Cyber security news June 2022

This posting is here to collect cyber security news in June 2022.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.

381 Comments

  1. Tomi Engdahl says:

    ”Kyberspetznaz” hyökkää Liettuaan – laajoja kosto­iskuja verkossa
    Kyberhyökkäyksen taustalla vaikuttavat Liettuan Kaliningradin rautatieliikenteelle asettamat rajoitukset. Todellinen tavoite saattaa olla psykologinen vaikuttaminen.
    https://www.is.fi/digitoday/tietoturva/art-2000008904089.html

    Lithuania warns of rise in DDoS attacks against government sites
    https://www.bleepingcomputer.com/news/security/lithuania-warns-of-rise-in-ddos-attacks-against-government-sites/

    NKSC fiksuoja iaugus paslaug trikdymo kibernetini atak skaii Lietuvoje https://www.nksc.lt/naujienos/nksc_fiksuoja_isaugusi_paslaugu_trikdymo_kiberneti.html
    Nacionalinis kibernetinio saugumo centras prie Krato apsaugos ministerijos (NKSC) fiksuoja iaugus paskirstyt paslaug trikdymo kibernetini atak (angl. Distributed Denial of Service, DDoS) skaii.
    Lisäksi:
    https://www.bleepingcomputer.com/news/security/lithuania-warns-of-rise-in-ddos-attacks-against-government-sites/.
    Lisäksi: https://www.is.fi/digitoday/tietoturva/art-2000008904089.

    Reply
  2. Tomi Engdahl says:

    Chinese hackers distributing sms bomber
    https://thehackernews.com/2022/06/chinese-hackers-distributing-sms-bomber.html
    A threat cluster with ties to a hacking group called Tropic Trooper has been spotted using a previously undocumented malware coded in Nim language to strike targets as part of a newly discovered campaign.

    Reply
  3. Tomi Engdahl says:

    Conti ransomware hacking spree breaches over 40 orgs in a month https://www.bleepingcomputer.com/news/security/conti-ransomware-hacking-spree-breaches-over-40-orgs-in-a-month/
    The Conti cybercrime syndicate runs one of the most aggressive ransomware operations and has grown highly organized, to the point that affiliates were able to hack more than 40 companies in a little over a month.

    Reply
  4. Tomi Engdahl says:

    June Windows preview updates fix VPN, RDP, RRAS, and Wi-Fi issues https://www.bleepingcomputer.com/news/microsoft/june-windows-preview-updates-fix-vpn-rdp-rras-and-wi-fi-issues/
    The optional Windows update previews released by Microsoft this week come with more than the regular performance improvements and bug fixes.

    Reply
  5. Tomi Engdahl says:

    Scalper bots are snapping up appointments for government services in Israel https://www.zdnet.com/article/scalper-bots-are-snapping-up-appointments-for-government-services-in-israel
    Scalper bots are causing chaos for the Israeli government by trying to turn access to public services into a cash cow.

    Reply
  6. Tomi Engdahl says:

    Mitel zero-day used by hackers in suspected ransomware attack https://www.bleepingcomputer.com/news/security/mitel-zero-day-used-by-hackers-in-suspected-ransomware-attack/
    Hackers used a zero-day exploit on Linux-based Mitel MiVoice VOIP appliances for initial access in what is believed to be the beginning of a ransomware attack. Lisäksi:
    https://thehackernews.com/2022/06/hackers-exploit-mitel-voip-zero-day-bug.html

    Reply
  7. Tomi Engdahl says:

    FBI investigating $100 million theft from blockchain company Harmony https://therecord.media/fbi-investigating-100-million-theft-from-blockchain-company-harmony/
    Blockchain company Harmony said $100 million in cryptocurrency was stolen from the platform on Thursday evening. The company said the FBI is now investigating the theft alongside several cybersecurity firms.

    Reply
  8. Tomi Engdahl says:

    CafePress fined $500, 000 for breach affecting 23 million users https://www.bleepingcomputer.com/news/security/cafepress-fined-500-000-for-breach-affecting-23-million-users/
    The U.S. Federal Trade Commission (FTC) has ordered Residual Pumpkin Entity, the former owner of the CafePress t-shirt and merchandise site, to pay a $500, 000 fine for covering up a data breach impacting more than 23 million customers and failing to protect their data.

