This posting is here to collect cyber security news in July 2022.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
This posting is here to collect cyber security news in July 2022.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
260 Comments
Tomi Engdahl says:
Microsoft reminder: Windows Server 20H2 reaches EOS next month https://www.bleepingcomputer.com/news/microsoft/microsoft-reminder-windows-server-20h2-reaches-eos-next-month/
Microsoft has reminded customers once again that Windows Server, version 20H2, will be reaching its End of Service (EOS) in less than a month, on August 9.
Tomi Engdahl says:
CosmicStrand UEFI malware found in Gigabyte, ASUS motherboards https://www.bleepingcomputer.com/news/security/cosmicstrand-uefi-malware-found-in-gigabyte-asus-motherboards/
Chinese-speaking hackers have been using since at least 2016 malware that lies virtually undetected in the firmware images for some motherboards, one of the most persistent threats commonly known as a UEFI rootkit. Researchers at cybersecurity company Kaspersky called it CosmicStrand but an earlier variant of the threat was discovered by malware analysts at Qihoo360, who named it Spy Shadow Trojan. It is unclear how the threat actor managed to inject the rootkit into the firmware images of the target machines but researchers found the malware on machines with ASUS and Gigabyte motherboards.
Tomi Engdahl says:
Source code for Rust-based info-stealer released on hacker forums https://www.bleepingcomputer.com/news/security/source-code-for-rust-based-info-stealer-released-on-hacker-forums/
The source code for an information-stealing malware coded in Rust has been released for free on hacking forums, with security analysts already reporting that the malware is actively used in attacks. The malware, which the author claims to have developed in just six hours, is quite stealthy, with VirusTotal returning a detection rate of around 22%. As the info-stealer is written in Rust, a cross-platform language, it allows threat actors to target multiple operating systems. However, in its current form, the new info-stealer only targets Windows operating systems.
Tomi Engdahl says:
LockBit Ransomware Group Augments Its Latest Variant, LockBit 3.0, With BlackMatter Capabilities https://www.trendmicro.com/en_us/research/22/g/lockbit-ransomware-group-augments-its-latest-variant–lockbit-3-.html
In March 2022, less than a year after LockBit 2.0 first emerged, researchers caught wind of an upcoming new variant of the LockBit ransomware. LockBit 3.0, aka “LockBit Black, ” wouldn’t be unveiled until late June, coinciding with the launch of the group’s new leak site and bug bounty program. A researcher has since shared a sample of LockBit 3.0, along with his initial analysis of the new variant.
Tomi Engdahl says:
Novel Malware Hijacks Facebook Business Accounts https://threatpost.com/malware-hijacks-facebook/180285/
A new malware is hijacking high-profile Meta Facebook Business and advertising platform accounts through a phishing campaign that targets LinkedIn accounts. The malware, dubbed Ducktail, uses browser cookies from authenticated user sessions to take over accounts and steal data, researchers said. Researchers from WithSecure, formerly F-Secure, discovered the ongoing campaign, which appears to be the work of financially driven Vietnamese threat actors, they wrote in a report published Tuesday. The campaign itself appears to have been active since at least the second half of 2021, while the threat actors behind it may have been on the cybercriminal scene since 2018, researchers said.
Tomi Engdahl says:
DoJ approves Google’s acquisition of Mandiant https://www.theregister.com/2022/07/25/security_in_brief/
IN BRIEF Google’s legally fraught journey to buy cybersecurity business Mandiant is in its final stretch, with the US Department of Justice closing its investigation and giving the go-ahead for the sale to proceed. In a regulatory filing submitted to the Security and Exchange Commission by Mandiant, the company said the DoJ also waived the mandatory merger waiting period, which was apparently a condition of the sale. The ball is now in Google and Mandiant’s court to decide on the conclusion of the merger. The deal, announced in March, would bring the security provider under the Google Cloud umbrella. At $5.4 billion, it’s the second-largest purchase ever made by Google, bested only by its its 2011 purchase of Motorola’s phone division, Mobility, for $12.5 billion.
