Cyber security news December 2022

This posting is here to collect cyber security news in December 2022.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.

355 Comments

  1. Tomi Engdahl says:

    Binance freezes $3 million worth of crypto stolen in Ankr hack https://therecord.media/binance-freezes-3-million-worth-of-crypto-stolen-in-ankr-hack/
    Binance, one of the last remaining crypto giants, froze about $3 million worth of cryptocurrency early on Friday morning after Web3 infrastructure provider Ankr was hacked. Ankr said $5 million worth of Binance coin was stolen from the platform and that it planned to cover all of the losses suffered by its users. Another platform, Helio, confirmed that it was also hit in a connected attack. The team at Ankr has assessed the damage and it is max 5M USD worth of BNB from the liquidity pools. We are currently working hard to resolve this issue efficiently and we would like to propose the following to address the current situation:

    Reply
  2. Tomi Engdahl says:

    Open source software host Fosshost shutting down as CEO unreachable https://www.bleepingcomputer.com/news/technology/open-source-software-host-fosshost-shutting-down-as-ceo-unreachable/
    Open source software hosting and cloud computing provider Fosshost will no longer be providing services as it reaches end of life.
    Fosshost project volunteers announced the development this weekend following months of difficulties in reaching the leadership including the CEO. Users are being urged to immediately backup their data and migrate to alternative hosting platforms. UK-based non-profit Fosshost has been providing services to several high profile open source projects like GNOME, Armbian, Debian and Free Software Foundation Europe (FSFE) completely free of charge. But that will soon change as the project reaches end of life.

    Reply
  3. Tomi Engdahl says:

    Securing Your SAP Environments: Going Beyond Access Control https://securityintelligence.com/securing-sap-environments-beyond-access-control/
    Many large businesses run SAP to manage their business operations and their customer relations. Security has become an increasingly critical priority due to the ongoing digitalization of society and the new opportunities that attackers exploit to achieve a system breach.
    Recent attacks related to corrupt data, stealing personal information and escalating privileges for remote code execution all highlight the new and varied entry points threat actors have taken advantage of.
    Attackers with the appropriate skills could be able to exploit specific SAP vulnerabilities to take full control of the SAP system and expose the critical information and processes of the company.

    Reply
  4. Tomi Engdahl says:

    Googlen sovelluskaupassa olevia haittasovelluksia on ladattu miljoonia kertoja poista nämä heti
    https://www.tivi.fi/uutiset/tv/25730fd9-0998-4dd2-bf9d-6a7404686e04
    Google Play -sovelluskaupasta on löytynyt joukko haittasovelluksia, joita on asennettu yhteensä kaksi miljoonaa kertaa. Sovellukset on naamioitu hyötyohjelmiksi, mutta todellisuudessa ne haittaavat puhelimen toimintaa merkittävästi. Bleeping Computerin mukaan miljoona kertaa ladattu TubeBox oli saatavilla Googlen sovelluskaupassa vielä 4. joulukuuta. Sovellus lupaa rahallisia palkkioita videoiden ja mainosten katsomisesta, mutta palkintoja lunastettaessa se tarjoilee käyttäjille vain virheilmoituksia.

    Reply
  5. Tomi Engdahl says:

    Severe AMI MegaRAC flaws impact servers from AMD, ARM, HPE, Dell, others https://www.bleepingcomputer.com/news/security/severe-ami-megarac-flaws-impact-servers-from-amd-arm-hpe-dell-others/
    Three vulnerabilities in the American Megatrends MegaRAC Baseboard Management Controller (BMC) software impact server equipment used in many cloud service and data center providers. The flaws were discovered by Eclypsium in August 2022 and could enable attackers, under certain conditions, to execute code, bypass authentication, and perform user enumeration. The researchers discovered the flaws after examining leaked proprietary code of American Megatrends, specifically, the MegaRAC BMC firmware. MegaRAC BMC is a solution for complete out-of-band and lights-out remote system management, allowing admins to troubleshoot servers remotely as if standing in front of the device.

