This posting is here to collect cyber security news in September 2022.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
This posting is here to collect cyber security news in September 2022.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
411 Comments
Tomi Engdahl says:
North Korean Hackers Deploying New MagicRAT Malware in Targeted Campaigns https://thehackernews.com/2022/09/north-korean-hackers-spotted-using-new.html
The prolific North Korean nation-state actor known as the Lazarus Group has been linked to a new remote access trojan called MagicRAT.
The previously unknown piece of malware is said to have been deployed in victim networks that had been initially breached via successful exploitation of internet-facing VMware Horizon servers, Cisco Talos said in a report shared with The Hacker News. “While being a relatively simple RAT capability-wise, it was built with recourse to the Qt Framework, with the sole intent of making human analysis harder, and automated detection through machine learning and heuristics less likely, ” Talos researchers Jung soo An, Asheer Malhotra, and Vitor Ventura said.
Tomi Engdahl says:
Cisco won’t fix authentication bypass zero-day in EoL routers https://www.bleepingcomputer.com/news/security/cisco-won-t-fix-authentication-bypass-zero-day-in-eol-routers/
Cisco says that a new authentication bypass flaw affecting multiple small business VPN routers will not be patched because the devices have reached end-of-life (EoL). This zero-day bug (CVE-2022-20923) is caused by a faulty password validation algorithm that attackers could exploit to log into the VPN on vulnerable devices using what the company describes as “crafted credentials” if the IPSec VPN Server feature is enabled. “A successful exploit could allow the attacker to bypass authentication and access the IPSec VPN network, ” Cisco explained in a security advisory issued on Wednesday.
Tomi Engdahl says:
200, 000 North Face accounts hacked in credential stuffing attack https://www.bleepingcomputer.com/news/security/200-000-north-face-accounts-hacked-in-credential-stuffing-attack/
Outdoor apparel brand The North Face’ was targeted in a large-scale credential stuffing attack that has resulted in the hacking of 194,
905 accounts on the thenorthface.com website. A credential stuffing attack is when threat actors use email addresses/usernames and password combinations obtained from data breaches to attempt to hack into user accounts on other websites. The success of these attacks relies on the practice of password recycling, where a person uses the same credentials across multiple online platforms. The credential stuffing attack on The North Face website began on July 26, 2022, but the website’s administrators detected the unusual activity on August 11, 2022, and were able to stop it on August 19, 2022
Tomi Engdahl says:
Major UK transport company Go-Ahead battles cyber-attack https://www.theguardian.com/business/2022/sep/06/go-ahead-cyberattack-bus-services-thameslink-rail
Go-Ahead, one of the UK’s biggest transport companies, has said it is managing a cyber-attack that has affected software used to schedule bus drivers and services. The company, an important provider of UK bus services and London’s biggest operator, said it became aware of a fault on its server late on Sunday and was working hard to keep buses running without disruption. The issues became more widespread on Monday, affecting several back office systems, including bus services and payroll software.
Tomi Engdahl says:
EasyPark- pysäköintifirmaan murto asiakkaiden tietoja varastettiin https://www.is.fi/digitoday/tietoturva/art-2000009053292.html
PYSÄKÖINTIYRITYS EasyPark tiedottaa tietoturvaloukkauksesta. Yhtiö havaitsi elokuun 29. päivänä luvatonta toimintaa sisäisissä järjestelmissään ja pyrki estämään sen. Tästä huolimatta tunkeutujat saivat varastettua tietoja. Muotoilun perusteella EasyPark ei pidä asiakkaiden nimiä, sähköpostiosoitteita ja puhelinnumeroita sensitiivisinä tietoina. Maajohtaja Aleksi Kolehmaisen mukaan syynä muotoiluun on yleinen tietosuoja-asetus gdpr, jossa perustietoja ei ole luokiteltu sensitiiviseksi tiedoksi. EasyPark sanoo olevansa erittäin pahoillaan tilanteesta, ja siitä raportoidaan viranomaisille.
Asiakkailta ei vaadita toimenpiteitä.
