Cyber security news December 2022

This posting is here to collect cyber security news in December 2022.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.

355 Comments

  1. Tomi Engdahl says:

    Sergiu Gatlan / BleepingComputer:
    LastPass says customer data was accessed after hackers breached its third-party cloud storage shared with parent GoTo using info stolen in an August 2022 breach — LastPass says unknown attackers breached its cloud storage using information stolen during a previous security incident from August 2022.
    Lastpass says hackers accessed customer data in new breach
    https://www.bleepingcomputer.com/news/security/lastpass-says-hackers-accessed-customer-data-in-new-breach/

    Reply
  2. Tomi Engdahl says:

    Had he waited he could have saved some money…
    Probably more holes left.

    5.4 million Twitter users’ stolen data leaked online — more shared privately
    https://www.bleepingcomputer.com/news/security/54-million-twitter-users-stolen-data-leaked-online-more-shared-privately/

    Over 5.4 million Twitter user records containing non-public information stolen using an API vulnerability fixed in January have been shared for free on a hacker forum.

    Another massive, potentially more significant, data dump of millions of Twitter records has also been disclosed by a security researcher, demonstrating how widely abused this bug was by threat actors.

    The data consists of scraped public information as well as private phone numbers and email addresses that are not meant to be public.

    Reply
  3. Tomi Engdahl says:

    Killnet Gloats About DDoS Attacks Downing Starlink, White House
    Elon Musk-owned Starlink, WhiteHouse.gov, and the Prince of Wales were targeted by Killnet in apparent retaliation for its support of Ukraine.
    https://www.darkreading.com/threat-intelligence/killnet-gloats-ddos-attacks-starlink-whitehouse-gov

    Reply
  4. Tomi Engdahl says:

    Drop What You’re Doing and Update iOS, Android, and Windows
    Plus: Major patches dropped this month for Chrome, Firefox, VMware, Cisco, Citrix, and SAP.
    https://www.wired.com/story/ios-android-windows-vulnerability-patches-november-2022/

    Reply
  5. Tomi Engdahl says:

    Vatican hit by suspected cyber attack days after Pope criticises Russia https://www.euronews.com/2022/12/01/vatican-hit-by-suspected-cyber-attack
    The Vatican’s website was down on Wednesday evening amid “abnormal access attempts”, according to the Holy See. Technical investigations are ongoing due to abnormal attempts to access the site, Vatican spokesman Matteo Bruni said. He did not give any further information.
    Throughout Wednesday, several Vatican sites were offline and the official Vatican.va website was inaccessible well into the evening.
    The suspected hack came a day after Moscow rebuked Pope Francis's latest condemnation of Russia's invasion of Ukraine. In an interview with a Jesuit magazine, the pope had singled out troops from Chechnya and other ethnic minorities in Russia for their particular cruelty during the war.

    Reply
  6. Tomi Engdahl says:

    LockBit 3.0 Black attacks and leaks reveal wormable capabilities and tooling https://news.sophos.com/en-us/2022/11/30/lockbit-3-0-black-attacks-and-leaks-reveal-wormable-capabilities-and-tooling/
    Reverse-engineering reveals close similarities to BlackMatter ransomware, with some improvements. A postmortem analysis of multiple incidents in which attackers eventually launched the latest version of LockBit ransomware (known variously as LockBit 3.0 or LockBit Black), revealed the tooling used by at least one affiliate. Sophos Managed Detection and Response (MDR) team has observed both ransomware affiliates and legitimate penetration testers use the same collection of tooling over the past 3 months.

    Reply
  7. Tomi Engdahl says:

    Accidentally Crashing a Botnet
    https://www.akamai.com/blog/security-research/kmsdbot-part-two-crashing-a-botnet
    Earlier this month, Akamai Security Research released a blog post about KmsdBot, a cryptomining botnet that infected victims via SSH and weak credentials. We promptly analyzed and reported on this botnet after it infected one of our honeypots. However, after that publication, we continued to monitor the botnet, and we have some updates to share in this blog post like the fact that we rendered it useless. In this post, we will outline the steps we took to inspect KmsdBot, which led to our ability to execute our commands and ultimately led to its demise.

    Reply
  8. Tomi Engdahl says:

    Aqua Nautilus Discovers Redigo New Redis Backdoor Malware https://blog.aquasec.com/redigo-redis-backdoor-malware
    Aqua Nautilus discovered new Go-based malware that targets Redis servers. The attack was executed against one of our deliberately vulnerable Redis honeypots (CVE-2022-0543). Our investigation revealed new undetected malware written in Golang designed to target Redis servers to allow the attacking server to dominate the compromised machine. Therefore, the malware received the name Redigo. In this blog, we'll examine how adversaries exploit this Redis vulnerability and use it to run the new malware. Moreover, we'll review the attack process and recommend methods to protect against future attacks.

    Reply
  9. Tomi Engdahl says:

    Keralty ransomware attack impacts Colombia’s health care system https://www.bleepingcomputer.com/news/security/keralty-ransomware-attack-impacts-colombias-health-care-system/
    The Keralty multinational healthcare organization suffered a RansomHouse ransomware attack on Sunday, disrupting the websites and operations of the company and its subsidiaries. Keralty is a Colombian healthcare provider that operates an international network of 12 hospitals and 371 medical centers in Latin America, Spain, the US, and Asia. The group employs 24,000 people and 10,000 medical doctors who provide healthcare to over 6 million patients. The company offers further healthcare services through its subsidiaries, Colsanitas, Sanitas USA, and EPS Sanitas.

    Reply
  10. Tomi Engdahl says:

    LastPass Suffers Another Security Breach; Exposed Some Customers' Information https://thehackernews.com/2022/12/lastpass-suffers-another-security.html
    Popular password management service LastPass said it’s investigating a second security incident that involved attackers accessing some of its customer information. “We recently detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate, GoTo,” LastPass CEO Karim Toubba said.
    GoTo, formerly called LogMeIn, acquired LastPass in October 2015. In December 2021, the Boston-based firm announced plans to spin off LastPass as an independent company. The digital break-in resulted in the unauthorized third-party leveraging information obtained following a previous breach in August 2022 to access “certain elements of our customers’ information.”

    Reply
  11. Tomi Engdahl says:

    Ransomware group may have stolen customer bank details from British water company https://therecord.media/ransomware-group-may-have-stolen-customer-bank-details-from-british-water-company/
    South Staffordshire Water, which supplies water for more than 1.7 million people in England, has said that an attempted ransomware attack in August may have enabled cybercriminals to steal customer bank details. At the time of the incident the company stressed that water supply was not affected, although its corporate network was experiencing disruptions. The company said in an update on Wednesday that customers who paid by direct debit may have had their bank details stolen. “Since the incident, we've been working with leading forensic experts to investigate fully what happened. Our investigation has now found that the incident resulted in unauthorized access to some of the personal data we hold for a subset of our customers,” the company announced.

    Reply
  12. Tomi Engdahl says:

    Alert (AA22-335A) #StopRansomware: Cuba Ransomware https://www.cisa.gov/uscert/ncas/alerts/aa22-335a
    The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint CSA to disseminate known Cuba ransomware IOCs and TTPs associated with Cuba ransomware actors identified through FBI investigations, third-party reporting, and open-source reporting. This advisory updates the December 2021 FBI Flash: Indicators of Compromise Associated with Cuba Ransomware. This year, Cuba ransomware actors have added to their TTPs, and third-party and open-source reports have identified a possible link between Cuba ransomware actors, RomCom Remote Access Trojan (RAT) actors, and Industrial Spy ransomware actors.

    Reply
  13. Tomi Engdahl says:

    Contrast discovers zero-day flaw in popular Quarkus Java framework https://www.contrastsecurity.com/security-influencers/localhost-attack-against-quarkus-developers-contrast-security
    While preparing a talk for the recent DeepSec Conference about attacking the developer environment through drive-by localhost, I reviewed some popular Java frameworks to see if they were vulnerable.
    They were. During my research, I had discovered a high-severity zero day in the Red Hat build of Quarkus, a popular, full-stack, Kubernetes-native Java framework optimized for Java virtual machines (JVMs) and native compilation that's used as a platform for serverless, cloud and Kubernetes environments.

    Reply
  14. Tomi Engdahl says:

    Nigeria-based group Lilac Wolverine using COVID-19, emotional lures in BEC scams https://therecord.media/nigeria-based-group-lilac-wolverine-using-covid-19-emotional-lures-in-bec-scams/
    A cybercrime group based in Nigeria is targeting businesses in the United States and Western Europe with a plethora of scam emails as part of a larger campaign of business email compromise (BEC) attacks.
    Abnormal Security's Crane Hassold told The Record that the group, named Lilac Wolverine, stood out to them among the thousands of BEC threat actors they see each week because of its significant volume. “We consistently see 5-10 campaigns from them a day and their unique combination of tactics: exploiting compromised personal accounts, setting up look-alike free webmail accounts, using emotionally-charged themes (cancer/COVID) really stuck out as one of the more notable groups we

    Reply
  15. Tomi Engdahl says:

    GoTo says hackers breached its dev environment, cloud storage https://www.bleepingcomputer.com/news/security/goto-says-hackers-breached-its-dev-environment-cloud-storage/
    Remote access and collaboration company GoTo disclosed today that they suffered a security breach where threat actors gained access to their development environment and third-party cloud storage service. GoTo (formerly LogMeIn) began emailing customers Wednesday afternoon, warning that they have started investigating the cyberattack with the help of Mandiant and have alerted law enforcement. The company says they first learned of the incident after detecting unusual activity in their development environment and third-party cloud storage service.

    Reply
  16. Tomi Engdahl says:

    Nilay Patel / The Verge:
    In a rare interview, TikTok CEO Shou Zi Chew explains how US data will be kept out of China through “Project Texas”, discusses “booktok”, algorithms, and more

    TikTok CEO Shou Zi Chew explains how US data will be kept out of China
    / ‘Nobody organizes data like this.’
    https://www.theverge.com/2022/11/30/23486771/tiktok-ceo-shou-zi-chew-data-protection-us-users

    TikTok CEO Shou Zi Chew gave a rare public interview at The New York Times’ DealBook conference today, telling host Andrew Ross Sorkin that he is “responsible for all the strategic decisions at TikTok” in response to a question about interference from the Chinese government.

    The 40-year-old Chew was funny and relaxed for most of the interview, even if many of his answers sounded straight from the 2010s Mark Zuckerberg / Jack Dorsey “social networking is good for the world” playbook. Did you know TikTok enables people to express themselves and build communities around shared interests?

    At the same time, Chew was prepared and ready for questions about Chinese interference in TikTok, whose ownership by China-based ByteDance has led to calls for the app to be banned on both sides of the aisle. “We take all these concerns seriously, we study them, we have been working with [the Committee on Foreign Investment in the United States] to solve what we think is a very solvable problem,” he said to Sorkin.

    The solution is “Project Texas,” in which TikTok will move its data from Virginia and Singapore to a new cloud infrastructure in the United States run by Oracle, which only a team made up of US residents will have access to. The system is “expensive to build, and it’s challenging to do it, but we are doing it to address these concerns,” Chew said.

    “We are ahead of the curve on data localization,” Chew said. “No company organizes data like this.”

    Reply
  17. Tomi Engdahl says:

    Vanuatu Struggles Back Online After Cyberattack
    https://www.securityweek.com/vanuatu-struggles-back-online-after-cyberattack

    Vanuatu’s government said Thursday it was slowly getting its communications back online following a cyberattack that knocked out emergency services, emails and phone lines for weeks.

    Chief information officer Gerard Metsan said “70 percent of the government network” had now been restored, including crucial emergency lines for ambulance, police and fire services.

    He did not give details of which services remained affected but said all government departments were back online after some hardware was replaced.

    Government servers and websites on the Pacific island nation had been out since November 6, when suspicious activity was first detected.

    The attack knocked out online services, email and network-sharing systems, in many cases forcing officials to use other platforms to communicate.

    Experts from Australia were called in to help, Vanuatu’s newly elected Prime Minister Ishmael Kalsakau told reporters Wednesday, adding it remained unclear who was behind the cyberattack.

    Reply
  18. Tomi Engdahl says:

    Nvidia Patches Many Vulnerabilities in Windows, Linux Display Drivers
    https://www.securityweek.com/nvidia-patches-many-vulnerabilities-windows-linux-display-drivers

    Nvidia’s November 2022 display driver updates patch 29 vulnerabilities impacting Windows and Linux products, including ten high-severity issues.

    The most severe of the security defects is CVE‑2022‑34669 (CVSS score of 8.8), an issue in the user mode layer of Nvidia’s Windows driver that could be exploited by an unprivileged attacker to access or tamper with system files or other files that the driver uses.

    Successful exploitation of the bug, Nvidia says, could allow the attacker to execute arbitrary code, cause a denial-of-service (DoS) condition, escalate privileges, access restricted information, or modify data.

    Another severe flaw in the Windows driver is CVE‑2022‑34671 (CVSS score of 8.5), an out-of-bounds write that could have similar effects.

    A vulnerability in Nvidia Control Panel for Windows could allow an unauthorized attacker to escalate privileges, leak sensitive data, or execute commands. The bug is tracked as CVE‑2022‑34672 (CVSS score of 7.8).

    Reply
  19. Tomi Engdahl says:

    Albanian IT Staff Charged With Negligence Over Cyberattack
    https://www.securityweek.com/albanian-it-staff-charged-negligence-over-cyberattack

    Albanian prosecutors on Wednesday asked for the house arrest of five public employees they blame for not protecting the country from a cyberattack by alleged Iranian hackers.

    Prosecutors said the five IT officials of the public administration department had failed to check the security of the system and update it with the most recent antivirus software.

    They are accused of “abuse of post,” which can attract a prison sentence of up to seven years.

    In September, Albania cut diplomatic ties with Iran over a July 15 cyberattack that temporarily shut down numerous Albanian government digital services and websites. Tirana called the disruption an act of “state aggression.”

    Albania, a NATO member, has been helped by the alliance, the U.S. and the EU to investigate and install better cyber defenses.

    Reply
  20. Tomi Engdahl says:

    Several Car Brands Exposed to Hacking by Flaw in Sirius XM Connected Vehicle Service
    https://www.securityweek.com/several-car-brands-exposed-hacking-flaw-sirius-xm-connected-vehicle-service

    Cybersecurity researchers discovered that several car brands were exposed to remote hacker attacks due to a vulnerability in a connected vehicle service provided by Sirius XM.

    Sirius XM claims on its website that its connected services are used by more than 12 million vehicles in North America, including Acura, BMW, Honda, Hyundai, Infiniti, Jaguar, Land Rover, Lexus, Nissan, Subaru, and Toyota cars.

    Researcher Sam Curry on Wednesday described a recent car hacking project targeting Sirius XM, which he and his team learned about when looking for a telematic solution shared by multiple car brands.

    An analysis led to the discovery of a domain used when enrolling vehicles in the Sirius XM remote management functionality, Curry said in a Twitter thread.

    Reply
  21. Tomi Engdahl says:

    How wonderful… “Samsung’s Android app-signing key has leaked, is being used to sign malware”

    Samsung’s Android app-signing key has leaked, is being used to sign malware
    https://arstechnica.com/gadgets/2022/12/samsungs-android-app-signing-key-has-leaked-is-being-used-to-sign-malware/

    The cryptographic key proves an update is legit, assuming your OEM doesn’t lose it.

    A developer’s cryptographic signing key is one of the major linchpins of Android security. Any time Android updates an app, the signing key of the old app on your phone needs to match the key of the update you’re installing. The matching keys ensure the update actually comes from the company that originally made your app and isn’t some malicious hijacking plot. If a developer’s signing key got leaked, anyone could distribute malicious app updates and Android would happily install them, thinking they are legit.

    On Android, the app-updating process isn’t just for apps downloaded from an app store; you can also update bundled-in system apps made by Google, your device manufacturer, and any other bundled apps. While downloaded apps have a strict set of permissions and controls, bundled-in Android system apps have access to much more powerful and invasive permissions and aren’t subject to the usual Play Store limitations (this is why Facebook always pays to be a bundled app). If a third-party developer ever lost their signing key, it would be bad. If an Android OEM ever lost their system app signing key, it would be really, really bad.

    Guess what has happened! Łukasz Siewierski, a member of Google’s Android Security Team, has a post on the Android Partner Vulnerability Initiative (AVPI) issue tracker detailing leaked platform certificate keys that are actively being used to sign malware. The post is just a list of the keys, but running each one through APKMirror or Google’s VirusTotal site will put names to some of the compromised keys: Samsung, LG, and Mediatek are the heavy hitters on the list of leaked keys, along with some smaller OEMs like Revoview and Szroco, which makes Walmart’s Onn tablets.

    Reply
  22. Tomi Engdahl says:

    Eufy’s camera footage is stored locally, but with the right URL, you can also watch it from anywhere, unencrypted. It’s complicated.

    Eufy’s “local storage” cameras can be streamed from anywhere, unencrypted
    https://arstechnica.com/gadgets/2022/12/more-eufy-camera-flaws-found-including-remote-unencrypted-feed-viewing/?utm_medium=social&utm_social-type=owned&utm_source=facebook&utm_brand=ars

    The URLs for accessing your camera streams are also way too easy to brute-force.

    Reply
  23. Tomi Engdahl says:

    Anker’s Eufy Cameras Caught Uploading Content to the Cloud Without User Consent [Updated]
    https://www.macrumors.com/2022/11/29/eufy-camera-cloud-uploads-no-user-consent/

    Reply
  24. Tomi Engdahl says:

    A new #Linux flaw can be chained with other two bugs to gain full root privileges
    https://securityaffairs.co/wordpress/139209/hacking/three-linux-bugs-full-root-privileges.html
    #securityaffairs #hacking

    Reply
  25. Tomi Engdahl says:

    Never-before-seen malware is nuking data in Russia’s courts and mayors’ offices
    CryWiper masquerades as ransomware, but its real purpose is to permanently destroy data.
    https://arstechnica.com/information-technology/2022/12/never-before-seen-malware-is-nuking-data-in-russias-courts-and-mayors-offices/

    Reply
  26. Tomi Engdahl says:

    CryWiper: fake ransomware
    https://www.kaspersky.com/blog/crywiper-pseudo-ransomware/46480/
    Our experts have discovered an attack of a new Trojan, which they've dubbed CryWiper. At first glance, this malware looks like ransomware: it modifies files, adds a .CRY extension to them (unique to CryWiper), and saves a README.txt file with a ransom note, which contains the bitcoin wallet address, the contact e-mail address of the malware creators, and the infection ID. However, in fact, this malware is a wiper: a file modified by CryWiper cannot be restored to its original state ever. So if you see a ransom note and your files have a new .CRY extension, don't hurry to pay the ransom: it's pointless.

    Reply
  27. Tomi Engdahl says:

    Blowing Cobalt Strike Out of the Water With Memory Analysis https://unit42.paloaltonetworks.com/cobalt-strike-memory-analysis/
    Unit 42 researchers examine several malware samples that incorporate Cobalt Strike components, and discuss some of the ways that we catch these samples by analyzing artifacts from the deltas in process memory at key points of execution. We will also discuss the evasion tactics used by these threats, and other issues that make their analysis problematic. Cobalt Strike is a clear example of the type of evasive malware that has been a thorn in the side of detection engines for many years. It is one of the most well-known adversary simulation frameworks for red team operations. However, it's not only popular among red teams, but it is also abused by many threat actors for malicious purposes.

    Reply
  28. Tomi Engdahl says:

    Dangerous Android hole detected: malware has used a devious trick https://www.tivi.fi/uutiset/tv/3f0a571b-22b6-4525-818c-239ec8d896ae
    Authentication keys used by Android phone manufacturers have slipped into malware. Google's Łukasz Siewierski, who made the discovery, said in a Twitter update he shared that the Android Partner Vulnerability Initiative programme had publicly disclosed how the Android authentication keys used by several Android device manufacturers (Android OEMs) have leaked into the hands of outside parties. These keys or certificates are used, for example, to verify that the Android version the user is running is genuine and created by the device maker, 9To5Google writes. The key is also used in various applications

    Reply
  29. Tomi Engdahl says:

    Hell's Keychain: Supply-chain vulnerability in IBM Cloud Databases for PostgreSQL allows potential for unauthorized database access https://www.wiz.io/blog/hells-keychain-supply-chain-attack-in-ibm-cloud-databases-for-postgresql
    In this blog post we will demonstrate how we were able to leverage a privilege escalation vulnerability in PostgreSQL to uncover a long-lasting secret that could have been abused to authenticate to internal IBM Cloud CI/CD services and intervene with IBM Cloud's internal image building process, in effect potentially exposing its customers to a supply-chain attack. Wiz and IBM Cloud worked closely together to fix this issue. Wiz Research found Hell's Keychain, a first-of-its-kind, cloud service provider supply-chain vulnerability in IBM Cloud Databases for PostgreSQL.

    Reply
  30. Tomi Engdahl says:

    Spanish police arrest 55 people involved in wide-ranging cyberscam operation https://therecord.media/spanish-police-arrest-55-people-involved-in-wide-ranging-cyberscam-operation/
    At least 55 people were arrested by the Spanish National Police on Thursday for their alleged involvement in a wide-ranging cybercrime operation that involved phishing scams, SIM-swapping and more. The group, which called itself the Black Panthers and was based in Barcelona, operated in four separate cells that stole about 250,000 from nearly 100 people through a variety of scams that involved the takeover of bank accounts.

    Reply
  31. Tomi Engdahl says:

    Google: After using Rust, we slashed Android memory safety vulnerabilities https://www.zdnet.com/article/google-after-using-rust-we-slashed-android-memory-safety-vulnerabilities/
    Google’s decision to use Rust for new code in Android in order to reduce memory-related flaws appears to be paying off. Memory safety vulnerabilities in Android have been more than halved — a milestone that coincides with Google’s switch from C and C++ to the memory-safe programming language, Rust. This is the first year that memory safety vulnerabilities are not the biggest category of security flaws, and comes a year after Google made Rust the default for new code in the Android Open Source Project (AOSP).

    Reply
  32. Tomi Engdahl says:

    obama224 distribution Qakbot tries .vhd (virtual hard disk) images
    https://isc.sans.edu/diary/obama224+distribution+Qakbot+tries+vhd+virtual+hard+disk+images/29294
    Qakbot (also called Qbot) is a long-running malware family that has seen wide-spread distribution through malicious spam (malspam) in recent years. During an infection, Qakbot performs different functions as an information stealer, backdoor, and malware downloader. Metadata tags in the malware code are tied to a specific distribution campaign.
    The “obama” series distribution tag includes a 3-digit suffix, and it currently represents thread-hijacked emails with attachments for HTML smuggling. When opened, the attached HTML file presents a password-protected zip archive to download, and the web page displays the password.

    Reply
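    The SANS diary above describes the current "obama"-series Qakbot lure: an HTML attachment that carries a password-protected zip inside the page, reconstructs it in the browser and shows the password next to the download. The script below is an added example, not code from the diary or from the Qakbot analysis, showing how a mail gateway or triage analyst could heuristically spot such an attachment: it looks for the JavaScript constructs that rebuild a file client-side, decodes long base64 runs, identifies archive or executable magic in the result, and reports whether an embedded zip carries the "encrypted" flag. The indicator list, scoring thresholds and both HTML samples are my own constructions (the "smuggling" sample wraps a benign text file, and the zip's encrypted flag bit is set by hand because Python's zipfile cannot write encrypted archives).

```python
import base64
import binascii
import io
import re
import zipfile

# JavaScript constructs typically present when an HTML attachment rebuilds a file
# in the browser and hands it to the user as a download. Heuristic, not a signature.
JS_INDICATORS = (
    r"\batob\s*\(",
    r"\bnew\s+Blob\s*\(",
    r"URL\.createObjectURL\s*\(",
    r"msSaveOrOpenBlob",
    r"\bdownload\s*=",
)

# Long runs of the base64 alphabet are candidate embedded payloads.
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{100,}={0,2}")

# File types worth flagging inside a decoded blob. Images are deliberately
# absent: inline data-URI images are common in legitimate mail.
MAGIC = {
    b"PK\x03\x04": "zip",
    b"MZ": "pe",
    b"%PDF": "pdf",
    b"\xd0\xcf\x11\xe0": "ole",
    b"\x1f\x8b": "gzip",
}


def identify(payload: bytes):
    """Return a coarse file type for the decoded blob, or None if not of interest."""
    for magic, name in MAGIC.items():
        if payload.startswith(magic):
            return name
    return None


def inspect_zip(raw: bytes) -> dict:
    """List member names and whether any member has the 'encrypted' flag (bit 0) set."""
    try:
        with zipfile.ZipFile(io.BytesIO(raw)) as zf:
            members = zf.infolist()
            return {
                "names": [m.filename for m in members],
                "encrypted": any(m.flag_bits & 0x1 for m in members),
            }
    except zipfile.BadZipFile:
        return {"names": [], "encrypted": False}


def analyze_html(html: str) -> dict:
    """Score an HTML attachment for smuggling indicators and decode embedded blobs."""
    indicators = [p for p in JS_INDICATORS if re.search(p, html)]
    payloads = []
    for m in BASE64_RUN.finditer(html):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue  # long token that is not valid base64
        kind = identify(raw)
        info = {"offset": m.start(), "size": len(raw), "type": kind}
        if kind == "zip":
            info["zip"] = inspect_zip(raw)
        payloads.append(info)
    # Each JS indicator counts 1; each decoded blob of a flagged type counts 2.
    score = len(indicators) + 2 * sum(1 for p in payloads if p["type"])
    return {"indicators": indicators, "payloads": payloads,
            "score": score, "suspicious": score >= 3}


# --- constructed samples (benign content, not real malware) -------------------

def build_sample_zip(mark_encrypted: bool) -> bytes:
    """Small stored zip; optionally set the 'encrypted' flag bit so the archive
    looks password-protected. Only the header flags are touched."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("document.txt", "constructed benign content " * 12)
    data = bytearray(buf.getvalue())
    if mark_encrypted:
        data[6] |= 0x01                      # local file header: general-purpose flags
        cd = data.find(b"PK\x01\x02")        # central directory header
        data[cd + 8] |= 0x01
    return bytes(data)


def build_sample_html() -> str:
    """Page that carries a zip as base64 and reconstructs it client-side."""
    b64 = base64.b64encode(build_sample_zip(True)).decode()
    return ('<html><body><p>Your document is ready. Password: 1234</p>\n'
            '<script>var d = atob("' + b64 + '");\n'
            'var b = new Blob([d], {type: "application/zip"});\n'
            'var a = document.createElement("a"); a.href = URL.createObjectURL(b);\n'
            'a.download = "document.zip"; a.click();</script></body></html>')


def build_benign_html() -> str:
    """Newsletter-style page with an inline PNG data URI, which must not be flagged."""
    fake_png = b"\x89PNG\r\n\x1a\n" + bytes(300)
    b64 = base64.b64encode(fake_png).decode()
    return '<html><body><img src="data:image/png;base64,' + b64 + '"></body></html>'


if __name__ == "__main__":
    for label, page in (("smuggling", build_sample_html()), ("benign", build_benign_html())):
        r = analyze_html(page)
        print(label, r["score"], r["suspicious"], r["indicators"], r["payloads"])
```

    The benign page decodes cleanly but scores zero because image data is not in the magic table and no file-rebuilding JavaScript is present; the smuggling sample scores on four indicators plus a decoded zip whose members report the encrypted flag, which is the combination the diary describes. In production the thresholds would be tuned against real mail flow, and a matched zip with the encrypted flag is a strong reason to detonate or quarantine rather than deliver.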
  33. Tomi Engdahl says:

    Google Rolls Out New Chrome Browser Update to Patch Yet Another Zero-Day Vulnerability https://thehackernews.com/2022/12/google-rolls-out-new-chrome-browser.html
    Search giant Google on Friday released an out-of-band security update to fix a new actively exploited zero-day flaw in its Chrome web browser. The high-severity flaw, tracked as CVE-2022-4262, concerns a type confusion bug in the V8 JavaScript engine. Clement Lecigne of Google’s Threat Analysis Group (TAG) has been credited with reporting the issue on November 29, 2022. Type confusion vulnerabilities could be weaponized by threat actors to perform out-of-bounds memory access, or lead to a crash and arbitrary code execution.

    Reply
  34. Tomi Engdahl says:

    Hackers use new, fake crypto app to breach networks, steal cryptocurrency https://www.bleepingcomputer.com/news/security/hackers-use-new-fake-crypto-app-to-breach-networks-steal-cryptocurrency/
    The North Korean ‘Lazarus’ hacking group is linked to a new attack spreading fake cryptocurrency apps under the made-up brand, “BloxHolder,” to install the AppleJeus malware for initial access to networks and steal crypto assets. According to a joint FBI and CISA report from February 2021, AppleJeus has been in circulation since at least 2018, used by Lazarus in cryptocurrency hijacking and digital asset theft operations. A new report by Volexity has identified new, fake crypto programs and AppleJeus activity, with signs of evolution in the malware’s infection chain and abilities.

    Reply
  35. Tomi Engdahl says:

    Rackspace rocked by security incident that has taken out some hosted Exchange services https://www.theregister.com/2022/12/03/rackspace_security_incident_hosted_exchange/
    Some of Rackspace's hosted Microsoft Exchange services have been taken down by what the company has described as a security incident. The company's most recent incident report at the time of writing, time-stamped 01:57 Eastern Time on December 3rd, offers the following information. “On Friday, Dec 2, 2022, we became aware of an issue impacting our Hosted Exchange environment. We proactively powered down and disconnected the Hosted Exchange environment while we triaged to understand the extent and the severity of the impact. After further analysis, we have determined that this is a security incident.”

    Reply
  36. Tomi Engdahl says:

    SIM swapper gets 18-months for involvement in $22 million crypto heist https://www.bleepingcomputer.com/news/security/sim-swapper-gets-18-months-for-involvement-in-22-million-crypto-heist/
    Florida man Nicholas Truglia was sentenced to 18 months in prison on Thursday for his involvement in a fraud scheme that led to the theft of millions from cryptocurrency investor Michael Terpin. The funds were stolen following a January 2018 SIM swap attack that allowed Truglia’s co-conspirators to hijack Terpin’s phone number and fraudulently transfer roughly $23.8 million in cryptocurrency from his crypto wallet to an online account under Truglia’s control.

    Reply
