This posting is here to collect cyber security news in June 2022.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
381 Comments
Tomi Engdahl says:
Technical Details Released for Recently Patched Zyxel Firewall Vulnerabilities
https://www.securityweek.com/technical-details-released-recently-patched-zyxel-firewall-vulnerabilities
Security researchers with HN Security have published technical details on two vulnerabilities affecting many Zyxel products.
Tracked as CVE-2022-26531 and CVE-2022-26532, the two security holes were addressed in late May 2022 with patches for multiple firewalls, access points (APs), and AP controllers.
The vulnerabilities impact the Zyxel zysh binary, a restricted shell that implements the command-line interface (CLI) on a variety of Zyxel products. The CLI can be accessed via SSH and Telnet (which is not enabled by default), or via a web console, reachable via a browser.
HN Security’s researchers identified multiple issues in the binary, including several stack-based buffer overflows in code that handles diagnostic tests, two stack-based buffer overflows in the “debug” and “ssh” commands, several format string bugs, and a command injection bug.
Tomi Engdahl says:
Google Patches Critical Android Vulnerabilities With June 2022 Updates
https://www.securityweek.com/google-patches-critical-android-vulnerabilities-june-2022-updates
Google this week announced that the latest Android patches resolve a total of 40 vulnerabilities, including several rated “critical.”
The most severe of the flaws addressed with the June 2022 security updates, Google says, impacts the System component and could lead to remote code execution (RCE). Tracked as CVE-2022-20127, the vulnerability impacts Android versions 10, 11, 12, and 12L.
“The most severe of these issues is a critical security vulnerability in the System component that could lead to remote code execution with no additional execution privileges needed,” Google notes in its advisory.
Two other critical-severity vulnerabilities were resolved in System with this month’s set of Android updates, both of which could lead to elevation of privilege.
Tracked as CVE-2022-20140, the first of these impacts Android 12 and 12L. The second bug, CVE-2022-20145, impacts Android 11.
Another critical-severity flaw patched in Android this month was found in the Media Framework. Tracked as CVE-2022-20130, it may lead to RCE on devices running Android 10 and newer.
All four vulnerabilities were resolved as part of the 2022-06-01 security patch level, which also includes fixes for five security bugs in Framework and 13 other vulnerabilities in the System component, all of which are rated “high severity.”
https://source.android.com/security/bulletin/2022-06-01
Tomi Engdahl says:
Spanish Judge to Seek Testimony From NSO on Pegasus Spyware
https://www.securityweek.com/spanish-judge-seek-testimony-nso-pegasus-spyware
A Spanish judge will travel to Israel to seek testimony from the head of tech company NSO, the maker of the controversial Pegasus spyware used in tapping politicians’ phones in Spain, the country’s National Court said Tuesday.
The court said that José Luis Calama has decided to lead a judicial commission that will travel to Israel to “take testimony from the CEO of the company that commercializes the Pegasus program.”
Shalev Hulio is the CEO of the Tel Aviv-based NSO Group. The court gave no date for the judge’s trip.
Tomi Engdahl says:
Apple Announces New Security Update Feature in iOS 16, macOS Ventura
https://www.securityweek.com/apple-announces-new-security-update-feature-ios-16-macos-ventura
Apple this week announced a new feature designed to ensure that important security updates will be delivered to its devices faster in an effort to protect users against potential threats.
The new feature, named Rapid Security Response, will become available in the upcoming iOS 16 and macOS Ventura, both scheduled for release in late 2022.
According to Apple, important security updates will be delivered to iPhones and Macs in between standard software updates. In addition, they can be applied automatically and they do not require a reboot.
The tech giant mentioned Rapid Security Response in a summary of the new features that will be available in iOS 16 and macOS Ventura, but it did not provide any additional details.
Tomi Engdahl says:
Sergiu Gatlan / BleepingComputer:
In a joint cybersecurity advisory, the NSA, CISA, and the FBI reveal China-backed hackers exploited publicly known vulnerabilities to snoop on network traffic — Several US federal agencies today revealed that Chinese-backed threat actors have targeted and compromised major telecommunications companies …
US: Chinese govt hackers breached telcos to snoop on network traffic
https://www.bleepingcomputer.com/news/security/us-chinese-govt-hackers-breached-telcos-to-snoop-on-network-traffic/
Several US federal agencies today revealed that Chinese-backed threat actors have targeted and compromised major telecommunications companies and network service providers to steal credentials and harvest data.
As the NSA, CISA, and the FBI said in a joint cybersecurity advisory published on Tuesday, Chinese hacking groups have exploited publicly known vulnerabilities to breach anything from unpatched small office/home office (SOHO) routers to medium and even large enterprise networks.
Once compromised, the threat actors used the devices as part of their own attack infrastructure as command-and-control servers and proxy systems they could use to breach more networks.
Tomi Engdahl says:
Lawrence Abrams / BleepingComputer:
The FBI and IRS led an international operation taking down online marketplace SSNDOB that sold the names, SSNs, and dates of birth of about 24 million US people — SSNDOB, an online marketplace that sold the names, social security numbers, and dates of birth of approximately 24 million US people …
US seizes SSNDOB market for selling personal info of 24 million people
https://www.bleepingcomputer.com/news/security/us-seizes-ssndob-market-for-selling-personal-info-of-24-million-people/
Tomi Engdahl says:
As the NSA, CISA, and the FBI said in a joint cybersecurity advisory published on Tuesday, Chinese hacking groups have exploited publicly known vulnerabilities to breach anything from unpatched small office/home office (SOHO) routers to medium and even large enterprise networks https://www.bleepingcomputer.com/news/security/us-chinese-govt-hackers-breached-telcos-to-snoop-on-network-traffic/
Once compromised, the threat actors used the devices as part of their own attack infrastructure as command-and-control servers and proxy systems they could use to breach more networks. The attackers then stole credentials to access underlying SQL databases and used SQL commands to dump user and admin credentials from critical Remote Authentication Dial-In User Service (RADIUS) servers. By exploiting these vulnerabilities, the Chinese-sponsored threat actors have established broad infrastructure networks that helped them further compromise an even wider range of public and private sector targets.
The advisory: https://www.cisa.gov/uscert/ncas/alerts/aa22-158a
Tomi Engdahl says:
Linux botnets now exploit critical Atlassian Confluence bug https://www.bleepingcomputer.com/news/security/linux-botnets-now-exploit-critical-atlassian-confluence-bug/
Several botnets are now using exploits targeting a critical remote code execution (RCE) vulnerability to infect Linux servers running unpatched Atlassian Confluence Server and Data Center installs.
Successful exploitation of this flaw (tracked as CVE-2021-26084) allows unauthenticated attackers to create new admin accounts, execute commands, and ultimately take over the server remotely to backdoor Internet-exposed servers. After proof-of-concept (PoC) exploits were published online, cybersecurity firm GreyNoise said it detected an almost ten-fold increase in active exploitation, from 23 IP addresses attempting to exploit it to more than 200. Among these attackers, Lacework Labs researchers found three botnets, tracked as Kinsing, Hezb, and Dark.IoT, known for targeting vulnerable Linux servers and deploying backdoors and cryptominers.
Tomi Engdahl says:
SSNDOB Shutdown: DOJ Announces Closure of Darknet Market Selling Social Security Numbers and Other Personally Identifiable Information https://blog.chainalysis.com/reports/ssndob-darknet-market-shutdown/
Today, the U.S. Department of Justice (DOJ) announced the shutdown of SSNDOB, a marketplace that sold personally identifiable information
(PII) of victims around the world on both the darknet and clearnet, following an investigation by IRS-Criminal Investigation and the FBI.
SSNDOB operated for several years using many different internet domains, and is believed to have held the PII of approximately 24 million U.S. citizens, the sale of which has enabled a variety of criminal schemes around the world and generated more than $19 million in revenue. Below, we’ll tell you more about SSNDOB’s operations and why this shutdown represents an important victory in the fight against cybercrime.
Tomi Engdahl says:
Emotet malware now steals credit cards from Google Chrome users https://www.bleepingcomputer.com/news/security/emotet-malware-now-steals-credit-cards-from-google-chrome-users/
The Emotet botnet is now attempting to infect potential victims with a credit card stealer module designed to harvest credit card information stored in Google Chrome user profiles. After stealing the credit card info (i.e., name, expiration month and year, card numbers), the malware will send it to command-and-control (C2) servers different than the ones used by the Emotet card stealer module loader. “On June 6th, Proofpoint observed a new #Emotet module being dropped by the E4 botnet,” the Proofpoint Threat Insights team revealed. “To our surprise it was a credit card stealer that was solely targeting the Chrome browser. Once card details were collected they were exfiltrated to different C2 servers than the module loader.”
Tomi Engdahl says:
Massive Facebook Messenger phishing operation generates millions
https://www.bleepingcomputer.com/news/security/massive-facebook-messenger-phishing-operation-generates-millions/
Researchers have uncovered a large-scale phishing operation that abused Facebook and Messenger to lure millions of users to phishing pages, tricking them into entering their account credentials and seeing advertisements. The campaign operators used these stolen accounts to send further phishing messages to their friends, generating significant revenue via online advertising commissions.
According to PIXM, a New York-based AI-focused cybersecurity firm, the campaign peaked in April-May 2022 but has been active since at least September 2021. PIXM was able to trace the threat actor and map the campaign due to one of the identified phishing pages hosting a link to a traffic monitoring app (whos.amung.us) that was publicly accessible without authentication. While it is unknown how the campaign initially started, PIXM states victims arrived at phishing landing pages from a series of redirects originating from Facebook Messenger.
Tomi Engdahl says:
Hacking a powered-off iPhone: vulnerabilities never sleep https://www.kaspersky.com/blog/hacking-powered-off-iphone/44530/
Researchers from the Secure Mobile Networking Lab at the University of Darmstadt, Germany, have published a paper describing a theoretical method for hacking an iPhone even if the device is off. The study examined the operation of the wireless modules, found ways to analyze the Bluetooth firmware and, consequently, to introduce malware capable of running completely independently of iOS, the device’s operating system. With a little imagination, it’s not hard to conceive of a scenario in which an attacker holds an infected phone close to the victim’s device and transfers malware, which then steals payment card information or even a virtual car key. The paper:
https://arxiv.org/pdf/2205.06114.pdf
Tomi Engdahl says:
Data Breach at Shields Health Care Group Impacts 2 Million Patients
https://www.securityweek.com/data-breach-shields-health-care-group-impacts-2-million-patients
Shields Health Care Group has informed roughly two million individuals of a cybersecurity incident that potentially impacted their personal data.
The Massachusetts-based firm provides management and imaging services to more than 50 healthcare partners and facilities throughout New England.
In a data breach notice published on their website, Shields said the incident was identified on March 28, 2022, but the intrusion actually happened between March 7 and March 21.
Tomi Engdahl says:
Check Point: Beware of PDF files!
https://etn.fi/index.php/13-news/13706-check-point-varo-pdf-tiedostoja
Security company Check Point Research reports in its May malware review that Snake Keylogger, which records users’ keystrokes, has returned to the list of the most used malware, reaching position 8. The malware has been distributed to users’ machines along with PDF files.
CPR researchers report that several large distribution campaigns pushed the advanced, self-propagating and modular Emotet trojan to the top of the malware list. Its prevalence was 8 percent of organizations worldwide, compared with 6% in the previous month.
Snake Keylogger’s main function is to record the victim’s keystrokes and send the collected data to its operator. The malware has typically spread via macro-containing document files attached to emails, but last month researchers observed it slipping onto victims’ devices with PDF files. The new approach may be due to Microsoft now blocking macros by default in Office programs. Cybercriminals have been forced to develop new, creative methods. The new distribution method has probably been effective because many consider PDF files safer than Word files.
Emotet is a versatile malware that nimbly evades security software. Thanks to its persistence it easily goes unnoticed and unremoved from the device, which makes it an excellent tool in the cybercriminals’ toolbox. Emotet most commonly spreads through email messages containing malicious links or attachments. It can also act as a conduit for other malware, which makes it even more dangerous.
Tomi Engdahl says:
New Symbiote malware infects all running processes on Linux systems https://www.bleepingcomputer.com/news/security/new-symbiote-malware-infects-all-running-processes-on-linux-systems/
A newly discovered Linux malware known as Symbiote infects all running processes on compromised systems, steals account credentials, and gives its operators backdoor access.
Tomi Engdahl says:
Even the Most Advanced Threats Rely on Unpatched Systems https://thehackernews.com/2022/06/even-most-advanced-threats-rely-on.html
Common cybercriminals are a menace, there’s no doubt about it: from bedroom hackers through to ransomware groups, cybercriminals are causing a lot of damage. But both the tools used and the threat posed by common cybercriminals pale in comparison to the tools used by more professional groups such as the famous hacking groups and state-sponsored groups.
Tomi Engdahl says:
Tainted CCleaner Pro Cracker spreads via Black Seo campaign https://securityaffairs.co/wordpress/132076/cyber-crime/ccleaner-black-seo-malware-fakecrack.html
Threat actors spread info-stealing malware through the search results for a pirated copy of the CCleaner Pro Windows optimization program.
Tomi Engdahl says:
ASyncRat surpasses Dridex, TrickBot and Emotet to become dominant email threat https://blog.malwarebytes.com/threat-analysis/2022/06/asyncrat-surpasses-dridex-trickbot-and-emotet-to-become-dominant-email-threat/
Earlier this year Malwarebytes released its 2022 Threat Review, a review of the most important threats and cybersecurity trends of 2021, and what they could mean for 2022. Among other things it covers the year’s alarming rebound in malware detections, and a significant shift in the balance of email threats.
Tomi Engdahl says:
Now Windows Follina zero-day exploited to infect PCs with Qbot https://www.theregister.com/2022/06/09/qbot-malware-microsoft-follina/
Miscreants are reportedly exploiting the recently disclosed critical Windows Follina zero-day flaw to infect PCs with Qbot, thus aggressively expanding their reach. [Also https://isc.sans.edu/diary/rss/28728]
Tomi Engdahl says:
Google rolling out automatic updates in August for Cloud vulnerability https://therecord.media/google-rolling-out-automatic-updates-in-august-for-cloud-vulnerability/
Google said it is rolling out automatic updates to address a vulnerability affecting Authorized Networks and Cloud Run/Functions on Google Kubernetes Engine (GKE).
Tomi Engdahl says:
Threat Actors Start Exploiting Meeting Owl Pro Vulnerability Days After Disclosure
https://www.securityweek.com/threat-actors-start-exploiting-meeting-owl-pro-vulnerability-days-after-disclosure
Threat actors have already started exploiting a severe vulnerability that Owl Labs addressed in its video conferencing devices earlier this week.
Tracked as CVE-2022-31460 (CVSS score of 7.4), the security bug can be exploited to turn a vulnerable device into a rogue access point to the Wi-Fi network it is connected to.
Impacting Owl Labs’ Meeting Owl Pro and Whiteboard Owl devices, the issue exists because, when in access point (AP) mode, the devices do not disconnect from the Wi-Fi network, but instead start routing all traffic to the network.
Tomi Engdahl says:
‘Follina’ Vulnerability Exploited to Deliver Qbot, AsyncRAT, Other Malware
https://www.securityweek.com/follina-vulnerability-exploited-deliver-qbot-asyncrat-other-malware
Tomi Engdahl says:
New Symbiote malware infects all running processes on Linux systems
https://www.bleepingcomputer.com/news/security/new-symbiote-malware-infects-all-running-processes-on-linux-systems/
A newly discovered Linux malware known as Symbiote infects all running processes on compromised systems, steals account credentials, and gives its operators backdoor access.
After injecting itself into all running processes, the malware acts as a system-wide parasite, leaving no identifiable signs of infection even during meticulous in-depth inspections.
Symbiote uses the BPF (Berkeley Packet Filter) hooking functionality to sniff network data packets and to hide its own communication channels from security tools.
Instead of having the typical form of an executable, Symbiote is a shared object (SO) library that gets loaded into running processes using the LD_PRELOAD directive to gain priority against other SOs.
By being the first to load, Symbiote can hook the “libc” and “libpcap” functions and perform various actions to conceal its presence, like hiding parasitic processes, hiding files deployed with the malware, and more.
“When it injects itself into processes, the malware can choose which results it displays,” the security researchers revealed in a report published today.
“If an administrator starts a packet capture on the infected machine to investigate some suspicious network traffic, Symbiote will inject itself into the inspection software’s process and use BPF hooking to filter out results that would reveal its activity.”
To hide its malicious network activity on the compromised machine, Symbiote scrubs connection entries it wants to hide, performs packet filtering via BPF, and removes UDP traffic to domain names in its list.
This stealthy new malware is primarily used for automated credential harvesting from hacked Linux devices by hooking the “libc read” function.
This is a crucial mission when targeting Linux servers in high-value networks, as stealing admin account credentials opens the way to unobstructed lateral movement and unlimited access to the entire system.
Symbiote also gives its operators remote SSH access to the machine via the PAM service, while it also provides a way for the threat actor to gain root privileges on the system.
The malware’s targets are mostly entities engaging in the financial sector in Latin America, impersonating Brazilian banks, the country’s Federal police, etc.
“Since the malware operates as a user-land level rootkit, detecting an infection may be difficult,” the researchers concluded.
“Network telemetry can be used to detect anomalous DNS requests and security tools such as AVs and EDRs should be statically linked to ensure they are not ‘infected’ by userland rootkits.”
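The post above describes Symbiote as an LD_PRELOAD shared object hooking libc, and closes with the researchers’ advice to statically link security tools. The following is an added defender-side example (not code from the original article or from BlackBerry/Intezer): it flags preloaded libraries outside a hypothetical allowlist, parsed from constructed /proc/<pid>/environ and /etc/ld.so.preload samples, and checks an ELF64 image for the program headers that only a dynamically linked (and therefore preload-able) binary carries.

```python
"""Defender-side checks for LD_PRELOAD-based userland rootkits (e.g. Symbiote).

Runs offline on constructed sample input; feed the functions real
/proc/<pid>/environ and /etc/ld.so.preload contents to use them on a host.
"""
import struct
from typing import Dict, List

# Hypothetical allowlist: libraries this host legitimately preloads.
PRELOAD_ALLOWLIST = {"/usr/lib/libjemalloc.so.2"}


def parse_environ(raw: bytes) -> Dict[str, str]:
    """Parse the NUL-separated KEY=VALUE entries of /proc/<pid>/environ."""
    env: Dict[str, str] = {}
    for entry in raw.split(b"\0"):
        if b"=" in entry:
            key, _, value = entry.partition(b"=")
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def parse_ld_so_preload(text: str) -> List[str]:
    """Parse /etc/ld.so.preload: paths separated by whitespace or ':',
    '#' starts a comment (the rules the glibc loader applies)."""
    libs: List[str] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        libs.extend(line.replace(":", " ").split())
    return libs


def suspicious_preloads(environs: Dict[int, bytes], preload_file: str) -> List[str]:
    """Report every preloaded library not on the allowlist, both from the
    system-wide preload file and from each process's own environment."""
    findings: List[str] = []
    for lib in parse_ld_so_preload(preload_file):
        if lib not in PRELOAD_ALLOWLIST:
            findings.append(f"/etc/ld.so.preload: {lib}")
    for pid, raw in environs.items():
        env = parse_environ(raw)
        for lib in env.get("LD_PRELOAD", "").replace(":", " ").split():
            if lib not in PRELOAD_ALLOWLIST:
                findings.append(f"pid {pid} LD_PRELOAD: {lib}")
    return findings


# ELF program-header types that only appear in dynamically linked binaries.
PT_DYNAMIC, PT_INTERP = 2, 3


def is_statically_linked(elf: bytes) -> bool:
    """True if an ELF64 little-endian image has no PT_INTERP/PT_DYNAMIC
    program header, i.e. the dynamic loader (and LD_PRELOAD) never touches it."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("only ELF64 little-endian images are supported")
    e_phoff = struct.unpack_from("<Q", elf, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    for i in range(e_phnum):
        p_type = struct.unpack_from("<I", elf, e_phoff + i * e_phentsize)[0]
        if p_type in (PT_DYNAMIC, PT_INTERP):
            return False
    return True


def build_sample_elf(ptypes: List[int]) -> bytes:
    """Constructed minimal ELF64 image carrying the given program-header
    types (sample input only; it is not a runnable binary)."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + b"\0" * 9
    header = ident + struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0, 64, 0, 0,
                                 64, 56, len(ptypes), 64, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 0, 0, 0, 0, 0, 0, 0) for t in ptypes)
    return header + phdrs


# Constructed samples standing in for /proc/<pid>/environ and /etc/ld.so.preload.
SAMPLE_ENVIRONS = {
    1234: b"PATH=/usr/bin\0LD_PRELOAD=/usr/lib/libjemalloc.so.2\0HOME=/root\0",
    4321: b"USER=www-data\0LD_PRELOAD=/tmp/.cache/libsample-rootkit.so\0",
}
SAMPLE_PRELOAD_FILE = "# tuning\n/usr/lib/libjemalloc.so.2\n/usr/local/lib/libsample-hook.so\n"

if __name__ == "__main__":
    for finding in suspicious_preloads(SAMPLE_ENVIRONS, SAMPLE_PRELOAD_FILE):
        print("suspicious:", finding)
    print("PT_LOAD only, static:", is_statically_linked(build_sample_elf([1])))
    print("with PT_INTERP/PT_DYNAMIC, static:", is_statically_linked(build_sample_elf([1, 3, 2])))
```

Because a preload rootkit hooks libc inside every dynamically linked process, including the one running these checks, the results are only trustworthy from a statically linked tool or from a clean boot environment, which is what the quoted advice is about.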
Tomi Engdahl says:
Roblox Game Pass store used to sell ransomware decryptor https://www.bleepingcomputer.com/news/security/roblox-game-pass-store-used-to-sell-ransomware-decryptor/
A new ransomware is taking the unusual approach of selling its decryptor on the Roblox gaming platform using the service’s in-game Robux currency.
Tomi Engdahl says:
Vice Society ransomware claims attack on Italian city of Palermo https://www.bleepingcomputer.com/news/security/vice-society-ransomware-claims-attack-on-italian-city-of-palermo/
The Vice Society ransomware group has claimed responsibility for the recent cyber attack on the city of Palermo in Italy, which has caused a large-scale service outage.
Tomi Engdahl says:
MyEasyDocs Exposed 30GB of Israeli and Indian Students PII Data https://www.hackread.com/myeasydocs-exposed-30gb-israel-india-students-pii-data/
MyEasyDocs is a Chennai, India-based online document verification platform whose Microsoft Azure server exposed data of over 57,000 students.
Tomi Engdahl says:
8 zero-day vulnerabilities discovered in popular industrial control system from Carrier https://therecord.media/8-zero-day-vulnerabilities-discovered-in-popular-industrial-control-system-from-carrier/
Eight zero-day vulnerabilities affecting a popular industrial control provided by Carrier have been identified and patched, according to security researchers from Trellix who discovered the issues.
Tomi Engdahl says:
New security risk revealed in Bluetooth: only switching the device off completely stops the emissions
https://www.tivi.fi/uutiset/tv/7078eab9-3b9c-44da-8ae5-4c0b64853118
Small differences in device manufacturing processes give each device a unique “fingerprint”.
Tomi Engdahl says:
Design Weakness Discovered in Apple M1 Kernel Protections https://www.darkreading.com/dr-tech/design-weakness-discovered-in-apple-m1-kernel-protections
The proof-of-concept attack from MIT CSAIL researchers undermines the pointer authentication feature used to defend the Apple chip’s OS kernel.
Tomi Engdahl says:
MEP surprised: a 10-year Yandex cookie was found on their computer
https://www.tivi.fi/uutiset/tv/7e7e7839-b0b6-4249-8797-ceeeee8372d5
Even political decision-makers are not shielded from the data collection of the digital giants, according to Sitra’s Digivalta report. This may expose decision-makers to hybrid influence operations.
Tomi Engdahl says:
New PACMAN hardware attack targets Macs with Apple M1 CPUs https://www.bleepingcomputer.com/news/security/new-pacman-hardware-attack-targets-macs-with-apple-m1-cpus/
A new hardware attack targeting Pointer Authentication in Apple M1 CPUs with speculative execution enables attackers to gain arbitrary code execution on Mac systems.
Tomi Engdahl says:
Confluence servers hacked to deploy AvosLocker, Cerber2021 ransomware https://www.bleepingcomputer.com/news/security/confluence-servers-hacked-to-deploy-avoslocker-cerber2021-ransomware/
Ransomware gangs are now targeting a recently patched and actively exploited remote code execution (RCE) vulnerability affecting Atlassian Confluence Server and Data Center instances for initial access to corporate networks.
Tomi Engdahl says:
Hello XD ransomware now drops a backdoor while encrypting https://www.bleepingcomputer.com/news/security/hello-xd-ransomware-now-drops-a-backdoor-while-encrypting/
Cybersecurity researchers report increased activity of the Hello XD ransomware, whose operators are now deploying an upgraded sample featuring stronger encryption.
Tomi Engdahl says:
New security risk revealed in Bluetooth: only switching the device off completely stops the emissions
https://www.tivi.fi/uutiset/tv/7078eab9-3b9c-44da-8ae5-4c0b64853118
Small differences in device manufacturing processes give each device a unique “fingerprint”.
Bluetooth signals from smartphones and other mobile devices can be abused to identify and track devices, according to a recent study from the University of California. In light of earlier research, this kind of identification has been possible only with Wi-Fi signals.
Smartphones and smartwatches send small data packets around them over Bluetooth, much like a beacon. When Bluetooth is on, about 500 packets are sent per minute. This is, among other things, the basis for how wireless headphones work. Bluetooth devices are widely used and many people keep the connection switched on constantly.
The researchers found that the Bluetooth signals of individual devices can be assigned a unique “fingerprint”, which stems from tiny individual differences in the devices’ manufacturing processes.
The algorithm developed by the researchers can identify the signals sent by different devices.
In their practical tests, the researchers succeeded in identifying 40 percent of the 162 mobile devices they observed in public places such as cafes. In a second experiment involving 647 mobile devices, the researchers identified 47 percent of the devices. The study also demonstrated how the Bluetooth fingerprint can be exploited in an attack.
Exploiting Bluetooth for hacking is not particularly easy. For example, variations in ambient temperature may affect the signal’s individual distortions. Signal strength also varies between devices. Consequently, some devices cannot be tracked from as far away as others. Carrying out the attack is technically complex, but the required hardware costs less than 200 dollars.
According to the research team, the “fingerprints” created by the distortions of Bluetooth signals can be hidden with digital signal processing in the Bluetooth device’s firmware. The researchers also note that the method only enables tracking of the device, not collection of user data.
Bluetooth Signals Can be Used to Identify and Track Smartphones
It’s the first time researchers have demonstrated it’s feasible to track individuals using Bluetooth
https://ucsdnews.ucsd.edu/pressrelease/Bluetoothfingerprints
A team of engineers at the University of California San Diego has demonstrated for the first time that the Bluetooth signals emitted constantly by our mobile phones have a unique fingerprint that can be used to track individuals’ movements.
Mobile devices, including phones, smartwatches and fitness trackers, constantly transmit signals, known as Bluetooth beacons, at the rate of roughly 500 beacons per minute. These beacons enable features like Apple’s “Find My” lost device tracking service; COVID-19 tracing apps; and connect smartphones to other devices such as wireless earphones.
Prior research has shown that wireless fingerprinting exists in WiFi and other wireless technologies. The critical insight of the UC San Diego team was that this form of tracking can also be done with Bluetooth, in a highly accurate way.
“This is important because in today’s world Bluetooth poses a more significant threat as it is a frequent and constant wireless signal emitted from all our personal mobile devices,” said Nishant Bhaskar, a Ph.D. student in the UC San Diego Department of Computer Science and Engineering and one of the paper’s lead authors.
Tomi Engdahl says:
Vulnerabilities in HID Mercury Access Controllers Allow Hackers to Unlock Doors
https://www.securityweek.com/vulnerabilities-hid-mercury-access-controllers-allow-hackers-unlock-doors
Access control products using HID Mercury controllers are affected by critical vulnerabilities that can be exploited by hackers to remotely unlock doors.
The vulnerabilities were discovered by researchers at XDR firm Trellix, which launched earlier this year following the merger of McAfee Enterprise and FireEye.
The issues were found in products from LenelS2 — a subsidiary of HVAC giant Carrier that specializes in physical security solutions — but Trellix said it received confirmation from HID Global that all OEM partners that use certain hardware controllers are affected.
Trellix researchers identified a total of eight vulnerabilities, seven of which have been assigned “critical” or “high” severity ratings. The flaws can be exploited for remote code execution, command injection, denial-of-service (DoS), information spoofing, and writing arbitrary files.
Trellix Threat Labs Uncovers Critical Flaws in Widely Used Building Access Control System
https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/trellix-threat-labs-uncovers-critical-flaws.html
Tomi Engdahl says:
Chrome 102 Update Patches High-Severity Vulnerabilities
https://www.securityweek.com/chrome-102-update-patches-high-severity-vulnerabilities
Google this week announced the release of a Chrome browser update that resolves seven vulnerabilities, including four issues reported by external researchers.
Tracked as CVE-2022-2007, the first of these bugs is described as a use-after-free in WebGPU. The security hole was reported by David Manouchehri, who received a $10,000 bug bounty reward for his finding.
Use-after-free issues are triggered when a program doesn’t clear the pointer after freeing memory allocation, and can be exploited for arbitrary code execution, denial of service, or data corruption, potentially leading to system compromise, if combined with other vulnerabilities. In the case of Chrome, they often lead to a sandbox escape.
Another use-after-free vulnerability addressed with this Chrome update is CVE-2022-2011, a flaw identified in ANGLE, Chrome’s graphics engine abstraction layer. The bug was reported by SeongHwan Park.
The latest Chrome update also resolves CVE-2022-2008, an out-of-bounds memory access in WebGL, which was reported by VinCSS Cybersecurity researcher Tran Van Khang.
Tomi Engdahl says:
InfiRay Thermal Camera Flaws Can Allow Hackers to Tamper With Industrial Processes
https://www.securityweek.com/infiray-thermal-camera-flaws-can-allow-hackers-tamper-industrial-processes
InfiRay thermal cameras are affected by vulnerabilities that could allow malicious hackers to tamper with industrial processes, including to disrupt production or to make modifications that result in lower quality products.
InfiRay is a brand of China-based iRay Technology, which manufactures optical components. InfiRay specializes in the development and manufacturing of infrared and thermal imaging solutions, with its products being sold in 89 countries and regions.
Researchers at Austria-based cybersecurity consultancy SEC Consult discovered that at least one of the vendor’s thermal cameras, the A8Z3 model, is affected by several potentially serious vulnerabilities.
The A8Z3 device, sold on the Chinese marketplace Alibaba for nearly $3,000, is designed for a wide range of industrial applications.
Tomi Engdahl says:
Highly-Evasive Linux Malware ‘Symbiote’ Infects All Running Processes
https://www.securityweek.com/highly-evasive-linux-malware-symbiote-infects-all-running-processes
Security researchers with BlackBerry and Intezer have shared details on a new Linux malware that “parasitically” infects all running processes on a target machine.
Once it has infected all running processes, the malware, which the researchers have named Symbiote, provides attackers with rootkit capabilities, as well as with remote backdoor access and the ability to harvest credentials.
The malware, BlackBerry and Intezer discovered, can execute commands with the highest privileges possible on an infected machine.
“What makes Symbiote different from other Linux malware that we usually come across, is that it needs to infect other running processes to inflict damage on infected machines. Instead of being a standalone executable file that is run to infect a machine, it is a shared object (SO) library that is loaded into all running processes using LD_PRELOAD, and parasitically infects the machine,” the researchers explain.
Initially observed in November 2021, targeting the financial sector in Latin America, Symbiote is highly evasive, being capable of hiding itself and other malware employed by its operators, thus making infections very hard to detect, the researchers say.
“Performing live forensics on an infected machine may not turn anything up since all the file, processes, and network artifacts are hidden by the malware,” they claim.
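Symbiote hooks every process through the dynamic loader, so the two places a defender can look for that kind of injection are /etc/ld.so.preload and the LD_PRELOAD variable in each process environment. The script below is an added example (not from the BlackBerry/Intezer research or the article) that parses both sources and classifies every preloaded library; the sample file contents, the process environments, the allowlist and the system library directories are all constructed for the demonstration.

```python
"""Audit a Linux host's preload hooks (added example, not from the article)."""
import os

# Preload libraries a given fleet legitimately uses: a constructed allowlist.
ALLOWED_PRELOADS = {"/usr/lib/x86_64-linux-gnu/libjemalloc.so.2"}

# Where system shared objects normally live (constructed, adjust per distro).
SYSTEM_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")


def parse_ld_so_preload(text):
    """Return library paths listed in /etc/ld.so.preload.

    The file is whitespace separated; '#' starts a comment.
    """
    paths = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            paths.extend(line.split())
    return paths


def parse_environ(blob):
    """Parse a /proc/<pid>/environ blob (NUL separated KEY=VALUE pairs)."""
    env = {}
    for item in blob.split(b"\x00"):
        if b"=" in item:
            key, value = item.split(b"=", 1)
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def classify(path):
    """Heuristic verdict for one preloaded library path."""
    if path in ALLOWED_PRELOADS:
        return "allowed"
    if not path.startswith(SYSTEM_LIB_DIRS):
        return "suspicious: non-system path"
    return "review"


def find_preloads(ld_so_preload_text, proc_environs):
    """Combine both injection points into a list of (origin, path, verdict)."""
    findings = []
    for path in parse_ld_so_preload(ld_so_preload_text):
        findings.append(("/etc/ld.so.preload", path, classify(path)))
    for pid, blob in sorted(proc_environs.items()):
        env = parse_environ(blob)
        # LD_PRELOAD accepts several libraries separated by colons or spaces.
        for path in env.get("LD_PRELOAD", "").replace(":", " ").split():
            findings.append((f"pid {pid}", path, classify(path)))
    return findings


def collect_live():
    """Read the real files on a Linux host (best effort, unreadable pids skipped)."""
    try:
        with open("/etc/ld.so.preload") as fh:
            preload = fh.read()
    except OSError:
        preload = ""
    environs = {}
    for name in os.listdir("/proc"):
        if name.isdigit():
            try:
                with open(f"/proc/{name}/environ", "rb") as fh:
                    environs[int(name)] = fh.read()
            except OSError:
                pass
    return find_preloads(preload, environs)


# Constructed sample input standing in for what collect_live() would read.
SAMPLE_LD_SO_PRELOAD = (
    "# constructed sample\n"
    "/usr/lib/x86_64-linux-gnu/libjemalloc.so.2\n"
    "/tmp/.x/libpayload.so\n"
)
SAMPLE_ENVIRONS = {
    1234: b"PATH=/usr/bin\x00LD_PRELOAD=/tmp/.x/libpayload.so\x00HOME=/root\x00",
    2345: b"PATH=/usr/bin\x00HOME=/home/alice\x00",
    3456: b"LD_PRELOAD=/usr/lib/libfakeroot/libfakeroot-sysv.so\x00",
}

if __name__ == "__main__":
    for origin, path, verdict in find_preloads(SAMPLE_LD_SO_PRELOAD, SAMPLE_ENVIRONS):
        print(f"{origin:22} {path:50} {verdict}")
```

One caveat follows directly from the researchers' remark about live forensics: on an infected host the hooked libc may hide the very entries this script reads, so run it from a rescue boot or with a statically linked collector, and treat an empty /etc/ld.so.preload on a machine you suspect as inconclusive rather than clean.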
Tomi Engdahl says:
https://hackaday.com/2022/06/12/hackaday-links-june-12-2022/
From the “Let’s All Dunk on Tesla” files, it looks like an Austrian security researcher has discovered a new way to steal a Tesla. The exploit uses a recent change to how Teslas can be started within 130 seconds of being unlocked with the owner’s NFC card, rather than having to place the card on the center console for a second authorization. But strangely, the car will accept new keys without authorization during that interval, and without flashing any kind of warning on the dash. That makes it possible for a thief to add their phone as a recognized key just by lurking nearby while the car is unlocked with an NFC card. Seems like this would be an easy enough fix, but Tesla doesn’t seem to like having these vulnerabilities pointed out, let alone do anything about them, so Tesla owners should probably avoid the NFC card and choose another method for unlocking their cars.
Gone in 130 seconds: New Tesla hack gives thieves their own personal key
You may want to think twice before giving the parking attendant your Tesla-issued NFC card.
https://arstechnica.com/information-technology/2022/06/hackers-out-to-steal-a-tesla-can-create-their-very-own-personal-key/
Last year, Tesla issued an update that made its vehicles easier to start after being unlocked with their NFC key cards. Now, a researcher has shown how the feature can be exploited to steal cars.
For years, drivers who used their Tesla NFC key card to unlock their cars had to place the card on the center console to begin driving. Following the update, which was reported here last August, drivers could operate their cars immediately after unlocking them with the card. The NFC card is one of three means for unlocking a Tesla; a key fob and a phone app are the other two.
Enrolling your own key
Martin Herfurt, a security researcher in Austria, quickly noticed something odd about the new feature: Not only did it allow the car to automatically start within 130 seconds of being unlocked with the NFC card, but it also put the car in a state to accept entirely new keys—with no authentication required and zero indication given by the in-car display.
“The authorization given in the 130-second interval is too general… [it's] not only for drive,” Herfurt said in an online interview. “This timer has been introduced by Tesla… in order to make the use of the NFC card as a primary means of using the car more convenient. What should happen is that the car can be started and driven without the user having to use the key card a second time. The problem: within the 130-second period, not only the driving of the car is authorized, but also the [enrolling] of a new key.”
Tomi Engdahl says:
Researchers: Wi-Fi Probe Requests Expose User Data
https://www.securityweek.com/researchers-wi-fi-probe-requests-expose-user-data
A group of academic researchers from the University of Hamburg in Germany has discovered that mobile devices leak identifying information about their owners via Wi-Fi probe requests.
Mobile devices use these probe requests to receive information about nearby Wi-Fi access points and establish connections to them when a probe response is received.
Attackers that can sniff network traffic, the academics say, can use these probe requests to track and identify devices, and even pinpoint their location.
According to them, roughly a quarter of probe requests contain the Service Set Identifier (SSIDs) of networks the devices were previously connected to, which could be used to reveal home addresses or visited locations.
Furthermore, the probe requests can be used to “trilaterate the location of a device with an accuracy of up to 1.5 meters,” or to follow the movement of a device to essentially track their owner, the researchers note.
“This is in fact employed in 23% of the stores already. Companies and cities that conduct Wi-Fi tracking take the legal position that only the MAC address contained in probe requests is considered personal data according to GDPR Article 4(1), which protects personal data from unlawful collection and processing,” the researchers said in their paper.
Probing for Passwords – Privacy Implications of SSIDs in Probe Requests
https://arxiv.org/pdf/2206.03745.pdf
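The leak the Hamburg researchers describe sits in the SSID information element of the probe request frame: a directed probe names a remembered network, a wildcard probe carries an empty SSID. The parser below is an added example (not from the paper or the article) for auditing a capture of your own devices; it decodes the 802.11 management header and the tagged parameters, reports whether the source address has the locally administered bit that randomized MACs set, and lists the directed probes. The three frames are constructed with the helper in the block, as are the MAC addresses and network names.

```python
"""Audit probe requests for SSID leakage (added example, not from the paper)."""
import struct

MGMT_HEADER = struct.Struct("<HH6s6s6sH")  # FC, duration, addr1, addr2, addr3, seq
BROADCAST = b"\xff" * 6


def build_probe_request(src_mac: bytes, ssid: bytes) -> bytes:
    """Construct a minimal probe request frame (sample data for the audit)."""
    # Frame Control 0x0040: protocol 0, type 0 (management), subtype 4 (probe request)
    header = MGMT_HEADER.pack(0x0040, 0, BROADCAST, src_mac, BROADCAST, 0)
    body = bytes([0, len(ssid)]) + ssid                 # SSID IE (tag 0)
    body += bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])       # Supported Rates IE (tag 1)
    return header + body


def parse_ies(body: bytes) -> dict:
    """Parse tag/length/value information elements; stops at a truncated IE."""
    ies = {}
    off = 0
    while off + 2 <= len(body):
        tag, length = body[off], body[off + 1]
        data = body[off + 2:off + 2 + length]
        if len(data) < length:
            break
        ies.setdefault(tag, []).append(data)
        off += 2 + length
    return ies


def parse_probe_request(frame: bytes):
    """Return the privacy-relevant fields of a probe request, or None for other frames."""
    if len(frame) < MGMT_HEADER.size:
        raise ValueError("frame shorter than an 802.11 management header")
    fc, _dur, _a1, src, _a3, _seq = MGMT_HEADER.unpack_from(frame, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0 or subtype != 4:
        return None
    ies = parse_ies(frame[MGMT_HEADER.size:])
    ssid_raw = ies.get(0, [b""])[0]
    return {
        "src": ":".join(f"{b:02x}" for b in src),
        # Locally administered bit: set by MAC randomization (an indication, not proof).
        "randomized_mac": bool(src[0] & 0x02),
        "ssid": ssid_raw.decode("utf-8", "replace") if ssid_raw else None,
        "ie_tags": sorted(ies),
    }


def probe_leaks(frames):
    """List (source MAC, SSID) for every directed probe in a capture."""
    leaks = []
    for frame in frames:
        parsed = parse_probe_request(frame)
        if parsed and parsed["ssid"] is not None:
            leaks.append((parsed["src"], parsed["ssid"]))
    return leaks


# Constructed capture: one burned-in MAC, one randomized MAC, one wildcard probe.
SAMPLE_FRAMES = [
    build_probe_request(bytes.fromhex("001122334455"), b"HomeNetwork-5G"),
    build_probe_request(bytes.fromhex("da1122334455"), b""),
    build_probe_request(bytes.fromhex("da1122334455"), b"CoffeeShopWiFi"),
]

if __name__ == "__main__":
    for mac, ssid in probe_leaks(SAMPLE_FRAMES):
        print(f"{mac} probes for {ssid!r}")
```

The third frame is the case the paper is about: even with a randomized address, the device names a remembered network, which is what ties a random MAC back to a place or a person. Devices that only send wildcard probes produce no entries from `probe_leaks`.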
Tomi Engdahl says:
Chinese Hackers Adding Backdoor to iOS, Android Web3 Wallets in ‘SeaFlower’ Campaign
https://www.securityweek.com/chinese-hackers-adding-backdoor-ios-android-web3-wallets-seaflower-campaign
Cybercriminals likely operating out of China are distributing backdoored versions of iOS and Android Web3 wallets in an effort to steal users’ seed phrase.
This previously unreported campaign has been analyzed by digital advertising security company Confiant, which dubbed it SeaFlower. The activity has been described as one of the most technically sophisticated threats targeting users of Web3 wallets.
According to Confiant, the hackers have targeted the iOS and Android versions of applications such as Coinbase Wallet, MetaMask Wallet, TokenPocket, and imToken.
Overview of web3 wallets
Web3 Wallets
Your gateway to web3, dapps, tokens, and more
https://www.alchemy.com/web3-wallets-overview
Intro to Web3 Wallets
Web3 Wallets have set a new industry standard in creating new ways to own and monetize our content, identity, and assets as we move on towards the next generation of the internet. Simply put, Web3 wallets are a way to use hardware or software not only to access funds, but to effortlessly allow you to interact with decentralized applications, serve as a gateway to bankless financial services, collect NFTs, create on-chain identity, collaborate with communities, and provide substantially more use cases beyond the scope of the traditional wallets we have today.
Just like how people have a physical wallet to store paper money, these wallets help store access to your digital currency instead. In addition, Web3 wallets are capable of storing digital assets such as NFTs and enable users to interact with Decentralized Apps (dApps). This is done all without the necessity of a middleman involved.
Web3 Wallets on Centralized Exchange (CEX) vs. Decentralized Exchange (DEX)
Centralized and decentralized exchanges have operated in parallel and occupy an important role throughout digital currencies. Although decentralized exchanges have only recently gained popularity, they play an increasing role today. With the rise of DeFi enabling a new breed of financial products, it’s crucial to know how wallets play a role within the ecosystem.
Tomi Engdahl says:
Academics Devise New Speculative Execution Attack Against Apple M1 Chips
https://www.securityweek.com/academics-devise-new-speculative-execution-attack-against-apple-m1-chips
A group of academic researchers has devised a new hardware attack that bypasses pointer authentication protections on Apple’s M1 processor.
Pointer authentication (PA) is a mechanism to prevent the modification of pointers in memory using a cryptographic hash, or pointer authentication code (PAC). With the integrity of a pointer verified against the PAC, a crash is triggered if the values do not match.
First introduced by ARM in 2017 and adopted by Apple in 2018, pointer authentication basically requires the attacker to guess the PAC of a pointer after modification to prevent triggering a crash when modifying code in memory.
Dubbed PACMAN, a new attack technique devised by a group of researchers at the Massachusetts Institute of Technology’s (MIT) Computer Science and Artificial Intelligence Laboratory (CSAIL) uses micro-architectural side-channels to leak PAC verification results and bypass PA without triggering a crash.
“[W]e propose the PACMAN attack, which extends speculative execution attacks to bypass Pointer Authentication by constructing a PAC oracle. Given a pointer in a victim execution context, a PAC oracle can be used to precisely distinguish between a correct PAC and an incorrect one without causing any crashes,” the researchers note in a paper.
PACMAN: Attacking ARM Pointer Authentication with Speculative Execution
https://pacmanattack.com/paper.pdf
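To make the mechanism PACMAN targets concrete, here is an added simulation of pointer authentication (example code, not from the paper, the article or any ARM or Apple implementation). It assumes a 48-bit virtual address space, stores the PAC in the 16 unused upper bits, and uses a truncated HMAC-SHA256 in place of the hardware's keyed cipher; real hardware derives the PAC from the pointer, a context modifier and a per-key-type register, which the `modifier` argument and the caller-supplied `key` stand in for. The point the simulation shows is the one the article describes: a modified pointer fails authentication, an attacker has at most 2^16 guesses, and every wrong guess is a fault (here an exception), which is why a crash-free PAC oracle matters.

```python
"""Pointer authentication simulated in software (added example, not ARM PA itself)."""
import hashlib
import hmac
import os

VA_BITS = 48                         # assumed virtual address width
PAC_BITS = 64 - VA_BITS              # upper bits free to hold the PAC
ADDR_MASK = (1 << VA_BITS) - 1
PAC_MASK = (1 << PAC_BITS) - 1


class PointerAuthFailure(Exception):
    """Stands in for the fault a CPU raises on an invalid PAC."""


def compute_pac(key: bytes, addr: int, modifier: int) -> int:
    """Keyed, truncated MAC over (address, context modifier)."""
    msg = addr.to_bytes(8, "little") + modifier.to_bytes(8, "little")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:2], "little") & PAC_MASK


def pac_sign(key: bytes, ptr: int, modifier: int) -> int:
    """Embed the PAC in the upper bits of a pointer (the PAC* instructions)."""
    addr = ptr & ADDR_MASK
    return addr | (compute_pac(key, addr, modifier) << VA_BITS)


def pac_auth(key: bytes, signed_ptr: int, modifier: int) -> int:
    """Verify and strip the PAC (the AUT* instructions); fault on mismatch."""
    addr = signed_ptr & ADDR_MASK
    if (signed_ptr >> VA_BITS) & PAC_MASK != compute_pac(key, addr, modifier):
        raise PointerAuthFailure(f"bad PAC for {addr:#x}")
    return addr


def is_valid(key: bytes, signed_ptr: int, modifier: int) -> bool:
    """Non-faulting check, used only to show what an attacker lacks."""
    try:
        pac_auth(key, signed_ptr, modifier)
        return True
    except PointerAuthFailure:
        return False


def guess_space() -> int:
    """Number of PAC values an attacker without an oracle would have to try."""
    return 1 << PAC_BITS


if __name__ == "__main__":
    key = os.urandom(32)              # per-process key, never visible to user code
    ret_addr = 0x00007F1234567890     # constructed return address
    signed = pac_sign(key, ret_addr, modifier=0x1000)   # modifier: e.g. the stack pointer
    print(f"signed pointer : {signed:#018x}")
    print(f"authenticates  : {pac_auth(key, signed, 0x1000):#x}")
    tampered = (signed & ~ADDR_MASK) | (ret_addr + 8)   # same PAC, new target
    print(f"tampered valid : {is_valid(key, tampered, 0x1000)}")
    print(f"guesses needed : up to {guess_space()}, each failure a crash")
```

Binding the PAC to a modifier is what prevents a pointer signed in one context from being replayed in another; with the same key and address, a different modifier yields a different PAC except for the 2^-16 chance collision that the test below accounts for.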
Tomi Engdahl says:
Drupal Patches ‘High-Risk’ Third-Party Library Flaws
https://www.securityweek.com/drupal-patches-high-risk-third-party-library-flaws
The Drupal security team has released a “moderately critical” advisory to call attention to serious vulnerabilities in a third-party library and warned that hackers can exploit the bugs to remotely hijack Drupal-powered websites.
The vulnerabilities, tracked as CVE-2022-31042 and CVE-2022-31043, were found and fixed in Guzzle, a third-party library that Drupal uses to handle HTTP requests and responses to external services.
“These do not affect Drupal core, but may affect some contributed projects or custom code on Drupal sites,” according to a Drupal advisory.
“We are issuing this security advisory outside our regular security release window schedule since Guzzle has already published information about the vulnerabilities, and vulnerabilities might exist in contributed modules or custom modules that use Guzzle for outgoing requests,” it added.
Guzzle has rated these vulnerabilities as high-risk and Drupal warns that the bugs may affect some contributed projects or custom code on Drupal sites.
“Exploitation of this vulnerability could allow a remote attacker to take control of an affected website,” the team warned.
https://www.drupal.org/sa-core-2022-011
Tomi Engdahl says:
Cybercriminals, State-Sponsored Threat Actors Exploiting Confluence Server Vulnerability
https://www.securityweek.com/cybercriminals-state-sponsored-threat-actors-exploiting-confluence-server-vulnerability
Tomi Engdahl says:
Researcher Shows How Tesla Key Card Feature Can Be Abused to Steal Cars
https://www.securityweek.com/researcher-shows-how-tesla-key-card-feature-can-be-abused-steal-cars
A researcher has shown how a key card feature introduced by Tesla last year could be abused to add an unauthorized key that allows an attacker to open and start a vehicle.
The research was conducted by Martin Herfurt, an Austria-based member of the Trifinite research group, which focuses on Bluetooth security.
Herfurt’s analysis targeted a change made by Tesla in August 2021 to key card access, removing the requirement for users to place the key card on the central console after using it to open the vehicle.
https://trifinite.org/stuff/project_tempa/
Tomi Engdahl says:
Russian hackers start targeting Ukraine with Follina exploits
https://www.bleepingcomputer.com/news/security/russian-hackers-start-targeting-ukraine-with-follina-exploits/
Ukraine’s Computer Emergency Response Team (CERT) is warning that the Russian hacking group Sandworm may be exploiting Follina, a remote code execution vulnerability in Microsoft Windows Support Diagnostic Tool (MSDT) currently tracked as CVE-2022-30190.