This posting is here to collect cyber security news in November 2022.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
This posting is here to collect cyber security news in November 2022.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
349 Comments
Tomi Engdahl says:
iPhone zero-day. Update your devices now!
https://www.malwarebytes.com/blog/news/2022/10/zero-day-threat-discovered-for-iphones-and-ipads.-update-your-devices-now
Tomi Engdahl says:
https://cybernews.com/news/linkedin-woes-pile-up-as-200k-records-are-leaked/
Tomi Engdahl says:
Why Is My Cat Using Baidu? And Other IoT DNS Oddities
https://mobile.slashdot.org/story/22/10/29/0447211/why-is-my-cat-using-baidu-and-other-iot-dns-oddities
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/microsoft/microsoft-releases-out-of-band-updates-to-fix-onedrive-crashes/
Tomi Engdahl says:
Henry Johanssonin epäilykset heräsivät, kun äiti löysi upean miehen netistä – pian hän joutui mukaan sotkuun, joka tuhosi äidiltä kaiken
https://yle.fi/uutiset/74-20003389
Rakkaushuijaukset ovat nousseet taloudellisesti merkittävimmäksi petosmuodoksi Suomessa. Poliisihallituksen tietojen mukaan yli 80 prosenttia huijatuksi joutuneista menettää antamansa rahat. Uusi tuttavuus paljastui rakkaushuijariksi, jolle äiti menetti kaikki rahansa. Hän lähetti eri tileille yhteensä 130 000 euroa.
Tomi Engdahl says:
ACE seizes 42 soccer and live TV piracy web domains with millions of visitors https://www.bleepingcomputer.com/news/technology/ace-seizes-42-soccer-and-live-tv-piracy-web-domains-with-millions-of-visitors/
The Alliance for Creativity and Entertainment (ACE) has shut down 42 websites for the pirated streaming of televised soccer games and live TV, seizing their domains and taking down the illegal streaming services. The now-defunct websites accumulated over 308 million visits in the past six months. Due to the upcoming 2022 FIFA World Cup in Qatar, set to begin on November 20, 2022, interest was growing steadily.
Tomi Engdahl says:
Insurance giant settles NotPetya lawsuit, signaling cyber insurance shakeup https://www.cyberscoop.com/insurance-giant-settles-notpetya-lawsuit/
The settlement last week in a $100 million lawsuit over whether insurance giant Zurich should cover losses Mondelez International suffered from NotPetya may very well reshape the entire cyber insurance marketplace.
Tomi Engdahl says:
Researchers Uncover 29 Malicious PyPI Packages Targeted Developers with W4SP Stealer https://thehackernews.com/2022/11/researchers-uncover-29-malicious-pypi.html
Cybersecurity researchers have uncovered 29 packages in Python Package Index (PyPI), the official third-party software repository for the Python programming language, that aim to infect developers’ machines with a malware called W4SP Stealer. “The main attack seems to have started around October 12, 2022, slowly picking up steam to a concentrated effort around October 22, ” software supply chain security company Phylum said in a report published this week. Phylum
report:
https://blog.phylum.io/phylum-discovers-dozens-more-pypi-packages-attempting-to-deliver-w4sp-stealer-in-ongoing-supply-chain-attack
Tomi Engdahl says:
Phishers Abuse Microsoft Voicemail Service to Trick Users https://www.infosecurity-magazine.com/news/phishers-abuse-microsoft-voicemail/
Security researchers are warning of a new phishing campaign that abuses Microsoft Dynamics 365 Customer Voice to trick recipients into handing over their credentials. also:
https://www.avanan.com/blog/abusing-microsoft-customer-voice-to-send-phishing-links
Tomi Engdahl says:
At the end of October, a cyber attack caused the trains to stop in Denmark, the attack hit a third-party IT service provider https://securityaffairs.co/wordpress/138127/cyber-crime/cyberattack-blocked-trains-denmark.html
A cyber attack caused training the trains operated by DSB to stop in Denmark the last weekend, threat actors hit a third-party IT service provider. The attack hit the Danish company Supeo which provides enterprise asset management solutions to railway companies, transportation infrastructure operators and public passenger authorities. DSB is the largest train operating company in Denmark.
also:
https://www.dr.dk/nyheder/indland/leverandoer-lukkede-it-system-efter-sikkerhedsbrist-og-pludselig-stod-alle-tog-i
Tomi Engdahl says:
LockBit 3.0 gang claims to have stolen data from Kearney & Company https://securityaffairs.co/wordpress/138136/cyber-crime/lockbit-ransomware-kearney-company.html
The ransomware group LockBit claimed to have stolen data from consulting and IT services provider Kearney & Company.
