This posting is here to collect cyber security news in June 2022.
I post links to security vulnerability news in the comments of this article.
You are also free to post related links in the comments.
381 Comments
Tomi Engdahl says:
Chinese ‘Gallium’ Hackers Using New PingPull Malware in Cyberespionage Attacks https://thehackernews.com/2022/06/chinese-gallium-hackers-using-new.html
A Chinese advanced persistent threat (APT) known as Gallium has been observed using a previously undocumented remote access trojan in its espionage attacks targeting companies operating in Southeast Asia, Europe, and Africa.
Tomi Engdahl says:
Multiple Vulnerabilities in Infiray IRAY-A8Z3 thermal camera https://sec-consult.com/vulnerability-lab/advisory/infiray-iray-thermal-camera-multiple-vulnerabilities/
The IRAY A8Z3 thermal camera for industrial application, manufactured by Infiray/IRay Technologies is affected by multiple vulnerabilities.
Tomi Engdahl says:
Linux malware ‘Symbiote’ used to attack Latin American financial sector https://therecord.media/linux-malware-symbiote-used-to-attack-latin-american-financial-sector/
Researchers at BlackBerry and Intezer have discovered a new Linux malware named “Symbiote” that is being used to target financial institutions across Latin America.
Tomi Engdahl says:
PyPI package ‘keep’ mistakenly included a password stealer https://www.bleepingcomputer.com/news/security/pypi-package-keep-mistakenly-included-a-password-stealer/
PyPI packages ‘keep’, ‘pyanxdns’ and ‘api-res-py’ were found to contain a backdoor due to the presence of a malicious ‘request’ dependency within some versions.
Tomi Engdahl says:
Chinese Hackers Distribute Backdoored Web3 Wallets for iOS and Android Users https://thehackernews.com/2022/06/chinese-hackers-distribute-backdoored.html
A technically sophisticated threat actor known as SeaFlower has been targeting Android and iOS users as part of an extensive campaign that mimics official cryptocurrency wallet websites intending to distribute backdoored apps that drain victims’ funds.
Tomi Engdahl says:
Researchers Disclose Rooting Backdoor in Mitel IP Phones for Businesses https://thehackernews.com/2022/06/researchers-disclose-rooting-backdoor.html
Cybersecurity researchers have disclosed details of two medium-severity flaws in Mitel 6800/6900 desk phones that, if successfully exploited, could allow an attacker to gain root privileges on the devices.
Tomi Engdahl says:
New Syslogk Linux rootkit uses magic packets to trigger backdoor https://www.bleepingcomputer.com/news/security/new-syslogk-linux-rootkit-uses-magic-packets-to-trigger-backdoor/
A new Linux rootkit malware named ‘Syslogk’ is being used in attacks to hide malicious processes, using specially crafted “magic packets” to awaken a backdoor lying dormant on the device.
Tomi Engdahl says:
Microsoft helps prevent lateral movement from compromised unmanaged devices https://www.helpnetsecurity.com/2022/06/13/microsoft-prevent-lateral-movement/
A new feature in Microsoft Defender for Endpoint can make it more difficult for attackers to perform lateral movement within company networks, as it allows admins to prevent traffic flowing to and from unmanaged devices that have been compromised.
Tomi Engdahl says:
Iranian Spear-Phishing Operation Targets Former Israeli and US High-Ranking Officials https://research.checkpoint.com/2022/check-point-research-exposes-an-iranian-phishing-campaign-targeting-former-israeli-foreign-minister-former-us-ambassador-idf-general-and-defense-industry-executives/
Check Point Research uncovers a recent Iranian-based spear-phishing operation aimed against former Israeli officials, high-ranking military personnel, research fellows in research institutions, think tanks, and against Israeli citizens.
Tomi Engdahl says:
Technical Details Released for ‘SynLapse’ RCE Vulnerability Reported in Microsoft Azure https://thehackernews.com/2022/06/technical-details-released-for-synlapse.html
Microsoft has incorporated additional improvements to address the recently disclosed SynLapse security vulnerability in order to meet comprehensive tenant isolation requirements in Azure Data Factory and Azure Synapse Pipelines.
