Cyber security news August 2022

This posting is here to collect cyber security news in August 2022.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.

543 Comments

  1. Tomi Engdahl says:

    Posti vaatii pääsyä jopa vuoden tilitietoihin ja lähettää ne Norjaan – ”Täysin kohtuutonta” https://www.is.fi/digitoday/tietoturva/art-2000008996422.html

    Reply
  2. Tomi Engdahl says:

    The Hacking of Starlink Terminals Has Begun
    https://www.wired.com/story/starlink-internet-dish-hack/

    It cost a researcher only $25 worth of parts to create a tool that allows custom code to run on the satellite dishes.

    SINCE 2018, ELON Musk’s Starlink has launched more than 3,000 small satellites into orbit. This satellite network beams internet connections to hard-to-reach locations on Earth and has been a vital source of connectivity during Russia’s war in Ukraine. Thousands more satellites are planned for launch as the industry booms. Now, like any emerging technology, those satellite components are being hacked.

    Today, Lennert Wouters, a security researcher at the Belgian university KU Leuven, will reveal one of the first security breakdowns of Starlink’s user terminals, the satellite dishes (dubbed Dishy McFlatface) that are positioned on people’s homes and buildings.

    At the Black Hat security conference in Las Vegas, Wouters will detail how a series of hardware vulnerabilities allow attackers to access the Starlink system and run custom code on the devices.

    To access the satellite dish’s software, Wouters physically stripped down a dish he purchased and created a custom hacking tool that can be attached to the Starlink dish. The hacking tool, a custom circuit board known as a modchip, uses off-the-shelf parts that cost around $25. Once attached to the Starlink dish, the homemade printed circuit board (PCB) is able to launch a fault injection attack—temporarily shorting the system—to help bypass Starlink’s security protections. 0

    Reply
  3. Tomi Engdahl says:

    Venäläinen hakkeriryhmä väittää tehneensä jo toisen palvelunestohyökkäyksen kohteena valtioneuvoston julkaisuarkisto
    https://yle.fi/uutiset/3-12571164
    Valtioneuvoston julkaisuarkisto Valtoon kohdistui keskiviikkona iltapäivästä palvelunestohyökkäys. Venäläinen hakkeriryhmä
    Noname057(16) ilmoittautui Telegram-kanavallaan(siirryt toiseen
    palveluun) hyökkäyksen tekijäksi, kohteenaan julkaisut.valtioneuvosto.fi(siirryt toiseen palveluun) -sivusto.
    Kyseessä on sama ryhmä, joka väittää tehneensä tiistaina palvelunestohyökkäyksen eduskunnan verkkosivuille. Valtioneuvosto kertoi Twitterissä iltapäivällä, että sivusto ei välttämättä toimi kunnolla eivätkä julkaisut näy ministeriöiden verkkosivuilla. Kello 17 aikaan valtioneuvosto kertoi Twitterissä sivuston toimivan jälleen normaalisti.

    Reply
  4. Tomi Engdahl says:

    KRP: Tämä hyökkäyksestä edus­kunnan verkko­sivuille tiedetään nyt https://www.is.fi/kotimaa/art-2000008996716.html
    KESKUSRIKOSPOLIISI (KRP) tutkii eduskunnan verkkosivuihin kohdistunutta palvelunestohyökkäystä rikosnimikkeellä tietojärjestelmän häirintä. Poliisi epäilee, että palvelunestohyökkäys toteutettiin kymmenistä IP-osoitteista ulkomailta.
    Palvelunestohyökkäys vaikutti eduskunnan verkkosivujen toimintaan eilen tiistaina. Hyökkäyksen sanoi tehneensä Telegram-viestipalveluun venäjäksi kirjoittava hakkeriryhmä NoName057(16). Ryhmä kirjoitti hyökänneensä Suomen eduskunnan verkkosivuille. Viestissä kerrottiin, että paikalliset tiedotusvälineet olivat uutisoineet hyökkäyksestä.
    Siihen oli myös liitetty linkit Helsingin Sanomien ja Ylen verkkosivustoille.

    Reply
  5. Tomi Engdahl says:

    BlueSky Ransomware: Fast Encryption via Multithreading https://unit42.paloaltonetworks.com/bluesky-ransomware/
    BlueSky ransomware is an emerging family that has adopted modern techniques to evade security defenses. Ransomware is a malicious program designed to encrypt a users data and demand a ransom for the decryption. BlueSky ransomware predominantly targets Windows hosts and utilizes multithreading to encrypt files on the host for faster encryption. In our analysis, we found code fingerprints from samples of BlueSky ransomware that can be connected to the Conti ransomware group. In particular, the multithreaded architecture of BlueSky bears code similarities with Conti v3, and the network search module is an exact replica of it.

    Reply
  6. Tomi Engdahl says:

    Hacker uses new RAT malware in Cuba Ransomware attacks https://www.bleepingcomputer.com/news/security/hacker-uses-new-rat-malware-in-cuba-ransomware-attacks/
    A member of the Cuba ransomware operation is employing previously unseen tactics, techniques, and procedures (TTPs), including a novel RAT (remote access trojan) and a new local privilege escalation tool.
    The threat actor was named Tropical Scorpius by researchers at Palo Alto Networks Unit 42 and is likely an affiliate of the Cuba ransomware operation. Cuba ransomware underwent a minor refresh in Q1 2022, using an updated encryptor with more nuanced options and adding quTox for live victim support. However, Tropical Scorpius marks a shift to new tactics, making the Cuba operation potentially more dangerous and intrusive.