    Reply
  6. Tomi Engdahl says:

    French hospital complex suspends operations, transfers patients after ransomware attack https://therecord.media/french-hospital-complex-suspends-operations-transfers-critical-patients-after-ransomware-attack/
    A hospital complex in France has suspended medical operations and transferred six patients following a ransomware attack this weekend.
    Frances health ministry said that the Hospital Centre of Versailles a complex including two hospitals and a retirement home was currently entirely without any computer systems. Three of the transferred patients were in intensive care and three others were from its neonatal unit. Francois Braun, the countrys health minister, warned on Sunday that more patients may need to be transferred to other facilities following the attack, which has led to a total reorganization of the hospital.

    Reply
  7. Tomi Engdahl says:

    SiriusXM Vulnerability Lets Hackers Remotely Unlock and Start Connected Cars https://thehackernews.com/2022/12/siriusxm-vulnerability-lets-hackers.html
    Cybersecurity researchers have discovered a security vulnerability that exposes cars from Honda, Nissan, Infiniti, and Acura to remote attacks through a connected vehicle service provided by SiriusXM. The issue could be exploited to unlock, start, locate, and honk any car in an unauthorized manner just by knowing the vehicle’s vehicle identification number (VIN), researcher Sam Curry said in a Twitter thread last week. SiriusXM’s Connected Vehicles (CV) Services are said to be used by more than 10 million vehicles in North America, including Acura, BMW, Honda, Hyundai, Infiniti, Jaguar, Land Rover, Lexus, Nissan, Subaru, and Toyota.

    Reply
  8. Tomi Engdahl says:

    Discovered new BYOF technique to cryptomining with PRoot https://sysdig.com/blog/proot-post-explotation-cryptomining/
    The Sysdig Threat Research Team (TRT) recently discovered threat actors leveraging an open source tool called PRoot to expand the scope of their operations to multiple Linux distributions and simplify their necessary efforts. Typically, the scope of an attack is limited by the varying configurations of each Linux distribution. Enter PRoot, an open source tool that provides an attacker with a consistent operational environment across different Linux distributions, such as Ubuntu, Fedora, and Alpine. PRoot also provides emulation capabilities which allow for malware built on other architectures, such as ARM, to be run.

    Reply
  9. Tomi Engdahl says:

    Ruotsissa iso kyberhyökkäys Näin voidaan osoittaa, että Ruotsi on vakavasti uhattuna
    https://www.iltalehti.fi/ulkomaat/a/4839faab-d0d0-4569-83ac-a664b63afd22
    Jopa 35 000 ruotsalaista on vaarassa jäädä ilman etuuksiaan Ruotsin työttömyyskassaan, A-kassaniin, kohdistuneen kyberhyökkäyksen takia.
    Hyökkäys havaittiin perjantaina ja viikonloppuna työttömyyskassan järjestelmät päätettiin sulkea kokonaan. Ruotsin työmarkkina- ja integraatioministeri Johan Pehrson kommentoi tilannetta SVT:lle maanantaina.Poliisi sekä Ruotsin yhteiskunta- ja valmiusvirasto selvittävät tilannetta parhaillaan. Viranomaiset eivät ole tarkentaneet hyökkäyksen yksityiskohtia tai mahdollisia tarkoitusperiä.

    Reply
  10. Tomi Engdahl says:

    DEV-0139 launches targeted attacks against the cryptocurrency industry https://www.microsoft.com/en-us/security/blog/2022/12/06/dev-0139-launches-targeted-attacks-against-the-cryptocurrency-industry/
    Over the past several years, the cryptocurrency market has considerably expanded, gaining the interest of investors and threat actors. Cryptocurrency itself has been used by cybercriminals for their operations, notably for ransom payment in ransomware attacks, but we have also observed threat actors directly targeting organizations within the cryptocurrency industry for financial gain.
    Attacks targeting this market have taken many forms, including fraud, vulnerability exploitation, fake applications, and usage of info stealers, as attackers attempt to get their hands on cryptocurrency funds.