Tomi Engdahl says:
Microsoft: Windows, Adobe zero-days used to deploy Subzero malware https://www.bleepingcomputer.com/news/microsoft/microsoft-windows-adobe-zero-days-used-to-deploy-subzero-malware/
Microsoft has linked a threat group known as Knotweed to an Austrian spyware vendor also operating as a cyber mercenary outfit named DSIRF that targets European and Central American entities using a malware toolset dubbed Subzero. On its website, DSIRF promotes itself as a company that provides information research, forensics, and data-driven intelligence services to corporations. However, it has been linked to the development of the Subzero malware that its customers can use to hack targets’ phones, computers, and network and internet-connected devices. Using passive DNS data while investigating Knotweed attacks, threat intelligence firm RiskIQ also found that infrastructure actively serving malware since February 2020 linked to DSIRF, including its official website and domains likely used to debug and stage the Subzero malware.
Tomi Engdahl says:
FileWave patches two vulnerabilities that impacted more than 1, 000 orgs https://therecord.media/filewave-patches-two-vulnerabilities-that-impacted-more-than-1000-orgs/
Swiss device management company FileWave confirmed on Tuesday that two vulnerabilities in their platform have been patched after being discovered by researchers from Claroty’s Team82. The vulnerabilities
CVE-2022-34907 and CVE-2022-34906 were found in FileWave’s mobile device management (MDM) system and affect thousands of companies that use the system. The vulnerabilities are remotely exploitable and allow an attacker to bypass authentication mechanisms and gain full control over the MDM platform and its managed devices.
Tomi Engdahl says:
Anti-vaxxer dating site exposes user data https://blog.malwarebytes.com/privacy-2/2022/07/anti-vaxxer-dating-site-exposes-user-data/
An anti-vax dating site has been revealed as shockingly easy to compromise by security researchers. Many major aspects of the site, from membership subscriptions to support tickets, were found to be vulnerable. The site, called Unjected, has been around since last year. It functions as a sort of social media/dating platform for folks averse to vaccinations. The site also offers a “blood and fertility match” directory, with some pretty personal details being entered as a result. Sadly for the site and its users, the site’s administration dashboard was openly accessible. Anyone with access could add, edit, or deactivate pages and user accounts. The researcher who discovered this was able to demonstrate their new-found admin powers on a test account set up by Daily Dot, enabling them to edit the private email address, username, and profile image, as well as the wording on a public post. Site back ups? Downloadable. $15 a month subscriptions?
Able to give them away like candy if so desired. Incredibly, help center tickets could be replied to. Given help tickets tend to contain more sensitive user data than what people post publicly, this is rather worrying.
A Retrospective on the 2015 Ashley Madison Breach https://krebsonsecurity.com/2022/07/a-retrospective-on-the-2015-ashley-madison-breach/
It’s been seven years since the online cheating site AshleyMadison.com was hacked and highly sensitive data about its users posted online.
The leak led to the public shaming and extortion of many Ashley Madison users, and to at least two suicides. To date, little is publicly known about the perpetrators or the true motivation for the attack. But a recent review of Ashley Madison mentions across Russian cybercrime forums and far-right websites in the months leading up to the hack revealed some previously unreported details that may deserve further scrutiny.
Tomi Engdahl says:
Spain arrests suspected hackers who sabotaged radiation alert system https://www.bleepingcomputer.com/news/security/spain-arrests-suspected-hackers-who-sabotaged-radiation-alert-system/
The Spanish police have announced the arrest of two hackers believed to be responsible for cyberattacks on the country’s radioactivity alert network (RAR), which took place between March and June 2021. The two arrested individuals are former workers of a company contracted by the General Directorate of Civil Protection and Emergencies (DGPGE) to maintain the RAR system, so they had a deep knowledge of its operation and how to deliver an effective cyberattack. The two arrested individuals gained illegitimate access to DGPGE’s network and attempted to delete the RAR management web application in the control center.
Tomi Engdahl says:
Critical Samba bug could let anyone become Domain Admin patch now!
https://nakedsecurity.sophos.com/2022/07/27/critical-samba-bug-could-let-anyone-become-domain-admin-patch-now/
Samba just got updated to fix a number of security vulnerabilities, including a critical bug related to password resets.
