Cyber security news July 2022

This posting is here to collect cyber security news in July 2022.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.

260 Comments

  1. Tomi Engdahl says:

    AMD processors are not negatively impacted by the bug.

    Intel CPU Performance Takes a Big Hit Due to Windows Defender Bug
    AMD processors are not negatively impacted by the bug.
    https://uk.pcmag.com/migrated-3765-windows-10/141261/intel-cpu-performance-takes-a-big-hit-due-to-windows-defender-bug

    If you’re running Windows 10 or Windows 11 on an Intel processor, chances are your performance is being negatively impacted by a Windows Defender bug.

    The problem was discovered by TechPowerUp (TPU) associate software author Kevin Glynn. TPU is known for developing popular system utilities such as GPU-Z, MemTest64, ThrottleStop, and RealTemp. It was while Glynn was working on ThrottleStop that the Windows Defender bug reared its head.

    According to Glynn’s testing, Defender will “randomly start using all seven hardware performance counters provided by Intel Core processors.” This causes excessive CPU time to be grabbed by Defender, which can equate to a significant performance drop for your system. The example Glynn gives is a “Core i9-10850K running at 5.00 GHz all-core loses 1000 Cinebench points (or 6%).”

    The problem is solely caused by Windows Defender and therefore not a fault of Intel’s chips. There’s no official fix as that would require Microsoft to figure out why Defender is doing this, take the time to solve the problem, then release an update.

    In the meantime, a third-party fix is available if you don’t mind installing some software. TPU’s ThrottleStop v9.5 includes a feature you’ll find in “Options” called “Windows Defender Boost.” Enabling it sees ThrottleStop activate a programmable timer, which Windows Defender detects as user software trying to use one of the counters and reacts by ceasing to use all of them. TPU’s new Counter Control utility can also achieve the same result, but it does so using a “Reset” button which can identify when Defender starts using all seven performance counters and reacts to it.

    Usining either of Glynn’s mitigation techniques won’t impact Windows Defender’s ability to work, but this should just be a temporary fix.

    Reply
  2. Tomi Engdahl says:

    Dlinject – Inject A Shared Library (I.E. Arbitrary Code) Into A Live Linux Process, Without Ptrace

    https://www.kitploit.com/2022/07/dlinject-inject-shared-library-ie.html?m=1

    Why?
    Because I can.

    There are various anti-ptrace techniques, which this evades by simply not using ptrace.

    I don’t like ptrace.

    Using LD_PRELOAD can sometimes be fiddly or impossible, if the process you want to inject into is spawned by another process with a clean environment.

    Reply
  3. Tomi Engdahl says:

    CISA orders agencies to patch Windows LSA bug exploited in the wild
    https://www.bleepingcomputer.com/news/security/cisa-orders-agencies-to-patch-windows-lsa-bug-exploited-in-the-wild/

    CISA has re-added a security bug affecting Windows devices to its list of bugs exploited in the wild after removing it in May due to Active Directory (AD) certificate authentication issues caused by Microsoft’s May 2022 updates.

    The flaw is an actively exploited Windows LSA (Local Security Authority) spoofing vulnerability tracked as CVE-2022-26925 and confirmed to be a new PetitPotam Windows NTLM Relay attack vector.

    Unauthenticated attackers can exploit this bug to force domain controllers to authenticate them remotely via the Windows NT LAN Manager (NTLM) security protocol and, likely, take over the entire Windows domain.

    PetitPotam was discovered by security researcher GILLES Lionel in July 2021, with Microsoft trying to block new variations that have been unearthed since then.

    However, at this point, despite Redmond’s efforts, official mitigations and subsequently issued security updates still don’t entirely block all PetitPotam vectors.

    To put the severity of these bugs into perspective, multiple threat actors have been exploiting them in the wild.

    Among them, LockFile ransomware affiliates have compromised Windows domains in PetitPotam NTLM relay attacks to deploy malicious payloads.

    Federal agencies ordered to patch until July 22
    As CISA had already warned when it removed CVE-2022-26925 from its Known Exploited Vulnerability Catalog, the May 2022 Patch Tuesday security updates patched this bug also triggered service authentication problems when deployed on Windows Server domain controllers.