Tomi Engdahl says:
Multiple ransomware data leak sites experience DDoS attacks, facing intermittent outages and connectivity issues https://blog.talosintelligence.com/2022/09/ransomware-leaksite-ddos.html
Since Aug. 20, 2022, Cisco Talos has been monitoring suspected distributed denial-of-service (DDoS) attacks resulting in intermittent downtime and outages affecting several ransomware-as-a-service (RaaS) data leak sites. While the source and origin of this activity remain unknown, this appears to be a concentrated effort against RaaS leak sites to disrupt their efforts to announce and post new victim information. Actors’ responses have varied, with LockBit and ALPHV implementing new measures to counteract DDoS attacks against their sites while other groups like Quantum have simply resorted to redirecting web traffic elsewhere. LockBit also appears to have co-opted this technique by advertising that they are now adding DDoS as an extortion tactic in addition to encrypting and leaking data.
Tomi Engdahl says:
Some Members of Conti Group Targeting Ukraine in Financially Motivated Attacks https://thehackernews.com/2022/09/some-members-of-conti-group-targeting.html
Former members of the Conti cybercrime cartel have been implicated in five different campaigns targeting Ukraine from April to August 2022.
The findings, which come from Google’s Threat Analysis Group (TAG), builds upon a prior report published in July 2022, detailing the continued cyber activity aimed at the Eastern European nation amid the ongoing Russo-Ukrainian war. “UAC-0098 is a threat actor that historically delivered the IcedID banking trojan, leading to human-operated ransomware attacks, ” TAG researcher Pierre-Marc Bureau said in a report shared with The Hacker News. “The attacker has recently shifted their focus to targeting Ukrainian organizations, the Ukrainian government, and European humanitarian and non-profit organizations.”
Tomi Engdahl says:
Zyxel Patches Critical Vulnerability in NAS Firmware
https://www.securityweek.com/zyxel-patches-critical-vulnerability-nas-firmware
Networking solutions provider Zyxel has released patches for a critical-severity vulnerability impacting the firmware of multiple network attached storage (NAS) device models.
The security defect, tracked as CVE-2022-34747, carries a CVSS score of 9.8/10 and is publicly documented as a format string vulnerability impacting Zyxel NAS326 firmware versions prior to V5.21(AAZF.12)C0.
An attacker could exploit the vulnerability by sending specially crafted UDP packets to the affected products. Successful exploitation of the bug could allow an attacker to execute arbitrary code on the impacted device, the company said in an advisory.
“A format string vulnerability was found in a specific binary of Zyxel NAS products that could allow an attacker to achieve unauthorized remote code execution via a crafted UDP packet,” the company added.
Tomi Engdahl says:
Google Details Recent Ukraine Cyberattacks
https://www.securityweek.com/google-details-recent-ukraine-cyberattacks
Over the past five months, Google has been tracking a financially motivated threat actor known as UAC-0098, which has been conducting multiple malicious campaigns targeting various entities in Ukraine and Europe.
The group’s activities closely align with those of Russian government-backed attackers, and Google’s Threat Analysis Group (TAG) believes that at least some of UAC-0098’s members are former members of the Conti ransomware gang.
UAC-0098 is widely known for using the IcedID banking trojan in attacks that led to the deployment of human-operated ransomware, operating as an access broker for ransomware groups such as Quantum and Conti.
Recently, however, the threat actor has been targeting the Ukrainian government, various organizations in the country, and European humanitarian and non-profit organizations.
In late April, UAC-0098 was seen launching an email phishing campaign to deliver AnchorMail, a variant of the Anchor backdoor developed by the Conti group, which was previously installed as a TrickBot module.
Tomi Engdahl says:
CISO Conversations: U.S. Marine Corps, SAIC Security Leaders on Organizational Differences
https://www.securityweek.com/ciso-conversations-us-marine-corps-saic-security-leaders-organizational-differences
https://www.securityweek.com/ciso-conversations-us-marine-corps-saic-security-leaders-organizational-differences
In this installment of SecurityWeek’s CISO Conversations series, we talk to two CISOs with a military theme: Renata Spinks, CISO at the United States Marine Corps, and Kevin Brown, CISO at SAIC. The former is ‘in’ government, (military) while the latter provides services ‘to’ government (military).
Our purpose is to discuss the similarities and differences in being a security leader inside government with being a security leader in related private enterprise.
Tomi Engdahl says:
Albania Cuts Diplomatic Ties With Iran Over July Cyberattack
https://www.securityweek.com/albania-cuts-diplomatic-ties-iran-over-july-cyberattack
Albania cut diplomatic ties with Iran and expelled the country’s embassy staff over a major cyberattack nearly two months ago that was allegedly carried out by Tehran on Albanian government websites, the prime minister said Wednesday.
The move by NATO member Albania was the first known case of a country cutting diplomatic relations over a cyberattack.