    Reply
  7. Tomi Engdahl says:

    Saitko veronpalautusviestin? Tilisi yritetään tyhjentää
    https://www.iltalehti.fi/tietoturva/a/f6db469b-73e6-4747-95f0-488929dfa058
    Veronpalautuksien maksaminen on alkanut, mikä on saanut huijarit liikkeelle. Rikolliset lähettävät viestejä, jotka on yritetty saada näyttämään siltä, että ne olisivat tulleet Verohallinnolta. Viestissä väitetään, että vastaanottajaa odottaa hyvitys, jonka saamiseksi pitää vierailla viestiin linkatulla sivustolla. Viesti kuuluu kokonaisuudessaan näin:. Veroviranomaiset ovat päättäneet että saat hyvityksen. Saadaksesi tämän summan voit vierailla verkkosivuillamme
    kautta: XXX.. Jos linkkiä seuraa, päätyy kalastelusivustolle, jossa uhria pyydetään kirjautumaan verkkopankkitunnuksilla. Rikolliset yrittävät siis päästä käsiksi uhrin pankkitietoihin ja näin tämän varoihin.

    Reply
  8. Tomi Engdahl says:

    Yesterday, August 8, 2022, Twilio shared that theyd been compromised by a targeted phishing attack. Around the same time as Twilio was attacked, we saw an attack with very similar characteristics also targeting Cloudflares employees https://blog.cloudflare.com/2022-07-sms-phishing-attacks/
    While individual employees did fall for the phishing messages, we were able to thwart the attack through our own use of Cloudflare One products, and physical security keys issued to every employee that are required to access all our applications.. We have confirmed that no Cloudflare systems were compromised. Our Cloudforce One threat intelligence team was able to perform additional analysis to further dissect the mechanism of the attack and gather critical evidence to assist in tracking down the attacker.

    Reply
  9. Tomi Engdahl says:

    CISA warns of Windows and UnRAR flaws exploited in the wild https://www.bleepingcomputer.com/news/security/cisa-warns-of-windows-and-unrar-flaws-exploited-in-the-wild/
    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two more flaws to its catalog of Known Exploited Vulnerabilities, based on evidence of active exploitation. One of them has spent more than two years as a zero-day bug in the Windows Support Diagnostic Tool (MSDT) and it has exploit code publicly available.
    Both security issues have received a high-severity score and are directory traversal vulnerabilities that could help attackers plant malware on a target system.

    Reply
  10. Tomi Engdahl says:

    Sierra Leone internet cut amid anti-government protests https://therecord.media/sierra-leone-internet-cut-amid-anti-government-protests/
    The West African nation of Sierra Leone experienced a near-total internet blackout on Wednesday, in the midst of anti-government protests sparked by the rising cost of living. Internet governance watchdog NetBlocks found that, beginning at noon local time, national connectivity fell to about 5% of its normal level, with multiple mobile and fixed-line Internet operators going dark. Isik Mater, Netblocks director of research, said connectivity was largely restored after approximately two hours, but service remains somewhat impacted..
    According to Mater, the disruption affected providers routed through Sierra Leone Cable, which controls the countrys internet gateway.

    Reply
  11. Tomi Engdahl says:

    APIC/EPIC! Intel chips leak secrets even the kernel shouldnt see https://nakedsecurity.sophos.com/2022/08/10/apic-epic-intel-chips-leak-secrets-even-the-kernel-shouldnt-see/
    Heres this weeks BWAIN, our jocular term for a Bug With An Impressive Name. BWAIN is an accolade that we hand out when a new cybersecurity flaw not only turns out to be interesting and important, but also turns up with its own logo, domain name and website. This one is dubbed ÆPIC Leak, a pun on the words APIC and EPIC. The former is short for Advanced Programmable Interrupt Controller, and the latter is simply the word epic, as in giant, massive, extreme, mega, humongous.

    Reply
  12. Tomi Engdahl says:

    Cisco fixes bug allowing RSA private key theft on ASA, FTD devices https://www.bleepingcomputer.com/news/security/cisco-fixes-bug-allowing-rsa-private-key-theft-on-asa-ftd-devices/
    Cisco has addressed a high severity vulnerability affecting its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. Tracked as CVE-2022-20866, this security flaw is due to a weakness in handling RSA keys on ASA and FTD devices. If successfully exploited, it can let unauthenticated attackers retrieve an RSA private key remotely, which they can use to decrypt the device traffic or impersonate Cisco ASA/FTD devices.. “This vulnerability is due to a logic error when the RSA key is stored in memory on a hardware platform that performs hardware-based cryptography,” Cisco said in a security advisory published on Wednesday.

    Reply
  13. Tomi Engdahl says:

    One of 5Gs Biggest Features Is a Security Minefield https://www.wired.com/story/5g-api-flaws/
    TRUE 5G WIRELESS data, with its ultrafast speeds and enhanced security protections, has been slow to roll out around the world. As the mobile technology proliferatescombining expanded speed and bandwidth with low-latency connectionsone of its most touted features is starting to come in to focus. But the upgrade comes with its own raft of potential security exposures. A massive new population of 5G-capable devices, from smart-city sensors to agriculture robots and beyond, are gaining the ability to connect to the internet in places where Wi-Fi isn’t practical or available. Individuals may even elect to trade their fiber-optic internet connection for a home 5G receiver. But the interfaces that carriers have set up to manage internet-of-things data are riddled with security vulnerabilities, according to research that will be presented on Wednesday at the Black Hat security conference in Las Vegas.

