Cyber security news July 2022

This posting is here to collect cyber security news in July 2022.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.

260 Comments

  1. Tomi Engdahl says:

    OpenSSL Releases Security Update
    https://www.cisa.gov/uscert/ncas/current-activity/2022/07/06/openssl-releases-security-update
    OpenSSL has released a security update to address a vulnerability affecting OpenSSL 3.0.4. An attacker could exploit this vulnerability to take control of an affected system.

    Reply
  2. Tomi Engdahl says:

    CISA Alert (AA22-187A) – North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector https://www.cisa.gov/uscert/ncas/alerts/aa22-187a
    Since May 2021, the FBI has observed and responded to multiple Maui ransomware incidents at HPH Sector organizations. North Korean state-sponsored cyber actors used Maui ransomware in these incidents to encrypt servers responsible for healthcare services, including electronic health records services, diagnostics services, imaging services, and intranet services. In some cases, these incidents disrupted the services provided by the targeted HPH Sector organizations for prolonged periods.

    Reply
  3. Tomi Engdahl says:

    Marriott says hackers attempted to extort company with Baltimore hotel data theft https://therecord.media/marriott-says-hackers-attempted-to-extort-company-with-baltimore-hotel-data-theft/
    Marriott confirmed reports that hackers tried to extort the company after 20 GB of employee and customer data was stolen from BWI Airport Marriott in Baltimore. In a statement, Marriott International shared more information about a Tuesday report from Databreaches.net that an unnamed hacking group had breached servers at BWI Airport Marriott and stolen data that included credit card numbers and other personal information.

    Reply
  4. Tomi Engdahl says:

    Apple expands industry-leading commitment to protect users from highly targeted mercenary spyware https://www.apple.com/newsroom/2022/07/apple-expands-commitment-to-protect-users-from-mercenary-spyware/
    Apple is previewing a groundbreaking security capability that offers specialized additional protection to users who may be at risk of highly targeted cyberattacks from private companies developing state-sponsored mercenary spyware.

    Reply
  5. Tomi Engdahl says:

    NIST Announces Post Quantum Encryption Competition Winners
    https://www.securityweek.com/nist-announces-post-quantum-encryption-competition-winners
    The National Institute of Standards and Technology (NIST) announced July 5, 2022, the first group of four encryption tools designed to tackle the looming threat of quantum computer crypto cracking capabilities. Four more are still being evaluated, and finalists from these will be announced in the future.
    The intention has always been to have more than one quantum resistant standard option for each category. The four announced on July 5, 2022, are CRYSTALS-Kyber (for general encryption), and CRYSTALS-Dilithium, FALCON, and SPHINCS+ (for digital signatures).

    Reply
  6. Tomi Engdahl says:

    Apple Adds ‘Lockdown Mode’ to Thwart .Gov Mercenary Spyware
    https://www.securityweek.com/apple-adds-lockdown-mode-thwart-gov-mercenary-spyware

    Faced with a surge in state-sponsored mercenary spyware attacks targeting its flagship iOS platform, Apple plans to add a new ‘Lockdown Mode’ that significantly reduces attack surface and adds technical roadblocks to limit sophisticated software exploits.

    Reply
  7. Tomi Engdahl says:

    Turku funicular website hijacked, lobby screens showed ”joke content”; a long list of demands appeared on Twitter https://www.iltalehti.fi/kotimaa/a/e935d248-814e-4a35-aca4-8873ff8ba475

    Reply
  8. Tomi Engdahl says:

    Chinese hackers targeting Russian government, telecoms: report https://therecord.media/chinese-hackers-targeting-russian-government-telecoms-report/
    Chinese hacking groups are targeting the Russian government and organizations in the telecommunications industry, according to a new report from cybersecurity company SentinelOne. The report found that there has been a noticeable increase in Russian targeting by suspected Chinese threat actors. Tom Hegel, senior threat researcher at SentinelOne, attributed the targeting to state-sponsored espionage groups deploying a decade-old Remote Access Trojan (RAT) called Bisonal. The RAT has long been associated with Chinese hackers who have previously been seen targeting organizations in Russia, Japan, South Korea and others. In the latest campaign, SentinelOne found Microsoft Office documents and phishing emails spoofing RU-CERT, the country’s cybersecurity incident response center, as well as Russian government bodies regulating the telecoms industry. The report:
    https://www.sentinelone.com/labs/targets-of-interest-russian-organizations-increasingly-under-attack-by-chinese-apts/

    Reply
  9. Tomi Engdahl says:

    OrBit: New Undetected Linux Threat Uses Unique Hijack of Execution Flow https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/
    In this blog we will provide a deep technical analysis of a new and fully undetected Linux threat we named OrBit, because this is one of the filenames that is being used by the malware to temporarily store the output of executed commands. It can be installed either with persistence capabilities or as a volatile implant. The malware implements advanced evasion techniques and gains persistence on the machine by hooking key functions, provides the threat actors with remote access capabilities over SSH, harvests credentials, and logs TTY commands. Once the malware is installed it will infect all of the running processes, including new processes, that are running on the machine. Unlike other threats that hijack shared libraries by modifying the environment variable LD_PRELOAD, this malware uses 2 different ways to load the malicious library. The first way is by adding the shared object to the configuration file that is used by the loader. The second way is by patching the binary of the loader itself so it will load the malicious shared object.

    Reply
  10. Tomi Engdahl says:

    QNAP: Checkmate ransomware group targeting customers through SMB Services https://therecord.media/qnap-checkmate-ransomware-group-targeting-customers-through-smb-services/
    Taiwanese hardware vendor QNAP sent out a warning on Thursday about a new ransomware called Checkmate that is being used to target customers via Server Message Block (SMB) services exposed to the internet. In an advisory, QNAP’s security team said the issue was recently brought to their attention and that they are in the process of investigating the ransomware. “Preliminary investigation indicates that Checkmate employs a dictionary attack to break accounts with weak passwords,” QNAP explained, referring to a strategy in which hackers systematically enter every word in a dictionary as a way to break into a password-protected device. QNAP did not respond to follow-up questions about how they knew the Checkmate ransomware group was using this method as opposed to others.

    Reply
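A dictionary attack against an exposed SMB service leaves the trace QNAP's description implies: a burst of failed logons from one source inside a short window, then a success on an account that source had been guessing. The Python below is an added example, not QNAP's or the article's code, that runs that detection over constructed log lines. The line format is invented for the example, so parse_line needs adapting to the NAS or Samba log you actually have; the threshold and window are assumptions to tune.

```python
"""Detect a dictionary attack of the kind QNAP describes against an SMB service:
many failed logons from one source inside a short window, followed by a success
on one of the accounts it was hammering. Added example; the log format below is
constructed for the example and is not QNAP's (adapt parse_line to your NAS or
Samba log)."""
from __future__ import annotations

import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed line format: "<ISO timestamp> smb auth <FAIL|OK> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) smb auth (?P<result>FAIL|OK) "
    r"user=(?P<user>\S+) src=(?P<ip>\S+)$"
)


def parse_line(line: str) -> dict | None:
    """One log line -> event dict, or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect_dictionary_attack(lines, threshold: int = 5, window_seconds: int = 120) -> dict:
    """Sliding-window count of failures per source IP. A source reaching `threshold`
    failures within `window_seconds` is flagged; a later OK from a flagged source on
    an account it had already tried is reported as likely cracked."""
    recent: dict[str, deque] = defaultdict(deque)   # ip -> timestamps of recent failures
    tried: dict[str, set] = defaultdict(set)        # ip -> accounts attempted
    flagged: dict[str, int] = {}                    # ip -> peak failures seen in one window
    cracked: list[tuple[str, str]] = []
    for ev in filter(None, map(parse_line, lines)):
        ip, ts = ev["ip"], ev["ts"]
        q = recent[ip]
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()                             # drop failures older than the window
        if ev["result"] == "FAIL":
            q.append(ts)
            tried[ip].add(ev["user"])
            if len(q) >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), len(q))
        elif ip in flagged and ev["user"] in tried[ip]:
            cracked.append((ip, ev["user"]))
    return {
        "attackers": {ip: {"failures": n, "accounts": sorted(tried[ip])} for ip, n in flagged.items()},
        "likely_cracked": cracked,
    }


# Constructed sample: one source works a wordlist against 'admin' and 'backup' and
# gets into 'admin'; a second source is an ordinary user who mistyped once.
SAMPLE_LOG = """\
2022-07-07T09:00:01 smb auth FAIL user=admin src=198.51.100.7
2022-07-07T09:00:02 smb auth FAIL user=admin src=198.51.100.7
2022-07-07T09:00:02 smb auth FAIL user=backup src=198.51.100.7
2022-07-07T09:00:03 smb auth FAIL user=admin src=198.51.100.7
2022-07-07T09:00:03 smb auth FAIL user=backup src=198.51.100.7
2022-07-07T09:00:04 smb auth FAIL user=admin src=198.51.100.7
2022-07-07T09:00:20 smb auth FAIL user=alice src=192.0.2.14
2022-07-07T09:00:25 smb auth OK user=alice src=192.0.2.14
2022-07-07T09:00:40 smb auth OK user=admin src=198.51.100.7
""".splitlines()


if __name__ == "__main__":
    print(detect_dictionary_attack(SAMPLE_LOG))
```

The "likely cracked" output is the line worth paging on: a success from a source that was just guessing is the point at which the ransomware has an account, and the obvious fixes are the ones QNAP implies, no SMB on the internet and no dictionary-word passwords.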
  11. Tomi Engdahl says:

    “CuteBoi” Detected Preparing a Large-Scale Crypto Mining Campaign on NPM Users https://checkmarx.com/blog/cuteboi-detected-preparing-a-large-scale-crypto-mining-campaign-on-npm-users/
    Checkmarx SCS team detected over 1200 npm packages released to the registry by over a thousand different user accounts. This was done using automation which includes the ability to pass NPM 2FA challenge.
    This cluster of packages seems to be a part of an attacker experimenting at this point. We dubbed this new actor “CuteBoi” as a tribute to the “cute” username hardcoded in many of the packages’ configuration files and to one of the non-random NPM usernames the Attacker is using, “cloudyboi12”. We expect this actor to continue their experimentation and eventually launch an attack that might cause real damage. Therefore, we have signed several traits of this Attacker’s behavior and continue to track them. The findings will be available to all on our dedicated tracker page cuteboi.info.

    Reply
  12. Tomi Engdahl says:

    OpenSSL Patches Remote Code Execution Vulnerability
    https://www.securityweek.com/openssl-patches-remote-code-execution-vulnerability

    OpenSSL has issued an urgent advisory to warn of a memory corruption vulnerability that exposes servers to remote code execution attacks.

    The vulnerability, tracked as CVE-2022-2274, was introduced in OpenSSL 3.0.4 and could potentially allow malicious hackers to launch remote code attacks on unpatched SSL/TLS server side devices.

    The open source group rates this a “high-severity” issue and urged users to upgrade to OpenSSL 3.0.5.

    Reply
  13. Tomi Engdahl says:

    The commercialization of chiplets is expected to increase the number and breadth of attack surfaces in electronic systems, making it harder to keep track of all the hardened IP jammed into a package and to verify its authenticity and robustness against hackers. https://semiengineering.com/security-risks-widen-with-commercial-chiplets/
    #chiplets

    Reply
  14. Tomi Engdahl says:

    Pentester says he broke into datacenter via hidden route running behind toilets
    Lock down your ‘piss corridor’ – or even better, don’t have one at all
    https://www.theregister.com/2022/07/07/lock_down_your_piss_corridor/

    Reply
  15. Tomi Engdahl says:

    Experts Uncover 350 Browser Extension Variants Used in ABCsoup Adware Campaign
    https://thehackernews.com/2022/07/experts-uncover-350-browser-extension.html

    Reply
  16. Tomi Engdahl says:

    Canada’s national police force admits use of spyware to hack phones
    The RCMP says it needs to use malware because encryption has made surveillance “exponentially more difficult.”
    https://www.politico.com/news/2022/06/29/canada-national-police-spyware-phones-00043092

    Reply
  17. Tomi Engdahl says:

    A huge data leak of 1 billion records exposes China’s vast surveillance state
    One billion resident records were allegedly siphoned from a police database
    https://techcrunch.com/2022/07/07/china-leak-police-database/

    Reply
  18. Tomi Engdahl says:

    Researchers Warn of New OrBit Linux Malware That Hijacks Execution Flow
    https://thehackernews.com/2022/07/researchers-warn-of-new-orbit-linux.html

    Cybersecurity researchers have taken the wraps off a new and entirely undetected Linux threat dubbed OrBit, signaling a growing trend of malware attacks geared towards the popular operating system.

    The malware gets its name from one of the filenames that’s utilized to temporarily store the output of executed commands (“/tmp/.orbit”), according to cybersecurity firm Intezer.

    “It can be installed either with persistence capabilities or as a volatile implant,” security researcher Nicole Fishbein said. “The malware implements advanced evasion techniques and gains persistence on the machine by hooking key functions, provides the threat actors with remote access capabilities over SSH, harvests credentials, and logs TTY commands.”

    Reply
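The two loader-hijack methods described in the OrBit write-ups above (comments 9 and 18), a library added to the loader's preload configuration and a loader binary patched to read its preload list from somewhere else, can both be checked for from userland. The Python below is an added example, not Intezer's tooling and not code from either article. It assumes a glibc system, where the preload configuration is /etc/ld.so.preload and the loader lives at one of the listed candidate paths, and it ships constructed sample data (the hook path is made up) so the checks run offline. The libc function hooking the article also mentions is not covered.

```python
"""Check a Linux host for the two dynamic-loader hijack methods the OrBit write-up
describes: a library added to the loader's preload config (/etc/ld.so.preload on
glibc) and a loader binary patched to read its preload list from elsewhere.
Added example; it is not Intezer's tooling and detects only these two conditions."""
from __future__ import annotations

import re
from pathlib import Path

PRELOAD_CONFIG = "/etc/ld.so.preload"
# Assumed loader locations; adjust for your distribution and architecture.
LOADER_CANDIDATES = ["/lib64/ld-linux-x86-64.so.2", "/lib/ld-linux-aarch64.so.1"]


def preload_entries(config_text: str) -> list[str]:
    """Libraries listed in an ld.so.preload-style file: one or more paths per line,
    separated by whitespace or ':'; '#' starts a comment."""
    entries: list[str] = []
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.extend(p for p in re.split(r"[\s:]+", line) if p)
    return entries


def suspicious_entries(entries: list[str], allow: tuple[str, ...] = ()) -> list[str]:
    """Everything not explicitly allow-listed. On most hosts the file should not exist,
    so any entry deserves a look; allow-list preloads you deploy on purpose."""
    return [e for e in entries if e not in allow]


def loader_keeps_preload_path(loader_bytes: bytes) -> bool:
    """An unpatched glibc loader embeds the literal '/etc/ld.so.preload'. A loader
    patched to pull its preload list from another file no longer contains it."""
    return PRELOAD_CONFIG.encode() in loader_bytes


def loader_path_strings(loader_bytes: bytes) -> list[str]:
    """NUL-terminated absolute-path strings in the loader, for the analyst to read
    when the expected preload path is missing: the replacement is usually among them."""
    return sorted({m.decode() for m in re.findall(rb"/[ -~]{2,}(?=\x00)", loader_bytes)})


def audit(config_text: str | None, loader_bytes: bytes, allow: tuple[str, ...] = ()) -> dict:
    """Combine both checks into one verdict; config_text is None when the file is absent."""
    entries = preload_entries(config_text) if config_text is not None else []
    flagged = suspicious_entries(entries, allow)
    keeps_path = loader_keeps_preload_path(loader_bytes)
    return {
        "preload_entries_flagged": flagged,
        "loader_patched": not keeps_path,
        "loader_paths": loader_path_strings(loader_bytes) if not keeps_path else [],
        "clean": not flagged and keeps_path,
    }


# Constructed samples so the checks run offline; the hook path is invented.
SAMPLE_PRELOAD = "# constructed sample\n/usr/lib/libjemalloc.so.2\n/lib/.hidden/ld-hook.so\n"
CLEAN_LOADER = b"\x7fELF\x00\x00/lib64/ld-linux-x86-64.so.2\x00/etc/ld.so.preload\x00GLIBC_2.3\x00"
PATCHED_LOADER = CLEAN_LOADER.replace(b"/etc/ld.so.preload", b"/lib/.hidden/ld-hook.so")


if __name__ == "__main__":
    # Run against the live host (needs read access to the loader and the config file).
    cfg = Path(PRELOAD_CONFIG)
    text = cfg.read_text() if cfg.exists() else None
    for cand in LOADER_CANDIDATES:
        p = Path(cand)
        if p.exists():
            print(cand, audit(text, p.read_bytes()))
```

Run it as root to check the live files. A populated /etc/ld.so.preload on a host that does not deploy one on purpose, or a loader that no longer contains the literal /etc/ld.so.preload string, both call for a closer look; for the second case compare the loader's hash against the distribution package before trusting anything the infected host's own tools report, since those tools are exactly what the implant hooks.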
  19. Tomi Engdahl says:

    CEO Arrested for Selling $1 Billion in Fake Cisco Hardware on Amazon, eBay
    Onur Aksoy allegedly imported thousands of fake Cisco networking devices from China.
    https://uk.pcmag.com/networking/141398/ceo-arrested-for-selling-1-billion-in-fake-cisco-hardware-on-amazon-ebay

    Reply
  20. Tomi Engdahl says:

    Man loses down payment for house when crypto exchange goes bankrupt
    by Maggie Harrison
    https://futurism.com/the-byte/man-loses-down-payment-crypto-exchange-bankrupt

    Reply
  21. Tomi Engdahl says:

    Hackers pulled off a $620 million crypto heist by tricking an engineer into applying for a fake job and opening an offer letter containing spyware, report says
    https://www.businessinsider.com/axie-infinity-crypto-hack-fake-job-offer-letter-spyware-phishing-2022-7

    Reply
  22. Tomi Engdahl says:

    4chan explodes after user allegedly cracks Hunter Biden’s iCloud
    https://www.dailydot.com/debug/hunter-biden-icloud/

    Reply
  23. Tomi Engdahl says:

    ‘Very, very alarming’: B.C. technology expert weighs in on Rogers’ outage
    https://globalnews.ca/news/8978487/b-c-tech-expert-on-rogers-outage/

    Reply
  24. Tomi Engdahl says:

    Dangerous new malware dances past more than 50 antivirus services
    The threat actor leverages a weaponized ISO file
    https://www.techradar.com/news/dangerous-new-malware-dances-past-more-than-50-antivirus-services

    Reply
  25. Tomi Engdahl says:

    Twitter Hit By One Of Its Biggest Global Outages In Years
    The site is now back to life and, of course, #Twitterdown is trending.
    https://www.iflscience.com/twitter-hit-by-one-of-its-biggest-global-outages-in-years-64456

    Twitter became unavailable at around 11:54 UTC and stayed off for 45 minutes, according to Downdetector.co.uk. Users were unable to refresh their feed and were met with an error message.

    “where do i complain about twitter being down when twitter is down!?”

    Reply
  26. Tomi Engdahl says:

    A New Attack Can Unmask Anonymous Users on Any Major Browser
    Researchers have found a way to use the web’s basic functions to identify who visits a site—without the user detecting the hack.
    https://www.wired.com/story/web-deanonymization-side-channel-attack-njit/

    Everyone from advertisers and marketers to government-backed hackers and spyware makers wants to identify and track users across the web. And while a staggering amount of infrastructure is already in place to do exactly that, the appetite for data and new tools to collect it has proved insatiable. With that reality in mind, researchers from the New Jersey Institute of Technology are warning this week about a novel technique attackers could use to de-anonymize website visitors and potentially connect the dots on many components of targets’ digital lives.

    The findings, which NJIT researchers will present at the Usenix Security Symposium in Boston next month, show how an attacker who tricks someone into loading a malicious website can determine whether that visitor controls a particular public identifier, like an email address or social media account, thus linking the visitor to a piece of potentially personal data.

    When you visit a website, the page can capture your IP address, but this doesn’t necessarily give the site owner enough information to individually identify you. Instead, the hack analyzes subtle features of a potential target’s browser activity to determine whether they are logged into an account for an array of services, from YouTube and Dropbox to Twitter, Facebook, TikTok, and more. Plus the attacks work against every major browser, including the anonymity-focused Tor Browser.

    Reply
  27. Tomi Engdahl says:

    Amazon finally admits giving cops Ring doorbell data without user consent
    Amazon Ring gave police data without user consent 11 times so far in 2022.
    https://arstechnica.com/tech-policy/2022/07/amazon-finally-admits-giving-cops-ring-doorbell-data-without-user-consent/

    Reply
  28. Tomi Engdahl says:

    Microsoft: Phishing bypassed MFA in attacks against 10,000 orgs
    https://www.bleepingcomputer.com/news/security/microsoft-phishing-bypassed-mfa-in-attacks-against-10-000-orgs/

    Microsoft says a massive series of phishing attacks has targeted more than 10,000 organizations starting in September 2021, using the gained access to victims’ mailboxes in follow-on business email compromise (BEC) attacks.

    The threat actors used landing pages designed to hijack the Office 365 authentication process (even on accounts protected by multifactor authentication (MFA)) by spoofing the Office online authentication page.

    Reply
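Why MFA did not help in the campaign above: the phishing page sits between the victim and the real login page and relays everything live, so the one-time code is consumed as intended and the attacker ends up holding the session cookie the real service issues. The Python below is an added model of that exchange, not Microsoft's analysis and not code from the article; the identity provider, proxy, user, secrets and origins are constructed. The origin-bound variant goes one step beyond the excerpt: it compresses the FIDO2/WebAuthn origin check, which the article does not discuss, into a single signed field to show why such a credential does not relay through a look-alike origin.

```python
"""Model of adversary-in-the-middle (AiTM) phishing: the phishing page relays
password and TOTP to the real IdP in real time, so MFA passes and the attacker
receives the session cookie. The origin-bound variant shows why a credential that
signs the browser's real origin (the idea behind FIDO2/WebAuthn) does not relay.
Added example with constructed names, secrets and origins; it simplifies WebAuthn
to one signed origin field and is not Microsoft's description of the campaign."""
from __future__ import annotations

import hashlib
import hmac
import secrets


def sign(key: bytes, browser_origin: str, challenge: str) -> str:
    """What the victim's authenticator signs: the origin the browser is really on."""
    return hmac.new(key, f"{browser_origin}|{challenge}".encode(), hashlib.sha256).hexdigest()


class IdentityProvider:
    """Toy cloud login: password + TOTP, then an opaque bearer session cookie."""

    def __init__(self, origin: str) -> None:
        self.origin = origin
        # Constructed user; the TOTP code is fixed here instead of time-derived.
        self.users = {"alice": {"password": "correct horse", "totp": "492817",
                                "authenticator_key": b"alice-device-key"}}
        self.sessions: dict[str, str] = {}
        self.challenges: set[str] = set()

    def login(self, user: str, password: str, totp: str) -> str | None:
        rec = self.users.get(user)
        if rec is None or rec["password"] != password or rec["totp"] != totp:
            return None
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = user
        return cookie

    def whoami(self, cookie: str) -> str | None:
        return self.sessions.get(cookie)

    def new_challenge(self) -> str:
        c = secrets.token_hex(8)
        self.challenges.add(c)
        return c

    def login_origin_bound(self, user: str, origin: str, challenge: str, sig: str) -> str | None:
        """Accept only a fresh challenge signed together with *this* IdP's origin."""
        rec = self.users.get(user)
        if rec is None or origin != self.origin or challenge not in self.challenges:
            return None
        self.challenges.discard(challenge)      # one use per challenge (no replay)
        if not hmac.compare_digest(sign(rec["authenticator_key"], origin, challenge), sig):
            return None
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = user
        return cookie


class AitmProxy:
    """Phishing site on a look-alike origin that proxies the real login page."""

    def __init__(self, idp: IdentityProvider, origin: str) -> None:
        self.idp, self.origin, self.captured = idp, origin, []

    def login(self, user: str, password: str, totp: str) -> str | None:
        cookie = self.idp.login(user, password, totp)   # relayed before the TOTP expires
        if cookie:
            self.captured.append(cookie)               # attacker keeps a copy
        return cookie                                  # victim is logged in, sees nothing odd

    def relay_origin_bound(self, user: str, origin: str, challenge: str, sig: str) -> str | None:
        return self.idp.login_origin_bound(user, origin, challenge, sig)


def run_demo() -> dict[str, bool]:
    idp = IdentityProvider("https://login.example-idp.test")            # constructed origin
    proxy = AitmProxy(idp, "https://login.example-idp-secure.test")     # look-alike origin
    key = idp.users["alice"]["authenticator_key"]

    # 1. Password + TOTP typed into the phishing page: relayed, accepted, cookie stolen.
    victim_cookie = proxy.login("alice", "correct horse", "492817")
    stolen = proxy.captured[-1]
    totp_relay_works = victim_cookie == stolen and idp.whoami(stolen) == "alice"

    # 2. Origin-bound credential: the browser signs the phishing origin it is on.
    ch = idp.new_challenge()
    relayed = proxy.relay_origin_bound("alice", proxy.origin, ch, sign(key, proxy.origin, ch))

    # 3. Proxy rewrites the origin field to the real one: the signature no longer matches.
    ch2 = idp.new_challenge()
    tampered = proxy.relay_origin_bound("alice", idp.origin, ch2, sign(key, proxy.origin, ch2))

    # 4. The same credential used directly on the real origin still works.
    ch3 = idp.new_challenge()
    direct = idp.login_origin_bound("alice", idp.origin, ch3, sign(key, idp.origin, ch3))

    return {
        "totp_relay_bypasses_mfa": totp_relay_works,
        "origin_bound_relay_rejected": relayed is None,
        "origin_bound_tampered_rejected": tampered is None,
        "origin_bound_direct_login_works": direct is not None,
    }


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

The point the model makes is that nothing in the TOTP exchange names the site the victim is looking at, so a relay is indistinguishable from the victim; the origin-bound exchange carries that name under a signature the proxy cannot forge or edit. On the detection side, the stolen cookie is still a valid session, so the follow-on BEC activity shows up as a normal sign-in from an unfamiliar location rather than as an MFA failure.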
  29. Tomi Engdahl says:

    Experts warn of attacks on sites using flawed Kaswara Modern WPBakery Page Builder Addons
    https://securityaffairs.co/wordpress/133267/hacking/wpbakery-page-builder-attacks.html
    #securityaffairs #hacking #malware #WordPress

    Reply
  30. Tomi Engdahl says:

    National Vulnerability Database: CVE-2022-32274 > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-32274, 2022-07-13 14:15:09 +0000
    The Transition Scheduler add-on 6.5.0 for Atlassian Jira is prone to stored XSS via the project name to the creation function.
    National Vulnerability Database: CVE-2022-32065 > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-32065, 2022-07-13 15:15:10 +0000
    An arbitrary file upload vulnerability in the background management module of RuoYi v4.7.3 and below allows attackers to execute arbitrary code via a crafted HTML file.
    #infosec

    Reply
  31. Tomi Engdahl says:

    Ex-C.I.A. Engineer Convicted in Biggest Theft Ever of Agency Secrets
    The top federal prosecutor in Manhattan said Joshua Schulte had engaged in “one of the most brazen and damaging acts of espionage in American history.”
    https://www.nytimes.com/2022/07/13/nyregion/cia-engineer-joshua-schulte-theft-convicted.html?smid=fb-nytimes&smtyp=cur

    Reply
  32. Tomi Engdahl says:

    Hackers are targeting industrial systems with malware
    An entire ecosystem of sketchy software is targeting potentially critical infrastructure.
    https://arstechnica.com/information-technology/2022/07/malware-circulating-online-wrangles-industrial-systems-into-a-botnet/

    From the what-could-possibly-go-wrong file comes this: People hawking password-cracking software are targeting the hardware used in industrial-control facilities with malicious code that makes their systems part of a botnet, a researcher reported.

    Lost passwords happen in many organizations. A programmable logic controller—used to automate processes inside factories, electric plants, and other industrial settings, for example, may be set up and largely forgotten over the following years. When a replacement engineer later identifies a problem affecting the PLC, they may discover the now long-gone original engineer never left the passcode behind before departing the company.

    Reply
  33. Tomi Engdahl says:

    Runa Sandvik’s new startup Granitt secures at-risk people from hackers and nation states
    https://techcrunch.com/2022/07/15/granitt-journalist-security/

    Reply
  34. Tomi Engdahl says:

    So, here’s a bit of a mystery: Why does TeamViewer – the popular remote desktop program – install a font it doesn’t use on your computer? The abstract font (shown in the above image) doesn’t seem to serve any purpose in the software. Intentional or not, it enables websites to detect if you have TeamViewer installed on your computer.

    https://www.ctrl.blog/entry/teamviewer-font-privacy.html

    Reply
  35. Tomi Engdahl says:

    Anonymous Review Site Glassdoor Not So Anonymous
    A judge has ruled in favour of releasing anonymous user details posted on Glassdoor to billion-dollar NZ toy company, Zuru
    https://www.webworm.co/p/glassdoor

    Reply