This posting is here to collect cyber security news in October 2022.
I post links to security vulnerability news in the comments of this article.
You are also free to post related links in the comments.
395 Comments
Tomi Engdahl says:
Critical Vulnerabilities Expose Parking Management System to Hacker Attacks
https://www.securityweek.com/critical-vulnerabilities-expose-parking-management-system-hacker-attacks
Nearly a dozen vulnerabilities have been found in a car parking management system made by Italian company Carlo Gavazzi, which makes electronic control components for building and industrial automation.
The flaws were discovered by researchers at industrial cybersecurity firm Claroty in Carlo Gavazzi’s CPY Car Park Server and UWP 3.0 monitoring gateway and controller products. The vendor released patches for the impacted products earlier this year.
[Image: Carlo Gavazzi parking management product affected by critical vulnerabilities]
The Germany-based CERT@VDE, which coordinates the disclosure of vulnerabilities impacting the industrial control system (ICS) and operational technology (OT) products of European vendors, has published an advisory describing the Carlo Gavazzi issues. CERT@VDE’s advisory describes 11 vulnerabilities, and the agency warns that an attacker could exploit them to “get full access to the affected devices”.
Vera Mens, the Claroty security researcher credited by CERT@VDE for reporting the vulnerabilities, told SecurityWeek that the impacted UWP product is a web-based application designed for remotely managing building automation, energy management, and car park guidance systems, which provide drivers with information about parking spot availability within parking facilities.
“The UWP monitoring gateway is a multi-purpose device that is capable of running a variety of monitoring servers, each intended for a different purpose,” Mens explained. “For example, the CPY Car Park Server is a function of the UWP 3.0 device dedicated to monitor and control other devices in a parking lot that keep track of available parking spots. In this example, there are sensors in each parking spot that detect whether a car is there. The sensors report to the CPY Car Park Server which aggregates the data, provides analytics (e.g. capacity over time), and orchestrates the entire operation.”
These products have been found to be affected by critical vulnerabilities related to hardcoded credentials, SQL injection, missing authentication, improper input validation, and path traversals, as well as several high-severity issues. These security holes can be exploited to bypass authentication, obtain information, and execute commands, allowing an attacker to take full control of the targeted system.
Fortunately, Mens said Claroty is not aware of any UWP devices exposed on the internet, which means an attacker would have to gain access to the targeted network to exploit the vulnerabilities.
The researcher said the vendor quickly fixed all the vulnerabilities. According to CERT@VDE, UWP3.0 version 8.5.0.3 and newer and CPY Car Park Server version 2.8.3 and newer address the flaws. The cybersecurity agency has also shared some general recommendations for preventing these types of attacks.
Carlo Gavazzi Controls: Multiple Vulnerabilities in Controller UWP 3.0
https://cert.vde.com/de/advisories/VDE-2022-029/
Impact
An attacker can get full access to the affected devices. See the vulnerability descriptions for details.
Solution
General recommendations
Use controllers and devices only in a protected environment to minimize network exposure and ensure that they are not accessible from outside
Use firewalls to protect and separate the control system network from other networks
Use VPN (Virtual Private Networks) tunnels if remote access is required
Activate and apply user management and password features
Use encrypted communication links
Limit the access to both set-up and control system by physical means, operating system features, etc.
Protect the set-up and control system by using up to date virus detecting solutions
Remediation
Please update to software/firmware versions as described
Tomi Engdahl says:
https://www.securityweek.com/web-security-company-detectify-raises-10-million
Sweden-based domain and web application security firm Detectify has received a $10 million investment from Insight Partners, bringing the total raised by the company to $42 million.
Tomi Engdahl says:
Suzanne Smalley / CyberScoop:
A CISA report finds multiple government hacking groups kept “long-term” access to a US military contractor’s network via the open-source Python toolkit Impacket — U.S. cybersecurity, law enforcement and intelligence officials revealed on Tuesday that sophisticated hackers infiltrated …
https://www.cyberscoop.com/feds-release-advisory-apts/
Tomi Engdahl says:
What would happen if a telecommunications cable on the bottom of the Baltic Sea were cut? – An authority answers
https://www.kauppalehti.fi/uutiset/mita-tapahtuisi-jos-itameren-pohjassa-oleva-tietoliikennekaapeli-menisi-poikki-viranomainen-vastaa/81d26302-46fc-4151-86d6-a552a6f7ef3e
What if the telecommunications cables running along the bottom of the Baltic Sea suffered the same fate as the Nord Stream gas pipelines?
The rupture of the Nord Stream gas pipelines has caused a stir in Europe and beyond. It has been publicly suspected that a state actor was behind the leak.
In the tense political situation, the idea that similar sabotage could be directed at the telecommunications cables lying on the bottom of the Baltic Sea has raised concern. Numerous such cables run from Finland towards Sweden, Germany and Estonia, for example.
A bulletin published by the National Emergency Supply Agency (Huoltovarmuuskeskus) states that international telecommunications connections are protected by several different means. Cutting off the connections would require several simultaneous incidents. Preparedness for such situations has been invested in for a long time.
The law sets requirements for electronic communications services. Communications networks and communications services must withstand climatic, mechanical, electromagnetic and other external disturbances. Cable faults must be detectable.
Requirements have also been set for protecting the landing sites of submarine cables.
According to the National Emergency Supply Agency, a single cable break would not have a significant impact on Finnish communications services, since in such situations traffic would automatically be rerouted via other connections. However, a cable dropping out could cause momentary outages or slowness in data traffic.
The National Emergency Supply Agency nevertheless reminds that complete information security or operational reliability does not exist. Detecting disturbances and reacting to them is therefore important.
Traficom, for its part, says in its own bulletin that the most important systems are duplicated and the most significant telecommunications connections have route redundancy.
Tomi Engdahl says:
David Voreacos / Bloomberg:
US prosecutors accuse a man of remotely swiping 713 bitcoins from a hardware wallet seized in a case against his brother, who ran crypto mixing service Helix — Gary Harmon grinned as he lounged in a bathtub full of dollar bills surrounded by scantily clad women.
Millions in Cryptocurrency Vanished as Agents Watched Helplessly
https://www.bloomberg.com/news/articles/2022-10-03/feds-seized-311m-in-bitcoin-btc-the-crypto-hacker-stole-it-back#xj4y7vzkg
Feds locked up a storage device full of ill-gotten tokens. Then someone started stealing the loot.
Gary Harmon grinned as he lounged in a bathtub full of dollar bills surrounded by scantily clad women. The moment, captured in a photo on his cellphone, could be part of his undoing. To US prosecutors, it’s evidence that he suddenly came into a lot of money.
The prosecutors accuse Harmon of a very unusual crime: remotely swiping Bitcoin stored on a computer device the government had already seized in another case, brought against his older brother, Larry. As authorities watched helplessly, 713 digital tokens—then worth almost $5 million—were somehow spirited away from the “hardware wallet” they were holding in an evidence locker.
Tomi Engdahl says:
Associated Press:
A US judge sentences Capital One hacker Paige Thompson, who accessed data on over 100M people, to five years of probation; DOJ says it is “very disappointed”
Seattle woman gets probation for massive Capital One hack
https://apnews.com/article/technology-business-seattle-sentencing-paige-thompson-6eab17de7a88d0c6a33d3f44dbfa4d2a
SEATTLE (AP) — A former Seattle tech worker convicted of several charges related to a massive hack of Capital One bank and other companies in 2019 was sentenced Tuesday to time served and five years of probation.
U.S. District Judge Robert S. Lasnik said sentencing former Amazon software engineer Paige Thompson to time in prison would have been particularly difficult on her “because of her mental health and transgender status,” the Department of Justice said in a statement.
U.S. Attorney Nick Brown said his office was “very disappointed” with the sentencing decision, adding prosecutors had asked for Thompson to serve seven years in prison.
“This is not what justice looks like,” Brown said in the statement.
In June, a Seattle jury found her guilty of wire fraud, unauthorized access to a protected computer and damaging a protected computer. The jury acquitted her of other charges, including access device fraud and aggravated identity theft.
Tomi Engdahl says:
Avast releases free decryptor for Hades ransomware variants https://www.bleepingcomputer.com/news/security/avast-releases-free-decryptor-for-hades-ransomware-variants/
Avast has released a decryptor for variants of the Hades ransomware known as ‘MafiaWare666’, ‘Jcrypt’, ‘RIP Lmao’, and ‘BrutusptCrypt’, allowing victims to recover their files for free. The security company says it discovered a flaw in the encryption scheme of the Hades strain, allowing some of the variants to be unlocked. However, this may not apply to newer or unknown samples that use a different encryption system. Utilizing Avast’s tool, victims of the supported ransomware variants can decrypt and access their files again without paying a ransom to the attackers, which ranges between $50 and $300. However, ransom demands reached tens of thousands in some cases.
Tomi Engdahl says:
Hundreds of Microsoft SQL servers backdoored with new malware https://www.bleepingcomputer.com/news/security/hundreds-of-microsoft-sql-servers-backdoored-with-new-malware/
Security researchers have found a new piece of malware targeting Microsoft SQL servers. Named Maggie, the backdoor has already infected hundreds of machines all over the world. Maggie is controlled through SQL queries that instruct it to run commands and interact with files.
Its capabilities extend to brute-forcing administrator logins to other Microsoft SQL servers and doubling as a bridge head into the server’s network environment. The backdoor was discovered by German analysts Johann Aydinbas and Axel Wauer of the DCSO CyTec. Telemetry data shows that Maggie is more prevalent in South Korea, India, Vietnam, China, Russia, Thailand, Germany, and the United States.
Tomi Engdahl says:
New Android malware ‘RatMilad’ can steal your data, record audio https://www.bleepingcomputer.com/news/security/new-android-malware-ratmilad-can-steal-your-data-record-audio/
A new Android spyware named ‘RatMilad’ was discovered targeting mobile devices in the Middle East, used to spy on victims and steal data. The RatMilad spyware was discovered by mobile security firm Zimperium, who warned that the malware could be used for cyber espionage, extortion, or to eavesdrop on victims’ conversations. “Similar to other mobile spyware we have seen, the data stolen from these devices could be used to access private corporate systems, blackmail a victim, and more,” warned a new report by Zimperium Labs shared with BleepingComputer before publication.
Tomi Engdahl says:
CISA: Multiple government hacking groups had ‘long-term’ access to defense company https://therecord.media/cisa-multiple-government-hacking-groups-had-long-term-access-to-defense-company/
Several U.S. agencies said it is likely that multiple government hacking groups had “long-term” access to the network of a defense company. In a report from the Cybersecurity and Infrastructure Security Agency (CISA), FBI and National Security Agency (NSA), the agencies said some of the hackers exploited Microsoft Exchange vulnerabilities on the unnamed organization’s server to gain access remotely and compromise legitimate company accounts to access emails, meetings, and contacts belonging to other employees. CISA said it initially discovered the issues while responding to hacker activity on the defense company’s network from November 2021 to January 2022.
Tomi Engdahl says:
City of Tucson discloses data breach affecting over 125,000 people https://www.bleepingcomputer.com/news/security/city-of-tucson-discloses-data-breach-affecting-over-125-000-people/
The City of Tucson, Arizona, has disclosed a data breach affecting the personal information of more than 125,000 individuals. As revealed in a notice of data breach sent to affected people, an attacker breached the city’s network and exfiltrated an undisclosed number of files containing sensitive information. The threat actors had access to the network between May 17 and May 31 and might have accessed or stolen documents containing the information of 123,513 individuals. “On May 29, 2022, the City learned of suspicious activity involving a user’s network account credential,” the data breach notification reads.
Tomi Engdahl says:
Colombia National Food and Drug Surveillance Institute hit with cyberattack https://therecord.media/colombia-national-food-and-drug-surveillance-institute-hit-with-cyberattack/
Colombia’s National Food and Drug Surveillance Institute (INVIMA) said it is dealing with a cyberattack that has disrupted operations at the agency. The organization said in a statement on Monday it has disabled its website, as well as connections to its servers, while it investigates the attack. As of Wednesday, its website was still offline. “Thanks to the timely response of our technical team, it has been possible to verify that the information, privacy and confidentiality of the data that the entity manages are protected,” the institute said in a statement on Monday.
Tomi Engdahl says:
Huge increase in smishing scams, warns IRS https://www.malwarebytes.com/blog/news/2022/09/huge-increase-in-smishing-scams-warns-irs
The Internal Revenue Service (IRS) has issued a warning for taxpayers about a recent increase in IRS-themed smishing scams aimed at stealing personal and financial information. Smishing is short for SMS phishing, where the phishes are sent via text message. The IRS has identified and reported thousands of fraudulent domains tied to multiple smishing scams targeting taxpayers. The most prevalent campaigns the IRS is warning about are scam messages that look like they’re coming from the IRS. These messages offer lures like fake COVID relief, tax credits, or help setting up an IRS online account.
Tomi Engdahl says:
Microsoft updates mitigation for ProxyNotShell Exchange zero days https://www.bleepingcomputer.com/news/security/microsoft-updates-mitigation-for-proxynotshell-exchange-zero-days/
Microsoft has updated the mitigations for the latest Exchange zero-day vulnerabilities tracked as CVE-2022-41040 and CVE-2022-41082, also referred to as ProxyNotShell. The initial recommendations were insufficient, as researchers showed that they can be easily bypassed to allow new attacks exploiting the two bugs. Unfortunately, the current recommendations are still not enough, and the proposed mitigation can still allow ProxyNotShell attacks.
Tomi Engdahl says:
NetWalker ransomware affiliate sentenced to 20 years by Florida court https://nakedsecurity.sophos.com/2022/10/05/netwalker-ransomware-affiliate-sentenced-to-20-years-by-florida-court/
Naked Security has written and talked about Sebastien Vachon-Desjardins before, in both article and podcast form.
Vachon-Desjardins had been a federal government worker in the Canadian Capital Region (he comes from Gatineau in Quebec, directly across the river from the federal capital Ottawa in Ontario), but he seems to have decided that joining the cybercrime underworld would be much more lucrative than his government job, and it seems that he did indeed rack up a small fortune in illegal earnings. He was tracked down, arrested, and convicted in his native Canada, and sentenced to nearly seven years in a Canadian prison.
Tomi Engdahl says:
Former Uber CISO Joe Sullivan Found Guilty Over Breach Cover Up
https://www.securityweek.com/former-uber-ciso-joe-sullivan-found-guilty
A San Francisco jury on Wednesday found former Uber security chief Joe Sullivan guilty of covering up a 2016 data breach and concealing information on a felony from law enforcement.
After a month-long trial that included testimony from Uber CEO Dara Khosrowshahi, the jury found Sullivan guilty of both charges — obstructing an FTC investigation of a data breach at Uber, and deliberately hiding a felony from authorities.
Sullivan, who was most recently CISO at Cloudflare, faces up to 8 years in prison.
According to the New York Times, the jury of six men and six women took more than 19 hours to reach a verdict.
Tomi Engdahl says:
Iranian Hackers Target Enterprise Android Users With New RatMilad Spyware
https://www.securityweek.com/iranian-hackers-target-enterprise-android-users-new-ratmilad-spyware
Zimperium is warning of an Iranian hacking group using a new piece of Android spyware in a broad campaign that has also targeted enterprise users.
Dubbed RatMilad, the threat can perform a variety of malicious actions once installed on a victim’s device, including manipulating files, recording audio, and modifying application permissions.
The first spyware sample that Zimperium observed was using the VPN and phone number spoofing app Text Me to hide itself. The mobile security firm also identified a live RatMilad sample distributed through NumRent, a variant of Text Me.
According to Zimperium, an Iran-based hacker group named AppMilad is distributing the phone spoofing app through links on social media and various messaging services, luring intended victims into sideloading it on their devices.
“The malicious actors have also developed a product website advertising the app to socially engineer victims into believing it is legitimate,” Zimperium says.
Tomi Engdahl says:
Admin from hell facing 10 years for sabotaging ex-employer’s network https://www.malwarebytes.com/blog/news/2022/10/ex-employee-faces-10-years-in-prison-for-misusing-login-details
The perils of the insider threats are often talked about in abstract terms, probably because most organisations want to keep a lid on internally-based bad actors. Every so often, concrete details emerge to highlight what a thoroughly rotten day a rogue employee can inflict on everybody else though.
Tomi Engdahl says:
Ransomware-affected school district refuses to pay, gets stolen data released https://www.malwarebytes.com/blog/news/2022/10/public-school-district-has-data-leaked-by-ransomware-gang
Data stolen from Los Angeles Unified School District has been leaked online, after staff refused to pay the ransom related to a ransomware attack. The attackers threatened to release the data if the ransom wasn’t paid, and so release it they did.
Tomi Engdahl says:
Former Uber CSO convicted of covering up megabreach back in 2016 https://nakedsecurity.sophos.com/2022/10/06/former-uber-cso-convicted-of-covering-up-megabreach-back-in-2016/
Joe Sullivan, who was Chief Security Officer at Uber from 2015 to 2017, has been convicted in a US federal court of covering up a data breach at the company in 2016. Sullivan was charged with obstructing proceedings conducted by the FTC (the Federal Trade Commission, the US consumer rights body), and concealing a crime, an offence known in legal terminology by the peculiar name of misprision.
Tomi Engdahl says:
Microsoft investigates Windows 11 22H2 Remote Desktop issues https://www.bleepingcomputer.com/news/microsoft/microsoft-investigates-windows-11-22h2-remote-desktop-issues/
Affected administrators and home users have been sharing their experiences across several online platforms, including Microsoft’s Q&A community platform for IT professionals. Installing the Windows 11 22H2 feature update will cause Remote Desktop clients not to connect, randomly disconnect, or freeze unexpectedly.
Tomi Engdahl says:
Cyber-snoops broke into US military contractor, stole data, hid for months https://www.theregister.com/2022/10/05/military_contractor_hack/
Spies for months hid inside a US military contractor’s enterprise network and stole sensitive data, according to a joint alert from the US government’s Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and NSA.
Tomi Engdahl says:
Australian Federal Police arrest man suspected of exploiting Optus cyberattack https://www.theregister.com/2022/10/06/optus_blackmail_arrest/
Customers were allegedly sent texts demanding $1,300 or face having their ID used in financial crime
Australia moots changes to privacy laws after Optus data breach https://www.zdnet.com/article/australia-moots-changes-to-privacy-laws-after-optus-data-breach
Government is revising regulations to allow telcos to temporarily share some of their customers’ personal information, such as driver’s licence and passport numbers, with financial services institutions to facilitate monitoring and remediation in the event of a data breach.
Tomi Engdahl says:
Linux Kernel 5.19.12 bug could damage Intel laptop displays https://www.bleepingcomputer.com/news/linux/linux-kernel-51912-bug-could-damage-intel-laptop-displays/
Linux users have reported seeing weird white flashes and rapid blinking on their Intel laptop displays after upgrading to Linux kernel version 5.19.12, leading to warnings that the bug may damage displays. Linux kernel version 5.19.12 isn’t experimental or beta but a point release of the stable branch that came out on September 28, 2022.
Tomi Engdahl says:
https://www.securityweek.com/australian-police-make-first-arrest-optus-hack-probe
Tomi Engdahl says:
BlackByte Ransomware Abuses Legitimate Driver to Disable Security Protections
https://www.securityweek.com/blackbyte-ransomware-abuses-legitimate-driver-disable-security-protections
The BlackByte ransomware has been observed targeting a vulnerability in a legitimate driver to disable endpoint detection and response (EDR) solutions running on the victim machine.
Although a decryptor for BlackByte ransomware was released in October last year, the threat has continued to remain active, with the FBI warning of attacks targeting critical infrastructure sectors, including government, financial, and food and agriculture organizations.
While investigating recent activity surrounding the ransomware-as-a-service (RaaS) and its new data leak site, Sophos security researchers discovered that the threat has been using a sophisticated technique that allows it to bypass security products.
Called ‘Bring Your Own Driver’, the technique involves dropping a vulnerable driver version on the victim’s machine, executing it, and abusing it to remove process creation callbacks from the kernel memory.
For this, BlackByte ransomware abuses drivers that Micro-Star’s graphics card overclocking utility MSI AfterBurner 4.6.2.15658 uses to gain extended control over graphic cards on the system. The ransomware operators also use valid code signing certificates to sign those drivers.
Tomi Engdahl says:
New ‘Maggie’ Backdoor Targeting Microsoft SQL Servers
https://www.securityweek.com/new-maggie-backdoor-targeting-microsoft-sql-servers
Security researchers with threat hunting firm DCSO CyTec are warning of a new backdoor that has been targeting Microsoft SQL (MSSQL) servers.
Dubbed Maggie, the threat is being deployed in the form of a signed Extended Stored Procedure (ESP) DLL file, a type of extension used by MSSQL. Once up and running on a target server, it can be controlled solely using SQL queries.
The backdoor supports numerous functions, including the ability to run commands and interact with files, and can be used by the attackers to gain a foothold into the compromised environment.
Additionally, Maggie can launch brute force attacks against other MSSQL servers, targeting admin accounts to add a hardcoded backdoor user.
To execute the backdoor on the target server, the attacker must place the ESP file in a directory that the MSSQL server can access, and needs valid credentials to load the ESP on the server.
DCSO CyTec notes that Maggie is manually loaded onto the server, after which it can start receiving SQL queries as commands.
MSSQL, meet Maggie
https://medium.com/@DCSO_CyTec/mssql-meet-maggie-898773df3b01
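Both Maggie items above say the backdoor is registered as an Extended Stored Procedure DLL in MSSQL and driven purely through SQL queries, which means the registration itself is the most durable thing a defender can inventory. The T-SQL below is an added example written for this collection, not code from DCSO CyTec or from the report; it assumes sysadmin rights on the instance and uses the real `sys.extended_procedures` catalog view, while the baseline names in the table variable are constructed placeholders to be replaced with an inventory recorded from a known-good server.

```sql
-- Added example (not from the DCSO CyTec report): inventory the extended
-- stored procedures registered in master and flag the ones that look
-- out of place. Run as a sysadmin. ESPs can only live in master, so that
-- is the only database queried here.

-- 1. Full inventory: every ESP, its backing DLL, and when it was added.
--    A recent create_date on an unfamiliar xp_* name is the first thing
--    to chase, because a freshly planted ESP has to be registered with
--    valid credentials, exactly as the report describes.
SELECT
    xp.name,
    xp.dll_name,
    xp.create_date,
    xp.modify_date
FROM master.sys.extended_procedures AS xp
ORDER BY xp.create_date DESC;

-- 2. Path heuristics: the built-in xp_* procedures usually carry a bare
--    file name (the DLL sits in the instance's Binn directory). An absolute
--    path, a UNC share, or a user/temp directory is worth a closer look.
--    Note: T-SQL LIKE treats backslash literally unless ESCAPE is given.
SELECT
    xp.name,
    xp.dll_name,
    xp.create_date
FROM master.sys.extended_procedures AS xp
WHERE xp.dll_name LIKE '%:\%'        -- absolute local path, e.g. D:\...
   OR xp.dll_name LIKE '\\%'         -- UNC path
   OR xp.dll_name LIKE '%\Temp\%'
   OR xp.dll_name LIKE '%\Users\%';

-- 3. Baseline diff: anything registered that is not in the recorded
--    inventory of a known-good instance. The two names below are
--    constructed placeholders, not real procedure names.
DECLARE @baseline TABLE (name sysname PRIMARY KEY);
INSERT INTO @baseline (name) VALUES
    (N'xp_placeholder_known_good_1'),   -- constructed placeholder
    (N'xp_placeholder_known_good_2');   -- constructed placeholder

SELECT
    xp.name,
    xp.dll_name,
    xp.create_date
FROM master.sys.extended_procedures AS xp
LEFT JOIN @baseline AS b ON b.name = xp.name
WHERE b.name IS NULL;
```

The third query is the one worth scheduling: capture the output of the first query on a clean build, store it as the baseline, and alert on any row the diff returns. Because the report notes that Maggie is loaded manually with valid credentials, pairing this with an audit of which login executed the registration (SQL Server Audit on the master database, or the default trace) turns an unexpected row into a lead on the account that was used.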
Tomi Engdahl says:
Insurance Giant Lloyd’s of London Investigating Cybersecurity Incident
https://www.securityweek.com/insurance-giant-lloyds-london-investigating-cybersecurity-incident
Insurance giant Lloyd’s of London is investigating a cybersecurity incident that has forced it to disconnect some systems.
The company says it has detected unusual activity and decided to ‘reset’ its network and systems as a precaution. It shut down all external connectivity, including its delegated authority platforms, in response to the incident.
“Following the unusual activity detected on Lloyd’s network, our precautionary work to secure systems has been completed overnight,” a Lloyd’s spokesperson told SecurityWeek on Thursday.
“Working with specialist partners and a dedicated team, we are currently evaluating the best options for reconnecting these systems, and we continue to investigate the issue. We continue to keep market participants and relevant parties updated,” the spokesperson added.
Tomi Engdahl says:
Cisco Patches High-Severity Vulnerabilities in Communications, Networking Products
https://www.securityweek.com/cisco-patches-high-severity-vulnerabilities-communications-networking-products
Cisco announced on Wednesday that it has patched potentially serious vulnerabilities in some of its networking and communications products, including Enterprise NFV, Expressway and TelePresence.
Tomi Engdahl says:
Hospital Chain Says ‘IT Security Issue’ Disrupts Operations
https://www.securityweek.com/hospital-chain-says-it-security-issue-disrupts-operations
A major nonprofit health system with 140 hospitals in 21 states, CommonSpirit Health, is reporting an “IT security issue” that has disrupted operations in multiple states.
A company spokesperson would not explain the nature of the apparent cyberattack, such as whether the organization’s IT network was hit by ransomware.
The Des Moines Register said the incident occurred Monday and forced the diversion of ambulances from the emergency department of the city’s Mercy One Medical Center to other medical facilities. The Chattanoogan reported that CHI Memorial Hospital was among facilities impacted.
In a statement Tuesday, CommonSpirit said it had taken “certain IT systems offline” including electronic health records as a precaution and rescheduled some patient appointments. It would not say whether patient records were accessed. Nor did it say when the apparent breach was detected.
https://eu.desmoinesregister.com/story/news/health/2022/10/04/mercyone-online-systems-shut-down-cybersecurity-incident-des-moines-hospital/69538349007/
https://www.commonspirit.org/news-and-perspectives/news/Statement-IT-Security-Issue
Tomi Engdahl says:
https://www.securityweek.com/personal-information-123k-individuals-exposed-city-tucson-data-breach
Tomi Engdahl says:
Karissa Bell / Engadget:
Meta warns 1M Facebook users that their account info may have been stolen by 400+ apps, often via a “Login with Facebook” button, on App Store and Google Play
Meta warns 1 million Facebook users who installed password-stealing apps
The apps were disguised as “fun or useful” services and were in Google and Apple’s stores.
https://www.engadget.com/meta-warns-malicious-third-party-apps-apple-google-120049486.html
Meta is warning 1 million Facebook users that their account information may have been compromised by third-party apps from Apple or Google’s stores. In a new report, the company’s security researchers say that in the last year they’ve identified more than 400 scammy apps designed to hijack users’ Facebook account credentials.
According to the company, the apps are disguised as “fun or useful” services, like photo editors, camera apps, VPN services, horoscope apps, and fitness tracking tools. The apps often require users to “Log In with Facebook” before they can access the promised features. But these login features are merely a means of stealing Facebook users’ account info. And Meta’s Director of Threat Disruption, David Agranovich, noted that many of the apps Meta identified were barely functional.
“Many of the apps provided little to no functionality before you logged in, and most provided no functionality even after a person agreed to login,” Agranovich said during a briefing with reporters.
Tomi Engdahl says:
Elizabeth Howcroft / Reuters:
Binance says 2M BNB, worth ~$570M, were stolen from its BNB Chain in an exploit; “majority” of BNB are in the hacker’s wallet, ~$100M worth were “unrecovered” — Hackers have stolen around $100 million worth of cryptocurrency from a Binance-linked blockchain …
Binance-linked blockchain hit by $570 million crypto hack
https://www.reuters.com/technology/hackers-steal-around-100-million-cryptocurrency-binance-linked-blockchain-2022-10-07/
A blockchain linked to Binance, the world’s largest crypto exchange, has been hit by a $570 million hack, a Binance spokesperson said on Friday, the latest in a series of hacks to hit the crypto sector this year.
Binance CEO Changpeng Zhao said in a tweet that tokens were stolen from a blockchain “bridge” used in the BNB Chain, known until February as Binance Smart Chain.
Blockchain bridges are tools used to transfer cryptocurrencies between different applications. Criminals have increasingly targeted them, with some $2 billion stolen in 13 different hacks, mostly this year, researcher Chainalysis said in August.
The hackers stole around $100 million worth of crypto, Zhao said in his tweet. BNB Chain later said in a blog post that a total of 2 million of the BNB cryptocurrency – worth around $570 million – was withdrawn by the hacker.
The majority of the BNB remained in the hacker’s digital wallet address, while about $100 million worth was “unrecovered,” the Binance spokesperson said by email.
BNB Chain supports BNB, formerly known as Binance Coin, which is the world’s fifth-largest token with a market value of over $45 billion, according to data site CoinGecko.
Elliptic, a London-based crypto blockchain researcher, told Reuters that the hacker had minted 2 million new BNB tokens before transferring most of the funds to other cryptocurrencies including Tether and USD Coin.
BNB Chain suspended its blockchain for several hours before resuming at around 0630 GMT, it said in a tweet.
BNB Chain was “able to stop the incident from spreading” by contacting the blockchain’s “validators,”
BNB Chain, described by Binance as a “community-driven, open-sourced and decentralized ecosystem,” said it would introduce a new “governance mechanism” to counter future hacks, as well as expand the number of validators.
Tomi Engdahl says:
Lauren Feiner / CNBC:
Biden signs an EO to implement Privacy Shield 2.0, the EU-US data transfer framework seeking to address EU concerns of surveillance by US intelligence agencies — President Joe Biden signed an executive order to implement a new framework to protect the privacy of personal data shared between the U.S. and Europe.
Biden signs executive order with new framework to protect data transfers between the U.S. and EU
https://www.cnbc.com/2022/10/07/biden-signs-executive-order-to-protect-data-transfers-between-us-eu.html
President Joe Biden signed an executive order to implement a new framework to protect the privacy of personal data shared between the U.S. and Europe.
A European court undid an earlier version of the framework in 2020.
The new Privacy Shield seeks to address European concerns of surveillance by U.S. intelligence agencies.
President Joe Biden signed an executive order to implement a new framework to protect the privacy of personal data shared between the U.S. and Europe, the White House announced Friday.
The new framework fills a significant gap in data protections across the Atlantic since a European court undid a previous version in 2020. The court found the U.S. had too great an ability to surveil European data transferred through the earlier system.
The court case, known as Schrems II, “created enormous uncertainty about the ability of companies to transfer personal data from the European Union to the United States in a manner consistent with EU law,”
The so-called Privacy Shield 2.0 seeks to address European concerns about possible surveillance by U.S. intelligence agencies.
The new framework will allow individuals in the EU to seek redress through an independent Data Protection Review Court made up of members outside of the U.S. government. That body “would have full authority to adjudicate claims and direct remedial measures as needed,” according to the March fact sheet.
The executive order directs the U.S. intelligence community to update policies and procedures to fit the new privacy protections in the framework. It also instructs the Privacy and Civil Liberties Oversight Board, an independent agency, to examine those updates and conduct an annual review of whether the intelligence community has fully adhered to binding redress decisions.
“The EU-U.S. Data Privacy Framework includes robust commitment to strengthen the privacy and civil liberties safeguards for signals intelligence, which will ensure the privacy of EU personal data,” Commerce Secretary Gina Raimondo told reporters Thursday.
The EU will then conduct an “adequacy determination” of the measures, the White House said. It will assess the sufficiency of the data protection measures in order to restore the data transfer mechanism.
American tech companies and industry groups applauded the measure, with Meta’s president of global affairs, Nick Clegg, writing on Twitter, “We welcome this update to US law which will help to preserve the open internet and keep families, businesses and communities connected, wherever they are in the world.”
But some consumer and data privacy watchdogs critiqued the extent of the data protections.
BEUC, a European consumer group, said in a release that the framework “is likely still insufficient to protect Europeans’ privacy and personal data when it crosses the Atlantic.”
Tomi Engdahl says:
https://media.defense.gov/2022/Oct/06/2003092365/-1/-1/0/Joint_CSA_Top_CVEs_Exploited_by_PRC_cyber_actors_.PDF
Tomi Engdahl says:
Twitter knows you took a screenshot, asks you to share instead
Users are being prompted to share (monetizable) links instead of screen images.
https://arstechnica.com/gadgets/2022/10/twitter-knows-you-took-a-screenshot-asks-you-to-share-instead
Twitter is seemingly working to remind people that interesting tweets are something you should click, load, and view while logged into the company’s ad-funded service, not merely see in a screenshot. That’s why some users are seeing a “Share Tweet?” pop-up whenever the Twitter app notices them taking a screenshot.
Social media analyst Matt Navarra noted the two kinds of nudge prompts in a tweet: “Copy link” and “Share Tweet.” TechCrunch noted that some of its staff members were receiving the prompt and pointed to another tweet in which Twitter provided both “Copy link” and “Share Tweet” buttons.
Twitter makes money when people visit the site in a browser or load it in Twitter’s official apps, then see sponsored tweets or pre-roll advertisements on native videos (users can also sign up for a Twitter Blue subscription). Screenshots, whether shared directly or on competing social platforms, don’t create revenue. Engaging with Twitter itself could encourage people to sign up and do more of that.
Twitter reported 237.8 million “average monetizable daily active usage” in Q2 2022, up 16.6 percent compared to the same quarter in 2021. The company claims this increase was driven by “ongoing product improvements” and “global conversation around current events.” It makes sense why Twitter, the corporate entity, prefers tweet links to screenshots, enough so to A/B/C test a prompt that can make users feel like the Twitter app is both closely watching and scolding them.
But for Twitter, the cultural entity, screenshots are enormously valuable, likely more so than links alone. If you’ve been engaging in Internet culture for years, you’ve seen why.
Former President Donald Trump used Twitter as a primary means of making news, announcing policies, and, on occasion, leaving himself open to legislative and judicial action.
Screenshots also provide context that a link cannot capture. Tweets with notable like, retweet, quote-tweet, or reply activity and numbers can be captured in the moment with a screenshot, as seen in tweets that have been “ratioed” or in seemingly banal statements that pull in incredible numbers. A reply to a tweet may provide important context, something you can’t be sure will show up if you link the reply tweet or if another tweet in the thread is altered or deleted.
And while Twitter’s edit button currently shows the revision history of an edited tweet, it can be important to see an original tweet, with its replies at the time, to capture its impact and context.
All of this points to the larger issue: Twitter may not be around forever. And Internet services with user content that can be embedded on websites have a history of disappearing and exporting their brokenness onto the pages that touched them.
This phenomenon is known as link rot.
When Twitter asks users to rely on their servers instead of finding a home for an image file, the service is suggesting its servers and business are more important than the context you might be trying to capture. For some tweets, that may be an easy trade-off, and it might just point to something users didn’t notice before. But Twitter should keep in mind that there are very good, even historical, reasons to ignore buy-in and grab what you see.
Comment:
You should be able to take a screenshot without the app or website knowing it. I know you can record the screen as a video on the phone, and you can plug a box between the computer and a monitor and record the HDMI signal, and there’s no way to prevent or know that you are doing it. And given that you can do it anyway, not sure why there would be one particular way that will report it.
Tomi Engdahl says:
“Stay far away from WhatsApp”, “A spying tool” – harsh criticism from the Telegram boss https://www.is.fi/digitoday/tietoturva/art-2000009120453.html
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/hackers-now-sharing-cracked-brute-ratel-post-exploitation-kit-online/
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/brave-browser-to-start-blocking-annoying-cookie-consent-banners/
Tomi Engdahl says:
https://www.trendmicro.com/en_us/research/22/j/water-labbu-abuses-malicious-dapps-to-steal-cryptocurrency.html
Tomi Engdahl says:
Iran State TV Hacked With Image of Supreme Leader in Crosshairs
https://www.securityweek.com/iran-state-tv-hacked-image-supreme-leader-crosshairs
Hackers backing Iran’s wave of women-led protests interrupted a state TV news broadcast with an image of gun-sight crosshairs and flames over the face of supreme leader Ayatollah Ali Khamenei, in footage widely shared online on Sunday.
In other anti-regime messages, activists have spray-painted “Death to Khamenei” and “The Police are the Murderers of the People” on public billboards in Tehran.
“The blood of our youths is on your hands,” read an on-screen message that flashed up briefly during the TV broadcast Saturday evening, as street protests sparked by the death of Mahsa Amini, 22, again rocked Tehran and other cities.
“Police forces used tear gas to disperse the crowds in dozens of locations in Tehran,” state news agency IRNA reported, adding the demonstrators “chanted slogans and set fire to and damaged public property, including a police booth”.
Anger has flared since the death of Amini on September 16, three days after the young Kurdish woman was arrested by the notorious morality police for an alleged breach of the Islamic republic’s strict dress code for women.
“Join us and rise up,” read another message in the TV hack claimed by the group Edalat-e Ali (Ali’s Justice).
Tomi Engdahl says:
Biden Signs Executive Order on US-EU Personal Data Privacy
https://www.securityweek.com/biden-signs-executive-order-us-eu-personal-data-privacy
Executive order requires that US signals intelligence activities be conducted “only in pursuit of defined national security objectives”
US President Joe Biden signed an executive order on Friday designed to protect the privacy of personal data transfers between the EU and the United States and address European concerns about US intelligence collection activities.
The executive order provides a new legal framework for trans-Atlantic data flows that are critical to the digital economy, the White House said.
It will be subject to review and ratification by the European Commission, a process expected to take several months.
“This is a culmination of our joint efforts to restore trust and stability to trans-Atlantic data flows,” Commerce Secretary Gina Raimondo told reporters.
“It will enable a continued flow of data that underpins more than a trillion dollars in cross-border trade and investment every year.”
US tech giants have faced a barrage of lawsuits from EU privacy activists concerned about the ability of US intelligence services to access the personal data of Europeans.
Europe’s top court has invalidated previous arrangements after hearing complaints that US laws violate the fundamental rights of EU citizens.
The White House said the executive order addresses concerns raised by the Court of Justice of the European Union when it ruled that the previous framework known as Privacy Shield did not provide adequate protection.
Privacy Shield, struck down in July 2020, was the successor to another EU-US deal, Safe Harbor, which was itself torpedoed by a court ruling in 2015.
Businesses have since resorted to legally uncertain workarounds to keep the data flow moving, with hope that the two sides could come up with something stronger in the long term.
US officials acknowledged that the new pact will almost certainly face intense legal scrutiny that began after revelations by Edward Snowden of mass digital spying by US agencies.
Executive Order On Enhancing Safeguards For United States Signals Intelligence Activities
https://www.whitehouse.gov/briefing-room/presidential-actions/2022/10/07/executive-order-on-enhancing-safeguards-for-united-states-signals-intelligence-activities/
Tomi Engdahl says:
VMware Patches Code Execution Vulnerability in vCenter Server
https://www.securityweek.com/vmware-patches-code-execution-vulnerability-vcenter-server
Virtualization giant VMware on Thursday announced patches for a vCenter Server vulnerability that could lead to arbitrary code execution.
A centralized management utility, the vCenter Server is used for controlling virtual machines and ESXi hosts, along with their dependent components.
Tracked as CVE-2022-31680 (CVSS score of 7.2), the security bug is described as an unsafe deserialization vulnerability in the platform services controller (PSC).
“A malicious actor with admin access on vCenter server may exploit this issue to execute arbitrary code on the underlying operating system that hosts the vCenter Server,” the company explains in an advisory.
Reported by Cisco Talos security researcher Marcin Noga, the vulnerability was addressed with the release of VMware vCenter Server 6.5 U3u.
This week, VMware also released a patch for a low-severity denial-of-service (DoS) vulnerability in the VMware ESXi bare metal hypervisor.
Tracked as CVE-2022-31681, the issue is described as a null-pointer dereference flaw that could allow “a malicious actor with privileges within the VMX process only” to create a DoS condition on the host.
Reported by VictorV (Tangtianwen) of Cyber Kunlun Lab, the bug was addressed with ESXi versions ESXi70U3sf-20036586, ESXi670-202210101-SG, and ESXi650-202210101-SG. Cloud Foundation (ESXi) is also impacted by this vulnerability, VMware says.
VMware recommends that all customers update to a patched version of the impacted software. The company makes no mention of any of these vulnerabilities being exploited in attacks.
Tomi Engdahl says:
https://www.securityweek.com/cyberinsurance-startup-elpha-secure-raises-20-million
Tomi Engdahl says:
Meta Warns of Password Stealing Phone Apps
https://www.securityweek.com/meta-warns-password-stealing-phone-apps
Meta warned a million Facebook users Friday that they have been “exposed” to seemingly innocuous smartphone applications designed to steal passwords to the social network.
So far this year, Meta has identified more than 400 “malicious” apps tailored for smartphones powered by Apple or Android software and available at the Apple and Google app stores, director of threat disruption David Agranovich said during a briefing.
“These apps were listed on the Google Play Store and Apple’s App Store and disguised as photo editors, games, VPN services, business apps and other utilities to trick people into downloading them,” Meta said in a blog post.
The apps often ask people to login with their Facebook account information to use promised features, stealing usernames and passwords if entered, according to Meta’s security team.
“They are just trying to trick people into entering in their login information in a way that enables hackers to access their accounts,” Agranovich said of the apps.
“We will notify one million users that they may have been exposed to these applications; that is not to say they have been compromised.”
More than 40 percent of the apps Meta listed involved ways to edit or manipulate images, and some were as seemingly simple as using smartphones as flashlights.
Tomi Engdahl says:
Binance Bridge Hit by $560 Million Hack
https://www.securityweek.com/binance-bridge-hit-560-million-hack
Hackers have exploited a cross-chain bridge to divert more than $560 million worth of cryptocurrency from Binance Bridge.
Operating on the Binance Coins (BNB) Smart Chain, Binance Bridge is a blockchain bridge designed to help with the transfer of information and assets between blockchains.
On Thursday, Binance CEO Changpeng Zhao announced on Twitter that hackers exploited a vulnerability in the BSC (BNB Chain) Token Hub cross-chain bridge (blockchain bridge).
“An exploit on a cross-chain bridge, BSC Token Hub, resulted in extra BNB. We have asked all validators to temporarily suspend BSC. The issue is contained now. Your funds are safe. We apologize for the inconvenience and will provide further updates accordingly,” he said.
According to Zhao, the overall impact of the hack is of around $100 million worth of BNB. However, the attackers’ wallet reportedly received two transactions of 1,000,000 BNB each, worth a total of more than $560 million.
Soon after, the hackers started transferring funds to other cryptocurrency wallets, including over $50 million to Ethereum and roughly the same amount to Fantom.
Tomi Engdahl says:
Hacker steals $566 million worth of crypto from Binance Bridge https://www.bleepingcomputer.com/news/security/hacker-steals-566-million-worth-of-crypto-from-binance-bridge/
Hackers have reportedly stolen 2 million Binance Coins (BNB), worth $566 million, from the Binance Bridge. Details are scant at the moment, but the attack appears to have started at 2:30 PM EST today, with the attacker’s wallet receiving two transactions, each consisting of 1,000,000 BNB.
Tomi Engdahl says:
Meta sues app dev for stealing over 1 million WhatsApp accounts https://www.bleepingcomputer.com/news/security/meta-sues-app-dev-for-stealing-over-1-million-whatsapp-accounts/
Meta has sued several Chinese companies doing business as HeyMods, Highlight Mobi, and HeyWhatsApp for developing and allegedly using “unofficial” WhatsApp Android apps to steal over one million WhatsApp accounts starting May 2022.
Tomi Engdahl says:
Avast releases free decryptor for MafiaWare666 ransomware variants https://www.bleepingcomputer.com/news/security/avast-releases-free-decryptor-for-mafiaware666-ransomware-variants/
Avast has released a decryptor for variants of the MafiaWare666 ransomware known as ‘Jcrypt’, ‘RIP Lmao’, and ‘BrutusptCrypt’, allowing victims to recover their files for free.
Tomi Engdahl says:
Eternity Group Hackers Offering New LilithBot Malware-as-a-Service to Cybercriminals https://thehackernews.com/2022/10/eternity-group-hackers-offering-new.html
The threat actor behind the malware-as-a-service (MaaS) known as Eternity Group has been linked to a new piece of malware called LilithBot.