    Today, the cybersecurity agency released new guidance with CVE-2022-26925 mitigation steps that must be followed to prevent service outages.

    https://www.cisa.gov/guidance-applying-june-microsoft-patch

    Reply
  4. Tomi Engdahl says:

    A breakthrough algorithm developed in the US can predict crimes a week ahead
    Is a Minority Report-like future already here?
    https://interestingengineering.com/algorithm-predicts-crimes-a-week-ahead

    Social scientists at the University of Chicago have developed an algorithm that can forecast crime in urban areas up to a week in advance, Bloomberg reported on Thursday.

    Over the past few years, there has been a steep rise in the use of algorithms around us. From predicting weather to driving cars, making shopping recommendations, and finding cures for diseases, algorithms are at work everywhere. It would hardly be a surprise if they were not used to fighting crimes.

    https://www.bloomberg.com/news/articles/2022-06-30/new-algorithm-can-predict-crime-in-us-cities-a-week-before-it-happens

    Reply
  5. Tomi Engdahl says:

    https://arstechnica.com/information-technology/2022/06/a-wide-range-of-routers-are-under-attack-by-new-unusually-sophisticated-malware/

    A New, Remarkably Sophisticated Malware Is Attacking Routers
    Researchers say the remote-access Trojan ZuoRAT is likely the work of a nation-state and has infected at least 80 different targets.

    Reply
  6. Tomi Engdahl says:

    Jenkins discloses dozens of zero-day bugs in multiple plugins https://www.bleepingcomputer.com/news/security/jenkins-discloses-dozens-of-zero-day-bugs-in-multiple-plugins/
    On Thursday, the Jenkins security team announced 34 security vulnerabilities affecting 29 plugins for the Jenkins open source automation server, 29 of the bugs being zero-days still waiting to be patched. The zero-days’ CVSS base scores range from low to high severity, and, according to Jenkins’ stats, the impacted plugins have a total of more than 22, 000 installs. The complete list of flaws yet to be patched includes XSS, Stored XSS, Cross-Site Request Forgery
    (CSRF) bugs, missing or incorrect permission checks, as well as passwords, secrets, API keys, and tokens stored in plain text.
    Luckily, most of the dangerous ones, the high severity zero-days, require user interaction to be exploited in low complexity attacks by remote attackers with low privileges. The advisory:
    https://www.jenkins.io/security/advisory/2022-06-30/

    Reply
  7. Tomi Engdahl says:

    Google Improves Its Password Manager to Boost Security Across All Platforms https://thehackernews.com/2022/07/google-improves-its-password-manager-to.html
    Google on Thursday announced a slew of improvements to its password manager service aimed at creating a more consistent look and feel across different platforms. Central to the changes is a “simplified and unified management experience that’s the same in Chrome and Android settings, ” Ali Sarraf, Google Chrome product manager, said in a blog post. The updates are also expected to automatically group multiple passwords for the same sites as well as introduce an option to manually add passwords. Although Google appears to be not ready yet to make Password Manager as a standalone app, users on Android can now add a shortcut to it on the homescreen.

    Reply
  8. Tomi Engdahl says:

    Varo näitä viestejä katala pankkihuijaus tyhjentää tilin hetkessä https://www.is.fi/digitoday/tietoturva/art-2000008919086.html
    Toissa viikolla käynnistynyt S-Pankin nimissä tehtävä pankkihuijaus jatkuu yhä. Nyt rikolliset ovat jälleen vaihtaneet osoitetta, jonka avulla ihmisten pankkitietoja yritetään varastaa. Tavanomainen huijaus alkaa tekstiviestillä, joka tulee S-Pankin aidolla lähettäjänimellä SPankki. Viesti on peräisin väärennetystä osoitteesta, mutta asettuu samaan viestiketjuun pankin aitojen viestien kanssa. Vaikka osoitteet katoavatkin äkkiä, kannattaa silti pysyä varuillaan. IS:llä on tiedossaan tapauksia, joissa uhrien tilille on tunkeuduttu välittömästi pankkitietojen petossivustoille antamisen jälkeen.
    Tileiltä on nostettu mahdollisimman paljon rahaa, ja tunnuksilla on yritetty ottaa lainaa.