    Reply
  9. Tomi Engdahl says:

    PyPi python packages caught sending stolen AWS keys to unsecured sites https://www.bleepingcomputer.com/news/security/pypi-python-packages-caught-sending-stolen-aws-keys-to-unsecured-sites/
    Multiple malicious Python packages available on the PyPI repository were caught stealing sensitive information like AWS credentials and transmitting it to publicly exposed endpoints accessible by anyone.

    Reply
  10. Tomi Engdahl says:

    Hacker selling access to 50 vulnerable networks through Atlassian vulnerability https://therecord.media/hacker-selling-access-to-50-vulnerable-networks-through-atlassian-vulnerability/
    A hacker is selling access to 50 vulnerable networks on a cybercriminal forum after breaking into systems through the recently-discovered Atlassian Confluence zero-day.

    Reply
  11. Tomi Engdahl says:

    Automotive fabric supplier TB Kawashima announces cyberattack https://www.bleepingcomputer.com/news/security/automotive-fabric-supplier-tb-kawashima-announces-cyberattack/
    TB Kawashima, part of the Japanese automotive component manufacturer Toyota Boshoku of the Toyota Group of companies, announced that one of its subsidiaries has been hit by a cyberattack.

    Reply
  12. Tomi Engdahl says:

    Russia fines Google for spreading unreliable’ info defaming its army https://www.bleepingcomputer.com/news/google/russia-fines-google-for-spreading-unreliable-info-defaming-its-army/
    Roskomnadzor, Russia’s telecommunications watchdog, has fined Google
    68 million rubles (roughly $1.2 million) for helping spread what it called “unreliable” information on the war in Ukraine and the failure to remove it from its platforms.

    Reply
  13. Tomi Engdahl says:

    Malicious Code Passed to PowerShell via the Clipboard
    https://isc.sans.edu/diary/rss/28784
    Another day, another malicious script was found! Today, the script is a Windows bat file that executes malicious PowerShell code but the way it works is interesting. The script has a VT score of 16/54 ( )[1].
    The script uses the Windows command-line tool “clip.exe” which is often unknown to people

    Reply
  14. Tomi Engdahl says:

    Fake copyright infringement emails install LockBit ransomware https://www.bleepingcomputer.com/news/security/fake-copyright-infringement-emails-install-lockbit-ransomware/
    n LockBit ransomware affiliates are using an interesting trick to get people into infecting their devices by disguising their malware as copyright claims.

    Reply
  15. Tomi Engdahl says:

    Clever phishing method bypasses MFA using Microsoft WebView2 apps https://www.bleepingcomputer.com/news/security/clever-phishing-method-bypasses-mfa-using-microsoft-webview2-apps/
    n A clever, new phishing technique uses Microsoft Edge WebView2 applications to steal victim’s authentication cookies, allowing threat actors to bypass multi-factor authentication when logging into stolen accounts.. n This new social engineering attack is called WebView2-Cookie-Stealer and consists of a WebView2 executable that, when launched, opens up a legitimate website’s login form inside the application.

    Reply
  16. Tomi Engdahl says:

    US Agencies Warn Organizations of Log4Shell Attacks Against VMware Products
    https://www.securityweek.com/us-agencies-warn-organizations-log4shell-attacks-against-vmware-products
    The United States Cybersecurity and Infrastructure Security Agency (CISA) and the Coast Guard Cyber Command (CGCYBER) have issued a joint advisory to warn organizations that threat actors continue to exploit the Log4Shell vulnerability in VMware Horizon and Unified Access Gateway (UAG) servers.
    Tracked as CVE-2021-44228, the infamous Log4Shell vulnerability that was disclosed in November 2021 impacts the widely used Apache Log4j logging tool, and is described as a critical-severity flaw leading to remote code execution.
    Exploitation of the vulnerability started less than two weeks after the bug was reported, prompting organizations to prioritize the deployment of available patches.

