This posting is here to collect cyber security news in October 2022.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
Tomi Engdahl says:
Optus takes out full-page newspaper advertisements to apologise over data breach
https://www.abc.net.au/news/2022-10-01/optus-data-breach-full-page-ads-newspapers-deeply-sorry/101493700
Optus has apologised to people affected by last week’s cyber attack, admitting that it needs to communicate better with people caught up in the data breach.
The telecommunications company took out full-page advertisements in major newspapers around the country to say how “deeply sorry” it was.
“We’ve heard your message that we need to communicate more clearly,” the ad says.
“That’s why we’ve now put together easily accessible materials for you to stay informed on the actions you can take.”
Tomi Engdahl says:
Critical WhatsApp vulnerabilities patched: Check you’ve updated!
https://www.malwarebytes.com/blog/news/2022/09/critical-whatsapp-vulnerabilities-patched-check-youve-updated/amp
WhatsApp has fixed two remote code execution vulnerabilities in its September update, according to its security advisory. These could have allowed an attacker to remotely access a device and execute commands from afar.
These versions of WhatsApp are affected by at least one of the vulnerabilities:
WhatsApp for Android prior to v2.22.16.12
WhatsApp Business for Android prior to v2.22.16.12
WhatsApp for iOS prior to v2.22.16.12
WhatsApp Business for iOS prior to v2.22.16.12
WhatsApp for Android prior to v2.22.16.2 and WhatsApp for iOS v2.22.15.9 are affected by both.
Tomi Engdahl says:
Shangri-La Hotels Customer Database Hacked
https://www.securityweek.com/shangri-la-hotels-customer-database-hacked
The Shangri-La hotel group has said a database containing the personal information of customers at eight of its Asian properties between May and July has been hacked.
The breach covered hotels in Hong Kong, Singapore, Chiang Mai, Taipei and Tokyo but the company said it had not yet been able to determine what data had been stolen.
It said in a statement on its website dated September 30 that it had “recently discovered unauthorised activities” on its IT network.
A “sophisticated threat actor managed to bypass Shangri-La’s IT security monitoring systems undetected, and illegally accessed the guest databases”, the firm said.
Tomi Engdahl says:
Hack Puts Latin American Security Agencies on Edge
https://www.securityweek.com/hack-puts-latin-american-security-agencies-edge
A massive trove of emails from Mexico’s Defense Department is among electronic communications taken by a group of hackers from military and police agencies across several Latin American countries, Mexico’s president confirmed Friday.
The acknowledgement by President Andrés Manuel López Obrador comes after Chile’s government said last week that emails had been taken from its Joint Chiefs of Staff.
The Mexican president spoke at his daily news conference following a local media report that the hack revealed previously unknown details about a health scare he had in January.
López Obrador downplayed the hack, saying that “there’s nothing that isn’t known.” He said the intrusion apparently occurred during a change of Defense Department systems.
Tomi Engdahl says:
Canon Medical Product Vulnerabilities Expose Patient Information
https://www.securityweek.com/canon-medical-product-vulnerabilities-expose-patient-information
Trustwave is warning healthcare organizations of two cross-site scripting (XSS) vulnerabilities in Canon Medical’s popular medical imaging sharing tool Vitrea View.
Touted as an enterprise viewing solution, Vitrea View is used by healthcare providers, physicians, and radiologists to securely share medical images that can then be accessed directly from the browser, on both desktop and mobile devices.
The two security holes, which are tracked collectively as CVE-2022-37461, are described as reflected XSS bugs in an error message and in the administrative panel.
According to Trustwave, the flaws could be exploited to retrieve patient information, including stored images and scans, as well as to modify the information. The bugs could also lead to the compromise of sensitive information and credentials for services that are integrated with Vitrea View.
Tomi Engdahl says:
Microsoft: Two New 0-Day Flaws in Exchange Server https://krebsonsecurity.com/2022/09/microsoft-two-new-0-day-flaws-in-exchange-server/
Microsoft Corp. is investigating reports that attackers are exploiting two previously unknown vulnerabilities in Exchange Server, a technology many organizations rely on to send and receive email.
Microsoft says it is expediting work on software patches to plug the security holes. In the meantime, it is urging a subset of Exchange customers to enable a setting that could help mitigate ongoing attacks. In customer guidance released Thursday, Microsoft said it is investigating two reported zero-day flaws affecting Microsoft Exchange Server 2013, 2016, and 2019. CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability that can enable an authenticated attacker to remotely trigger the second zero-day vulnerability CVE-2022-41082 which allows remote code execution (RCE) when PowerShell is accessible to the attacker. Microsoft said Exchange Online has detections and mitigation in place to protect customers. Customers using on-premises Microsoft Exchange servers are urged to review the mitigations suggested in the security advisory, which Microsoft says should block the known attack patterns. Customer guidance is available at https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/
Tomi Engdahl says:
Finland’s telecommunications connections are protected in many ways https://www.huoltovarmuuskeskus.fi/a/suomen-tietoliikenneyhteydet-suojattu-monin-tavoin
The Nord Stream gas pipelines that ruptured on the bottom of the Baltic Sea have raised concerns about whether the same could happen to the telecommunications cables running along the Baltic seabed. International telecommunications connections are, however, protected in many ways, and several simultaneous failures would be required to cut off the connections.
