Cyber security news December 2022

This posting is here to collect cyber security news in December 2022.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.

355 Comments

  1. Tomi Engdahl says:

    WAFs of Several Major Vendors Bypassed With Generic Attack Method
    https://www.securityweek.com/wafs-several-major-vendors-bypassed-generic-attack-method

    Researchers at industrial and IoT cybersecurity firm Claroty have identified a generic method for bypassing the web application firewalls (WAFs) of several major vendors.

    Claroty’s researchers discovered the method following an analysis of Cambium Networks’ wireless device management platform. They discovered a SQL injection vulnerability that could be used to obtain sensitive information, such as session cookies, tokens, SSH keys and password hashes.

    Exploitation of the flaw worked against the on-premises version, but an attempt to exploit it against the cloud version was blocked by the Amazon Web Services (AWS) WAF, which flagged the SQL injection payload as malicious.

    Further analysis revealed that the WAF could be bypassed by abusing the JSON data sharing format. JSON syntax is supported by all major SQL engines and it’s enabled by default.

    Claroty researchers used JSON syntax to craft a new SQL injection payload that would bypass the WAF — because the WAF did not understand it — while still being valid for the database engine to parse. They achieved this by using the JSON operator ‘@<’, which threw the WAF into a loop and allowed the payload to pass to the targeted database.

    After they verified the bypass method against the AWS WAF, the researchers checked if it would work against firewalls from other vendors as well. They successfully reproduced the bypass — with few or no changes to the payload — against products from Palo Alto Networks, Cloudflare, F5, and Imperva.

  2. Tomi Engdahl says:

    Kela's online service has crashed
    The fault is being investigated.
    https://www.is.fi/taloussanomat/art-2000009255206.html

    Kela's website is temporarily out of service, Kela announces on its site. The cause and extent of the fault are currently being investigated.

  3. Tomi Engdahl says:

    Vulnerabilities Allow Researcher to Turn Security Products Into Wipers
    https://www.securityweek.com/vulnerabilities-allow-researcher-turn-security-products-wipers

    SafeBreach Labs security researcher Or Yair discovered several vulnerabilities that allowed him to turn endpoint detection and response (EDR) and antivirus (AV) products into wipers.

    The identified issues, which were presented on Wednesday at the Black Hat Europe cybersecurity conference, allowed the researcher to trick the vulnerable security products into deleting arbitrary files and directories on the system, rendering the machine unusable.

    Dubbed Aikido, the researcher’s wiper abuses the extended privileges that EDR and AV products have on the system, relying on decoy directories containing specially crafted paths to trigger the deletion of legitimate files.

    “This wiper runs with the permissions of an unprivileged user yet has the ability to wipe almost any file on a system, including system files, and make a computer completely unbootable. It does all that without implementing code that touches the target files, making it fully undetectable,” the researcher explains.

    Yair explains that an unprivileged user cannot delete system (.sys) files, because they do not have the required permissions, but he successfully tricked the security product into performing the deletion by creating a decoy directory and placing in it a crafted path like the one intended for deletion (such as C:\temp\Windows\System32\drivers vs C:\Windows\System32\drivers).

    Yair points out that the exploit also bypasses Controlled Folder Access in Windows – a feature meant to prevent tampering with files inside folders that are on a Protected Folders list – because the EDR/AV has permissions to delete these files.

    Out of 11 security products that were tested, six were found vulnerable to this exploit. The security flaws were reported to the affected vendors and three CVE identifiers were issued: CVE-2022-37971 for Microsoft Defender and Defender for Endpoint, CVE-2022-45797 for Trend Micro Apex One, and CVE-2022-4173 for Avast and AVG Antivirus for Windows.

    Available on GitHub, the wiper contains exploits for the bugs impacting SentinelOne’s EDR and Microsoft Defender and Defender for Endpoint. For Microsoft’s products, however, only deletion of arbitrary directories is possible.

    https://github.com/SafeBreach-Labs/aikido_wiper

  4. Tomi Engdahl says:

    Data of 4,000 Finns for sale on bot markets
    https://etn.fi/index.php/13-news/14348-4-000-suomalaisen-tiedot-myynnissae-bottimarkkinoilla

    The online identities of at least five million people have been stolen and sold on bot markets for an average price of 6 euros. Of these, more than 4,000 are from Finland. For comparison: data of 15,000 Swedes, 8,000 Danes and 5,000 Norwegians were also for sale on bot markets. The data comes from a study by cybersecurity company NordVPN.