Tomi Engdahl says:
LofyLife: malicious npm packages steal Discord tokens and bank card data https://securelist.com/lofylife-malicious-npm-packages/107014/
On July 26, using the internal automated system for monitoring open-source repositories, we identified four suspicious packages in the Node Package Manager (npm) repository. All these packages contained highly obfuscated malicious Python and JavaScript code. We dubbed this malicious campaign “LofyLife”.
Tomi Engdahl says:
Pelätty Pegasus-vakoiluohjelma iski vallan huipulle Euroopassa Apple varoitti korkean tason poliitikkoa https://www.tivi.fi/uutiset/tv/8c0f646d-4d84-4db2-8ba5-c3cdd8411d9f
Tutkimukset murrosta ovat edelleen käynnistä, mutta merkkejä vakoiluohjelmasta on jo löydetty.
Tomi Engdahl says:
“Uusi maksunsaaja lisätty” kavala pankkihuijaus yleistyy hurjaa vauhtia https://www.is.fi/digitoday/tietoturva/art-2000008970078.html
“Uusi maksunsaaja lisätty”. Tällaisia tekstiviestejä on lähetetty suomalaisiin puhelimiin tuhansittain viime kuukausina pankkien nimissä, ja huijaukset ovat edelleen varsin aktiivisia. Muitakin pankkihuijauksia on, ja verottajan nimissä vedätetään lupauksilla veronpalautuksista.
Tomi Engdahl says:
Akamai blocked largest DDoS in Europe against one of its customers https://www.bleepingcomputer.com/news/security/akamai-blocked-largest-ddos-in-europe-against-one-of-its-customers/
The largest distributed denial-of-service (DDoS) attack that Europe has ever seen occurred earlier this month and hit an organization in Eastern Europe.
Tomi Engdahl says:
Apple network traffic takes mysterious detour through Russia https://www.theregister.com/2022/07/27/apple_networking_traffic_russia_bgp/
Apple’s internet traffic took an unwelcome detour through Russian networking equipment for about twelve hours between July 26 and July 27.
Tomi Engdahl says:
Keski-Suomen sairaanhoitopiirin it-järjestelmät pahasti solmussa leikkauksia perutaan
https://www.tivi.fi/uutiset/tv/513966c8-b1b4-427a-99b7-45f3114627c3
Keski-Suomen sairaanhoitopiirissä (KSSHP) havaittiin eilen illalla laaja sairaalan tietojärjestelmäympäristöä koskeva häiriö, joka vaikuttaa merkittävästi Jyväskylässä sijaitsevan Sairaala Novan toimintaan. Häiriö aiheuttaa ongelmia verkkoon kirjautumisessa, mikä estää pääsyn sairaalan tietojärjestelmiin.
Tomi Engdahl says:
Spain arrests suspected hackers who sabotaged radiation alert system https://www.bleepingcomputer.com/news/security/spain-arrests-suspected-hackers-who-sabotaged-radiation-alert-system/
The Spanish police have announced the arrest of two hackers believed to be responsible for cyberattacks on the country’s radioactivity alert network (RAR), which took place between March and June 2021.
Tomi Engdahl says:
Synkkä tieto: hakkerit iskevät paljastuneeseen haavaan 15 minuutissa
https://www.tivi.fi/uutiset/tv/1233ee2d-3fd8-4b39-a4b5-7874659d9896
Tietoturvayhtiö Palo Alto Networksin Unit 42 -yksikön mukaan aikaikkuna haavoittuvuuden löytymisen ja mahdollisen iskun välillä on kaventumassa.
Tomi Engdahl says:
Microsoft Uncovers Austrian Company Exploiting Windows and Adobe Zero-Day Exploits https://thehackernews.com/2022/07/microsoft-uncover-austrian-company.html
A cyber mercenary that “ostensibly sells general security and information analysis services to commercial customers” used several Windows and Adobe zero-day exploits in limited and highly-targeted attacks against European and Central American entities.
Tomi Engdahl says:
Cyberspies use Google Chrome extension to steal emails undetected https://www.bleepingcomputer.com/news/security/cyberspies-use-google-chrome-extension-to-steal-emails-undetected/
A North Korean-backed threat group tracked as Kimsuky is using a malicious browser extension to steal emails from Google Chrome or Microsoft Edge users reading their webmail.