Tomi Engdahl says:
Kyberturvallisuuskeskuksen viikkokatsaus – 44/2022
https://www.kyberturvallisuuskeskus.fi/fi/ajankohtaista/kyberturvallisuuskeskuksen-viikkokatsaus-442022
Tämä on Kyberturvallisuuskeskuksen viikkokatsaus (raportointijakso 28.10. – 3.11.2022). Viikkokatsauksessa jaamme tietoa ajankohtaisista kyberilmiöistä. Viikkokatsaus on tarkoitettu laajalle yleisölle kyberturvallisuuden ammattilaisista tavallisiin kansalaisiin.
Tomi Engdahl says:
A Very Powerful Clipboard: Analysis of a Samsung in-the-wild exploit chain https://googleprojectzero.blogspot.com/2022/11/a-very-powerful-clipboard-samsung-in-the-wild-exploit-chain.html
As defenders, in-the-wild exploit samples give us important insight into what attackers are really doing. We get the “ground truth” data about the vulnerabilities and exploit techniques they’re using, which then informs our further research and guidance to security teams on what could have the biggest impact or return on investment. This in-the-wild exploit chain is a great example of different attack surfaces and “shape” than many of the Android exploits we’ve seen in the past. All three vulnerabilities in this chain were in the manufacturer’s custom components rather than in the AOSP platform or the Linux kernel. The analysis of this exploit chain has provided us with new and important insights into how attackers are targeting Android devices. It highlights a need for more research into manufacturer specific components.
Tomi Engdahl says:
British govt is scanning all Internet devices hosted in UK https://www.bleepingcomputer.com/news/security/british-govt-is-scanning-all-internet-devices-hosted-in-uk/
The United Kingdom’s National Cyber Security Centre (NCSC), the government agency that leads the country’s cyber security mission, is now scanning all Internet-exposed devices hosted in the UK for vulnerabilities. The goal is to assess UK’s vulnerability to cyber-attacks and to help the owners of Internet-connected systems understand their security posture. “These activities cover any internet-accessible system that is hosted within the UK and vulnerabilities that are common or particularly important due to their high impact, ” the agency said.
Tomi Engdahl says:
https://www.securityweek.com/surveillance-existential-danger-tech-signal-boss
Tomi Engdahl says:
Medibank Confirms Data Breach Impacts 9.7 Million Customers
https://www.securityweek.com/medibank-confirms-data-breach-impacts-97-million-customers
Australian health insurer Medibank today confirmed that the data of 9.7 million customers was compromised in a recent cyberattack.
The incident was identified on October 12, before threat actors could deploy file-encrypting ransomware, but not before they stole data from the company’s systems.
Medibank, which immediately initiated incident response and launched an investigation into the attack, could not determine whether customer data was compromised until contacted by the threat actor behind the data breach.
Two weeks ago, the company estimated that roughly 4 million customers might have been impacted by the cyberattack, but it has now increased that estimate to 9.7 million.
The attackers accessed the data of “around 9.7 million current and former customers and some of their authorized representatives. This figure represents around 5.1 million Medibank customers, around 2.8 million ahm customers and around 1.8 million international customers,” the company said earlier today.
Tomi Engdahl says:
Google Playhyn livahtanut haittaohjelma tallensi näppäilyt mobiilipankissa https://www.is.fi/digitoday/tietoturva/art-2000009184873.html
Tomi Engdahl says:
Another 130.000+ installations of malicious droppers from official store
https://www.threatfabric.com/blogs/the-attack-of-the-droppers.html#sharkbot-targets
Tomi Engdahl says:
Miljardiyhtiö Uponor joutui kiristyksen kohteeksi https://www.is.fi/digitoday/tietoturva/art-2000009183957.html
Sisäilmasto- ja putkijärjestelmiä tuottava rakennusteknologiayhtiö Uponor on joutunut kiristysohjelmahyökkäyksen kohteeksi. Hyökkäys tapahtui toissa päivänä 5.11. Kiristys vaikuttaa yhtiön toimintoihin Euroopassa ja Pohjois-Amerikassa. Uponor sanoo aloittaneensa välittömät toimet tilanteen selvittämiseksi ja korjaamiseksi. – Pyrimme kaikin tavoin varmistamaan Uponorin liiketoiminnan jatkuvuuden ja pitämään vaikutuksen yhtiön asiakkaisiin mahdollisimman vähäisenä.
