware payloads. DEV-0537 started targeting organizations in the United Kingdom and South America but expanded to global targets, including organizations in government, technology, telecom, media, retail, and healthcare sectors. Unlike most activity groups that stay under the radar, DEV-0537 doesn’t seem to cover its tracks. They go as far as announcing their attacks on social media or advertising their intent to buy credentials from employees of target organizations. DEV-0537 also uses several tactics that are less frequently used by other threat actors tracked by Microsoft. Their tactics include phone-based social engineering: SIM-swapping to facilitate account takeover, accessing personal email accounts of employees at target organizations, paying employees, suppliers, or business partners of target organizations for access to credentials and multifactor authentication approval; and intruding in the ongoing crisis-communication calls of their targets.
Tomi Engdahl says:
Ransomware group attacks Scottish mental health charity https://therecord.media/ransomware-group-attacks-scottish-mental-health-charity/
A Scottish mental health charity is in the process of recovering from a ransomware incident after it was attacked last Thursday. The attack on the Scottish Association for Mental Health (SAMH) was first reported by BBC Scotland, and Emsisoft threat analyst Brett Callow confirmed to The Record that the RansomExx ransomware group claimed credit for the incident. By Monday, SAMH chief executive Billy Watson issued a second statement condemning the attack. “We are devastated by this attack. It is difficult to understand why anyone would deliberately try to disrupt the work of an organization that is relied on by people at their most vulnerable. Our priority is to continue to do everything we can to deliver our vital services,” Watson said. The organization recently showed up on the leak site of RansomExx, and Callow said the group is generally less interested in publicity than other ransomware groups. The group claims to have stolen about 12GB of data from SAMH during the attack.
Tomi Engdahl says:
The University of Helsinki was the target of an extensive online attack: social media posts received up to 2,500 anti-Russian comments
https://yle.fi/uutiset/3-12370984
The University of Helsinki is the target of an exceptionally extensive online attack.
Within a day, up to 2,500 comments have been sent to the university’s social media accounts from accounts that appear to be various fake profiles. The flood of comments began on Monday afternoon. The content of the messages is anti-Russian. Among other things, they demand that Russian students be stripped of their right to study. The messages may have been sent automatically, in which case this is called a bot attack. This is suggested by the fact that the messages repeat, word for word, a set of roughly 10 to 15 different message texts.
Tomi Engdahl says:
U.K. echoes Biden warning on Russian cyberattacks https://therecord.media/u-k-echoes-biden-warning-on-russian-cyberattacks/
The United Kingdom’s top cyber authority on Tuesday backed the Biden administration’s call for vigilance and beefed-up security against potential Russian digital attacks as Moscow’s invasion of Ukraine grinds to a stalemate. “In heightened periods of international tension all organisations should be vigilant to cyber risks, and for several months the NCSC has been advising organisations to bolster their cyber security,” the National Cyber Security Centre (NCSC) said in a statement. While the NCSC is “unaware of specific, targeted threats to the U.K. resulting from Russia’s illegal invasion of Ukraine”, the organization recommended entities follow previously published advice on how to better protect their networks and systems against hackers.
See also:
https://www.ncsc.gov.uk/news/ncsc-supports-white-house-call-for-increased-precautions
Tomi Engdahl says:
Top Russian meat producer hit with Windows BitLocker encryption attack https://www.bleepingcomputer.com/news/security/top-russian-meat-producer-hit-with-windows-bitlocker-encryption-attack/
Moscow-based meat producer and distributor Miratorg Agribusiness Holding has suffered a major cyberattack that encrypted its IT systems, according to a report from Rosselkhoznadzor – the Russian federal veterinary and phytosanitary supervision service. The announcement notes that the attackers leveraged the Windows BitLocker feature to encrypt files, essentially performing a ransomware attack.
According to the agency, the reason behind the attack appears to be sabotage and not financial, since Miratorg is one of Russia’s largest food suppliers. The point of compromise was VetIS, a state information system used by veterinary services and companies engaging in the field, making it likely a supply chain compromise, although more clarification is needed in this regard.