    Reply
  9. Tomi Engdahl says:

    Zoho ManageEngine ADAudit Plus bug gets public RCE exploit https://www.bleepingcomputer.com/news/security/zoho-manageengine-adaudit-plus-bug-gets-public-rce-exploit/
    Security researchers have published technical details and proof-of-concept exploit code for CVE-2022-28219, a critical vulnerability in the Zoho ManageEngine ADAudit Plus tool for monitoring activities in the Active Directory. The vulnerability allows an unauthenticated attacker to execute code remotely and compromise Active Directory accounts. It comes with a critical severity score of 9.8 out of 10. Zoho addressed the issue at the end of March in ADAudit Plus build 7060 after security researcher Naveen Sunkavally at Horizon3.ai reported it to the company. The horizon3.ai write-up and PoC:
    https://www.horizon3.ai/red-team-blog-cve-2022-28219/

    Reply
  10. Tomi Engdahl says:

    Rogue HackerOne employee steals bug reports to sell on the side https://www.bleepingcomputer.com/news/security/rogue-hackerone-employee-steals-bug-reports-to-sell-on-the-side/
    A HackerOne employee stole vulnerability reports submitted through the bug bounty platform and disclosed them to affected customers to claim financial rewards. The rogue worker had contacted about half a dozen HackerOne customers and collected bounties “in a handful of disclosures, ” the company said on Friday. The rogue employee received bounties for some of the reports they submitted, the company said.
    This allowed HackerOne to follow the money trail and identify the perpetrator as one of its workers that triaged vulnerability disclosures for “numerous customer programs.”

    Reply
  11. Tomi Engdahl says:

    Verified Twitter accounts hacked to send fake suspension notices https://www.bleepingcomputer.com/news/security/verified-twitter-accounts-hacked-to-send-fake-suspension-notices/
    Threat actors are hacking verified Twitter accounts to send fake but well-written suspension messages that attempt to steal other verified users’ credentials. To receive the verified ‘blue badge, ‘ Twitter users must apply for verification and submit supporting documentation to show why their account is ‘notable.’. As it is not easy to gain a blue badge, threats of suspension can lead to people reacting without thinking, making them prime targets for threat actors who value these types of accounts for their own scams.

    Reply
  12. Tomi Engdahl says:

    Facebook 2FA phish arrives just 28 minutes after scam domain created https://nakedsecurity.sophos.com/2022/07/01/facebook-2fa-phish-arrives-just-28-minutes-after-scam-domain-created/
    We’ll tell this story primarily through the medium of images, because a picture is worth 1024 words. This cybercrime is a visual reminder of three things: -It’s easy to fall for a phishing scam if you’re in a hurry. -Cybercriminals don’t waste any time getting new scams going.
    - -2FA isn’t a cybersecurity panacea, so you still need your wits about you.

    Reply
  13. Tomi Engdahl says:

    https://www.securityweek.com/cyberattack-disrupts-unemployment-benefits-some-states

    A cyberattack on a software company has disrupted unemployment benefits and job seeking assistance for thousands of people in several states.

    In Tennessee, the website for unemployment benefits remained down Thursday morning after the vendor, Geographic Solutions Inc., told the state Sunday that service would be interrupted. Some 12,000 Tennesseans rely on the unemployment program, and for now, they’re not getting their payments.

    The company said that it expects Tennessee’s system to be back online before July 4.

    “With a recession looming, it is unacceptable that Tennesseans cannot receive the unemployment benefits they deserve,” said state Republican Sen. Paul Bailey, commerce and labor committee chairman.

    Reply
  14. Tomi Engdahl says:

    QuSecure Scores Post-Quantum Cybersecurity Contract Worth More Than $100M Annually
    https://www.securityweek.com/qusecure-scores-post-quantum-cybersecurity-contract-worth-more-100m-annually

    Post-Quantum company awarded SBIR III contract to combat ‘harvest now, decrypt later’ threat from quantum computing

    QuSecure, a provider of post-quantum, or quantum-proof, cryptography, has been awarded a small business innovation research (SBIR) Phase III contract by the federal government. If funding is like last year’s phase III awards, QuSecure will gain access to more than $100 million to speed development and help commercialize its product for federal government and private industry use.

    QuSecure is the only post-quantum product to achieve this status, so it effectively becomes the government’s preferred supplier to counter the ‘harvest now, decrypt later’ threat of future adversarial quantum computing.