Tomi Engdahl says:
CISA Recommends Organizations Update to the Latest Version of Google Chrome https://www.darkreading.com/vulnerabilities-threats/cisa-encourages-organizations-to-updated-to-latest-chrome-version
The US Cybersecurity and Infrastructure Security Agency (CISA) on Friday urged users and administrators to update to a new version of Chrome that Google released last week to fix a total of seven vulnerabilities in its browser.
Tomi Engdahl says:
New Zimbra Email Vulnerability Could Let Attackers Steal Your Login Credentials
https://thehackernews.com/2022/06/new-zimbra-email-vulnerability-could.html
A new high-severity vulnerability has been disclosed in the Zimbra email suite that, if successfully exploited, enables an unauthenticated attacker to steal cleartext passwords of users sans any user interaction.
“With the consequent access to the victims’ mailboxes, attackers can potentially escalate their access to targeted organizations and gain access to various internal services and steal highly sensitive information,” SonarSource said in a report shared with The Hacker News.
Tracked as CVE-2022-27924 (CVSS score: 7.5), the issue has been characterized as a case of “Memcached poisoning with unauthenticated request,” leading to a scenario where an adversary can inject malicious commands and siphon sensitive information.
Given that Memcached parses incoming requests line-by-line, the vulnerability permits an attacker to send a specially crafted lookup request to the server containing CRLF characters, causing the server to execute unintended commands.
Tomi Engdahl says:
Microsoft Patch Tuesday for June 2022 Snort rules and prominent vulnerabilities https://blog.talosintelligence.com/2022/06/microsoft-patch-tuesday-for-june-2022.html
Microsoft released its monthly security update Tuesday, disclosing 55 vulnerabilities in the company’s firmware and software. One of these vulnerabilities is considered critical, 40 are listed as high severity, and the remainder is considered “moderate.”
Tomi Engdahl says:
Researchers Detail PureCrypter Loader Cyber Criminals Using to Distribute Malware https://thehackernews.com/2022/06/researchers-detail-purecrypter-loader.html
Cybersecurity researchers have detailed the workings of a fully-featured malware loader dubbed PureCrypter that’s being purchased by cyber criminals to deliver remote access trojans (RATs) and information stealers.
Tomi Engdahl says:
Unpatched Travis CI API Bug Exposes Thousands of Secret User Access Tokens https://thehackernews.com/2022/06/unpatched-travis-ci-api-bug-exposes.html
An unpatched security issue in the Travis CI API has left tens of thousands of developers’ user tokens exposed to potential attacks, effectively allowing threat actors to breach cloud infrastructures, make unauthorized code changes, and initiate supply chain attacks.
Tomi Engdahl says:
Police receive several reports of scams: buyers’ money taken via a fake courier service link; here is how to avoid scams
https://yle.fi/uutiset/3-12491718
Several reports of crimes have been made to the Inner Finland police in which the reporter sold an item on an online marketplace and was scammed.
Tomi Engdahl says:
Cloudflare mitigates record-breaking HTTPS DDoS attack https://www.bleepingcomputer.com/news/security/cloudflare-mitigates-record-breaking-https-ddos-attack/
Internet infrastructure firm Cloudflare said today that it mitigated a 26 million request per second distributed denial-of-service (DDoS) attack, the largest HTTPS DDoS attack detected to date.
Tomi Engdahl says:
“Downthem” DDoS-for-Hire Boss Gets 2 Years in Prison https://krebsonsecurity.com/2022/06/downthem-ddos-for-hire-boss-gets-2-years-in-prison/
A 33-year-old Illinois man was sentenced to two years in prison today following his conviction last year for operating services that allowed paying customers to launch powerful distributed denial-of-service (DDoS) attacks against hundreds of thousands of Internet users and websites.
Tomi Engdahl says:
Cloudflare mitigates record-breaking HTTPS DDoS attack https://www.bleepingcomputer.com/news/security/cloudflare-mitigates-record-breaking-https-ddos-attack/
Internet infrastructure firm Cloudflare said today that it mitigated a 26 million request per second distributed denial-of-service (DDoS) attack, the largest HTTPS DDoS attack detected to date.
The record-breaking attack occurred last week and targeted one of Cloudflare’s customers using the Free plan.
The threat actor behind it likely used hijacked servers and virtual machines seeing that the attack originated from Cloud Service Providers instead of weaker Internet of Things (IoT) devices from compromised Residential Internet Service Providers.
According to Cloudflare, the attacker also used a rather small yet very powerful botnet of 5,067 devices, each capable of generating roughly 5,200 rps when peaking.
