Cyber security news August 2022

This posting is here to collect cyber security news in August 2022.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.

543 Comments

  1. Tomi Engdahl says:

    Leaked Docs Show Spyware Firm Offering iOS, Android Hacking Services for $8 Million
    https://www.securityweek.com/leaked-docs-show-spyware-firm-offering-ios-android-hacking-services-8-million

    Leaked documents appear to show a little-known spyware company offering services that include Android and iOS device exploits for €8 million (roughly $8 million).

    Exploit brokers and mercenary spyware providers have been in the spotlight recently, mainly due to revelations surrounding the use of the controversial Pegasus solution of Israeli company NSO Group.

    One of NSO’s fairly new competitors is Intellexa, a company founded by Israeli entrepreneur Tal Dilian. The company claims on its website that it’s offering technologies that empower law enforcement and intelligence agencies to ‘help protect communities’. The company says it’s based in the EU and regulated, with six sites and R&D labs in Europe.

    Vx-undergroud, which provides malware source code and other cybersecurity resources, posted some screenshots on Twitter on Wednesday showing several documents apparently representing a commercial proposal from Intellexa.

    Reply
  2. Tomi Engdahl says:

    Cisco Patches High-Severity Vulnerabilities in Business Switches
    https://www.securityweek.com/cisco-patches-high-severity-vulnerabilities-business-switches

    Cisco this week announced patches for two vulnerabilities impacting the NX-OS software that powers its Nexus-series business switches.

    Impacting the OSPF version 3 (OSPFv3) feature of NX-OS, the first of these issues is tracked as CVE-2022-20823 and could be exploited remotely, without authentication, to cause a denial-of-service (DoS) condition.

    The flaw exists due to incomplete input validation of specific OSPFv3 packets, allowing an attacker to send a malicious OSPFv3 link-state advertisement (LSA) to a vulnerable device in order to trigger the bug.

    “A successful exploit could allow the attacker to cause the OSPFv3 process to crash and restart multiple times, causing the affected device to reload and resulting in a DoS condition,” Cisco notes in an advisory.

    The tech giant also notes that the OSPFv3 feature is disabled by default and that an attacker can exploit the vulnerability if they can “establish a full OSPFv3 neighbor state with an affected device”.

    The second NX-OS vulnerability that Cisco addressed this week can also be exploited to cause a DoS condition. Tracked as CVE-2022-20824, the bug resides in the Cisco Discovery Protocol feature and impacts the FXOS software as well.

    Reply
  3. Tomi Engdahl says:

    Googlen pilveen kohdistui historian suurin verkkohyökkäys
    https://etn.fi/index.php/13-news/13925-googlen-pilveen-kohdistui-historian-suurin-verkkohyoekkaeys

    Muutaman viime vuoden aikana Google on havainnut, että hajautetut palvelunestohyökkäykset (DDoS) yleistyvät ja niiden koko kasvaa eksponentiaalisesti. Nyt yhtiö kertoo, että kesäkuun ensimmäisenä päivänä sen pilviasiakkaaseen kohdistettiin sarja HTTPS DDoS -hyökkäyksiä, jotka huipussaan yltyivät 46 miljoonaa pyyntöön sekunnissa.

    Tämä on suurin tähän mennessä raportoitu Layer 7 DDoS -hyökkäys ja itse asiassa 76 prosenttia suurempi kuin mikään aiemmin raportoitu. Hyökkäyksen laajuuyya kuvaa se, että sama liikenne tulisi, mikäli sivusto vastaanottaisi kaikki päivittäiset pyynnöt Wikipediaan 10 sekunnin aikana.

    Asiakkaan sivusto oli kuitenkin suojattu Cloud Armor Adaptive Protection -ratkaisulla, Google kertoo. Se pystyi havaitsemaan ja analysoimaan liikenteen varhaisessa vaiheessa hyökkäyksen elinkaaren aikana. Cloud Armor varoitti asiakasta suositellulla suojasäännöllä, joka otettiin käyttöön ennen kuin hyökkäys nousi täyteen voimakkuuteensa. Suojaus siis esti hyökkäyksen.