    NIST is currently engaged in a competition to choose a preferred or possibly multiple preferred quantum-proof encryption algorithms. All encrypted communications that have been stolen by bad actors – criminal gangs and adversarial nations – will become available to the adversaries as soon as a quantum computer powerful enough to run Shor’s algorithm is developed.

    “We need to do something now,” Pete Ford, QuSecure’s SVP of government operations, told SecurityWeek. The encrypted data adversaries already have is lost, but there is a need to prevent the collection and decryption of future communications. “This is a matter of not just national importance, but whole of government importance. And if we don’t do something now, we’re just going to be bouncing around like a pinball going from problem to problem. We need greater threat protection and less vulnerability than we currently have.”

    Reply
  15. Tomi Engdahl says:

    Experts: California Lacked Safeguards for Gun Owner Info
    https://www.securityweek.com/experts-california-lacked-safeguards-gun-owner-info

    Cybersecurity experts say the California Department of Justice apparently failed to follow basic security procedures on its website, exposing the personal information of potentially hundreds of thousands of gun owners.

    The website was designed to only show general data about the number and location of concealed carry gun permits, broken down by year and county. But for about 24 hours starting Monday a spreadsheet with names and personal information was just a few clicks away, ready for review or downloading.

    Katie Moussouris, founder and CEO of Luta Security, said there should have been access controls to make sure the information stayed out of the reach of unwanted parties, and the sensitive data should have been encrypted so it would have been unusable.

    The damage done depends on who accessed the data, she said. Criminals could sell or use the private identifying information, or use permit-seekers’ criminal histories “for blackmail and leverage,” she said.

    Already some are attempting to use the information to criticize gun control advocates who they say were revealed as having concealed carry permits.

    Five other firearms databases were also compromised, but Attorney General Rob Bonta’s office has been unable to say what happened or even how many people are in the databases.

    “We are conducting a comprehensive and through investigation into all aspects of the incident and will take any and all appropriate measures in response to what we learn,” his office said in a statement Friday.

    It said one of the other databases listed handguns but not people, while the others, including on gun violence restraining orders, did not contain names but may have had other identifying information.

    “The volume of information is so incredibly sensitive,” said Sam Paredes, executive director of Gun Owners of California.

    “Deputy DAs, police officers, judges, they do everything they can to protect their residential addresses,” he said. “The peril that the attorney general has put hundreds of thousands of people … in is incalculable.”

    No evidence has so far revealed that the leak was deliberate. Independent cybersecurity experts said the release could easily have been lax oversight.

    Bonta’s office has been unable to say whether and how often the databases were downloaded. Moussouris said the agency has that information if it was keeping access logs, which she called a basic and necessary step to protect sensitive data.

    Tim Marley, a vice president for risk management at the cybersecurity firm Cerberus Sentinel, questioned the speed of the agency’s response to a problem with a website that should have been constantly monitored.

    Reply
  16. Tomi Engdahl says:

    Ionut Ilascu / BleepingComputer:
    HackerOne says an employee stole vulnerability reports submitted through its bug bounty platform and disclosed them to seven companies for financial rewards — A HackerOne employee stole vulnerability reports submitted through the bug bounty platform and disclosed them to affected customers to claim financial rewards.
    https://www.bleepingcomputer.com/news/security/rogue-hackerone-employee-steals-bug-reports-to-sell-on-the-side/

    Reply
  17. Tomi Engdahl says:

    OpenSSL
    https://hackaday.com/2022/07/01/this-week-in-security-zimbra-rce-routers-under-attack-and-old-tricks-in-webassembly/
    The OpenSSL bug we talked about last week is still being looked into, with [Guido Vranken] leading the charge. He found a separate bug that specifically isn’t a security problem back in May, and it’s the fix for that bug that introduced the AVX512 problem we’re interested in. There still looks to be a potential for RCE here, but at least it’s proving to be non-trivial to put such an attack together.
    Notes on OpenSSL remote memory corruption
    https://guidovranken.com/2022/06/27/notes-on-openssl-remote-memory-corruption/
    OpenSSL version 3.0.4, released on June 21th 2022, is susceptible to remote memory corruption which can be triggered trivially by an attacker. BoringSSL, LibreSSL and the OpenSSL 1.1.1 branch are not affected. Furthermore, only x64 systems with AVX512 support are affected. The bug is fixed in the repository but a new release is still pending.
    Somewhat peculiarly, almost nobody is talking about this. If RCE exploitation is possible this makes it worse than Heartbleed in an isolated severity assessment, though the potential blast radius is limited by the fact that many people are still using the 1.1.1 tree rather than 3, libssl has forked into LibreSSL and BoringSSL, the vulnerability has only existed for a week (HB existed for years) and an AVX512-capable CPU is required.

