This posting is here to collect cyber security news in March 2022.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
Tomi Engdahl says:
FBI disrupts BEC cybercrime gangs targeting victims worldwide https://www.bleepingcomputer.com/news/legal/fbi-disrupts-bec-cybercrime-gangs-targeting-victims-worldwide/
A coordinated operation conducted by the FBI and its international law enforcement partners has resulted in disrupting business email compromise (BEC) schemes in several countries.
Tomi Engdahl says:
Chrome Browser Gets Major Security Update
https://www.securityweek.com/chrome-browser-gets-major-security-update
Google this week released a security-themed Chrome browser makeover with patches for 28 documented vulnerabilities, some serious enough to lead to code execution attacks.
The new browser refresh is now rolling out to Windows, Mac and Linux users as Chrome 100.0.4896.60.
Nine of the security defects identified by external researchers are rated high-severity. Use-after-free was the most common type of vulnerability among the issues reported externally, followed by inappropriate implementation.
Chrome 100 arrives less than a week after Google issued an emergency fix to address a zero-day vulnerability in the V8 JavaScript engine. There have been only two documented zero-days in Chrome this year.
Tomi Engdahl says:
Remote ‘Brokenwire’ Hack Prevents Charging of Electric Vehicles
https://www.securityweek.com/remote-brokenwire-hack-prevents-charging-electric-vehicles
Researchers from the University of Oxford in the UK and Switzerland’s Armasuisse federal agency have identified a new attack method that can be used to remotely interrupt the charging of electric vehicles.
The attack method, named Brokenwire, involves wirelessly sending malicious signals to the targeted vehicle in order to cause electromagnetic interference and disrupt the charging session.
The attack targets the Combined Charging System — a widely used DC rapid charging technology — and it interrupts the communication between the charger and the vehicle.
The researchers pointed out that the Brokenwire attack only works against DC rapid chargers. Home charging stations, which typically use AC charging, are not impacted as they use different communication standards.
During their experiments, the researchers managed to reproduce the method against seven types of vehicles and 18 chargers, at distances of up to 47 m (150 feet) using a software-defined radio, a 1 W RF amplifier, and a dipole antenna. They demonstrated that the attack works between different floors of a building and through perimeter fences, and drive-by attacks are possible as well.
Brokenwire, which they described as a stealthy and scalable attack, affects not only electric cars, but also electric ships, airplanes and heavy duty vehicles.
“Brokenwire has immediate implications for many of the around 12 million battery EVs on the roads worldwide — and profound effects on the new wave of electrification for vehicle fleets, both for private enterprise and crucial public services,” the researchers said.
“While it may only be an inconvenience for individuals, interrupting the charging process of critical vehicles, such as electric ambulances, can have life-threatening consequences,” they warned.
Once an attack has been launched, the targeted vehicle will not charge until the attack stops and the vehicle is manually reconnected to the charging station. The experts noted that while the attack can be used to interrupt charging sessions, it does not appear to cause any permanent damage to the targeted systems.
Brokenwire
Vulnerability in the Combined Charging System for Electric Vehicles
https://www.brokenwire.fail/
Brokenwire is a novel attack against the Combined Charging System (CCS), one of the most widely used DC rapid charging technologies for electric vehicles (EVs). The attack interrupts necessary control communication between the vehicle and charger, causing charging sessions to abort. The attack can be conducted wirelessly from a distance using electromagnetic interference, allowing individual vehicles or entire fleets to be disrupted simultaneously. In addition, the attack can be mounted with off-the-shelf radio hardware and minimal technical knowledge. With a power budget of 1 W, the attack is successful from around 47 m distance. The exploited behavior is a required part of the HomePlug Green PHY, DIN 70121 & ISO 15118 standards and all known implementations exhibit it.
Brokenwire has immediate implications for many of the 12 million battery EVs estimated to be on the roads worldwide — and profound effects on the new wave of electrification for vehicle fleets, both for private enterprise and for crucial public services. In addition to electric cars, Brokenwire affects electric ships, airplanes and heavy duty vehicles. As such, we conducted a disclosure to industry and discuss a range of mitigation techniques that could be deployed to limit the impact.
Tomi Engdahl says:
Researchers Find Python-Based Ransomware Targeting Jupyter Notebook Web Apps
https://www.securityweek.com/researchers-find-python-based-ransomware-targeting-jupyter-notebook-web-apps
Tomi Engdahl says:
RCE Bug in Spring Cloud Could Be the Next Log4Shell, Researchers Warn
https://threatpost.com/critical-rce-bug-spring-log4shell/179173/
The so-called ‘Spring4Shell’ bug has cropped up, so to speak, and could be lurking in any number of Java applications.
A concerning security vulnerability has bloomed in the Spring Cloud Function, which could lead to remote code execution (RCE) and the compromise of an entire internet-connected host.
Some researchers have dubbed it “Spring4Shell” due to its ease of exploit and Java-based nature, a la the Log4Shell vulnerability discovered in December.
“Spring4Shell is another in a series of major Java vulnerabilities,” Stefano Chierici, a security researcher at Sysdig, noted in materials shared with Threatpost. “It has a very low bar for exploitation so we should expect to see attackers heavily scanning the internet. Once found, they will likely install cryptominers, [distributed denial-of-service] DDoS agents, or their remote-access toolkits.”
The bug (CVE-2022-22963) affects versions 3.1.6 and 3.2.2, as well as older, unsupported versions, according to a Tuesday advisory. Users should update to 3.1.7 and 3.2.3 in order to implement a patch.
Spring Cloud is an open-source microservices framework: A collection of ready-to-use components which are useful in building distributed applications in an enterprise. It’s widely used across industries by various companies and includes ready-made integration with components from various app providers, including Kubernetes and Netflix.
As such, its footprint is concerning, according to Sysdig.
“Spring is…used by millions of developers using Spring Framework to create high-performing, easily testable code,” Chierici said. “The Spring Cloud Function framework allows developers to write cloud-agnostic functions using Spring features. These functions can be stand-alone classes and one can easily deploy them on any cloud platform to build a serverless framework.”
The CVE-2022-22963 Bug in Bloom
According to Sysdig, the vulnerability can be exploited over HTTP: Just like Log4Shell, it only requires an attacker to send a malicious string to a Java app’s HTTP service.
“Using routing functionality, it is possible for a user to provide a specially crafted Spring Expression Language (SpEL) as a routing-expression to access local resources and execute commands in the host,” Chierici explained. “The issue with CVE-2022-22963 is that it permits using HTTP request header spring.cloud.function.routing-expression parameter and SpEL expression to be injected and executed through StandardEvaluationContext.”
As such, unfortunately, an exploit is “quite easy to accomplish” using a simple curl command, he noted:
curl -i -s -k -X $'POST' -H $'Host: 192.168.1.2:8080' -H $'spring.cloud.function.routing-expression:T(java.lang.Runtime).getRuntime().exec(\"touch /tmp/test\")' --data-binary $'exploit_poc' $'http://192.168.1.2:8080/functionRouter'
Tomi Engdahl says:
William Turton / Bloomberg:
Sources say Apple and Meta gave user data to hackers in response to forged Emergency Data Requests; Discord said it had also fulfilled a forged legal request — Apple Inc. and Meta Platforms Inc., the parent company of Facebook, provided customer data to hackers who masqueraded as law enforcement officials …
https://www.bloomberg.com/news/articles/2022-03-30/apple-meta-gave-user-data-to-hackers-who-forged-legal-requests
Tomi Engdahl says:
Carly Page / TechCrunch:
IT and software developer Globant says its code repo was partially breached, after Lapsus$ shared 70GB of allegedly stolen data; Globant’s stock closed down 10% — Just days after police in the U.K. arrested seven people over suspected connections to the now-infamous hacking and extortion group, Lapsus$ is claiming its latest victim.
Lapsus$ hacking group claims software consultancy giant Globant as its latest breach victim
https://techcrunch.com/2022/03/30/lapsus-globant-breach/
Tomi Engdahl says:
Steve Zurier / SC Media:
IoT manufacturer Ubiquiti sues cybersecurity journalist Brian Krebs, claiming he falsely accused the company of covering up a cyberattack — Ubiquiti on Tuesday filed a lawsuit against industry blogger Brian Krebs for $425 million in damages for allegedly falsely accusing the company of “covering up” a cyberattack.
Ubiquiti seeks $425 million in damages against industry blogger Brian Krebs
https://www.scmagazine.com/news/breach/ubiquiti-seeks-425-million-in-damaged-against-industry-blogger-brian-krebs%EF%BF%BC
Ubiquiti on Tuesday filed a lawsuit against industry blogger Brian Krebs for $425 million in damages for allegedly falsely accusing the company of “covering up” a cyberattack.
According to the complaint, Krebs intentionally misled the public about a data breach and a subsequent blackmail attempt.
Ubiquiti said it promptly notified customers of the attack and instructed them to take additional security precautions to protect their information. Ubiquiti then notified the public in the next filing it made with the SEC, but they claim Krebs intentionally disregarded the steps the company took to target Ubiquiti and increase ad revenue by driving traffic to his website, KrebsonSecurity.
The complaint said that only one source propped up Krebs’ story against Ubiquiti: Nickolas Sharp, the Ubiquiti employee behind the cyberattack.
In an email provided to SC Media, Krebs said that at the request of counsel, he will not be commenting.
On Dec. 1, 2021, federal prosecutors with the U.S. Attorney’s Office from the Southern District of New York charged Sharp on four felony counts for “stealing confidential data and extorting” Ubiquiti “while posing as an anonymous attacker.”
Ubiquiti said Krebs allegedly reviewed the press release and knew that his sole source had been indicted for his criminal involvement in the cyberattack. But the indictment said Krebs published a story on his blog the next day doubling down on his accusations against Ubiquiti and intentionally misleading his readers into believing that his earlier reporting was not sourced by Sharp, the hacker behind the attack.
In a long tweet thread, Corey Quinn, chief cloud economist at the Duckbill Group calls into question the Ubiquiti lawsuit and pointed out that the law firm representing Ubiquiti, Clare Locke LLP in Alexandria, Virginia, has a long history of suing media companies.
Tomi Engdahl says:
Hackers Gaining Power of Subpoena Via Fake “Emergency Data Requests”
https://krebsonsecurity.com/2022/03/hackers-gaining-power-of-subpoena-via-fake-emergency-data-requests/
There is a terrifying and highly effective “method” that criminal hackers are now using to harvest sensitive customer data from Internet service providers, phone companies and social media firms. It involves compromising email accounts and websites tied to police departments and government agencies, and then sending unauthorized demands for subscriber data while claiming the information being requested can’t wait for a court order because it relates to an urgent matter of life and death.
In the United States, when federal, state or local law enforcement agencies wish to obtain information about who owns an account at a social media firm, or what Internet addresses a specific cell phone account has used in the past, they must submit an official court-ordered warrant or subpoena.
Virtually all major technology companies serving large numbers of users online have departments that routinely review and process such requests, which are typically granted as long as the proper documents are provided and the request appears to come from an email address connected to an actual police department domain name.
But in certain circumstances — such as a case involving imminent harm or death — an investigating authority may make what’s known as an Emergency Data Request (EDR), which largely bypasses any official review and does not require the requestor to supply any court-approved documents.
It is now clear that some hackers have figured out there is no quick and easy way for a company that receives one of these EDRs to know whether it is legitimate. Using their illicit access to police email systems, the hackers will send a fake EDR along with an attestation that innocent people will likely suffer greatly or die unless the requested data is provided immediately.
In this scenario, the receiving company finds itself caught between two unsavory outcomes: Failing to immediately comply with an EDR — and potentially having someone’s blood on their hands — or possibly leaking a customer record to the wrong person.
“We have a legal process to compel production of documents, and we have a streamlined legal process for police to get information from ISPs and other providers,” said Mark Rasch, a former prosecutor with the U.S. Department of Justice.
To make matters more complicated, there are tens of thousands of police jurisdictions around the world — including roughly 18,000 in the United States alone — and all it takes for hackers to succeed is illicit access to a single police email account.
THE LAPSUS$ CONNECTION
The reality that teenagers are now impersonating law enforcement agencies to subpoena privileged data on their targets at whim is evident in the dramatic backstory behind LAPSUS$, the data extortion group that recently hacked into some of the world’s most valuable technology companies, including Microsoft, Okta, NVIDIA and Vodafone.
In a blog post about their recent hack, Microsoft said LAPSUS$ succeeded against its targets through a combination of low-tech attacks, mostly involving old-fashioned social engineering — such as bribing employees at or contractors for the target organization.
“Other tactics include phone-based social engineering; SIM-swapping to facilitate account takeover; accessing personal email accounts of employees at target organizations; paying employees, suppliers, or business partners of target organizations for access to credentials and multi-factor authentication (MFA) approval; and intruding in the ongoing crisis-communication calls of their targets,” Microsoft wrote of LAPSUS$.
Tomi Engdahl says:
Julie Jargon / Wall Street Journal:
Research shows TikTok tic videos contribute to a rise in cases of girls with tics; US ER visits among teen girls with tics have tripled during the pandemic — Tourette videos posted on the platform continue to draw many viewers, and doctors say teen girls keep showing up at their offices with functional neurological issues
Teen Girls Are Still Getting TikTok-Related Tics—and Other Disorders
https://www.wsj.com/articles/teen-girls-are-still-getting-tiktok-related-ticsand-other-disorders-11648248555?mod=djemalertNEWS
Tomi Engdahl says:
Frederic Lardinois / TechCrunch:
Wing Security, which helps companies discover, monitor, and remediate potential security issues with SaaS tools used by their employees, raises a $20M Series A — As businesses increasingly rely on an ever-growing number of SaaS products, it has become imperative for security
https://techcrunch.com/2022/03/30/wing-security-launches-its-end-to-end-saas-security-platform-raises-26m/
Tomi Engdahl says:
New WithSecure focuses on corporate security
https://www.uusiteknologia.fi/2022/03/31/uusi-withsecure-fokusoi-yritystietoturvaan/
Finnish security company F-Secure is launching a new company and brand, WithSecure, for corporate security. The name is based on the view that cyber security must be an integral part of business, the digital society and collaboration.
F-Secure’s new strategy is based on separating its operations into two strong businesses. The launch of the WithSecure brand follows the preliminary announcement made in February 2022 of a split into two separate companies.
WithSecure’s portfolio consists of cloud-based, intelligent endpoint protection, content protection in cloud services, a managed attack prevention, detection and response service, and broad cyber security consulting.
https://www.withsecure.com/fi/about-us/who-we-are
Tomi Engdahl says:
Joseph Cox / VICE:
Scammers are advertising access to Meta’s Media Partner Portal, used by media and PR agencies to resolve issues, to get Facebook and Instagram users verified
The Media’s Backdoor to Facebook That Scammers Use to Verify Accounts
https://www.vice.com/en/article/jgm433/facebook-backdoor-verification-media-partner-portal
Alleged “ghost agencies” advertise their privileged access to the “Facebook Media Partner Portal” for sale to scammers.
Tomi Engdahl says:
Dade Hayes / Deadline:
As Netflix cracks down on password sharing, a survey finds 33% of 4,400 US consumers share their password while 64% only use Netflix in their household
https://deadline.com/2022/03/netflix-password-sharing-subscribers-survey-streaming-1234990125/
Tomi Engdahl says:
Security Patch Releases for Critical Zero-Day Bug in Java Spring Framework https://thehackernews.com/2022/03/security-patch-releases-for-critical.html
The maintainers of Spring Framework have released an emergency patch to address a newly disclosed remote code execution flaw that, if successfully exploited, could allow an unauthenticated attacker to take control of a targeted system.
Tomi Engdahl says:
Google: Multiple hacking groups are using the war in Ukraine as a lure in phishing attempts https://www.zdnet.com/article/google-multiple-hacking-groups-are-using-the-war-in-ukraine-as-a-lure-in-phishing-attempts/
Hostile hacking groups are exploiting Russia’s invasion of Ukraine to carry out cyberattacks designed to steal login credentials, sensitive information, money and more from victims around the world.
State-sponsored Attack Groups Capitalise on Russia-Ukraine War for Cyber Espionage https://research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/
In the past month while the Russian invasion of Ukraine was unfolding, Check Point Research (CPR) has observed advanced persistent threat (APT) groups around the world launching new campaigns, or quickly adapting ongoing ones to target victims with spear-phishing emails using the war as a lure. In this article, CPR will provide an overview of several campaigns by different APT groups using the ongoing Russia-Ukraine war to increase the efficiency of their campaigns (El Machete, Lyceum and SideWinder).
Tomi Engdahl says:
New Milestones for Deep Panda: Log4Shell and Digitally Signed Fire Chili Rootkits https://www.fortinet.com/blog/threat-research/deep-panda-log4shell-fire-chili-rootkits
During the past month, FortiEDR detected a campaign by Deep Panda, a Chinese APT group. The group exploited the infamous Log4Shell vulnerability in VMware Horizon servers. The nature of targeting was opportunistic insofar as multiple infections in several countries and various sectors occurred on the same dates. The victims belong to the financial, academic, cosmetics, and travel industries. Also:
https://www.bleepingcomputer.com/news/security/chinese-hacking-group-uses-new-fire-chili-windows-rootkit/
Tomi Engdahl says:
Conti-nuation: methods and techniques observed in operations post the leaks https://research.nccgroup.com/2022/03/31/conti-nuation-methods-and-techniques-observed-in-operations-post-the-leaks/
Despite the public disclosure of their arsenal, it appears that Conti operators continue their business as usual by proceeding to compromise networks, exfiltrating data and finally deploying their ransomware.
This post describes the methods and techniques we observed during recent incidents that took place after the Conti data leaks.
Tomi Engdahl says:
FBI adds LAPSUS$ data extortion gang to its “Most Wanted” list https://grahamcluley.com/fbi-adds-lapsus-data-extortion-gang-to-its-most-wanted-list/
The FBI is calling on members of the public to help it uncover members of an increasingly notorious cybercrime gang. Original source:
https://www.fbi.gov/wanted/seeking-info/lapsus
Tomi Engdahl says:
Chrome Zero-Day from North Korea
https://www.schneier.com/blog/archives/2022/03/chrome-zero-day-from-north-korea.html
North Korean hackers have been exploiting a zero-day in Chrome. The flaw, tracked as CVE-2022-0609, was exploited by two separate North Korean hacking groups. Both groups deployed the same exploit kit on websites that either belonged to legitimate organizations and were hacked or were set up for the express purpose of serving attack code on unsuspecting visitors. One group was dubbed Operation Dream Job, and it targeted more than 250 people working for 10 different companies. The other group, known as AppleJeus, targeted 85 users.
Tomi Engdahl says:
Lazarus Trojanized DeFi app for delivering malware https://securelist.com/lazarus-trojanized-defi-app/106195/
We recently discovered a Trojanized DeFi application that was compiled in November 2021. This application contains a legitimate program called DeFi Wallet that saves and manages a cryptocurrency wallet, but also implants a malicious file when executed. This malware is a full-featured backdoor containing sufficient capabilities to control the compromised victim. After looking into the functionalities of this backdoor, we discovered numerous overlaps with other tools used by the Lazarus group. Also:
https://www.bleepingcomputer.com/news/security/dprk-hackers-go-after-crypto-assets-using-trojanized-defi-wallet-app/
Tomi Engdahl says:
New AcidRain data wiper malware targets modems and routers https://www.bleepingcomputer.com/news/security/new-acidrain-data-wiper-malware-targets-modems-and-routers/
A newly discovered data wiper malware that wipes routers and modems has been loosely linked to the cyberattack that targeted the KA-SAT satellite broadband service on February 24, affecting thousands in Ukraine and tens of thousands across Europe. Based on the name of the AcidRain binary uploaded to VirusTotal, which could be an abbreviation of “Ukraine Operation” SentinelOne suspects that the malware might have been developed explicitly for an operation against Ukraine and likely used to wipe modems in the KA-SAT cyberattack.
Tomi Engdahl says:
New information-stealing malware Mars Stealer is gaining popularity among hackers
https://www.tivi.fi/uutiset/tv/0412159b-d1ad-4a4f-83a2-4f184ba216b7
The latest Mars Stealer campaign observed by Morphisec researchers uses cloned OpenOffice pages advertised through Google’s search engine. Ads for the fake OpenOffice pages have ranked high in Google search results, particularly in Canada.
Tomi Engdahl says:
Globant confirms reports of breach after Lapsus$ shares 70GB of stolen files https://therecord.media/globant-confirms-reports-of-breach-after-lapsus-shares-70gb-of-stolen-files/
Multibillion-dollar software development company Globant has confirmed reports that their systems were breached and that someone gained access to the company’s code repository. In a statement on Wednesday afternoon, Globant said they recently detected that a “limited section” of their code repository was accessed. Also:
https://www.bleepingcomputer.com/news/security/globant-confirms-hack-after-lapsus-leaks-70gb-of-stolen-data/.
In Finnish:
https://www.tivi.fi/uutiset/tv/9258b652-4716-4911-a268-7ce963ce351a
Tomi Engdahl says:
Shutterfly, hit by Conti ransomware group, warns staff their data has been stolen https://grahamcluley.com/shutterfly-hit-by-conti-ransomware-group-warns-staff-their-data-has-been-stolen/
Online photography printing service Shutterfly has disclosed that it has suffered a security breach that exposed the personal information of some employees. According to a sample data breach notification letter filed with the California Attorney General’s Office, Shutterfly was hit by a ransomware attack in December 2021 which encrypted some of its systems, and exfiltrated sensitive data from its servers.
Tomi Engdahl says:
Spring4Shell: Spring Flaws Lead to Confusion, Concerns of New Log4Shell-Like Threat
https://www.securityweek.com/spring4shell-spring-flaws-lead-confusion-concerns-new-log4shell-threat
The disclosure of several vulnerabilities affecting the widely used Spring Java framework has led to confusion and concerns that organizations may need to deal with a flaw similar to the notorious Log4Shell.
VMware-owned Spring has been described as the world’s most popular Java framework. Spring is designed to increase speed and productivity by making Java programming easier.
The cybersecurity community started to panic on Wednesday after a Chinese researcher recently made available a proof-of-concept (PoC) exploit for a remote code execution vulnerability affecting the Spring framework’s Core module.
The PoC exploit has since been removed, but researchers who have analyzed it have confirmed that it targets what appears to be an unpatched flaw that can be exploited without authentication. A CVSS score of 10 has been assigned to the bug, but there is no CVE identifier.
Cybersecurity company Praetorian reported that the zero-day vulnerability, which has been dubbed Spring4Shell and SpringShell, appears to be the result of a bypass for an old security hole tracked as CVE-2010-1622.
Spring Core on JDK9+ is vulnerable to remote code execution
https://www.praetorian.com/blog/spring-core-jdk9-rce/
Spring Core on JDK9+ is vulnerable to remote code execution due to a bypass for CVE-2010-1622. At the time of writing, this vulnerability is unpatched in Spring Framework and there is a public proof-of-concept available. As we have remediation advice for customers (see below), we have elected to share this information publicly.
Spring Core is a very popular Java framework for building modern Java web applications.
In certain configurations, exploitation of this issue is straightforward, as it only requires an attacker to send a crafted HTTP request to a vulnerable system. However, exploitation of different configurations will require the attacker to do additional research to find payloads that will be effective.
This vulnerability allows an unauthenticated attacker to execute arbitrary code on the target system.
Remediation
In Spring Framework, DataBinder has functionality to disallow certain patterns. As a temporary mitigation for this vulnerability, Praetorian recommends creating a ControllerAdvice component (which is a Spring component shared across Controllers) and adding dangerous patterns to the denylist.
Update: March 31, 2022 A patch has officially been released.
https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
https://tanzu.vmware.com/security/cve-2022-22965
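The DataBinder denylist mitigation described above, as an added example that is not part of this post or of Praetorian’s advice; the package name is hypothetical, and the four field patterns are the ones the Spring team published in the early announcement for CVE-2022-22965 linked above.

```java
// Added example: a global @ControllerAdvice that applies the DataBinder
// disallowed-field patterns to every controller in a Spring MVC application.
// Package name is hypothetical.
package com.example.mitigation;

import java.util.Arrays;
import java.util.stream.Stream;

import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

@ControllerAdvice
@Order(Ordered.HIGHEST_PRECEDENCE)
public class BinderControllerAdvice {

    // Request parameters whose names match these patterns are refused during
    // data binding, so a request can no longer walk property paths such as
    // class.module.classLoader.* on a bound object. Both capitalisations are
    // listed because disallowed-field matching was case-sensitive in the
    // affected Spring versions.
    private static final String[] DENY_PATTERNS = {
        "class.*", "Class.*", "*.class.*", "*.Class.*"
    };

    @InitBinder
    public void denyClassLoaderFields(WebDataBinder dataBinder) {
        // Merge with any patterns a controller-local @InitBinder already set,
        // so this advice never silently replaces a stricter local denylist.
        // A controller-local @InitBinder that calls setDisallowedFields()
        // after this one would still replace the list; such controllers need
        // to include these patterns themselves.
        String[] existing = dataBinder.getDisallowedFields();
        String[] merged = Stream.concat(
                Arrays.stream(existing == null ? new String[0] : existing),
                Arrays.stream(DENY_PATTERNS))
            .distinct()
            .toArray(String[]::new);
        dataBinder.setDisallowedFields(merged);
    }
}
```

This is a stop-gap only: the patched Spring Framework releases announced on March 31, 2022 remain the actual fix, and the advice should be removed once the upgrade is deployed.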
Tomi Engdahl says:
Apple Ships Emergency Patches for ‘Actively Exploited’ macOS, iOS Flaws
https://www.securityweek.com/apple-ships-emergency-patches-actively-exploited-macos-ios-flaws
Apple’s security response team on Thursday released emergency patches to cover a pair of “actively exploited” vulnerabilities affecting macOS, iOS and iPadOS devices.
Apple confirmed the two security defects — CVE-2022-22675 and CVE-2022-22674 — in all its major operating systems and warned that remote code execution attacks may already be underway.
One of the two vulnerabilities, described as an out-of-bounds memory corruption issue in AppleAVD, affects both iOS and macOS devices.
iOS update 15.4.1 fixes CVE-2022-22675 and CVE-2022-22674: “An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited,” the Cupertino, California company said in a barebones advisory.
Tomi Engdahl says:
New Modem Wiper Malware May be Connected to Viasat Hack
https://www.securityweek.com/sentinellabs-new-modem-wiper-malware-may-be-connected-viasat-hack
A pair of security researchers at SentinelLabs have intercepted a piece of destructive wiper malware hitting routers and modems and found digital breadcrumbs suggesting a link to the devastating Viasat hack that took down wind turbines in Germany.
SentinelLabs malware hunters Juan Andres Guerrero-Saade and Max van Amerongen believe the newest wiper — called AcidRain — is part of a larger supply chain attack aimed at crippling Viasat’s satellite internet service.
In an official statement, Viasat confirmed a dual-pronged attack against its KA-SAT network ended with malicious software commands rendering tens of thousands of modems across Europe inoperable by overwriting key data in their internal memory.
The Viasat attack, coming just as Russia was launching its invasion of Ukraine, also impacted modem service in France and Italy and even paralyzed wind turbines in Germany, according to published reports.
Tomi Engdahl says:
Cybersecurity Vendors Assessing Impact of Recent OpenSSL Vulnerability
https://www.securityweek.com/cybersecurity-vendors-assessing-impact-recent-openssl-vulnerability
Cybersecurity, cloud, storage and other vendors are assessing the impact of a recent OpenSSL vulnerability on their products and services.
Updates released by the OpenSSL Project earlier this month patch a high-severity denial-of-service (DoS) vulnerability related to certificate parsing.
The security hole, tracked as CVE-2022-0778 and reported by Google vulnerability researcher Tavis Ormandy, affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It has been fixed with the release of versions 1.0.2zd, 1.1.1n and 3.0.2.
Exploitation of the vulnerability is possible in certain situations, and it can lead to a DoS attack against a process that parses externally supplied certificates.
Technical details and at least one proof-of-concept (PoC) exploit are publicly available, and companies whose products and services rely on OpenSSL have started assessing its impact.
https://github.com/drago-96/CVE-2022-0778
Red Hat initially said it was not directly affected by the flaw, but further investigation revealed that some versions of Red Hat Enterprise Linux are vulnerable to DoS attacks. Other Linux distributions have also released advisories.
https://access.redhat.com/security/cve/cve-2022-0778
https://www.freebsd.org/security/advisories/FreeBSD-SA-22:03.openssl.asc
https://access.redhat.com/security/cve/cve-2022-0778
While Red Hat initially stated not to be directly affected by this flaw, after further investigation we found that the versions of OpenSSL as shipped in Red Hat Enterprise Linux 6, 7, and 8 are vulnerable to a denial of service attack through malicious Elliptic Curve parameters. During processing of the parameters OpenSSL will call BN_mod_sqrt() with invalid arguments, causing the process to enter an infinite loop. The invalid EC parameters can be provided to OpenSSL through X.509 certificates (used in TLS connections), through public and private keys, through certificate signing requests and other places where applications process Elliptic Curve parameters. The flaw has been rated as having a security impact of Important. A future update will address this issue in Red Hat Enterprise Linux 6, 7 and 8.
Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.
CVSS v3 Base Score 7.5
Tomi Engdahl says:
How To Fix CVE-2022-0778- A Denial-Of-Service Vulnerability In OpenSSL
https://www.thesecmaster.com/how-to-fix-cve-2022-0778-a-denial-of-service-vulnerability-in-openssl/
On 15 March, OpenSSL published an advisory describing a high-severity vulnerability in its software library. The flaw, tracked as CVE-2022-0778 with a CVSS 3.1 base score of 7.5, leads to a denial-of-service (DoS) condition in OpenSSL when parsing certificates. Since the flaw allows attackers to crash servers, it is important to learn How to Fix CVE-2022-0778- A Denial-of-Service Vulnerability in OpenSSL.
The Summary Of CVE-2022-0778- A Denial-Of-Service Vulnerability In OpenSSL:
Any process that parses an externally supplied certificate may be subject to a denial of service attack since certificate parsing happens prior to verification of the certificate signature. This allows forming an infinite loop in the process of parsing crafted private keys if they contain explicit elliptic curve parameters. Usually, an attacker can use a self-signed certificate to trigger the loop during verification of the certificate signature as per OpenSSL.
The advisory lists a few circumstances in which the flaw can be exploited. These are:
TLS clients consuming server certificates.
TLS servers consuming client certificates.
Hosting providers taking certificates or private keys from customers.
Certificate authorities parsing certification requests from subscribers.
Anything else which parses ASN.1 elliptic curve parameters.
Applications that use the BN_mod_sqrt() where the attacker can control the parameter values.
How To Fix CVE-2022-0778- A Denial-Of-Service Vulnerability In OpenSSL?
OpenSSL addresses the vulnerability in its new releases. OpenSSL has rolled out three new versions with the patch. Users should check the OpenSSL version installed on their machines and upgrade to the corresponding fixed version:
OpenSSL 1.0.2 users should upgrade to 1.0.2zd (premium support customers only)
OpenSSL 1.1.1 users should upgrade to 1.1.1n
OpenSSL 3.0 users should upgrade to 3.0.2
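To make the Red Hat description in the previous comment ("OpenSSL will call BN_mod_sqrt() with invalid arguments, causing the process to enter an infinite loop") and the fix list above concrete, here is an added Python model of the Tonelli-Shanks loop inside BN_mod_sqrt(), in its pre-fix and post-fix shapes. It is an illustration written for this page, not OpenSSL's source code: the composite modulus 65 = 5 × 13 and the input 64 are constructed inputs standing in for attacker-chosen explicit EC parameters, the `max_squarings` budget exists only so the "vulnerable" variant returns instead of hanging, and OpenSSL's separate e == 2 shortcut is left out because the general loop covers it. The point the model makes is that the algorithm assumes p is prime and never checks it, while certificate parsing (where p comes from) runs before any signature is verified.

```python
"""Tonelli-Shanks as in OpenSSL's BN_mod_sqrt(), before and after the
CVE-2022-0778 fix. Added illustration, not OpenSSL source. p is assumed
prime and never checked; that assumption is what the attacker breaks."""


class NotASquare(ValueError):
    """Stands in for OpenSSL's BN_R_NOT_A_SQUARE error return."""


class LoopDetected(RuntimeError):
    """Model-only: the pre-fix loop exhausted its squaring budget.
    The real library has no budget; the process simply never returns."""


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0 (the role of BN_kronecker() here)."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def find_i_vulnerable(b, p, e, budget):
    """Pre-fix shape: smallest i with b^(2^i) == 1 (mod p). The bound is an
    equality test made *after* incrementing i, so once e has shrunk to 1 the
    test `i == e` can never fire; the loop then ends only if t reaches 1,
    which a composite p does not guarantee."""
    i, t = 1, b * b % p
    while t != 1:
        i += 1
        if i == e:
            raise NotASquare
        t = t * t % p
        budget[0] -= 1
        if budget[0] < 0:
            raise LoopDetected("inner loop did not terminate")
    return i


def find_i_fixed(b, p, e, budget=None):
    """1.1.1n / 3.0.2 shape: i is bounded by e up front, so the search always
    ends; 'no such i' is reported as not-a-square (or p not prime)."""
    t = b * b % p
    for i in range(1, e):
        if t == 1:
            return i
        t = t * t % p
    raise NotASquare


def mod_sqrt(a, p, find_i, max_squarings=10_000):
    """Return x with x*x % p == a % p, or raise NotASquare.
    Mirrors BN_mod_sqrt()'s control flow for odd p."""
    if p < 3 or p % 2 == 0:
        raise ValueError("model handles odd p > 2 only")
    a %= p
    if a in (0, 1):
        return a
    e, q = 0, p - 1                       # p - 1 = 2^e * q with q odd
    while q % 2 == 0:
        e, q = e + 1, q // 2
    if e == 1:                            # p = 3 (mod 4): direct formula
        x = pow(a, (p + 1) // 4, p)
    else:
        y = 2                             # find a quadratic non-residue
        while jacobi(y, p) == 1:
            y += 1
        if jacobi(y, p) == 0:
            raise ValueError("p is not prime")   # the one case OpenSSL notices
        y = pow(y, q, p)                  # order 2^e, if p really is prime
        x = pow(a, (q - 1) // 2, p)
        b = a * x * x % p                 # b = a^q
        x = a * x % p                     # x = a^((q+1)/2), so a*b == x^2
        budget = [max_squarings]
        while b != 1:
            i = find_i(b, p, e, budget)
            t = y
            for _ in range(e - i - 1):
                t = t * t % p
            y = t * t % p
            x = x * t % p
            b = b * y % p
            e = i                         # e shrinks each round; 1 is reachable
    if x * x % p != a:                    # OpenSSL's final 'vrfy' step
        raise NotASquare
    return x


def demo():
    """Same inputs through both loop shapes. 41 is prime; 65 = 5 * 13 is the
    constructed attacker-chosen 'prime'. Returns {(variant, a, p): outcome}."""
    results = {}
    for label, find_i in (("vulnerable", find_i_vulnerable), ("fixed", find_i_fixed)):
        for a, p in ((2, 41), (3, 41), (64, 65)):
            try:
                results[(label, a, p)] = mod_sqrt(a, p, find_i)
            except (NotASquare, LoopDetected) as exc:
                results[(label, a, p)] = type(exc).__name__
    return results


if __name__ == "__main__":
    for key, outcome in demo().items():
        print(key, "->", outcome)
    # ('vulnerable', 64, 65) -> LoopDetected   ('fixed', 64, 65) -> NotASquare
```

With the prime modulus both variants agree (sqrt(2) mod 41 is 17, and 3 is correctly rejected as a non-square). With 65 the first round finds i = 1 and sets e = 1; the next round then squares 4 → 16 → 61 → 16 → 61 forever in the pre-fix shape, while the bounded search rejects it immediately. Note that OpenSSL's caller cannot pre-screen this: the parameters reach BN_mod_sqrt() during decoding, so the only real fix is the upgrade listed above.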
Tomi Engdahl says:
FBI: 65 People Arrested Worldwide in BEC Bust
https://www.securityweek.com/fbi-65-people-arrested-worldwide-bec-bust
The Federal Bureau of Investigation (FBI) this week announced the arrests of 65 individuals as part of an international effort to combat business email compromise (BEC) fraud.
BEC scammers typically target employees in charge of making or authorizing wire transfers, from either a compromised or a spoofed email account.
Using these accounts, the fraudsters send legitimate-looking requests for wire transfers to bank accounts that they control.
These attacks have been observed worldwide, and last year alone the FBI’s Internet Crime Complaint Center (IC3) received reports of attacks that caused adjusted losses close to $2.4 billion.
Named Operation Eagle Sweep, the newly announced BEC crackdown started in September and resulted in the arrests of suspects in the United States (43), Nigeria (12), South Africa (9), Canada (2), and Cambodia (1).
Global Operation Disrupts Business Email Compromise Schemes
FBI, International Partners Carried Out Operation Eagle Sweep to Combat Financially Devastating Crime
https://www.fbi.gov/news/stories/coordinated-operation-disrupts-global-bec-schemes-033022
Tomi Engdahl says:
IT Giant Globant Confirms Source Code Repository Breach
https://www.securityweek.com/it-giant-globant-confirms-source-code-repository-breach
IT giant Globant has confirmed suffering a data breach after the notorious hacker group Lapsus$ leaked tens of gigabytes of data allegedly stolen from the company.
Earlier this week, the hackers made public roughly 70 GB of source code allegedly belonging to Globant customers. Folder names suggest that some of the source code belongs to major companies, including Apple and Facebook.
The group has also published a list of usernames and passwords that they claim can be used to access various development platforms used by Globant.
In a statement issued on Wednesday, Globant said it has activated security protocols and launched an investigation after detecting unauthorized access to a “limited section” of its code repository.
“According to our current analysis, the information that was accessed was limited to certain source code and project-related documentation for a very limited number of clients. To date, we have not found any evidence that other areas of our infrastructure systems or those of our clients were affected,” Globant stated.
The company has more than 23,000 employees and a presence in 18 countries. Its customers include Google, Electronic Arts, and Rockwell Automation.
Lapsus$ has taken credit for attacks on several other major companies, including Microsoft, Okta, Samsung, Vodafone, Ubisoft and NVIDIA.
Tomi Engdahl says:
Alex Heath / The Verge:
Meta confirms a now-fixed Facebook bug led to a “massive ranking failure” that increased views of harmful content up to 30% over the past six months — A group of Facebook engineers identified a “massive ranking failure” that exposed as much as half of all News Feed views to …
A Facebook bug led to increased views of harmful content over six months
https://www.theverge.com/2022/3/31/23004326/facebook-news-feed-downranking-integrity-bug?scrolla=5eb6d68b7fedc32c19ef33b4
The social network touts downranking as a way to thwart problematic content, but what happens when that system breaks?
Tomi Engdahl says:
Bill Toulas / BleepingComputer:
Wyze had been aware of several remote access vulnerabilities in its home security cameras for months and years without fixing them, despite Bitdefender warnings — A Wyze Cam internet camera vulnerability allows unauthenticated, remote access to videos and images stored on local memory cards …
Wyze Cam flaw lets hackers remotely access your saved videos
https://www.bleepingcomputer.com/news/security/wyze-cam-flaw-lets-hackers-remotely-access-your-saved-videos/
Tomi Engdahl says:
https://blog.mollywhite.net/axie-hack/
What is Axie Infinity?
Axie Infinity is a play-to-earn game with mechanics quite similar to Pokémon battles. Each player assembles a team of critters called “Axies”, which have different traits and strengths, and can be battled against other players’ teams. These Axies are somewhat pricey—the price fluctuates and depends quite a bit on which Axie you wish to buy, but the cheapest ones (prior to the hack) were around $25 each. During peak Axie popularity, the cheapest Axies cost more than $100. Given that a player needs at least three Axies to play, this is a substantial barrier to entry, and so “scholarship programs” have developed in which organizations buy the Axies and provide them to players, who in turn give the “scholarship” organization a cut of their earnings. This has resulted in many such organizations relying on players located where wages are low—more than half of Axie players were based in the Philippines as of November 2021. During May–August 2021, back when the game’s economy was fairly nascent and had not yet hit an inflection point with regards to its inevitable inflation, skilled players were able to make considerably more than the roughly $41/day average wage in the Philippines, even after accounting for the cut taken by the scholarship organizations. By November 2021, only the skilled players were making above even minimum wage—and only barely—despite the continuing narrative that Axie was changing lives in the Philippines by allowing people to play video games for a living.
How does it work?
After assembling their team of “Axies”, bought with WETH, players battle against each other to earn “smooth love potions” (SLP). These SLP can then be spent to breed Axies, or cashed out into other forms of cryptocurrency and then, potentially, into real-world money. Axie Infinity also has a separate token, AXS, which is used both for governance and for breeding, and another token, RON, which is used to pay transaction fees. There are, of course, speculative markets for each of these. Ronin also supports USDC, a stablecoin that is pegged to the US dollar, for people who like to hedge against the volatility of the other supported tokens. And finally there are the NFTs—the Axie characters that are battled, bred, bought, and sold are each represented as an NFT. Are you keeping up?
Why doesn’t the game just use the Ethereum network, like so many other applications? Well, it does, sort of. The problem with the Ethereum network is that it’s quite slow and expensive to use. Depending on network congestion, transactions can take minutes or even days to be confirmed, and if you want your transactions to go through more quickly you have to pay more. Transaction fees cost between a few dollars and many tens of dollars. This is not exactly a hospitable environment in which to build a video game.
So, Sky Mavis (the company behind Axie Infinity) created what is called a sidechain. It’s based on the same protocol as Ethereum, but it operates independently from the Ethereum mainnet and uses a different consensus mechanism. Instead of the Ethereum miners that continuously grind away solving math problems in hopes of validating the next transaction (proof-of-work), the Ronin sidechain is based on proof-of-authority—that is, all of the validators are operated by known, trusted parties, and so don’t have to do all that expensive work to establish that they’re following the rules. It is more efficient than proof-of-work, but at the expense of decentralization.
So how does one get their crypto to Ronin, or cash out their Ronin crypto? And how does one “wrap” their Ether? This is where the Ronin Bridge comes in. Although Binance and two other (small) exchanges that support the Ronin network allow users to exchange some of the tokens from Ethereum to Ronin and back again, the safest and most common way people move their tokens around is via the Ronin Bridge. A bridge is really just two corresponding smart contracts on two networks—in this case, one on the Ethereum network, and one on the Ronin network. When someone sends a token like ETH to the Ronin Bridge, it is “locked” in the Ronin bridge—held so that it can’t be spent elsewhere on the Ethereum network. Simultaneously, the contract on the Ronin side creates an equivalent token—WETH—and deposits it into the user’s Ronin wallet. To the user it looks like their Ethereum moved from one network to the next, but the details of how this works are important.
Blockchain bridges work somewhat like a casino. When you go to a casino, you take your regular dollars and trade them for casino chips. You can do whatever you please with your casino chips inside the casino, but they’re not much use to you anywhere else. When you’re all finished, you go back to the desk and trade your casino chips back out for dollars. Although they’re just plastic, your stack of casino chips might represent quite a lot of money. But if something happened such that the person at the desk no longer had sufficient cash for you to cash out your casino chips, you might suddenly find your stack of chips aren’t worth very much.
The hack
As I mentioned earlier, the Ronin network relies on a number of trusted validators to process transactions in the network. As it turns out, there were only nine validators in total (Ethereum, by comparison, has thousands of miners). This increased the risk of what is known as a 51% attack—when a malicious actor is able to compromise more than half of the validators on the network—since the attacker only needed to compromise five of the nine validators. And sure enough, an attacker was able to compromise four of the validators run by Sky Mavis, plus a fifth validator run by Axie DAO (a community-run organization supporting the Axie Infinity project). They then forged withdrawals, used their five compromised validators to validate the transactions, and drained 173,600 ETH and 25.5 million USDC that had been locked in the bridge. At today’s prices, assuming they were able to cash it out, this would be more than $625 million.
My thoughts
This is just a shocking amount of money. This appears to be the largest hack in the history of defi—at least in terms of the value of money at the time of theft. It’s second to the August 2021 Poly Network hack of $611 million, although in that case the majority of those stolen funds were later returned by the exploiter, who claimed to have been a white hat hacker demonstrating the vulnerability.
I’m quite concerned for the Axie userbase, given the narrative that playing Axie Infinity can become someone’s job—particularly in developing countries.
Molly White:
An analysis of the Axie Infinity hack: Sky Mavis taking six days to disclose is irresponsible and users likely lost money they need to live, not just spare cash
The Axie Infinity hack, what happened, and why people keep talking about bridges
I was also startled by Sky Mavis’s claim that they were not aware of the hack (perpetrated on March 23) until March 29 when a user reported issues withdrawing funds. If we take them at their word, that means they were missing $625 million for six days without realizing it, which is jaw-dropping. The alternative explanation is that they were aware and didn’t publicly announce it, which would mean they left their bridge and exchange operational for days despite a huge vulnerability, and were allowing users to buy in and transact with tokens that were largely unbacked. Either they are handling money in a completely irresponsible way, or they acted irresponsibly toward their users, and neither is good.
As far as the attacker, they have transferred relatively little out of the wallet that is known to be associated with the hack. This is somewhat unusual—typically after big hacks like this we see the hackers try to launder the crypto as quickly as they can before exchanges start freezing wallets. Sky Mavis has spoken about trying to recover the stolen funds—I think only time will tell how that goes. It’s not an easy task, but $625 million is certainly a strong motivator both for Sky Mavis, their investors, and law enforcement.
If Sky Mavis doesn’t recover the funds, they’re in a tough spot. The various tokens that operate on the Ronin network are now majorly unbacked. They could go the Wormhole route, and come up with $625 million to restore backing. I would say this seems unlikely, but I would’ve said Wormhole coming up with $320 million was unlikely too, and I was shown to be wrong on that one. The company lists some pretty big names among its investors—they raised $152 million in Series B funding in October 2021 from firms including Andreessen Horowitz, Accel, and Paradigm, valuing the company around $3 billion.
Sky Mavis has been continuing to make promises to reimburse their users regardless of whether the funds are recovered. However, even if they know they won’t be able to come up with that kind of money, they have a strong incentive to keep people believing that they can: the promise of a bailout is likely the only reason the various Axie tokens have any value left at all. The tokens have plummeted in value, but not to zero—we saw a similar thing happen in the aftermath of the Wormhole exploit, which seemed to be users holding out for good news.
https://web3isgoinggreat.com/?id=2021-08-11-0
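The bridge mechanics described in the post above (lock on one chain, mint an equivalent wrapped token on the other, and release the locked funds only on the say-so of a k-of-n validator set, five of nine in Ronin's case) as an added toy model in Python. This is example code written for this page, not Ronin or Sky Mavis code: HMAC tags stand in for the validators' real signatures, the account names and amounts are constructed, and the `reconcile()` check is a suggestion of what "noticing that the collateral is gone" looks like in code rather than anything the post says Sky Mavis ran.

```python
"""Toy lock-and-mint bridge guarded by a k-of-n validator set. Added
illustration of the Ronin failure mode, not Ronin/Sky Mavis code."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Validator:
    """One bridge validator. Real validators hold signing keys; HMAC-SHA256
    is a stdlib stand-in so the model runs offline."""
    name: str
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))

    def approve(self, msg: bytes) -> bytes:
        return hmac.new(self.key, msg, hashlib.sha256).digest()


class LockAndMintBridge:
    """`locked` is collateral held by the contract on the origin chain;
    `wrapped` is the sidechain supply it is supposed to back. Releases of
    `locked` are authorised solely by `threshold` validator approvals: the
    contract cannot itself see whether a burn happened on the other chain."""

    def __init__(self, validators, threshold):
        self.validators = {v.name: v for v in validators}
        self.threshold = threshold
        self.locked = 0
        self.wrapped = {}
        self.nonce = 0

    def deposit(self, account, amount):
        """Lock `amount` on the origin chain; mint the same amount wrapped."""
        self.locked += amount
        self.wrapped[account] = self.wrapped.get(account, 0) + amount

    def burn(self, account, amount):
        """Sidechain step that should precede every release."""
        if self.wrapped.get(account, 0) < amount:
            raise ValueError("insufficient wrapped balance")
        self.wrapped[account] -= amount

    def release_msg(self, to, amount):
        return f"release|{to}|{amount}|nonce={self.nonce}".encode()

    def release(self, to, amount, approvals):
        """Pay out `amount` if >= threshold distinct validators approved this
        exact message. Returns the names counted."""
        msg = self.release_msg(to, amount)
        valid = {
            name for name, tag in approvals.items()
            if name in self.validators
            and hmac.compare_digest(tag, self.validators[name].approve(msg))
        }
        if len(valid) < self.threshold:
            raise PermissionError(f"{len(valid)} approvals, {self.threshold} required")
        if amount > self.locked:
            raise ValueError("bridge is already insolvent")
        self.locked -= amount
        self.nonce += 1
        return valid

    def reconcile(self):
        """Wrapped supply not backed by locked collateral; 0 means solvent.
        This is the number that should alarm within minutes, not days."""
        return sum(self.wrapped.values()) - self.locked


def scenario(n_validators=9, threshold=5, compromised=5):
    """Honest deposit and withdrawal, then a forged release signed with
    `compromised` validator keys and no matching burn.
    Returns (forged_release_succeeded, unbacked_supply_afterwards)."""
    vals = [Validator(f"v{i}") for i in range(n_validators)]
    bridge = LockAndMintBridge(vals, threshold)

    bridge.deposit("alice", 1000)                      # constructed traffic
    bridge.deposit("bob", 500)
    bridge.burn("alice", 200)                          # burn first ...
    msg = bridge.release_msg("alice", 200)
    bridge.release("alice", 200, {v.name: v.approve(msg) for v in vals})  # ... then approve
    assert bridge.reconcile() == 0                     # still fully backed

    stolen = vals[:compromised]                        # attacker-held keys
    loot = bridge.locked
    msg = bridge.release_msg("attacker", loot)
    try:
        bridge.release("attacker", loot, {v.name: v.approve(msg) for v in stolen})
        forged_ok = True
    except PermissionError:
        forged_ok = False
    return forged_ok, bridge.reconcile()


if __name__ == "__main__":
    print("5 of 9 keys:", scenario(compromised=5))    # (True, 1300): drained, 1300 unbacked
    print("4 of 9 keys:", scenario(compromised=4))    # (False, 0): rejected, still solvent
```

The contract is doing exactly what it was told: with five valid approvals the release is indistinguishable from a legitimate one, which is why the security of this design collapses to "how hard is it to get five keys" and why the post treats the small validator set as the root problem. The `reconcile()` view is the other half of the story: after the forged release the wrapped supply exceeds the collateral by the full amount immediately, so a bridge operator watching that delta would not need a user's failed withdrawal to learn about the theft.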
Tomi Engdahl says:
Hackers Gaining Power of Subpoena Via Fake “Emergency Data Requests”
https://krebsonsecurity.com/2022/03/hackers-gaining-power-of-subpoena-via-fake-emergency-data-requests/
There is a terrifying and highly effective “method” that criminal hackers are now using to harvest sensitive customer data from Internet service providers, phone companies and social media firms. It involves compromising email accounts and websites tied to police departments and government agencies, and then sending unauthorized demands for subscriber data while claiming the information being requested can’t wait for a court order because it relates to an urgent matter of life and death.
Tomi Engdahl says:
Estonian Tied to 13 Ransomware Attacks Gets 66 Months in Prison
https://krebsonsecurity.com/2022/03/estonian-tied-to-13-ransomware-attacks-gets-66-months-in-prison/
Tomi Engdahl says:
Spoiler: chrome dev tools, view source, etc. No “hacking” here.
Man ‘hacks’ IndiGo website to find lost luggage, airline says ‘at no point…’
https://www.hindustantimes.com/india-news/man-hacks-indigo-website-to-find-lost-luggage-airline-says-at-no-point-101648687010363.html
An IndiGo passenger has claimed to find a “vulnerability” in the airline’s website using which he was able to find the phone number of a co-passenger with whom his bag was mistakenly swapped. In a series of tweets, a user, who goes by the name Nandan Kumar, explained how he was able to find that IndiGo’s website “leaks sensitive data” which the airlines need to “get it fixed”.
When the IndiGo passenger didn’t get any call in the morning, he started digging into the airline’s website by using the co-passenger’s PNR, or Passenger Name Record, written on the bag tag.
“So now, after all the failed attempts, my [developer] instinct kicked in and I pressed the F12 button on my computer keyboard and opened the developer console on the @IndiGo6E website and started the whole checkin flow with network log record on,” he tweeted.
He said he was finally able to find the phone number and email ID of his co-passenger.
“I made note of the details and decided to call the person and try to get the bags swapped,” Kumar wrote on Twitter as he advised IndiGo to improve its customer care service and IVR.
IndiGo said in a statement that its IT processes are “completely robust and, at no point was the IndiGo website compromised.”