    Hyökkäys alkoi niin, että asiakkaan IP-liikennettä tasapainottavaan ja jakavaan HTTP/S Load Balanceriin kohdistui ensin yli 10 000 pyyntöä sekunnissa. Kahdeksan minuuttia myöhemmin pyyntöjen määrä kasvoi 100 000 pyyntöön sekunnissa. Cloud Armor -suojaus havaitsi hyökkäyksen ja loi hyökkäyksen allekirjoituksen sisältävän hälytyksen arvioimalla liikennettä useiden kymmenien ominaisuuksien ja attribuuttien kautta. Hälytys sisälsi myös suositellun säännön haitallisen allekirjoituksen estämiseksi.

    Reply
  4. Tomi Engdahl says:

    DoorDash hit by data breach linked to Twilio hackers
    Hackers accessed DoorDash customer information and some partial payment data
    https://techcrunch.com/2022/08/25/doordash-customer-data-breach-twilio/

    Reply
  5. Tomi Engdahl says:

    Meta Takes Offensive Posture With Privacy Red Team
    Engineering manager Scott Tenaglia describes how Meta extended the security red team model to aggressively protect data privacy.
    https://www.darkreading.com/edge/meta-takes-offensive-posture-with-privacy-red-team

    Reply
  6. Tomi Engdahl says:

    Class-Action Lawsuit Accuses Oracle of Tracking 5 Billion People
    The company stands accused of earning billions from a ‘Worldwide Surveillance Machine.’
    https://uk.pcmag.com/security/142225/oracle-faces-class-action-lawsuit-over-tracking-5-billion-people

    Reply
  7. Tomi Engdahl says:

    Binance exec says scammers made a ‘deep fake hologram’ of him to fool victims
    That wasn’t actually me on a Zoom call, it was a malicious AI clone built from TV interviews, claims PR
    https://www.theregister.com/2022/08/23/binance_deepfake_scam/

    Reply
  8. Tomi Engdahl says:

    This app beeps every time your computer sends data to Google
    https://9to5google.com/2022/08/22/app-beeps-send-data-google/

    Reply
  9. Tomi Engdahl says:

    Microsoft finds critical hole in operating system that for once isn’t Windows
    Oh wow, get a load of Google using strcpy() all wrong – strcpy! Haha, you’ll never ever catch us doing that
    https://www.theregister.com/2022/08/23/microsoft_chromeos_bug/

    Reply
  10. Tomi Engdahl says:

    Britain’s AA president takes the “microwave” measure to prevent keyless car theft
    Signal-blocking bags and metal cases aren’t enough
    https://www.techspot.com/news/95542-britain-aa-president-takes-extra-measures-prevent-keyless.html

    Reply
  11. Tomi Engdahl says:

    Emergency Alert System
    (EAS) Vulnerability
    https://content.govdelivery.com/accounts/USDHSFEMA/bulletins/3263326

    We recently became aware of certain vulnerabilities in EAS encoder/decoder devices that, if not updated to most recent software versions, could allow an actor to issue EAS alerts over the host infrastructure (TV, radio, cable network).

    Reply
  12. Tomi Engdahl says:

    TIME:
    An interview with Twitter whistleblower Peiter Zatko; some current and former Twitter employees say his allegations are misleading, overblown, or lack context — Peiter Zatko, the Twitter whistle-blower, is a black belt in jiu-jitsu. The day before his complaint against the social media company …

    The Twitter Whistleblower Needs You to Trust Him
    https://time.com/6208696/twitter-whistleblower-peiter-mudge-zatko-musk-interview/

    Peiter Zatko, the Twitter whistle-blower, is a black belt in jiu-jitsu. The day before his complaint against the social media company was published, Zatko was sitting in his lawyer’s office in Washington, scrolling through his camera roll to find a photo of his legs locked around someone’s neck. The move is called a side-triangle. It’s totally safe, he says, because the opponent will black out before a lack of blood flow to the brain can cause any lasting damage. One of the things Zatko likes about the martial art, he explains, is that it’s less about brute strength than finding creative ways to maneuver your opponent into a weaker position.

    That talent translates to cybersecurity. In Nov. 2020, Zatko, the hacker known as “Mudge,” was hired as Twitter’s security lead, with a global remit to fix gaping vulnerabilities in one of the world’s most important communications platforms. But 14 months later, he was fired. Six months after that, he filed a sweeping whistle-blower complaint that paints a damning portrait of a company in crisis. In an 84-page complaint to federal regulatory agencies and the Department of Justice, which was first reported by the Washington Post and CNN and which TIME obtained from a congressional source, he describes Twitter as crippled by rudderless and dishonest leadership, beset by “egregious” privacy and security flaws, tainted by foreign influence, a danger to national security, and susceptible even to total collapse.