    Reply
  18. Tomi Engdahl says:

    WebAssembly and Old Tricks
    https://hackaday.com/2022/07/01/this-week-in-security-zimbra-rce-routers-under-attack-and-old-tricks-in-webassembly/
    One of the most interesting concepts to happen recently in the browser space is WebAssembly. You have a library written in C, and want to use it with JavaScript in a browser? Compile it to WebAssembly, and you have a solution that’s faster than JavaScript, and easier to use than a traditionally compiled binary. It’s a very clever solution, and allows for some crazy feats, like Google Earth in the browser. Could there be any down side to running C in the browser? The good folks at Grav have an example of the sort of thing that could go wrong: good old buffer overflows.
    Now it’s a bit different from how a standard overflow exploit works. One reason, Wasm doesn’t have address layout randomization or Data Execution Prevention. On the other hand, web assembly functions don’t reside at a memory address, but simply a function index. The RET instruction equivalent can’t jump to arbitrary locations, but just to function indexes. However, it’s still a stack, and overflowing a buffer can result in overwriting important data, like the return pointer. Time will tell whether WebAssembly exploits are going to be a big deal, or will forever be a novelty.
    https://blog.protekkt.com/blog/basic-webassembly-buffer-overflow-exploitation-example

    Reply
  19. Tomi Engdahl says:

    Sarah Zheng / Bloomberg:
    In a forum post, an unidentified hacker claims to have stolen 23TB of data on up to 1B Chinese residents after breaching a Shanghai police database

    Hackers Claim Theft of Police Info in China’s Largest Data Leak
    https://www.bloomberg.com/news/articles/2022-07-04/hackers-claim-theft-of-police-info-in-china-s-largest-data-leak#xj4y7vzkg

    Unknown cyberattackers claim to have info on a billion Chinese
    The claim triggered speculation online and in security circles

    Reply
  20. Tomi Engdahl says:

    JThe company, which raised $750 million in funding late last year, reaching a valuation of $3 billion, offered interest-bearing products to customers who deposit their cryptocurrencies with the company, and lends out cryptocurrencies to earn a return. As of May 17, the company had processed $8.2 billion worth of loans and had $11.8 billion in assets, according to its website.

    British army confirms breach of its Twitter and YouTube accounts
    https://www.theguardian.com/uk-news/2022/jul/03/british-army-confirms-breach-of-its-twitter-and-youtube-accounts

    Investigation under way after interview with Elon Musk uploaded to video channel and picture of cartoon monkey seen on Twitter

    Reply
  21. Tomi Engdahl says:

    Mitchell Clark / The Verge:
    Google plans to auto-delete visits to abortion clinics, domestic violence shelters, weight loss centers, and other sensitive places from users’ location history

    Google will start auto-deleting abortion clinic visits from user location history
    Along with visits to other potentially sensitive locations
    https://www.theverge.com/2022/7/1/23191965/google-abortion-privacy-policy-location-history-period-tracking-deletion?scrolla=5eb6d68b7fedc32c19ef33b4

    Google says it’ll start automatically deleting visits to abortion clinics, domestic violence shelters, weight loss clinics, and other potentially sensitive locations from users’ location histories in the coming weeks. In a blog post on Friday, the company says that the deletion will happen “soon after” the visit, once its systems have identified that a trip was made to one of the locations. This change is happening in the wake of the Supreme Court’s decision to overturn Roe v. Wade and the moves several states have immediately made to outlaw abortions.

    https://blog.google/technology/safety-security/protecting-peoples-privacy-on-health-topics/

    Reply
  22. Tomi Engdahl says:

    AstraLocker ransomware shuts down and releases decryptors https://www.bleepingcomputer.com/news/security/astralocker-ransomware-shuts-down-and-releases-decryptors/
    The threat actor behind the lesser-known AstraLocker ransomware told BleepingComputer they’re shutting down the operation and plan to switch to cryptojacking. The ransomware’s developer submitted a ZIP archive with AstraLocker decryptors to the VirusTotal malware analysis platform.