  5. Tomi Engdahl says:

    Anuran Sadhu / Reuters:
    NordVPN: stolen data of 5 million people globally, including 600,000 Indians, have been sold on the Genesis, Russian, and 2easy bot markets for ~$6 on average — Around five million people globally have had their data stolen and sold on the bot market till date, of which 600,000 are from India …
    https://www.reuters.com/technology/stolen-data-600000-indians-sold-bot-markets-so-far-study-2022-12-08/

  6. Tomi Engdahl says:

    Denial-of-service attacks took down Kela and Kanta services
    Kela's online services have suffered various disruptions throughout Friday.
    https://www.iltalehti.fi/kotimaa/a/9587e159-c6bc-4f64-972f-74367c77f475

    Kela's online services and the Kanta services have been out of service on Friday due to denial-of-service attacks.

    According to Kela, the attack has been broadly targeted at Kela's websites and online services, which also include the Kanta services.

    – There are a lot of denial-of-service attacks going around, and at Kela we have prepared for them to target us sooner or later. Our own preparedness and processes are in order, so the situation is under control, says Kela's IT director Jukka Melanen in a press release.

    According to the release, Kela has taken countermeasures. Remediation continues and service interruptions may still occur.

    According to Kela, customer data has not been at risk.

  7. Tomi Engdahl says:

    Pwn2Own Toronto 2022 has ended with competitors earning $989,750 for 63 zero-day exploits (and multiple bug collisions) targeting consumer products between December 6th and December 9th.

    During this hacking competition, 26 teams and security researchers have targeted devices in the mobile phones, home automation hubs, printers, wireless routers, network-attached storage, and smart speakers categories, all up-to-date and in their default configuration.

    While no team signed up to hack the Apple iPhone 13 and Google Pixel 6 smartphones, the contestants hacked a fully patched Samsung Galaxy S22 four times.

    https://www.bleepingcomputer.com/news/security/hackers-earn-989-750-for-63-zero-days-exploited-at-pwn2own-toronto/

    Throughout the contest, hackers have successfully demoed exploits targeting zero-day bugs in devices from multiple vendors, including Canon, HP, Mikrotik, NETGEAR, Sonos, TP-Link, Lexmark, Synology, Ubiquiti, Western Digital, Mikrotik, and HP.

    You can find the complete schedule of the competition here and the program and results for each day of Pwn2Own Toronto 2022 here.

    After the zero-day vulnerabilities exploited during the Pwn2Own event are reported, vendors are given 120 days to release patches before ZDI publicly discloses them.

    https://www.zerodayinitiative.com/blog?tag=Pwn2Own

  8. Tomi Engdahl says:

    And the hits just keep on coming…

    Optus (Singtel), then Telstra, then Medibank, then the Smith Family Charity… now Telstra again.

    Telstra apologises for accidentally publishing data of thousands of customers online
    https://www.abc.net.au/news/2022-12-11/telstra-apologises-for-online-data-leak/101759006

    Telstra has apologised to thousands of Australians who had their details published accidentally online by the communications giant.

    Key points:
    Names, numbers and addresses of some unlisted customers released online
    Telstra has blamed a “misalignment of databases”
    Impacted customers are being contacted and offered free services to combat identity theft

    The company said the release of the names, numbers and addresses of some unlisted customers was not the result of any malicious cyber attack and was a mistake.

  9. Tomi Engdahl says:

    US Dept of Health warns of increased Royal ransomware attacks on hospitals https://therecord.media/us-dept-of-health-warns-of-increased-royal-ransomware-attacks-on-hospitals/
    The U.S. Department of Health and Human Services (HHS) warned hospitals and organizations in the healthcare sector to stay on alert for attacks from the Royal ransomware group, a relatively new gang that emerged in September.

  10. Tomi Engdahl says:

    Researchers Uncover New Drokbk Malware that Uses GitHub as a Dead Drop Resolver https://thehackernews.com/2022/12/researchers-uncover-new-drokbk-malware.html
    The subgroup of an Iranian nation-state group known as Nemesis Kitten has been attributed as behind a previously undocumented custom malware dubbed Drokbk that uses GitHub as a dead drop resolver to exfiltrate data from an infected computer, or to receive commands.

  11. Tomi Engdahl says:

    Cyberattacks are battering Sweden, what will happen to Finland? An expert answers https://www.is.fi/digitoday/tietoturva/art-2000009254227.html
    SWEDEN is being tested by an exceptional surge of cyberattacks. Both public administration and industry are facing various attacks with varying motives. One of the targets is the unemployment fund A-kassa, which is unable to pay out money on time.

  12. Tomi Engdahl says:

    Network attack took down Omakanta and Kela services https://www.is.fi/digitoday/art-2000009256092.html
    Kela's website had disruptions in the morning; now the Kanta services maintained by Kela are suffering from them. A denial-of-service attack was behind it.
    People's data has not been at risk.

  13. Tomi Engdahl says:

    Antivirus and EDR solutions tricked into acting as data wipers https://www.bleepingcomputer.com/news/security/antivirus-and-edr-solutions-tricked-into-acting-as-data-wipers/
    A security researcher has found a way to exploit the data deletion capabilities of widely used endpoint detection and response (EDR) and antivirus (AV) software from Microsoft, SentinelOne, TrendMicro, Avast, and AVG to turn them into data wipers.