The White House vowed unspecified retaliation Wednesday against Iran for what it called “a troubling precedent for cyberspace.”
Tomi Engdahl says:
Warning issued about Vice Society ransomware targeting the education sector https://www.malwarebytes.com/blog/news/2022/09/authorities-issue-warning-about-vice-society-ransomware-targeting-the-education-sector
The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have released a joint Cybersecurity Advisory (CSA) after observing Vice Society threat actors disproportionately targeting the education sector with ransomware attacks. Over the past several years, the education sector, especially kindergarten through twelfth grade (K-12) institutions, have been a frequent target of ransomware attacks. School districts with limited cybersecurity capabilities and constrained resources are often the most vulnerable. The advisory:
https://www.cisa.gov/uscert/ncas/alerts/aa22-249a
Tomi Engdahl says:
This Clever Anti-Censorship Tool Lets Russians Read Blocked News https://www.wired.com/story/russia-internet-censorship-samizdat-online/
Samizdat Online syndicates banned news sites by hosting them on uncensored domainsallowing people to access independent reporting.
Yevgeny Simkin, the cofounder of Samizdat Online and founder of a software engineering firm, says it is designed to help people in Russia and other oppressed countries access uncensored news and information. The organization has permission from more than a dozen blocked publications in Russia and Belarus to syndicate their content.
Its homepage currently lists websites that it is syndicating, but from next week on will appear as a more traditional news site, suggesting articles from publications it syndicates and providing shareable SOS-Links to their websites.
Tomi Engdahl says:
BRONZE PRESIDENT Targets Government Officials https://www.secureworks.com/blog/bronze-president-targets-government-officials
The likely Chinese government-sponsored threat group uses decoy documents and PlugX malware to compromise targets. In June and July 2022, Secureworks® Counter Threat Unit (CTU) researchers identified a PlugX malware campaign targeting computers belonging to government officials of several countries in Europe, the Middle East, and South America. PlugX is modular malware that contacts a command and control
(C2) server for tasking and can download additional plugins to enhance its capability beyond basic information gathering. Several characteristics of this campaign indicate that it was conducted by the likely Chinese government-sponsored BRONZE PRESIDENT threat group, including the use of PlugX, file paths and naming schemes previously used by the threat group, the presence of shellcode in executable file headers, and politically-themed decoy documents that align with regions where China has interests.
Tomi Engdahl says:
Classified NATO documents stolen from Portugal, now sold on darkweb https://www.bleepingcomputer.com/news/security/classified-nato-documents-stolen-from-portugal-now-sold-on-darkweb/
The Armed Forces General Staff agency of Portugal (EMGFA) has suffered a cyberattack that allegedly allowed the theft of classified NATO documents, which are now sold on the dark web. EMGFA is the government agency responsible for the control, planning, and operations of the armed forces of Portugal. The agency only realized they suffered a cyberattack after hackers posted samples of the stolen material on the dark web, offering to sell the files to interested individuals.
American cyber-intelligence agents noticed the sale of stolen documents and alerted the U.S. embassy in Lisbon, which in turn warned the Portuguese government about the data breach.
Tomi Engdahl says:
Microsoft investigates Iranian attacks against the Albanian government https://www.microsoft.com/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government/
Shortly after the destructive cyberattacks against the Albanian government in mid-July, the Microsoft Detection and Response Team
(DART) was engaged by the Albanian government to lead an investigation into the attacks. Microsoft assessed with high confidence that on July 15, 2022, actors sponsored by the Iranian government conducted a destructive cyberattack against the Albanian government, disrupting government websites and public services. At the same time, and in addition to the destructive cyberattack, MSTIC assesses that a separate Iranian state-sponsored actor leaked sensitive information that had been exfiltrated months earlier. Various websites and social media outlets were used to leak this information.
Tomi Engdahl says:
New ‘Shikitega’ Linux Malware Grabs Complete Control of Infected Systems
https://www.securityweek.com/new-shikitega-linux-malware-grabs-complete-control-infected-systems
Security researchers with AT&T Alien Labs are warning of a new piece of malware that can take full control of infected Linux systems, including Internet of Things (IoT) devices.
Dubbed Shikitega, the threat is delivered as part of a multi-stage infection chain, where each step is responsible for a part of the payload and fetches and executes the next module.
To ensure it can gain full control over an infected system, the malware downloads and executes Metasploit’s ‘Mettle’ meterpreter. It also attempts to exploit system vulnerabilities to escalate privileges and achieve persistence.
