Cyber security news August 2022

This posting is here to collect cyber security news in August 2022.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.

543 Comments

  1. Tomi Engdahl says:

    A Slack Bug Exposed Some Users’ Hashed Passwords for 5 Years >
    https://www.wired.com/story/slack-hashed-passwords-exposed/

    Reply
  2. Tomi Engdahl says:

    Roaming Mantis hits Android and iOS users in malware, phishing attacks https://www.bleepingcomputer.com/news/security/roaming-mantis-hits-android-and-ios-users-in-malware-phishing-attacks/
After hitting Germany, Taiwan, South Korea, Japan, the US, and the U.K., the Roaming Mantis operation moved to targeting Android and iOS users in France, likely compromising tens of thousands of devices.
    Roaming Mantis is believed to be a financially-motivated threat actor that started targeting European users in February. In a recently observed campaign, the threat actor uses SMS communication to lure users into downloading malware on their Android devices. If the potential victim uses iOS, they are redirected to a phishing page for Apple credentials.

    Reply
  3. Tomi Engdahl says:

    Microsoft reminder: Windows Server 20H2 reaches EOS next month https://www.bleepingcomputer.com/news/microsoft/microsoft-reminder-windows-server-20h2-reaches-eos-next-month/
    Microsoft has reminded customers once again that Windows Server, version 20H2, will be reaching its End of Service (EOS) in less than a month, on August 9.

    Reply
  4. Tomi Engdahl says:

    Facebook ads push Android adware with 7 million installs on Google Play https://www.bleepingcomputer.com/news/security/facebook-ads-push-android-adware-with-7-million-installs-on-google-play/
    Several adware apps promoted aggressively on Facebook as system cleaners and optimizers for Android devices are counting millions of installations on Google Play store.

    Reply
  5. Tomi Engdahl says:

    Brisbane teenager built spyware used by domestic violence perpetrators across world, police allege https://www.theguardian.com/australia-news/2022/jul/30/brisbane-teenager-built-spyware-used-by-domestic-violence-perpetrators-across-world-police-allege
    Police allege that a teenager living in the suburbs of Brisbane created and sold a sophisticated hacking tool used by domestic violence perpetrators and child sex offenders to spy on tens of thousands of people across the globe and then used the proceeds to buy takeaway food.

    Reply
  6. Tomi Engdahl says:

Huge network of 11,000 fake investment sites targets Europe https://www.bleepingcomputer.com/news/security/huge-network-of-11-000-fake-investment-sites-targets-europe/
    Researchers have uncovered a gigantic network of more than 11,000 domains used to promote numerous fake investment schemes to users in Europe.

    Reply
  7. Tomi Engdahl says:

    Meta, US hospitals sued for using healthcare data to target ads https://www.bleepingcomputer.com/news/security/meta-us-hospitals-sued-for-using-healthcare-data-to-target-ads/
A class action lawsuit has been filed in the Northern District of California against Meta (Facebook), the UCSF Medical Center, and the Dignity Health Medical Foundation, alleging that the organizations are unlawfully collecting sensitive healthcare data about patients for targeted advertising.

    Reply
  8. Tomi Engdahl says:

    Threat actor claims to have hacked European manufacturer of missiles MBDA https://securityaffairs.co/wordpress/133881/data-breach/mbda-alleged-data-breach.html
MBDA is a European multinational developer and manufacturer of missiles that was the result of the merger of the main French, British and Italian missile systems companies (Aérospatiale-Matra, BAE Systems, and Finmeccanica (now Leonardo)). The name MBDA comes from the initialism of the names of the missile companies: Matra, BAe Dynamics and Alenia.

    Reply
  9. Tomi Engdahl says:

    BlackCat ransomware claims attack on European gas pipeline https://www.bleepingcomputer.com/news/security/blackcat-ransomware-claims-attack-on-european-gas-pipeline/
    The ALPHV ransomware gang, aka BlackCat, claimed responsibility for a cyberattack against Creos Luxembourg S.A. last week, a natural gas pipeline and electricity network operator in the central European country.

