This posting is here to collect cyber security news in August 2022.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
Tomi Engdahl says:
ETHERLED: Air-gapped systems leak data via network card LEDs https://www.bleepingcomputer.com/news/security/etherled-air-gapped-systems-leak-data-via-network-card-leds/
Israeli researcher Mordechai Guri has discovered a new method to exfiltrate data from air-gapped systems using the LED indicators on network cards. Dubbed ‘ETHERLED’, the method turns the blinking lights into Morse code signals that can be decoded by an attacker. Capturing the signals requires a camera with a direct line of sight to LED lights on the air-gapped computer’s card. These can be translated into binary data to steal information. The attack begins with planting on the target computer malware that contains a modified version of the firmware for the network card. This allows taking control of the LED blinking frequency, duration, and color. Alternatively, the malware can directly attack the driver for the network interface controller (NIC) to change connectivity status or to modulate the LEDs required for generating the signals. The researcher found that the malicious driver can exploit documented or undocumented hardware functionality to fiddle with network connection speeds and to enable or disable the Ethernet interface, resulting in light blinks and color changes.
Guri’s tests show that each data frame begins with a sequence of ‘1010’, to mark the start of the package, followed by a payload of 64 bits. For data exfiltration through single status LEDs, Morse code dots and dashes lasting between 100 ms and 300 ms were generated, separated by indicator deactivation spaces between 100 ms and 700 ms.
To capture the signals remotely, threat actors can use anything from smartphone cameras (up to 30 meters), drones (up to 50m), hacked webcams (10m), hacked surveillance cameras (30m), and telescopes or cameras with telephoto or superzoom lenses (over 100 meters). The time needed to leak secrets such as passwords through ETHERLED ranges between 1 second and 1.5 minutes, depending on the attack method used, 2.5 sec to 4.2 minutes for private Bitcoin keys, and 42 seconds to an hour for 4096-bit RSA keys.
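A defender-side illustration of the ETHERLED timing described above: the driver variant of the attack blinks the link LED by toggling link state, so a host that logs link transitions can flag bursts whose on/off intervals sit inside the reported 100–300 ms and 100–700 ms windows. This is an added example, not code from the article or from Guri’s research; the log lines are constructed in the style of Linux PHY driver messages and the `eth0` interface name is assumed.

```python
"""Heuristic detector for ETHERLED-style NIC link flapping.

Added example (not from the article or the research). A genuine cable or
switch fault produces a few irregular link transitions; LED modulation for a
covert channel produces a long run of transitions whose durations fall inside
the dot/dash and gap windows reported for ETHERLED. The log format below is a
constructed approximation of Linux "Link is Up/Down" driver messages.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Timing windows reported for ETHERLED single-LED signalling (milliseconds).
ON_WINDOW_MS = (100, 300)    # dot/dash: link up, LED lit
OFF_WINDOW_MS = (100, 700)   # gap between symbols: link down, LED off
MIN_SYMBOLS = 8              # consecutive in-window intervals before alerting

LINK_EVENT = re.compile(
    r"^\[\s*(?P<ts>\d+\.\d+)\]\s+(?P<iface>\S+): Link is (?P<state>Up|Down)\b"
)

# Constructed sample: one normal boot-time link-up, a burst of ten fast
# transitions around t=900 s, then a single slow flap an hour later.
SAMPLE_LOG = """\
[  12.004] eth0: Link is Up - 1000Mbps/Full - flow control rx/tx
[ 900.000] eth0: Link is Down
[ 900.250] eth0: Link is Up - 100Mbps/Full - flow control rx/tx
[ 900.450] eth0: Link is Down
[ 900.900] eth0: Link is Up - 100Mbps/Full - flow control rx/tx
[ 901.050] eth0: Link is Down
[ 901.350] eth0: Link is Up - 100Mbps/Full - flow control rx/tx
[ 901.650] eth0: Link is Down
[ 902.200] eth0: Link is Up - 100Mbps/Full - flow control rx/tx
[ 902.400] eth0: Link is Down
[ 902.700] eth0: Link is Up - 1000Mbps/Full - flow control rx/tx
[3600.000] eth0: Link is Down
[3605.000] eth0: Link is Up - 1000Mbps/Full - flow control rx/tx
"""

# Constructed benign sample: a single slow flap, nothing in the windows.
BENIGN_LOG = """\
[  12.004] eth0: Link is Up - 1000Mbps/Full - flow control rx/tx
[5400.210] eth0: Link is Down
[5403.880] eth0: Link is Up - 1000Mbps/Full - flow control rx/tx
"""


@dataclass
class Verdict:
    iface: str
    transitions: int            # link events seen for this interface
    longest_run: int            # longest run of consecutive in-window intervals
    run_start: Optional[float]  # timestamp (s) where that run began
    suspicious: bool


def parse_link_events(log_text: str) -> Dict[str, List[Tuple[float, bool]]]:
    """Group (timestamp, is_up) events per interface; ignore unrelated lines."""
    events: Dict[str, List[Tuple[float, bool]]] = {}
    for line in log_text.splitlines():
        m = LINK_EVENT.match(line)
        if m:
            events.setdefault(m["iface"], []).append(
                (float(m["ts"]), m["state"] == "Up"))
    return events


def analyse_interface(iface: str, events: List[Tuple[float, bool]]) -> Verdict:
    """Score the longest run of intervals matching ETHERLED on/off timing."""
    longest = current = 0
    run_start: Optional[float] = None
    best_start: Optional[float] = None
    for (t0, up0), (t1, up1) in zip(events, events[1:]):
        if up0 == up1:                   # repeated state, not a transition
            current, run_start = 0, None
            continue
        ms = round((t1 - t0) * 1000)     # round avoids float noise at bounds
        lo, hi = ON_WINDOW_MS if up0 else OFF_WINDOW_MS
        if lo <= ms <= hi:
            if current == 0:
                run_start = t0
            current += 1
            if current > longest:
                longest, best_start = current, run_start
        else:
            current, run_start = 0, None
    return Verdict(iface, len(events), longest, best_start, longest >= MIN_SYMBOLS)


def detect_led_modulation(log_text: str) -> Dict[str, Verdict]:
    """Return a Verdict per interface found in the log text."""
    return {iface: analyse_interface(iface, ev)
            for iface, ev in parse_link_events(log_text).items()}


if __name__ == "__main__":
    for name, log in (("sample", SAMPLE_LOG), ("benign", BENIGN_LOG)):
        for verdict in detect_led_modulation(log).values():
            print(name, verdict)
```

The window check is a heuristic: a flaky link can also flap quickly, so treat a hit as a trigger for inspecting the NIC driver and firmware integrity rather than as proof of exfiltration.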
Tomi Engdahl says:
Google: Iranian hackers use new tool to steal email from victims https://www.bleepingcomputer.com/review/gaming/google-iranian-hackers-use-new-tool-to-steal-email-from-victims/
State-sponsored Iranian hacking group Charming Kitten has been using a new tool to download email messages from targeted Gmail, Yahoo, and Microsoft Outlook accounts. The name of the utility is Hyperscraper and like many of the threat actor’s tools and operations, it is far from sophisticated. The researchers found Hyperscraper in December 2021 and analyzed it using a test Gmail account. It is not a hacking tool but an instrument that helps the attacker steal email data and store it on their machine after logging into the victim’s email account. Getting the credentials (username and password, authentication cookies) for the target inbox is done in a previous step of the attack, typically by stealing them. Hyperscraper has an embedded browser and spoofs the user agent to mimic an outdated web browser, which provides a basic HTML view of the Gmail account’s content. Once logged in, the tool changes the account’s language settings to English and iterates through the contents of the mailbox, individually downloading messages as .eml files and marking them unread. When the exfiltration completes, Hyperscraper changes the language to the original setting and deletes the security alerts from Google for a minimum footprint.
Tomi Engdahl says:
Major airline technology provider Accelya attacked by ransomware group https://therecord.media/major-airline-technology-provider-accelya-attacked-by-ransomware-group/
A technology provider for many of the world’s largest airlines said it recently dealt with a ransomware attack impacting some of its systems.
Accelya, a technology firm providing services to Delta, British Airways, JetBlue, United, Virgin Atlantic, American Airlines and many more, confirmed Tuesday that two of the security firms it hired to address the incident discovered that company data was posted on a ransomware leak site. The AlphV/Black Cat ransomware group published data it allegedly stole from Accelya last Thursday. The group claimed to have stolen emails, worker contracts and more.
Tomi Engdahl says:
Hiding a phishing attack behind the AWS cloud https://www.theregister.com/2022/08/22/aws_cloud_phishing/
In a report this week, researchers with Avanan, acquired last year by cybersecurity company Check Point, outlined a phishing campaign that uses AWS and unusual syntax construction in the messages to get past scanners. “Email services that use static Allow or Block Lists to determine if email content is safe or not are not immune to these attacks,” they wrote. “Essentially, these services will determine whether a website is safe or not. Amazon Web Services will always be marked as safe. It’s too big and too prevalent to block.” Original source:
https://www.avanan.com/blog/hackers-build-phishing-pages-using-aws-apps
Tomi Engdahl says:
Ex-Security Chief Accuses Twitter of Hiding Major Flaws
https://www.securityweek.com/ex-security-chief-accuses-twitter-hiding-major-flaws
Twitter misled users and federal regulators about glaring weaknesses in its ability to protect personal data, the platform’s former security chief claimed in whistleblower testimony likely to impact the company’s bitter legal battle over Elon Musk’s takeover bid.
In a complaint filed with the US Securities and Exchange Commission and published in part Tuesday by The Washington Post and CNN, Peiter Zatko also accused Twitter of significantly underestimating the number of automated bots on the platform — a key element in Musk’s argument for withdrawing his $44 billion buyout deal.
CNN quotes the disclosure by Zatko as accusing Twitter of “negligence, willful ignorance, and threats to national security and democracy.”
Zatko, who Twitter says it fired earlier this year for poor performance, warns of obsolete servers, software vulnerable to computer attacks and executives seeking to hide the number of hacking attempts, both to US authorities and to the company’s board of directors.
Tomi Engdahl says:
LockBit Ransomware Site Hit by DDoS Attack as Hackers Start Leaking Entrust Data
https://www.securityweek.com/lockbit-ransomware-site-hit-ddos-attack-hackers-start-leaking-entrust-data
The leak website of the LockBit ransomware operation has been taken offline by a distributed denial-of-service (DDoS) attack that appears to have been launched in response to the cybercriminals publishing data stolen from security company Entrust.
The Entrust breach was discovered on June 18 and the firm started notifying customers on July 6. However, the intrusion only came to light on July 21, when a security researcher came across a copy of the notification sent by Entrust to customers.
Some researchers said at the time that Entrust had likely fallen victim to ransomware, but no group was named. On August 18, however, the LockBit group took credit for the attack, threatening to leak all the stolen files in 24 hours unless Entrust paid a ransom.
Shortly after the black hat hackers started publishing the Entrust data, their Tor-based leak website was hit by a DDoS attack. The attack requests aimed at the LockBit website included a string urging the cybercrime group to delete the stolen Entrust data.
Tomi Engdahl says:
https://www.securityweek.com/data-california-prisons-visitors-staff-inmates-exposed
Tomi Engdahl says:
‘DirtyCred’ Vulnerability Haunting Linux Kernel for 8 Years
https://www.securityweek.com/dirtycred-vulnerability-haunting-linux-kernel-8-years
Academic researchers from Northwestern University have shared details on ‘DirtyCred’, a previously unknown privilege escalation vulnerability affecting the Linux kernel.
Tracked as CVE-2022-2588, the security flaw can be exploited to escalate privileges, and can also lead to a container escape. The academics say the vulnerability has been present in Linux for eight years.
Described as a use-after-free in the cls_route filter implementation of the Linux kernel, the bug exists because an old filter is not removed from the hashtable before it is freed. The issue can be exploited by a local user with the CAP_NET_ADMIN capability and could lead to a system crash or arbitrary code execution.
PhD students Zhenpeng Lin and Yuhang Wu, and associate professor Xinyu Xing explained earlier this month during the Black Hat conference that the issue is similar to the Dirty Pipe vulnerability (CVE-2022-0847) impacting Linux kernel versions 5.8 and later.
What made Dirty Pipe reputable was its easy exploitation despite protections such as kernel address randomization and pointer integrity check, coupled with the fact that it could be exploited without modifications on all impacted kernel versions.
Tomi Engdahl says:
Security Firm Discloses CrowdStrike Issue After ‘Ridiculous Disclosure Process’
https://www.securityweek.com/security-firm-discloses-crowdstrike-issue-after-ridiculous-disclosure-process
A security firm has disclosed the details of an issue affecting a CrowdStrike product after what it described as a ‘ridiculous vulnerability disclosure process’. CrowdStrike has provided some clarifications following the disclosure.
Researchers at Swiss security firm Modzero discovered an issue related to CrowdStrike’s Falcon endpoint detection and response product. Specifically, the problem is related to the Falcon Sensor, a lightweight agent deployed on each end device. The sensor can be configured with uninstall protection, which prevents its removal without a special token.
Modzero discovered that an attacker with admin privileges can bypass the token check on Windows devices and uninstall the sensor in an effort to remove the protection provided by CrowdStrike’s product.
The firm admitted that ‘the overall risk of the vulnerability is very limited’ due to the fact that elevated privileges are required for exploitation, but it wanted to publish a blog post — in addition to a technical advisory describing the issue — to complain about the disclosure process.
Modzero did not want to report its findings through CrowdStrike’s HackerOne-based bug bounty program and the disclosure process did not go smoothly.
In early June, Modzero started asking CrowdStrike about an alternative way to report its findings, one that did not involve HackerOne or signing a non-disclosure agreement.
Modzero ultimately sent its findings via email in late June, but CrowdStrike initially could not reproduce the issue and later said it did not appear to be a valid vulnerability.
Tomi Engdahl says:
Privilege Escalation Flaw Haunts VMware Tools
https://www.securityweek.com/privilege-escalation-flaw-haunts-vmware-tools
Virtualization technology software giant VMware on Tuesday released patches to fix an important-severity security flaw in the VMware Tools suite of utilities.
The vulnerability, tracked as CVE-2022-31676, could be exploited by attackers to escalate privileges on a compromised system.
“VMware Tools was impacted by a local privilege escalation vulnerability. A malicious actor with local non-administrative access to the Guest OS can escalate privileges as a root user in the virtual machine,” VMware said in an advisory.
VMSA-2022-0024
https://www.vmware.com/security/advisories/VMSA-2022-0024.html
Tomi Engdahl says:
https://www.securityweek.com/gitlab-patches-critical-remote-code-execution-
DevOps platform GitLab has issued patches for a critical remote code execution vulnerability impacting its GitLab Community Edition (CE) and Enterprise Edition (EE) releases.
Tracked as CVE-2022-2884 (CVSS 9.9/10 severity), the security flaw can be exploited via the GitHub import API, but requires authentication to be triggered.
Tomi Engdahl says:
Backdoors Found on Counterfeit Android Phones
https://www.securityweek.com/backdoors-found-counterfeit-android-phones
Russian cybersecurity firm Doctor Web has identified multiple backdoors on the system partitions of several Android devices that are counterfeit versions of popular phones.
The identified smartphones – all pretending to be popular brand-name models such as P48pro, Redmi Note 8, Note30u, and Mate40 – are budget phones powered by an obsolete operating system version (Android 4.4.2), while pretending to run a more recent platform iteration.
Running an older Android version represents in itself a security risk, considering the large number of vulnerabilities that Google has been addressing every month over the past several years.
On top of that, Doctor Web discovered on the system partitions of these devices modified libraries designed to launch malware when in use by any application.
Tomi Engdahl says:
Oracle Faces Class-Action Lawsuit Over Tracking 5 Billion People
The company stands accused of running a ‘Worldwide Surveillance Machine’ and earning billions every year from it.
https://uk.pcmag.com/security/142225/oracle-faces-class-action-lawsuit-over-tracking-5-billion-people
American multinational tech company Oracle is facing a class-action lawsuit claiming it tracks and collects personal information on billions of people, generating revenue of over $40 billion a year in the process.
Tomi Engdahl says:
One-Third of Popular PyPI Packages Mistakenly Flagged as Malicious
https://www.darkreading.com/application-security/one-third-pypi-packages-mistakenly-flagged-malicious
But was it wrong? haha
Tomi Engdahl says:
https://edition.cnn.com/2022/08/23/tech/twitter-whistleblower-peiter-zatko-security/index.html
Tomi Engdahl says:
https://www.malwarebytes.com/blog/news/2022/08/thousands-of-hikvision-video-cameras-remain-unpatched-and-vulnerable-to-takeover
Tomi Engdahl says:
Finland’s PM is a young woman in power. Her partying is the total opposite of disgrace
https://www.theguardian.com/commentisfree/2022/aug/24/finlands-pm-is-a-young-woman-in-power-her-partying-is-the-total-opposite-of-disgrace
Tomi Engdahl says:
Joseph Menn / Washington Post:
A profile of Peiter Zatko, aka Mudge, who worked at DARPA, Google, and Stripe before Twitter, and was a member of hacker groups L0pht and Cult of the Dead Cow
https://www.washingtonpost.com/technology/2022/08/23/peiter-mudge-zatko-twitter-whistleblower/
Tomi Engdahl says:
Reuters:
Peiter Zatko’s whistleblower complaint alleges India forced Twitter to hire one of its agents, who could have accessed sensitive user data due to weak security
India forced Twitter to put agent on payroll, whistleblower says
https://www.reuters.com/world/india/india-forced-twitter-put-agent-payroll-whistleblower-says-2022-08-23/
A former Twitter Inc (TWTR.N) security chief has alleged that the Indian government forced the social media firm to put a government agent on the payroll, according to a whistleblower disclosure with U.S. regulators.
Peiter ‘Mudge’ Zatko raised the issue with the U.S. Securities and Exchange Commission among other security lapse claims at Twitter.
He said the government agent would have had access to sensitive user data due to Twitter’s weak security infrastructure, according to a redacted version of the complaint uploaded by the Washington Post newspaper and verified by Zatko’s attorney at Whistleblower Aid.
Twitter misled U.S. regulators on hackers, spam, whistleblower says
https://www.reuters.com/markets/deals/twitters-former-security-head-alleges-company-misled-regulators-about-security-2022-08-23/
Aug 23 (Reuters) – Twitter Inc (TWTR.N) misled federal regulators about its defenses against hackers and spam accounts, the social media company’s former security chief Peiter Zatko said in a whistleblower complaint.
In an 84-page complaint, Zatko, a famed hacker widely known as “Mudge,” alleged Twitter falsely claimed it had a solid security plan, according to documents relayed by congressional investigators. Twitter’s shares fell 7.3% to close at $39.86.
The document alleges Twitter prioritized user growth over reducing spam, with executives eligible to win individual bonuses of as much as $10 million tied to increases in daily users, and nothing explicitly for cutting spam.
Tomi Engdahl says:
Jon Porter / The Verge:
Facebook fixes a bizarre bug that filled user feeds with endless posts from celebrity accounts for over three hours
A Facebook bug spammed celebrity comments to everyone for hours
Followers posted memes to take advantage of the carnage
https://www.theverge.com/2022/8/24/23319552/facebook-bug-celebrity-spam-memes-carnage?scrolla=5eb6d68b7fedc32c19ef33b4
Tomi Engdahl says:
Mariella Moon / Engadget:
Plex tells users to reset passwords immediately after a hacker accessed some data, including emails, usernames, and encrypted passwords — Plex users may want to change their passwords as soon as they’re able. The digital media player and streaming service said a bad actor had infiltrated …
https://www.engadget.com/plex-reset-passwords-potential-data-breach-082347517.html
Tomi Engdahl says:
Musk Subpoenas Ex-Security Chief Whistleblower In Battle For Twitter
The courts are heating up.
Tomi Engdahl says:
The company formerly known as Square is facing a class action suit in which the Twitter cofounder’s business is accused of being “negligent.” It comes as a former Twitter security exec dropped bombshell allegations about the ways in which it handles data. https://trib.al/Q9C1pUr
Tomi Engdahl says:
https://hackersonlineclub.com/plex-hacked-change-your-password-now/
Tomi Engdahl says:
RansomEXX claims ransomware attack on Sea-Doo, Ski-Doo maker https://www.bleepingcomputer.com/news/security/ransomexx-claims-ransomware-attack-on-sea-doo-ski-doo-maker/
The RansomEXX ransomware gang is claiming responsibility for the cyberattack against Bombardier Recreational Products (BRP), disclosed by the company on August 8, 2022.
Tomi Engdahl says:
Plex warns users to reset passwords after a data breach https://www.bleepingcomputer.com/news/security/plex-warns-users-to-reset-passwords-after-a-data-breach/
The Plex media streaming platform is sending password reset notices to many of its users in response to discovering unauthorized access to one of its databases. According to the letter that a reader shared with BleepingComputer, the intruder potentially accessed a limited subset of data, including email addresses, usernames, and encrypted passwords.
Tomi Engdahl says:
Hackers Using Fake DDoS Protection Pages to Distribute Malware https://thehackernews.com/2022/08/hackers-using-fake-ddos-protection.html
WordPress sites are being hacked to display fraudulent Cloudflare DDoS protection pages that lead to the delivery of malware such as NetSupport RAT and Raccoon Stealer. “A recent surge in JavaScript injections targeting WordPress sites has resulted in fake DDoS prevent prompts which lead victims to download remote access trojan malware,” Sucuri’s Ben Martin said in a write-up published last week. The new attack vector involves hijacking WordPress sites to display fake DDoS protection pop-ups that, when clicked, ultimately lead to the download of a malicious ISO file (“security_install.iso”) to the victim’s systems.
Tomi Engdahl says:
Researchers Warn of AiTM Attack Targeting Google G-Suite Enterprise Users https://thehackernews.com/2022/08/researchers-warn-of-aitm-attack.html
The threat actors behind a large-scale adversary-in-the-middle (AiTM) phishing campaign targeting enterprise users of Microsoft email services have also set their sights on Google Workspace users. “This campaign specifically targeted chief executives and other senior members of various organizations which use [Google Workspace],” Zscaler researchers Sudeep Singh and Jagadeeswar Ramanukolanu detailed in a report published this month.
Tomi Engdahl says:
New Air Gap-Jumping Attack Uses Ultrasonic Tones and Smartphone Gyroscope
https://www.securityweek.com/new-air-gap-jumping-attack-uses-ultrasonic-tones-and-smartphone-gyroscope
A researcher from the Ben-Gurion University of the Negev in Israel has shown how a threat actor could stealthily exfiltrate data from air-gapped computers using ultrasonic tones and smartphone gyroscopes.
The attack method, named GAIROSCOPE, assumes that the attacker has somehow managed to plant malware on the air-gapped computer from which they want to steal data, as well as on a smartphone that is likely to go near the isolated device.
According to researcher Mordechai Guri, the malware that is on the air-gapped computer can transmit ultrasonic tones using the device’s loudspeakers. These tones are inaudible and on a frequency that is picked up by a gyroscope.
The malware that is on the isolated device collects valuable data such as passwords and encryption keys, and encodes it using audio frequency-shift keying, where one specified frequency represents a ‘0’ bit and a different frequency represents a ‘1’ bit. The malware uses the device’s speakers to transmit inaudible sounds at those frequencies.
On the phone side of the attack, the infected device’s gyroscope picks up those tones when it’s near the air-gapped computer. The method leverages previous research that showed how gyroscopes are vulnerable to acoustic attacks.
GAIROSCOPE: Injecting Data from Air-Gapped Computers to Nearby Gyroscopes
https://arxiv.org/pdf/2208.09764.pdf
Tomi Engdahl says:
https://www.securityweek.com/plex-confirms-database-breach-data-theft
Tomi Engdahl says:
https://www.securityweek.com/class-action-lawsuit-filed-against-oracle-over-data-collection-practices
A class action lawsuit filed against Oracle on Friday in the Northern District of California claims that the tech giant has built a worldwide surveillance machine.
Tomi Engdahl says:
Over 80,000 Unpatched Hikvision Cameras Exposed to Takeover
https://www.securityweek.com/over-80000-unpatched-hikvision-cameras-exposed-takeover
Cybersecurity firm Cyfirma has identified more than 80,000 Hikvision cameras that haven’t been patched against a critical code execution vulnerability exploited in the wild.
Tracked as CVE-2021-36260, the vulnerability leads to root access and allows an attacker to take full control of a device and potentially compromise the entire network. More than 70 Hikvision device models are impacted.
The security bug has a CVSS rating of 9.8, given that exploitation only requires access to the HTTP(S) server port (typically 80/443), without authentication.
Tomi Engdahl says:
https://www.securityweek.com/ibm-patches-severe-vulnerabilities-mq-messaging-middleware
Tomi Engdahl says:
Mozilla Patches High-Severity Vulnerabilities in Firefox, Thunderbird
https://www.securityweek.com/mozilla-patches-high-severity-vulnerabilities-firefox-thunderbird-0
Mozilla this week patched several high-severity vulnerabilities in its Firefox and Thunderbird products.
Firefox 104 — as well as Firefox ESR 91.13 and 102.2 — patches a high-severity address bar spoofing issue related to XSLT error handling. The flaw, tracked as CVE-2022-38472, could be exploited for phishing.
The latest Firefox release also resolves CVE-2022-38473, an issue related to cross-origin XSLT documents that could pose security and privacy risks.
“A cross-origin iframe referencing an XSLT document would inherit the parent domain’s permissions (such as microphone or camera access),” Mozilla explained in its advisory.
Both vulnerabilities were reported to Mozilla by researcher Armin Ebert.
Another microphone-related issue patched in Firefox is CVE-2022-38474. On Android, a website with permission to access the microphone could record audio without displaying a notification. Since it does not actually allow an attacker to bypass the permission prompt, the flaw only has a severity rating of ‘low’.
In addition, two CVE identifiers, CVE-2022-38477 and CVE-2022-38478, have been assigned to multiple memory safety bugs that could lead to arbitrary code execution.
Most of these vulnerabilities have also been fixed in Thunderbird.
https://www.mozilla.org/en-US/security/advisories/mfsa2022-33/
Tomi Engdahl says:
Microsoft Details New Post-Compromise Malware Used by Russian Cyberspies
https://www.securityweek.com/microsoft-details-new-post-compromise-malware-used-russian-cyberspies
Microsoft this week published technical details on ‘MagicWeb’, a new post-exploitation tool used by Russia-linked cyberespionage group APT29.
Tracked by Microsoft as Nobelium, the threat actor is also referred to as Cozy Bear, the Dukes, and Yttrium, and is believed to have orchestrated the 2020 SolarWinds hack and the 2016 attack against the Democratic National Committee (DNC).
Last year, Microsoft published an analysis of FoggyWeb, a persistent, highly targeted data-collection tool that the state-sponsored group was deploying on compromised Active Directory Federation Services (AD FS) servers.
Now, the tech giant is sharing details on MagicWeb, a backdoor that adds covert access capabilities on top of data stealing, and which allows the attackers to sign in to the compromised Active Directory as virtually any user.
“MagicWeb is a malicious DLL that allows manipulation of the claims passed in tokens generated by an Active Directory Federated Services (AD FS) server. It manipulates the user authentication certificates used for authentication, not the signing certificates used in attacks like Golden SAML,” Microsoft says.
https://www.microsoft.com/security/blog/2022/08/24/magicweb-nobeliums-post-compromise-trick-to-authenticate-as-anyone/
Tomi Engdahl says:
Musk Lawyers Seize on Twitter Whistleblower Revelations
https://www.securityweek.com/musk-lawyers-seize-twitter-whistleblower-revelations
Tomi Engdahl says:
Privacy Activists Target Google Over French ‘Spam’ Emails
https://www.securityweek.com/privacy-activists-target-google-over-french-spam-emails
Google is breaking EU law by sending users of its email service Gmail direct advertising messages, activists said in a complaint sent to French regulators on Wednesday.
It is the latest in a long line of complaints filed by the activist group NOYB (None of Your Business), which has fought the tech giant for years on data privacy.
The French data regulator CNIL has been among the most active in Europe, doling out huge fines against Google and Facebook in particular.
The activist group provided screenshots to CNIL that showed marketing messages at the top of a user’s inbox.
The messages were marked with a green box and the word “annonce”, French for advert.
Tomi Engdahl says:
https://thehackernews.com/2022/08/google-uncovers-tool-used-by-iranian.html?m=1
Adrian says:
The constant need for updated data security
https://remotoworkforce.com/
Tomi Engdahl says:
The Twitter document leak is the stroke of luck Elon Musk has been hoping for. According to the disclosure, a large share of Twitter employees can access sensitive data without any particular oversight
https://www.kauppalehti.fi/uutiset/twitter-asiakirjavuoto-on-elon-muskin-kaipaama-onnenpotku-paljastuksen-mukaan-iso-osa-twitterin-tyontekijoista-paasee-arkaluontoiseen-dataan-kasiksi-ilman-kummempaa-valvontaa/f16175fc-153c-454f-b1d1-f5f7c261d882
According to Twitter’s former security chief Peiter “Mudge” Zatko, the social media giant has taken a lax attitude to information security.
In addition, he says Twitter’s management has no understanding of, or interest in finding out, how large a share of the platform’s users are ultimately bots. This emerges from the 200-page disclosure document Zatko sent to the US Congress and federal agencies. CNN and The Washington Post say they have seen these documents. CNN:
https://edition.cnn.com/2022/08/23/tech/twitter-whistleblower-peiter-zatko-security/index.html
Post:
https://www.washingtonpost.com/technology/interactive/2022/twitter-whistleblower-sec-spam/?itid=hp-top-table-main
Tomi Engdahl says:
US propaganda operation removed from social media, fake accounts targeted China and Russia https://www.tivi.fi/uutiset/tv/2b7fdc4c-f670-4fcd-9d23-1fd3e0628f6f
Twitter, Facebook and Instagram have removed several user accounts that spread Russian-language propaganda on behalf of the United States. The propaganda operation was reported by researchers at the Stanford Internet Observatory and the research company Graphika. According to the news site Vice, the methods of the five-year campaign were largely the same as those Russia used in the United States during the 2016 presidential election. Memes, petitions, fake news, doctored images and various hashtags were spread on social media. The removal of the accounts is a sign that US technology companies are prepared to intervene in propaganda produced by their home country as well. Deceptive tactics were also used on five other social media platforms.
Tomi Engdahl says:
HUS sent a frightening letter about an Apotti error, Yle reports; it later retracted its statement
https://www.tivi.fi/uutiset/tv/fdb190f6-5481-48e7-9458-ff3115e93558
The Hospital District of Helsinki and Uusimaa (HUS) informed about 500 clients by letter that an error had occurred in the storage of their patient records, Yle reported. According to the letter, records of an outpatient clinic visit at a HUS unit had also been saved to the patient register of the client’s home municipality health centre, even though the clients had a ban on disclosure of their data. The information given about the situation changed on Wednesday. HUS acting chief administrative physician Veli-Matti Ulander told Yle that no actual data security breach had occurred. The data had not gone into the health centres’ system after all: it had formed a new register that can only be accessed with administrator rights to the Apotti patient information system.
Tomi Engdahl says:
MERCURY leveraging Log4j 2 vulnerabilities in unpatched systems to target Israeli organizations https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/
In recent weeks, the Microsoft Threat Intelligence Center (MSTIC) and Microsoft 365 Defender Research Team detected Iran-based threat actor MERCURY leveraging exploitation of Log4j 2 vulnerabilities in SysAid applications against organizations all located in Israel. MSTIC assesses with high confidence that MERCURY’s observed activity was affiliated with Iran’s Ministry of Intelligence and Security (MOIS).
Tomi Engdahl says:
Microsoft: Russian malware hijacks ADFS to log in as anyone in Windows https://www.bleepingcomputer.com/news/security/microsoft-russian-malware-hijacks-adfs-to-log-in-as-anyone-in-windows/
Microsoft has discovered a new malware used by the Russian hacker group APT29 (a.k.a. NOBELIUM, Cozy Bear) that enables authentication as anyone in a compromised network. As a state-sponsored cyberespionage actor, APT29 employs the new capability to hide their presence on the networks of their targets, typically government and critical organizations across Europe, the U.S., and Asia. Dubbed ‘MagicWeb’, the new malicious tool is an evolution of ‘FoggyWeb’, which allowed hackers to exfiltrate the configuration database of compromised Active Directory Federation Services (ADFS) servers, decrypt token-signing and token-decryption certificates, and fetch additional payloads from the command and control (C2) server. The ‘MagicWeb’ tool replaces a legitimate DLL used by ADFS with a malicious version to manipulate user authentication certificates and to modify claims passed in tokens generated by the compromised server. Because ADFS servers facilitate user authentication, MagicWeb can help APT29 validate authentication for any user account on that server, giving them persistence and an abundance of pivoting opportunities.
Tomi Engdahl says:
Twilio hackers hit over 130 orgs in massive Okta phishing attack https://www.bleepingcomputer.com/news/security/twilio-hackers-hit-over-130-orgs-in-massive-okta-phishing-attack/
Hackers responsible for a string of recent cyberattacks, including those on Twilio, MailChimp, and Klaviyo, compromised over 130 organizations in the same phishing campaign. This phishing campaign utilized a phishing kit codenamed ‘0ktapus’ to steal 9,931 login credentials that the hackers then used to gain access to corporate networks and systems through VPNs and other remote access devices.
According to a Group-IB report, the 0ktapus campaign has been underway since at least March 2022, aiming to steal Okta identity credentials and 2FA codes and use them to carry out subsequent supply chain attacks.
Tomi Engdahl says:
PyPI packages hijacked after developers fall for phishing emails https://www.bleepingcomputer.com/news/security/pypi-packages-hijacked-after-developers-fall-for-phishing-emails/
A phishing campaign caught yesterday was seen targeting maintainers of Python packages published to the PyPI registry. Python packages ‘exotel’ and ‘spam’ are among hundreds seen laced with malware after attackers successfully compromised accounts of maintainers who fell for the phishing email.
Tomi Engdahl says:
Researchers Uncover Kimsuky Infra Targeting South Korean Politicians and Diplomats https://thehackernews.com/2022/08/researchers-uncover-kimusky-infra.html
The North Korean nation-state group Kimsuky has been linked to a new set of malicious activities directed against political and diplomatic entities located in its southern counterpart in early 2022. Kimsuky, also known as Black Banshee, Thallium, and Velvet Chollima, is the name given to a prolific North Korean advanced persistent threat (APT) group that targets entities globally, but with a primary focus on South Korea, to gain intelligence on various topics of interest to the regime.
Tomi Engdahl says:
Palo Alto warns of firewall vulnerability used in DDoS attack on service provider https://therecord.media/palo-alto-warns-of-firewall-vulnerability-used-in-ddos-attack-on-service-provider/
Palo Alto Networks is urging customers to patch a line of firewall products after finding that the vulnerability was used in a distributed denial-of-service (DDoS) attack. On August 19, the company made all patches available for CVE-2022-0028 which affects the PA-Series, VM-Series and CN-Series of the PAN-OS firewall software.
Tomi Engdahl says:
https://www.securityweek.com/twitter-ordered-give-musk-additional-bot-account-data
Tomi Engdahl says:
LastPass Says Source Code Stolen in Data Breach
https://www.securityweek.com/lastpass-says-source-code-stolen-data-breach
Password management software firm LastPass has suffered a data breach that led to the theft of source code and proprietary technical information.
The company, which is owned by GoTo (formerly LogMeIn), disclosed the breach in an online notice posted Thursday but insisted that the customer master passwords or any encrypted password vault data were not compromised.
LastPass chief executive Karim Toubba said the company’s security team detected unusual activity within portions of the LastPass development environment two weeks ago and launched an investigation that confirmed the source code theft.
From the LastPass notice:
We have determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information. Our products and services are operating normally.