Shikitega hosts some of its command and control (C&C) servers on legitimate cloud services, uses a polymorphic encoder to evade detection, and deploys a cryptocurrency miner on the infected machines.
With the help of Mettle, the attackers can execute attacks such as webcam controls, sniffers, various reverse shells, shell commands, process controls, and more.
AT&T Alien Labs also observed the malware using wget to fetch and run a next stage dropper. Shell commands are used to download and execute additional payloads.
Shikitega, the security researchers say, exploits two known Linux vulnerabilities – CVE-2021-4034 and CVE-2021-3493 – to fetch and execute the final payload – a persistent cryptocurrency miner – with root privileges.
The researchers says the malware is using five shell scripts to achieve persistence. The threat sets crontabs for the current user and for the user root – the malware first checks for the presence of crontab command on the machine and creates it if it does not exist.
Shikitega – New stealthy malware targeting Linux
https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux
AT&T Alien Labs has discovered a new malware targeting endpoints and IoT devices that are running Linux operating systems. Shikitega is delivered in a multistage infection chain where each module responds to a part of the payload and downloads and executes the next one. An attacker can gain full control of the system, in addition to the cryptocurrency miner that will be executed and set to persist.
Key takeaways:
The malware downloads and executes the Metasploit’s “Mettle” meterpreter to maximize its control on infected machines.
Shikitega exploits system vulnerabilities to gain high privileges, persist and execute crypto miner.
The malware uses a polymorphic encoder to make it more difficult to detect by anti-virus engines.
Shikitega abuse legitimate cloud services to store some of its command and control servers (C&C).
With a rise of nearly 650% in malware and ransomware for Linux this year, reaching an all-time high in the first half year of 2022, threat actors find servers, endpoints and IoT devices based on Linux operating systems more and more valuable and find new ways to deliver their malicious payloads. New malwares like BotenaGo and EnemyBot are examples of how malware writers rapidly incorporate recently discovered vulnerabilities to find new victims and increase their reach.
Shikitega uses an infection chain in multiple layers, where the first one contains only a few hundred bytes, and each module is responsible for a specific task, from downloading and executing Metasploit meterpreter, exploiting Linux vulnerabilities, setting persistence in the infected machine to downloading and executing a cryptominer.
Tomi Engdahl says:
Rapid7 Flags Multiple Flaws in Sigma Spectrum Infusion Pumps
https://www.securityweek.com/rapid7-flags-multiple-flaws-sigma-spectrum-infusion-pumps
Security researchers at Rapid7 are warning about multiple secuirty vulnerabilities impacting Baxter’s Sigma Spectrum infusion pumps, including issues that could lead to the leakage of credential.
In an advisory published Thursday, Rapid7 called attention to five vulnerabilities found in Sigma Spectrum infusion pumps and the Sigma WiFi batteries.
The Sigma Spectrum infusion pumps have been designed so that, when powered up after a WiFi battery is connected, unencrypted data is sent to the battery via universal asynchronous receiver-transmitter (UART).
Because of that, the transmitted data is potentially at risk of compromise by attackers with access to the infusion pumps, who could either place a communication shim between the units to capture the data, or could use their own battery to exfiltrate data.
The first block of transmitted data contains the WiFi configuration information, which is then stored on the battery’s non-volatile memory. An attacker able to attach their own battery to a pump could then extract from the unit credentials that allows them to access an organization’s WiFi network.
Tomi Engdahl says:
https://www.securityweek.com/nato-condemns-alleged-iranian-cyberattack-albania
Tomi Engdahl says:
https://www.securityweek.com/darktrace-share-price-crashes-takeover-pulled
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/cisco-won-t-fix-authentication-bypass-zero-day-in-eol-routers/
Tomi Engdahl says:
https://techcrunch.com/2022/09/08/north-korea-lazarus-united-states-energy/
Tomi Engdahl says:
https://thehackernews.com/2022/09/researchers-detail-emerging-cross.html
Tomi Engdahl says:
That ‘clean’ Google Translate app is actually Windows crypto-mining malware
Ah, nothing like a classic Trojan horse
https://www.theregister.com/2022/08/30/nitrokod_crypto_malware_google/
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/hp-fixes-severe-bug-in-pre-installed-support-assistant-tool/
Tomi Engdahl says:
Viron ex-presidentti lyttää podcastissa Euroopan verkkopuolustuksen – ja Venäjän: ”He ovat hyviä ihmisten tappamisessa, eivät muussa” https://www.is.fi/digitoday/tietoturva/art-2000009054102.html
Tomi Engdahl says:
GoDaddy Sued Over Sale of Ethereum Domain Name Service’s Vital Eth.link Address
https://www.coindesk.com/policy/2022/09/08/firm-behind-ethereum-name-service-and-virgil-griffith-sue-godaddy-over-sale-of-ethlink/
Company behind Web3 domain service Ethereum Name Service and Virgil Griffith allege that GoDaddy falsely announced the domain had expired, and then prematurely allowed it to be sold to a third party.