    Reply
  10. Tomi Engdahl says:

    VMware urges admins to patch critical auth bypass bug immediately https://www.bleepingcomputer.com/news/security/vmware-urges-admins-to-patch-critical-auth-bypass-bug-immediately/
    VMware has warned admins today to patch a critical authentication bypass security flaw affecting local domain users in multiple products and enabling unauthenticated attackers to gain admin privileges.
    The flaw (CVE-2022-31656) was reported by Petrus Viet of VNG Security, who found that it impacts VMware Workspace ONE Access, Identity Manager, and vRealize Automation.

    Reply
  11. Tomi Engdahl says:

    2 Vendor Hacks Affect Nearly 1.5 Million and Counting
    https://www.bankinfosecurity.com/two-vendor-hacks-affect-nearly-15-million-counting-a-19673
    Two hacking incidents involving vendors providing IT-related and other services to dozens of covered entity clients demonstrate how mounting reliance on third parties creates increased risk to patient data.

    Reply
  12. Tomi Engdahl says:

Over 3,200 apps leak Twitter API keys, some allowing account hijacks https://www.bleepingcomputer.com/news/security/over-3-200-apps-leak-twitter-api-keys-some-allowing-account-hijacks/
    Cybersecurity researchers have uncovered a set of 3,207 mobile apps that are exposing Twitter API keys to the public, potentially enabling a threat actor to take over users’ Twitter accounts that are associated with the app.

    Reply
  13. Tomi Engdahl says:

    Taiwanese government sites disrupted by hackers ahead of Pelosi trip https://therecord.media/taiwanese-government-sites-disrupted-by-hackers-ahead-of-pelosi-trip/
    Several websites run by the government of Taiwan were disrupted by distributed denial-of-service (DDoS) attacks hours before U.S. House Speaker Nancy Pelosi became the first high-ranking U.S. official in 25 years to visit the country.

    Reply
  14. Tomi Engdahl says:

Hackers stole passwords for accessing 140,000 payment terminals https://techcrunch.com/2022/08/01/wiseasy-android-payment-passwords/
    Hackers had access to dashboards used to remotely manage and control thousands of credit card payment terminals manufactured by digital payments giant Wiseasy, a cybersecurity startup told TechCrunch.

    Reply
  15. Tomi Engdahl says:

    Mobile store owner hacked T-Mobile employees to unlock phones https://www.bleepingcomputer.com/news/security/mobile-store-owner-hacked-t-mobile-employees-to-unlock-phones/
    A former owner of a T-Mobile retail store in California has been found guilty of a $25 million scheme where he illegally accessed T-Mobile’s internal systems to unlock and unblock cell phones.

    Reply
  16. Tomi Engdahl says:

    Cisco fixes critical remote code execution bug in VPN routers https://www.bleepingcomputer.com/news/security/cisco-fixes-critical-remote-code-execution-bug-in-vpn-routers/
    Cisco has fixed critical security vulnerabilities affecting Small Business VPN routers and enabling unauthenticated, remote attackers to execute arbitrary code or commands and trigger denial of service (DoS) conditions on vulnerable devices.

    Reply
  18. Tomi Engdahl says:

    Google Patches Critical Android Flaw Allowing Remote Code Execution via Bluetooth https://www.securityweek.com/google-patches-critical-android-flaw-allowing-remote-code-execution-bluetooth
    Google on Monday published a security bulletin describing the latest round of patches for the Android operating system. Three dozen vulnerabilities have been fixed, including a critical issue that can be exploited for remote code execution over Bluetooth.
    The critical vulnerability is tracked as CVE-2022-20345 and it affects the System component. It has been patched with Android 12 and 12L updates.
    According to Google, an attacker does not require additional execution privileges to remotely execute arbitrary code over a Bluetooth attack. No additional details are available about the vulnerability.
    The remaining security bugs have all been assigned a ‘high severity’ rating. They impact components such as Framework, Media Framework, System, Kernel, Imagination Technologies, MediaTek, Unisoc and Qualcomm components. Many of them can lead to privilege escalation or information disclosure.