    Reply
  14. Tomi Engdahl says:

    Sergiu Gatlan / BleepingComputer:
    Cisco confirms the Yanluowang ransomware group breached its network in May 2022; Yanluowang claimed to have stolen 2.75GB of data, or ~3.1K files including NDAs — Cisco confirmed today that the Yanluowang ransomware group breached its corporate network in late May and that the actor tried …

    Cisco hacked by Yanluowang ransomware gang, 2.8GB allegedly stolen
    https://www.bleepingcomputer.com/news/security/cisco-hacked-by-yanluowang-ransomware-gang-28gb-allegedly-stolen/

    Cisco confirmed today that the Yanluowang ransomware group breached its corporate network in late May and that the actor tried to extort them under the threat of leaking stolen files online.

    The company revealed that the attackers could only harvest and steal non-sensitive data from a Box folder linked to a compromised employee’s account.

    “Cisco experienced a security incident on our corporate network in late May 2022, and we immediately took action to contain and eradicate the bad actors,” a Cisco spokesperson told BleepingComputer.

    “Cisco did not identify any impact to our business as a result of this incident, including Cisco products or services, sensitive customer data or sensitive employee information, intellectual property, or supply chain operations.

    Stolen employee credentials used to breach Cisco’s network

    The Yanluowang threat actors gained access to Cisco’s network using an employee’s stolen credentials after hijacking the employee’s personal Google account containing credentials synced from their browser.

    The attacker convinced the Cisco employee to accept multi-factor authentication (MFA) push notifications through MFA fatigue and a series of sophisticated voice phishing attacks initiated by the Yanluowang gang that impersonated trusted support organizations.

    The threat actors finally tricked the victim into accepting one of the MFA notifications and gained access to the VPN in the context of the targeted user.

    Once they gained a foothold on the company’s corporate network, Yanluowang operators spread laterally to Citrix servers and domain controllers.

    “They moved into the Citrix environment, compromising a series of Citrix servers and eventually obtained privileged access to domain controllers,” Cisco Talos said.

    After gaining domain admin, they used enumeration tools like ntdsutil, adfind, and secretsdump to collect more information and installed a series of payloads onto compromised systems, including a backdoor.

    Ultimately, Cisco detected and evicted them from its environment, but they continued trying to regain access over the following weeks.

    “After obtaining initial access, the threat actor conducted a variety of activities to maintain access, minimize forensic artifacts, and increase their level of access to systems within the environment,” Cisco Talos added.

    Hackers claim to steal data from Cisco

    Last week, the threat actor behind the Cisco hack emailed BleepingComputer a directory listing of files allegedly stolen during the attack.

    The threat actor claimed to have stolen 2.75GB of data, consisting of approximately 3,100 files. Many of these files are non-disclosure agreements, data dumps, and engineering drawings.

    Today, the extortionists announced the Cisco breach on their data leak site and published the same directory listing previously sent to BleepingComputer.

    https://twitter.com/Cyberknow20/status/1557419082210676736

    No ransomware deployed on Cisco’s systems

    Cisco also said that, even though the Yanluowang gang is known for encrypting their victims’ files, it found no evidence of ransomware payloads during the attack.

    “We assess with moderate to high confidence that this attack was conducted by an adversary that has been previously identified as an initial access broker (IAB) with ties to the UNC2447 cybercrime gang, Lapsus$ threat actor group, and Yanluowang ransomware operators.”

    Reply
  15. Tomi Engdahl says:

    https://www.securityweek.com/sap-patches-information-disclosure-vulnerabilities-businessobjects

    Of the five new security notes, four address information disclosure vulnerabilities, three of which impact SAP’s BusinessObjects Business Intelligence Platform.

    The most severe of these vulnerabilities is CVE-2022-32245 (CVSS score of 8.2), which could allow an unauthenticated attacker “to retrieve sensitive information in plain text over the network,” enterprise application security firm Onapsis notes.

    Reply
  16. Tomi Engdahl says:

    UnRAR Vulnerability Exploited in the Wild, Likely Against Zimbra Servers
    https://www.securityweek.com/unrar-vulnerability-exploited-wild-likely-against-zimbra-servers

    The US Cybersecurity and Infrastructure Security Agency (CISA) revealed on Tuesday that a recently patched vulnerability affecting the UnRAR archive extraction tool is being exploited in the wild.

    The UnRAR vulnerability, tracked as CVE-2022-30333 and described as a path traversal issue, can allow an attacker to write a file anywhere on the filesystem with the privileges of the user executing UnRAR, which can lead to remote code execution. The exploit is triggered when a specially crafted archive file is extracted using UnRAR.

    The security hole was patched by WinRAR developer Rarlab in May and its details were first disclosed in late June by Sonar, the cybersecurity company whose researchers found a way to exploit the flaw against Zimbra email servers.

    CVE-2022-30333 affects any application that uses UnRAR on Linux or UNIX to extract RAR archives, but attacks targeting Zimbra enterprise email servers can have a significant impact.

    Reply
  17. Tomi Engdahl says:

    Intel Patches Severe Vulnerabilities in Firmware, Management Software
    https://www.securityweek.com/intel-patches-severe-vulnerabilities-firmware-management-software

    Intel on Tuesday published 27 security advisories detailing roughly 60 vulnerabilities across firmware, software libraries, and endpoint and data center management products.

