This posting is here to collect cyber security news in June 2022.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
381 Comments
Tomi Engdahl says:
Germany’s Green Party Says Email System Hit by Cyberattack
https://www.securityweek.com/germanys-green-party-says-email-system-hit-cyberattack
The German Green party, which is part of the country’s governing coalition, says its IT system was hit by a cyberattack last month that affected email accounts belonging to Foreign Minister Annalena Baerbock and Economy Minister Robert Habeck.
The party confirmed a report Saturday by German weekly Der Spiegel, but said the two hadn’t actively used their party accounts since January.
A total of 14 accounts — including those of party leaders Ricarda Lang and Omid Nouripour — were compromised in such a way that some emails were forwarded to addresses outside the party, the Greens said.
Tomi Engdahl says:
AutomationDirect Patches Vulnerabilities in PLC, HMI Products
https://www.securityweek.com/automationdirect-patches-vulnerabilities-plc-hmi-products
The US Cybersecurity and Infrastructure Security Agency (CISA) has informed organizations that AutomationDirect has patched several high-severity vulnerabilities in some of its programmable logic controller (PLC) and human-machine interface (HMI) products.
Cumming, Georgia-based AutomationDirect provides a wide range of industrial control systems (ICS). The company sells its devices directly in the United States and Canada, but the products are also sold to organizations in other regions of the world through international distributors.
Researchers at industrial cybersecurity firm Dragos discovered that some of the company’s PLC and HMI products are affected by vulnerabilities that could allow an attacker to cause disruption and make unauthorized changes to targeted devices.
CISA has published three advisories. One of them describes two vulnerabilities affecting C-more EA9 industrial touchscreen HMIs, including a DLL hijacking flaw affecting the installer and an issue related to the insecure transmission of credentials.
https://www.cisa.gov/uscert/ics/advisories/icsa-22-167-01
Tomi Engdahl says:
QNAP Appliances Targeted in New DeadBolt, eCh0raix Ransomware Campaigns
https://www.securityweek.com/qnap-appliances-targeted-new-deadbolt-ech0raix-ransomware-campaigns
Tomi Engdahl says:
ALPHV Ransomware Operators Pressure Victim With Dedicated Leak Site
https://www.securityweek.com/alphv-ransomware-operators-pressure-victim-dedicated-leak-site
Cybercriminals who are using the ALPHV ransomware created a dedicated leak website in an apparent attempt to pressure one of their victims into paying the ransom.
First observed in November 2021 and also known as BlackCat and Noberus, ALPHV is the first ransomware family to have been developed using the Rust programming language.
ALPHV, which is believed to have ties with the cybercrime group behind the Darkside/Blackmatter ransomware, has compromised at least 100 organizations to date, based on the list of victims published on their Tor website.
The threat operates under the Ransomware-as-a-Service (RaaS) business model, with affiliates compromising organizations (via stolen credentials or by exploiting unpatched Microsoft Exchange servers) and stealing and encrypting data.
https://www.securityweek.com/fbi-shares-information-blackcat-ransomware-attacks
Tomi Engdahl says:
Massive Cloudflare outage caused by network configuration error
https://www.bleepingcomputer.com/news/technology/massive-cloudflare-outage-caused-by-network-configuration-error/
Cloudflare says a massive outage that affected more than a dozen of its data centers and hundreds of major online platforms and services today was caused by a change that should have increased network resilience.
“Today, June 21, 2022, Cloudflare suffered an outage that affected traffic in 19 of our data centers,” Cloudflare said after investigating the incident.
“Unfortunately, these 19 locations handle a significant proportion of our global traffic. This outage was caused by a change that was part of a long-running project to increase resilience in our busiest locations.”
According to user reports, the full list of affected websites and services includes, but it’s not limited to, Amazon, Twitch, Amazon Web Services, Steam, Coinbase, Telegram, Discord, DoorDash, Gitlab, and more.
Tomi Engdahl says:
You can be tracked online using your Chrome browser extensions https://blog.malwarebytes.com/privacy-2/2022/06/you-can-be-tracked-online-using-your-chrome-browser-extensions/
A researcher has found a way to generate a fingerprint of your device from your installed Google Chrome extensions, and then use that fingerprint to track you online.
Tomi Engdahl says:
New DFSCoerce NTLM Relay attack allows Windows domain takeover https://www.bleepingcomputer.com/news/microsoft/new-dfscoerce-ntlm-relay-attack-allows-windows-domain-takeover/
A new DFSCoerce Windows NTLM relay attack has been discovered that uses MS-DFSNM, Microsoft’s Distributed File System, to completely take over a Windows domain. Many organizations utilize Microsoft Active Directory Certificate Services, a public key infrastructure (PKI) service that is used to authenticate users, services, and devices on a Windows domain. However, this service is vulnerable to NTLM relay attacks, which is when threat actors force, or coerce, a domain controller to authenticate against a malicious NTLM relay under an attacker’s control. This week, security researcher Filip Dragovic released a proof-of-concept script for a new NTLM relay attack called ‘DFSCoerce’ that uses Microsoft’s Distributed File System (MS-DFSNM) protocol to relay authentication against an arbitrary server.
Tomi Engdahl says:
Recent Windows Server updates break VPN, RDP, RRAS connections https://www.bleepingcomputer.com/news/microsoft/recent-windows-server-updates-break-vpn-rdp-rras-connections/
This month’s Windows Server updates are causing a wide range of issues, including VPN and RDP connectivity problems on servers with Routing and Remote Access Service (RRAS) enabled.
Tomi Engdahl says:
Massive Cloudflare outage caused by network configuration error https://www.bleepingcomputer.com/news/technology/massive-cloudflare-outage-caused-by-network-configuration-error/
Cloudflare says a massive outage that affected more than a dozen of its data centers and hundreds of major online platforms and services today was caused by a change that should have increased network resilience. According to user reports, the full list of affected websites and services includes, but it’s not limited to, Amazon, Twitch, Amazon Web Services, Steam, Coinbase, Telegram, Discord, DoorDash, Gitlab, and more. “This outage was caused by a change that was part of a long-running project to increase resilience in our busiest locations,” the Cloudflare team added. “A change to the network configuration in those locations caused an outage which started at 06:27 UTC. At 06:58 UTC the first data center was brought back online and by 07:42 UTC all data centers were online and working correctly.”
Tomi Engdahl says:
New ToddyCat Hacker Group on Experts’ Radar After Targeting MS Exchange Servers https://thehackernews.com/2022/06/new-toddycat-hacker-group-on-experts.html
An advanced persistent threat (APT) actor codenamed ToddyCat has been linked to a string of attacks aimed at high-profile entities in Europe and Asia since at least December 2020. The relatively new adversarial collective is said to have commenced its operations by targeting Microsoft Exchange servers in Taiwan and Vietnam using an unknown exploit to deploy the China Chopper web shell and activate a multi-stage infection chain.
Tomi Engdahl says:
Cyberattack on Yodel package delivery service causing delays https://therecord.media/cyberattack-on-yodel-package-delivery-service-causing-delays/
Popular United Kingdom package delivery service Yodel has been hit with a cyberattack disrupting service. In a statement to The Record, a spokesperson for the company said it is dealing with a “cyber incident” that has impacted its package tracking services.
Tomi Engdahl says:
Siemens, Motorola, Honeywell and more affected by 56 ‘ICEFALL’ vulnerabilities
https://therecord.media/siemens-motorola-honeywell-and-more-affected-by-56-icefall-vulnerabilities/
Security researchers have discovered 56 new vulnerabilities collectively known as “ICEFALL” that affect several of the largest operational technology (OT) equipment manufacturers supplying critical infrastructure organizations. The vulnerabilities affect Siemens, Motorola, Honeywell, Yokogawa, ProConOS, Emerson, Phoenix Contact, Bentley Nevada, Omron and JTEKT. Discovered by researchers with Forescout, the 56 vulnerabilities were disclosed in coordination with the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and other government agencies around the world.
Tomi Engdahl says:
Office 365 Config Loophole Opens OneDrive, SharePoint Data to Ransomware Attack https://threatpost.com/office-365-opens-ransomware-attacks-on-onedrive-sharepoint/180010/
Researchers are warning attackers can abuse Microsoft Office 365 functionality to target files stored on SharePoint and OneDrive in ransomware attacks. Those files, stored via “auto-save” and backed-up in the cloud, typically leave end users with the impression data is shielded from a ransomware attack. However, researchers say that is not always the case and files stored on SharePoint and OneDrive can be vulnerable to a ransomware attack. The attack chain assumes the worst and starts with an initial compromise of an Office 365 user’s account credentials. This leads to an account takeover, then discovery of data within the SharePoint and OneDrive environment and eventually a breach of data and ransomware attack.
Tomi Engdahl says:
False Air Raid Sirens in Israel Possibly Triggered by Iranian Cyberattack
https://www.securityweek.com/false-air-raid-sirens-israel-possibly-triggered-iranian-cyberattack
Air raid sirens sounded in the Israeli cities of Jerusalem and Eilat on Sunday evening and it appears that they were triggered by a cyberattack, possibly conducted by Iranian hackers.
The sirens, which warn the population about rocket attacks, blared for nearly an hour, according to local media reports.
An investigation conducted by the Israeli military found that the alarms were likely triggered by a cyberattack that appears to have targeted municipal public address systems rather than the military’s systems.
While it has yet to be confirmed, the main suspect is Iran, whose hackers often target Israeli organizations and systems.
“Whether this siren attack by Iran was a false flag or accidental triggering remains to be seen but the lack of municipal cybersecurity is clear,” said Ilan Barda, co-founder and CEO of industrial cybersecurity firm Radiflow. “If this was meant to cause disruption to civilian life, it would make more sense to conduct this incident during a religious holiday or time of large gatherings to shatter any sense of security.”
Was Iran behind siren cyberattacks in Jerusalem, Eilat?
A diplomatic source said the hacker identity is uncertain, but suspicions have been raised that the cyberattack was carried out by Iran.
https://www.jpost.com/israel-news/article-709867
False rocket warning sirens that were activated in Jerusalem and Eilat on Sunday evening were likely caused by a cyberattack, the Israel National Cyber Directorate (INCD) confirmed on Monday morning.
By Monday, there was rampant speculation that Iran was the perpetrator of the hack, with a slew of cyber experts opining as such in interviews about the possibility of Iranian involvement.
However, a diplomatic source said there was still uncertainty whether the Islamic Republic was the source of the attack.
The diplomatic source also downplayed the significance of the attack, saying, “There is constant cyber activity against Israel. In terms of Israel working on increasing its cyber resilience, it is not in a bad place. Part of the [state’s] multi-year plan is to build a cyber iron dome in cooperation with other nations. The headlines exaggerated about the sirens yesterday.”
On Sunday evening, rocket sirens sounded for almost an hour in Eilat and across several Jerusalem neighborhoods including Talpiot, Katamon and Beit Hakerem.
Was it really a cyberattack?
The IDF initially said there was a system malfunction by the IDF, although the actual cause was unknown.
The INCD said the attack was directed against the municipal siren systems rather than through the IDF Home Front Command alert system, which is usually viewed as more secure.
The relevant authorities were instructed to take preventative measures against the threat.
Cyberattacks on Iran
Last week, Iran claimed that it had uncovered a cyberattack on the municipality of Tehran. The attack impacted traffic cameras and other electronic services, but an Iranian official said it did not compromise any critical data.
Most cyberattacks on Iran have been laid at Israel’s doorstep, though there are some Iranian dissidents and human rights activists who have also hacked the Islamic Republic.
If Iran was behind Sunday night’s cyberattack, it would be another move in a long and cyclical cyberwarfare game between the countries that has escalated since spring 2020.
“The hackers attacked where they found loopholes.”
Omree Wechsler, senior researcher, Blavatnik Interdisciplinary Cyber Research Center
Wechsler added, “As many cyberattacks in the world are focused on financial or espionage targets, the Iranian activity against Israel is in accordance with the pattern of causing damage or creating panic. Such attacks are common and are part of a daily routine that includes thousands of attempts to hack into any system or server whose damage would cause media coverage.”
Tomi Engdahl says:
Flagstar Bank Data Breach Affects 1.5 Million Customers
https://www.securityweek.com/flagstar-bank-data-breach-affects-15-million-customers
Michigan-based Flagstar Bank, which has more than 150 branches across several US states, has disclosed a data breach that involved threat actors accessing files containing the personal information of 1.5 million individuals.
According to a data breach notification posted on Flagstar’s website and information provided by the company to authorities, the breach occurred in early December 2021. An investigation finalized on June 2 showed that the attackers had accessed files storing personal information.
It seems that different types of data were compromised for different customers, but the attacker appears to have obtained the social security numbers of at least some people. Affected individuals are being notified through snail mail.
The company said it does not have evidence that the compromised information has been misused, but it has decided to provide affected individuals two years of free identity monitoring services.
Tomi Engdahl says:
Critical PHP flaw exposes QNAP NAS devices to RCE attacks
https://www.bleepingcomputer.com/news/security/critical-php-flaw-exposes-qnap-nas-devices-to-rce-attacks/
QNAP has warned customers today that some of its Network Attached Storage (NAS) devices (with non-default configurations) are vulnerable to attacks that would exploit a three-year-old critical PHP vulnerability allowing remote code execution.
“A vulnerability has been reported to affect PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24, and 7.3.x below 7.3.11. If exploited, the vulnerability allows attackers to gain remote code execution,” QNAP explained in a security advisory released today.
“To secure your device, we recommend regularly updating your system to the latest version to benefit from vulnerability fixes.”
The Taiwanese hardware vendor has already patched the security flaw (CVE-2019-11043).
QNAP devices targeted by ransomware
Today’s warning comes after the NAS maker warned its customers on Thursday to secure their devices against active attacks deploying DeadBolt ransomware payloads.
https://nvd.nist.gov/vuln/detail/CVE-2019-11043
Tomi Engdahl says:
“The amount of data I was allowed to was staggering. I could view the details of every spa, see its owner and even remove their ownership,” according to a security researcher.
Security flaws in internet-connected hot tubs exposed owners’ personal data
https://techcrunch.com/2022/06/22/jacuzzi-flaws-admin-exposed-users/?tpcc=tcplusfacebook
A security researcher found vulnerabilities in Jacuzzi’s SmartTub interface that allowed access to the personal data of every hot tub owner.
Jacuzzi’s SmartTub feature, like most Internet of Things (IoT) systems, lets users connect to their hot tub remotely via a companion Android or iPhone app. Marketed as a “personal hot tub assistant,” users can make use of the app to control water temperature, switch on and off jets, and change the lights.
But as documented by hacker Eaton Zveare, this functionality could also be abused by threat actors to access the personal information of hot tub owners worldwide, including their names and email addresses.
It’s unclear how many users are potentially impacted, but the SmartTub app has been downloaded more than 10,000 times on Google Play.
“The main concern is their name and email being leaked,” Zveare told TechCrunch, adding that attackers could also potentially heat up someone else’s hot tub or change the filtration cycles. “That would make things unpleasant the next time the person checked their tub,” he said. “But I don’t think there is anything truly dangerous that could have been done — you have to do all chemicals by hand.”
Eaton first noticed a problem when he tried to log in using the SmartTub web interface, which uses third-party identity provider Auth0, and found that the login page returned an “unauthorized” error. But for the briefest moment Zveare saw the full admin panel populated with user data flash on his screen.
“I was surprised to discover it was an admin panel populated with user data. Glancing at the data, there is information for multiple brands, and not just from the U.S.”
Eaton then tried to bypass the restrictions and obtain full access. He used a tool called Fiddler to intercept and modify some code that told the website that he was an admin rather than an ordinary user. The bypass was successful, enabling Zveare to access the admin panel in full.
“Once into the admin panel, the amount of data I was allowed to [access] was staggering. I could view the details of every spa, see its owner and even remove their ownership,” he said. “It would be trivial to create a script to download all user information. It’s possible it’s already been done.”
Things got worse when Zveare discovered a second admin panel while reviewing the source code of the Android app allowing him to view and modify the serial numbers of products, see a list of licensed hot tub dealers and view manufacturing logs.
Zveare contacted Jacuzzi to alert them to the vulnerabilities, beginning with an initial notification just hours after discovering the flaws on December 3. Zveare received a response asking for more details three days later. But after one month of no further communication, Zveare enlisted the help of Auth0, which reached out to Jacuzzi and got it to shut down the vulnerable SmartTub admin panel. The second admin panel was eventually fixed on June 4, despite no formal acknowledgement from Jacuzzi that they have addressed the issues.
“After multiple contact attempts through three different Jacuzzi/SmartTub email addresses and Twitter, a dialog was not established until Auth0 stepped in,”
As noted by Zveare, Jacuzzi is incorporated in California, which has data breach notification and Internet of Things security laws. The latter requires manufacturers of connected devices to include “reasonable security feature[s]”
Tomi Engdahl says:
Location data of Finnish employees collected on a wide scale: this is how the authority comments https://www.is.fi/digitoday/art-2000008902559.html
THE OFFICE of the Data Protection Ombudsman reveals that location data has been collected on a large scale in the Finnish public sector on Windows 10 computers. The data collection was unintentional and resulted from the operating system’s default setting not having been changed.
The office investigated the use of the location feature on the computers of municipal and central government employees following a data breach notification filed by the Pohjois-Savo Hospital District.
According to the notification, the settings permitting location data collection had been enabled on employees’ Windows 10 workstations, even though the data was not meant to be collected. After the notification, the Office of the Data Protection Ombudsman requested an explanation from Istekki Oy, which provides ICT services to the Pohjois-Savo Hospital District, and from the Government ICT Centre Valtori. According to the press release, both stated that location data collection is enabled by default in the Windows 10 operating system and that customers had not instructed otherwise.
Tomi Engdahl says:
A deceptive PayPal scam has no link at all, and that is exactly why it is so effective https://www.is.fi/digitoday/tietoturva/art-2000008899767.html
A NEW email attack comes in the name of the payment service PayPal and claims the victim has bought more than 500 dollars’ worth of dogecoin cryptocurrency.
As the remedy, a phone number is given and nothing else. When the number is called, the victim’s phone number is stolen. In addition, the victim is asked for their credit card number and the CVV verification number on the back of the card so that the “dogecoin order” can be cancelled. In theory, this could also be used to cause the victim large costs if the number given were a premium-rate number. With the captured phone number, the attackers can carry out further attacks, for example via text messages, phone calls or WhatsApp messages.
Tomi Engdahl says:
MEGA claims it can’t decrypt your files. But someone’s managed to…
https://blog.malwarebytes.com/reports/2022/06/mega-claims-it-cant-decrypt-your-files-but-someones-managed-to/
MEGA, the cloud storage provider and file hosting service, is very proud of its end-to-end encryption. It says it couldn’t decrypt your stored files, even if it wanted to. But there’s a problem. A Swiss team of researchers has just proved those claims wrong. And that’s not all. The research went one step further, finding that an attacker could insert malicious files into the storage, passing all authenticity checks of the client.
MEGA fixes critical flaws that allowed the decryption of user data https://www.bleepingcomputer.com/news/security/mega-fixes-critical-flaws-that-allowed-the-decryption-of-user-data/
MEGA has released a security update to address a set of severe vulnerabilities that could have exposed user data, even if the data had been stored in encrypted form.
Tomi Engdahl says:
Microsoft: Russia stepped up cyberattacks against Ukraine’s allies https://www.bleepingcomputer.com/news/security/microsoft-russia-stepped-up-cyberattacks-against-ukraine-s-allies/
Microsoft said today that Russian intelligence agencies have stepped up cyberattacks against governments of countries that have allied themselves with Ukraine after Russia’s invasion. “MSTIC has detected Russian network intrusion efforts on 128 targets in 42 countries outside Ukraine,” said Microsoft’s President and Vice-Chair Brad Smith. “These represent a range of strategic espionage targets likely to be involved in direct or indirect support of Ukraine’s defense, 49 percent of which have been government agencies.” The vast majority of these attacks are, as expected, primarily focused on obtaining sensitive information from government agencies in countries currently playing crucial roles in NATO’s and the West’s response to Russia’s war.
https://thehackernews.com/2022/06/newly-discovered-magecart.html
Tomi Engdahl says:
Microsoft reveals cause behind this week’s Microsoft 365 outage https://www.bleepingcomputer.com/news/microsoft/microsoft-reveals-cause-behind-this-week-s-microsoft-365-outage/
Microsoft has revealed that this week’s Microsoft 365 worldwide outage was caused by an infrastructure power outage that led to traffic management servicing failovers in multiple regions.
Tomi Engdahl says:
Elusive ToddyCat APT Targets Microsoft Exchange Servers https://threatpost.com/elusive-toddycat-apt-targets-microsoft-exchange-servers/180031/
An advanced persistent threat (APT) group, dubbed ToddyCat, is believed to be behind a series of attacks targeting Microsoft Exchange servers of high-profile government and military installations in Asia and Europe. The campaigns, according to researchers, began in December 2020, and have been largely poorly understood in their complexity until now. Researchers said ToddyCat is a relatively new APT and there is “little information about this actor.” The APT leverages two passive backdoors within the Exchange Server environment with malware called Samurai and Ninja, which researchers say are used by the adversaries to take complete control of the victim’s hardware and network.
Tomi Engdahl says:
New NTLM Relay Attack Lets Attackers Take Control Over Windows Domain
https://thehackernews.com/2022/06/new-ntlm-relay-attack-lets-attackers.html
A new kind of Windows NTLM relay attack dubbed DFSCoerce has been uncovered that leverages the Distributed File System (DFS): Namespace Management Protocol (MS-DFSNM) to seize control of a domain.
“Spooler service disabled, RPC filters installed to prevent PetitPotam and File Server VSS Agent Service not installed but you still want to relay [Domain Controller] authentication to [Active Directory Certificate Services]? Don’t worry MS-DFSNM have (sic) your back,” security researcher Filip Dragovic said in a tweet.
The discovery of DFSCoerce follows a similar method called PetitPotam that abuses Microsoft’s Encrypting File System Remote Protocol (MS-EFSRPC) to coerce Windows servers, including domain controllers, into authenticating with a relay under an attacker’s control, letting threat actors potentially take over an entire domain.
“By relaying an NTLM authentication request from a domain controller to the Certificate Authority Web Enrollment or the Certificate Enrollment Web Service on an AD CS system, an attacker can obtain a certificate that can be used to obtain a Ticket Granting Ticket (TGT) from the domain controller,” the CERT Coordination Center (CERT/CC) noted, detailing the attack chain.
https://github.com/Wh04m1001/DFSCoerce
Tomi Engdahl says:
https://www.securityweek.com/firmware-security-startup-binarly-raises-36-million-seed-funding
Tomi Engdahl says:
https://www.securityweek.com/sma-technologies-patches-critical-security-issue-workload-automation-solution
Tomi Engdahl says:
https://www.securityweek.com/delivery-firm-yodel-scrambling-restore-operations-following-cyberattack
Tomi Engdahl says:
Belgian, Dutch Police Dismantle Cybercrime Group
https://www.securityweek.com/belgian-dutch-police-dismantle-cybercrime-group
Europol announced on Tuesday that police have dismantled a cybercrime group that made millions of euros through phishing and other types of schemes.
The law enforcement operation was conducted by police in Belgium and the Netherlands, with support from Europol. The Dutch police arrested nine individuals — eight men and one woman, aged between 25 and 36 — and searched 24 houses in the country.
Police have seized firearms, electronics, jewelry, cash and cryptocurrency from the suspects. The investigation was initiated by Belgian authorities and the individuals arrested in the Netherlands will be handed over to Belgium.
Tomi Engdahl says:
Google Patches 14 Vulnerabilities With Release of Chrome 103
https://www.securityweek.com/google-patches-14-vulnerabilities-release-chrome-103
Google this week announced the release of Chrome 103 to the stable channel with patches for a total of 14 vulnerabilities, including nine reported by external researchers.
The most severe of these bugs is CVE-2022-2156, which is described as a critical-severity use-after-free issue in Base.
The security flaw was identified by Mark Brand of Google Project Zero. Per Google’s policy, no bug bounty reward will be handed out for this vulnerability.
Leading to arbitrary code execution, corruption of data, or denial of service, use-after-free flaws are triggered when a program frees memory allocation but does not clear the pointer after that.
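The one-line definition of use-after-free above is worth seeing in code. The following is an added C example, not code from the SecurityWeek article or from Chromium: a constructed session record is released twice, once with the caller’s pointer left dangling (the pattern the article describes) and once through a helper that clears the caller’s pointer so the NULL check in front of a privileged action can refuse a released session. The type and function names (`session_t`, `session_close_dangling`, `session_close_clearing`, `session_allows_admin`) are this example’s own. Freed memory is never dereferenced here; only the pointer value is compared.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example record: a server-side session freed on logout. */
typedef struct {
    char user[32];
    int  is_admin;
} session_t;

static session_t *session_open(const char *user, int is_admin) {
    session_t *s = calloc(1, sizeof *s);
    if (s == NULL) return NULL;
    strncpy(s->user, user, sizeof s->user - 1);
    s->is_admin = is_admin;
    return s;
}

/* The pattern the article describes: the allocation is freed, but the
 * caller's copy of the pointer keeps its old value. Any later read or
 * write through that copy is a use-after-free, and a NULL check in the
 * caller cannot notice that the object is gone. */
static void session_close_dangling(session_t *s) {
    free(s);
}

/* Hardened variant: take the address of the caller's pointer and clear it,
 * so a later use is either refused by an explicit NULL check or crashes
 * immediately as a NULL dereference instead of reading freed memory. */
static void session_close_clearing(session_t **sp) {
    if (sp == NULL || *sp == NULL) return;
    free(*sp);
    *sp = NULL;
}

/* Gate for a privileged action. Returns 1 if allowed, 0 if the session is
 * gone or not privileged. */
static int session_allows_admin(const session_t *s) {
    if (s == NULL) return 0;          /* released session: refuse */
    return s->is_admin ? 1 : 0;
}

/* Returns 1 when the caller's pointer still looks live after close, i.e.
 * when a NULL check would be fooled; 0 when the close cleared it.
 * Only the pointer value is compared, nothing is dereferenced. */
static int stale_pointer_survives_close(int clear_on_close) {
    session_t *s = session_open("alice", 1);
    if (s == NULL) return -1;
    if (clear_on_close) {
        session_close_clearing(&s);
    } else {
        session_close_dangling(s);
    }
    return s != NULL;
}

/* End-to-end check of the hardened path: 1 when an admin session is usable
 * before close and correctly refused (pointer NULL) after close. */
static int clearing_close_refuses_after_close(void) {
    session_t *s = session_open("carol", 1);
    if (s == NULL) return -1;
    int before = session_allows_admin(s);   /* expected 1 */
    session_close_clearing(&s);
    int after = session_allows_admin(s);    /* expected 0, s is NULL now */
    return (before == 1 && after == 0 && s == NULL) ? 1 : 0;
}

int main(void) {
    printf("close without clearing, pointer still looks live: %d\n",
           stale_pointer_survives_close(0));
    printf("close with clearing,    pointer still looks live: %d\n",
           stale_pointer_survives_close(1));
    printf("hardened path refuses after close: %d\n",
           clearing_close_refuses_after_close());
    return 0;
}
```

Clearing the pointer only protects the one copy that was passed to the close routine; every other alias of the object (a cached pointer in a second structure, a callback argument, a reference held across an event loop turn) stays dangling, which is why bugs of this class keep appearing in large codebases such as a browser. Building with `-fsanitize=address` turns any actual dereference of the freed record into an immediate, diagnosable failure during testing.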
Tomi Engdahl says:
Adobe Acrobat Reader Shuns Security Products Due to Compatibility Issues
https://www.securityweek.com/adobe-acrobat-reader-shuns-security-products-due-compatibility-issues
Adobe Acrobat Reader blocks certain antimalware solutions from injecting their DLLs into its processes, essentially denying them visibility and creating security risks, ransomware prevention company Minerva Labs reports.
The behavior, which is similar to that of suspicious or malicious applications, is related to Acrobat Reader’s use of the Chromium Embedded Framework (CEF), which has some incompatibility issues with certain security products.
Minerva says it has observed a gradual uptick in this behavior starting March 2022, when libcef.dll – a CEF DLL employed by numerous applications – was updated. The library contains a list of DLLs that are known to cause conflicts, and which are blocked.
“However, any vendor that uses libcef.dll can easily change this DLL list. The hard-coded DLL list in the Adobe libcef.dll version we checked had been edited and was surprisingly longer and also contains the DLLs of […] security products,” Minerva noted.
Does Acrobat Reader Unload Injection of Security Products?
https://blog.minerva-labs.com/does-acrobat-reader-unload-injection-of-security-products
Since March of 2022 we’ve seen a gradual uptick in Adobe Acrobat Reader processes attempting to query which security product DLLs are loaded into it by acquiring a handle of the DLL. The significant rise over the recent months caught our attention as it is very unusual behavior for Adobe.
Tomi Engdahl says:
Industry Reactions to ‘OT:Icefall’ Vulnerabilities Found in ICS Products
https://www.securityweek.com/industry-reactions-oticefall-vulnerabilities-found-ics-products
Cybersecurity firm Forescout has disclosed OT:Icefall, a collection of 56 vulnerabilities discovered across the products of ten companies that make operational technology (OT) systems.
Forescout researchers discovered issues related to insecure engineering protocols, weak cryptography or broken authentication schemes, insecure firmware update mechanisms, and native functionality abuse.
The security holes impact various types of industrial control systems (ICS), including engineering workstations, PLCs, distributed control systems, building controllers, safety instrumented systems, remote terminal units, and SCADA systems. Exploitation of the flaws can lead to remote code execution, DoS attacks, firmware manipulation, compromised credentials, and authentication bypass.
Affected vendors include Baker Hughes (Bentley Nevada), Emerson, Honeywell, JTEKT, Motorola, Omron, Phoenix Contact, Siemens, and Yokogawa. These companies have started sharing mitigations for the vulnerabilities.
From Basecamp to Icefall: Secure by Design OT Makes Little Headway
https://www.securityweek.com/basecamp-icefall-secure-design-ot-makes-little-headway
Tomi Engdahl says:
New ‘ToddyCat’ APT Targets High-Profile Entities in Europe, Asia
https://www.securityweek.com/new-toddycat-apt-targets-high-profile-entities-europe-asia
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/cisa-log4shell-exploits-still-being-used-to-hack-vmware-servers/
Tomi Engdahl says:
Japanese man loses USB stick with entire city’s personal details
https://www.bbc.com/news/world-asia-61921222
For many, after-work drinks are a common way of relaxing after a busy week.
But one worker in Japan could be nursing a protracted hangover after he lost a USB memory stick following a night out with colleagues.
Why? It contained the personal details of nearly half a million people.
The Japanese broadcaster NHK reports that the man, said to be in his 40s, works for a company tasked with providing benefits to tax-exempt households.
He had transferred the personal information of the entire city’s residents onto the drive on Tuesday evening before meeting colleagues for a night on the town.
City officials said the memory stick included the names, birth dates, and addresses of all the city’s residents. It also included more sensitive information, including tax details, bank account numbers and information on families receiving social security.
Luckily for the man, city officials said the data contained on the drive is encrypted and locked with a password. They added that there has been no sign that anyone has attempted to access the information so far.
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/malicious-windows-lnk-attacks-made-easy-with-new-quantum-builder/
Tomi Engdahl says:
https://www.theregister.com/2022/06/20/indian_government_infosec_guidance_leaks/
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/microsoft-office-365-feature-can-help-cloud-ransomware-attacks/
Tomi Engdahl says:
https://techcrunch.com/2022/06/24/amsterdam-cyber-startup-hadrian-closes-e10-5m-seed-for-platform-which-simulates-hacker-attacks/
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-by-new-toddycat-apt-gang/
Tomi Engdahl says:
https://www.zdnet.com/article/cisa-warns-over-software-flaws-in-industrial-control-systems/
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/microsoft/7-zip-now-supports-windows-mark-of-the-web-security-feature/
Tomi Engdahl says:
Adobe Acrobat May Block Antivirus Tools From Monitoring PDF Files
https://m.slashdot.org/story/401280
Tomi Engdahl says:
https://thehackernews.com/2022/06/new-syslogk-linux-rootkit-lets.html
Tomi Engdahl says:
https://www.darkreading.com/attacks-breaches/atlassian-confluence-server-vulnerability-active-attack-ransomware
Tomi Engdahl says:
https://radius.webinaze.com/operatiivisen-teknologian-tietoturva-2022
Tomi Engdahl says:
Conti ransomware group’s pulse stops, but did it fake its own death?
https://blog.malwarebytes.com/ransomware/2022/06/conti-ransomware-disappears-did-it-fake-its-own-death/
The dark web leak site used by the notorious Conti ransomware gang has disappeared, along with the chat function it used to negotiate ransoms with victims. For as long as this infrastructure is down the group is unable to operate and a significant threat is removed from the pantheon of ransomware threats.
Tomi Engdahl says:
Police seize and dismantle massive phishing operation https://blog.malwarebytes.com/social-engineering/2022/06/police-seize-and-dismantle-massive-phishing-operation/
Europol has coordinated a joint operation to arrest members of a cybercrime gang and effectively dismantle their campaigns that netted millions of euros.
Tomi Engdahl says:
Malicious Cyber Actors Continue to Exploit Log4Shell in VMware Horizon Systems https://www.cisa.gov/uscert/ncas/alerts/aa22-174a
The Cybersecurity and Infrastructure Security Agency (CISA) and United States Coast Guard Cyber Command (CGCYBER) are releasing this joint Cybersecurity Advisory (CSA) to warn network defenders that cyber threat actors, including state-sponsored advanced persistent threat (APT) actors, have continued to exploit CVE-2021-44228 (Log4Shell) in VMware Horizon® and Unified Access Gateway (UAG) servers to obtain initial access to organizations that did not apply available patches or workarounds.
Tomi Engdahl says:
CISA warns over software flaws in industrial control systems https://www.zdnet.com/article/cisa-warns-over-software-flaws-in-industrial-control-systems/
The US Cybersecurity and Infrastructure Agency (CISA) has warned organizations to check recently disclosed vulnerabilities affecting operational technology (OT) devices that should be, but aren’t always, isolated from the internet.
Tomi Engdahl says:
Spyware vendor works with ISPs to infect iOS and Android users https://www.bleepingcomputer.com/news/security/spyware-vendor-works-with-isps-to-infect-ios-and-android-users/
Google’s Threat Analysis Group (TAG) revealed today that RCS Labs, an Italian spyware vendor, has received help from some Internet service providers (ISPs) to infect Android and iOS users in Italy and Kazakhstan with commercial surveillance tools. Original:
https://googleprojectzero.blogspot.com/2022/06/curious-case-carrier-app.html
Also:
https://therecord.media/google-seven-zero-days-in-2021-developed-commercially-and-sold-to-governments/