    Malicious Cyber Actors Continue to Exploit Log4Shell in VMware Horizon Systems https://www.cisa.gov/uscert/ncas/alerts/aa22-174a
    The Cybersecurity and Infrastructure Security Agency (CISA) and United States Coast Guard Cyber Command (CGCYBER) are releasing this joint Cybersecurity Advisory (CSA) to warn network defenders that cyber threat actors,. including state-sponsored advanced persistent threat
    (APT) actors, have continued to exploit CVE-2021-44228 (Log4Shell) in VMware Horizon® and Unified Access Gateway (UAG) servers to obtain initial access to organizations that did not apply available patches or workarounds.

    Reply
  17. Tomi Engdahl says:

    https://hackaday.com/2022/06/24/this-week-in-security-iot-in-the-hot-tub-app-double-fail-and-freebsd-badbeacon/

    OpenSSL AVX512 Bug

    There’s a bug in OpenSSL 3.0.4, and may be a particularly nasty one, but it only occurs on CPUs with the AVX512 extensions. The problem is triggered in ossl_rsaz_mod_exp_avx512_x2(), which makes a call off to bn_reduce_once_in_place(). The call includes the value factor_size, which is supposed to be the number of words to process, but the old code was instead sending the bit size. This worked most of the time, but in certain cases, resulted in a heap buffer overflow. The spooky part of this is that it can be triggered by a TLS handshake, and other potentially attacker-controlled inputs. The only thing lacking to call this a 10.0 CVSS CVE is an actual demonstration of exploitation. As it is, it’s easy to demonstrate a crash. A 3.0.5 release will be made soon, containing the fix, but it’s unclear when that will happen. Most distros seem to be delaying shipping the 3.0.4 release, waiting for the fix for this potentially serious issue

    AVX512-specific heap buffer overflow with 3.0.4 release #18625
    https://github.com/openssl/openssl/issues/18625

    Reply
  18. Tomi Engdahl says:

    Vice Society claims ransomware attack on Med. University of Innsbruck https://www.bleepingcomputer.com/news/security/vice-society-claims-ransomware-attack-on-med-university-of-innsbruck/
    The Vice Society ransomware gang has claimed responsibility for last week’s cyberattack against the Medical University of Innsbruck, which caused severe IT service disruption and the alleged theft of data.

    Reply
  19. Tomi Engdahl says:

    Russia’s Killnet hacker group says it attacked Lithuania https://www.reuters.com/technology/russias-killnet-hacker-group-says-it-attacked-lithuania-2022-06-27/
    Russian hacker group Killnet claimed responsibility on Monday for a DDOS cyber attack on Lithuania, saying it was in response to Vilnius’s decision to block the transit of goods sanctioned by the European Union to the Russian exclave of Kaliningrad.

    Reply
  20. Tomi Engdahl says:

    Microsoft Exchange bug abused to hack building automation systems https://www.bleepingcomputer.com/news/security/microsoft-exchange-bug-abused-to-hack-building-automation-systems/
    A Chinese-speaking threat actor has hacked into the building automation systems (used to control HVAC, fire, and security
    functions) of several Asian organizations to backdoor their networks and gain access to more secured areas in their networks. Lisäksi:
    https://ics-cert.kaspersky.com/publications/reports/2022/06/27/attacks-on-industrial-control-systems-using-shadowpad/

    Reply
  21. Tomi Engdahl says:

    Oracle patches miracle exploit’ impacting Middleware Fusion, cloud services https://portswigger.net/daily-swig/oracle-patches-miracle-exploit-impacting-middleware-fusion-cloud-services
    Oracle has patched a remote code execution (RCE) vulnerability impacting Oracle Fusion Middleware and various other Oracle systems.

    Reply
  22. Tomi Engdahl says:

    Cybersecurity Experts Warn of Emerging Threat of “Black Basta”
    Ransomware
    https://thehackernews.com/2022/06/cybersecurity-experts-warn-of-emerging.html
    The Black Basta ransomware-as-a-service (RaaS) syndicate has amassed nearly 50 victims in the U.S., Canada, the U.K., Australia, and New Zealand within two months of its emergence in the wild, making it a prominent threat in a short window.