    The most severe of these – based on its CVSS score – is a privilege escalation bug in the Intel-maintained Open AMT Cloud Toolkit, an open-source toolkit for integrating OOB management solutions.

    Tracked as CVE-2022-25899 (CVSS score of 9.9), the vulnerability is described as an authentication bypass that an unauthenticated attacker may exploit over the network.

    Intel recommends updating to Open AMT Cloud Toolkit versions 2.0.2 or 2.2.2, which address the security issue.

    Another critical-severity vulnerability that Intel addressed this week impacts its Data Center Manager, a solution for monitoring operational information of devices within data centers.

    The issue – CVE-2022-21225, CVSS score of 9.0 – is described as an improper access control that an authenticated attacker could exploit to escalate privileges via adjacent access.

    The advisory for this vulnerability details three other bugs in Data Center Manager, including another improper access control issue, an improper initialization flaw, and an improper input validation bug.

    https://github.com/orgs/open-amt-cloud-toolkit/repositories

    Reply
  18. Tomi Engdahl says:

    Zero Trust Provider Mesh Security Emerges From Stealth Mode
    https://www.securityweek.com/zero-trust-provider-mesh-security-emerges-stealth-mode

    Israeli cybersecurity startup Mesh Security today emerged from stealth mode with a zero trust posture management (ZTPM) solution that helps organizations implement a zero trust architecture in the cloud.

    Reply
  19. Tomi Engdahl says:

    Security Firm Finds Flaws in Indian Online Insurance Broker
    https://www.securityweek.com/security-firm-finds-flaws-indian-online-insurance-broker

    Last month, a small cybersecurity firm told a major Indian online insurance brokerage it had found critical vulnerabilities in the company’s internet-facing network that could expose sensitive personal and financial data from at least 11 million customers to malicious hackers.

    The little-known firm followed the standard ethical-hacker playbook, giving Policybazaar, the insurance aggregator, time to patch the flaws and inform authorities. It did not seek authorization in advance to test Policybazaar’s system but said it considered itself justified, in part because it had employees who were customers.

    A week later, on July 24, Policybazaar, which is publicly traded and counts the Chinese conglomerate Tencent among its investors, notified India’s stock exchanges it had been illegally breached but “no significant customer data was exposed.”

    It said little more.

    The startup, CyberX9, is not keeping quiet. Its managing director wants Indians to know that the “multiple extremely critical” vulnerabilities were so easy to find it was almost as if Policybazaar intentionally left itself open to criminal or nation-state intrusion.

    Reply
  20. Tomi Engdahl says:

    Cloudflare Also Targeted by Hackers Who Breached Twilio
    https://www.securityweek.com/cloudflare-also-targeted-hackers-who-breached-twilio

    The threat actor that recently breached Twilio systems also targeted Cloudflare, and a few of the web security company’s employees fell for the phishing messages.

    Twilio revealed over the weekend that it became aware of unauthorized access to some of its systems on August 4. An investigation showed that the attackers had tricked some of its employees into providing their credentials, which they then used to access internal systems and obtain customer data.

    The threat actor sent phishing text messages to Twilio employees to trick them into entering their credentials on a malicious website. The messages informed recipients of expired passwords and schedule changes, and pointed to domains that included the words ‘Twilio’, ‘Okta’ and ‘SSO’.

    The enterprise communications firms noted that the attacker, which it described as well organized and sophisticated, “seemed to have sophisticated abilities to match employee names from sources with their phone numbers.”

    Reply
  21. Tomi Engdahl says:

    Organizations Warned of Critical Vulnerabilities in NetModule Routers
    https://www.securityweek.com/organizations-warned-critical-vulnerabilities-netmodule-routers
    Flashpoint is warning organizations of two newly identified critical vulnerabilities in NetModule Router Software (NRSW) that could be exploited in attacks.

    Acquired by Belden earlier this year, NetModule provides IIoT and industrial routers, vehicle routers, and other types of wireless M2M connectivity products.

    All of NetModule’s routers run the Linux-based NRSW by default, and can be managed remotely using a remote management platform.

    According to Flashpoint, its researchers recently identified two critical flaws in NetModule’s router software that remote attackers could exploit to bypass authentication and access administrative functionality.

    Reply
  22. Tomi Engdahl says:

    Vincent Manancourt / Politico:
    Ireland’s data regulator says it received objections from other EU regulators to its draft order to block Meta’s EU-US data sharing, a reprieve for the company

    Europe staves off Facebook blackout — for now
    EU regulators at odds over how to block Meta from sending Europeans’ data to the US.
    https://www.politico.eu/article/europe-eu-avoids-facebook-blackout-social-media/

    Europeans have been saved from a summer shutdown of social media sites Facebook and Instagram by … European Union bureaucracy.

    An Irish draft decision to block the social media sites’ parent company Meta’s data transfers from Europe to the U.S. is stuck in the process, as regulators from across the EU butt heads over the details.

    In July, POLITICO reported that Ireland’s privacy regulator had decided to block Facebook’s owner Meta from using a last legal mechanism called standard contractual clauses (SCCs) to transfer large chunks of data like family pictures and direct messages across the Atlantic. The Irish decision followed a 2020 European Court of Justice ruling that deemed major flows of data between Europe and the U.S. illegal because they expose Europeans to U.S. government surveillance risks.