    Reply
  23. Tomi Engdahl says:

    Official British Army Twitter and YouTube accounts hijacked by NFT scammers https://www.bitdefender.com/blog/hotforsecurity/official-british-army-twitter-and-youtube-accounts-hijacked-by-nft-scammers/
    Hundreds of thousands of people who follow the official social media accounts of the British Army may have been surprised to see that it had been hijacked by hackers yesterday. Although many might have imagined those responsible for the hack might have been a foreign state’s cyberwarfare unit, the perpetrators appear to have been scammers exploiting interest in non-fungible tokens (NFTs). The British Army’s verified Twitter account was flooded with promotions related to giveaways and competitions related to NFTs, aimed at enticing its 362,000 followers to visit a scam minting website.

    Reply
  24. Tomi Engdahl says:

    HackerOne insider fired for trying to claim other people’s bounties https://blog.malwarebytes.com/reports/2022/07/hackerone-insider-fired-for-trying-to-claim-other-peoples-bounties/
    On June 22, 2022, a customer asked HackerOne to investigate a suspicious vulnerability disclosure made outside of the HackerOne platform. The vulnerability was suspiciously similar to one that was already under investigation. And the hacker, operating under the handle “rzlr” used intimidating language. Bug collision, where two bug bounty hunters find the same vulnerability around the same time, happens on occasion, but the customer was able to convince HackerOne that this was not a coincidence. According to HackerOne, it quickly became clear that this must have been an inside job, and a day after the customer’s inquiry HackerOne had a suspect on its radar. They terminated the suspect’s system access and remotely locked their laptop.

    Reply
  25. Tomi Engdahl says:

    Massive telecom outage in Japan kicks 40 million mobile users offline https://www.theregister.com/2022/07/04/massive_telecom_outage_in_japan/
    Almost 40 million residents of Japan spent the weekend in The Time Before Smartphones after local telco KDDI Corp. experienced its biggest outage to date affecting both voice calls and data communications. Of the almost 40 million users, 260, 000 were corporate customers. The outages disrupted the Meteorological Agency’s weather data, bank teller machines, payment machines, parcel deliveries and more.

    Reply
  26. Tomi Engdahl says:

    Hacker claims to have stolen data on 1 billion Chinese citizens https://www.bleepingcomputer.com/news/security/hacker-claims-to-have-stolen-data-on-1-billion-chinese-citizens/
    An anonymous threat actor is selling several databases they claim to contain more than 22 terabytes of stolen information on roughly 1 billion Chinese citizens for 10 bitcoins (approximately $195, 000).
    The announcement was posted on a hacker forum by someone using the handle ‘ChinaDan, ‘ saying that the information was leaked from the Shanghai National Police (SHGA) database. Based on the information they shared regarding the allegedly stolen data, the databases contain Chinese national residents’ names, addresses, national ID numbers, contact info numbers, and several billion criminal records. ChinaDan also shared a sample with 750, 000 records containing delivery info, ID information, and police call records. These records would allow interested buyers to verify that the data for sale is not fake.

    Reply
  27. Tomi Engdahl says:

    Sergiu Gatlan / BleepingComputer:
    Google releases a Chrome update for Windows to address a high-severity zero-day vulnerability exploited in the wild, its fourth Chrome zero-day patch in 2022

    Google patches new Chrome zero-day flaw exploited in attacks
    https://www.bleepingcomputer.com/news/security/google-patches-new-chrome-zero-day-flaw-exploited-in-attacks/

    Google has released Chrome 103.0.5060.114 for Windows users to address a high-severity zero-day vulnerability exploited by attackers in the wild, the fourth Chrome zero-day patched in 2022.

    “Google is aware that an exploit for CVE-2022-2294 exists in the wild.,” the browser vendor explained in a security advisory published on Monday.

    The 103.0.5060.114 version is rolling out worldwide in the Stable Desktop channel, with Google saying that it’s a matter of days or weeks until it reaches the entire userbase.