    Zatko says he felt an ethical duty to come forward. “Being a public whistle-blower is the last resort, something that I would only ever do after I had exhausted all other means,”

    Twitter quickly hit back. Zatko was fired for “ineffective leadership and poor performance,” CEO Parag Agrawal wrote in an email to employees, calling the disclosures a “false narrative that is riddled with inconsistencies and inaccuracies” and presented out of context. “Mudge was accountable for many aspects of this work that he is now inaccurately portraying more than six months after his termination,” Agrawal said.

    Mike Masnick / Techdirt:
    Peiter Zatko’s whistleblower report is framed as though it supports Musk’s claims that Twitter is lying about spam, but the details actually show the opposite — We already wrote a long story looking at many of the eye-opening claims from Peiter “Mudge” Zatko in his whistleblower report …

    Twitter Whistleblowing Report Actually Seems To Confirm Twitter’s Legal Argument, While Pretending To Support Musk’s
    https://www.techdirt.com/2022/08/24/twitter-whistleblowing-report-actually-seems-to-confirm-twitters-legal-argument-while-pretending-to-support-musks/

    Reply
  13. Tomi Engdahl says:

    Tonya Riley / CyberScoop:
    Analysis of data sent to the FCC: 10 of the top 15 US carriers collect geolocation data and don’t let users opt out; most keep the data for two years on average — Ten of the top 15 mobile carriers collect geolocation data and provide no way for consumers to opt-out, according to information …

    https://www.cyberscoop.com/fcc-geolocation-data-verizon-t-mobile/

    Reply
  14. Tomi Engdahl says:

    33 miljoonan käyttäjän sala­sana­palvelu hakkeroitiin https://www.is.fi/digitoday/tietoturva/art-2000009028955.html
    SALASANAPALVELU LastPass kertoo joutuneensa tietomurron uhriksi.
    Yhtiön toimitusjohtaja Karim Toubba kertoo, että LastPass havaitsi outoa liikennettä kehitysympäristössään kaksi viikkoa sitten. Yhtiö käynnisti nopeasti turvatoimet ja alkoi tutkia tapahtunutta. Toubban mukaan tällä hetkellä tilanne näyttää siltä, ettei murtautuja ole onnistunut anastamaan salasanoja tai asiakkaiden tietoja. Myöskään käyttäjien salasanoihin käsiksi pääsemiseen vaadittuja pääsalasanoja ei murrossa vuotanut. Sen sijaan murtautuja onnistui varastamaan LastPassin lähdekoodia ja joitakin yhtiön salaisia teknisiä tietoja.
    Hyökkääjä käytti tietojen ryöstöön eräältä kehittäjältä anastamaansa käyttäjätunnusta, mutta toistaiseksi yhtiö ei kerro, miten siihen oli päästy käsiksi.

    Reply
  15. Tomi Engdahl says:

    Porkkalan saarten nimet korvautuivat venäläisillä Google Mapsissa https://www.is.fi/digitoday/art-2000009030340.html
    GOOGLE Mapsista paljastui perjantaina erikoinen yksityiskohta: Kolmen Porkkalanniemen edustalta löytyvän saaren nimet olivat vaihtuneet venäjänkieliseen muotoonsa. Tiedossa ei ole, milloin saarten nimet ovat sovelluksessa vaihtuneet, eikä myöskään sitä kuka tai mikä syy vaihtamisen taustalta löytyy. Google Mapsissa paikkojen nimiä voi vaihtaa ilmoittamalla virheistä, joten oletettavasti myös näiden saarten tapauksessa näin on tehty. Mikäli nimenvaihdoksen takana olisi tarkoituksellinen häiriköinti, ei kyseessä olisi ensimmäinen kerta tänä vuonna.