    Meta has repeatedly said that a decision blocking its transfers would force it to shutter its Facebook and Instagram offerings in Europe.

    But the Irish decision is still pending review by other authorities in Europe. A spokesperson for the Irish regulator said Wednesday that it had received objections from several other EU regulators to its draft order, which effectively delays a final decision to shut down the data flows and buys Facebook time.

    The Irish regulator is now expected to take months to attempt to resolve the objections. It previously has taken the regulator up to four months to attempt to tweak decisions upon request of European peers.

    If the Irish regulator fails to resolve the dissenting opinions, as it has done in the majority of its decisions against Big Tech, it would have to trigger an official dispute resolution mechanism. This would bring in the European Data Protection Board, delaying the process by at least another month.

    All these delays would put Meta within touching distance of being able to keep its data flows to the U.S. alive through a new transatlantic data pact, which negotiators plan to complete within the first quarter of 2023. With the new EU-U.S. data deal in place, Meta and thousands of other companies would be able to use that agreement — not SCCs — to move people’s information across the Atlantic.

    The U.S. social media company could also still appeal the finalized Irish decision.

    Reply
  23. Tomi Engdahl says:

    Tietoturva-asiantuntija: Postin uusi maksupalvelu on kohtuuton – ”Ehdot ovat järkyttävät”
    Posti otti käyttöön Suomessa entuudestaan melko tuntemattoman Neonomics-maksupalvelun, joka pyytää tilisiirron yhteydessä valtavan määrän tilitietoja käyttöönsä.
    https://www.iltalehti.fi/kotimaa/a/b888f97e-2581-48f7-8f3e-39413f626531

    Posti keskeytti uuden maksupalvelunsa käytön lisäselvitysten ajaksi.

    Omaposti-palvelun osaksi otettu maksupalvelu ilmoittaa yksinkertaisen tilisiirron yhteydessä keräävänsä muun muassa tilin yksityiskohtaisen tapahtumahistorian vuoden ajalta. Uudistus on herättänyt närkästystä Omapostin käyttäjissä.

    Norjalainen Neonomics-maksupalvelu otettiin käyttöön toukokuussa. Tämän jälkeen Posti on saanut useita yhteydenottoja liittyen siihen, mitä tietoja asiakkaan luvalla kerätään laskun maksua varten.

    Neonomics kerää vuoden tilitietojen lisäksi tiedot tilinumerosta, valuutasta, tilin saldosta, tilin nimen, tyypin, statuksen, luottorajan sekä viimeisimmän tapahtumapäivämäärän.

    GDPR:n vastaista

    Tietoturva-asiantuntija Petteri Järvinen arvioi tämän olevan kohtuutonta ja EU:n yleisen tietosuoja-asetuksen, GDPR:n, vastaista.

    – Ehdot ovat ihan järkyttävät. Se on eri asia, mitä niillä tiedoilla oikeasti tehdään. Se, että ilmoittaa käyttävänsä vuosi taaksepäin (tilitietoja) ja varaavansa oikeuden kolmeksi kuukaudeksi eteenpäin ja lukee vielä jotain profilointia puoluemaksuista. Se on täysin kohtuutonta.

    Posti ilmoittaa Neonomicsilla olevan EU:n maksupalveludirektiivin PSD2 mukainen toimilupa, jota Finanssivalvonta valvoo.

    Välttämättömät tiedot

    Neonomics on ilmoittanut käyttävänsä vain välttämättömiä tietoja (maksajan nimi, tilinumero ja summa) sekä keräävänsä tietoja asiakkaan luvalla määräajaksi ja ainoastaan laskun maksua varten.

    Järvinen sanoo nimenomaan tämän olevan GDPR:n vastaista. Tietoja ei pitäisi kerätä turhaan. Miksi Neonomics kerää tietoja, joita se ei laskun suorittamiseen tarvitse?

    – Eivät he turhaan niitä kerää. Jotain niillä tehdään.

    Reply
  24. Tomi Engdahl says:

    Posti keskeyttää kyseen­alaisen maksutavan käytön – ”Ymmärrämme asiakkaidemme huolen” https://www.is.fi/digitoday/tietoturva/art-2000008997592.html

    Reply
  25. Tomi Engdahl says:

    Microsoft 365 outage triggered by Meraki firewall false positive
    https://www.bleepingcomputer.com/news/microsoft/microsoft-365-outage-triggered-by-meraki-firewall-false-positive/

    An ongoing outage affects multiple Microsoft 365 services, blocking users from connecting to Exchange Online, Microsoft Teams, Outlook desktop clients, and OneDrive for Business.

    While Microsoft says that this incident has only affected customers in the EMEA (Europe, the Middle East, and Africa) region, users have been reporting server connection issues and sign-in failures worldwide.

    While Microsoft says it’s still investigating the issue, this ongoing outage is most likely linked to a Cisco Meraki firewall Intrusion Detection and Prevention (IDR) false positive blocking Microsoft 365 connections with “Microsoft Windows IIS denial-of-service attempt” alerts.

    “We would like to make you aware of a vulnerability reported by Microsoft CVE-2022-35748 , triggering SNORT rule 1-60381,” a Cisco Meraki employee said on Wednesday.

    “SNORT is correctly protecting your networks from a known vulnerability and therefore operating as intended.

