Cyber security news April 2022

This posting is here to collect cyber security news in April 2022.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.

425 Comments

  1. Tomi Engdahl says:

    US warns a novel malware could disrupt nations’ critical infrastructure
    https://cybernews.com/cyber-war/us-warns-a-novel-malware-could-disrupt-nations-critical-infrastructure/?utm_source=facebook&utm_medium=social&utm_campaign=cybernews&utm_content=post

    “By compromising and maintaining full system access to ICS/SCADA devices, APT actors could elevate privileges, move laterally within an OT environment, and disrupt critical devices or functions,” reads the advisory.

    The advisory urges critical infrastructure firms, especially ones working in the energy sector, to mitigate these risks.

    A blog post from cybersecurity firm Dragos claims that security researchers have been monitoring the malware since early 2022. Researchers think the malware, which they named ‘Pipedream,’ has not yet been employed for destructive effects.

    “Dragos assesses with high confidence this was developed by a state actor with the intent on deploying it to disrupt key infrastructure sites,” Dragos’ CEO Robert M. Lee explained in a Twitter post.

    https://www.dragos.com/blog/industry-news/chernovite-pipedream-malware-targeting-industrial-control-systems/

    Reply
  2. Tomi Engdahl says:

    Emergency Security Update For 3.2 Billion Google Chrome Users—Attacks Underway
    https://www.forbes.com/sites/daveywinder/2022/04/17/emergency-security-update-for-32-billion-google-chrome-users-attacks-underway/

    Google has now released three emergency, out-of-band, security updates for the Chrome browser in as many weeks. What’s more, this one, like the first, is to fix a high-severity zero-day vulnerability that is already being exploited by attackers.

    Google issued yet another emergency security update for all 3.2 billion users of the Chrome web browser. It is the third such update to be rushed out in three weeks, and it discloses a single high-severity vulnerability. This one, like the first of this worrying threat triumvirate, is a zero-day vulnerability: one that Google has confirmed is already being exploited by attackers.

    How serious is CVE-2022-1364?

    The similarities don’t end there though. CVE-2022-1364, the vulnerability in question, is another ‘Type Confusion in V8′ one. This means it impacts the JavaScript engine that is employed by Chromium-powered browsers such as Google Chrome, Microsoft Edge, Brave and others. As before, Google is not making any further technical details available, and the update confirmation states that “we will also retain restriction” which suggests this is a particularly serious vulnerability indeed.

    The security update process will have already started and the fix should become available to you in the course of the coming days and weeks. This emergency update takes Chrome to version 100.0.4896.127, across the Windows, Mac and Linux desktop platforms. Users of browsers such as Microsoft Edge, Brave, Vivaldi and Opera are advised to be alert to likely updates for those becoming available shortly.

    Chrome should automatically update itself as the fix becomes available to you. However, you are advised to kickstart the updating process as soon as possible given that attacks are underway.

    Head for the Help|About option in your Google Chrome menu. If your version of Chrome is not showing as 100.0.4896.127 then it will be vulnerable to the known exploit. The update should, however, now start downloading automatically. It may take a few days for the update to reach everyone, so be patient if you are not seeing it yet.

    Also, remember to restart your browser after the update has been installed, or it will not activate, and you will still be vulnerable to attack.

    Reply
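    The version check described above (Help|About must show 100.0.4896.127 or later), as an added example that is not from the article: the comparison has to be numeric per component, because a plain string comparison ranks 100.0.4896.60 above 100.0.4896.127. The `installed_chrome_version` helper and the `google-chrome` binary name are assumptions for Linux/macOS hosts.

    ```python
    import re
    import subprocess
    from typing import Optional, Tuple

    # Fixed desktop build named in the article (Windows, Mac and Linux).
    FIXED_VERSION = "100.0.4896.127"


    def parse_version(text: str) -> Tuple[int, ...]:
        """Extract a dotted version from strings such as
        'Google Chrome 100.0.4896.127' or 'Version 100.0.4896.60 (Official Build)'
        and return it as a tuple of integers."""
        m = re.search(r"\b(\d+(?:\.\d+){1,3})\b", text)
        if not m:
            raise ValueError(f"no version number found in {text!r}")
        return tuple(int(part) for part in m.group(1).split("."))


    def is_patched(installed: str, fixed: str = FIXED_VERSION) -> bool:
        """True when the installed build is at least the fixed build.
        Tuples compare component by component as integers; comparing the raw
        strings would wrongly treat '100.0.4896.60' as newer than
        '100.0.4896.127' because '6' sorts after '1'."""
        return parse_version(installed) >= parse_version(fixed)


    def installed_chrome_version(binary: str = "google-chrome") -> Optional[str]:
        """Best-effort read of the local Chrome version (hypothetical helper;
        assumes a 'google-chrome --version' style binary on the PATH)."""
        try:
            out = subprocess.run([binary, "--version"], capture_output=True,
                                 text=True, timeout=5)
        except (OSError, subprocess.SubprocessError):
            return None
        return out.stdout.strip() or None


    if __name__ == "__main__":
        version = installed_chrome_version()
        if version is None:
            print("Chrome binary not found; check Help|About manually")
        elif is_patched(version):
            print(f"{version}: patched against CVE-2022-1364 (restart if not yet relaunched)")
        else:
            print(f"{version}: VULNERABLE to CVE-2022-1364, update and restart the browser")
    ```
    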
  3. Tomi Engdahl says:

    An old satellite was hacked to broadcast signals across North America
    The demonstration reveals the vulnerability of decommissioned, but not dead, satellites.
    https://www.freethink.com/space/decommissioned-satellite-hacking

    A group of security researchers have hacked a decommissioned communications satellite, called Anik F1R, originally shot into orbit in 2005.

    Reply
  4. Tomi Engdahl says:

    ‘Mute’ button in conferencing apps may not actually mute your mic
    https://www.bleepingcomputer.com/news/security/mute-button-in-conferencing-apps-may-not-actually-mute-your-mic/

    A new study shows that pressing the mute button on popular video conferencing apps (VCA) may not actually work like you think it should, with apps still listening in on your microphone.

    More specifically, in the studied software, pressing mute does not prevent audio from being transmitted to the apps’ servers, either continually or periodically.

    Due to this activity not being documented in related privacy policies, users have a poor understanding of how the mute system works, falsely assuming that audio input is cut when they activate it.

    Reply
  5. Tomi Engdahl says:

    According to the FBI, around $620 million worth of crypto was swiped in the attack.

    https://www.iflscience.com/technology/north-korean-hackers-steal-620-million-in-one-of-the-biggest-ever-crypto-heists/

    North Korean hackers have recently pulled off one of the biggest cryptocurrency hacks of all time. Axie Infinity, a popular NFT video game that allows users to earn money as they play, announced in a blog post that they were the victims of a cyberattack on March 29 that saw the loss of 173,600 Ethereum and 25.5 million USDC, a digital stable coin that is pegged to the US dollar.

    https://roninblockchain.substack.com/p/community-alert-ronin-validators?s=w

    Reply
  6. Tomi Engdahl says:

    The websites of Finnish ministries were taken down by an attacker named Greed, which has already gone after Ukraine three times https://www.hs.fi/ulkomaat/art-2000008753032.html
    WHEN Ukrainian President Volodymyr Zelenskyi addressed the Finnish parliament last week, the websites of the Ministry of Defence and the Ministry for Foreign Affairs were hit by a heavy denial-of-service attack. According to the US company Security Scorecard, the denial-of-service attack against the ministries was carried out with the same botnet that has been used to attack Ukraine’s government administration and banks. Security Scorecard
    (SSC) has given the botnet it identified in March the name Zhadnost. The word is Russian and means greed.

    Reply
  7. Tomi Engdahl says:

    ESET takes part in global operation to disrupt Zloader botnets https://www.welivesecurity.com/2022/04/13/eset-takes-part-global-operation-disrupt-zloader-botnets/
    ESET has collaborated with partners Microsoft’s Digital Crimes Unit, Lumen’s Black Lotus Labs, Palo Alto Networks Unit 42, and others in an attempt to disrupt known Zloader botnets. ESET contributed to the project by providing technical analysis, statistical information, and known command and control server domain names and IP addresses.
    Zloader started life as a banking trojan, but lately evolved to become a distributor of several malware families, including various ransomware families.

    Reply
  8. Tomi Engdahl says:

    CVE-2021-1782, an iOS in-the-wild vulnerability in vouchers https://googleprojectzero.blogspot.com/2022/04/cve-2021-1782-ios-in-wild-vulnerability.html
    This blog post is my analysis of a vulnerability exploited in the wild and patched in early 2021. Like the writeup published last week looking at an ASN.1 parser bug, this blog post is based on the notes I took as I was analyzing the patch and trying to understand the XNU vouchers subsystem. I hope that this writeup serves as the missing documentation for how some of the internals of the voucher subsystem works and its quirks which lead to this vulnerability.

    Reply
  9. Tomi Engdahl says:

    Check Point Research detects Vulnerability in the Rarible NFT Marketplace, Preventing Risk of Account Takeover and Cryptocurrency Theft https://research.checkpoint.com/2022/check-point-research-detects-vulnerability-in-the-rarible-nft-marketplace-preventing-risk-of-account-take-over-and-cryptocurrency-theft/
    Check Point Research identifies a vulnerability within the Rarible NFT Marketplace that allows attackers to take over cryptocurrency wallets.
    By luring victims to click on a malicious NFT, an attacker can take full control of the victim’s crypto wallet to steal funds. CPR immediately reported this flaw to Rarible, which acknowledged and installed a fix. CPR urges users to remain aware and offers preventive actions.

    Reply
  10. Tomi Engdahl says:

    Threat Spotlight: “Haskers Gang” Introduces New ZingoStealer https://blog.talosintelligence.com/2022/04/haskers-gang-zingostealer.html
    Cisco Talos recently observed a new information stealer, called “ZingoStealer”, that has been released for free by a threat actor known as “Haskers Gang.” This information stealer, first introduced to the wild in March 2022, is currently undergoing active development and multiple releases of new versions have been observed recently. The malware leverages Telegram chat features to facilitate malware executable build delivery and data exfiltration.

    Reply
  11. Tomi Engdahl says:

    Experts warn of concerns around Microsoft RPC bug https://therecord.media/experts-warn-of-concerns-around-microsoft-rpc-bug/
    Cybersecurity experts and researchers have raised alarms around a vulnerability disclosed by Microsoft Tuesday concerning Windows hosts running the Remote Procedure Call Runtime (RPC). CVE-2022-26809 has a CVSS score of 9.8 and has already been patched by Microsoft. Windows hosts running the Server Message Block protocol (SMB protocol) are vulnerable to this bug. SMB protocols allow users to share access to files and tools on remote servers.

    Reply
  12. Tomi Engdahl says:

    Hackers target Ukrainian govt with IcedID malware, Zimbra exploits https://www.bleepingcomputer.com/news/security/hackers-target-ukrainian-govt-with-icedid-malware-zimbra-exploits/
    Hackers are targeting Ukrainian government agencies with new attacks exploiting Zimbra exploits and phishing attacks pushing the IcedID malware. The Computer Emergency Response Team of Ukraine (CERT-UA) detected the new campaigns and attributed the IcedID phishing attack to the UAC-0041 threat cluster, previously connected with AgentTesla distribution, and the second to UAC-0097, a currently unknown actor.

    Reply
  13. Tomi Engdahl says:

    An Update on CVE-2022-26809 – MSRPC Vulnerability – PATCH NOW https://isc.sans.edu/forums/diary/An+Update+on+CVE202226809+MSRPC+Vulnerabliity+PATCH+NOW/28550/
    The stand-out vulnerability for this month’s Microsoft Patch Tuesday was CVE-2022-26809 [msft]. An integer overflow in MSRPC that, if exploited, allows for arbitrary code execution over the network without requiring authentication or user interaction. There is no doubt that the vulnerability is critical, and the patch must be applied quickly. But how big of an issue is it? How soon should we expect an exploit? And what other mitigation techniques may be helpful?

    Reply
  14. Tomi Engdahl says:

    FBI links largest crypto hack ever to Lazarus state hackers https://www.bleepingcomputer.com/news/security/fbi-links-largest-crypto-hack-ever-to-lazarus-state-hackers/
    The Treasury Department’s Office of Foreign Assets Control (OFAC) has sanctioned the address that received the cryptocurrency stolen in the largest cryptocurrency hack ever, the hack of Axie Infinity’s Ronin network bridge. Blockchain data platform Chainalysis first spotted that a new ETH address added by OFAC to the SDN list as part of a Lazarus Group update was also used in March to collect the ETH and USDC tokens stolen in the Ronin hack.

    Reply
  15. Tomi Engdahl says:

    Your AppIe lD has been locked spam email takes you on a website mystery tour https://blog.malwarebytes.com/scams/2022/04/your-appie-ld-has-bee/
    Spam messages which claim your account has been locked out and needs to be fixed are common. They drive people to phishing campaigns on a daily basis. The mail below follows the same pattern with one key difference. It looks like a phish, but goes somewhere else entirely.

    Reply
  16. Tomi Engdahl says:

    Finns are being flooded with fraudulent WhatsApp and text messages: this is what the new scam looks like https://www.is.fi/digitoday/tietoturva/art-2000008750216.html
    Finns are being sent a new kind of scam message. The messages, which come from varying phone numbers, offer lucrative part-time work for little effort or tell the recipient that they have been selected for a job. There are at least two kinds of messages. Some of them are sent in the name of a company called Fenton and offer work. The other kind says the recipient has been selected, but the messages do not name any company. The approaches arrive at least as text messages and WhatsApp messages.

    Reply
  17. Tomi Engdahl says:

    Google Releases Urgent Chrome Update to Patch Actively Exploited Zero-Day Flaw https://thehackernews.com/2022/04/google-releases-urgent-chrome-update-to.html
    Google on Thursday shipped emergency patches to address two security issues in its Chrome web browser, one of which it says is being actively exploited in the wild. Tracked as CVE-2022-1364, the tech giant described the high-severity bug as a case of type confusion in the V8 JavaScript engine. Clément Lecigne of Google’s Threat Analysis Group has been credited with reporting the flaw on April 13, 2022.

    Reply
  18. Tomi Engdahl says:

    Karakurt revealed as data extortion arm of Conti cybercrime syndicate https://www.bleepingcomputer.com/news/security/karakurt-revealed-as-data-extortion-arm-of-conti-cybercrime-syndicate/
    After breaching servers managed by the cybercriminals, security researchers found a connection between Conti ransomware and the recently emerged Karakurt data extortion group, showing that the two gangs are part of the same operation. The Conti ransomware syndicate is one of the most prolific cybercriminal groups today that operates unabated despite the massive leak of internal conversations and source code that a hacking group already used to cripple Russian organizations.

    Reply
  19. Tomi Engdahl says:

    Lazarus Targets Chemical Sector
    https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-dream-job-chemical
    Symantec, a division of Broadcom Software, has observed the North Korea-linked advanced persistent threat (APT) group known as Lazarus conducting an espionage campaign targeting organizations operating within the chemical sector. The campaign appears to be a continuation of Lazarus activity dubbed Operation Dream Job, which was first observed in August 2020. Symantec tracks this sub-set of Lazarus activity under the name Pompilus.

    Reply
  20. Tomi Engdahl says:

    The cyber security of Finland’s transmission grid is constantly being “knocked on”: blacking out the whole country would be an effective cyber threat, psychologically too
    https://yle.fi/uutiset/3-12400753
    The backbone of Finland’s electricity transmission, the national transmission grid, attracts interest.
    Reima Päivinen, head of power system operations at Fingrid, speaks of “knocks” on the firewall, which still occur constantly. They have long been an everyday matter. Nothing big and massive has come through, however, he says. The current world situation has not, at least not yet, increased the cyberattacks directed at the transmission grid either.

    Reply
  21. Tomi Engdahl says:

    Cybercriminals Trick Victims into Transferring Funds to “Reverse” Instant Payments
    https://www.ic3.gov/Media/Y2022/PSA220414
    Cybercriminals are targeting victims by sending text messages with what appear to be bank fraud alerts asking if the customer initiated an instant money transfer using digital payment applications (apps).
    Once the victim responds to the alert, the cybercriminal then calls from a number which appears to match the financial institution’s legitimate 1-800 support number. Under the pretext of reversing the fake money transfer, victims are swindled into sending payment to bank accounts under the control of the cyber actors.

    Reply
  22. Tomi Engdahl says:

    The Karakurt Web: Threat Intel and Blockchain Analysis Reveals Extension of Conti Business Model https://arcticwolf.com/resources/blog/karakurt-web
    Tetra Defense, an Arctic Wolf® company, partnered with Chainalysis and Northwave to analyze the link between the Karakurt cyber extortion group and both the Conti and Diavol ransomware operations through Tetra’s digital forensics and Chainalysis blockchain analytics. As recent leaks have revealed, Conti and Trickbot are complicated operations with sophisticated structures. But our findings indicate that the web is even wider than originally thought, and includes additional exfiltration-only operations.

    Reply
  23. Tomi Engdahl says:

    Wind turbine firm Nordex hit by Conti ransomware attack https://www.bleepingcomputer.com/news/security/wind-turbine-firm-nordex-hit-by-conti-ransomware-attack/
    The Conti ransomware operation has claimed responsibility for a cyberattack on wind turbine giant Nordex, which was forced to shut down IT systems and remote access to the managed turbines earlier this month. Nordex is one of the largest developers and manufacturers of wind turbines globally, with more than 8,500 employees worldwide. On April 2nd, Nordex disclosed that they had suffered a cyberattack that was detected early and that the company had shut down its IT systems to prevent the spread of the attack.

    Reply
  24. Tomi Engdahl says:

    CISA Adds Nine Known Exploited Vulnerabilities to Catalog https://www.cisa.gov/uscert/ncas/current-activity/2022/04/15/cisa-adds-nine-known-exploited-vulnerabilities-catalog
    CISA has added nine new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
    These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise. Note: to view the newly added vulnerabilities in the catalog, click on the arrow of the “Date Added to Catalog” column, which will sort by descending dates.

    Reply
  25. Tomi Engdahl says:

    Trends in the Recent Emotet Maldoc Outbreak https://www.fortinet.com/blog/threat-research/Trends-in-the-recent-emotet-maldoc-outbreak
    Emotet is a malware family that steals sensitive and private information from victims’ computers. The malware has infected more than a million devices and is considered one of the most dangerous threats of the decade. In addition to analyzing threats, FortiGuard Labs also focuses on how malware spreads. We have observed that the recent Emotet outbreak is being spread through a variety of malicious Microsoft Office files, or maldocs, attached to phishing emails. Once a victim opens the attached document, a VBA Macro or Excel 4.0 Macro is used to execute malicious code that downloads and runs the Emotet malware.

    Reply
  26. Tomi Engdahl says:

    CatalanGate – Extensive Mercenary Spyware Operation against Catalans Using Pegasus and Candiru https://citizenlab.ca/2022/04/catalangate-extensive-mercenary-spyware-operation-against-catalans-using-pegasus-candiru/
    The Citizen Lab, in collaboration with Catalan civil society groups, has identified at least 65 individuals targeted or infected with mercenary spyware. At least 63 were targeted or infected with Pegasus, and four others with Candiru. At least two were targeted or infected with both. Victims included Members of the European Parliament, Catalan Presidents, legislators, jurists, and members of civil society organisations. Family members were also infected in some cases. We identified evidence of HOMAGE, a previously-undisclosed iOS zero-click vulnerability used by NSO Group that was effective against some versions prior to 13.2.

    Reply
  27. Tomi Engdahl says:

    Beanstalk DeFi platform loses $182 million in flash-loan attack https://www.bleepingcomputer.com/news/security/beanstalk-defi-platform-loses-182-million-in-flash-load-attack/
    The decentralized, credit-based finance system Beanstalk disclosed on Sunday that it suffered a security breach that resulted in financial losses of $182 million, the attacker stealing $80 million in crypto assets. As a result of this attack, trust in Beanstalk’s market has been compromised, and the value of its decentralized credit-based BEAN stablecoin has collapsed from a little over $1 on Sunday to $0.11 right now.

    Reply
  28. Tomi Engdahl says:

    XSS vulnerability in open source tool PrivateBin patched https://portswigger.net/daily-swig/xss-vulnerability-in-open-source-tool-privatebin-patched
    A cross-site scripting (XSS) vulnerability in PrivateBin, the open source secure pastebin, has been patched. PrivateBin, a fork of the popular ZeroBin, is an online tool used to store information that is encrypted/decrypted in the browser using 256-bit AES, meaning that the server has zero knowledge of pasted data. Discovered by Ian Budd of security firm Nethemba, the flaw allows malicious JavaScript code to be embedded in an SVG image file, which can then be attached to pastes.

    Reply
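    The risk described above, script capable of running from an SVG attachment, as an added example that is not PrivateBin’s code: a parser-based check that flags `<script>`-type elements, `on*` event-handler attributes and `javascript:` hrefs before an upload is accepted. The SVG samples are constructed for the demonstration.

    ```python
    import xml.etree.ElementTree as ET
    from typing import List

    # Constructed samples (not from the advisory): one plain drawing, one with an
    # inline script element, one with an event handler and a javascript: link.
    CLEAN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
      <circle cx="5" cy="5" r="4" fill="blue"/>
    </svg>"""

    SCRIPT_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg">
      <script>alert(1)</script>
    </svg>"""

    HANDLER_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
         xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">
      <a xlink:href="javascript:alert(1)"><text x="0" y="10">click</text></a>
    </svg>"""

    # Elements that can carry or embed executable content inside an SVG document.
    ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}


    def _local(name: str) -> str:
        """Strip an ElementTree '{namespace}' prefix, e.g. '{...svg}script' -> 'script'."""
        return name.rsplit("}", 1)[-1].lower()


    def find_active_content(svg_bytes: bytes) -> List[str]:
        """Return a list of findings describing script-capable constructs found in
        the SVG. An empty list means none of the checked constructs are present.
        Parsing (rather than grepping the raw bytes) means entity-encoded attribute
        values such as 'javascript&#58;' are decoded before being inspected.
        For untrusted uploads in production, parse with defusedxml instead of the
        stdlib parser to neutralise entity-expansion tricks."""
        try:
            root = ET.fromstring(svg_bytes)
        except ET.ParseError as exc:
            return [f"unparseable XML: {exc}"]

        findings: List[str] = []
        for element in root.iter():
            tag = _local(element.tag)
            if tag in ACTIVE_ELEMENTS:
                findings.append(f"<{tag}> element")
            for attr_name, value in element.attrib.items():
                attr = _local(attr_name)
                if attr.startswith("on"):
                    findings.append(f"event handler attribute '{attr}' on <{tag}>")
                if attr == "href" and value.strip().lower().startswith("javascript:"):
                    findings.append(f"javascript: URL in href on <{tag}>")
        return findings


    def is_safe_svg(svg_bytes: bytes) -> bool:
        """Accept the upload only when no active content was found."""
        return not find_active_content(svg_bytes)


    if __name__ == "__main__":
        for label, sample in (("clean", CLEAN_SVG), ("script", SCRIPT_SVG), ("handler", HANDLER_SVG)):
            print(label, "->", find_active_content(sample) or "no active content")
    ```

    Detection like this is a gate, not a sanitizer; serving user-supplied SVG with a restrictive Content-Security-Policy and as a download rather than inline is the complementary mitigation.
    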
  29. Tomi Engdahl says:

    New SolarMarker Malware Variant Using Updated Techniques to Stay Under the Radar https://thehackernews.com/2022/04/new-solarmarker-malware-variant-using.html
    Cybersecurity researchers have disclosed a new version of the SolarMarker malware that packs in new improvements with the goal of updating its defense evasion abilities and staying under the radar.
    “The recent version demonstrated an evolution from Windows Portable Executables (EXE files) to working with Windows installer package files (MSI files),” Palo Alto Networks Unit 42 researchers said in a report published this month. “This campaign is still in development and going back to using executables files (EXE) as it did in its earlier versions.”

    Reply
  30. Tomi Engdahl says:

    BlackCat new player in the ransomware business https://www.kaspersky.com/blog/black-cat-ransomware/44120/
    No market tolerates emptiness and that also applies to ransomware.
    After the BlackMatter and REvil gangs ceased their operations, the emergence of new players was only a matter of time. And here is one of them: last December, advertisements for the services of the ALPHV group, also known as BlackCat, appeared on hacker forums. After several incidents, our experts from the Global Research and Analysis Team (GReAT) decided to carefully study the activity of this group and publish a comprehensive report on the Securelist website.

    Reply
  31. Tomi Engdahl says:

    New Industrial Spy stolen data market promoted through cracks, adware https://www.bleepingcomputer.com/news/security/new-industrial-spy-stolen-data-market-promoted-through-cracks-adware/
    Threat actors have launched a new marketplace called Industrial Spy that sells stolen data from breached companies, as well as offering free stolen data to its members. While stolen data marketplaces are not new, instead of extorting companies and scaring them with GDPR fines, Industrial Spy promotes itself as a marketplace where businesses can purchase their competitors’ data to gain access to trade secrets, manufacturing diagrams, accounting reports, and client databases.

    Reply
  32. Tomi Engdahl says:

    Webex Monitors Microphone Even When Muted, Researchers Say
    https://www.securityweek.com/webex-monitors-microphone-even-when-muted-researchers-say

    Cisco’s enterprise-facing Webex video conferencing and messaging utility monitors the microphone at all times, even when the user’s microphone is muted in the software, according to a warning from a group of academic researchers.

    According to researchers from the University of Wisconsin-Madison and Loyola University Chicago, popular video conferencing applications (VCAs), including those used within enterprise environments, can actively query the microphone even when the user is muted.

    The researchers discovered not only that some applications are continuously monitoring the microphone input when the participant is muted, but also that the telemetry data they transmit to their servers can be used to accurately identify different types of background activities that the users perform.

    Reply
  33. Tomi Engdahl says:

    FBI Warns of ‘Reverse’ Instant Payments Phishing Schemes
    https://www.securityweek.com/fbi-warns-reverse-instant-payments-phishing-schemes

    The Federal Bureau of Investigation (FBI) has issued an alert on a new phishing scheme aimed at tricking victims into making money transfers to accounts controlled by cybercriminals.

    As part of these attacks, the cybercriminals target users of digital payment applications with fake text messages pretending to be from legitimate financial institutions, asking customers to verify that they had initiated instant money transfers.

    “Cybercriminals are targeting victims with a sophisticated phishing and social engineering scam which results in victims unwittingly sending funds to the actors using digital payment apps. The actors take advantage of payment apps connected to bank accounts,” according to the FBI advisory.

    If the recipient responds to the automated text message, the criminals – “who typically speak English without a discernable accent,” according to the FBI – call the victim from a number that appears to match the legitimate 1-800 support number for the financial institution.

    https://www.ic3.gov/Media/Y2022/PSA220414

    Reply
  34. Tomi Engdahl says:

    North Korea APT Lazarus Targeting Chemical Sector
    https://www.securityweek.com/north-korea-apt-lazarus-targeting-chemical-sector

    Threat hunters at Symantec have spotted signs that North Korea’s Lazarus APT group is targeting companies in the chemical sector in an ongoing cyberespionage campaign that includes fake job lures and clever social engineering.

    Lazarus, which is considered a nation state-backed threat actor, has pulled off some of the biggest cryptocurrency heists ever seen, but the latest targeting of chemical sector and IT companies in South Korea suggests an expansion beyond big-game financial crime.

    Symantec’s threat intelligence team shared notes on the latest Lazarus discovery and noted that this targeting is a continuation of a malware campaign dubbed Operation Dream Job that was previously linked to the notorious North Korean hacking group.

    The company provided technical details and IOCs (indicators of compromise) on the latest malware campaigns alongside a word of warning to global businesses.

    Reply
  35. Tomi Engdahl says:

    Juniper Networks Patches Vulnerabilities in Contrail Networking, Junos OS
    https://www.securityweek.com/juniper-networks-patches-vulnerabilities-contrail-networking-junos-os

    Juniper Networks this week announced the release of patches for more than 30 vulnerabilities across its portfolio, including severe flaws in Contrail Networking and Junos OS.

    Two advisories describing a total of 13 security holes in the Contrail Networking software-defined networking (SDN) solution were published this week, with seven of the bugs carrying a CVSS score above 9.0.

    The first of the advisories covers ten issues impacting Contrail Networking releases prior to 2011.L4. Five of these security defects are rated critical and all of them were identified last year.

    The most severe of these are two buffer overflow vulnerabilities in Pillow (CVE-2021-25289 and CVE-2021-34552) and a heap overflow in Apache HTTP Server (CVE-2021-26691). All three have a CVSS score of 9.8.

    With a CVSS score of 9.4, the other two impact the nginx resolver (CVE-2021-23017) and the xmlhttprequest-ssl package (CVE-2021-31597).

    https://supportportal.juniper.net/s/global-search/%40uri?language=en_US#sort=date%20descending&f:ctype=Security%20Advisories

    Reply
  36. Tomi Engdahl says:

    House Panels Probe Gov’t Use of Facial Recognition Software
    https://www.securityweek.com/house-panels-probe-govt-use-facial-recognition-software

    Two House committees have launched an investigation into the government’s use of facial recognition software that was most recently used by the Internal Revenue Service, but stopped after complaints from lawmakers and privacy advocates.

    Reply
  37. Tomi Engdahl says:

    Ransomware Gang Claims Cyberattack on Wind Turbine Giant Nordex
    https://www.securityweek.com/conti-ransomware-gang-claims-cyberattack-wind-turbine-giant-nordex

    The Conti ransomware gang has claimed responsibility for a cyberattack that forced wind turbine giant Nordex to shut down internal systems on March 31.

    The incident, the company revealed in early April, was identified at an early stage, but resulted in multiple systems across Nordex’s branches being taken offline.

    Earlier this week, the wind turbine maker said it was still working on restoring IT systems to return operations to normal, but did not provide an estimation as to when that might happen.

    However, the company also said that the incident only impacted its internal systems and that wind turbine farms continued operating normally. Communication with customers wasn’t affected either, the company said.

    Reply
  38. Tomi Engdahl says:

    New ‘Enemybot’ DDoS Botnet Targets Routers, Web Servers
    https://www.securityweek.com/new-enemybot-ddos-botnet-targets-routers-web-servers

    A recently identified DDoS botnet has targeted several router models and various types of web servers by exploiting known vulnerabilities, Fortinet warns.

    Dubbed Enemybot, the botnet appears to be the work of Keksec, an established cybercrime group that specializes in DDoS attacks and cryptocurrency mining.

    The malware was built using the source code of the Gafgyt (Bashlite) botnet – which leaked in 2015 – with some modules borrowed from the infamous Mirai botnet, including the scanner module and a bot killer module.

    Enemybot employs several obfuscation techniques meant not only to prevent analysis, but also to keep it hidden from other botnets, and connects to a command and control (C&C) server on the Tor network.

    The new botnet targets numerous architectures used within Internet of Things (IoT) products and can also target x86, which increases its chances of infection.

    https://www.fortinet.com/blog/threat-research/enemybot-a-look-into-keksecs-latest-ddos-botnet

    Reply
  39. Tomi Engdahl says:

    Google Patches Third Actively Exploited Chrome Zero-Day of 2022
    https://www.securityweek.com/google-patches-third-actively-exploited-chrome-zero-day-2022

    A Chrome 100 update that Google announced on Thursday resolves two vulnerabilities in the popular browser, including one already exploited in the wild.

    Tracked as CVE-2022-1364 and considered “high severity,” the exploited security hole is described as a type confusion in the V8 JavaScript and WebAssembly engine.

    Attacks targeting type confusion bugs in Chrome’s V8 engine may lead to arbitrary code execution. All Chromium-based browsers are impacted.

    “Google is aware that an exploit for CVE-2022-1364 exists in the wild,” the internet giant warns.

    Reply
  40. Tomi Engdahl says:

    U.S. Gov Blames North Korea Hackers for $600M Cryptocurrency Heist
    https://www.securityweek.com/us-gov-blames-north-korea-hackers-600m-cryptocurrency-heist

    The U.S. government says the recent $600 million Ronin Validator cryptocurrency heist was conducted by Lazarus Group, the notorious hacking outfit linked to the North Korean government.

    The attribution was contained in a notice from the U.S. Treasury that announced sanctions against the Ethereum address that received the stolen funds.

    The mega-million dollar heist is considered the second largest crypto theft of all time and included the siphoning of 173,600 Ether (ETH) and 25.5 million USD Coins stolen from the Ronin cross-chain bridge.

    According to data from cryptocurrency security firm Elliptic, the total value of the stolen crypto-assets at the time of the theft was $540 million.

    Reply
  41. Tomi Engdahl says:

    Critical Code Execution Flaw Haunts VMware Cloud Director
    https://www.securityweek.com/critical-code-execution-flaw-haunts-vmware-cloud-director
    Cloud computing and virtualization technology firm VMWare on Thursday rolled out patches for an extremely critical security flaw in the VMWare Cloud Director product, warning that unpatched systems are at risk of remote code execution attacks.
    The vulnerability, which was privately reported by a security researcher who participates in bug bounty programs, carries a CVSS 3.1 score of 9.1 and should be considered a high-priority update for all VMWare Cloud Director users.
    “An authenticated, high privileged malicious actor with network access to the VMware Cloud Director tenant or provider may be able to exploit a remote code execution vulnerability to gain access to the server,” VMWare said in an urgent advisory documenting the CVE-2022-22966 flaw.

    Reply
  42. Tomi Engdahl says:

    GitHub Says Hackers Breached Dozens of Organizations Using Stolen OAuth Access Tokens https://thehackernews.com/2022/04/github-says-hackers-breach-dozens-of.html
    Cloud-based repository hosting service GitHub on Friday revealed that it discovered evidence of an unnamed adversary capitalizing on stolen OAuth user tokens to unauthorizedly download private data from several organizations. “An attacker abused stolen OAuth user tokens issued to two third-party OAuth integrators, Heroku and Travis-CI, to download data from dozens of organizations, including NPM,” GitHub’s Mike Hanley disclosed in a report.

    Reply