    Reply
  16. Tomi Engdahl says:

    IPhonen turvatila voikin toimia itseään vastaan
    https://www.tivi.fi/uutiset/tv/499c4152-ff1f-45c7-bc21-2e034ad036a6
    Yksityisyysaktivisti ja verkon yksityisyyteen erikoistuneen Cryptee-yhtiön toimitusjohtaja John Ozbay pisti pystyyn verkkosivun, joka havainnollistaa ongelmaa. Sivu voi tunnistaa tietyistä seikoista, onko laitteessa käytössä suojaustila. Ozbayn mukaan helpoimpia keinoja on havaita se, ettei laite sivuille saapuessaan lataa sivun erikoisfontteja. Kun suojaustilaa käyttävä laite on kerran havaittu, siitä tulee vakoilijoille välittömästi mielenkiinnon kohde ja sen ip-osoite tallentuu sivujen ylläpitäjälle.

    Reply
  17. Tomi Engdahl says:

    The number of companies caught up in in recent hacks keeps growing https://arstechnica.com/information-technology/2022/08/the-number-of-companies-caught-up-in-the-twilio-hack-keeps-growing/
    In recent weeks, security provider Twilio revealed it was breached by well resourced phishers, who used their access to steal data from 163 of its customers. Security firm Group-IB, meanwhile said that the same phishers who hit Twilio breached at least 136 companies in similar advanced attacks. Three companies — Twilio-owned Authy, password manager LastPass, and food delivery network DoorDash in recent days have all disclosed data breaches that appear to be related to the same activity. Authentication service Okta and secure messenger provider Signal, both recently said their data was accessed as a result of the Twilio breach.

    Why the Twilio Breach Cuts So Deep
    https://www.wired.com/story/twilio-breach-phishing-supply-chain-attacks/
    THE COMMUNICATION COMPANY Twilio suffered a breach at the beginning of August that it says impacted 163 of its customer organizations. Out of Twilio’s 270, 000 clients, 0.06 percent might seem trivial, but the company’s particular role in the digital ecosystem means that that fractional slice of victims had an outsized value and influence. The secure messaging app Signal, two-factor authentication app Authy, and authentication firm Okta are all Twilio customers that were secondary victims of the breach. “The biggest point here is the fact that SMS was used as the initial attack vector in this campaign instead of email, ” says Crane Hassold, director of threat intelligence at Abnormal Security and a former digital behavior analyst for the FBI.
    “We’ve started to see more actors pivoting away from email as initial targeting and as text message alerts become more common within organizations it’s going to make these types of phishing messages more successful. Anecdotally, I get text messages from different companies I do business with all the time now, and that wasn’t the case a year ago.”

    Reply
  18. Tomi Engdahl says:

    CISA: Vulnerability in ​​Delta Electronics ICS Software Exploited in Attacks
    https://www.securityweek.com/cisa-vulnerability-delta-ics-software-exploited-attacks

    A vulnerability affecting industrial automation software from Delta Electronics appears to have been exploited in attacks, and the US Cybersecurity and Infrastructure Security Agency (CISA) is urging organizations to take action as soon as possible.

    CISA on Thursday added 10 security flaws to its Known Exploited Vulnerabilities Catalog and instructed federal agencies to address them by September 15.

    One of the flaws is CVE-2021-38406, a high-severity remote code execution vulnerability affecting the Delta Electronics DOPSoft 2 software, which is used for designing and programming human-machine interfaces (HMIs). The vulnerability is an out-of-bounds write issue and it can be exploited by getting the targeted user to open a specially crafted project file.

    Reply
  19. Tomi Engdahl says:

    New ‘Agenda’ Ransomware Customized for Each Victim
    https://www.securityweek.com/new-agenda-ransomware-customized-each-victim

    Cybersecurity company Trend Micro is raising the alarm on a new ransomware family called Agenda, which has been used in attacks on organizations in Asia and Africa.

    Written in the Golang (Go) cross-platform programming language, the threat has the ability to reboot systems in safe mode and to stop server-specific processes and services.

    Agenda targets Windows-based systems and has been used in attacks against healthcare and education organizations in Indonesia, Saudi Arabia, South Africa, and Thailand.

    More importantly, Trend Micro says the observed samples have been customized for each victim, with the requested ransom amount being different for each victim as well – it ranges between $50,000 and $800,000.

    “Every ransomware sample was customized for the intended victim. Our investigation showed that the samples had leaked accounts, customer passwords, and unique company IDs used as extensions of encrypted files,” Trend Micro notes.