    Reply
  11. Tomi Engdahl says:

    Multiple government departments in New Zealand affected by ransomware attack on IT provider https://therecord.media/multiple-government-departments-in-new-zealand-affected-by-ransomware-attack-on-it-provider/
    A ransomware attack on Mercury IT, a widely used managed service provider (MSP) in New Zealand, is feared to have disrupted dozens of organizations in the country, including several government departments and public authorities. The Ministry of Justice and Te Whatu Ora (Health New Zealand) are among the public authorities that have announced being impacted by a cyberattack on a third-party IT support provider.

    Reply
  12. Tomi Engdahl says:

    Suspects arrested for hacking US networks to steal employee data https://www.bleepingcomputer.com/news/security/suspects-arrested-for-hacking-us-networks-to-steal-employee-data/
    Four men suspected of hacking into US networks to steal employee data for identity theft and the filing of fraudulent US tax returns have been arrested in London, UK, and Malmo, Sweden, at the request of the U.S. law enforcement authorities. The suspects identified in four recently unsealed U.S. indictments are Akinola Taylor (Nigeria), Olayemi Adafin (United Kingdom), Olakunle Oyebanjo (Nigeria), and Kazeem Olanrewaju Runsewe (Nigeria). The four men are accused of transnational wire fraud and identity theft for filing false tax claims with the United States Internal Revenue Service (IRS) to steal money from the agency through tax refunds.

    Reply
  13. Tomi Engdahl says:

    Rackspace confirms outage was caused by ransomware attack https://www.bleepingcomputer.com/news/security/rackspace-confirms-outage-was-caused-by-ransomware-attack/
    Texas-based cloud computing provider Rackspace has confirmed today that a ransomware attack is behind an ongoing Hosted Exchange outage described as an “isolated disruption”. “As you know, on Friday, December 2nd, 2022, we became aware of suspicious activity and immediately took proactive measures to isolate the Hosted Exchange environment to contain the incident,” the company said in an update to the initial incident report.

    Reply
  14. Tomi Engdahl says:

    Samsung’s Android app-signing key has leaked, is being used to sign malware | Ars Technica
    https://arstechnica.com/gadgets/2022/12/samsungs-android-app-signing-key-has-leaked-is-being-used-to-sign-malware/
    A developer’s cryptographic signing key is one of the major linchpins of Android security. Any time Android updates an app, the signing key of the old app on your phone needs to match the key of the update you’re installing. The matching keys ensure the update actually comes from the company that originally made your app and isn’t some malicious hijacking plot. If a developer’s signing key got leaked, anyone could distribute malicious app updates and Android would happily install them, thinking they are legit.
    On Android, the app-updating process isn’t just for apps downloaded from an app store, you can also update bundled-in system apps made by Google, your device manufacturer, and any other bundled apps. While downloaded apps have a strict set of permissions and controls, bundled-in Android system apps have access to much more powerful and invasive permissions and aren’t subject to the usual Play Store limitations (this is why Facebook always pays to be a bundled app). If a third-party developer ever lost their signing key, it would be bad. If an Android OEM ever lost their system app signing key, it would be really, really bad.
    Guess what has happened! Łukasz Siewierski, a member of Google’s Android Security Team, has a post on the Android Partner Vulnerability Initiative (AVPI) issue tracker detailing leaked platform certificate keys that are actively being used to sign malware. The post is just a list of the keys, but running each one through APKMirror or Google’s VirusTotal site will put names to some of the compromised keys: Samsung, LG, and Mediatek are the heavy hitters on the list of leaked keys, along with some smaller OEMs like Revoview and Szroco, which makes Walmart’s Onn tablets.