    “Our recommendation at this time is to follow Microsoft’s guidance and ensure that your Servers, OS and software are up to date with the latest security patches.”

    https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2022-35748

    Reply
  26. Tomi Engdahl says:

    While dual ransomware attacks are increasingly common, “this is the first incident we’ve seen where three separate ransomware actors used the same point of entry to attack a single organization,” Sophos X-Ops incident responders said in a report published Wednesday.
    https://news.sophos.com/en-us/2022/08/10/lockbit-hive-and-blackcat-attack-automotive-supplier-in-triple-ransomware-attack/

    Reply
  27. Tomi Engdahl says:

    Zimbra auth bypass bug exploited to breach over 1, 000 servers https://www.bleepingcomputer.com/news/security/zimbra-auth-bypass-bug-exploited-to-breach-over-1-000-servers/
    An authentication bypass Zimbra security vulnerability is actively exploited to compromise Zimbra Collaboration Suite (ZCS) email servers worldwide. According to threat intelligence firm Volexity, attackers have been abusing a ZCS remote code execution flaw tracked as
    CVE-2022-27925 requiring authentication with the help of an auth bypass bug (tracked as CVE-2022-37042 and patched yesterday) as early as the end of June. “Volexity believes this vulnerability was exploited in a manner consistent with what it saw with Microsoft Exchange 0-day vulnerabilities it discovered in early 2021, ” the company’s Threat Research team said. “Initially it was exploited by espionage-oriented threat actors, but was later picked up by other threat actors and used in mass-exploitation attempts.”. Successful exploitation allows the attackers to deploy web shells on specific locations on the compromised servers to gain persistent access.

    Reply
  28. Tomi Engdahl says:

    FBI: Zeppelin ransomware may encrypt devices multiple times in attacks https://www.bleepingcomputer.com/news/security/fbi-zeppelin-ransomware-may-encrypt-devices-multiple-times-in-attacks/
    The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) warned US organizations today that attackers deploying Zeppelin ransomware might encrypt their files multiple times. “The FBI has observed instances where Zeppelin actors executed their malware multiple times within a victim’s network, resulting in the creation of different IDs or file extensions, for each instance of an attack; this results in the victim needing several unique decryption keys, ” a joint advisory published today revealed.
    Detected by the FBI as recently as June 21, Zeppelin is a Ransomware as a Service (RaaS) operation whose malware went through several name changes from VegaLocker to Buran, VegaLocker, Jamper, and now Zeppelin.

    Reply
  29. Tomi Engdahl says:

    7-Eleven Denmark confirms ransomware attack behind store closures https://www.bleepingcomputer.com/news/security/7-eleven-denmark-confirms-ransomware-attack-behind-store-closures/
    7-Eleven Denmark has confirmed that a ransomware attack was behind the closure of 175 stores in the country on Monday. The company did not provide any info on the gang responsible other than confirming that threat actors breached their network and encrypted systems. “This is a so-called ransomware attack, where the criminals have forced access to the network and locked the systems, ” 7-Eleven DK said in a statement on Facebook. “The case is being handled in cooperation with the police, and 7-Eleven is currently not going to go into further detail about the investigation, the scope and the consequences of the attack.”

    Reply
  30. Tomi Engdahl says:

    CopperStealer Distributes Malicious Chromium-based Browser Extension to Steal Cryptocurrencies https://www.trendmicro.com/en_us/research/22/h/copperstealer-distributes-malicious-chromium-browser-extension-steal-cryptocurrencies.html
    TrendMicro published their analysis on CopperStealer distributing malware by abusing various components such as browser stealer, adware browser extension, or remote desktop. Tracking the cybercriminal group’s latest activities, TrendMicro found a malicious browser extension capable of creating and stealing API keys from infected machines when the victim is logged in to a major cryptocurrency exchange website. These API keys allow the extension to perform transactions and send cryptocurrencies from victims’ wallets to the attackers’ wallets. Similar to previous routines, this new component is spread via fake crack (also known as warez) websites. The component is usually distributed in one dropper together with a browser stealer and bundled with other unrelated pieces of malware. This bundle is compressed into a password-protected archive and has been distributed in the wild since July.

    Reply
  31. Tomi Engdahl says:

    Conti Cybercrime Cartel Using ‘BazarCall’ Phishing Attacks as Initial Attack Vector https://thehackernews.com/2022/08/conti-cybercrime-cartel-using-bazarcall.html
    Three different offshoots of the notorious Conti cybercrime cartel have resorted to the technique of call-back phishing as an initial access vector to breach targeted networks. “Three autonomous threat groups have since adopted and independently developed their own targeted phishing tactics derived from the call back phishing methodology, ” cybersecurity firm AdvIntel said in a Wednesday report.
    These targeted campaigns “substantially increased” attacks against entities in finance, technology, legal, and insurance sectors, the company added.

    Reply
  32. Tomi Engdahl says:

    Kavala verohuijaus muutti muotoaan: “Saat valtioneuvoston hyvityksen”
    https://www.is.fi/digitoday/tietoturva/art-2000008998007.html
    VERONPALAUTUSTEN maksaminen sai huijarit liikkeelle, ja tietojenkalastelukampanjasta on varoiteltu useaan kertaan viime kuukausien aikana. Nyt Liikenne- ja viestintävirasto Traficomin Kyberturvallisuuskeskus (KTK) muistuttaa niistä. Kalasteluviestejä on lähetetty sekä organisaatioille että yksityishenkilöille ensimmäisten ilmoitusten saapuessa keskukselle toukokuussa tänä vuonna. KTK:n mukaan viestien kieliasussa on virheitä, joiden tulisi herätellä viestin vastaanottajaa. Huijauksesta on liikkeellä myös muunnos, joka verottajan sijaan tekeytyy valtioneuvoston lähettämäksi. Tekstiviesti näyttää tulevan valtioneuvoston virallisesta lyhyt-/tunnistenumerosta, ja viestissä lukee “Saat Valtioneuvoston hyvityksen 390, 21. Käy osoitteessa [verkko-osoite] Ja suorita suoran palautuksen hakeminen”.

