Cyber security news June 2022

This posting is here to collect cyber security news in June 2022.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.

381 Comments

  1. Tomi Engdahl says:

    Do you know which device has the most secure Windows of all? The answer will surprise you https://www.is.fi/digitoday/tietoturva/art-2000008862723.html

  2. Tomi Engdahl says:

    Critical vulnerability in Atlassian Confluence products enables attacks without authentication
    https://www.kyberturvallisuuskeskus.fi/fi/haavoittuvuus_11/2022
    A critical vulnerability in Confluence Server and Data Center products allows remote command execution without authentication.
    The vulnerability has already been exploited in the wild, and there is no fix for it yet. Atlassian recommends limiting the opportunities for exploitation by restricting the exposure of vulnerable products to the public internet. See also:
    https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/.
    See also:
    https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html

  3. Tomi Engdahl says:

    Atlassian fixes Confluence zero-day widely exploited in attacks https://www.bleepingcomputer.com/news/security/atlassian-fixes-confluence-zero-day-widely-exploited-in-attacks/
    Atlassian has released security updates to address a critical zero-day vulnerability in Confluence Server and Data Center actively exploited in the wild to backdoor Internet-exposed servers. The zero-day
    (CVE-2022-26134) affects all supported versions of Confluence Server and Data Center and allows unauthenticated attackers to gain remote code execution on unpatched servers. Since it was disclosed as an actively exploited bug, the Cybersecurity and Infrastructure Security Agency (CISA) has also added it to its ‘Known Exploited Vulnerabilities Catalog’ requiring federal agencies to block all internet traffic to Confluence servers on their networks. The company has now released patches and advises all customers to upgrade their appliances to versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, and 7.18.1, which contain a fix for this flaw.

    Active Exploitation of Confluence CVE-2022-26134 – PoC and technical analysis https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/
    CVE-2022-26134 is an unauthenticated and remote OGNL injection vulnerability resulting in code execution in the context of the Confluence server (typically the confluence user on Linux installations). Given the nature of the vulnerability, internet-facing Confluence servers are at very high risk. As stated, the vulnerability is an OGNL injection vulnerability affecting the HTTP server. The OGNL payload is placed in the URI of an HTTP request. Any type of HTTP method appears to work, whether valid (GET, POST, PUT, etc.) or invalid (e.g. “BALH”).

  4. Tomi Engdahl says:

    GitLab security update fixes critical account takeover flaw https://www.bleepingcomputer.com/news/security/gitlab-security-update-fixes-critical-account-take-over-flaw/
    GitLab has released a critical security update for multiple versions of its Community and Enterprise Edition products to address eight vulnerabilities, one of which allows account takeover. GitLab is a web-based Git repository for developer teams that need to manage their code remotely. It has approximately 30 million registered users and one million paying customers. Getting control over a GitLab account comes with severe consequences as hackers could gain access to developers’ projects and steal source code. Tracked as CVE-2022-1680 and rated with a critical severity score of 9.9, the vulnerability affects all GitLab versions 11.10 through 14.9.4, 14.10 through 14.10.3, and version 15.0. See also:
    https://about.gitlab.com/releases/2022/06/01/critical-security-release-gitlab-15-0-1-released/

  5. Tomi Engdahl says:

    The Fight Against Robocall Spam and Scams Heats Up in India https://www.wired.com/story/india-robocall-spam-caller-id/
    Indian phone users may not have to wonder who that “unknown” caller is for too much longer. Regulatory changes being considered might help them avoid that pesky telemarketer and the annoying call from a bank customer care executive trying to sell insurance. In an attempt to combat the plague of spam calls, India’s telecom regulator is in the process of drafting a consultation paper supporting a mechanism that would allow phones to display the name of a caller even if the number is not saved on that person’s phone. This name will be sourced from the Know Your Customer (KYC) data that telecom operators are required to collect from users before providing them with a SIM card.

  6. Tomi Engdahl says:

    Trend Micro Partners With Interpol and Nigeria’s EFCC for Operation Killer Bee, Takes Down Nigerian BEC Actors https://www.trendmicro.com/en_us/research/22/f/trend-micro-partners-with-interpol-and-nigeria-efcc-for-operatio.html
    Nigeria’s Economic and Financial Crimes Commission (EFCC) arrested three suspected scammers from Nigeria who were involved in global scamming campaigns via a sting operation that is part of Operation Killer Bee. The operation was led by Interpol and National Central Bureaus and law enforcement agencies in various Southeast Asian countries in partnership with Trend Micro, which provided information on the group and their modus operandi.

  7. Tomi Engdahl says:

    SMSFactory Android malware sneakily subscribes to premium services https://www.bleepingcomputer.com/news/security/smsfactory-android-malware-sneakily-subscribes-to-premium-services/
    Security researchers are warning of an Android malware named SMSFactory that adds unwanted costs to the phone bill by subscribing victims to premium services. SMSFactory has multiple distribution channels that include malvertising, push notifications, promotional pop-ups on sites, videos promising game hacks or adult content access.
    According to Avast, SMSFactory targeted more than 165,000 of its Android customers between May 2021 and May 2022, most of them located in Russia, Brazil, Argentina, Turkey, and Ukraine. While SMSFactory’s main goal is to send premium texts and make calls to premium phone numbers, Avast researchers noticed a malware variant that can also steal the contact list on compromised devices, likely to be used as another distribution method for the threat.

  8. Tomi Engdahl says:

    Atlassian Confluence Servers Hacked via Zero-Day Vulnerability
    https://www.securityweek.com/atlassian-confluence-servers-hacked-zero-day-vulnerability

    Atlassian scrambling to patch Confluence Server zero-day exploited by multiple threat groups

    Atlassian customers have been warned that hackers are exploiting a Confluence Server zero-day vulnerability. The flaw is currently unpatched and it appears to have been exploited by multiple threat groups.

    According to Atlassian, Confluence Server and Data Center are affected by a critical vulnerability that can be exploited by an unauthenticated attacker for remote code execution. The vendor warned in an advisory published on Thursday that the security hole, tracked as CVE-2022-26134, has been exploited in the wild.

    All supported versions of Confluence Server and Data Center are affected. Until a patch becomes available, users have been advised to prevent access to their Confluence servers from the internet, or simply disable these instances. Users can also reduce the risk of attacks by using a firewall to block URLs containing “${“.

    Atlassian expects fixes to become available by the end of the day on Friday, June 3.

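The Rapid7 analysis quoted in comment 3 (OGNL payload in the request URI, any HTTP method) and the interim mitigation quoted in comment 8 (block URLs containing “${”) together describe a simple log-side check. The following is an added example, not code from Atlassian, Rapid7 or this blog: it scans constructed access-log lines, undoes percent-encoding, and flags requests whose URI carries that marker without filtering on method. Host addresses, paths and the log format are assumptions for illustration.

```python
"""Scan web-server access logs for the CVE-2022-26134 indicator named in the
Atlassian advisory: a request URI that contains "${" once percent-encoding is
undone. Added example; log lines below are constructed, not real traffic."""
import re
from urllib.parse import unquote

# Constructed sample lines in common log format (hypothetical hosts and paths).
# Line 3 uses an invalid method on purpose: the analysis notes any method works.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Jun/2022:10:01:02 +0000] "GET /login.action HTTP/1.1" 200 1234
10.0.0.9 - - [03/Jun/2022:10:01:05 +0000] "GET /%24%7Bexample%7D/ HTTP/1.1" 302 0
10.0.0.9 - - [03/Jun/2022:10:01:06 +0000] "BALH /${example}/ HTTP/1.1" 302 0
10.0.0.7 - - [03/Jun/2022:10:02:00 +0000] "POST /rest/api/content HTTP/1.1" 200 88
10.0.0.9 - - [03/Jun/2022:10:03:00 +0000] "GET /%2524%257Bexample%257D/ HTTP/1.1" 302 0
"""

# Pulls method, URI and protocol out of the quoted request field.
REQUEST_RE = re.compile(r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>HTTP/[\d.]+)"')


def decode_uri(uri, rounds=2):
    """Undo up to `rounds` layers of percent-encoding, stopping once the text
    no longer changes. Two rounds catch the double-encoded form that a naive
    single-decode filter would miss."""
    for _ in range(rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


def uri_has_ognl_marker(uri):
    """True if the decoded URI contains the "${" sequence the advisory says to block."""
    return "${" in decode_uri(uri)


def scan_log(text):
    """Return (line_number, method, raw_uri) for every request whose URI carries
    the marker. The method is deliberately not used as a filter."""
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        if match and uri_has_ognl_marker(match.group("uri")):
            hits.append((number, match.group("method"), match.group("uri")))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("suspicious request:", hit)
```
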
  9. Tomi Engdahl says:

    TXOne Unveils New OT Network Security Appliance for SMB Manufacturers
    https://www.securityweek.com/txone-unveils-new-ot-network-security-appliance-smb-manufacturers

    TXOne Networks this week unveiled a new security appliance designed to help small and medium-sized manufacturers protect their operational technology (OT) networks against cyber threats.

    The new appliance, named EdgeIPS Pro 216, is compact and it can be deployed in a cabinet or IT rackmount.

    The product, advertised as ideal for harsh environments, leverages one-pass deep packet inspection technology, and offers IPS-based network segmentation with ICS/OT protocol filtering. Other capabilities include virtual patching and antivirus scanning.

    “By deeply analyzing network traffic on levels 2 through 7 and allowing for interoperability between key nodes, EdgeIPS Pro 216 provides attack information, event logs, early attack detection, and trust list-based filtering of control commands,” TXOne says.

    The device has eight sets of paired ports, provides 2Gbps of bandwidth, and supports a wide range of industrial protocols.

    EdgeIPS Pro 216 is expected to become available worldwide in July.

    TXOne Networks is a joint venture between cybersecurity firm Trend Micro and industrial networking solutions provider Moxa.

    https://www.txone.com/products/network-defense/edgeips-pro-216/

  10. Tomi Engdahl says:

    Lebanese Threat Actor ‘Polonium’ Targets Israeli Organizations
    https://www.securityweek.com/lebanese-threat-actor-polonium-targets-israeli-organizations

    Microsoft says it has uncovered and disabled the OneDrive infrastructure of a Lebanon-based threat actor targeting organizations in Israel.

    Based on victimology and tool and techniques overlaps, the previously-undocumented group, which is tracked by the tech giant as Polonium, appears to be collaborating with adversaries affiliated with Iran’s Ministry of Intelligence and Security (MOIS).

    According to Microsoft, such collaborations are not surprising, given that the government of Iran has been observed for roughly two years employing third parties to carry out its cyberoperations.

  11. Tomi Engdahl says:

    CISA Warns of Critical Vulnerabilities in Illumina Genetic Analysis Devices
    https://www.securityweek.com/cisa-warns-critical-vulnerabilities-illumina-genetic-analysis-devices

    The US Cybersecurity and Infrastructure Security Agency (CISA) this week issued an advisory to warn of critical vulnerabilities in Illumina genetic analysis devices that could allow a remote, unauthenticated attacker to take over an impacted product.

    The flaws affect Illumina Local Run Manager (LRM), which is used by sequencing instruments designed for clinical diagnostic use in the sequencing of a person’s DNA, testing for various genetic conditions, as well as research.

    The vulnerabilities CISA is warning about – four “critical severity” and one “high severity” – can be exploited to execute arbitrary code, to achieve directory traversal, upload arbitrary files, connect without authentication, and perform man-in-the-middle attacks.

    Tracked as CVE-2022-1517, CVE-2022-1518, and CVE-2022-1519, the most severe of these vulnerabilities feature a CVSS score of 10. They allow for remote code execution at operating system level (LRM runs with elevated privileges), the upload of data outside the intended directory structure, and the upload of arbitrary files, respectively.

    The fourth critical issue – CVE-2022-1521, CVSS score of 9.1 – exists because, by default, LRM does not feature authentication or authorization, which may allow an attacker to inject, intercept, or tamper with sensitive data.

    Tracked as CVE-2022-1524 (CVSS score of 7.4), the fifth vulnerability exists because TLS encryption is missing in LRM version 2.4 and lower, thus allowing a malicious actor to perform a man-in-the-middle attack and access in-transit sensitive data.

    “Successful exploitation of these vulnerabilities may allow an unauthenticated malicious actor to take control of the affected product remotely and take any action at the operating system level. An attacker could impact settings, configurations, software, or data on the affected product and interact through the affected product with the connected network,” CISA notes.

  12. Tomi Engdahl says:

    Foxconn Confirms Ransomware Hit Factory in Mexico
    https://www.securityweek.com/foxconn-confirms-ransomware-hit-factory-mexico

    Electronics manufacturing giant Foxconn has confirmed that its Tijuana-based Foxconn Baja California factory was hit by ransomware in late May.

    Specialized in consumer electronics, industrial operations, and medical devices, the facility employs roughly 5,000 people.

    “It is confirmed that one of our factories in Mexico experienced a ransomware cyberattack in late May. The company’s cybersecurity team has been carrying out the recovery plan accordingly,” Foxconn said, responding to a SecurityWeek inquiry.

    Foxconn also said that it is currently in the process of restoring normal operations at the factory, but did not provide a specific timeframe for completing the process.

    The electronics manufacturer also said that the impact of this attack on its overall operations is expected to be minimal.

    “The disruption caused to business operations will be handled through production capacity adjustment. The cybersecurity attack is estimated to have little impact on the Group’s overall operations,” the company said.

  13. Tomi Engdahl says:

    This Is The Worst Microsoft Office Virus I’ve Ever Seen
    https://www.youtube.com/watch?v=gRON5Ovd1XQ

    It’s one thing for MS Office to have a vulnerability, it’s another for that vulnerability to lead to RCE, but a NO CLICK RCE vulnerability codenamed Follina in Microsoft Word that doesn’t even require macros? That’s just insane, good thing I use LibreOffice!

  14. Tomi Engdahl says:

    Researchers Demonstrate Ransomware for IoT Devices That Targets IT and OT Networks
    https://thehackernews.com/2022/06/researchers-demonstrate-ransomware-for.html

  15. Tomi Engdahl says:

    Worrying Google study: only a quarter of dangerous websites can be blocked
    According to the study, Google’s browser is unable to block access to malicious sites.
    https://www.iltalehti.fi/tietoturva/a/7cf6fd1f-5f00-4fe1-a483-c8e0d881161a

    According to a recent study, Google’s Chrome browser manages to block users’ access to malicious sites in only about one case in four. The study was carried out by Which?, which specialises in consumer research, and was reported by the Independent.

    The study went through 800 recently discovered phishing sites. Of these, Chrome blocked only 28 percent when used on Windows and 25 percent when used on a Mac.

    Which? repeated the test with other browsers as well. Mozilla’s Firefox fared much better, blocking access in 85% of cases on Windows and 78% on Mac.

    There are a great many phishing sites in circulation. Criminals try to lead people to these pages through various scam messages to fill in their personal and banking details. These sites can also be used in attempts to distribute malware and viruses.

    Google Chrome only blocking a quarter of phishing websites, researchers claim
    A new study by Which? said it found Google’s web browser was failing to block access to suspicious websites.
    https://www.independent.co.uk/tech/google-chrome-phishing-websites-block-b2087239.html

    Google’s Chrome web browser is only preventing users from visiting around a quarter of suspicious sites that are likely to be part of phishing scams, Which? has claimed.

    The consumer group said a study searching the web addresses of 800 newly discovered phishing sites in a web browser saw Chrome block only 28% when used on Windows and 25% on an Apple Mac computer.

  16. Tomi Engdahl says:

    Mandiant: “No evidence” we were hacked by LockBit ransomware https://www.bleepingcomputer.com/news/security/mandiant-no-evidence-we-were-hacked-by-lockbit-ransomware/
    American cybersecurity firm Mandiant is investigating LockBit ransomware gang’s claims that they hacked the company’s network and stole data. The ransomware group published a new page on its data leak website earlier today, saying that the 356,841 files they allegedly stole from Mandiant will be leaked online. LockBit is yet to reveal what files it claims to have stolen from Mandiant’s systems since the file listing on the leak page is empty. When BleepingComputer reached out for more details on LockBit’s claims, the threat intel firm said it hadn’t yet found evidence of a breach.

  17. Tomi Engdahl says:

    Hackers struck Russia’s construction ministry: “Glory to Ukraine”
    https://www.tivi.fi/uutiset/tv/94d23a73-da93-4e90-b765-fcf8e0728181
    Russia’s Ministry of Construction, Housing and Utilities was hit by a cyberattack on 5 June. A hacker message placed on the ministry’s Russian-language front page says that the ministry’s entire database has been stolen and may be published on a hacker forum.
    According to the independent Novaja Gazeta Europe, the attack was carried out by hackers belonging to the DumpForums.com group. It is most likely an extortion attack, as the hackers demand that the ministry pay 0.5 bitcoin if it does not want the stolen data made public.

  18. Tomi Engdahl says:

    Windows zero-day exploited in US local govt phishing attacks https://www.bleepingcomputer.com/news/security/windows-zero-day-exploited-in-us-local-govt-phishing-attacks/
    European governments and US local governments were the targets of a phishing campaign using malicious Rich Text Format (RTF) documents designed to exploit a critical Windows zero-day vulnerability known as Follina. “Proofpoint blocked a suspected state aligned phishing campaign targeting less than 10 Proofpoint customers (European gov & local US gov) attempting to exploit Follina/CVE_2022_30190,” security researchers at enterprise security firm Proofpoint revealed. The attackers used salary increase promises to bait employees to open the lure documents, which would deploy a PowerShell script as the final payload. As BleepingComputer found while checking the final PowerShell payload of this attack, the threat actors are harvesting large amounts of info, revealing this campaign’s reconnaissance nature since the collected data can be used for initial access. “While Proofpoint suspects this campaign to be by a state aligned actor based on both the extensive recon of the Powershell and tight concentration of targeting, we do not currently attribute it to a numbered TA,” the security researchers said.

  19. Tomi Engdahl says:

    Italian city of Palermo shuts down all systems to fend off cyberattack https://www.bleepingcomputer.com/news/security/italian-city-of-palermo-shuts-down-all-systems-to-fend-off-cyberattack/
    The municipality of Palermo in Southern Italy suffered a cyberattack on Friday, which appears to have had a massive impact on a broad range of operations and services to both citizens and visiting tourists.
    Palermo is home to about 1.3 million people, the fifth most populous city in Italy. The area is visited by another 2.3 million tourists every year. Although local IT experts have been trying to restore the systems for the past three days, all services, public websites, and online portals remain offline. Italy recently received threats from the Killnet group, a pro-Russian hacktivist group that attacks countries supporting Ukraine with resource-depleting cyberattacks known as DDoS (distributed denial of service). While some were quick to point the finger at Killnet, the cyberattack on Palermo bears the signs of a ransomware attack rather than a DDoS.

  20. Tomi Engdahl says:

    Someone is trying to secretly empty your bank account: this message is not from the bank but from criminals
    https://www.iltalehti.fi/tietoturva/a/75dbd5e3-59db-400e-b9e6-0d69c6ecab76
    Various scam campaigns are once again widely in circulation. Bank-themed scam messages in particular now seem to be on the rise.
    Scammers pose as the customer service of banks operating in Finland, sending emails claiming that suspicious activity has been detected on the account or that use of the account has been blocked.
    The messages are written in Finnish and their language is mostly good.
    Scam messages have previously circulated in the form of text messages as well. The message contains a link to a phishing site where the victim is prompted to enter their banking credentials. If the credentials are entered and the confirmation code is given, criminals may gain access to the account.

  21. Tomi Engdahl says:

    Ransomware gangs now give victims time to save their reputation https://www.bleepingcomputer.com/news/security/ransomware-gangs-now-give-victims-time-to-save-their-reputation/
    Threat analysts have observed an unusual trend in ransomware group tactics, reporting that initial phases of victim extortion are becoming less open to the public as the actors tend to use hidden or anonymous entries. By not disclosing the victim’s name immediately, the ransomware operatives give their targets a more extended opportunity to negotiate the ransom payment in secrecy while still maintaining a level of pressure in the form of a future data leak.
    KELA, an Israeli cyber-intelligence specialist, has published its Q1 2022 ransomware report that illustrates this trend and highlights various changes in the field. The report:
    https://ke-la.com/wp-content/uploads/2022/06/KELA-RESEARCH-RANSOMWARE-VICTIMS-AND-NETWORK-ACCESS-SALES-IN-Q1-2022.pdf

  22. Tomi Engdahl says:

    https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/
    This blog post documents some of the TTPs employed by a threat actor group who were observed deploying Black Basta ransomware during a recent incident response engagement, as well as a breakdown of the executable file which performs the encryption. Black Basta are a ransomware group who have recently emerged, with the first public reports of attacks occurring in April this year. As is popular with other ransomware groups, Black Basta uses double-extortion attacks where data is first exfiltrated from the network before the ransomware is deployed. The threat actor then threatens to leak the data on the “Black Basta Blog” or “Basta News” Tor site.

  23. Tomi Engdahl says:

    Will the Real Msiexec Please Stand Up? Exploit Leads to Data Exfiltration https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/
    In this multi-day intrusion, we observed a threat actor gain initial access to an organization by exploiting a vulnerability in ManageEngine SupportCenter Plus. The threat actor discovered files on the server and dumped credentials using a web shell, moved laterally to key servers using Plink and RDP, and exfiltrated sensitive information using the web shell and RDP. The FBI and CISA published an advisory noting that APT attackers were using CVE-2021-44077 to gain initial access to the networks of organizations in Critical Infrastructure Sectors such as the healthcare, financial, electronics and IT consulting industries.

  24. Tomi Engdahl says:

    Atlassian Patches Confluence Zero-Day as Exploitation Attempts Surge
    https://www.securityweek.com/atlassian-patches-confluence-zero-day-exploitation-attempts-surge

    Atlassian informed customers on Friday that it has released patches for the critical Confluence Server vulnerability that has been exploited in attacks. The announcement came just before cybersecurity organizations warned that exploitation attempts have spiked.

    Volexity informed Atlassian on May 31 that its employees had become aware of a Confluence Server zero-day vulnerability following an incident response investigation.

    The flaw, tracked as CVE-2022-26134, appears to affect all supported versions of Confluence Server and Data Center. The vendor initially made available workarounds and mitigations on June 2, and on Friday it released versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1 to patch the vulnerability.

    The vendor said no Atlassian Cloud sites have been impacted. All potentially vulnerable customers have been notified directly about the fix.

  25. Tomi Engdahl says:

    Critical Account Takeover Vulnerability Patched in GitLab Enterprise Edition
    https://www.securityweek.com/critical-account-takeover-vulnerability-patched-gitlab-enterprise-edition

    DevOps platform GitLab has announced security updates that resolve multiple vulnerabilities, including a critical-severity bug leading to account takeover.

    Tracked as CVE-2022-1680 (CVSS score of 9.9), the security issue was identified in GitLab Enterprise Edition (EE) and it affects all versions from 11.10 before 14.9.5, from 14.10 before 14.10.4, and from 15.0 before 15.0.1.

    “When group SAML SSO is configured, the SCIM feature (available only on Premium+ subscriptions) may allow any owner of a Premium group to invite arbitrary users through their username and email, then change those users’ email addresses via SCIM to an attacker-controlled email address,” GitLab explains.

    Thus, should no two-factor authentication option be enabled on the impacted accounts, such actions would result in the attacker taking them over. The attacker would then be able to change the display name and username of the accounts.

    The platform recommends that self-managed administrators check whether group_saml is enabled on their deployments. The Configuring Group SAML on a self-managed GitLab instance documentation provides further information on this.

    GitLab says it has also addressed two high-severity flaws in GitLab EE and GitLab Community Edition (CE).

    Tracked as CVE-2022-1940 (CVSS score of 7.7), the first of these issues is described as a cross-site scripting (XSS) in GitLab EE’s Jira integration, which could allow an attacker to craft Jira issues and achieve arbitrary JavaScript code execution.

  26. Tomi Engdahl says:

    Critical U-Boot Vulnerability Allows Rooting of Embedded Systems
    https://www.securityweek.com/critical-u-boot-vulnerability-allows-rooting-embedded-systems

    A critical vulnerability in the U-Boot boot loader could be exploited to write arbitrary data, which can allow an attacker to root Linux-based embedded systems, according to NCC Group.

    An open-source boot loader, U-Boot is used in various types of embedded systems, including ChromeOS and Android. It supports multiple architectures, including 68k, ARM, x86, MIPS, Nios, PPC, and more.

    NCC Group explains that the IP defragmentation algorithm implemented in U-Boot is plagued by two vulnerabilities that can be exploited from the local network by crafting malformed packets.

    Tracked as CVE-2022-30790 (CVSS score of 9.6), the first of the vulnerabilities exposes the defragmentation algorithm to a hole descriptor overwrite attack, NCC’s researchers say.

    Because of this security bug, the metadata and fragment can be forged to point to the same location, which leads to the metadata being overwritten with fragmented data.

    An attacker can trigger an arbitrary write by sending a second fragment, “whose offset and length only need to fit within the hole pointed to by the previously controlled metadata.”

  27. Tomi Engdahl says:

    Patrick Radden Keefe / New Yorker:
    An in-depth look at attempts by the US to prosecute hot-headed coder Joshua Schulte, who allegedly leaked the CIA’s hacking arsenal, ahead of his June 13 trial

    The Surreal Case of a C.I.A. Hacker’s Revenge
    A hot-headed coder is accused of exposing the agency’s hacking arsenal. Did he betray his country because he was pissed off at his colleagues?
    https://www.newyorker.com/magazine/2022/06/13/the-surreal-case-of-a-cia-hackers-revenge?currentPage=all

    C.I.A. office with an ostentatiously bland name: the Operations Support Branch. It is the agency’s secret hacker unit, in which a cadre of élite engineers create cyberweapons.

    “O.S.B. was focussed on what we referred to as ‘physical-access operations,’ ” a senior developer from the unit, Jeremy Weber—a pseudonym—explained. This is not dragnet mass surveillance of the kind more often associated with the National Security Agency. These are hacks, or “exploits,” designed for individual targets. Sometimes a foreign terrorist or a finance minister is too sophisticated to be hacked remotely, and so the agency is obliged to seek “physical access” to that person’s devices. Such operations are incredibly dangerous: a C.I.A. officer or an asset recruited to work secretly for the agency—a courier for the terrorist; the finance minister’s personal chef—must surreptitiously implant the malware by hand. “It could be somebody who was willing to type on a keyboard for us,” Weber said. “It often was somebody who was willing to plug a thumb drive into the machine.” In this manner, human spies, armed with the secret digital payloads designed by the Operations Support Branch, have been able to compromise smartphones, laptops, tablets, and even TVs: when Samsung developed a set that responded to voice commands, the wizards at the O.S.B. exploited a software vulnerability that turned it into a listening device.

    The members of the O.S.B. “built quick-reaction tools,” Anthony Leonis, the chief of another cyberintelligence unit of the C.I.A., said. “That branch was really good at taking ideas and prototypes and turning them into tools that could be used in the mission, very quickly.” According to the man who supervised the O.S.B., Sean, the unit could be “a high-stress environment,” because it was supporting life-or-death operations. (With a few exceptions, this piece refers to agency employees by pseudonyms or by their first names.)

    But, while these jobs were cutting edge and—at least vicariously—dangerous, the O.S.B. was, in other respects, just like any office. There was a bullpen of cubicle workstations. A dozen or so people clocked in every day. “We were kind of known as the social branch,”

    Sometimes people got carried away, and work was paused for some sustained bombardment. But Silicon Valley was known for tricking out offices with foosball tables and climbing walls, and it’s likely that the C.I.A. wanted to foster a loose culture on the hacking team, to help engineers remain innovative and, when necessary, blow off steam.

    On March 7, 2017, the Web site WikiLeaks launched a series of disclosures that were catastrophic for the C.I.A. As much as thirty-four terabytes of data—more than two billion pages’ worth—had been stolen from the agency. The trove, billed as Vault 7, represented the single largest leak of classified information in the agency’s history. Along with a subsequent installment known as Vault 8, it exposed the C.I.A.’s hacking methods, including the tools that had been developed in secret by the O.S.B., complete with some of the source code. “This extraordinary collection . . . gives its possessor the entire hacking capacity of the C.I.A.,” WikiLeaks announced. The leak dumped out the C.I.A.’s toolbox: the custom-made techniques that it had used to compromise Wi-Fi networks, Skype, antivirus software. It exposed Brutal Kangaroo and AngerQuake. It even exposed McNugget.

    But who could have stolen the data? In a statement, WikiLeaks suggested that the person who shared the intelligence wished “to initiate a public debate” about the use of cyberweapons. But WikiLeaks had also shown, quite recently, a willingness to be a mouthpiece for foreign intelligence services: in 2016, the site had released e-mails from the Democratic National Committee which had been stolen by hackers working on behalf of the Kremlin. Vault 7, some observers speculated, might also be the work of a hostile government.

    As the intelligence community mobilized to identify the source of the leak, the federal government found itself in an awkward position—because Donald Trump, shortly before being elected President, had celebrated the hacking of Democratic officials, declaring, “I love WikiLeaks.”

    The F.B.I. began an investigation, and agents worked around the clock. But an atmosphere of paranoia enshrouded the inquiry. One F.B.I. agent described how a C.I.A. officer who was approached for an interview reacted with reflexive suspicion, pointing out that anyone “can say they’re an F.B.I. agent.”

    The Bureau was pursuing what it calls an “unsub”—or “unknown subject”—investigation. “A crime had been committed; we didn’t yet know who had committed it,” one of the lead investigators, Richard Evanchec, later testified. Fairly quickly, the agents ruled out a foreign power as the culprit, deciding that the unsub must be a C.I.A. insider. They zeroed in on the classified computer network from which the data had been stolen—and on the agency employees who had access to that network. Among those who did were the O.S.B. hackers on the ninth floor of the agency’s secret cyber installation in Virginia.

    This was a befuddling prospect: the O.S.B. engineers devoted their professional lives to concocting clandestine digital weapons. Making public the source code would render their inventions useless. Why destroy your own work? As the F.B.I. interviewed members of the team, a suspect came into focus: Joshua Schulte. Voldemort.

    Schulte felt that his superiors weren’t taking his accusations seriously. He neither liked nor respected Karen, his ultimate boss, referring to her as a “dumb bitch.” One C.I.A. security official responded to the dispute by saying that he couldn’t play “high school counselor,” which only exacerbated Schulte’s anger.

    Schulte escalated the matter by complaining to the director of the cyberintelligence division, Bonnie Stith—an agency veteran who oversaw several thousand employees. One might suppose that she had more pressing matters to contend with, but she offered to sit down with Schulte and Amol and try to broker peace.

    Schulte was furious to learn that he had to switch desks. He said that he would relocate only if his managers issued the directive in writing. So they did. Even then, he refused to fully move. He didn’t like the new location. It had no window. It was an “intern desk,” he scoffed; Amol, meanwhile, had been “ ‘promoted’ to a better desk,” leaving Schulte “exposed to questions and ridicule about why I was demoted.”

    This was a startling departure from normal conduct for the C.I.A. The agency has an estimated twenty thousand employees, and, because of the sensitivity of its work, it enjoys remarkable autonomy within the federal government, sometimes appearing to operate as a self-governing fief

    And so Schulte, without asking for authorization, reassigned himself access to his old project. When his managers learned of this, they were so alarmed that they stripped Schulte of his administrator privileges. Weber later said of Schulte’s transgression, “The agency exists in a world of trust. We are granted access to classified information, and we are trusted to only use that information for the expressed reasons we’re given access to it.” If you can’t “trust the person that you’re working with,” he pointed out, you’re in trouble.

    Official secrecy is a slippery phenomenon. Organizations such as WikiLeaks espouse an absolutist commitment to transparency, but, in a world where genuinely bad actors exist and the interests of nation-states don’t always align, most Americans would acknowledge the need for some degree of secrecy, as a prerogative of statecraft and national defense. Nevertheless, the U.S. system of classification has grown wildly out of control.

    One could debate whether the term “whistle-blower” is adequate to describe someone who leaks gigabytes of data. But it’s clear that these wholesale digital disclosures are themselves an unintended consequence of overclassification.

    Unlike other prominent digital leakers, Schulte did not seem like an ideological whistle-blower.

    Even as F.B.I. investigators pinpointed Schulte as the prime suspect, their work was frustrated by the pageantry of overclassification. WikiLeaks had posted the Vault 7 tools on the Web, where anyone could see them, but officially the C.I.A. and the F.B.I. maintained that the documents remained classified. As a result, only investigators who held the necessary security clearances were permitted even to access WikiLeaks to see what had been stolen. F.B.I. officials were so nervous about visiting the Web site using Bureau computers or Internet connections (thereby possibly exposing their own networks to a cyber intrusion) that they dispatched an agent to purchase a new laptop and visit the Web site from the safety of a Starbucks. Once the Vault 7 materials had been downloaded from the Internet, the laptop itself became officially classified, and had to be stored in a secure location. But the evidence locker normally used by agents, which held drugs and other seized evidence, wouldn’t do, because it was classified only up to the Secret level. Instead, the investigators stored the laptop in a supervisor’s office, in a special safe that had been certified to hold Top Secret documents—even though anyone could go to the Internet to see the materials that were on it.

    The F.B.I. seized his computer hardware, for forensic analysis. When computer scientists at the Bureau examined Schulte’s desktop, they discovered a “virtual machine”—an entire operating system nested within the computer’s standard operating system. The virtual machine was locked with strong encryption, meaning that, unless they could break the code or get the key from Schulte—both of which seemed unlikely—they couldn’t access it. But they also had Schulte’s cell phone, and when they checked it they discovered another startling lapse in operational security: he had stored a bunch of passwords on his phone.

    One of the passwords let the investigators bypass the encryption on the virtual machine. Inside, they found a home directory—also encrypted. They consulted Schulte’s phone again, and, sure enough, another stored password unlocked the directory. Next, they found an encrypted digital lockbox—a third line of defense. But, using encryption software and the same password that had unlocked the virtual machine, they managed to access the contents. Inside was a series of folders. When the investigators opened them, they found an enormous trove of child pornography.

    When Schulte was in college, he argued on his blog that pornography is a form of free expression which “is not degrading to women” and “does not incite violence.”

    When F.B.I. investigators searched Schulte’s phone, they found something especially alarming: a photograph that looked as though it had been taken inside the house in Sterling, Virginia, where he had lived while working for the C.I.A. The photograph was of a woman who looked like she was passed out on the bathroom floor.

    Schulte reflected, “I’ve lost my job, health insurance, friends, my reputation, and an entire year of my life—and this is only the beginning.” But he vowed to go down swinging and “bring this ‘justice’ system crumbling to its knees.”

    First, he would need a phone. At the prison, he could make calls on pay phones—but they were monitored and did not offer Internet access. Luckily, black-market smartphones were easy to come by

    Schulte figured out a way to hot-wire a light switch in his cell so that it worked as a cell-phone charger. (The person who knew Schulte during this period praised his innovation, saying, “After that, all M.C.C. phones were charged that way.”)

    On an encrypted Samsung phone, Schulte created an anonymous Facebook page called John Galt’s Legal Defense Fund and posted some of his prison writings. He set up a Twitter account, @FreeJasonBourne, and, in a drafts folder, he saved a tweet that said, “The @Department of Justice arrested the wrong man for Vault 7. I personally know exactly what happened, as do many others. Why are they covering it up?” Schulte also contacted Shane Harris, a journalist at the Washington Post. In messages to Harris, Schulte pretended to be other people

    Astonishingly, it appears that Schulte may have even made contact with WikiLeaks during this period. In a Twitter post on June 19, 2018, WikiLeaks released seven installments of Schulte’s prison writings, billing them as an account in which the “Alleged CIA #Vault7 whistleblower” would finally speak out in “his own words.”

    Carlos Luna, informed prison authorities that Schulte had a cell phone.

    When this news reached the F.B.I., officials panicked: if Schulte could surreptitiously make calls and access the Internet, there was a danger that he was continuing to leak. “There was a great deal of urgency to find the phone,” one Bureau official later acknowledged.

    After they recovered the device, investigators found that it was encrypted—but also that Schulte, true to form, had written the password down in one of his notebooks. He was placed in solitary confinement.

    The criminal trial of Joshua Schulte, which commenced on February 4, 2020, at the federal courthouse in Manhattan, was unlike any other in U.S. history. A decision had been made to postpone the child-pornography indictment and the Virginia sexual-assault charge; both cases could be pursued at a later date. For now, the government focussed on Vault 7, issuing ten charges, ranging from lying to the F.B.I. to illegal transmission of classified information. It had taken federal prosecutors three years to assemble the evidence that they would present in court,

    As the proceedings got under way, the theatre of secrecy was conspicuous: most of the C.I.A. witnesses would appear using pseudonyms, or would be identified only by their first names.

    The parade of witnesses from the C.I.A. offered a rare glimpse of the office dynamics in a Top Secret unit.

    But Shroff’s defense strategy rested on a sly pivot: she readily conceded that Schulte was an asshole.

    Shroff further suggested that the story of Vault 7 was a parable not about the rash decision of one traitor but about the systemic ineptitude of the C.I.A. The agency didn’t even realize that it had been robbed, she pointed out, until WikiLeaks began posting the disclosures. “For God’s sakes,” Shroff said in court. “They went a whole year without knowing that their super-secure system had been hacked.” Then the agency embarked on a witch hunt, she continued, and quickly settled on an “easy target”: Schulte. Within this narrative, the string of prosecution witnesses recounting horror stories about Schulte’s workplace behavior almost seemed to play in Shroff’s favor. Her client was a scapegoat, she insisted—the guy nobody liked.

    The government had amassed a powerful case indicating that Schulte was the leaker. It was abundantly clear that he had motivations for taking revenge on the C.I.A.

    Even after Schulte was stripped of his administrative privileges, he had secretly retained the ability to access the O.S.B. network through a back door, by using a special key that he had set up. The password was KingJosh3000. The government contended that on April 20, 2016, Schulte had used his key to enter the system. The files were backed up every day, and while he was logged on Schulte accessed one particular backup—not from that day but from six weeks earlier, on March 3rd. The O.S.B. files released by WikiLeaks were identical to the backup from March 3, 2016. As Denton told the jurors, it was the “exact backup, the exact secrets, put out by WikiLeaks.”

    But all this was quite a complex fact pattern to present to a jury, involving virtual machines and administrative privileges and backups and logs; much of the expert testimony presented by the prosecutors was bewilderingly technical. Shroff, meanwhile, insisted that Schulte hadn’t stolen the data. Perhaps someone else in the office—or at the agency—had done it. The real outrage was that a crucial C.I.A. computer network, Devlan, had been unprotected. Hundreds of people had access to Devlan, including not just C.I.A. employees but contractors. The C.I.A.’s hackers appear to have disregarded even the kinds of elementary information-security protocols that any civilian worker bee can recite from mandatory corporate training. Coders exchanged passwords with one another, and sometimes shared sensitive details on Post-it notes. They used passwords that were laughably weak, including 123ABCdef. (A classified damage assessment conducted by the C.I.A. after the Vault 7 exposure concluded that security procedures had indeed been “woefully lax,” and that the agency’s hackers “prioritized building cyber weapons at the expense of securing their own systems.”)

    Nevertheless, the prosecutors presented striking circumstantial evidence indicating that Schulte had probably transmitted the material to WikiLeaks. On April 24th, he downloaded Tails, an operating system that WikiLeaks recommends for submitting data to the organization; on April 30th, he stayed up all night, frequently checking his computer, and at 3:21 a.m. he consulted a Web page that offered guidance on how to make sure that a terabyte of data has been “transferred correctly.” That evening, he also searched for tips on how to wipe a device of its contents. What the government could not prove was any direct communication between Schulte and WikiLeaks.

    Hovering over the proceedings was a dark question: how much harm had been caused by the leak? When Shroff cross-examined Sean Roche, the C.I.A. official who described Vault 7 as a “digital Pearl Harbor,” she asked, “How many people died in Pearl Harbor?”

    “More than three thousand,” Roche replied.

    How many people died as a result of Vault 7? she asked.

    “I don’t have an answer to that,” Roche said.

    “In fact, none, correct?” Shroff said.

    Roche was probably being hyperbolic. But this may have been an instance in which the secrecy surrounding the case put the government at a disadvantage.

    After China uncovered a network of U.S. intelligence assets operating inside its borders in 2010, authorities in Beijing systematically rounded up a dozen people who had secretly been working for the C.I.A. and murdered them, crippling American espionage efforts in the country for years to come. That deadly purge did not become public knowledge until it was reported in the press, in 2017.

    As the jurors began deliberations, they sent out a series of notes with questions that seemed to indicate some genuine confusion about the technical aspects of the government’s case. On March 9th, they convicted Schulte of two lesser charges—contempt of court and lying to the F.B.I.—but hung on the eight more serious counts, including those accusing him of transmitting national-security secrets to WikiLeaks. Judge Crotty declared a mistrial.

    The prosecution had clearly blundered by getting so mired in technical minutiae, and Shroff had ably defended her client.

    Endless revelations concerning warrantless wiretapping, the use of torture, and extrajudicial killing have done little to enhance the prestige or the moral standing of America’s defense and intelligence establishment. And many people consider Snowden and Manning, along with Julian Assange, the founder of WikiLeaks, to be heroes. Of course, in Schulte’s case there did not appear to be any moral imperative driving the leak. If he did it, he wasn’t blowing the whistle but seeking payback. And he continued to deny that he did it.

    The mistrial was a devastating turn for the government

    “You mean he wasn’t acquitted?” The child-pornography and sexual-assault cases have still not been resolved.

    Schulte currently resides at the Metropolitan Detention Center, in Brooklyn, where he has been preparing for his new trial

    The new trial is scheduled to begin on June 13th. The government seems unlikely to present quite as much evidence of Schulte’s antisocial behavior this time. It may abbreviate the technical evidence, too.

    The government does not bring a lawsuit every time it identifies somebody who has inappropriately leaked classified information. On the contrary, a decision is often made to settle the matter quietly, rather than risk further exposure of secrets in a public trial. Schulte might well attempt to force the disclosure of so many secrets that the authorities will feel compelled to drop the charges against him or to offer an attractive plea deal. There may be some threshold of disclosure beyond which the C.I.A. will not venture.

    Reply
  28. Tomi Engdahl says:

    Apple’s New Feature Will Install Security Updates Automatically Without Full OS Update https://thehackernews.com/2022/06/apples-new-feature-will-install.html
Apple has introduced a Rapid Security Response feature in iOS 16 and macOS Ventura that’s designed to deploy security fixes without the need for a full operating system version update. The feature, which also works on iOS, aims to separate regular software updates from critical security improvements, which are applied automatically so that users are quickly protected against in-the-wild attacks and unexpected threats. It’s worth noting that Apple tested an analogous option in iOS 14.5. Rapid Security Response, viewed in that light, mirrors a similar approach taken by Google through Play Services and Play Protect to secure Android devices from malware and other kinds of fraud.

    Reply
  29. Tomi Engdahl says:

    Android June 2022 updates bring fix for critical RCE vulnerability
    https://www.bleepingcomputer.com/news/security/android-june-2022-updates-bring-fix-for-critical-rce-vulnerability/
    Google has released the June 2022 security updates for Android devices running OS versions 10, 11, and 12, fixing 41 vulnerabilities, five rated critical. The security update is separated into two levels, released on June 1 and June 5. The first one contains patches for Android system and framework components and the second one includes updates for kernel and third-party vendor closed source components. Of the five critical vulnerabilities addressed this month, the one that stands out is CVE-2022-20210, a remote code execution flaw that threat actors can leverage without very demanding prerequisites.

    Reply
  30. Tomi Engdahl says:

Apple ‘passkeys’ could finally kill off the password for good
    https://techcrunch.com/2022/06/06/apple-passkeys-look-to-kill-off-the-password-for-good/
    It’s no secret that passwords are insecure, with easily guessable credentials accounting for more than 80% of all data breaches, per Verizon’s annual data breach report. Passkeys eliminate the need for passwords entirely, according to Apple, and are much less susceptible to being stolen in the case of a data breach or phishing attempt.
    Passkeys are based on the Web Authentication API (WebAuthn), a standard that uses public-key cryptography instead of passwords for authenticating users to websites and applications, and are stored on-device rather than on a web server. The digital password replacement uses Touch ID or Face ID for biometric verification, which means that rather than having to input a long string of characters, an app or website you’re logging into will push a request to your phone for authentication.

    Reply
  31. Tomi Engdahl says:

    Apple’s Safety Check combats domestic abuse but timing its use is critical https://www.zdnet.com/article/apples-safety-check-combats-domestic-abuse-but-timing-its-use-is-critical/
    Apple has debuted a new mobile tool to wrestle away control in coercive, domestic violence situations — but timing is crucial if you have to use this feature. The feature, Apple Safety Check, has been designed to help tackle domestic abuse and intimate partner violence (IPV). Apple has worked with organizations, including the National Network To End Domestic Violence (NNEDV) and the National Center for Victims of Crime (NCV) to design this new feature. Safety Check is making its debut in iOS 16, the next upgrade to Apple’s mobile operating system. iOS 16 is in beta and is expected to become widely available in the fall.

    Reply
  32. Tomi Engdahl says:

    Researchers Warn of Spam Campaign Targeting Victims with SVCReady Malware https://thehackernews.com/2022/06/researchers-warn-of-spam-campaign.html
A new wave of phishing campaigns has been observed spreading a previously documented malware called SVCReady. “The malware is notable for the unusual way it is delivered to target PCs using shellcode hidden in the properties of Microsoft Office documents,” Patrick Schläpfer, a threat analyst at HP, said in a technical write-up.
    SVCReady is said to be in its early stage of development, with the authors iteratively updating the malware several times last month.
    First signs of activity date back to April 22, 2022.

    Reply
  33. Tomi Engdahl says:

    Hackers can take over accounts you haven’t even created yet https://blog.malwarebytes.com/hacking-2/2022/06/hackers-can-take-over-accounts-you-havent-even-created-yet/
Account hijacking has sadly become a regular, everyday occurrence. But when it comes to hijacking accounts before they are even created? That’s something you’d never think possible, but it is. Two security researchers, Avinash Sudhodanan and Andrew Paverd, call this new class of attack a “pre-hijacking attack.” Unfortunately, many websites and online services, including high-traffic ones, are not immune to it. In fact, the researchers found that more than 35 of the 75 most popular websites are vulnerable to at least one pre-hijacking attack.

    Reply
  34. Tomi Engdahl says:

Finland Chamber of Commerce (Keskuskauppakamari) survey: Hybrid influencing aimed at companies has increased; interruption of electricity distribution is the biggest threat to companies https://kauppakamari.fi/tiedote/keskuskauppakamarin-selvitys-yrityksiin-kohdistuva-hybridivaikuttaminen-lisaantynyt-sahkonjakelun-keskeytyminen-yrityksille-suurin-uhka/
According to the survey “Hybrid influencing aimed at companies 2022”, carried out by the Finland Chamber of Commerce together with the National Emergency Supply Agency (Huoltovarmuuskeskus), half of companies would be unable to stay in operation or move their operations to a new location if electricity distribution were interrupted. Disruption of digital services and the internet also ranks high among companies’ concerns. According to the survey, hybrid influencing aimed at large companies in particular has increased, and the likelihood of influencing aimed at companies has grown.
Companies want information from the authorities as well as from the media.

    Reply
  35. Tomi Engdahl says:

Black Basta Ransomware Goes Cross-Platform, Now Targets ESXi Systems https://www.uptycs.com/blog/black-basta-ransomware-goes-cross-platform-now-targets-esxi-systems
The Uptycs Threat Research team recently observed an advancement in the Black Basta ransomware, where we saw that the ransomware binaries are now targeting ESXi servers. Black Basta was first seen this year during the month of April, when its variants targeted Windows systems. This blog highlights the recent addition of the *nix component to the Black Basta ransomware by the ransomware authors.

    Reply
  36. Tomi Engdahl says:

HTTP/3 evolves into RFC 9114: a security advantage, but not without challenges https://portswigger.net/daily-swig/http-3-evolves-into-rfc-9114-a-security-advantage-but-not-without-challenges
    This week, the Internet Engineering Task Force (IETF) released HTTP/3, published as RFC 9114. The HTTP protocol is the backbone of the web.
The Hypertext Transfer Protocol (HTTP) acts as an application layer for facilitating communication between servers and browsers, fetching resources, and transferring data. HTTPS is HTTP with additional security via encryption. HTTP/3 is the latest revision of the HTTP protocol, taking over from 2015’s HTTP/2. HTTP/3 is designed to address some of the performance issues inherent in HTTP/2, improving the user experience, decreasing the impact of packet loss without head-of-line blocking, speeding up handshake requirements, and enabling encryption by default. The protocol utilizes space congestion control over User Datagram Protocol (UDP).

    Reply
