Cyber security news November 2022

This posting is here to collect cyber security news in November 2022.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.

349 Comments

  1. Tomi Engdahl says:

    Expert considers phone spying possible in Finland too – gives protection instructions https://www.is.fi/digitoday/tietoturva/art-2000009170395.html

    Reply
  2. Tomi Engdahl says:

    World’s second largest copper producer recovering from cyberattack https://therecord.media/worlds-second-largest-copper-producer-recovering-from-cyberattack/
    The second largest copper producer in the world said it is recovering from a cyberattack that forced it to shut off several IT systems.
    German firm Aurubis did not respond to requests for comment but released a statement on Friday saying that overnight, the company faced a cyberattack that “was apparently part of a larger attack on the metals and mining industry.”

    Reply
  3. Tomi Engdahl says:

    Google ad for GIMP.org served info-stealing malware via lookalike site https://www.bleepingcomputer.com/news/security/google-ad-for-gimporg-served-info-stealing-malware-via-lookalike-site/
    Searching for ‘GIMP’ on Google as recently as last week would show visitors an ad for ‘GIMP.org,’ the official website of the well-known graphics editor, GNU Image Manipulation Program. This ad would appear to be legitimate as it’d state ‘GIMP.org’ as the destination domain.
    But clicking on it drove visitors to a lookalike phishing website that provided them with a 700 MB executable disguised as GIMP which, in reality, was malware.

    Reply
  4. Tomi Engdahl says:

    New Hampshire set to pilot voting machines that use software everyone can see https://therecord.media/new-hampshire-set-to-pilot-voting-machines-that-use-software-everyone-can-see/
    Next week, three towns in New Hampshire will embark on a grand electoral experiment, Click Here and The Record have learned. On November 8, the Granite State will pilot a new kind of voting machine that will use open-source software – software that everyone can examine – to tally the votes.

    Reply
  5. Tomi Engdahl says:

    Ecuador’s military denies ransomware attack after website goes offline https://therecord.media/ecuadors-military-denies-ransomware-attack-after-website-goes-offline/
    Military officials in Ecuador denied reports that a ransomware group launched an attack on their systems and stole confidential data. On Saturday, the Joint Command of the Armed Forces of Ecuador released a statement on Twitter addressing rumors that emerged when the BlackCat ransomware group added the organization to its leak site on October 26. The country’s Cyber Defense Command conducted an investigation after the ransomware rumors began and “determined that the digital systems and website of the Joint Command of the Armed Forces have not been compromised at any level.” “These systems are currently in a process of preventive maintenance as a safety measure,” the statement said, adding that systems would be restored once “technical work” is completed.

    Reply
  6. Tomi Engdahl says:

    ‘CosMiss’ vulnerability found in Microsoft Azure developer tool https://therecord.media/cosmiss-vulnerability-found-in-microsoft-azure-developer-tool/
    Microsoft addressed a vulnerability affecting a tool used by developers within its Azure cloud computing service, according to researchers from the tech giant and cybersecurity firm Orca Security.
    Both released a report on Tuesday outlining a vulnerability dubbed “CosMiss” in Jupyter Notebooks for Azure Cosmos DB – an open-source interactive developer environment allowing users to create and share documents that have live code, equations and more.

    Reply
  7. Tomi Engdahl says:

    HACKED DOCUMENTS: HOW IRAN CAN TRACK AND CONTROL PROTESTERS’ PHONES https://theintercept.com/2022/10/28/iran-protests-phone-surveillance/
    The documents provide an inside look at an Iranian government program that lets authorities monitor and manipulate people’s phones.

    Reply
  8. Tomi Engdahl says:

    Microsoft Patches Azure Cosmos DB Flaw Leading to Remote Code Execution
    https://www.securityweek.com/microsoft-patches-azure-cosmos-db-flaw-leading-remote-code-execution

    A missing authentication check vulnerability in Azure Cosmos DB could have allowed an attacker to execute arbitrary code remotely, Orca Security warns.

    Azure Cosmos DB is a NoSQL database used on e-commerce platforms to store catalog data, and in order processing pipelines for event sourcing.

    The security defect was identified in Azure Cosmos DB Jupyter notebooks, an open-source interactive developer environment (IDE) that allows developers to share documents, live code, visualizations, and more. Built into Azure Cosmos DB, Jupyter notebooks may contain secrets and private keys.

    Referred to as CosMiss, the flaw could have allowed an attacker with knowledge of the notebook workspace UUID, also known as ‘forwardingId’, to access the notebook without authentication.

    https://orca.security/resources/blog/cosmiss-vulnerability-azure-cosmos-db/

    Reply
  9. Tomi Engdahl says:

    Anxiously Awaited OpenSSL Vulnerability’s Severity Downgraded From Critical to High
    https://www.securityweek.com/anxiously-awaited-openssl-vulnerabilitys-severity-downgraded-critical-high

    The OpenSSL Project on Tuesday announced the release of OpenSSL 3.0.7. Everyone was anxiously awaiting to learn the details of the first critical vulnerability discovered since 2016, but the project’s developers decided to downgrade the flaw’s severity rating.

    The OpenSSL Project revealed last week that an update for OpenSSL 3.0 would address a critical vulnerability. That flaw is tracked as CVE-2022-3602 and it has been described as a buffer overrun that can be triggered in X.509 certificate verification. Exploitation of the flaw could lead to a denial-of-service (DoS) condition caused by a crash, or even remote code execution.

    “An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack,” explains the advisory for CVE-2022-3602.

    The advisory adds, “In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects.”

    However, mitigating factors have led developers to reassess its impact and assign it a ‘high’ severity rating instead of ‘critical’.

    “Many platforms implement stack overflow protections which would mitigate against the risk of remote code execution. The risk may be further mitigated based on stack layout for any given platform/compiler,” the OpenSSL team explained.

    In a blog post, the OpenSSL Project shared more information on why the vulnerability’s severity rating was downgraded.

    CVE-2022-3602 was originally assessed by the OpenSSL project as CRITICAL as it is an arbitrary 4-byte stack buffer overflow, and such vulnerabilities may lead to remote code execution (RCE).

    During the week of prenotification, several organisations performed testing and gave us feedback on the issue, looking at the technical details of the overflow and stack layout on common architectures and platforms.

    Firstly, we had reports that on certain Linux distributions the stack layout was such that the 4 bytes overwrote an adjacent buffer that was yet to be used and therefore there was no crash or ability to cause remote code execution.

    Secondly, many modern platforms implement stack overflow protections which would mitigate against the risk of remote code execution and usually lead to a crash instead.

    However as OpenSSL is distributed as source code we have no way of knowing how every platform and compiler combination has arranged the buffers on the stack and therefore remote code execution may still be possible on some platforms.

    OpenSSL 3.0.7 also patches another similar high-severity vulnerability, CVE-2022-3786, which can result in a crash and a DoS condition.

    While none of the security holes are critical, users are still encouraged to update their dependencies.

    CVE-2022-3786 and CVE-2022-3602: X.509 Email Address Buffer Overflows
    https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/

    Today we published an advisory about CVE-2022-3786 (“X.509 Email Address Variable Length Buffer Overflow”) and CVE-2022-3602 (“X.509 Email Address 4-byte Buffer Overflow”).

    Q: The 3.0.7 release was announced as fixing a CRITICAL vulnerability, but CVE-2022-3786 and CVE-2022-3602 are both HIGH. What happened to the CRITICAL vulnerability?

    A: CVE-2022-3602 was originally assessed by the OpenSSL project as CRITICAL as it is an arbitrary 4-byte stack buffer overflow, and such vulnerabilities may lead to remote code execution (RCE).

    During the week of prenotification, several organisations performed testing and gave us feedback on the issue, looking at the technical details of the overflow and stack layout on common architectures and platforms.

    Firstly, we had reports that on certain Linux distributions the stack layout was such that the 4 bytes overwrote an adjacent buffer that was yet to be used and therefore there was no crash or ability to cause remote code execution.

    Secondly, many modern platforms implement stack overflow protections which would mitigate against the risk of remote code execution and usually lead to a crash instead.

    However as OpenSSL is distributed as source code we have no way of knowing how every platform and compiler combination has arranged the buffers on the stack and therefore remote code execution may still be possible on some platforms.

    CVE-2022-3786 was NOT rated as CRITICAL from the outset, because only the length and not the content of the overwrite is attacker controlled. Exposure to remote code execution is not expected on any platforms.

    Reply
  10. Tomi Engdahl says:

    OpenSSL hole patched, apparently not exploited in time
    https://etn.fi/index.php/13-news/14190-openssl-reikae-paikattiin-ei-ilmeisesti-ehditty-hyoedyntaeae

    A critical vulnerability was reported a week ago in the OpenSSL library, which encrypts a large share of internet traffic. The OpenSSL project released update version 3.0.7 yesterday. As far as is known, the vulnerability was not exploited in any way.

    The vulnerability affected OpenSSL versions from 3.0 onward. Earlier versions were not affected, as the code exploited by the bugs was only introduced into the library in version 3.0. OpenSSL has of course also published updates for earlier versions, but according to the project these are normal updates.

    Reply
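The two OpenSSL comments above give a defender the one fact that matters for triage: CVE-2022-3602 and CVE-2022-3786 affect OpenSSL 3.0.0 through 3.0.6 and are fixed in 3.0.7, while the 1.x series never contained the affected code. The following is an added example (not code from the articles or from the OpenSSL project) that turns that range into a fleet check: it parses version banners in the format printed by `openssl version`, classifies each as affected or not, and can also inspect the OpenSSL build linked into the running Python interpreter. The sample banners and host names are constructed for illustration.

```python
"""Triage helper for CVE-2022-3602 / CVE-2022-3786 (OpenSSL X.509 email
address overflows). Added example; not the OpenSSL project's own code.

Assumption (from the advisory as quoted in the thread): the affected range
is 3.0.0 <= version < 3.0.7, and 1.x / 3.1+ builds are not affected.
"""
import re
import ssl

FIRST_AFFECTED = (3, 0, 0)   # punycode-handling code first appeared in 3.0
FIXED_IN = (3, 0, 7)         # release that shipped the fix

# Matches banners such as "OpenSSL 3.0.5 5 Jul 2022" or "OpenSSL 1.1.1q  5 Jul 2022".
# The trailing letter of 1.x patch releases (e.g. "1.1.1q") is deliberately ignored,
# because the whole 1.x series is outside the affected range anyway.
_VERSION_RE = re.compile(r"\bOpenSSL\s+(\d+)\.(\d+)\.(\d+)")


def parse_openssl_version(banner: str):
    """Return (major, minor, patch) from an `openssl version` banner,
    or None when the banner is not an OpenSSL build (LibreSSL, BoringSSL, ...)."""
    match = _VERSION_RE.search(banner)
    if match is None:
        return None
    return tuple(int(part) for part in match.groups())


def is_affected(version) -> bool:
    """True when a (major, minor, patch) tuple lies inside the affected range."""
    return FIRST_AFFECTED <= tuple(version[:3]) < FIXED_IN


def assess(banner: str) -> str:
    """Classify a single banner: 'affected', 'not affected' or 'unknown'."""
    version = parse_openssl_version(banner)
    if version is None:
        return "unknown"          # not OpenSSL: needs a manual look, not a verdict
    return "affected" if is_affected(version) else "not affected"


def affected_hosts(inventory):
    """Given an iterable of (host, banner) pairs, return the hosts that still
    run an affected build, in input order."""
    return [host for host, banner in inventory if assess(banner) == "affected"]


def assess_runtime():
    """Check the OpenSSL that this Python interpreter itself is linked against."""
    return ssl.OPENSSL_VERSION, assess(ssl.OPENSSL_VERSION)


# Constructed sample inventory (fictional hosts and banners).
SAMPLE_INVENTORY = [
    ("web-01.example.test", "OpenSSL 3.0.5 5 Jul 2022"),
    ("web-02.example.test", "OpenSSL 3.0.7 1 Nov 2022"),
    ("legacy.example.test", "OpenSSL 1.1.1q  5 Jul 2022"),
    ("bsd.example.test", "LibreSSL 3.3.6"),
]

if __name__ == "__main__":
    for host, banner in SAMPLE_INVENTORY:
        print(f"{host:24} {banner:32} {assess(banner)}")
    print("this interpreter:", *assess_runtime())
```

The check treats a non-OpenSSL banner as "unknown" rather than "not affected", so a LibreSSL or BoringSSL host is flagged for a manual look instead of silently passing; that mirrors the advisory's own caution that the project cannot know how every platform and compiler has laid out the stack.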
  11. Tomi Engdahl says:

    Yle: Russia intruded into Finnish companies – expert warns against staying silent https://www.is.fi/digitoday/tietoturva/art-2000009175170.html

    Reply
  12. Tomi Engdahl says:

    Enforcement Authority warns of scam messages circulating in its name
    https://www.kauppalehti.fi/uutiset/ulosottolaitos-varoittaa-nimissaan-liikkuvista-huijausviesteista/228af845-c57d-4a5c-b45e-1fb7a93d9e71
    Scam messages are circulating in the name of the Enforcement Authority, the agency announces.
    According to the announcement, the text messages sent in the agency’s name threaten the recipient with seizure of property, and to avoid it the recipient is asked to pay money via a link in the message.

    Reply
  13. Tomi Engdahl says:

    This is how Putin’s hacker army works, which has also infiltrated Finnish companies https://yle.fi/uutiset/74-20002614?origin=rss
    Russian hackers constantly try to get into organizations important to Finland’s security. According to experts, they have succeeded.

    Reply
  14. Tomi Engdahl says:

    Emotet botnet starts blasting malware again after 5 month break https://www.bleepingcomputer.com/news/security/emotet-botnet-starts-blasting-malware-again-after-5-month-break/
    The Emotet malware operation is again spamming malicious emails after almost a five-month “vacation” that saw little activity from the notorious cybercrime operation. Emotet is a malware infection distributed through phishing campaigns containing malicious Excel or Word documents. When users open these documents and enable macros, the Emotet DLL will be downloaded and loaded into memory. Once loaded, the malware will search for and steal emails to use in future spam campaigns and drop additional payloads such as Cobalt Strike or other malware that commonly leads to ransomware attacks.

    Reply
  15. Tomi Engdahl says:

    Dozens of PyPI packages caught dropping ‘W4SP’ info-stealing malware https://www.bleepingcomputer.com/news/security/dozens-of-pypi-packages-caught-dropping-w4sp-info-stealing-malware/
    Researchers have discovered over two dozen Python packages on the PyPI registry that are pushing info-stealing malware. Most of these contain obfuscated code that drops “W4SP” info-stealer on infected machines, while others make use of malware purportedly created for “educational purposes” only.

    Reply
  16. Tomi Engdahl says:

    Dropbox admits 130 of its private GitHub repos were copied after phishing attack https://www.theregister.com/2022/11/01/dropbox_phishing_code_leak/
    Dropbox has said it was successfully phished, resulting in someone copying 130 of its private GitHub code repositories and swiping some of its secret API credentials. The cloud storage locker on Tuesday detailed the intrusion, and stated “no one’s content, passwords, or payment information was accessed, and the issue was quickly resolved.” “We believe the risk to customers is minimal,” the biz added.

    Reply
  17. Tomi Engdahl says:

    No, ‘Dropbox Hacker’ Hasn’t Stolen Passwords Or Data Of 700 Million Users
    https://www.forbes.com/sites/daveywinder/2022/11/02/no-dropbox-hacker-hasnt-stolen-passwords-or-data-of-700-million-users/?sh=3436351329b3
    So, what did the threat actor get access to? The Dropbox security team says that “these repositories included our own copies of third-party libraries slightly modified for use by Dropbox, internal prototypes, and some tools and configuration files used by the security team.
    Importantly, they did not include code for our core apps or infrastructure. Access to those repositories is even more limited and strictly controlled.” Importantly, it is confirmed that at no time did the threat actor have access to anyone’s Dropbox account, passwords or payment information.

    Reply
  18. Tomi Engdahl says:

    Malware on the Google Play store leads to harmful phishing sites https://www.malwarebytes.com/blog/news/2022/11/malware-on-the-google-play-store-leads-to-harmful-phishing-sites
    A family of malicious apps from developer Mobile apps Group are listed on Google Play and infected with Android/Trojan.HiddenAds.BTGTHB. In total, four apps are listed, and together they have amassed at least one million downloads. Older versions of these apps have been detected in the past as different variants of Android/Trojan.HiddenAds. Yet, the developer is still on Google Play dispensing its latest HiddenAds malware.

    Reply
  19. Tomi Engdahl says:

    WhatsApp ban reversed – Rovaniemi takes a timeout
    https://www.tivi.fi/uutiset/tv/6e3e55a2-3d10-4634-afc0-c5941ef1ca22
    We earlier reported how the city of Rovaniemi had decided to ban city employees from using any commercial instant messaging apps for work matters. The ban did not cover only the use of these apps; installing them on one’s own work device would also have been prohibited. Now the decision has been reversed, although avoiding the apps for work use is still recommended. The proposal concerning the use of instant messaging apps goes back for re-preparation, after which it will still come to the city manager for a decision.

    Reply
  20. Tomi Engdahl says:

    This is how a secret operation secured the data of Finnish companies leaving Russia – IT boss: “We used a dead man’s switch”
    https://yle.fi/uutiset/74-20003230?origin=rss
    The operation had to be done in secret so that the Russian IT department employees got no wind of it.

    Reply
  21. Tomi Engdahl says:

    Over 250 US News Websites Deliver Malware via Supply Chain Attack
    https://www.securityweek.com/over-250-us-news-websites-deliver-malware-supply-chain-attack

    Hundreds of regional and national news websites in the United States are delivering malware as a result of a supply chain attack involving one of their service providers.

    Cybersecurity company Proofpoint reported on Wednesday that a threat actor it tracks as TA569 appears to be behind the attack. The hackers have targeted an unnamed media company that serves many news outlets in the US.

    The service provider delivers content to its partners via a JavaScript file. The attacker modified the codebase of that script to push a piece of malware known as SocGholish to the affected news websites’ visitors.

    More than 250 news sites are impacted, including in Boston, New York, Chicago, Washington DC, Miami, Palm Beach and Cincinnati. The actual number of victims could be higher.

    “TA569 historically removed and reinstated these malicious JS injects on a rotating basis. Therefore the presence of the payload and malicious content can vary from hour to hour and shouldn’t be considered a false positive,” Proofpoint explained in a Twitter thread.

    https://twitter.com/threatinsight/status/1587865920130752515

    Proofpoint Threat Research has observed intermittent injections on a media company that serves many major news outlets. This media company serves content via #Javascript to its partners. By modifying the codebase of this otherwise benign JS, it is now used to deploy #SocGholish.

    Reply
  22. Tomi Engdahl says:

    French-Speaking Cybercrime Group Stole Millions From Banks
    https://www.securityweek.com/french-speaking-cybercrime-group-stole-millions-banks

    A French-speaking cybercrime group may have stolen more than $30 million from banks and other types of organizations in the past years, according to a new report published by cybersecurity firm Group-IB.

    The threat actor is tracked by Group-IB as Opera1er. Some of its activities were previously investigated by others, who have named it Common Raven, Desktop-Group, and NXSMS.

    The cybersecurity company is aware of 30 successful attacks conducted between 2019 and 2021 — in many cases the same victim was attacked multiple times. Most of the attacks targeted African banks, but the list of victims also includes financial services, mobile banking services, and telecoms firms. Victims were spotted across 15 countries in Africa, Latin America and Asia.

    Group-IB has confirmed the theft of $11 million from victims since 2019, but believes the cybercriminals could have made more than $30 million.

    Reply
  23. Tomi Engdahl says:

    Checkmk Vulnerabilities Can Be Chained for Remote Code Execution
    https://www.securityweek.com/checkmk-vulnerabilities-can-be-chained-remote-code-execution

    Researchers at code security firm Sonar Source have shared details on multiple Checkmk vulnerabilities that could be chained together to execute code remotely, without authentication.

    Written in Python and C++, Checkmk is an IT Infrastructure monitoring solution that allows organizations to monitor servers, containers, cloud infrastructure, networks, databases, and other assets using a single web interface.

    “According to the vendor’s website, more than 2,000 customers rely on Checkmk. Due to its purpose, Checkmk is a central component usually deployed at a privileged position in a company’s network. This makes it a high-profile target for threat actors,” Sonar Source notes.

    The company has identified four vulnerabilities in Checkmk and its NagVis integration, including two with a ‘critical’ severity rating (CVSS score of 9.1).

    https://blog.sonarsource.com/checkmk-rce-chain-1/

    Reply
  24. Tomi Engdahl says:

    Splunk Patches 9 High-Severity Vulnerabilities in Enterprise Product
    https://www.securityweek.com/splunk-patches-9-high-severity-vulnerabilities-enterprise-product

    Splunk announced on November 2 the release of a new set of quarterly patches for Splunk Enterprise, which include fixes for nine high-severity vulnerabilities.

    The most severe of these security defects have a CVSS score of 8.8 and are described as remote code execution (RCE), XML external entity (XXE) injection, and reflected cross-site scripting (XSS) bugs.

    Reply
  25. Tomi Engdahl says:

    Yle: Data breach at meat producer Snellman – the company knew of the vulnerability https://www.is.fi/digitoday/tietoturva/art-2000009179795.html

    Snellman is renewing its system, but an unknown attacker got in first, Yle reports.

    A data breach was detected on Monday in MEAT COMPANY Snellman’s Anelma information system, which is intended for its producers. According to Yle, data on 4000 persons may have been taken from the company during last weekend.

    Meat processing company Snellman hit by data breach – personal data of up to thousands of contract producers may have ended up in the wrong hands
    https://yle.fi/uutiset/74-20003459

    According to Snellman’s IT manager John Aspnäs, 4 000 persons may have been affected by the data leak. Based on log data, however, he estimates that the leak has been minor.

    Reply
  26. Tomi Engdahl says:

    Meat processing company Snellman hit by data breach – personal data of up to thousands of contract producers may have ended up in the wrong hands
    https://yle.fi/uutiset/74-20003459
    According to Snellman’s IT manager John Aspnäs, 4 000 persons may have been affected by the data leak. Based on log data, however, he estimates that the leak has been minor.

    Reply
  27. Tomi Engdahl says:

    Hundreds of U.S. news sites push malware in supply-chain attack https://www.bleepingcomputer.com/news/security/hundreds-of-us-news-sites-push-malware-in-supply-chain-attack/
    Threat actors are using the compromised infrastructure of an undisclosed media company to deploy the SocGholish JavaScript malware framework (also known as FakeUpdates) on the websites of hundreds of newspapers across the U.S. The threat actor behind this supply-chain attack (tracked by Proofpoint as TA569) has injected malicious code into a benign JavaScript file that gets loaded by the news outlets’ websites. This malicious JavaScript file is used to install SocGholish, which will infect those who visit the compromised websites with malware payloads camouflaged as fake browser updates delivered as ZIP archives (e.g., Chrom.Udat.zip, Chrome.Updater.zip, Firefo.Udat.zip, Oper.Updte.zip, Oper.Updte.zip) via fake update alerts.

    Reply
  28. Tomi Engdahl says:

    RomCom Threat Actor Abuses KeePass and SolarWinds to Target Ukraine and Potentially the United Kingdom https://blogs.blackberry.com/en/2022/11/romcom-spoofing-solarwinds-keepass
    In our latest discovery, our team found RomCom leveraging the following products in their campaigns: SolarWinds Network Performance Monitor, KeePass Open-Source Password Manager, and PDF Reader Pro. In preparation for an attack, the RomCom threat actor performs the following simplified scheme: scraping the original legitimate HTML code from the vendor to spoof, registering a malicious domain similar to the legitimate one, trojanizing a legitimate application, uploading a malicious bundle to the decoy website, deploying targeted phishing emails to the victims, or in some instances, using additional infection vectors, which we will go into in more detail below.

    Reply
  29. Tomi Engdahl says:

    Four-year cybercrime campaign targeting African banks netted $30 million https://www.cyberscoop.com/cybercriminals-hit-african-banks/
    A French-speaking cybercrime group has pulled off a series of heists over the last four years targeting firms in Africa, Asia and Latin America that have netted the group perhaps as much as $30 million.
    Using a combination of high-quality spear phishing and off-the-shelf tools the group has carried out more than 30 attacks targeting banks, financial services, and telecommunications firms, according to research on the group’s activities published Thursday. Also:
    https://www.group-ib.com/resources/threat-research/opera1er.html

    Reply
  30. Tomi Engdahl says:

    New SandStrike spyware targets Android users with booby-trapped VPN application https://www.kaspersky.com/about/press-releases/2022_new-sandstrike-spyware-targets-android-users-with-booby-trapped-vpn-application
    In the third quarter of 2022, Kaspersky researchers uncovered a previously unknown Android espionage campaign dubbed SandStrike. The actor targets a Persian-speaking religious minority, Bahá’í, via distributing a VPN app that contains highly sophisticated spyware.
    Kaspersky experts also discovered an advanced upgrade of the DeathNote cluster and – together with SentinelOne – investigated the never-seen-before malware Metatron. This and other discoveries are revealed in Kaspersky’s latest quarterly threat intelligence summary.

    Reply
  31. Tomi Engdahl says:

    Ministers are allowed to use WhatsApp and the government recommends Signal – in Rovaniemi’s daycare centres both were banned
    https://yle.fi/uutiset/74-20003374
    The instant messaging app ban that Rovaniemi declared early in the week and then reversed is quite unique. The city banned its employees from using commercial instant messaging apps such as WhatsApp, Signal and Telegram.

    Reply
  32. Tomi Engdahl says:

    LockBit ransomware claims attack on Continental automotive giant https://www.bleepingcomputer.com/news/security/lockbit-ransomware-claims-attack-on-continental-automotive-giant/
    The LockBit ransomware gang has claimed responsibility for a cyberattack against the German multinational automotive group Continental. Continental’s VP of Communications & Marketing, Kathryn Blackwell, didn’t confirm LockBit’s claims and would not share any details regarding the attack when BleepingComputer reached out but, instead, linked to a press release from August 24 regarding a cyberattack that led to a breach of Continental’s systems.

    Reply
  33. Tomi Engdahl says:

    Cyber incident at Boeing subsidiary causes flight planning disruptions https://therecord.media/cyber-incident-at-boeing-subsidiary-causes-flight-planning-disruptions/
    Jeppesen, a wholly-owned Boeing subsidiary that provides navigation and flight planning tools, confirmed on Thursday that it is dealing with a cybersecurity incident that has caused some flight disruptions.

    Reply
  34. Tomi Engdahl says:

    ALMA Observatory shuts down operations due to a cyberattack https://www.bleepingcomputer.com/news/security/alma-observatory-shuts-down-operations-due-to-a-cyberattack/
    The Atacama Large Millimeter Array (ALMA) Observatory in Chile has suspended all astronomical observation operations and taken its public website offline following a cyberattack on Saturday, October 29, 2022.
    The organization informed the public about the security incident on Twitter yesterday, saying that at this time, given the nature of the episode, it is impossible to estimate a date for a return to normal operations.

    Reply
  35. Tomi Engdahl says:

    Crimson Kingsnake: BEC Group Impersonates International Law Firms in Blind Third-Party Impersonation Attacks https://abnormalsecurity.com/blog/crimson-kingsnake-bec-group-attacks
    Uncovering how threat group Crimson Kingsnake uses third-party impersonation tactics to swindle organizations across the world.

    Reply
  36. Tomi Engdahl says:

    Black Basta Ransomware | Attacks Deploy Custom EDR Evasion Tools Tied to FIN7 Threat Actor https://www.sentinelone.com/labs/black-basta-ransomware-attacks-deploy-custom-edr-evasion-tools-tied-to-fin7-threat-actor/
    Our research indicates that the individuals behind Black Basta ransomware develop and maintain their own toolkit and either exclude affiliates or only collaborate with a limited and trusted set of affiliates, in similar ways to other ‘private’ ransomware groups such as Conti, TA505, and Evilcorp. SentinelLabs’ full report provides a detailed analysis of Black Basta’s operational TTPs, including the use of multiple custom tools likely developed by one or more FIN7 (aka Carbanak) developers. In this post, we summarize the report’s key findings.

    Reply
  37. Tomi Engdahl says:

    I love how the company responds after the Lock Picking Lawyer opens their $300+ lock, basically saying, “yea but not many break ins are from lock picking.”

    https://www.techradar.com/news/the-apple-stores-dollar330-level-lock-plus-smart-lock-isnt-as-secure-as-youd-think

    Reply
  38. Tomi Engdahl says:

    Meat processing company Snellman hit by data breach – personal data of up to thousands of contract producers may have ended up in the wrong hands
    According to Snellman’s IT manager John Aspnäs, 4 000 persons may have been affected by the data leak. Based on log data, however, he estimates that the leak has been minor.
    https://yle.fi/uutiset/74-20003459

    Reply
  39. Tomi Engdahl says:

    This is how a secret operation secured the data of Finnish companies leaving Russia – IT boss: “We used a dead man’s switch”
    The operation had to be done in secret so that the Russian IT department employees got no wind of it.
    https://yle.fi/uutiset/74-20003230

    Reply
  40. Tomi Engdahl says:

    Every ISP in the US has been ordered to block three pirate streaming services
    ISPs ordered to block the pirate websites “by any technological means available.”
    https://arstechnica.com/tech-policy/2022/05/judge-rules-every-isp-in-us-must-block-pirate-sites-run-by-mysterious-defendants/

    Reply
  41. Tomi Engdahl says:

    Firefox patches Windows 11 Ctrl+C hang, introduces new bug
    Copying text now works without issue, so naturally pasting is getting iffy
    https://www.theregister.com/2022/11/01/firefox_ctrlc_windows_11/

    Reply