    Reply
  23. Tomi Engdahl says:

    LockBit 3.0 introduces the first ransomware bug bounty program https://www.bleepingcomputer.com/news/security/lockbit-30-introduces-the-first-ransomware-bug-bounty-program/
    The LockBit ransomware operation has released ‘LockBit 3.0, ‘
    introducing the first ransomware bug bounty program and leaking new extortion tactics and Zcash cryptocurrency payment options

    Reply
  24. Tomi Engdahl says:

    Researchers crack MEGA’s privacy by design’ storage, encryption https://portswigger.net/daily-swig/researchers-crack-megas-privacy-by-design-storage-encryption
    However, according to the ETH Zurich University, based in Switzerland, in-depth testing of the platform has revealed “security holes that would allow the provider to decrypt and manipulate customer data”, despite its marketing claims to the contrary. Lisäksi:
    https://mega-awry.io/pdf/mega-malleable-encryption-goes-awry.pdf

    Reply
  25. Tomi Engdahl says:

    Untrusted types: Researcher demos trick to beat Trusted Types protection in Google Chrome https://portswigger.net/daily-swig/untrusted-types-researcher-demos-trick-to-beat-trusted-types-protection-in-google-chrome
    Techniques that might be abused to bypass the Trusted Types security mechanism in earlier versions of Chrome have been unveiled. Security researchers have uncovered multiple unprotected properties to bypass Trusted Types, a widely used web security mechanism, in some scenarios.

    Reply
  26. Tomi Engdahl says:

    Cerby Emerges From Stealth With Security Platform for Unmanageable Apps
    https://www.securityweek.com/cerby-emerges-stealth-security-platform-unmanageable-apps

    California-based company Cerby on Monday announced that it has emerged from stealth mode with a security platform for unmanageable applications, as well as $12 million in seed funding.

    Cerby aims to provide a solution that creates a balance between allowing employees to use the applications they need to do their job and the enterprise being able to address shadow IT risks and secure its systems.

    The company has commissioned a survey of 500 business professionals in North America and the UK. The study found that a vast majority of respondents want to have full control over the applications they use for work-related purposes, and 51% said they have continued using preferred applications even after they were specifically banned by their employer.

    Cerby wants to address this problem with a platform that can help organizations secure their systems while enabling employees to use the applications they need.

    Employees can register their own applications and the platform helps ensure they are securely configured and that they don’t violate any security policies.

    https://www.cerby.com/

    Reply
  27. Tomi Engdahl says:

    Oracle patches ‘miracle exploit’ impacting Middleware Fusion, cloud services
    https://portswigger.net/daily-swig/oracle-patches-miracle-exploit-impacting-middleware-fusion-cloud-services

    Researchers describe discovery of ‘mega’ zero-day

    Oracle has patched a remote code execution (RCE) vulnerability impacting Oracle Fusion Middleware and various other Oracle systems.

    Security researchers ‘Peterjson’ and ‘Jang’ reported a pair of severe flaws to Oracle that can be chained to achieve RCE, which they dubbed the ‘Miracle Exploit’.

    The researchers said they privately told Oracle about a serious vulnerability they discovered in Oracle Access Manager, tracked as CVE-2021–35587. The CVSS 9.8 bug is described as an “easily exploitable” flaw that allows unauthenticated attackers with network access via HTTP for application takeover.

    Jang said the flaw was discovered by accident when the duo were “building a PoC [proof of concept exploit code] for another mega 0-day”.

    While working with the Zero Day Initiative (ZDI), this research led to the discovery of CVE-2022–21445. This ‘mega’ bug, issued a severity score of 9.8, was found in the Oracle Application Development Framework (ADF) Faces architecture, a component of Oracle Fusion Middleware.

    The deserialization of trusted data issue can be chained with CVE-2022–21497 (CVSS 8.1), a takeover flaw in Oracle Web Services Manager, to achieve pre-authentication RCE.

    CVE-2022–21445 impacts a variety of products and services based on Fusion Middleware, various Oracle systems, and even Oracle’s cloud infrastructure. Unauthenticated attackers with network access, via HTTP, can abuse the vulnerability chain.

    “One more thing to note, any website was developed by ADF Faces framework are affected,” Peterjson said.

