This posting is here to collect cyber security news in August 2022.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
543 Comments
Tomi Engdahl says:
Kristin Robinson / Billboard:
Docs and sources: how two men in Phoenix, Arizona ran one of the largest known YouTube music royalty scams, leading to a 30-count indictment in November 2021
How Did Two Unknown Latin Music Operators Make $23 Million From YouTube? The IRS Says They Stole It
https://www.billboard.com/pro/youtube-fraud-royalties-scam-irs-latin-chenel-yenddi-mediamuv-adrev/
Inside the brazen but surprisingly simple scheme that took royalties from songs by artists like Daddy Yankee, Anuel AA, Julio Iglesias and more.
Their newfound flashy lifestyles understandably sparked considerable gossip among those who work in Phoenix’s music business, like Ricardo, who couldn’t fathom why Teran and Batista were suddenly living so much larger than everyone else. “Phoenix is one of the main points for drug smuggling. So my first thought was, ‘Oh, they’re doing something like that,’ or maybe they won the lottery and they’re not telling people,” Ricardo remembers. “It just didn’t make any sense to me.”
In November 2021, the source of the duo’s newfound wealth was revealed: according to the government, Teran and Batista had been running what is now one of the largest – if not the largest – known YouTube music royalty scams in history, one that led to an investigation by the IRS and their indictment that month on 30 counts of conspiracy, wire fraud, money laundering and aggravated identity theft.
According to documents filed in Arizona federal court, over about a four-year period, Teran and Batista (along with a number of alleged conspirators) devised a company they called MediaMuv to siphon off $23 million in master and publishing royalties for Latin music copyrights they did not control. Much of these royalties were claimed through the popular rights management company AdRev, which is owned by Downtown Music Holdings. Teran, whose attorneys did not respond to requests for comment, pleaded not guilty and awaits trial in November. Batista, on the other hand, took a plea deal on April 21, admitting guilt to one count of wire fraud and one count of conspiracy. As part of the plea agreement, he revealed key insights to the court as to how the MediaMuv scam was committed. Batista’s attorney and an IRS representative declined to comment on this story because the case is still ongoing.
The indictments and Batista’s plea deal took some in the Latin music industry by surprise. A representative from Puerto Rican rapper-singer Anuel AA’s camp had not even been aware that MediaMuv had stolen tens of thousands of dollars of royalties for the artist’s music until Billboard inquired with Anuel AA’s team about the case. Though AdRev and YouTube have not been accused of any wrongdoing, sources in the rights management business who were interviewed for this story expressed incredulity that theft of this magnitude happened on AdRev’s watch.
‘Hotbed of Piracy’
Batista’s plea agreement revealed that it didn’t take a criminal mastermind to rob music creators of their rightful royalties. According to multiple industry sources, hustles similar to MediaMuv’s are well-known among those in the music business who work in digital rights management, but Teran and Batista’s scheme was particularly brazen, both for the tens of millions of dollars the IRS says they stole from Latin acts and the way they did it.
Sources say YouTube scammers commonly claim small fractions of songs that they suspect have not been claimed properly and might not be noticed. This is especially prevalent on the music publishing side, where there are usually more rights holders — particularly on contemporary songs that credit many songwriters — so the division of ownership and royalties can be more difficult to track. If one or more of the songwriters is known to be without a publisher, there is a strong chance that the writer does not know if their share of the composition is being claimed correctly. MediaMuv, in contrast, often claimed 100% of royalties for master recordings or publishing.
YouTube’s content management system (CMS), or “content manager,” and its Content ID tool, which identifies matching sound recordings, enables larger rights holders — including labels, publishers and multichannel networks — to monitor royalty collection and metadata for their musical copyrights. “These scams happen all the time in every sector, on every service, and also within music rights collections agencies around the world,” says Jeff Price, founder of TuneCore, a global distributor and music publishing administrator; Audiam, a rights management company; and founder/CEO of Word Collections, a global copyright administration company. “The upside is when they happen on YouTube, the system they built allows for greater transparency and the ability to identify and potentially fix the problem.”
However, that transparency is not accessible to everyone. YouTube’s CMS and Content ID tools are available only to select users approved by the video-sharing platform. This means that many artists, songwriters and their teams — especially less established ones — are not able to monitor their copyrights and royalty collection on YouTube on their own.
“It was nearly impossible for us to know we were stolen from,”
“Samuray had something like $65,000 stolen by MediaMuv, but we didn’t even know there was money there,”
In an effort to remove some of these barriers, Maria Schneider, a Grammy-winning jazz musician and advocate for independent artists, and a company called Pirate Monitor filed a proposed class-action lawsuit against YouTube in July 2020, alleging that ordinary creators of copyrighted works are “left behind by YouTube’s copyright enforcement system” and that they are forced to police their own copyrights, yet “provided no meaningful ability” to do so because they are often not able to use YouTube’s Content ID themselves. As a result, the lawsuit claims YouTube has become a “hotbed of piracy.” (Pirate Monitor dropped out of the case last year after YouTube countersued the company for using “deceptive behavior” to gain access to Content ID.)
To serve the needs of rights holders who do not have access to YouTube’s tools on their own, a cottage industry of rights management companies like AdRev sprang up during YouTube’s adolescence. These companies have access to CMS and Content ID, and specialize in the collection of royalties and police content for independent talents as well as labels and publishers, looking to outsource the often time-intensive labor of monitoring copyrights. Though YouTube’s creator support information includes a services directory of rights management companies, sources say many copyright owners remain unaware or choose not to use these third parties.
“They don’t give access to their CMS to everyone for a reason,” argues Gabriel (also a pseudonym), who works for a different rights management firm and who represents a number of MediaMuv’s victims. “YouTube wants to have trustworthy partners, understandably.” In the wrong hands, sources say, the transparency of the CMS and Content ID tools can be exploited.
Despite YouTube’s gatekeeping of its CMS, Batista said in his plea agreement that MediaMuv had been granted direct access to YouTube’s CMS in addition to its access through AdRev. And while by-the-book rights managers have been duped by bad actors claiming to be copyright owners, sources in this field say that some of their competitors are not diligent about corroborating clients’ copyright ownership before claiming royalties for them. With clients paying fees of 10%-25% of the royalties that are collected, rights managers are incentivized to collect as much money as possible.
“MediaMuv: A Detestable Company”
According to his plea deal, Batista explained that MediaMuv initiated the scam by signing a CMS administration agreement with AdRev “to assist [MediaMuv] in administering the music [it] fraudulently claimed”
Tomi Engdahl says:
Harsh figures from the authorities – thousands of cyber attacks are carried out against Finland every year https://www.is.fi/digitoday/tietoturva/art-2000008998809.html
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/microsoft/microsoft-shares-workarounds-for-outlook-crashing-after-launch/
Tomi Engdahl says:
CVE-2022-2590: Linux kernel privilege escalation vulnerability
https://securityonline.info/cve-2022-2590-linux-kernel-privilege-escalation-vulnerability/
Tracked as CVE-2022-2590, the vulnerability allows a local, unprivileged attacker to gain write access to read-only memory mappings, increasing their privileges on the system through handling the copy-on-write (COW) breakage of private read-only shared memory mappings.
An unprivileged user can modify the file content of a shmem (tmpfs) file, even if that user does not have write permissions to the underlying file. The file could be an executable and similar consideration as for Dirty COW (CVE-2016-5195) should apply.
Linux >= v5.16 is affected on x86-64 and aarch64 if the kernel is compiled with CONFIG_USERFAULTFD=y. For Linux < v5.19 it’s sufficient to revert the problematic commit, which is possible with minor contextual conflicts.
The vulnerability allows an attacker to modify any running process that is readable. Even if the process is not readable, they can use cat /proc/{pid}/maps to find if readable ELF modules have been loaded. On Android, the actor can dynamically modify an Android Runtime (ART) process in the same way: as long as the attacker can run an application on a vulnerable device, they can modify a readable process and inject code and control the context of any process.
By leveraging this attack, an actor is no longer limited to only read/write to files but also gains the ability to write code directly to memory. Thus, a successful attack could result in root access without causing a crash or requiring a device reboot.
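A triage script for the affected conditions quoted above, added here as an example (it is not from the advisory or the securityonline.info article): it checks the kernel version, the architecture and CONFIG_USERFAULTFD, and reads the running kernel's config from /boot or /proc/config.gz when one is present. The advisory text gives no fixed-version boundary, so a host meeting all three conditions is reported as needing patch-status verification rather than as confirmed vulnerable.

```python
"""Triage a Linux host against the stated affected conditions for CVE-2022-2590:
kernel >= 5.16 on x86_64 or aarch64 with CONFIG_USERFAULTFD=y.
Added example, not code from the advisory."""
import gzip
import os
import platform
import re

AFFECTED_ARCHES = {"x86_64", "aarch64"}
FIRST_AFFECTED = (5, 16)


def parse_kernel_version(release: str) -> tuple:
    """Turn a uname -r string such as '5.19.0-46-generic' into (5, 19)."""
    m = re.match(r"(\d+)\.(\d+)", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return (int(m.group(1)), int(m.group(2)))


def config_has_userfaultfd(config_text: str) -> bool:
    """True if the kernel config text builds in userfaultfd (CONFIG_USERFAULTFD=y)."""
    return re.search(r"^CONFIG_USERFAULTFD=y$", config_text, re.MULTILINE) is not None


def assess(release: str, arch: str, config_text: str) -> dict:
    """Return the triage verdict together with each condition that was checked."""
    version = parse_kernel_version(release)
    conditions = {
        "arch_listed": arch in AFFECTED_ARCHES,
        "version_at_least_5_16": version >= FIRST_AFFECTED,
        "userfaultfd_enabled": config_has_userfaultfd(config_text),
    }
    # All three must hold for the advisory's affected set; the page gives no
    # fixed-version boundary, so the positive verdict defers to vendor patch status.
    verdict = "check-patch-status" if all(conditions.values()) else "not-affected"
    return {"release": release, "arch": arch, "conditions": conditions, "verdict": verdict}


def load_running_config() -> str:
    """Read the running kernel's config from /boot or /proc/config.gz; '' if neither exists."""
    release = platform.release()
    boot_cfg = f"/boot/config-{release}"
    if os.path.exists(boot_cfg):
        with open(boot_cfg) as f:
            return f.read()
    if os.path.exists("/proc/config.gz"):
        with gzip.open("/proc/config.gz", "rt") as f:
            return f.read()
    return ""


if __name__ == "__main__":
    # Constructed config snippet so the example runs without access to /boot.
    sample_config = "CONFIG_SHMEM=y\nCONFIG_USERFAULTFD=y\nCONFIG_TMPFS=y\n"
    print(assess("5.18.0-generic", "x86_64", sample_config))
    print(assess("5.15.0-generic", "x86_64", sample_config))
    if platform.system() == "Linux":
        print(assess(platform.release(), platform.machine(), load_running_config()))
```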
Tomi Engdahl says:
FAANGs failing on keeping user data safe from bug hunters
Time to call in the legal team
https://www.theregister.com/2022/08/12/faang_bug_hunters/
Dylan Ayrey, a bug hunter and CEO of Truffle Security, discovered a big data company credential dump containing personal information belonging to about 50,000 of its users, and still hasn’t fixed it.
This happened while he was researching cross-site scripting (XSS) vulnerabilities, and through the disclosure and reporting process, this data passed through several third-party systems. The bug bounty platform, XSS Hunter and Gmail, among them, not to mention his own hard drive and backups.
Turns out the FAANG (Facebook, Amazon, Apple, Netflix and Google in the pre-Alphabet days) biz never disclosed the dump, and Ayrey and the third parties still have access to the sensitive data.
Ayrey detailed this bug hunting expedition onstage at the Black Hat conference in Las Vegas, and the punch line is that this isn’t an isolated experience. There’s a ton of personal data stored on researchers’ laptops and bug bounty platforms, some of which don’t require multi-factor authentication to access, Ayrey said.
“I talked to a couple of friends that I know that are pretty good bug hunters, and 100 percent of them said that their Bugcrowd accounts and Hacker One accounts are exactly the same,” he said. Once they’re logged into their accounts, researchers can access and download data associated with now-closed vulnerability tickets.
Tomi Engdahl says:
Ionut Ilascu / BleepingComputer:
Microsoft and CISA warn users about DogWalk, a now-patched actively exploited RCE vulnerability in Windows 7, 10, 11, and Server 2008 through 2022
CISA warns of Windows and UnRAR flaws exploited in the wild
https://www.bleepingcomputer.com/news/security/cisa-warns-of-windows-and-unrar-flaws-exploited-in-the-wild/
Tomi Engdahl says:
Amid backlash from privacy advocates, Meta expands end-to-end encryption trial
E2EE prevents anyone other than the sender and receiver from reading messages.
https://arstechnica.com/information-technology/2022/08/meta-is-ever-so-slowly-expanding-its-testing-of-end-to-end-encryption/
Tomi Engdahl says:
WHITE PAPER
Why Rapid Recovery is Safer than Paying the Ransom
https://www.veeam.com/wp-rapid-recovery-safer-than-paying-the-ransom.html
Tomi Engdahl says:
New Vulnerability Affects All AMD Zen CPUs: Threading May Need to Be Disabled
By Anton Shilov published 2 days ago
Side-channel SQUIP vulnerability affects all SMT-enabled Zen CPUs.
https://www.tomshardware.com/news/new-vulnerability-affects-all-amd-zen-cpus
Contemporary superscalar microprocessors with out-of-order execution use a number of ways to boost their performance. Simultaneous multi-threading (executing more than one thread of code on a CPU core) is one of the most efficient ways to improve processor performance.
Tomi Engdahl says:
FTC Explores Rules Cracking Down on Commercial Surveillance and Lax Data Security Practices
Agency Seeks Public Comment on Harms from Business of Collecting, Analyzing, and Monetizing Information About People
https://www.ftc.gov/news-events/news/press-releases/2022/08/ftc-explores-rules-cracking-down-commercial-surveillance-lax-data-security-practices
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/fbi-zeppelin-ransomware-may-encrypt-devices-multiple-times-in-attacks/
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/zimbra-auth-bypass-bug-exploited-to-breach-over-1-000-servers/
Tomi Engdahl says:
Meta injecting code into websites to track its users, research says
Owner of Facebook and Instagram is using code to follow those who click links in its apps, according to an ex-Google engineer
https://www.theguardian.com/technology/2022/aug/11/meta-injecting-code-into-websites-visited-by-its-users-to-track-them-research-says?CMP=fb_a-technology_b-gdntech
Tomi Engdahl says:
Vulnerabilities Allowed Researchers to Remotely Lock and Unlock Doors
Security researchers found several vulnerabilities that allowed them to take remote control of internet-connected devices that control door locks.
https://www.vice.com/en/article/v7vb43/vulnerabilities-allowed-researchers-to-remotely-lock-and-unlock-doors
Tomi Engdahl says:
A Long-Awaited IoT Reverse Engineering Tool Is Finally Here
Ten years after it was first unveiled, the powerful firmware analysis platform Ofrak is now available to anyone.
https://www.wired.com/story/ofrak-iot-reverse-engineering-tool/
AT THE 2012 DefCon security conference in Las Vegas, Ang Cui, an embedded device security researcher, previewed a tool for analyzing firmware, the foundational software that underpins any computer and coordinates between hardware and software. The tool was specifically designed to elucidate internet-of-things (IoT) device firmware and the compiled “binaries” running on anything from a home printer to an industrial door controller. Dubbed FRAK, the Firmware Reverse Analysis Console aimed to reduce overhead so security researchers could make progress assessing the vast and ever-growing population of buggy and vulnerable embedded devices rather than getting bogged down in tedious reverse engineering prep work. Cui promised that the tool would soon be open source and available for anyone to use.
He was nothing if not thorough. A decade later, Cui and his company, Red Balloon Security, are launching Ofrak, or OpenFRAK, at DefCon in Las Vegas this week.
“Embedded security is a space that we absolutely need to have more good eyes and brains on. We needed it 10 years ago, and we finally found a way to give this capability out. So here it is.”
Though it hadn’t yet fulfilled its destiny as a publicly available tool, FRAK hasn’t been languishing all these years either. Red Balloon Security continued refining and expanding the platform for internal use in its work with both IoT device makers and customers who need a high level of security from the embedded devices they buy and deploy.
“What makes it unique is it’s designed to provide a common interface for other tools, so the benefit is that you can use all different tools depending on what you have at your disposal or what works best for a certain project,” Strieb says.
The platform is also unusual for offering advanced, automated repacking mechanisms for firmware binaries. Most reverse engineering tools aid in unpacking but lack extensive repacking capabilities, because even small modifications you make to firmware can incidentally break functionality or change how the program behaves. Repacking was always a core part of how Cui conceived FRAK, though, and Red Balloon has continued to improve it over the years for the company’s own work.
“Oftentimes, it’s cost prohibitive for organizations to hire reverse engineers with specialized skills to patch embedded devices,” says Sergey Bratus, a DARPA program manager. “A key goal of the AMP program is to make this capability readily available through automation. Automating the application of a fix turns out to be a hard computer science problem with fundamental research challenges. These challenges must be supported with new classes of modular, community-building, research-enabling tools such as Ofrak.”
In other words, Ofrak is not only useful for independent researchers who want to penetrate the black box of embedded devices. It can also help manufacturers assess their own products and play a role in patch development and distribution, a longtime challenge and frequent debacle in IoT.
Red Balloon’s Strieb says the company hopes Ofrak will be widely adopted and that people will develop add-on modules for community use. Red Balloon plans to maintain the tool long-term
https://github.com/redballoonsecurity/ofrak
Tomi Engdahl says:
21st Century wire tap? Spies could use fibre-optic broadband cables to EAVESDROP on people from over half a mile away, study shows
https://www.dailymail.co.uk/sciencetech/article-11057699/Fibre-optic-cables-used-eavesdrop-1km-away-study-says.html
Scientists have developed a system that picks up sound from fibre-optic cables
Fibre-optic cables use light pulses to transmit data and are used for broadband
But they are sensitive to changes in environmental pressure caused by sound
This security flaw may let snoopers eavesdrop on confidential conversations
Fibre-optic cables could be used to eavesdrop on people over half a mile away by detecting changes in light that occur when they speak, a new study shows.
Researchers in China have developed a system that picks up sound at one end of a fibre-optic cable and transmits the audio at the other end.
Fibre-optic cables use pulses of light to transmit data and are used to deliver full fibre broadband to people’s homes.
But they’re sensitive to changes in environmental pressure, which could be caused by acoustic waves, such as sound from someone speaking – a potential security risk.
‘These applications of optical fibre networks, including earthquake detection, urban traffic flow monitoring, underground geological structure exploration, have positive impacts on people’s production and life.
‘However, it also brings some potential security problems, which should be considered carefully.’
One type of broadband network architecture using optical fibre is known as fibre to the premises (FTTP).
As the name suggests, this is where fibre-optic cables run all the way to a premises, whether it be a house, flat building or office.
According to the current layout mode of FTTP, fibre up to several meters will be installed in residents’ homes.
But sound signals could be modulated onto the light wave that the fibre transmits, without installing any additional equipment in the resident’s home.
‘Optical fibres are very sensitive to vibration,’
For their study, the Chinese team created a system that detects changes in light that occur when someone speaks near optical fibre. Diagram from the paper presents the eavesdropping scheme
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/wolf-in-sheep-s-clothing-how-malware-tricks-users-and-antivirus/
Tomi Engdahl says:
https://medium.com/technology-hits/new-windows-remote-search-exploit-bb76b24819c3
Tomi Engdahl says:
Slack flaw exposed users’ hashed passwords https://www.malwarebytes.com/blog/news/2022/08/slack-flaw-exposed-users-hashed-passwords
Slack, the workplace communication platform, has notified some of its users that their hashed passwords have been subject to exposure for the last five years. The company wasn’t specific in its notice, but Wired said that the flaw was in one of its “low-friction features”.
The flaw exposed hashed passwords of users when creating or revoking shared invitation links for workspaces. “When a user performed either of these actions, Slack transmitted a hashed version of their password to other workspace members,” the company said in a notice. “It affected all users who created or revoked shared invitation links between 17 April 2017 and 17 July 2022.”
Tomi Engdahl says:
Palo Alto Networks: New PAN-OS DDoS flaw exploited in attacks https://www.bleepingcomputer.com/news/security/palo-alto-networks-new-pan-os-ddos-flaw-exploited-in-attacks/
Palo Alto Networks has issued a security advisory warning of an actively exploited high-severity vulnerability impacting PAN-OS, the operating system used by the company’s networking hardware products.
The issue, tracked as CVE-2022-0028 (CVSS v3 8.6), is an URL filtering policy misconfiguration that could allow an unauthenticated, remote attacker to carry out amplified TCP denial-of-service (DoS) attacks.
Palo Alto Networks states that they discovered this vulnerability after they were notified one of their devices was being used as part of an attempted reflected denial-of-service (RDoS) attack, meaning that the bug is actively used in attacks.
Tomi Engdahl says:
These are the most common malware in Finland – the notorious Emotet was on summer vacation
https://www.tivi.fi/uutiset/tv/a27ddcd3-5125-489b-af10-9f43ddce1a04
Emotet continued as the world’s most used malware in July, despite its prevalence having collapsed by as much as 50 percent compared to the previous month, Check Point Research reports in its published malware review. The reason for the reduced prevalence is probably quite human, namely the summer vacation season: potential victims have not been opening suspicious email attachments. The most common malware in Finland, however, is the modular banking trojan Ramnit. This malware specializes in stealing web session data, which may give the perpetrators access to account details for the services the victim uses.
Tomi Engdahl says:
Twilio: 125 customers affected by data breach, no passwords stolen https://www.bleepingcomputer.com/news/security/twilio-125-customers-affected-by-data-breach-no-passwords-stolen/
Cloud communications giant Twilio, the owner of the highly popular two-factor authentication (2FA) provider Authy, says that it has so far identified 125 customers who had their data accessed during a security breach discovered last week. The company added the attackers behind this incident weren’t able to gain access to the affected clients’ authentication information. “We have identified approximately 125 Twilio customers whose data was accessed by malicious actors for a limited period of time, and we have notified all of them,” Twilio revealed in an update to the original disclosure. “There is no evidence that customer passwords, authentication tokens, or API keys were accessed without authorization.”
Tomi Engdahl says:
AT&T denies connection to database of 23 million SSNs, says it may be tied to credit agency breach https://therecord.media/att-denies-connection-to-database-of-23-million-ssns-says-it-may-be-tied-to-credit-agency-breach/
Telecommunications giant AT&T denied any connection to a database of stolen information that included the Social Security numbers of 23 million Americans. First reported by Brian Krebs, Milwaukee cybersecurity company Hold Security said it found a 3.6 GB file on a dark web platform that contained Social Security numbers and information belonging to 23 million people. The security company told Krebs that there is a trove of evidence tying the database to AT&T, including email addresses ending with “att.net,” “SBCGlobal.net” or “Bellsouth.net” as well as links to an obscure AT&T broadband service and location data tying the information to the 21 states where AT&T operates. An AT&T spokesperson told The Record that the information “does not appear to have come from” their systems, adding that it “may be tied to a previous data incident at another company.”
Tomi Engdahl says:
Chinese criminals scam kids desperate to play games for more than three hours a week https://www.bitdefender.com/blog/hotforsecurity/chinese-criminals-scam-kids-desperate-to-play-games-for-more-than-three-hours-a-week/
As The Register reports, the Cyberspace Administration of China (CAC) has published a report detailing some of the 12,000 incidents of online fraud it says have been handled this year. Amongst them are scams that steal money from children, with the alluring but bogus promise that China’s tough gaming ban can be subverted.
Tomi Engdahl says:
Vulnerabilities on Xiaomi’s mobile payment mechanism which could allow forged transactions : A Check Point Research analysis https://blog.checkpoint.com/2022/08/12/vulnerabilities-on-xiaomis-mobile-payment-mechanism/
Mobile payments became very popular and a common form of payment around the world. We all use them daily and comfortably, pushing doubts and uncertainties aside. But have you ever really wondered if this daily practice many of us are used to is really safe? Could someone steal money from your digital, daily used wallet without your knowledge? In this report, CPR (Mobile) researchers analyzed the payment system built into Xiaomi smartphones powered by MediaTek chips, which are very popular in China. During these reviews, Check Point discovered vulnerabilities that could allow forging of payment packages or disabling the payment system directly, from an unprivileged Android application.
Tomi Engdahl says:
Chinese hackers backdoor chat app with new Linux, macOS malware https://www.bleepingcomputer.com/news/security/chinese-hackers-backdoor-chat-app-with-new-linux-macos-malware/
Versions of a cross-platform instant messenger application focused on the Chinese market known as ‘MiMi’ have been trojanized to deliver a new backdoor (dubbed rshell) that can be used to steal data from Linux and macOS systems. SEKOIA’s Threat & Detection Research Team says that the app’s macOS 2.3.0 version has been backdoored for almost four months, since May 26, 2022. They discovered this after noticing unusual connections to this app while analyzing command-and-control (C2) infrastructure for the HyperBro remote access trojan (RAT) malware linked to the APT27 Chinese-backed threat group.
Tomi Engdahl says:
CISA orders civilian agencies to patch Zimbra bug after mass exploitation https://therecord.media/cisa-orders-civilian-agencies-to-patch-zimbra-bug-after-mass-exploitation/
The Cybersecurity and Infrastructure Security Agency added two vulnerabilities found in products from digital collaboration platform Zimbra after a cybersecurity company reported mass exploitation of the bugs throughout July and in early August. On Wednesday, Zimbra released an advisory urging its customers running older versions of the software to immediately install updates. CISA ordered all civilian agencies to install the patches before September 1.
Tomi Engdahl says:
A Flaw in the VA’s Medical Records Platform May Put Patients at Risk https://www.wired.com/story/va-vista-medical-records-flaw/
THE U.S. DEPARTMENT of Veterans Affairs runs some interesting technology programs, but it’s not known for being a flexible or nimble organization. The department’s records platform, VistA, first instituted in the late 1970s, is lauded as effective, reliable, and even innovative, but decades of underinvestment have eroded the platform. Security researchers are finding real security issues in VistA that could affect patient care. They want to disclose them to the VA and get the issues fixed, but they haven’t found a way to do it because VistA itself is on death row. In practice, the security issues could allow an attacker on a hospital’s network to impersonate a health care provider within VistA, and possibly modify patient records, submit diagnoses, or even theoretically prescribe medications.
Tomi Engdahl says:
SOVA malware adds ransomware feature to encrypt Android devices https://www.bleepingcomputer.com/news/security/sova-malware-adds-ransomware-feature-to-encrypt-android-devices/
The SOVA Android banking trojan continues to evolve with new features, code improvements, and the addition of a new ransomware feature that encrypts files on mobile devices. With the latest release, the SOVA malware now targets over 200 banking, cryptocurrency exchange, and digital wallet applications, attempting to steal sensitive user data and cookies from them. Moreover, it features refactored and improved code that helps it operate more stealthily on the compromised device, while its latest version, 5.0, adds a ransomware module.
Tomi Engdahl says:
A New Jailbreak for John Deere Tractors Rides the Right-to-Repair Wave https://www.wired.com/story/john-deere-tractor-jailbreak-defcon-2022/
FARMERS AROUND THE world have turned to tractor hacking so they can bypass the digital locks that manufacturers impose on their vehicles.
Like insulin pump “looping” and iPhone jailbreaking, this allows farmers to modify and repair the expensive equipment that’s vital to their work, the way they could with analog tractors. At the DefCon security conference in Las Vegas on Saturday, the hacker known as Sick Codes is presenting a new jailbreak for John Deere & Co tractors that allows him to take control of multiple models through their touchscreens.
Tomi Engdahl says:
Over 9,000 VNC servers exposed online without a password https://www.bleepingcomputer.com/news/security/over-9-000-vnc-servers-exposed-online-without-a-password/
Researchers have discovered at least 9,000 exposed VNC (virtual network computing) endpoints that can be accessed and used without authentication, allowing threat actors easy access to internal networks. VNC (virtual network computing) is a platform-independent system meant to help users connect to systems that require monitoring and adjustments, offering control of a remote computer via RFB (remote frame buffer protocol) over a network connection. If these endpoints aren’t properly secured with a password, which is often the result of negligence, error, or a decision taken for convenience, they can serve as entry points for unauthorized users, including threat actors with malicious intentions. Depending on what systems lie behind the exposed VNCs, like, for example, water treatment facilities, the implications of abusing access could be devastating for entire communities.
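An RFB handshake classifier for auditing your own VNC listeners, added here as an example and not part of the BleepingComputer article: it parses the server’s ProtocolVersion and security-types messages as laid out in RFC 6143 and flags the “None” security type, which is the passwordless configuration described above. The byte strings in the demo are constructed samples, not captures.

```python
"""Classify the security types a VNC server offers in its RFB handshake.
Added example; message layouts follow RFC 6143, sample bytes are constructed."""
import struct

# Security type numbers from RFC 6143 and the IANA RFB registry.
SECURITY_TYPE_NAMES = {
    0: "Invalid", 1: "None", 2: "VNC Authentication",
    5: "RA2", 16: "Tight", 18: "TLS", 19: "VeNCrypt",
}
# Type 1 ("None") lets a client proceed to the session with no credentials at all.
NO_AUTH = 1


def parse_server_version(data: bytes) -> tuple:
    """Parse the 12-byte ProtocolVersion message, e.g. b'RFB 003.008\\n' -> (3, 8)."""
    if len(data) < 12 or data[:4] != b"RFB " or data[7:8] != b"." or data[11:12] != b"\n":
        raise ValueError("not an RFB ProtocolVersion message")
    return (int(data[4:7]), int(data[8:11]))


def _reason(data: bytes) -> str:
    """Decode the U32-length-prefixed failure reason string the server sends."""
    (length,) = struct.unpack("!I", data[:4])
    return data[4:4 + length].decode("latin-1", "replace")


def parse_security_types(version: tuple, data: bytes) -> list:
    """Return the security types offered right after ProtocolVersion.

    RFB 3.3: the server sends one U32 with the type it chose (0 = failure).
    RFB 3.7+: a U8 count followed by that many U8 types; count 0 means the
    server refused the connection and a U32 length plus reason string follows.
    """
    if version < (3, 7):
        (sec_type,) = struct.unpack("!I", data[:4])
        if sec_type == 0:
            raise ConnectionRefusedError(_reason(data[4:]))
        return [sec_type]
    count = data[0]
    if count == 0:
        raise ConnectionRefusedError(_reason(data[1:]))
    return list(data[1:1 + count])


def classify(server_version: bytes, security_msg: bytes) -> dict:
    """Summarise what the server offers and whether passwordless access is among it."""
    version = parse_server_version(server_version)
    types = parse_security_types(version, security_msg)
    return {
        "version": version,
        "offered": [SECURITY_TYPE_NAMES.get(t, f"type {t}") for t in types],
        "unauthenticated_access": NO_AUTH in types,
    }


if __name__ == "__main__":
    # Constructed handshake samples: (ProtocolVersion, security-types message).
    samples = {
        "no password (RFB 3.8)": (b"RFB 003.008\n", b"\x01\x01"),
        "password or none (RFB 3.8)": (b"RFB 003.008\n", b"\x02\x01\x02"),
        "VNC auth only (RFB 3.3)": (b"RFB 003.003\n", b"\x00\x00\x00\x02"),
    }
    for label, (ver, sec) in samples.items():
        print(label, classify(ver, sec))
```

A server that advertises “None”, alone or alongside other types, accepts sessions without a password and should be reconfigured or firewalled.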
Tomi Engdahl says:
Google fined $60 million over Android location data collection https://www.bleepingcomputer.com/news/google/google-fined-60-million-over-android-location-data-collection/
The Australian Competition and Consumer Commission (ACCC) announced that Google was fined $60 million for misleading Australian Android users regarding the collection and use of their location data for almost two years, between January 2017 and December 2018. The Australian competition watchdog said the tech giant continued tracking some of its users’ Android phones even though they had disabled “Location History” in the device’s settings. While customers were misled into thinking that setting would disable location tracking, another account setting turned on by default and named “Web & App Activity” enabled the company “to collect, store and use personally identifiable location data.”
Tomi Engdahl says:
Black Hat USA 2022 – Announcements Summary
https://www.securityweek.com/black-hat-usa-2022-announcements-summary
Hundreds of companies and organizations showcased their products and services this week at the 2022 edition of the Black Hat conference in Las Vegas.
Cycode launches software composition analysis solution
Supply chain security firm Cycode has launched a software composition analysis (SCA) solution and expanded its platform to add static application security testing (SAST) and container scanning capabilities.
Cybersixgill announces vulnerability exploit intelligence solution
Threat intelligence company Cybersixgill has unveiled Dynamic Vulnerability Exploit (DVE) Intelligence, a solution that combines automation, advanced analytics, and vulnerability exploit intelligence to address all phases of the CVE lifecycle. The solution is designed to help organizations prioritize CVEs in order of urgency.
CrowdStrike introduces AI-powered Indicators of Attack
CrowdStrike has introduced AI-powered Indicators of Attack (IoAs) to its Falcon Platform. The new threat detection and response capability is designed to provide enhanced fileless attack prevention and visibility for stealthy cloud intrusions.
Defiant launches Wordfence Intelligence
Wordfence – Defiant’s WordPress security team – has announced Wordfence Intelligence, a new enterprise-focused product designed to provide web application protection to organizations and hosting providers. Wordfence Intelligence launches with three data feeds that cover malicious IP addresses, PHP malware, and WordPress vulnerabilities.
IBM launches source code management attack toolkit
IBM has launched a source code management attack toolkit (SCMKit), which allows users to launch simulated attacks against SCM platforms. The toolkit supports attack modules for reconnaissance, privilege escalation, and persistence.
NetSPI launches open source tools PowerHuntShares and PowerHunt
Enterprise penetration testing and attack surface management firm NetSPI has launched two open source tools named PowerHuntShares and PowerHunt. PowerHuntShares inventories, analyzes, and reports excessive privilege assigned to SMB shares on Active Directory domain joined computers. PowerHunt, a modular threat hunting framework, identifies signs of compromise based on artifacts from common MITRE ATT&CK techniques and detects anomalies and outliers specific to the target environment.
NetRise releases XIoT firmware security solution
XIoT security firm NetRise announced the release of the NetRise Platform, a solution providing insights into shared vulnerabilities across XIoT firmware images in an organization. NetRise is a cloud-based SaaS platform that analyzes and continuously monitors the firmware of XIoT devices. The firmware images are then dissected, presenting all of the key data, artifacts, and risk in an easy-to-consume interface.
OPSWAT presents new malware analysis capabilities for OT
OPSWAT has announced new malware analysis capabilities for IT and operational technology (OT). The enhancements include OPSWAT Sandbox for OT, with detection of malicious communications on OT network protocols, and support for open-source third-party tools in the company’s MetaDefender Malware Analyzer solution.
Rezilion launches open source vulnerability detection tool
Rezilion has released MI-X, a new open-source CLI tool that can help researchers and developers know if their containers and hosts are impacted by a specific vulnerability. Organizations can use MI-X to identify and establish the exploitability of over 20 high-profile CVEs within their environment, and the tool can easily be updated to include coverage for new vulnerabilities.
Tidal Cyber launches community edition of threat-informed defense platform
Tidal Cyber has launched the community edition of its threat-informed defense platform, which enables security analysts to efficiently explore the advanced knowledge of adversary behaviors as defined by the MITRE ATT&CK knowledge base. It also provides additional open-source threat intelligence sources, and a Tidal-curated registry of security product capabilities mapped to specific adversary techniques.
Tenable announces new cloud security features
Tenable announced Agentless Assessment and Live Results, two major updates to its cloud security solution. The new features help organizations remediate vulnerabilities faster and prevent them from being exploited.
TrustedSite launches Halo Security
Vulnerability scanning and certification provider TrustedSite has officially launched Halo Security, an attack surface management platform designed to provide organizations with full visibility into their internet-facing assets. The solution brings together vulnerability scanning and manual testing to identify risks and help organizations improve their security posture and protect their data from external threats.
Veracode improves Continuous Software Security Platform
Application security testing solutions provider Veracode has announced improvements to its Continuous Software Security Platform, including support for software composition analysis (SCA), a software bill of materials (SBOM) API, and expanded frameworks and languages support for static analysis – with the addition of Rails 7.0, Ruby 3.x, and PHP Symfony.
Tomi Engdahl says:
Zero-Day Vulnerability Exploited to Hack Over 1,000 Zimbra Email Servers
https://www.securityweek.com/zero-day-vulnerability-exploited-hack-over-1000-zimbra-email-servers
A new zero-day vulnerability affecting Zimbra has been exploited to hack more than 1,000 enterprise email servers, according to incident response firm Volexity.
In July and early August, Volexity was called in to investigate several Zimbra Collaboration Suite breaches. The company’s analysis showed that the attackers had most likely exploited CVE-2022-27925, a remote code execution vulnerability in Zimbra that the vendor patched in March 2022.
The problem was that exploitation of CVE-2022-27925 requires admin credentials, which makes mass exploitation less likely. In addition, there was no indication that the attackers had managed to obtain the required credentials.
Further analysis showed that it was possible to bypass authentication when accessing the same endpoint used by CVE-2022-27925.
Tomi Engdahl says:
Realtek SDK Vulnerability Exposes Routers From Many Vendors to Remote Attacks
https://www.securityweek.com/realtek-sdk-vulnerability-exposes-routers-many-vendors-remote-attacks
A serious vulnerability affecting the eCos SDK made by Taiwanese semiconductor company Realtek could expose the networking devices of many vendors to remote attacks.
The security hole, tracked as CVE-2022-27255 and rated ‘high severity’, has been described as a stack-based buffer overflow that can allow a remote attacker to cause a crash or achieve arbitrary code execution on devices that use the SDK. An attack can be carried out through the WAN interface using specially crafted SIP packets.
The Realtek eCos SDK is provided to companies that manufacture routers, access points and repeaters powered by RTL819x family SoCs. The SDK implements the base functionalities of the router, including the web administration interface and the networking stack. Vendors can build on top of this SDK to add custom functionality and their branding to the device.
Realtek informed customers about the eCos SDK vulnerability in March, when it announced the availability of a patch. However, it’s up to the OEMs using the SDK to ensure that the patch is distributed to end-user devices.
The researcher said the vulnerability can be exploited remotely — directly from the internet — to hack affected routers running with default settings. No user interaction is required for successful exploitation.
“The vulnerable code is part of the networking stack — if the device is connected to the internet, an attacker only needs to send a packet to take control of the device,” he explained.
“The process of identifying affected OEM products is daunting due to the lack of visibility of their supply chain,” Gianatiempo noted.
While there is no indication that the flaw has been exploited in the wild, there could be a significant number of devices that are exposed to attacks due to this vulnerability, so it may be tempting for malicious actors.
Faraday has conducted a Shodan search and identified more than 60,000 vulnerable routers with their administration panel exposed. In addition, Mercadolibre, the largest ecommerce site in Latin America, has sold 130,000 devices affected by the vulnerability, according to a sales counter displayed on product pages.
Threat actors have been known to target Realtek SDK vulnerabilities in their attacks. Last year, researchers spotted exploitation of a flaw just days after its disclosure.
Tomi Engdahl says:
CISA, FBI Warn Organizations of Zeppelin Ransomware Attacks
https://www.securityweek.com/cisa-fbi-warn-organizations-zeppelin-ransomware-attacks
The US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a joint advisory detailing the Zeppelin ransomware.
Initially detailed in 2019, Zeppelin is a highly targeted piece of ransomware derived from the Delphi-based Vega (VegaLocker) Ransomware-as-a-Service (RaaS) family.
Over the past three years, Zeppelin has been used mainly against healthcare organizations. Victims also include defense contractors, educational institutions, manufacturers, and technology companies.
“Zeppelin actors have been known to request ransom payments in Bitcoin, with initial amounts ranging from several thousand dollars to over a million dollars,” CISA and the FBI say.
Some of the tactics, techniques, and procedures (TTPs) associated with Zeppelin include the exploitation of RDP connections and SonicWall firewall vulnerabilities for initial access, as well as the use of phishing emails for target compromise.
Alert (AA22-223A)
#StopRansomware: Zeppelin Ransomware
https://www.cisa.gov/uscert/ncas/alerts/aa22-223a
Tomi Engdahl says:
US Government Shares Photo of Alleged Conti Ransomware Associate
https://www.securityweek.com/us-government-shares-photo-alleged-conti-ransomware-associate
The United States has been offering significant rewards for information on individuals involved in the Conti ransomware operation and the Department of State on Thursday provided additional details on who it’s looking for and even shared a photo of a suspect.
The State Department is looking for information on the hackers behind Conti, TrickBot and Wizard Spider, specifically the members known online as ‘Tramp’, ‘Dandis’, ‘Professor’, ‘Reshaev’ and ‘Target’.
The State Department has also released a photo showing the face of a man believed to be ‘Target’, who it describes as a Conti associate.
Tomi Engdahl says:
Killnet Releases ‘Proof’ of its Attack Against Lockheed Martin
https://www.securityweek.com/killnet-releases-proof-its-attack-against-lockheed-martin
On August 1, Lockheed Martin was supposedly targeted with a DDoS attack delivered by the pro-Russian hacker group Killnet. The information came via the Moscow Times who reported Killnet’s claim for responsibility.
Newsweek added that Killnet claimed to have stolen Lockheed Martin employee data and threatened to share that data.
There has been no word from Lockheed Martin about the supposed attack beyond telling Newsweek it is “aware of the reports and have policies and procedures in place to mitigate cyber threats to our business,” adding that “we remain confident in the integrity of our robust, multi-layered information systems and data security.”
Killnet is a pro-Russia group that specializes in DoS and DDoS attacks. It is thought to have been formed in March 2022, and that its primary motivation is retaliation against perceived enemies of Russia. It is believed to be responsible for politically motivated attacks in Romania, Moldova, the Czech Republic, Italy, Lithuania, Norway and Latvia – as well as Eurovision 2022.
Tomi Engdahl says:
https://hackaday.com/2022/08/12/this-week-in-security-breaches-aepic-squip-and-symbols/
The Point-to-Point Protocol in Windows has a flaw, CVE-2022-30133, where sending traffic to port 1723 can result in arbitrary code execution. The scary bit about this one is that it’s potentially wormable, and that the port might be intentionally exposed to the internet, as this was an early VPN solution in Windows. Yoiks.
Windows Point-to-Point Protocol (PPP) Remote Code Execution Vulnerability
CVE-2022-30133
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30133
Tomi Engdahl says:
https://mobile.twitter.com/vxunderground/status/1559341791563882496
Cl0p ransomware group has breached critical infrastructure in England responsible for the public water supply and waste management for London, Luton, Thames Valley, Surrey, and more.
They state they will not ransom it.
cl0p’s official statement:
https://share.vx-underground.org/cl0p-thameswater.txt
15 million Britons issued urgent water contamination alert as ‘Thames Water HACKED’
Tomi Engdahl says:
South Staffordshire Water assures customers water supply is safe after cyber attack
SOUTH STAFFORDSHIRE WATER customers have been assured their water supply is safe after the company confirmed it was the victim of a cyber attack.
https://www.express.co.uk/news/uk/1655751/south-staffordshire-water-supply-cyber-attack-ont
Tomi Engdahl says:
15 million Britons issued urgent water contamination alert as ‘Thames Water HACKED’
https://flipboard.com/article/15-million-britons-issued-urgent-water-contamination-alert-as-thames-water-hack/f-ad5d16ed9a%2Fco.uk#amp_tf=L%C3%A4hde%3A%20%251%24s&aoh=16606249676812&referrer=https%3A%2F%2Fwww.google.com&share=https%3A%2F%2Fflipboard.com%2Farticle%2F15-million-britons-issued-urgent-water-contamination-alert-as-thames-water-hack%2Ff-ad5d16ed9a%252Fco.uk
Tomi Engdahl says:
15 million Britons issued urgent water contamination alert as ‘Thames Water HACKED’
https://www.tamilbloggers.xyz/15-million-britons-issued-urgent-water-contamination-alert-as-thames-water-hacked/
A water supply firm, which covers an area containing 27 percent of the UK population, has reportedly been affected by Clop ransomware. The group allegedly claimed that it did not encrypt files but had access to a whopping 5TB of data and potentially changed the chemical composition of the water. HackNotice, a threat intelligence provider, wrote on its website: “THAMESWATER.CO.UK is suspected to have been hacked as reported by Clop ransomware.” Express.co.uk has contacted Thames Water for comment.
Torrential rain and thunderstorms could cause “dangerous” flooding in cities and countryside, but will not end the current drought sweeping across large parts of Britain, experts have warned.
A Thames Water spokesman said: “The prolonged hot weather and continued lack of rain means we are now planning to take our drought plans to the next stage which is to introduce temporary use restrictions.”
“Water companies need to get their house in order to prevent water leaks and improve infrastructure and, when there are leaks, make sure they are fixed as quickly as possible.
“But we also need to reduce water use. It’s a precious, limited resource.
Tomi Engdahl says:
Spyware Scandals Are Ripping Through Europe
The latest crisis that rocked the Greek government shows the bloc’s surveillance problem goes beyond the notorious NSO Group.
https://www.wired.com/story/europe-spyware-scandals-greece/?utm_source=facebook&utm_medium=news_tab
THE TEXT MESSAGE that dragged Thanasis Koukakis into what’s being called Europe’s Watergate scandal was so innocuous, he can barely remember receiving it. The Athens-based financial journalist received the note on his black iPhone 12 Pro on July 12 last year from a Greek number he didn’t have saved. That wasn’t unusual for Koukakis, who has spent the past three years investigating the changes the government has been making to financial crime regulation. He gets a lot of messages—both from numbers he’s saved and those he hasn’t. This one addressed him directly. “Thanasis,” it read, “Do you know about this issue?” Koukakis clicked on the link that followed, which took him to a news story about a Greek banking scandal. He replied with a terse: “No.”
Koukakis, 44, did not think about the message until months later. In the days that followed, he was oblivious to the fact that the website that hosted the story he was sent had disappeared. He also did not know that by clicking on that link, he had opened an invisible door inside his phone, allowing spyware software called Predator to creep in to silently watch the messages and calls he was sending and receiving.
His phone kept working as if everything was normal, he says. Then, in December, Koukakis read a report about how Facebook parent company Meta had detected commercial spyware being used by customers in 10 different countries, including Greece. One of the links used to trick people into downloading the spyware was designed to look like CNN Greece—where he worked as an editor.
Suddenly suspicious, he contacted Meta, which connected him with researchers at Citizen Lab, a research facility at the University of Toronto that specializes in spyware. In March, they told him that he was being spied on. He went public with that information the following month, prompting uproar and an investigation by a Greek prosecutor. But the scandal was only getting started. On July 26, another person revealed he had also received a link infected with Predator spyware: Nikos Androulakis, leader of PASOK, Greece’s third largest political party.
Androulakis did not click on the infected link. But the fact someone had attempted to hack the phone of a serving opposition leader tipped the Greek government into crisis. Two officials have resigned so far and pressure is mounting on Prime Minister, Kyriakos Mitsotakis, to explain who’s behind the spyware.
Tomi Engdahl says:
Disrupting SEABORGIUM’s ongoing phishing operations https://www.microsoft.com/security/blog/2022/08/15/disrupting-seaborgiums-ongoing-phishing-operations/
The Microsoft Threat Intelligence Center (MSTIC) has observed and taken actions to disrupt campaigns launched by SEABORGIUM, an actor Microsoft has tracked since 2017. SEABORGIUM is a threat actor that originates from Russia, with objectives and victimology that align closely with Russian state interests. Its campaigns involve persistent phishing and credential theft campaigns leading to intrusions and data theft. SEABORGIUM intrusions have also been linked to hack-and-leak campaigns, where stolen and leaked data is used to shape narratives in targeted countries. This blog provides insights into SEABORGIUM’s activities and technical methods, with the goal of sharing context and raising awareness about a significant threat to Microsoft customers.
As an outcome of these service abuse investigations, MSTIC partnered with abuse teams in Microsoft to disable accounts used by the actor for reconnaissance, phishing, and email collection. Microsoft Defender SmartScreen has also implemented detections against the phishing domains represented in SEABORGIUM’s activities.
Tomi Engdahl says:
Zoom for Mac patches get-root bug update now!
https://nakedsecurity.sophos.com/2022/08/15/zoom-for-mac-patches-get-root-bug-update-now/
At the well-known DEF CON security shindig in Las Vegas, Nevada, last week, Mac cybersecurity researcher Patrick Wardle revealed a “get-root” elevation of privilege (EoP) bug in Zoom for Mac. In the tweet, which followed his talk [2022-08-12], Wardle noted: “Currently there is no patch”
Tomi Engdahl says:
Healthcare provider Novant issues data breach warning after site tracking pixels sent patients’ information to Meta servers https://portswigger.net/daily-swig/healthcare-provider-novant-issues-data-breach-warning-after-site-tracking-pixels-sent-patients-information-to-meta-servers
Novant Health, a US healthcare provider, is warning patients of a potential data breach resulting from an incorrect configuration of an online tracking tool from the company behind Facebook. Novant, which operates more than 50 healthcare facilities across North Carolina, said it placed a snippet of JavaScript code on its website as part of a promotional campaign during the early stages of the coronavirus pandemic. The code was for Meta Pixel, a digital tracking tool that can be used by organizations to help them gauge the success of Facebook marketing campaigns. However, the tracking pixel in question was “configured incorrectly and may have allowed certain private information to be transmitted to Meta” from the Novant Health website and patient portal, the company said.
Tomi Engdahl says:
Black Hat – Windows isn’t the only mass casualty platform anymore https://www.welivesecurity.com/2022/08/15/black-hat-cloud-hacking-casualty-platform/
In years past, a massive Windows exploit netted mass casualties, but here at Black Hat, talks turned toward other massive attack platforms like clouds and cars. Windows is no longer alone at the front of the pack; hackwise, it has company. The cloud, by nature, is multi-tenant.
This means multiple clients rent a segment of a single shared resource from a cloud provider. But where the intersections exist between tenants and hardware, a single flaw can expose many tenants to badness, and how would they know? How would you know?