Tomi Engdahl says:
Greece’s public postal service offline due to ransomware attack https://www.bleepingcomputer.com/news/security/greeces-public-postal-service-offline-due-to-ransomware-attack/
ELTA, the state-owned provider of postal services in Greece, has disclosed a ransomware incident detected on Sunday that is still keeping most of the organization’s services offline. An initial statement about the attack came on Monday, when ELTA announced the cause of a service disruption, claiming that its immediate response and isolation of the entire data center had helped mitigate the impact. In a new announcement today, the organization has shared more details about the incident and updated its customers about the extent of the service outages. More specifically, its IT teams have determined that the threat actors exploited an unpatched vulnerability to drop malware that allowed access to one workstation using an HTTPS reverse shell.
Tomi Engdahl says:
F-Secure splits up: Mikko Hyppönen got his fourth employer, even though he has never changed jobs https://www.is.fi/digitoday/tietoturva/art-2000008699350.html
The security company F-Secure, headquartered in Helsinki and founded in 1988 as Data Fellows, has announced that it will split into two companies. At an event held today, the future of the new company, named WithSecure, was presented. WithSecure focuses on corporate customers and cybersecurity. Its products include cloud-based, intelligent endpoint protection, content protection in cloud services, a managed security attack prevention, detection and response service, and cybersecurity consulting. Technically, the change is implemented by renaming F-Secure to WithSecure.
Later, a consumer-focused business, F-Secure Corporation, will be spun off from the company, with Timo Laaksonen as its CEO.
Consumer security products and services will continue under the F-Secure brand.
Tomi Engdahl says:
Zoom agrees privacy conditions, gets low-risk rating from Netherlands https://www.theregister.com/2022/03/21/zoom_dpia/
Hot on the heels of Microsoft’s report card from the Dutch department of Justice and Security comes news of rival messaging platform Zoom receiving a nod via a renewed Data Protection Impact Assessment (DPIA). The assessment was performed by the Privacy Company and was commissioned by SURF (the purchasing organisation for Netherlands’ universities). The first assessment kicked off in 2020 and by May 2021 [PDF] concluded that there were nine high and three low data protection risks for users of the video conferencing platform. These risks included worries about where personal data was actually being processed and the retention of customer data. The latest DPIA, however, has given the US videoconferencing giant the green light, albeit with some provisos. Risks remain, but according to the Privacy Company “universities and government organisations can mitigate these risks themselves.” The latest DPIA also suggested some mitigations of the low risks, such as enabling end-to-end encryption for all calls, meetings and chats and warning users “that E2EE is technically not possible when using Zoom via the browser, and that the browser should therefore only be used for non-confidential sessions such as attending a class.”
Tomi Engdahl says:
OVHcloud datacenter ‘lacked’ automatic fire extinguishers and electrical cutoff https://www.theregister.com/2022/03/22/ovhcloud_fire_datacenter/
The OVHcloud datacenter in Strasbourg, France, that was destroyed in a fire last year had no automatic fire extinguisher system nor an electrical cutoff mechanism, according to a report from the Bas-Rhin fire service. It describes several issues that contributed to the destructiveness of the blaze, including the presence of toxic fumes from lead batteries, a wooden ceiling rated to resist fire for only an hour, and two inner courtyards that acted as “fire chimneys.”
Tomi Engdahl says:
Storm Cloud on the Horizon: GIMMICK Malware Strikes at macOS https://www.volexity.com/blog/2022/03/22/storm-cloud-on-the-horizon-gimmick-malware-strikes-at-macos/
In late 2021, Volexity discovered an intrusion in an environment monitored as part of its Network Security Monitoring service. Volexity detected a system running frp, otherwise known as fast reverse proxy, and subsequently detected internal port scanning shortly afterward.
This traffic was determined to be unauthorized and the system, a MacBook Pro running macOS 11.6 (Big Sur), was isolated for further forensic analysis. This led to the discovery of a macOS variant of a malware implant Volexity calls GIMMICK. Volexity has encountered Windows versions of the malware family on several previous occasions.
GIMMICK is used in targeted attacks by Storm Cloud, a Chinese espionage threat actor known to attack organizations across Asia. It is a feature-rich, multi-platform malware family that uses public cloud hosting services (such as Google Drive) for command-and-control (C2) channels. The newly identified macOS variant is written primarily in Objective C, with Windows versions written in both .NET and Delphi.
