This posting is here to collect cyber security news in March 2022.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
888 Comments
Tomi Engdahl says:
Fake Purchase Order Used to Deliver Agent Tesla
https://www.fortinet.com/blog/threat-research/fake-purchase-order-used-to-deliver-agent-tesla
FortiGuard Labs recently came across an interesting phishing e-mail masquerading as a purchase order addressed to a Ukrainian manufacturing organization that deals with raw materials and chemicals. The e-mail contained a PowerPoint attachment that is in reality a sophisticated, multi-stage effort to deploy the Agent Tesla RAT (Remote Access Trojan). What makes this campaign unique is the usage of PPAM, which is a file format that is not very common. A PPAM is a Microsoft PowerPoint add-in that gives developers extra functionality, such as extra commands, custom macros, and new tools.
This blog will detail the infection process and subsequent malware deployment.
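The PPAM lure in the FortiGuard write-up is a plain Office Open XML package, i.e. a ZIP container, so a mail gateway can triage such attachments without opening them in PowerPoint. The following is an added example written for this page, not code from FortiGuard or from the original post: it builds a few constructed sample packages in memory and flags any PowerPoint add-in extension or any package carrying a VBA project part. The extension list, the `vbaProject.bin` marker and the quarantine policy are assumptions of the example.

```python
import io
import zipfile

# Office Open XML files (.pptx, .ppam, ...) are ZIP containers. What to flag
# is an assumption of this example, not a rule from the original post.
VBA_PART_SUFFIX = "vbaProject.bin"      # VBA project part of a macro-enabled package
ADDIN_EXTENSIONS = {".ppam", ".ppa"}    # PowerPoint add-in extensions; rare as mail attachments


def build_office_zip(parts):
    """Build an in-memory ZIP from {name: bytes} (constructed test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in parts.items():
            zf.writestr(name, data)
    return buf.getvalue()


def triage_attachment(filename, data):
    """Classify one attachment; returns a findings dict with a 'verdict' key."""
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    findings = {"filename": filename, "is_zip": False, "has_vba": False,
                "is_addin_ext": ext in ADDIN_EXTENSIONS, "verdict": "allow"}
    if findings["is_addin_ext"]:
        findings["verdict"] = "quarantine"  # add-in format alone is enough to hold the mail
    if not data.startswith(b"PK\x03\x04"):
        return findings                     # not a ZIP container, nothing more to inspect
    findings["is_zip"] = True
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        findings["verdict"] = "quarantine"  # looks like Office but cannot be parsed
        return findings
    # Extension is attacker-controlled; the presence of the VBA part is not.
    findings["has_vba"] = any(n.endswith(VBA_PART_SUFFIX) for n in names)
    if findings["has_vba"]:
        findings["verdict"] = "quarantine"
    return findings


# Constructed samples: minimal packages, not real malware.
SAMPLES = {
    "quote.pptx": build_office_zip({"[Content_Types].xml": b"<Types/>",
                                    "ppt/presentation.xml": b"<p/>"}),
    "PO-2022-0301.ppam": build_office_zip({"[Content_Types].xml": b"<Types/>",
                                           "ppt/vbaProject.bin": b"\xd0\xcf\x11\xe0"}),
    # macro part hidden behind a benign-looking extension
    "invoice.pptx": build_office_zip({"[Content_Types].xml": b"<Types/>",
                                      "ppt/vbaProject.bin": b"\xd0\xcf\x11\xe0"}),
    "notes.txt": b"just text",
}


def triage_all(samples=SAMPLES):
    """Map each sample name to its verdict."""
    return {name: triage_attachment(name, data)["verdict"] for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage_all().items():
        print(f"{name}: {verdict}")
```

The check keys on the VBA part rather than on the extension because an attacker can rename a macro-enabled package freely; the extension test only adds coverage for the uncommon add-in format the campaign used.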
Tomi Engdahl says:
Google Enters Bidding War for Mandiant: Reports
https://www.securityweek.com/google-enters-bidding-war-mandiant-reports
Tomi Engdahl says:
U.S. Security Vendors Launch Critical Infrastructure Defense Project
https://www.securityweek.com/us-security-vendors-launch-critical-infrastructure-defense-project
Amid rising Russia tensions, Cloudflare, CrowdStrike and Ping Identity offer free security for Critical National Infrastructure operators
Government warnings of heightened cyber risk to U.S. organizations as a by-product of the war in Ukraine are almost a daily occurrence. The government considers increased cyber activity aimed at U.S. and NATO organizations ‒ and particularly critical infrastructure organizations ‒ to be a serious threat.
CISA has a ‘Shields Up’ page that states, “While there are no specific or credible cyber threats to the U.S. homeland at this time, Russia’s unprovoked attack on Ukraine, which has involved cyber-attacks on Ukrainian government and critical infrastructure organizations, may impact organizations both within and beyond the region. Every organization—large and small—must be prepared to respond to disruptive cyber activity.”
You can see SecurityWeek’s take on how and why cyber threats could escalate from Ukraine into a formal or informal cyberwar here: Russia-Ukraine: Threat of Local Cyber Operations Escalating Into Global Cyberwar. Failing the rapid withdrawal of Russian troops from Ukraine, which doesn’t seem likely, it is difficult to see anything other than increased cyber activity aimed against the U.S. and its allies.
Tomi Engdahl says:
Scott Chipolina / Decrypt:
Coinbase blocks 25K+ addresses related to Russian individuals or entities believed to be engaged in illicit activity and shares them with the US government — Crypto exchange Coinbase has said it has blocked over 25,000 Russia-linked addresses it believes were associated with illicit activity.
Coinbase Blocks Over 25,000 Addresses Linked to Illicit Russian Activity
Crypto exchange Coinbase has said it has blocked over 25,000 Russia-linked addresses it believes were associated with illicit activity.
https://decrypt.co/94513/coinbase-blocks-25000-addresses-linked-illicit-russian-activity
Tomi Engdahl says:
Bloomberg:
Samsung confirms a breach that exposed internal company data, including source code related to its Galaxy phones, but says users’ personal data was not affected — Samsung Electronics Co. suffered a cybersecurity breach that exposed internal company data, including source code for the operation …
https://www.bloomberg.com/news/articles/2022-03-07/samsung-says-hackers-breached-company-data-galaxy-source-code
Tomi Engdahl says:
Dan Goodin / Ars Technica:
Akamai says attackers are exploiting a fleet of 100K+ misconfigured servers to amplify DDoS attacks on banking, travel, gaming, media, and web-hosting sites — 100,000 misconfigured servers are creating a new way to knock sites offline. — Last August, academic researchers discovered …
DDoSers are using a potent new method to deliver attacks of unthinkable size
100,000 misconfigured servers are creating a new way to knock sites offline.
https://arstechnica.com/information-technology/2022/03/unending-data-floods-and-complete-resource-exhaustion-ddoses-get-meaner/
Last August, academic researchers discovered a potent new method for knocking sites offline: a fleet of misconfigured servers more than 100,000 strong that can amplify floods of junk data to once-unthinkable sizes. These attacks, in many cases, could result in an infinite routing loop that causes a self-perpetuating flood of traffic. Now, content-delivery network Akamai says attackers are exploiting the servers to target sites in the banking, travel, gaming, media, and web-hosting industries.
These servers—known as middleboxes—are deployed by nation-states such as China to censor restricted content and by large organizations to block sites pushing porn, gambling, and pirated downloads. The servers fail to follow transmission control protocol specifications that require a three-way handshake—comprising a SYN packet sent by the client, a SYN+ACK response from the server, followed by a confirmation ACK packet from the client—before a connection is established.
This handshake limits the TCP-based app from being abused as amplifiers because the ACK confirmation must come from the gaming company or other target rather than an attacker spoofing the target’s IP address. But given the need to handle asymmetric routing, in which the middlebox can monitor packets delivered from the client but not the final destination that’s being censored or blocked, many such servers drop the requirement by design.
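The two paragraphs above describe why a handshake-respecting TCP server cannot be used as a reflector while a middlebox that answers a bare SYN (or a SYN carrying a payload) can. The following is an added example, not part of the Ars Technica article or of Akamai's research: it runs a simple reflector-hunting heuristic over a few constructed flow records and reports responders that return many more bytes than they received to packets that never completed a handshake. The record format, thresholds and addresses are assumptions of the example.

```python
from collections import defaultdict

# Constructed sample flow records, not captured traffic. Each entry is one
# client packet sent to a TCP port and the total bytes it elicited back.
SAMPLE_FLOWS = [
    # well-behaved server: a bare SYN gets only a SYN+ACK of about the same size
    {"responder": "198.51.100.10", "port": 80, "client_flags": "S",
     "handshake_done": False, "req_bytes": 60, "resp_bytes": 60},
    # well-behaved server after a full handshake: the ACK had to come from the
    # real client, so this exchange cannot be triggered with a spoofed source
    {"responder": "198.51.100.10", "port": 80, "client_flags": "PA",
     "handshake_done": True, "req_bytes": 120, "resp_bytes": 4000},
    # middlebox: SYN carrying an HTTP request for a censored host, answered
    # with a block page without any handshake
    {"responder": "203.0.113.7", "port": 80, "client_flags": "PS",
     "handshake_done": False, "req_bytes": 80, "resp_bytes": 6000},
    {"responder": "203.0.113.7", "port": 80, "client_flags": "PS",
     "handshake_done": False, "req_bytes": 80, "resp_bytes": 6000},
    # middlebox that falls into a self-sustaining loop: one packet, endless replies
    {"responder": "203.0.113.99", "port": 80, "client_flags": "PS",
     "handshake_done": False, "req_bytes": 80, "resp_bytes": 500_000},
]


def find_reflectors(flows, min_ratio=10.0, loop_bytes=100_000):
    """Return {(responder, port): (label, amplification_ratio)} for hosts that
    reply with substantial data to packets that never completed a handshake.

    Flows with a completed handshake are ignored on purpose: the third packet
    proves the client address was real, so they cannot be abused by spoofing.
    Thresholds are assumptions of this example.
    """
    sent = defaultdict(int)
    got = defaultdict(int)
    looping = set()
    for f in flows:
        if f["handshake_done"]:
            continue
        key = (f["responder"], f["port"])
        sent[key] += f["req_bytes"]
        got[key] += f["resp_bytes"]
        if f["resp_bytes"] >= loop_bytes:
            looping.add(key)  # a single packet produced a flood: routing-loop behaviour
    result = {}
    for key in sent:
        ratio = got[key] / sent[key]
        if ratio >= min_ratio:
            label = "looping-reflector" if key in looping else "reflector"
            result[key] = (label, round(ratio, 1))
    return result


if __name__ == "__main__":
    for (host, port), (label, ratio) in find_reflectors(SAMPLE_FLOWS).items():
        print(f"{host}:{port} {label} amplification {ratio}x")
```

The well-behaved server drops out with a ratio of 1.0 because its only handshake-free reply is the SYN+ACK itself; the two middleboxes stand out, and the looping one is labelled separately because one packet is enough to keep it flooding.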
Tomi Engdahl says:
Bloomberg:
TikTok suspends livestreaming and new content uploads in Russia in response to the country’s new law that would impose prison terms for spreading “fake news”
https://www.bloomberg.com/news/articles/2022-03-06/tiktok-says-it-is-suspending-livestreaming-in-russia
Tomi Engdahl says:
Oy Teboil Ab asked the newspaper Kaleva to replace war-related words with terms friendlier to Russia https://www.is.fi/autot/art-2000008667168.html
Tomi Engdahl says:
Comment: The war threatens stability beyond Europe as well; hell could spread https://www.is.fi/ulkomaat/art-2000008666662.html
Tomi Engdahl says:
Britain: Russia is now striking Ukrainian media; the Kharkiv TV tower was bombed https://www.is.fi/digitoday/art-2000008664463.html
Tomi Engdahl says:
https://www.reuters.com/technology/ukraine-gets-starlink-internet-terminals-friendly-warning-about-safety-2022-02-28/
Tomi Engdahl says:
Cyber war in Ukraine: what has happened and what happens next? https://www.is.fi/digitoday/tietoturva/art-2000008666529.html
Tomi Engdahl says:
Android’s March 2022 Security Updates Patch 39 Vulnerabilities
https://www.securityweek.com/androids-march-2022-security-updates-patch-39-vulnerabilities
Google this week announced the release of patches for 39 vulnerabilities as part of the March 2022 security update for Android.
The most serious vulnerability is CVE-2021-39708, a remotely exploitable elevation of privilege issue identified in the System component.
“The most severe of these issues is a critical security vulnerability in the System component that could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation,” Google notes in its advisory.
The first part of this month’s set of patches arrives on devices as the 2022-03-01 security patch level and addresses CVE-2021-39708, along with 17 other bugs.
https://source.android.com/security/bulletin/2022-03-01
Tomi Engdahl says:
Millions of APC Smart UPS Devices Can Be Remotely Hacked, Damaged
https://www.securityweek.com/millions-apc-smart-ups-devices-can-be-remotely-hacked-damaged
Uninterruptible power supply (UPS) products made by Schneider Electric subsidiary APC are affected by critical vulnerabilities that can be exploited to remotely hack and damage devices, according to enterprise device security company Armis.
Armis researchers have identified three vulnerabilities in APC Smart-UPS devices, which they collectively named TLStorm.
APC says it has sold more than 20 million UPS devices worldwide and data from Armis shows that nearly 80% of companies are exposed to TLStorm attacks. UPS devices are used in data centers, hospitals and industrial facilities, and attacks targeting these systems can have serious consequences.
Armis researchers have analyzed the communications between the APC Smart-UPS devices and their remote management services, and discovered vulnerabilities in the TLS implementation and a design flaw related to firmware upgrades.
One security hole, tracked as CVE-2022-22806, has been described as a TLS authentication bypass issue that can lead to remote code execution. The second TLS-related flaw, CVE-2022-22805, has been described as a buffer overflow related to packet reassembly and it can also lead to remote code execution.
These vulnerabilities can be exploited remotely — including from the internet — by an unauthenticated attacker to “alter the operations of the UPS to physically damage the device itself or other assets connected to it,” Armis said.
The third vulnerability, CVE-2022-0715, is related to unsigned firmware updates. Due to the fact that firmware updates are not cryptographically signed, an attacker could create a malicious piece of firmware and install it from a USB drive, the network and even from the internet.
“This can allow attackers to establish long-lasting persistence on such UPS devices that can be used as a stronghold within the network from which additional attacks can be carried,” Armis explained.
In a security advisory released on Tuesday, Schneider Electric said the vulnerabilities, which have been classified as “critical” and “high severity,” impact SMT, SMC, SCL, SMX, SRT, and SMTL series products. The company has started releasing firmware updates that contain patches for these vulnerabilities. In the case of products for which firmware patches are not available, Schneider has provided a series of mitigations for reducing the risk of exploitation.
TLStorm
https://www.armis.com/research/tlstorm/
Three critical vulnerabilities discovered in APC Smart-UPS devices can allow attackers to remotely manipulate the power of millions of enterprise devices.
Armis has discovered a set of three critical zero-day vulnerabilities in APC Smart-UPS devices that can allow remote attackers to take over Smart-UPS devices and carry out extreme attacks targeting both physical devices and IT assets. Uninterruptible power supply (UPS) devices provide emergency backup power for mission-critical assets and can be found in data centers, industrial facilities, hospitals and more.
APC is a subsidiary of Schneider Electric, and is one of the leading vendors of UPS devices with over 20 million devices sold worldwide. If exploited, these vulnerabilities, dubbed TLStorm, allow for complete remote take-over of Smart-UPS devices and the ability to carry out extreme cyber-physical attacks. According to Armis data, almost 8 out of 10 companies are exposed to TLStorm vulnerabilities. This blog post provides a high-level overview of this research and its implications.
Attackers can remotely take over devices via the Internet.
The latest APC Smart-UPS models are controlled through a Cloud connection. Armis researchers found that an attacker exploiting the TLStorm vulnerabilities could remotely take over devices via the Internet without any user interaction or signs of attack. As a result, attackers can perform a remote-code execution (RCE) attack on a device, which in turn could be used to alter the operations of the UPS to physically damage the device itself or other assets connected to it.
Schneider Electric Security Notification
08-Mar-22 Document Reference Number: SEVD-2022-067-02
APC Smart-UPS SMT, SMC, SMX, SCL, SMTL and SRT Series
https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-067-02
Tomi Engdahl says:
CISA Urges Organizations to Patch Recent Firefox Zero-Days
https://www.securityweek.com/cisa-urges-organizations-patch-recent-firefox-zero-days
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday announced the inclusion of 11 security holes in its Known Exploited Vulnerabilities Catalog.
CISA created the list – which now contains roughly 500 flaws – to help federal agencies prioritize patching within their environments. CISA told SecurityWeek it has evidence of in-the-wild exploitation for all of the security issues on the list.
The most recent of the newly added bugs are two zero-day vulnerabilities in Firefox, for which Mozilla issued an emergency update over the weekend.
Tracked as CVE-2022-26485 and CVE-2022-26486 and rated “critical severity,” the security holes are described as use-after-free issues. This type of flaw usually leads to arbitrary code execution.
Firefox 97.0.2, Firefox ESR 91.6.1, Firefox for Android 97.3.0, and Focus 97.3.0 address the bugs and federal agencies have until March 21 to update to a patched version. By default, Firefox is configured to automatically install updates and manual patching is required only if this default setting is disabled.
Tomi Engdahl says:
Dan Goodin / Ars Technica:
Linux developers fix Dirty Pipe, a high-severity vulnerability in the kernel that let hackers carry out a host of malicious actions, like installing backdoors — Dirty Pipe has the potential to smudge people using Linux and Linux derivatives. — Linux has yet another high-severity vulnerability …
https://arstechnica.com/information-technology/2022/03/linux-has-been-bitten-by-its-most-high-severity-vulnerability-in-years/
When Nobody becomes all-powerful
The name Dirty Pipe is meant to both signal similarities to Dirty Cow and provide clues about the new vulnerability’s origins. “Pipe” refers to a pipeline, a Linux mechanism for one OS process to send data to another process. In essence, a pipeline is two or more processes that are chained together so that the output text of one process (stdout) is passed directly as input (stdin) to the next one.
Tracked as CVE-2022-0847, the vulnerability came to light when a researcher for website builder CM4all was troubleshooting a series of corrupted files that kept appearing on a customer’s Linux machine. After months of analysis, the researcher finally found that the customer’s corrupted files were the result of a bug in the Linux kernel.
The researcher—Max Kellermann of CM4all parent company Ionos—eventually figured out how to weaponize the vulnerability to allow anyone with an account—including least privileged “nobody” accounts—to add an SSH key to the root user’s account. With that, the untrusted user could remotely access the server with an SSH window that has full root privileges.
Tomi Engdahl says:
The vulnerability first appeared in Linux kernel version 5.8, which was released in August 2020. The vulnerability persisted until last month, when it was fixed with the release of versions 5.16.11, 5.15.25, and 5.10.102.
https://arstechnica.com/information-technology/2022/03/linux-has-been-bitten-by-its-most-high-severity-vulnerability-in-years/
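The comment above gives the affected range for CVE-2022-0847: introduced in 5.8, fixed in 5.16.11, 5.15.25 and 5.10.102. The following is an added example, not from the Ars Technica article or from the kernel developers: a screening check that classifies a `uname -r` string against those numbers. The treatment of 5.17 and later as not affected, and the "check-distro-backport" answer for stable branches the article does not list, are assumptions of the example; distribution kernels often backport fixes without changing the upstream version string, so this is a triage aid and not a substitute for the vendor's advisory.

```python
import re

# Boundaries taken from the reporting above; everything else is an assumption.
FIRST_AFFECTED = (5, 8, 0)
FIXED_IN = {(5, 16): (5, 16, 11), (5, 15): (5, 15, 25), (5, 10): (5, 10, 102)}
MAINLINE_FIXED = (5, 17, 0)   # assumption: mainline carried the fix before the 5.17 release


def parse_kernel_release(release):
    """Turn '5.16.11-arch1-1' or '5.4.0-100-generic' into a (major, minor, patch) tuple."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def dirty_pipe_status(release):
    """Classify a kernel release string against the CVE-2022-0847 ranges.

    Returns one of 'not-affected', 'patched', 'vulnerable' or
    'check-distro-backport'. Distro kernels (e.g. 5.13.0-30-generic) keep an
    old upstream version even when the fix has been backported, so the last
    answer means: consult the distribution's own advisory.
    """
    version = parse_kernel_release(release)
    if version < FIRST_AFFECTED or version >= MAINLINE_FIXED:
        return "not-affected"
    branch = version[:2]
    if branch in FIXED_IN:
        return "patched" if version >= FIXED_IN[branch] else "vulnerable"
    return "check-distro-backport"


if __name__ == "__main__":
    import platform
    running = platform.release()
    print(f"{running}: {dirty_pipe_status(running)}")
```

The branch-aware comparison matters: a naive "is it older than 5.16.11" test would wrongly call 5.15.25 vulnerable and 5.15.24 patched, because stable branches are fixed independently.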
Tomi Engdahl says:
Duncan Riley / SiliconANGLE:
Cloudflare, CrowdStrike, and Ping Identity form the Critical Infrastructure Defense Project, offering their services to US hospitals and utilities for free — Cloudflare Inc., CrowdStrike Holdings Inc. and Ping Identity Corp. today are teaming up to form the Critical Infrastructure Defense Project …
Cloudflare, CrowdStrike and Ping Identity to provide free cybersecurity to vulnerable industries
https://siliconangle.com/2022/03/07/cloudflare-cloudstrike-ping-identity-provide-free-cybersecurity-vulnerable-industries/
Cloudflare Inc., CrowdStrike Holdings Inc. and Ping Identity Corp. today are teaming up to form the Critical Infrastructure Defense Project, a project that will provide free cybersecurity services to vulnerable industries.
The project is designed to enhance defenses against critical areas of enterprise risk. Under the project, eligible organizations will have access to the full suite of Cloudflare zero-trust security solutions, endpoint protection and intelligence services from CrowdStrike and zero-trust identity solutions from Ping Identity.
In addition, in collaboration with core partners across the public sector, the project will also offer an easy-to-follow roadmap that businesses in any industry can use to implement step-by-step security measures to defend themselves from cyberattacks.
https://criticalinfrastructuredefense.org/
Tomi Engdahl says:
Mandiant:
Google acquires cybersecurity company Mandiant for ~$5.4B, or $23 per share, in an all-cash deal set to close later in 2022; Mandiant will join Google Cloud — Acquisition to bring Google speed and scale to Mandiant’s unparalleled intelligence and expertise – at a time when security has never been more important
Google to Acquire Mandiant
https://www.mandiant.com/company/press-release/mgc
RESTON, Va., March 8, 2022 – Mandiant, Inc. (NASDAQ: MNDT) today announced that it has entered into a definitive agreement to be acquired by Google LLC for $23.00 per share in an all-cash transaction valued at approximately $5.4 billion, inclusive of Mandiant’s net cash. The offer price represents a 57% premium to the undisturbed 10-day trailing volume weighted average price as of February 7, 2022, the last full trading day prior to published market speculation regarding a potential sale of the Company. Upon the close of the acquisition, Mandiant will join Google Cloud.
Tomi Engdahl says:
Adi Robertson / The Verge:
Google releases the code for its open-source Harassment Manager, which helps journalists and other public figures manage abusive comments, starting with Twitter — Starting with Thomson Reuters Foundation reporters in June — Google’s Jigsaw unit is releasing the code …
Google is releasing an open source harassment filter for journalists
Starting with Thomson Reuters Foundation reporters in June
https://www.theverge.com/2022/3/8/22966204/google-jigsaw-perspective-ai-twitter-moderation-harassment-manager-journalists?scrolla=5eb6d68b7fedc32c19ef33b4
Tomi Engdahl says:
Richard Lawler / The Verge:
After experiencing an outage on Tuesday, Spotify says it is back up, and Discord says its services are coming back online with some limitations
Spotify and Discord are coming back online after outages
Unrelated issues disconnected both services this afternoon
https://www.theverge.com/2022/3/8/22967531/spotify-discord-logout-outage-offline-server-problem?scrolla=5eb6d68b7fedc32c19ef33b4
If you can’t connect to Spotify or Discord, then no, it’s not just you or your internet connection. Both services acknowledged problems on Tuesday afternoon. However, this time, the culprit doesn’t appear to be any kind of massive DNS or Amazon Web Services (AWS) problem. Sure, Apple’s event servers are still operational, and we haven’t lost access to security cameras or robot vacuums, but the coincidence is still unusual.
According to Discord, after restarting its streaming service to fix one problem, a new issue caused a failure of its API, and as of about 30 minutes ago, they were still investigating. The Spotify Status account tweeted at 1:22PM ET that “we’re looking into it” but didn’t offer any other details about what’s going on.
Tomi Engdahl says:
Kelsey Ables / Washington Post:
Some international news outlets circumvent Russia’s censorship by pointing readers to VPNs, the encrypted Tor browser, and in the BBC’s case, shortwave radio
https://www.washingtonpost.com/media/2022/03/05/international-news-media-response-russian-censorship/
Tomi Engdahl says:
Joseph Menn / Washington Post:
Google: Russia’s Fancy Bear launched phishing campaigns against Ukrainians before the invasion and Belarus’ Ghostwriter targeted Ukrainian and Polish militaries — Belarus conducted widespread phishing attacks against members of the Polish military as well as Ukrainian officials …
https://www.washingtonpost.com/technology/2022/03/07/russia-belarus-conducted-widespread-phishing-campaigns-ukraine-google-says/
Tomi Engdahl says:
Alongside Spotify, numerous other app giants have suffered problems; cause unknown https://www.is.fi/digitoday/art-2000008668946.html
https://downdetector.fi/
Tomi Engdahl says:
Is Telegram secure? The silence that has lasted since the start of the war has been broken https://www.is.fi/digitoday/tietoturva/art-2000008666954.html
Tomi Engdahl says:
https://krebsonsecurity.com/2022/03/internet-backbone-giant-lumen-shuns-ru/
Lumen Technologies, an American company that operates one of the largest Internet backbones and carries a significant percentage of the world’s Internet traffic, said today it will stop routing traffic for organizations based in Russia. Lumen’s decision comes just days after a similar exit by backbone provider Cogent, and amid a news media crackdown in Russia that has already left millions of Russians in the dark about what is really going on with their president’s war in Ukraine.
Tomi Engdahl says:
Spotify went down; the cause appears starkly simple https://www.is.fi/digitoday/art-2000008669441.html
Tomi Engdahl says:
U.S. State Governments Targeted by Chinese Hackers via Zero-Day in Agriculture Tool
https://www.securityweek.com/us-state-governments-targeted-chinese-hackers-zero-day-agriculture-tool
A threat group believed to be sponsored by the Chinese government has breached the networks of U.S. state governments, including through the exploitation of a zero-day vulnerability.
In a blog post published on Tuesday, cybersecurity research and incident response company Mandiant said it became aware of the campaign in May 2021, when it was called in to investigate an attack on a U.S. state government network.
An analysis revealed that the attack had likely been carried out by a Chinese state-sponsored threat group known as APT41, Barium, Winnti, Double Dragon, Wicked Panda, and various other names. This prolific threat actor has conducted both cyberespionage operations and financially-motivated attacks, and is known for its sophisticated tools and techniques.
Mandiant has confirmed that the hackers have compromised the networks of at least six U.S. state government organizations between May 2021 and February 2022. The precise goal of the campaign remains unknown, but the fact that the attackers target governments and steal personal information suggests espionage.
The company’s investigation uncovered the use of new techniques, malware, evasion methods and capabilities.
Tomi Engdahl says:
SAP Patches Critical Security Flaws in Monitoring Solutions
https://www.securityweek.com/sap-patches-critical-security-flaws-monitoring-solutions
Tomi Engdahl says:
Patch Tuesday: Microsoft Fixes Multiple Code Execution Flaws
https://www.securityweek.com/patch-tuesday-microsoft-fixes-multiple-code-execution-flaws
Microsoft’s Patch Tuesday bundle for this month is a big one: 74 documented vulnerabilities in multiple Windows products and components, some serious enough to lead to remote code execution attacks.
The Redmond, Wash.-based software giant cautioned that exploit code is publicly available for three of the patched vulnerabilities — remote code execution bugs in Remote Desktop Client and .NET and Visual Studio, and a privilege escalation flaw in the Windows Fax and Scan service.
“In the case of a Remote Desktop connection, an attacker with control of a Remote Desktop Server could trigger a remote code execution (RCE) on the RDP client machine when a victim connects to the attacking server with the vulnerable Remote Desktop Client,” Microsoft explained in an ‘important’ advisory.
The March patch batch contains fixes for three issues rated “critical,” Microsoft’s highest severity rating. These include remote code execution vulnerabilities in Microsoft Exchange Server and the HEVC and VP0 video extensions.
Microsoft said it had no evidence that any of the vulnerabilities were exploited in the wild as zero-day.
Tomi Engdahl says:
Adobe Patches ‘Critical’ Security Flaws in Illustrator, After Effects
https://www.securityweek.com/adobe-patches-critical-security-flaws-illustrator-after-effects
Tomi Engdahl says:
FBI Warns of RagnarLocker Ransomware Attacks on Critical Infrastructure
https://www.securityweek.com/fbi-warns-ragnarlocker-ransomware-attacks-critical-infrastructure
The Federal Bureau of Investigation (FBI) this week published an alert to provide additional information on the RagnarLocker ransomware, along with indicators of compromise (IoCs) associated with the malware.
Active since the spring of 2020, the ransomware has been involved in numerous cyberattacks, including the attack on Capcom in November 2020.
According to the FBI, at least 52 entities across 10 critical infrastructure sectors have been infected with this malware family, including organizations in the energy, financial services, government, information technology, and manufacturing industries.
“RagnarLocker ransomware actors work as part of a ransomware family, frequently changing obfuscation techniques to avoid detection and prevention,” the FBI says in its alert.
The malware relies on VMProtect, UPX, and custom packing algorithms and is typically deployed on compromised systems within a custom virtual machine. It also uses the Windows API GetLocaleInfoW to identify the system’s location and terminates its process if the computer is in specific countries.
On the compromised machines, RagnarLocker checks for current infections to prevent potential corruption of the data, identifies attached hard drives, iterates through all running processes and terminates those associated with remote administration, and then attempts to delete all Volume Shadow copies, to prevent data recovery.
Next, the ransomware encrypts all data of interest – it avoids encrypting files in specific folders – and then leaves a .txt ransom note to provide the victim with instructions on how to pay the ransom.
RagnarLocker Ransomware Indicators of Compromise
https://www.ic3.gov/Media/News/2022/220307.pdf
The FBI first became aware of RagnarLocker in April 2020 and subsequently produced a FLASH to disseminate known indicators of compromise (IOCs) at that time. This FLASH provides updated and additional IOCs to supplement that report. As of January 2022, the FBI has identified at least 52 entities across 10 critical infrastructure sectors affected by RagnarLocker ransomware, including entities in the critical manufacturing, energy, financial services, government, and information technology sectors. RagnarLocker ransomware actors work as part of a ransomware family, frequently changing obfuscation techniques to avoid detection and prevention.
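The SecurityWeek summary above lists two pre-encryption behaviours worth alerting on regardless of which packer RagnarLocker uses this month: terminating remote-administration processes and deleting Volume Shadow copies. The following is an added example, not from the FBI FLASH or the article: detection logic run over a few constructed process-creation events. The specific command lines matched (vssadmin, wmic, wbadmin, WMI Win32_ShadowCopy) and the list of remote-admin tool names are common techniques assumed by the example; the FLASH does not state which commands this family uses, so tune the patterns to the IOCs in the PDF.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events in Sysmon-like fields. These are
# made up for the example, not taken from an incident or from the FBI IOCs.
SAMPLE_EVENTS = [
    {"pid": 1201, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet",
     "parent": r"C:\Users\a\Downloads\x.exe"},
    {"pid": 1202, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete",
     "parent": r"C:\Users\a\Downloads\x.exe"},
    {"pid": 1203, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows",          # benign admin enumeration
     "parent": r"C:\Windows\explorer.exe"},
    {"pid": 1204, "image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": "taskkill /F /IM TeamViewer.exe",
     "parent": r"C:\Users\a\Downloads\x.exe"},
    {"pid": 1205, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe README.txt",
     "parent": r"C:\Windows\explorer.exe"},
]

# Assumed patterns: common shadow-copy deletion methods and remote-admin tool
# names. The original reporting does not list the exact commands.
RULES = [
    ("shadow-copy-deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow-copy-deletion", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("shadow-copy-deletion", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("shadow-copy-deletion", re.compile(r"win32_shadowcopy.*\bdelete\b", re.I)),
    ("remote-admin-kill", re.compile(
        r"taskkill(\.exe)?\s+.*\b(teamviewer|anydesk|vnc|logmein|connectwise)", re.I)),
]


def detect(events):
    """Return [(pid, rule_name)] for events whose command line matches a rule."""
    hits = []
    for event in events:
        for name, pattern in RULES:
            if pattern.search(event["cmdline"]):
                hits.append((event["pid"], name))
                break  # one hit per event is enough
    return hits


def suspicious_parents(events, min_distinct_rules=2):
    """Correlate hits by parent process: a single parent that both kills
    remote-admin tools and deletes shadow copies is the pre-encryption stage
    described in the reporting, not an admin running one command."""
    per_parent = defaultdict(set)
    for event in events:
        for name, pattern in RULES:
            if pattern.search(event["cmdline"]):
                per_parent[event["parent"]].add(name)
    return {parent: sorted(rules) for parent, rules in per_parent.items()
            if len(rules) >= min_distinct_rules}


if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
    for parent, rules in suspicious_parents(SAMPLE_EVENTS).items():
        print(f"escalate: {parent} -> {', '.join(rules)}")
```

Per-event hits on vssadmin are noisy on their own, since backup and storage administrators run the same commands; the parent-process correlation is what turns them into a high-confidence alert.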
Tomi Engdahl says:
Strange disturbances in satellite positioning; Traficom is monitoring
https://www.uusiteknologia.fi/2022/03/09/satelliittipaikannuksessa-outoja-hairioita-traficom-seuraa/
- 9.3.2022
According to the Finnish Transport and Communications Agency (Traficom), an exceptionally large number of observations of disturbances in satellite-based GPS positioning have been reported near the eastern border. The cause of the disturbances is not yet known, but Traficom is monitoring the situation and gathering more information.
In its role as an authority, Traficom has received reports of GPS disturbances from several aircraft through incident reporting since last weekend. The disturbances began over the weekend and are still continuing.
On Tuesday several aircraft reported GPS signal disturbances to Traficom along the Mikkeli-Jyväskylä-Kuopio axis. In addition, an aircraft of the Lithuanian operator Transaviabaltika has been unable to fly from Tallinn to Savonlinna for three days.
On Monday Traficom asked Fintraffic's air navigation services to issue a notice to airmen (NOTAM) after the agency received observations of GPS disturbances. A NOTAM is a way of informing pilots of matters that must be taken into account for flight safety.
Tomi Engdahl says:
It’s not WW3. Spotify, Discord, Google Cloud had a wobble https://www.theregister.com/2022/03/08/spotify_discord_outage/
Spotify, Discord, Google Cloud, and possibly some other online services suffered technical breakdowns today, preventing netizens from using them as expected. It may well be that Google Cloud’s intermittent issues caused a knock-on effect for Discord and Spotify today. “We have seen reports,” a Cloudflare spokesperson told The Register. “We don’t see any issues with Cloudflare’s systems and traffic is flowing normally. There’s no evidence of an increase in attack traffic. Some services where outages are being reported are not Cloudflare customers, so it’s unlikely Cloudflare is the cause.”
Tomi Engdahl says:
Cloudflare to auto-brick servers that go offline in Ukraine, Russia https://www.bleepingcomputer.com/news/security/cloudflare-to-auto-brick-servers-that-go-offline-in-ukraine-russia/
To protect client data during the ongoing conflicts, Cloudflare has removed all customer encryption keys from data centers located in Ukraine, Russia, and Belarus, and deployed its “Keyless SSL” technology. This technology enables organizations to use a cloud vendor for SSL/TLS encryption without giving them the master key. The system moves the private key handshake off of the vendor’s server and replaces it with secure “session keys”. The second measure is the addition of a forceful configuration on all servers located in Ukraine, Belarus, and Russia, to automatically brick in the case of a power loss or internet connection disruption.
Tomi Engdahl says:
Chinese Hackers Launch Attacks On European Officials In Russia-Ukraine War https://www.forbes.com/sites/thomasbrewster/2022/03/08/chinese-hackers-ramp-up-europe-attacks-in-time-with-russia-ukraine-war/
Google reported on Monday that a Chinese group called Mustang Panda targeted European entities with lures related to Russia’s invasion of Ukraine. The company’s Threat Analysis Group (TAG) spotted phishing emails with malicious attached files with names such as ‘Situation at the EU borders with Ukraine.zip’. Google said it had also seen Russian and Belarusian groups launching attacks centered on the Ukraine invasion. One, dubbed FancyBear or APT28, was previously attributed to Russia’s GRU intelligence agency. According to Google, it’s now launched “several large credential phishing campaigns targeting ukr.net users.” UkrNet is a Ukrainian media organization.
Tomi Engdahl says:
The Good, the Bad, and the Web Bug: TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates https://www.proofpoint.com/us/blog/threat-insight/good-bad-and-web-bug-ta416-increases-operational-tempo-against-european
Proofpoint researchers have identified ongoing activity by the China-aligned APT actor TA416 in which the group is targeting European diplomatic entities, including an individual involved in refugee and migrant services. This targeting is consistent with other activity reported by Proofpoint, showing an interest in refugee policies and logistics across the APT actor landscape which coincides with increased tensions and now armed conflict between Russia and Ukraine.
Tomi Engdahl says:
Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments https://www.mandiant.com/resources/apt41-us-state-governments
In May 2021 Mandiant responded to an APT41 intrusion targeting a United States state government computer network. This was just the beginning of Mandiant’s insight into a persistent months-long campaign conducted by APT41 using vulnerable Internet facing web applications as their initial foothold into networks of interest. APT41 is a prolific Chinese state-sponsored espionage group known to target organizations in both the public and private sectors and also conducts financially motivated activity for personal gain. In this blog post, we detail APT41′s persistent effort that allowed them to successfully compromise at least six U.S. state government networks by exploiting vulnerable Internet facing web applications, including using a zero-day vulnerability in the USAHerds application as well as the now infamous zero-day in Log4j.
Tomi Engdahl says:
DDoS attacks now use new record-breaking amplification vector https://www.bleepingcomputer.com/news/security/ddos-attacks-now-use-new-record-breaking-amplification-vector/
For this new DDoS method, threat actors are abusing a vulnerability tracked as CVE-2022-26143 in a driver used by Mitel devices that incorporate the TP-240 VoIP interface, such as MiVoice Business Express and MiCollab. Akamai has counted 2,600 exposed Mitel devices currently vulnerable to this amplification flaw, while the vendor is already handling remediation with the customers. One notable difference of this vector against most UDP reflection methodologies is that it can sustain lengthy DDoS attacks, lasting for up to 14 hours.
When evaluated from this perspective, the packet amplification ratio reaches 4,294,967,296:1, and the attack traffic can go up to 400 mpps with a sustained flood of 393 Mb/sec. See also:
https://www.akamai.com/blog/security/phone-home-ddos-attack-vector
Tomi Engdahl says:
Google’s $5.4 Billion Acquisition Of Cybersecurity Firm Mandiant Comes As Tech Leaders Brace For Escalating Digital Threats https://www.forbes.com/sites/martingiles/2022/03/08/googles-54-billion-acquisition-of-cybersecurity-firm-mandiant-comes-as-tech-leaders-brace-for-escalating-digital-threats/
Google has announced it’s buying prominent cybersecurity firm Mandiant in an all-cash transaction that values the business at $5.4 billion.
The deal, which is slated to close later this year, sees Google snap up a coveted prize at a time when Russia’s war in Ukraine is fueling widespread concern about rising cyberthreats. Google’s bid for Mandiant comes a few weeks after rumors that Microsoft, a major rival in security and cloud computing, had been eyeing the business to further strengthen its own security offerings.
Tomi Engdahl says:
Richard Lawler / The Verge:
After experiencing outages on Tuesday, Spotify and Discord say their services have been restored — Unrelated issues disconnected both services this afternoon — If you can’t connect to Spotify or Discord, then no, it’s not just you or your internet connection. Both services acknowledged problems on Tuesday afternoon.
Spotify and Discord are back online after outages linked to Google Cloud
Google Cloud problems disconnected both services this afternoon
https://www.theverge.com/2022/3/8/22967531/spotify-discord-logout-outage-offline-server-problem?scrolla=5eb6d68b7fedc32c19ef33b4
Tomi Engdahl says:
Microsoft Warns of Spoofing Vulnerability in Defender for Endpoint
https://www.securityweek.com/microsoft-warns-spoofing-vulnerability-defender-endpoint
Tomi Engdahl says:
16 Vulnerabilities Found in Firmware of HP Enterprise Devices
https://www.securityweek.com/16-vulnerabilities-found-firmware-hp-enterprise-devices
Firmware security company Binarly has discovered more than a dozen potentially serious vulnerabilities affecting UEFI firmware present on devices from HP and possibly other vendors.
A total of 16 CVE identifiers have been assigned to the vulnerabilities, which have been described as stack overflow, heap overflow, and memory corruption bugs affecting the UEFI Runtime Driver eXecution Environment (DXE) and System Management Mode (SMM) components. All of these security holes have been assigned “high severity” ratings.
The flaws affect a wide range of enterprise products made by HP, including desktop, laptop, point-of-sale, and edge computing devices.
According to Binarly, exploitation can allow an attacker with privileged user permissions to execute arbitrary code in the firmware, which can be useful for delivering persistent malware and bypassing endpoint security products, Secure Boot, and virtualization-based security.
HP also said that exploitation could lead to denial of service (DoS) and information disclosure.
“All of these vulnerabilities can be exploited as a secondary stage to gain additional persistence or bypass virtualization-based memory isolation,” Claudiu Teodorescu, CTO of Binarly, told SecurityWeek.
Tomi Engdahl says:
Mitel Devices Abused for DDoS Vector With Record-Breaking Amplification Ratio
https://www.securityweek.com/mitel-devices-abused-ddos-vector-record-breaking-amplification-ratio
Mitel enterprise collaboration products have been abused for distributed denial-of-service (DDoS) attacks that employ a new vector with a massive potential amplification ratio.
Researchers from Akamai, Cloudflare, Lumen, NETSCOUT, Team Cymru, TELUS, and The Shadowserver Foundation have analyzed the attacks and they have released a blog post detailing their findings. Mitel has released an advisory and security bulletins describing impact on its products.
According to the organizations that investigated these DDoS attacks, malicious actors are abusing incorrectly provisioned Mitel MiCollab and MiVoice Business Express collaboration systems. The targeted devices incorporate TP-240 VoIP-processing interface cards and they are primarily used for internet-based site-to-site voice connectivity for PBX systems.
While tens of thousands of these Mitel devices are deployed in government and private sector organizations worldwide, researchers have identified only roughly 2,600 systems that have been incorrectly provisioned and exposed to the internet.
The attack method has been named TP240PhoneHome and the underlying vulnerability has been assigned the CVE identifier CVE-2022-26143.
“The abused service on affected Mitel systems is called tp240dvr (TP-240 driver) and appears to run as a software bridge to facilitate interactions with TDM/VoIP PCI interface cards. The service listens for commands on UDP/10074 and is not meant to be exposed to the internet, as confirmed by the manufacturer of these devices. It is this exposure to the internet that ultimately allows it to be abused,” researchers explained.
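A defender-side triage of flow records for the exposure described above, written for this thread as an added example (not the researchers' or Mitel's code): it flags local hosts reachable on UDP/10074 from outside and computes a per-device out/in byte ratio, which reflection abuse makes huge. The CSV flow format, the local prefixes and the sample records are all constructed assumptions.

```python
"""Flow-record triage for TP240PhoneHome exposure (added example).
Flow lines are a made-up 'src,dst,proto,sport,dport,packets,bytes' CSV;
adapt parse_flow() to your own NetFlow/IPFIX export. Facts used from the
write-up: tp240dvr listens on UDP/10074 and must not face the internet."""

import ipaddress
from collections import defaultdict

TP240_PORT = 10074
# Assumed local address space; TEST-NET addresses below stand in for "internet".
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
              ipaddress.ip_network("192.168.0.0/16")]

def is_external(addr):
    """True when addr lies outside the configured local networks."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in LOCAL_NETS)

def parse_flow(line):
    """Parse one constructed flow record into a dict."""
    src, dst, proto, sport, dport, pkts, nbytes = line.strip().split(",")
    return {"src": src, "dst": dst, "proto": proto.upper(), "sport": int(sport),
            "dport": int(dport), "packets": int(pkts), "bytes": int(nbytes)}

def analyze(lines):
    """Return (exposed_devices, ratios): local hosts that accepted UDP/10074
    from outside, and per device the bytes sent from UDP/10074 to external
    hosts divided by bytes received there from external hosts. Normal use
    keeps the ratio near 1; reflection abuse makes it enormous."""
    seen_in, sent_out, exposed = defaultdict(int), defaultdict(int), set()
    for line in lines:
        f = parse_flow(line)
        if f["proto"] != "UDP":
            continue  # the abused service is UDP-only
        if f["dport"] == TP240_PORT and is_external(f["src"]):
            exposed.add(f["dst"])
            seen_in[f["dst"]] += f["bytes"]
        elif f["sport"] == TP240_PORT and is_external(f["dst"]):
            sent_out[f["src"]] += f["bytes"]
    ratios = {dev: sent_out[dev] / max(seen_in[dev], 1) for dev in sent_out}
    return exposed, ratios

# Constructed sample: one external probe, a large reflected flood back out,
# ordinary internal traffic, and a TCP record that must be ignored.
FLOWS = [
    "203.0.113.7,10.20.0.5,udp,40000,10074,1,60",
    "10.20.0.5,203.0.113.7,udp,10074,40000,120000,1080000",
    "10.20.0.9,10.20.0.5,udp,5000,10074,4,240",
    "10.20.0.5,10.20.0.9,udp,10074,5000,4,240",
    "203.0.113.8,10.20.0.5,tcp,1234,10074,1,60",
]
```

Any device that appears in the exposed set should be moved behind the site-to-site VPN or firewall the vendor advisory expects, regardless of the ratio.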
Tomi Engdahl says:
Siemens Addresses Over 90 Vulnerabilities Affecting Third-Party Components
https://www.securityweek.com/siemens-addresses-over-90-vulnerabilities-affecting-third-party-components
Siemens has released 15 new advisories to inform customers about more than 100 vulnerabilities affecting its products, including over 90 security flaws introduced by the use of third-party components.
Three advisories have an overall severity rating of “critical” and eight have a “high severity” rating. They describe vulnerabilities in Mendix, COMOS, Simcenter, SIMOTICS, SINEC, RUGGEDCOM, and SINUMERIK products.
Five of Siemens’ March 2022 Patch Tuesday advisories cover vulnerabilities affecting third-party components. One of them describes the impact on SINEC INS of 71 security holes affecting components such as Node.js, cURL, SQLite, CivetWeb and BIND.
Another advisory describes over a dozen vulnerabilities affecting COMOS, specifically the Drawings SDK used by the product. The SDK, provided by the Open Design Alliance, is affected by weaknesses that can be triggered for information disclosure and code execution using specially crafted files.
The other three advisories describing third-party component vulnerabilities are related to RUGGEDCOM ROX and ROS devices. The impacted components include NSS and ISC DHCP. Exploitation can lead to code execution, denial of service (DoS), or disclosure of sensitive information.
https://new.siemens.com/global/en/products/services/cert.html#SecurityPublications
Tomi Engdahl says:
Cybersecurity firm says Chinese hackers breached six US state agencies
https://amp.cnn.com/cnn/2022/03/08/politics/china-hacking-state-governments-mandiant/index.html
Washington (CNN) A Chinese government-backed hacking group has breached local government agencies in at least six US states in the last 10 months as part of a persistent information-gathering operation, investigators at cybersecurity firm Mandiant said Tuesday.
The wide range of state agencies targeted include “health, transportation, labor (including unemployment benefit systems), higher education, agriculture, and court networks and systems,” the FBI and US Cybersecurity and Infrastructure Security Agency (CISA) said in a separate, private advisory to state governments obtained by CNN.
Tomi Engdahl says:
Live broadcast in progress: How is the war visible online? Finland's top experts speak https://www.is.fi/digitoday/tietoturva/art-2000008669335.html
Tomi Engdahl says:
Google Blocks Chinese Phishing Campaign Targeting U.S. Government
https://www.securityweek.com/google-blocks-chinese-phishing-campaign-targeting-us-government
Google says it has blocked a phishing campaign originating from China and aimed at Gmail users associated with the U.S. government.
The attacks, Google Threat Analysis Group (TAG) director Shane Huntley said on Tuesday, happened in February and were completely blocked. According to him, TAG has no evidence that these attacks are related to the war in Ukraine.
“In February, we detected an APT31 phishing campaign targeting high profile Gmail users affiliated with the U.S. government. 100% of these emails were automatically classified as spam and blocked by Gmail,” Huntley said.
Also tracked as Zirconium, Judgment Panda, and Red Keres, the Chinese hacking group is known for the targeting of entities in the United States, Canada, and various European countries, including Belarus, Finland, and France. Last year, the group also targeted Russia.
Likely working on behalf of the Chinese government, APT31 was previously observed targeting known vulnerabilities in Microsoft Exchange, and likely acquired and cloned an exploit associated with the NSA-linked Equation Group.