    Reply
  15. Tomi Engdahl says:

    Kari sai postiinsa 46 vieraan ihmisen potilas­tiedot Mehiläisestä – ”Kyllä tämä valitettavasti pitää paikkansa” https://www.is.fi/digitoday/art-2000009245082.html

    Reply
  16. Tomi Engdahl says:

    Over 75 Vulnerabilities Patched in Android With December 2022 Security Updates
    https://www.securityweek.com/over-75-vulnerabilities-patched-android-december-2022-security-updates
    Google this week announced the December 2022 Android updates with patches for over 75 vulnerabilities, including multiple critical remote code execution (RCE) flaws.
    The most severe of the RCE bugs is CVE-2022-20411, an issue in Android’s System component that could be exploited over Bluetooth.
    “The most severe of these issues is a critical security vulnerability in the System component that could lead to remote code execution over Bluetooth with no additional execution privileges needed,” Google explains in its advisory.
    Two other critical-severity RCE flaws (CVE-2022-20472 and CVE-2022-20473) were resolved in the Framework component. Google also patched a critical information disclosure (CVE-2022-20498) in the System component.
    All four issues were resolved as part of the 2022-12-01 security patch level, which addresses a total of 41 vulnerabilities in Android Runtime (1), Framework (20), Media framework (1), and System (19).
    Most of the addressed security defects are high-severity flaws, with escalation of privilege being the most common type. Information disclosure and denial-of-service (DoS) issues were also resolved.

    Reply
  17. Tomi Engdahl says:

    Critical Vulnerabilities Force Twitter Alternative Hive Social Offline
    https://www.securityweek.com/critical-vulnerabilities-force-twitter-alternative-hive-social-offline

    Social media platform Hive Social has taken its servers offline after security researchers identified and reported critical vulnerabilities in its code.

    Founded in 2019, Hive Social is seen by many as an alternative to Twitter, which is having its own troubles now, with the resignation of a top security chief and new information emerging on a recent data breach.

    With numerous concerned users fleeing Twitter following its acquisition by Elon Musk, Hive Social has registered a spike in new accounts, and announced in November 2022 that it has surpassed 1.5 million accounts.

    On November 30, German security collective Zerforschung published a blog post to warn of many security vulnerabilities identified in Hive Social’s code.

    “We found a number of critical vulnerabilities, which we confidentially reported to the company,” Zerforschung notes.

    Warning: do not use Hive Social
    https://zerforschung.org/posts/hive-en/

    Reply
  18. Tomi Engdahl says:

    Security Flaws in AMI BMC Can Expose Many Data Centers, Clouds to Attacks
    https://www.securityweek.com/security-flaws-ami-bmc-can-expose-many-data-centers-clouds-attacks

    Researchers at firmware and hardware security company Eclypsium have identified several potentially serious vulnerabilities in baseboard management controller (BMC) firmware made by AMI (American Megatrends) and used by some of the world’s biggest server manufacturers.

    Eclypsium started analyzing the firmware in August, after it came across a data leak allegedly originating from AMI. The firm decided to analyze the leaked software to see if it could find any vulnerabilities, to ensure that they get patched in case malicious actors would also be looking for security flaws to exploit.

    The analysis focused on AMI’s MegaRAC BMC, which is used by companies such as AMD, Ampere, Asrock, Asus, Arm, Dell, Gigabyte, HPE, Huawei, Inspur, Lenovo, Nvidia, Qualcomm, Quanta, and Tyan.

    “This firmware is a foundational component of modern computing found in hundreds of thousands of servers in data centers, server farms, and cloud infrastructure around the world. And since devices in these environments typically standardize on a hardware configuration, a vulnerable configuration could likely be shared across thousands of devices,” Eclypsium said.

    Reply
  19. Tomi Engdahl says:

    Amnesty International Canada Says It Was Hacked by Beijing
    https://www.securityweek.com/amnesty-international-canada-says-it-was-hacked-beijing

    The Canadian branch of Amnesty International said Monday it was the target of a cyberattack sponsored by China.

    The human rights organization said it first detected the breach Oct. 5 and hired forensic investigators and cybersecurity experts to investigate.

    Ketty Nivyabandi, Secretary General of Amnesty International Canada, said the searches in their systems were specifically and solely related to China and Hong Kong, as well as a few prominent Chinese activists. The hack left the organization offline for nearly three weeks.

    U.S. cybersecurity firm Secureworks said there was no attempt to monetize the access, and “a threat group sponsored or tasked by the Chinese state” was likely behind the attack because of the nature of the searches, the level of sophistication and the use of specific tools that are distinctive of China-sponsored actors.