Uponor suhtautuu kyberturvallisuushyökkäykseen erittäin vakavasti, ja pahoittelemme siitä sidosryhmillemme mahdollisesti aiheutuvaa vaivaa, toimitusjohtaja Michael Rauterkus sanoo tiedotteessa.
Tomi Engdahl says:
Ransomware gang threatens to release stolen Medibank data https://www.bleepingcomputer.com/news/security/ransomware-gang-threatens-to-release-stolen-medibank-data/
A ransomware gang that some believe is a relaunch of REvil and others track as BlogXX has claimed responsibility for last month’s ransomware attack against Australian health insurance provider Medibank Private Limited. Medibank is one of Australia’s largest private health insurers, covering over 3.9 million people and having 4, 000 employees. Although Medibank is yet to confirm what hacking group is behind this attack, the company said in a press release published today that it refused a ransom demand made by the attackers. “Today, we’ve announced that no ransom payment will be made to the criminal responsible for this data theft, ” Medibank said.
Tomi Engdahl says:
Maple Leaf Foods suffers outage following weekend cyberattack https://www.bleepingcomputer.com/news/security/maple-leaf-foods-suffers-outage-following-weekend-cyberattack/
Maple Leaf Foods confirmed on Sunday that it experienced a cybersecurity incident causing a system outage and disruption of operations. Maple Leaf Foods is Canada’s largest prepared meats and poultry food producer, operating 21 manufacturing facilities, employing 14, 000 people, and contracting over 700 barns. In 2021, the firm generated $3.3 billion in sales.
Tomi Engdahl says:
Killnet targets Eastern Bloc government sites, but fails to keep them offline https://therecord.media/killnet-targets-eastern-bloc-government-sites-but-fails-to-keep-them-offline/
Websites belonging to several state intelligence agencies across the former Eastern Bloc are online and functioning despite attempted distributed denial-of-service (DDoS) attacks from a pro-Kremlin group over the weekend. The hacking group Killnet, which for months has targeted government agencies and companies that criticize Russia or support Ukraine, listed the sites for the intelligence services of Estonia, Poland, Romania, Bulgaria, and Moldova on its Telegram channel, suggesting it had successfully targeted them.
Tomi Engdahl says:
DDoS attacks in Q3 2022
https://securelist.com/ddos-report-q3-2022/107860/
In Q3 2022, DDoS attacks were, more often than not, it seemed, politically motivated. As before, most news was focused on the conflict between Russia and Ukraine, but other high-profile events also affected the DDoS landscape this quarter.
Tomi Engdahl says:
Experts Find Urlscan Security Scanner Inadvertently Leaks Sensitive URLs and Data https://thehackernews.com/2022/11/experts-find-urlscan-security-scanner.html
Security researchers are warning of “a trove of sensitive information”
leaking through urlscan.io, a website scanner for suspicious and malicious URLs. “Sensitive URLs to shared documents, password reset pages, team invites, payment invoices and more are publicly listed and searchable, ” Positive Security co-founder, Fabian Bräunlein, said in a report published on November 2, 2022.
Tomi Engdahl says:
DOJ says it seized billions in Bitcoin stolen by hacker from Silk Road darknet marketplace https://therecord.media/doj-says-it-seized-billions-in-bitcoin-stolen-by-hacker-from-silk-road-darknet-marketplace/
According to the Justice Department and Internal Revenue Service, the 32-year-old committed wire fraud in September 2012 when he stole more than 50, 000 Bitcoin from Silk Road. The stolen funds were seized during a raid on Zhong’s Gainesville, Georgia home in November 2021.
“For almost ten years, the whereabouts of this massive chunk of missing Bitcoin had ballooned into an over $3.3 billion mystery, ”
U.S. Attorney Damian Williams said.
