Cyber security news October 2022

This posting is here to collect cyber security news in October 2022.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.

395 Comments

  1. Tomi Engdahl says:

    Spyware Maker Intellexa Sued by Journalist https://www.schneier.com/blog/archives/2022/10/spyware-maker-intellexa-sued-by-journalist.html
    The Greek journalist Thanasis Koukakis was spied on by his own government, with a commercial spyware product called “Predator.” That product is sold by a company in North Macedonia called Cytrox, which is in turn owned by an Israeli company called Intellexa.

    Reply
  2. Tomi Engdahl says:

    Facebook Detects 400 Android and iOS Apps Stealing Users Log-in Credentials https://thehackernews.com/2022/10/facebook-detects-400-android-and-ios.html
    Meta Platforms on Friday disclosed that it had identified over 400 malicious apps on Android and iOS that it said targeted online users with the goal of stealing their Facebook login information.

    Reply
  3. Tomi Engdahl says:

    Hackers Exploiting Unpatched RCE Flaw in Zimbra Collaboration Suite https://thehackernews.com/2022/10/hackers-exploiting-unpatched-rce-flaw.html
    A severe remote code execution vulnerability in Zimbra’s enterprise collaboration software and email platform is being actively exploited, with no patch currently available to remediate the issue. The shortcoming, assigned CVE-2022-41352, carries a critical-severity rating of CVSS 9.8, providing a pathway for attackers to upload arbitrary files and carry out malicious actions on affected installations.

    Reply
  4. Tomi Engdahl says:

Finnish accounts were broken into, but how? This is how Zalando responds https://www.iltalehti.fi/tietoturva/a/4c44d72d-106a-4008-ad25-d988ea524d9c
German retailer Zalando has answered Iltalehti's questions about the attacks on the company's online store. Iltalehti reported on Thursday how Finnish Zalando accounts may have been used to order products around Europe.

    Reply
  5. Tomi Engdahl says:

    Fortinet Warns of New Auth Bypass Flaw Affecting FortiGate and FortiProxy https://thehackernews.com/2022/10/fortinet-warns-of-new-auth-bypass-flaw.html
    Fortinet has privately warned its customers of a security flaw affecting FortiGate firewalls and FortiProxy web proxies that could potentially allow an attacker to perform unauthorized actions on susceptible devices.

    Reply
  6. Tomi Engdahl says:

    Microsoft Issues Improved Mitigations for Unpatched Exchange Server Vulnerabilities https://thehackernews.com/2022/10/microsoft-issues-improved-mitigations.html
    Microsoft on Friday disclosed it has made more improvements to the mitigation method offered as a means to prevent exploitation attempts against the newly disclosed unpatched security flaws in Exchange Server.

    Reply
  7. Tomi Engdahl says:

    ADATA denies RansomHouse cyberattack, says leaked data from 2021 breach https://www.bleepingcomputer.com/news/security/adata-denies-ransomhouse-cyberattack-says-leaked-data-from-2021-breach/
Taiwanese chip maker ADATA denies claims of a RansomHouse cyberattack after the threat actors began posting stolen files on their data leak site. The RansomHouse gang added ADATA files to their data leak site on Tuesday, claiming they stole 1TB worth of documents in a 2022 cyberattack. The threat actors also leaked samples of allegedly stolen files, which appear to belong to the company.

    Reply
  8. Tomi Engdahl says:

Do You Need To Delete WhatsApp After Serious New Warning?
    https://www.forbes.com/sites/zakdoffman/2022/10/09/do-you-need-to-delete-whatsapp-on-your-apple-iphone-or-google-android-and-use-imessage-or-telegram
More alarming headlines for WhatsApp this week, as its latest security threat prompted a warning for its 2 billion users to “stay away from WhatsApp,” claiming that the world’s most popular messenger “has now been a surveillance tool for 13 years.”

    Reply
  9. Tomi Engdahl says:

Ransomware attack delays patient care at hospitals across the U.S.
    https://www.nbcnews.com/tech/security/ransomware-attack-delays-patient-care-hospitals-us-rcna50919
    One of the largest hospital chains in the U.S. was hit with a suspected ransomware cyberattack this week, leading to delayed surgeries, hold ups in patient care and rescheduled doctor appointments across the country.

    Reply
  10. Tomi Engdahl says:

    Apple’s new crash detection feature for the iPhone 14 and Apple Watch is calling 911 when people ride roller coasters
    https://finance.yahoo.com/news/apples-crash-detection-feature-iphone-203043205.html?guccounter=1&guce_referrer=aHR0cDovL20uZmFjZWJvb2suY29tLw&guce_referrer_sig=AQAAABA0QbfOPjqkGLG0B9F6OqNN6WTla9HgHZAOVyF42YzKiqy6qUO4_S5GaX2Hnctc8kswBA1MRoNr_ApmYCNE2WFJtOgMTguqIeNQWIekKOe7pl9HhlvqeZBWSh1jhqzXmd9nh5BwUn5RllACcTK5usnvaftvxD9WwBV8bB5bC_SY

    Apple recently introduced crash detection for iPhone 14 and Apple Watch. It’s supposed to detect when users get into a crash and help them reach emergency services.

    It seems to be overreacting in some cases, though.

    Crash detection is calling 911 when users go on roller coaster rides, WSJ and Coaster101 report.

    Reply
  11. Tomi Engdahl says:

New iPhone calls emergency numbers on roller coasters https://www.is.fi/digitoday/mobiili/art-2000009124347.html
The automatic crash detection of Apple's new iPhone 14 phones generates false alarms in surprising situations. The Wall Street Journal reports cases at various amusement parks in the United States where an iPhone has called the emergency number during a roller coaster ride.

    Reply
  12. Tomi Engdahl says:

German media: Germany's cyber security chief faces dismissal over Russia ties
https://yle.fi/uutiset/3-12654361
According to German media reports, the head of the federal information security agency is suspected of having connections to people who have been linked to Russia's security service.

    Reply
  13. Tomi Engdahl says:

    Fake adult sites push data wipers disguised as ransomware https://www.bleepingcomputer.com/news/security/fake-adult-sites-push-data-wipers-disguised-as-ransomware/
    Malicious adult websites push fake ransomware which, in reality, acts as a wiper that quietly tries to delete almost all of the data on your device.

    Reply
  14. Tomi Engdahl says:

    Criminal multitool LilithBot arrives on malware-as-a-service scene https://www.theregister.com/2022/10/10/eternity_lilithbot_malware_bundle/
    A Russia based threat group that set up a malware distribution shop earlier this year is behind a Swiss Army knife-like botnet that comes with a range of other malicious capabilities, from stealing information to mining cryptocurrency.

    Reply
  15. Tomi Engdahl says:

    EU-US Data Sharing Deal Is Signed Off – But May Face Further Challenges https://www.forbes.com/sites/emmawoollacott/2022/10/10/eu-us-data-sharing-deal-is-signed-offbut-may-face-further-challenges
    US president Joe Biden has signed an executive order limiting the ability of US national security agencies to access European citizens’
    personal information, as part of a data-sharing deal with the EU.

    Reply
  16. Tomi Engdahl says:

    Darkweb market BidenCash gives away 1.2 million credit cards for free https://www.bleepingcomputer.com/news/security/darkweb-market-bidencash-gives-away-12-million-credit-cards-for-free/
A dark web carding market named ‘BidenCash’ has released a massive dump of 1,221,551 credit cards to promote their marketplace, allowing anyone to download them for free to conduct financial fraud.
    Carding is the trafficking and use of credit cards stolen through point-of-sale malware, magecart attacks on websites, or information-stealing malware.

    Reply
  17. Tomi Engdahl says:

    US airports’ sites taken down in DDoS attacks by pro-Russian hackers https://www.bleepingcomputer.com/news/security/us-airports-sites-taken-down-in-ddos-attacks-by-pro-russian-hackers/
The pro-Russian hacktivist group ‘KillNet’ is claiming large-scale distributed denial-of-service (DDoS) attacks against websites of several major airports in the U.S., making them inaccessible.

    Reply
  18. Tomi Engdahl says:

    Zimbra remote code execution vulnerability actively exploited in the wild https://portswigger.net/daily-swig/zimbra-remote-code-execution-vulnerability-actively-exploited-in-the-wild
    The bug was assigned the tracker CVE-2022-41352 in late September.
Issued a CVSS severity score of 9.8, the critical issue can be exploited to plant a shell in the software’s root directory, achieving RCE and enabling attackers to wreak havoc on a vulnerable system.

    Reply
  19. Tomi Engdahl says:

    US Airport Websites Hit by Suspected Pro-Russian Cyberattacks
    https://www.securityweek.com/us-airport-websites-hit-suspected-pro-russian-cyberattacks

    The websites for a number of major US airports were briefly taken offline Monday after a cyberattack promoted by a pro-Russian hacking group.

    The distributed denial of service (DDoS) attacks hit the airport websites of several major US cities including Atlanta, Chicago, Los Angeles, New York, Phoenix and St Louis.

    A DDoS attack involves knocking a website offline by flooding it with traffic.

    The airport websites were targeted after the pro-Russian hacking group known as “KillNet” published a list of sites and encouraged its followers to attack them.

    The DDoS attacks only affected the public-facing websites of the airports, which supply flight and services information and do not have any impact on operations.

    Reply
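The SecurityWeek item above describes a DDoS as flooding a site with traffic. As an added illustration (not part of the article or of any airport's tooling), the following Python scans web server access log lines with a sliding time window, flagging single sources that exceed a per-source rate and reporting the peak aggregate request rate, which is the signal that matters for a distributed flood where no one source is loud. The log lines, IP addresses (documentation ranges) and thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Common Log Format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp) for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FORMAT)


def _peak_in_window(times, window):
    """Largest number of sorted timestamps that fall inside any window-sized span."""
    start, peak = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def flag_flooding_sources(lines, window_seconds=10, threshold=5):
    """Map source IP -> peak requests in one window, for sources at or above threshold."""
    by_ip = defaultdict(list)
    for parsed in map(parse_line, lines):
        if parsed:
            by_ip[parsed[0]].append(parsed[1])
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, times in by_ip.items():
        peak = _peak_in_window(sorted(times), window)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def peak_requests_in_window(lines, window_seconds=10):
    """Peak aggregate requests across all sources; a distributed flood shows up here."""
    times = sorted(p[1] for p in map(parse_line, lines) if p)
    return _peak_in_window(times, timedelta(seconds=window_seconds))


def _constructed_sample_log():
    """Constructed log: a quiet baseline, then a burst from many sources with one loud one."""
    base = datetime(2022, 10, 10, 14, 0, 0, tzinfo=timezone.utc)
    lines = []

    def entry(ip, offset_s, path="/flights"):
        ts = (base + timedelta(seconds=offset_s)).strftime(TS_FORMAT)
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512'

    # baseline: three clients, one request every 30 s
    for i in range(4):
        for ip in ("198.51.100.10", "198.51.100.11", "198.51.100.12"):
            lines.append(entry(ip, i * 30))
    # burst at t=120 s: ten sources, two requests each, all within four seconds
    for k in range(10):
        ip = f"203.0.113.{k + 1}"
        lines.append(entry(ip, 120 + k * 0.4))
        lines.append(entry(ip, 122 + k * 0.2))
    # one loud source inside the burst: eight requests within three seconds
    for k in range(8):
        lines.append(entry("203.0.113.77", 121 + k * 0.375))
    return lines


SAMPLE_LOG = _constructed_sample_log()

if __name__ == "__main__":
    print("loud sources:", flag_flooding_sources(SAMPLE_LOG))
    print("peak requests in 10 s:", peak_requests_in_window(SAMPLE_LOG))
```

The per-source check catches only the one loud client; the ten sources sending two requests each stay under the threshold, yet together they dominate the aggregate window, which is why a volumetric alert needs the second number compared against a normal baseline.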
  20. Tomi Engdahl says:

    State Bar of Georgia Confirms Data Breach Following Ransomware Attack
    https://www.securityweek.com/state-bar-georgia-confirms-data-breach-following-ransomware-attack

    The State Bar of Georgia was hit by a ransomware attack earlier this year and the organization has now confirmed that member and employee information was compromised.

The incident occurred in April 2022 and was disclosed in early May, when few details were shared by the organization. Roughly one month later, the bar revealed that the attack involved BitLocker ransomware, which encrypted tens of servers and workstations.

    “Although this has been officially described as a ransomware attack, no monetary demand has been made and no proof of possession of any personally identifiable information or other data has been provided,” a State Bar of Georgia representative said at the time.

    The bar initially said there was no evidence that personal information had been compromised, but a statement released last week revealed that some information on current and former employees, as well as members, may have been obtained by the attacker.

    Exposed personal information includes names, addresses, dates of birth, social security numbers, driver’s license numbers, direct deposit information, or name change information.

    “Although we had security protocols and technology in place to help prevent unauthorized access, some of those defenses were evaded,” the bar said.

    Every individual authorized to practice law in the State of Georgia is required to be a member, and the organization claims to have more than 50,000 members.

    Reply
  21. Tomi Engdahl says:

    Several Horner PLC Software Vulnerabilities Allow Code Execution via Malicious Font Files
    https://www.securityweek.com/several-horner-plc-software-vulnerabilities-allow-code-execution-malicious-font-files

    A cybersecurity researcher has discovered a total of seven high-severity remote code execution vulnerabilities in Horner Automation’s Cscape product and they can all be exploited using malicious font files.

    Horner Automation is a US-based company that provides solutions for industrial process and building automation. Its Cscape programmable logic controller (PLC) software provides ladder diagram programming and operator interface development capabilities. According to the US Cybersecurity and Infrastructure Security Agency (CISA), Cscape is used worldwide, including in the critical manufacturing sector.

    Researcher Michael Heinzl has discovered seven vulnerabilities in Cscape: four in 2021 and three in 2022. The first round of vulnerabilities was disclosed in May 2022, and CISA and the researcher published advisories for the second round of vulnerabilities in early October. According to CISA, the vendor has released updates that should patch all of these security holes.

    Reply
  22. Tomi Engdahl says:

    Second Australia-Based Singtel Subsidiary Hacked
    https://www.securityweek.com/second-australia-based-singtel-subsidiary-hacked

    Hackers have attacked a second subsidiary of Singapore Telecommunications Ltd (Singtel), the company said Monday, but analysts said it appeared the Southeast Asian telecom giant was not being specifically targeted.

    In a filing with the Singapore Exchange, Singtel included a statement from Dialog, an Australia-based IT services consulting company it acquired in April, confirming that “an unauthorized third party may have accessed company data”.

Dialog said “fewer than 20” of its clients and about 1,000 current and former employees may have been affected.

    The unauthorised access was detected on September 10, and on October 7 it was discovered that “a very small sample of Dialog’s data, including some employee personal information, was published on the Dark Web”, the company said.

    Optus, Australia’s second-biggest telecom firm and also a Singtel subsidiary, revealed last month that information on up to 9.8 million of its customers — more than a third of the country’s population — may have been compromised in a massive cyberattack.

    The Optus breach, one of the largest hacks in Australia’s history, led to the theft of customers’ names, birth dates, phone numbers, addresses, driver’s licence information and passport numbers, the company said.

    Reply
  23. Tomi Engdahl says:

    Critical Remote Code Execution Vulnerability Found in vm2 Sandbox Library
    https://www.securityweek.com/critical-remote-code-execution-vulnerability-found-vm2-sandbox-library

    A critical vulnerability in vm2 may allow a remote attacker to escape the sandbox and execute arbitrary code on the host.

    A highly popular JavaScript sandbox library with more than 16 million monthly downloads, vm2 supports the execution of untrusted code synchronously in a single process.

    In August 2022, security researchers with Oxeye discovered CVE-2022-36067, a critical-severity defect in vm2 assessed with a CVSS score of 10 and which should put all vm2 users on alert, due to its potential widespread impact.

    The root cause of the vulnerability, which Oxeye’s researchers have named SandBreak, resides in the way vm2 maintainers implemented a Node.js feature that allows them to customize the call stack of errors in the software testing framework.

    “While reviewing the previous bugs disclosed to the vm2 maintainers, we noticed an interesting technique: the bug reporter abused the error mechanism in Node.js to escape the sandbox,” Oxeye senior security researcher Gal Goldshtein said.

    When an error occurs, Node.js calls a specific method and provides it with an array of ‘CallSite’ objects as arguments. Some of the CallSite objects, the researchers explain, may return objects created outside the sandbox.

    An attacker controlling one of the returned objects may “access Node’s global objects and execute arbitrary system commands from there”, Oxeye says.

    Reply
  24. Tomi Engdahl says:

    Android Security Updates Patch Critical Vulnerabilities
    https://www.securityweek.com/android-security-updates-patch-critical-vulnerabilities

    The October 2022 security updates for Android started rolling out last week with patches for roughly 50 vulnerabilities, including a critical-severity flaw in the Framework component.

    Tracked as CVE-2022-20419 and described as an information disclosure bug, the critical flaw has been resolved with the ‘2022-10-01 security patch level’, along with five other vulnerabilities in Framework that could lead to elevation of privilege, information disclosure and denial of service (DoS).

    “The most severe of these issues is a critical security vulnerability in the Framework component that could lead to local escalation of privilege with no additional execution privileges needed,” Google notes in its advisory.

    The ‘2022-10-01 security patch level’ resolves nine other security holes, impacting two components: Media Framework (two information disclosure bugs) and System (three elevation of privilege, three information disclosure, and one DoS issue).

    https://source.android.com/docs/security/bulletin/2022-10-01

    Reply
  25. Tomi Engdahl says:

Mikko Hyppönen's grim prediction came true: ”People asked whether I had inside information” https://www.is.fi/digitoday/tietoturva/art-2000009125512.html

    Reply
  26. Tomi Engdahl says:

    Securing Developer Tools: A New Supply Chain Attack on PHP
    https://blog.sonarsource.com/securing-developer-tools-a-new-supply-chain-attack-on-php/

    Key facts

    Sonar discovered and responsibly disclosed a critical vulnerability in Packagist, a central component of the PHP supply chain, to help secure developer tools.
    This vulnerability allows gaining control of Packagist. It is used by the PHP package manager Composer to determine and download software dependencies that are included by developers in their projects.
    Virtually all organizations running PHP code are using Composer, which serves 2 billion software packages every month. More than a hundred million of these requests could have been hijacked to distribute malicious dependencies and compromise millions of servers.
    This new research came out a year after a similar finding in the same service, documented in PHP Supply Chain Attack on Composer.
    This vulnerability was fixed within hours by the maintainers of the affected service.

    One year after our first publication about a critical vulnerability in the PHP supply chain (read more in PHP Supply Chain Attack on Composer), the Sonar R&D team uncovered a new critical vulnerability in similar components. It allowed taking control of the server distributing information about existing PHP software packages, and ultimately compromising every organization that uses them.

    Reply
  27. Tomi Engdahl says:

    Toyota Discloses Data Breach Impacting Source Code, Customer Email Addresses
    https://www.securityweek.com/toyota-discloses-data-breach-impacting-source-code-customer-email-addresses

    Japanese car manufacturer Toyota has disclosed a security incident that involved source code hosted on GitHub and which may have resulted in unauthorized access to roughly 300,000 customer email addresses.

    The incident, the company says, impacts customers who have subscribed to the T-Connect website, a service and mobile application that provides users with car management features such as find my car, maintenance reminders, concierge services, and vehicle information.

    In a data breach notice, the carmaker explains that the root cause of the data breach was a subcontractor uploading Toyota source code to a GitHub repository that was inadvertently set to public access.

    Because of this misconfiguration, the source code remained exposed to the internet between December 2017 and September 2022, when public access to the repository was revoked.

    The source code, the company says, contained an access key to a server where customer information such as email addresses and management numbers (assigned automatically to each user) were stored.

    Toyota says that, immediately after identifying the data breach, it made the GitHub repository private and changed the access key to the impacted server.

    Reply
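The Toyota notice above traces the breach to an access key committed into source code that ended up in a public repository. As an added example, not Toyota's or GitHub's tooling, the Python below is a minimal secret scanner of the kind run in a pre-commit hook or CI job: it matches well-known key formats (the AWS access key id prefix is a public format; the key value used is AWS's documented example) plus generic assignments to names like ACCESS_KEY or TOKEN, and uses a Shannon entropy threshold to ignore obvious placeholders. The sample source file, rule names and threshold are constructed for the example.

```python
import math
import re

# Detection rules. The AWS rule keys on a public identifier format; the generic
# rule catches ACCESS_KEY = "..." style assignments holding a long token.
# Both are illustrative, not an exhaustive rule set.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic_assigned_secret": re.compile(
        r"(?i)(?:access[_-]?key|secret|token|api[_-]?key|password)"
        r"\s*[:=]\s*['\"]([A-Za-z0-9+/=_\-]{16,})['\"]"
    ),
}


def shannon_entropy(s: str) -> float:
    """Bits per character; random tokens score high, words and placeholders score low."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_source(text: str, min_entropy: float = 3.5) -> list:
    """Return one finding per distinct credential-looking token per line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        seen = set()
        for rule, pat in PATTERNS.items():
            for m in pat.finditer(line):
                token = m.group(1) if m.groups() else m.group(0)
                if token in seen:
                    continue  # already reported by a more specific rule
                if rule == "generic_assigned_secret" and shannon_entropy(token) < min_entropy:
                    continue  # low-entropy value, e.g. a placeholder, not a real secret
                seen.add(token)
                # never echo the secret itself into logs or CI output
                findings.append({"line": lineno, "rule": rule, "preview": token[:4] + "..."})
    return findings


# Constructed sample file modelled on the misconfiguration described in the article.
SAMPLE_SOURCE = """\
# constructed sample, not real code
DB_HOST = "db.internal.example"
ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
API_TOKEN = "f3c1b2a9d8e7c6b5a4f3e2d1c0b9a8f7"
PASSWORD = "changeme_changeme_changeme"
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f['line']}: {f['rule']} ({f['preview']})")
```

Running it reports the AWS-format key on line 3 and the hex token on line 4, while the placeholder password on line 5 is skipped by the entropy filter. A scanner like this only reduces the chance of a commit slipping through; the remediation Toyota describes, rotating the exposed key, is still the step that ends the exposure, because a key in repository history stays leaked even after the file is removed.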
  28. Tomi Engdahl says:

    Intel Confirms UEFI Source Code Leak as Security Experts Raise Concerns
    https://www.securityweek.com/intel-confirms-uefi-source-code-leak-security-experts-raise-concerns

    Intel has confirmed that some of its UEFI source code has been leaked, and while some security experts believe the incident could have serious implications the chipmaker says it’s not concerned.

    Last week, someone announced leaking source code associated with the Alder Lake BIOS — Alder Lake is Intel’s codename for its 12th generation Core processors. The files total nearly 6 Gb and they were made public on GitHub and other websites.

    Mark Ermolov, a security researcher who specializes in Intel products, analyzed the leaked code and reported finding a private signing key which, he claimed, meant the Intel Boot Guard feature, which is designed to protect the integrity of the boot process, could no longer be trusted.

    Intel has confirmed the unauthorized disclosure of proprietary UEFI code and blamed the leak on an unnamed third-party.

    “Intel does not believe this exposes, or creates, any new security vulnerabilities as we do not rely on obfuscation of information as a security measure,” the tech giant told SecurityWeek.

    “This code is covered under Intel Bug Bounty Program within a Project Circuit Breaker campaign, and we encourage any security researchers who may identify potential vulnerabilities to bring them to our attention through this program or our vulnerability disclosure program. We are reaching out to customers, partners and the security research community to keep them informed of this situation,” Intel added.

    Reply
  29. Tomi Engdahl says:

    LofyGang Cybercrime Group Used 200 Malicious NPM Packages for Supply Chain Attacks
    https://www.securityweek.com/lofygang-cybercrime-group-used-200-malicious-npm-packages-supply-chain-attacks

    A cybercrime group named LofyGang has distributed roughly 200 malicious NPM packages that have been downloaded thousands of times over the past year, according to Checkmarx.

    Likely operating out of Brazil, LofyGang appears to be an organized crime group focused on multiple hacking activities, including credit card data theft and Discord premium upgrades, as well as the hacking of games and streaming service accounts.

    LofyGang has been observed abusing multiple public cloud services for command and control (C&C) purposes, including Discord, GitHub, glitch, Heroku, and Repl.it, creating sock-puppet accounts using a closed dictionary of names (slight permutations of evil, devil, lofy, polar, panda, kakau, and vilão).

    Since October 2021, the group has been using a Discord server for communication between administrators and members, and to provide technical support for its hacking tools.

    Reply
  30. Tomi Engdahl says:

    Caffeine service lets anyone launch Microsoft 365 phishing attacks https://www.bleepingcomputer.com/news/security/caffeine-service-lets-anyone-launch-microsoft-365-phishing-attacks/
    A phishing-as-a-service (PhaaS) platform named ‘Caffeine’ makes it easy for threat actors to launch attacks, featuring an open registration process allowing anyone to jump in and start their own phishing campaigns.

    Reply
  31. Tomi Engdahl says:

    Hackers behind IcedID malware attacks diversify delivery tactics https://www.bleepingcomputer.com/news/security/hackers-behind-icedid-malware-attacks-diversify-delivery-tactics/
    The threat actors behind IcedID malware phishing campaigns are utilizing a wide variety of distribution methods, likely to determine what works best against different targets.

    Reply
  32. Tomi Engdahl says:

Cyber security does not move young adults: “for the young, war is a historically distant period”
https://www.tivi.fi/uutiset/tv/7ab73d4f-0f92-471d-a78e-bdb6b4c96525
A survey commissioned by Deloitte shows that the changed world situation has made Finns interested in cyber security.

    Reply
  33. Tomi Engdahl says:

Toyota apologizes: customer data was publicly available online for years https://www.tivi.fi/uutiset/tv/449e53fa-af32-45c2-8045-0063cff70caa
Car manufacturer Toyota has published an apology and a statement about a peculiar blunder. As a result of a subcontractor's mistake, the data of hundreds of thousands of customers was publicly available online for several years. Fortunately, there is no risk of serious misuse.

    Reply
  34. Tomi Engdahl says:

    Microsoft Warns of New Zero-Day; No Fix Yet for Exploited Exchange Server Flaws
    https://www.securityweek.com/microsoft-warns-new-zero-day-no-fix-yet-exploited-exchange-server-flaws

Microsoft on Tuesday released software fixes to address more than 90 security defects affecting products in the Windows ecosystem and warned that one of the vulnerabilities was already being exploited as a zero-day in the wild.

The exploited vulnerability – documented as CVE-2022-41033 – affects the Windows COM+ event system service and has been exploited in elevation of privilege attacks, suggesting it was used as part of an exploit chain detected in the wild.

    The latest zero-day was reported anonymously to Microsoft.

    The new warning comes less than a month after Microsoft’s security response team scrambled to issue mitigations for a pair of Exchange Server flaws targeted by a nation state-level threat actor.

    Those two Exchange Server vulnerabilities – CVE-2022-41040 and CVE-2022-21082 — remain unpatched.

    Reply
  35. Tomi Engdahl says:

    Patch Tuesday: Critical Flaws in ColdFusion, Adobe Commerce
    https://www.securityweek.com/patch-tuesday-critical-flaws-coldfusion-adobe-commerce

    Software maker Adobe on Tuesday released security patches for 29 documented vulnerabilities across multiple enterprise-facing products and warned that hackers could exploit these bugs to take complete control of vulnerable machines.

    As part of its scheduled Patch Tuesday release cycle, Adobe warned the vulnerabilities could expose both Windows and macOS users to arbitrary code execution, arbitrary file system write, security feature bypass and privilege escalation attacks.

    The most urgent of the patches cover security defects in ColdFusion versions 2021 and 2018. According to an Adobe critical-rated advisory, a total of 13 ColdFusion flaws were fixed, including some carrying a CVSS 9.8/10 severity rating.

    Adobe’s security response team also shipped a high-priority patch for the Adobe Commerce and Magento Open Source software with a warning that a critical-level bug could expose users to arbitrary code execution attacks.

    Reply
  36. Tomi Engdahl says:

    Siemens Not Ruling Out Future Attacks Exploiting Global Private Keys for PLC Hacking
    https://www.securityweek.com/siemens-not-ruling-out-future-attacks-exploiting-global-private-keys-plc-hacking

    Researchers have demonstrated that threat actors could obtain global private keys that protect some of Siemens’ industrial devices, and the vendor says it cannot rule out malicious exploitation in the future.

    Details were disclosed on Tuesday by industrial cybersecurity firm Claroty, whose researchers have been looking into ways to achieve native code execution on programmable logic controllers (PLCs).

The vulnerability is tracked as CVE-2022-38465 and it has been rated ‘critical’. Siemens has announced the availability of fixes for affected PLCs and the TIA Portal in one of its Patch Tuesday advisories.

    Siemens has also released a separate security bulletin highlighting the vulnerability. According to the company, in 2013, it introduced asymmetric cryptography into the security architecture of its Simatic S7-1200 and S7-1500 CPUs in an effort to protect devices, customer programs, and communications between devices.

    The Race to Native Code Execution in PLCs: Using RCE to Uncover Siemens SIMATIC S7-1200/1500 Hardcoded Cryptographic Keys
    https://claroty.com/team82/research/the-race-to-native-code-execution-in-plcs-using-rce-to-uncover-siemens-simatic-s7-1200-1500-hardcoded-cryptographic-keys

    Executive Summary
    Team82 has developed a new, innovative method to extract heavily guarded, hardcoded, global private cryptographic keys embedded within the Siemens SIMATIC S7-1200/1500 PLC and TIA Portal product lines.
    An attacker can use these keys to perform multiple advanced attacks against Siemens SIMATIC devices and the related TIA Portal, while bypassing all four of its access level protections.

    A malicious actor could use this secret information to compromise the entire SIMATIC S7-1200/1500 product line in an irreparable way.
    All technical information was disclosed to Siemens, which released new versions of the affected PLCs and engineering workstation that address this vulnerability.
    CVE-2022-38465 has been assigned, and a CVSS v3 score of 9.3 was assessed.

SSA-568427: Weak Key Protection Vulnerability in SIMATIC S7-1200 and S7-1500 CPU Families
    Publication Date: 2022-10-11
    Last Update: 2022-10-11
    Current Version: 1.0
    CVSS v3.1 Base Score: 9.3
    https://cert-portal.siemens.com/productcert/txt/ssa-568427.txt

    Reply
  37. Tomi Engdahl says:

    LofyGang Cybercrime Group Used 200 Malicious NPM Packages for Supply Chain Attacks
    https://www.securityweek.com/lofygang-cybercrime-group-used-200-malicious-npm-packages-supply-chain-attacks

    A cybercrime group named LofyGang has distributed roughly 200 malicious NPM packages that have been downloaded thousands of times over the past year, according to Checkmarx.

    Likely operating out of Brazil, LofyGang appears to be an organized crime group focused on multiple hacking activities, including credit card data theft and Discord premium upgrades, as well as the hacking of games and streaming service accounts.

    LofyGang has been observed abusing multiple public cloud services for command and control (C&C) purposes, including Discord, GitHub, glitch, Heroku, and Repl.it, creating sock-puppet accounts using a closed dictionary of names (slight permutations of evil, devil, lofy, polar, panda, kakau, and vilão).

    Since October 2021, the group has been using a Discord server for communication between administrators and members, and to provide technical support for its hacking tools.

    The group also operates the GitHub account PolarLofy – which offers tools and bots for Discord, including a spammer, a password stealer, a Nitro generator, and a chat wiper, among others – and operates a YouTube account that contains self-promotion content.

    Reply
  38. Tomi Engdahl says:

Now is the time to beware of Zoom links
https://etn.fi/index.php/13-news/14110-nyt-kannattaa-varoa-zoom-linkkejae

In its September malware review, Check Point Research warns of the Vidar malware spreading through fake Zoom links, which has already climbed to eighth place on the list of the most common malware. The Windows data stealer Formbook continued as the world's most commonly used malware.

Vidar is programmed to open a backdoor through which a malicious visitor can access the banking details, passwords, IP addresses, browsing history and crypto wallets on the infected device. The rise of Vidar is the result of a campaign that has used fake Zoom websites to lure unsuspecting victims into downloading the malware onto their computer.

    Reply
  39. Tomi Engdahl says:

    Helpommin ja turvallisemin nettiin lentokoneessa
    https://etn.fi/index.php/13-news/14109-helpommin-ja-turvallisemin-nettiin-lentokoneessa

    Helpommin ja turvallisemin nettiin lentokoneessa

    Julkaistu: 12.10.2022

    Networks Software

    Lentomatkustajille on jo usein tarjolla internet-yhteyksiä, mutta usein verkkoihin liittyminen on ongelma. Esimerkiksi yritysten VPN-yhteydet voivat jopa estää liittymisen koneen verkoon. WBA-järjestö (Wireless Broadband Alliance) on nyt julkaissut suuntaviivat sille, miten lentoyhtiöt voivat poistaa esteitä Wi-Fi-käytön tieltä.

    The WBA report “In-Flight Wi-Fi Connectivity: Improving Passenger Experience, Engagement and Uptake” covers the key business and technological challenges faced by stakeholders such as airlines, identity providers (including mobile operators), satellite and air-to-ground backhaul services, avionics suppliers, and hub services that facilitate roaming.

    Although in-flight Wi-Fi is now widely available on many commercial aircraft, passengers have not yet embraced the connections. One major reason is the difficulty of connecting to the Internet caused by the traditional captive portal approach. Passengers have to connect to the right Wi-Fi network, then navigate to the right landing page, and finally decide what kind of connection they want to pay for.

    According to research, each step usually leads to abandonment when problems arise, and for airlines, service providers and other members of the ecosystem, every abandonment caused by this unnecessarily complicated connection process means lost revenue.

    Airlines have invested in in-flight portal services, and the employer's VPN is an obstacle for business travellers using them. Once they have an Internet connection, connecting to the VPN prevents them from accessing these onboard services. To gain access, they have to disconnect the VPN. This back-and-forth reduces the likelihood of buying services during the flight.

    The WBA report looks at how stakeholders can overcome these and other major obstacles and improve the process. For example, deploying Passpoint login frees passengers from the hassle of manually entering login details every time. Instead, the aircraft's network recognises the devices automatically and connects them automatically and securely on every flight.

    Reply
  40. Tomi Engdahl says:

    Oulu to start training cyber security master's graduates
    https://etn.fi/index.php/13-news/14108-oulussa-ryhdytaeaen-kouluttamaan-kyberturvamaistereita

    The University of Oulu is strengthening the training of cyber security experts, of whom several thousand are already estimated to be missing from the workforce. Starting next spring, the training will be offered to students as a specialisation option in the master's phase of the computer science and engineering degree programme at the Faculty of Information Technology and Electrical Engineering.

    The training will focus on the technical skills needed to guarantee cyber security. The main goal of the expanded training is that a student specialising in cyber security can design, develop, test and evaluate cyber-secure systems, software and devices in a constantly changing digital environment.

    According to Kimmo Halunen, professor of cyber security and head of the programme, the need is great. – Among other things, a recent study by the University of Jyväskylä shows that there is too little training in the field and that it does not meet the needs of industry. The same has been observed at the University of Oulu, and now master's-level engineering students are being given the opportunity to specialise in it.

    Reply
  41. Tomi Engdahl says:

    A Finn found a bug in the Linux kernel: it can physically damage an LCD display
    Timo Tamminen, 5.10.2022 23:40 | updated 5.10.2022 23:47
    A nasty bug has been found in Linux kernel version 5.19.12.
    https://www.tivi.fi/uutiset/suomalainen-loysi-linuxin-ytimesta-bugin-voi-fyysisesti-vahingoittaa-lcd-nayttoa/8f36c309-97d3-4685-9e23-0dfb8fcdb5d3

    Reply
  42. Tomi Engdahl says:

    Finns are now being intimidated with data breach claims: “Your site has been hacked” https://www.is.fi/digitoday/tietoturva/art-2000009125357.html

    Reply
  43. Tomi Engdahl says:

    Android leaks some traffic even when ‘Always-on VPN’ is enabled https://www.bleepingcomputer.com/news/google/android-leaks-some-traffic-even-when-always-on-vpn-is-enabled/
    Mullvad VPN has discovered that Android leaks traffic every time the device connects to a WiFi network, even if the “Block connections without VPN” or “Always-on VPN” feature is enabled.

    Reply
  44. Tomi Engdahl says:

    How Wi-Fi spy drones snooped on financial firm https://www.theregister.com/2022/10/12/drone-roof-attack/
    Modified off-the-shelf drones have been found carrying wireless network-intrusion kit in a very unlikely place

    Reply
  45. Tomi Engdahl says:

    Microsoft Exchange servers hacked to deploy LockBit ransomware https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-lockbit-ransomware/
    Microsoft is investigating reports of a new zero-day bug abused to hack Exchange servers which were later used to launch Lockbit ransomware attacks. In at least one such incident from July 2022, the attackers used a previously deployed web shell on a compromised Exchange server to escalate privileges to Active Directory admin, steal roughly 1.3 TB of data, and encrypt network systems.

    Reply
  46. Tomi Engdahl says:

    A massive wave of cyber attacks is under way in Eastern European countries https://www.epressi.com/tiedotteet/tietotekniikka/ita-euroopan-maissa-on-meneillaan-hurja-kyberhyokkaysaalto.html
    In its September malware review, Check Point Research warns of the Vidar malware spreading via fake Zoom links and reports that cyber attacks have increased dramatically in Eastern European countries.

    Reply
  47. Tomi Engdahl says:

    Pharmacies' online stores crashed in the iodine rush https://www.tivi.fi/uutiset/tv/59439588-5c0d-452c-b55b-83c7671a975e
    Tablets have sold out in places. Visitor numbers are straining the websites.

    Reply