Tomi Engdahl says:
Covert CIA websites could have been found by ‘an amateur’, research finds https://www.theguardian.com/us-news/2022/sep/29/cia-websites-security-sources-communication-safety
The CIA used hundreds of websites for covert communications that were severely flawed and could have been identified by even an “amateur sleuth”, according to security researchers. The flaws reportedly led to the death of more than two dozen US sources in China in 2011 and 2012 and also reportedly led Iran to execute or imprison other CIA assets. The group said it was not publishing a full detailed technical report of its findings to avoid putting CIA assets or employees at risk. But its limited findings raise serious doubts about the intelligence agency’s handling of safety measures. Using just a single website and publicly available material, Citizen Lab said it identified a network of 885 websites that it attributed “with high confidence” as having been used by the CIA. It found that the websites purported to be concerned with news, weather, healthcare and other legitimate websites.
Tomi Engdahl says:
Espionage Group Wields Steganographic Backdoor Against Govs, Stock Exchange https://www.darkreading.com/attacks-breaches/espionage-steganographic-backdoor-against-govs-stock-exchange
An emerging cyber-espionage threat group has been hitting targets in the Middle East and Africa with a novel backdoor dubbed “Stegmap,” which uses the rarely seen steganography technique to hide malicious code in a hosted image. Recent attacks show the group called Witchetty, aka LookingFrog, fortifying its tool set, adding sophisticated evasion tactics, and exploiting known Microsoft Exchange vulnerabilities ProxyShell and ProxyLogon. Researchers from Symantec Threat Hunter observed the group installing webshells on public-facing servers, stealing credentials, and then spreading laterally across networks to propagate malware, they revealed in a blog post published Sept. 29.
Tomi Engdahl says:
A glimpse into the shadowy realm of a Chinese APT: detailed analysis of a ShadowPad intrusion https://research.nccgroup.com/2022/09/30/a-glimpse-into-the-shadowy-realm-of-a-chinese-apt-detailed-analysis-of-a-shadowpad-intrusion/
This post explores some of the TTPs employed by a threat actor who was observed deploying ShadowPad during an incident response engagement.
This blog looks to build on the work of other security research done by SecureWorks and PwC with firsthand experience of TTPs used in a recent incident where ShadowPad was deployed. ShadowPad is a modular remote access trojan (RAT) which is thought to be used almost exclusively by China-based threat actors.
Tomi Engdahl says:
Watchfinder warns customers that hackers stole their data https://grahamcluley.com/watchfinder-warns-customers-that-hackers-stole-their-data/
Luxury pre-owned watch website Watchfinder has warned its user base that their personal data has been accessed after an employee’s account was broken into and a customer list accessed. Although the company says that postal addresses, passwords, and financial details, were not amongst the records stolen by the hacker, personal details which were taken include customers’ email addresses, telephone numbers, and lists of which watches they may have purchased or expressed an interest in.
Tomi Engdahl says:
Fake CISO Profiles on LinkedIn Target Fortune 500s https://krebsonsecurity.com/2022/09/fake-ciso-profiles-on-linkedin-target-fortune-500s/
Someone has recently created a large number of fake LinkedIn profiles for Chief Information Security Officer (CISO) roles at some of the world’s largest corporations. It’s not clear who’s behind this network of fake CISOs or what their intentions may be. But the fabricated LinkedIn identities are confusing search engine results for CISO roles at major companies, and they are being indexed as gospel by various downstream data-scraping sources. If one searches LinkedIn for the CISO of the energy giant Chevron, one might find the profile for a Victor Sites, who says he’s from Westerville, Ohio and is a graduate of Texas A&M University. Of course, Sites is not the real CISO of Chevron. That role is currently occupied by Christopher Lukas of Danville, Calif. If you were confused at this point, you might ask Google who it thinks is the current Chief Information Security Officer of Chevron. When KrebsOnSecurity did that earlier this morning, the fake CISO profile was the very first search result returned (followed by the LinkedIn profile for the real Chevron CISO).
Tomi Engdahl says:
Fake US govt job offers push Cobalt Strike in phishing attacks https://www.bleepingcomputer.com/news/security/fake-us-govt-job-offers-push-cobalt-strike-in-phishing-attacks/
A new phishing campaign targets US and New Zealand job seekers with malicious documents installing Cobalt Strike beacons for remote access to victims’ devices. The attack is modularized and multi-staged, with most steps relying on executing obfuscated scripts from the host’s memory and abusing the Bitbucket code hosting service to evade detection. The discovery comes from researchers at Cisco Talos who observed two different phishing lures, both targeting job seekers and leading to the deployment of Cobalt Strike. However, the threat actors keep copies of Amadey and RedLine stealer handy in the dropping repository, so the malware delivery may vary depending on the target.
Tomi Engdahl says:
Fast Company hacked to send obscene and racist messages https://www.malwarebytes.com/blog/news/2022/09/fast-company-is-currently-investigating-how-it-got-hacked
Yesterday, Apple News announced it had disabled the channel of Fast Company, a US-based business magazine, after surprised Twitter users reported it was tweeting offensive comments. Fast Company was hacked on Sunday, September 25. The attacker responsible modified article titles to obscene and racist things.
Tomi Engdahl says:
Analyzing attacks using the Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082 https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/
In this blog post Microsoft analyzes observed activity related to the recently released zero-day vulnerabilities. MSTIC observed activity related to a single activity group in August 2022 that achieved initial access and compromised Exchange servers by chaining CVE-2022-41040 and CVE-2022-41082 in a small number of targeted attacks. These attacks installed the Chopper web shell to facilitate hands-on-keyboard access, which the attackers used to perform Active Directory reconnaissance and data exfiltration. Microsoft observed these attacks in fewer than 10 organizations globally. MSTIC assesses with medium confidence that the single activity group is likely to be a state-sponsored organization. For more information including what happened after the vulnerability was made public, please review the blog post.
