Cyber security news April 2022

This posting is here to collect cyber security news in April 2022.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.

425 Comments

  1. Tomi Engdahl says:

    F-Secure's Hyppönen: The cyber attacks that battered Finnish ministries probably came from Russia, and worse is in store
    The websites of the Ministry for Foreign Affairs and the Ministry of Defence were hit by denial-of-service attacks on Friday.
    https://www.iltalehti.fi/kotimaa/a/589ad7a0-cac7-46bb-80ab-f8d0ed5681d6

    The denial-of-service attacks on the websites of the Ministry for Foreign Affairs and the Ministry of Defence were probably of Russian origin, estimates F-Secure's Chief Research Officer Mikko Hyppönen.

    "I consider it likely that the attacks came from Russia. Whether we will ever get certainty on that is less likely," Hyppönen says.

    According to Hyppönen, denial-of-service attacks are carried out with attack networks, i.e. botnets.

    "Working out which botnet was involved often succeeds. But whose botnet it is and who, so to speak, ordered the attack can be a completely different matter to find out," Hyppönen says.

    According to Hyppönen, denial-of-service attacks do not break into systems or steal data from them. The purpose of a denial-of-service attack is simply to try to prevent the intended use of a website.

    "Today, when the targets were Finnish ministries, the purpose was to cause confusion and fear among Finns," Hyppönen says.

    Hyppönen stresses that Friday's denial-of-service attacks caused the ministries no operational problem whatsoever.

    In other words, a denial-of-service attack on the Ministry of Defence's website does not affect Finland's ability to defend itself.

    "The Ministry of Defence's website being down does no harm at all," Hyppönen says.

    "The attacks did not necessarily come from the Russian state, but from individual pro-Russian hackers or activists," Hyppönen says.

    Hyppönen believes that in any case the purpose of the attacks has been an attempt to influence opinions.

    "And then we are closer to information warfare than cyber warfare," Hyppönen says.

    The Finnish Security and Intelligence Service (Supo) estimated in its yearbook published two weeks ago that Russia will probably direct cyber and information operations against Finland in the coming months.

    Supo estimates that most of the cyber strikes on the network are precisely denial-of-service attacks and website defacements, which do not actually endanger data or critical processes but affect the impression that society's functioning is paralysed.

    "Here Supo was exactly right," Hyppönen says.

    "The attacks will get worse"

    Hyppönen estimates that as Finland approaches the NATO decision, the attacks will get worse and there will also be more of them.

    According to Hyppönen, in the future we may see attacks that aim to cause more lasting damage.

    "That is, breaking into services, trying to prevent the operation of those systems, or even taking citizens' data and leaking it," Hyppönen says.

    Ordinary citizens can also fall victim to attacks, but Hyppönen considers it more likely that attacks will be directed at high-profile targets such as government bodies.

    "The most essential thing nonetheless is to keep a cool head, that is, to prepare in advance so that the problems caused by various attacks can be minimised," Hyppönen says.

    Reply
  2. Tomi Engdahl says:

    Parrot TDS takes over web servers and threatens millions https://decoded.avast.io/janrubin/parrot-tds-takes-over-web-servers-and-threatens-millions/
    A new Traffic Direction System (TDS) we are calling Parrot TDS, using tens of thousands of compromised websites, has emerged in recent months and is reaching users from around the world. The TDS has infected various web servers hosting more than 16,500 websites, ranging from adult content sites, personal websites, university sites, and local government sites.

    Reply
  3. Tomi Engdahl says:

    Parrot TDS takes over web servers and threatens millions
    https://decoded.avast.io/janrubin/parrot-tds-takes-over-web-servers-and-threatens-millions/
    A new Traffic Direction System (TDS) we are calling Parrot TDS, using tens of thousands of compromised websites, has emerged in recent months and is reaching users from around the world. The TDS has infected various web servers hosting more than 16,500 websites, ranging from adult content sites, personal websites, university sites, and local government sites.
    Parrot TDS acts as a gateway for further malicious campaigns to reach potential victims. In this particular case, the infected sites’ appearances are altered by a campaign called FakeUpdate (also known as SocGholish), which uses JavaScript to display fake notices for users to update their browser, offering an update file for download. The file observed being delivered to victims is a remote access tool.
    One of the main things that distinguishes Parrot TDS from other TDS is how widespread it is and how many potential victims it has. The compromised websites we found appear to have nothing in common apart from servers hosting poorly secured CMS sites, like WordPress sites.
    The proxied version communicates with the TDS infrastructure via a malicious PHP script, usually located on the same web server, and executes the response content.
    The final payload is then delivered in two phases. In the first phase, a PowerShell script is dropped and run by the malicious JavaScript code. This PowerShell script is downloaded to a temporary folder under a random eight character name (e.g. %Temp%\1c017f89.ps1). However, the name of this PowerShell is hardcoded in the JavaScript code. The content of this script is usually a simple whoami /all command. The result is sent back to the C2 server.
    In the second phase, the final payload is delivered. This payload is downloaded to the AppData\Roaming folder. Here, a folder with a random name containing several files is dropped. The payloads we have observed so far are part of the NetSupport Client remote access tool and allow the attacker to gain easy access to the compromised machines.
    The RAT is commonly named ctfmon.exe (mimicking the name of a legitimate program). It is also automatically started when the computer is switched on by setting an HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key.
    We identified several infected servers hosting phishing sites. These phishing sites, imitating, for example, a Microsoft office login page, were hosted on compromised servers in the form of PHP scripts.

    Reply
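The Parrot TDS write-up above names three host artifacts a defender can look for: a stage-one PowerShell script with a random eight-character name in %Temp%, a NetSupport RAT renamed ctfmon.exe under a random-named AppData\Roaming folder, and an HKCU ...\CurrentVersion\Run value that starts it. The following Python is an added example, not Avast's code: it applies those three checks to constructed records (a dictionary of Run values and a Temp directory listing) so it runs offline. The "random folder name" regex and the assumption that the stage-one name is eight hex characters are mine, based on the %Temp%\1c017f89.ps1 example in the post; the only legitimate locations of ctfmon.exe are System32 and SysWOW64.

```python
"""Detection helper for the Parrot TDS / FakeUpdate persistence artifacts.
Added example, not Avast's code. On a live host you would feed it the
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run values and a listing
of %Temp%; here both are constructed samples."""
import re
from pathlib import PureWindowsPath

# The only directories a genuine ctfmon.exe lives in on Windows.
LEGIT_CTFMON_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Heuristic (assumption, not from the write-up): a "random" folder name is a
# 6-12 character lowercase alphanumeric run that mixes letters and digits.
RANDOM_DIR = re.compile(r"^(?=.*[a-z])(?=.*[0-9])[a-z0-9]{6,12}$")
# Stage-one script: eight hex characters plus .ps1, as in %Temp%\1c017f89.ps1
# (hex is my assumption; the post only says "random eight character name").
STAGE1_PS1 = re.compile(r"^[0-9a-f]{8}\.ps1$", re.IGNORECASE)


def command_image(cmd):
    """Pull the executable path out of a Run-value command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]


def check_run_entry(value_name, command):
    """Return (severity, description) for one Run value, or None."""
    image = PureWindowsPath(command_image(command))
    folder = str(image.parent).lower()
    parts = [p.lower() for p in image.parts]
    # High confidence: ctfmon.exe launched from anywhere but its system folders.
    if image.name.lower() == "ctfmon.exe" and folder not in LEGIT_CTFMON_DIRS:
        return ("high", f"{value_name}: ctfmon.exe outside System32 ({image})")
    # Lower confidence: any .exe autorun from a random-named Roaming folder.
    if ("roaming" in parts and image.suffix.lower() == ".exe"
            and RANDOM_DIR.match(image.parent.name.lower())):
        return ("medium", f"{value_name}: autorun from random-named Roaming folder ({image})")
    return None


def scan_run_entries(entries):
    """Map value name -> finding for every Run value that matches a rule."""
    findings = {}
    for name, cmd in entries.items():
        hit = check_run_entry(name, cmd)
        if hit:
            findings[name] = hit
    return findings


def stage1_scripts(temp_listing):
    """File names in %Temp% that look like the stage-one PowerShell dropper."""
    return sorted(f for f in temp_listing if STAGE1_PS1.match(f))


# Constructed sample data: two benign autoruns, one legitimate ctfmon, two suspicious.
SAMPLE_RUN_ENTRIES = {
    "OneDrive":   r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "ctfmon":     r'C:\Windows\System32\ctfmon.exe',
    "Spotify":    r'"C:\Users\alice\AppData\Roaming\Spotify\Spotify.exe" --autostart',
    "ctfmon.exe": r'"C:\Users\alice\AppData\Roaming\x7k2q9pl\ctfmon.exe"',
    "Updater":    r'"C:\Users\alice\AppData\Roaming\a1b2c3d4\update.exe"',
}
SAMPLE_TEMP = ["1c017f89.ps1", "wct1234.tmp", "installer.ps1", "DEADBEEF.ps1"]

if __name__ == "__main__":
    for name, (sev, msg) in scan_run_entries(SAMPLE_RUN_ENTRIES).items():
        print(f"[{sev}] {msg}")
    print("stage-one candidates:", stage1_scripts(SAMPLE_TEMP))
```

The medium-severity rule will occasionally flag legitimate per-user installers that use hashed folder names, so treat it as a lead to pair with the Run value's creation time and the binary's signer rather than as a verdict on its own; the ctfmon.exe rule has no legitimate explanation.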
  4. Tomi Engdahl says:

    New Octo Banking Trojan Spreading via Fake Apps on Google Play Store https://thehackernews.com/2022/04/new-octo-banking-trojan-spreading-via.html
    The rental banking trojan, dubbed Octo, is said to be a rebrand of another Android malware called ExobotCompact, which, in turn, is a “lite” replacement for its Exobot predecessor, Dutch mobile security firm ThreatFabric said in a report shared with The Hacker News.

    Reply
  5. Tomi Engdahl says:

    FFDroider Stealer Targeting Social Media Platform Users
    https://www.zscaler.com/blogs/security-research/ffdroider-stealer-targeting-social-media-platform-users
    Recently, ThreatLabz identified a novel windows based malware creating a registry key as FFDroider. Based on this observation, ThreatLabz named this new malware the Win32.PWS.FFDroider. Designed to send stolen credentials and cookies to a Command & Control server, FFDroider disguises itself on victim’s machines to look like the instant messaging application “Telegram”.

    Reply
  6. Tomi Engdahl says:

    Finland Hit by Cyber Attack, Airspace Breach as NATO Bid Weighed https://www.bloomberg.com/news/articles/2022-04-08/finland-hit-by-cyber-attack-airspace-breach-as-nato-bid-weighed
    Finland reported an attack on government websites and a suspected airspace violation by Russian aircraft just as speculation mounts that the Nordic nation will opt to apply for membership in the NATO alliance. Also https://www.theregister.com/2022/04/09/dos_attacks_finland_russia/

    Reply
  7. Tomi Engdahl says:

    A Bad Luck BlackCat
    https://securelist.com/a-bad-luck-blackcat/106254/
    After the REvil and BlackMatter groups shut down their operations, it was only a matter of time before another ransomware group took over the niche. Knowledge of malware development, a new written-from-scratch sample in an unusual programming language, and experience in maintaining infrastructure is turning the BlackCat group into a major player on the ransomware market. Here we present a new data point connecting BlackCat with past BlackMatter activity – the reuse of the exfiltration malware Fendr. The group modified the malware for a new set of victims collected from data stores commonly seen in industrial network environments.

    Reply
  8. Tomi Engdahl says:

    New SolarMarker (Jupyter) Campaign Demonstrates the Malware’s Changing Attack Patterns https://unit42.paloaltonetworks.com/solarmarker-malware/
    Recently, we’ve identified a new version of SolarMarker, a malware family known for its infostealing and backdoor capabilities, mainly delivered through search engine optimization (SEO) manipulation to convince users to download malicious documents.

    Reply
  9. Tomi Engdahl says:

    Hackers use Conti’s leaked ransomware to attack Russian companies https://www.bleepingcomputer.com/news/security/hackers-use-contis-leaked-ransomware-to-attack-russian-companies/
    A hacking group used Conti’s leaked ransomware source code to create their own ransomware to use in cyberattacks against Russian organizations. [...] a hacking group known as NB65 now targeting Russian organizations with ransomware attacks.

    Reply
  10. Tomi Engdahl says:

    MoqHao Part 2: Continued European Expansion https://team-cymru.com/blog/2022/04/07/moqhao-part-2-continued-european-expansion/
    MoqHao (also referred to as Wroba and XLoader) is a malware family commonly associated with the Roaming Mantis threat actor group. MoqHao is generally used to target Android users, often via an initial attack vector of phishing SMS messages (smishing). In the recent past, several vendors (e.g., Kaspersky) have noted an expansion in Roaming Mantis’ operations to include several European countries.

    Reply
  11. Tomi Engdahl says:

    Microsoft crippled a Russian military intelligence online operation https://www.is.fi/digitoday/tietoturva/art-2000008743633.html

    Reply
  12. Tomi Engdahl says:

    How are Finnish banks preparing for cyber attacks now? Nordea:
    "Attackers' resources have improved"
    https://www.kauppalehti.fi/uutiset/miten-suomalaispankit-varautuvat-nyt-kyberhyokkayksiin-nordea-hyokkaajien-resurssit-parantuneet/fe67775b-38c6-49e6-aa88-e3489b7c14ce
    We asked how Russia's attack on Ukraine has affected the banks' information security measures. The banks are tight-lipped about their contingency plans.

    Reply
  13. Tomi Engdahl says:

    Researchers uncover a hardware security vulnerability on Android phones https://techxplore.com/news/2022-04-uncover-hardware-vulnerability-android.html
    A phone’s GPU processes all of the images that appear on the screen, including the pop-up animations when a letter of the on-screen keyboard is pressed. The researchers were able to correctly infer which letters or numbers were pressed more than 80 percent of the time, based only on how the GPU produces the displayed keyboard animations.

    Reply
  14. Tomi Engdahl says:

    Spring4Shell

    https://hackaday.com/2022/04/08/this-week-in-security-vulnerable-boxes-government-responses-and-new-tools/
    Spring4Shell Fallout

    Spring4Shell is being exploited in the wild, with tens of thousands of attempts to trigger the vulnerability being observed by groups like CheckPoint. No word yet on how many of those attempts have been successful, but there’s sure to be some. While it’s not as serious a vulnerability as Log4Shell, at least one botnet has started spreading using the flaw.

    Microsoft’s coverage of the flaw has been great, with a helpful one-liner to check for vulnerable Tomcat installs:

    $ curl host:port/path?class.module.classLoader.URLs%5B0%5D=0

    An HTTP 400 response means that you’re likely vulnerable.

    Explaining Spring4Shell: The Internet security disaster that wasn’t
    Vulnerability in the Spring Java Framework is important, but it’s no Log4Shell.
    https://arstechnica.com/information-technology/2022/04/explaining-spring4shell-the-internet-security-disaster-that-wasnt/

    Hype and hyperbole were on full display this week as the security world reacted to reports of yet another Log4Shell. The vulnerability came to light in December and is arguably one of the gravest Internet threats in years. Christened Spring4Shell—the new code-execution bug is in the widely used Spring Java framework—the threat quickly set the security world on fire as researchers scrambled to assess its severity.

    One of the first posts to report on the flaw was on tech news site Cyber Kendra, which warned of severe damage the flaw might cause to “tonnes of applications” and claimed that the bug “can ruin the Internet.” Almost immediately, security companies, many of them pushing snake oil, were falling all over themselves to warn of the imminent danger we would all face. And all of that before a vulnerability tracking designation or advisory from Spring maintainers was even available.

    The vulnerability resides in two Spring products: Spring MVC and Spring WebFlux, which allow developers to write and test apps. The flaw results from changes introduced in JDK9 that resurrected a decade-old vulnerability tracked as CVE-2010-1622. Given the abundance of systems that combine the Spring framework and JDK9 or later, no wonder people were concerned, particularly since exploit code was already in the wild (the initial leaker quickly took down the PoC, but by then it was too late.)

    The leaked code, Spring maintainers said, ran only when a Spring-developed app ran on top of Apache Tomcat and then only when the app is deployed as a file type known as a WAR, short for web archive.

    “If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit,” the Spring maintainers wrote. “However, the nature of the vulnerability is more general, and there may be other ways to exploit it.”

    While the post left open the possibility that the PoC exploit could be improved to work against other configurations, no one has unearthed a variation that does, at least for now.

    “It’s a thing that developers should fix, if they’re using an affected version,” Will Dormann, a vulnerability analyst at CERT, said in a private message. “But we’re still in the boat of not knowing of a single application out there that is exploitable.”

    “Ways that Cyber Kendra made this worse for everyone,” he wrote. “1) Sensational blog post indicating that this is going to ruin the internet (red flag!) 2) Linking to a git commit about deserialization that has absolutely nothing to do with the issue demonstrated by the original party.”

    https://blog.checkpoint.com/2022/04/05/16-of-organizations-worldwide-impacted-by-spring4shell-zero-day-vulnerability-exploitation-attempts-since-outbreak/

    SpringShell RCE vulnerability: Guidance for protecting against and detecting CVE-2022-22965
    https://www.microsoft.com/security/blog/2022/04/04/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965/

    April 8, 2022 update – Azure Web Application Firewall (WAF) customers with Azure Front Door now have enhanced protection for SpringShell exploits – CVE-2022-22963, CVE-2022-22965, and CVE-2022-22947. See the Detect and protect with Azure Web Application Firewall (Azure WAF) section for details.

    On March 31, 2022, vulnerabilities in the Spring Framework for Java were publicly disclosed. Microsoft is currently assessing the impact associated with these vulnerabilities. This blog is for customers looking for protection against exploitation and ways to detect vulnerable installations on their network of the critical remote code execution (RCE) vulnerability CVE-2022-22965 (also known as SpringShell or Spring4Shell).

    The Spring Framework is the most widely used lightweight open-source framework for Java. In Java Development Kit (JDK) version 9.0 or later, a remote attacker can obtain an AccessLogValve object through the framework’s parameter binding feature and use malicious field values to trigger the pipeline mechanism and write to a file in an arbitrary path, if certain conditions are met.

    The vulnerability in Spring Core—referred to in the security community as SpringShell or Spring4Shell—can be exploited when an attacker sends a specially crafted query to a web server running the Spring Core framework. Other vulnerabilities disclosed in the same component are less critical and not tracked as part of this blog.
    Impacted systems have the following traits:
    • Running JDK 9.0 or later
    • Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and earlier versions
    • Apache Tomcat as the Servlet container:
      o Packaged as a traditional Java web archive (WAR) and deployed in a standalone Tomcat instance; typical Spring Boot deployments using an embedded Servlet container or reactive web server are not impacted
      o Tomcat has spring-webmvc or spring-webflux dependencies
    Any system using JDK 9.0 or later and using the Spring Framework or derivative frameworks should be considered vulnerable.

    Trend says hackers have weaponized SpringShell to install Mirai malware
    Researchers have been in search of vulnerable real-world apps. The wait continues.
    https://arstechnica.com/information-technology/2022/04/trend-says-hackers-have-weaponized-springshell-to-install-mirai-malware/

    Researchers on Friday said that hackers are exploiting the recently discovered SpringShell vulnerability to successfully infect vulnerable Internet of Things devices with Mirai, an open source piece of malware that wrangles routers and other network-connected devices into sprawling botnets.

    When SpringShell (also known as Spring4Shell) came to light last Sunday, some reports compared it to Log4Shell, the critical zero-day vulnerability in the popular logging utility Log4J that affected a sizable portion of apps on the Internet. That comparison proved to be exaggerated because the configurations required for SpringShell to work were by no means common. To date, there are no real-world apps known to be vulnerable.

    Researchers at Trend Micro now say that hackers have developed a weaponized exploit that successfully installs Mirai. A blog post they published didn’t identify the type of device or the CPU used in the infected devices. The post did, however, say a malware file server they found stored multiple variants of the malware for different CPU architectures.
    “We observed active exploitation of Spring4Shell wherein malicious actors were able to weaponize and execute the Mirai botnet malware on vulnerable servers, specifically in the Singapore region,” Trend Micro researchers Deep Patel, Nitesh Surana, and Ashish Verma wrote. The exploits allow threat actors to download Mirai to the “/tmp” folder of the device and execute it following a permission change using “chmod.”

    The attacks began appearing in researchers’ honeypots early this month. Most of the vulnerable setups were configured to these dependencies:
    • Spring Framework versions before 5.2.20, 5.3.18, and Java Development Kit (JDK) version 9 or higher
    • Apache Tomcat
    • Spring-webmvc or spring-webflux dependency
    • Using Spring parameter binding that is configured to use a non-basic parameter type, such as Plain Old Java Objects (POJOs)
    • Deployable, packaged as a web application archive (WAR)
    Trend said the success the hackers had in weaponizing the exploit was largely due to their skill in using exposed class objects, which offered them multiple avenues.

    Reply
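The Microsoft trait list and the Trend Micro dependency list in the comment above describe the same impacted configuration for CVE-2022-22965: JDK 9 or later, a Spring Framework build below 5.3.18 or 5.2.20, spring-webmvc or spring-webflux on the classpath, and a WAR deployed on standalone Tomcat. The following Python is an added example, not code from either vendor, that turns those traits into an inventory triage so a defender can rank what to patch first. The inventory records are constructed; the field names, the "review" bucket for vulnerable builds that do not match the known-exploitable WAR-on-Tomcat shape (the Spring advisory quoted above says other paths may exist), and the treatment of Spring lines newer than 5.3 as fixed are my assumptions.

```python
"""Inventory triage against the CVE-2022-22965 (Spring4Shell) impacted traits.
Added example; not Microsoft's, Trend Micro's or Spring's code."""
import re
from dataclasses import dataclass

# Fixed versions as quoted in the comment above: 5.3.18 and 5.2.20.
FIXED = {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)}


def parse_version(s):
    """'5.3.17' or '5.3.17.RELEASE' -> (5, 3, 17)."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", s.strip())
    if not m:
        raise ValueError(f"unparseable version: {s!r}")
    return tuple(int(x) for x in m.groups())


def jdk_major(s):
    """'1.8.0_292' -> 8, '11.0.14' -> 11, '17' -> 17 (old 1.x and new schemes)."""
    parts = s.strip().split(".")
    if parts[0] == "1" and len(parts) > 1:
        return int(parts[1].split("_")[0])
    return int(parts[0])


def spring_is_patched(version):
    """True when the build is at or above the fixed release for its line."""
    v = parse_version(version)
    line = v[:2]
    if line in FIXED:
        return v >= FIXED[line]
    # Assumption: anything newer than the 5.3 line carries the fix; anything
    # older than 5.2 is unfixed (the advisory says "and earlier versions").
    return line > (5, 3)


@dataclass
class Deployment:
    name: str
    jdk: str
    spring: str
    container: str    # "tomcat", "embedded", "jetty", "none", ...
    packaging: str    # "war" or "jar"
    web_module: bool  # spring-webmvc or spring-webflux present


def classify(d):
    """Return (status, reason); status is 'patch-now', 'review' or 'not-impacted'."""
    if jdk_major(d.jdk) < 9:
        return "not-impacted", "JDK older than 9"
    if spring_is_patched(d.spring):
        return "not-impacted", "Spring Framework at or above the fixed version"
    if not d.web_module:
        return "review", "vulnerable Spring build but no webmvc/webflux module"
    if d.container == "tomcat" and d.packaging == "war":
        return "patch-now", "matches every known-exploitable trait (JDK9+, vulnerable Spring, WAR on Tomcat)"
    return "review", "vulnerable Spring build; not the known PoC shape, but other paths may exist"


def triage(inventory):
    """Map deployment name -> status for a whole inventory."""
    return {d.name: classify(d)[0] for d in inventory}


# Constructed inventory covering each branch of classify().
INVENTORY = [
    Deployment("billing-api",   "11.0.14",   "5.3.17", "tomcat",   "war", True),
    Deployment("legacy-portal", "1.8.0_292", "5.2.19", "tomcat",   "war", True),
    Deployment("orders-svc",    "17.0.2",    "5.3.18", "embedded", "jar", True),
    Deployment("batch-runner",  "11.0.14",   "5.3.16", "none",     "jar", False),
    Deployment("intranet",      "17.0.2",    "5.2.19", "embedded", "jar", True),
]

if __name__ == "__main__":
    for d in INVENTORY:
        status, reason = classify(d)
        print(f"{d.name:14} {status:13} {reason}")
```

The point of the "review" bucket is that a vulnerable Spring build is still a vulnerable build: the deployment shape only tells you whether the public exploit applies, so those systems still need the framework upgrade, just after the WAR-on-Tomcat ones.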
  15. Tomi Engdahl says:

    Spring4Shell Vulnerability Exploited by Mirai Botnet
    https://www.securityweek.com/spring4shell-vulnerability-exploited-mirai-botnet

    Cybersecurity firm Trend Micro on Friday confirmed some earlier reports that the new Spring4Shell vulnerability has been exploited by the Mirai botnet.

    Two critical vulnerabilities have been patched recently in the popular Java application development framework Spring: CVE-2022-22965 (aka Spring4Shell and SpringShell) and CVE-2022-22963.

    The flaws can be used for remote code execution and they both appear to have been exploited by malicious actors, with attacks reportedly starting before patches were made available by Spring developers.

    https://www.securityweek.com/spring4shell-exploitation-attempts-confirmed-patches-are-released

    Reply
  16. Tomi Engdahl says:

    Google Updates Target API Level Requirements for Android Apps
    https://www.securityweek.com/google-updates-target-api-level-requirements-android-apps

    Google this week announced updated target level API requirements for Android applications in an attempt to improve the overall security of the ecosystem.

    Per the updated requirements, all applications will have to target “an API level within two years of the latest major Android release” to remain discoverable for new users with devices running newer Android versions.

    Basically, once the change enters into effect, users on the newest Android iterations will not be able to install older applications, which may lack some of the latest protections the mobile platform offers.

    “Users with the latest devices or those who are fully caught up on Android updates expect to realize the full potential of all the privacy and security protections Android has to offer,” Google says.

    Expanding Play’s Target Level API Requirements to Strengthen User Security
    https://android-developers.googleblog.com/2022/04/expanding-plays-target-level-api-requirements-to-strengthen-user-security.html

    Reply
  17. Tomi Engdahl says:

    DOJ’s Sandworm operation raises questions about how far feds can go to disarm botnets https://www.cyberscoop.com/dojs-sandworm-operation-raises-questions-about-how-far-the-feds-can-go-to-disarm-botnets/
    There is some debate in legal circles around how far law enforcement can go when using remote access technology and how appropriate it is to leverage the tool to disrupt cybercrimes as opposed to investigate them, according to Christopher Painter, a former federal prosecutor who prosecuted several high-profile cybercrimes before becoming the top cyber diplomat at the State Department.

    Reply
  18. Tomi Engdahl says:

    Inside the Bitcoin Bust That Took Down the Web’s Biggest Child Abuse Site https://www.wired.com/story/tracers-in-the-dark-welcome-to-video-crypto-anonymity-myth/
    They thought their payments were untraceable. They couldn’t have been more wrong. The untold story of the case that shredded the myth of Bitcoin’s anonymity.

    Reply
  19. Tomi Engdahl says:

    OpenSSH now defaults to protecting against quantum computer attacks https://www.zdnet.com/article/openssh-now-defaults-to-protecting-against-quantum-computer-attacks/
    “The NTRU algorithm is believed to resist attacks enabled by future quantum computers and is paired with the X25519 ECDH key exchange (the previous default) as a backstop against any weaknesses in NTRU Prime that may be discovered in the future. The combination ensures that the hybrid exchange offers at least as good security as the status quo,” the release notes said.

    Reply
  20. Tomi Engdahl says:

    Don’t enter your recovery phrase! Phishers target Ledger crypto-wallet users https://blog.malwarebytes.com/privacy-2/2022/04/dont-enter-your-recovery-phrase-phishers-target-ledger-crypto-wallet-users/
    Phishing emails are being sent that refer to a non-existent breach. The “solution” to this breach is to update the 24-word phrase as soon as possible and set up a new wallet PIN.

    Reply
  21. Tomi Engdahl says:

    Beware of an exceptionally nasty scam: it is based on a genuine Posti tracking code https://www.is.fi/digitoday/tietoturva/art-2000008744326.html
    A new scam is being run in Posti's name, aiming to steal the recipient's payment card details. The scam is exceptionally convincing in that it is based on a real shipment tracking code.

    Reply
  22. Tomi Engdahl says:

    Android banking malware intercepts calls to customer support https://www.bleepingcomputer.com/news/security/android-banking-malware-intercepts-calls-to-customer-support/
    Disguised as a mobile app from a popular bank, Fakecalls displays all the marks of the entity it impersonates, including the official logo and the customer support number. When the victim tries to call the bank, the malware breaks the connection and shows its call screen, which is almost indistinguishable from the real one. [Original at https://www.kaspersky.com/blog/fakecalls-banking-trojan/44072/]

    Reply
  23. Tomi Engdahl says:

    New Meta information stealer distributed in malspam campaign https://www.bleepingcomputer.com/news/security/new-meta-information-stealer-distributed-in-malspam-campaign/
    A malspam campaign has been found distributing the new META malware, a new info-stealer malware that appears to be rising in popularity among cybercriminals. META is one of the novel info-stealers, along with Mars Stealer and BlackGuard, whose operators wish to take advantage of Raccoon Stealer’s exit from the market that left many searching for their next platform.

    Reply
  24. Tomi Engdahl says:

    Spring: It isn’t just about Spring4Shell. Spring Cloud Function Vulnerabilities are being probed too.
    https://isc.sans.edu/diary/rss/28538
    The scan for /actuator/gateway/routes may be looking for systems that are possibly vulnerable to CVE-2022-22947 or other vulnerabilities in Spring Cloud Function (we had at least three different vulnerabilities recently). This vulnerability was patched at the beginning of March, and exploits are available. The actual exploit would include a JSON formatted payload with the actual command to be executed. It is a simple code injection vulnerability, and exploitation is trivial. But to be vulnerable, a system needs to use the Spring Cloud functions, which are not as popular as the basic Spring Core library vulnerable to Spring4Shell (CVE-2022-22965).

    Reply
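Two request patterns from this thread are worth sweeping web server logs for: the /actuator/gateway/routes scans the SANS diary above attributes to Spring Cloud Gateway (CVE-2022-22947) probing, and query strings carrying class.module.classLoader, the parameter-binding path behind the curl check quoted in the Spring4Shell comment (comment 14), where that comment says an HTTP 400 reply indicates a likely vulnerable Tomcat install. The following Python is an added example, not the SANS diary's or Microsoft's code: it parses combined-format access log lines, tags both probe types, and lists the sources whose Spring4Shell probe drew a 400. The log lines are constructed samples; the tag names and the combined-format regex are mine.

```python
"""Access-log sweep for Spring Cloud Gateway and Spring4Shell probe patterns.
Added example; the log lines below are constructed, not captured traffic."""
import re
from urllib.parse import unquote

# Apache/nginx "combined" format: ip ident user [ts] "METHOD path HTTP/x" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def classify_request(raw_path):
    """Tag one request path, or return None for ordinary traffic."""
    path = unquote(raw_path)               # %5B0%5D -> [0]
    route, _, query = path.partition("?")
    if route.rstrip("/").endswith("/actuator/gateway/routes"):
        return "spring-cloud-gateway-probe"
    if "class.module.classLoader" in query or "class.module.classLoader" in route:
        return "spring4shell-probe"
    return None


def sweep(lines):
    """Return (ip, tag, status) for every log line that matches a probe pattern."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                       # skip lines that are not combined format
        tag = classify_request(m["path"])
        if tag:
            hits.append((m["ip"], tag, int(m["status"])))
    return hits


def likely_vulnerable_responses(hits):
    """Sources whose Spring4Shell probe was answered with HTTP 400, which the
    Hackaday summary above treats as a sign the install is likely vulnerable."""
    return sorted({ip for ip, tag, status in hits
                   if tag == "spring4shell-probe" and status == 400})


# Constructed sample: one scanner trying both probes, one normal visitor,
# one gateway probe that hit an auth wall.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Apr/2022:10:12:01 +0000] "GET /actuator/gateway/routes HTTP/1.1" 404 153 "-" "python-requests/2.27"',
    '203.0.113.7 - - [05/Apr/2022:10:12:03 +0000] "GET /app/login?class.module.classLoader.URLs%5B0%5D=0 HTTP/1.1" 400 0 "-" "curl/7.81"',
    '198.51.100.9 - - [05/Apr/2022:10:15:44 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [05/Apr/2022:10:16:00 +0000] "POST /actuator/gateway/routes/ HTTP/1.1" 401 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    hits = sweep(SAMPLE_LOG)
    for ip, tag, status in hits:
        print(f"{ip:14} {tag:28} {status}")
    print("400 to a Spring4Shell probe from:", likely_vulnerable_responses(hits))
```

A 400 is only a hint: the same probe against an application that is not Spring-based can also return 400, so confirm with the version inventory before escalating, and treat the gateway probe as reconnaissance that only matters if Spring Cloud Gateway is actually deployed.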
  25. Tomi Engdahl says:

    Exclusive: Senior EU officials were targeted with Israeli spyware
    https://www.reuters.com/technology/exclusive-senior-eu-officials-were-targeted-with-israeli-spyware-sources-2022-04-11/
    Senior officials at the European Commission were targeted last year with spy software designed by an Israeli surveillance firm, according to two EU officials and documentation reviewed by Reuters.

    Reply
  26. Tomi Engdahl says:

    NSO Turns to US Supreme Court for Immunity in WhatsApp Suit
    https://www.securityweek.com/nso-turns-us-supreme-court-immunity-whatsapp-suit

    The Israeli spyware maker NSO Group is turning to the U.S. Supreme Court as it seeks to head off a high-profile lawsuit filed by the WhatsApp messaging service.

    In a filing to the Supreme Court, NSO said it should be recognized as a foreign government agent and therefore be entitled to immunity under U.S. law limiting lawsuits against foreign countries. The request appeals a pair of earlier federal court rulings that rejected similar arguments by the Israeli company.

    WhatsApp parent Facebook, now called Meta Platforms Inc., sued NSO in 2019 for allegedly targeting some 1,400 users of its encrypted messaging service with highly sophisticated spyware. It is trying to block NSO from Facebook platforms and servers and seeks unspecified damages.

    Granting sovereign immunity to NSO would greatly hinder WhatsApp’s case. It also could provide protection from a potentially risky discovery process that could reveal its customers and technological secrets. NSO is seeking to have the entire case dismissed.

    Reply
  27. Tomi Engdahl says:

    Beware of an exceptionally nasty scam: it is based on a genuine Posti tracking code
    The scam takes its victim's address details and payment card details.
    https://www.is.fi/digitoday/tietoturva/art-2000008744326.html

    A new scam is being run in Posti's name, aiming to steal the recipient's payment card details. The scam is exceptionally convincing in that it is based on a real shipment tracking code.

    An email arrives in Posti's name saying that a parcel has arrived at Helsinki Central Railway Station. The email contains a shipment tracking code followed by a "confirm" button.

    When the tracking code is looked up on Posti's real website, the shipment turns out to be genuine. The parcel matching the code has really arrived at Posti's Keskuskatu pickup point in Helsinki and is waiting to be collected.

    The confirm button, in turn, leads to a web page that shows the same tracking code as the email and asks for a payment of 2.84 euros. The page requests a street address and credit card details, or a PayPal login.

    The scam was spotted by Mikko Rautalahti of Helsinki, who received the scam email sent in Posti's name. After looking into it and realising it was a scam, he warned his Facebook friends and called Posti's customer service.

    "I cannot see the parcel's sender or recipient details, because the parcel is not addressed to me (for the same reason I also cannot see the locker number or code for the Keskuskatu parcel terminal). [...] This is quite a cunning trick that makes the whole scheme considerably more credible, because anyone can see in Posti's system that the parcel really exists and something really has been sent. The fact that it was actually sent to someone else is something Posti's tracking does not really show; the system simply takes no position on it," Rautalahti says.

    Posti's head of security Heikki Horn confirms that this is a new kind of scam. Posti learned of it on Monday morning. A report has been made to the authorities. Posti is currently investigating the tracking code used in the scam.

    "Posti never asks for charges like this online," Horn reminds.

    Reply
  28. Tomi Engdahl says:

    Raspberry Pi Removes Default User to Improve Security
    https://www.securityweek.com/raspberry-pi-removes-default-user-improve-security

    In an attempt to improve security, the latest Raspberry Pi OS release no longer creates a default “pi” account, requiring users to set up custom accounts instead.

    The “pi” user, which has been present in all Raspberry Pi installations since the beginning, does make it easier to conduct brute-force attacks (it is usually paired with the password “raspberry”), even if some don’t necessarily see it as a security weakness.

    With the latest change – which is also prompted by new legislation in some countries forbidding the use of default accounts – users will be required to create an account when booting a newly-flashed Raspberry Pi OS image.

    “This is in line with the way most operating systems work nowadays, and, while it may cause a few issues where software (and documentation) assumes the existence of the “pi” user, it feels like a sensible change to make at this point,” Raspberry Pi senior principal software engineer Simon Long explains.

    An update to Raspberry Pi OS Bullseye
    https://www.raspberrypi.com/news/raspberry-pi-bullseye-update-april-2022/

    Reply
  29. Tomi Engdahl says:

    ‘Octo’ Android Trojan Allows Cybercrooks to Conduct On-Device Fraud
    https://www.securityweek.com/octo-android-trojan-allows-cybercrooks-conduct-device-fraud

    Threat Fabric security researchers have analyzed an Android banking trojan that allows its operators to perform on-device fraud.

    Dubbed Octo, the botnet was first mentioned on dark web forums in January 2022, but an analysis of its code revealed a close connection with ExobotCompact, which is believed to be the successor of the Exobot Android trojan, which in turn was based on the source code of the Marcher trojan.

    Exobot was used in numerous attacks on financial institutions in Australia, France, Germany, Japan, Thailand, and Turkey, and was maintained until 2018.

    ExobotCompact emerged as a lite version of the trojan, with at least four variants observed to date, the most recent of which emerged in November 2021. The malware was even distributed via a dropper app published to Google Play – Fast Cleaner – where it gathered over 50,000 downloads.

    https://threatfabric.com/blogs/octo-new-odf-banking-trojan.html#campaigns-and-actors

    Reply
  30. Tomi Engdahl says:

    The Art Exhibition That Fools Facial Recognition Systems
    https://www.securityweek.com/art-exhibition-fools-facial-recognition-systems

    The most boring art exhibition in the world has been launched online. It comprises just 100 images of the same painting: 100 copies of the Mona Lisa. But all is not what it seems – and that’s the whole point. Humans see 100 identical Mona Lisa images; but facial recognition systems see 100 different celebrities.

    The exhibition is the brainchild of Adversa, a startup company designed to find and help mitigate against the inevitable and exploitable insecurities in artificial intelligence. In this instance, the weaknesses in facial recognition systems are highlighted.

    The exhibition is predicated on the concept of an NFT sale. Security professionals who might dismiss NFTs as popular contemporary gimmickry should not be put off – the concept is used merely to attract a wider public audience to the insecurity of facial recognition. The purpose of the exhibition is altogether more serious than NFTs.

    The exhibition has 100 Mona Lisa images. “All look almost the same as the original one by da Vinci for people, though AI recognizes them as 100 different celebrities,” explains Adversa in a blog report. “Such perception differences are caused by the biases and security vulnerabilities of AI called adversarial examples, that can potentially be used by cybercriminals to hack facial recognition systems, autonomous cars, medical imaging, financial algorithms – or in fact any other AI technology.”

    Reply
  31. Tomi Engdahl says:

    SuperCare Health Data Breach Impacts Over 300,000 People
    https://www.securityweek.com/supercare-health-data-breach-impacts-over-300000-people

    California-based respiratory care provider SuperCare Health recently disclosed a data breach affecting more than 300,000 individuals.

    In a data security notice posted on its website, SuperCare said the intrusion was discovered on July 27, 2021, when it noticed unauthorized activity on some systems. An investigation revealed that someone had access to certain systems between July 23 and July 27, 2021.

    However, it took the company until February 4, 2022, to determine that the exposed files contained patient information, including name, address, date of birth, hospital or medical group, medical record number, patient account number, health-related information, and claim information. In some cases, social security numbers and driver’s license numbers were also stored in the compromised files.

    “Please note that to date, we have no reason to believe that any information was published, shared, or misused as a result of this incident,” the company said.

    SuperCare notified impacted individuals about the incident only on March 25.

    Reply
  32. Tomi Engdahl says:

    Snap-on Tools Hit by Cyberattack Claimed by Conti Ransomware Gang
    https://www.securityweek.com/high-end-tools-manufacturer-snap-discloses-data-breach

    Conti ransomware gang claimed responsibility for cyberattack on Wisconsin-based tool maker

    High-end tools manufacturer Snap-on is notifying employees that some of their personal information might have been compromised in a recent data breach.

    The maker of tools and equipment for automotive, aviation, marine, railroad, and heavy duty industries fell victim to a cyberattack in early March, when it was forced to take down parts of its network.

    “Since the event, we have continued to pursue our commercial activities, restoring our connections as system interfaces are cleared. Plants have been running, customer-facing applications are working, and we continue to communicate with impacted stakeholders,” the company says in a note on its website.

    Snap-on also notes that it has launched an investigation into the incident immediately after discovering it, and that it does not believe the attack has a “significant effect” on the company’s business.

    Reply
  33. Tomi Engdahl says:

    PSA: Replace vulnerable D-Link routers as soon as possible, says CISA
    These EOL models won’t receive security patches
    https://www.techspot.com/news/94144-cisa-warns-users-replace-vulnerable-d-link-routers.html

    The issue in question here is a “Remote Code Execution” vulnerability that exists in D-Link DIR-810L, DIR-820L/LW, DIR-826L, DIR-830L, and DIR-836L routers. According to Malwarebytes Labs, attackers can take advantage of “diagnostic hooks” to make a Dynamic DNS call without proper authentication, allowing them to take control of affected routers.

    Just in case this seems like only a hypothetical threat, it’s worth noting that a proof-of-concept hack targeting this vulnerability already exists in the wild, thanks to Github user doudoudedi. As such, we — and D-Link itself — would recommend replacing any affected routers you might own as quickly as possible. It’s always a shame to generate more e-waste, but in this case, it’s the lesser of two evils.

    Reply
  34. Tomi Engdahl says:

    Critical bug allows attacker to remotely control medical robot
    CVSS 9.8 flaws are not what you want in a hospital robot
    https://www.theregister.com/2022/04/12/critical_vuln_hospital_robots/

    Mobile robot maker Aethon has fixed a series of vulnerabilities in its Tug hospital robots that, if exploited, could allow a cybercriminal to remotely control thousands of medical machines.

    Exploiting these five bugs, collectively called JekyllBot:5, required no special privileges or user interaction. And once used, they could allow miscreants to perform all sorts of evil deeds including accessing user credentials and medical records, locking down elevators and doors, surveilling facilities, disrupting patient care and meds, and launching further cyberattacks.

    IoT healthcare security firm Cynerio discovered the vulnerabilities, whose CVSS scores range from 7.7 to 9.8, while deploying the Tug robots for a customer hospital.

    Reply
  35. Tomi Engdahl says:

    HCL and HP named in unflattering audit of India’s biometric ID system https://www.theregister.com/2022/04/12/aadhaar_uadai_audit/
    The audit report found plenty of problems with the project, among them around 475,000 Aadhaars with the same biometric data used to describe different people. De-duplication efforts proved so poor that staff reverted to manual processes to address the problem. Many Aadhaar ID cards didn’t work as a result – attempts to authenticate users failed. [Report at https://cag.gov.in/en/audit-report/download/116042]

    Reply
  36. Tomi Engdahl says:

    One of the world’s biggest hacker forums taken down
    https://www.europol.europa.eu/media-press/newsroom/news/one-of-world%E2%80%99s-biggest-hacker-forums-taken-down
    The illegal marketplace ‘RaidForums’ has been shut down and its infrastructure seized as a result of Operation TOURNIQUET, a complex law enforcement effort coordinated by Europol to support independent investigations of the United States, United Kingdom, Sweden, Portugal, and Romania. The forum’s administrator and two of his accomplices have also been arrested.
    Also
    https://krebsonsecurity.com/2022/04/raidforums-get-raided-alleged-admin-arrested/

    Reply
  37. Tomi Engdahl says:

    Third npm protestware: ‘event-source-polyfill’ calls Russia out https://www.bleepingcomputer.com/news/security/third-npm-protestware-event-source-polyfill-calls-russia-out/
    Most recently, the developer of the ‘event-source-polyfill’ npm package has peacefully protested Russia’s “unreasonable invasion” of Ukraine, to Russian consumers. [...] the package is used by well over 135,000 GitHub repositories and downloaded over 600,000 times weekly on npm.

    Reply
  38. Tomi Engdahl says:

    Adobe Patches Gaping Security Holes in Acrobat, Reader, Photoshop
    https://www.securityweek.com/adobe-patches-gaping-security-holes-acrobat-reader-photoshop

    Adobe’s security update engine revved into overdrive this month with the release of patches for at least 78 documented software vulnerabilities, some serious enough to expose corporate customers to remote code execution attacks.

    The San Jose, California software maker’s Patch Tuesday drop this month covers holes in Adobe Acrobat and Reader, Adobe Photoshop, Adobe After Effects and Adobe Commerce.

    The Adobe Acrobat and Reader update, rated critical, covers a total of 62 vulnerabilities that the company acknowledges could be exploited to cause major damage. The update is available for both Windows and macOS users.

    “Successful exploitation could lead to arbitrary code execution, memory leak, security feature bypass and privilege escalation,” Adobe said.

    https://helpx.adobe.com/security/products/acrobat/apsb22-16.html

    Reply
  39. Tomi Engdahl says:

    Microsoft Patches 128 Windows Flaws, New Zero-Day Reported by NSA
    https://www.securityweek.com/microsoft-patches-128-windows-flaws-new-zero-day-reported-nsa

    Microsoft on Tuesday issued a warning for an in-the-wild zero-day attack hitting Windows users and raised eyebrows when it credited the U.S. government National Security Agency (NSA) with reporting the live exploitation.

    The warning was embedded in Microsoft’s documentation of a massive batch of software fixes being pushed as part of this month’s scheduled Patch Tuesday releases.

    This is the 15th confirmed zero-day attack seen so far in 2022 and Redmond’s crediting of the NSA suggests it was used by an advanced threat actor in targeted attacks. In addition to the NSA, Redmond credited a CrowdStrike researcher with reporting the issue.

    According to a barebones advisory from Microsoft, the vulnerability — CVE-2022-24521 (CVSS 7.8) — is a memory safety issue in the Windows Common Log File system driver that allows a local user to escalate privileges on the system.

    According to Microsoft, the flaw exists due to a boundary error, exposing a situation where a local user can run malicious code to trigger memory corruption and execute arbitrary code with elevated privileges.

    Windows Common Log File System Driver Elevation of Privilege Vulnerability
    CVE-2022-24521
    https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24521

    Reply
  40. Tomi Engdahl says:

    KKR to Acquire Barracuda Networks From Thoma Bravo
    https://www.securityweek.com/kkr-acquire-barracuda-networks-thoma-bravo

    Investment giant KKR has agreed to acquire Barracuda Networks from private equity firm Thoma Bravo, the firms announced Tuesday.

    Financial terms were not disclosed, but Reuters reported the value to be nearly $4 billion, citing sources familiar with the deal.

    Thoma Bravo took Barracuda private in a $1.6 billion deal that was completed in February 2018.

    Barracuda Networks: Founded in 2003, Barracuda is best known for its email, web and network security solutions, and counts more than 200,000 customers around the world.

    Reply
  41. Tomi Engdahl says:

    Ukraine Says Potent Russian Hack Against Power Grid Thwarted
    https://www.securityweek.com/ukraine-says-potent-russian-hack-against-power-grid-thwarted

    Russian military hackers attempted to knock out power to millions of Ukrainians last week in a long-planned attack but were foiled, Ukrainian government officials said Tuesday.

    At one targeted high-voltage power station, the hackers succeeded in penetrating and disrupting part of the industrial control system, but people defending the station were able to prevent electrical outages, the Ukrainians said.

    “The threat was serious, but it was prevented in a timely manner,” a top Ukrainian cybersecurity official, Victor Zhora, told reporters through an interpreter. “It looks that we were very lucky.”

    Reply
  42. Tomi Engdahl says:

    March 2022’s Most Wanted Malware: Easter Phishing Scams Help Emotet Assert its Dominance https://blog.checkpoint.com/2022/04/12/march-2022s-most-wanted-malware-easter-phishing-scams-help-emotet-assert-its-dominance/
    Our latest Global Threat Index for March 2022 reveals that Emotet is continuing its reign as the most popular malware, impacting 10% of organizations worldwide, double that of February. [...]. Since its return in November last year and the recent news that Trickbot has shut down, Emotet has been strengthening its position as the most prevalent malware. This was solidified even further this month as many aggressive email campaigns have been distributing the botnet, including various Easter-themed phishing scams exploiting the buzz of the festivities. These emails were sent to victims all over the world with one such example using the subject “buona pasqua, happy easter”
    yet attached to the email was a malicious XLS file to deliver Emotet.

    Reply
  43. Tomi Engdahl says:

    Five zero days affecting Aethon hospital autonomous robots patched https://therecord.media/five-zero-days-affecting-aethon-hospital-autonomous-robots-patched/
    Multibillion-dollar engineering firm ST Engineering said it has patched five zero day vulnerabilities affecting its Aethon TUG autonomous mobile robots, devices that are now used widely in hospitals across the world.

    Reply
  44. Tomi Engdahl says:

    Microsoft April 2022 Patch Tuesday
    https://isc.sans.edu/diary/rss/28542
    This month we got patches for 145 vulnerabilities. Of these, 10 are critical, 1 was previously disclosed, and one is already being exploited according to Microsoft. RCE affecting Remote Procedure Call Runtime (CVE-2022-26809). According to the advisory, exploitation of this vulnerability could result in remote code execution on the server-side with the same permissions as the RPC service. The vulnerability requires no user interaction, requires no privilege, has a low attack complexity and the attack vector is network. Due to those characteristics, this is a potential wormable vulnerability. The mitigation for the vulnerability is blocking port TCP/445 or protecting it as much as possible – mainly from access coming from the Internet.

    Reply
  45. Tomi Engdahl says:

    Internal AWS credentials swiped by researcher via SQL payload https://portswigger.net/daily-swig/internal-aws-credentials-swiped-by-researcher-via-sql-payload
    A security researcher said they seized credentials for an internal AWS service by exploiting a local file read vulnerability on a Relational Database Service (RDS) EC2 instance.

    Reply
  46. Tomi Engdahl says:

    Tarrask malware uses scheduled tasks for defense evasion https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/
    As Microsoft continues to track the high-priority state-sponsored threat actor HAFNIUM, new activity has been uncovered that leverages unpatched zero-day vulnerabilities as initial vectors. The Microsoft Detection and Response Team (DART) in collaboration with the Microsoft Threat Intelligence Center (MSTIC) identified a multi-stage attack targeting the Zoho Manage Engine Rest API authentication bypass vulnerability to initially implant a Godzilla web shell with similar properties detailed by the Unit42 team in a previous blog. Microsoft attributes this set of activity to HAFNIUM and not TG-3390/APT 27/IODINE as mentioned in the Unit42 blog.

    Reply
  47. Tomi Engdahl says:

    Porn sites fed malware – then hackers hijacked the computer https://www.is.fi/digitoday/tietoturva/art-2000008749164.html

    Reply
  48. Tomi Engdahl says:

    Critical flaw in Elementor WordPress plugin may affect 500k sites
    https://www.bleepingcomputer.com/news/security/critical-flaw-in-elementor-wordpress-plugin-may-affect-500k-sites/

    The authors of the Elementor Website Builder plugin for WordPress have just released version 3.6.3 to address a critical remote code execution flaw that may impact as many as 500,000 websites.

    Although exploiting the flaw requires authentication, its critical severity is given by the fact that anyone logged into the vulnerable website can exploit it, including regular subscribers.

    A threat actor creating a normal user account on an affected website could change the name and theme of the affected site making it look entirely different.

    Reply