    After testing Oracle services and domains, the vulnerability report was submitted to the vendor on October 25, 2021. In the same month, Oracle confirmed receipt of the report and said it was investigating. However, it took the best part of six months for a patch to be issued.

    Both issues have been resolved in Oracle’s April round of patches.

    Companies utilizing vulnerable Oracle software are urged to apply the patch immediately.

    Peterjson told The Stack that companies have been informed if they have not applied Oracle’s fix, and that he believes the number of exposed instances is “huge”.

    “Why [did] we hack some Oracle’s sites? Because we want to demonstrate the impact to Oracle and let them know this vulnerability is super dangerous, it affects Oracle system[s] and Oracle’s customers,” Peterjson commented.

    “That’s why we want Oracle take an action ASAP. But as you can see, 6 months for Oracle to patch it, I don’t know why, but we have to accept it and follow Oracle’s policy.”

    Oracle vuln left scores of blue chips exposed to pre-auth RCE exploit for 6 MONTHS post disclosure
    https://thestack.technology/oracle-middleware-vulnerability-blue-chips-exposed-6-months/

    A critical Oracle Fusion Middleware vulnerability, that sat unpatched for six months after disclosure, exposed companies including Starbucks, BestBuy and Dell to potential pre-auth RCE attacks, said the finders of the Oracle exploit.

    The Oracle exploit was found and reported by security researchers “peterjson” and “Jang” in October 2021. But the Oracle middleware vulnerability, which they named “Miracle”, did not receive a patch until April 2022 under Oracle’s often-overlooked patch cycle. The two have now posted further details about the vulnerability, allocated CVE-2022–21445 with a critical CVSS score of 9.8 and urged rapid patching.

    The two, working from Vietnam under the Zero Day Initiative (ZDI) bug bounty programme, said they also popped login.oracle.com “which is play [sic] an important role in oracle’s online services” in a bid to emphasise the severity of the flaw after Oracle took longer than they had expected to patch the vulnerability.

    The Miracle exploit is enabled by an ADF Faces vulnerability (CVE-2022–21445), and an Oracle Web Services Manager flaw (CVE-2022–21497, rated 8.1). Both Oracle middleware vulnerability patches are covered by the vendor’s April 2022 critical patch update.

    “After [we] disclosed this bug with Oracle, Oracle took almost 6 months to patch this vulnerability in each product inside Oracle Fusion Middleware. We also reported pre-auth RCEs to BestBuy, Starbucks, USAA, NAB Group, Regions Bank, Dell, … via their bug bounty program after the patch was released,” said the researchers’ post.

    Any unauthenticated attacker with network access via HTTP can abuse the vulnerability.

    He declined to give a hard number for total potentially exposed instances but said “we believe it’s huge” as the vulnerability in theory affects Oracle online services, Oracle Cloud Infrastructure and on-prem instances.

    Any product which uses ADF Faces becomes vulnerable to attack, and the researchers were able to use the Oracle exploit to get at least some access to products including Business Intelligence, Enterprise Manager, Identity Management, SOA Suite, WebCentre Portal, Application Testing Suite and Transportation Management.

    But for Oracle Access Manager (OAM), they found two ways to achieve pre-auth RCE: “We want to focus on this because OAM plays an important role on each company infrastructure. Also, many Oracle’s online services / cloud services run OAM as SSO service for users” — detailing the technical attack chain here.

    In a separate post on a different but related Oracle middleware vulnerability, Jang listed users of OAM as including Huawei, VMware and Qualcomm

    By combining the ADF Faces deserialization vulnerability with a flaw in the Oracle Web Services Manager, the researchers were able to gain access to Oracle servers. These included edelivery.oracle.com , businessnetwork.oracle.com – as well as login.oracle.com.

    “Why we hack some Oracle’s sites? Because we want to demonstrate the impact to Oracle and let them know this vulnerability is super dangerous , it affects Oracle system and Oracle’s customers. That’s why we want Oracle take an action ASAP. But as you can see, 6 months for Oracle to patch it, I don’t know why, but we have to accept it and follow Oracle’s policy,” said peterjson in the blog post.