Tomi Engdahl says:
Lazarus hackers abuse Dell driver bug using new FudModule rootkit https://www.bleepingcomputer.com/news/security/lazarus-hackers-abuse-dell-driver-bug-using-new-fudmodule-rootkit/
The notorious North Korean hacking group Lazarus was seen installing a Windows rootkit that abuses a Dell hardware driver in a Bring Your Own Vulnerable Driver attack. The spear-phishing campaign unfolded in the autumn of 2021, and the confirmed targets include an aerospace expert in the Netherlands and a political journalist in Belgium.
According to ESET, which published a report on the campaign today, the primary goal was espionage and data theft.
Tomi Engdahl says:
IN BRIEF The BlackCat ransomware gang, also known as ALPHV, has allegedly broken into IT firm NJVC, a provider of services to civilian US government agencies and the Department of Defense https://www.theregister.com/2022/10/02/in-brief-security/
DarkFeed, which monitors the dark web for ransomware intelligence, tweeted this week that BlackCat had added NJVC to its victims’ list, along with sharing a screenshot allegedly of ALPHV’s blog notifying NJVC that it had stolen data during its intrusion. “We strongly recommend that you contact us to discuss your situation. Otherwise, the confidential data in our possession will be released in stages every 12 hours. There is a lot of material,” ALPHV said, per the screenshot.
Tomi Engdahl says:
Russians dodging mobilization behind flourishing scam market https://www.bleepingcomputer.com/news/security/russians-dodging-mobilization-behind-flourishing-scam-market/
Ever since Russian president Vladimir Putin ordered partial mobilization after facing setbacks on the Ukrainian front, men in Russia and the state’s conscript officers are playing a cat and mouse game involving technology and cybercrime services. More specifically, many Russian men eligible for enlistment have resorted to illegal channels that provide them with fabricated exemptions, while those fleeing the country to neighboring regions turn to use identity masking tools. This situation has created a highly lucrative environment for sellers of illicit services to flourish. Similarly, scammers and fraudsters also see an excellent opportunity to exploit panicking people in a great hurry.
Tomi Engdahl says:
Microsoft to let Office 365 users report Teams phishing messages https://www.bleepingcomputer.com/news/microsoft/microsoft-to-let-office-365-users-report-teams-phishing-messages/
Microsoft is working on updating Microsoft Defender for Office 365 to allow Microsoft Teams users to alert their organization’s security team of any dodgy messages they receive. Microsoft Defender for Office 365 (formerly Office 365 Advanced Threat Protection or Office 365 ATP) protects organizations from malicious threats from email messages, links, and collaboration tools. This in-development feature aims to allow admins to filter potentially dangerous messages targeting employees with malicious payloads or trying to redirect them to phishing websites.
Tomi Engdahl says:
An unusual Wilma message was sent to homes in Mikkeli: “Attempts have been made to use accounts outside Finland”
https://www.is.fi/digitoday/art-2000009106246.html
IN MIKKELI, a Wilma message was sent on Thursday to the homes of some students, stating that attempts had been made to use the user accounts of City of Mikkeli students from outside Finland.
Jussi Linnala, Chief Information Officer of the City of Mikkeli, says that attempts were made to access and misuse the user accounts of about ten students. The misuse attempts were detected on Thursday, but according to Linnala the situation was brought under control immediately.
According to current information, there is no security threat of any kind.
The passwords of the suspected accounts have been changed and logging in from outside the country’s borders has been blocked. Based on what we have investigated, no data has been lost.
Tomi Engdahl says:
DoD Announces Final Results of ‘Hack US’ Bug Bounty Program
https://www.securityweek.com/dod-announces-final-results-hack-us-bug-bounty-program
The US Department of Defense (DoD) and HackerOne this week announced the results of the Hack US one-week bug bounty challenge that ran from July 4 to July 11, 2022.
Launched by the Chief Digital and Artificial Intelligence Office (CDAO) Directorate for Digital Services and the Department of Defense Cyber Crime Center (DC3), the challenge was an extension of DoD’s vulnerability disclosure program (VDP) running on the HackerOne bug bounty platform.
The DoD announced it was offering a total bounty pool of $110,000, representing $75,000 in rewards for submitted vulnerability reports, and $35,000 for bonus awards.
This week, the department said that the entire bounty pool was exhausted. A total of 267 ethical hackers participated in the challenge, 139 of them being new to DoD’s VDP.
In total, the ethical hackers submitted 648 reports during the Hack US event, including 349 actionable reports, the DoD announced.
According to DoD VDP director at DC3 Melissa Vice, many of the submitted reports “could have been critical had they not been identified and remediated during this bug bounty challenge”.
Tomi Engdahl says:
Microsoft Confirms Exploitation of Two Exchange Server Zero-Days
https://www.securityweek.com/microsoft-confirms-exploitation-two-exchange-server-zero-days
Microsoft has confirmed that it’s aware of two Exchange Server zero-day vulnerabilities that have been exploited in targeted attacks. The tech giant is working on patches.
GTSC, a cybersecurity company based in Vietnam, reported seeing attacks exploiting two new Microsoft Exchange zero-day vulnerabilities. The firm believes the attacks, which were first seen in August and aimed at critical infrastructure, were launched by a Chinese threat group.
Technical details on the vulnerabilities have not been made public, but GTSC did say that the threat actor’s post-exploitation activities included the deployment of backdoors, lateral movement, and the delivery of malware.
The vulnerabilities were reported to Microsoft through Trend Micro’s Zero Day Initiative (ZDI). Microsoft has now published a blog post to inform customers that it is investigating two reported zero-day flaws.
The tech giant says one of the flaws is a server-side request forgery (SSRF) issue tracked as CVE-2022-41040 and the second is a remote code execution vulnerability tracked as CVE-2022-41082. The security holes have been found to impact Exchange Server 2013, 2016 and 2019.
