Cyber security news September 2022

This posting is here to collect cyber security news in September 2022.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.

411 Comments

  1. Tomi Engdahl says:

    Weaponizing game code to attack a company https://www.kaspersky.com/blog/genshin-driver-attack/45494/
    Released on PC and consoles in September 2020, the action-adventure video game Genshin Impact was created by miHoYo Limited of China. The Windows version comes with a module combating gaming cheats, which incorporates a driver named mhyprot2.sys. It provides the game’s defense mechanism with broad system privileges, and has a digital signature to prove its rights. In August 2022, Trend Micro released a report about an unusual attack on corporate infrastructure. The attack used this particular driver mhyprot2.sys. In a nutshell, a hacker group figured out that it could use virtually unlimited system privileges afforded by the driver and the associated legitimate digital certificate as tools for a targeted attack. And you don’t even need to install the game itself to become a victim.

    Reply
  2. Tomi Engdahl says:

    You never walk alone: The SideWalk backdoor gets a Linux variant https://www.welivesecurity.com/2022/09/14/you-never-walk-alone-sidewalk-backdoor-linux-variant/
    ESET researchers have discovered a Linux variant of the SideWalk backdoor, one of the multiple custom implants used by the SparklingGoblin APT group. This variant was deployed against a Hong Kong university in February 2021, the same university that had already been targeted by SparklingGoblin during the student protests in May 2020. We originally named this backdoor StageClient, but now refer to it simply as SideWalk Linux. We also discovered that a previously known Linux backdoor, the Specter RAT, first documented by 360 Netlab, is also actually a SideWalk Linux variant, having multiple commonalities with the samples we identified. SparklingGoblin is an APT group whose tactics, techniques, and procedures (TTPs) partially overlap with APT41 and BARIUM. While the group targets mostly East and Southeast Asia, we have also seen SparklingGoblin targeting a broad range of organizations and verticals around the world, with a particular focus on the academic sector. SparklingGoblin is one of the groups with access to the ShadowPad backdoor.

    Reply
  3. Tomi Engdahl says:

    A Post-exploitation Look at Coinminers Abusing WebLogic Vulnerabilities https://www.trendmicro.com/en_us/research/22/i/a-post-exploitation-look-at-coinminers-abusing-weblogic-vulnerab.html
    We have recently observed malicious actors exploiting both recently disclosed and older Oracle WebLogic Server vulnerabilities to deliver cryptocurrency-mining malware. Oracle WebLogic Server is typically used for developing and deploying high-traffic enterprise applications on cloud environments and engineered and conventional systems. One of the older vulnerabilities that is still being actively exploited by malicious actors is CVE-2020-14882, a remote code execution (RCE) vulnerability that takes advantage of improper input validation in Oracle WebLogic Server. It also has a CVSS v3.0 score of 9.8.

    Reply
  4. Tomi Engdahl says:

    Google Improves Chrome Protections Against Use-After-Free Bug Exploitation
    https://www.securityweek.com/google-improves-chrome-protections-against-use-after-free-bug-exploitation

    Google this week has shared more information on recently introduced technology meant to reduce the exploitability of use-after-free vulnerabilities in the Chrome browser.

    A type of memory corruption bug, use-after-free issues occur when a program does not clear the pointer after freeing a memory allocation. These flaws could lead to arbitrary code execution, data corruption, or denial of service.

    Use-after-free vulnerabilities may also be combined with other security flaws, leading to complete system compromise.

    The exploitation of use-after-free issues in Chrome can result in a sandbox escape. For this to happen, however, the attacker needs to target either a bug in the underlying operating system, or a flaw in a privileged part of Chrome, such as the browser process.

    Reply
  5. Tomi Engdahl says:

    WordPress Sites Hacked via Zero-Day Vulnerability in WPGateway Plugin
    https://www.securityweek.com/wordpress-sites-hacked-zero-day-vulnerability-wpgateway-plugin

    Many WordPress sites are at risk of full compromise as attackers are actively exploiting a zero-day vulnerability in the WPGateway plugin, Defiant’s WordFence team warns.

    A premium plugin for the WPGateway cloud service, the WPGateway plugin provides users with WordPress installation, backup, and cloning capabilities.

    Tracked as CVE-2022-3180 (CVSS score of 9.8), the recently identified vulnerability allows an unauthenticated attacker to add an administrator account to websites running WPGateway.

    “An attacker with administrator privileges has effectively achieved a complete site takeover,” Wordfence points out.

    The WordPress security firm says that a copy of the WPGateway plugin obtained on September 9 is still vulnerable. Wordfence has reported the security bug to the WPGateway developer, but no patch has been released yet.

    “As this is an actively exploited zero-day vulnerability, and attackers are already aware of the mechanism required to exploit it, we are releasing this public service announcement (PSA) to all of our users,” Wordfence notes.

    The security firm has not provided technical details on the vulnerability, to prevent further exploitation, but did share some indicators of compromise (IoCs), to help site administrators check whether their installations have been targeted.

    PSA: Zero-Day Vulnerability in WPGateway Actively Exploited in the Wild
    https://www.wordfence.com/blog/2022/09/psa-zero-day-vulnerability-in-wpgateway-actively-exploited-in-the-wild/

    Reply
  6. Tomi Engdahl says:

    US Indicts Iranians Who Hacked Power Company, Women’s Shelter
    https://www.securityweek.com/us-indicts-iranians-who-hacked-power-company-womens-shelter

    The US Department of Justice announced an indictment Wednesday against three Iranian hackers who used ransomware to extort a battered women’s shelter and a power company.

    Authorities said the trio launched ransomware attacks at “hundreds” of victims, including inside Britain, Australia, Iran, Russia and the United States, saying they extorted money “largely” for their own accounts, and not for the Iranian government.

    But a separate US Treasury announcement of sanctions said the three were part of a larger hacking group tied to Iran’s powerful Islamic Revolutionary Guard Corps (IRGC), and the US State Department has offered a $10 million reward for information on them.

    Reply
  7. Tomi Engdahl says:

    Taylor Hatmaker / TechCrunch:
    In a Senate committee hearing, Meta, YouTube, TikTok, and Twitter execs defended their platforms and dodged questions about security, privacy, and moderation

    Meta, TikTok, YouTube and Twitter dodge questions on social media and national security
    Taylor Hatmaker
    https://techcrunch.com/2022/09/14/meta-tiktok-youtube-and-twitter-senate-hearing/

    Executives from four of the biggest social media companies testified before the Senate Homeland Security Committee Wednesday, defending their platforms and their respective safety, privacy and moderation failures in recent years.

    Congress managed to drag in a relatively fresh set of product-focused executives this time around, including TikTok COO Vanessa Pappas, who testified for the first time before lawmakers, and longtime Meta executive Chris Cox. The hearing was convened to explore social media’s impact on national security broadly and touched on topics ranging from domestic extremism and misinformation to CSAM and China.

    Reply
  8. Tomi Engdahl says:

    Kevin Collier / NBC News:
    Seesaw, a messaging app for parents and teachers with 10M users, says it suffered a credential stuffing attack, after users said they received an explicit image — A messaging app for parents and teachers said Wednesday that it was hacked after some parents said they had received messages …

    Popular school messaging app hacked to send explicit image to parents
    https://www.nbcnews.com/tech/security/popular-school-messaging-app-hacked-send-explicit-image-parents-rcna47687

    School districts in Illinois, New York, Oklahoma and Texas all said the photo was sent through the app Seesaw to parents and teachers in private chats.

    A messaging app for parents and teachers said Wednesday that it was hacked after some parents said they had received messages with an explicit photo that is infamous on the internet.

    School districts in Illinois, New York, Oklahoma and Texas all said Wednesday that the photo was sent through the app, Seesaw, to parents and teachers in private chats.

    Seesaw, which, according to its website, is used by 10 million teachers, students and family members, declined to say how many users were affected.

    In an emailed statement, its vice president of marketing, Sunniya Saleem, said that “specific user accounts were compromised by an outside actor” and that “we are taking this extremely seriously.”

    Reply
  9. Tomi Engdahl says:

    CNN:
    After an employee claimed a package exploded at Northeastern University’s VR lab, sources say it included a “rambling” note criticizing Mark Zuckerberg and VR

    Northeastern University reopens after an employee says a package exploded. Officials are investigating the incident as a possible hoax, sources say
    https://edition.cnn.com/2022/09/14/us/northeastern-university-boston-package-detonation-wednesday/

    Reply
  10. Tomi Engdahl says:

    This is what is now known about the S-Bank situation: 150 data breaches, 53 frauds, a million-euro haul, a group of friends behind it https://www.is.fi/digitoday/art-2000009070994.html

    UNAUTHORIZED transfers were made from S-Bank customers' accounts by exploiting a vulnerability in the bank's information system, police say. Detective Chief Inspector Klaus Geiger, who heads the investigation, told STT that the suspected proceeds of crime are in the region of one million euros.

    S-Bank announced on Tuesday a vulnerability that appeared in authentication with online banking credentials during the spring and summer. According to the bank, the fault was also exploited ”to a very small extent” for abuse, when logging in succeeded with another person's credentials.

    Police suspect the series of frauds began in May and continued over the summer. According to the police's current information there are 53 payment instrument frauds, and in addition police are investigating about 150 data breaches in which the fraud remained at the attempt stage.

    In the Criminal Code, a data breach does not only mean bypassing an information system without authorization, but also intruding into a system by using a user account without authorization.

    Police say S-Bank has been, or will be in the coming days, in contact with all victims of the crime series. Police will also contact them as part of the preliminary investigation.

    Reply
  11. Tomi Engdahl says:

    Over 400,000 euros taken from one S-Bank customer – this is how the suspected duo got at the money
    According to police, there was a security hole in S-Bank's system that ordinary citizens were able to exploit.
    https://www.iltalehti.fi/digiuutiset/a/6925a835-dbcb-4d13-9680-83ca4167a124

    Two young people are suspected in an extensive fraud case in which nearly a million euros were taken from Finns' accounts.

    The case concerns a suspected data breach of S-Bank accounts. Police suspect that two young men exploited a vulnerability in the bank's system and took a large amount of money from customers' accounts.

    The men, aged 16 and 23, have been remanded in custody on suspicion of, among other things, aggravated payment instrument fraud. They are the main suspects in the case, whom police believe orchestrated the whole operation. The two knew each other.

    – By a cautious estimate, a total of 7–8 people have been more or less involved in the matter, says Detective Chief Inspector Klaus Geiger of the Western Uusimaa police.

    Reply
  12. Tomi Engdahl says:

    Expert astonished by S-Bank's security problem
    According to S-Bank, the problem affected such a small group that it was not noticed in its own systems.
    https://www.iltalehti.fi/digiuutiset/a/28886125-7e57-4faa-9241-a79b103e125d

    Information security expert Petteri Järvinen describes S-Bank's security problem as ”astonishing”. What is particularly strange is how the problem was not detected sooner.

    S-Bank announced on Tuesday that there was a system fault in its authentication that lasted from April to August.

    For nearly four months, some customers were able to log in to another customer's online bank. The fault was used, among other things, to transfer money from accounts, and the online banking credentials were used to authenticate to various online services.

    – Plain common sense says the problem should have been detected at least from the fact that people were contacting the bank more often than before and asking why money had disappeared from their account, Järvinen says.

    He notes that the company should have noticed the growing number of contacts by monitoring customer feedback.

    In Finland, online banking credentials are an essential piece of the electronic system. They are used to log in not only to banking services but also to other systems, and give access to, for example, health records. Online banking credentials are also used for electronic signatures, and by relying on their strong authentication one can sign loans and other contracts in one's own name.

    – On the level of principle this is a truly astonishing problem. Electronic identification, the backbone of the Finnish information security society, is broken, and nobody notices, Järvinen marvels.

    ”A small group”

    According to Carl-Edvard Holmberg, S-Bank's director responsible for digital development, detecting the fault took several months because it affected such a limited group.

    – Every one of these cases is of course too many. We are talking about a few hundred customers, and only a portion of those had their online bank logged into by someone else. And then how many had potentially fraudulent payment transactions made from their account, that is an even smaller group, he says.

    According to Holmberg, the fault thus affected such a small group of the bank's more than 3 million customers that it did not stand out noticeably in the bank's data.

    – Now that we know what has happened, we can ourselves examine earlier customer transactions and determine which of them involve financial abuse, Holmberg says.

    Compensation under way

    Petteri Järvinen raises the unequal power relationship between a bank customer and a large banking institution. Banks have access to log data on account transactions and have experts and lawyers at their disposal.

    – The bank's informational superiority is so great that the customer often loses any disputes, Järvinen says.

    S-Bank assures that in cases of loss related to the fault now being handled, the customer does not need to separately prove the financial loss incurred, or even file a complaint about the transactions.

    – We have been in contact with everyone the matter concerns.

    Reply
  13. Tomi Engdahl says:

    Phone broken into with a simple trick – bank account emptied in an instant
    The attacker emptied the victim's bank accounts through a work phone.
    https://www.iltalehti.fi/digiuutiset/a/ac24ccb3-474f-4bee-999b-714b8c004f81

    The Finnish Financial Ombudsman Bureau FINE reports a payment instrument fraud that was carried out using the work phone of a company's chairman of the board. The attacker managed to take 37,000 euros from the victim's bank accounts with a SIM swapping attack, in which the victim's subscription is hijacked onto another SIM card by deactivating the old SIM card.

    The ruling states that the criminals had identified themselves to the operator with the customer's personal identity number and ordered a new SIM card for the phone owned by the company, with the switch date set to 9 June 2021. On that day the phone stopped working, whereupon the criminals emptied the victim's accounts without his knowledge, because the confirmation messages from the banks about the transfers did not arrive on the phone.

    Reply
  14. Tomi Engdahl says:

    I’m sure it’s just a coincidence they’re wrongfully being treated like criminals while selling hacking tools.

    A tech startup with a wildly successful GoFundMe is now at the mercy of PayPal, which is holding over $1.3 million in sales hostage
    PayPal is making Flipper jump through hoops.
    https://www.dailydot.com/debug/flipper-zero-paypal/

    Nearly 38,000 people backed the Flipper Zero pen testing tool when it launched on Kickstarter in 2020. The open-source, multi-tool device can be used to reverse engineer access to radio protocols, hardware, and systems such as TVs and garage doors.

    Reply
  15. Tomi Engdahl says:

    Zoom is down in a major outage
    https://techcrunch.com/2022/09/15/zoom-is-experiencing-a-major-outage/?tpcc=tcplusfacebook

    If you had a meeting you really didn’t want to attend this morning, it’s your lucky day. Zoom’s status website shows there is a major outage, affecting users’ ability to join meetings. According to the crowd-sourced DownDetector, tens of thousands of Zoom users are reporting outages this morning, beginning around 10:30 AM ET.

    “We are aware of issues currently impacting Zoom. Our engineering team is investigating this matter,”

    Reply
  16. Tomi Engdahl says:

    Authority investigating S-Bank's security failure: It would be good if the use of online banking credentials could be restricted in the same way as payment cards
    https://yle.fi/uutiset/3-12624627
    The security failure at S-Bank, one of Finland's largest banks by customer numbers, has shaken many people's trust in electronic services. The fault allowed misuse of electronic identification from April 2022 to the beginning of August 2022. In Finland, regulatory oversight of electronic identification belongs to the Finnish Transport and Communications Agency Traficom.

    Reply
  17. Tomi Engdahl says:

    Gamaredon APT targets Ukrainian government agencies in new campaign https://blog.talosintelligence.com/2022/09/gamaredon-apt-targets-ukrainian-agencies.html
    Cisco Talos discovered Gamaredon APT activity targeting users in Ukraine with malicious LNK files distributed in RAR archives. The campaign, part of an ongoing espionage operation observed as recently as August 2022, aims to deliver information-stealing malware to Ukrainian victim machines and makes heavy use of multiple modular PowerShell and VBScript (VBS) scripts as part of the infection chain.
    The infostealer is a dual-purpose malware that includes capabilities for exfiltrating specific file types and deploying additional binary and script-based payloads on an infected endpoint.

    Reply
  18. Tomi Engdahl says:

    Webworm: Espionage Attackers Testing and Using Older Modified RATs https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/webworm-espionage-rats
    Symantec, by Broadcom Software, has gained insight into the current activities of a group we call Webworm. The group has developed customized versions of three older remote access Trojans (RATs), including Trochilus, Gh0st RAT, and 9002 RAT. At least one of the indicators of compromise (IOCs) observed by Symantec was used in an attack against an IT service provider operating in multiple Asian countries, while others appear to be in pre-deployment or testing stages.

    Reply
  19. Tomi Engdahl says:

    Iranians hacked US companies, sent ransom demands to printers, indictment says https://arstechnica.com/tech-policy/2022/09/iranians-hacked-us-companies-sent-ransom-demands-to-printers-indictment-says/
    Three Iranian nationals charged with hacking into US-based computer networks sent ransom demands to the printers of at least some of their victims, according to an indictment unsealed today. The ransom demands allegedly sought payments in exchange for BitLocker decryption keys that the victims could use to regain access to their data. The three defendants remain at large and outside the US, the DOJ said.

    Reply
  20. Tomi Engdahl says:

    Self-spreading stealer attacks gamers via YouTube https://securelist.com/self-spreading-stealer-attacks-gamers-via-youtube/107407/
    An unusual malicious bundle (a collection of malicious programs distributed in the form of a single installation file, self-extracting archive or other file with installer-type functionality) recently caught our eye. Its main payload is the widespread RedLine stealer.
    Discovered in March 2020, RedLine is currently one of the most common Trojans used to steal passwords and credentials from browsers, FTP clients and desktop messengers. It is openly available on underground hacker forums for just a few hundred dollars, a relatively small price tag for malware.

    Reply
  21. Tomi Engdahl says:

    Record-Breaking DDoS Attack in Europe
    https://www.akamai.com/blog/security/record-breaking-ddos-attack-in-europe
    Or, more accurately, the cybercriminals responsible for July's record-setting European DDoS attack may have never left. In the weeks following our coverage of the previous incident, the victim (a customer based in Eastern Europe) has been bombarded relentlessly with sophisticated distributed denial-of-service (DDoS) attacks, ultimately paving the way for a new European packets per second (pps) DDoS record. On Monday, September 12, 2022, Akamai successfully detected and mitigated the now-largest DDoS attack ever launched against a European customer on the Prolexic platform, with attack traffic abruptly spiking to 704.8 Mpps in an aggressive attempt to cripple the organization's business operations.

    Reply
  22. Tomi Engdahl says:

    Hive ransomware claims cyberattack on Bell Canada subsidiary https://www.bleepingcomputer.com/news/security/hive-ransomware-claims-cyberattack-on-bell-canada-subsidiary/
    The Hive ransomware gang claimed responsibility for an attack that hit the systems of Bell Canada subsidiary Bell Technical Solutions (BTS).
    BTS is an independent subsidiary with more than 4,500 employees, specializing in installing Bell services for residential and small business customers across the Ontario and Québec provinces. While the Canadian telecommunications company didn’t reveal when its network was breached or the attack happened, Hive claims in a new entry added to its data leak blog that it encrypted BTS’ systems almost a month ago, on August 20, 2022.

    Reply
  23. Tomi Engdahl says:

    FBI warns of criminals attacking healthcare payment processors https://www.tripwire.com/state-of-security/healthcare/fbi-warns-hackers-attacking-healthcare-payment-processors/
    Millions of dollars have been stolen from healthcare companies after fraudsters gained access to customer accounts and redirected payments.
    In a newly-published advisory directed at the healthcare payment industry, the FBI warns that cybercriminals are using a cocktail of publicly-available Personally Identifiable Information (PII) and social engineering techniques to impersonate victims and obtain access to files, healthcare portals, payment information, and websites.

    Reply
  24. Tomi Engdahl says:

    EU proposes security standards for IoT products https://therecord.media/eu-proposes-security-standards-for-iot-products/
    European Union lawmakers introduced new security standards Thursday for internet-connected products from smartphones to fridges as the bloc attempts to address the growing threat posed by cyberattacks. The proposed Cyber Resilience Act (CRA) introduces several key measures including basic security requirements for products to be considered safe for the market and obligations on their manufacturers about handling vulnerabilities after any are discovered.

    Reply
  25. Tomi Engdahl says:

    Malicious Word Document with a Frameset
    https://isc.sans.edu/diary/Malicious+Word+Document+with+a+Frameset/29052
    This is definitively new, but I did not see this type of document for a while. I spotted a malicious Word OOXML document (the new “.docx” format) that is a simple downloader. Usually, malicious documents contain an embedded file, a VBA macro, or the recent vulnerability MS-MSDT. This time, the document does not contain any malicious code but just refers to a second stage that will be delivered when the document is opened.

    Reply
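    The diary above describes a .docx with no macro that merely points Word at a remote second stage through a frameset. The script below is an added triage example written for this page, not code from the ISC diary or from any product. Because OOXML stores every link a part makes in a sibling `_rels/*.rels` file, and a link that Word will fetch over the network is marked `TargetMode="External"`, the check generalizes beyond the frameset case to any external relationship (remote templates, OLE links). The sample document it scans is constructed in memory and the URL in it is a placeholder, so it runs offline.

```python
"""Triage for Word OOXML (.docx) files that carry no macro but point Word at
a remote resource, such as the frameset downloader described above.

Added example (not from the ISC diary): the document built by build_sample()
is CONSTRUCTED in memory and its URL is a placeholder, not a real indicator."""
import io
import re
import zipfile
from typing import List, Optional, Tuple

# OOXML keeps each part's links in a sibling "_rels/<part>.rels" file.
# TargetMode="External" tells Word to fetch the target over the network when
# the part is used (frameset source, attached template, OLE link, ...).
_EXTERNAL_REL = re.compile(
    r'<Relationship\b[^>]*\bTargetMode="External"[^>]*/?>', re.I)
_ATTR = re.compile(r'\b(Type|Target)="([^"]*)"')


def external_relationships(docx_bytes: bytes) -> List[Tuple[str, str, str]]:
    """Return (rels_part, relationship_kind, target) for every external
    relationship in the package. An empty list means nothing to report."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            xml = zf.read(name).decode("utf-8", errors="replace")
            for rel in _EXTERNAL_REL.finditer(xml):
                attrs = dict(_ATTR.findall(rel.group(0)))
                # Keep only the last path segment of the Type URI, e.g. "frame".
                kind = attrs.get("Type", "").rsplit("/", 1)[-1]
                hits.append((name, kind, attrs.get("Target", "")))
    return hits


def has_frameset(docx_bytes: bytes) -> bool:
    """True when word/webSettings.xml declares a frameset; a document that
    Word saves normally does not carry one."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if "word/webSettings.xml" not in zf.namelist():
            return False
        return b"<w:frameset" in zf.read("word/webSettings.xml")


def verdict(docx_bytes: bytes) -> str:
    """Combine the two checks into a string for an analyst or gateway rule."""
    rels = external_relationships(docx_bytes)
    if has_frameset(docx_bytes) and any(kind == "frame" for _, kind, _ in rels):
        return "suspicious: frameset loads external content"
    if rels:
        return "review: external relationships present"
    return "clean: no external relationships"


# --- constructed sample package (minimal, enough for the checks above) ---
_CONTENT_TYPES = ('<?xml version="1.0" encoding="UTF-8"?><Types xmlns="http://'
                  'schemas.openxmlformats.org/package/2006/content-types">'
                  '<Default Extension="rels" ContentType="application/vnd.'
                  'openxmlformats-package.relationships+xml"/>'
                  '<Default Extension="xml" ContentType="application/xml"/></Types>')
_ROOT_RELS = ('<?xml version="1.0"?><Relationships xmlns="http://schemas.'
              'openxmlformats.org/package/2006/relationships"><Relationship '
              'Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/'
              '2006/relationships/officeDocument" Target="word/document.xml"/>'
              '</Relationships>')
_DOCUMENT = ('<?xml version="1.0"?><w:document xmlns:w="http://schemas.'
             'openxmlformats.org/wordprocessingml/2006/main"><w:body><w:p><w:r>'
             '<w:t>lure text</w:t></w:r></w:p></w:body></w:document>')
_WEBSETTINGS_FRAMESET = (
    '<?xml version="1.0"?><w:webSettings xmlns:w="http://schemas.openxmlformats.'
    'org/wordprocessingml/2006/main" xmlns:r="http://schemas.openxmlformats.org/'
    'officeDocument/2006/relationships"><w:frameset><w:frame><w:name w:val="main"/>'
    '<w:sourceFileName r:id="rId1"/></w:frame></w:frameset></w:webSettings>')
_WEBSETTINGS_RELS = (
    '<?xml version="1.0"?><Relationships xmlns="http://schemas.openxmlformats.org/'
    'package/2006/relationships"><Relationship Id="rId1" Type="http://schemas.'
    'openxmlformats.org/officeDocument/2006/relationships/frame" '
    'Target="{target}" TargetMode="External"/></Relationships>')


def build_sample(frame_target: Optional[str]) -> bytes:
    """Build a CONSTRUCTED .docx in memory. With frame_target set, the package
    carries a frameset whose source is an external relationship, mirroring the
    downloader shape; with None it is a plain document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", _CONTENT_TYPES)
        zf.writestr("_rels/.rels", _ROOT_RELS)
        zf.writestr("word/document.xml", _DOCUMENT)
        if frame_target is not None:
            zf.writestr("word/webSettings.xml", _WEBSETTINGS_FRAMESET)
            zf.writestr("word/_rels/webSettings.xml.rels",
                        _WEBSETTINGS_RELS.format(target=frame_target))
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder URL: constructed for the example, not an indicator from the diary.
    for label, doc in (("plain", build_sample(None)),
                       ("frameset", build_sample("http://example.invalid/stage2.html"))):
        print(label, "->", verdict(doc), external_relationships(doc))
```

    Run it against a real file with `verdict(open(path, "rb").read())`; a hit in `word/_rels/webSettings.xml.rels` of kind `frame` is the exact shape the diary describes, while any other external relationship is worth a second look before the document is released to a user.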
  26. Tomi Engdahl says:

    White House: U.S. agencies have 90 days to create inventory of all software https://therecord.media/white-house-u-s-agencies-have-90-days-to-create-inventory-of-all-software/
    The White House released new guidance this week ordering federal agencies to create a full inventory of the software they use within 90 days. In a letter to all heads of executive departments and agencies, White House Office of Management and Budget (OMB) director Shalanda Young said a wide-ranging cybersecurity executive order handed down last May by President Joe Biden directed the NIST to publish guidance on how the agencies can better protect government systems through more secure software.

    Reply
  27. Tomi Engdahl says:

    WordPress-powered sites backdoored after FishPig suffers supply chain attack https://www.theregister.com/2022/09/15/magento_wordpress_fishpig/
    It’s only been a week or so, and obviously there are at least three critical holes in WordPress plugins and tools that are being exploited in the wild right now to compromise loads of websites. We’ll start with FishPig, a UK-based maker of software that integrates Adobe’s Magento ecommerce suite into WordPress-powered websites. FishPig’s distribution systems were compromised and its products altered so that installations of the code semi-automatically downloaded and ran the Rekoobe Linux trojan.

    Reply
  28. Tomi Engdahl says:

    Iranian Islamic Revolutionary Guard Corps-Affiliated Cyber Actors Exploiting Vulnerabilities for Data Extortion and Disk Encryption for Ransom Operations https://www.cisa.gov/uscert/ncas/alerts/aa22-257a
    This joint Cybersecurity Advisory (CSA) is to highlight continued malicious cyber activity by advanced persistent threat (APT) actors that the authoring agencies assess are affiliated with the Iranian Government's Islamic Revolutionary Guard Corps (IRGC). The IRGC is an Iranian Government agency tasked with defending the Iranian Regime from perceived internal and external threats. Hereafter, this advisory refers to all the coauthors of this advisory as “the authoring agencies.”

    Reply
  29. Tomi Engdahl says:

    Uber suffers computer system breach, alerts authorities
    The company said in a tweet it was “responding to a cybersecurity incident”
    https://www.washingtonpost.com/technology/2022/09/15/uber-hack/

    Uber’s computer systems were breached and the company has alerted authorities, the ride-hailing giant said Thursday.

    The ride-hailing company said in a tweet that it was “responding to a cybersecurity incident.”

    The hacker surfaced in a message posted in Slack, according to two people familiar with the matter, who spoke on the condition of anonymity because of the sensitive nature of the incident.

    “I announce i am a hacker and uber has suffered a data breach,” the message said.

    Because of the hack, the people said, some systems including Slack and internal tools were temporarily disabled.

    Internal screenshots obtained by The Washington Post showed the hacker claiming to have wide-ranging access inside Uber’s corporate networks and appeared to indicate the hacker was motivated by the company’s treatment of its drivers. The person claimed to have taken data from common software used by Uber employees to write new programs.

    Uber pointed to its tweeted statement when asked for comment on the matter. The company did not immediately respond to questions about the extent to which internal information may have been compromised.

    The New York Times first reported the incident.

    Uber previously suffered a breach in 2016 that exposed personal information of 57 million people around the world, including names, email addresses and phone numbers. It also included driver’s license info from roughly 600,000 U.S. drivers. Two individuals accessed the information via “a third-party cloud-based service” used by Uber at the time.

    Uber, which is based in San Francisco, employs thousands of people globally who may have been affected by the hacker’s obstruction of systems. The company has also come under fire for its treatment of drivers, who it has fought to keep as contractors.

    In that chat, which was viewed by The Post, the alleged hacker claimed access to Uber’s Amazon Web Services account.

    In a subsequent interview on a messaging app, the alleged hacker told The Post that they had breached the company for fun and might leak source code “in a few months.”

    The person described Uber security as “awful.”

    Uber employees were caught off guard by the sudden disruption to their workday, and some initially reacted to the alarming messages as if they were a joke, according to the screenshots.

    Reply
  30. Tomi Engdahl says:

    Uber breached – hacker stole data and posted porn https://www.is.fi/digitoday/tietoturva/art-2000009073947.html

    Reply
  31. Tomi Engdahl says:

    16- and 23-year-olds from Espoo suspected of the S-Bank-related frauds – money spent on the sweet life https://www.is.fi/digitoday/tietoturva/art-2000009073760.html

    Reply
  32. Tomi Engdahl says:

    Fraudster stole €37,000 by ordering a SIM card in the name of a man from Ostrobothnia – DNA: ”Not the operator's fault” https://www.is.fi/digitoday/tietoturva/art-2000009070262.html

    Reply
  33. Tomi Engdahl says:

    https://www.securityweek.com/rust-gets-dedicated-security-team

    The non-profit Rust Foundation has scored funding to build a dedicated security team to proactively identify and address security defects in the popular Rust programming language.

    Reply
  34. Tomi Engdahl says:

    https://etn.fi/index.php/13-news/14012-suomen-yritysmarkkinoille-uusi-kyberturvaosaaja

    A new cyber security company has landed in Finland. Truesec has begun operations under the leadership of cyber security expert Sami Laiho to respond to the increased number of cyberattacks. Truesec launched its Finnish operations in August with Laiho (pictured right) and CEO Matti Vainio. Behind the company is private equity investor IK Partners.

    - Now that Truesec and its team of 250 top experts become part of the services offered in Finland, we raise our ability to protect organizations and respond to cyberattacks to a whole new level, says research director Sami Laiho.

    Reply
  35. Tomi Engdahl says:

    New York Times:
    Uber is investigating a breach of its systems and has taken some of its internal communications and engineering systems offline; Uber stock is down 5%+ — The company said on Thursday that it was looking into the scope of the apparent hack. — Uber’s computer network was breached on Thursday …

    https://www.nytimes.com/2022/09/15/technology/uber-hacking-breach.html

    Reply
  36. Tomi Engdahl says:

    Washington Post:
    The Uber hacker, who reportedly claims to be 18 years old, says they had breached the company for fun and might leak its source code “in a few months” — The company said in a tweet it was “responding to a cybersecurity incident” — SAN FRANCISCO — Uber’s computer systems …
    https://www.washingtonpost.com/technology/2022/09/15/uber-hack/

    Lawrence Abrams / BleepingComputer:
    Security engineer says Uber hacker had access to its HackerOne bug bounty program; source: the hacker downloaded all vulnerability reports before losing access — Uber suffered a cyberattack Thursday afternoon with a hacker gaining access to vulnerability reports and sharing screenshots …

    Uber hacked, internal systems breached and vulnerability reports stolen
    https://www.bleepingcomputer.com/news/security/uber-hacked-internal-systems-breached-and-vulnerability-reports-stolen/

    Uber suffered a cyberattack Thursday afternoon with a hacker gaining access to vulnerability reports and sharing screenshots of the company’s internal systems, email dashboard, and Slack server.

    The screenshots shared by the hacker and seen by BleepingComputer show what appears to be full access to many critical Uber IT systems, including the company’s security software and Windows domain.

    Other systems the hacker accessed include the company’s Amazon Web Services console, VMware ESXi virtual machines, Google Workspace email admin dashboard, and Slack server, to which the hacker posted messages.

    Uber has since confirmed the attack, tweeting that they are in touch with law enforcement and will post additional information as it becomes available.

    “We are currently responding to a cybersecurity incident. We are in touch with law enforcement and will post additional updates here as they become available,” tweeted the Uber Communications account.

    HackerOne vulnerability reports exposed

    While it’s possible that the threat actor stole data and source code from Uber during this attack, they also had access to what could be an even more valuable asset.

    According to Yuga Labs security engineer Sam Curry, the hacker also had access to the company’s HackerOne bug bounty program, where they commented on all of the company’s bug bounty tickets.

    Curry told BleepingComputer that he first learned of the breach after the attacker left the above comment on a vulnerability report he submitted to Uber two years ago.

    Uber runs a HackerOne bug bounty program that allows security researchers to privately disclose vulnerabilities in their systems and apps in exchange for a monetary bug bounty reward. These vulnerability reports are meant to be kept confidential until a fix can be released to prevent attackers from exploiting them in attacks.

    Curry further shared that an Uber employee said the threat actor had access to all of the company’s private vulnerability submissions on HackerOne.

    BleepingComputer was also told by a source that the attacker downloaded all vulnerability reports before they lost access to Uber’s bug bounty program. This likely includes vulnerability reports that have not been fixed, presenting a severe security risk to Uber.

    HackerOne has since disabled the Uber bug bounty program, cutting off access to the disclosed vulnerabilities.

    However, it would not be surprising if the threat actor had already downloaded the vulnerability reports and would likely sell them to other threat actors to cash out on the attack quickly.

    Reply
  37. Tomi Engdahl says:

    Trojanized versions of PuTTY utility being used to spread backdoor
    Threat actor has connections to hackers backed by North Korean government.
    https://arstechnica.com/information-technology/2022/09/trojanized-versions-of-putty-utility-being-used-to-spread-backdoor/

    Reply
  38. Tomi Engdahl says:

    Couple hacked hotel giant's database “for fun” – The database password turned out to be Qwerty1234
    https://www.hs.fi/ulkomaat/art-2000009076600.html

    The hotel giant's database password was Qwerty1234. The letter combination qwerty repeatedly comes close to the top spots when the most common passwords are listed, both in Finland and worldwide. Nor is the number combination 1234 especially unique in passwords.

    BRITISH Intercontinental Hotels Group (IHG) was targeted by a cyber attack last week. On Monday last week, IHG's customers complained about widespread booking and login problems, but IHG claimed that it was a matter of “system maintenance”.

    British-owned IHG owns a total of 6,000 hotels worldwide. Among others, it owns the Holiday Inn hotel brand.

    The true state of affairs was revealed on Tuesday afternoon, when IHG told its investors that it had been the target of a cyber attack. On Saturday, in turn, the British BBC reported that the hackers themselves had contacted it and explained what had happened.

    A VIETNAMESE couple said they had hacked IHG's website “for fun”.

    The couple say they first tried to use ransomware, but when that did not succeed, they ended up deleting a large number of files from the company's database.

    That succeeded relatively easily, because the company's password to the database was embarrassingly simple: Qwerty1234.

    The hackers, who call themselves Tea Pea, had approached the BBC on the anonymous messaging service Telegram and sent screenshots as proof of the hack. The pictures, which IHG has confirmed, show that the couple gained access to the company's Outlook email, Teams chat and service directories.

    “Our attack was originally planned as ransomware, but IHG isolated servers before we had a chance to deploy it. So we thought we'd have a little fun. Instead we carried out a ‘wiper attack’ (a form of cyber attack that irreversibly destroys material, files and documents),” one of the hackers told the BBC.

    IHG hack: ‘Vindictive’ couple deleted hotel chain data for fun
    https://www.bbc.com/news/technology-62937678

    Hackers have told the BBC they carried out a destructive cyber-attack against Holiday Inn owner Intercontinental Hotels Group (IHG) “for fun”.

    Describing themselves as a couple from Vietnam, they say they first tried a ransomware attack, then deleted large amounts of data when they were foiled.

    They accessed the FTSE 100 firm’s databases thanks to an easily found and weak password, Qwerty1234.

    UK-based IHG operates 6,000 hotels around the world, including the Holiday Inn, Crowne Plaza and Regent brands.

    On Monday last week, customers reported widespread problems with booking and check-in.

    For 24 hours IHG responded to complaints on social media by saying that the company was “undergoing system maintenance”.

    Reply
  39. Tomi Engdahl says:

    Over 280,000 WordPress Sites Attacked Using WPGateway Plugin Zero-Day Vulnerability
    https://thehackernews.com/2022/09/over-280000-wordpress-sites-attacked.html

    A zero-day flaw in the latest version of a WordPress premium plugin known as WPGateway is being actively exploited in the wild, potentially allowing malicious actors to completely take over affected sites.

    Tracked as CVE-2022-3180 (CVSS score: 9.8), the issue is being weaponized to add a malicious administrator user to sites running the WPGateway plugin, WordPress security company Wordfence noted.

    Reply
  40. Tomi Engdahl says:

    Shape-shifting cryptominer savages Linux endpoints and IoT
    Also, Authorities seize WT1SHOP selling 5.8m sets of PII, The North Face users face tough security hike
    Brandon Vigliarolo
    Sat 10 Sep 2022 // 11:00 UTC
    https://www.theregister.com/2022/09/10/in_brief_security/

    Reply
  41. Tomi Engdahl says:

    Marvell Unveils LiquidSecurity 2 HSM: Up to 1,000,000 AES Ops/s
    By Anton Shilov published 4 days ago
    Marvell launches next-generation LiquidSecurity 2 hardware security module.
    https://www.tomshardware.com/news/marvell-unveils-liquidsecurity-2-hsm-up-to-1000000-aes-opss

    Reply
  42. Tomi Engdahl says:

    A hacker bought a voting machine on eBay. Michigan officials are now investigating
    https://www.npr.org/2022/09/08/1121682138/a-hacker-bought-a-voting-machine-on-ebay-michigan-officials-are-now-investigatin

    Harri Hursti has bought about 200 used voting machines without incident, but the one he purchased on eBay last month is now the subject of a state investigation, with Michigan officials determined to find out how the device ended up for sale online.

    “We are actively working with law enforcement to investigate allegations of an illegal attempt to sell a voter assist terminal acquired in Michigan,” Secretary of State Jocelyn Benson, who is up for reelection in November, announced in a statement last week.

    And, in an additional tweet, Benson noted that the voting machine was originally from Wexford County and clarified that it was not used to tabulate ballots. (The Dominion-made apparatuses are built to function as voting machines or ballot printing devices. In Michigan, they were used to print voter ballots.)

    Reply
