This posting is here to collect cyber security news in May 2022.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
408 Comments
Tomi Engdahl says:
Microsoft warns Exchange Online basic auth will be disabled
https://www.bleepingcomputer.com/news/microsoft/microsoft-warns-exchange-online-basic-auth-will-be-disabled/
Microsoft warned customers today that it will start disabling Basic Authentication in random tenants worldwide on October 1, 2022.
Tomi Engdahl says:
Up to 200 euros a day: beware of this kind of job offer https://www.tivi.fi/uutiset/tv/faefae6c-d97f-40e4-ad3f-13eba4ceefcb
A new scam message lures Finns into contacting an “employer” via WhatsApp
Tomi Engdahl says:
Pro-Ukraine hackers use Docker images to DDoS Russian sites https://www.bleepingcomputer.com/news/security/pro-ukraine-hackers-use-docker-images-to-ddos-russian-sites/
Docker images with a download count of over 150,000 have been used to run distributed denial-of-service (DDoS) attacks against a dozen Russian and Belarusian websites managed by government, military, and news organizations. [Source: https://www.crowdstrike.com/blog/compromised-docker-honeypots-used-for-pro-ukrainian-dos-attack/]
Tomi Engdahl says:
F5 warns of critical BIG-IP RCE bug allowing device takeover https://www.bleepingcomputer.com/news/security/f5-warns-of-critical-big-ip-rce-bug-allowing-device-takeover/
F5 has issued a security advisory warning about a flaw that may allow unauthenticated attackers with network access to execute arbitrary system commands, perform file actions, and disable services on BIG-IP.
The vulnerability is tracked as CVE-2022-1388 and has a CVSS v3 severity rating of 9.8, categorized as critical. Its exploitation can potentially lead up to a complete system takeover.
Tomi Engdahl says:
FBI warns of new reverse instant payments banking scam https://www.pandasecurity.com/en/mediacenter/security/reverse-payment-scam/
FBI issued an alert earlier this month detailing a new way scammers have been successfully swindling victims in the USA. The criminals use social engineering to trick victims into thinking that they are transferring funds to themselves. Bad actors initially approach the potential victims via text messages and then continue the interaction via phone. The engagement with the scammers sometimes continues for days until the cybercriminals complete one or more fraudulent transactions and leave the victim wondering where all the money went.
Tomi Engdahl says:
Cloudflare blocks 15M rps HTTPS DDoS attack https://blog.cloudflare.com/15m-rps-ddos-attack/
Earlier this month, Cloudflare’s systems automatically detected and mitigated a 15.3 million request-per-second (rps) DDoS attack, one of the largest HTTPS DDoS attacks on record. While this isn’t the largest application-layer attack we’ve seen, it is the largest we’ve seen over HTTPS.
Tomi Engdahl says:
Microsoft, Apple, and Google to support FIDO passwordless logins https://www.bleepingcomputer.com/news/security/microsoft-apple-and-google-to-support-fido-passwordless-logins/
Today, Microsoft, Apple, and Google announced plans to support a common passwordless sign-in standard (known as passkeys) developed by the World Wide Web Consortium (W3C) and the FIDO Alliance. Once implemented, these new Web Authentication (WebAuthn) credentials (aka FIDO credentials) will allow the three tech giants’ users to log in to their accounts without using a password.
Tomi Engdahl says:
Cyberattack Causes Disruptions at Car Rental Giant Sixt
https://www.securityweek.com/cyberattack-causes-disruptions-car-rental-giant-sixt
Sixt, a major car rental company that has more than 2,000 locations across over 110 countries, has been targeted in a cyberattack that caused some temporary disruptions.
Sixt said it detected suspicious activity on IT systems on April 29 and soon confirmed that it had been hit by a cyberattack.
The Germany-based company claimed the incident was “contained in an early stage” and that an investigation has been launched with assistance from external experts.
“As a standard precautionary measure, access to IT systems was immediately restricted and the pre-planned recovery processes were initiated,” Sixt said in a statement.
It added, “Many central Sixt systems, in particular the website and apps were kept up and running. Thereby, impacts on the company, its operations and services have been minimized to provide business continuity for customers. However, temporary disruptions, in particular in customer care centers and selective branches, are likely to occur in the short term.”
Tomi Engdahl says:
German Finance Watchdog Sees ‘Very Big’ Risk of Cyberattacks
By AFP on May 03, 2022
https://www.securityweek.com/german-finance-watchdog-sees-very-big-risk-cyberattacks
Germany’s financial regulator BaFin warned Tuesday of the “very big” risk of cyberattacks targeting the financial sector, a threat it said had become “more likely” since Russia’s war on Ukraine.
“The risk that companies in the financial sector will fall victim to cyberattacks or that internal IT security incidents will occur is very big and very present,” BaFin president Mark Branson told a press conference.
In extreme cases, “such incidents could damage the stability of the financial system”, he said.
“Are we prepared for a really serious security incident? If we are honest, we don’t know,” Branson added.
Ukraine and its Western allies have been on heightened alert for potential Russian hacking attempts since Moscow invaded its neighbour on February 24.
The “Five Eyes” intelligence sharing network — consisting of the United States, Britain, Canada, Australia and New Zealand — warned in April that “evolving intelligence” indicated Russia was planning massive cyberattacks against rivals supporting Ukraine.
Tomi Engdahl says:
https://www.theregister.com/2022/05/03/aruba_avaya_critical_vulns/
Tomi Engdahl says:
https://www.scmagazine.com/analysis/vulnerability-management/avast-patches-decade-old-vulnerabilities-in-antivirus-product
Tomi Engdahl says:
Hackers Are Targeting EV Charging Stations
https://www.motorbiscuit.com/hackers-targeting-ev-charging-stations/
The growing number of EV charging stations in the U.S. and worldwide allows more drivers to easily access the convenience and eco-friendliness of driving an electric vehicle. However, there’s a major downside to these rapidly appearing EV charging stations: they are surprisingly vulnerable to cyberattacks from hackers.
Per Automotive News, most EV hacking used to come from “white-hat” hackers—professionals electric-vehicle companies hire to test their security systems. These white-hat hackers break into systems to help manufacturers find weaknesses and fix them. But for the first time in 2021, “black-hat” hackers were the majority. These attackers operate illegally and usually are looking for ways to make money.
The consequences of EV hacking range from inconvenient to devastating. In April, cyber attackers broke into three EV charging stations in England—but the hackers just displayed pornography on the screens. Likely, that was just a prank. However, attackers have hacked some electric cars in ways that affect the car’s abilities.
These include decreasing the battery’s capacity, messing with headlights, disabling the brakes, or even taking control of the steering mechanism. The possibilities are scary. Typically, cybercriminals hack electric cars to hold the vehicle, or the charging station, for ransom.
Not all hackers are looking to profit, though. In February, hackers carried out an attack against a Russian EV charging station, displaying insults and pro-Ukrainian slogans to protest the war.
Jin Ye, an assistant professor at UGA and the director of the Intelligent Power Electronics and Electric Machines Laboratory, provides a few critical areas for automakers to focus on:
Secure on-board diagnostics port
Secure software updates
Better firewall
Penetration testing
Reliable hardware
Code reviews
One way to protect your EV from hackers is to ensure that your vehicle receives all necessary and recommended software updates.
Tomi Engdahl says:
A number of newer Apple devices are carrying a unique flaw, and the problem lies in the company’s home-built CPUs.
Apple’s PC and mobile chips suffer from world-first data theft exploit
By Sead Fadilpašić published 4 days ago
Unique chips, unique vulnerabilities
https://www.techradar.com/news/apples-pc-and-mobile-chips-suffer-from-world-first-data-theft-exploit?utm_medium=social&utm_source=facebook.com&utm_content=techradar&utm_campaign=socialflow
A number of newer Apple devices are carrying a unique flaw, eerily reminiscent of Spectre/Meltdown, that could allow threat actors to steal sensitive data, experts have warned.
A team of researchers from the University of Illinois Urbana-Champaign, Tel Aviv University, and the University of Washington, have discovered a flaw in a feature unique to Apple silicon, called Data Memory-Dependent Prefetcher (DMP).
The flaw possibly affects a whole host of Apple silicon, including its own in-house M1 and M1 Max chips, the team has warned.
The idea behind DMP is to boost system performance by pre-fetching data, even before it’s needed – data that’s essentially at rest. Usually, due to security reasons, data would be limited and split between various compartments, and only pulled out when needed.
With DMP, data gets fetched in advance, and it’s this data that can be accessed by unauthorized third parties, similar to the Spectre/Meltdown flaw. With the latter, however, the silicon would try to speculate which data could be used in the near future, somewhat limiting the attack surface. With Apple’s DMP, the entire contents of the memory could be leaked.
The researchers named the flaw “Augury”. So far, Apple’s A14 System on Chip (SoC), found in 4th Gen iPad Air and 12th Gen iPhone devices, M1, and M1 Max were all found to be vulnerable. While they’re suspecting older silicon (M1 Pro, and M1 Ultra, for example) might also be vulnerable to Augury, they’ve yet only managed to showcase the flaw on these endpoints.
Tomi Engdahl says:
Exploits created for critical F5 BIG-IP flaw, install patch immediately
https://www.bleepingcomputer.com/news/security/exploits-created-for-critical-f5-big-ip-flaw-install-patch-immediately/
Tomi Engdahl says:
New Fileless Malware Hides Shellcode in Windows Event Logs https://thehackernews.com/2022/05/this-new-fileless-malware-hides.html
A new malicious campaign has been spotted taking advantage of Windows event logs to stash chunks of shellcode for the first time in the wild. “It allows the ‘fileless’ last stage trojan to be hidden from plain sight in the file system,” Kaspersky researcher Denis Legezo said in a technical write-up published this week. The stealthy infection process, not attributed to a known actor, is believed to have commenced in September 2021 when the intended targets were lured into downloading compressed .RAR files containing Cobalt Strike and Silent Break.
Tomi Engdahl says:
Android is getting new sideloading restrictions, but they are good https://www.androidauthority.com/android-13-sideloading-apps-restrictions-3161162/
Android 13 will bring new restrictions on sideloaded apps. No, sideloading is not going away from Android phones. Google just wants to make it safer to sideload apps so bad actors can’t misuse them and inject malware into your devices. According to Mishaal Rahman, Senior Technical Editor at Esper, Google won’t allow sideloaded apps to use the Accessibility API starting with Android 13.
Tomi Engdahl says:
Raspberry Robin – USB-based Wormable Malware Targets Windows Installer https://redcanary.com/blog/raspberry-robin/
Red Canary is tracking a worm spread by external drives that leverages Windows Installer to reach out to QNAP-associated domains and download a malicious DLL. “Raspberry Robin” is Red Canary’s name for a cluster of activity we first observed in September 2021 involving a worm that is often installed via USB drive. This activity cluster relies on msiexec.exe to call out to its infrastructure, often compromised QNAP devices, using HTTP requests that contain a victim’s user and device names. We also observed Raspberry Robin use TOR exit nodes as additional command and control (C2) infrastructure.
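The Red Canary write-up above says the worm relies on msiexec.exe calling out over HTTP to its infrastructure with requests carrying the victim's user and device names. The following detection logic, added here as an example and not taken from Red Canary's report, scans constructed Sysmon-style process-creation events for msiexec.exe launched with an http(s) package source and notes whether the URL path embeds the local user or computer name; the event field names and the `.invalid` host are assumptions.

```python
import json
import re
from typing import List, Optional
from urllib.parse import urlparse

# Constructed process-creation events in a Sysmon-like JSON shape (not real telemetry).
SAMPLE_EVENTS = [
    json.dumps({"Image": r"C:\Windows\System32\msiexec.exe",
                "CommandLine": r"msiexec /q /i http://example-qnap.invalid:8080/DESKTOP-1234/alice?x=1",
                "User": r"CORP\alice", "Computer": "DESKTOP-1234"}),
    json.dumps({"Image": r"C:\Windows\System32\msiexec.exe",
                "CommandLine": r"msiexec /i C:\Temp\vendor-agent.msi /qn",
                "User": r"CORP\bob", "Computer": "LAPTOP-77"}),
    json.dumps({"Image": r"C:\Program Files\Browser\browser.exe",
                "CommandLine": "browser.exe https://intranet.example/",
                "User": r"CORP\carol", "Computer": "WS-09"}),
]

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


def msiexec_remote_install(event: dict) -> Optional[dict]:
    """Return a finding when msiexec.exe is started with an http(s) URL as its package source."""
    image = event.get("Image", "")
    if image.rsplit("\\", 1)[-1].lower() != "msiexec.exe":
        return None
    match = URL_RE.search(event.get("CommandLine", ""))
    if not match:
        return None
    url = urlparse(match.group(0))
    path = url.path.lower()
    # Raspberry Robin's requests embed the victim's user and device names in the URL,
    # so an identity leak in the path raises the confidence of the finding.
    user = event.get("User", "").rsplit("\\", 1)[-1].lower()
    computer = event.get("Computer", "").lower()
    leaks_identity = (bool(user) and user in path) or (bool(computer) and computer in path)
    return {"host": url.hostname or "", "user": event.get("User", ""),
            "leaks_identity": leaks_identity}


def scan(lines: List[str]) -> List[dict]:
    """Run the rule over raw JSON event lines and collect findings."""
    findings = []
    for line in lines:
        finding = msiexec_remote_install(json.loads(line))
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f)
```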
Tomi Engdahl says:
Steer clear of fake premium mobile app unlockers https://blog.malwarebytes.com/scams/2022/05/steer-clear-of-fake-premium-mobile-app-unlockers/
A site has been bouncing around YouTube comments for the past couple of weeks. The site sometimes changes, the messages alter slightly, but the essence remains the same: In all cases, people acting in suspiciously automated fashion ask if everyone is using this “glitch” or generator without ever clarifying what, exactly, either of them are, or do. The site offers “tweaked apps”, apparently available with a single click and requiring “no jailbreak, no root.” That’s what they claim, anyway. There’s an OnlyFans Premium, Netflix Premium, a Pokemon Go Spoofer Injector, Robux Generator, and many more.
Tomi Engdahl says:
India’s ongoing outrage over Pegasus malware tells a bigger story about privacy law problems https://www.theregister.com/2022/05/08/pegasus_india_data_law_controversy/
NSO Group’s Pegasus spyware-for-governments keeps returning to the headlines thanks to revelations such as its use against Spain’s prime minister and senior British officials. But there’s one nation where outrage about Pegasus has been constant for nearly a year and shows little sign of abating: India.
Tomi Engdahl says:
RubyGems fixes unauthorized package takeover bug https://www.bleepingcomputer.com/news/security/check-your-gems-rubygems-fixes-unauthorized-package-takeover-bug/
The RubyGems package repository has fixed a critical vulnerability that would allow anyone to unpublish (“yank”) certain Ruby packages from the repository and republish their tainted or malicious versions with the same file names and version numbers. An initial audit from RubyGems reveals that the vulnerability has not been exploited within the last 18 months to alter any gems, but a deeper audit is still in progress with results yet to be announced.
Tomi Engdahl says:
Catalan: Spain Spy Chief Admits Legally Hacking Some Phones
https://www.securityweek.com/catalan-spain-spy-chief-admits-legally-hacking-some-phones
Tomi Engdahl says:
https://www.securityweek.com/heroku-shares-details-recent-github-attack
Platform-as-a-service company Heroku this week shared additional details on an April cyberattack that resulted in unauthorized access to multiple customers’ GitHub repositories.
Tomi Engdahl says:
Zero Trust VPN Company Tailscale Raises $100 Million
https://www.securityweek.com/zero-trust-vpn-company-tailscale-raises-100-million
Zero trust enterprise VPN provider Tailscale this week announced that it has closed a $100 million Series B funding round that brings the total raised by the company to $115 million.
The investment round was led by CRV and Insight Partners, with participation from existing investors Accel, Heavybit, Uncork Capital, and angel investors.
Founded in 2019, the Toronto-based company offers a WireGuard-based private network connectivity solution with zero-config and end-to-end encryption, which integrates with services such as Google Workspace, Microsoft 365, Okta, Caddy Server, Syncthing, and VScode.
Tomi Engdahl says:
Cyberattack takes down network of State Bar of Georgia
Officials with the State Bar of Georgia have spent much of the week responding to a cyberattack that crippled the organization’s network, website and email system.
The State Bar is not part of the state government, but the Supreme Court of Georgia authorizes it to hold ethics investigations into the state’s lawyers and sanction those who violate state rules. The organization also provides guidance and assistance to lawyers in the state as well as a directory of attorneys.
https://therecord.media/state-bar-of-georgia-cyberattack/
Tomi Engdahl says:
Avast, AVG release security updates for decade-old vulnerability
https://therecord.media/avast-avg-release-security-updates-for-decade-old-vulnerability/
SentinelOne disclosed two high-severity vulnerabilities – tracked as CVE-2022-26522 and CVE-2022-26523 – that went undiscovered for years and affect the “Anti Rootkit” driver in security products from Avast and AVG.
The two anti-virus companies joined forces in 2016 when Avast bought AVG for about $1.3 billion. NortonLifeLock announced in 2021 that it reached an agreement to merge with the Czech antivirus maker in a stock-based deal that could be worth between $8.1 billion to $8.6 billion.
On December 20, SentinelOne notified Avast of the two vulnerabilities that could lead to privilege escalation “by running code in the kernel from a non-administrator user.”
“According to Avast, the vulnerable feature was introduced in Avast 12.1. Given the longevity of this flaw, we estimate that millions of users were likely exposed,” SentinelOne explained. Avast 12.1 was released in early 2012.
“While we haven’t seen any indicators that these vulnerabilities have been exploited in the wild up till now, with dozens of millions of users affected, it is possible that attackers will seek out those that do not take the appropriate action.”
Tomi Engdahl says:
Mark Gurman / Bloomberg:
Opinion: Apple has the technical chops to safely open up its NFC chip for third party payments apps, and the main reason it is not doing it is the revenue
Apple Keeps Its Tap-to-Pay Feature to Itself to Protect Revenue
https://www.bloomberg.com/news/newsletters/2022-05-08/can-third-party-banks-and-apps-use-apple-aapl-iphone-nfc-for-tap-to-pay-l2xckg5e
Apple’s latest antitrust battle is all about Apple Pay and how the company reserves the tap-to-pay feature for its own service. Also: Apple hires a big name from Ford for its car project, and employees continue to push back on an office return.
After facing mounting antitrust scrutiny in recent years—from both App Store developers and government regulators—Apple Inc. has started to loosen up.
Two years ago, the company began letting users choose third-party web browser or email apps as their system default. That means when you click a link in Messages, you can have those launch in Chrome instead of Safari. Or when you want to click an email address, you can have the new message window open up in Microsoft Outlook instead of Apple Mail.
The key thing about these changes, though, is that most of them were forced on Apple. The U.S. government and others questioned why users couldn’t switch default apps. Spotify Technology SA attacked Apple left and right over its practices. And the change to subscription app payments was part of a settlement with Japan’s trade commission. The ruling in Apple’s case with Epic Games Inc. also helped push the company in this direction.
Apple’s next antitrust battle is over payments. More specifically, its control of the iPhone chip that handles NFC, or near field communications. For now, iPhone users must use Apple Pay if they want to buy something via phone tap, and that’s been increasingly frustrating to rival financial apps.
Apple’s policy means PayPal and Square—as well as financial institutions like Chase, Citi and American Express—can’t launch tap-to-pay iPhone apps with their own features and interface. It also means if they want to access the iPhone user base, they must pay an up-to-0.15% fee for every Apple Pay credit card transaction.
This issue isn’t new (I first covered it more than two years ago), but the European Union is now throwing its weight into the fight by making a formal antitrust complaint.
There’s a reason Apple doesn’t want to open up its tap-to-pay feature to third-party apps, and that’s revenue.
Today, sales from Apple Pay and other financial services are a small slice of the company’s services business. I’ve seen estimates of Apple Pay bringing in north of $1 billion per year on fees, compared with the nearly $20 billion a quarter Apple now makes from services overall.
While $1 billion per year may seem small for Apple, that could be the difference between reaching or not reaching annual growth targets in the services segment.
The bigger concern is future revenue. Visa Inc. said earlier this year that 20% of its U.S. transactions are contactless. Imagine what that ratio will be in three, five or 10 years. If Apple gives the tap-to-pay option to third-party apps today, the current impact might just be a couple of hundred million dollars. In the future, though? It might be many billions.
Apple says its insistence on reserving tap-to-pay capabilities for Apple Pay isn’t about money, but rather about privacy and security. The company says that opening up NFC could harm its system and pointed to a report from 2016 that said NFC access on Android has been compromised by hackers.
It’s hard to believe that the user experience and security are the only elements being considered here, though. Chief Executive Officer Tim Cook said during the Epic Games trial that even if Apple were to open up its payment system, the company would still ask developers to pay a commission retroactively.
Apple has the technical chops to figure out a safe way to free up its NFC capabilities to outside services.
After all, the company is already planning to do just that for merchants, which will be able to use the tap-to-pay feature to accept certain credit cards and smartphones via third-party apps. In other words, Apple will let users take payments via NFC but not make them. The company also has opened up NFC for scanning physical items and unlocking doors.
While I do agree that Apple Pay is probably far more convenient than anything third-party banks may come up with, I don’t see the harm for consumers to at least have the option.
With the European Commission threatening fines, Apple may ultimately be forced yet again to make a change.
Tomi Engdahl says:
The Russian cyber threat must be prepared for – disruptions are certain to come
https://etn.fi/index.php/13-news/13532-venaejaen-kyberuhkaan-pitaeae-varautua-haeirioeitae-tulee-varmasti
Russia’s war of aggression against Ukraine was also discussed at the Teknologia22 trade fair, which ended yesterday. An expert panel reminded the audience that the physical war seen in the media always begins with cyberattacks. We too must prepare for various disruptions as our NATO application proceeds.
So said Aapo Cederberg, CEO of Cyberwatch Finland (pictured left). Jarna Hartikainen, head of preparedness at the National Emergency Supply Agency (Huoltovarmuuskeskus), reminded the panel that cyberattacks already arrive daily. – We must keep a cool head, Hartikainen urged.
Fortum’s security director Juha Härkönen urged organizations to prepare for how to operate if IT systems do not work. – How do we communicate with staff, how with customers? These need to be worked out now.
Tomi Engdahl says:
F5 BIG-IP in Attacker Crosshairs Following Disclosure of Critical Vulnerability
https://www.securityweek.com/f5-big-ip-attacker-crosshairs-following-disclosure-critical-vulnerability
Organizations using F5’s BIG-IP application delivery controllers are advised to immediately update their systems as a recently patched vulnerability is already being exploited in the wild.
F5 informed customers last week about more than 50 vulnerabilities and security exposures affecting its products. The only security hole that has been assigned a severity rating of “critical” is CVE-2022-1388, which can be exploited by an unauthenticated attacker for remote code execution.
“This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services,” F5 explained in its advisory.
https://www.securityweek.com/f5-informs-big-ip-customers-about-18-serious-vulnerabilities
K23605346: BIG-IP iControl REST vulnerability CVE-2022-1388
https://support.f5.com/csp/article/K23605346
Tomi Engdahl says:
RubyGems Fixes Critical Gem Takeover Vulnerability
https://www.securityweek.com/rubygems-fixes-critical-gem-takeover-vulnerability
RubyGems has addressed a critical vulnerability that could have allowed any RubyGems.org user to remove and replace certain Ruby gems.
A package hosting service for the Ruby programming language, RubyGems.org hosts more than 170,000 gems. RubyGems also functions as a package manager.
Tracked as CVE-2022-29176, the recently addressed vulnerability impacts the ‘yank’ action, and could be abused by any user on RubyGems.org to remove certain gems from the repository.
The unauthorized user could then replace the yanked gems with malicious ones having the same name, same version number, and different platform.
According to RubyGems’ maintainers, vulnerable packages were those with at least one dash in their names, where the word before the dash was the name of a gem controlled by the attacker, and which were created within 30 days or hadn’t been updated for more than 100 days.
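The comment above lists the conditions under which a gem could have been yanked and replaced before the CVE-2022-29176 fix. The script below, an added example rather than anything published by RubyGems, turns those conditions into an audit of a Gemfile.lock: a gem is flagged when its name contains a dash, the part before the first dash is itself a registered gem held by a different owner (my reading of "controlled by the attacker" from the maintainer's side), and it was either created within 30 days or not updated for over 100 days. The registry snapshot and the lockfile excerpt are constructed.

```python
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List


@dataclass
class GemMeta:
    owner: str     # account that controls the gem on the registry (constructed)
    created: date  # first publication date
    updated: date  # most recent release date


# Constructed registry snapshot standing in for RubyGems.org metadata.
REGISTRY: Dict[str, GemMeta] = {
    "rails": GemMeta("rails-team", date(2004, 1, 1), date(2022, 4, 1)),
    "rails-html-sanitizer": GemMeta("rails-team", date(2014, 1, 1), date(2021, 12, 1)),
    "foo": GemMeta("someone-else", date(2021, 6, 1), date(2022, 1, 1)),
    "foo-tools": GemMeta("acme", date(2022, 4, 25), date(2022, 4, 25)),
    "bar": GemMeta("someone-else", date(2019, 1, 1), date(2022, 3, 1)),
    "bar-client": GemMeta("acme", date(2020, 1, 1), date(2022, 4, 20)),
    "baz": GemMeta("someone-else", date(2018, 1, 1), date(2021, 1, 1)),
    "baz-legacy": GemMeta("acme", date(2018, 5, 1), date(2021, 1, 15)),
    "qux-lib": GemMeta("acme", date(2022, 1, 1), date(2022, 1, 1)),
    "nokogiri": GemMeta("sparklemotion", date(2008, 1, 1), date(2022, 4, 11)),
}


def was_exposed(name: str, registry: Dict[str, GemMeta], as_of: date) -> bool:
    """Did `name` match the takeover conditions described for the pre-fix 'yank' action?"""
    gem = registry.get(name)
    if gem is None or "-" not in name:
        return False
    prefix_gem = registry.get(name.split("-", 1)[0])
    # The prefix must be a real gem controlled by someone other than this gem's owner.
    if prefix_gem is None or prefix_gem.owner == gem.owner:
        return False
    young = as_of - gem.created <= timedelta(days=30)
    stale = as_of - gem.updated > timedelta(days=100)
    return young or stale


# Top-level spec lines in Gemfile.lock are indented by exactly four spaces;
# transitive dependencies are indented by six and are deliberately skipped.
LOCK_LINE = re.compile(r"^ {4}(?P<name>[A-Za-z0-9_.-]+) \((?P<version>[^)]+)\)$")


def gems_from_lockfile(text: str) -> List[str]:
    """Collect top-level gem names from the 'specs:' section of a Gemfile.lock."""
    names, in_specs = [], False
    for line in text.splitlines():
        if line.strip() == "specs:":
            in_specs = True
            continue
        if in_specs and not line.startswith("    "):
            in_specs = False
        match = LOCK_LINE.match(line) if in_specs else None
        if match:
            names.append(match.group("name"))
    return names


def audit_lockfile(text: str, registry: Dict[str, GemMeta], as_of: date) -> List[str]:
    """Names from the lockfile that matched the vulnerable pattern on `as_of`."""
    return [n for n in gems_from_lockfile(text) if was_exposed(n, registry, as_of)]


# Constructed Gemfile.lock excerpt.
SAMPLE_LOCK = """GEM
  remote: https://rubygems.org/
  specs:
    bar-client (2.1.0)
    baz-legacy (0.9.0)
    foo-tools (0.1.0)
    nokogiri (1.13.4)
      racc (~> 1.4)
    qux-lib (1.0.0)
    rails-html-sanitizer (1.4.2)

PLATFORMS
  ruby
"""

if __name__ == "__main__":
    print(audit_lockfile(SAMPLE_LOCK, REGISTRY, date(2022, 5, 9)))
```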
Tomi Engdahl says:
https://www.securityweek.com/us-offers-15-million-bounty-leaders-conti-ransomware-gang
Tomi Engdahl says:
Ransomware Attack Hits Production Facilities of Agricultural Equipment Giant AGCO
https://www.securityweek.com/ransomware-attack-hits-production-facilities-agricultural-equipment-giant-agco
Agricultural equipment giant AGCO says its business operations have been impacted after falling victim to a ransomware attack last week.
AGCO designs, makes, and distributes agricultural machinery and precision technology, offering equipment under brands such as Challenger, Fendt, Massey Ferguson, and Valtra.
On Friday, the company announced that it fell victim to a ransomware attack that impacted some production facilities.
AGCO says it has launched an investigation into the incident and estimates that it might need at least several days before it could restore all operations to normal.
Tomi Engdahl says:
Update now! F5 BIG-IP vulnerability being actively exploited https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/05/update-now-exploits-are-active-for-f5-big-ip-vulnerability/
The Australian Cyber Security Centre (ACSC) has announced it is aware of the existence of Proof of Concept (PoC) code exploiting a F5 Security Advisory Addressing Multiple Vulnerabilities in its BIG-IP Product Range. The vulnerability listed as CVE-2022-1388 allows attackers to bypass authentication on internet-exposed iControl interfaces, potentially executing arbitrary commands, creating or deleting files, or disabling services.
Tomi Engdahl says:
Ukrainian CERT Warns Citizens of a New Wave of Attacks Distributing Jester Malware https://thehackernews.com/2022/05/ukrainian-cert-warns-citizens-of-new.html
The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of phishing attacks that deploy an information-stealing malware called Jester Stealer on compromised systems. The mass email campaign carries the subject line “chemical attack” and contains a link to a macro-enabled Microsoft Excel file, opening which leads to computers getting infected with Jester Stealer.
Tomi Engdahl says:
Tractor giant AGCO hit by ransomware, halts production and sends home staff https://grahamcluley.com/tractor-giant-agco-hit-by-ransomware-halts-production-and-sends-home-staff/
A ransomware attack which hit agricultural equipment manufacturer AGCO has caused it to shut down some of its manufacturing facilities and send staff home. The firm acknowledged last week that its systems had been hit by ransomware, and that some of its production facilities had been impacted. Employees at its plant in Marktoberdorf, Germany, were sent home, as were assembly line workers at production lines in Beauvais, France.
Tomi Engdahl says:
DNA has protected its network in multiple layers
https://www.uusiteknologia.fi/2022/05/10/dna-on-suojannut-verkkonsa-monikerroksisesti/
DNA has several multi-layered measures for preserving technical capability in exceptional situations, says the company’s CTO Ville Virtanen. For example, most base stations are time- and phase-synchronized with each other by a clock signal that is delivered to them over a fixed backbone connection, in most cases fibre, rather than from a GPS satellite.
Recently, concern about influence attempts targeting Finland has made the news, which raises the question: how well are network connections protected in Finland? DNA, for example, is committed to complying with the Traficom regulation that came into force in July, which requires that the service capability of networks be ensured in various situations.
At DNA, all measures related to the design of the network architecture – that is, connections, facilities and systems – are, according to the company, united by one basic goal: ensuring continuity so that even if there is a momentary break in the network connection, the consumer does not have time to notice a fault.
DNA also has a clear operating protocol for the breakdown of base station equipment and the cutting of power lines, whether the cause of the damage is a natural phenomenon or deliberate sabotage.
“In the event of a power grid disruption, every base station runs on batteries for several hours, within which the majority of disruptions can be fixed. If the grid companies do not appear to be restoring power quickly enough, generators or other backup power units are transported to critical sites,” says DNA CTO Ville Virtanen.
the core, backbone and regional networks are at least doubly redundant
DNA’s submarine cables also have double redundancy
Tomi Engdahl says:
Soon a million messages a day – the attack targeting Finns’ phones is accelerating https://www.is.fi/digitoday/tietoturva/art-2000008806398.html
Tomi Engdahl says:
Worried that quantum computers will supercharge hacking, White House calls for encryption shift
National security memo envisions new cryptographic approach starting in 2024
https://www.science.org/content/article/worried-quantum-computers-will-supercharge-hacking-white-house-calls-encryption-shift
Tomi Engdahl says:
Microsoft May 2022 Patch Tuesday fixes 3 zero-days, 75 flaws https://www.bleepingcomputer.com/news/microsoft/microsoft-may-2022-patch-tuesday-fixes-3-zero-days-75-flaws/
Today is Microsoft’s May 2022 Patch Tuesday, and with it comes fixes for three zero-day vulnerabilities, with one actively exploited, and a total of 75 flaws. Of the 75 vulnerabilities fixed in today’s update, eight are classified as ‘Critical’ as they allow remote code execution or elevation of privileges.
Tomi Engdahl says:
Microsoft fixes new NTLM relay zero-day in all Windows versions https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-new-ntlm-relay-zero-day-in-all-windows-versions/
Microsoft has addressed an actively exploited Windows LSA spoofing zero-day that unauthenticated attackers can exploit remotely to force domain controllers to authenticate them via the Windows NT LAN Manager (NTLM) security protocol. LSA (short for Local Security Authority) is a protected Windows subsystem that enforces local security policies and validates users for local and remote sign-ins. The vulnerability, tracked as CVE-2022-26925 and reported by Bertelsmann Printing Group’s Raphael John, has been exploited in the wild and seems to be a new vector for the PetitPotam NTLM relay attack.
Tomi Engdahl says:
Examining the Black Basta Ransomware’s Infection Routine https://www.trendmicro.com/en_us/research/22/e/examining-the-black-basta-ransomwares-infection-routine.html
Black Basta, a new ransomware gang, has swiftly risen to prominence in recent weeks after it caused massive breaches to organizations in a short span of time. This blog entry takes a closer look at the Black Basta ransomware and analyzes this newcomer’s familiar infection techniques.
Tomi Engdahl says:
New REvil Samples Indicate Ransomware Gang is Back After Months of Inactivity https://thehackernews.com/2022/05/new-revil-samples-indicate-ransomware.html
The notorious ransomware operation known as REvil (aka Sodin or Sodinokibi) has resumed after six months of inactivity, an analysis of new ransomware samples has revealed.
Tomi Engdahl says:
F5 BIG-IP – Threat Brief: CVE-2022-1388
https://unit42.paloaltonetworks.com/cve-2022-1388/
On May 4, 2022, F5 released a security advisory for a remote code execution vulnerability in the iControlREST component of its BIG-IP product tracked in CVE-2022-1388. Threat actors can exploit this vulnerability to bypass authentication and run arbitrary code on unpatched systems. This is a critical vulnerability that needs immediate attention, as it was given a 9.8 CVSS score. Since the release of this advisory, mass scanning activity has started to occur, seeking unpatched systems, and in-the-wild exploitation has begun.
Tomi Engdahl says:
Info-stealer Campaign targets German Car Dealerships and Manufacturers https://blog.checkpoint.com/2022/05/10/a-german-car-attack-on-german-vehicle-businesses/
It started with a seemingly benign email, dealing with the purchase of a vehicle, and ended in a reveal of a months’ long campaign targeting German organizations. Most of the targets are related to the German auto-industry sector and the attacks were designed to deploy various types of info-stealing malware. The threat actors behind the operation registered multiple lookalike domains, all imitating existing German auto businesses that they later used to send phishing emails and to host the malware infrastructure.
Tomi Engdahl says:
GitHub announces enhanced 2FA experience for npm accounts https://www.bleepingcomputer.com/news/security/github-announces-enhanced-2fa-experience-for-npm-accounts/
Today, GitHub has launched a new public beta to notably improve the two-factor authentication (2FA) experience for all npm user accounts.
Myles Borins, Open Source Product Manager at GitHub, said that the code hosting platform now allows npm accounts to register “multiple second factors, such as security keys, biometric devices, and authentication applications.”
Tomi Engdahl says:
Cyber attack halted production at Valtra’s factory: ransomware is becoming more common, and companies are preparing better and better
https://yle.fi/uutiset/3-12439169
Little has been said about the incident, but the tractor factory’s parent group AGCO has stated in a press release that it was targeted by a ransomware attack.
Tomi Engdahl says:
Hackers Hit Web Hosting Provider Linked to Oregon Elections
https://www.securityweek.com/hackers-hit-web-hosting-provider-linked-oregon-elections
A week before Oregon’s primary election, the secretary of state’s office is moving to protect the integrity of its online system where campaign finance records are published after a web hosting provider was hit by a ransomware attack.
Secretary of State Shemia Fagan’s office said people inputting records into the ORESTAR state campaign finance reporting system may have been affected, and have been sent detailed instructions on how to proceed.
“The Oregon Secretary of State has not been hacked,” Fagan’s office reassured voters in a statement late Monday. “No sensitive data on our systems has been exposed. No systems related to elections administration have been compromised.”
Tomi Engdahl says:
Patch Tuesday: Microsoft Warns of New Zero-Day Being Exploited
https://www.securityweek.com/patch-tuesday-microsoft-warns-new-zero-day-being-exploited
Microsoft on Tuesday released critical software updates to fix at least 73 documented security flaws in the Windows ecosystem and warned that unknown attackers are already launching zero-day man-in-the-middle attacks.
The zero-day, flagged as CVE-2022-26925, is described as a Windows LSA spoofing vulnerability that provides a path for attackers to authenticate to domain controllers.
“An unauthenticated attacker could call a method on the LSARPC interface and coerce the domain controller to authenticate to the attacker using NTLM,” Microsoft warned in a barebones advisory that acknowledged the zero-day exploitation.
“This security update detects anonymous connection attempts in LSARPC and disallows it,” Microsoft added.
As is customary, the company did not provide any additional details on the exploits seen in the wild or any IOCs (indicators of compromise) to help defenders hunt for signs of compromise.
Tomi Engdahl says:
New Malware Samples Indicate Return of REvil Ransomware
https://www.securityweek.com/new-malware-samples-indicate-return-revil-ransomware