“At this time, Microsoft is aware of limited targeted attacks using the two vulnerabilities to get into users’ systems. In these attacks, CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082. It should be noted that authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either of the two vulnerabilities,” Microsoft said.
Tomi Engdahl says:
Chinese Cyberespionage Group ‘Witchetty’ Updates Toolset in Recent Attacks
https://www.securityweek.com/chinese-cyberespionage-group-witchetty-updates-toolset-recent-attacks
Chinese cyberespionage group Witchetty has been observed updating its toolset in recent attacks targeting entities in the Middle East and Africa, Symantec reports.
Also referred to as LookingFrog, Witchetty is believed to be part of Cicada, the Chinese advanced persistent threat (APT) actor also known as APT10 and Stone Panda.
Initially focused on Japanese targets, earlier this year Cicada was seen expanding its target list to include entities in multiple countries worldwide, including Europe, Asia, and North America.
Tomi Engdahl says:
Cisco Patches High-Severity Vulnerabilities in Networking Software
https://www.securityweek.com/cisco-patches-high-severity-vulnerabilities-networking-software
Cisco this week announced IOS and IOS XE software updates that address 12 vulnerabilities, including 10 high-severity security flaws.
The bugs were resolved as part of Cisco’s semiannual bundle patches for its networking software, which it releases in March and September.
With a CVSS score of 8.6, the most severe of the newly addressed issues are six vulnerabilities that could lead to denial-of-service (DoS) conditions.
The issues exist because of improper processing or insufficient input validation of certain packages, improper management of resources, and logic errors.
An attacker could exploit these vulnerabilities by sending malformed CIP packets, crafted DNS packets, a malformed packet out of an affected MPLS-enabled interface, malicious UDP datagrams, crafted CAPWAP Mobility packets, or malicious DHCP messages.
According to Cisco, these vulnerabilities impact multiple product series, including Catalyst 9100 access points (APs), Catalyst 9800 wireless controllers, Catalyst 3650, Catalyst 3850, and Catalyst 9000 switches, ASR 1000 embedded services processors, and Catalyst 8500 edge platforms.
Of the remaining four high-severity vulnerabilities, two could allow an attacker to cause a DoS condition by sending crafted SSH requests or IPv6 packets.
Cisco has released software updates that address these vulnerabilities. The tech giant says it is not aware of any of these vulnerabilities being exploited in attacks.
Tomi Engdahl says:
Microsoft Exchange Attacks: Zero-Day or New ProxyShell Exploit?
https://www.securityweek.com/microsoft-exchange-attacks-zero-day-or-new-proxyshell-exploit
A cybersecurity company based in Vietnam has reported seeing attacks exploiting a new Microsoft Exchange zero-day vulnerability, but it may just be a variation of the old ProxyShell exploit.
Vietnamese firm GTSC published a blog post this week to provide information and indicators of compromise (IoC) associated with an attack campaign leveraging what appear to be a couple of previously unknown Microsoft Exchange flaws that allow an authenticated attacker — even one with low-privileged credentials — to execute arbitrary code.
GTSC detected an attack, aimed at critical infrastructure, at the beginning of August. The attack appeared to involve at least two new flaws, to which CVSS scores of 8.8 and 6.3 have been assigned.
GTSC reported that the detected exploit requests had the same format as those used to exploit the Exchange vulnerability known as ProxyShell, which has been exploited in the wild for more than a year.
Based on this and other available information, researcher Kevin Beaumont, who has confirmed seeing a significant number of Exchange servers getting backdoored, believes it’s possible that the attacks observed by GTSC involve a new exploit, but not a new vulnerability.
One possibility is that someone has managed to create a more efficient ProxyShell exploit and they are now targeting the many Exchange servers that remain unpatched, said the researcher, who has named this activity ProxyNotShell.
“Many of the ProxyShell exploits needed a valid administrator mailbox and were clunky as hell. It is possible somebody has an exploit which works properly… and now you’re seeing unpatched servers finally get owned,” Beaumont explained.
“If you don’t run Microsoft Exchange on premise, and don’t have Outlook Web App facing the internet, you are not impacted.”
Tomi Engdahl says:
Dan De Luce / NBC News:
Kentik: Iran’s three main mobile operators shut down service for about eight hours in the evening for 10 consecutive days, causing an uptick in landline traffic — Internet freedom activists are scrambling to help Iranians evade Tehran’s online crackdown and are urging the U.S. government …
Internet freedom activists scramble to help Iranians evade Tehran’s digital crackdown
https://www.nbcnews.com/news/world/internet-freedom-activists-scramble-help-iranians-evade-tehrans-digita-rcna50232
Tech-savvy protesters and Iranian authorities play a cat and mouse game as the regime tries to muzzle angry demonstrations.
Tomi Engdahl says:
Microsoft Exchange server zero-day mitigation can be bypassed https://www.bleepingcomputer.com/news/security/microsoft-exchange-server-zero-day-mitigation-can-be-bypassed/
Microsoft has shared mitigations for two new Microsoft Exchange zero-day vulnerabilities tracked as CVE-2022-41040 and CVE-2022-41082, but researchers warn that the mitigation for on-premise servers is far from enough. Threat actors are already chaining both of these zero-day bugs in active attacks to breach Microsoft Exchange servers and achieve remote code execution. Both security flaws were reported privately through the Zero Day Initiative program about three weeks ago by Vietnamese cybersecurity company GTSC, who shared the details publicly last week.