    Reply
  28. Tomi Engdahl says:

    Emergency Chrome 103 Update Patches Actively Exploited Vulnerability
    https://www.securityweek.com/emergency-chrome-103-update-patches-actively-exploited-vulnerability

    While many expected — or at least hoped — that the 4th of July would be quiet on the cybersecurity front, Google on Monday announced the release of an emergency Chrome update that patches an actively exploited zero-day vulnerability.

    The flaw, tracked as CVE-2022-2294, has been described as a heap buffer overflow in WebRTC. The security hole was reported to Google by a member of the Avast Threat Intelligence team on July 1.

    The zero-day has been patched with the release of Chrome 103.0.5060.114 for Windows.

    No information has been made available about the attacks exploiting CVE-2022-2294.

    Reply
  29. Tomi Engdahl says:

    EU laittoi aisat netti­jäteille: uudet digi­säädökset hyväksyttiin https://www.is.fi/digitoday/art-2000008927452.html

    Reply
  30. Tomi Engdahl says:

    Microsoft quietly fixes ShadowCoerce Windows NTLM Relay bug https://www.bleepingcomputer.com/news/microsoft/microsoft-quietly-fixes-shadowcoerce-windows-ntlm-relay-bug/
    Microsoft has confirmed it fixed a previously disclosed ‘ShadowCoerce’
    vulnerability as part of the June 2022 updates that enabled attackers to target Windows servers in NTLM relay attacks. This NTLM relay attack method can be used by threat actors to force unpatched servers to authenticate against servers under the attacker’s control, leading to a takeover of the Windows domain.

    Reply
  31. Tomi Engdahl says:

    New RedAlert Ransomware targets Windows, Linux VMware ESXi servers https://www.bleepingcomputer.com/news/security/new-redalert-ransomware-targets-windows-linux-vmware-esxi-servers/
    A new ransomware operation called RedAlert, or N13V, encrypts both Windows and Linux VMWare ESXi servers in attacks on corporate networks. The new operation was discovered today by MalwareHunterTeam, who tweeted various images of the gang’s data leak site.

    Reply
  32. Tomi Engdahl says:

    NPM supply-chain attack impacts hundreds of websites and apps https://www.bleepingcomputer.com/news/security/npm-supply-chain-attack-impacts-hundreds-of-websites-and-apps/
    An NPM supply-chain attack dating back to December 2021 used dozens of malicious NPM modules containing obfuscated Javascript code to compromise hundreds of downstream desktop apps and websites. As researchers at supply chain security firm ReversingLabs discovered, the threat actors behind this campaign (known as IconBurst) used typosquatting to infect developers looking for very popular packages, such as umbrellajs and ionic.io NPM modules. Some malicious modules still available for download.

    Reply
  33. Tomi Engdahl says:

    DoD issues call for hackers to dig into networks https://therecord.media/dod-issues-call-for-hackers-to-dig-into-networks/
    The Defense Department is offering monetary rewards to ethical hackers who discover critical or severe vulnerabilities within the massive agency’s networks. The Pentagon’s inaugural “Hack U.S” program run in conjunction with bug bounty platform HackerOne and under the auspices of the department’s vulnerability disclosure program launched on Monday. The pilot effort kicked off with $110,000 in funds up for grabs. Researchers will receive $1,000 for each flaw they find and report and $500 for any “high severity” weaknesses they uncover.
    Hackers can also earn $3,000 for what DoD calls “additional specialty categories” as well as one grand prize bonus of $5,000.

    Reply
  34. Tomi Engdahl says:

    Hacker Claims Major Chinese Citizens’ Data Theft
    https://www.securityweek.com/hacker-claims-major-chinese-citizens-data-theft

    A hacker claiming to have stolen personal data from hundreds of millions of Chinese citizens is now selling the information online.

    A sample of 750,000 entries posted online by the hacker showed citizens’ names, mobile phone numbers, national ID numbers, addresses, birthdays and police reports they had filed.

    AFP and cybersecurity experts have verified some of the citizen data in the sample as authentic, but the scope of the entire database is hard to determine.

    Advertised on a forum late last month but only picked up by cybersecurity experts this week, the 23-terabyte database — which the hacker claims contains the records of a billion Chinese citizens — is being sold for 10 bitcoin (approximately $200,000).