    Reply
  33. Tomi Engdahl says:

    The Hacking of Starlink Terminals Has Begun https://www.wired.com/story/starlink-internet-dish-hack/
    SINCE 2018, ELON Musk’s Starlink has launched more than 3, 000 small satellites into orbit. This satellite network beams internet connections to hard-to-reach locations on Earth and has been a vital source of connectivity during Russia’s war in Ukraine. Today, Lennert Wouters, a security researcher at the Belgian university KU Leuven, will reveal one of the first security breakdowns of Starlink’s user terminals, the satellite dishes (dubbed Dishy McFlatface) that are positioned on people’s homes and buildings. To access the satellite dish’s software, Wouters physically stripped down a dish he purchased and created a custom hacking tool that can be attached to the Starlink dish. The hacking tool, a custom circuit board known as a modchip, uses off-the-shelf parts that cost around $25. Once attached to the Starlink dish, the homemade printed circuit board (PCB) is able to launch a fault injection attacktemporarily shorting the systemto help bypass Starlink’s security protections. This “glitch” allows Wouters to get into previously locked parts of the Starlink system.

    Reply
  34. Tomi Engdahl says:

    Years after claiming DogWalk wasn’t a vulnerability, Microsoft confirms flaw is being exploited and issues patch https://www.bitdefender.com/blog/hotforsecurity/years-after-claiming-dogwalk-wasnt-a-vulnerability-microsoft-confirms-flaw-is-being-exploited-and-issues-patch/
    This week Microsoft finally released a patch for a zero-day security flaw being exploited by hackers, that the company had claimed since
    2019 was not actually a vulnerability. The volte-face from Microsoft relates to “DogWalk”, a remote code execution vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT), affecting all Windows versions going back as far as Windows 7 and Server 2008.
    Successful exploitation of DogWalk can see malicious attackers gain remote code execution on compromised computer systems. Due to the high severity of the DogWalk vulnerability (technically known by Microsoft as CVE-2022-34713), all users of Windows and Windows Server are being urged to ensure systems are properly updated as soon as possible.

    Reply
  35. Tomi Engdahl says:

    UK NHS service recovery may take a month after MSP ransomware attack https://www.bleepingcomputer.com/news/security/uk-nhs-service-recovery-may-take-a-month-after-msp-ransomware-attack/
    Managed service provider (MSP) Advanced confirmed that a ransomware attack on its systems disrupted emergency services (111) from the United Kingdom’s National Health Service (NHS). Customers of seven solutions from the British MSP have been impacted either directly or indirectly, the company said. The ransomware attack started to disrupt Advanced systems on Thursday, August 4 and was identified around 7 AM.
    It caused a major outage to NHS emergency services across the U.K.

    Reply
  36. Tomi Engdahl says:

    Cisco Patches High-Severity Vulnerability in Security Solutions
    https://www.securityweek.com/cisco-patches-high-severity-vulnerability-security-solutions

    Cisco this week announced the release of patches for a high-severity vulnerability in Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software that could allow an unauthenticated attacker to leak an RSA private key.

    The ASA software is the core operating system of Cisco’s ASA security devices, which provide protection to data centers and corporate networks, while the FTD software delivers next-generation firewall services.

    Tracked as CVE-2022-20866, the vulnerability exists because of “a logic error when the RSA key is stored in memory on a hardware platform that performs hardware-based cryptography,” Cisco notes in its advisory.

    A threat actor using a Lenstra side-channel attack against a vulnerable device could exploit the security bug to retrieve the RSA private key.

    “This vulnerability will apply to approximately 5 percent of the RSA keys on a device that is running a vulnerable release of Cisco ASA Software or Cisco FTD Software; not all RSA keys are expected to be affected due to mathematical calculations applied to the RSA key,” Cisco explains.

    Reply
  37. Tomi Engdahl says:

    Critical Vulnerabilities Found in Device42 Asset Management Platform
    https://www.securityweek.com/critical-vulnerabilities-found-device42-asset-management-platform

    Bitdefender warns of multiple critical vulnerabilities in the Device42 asset management platform, including bugs that could be exploited to execute arbitrary code.

    The Device42 platform helps administrators track applications, devices, and hardware, providing them with the ability to manage data center assets, passwords, and services, as well as with device discovery and asset tagging features.

    This week, Bitdefender shared information on three critical vulnerabilities in the Device42 platform and one in the Device42 ApplianceManager console, warning that attackers could exploit these to achieve remote code execution.

    “By exploiting these issues, an attacker could impersonate other users, obtain admin-level access in the application (by leaking session with an LFI) or obtain full access to the appliance files and database (through remote code execution),” Bitdefender says.

    The company’s security researchers discovered that, because the platform did not properly validate provided paths, it was possible to read sensitive files on the server without authentication (CVE-2022-1401).

