Cyber security news April 2022

This posting is here to collect cyber security news in April 2022.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.

425 Comments

  1. Tomi Engdahl says:

    Russian-linked Android malware records audio, tracks your location
    https://www.bleepingcomputer.com/news/security/russian-linked-android-malware-records-audio-tracks-your-location/
    After receiving the permissions, the spyware removes its icon and runs in the background with only a permanent notification indicating its presence.

    This aspect is quite strange for spyware that should usually strive to remain hidden from the victim, especially if this is the work of a sophisticated APT (advanced persistent threat) group.

    The information collected by the device, including lists, logs, SMS, recordings, and event notifications, are sent in JSON format to the command and control server at 82.146.35[.]240.

    Keep malware out
    Users of Android devices are advised to review the app permissions they have granted, which should be fairly easy on versions from Android 10 and later, and revoke those that appear overly risky.

    Also, starting from Android 12, the OS pushes indications when the camera or microphone is active, so if these appear orphaned, spyware is hiding in your device.

    These tools are particularly dangerous when nesting inside IoTs that run older Android versions, generating money for their remote operators for prolonged periods without anyone realizing the compromise.

    https://www.virustotal.com/gui/file/e0eacd72afe39de3b327a164f9c69a78c9c0f672d3ad202271772d816db4fad8

  2. Tomi Engdahl says:

    ‘Geofence Warrant’ for All Cell Location Data From Area Near Robbery Is Ruled Unconstitutional
    Plus: New rules on sex discrimination in education, economists warn of housing market exuberance, and more…
    https://reason.com/2022/04/01/geofence-warrant-for-all-cell-location-data-from-area-near-robbery-is-ruled-unconstitutional/

    “Geofence warrant” was unconstitutional, says judge. Can the cops use Google location data to find anyone in an area at a given time? That’s what a federal court was asked to decide recently.

    The case stems from a 2019 bank robbery in Virginia. Police got a “geofence warrant” to find anyone who was near the scene around the time the robbery took place.

    U.S. District Judge Hannah Lauck has now held that the search—which relied on cellphone data location histories—violated the Fourth Amendment’s protection against unreasonable searches, since it collected information on myriad people without having any evidence of their involvement in the crime. “The warrant simply did not include any facts to establish probable cause to collect such broad and intrusive data from each of these individuals,” wrote Lauck in her decision.

    The judge stressed that she was ruling on this particular situation—not on geofence warrants broadly—and there could be a situation in which their use was constitutional.

    But “the decision — believed to be the first of its kind — could make it more difficult for police to continue using an investigative technique that has exploded in popularity in recent years,” the Associated Press reports.

    https://news.yahoo.com/geofence-warrant-unconstitutional-judge-rules-230601269.html

  3. Tomi Engdahl says:

    Russia could disrupt Finland’s NATO debate by striking a sore spot https://www.is.fi/digitoday/art-2000008719816.html
    RUSSIA is expected to direct cyber and information influence operations at Finland over the coming months. At a press briefing held on Tuesday, the Finnish Security and Intelligence Service (Suojelupoliisi) said it considers it likely that attempts will be made to influence the NATO debate taking place in Finland in particular. Catharina Candolin, a doctor of technology and cyber security expert, believes that false and negative information will be heard in the NATO debate.

  4. Tomi Engdahl says:

    Google: Russian credential thieves target NATO, Eastern European military https://www.theregister.com/2022/04/01/russian_credential_phishing/
    A Russian cybercrime gang has lately sent credential-phishing emails to the military of Eastern European countries and a NATO Center of Excellence, according to a Google threat report this week.

  5. Tomi Engdahl says:

    Facebook and Apple handed over user data to hackers – the request for help appeared to come from authorities
    https://www.kauppalehti.fi/uutiset/facebook-ja-apple-luovuttivat-kayttajatietoja-hakkereille-apupyynto-naytti-tulevan-viranomaisilta/3437b731-d1ca-48bf-a334-69c313a69c80
    Apple and Meta, Facebook’s parent company, are alleged to have been duped into giving user data to hackers posing as authorities.
    According to the news agency Bloomberg, three sources familiar with the cases have reported on the incidents, but the company does not name its sources in more detail.

  6. Tomi Engdahl says:

    Network equipment company sued the journalist who reported on its data breach, demands over $400,000 in damages https://www.tivi.fi/uutiset/tv/5d870266-7629-4c1e-bb89-967509c832ba
    Network equipment manufacturer Ubiquiti has sued security journalist Brian Krebs over his articles from a year ago. The company accuses Krebs of false reporting claiming that the company tried to cover up having been the target of a data breach in late 2020.
    According to SC Magazine, Ubiquiti is demanding $425,000 in damages from Krebs.

  7. Tomi Engdahl says:

    Beastmode botnet boosts DDoS power with new router exploits https://www.bleepingcomputer.com/news/security/beastmode-botnet-boosts-ddos-power-with-new-router-exploits/
    A Mirai-based distributed denial-of-service (DDoS) botnet tracked as Beastmode (aka B3astmode) has updated its list of exploits to include several new ones, three of them targeting various models of Totolink routers. Totolink is a popular electronics sub-brand belonging to Zioncom that recently released firmware updates to fix three critical-severity vulnerabilities.

  8. Tomi Engdahl says:

    Zyxel Releases Patches for Critical Bug Affecting Business Firewall and VPN Devices https://thehackernews.com/2022/03/zyxel-releases-patches-for-critical-bug.html
    Networking equipment maker Zyxel has pushed security updates for a critical vulnerability affecting some of its business firewall and VPN products that could enable an attacker to take control of the devices.

  9. Tomi Engdahl says:

    New UAC-0056 activity: There’s a Go Elephant in the room https://blog.malwarebytes.com/threat-intelligence/2022/04/new-uac-0056-activity-theres-a-go-elephant-in-the-room/
    UAC-0056 also known as SaintBear, UNC2589 and TA471 is a cyber espionage actor that has been active since early 2021 and has mainly targeted Ukraine and Georgia. The group is known to have performed a wiper attack in January 2022 on multiple Ukrainian government computers and websites.

  10. Tomi Engdahl says:

    GitLab Releases Patch for Critical Vulnerability That Could Let Attackers Hijack Accounts https://thehackernews.com/2022/04/gitlab-releases-patch-for-critical.html
    DevOps platform GitLab has released software updates to address a critical security vulnerability that, if potentially exploited, could permit an adversary to seize control of accounts. Tracked as CVE-2022-1162, the issue has a CVSS score of 9.1 and is said to have been discovered internally by the GitLab team.

  11. Tomi Engdahl says:

    American Express down in outage: users report login and payment issues https://www.bleepingcomputer.com/news/security/american-express-down-in-outage-users-report-login-and-payment-issues/
    Yesterday, American Express users across the world including US, UK, and Europe, experienced widespread outages lasting hours. And, the payment services giant advises that some users may continue to experience issues online or over the phone. The issues reported by users included being unable to log in to their Amex accounts, make payments, or get to an Amex customer service representative over the phone.

  12. Tomi Engdahl says:

    Russian-linked Android malware records audio, tracks your location https://www.bleepingcomputer.com/news/security/russian-linked-android-malware-records-audio-tracks-your-location/
    After receiving the permissions, the spyware removes its icon and runs in the background with only a permanent notification indicating its presence. Researchers from Lab52 identified a malicious APK [VirusTotal] named “Process Manager” that acts as Android spyware, uploading information to the threat actors. While it is not clear how the spyware is distributed, once installed, Process Manager attempts to hide on an Android device using a gear-shaped icon, pretending to be a system component. It is unclear if the malware abuses the Android Accessibility service to grant itself permissions or if it’s tricking the user into approving a request. The information collected by the device, including lists, logs, SMS, recordings, and event notifications, are sent in JSON format to the command and control server at 82.146.35[.]240. The method of distribution for the APK is unknown, but if it is Turla, they commonly use social engineering, phishing, watering hole attacks, etc., so it could be anything.

  13. Tomi Engdahl says:

    Cloud Atlas Maldoc
    https://inquest.net/blog/2022/03/30/cloud-atlas-maldoc
    For several weeks, eyes around the world have been set on the war in Ukraine and events that have transpired as a result. The economic sanctions affecting Russian banks and enterprises are some of many consequences that persist as main talking points across international media outlets. This presented yet another opportunity for attackers to leverage this subject for targeted attacks and/or phishing campaigns.
    We uncovered a very interesting document that was observed impersonating the United States Securities and Exchange Commission. It is our assumption with a high degree of probability that an attacker called Cloud Atlas is responsible for this malicious campaign. We believe that this is one of the malicious tools of the Cloud Atlas APT group. It beacons out to a remote server, waiting for further commands. Initially, this sample collects information about the system it is running on, which is then exfiltrated to the remote server. This attacker has been active for many years, identified in 2014, the group is known for using documents to infect government organizations such as embassies or organizations affiliated with the aerospace industry.

  14. Tomi Engdahl says:

    Trezor wallets hacked? Don’t be duped by phishing attack email https://grahamcluley.com/trezor-wallets-hacked-dont-be-duped-by-phishing-attack-email/
    Owners of hardware Trezor cryptocurrency wallets should be on their guard after an email was sent out by thieves attempting to dupe them into downloading new software to their devices. The emails claim that Trezor, which has been making physical USB-connected devices to protect the cryptocurrency and tokens of users since 2014, “experienced a security incident” yesterday that breached the data of 106.856 of its customers. However, in reality, the email is not from Trezor at all but is instead an attempt to dupe unsuspecting owners of Trezor devices into downloading a bogus version of the company’s desktop suite software from a lookalike website.

  15. Tomi Engdahl says:

    Rehashed NYT yarn on Russian surveillance shot down by Nokia https://itwire.com/business-it-news/business-technology/rehashed-nyt-yarn-on-russian-surveillance-shot-down-by-nokia.html
    Finnish telecommunications equipment provider Nokia has termed as “misleading” claims made by The New York Times about the company’s role in Russia’s lawful intercept system.

  16. Tomi Engdahl says:

    Blockchains Have a ‘Bridge’ Problem, and Hackers Know It https://www.wired.com/story/blockchain-network-bridge-hacks/
    THIS WEEK, THE cryptocurrency network Ronin disclosed a breach in which attackers made off with $540 million worth of Ethereum and USDC stablecoin. The incident, which is one of the biggest heists in the history of cryptocurrency, specifically siphoned funds from a service known as the Ronin Bridge. Successful attacks on “blockchain bridges” have become increasingly common over the past couple of years, and the situation with Ronin is a prominent reminder of the urgency of the problem. Blockchain bridges, also known as network bridges, are applications that allow people to move digital assets from one blockchain to another. Cryptocurrencies are typically siloed and can’t interoperate (you can’t do a transaction on the Bitcoin blockchain using Dogecoin), so “bridges” have become a crucial mechanism, almost a missing link, in the cryptocurrency economy. Ronin discovered the breach that day, but the platform’s “validator nodes” had been compromised on March 23. Attackers stole 173,600 Ethereum and 25.5 million USDC. Ronin Bridge has been down ever since, and users can’t carry out transactions on the platform.

  17. Tomi Engdahl says:

    Experts Warn Defenders: Don’t Relax on Log4j
    https://www.securityweek.com/experts-warn-defenders-dont-relax-log4j

    It’s been four months since the Log4j issue exploded onto the internet. All the major software vendors affected by it have by now released patches – but even where companies have patched, it would be wrong to relax.

    Log4j is the name of a logging software library used by many different applications. It has also become the name of an attack using the Log4j library (the attack is also known as Log4Shell). The attack is not so much a vulnerability but the manipulation of a feature of the library – and because ‘exploitation’ is merely the effect of using this feature in a malicious manner, widescale exploitation began within 48 hours of the possibility becoming public knowledge.

    All that is required by an attacker is getting the log to contain a specific text message. If the library has internet access, that message effectively beacons out to a server controlled by the attacker, and the attacker can gain access.

    There are two solutions: one is waiting for software vendors to release patches and implementing those patches as quickly as possible; and the other is to use basic cyber resilience (in this case blocking and tackling, or ‘default deny’ on firewalls) to prevent Log4j beaconing out to the malicious server. The problem is that many companies do not have default deny properly implemented, while in the best patching scenario there was most likely a delay of several weeks before the patch was tested, delivered and implemented.

  18. Tomi Engdahl says:

    FBI Warns of Ransomware Attacks Targeting Local Governments
    https://www.securityweek.com/fbi-warns-ransomware-attacks-targeting-local-governments

    The Federal Bureau of Investigation (FBI) this week warned local government entities of ransomware attacks disrupting operational services, causing public safety risks, and causing financial losses.

    In a Private Industry Notification (PIN), the FBI underlined the significance of such attacks, due to the public’s dependency on services overseen by local governments, including critical utilities, education, and emergency services.

    According to the FBI, local government entities within the government facilities sector (GFS) represented the second most targeted group following academia, based on victim incident reporting throughout 2021.

    Last year, smaller counties and municipalities represented the majority of victimized local government agencies, “likely indicative of their cybersecurity resource and budget limitations,” the FBI says.

    Based on an independently-conducted survey, local governments are the least able to prevent ransomware attacks and recover from backups, and often pay the ransom to get the data back.

    Ransomware Attacks Straining Local US Governments and Public Services
    https://www.ic3.gov/Media/News/2022/220330.pdf

  19. Tomi Engdahl says:

    New Vulnerabilities Allow Stuxnet-Style Attacks Against Rockwell PLCs
    https://www.securityweek.com/new-vulnerabilities-allow-stuxnet-style-attacks-against-rockwell-plcs

    Researchers at industrial cybersecurity firm Claroty have identified two serious vulnerabilities that could allow malicious actors to launch Stuxnet-style attacks against programmable logic controllers (PLCs) made by Rockwell Automation.

    Claroty on Thursday published a blog post describing its findings. Separate advisories for the two vulnerabilities were also released on Thursday by the US Cybersecurity and Infrastructure Security Agency (CISA) and Rockwell Automation (account required).

    One of the security holes, tracked as CVE-2022-1161 and classified as “critical,” affects various CompactLogix, ControlLogix, GuardLogix, FlexLogix, DriveLogix and SoftLogix controllers. The second flaw, tracked as CVE-2022-1159 and rated “high severity,” affects the Studio 5000 Logix Designer programming software that runs on engineering workstations.

    According to Rockwell Automation and Claroty, the vulnerabilities can allow an attacker who has access to the victim’s systems to make changes to PLC program code and modify automation processes without being detected. This could result in significant damage, depending on the type of system controlled by the PLC.

    Stuxnet targeted Siemens devices, but vulnerabilities that can be exploited to achieve a similar goal have also been found in recent years in PLCs made by Schneider Electric and other vendors.

  20. Tomi Engdahl says:

    Trend Micro Patches Apex Central Zero-Day Exploited in Targeted Attacks
    https://www.securityweek.com/trend-micro-patches-apex-central-zero-day-exploited-targeted-attacks

    Trend Micro this week announced patches for a high-severity arbitrary file upload vulnerability in Apex Central that has already been exploited in what appear to be targeted attacks.

    Impacting both on-premises and Software-as-a-Service (SaaS) versions of the centralized management console, the security hole is tracked as CVE-2022-26871 (CVSS score of 8.6) and it was discovered by Trend Micro’s own research team.

    After deploying patches for the SaaS version in early March, Trend Micro has now released Patch 3 (Build 6016) for on-premises installations of Apex Central.

    The security hole, the company explains, allows an unauthenticated attacker to upload an arbitrary file remotely, which could result in remote code execution.

    The cybersecurity solutions provider says it has already observed attempts to exploit the bug, albeit in a “very limited number of instances.” However, the company did not provide specific information on these attacks.

  21. Tomi Engdahl says:

    Spring4Shell Exploitation Attempts Confirmed as Patches Are Released
    https://www.securityweek.com/spring4shell-exploitation-attempts-confirmed-patches-are-released

    The Spring zero-day vulnerability named Spring4Shell (SpringShell) has been patched, just as several cybersecurity firms have confirmed seeing exploitation attempts.

    The disclosure of several Spring vulnerabilities this week — including a critical flaw that was likely inadvertently disclosed — has led to confusion and concerns that organizations may be dealing with another Log4Shell.

    The developers of Spring, which is owned by VMware and said to be the world’s most popular Java application development framework, announced patches for one medium-severity DoS vulnerability on March 28 (CVE-2022-22950), and another flaw affecting Spring Cloud Function (CVE-2022-22963) on March 29.

    The advisory for CVE-2022-22963 initially said it was a medium-severity bug that could allow access to local resources, but its severity was later changed to “critical” after it came to light that it could also be exploited for remote code execution.

    Spring4Shell, which on Thursday was assigned the CVE identifier CVE-2022-22965, was initially conflated with CVE-2022-22963 by many in the cybersecurity community, which led to a lot of confusion.

    Spring4Shell is a remote code execution vulnerability in Spring Framework that can be exploited for remote code execution without authentication.

  22. Tomi Engdahl says:

    Apple Ships Emergency Patches for ‘Actively Exploited’ macOS, iOS Flaws
    https://www.securityweek.com/apple-ships-emergency-patches-actively-exploited-macos-ios-flaws

    Apple’s security response team on Thursday released emergency patches to cover a pair of “actively exploited” vulnerabilities affecting macOS, iOS and iPadOS devices.

    Apple confirmed the two security defects — CVE-2022-22675 and CVE-2022-22674 — in all its major operating systems and warned that remote code execution attacks may already be underway.

    One of the two vulnerabilities, described as an out-of-bounds memory corruption issue in AppleAVD, affects both iOS and macOS devices.

    iOS update 15.4.1 fixes CVE-2022-22675 and CVE-2022-22674: “An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited,” the Cupertino, California company said in a barebones advisory.

    Apple released iOS 15.4.1 and iPadOS 15.4.1 and urged users to apply the updates to reduce exposure to risk.

  23. Tomi Engdahl says:

    Editorial: Disruptions to banking services must be prepared for https://www.kauppalehti.fi/uutiset/pankkipalveluiden-hairioihin-tulee-varautua/2d126a18-3672-42aa-becb-b5676d117c7d
    As a consequence of Russia’s war of aggression against Ukraine, the risk of cyber attacks has also risen in Finland. One form of so-called hybrid warfare is cyber attacks against critical infrastructure. Critical infrastructure includes, for example, electricity distribution, telecommunications and banking functions.

  24. Tomi Engdahl says:

    Dangerous sabotage: Russian spies accused of hacking a nuclear power plant
    https://www.tivi.fi/uutiset/tv/30eee4ec-decc-46e8-8399-43e036d29bd7
    The U.S. Department of Justice is charging four Russian government officials with a long-running hacking campaign. According to TechCrunch, the charges concern attacks including one on a nuclear power plant in the United States and one on a facility linked to the oil industry in Saudi Arabia. At least some of the accused work for the security service FSB and the Russian Ministry of Defence. A ministry employee, together with accomplices, is suspected of having developed the Triton malware used to attack an oil refinery in Saudi Arabia in 2017. The program was used in an attempt to damage the safety system that prevents leaks and explosions. The second indictment concerns men in the service of the FSB who are suspected of having slipped the Havax malware into software updates for industrial equipment.

  25. Tomi Engdahl says:

    Wind power company reported a data breach – IT systems were shut down immediately
    https://www.tivi.fi/uutiset/tv/f1da001e-4616-4362-ac4b-af852dbc0017
    German wind turbine manufacturer Nordex announced over the weekend that it had detected a cyber attack targeting the company. According to the press release, the attack was fortunately detected at an early stage. After the detection, as part of its crisis measures, the company decided to shut down its IT systems at several locations in order to bring the problem under control. The company did not say whether it was a ransomware attack or some other kind of attack.

  26. Tomi Engdahl says:

    Hackers breach MailChimp’s internal tools to target crypto customers https://www.bleepingcomputer.com/news/security/hackers-breach-mailchimps-internal-tools-to-target-crypto-customers/
    Email marketing firm MailChimp disclosed on Sunday that they had been hit by hackers who gained access to internal customer support and account management tools to steal audience data and conduct phishing attacks. Sunday morning, Twitter was abuzz with reports from owners of Trezor hardware cryptocurrency wallets who received phishing notifications claiming that the company suffered a data breach.

  27. Tomi Engdahl says:

    TOTOLINK Routers, Other Device Exploits Added to Beastmode Botnet
    https://www.securityweek.com/totolink-routers-other-device-exploits-added-beastmode-botnet

    The Mirai-based DDoS botnet known as Beastmode continues to expand its arsenal with at least five new exploits added over the last two months.

    The new exploits include three targeting TOTOLINK routers, one targeting the discontinued D-Link routers DIR-810L, DIR-820L/LW, DIR-826L, DIR-830L and DIR-836L, and one targeting the TP-Link Tapo C200 IP camera.

    The new exploits in Beastmode (aka B3eastmode after text within the code and an HTTP User-Agent header ‘b3astmode’ within the exploit requests) were discovered by the FortiGuard Labs researchers from Fortinet.

    The researchers report, “Even though the original Mirai author was arrested in fall 2018, this… highlights how threat actors, such as those behind the Beastmode campaign, continue to rapidly incorporate newly published exploit code to infect unpatched devices using the Mirai malware.” Noticeably, an error found in a sample caught on February 20, 2022, had been corrected in samples caught just three days later.

    The TOTOLINK exploits were added by the botnet’s authors just a week after the exploit codes were made public on GitHub – stressing the need to employ any available workarounds immediately a vulnerability is publicized, and rapid patching as soon as patches become available. TOTOLINK has released updated firmware, available from its download center.

  28. Tomi Engdahl says:

    Vendors Assessing Impact of Spring4Shell Vulnerability
    https://www.securityweek.com/vendors-assessing-impact-spring4shell-vulnerability

    Companies are assessing the impact of the Spring vulnerability dubbed Spring4Shell on their products, and while some vendors have started releasing patches, many have determined that their products do not appear to be affected.
    One of them is tracked as CVE-2022-22965, Spring4Shell and SpringShell, and it has been described as a critical remote code execution vulnerability in Spring Framework that can be exploited without authentication.
    Another critical flaw is CVE-2022-22963, which affects the Spring Cloud Function and which also allows remote code execution. The third security hole is CVE-2022-22950, a medium-severity DoS vulnerability.
    The possibly accidental disclosure of Spring4Shell by a researcher before patches were made available led to a lot of confusion and concerns that the flaw could be worse than the Log4j vulnerability tracked as Log4Shell, which has been exploited in attacks by many threat actors.
    Proof-of-concept (PoC) exploits are available for both Spring4Shell and CVE-2022-22963, and Akamai has reported seeing exploitation attempts targeting both vulnerabilities.

  29. Tomi Engdahl says:

    Eliza Gkritsi / CoinDesk:
    German police shut down darknet market Hydra Market, which had €1.23B in 2020 revenue, and seize 543 bitcoins

    German Authorities Shut Down Russian Darknet Market, Seize $25M in Bitcoin
    The Hydra Market’s bitcoin privacy mixer complicated the investigation, police said.
    https://www.coindesk.com/policy/2022/04/05/german-authorities-shut-down-russian-darknet-market-seize-25m-in-bitcoin/

    The market was mainly used for narcotics, and served Russia, Ukraine, Belarus, Kazakhstan, Azerbaijan, Armenia, Kyrgyzstan, Uzbekistan, Tajikistan and Moldova, according to blockchain forensics firm Ciphertrace.

  30. Tomi Engdahl says:

    Defenders Provided Tools and Information for Dealing With Spring4Shell
    https://www.securityweek.com/defenders-provided-tools-and-information-dealing-spring4shell

    US Government Agencies Instructed to Patch Spring4Shell Vulnerability

    Enterprise defenders have been provided information and tools to help them deal with Spring4Shell and potential attacks exploiting the vulnerability.

    The developers of Spring, the world’s most popular Java application development framework, announced patches for three vulnerabilities last week. The most serious of them — both allowing remote code execution — are CVE-2022-22965 (aka Spring4Shell and SpringShell) and CVE-2022-22963.

    The possibly accidental disclosure of Spring4Shell by a researcher before patches were made available led to a lot of confusion and concerns that the flaw could be worse than Log4Shell, but for the time being that does not appear to be the case.

    Nevertheless, cybersecurity firms have been seeing attempts to exploit both CVE-2022-22965 and CVE-2022-22963.

    While new findings could show that Spring4Shell is more widely exploitable, the information available to date indicates that some conditions need to be met for exploitation, including the use of JDK 9 or higher, Apache Tomcat as the servlet container, spring-webmvc or spring-webflux dependency, and packaging of the application as a WAR.

    Spring Framework 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions are impacted. Spring Framework 5.3.18 and 5.2.20 contain fixes for the vulnerability, but mitigations are also available.

    Sonatype has created a dashboard that can be used to track the deployment of patches. The dashboard currently shows that 80% of the Spring (spring-beans) downloads since March 31 were for a potentially vulnerable version. However, the company noted that the specific conditions required for exploitation are the most likely reason for the relatively slow update rate.

    https://www.springcloud.io/post/2022-03/spring-framework-rce-early-announcement/#gsc.tab=0

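Added example, not code from the page or from the Spring project: a small Python triage that takes a constructed application inventory with `mvn dependency:tree`-style lines and ranks each app by the affected/fixed version ranges and the exploitation preconditions the post above lists (JDK 9+, Tomcat, spring-webmvc/webflux, WAR packaging). The inventory records, their field names and the verdict labels are assumptions for illustration.

```python
"""Spring4Shell (CVE-2022-22965) exposure triage over a dependency inventory.

Added example (not the page's or Spring's own code). Version facts from the
post: Spring Framework 5.3.0-5.3.17, 5.2.0-5.2.19 and older are affected;
5.3.18 and 5.2.20 contain the fix. Exploitation preconditions reported so far:
JDK 9 or higher, Apache Tomcat, spring-webmvc or spring-webflux, WAR packaging.
"""
import re

FIX_5_3 = (5, 3, 18)
FIX_5_2 = (5, 2, 20)
SPRING_WEB_ARTIFACTS = {"spring-webmvc", "spring-webflux"}

# Matches "group:artifact:jar:version:scope" as printed by mvn dependency:tree.
DEP_LINE = re.compile(r"([\w.\-]+):([\w.\-]+):(?:jar|war):([\w.\-]+):")


def parse_version(text):
    """Turn '5.3.17' or '5.3.17.RELEASE' into a comparable tuple of ints."""
    nums = []
    for part in text.split("."):
        if not part.isdigit():
            break                      # stop at qualifiers like RELEASE
        nums.append(int(part))
    return tuple(nums)


def version_is_affected(version):
    """True when this Spring Framework version lacks the CVE-2022-22965 fix."""
    if version[:2] == (5, 3):
        return version < FIX_5_3
    if version[:2] == (5, 2):
        return version < FIX_5_2
    return version < (5, 2, 0)         # every older release line is affected


def spring_artifacts(tree_lines):
    """Map org.springframework artifact -> version from dependency:tree lines."""
    found = {}
    for line in tree_lines:
        m = DEP_LINE.search(line)
        if m and m.group(1) == "org.springframework":
            found[m.group(2)] = parse_version(m.group(3))
    return found


def assess(app):
    """Classify one inventory record (hypothetical field names, see below)."""
    arts = spring_artifacts(app["dependency_tree"])
    affected = sorted({v for v in arts.values() if version_is_affected(v)})
    conditions = {
        "jdk9_plus": app["jdk_major"] >= 9,
        "tomcat": app["container"].lower() == "tomcat",
        "spring_web": any(a in SPRING_WEB_ARTIFACTS for a in arts),
        "war": app["packaging"].lower() == "war",
    }
    if not arts:
        verdict = "no-spring"          # nothing from org.springframework
    elif not affected:
        verdict = "fixed"              # every Spring module at/after the fix
    elif all(conditions.values()):
        verdict = "exploitable"        # affected and known path fully present
    else:
        verdict = "affected"           # still patch; conditions may widen
    return {"name": app["name"], "verdict": verdict,
            "affected_versions": affected, "conditions": conditions}


# Constructed sample inventory; these are not real systems.
INVENTORY = [
    {"name": "portal", "jdk_major": 11, "container": "Tomcat", "packaging": "war",
     "dependency_tree": [
         "[INFO] +- org.springframework:spring-webmvc:jar:5.3.16:compile",
         "[INFO] |  \\- org.springframework:spring-beans:jar:5.3.16:compile",
     ]},
    {"name": "batch-api", "jdk_major": 8, "container": "Tomcat", "packaging": "jar",
     "dependency_tree": [
         "[INFO] +- org.springframework:spring-webmvc:jar:5.3.17:compile",
     ]},
    {"name": "gateway", "jdk_major": 17, "container": "Netty", "packaging": "jar",
     "dependency_tree": [
         "[INFO] +- org.springframework:spring-webflux:jar:5.3.18:compile",
         "[INFO] +- io.projectreactor.netty:reactor-netty:jar:1.0.17:compile",
     ]},
]


def triage(inventory=INVENTORY):
    """Return per-app reports with the most urgent verdicts first."""
    order = {"exploitable": 0, "affected": 1, "fixed": 2, "no-spring": 3}
    return sorted((assess(a) for a in inventory), key=lambda r: order[r["verdict"]])


if __name__ == "__main__":
    for r in triage():
        print(f"{r['name']:10} {r['verdict']:12} {r['affected_versions']}")
```

The "affected" bucket is deliberately not downgraded to safe: the post notes that new findings could show the bug is more widely exploitable, so only a version at or past the fix clears an app.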
  31. Tomi Engdahl says:

    Yokogawa Patches Flaws Allowing Disruption, Manipulation of Physical Processes
    https://www.securityweek.com/yokogawa-patches-flaws-allowing-disruption-manipulation-physical-processes

    Japanese automation giant Yokogawa recently patched a series of vulnerabilities in control system products that, according to researchers, can be exploited for the disruption or manipulation of physical processes.

    Researchers from industrial cybersecurity company Dragos have discovered a total of ten vulnerabilities in Yokogawa’s CENTUM VP distributed control system (DCS) and the Exaopc OPC server for CENTUM systems.

    Yokogawa shared information about the security holes in January and February, and the US Cybersecurity and Infrastructure Security Agency (CISA) published its own advisory in late March.

    The vulnerabilities are related to hardcoded credentials, path traversal, command injection, DLL hijacking, inappropriate access privileges, and uncontrolled resource consumption. The flaws, several of which have been assigned a “high severity” rating, can be exploited to access data, suppress alarms, overwrite or delete files, execute arbitrary commands, crash servers, and escalate privileges.

    Exploitation of some vulnerabilities requires local access to the targeted system, while others can be exploited by sending specially crafted packets to the Consolidated Alarm Management Software (CAMS) for the human interface station (HIS or HMI).

    ICS Advisory (ICSA-22-083-01)
    Yokogawa CENTUM and Exaopc
    https://www.cisa.gov/uscert/ics/advisories/icsa-22-083-01

    CVSS v3 8.6
    ATTENTION: Exploitable remotely/low skill level to exploit
    Vendor: Yokogawa
    Equipment: CENTUM and Exaopc
    Vulnerabilities: Use of Hard-coded Credentials, Relative Path Traversal, Improper Output Neutralization for Logs, OS Command Injection, Permissions, Privileges, and Access Controls, Uncontrolled Search Path Element

    Reply
  32. Tomi Engdahl says:

    Airgap Networks Raises $13 Million for Ransomware Kill Switch
    https://www.securityweek.com/airgap-networks-raises-13-million-ransomware-kill-switch

    Airgap Networks on Tuesday announced raising $13.4 million in a Series A funding round that brings the total raised by the company to $18.6 million.

    The funding round was led by Storm Ventures, with participation from Cervin Ventures, Engineering Capital, Sorenson Ventures, and various angel investors.

    Airgap has developed what it describes as an agentless, universal segmentation solution that can protect IT, OT and cloud systems by providing visibility and management capabilities.

    Airgap’s platform uses an “agentless ringfencing architecture” to confine threats to a single endpoint. It also enforces MFA access for high-value assets, and aims to eliminate unauthorized communication channels inside an organization.

    Reply
  33. Tomi Engdahl says:

    Wind Turbine Giant Nordex Shuts Down IT Systems in Response to Cyberattack
    https://www.securityweek.com/wind-turbine-giant-nordex-shuts-down-it-systems-response-cyberattack

    Nordex Group, one of the world’s largest manufacturers of wind turbines, fell victim to a cyberattack that forced it to take down multiple systems.

    The Hamburg, Germany-based company announced over the weekend that it detected the intrusion on Thursday, March 31, and that it immediately deployed measures “in line with crisis management protocols.”

    According to Nordex, the cyberattack was discovered at an early stage but, as a precautionary measure, the company decided to shut down “IT systems across multiple locations and business units.”

    Nordex is not the first wind turbine giant targeted by cybercriminals. Last year, profit-driven hackers leaked thousands of files stolen from Danish company Vestas Wind Systems.

    Reply
  34. Tomi Engdahl says:

    Academics Devise Side-Channel Attack Targeting Multi-GPU Systems
    https://www.securityweek.com/academics-devise-side-channel-attack-targeting-multi-gpu-systems

    A group of academic researchers has devised a side-channel attack targeting architectures that rely on multiple graphics processing units (GPUs) for resource-intensive computational operations.

    Used in high performance computing and cloud data centers, multi-GPU machines are shared between multiple users, meaning that the protection of applications and data flowing through them is critical.

    “These systems are emerging and increasingly important computational platforms, critical to continuing to scale the performance of important applications such as deep learning. They are already offered as cloud instances offering opportunities for an attacker to spy on a co-located victim,” the researchers say in their paper.

    When reverse-engineering the sharing of caches, the researchers discovered that one GPU can remotely access the caches of others, which allowed them to develop eviction sets – “collections of memory addresses hashing to the same cache set” – from both GPUs.

    https://arxiv.org/pdf/2203.15981.pdf

    Reply
  35. Tomi Engdahl says:

    Palestinian Lawyer Sues Pegasus Spyware Maker in France
    https://www.securityweek.com/palestinian-lawyer-sues-pegasus-spyware-maker-france

    Palestinian lawyer Salah Hamouri, who is in Israeli detention, filed a complaint in France Tuesday against surveillance firm NSO Group for having “illegally infiltrated” his mobile phone with the spyware Pegasus.

    Hamouri, who also holds French citizenship, is serving a four-month term of administrative detention ordered by an Israeli military court in March on the claim he is a “threat to security”.

    Reply
  36. Tomi Engdahl says:

    Cash App Suffers Breach, With Ex-Employee Accessing US Customer Data
    Block, the company behind the mobile payment service, is contacting 8.2 million current and former customers about the breach.
    https://www.cnet.com/tech/services-and-software/cash-app-suffered-breach-after-ex-employee-accessed-us-customer-data/

    Block, the company behind the mobile payment service Cash App, has acknowledged a Cash App data breach in which a former employee accessed reports that included US customer information.

    “Upon discovery, we took steps to remediate this issue and launched an investigation with the help of a leading forensics firm,” a spokesperson said Tuesday in an emailed statement. “We know how these reports were accessed, and we have notified law enforcement. We are also contacting customers whose data was impacted. In addition, we continue to review and strengthen administrative and technical safeguards to protect information.”

    Reply
  37. Tomi Engdahl says:

    Did you get a call from a police number asking for your bank credentials? Report it immediately to the authorities and to your bank https://www.is.fi/digitoday/tietoturva/art-2000008730939.html
    According to the police, SCAMMERS have been trying to phish people's bank credentials with phone calls. The phishers have posed, for example, as financial crime investigators of a police department and, on that pretext, have asked victims for their credentials. The scammers have artificially altered their phone numbers so that the recipient believes the call is coming from a police department's switchboard number.

    Reply
  38. Tomi Engdahl says:

    Hackers are brazenly exploiting WhatsApp voice messages https://www.tivi.fi/uutiset/tv/8c726196-6c14-4bc0-b517-29469624730f
    Security researchers have found a new malicious campaign that exploits WhatsApp voice messages and email. So far, the campaign has attempted to spread malware to at least 27,655 email addresses. The campaign's goal is to get the user to install information-stealing malware. The program is spread by several means, some of them aggressive, but this time email is being exploited. The emails claim that the user has received a voice message on WhatsApp. The message, disguised as a WhatsApp notification, contains a play button that takes the user to a web page that installs the JS/Kryptic trojan. On the site, the user is asked to "verify" whether they are a robot. If the user answers no, the site installs the malware.
    What is interesting about the phishing messages is that their sender uses an email address belonging to the Moscow region's traffic safety center. Original:
    https://www.bleepingcomputer.com/news/security/whatsapp-voice-message-phishing-emails-push-info-stealing-malware/

    Reply
  39. Tomi Engdahl says:

    SpringShell attacks target about one in six vulnerable orgs https://www.bleepingcomputer.com/news/security/springshell-attacks-target-about-one-in-six-vulnerable-orgs/
    Roughly one out of six organizations worldwide that are impacted by the Spring4Shell zero-day vulnerability have already been targeted by threat actors, according to statistics from one cybersecurity company.
    The exploitation attempts took place in the first four days since the disclosure of the severe remote code execution (RCE) flaw, tracked as CVE-2022-22965, and the associated exploit code. According to Check Point, who compiled the report based on their telemetry data, 37,000 Spring4Shell attacks were detected over the past weekend alone. The most impacted industry appears to be software vendors, accounting for 28% of the total, potentially due to being excellent candidates for supply chain attacks. As for the most targeted region, Check Point ranks Europe first with 20%, based on their visibility.

    Reply
  40. Tomi Engdahl says:

    Ukraine spots Russian-linked ‘Armageddon’ phishing attacks https://www.bleepingcomputer.com/news/security/ukraine-spots-russian-linked-armageddon-phishing-attacks/
    The Computer Emergency Response Team of Ukraine (CERT-UA) has spotted new phishing attempts attributed to the Russian threat group tracked as Armageddon (Gamaredon). The malicious emails attempt to trick the recipients with lures themed after the war in Ukraine and infect the target systems with espionage-focused malware. CERT-UA has identified two separate cases, one targeting Ukrainian organizations and the other focusing on government agencies in the European Union.
    Armageddon is a Russian state-sponsored threat actor who has been targeting Ukraine since at least 2014 and is considered part of the FSB (Russian Federal Security Service).

    Reply
  41. Tomi Engdahl says:

    Germany takes down Hydra, world’s largest darknet market https://www.bleepingcomputer.com/news/legal/germany-takes-down-hydra-worlds-largest-darknet-market/
    The servers of Hydra Market, the most prominent Russian darknet platform for selling drugs and money laundering, have been seized by the German police. The police were also able to seize 543 bitcoins from the profits of Hydra, which are currently worth a little over $25 million. The confiscated money indicates the size of the Hydra market, which counted around 19,000 registered seller accounts that served at least 17 million customers around the world.

    Reply
  42. Tomi Engdahl says:

    The Works has been forced to close some stores because of a cyber attack
    https://www.zdnet.com/article/retailer-the-works-has-been-forced-to-close-some-stores-because-of-a-cyber-attack/#ftag=RSSbaffb68
    A cyber attack has forced arts, crafts, toys, books and stationery retailer The Works to temporarily close several stores, and caused disruption to stock resupplies and delayed deliveries of online orders. The retailer, which has over 500 stores across the UK, says it has been subjected to a “cybersecurity incident involving unauthorised access to its computer systems”. The retailer says customer payment details haven’t been accessed by intruders because credit and debit card details are stored securely outside of store systems by third-parties.

    Reply
  43. Tomi Engdahl says:

    These ten hacking groups have been targeting critical infrastructure and energy
    https://www.zdnet.com/article/these-ten-hacking-groups-have-been-targeting-critical-infrastructure-and-energy/#ftag=RSSbaffb68
    Electricity, oil and gas and other critical infrastructure vital to our everyday lives is increasingly at risk from cyber attackers who know that successfully compromising industrial control systems (ICS) and operational technology (OT) can enable them to disrupt or tamper with vital services. A report from cybersecurity company Dragos details ten different hacking operations which are known to have actively targeted industrial systems in North America and Europe, and it warns that this activity is likely to grow in the next 12 months. The list includes several state-backed hacking operations, such as Electrum, also known as Sandworm, which is linked to the Russian military; Covellite, which is linked to North Korea’s Lazarus Group; and Vanadinite, which is linked to APT 41, a hacking operation working on behalf of China. Original:
    https://www.dragos.com/blog/industry-news/assessing-threats-to-european-industrial-infrastructure/

    Reply
  44. Tomi Engdahl says:

    Bank had no firewall license, intrusion or phishing protection: guess the rest https://www.theregister.com/2022/04/05/mahesh_bank_no_firewall_attack/
    An Indian bank that did not have a valid firewall license, had not employed phishing protection, lacked an intrusion detection system and eschewed use of any intrusion prevention system has, shockingly, been compromised by criminals who made off with millions of rupees. The unfortunate institution is called the Andhra Pradesh Mahesh Co-Operative Urban Bank. Its 45 branches and just under $400 million of deposits make it one of India’s smaller banks.

    Reply
  45. Tomi Engdahl says:

    Symantec: Chinese APT Group Targeting Global MSPs
    https://www.securityweek.com/symantec-chinese-apt-group-targeting-global-msps

    Malware hunters at Broadcom’s Symantec division have spotted signs that a long-running cyberespionage campaign linked to Chinese nation-state hackers is now going after managed service providers (MSPs) with a more global footprint.

    In a report issued Tuesday, Symantec said it observed a group known as Cicada (APT10, Stone Panda) expanding its target list to include government, legal, religious, and non-governmental organizations (NGOs) in multiple countries around the world, including in Europe, Asia, and North America.

    The company noted that Cicada’s initial activity several years ago was heavily focused on Japanese-linked companies but warned that the group is now hitting managed service providers (MSPs) around the world.

    In several newer cases, Symantec’s researchers found evidence that Microsoft Exchange Servers are an entry point for the attackers, suggesting the possibility that a known, unpatched vulnerability in Microsoft Exchange may have been used to gain access to victim networks in some cases.

    Reply
  46. Tomi Engdahl says:

    44 Vulnerabilities Patched in Android With April 2022 Security Updates
    https://www.securityweek.com/44-vulnerabilities-patched-android-april-2022-security-updates

    The Android updates released by Google for April 2022 include patches for 44 vulnerabilities, including several rated “critical severity.”

    As usual, the update was split into two parts, with the first of them arriving on devices as the “2022-04-01 security patch level” and addressing 14 security holes.

    The most important of these is a high-severity bug in Framework that could be exploited to escalate privileges, without any form of user interaction. What’s more, no additional execution privileges are needed either, Google says in its advisory.

    A total of seven vulnerabilities were resolved in the Framework component this month, all rated “high severity” and all leading to elevation of privilege.

    Android Security Bulletin—April 2022
    https://source.android.com/security/bulletin/2022-04-01

    Reply
