Cyber security news November 2022

This posting is here to collect cyber security news in November 2022.

I post links to security vulnerability news in the comments of this article.

You are also free to post related links in the comments.

349 Comments

  1. Tomi Engdahl says:

    Netflix Phishing Emails Surge 78%
    https://www.infosecurity-magazine.com/news/netflix-phishing-emails-surge-78/
    Security researchers are warning that corporate accounts could be at risk after noting a 78% increase in email impersonation attacks spoofing the Netflix brand since October. If employees use the same credentials for personal accounts like Netflix as their work accounts, campaigns like this may imperil corporate systems and data, warned Egress.

    Reply
  2. Tomi Engdahl says:

    New attacks use Windows security bypass zero-day to drop malware https://www.bleepingcomputer.com/news/security/new-attacks-use-windows-security-bypass-zero-day-to-drop-malware/
    New phishing attacks use a Windows zero-day vulnerability to drop the Qbot malware without displaying Mark of the Web security warnings. In a new QBot phishing campaign discovered by security researcher ProxyLife, the threat actors have switched to the Windows Mark of the Web zero-day vulnerability by distributing JS files signed with malformed signatures.

    Reply
  3. Tomi Engdahl says:

    New ransomware encrypts files, then steals your Discord account https://www.bleepingcomputer.com/news/security/new-ransomware-encrypts-files-then-steals-your-discord-account/
    The new ‘AXLocker’ ransomware family is not only encrypting victims’ files and demanding a ransom payment but also stealing the Discord accounts of infected users.

    Reply
  4. Tomi Engdahl says:

    A Confused Deputy Vulnerability in AWS AppSync https://securitylabs.datadoghq.com/articles/appsync-vulnerability-disclosure/
    We have identified a cross-tenant vulnerability in Amazon Web Services (AWS) that exploits AWS AppSync. This attack abuses the AppSync service to assume IAM roles in other AWS accounts, which allows an attacker to pivot into a victim organization and access resources in those accounts. This blog post describes how we discovered the vulnerability, a proof of concept showing how we performed sts:AssumeRole into roles that trust the AppSync service, and our disclosure process with the AWS team.

    Reply
  5. Tomi Engdahl says:

    Cyberattack halted a Finnish listed company’s entire production – now a profit warning has been issued
    https://www.talouselama.fi/uutiset/kyberhyokkays-pysaytti-suomalaisen-porssiyhtion-koko-tuotannon-nyt-tuli-tulosvaroitus/a39293f2-bf17-4ac4-88f2-373da0041010
    Uponor fell victim to ransomware at the beginning of November, which forced it into a production shutdown as a precaution. The company is withdrawing its guidance for 2022 because it is not certain that the lost sales can be made up during this year.
    Uponor, a supplier of building and environmental technology systems, has issued a profit warning and is withdrawing the financial guidance it gave for 2022 as a result of the cyberattack.
    Uponor has said that the ransomware attack that hit it on 5 November is still affecting the company’s operations. After the attack, the company shut down its production and all of its systems as a precaution.
    After a production outage that lasted a week, production levels have begun to recover, and customer deliveries have started in all divisions during the past week, the release says.
    The aim is to get production back to the pre-attack level as soon as possible while ensuring the security of the information systems.
    Because the attack took place close to the end of the year, it is not certain whether Uponor can make up its lost sales before the financial year ends. For this reason it is withdrawing its guidance until the company has a better understanding of the attack’s effects on the last quarter’s figures.

    Reply
  6. Tomi Engdahl says:

    California County Says Personal Information Compromised in Data Breach
    https://www.securityweek.com/california-county-says-personal-information-compromised-data-breach

    The County of Tehama, California, has started informing employees, recipients of services, and affiliates that their personal information might have been compromised in a data breach.

    The incident, Tehama County says, was identified on April 9, but the investigation into the matter stretched to August 19, when it was determined that personally identifiable information (PII) was compromised.

    The investigation revealed that an unauthorized third-party had access to the county’s systems between November 18, 2021, and April 9, 2022, and that files on the county’s department of social services systems were accessed.