Tomi Engdahl says:
What is Arid Gopher? An Analysis of a New, Never-Before-Seen Malware Variant https://www.deepinstinct.com/blog/arid-gopher-the-newest-micropsia-malware-variant
The team recently encountered an executable file written in the Go programming language. The identified file was initially submitted to VirusTotal on December 29, 2021 and was detected by only six security vendors. After initial inspection, two additional similar files written in Go have been found. During the analysis of these files, the team identified a previously unseen variant of Arid Gopher malware; the new unknown malware is a variant of the Micropsia malware, written and used exclusively by APT-C-23 (Arid Viper). This strain of malware was first identified in 2017 by “360 Security,” but later re-named to Micropsia. This malware targets computers running Windows OS and has primarily been used to target the Middle East region, with specific interest against Palestinian targets. Arid Viper also has a unique Android malware that has been used against Israeli targets. Arid Viper has been previously linked to the Hamas organization. In April 2021, Facebook (now Meta) published a threat report about Arid Viper. In the report they identified a new iOS malware developed by APT-C-23.
Facebook highlighted the specifics of how the threat actor had constantly changed the programming language used for developing the Micropsia malware which included Pascal, Delphi, C++, and even Python.
Tomi Engdahl says:
FBI and FinCEN Release Advisory on AvosLocker Ransomware https://www.cisa.gov/uscert/ncas/current-activity/2022/03/22/fbi-and-fincen-release-advisory-avoslocker-ransomware
The Federal Bureau of Investigation (FBI) and the Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) have released a joint Cybersecurity Advisory identifying indicators of compromise associated with AvosLocker ransomware. AvosLocker is a ransomware-as-a-service affiliate-based group that has targeted victims across multiple critical infrastructure sectors in the United States including, but not limited to, the Financial Services, Critical Manufacturing, and Government Facilities sectors. Advisory:
https://www.ic3.gov/Media/News/2022/220318.pdf
Tomi Engdahl says:
Deadbolt Ransomware is Back
https://censys.wpengine.com/deadbolt-ransomware-is-back/
Two months ago, in January of 2022, Censys reported on the spread of a new variant of ransomware dubbed Deadbolt. This ransomware targeted a series of network-attached storage devices (NAS) for consumers and small businesses running the QNAP QTS (Linux-based) operating system.
What makes this particular variant unique is its communication with the victim. Instead of encrypting the entire device, which effectively takes the device offline (and out of the purview of Censys), the ransomware only targets specific backup directories for encryption and vandalizes the web administration interface with an informational message explaining how to remove the infection. This recent attack started slowly, with two new infections (a total of 373 infections) on March 16th, and over the course of three days, Censys observed 869 newly infected services. By March 19th, the number of Deadbolt-infected services had risen to 1,146!
Tomi Engdahl says:
Okta Hack Exposes A Huge Hole In Tech Giant Security https://www.forbes.com/sites/thomasbrewster/2022/03/23/okta-hack-exposes-a-huge-hole-in-tech-giant-security/
Under Costa Rica’s sunny skies, in a pastel-colored office space northwest of the capital San José, employees are beavering away in their cubicles, answering calls and providing tech support for customers. They work for a little-known outsourcing firm called Sykes.
Most people have never heard of the company, even though it’s now part of Sitel Group. According to LinkedIn profiles, its staff have done contract work for companies that are instantly recognizable, such as Amazon and Cisco, to name two. Working as a Sykes customer-support employee requires access to data of the contracting company’s big-name clients. That access, it turns out, is very attractive to hackers.
Sykes confirmed to Forbes that “parts” of its network were hacked in January, claiming it didn’t believe any serious breach had occurred and there was no longer a risk for its corporate customers (or for the customers of its customers). Okta later said that the breach lasted five days and allowed the hackers to reset passwords and those one-time codes.
Tomi Engdahl says:
New information about the cyberattack on the University of Helsinki: Some of the messages appear to come from Ukrainian people rather than bots
https://yle.fi/uutiset/3-12371862
The University of Helsinki's social media experts have updated their picture of the online attack earlier this week. Many of the messages sent to social media may in fact have come from real Ukrainian individuals. During Monday and Tuesday afternoon, an unprecedented number of messages, as many as 2,500, poured into the university's social media. Their content was anti-Russian. The hostile messages were directed at the university's Russian students and researchers. Among other things, the messages called for sanctions against Russians. The university has now analysed the messages more closely with the help of researchers. According to the university's new assessment, this was not the work of bots, i.e. automated messaging, but an operation run from manually maintained accounts.