Tomi Engdahl says:
LibreOffice Releases Software Update to Patch 3 New Vulnerabilities https://thehackernews.com/2022/07/libreoffice-releases-software-security.html
Tracked as CVE-2022-26305, the issue has been described as a case of improper certificate validation when checking whether a macro is signed by a trusted author, leading to the execution of rogue code packaged within the macros.
Tomi Engdahl says:
Threat actors are actively exploiting the recently patched critical flaw in Atlassian Confluence Server and Data Center https://securityaffairs.co/wordpress/133798/hacking/atlassian-cve-2022-26138-actively-exploited.html
Recenlty Atlassian released security updates to address a critical hardcoded credentials vulnerability in Confluence Server and Data Center tracked as CVE-2022-26138.
Tomi Engdahl says:
CISA Releases Log4Shell-Related MAR
https://www.cisa.gov/uscert/ncas/current-activity/2022/07/28/cisa-releases-log4shell-related-mar-0
- From May through June 2022, CISA responded to an organization that was compromised by an exploitation of an unpatched and unmitigated Log4Shell vulnerability in a VMware Horizon server. CISA analyzed five malware samples obtained from the organization’s network and released a Malware Analysis Report of the findings. [Report https://www.cisa.gov/uscert/ncas/analysis-reports/ar22-203a
Tomi Engdahl says:
Microsoft links Raspberry Robin malware to Evil Corp attacks https://www.bleepingcomputer.com/news/security/microsoft-links-raspberry-robin-malware-to-evil-corp-attacks/
Microsoft has discovered that an access broker it tracks as DEV-0206 uses the Raspberry Robin Windows worm to deploy a malware downloader on networks where it also found evidence of malicious activity matching Evil Corp tactics.
Tomi Engdahl says:
LockBit operator abuses Windows Defender to load Cobalt Strike https://www.bleepingcomputer.com/news/security/lockbit-operator-abuses-windows-defender-to-load-cobalt-strike/
A threat actor associated with the LockBit 3.0 ransomware operation is abusing the Windows Defender command line tool to load Cobalt Strike beacons on compromised systems and evade detection by security software.
Tomi Engdahl says:
US court system suffered ‘incredibly significant attack’ sealed files at risk https://www.theregister.com/2022/07/29/us_judiciary_attack/
The United States’ federal court system “faced an incredibly significant and sophisticated cyber security breach, one which has since had lingering impacts on the department and other agencies.”
Tomi Engdahl says:
This phishing attack uses a countdown clock to panic you into handing over passwords https://www.zdnet.com/article/this-phishing-attack-uses-a-countdown-clock-to-panic-you-into-handing-over-passwords/
A sneaky new phishing attack attempts to manipulate victims into entering their username and password by claiming their account will be deleted if they don’t – and it uses a countdown timer to pile on the pressure
Tomi Engdahl says:
Uutistoimisto STT:n tietojärjestelmiin kohdistui perjantaina laaja hyökkäys, osa järjestelmistä on ajettu varotoimena alas
https://yle.fi/uutiset/3-12556769
Suomen Tietotoimiston STT:n tietojärjestelmiin on kohdistunut laaja verkkohyökkäys perjantaina. Hyökkäys havaittiin torstain ja perjantain vastaisena yönä, ja osa STT:n käyttämistä järjestelmistä ajettiin sen vuoksi alas varotoimena.
Tomi Engdahl says:
Tim Hortons offer free coffee and donut to settle data privacy invasion claims https://www.theregister.com/2022/07/30/in_brief_security/
IN BRIEF Canadian fast food chain Tim Hortons is settling multiple data privacy class-action lawsuits against it by offering something it knows it’s good for: a donut and coffee.
Tomi Engdahl says:
STT:n mukaan toimittajien muistiinpanoja ei ole vuotanut eikä lähdesuoja vaarantunut verkkohyökkäyksessä muita vahinkoja selvitetään
https://yle.fi/uutiset/3-12557548
STT:n vastaava päätoimittaja Minna Holopainen kertoo Ylelle, että tämän hetken tietojen mukaan tietotoimistoon kohdistuneessa verkkohyökkäyksessä ei ole päätynyt vääriin käsiin esimerkiksi toimittajien muistiinpanoja tai mitään muutakaan lähdesuojan alaista materiaalia.