Tomi Engdahl says:
Mexican journalists targeted by zero-click spyware infections https://therecord.media/mexican-journalists-targeted-by-zero-click-spyware-infections/
Mexican journalists and a human rights defender investigating links between extrajudicial killings, drugs cartels, and the Mexican military, were infected with NSO Group’s spyware after being hacked through zero-click attacks, a new investigation has alleged. The investigation follows a series of eight reports published in 2017 detailing “widespread Pegasus targeting” in Mexico. It suggests such targeting has continued despite repeated commitments by the current president, Andrés Manuel López Obrador, that his government would not use the spyware. The new cases, which took place between 2019 and 2021, were uncovered by the Mexican digital rights organization R3D (Red en Defensa de los Derechos Digitales) with technical support provided by the Citizen Lab at Toronto University. Citizen Lab said that while technical data available doesn’t enable them to attribute the hacking to a particular NSO customer, “each of the victims would be of intense interest to entities within the Mexican government and in some cases, troublingly, to cartels.”
Tomi Engdahl says:
DeftTorero: tactics, techniques and procedures of intrusions revealed https://securelist.com/defttorero-tactics-techniques-and-procedures/107610/
Earlier this year, we started hunting for possible new DeftTorero (aka Lebanese Cedar, Volatile Cedar) artifacts. This threat actor is believed to originate from the Middle East and was publicly disclosed to the cybersecurity community as early as 2015. Notably, no other intelligence was shared until 2021, which led us to speculate on a possible shift by the threat actor to more fileless/LOLBINS techniques, and the use of known/common offensive tools publicly available on the internet that allow them to blend in. The public reports available to date expose and discuss the final payload Explosive RAT and the webshells used in the initial foothold such as Caterpillar and ASPXSpy, with little on the tactics, techniques and procedures (TTPs); this post focuses primarily on the TTPs used by the threat actor in intrusions between late 2019 and mid-2021 to compromise victims.
Tomi Engdahl says:
Student data leaked after LA school district says it won’t pay ransom https://www.bitdefender.com/blog/hotforsecurity/student-data-leaked-after-la-school-district-says-it-wont-pay-ransom/
Hackers have leaked data stolen from the United States’ second-largest school district, after the Los Angeles Unified School District (LAUSD) announced it would not be giving in to ransom demands. LAUSD was hit at the start of last month, just before classes were scheduled to resume after the summer break, by the Vice Society ransomware gang, who have been responsible for a series of attacks against the education sector across the country. Initially it was believed that disruption to the school’s email systems and network infrastructure would be the biggest headache following the security breach. But it has since emerged that Vice Society did most likely exfiltrate sensitive data from LAUSD’s systems. Local media reports have suggested that data stolen and leaked by Vice Society includes confidential psychological assessments of students, contract and legal documents, and business records, amongst other sensitive data.
Tomi Engdahl says:
Live support service hacked to spread malware in supply chain attack https://www.bleepingcomputer.com/news/security/live-support-service-hacked-to-spread-malware-in-supply-chain-attack/
The official installer for the Comm100 Live Chat application, a widely deployed SaaS (software-as-a-service) that businesses use for customer communication and website visitors, was trojanized as part of a new supply-chain attack. A report from CrowdStrike says that the infected variant was available from the vendor’s website from at least September 26 until the morning of September 29. Because the trojanized installer used a valid digital signature, antivirus solutions would not trigger warnings during its launch, allowing for a stealthy supply-chain attack.
Tomi Engdahl says:
In the US, $1.8 billion in fines for companies over the use of WhatsApp
https://www.kauppalehti.fi/uutiset/yhdysvalloissa-1-8-miljardin-sakot-yrityksille-whatsappin-kaytosta/a47a1a2a-f9c9-403c-a4a4-81ca9ddc7647
The US Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC), which oversees the futures markets, have slapped a total of 16 banks and financial-sector firms with fines totalling more than $1.8 billion. The reason is the use of improper communication channels. The Register reported on the matter. To be precise, the penalties stem from the companies’ inability to ensure that their employees keep work-related communications on official platforms. Bank staff had, however, also discussed work matters with each other on unapproved platforms such as WhatsApp. This in turn means that the financial firms’ record-keeping obligations and the regulators’ ability to oversee their activities are not fulfilled as required by law.
Tomi Engdahl says:
Supply Chain Attack Targets Customer Engagement Firm Comm100
https://www.securityweek.com/supply-chain-attack-targets-customer-engagement-firm-comm100
CrowdStrike is warning of a recently identified supply chain attack involving Canada-based customer engagement software provider Comm100.
As part of the attack, a trojanized Comm100 Live Chat installer signed with a valid Comm100 Network Corporation certificate on September 26 was distributed from the company’s website from at least September 27 until September 29, 2022. The vendor claims to have more than 15,000 customers across 51 countries.
“The trojanized file was identified at organizations in the industrial, healthcare, technology, manufacturing, insurance and telecommunications sectors in North America and Europe,” CrowdStrike says.
The Comm100 installer is an Electron application in which the attackers injected a JavaScript backdoor, within the main.js file of the embedded archive. When executed, the backdoor fetches and runs a second-stage script from an external resource.
Tomi Engdahl says:
Report: Mexico Continued to Use Spyware Against Activists
https://www.securityweek.com/report-mexico-continued-use-spyware-against-activists
Tomi Engdahl says:
CISA Warns of Attacks Exploiting Recent Atlassian Bitbucket Vulnerability
https://www.securityweek.com/cisa-warns-attacks-exploiting-recent-atlassian-bitbucket-vulnerability
Tomi Engdahl says:
Optus Says ID Numbers of 2.1 Million Compromised in Data Breach
https://www.securityweek.com/optus-says-id-numbers-21-million-compromised-data-breach
Australian telecommunications company Optus says that 2.1 million of its customers had numbers associated with their identification documents compromised in a recent data breach.
