This posting is here to collect cyber security news in April 2022.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
425 Comments
Tomi Engdahl says:
Hackers steal $655K after picking MetaMask seed from iCloud backup
https://www.bleepingcomputer.com/news/security/hackers-steal-655k-after-picking-metamask-seed-from-icloud-backup/
MetaMask has published a warning for their iOS users about the seeds of cryptocurrency wallets being stored in Apple’s iCloud if app data backup is active.
MetaMask is a “hot” cryptocurrency wallet used by over 21 million investors to store their wallet tokens and manage their digital assets.
Tomi Engdahl says:
Court rules that data scraping is legal in LinkedIn appeal
https://www.zdnet.com/article/court-rules-that-data-scraping-is-legal-in-linkedin-appeal/
LinkedIn has lost its latest attempt to block companies from scraping information from its public pages, including member pages.
Tomi Engdahl says:
NATO Plays Cyberwar to Prep for a Real Russian Attack
https://gizmodo.com/nato-russia-ukraine-locked-shields-cyberattack-war-game-1848807942
Cybersecurity experts from 30 NATO members are cooperating to stave off an attack on the fictional island country of “Berylia.”
Tomi Engdahl says:
Okta Closes Lapsus$ Breach Probe, Adds New Security Controls
https://www.securityweek.com/okta-closes-lapsus-breach-probe-adds-new-security-controls
Identity and access management tech firm Okta says it has concluded an investigation into the embarrassing Lapsus$ hacking incident and has severed ties with a third-party company at the center of the breach.
Facing public criticism for communications hiccups after the breach was detected, Okta issued a public statement Wednesday to stress that the impact from the incident was “significantly smaller than we initially scoped.”
A statement from Okta’s Chief Information Security Officer (CISO) David Bradbury said the company initially determined that about 366 customers were affected but a third-party forensic audit showed the damage was contained.
Bradbury described the main conclusions from the audit, which was conducted by an unnamed globally recognized cybersecurity forensic firm:
The threat actor actively controlled a single workstation, used by a Sykes/Sitel support engineer, with access to Okta resources.
Control lasted for 25 consecutive minutes on January 21, 2022.
During that limited window of time, the threat actor accessed two active customer tenants within the SuperUser application (whom we have separately notified), and viewed limited additional information in certain other applications like Slack and Jira that cannot be used to perform actions in Okta customer tenants.
The threat actor was unable to successfully perform any configuration changes, MFA or password resets, or customer support “impersonation” events.
The threat actor was unable to authenticate directly to any Okta accounts.
Tomi Engdahl says:
Firmware Flaws Allow Disabling Secure Boot on Lenovo Laptops
https://www.securityweek.com/firmware-flaws-allow-disabling-secure-boot-lenovo-laptops
Computer maker Lenovo has started pushing security patches to address three vulnerabilities impacting the UEFI firmware of more than 110 laptop models.
Two of the security flaws — CVE-2021-3972 and CVE-2021-3971 — exist because drivers that should have been used during the manufacturing process only were mistakenly left in production UEFI firmware, potentially exposing devices to attacks.
According to a Lenovo advisory, exploitation of the driver flaws could allow attackers with elevated privileges to either modify the secure boot settings (CVE-2021-3972) or modify the firmware protection region (CVE-2021-3971).
Lenovo credited researchers at anti-malware firm ESET with reporting the vulnerabilities.
Tomi Engdahl says:
Fortress Raises $125 Million to Secure Critical Industry Supply Chains
https://www.securityweek.com/fortress-raises-125-million-secure-critical-industry-supply-chains
Fortress Information Security on Tuesday announced raising $125 million from Goldman Sachs, an investment that it plans on using to help critical industry operators and government agencies secure their supply chains.
The company previously raised roughly $40 million in several funding rounds between 2015 and 2020.
In addition to the new funding from Goldman Sachs Asset Management, Fortress says it continues to receive support from previous investors.
Fortress has developed a platform designed to help organizations in critical industries assess, manage and address supply chain risks associated with software, assets and vendors.
The solution was developed in collaboration with electric utilities and the company claims it’s now being used to secure 40% of the United States’ power grid.
Tomi Engdahl says:
Over 30 Countries Take Part in NATO’s ‘Locked Shields 2022′ Cyber Exercise
https://www.securityweek.com/over-30-countries-take-part-natos-locked-shields-2022-cyber-exercise
NATO’s Cooperative Cyber Defence Centre of Excellence (CCDCOE) on Tuesday kicked off the thirteenth installment of Locked Shields, its annual live-fire cyber defense exercise.
Locked Shields takes place in Estonia’s capital Tallinn and it will run until April 22. With more than 2,000 participants from over 32 countries, this complex international cyber exercise is meant to facilitate cooperation and coordination between nations, industries, and public and private organizations in preparing against state-sponsored cyberattacks.
Since 2010, the exercise has been testing the readiness of national, military, and civilian IT systems against attacks targeting vital services and critical infrastructure by simulating a realistic, large-scale assault against an entire nation.
This year’s scenario involves Berylia, a fictional island country in the northern Atlantic Ocean, victim of a series of crippling coordinated cyberattacks that disrupted the operation of government and military networks, communications, electric power grid, and water purification systems.
Tomi Engdahl says:
A scam site with a .fi domain and a bank's name has now been seen: clear guidance from the authorities https://www.is.fi/digitoday/tietoturva/art-2000008759791.html
Tomi Engdahl says:
7-Zip App Vulnerability Grants Admin Privilege to Attackers
But while we wait for an update it is quite easy to mitigate.
https://www.tomshardware.com/news/7-zip-zero-day-exploit
A vulnerability has been discovered in 7-zip, the popular archiving program. This is an active zero-day vulnerability and is characterized as allowing privilege escalation and command execution. In other words, someone with limited access to your computer would be able to gain higher-level control, usually admin access, to run commands or apps. GitHub user Kagancapar seems to have unearthed this 7-zip Windows vulnerability, and it has reference CVE-2022-29072.
7-zip is a cross-platform app, but this vulnerability is tied to Windows, as it relies on 7-zip’s interactivity with the Windows help application, hh.exe. For example, the GitHub readme file for CVE-2022-29072 surmises “Windows allows privilege escalation and command execution when a file with the .7z extension is dragged to the Help>Contents area.”
Kagancapar provided some enlightening background information on the vulnerability and its discovery. First, they mention that 7-zip isn’t entirely happy to shoulder the blame for this vulnerability, as it seems dependent on the Microsoft Help system. However, the dropping of the custom .7z extension file on the Help window causes a heap overflow in 7zFM.exe and resulting privilege elevation – so that means 7-zip authors should accept part of the blame.
At the time of writing the current version of 7-zip for Windows, v21.07, is not patched for the vulnerability demonstrated in the video. If the vulnerability is of concern to you, with regard to your personal computer or systems you administer, please take some comfort from two easy ways to mitigate the issue:
• First method: If 7-zip does not update, deleting the 7-zip.chm file will be sufficient to close the vulnerability.
• Second method: The 7-zip program should only have read and run permissions. (For all users)
Tomi Engdahl says:
Haven’t read yet, but it seemed interesting enough to share & save for later..
“Security researchers believe data was probably stolen from the UK prime minister’s office in a cyberattack launched from the United Arab Emirates using Pegasus software.”
UK prime minister’s office smartphones targeted by Pegasus spyware
Researchers claim to have uncovered cyberattacks using Pegasus software against 10 Downing Street and the Foreign and Commonwealth Office
Read more: https://www.newscientist.com/article/2316485-uk-prime-ministers-office-smartphones-targeted-by-pegasus-spyware/#ixzz7R0AmEd4V
Tomi Engdahl says:
Oracle releases massive Critical Patch Update containing 520 security patches https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/04/oracle-releases-massive-critical-patch-update-containing-520-security-patches/
Oracle has issued a Critical Patch Update which contains 520 new security patches across various product families. A few of these updates may need your urgent attention if you are a user of the affected product. Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services).
Tomi Engdahl says:
CVE-2022-21449: Psychic Signatures in Java https://neilmadden.blog/2022/04/19/psychic-signatures-in-java/
The long-running BBC sci-fi show Doctor Who has a recurring plot device where the Doctor manages to get out of trouble by showing an identity card which is actually completely blank. Of course, this being Doctor Who, the card is really made out of a special psychic paper, which causes the person looking at it to see whatever the Doctor wants them to see: a security pass, a warrant, or whatever.
Tomi Engdahl says:
Oracle already wins ‘crypto bug of the year’ with Java digital signature bypass https://www.theregister.com/2022/04/20/java_authentication_bug/
Java versions 15 to 18 contain a flaw in their ECDSA signature validation that makes it trivial for miscreants to digitally sign files and other data as if they were legit organizations.
Cyber-criminals could therefore pass off cryptographically signed malicious downloads and bogus information as if it were real, and affected Java applications and services won’t know the difference.
Also:
https://nakedsecurity.sophos.com/2022/04/20/critical-cryptographic-java-security-blunder-patched-update-now/
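The ECDSA bypass described in the Psychic Signatures post and the Register piece above comes down to a missing range check on the signature components. As an added example that is not code from the original posts, from Oracle or from OpenJDK, here is a minimal pure-Python ECDSA over NIST P-256 whose verifier performs that check; key generation and signing are included only so that a genuine signature exists to compare against (SHA-256 and affine point arithmetic are assumptions made for brevity).

```python
"""Minimal ECDSA over NIST P-256 with the signature range check that
CVE-2022-21449 ("Psychic Signatures") skipped.

Added example, not code from the original post or from Oracle/OpenJDK.
Assumptions: SHA-256 as the message hash and affine-coordinate point
arithmetic (slow, but plain Python with no third-party libraries).
"""
import hashlib
import secrets

# NIST P-256 (secp256r1) domain parameters.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)


def on_curve(pt):
    """True if pt (an (x, y) tuple) satisfies y^2 = x^3 + ax + b mod p."""
    x, y = pt
    return 0 <= x < P and 0 <= y < P and (y * y - (x * x * x + A * x + B)) % P == 0


def point_add(p1, p2):
    """Affine point addition; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:  # p1 == -p2, so the sum is infinity
            return None
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P  # point doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, pt):
    """Double-and-add scalar multiplication k * pt (not constant time)."""
    result = None
    while k > 0:
        if k & 1:
            result = point_add(result, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return result


def hash_to_int(msg):
    """SHA-256 digest interpreted as a big-endian integer (no truncation
    is needed because the hash and the group order are both 256 bits)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")


def keygen():
    """Random private scalar in [1, n-1] and the matching public point."""
    priv = secrets.randbelow(N - 1) + 1
    return priv, scalar_mult(priv, G)


def sign(priv, msg):
    """Textbook ECDSA signing with a fresh random nonce per signature."""
    z = hash_to_int(msg)
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = scalar_mult(k, G)[0] % N
        s = pow(k, -1, N) * (z + r * priv) % N
        if r != 0 and s != 0:
            return (r, s)


def verify(pub, msg, sig):
    """Return True only for a well-formed, valid signature over msg."""
    r, s = sig
    # The check CVE-2022-21449 lacked: both components must lie in [1, n-1].
    # An implementation whose modular inverse maps 0 to 0 (as the affected
    # Java versions did) otherwise accepts r = s = 0 for any key and message.
    if not (1 <= r < N and 1 <= s < N):
        return False
    if pub is None or not on_curve(pub):
        return False
    z = hash_to_int(msg)
    w = pow(s, -1, N)
    pt = point_add(scalar_mult(z * w % N, G), scalar_mult(r * w % N, pub))
    if pt is None:
        return False
    return pt[0] % N == r


if __name__ == "__main__":
    d, q = keygen()
    m = b"constructed test message"
    good = sign(d, m)
    print("genuine signature verifies:", verify(q, m, good))
    print("all-zero signature rejected:", not verify(q, m, (0, 0)))
```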
Tomi Engdahl says:
Alert (AA22-110A) – Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure https://www.cisa.gov/uscert/ncas/alerts/aa22-110a
The cybersecurity authorities of the United States, Australia, Canada, New Zealand, and the United Kingdom are releasing this joint Cybersecurity Advisory (CSA). The intent of this joint CSA is to warn organizations that Russia’s invasion of Ukraine could expose organizations both within and beyond the region to increased malicious cyber activity. This activity may occur as a response to the unprecedented economic costs imposed on Russia as well as materiel support provided by the United States and U.S. allies and partners.
Evolving intelligence indicates that the Russian government is exploring options for potential cyberattacks (see the March 21, 2022, Statement by U.S. President Biden for more information).
Tomi Engdahl says:
Okta Concludes its Investigation Into the January 2022 Compromise https://www.okta.com/blog/2022/04/okta-concludes-its-investigation-into-the-january-2022-compromise/
We have concluded our investigation into the January 2022 compromise of our third-party vendor. At the outset of our investigation, we focused on a five-day window of time, between January 16 and 21, when the third-party forensic firm, engaged by our vendor Sitel, indicated that the threat actor had access to their environment. Based on that window of time, we determined that the maximum potential impact of the incident was 366 Okta customers whose tenants were accessed by any Sitel customer support engineer within that time.
Tomi Engdahl says:
FBI warns of ransomware attacks targeting US agriculture sector https://www.bleepingcomputer.com/news/security/fbi-warns-of-ransomware-attacks-targeting-us-agriculture-sector/
The US Federal Bureau of Investigation (FBI) warned Food and Agriculture (FA) sector organizations today of an increased risk that ransomware gangs “may be more likely” to attack them during the harvest and planting seasons. While ransomware groups regularly target the US agriculture sector, the FBI noted that the number of attacks against such entities during such critical seasons stands out. The FBI revealed this in a joint flash alert released on Wednesday in coordination with the United States Department of Agriculture (USDA) and the Cybersecurity and Infrastructure Security Agency (DHS/CISA).
Tomi Engdahl says:
Lazarus backdoor in DeFi wallet
https://www.kaspersky.com/blog/lazarus-defi-wallet-backdoor/44138/
In mid-December last year, a suspicious file was uploaded to VirusTotal, the online service that scans files for malware. At first glance, it looked like a cryptocurrency wallet installer. But our experts analyzed it and found that, besides the wallet, it delivers malware to a user’s device. And it seems that the program isn’t the work of small-time crooks but the infamous cybercriminals behind Lazarus.
Tomi Engdahl says:
Analyzing Attempts to Exploit the Spring4Shell Vulnerability CVE-2022-22965 to Deploy Cryptocurrency Miners https://www.trendmicro.com/en_us/research/22/d/spring4shell-exploited-to-deploy-cryptocurrency-miners.html
To generate more profit, operators of cryptocurrency miners constantly look for ways to deploy their malware on vulnerable machines. These often involve the exploitation of in-the-wild vulnerabilities in different types of operating systems. Recently, we observed active attempts to exploit the Spring4Shell vulnerability, a remote code execution bug, assigned as CVE-2022-22965, that exists in the Spring MVC (model-view-controller) and WebFlux applications running on Java Development Kit version 9 or higher and that was previously linked to the Mirai botnet by malicious actors to deploy cryptocurrency miners.
Tomi Engdahl says:
“aa” distribution Qakbot (Qbot) infection with DarkVNC traffic https://isc.sans.edu/forums/diary/aa+distribution+Qakbot+Qbot+infection+with+DarkVNC+traffic/28568/
Chain of Events: Email –> link –> downloaded zip archive –> extracted Excel file –> enable macros –> HTTPS traffic for Qakbot DLL files –> Qakbot C2 activity –> DarkVNC traffic
Tomi Engdahl says:
Cybercriminals operate like companies: their own HR department, performance reviews, employee of the month https://www.tivi.fi/uutiset/tv/bb806f64-3c14-444d-bb51-3d05f5c8aeea
The leaked data reveals that the group running the Conti ransomware operates largely like a legitimate IT company.
Based on the data, some employees did not even know they were taking part in criminal activity. They had been told the lie that the operation was an advertising agency. The criminal organization's data was leaked after Conti declared it was on Russia's side following the country's attack on Ukraine.
The person who leaked the data said in Twitter messages that they are a security researcher. The leak included both internal conversations and Conti's source code.
Tomi Engdahl says:
A scam site with a .fi domain and a bank's name has now been seen: clear guidance from the authorities https://www.is.fi/digitoday/tietoturva/art-2000008759791.html
ONLINE BANKING SCAMS reached a new milestone over Easter, when a scam site disguised as an online bank and carrying the Finnish .fi country code appeared on the web. The scam site at the address e-aktia.fi tried to steal people's online banking credentials.
Two things make the address credible: it ends in Finland's .fi country code, and it contains the bank's name in full with an "e-" prefix. Nothing is known about who is behind the site. The site is no longer operational.
Tomi Engdahl says:
NATO practices cyberwar on a fictional island: in the background, preparation for Russian attacks
https://www.tivi.fi/uutiset/tv/c8853ed8-bd51-40da-ab91-8a910794f9e0
Cyber experts are practicing digital warfare this week to defend the fictional island state of Berylia in the Locked Shields exercise led by NATO's Cooperative Cyber Defence Centre of Excellence.
Although it is a staged situation in a fictional state, the experts hope it will prepare them for a possible Russian attack while the war in Ukraine is ongoing.
Tomi Engdahl says:
Emotet botnet switches to 64-bit modules, increases activity https://www.bleepingcomputer.com/news/security/emotet-botnet-switches-to-64-bit-modules-increases-activity/
The Emotet malware is having a burst in distribution and is likely to soon switch to new payloads that are currently detected by fewer antivirus engines. Security researchers monitoring the botnet are observing that emails carrying malicious payloads last month have increased tenfold. Emotet is a self-propagating modular trojan that can maintain persistence on the host. It is used for stealing user data, performing network reconnaissance, moving laterally, or dropping additional payloads such as Cobalt Strike and ransomware in particular.
Tomi Engdahl says:
Criminals adopting new methods to bypass improved defenses, says Zscaler https://www.theregister.com/2022/04/20/phishing-attempts-on-rise-zscaler/
The number of phishing attacks worldwide jumped 29 percent last year as threat actors countered stronger enterprise defenses with newer methods, according to researchers with Zscaler’s ThreatLabz research team. Cybercriminals have adapted to multi-factor authentication (MFA), employee security awareness training, and security controls by broadening who and where they will attack.
Tomi Engdahl says:
CISA expands cyber defense initiative with industrial control systems partnership https://therecord.media/cisa-expands-cyber-defense-initiative-with-industrial-control-systems-partnership/
Cybersecurity and Infrastructure Security Agency (CISA) director Jen Easterly announced Wednesday the expansion of the Joint Cyber Defense Collaborative (JCDC) to incorporate industry leaders including security vendors, integrators, and distributors. As the U.S. government continues to build upon and push for public cooperation in cybersecurity and resilience initiatives, the announced partnership with industrial control systems and operational technology (ICS/OT) experts is expected to enhance public and private collaboration.
Tomi Engdahl says:
New BotenaGo Variant Infects Lilin Security Cameras With Mirai
https://www.securityweek.com/new-botenago-variant-infects-lilin-security-cameras-mirai
A newly identified variant of the BotenaGo malware is specifically targeting security cameras manufactured by Taiwan-based Lilin, warns OT and IoT security firm Nozomi Networks.
The threat is based on the source code of the Go-written BotenaGo malware, which was leaked online in October 2021, but its sole purpose appears to be the infection of compromised devices with Mirai.
The original BotenaGo contained over 30 exploits for known vulnerabilities in routers and other types of IoT devices. The malware could create two backdoor ports on infected devices, and execute remote shell commands.
With a low detection rate, the new variant of the malware – which Nozomi refers to as Lillin scanner – was stripped of most of the 30 exploits in the original source code and repurposed to target a two-year-old vulnerability in Lillin security camera DVR devices.
Tomi Engdahl says:
US, Allies Say New Intel Suggests Coming Russian Cyberattack
https://www.securityweek.com/us-allies-say-new-intel-suggests-coming-russian-cyberattack
Five allied countries including the United States warned Wednesday that “evolving intelligence” indicated Russia was poised to launch powerful cyberattacks against rivals supporting Ukraine.
The members of the “Five Eyes” intelligence sharing network — the US, Britain, Canada, Australia and New Zealand — said Moscow could also involve existing cybercrime groups in launching attacks on governments, institutions and businesses.
“Evolving intelligence indicates that the Russian government is exploring options for potential cyberattacks,” they said in an official cyber threat alert.
“Russia’s invasion of Ukraine could expose organizations both within and beyond the region to increased malicious cyber activity. This activity may occur as a response to the unprecedented economic costs imposed on Russia as well as materiel support provided by the United States and US allies and partners,” it said.
In addition, it said, “some cybercrime groups have recently publicly pledged support for the Russian government.”
“Some groups have also threatened to conduct cyber operations against countries and organizations providing materiel support to Ukraine,” it said.
Washington has warned since Russia invaded Ukraine on February 24 that a part of its campaign could involve hefty cyberattacks against Kyiv and its Western supporters.
But such threats have yet to materialize in a substantial way.
Tomi Engdahl says:
ThreatLocker Raises $100 Million for Zero Trust Endpoint Security Solution
https://www.securityweek.com/threatlocker-raises-100-million-zero-trust-endpoint-security-solution
Tomi Engdahl says:
FBI Warns of Ransomware Attacks on Farming Co-ops During Planting, Harvest Seasons
https://www.securityweek.com/fbi-warns-ransomware-attacks-farming-co-ops-during-planting-harvest-seasons
Tomi Engdahl says:
Organizations Warned of Attacks Exploiting Recently Patched Windows Vulnerability
https://www.securityweek.com/organizations-warned-attacks-exploiting-recently-patched-windows-vulnerability
The US Cybersecurity and Infrastructure Security Agency (CISA) says a recently patched Windows Print Spooler vulnerability has been exploited in attacks.
The security hole, tracked as CVE-2022-22718, was fixed by Microsoft with its February 2022 Patch Tuesday updates. It was one of the four Print Spooler issues addressed at the time.
According to Microsoft, CVE-2022-22718 can be exploited by a local attacker to escalate privileges, without the need for any user interaction.
CISA on Tuesday added the vulnerability to its Known Exploited Vulnerabilities Catalog, which currently tracks nearly 650 exploited flaws. Federal agencies have been given until May 10 to address this security hole, but CISA advises all organizations to prioritize the patching of the vulnerabilities included in this catalog, referred to by some as a “Must Patch” list.
Tomi Engdahl says:
Oracle Releases 520 New Security Patches With April 2022 CPU
https://www.securityweek.com/oracle-releases-520-new-security-patches-april-2022-cpu
Oracle on Tuesday announced the release of 520 security fixes as part of its April 2022 Critical Patch Update (CPU), including nearly 300 for vulnerabilities that can be exploited remotely without authentication.
Roughly 75 of the patches deal with security holes rated “critical severity,” including three that feature a CVSS score of 10. Over 40 of the remaining vulnerabilities have a CVSS score between 8 and 9.
Several of the patches that Oracle included in this month’s CPU deal with CVE-2022-22965 – also known as Spring4Shell and SpringShell – a critical remote code execution (RCE) bug in the Spring Framework. One of these patches also resolves CVE-2022-22963, a critical RCE flaw in the Spring Cloud Function.
Tomi Engdahl says:
BIOS hole threatens more than a hundred Lenovo laptop models
https://etn.fi/index.php/13-news/13455-bios-aukko-uhkaa-yli-sataa-lenovon-laeppaerimallia
Researchers at security company ESET have found three vulnerabilities in Lenovo's BIOS code, or UEFI as it is called on Windows laptops. They concern firmware drivers that can let an attacker modify the machine.
ESET reported the holes to Lenovo back in November, and the company has either delivered or is delivering updates to its firmware. Two of the vulnerabilities (CVE-2021-3971 and CVE-2021-3972) affect UEFI firmware drivers that were originally intended to be used only during the manufacturing process of Lenovo consumer computers. Unfortunately, they were also accidentally included in the production BIOS images.
According to ESET, an attacker can activate these firmware drivers and directly disable the SPI flash protections (BIOS control register bits and Protected Range registers) or the UEFI Secure Boot feature from a privileged user-mode process during OS runtime.
Tomi Engdahl says:
Sergiu Gatlan / BleepingComputer:
Cybersecurity authorities of Five Eyes countries warn of Russia-backed hacking groups targeting critical infrastructure organizations in and outside Ukraine — Today, Five Eyes cybersecurity authorities warned critical infrastructure network defenders of an increased risk that Russia-backed hacking groups …
US and allies warn of Russian hacking threat to critical infrastructure
https://www.bleepingcomputer.com/news/security/us-and-allies-warn-of-russian-hacking-threat-to-critical-infrastructure/
Today, Five Eyes cybersecurity authorities warned critical infrastructure network defenders of an increased risk that Russia-backed hacking groups could target organizations within and outside Ukraine’s borders.
The warning comes from cybersecurity agencies in the United States, Australia, Canada, New Zealand, and the United Kingdom in a joint cybersecurity advisory with info on Russian state-backed hacking operations and Russian-aligned cybercrime groups.
“Critical infrastructure organizations should maintain a heightened state of alert against Russian cyber threats. Stay vigilant and follow the mitigations from our joint advisory to harden your IT and OT networks now,” the NSA warned today.
The Five Eyes cybersecurity agencies recommend measures critical infrastructure orgs should take to harden their defenses and protect their information technology (IT) and operational technology (OT) networks against Russian state-sponsored and criminal cyber threats, including ransomware, destructive malware, DDoS attacks, and cyber espionage.
Defenders are advised to immediately prioritize patching actively exploited vulnerabilities, enforce multifactor authentication, secure and monitor remote desktop protocol (RDP), and provide end-user awareness and training.
Today’s joint advisory builds upon a similar one issued in January by the FBI, CISA, and NSA, exposing Russian hacking groups (including APT29, APT28, and the Sandworm Team) who have targeted organizations from US critical infrastructure sectors.
The US government is also offering a reward of up to $10 million for information on malicious cyber activities conducted by state-backed hacking groups targeting the country’s critical infrastructure sectors.
Tomi Engdahl says:
Largest Mobile Chipset Manufacturers used Vulnerable Audio Decoder, 2/3 of Android users’ Privacy around the World were at Risk https://blog.checkpoint.com/2022/04/21/largest-mobile-chipset-manufacturers-used-vulnerable-audio-decoder-2-3-of-android-users-privacy-around-the-world-were-at-risk/
Check Point Research discovered vulnerabilities in the ALAC format that could have led an attacker to remotely get access to its media and audio conversations. MediaTek and Qualcomm, the two largest mobile chipset manufacturers in the world, used the ALAC audio coding in their widely distributed mobile handsets, putting millions of Android users’ privacy at risk. Qualcomm and MediaTek acknowledged the vulnerabilities flagged by CPR, putting patches and fixes in response.
Tomi Engdahl says:
Okta says two customers breached during January security incident https://therecord.media/okta-says-two-customers-breached-during-january-security-incident/
Okta this week concluded its investigation into a headline-grabbing security incident that came to light in March, finding that two of its customers were breached through its customer support partner Sitel.
Tomi Engdahl says:
Russia jammed Elon Musk's satellite links: repelling the attack became a textbook example https://www.is.fi/digitoday/art-2000008764642.html
According to the US Department of Defense, electronic warfare will be seen more and more in future wars, and countering it must be more effective than it is today.
Tomi Engdahl says:
Lenovo issues fixes for laptop backdoors https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/04/lenovo-issues-fixes-for-laptop-backdoors/
Researchers have discovered three vulnerabilities affecting various Lenovo consumer laptop models. The vulnerabilities were found in UEFI firmware drivers originally meant to be used only during the manufacturing process, along with a vulnerability in the SW SMI handler function. Lenovo issued firmware updates to patch these vulnerabilities on April 12, 2022.
Tomi Engdahl says:
New Incident Report Reveals How Hive Ransomware Targets Organizations https://thehackernews.com/2022/04/new-incident-report-reveals-how-hive.html
A recent Hive ransomware attack carried out by an affiliate involved the exploitation of “ProxyShell” vulnerabilities in the Microsoft Exchange Server that were disclosed last year to encrypt an unnamed customer’s network.
Tomi Engdahl says:
REvil’s TOR sites come alive to redirect to new ransomware operation https://www.bleepingcomputer.com/news/security/revils-tor-sites-come-alive-to-redirect-to-new-ransomware-operation/
REvil ransomware’s servers in the TOR network are back up after months of inactivity and are now redirecting to a new operation that launched recently.
Emotet reestablishes itself at the top of the malware world https://www.theregister.com/2022/04/21/emotet-resurgence-email/
Botnet infrastructure shut down last year, now central to a fast-spreading email scam, researchers say
Tomi Engdahl says:
LemonDuck Targets Docker for Cryptomining Operations https://www.crowdstrike.com/blog/lemonduck-botnet-targets-docker-for-cryptomining-operations/
LemonDuck, a well-known cryptomining botnet, is targeting Docker to mine cryptocurrency on Linux systems. This campaign is currently active.
Tomi Engdahl says:
Millions of users at risk: a manufacturer's mistake opens the door to malware that does not go away even when the hard drive is replaced
https://www.is.fi/digitoday/tietoturva/art-2000008764675.html
The attack is difficult to carry out, but if it succeeds it can do serious damage.
Three vulnerabilities have been found in computer manufacturer Lenovo's product line. The holes, which affect several laptops used by consumers, let skilled hackers install malicious firmware on the device that can be almost impossible to remove or even detect.
Ars Technica, among others, reported on the matter. The problem resides in the computer's UEFI software (Unified Extensible Firmware Interface), which bridges the firmware to the computer's operating system. The UEFI software is the first thing executed when the computer starts.
The holes make it possible to install malware on computers that bypasses the computer's normal protections and can do worse damage than traditional malware. An example of such malware is LoJax, detected in 2018, for which the Russian state was blamed.
According to ESET, the holes affect more than a hundred consumer models with millions of users around the world. Lenovo has published a list of all the computers affected by the holes. The company also offers updates to fix them. They can be installed manually by following the instructions on the same support page, but there are also tools, such as Lenovo Vantage, that do it automatically.
Hackers can infect >100 Lenovo models with unremovable malware. Are you patched?
Exploiting critical UEFI vulnerabilities could allow malware to hide in firmware.
https://arstechnica.com/information-technology/2022/04/bugs-in-100-lenovo-models-fixed-to-prevent-unremovable-infections/
Two of the vulnerabilities—tracked as CVE-2021-3971 and CVE-2021-3972—reside in UEFI firmware drivers intended for use only during the manufacturing process of Lenovo consumer notebooks. Lenovo engineers inadvertently included the drivers in the production BIOS images without being properly deactivated. Hackers can exploit these buggy drivers to disable protections, including UEFI secure boot, BIOS control register bits, and protected range register, which are baked into the serial peripheral interface (SPI) and designed to prevent unauthorized changes to the firmware it runs.
After discovering and analyzing the vulnerabilities, researchers from security firm ESET found a third vulnerability, CVE-2021-3970. It allows hackers to run malicious firmware when a machine is put into system management mode, a high-privilege operating mode typically used by hardware manufacturers for low-level system management.
When “secure” isn’t secure at all: High‑impact UEFI vulnerabilities discovered in Lenovo consumer laptops
https://www.welivesecurity.com/2022/04/19/when-secure-isnt-secure-uefi-vulnerabilities-lenovo-consumer-laptops/
ESET researchers discover multiple vulnerabilities in various Lenovo laptop models that allow an attacker with admin privileges to expose the user to firmware-level malware
ESET researchers have discovered and analyzed three vulnerabilities affecting various Lenovo consumer laptop models. The first two of these vulnerabilities – CVE-2021-3971, CVE-2021-3972 – affect UEFI firmware drivers originally meant to be used only during the manufacturing process of Lenovo consumer notebooks. Unfortunately, they were mistakenly included also in the production BIOS images without being properly deactivated. These affected firmware drivers can be activated by an attacker to directly disable SPI flash protections (BIOS Control Register bits and Protected Range registers) or the UEFI Secure Boot feature from a privileged user-mode process during OS runtime. It means that exploitation of these vulnerabilities would allow attackers to deploy and successfully execute SPI flash or ESP implants, like LoJax or our latest UEFI malware discovery ESPecter, on the affected devices.
We reported all discovered vulnerabilities to Lenovo on October 11th, 2021. Altogether, the list of affected devices contains more than one hundred different consumer laptop models with millions of users worldwide, from affordable models like Ideapad-3 to more advanced ones like Legion 5 Pro-16ACH6 H or Yoga Slim 9-14ITL05. The full list of affected models with active development support is published in the Lenovo Advisory.
Lenovo Notebook BIOS Vulnerabilities
https://support.lenovo.com/us/en/product_security/LEN-73440
CVE Identifier: CVE-2021-3970, CVE-2021-3971, CVE-2021-3972
The following vulnerabilities were reported in Lenovo Notebook BIOS.
CVE-2021-3970: A potential vulnerability in LenovoVariable SMI Handler due to insufficient validation in some Lenovo Notebook models may allow an attacker with local access and elevated privileges to execute arbitrary code.
CVE-2021-3971: A potential vulnerability by a driver used during older manufacturing processes on some consumer Lenovo Notebook devices that was mistakenly included in the BIOS image could allow an attacker with elevated privileges to modify firmware protection region by modifying an NVRAM variable.
CVE-2021-3972: A potential vulnerability by a driver used during manufacturing process on some consumer Lenovo Notebook devices that was mistakenly not deactivated may allow an attacker with elevated privileges to modify secure boot setting by modifying an NVRAM variable.
Lenovo issues fixes for laptop backdoors https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/04/lenovo-issues-fixes-for-laptop-backdoors/
Researchers have discovered three vulnerabilities affecting various Lenovo consumer laptop models. The vulnerabilities were found in UEFI firmware drivers originally meant to be used only during the manufacturing process, along with a vulnerability in the SW SMI handler function. Lenovo issued firmware updates to patch these vulnerabilities on April 12, 2022.
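The protections the ESET write-up says these leftover drivers switch off (the BIOS Control Register lock bits and the SPI Protected Range registers) can be checked from the OS after patching. The script below is an added illustration for this thread, not code from ESET, Lenovo or any of the linked articles: it decodes register values the way a tool such as chipsec's `common.bios_wp` module does and reports whether the BIOS region of the flash is still writable. The field layout (BIOS_CNTL bits BIOSWE/BLE/SMM_BWP, PRx base/limit in 4 KiB units with WPE at bit 31) is taken from Intel's public PCH documentation; the flash layout and all register values are constructed samples, so on a real machine you would read the registers with chipsec rather than paste these in.

```python
"""Decode the PCH registers that decide whether SPI flash is writable.

Added example, not ESET's, Lenovo's or Ars Technica's code. Field layouts
follow Intel's public PCH documentation as used by chipsec's common.bios_wp:
  BIOS_CNTL: bit 0 BIOSWE, bit 1 BLE, bit 5 SMM_BWP
  PRx:       bit 31 WPE, bits 28:16 limit, bit 15 RPE, bits 12:0 base
             (base and limit in 4 KiB units)
Every register value below is a constructed sample.
"""
from dataclasses import dataclass
from typing import List, Tuple

BIOSWE = 1 << 0   # BIOS Write Enable: host may write the BIOS region
BLE = 1 << 1      # BIOS Lock Enable: setting BIOSWE raises an SMI that clears it
SMM_BWP = 1 << 5  # SMM BIOS Write Protect: writes allowed only from SMM

PR_WPE = 1 << 31
PR_RPE = 1 << 15
PR_FIELD = 0x1FFF
PAGE = 0x1000


@dataclass(frozen=True)
class ProtectedRange:
    index: int
    base: int
    limit: int
    write_protected: bool
    read_protected: bool


def decode_pr(index: int, value: int) -> ProtectedRange:
    """Turn a raw PRx register value into flash addresses."""
    base = (value & PR_FIELD) * PAGE
    limit = (((value >> 16) & PR_FIELD) * PAGE) | (PAGE - 1)
    return ProtectedRange(index, base, limit, bool(value & PR_WPE), bool(value & PR_RPE))


def encode_pr(base: int, limit: int, wpe: bool = True) -> int:
    """Inverse of decode_pr, used only to build the sample values."""
    value = ((limit // PAGE) & PR_FIELD) << 16 | ((base // PAGE) & PR_FIELD)
    return value | (PR_WPE if wpe else 0)


def covers(ranges: List[ProtectedRange], region: Tuple[int, int]) -> bool:
    """True if the write-protected ranges together cover all of [start, end]."""
    start, end = region
    cursor = start
    for base, limit in sorted((r.base, r.limit) for r in ranges if r.write_protected):
        if base > cursor:  # a gap before this range: region not fully covered
            break
        cursor = max(cursor, limit + 1)
    return cursor > end


def assess(bios_cntl: int, pr_regs: List[int], bios_region: Tuple[int, int]) -> Tuple[bool, List[str]]:
    """Return (protected, findings) for one snapshot of the registers.

    The BIOS region counts as protected when either the BIOS_CNTL lock bits
    (BLE and SMM_BWP set, BIOSWE clear) or the PR registers block host writes.
    """
    findings = []
    if bios_cntl & BIOSWE:
        findings.append("BIOSWE set: BIOS region is writable from the host")
    if not (bios_cntl & BLE):
        findings.append("BLE clear: ring 0 can set BIOSWE without an SMI")
    if not (bios_cntl & SMM_BWP):
        findings.append("SMM_BWP clear: BLE alone is bypassable, writes not confined to SMM")
    ranges = [decode_pr(i, v) for i, v in enumerate(pr_regs)]
    pr_ok = covers(ranges, bios_region)
    if not pr_ok:
        findings.append("PR registers do not write-protect the whole BIOS region")
    lock_bits_ok = bool(bios_cntl & BLE) and bool(bios_cntl & SMM_BWP) and not (bios_cntl & BIOSWE)
    return lock_bits_ok or pr_ok, findings


# Constructed flash layout: 16 MiB part, BIOS region in the top 8 MiB.
BIOS_REGION = (0x800000, 0xFFFFFF)
# Healthy platform: lock bits set and PR0 covering the BIOS region.
LOCKED = (BLE | SMM_BWP, [encode_pr(0x800000, 0xFFFFFF), 0, 0, 0, 0])
# What the ESET write-up describes for the leftover driver: lock bits and
# PR registers never get set, so the OS sees values like these.
UNLOCKED = (0, [0, 0, 0, 0, 0])

if __name__ == "__main__":
    for name, (cntl, prs) in (("locked", LOCKED), ("unlocked", UNLOCKED)):
        ok, notes = assess(cntl, prs, BIOS_REGION)
        print(name, "protected" if ok else "NOT protected", notes)
```

The check deliberately treats BLE on its own as insufficient: without SMM_BWP the lock can be raced, which is why chipsec reports the same combination as a failure. A firmware update fixes the cause, but only a register read after the update proves the protections are actually being set on your model.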
Tomi Engdahl says:
Meta Offers Rewards for Flaws Allowing Attackers to Bypass Integrity Checks
https://www.securityweek.com/meta-offers-rewards-flaws-allowing-attackers-bypass-integrity-checks
Facebook parent company Meta today announced that its bug bounty program will cover vulnerabilities that can be exploited to bypass integrity safeguards.
The program expansion, the company says, is meant to steer researchers’ attention to security issues that attackers may exploit to bypass specific integrity checks meant to limit abuse behaviors.
Such checks include mandatory two-factor authentication for specific business manager accounts, Facebook’s own application verification process, or feature restriction enforcements.
Tomi Engdahl says:
ICS Exploits Earn Hackers $400,000 at Pwn2Own Miami 2022
https://www.securityweek.com/ics-exploits-earn-hackers-400000-pwn2own-miami-2022
Pwn2Own Miami 2022, a hacking contest focusing on industrial control systems (ICS), has come to an end, with contestants earning a total of $400,000 for their exploits.
The contest, organized by Trend Micro’s Zero Day Initiative (ZDI), saw 11 contestants demonstrating their exploits in the OPC UA Server, Control Server, Human Machine Interface, and Data Gateway categories.
Participants demonstrated a total of 26 unique zero-day exploits against products from Unified Automation, Iconics, Inductive Automation, Prosys, Aveva, Triangle MicroWorks, OPC Foundation, Kepware, and Softing.
A majority of the 32 hacking attempts were successful — two failed and eight involved previously known bugs. These “bug collisions” still earned participants $5,000 for each attempt.
Pwn2Own Miami 2022 Results
https://www.zerodayinitiative.com/blog/2022/4/14/pwn2own-miami-2022-results
Tomi Engdahl says:
Catalan Chief Accuses Spain’s Intelligence Agency of Hacking
https://www.securityweek.com/catalan-chief-accuses-spains-intelligence-agency-hacking
The head of Catalonia’s regional government is accusing Spain’s intelligence agency of conducting what he calls “massive political espionage” on the northeastern region’s independence movement and says that relations with Spain’s national authorities are “on hold” as a consequence.
Tomi Engdahl says:
Google, Mandiant Share Data on Record Pace of Zero-Day Discoveries
https://www.securityweek.com/google-mandiant-share-data-record-pace-zero-day-discoveries
Google and Mandiant separately called attention to a dramatic surge in the discovery of in-the-wild zero-day attacks and warned that nation-state APT actors, ransomware gangs and private mercenary exploit firms are burning through zero-days at record pace.
According to data from Google’s Project Zero outfit, there were 58 in-the-wild zero-day discoveries last year, the most ever recorded since the company started tracking the problem.
A separate report from Mandiant said its threat intelligence team monitored a whopping 80 zero-days exploited in 2021, more than double the previous record seen in 2019.
“As an industry we’re not making 0-day hard,” Project Zero’s Maddie Stone said in a note documenting the attacks seen in 2021. “Attackers are having success using vulnerabilities similar to what we’ve seen previously and in components that have previously been discussed as attack surfaces,” Stone added.
“The proportion of financially motivated actors — particularly ransomware groups — deploying zero-day exploits also grew significantly, and nearly 1 in 3 identified actors exploiting zero-days in 2021 was financially motivated,” Sadowski said, noting that threat actors exploited zero-days in Microsoft, Apple, and Google products most frequently, likely reflecting the popularity of these vendors.
Among nation state-backed threat actors, Mandiant said Chinese groups consistently lead the way in the deployment of malware via zero-day exploitation.
“From 2012 to 2021, China exploited more zero-days than any other nation. However, we observed an increase in the number of nations likely exploiting zero-days, particularly over the last several years, and at least 10 separate countries have likely exploited zero-days since 2012,” according to the Mandiant data.
Mandiant said it also observed private vendors emerging as “significant exploit brokers” in 2021.
“We identified at least six zero-day vulnerabilities actively exploited in 2021, potentially by customers of malware vendors, including one reportedly exploited in tools developed by two separate vendors. In 2021, at least five zero-day vulnerabilities were reportedly exploited by an Israeli commercial vendor,” the company said.
Tomi Engdahl says:
Cisco Patches Virtual Conference Software Vulnerability Reported by NSA
https://www.securityweek.com/cisco-patches-virtual-conference-software-vulnerability-reported-nsa
Cisco on Wednesday announced the release of patches for several high-severity vulnerabilities in its products, including a bug reported by the National Security Agency (NSA).
Tracked as CVE-2022-20783 (CVSS score of 7.5), the NSA-reported flaw is a denial of service (DoS) issue in TelePresence Collaboration Endpoint (CE) and RoomOS software, which could be exploited remotely, without authentication.
Insufficient input validation, Cisco explains, allows an attacker to send crafted H.323 traffic to a vulnerable device and cause it to reboot, either normally or in maintenance mode, thus creating a DoS condition.
Cisco patched the security hole with TelePresence CE releases 9.15.10.8 and 10.11.2.2 and with the RoomOS January 2022 release.
Another high-severity vulnerability that Cisco addressed this week is CVE-2022-20732 (CVSS score of 7.8), which is described as an elevation of privilege issue in the company’s Virtualized Infrastructure Manager (VIM) product.
Tomi Engdahl says:
Access Bypass, Data Overwrite Vulnerabilities Patched in Drupal
https://www.securityweek.com/access-bypass-data-overwrite-vulnerabilities-patched-drupal
Drupal on Wednesday announced the release of security updates to resolve a couple of vulnerabilities that could lead to access bypass and data overwrite.
The first of the bugs fixed with the latest iterations of the open source content management system (CMS) is an access bypass issue that exists because of an improperly implemented generic entity access API for entity revisions.
“This API was not completely integrated with existing permissions, resulting in some possible access bypass for users who have access to use revisions of content generally, but who do not have access to individual items of node and media content,” Drupal explains.
The vulnerability impacts Drupal 9.3 versions only, and solely affects sites where Drupal’s revision system is in use.
https://www.drupal.org/sa-core-2022-009
Tomi Engdahl says:
Many Industrial Firms Say Cybersecurity Systems Cause Problems to Operations
https://www.securityweek.com/many-industrial-firms-say-cybersecurity-systems-cause-problems-operations
Despite an increase in cybersecurity incidents, many industrial organizations turn off security systems if they interrupt or otherwise impact operations, according to a global survey conducted earlier this year by Kaspersky.
Kaspersky reported recently that it only saw a small increase in the percentage of industrial control system (ICS) computers targeted in 2021, compared to the previous year.
However, of the more than 300 respondents who took part in the latest survey, half reported seeing an increase in security incidents affecting ICS or other operational technology (OT) systems since the end of 2019.
In the past year, nearly one-third of the organizations that took part in the survey experienced a high number of incidents (at least 20). These incidents are often related to staff violating IT security policies, devices getting infected with malware, or employees inappropriately using IT resources.
While many organizations have come to understand the importance of securing their OT environments, 40% of respondents admitted that the security tools they are currently using are not compatible with their automation systems, and 38% reported at least one event where cybersecurity products interrupted or in some way affected their operations.
When they experienced these disruptions, 30% of companies decided to turn off their security systems. Others made changes to production or automation systems to avoid conflicts, they changed security settings in an effort to find a balance between security and productivity, or they switched cybersecurity vendors.
Additional information, along with recommendations for improving OT security, is available in the “Kaspersky ICS Security Survey 2022” (PDF).
https://go.kaspersky.com/rs/kaspersky1/images/Kaspersky_ICS_Security_Survey_2022.pdf
Tomi Engdahl says:
FBI Shares Information on BlackCat Ransomware Attacks
https://www.securityweek.com/fbi-shares-information-blackcat-ransomware-attacks
The Federal Bureau of Investigation (FBI) this week published indicators of compromise (IOCs) associated with the BlackCat Ransomware-as-a-Service (RaaS).
Initially observed in November 2021 and also tracked as ALPHV and Noberus, BlackCat is the first ransomware family to be written in the Rust programming language.
As of March 2022, BlackCat had successfully compromised at least 60 organizations worldwide, the FBI said. The cybercriminals announced nine new victims in April – as of April 21.
Security researchers recently revealed an increased interest from BlackCat operators in targeting industrial organizations.
Security researchers have also connected BlackCat with the cybercrime group behind the Darkside/Blackmatter ransomware.
BlackCat affiliates often demand ransom payments of millions of dollars, but they have been observed accepting lower payments after negotiations with their victims.
For initial access, the FBI explains, BlackCat employs compromised user credentials. Next, Active Directory user and administrator accounts are compromised and malicious Group Policy Objects (GPOs) are used to deploy the ransomware, but not before victim data is exfiltrated.
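The GPO step in that chain leaves a trail on the domain controllers: creating or changing a Group Policy object writes directory service audit events 5137 (object created) and 5136 (object modified) to the Security log when object auditing is enabled. The script below is an added example for this thread, not material from the FBI advisory or SecurityWeek. It assumes those events have been exported as one JSON object per line with the field names shown in the constructed sample records (real exports from your SIEM or log shipper will name fields differently; adjust `parse_event`), and it flags accounts outside an allowlist that change the attributes which make a GPO deliver something to machines (`gPCMachineExtensionNames`, `gPCFileSysPath`, `versionNumber`), with a stronger verdict when the same account also created the GPO shortly before.

```python
"""Hunt for unexpected GPO creation and arming in DC Security log exports.

Added example, not FBI or SecurityWeek code. Input is one JSON record per
line carrying Security events 5137 (directory service object created) and
5136 (directory service object modified). Field names and all records are
constructed for this illustration.
"""
import json
from datetime import datetime, timedelta
from typing import Iterable, List, Tuple

GPO_CLASS = "groupPolicyContainer"
CREATED, MODIFIED = 5137, 5136
# Attributes whose change means new machine-side policy (scripts, scheduled
# tasks, software installation) will apply on the next Group Policy refresh.
DEPLOY_ATTRS = {"gPCMachineExtensionNames", "gPCFileSysPath", "versionNumber"}

# Constructed sample: a user account builds a new GPO at 02:11 and arms it
# within minutes; a GPO service account later bumps the Default Domain Policy.
SAMPLE_LOG = r"""
{"time": "2022-04-21T02:11:05Z", "event_id": 5137, "subject": "CORP\\jdoe", "object_class": "groupPolicyContainer", "object_dn": "CN={11111111-2222-3333-4444-555555555555},CN=Policies,CN=System,DC=corp,DC=local", "attribute": null}
{"time": "2022-04-21T02:13:40Z", "event_id": 5136, "subject": "CORP\\jdoe", "object_class": "groupPolicyContainer", "object_dn": "CN={11111111-2222-3333-4444-555555555555},CN=Policies,CN=System,DC=corp,DC=local", "attribute": "gPCMachineExtensionNames"}
{"time": "2022-04-21T02:14:02Z", "event_id": 5136, "subject": "CORP\\jdoe", "object_class": "groupPolicyContainer", "object_dn": "CN={11111111-2222-3333-4444-555555555555},CN=Policies,CN=System,DC=corp,DC=local", "attribute": "versionNumber"}
{"time": "2022-04-21T09:30:00Z", "event_id": 5136, "subject": "CORP\\gpo-svc", "object_class": "groupPolicyContainer", "object_dn": "CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=corp,DC=local", "attribute": "versionNumber"}
{"time": "2022-04-21T10:00:00Z", "event_id": 5136, "subject": "CORP\\jdoe", "object_class": "user", "object_dn": "CN=John Doe,OU=Staff,DC=corp,DC=local", "attribute": "description"}
"""


def parse_event(line: str) -> dict:
    rec = json.loads(line)
    rec["time"] = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def gpo_events(lines: Iterable[str]) -> List[dict]:
    """Keep only create/modify events on GPO objects, oldest first."""
    recs = [parse_event(l) for l in lines if l.strip()]
    recs = [r for r in recs if r["event_id"] in (CREATED, MODIFIED) and r["object_class"] == GPO_CLASS]
    return sorted(recs, key=lambda r: r["time"])


def find_gpo_deployments(lines: Iterable[str], allowlist=frozenset(),
                         window: timedelta = timedelta(hours=1)) -> List[Tuple[str, str, str]]:
    """Return (subject, gpo_dn, reason) for accounts outside the allowlist that
    changed a deployment attribute; 'created and armed' when the same account
    also created that GPO no more than `window` earlier."""
    created = {}  # (subject, dn) -> creation time
    reasons = {}  # (subject, dn) -> reason
    for rec in gpo_events(lines):
        if rec["subject"] in allowlist:
            continue
        key = (rec["subject"], rec["object_dn"])
        if rec["event_id"] == CREATED:
            created[key] = rec["time"]
        elif rec["attribute"] in DEPLOY_ATTRS:
            t0 = created.get(key)
            if t0 is not None and timedelta(0) <= rec["time"] - t0 <= window:
                reasons[key] = "new GPO created and armed"
            else:
                reasons.setdefault(key, "deployment attribute changed by unexpected account")
    return sorted((s, dn, r) for (s, dn), r in reasons.items())


if __name__ == "__main__":
    for hit in find_gpo_deployments(SAMPLE_LOG.splitlines(), allowlist={"CORP\\gpo-svc"}):
        print(*hit)
```

The allowlist is the part that needs care: BlackCat affiliates reuse compromised admin credentials, so an allowlisted service account that suddenly creates GPOs at 02:00 deserves the same look as an unexpected one. Running the hunt twice, once with and once without the allowlist, is a cheap way to see what the allowlist is hiding.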
Tomi Engdahl says:
BlackCat Ransomware Targets Industrial Companies
https://www.securityweek.com/blackcat-ransomware-targets-industrial-companies
BlackCat/ALPHV Ransomware Indicators of Compromise
https://www.ic3.gov/Media/News/2022/220420.pdf