    Reply
  19. Tomi Engdahl says:

    New ‘ParseThru’ Parameter Smuggling Vulnerability Affects Golang-based Applications https://thehackernews.com/2022/08/new-parsethru-parameter-smuggling.html
    Security researchers have discovered a new vulnerability called ParseThru affecting Golang-based applications that could be abused to gain unauthorized access to cloud-based applications.

    Reply
  20. Tomi Engdahl says:

35,000 code repos not hacked, but clones flood GitHub to serve malware https://www.bleepingcomputer.com/news/security/35-000-code-repos-not-hacked-but-clones-flood-github-to-serve-malware/
    Thousands of GitHub repositories were forked (copied) with their clones altered to include malware, a software engineer discovered today.

    Reply
  21. Tomi Engdahl says:

    Semiconductor manufacturer Semikron hit by LV ransomware attack https://www.bleepingcomputer.com/news/security/semiconductor-manufacturer-semikron-hit-by-lv-ransomware-attack/
    German power electronics manufacturer Semikron has disclosed that it was hit by a ransomware attack that partially encrypted the company’s network.

    Reply
  22. Tomi Engdahl says:

    Thousands of Solana wallets drained in attack using unknown exploit https://www.bleepingcomputer.com/news/security/thousands-of-solana-wallets-drained-in-attack-using-unknown-exploit/
An overnight attack on the Solana blockchain platform drained thousands of software wallets of cryptocurrency worth millions of U.S. dollars.

    Reply
  23. Tomi Engdahl says:

    Microsoft accounts targeted with new MFA-bypassing phishing kit https://www.bleepingcomputer.com/news/security/microsoft-accounts-targeted-with-new-mfa-bypassing-phishing-kit/
A new large-scale phishing campaign targeting credentials for Microsoft email services uses a custom proxy-based phishing kit to bypass multi-factor authentication.

    Reply
  24. Tomi Engdahl says:

    New Linux malware brute-forces SSH servers to breach networks
    https://www.bleepingcomputer.com/news/security/new-linux-malware-brute-forces-ssh-servers-to-breach-networks/
    A new botnet called ‘RapperBot’ is being used in attacks since mid-June 2022, focusing on brute-forcing its way into Linux SSH servers to establish a foothold on the device.
The researchers show that RapperBot is based on the Mirai trojan but deviates from the original malware’s normal behavior, which is uncontrolled propagation to as many devices as possible.
    Instead, RapperBot is more tightly controlled, has limited DDoS capabilities, and its operation appears geared towards initial server access, likely to be used as stepping stones for lateral movement within a network.
    Over the past 1.5 months since its discovery, the new botnet used over 3,500 unique IPs worldwide to scan and attempt brute-forcing Linux SSH servers.
    Mirai-based, but different
    RapperBot proved to be a Mirai fork, but with its own command and control (C2) protocol, unique features, and atypical (for a botnet) post-compromise activity.
    “Unlike the majority of Mirai variants, which natively brute force Telnet servers using default or weak passwords, RapperBot exclusively scans and attempts to brute force SSH servers configured to accept password authentication,” explains the Fortinet report.
    https://www.fortinet.com/blog/threat-research/rapperbot-malware-discovery

    Reply
  25. Tomi Engdahl says:

    Taiwan Defense Ministry says DDoS incident briefly took down network after Pelosi visit https://therecord.media/taiwan-defense-ministry-says-ddos-incident-briefly-took-down-network-after-pelosi-visit/
Taiwan's Ministry of National Defense said its network was taken offline by a distributed denial-of-service (DDoS) incident for about two hours following a visit to the island from U.S. House Speaker Nancy Pelosi. The attack started shortly after Pelosi left the island.
    Chinese government officials were furious about the visit, the first by a high-ranking U.S. official in 25 years, arguing that it violated the country's one China policy. In a statement, Taiwan's Ministry of National Defense said the DDoS attacks began around 11:40 p.m. local time and ended around 12:30 a.m. The ministry said it was working with other agencies and the President's office to defend the government's information security infrastructure.