“To contrast the size of this botnet, we’ve been tracking another much larger but less powerful botnet of over 730,000 devices,”
Also noteworthy is that the June and April attacks were volumetric attacks that used gigantic junk requests to exhaust the targeted server’s resources (CPU and RAM) and were both carried out over HTTPS.
“HTTPS DDoS attacks are more expensive in terms of required computational resources because of the higher cost of establishing a secure TLS encrypted connection,” Yoachimik explained.
“Therefore, it costs the attacker more to launch the attack, and for the victim to mitigate it. We’ve seen very large attacks in the past over (unencrypted) HTTP, but this attack stands out because of the resources it required at its scale.”
Tomi Engdahl says:
ICS Patch Tuesday: Siemens, Schneider Electric Address Over 80 Vulnerabilities
https://www.securityweek.com/ics-patch-tuesday-siemens-schneider-electric-address-over-80-vulnerabilities
Siemens and Schneider Electric have released their Patch Tuesday advisories for June 2022. The industrial giants have addressed a total of more than 80 vulnerabilities affecting their products.
Siemens has released 14 advisories covering 59 vulnerabilities. Thirty of these flaws, including many rated “critical” and “high severity,” impact SINEMA Remote Connect Server.
Several critical vulnerabilities, some of which can be exploited without authentication, have been found and patched in the SICAM GridEdge application.
Critical vulnerabilities have also been found in third-party components used by the SCALANCE LPE9000 local processing engine. In addition, some Apache HTTP server vulnerabilities, including critical bugs, have been found to impact RUGGEDCOM, SINEC and SINEMA products.
A high-severity DoS vulnerability in OpenSSL has been found to impact tens of Siemens products, but patches have yet to be released for most of them.
For many of these vulnerabilities, Siemens has only released mitigations and is still working on patches.
Seven critical flaws that could be exploited for remote code execution have been found in the Data Server module for the IGSS SCADA product.
Tomi Engdahl says:
Adobe Plugs 46 Security Flaws on Patch Tuesday
https://www.securityweek.com/adobe-plugs-46-security-flaws-patch-tuesday
Adobe’s security response team has pushed out a massive batch of patches to cover at least 46 vulnerabilities in a wide range of enterprise-facing software products.
As part of its scheduled Patch Tuesday release for June, Adobe warned of “critical” code execution flaws that expose both Windows and macOS users to malicious hacker attacks.
The most serious of the documented flaws affect Adobe Animate, Adobe Bridge, Adobe Illustrator, Adobe InCopy and Adobe InDesign.
Tomi Engdahl says:
Windows Updates Patch Actively Exploited ‘Follina’ Vulnerability
https://www.securityweek.com/windows-updates-patch-actively-exploited-follina-vulnerability
Microsoft has fixed roughly 50 vulnerabilities with its June 2022 Patch Tuesday updates, including the actively exploited flaw known as Follina and CVE-2022-30190.
The Follina vulnerability can and has been exploited for remote code execution using specially crafted documents. The root cause of the vulnerability has been known for at least a couple of years, but Microsoft appears to have largely ignored the issue until a researcher saw it being exploited in May.
The first attacks leveraging Follina seem to have been launched in April, but exploitation attempts have increased following its disclosure.
A Chinese threat actor has been using it in attacks aimed at the Tibetan community and cybercriminals have been leveraging it to deliver Qbot, AsyncRAT and other malware.
While an official patch has only now been released, Microsoft made available workarounds and mitigations shortly after its disclosure.
Tomi Engdahl says:
https://www.securityweek.com/sap-patches-high-severity-netweaver-vulnerabilities
Tomi Engdahl says:
Microsoft to Acquire Cyber Threat Analysis Company Miburo
https://www.securityweek.com/microsoft-acquire-cyber-threat-analysis-company-miburo
Tomi Engdahl says:
https://www.securityweek.com/attackers-can-exploit-critical-citrix-adm-vulnerability-reset-admin-passwords
Tomi Engdahl says:
Critical New Security Update For Millions Of Windows 10, 11 & Server Users
https://www.forbes.com/sites/daveywinder/2022/06/15/critical-new-security-update-for-millions-of-windows-10-11–server-users/?sh=779796da53d9&utm_campaign=socialflowForbesMainFB&utm_source=ForbesMainFacebook&utm_medium=social
As well as fixing the already under attack Follina zero-day exploit, Microsoft has just confirmed three critical vulnerabilities that impact millions of Windows and Windows Server users.