    Reply
  7. Tomi Engdahl says:

    Google Making Cobalt Strike Pentesting Tool Harder to Abuse
    https://www.securityweek.com/google-making-cobalt-strike-pentesting-tool-harder-abuse

    Google has announced the release of YARA rules and a VirusTotal Collection to help detect Cobalt Strike and disrupt its malicious use.

    Released in 2012, Cobalt Strike is a legitimate red teaming tool that consists of a collection of utilities in a JAR file that can emulate real cyberthreats. It uses a server/client approach to provide the attacker with control over infected systems, from a single interface.

    Cobalt Strike has evolved into a point-and-click system for deploying remote access tools on targeted systems, with threat actors abusing its capabilities for lateral movement into victim environments.

    The tool’s vendor has in place a vetting system to prevent selling the software to malicious entities, but cracked versions of Cobalt Strike have been available for years.

    “These unauthorized versions of Cobalt Strike are just as powerful as their retail cousins except that they don’t have active licenses, so they can’t be upgraded easily,” Google notes.

    By releasing open-source YARA rules and a VirusTotal Collection that integrates them, Google aims to help organizations flag and identify Cobalt Strike’s components, to improve protections.

    Reply
  8. Tomi Engdahl says:

    PoC Code Published for High-Severity macOS Sandbox Escape Vulnerability
    https://www.securityweek.com/poc-code-published-high-severity-macos-sandbox-escape-vulnerability

    A security researcher has published details and proof-of-concept (PoC) code for a macOS vulnerability that could be exploited to escape a sandbox and execute code within Terminal.

    Tracked as CVE-2022-26696 (CVSS score of 7.8), the security defect was identified and reported last year, with a patch available since the release of macOS Monterey 12.4 in May.

    https://support.apple.com/en-us/HT213257

    Reply
  9. Tomi Engdahl says:

    Atlassian Patches Critical Vulnerabilities in Bitbucket, Crowd
    https://www.securityweek.com/atlassian-patches-critical-vulnerabilities-bitbucket-crowd

    Atlassian informed customers this week that it has patched critical vulnerabilities in its Crowd and Bitbucket products.

    In the Bitbucket source code repository hosting service, Atlassian fixed CVE-2022-43781, a critical command injection vulnerability that affects Bitbucket Server and Data Center version 7 and, in some cases, version 8.

    “There is a command injection vulnerability using environment variables in Bitbucket Server and Data Center. An attacker with permission to control their username can exploit this issue to gain code execution and execute code on the system,” Atlassian explained.

    Updates that patch the flaw have been released for both BitBucket 7 and 8. Atlassian Cloud sites are not affected.

    In the case of Crowd, an application security framework that handles authentication and authorization for web-based applications, Atlassian fixed CVE-2022-43782, a critical security misconfiguration issue affecting all versions starting with 3.0.0.

    Reply
  10. Tomi Engdahl says:

    Microsoft Warns of Cybercrime Group Delivering Royal Ransomware, Other Malware
    https://www.securityweek.com/microsoft-warns-cybercrime-group-delivering-royal-ransomware-other-malware

    A threat actor tracked as DEV-0569 and known for the distribution of various malicious payloads was recently observed updating its delivery methods, Microsoft warns.

    DEV-0569 has been relying on malicious ads (malvertising), blog comments, fake forum pages, and phishing links for the distribution of malware.

    Over the past few months, however, Microsoft noticed that the threat actor has started using contact forms to deliver phishing links, while choosing to host fake installers on legitimate-looking software download sites and legitimate repositories, such as GitHub and OneDrive.

    The adversary continues to rely on malvertising for malware distribution, and even expanded the technique by employing Google Ads in one of the campaigns.