    Reply
  26. Tomi Engdahl says:

    Hacktivists Deface Chinese Government Website to Welcome Nancy Pelosi to Taiwan https://www.vice.com/amp/en/article/xgyykz/hacktivists-deface-chinese-government-website-to-welcome-nancy-pelosi-to-taiwan
Hackers claiming to be affiliated with the collective Anonymous defaced a Chinese government website in retaliation for alleged cyberattacks on several Taiwanese government websites. On Wednesday, the hackers defaced the website, replacing its content with a message in support of House Speaker Nancy Pelosi's visit to the country. "Taiwan numbah wan!" the message, which is a racist imitation of a Chinese accent that has become a gaming meme, read. "This hack is a retaliation of the DDoS attacks on the presidential website," it continued, according to an archived version of the site.

    Reply
  27. Tomi Engdahl says:

    German Chambers of Industry and Commerce hit by ‘massive’ cyberattack https://www.bleepingcomputer.com/news/security/german-chambers-of-industry-and-commerce-hit-by-massive-cyberattack/
    The Association of German Chambers of Industry and Commerce (DIHK) was forced to shut down all of its IT systems and switch off digital services, telephones, and email servers, in response to a cyberattack.
    DIHK is a coalition of 79 chambers representing companies within the German state, with over three million members comprising businesses ranging from small shops to large enterprises in the country. The organization deals with legal representation, consultation, foreign trade promotion, training, regional economic development, and offers general support services to its members.

    Reply
  28. Tomi Engdahl says:

    So RapperBot, What Ya Bruting For?
    https://www.fortinet.com/blog/threat-research/rapperbot-malware-discovery
    FortiGuard Labs has been tracking a rapidly evolving IoT malware family known as RapperBot since mid-June 2022. This family borrows heavily from the original Mirai source code, but what separates it from other IoT malware families is its built-in capability to brute force credentials and gain access to SSH servers instead of Telnet as implemented in Mirai. In addition, recent samples show that its developers have started adding code to maintain persistence, which is rarely done in other Mirai variants. This provides threat actors with continued access to infected devices via SSH even after the device is rebooted or the malware has been removed.

    Reply
  29. Tomi Engdahl says:

    Several crypto platforms targeted in multimillion-dollar attacks https://therecord.media/several-crypto-platforms-targeted-in-multimillion-dollar-attacks/
A handful of crypto platforms have been hacked over the last 24 hours, resulting in millions of dollars in stolen funds, a day after a brazen attack on the platform Nomad nearly emptied its coffers. The incident that drew the most concern was a wide-ranging attack on thousands of digital wallets. Blockchain security firm PeckShield told The Record that more than 7,000 cryptocurrency wallets had been attacked, leading to a total theft of about $8 million, mostly in Solana's SOL coin.

    Reply
  30. Tomi Engdahl says:

    Pro-PRC HaiEnergy Information Operations Campaign Leverages Infrastructure from Public Relations Firm to Disseminate Content on Inauthentic News Sites https://www.mandiant.com/resources/pro-prc-information-operations-campaign-haienergy
Mandiant has identified an ongoing information operations (IO) campaign leveraging a network of at least 72 suspected inauthentic news sites and a number of suspected inauthentic social media assets to disseminate content strategically aligned with the political interests of the People's Republic of China (PRC). The sites present themselves primarily as independent news outlets from different regions across the world and publish content in 11 languages. Based on technical indicators we detail in this blog, we believe these sites are linked to Shanghai Haixun Technology Co., Ltd., a Chinese public relations (PR) firm.

    Reply
  31. Tomi Engdahl says:

    Attackers leveraging Dark Utilities “C2aaS” platform in malware campaigns https://blog.talosintelligence.com/2022/08/dark-utilities.html
    Dark Utilities, released in early 2022, is a platform that provides full-featured C2 capabilities to adversaries. It is marketed as a means to enable remote access, command execution, distributed denial-of-service (DDoS) attacks and cryptocurrency mining operations on infected systems. Payloads provided by the platform support Windows, Linux and Python-based implementations and are hosted within the Interplanetary File System (IPFS), making them resilient to content moderation or law enforcement intervention. Since its initial release, we’ve observed malware samples in the wild leveraging it to facilitate remote access and cryptocurrency mining.