Tomi Engdahl says:
Microsoft November 2022 Patch Tuesday
https://isc.sans.edu/diary/rss/29230
This month we got patches for 68 vulnerabilities. Of these, 10 are critical, 1 was previously disclosed, and 4 are already being exploited, according to Microsoft. The previously disclosed (and
exploited) vulnerability is a security feature bypass on Windows Mark of the Web (MOTW) (CVE-2022-41091). Another exploited vulnerability is a Remote Code Execution (RCE) on Windows Script Languages (CVE-2022-41128). Among critical vulnerabilities, there is an elevation of privilege vulnerability affecting the Microsoft Exchange Server (CVE-2022-41080). The CVSS for this vulnerability is the highest for this month: 8.8. The advisory says that this vulnerability is not exploited, but marks it as “Exploitation More Likely”. Last but not least, there is an important elevation of privilege vulnerability affecting Microsoft Windows Sysmon (CVE-2022-41120) that you should also dedicate special attention to. An attacker who successfully exploited this vulnerability could gain administrator privileges by manipulating information on the Sysinternals services.
Tomi Engdahl says:
Citrix urges admins to patch critical ADC, Gateway auth bypass https://www.bleepingcomputer.com/news/security/citrix-urges-admins-to-patch-critical-adc-gateway-auth-bypass/
Citrix is urging customers to install security updates for a critical authentication bypass vulnerability in Citrix ADC and Citrix Gateway.
Under specific configurations, the three vulnerabilities can enable attackers to gain unauthorized access to the device, perform remote desktop takeover, or bypass the login brute force protection
Tomi Engdahl says:
Tietomurto Postin Viron-liiketoimintoihin – pakettien lähetystietoja vuotanut
https://www.tivi.fi/uutiset/tv/a44bb85f-01e2-465c-9047-46295f12b518
Tietomurto koskee 69 Itella Estonian yritysasiakkaan pakettilähetystietoja. Näihin yritysasiakkaisiin on jo oltu asiasta yhteydessä, ja lähetyksiin liittyviin yksityisasiakkaisiin ollaan yhteydessä pian.
Tomi Engdahl says:
Muuramen kuntaan tietomurto: “Häiriötila kestää jopa koko viikon”
https://www.is.fi/digitoday/tietoturva/art-2000009188066.html
Muuramen kunta kertoo laajasta häiriötilasta tietojärjestelmissään.
Syynä on kunnan palvelimille sunnuntaina 6. marraskuuta tehty tietomurto. Maanantaisen tiedotteen mukaan tilanne vaikuttaa toistaiseksi muun muassa kunnan päätöksenteon pöytäkirjojen ja esityslistojen tarkasteluun. Myös sosiaali- ja terveydenhoidon verkkopalveluiden saatavuudessa saattaa ilmetä häiriöitä.
Tomi Engdahl says:
Azov Ransomware is a wiper, destroying data 666 bytes at a time https://www.bleepingcomputer.com/news/security/azov-ransomware-is-a-wiper-destroying-data-666-bytes-at-a-time/
The Azov Ransomware continues to be heavily distributed worldwide, now proven to be a data wiper that intentionally destroys victims’ data and infects other programs. Today, the threat actor continues distributing the malware through the Smokeloader botnet, commonly found in fake pirated software and crack sites. At the time of this writing, there are already pages of submissions of this malware to VirusTotal for today alone, showing how many victims have been affected by this malware over the past two weeks.
Tomi Engdahl says:
October’s Most Wanted Malware: AgentTesla Knocks Formbook off Top Spot and New Text4Shell Vulnerability Disclosed https://blog.checkpoint.com/2022/11/08/octobers-most-wanted-malware-agenttesla-knocks-formbook-off-top-spot-and-new-text4shell-vulnerability-disclosed/
Check Point Research reports a significant increase in Lokibot attacks in October, taking it to third place for the first time in five months. New vulnerability, Text4Shell, was disclosed for the first time, and AgentTesla took the top spot as the most prevalent malware
Tomi Engdahl says:
SmokeLoader campaign distributes new Laplas Clipper malware https://securityaffairs.co/wordpress/138251/malware/smokeloader-delivers-laplas-clipper.html
Researchers observed a SmokeLoader campaign that is distributing a new clipper malware dubbed Laplas Clipper that targets cryptocurrency users.
Tomi Engdahl says:
Microsoft Scrambles to Thwart New Zero-Day Attacks
https://www.securityweek.com/patch-tuesday-microsoft-scrambles-thwart-new-zero-day-attacks
he zero-day attacks against Microsoft’s software products are showing no signs of slowing down.