  14. Tomi Engdahl says:

    Google's email service Gmail recovering: global outage hampered receiving emails
    https://yle.fi/a/74-20008146
    Google's email service Gmail is recovering. For example, the British newspaper Mirror reported earlier in the afternoon that hundreds of users in Britain had reported problems.

  15. Tomi Engdahl says:

    Hackers earn $989,750 for 63 zero-days exploited at Pwn2Own Toronto https://www.bleepingcomputer.com/news/security/hackers-earn-989-750-for-63-zero-days-exploited-at-pwn2own-toronto/
    Pwn2Own Toronto 2022 has ended with competitors earning $989,750 for 63 zero-day exploits (and multiple bug collisions) targeting consumer products between December 6th and December 9th.

  16. Tomi Engdahl says:

    Air-gapped PCs vulnerable to data theft via power supply radiation https://www.bleepingcomputer.com/news/security/air-gapped-pcs-vulnerable-to-data-theft-via-power-supply-radiation/
    A new attack method named COVID-bit uses electromagnetic waves to transmit data from air-gapped systems isolated from the internet over a distance of at least two meters (6.5 ft), where it's captured by a receiver.

  17. Tomi Engdahl says:

    Healthcare Organizations Warned of Royal Ransomware Attacks
    https://www.securityweek.com/healthcare-organizations-warned-royal-ransomware-attacks

    The US Department of Health and Human Services (HHS) is warning healthcare organizations of the threat posed by ongoing Royal ransomware attacks.

    Initially spotted in September 2022, the ransomware family is employed by a financially-motivated threat actor that also uses known tools for persistence, credential exfiltration, and lateral movement.

    “Royal is a human-operated ransomware that was first observed in 2022 and has increased in appearance. It has demanded ransoms up to millions of dollars. Since its appearance, HC3 is aware of attacks against the Healthcare and Public Healthcare (HPH) sector,” the HHS warns.

  18. Tomi Engdahl says:

    Cisco Working on Patch for Publicly Disclosed IP Phone Vulnerability
    https://www.securityweek.com/cisco-working-patch-publicly-disclosed-ip-phone-vulnerability

    Cisco informed customers on Thursday that it’s working on patches for a high-severity vulnerability affecting some of its IP phones.

    The flaw, tracked as CVE-2022-20968, impacts 7800 series and 8800 series (except 8821) Cisco IP phones. There are no workarounds, but Cisco did provide a mitigation that can be used until patches are released by the company.

    CVE-2022-20968 has been described by the networking giant as a stack buffer overflow related to the Discovery Protocol processing feature.

  19. Tomi Engdahl says:

    SOHO Exploits Earn Hackers Over $100,000 on Day 3 of Pwn2Own Toronto 2022
    https://www.securityweek.com/soho-exploits-earn-hackers-over-100000-day-3-pwn2own-toronto-2022

    Trend Micro’s Zero Day Initiative (ZDI) announced total payouts nearing $1 million after the first three days of Pwn2Own Toronto 2022, and there is one day left to go.

    On the third day of the event, participants earned a total of $253,500 for hacking NAS devices, printers, smart speakers, routers, and smartphones. ZDI said $681,000 was paid out in the first two days.

    The new SOHO Smashup category earned participants the highest amounts on the third day. In this category, a small office / home office (SOHO) scenario is simulated, with the goal being to hack a router on the WAN interface and then pivoting to the LAN, where a second device needs to be hacked, such as a smart speaker, NAS appliance, or printer.

  20. Tomi Engdahl says:

    Over 4,000 Vulnerable Pulse Connect Secure Hosts Exposed to Internet
    https://www.securityweek.com/over-4000-vulnerable-pulse-connect-secure-hosts-exposed-internet

    More than 4,000 internet-accessible Pulse Connect Secure hosts are impacted by at least one known vulnerability, attack surface management firm Censys warns.

    Touted as the most widely deployed SSL VPN solution, Pulse Connect Secure provides remote and mobile users with secure access to corporate resources. The VPN appliance is part of Ivanti’s portfolio, after it acquired Pulse Secure in 2020.

  21. Tomi Engdahl says:

    LF Electromagnetic Radiation Used for Stealthy Data Theft From Air-Gapped Systems
    https://www.securityweek.com/lf-electromagnetic-radiation-used-stealthy-data-theft-air-gapped-systems

    Mordechai Guri, a cybersecurity researcher from the Ben-Gurion University of the Negev in Israel who specializes in air gap jumping, has released a paper detailing yet another method that can be used to stealthily exfiltrate data from systems isolated from the internet and local networks.