Tomi Engdahl says:
InterContinental Hotels’ booking systems disrupted by cyberattack https://www.malwarebytes.com/blog/news/2022/09/intercontinental-hotels-booking-systems-disrupted-by-cyberattack
In a statement filed at the London Stock Exchange, InterContinental Hotels Group PLC reports that parts of the company’s technology systems have been subject to unauthorized activity. The activity significantly disrupted IHG’s booking channels and other applications.
Tomi Engdahl says:
Ransomware review: August 2022
https://www.malwarebytes.com/blog/threat-intelligence/2022/09/ransomware-review-august-2022
As expected, LockBit remained the dominant ransomware variant in August, as it has all year. At the other end of the scale REvil’s revival in slow motion continued with a single victim listed, RansomEXX posted its first victim for four months, and Snatch posted a single victim after fourty days of inactivity. Intriguingly, the victim listed on the Snatch site was also listed by REvil in April.
It’s not unusual for victims to be attacked multiple times, so this is not necessarily a sign of cooperation.
Tomi Engdahl says:
US sanctions Iran’s Ministry of Intelligence over Albania cyberattack https://www.bleepingcomputer.com/news/security/us-sanctions-iran-s-ministry-of-intelligence-over-albania-cyberattack/
The U.S. Treasury Department announced sanctions today against Iran’s Ministry of Intelligence and Security (MOIS) and its Minister of Intelligence for their role in the July cyberattack against the government of Albania, a U.S. ally and a NATO member state. MOIS is the Iranian government’s leading intelligence agency, tasked with coordinating intelligence and counterintelligence efforts, as well as covert actions supporting the Islamic regime’s goals beyond the country’s borders.
Tomi Engdahl says:
Bumblebee malware adds post-exploitation tool for stealthy infections https://www.bleepingcomputer.com/news/security/bumblebee-malware-adds-post-exploitation-tool-for-stealthy-infections/
A new version of the Bumblebee malware loader has been spotted in the wild, featuring a new infection chain that uses the PowerSploit framework for stealthy reflective injection of a DLL payload into memory.
Tomi Engdahl says:
Hackers Exploit Zero-Day in WordPress BackupBuddy Plugin in ~5 Million Attempts https://thehackernews.com/2022/09/hackers-exploit-zero-day-in-wordpress.html
A zero-day flaw in a WordPress plugin called BackupBuddy is being actively exploited, WordPress security company Wordfence has disclosed. “This vulnerability makes it possible for unauthenticated users to download arbitrary files from the affected site which can include sensitive information, ” it said.
Tomi Engdahl says:
GIFShell attack creates reverse shell using Microsoft Teams GIFs https://www.bleepingcomputer.com/news/security/gifshell-attack-creates-reverse-shell-using-microsoft-teams-gifs/
A new attack technique called GIFShell’ allows threat actors to abuse Microsoft Teams for novel phishing attacks and covertly executing commands to steal data using… GIFs. The new attack scenario, shared exclusively with BleepingComputer, illustrates how attackers can string together numerous Microsoft Teams vulnerabilities and flaws to abuse legitimate Microsoft infrastructure to deliver malicious files, commands, and perform exfiltrating data via GIFs.
Tomi Engdahl says:
Dump these small-biz routers, says Cisco, because we won’t patch their flawed VPN https://www.theregister.com/2022/09/08/cisco_routers_vulnerability/
Cisco patched three security vulnerabilities in its products this week, and said it will leave unpatched a VPN-hijacking flaw that affects four small business routers. Those small-biz routers the RV110W Wireless-N VPN Firewall, RV130 VPN Router, RV130W Wireless-N Multifunction VPN Router, and RV215W Wireless-N VPN Router have reached their end-of-life (EoL) and the networking vendor is recommending customers upgrade to devices that aren’t vulnerable. To give you an idea of the potential age of this kit, Cisco stopped selling the RV110W and RV130 in 2017, and ended support for them this year.