    “These methods allow the group to potentially reach more targets and ultimately achieve their goal of deploying various post-compromise payloads,” Microsoft says.

    https://www.microsoft.com/en-us/security/blog/2022/11/17/dev-0569-finds-new-ways-to-deliver-royal-ransomware-various-payloads/

    Reply
  11. Tomi Engdahl says:

    https://www.actionnetwork.com/legal-online-sports-betting/draftkings-users-hacked-money-in-account-cashed-out

    Seems that Draft Kings may have been compromised, as members are getting shafted and their bank accounts are being drained, even with 2FA activated. Not a good day to be a member.

    Reply
  12. Tomi Engdahl says:

    Tax filing websites have been sending users’ financial information to Facebook
    “The data, sent through widely used code called the Meta Pixel, includes not only information like names and email addresses but often even more detailed information, including data on users’ income, filing status, refund amounts, and dependents’ college scholarship amounts.”

    https://www.theverge.com/2022/11/22/23471842/facebook-hr-block-taxact-taxslayer-info-sharing

    The Markup found services including TaxAct, TaxSlayer, and H&R Block sending sensitive data.

    Reply
  13. Tomi Engdahl says:

    EU Parliament website hit by cyber attack after Russia ‘terrorism’ vote – AFP
    https://www.reuters.com/world/europe/eu-parliament-website-hit-by-cyber-attack-after-russia-terrorism-vote-afp-2022-11-23/

    Nov 23 (Reuters) – The European Union Parliament website was hit by a cyber attack on Wednesday after it designated Russia a state sponsor of terrorism, AFP news agency reported.

    Reply
  14. Tomi Engdahl says:

    Suffolk cyberattack: Driver’s license numbers of 470,000 people may have been compromised
    https://www.newsday.com/long-island/suffolk/cyberhack-drivers-license-numbers-yg5iml90

    Reply
  15. Tomi Engdahl says:

    Attackers bypass Coinbase and MetaMask 2FA via TeamViewer, fake support chat
    https://www.bleepingcomputer.com/news/security/attackers-bypass-coinbase-and-metamask-2fa-via-teamviewer-fake-support-chat/

    A crypto-stealing phishing campaign is underway to bypass multi-factor authentication and gain access to accounts on Coinbase, MetaMask, Crypto.com, and KuCoin and steal cryptocurrency.

    The threat actors abuse the Microsoft Azure Web Apps service to host a network of phishing sites and lure victims to them via phishing messages impersonating bogus transaction confirmation requests or suspicious activity detection.

    Reply
  16. Tomi Engdahl says:

    Phone numbers of 1 381 569 Finns ended up for sale online – “If it is true…” https://www.is.fi/digitoday/tietoturva/art-2000009226905.html

    Reply
  17. Tomi Engdahl says:

    The USA boasted: 50 000 dollars to whoever breaks super-level encryption – Hackers did it in under an hour on a home computer: they grasped an equation that others had no clue about
    Tuomas Kangasniemi, 24.11.2022 13:34 | updated 24.11.2022 13:34 | Science, Encryption, Information security
    Most experts in the field of cryptography do not know mathematics well enough, laments the inventor of the encryption method that was ground to atoms.
    https://www.tekniikkatalous.fi/uutiset/tt/fc7b6188-09ba-4b1d-8cda-b96c8201ee05?utm_term=Autofeed&utm_medium=Social&utm_source=Facebook#Echobox=1669289925

    Encryption algorithms must be coded without errors and designed to withstand so-called brute-force attacks. However, unknown mathematics that tears an encryption algorithm to pieces down to its basic principles may be a more serious threat than powerful hardware and security holes.

    Reply
  18. myccpay says:

    A crypto-stealing phishing campaign is underway to bypass multi-factor authentication and gain access to accounts on Coinbase, MetaMask, Crypto.com, and KuCoin and steal cryptocurrency. The adversary continues to rely on malvertising for malware distribution, and even expanded the technique by employing Google Ads in one of the campaigns.