    Nivyabandi encouraged activists and journalists to update their cybersecurity protocols in light of it.

    Reply
  20. Tomi Engdahl says:

    Netgear Neutralizes Pwn2Own Exploits With Last-Minute Nighthawk Router Patches
    https://www.securityweek.com/netgear-neutralizes-pwn2own-exploits-last-minute-nighthawk-router-patches

    Last week, Netgear released hotfixes for a network misconfiguration in Nighthawk RAX30 (AX2400) routers that could allow a remote attacker to gain unrestricted access to services otherwise intended for the local network.

    The bug existed because the WAN interface of these devices had IPv6 enabled by default, but did not apply for IPv6 traffic access restrictions that were otherwise applied for IPv4 traffic.

    Due to this misconfiguration, services running on the router that may be inadvertently listening via IPv6, including SSH and Telnet on ports 22 and 23, may be accessible from the internet.

    “This misconfiguration could allow an attacker to interact with services only intended to be accessible by clients on the local network,” cybersecurity firm Tenable says.

    Reply
  21. Tomi Engdahl says:

    Several Code Execution Vulnerabilities Patched in Sophos Firewall
    https://www.securityweek.com/several-code-execution-vulnerabilities-patched-sophos-firewall

    Sophos has informed customers that Sophos Firewall version 19.5, whose general availability was announced in mid-November, patches several vulnerabilities, including ones that can lead to arbitrary code execution.

    In addition to resiliency improvements and a performance boost, the latest Sophos Firewall version brings patches for seven vulnerabilities.

    According to a security advisory released on December 1, one of the vulnerabilities patched in version 19.5 is CVE-2022-3236, which has a ‘critical’ severity rating.

    Reply
  22. Tomi Engdahl says:

    ‘Scattered Spider’ Cybercrime Group Targets Mobile Carriers via Telecom, BPO Firms
    https://www.securityweek.com/scattered-spider-cybercrime-group-targets-mobile-carriers-telecom-bpo-firms

    A threat actor tracked as ‘Scattered Spider’ is targeting telecommunications and business process outsourcing (BPO) companies in an effort to gain access to mobile carrier networks and perform SIM swapping, cybersecurity firm CrowdStrike warns.

    Reply
  23. Tomi Engdahl says:

    Inadvertently, a researcher crashes the KmsdBot Cryptocurrency mining Botnet
    https://www.realinfosec.net/trending-infosec-news/inadvertently-a-researcher-crashes-the-kmsdbot-cryptocurrency-mining-botnet/

    KmsdBot, a new cryptocurrency mining botnet, was unintentionally shut down as a result of an ongoing study.

    Reply
  24. Tomi Engdahl says:

    Internet Explorer 0-day exploited by North Korean actor APT37 https://blog.google/threat-analysis-group/internet-explorer-0-day-exploited-by-north-korean-actor-apt37/
    To protect our users, Googles Threat Analysis Group (TAG) routinely hunts for 0-day vulnerabilities exploited in-the-wild. This blog will describe a 0-day vulnerability, discovered by TAG in late October 2022, embedded in malicious documents and used to target users in South Korea. We attribute this activity to a group of North Korean government-backed actors known as APT37. These malicious documents exploited an Internet Explorer 0-day vulnerability in the JScript engine, CVE-2022-41128. Our policy is to quickly report vulnerabilities to vendors, and within a few hours of discovering this 0-day, we reported it to Microsoft and patches were released to protect users from these attacks.

    Reply
  25. Tomi Engdahl says:

    Fantasy a new Agrius wiper deployed through a supplychain attack https://www.welivesecurity.com/2022/12/07/fantasy-new-agrius-wiper-supply-chain-attack/
    ESET researchers discovered a new wiper and its execution tool, both attributed to the Agrius APT group, while analyzing a supply-chain attack abusing an Israeli software developer. The group is known for its destructive operations. In February 2022, Agrius began targeting Israeli HR and IT consulting firms, and users of an Israeli software suite used in the diamond industry. We believe that Agrius operators conducted a supply-chain attack abusing the Israeli software developer to deploy their new wiper, Fantasy, and a new lateral movement and Fantasy execution tool, Sandals.

