Cyber security news April 2022

This posting is here to collect cyber security news in April 2022.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.

425 Comments

  1. Tomi Engdahl says:

    Chinese team breaks distance record for quantum secure direct communication
    https://phys.org/news/2022-04-chinese-team-distance-quantum.html

    Reply
  2. Tomi Engdahl says:

    Windows malware can steal social media credentials, banking logins and more
    https://www.komando.com/security-privacy/windows-malware-threats/834344/

    Reply
  3. Tomi Engdahl says:

    Powerful ‘Trojan horse’ spyware found on Downing Street phone, security researchers say
    The so-called ‘Pegasus’ attack is believed to have originated from the United Arab Emirates
    https://www.independent.co.uk/news/uk/politics/downing-street-spyware-pegasus-boris-johnson-b2060160.html#Echobox=1650293696

    Reply
  4. Tomi Engdahl says:

    Apple to roll out child safety feature that scans messages for nudity to UK iPhones
    Feature that searches messages will go ahead after delays over privacy and safety concerns
    https://www.theguardian.com/technology/2022/apr/20/apple-says-new-child-safety-feature-to-be-rolled-out-for-uk-iphones

    Reply
  5. Tomi Engdahl says:

    Ainakin kahdessa suomalais­hotellissa laaja tietovuoto Lähes 16000 asiakkaan varaus­tiedot vuotaneet, kertoo hotelliketju https://www.hs.fi/kotimaa/art-2000008773864.html
    Nordic Choice Hotels -ketjun hotelleista tietovuodon kohteeksi joutui vain kaksi, helsinkiläiset Kämp ja F6, kertoo Blom. Tarkalleen 15947 asiakkaan tiedot joutuivat vääriin käsiin.

    Reply
  6. Tomi Engdahl says:

    Iranian Hackers Exploiting VMware RCE Bug to Deploy ‘Core Impact’
    Backdoor
    https://thehackernews.com/2022/04/iranian-hackers-exploiting-vmware-rce.html
    An Iranian-linked threat actor known as Rocket Kitten has been observed actively exploiting a recently patched VMware vulnerability to gain initial access and deploy the Core Impact penetration testing tool on vulnerable systems.

    Reply
  7. Tomi Engdahl says:

    Microsoft finds new elevation of privilege Linux vulnerability, Nimbuspwn https://www.microsoft.com/security/blog/2022/04/26/microsoft-finds-new-elevation-of-privilege-linux-vulnerability-nimbuspwn/
    Microsoft has discovered several vulnerabilities, collectively referred to as Nimbuspwn, that could allow an attacker to elevate privileges to root on many Linux desktop endpoints. The vulnerabilities can be chained together to gain root privileges on Linux systems, allowing attackers to deploy payloads, like a root backdoor, and perform other malicious actions via arbitrary root code execution.

    Reply
  8. Tomi Engdahl says:

    Nation-state Hackers Target Journalists with Goldbackdoor Malware https://threatpost.com/hackers-target-journalists-goldbackdoor/179389/
    A campaign by APT37 used a sophisticated malware to steal information about sources , which appears to be a successor to Bluelight.

    Reply
  9. Tomi Engdahl says:

    Coca-Cola investigating claims of hack after ransomware group hawks stolen data https://therecord.media/coca-cola-investigating-claims-of-hack-after-ransomware-group-hawks-stolen-data/
    Coca-Cola said it is investigating reports of a data breach after a ransomware group claimed to have stolen documents from the beverage giant.

    Reply
  10. Tomi Engdahl says:

    Researchers Takeover Unpatched 3rd-Party Antivirus Sandboxes via VirusTotal https://thehackernews.com/2022/04/researchers-report-critical-rce.html
    Security researchers have disclosed a security issue that could have allowed attackers to weaponize the VirusTotal platform as a conduit to achieve remote code execution (RCE) on unpatched third-party sandboxing machines employed antivirus engines.

    Reply
  11. Tomi Engdahl says:

    Google Play Store now forces apps to disclose what data is collected https://www.bleepingcomputer.com/news/security/google-play-store-now-forces-apps-to-disclose-what-data-is-collected/
    Google is rolling out a new Data Safety section on the Play Store, Android’s official app repository, where developers must declare what data their software collects from users of their apps.