    Reply
  19. Tomi Engdahl says:

    Finland is currently rehearsing a situation in which the power goes out and banks’ operations grind to a halt
    The Taisto preparedness exercise is just coming to an end.
    https://www.is.fi/digitoday/tietoturva/art-2000009223351.html

    Reply
  20. Tomi Engdahl says:

    https://phys.org/news/2022-11-mathematical-theorem-encryption-algorithm.html

    In July, the US National Institute of Standards and Technology (NIST) selected four encryption algorithms and posed some challenge problems to test their security, offering a $50,000 reward for whomever managed to break them. It happened in less than an hour: one of the promising algorithm candidates, named SIKE, was hacked with a single personal computer. The attack did not rely on a powerful machine, but on powerful mathematics based on a theorem developed by a Queen’s professor decades ago.

    Reply
  21. Tomi Engdahl says:

    Edmonton man could see private data of other Brinks customers through his home security system — for months
    https://www.cbc.ca/news/canada/edmonton/brinks-online-portal-information-leak-1.6660440

    Company says less than .01% of its customers could see others’ data

    The Edmonton man — a systems architect for a telecommunications company and self-professed gadget enthusiast — had added a little extra home security when, in October 2021, he signed a 36-month contract for a Brinks system.

    But things took a strange turn when he called technical support to troubleshoot those wonky door sensors.

    He told Go Public he signed into his system’s online portal “and that’s when I noticed that I had a drop-down [menu] to select a whole bunch of addresses.”

    There on his screen were approximately 100 other customers’ addresses.

    Every click of the mouse revealed more of someone else’s information: name, address, phone number, emergency contacts and account payment history.

    Kopp could even view specific things about other customers’ home security systems, like security equipment details and locations of security zones within their homes.

    “My reaction is, [this is] kind of crazy. I really don’t feel that they’re safeguarding other people’s information,” he said.

    “I wanted to know whether my data was compromised in the same way.”

    That remains unclear. Though Kopp did not see his own details on the screen, Brinks has not notified any of the customers who were affected by the leak, which went unfixed for months.

    Brinks says no financial or banking data was included in the leak.

    But one expert says it was still a “very serious privacy breach.”

    “Of course, it’s a breach of security as well,” said Ann Cavoukian, a former three-term privacy commissioner of Ontario.

    “It allows people to potentially break into your home and into your information online. Identity theft could result.”

    Kopp assumed the breach would be quickly fixed after he discovered and reported it in early 2022. In April, he was surprised to find out he still had access to the same drop-down menu with the same customer information.

    He says he reported it again, waited a few more months, and called Brinks yet again in early July.

    Kopp got a recording of that call. In it, he clearly says the issue needs to be escalated: “I’m going to need a manager,” he told the agent as he explained that he was able to access others’ data.

    “It’s a huge customer information problem, which is why I need to speak to a manager.”

    He was promised a manager would call him back, but he got no response until Go Public began investigating.

    “Nobody contacted me regarding a data breach at all,” he says.

    That makes Cavoukian “cringe.”

    “It just makes me so angry that this type of infringement isn’t taken seriously, as it should be immediately acted upon,” she said.

    Brinks declined an interview request from Go Public. In a statement, the company said the agent on the July call, who worked for a third party, “did not follow the proper protocols and procedures” for when a customer asks for a problem to be escalated.

    Prof. Teresa Scassa of the University of Ottawa says companies are required to report such leaks to the Privacy Commissioner of Canada. (Submitted by Teresa Scassa)

    The company called it an “isolated issue” that leaked the data of “a small subset” of its customers. “No banking or financial information was visible,” it said.

    Brinks did not answer Go Public’s question of how many of its Canadian customers were affected.

    The company said the sensitive data was visible to “less than .01% of Brinks total customer base.” Brinks has some 900,000 home and commercial security subscribers according to a 2021 corporate press release, which works out to about 90 customers.

    Obliged to report
    It wasn’t until almost two and a half months later, in mid-September, that Kopp saw that it seemed to be fixed. He estimates he was able to access other customers’ data for seven to ten months.

    But Teresa Scassa, Canada Research Chair in Information Law and Policy at the University of Ottawa, says that may not close the book on Brinks’s obligations.

    “If the company is aware that there’s been a data security breach, then they are obliged to report that to the Privacy Commissioner of Canada,” she said.