Tomi Engdahl says:
Pankkitilin tyhjentävä haittaohjelma palasi erittäin vaikea tunnistaa https://www.is.fi/digitoday/tietoturva/art-2000009052032.html
ALKUVUONNA havaittu pankkihaittaohjelma Sharkbot on taas leviämässä, kertoo tietoturvayhtiö Fox-IT. Se havaitsi Androidin virallisesta sovelluskaupasta Google Playsta kaksi sovellusta, jotka pyrkivät lataamaan puhelimeen varsinaisen Sharkbot-haitakkeen. Sovellukset tekeytyvät puhelimen putsaajaksi tai virustorjunnaksi. Sovelluksilla on kymmeniä tuhansia latauksia. Puhelimessa Sharkbot pystyy esittämään omaa kuvaansa aitojen sovelluksien päällä. Se tarkoittaa, että pankkisovelluksen ollessa käynnissä Sharkbot voi jäljitellä verkkopankin sisäänkirjautumisnäkymää, jota voi olla vaikea erottaa aidosta. Tällä tavalla uhri tulee syöttäneeksi kirjautumistietonsa rikollisille. Alkup.
https://blog.fox-it.com/2022/09/02/sharkbot-is-back-in-google-play/
Tomi Engdahl says:
Evasive Shikitega Linux malware drops Monero cryptominer https://www.malwarebytes.com/blog/news/2022/09/evasive-shikitega-linux-malware-drops-monero-cryptominer
Researchers from the AT&T Alien Labs Resarch have discovered a new and stealthy Linux malware it’s dubbed Shikitega. Once it’s on a machine or device, Shitega executes a “multistage infection chain” involving small files, a couple of vulnerabilities, and the use of Mettle, a portable Metasploit Meterpreter. Shikitega can give threat actors complete control of an infected system, with a persistent cryptominer churning out Monero in the background. Alkup.
https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux
Tomi Engdahl says:
ESET Research uncovers new APT group Worok Week in security with Tony Anscombe https://www.welivesecurity.com/videos/eset-new-apt-group-worok-week-security-tony-anscombe/
ESET researchers have revealed their findings about a previously unknown cyberespionage group that they named Worok. This APT group takes aim at various high-profile organizations that operate in multiple sectors and are located primarily in Asia, but also in the Middle East and Africa. Worok uses both its own toolkit and existing tools to compromise its targets and has in some cases exploited the infamous ProxyShell vulnerabilities to gain initial access and harvest information. The full analysis is available here:
https://www.welivesecurity.com/2022/09/06/worok-big-picture/
Tomi Engdahl says:
Cisco: Log4j vulnerability used to attack energy companies in Canada, US and Japan https://therecord.media/cisco-log4j-vulnerability-used-to-attack-energy-companies-in-canada-us-and-japan/
Hackers continue to abuse the endemic Log4j vulnerability months after its discovery, according to a new report from Cisco researchers who discovered a campaign targeting energy companies across the U.S., Canada, Japan and other countries. “In this campaign, Lazarus was primarily targeting energy companies in Canada, the U.S. and Japan.
The main goal of these attacks was likely to establish long-term access into victim networks to conduct espionage operations in support of North Korean government objectives, ” the researchers said. “This activity aligns with historical Lazarus intrusions targeting critical infrastructure and energy companies to establish long-term access to siphon off proprietary intellectual property.”
Tomi Engdahl says:
Firmware bugs in many HP computer models left unfixed for over a year https://www.bleepingcomputer.com/news/security/firmware-bugs-in-many-hp-computer-models-left-unfixed-for-over-a-year/
A set of six high-severity firmware vulnerabilities impacting a broad range of HP devices used in enterprise environments are still waiting to be patched, although some of them were publicly disclosed since July 2021. Firmware flaws are particularly dangerous because they can lead to malware infections that persist even between OS re-installations or allow long-term compromises that would not trigger standard security tools.
Tomi Engdahl says:
https://www.securityweek.com/google-patches-critical-vulnerabilities-pixel-phones
Tomi Engdahl says:
Critical KEPServerEX Flaws Can Put Attackers in ‘Powerful Position’ in OT Networks
https://www.securityweek.com/critical-kepserverex-flaws-can-put-attackers-powerful-position-ot-networks
Critical KEPServerEX vulnerabilities that impact the products of several major industrial automation vendors can put attackers in a powerful position in OT networks.
