Cyber security news March 2022

This posting is here to collect cyber security news in March 2022.

I post links to security vulnerability news in the comments of this article.

You are also free to post related links in the comments.

888 Comments

  1. Tomi Engdahl says:

    Chinese APT Hackers Targeting Betting Companies in Southeast Asia https://thehackernews.com/2022/03/chinese-apt-hackers-targeting-betting.html
    A Chinese-speaking advanced persistent threat (APT) has been linked to a new campaign targeting gambling-related companies in South East Asia, particularly Taiwan, the Philippines, and Hong Kong. Also:
    https://decoded.avast.io/luigicamastra/operation-dragon-castling-apt-group-targeting-betting-companies/

    Reply
  2. Tomi Engdahl says:

    HubSpot Data Breach Ripples Through Cryptocurrency Industry https://threatpost.com/hubspot-data-breach-crytocurrency-industry/179086/
    A rogue employee working at HubSpot, used by more than 135,000 (and growing) customers to manage marketing campaigns and on-board new users, has been fired over a breach that zeroed in on the company’s cryptocurrency customers, the company confirmed on Friday.

    Reply
  3. Tomi Engdahl says:

    Police warn: Do not get involved in criminal online activity, even in a crisis situation https://poliisi.fi/blogi/-/blogs/poliisi-varoittaa-ethan-lahde-mukaan-rikolliseen-verkkotoimintaan-edes-kriisitilanteessa
    According to police information and observations, the situation in Ukraine has given rise to a phenomenon in which internet users have begun committing cybercrimes against actors who are seen as being connected to the Russian attack or supporting it. We want to remind everyone that whatever the motive, it does not justify breaking the law.

    Reply
  4. Tomi Engdahl says:

    Russian nationals charged for alleged roles in DragonFly and Triton hacks https://www.zdnet.com/article/russian-nationals-charged-for-alleged-roles-in-dragonfly-and-triton-hacks
    Four Russian nationals who worked for the Russian government were charged with two sets of US indictments last year for their alleged role in hacks performed by the DragonFly and Triton groups, which both targeted critical infrastructure around the world. Also:
    https://www.is.fi/digitoday/tietoturva/art-2000008706983.html

    Reply
  5. Tomi Engdahl says:

    Security of supply situation picture: The war in Ukraine has direct and indirect effects https://www.huoltovarmuuskeskus.fi/a/huoltovarmuuden-tilannekuva-ukrainan-sodalla-suoria-ja-epasuoria-vaikutuksia
    So far, the war in Ukraine has not caused significant effects on security of supply in Finland. In logistics, the situation is harder to predict than before. Changes in sanctions and counter-sanctions are also rapid, and their effects may cause temporary disruptions to security of supply in the future.

    Reply
  6. Tomi Engdahl says:

    Researchers tie Ukraine cyber intrusion attempt to suspected Chinese threat actor ‘Scarab’
    https://therecord.media/researchers-tie-ukraine-cyber-intrusion-attempt-to-suspected-chinese-threat-actor-scarab/
    Ukraine’s Computer Emergency Response Team (CERT-UA) published evidence this week indicating that Chinese threat actors are targeting their systems publicly for the first time since Russia invaded Ukraine. Also: https://cert.gov.ua/article/38097

    Reply
  7. Tomi Engdahl says:

    Russia hacked Ukrainian satellite communications, officials believe
    https://www.bbc.com/news/technology-60796079
    Western intelligence agencies have been investigating the incident and while they have not yet made a public accusation, they believe Russia was behind it.

    Reply
  8. Tomi Engdahl says:

    URL rendering trick enabled WhatsApp, Signal, iMessage phishing https://www.bleepingcomputer.com/news/security/url-rendering-trick-enabled-whatsapp-signal-imessage-phishing/
    A rendering technique affecting the world’s leading messaging and email platforms, including Instagram, iMessage, WhatsApp, Signal, and Facebook Messenger, allowed threat actors to create legitimate-looking phishing messages for the past three years. Also:
    https://sick.codes/sick-2022-40/

    Reply
  9. Tomi Engdahl says:

    Estonian Tied to 13 Ransomware Attacks Gets 66 Months in Prison https://krebsonsecurity.com/2022/03/estonian-tied-to-13-ransomware-attacks-gets-66-months-in-prison/
    An Estonian man was sentenced today to more than five years in a U.S. prison for his role in at least 13 ransomware attacks that caused losses of approximately $53 million. Prosecutors say the accused also enjoyed a lengthy career of “cashing out” access to hacked bank accounts worldwide.

    Reply
  10. Tomi Engdahl says:

    Hackers remotely start, unlock Honda Civics with $300 tech https://www.theregister.com/2022/03/25/honda_civic_hack/
    If you’re driving a Honda Civic manufactured between 2016 and 2020, this newly reported key fob hijack should start your worry engine.

    Reply
  11. Tomi Engdahl says:

    Raccoon Stealer malware suspends operations due to war in Ukraine https://www.bleepingcomputer.com/news/security/racoon-stealer-malware-suspends-operations-due-to-war-in-ukraine/
    The cybercrime group behind the development of the Raccoon Stealer password-stealing malware has suspended its operation after claiming that one of its developers died in the invasion of Ukraine.

    Reply
  12. Tomi Engdahl says:

    HackerOne kicks Kaspersky’s bug bounty program off its platform https://www.bleepingcomputer.com/news/security/hackerone-kicks-kaspersky-s-bug-bounty-program-off-its-platform/
    Bug bounty platform HackerOne disabled Kaspersky’s bug bounty program on Friday following sanctions imposed on Russia and Belarus after the invasion of Ukraine.

    Reply
  13. Tomi Engdahl says:

    Crypto malware in patched wallets targeting Android and iOS devices https://www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices/
    ESET Research uncovers a sophisticated scheme that distributes trojanized Android and iOS apps posing as popular cryptocurrency wallets. Also:
    https://thehackernews.com/2022/03/experts-uncover-campaign-stealing.html

    Reply
  14. Tomi Engdahl says:

    US says Kaspersky poses unacceptable risk to national security https://www.bleepingcomputer.com/news/security/us-says-kaspersky-poses-unacceptable-risk-to-national-security/
    The Federal Communications Commission (FCC) added Russian cybersecurity firm Kaspersky to its Covered List, saying it poses unacceptable risks to U.S. national security.

    Reply
  15. Tomi Engdahl says:

    Western Digital patches Samba bug giving root on My Cloud devices https://www.bleepingcomputer.com/news/security/western-digital-patches-samba-bug-giving-root-on-my-cloud-devices/
    Western Digital has fixed a critical severity vulnerability that enabled attackers to gain remote code execution with root privileges on unpatched My Cloud OS 5 devices.

    Reply
  16. Tomi Engdahl says:

    Critical Sophos Firewall vulnerability allows remote code execution https://www.bleepingcomputer.com/news/security/critical-sophos-firewall-vulnerability-allows-remote-code-execution/
    Sophos has fixed a critical vulnerability in its Sophos Firewall product that allows remote code execution (RCE). Tracked as CVE-2022-1040, the authentication bypass vulnerability exists in the User Portal and Webadmin areas of Sophos Firewall.

    Reply
  17. Tomi Engdahl says:

    Purple Fox Uses New Arrival Vector and Improves Malware Arsenal https://www.trendmicro.com/en_us/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal.html
    This most recent investigation covers Purple Fox’s new arrival vector and the early access loaders we believe are associated with the intrusion set behind this botnet. Our data shows that users’ machines are targeted via trojanized software packages masquerading as legitimate application installers.

    Reply
  18. Tomi Engdahl says:

    News and updates from the Project Zero team at Google https://googleprojectzero.blogspot.com/2022/03/racing-against-clock-hitting-tiny.html
    Racing against the clock — hitting a tiny kernel race window

    Reply
  19. Tomi Engdahl says:

    Okta: “We made a mistake” delaying the Lapsus$ hack disclosure https://www.bleepingcomputer.com/news/security/okta-we-made-a-mistake-delaying-the-lapsus-hack-disclosure/
    Okta has admitted that it made a mistake delaying the disclosure of a hack by the Lapsus$ data extortion group that took place in January.

    Reply
  20. Tomi Engdahl says:

    North Korea Gov Hackers Caught Sharing Chrome Zero-Day
    https://www.securityweek.com/north-korea-gov-hackers-caught-sharing-chrome-zero-day

    Malware hunters at Google have spotted signs that North Korean government hackers are sharing zero-day browser exploits for use in waves of targeted attacks hitting U.S. news media, crypto-banks and IT organizations.

    According to new data published by Google’s TAG (Threat Analysis Group), two distinct North Korean hacker groups separately used a Chrome browser zero-day flaw in organized malware campaigns.

    The Chrome vulnerability in question – CVE-2022-0609 – was patched by Google last month with the company issuing a barebones advisory to warn of the zero-day in-the-wild exploitation.

    Reply
  21. Tomi Engdahl says:

    The Chaos (and Cost) of the Lapsus$ Hacking Carnage
    https://www.securityweek.com/chaos-and-cost-lapsus-hacking-carnage

    NEWS ANALYSIS: Security experts say the Lapsus$ gang’s “extortion and destruction” hacking spree is the work of an amateur gang allegedly led by a British teenager. What does this say about the state of cybersecurity?

    The timing for Lapsus$ attacks couldn’t possibly be worse.

    As enterprise network defenders absorbed warnings about cyberwar and confirmed reports of nation-state wiper and ransomware attacks, the Lapsus$ hacking gang stormed into public view with taunts and evidence of data-theft hacks against prominent brands NVIDIA, Samsung and Ubisoft.

    Later, Microsoft and Okta would be dragged into the victim pool with Redmond publicly documenting “a large-scale social engineering and extortion campaign” and Okta badly botching its communications with customers on the extent of its breach.

    The chaos — and ongoing controversies — caused by Lapsus$ (Microsoft calls them DEV-0537) is confirmation that attack surfaces and third-party vendor dependencies expose attack surfaces that are near impossible to defend. Worse, it confirms that even the most well-resourced organizations with the best security talent can fall victim to skilled, motivated attackers.

    Microsoft’s blog post on Lapsus$ tells the story of a loosely organized group leaving a trail of destruction after successful hacking attacks against multiple organizations around the world.

    “[The group is] known for using a pure extortion and destruction model without deploying ransomware payloads,” Microsoft warned in a note acknowledging its own systems were compromised in the high-profile raids.

    Reply
  22. Tomi Engdahl says:

    VMware Patches Critical Vulnerabilities in Carbon Black App Control
    https://www.securityweek.com/vmware-patches-critical-vulnerabilities-carbon-black-app-control
    VMware this week announced software updates that address two critical-severity vulnerabilities in its Carbon Black App Control product.
    An application allowlisting solution, Carbon Black App Control allows security teams to secure enterprise systems by locking them down to prevent unwanted changes, and to maintain continuous compliance.
    Tracked as CVE-2022-22951, the first of the two security holes is an OS command injection issue that could lead to remote code execution. The flaw exists because user input isn’t properly validated.
    An attacker looking to exploit the bug needs to be authenticated as a high-privileged user and requires network access to the App Control interface in order to execute commands on the server.

    Reply
  23. Tomi Engdahl says:

    This is how banks protect themselves against cyberattacks in Finland: ”One person cannot blow up the whole bank’s operations”
    Banking and insurance services are essential to society, which is why they are an attractive target for attacks carried out over data networks.
    https://www.iltalehti.fi/kotimaa/a/cdeacf59-43d3-4fa6-b41c-acc300bd63ea

    Reply
  24. Tomi Engdahl says:

    Sophos fixes critical hijack flaw in firewall offering
    Authentication bypass followed by remote-code execution at the network boundary
    https://www.theregister.com/2022/03/28/sophos-firewall-rce-vulnerability/

    Reply
  25. Tomi Engdahl says:

    CISA: Here are 66 more security flaws actively being used by hackers – so get patching
    Such flaws are a frequent attack vector, warns security agency.
    https://www.zdnet.com/article/cisa-here-are-66-more-security-flaws-actively-being-used-by-hackers-so-get-patching/

    Reply
  26. Tomi Engdahl says:

    Hackers weigh in on programming languages of choice
    Small, self-described sample, sure. But results show shifts over time
    https://www.theregister.com/2022/03/24/hacker_language_study/

    Reply
  27. Tomi Engdahl says:

    Adafruit Doubles Security to Prevent Raspberry Pi Bot Sales
    By Ian Evenden
    Two-factor all the way
    https://www.tomshardware.com/news/adafruit-two-factor-security-for-raspberry-pi

    Reply
  28. Tomi Engdahl says:

    23-Year-Old Russian Hacker Wanted by FBI for Running Marketplace of Stolen Logins
    https://thehackernews.com/2022/03/23-year-old-russian-hacker-wanted-by.html

    Reply
  29. Tomi Engdahl says:

    Using just a laptop, an encryption code designed to prevent a quantum computer attack was cracked in just 53 hours
    Tech institutions are trying to find ways to guarantee security as new processing systems become increasingly sophisticated
    https://english.elpais.com/science-tech/2022-03-24/using-just-a-laptop-an-encryption-code-designed-to-prevent-a-quantum-computer-attack-was-cracked-in-just-53-hours.html

    Reply
  30. Tomi Engdahl says:

    This browser-in-browser attack is perfect for phishing
    If you’re involved in malvertising, please don’t read this. We don’t want to give you ideas
    https://www.theregister.com/2022/03/18/browser_in_browser_phishing/

    A novel way of tricking people out of their passwords has left us wondering if there’s a need to rethink how much we trust our web browsers to protect us and to accelerate efforts to close web security gaps.

    Earlier this week, an infosec researcher known as mr.d0x described a browser-in-the-browser (BitB) attack. It’s a way to steal login credentials by simulating the little browser windows that Google, Microsoft, and other authentication service providers pop up that ask you for your username and password to continue. You’ve probably seen these windows: you click on something like a “Sign in with Microsoft” button on a website, and a popup appears asking for your credentials to access your account or profile.

    https://mrd0x.com/browser-in-the-browser-phishing-attack/

    Reply
  31. Tomi Engdahl says:

    Strike against hacker gang: 7 arrested, including minors https://www.is.fi/digitoday/tietoturva/art-2000008712491.html

    Reply
  32. Tomi Engdahl says:

    When Nokia Pulled Out of Russia, a Vast Surveillance System Remained https://www.nytimes.com/2022/03/28/technology/nokia-russia-surveillance-system-sorm.html
    Nokia said this month that it would stop its sales in Russia and denounced the invasion of Ukraine. But the Finnish company didn’t mention what it was leaving behind: equipment and software connecting the government’s most powerful tool for digital surveillance to the nation’s largest telecommunications network.

    Nokia responds to New York Times article of March 28 on lawful interception
    https://www.nokia.com/about-us/newsroom/statements/nokia-statement-on-new-york-times/
    The New York Times, in its article of March 28, makes claims regarding Nokia’s role in Russia’s lawful intercept system, also known by the abbreviation SORM. Nokia believes this article is misleading. As Nokia has made clear to The New York Times, Nokia does not manufacture, install or service SORM equipment or systems. Any suggestions that we do, are incorrect.

    Reply
  33. Tomi Engdahl says:

    Breaking | Mar 28, 2022, 12:40pm EDT
    https://www.forbes.com/sites/thomasbrewster/2022/03/28/huge-cyberattack-on-ukrtelecom-biggest-since-russian-invasion-crashes-ukraine-telecom/
    ‘Most Severe’ Cyberattack Since Russian Invasion Crashes Ukraine Internet Provider. A “powerful” cyberattack has hit Ukraine’s biggest fixed line telecommunications company, Ukrtelecom.

    Reply
  34. Tomi Engdahl says:

    Lapsus$ and SolarWinds hackers both use the same old trick to bypass MFA
    https://arstechnica.com/information-technology/2022/03/lapsus-and-solar-winds-hackers-both-use-the-same-old-trick-to-bypass-mfa/
    Not all MFA is created equal, as script kiddies and elite hackers have shown recently.

    Reply
  35. Tomi Engdahl says:

    Hive ransomware ports its Linux VMware ESXi encryptor to Rust https://www.bleepingcomputer.com/news/security/hive-ransomware-ports-its-linux-vmware-esxi-encryptor-to-rust/
    The Hive ransomware operation has converted their VMware ESXi Linux encryptor to the Rust programming language and added new features to make it harder for security researchers to snoop on victim’s ransom negotiations.

    Reply
  36. Tomi Engdahl says:

    New Windows security feature blocks vulnerable drivers
    https://www.bleepingcomputer.com/news/microsoft/new-windows-security-feature-blocks-vulnerable-drivers/
    Microsoft now allows Windows users to block drivers with known vulnerabilities with the help of Windows Defender Application Control (WDAC) and a vulnerable driver blocklist. Also:
    https://www.zdnet.com/article/microsoft-is-adding-a-new-driver-blocklist-feature-to-windows-defender-on-windows-10-and-11/

    Reply
  37. Tomi Engdahl says:

    Russia facing internet outages due to equipment shortage https://www.bleepingcomputer.com/news/technology/russia-facing-internet-outages-due-to-equipment-shortage/
    Russia’s RSPP Commission for Communications and IT, the country’s largest entrepreneurship union, has warned of imminent large-scale Internet service outages due to the lack of available telecom equipment.

    Reply
  38. Tomi Engdahl says:

    Muhstik Botnet Targeting Redis Servers Using Recently Disclosed Vulnerability https://thehackernews.com/2022/03/muhstik-botnet-targeting-redis-servers.html
    Muhstik, a botnet infamous for propagating via web application exploits, has been observed targeting Redis servers using a recently disclosed vulnerability in the database system.

    Reply
  39. Tomi Engdahl says:

    1,000-plus AI-generated LinkedIn faces uncovered https://www.theregister.com/2022/03/28/ai_fake_linkedin_faces/
    Two Stanford researchers have fallen down a LinkedIn rabbit hole, finding over 1,000 fake profiles using AI-generated faces at the bottom.

    Reply
  40. Tomi Engdahl says:

    Researchers Hack Remote Keyless System of Honda Vehicles
    https://www.securityweek.com/researchers-hack-remote-keyless-system-honda-vehicles

    A researcher has published proof-of-concept (PoC) videos to demonstrate how an attacker can remotely unlock the doors of a Honda vehicle, or even start its engine.

    The attack is possible because of a vulnerability in the car manufacturer’s remote keyless system (CVE-2022-27254) that appears to impact all Honda Civic (LX, EX, EX-L, Touring, Si, and Type R) models between 2016 and 2020.

    The issue is that the same unencrypted radio frequency (RF) signal is sent for commands to unlock/lock doors, open the boot, or start the engine remotely, Ayyappan Rajesh, a student at University of Massachusetts Dartmouth, explained.

    Because of that, an attacker in a man-in-the-middle position could eavesdrop on the request and then use it to launch a replay attack.

    Basically, if the attacker is located near a vulnerable vehicle, they can record the remote signal sent by the car owner to wirelessly open and start the vehicle, and later perform the same action by themselves.

    https://github.com/nonamecoder/CVE-2022-27254

    Reply
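The replay weakness described in the comment above, as an added illustration that is not code from the article, the researcher, or Honda: a toy model of a fixed-code receiver next to a counter-based rolling-code receiver, showing why a recorded message is re-accepted by the first design and rejected by the second. The shared key, message layout (4-byte counter plus truncated HMAC) and resync window are constructed assumptions of this model, not Honda's actual keyless system.

```python
import hashlib
import hmac

# Constructed demo key; a real fob/receiver pair would share a per-vehicle
# secret provisioned at manufacture (an assumption of this model).
SHARED_KEY = b"constructed-demo-key-not-real"
TAG_LEN = 16


class StaticCodeReceiver:
    """Models the design in the article: one fixed, unencrypted message is
    accepted every time, so a recording of it stays valid forever."""

    def __init__(self, code: bytes) -> None:
        self.code = code

    def accept(self, msg: bytes) -> bool:
        return hmac.compare_digest(msg, self.code)


class RollingCodeFob:
    """Transmitter side: sends a fresh counter plus a MAC over it."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.counter = 0

    def press(self) -> bytes:
        self.counter += 1
        ctr = self.counter.to_bytes(4, "big")
        return ctr + hmac.new(self.key, ctr, hashlib.sha256).digest()[:TAG_LEN]


class RollingCodeReceiver:
    """Receiver side: accepts a message only if its counter is newer than the
    last accepted one, within a resync window, and its MAC verifies."""

    def __init__(self, key: bytes, window: int = 16) -> None:
        self.key = key
        self.window = window
        self.last_counter = 0

    def accept(self, msg: bytes) -> bool:
        if len(msg) != 4 + TAG_LEN:
            return False
        ctr_bytes, tag = msg[:4], msg[4:]
        counter = int.from_bytes(ctr_bytes, "big")
        # A replayed (old) counter, or one too far ahead, is rejected.
        if counter <= self.last_counter or counter > self.last_counter + self.window:
            return False
        expected = hmac.new(self.key, ctr_bytes, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False
        self.last_counter = counter
        return True


def replay_outcomes() -> dict:
    """Run the same record-and-replay sequence against both receiver designs
    and report which messages each one accepted."""
    static_rx = StaticCodeReceiver(b"UNLOCK")
    captured_static = b"UNLOCK"              # the owner's press, as recorded
    fob = RollingCodeFob(SHARED_KEY)
    rolling_rx = RollingCodeReceiver(SHARED_KEY)
    captured_rolling = fob.press()           # the owner's press, as recorded
    return {
        "static_first": static_rx.accept(captured_static),
        "static_replay": static_rx.accept(captured_static),    # still accepted
        "rolling_first": rolling_rx.accept(captured_rolling),
        "rolling_replay": rolling_rx.accept(captured_rolling),  # rejected
        "rolling_next_press": rolling_rx.accept(fob.press()),   # owner unaffected
    }
```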
  41. Tomi Engdahl says:

    Checkmarx Finds Threat Actor ‘Fully Automating’ NPM Supply Chain Attacks
    https://www.securityweek.com/checkmarx-finds-threat-actor-fully-automating-npm-supply-chain-attacks

    Threat hunters at Checkmarx on Monday raised an alarm after discovering a threat actor fully automating the creation and delivery of “hundreds of malicious packages” into the NPM ecosystem.

    The Checkmarx warning comes on the heels of Snyk’s discovery of “deliberate sabotage” of NPM package managers and raises new concerns about the software supply chain threat landscape.

    According to an advisory from Checkmarx, a threat actor flagged as RED-LILI has “fully automated” the process of NPM account creation to launch difficult-to-detect dependency confusion attacks.

    “Customarily, attackers use an anonymous disposable NPM account from which they launch their attacks. As it seems this time, the attacker has fully-automated the process of NPM account creation and has opened dedicated accounts, one per package, making his new malicious packages batch harder to spot,” said Jossef Harush, head of Checkmarx’s supply chain security engineering group.

    Software Supply Chain Weakness: Snyk Warns of ‘Deliberate Sabotage’ of NPM Ecosystem
    https://www.securityweek.com/software-supply-chain-weakness-snyk-warns-deliberate-sabotage-npm-ecosystem

    Reply
  42. Tomi Engdahl says:

    German Authorities Seize Spyware Firm FinFisher’s Accounts
    https://www.securityweek.com/german-authorities-seize-spyware-firm-finfishers-accounts

    German authorities have seized accounts belonging to the spyware company FinFisher amid an investigation into whether it broke export laws by selling its products to authoritarian governments.

    Munich prosecutors confirmed Monday that the company’s accounts were impounded, though the measure will have no immediate effect because FinFisher is undergoing insolvency proceedings.

    Human rights groups accuse the Munich-based company of supplying Turkey, Egypt and Myanmar with trojan software known as FinSpy that could be used to eavesdrop on dissidents.

    The European Center for Constitutional and Human Rights and others argue that exporting such software outside the European Union requires prior authorization, which was not issued.

    https://www.securityweek.com/finspy-surveillance-spyware-fitted-uefi-bootkit

    Reply