On September 22, the wireless carrier announced it had fallen victim to a cyberattack that resulted in the potential compromise of the personally identifiable information of some of its customers, without providing specifics on the number of impacted individuals.
Days after the attack was identified and addressed, a threat actor posted 10,000 Optus customer records on the dark web, threatening to make more information public unless the wireless carrier paid a $1 million ransom in cryptocurrency.
During the data breach, the attackers accessed user data such as names, dates of birth, email and home addresses, phone numbers, and personal identification document numbers.
The incident appears to have impacted the data of all of Optus’ 9.8 million customers, but the wireless carrier says that only the records of 1.2 million customers included a valid personal ID number.
Tomi Engdahl says:
North Korean Hackers Exploit Dell Driver Vulnerability to Disable Windows Security
https://www.securityweek.com/north-korean-hackers-exploit-dell-driver-vulnerability-disable-windows-security
North Korean state-sponsored hacking group Lazarus was seen exploiting a Dell DBUtil driver vulnerability to disable the security mechanisms on the targeted Windows machines.
Tracked as CVE-2021-21551 (CVSS score of 8.8), the security flaw is described as an insufficient access control issue that could allow authenticated attackers to escalate privileges, cause a denial-of-service (DoS) condition, or leak information.
Impacting the ‘dbutil_2_3.sys’ driver, the vulnerability is a collection of five security defects estimated to impact hundreds of millions of Dell desktops, laptops, notebooks, and tablets. Dell released a patch for this issue in May 2021.
As part of the newly analyzed attacks, Lazarus deployed on target systems a tool that exploited the Dell DBUtil flaw to disable “the monitoring of all security solutions on compromised machines”, using never-before-seen techniques against Windows kernel mechanisms. This is the first known attack exploiting CVE-2021-21551.
According to ESET, Lazarus used the tool in attacks targeting an employee of a Dutch aerospace company, and a political journalist at a media outlet in Belgium, likely for espionage purposes.
Amazon-themed campaigns of Lazarus in the Netherlands and Belgium
ESET researchers have discovered Lazarus attacks against targets in the Netherlands and Belgium that use spearphishing emails connected to fake job offers.
https://www.welivesecurity.com/2022/09/30/amazon-themed-campaigns-lazarus-netherlands-belgium/
Tomi Engdahl says:
“The Los Angeles Unified School District became the victim of a second cyber attack in less than a month this weekend, when a ransomware gang [reportedly published 500 gigabytes](https://techcrunch.com/2022/10/03/los-angeles-school-district-ransomware-data/) of potentially sensitive data involving the schools’ students and employees.
On Sunday, district superintendent Alberto M. Carvalho [confirmed, via Twitter](https://twitter.com/LAUSDSup/status/1576636549994717184), that “a criminal organization” released the data set.
Ransomware gang Vice Society has claimed responsibility for [the ransomware attack](https://www.cisa.gov/uscert/ncas/alerts/aa22-249a), and apparently leaked the data on its dark web site.”
https://www.newsmax.com/newsfront/los-angeles-schools-ransomware/2022/10/03/id/1090287/
Tomi Engdahl says:
https://www.glitched.online/the-ps5-has-been-jailbroken-custom-packages-can-now-be-installed/
Tomi Engdahl says:
Former NSA employee charged with violating Espionage Act after trying to sell US secrets https://edition.cnn.com/2022/09/29/politics/jareh-sebastian-dalke-nsa-espionage-sell-secrets-charged/index.html
A former employee of the National Security Agency was arrested Wednesday on espionage-related charges for allegedly trying to sell US secrets, the Justice Department announced. Jareh Dalke, 30, attempted to transmit classified national defense information (NDI) to a representative of a foreign government, the department said in a news release. He faces charges related to three violations of the Espionage Act and made his first appearance in court Thursday. The Colorado man, who worked at the NSA for less than a month as an information system security designer, used an encrypted email to send excerpts of three classified documents to someone he believed to be a representative of a foreign government, according to an affidavit. The person was an undercover FBI agent.
Tomi Engdahl says:
Cheerscrypt ransomware linked to a Chinese hacking group https://www.bleepingcomputer.com/news/security/cheerscrypt-ransomware-linked-to-a-chinese-hacking-group/
The Cheerscrypt ransomware has been linked to a Chinese hacking group named Emperor Dragonfly, known to frequently switch between ransomware families to evade attribution. The ransomware gang is tracked under different names, such as Bronze Starlight (Secureworks) and DEV-0401 (Microsoft), and has been seen using a wide variety of ransomware families since 2021. While the hacking group appears to operate as a ransomware operation, previous research indicates that many of their victims are targets of interest for the Chinese government. This has led researchers to believe that the ransomware activities of the hacking group could be a cover for Chinese government-sponsored cyber espionage campaigns.
Tomi Engdahl says:
Actively exploited vulnerability in Bitbucket Server and Data Center https://www.malwarebytes.com/blog/news/2022/10/warnings-about-actively-exploited-vulnerability-in-bitbucket-server-and-data-center
On September 29, 2022 the Cybersecurity & Infrastructure Security Agency (CISA) added three vulnerabilities to its catalog of known-to-be-exploited vulnerabilities. One of them is a vulnerability in Atlassian’s Bitbucket Server and Data Center. The other two are the Exchange Server zero-day vulnerabilities we wrote about last week. The Bitbucket vulnerability is no zero-day. Fixed versions were made available on August 24, 2022. The vulnerability allows an attacker who has read permissions to execute arbitrary code by sending a malicious HTTP request.