    Reply
  12. Tomi Engdahl says:

    Hive0117 Continues Fileless Malware Delivery in Eastern Europe https://securityintelligence.com/posts/hive00117-fileless-malware-delivery-eastern-europe/
    Through continued research into the ongoing cyber activity throughout Eastern Europe, IBM Security X-Force identified a phishing email campaign by Hive0117, likely a financially motivated cybercriminal group, from February 2022, designed to deliver the fileless malware variant dubbed DarkWatchman.

    Reply
  13. Tomi Engdahl says:

    Emotet Testing New Delivery Ideas After Microsoft Disables VBA Macros by Default https://thehackernews.com/2022/04/emotet-testing-new-delivery-ideas-after.html
    The threat actor behind the prolific Emotet botnet is testing new attack methods on a small scale before co-opting them into their larger volume malspam campaigns, potentially in response to Microsoft’s move to disable Visual Basic for Applications (VBA) macros by default across its products.

    Reply
  14. Tomi Engdahl says:

    Noin 20000 asiakkaan varaustiedot vuosivat kahdesta suomalais­hotellista poliisi aloitti tietomurtotutkinnan https://www.hs.fi/kotimaa/art-2000008774004.html
    Scandic, Sokos Hotels, Lapland Hotels ja Omenahotellit-ketjuilta kerrotaan HS:lle, ettei tietomurto ole kohdistunut heidän asiakkaisiinsa. maksukortti­tietoja ei vuotanut. Tietovuoto rajoittuu Sabren mukaan lähes kokonaan niihin muutamiin hotelleihin Suomessa, jotka yritykselle vuodosta ilmoittivatkin. Sabresta ei haluttu antaa haastattelua aiheesta tiistaina. Viestinnästä ei myöskään vastattu tarkentaviin kysymyksiin esimerkiksi tietomurron kohteena olevien hotellien määrästä.

    Reply
  15. Tomi Engdahl says:

    BRONZE PRESIDENT Targets Russian Speakers with Updated PlugX https://www.secureworks.com/blog/bronze-president-targets-russian-speakers-with-updated-plugx
    The threat groups targeting shift could reflect a change in Chinas intelligence collection requirements due to the war in Ukraine.

    US offers $10 million reward for tips on Russian Sandworm hackers https://www.bleepingcomputer.com/news/security/us-offers-10-million-reward-for-tips-on-russian-sandworm-hackers/
    The U.S. is offering up to $10 million to identify or locate six Russian GRU hackers who are part of the notorious Sandworm hacking group.

    Reply
  16. Tomi Engdahl says:

    Long-running North Korean operation hacked into engineering firm, Symantec says https://therecord.media/north-korea-hackers-stonefly-symantec/
    An unnamed engineering company with energy and military customers was recently the target of a North Korean hacking group that has been operating since at least 2009, researchers said Wednesday.

    Reply
  17. Tomi Engdahl says:

    NPM Bug Allowed Attackers to Distribute Malware as Legitimate Packages https://thehackernews.com/2022/04/npm-bug-allowed-attackers-to-distribute.html
    A “logical flaw” has been disclosed in NPM, the default package manager for the Node.js JavaScript runtime environment, that enables malicious actors to pass off rogue libraries as legitimate and trick unsuspecting developers into installing them.

    Reply
  18. Tomi Engdahl says:

    Assembling the Russian Nesting Doll: UNC2452 Merged into APT29
    https://www.mandiant.com/resources/unc2452-merged-into-apt29
    Mandiant has gathered sufficient evidence to assess that the activity tracked as UNC2452, the group name used to track the SolarWinds compromise in December 2020, is attributable to APT29.

    Reply
  19. Tomi Engdahl says:

    Russian govt impersonators target telcos in phishing attacks https://www.bleepingcomputer.com/news/security/russian-govt-impersonators-target-telcos-in-phishing-attacks/
    A previously unknown and financially motivated hacking group is impersonating a Russian agency in a phishing campaign targeting entities in Eastern European countries.

    Reply
  20. Tomi Engdahl says:

    Emotet fixes bug in code, resumes spam campaign https://blog.malwarebytes.com/cybercrime/malware/2022/04/emotet-fixes-bug-in-code-resumes-spam-campaign/
    Emotet threat actors resumed their email spam campaign on Monday after stopping it late last week to fix a bug.

