This posting is here to collect cyber security news in June 2022.
I post links to security vulnerability news in the comments of this article.
You are also free to post related links in the comments.
381 Comments
Tomi Engdahl says:
Revelation about the Windows hole under attack: Microsoft completely dismissed it https://www.is.fi/digitoday/tietoturva/art-2000008856496.html
Tomi Engdahl says:
Takedown of SMS-based FluBot spyware infecting Android phones https://www.europol.europa.eu/media-press/newsroom/news/takedown-of-sms-based-flubot-spyware-infecting-android-phones
An international law enforcement operation involving 11 countries has resulted in the takedown of one of the fastest-spreading mobile malware to date. Known as FluBot, this Android malware has been spreading aggressively through SMS, stealing passwords, online banking details and other sensitive information from infected smartphones across the world. Its infrastructure was successfully disrupted earlier in May by the Dutch Police (Politie), rendering this strain of malware inactive.
Tomi Engdahl says:
Hackers steal WhatsApp accounts using call forwarding trick https://www.bleepingcomputer.com/news/security/hackers-steal-whatsapp-accounts-using-call-forwarding-trick/
There’s a trick that allows attackers to hijack a victim’s WhatsApp account and gain access to personal messages and contact list. The method relies on the mobile carriers’ automated service to forward calls to a different phone number, and WhatsApp’s option to send a one-time password (OTP) verification code via voice call.
Tomi Engdahl says:
Windows MSDT zero-day now exploited by Chinese APT hackers https://www.bleepingcomputer.com/news/security/windows-msdt-zero-day-now-exploited-by-chinese-apt-hackers/
Chinese-linked threat actors are now actively exploiting a Microsoft Office zero-day vulnerability (known as ‘Follina’) to execute malicious code remotely on Windows systems. The TA413 APT group, a hacking outfit linked to Chinese state interests, has adopted this vulnerability in attacks against their favorite target, the international Tibetan community. As observed on May 30 by Proofpoint security researchers, they’re now using CVE-2022-30190 exploits to execute malicious code via the MSDT protocol when targets open or preview Word documents delivered in ZIP archives.
Tomi Engdahl says:
Over 3.6 million MySQL servers found exposed on the Internet https://www.bleepingcomputer.com/news/security/over-36-million-mysql-servers-found-exposed-on-the-internet/
Over 3.6 million MySQL servers are publicly exposed on the Internet and responding to queries, making them an attractive target to hackers and extortionists. Of these accessible MySQL servers, 2.3 million are connected over IPv4, with 1.3 million devices over IPv6. While it is common for web services and applications to connect to remote databases, these instances should be locked down so only authorized devices can connect to them.
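The exposure described above usually comes down to one option: a server whose bind-address is missing or a wildcard answers on every interface. The following is an added example (not code from the article or from the MySQL project) that audits a my.cnf option file for that condition; the two option-file texts are constructed samples, and the "default bind-address is '*'" note refers to MySQL 8.0 server defaults.

```python
"""Audit a MySQL option file for network exposure.

Flags a missing or wildcard bind-address (the setting that makes a server
reachable from the whole Internet) and recognises skip-networking, which
disables the TCP listener entirely. Added example; constructed samples below.
"""
import configparser
import ipaddress

# Addresses that mean "listen on every interface"
WILDCARDS = {"*", "0.0.0.0", "::", "::0"}

# Constructed sample: listens on all interfaces (the exposed case)
SAMPLE_EXPOSED_CNF = """
[mysqld]
port = 3306
bind-address = 0.0.0.0   # wildcard
"""

# Constructed sample: loopback only and TCP disabled altogether
SAMPLE_LOCKED_CNF = """
[mysqld]
port = 3306
bind-address = 127.0.0.1
skip-networking
"""


def parse_option_file(text):
    """my.cnf is INI-like: bare keys (skip-networking) and '#' comments are allowed."""
    parser = configparser.ConfigParser(
        allow_no_value=True, strict=False, interpolation=None,
        inline_comment_prefixes=("#",),
    )
    parser.read_string(text)
    return parser


def audit_mysql_options(text):
    """Return {'listens_tcp', 'exposed', 'bind', 'notes'} for an option file."""
    cfg = parse_option_file(text)
    result = {"listens_tcp": True, "exposed": False, "bind": [], "notes": []}

    if not cfg.has_section("mysqld"):
        # MySQL 8.0 default for bind_address is '*', i.e. every interface
        result["bind"] = ["*"]
        result["exposed"] = True
        result["notes"].append("no [mysqld] section: default bind-address '*' applies")
        return result

    sec = cfg["mysqld"]
    if "skip-networking" in sec or "skip_networking" in sec:
        result["listens_tcp"] = False
        result["notes"].append("skip-networking set: only socket/named-pipe clients can connect")
        return result

    raw = sec.get("bind-address") or sec.get("bind_address")
    if raw is None:
        result["bind"] = ["*"]
        result["exposed"] = True
        result["notes"].append("bind-address not set: default '*' listens on every interface")
        return result

    # MySQL 8.0.13+ accepts a comma-separated list of addresses
    for addr in (a.strip() for a in raw.split(",")):
        result["bind"].append(addr)
        if addr in WILDCARDS:
            result["exposed"] = True
            result["notes"].append(f"wildcard bind-address {addr!r}: reachable from any network")
            continue
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            result["notes"].append(f"bind-address {addr!r} is a hostname; verify what it resolves to")
            continue
        if ip.is_loopback:
            result["notes"].append(f"{addr}: local clients only")
        else:
            result["notes"].append(f"{addr}: specific interface; confirm host firewall restricts 3306")
    return result


if __name__ == "__main__":
    for name, text in (("exposed", SAMPLE_EXPOSED_CNF), ("locked", SAMPLE_LOCKED_CNF)):
        print(name, audit_mysql_options(text))
```

Run it against the option file actually loaded by the server (`mysqld --help --verbose` lists the search order), since an included file under conf.d can override what the main file says.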
Tomi Engdahl says:
Cybercriminal scams City of Portland, Ore. for $1.4 million https://therecord.media/cybercriminal-scams-city-of-portland-ore-for-1-4-million/
Portland, Ore. is investigating a cybersecurity breach that resulted in a $1.4 million fraudulent transaction with city funds in April, one discovered after the same compromised account tried again the next month, the city said in a press release late last week. “Preliminary evidence indicates that an unauthorized, outside entity gained access to a City of Portland email account to conduct this illegal activity,” according to the statement.
Tomi Engdahl says:
FBI director warns that Russia might resort to destructive cyberattacks https://therecord.media/fbi-director-warns-that-russia-might-resort-to-destructive-cyberattacks/
The director of the FBI on Wednesday said the intelligence agency is “laser focused” on thwarting Russian cyber operations, warning that the country has taken steps to launch potential destructive attacks.
In a far-reaching keynote address delivered at Boston College’s Conference on Cyber Security, FBI Director Christopher Wray spoke about immediate threats tied to Russia’s war on Ukraine, saying that the country’s “recklessness with human lives carries over to how they act in cyberspace.”
Tomi Engdahl says:
US export ban on hacking tools tweaked after public consultation https://portswigger.net/daily-swig/us-export-ban-on-hacking-tools-tweaked-after-public-consultation
As concern mounts about the security risks posed by overseas hackers, the US Commerce Department’s Bureau of Industry and Security (BIS) has published revisions to its ban on certain cybersecurity exports. The prohibition first announced last October effectively bans the export of hacking software and equipment to China, Russia, and a number of other countries without a license from the BIS.
Tomi Engdahl says:
SideWinder hackers plant fake Android VPN app in Google Play Store https://www.bleepingcomputer.com/news/security/sidewinder-hackers-plant-fake-android-vpn-app-in-google-play-store/
Phishing campaigns attributed to an advanced threat actor called SideWinder involved a fake VPN app for Android devices published on Google Play Store along with a custom tool that filters victims for better targeting. SideWinder is an APT group that’s been active since at least 2012, believed to be an actor of Indian origin with a relatively high level of sophistication.
Tomi Engdahl says:
YODA Tool Found ~47,000 Malicious WordPress Plugins Installed in Over 24,000 Sites https://thehackernews.com/2022/06/yoda-tool-found-47000-malicious.html
As many as 47,337 malicious plugins have been uncovered on 24,931 unique websites, out of which 3,685 plugins were sold on legitimate marketplaces, netting the attackers $41,500 in illegal revenues. The findings come from a new tool called YODA that aims to detect rogue WordPress plugins and track down their origin, according to an 8-year-long study conducted by a group of researchers from the Georgia Institute of Technology.
Tomi Engdahl says:
Ransomware Group Claims to Have Breached Foxconn Factory
https://www.securityweek.com/ransomware-group-claims-have-breached-foxconn-factory
Tomi Engdahl says:
Unpatched Vulnerability Exposes Horde Webmail Servers to Attacks
https://www.securityweek.com/unpatched-vulnerability-exposes-horde-webmail-servers-attacks
The Horde webmail software is affected by a serious vulnerability that can be exploited to gain complete access to an organization’s emails.
The flaw, discovered by researchers at application security firm Sonar (formerly SonarSource), is tracked as CVE-2022-30287 and it can be exploited by getting a user to open a specially crafted email. Sonar on Wednesday made public the technical details of the security bug.
Tomi Engdahl says:
Wray: FBI Blocked Planned Cyberattack on Children’s Hospital
https://www.securityweek.com/wray-fbi-blocked-planned-cyberattack-childrens-hospital
The FBI thwarted a planned cyberattack on a children’s hospital in Boston that was to have been carried out by hackers sponsored by the Iranian government, FBI Director Christopher Wray said Wednesday.
Wray told a Boston College cybersecurity conference that his agents learned of the planned digital attack from an unspecified intelligence partner and got Boston Children’s Hospital the information it needed last summer to block what would have been “one of the most despicable cyberattacks I’ve seen.”
“And quick actions by everyone involved, especially at the hospital, protected both the network and the sick kids who depended on it,” Wray said.
The FBI chief recounted that anecdote in a broader speech about ongoing cyber threats from Russia, China and Iran and the need for partnerships between the U.S. government and the private sector.
Tomi Engdahl says:
Europol Announces Takedown of FluBot Mobile Spyware
https://www.securityweek.com/europol-announces-takedown-flubot-mobile-spyware
Europol today announced the takedown of FluBot, a piece of mobile malware targeting both Android and iOS devices that has been fast-spreading via SMS messages.
Also referred to as Fedex Banker and Cabassous, the spyware has been around since late 2020, mainly focused on users in Europe, but with attacks also registered in the United States, Australia, Japan, New Zealand, and elsewhere.
The threat spreads using a technique known as smishing, which involves SMS phishing messages that attempt to lure victims into clicking a link to download the malicious payload.
Initially, the spyware only targeted Android devices, but recent campaigns were seen targeting iOS devices as well. Security researchers have reported seeing tens of thousands of SMS messages being sent hourly as part of these widespread attacks.
Tomi Engdahl says:
Over 3.6 million MySQL servers found exposed on the Internet
https://www.bleepingcomputer.com/news/security/over-36-million-mysql-servers-found-exposed-on-the-internet/
Tomi Engdahl says:
Tokmanni disclosed customer data by email – affects up to 400,000 people https://www.is.fi/digitoday/tietoturva/art-2000008859502.html
Tomi Engdahl says:
Exiled Iran Group Claims Tehran Hacking Attack
https://www.securityweek.com/exiled-iran-group-claims-tehran-hacking-attack
An exiled Iranian opposition group Thursday claimed a hacking attack which it said temporarily took control of dozens of websites run by Tehran’s municipality and thousands of the capital’s surveillance cameras.
Iranian state media said earlier that the internal computer system of the municipality of Tehran was targeted in a “deliberate” shutdown Thursday in the latest apparent cyber attack in the country.
Tomi Engdahl says:
Millions of Budget Smartphones With UNISOC Chips Vulnerable to Remote DoS Attacks
https://www.securityweek.com/millions-budget-smartphones-unisoc-chips-vulnerable-remote-dos-attacks
Millions of budget smartphones that use UNISOC chipsets could have their communications remotely disrupted by hackers due to a critical vulnerability discovered recently by researchers at cybersecurity firm Check Point.
Chipsets made by UNISOC, one of China’s largest mobile phone chip designers, are widely used in budget smartphones, particularly ones sold in Asia and Africa. The company was called Spreadtrum until 2018, when it rebranded as UNISOC.
At the end of 2021, UNISOC had an 11% share of the smartphone application processor market, being ranked the fourth after Mediatek, Qualcomm and Apple.
Researchers at Check Point have analyzed UNISOC modem firmware and discovered that it’s affected by a serious vulnerability that can allow an attacker to launch a remote denial-of-service (DoS) attack against a device by using a specially crafted packet.
“We reverse-engineered the implementation of the LTE protocol stack and discovered a vulnerability that could be used to deny modem services and block communications,” the company explained in a blog post.
Tomi Engdahl says:
Dutch Used Pegasus Spyware on Most-Wanted Criminal: Report
https://www.securityweek.com/dutch-used-pegasus-spyware-most-wanted-criminal-report
Dutch secret services have used the controversial Israeli spyware known as Pegasus to hack targets including the country’s most-wanted criminal, a news report said on Thursday.
The Netherlands’ AIVD secret service in 2019 used the software bought from Israel’s NSO Group to access fugitive alleged drugs kingpin Ridouan Taghi, the Volkskrant daily reported.
Pegasus, which can switch on a phone’s camera or microphone and harvest its data, was engulfed in controversy last July after several media outlets reported that governments around the world had used it to spy on opponents.
Based on four anonymous sources, Volkskrant said although tracing criminals was not the AIVD’s role, it assisted Dutch police in finding Taghi, who was arrested in Dubai in 2019.
https://www.securityweek.com/google-says-nso-pegasus-zero-click-most-technically-sophisticated-exploit-ever-seen
Tomi Engdahl says:
US Authorities Seize Domains Selling Stolen Data, DDoS Services
https://www.securityweek.com/us-authorities-seize-domains-selling-stolen-data-ddos-services
US law enforcement agencies this week announced the seizure of three domains that sold compromised personal information and facilitated cyberattacks on victim networks.
The domains – weleakinfo.to, ipstress.in, and ovh-booter.com – were taken down as part of a coordinated operation, in which the National Police Corps of the Netherlands and the Federal Police of Belgium arrested the main suspect, searched several locations, and seized the underlying infrastructure. The identity of the suspect hasn’t been revealed.
The weleakinfo.to domain claimed to provide access to seven billion records containing personal information such as names, phone numbers, usernames, email addresses, and passwords, allegedly obtained from more than 10,000 data breaches.
Tomi Engdahl says:
Leaks Show Conti Ransomware Group Working on Firmware Exploits
https://www.securityweek.com/leaks-show-conti-ransomware-group-working-firmware-exploits
The recent Conti leaks show that the notorious ransomware group has been working on firmware exploits targeting the Intel Management Engine (ME) system.
In late February, after Conti expressed support for Russia following its invasion of Ukraine, a Ukrainian hacker started leaking information stolen from the cybercrime group, including chat logs, credentials, email addresses, C&C server details, and malware source code.
The leaked information showed that the cybercrime gang operated just like a regular company, with contractors, employees and HR problems.
An analysis of the leaked chats conducted by firmware and hardware security company Eclypsium showed that the Conti group has been looking into firmware-based attacks, specifically ones targeting Intel ME.
Intel ME provides various features for computers powered by Intel processors, including out-of-band management and anti-theft protection.
Tomi Engdahl says:
US Warns Organizations of ‘Karakurt’ Cyber Extortion Group
https://www.securityweek.com/us-warns-organizations-karakurt-cyber-extortion-group
Several government agencies in the United States have issued a joint cybersecurity alert to warn organizations about a data extortion group named “Karakurt.”
Also known as the Karakurt Team and Karakurt Lair, the group does not rely on malware to encrypt victims’ files, instead exfiltrating data and threatening to sell it or release it publicly if a ransom is not paid within a specific timeframe.
Typically, the Karakurt hackers give their victims one week to make the payment, with ransom demands ranging between $25,000 and $13 million in Bitcoin, reads the joint alert from the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury, and the Financial Crimes Enforcement Network (FinCEN).
Tomi Engdahl says:
Report: Clipminer Botnet Operators Rake in $1.7 Million
https://www.securityweek.com/report-clipminer-botnet-operators-rake-17-million
Cybercriminals operating the Clipminer botnet have raked in at least $1.7 million in illicit gains to date, according to an estimate by security researchers at Symantec.
Spreading via trojanized cracked or pirated software, the Clipminer trojan shows similarities with the cryptomining trojan KryptoCibule, suggesting that it could be either a copycat or an evolution of the latter.
According to Symantec, Clipminer was first spotted around January 2021, shortly after KryptoCibule was detailed in an ESET research project, suggesting a possible rebranding of the same threat.
Tomi Engdahl says:
Cybercriminals Hold 1,200 Unsecured Elasticsearch Databases for Ransom
https://www.securityweek.com/cybercriminals-hold-1200-unsecured-elasticsearch-databases-ransom
Secureworks warns of a new attack campaign targeting internet-exposed, improperly secured Elasticsearch databases to replace their data with a ransom note.
Over 1,200 databases that could be accessed without authentication have already fallen victim to the attackers, which replaced their indexes with a note demanding a payment of 0.012 Bitcoin in exchange for the data.
“In each case, data held in the databases was replaced with a ransom note stored in the ‘message’ field of an index called ‘read_me_to_recover_database’. Inside the ‘email’ field is a contact email address,” Secureworks notes.
The researchers identified four email addresses used in these attacks, as well as two different Bitcoin wallets. The ransom requests total roughly $280,000, but no payment appears to have been made to date, suggesting that the campaign has been unsuccessful.
What Secureworks could not determine was the number of potential victims, because the databases were hosted on networks maintained by cloud computing providers.
“It is likely that some databases belong to the same organization, but identifying specific victims was not possible in most cases,” the researchers say.
https://www.secureworks.com/blog/unsecured-elasticsearch-data-replaced-with-ransom-note
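The Secureworks description above gives a concrete indicator: an index named ‘read_me_to_recover_database’ whose documents carry a ‘message’ and an ‘email’ field. The block below is an added example (not code from Secureworks or the article) that triages two Elasticsearch responses for that pattern; the JSON is constructed to mimic the shape of `GET /_cat/indices?format=json` and `GET /<index>/_search`, the email address and Bitcoin address are placeholders, and the name-matching regex generalises beyond the exact index name the page reports.

```python
"""Triage Elasticsearch API responses for the ransom-note pattern.

Added example with constructed data. Feed it the JSON your own cluster
returns from _cat/indices and a _search on the suspicious index.
"""
import json
import re

# Exact name from the report, plus a looser pattern for variants
RANSOM_INDEX = "read_me_to_recover_database"
RANSOM_NAME_RE = re.compile(r"(read_?me|recover|ransom)", re.I)
BTC_AMOUNT_RE = re.compile(r"(\d+(?:\.\d+)?)\s*(?:BTC|bitcoin)", re.I)

# Constructed: GET /_cat/indices?format=json on a hit cluster
CAT_INDICES = json.dumps([
    {"health": "yellow", "status": "open", "index": RANSOM_INDEX, "docs.count": "1"},
    {"health": "green", "status": "open", "index": "orders-2022.05", "docs.count": "0"},
    {"health": "green", "status": "open", "index": "orders-2022.06", "docs.count": "0"},
])

# Constructed: GET /read_me_to_recover_database/_search
SEARCH_HITS = json.dumps({
    "hits": {"total": {"value": 1}, "hits": [
        {"_index": RANSOM_INDEX, "_id": "1", "_source": {
            "message": "Your data is backed up. Send 0.012 BTC to BTC_ADDRESS_PLACEHOLDER and contact us.",
            "email": "attacker@example.invalid",
        }},
    ]},
})


def find_ransom_indices(cat_json):
    """Return index names matching the known name or the looser pattern."""
    rows = json.loads(cat_json)
    return [r["index"] for r in rows
            if r["index"] == RANSOM_INDEX or RANSOM_NAME_RE.search(r["index"])]


def empty_indices(cat_json):
    """Indices with zero documents: consistent with data having been replaced."""
    return [r["index"] for r in json.loads(cat_json) if r.get("docs.count") == "0"]


def extract_notes(search_json):
    """Pull the contact email and demanded amount out of each ransom document."""
    notes = []
    for hit in json.loads(search_json)["hits"]["hits"]:
        src = hit.get("_source", {})
        msg = src.get("message", "")
        m = BTC_AMOUNT_RE.search(msg)
        notes.append({
            "index": hit["_index"],
            "email": src.get("email"),
            "btc_amount": float(m.group(1)) if m else None,
            "message": msg,
        })
    return notes


def triage(cat_json, search_json):
    """Combine the checks into one finding for an incident ticket."""
    hits = find_ransom_indices(cat_json)
    return {
        "ransom_indices": hits,
        "emptied_indices": empty_indices(cat_json),
        "notes": extract_notes(search_json) if hits else [],
        "compromised": bool(hits),
    }


if __name__ == "__main__":
    print(json.dumps(triage(CAT_INDICES, SEARCH_HITS), indent=2))
```

The same index list also tells you what to restore: every emptied index is a candidate for recovery from snapshots, and the cluster should be put behind authentication before it is brought back online.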
Tomi Engdahl says:
Access Brokers and Ransomware-as-a-Service Gangs Tighten Relationships
https://www.securityweek.com/access-brokers-and-ransomware-service-gangs-tighten-relationships
Access brokers sell compromised network access to help ransomware gangs launch attacks
Dark web watchers have noted the increasing professionalism of cybercrime groups over the last few years. Criminal groups are well-organized and have just one purpose: streamlining operations to maximize profits. An increasingly close relationship between access brokers and ransomware-as-a-service (RaaS) groups is an obvious development.
Analysts have been watching this unfold, and threat intelligence firm Intel 471 has posted an initial report: The relationship between access brokers and ransomware crews is growing.
The access brokers in this report are credential brokers. “They specialize in obtaining credentials to organizations’ IT stacks across the world,” Intel 471’s Greg Otto told SecurityWeek. “They sell that access to the highest bidders on the cybercrime underground; and the highest bidders are increasingly ransomware-as-a-service (RaaS) gangs.”
There are other categories of ‘access’ broker – such as vulnerability merchants who might auction the presence of a backdoor or the discovery of an unpatched vulnerability – or the availability of RDP access. But this report focuses on the growth of the credential broker over recent years, and the growing alliance of brokers with specific RaaS groups.
For RaaS groups and access brokers alike, the business advantages of a close – perhaps exclusive – relationship are clear. The ransomware operators can provide a better service to their affiliates delivering both the access and the malware. This makes the process shorter and increases their turnover – with their ransom percentages increasing in number and decreasing in wait time. Furthermore, as relationships strengthen, ransomware groups may identify a victim they wish to target, and the access merchant will provide the access once it is available.
Tomi Engdahl says:
Foxconn: Mexico factory operations ‘gradually returning to normal’ after ransomware attack
https://therecord.media/foxconn-mexico-factory-operations-gradually-returning-to-normal-after-ransomware-attack/
The LockBit ransomware group claimed to have attacked the company’s offices in Tijuana last month. They threatened to leak the data stolen during the attack by June 11. A spokesperson from the Taiwanese company confirmed the attack. “The disruption caused to business operations will be handled through production capacity adjustment. The cybersecurity attack is estimated to have little impact on the Group’s overall operations. Relevant information about the incident is also provided instantly to our management, clients, and suppliers.”
Tomi Engdahl says:
Microsoft blocks Polonium hackers from using OneDrive in attacks https://www.bleepingcomputer.com/news/security/microsoft-blocks-polonium-hackers-from-using-onedrive-in-attacks/
Microsoft said it blocked a Lebanon-based hacking group it tracks as Polonium from using the OneDrive cloud storage platform for data exfiltration and command and control while targeting and compromising Israeli organizations. The company also suspended more than 20 malicious OneDrive applications used in Polonium’s attacks, notifying the targeted organizations and quarantining the threat actors’ tools via security intelligence updates. See also:
https://www.microsoft.com/security/blog/2022/06/02/exposing-polonium-activity-and-infrastructure-targeting-israeli-organizations/
Tomi Engdahl says:
Volodymyr Zelensky on War, Technology, and the Future of Ukraine https://www.wired.com/story/volodymyr-zelensky-q-and-a-ukraine-war-technology/
In a one-on-one interview with WIRED, the embattled president expresses clarity amidst the chaos. Ever since Russian forces started their all-out invasion in February, Ukraine has been hailed as an exemplar of how to defend against violent tyranny on the 21st-century battlefield. The country spun up an “IT Army” of volunteer hackers to take down Russian websites, used the Starlink satellite internet system to maintain communications as its own infrastructure was being destroyed, and launched a social media blitzkrieg to win support from around the world.
Tomi Engdahl says:
Ransomware gang now hacks corporate websites to show ransom notes https://www.bleepingcomputer.com/news/security/ransomware-gang-now-hacks-corporate-websites-to-show-ransom-notes/
A ransomware gang is taking extortion to a new level by publicly hacking corporate websites to publicly display ransom notes. This new extortion strategy is being conducted by Industrial Spy, a data extortion gang that recently began using ransomware as part of their attacks. As part of their attacks, Industrial Spy will breach networks, steal data, and deploy ransomware on devices. The threat actors then threaten to sell the stolen data on their Tor marketplace if a ransom is not paid. While this tactic is outside the norm, it allows the ransomware gang to apply further pressure on a victim, as it pushes the attack into the spotlight where customers and business partners can more easily see it. It is not believed, though, that this new tactic will see widespread use as web servers are not typically hosted on corporate networks but rather with hosting providers.
Tomi Engdahl says:
Analysis of CVE-2022-30190: Microsoft Support Diagnostic Tool (MSDT) RCE Vulnerability “Follina”
https://www.fortinet.com/blog/threat-research/analysis-of-follina-zero-day
At the end of last week, @nao_sec, an independent cyber security research team, tweeted about a malicious Microsoft Word document submitted from Belarus that leverages remote templates to execute a PowerShell payload using the “ms-msdt” MSProtocol URI scheme. A successful attack results in a remote, unauthenticated attacker taking control of an affected system. A publicly available Proof-of-Concept soon followed. As FortiGuard Labs is on high watch for updates and developments for CVE-2022-30190, this blog intends to raise awareness of this critical vulnerability and to urge administrators and various organizations to take quick corrective action until Microsoft releases a patch.
Tomi Engdahl says:
Vulnerability within the UNISOC baseband opens mobile phones communications to remote hacker attacks https://research.checkpoint.com/2022/vulnerability-within-the-unisoc-baseband/
UNISOC is extremely popular in Africa and Asia due to their low prices. By the end of 2021, UNISOC was firmly in fourth place among the largest smartphone chip manufacturers in the world (after MediaTek, Qualcomm and Apple), with 11% of the global market. In this study, CPR did a quick analysis of the UNISOC baseband to find a way to remotely attack UNISOC devices. We reverse-engineered the implementation of the LTE protocol stack and discovered a vulnerability that could be used to deny modem services and block communications.
Tomi Engdahl says:
Wrong information sent to 350,000 customers in Tokmanni’s email mix-up: “We are sorry” https://www.is.fi/digitoday/tietoturva/art-2000008861761.html
Tomi Engdahl says:
Someone apparently leaked classified Chinese tank schematics to win an online argument
https://taskandpurpose.com/entertainment/war-thunder-player-leaks-chinese-tank-secrets/
Maybe an OPSEC briefing should be part of the game’s tutorial?
Fans of the free-to-play military video game “War Thunder” are so passionate about the game that they’ve taken to sharing actual classified schematics for real-life military vehicles in an effort to win arguments with complete strangers online.
Tomi Engdahl says:
New Windows Search zero-day added to Microsoft protocol nightmare
https://www.bleepingcomputer.com/news/security/new-windows-search-zero-day-added-to-microsoft-protocol-nightmare/
A new Windows Search zero-day vulnerability can be used to automatically open a search window containing remotely-hosted malware executables simply by launching a Word document.
The security issue can be leveraged because Windows supports a URI protocol handler called ‘search-ms’ that allows applications and HTML links to launch customized searches on a device.
While most Windows searches will look on the local device’s index, it is also possible to force Windows Search to query file shares on remote hosts and use a custom title for the search window.
Tomi Engdahl says:
POC to replicate the full ‘Follina’ Office RCE vulnerability for testing purposes
https://github.com/chvancooten/follina.py
Tomi Engdahl says:
https://etn.fi/index.php/13-news/13671-laehes-kaikki-teollisuusyritykset-joutuneet-kyberiskun-kohteeksi
Tomi Engdahl says:
https://www.darkreading.com/threat-intelligence/fighting-follina-application-vulnerabilities-and-detection-possibilities
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/new-ermac-20-android-malware-steals-accounts-wallets-from-467-apps/
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/over-36-million-mysql-servers-found-exposed-on-the-internet/
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/windows-msdt-zero-day-now-exploited-by-chinese-apt-hackers/
Tomi Engdahl says:
https://arstechnica.com/information-technology/2022/05/code-execution-0day-in-windows-has-been-under-active-exploit-for-7-weeks/
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/exploit-released-for-critical-vmware-auth-bypass-bug-patch-now/
Tomi Engdahl says:
Gas pump manipulators steal ‘millions of dollars’ in fuel – and it’s legal in Florida
News 6 working with Cyber-Fraud Task Force and lawmakers to ban device
https://www.clickorlando.com/news/local/2022/05/24/gas-pump-manipulators-steal-millions-of-dollars-in-fuel-and-its-legal-in-florida/
Tomi Engdahl says:
https://securityaffairs.co/wordpress/131698/hacking/poc-exploit-code-vmware-cve-2022-22972.html
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/industrial-spy-data-extortion-market-gets-into-the-ransomware-game/
Tomi Engdahl says:
https://securityaffairs.co/wordpress/131658/apt/unknown-apt-group-target-russia.html
Tomi Engdahl says:
https://www.darkreading.com/application-security/malicious-package-python-repository-cobalt-strike-windows-macos-linux
Tomi Engdahl says:
https://thehackernews.com/2022/05/critical-pantsdown-bmc-vulnerability.html
Tomi Engdahl says:
Experts Warn of Rise in ChromeLoader Malware Hijacking Users’ Browsers
https://thehackernews.com/2022/05/experts-warn-of-rise-in-chromeloader.html
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/new-cheers-linux-ransomware-targets-vmware-esxi-servers/