Tomi Engdahl says:
A line drawn in the network
https://yle.fi/uutiset/3-12370108
Cyber war has been declared to have begun several times over the past decades. In hindsight, those declarations have proved premature.
Is it different now? Over the past eight years, Russian hackers have repeatedly broken into the systems of Ukrainian authorities, banks, media outlets and companies. Denial-of-service attacks are an everyday occurrence, and several dangerous pieces of malware have spread from Ukraine to the rest of the world. Cyber war is a term that is difficult to define.
Generally it means the exploitation of information technology alongside military operations. On the other hand, cyber warfare is often considered to include not only cyberattacks against enemy systems but also network reconnaissance and espionage. The boundaries of cyber war are far blurrier than those of conventional war, which are not entirely clear either. If network intelligence conducted by states is cyber war, we have been fighting a global cyber war for decades. If, on the other hand, advanced cyberattacks must be linked to physical military action, the world's first cyber war may still lie ahead.
Tomi Engdahl says:
Bad Actors Trying to Capitalize on Current Events via Shameless Email Scams https://www.fortinet.com/blog/threat-research/bad-actors-capitalize-current-events-email-scams
Malicious email and phishing scams are usually topical and follow a pattern of current events. They are usually crafted around calendar and/or trending issues as attackers realize that victims are interested in all things relevant to the moment. Threat actors are aware that not all recipients will bite, but some will, hence the origination of the term “phishing.” Threat actors often put in the least amount of work possible for a maximum return, sending out phishing emails to thousands of targets. Even if less than one percent of victims respond, the return on investment is still significant due to the gain of PII and/or establishing a foothold within an organization using stolen credentials, malware, or other means. This blog highlights some examples we’ve encountered that may help users better spot suspicious emails. Recent examples observed by FortiGuard Labs include emails related to tax season and the Ukrainian conflict, which reflect the timeliness of current and newsworthy events at the time of writing.
Tomi Engdahl says:
MS Office Files Involved Again in Recent Emotet Trojan Campaign Part II https://www.fortinet.com/blog/threat-research/ms-office-files-involved-again-in-recent-emotet-trojan-campaign-part-ii
Fortinet’s FortiGuard Labs recently captured more than 500 Microsoft Excel files involved in a campaign to deliver a fresh Emotet Trojan onto the victim’s device. Emotet, known as a modular Trojan, was first discovered in the middle of 2014. Since then, it has become very active, continually updating itself. Emotet uses social engineering, like email, to lure recipients into opening attached document files (including Word, Excel, PDF, etc.) or to click links within the content of the email that downloads the latest Emotet variant onto the victim’s device and then executes it. In Part I, I explained how this variant of Emotet is spread by malicious VBA code in Excel documents, how the downloaded malware runs within a Rundll32 program, what kind of anti-analysis techniques this variant uses, how it encrypts and submits its victim’s data to its C2 server, what it does when it receives data from the C2 server, and to enable persistence on the victim’s device. In this post, you will learn what the data in response packets with malicious modules look like, what modules have been received from the C2 server for the current Emotet campaign, and how they are deployed in the victim’s device. You will also discover what sensitive data those modules steal from a victim’s device.
Tomi Engdahl says:
FBI adds Russian cybercrime market suspect to its ‘Cyber Most Wanted’ list
https://therecord.media/fbi-adds-russian-cybercrime-market-suspect-to-its-cyber-most-wanted-list/
A Russian national accused of running a cybercrime forum that sold stolen credentials and sensitive information faces up to 20 years in federal prison, the Department of Justice announced Tuesday evening.
The 23-year-old Igor Dekhtyarchuk, who remains at large, allegedly began promoting the sale of stolen data as early as April 2018. The market he is accused of running, called ‘Marketplace A’, did not begin operating until May of that same year, the DoJ said. FBI investigators were able to track Dekhtyarchuk’s presence in the hacking community back to November 2013, when he joined hacker forums under the alias ‘floraby’. According to the FBI’s wanted poster, Dekhtyarchuk previously studied at Ural State University and was last known to reside in Kamensk-Uralsky, a mid-size city about 150 miles north of Russia’s border with Kazakhstan. He’s wanted for wire fraud, aggravated identity theft, and access device fraud, among other charges.