    Reply
  21. Tomi Engdahl says:

    RIG Exploit Kit drops RedLine malware via Internet Explorer bug https://www.bleepingcomputer.com/news/security/rig-exploit-kit-drops-redline-malware-via-internet-explorer-bug/
    Threat analysts have uncovered yet a new campaign that uses the RIG Exploit Kit to deliver the RedLine stealer malware.

    Reply
  22. Tomi Engdahl says:

    New APT Group Earth Berberoka Targets Gambling Websites With Old and New Malware https://www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html
    We recently discovered a new advanced persistent threat (APT) group that we have dubbed Earth Berberoka (aka GamblingPuppet). Based on our analysis, this group targets gambling websites. Our investigation has also uncovered that Earth Berberoka targets the Windows, Linux, and macOS platforms, and uses malware families that have been historically aimed at Chinese-speaking individuals.

    Reply
  23. Tomi Engdahl says:

    Kelan verkkosivusto kerännyt kävijöistä tietoja ilman lupaa https://www.is.fi/digitoday/art-2000008779279.html
    Kelan mukaan verkkosivustolla on ollut 28. maaliskuuta ja 19.
    huhtikuuta välisenä aikana evästeitä, jotka ovat keränneet kävijöiden IP-osoitteita, vaikka suostumusta evästeiden käyttämiseen ei olisi annettu. Kela.fissä on ollut kyseisellä aikavälillä noin 1, 25 miljoonaa kävijää.

    Reply
  24. Tomi Engdahl says:

    Experts Detail 3 Hacking Teams Working Under the Umbrella of TA410 Group https://thehackernews.com/2022/04/experts-detail-3-hacking-teams-working.html
    A cyberespionage threat actor known for targeting a variety of critical infrastructure sectors in Africa, the Middle East, and the U.S. has been observed using an upgraded version of a remote access trojan with information stealing capabilities.

    Reply
  25. Tomi Engdahl says:

    Cyberattacks Rage in Ukraine, Support Military Operations https://threatpost.com/cyberwar-ukraine-military/179421/
    At least five APTs are believed involved with attacks tied ground campaigns and designed to damage Ukraine’s digital infrastructure.

    Reply
  26. Tomi Engdahl says:

    QNAP customers urged to disable AFP to protect against severe vulnerabilities https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/04/qnap-customers-urged-to-disable-afp-to-protect-against-severe-vulnerabilities/
    MacOS users that have a network-attached storage (NAS) device made by QNAP are being advised to disable the Apple Filing Protocol (AFP) on their devices until some severe vulnerabilities have been fixed. But QNAP is not the only vendor that needed to fix these vulnerabilities.
    Others have already done so, or have taken more drastic measures.

    Reply
  27. Tomi Engdahl says:

    New Bumblebee malware replaces Conti’s BazarLoader in cyberattacks https://www.bleepingcomputer.com/news/security/new-bumblebee-malware-replaces-contis-bazarloader-in-cyberattacks/
    A newly discovered malware loader called Bumblebee is likely the latest development of the Conti syndicate, designed to replace the BazarLoader backdoor used to deliver ransomware payloads.

    Reply
  28. Tomi Engdahl says:

    WhatsAppissa vaanii uusi huijaus: näin kannattaa toimia
    https://www.tivi.fi/uutiset/tv/e025ff02-4aab-4e4f-8b63-8d77f7124d89
    WhatsApp-käyttäjiä vaanii uusi huijaus, jossa rikolliset esiintyvät sovelluksen tukipalveluna. Asiasta kertoi ensimmäisenä WABetaInfo-blogi

    Reply
  29. Tomi Engdahl says:

    Cloudflare blocks 15M rps HTTPS DDoS attack https://blog.cloudflare.com/15m-rps-ddos-attack/
    Earlier this month, Cloudflare’s systems automatically detected and mitigated a 15.3 million request-per-second (rps) DDoS attack one of the largest HTTPS DDoS attacks on record.

    Reply
  30. Tomi Engdahl says:

    Ukraine targeted by DDoS attacks from compromised WordPress sites https://www.bleepingcomputer.com/news/security/ukraine-targeted-by-ddos-attacks-from-compromised-wordpress-sites/
    Ukraine’s computer emergency response team (CERT-UA) has published an announcement warning of ongoing DDoS (distributed denial of service) attacks targeting pro-Ukraine sites and the government web portal.

