This posting is here to collect cyber security news in September 2022.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
411 Comments
Tomi Engdahl says:
Google Completes $5.4 Billion Acquisition of Mandiant
https://www.securityweek.com/google-completes-54-billion-acquisition-mandiant
Tomi Engdahl says:
Apple Warns of macOS Kernel Zero-Day Exploitation
https://www.securityweek.com/apple-warns-macos-kernel-zero-day-exploitation
Apple’s security response engine revved into high gear Monday with patches for security defects in a wide range of products, including fixes for a pair of critical macOS kernel vulnerabilities already being exploited in the wild.
Apple acknowledged the macOS zero-days in an advisory but did not share technical details or indicators of compromise to help defenders hunt for signs of infections.
The two vulnerabilities — CVE-2022-32894 and CVE-2022-32917 — affect macOS Big Sur and were reported to Cupertino by an anonymous researcher. “An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited,” the company warned.
Apple said the bugs were addressed with improved bounds checks.
Tomi Engdahl says:
Peiter ‘Mudge’ Zatko: The Wild Card in Musk’s Clash With Twitter
https://www.securityweek.com/peiter-mudge-zatko-wild-card-musks-clash-twitter
Respected in cybersecurity circles, former Twitter security chief Peiter “Mudge” Zatko is a wild card in Elon Musk’s legal gambit to break a $44 billion deal to buy the social network.
Zatko’s whistleblower complaint of “extreme, egregious deficiencies” in Twitter defenses against hackers and “meager efforts to fight spam” plays into Musk’s quest to convince a judge that he was duped when he foisted his unsolicited offer on the company.
Twitter has dismissed 51-year-old Zatko’s complaint as being without merit, and vowed to show it did nothing wrong at an October trial in a Delaware court.
If the court focuses on the fact that the world’s richest man declined to do fact gathering typically associated with big-money mergers, Zatko’s allegations could wind up being moot.
He is to testify on Tuesday before a US Senate committee looking into whether security practices at Twitter were dangerously lax.
Zatko first testified before Congress 24 years ago, when he was a long-haired hacker determined to warn about the perils of poorly protected government computer systems.
This time, he will be called on to provide details about his accusations that Twitter hid flaws in its security as well as its fight against accounts run by spammers or software instead of genuine users.
- ‘Big problems’ -
“If Mudge says Twitter has cybersecurity problems, Twitter has big problems,” said Vectra cybersecurity firm chief technology officer Aaron Turner, who says he has known Zatko since the 1980s.
US President Joe Biden’s team offered Zatko a position as White House security director early last year but he declined the job, believing he had work left to do at Twitter, his attorneys said.
- House of cards? -
Twitter fired Zatko in January, citing “ineffective leadership and poor performance.”
Zatko’s lawyers rejected Twitter’s claim, contending instead that he was terminated after a clash with top executives who refused to acknowledge his concerns about platform security.
“Mr Zatko put his career on the line because of his concerns about Twitter users, the public and the company’s shareholders,” his attorneys said.
Andrew Hay, director of operations at the Lares cybersecurity consulting firm, said “those in the industry who know Mudge know that his intentions have historically been honorable, non-partisan, and designed to benefit the world.”
Zatko’s whistleblower complaint, filed just days after Twitter agreed to give him a multi-million dollar severance package, is not necessarily evidence that the company misrepresented user numbers, according to analysts.
Musk’s lawyers will “try to prove that Twitter tried to sell him a house of cards,” but security flaws would have to be “really serious,” said University of California, Berkeley law school professor Adam Badawi.
Tomi Engdahl says:
Apple releasing iOS 16 with Lockdown, Safety Check security features https://www.bleepingcomputer.com/news/apple/apple-releasing-ios-16-with-lockdown-safety-check-security-features/
As Apple said in July when it first unveiled it, the Lockdown Mode security feature is not meant for everyday usage but, instead, designed to defend high-risk individuals (e.g., human rights defenders, journalists, and dissidents) from targeted attacks with mercenary spyware. “Turning on Lockdown Mode in iOS 16, iPadOS 16, and macOS Ventura further hardens device defenses and strictly limits certain functionalities, sharply reducing the attack surface that potentially could be exploited by highly targeted mercenary spyware,” Apple said. Once toggled on, Lockdown Mode provides additional messaging, web browsing, and connectivity protection that blocks commercial spyware (like NSO Group’s Pegasus) used by government-backed attackers to monitor compromised Apple devices.
Tomi Engdahl says:
Apple fixes eighth zero-day used to hack iPhones and Macs this year https://www.bleepingcomputer.com/news/security/apple-fixes-eighth-zero-day-used-to-hack-iphones-and-macs-this-year/
Apple has released security updates to address the eighth zero-day vulnerability used in attacks against iPhones and Macs since the start of the year. In security advisories issued on Monday, Apple revealed they’re aware of reports saying this security flaw “may have been actively exploited.” The bug (tracked as CVE-2022-32917) may allow maliciously crafted applications to execute arbitrary code with kernel privileges. Reported to Apple by an anonymous researcher, it was addressed in iOS 15.7 and iPadOS 15.7, macOS Monterey 12.6, and macOS Big Sur 11.7 with improved bounds checks. See also:
https://support.apple.com/en-us/HT201222
Tomi Engdahl says:
Sneaky attack on a work phone took 37,000 euros, insurance did not cover it https://www.is.fi/digitoday/tietoturva/art-2000009063794.html
Who compensates the damage when a work phone’s subscription is hijacked and bank accounts are emptied? In at least one recent case, the victim themselves.
The Finnish Financial Ombudsman Bureau FINE handled a case in which the chairman of the board of an unnamed company suffered a so-called SIM swapping attack. In it, criminals obtain a SIM card in the victim’s name and in this way gain access to the victim’s bank accounts.
The chairman considered that his company’s liability insurance should cover the damages of the payment instrument fraud, a total of 37,000 euros. The reasoning was that the damage resulted from a phone owned by the company.
The insurance company, for its part, decided in September a year ago that the damage would not be compensated from the liability insurance. According to the policy’s exclusion clause, the insurance does not cover financial loss that is not related to property damage or personal injury.
Tomi Engdahl says:
Google Cloud closes $5.4b Mandiant acquisition https://www.theregister.com/2022/09/12/google_closes_mandiant_acquisition/
The two companies first announced the deal, one of Google’s largest purchases, in March after a rumored Microsoft buy fell through. Six months and one shareholder lawsuit later, the two companies’ combined services and products help customers shift to a “more proactive approach” to security operations, according to Google Cloud CEO Thomas Kurian.
Tomi Engdahl says:
Hacktivist Group GhostSec Compromises 55 Berghof PLCs Across Israel https://thehackernews.com/2022/09/palestinian-hacktivist-group-ghostsec.html
A hacktivist collective called GhostSec has claimed credit for compromising as many as 55 Berghof programmable logic controllers (PLCs) used by Israeli organizations as part of a “Free Palestine” campaign. Industrial cybersecurity firm OTORIO, which dug deeper into the incident, said the breach was made possible owing to the fact that the PLCs were accessible through the Internet and were secured by trivially guessable credentials. Details of the compromise first came to light on September 4 after GhostSec shared a video on its Telegram channel demonstrating a successful login to the PLC’s admin panel, in addition to dumping data from the hacked controllers.
herryylauu says:
So far, there have been no reports of attacks on stumble guys.-based websites or services. But as more security experts weigh in on these threats, we may be able to anticipate how they might affect our digital infrastructure in the future.
Tomi Engdahl says:
CNN:
Internal Twitter memo: extreme heat in California takes its Sacramento data center region offline; losing other centers could result in downtime for all users
Extreme California heat knocks key Twitter data center offline
https://edition.cnn.com/2022/09/12/tech/twitter-data-center-california-heat-wave/
Extreme heat in California has left Twitter without one of its key data centers, and a company executive warned in an internal memo obtained by CNN that another outage elsewhere could result in the service going dark for some of its users.
Twitter (TWTR), like all major social media platforms, relies on data centers, which are essentially huge warehouses full of computers, including servers and storage systems. Controlling the temperature in those centers is critical to ensuring the computers don’t overheat and malfunction. To save on cooling costs, some tech companies have increasingly looked to place their data centers in colder climates; Google, for example, opened a data center in Finland in 2011, and Meta has had one center in northern Sweden since 2013.
“On September 5th, Twitter experienced the loss of its Sacramento (SMF) datacenter region due to extreme weather. The unprecedented event resulted in the total shutdown of physical equipment in SMF,” Carrie Fernandez, the company’s vice president of engineering, said in an internal message to Twitter engineers on Friday.
Major tech companies usually have multiple data centers, in part to ensure their service can stay online if one center fails; this is known as redundancy.
Tomi Engdahl says:
Comment: S-Pankki’s disaster hit a sore spot – now people’s trust is being tested https://www.is.fi/digitoday/tietoturva/art-2000009066441.html
Society is based – or should be based – on trust. If intruders are handed the keys, faith in the reliability of electronic services is put to the test, writes Ilta-Sanomat digital reporter Henrik Kärkkäinen.
THE SYSTEM FAILURE that S-Pankki disclosed today is at the same time a relatively small and a massive matter.
It is relatively small because its scale is far from massive data breaches such as the Vastaamo case, which will go down in history, where the psychotherapy records of tens of thousands of people ended up in the wrong hands.
It is a big matter because it hits a sore spot of the information society: the trust network. It is not an exaggeration to call it at least a small disaster.
The trust network is a chain formed by the network of services that require strong authentication. Besides authorities and banks, it includes countless companies and other actors. It is full of confidential and personal information, from banking and tax matters all the way to health matters. Online banking credentials are the key to this network, alongside the mobile certificate and the electronic ID card.
This chain, too, is only as strong as its weakest link. When the keys are in the wrong hands, the result can be ugly. One and the same online banking credential opens one electronic door after another.
THE BANK’S statement on the cause of the problem is symptomatic. It said the problem was “an authentication system failure in one component”, without elaborating even when asked.
This usually means a software bug, which is a bad thing.
The authentication and transaction software of digital services is complex, and coding is often done as subcontracting of subcontracting. Although authentication software is undoubtedly audited, that is, its functionality is verified carefully, it is complex, easily a monster of tens of thousands of lines of code. Errors arise both when coding and when checking.
This is not a comforting thought. Similar holes undoubtedly exist in many other pieces of software on which our most personal and intimate information depends. The question is who finds them and how they are used.
Electronic authentication is about trust in the digital society.
S-Pankki’s error opened the doors to hundreds of customers’ accounts and health records, and enabled payday loans… – the bank explains what happened https://www.is.fi/digitoday/tietoturva/art-2000009066089.html
S-Pankki’s system error, which lasted for months, enabled strong login both to the online bank and to third-party services requiring strong authentication.
Because of the system error, the credentials of HUNDREDS of S-Pankki customers have been used during the spring, summer and autumn to log in without authorization to both the bank’s and third parties’ services. Among other things, unauthorized transfers have been made with the credentials. In the online bank, strangers may have been able to view account transactions, agreements, online bank messages or loan information.
The error also enabled abuse in third-party services requiring strong authentication, which include payday loan companies, Omakanta (which contains health records), Kela, the tax administration and insurance companies.
S-Pankki began yesterday to inform the customers affected by the incident.
According to Holmberg, the bank says it takes responsibility in the matter. If customers have suffered financial losses, the bank will compensate them.
How large a group of customers does this concern?
– Every customer is too many. This concerns a small number of customers, and the number for whom abuse has actually occurred is even smaller.
It looks bad if you don’t disclose the number publicly. People will start to speculate.
– We are talking about a few hundred customers who are affected by the matter as a whole. And among them there is a smaller group who have been hit by financial abuse.
Have the credentials of this larger group also been used to log in?
– The larger group, who have not been subjected to financial abuse, their online bank has also been logged into.
Apparently you won’t specify the size of the customer group?
– No. It is a small group when one takes the total number of customers and the use of the services into account. But not an insignificant group from our perspective.
Can you comment on the size of the group that was subjected to abuse?
– This is a police matter. We have filed a request for investigation with the police, and we will provide the police with all the information needed to advance the investigation. That is why I cannot go into that figure in more detail.
Is it possible to find out in which service the credentials have been misused, i.e. whether they have been used to log in to, for example, Kela or Omakanta?
– This is under investigation on our side. We operate in the trust network [the network of services behind strong login]. We have notified Traficom of this, and within the trust network we have contacted the providers of identification broker services and will provide them with the information needed to investigate the logins. Within the trust network we do not see the targets of the logins.
Will customers be informed, for example, that their health records have been viewed, if this has happened?
– Yes, the relevant data controllers will inform their customers in accordance with regulation.
Tomi Engdahl says:
Hundreds of customers’ accounts were accessed without authorization, door open even to government services – serious failure at S-Pankki https://www.is.fi/digitoday/tietoturva/art-2000009066099.html
Tomi Engdahl says:
Twitter Whistleblower Testifies on Security Issues
Peiter “Mudge” Zatko, a former Twitter security executive, testified on privacy and security issues relating to the social media company…
https://www.c-span.org/video/?522489-1/twitter-executive-stands-whistleblower-complaint&vod=
Tomi Engdahl says:
S-Pankki’s error opened the doors to hundreds of customers’ accounts and health records, and enabled payday loans… the bank explains what happened https://www.is.fi/digitoday/tietoturva/art-2000009066089.html
Because of the system error, the credentials of hundreds of S-Pankki customers have been used during the spring, summer and autumn to log in without authorization to both the bank’s and third parties’ services. Among other things, unauthorized transfers have been made with the credentials. In the online bank, strangers may have been able to view account transactions, agreements, online bank messages or loan information. The error also enabled abuse in third-party services requiring strong authentication, which include payday loan companies, Omakanta (which contains health records), Kela, the tax administration and insurance companies. S-Pankki began yesterday to inform the customers affected by the incident.
Tomi Engdahl says:
Wilma Plus app showed other pupils’ names due to a technical error in Kuopio, the problem affected about a hundred users
https://yle.fi/uutiset/3-12620432
Users of the schools’ Wilma Plus app have been able to see information not meant for them. About a hundred pupils in Kuopio using the Wilma Plus app, and guardians of underage pupils, have been able to see the names of other pupils in their group and information about education department staff. The cause was an interface (API) problem in the app. The defect was noticed at the beginning of September and the situation has now been fixed. In addition, Wilma’s administrator and developer Visma Enterprise Oy disabled third-party interfaces as a precaution.
Tomi Engdahl says:
Microsoft September 2022 Patch Tuesday fixes zero-day used in attacks, 63 flaws
https://www.bleepingcomputer.com/news/microsoft/microsoft-september-2022-patch-tuesday-fixes-zero-day-used-in-attacks-63-flaws/
Today is Microsoft’s September 2022 Patch Tuesday, and with it comes fixes for an actively exploited Windows vulnerability and a total of 63 flaws. Five of the 63 vulnerabilities fixed in today’s update are classified as ‘Critical’ as they allow remote code execution, one of the most severe types of vulnerabilities. This month’s Patch Tuesday fixes two publicly disclosed zero-day vulnerabilities, with one actively exploited in attacks. The actively exploited zero-day vulnerability fixed today is tracked as ‘CVE-2022-37969 – Windows Common Log File System Driver Elevation of Privilege Vulnerability.’
The other publicly disclosed vulnerability is tracked as ‘CVE-2022-23960 – Arm: CVE-2022-23960 Cache Speculation Restriction Vulnerability.’
Tomi Engdahl says:
Hackers breach software vendor for Magento supply-chain attacks https://www.bleepingcomputer.com/news/security/hackers-breach-software-vendor-for-magento-supply-chain-attacks/
Hackers have injected malware in multiple extensions from FishPig, a vendor of Magento-WordPress integrations that count over 200,000 downloads. Magento is a popular open-source eCommerce platform used for building electronic shops, supporting the sale of tens of billions USD worth of goods annually. The intruders took control of FishPig’s server infrastructure and added malicious code to the vendor’s software to gain access to websites using the products, in what is described as a supply-chain attack. See also:
https://sansec.io/research/rekoobe-fishpig-magento
Tomi Engdahl says:
Letting off steam
https://blog.group-ib.com/steam
“I want to tell you the story of how I was scammed and lost my Steam account, including more than 100 games bought and donations totaling more than $200.” Or, “I spent hundreds of dollars on my Steam account and bought at least 20 games, some with add-ons.” There are dozens if not hundreds of similar stories. In July alone, CERT-GIB specialists identified more than 150 fraudulent resources mimicking Steam, a major online gaming platform. To steal Steam credentials, hackers have been using a new phishing technique called browser-in-the-browser, which tricks users into thinking that a fake webpage is a legal resource.
Tomi Engdahl says:
Initial access broker or ransomware gang has ‘exclusive’ access to Mitel zero-day exploit: report https://therecord.media/initial-access-broker-or-ransomware-gang-has-exclusive-access-to-mitel-zero-day-exploit-report/
Ransomware groups are continuing to target a vulnerability discovered earlier this year affecting popular Mitel MiVoice Connect VOIP devices, according to a new report from cybersecurity firm Arctic Wolf. The company released a detailed breakdown of one incident involving the Lorenz ransomware group’s exploitation of CVE-2022-29499, a vulnerability patched in April by Mitel after CrowdStrike researcher Patrick Bennett discovered the issue during a ransomware investigation. Adrian Korn, manager of threat intelligence research at Arctic Wolf Labs, told The Record that what stood out about the attack his team examined was the fact that no public proof-of-concept (PoC) exploit code for this vulnerability has ever been released, “and there is very little known about which threat actors possess the exploit.”
Tomi Engdahl says:
Washington Post:
A rundown of Twitter whistleblower Peiter “Mudge” Zatko’s testimony before US Senate Judiciary Committee lawmakers — A Twitter whistleblower on Tuesday testified before Congress that the company’s failure to secure sensitive data causes “real harm to real people,” …
https://www.washingtonpost.com/technology/2022/09/13/twitter-whistleblower-peiter-zatko-testifies/
Ronan Farrow / New Yorker:
A look at the efforts by at least six research groups to find dirt on Twitter whistleblower Peiter Zatko, including offers to pay his former colleagues for info — Many of Peiter (Mudge) Zatko’s former colleagues have received offers of payment for information about him.
https://www.newyorker.com/news/news-desk/the-search-for-dirt-on-the-twitter-whistle-blower
Tomi Engdahl says:
Zack Whittaker / TechCrunch:
Mudge details Twitter’s lack of logging, ignoring hackers’ ongoing efforts to access its systems, how the FTC let the company “grade its own homework”, and more — A ticking bomb of security vulnerabilities. Covering up security failures. Duping regulators and misleading lawmakers.
What we learned when Twitter whistleblower Mudge testified to Congress
https://techcrunch.com/2022/09/13/twitter-whistleblower-mudge-congress/
A ticking bomb of security vulnerabilities. Covering up security failures. Duping regulators and misleading lawmakers.
These are just some of the allegations when Twitter’s ex-security lead turned whistleblower, Peiter Zatko, testified to the Senate Judiciary Committee on Tuesday, less than a month after the release of his explosive whistleblower complaint filed with federal regulators. Zatko, better known as Mudge, made his first comments since the public release of his complaint.
Twitter did not respond to a request for comment.
These are the key takeaways from Mudge’s testimony to lawmakers and what we learned from Tuesday’s hearing.
FBI warned Twitter it had a Chinese spy on staff
Thousands of attempts to hack into Twitter weekly
What Twitter knows about its users and why spies want it
U.S. government agencies let companies “grade their own homework”
Tomi Engdahl says:
David McCabe / New York Times:
In his Senate testimony, ex-head of Twitter security and whistleblower Peiter Zatko says the company was told of “at least one [Chinese] agent” on its payroll
https://www.nytimes.com/2022/09/13/technology/twitter-whistle-blower-security-flaws.html
Tomi Engdahl says:
Microsoft Raises Alert for Under-Attack Windows Flaw
https://www.securityweek.com/microsoft-raises-alert-under-attack-windows-flaw
Microsoft on Tuesday warned that its security teams have detected zero-day exploitation of a critical vulnerability in its flagship Windows platform.
Redmond included a fix for the latest zero-day in the September batch of Patch Tuesday updates and warned that attackers are already exploiting the flaw to gain SYSTEM privileges on fully patched Windows machines.
Microsoft released a barebones bulletin acknowledging the bug exists in Windows Common Log File System (CLFS), a subsystem used for data and event logging.
From the bulletin:
“An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. An attacker must already have access and the ability to run code on the target system. This technique does not allow for remote code execution in cases where the attacker does not already have that ability on the target system.”
The vulnerability, tracked as CVE-2022-37969, was reported to Microsoft by four different organizations, suggesting it was used in an exploit chain linked to limited, targeted attacks.
Microsoft did not release any technical details on the bug or any indicators of compromise (IOCs) to help defenders hunt for signs of infection.
The already-exploited CLFS flaw carries a CVSS score of 7.8 out of 10.
Tomi Engdahl says:
According to ZDI, the Trend Micro unit that closely tracks vulnerability warnings, Windows admins should pay urgent attention to these additional issues:
CVE-2022-34718 — Windows TCP/IP Remote Code Execution Vulnerability — This Critical-rated bug could allow a remote, unauthenticated attacker to execute code with elevated privileges on affected systems without user interaction. That officially puts it into the “wormable” category and earns it a CVSS rating of 9.8. However, only systems with IPv6 enabled and IPSec configured are vulnerable. While good news for some, if you’re using IPv6 (as many are), you’re probably running IPSec as well. Definitely test and deploy this update quickly.
CVE-2022-34724 — Windows DNS Server Denial of Service Vulnerability — This bug is only rated Important since there’s no chance of code execution, but you should probably treat it as Critical due to its potential impact. A remote, unauthenticated attacker could create a denial-of-service (DoS) condition on your DNS server. It’s not clear if the DoS just kills the DNS service or the whole system. Shutting down DNS is always bad, but with so many resources in the cloud, a loss of DNS pointing the way to those resources could be catastrophic for many enterprises.
CVE-2022-3075 — Chromium: CVE-2022-3075 Insufficient data validation in Mojo — This patch was released by the Google Chrome team back on September 2, so this is more of an “in case you missed it.” This vulnerability allows code execution on affected Chromium-based browsers (like Edge) and has been detected in the wild. This is the sixth Chrome exploit detected in the wild this year. The trend shows the near-ubiquitous browser platform has become a popular target for attackers. Make sure to update all of your systems based on Chromium.
https://www.securityweek.com/microsoft-raises-alert-under-attack-windows-flaw
Tomi Engdahl says:
Adobe Patches 63 Security Flaws in Patch Tuesday Bundle
https://www.securityweek.com/adobe-patches-63-security-flaws-patch-tuesday-bundle
Software maker Adobe has rolled out security fixes for at least 63 security vulnerabilities in a wide range of widely deployed Windows and macOS software products.
As part of the scheduled September batch of Patch Tuesday updates, Adobe called attention to critical-rated bulletins affecting the Adobe Bridge, InDesign, Photoshop, InCopy, Animate and Illustrator software products.
Tomi Engdahl says:
Whistleblower: China, India Had Agents Working for Twitter
https://www.securityweek.com/whistleblower-china-india-had-agents-working-twitter
Tomi Engdahl says:
Twitter Ex-Security Chief Tells US Congress of Security Concerns
https://www.securityweek.com/twitter-ex-security-chief-tells-us-congress-security-concerns
Tomi Engdahl says:
https://www.securityweek.com/opus-security-scores-10m-cloud-security-orchestration
Tomi Engdahl says:
FBI Warns of Unpatched and Outdated Medical Device Risks
https://www.securityweek.com/fbi-warns-unpatched-and-outdated-medical-device-risks
The FBI is warning healthcare facilities of the risks associated with unpatched and outdated medical devices.
Security flaws in medical devices could adversely impact the operations of healthcare facilities, while also affecting the safety of patients and data confidentiality and integrity, the FBI says.
Both hardware design and device software management faults could lead to security vulnerabilities, especially if specific configurations are used, embedded security features are missing or cannot be updated, or there are too many devices to manage.
Some medical devices may remain in use for up to 30 years, which provides threat actors with enough time to identify and exploit vulnerabilities, especially if the software running on them has reached end of life (EOL).
“Legacy medical devices contain outdated software because they do not receive manufacturer support for patches or updates, making them especially vulnerable to cyberattacks,” the FBI says.
https://www.ic3.gov/Media/News/2022/220912.pdf
Tomi Engdahl says:
ICS Patch Tuesday: Siemens, Schneider Electric Fix High-Severity Vulnerabilities
https://www.securityweek.com/ics-patch-tuesday-siemens-schneider-electric-fix-high-severity-vulnerabilities
Siemens and Schneider Electric have released their Patch Tuesday security advisories to inform customers about dozens of vulnerabilities affecting their industrial products.
Siemens has released five new advisories describing a total of 37 patched vulnerabilities. One of the advisories covers third-party component flaws in the Sinec INS (Infrastructure Network Services) web-based application for managing network services.
A total of 14 high- and medium-severity vulnerabilities have been found in third-party components used by the product, including BIND, ISC DHCP, OpenSSL, Lodash, and Axios. Siemens says these weaknesses could allow an attacker to cause a DoS condition, obtain sensitive data, or violate system integrity.
Schneider Electric has only released one new advisory, but the company has updated over a dozen existing advisories.
The new advisory describes multiple high-severity deserialization issues in EcoStruxure Machine SCADA Expert and Pro-face Blue Open Studio products that could lead to arbitrary code execution, information disclosure, or DoS.
Tomi Engdahl says:
Huh, so S-Pankki already knew about this in May but didn’t take it seriously until September https://www.hs.fi/talous/art-2000009066864.html
Tomi Engdahl says:
https://pjarvinen.blogspot.com/2022/09/s-pankki-koettelee-luottamusta.html
S-Pankki tests trust in online banks
S-Pankki announced today a security blunder that, on a level of principle, is as big a deal as the Vastaamo data leak two years ago. Details are (once again) not disclosed, but several people have managed to log in with S-Pankki credentials under other people’s names. There may not be much money in the account, but all sorts of other harm could have been done with the credentials.
The strangest thing is that customer authentication has been allowed to stay broken for almost four months without the bank noticing. Mistakes happen and programs have bugs. Nothing, however, explains why the bank did not wake up even after customers complained about unwarranted charges or other oddities. The problem only came to light after a white-hat hacker reported it to the bank.
Online banking credentials are the cornerstone of the Finnish information society. Previously they have been trusted like a rock, because the credentials can be used to place binding orders, do business with Kela or the health records in Omakanta, and so on. Now that trust is at the very least being tested.
The bank has at least apologized generously.
An apology, however, does not cover the irreversible damage that this causes to online banks. Recently there have been many scams in which customers have lost the money in their accounts. The bank has always argued that the customer acted carelessly and should have prevented the scam. The bank has the logs, the expertise and the experts. The customer stands no chance in court against the bank.
Now it has become clear that the fault can also lie with the bank. This will be seen in future disputes. The bank is not necessarily always right, nor the customer always wrong.
The worst thing for S-Pankki is that this is not the first time. In 2019 S-Pankki noticed that its new mobile app could show other customers’ account information. That happened to about 300 customers before the mobile bank could be shut down and the problem fixed.
The cornerstones of secure online services are in danger. Operators and banks must pull themselves together and go through their own processes to prevent scams.
Tomi Engdahl says:
It is worth getting a second phone that at least has the bank identification app, just in case. Don't put all your eggs in one basket. Apparently a single user can install the mobile bank on as many phones as they like at the same time.
Tomi Engdahl says:
In my opinion the news about the S-Pankki vulnerability is very significant. Apparently it really was a technical vulnerability in the identification, which the user could not have influenced in any way. Here is S-Pankki's own long press release on the matter:
https://www.s-pankki.fi/fi/tiedotteet/2022/s-pankin-tunnistautumisessa-jarjestelmahairio-kesalla–tilanne-on-korjattu-ja-kaikkiin-asiakkaisiin-joita-hairio-koski-ollaan-yhteydessa/
Admittedly the matter is even frightening. The release talks about the behaviour of a software component. Could it be a ready-made component that the developers trusted, but in which a vulnerability was revealed later. As an IT person myself I know these things are complicated and few have the understanding to handle them. Another problem is that investigations often involve a huge crowd of people, 90% of whom may be complete tourists when it comes to technical understanding.
Comment: https://pjarvinen.blogspot.com/2022/09/s-pankki-koettelee-luottamusta.html?m=1
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/new-psexec-spinoff-lets-hackers-bypass-network-security-defenses/
Tomi Engdahl says:
Kris Holt / Engadget:
EA unveils EA AntiCheat, a kernel-level anti-cheat system for some PC games, launching September 23 to take on cheat developers building kernel-level exploits — Electronic Arts is determined to keep cheaters at bay. The company has developed a kernel-level anti-cheat system for PC …
EA will debut new anti-cheat tech with ‘FIFA 23′ on PC
The company built a kernel-level tool to aid its ongoing battle against cheat developers.
https://www.engadget.com/ea-anti-cheat-tech-fifa-23-pc-kernel-191136885.html?guccounter=1&guce_referrer=aHR0cHM6Ly93d3cudGVjaG1lbWUuY29tLw&guce_referrer_sig=AQAAAF8DkEPfrN1ghFsaLncEMRiUzjpDY1Bg-IbSkVy9ozgdUE8yaW6aoTl8qBgees4ybTDxA6_qNXLY7bgYbNGtM9rWiKC1es_rS72haPte6D9puPN8ji4bOXhT0TBwZ7JM0hN7yPNE8ukeY15E3b0ngeKJU0aNiYOk6JJquvzQ7WtI
Electronic Arts is determined to keep cheaters at bay. The company has developed a kernel-level anti-cheat system for PC that it will deploy alongside FIFA 23 when the game arrives on September 30th. According to the publisher, the move was necessary to “ensure fair play” by taking on PC cheat developers who are increasingly building kernel-level exploits that OS-level anti-cheat tools are unable to detect.
In a blog post, EA’s senior director of game security and anti-cheat Elise Murphy wrote that the company created EA AntiCheat (EAAC) because “third-party anti-cheat solutions are often opaque to our teams, and prevent us from implementing additional privacy controls or customizations that provide greater accuracy and granularity for EA-specific game modes.” It should also be able to address security issues head on.
A Deep Dive on EA AntiCheat for PC
https://www.ea.com/security/news/eaac-deep-dive
At Electronic Arts we are committed to creating a safe and fair experience for all of our players. As outlined in our Positive Player Charter, we ask everyone to play within the rules of the game and refrain from tampering or using cheats. Our Game Security & Anti-Cheat team has been hard at work building and supporting technologies that enable us to best protect our players’ interest in fair play, and that’s why we are announcing the launch of EA AntiCheat (EAAC) with FIFA 23 for PC this fall. EAAC is a kernel-mode anti-cheat and anti-tamper solution developed in-house at Electronic Arts. PC cheat developers have increasingly moved into the kernel, so we need to have kernel-mode protections to ensure fair play and tackle PC cheat developers on an even playing field.
As tech-inclined video gamers ourselves, it is important to us to make sure that any kernel anti-cheat included in our games acts with a strong focus on the privacy and security of our gamers that use a PC.
Third party anti-cheat solutions are often opaque to our teams, and prevent us from implementing additional privacy controls or customizations that provide greater accuracy and granularity for EA-specific game modes. With EAAC we have full stack ownership of the security & privacy posture, so we can fix security issues as soon as they may arise. With that in mind, let’s tackle a few of the common questions you may have.
Tomi Engdahl says:
Lawrence Abrams / BleepingComputer:
Microsoft releases 63 security fixes, including patches for two zero-day flaws, one of which is being actively exploited, and five critical RCE vulnerabilities — Today is Microsoft’s September 2022 Patch Tuesday, and with it comes fixes for an actively exploited Windows vulnerability and a total of 63 flaws.
Microsoft September 2022 Patch Tuesday fixes zero-day used in attacks, 63 flaws
https://www.bleepingcomputer.com/news/microsoft/microsoft-september-2022-patch-tuesday-fixes-zero-day-used-in-attacks-63-flaws/
Today is Microsoft’s September 2022 Patch Tuesday, and with it comes fixes for an actively exploited Windows vulnerability and a total of 63 flaws.
Five of the 63 vulnerabilities fixed in today’s update are classified as ‘Critical’ as they allow remote code execution, one of the most severe types of vulnerabilities.
18 Elevation of Privilege Vulnerabilities
1 Security Feature Bypass Vulnerability
30 Remote Code Execution Vulnerabilities
7 Information Disclosure Vulnerabilities
7 Denial of Service Vulnerabilities
16 Edge – Chromium Vulnerabilities
The above counts do not include sixteen vulnerabilities fixed in Microsoft Edge before Patch Tuesday.
For information about the non-security Windows updates, you can read today’s Windows 10 KB5017308 and KB5017315 updates and the Windows 11 KB5017328 update.
https://www.bleepingcomputer.com/news/microsoft/windows-10-kb5017308-and-kb5017315-updates-released/
https://www.bleepingcomputer.com/news/microsoft/windows-11-kb5017328-update-fixes-usb-printing-audio-headset-issues/
Tomi Engdahl says:
Malware Infects Magento-Powered Stores via FishPig Distribution Server
https://www.securityweek.com/malware-infects-magento-powered-stores-fishpig-distribution-server
For the past several weeks, Magento stores have been injected with malware via a supply chain attack that targeted the FishPig distribution server.
Specialized in Magento optimizations and Magento-WordPress integrations, FishPig offers various Magento extensions that have gathered over 200,000 downloads.
On Tuesday, FishPig warned of an intrusion to its extension license system, which resulted in a threat actor injecting malicious PHP code into the Helper/License.php file.
“This file is included in most FishPig extensions so it is best to assume that all FishPig modules had been infected,” FishPig announced.
According to the company, the hackers likely had access to its servers since at least August 6.
The injected code would install another piece of malware, called Rekoobe, which hides itself as a background process on the compromised servers, according to security researchers with Sansec, who identified the intrusion.
Tomi Engdahl says:
Google Improves Chrome Protections Against Use-After-Free Bug Exploitation
https://www.securityweek.com/google-improves-chrome-protections-against-use-after-free-bug-exploitation
Google this week has shared more information on recently introduced technology meant to reduce the exploitability of use-after-free vulnerabilities in the Chrome browser.
A type of memory corruption bug, use-after-free issues occur when a program does not clear a pointer after freeing the memory it points to. These flaws could lead to arbitrary code execution, data corruption, or denial of service.
Use-after-free vulnerabilities may also be combined with other security flaws, leading to complete system compromise.
The exploitation of use-after-free issues in Chrome can result in a sandbox escape. For this to happen, however, the attacker needs to target either a bug in the underlying operating system, or a flaw in a privileged part of Chrome, such as the browser process.
According to Google, one way to reduce this attack surface is to minimize the number of operating system interfaces accessible from within the renderer process sandbox.
For security flaws in the browser process, Google has introduced MiraclePtr, which rewrites the codebase to use a smart pointer type called ‘raw_ptr’ to prevent the exploitation of use-after-free bugs.
The MiraclePtr implementation algorithm that Google has opted for is called BackupRefPtr. Based on reference counting, it supports Chrome’s heap allocator, PartitionAlloc, which was designed to keep memory regions quarantined, unless their reference count is 0.
https://security.googleblog.com/2022/09/use-after-freedom-miracleptr.html?m=1
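The quarantine-until-refcount-zero idea behind BackupRefPtr, as an added example that is not Chrome's or PartitionAlloc's code: a fixed pool of slots whose metadata counts live `raw_ptr` instances, and a free routine that zaps and quarantines a slot until the last reference drops. `Widget`, `Slot`, `alloc_widget` and `free_widget` are names invented for the illustration.

```cpp
#include <cstdio>

// Constructed model of MiraclePtr/BackupRefPtr, not Chrome's code: every
// allocator slot carries a count of live raw_ptr instances. Freeing an
// object that still has references quarantines the slot instead of
// recycling it, so no later allocation can land on the dangling memory.
struct Widget { int secret = 0; };

struct Slot {
    bool in_use = false;     // handed out by the allocator, or quarantined
    bool freed = false;      // owner freed the object; it is dead
    unsigned ref_count = 0;  // live raw_ptr instances pointing at obj
    Widget obj;
};

constexpr int kSlots = 4;    // tiny fixed pool standing in for PartitionAlloc
static Slot g_pool[kSlots];

// Map an object back to its slot (real allocators use slot metadata).
static Slot* find_slot(const Widget* w) {
    for (Slot& s : g_pool) if (&s.obj == w) return &s;
    return nullptr;
}

static Widget* alloc_widget() {
    for (Slot& s : g_pool) {
        if (s.in_use) continue;
        s.in_use = true; s.freed = false; s.ref_count = 0; s.obj = Widget{};
        return &s.obj;
    }
    return nullptr;          // pool exhausted
}

// Free with quarantine: zap the payload, recycle the slot only when no
// raw_ptr still references it.
static void free_widget(Widget* w) {
    Slot* s = find_slot(w);
    if (!s || !s->in_use || s->freed) return;   // bogus or double free
    s->freed = true;
    s->obj.secret = 0;       // dangling reads see a neutral value, not new data
    if (s->ref_count == 0) s->in_use = false;   // otherwise stays quarantined
}

// Minimal raw_ptr: holds a reference on the slot for as long as it lives.
class raw_ptr {
 public:
    explicit raw_ptr(Widget* w) : w_(w) { if (Slot* s = find_slot(w_)) ++s->ref_count; }
    raw_ptr(const raw_ptr&) = delete;           // copying omitted for brevity
    raw_ptr& operator=(const raw_ptr&) = delete;
    ~raw_ptr() {             // last reference gone: end the quarantine
        Slot* s = find_slot(w_);
        if (s && --s->ref_count == 0 && s->freed) s->in_use = false;
    }
    Widget* operator->() const { return w_; }
    bool dangling() const { Slot* s = find_slot(w_); return s && s->freed; }
 private:
    Widget* w_;
};

// Scenario 1: owner frees while a raw_ptr is alive. The next allocation must
// get a different slot and the dangling read must see the zapped value.
bool demo_quarantine_prevents_reuse() {
    Widget* a = alloc_widget();
    a->secret = 42;
    raw_ptr p(a);
    free_widget(a);                 // ref_count is 1: slot quarantined
    Widget* b = alloc_widget();     // different slot
    b->secret = 7;
    bool ok = (b != a) && p.dangling() && p->secret == 0;
    free_widget(b);
    return ok;                      // p's destructor releases slot a
}

// Scenario 2: once the last raw_ptr drops, the slot is reusable again.
bool demo_slot_reused_after_last_ref() {
    Widget* a = alloc_widget();
    { raw_ptr p(a); free_widget(a); }   // quarantine ends when p dies
    Widget* c = alloc_widget();
    bool ok = (c == a);
    free_widget(c);
    return ok;
}

int main() {
    std::printf("reuse blocked: %d, slot recycled: %d\n",
                demo_quarantine_prevents_reuse(), demo_slot_reused_after_last_ref());
}
```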
Tomi Engdahl says:
Passengers Exposed to Hacking via Vulnerabilities in Airplane Wi-Fi Devices
https://www.securityweek.com/passengers-exposed-hacking-vulnerabilities-airplane-wi-fi-devices
Researchers have discovered two potentially serious vulnerabilities in wireless LAN devices that they say are often used in airplanes.
Researchers Thomas Knudsen and Samy Younsi of Necrum Security Labs identified the vulnerabilities in the Flexlan FX3000 and FX2000 series wireless LAN devices made by Contec, a Japan-based company that specializes in embedded computing, industrial automation, and IoT communication technology.
One of the security holes, CVE-2022-36158, is related to a hidden webpage that can be used to execute Linux commands on the device with root privileges. The device’s web-based management interface does not provide a link to this hidden page.
Flexlan wireless LAN device vulnerabilities could allow airplane hacking
“From here we had access to all the system files but were also able to open the telnet port and have full access on the device,” the researchers explained in a blog post.
The second vulnerability, CVE-2022-36159, is related to a backdoor account and the use of a weak hardcoded password. The researchers found a root user account with a default hardcoded password that is likely designed for maintenance purposes. The password is stored as a hash, but it was quickly cracked by the experts. An attacker can use this account to gain control of the device.
[CVE-2022-36158 / CVE-2022-36159] Contec FLEXLAN FXA2000 and FXA3000 series vulnerability report.
https://samy.link/blog/contec-flexlan-fxa2000-and-fxa3000-series-vulnerability-repo
Product Description:
The FLEXLAN FXA2000 and FXA3000 series devices from CONTEC are WiFi access points mainly used in airplanes and allow very high speed communication to provide movies and music, but also to buy food and goodies during the flight.
Tomi Engdahl says:
Up to 150 suspected data breaches at S-Pankki - two remanded in custody
According to the police, the suspects live in Finland.
https://www.iltalehti.fi/digiuutiset/a/a80e3d4e-a1e4-4a7b-b824-ad3833dd1e25
The Western Uusimaa police have published a press release concerning the S-Pankki data breach.
The police are investigating a series of frauds that began in May 2022, in which unauthorized transfers were made from the victims' S-Pankki accounts. According to the police, the transfers succeeded by exploiting a vulnerability in the bank's information system.
At this stage of the investigation the police have remanded two suspects in custody, and a few others have been apprehended and detained. The offences under investigation include at least aggravated payment instrument fraud, aggravated money laundering and computer break-in.
According to the police, the series of break-ins continued through the summer. According to the police's current information there are 53 completed acts, i.e. payment instrument frauds. In addition, roughly 150 data breaches are under police investigation. There are victims across the whole country, but the investigation has been concentrated at the Western and Eastern Uusimaa police departments.
According to the head of the investigation, Detective Chief Inspector Klaus Geiger, what makes the series exceptional is both that the suspects live in Finland and the acts were committed in Finland, and that the acts did not require the victims' involvement, i.e. deceiving them.
Tomi Engdahl says:
At first there was talk of a few isolated cases, now already over 150. And S-Pankki did not notice anything, even though victims complained.
Person remanded in custody over S-Pankki data breach is 16 years old - crime series lasted the whole summer
According to the police, the suspects live in Finland.
https://www.iltalehti.fi/digiuutiset/a/a80e3d4e-a1e4-4a7b-b824-ad3833dd1e25
The Western Uusimaa police have published a press release concerning the S-Pankki data breach.
The police are investigating a series of frauds that began in May 2022, in which unauthorized transfers were made from the victims' S-Pankki accounts. According to the police, the transfers succeeded by exploiting a vulnerability in the bank's information system.
At this stage of the investigation the police have remanded two suspects in custody, and a few others have been apprehended and detained. The offences under investigation include at least aggravated payment instrument fraud, aggravated money laundering and computer break-in.
According to Iltalehti's information, one of the two remanded, suspected among other things of three aggravated payment instrument frauds, is only 16 years old.
According to the police, the series of break-ins continued through the summer. According to the police's current information there are 53 completed acts, i.e. payment instrument frauds. In addition, roughly 150 data breaches are under police investigation.
According to the head of the investigation, Detective Chief Inspector Klaus Geiger, what makes the series exceptional is both that the suspects live in Finland and the acts were committed in Finland, and that the acts did not require the victims' involvement, i.e. deceiving them.
- The crime series now under our investigation is completely separate from the so-called phishing frauds that have taken place in the country, which are directed from abroad by deceiving victims, Geiger emphasizes.
S-Pankki has been, or will in the coming days be, in contact with all victims of this crime series. The police will also contact the victims as the preliminary investigation proceeds.
Tomi Engdahl says:
New Microsoft Windows Zero-Day Attack Confirmed: Update Now
https://www.forbes.com/sites/daveywinder/2022/09/14/new-microsoft-windows-zero-day-attack-confirmed-update-now/?utm_medium=social&utm_campaign=socialflowForbesMainFB&utm_source=ForbesMainFacebook&sh=4a0be6c57ba3
In total, some 63 security vulnerabilities have been identified and patched this month. Of these, five are flagged as critical and one has been confirmed as already actively exploited by threat actors: CVE-2022-37969
What is CVE-2022-37969?
CVE-2022-37969 has a severity rating of 7.8 and impacts Windows versions from 7 right up to 11 as well as Windows Server 2008 and 2012.
This is an elevation of privilege vulnerability in the Windows Common Log File System. Microsoft has confirmed that a successful attack could gain system privileges to take control of the machine and that exploit code is available in the wild.
Tomi Engdahl says:
Severity level 9.8/10 - update Windows now https://www.is.fi/digitoday/tietoturva/art-2000009068965.html
Microsoft released a series of security fixes on Tuesday evening. One vulnerability is already under attack, while another is exceptionally severe.
MICROSOFT'S monthly security fixes arrived yesterday evening on the so-called Patch Tuesday. Bleeping Computer, among others, reported on them.
Wormable Flaw, 0days Lead Sept. 2022 Patch Tuesday
https://krebsonsecurity.com/2022/09/wormable-flaw-0days-lead-sept-2022-patch-tuesday/
This month’s Patch Tuesday offers a little something for everyone, including security updates for a zero-day flaw in Microsoft Windows that is under active attack, and another Windows weakness experts say could be used to power a fast-spreading computer worm. Also, Apple has also quashed a pair of zero-day bugs affecting certain macOS and iOS users, and released iOS 16, which offers a new privacy and security feature called “Lockdown Mode.” And Adobe axed 63 vulnerabilities in a range of products.
Tomi Engdahl says:
Microsoft Teams stores auth tokens as cleartext in Windows, Linux, Macs
https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/
Security analysts have found a severe security vulnerability in the desktop app for Microsoft Teams that gives threat actors access to authentication tokens and accounts with multi-factor authentication (MFA) turned on.
Microsoft Teams is a communication platform, included in the 365 product family, used by more than 270 million people for exchanging text messages, videoconferencing, and storing files.
The newly discovered security issue impacts versions of the application for Windows, Linux, and Mac and refers to Microsoft Teams storing user authentication tokens in clear text without protecting access to them.
An attacker with local access on a system where Microsoft Teams is installed could steal the tokens and use them to log into the victim’s account.
“This attack does not require special permissions or advanced malware to get away with major internal damage,” Connor Peoples at cybersecurity company Vectra explains in a report this week.
The researcher adds that by taking “control of critical seats–like a company’s Head of Engineering, CEO, or CFO—attackers can convince users to perform tasks damaging to the organization.”
Vectra researchers discovered the problem in August 2022 and reported it to Microsoft. However, Microsoft did not agree on the severity of the issue and said that it doesn’t meet the criteria for patching.
Tomi Engdahl says:
“University of Utah police are trying to find the person who hacked an electronic sign by the student life center to display porn for two days.”
University of Utah Police trying to find who hacked campus kiosk to display porn
https://ksltv.com/505622/university-of-utah-police-trying-to-find-who-hacked-campus-kiosk-to-display-porn/
University of Utah police are trying to find the person who hacked an electronic sign by the student life center to display porn for two days.
Someone who works at the U noticed it at approximately 2:06 p.m. Tuesday, and within an hour, staff had the kiosk shut down.
“After checking the kiosk’s browser history, crews determined the access occurred at 12:30 a.m. on Sunday, Sept. 11. Over the next two days, users logged in to multiple porn websites on the kiosk,” read a Tuesday evening statement from a University of Utah spokesperson.
“None of the other 19 outdoor, and approximately 100 indoor, electronic screens across campus were impacted. All other electronic signs on campus are secured,” the statement concluded.
Tomi Engdahl says:
Microsoft Teams stores auth tokens as cleartext in Windows, Linux, Macs https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/
Security analysts have found a severe security vulnerability in the desktop app for Microsoft Teams that gives threat actors access to authentication tokens and accounts with multi-factor authentication (MFA) turned on. The newly discovered security issue impacts versions of the application for Windows, Linux, and Mac and refers to Microsoft Teams storing user authentication tokens in clear text without protecting access to them. An attacker with local access on a system where Microsoft Teams is installed could steal the tokens and use them to log into the victim’s account. “This attack does not require special permissions or advanced malware to get away with major internal damage,” Connor Peoples at cybersecurity company Vectra explains in a report this week. See also:
https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens
Tomi Engdahl says:
Wormable Flaw, 0days Lead Sept. 2022 Patch Tuesday – Krebs on Security
https://krebsonsecurity.com/2022/09/wormable-flaw-0days-lead-sept-2022-patch-tuesday/
This month’s Patch Tuesday offers a little something for everyone, including security updates for a zero-day flaw in Microsoft Windows that is under active attack, and another Windows weakness experts say could be used to power a fast-spreading computer worm.
Microsoft today released software patches to plug at least 64 security holes in Windows and related products. Worst in terms of outright scariness is CVE-2022-37969, which is a “privilege escalation” weakness in the Windows Common Log File System Driver that allows attackers to gain SYSTEM-level privileges on a vulnerable host. Microsoft says this flaw is already being exploited in the wild.
Kevin Breen, director of cyber threat research at Immersive Labs, said any vulnerability that is actively targeted by attackers in the wild must be put to the top of any patching list.
“Not to be fooled by its relatively low CVSS score of 7.8, privilege escalation vulnerabilities are often highly sought after by cyber attackers,”
Another vulnerability Microsoft patched this month — CVE-2022-35803 — also seems to be related to the same Windows log file component. While there are no indications CVE-2022-35803 is being actively exploited, Microsoft suggests that exploitation of this flaw is more likely than not.
Trend Micro’s Dustin Childs called attention to CVE-2022-34718, a remote code execution flaw in the Windows TCP/IP service that could allow an unauthenticated attacker to execute code with elevated privileges on affected systems without user interaction.
“That officially puts it into the ‘wormable’ category and earns it a CVSS rating of 9.8,” Childs said. “However, only systems with IPv6 enabled and IPSec configured are vulnerable. While good news for some, if you’re using IPv6 (as many are), you’re probably running IPSec as well. Definitely test and deploy this update quickly.”
Tomi Engdahl says:
Two remanded in custody suspected of crimes against S-Pankki customers https://www.is.fi/digitoday/tietoturva/art-2000009069964.html
The police believe they have identified the main suspect in an exceptionally serious cybercrime whose victims are several S-Pankki customers.
On Wednesday the Western Uusimaa police reported an exceptional crime series in which a vulnerability in the bank's information system enabled unauthorized transfers. The series began in May.
S-Pankki said on Tuesday that the system malfunction began on 20 April and ended on 5 August. According to the police, 53 completed acts, i.e. payment instrument frauds, related to the series are under investigation.
In addition to the payment instrument frauds, about 150 data breaches are under police investigation.
Tomi Engdahl says:
Iranians Hacked A Domestic Violence Shelter And U.S. Power Companies In Ransomware Rampage, DOJ Says https://www.forbes.com/sites/thomasbrewster/2022/09/14/fbi-iran-ransomware-hacks-the-planet/
The Justice Department announced charges on Tuesday against three Iranian nationals who, between October 2020 and 2022, allegedly hacked into hundreds of organizations across multiple countries, including the U.S., the U.K. and Russia. According to the DOJ, the hackers broke into computers and used Microsoft’s BitLocker security tool, which secures files, to lock up victims’ data. They then allegedly stole data and sent ransom demands, some of which were printed out using office printers. The victims were broad, from small businesses and utilities companies to local government agencies and nonprofits, including a domestic violence shelter in Pennsylvania. The Alert:
https://www.cisa.gov/uscert/ncas/alerts/aa22-257a