Tomi Engdahl says:
The most impersonated brand in phishing attacks? Microsoft https://www.helpnetsecurity.com/2022/08/01/microsoft-brand-impersonation-phishing-attacks/
Vade announced its H1 2022 Phishers’ Favorites report, a ranking of the top 25 most impersonated brands in phishing attacks. Microsoft came in at #1 on the list, followed by Facebook. Rounding out the top five are Crédit Agricole, WhatsApp, and Orange.
Tomi Engdahl says:
Verkkohyökkäys STT:hen aiheutti laajaa tuhoa toimitusjohtaja kertoo, mitä iskulla on haettu
https://www.kauppalehti.fi/uutiset/verkkohyokkays-stthen-aiheutti-laajaa-tuhoa-toimitusjohtaja-kertoo-mita-iskulla-on-haettu/e86fcba7-14e6-4595-ba27-04dd8c1c1fa7
Uutistoimisto STT:n tietojärjestelmiin kohdistuneen verkkohyökkäyksen jälkiä korjaillaan kovaa vauhtia. STT havaitsi hyökkäyksen viime viikon torstain ja perjantain välisenä yönä ja ajoi valtaosan tietojärjestelmistään alas turvallisuussyistä, uutistoimisto tiedottaa.
Tomi Engdahl says:
STT joutui kiristyshaittaohjelmalla tehdyn hyökkäyksen kohteeksi hyökkääjä on esittänyt lunnasvaatimuksen https://www.aamulehti.fi/rikos/art-2000008984309.html
Suomen Tietotoimistoon STT:hen kohdistunut verkkohyökkäys oli kiristyshaittaohjelmalla tehty isku, jonka tekijäksi on ilmoittautunut LV-niminen kyberrikosryhmittymä. Ryhmä julkisti tiedon myös pimeässä Tor-verkossa torstaina. Vastaavan ryhmittymän on kerrottu olleen tekijänä myös konepajayhtiö Wärtsilään heinäkuussa kohdistuneessa hyökkäyksessä. LV-ryhmittymä pääsi Ylen mukaan käsiksi Wärtsilän
laskutus- ja ostotietoihin. Hyökkääjä on esittänyt lunnasvaatimuksen STT:lle. Vastaavan päätoimittajan Minna Holopaisen mukaan vaateeseen ei ole vastattu. Lähdesuoja ei myöskään ole hänen mukaansa vaarantunut. Myös: https://yle.fi/uutiset/3-12562753
Tomi Engdahl says:
Uutistoimisto STT:n verkkohyökkääjä on voinut saada haltuunsa tekstiviestiuutisten asiakastiedot tilaajina yhteiskunnan johtohenkilöitä
https://yle.fi/uutiset/3-12565159
Uutistoimisto STT:hen kohdistuneen verkkohyökkäyksen tekijä on voinut saada haltuunsa STT:n tekstiviestiuutisten tilaajien asiakastiedot.
Asiakastietoja ovat ainakin nimi ja puhelinnumero. STT:llä ei ole varmuutta tietovuodosta, mutta yhtiö halusi varmuuden vuoksi ilmoittaa asiakkailleen, että näin on saattanut käydä. Verkkohyökkäys tapahtui viikko sitten. Yhtiö kertoi tekstiviestiasiakkailleen mahdollisesta vuodosta tänään perjantaina, samalla tavalla kuin se lähettää tekstiviestiuutisensa. Asiasta kertoi aiemmin MTV:.
https://www.mtvuutiset.fi/artikkeli/stt-n-tietomurto-aiakkaiden-puhelin-ja-nimitiedot-saattaneet-vuotaa-hakkereille/8482788.
Myös: https://www.is.fi/digitoday/art-2000008988285.html
Tomi Engdahl says:
Asiantuntija STT:n ja Wärtsilän kiristyshyökkäyksistä: Osa tehostettua kampanjaa
https://www.tivi.fi/uutiset/tv/78a60897-d5b5-49ef-b936-452fa526f8e3
Uutistoimisto STT:hen ja Wärtsilään hyökännyt LV-kiristysohjelmaryhmä on lisännyt toimintaansa huomattavasti viime aikoina. Iskuja on tehty muun muassa Euroopassa, Pohjois-Amerikassa sekä Aasiassa.