Tomi Engdahl says:
Fake Microsoft Exchange ProxyNotShell exploits for sale on GitHub https://www.bleepingcomputer.com/news/security/fake-microsoft-exchange-proxynotshell-exploits-for-sale-on-github/
Scammers are impersonating security researchers to sell fake proof-of-concept ProxyNotShell exploits for newly discovered Microsoft Exchange zero-day vulnerabilities. Security researchers are keeping the technical details of the vulnerabilities private, and it appears only a small number of threat actors are exploiting them. Due to this, other researchers and threat actors are awaiting the first public disclosure of the vulnerabilities to use in their own activities, whether defending a network or hacking into one. To take advantage of this lull before the storm, a scammer has begun creating GitHub repositories where they attempt to sell fake proof-of-concept exploits for the Exchange CVE-2022-41040 and CVE-2022-41082 vulnerabilities.
Tomi Engdahl says:
OnionPoison: infected Tor Browser installer distributed through popular YouTube channel https://securelist.com/onionpoison-infected-tor-browser-installer-youtube/107627/
While performing regular threat hunting activities, we identified multiple downloads of previously unclustered malicious Tor Browser installers. According to our telemetry, all the victims targeted by these installers are located in China. As the Tor Browser website is blocked in China, individuals from this country often resort to downloading Tor from third-party websites. In our case, a link to a malicious Tor installer was posted on a popular Chinese-language YouTube channel devoted to anonymity on the internet. The channel has more than 180,000 subscribers, while the view count on the video with the malicious link exceeds 64,000. The video was posted in January 2022, and the campaign’s first victims started to appear in our telemetry in March 2022. The installation of the malicious Tor Browser is configured to be less private than the original Tor. Unlike the legitimate one, the infected Tor Browser stores browsing history and data entered into website forms. More importantly, one of the libraries bundled with the malicious Tor Browser is infected with spyware that collects various personal data and sends it to a command and control server. The spyware also provides the functionality to execute shell commands on the victim machine, giving the attacker control over it.
Tomi Engdahl says:
Optus confirms 2.1 million ID numbers exposed in data breach https://www.bleepingcomputer.com/news/security/optus-confirms-21-million-id-numbers-exposed-in-data-breach/
Optus confirmed yesterday that 2.1 million customers had government identification numbers compromised during a cyberattack last month. In a press statement released yesterday, the mobile carrier updated the information regarding the personal data of 9.8 million customers exposed during the attack. In an investigation, Optus confirmed that a total of 2.1 million customers had valid or expired ID document numbers exposed to the hackers. Of these 2.1 million customers, 1.2 million had at least one number from a current and valid form of identification compromised, and 900,000 had ID numbers exposed but from documents that are now expired.
Tomi Engdahl says:
Romance scammer and BEC fraudster sent to prison for 25 years https://nakedsecurity.sophos.com/2022/10/04/romance-scammer-and-bec-fraudster-sent-to-prison-for-25-years/
Elvis, you might say, has left the building, but only to be transported from court to federal prison. In this case, we’re referring to Elvis Eghosa Ogiekpolor, jailed for 25 years in Atlanta, Georgia for running a cybercrime group that scammed close to $10,000,000 in under two years from individuals and businesses caught up in so-called romance and BEC scams. Five other co-conspirators who seem to have “worked for” Ogiekpolor have already pleaded guilty in this case; as far as we know, they haven’t been sentenced yet.
Tomi Engdahl says:
This sneaky fraud attack looks like an email forwarded by your boss
https://www.zdnet.com/article/this-sneaky-fraud-attack-looks-like-an-email-forwarded-by-your-boss/#ftag=RSSbaffb68
A business email compromise (BEC) campaign is using an email thread that pretends to have been forwarded by the boss in a bid to trick targets into handing over big sums of money. Not only are BEC attacks one of the most lucrative forms of cybercrime (the FBI says they’ve cost victims a combined total of more than $43 billion in recent years), but they’re also one of the simplest to carry out, because all attackers really need is an internet connection, an email account and perhaps some background research into their targets. Often, BEC emails seem to be from a colleague or a boss, claiming that a wire transfer must be made quickly and quietly, with scammers hoping that generating a sense of urgency will be enough to trick the unfortunate target into making a bogus payment.
Tomi Engdahl says:
New Hacktivism Model Trends Worldwide
https://blog.checkpoint.com/2022/10/03/new-hacktivism-model-trends-worldwide/
Check Point Research outlines a new model of hacktivism now trending worldwide. Five characteristics mark today’s form of hacktivism, according to researchers: political ideology, leadership hierarchy, formal recruiting, advanced tools and public relations. CPR gives the hacktivist group Killnet as an example of the latest model, detailing its attacks by country and attack timeline. CPR warns that hacktivism that originates in conflict-related geographies has the potential to scale worldwide. Before, hacktivism was mostly focused on a few individuals carrying out small-scale DDoS and defacement attacks. Now, hacktivism is better organized, structured and sophisticated. CPR believes the new model of hacktivism began in conflict areas in the Middle East and Eastern Europe and proliferated to other areas during 2022.
Tomi Engdahl says:
Microsoft Exchange server zero-day mitigation can be bypassed https://www.bleepingcomputer.com/news/security/microsoft-exchange-server-zero-day-mitigation-can-be-bypassed/
Microsoft has shared mitigations for two new Microsoft Exchange zero-day vulnerabilities tracked as CVE-2022-41040 and CVE-2022-41082, but researchers warn that the mitigation for on-premise servers is far from enough. Threat actors are already chaining both of these zero-day bugs in active attacks to breach Microsoft Exchange servers and achieve remote code execution. Both security flaws were reported privately through the Zero Day Initiative program about three weeks ago by Vietnamese cybersecurity company GTSC, who shared the details publicly last week.