    Reply
  32. Tomi Engdahl says:

    Cisco Business Routers Found Vulnerable to Critical Remote Hacking Flaws https://thehackernews.com/2022/08/cisco-business-routers-found-vulnerable.html
    Cisco on Wednesday rolled out patches to address eight security vulnerabilities, three of which could be weaponized by an unauthenticated attacker to gain remote code execution (RCE) or cause a denial-of-service (DoS) condition on affected devices. The most critical of the flaws impact Cisco Small Business RV160, RV260, RV340, and RV345 Series routers. Tracked as CVE-2022-20842 (CVSS score: 9.8), the weakness stems from an insufficient validation of user-supplied input to the web-based management interface of the appliances.

    Reply
  33. Tomi Engdahl says:

    Deepwatch ATI detects and responds to never before discovered backdoor deployed using Confluence vulnerability for suspected Espionage https://www.deepwatch.com/labs/deepwatch-ati-detects-and-responds-to-never-before-discovered-backdoor-deployed-using-confluence-vulnerability-for-suspected-espionage/
Deepwatch's Adversary Tactics and Intelligence group (ATI) recently responded to an incident after a suspicious tool, nb.exe (NBTscan, a tool that scans for open NETBIOS nameservers to find open shares), was observed and escalated to the victim, an organization in the research and technical services sector, by Deepwatch Squad analysts. ATI's thorough analysis determined that the attack occurred during the end of May over a seven day period. TAC-040 highly likely exploited a vulnerability in an Atlassian Confluence server. The evidence indicates that the threat actor executed malicious commands with a parent process of tomcat9.exe in Atlassian's Confluence directory.

    Reply
  34. Tomi Engdahl says:

    Unauthenticated Remote Code Execution in a Wide Range of DrayTek Vigor Routers https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/rce-in-dratyek-routers.html
The Trellix Threat Labs Vulnerability Research team has found an unauthenticated remote code execution vulnerability, filed under CVE-2022-32548, affecting multiple DrayTek routers. The attack can be performed without user interaction if the management interface of the device has been configured to be internet facing. A one-click attack can also be performed from within the LAN in the default device configuration. The attack can lead to a full compromise of the device and may lead to a network breach and unauthorized access to internal resources. All the affected models have a patched firmware available for download on the vendor's website.

    Reply
  35. Tomi Engdahl says:

    Cloned Atomic Wallet website is pushing Mars Stealer malware https://www.bleepingcomputer.com/news/security/cloned-atomic-wallet-website-is-pushing-mars-stealer-malware/
    A fake website impersonating the official portal for the Atomic wallet, a popular decentralized wallet that also operates as a cryptocurrency exchange portal, is, in reality, distributing copies of the Mars Stealer information-stealing malware. The phony website was disclosed by a malware researcher known as Dee on Monday, but at the time of writing this, it remains online, serving copies of the said malware.

    Reply
  36. Tomi Engdahl says:

    Woody RAT: A new feature-rich malware spotted in the wild https://blog.malwarebytes.com/threat-intelligence/2022/08/woody-rat-a-new-feature-rich-malware-spotted-in-the-wild/
    The Malwarebytes Threat Intelligence team has identified a new Remote Access Trojan we are calling Woody Rat that has been in the wild for at least one year. This advanced custom Rat is mainly the work of a threat actor that targets Russian entities by using lures in archive file format and more recently Office documents leveraging the Follina vulnerability. Based on a fake domain registered by the threat actors, we know that they tried to target a Russian aerospace and defense entity known as OAK.