Within the collection of 55 new Microsoft security updates (yes, it’s Patch Tuesday time again) there are three that are rated as critical. The good news is that none of these, in fact none of the 55 listed vulnerabilities, are known to currently be under exploitation in the wild. I can say that despite the CVE-2022-30190 Follina fix being distributed, as, bizarrely, Microsoft didn’t list it among the vulnerabilities patched.
CVE-2022-30136 impacts Windows Server (2012, 2016, 2019) users and is a remote code execution (RCE) threat that could be exploited over the network using a malicious call to a network file system (NFS) service.
CVE-2022-30139 impacts Windows (10 & 11) and Windows Server (2016, 2019, 20H2, 2022) users and is another RCE, but this time impacting the Windows Lightweight Directory Access Protocol (LDAP).
CVE-2022-30163 impacts Windows (7, 8.1, 10 & 11) and Windows Server (2008, 2012, 2016, 2019, 20H2 & 2022) users and is another arbitrary remote code execution vulnerability. This time it targets Windows Hyper-V host using a malicious application on a Hyper-V guest.
Tomi Engdahl says:
Update your machine: Russia and China are attacking a Windows vulnerability https://www.is.fi/digitoday/tietoturva/art-2000008886532.html
Tomi Engdahl says:
Citrix warns critical bug can let attackers reset admin passwords https://www.bleepingcomputer.com/news/security/citrix-warns-critical-bug-can-let-attackers-reset-admin-passwords/
Citrix warned customers to deploy security updates that address a critical Citrix Application Delivery Management (ADM) vulnerability that can let attackers reset admin passwords.
Tomi Engdahl says:
New peer-to-peer botnet infects Linux servers with cryptominers https://www.bleepingcomputer.com/news/security/new-peer-to-peer-botnet-infects-linux-servers-with-cryptominers/
A new peer-to-peer botnet named Panchan appeared in the wild around March 2022, targeting Linux servers in the education sector to mine cryptocurrency.
Tomi Engdahl says:
Ransomware gang publishes stolen victim data on the public Internet https://www.helpnetsecurity.com/2022/06/15/ransomware-victim-data-internet/
The Alphv (aka BlackCat) ransomware group is trying out a new tactic to push companies to pay for their post-breach silence: a clearnet (public Internet) website with sensitive data about the employees and customers stolen from a victim organization.
Tomi Engdahl says:
Large supermarket chain in southern Africa hit with ransomware https://therecord.media/large-supermarket-chain-in-southern-africa-hit-with-ransomware/
One of the largest supermarket chains serving multiple countries across southern Africa has been hit with ransomware.
Tomi Engdahl says:
Unpatched Exchange server, stolen RDP logins… How miscreants get BlackCat ransomware on your network https://www.theregister.com/2022/06/15/blackcat-ransomware-microsoft/
Two of the more prolific cybercriminal groups, which in the past have deployed such high-profile ransomware families as Conti, Ryuk, REvil and Hive, have started adopting the BlackCat ransomware-as-a-service (RaaS) offering.
Tomi Engdahl says:
Canadian internet outage attributed to beaver https://therecord.media/canadian-internet-outage-beaver/
Some residents of northwestern Canada lost network coverage for eight hours last week in an outage that has since been attributed to nature’s architect: the beaver.
Tomi Engdahl says:
https://therecord.media/canadian-internet-outage-beaver/
A similar incident occurred in April of last year, DatacenterDynamics reported, when a beaver chewed through a Telus cable and used related material in its dam — temporarily downing network coverage for 900 residents in the process.
Sharks, for instance, have long been known to have a taste for the submarine cables that make up a major part of global internet infrastructure. Back in 2014, Google was even reinforcing its undersea cables with a “kevlar-like” material after repeated shark bites, per Network World.
Some security practitioners have also long argued that squirrels represent a more practical threat to powergrids than cyberattackers. In fact, for several years the website Cyber Squirrel 1 tracked power outages attributed to critters.
https://cybersquirrel1.com/
Tomi Engdahl says:
An unexpected fault during maintenance work jammed Yle’s web services in the morning
https://yle.fi/uutiset/3-12494503
Updating Yle’s web content stalled for several hours early on Wednesday. The fault stemmed from routine maintenance work started overnight.