    The reserchers’ blog post contains a very detailed explanation of how they uncovered the Oracle middleware vulnerability, which is worth a read – and given it exists, the time is ripe to patch the Oracle exploit as fast as possible.

    Miracle – One Vulnerability To Rule Them All
    https://peterjson.medium.com/miracle-one-vulnerability-to-rule-them-all-c3aed9edeea2

    # Summary

    Let us name this attack The Miracle Exploit because it affects many products based on Oracle Fusion Middleware and Oracle online systems. Miracle means Middleware Fusion with Oracle

    Firstly, we found many pre-auth RCEs which affect Oracle’s Product in Oracle Middleware Fusion and they also affect Oracle online systems, Oracle Cloud Infrastructure. After a month try to explore as much as we can and end up with multiple pre-auth RCEs in many products inside Oracle Middleware.

    One more thing to note, any website was developed by ADF Faces framework are affected. This means many Oracle’s online systems, Oracle Cloud Infrastructure are also affected!

    Reply
  28. Tomi Engdahl says:

    Cyberattack Forces Iran Steel Company to Halt Production
    https://www.securityweek.com/cyberattack-forces-iran-steel-company-halt-production

    One of Iran’s major steel companies said Monday it was forced to halt production after being hit by a cyberattack that also targeted two other plants, apparently marking one of the biggest such assaults on the country’s strategic industrial sector in recent memory.

    The Iranian government did not acknowledge the disruption or blame any specific group for the assault on the state-owned Khuzestan Steel Co. and Iran’s two other major steel producers, which constitutes just the latest example of an attack crippling the country’s services in recent months amid heightened tensions in the region.

    An anonymous hacking group claimed responsibility for the attack on social media, saying it targeted Iran’s three biggest steel companies in response to the “aggression of the Islamic Republic.”

    The group, calling itself “Gonjeshke Darande,” shared what purported to be closed-circuit footage from the Khuzestan Steel Co. factory floor that showed a piece of heavy machinery on a steel billet production line malfunction and cause a massive fire.

    “These companies are subject to international sanctions and continue their operations despite the restrictions,” the group said, citing their links to Iran’s paramilitary Revolutionary Guard.

    Reply
  29. Tomi Engdahl says:

    Google warns of ‘hermit spyware’ infecting Android and iOS devices
    Google has already identified victims in Italy and Kazahkstan
    https://mashable.com/article/google-warns-spyware-android-ios

    Reply
  30. Tomi Engdahl says:

    LockBit 3.0 Ransomware Emerges With Bug Bounty Program
    https://www.securityweek.com/lockbit-30-ransomware-emerges-bug-bounty-program

    The LockBit 3.0 ransomware operation was launched recently and it includes a bug bounty program offering up to $1 million for vulnerabilities and various other types of information.

    LockBit has been around since 2019 and the LockBit 2.0 ransomware-as-a-service operation emerged in June 2021. It has been one of the most active ransomware operations, accounting for nearly half of all ransomware attacks in 2022, with more than 800 victims being named on the LockBit 2.0 leak website.

    The cybercriminals are encrypting files on compromised systems and also stealing potentially valuable information that they threaten to make public if the victim refuses to pay up. With the launch of LockBit 3.0, it seems they are reinvesting some of the profit in their own security via a “bug bounty program”.LockBit 3.0

    Similar to how legitimate companies reward researchers to help them improve their security, LockBit operators claim they are prepared to pay out between $1,000 and $1 million to security researchers and ethical or unethical hackers.

    Reply
  31. Tomi Engdahl says:

    Google Introduces New Capabilities for Cloud Armor Web Security Service
    https://www.securityweek.com/google-introduces-new-capabilities-cloud-armor-web-security-service

    Google today announced a new set of features for Cloud Armor, its distributed denial-of-service (DDoS) mitigation service and web application firewall (WAF).

    Using the same infrastructure and technology that Google relies on to keep its internet-facing resources protected, Cloud Armor was made generally available in 2019 to keep customers’ resources safe from DDoS attacks, regardless of whether they are located on-premises or in the cloud.