For the second consecutive month, the world’s largest software maker rushed out patches to cover vulnerabilities that were already exploited as zero-days in the wild, including a pair of belated fixes for Microsoft Exchange Server security defects targeted by a state-sponsored threat actor for several months.
As part of its scheduled Patch Tuesday update process, Microsoft flagged six distinct vulnerabilities in the “exploitation detected” category and urged Windows administrators to treat these updates with utmost urgency.
Redmond’s security response team documented four new exploited zero-days — CVE-2022-41125, CVE-2022-41073, CVE-2022-41091 and CVE-2022-41128 — alongside two Exchange Server bugs (CVE-2022-41040 and CVE-2022-41082) and warned that exploits are swirling in privilege escalation, feature bypass and remote code execution attacks.
The four new zero-days affect the Windows CNG Key Isolation Service, the Windows Print Spooler, Windows Mark of the Web Security, and Windows Scripting Languages.
Tomi Engdahl says:
Google Patches High-Severity Privilege Escalation Vulnerabilities in Android
https://www.securityweek.com/google-patches-high-severity-privilege-escalation-vulnerabilities-android
Rolling out this week, Android’s November 2022 security updates patch over 40 vulnerabilities, including multiple high-severity escalation of privilege bugs.
The first part of the update, the ‘2022-11-01 patch level’, includes fixes for 17 security defects, 12 of which could lead to escalation of privilege (EoP), three to denial of service (DoS), and two leading to information disclosure.
All of these are high-severity vulnerabilities impacting Android 10 and newer releases. Except for one bug, all of them impact Android 13 as well.
“The most severe of these issues is a high security vulnerability in the Framework component that could lead to local escalation of privilege with no additional execution privileges needed,” Google notes in its advisory.
The internet giant also mentions two additional vulnerabilities addressed as part of the Google Play system updates, namely CVE-2022-2209 (impacting Media framework components) and CVE-2022-20463 (impacting Wi-Fi).
Tomi Engdahl says:
Hackers Leak Australian Health Records on Dark Web
https://www.securityweek.com/hackers-leak-australian-health-records-dark-web
Hackers on Wednesday began leaking sensitive medical records stolen from an Australian health insurer with nearly 10 million customers, including the prime minister, after the firm refused to pay a ransom.
Medibank told investors that a “sample” of data from some 9.7 million clients had been posted on a “dark web forum” — and that more leaks were likely.
Sensitive records were posted anonymously in the early hours of Wednesday and included names, birth dates, passport numbers and information on medical claims for hundreds of customers.
The victims were separated into a “naughty” list and a “nice” list.
Some on the “naughty” list had numeric codes that appeared to link them to drug addiction, alcohol abuse and HIV.
Prime Minister Anthony Albanese, himself a Medibank customer, said the attack was a “wake-up call” for corporate Australia.
“I am a Medibank Private customer as well and it will be of concern that some of this information has been put out there,” he said.
The leaked data was posted on a dark web forum that cannot be found using conventional web browsers.
Medibank — which provides private health insurance to Australians wishing to supplement universal public healthcare — informed the Australian Securities Exchange about the leak shortly before the market opened.
“The files appear to be a sample of the data that we earlier determined was accessed by the criminal,” the company said in a statement.
“We expect the criminal to continue to release files on the dark web.”
The hackers were following through on an earlier threat to publish the data unless Medibank paid an undisclosed ransom.
“P.S I recommend to sell Medibank stocks,” the purported hackers wrote on the forum about 24 hours before the first batch of data was released.
Tomi Engdahl says:
Wib Launches API Security Platform After Raising $16 Million
https://www.securityweek.com/wib-launches-api-security-platform-after-raising-16-million
Israel-based API security company Wib on Tuesday announced the launch of its product, as well as a $16 million funding round.
The company says its API security platform provides complete visibility and control. Its capabilities include automated inventory and change management, and the platform enables organizations to identify rogue and shadow APIs, and analyze business risk and impact.
Wib was founded in August 2021 by serial entrepreneur Gil Don (CEO), Ran Ohayon (CRO) and Tal Steinherz. The company’s headquarters are in Tel Aviv, Israel, but it also has offices in the United States and United Kingdom.
Tomi Engdahl says:
ICS Patch Tuesday: Siemens Addresses Critical Vulnerabilities
https://www.securityweek.com/ics-patch-tuesday-siemens-addresses-critical-vulnerabilities
Siemens and Schneider Electric have released their Patch Tuesday advisories for November 2022. Siemens has released nine new security advisories covering a total of 30 vulnerabilities, but Schneider has only published one new advisory.