Tomi Engdahl says:
AvosLocker ransomware: what you need to know https://www.tripwire.com/state-of-security/security-data-protection/avoslocker-ransomware-what-you-need-to-know/
AvosLocker is a ransomware-as-a-service (RaaS) gang that first appeared in mid-2021. It has since become notorious for its attacks targeting critical infrastructure in the United States, including the sectors of financial services, critical manufacturing, and government facilities. In March 2022, the FBI and US Treasury Department issued a warning about the attacks. The group’s leak site on the dark web lists victims around the world, including the United Kingdom, Germany, Canada, China, Spain, Belgium, Turkey, UAE, Syria, Saudi Arabia, and Taiwan. Many of the attacks will have been undertaken by other criminals who are working with the AvosLocker group as affiliates.
Tomi Engdahl says:
Serious Security: DEADBOLT, the ransomware that goes straight for your backups https://nakedsecurity.sophos.com/2022/03/23/serious-security-deadbolt-the-ransomware-that-goes-straight-for-for-your-backups/
In January 2021, reports surfaced of a backup-busting ransomware strain called Deadbolt, apparently aimed at small businesses, hobbyists and serious home users. As far as we can see, Deadbolt deliberately chose a deadly niche in which to operate: users who needed backups and were well-informed enough to make them, but who didn’t have the time or funds to look after those backups as a full-time task, or even as part of a reliable part-time routine. Many ransomware attacks unfold with cybercriminals breaking into your network, mapping out all your computers, scrambling all the files on all of them in unison, and then changing everyone’s wallpaper to show a blackmail demand along the lines of, “Pay us $BIGVAL and we’ll send you a decryption key to unlock everything.” Deadbolt, however, ignores the desktops and laptops on your network, instead finding and attacking vulnerable network-attached storage (NAS) devices directly over the internet.
Tomi Engdahl says:
Who are the Lapsus$ hackers and what do they want?
https://www.zdnet.com/article/who-are-lapsus-and-what-do-they-want
A prolific hacking gang has been making a name for itself with a string of cyberattacks against a range of high-profile targets. In the space of just a few days, a group known as Lapsus$ revealed that it has stolen data from big-name organisations including Microsoft and Okta. Also:
https://www.bloomberg.com/news/articles/2022-03-23/teen-suspected-by-cyber-researchers-of-being-lapsus-mastermind?sref=ylv224K8
Also: https://unit42.paloaltonetworks.com/lapsus-group/
Also: https://krebsonsecurity.com/2022/03/a-closer-look-at-the-lapsus-data-extortion-group/
Tomi Engdahl says:
Okta names Sitel in Lapsus$ security incident impacting up to 366 customers https://www.zdnet.com/article/okta-names-sitel-in-security-incident-potentially-impacting-hundreds-of-customers
Sitel has been named as the third-party allegedly responsible for a recent security incident experienced by Okta.
Tomi Engdahl says:
North Korean hackers exploit Chrome zero-day weeks before patch https://www.bleepingcomputer.com/news/security/north-korean-hackers-exploit-chrome-zero-day-weeks-before-patch/
North Korean state hackers have exploited a zero-day, remote code execution vulnerability in Google Chrome web browser for more than a month before a patch became available, in attacks targeting news media, IT companies, cryptocurrency, and fintech organizations.
Tomi Engdahl says:
Large-scale npm attack targets Azure developers with malicious packages https://jfrog.com/blog/large-scale-npm-attack-targets-azure-developers-with-malicious-packages/
The JFrog Security Research team identified hundreds of malicious packages designed to steal PII in a large scale typosquatting attack.
Also:
https://www.zdnet.com/article/malicious-npm-packages-target-azure-developers-to-steal-personal-data/
Also:
https://thehackernews.com/2022/03/over-200-malicious-npm-packages-caught.html
Tomi Engdahl says:
VMware fixes command injection, file upload flaws in Carbon Black security tool https://www.theregister.com/2022/03/23/critical_bugs_vmware_carbon_black/
VMware has patched two security flaws, an OS command injection vulnerability and a file upload hole, in its Carbon Black App Control security product running on Windows. Also:
https://thehackernews.com/2022/03/vmware-issues-patches-for-critical.html