    Reply
  26. Tomi Engdahl says:

    Zerobot New Go-Based Botnet Campaign Targets Multiple Vulnerabilities https://www.fortinet.com/blog/threat-research/zerobot-new-go-based-botnet-campaign-targets-multiple-vulnerabilities
    In November, FortiGuard Labs observed a unique botnet written in the Go language being distributed through IoT vulnerabilities. This botnet, known as Zerobot, contains several modules, including self-replication, attacks for different protocols, and self-propagation. It also communicates with its command-and-control server using the WebSocket protocol. Based on some IPS signatures trigger count (shown in Figure 1), this campaign started its distribution of the current version sometime after mid-November.

    Reply
  27. Tomi Engdahl says:

    Mustang Panda Uses the Russian-Ukrainian War to Attack Europe and Asia Pacific Targets https://blogs.blackberry.com/en/2022/12/mustang-panda-uses-the-russian-ukrainian-war-to-attack-europe-and-asia-pacific-targets
    As part of ongoing hunting and continuous monitoring efforts regarding the advanced persistent threat (APT) group Mustang Panda, the BlackBerry Threat Research and Intelligence team recently came across an interesting RAR file titled Political Guidance for the new EU approach towards Russia.rar. This file captured our interest due to the ongoing geopolitical situation in Eastern Europe. An examination of its contents revealed a decoy document matching the naming convention of the RAR, along with additional components that are often seen as part of a typical PlugX infection chain.

    Reply
  28. Tomi Engdahl says:

    Antwerp’s city services down after hackers attack digital partner https://www.bleepingcomputer.com/news/security/antwerps-city-services-down-after-hackers-attack-digital-partner/
    The city of Antwerp, Belgium, is working to restore its digital services that were disrupted last night by a cyberattack on its digital provider. The disruption has affected services used by citizens, schools, daycare centers, and the police, which have been working intermittently today. An investigation is ongoing, but the little information available points to a ransomware attack from a threat actor that has yet to be disclosed. According to Het Laatste Nieuws (HLN), the hackers were able to disrupt Antwerp’s services after breaching the servers of Digipolis, the city’s digital partner that provides administrative software.

    Reply
  29. Tomi Engdahl says:

    Amnesty International Canada breached by suspected Chinese hackers https://www.bleepingcomputer.com/news/security/amnesty-international-canada-breached-by-suspected-chinese-hackers/
    Amnesty International’s Canadian branch has disclosed a security breach detected in early October and linked to a threat group likely sponsored by China. The international human rights non-governmental organization (NGO) says it first detected the breach on October 5, when it spotted suspicious activity on its IT infrastructure. After detecting the attack, the NGO hired the services of cybersecurity firm Secureworks to investigate the attack and secure its systems.

    Reply
  30. Tomi Engdahl says:

    CloudSEK claims it was hacked by another cybersecurity firm https://www.bleepingcomputer.com/news/security/cloudsek-claims-it-was-hacked-by-another-cybersecurity-firm/
    Indian cybersecurity firm CloudSEK says a threat actor gained access to its Confluence server using stolen credentials for one of its employees’ Jira accounts. While some internal information, including screenshots of product dashboards and three customers’ names and purchase orders, was exfiltrated from its Confluence wiki, CloudSEK says the attackers didn’t compromise its databases.

    Reply
  31. Tomi Engdahl says:

    Iranian hackers accused of targeting diamond industry with wiper malware https://therecord.media/iranian-hackers-accused-of-targeting-diamond-industry-with-wiper-malware/
    Hackers allegedly connected to the Iranian government have been accused of targeting diamond companies in South Africa, Israel and Hong Kong with a wiper malware built to destroy data. Researchers from ESET attributed the wiper tool named Fantasy to the Agrius APT group, which other researchers have indicated has ties to Irans government. ESET said the group is a newer Iran-aligned group targeting victims primarily in Israel and the United Arab Emirates since 2020. Their latest campaign began in February 2022 and has targeted Israeli HR and IT consulting firms as well as users of an Israeli software suite used in the diamond industry.