    New Golang Ransomware Agenda Customizes Attacks
    https://www.trendmicro.com/en_us/research/22/h/new-golang-ransomware-agenda-customizes-attacks.html

    A new ransomware written in the Go language has been targeting healthcare and education enterprises in Asia and Africa. This ransomware is called Agenda and is customized per victim.

    Reply
  20. Tomi Engdahl says:

    Iranian Government Hackers Exploit Log4Shell in SysAid Apps for Initial Access
    https://www.securityweek.com/iranian-government-hackers-exploit-log4shell-sysaid-apps-initial-access

    A threat group linked to the Iranian government appears to be the first to exploit the Log4Shell vulnerability in SysAid applications for initial access to the targeted organizations.

    The Log4Shell vulnerability affecting the Apache Log4j logging utility came to light in December 2021. The flaw, identified as CVE-2021-44228, can be exploited for remote code execution and it has been leveraged by both profit-driven cybercriminals and state-sponsored cyberspies.

    Log4Shell impacts the products of several major companies that use Log4j, but in many attacks the vulnerability has been exploited against affected VMware software.

    Microsoft said the threat actor it tracks as Mercury has been known to exploit Log4j vulnerabilities, but it has done so against vulnerable VMware software, and this seems to be the first time they have targeted SysAid apps. The tech giant assesses with ‘moderate confidence’ that the hackers have exploited SysAid server instances.

    Reply
  21. Tomi Engdahl says:

    Ransomware Operator Abuses Anti-Cheat Driver to Disable Antiviruses
    https://www.securityweek.com/ransomware-operator-abuses-anti-cheat-driver-disable-antiviruses

    A vulnerable anti-cheat driver for the Genshin Impact video game has been abused by a threat actor to disable antivirus programs to facilitate the deployment of ransomware, cybersecurity firm Trend Micro reports.

    The driver, mhyprot2.sys, provides anti-cheat functions, but can be used to bypass privileges from user mode to kernel mode and to kill the processes and services associated with endpoint protection applications.

    The use of the driver, Trend Micro notes, is independent of the Genshin Impact game, and remains on user devices even after the game has been uninstalled.

    According to the cybersecurity firm, the driver is signed with a valid certificate, meaning that it continues to work on users’ computers, thus exposing them to malicious abuse. What’s more, Trend Micro believes that other malware families might soon start targeting it as well.

    Reply
  22. Tomi Engdahl says:

    Atlassian Ships Urgent Patch for Critical Bitbucket Vulnerability
    https://www.securityweek.com/atlassian-ships-urgent-patch-critical-bitbucket-vulnerability

    Atlassian’s security response team has issued an urgent advisory to warn of a critical command injection flaw in its Bitbucket Server and Data Center product.

    The vulnerability carries a CVSS severity score of 9.9 out of 10 and can be exploited remotely to launch code execution attacks, Atlassian said.

    Atlassian said the security defect, tracked as CVE-2022-36804, was introduced in version 7.0.0 of Bitbucket Server and Data Center.

    Reply
  23. Tomi Engdahl says:

    Twitter, Meta Remove Accounts Linked to US Influence Operations: Report
    https://www.securityweek.com/twitter-meta-remove-accounts-linked-us-influence-operations-report

    For years, hundreds of Twitter, Facebook and Instagram accounts engaged in manipulation and spam that promoted pro-Western narratives, a new report from Graphika and the Stanford Internet Observatory (SIO) reveals.

    As part of multiple covert campaigns, the troll farms were using deceptive tactics to promote pro-Western narratives to social media users in the Middle East and Central Asia. Two overlapping sets of accounts were removed in July and August 2022 by Twitter and Facebook parent Meta, Graphika and SIO report.

    “These campaigns consistently advanced narratives promoting the interests of the United States and its allies while opposing countries including Russia, China, and Iran,” the report reads.

    Reply
  24. Tomi Engdahl says:

    Montenegro Reports Massive Russian Cyberattack Against Govt
    https://www.securityweek.com/montenegro-reports-massive-russian-cyberattack-against-govt

    Montenegro’s security agency warned Friday that hackers from Russia have launched a massive, coordinated cyberattack against the small nation’s government and its services.