PTC’s Kepware KEPServerEX product is a platform designed for connecting, managing, monitoring, and controlling various industrial automation devices and software through a single user interface. The product uses the OPC industrial interoperability standard.
Researchers at industrial cybersecurity firm Claroty discovered that KEPServerEX is affected by two critical vulnerabilities that could allow an attacker to crash a server, obtain data, or remotely execute arbitrary code by sending specially crafted OPC UA messages to the targeted system.
The flaws, tracked as CVE-2022-2848 and CVE-2022-2825, have been found to impact several of PTC’s ThingWorx products. In addition, the security holes affect the Rockwell Automation KEPServer Enterprise, GE Digital Industrial Gateway Server (IGS), and Software Toolbox TOP Server products, all of which rely on the KEPServerEX OPC UA engine.
Tomi Engdahl says:
https://www.securityweek.com/albania-suffers-renewed-cyberattack-blames-iran
Tomi Engdahl says:
Cisco Patches High-Severity Vulnerability in SD-WAN vManage
https://www.securityweek.com/cisco-patches-high-severity-vulnerability-sd-wan-vmanage
Cisco has announced patches for a high-severity vulnerability in the binding configuration of SD-WAN vManage software containers.
Tracked as CVE-2022-20696, the issue exists because of insufficient protection mechanisms on messaging server container ports, allowing an unauthenticated attacker to connect to an affected system using these ports.
“To exploit this vulnerability, the attacker must be able to send network traffic to interfaces within the VPN0 logical network. A successful exploit could allow the attacker to view and inject messages into the messaging service, which can cause configuration changes or cause the system to reload,” Cisco notes in an advisory.
The vulnerability impacts IOS XE SD-WAN, SD-WAN vBond Orchestrator, and SD-WAN vSmart Controller software, SD-WAN vEdge cloud routers, and SD-WAN vEdge routers.
Cisco recommends updating to SD-WAN vManage software releases 20.6.4 or 20.9.1, which include patches for this vulnerability.
Cisco SD-WAN vManage Software Unauthenticated Access to Messaging Services Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-vmanage-msg-serv-AqTup7vs
Tomi Engdahl says:
Eavesdropping on the eavesdroppers:
Using a Raspberry Pi and a Software Defined Radio to determine if a laptop microphone is activated
Boffins build microphone safety kit to detect eavesdroppers
TickTock mic lock won’t work on Apple
https://www.theregister.com/2022/09/12/mic_monitoring_spying/
Scientists from the National University of Singapore and Yonsei University in the Republic of Korea have developed a device for verifying whether your laptop microphone is secretly recording your conversations.
The researchers – Soundarya Ramesh, Ghozali Suhariyanto Hadi, Sihun Yang, Mun Choon Chan, and Jun Han – call the device TickTock. That may suit a lab project but would obviously invite a trademark lawsuit from a similarly named social media company were commercialization ever considered.
The mic-monitoring gadget is described in an ArXiv paper titled, “TickTock: Detecting Microphone Status in Laptops Leveraging Electromagnetic Leakage of Clock Signals.”
TickTock as a prototype consists of a near-field probe, a radio-frequency amplifier, software defined radio (SDR) and a Raspberry Pi 4 Model B. The researchers envision the device’s final form will be similar to a USB drive, one that can be placed next to, or clipped to, a laptop to alert the user to any change in the device’s mic status.
TickTock, they explain, relies on the fact that digital MEMS microphones on commodity laptops emanate electromagnetic (EM) signals when active.
“The emanation stems from the cables and connectors that carry the clock signals to the mic hardware, ultimately to operate its analog-to-digital converter (ADC),” they explain. “TickTock captures this leakage to identify the on/off status of the laptop mic.”
Creating the mic status sensor required overcoming several challenges. One is that the frequency of the mic clock signal differs depending on the audio codec chip in a given laptop.
Another is that the area of the laptop that will leak the strongest EM signal differs based on how the device was wired. And finally, captured EM signals include noise from other circuits that needs to be filtered out to prevent false positives.
The end result was fairly successful, apart from on Apple’s hardware. “Although our approach works well on 90 percent of the tested laptops, including all tested models from popular vendors such as Lenovo, Dell, HP and Asus, TickTock fails to detect the mic clock signals in three laptops, all of which are Apple MacBooks,” the boffins state in their paper.
TickTock had less success against 40 other devices, meaning smartphones, tablets, smart speakers and USB web-cameras. There, it managed to detect a mic clock frequency in 21 out of 40 devices.