Tietoturvayhtiö Check Pointin Pohjois- ja Benelux-maiden aluejohtajan Jan Johannsenin mukaan ryhmä käyttää kaksinkertaista kiristysstrategiaa, jossa uhrin verkon salaamisen lisäksi varastetaan arkaluontoisia tietoja ja uhataan myydä ne. Hyökkäys on osa LV-kiristysohjelmaryhmän tehostettua kampanjaa, sillä myös muut organisaatiot joutuvat iskujen kohteeksi Johannsen kirjoittaa.
Tomi Engdahl says:
A major Rogers outage has cut off 25 percent of Canada’s internet traffic https://www.theverge.com/2022/7/8/23199945/rogers-down-outage-internet-issues911-canada
Canadian telecom Rogers is suffering a major outage affecting landline phones, cellular connections, and internet connectivity throughout Canada that started early this morning. Downdetector listed thousands of reports for the issues that flooded in as people started to get up around 5AM ET and couldn’t get online. Rogers first addressed the outage in a tweet from its official support account just before 9AM ET and then went silent for a couple of hours. Its most recent statement about the incident is this tweet that says technical teams are working to restore services “alongside our global technology partners, and are making progress.”. There is still no ETA for restoration, even after services have been available for about 12 hours nationwide.
Tomi Engdahl says:
French telecom company La Poste Mobile struggling to recover from ransomware attack https://therecord.media/french-telecom-company-la-poste-mobile-struggling-to-recover-from-ransomware-attack/
French mobile phone network La Poste Mobile is still struggling to recover from a ransomware attack that has crippled its administrative and management services. The company’s website is down, with a lengthy message to customers explaining that the ransomware attack began on July 4. While service has not been affected, the company noted that customer data may have been accessed. “As soon as we became aware of this incident, we took the necessary protective measures by immediately suspending the computer systems concerned. This protective action has led us to temporarily close our website and our customer area, ” the company said. “Our IT teams are currently diagnosing the situation. Our first analyses establish that our servers essential to the operation of your mobile line have been well protected. On the other hand, it is possible that files present in the computers of La Poste Mobile employees have been affected. Some of them may contain personal data.”
Tomi Engdahl says:
Apache “Commons Configuration” patches Log4Shell-style bug what you need to know https://nakedsecurity.sophos.com/2022/07/08/apache-commons-configuration-toolkit-patches-log4shell-like-bug/
Remember the Log4Shell bug that showed up in Apache Log4j late in 2021? Logfiles are a vital part of development, debugging, record keeping, program monitoring, and, in many industry sectors, of regulatory compliance. Unfortunately, not all text you logged even if it was sent in by an external user, for example as a username in a login form was treated literally. Recently, we saw a similar sort of bug called Follina, which affected Microsoft Windows. Well, the bug CVE-2022-33980, which doesn’t have a catchy name yet, is a very similar sort of blunder in the Apache Commons Configuration toolkit.
Tomi Engdahl says:
Callback Malware Campaigns Impersonate CrowdStrike and Other Cybersecurity Companies https://www.crowdstrike.com/blog/callback-malware-campaigns-impersonate-crowdstrike-and-other-cybersecurity-companies/
On July 8, 2022, CrowdStrike Intelligence identified a callback phishing campaign impersonating prominent cybersecurity companies, including CrowdStrike. The phishing email implies the recipient’s company has been breached and insists the victim call the included phone number. This campaign leverages similar social-engineering tactics to those employed in recent callback campaigns including WIZARD SPIDER’s 2021 BazarCall campaign. This campaign will highly likely include common legitimate remote administration tools (RATs) for initial access, off-the-shelf penetration testing tools for lateral movement, and the deployment of ransomware or data extortion.
Tomi Engdahl says:
Fake copyright complaints push IcedID malware using Yandex Forms https://www.bleepingcomputer.com/news/security/fake-copyright-complaints-push-icedid-malware-using-yandex-forms/
Website owners are being targeted with fake copyright infringement complaints that utilize Yandex Forms to distribute the IcedID banking malware. For over a year, threat actors tracked as TA578 have been conducting these attacks where they use a website’s contact page to send legal threats to convince recipients to download a report of the offending material. These reports allegedly contain proof of DDoS attacks or copyrighted material used without permission but instead infect a target’s device with various malware, including BazarLoader, BumbleBee, and IcedID. This week, BleepingComputer received a new version of the “Copyright infringement” threat pretending to be from Zoho, stating that we are utilizing their copyrighted images.