    Reply
  37. Tomi Engdahl says:

    GitHub blighted by researcher who created thousands of malicious projects https://nakedsecurity.sophos.com/2022/08/04/github-blighted-by-researcher-who-created-thousands-of-malicious-projects/
    Just over a year ago, we wrote about a cybersecurity researcher who posted almost 4000 pointlessly poisoned Python packages to the popular repository PyPI. This person went by the curious nickname of Remind Supply Chain Risks, and the packages had project names that were generally similar to well-known projects, presumably in the hope that some of them would get installed by mistake, thanks to users using slightly incorrect search terms or making minor typing mistakes when typing in PyPI URLs.

    Reply
  38. Tomi Engdahl says:

    FEMA issues warning to emergency alert system managers that devices could be hacked https://therecord.media/fema-issues-warning-to-emergency-alert-system-managers-that-devices-could-be-hacked/
    The Federal Emergency Management Agency (FEMA) issued a warning this week to participants in the emergency alert system (EAS) that vulnerabilities can be used to allow threat actors to issue alerts over TV, radio, and cable networks. EAS allows the federal government, the president or state-level officials to send out emergency warnings about potential weather issues or AMBER alerts for missing children.
    The alerts are typically sent over broadcast, cable, and satellite TV as well as radio channels and other outlets.

    Reply
  39. Tomi Engdahl says:

    CISA Adds Zimbra Email Vulnerability to its Exploited Vulnerabilities Catalog https://thehackernews.com/2022/08/cisa-adds-zimbra-email-vulnerability-to.html
    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a recently disclosed high-severity vulnerability in the Zimbra email suite to its Known Exploited Vulnerabilities Catalog, citing evidence of active exploitation.
    https://www.cisa.gov/uscert/ncas/current-activity/2022/08/04/cisa-adds-one-known-exploited-vulnerability-catalog

    Reply
  40. Tomi Engdahl says:

    Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations https://www.mandiant.com/resources/likely-iranian-threat-actor-conducts-politically-motivated-disruptive-activity-against
Mandiant identified the ROADSWEEP ransomware family and a Telegram persona which targeted the Albanian government in a politically motivated disruptive operation ahead of an Iranian opposition organization's conference in late July 2022. A previously unknown backdoor CHIMNEYSWEEP and a new variant of the ZEROCLEAR wiper may also have been involved. CHIMNEYSWEEP malware distribution data and decoy content, the operation's timing and politically themed content, and the possible involvement of the ZEROCLEAR wiper indicate an Iranian threat actor is likely responsible.

    Reply
  41. Tomi Engdahl says:

    Facebook finds new Android malware used by APT hackers https://www.bleepingcomputer.com/news/security/facebook-finds-new-android-malware-used-by-apt-hackers/
    Meta (Facebook) has released its Q2 2022 adversarial threat report, and among the highlights is the discovery of two cyber-espionage clusters connected to hacker groups known as ‘Bitter APT’ and APT36 (aka ‘Transparent Tribe’) using new Android malware. These cyberspying operatives use social media platforms like Facebook to collect intelligence (OSINT) or to befriend victims using fake personas and then drag them to external platforms to download malware.

    Reply
  42. Tomi Engdahl says:

    Open Redirect Flaw Snags Amex, Snapchat User Data https://threatpost.com/open-redirect-flaw-snags-amex-snapchat-user-data/180354/
Attackers are exploiting a well-known open redirect flaw to phish people's credentials and personally identifiable information (PII) using American Express and Snapchat domains, researchers have found.
    Threat actors impersonated Microsoft and FedEx among other brands in two different campaigns, which researchers from INKY observed from mid-May through late July, they said in a blog post published online.

    Reply
  43. Tomi Engdahl says:

    Slack resets passwords after exposing hashes in invitation links https://www.bleepingcomputer.com/news/security/slack-resets-passwords-after-exposing-hashes-in-invitation-links/
    Slack notified roughly 0.5% of its users that it reset their passwords after fixing a bug exposing salted password hashes when creating or revoking shared invitation links for workspaces. “When a user performed either of these actions, Slack transmitted a hashed version of their password (not plaintext) to other workspace members,” Slack told BleepingComputer. “Although this data was shared via the new or deactivated invitation link, the Slack client did not store or display this data to members of that workspace.”