Of Siemens’ nine advisories, three describe vulnerabilities that have been rated ‘critical’. Four vulnerabilities — one high-severity and three critical flaws — have been found in Sicam Q100 power meter devices. They can allow an attacker to hijack user sessions, crash the device, or execute arbitrary code.
Scalance W1750D devices have more than a dozen vulnerabilities — including many rated ‘critical’
High-severity vulnerabilities have been patched in Teamcenter Visualization and JT2Go products (DoS and remote code execution), Parasolid (remote code execution), and QMS Automotive (credentials exposure).
Medium-severity flaws have been found in Ruggedcom ROS devices, industrial controllers, and the Sinec network management system.
In addition, between this and the previous Patch Tuesday, Siemens published an advisory describing a critical authentication bypass vulnerability affecting Siveillance Video mobile servers.
Tomi Engdahl says:
Canadian Meat Giant Maple Leaf Foods Disrupted by Cyberattack
https://www.securityweek.com/cyberattack-causes-disruptions-canadian-meat-giant-maple-leaf-foods
Canadian meat giant Maple Leaf Foods has confirmed that it is experiencing an outage after falling victim to a cyberattack.
Created in 1991 by the merger of Canada Packers and Maple Leaf Mills, the packaged meats company is headquartered in Mississauga, Ontario.
Maple Leaf Foods has more than 14,000 employees and has market presence in Canada, the US, and Asia, offering products under several brands, including Maple Leaf, Schneiders, Mina, Greenfield Natural Meat Co., Lightlife, and Field Roast.
Over the weekend, the company fell victim to a cyberattack that resulted in system disruptions, the company has announced, without sharing further details on the incident.
“Upon learning of the incident, Maple Leaf Foods took immediate action and engaged cybersecurity and recovery experts. Its team of information systems professionals and third-party experts are working diligently with all available resources to investigate the outage and resolve the situation,” the company said.
Tomi Engdahl says:
Lawrence Abrams / BleepingComputer:
Microsoft releases 68 security fixes, including patches for six actively exploited Windows zero-day flaws and 11 vulnerabilities classified as Critical — Today is Microsoft’s November 2022 Patch Tuesday, and with it comes fixes for six actively exploited Windows vulnerabilities and a total of 68 flaws.
Microsoft November 2022 Patch Tuesday fixes 6 exploited zero-days, 68 flaws
https://www.bleepingcomputer.com/news/microsoft/microsoft-november-2022-patch-tuesday-fixes-6-exploited-zero-days-68-flaws/
Today is Microsoft’s November 2022 Patch Tuesday, and with it comes fixes for six actively exploited Windows vulnerabilities and a total of 68 flaws.
Eleven of the 68 vulnerabilities fixed in today’s update are classified as ‘Critical’ as they allow privilege elevation, spoofing, or remote code execution, one of the most severe types of vulnerabilities.
Tomi Engdahl says:
https://www.securityweek.com/gaping-authentication-bypass-holes-vmware-workspace-one
Tomi Engdahl says:
Jopa kuusi aukkoa hyökkäysten kohteena – asenna Microsoftin korjaukset nyt https://www.is.fi/digitoday/tietoturva/art-2000009189505.html
Tomi Engdahl says:
New hacking group uses custom ‘Symatic’ Cobalt Strike loaders
https://www.bleepingcomputer.com/news/security/new-hacking-group-uses-custom-symatic-cobalt-strike-loaders/
A previously unknown Chinese APT (advanced persistent threat) hacking group dubbed ‘Earth Longzhi’ targets organizations in East Asia, Southeast Asia, and Ukraine.
The threat actors have been active since at least 2020, using custom versions of Cobalt Strike loaders to plant persistent backdoors on victims’ systems.
The injection of the Cobalt Strike payload into a newly created process running in memory remains the same as in Symatic, never touching the disk to avoid risking detection.
To disable security products on the host, Earth Longzhi uses a tool named ‘ProcBurner,’ which abuses a vulnerable driver (RTCore64.sys) to modify the required kernel objects.
“ProcBurner is designed to terminate specific running processes,” explains Trend Micro in the report.
“Simply put, it tries to change the protection of the target process by forcibly patching the access permission in the kernel space using the vulnerable RTCore64.sys.”