    Reply
  32. Tomi Engdahl says:

    Cyberattack on Top Indian Hospital Highlights Security Risk
    https://www.securityweek.com/cyberattack-top-indian-hospital-highlights-security-risk

    The leading hospital in India’s capital limped back to normalcy on Wednesday after a cyberattack crippled its operations for nearly two weeks.

    Online registration of patients resumed Tuesday after the hospital was able to access its server and recover lost data. The hospital worked with federal authorities to restore the system and strengthen its defenses.

    It’s unclear who conducted the Nov. 23 attack on the All India Institute of Medical Sciences or where it originated. Hospital authorities didn’t respond to requests for comment.

    The attack was followed by a series of failed attempts to hack India’s top medical research organization, the Indian Council of Medical Research. This raised further concerns about the vulnerability of India’s health system to attacks at a time when the government is pushing hospitals to digitize their records.

    More than 173,000 hospitals have registered with a federal program to digitize health records since its launch in September 2021.

    Reply
  33. Tomi Engdahl says:

    Google Documents IE Browser Zero-Day Exploited by North Korean Hackers
    https://www.securityweek.com/google-documents-ie-browser-zero-day-exploited-north-korean-hackers

    Google’s Threat Analysis Group (TAG) has shared technical details on an Internet Explorer zero-day vulnerability exploited in attacks by North Korean hacking group APT37.

    Tracked as CVE-2022-41128 (CVSS score of 8.8), the vulnerability was identified in the browser’s ‘JScript9’ JavaScript engine and can be exploited by remote attackers to execute arbitrary code on a target system.

    Google describes the security defect as an incorrect JIT optimization issue that leads to a type confusion. The bug is similar to CVE-2021-34480, a JScript9 flaw that was patched last year.

    Microsoft patched CVE-2022-41128 one week after being alerted on it, as part of the November 2022 Patch Tuesday security updates, warning that the vulnerability was being exploited in attacks.

    “This vulnerability requires that a user with an affected version of Windows accesses a malicious server. An attacker would have to host a specially crafted server share or website,” Microsoft warned at the time.

    Reply
  34. Tomi Engdahl says:

    Self-Propagating ‘Zerobot’ Botnet Targeting Spring4Shell, IoT Vulnerabilities
    https://www.securityweek.com/google-documents-ie-browser-zero-day-exploited-north-korean-hackers

    A newly observed botnet capable of self-replicating and self-propagation is targeting multiple Internet of Things (IoT) vulnerabilities for initial access, cybersecurity solutions provider Fortinet warns.

    Dubbed Zerobot, the malware is written in the Golang (Go) programming language and has several modules for self-replication, self-propagation, and for conducting attacks on different protocols.

    The malware has been observed communicating with its command-and-control (C&C) server via the WebSocket protocol and targeting twelve architectures, including i386, amd64, arm64, arm, mips, mipsle, mips64, mips64le, ppc64, ppc64le, riscv64, and s390x.

    To date, Fortinet has identified two variants of the botnet, one containing basic functions and used before November 24, and another that can replicate itself and target more endpoints, which has been distributed since mid-November.

    The malware includes 21 exploits, including code targeting recent Spring4Shell and F5 Big-IP flaws, other known vulnerabilities, and various security defects in IoT devices such as routers, surveillance cameras, and firewalls.

    https://www.fortinet.com/blog/threat-research/zerobot-new-go-based-botnet-campaign-targets-multiple-vulnerabilities

    Reply
  35. Tomi Engdahl says:

    Lighting Giant Acuity Brands Discloses Two Data Breaches
    https://www.securityweek.com/lighting-giant-acuity-brands-discloses-two-data-breaches

    Lighting and building management giant Acuity Brands has publicly disclosed two data breaches suffered by the company in recent years, including one that may have involved ransomware.

    The Atlanta, Georgia-based firm employs roughly 13,000 people and has operations in North America, Europe and Asia.