    Reply
  35. Tomi Engdahl says:

    UK Military Investigates Hacks on Army Social Media Accounts
    https://www.securityweek.com/uk-military-investigates-hacks-army-social-media-accounts

    British military authorities are trying to find out who hacked the army’s social media accounts over the weekend, flooding them with cryptocurrency videos and posts related to collectible electronic art.

    The investigation was launched after authorized content on the army’s YouTube account was replaced with a video feed promoting cryptocurrencies that included images of billionaire Elon Musk. The Army’s Twitter account retweeted a number of posts about non-fungible tokens, unique digital images that can be bought and sold but have no physical counterpart.

    Reply
  36. Tomi Engdahl says:

    Data Breach at PFC USA Impacts Patients of 650 Healthcare Providers
    https://www.securityweek.com/data-breach-pfc-usa-impacts-patients-650-healthcare-providers

    Just ahead of the 4th of July weekend, accounts receivable management firm Professional Finance Company (PFC USA) started sending out data breach notification letters to patients of over 650 healthcare providers across the country.

    The Northern Colorado-based company has been engaged in debt recovery for over a century, working with organizations in healthcare, financial, retail, and government sectors.

    On July 1, PFC USA announced that it has started notifying impacted individuals that their personal and health information might have been compromised during a February 2022 ransomware attack.

    Reply
  37. Tomi Engdahl says:

    US Senators Call for Close Look at TikTok
    https://www.securityweek.com/us-senators-call-close-look-tiktok

    Leaders of the US Senate Intelligence Committee on Tuesday called for an investigation into whether Chinese officials are getting access to data about US users of video-snippet sharing sensation TikTok.

    In a letter to Federal Trade Commission (FTC) chairwoman Lina Khan, the senators urged her to scrutinize how well TikTok safeguards private data.

    “We write in response to public reports that individuals in the People’s Republic of China have been accessing data on US users, in contravention of several public representations,” the letter said.

    TikTok has consistently defended itself against such accusations, saying it gives no data about US users to the Chinese government despite its parent company, ByteDance, being based in China.

    Reply
  38. Tomi Engdahl says:

    Vakava kyberisku voi aktivoida Naton puolustusvelvoitteen, arvioi asiantuntija – ”Rimaa” ei voida asettaa julkisesti
    https://www.uusisuomi.fi/uutiset/vakava-kyberisku-voi-aktivoida-naton-puolustusvelvoitteen-arvioi-asiantuntija-rimaa-ei-voida-asettaa-julkisesti/338672c6-fac7-4e20-a72e-71d82b10291a

    Nato luo suomalaisille yrityksille mahdollisuuksia, sillä Suomella on paljon annettavaa kyberturvallisuudelle, uskoo Jarno Limnéll. Hän kertoo Venäjän kybersodan taktiikasta, joka vaikeuttaa iskuihin reagoimista.

    Reply
  39. Tomi Engdahl says:

    A security patch has been released for #OpenSSL to fix a high-severity bug (CVE-2022-2274) in the cryptographic library that could lead to remote code execution attacks in certain scenarios.
    https://thehackernews.com/2022/07/openssl-releases-patch-for-high.html?m=1

    The maintainers of the OpenSSL project have released patches to address a high-severity bug in the cryptographic library that could potentially lead to remote code execution under certain scenarios.

    The issue, now assigned the identifier CVE-2022-2274, has been described as a case of heap memory corruption with RSA private key operation that was introduced in OpenSSL version 3.0.4 released on June 21, 2022.

    “SSL/TLS servers or other servers using 2048 bit RSA private keys running on machines supporting AVX512IFMA instructions of the X86_64 architecture are affected by this issue,” the advisory noted.

    Calling it a “serious bug in the RSA implementation,” the maintainers said the flaw could lead to memory corruption during computation that could be weaponized by an attacker to trigger remote code execution on the machine performing the computation.

    Users of the library are recommended to upgrade to OpenSSL version 3.0.5 to mitigate any potential threats.

    https://www.openssl.org/news/vulnerabilities.html

    Reply

Leave a Reply to Tomi Engdahl Cancel reply

Your email address will not be published. Required fields are marked *

*

*