Notably, the same MSI Afterburner driver is also used by BlackByte ransomware in Bring Your Own Vulnerable Drive (BYOVD) attacks that abuse it to bypass over a thousand security protections.
ProcBurner first detects the OS, as the kernel patching process changes depending on the version.
Tomi Engdahl says:
Hack the Real Box: APT41′s New Subgroup Earth Longzhi https://www.trendmicro.com/en_us/research/22/k/hack-the-real-box-apt41-new-subgroup-earth-longzhi.html
We looked into the campaigns deployed by a new subgroup of advanced persistent threat (APT) group APT41, Earth Longzhi. This entry breaks down the technical details of the campaigns in full as presented at HITCON PEACE 2022 in August.
Tomi Engdahl says:
They See Me Roaming: Following APT29 by Taking a Deeper Look at Windows Credential Roaming https://mandiant.com/resources/blog/apt29-windows-credential-roaming
In early 2022, Mandiant detected and responded to an incident where
APT29 successfully phished a European diplomatic entity and ultimately abused the Windows Credential Roaming feature. The diplomatic-centric targeting is consistent with Russian strategic priorities as well as historic APT29 targeting. Mandiant has been tracking APT29a Russian espionage group that is sponsored by the Foreign Intelligence Service (SVR)since at least 2014. Some APT29 activity is also publicly referred to as Nobelium by Microsoft. During the short timespan that
APT29 was determined to be active inside the victim network, Mandiant observed numerous LDAP queries with atypical properties (Figure 1) performed against the Active Directory system.
Tomi Engdahl says:
An Oil and Gas Weak Spot: Flow Computers https://claroty.com/team82/research/an-oil-and-gas-weak-spot-flow-computers
Flow computers calculate oil and gas volume and flow rates; these measurements are critical not only to process safety, but are also used as inputs in other areas, including billing. Team82 is disclosing details on a path-traversal vulnerability in ABB TotalFlow flow computers and controllers. An attacker could exploit a vulnerable system to inject and execute arbitrary code. CVE-2022-0902 (CVSS v3:
8.1) was addressed in a firmware update.
Tomi Engdahl says:
Having refused to pay ransom, health insurer Medibank sees customer data posted online by hackers https://www.bitdefender.com/blog/hotforsecurity/having-refused-to-pay-ransom-health-insurer-medibank-sees-customer-data-posted-online-by-hackers/
A ransomware gang has begun to publish data on the dark web stolen from Australia’s largest health insurer Medibank. The leaking of Mediabank’s client data comes shortly after the company announced it would not pay a ransom to the extortionists.
Tomi Engdahl says:
TeamTNT Returns – Or Does It?
https://www.trendmicro.com/en_us/research/22/j/teamtnt-returns-or-does-it.html
Our honeypots caught malicious cryptocurrency miner samples targeting the cloud and containers, and its routines are reminiscent of the routines employed by cybercriminal group TeamTNT, which was said to have quit in November 2021. Our investigation shows that another threat actor group, WatchDog, might be mimicking TeamTNT’s arsenal.
Tomi Engdahl says:
New updated IceXLoader claims thousands of victims around the world https://minerva-labs.com/blog/new-updated-icexloader-claims-thousands-of-victims-around-the-world/
IceXLoader was discovered last June by FortiGuard Labs. It is a commercial malware used to download and deploy additional malware on infected machines. While the version discovered in June (v3.0) looked like a work-in-progress, we recently observed a newer v3.3.3 loader which looks to be fully functionable and includes a multi-stage delivery chain.
Tomi Engdahl says:
Emotet coming in hot
https://blog.talosintelligence.com/emotet-coming-in-hot/
Emotet is back again with a new campaign displaying many characteristics of older runs, including the use of Auto_Open macros inside XLS documents. Cisco Talos has observed an increased activity of spam distributing this new strain beginning in early November 2022, and the volume of spam and Emotet infrastructure has been increasing since then to target multiple geographies around the world.
Tomi Engdahl says:
Nigerian scammer sentenced to 11 years in US prison https://therecord.media/nigerian-scammer-sentenced-to-11-years-in-us-prison/
A Nigerian influencer who attracted millions of followers on Instagram by showing off luxury cars and high-end clothing was sentenced on Monday to 11 years in prison for his role in business email compromise schemes and money laundering.