Tomi Engdahl says:
Massive computer failure closed Swiss airspace: “Several flights have been cancelled”
https://www.tivi.fi/uutiset/tv/06a1f2fa-3ad8-4810-a8fd-30937baa9f5d
Switzerland temporarily closed its airspace on Wednesday morning because of a computer failure. Due to a technical fault in the air traffic control system, aircraft could not take off or land at Swiss airports. The news agency ATS-Keystone reported that all flights to Switzerland were being diverted to Milan.
Tomi Engdahl says:
Malaysia-linked DragonForce hacktivists attack Indian targets https://www.theregister.com/2022/06/15/dragonforce_malaysia_india_attacks/
A Malaysia-linked hacktivist group has attacked targets in India, seemingly in reprisal for a representative of the ruling Bharatiya Janata Party (BJP) making remarks felt to be insulting to the prophet Muhammad.
Tomi Engdahl says:
Microsoft: Windows update to permanently disable Internet Explorer https://www.bleepingcomputer.com/news/microsoft/microsoft-windows-update-to-permanently-disable-internet-explorer/
Microsoft confirmed today that a future Windows update will permanently disable the Internet Explorer web browser on users’ systems.
Tomi Engdahl says:
by Sayan Sen — Several Intel CPUs from different generations have been found to be susceptible to new processor vulnerabilities related to MMIO Stale Data. Microsoft and Intel have published advisories about it.
https://lwn.net/Articles/898011/
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=441947019138
Processor MMIO Stale Data Vulnerabilities
+=========================================
+
+Processor MMIO Stale Data Vulnerabilities are a class of memory-mapped I/O
+(MMIO) vulnerabilities that can expose data. The sequences of operations for
+exposing data range from simple to very complex. Because most of the
+vulnerabilities require the attacker to have access to MMIO, many environments
+are not affected. System environments using virtualization where MMIO access is
+provided to untrusted guests may need mitigation. These vulnerabilities are
+not transient execution attacks. However, these vulnerabilities may propagate
+stale data into core fill buffers where the data can subsequently be inferred
+by an unmitigated transient execution attack. Mitigation for these
+vulnerabilities includes a combination of microcode update and software
+changes, depending on the platform and usage model. Some of these mitigations
+are similar to those used to mitigate Microarchitectural Data Sampling (MDS) or
+those used to mitigate Special Register Buffer Data Sampling (SRBDS).
Tomi Engdahl says:
https://techcrunch.com/2022/06/10/daily-crunch-apples-m1-chips-have-an-unpatchable-hardware-vulnerability-say-mit-researchers/
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/iranian-hackers-target-energy-sector-with-new-dns-backdoor/
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/new-vytal-chrome-extension-hides-location-info-that-your-vpn-cant/
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/cloudflare-mitigates-record-breaking-https-ddos-attack/
Tomi Engdahl says:
https://www.darkreading.com/threat-intelligence/new-linux-malware-nearly-impossible-to-detect-
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/linux-botnets-now-exploit-critical-atlassian-confluence-bug/
Tomi Engdahl says:
Elasticsearch server with no password or encryption leaks a million records
POS and online ordering vendor StoreHub offered free Asian info takeaways
https://www.theregister.com/2022/06/16/storehub_data_leak/
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/new-peer-to-peer-botnet-infects-linux-servers-with-cryptominers/
Tomi Engdahl says:
Chinese hackers exploited years-old software flaws to break into telecom giants
A multi-year hacking campaign shows how dangerous old flaws can linger for years.
https://www.technologyreview.com/2022/06/08/1053375/chinese-hackers-exploited-years-old-software-flaws-to-break-into-telecom-giants/
Hackers employed by the Chinese government have broken into numerous major telecommunications firms around the world in a cyber-espionage campaign that has lasted at least two years, according to a new advisory from American security agencies.
The hackers allegedly breached their targets by exploiting old and well-known critical vulnerabilities in popular networking hardware. Once they had a foothold inside their targets, the hackers used the compromised devices to gain full access to the network traffic of numerous private companies and government agencies, US officials said.
Tomi Engdahl says:
https://securityaffairs.co/wordpress/131992/apt/nation-state-actors-follina-exploits.html
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/linux-version-of-black-basta-ransomware-targets-vmware-esxi-servers/