    Reply
  31. Tomi Engdahl says:

    LAPSUS$: Recent techniques, tactics and procedures https://research.nccgroup.com/2022/04/28/lapsus-recent-techniques-tactics-and-procedures/
    This post describes the techniques, tactics and procedures we observed during recent LAPSUS$ incidents.

    Reply
  32. Tomi Engdahl says:

    Cisco Patches 11 High-Severity Vulnerabilities in Security Products
    https://www.securityweek.com/cisco-patches-11-high-severity-vulnerabilities-security-products

    Cisco this week announced the release of its April 2022 bundle of security advisories for Cisco Adaptive Security Appliance (ASA), Firepower Threat Defense (FTD), and Firepower Management Center (FMC).

    The semiannual bundled advisories describe a total of 19 vulnerabilities in Cisco’s security products, including 11 that were assessed with a severity rating of “high.”

    The most severe of these is CVE-2022-20746 (CVSS score of 8.8), an FTD security hole that exists because TCP flows aren’t properly handled, and which could be exploited remotely without authentication to cause a denial of service (DoS) condition.

    “An attacker could exploit this vulnerability by sending a crafted stream of TCP traffic through an affected device. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition,” Cisco explains in an advisory.

    Reply
  33. Tomi Engdahl says:

    Critical Vulnerabilities in Azure PostgreSQL Exposed User Databases
    https://www.securityweek.com/critical-vulnerabilities-azure-postgresql-exposed-user-databases

    Cloud security company Wiz has released the details of a series of critical vulnerabilities that could have been exploited to access databases belonging to Azure customers.

    The security holes discovered by Wiz researchers are collectively tracked as ExtraReplica — the name stems from the fact that the flaws affected a database replication feature. They impacted Azure Database for PostgreSQL Flexible Server, a fully managed PostgreSQL database-as-a-service offering.

    Reply
  34. Tomi Engdahl says:

    Cloudflare Customer Targeted in Record HTTPS DDoS Attack
    https://www.securityweek.com/cloudflare-customer-targeted-record-https-ddos-attack

    Security and web performance services provider Cloudflare recently mitigated the largest HTTPS distributed denial-of-service (DDoS) attack it has seen to date.

    Peaking at 15.3 million request-per-second (RPS), this was not the largest application-layer DDoS attack ever recorded, but Cloudflare says it was the largest to be carried out over HTTPS.

    In August 2021, Cloudflare announced it had mitigated a 17.2 million RPS DDoS attack. Shortly after, the company said it observed the Mēris botnet launching a 21.8 million RPS attack.

    The new assault, observed by Cloudflare earlier this month, stands out because HTTPS DDoS attacks require significantly higher computational resources due to the costs associated with establishing a secure TLS encrypted connection.

    “Therefore it costs the attacker more to launch the attack, and for the victim to mitigate it. We’ve seen very large attacks in the past over (unencrypted) HTTP, but this attack stands out because of the resources it required at its scale,” Cloudflare notes.

    Reply
  35. Tomi Engdahl says:

    Noin 20 000 asiakkaan varaustiedot vuosivat kahdesta suomalais­hotellista – poliisi aloitti tietomurtotutkinnan
    Scandic, Sokos Hotels, Lapland Hotels ja Omenahotellit-ketjuilta kerrotaan HS:lle, ettei tietomurto ole kohdistunut heidän asiakkaisiinsa. maksukortti­tietoja ei vuotanut
    https://www.hs.fi/kotimaa/art-2000008774004.html

    Reply
  36. Tomi Engdahl says:

    Chrome 101 Patches 30 Vulnerabilities
    https://www.securityweek.com/chrome-101-patches-30-vulnerabilities

    Google this week announced that Chrome 101 was released to the stable channel with 30 security fixes inside, including 25 for vulnerabilities identified by external security researchers.

    The most important of these fixes resolves a high-severity use-after-free issue in the 3D graphics and computing open standard Vulkan. Tracked as CVE-2022-1477, the bug was reported by SeongHwan Park (SeHwa), who received a $10,000 bug bounty payout for it.

    Six other externally reported high-severity flaws were addressed with the release of Chrome 101, four of which are use-after-free vulnerabilities that impact the SwiftShader 3D renderer, the Angle WebGL backend, the Device API, and the Sharing component.’

    Reply

Leave a Comment

Your email address will not be published. Required fields are marked *

*

*