This posting is here to collect cyber security news in November 2022.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
349 Comments
Tomi Engdahl says:
Law firm fell for a phishing message, court ordered it to notify its clients https://www.hs.fi/kotimaa/art-2000009220259.html
According to the Supreme Administrative Court, the clients of the law firm that suffered the data breach faced a probable and serious risk that the sender of the phishing message had gained access to the firm's data.
Tomi Engdahl says:
European Parliament website hit by cyberattack after Russian terrorism vote https://www.politico.eu/article/cyber-attack-european-parliament-website-after-russian-terrorism/
“I confirm that the Parliament has been subject to an external cyber attack, but the Parliamentary services are doing well to defend the Parliament,” Dita Charanzová, Czech MEP and Parliament vice president responsible for cybersecurity, said in a statement.
Tomi Engdahl says:
Backdoored Chrome extension installed by 200,000 Roblox players https://www.bleepingcomputer.com/news/security/backdoored-chrome-extension-installed-by-200-000-roblox-players/
Chrome browser extension ‘SearchBlox’ installed by more than 200,000 users has been discovered to contain a backdoor that can steal your Roblox credentials as well as your assets on Rolimons, a Roblox trading platform.
Tomi Engdahl says:
Finland is currently rehearsing a scenario in which the power goes out and banking grinds to a halt https://www.is.fi/digitoday/tietoturva/art-2000009223351.html
The Taisto digital security exercise, in which companies and organisations practise operating in the aftermath of information security and data protection breaches, is drawing to a close in Finland. Organised every November by the Digital and Population Data Services Agency (DVV), the exercise is the largest in Finland by number of participants. It uses a fictional organisation whose activities participants mirror against their own organisation, explains exercise lead Hanna Heikkinen, a senior specialist at DVV.
Things organisations practise include building operating models, assigning roles, notifying authorities, communicating in crisis situations, and building situational awareness.
Tomi Engdahl says:
Ukraine and Moldova suffer internet disruptions after Russian missile strikes https://therecord.media/ukraine-and-moldova-suffer-internet-disruptions-after-russian-missile-strikes/
Internet connectivity was disrupted in Ukraine and neighboring Moldova after dozens of Russian missiles hit Ukrainian cities on Wednesday, causing massive power outages across the country. The energy infrastructure in urban areas has been hit hardest, leading to worse internet access in cities than elsewhere. For example, the entire city of Lviv in the west of Ukraine was without electricity for at least several hours during the day. More than half of Moldova was also left without electricity, including its capital Chisinau and the breakaway Russian-backed region of Transnistria, according to Moldova's deputy prime minister Andrei Spinu. The country's President Maia Sandu said that Moldova can't trust a regime that leaves it in the dark and cold.
Tomi Engdahl says:
Scammers, bots dominate threat landscape ahead of Black Friday and Cyber Monday https://therecord.media/scammers-bots-dominate-threat-landscape-ahead-of-black-friday-and-cyber-monday/
As Black Friday and Cyber Monday approach, cybersecurity experts and the U.S. government are warning consumers to beware of scams, and retailers are being informed of bots scooping up troves of inventory.
On Wednesday, the Cybersecurity and Infrastructure Security Agency (CISA) said the holiday shopping season is a prime opportunity for scammers and cybercriminals to take advantage of shoppers through fake websites, malicious links, and even fake charities in an effort to steal information and money. CISA suggested shoppers follow basic cybersecurity advice: always use multi-factor authentication, double check website addresses and make sure any emails offering sales are legitimate.
Tomi Engdahl says:
Guadeloupe kickstarts continuity plan after wide-ranging cyberattack https://therecord.media/guadeloupe-kickstarts-continuity-plan-after-wide-ranging-cyberattack/
The French island of Guadeloupe is dealing with the aftereffects of a cyberattack, according to a notice on the government's website.
Officials said the attack occurred on Monday and that they immediately put in place a service continuity plan in order for them to carry out the essential missions of the administration. The government hired cybersecurity experts and mobilized a team to limit the impact of the incident. In an update on Friday, the government announced they are still analyzing the attack to understand the extent of it and restore systems to their normal activity.
Tomi Engdahl says:
Google rushes out Chrome browser fix for new zero-day flaw https://www.zdnet.com/article/google-rushes-out-chrome-browser-fix-for-new-zero-day-flaw/
Google has released an update for Chrome to address a previously undisclosed or zero-day flaw that is under attack. According to Google, the high-severity flaw, which is tracked as CVE-2022-4135, is due to a memory-related “heap buffer overflow in GPU”. “Google is aware that an exploit for CVE-2022-4135 exists in the wild,” Google says in its advisory.
Tomi Engdahl says:
XSS Vulnerability Found in ConnectWise Remote Access Platform With Great Potential For Misuse by Scammers https://labs.guard.io/xss-vulnerability-found-in-connectwise-remote-access-platform-with-great-potential-for-misuse-by-scammers-a0773da2aacf
Following our analysis of Remote Access Tool (RAT) abuse, we turned to analyze the misuse of one of the most powerful platforms in that market ConnectWise. During the analysis a vulnerability in the hosted platform was found, one that can be exploited by scammers to take control of this powerful tool with no limitations and not a penny spent. In this write-up we will share the technical details of this Stored XSS vulnerability, exploiting it, and also how ConnectWise quickly responded to this disclosure and helped make their platform much safer for the benefit of us all.
Tomi Engdahl says:
Ransomware gang targets Belgian municipality, hits police instead https://www.bleepingcomputer.com/news/security/ransomware-gang-targets-belgian-municipality-hits-police-instead/
The Ragnar Locker ransomware gang has published stolen data from what they thought was the municipality of Zwijndrecht, but turned out to be stolen from Zwijndrecht police, a local police unit in Antwerp, Belgium. The leaked data reportedly exposed thousands of car number plates, fines, crime report files, personnel details, investigation reports, and more. This type of data can potentially expose people who reported crimes or abuse and could compromise ongoing law enforcement operations and investigations. Belgian media outlets call this data leak one of the biggest of this kind that has impacted a public service in the country, exposing all data kept by Zwijndrecht police from 2006 until September 2022.
Tomi Engdahl says:
5.4 million Twitter users' stolen data leaked online, more shared privately https://www.bleepingcomputer.com/news/security/54-million-twitter-users-stolen-data-leaked-online-more-shared-privately/
Over 5.4 million Twitter user records containing non-public information stolen using an API vulnerability fixed in January have been shared for free on a hacker forum. Another massive, potentially more significant, data dump of millions of Twitter records has also been disclosed by a security researcher, demonstrating how widely abused this bug was by threat actors. The data consists of scraped public information as well as private phone numbers and email addresses that are not meant to be public.
Tomi Engdahl says:
Cyberattack on education consortium Keuda, National Bureau of Investigation looking into it
https://yle.fi/a/74-20006365
The Keski-Uusimaa education consortium Keuda has suffered a cyberattack.
The attack was detected on Monday morning. Keuda's network and server connections have been shut down. There is no further information yet on the extent of the attack. Keuda reports on the incident on its website and on Twitter. Keuda announced on Monday afternoon that the matter is being investigated together with an information security company. The National Bureau of Investigation (KRP) is also looking into it.
Tomi Engdahl says:
Authorities recommend vigilance, cyberattacks against Finland have increased https://www.is.fi/digitoday/tietoturva/art-2000009230577.html
The declaration adopted by the European Parliament last week designating Russia a state that sponsors terrorism and uses its methods has not caused a spike in cyberattacks against Finland's central government or critical infrastructure. This was stated by national cyber security director Rauli Paananen at a press briefing on Friday on Finland's cyber security situation.
Denial-of-service attacks get a lot of attention because of their visibility, but the harm they cause is at worst temporary, cyber security director Paananen reminded the briefing. In practice they do not endanger the security of information in any way.
Tens of thousands of denial-of-service attacks are carried out against Finland every year, but their effects are not visible because we are so well prepared for them, Paananen said.
Tomi Engdahl says:
TikTok Invisible Body challenge exploited to push malware https://www.bleepingcomputer.com/news/security/tiktok-invisible-body-challenge-exploited-to-push-malware/
A new and trending TikTok challenge requires you to film yourself naked while using TikTok's "Invisible Body" filter, which removes the body from the video and replaces it with a blurry background. This challenge has led to people posting videos of them allegedly naked but obscured by the filter. To capitalize on this, threat actors are creating TikTok videos that claim to offer a special "unfiltering" filter to remove TikTok's body masking effect and expose the TikTokers' nude bodies. However, this software is fake and installs the "WASP Stealer (Discord Token Grabber)" malware, capable of stealing Discord accounts, passwords and credit cards stored on browsers, cryptocurrency wallets, and even files from a victim's computer.
Tomi Engdahl says:
Project Zero Flags ‘Patch Gap’ Problems on Android
https://www.securityweek.com/project-zero-flags-patch-gap-problems-android
Vulnerability researchers at Google Project Zero are calling attention to the ongoing “patch-gap” problem in the Android ecosystem, warning that downstream vendors continue to be tardy at delivering security fixes to Android-powered devices.
In this case, he said Project Zero test devices that used Mali are still vulnerable to these issues. “CVE-2022-36449 is not mentioned in any downstream security bulletins,” he declared.
Tomi Engdahl says:
Google Making Cobalt Strike Pentesting Tool Harder to Abuse
https://www.securityweek.com/google-making-cobalt-strike-pentesting-tool-harder-abuse
Tomi Engdahl says:
Cisco Secure Email Gateway Filters Bypassed Due to Malware Scanner Issue
https://www.securityweek.com/cisco-secure-email-gateway-filters-bypassed-due-malware-scanner-issue
An anonymous researcher has disclosed several methods that can be used to bypass some of the filters in Cisco’s Secure Email Gateway appliance and deliver malware using specially crafted emails.
Tomi Engdahl says:
Leaked Algolia API Keys Exposed Data of Millions of Users
https://www.securityweek.com/leaked-algolia-api-keys-exposed-data-millions-users
Threat detection firm CloudSEK has identified thousands of applications leaking Algolia API keys, and tens of applications with hardcoded admin secrets, which could allow attackers to steal the data of millions of users.
Organizations can use Algolia’s API to incorporate into their applications functions such as search, discovery, and recommendations. The API is used by over 11,000 companies, including Lacoste, Slack, Medium, and Zendesk.
CloudSEK says it has identified 1,550 applications that leaked Algolia API keys, including 32 apps that had hardcoded admin secrets, providing attackers with access to pre-defined Algolia API keys.
Tomi Engdahl says:
Microsoft Releases Out-of-Band Update After Security Patch Causes Kerberos Issues
https://www.securityweek.com/microsoft-releases-out-band-update-after-security-patch-causes-kerberos-issues
Microsoft has released an out-of-band update after learning that a recent Windows security patch started causing Kerberos authentication issues.
The Patch Tuesday updates released on November 8 addressed CVE-2022-37966, a privilege escalation vulnerability affecting Windows Server. This high-severity flaw can allow an attacker who can collect information about the targeted system to gain admin privileges.
“An unauthenticated attacker could conduct an attack that could leverage cryptographic protocol vulnerabilities in RFC 4757 (Kerberos encryption type RC4-HMAC-MD5) and MS-PAC (Privilege Attribute Certificate Data Structure specification) to bypass security features in a Windows AD environment,” Microsoft explained in its advisory for CVE-2022-37966.
However, a few days after the patch was released, users started complaining about issues related to Kerberos authentication.
Microsoft acted quickly and a few days later it provided mitigations. Then, on November 17, it released an out-of-band update that should address the issue.
https://support.microsoft.com/en-us/topic/kb5021131-how-to-manage-the-kerberos-protocol-changes-related-to-cve-2022-37966-fd837ac3-cdec-4e76-a6ec-86e67501407d
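The practical follow-up to CVE-2022-37966 is finding which accounts still advertise only RC4-HMAC-MD5 before the Kerberos hardening is enforced. The PowerShell below is an added example, not code from the article or from Microsoft: it decodes the msDS-SupportedEncryptionTypes attribute using the bit values documented in KB5021131 and lists user and computer objects that name RC4 without any AES etype. Get-ADObject comes from the RSAT ActiveDirectory module; the -SearchBase value and the output column names are this example's own choices.

```powershell
# Added example (not from the article or Microsoft): decode msDS-SupportedEncryptionTypes
# and report accounts that still advertise only RC4, the etype CVE-2022-37966 concerns.
# Bit values are the ones documented in KB5021131.
$script:EncTypeBits = [ordered]@{
    'DES_CBC_CRC'             = 0x01
    'DES_CBC_MD5'             = 0x02
    'RC4_HMAC_MD5'            = 0x04
    'AES128_CTS_HMAC_SHA1_96' = 0x08
    'AES256_CTS_HMAC_SHA1_96' = 0x10
}

function ConvertFrom-EncTypes {
    # Returns the names of the etypes whose bits are set in the attribute value.
    param([int]$Value)
    $names = foreach ($entry in $script:EncTypeBits.GetEnumerator()) {
        if ($Value -band $entry.Value) { $entry.Key }
    }
    @($names)
}

function Test-RC4Only {
    # True when RC4 is set but neither AES etype is. An unset attribute (null or 0)
    # returns $null: the effective default then depends on the object type and on
    # the domain's patch level, as KB5021131 explains, so it is reported separately.
    param($Value)
    if ($null -eq $Value -or [int]$Value -eq 0) { return $null }
    $v = [int]$Value
    ($v -band 0x04) -and -not ($v -band 0x18)
}

function Get-RC4OnlyAccounts {
    # Requires the ActiveDirectory module (RSAT). Returns RC4-only accounts plus
    # accounts with the attribute unset, so both groups can be reviewed.
    [CmdletBinding()]
    param([string]$SearchBase)
    $query = @{
        LDAPFilter = '(|(objectClass=user)(objectClass=computer))'
        Properties = 'msDS-SupportedEncryptionTypes', 'servicePrincipalName'
    }
    if ($SearchBase) { $query.SearchBase = $SearchBase }
    Get-ADObject @query | ForEach-Object {
        $raw   = $_.'msDS-SupportedEncryptionTypes'
        $state = Test-RC4Only $raw
        [pscustomobject]@{
            Name     = $_.Name
            Class    = $_.ObjectClass
            HasSPN   = [bool]$_.servicePrincipalName
            RawValue = $raw
            EncTypes = if ($null -eq $state) { '(unset: domain default applies)' }
                       else { (ConvertFrom-EncTypes $raw) -join ',' }
            RC4Only  = $state
        }
    } | Where-Object { $_.RC4Only -ne $false }
}

# Offline sanity check of the decoder, then the real query (SearchBase is a placeholder):
ConvertFrom-EncTypes 0x1C   # RC4_HMAC_MD5, AES128_CTS_HMAC_SHA1_96, AES256_CTS_HMAC_SHA1_96
Test-RC4Only 0x04           # True
Test-RC4Only 0x1C           # False
# Get-RC4OnlyAccounts -SearchBase 'DC=corp,DC=example' | Format-Table -AutoSize
```

Accounts with service principal names are the ones to look at first, since their service tickets are what the RC4-to-AES change affects; fixing them means setting the AES bits on the account (and, for accounts whose password predates AES support, rotating the password so an AES key exists) rather than leaving the attribute unset.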
Tomi Engdahl says:
Cisco ISE Vulnerabilities Can Be Chained in One-Click Exploit
https://www.securityweek.com/cisco-ise-vulnerabilities-can-be-chained-one-click-exploit
Multiple vulnerabilities in Cisco Identity Services Engine (ISE) could allow remote attackers to inject arbitrary commands, bypass existing security protections, or perform cross-site scripting (XSS) attacks.
An identity-based network access control (NAC) and policy enforcement system, Cisco ISE allows administrators to control endpoint access and manage network devices.
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/google-pushes-emergency-chrome-update-to-fix-8th-zero-day-in-2022/
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/malicious-android-app-found-powering-account-creation-service/
Tomi Engdahl says:
Black Basta Gang Deploys Qakbot Malware in Aggressive Cyber Campaign
The ransomware group is using Qakbot to make the initial point of entry before moving laterally within an organization’s network.
https://www.darkreading.com/threat-intelligence/black-basta-gang-deploys-qakbot-malware-cyber-campaign
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/microsoft/new-windows-server-updates-cause-domain-controller-freezes-restarts/
Tomi Engdahl says:
CISA Warns of Actively Exploited Critical Oracle Fusion Middleware Vulnerability https://thehackernews.com/2022/11/cisa-warns-of-actively-exploited.html
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a critical flaw impacting Oracle Fusion Middleware to its Known Exploited Vulnerabilities (KEV) Catalog, citing evidence of active exploitation. The vulnerability, tracked as CVE-2021-35587, carries a CVSS score of 9.8 and impacts Oracle Access Manager (OAM) versions 11.1.2.3.0, 12.2.1.3.0, and 12.2.1.4.0. Successful exploitation of the remote command execution bug could enable an unauthenticated attacker with network access to completely compromise and take over Access Manager instances. “It may give the attacker access to OAM server, to create any user with any privileges, or just get code execution in the victim’s server,” Vietnamese security researcher Nguyen Jang (Janggggg), who reported the bug alongside peterjson, noted earlier this March.
Tomi Engdahl says:
Spanish police dismantle operation that made 12M via investment scams https://www.bleepingcomputer.com/news/security/spanish-police-dismantle-operation-that-made-12m-via-investment-scams/
Spanish National Police have dismantled a cybercrime organization that used fake investment sites to defraud over €12.3 million ($12.8 million) from 300 victims across Europe. The malicious campaigns involved creating fake cryptocurrency investment sites with a similar appearance to well-known, legitimate platforms. The threat actors then laundered money stolen from victims by moving it from Spanish banks to foreign financial entities where the criminals hoped it was away from the authorities' scrutiny or tracing ability.
Tomi Engdahl says:
New Flaw in Acer Laptops Could Let Attackers Disable Secure Boot Protection https://thehackernews.com/2022/11/new-flaw-in-acer-laptops-could-let.html
Acer has released a firmware update to address a security vulnerability that could be potentially weaponized to turn off UEFI Secure Boot on affected machines. Tracked as CVE-2022-4020, the high-severity vulnerability affects five different models that consist of Aspire A315-22, A115-21, and A315-22G, and Extensa EX215-21 and EX215-21G. The PC maker described the vulnerability as an issue that "may allow changes to Secure Boot settings by creating NVRAM variables." Credited with discovering the flaw is ESET researcher Martin Smolár, who previously disclosed similar bugs in Lenovo computers.
Tomi Engdahl says:
Anker’s Eufy Cameras Caught Uploading Content to the Cloud Without User Consent https://www.macrumors.com/2022/11/29/eufy-camera-cloud-uploads-no-user-consent/
Anker’s popular Eufy-branded security cameras appear to be sending some data to the cloud, even when cloud storage is disabled and local only storage settings are turned on. The information comes from security consultant Paul Moore, who last week published a video outlining the issue. According to Moore, he purchased a Eufy Doorbell Dual, which was meant to be a device that stored video recording on device. He found that Eufy is uploading thumbnail images of faces and user information to its cloud service when cloud functionality is not enabled. Moore suggests that Eufy is also able to link facial recognition data collected from two separate cameras and two separate apps to users, all without camera owners being aware.
Tomi Engdahl says:
Always Another Secret: Lifting the Haze on China-nexus Espionage in Southeast Asia https://www.mandiant.com/resources/blog/china-nexus-espionage-southeast-asia
Mandiant Managed Defense recently identified cyber espionage activity that heavily leverages USB devices as an initial infection vector and concentrates on the Philippines. Mandiant tracks this activity as UNC4191 and we assess it has a China nexus. UNC4191 operations have affected a range of public and private sector entities primarily in Southeast Asia and extending to the U.S., Europe, and APJ; however, even when targeted organizations were based in other locations, the specific systems targeted by UNC4191 were also found to be physically located in the Philippines. Following initial infection via USB devices, the threat actor leveraged legitimately signed binaries to side-load malware, including three new families we refer to as MISTCLOAK, DARKDEW, and BLUEHAZE. Successful compromise led to the deployment of a renamed NCAT binary and execution of a reverse shell on the victim's system, providing backdoor access to the threat actor.
Tomi Engdahl says:
U.S. Govt. Apps Bundled Russian Code With Ties to Mobile Malware Developer https://krebsonsecurity.com/2022/11/u-s-govt-apps-bundled-russian-code-with-ties-to-mobile-malware-developer/
A recent scoop by Reuters revealed that mobile apps for the U.S. Army and the Centers for Disease Control and Prevention (CDC) were integrating software that sends visitor data to a Russian company called Pushwoosh, which claims to be based in the United States. But that story omitted an important historical detail about Pushwoosh: In 2013, one of its developers admitted to authoring the Pincer Trojan, malware designed to surreptitiously intercept and forward text messages from Android mobile devices. Pushwoosh's software also was found in apps for a wide array of international companies, influential nonprofits and government agencies, from global consumer goods company Unilever and the Union of European Football Associations (UEFA) to the politically powerful U.S. gun lobby, the National Rifle Association (NRA), and Britain's Labour Party.
Tomi Engdahl says:
Lockheed Martin’s Army cyber training platform goes civilian https://www.theregister.com/2022/11/29/lockheed_martin_cyber_training/
Lockheed Martin has bagged a government contract to train 17,000 remote US Army civilian employees on security readiness, and wants to also extend the offer to private entities. The defense contractor will supply the Army's Civilian Career Management Activity with its new Mission Readiness and Reporting (MR2) platform, which was originally designed for the US military's Joint Cyber Command and Control ecosystem. For the Army's civilian application, MR2 will be used to train employees in best practices "according to an individual's capabilities," while continually monitoring training statuses and providing predictive analysis for future mission needs.
Tomi Engdahl says:
https://www.securityweek.com/project-zero-flags-patch-gap-problems-android
Tomi Engdahl says:
Virginia County Confirms Personal Information Stolen in Ransomware Attack
https://www.securityweek.com/virginia-county-confirms-personal-information-stolen-ransomware-attack
Tomi Engdahl says:
Cybercriminals Selling Access to Networks Compromised via Recent Fortinet Vulnerability
https://www.securityweek.com/cybercriminals-selling-access-networks-compromised-recent-fortinet-vulnerability
Security researchers at Cyble have observed initial access brokers (IABs) selling access to enterprise networks likely compromised via a recently patched critical vulnerability in Fortinet products.
Tracked as CVE-2022-40684 and impacting FortiOS, FortiProxy, and FortiSwitchManager products, the vulnerability was publicly disclosed in early October, when it was already exploited in malicious attacks.
The issue is an authentication bypass allowing a remote attacker to use specially crafted HTTP or HTTPS requests to perform unauthorized operations on a vulnerable appliance’s admin interface.
Tomi Engdahl says:
https://www.securityweek.com/oracle-fusion-middleware-vulnerability-exploited-wild
Tomi Engdahl says:
https://www.securityweek.com/vulnerability-acer-laptops-allows-attackers-disable-secure-boot
Tomi Engdahl says:
Ransomware Gang Takes Credit for Maple Leaf Foods Hack
https://www.securityweek.com/ransomware-gang-takes-credit-maple-leaf-foods-hack
Tomi Engdahl says:
OT:Icefall Continues With Vulnerabilities in Festo, Codesys Products
https://www.securityweek.com/oticefall-continues-vulnerabilities-festo-codesys-products
Forescout Technologies has disclosed the details of three new vulnerabilities identified by its researchers in operational technology (OT) products from Festo and Codesys.
Identified as part of the OT:Icefall research that led to the public disclosure of 56 vulnerabilities in OT products from multiple vendors, these issues are another exemplification of an insecure-by-design approach common at the time the impacted products were launched.
Codesys is an automation suite used in over 1,000 device models from over 500 manufacturers. Any vulnerability potentially impacts millions of products. Festo’s automation platform is employed in electric and pneumatic systems, mainly in the manufacturing sector.
Two of the newly disclosed vulnerabilities (CVE-2022-3079 and CVE-2022-3270) impact several Festo automation controllers, while the third (CVE-2022-4048) was identified in the Codesys runtime.
“These issues are similar to others we have recently disclosed as part of OT:Icefall. CVE-2022-4048 is an example of weak cryptography, CVE-2022-3079 exemplifies lack of authentication and CVE-2022-3270 falls in the category of insecure engineering protocols,” Forescout notes.
During their investigation, Forescout security researchers also discovered that several Festo products are impacted by known Codesys vulnerabilities, including CVE-2022-31806 and CVE-2022-22515, which were patched roughly six months ago.
These products are “shipped with an unsafe configuration of the Codesys runtime environment. This is yet another example of a supply chain issue where a vulnerability has not been disclosed for all the products it affects,” Forescout says.
https://www.forescout.com/blog/oticefall-continues-vedere-labs-discloses-three-new-vulnerabilities-affecting-ot-products-how-to-mitigate/
Tomi Engdahl says:
Self-Replicating Malware Used by Chinese Cyberspies Spreads via USB Drives
https://www.securityweek.com/self-replicating-malware-used-chinese-cyberspies-spreads-usb-drives
A China-linked cyberespionage group tracked as UNC4191 has been observed using self-replicating malware on USB drives to infect targets, and the technique could allow them to steal data from air-gapped systems, Google-owned Mandiant reports.
UNC4191 has been observed targeting public and private entities in Southeast Asia, Asia-Pacific, Europe, and the US, with a focus on the Philippines, deploying legitimately signed binaries to side-load malware.
As part of the investigated activity, the threat actor has used malware families such as the Mistcloak launcher, the Darkdew dropper, and the Bluehaze launcher.
Tomi Engdahl says:
Developers Warned of Critical Remote Code Execution Flaw in Quarkus Java Framework
https://www.securityweek.com/developers-warned-critical-remote-code-execution-flaw-quarkus-java-framework
Developers have been warned that the popular Quarkus framework is affected by a critical vulnerability that could lead to remote code execution.
Available since 2019, Quarkus is an open source Kubernetes-native Java framework designed for GraalVM and HotSpot virtual machines.
Tracked as CVE-2022-4116 (CVSS score of 9.8), the security defect was identified in the Dev UI Config Editor and can be exploited via drive-by localhost attacks.
“Exploiting the vulnerability isn’t difficult and can be done by a malicious actor without any privileges,” Contrast Security researcher Joseph Beeton, who discovered the bug, explains.
Contrast discovers zero-day flaw in popular Quarkus Java framework
https://www.contrastsecurity.com/security-influencers/localhost-attack-against-quarkus-developers-contrast-security
Tomi Engdahl says:
Delta Electronics Patches Serious Flaws in Industrial Networking Devices
https://www.securityweek.com/delta-electronics-patches-serious-flaws-industrial-networking-devices
Taiwan-based Delta Electronics has patched potentially serious vulnerabilities in two of its industrial networking products.
The flaws were identified by researchers at CyberDanube, a new industrial cybersecurity company based in Austria, in Delta’s DX-2100-L1-CN 3G cloud router and the DVW-W02W2-E2 industrial wireless access point.
The researchers conducted their analysis on so-called digital twins, which involve virtualization techniques, rather than by looking at the actual devices.
In the 3G router, they discovered an authenticated command injection issue and a stored cross-site scripting (XSS) flaw. The command injection vulnerability can allow an attacker who has credentials for the web service to execute system commands on the OS with root privileges.
Tomi Engdahl says:
Chrome 108 Patches High-Severity Memory Safety Bugs
https://www.securityweek.com/chrome-108-patches-high-severity-memory-safety-bugs
Google this week announced the release of Chrome 108 in the stable channel with patches for 28 vulnerabilities, including 22 reported by external researchers.
Of the externally reported security defects, eight are high-severity issues and 14 are medium-severity flaws.
The most severe of these bugs, based on the paid bug bounty reward, is CVE-2022-4174, a type confusion issue in the web browser’s V8 JavaScript engine.
Google credited security researcher Zhenghang Xiao for reporting the vulnerability and says it paid a $15,000 reward for it.
Tomi Engdahl says:
Researchers find bugs allowing access, remote control of cars https://therecord.media/researchers-find-bugs-allowing-access-remote-control-of-cars/
Several major car brands have addressed vulnerabilities that would have allowed hackers to remotely control the locks, engine, horn, headlights, and trunk of certain cars made after 2012, according to a security researcher. Yuga Labs staff security engineer Sam Curry published two threads on Twitter detailing his research into the mobile apps for several car brands that give customers the ability to remotely start, stop, lock and unlock their vehicles. Curry and several other researchers started with Hyundai and Genesis, finding that much of the verification process for getting access to a vehicle relied on registered email addresses. They found a way to bypass the email verification feature and gain full control.
Tomi Engdahl says:
https://techcrunch.com/2022/11/30/lastpass-goto-breached-customer-information/
Tomi Engdahl says:
Submarine cable damage brings internet pain to Asia, Africa https://www.theregister.com/2022/11/30/seamewe5_cut_outage_apac_africa/
Internet users across Asia appear to be suffering from degraded performance after a major submarine cable was severed. Pakistan’s telecoms authority flagged the cable cut. Internet-watching outfit Netblocks also spotted something amiss in Pakistan, other Asian nations, and parts of Africa. SEA-ME-WE-5 runs from France to Singapore with landings in Turkey, Saudi Arabia, Yemen, Djibouti, Oman, United Arab Emirates, Pakistan, Sri Lanka, Bangladesh, Myanmar, Malaysia, and Indonesia along the way. The cable is 20,000km in length and can carry 12.2Tb per fibre pair of which there are four from Egypt to France and three for the rest of the span.
Tomi Engdahl says:
Researchers Find a Way Malicious NPM Libraries Can Evade Vulnerability Detection https://thehackernews.com/2022/11/researchers-find-way-malicious-npm.html
New findings from cybersecurity firm JFrog show that malware targeting the npm ecosystem can evade security checks by taking advantage of an “unexpected behavior” in the npm command line interface (CLI) tool.
npm CLI’s install and audit commands have built-in capabilities to check a package and all of its dependencies for known vulnerabilities, effectively acting as a warning mechanism for developers by highlighting the flaws. But as JFrog established, the security advisories are not displayed when the packages follow certain version formats, creating a scenario where critical flaws could be introduced into their systems either directly or via the package’s dependencies.
Tomi Engdahl says:
Trigona ransomware spotted in increasing attacks worldwide https://www.bleepingcomputer.com/news/security/trigona-ransomware-spotted-in-increasing-attacks-worldwide/
A previously unnamed ransomware has rebranded under the name ‘Trigona,’ launching a new Tor negotiation site where they accept Monero as ransom payments. Trigona has been active for some time, with samples seen at the beginning of the year. However, those samples utilized email for negotiations and were not branded under a specific name. As discovered by MalwareHunterTeam, starting in late October 2022, the ransomware operation launched a new Tor negotiation site where they officially named themselves ‘Trigona.’
Tomi Engdahl says:
Who's swimming in South Korean waters? Meet ScarCruft's Dolphin https://www.welivesecurity.com/2022/11/30/whos-swimming-south-korean-waters-meet-scarcrufts-dolphin/
ESET researchers have analyzed a previously unreported backdoor used by the ScarCruft APT group. The backdoor, which we named Dolphin, has a wide range of spying capabilities, including monitoring drives and portable devices and exfiltrating files of interest, keylogging and taking screenshots, and stealing credentials from browsers. Its functionality is reserved for selected targets, to which the backdoor is deployed after initial compromise using less advanced malware. In line with other ScarCruft tools, Dolphin abuses cloud storage services, specifically Google Drive, for C&C communication. During our investigation, we saw continued development of the backdoor and attempts by the malware authors to evade detection. A notable feature of earlier Dolphin versions we analyzed is the ability to modify the settings of victims' signed-in Google and Gmail accounts to lower their security, most likely to maintain access to victims' email inboxes.
Tomi Engdahl says:
Hackers Dump Australian Health Data Online, Declare ‘Case Closed’
https://www.securityweek.com/hackers-dump-australian-health-data-online-declare-case-closed
The hackers leaking stolen Australian health records to the dark web on Thursday appeared to end their extortion attempt by dumping a final batch of data online and declaring: "Case closed."
In November the hackers demanded health insurer Medibank pay US$9.7 million to keep the records off the internet — or one dollar for each of the company’s impacted customers, which included Prime Minister Anthony Albanese.
Medibank refused to pay at the urging of the federal government, which at the height of the crisis considered making it illegal for hacked companies to hand over ransoms.
On Thursday morning the hackers said they had posted the last of the data online, deliberately coinciding with International Computer Security Day.
“Happy Cyber Security Day,” they wrote.
“Added folder full. Case closed.”