Tomi Engdahl says:
How data on a billion people may have leaked from a Chinese police dashboard https://www.theregister.com/2022/07/10/stolen_shanghai_police_data/
Details have emerged on how more than a billion personal records were stolen in China and put up for sale on the dark web, and it all boils down to a unprotected online dashboard that left the data open to anyone who could find it. More than 23TB of details apparently stolen from the Shanghai police was put up for sale on the underground Breach Forums by someone with the handle ChinaDan for 10 Bitcoin ($215, 000 at time of writing). The data collection included names, addresses, birthplaces, national ID numbers, cellphone numbers, and details of any related police records. Wall Street Journal reporters were able to confirm at least some of the sample records, made available for free, were valid by calling the victims and confirming their personal details. However, it is still unknown if the entire database is legit.
Tomi Engdahl says:
Canada’s Federal Police Have Been Using Powerful Malware To Snoop On People’s Communications https://www.techdirt.com/2022/07/07/canadas-federal-police-have-been-using-powerful-malware-to-snoop-on-peoples-communications/
The Royal Canadian Mounted Police (RCMP) Canada’s federal Dudley Do-Whatevers is again belatedly admitting it has access to powerful surveillance tech its supposed oversight seems unaware the RCMP possessed. These disclosures by the RCMP often in response to oversight inquiries tend to come months or years after the fact. And that is the case here, as reported by Maura Forrest for Politico. Time passes, the RCMP deploys new surveillance tech, and very eventually the public learns about it. The disclosure is further limited by the RCMP’s refusal to discuss which vendors it’s buying exploits from.
There are only a handful of companies selling exploits that can compromise nearly any phone and every single one of those is currently in deep shit. Some are just facing unending negative news cycles. Some are facing sanctions. A few are facing both.
Tomi Engdahl says:
Scanning 1.7 million Australian domains and finding 1.62 million SPF & DMARC email security issues https://caniphish.com/phishing-resources/blog/australian-spf-scan
About 6 months ago I ran an experiment… I tried to find Australian domains which were vulnerable to IP takeover attacks through dangling SPF IP addresses. This experiment ended up being a huge success and I found 264 Australian organisations were vulnerable to this type of attack. At the outcome of that experiment, I found myself wondering…
what other issues could I find by conducting at-scale scans of Australian SPF & DMARC records? I ended up sitting on this research, but last week I decided to pick up where I left off!
Tomi Engdahl says:
Microsoft says decision to stop blocking Office VBA macros by default is temporary’
https://therecord.media/microsoft-says-decision-to-stop-blocking-office-vba-macros-by-default-is-temporary/
Microsoft said its decision to roll back a popular change that blocked Visual Basic for Applications (VBA) macros by default in a variety of Office apps will be “temporary.” The company faced significant backlash since it announced on Friday that it would be restoring the feature that was instituted earlier this year. “This is a temporary change, and we are fully committed to making the default change for all users, ” the company said in a statement. “We will provide additional details on timeline in the upcoming weeks.”. The company would not answer questions about what prompted the change and if it would be restored before the end of the year.
How to auto block macros in Microsoft Office docs from the internet https://www.bleepingcomputer.com/news/microsoft/how-to-auto-block-macros-in-microsoft-office-docs-from-the-internet/
With Microsoft temporarily rolling back a feature that automatically blocks macros in Microsoft Office files downloaded from the Internet, it is essential to learn how to configure this security setting manually. This article will explain why users should block macros in Internet downloads and how you can block them in Microsoft Office.
Tomi Engdahl says:
US military contractor moves to buy Israeli spy-tech company NSO Group https://www.theregister.com/2022/07/11/l3harris_nso_group/
US security technology provider L3Harris has courted controversial Israeli spyware firm NSO with an aim to buy it, according to reports.
