This posting is here to collect cyber security news in November 2022.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
349 Comments
Tomi Engdahl says:
Expert considers phone spying possible in Finland as well and gives advice on how to protect yourself https://www.is.fi/digitoday/tietoturva/art-2000009170395.html
Tomi Engdahl says:
Bed Bath & Beyond Investigating Data Breach After Employee Falls for Phishing Attack
https://www.securityweek.com/bed-bath-beyond-investigating-data-breach-after-employee-falls-phishing-attack
Tomi Engdahl says:
World’s second largest copper producer recovering from cyberattack https://therecord.media/worlds-second-largest-copper-producer-recovering-from-cyberattack/
The second largest copper producer in the world said it is recovering from a cyberattack that forced it to shut off several IT systems.
German firm Aurubis did not respond to requests for comment but released a statement on Friday saying that overnight, the company faced a cyberattack that “was apparently part of a larger attack on the metals and mining industry.”
Tomi Engdahl says:
Google ad for GIMP.org served info-stealing malware via lookalike site https://www.bleepingcomputer.com/news/security/google-ad-for-gimporg-served-info-stealing-malware-via-lookalike-site/
Searching for ‘GIMP’ on Google as recently as last week would show visitors an ad for ‘GIMP.org,’ the official website of the well-known graphics editor, GNU Image Manipulation Program. This ad would appear to be legitimate as it’d state ‘GIMP.org’ as the destination domain.
But clicking on it drove visitors to a lookalike phishing website that provided them with a 700 MB executable disguised as GIMP which, in reality, was malware.
Tomi Engdahl says:
New Hampshire set to pilot voting machines that use software everyone can see https://therecord.media/new-hampshire-set-to-pilot-voting-machines-that-use-software-everyone-can-see/
Next week, three towns in New Hampshire will embark on a grand electoral experiment, Click Here and The Record have learned. On November 8, the Granite State will pilot a new kind of voting machine that will use open-source software, software that everyone can examine, to tally the votes.
Tomi Engdahl says:
Ecuador’s military denies ransomware attack after website goes offline https://therecord.media/ecuadors-military-denies-ransomware-attack-after-website-goes-offline/
Military officials in Ecuador denied reports that a ransomware group launched an attack on their systems and stole confidential data. On Saturday, the Joint Command of the Armed Forces of Ecuador released a statement on Twitter addressing rumors that emerged when the BlackCat ransomware group added the organization to its leak site on October 26. The country’s Cyber Defense Command conducted an investigation after the ransomware rumors began and “determined that the digital systems and website of the Joint Command of the Armed Forces have not been compromised at any level.” “These systems are currently in a process of preventive maintenance as a safety measure,” the statement said, adding that systems would be restored once “technical work” is completed.
Tomi Engdahl says:
‘CosMiss’ vulnerability found in Microsoft Azure developer tool https://therecord.media/cosmiss-vulnerability-found-in-microsoft-azure-developer-tool/
Microsoft addressed a vulnerability affecting a tool used by developers within its Azure cloud computing service, according to researchers from the tech giant and cybersecurity firm Orca Security.
Both released a report on Tuesday outlining a vulnerability dubbed “CosMiss” in Jupyter Notebooks for Azure Cosmos DB, an open-source interactive developer environment allowing users to create and share documents that have live code, equations and more.
Tomi Engdahl says:
HACKED DOCUMENTS: HOW IRAN CAN TRACK AND CONTROL PROTESTERS’ PHONES https://theintercept.com/2022/10/28/iran-protests-phone-surveillance/
The documents provide an inside look at an Iranian government program that lets authorities monitor and manipulate people’s phones.
Tomi Engdahl says:
Microsoft Patches Azure Cosmos DB Flaw Leading to Remote Code Execution
https://www.securityweek.com/microsoft-patches-azure-cosmos-db-flaw-leading-remote-code-execution
A missing authentication check vulnerability in Azure Cosmos DB could have allowed an attacker to execute arbitrary code remotely, Orca Security warns.
Azure Cosmos DB is a NoSQL database used on e-commerce platforms to store catalog data, and in order processing pipelines for event sourcing.
The security defect was identified in Azure Cosmos DB Jupyter notebooks, an open-source interactive developer environment (IDE) that allows developers to share documents, live code, visualizations, and more. Built into Azure Cosmos DB, Jupyter notebooks may contain secrets and private keys.
Referred to as CosMiss, the flaw could have allowed an attacker with knowledge of the notebook workspace UUID, also known as ‘forwardingId’, to access the notebook without authentication.
https://orca.security/resources/blog/cosmiss-vulnerability-azure-cosmos-db/
Tomi Engdahl says:
Anxiously Awaited OpenSSL Vulnerability’s Severity Downgraded From Critical to High
https://www.securityweek.com/anxiously-awaited-openssl-vulnerabilitys-severity-downgraded-critical-high
The OpenSSL Project on Tuesday announced the release of OpenSSL 3.0.7. Everyone was anxiously awaiting to learn the details of the first critical vulnerability discovered since 2016, but the project’s developers decided to downgrade the flaw’s severity rating.
The OpenSSL Project revealed last week that an update for OpenSSL 3.0 would address a critical vulnerability. That flaw is tracked as CVE-2022-3602 and it has been described as a buffer overrun that can be triggered in X.509 certificate verification. Exploitation of the flaw could lead to a denial-of-service (DoS) condition caused by a crash, or even remote code execution.
“An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack,” explains the advisory for CVE-2022-3602.
The advisory adds, “In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects.”
However, mitigating factors have led developers to reassess its impact and assign it a ‘high’ severity rating instead of ‘critical’.
“Many platforms implement stack overflow protections which would mitigate against the risk of remote code execution. The risk may be further mitigated based on stack layout for any given platform/compiler,” the OpenSSL team explained.
In a blog post, the OpenSSL Project shared more information on why the vulnerability’s severity rating was downgraded.
CVE-2022-3602 was originally assessed by the OpenSSL project as CRITICAL as it is an arbitrary 4-byte stack buffer overflow, and such vulnerabilities may lead to remote code execution (RCE).
During the week of prenotification, several organisations performed testing and gave us feedback on the issue, looking at the technical details of the overflow and stack layout on common architectures and platforms.
Firstly, we had reports that on certain Linux distributions the stack layout was such that the 4 bytes overwrote an adjacent buffer that was yet to be used and therefore there was no crash or ability to cause remote code execution.
Secondly, many modern platforms implement stack overflow protections which would mitigate against the risk of remote code execution and usually lead to a crash instead.
However as OpenSSL is distributed as source code we have no way of knowing how every platform and compiler combination has arranged the buffers on the stack and therefore remote code execution may still be possible on some platforms.
OpenSSL 3.0.7 also patches another similar high-severity vulnerability, CVE-2022-3786, which can result in a crash and a DoS condition.
While none of the security holes are critical, users are still encouraged to update their dependencies.
CVE-2022-3786 and CVE-2022-3602: X.509 Email Address Buffer Overflows
https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/
Today we published an advisory about CVE-2022-3786 (“X.509 Email Address Variable Length Buffer Overflow”) and CVE-2022-3602 (“X.509 Email Address 4-byte Buffer Overflow”).
Q: The 3.0.7 release was announced as fixing a CRITICAL vulnerability, but CVE-2022-3786 and CVE-2022-3602 are both HIGH. What happened to the CRITICAL vulnerability?
A: CVE-2022-3602 was originally assessed by the OpenSSL project as CRITICAL as it is an arbitrary 4-byte stack buffer overflow, and such vulnerabilities may lead to remote code execution (RCE).
During the week of prenotification, several organisations performed testing and gave us feedback on the issue, looking at the technical details of the overflow and stack layout on common architectures and platforms.
Firstly, we had reports that on certain Linux distributions the stack layout was such that the 4 bytes overwrote an adjacent buffer that was yet to be used and therefore there was no crash or ability to cause remote code execution.
Secondly, many modern platforms implement stack overflow protections which would mitigate against the risk of remote code execution and usually lead to a crash instead.
However as OpenSSL is distributed as source code we have no way of knowing how every platform and compiler combination has arranged the buffers on the stack and therefore remote code execution may still be possible on some platforms.
CVE-2022-3786 was NOT rated as CRITICAL from the outset, because only the length and not the content of the overwrite is attacker controlled. Exposure to remote code execution is not expected on any platforms.
Tomi Engdahl says:
OpenSSL hole patched, apparently not exploited in time
https://etn.fi/index.php/13-news/14190-openssl-reikae-paikattiin-ei-ilmeisesti-ehditty-hyoedyntaeae
A critical vulnerability was reported a week ago in the OpenSSL library, which encrypts a large share of internet traffic. The OpenSSL project released update version 3.0.7 yesterday. As far as is known, the vulnerability was not exploited in any way before the fix.
The vulnerability affected OpenSSL versions from 3.0 onwards. Earlier versions were not affected, because the code the bugs exploit was only introduced into the libraries in version 3.0. OpenSSL has of course also published updates for earlier versions, but according to the project these are normal updates.
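As an added example (not part of the original posts or of the OpenSSL project's code), a small Python check that classifies an `openssl version` string against the affected range the two comments above describe: OpenSSL 3.0.0 through 3.0.6 are affected by CVE-2022-3602 and CVE-2022-3786, 3.0.7 is the fix, and the pre-3.0 branches never contained the affected code. The sample version strings are constructed; the range itself comes from the advisory text quoted above.

```python
import re
import subprocess

# Range from the OpenSSL advisory: 3.0.0 up to (but not including) 3.0.7 is affected.
# 1.1.1 and 1.0.2 never contained the X.509 email address (punycode) code paths.
FIRST_AFFECTED = (3, 0, 0)
FIXED_VERSION = (3, 0, 7)

# Matches e.g. "OpenSSL 3.0.5 5 Jul 2022" and "OpenSSL 1.1.1q  5 Jul 2022".
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Parse the output of `openssl version` into (major, minor, patch, letter).

    Returns None when the string is not an OpenSSL version line (for example
    LibreSSL or BoringSSL output), so the caller does not mis-classify it.
    """
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, letter = m.groups()
    return (int(major), int(minor), int(patch), letter)


def is_affected(version):
    """True if the parsed version falls in the CVE-2022-3602 / CVE-2022-3786 range."""
    if version is None:
        return False
    return FIRST_AFFECTED <= version[:3] < FIXED_VERSION


def assess(text):
    """Return a short verdict string for one `openssl version` output line."""
    v = parse_openssl_version(text)
    if v is None:
        return "unrecognised: not an OpenSSL version string"
    if is_affected(v):
        return "AFFECTED: upgrade to OpenSSL 3.0.7 or later"
    if v[:3] >= FIXED_VERSION:
        return "patched: 3.0.7 or later"
    return "not affected: pre-3.0 branch"


def local_openssl_version():
    """Run `openssl version` on this host; returns its stdout, or None if unavailable.

    Caveat: this only checks the command-line binary. Applications that bundle or
    statically link their own OpenSSL 3.0.x must be checked separately.
    """
    try:
        proc = subprocess.run(["openssl", "version"], capture_output=True,
                              text=True, timeout=5)
    except (OSError, subprocess.TimeoutExpired):
        return None
    return proc.stdout.strip() or None


# Constructed sample outputs covering each branch of the classification.
SAMPLES = [
    "OpenSSL 3.0.5 5 Jul 2022",
    "OpenSSL 3.0.7 1 Nov 2022",
    "OpenSSL 1.1.1q  5 Jul 2022",
    "LibreSSL 3.3.6",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:32} -> {assess(sample)}")
    local = local_openssl_version()
    if local:
        print(f"this host: {local!r} -> {assess(local)}")
```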
Tomi Engdahl says:
Yle: Russia broke into Finnish companies; expert warns against staying silent https://www.is.fi/digitoday/tietoturva/art-2000009175170.html
Tomi Engdahl says:
The Finnish Enforcement Authority warns of scam messages circulating in its name
https://www.kauppalehti.fi/uutiset/ulosottolaitos-varoittaa-nimissaan-liikkuvista-huijausviesteista/228af845-c57d-4a5c-b45e-1fb7a93d9e71
Scam messages are circulating in the name of the Enforcement Authority (Ulosottolaitos), the agency announces.
According to the announcement, the text messages sent in the agency’s name threaten the recipient with seizure of property, and to avoid it the recipient is asked to pay money through a link in the message.
Tomi Engdahl says:
This is how Putin’s hacker army works, and it has infiltrated Finnish companies too https://yle.fi/uutiset/74-20002614?origin=rss
Russian hackers are constantly trying to get into organizations that are important to Finland’s security. According to experts, they have succeeded.
Tomi Engdahl says:
Emotet botnet starts blasting malware again after 5 month break https://www.bleepingcomputer.com/news/security/emotet-botnet-starts-blasting-malware-again-after-5-month-break/
The Emotet malware operation is again spamming malicious emails after almost a five-month “vacation” that saw little activity from the notorious cybercrime operation. Emotet is a malware infection distributed through phishing campaigns containing malicious Excel or Word documents. When users open these documents and enable macros, the Emotet DLL will be downloaded and loaded into memory. Once loaded, the malware will search for and steal emails to use in future spam campaigns and drop additional payloads such as Cobalt Strike or other malware that commonly leads to ransomware attacks.
Tomi Engdahl says:
Dozens of PyPI packages caught dropping ‘W4SP’ info-stealing malware https://www.bleepingcomputer.com/news/security/dozens-of-pypi-packages-caught-dropping-w4sp-info-stealing-malware/
Researchers have discovered over two dozen Python packages on the PyPI registry that are pushing info-stealing malware. Most of these contain obfuscated code that drops “W4SP” info-stealer on infected machines, while others make use of malware purportedly created for “educational purposes” only.
Tomi Engdahl says:
Dropbox admits 130 of its private GitHub repos were copied after phishing attack https://www.theregister.com/2022/11/01/dropbox_phishing_code_leak/
Dropbox has said it was successfully phished, resulting in someone copying 130 of its private GitHub code repositories and swiping some of its secret API credentials. The cloud storage locker on Tuesday detailed the intrusion, and stated “no one’s content, passwords, or payment information was accessed, and the issue was quickly resolved.” “We believe the risk to customers is minimal,” the biz added.
Tomi Engdahl says:
No, ‘Dropbox Hacker’ Hasn’t Stolen Passwords Or Data Of 700 Million Users
https://www.forbes.com/sites/daveywinder/2022/11/02/no-dropbox-hacker-hasnt-stolen-passwords-or-data-of-700-million-users/?sh=3436351329b3
So, what did the threat actor get access to? The Dropbox security team says that “these repositories included our own copies of third-party libraries slightly modified for use by Dropbox, internal prototypes, and some tools and configuration files used by the security team.
Importantly, they did not include code for our core apps or infrastructure. Access to those repositories is even more limited and strictly controlled.” Importantly, it is confirmed that at no time did the threat actor have access to anyone’s Dropbox account, passwords or payment information.
Tomi Engdahl says:
Malware on the Google Play store leads to harmful phishing sites https://www.malwarebytes.com/blog/news/2022/11/malware-on-the-google-play-store-leads-to-harmful-phishing-sites
A family of malicious apps from developer Mobile apps Group are listed on Google Play and infected with Android/Trojan.HiddenAds.BTGTHB. In total, four apps are listed, and together they have amassed at least one million downloads. Older versions of these apps have been detected in the past as different variants of Android/Trojan.HiddenAds. Yet, the developer is still on Google Play dispensing its latest HiddenAds malware.
Tomi Engdahl says:
WhatsApp ban reversed: Rovaniemi takes a time-out
https://www.tivi.fi/uutiset/tv/6e3e55a2-3d10-4634-afc0-c5941ef1ca22
Earlier we reported how the city of Rovaniemi had decided to forbid city employees from using any commercial instant messaging application for work matters. The ban did not only cover using these applications; installing them on one’s own work device would also have been prohibited. Now the decision has been reversed, although avoiding the applications for work use is still recommended. The proposal on the use of instant messaging applications goes back for re-preparation, after which it will still go to the city manager for a decision.
Tomi Engdahl says:
How a secret operation secured the data of Finnish companies leaving Russia; IT boss: “We used a dead man’s switch”
https://yle.fi/uutiset/74-20003230?origin=rss
The operation had to be carried out in secret so that the Russian IT department staff would not get wind of it.
Tomi Engdahl says:
Over 250 US News Websites Deliver Malware via Supply Chain Attack
https://www.securityweek.com/over-250-us-news-websites-deliver-malware-supply-chain-attack
Hundreds of regional and national news websites in the United States are delivering malware as a result of a supply chain attack involving one of their service providers.
Cybersecurity company Proofpoint reported on Wednesday that a threat actor it tracks as TA569 appears to be behind the attack. The hackers have targeted an unnamed media company that serves many news outlets in the US.
The service provider delivers content to its partners via a JavaScript file. The attacker modified the codebase of that script to push a piece of malware known as SocGholish to the affected news websites’ visitors.
More than 250 news sites are impacted, including in Boston, New York, Chicago, Washington DC, Miami, Palm Beach and Cincinnati. The actual number of victims could be higher.
“TA569 historically removed and reinstated these malicious JS injects on a rotating basis. Therefore the presence of the payload and malicious content can vary from hour to hour and shouldn’t be considered a false positive,” Proofpoint explained in a Twitter thread.
https://twitter.com/threatinsight/status/1587865920130752515
Proofpoint Threat Research has observed intermittent injections on a media company that serves many major news outlets. This media company serves content via #Javascript to its partners. By modifying the codebase of this otherwise benign JS, it is now used to deploy #SocGholish.
Tomi Engdahl says:
French-Speaking Cybercrime Group Stole Millions From Banks
https://www.securityweek.com/french-speaking-cybercrime-group-stole-millions-banks
A French-speaking cybercrime group may have stolen more than $30 million from banks and other types of organizations in the past years, according to a new report published by cybersecurity firm Group-IB.
The threat actor is tracked by Group-IB as Opera1er. Some of its activities were previously investigated by others, who have named it Common Raven, Desktop-Group, and NXSMS.
The cybersecurity company is aware of 30 successful attacks conducted between 2019 and 2021 — in many cases the same victim was attacked multiple times. Most of the attacks targeted African banks, but the list of victims also includes financial services, mobile banking services, and telecoms firms. Victims were spotted across 15 countries in Africa, Latin America and Asia.
Group-IB has confirmed the theft of $11 million from victims since 2019, but believes the cybercriminals could have made more than $30 million.
Tomi Engdahl says:
Checkmk Vulnerabilities Can Be Chained for Remote Code Execution
https://www.securityweek.com/checkmk-vulnerabilities-can-be-chained-remote-code-execution
Researchers at code security firm Sonar Source have shared details on multiple Checkmk vulnerabilities that could be chained together to execute code remotely, without authentication.
Written in Python and C++, Checkmk is an IT Infrastructure monitoring solution that allows organizations to monitor servers, containers, cloud infrastructure, networks, databases, and other assets using a single web interface.
“According to the vendor’s website, more than 2,000 customers rely on Checkmk. Due to its purpose, Checkmk is a central component usually deployed at a privileged position in a company’s network. This makes it a high-profile target for threat actors,” Sonar Source notes.
The company has identified four vulnerabilities in Checkmk and its NagVis integration, including two with a ‘critical’ severity rating (CVSS score of 9.1).
https://blog.sonarsource.com/checkmk-rce-chain-1/
Tomi Engdahl says:
Splunk Patches 9 High-Severity Vulnerabilities in Enterprise Product
https://www.securityweek.com/splunk-patches-9-high-severity-vulnerabilities-enterprise-product
Splunk announced on November 2 the release of a new set of quarterly patches for Splunk Enterprise, which include fixes for nine high-severity vulnerabilities.
The most severe of these security defects have a CVSS score of 8.8 and are described as remote code execution (RCE), XML external entity (XXE) injection, and reflected cross-site scripting (XSS) bugs.
Tomi Engdahl says:
Yle: Data breach at meat producer Snellman; the company knew about the vulnerability https://www.is.fi/digitoday/tietoturva/art-2000009179795.html
Snellman is renewing its system, but an unknown attacker got in first, Yle reports.
A data breach was detected on Monday in the Anelma information system used by MEAT COMPANY Snellman’s producers. According to Yle, the data of 4,000 people may have been taken from the company over the past weekend.
Meat processing company Snellman hit by a data breach; the personal data of up to thousands of contract producers may have ended up in the wrong hands
https://yle.fi/uutiset/74-20003459
According to Snellman’s IT manager John Aspnäs, up to 4,000 people may have been affected by the data leak. Based on log data, however, he estimates that the leak was minor.
Tomi Engdahl says:
Hundreds of U.S. news sites push malware in supply-chain attack https://www.bleepingcomputer.com/news/security/hundreds-of-us-news-sites-push-malware-in-supply-chain-attack/
Threat actors are using the compromised infrastructure of an undisclosed media company to deploy the SocGholish JavaScript malware framework (also known as FakeUpdates) on the websites of hundreds of newspapers across the U.S. The threat actor behind this supply-chain attack (tracked by Proofpoint as TA569) has injected malicious code into a benign JavaScript file that gets loaded by the news outlets’ websites. This malicious JavaScript file is used to install SocGholish, which will infect those who visit the compromised websites with malware payloads camouflaged as fake browser updates delivered as ZIP archives (e.g., Chrom.Udat.zip, Chrome.Updater.zip, Firefo.Udat.zip, Oper.Updte.zip, Oper.Updte.zip) via fake update alerts.
Tomi Engdahl says:
RomCom Threat Actor Abuses KeePass and SolarWinds to Target Ukraine and Potentially the United Kingdom https://blogs.blackberry.com/en/2022/11/romcom-spoofing-solarwinds-keepass
In our latest discovery, our team found RomCom leveraging the following products in their campaigns: SolarWinds Network Performance Monitor, KeePass Open-Source Password Manager, and PDF Reader Pro. In preparation for an attack, the RomCom threat actor performs the following simplified scheme: scraping the original legitimate HTML code from the vendor to spoof, registering a malicious domain similar to the legitimate one, trojanizing a legitimate application, uploading a malicious bundle to the decoy website, deploying targeted phishing emails to the victims, or in some instances, using additional infection vectors, which we will go into in more detail below.
Tomi Engdahl says:
Four-year cybercrime campaign targeting African banks netted $30 million https://www.cyberscoop.com/cybercriminals-hit-african-banks/
A French-speaking cybercrime group has pulled off a series of heists over the last four years targeting firms in Africa, Asia and Latin America that have netted the group perhaps as much as $30 million.
Using a combination of high-quality spear phishing and off-the-shelf tools, the group has carried out more than 30 attacks targeting banks, financial services, and telecommunications firms, according to research on the group’s activities published Thursday. Also:
https://www.group-ib.com/resources/threat-research/opera1er.html
Tomi Engdahl says:
New SandStrike spyware targets Android users with booby-trapped VPN application https://www.kaspersky.com/about/press-releases/2022_new-sandstrike-spyware-targets-android-users-with-booby-trapped-vpn-application
In the third quarter of 2022, Kaspersky researchers uncovered a previously unknown Android espionage campaign dubbed SandStrike. The actor targets a Persian-speaking religious minority, the Bahá’í, by distributing a VPN app that contains highly sophisticated spyware.
Kaspersky experts also discovered an advanced upgrade of the DeathNote cluster and – together with SentinelOne – investigated the never-seen-before malware Metatron. This, and other discoveries, are revealed in Kaspersky’s latest quarterly threat intelligence summary.
Tomi Engdahl says:
Ministers are allowed to use WhatsApp and the Government recommends Signal; in Rovaniemi’s daycare centres both were banned
https://yle.fi/uutiset/74-20003374
The instant messaging app ban that Rovaniemi declared early in the week and then reversed is quite unique. The city forbade its employees from using commercial instant messaging applications such as WhatsApp, Signal and Telegram.
Tomi Engdahl says:
LockBit ransomware claims attack on Continental automotive giant https://www.bleepingcomputer.com/news/security/lockbit-ransomware-claims-attack-on-continental-automotive-giant/
The LockBit ransomware gang has claimed responsibility for a cyberattack against the German multinational automotive group Continental. Continental’s VP of Communications & Marketing, Kathryn Blackwell, didn’t confirm LockBit’s claims and would not share any details regarding the attack when BleepingComputer reached out but, instead, linked to a press release from August 24 regarding a cyberattack that led to a breach of Continental’s systems.
Tomi Engdahl says:
Cyber incident at Boeing subsidiary causes flight planning disruptions https://therecord.media/cyber-incident-at-boeing-subsidiary-causes-flight-planning-disruptions/
Jeppesen, a wholly-owned Boeing subsidiary that provides navigation and flight planning tools, confirmed on Thursday that it is dealing with a cybersecurity incident that has caused some flight disruptions.
Tomi Engdahl says:
ALMA Observatory shuts down operations due to a cyberattack https://www.bleepingcomputer.com/news/security/alma-observatory-shuts-down-operations-due-to-a-cyberattack/
The Atacama Large Millimeter Array (ALMA) Observatory in Chile has suspended all astronomical observation operations and taken its public website offline following a cyberattack on Saturday, October 29, 2022.
The organization informed the public about the security incident on Twitter yesterday, saying that at this time, given the nature of the episode, it is impossible to estimate a date for a return to normal operations.
Tomi Engdahl says:
Crimson Kingsnake: BEC Group Impersonates International Law Firms in Blind Third-Party Impersonation Attacks https://abnormalsecurity.com/blog/crimson-kingsnake-bec-group-attacks
Uncovering how threat group Crimson Kingsnake uses third-party impersonation tactics to swindle organizations across the world.
Tomi Engdahl says:
Black Basta Ransomware | Attacks Deploy Custom EDR Evasion Tools Tied to FIN7 Threat Actor https://www.sentinelone.com/labs/black-basta-ransomware-attacks-deploy-custom-edr-evasion-tools-tied-to-fin7-threat-actor/
Our research indicates that the individuals behind Black Basta ransomware develop and maintain their own toolkit and either exclude affiliates or only collaborate with a limited and trusted set of affiliates, in similar ways to other ‘private’ ransomware groups such as Conti, TA505, and Evilcorp. SentinelLabs’ full report provides a detailed analysis of Black Basta’s operational TTPs, including the use of multiple custom tools likely developed by one or more FIN7 (aka Carbanak) developers. In this post, we summarize the report’s key findings.
Tomi Engdahl says:
I love how the company responds after the Lock Picking Lawyer opens their $300+ lock, basically saying, “yea but not many break ins are from lock picking.”
https://www.techradar.com/news/the-apple-stores-dollar330-level-lock-plus-smart-lock-isnt-as-secure-as-youd-think
Tomi Engdahl says:
https://blog.cloudflare.com/cloudflare-is-not-affected-by-the-openssl-vulnerabilities-cve-2022-3602-and-cve-2022-37/
Tomi Engdahl says:
https://hothardware.com/news/hackers-stole-130-source-code-github-repos-dropbox-data-breach
Tomi Engdahl says:
Every ISP in the US has been ordered to block three pirate streaming services
ISPs ordered to block the pirate websites “by any technological means available.”
https://arstechnica.com/tech-policy/2022/05/judge-rules-every-isp-in-us-must-block-pirate-sites-run-by-mysterious-defendants/
Tomi Engdahl says:
https://www.laptopmag.com/news/3-android-apps-are-using-a-sneaky-trick-to-steal-banking-info-remove-them-asap-before-youre-next
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/microsoft/microsoft-windows-domain-joins-may-fail-after-october-updates/
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/hacking-group-abuses-antivirus-software-to-launch-lodeinfo-malware/
Tomi Engdahl says:
Firefox patches Windows 11 Ctrl+C hang, introduces new bug
Copying text now works without issue, so naturally pasting is getting iffy
https://www.theregister.com/2022/11/01/firefox_ctrlc_windows_11/
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/new-azov-data-wiper-tries-to-frame-researchers-and-bleepingcomputer/
Tomi Engdahl says:
https://www.wired.com/story/satellite-hacking-anit-f1r-shadytel/#intcid=_wired-verso-hp-trending_1d942df1-65fe-4684-be2d-28c0b292f898_popular4-1