This posting is here to collect cyber security news in May 2022.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
408 Comments
Tomi Engdahl says:
Zyxel Firewall Vulnerability Exploitation Attempts Seen One Day After Disclosure
https://www.securityweek.com/zyxel-firewall-vulnerability-exploitation-attempts-seen-one-day-after-disclosure
Tomi Engdahl says:
CISA Removes Windows Vulnerability From ‘Must-Patch’ List Due to Buggy Update
https://www.securityweek.com/cisa-removes-windows-vulnerability-must-patch-list-due-buggy-update
The US Cybersecurity and Infrastructure Security Agency (CISA) has temporarily removed a Windows flaw from its Known Exploited Vulnerabilities Catalog after it was informed by Microsoft that a recent update can cause problems on some types of systems.
The vulnerability in question is CVE-2022-26925, which Microsoft describes as a Windows LSA spoofing vulnerability. The issue was addressed with the May 2022 Patch Tuesday updates and Microsoft warned at the time that the vulnerability has been publicly disclosed and exploited in attacks.
Tomi Engdahl says:
Patch Tuesday: Microsoft Warns of New Zero-Day Being Exploited
https://www.securityweek.com/patch-tuesday-microsoft-warns-new-zero-day-being-exploited
Microsoft on Tuesday released critical software updates to fix at least 73 documented security flaws in the Windows ecosystem and warned that unknown attackers are already launching zero-day man-in-the-middle attacks.
The zero-day, flagged as CVE-2022-26925, is described as a Windows LSA spoofing vulnerability that provides a path for attackers to authenticate to domain controllers.
“An unauthenticated attacker could call a method on the LSARPC interface and coerce the domain controller to authenticate to the attacker using NTLM,” Microsoft warned in a barebones advisory that acknowledged the zero-day exploitation.
Tomi Engdahl says:
‘Sysrv’ Botnet Targeting Recent Spring Cloud Gateway Vulnerability
https://www.securityweek.com/sysrv-botnet-targeting-recent-spring-cloud-gateway-vulnerability
Tomi Engdahl says:
US, EU to Ramp Up Chip Making and Raise Pressure on Russia
https://www.securityweek.com/us-eu-ramp-chip-making-and-raise-pressure-russia
The United States and the European Union announced on Monday a joint effort to boost microchip manufacturing and tackle Russian disinformation around the war in Ukraine.
The two sides met outside Paris as part of the Trade and Technology Council, a forum created last year aimed partially at countering China’s increasingly powerful position in the technology sector.
But EU and US officials focused much of their efforts instead on the difficulties created by Russia’s invasion of Ukraine, particularly with disinformation.
In its final statement, the council accused Russia of an “all-out assault on the truth” in Ukraine and promised an “early response framework” to tackle disinformation in future crises.
And it promised action over Russian disinformation elsewhere in the world, accusing Moscow of seeking to deflect blame over food supply shortages caused by its war in Ukraine.
“We see the damage from the Russian invasion spreading across the world,” said Margrethe Vestager, the European Commissioner for Competition.
Tomi Engdahl says:
Hackers Can Abuse Low-Power Mode to Run Malware on Powered-Off iPhones
https://www.securityweek.com/hackers-can-abuse-low-power-mode-run-malware-powered-iphones
Researchers from a university in Germany have analyzed the low-power mode (LPM) implementation on iPhones and found that it introduces potentially serious security risks, even allowing attackers to run malware on powered-off devices.
LPM is activated when the user switches off the iPhone or when the device shuts down due to low battery. While the device appears completely turned off, LPM ensures that certain features are still available, including the Find My service (for locating a device), digital car keys, payment apps, and travel cards.
While LPM has many benefits, it also introduces some security risks that cannot be ignored, particularly by journalists, activists and other individuals who are more likely to be targeted by well-funded threat actors.
An analysis conducted by a team of researchers from the Secure Mobile Networking Lab at TU Darmstadt showed that, on recent iPhone models, Bluetooth, NFC and Ultra-wideband (UWB) wireless communication systems remain active even after the device has been shut down. They conducted an analysis of the features introduced in iOS 15.
“The Bluetooth and UWB chips are hardwired to the Secure Element (SE) in the NFC chip, storing secrets that should be available in LPM. Since LPM support is implemented in hardware, it cannot be removed by changing software components. As a result, on modern iPhones, wireless chips can no longer be trusted to be turned off after shutdown,” the researchers explained.
Tomi Engdahl says:
Ransomware Gang Threatens to Overthrow Costa Rica Government
https://www.securityweek.com/ransomware-gang-threatens-overthrow-costa-rica-government
Tomi Engdahl says:
Researchers Devise New Type of Bluetooth LE Relay Attacks
https://www.securityweek.com/researchers-devise-new-type-bluetooth-le-relay-attacks
Security researchers at NCC Group have created a new tool capable of launching a new type of Bluetooth Low Energy (BLE) relay attack that bypasses existing protections and mitigations.
Meant to provide significantly reduced power consumption and costs at communication ranges similar to those provided by Bluetooth, BLE is used for a broad range of applications in sectors such as automotive, healthcare, security, home entertainment, and more.
BLE proximity authentication is typically used to unlock or keep unlocked products such as cars, smart locks, access control systems, and laptops, as long as a trusted BLE device is in range.
Because BLE proximity authentication is prone to relay attacks, various mitigations were introduced, including detectable levels of latency (strict GATT response time limits), encrypted link layer, and localization techniques.
The new NCC Group tool can conduct a new type of relay attack that operates at the link layer, successfully bypassing existing mitigations. The attack can forward encrypted link layer PDUs and can also detect encrypted changes to connection parameters and adapt to them.
The researchers have tested the attack against Tesla vehicles that rely on a BLE-based passive entry system where users can unlock and operate the vehicle using an authorized mobile device or key fob.
Technical Advisory – BLE Proximity Authentication Vulnerable to Relay Attacks
https://research.nccgroup.com/2022/05/15/technical-advisory-ble-proximity-authentication-vulnerable-to-relay-attacks/
Tomi Engdahl says:
Natasha Lomas / TechCrunch:
Report: the real-time bidding industry exposes a person’s online activity and location 747 times per day on average in the US and 376 times per day in Europe — New data about the real-time-bidding (RTB) system’s use of web users’ info for tracking and ad targeting, released today …
Report spotlights vast scale of adtech’s ‘biggest data breach’
https://techcrunch.com/2022/05/16/iccl-rtb-report-google-gdpr/
New data about the real-time-bidding (RTB) system’s use of web users’ info for tracking and ad targeting, released today by the Irish Council for Civil Liberties (ICCL), suggests Google and other key players in the high velocity, surveillance-based ad auction system are processing and passing people’s data billions of times per day.
“RTB is the biggest data breach ever recorded,” argues the ICCL. “It tracks and shares what people view online and their real-world location 294 billion times in the U.S. and 197 billion times in Europe every day.”
The ICCL’s report, which is based on industry figures that the rights organization says it obtained from a confidential source, offers an estimate of RTB per person per day across U.S. states and European countries which suggests that web users in Colorado and the U.K. are among the most exposed by the system — with 987 and 462 RTB broadcasts apiece per person per day.
Tomi Engdahl says:
T&T: Cyber attacks from Russia against Finland's electricity system
Serious attacks from around the world arrive roughly weekly, Tekniikka&Talous reports.
https://www.iltalehti.fi/kotimaa/a/d06a525e-9e3d-400f-b470-93f02d0af868
According to Tekniikka&Talous, the IT systems of Fingrid, Finland's electricity transmission system operator, are targeted by several dozen cyber attacks per day.
The company's ICT director Kari Suominen confirms this to T&T. By far the majority of the attacks, however, are fairly ordinary phishing attempts.
Clearly targeted, serious attacks against Fingrid's network happen on a weekly basis, according to the paper.
Some of the attacks come from the direction of major powers, but some come from elsewhere. In the Tekniikka&Talous interview Suominen names China, Russia, the United States and India among the countries.
According to Tekniikka&Talous, both the everyday and the more serious attacks against Fingrid are almost exclusively intrusion attempts, i.e. aimed at obtaining information or gaining access to the system. Denial-of-service attacks aimed at paralysing the system are very rare.
Cyber attacks from Russia against Finland's electricity system
Tuomas Kangasniemi, 17.5.2022 10:04 | updated 17.5.2022 12:37
https://www.tekniikkatalous.fi/uutiset/venajalta-tehty-kyberhyokkayksia-suomen-sahkojarjestelmaan/b97ed96b-fd7c-4788-a7a2-f9277dcce3ca
Serious attacks from around the world arrive roughly weekly. The geographic direction is easy to see each time, but what kind of actor is behind it is difficult or impossible to assess.
The IT systems of Fingrid, Finland's electricity transmission system operator, are targeted by several dozen cyber attacks per day, says the company's ICT director Kari Suominen. By far the majority of them, however, are fairly ordinary phishing attempts.
Tomi Engdahl says:
8 different kinds of cyber strike: this is how Finland could be attacked https://www.is.fi/digitoday/tietoturva/art-2000008819316.html
Tomi Engdahl says:
Most people know the 72-hour rule, but this preparedness guide should also be known https://www.is.fi/digitoday/art-2000008680515.html
Tomi Engdahl says:
US warning: North Korea’s tech workers posing as freelance developers https://www.zdnet.com/article/us-warning-north-koreas-tech-workers-posing-as-freelance-developers/
Skilled software and mobile app developers from North Korea are posing as US-based remote workers to land contract work as developers in US and European tech and crypto firms.
Tomi Engdahl says:
Hackers target Tatsu WordPress plugin in millions of attacks https://www.bleepingcomputer.com/news/security/hackers-target-tatsu-wordpress-plugin-in-millions-of-attacks/
Hackers are massively exploiting a remote code execution vulnerability, CVE-2021-25094, in the Tatsu Builder plugin for WordPress, which is installed on about 100,000 websites. Up to 50,000 websites are estimated to still run a vulnerable version of the plugin, although a patch has been available since early April. Large attack waves started on May 10, 2022 and peaked four days later. Exploitation is currently ongoing.
Tomi Engdahl says:
“Look what I found here” phish targets Facebook users https://blog.malwarebytes.com/scams/2022/05/look-what-i-found-here-phish-targets-facebook-users/
One such phishing message is currently doing the rounds in Dutch, and it plugs into a sense of FOMO to encourage you to click the link. It was first observed back in March, and appears to be making a comeback.
Tomi Engdahl says:
U.S. Charges Venezuelan Doctor for Using and Selling Thanos Ransomware https://thehackernews.com/2022/05/us-charges-venezuelan-doctor-for-using.html
The U.S. Justice Department on Monday accused a 55-year-old cardiologist from Venezuela of being the mastermind behind Thanos ransomware, charging him with the use and sale of the malicious tool and entering into profit sharing arrangements. Moises Luis Zagala Gonzalez, also known by the monikers Nosophoros, Aesculapius, and Nebuchadnezzar, is alleged to have both developed and marketed the ransomware to other cybercriminals to facilitate the intrusions and get a share of the bitcoin payment.
Tomi Engdahl says:
UpdateAgent Returns with New macOS Malware Dropper Written in Swift https://thehackernews.com/2022/05/updateagent-returns-with-new-macos.html
A new variant of the macOS malware tracked as UpdateAgent has been spotted in the wild, indicating ongoing attempts on the part of its authors to upgrade its functionalities. “Perhaps one of the most identifiable features of the malware is that it relies on the AWS infrastructure to host its various payloads and perform its infection status updates to the server,” researchers from Jamf Threat Labs said in a report. UpdateAgent, first detected in late 2020, has since evolved into a malware dropper, facilitating the distribution of second-stage payloads such as adware while also bypassing macOS Gatekeeper protections. also:
https://www.jamf.com/blog/updateagent-adapts-again/
Tomi Engdahl says:
Hacker showed how a Tesla is stolen: the doors opened in 10 seconds
https://www.tivi.fi/uutiset/tv/5641141c-08d5-44a4-88f8-d621cf268b43
Besides technical skill, a clean break-in takes only a 150 dollar investment.
Tomi Engdahl says:
US Accuses Venezuelan Doctor of Creating and Selling Ransomware
https://www.securityweek.com/us-accuses-venezuelan-doctor-creating-and-selling-ransomware
Tomi Engdahl says:
Detecting and Preventing F5 Big-IP Critical Vulnerability – CVE-2022-1388
https://www.socinvestigation.com/detecting-and-preventing-f5-big-ip-critical-vulnerability-cve-2022-1388/
Tomi Engdahl says:
Millions of U.S. government employees and contractors have been issued a secure smart ID card that enables physical access to buildings and controlled spaces, and provides access to government computer networks and systems at the cardholder’s appropriate security level. But many government employees aren’t issued an approved card reader device that lets them use these cards at home or remotely, and so turn to low-cost readers they find online. What could go wrong? Here’s one example.
Apparently infected drivers may be little more than a case of a technology company having their site hacked and responding poorly. “Doing a web search for drivers is a VERY dangerous (in terms of legit/malicious hit ratio) search to perform”
When Your Smart ID Card Reader Comes With Malware
https://krebsonsecurity.com/2022/05/when-your-smart-id-card-reader-comes-with-malware/
KrebsOnSecurity recently heard from a reader — we’ll call him “Mark” because he wasn’t authorized to speak to the press — who works in IT for a major government defense contractor and was issued a Personal Identity Verification (PIV) government smart card designed for civilian employees. Not having a smart card reader at home and lacking any obvious guidance from his co-workers on how to get one, Mark opted to purchase a $15 reader from Amazon that said it was made to handle U.S. government smart cards.
The USB-based device Mark settled on is the first result that currently comes up when one searches on Amazon.com for “PIV card reader.” The card reader Mark bought was sold by a company called Saicoo, whose sponsored Amazon listing advertises a “DOD Military USB Common Access Card (CAC) Reader” and has more than 11,700 mostly positive ratings.
The Common Access Card (CAC) is the standard identification for active duty uniformed service personnel, selected reserve, DoD civilian employees, and eligible contractor personnel. It is the principal card used to enable physical access to buildings and controlled spaces, and provides access to DoD computer networks and systems.
Mark said when he received the reader and plugged it into his Windows 10 PC, the operating system complained that the device’s hardware drivers weren’t functioning properly. Windows suggested consulting the vendor’s website for newer drivers.
So Mark went to the website mentioned on Saicoo’s packaging and found a ZIP file containing drivers for Linux, Mac OS and Windows
Out of an abundance of caution, Mark submitted Saicoo’s drivers file to Virustotal.com, which simultaneously scans any shared files with more than five dozen antivirus and security products. Virustotal reported that some 43 different security tools detected the Saicoo drivers as malicious. The consensus seems to be that the ZIP file currently harbors a malware threat known as Ramnit, a fairly common but dangerous trojan horse that spreads by appending itself to other files.
Amazon said in a written statement that it was investigating the reports.
“Seems like a potentially significant national security risk, considering that many end users might have elevated clearance levels who are using PIV cards for secure access,” Mark said.
Mark said he contacted Saicoo about their website serving up malware, and received a response saying the company’s newest hardware did not require any additional drivers. He said Saicoo did not address his concern that the driver package on its website was bundled with malware.
In response to KrebsOnSecurity’s request for comment, Saicoo sent a somewhat less reassuring reply.
“From the details you offered, issue may probably caused by your computer security defense system as it seems not recognized our rarely used driver & detected it as malicious or a virus,” Saicoo’s support team wrote in an email.
“Actually, it’s not carrying any virus as you can trust us, if you have our reader on hand, please just ignore it and continue the installation steps,” the message continued. “When driver installed, this message will vanish out of sight. Don’t worry.”
The trouble with Saicoo’s apparently infected drivers may be little more than a case of a technology company having their site hacked and responding poorly. Will Dormann, a vulnerability analyst at CERT/CC, wrote on Twitter that the executable files (.exe) in the Saicoo drivers ZIP file were not altered by the Ramnit malware — only the included HTML files.
Dormann said it’s bad enough that searching for device drivers online is one of the riskiest activities one can undertake online.
“Doing a web search for drivers is a VERY dangerous (in terms of legit/malicious hit ratio) search to perform, based on results of any time I’ve tried to do it,” Dormann added. “Combine that with the apparent due diligence of the vendor outlined here, and well, it ain’t a pretty picture.”
But by all accounts, the potential attack surface here is enormous, as many federal employees clearly will purchase these readers from a myriad of online vendors when the need arises. Saicoo’s product listings, for example, are replete with comments from customers who self-state that they work at a federal agency (and several who reported problems installing drivers).
A thread about Mark’s experience on Twitter generated a strong response from some of my followers, many of whom apparently work for the U.S. government in some capacity and have government-issued CAC or PIV cards.
Two things emerged clearly from that conversation. The first was general confusion about whether the U.S. government has any sort of list of approved vendors. It does. The General Services Administration (GSA), the agency which handles procurement for federal civilian agencies, maintains a list of approved card reader vendors at idmanagement.gov (Saicoo is not on that list).
The other theme that ran through the Twitter discussion was the reality that many people find buying off-the-shelf readers more expedient than going through the GSA’s official procurement process, whether it’s because they were never issued one or the reader they were using simply no longer worked or was lost and they needed another one quickly.
“Almost every officer and NCO [non-commissioned officer] I know in the Reserve Component has a CAC reader they bought because they had to get to their DOD email at home and they’ve never been issued a laptop or a CAC reader,”
“When your boss tells you to check your email at home and you’re in the National Guard and you live 2 hours from the nearest [non-classified military network installation], what do you think is going to happen?”
Interestingly, anyone asking on Twitter about how to navigate purchasing the right smart card reader and getting it all to work properly is invariably steered toward militarycac.com
Dixon said Danberry has “done more to keep the Army running and connected than all the G6s [Army Chief Information Officers] put together.”
In many ways, Mr. Danberry is the equivalent of that little known software developer whose tiny open-sourced code project ends up becoming widely adopted and eventually folded into the fabric of the Internet. I wonder if he ever imagined 15 years ago that his website would one day become “critical infrastructure” for Uncle Sam?
Tomi Engdahl says:
Bill Toulas / BleepingComputer:
Researchers detail a BLE relay attack to unlock and operate a Tesla outside its BLE range; when told in April, Tesla said relay attacks are a “known limitation”
Hackers can steal your Tesla Model 3, Y using new Bluetooth attack
https://www.bleepingcomputer.com/news/security/hackers-can-steal-your-tesla-model-3-y-using-new-bluetooth-attack/
Security researchers at the NCC Group have developed a tool to carry out a Bluetooth Low Energy (BLE) relay attack that bypasses all existing protections to authenticate on target devices.
BLE technology is used in a wide spectrum of products, from electronics like laptops, mobile phones, smart locks, and building access control systems to cars like Tesla Model 3 and Model Y.
Pushing out fixes for this security problem is complicated, and even if the response is immediate and coordinated, it would still take a long time for the updates to trickle to impacted products.
How the attack works
In this type of relay attack, an adversary intercepts and can manipulate the communication between two parties, such as the key fob that unlocks and operates the car and the vehicle itself.
This places the attacker in the middle of the two ends of the communication, allowing them to relay the signal as if they were standing right next to the car.
Products that rely on BLE for proximity-based authentication protect against known relay attack methods by introducing checks based on precise amounts of latency and also link-layer encryption.
NCC Group has developed a tool that operates at the link layer and with a latency of 8ms that is within the accepted 30ms range of the GATT (Generic ATTribute Profile) response.
According to Sultan Qasim Khan, a senior security consultant at NCC Group, it takes about ten seconds to run the attack and it can be repeated endlessly.
Both the Tesla Model 3 and Model Y use a BLE-based entry system, so NCC’s attack could be used to unlock and start the cars.
While technical details behind this new BLE relay attack have not been published, the researchers say that they tested the method on a Tesla Model 3 from 2020 using an iPhone 13 mini running version 4.6.1-891 of the Tesla app.
“NCC Group was able to use this newly developed relay attack tool to unlock and operate the vehicle while the iPhone was outside the BLE range of the vehicle” – NCC Group
During the experiment, they were able to deliver to the car the communication from the iPhone via two relay devices, one placed seven meters away from the phone, the other sitting three meters from the car. The distance between the phone and the car was 25 meters.
The experiment was also replicated successfully on a Tesla Model Y from 2021, since it uses similar technologies.
These findings were reported to Tesla on April 21st. A week later, the company responded by saying “that relay attacks are a known limitation of the passive entry system.”
The researchers also notified Spectrum Brands, the parent company behind Kwikset (makers of the Kevo line of smart locks).
What can be done
NCC Group’s research on this new proximity attack is available in three separate advisories, for BLE in general, one for Tesla cars, and another for Kwikset/Weiser smart locks, each illustrating the issue on the tested devices and how it affects a larger set of products from other vendors.
The Bluetooth Core Specification warns device makers about relay attacks and notes that proximity-based authentication shouldn’t be used for valuable assets.
This leaves users with few possibilities, one being to disable it, if possible, and switch to an alternative authentication method that requires user interaction.
Another solution would be for makers to adopt a distance bounding solution such as UWB (ultra-wideband) radio technology instead of Bluetooth.
Tesla owners are encouraged to use the ‘PIN to Drive’ feature, so even if their car is unlocked, at least the attacker won’t be able to drive away with it.
Additionally, disabling the passive entry functionality in the mobile app when the phone is stationary would make the relay attack impossible to carry out.
If none of the above is possible on your device, keep in mind the possibility of relay attacks and implement additional protection measures accordingly.
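As an added example (mine, not NCC Group's tool and not Tesla's or Kwikset's code) of the two points made in the NCC Group advisory comment above and in this article: a GATT response-time limit of 30 ms does not stop a relay that forwards link-layer PDUs with 8 ms of added latency, while a distance-bounding check of the kind UWB provides does. The model below assumes an HMAC challenge/response as the proximity protocol, a fixed 5 ms prover processing time and a 10 m distance bound; those values, the class names and the simulated clock are assumptions, while the 30 ms budget and the 8 ms relay latency come from the article.

```python
"""Model of BLE proximity authentication: a GATT latency check, the link-layer relay
described in the article, and a time-of-flight (distance-bounding) check that catches it."""
import hashlib
import hmac
import os

GATT_RESPONSE_LIMIT_MS = 30.0      # response-time budget cited in the article
RELAY_LATENCY_MS = 8.0             # forwarding delay of the relay tool, per the article
PROVER_PROCESSING_MS = 5.0         # assumed fixed time the phone needs to answer a challenge
SPEED_OF_LIGHT_M_PER_MS = 299_792.458
MAX_DISTANCE_M = 10.0              # assumed bound for a UWB-style ranging check


def round_trip_ms(distance_m: float) -> float:
    """Radio round-trip time for a signal that travels distance_m each way."""
    return 2.0 * distance_m / SPEED_OF_LIGHT_M_PER_MS


class Phone:
    """The prover: answers challenges with an HMAC over a key shared with the vehicle."""

    def __init__(self, key: bytes):
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class Vehicle:
    """The verifier: issues random challenges, checks the response, the GATT latency
    budget and, optionally, the distance implied by the time of flight."""

    def __init__(self, key: bytes, distance_bounding: bool = False):
        self._key = key
        self.distance_bounding = distance_bounding

    def new_challenge(self) -> bytes:
        return os.urandom(16)

    def verify(self, challenge: bytes, response: bytes, elapsed_ms: float):
        expected = hmac.new(self._key, challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            return False, "bad response"
        if elapsed_ms > GATT_RESPONSE_LIMIT_MS:
            return False, "GATT response too slow"
        if self.distance_bounding:
            # Only works because the prover's processing time is fixed and known:
            # whatever is left after subtracting it must be time of flight.
            flight_ms = elapsed_ms - PROVER_PROCESSING_MS
            distance_m = flight_ms * SPEED_OF_LIGHT_M_PER_MS / 2.0
            if distance_m > MAX_DISTANCE_M:
                return False, f"prover estimated {distance_m:.0f} m away"
        return True, "unlocked"


def attempt_unlock(vehicle: Vehicle, phone: Phone, phone_distance_m: float,
                   relay_delay_ms: float = 0.0):
    """One challenge/response round on a simulated clock. relay_delay_ms is the extra
    latency added by relay devices sitting between the vehicle and a phone that is
    really phone_distance_m away."""
    challenge = vehicle.new_challenge()
    response = phone.respond(challenge)
    elapsed = PROVER_PROCESSING_MS + round_trip_ms(phone_distance_m) + relay_delay_ms
    return vehicle.verify(challenge, response, elapsed)


def scenarios():
    """Verdicts for the cases discussed in the article (constructed inputs)."""
    key = os.urandom(32)
    phone = Phone(key)
    plain = Vehicle(key)
    bounded = Vehicle(key, distance_bounding=True)
    return {
        "owner at 3 m": attempt_unlock(plain, phone, 3.0),
        "owner at 3 m, distance bounding": attempt_unlock(bounded, phone, 3.0),
        "app-layer relay, 50 ms": attempt_unlock(plain, phone, 25.0, relay_delay_ms=50.0),
        "link-layer relay, 8 ms": attempt_unlock(plain, phone, 25.0,
                                                 relay_delay_ms=RELAY_LATENCY_MS),
        "link-layer relay, distance bounding": attempt_unlock(
            bounded, phone, 25.0, relay_delay_ms=RELAY_LATENCY_MS),
        "wrong key": attempt_unlock(plain, Phone(os.urandom(32)), 3.0),
    }


if __name__ == "__main__":
    for name, (ok, why) in scenarios().items():
        print(f"{name:40s} {'ACCEPT' if ok else 'REJECT':6s} {why}")
```

Calling scenarios() gives a verdict per case: the 50 ms application-layer relay is rejected by the latency budget, the 8 ms link-layer relay passes it and is rejected only by the distance bound, because the time of flight over 25 m is about 0.17 µs while the relay adds 8 ms, roughly five orders of magnitude more. Tightening the GATT timer cannot close that gap, since BLE gives no fixed prover processing time to subtract; that is why the article points to UWB rather than to a stricter BLE timer.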
Tomi Engdahl says:
VMware patches critical auth bypass flaw in multiple products https://www.bleepingcomputer.com/news/security/vmware-patches-critical-auth-bypass-flaw-in-multiple-products/
VMware warned customers today to immediately patch a critical authentication bypass vulnerability “affecting local domain users” in multiple products that can be exploited to obtain admin privileges.
The flaw (tracked as CVE-2022-22972) was reported by Bruno López of Innotec Security, who found that it impacts Workspace ONE Access, VMware Identity Manager (vIDM), and vRealize Automation. “A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate,” the company explains. also:
https://core.vmware.com/vmsa-2022-0014-questions-answers-faq
Tomi Engdahl says:
DHS orders federal agencies to patch VMware bugs within 5 days https://www.bleepingcomputer.com/news/security/dhs-orders-federal-agencies-to-patch-vmware-bugs-within-5-days/
The Department of Homeland Security’s cybersecurity unit ordered Federal Civilian Executive Branch (FCEB) agencies today to urgently update or remove VMware products from their networks by Monday due to an increased risk of attacks. also:
https://www.cisa.gov/uscert/ncas/alerts/aa22-138b also:
https://www.cisa.gov/uscert/ncas/current-activity/2022/05/18/cisa-issues-emergency-directive-and-releases-advisory-related
Tomi Engdahl says:
Threat Actors Exploiting F5 BIG-IP CVE-2022-1388 – Alert (AA22-138A) https://www.cisa.gov/uscert/ncas/alerts/aa22-138a
The Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing & Analysis Center (MS-ISAC) are releasing this joint Cybersecurity Advisory (CSA) in response to active exploitation of CVE-2022-1388. This recently disclosed vulnerability in certain versions of F5 Networks, Inc., (F5) BIG-IP enables an unauthenticated actor to gain control of affected systems via the management port or self-IP addresses. F5 released a patch for CVE-2022-1388 on May 4, 2022, and proof of concept (POC) exploits have since been publicly released, enabling less sophisticated actors to exploit the vulnerability. Due to previous exploitation of F5 BIG-IP vulnerabilities, CISA and MS-ISAC assess unpatched F5 BIG-IP devices are an attractive target; organizations that have not applied the patch are vulnerable to actors taking control of their systems.
Tomi Engdahl says:
Suomi.fi warns of scams in circulation
https://www.tivi.fi/uutiset/tv/db6d09c3-2ddf-4fb2-a121-edefd2f178e2
The national identification service Suomi.fi warns that scam messages have been sent in its name. “Suomi.fi e-Identification never sends email or text messages to its customers,” the service states on Twitter. If you receive such a suspicious message, do not click the link in it. It leads to a site that tries to steal Finns' identification credentials.
Tomi Engdahl says:
Gmail-linked Facebook accounts vulnerable to attack using a chain of bugs, now fixed https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/05/gmail-linked-facebook-accounts-vulnerable-to-attack-using-a-chain-of-bugs-now-fixed/
A security researcher has disclosed how he chained together multiple bugs in order to take over Facebook accounts that were linked to a Gmail account. Youssef Sammouda states it was possible to target all Facebook users but that it was more complicated to develop an exploit, and using Gmail was actually enough to demonstrate the impact of his discoveries. also: https://ysamm.com/?p=763
Tomi Engdahl says:
#ALHACK: Bad ALAC- one codec to hack the whole world https://research.checkpoint.com/2022/bad-alac-one-codec-to-hack-the-whole-world/
The open source ALAC decoder contains serious vulnerabilities. Apple keeps updating the proprietary version of the decoder and fixing security issues, but the shared code has not been patched since 2011.
Many third-party vendors use the Apple-supplied code as the basis for their own ALAC implementations, and it’s fair to assume that many of them do not maintain the external code. Our goal was not to find all the projects that integrate the ALAC decoder, but we easily found several popular Ubuntu packages in the Universe repository that are also based on the vulnerable ALAC code and can be targeted by an attacker for RCE on an Ubuntu machine. In this study, we focus on mobile devices.
Tomi Engdahl says:
Chaos Ransomware Variant Sides with Russia https://www.fortinet.com/blog/threat-research/chaos-ransomware-variant-sides-with-russia
FortiGuard Labs recently came across a variant of the Chaos ransomware that appears to side with Russia. This blog explains the vicious consequences that the Chaos variant delivers to a compromised machine.
Tomi Engdahl says:
Millions of U.S. government employees and contractors have been issued a secure smart ID card that enables physical access to buildings and controlled spaces, and provides access to government computer networks and systems at the cardholder’s appropriate security level https://krebsonsecurity.com/2022/05/when-your-smart-id-card-reader-comes-with-malware/
But many government employees aren’t issued an approved card reader device that lets them use these cards at home or remotely, and so turn to low-cost readers they find online. What could go wrong? Here’s one example.
Tomi Engdahl says:
Russia launched its own app store, and hackers struck immediately https://www.is.fi/digitoday/tietoturva/art-2000008824661.html
Russia has opened its own app store for Android phone apps.
NashStore, roughly “our store” in English, opened to app developers on Victory Day, 9 May. It was opened to the general public on Monday 16 May. Right after its launch, NashStore became the target of an attack by the IT Army of Ukraine hackers coordinated by Ukraine. The app store was designated as a target on the group's Telegram channel yesterday, Tuesday, the day after it opened to the public, and heavy denial-of-service attacks have since been aimed at it. Even though carrying out network attacks in support of Ukraine might seem like a good idea, it is illegal.
The activity not only breaks Finnish law, it makes the perpetrator a party to the conflict. Among others, WithSecure's chief research officer Mikko Hyppönen has reminded that carrying out network attacks is legally permitted for Ukrainians, but not for Finns.
Tomi Engdahl says:
Hackers Gain Fileless Persistence on Targeted SQL Servers Using a Built-in Utility https://thehackernews.com/2022/05/hackers-gain-fileless-persistence-on.html
Microsoft on Tuesday warned that it recently spotted a malicious campaign targeting SQL Servers that leverages a built-in PowerShell binary to achieve persistence on compromised systems. The intrusions, which leverage brute-force attacks as an initial compromise vector, stand out for their use of the utility “sqlps.exe,” the tech giant said in a series of tweets. The ultimate goals of the campaign are unknown, as is the identity of the threat actor staging it. Microsoft is tracking the malware under the name “SuspSQLUsage.”
Tomi Engdahl says:
Uncovering a Kingminer Botnet Attack Using Trend Micro Managed XDR https://www.trendmicro.com/en_us/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html
We observed malicious activities in a client’s SQL server that flagged a potential exploit in one public-facing device. A quick look at the Trend Micro Vision One Workbench showed that a Microsoft SQL server process created an obfuscated PowerShell command. This suggested that the machine had been compromised, prompting us to investigate further.
The tactics, techniques, and procedures (TTPs) discussed here reflect many of the TTPs that threat researchers have identified with the Kingminer botnet. According to reports in mid-2020, malicious actors deployed Kingminer to target SQL servers for cryptocurrency mining.
Tomi Engdahl says:
Cyberattack knocked nearly 6,000 wind turbines offline – repairs took months
https://www.tivi.fi/uutiset/tv/ad692ccc-5964-4373-9b15-4b2d49285bb9
According to German media, the country’s wind power producers have been hit by several cyberattacks in recent months. In Germany, Russians are suspected of carrying out the attacks, but there is no certainty about this. According to the Finnish Wind Power Association, the industry in Finland has not seen more cyberattacks or attempted attacks than usual in recent months.
Tomi Engdahl says:
Chinese ‘Space Pirates’ are hacking Russian aerospace firms https://www.bleepingcomputer.com/news/security/chinese-space-pirates-are-hacking-russian-aerospace-firms/
A previously unknown Chinese hacking group known as ‘Space Pirates’ targets enterprises in the Russian aerospace industry with phishing emails to install novel malware on their systems. The threat group is believed to have started operating in 2017, and while it has links to known groups like APT41 (Winnti), Mustang Panda, and APT27, it is thought to be a new cluster of malicious activity. Russian threat analysts at Positive Technologies named the group “Space Pirates” due to their espionage operations focusing on stealing confidential information from companies in the aerospace field.
Tomi Engdahl says:
Dan Goodin / Ars Technica:
The CISA orders US federal civilian agencies to patch or remove VMware products affected by a critical RCE vulnerability that hackers are actively exploiting — Security flaws in VMware and F5’s BIG-IP are being exploited by malicious hackers. — Malicious hackers, some believed to be state-backed …
2 vulnerabilities with 9.8 severity ratings are under exploit. A 3rd looms
Security flaws in VMware and F5’s BIG-IP are being exploited by malicious hackers.
https://arstechnica.com/information-technology/2022/05/2-vulnerabilities-with-9-8-severity-ratings-are-under-exploit-a-3rd-looms/
Malicious hackers, some believed to be state-backed, are actively exploiting two unrelated vulnerabilities—both with severity ratings of 9.8 out of a possible 10—in hopes of infecting sensitive enterprise networks with backdoors, botnet software, and other forms of malware.
The ongoing attacks target unpatched versions of multiple product lines from VMware and of BIG-IP software from F5, security researchers said. Both vulnerabilities give attackers the ability to remotely execute malicious code or commands that run with unfettered root system privileges. The largely uncoordinated exploits appear to be malicious, as opposed to benign scans that attempt to identify vulnerable servers and quantify their number.
First up: VMware
On April 6, VMware disclosed and patched a remote code execution vulnerability tracked as CVE-2022-22954 and a privilege escalation flaw tracked as CVE-2022-22960. According to an advisory published on Wednesday by the Cybersecurity and Infrastructure Security Agency, “malicious cyber actors were able to reverse engineer the updates to develop an exploit within 48 hours and quickly began exploiting the disclosed vulnerabilities in unpatched devices.”
CISA said the actors were likely part of an advanced persistent threat, a term for sophisticated and well-financed hacker groups typically backed by a nation-state. Once the hackers have compromised a device, they use their root access to install a webshell known as Dingo J-spy on the networks of at least three organizations.
“According to trusted third-party reporting, threat actors may chain these vulnerabilities. At one compromised organization, on or around April 12, 2022, an unauthenticated actor with network access to the web interface leveraged CVE-2022-22954 to execute an arbitrary shell command as a VMware user,” Wednesday’s advisory stated. “The actor then exploited CVE-2022-22960 to escalate the user’s privileges to root. With root access, the actor could wipe logs, escalate permissions, and move laterally to other systems.”
One of the vulnerabilities, CVE-2022-22972, also carries a severity rating of—you guessed it—9.8. The other one, CVE-2022-22973, is rated 7.8.
Given the exploits already underway for the VMware vulnerabilities fixed last month, CISA said it “expects malicious cyber actors to quickly develop a capability to exploit newly released vulnerabilities CVE-2022-22972 and CVE-2022-22973 in the same impacted VMware products.”
Alert (AA22-138B)
Threat Actors Chaining Unpatched VMware Vulnerabilities for Full System Control
https://www.cisa.gov/uscert/ncas/alerts/aa22-138b
The Cybersecurity and Infrastructure Security Agency (CISA) is releasing this Cybersecurity Advisory (CSA) to warn organizations that malicious cyber actors, likely advanced persistent threat (APT) actors, are exploiting CVE-2022-22954 and CVE-2022-22960 separately and in combination. These vulnerabilities affect certain versions of VMware Workspace ONE Access, VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager. Exploiting these vulnerabilities permits malicious actors to trigger a server-side template injection that may result in remote code execution (RCE) (CVE-2022-22954) or escalation of privileges to root (CVE-2022-22960).
VMware released updates for both vulnerabilities on April 6, 2022, and, according to a trusted third party, malicious cyber actors were able to reverse engineer the updates to develop an exploit within 48 hours and quickly began exploiting the disclosed vulnerabilities in unpatched devices.
BIG-IP also under fire
Meanwhile, enterprise networks are also under attack from hackers exploiting CVE-2022-1388, an unrelated vulnerability with a 9.8 severity rating found in BIG-IP, a software package from F5. Nine days ago, the company disclosed and patched the vulnerability, which hackers can exploit to execute commands that run with root system privileges. The scope and magnitude of the vulnerability prompted marvel and shock in some security circles and earned it a high severity rating.
Tomi Engdahl says:
Lauren Feiner / CNBC:
New York AG plans to investigate social media platforms “used to stream, promote, or plan” the Buffalo attack, including Twitch, Discord, 4chan, and 8chan — New York Attorney General Letitia James will investigate social media companies in connection to the apparently racially motivated attack …
Amazon’s Twitch, Discord, 4chan face New York AG probe after Buffalo shooting
https://www.cnbc.com/2022/05/18/new-york-ag-will-probe-social-media-following-buffalo-shooting.html
New York Attorney General Letitia James will investigate social media companies in connection to the apparently racially motivated attack at a Buffalo supermarket that left 10 dead and three injured.
Amazon’s Twitch, Discord, 4chan and 8chan will be among the platforms her office will probe.
During the attack at Tops grocery store on Saturday, the gunman initially livestreamed his actions to Twitch.
Tomi Engdahl says:
“The fact that an individual can post detailed plans to commit such an act of hate without consequence, and then stream it for the world to see is bone-chilling and unfathomable,” James said in a statement. “As we continue to mourn and honor the lives that were stolen, we are taking serious action to investigate these companies for their roles in this attack. Time and time again, we have seen the real-world devastation that is borne of these dangerous and hateful platforms, and we are doing everything in our power to shine a spotlight on this alarming behavior and take action to ensure it never happens again.”
https://www.cnbc.com/2022/05/18/new-york-ag-will-probe-social-media-following-buffalo-shooting.html
Tomi Engdahl says:
Manish Singh / TechCrunch:
India says cloud providers and VPN operators that don’t comply with its cybersecurity rules, effective as of June 27, “will have to pull out” of the country — India is pushing ahead with its new cybersecurity rules that will require cloud service providers and VPN operators …
https://techcrunch.com/2022/05/18/india-reiterates-its-strict-vpn-rules-breach-disclosures-despite-concerns/
Tomi Engdahl says:
Cornami Raises $68 Million for Quantum Secure Computing on Encrypted Data
https://www.securityweek.com/cornami-raises-68-million-quantum-secure-computing-encrypted-data
Tomi Engdahl says:
US Government Says North Korean IT Workers Enable DPRK Hacking Operations
https://www.securityweek.com/us-government-says-north-korean-it-workers-enable-dprk-hacking-operations
The US government has warned companies that some of their IT workers may be from North Korea, and these individuals could be aiding their country’s hacking operations.
According to an unclassified advisory from the Department of State, Department of the Treasury, and the FBI, IT workers from the Democratic People’s Republic of Korea (DPRK) are posing as non-North Korean nationals in an effort to gain employment that they would otherwise not be able to obtain due to current sanctions.
The government has warned that thousands of highly skilled IT workers are being dispatched around the world to obtain money that can fund the North Korean regime, including its military programs.
These rogue workers can earn more than $300,000 per year for developing mobile and web applications, building digital currency exchange platforms, providing IT support, developing hardware and firmware, and creating and managing databases. They can be involved in the development of graphic animation, online gambling platforms, dating apps, AI, virtual reality platforms, and biometric recognition software.
The US government noted that while North Korean IT workers typically do not engage in malicious cyber activities, they have been known to leverage their privileged access to enable cyber intrusions.
Tomi Engdahl says:
Over 380,000 Kubernetes API Servers Exposed to Internet: Shadowserver
https://www.securityweek.com/over-380000-kubernetes-api-servers-exposed-internet-shadowserver
The Shadowserver Foundation has started scanning the internet for Kubernetes API servers and found roughly 380,000 that allow some form of access.
ShadowServer is conducting daily scans of the IPv4 space on ports 443 and 6443, looking for IP addresses that respond with an HTTP 200 OK status, which indicates that the request has succeeded.
Of the more than 450,000 Kubernetes API instances identified by Shadowserver, 381,645 responded with “200 OK”. This does not mean these servers are fully open or vulnerable to attacks, but Shadowserver believes they represent an “unnecessarily exposed attack surface” and this level of access was likely not intended.
More than half of the exposed instances are located in the United States, with many also seen in Western Europe, Southeast Asia, and Australia.
Tomi Engdahl says:
NVIDIA Patches Code Execution Vulnerabilities in Graphics Driver
https://www.securityweek.com/nvidia-patches-code-execution-vulnerabilities-graphics-driver
NVIDIA has announced the roll-out of updates for its graphics drivers to address multiple vulnerabilities, including four CVEs rated “high severity.”
The most severe of these issues are CVE‑2022‑28181 and CVE‑2022‑28182 (CVSS score of 8.5), which could lead to “code execution, denial of service, escalation of privileges, information disclosure, and data tampering,” NVIDIA says.
Both security holes could be exploited by an “unauthorized attacker on the network” to cause “an out-of-bounds write through a specially crafted shader.”
While CVE‑2022‑28181 impacts both the Windows and Linux versions of NVIDIA’s GPU display drivers, CVE‑2022‑28182 exists in the Windows DirectX11 user mode driver, the company says.
The vulnerabilities were reported by Cisco Talos’ security researchers, who say that CVE‑2022‑28182 in fact describes three memory corruption issues identified in NVIDIA D3D10 Driver version 496.76, 30.0.14.9676.
“An attacker could exploit these vulnerabilities by sending the target a specially crafted executable or shader file. These issues could also allow an adversary to perform a guest-to-host escape if they target a guest machine running virtualization environments,” the researchers note.
Tomi Engdahl says:
Large-Scale Attack Targeting Tatsu Builder WordPress Plugin
https://www.securityweek.com/large-scale-attack-targeting-tatsu-builder-wordpress-plugin
Tens of thousands of WordPress websites are potentially at risk of compromise as part of an ongoing large-scale attack targeting a remote code execution vulnerability in the Tatsu Builder plugin.
Tracked as CVE-2021-25094 (CVSS score of 8.1), the vulnerability exists because one of the supported actions does not require authentication when uploading a zip file that is extracted under the WordPress upload directory.
While the plugin includes an extension control, this can be bypassed by adding a PHP shell with a filename that begins with a dot (“.”). Furthermore, a race condition in the extraction process allows for an attacker to call the shell file.
The security hole impacts both free and premium versions of Tatsu Builder, a proprietary plugin not available in the official WordPress repository, but which is estimated to have between 20,000 and 50,000 installations.
Although Tatsu sent an urgent email notification to its users in early April, at least a quarter of all installations are believed to still be vulnerable.
Affecting all Tatsu Builder versions prior to 3.3.13, the vulnerability can be exploited by remote, unauthenticated attackers to execute code on vulnerable installations.
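As an added illustration (not the plugin’s own code, which is proprietary and not shown in the article), the Python below contrasts one naive extension filter of the kind a dot-prefixed filename defeats with an allowlist check that is applied to every archive member before anything is extracted. The naive check, the allowlist, the helper names and the sample archive are all constructed for this example; the hostile entries are empty placeholders, not payloads.

```python
from __future__ import annotations

import io
import posixpath
import zipfile

# Constructed lists for the example; a real upload handler would derive the
# allowlist from what the feature actually needs to extract.
BLOCKED_EXTENSIONS = {"php", "phtml", "phar", "php5"}
ALLOWED_EXTENSIONS = {"css", "js", "json", "png", "jpg", "jpeg", "svg", "woff2", "txt"}


def weak_extension_ok(name: str) -> bool:
    """One naive denylist pattern (constructed, not the plugin's code): the
    'extension' is taken to be the text after the first dot of the basename.
    For '.shell.php' that text is 'shell', so the PHP file is let through."""
    base = posixpath.basename(name)
    parts = base.split(".")
    ext = parts[1].lower() if len(parts) > 1 else ""
    return ext not in BLOCKED_EXTENSIONS


def safe_member_ok(name: str) -> bool:
    """Allowlist check for a single zip member. Rejects absolute paths,
    backslashes, traversal outside the target directory, hidden
    (dot-prefixed) names, files with no extension, and any chained
    extension that is not allowlisted (so 'logo.png.php' fails too)."""
    if not name or "\\" in name or name.startswith("/"):
        return False
    is_dir = name.endswith("/")
    norm = posixpath.normpath(name)
    if norm == ".." or norm.startswith("../"):
        return False
    base = posixpath.basename(norm)
    if base.startswith("."):           # catches '.shell.php' and '.htaccess'
        return False
    if is_dir:
        return True
    parts = base.lower().split(".")
    if len(parts) < 2:
        return False
    return all(p in ALLOWED_EXTENSIONS for p in parts[1:])


def vet_archive(data: bytes) -> tuple[bool, list[str]]:
    """Decide up front whether an uploaded zip may be extracted at all.
    Validating every member first and refusing the whole archive on any
    failure avoids the extract-then-clean-up pattern in which a race
    window exists between a file landing on disk and its removal."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    rejected = [n for n in names if not safe_member_ok(n)]
    return (not rejected, rejected)


def build_sample_zip() -> bytes:
    """Constructed sample archive mixing benign and hostile member names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("theme/", "")
        zf.writestr("theme/style.css", "body{}")
        zf.writestr("theme/app.js", "// ok")
        zf.writestr(".shell.php", "")                 # dot-prefixed name
        zf.writestr("img/logo.png.php", "")           # chained extension
        zf.writestr("theme/../../wp-config.php", "")  # path traversal
        zf.writestr("README", "")                     # no extension
    return buf.getvalue()


def demo() -> dict:
    """Run both checks over the sample archive and return what each decides."""
    data = build_sample_zip()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    ok, rejected = vet_archive(data)
    return {
        "weak_accepts": [n for n in names if weak_extension_ok(n)],
        "archive_ok": ok,
        "rejected": rejected,
    }


if __name__ == "__main__":
    import pprint
    pprint.pprint(demo())
```

The naive check lets ‘.shell.php’, ‘img/logo.png.php’ and the extensionless ‘README’ through; the allowlist check rejects all of them plus the traversal entry, so the whole upload is refused before a single file is written.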
Tomi Engdahl says:
You’ve seen it in the movies: smartphones that are switched off are bugs – so take the battery out and put it in a tin can in the fridge. When the iPhone is switched off, certain radio chips remain under power in order to “find my phone” or access data stored in the security chip. Researchers at the Technical University of Darmstadt show that malware can also be stored on the radio chips and still function when the device is switched off.
Researchers: Malware can run on iPhones that are switched off
https://borncity.com/win/2022/05/18/forscher-malware-kann-auf-ausgeschalteten-iphones-laufen/
Tomi Engdahl says:
An unpleasant finding: even a powered-off iPhone can betray its user https://www.is.fi/digitoday/tietoturva/art-2000008826003.html
Malware can live even in a powered-off iPhone and turn a feature meant to protect users on its head. Paper:
https://arxiv.org/pdf/2205.06114.pdf
Tomi Engdahl says:
Apple patches dozens of security flaws with iOS 15.5, over 50 fixes for macOS 12.4
https://9to5mac.com/2022/05/16/apple-patches-27-security-flaws-ios-15-5/
Apple has released iOS 15.5, macOS 12.4, and more today with updates like new features for Apple Cash, the Podcasts app, and the Studio Display webcam fix. However, a bigger reason to update your devices is the security patches with today’s releases. iOS 15.5 includes almost 30 security fixes while macOS 12.4 features over 50.
Apple shared all the details for the security fixes in its latest software for iPhone, iPad, Mac, and more on its support page.
For both iOS and Mac, many of the flaws could allow malicious apps to execute arbitrary code with kernel privileges. Another for iOS says “A remote attacker may be able to cause unexpected application termination or arbitrary code execution.”
Tomi Engdahl says:
Problems at Valtra owner AGCO continue, all of the group’s systems still down – MT’s sources: already affecting spare parts availability, spring tractor servicing in jeopardy
https://www.maaseuduntulevaisuus.fi/maatalous/8c84f63f-9900-4e58-a55d-3016a7260d14
The massive problems at the US machinery group AGCO, which among others manufactures Valtra and Massey Ferguson tractors, continue in the wake of the cyberattack that took place on 5 May.
Tomi Engdahl says:
Media giant Nikkei’s Asian unit hit by ransomware attack https://www.bleepingcomputer.com/news/security/media-giant-nikkei-s-asian-unit-hit-by-ransomware-attack/
Publishing giant Nikkei disclosed that the group’s headquarters in Singapore was hit by a ransomware attack almost one week ago, on May 13, 2022. “Unauthorized access to the server was first detected on May 13, prompting an internal probe,” the company revealed in a press release published on Thursday. “The affected server likely contained customer data, and Nikkei is currently in the process of determining the nature and scope of the attack,” Nikkei added. The media giant said that, until now, it found no evidence of a data leak while investigating the ransomware attack.
Tomi Engdahl says:
Greenland says health services ‘severely limited’ after cyberattack https://therecord.media/greenland-cyberattack-healthcare-systems/
The government of Greenland confirmed reports this week that the island’s hospital system was “severely” impacted by a cyberattack.
Government officials did not respond to requests for comment about whether it was a ransomware attack, but in a statement, explained that the healthcare system’s digital network crashed because of the incident.