Mitigation for ProxyNotShell Exchange Vulnerabilities Easily Bypassed
A mitigation proposed by Microsoft and others for the Exchange server vulnerabilities tracked as ProxyNotShell can be easily bypassed.
https://www.securityweek.com/mitigation-proxynotshell-exchange-vulnerabilities-easily-bypassed
A mitigation proposed by Microsoft and others for the new Exchange Server zero-day vulnerabilities named ProxyNotShell can be easily bypassed, researchers warn.
The security holes, officially tracked as CVE-2022-41040 and CVE-2022-41082, can allow an attacker to remotely execute arbitrary code with elevated privileges.
Researcher Kevin Beaumont named the vulnerabilities ProxyNotShell due to similarities to the Exchange vulnerability dubbed ProxyShell, which has been exploited in the wild for more than a year. It seems that Microsoft’s patches for ProxyShell do not completely remove an attack vector.
However, unlike ProxyShell, the new issues can only be exploited by an authenticated attacker, although even standard email user credentials are sufficient.
Microsoft’s own analysis indicates that a single state-sponsored threat group has chained the Exchange vulnerabilities in attacks aimed at fewer than 10 organizations, but the tech giant expects other malicious actors to start leveraging them in their attacks.
Patches for these vulnerabilities have yet to be released, but Microsoft says it’s working on fixes on an accelerated timeline.
In the meantime, GTSC and Microsoft have proposed a mitigation that involves setting a URL rewrite rule that should block attack attempts. However, a researcher known as Jang noted that the rule is not efficient and can be easily bypassed. Jang did propose a very similar rule that should work.
https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/
https://twitter.com/testanull/status/1576774007826718720
Microsoft has released a tool that should automate the mitigation, but at this point it likely applies the rule that can be bypassed.
While details have not been made public for the vulnerabilities in order to prevent abuse, some individuals have been offering ProxyNotShell proof-of-concept (PoC) exploits that have turned out to be fake.
Microsoft has told Exchange Online customers that they don’t need to take any action, but Beaumont believes that is not true.
https://twitter.com/_JohnHammond/status/1575849524169523201
The CERT Coordination Center at Carnegie Mellon University has released its own advisory for CVE-2022-41040 and CVE-2022-41082, and provided an explanation regarding the problematic mitigation.
https://kb.cert.org/vuls/id/915563
Since exploitation of the vulnerabilities requires authentication, mass exploitation is unlikely at this point, but the flaws can be very valuable in targeted attacks. Some members of the cybersecurity community have released open source tools that can be used to detect the presence of the vulnerabilities.
https://twitter.com/q8fawazo/status/1576503359359832064
https://github.com/smokeme/ProxyNotShell
https://twitter.com/1ZRR4H/status/1576471006373613569
https://github.com/CronUp/Vulnerabilidades/blob/main/proxynotshell_checker.nse
Tomi Engdahl says:
Firmware Security Company Eclypsium Raises $25 Million in Series B Funding
https://www.securityweek.com/firmware-security-company-eclypsium-raises-25-million-series-b-funding
Firmware and hardware security company Eclypsium announced on Tuesday that it has raised $25 million in a Series B funding round, which brings the total invested in the firm to $50 million.
The funding was led by Ten Eleven Ventures, with participation from Global Brain’s KDDI Open Innovation Fund (KOIF), J-Ventures, Andreessen Horowitz, Madrona Venture Group, Alumni Ventures, AV8 Ventures, Intel Capital, Mindset Ventures, Oregon Venture Fund (OVF), Translink Capital, and Ubiquity Ventures.
Eclypsium said it will use the new capital to expand its product capabilities, to further accelerate sales momentum, and continue its supply chain security research. The company’s researchers have identified vulnerabilities affecting many devices.
Eclypsium has developed a SaaS platform that can help enterprises secure and protect their endpoints, network equipment, servers and connected devices.
“Eclypsium solves a critical and often overlooked dimension of the cybersecurity puzzle – ensuring every device is continuously protected against supply chain risk,” said Alex Doll of Ten Eleven Ventures, who has joined Eclypsium’s board.
Secure Boot Bypass Flaws Affect Bootloaders of Many Devices Made in Past Decade
https://www.securityweek.com/secure-boot-bypass-flaws-affect-bootloaders-many-devices-made-past-decade
Bootloaders present in a majority of computers made in the past 10 years are affected by Secure Boot bypass vulnerabilities, according to firmware security company Eclypsium.
Secure Boot is a mechanism designed to protect a device’s boot process from attacks, and bypassing it can allow an attacker to execute arbitrary code before the operating system loads. This can be useful for installing stealthy and persistent malware.
Eclypsium has identified Secure Boot bypass vulnerabilities in the Eurosoft (CVE-2022-34301), New Horizon Datasys (CVE-2022-34302), and CryptoPro Secure Disk for BitLocker (CVE-2022-34303) bootloaders. The company said these bootloaders are present in nearly all devices made in the past decade, including ARM and x86-64 devices.
The Eurosoft and CryptoPro Secure Disk bootloader bugs involve signed UEFI shells, with attackers being able to bypass Secure Boot by abusing built-in capabilities. For these security holes, exploitation can easily be automated using startup scripts, Eclypsium said.
The company noted, however, that these shells have a visual component that could be seen by a user on a monitor — although that might not be a problem on servers and industrial systems, which often run without a monitor.
Exploitation of the New Horizon Datasys vulnerability is easy and stealthy, which makes it a more likely candidate for exploitation in the wild.
“This bootloader contains a built-in bypass for Secure Boot that leaves Secure Boot on but disables the Secure Boot checks. This bypass can further enable even more complex evasions such as disabling security handlers. In this case, an attacker would not need scripting commands, and could directly run arbitrary unsigned code,” Eclypsium explained.