    Today, Google announced the general availability of Cloud Armor features such as per-client rate limiting, bot management with reCAPTCHA Enterprise, and machine learning-based Adaptive Protection.

    The new rate limiting feature allows customers to restrict traffic to backend resources based on request volume, thus preventing resource depletion and service disruption. Cloud Armor for TCP/SSL Proxy allows users to also rate-limit at the connection level.

    Reply
  32. Tomi Engdahl says:

    CISA Says ‘PwnKit’ Linux Vulnerability Exploited in Attacks
    https://www.securityweek.com/cisa-says-pwnkit-linux-vulnerability-exploited-attacks

    The US Cybersecurity and Infrastructure Security Agency (CISA) says a Linux vulnerability tracked as CVE-2021-4034 and PwnKit has been exploited in attacks.

    The flaw, which came to light in January, affects Polkit, a component designed for controlling system-wide privileges in Unix-like operating systems. Polkit is developed by Red Hat, but it’s also used by other Linux distributions.

    PwnKit has been described as a memory corruption issue that can be exploited for privilege escalation — it allows any unprivileged local user to elevate permissions to root.

    The vulnerability has been found to impact the products of several major companies. Juniper Networks, Moxa, IBM, VMware, Siemens and others have released advisories to describe the impact of CVE-2021-4034.

    Proof-of-concept (PoC) exploits have been available and exploitation is easy, which is why experts have been warning that the likelihood of malicious exploitation is high.

    CISA on Monday added the vulnerability to its Known Exploited Vulnerabilities Catalog — also known as the agency’s “Must Patch” list — and instructed federal agencies to install patches until July 18.

    Reply
  33. Tomi Engdahl says:

    Chinese Threat Actor Targets Rare Earth Mining Companies in North America, Australia
    https://www.securityweek.com/chinese-threat-actor-targets-rare-earth-mining-companies-north-america-australia

    Mandiant’s security researchers have been tracking influence campaigns that a Chinese threat actor named Dragonbridge has been conducting against rare earth mining companies in Australia, Canada, and the United States.

    Active since at least 2019, Dragonbridge has been using a network of thousands of inauthentic accounts on social platforms, websites, and forums to promote narratives in support of China’s political interests.

    More recently, the threat actor has started a social media campaign focused on rare earth mining companies, including Lynas Rare Earths Ltd (Australia), Appia Rare Earths & Uranium Corp (Canada), and USA Rare Earth.

    As Mandiant notes, the targeted industry is of strategic significance to China, with the three victim companies challenging the country’s supply chain dominance in the industry. Rare earth metals represent a critical component of consumer and military products, including aircraft engines and missile guidance systems.

    Reply
  34. Tomi Engdahl says:

    New Database Catalogs Cloud Vulnerabilities, Security Issues
    https://www.securityweek.com/new-database-catalogs-cloud-vulnerabilities-security-issues

    Cloud security company Wiz has announced the launch of a new database whose goal is to keep track of vulnerabilities and other security issues affecting cloud services.

    Cybersecurity researchers often find vulnerabilities in widely used cloud services offered by companies such as AWS, Microsoft and Google. ​​While some cloud vulnerabilities don’t require any action from the user, there are situations where impacted customers do need to take certain steps, such as rotating keys.

    According to Wiz, there are several problems when it comes to the disclosure and handling of cloud vulnerabilities, including that there is no standardized notification channel across service providers and CVE identifiers are in many cases not assigned, which makes it more difficult to track issues. In addition, there is no severity scoring to help users prioritize vulnerabilities, and there is no transparency into the flaws and their detection.

    Wiz has been urging the community to improve the response to cloud security vulnerabilities, including by creating a public and standardized database for reporting and enumerating vulnerabilities.

    The company has now announced the launch of such a database — hosted at cloudvulndb.org — which aims to catalog all known vulnerabilities and other types of security issues affecting cloud services.