    Because the platform contained hardcoded Exago encryption keys (CVE-2022-1400), an attacker could chain the two vulnerabilities to access files containing session IDs and decrypt them, and then bypass authentication by using the session information to access the application as an authenticated user.

    Bitdefender also notes that the attacker could then exploit the third vulnerability in Device42 (CVE-2022-1399) to achieve remote code execution “by creating an autodiscovery task (*nix/CISCO NX-OS) with crafted RCE payload as username.”

    Reply
  38. Tomi Engdahl says:

    Palo Alto Networks Firewalls Targeted for Reflected, Amplified DDoS Attacks
    https://www.securityweek.com/palo-alto-networks-firewalls-targeted-reflected-amplified-ddos-attack

    Palo Alto Networks is working on fixes for a reflected amplification denial-of-service (DoS) vulnerability that impacts PAN-OS, the platform powering its next-gen firewalls.

    The company has learned that a threat actor has attempted to abuse firewalls from multiple vendors for distributed denial-of-service (DDoS) attacks. No additional information appears to be available on these attacks and the other impacted firms.

    “Palo Alto Networks recently learned that an attempted reflected denial-of-service (RDoS) attack was identified by a service provider. This attempted attack took advantage of susceptible firewalls from multiple vendors, including Palo Alto Networks,” the company says.

    Tracked as CVE-2022-0028 (CVSS score of 8.6), the vulnerability exists because of a misconfiguration in the PAN-OS URL filtering policy, allowing a network-based attacker to conduct reflected and amplified TCP DoS attacks.

    “The DoS attack would appear to originate from a Palo Alto Networks PA-Series (hardware), VM-Series (virtual) and CN-Series (container) firewall against an attacker-specified target,” Palo Alto Networks explains.

    Exploitation of the vulnerability, the company notes, requires for specific conditions to be met, such as for configurations not typical for URL filtering to be set and packet-based attack protection and flood protection through SYN cookies to not be enabled.

    Reply
  39. Tomi Engdahl says:

    Cisco Hacked by Ransomware Gang, Data Stolen
    https://www.securityweek.com/cybercriminals-breached-cisco-systems-and-stole-data

    According to Cisco, the attacker targeted one of its employees and only managed to steal files stored in a Box folder associated with that employee’s account, as well as employee authentication data from Active Directory. The company claims the information stored in the Box folder was not sensitive.

    For initial access, the attacker targeted the personal Google account of an employee. The hackers obtained the employee’s Cisco credentials via Chrome, which had been configured to sync passwords.

    In order to bypass multi-factor authentication (MFA), the attacker used a technique known as MFA fatigue, where they send a high volume of push requests to the target’s mobile device in hopes that they will accept the request either by accident or in an attempt to silence the notifications. The targeted employee also received multiple phone calls over a period of several days, where the caller — claiming to be associated with a support organization — attempted to trick them into handing over information.

    The attacker managed to enroll new devices for MFA and authenticated to the Cisco VPN. Once that was achieved, they started dropping remote access and post-exploitation tools. The hackers escalated their privileges, created backdoors for persistence, and moved to other systems in the environment, including Citrix servers and domain controllers.

    After the intrusion was detected and the threat actor’s access was terminated, Cisco observed continuous attempts to regain access, but the company says they all failed.”

    Cisco has attributed the attack to an initial access broker with ties to the threat actor UNC2447

    Reply
  40. Tomi Engdahl says:

    OT Security Firm Warns of Safety Risks Posed by Alerton Building System Vulnerabilities
    https://www.securityweek.com/ot-security-firm-warns-safety-risks-posed-alerton-building-system-vulnerabilities

    OT and IoT cybersecurity company SCADAfence has discovered potentially serious vulnerabilities in a widely used building management system made by Alerton, a brand of industrial giant Honeywell.

    Four vulnerabilities have been found in the Alerton Compass software, which is the product’s human-machine interface (HMI), the Ascent Control Module (ACM), and the Visual Logic component. SCADAfence says this is the first time CVE identifiers have been assigned to vulnerabilities in Alerton products.

    SCADAfence will soon publish a blog post detailing its findings. In the meantime, the company has issued a press release that points to National Vulnerability Database entries providing some technical information for each of the four security holes.

    The vulnerabilities, two of which have been rated ‘high severity’, can be exploited by sending specially crafted packets to the targeted system. Remote, unauthenticated attackers can make configuration changes or write unauthorized code on the controller, both of which can lead to changes in the controller’s functionality. If an attacker writes malicious code on the controller, the victim will need to overwrite the program in order to restore the original operational function.

    The cybersecurity firm pointed out that the malicious changes would not be reflected in the user interface, making it more likely for the attack to go unnoticed.

    https://www.securityweek.com/ot-security-firm-warns-safety-risks-posed-alerton-building-system-vulnerabilities

    Reply
  41. Tomi Engdahl says:

    The Guardian:
    Google has agreed to pay $60M to settle a court case with Australia’s ACCC over misleading some Android users about collection of personal location data — The tech giant kept track of some Android phone owners even when their location history was set to ‘off’

    Google to pay $60m fine for misleading Australians about collecting location data
    https://www.theguardian.com/technology/2022/aug/12/google-to-pay-60m-fine-for-misleading-australians-about-collecting-location-data

    The tech giant kept track of some Android phone owners even when their location history was set to ‘off’

    Reply

Leave a Comment

Your email address will not be published. Required fields are marked *

*

*