    “A company would ignore something like this at their own peril. There’s no ‘it didn’t happen’ if it did. If it did, you have to get out in front of it and fix it.”

    Brinks said that its own review with internal and external counsel concluded: “The nature of the data that was visible did not require a customer notification.”

    “The thing that bothered me, or I guess was a bit unnerving is the fact that I never heard from Brinks about it,” Scott said.

    As for Kopp — he’s wondering if he’s really getting what he signed up for.

    “It worries me because I paid for a security company because I wanted security, and they can’t safeguard my personal information, never mind everything else,” he said.

    Reply
  22. Tomi Engdahl says:

    Mastodon is getting hundreds of thousands of new users as people migrate away from Twitter, here’s how to secure your account. https://trib.al/VEZCmEH

    Reply
  23. Tomi Engdahl says:

    Security company: These applications will be hacked next year https://www.is.fi/digitoday/tietoturva/art-2000009226112.html

    Reply
  24. Tomi Engdahl says:

    Chrome got an emergency update 5 days ago that not everyone has received – here is what to do https://www.is.fi/digitoday/tietoturva/art-2000009231075.html

    Reply
  25. Tomi Engdahl says:

    Cyber as important as missile defences – ex-NATO general https://www.reuters.com/world/cyber-important-missile-defences-ex-nato-general-2022-11-21/
    A cyber attack on the German ports of Bremerhaven or Hamburg would severely impede NATO efforts to send military reinforcements to allies, retired U.S. General Ben Hodges told Reuters.

    Reply
  26. Tomi Engdahl says:

    Android file manager apps infect thousands with Sharkbot malware https://www.bleepingcomputer.com/news/security/android-file-manager-apps-infect-thousands-with-sharkbot-malware/
    A new collection of malicious Android apps posing as harmless file managers had infiltrated the official Google Play app store, infecting users with the Sharkbot banking trojan.

    Reply
  27. Tomi Engdahl says:

    Ouch! Ransomware gang says it won’t attack AirAsia again due to the “chaotic organisation” and sloppy security of hacked company’s network https://grahamcluley.com/ouch-ransomware-gang-says-it-wont-attack-airasia-again-due-to-the-chaotic-organisation-and-sloppy-security-of-hacked-companys-network/
    “The chaotic organization of the network, the absence of any standards, caused the irritation of the group and a complete unwillingness to repeat the attack,” the spokesperson for Daixin Team said. The group refused to pick through the garbage for a long time. As our pentester said, “Let the newcomers sort this trash, they have a lot of time.”

    Reply
  28. Tomi Engdahl says:

    Apple Device Analytics Contain Identifying iCloud User Data, Claim Security Researchers https://www.macrumors.com/2022/11/21/apple-device-analytics-identifying-user/
    On Twitter, security researchers Tommy Mysk and Talal Haj Bakry have found that Apple’s device analytics data includes an ID called “dsId,” which stands for Directory Services Identifier. The analysis found that the dsId identifier is unique to every iCloud account and can be linked directly to a specific user, including their name, date of birth, email, and associated information stored on iCloud.

    Reply
  29. Tomi Engdahl says:

    Log4Shell campaigns are using Nashorn to get reverse shell on victim’s machines
    https://isc.sans.edu/diary/rss/29266
    In an incident case I got last week, attackers started a reverse shell on the victim’s machine in a way I have not seen in Log4Shell exploitations. The reverse shell was issued using Nashorn, a JavaScript scripting engine used to execute JavaScript code dynamically at JVM. Similar use of Nashorn was seen in Confluence CVE-2022-26134 exploitations.

    Reply
  30. Tomi Engdahl says:

    US, Estonian authorities arrest two over $575 million cryptocurrency fraud https://therecord.media/us-estonian-authorities-arrest-two-over-575-million-cryptocurrency-fraud/
    Sergei Potapenko and Ivan Turõgin, both 37, convinced hundreds of thousands of victims to invest in a cryptocurrency mining service called HashFlare and a virtual currency bank called Polybius, according to court documents published Monday. The two men, who are held pending extradition to the U.S., collected more than half of a billion dollars and used shell companies to launder the cash and use it to buy real estate and luxury cars.