    In a data security incident notice published in recent days, Acuity Brands said it became aware of unauthorized access to its systems and data theft in early December 2021. The investigation into the incident revealed a separate, unrelated breach that occurred in October 2020, which also involved attempts to copy files from compromised systems.

    https://www.acuitybrands.com/-/media/abl/acuitybrands/files/data-security-incident-notice.pdf?forceBehavior=open

    Reply
  36. Tomi Engdahl says:

    Kyberhyökkäykset runtelevat Ruotsia, miten käy Suomen? Asian­tuntija vastaa https://www.is.fi/digitoday/tietoturva/art-2000009254227.html

    Reply
  37. Tomi Engdahl says:

    Malicious hackers exploit Seoul Halloween tragedy in zero-day attack https://www.tripwire.com/state-of-security/malicious-hackers-exploit-seoul-halloween-tragedy-zero-day-attack
    Malicious hackers, hell-bent on infiltrating an organisation, have no qualms about exploiting even the most tragic events. Google’s Threat Analysis Group (TAG) reports this week that it saw a North Korean government-backed hacking group using the Seoul Yongsan Itaewon tragedy as a lure to trick innocent individuals in South Korea into opening boobytrapped files.

    Reply
  38. Tomi Engdahl says:

    4 000 suomalaisen tietoja myydään netissä 5 miljoonan uhrin tieto­kannassa muun muassa sala­kuvia tieto­koneelta https://www.is.fi/digitoday/art-2000009251810.html
    HAKKERIT myyvät internetissä verkkokameran ottamia kuvia, ruutukaappauksia, toimivia kirjautumistietoja, evästeitä ja digitaalisia sormenjälkiä. Vpn-palveluntarjoaja NordVPN tarkasteli kolmea suurta bottimarkkinapaikkaa, joissa tiedot ovat kaupan.

    https://etn.fi/index.php/13-news/14348-4-000-suomalaisen-tiedot-myynnissae-bottimarkkinoilla

    Reply
  39. Tomi Engdahl says:

    Valtion uusi kyberturvallisuusjohtaja on valittu tehtävän sai tuttu konkari
    https://www.tivi.fi/uutiset/tv/a7ec4a0c-b6eb-4b73-8fa0-582057101289
    Valtioneuvosto on nimittänyt Rauli Paanasen valtion kyberturvallisuusjohtajaksi. Kyberturvallisuusjohtajan tehtäviin kuuluu muun muassa kansallisen kyberturvallisuuden kehittämisen koordinointi.

    Reply
  40. Tomi Engdahl says:

    Update now! NetGear routers’ default configuration allows remote attacks https://www.malwarebytes.com/blog/news/2022/12/update-now-netgear-routers-default-configuration-allows-remote-attacks
    NetGear has made a hotfix available for its Nighthawk routers after researchers found a network misconfiguration in the firmware allowed unrestricted communication with the internet facing ports of the device listening through IPv6.

    Reply
  41. Tomi Engdahl says:

    Eufy “no cloud” security cameras streaming data to the cloud https://www.malwarebytes.com/blog/news/2022/12/is-your-home-security-system-storing-data-100-locally
    Eufy home security cameras are currently in a spot of trouble as a result of door camera footage. This is because it turns out that data which should not have been going to the cloud was doing so anyway in certain conditions.

    Reply
  42. Tomi Engdahl says:

    Leaked Signing Keys Are Being Used to Sign Malware https://www.schneier.com/blog/archives/2022/12/leaked-signing-keys-are-being-used-to-sign-malware.html
    A bunch of Android OEM signing keys have been leaked or stolen, and they are actively being used to sign malware.

    Reply
  43. Tomi Engdahl says:

    Venäläistä jättipankkia pommitetaan rajulla verkkohyökkäyksellä “Historian suurin”
    https://www.tivi.fi/uutiset/venalaista-jattipankkia-pommitetaan-rajulla-verkkohyokkayksella-historian-suurin/2b79de41-a1b6-4418-ac52-e02672fbc986
    Isku näyttää olevan peräisin maan ulkopuolelta, mutta mukana on myös venäläisiä ip-osoitteita.

    Reply

Leave a Comment

Your email address will not be published. Required fields are marked *

*

*