    The Agency for National Security, or ANB, said Montenegro is “under a hybrid war at the moment.”

    The Adriatic Sea state, once considered a strong Russian ally, in 2017 joined NATO despite strong opposition from Moscow. It has also joined Western sanctions against Russia for its invasion of Ukraine.

    In addition to most European countries, Russia has added Montenegro to its list of “enemy states” for acting against Kremlin’s interests.

    Reply
  25. Tomi Engdahl says:

    DoorDash Discloses Data Breach Related to Attack That Hit Twilio, Others
    https://www.securityweek.com/doordash-data-compromised-following-twilio-hack

    Reply
  26. Tomi Engdahl says:

    https://hackaday.com/2022/08/26/this-week-in-security-in-mudge-we-trust-dont-trust-that-app-browser-and-firefox-at-pwn2own/

    Mudge was terminated at Twitter January 2022, and it seems he immediately started putting together a whistleblower complaint. You can access his complaint packet on archive.org, with whistleblower_disclosure.pdf (PDF, and mirror) being the primary document. There are some interesting tidbits in here, like the real answer to how many spam bots are on Twitter: “We don’t really know.” The very public claim that “…<5% of reported mDAU for the quarter are spam accounts” is a bit of a handwave, as the monetizable Daily Active Users count is essentially defined as active accounts that are not bots. Perhaps Mr. Musk has a more legitimate complaint than was previously thought.

    https://archive.org/download/whistleblower_disclosure

    Reply
  27. Tomi Engdahl says:

    Bill Toulas / BleepingComputer:
    Kaspersky details how the North Korean Kimsuky threat actors use a multi-stage validation scheme to ensure their malware is only downloaded by specific targets

    How ‘Kimsuky’ hackers ensure their malware only reach valid targets
    https://www.bleepingcomputer.com/news/security/how-kimsuky-hackers-ensure-their-malware-only-reach-valid-targets/

    Reply
  28. Tomi Engdahl says:

    “Sanna Marin on tietoturvariski” | Petteri Järvinen
    https://www.youtube.com/watch?v=CDMpGy_2NGs

    Reply
  29. Tomi Engdahl says:

    Danske Bankin sovellus mahdollistaa huijaukset Suomessa: ”Onhan tämä noloa” https://www.is.fi/digitoday/tietoturva/art-2000009035059.html

    Helsinkiläinen Haaja kertoo tapauksesta LinkedInissä. Hän myi vanhan MacBook Pronsa 1 150 eurolla, ja ostaja maksoi sen hakiessaan Danske Bankin verkkopankki­sovelluksella. Paitsi että kyseessä oli verkkopankin testaamiseen tarkoitettu julkinen sovellus ja mitään maksua ei koskaan tapahtunut.

    Lopputuloksena Haaja menetti kannettavansa ja luottamuksensa Danskeen.

    – Ostaja otti kännykästään Danske Bankin applikaation. Hänen tilillä näytti olevan rahaa, ja näpyttelin itse tilinumeroni, ja maksu tapahtui. Otin jopa kuvan maksusuorituksesta. Rahoja ei kuitenkaan kuulunut, Haaja kirjoittaa.

    Jälkikäteen hän tajusi, että kyseessä on sama huijaus, josta Helsingin Sanomat kirjoitti kesäkuun alussa. Silloin uhrina oli iPhone 13 -puhelinta myynyt perhe. Haajan kirjoitusta on kahdessa päivässä kommentoitu LinkedInissä runsaasti, ja joukossa on useampi kertomus muista samanlaisista vedätyksistä.

    KYSEESSÄ on Danske Bankin vuosia vanha verkkopankin demosovellus, jota ei ole selvästi merkitty sellaiseksi. Nykyisessä versiossa on näkyvä punainen demoleima, ja alkuperäinen sovellus pakotetaan päivittymään uuteen.

    Ongelma vain on, että alkuperäinen sovellus toimii myös ilman verkkoyhteyttä. Eli jos puhelimen pitää irti verkosta, voi alkuperäistä sovellusta yhä käyttää. Danske veti sovelluksen pois virallisista sovelluskaupoista, mutta ei ole tiedossa, kuinka monella se on edelleen käytössään.

    Reply

Leave a Reply to Tomi Engdahl Cancel reply

Your email address will not be published. Required fields are marked *

*

*