    Reply
  31. Tomi Engdahl says:

    Bahamut cybermercenary group targets Android users with fake VPN apps https://www.welivesecurity.com/2022/11/23/bahamut-cybermercenary-group-targets-android-users-fake-vpn-apps/
    ESET researchers have identified an active campaign targeting Android users, conducted by the Bahamut APT group. This campaign has been active since January 2022 and malicious apps are distributed through a fake SecureVPN website that provides only Android apps to download.
    The malware is able to exfiltrate sensitive data such as contacts, SMS messages, call logs, device location, and recorded phone calls. It can also actively spy on chat messages exchanged through very popular messaging apps including Signal, Viber, WhatsApp, Telegram, and Facebook Messenger; the data exfiltration is done via the keylogging functionality of the malware, which misuses accessibility services.
    The campaign appears to be highly targeted, as we see no instances in our telemetry data.

    Reply
  32. Tomi Engdahl says:

    DUCKTAIL returns: Underneath the ruffled feathers https://labs.withsecure.com/publications/ducktail-returns
    In short, the operation consists of an information stealer malware that is delivered to targeted victims that primarily operate in the digital marketing and advertisement space. The malware is designed to steal browser cookies and take advantage of authenticated Facebook sessions to steal information from the victim’s Facebook account. The operation ultimately hijacks Facebook Business accounts to which the victim has sufficient access. The threat actor uses their gained access to run ads for monetary gain.

    Reply
  33. Tomi Engdahl says:

    ‘Pig butchering’ romance scam domains seized and slaughtered by the Feds https://www.theregister.com/2022/11/23/pig_butchering_domains_seized/
    The US government seized seven domain names used in so-called “pig butchering” scams that netted criminals more than $10 million. Pig butchering is a newish twist on romance scams in which fraudsters build a relationship with their victims and then con them into transferring money into accounts controlled by the crooks. In these cases, however, the fraudsters convince their marks to “invest” in cryptocurrency via phony websites, and then once the transfer goes through, the crooks disappear with all of the victim’s money.

    Reply
  34. Tomi Engdahl says:

    From Zero to Hero Part 1: Bypassing Intel DCM’s Authentication by Spoofing Kerberos and LDAP Responses (CVE-2022-33942) https://www.rcesecurity.com/2022/11/from-zero-to-hero-part-1-bypassing-intel-dcms-authentication-by-spoofing-kerberos-and-ldap-responses-cve-2022-33942/
    This small series of two blog posts covers an entire vulnerability chain to go from unauthenticated user to full remote code execution against Intel’s Data Center Manager (up to version 4.1.1.45749). All described issues were found purely based on a source code review of the decompiled application.

    Reply
  35. Tomi Engdahl says:

    Enterprise healthcare providers warned of Lorenz ransomware threat https://www.scmagazine.com/analysis/ransomware/enterprise-healthcare-providers-warned-of-lorenz-ransomware-threat
    Lorenz has been active for at least two years and operates a data leak site, per the typical extortion group model. However, the group’s tactics are far more nefarious. HC3 warns that upon becoming frustrated with a victim’s unwillingness to pay, they first make the stolen data available for sale to other threat actors or competitors.

    Reply
  36. Tomi Engdahl says:

    Cisco Secure Email Gateway Filters Bypassed Due to Malware Scanner Issue https://www.securityweek.com/cisco-secure-email-gateway-filters-bypassed-due-malware-scanner-issue
    The company told SecurityWeek that this is not a vulnerability in the Secure Email Gateway product itself. The issue is due to improper identification of potentially malicious emails or attachments. An attacker could exploit this issue by sending a malicious email with malformed Content-Type headers (MIME Type) through an affected device.
    An exploit could allow the attacker to bypass default anti-malware filtering features based on the affected scanning engines and successfully deliver malicious messages to the end clients, Cisco explained.

    Reply