    Reply
  44. Tomi Engdahl says:

    Ransomware review: July 2022
    https://blog.malwarebytes.com/threat-intelligence/2022/08/ransomware-review-july-2022/
Malwarebytes Threat Intelligence builds a monthly picture of ransomware activity by monitoring the information published by ransomware gangs on their Dark Web leak sites. This information represents victims who were successfully attacked but opted not to pay a ransom. In July, LockBit maintained the place it has occupied all year as the most active ransomware variant. Notably, BlackBasta, a relatively new ransomware variant that first appeared in April, took the place occupied by Conti for much of the year as the second most active variant.

    Reply
  45. Tomi Engdahl says:

    New GwisinLocker ransomware encrypts Windows and Linux ESXi servers https://www.bleepingcomputer.com/news/security/new-gwisinlocker-ransomware-encrypts-windows-and-linux-esxi-servers/
    A new ransomware family called ‘GwisinLocker’ targets South Korean healthcare, industrial, and pharmaceutical companies with Windows and Linux encryptors, including support for encrypting VMware ESXi servers and virtual machines. The new malware is the product of a lesser-known threat actor dubbed Gwisin, which means “ghost” in Korean. The actor is of unknown origin but appears to have a good knowledge of the Korean language. Also, the attacks coincided with Korean public holidays and occurred during early morning hours, so Gwisin has a good grasp of the country’s culture and business routines.

    Reply
  46. Tomi Engdahl says:

Hackers Exploit Twitter Vulnerability to Expose 5.4 Million Accounts https://thehackernews.com/2022/08/hackers-exploit-twitter-vulnerability.html
    Twitter on Friday revealed that a now-patched zero-day bug was used to link phone numbers and emails to user accounts on the social media platform. “As a result of the vulnerability, if someone submitted an email address or phone number to Twitter’s systems, Twitter’s systems would tell the person what Twitter account the submitted email addresses or phone number was associated with, if any,” the company said in an advisory. Twitter said the bug, which it was made aware of in January 2022, stemmed from a code change introduced in June 2021.
    No passwords were exposed as a result of the incident.

    Reply
  47. Tomi Engdahl says:

    Class Action Targets Experian Over Account Security https://krebsonsecurity.com/2022/08/class-action-targets-experian-over-account-security/
A class action lawsuit has been filed against big-three consumer credit bureau Experian over reports that the company did little to prevent identity thieves from hijacking consumer accounts. The legal filing cites liberally from an investigation KrebsOnSecurity published in July, which found that identity thieves were able to assume control over existing Experian accounts simply by signing up for new accounts using the victim's personal information and a different email address.

    Reply
  48. Tomi Engdahl says:

    UK NHS suffers outage after cyberattack on managed service provider https://www.bleepingcomputer.com/news/security/uk-nhs-suffers-outage-after-cyberattack-on-managed-service-provider/
United Kingdom’s National Health Service (NHS) 111 emergency services are affected by a significant and ongoing outage triggered by a cyberattack that hit the systems of British managed service provider (MSP) Advanced. Advanced’s Adastra client patient management solution, which is used by 85% of NHS 111 services, has been hit by a major outage together with several other services provided by the MSP, according to a status page. “There is a major outage of a computer system that is used to refer patients from NHS 111 Wales to out-of-hours GP providers,” the Welsh Ambulance Services said today.

    Reply
  49. Tomi Engdahl says:

    Microsoft Edge gets better security defaults on less popular sites https://www.bleepingcomputer.com/news/microsoft/microsoft-edge-gets-better-security-defaults-on-less-popular-sites/
    Microsoft is rolling out a new update to the Microsoft Edge Stable Channel over the coming days to improve the web browser’s security defaults when visiting less popular websites. Starting with version 104.0.1293.47, Edge will toggle on the “Basic” level of security when the “Enhance your security on the web” optional browsing mode is enabled in settings. When this mode is toggled on, it provides an additional layer of protection against memory-related vulnerabilities by disabling just-in-time (JIT) JavaScript compilation and enabling extra OS protections when browsing the web and unfamiliar sites.

    Reply
