This posting is here to collect cyber security news in September 2022.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
411 Comments
Tomi Engdahl says:
Chromium browsers can write to the system clipboard without your permission https://www.malwarebytes.com/blog/news/2022/08/chromium-browsers-can-write-to-the-system-clipboard
If you are a user of Google Chrome or any other Chromium-based web browser, then websites may push anything they want to the operating system’s clipboard without your permission or any user interaction.
Tomi Engdahl says:
Linux is now being attacked with ransomware
https://etn.fi/index.php/13-news/13949-linuxiin-hyoekaetaeaen-nyt-kiristysohjelmilla
Security company Trend Micro has published its security report for the first half of the year. One of the report's forecasts says that in the coming years, cybercriminals running ransomware attacks will target Linux servers and embedded systems more than before.
The number of attacks against these systems has already grown significantly compared with the same period last year. In total, Trend Micro blocked 63 billion threats in the first half of 2022, a 52 percent increase over the first half of the previous year. Malware attacks were aimed in particular at public administration, industrial and healthcare systems.
The first half of 2022 saw a sharp rise in ransomware-as-a-service attacks. The most widely used ransomware families were observed dramatically more often than in the first half of 2021: LockBit and Conti attacks were observed 500 percent more often than the previous year, and the number of detections nearly doubled in six months.
Tomi Engdahl says:
CRYPTO DEV ENTERS WRONG COMMAND, DESTROYS ENTIRE COMPANY
“WE SINCERELY APOLOGIZE…”
https://futurism.com/the-byte/crypto-dev-command-company?utm_campaign=trueanthem_manual&utm_medium=social&utm_source=facebook
Big Oopsie
Staff at decentralized finance platform OptiFi must be having a really bad day.
Why? The company says a coding error accidentally — and permanently — shut the entire Solana blockchain-based platform down, wiping out $661,000 worth of a stablecoin called USDC.
“We sincerely apologize for a program incident leading to the sudden closure of the OptiFi mainnet program and we could not recover it,” the company’s blog post on the blunder reads. “We will compensate all users’ funds and prevent it from happening again.”
Tomi Engdahl says:
Microsoft found TikTok Android flaw that let hackers hijack accounts
https://www.bleepingcomputer.com/news/security/microsoft-found-tiktok-android-flaw-that-let-hackers-hijack-accounts/
Tomi Engdahl says:
Top cybersecurity expert claims that more than 80 percent of Twitter accounts are probably bots
https://www.businessinsider.in/tech/news/more-than-80-percent-of-twitter-accounts-are-probably-bots/amp_articleshow/93919184.cms
Top cybersecurity expert claimed that eight out of ten Twitter accounts are fake.
Dan Woods, a top cybersecurity expert, has also worked with the US federal law enforcement and intelligence organisations.
Earlier, Musk terminated a $44 billion Twitter deal over bots and spam.
Dan Woods, Global Head of Intelligence at cybersecurity company F5, who spent more than 20 years with the US federal law enforcement and intelligence organisations, told The Australian that more than 80 per cent of Twitter accounts are probably bots — a massive claim as Twitter says only 5 per cent of its users are bots/spams.
“Sure sounds higher than 5 per cent,” tweeted Musk, along with tagging the news article.
“On a $/bot basis, this deal is awesome,” he chuckled.
Musk has terminated the $44 billion Twitter takeover deal, and the matter is now in a US court, over the presence of bots on the platform, and seeks answers from Agrawal via an open debate.
According to Woods, a former CIA and FBI cybersecurity specialist, both Musk and Twitter have underestimated the bot problem on the micro-blogging platform.
Tomi Engdahl says:
Infra Used in Cisco Hack Also Targeted Workforce Management Solution https://thehackernews.com/2022/09/infra-used-in-cisco-hack-also-targeted.html
The attack infrastructure used to target Cisco in the May 2022 incident was also employed against an attempted compromise of an unnamed workforce management solutions holding company a month earlier in April 2022. Cybersecurity firm eSentire, which disclosed the findings, raised the possibility that the intrusions could be the work of a criminal actor known as mx1r, who is said to be a member of the Evil Corp affiliate cluster dubbed UNC2165.
Tomi Engdahl says:
Apple backports fix for actively exploited iOS zero-day to older iPhones https://www.bleepingcomputer.com/news/apple/apple-backports-fix-for-actively-exploited-ios-zero-day-to-older-iphones/
Apple has released new security updates to backport patches released earlier this month to older iPhones and iPads addressing a remotely exploitable WebKit zero-day that allows attackers to execute arbitrary code on unpatched devices. This zero-day vulnerability is the same one Apple patched for macOS Monterey and iPhone/iPad devices on August 17, and for Safari on August 18. The flaw is tracked as CVE-2022-3289 and is an out-of-bounds write vulnerability in WebKit, the web browser engine used by Safari and other apps to access the web.
Tomi Engdahl says:
Montenegro hit by ransomware attack, hackers demand $10 million https://www.bleepingcomputer.com/news/security/montenegro-hit-by-ransomware-attack-hackers-demand-10-million/
The government of Montenegro has provided more information about the attack on its critical infrastructure saying that ransomware is responsible for the damage and disruptions. Public Administration Minister Maras Dukaj stated on local television yesterday that behind the attack is an organized cybercrime group. The effects of the incident continue for the tenth day. The minister added that a “special virus” is used in this attack and there is a ransom demand of $10 million. Cuba ransomware gang listed the Parliament of Montenegro (Skupstina) as its victim and claimed to have stolen financial documents, correspondence with banks, balance sheets, tax documents, compensation, and even source code.
Tomi Engdahl says:
New ransomware hits Windows, Linux servers of Chile govt agency https://www.bleepingcomputer.com/news/security/new-ransomware-hits-windows-linux-servers-of-chile-govt-agency/
Chile’s national computer security and incident response team (CSIRT) has announced that a ransomware attack has impacted operations and online services of a government agency in the country. The attack started on Thursday, August 25, targeting Microsoft and VMware ESXi servers operated by the agency. The hackers stopped all running virtual machines and encrypted their files, appending the “.crypt” filename extension.
Tomi Engdahl says:
Over 1,000 iOS apps found exposing hardcoded AWS credentials https://www.bleepingcomputer.com/news/security/over-1-000-ios-apps-found-exposing-hardcoded-aws-credentials/
Security researchers are raising the alarm about mobile app developers relying on insecure practices that expose Amazon Web Services (AWS) credentials, making the supply chain vulnerable. Malicious actors could take advantage of this to access private databases, leading to data breaches and the exposure of customers’ personal data.
Researchers at Symantec’s Threat Hunting team, part of Broadcom Software, found 1,859 applications containing hard-coded AWS credentials, most of them being iOS apps and just 37 for Android.
Roughly 77% of those applications contained valid AWS access tokens that could be used for direct access to private cloud services.
Additionally, 874 applications contained valid AWS tokens that hackers can use for accessing cloud instances containing live-service databases that hold millions of records.
Tomi Engdahl says:
Migration policy org confirms cyberattack after extortion group touts theft https://therecord.media/migration-policy-org-confirms-cyberattack-after-extortion-group-touts-theft/
The International Centre for Migration Policy Development (ICMPD) confirmed on Wednesday it suffered a cyberattack that led to a data breach. ICMPD operates in 90 countries conducting research, projects and activities centered around migration. It currently has 19 member states most of which are European and has observer status at the United Nations. It works with several UN and European agencies as well as states across Africa, Asia and South America. The organization is in the process of investigating what information was compromised, according to Schragl, who added that they have reported the incident to law enforcement agencies.
Tomi Engdahl says:
Neopets says hackers had access to its systems for 18 months https://www.bleepingcomputer.com/news/security/neopets-says-hackers-had-access-to-its-systems-for-18-months/
Neopets has released details about the recently disclosed data breach incident that exposed personal information of more than 69 million members. Findings of the investigation launched on July 20, 2022 revealed that attackers had access to the Neopets IT systems from January 3, 2021 until July 19, 2022. The company learned about the breach only after a hacker offered to sell a Neopets database for four bitcoins. The hacker claimed the database contained 460MB of source code and sensitive personal information for 69 million members.
Tomi Engdahl says:
Tech Tool Offers Police ‘Mass Surveillance on a Budget’
https://www.securityweek.com/tech-tool-offers-police-mass-surveillance-budget
Local law enforcement agencies from suburban Southern California to rural North Carolina have been using an obscure cellphone tracking tool, at times without search warrants, that gives them the power to follow people’s movements months back in time, according to public records and internal emails obtained by The Associated Press.
Police have used “Fog Reveal” to search hundreds of billions of records from 250 million mobile devices, and harnessed the data to create location analyses known among law enforcement as “patterns of life,” according to thousands of pages of records about the company.
Tomi Engdahl says:
Hardcoded AWS Credentials in 1,800 Mobile Apps Highlight Supply Chain Issues
https://www.securityweek.com/hardcoded-aws-credentials-1800-mobile-apps-highlight-supply-chain-issues
Symantec has discovered hardcoded AWS credentials in more than 1,800 mobile applications and warned of the potential risks associated with poor security practices.
While Symantec’s threat hunting team has looked at both Android and iOS apps, nearly all of the applications containing hardcoded credentials were developed for iOS.
A closer analysis revealed that 77% of the apps contained valid AWS access tokens that provide access to private cloud services, and nearly half contained tokens that provide full access to files — in some cases millions of files — in the Amazon S3 storage service.
The study highlights a supply chain issue with potentially serious implications. More than half of the mobile applications were using the same AWS access tokens that were present in other apps, often created by different developers and companies.
The source of the problem is often a component that is used by multiple developers, such as a third-party library or SDK. While in some cases the access keys found in an application are needed to download or upload assets or resources, to access configuration files, or to access cloud services, sometimes they are simply there because the developer forgot about them.
The credentials might only allow access to a specific asset, in which case their exposure has limited impact. However, in some cases, the developer may unwittingly be using and exposing an access token that leaves all of an organization’s files and storage at risk.
“Imagine a business-to-business (B2B) company providing access to its service using a third-party SDK and embedding an AWS hard-coded access key, exposing not only the private data of the app using the third-party SDK, but also the private data of all apps using the third-party component,” Symantec explained.
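Added example (not from the article, and not Symantec's tooling) for the two hard-coded AWS credential reports above: it scans constructed strings of the kind pulled from unpacked app bundles for AWS access key IDs and labelled 40-character secrets, filters obvious placeholders by entropy, and reports keys that recur across different apps, which is the shared-SDK supply-chain pattern the report describes. All app names, paths and keys are made-up assumptions.

```python
"""Scan unpacked app bundle text for hard-coded AWS credentials and report
access keys that are shared between apps (the shared-SDK supply-chain signal)."""
import json
import math
import re
from collections import defaultdict

# AWS access key IDs are 20 chars: a 4-char prefix (AKIA long-term, ASIA temporary)
# followed by 16 uppercase alphanumerics.
ACCESS_KEY_RE = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")

# Secret access keys are 40 base64-style chars. Requiring a nearby "secret...key"
# label keeps random base64 blobs (certificates, images) out of the results.
SECRET_RE = re.compile(
    r"(?i)secret(?:_?access)?_?key[\"']?\s*[:=]\s*[\"']?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; placeholders like 'xxxx...' score near 0."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text: str) -> dict:
    """Return access key IDs and plausible (high-entropy) secrets in one text blob."""
    keys = sorted({m.group(0) for m in ACCESS_KEY_RE.finditer(text)})
    secrets = [m.group(1) for m in SECRET_RE.finditer(text)]
    secrets = [s for s in secrets if shannon_entropy(s) > 3.0]
    return {"access_keys": keys, "secrets": secrets}


def scan_apps(apps: dict) -> dict:
    """apps: {app_name: {file_path: text}}. Returns per-app findings plus the
    access key IDs that appear in more than one app (likely a shared SDK)."""
    per_app = {}
    key_to_apps = defaultdict(set)
    for app, files in apps.items():
        found_keys, found_secrets = set(), []
        for _path, text in files.items():
            result = scan_text(text)
            found_keys.update(result["access_keys"])
            found_secrets.extend(result["secrets"])
            for key in result["access_keys"]:
                key_to_apps[key].add(app)
        per_app[app] = {
            "access_keys": sorted(found_keys),
            "has_secret": bool(found_secrets),
        }
    shared = {k: sorted(v) for k, v in key_to_apps.items() if len(v) > 1}
    return {"apps": per_app, "shared_keys": shared}


# Constructed sample input (assumption): strings as they might be extracted from
# unpacked iOS bundles. Every key below is a made-up, non-functional placeholder.
_VENDOR_SDK_CONFIG = (
    '{"AWSAccessKeyId": "AKIAEXAMPLE000000001", '
    '"AWSSecretAccessKey": "0123456789abcdefghijklmnopqrstuvwxyzEXAM", '
    '"Bucket": "vendor-sdk-assets"}'
)
SAMPLE_APPS = {
    # Two unrelated apps embed the same third-party SDK config: shared key.
    "ShopApp": {"Frameworks/VendorSDK/config.json": _VENDOR_SDK_CONFIG},
    "NewsApp": {
        "Frameworks/VendorSDK/config.json": _VENDOR_SDK_CONFIG,
        "Info.plist": "<key>CFBundleName</key><string>NewsApp</string>",
    },
    # Key ID present, but the secret is an obvious placeholder (filtered out).
    "GameApp": {
        "Info.plist": "<string>AKIAEXAMPLE000000002</string>"
        + ' secret_key="' + "x" * 40 + '"'
    },
    "CleanApp": {"Info.plist": "<string>nothing here</string>"},
}

if __name__ == "__main__":
    print(json.dumps(scan_apps(SAMPLE_APPS), indent=2))
```

On a real bundle, feed the strings of each file (for example the output of `strings` over the app directory) into `scan_apps` and treat any key in `shared_keys` as a vendor-SDK credential that needs rotating on the vendor's side, not just in one app.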
Tomi Engdahl says:
Chrome Bug Allows Webpages to Replace Clipboard Contents
https://www.securityweek.com/chrome-bug-allows-webpages-replace-clipboard-contents
A vulnerability in Google Chrome – and in all Chromium-based browsers – allows webpages to replace the contents of the system clipboard without the user’s consent or interaction.
The issue exists because the browser does not have the necessary safeguards to prevent sites from writing to the clipboard.
According to developer Jeff Johnson, the bug was introduced in Chrome 104, when a requirement for a user gesture to copy content to the clipboard was broken.
Because of that, when a user visits a specially crafted webpage, the content of the system clipboard may be replaced with content defined on that page.
The same issue is present in Firefox and Safari as well, the developer says. However, while the bug can be triggered in Chrome without user interaction, some form of gesture is required to exploit it in Firefox and Safari.
According to Johnson, when on the crafted page, if the user triggers a ‘copy’ or ‘cut’ command, clicks on a link, or simply scrolls down or up (using either the mouse or the keyboard), the page is granted the permission to overwrite the system clipboard.
The developer has created a demo webpage to showcase the vulnerability. SecurityWeek was able to verify the issue on the most recent Chrome release (version 105), but could not reproduce it in Firefox.
https://webplatform.news/
Tomi Engdahl says:
Ransomware Gang Claims Customer Data Stolen in TAP Air Portugal Hack
https://www.securityweek.com/ransomware-gang-claims-customer-data-stolen-tap-air-portugal-hack
The Ragnar Locker ransomware gang says it has exfiltrated customer data in a cyberattack on Portuguese state-owned flag carrier airline TAP Air Portugal.
https://twitter.com/tapairportugal/status/1563138200536682496
TAP was the target of a cyber-attack, now blocked. Operational integrity is guaranteed. No facts have been found that allow us to conclude that there has been improper access to customer data. The website and app still have some instability. Thank you for your understanding.
The incident was initially disclosed on August 26, when TAP announced on Twitter that it managed to foil the cyberattack before the threat actor could access any customer data.
“TAP was the target of a cyberattack, now blocked. Operational integrity is guaranteed. No facts have been found that allow us to conclude that there has been improper access to customer data. The website and app still have some instability. Thank you for your understanding,” the company said.
Tomi Engdahl says:
Hacker attack created traffic chaos in Moscow – Anonymous claimed responsibility https://www.is.fi/digitoday/tietoturva/art-2000009044255.html
The hacker collective claims to have hacked the systems of Yandex Taxi.
THE HACKER COLLECTIVE Anonymous says it attacked the systems of the Yandex taxi service in Russia and caused a traffic jam on Thursday by ordering a large number of taxis to the same address in Moscow.
A Twitter account linked to Anonymous published a video showing taxis stuck in a jam on Kutuzovsky Prospekt. The minute-long video shows several dozen taxis blocking the street. Victory Park and the Hotel Ukraina are nearby.
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/google-chrome-emergency-update-fixes-new-zero-day-used-in-attacks/
Tomi Engdahl says:
Hive ransomware hits Damart clothing store with $2 million ransom https://www.bleepingcomputer.com/news/security/hive-ransomware-hits-damart-clothing-store-with-2-million-ransom/
Damart, a French clothing company with over 130 stores across the world, is being extorted for $2 million after a cyberattack from the Hive ransomware gang. Some of the company’s systems have been encrypted and operations have been disrupted since August 15. A report from Valéry Marchive, who was able to retrieve a leaked ransom note and published details on LeMagIT, notes that the hackers are not willing to negotiate and expect parent company Damartex to pay the full ransom.
Tomi Engdahl says:
Dev backdoors own malware to steal data from other hackers https://www.bleepingcomputer.com/news/security/dev-backdoors-own-malware-to-steal-data-from-other-hackers/
Cybercriminals using Prynt Stealer to collect data from victims are being swindled by the malware developer, who also receives a copy of the info over the Telegram messaging service. The malware developer has planted in the builder for the infostealer a backdoor that is present in every resulting copy that is being rented to cybercriminals for prices between $100 per month or $700 per year to $900 for a lifetime subscription. Prynt Stealer can steal cryptocurrency wallet information, sensitive info stored in web browsers (credentials, credit cards), VPN account data, and cloud gaming account details. According to a report from cloud security company Zscaler, the malware comes with an additional, hardcoded Telegram token and ID to send stolen data to the author behind the operator’s back.
Tomi Engdahl says:
Samsung discloses data breach after July hack https://www.bleepingcomputer.com/news/security/samsung-discloses-data-breach-after-july-hack/
Electronics giant Samsung has confirmed a new data breach today after some of its U.S. systems were hacked to steal customer data. The company said its systems were compromised in late July 2022. Samsung later discovered on August 4 that customer personal information was accessed and exfiltrated out of its network. While the attackers did not steal Social Security or credit card numbers during the breach, they snatched Samsung customers’ names, contacts and demographic information, dates of birth, and product registration data. “Samsung detected the incident and has taken actions to secure the affected systems. As part of our ongoing investigation, we have engaged a leading outside cybersecurity firm and are coordinating with law enforcement,” Samsung said.
Tomi Engdahl says:
Data broker sued for allegedly selling individuals’ sensitive location data https://www.malwarebytes.com/blog/news/2022/08/data-broker-kochava-sued-for-allegedly-selling-location-data
The Federal Trade Commission (FTC) has sued data broker Kochava for allegedly selling information that would allow for individuals’ whereabouts to be traced to sensitive locations. The information included location data from hundreds of millions of phones, including sensitive locations that could be tied to an individual. As we can read in the complaint, the Federal Trade Commission filed the lawsuit against Kochava for selling geolocation data from hundreds of millions of mobile devices that can be used to trace the movements of individuals to and from sensitive locations. As examples of sensitive locations the FTC lists: reproductive health clinics, places of worship, homeless and domestic violence shelters and addiction recovery facilities.
Tomi Engdahl says:
Attacks against Linux systems are growing fast: the situation is getting out of hand
https://www.tivi.fi/uutiset/tv/388e9775-5a13-4942-acfe-7615d4a98930
According to a security report published by Trend Micro, cybercriminals running ransomware attacks will in the coming years increasingly target Linux servers and embedded systems. According to Trend Micro, the number of attacks against such systems has already grown significantly compared with the same period last year.
Tomi Engdahl says:
Microsoft Defender falsely detects Win32/Hive.ZY in Google Chrome, Electron apps https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-falsely-detects-win32-hivezy-in-google-chrome-electron-apps/
A bad Microsoft Defender signature update mistakenly detects Google Chrome, Microsoft Edge, Discord, and other Electron apps as ‘Win32/Hive.ZY’ each time the apps are opened in Windows. The issue started Sunday morning when Microsoft pushed out Defender signature update 1.373.1508.0 to include two new threat detections, including Behavior:Win32/Hive.ZY. “This generic detection for suspicious behaviors is designed to catch potentially malicious files. If you downloaded a file or received it through email, ensure that it is from a reliable source before opening it,” reads the Microsoft detection page for Win32/Hive.ZY. According to BornCity, the false positive is widespread, with users reporting on BleepingComputer, Twitter, and Reddit that the detections appear each time they open their browser or an Electron app.
Tomi Engdahl says:
SharkBot malware sneaks back on Google Play to steal your logins https://www.bleepingcomputer.com/news/security/sharkbot-malware-sneaks-back-on-google-play-to-steal-your-logins/
A new and upgraded version of the SharkBot malware has returned to Google’s Play Store, targeting banking logins of Android users through apps that have tens of thousands of installations. The malware was present in two Android apps that did not feature any malicious code when submitted to Google’s automatic review. However, SharkBot is added in an update occurring after the user installs and launches the dropper apps. According to a blog post by Fox IT, part of the NCC Group, the two malicious apps are “Mister Phone Cleaner” and “Kylhavy Mobile Security,” collectively counting 60,000 installations.
Tomi Engdahl says:
IRS data leak exposes personal info of 120,000 taxpayers https://www.bleepingcomputer.com/news/security/irs-data-leak-exposes-personal-info-of-120-000-taxpayers/
The Internal Revenue Service has accidentally leaked confidential information for approximately 120,000 taxpayers who filed a form 990-T as part of their tax returns. On Friday, the IRS disclosed that in addition to sharing Form 990-T data for charities, they also accidentally included data for taxpayers’ IRAs that was not meant to be public. “The IRS recently discovered that some machine-readable (XML) Form 990-T data made available for bulk download section on the Tax Exempt Organization Search (TEOS) should not have been made public,” the IRS disclosed on Friday.
Tomi Engdahl says:
Hackers stole personal data including Social Security numbers, addresses and account numbers of home mortgage holders at KeyBank, the bank reports, in the breach of a third-party vendor that serves multiple corporate clients.
https://www.securityweek.com/keybank-hackers-third-party-provider-stole-customer-data
Tomi Engdahl says:
Ransomware Gang Claims Customer Data Stolen in TAP Air Portugal Hack
https://www.epanorama.net/newepa/2021/12/31/cyber-security-trends-for-2022/comment-page-44/#comment-1779081
The Ragnar Locker ransomware gang says it has exfiltrated customer data in a cyberattack on Portuguese state-owned flag carrier airline TAP Air Portugal.
The incident was initially disclosed on August 26, when TAP announced on Twitter that it managed to foil the cyberattack before the threat actor could access any customer data.
“TAP was the target of a cyberattack, now blocked. Operational integrity is guaranteed. No facts have been found that allow us to conclude that there has been improper access to customer data. The website and app still have some instability. Thank you for your understanding,” the company said.
On August 31, however, the Ragnar Locker ransomware gang boasted on their leaks website that the airline’s systems were in fact breached and that customer data was exfiltrated.
Tomi Engdahl says:
Aaron Gordon / VICE:
Yandex confirms hackers created a traffic jam in Moscow on September 1 by ordering dozens of taxis from Yandex Taxi to converge on the same location
Hackers Create Traffic Jam in Moscow by Ordering Dozens of Taxis at Once Through App
Attackers attempted to disrupt ride-hailing app service on Thursday, the company confirmed.
https://www.vice.com/en/article/y3pbgy/hackers-create-traffic-jam-in-moscow-by-ordering-dozens-of-taxis-at-once-through-app
Hackers created a traffic jam in Moscow on Thursday by ordering dozens of taxis from the ride-hailing app Yandex Taxi to converge on the same location in one of the first known instances of attackers using an app-based taxi company to create chaos on the roads.
Video circulated on social media showing a very long traffic jam of taxis along an otherwise lightly trafficked road. The video was then shared by the account @runews where it was retweeted more than 6,500 times as of this writing.
Tomi Engdahl says:
https://nakedsecurity.sophos.com/2022/09/04/peter-eckersley-co-creator-of-lets-encrypt-dies-at-just-43/
Tomi Engdahl says:
You know there’s a serious security problem when credentials for one Microsoft service are exposed on another.
Microsoft Employees Exposed Their Azure Server Logins on GitHub
https://uk.pcmag.com/security/142130/microsoft-employees-exposed-their-azure-server-logins-on-github
Cybersecurity research company spiderSilk discovered Microsoft employees had accidentally exposed their login credentials for servers hosted on Microsoft Azure.
As Vice reports, the credentials appeared on the Microsoft-owned GitHub code hosting and version control service. A total of seven logins were discovered, three of which were still active and allowed access to Microsoft Azure web servers.
https://www.vice.com/en/article/m7gb43/microsoft-employees-exposed-login-credentials-azure-github
Tomi Engdahl says:
QNAP patches zero-day used in new Deadbolt ransomware attacks https://www.bleepingcomputer.com/news/security/qnap-patches-zero-day-used-in-new-deadbolt-ransomware-attacks/
QNAP is warning customers of ongoing DeadBolt ransomware attacks that started on Saturday by exploiting a zero-day vulnerability in Photo Station. The company has patched the security flaw but attacks continue today. “QNAP Systems, Inc. today detected the security threat DEADBOLT leveraging exploitation of Photo Station vulnerability to encrypt QNAP NAS that are directly connected to the Internet,” explains the security notice. The attacks were widespread, with the ID Ransomware service seeing a surge in submissions on Saturday and Sunday.
Tomi Engdahl says:
TikTok denies security breach after hackers leak user data, source code https://www.bleepingcomputer.com/news/security/tiktok-denies-security-breach-after-hackers-leak-user-data-source-code/
TikTok denies recent claims it was breached, and source code and user data were stolen, telling BleepingComputer that data posted to a hacking forum is “completely unrelated” to the company. On Friday, a hacking group known as ‘AgainstTheWest’ created a topic on a hacking forum claiming to have breached both TikTok and WeChat. The user shared screenshots of an alleged database belonging to the companies, which they say was accessed on an Alibaba cloud instance containing data for both TikTok and WeChat users. The threat actor says this server holds 2.05 billion records in a massive 790GB database containing user data, platform statistics, software code, cookies, auth tokens, server info, and many more.
Tomi Engdahl says:
Cloudflare shut down a notorious stalking and harassment site: “This is an extraordinary decision”
https://www.tivi.fi/uutiset/tv/f0737668-2750-4c2a-9f52-676880d10fa3
US cloud services and content delivery network provider Cloudflare has shut down the notorious stalking and harassment site Kiwi Farms. According to the company, the site posed an immediate threat to human life, the Associated Press reports. “This is an extraordinary decision and, given Cloudflare’s role as an Internet infrastructure provider, it is also a dangerous one and does not feel easy,” CEO Matthew Prince wrote on Saturday.
Tomi Engdahl says:
New Worok cyber-espionage group targets governments, high-profile firms https://www.bleepingcomputer.com/news/security/new-worok-cyber-espionage-group-targets-governments-high-profile-firms/
A newly discovered cyber-espionage group has been hacking governments and high-profile companies in Asia since at least 2020 using a combination of custom and existing malicious tools. The threat group, tracked as Worok by ESET security researchers who first spotted it, has also attacked targets from Africa and the Middle East. To date, Worok has been linked to attacks against telecommunications, banking, maritime, and energy companies, as well as military, government, and public sector entities. In late 2020, Worok targeted a telecommunications company in East Asia, a bank in Central Asia, a maritime industry company in Southeast Asia, a government entity in the Middle East, and a private company in southern Africa. While there have been no sightings until February 2022, ESET once again linked the group with new attacks against an energy company in Central Asia and a public sector entity in Southeast Asia.
Tomi Engdahl says:
Zyxel releases new NAS firmware to fix critical RCE vulnerability https://www.bleepingcomputer.com/news/security/zyxel-releases-new-nas-firmware-to-fix-critical-rce-vulnerability/
Networking device maker Zyxel is warning customers today of a new critical remote code execution (RCE) vulnerability impacting three models of its Networked Attached Storage (NAS) products. The vulnerability is tracked as CVE-2022-34747 and has received a CVSS v3 severity score of 9.8, rated critical, but not many details have been disclosed. “A format string vulnerability was found in a specific binary of Zyxel NAS products that could allow an attacker to achieve unauthorized remote code execution via a crafted UDP packet,” explains the advisory.
Tomi Engdahl says:
New Linux malware evades detection using multi-stage deployment https://www.bleepingcomputer.com/news/security/new-linux-malware-evades-detection-using-multi-stage-deployment/
A new stealthy Linux malware known as Shikitega has been discovered infecting computers and IoT devices with additional payloads. The malware exploits vulnerabilities to elevate its privileges, adds persistence on the host via crontab, and eventually launches a cryptocurrency miner on infected devices. Shikitega is quite stealthy, managing to evade anti-virus detection using a polymorphic encoder that makes static, signature-based detection impossible.
Tomi Engdahl says:
Mirai Variant MooBot Targeting D-Link Devices https://unit42.paloaltonetworks.com/moobot-d-link-devices/
In early August, Unit 42 researchers discovered attacks leveraging several vulnerabilities in devices made by D-Link, a company that specializes in network and connectivity products. If the devices are compromised, they will be fully controlled by attackers, who could utilize those devices to conduct further attacks such as distributed denial-of-service (DDoS) attacks. The exploit attempts captured by Unit 42 researchers leverage the aforementioned vulnerabilities to spread MooBot, a Mirai variant, which targets exposed networking devices running Linux.
Tomi Engdahl says:
InterContinental Hotels Group cyberattack disrupts booking systems https://www.bleepingcomputer.com/news/security/intercontinental-hotels-group-cyberattack-disrupts-booking-systems/
Leading hospitality company InterContinental Hotels Group PLC (also known as IHG Hotels & Resorts) says its information technology (IT) systems have been disrupted since yesterday after its network was breached. IHG is a British multinational company that currently operates 6,028 hotels in more than 100 countries and has more than 1,800 in the development pipeline. Its brands include luxury, premium, and essential hotel chains such as InterContinental, Regent, Six Senses, Crowne Plaza, Holiday Inn, and many others. “InterContinental Hotels Group PLC (IHG or the Company) reports that parts of the Company’s technology systems have been subject to unauthorised activity,” the company said in a filing with the London Stock Exchange on Tuesday.
Tomi Engdahl says:
https://www.howtogeek.com/830364/samsung-just-had-a-data-breach/
Samsung announced on Friday, September 2 that the company “recently discovered a cybersecurity incident that affected some of their information.” According to Samsung, “an unauthorized third party” gained access to some of the company’s U.S. systems in late July, and Samsung learned in August that some personal information was affected.
The company says the breach “may have affected” names, contact information, demographics, dates of birth, and product registration information, but not Social Security numbers or credit/debit card numbers.
Tomi Engdahl says:
Source Code of New ‘CodeRAT’ Backdoor Published Online
https://www.securityweek.com/source-code-new-coderat-backdoor-published-online
The developer of the new ‘CodeRAT’ backdoor has released their malware’s source code online after being confronted by security researchers, cybersecurity firm SafeBreach reports.
The new remote access trojan (RAT) was seen being deployed via a malicious Word document carrying a Dynamic Data Exchange (DDE) exploit.
Packing support for roughly 50 commands, CodeRAT is designed to monitor a victim’s activity on a local machine (documents, databases, integrated development environments (IDEs)) and online (social networks, games, and pornographic sites), and appears targeted at Iranian users.
“This type of monitoring—specifically of pornographic sites, use of anonymous browsing tools, and social network activities—leads us to believe CodeRAT is an intelligence tool used by a threat actor tied to a government,” SafeBreach says.
SafeBreach Labs Researchers Uncover New Remote Access Trojan (RAT)
https://www.safebreach.com/resources/blog/remote-access-trojan-coderat/
Dubbed CodeRAT, the new RAT is used in attacks targeting Farsi-speaking code developers using a Microsoft Dynamic Data Exchange (DDE) exploit.
Tomi Engdahl says:
https://www.securityweek.com/israeli-defence-ministers-cleaner-sentenced-spying-attempt
Tomi Engdahl says:
Google Patches Sixth Chrome Zero-Day of 2022
https://www.securityweek.com/google-patches-sixth-chrome-zero-day-2022
Google has released an emergency update to patch a high-severity vulnerability in its Chrome web browser that is already being exploited in the wild.
The zero-day is described as an insufficient data validation issue impacting Mojo, a Chrome component consisting of a collection of runtime libraries facilitating messaging across inter- and intra-process boundaries.
Tracked as CVE-2022-3075, the high-severity security bug was reported by an anonymous researcher. Google has yet to determine the bug bounty reward to be handed out for the report.
In its advisory, the internet giant warns that an exploit targeting this vulnerability already exists publicly, but it does not provide additional information on any observed exploitation attempts.
“Google is aware of reports that an exploit for CVE-2022-3075 exists in the wild,” the company said.
The security hole was addressed with the release of Chrome version 105.0.5195.102, which is now rolling out to Windows, Mac, and Linux users. This is the only vulnerability resolved with this browser update.
CVE-2022-3075 is the sixth Chrome zero-day that Google has patched so far in 2022 and the third to be resolved over the past two months.
https://chromereleases.googleblog.com/2022/09/stable-channel-update-for-desktop.html
Tomi Engdahl says:
How Google Cloud blocked the largest Layer 7 DDoS attack at 46 million rps
https://cloud.google.com/blog/products/identity-security/how-google-cloud-blocked-largest-layer-7-ddos-attack-at-46-million-rps
Tomi Engdahl says:
Announcing the Open Sourcing of Paranoid’s Library
https://security.googleblog.com/2022/08/announcing-open-sourcing-of-paranoids.html?m=1
Tomi Engdahl says:
Break-in at the parking company EasyPark: customer data was stolen https://www.is.fi/digitoday/tietoturva/art-2000009053292.html
Tomi Engdahl says:
Sydney high school uses fingerprint technology to stop vandalism in toilets
https://www.abc.net.au/news/2022-09-06/moorebank-high-school-fingerprints-students-going-to-toilet/101410544
Tomi Engdahl says:
New Iranian hacking group APT42 deploys custom Android spyware https://www.bleepingcomputer.com/news/security/new-iranian-hacking-group-apt42-deploys-custom-android-spyware/
A new Iranian state-sponsored hacking group known as APT42 has been discovered using a custom Android malware to spy on targets of interest. The cybersecurity firm has collected enough evidence to determine that APT42 is a state-sponsored threat actor who engages in cyberespionage against individuals and organizations of particular interest to the Iranian government. APT42’s first signs of activity date back to seven years ago and revolve around lengthy spear-phishing campaigns that targeted government officials, policymakers, journalists, academics across the globe, and Iranian dissidents. The hackers’ goal is to steal account credentials. However, in many cases, they also deploy a custom Android malware strain capable of tracking victims, accessing the device’s storage, and extracting communication data.