The researchers say this is likely due to the usage of analog rather than digital mics in some smartphone models, to the lack of power constraints in plugged in mic-equipped hardware like smart speakers, and to the way in which small form factor hardware relies on shorter wire lengths that reduce EM emissions.
Tomi Engdahl says:
Kyberympäristön uhkataso on noussut – aktiviteetti Suomeakin kohtaan on lisääntynyt https://www.traficom.fi/fi/ajankohtaista/kyberympariston-uhkataso-noussut-aktiviteetti-suomeakin-kohtaan-lisaantynyt
Kyberhyökkäykset ovat lisääntyneet maailmanlaajuisesti kuluvan vuoden aikana. Samalla niitä kohdistuu hiljaisemman kevään jälkeen kasvavassa määrin myös Suomeen. Traficomin Kyberturvallisuuskeskuksen saamien ilmoitusten mukaan suomalaisiin organisaatioihin kohdistuvissa kyberhyökkäyksissä, erityisesti haittaohjelmien, tietojenkalastelun ja palvelunestohyökkäysten lukumäärät ovat kasvaneet.
Tomi Engdahl says:
Beijing rebukes U.S. over alleged cyberattack on Chinese university https://therecord.media/beijing-rebukes-u-s-over-alleged-cyberattack-on-chinese-university/
China denounced the U.S. Embassy in Beijing following a joint report from two of the country’s most prominent cyber authorities accusing the National Security Agency of stealing “sensitive information” from Chinese institutions. In a statement published Sunday, Yang Tao, the director-general of American affairs at China’s Ministry of Foreign Affairs, said: “The actions of the U.S. side have seriously violated the technical secrets of relevant Chinese institutions and seriously endangered the security of China’s critical infrastructure, institutions and personal information, and must be stopped immediately.”
Tomi Engdahl says:
Ransomware Group Leaks Files Stolen From Cisco
https://www.securityweek.com/ransomware-group-leaks-files-stolen-cisco
A cybercrime group has leaked files stolen earlier this year from Cisco, but the networking giant stands by its initial assessment of the incident and says there is no impact to its business.
Cisco admitted on August 10 that it had detected a security breach on May 24. The admission was prompted by a ransomware group named Yanluowang claiming to have obtained gigabytes of information and publishing a list of files allegedly stolen from Cisco.
The hackers have now published the actual files stolen from Cisco and the company has confirmed that they originated from its systems.
“The content of these files match what we already identified and disclosed,” Cisco said in an update shared on Sunday. “Our previous analysis of this incident remains unchanged—we continue to see no impact to our business, including Cisco products or services, sensitive customer data or sensitive employee information, intellectual property, or supply chain operations.”
In August, Cisco attributed the attack to an initial access broker with ties to the Russia-linked threat actor UNC2447, the Lapsus$ gang, and the Yanluowang ransomware group.
Cisco confirms Yanluowang ransomware leaked stolen company data https://www.bleepingcomputer.com/news/security/cisco-confirms-yanluowang-ransomware-leaked-stolen-company-data/
Cisco has confirmed that the data leaked yesterday by the Yanluowang ransomware gang was stolen from the company network during a cyberattack in May. However, the company says in an update that the leak does not change the initial assessment that the incident has no impact on the business. In a report in August, Cisco announced that its network had been breached by the Yanluowang ransomware after the hackers compromised an employee’s VPN account.
Tomi Engdahl says:
Vulnerability in BackupBuddy Plugin Exploited to Hack WordPress Sites
https://www.securityweek.com/vulnerability-backupbuddy-plugin-exploited-hack-wordpress-sites
Tomi Engdahl says:
Montenegro Wrestles With Massive Cyberattack, Russia Blamed
https://www.securityweek.com/montenegro-wrestles-massive-cyberattack-russia-blamed
At the government headquarters in NATO-member Montenegro, the computers are unplugged, the internet is switched off and the state’s main websites are down. The blackout comes amid a massive cyberattack against the small Balkan state which officials say bears the hallmark of pro-Russian hackers and its security services.
The coordinated attack that started around Aug. 20 crippled online government information platforms and put Montenegro’s essential infrastructure, including banking, water and electricity power systems, at high risk.
The attack, described by experts as unprecedented in its intensity and the longest in the tiny nation’s recent history, capped a string of cyberattacks since Russia invaded Ukraine in which hackers targeted Montenegro and other European nations, most of them NATO members.
Tomi Engdahl says:
https://www.securityweek.com/new-cyberespionage-group-worok-targeting-entities-asia