    Reply
  35. Tomi Engdahl says:

    ZuoRAT Hijacks SOHO Routers to Silently Stalk Networks https://blog.lumen.com/zuorat-hijacks-soho-routers-to-silently-stalk-networks/
    Actors can leverage SOHO router access to maintain a low-detection presence on the target network and exploit sensitive information transiting the LAN. Lisäksi:
    https://www.bleepingcomputer.com/news/security/new-zuorat-malware-targets-soho-routers-in-north-america-europe/

    Reply
  36. Tomi Engdahl says:

    Dozens of cryptography libraries vulnerable to private key theft https://portswigger.net/daily-swig/dozens-of-cryptography-libraries-vulnerable-to-private-key-theft
    A poor implementation of Ed25519, a popular digital signature algorithm, has left dozens of cryptography libraries vulnerable to attacks.

    Reply
  37. Tomi Engdahl says:

    APT Hackers Targeting Industrial Control Systems with ShadowPad Backdoor https://thehackernews.com/2022/06/apt-hackers-targeting-industrial.html
    Entities located in Afghanistan, Malaysia, and Pakistan are in the crosshairs of an attack campaign that targets unpatched Microsoft Exchange Servers as an initial access vector to deploy the ShadowPad malware.

    Reply
  38. Tomi Engdahl says:

    AMD investigates RansomHouse hack claims, theft of 450GB data https://www.bleepingcomputer.com/news/security/amd-investigates-ransomhouse-hack-claims-theft-of-450gb-data/
    Semiconductor giant AMD says they are investigating a cyberattack after the RansomHouse gang claimed to have stolen 450 GB of data from the company last year.

    Reply
  39. Tomi Engdahl says:

    FBI: Stolen PII and deepfakes used to apply for remote tech jobs https://www.bleepingcomputer.com/news/security/fbi-stolen-pii-and-deepfakes-used-to-apply-for-remote-tech-jobs/
    The Federal Bureau of Investigation (FBI) warns of increasing complaints that cybercriminals are using Americans’ stolen Personally Identifiable Information (PII) and deepfakes to apply for remote work positions.

    Reply
  40. Tomi Engdahl says:

    Pro-PRC DRAGONBRIDGE Influence Campaign Targets Rare Earths Mining Companies in Attempt to Thwart Rivalry to PRC Market Dominance https://www.mandiant.com/resources/dragonbridge-targets-rare-earths-mining-companies
    Since June 2019, Mandiant has reported to customers on an influence campaign known as DRAGONBRIDGE, comprising a network of thousands of inauthentic accounts across numerous social media platforms, websites, and forums that have promoted various narratives in support of the political interests of the People’s Republic of China (PRC).

    Reply
  41. Tomi Engdahl says:

    Over 900, 000 Kubernetes instances found exposed online https://www.bleepingcomputer.com/news/security/over-900-000-kubernetes-instances-found-exposed-online/
    Over 900, 000 misconfigured Kubernetes clusters were found exposed on the Internet to potentially malicious scans, some even vulnerable to data-exposing cyberattacks.

    Reply
  42. Tomi Engdahl says:

    OpenSSL to Release Security Patch for Remote Memory Corruption Vulnerability https://thehackernews.com/2022/06/openssh-to-release-security-patch-for.html
    The latest version of the OpenSSL library has been discovered as susceptible to a remote memory-corruption vulnerability on select systems. The issue has been identified in OpenSSL version 3.0.4, which was released on June 21, 2022, and impacts x64 systems with the
    AVX-512 instruction set. OpenSSL 1.1.1 as well as OpenSSL forks BoringSSL and LibreSSL are not affected.

    Reply
  43. Tomi Engdahl says:

    Android malware Revive’ impersonates BBVA bank’s 2FA app https://www.bleepingcomputer.com/news/security/android-malware-revive-impersonates-bbva-bank-s-2fa-app/
    A new Android banking malware named Revive has been discovered that impersonates a 2FA application required to log into BBVA bank accounts in Spain.

    Reply
  44. Tomi Engdahl says:

    A wide range of routers are under attack by new, unusually sophisticated malware
    Router-stalking ZuoRAT is likely the work of a sophisticated nation-state, researchers say.
    https://arstechnica.com/information-technology/2022/06/a-wide-range-of-routers-are-under-attack-by-new-unusually-sophisticated-malware/

    Reply

Leave a Reply to Tomi Engdahl Cancel reply

Your email address will not be published. Required fields are marked *

*

*