The New York Times claims L3Harris in recent months sent a team to Israel to try to smooth passage of the deal, which was made challenging by US president Joe Biden’s decision to blacklist NSO following the use of its Pegasus software to crack phones of politicians and campaigners. The L3Harris executives delivered a message that the US government offers tacit support of its acquisition bid, although public statements were unlikely, according to five separate sources. The claims run counter to statements from US officials who were said to be outraged to learn about the negotiations for an American company to purchase a blacklisted spy-tech vendor.
Tomi Engdahl says:
Brand-New HavanaCrypt Ransomware Poses as Google Software Update App, Uses Microsoft Hosting Service IP Address as C&C Server https://www.trendmicro.com/en_us/research/22/g/brand-new-havanacrypt-ransomware-poses-as-google-software-update.html
Ransomware is not at all novel, but it continues to be one of the top cyberthreats in the world today. In fact, according to data from Trend Micro Smart Protection Network, we detected and blocked more than 4.4 million ransomware threats across email, URL, and file layers in the first quarter of 2022 a 37% increase in overall ransomware threats from the fourth quarter of 2021. Recently, we found a brand-new ransomware family that employs a similar scheme: It disguises itself as a Google Software Update application and uses a Microsoft web hosting service IP address as its command-and-control (C&C) server to circumvent detection. Our investigation also shows that this ransomware uses the QueueUserWorkItem function, a.NET System.Threading namespace method that queues a method for execution, and the modules of KeePass Password Safe, an open-source password manager, during its file encryption routine. In this blog entry, we provide an in-depth technical analysis of the infection techniques of this new ransomware family, which we have dubbed HavanaCrypt.
Tomi Engdahl says:
Dirty dancing’ in OAuth: Researcher discloses how cyber-attacks can lead to account hijacking https://portswigger.net/daily-swig/dirty-dancing-in-oauth-researcher-discloses-how-cyber-attacks-can-lead-to-account-hijacking
It is possible to perform single-click account hijacking by abusing the OAuth process flow, a security researcher has found. OAuth, also known as Open Authentication, is a framework for managing identities and securing online areas across third-party services. Rather than leverage an account username and password combination, for example, service providers can utilize OAuth to provide temporary and secure access tokens. However, in some scenarios, attackers can abuse OAuth implementations to steal these tokens and perform one-click account hijacking. Detectify writeup:
https://labs.detectify.com/2022/07/06/account-hijacking-using-dirty-dancing-in-sign-in-oauth-flows/
Tomi Engdahl says:
SELECT XMRig FROM SQLServer
https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
In March 2022, we observed an intrusion on a public-facing Microsoft SQL Server. The end goal of this intrusion was to deploy a coin miner.
Although deploying a coin miner on a vulnerable server after successful exploitation is a common objective for threat actors, this intrusion was slightly different and therefore more interesting. US CERT recently published a malware analysis report related to XMRig coin miner on 23rd June 2022
(https://www.cisa.gov/uscert/ncas/analysis-reports/ar22-174a) and a security tip for defending against this threat (https://www.cisa.gov/uscert/ncas/tips/ST18-002). Over the month of March, we observed a cluster of activity targeting MSSQL servers. The activity started via password brute force attempts for the MSSQL SA account. These brute force attempts were observed repeatedly over the month. Examples included one cluster of 24, 000 failed attempts from the same source, over a 27 hour effort, before they finally managed to guess the password.
Tomi Engdahl says:
Microsoft July 2022 Patch Tuesday fixes exploited zero-day, 84 flaws https://www.bleepingcomputer.com/news/microsoft/microsoft-july-2022-patch-tuesday-fixes-exploited-zero-day-84-flaws/
Today is Microsoft’s July 2022 Patch Tuesday, and with it comes fixes for one actively exploited zero-day vulnerability and a total of 84 flaws. Four of the 84 vulnerabilities fixed in today’s update are classified as ‘Critical’ as they allow remote code execution. This month’s Patch Tuesday fixes an actively exploited zero-day elevation of privileges vulnerability. Microsoft classifies a vulnerability as a zero-day if it is publicly disclosed or actively exploited with no official fix available. The actively exploited zero-day vulnerability fixed today is tracked as ‘CVE-2022-22047 – Windows CSRSS Elevation of Privilege Vulnerability.’ “An attacker who successfully exploited this vulnerability could gain SYSTEM privileges, ” explains Microsoft in an advisory published today.