    The new method involves using the dynamic power consumption of modern computers and manipulation of CPU loads in order to cause the device to generate specific low-frequency (LF) electromagnetic radiation in the 0-60 kHz band.

    Guri showed how a malicious actor who has managed to plant a piece of malware on the targeted device — this can be achieved through insiders, supply chain attacks or social engineering — can exfiltrate small pieces of highly sensitive information, such as passwords or encryption keys.

    The researcher demonstrated that the attack can be conducted over distances of 2 meters (6.5 feet) and even more. The attack method has been named COVID-bit because this distance is often recommended for preventing Covid-19 transmission.

  22. Tomi Engdahl says:

    Microsoft bought a slice of the London Stock Exchange
    https://www.tivi.fi/uutiset/tv/a8e4aada-22b6-4117-9278-4ac1b3cde3dd
    Microsoft and London Stock Exchange Group (LSE), which runs the London stock exchange, have shaken hands on a partnership. LSE will buy cloud services from Microsoft for a total of 2.8 billion dollars over the next ten years. Microsoft in turn bought itself a stake in the exchange, reports the Evening Standard.

  23. Tomi Engdahl says:

    Denial-of-service attack on Kela continues, disruptions may still occur https://www.tivi.fi/uutiset/tv/c3e65e92-d850-48eb-9057-207ea74de9aa
    The denial-of-service attacks against Kela have continued during Monday, 12 December. Despite this, Kela's and Kanta's online services are working almost normally, Kela writes on Twitter.

  24. Tomi Engdahl says:

    PLAY ransomware group claims responsibility for Antwerp attack as second Belgian city confirms new incident https://therecord.media/play-ransomware-group-claims-responsibility-for-antwerp-attack-as-second-belgian-city-confirms-new-incident/
    The PLAY ransomware group has claimed responsibility for a ransomware attack on the Belgian city of Antwerp last week, just as the city of Diest, about an hour's drive east, confirmed on Monday that it has been hit by a cyberattack.

  25. Tomi Engdahl says:

    Uber suffers new data breach after attack on vendor, info leaked online https://www.bleepingcomputer.com/news/security/uber-suffers-new-data-breach-after-attack-on-vendor-info-leaked-online/
    Uber has suffered a new data breach after a threat actor leaked employee email addresses, corporate reports, and IT asset information stolen from a third-party vendor in a cybersecurity incident. Early Saturday morning, a threat actor named ‘UberLeaks’ began leaking data allegedly stolen from Uber and Uber Eats on a hacking forum known for publishing data breaches.

  26. Tomi Engdahl says:

    UK arrests five for selling ‘dodgy’ point of sale software https://www.theregister.com/2022/12/12/j5_electronic_sales_suppression_software_probe/
    Tax authorities from Australia, Canada, France, the UK and the USA have conducted a joint probe into “electronic sales suppression software” applications that falsify point of sale data to help merchants avoid paying tax on their true revenue.

  27. Tomi Engdahl says:

    NATO's cyber chief warns Finns about the future of cyberattacks: It can easily go like a frog in hot water
    https://www.kauppalehti.fi/uutiset/naton-kyberjohtaja-varoittaa-suomalaisia-kyberhyokkaysten-tulevaisuudesta-kay-helposti-kuin-sammakolle-kuumassa-vedessa/aa47fa4d-836b-4a27-a2cb-201d129fe108
    The worst in cyberattacks is yet to be seen, predicts NATO's Christian-Marc Lifländer.

  28. Tomi Engdahl says:

    Fortinet says SSL-VPN pre-auth RCE bug is exploited in attacks https://www.bleepingcomputer.com/news/security/fortinet-says-ssl-vpn-pre-auth-rce-bug-is-exploited-in-attacks/
    Fortinet urges customers to patch their appliances against an actively exploited FortiOS SSL-VPN vulnerability that could allow unauthenticated remote code execution on devices. The security flaw is tracked as CVE-2022-40684 and is a heap-based buffer overflow bug in FortiOS sslvpnd. When exploited, the flaw could allow unauthenticated users to crash devices remotely and potentially perform code execution.

  29. Tomi Engdahl says:

    Hive ransomware gang claims responsibility for attack on Intersport that left cash registers disabled https://www.bitdefender.com/blog/hotforsecurity/hive-ransomware-gang-claims-responsibility-for-attack-on-intersport-that-left-cash-registers-disabled/
    Sports retail giant Intersport, which boasts some 6000 stores worldwide in 57 countries, has fallen victim to a ransomware attack which disabled checkouts in France during what should have been one of the busiest times of the year.

  30. Tomi Engdahl says:

    Fortinet Ships Emergency Patch for Already-Exploited VPN Flaw
    https://www.securityweek.com/fortinet-ships-emergency-patch-already-exploited-vpn-flaw

    Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the flaw in the wild.

    A critical-level advisory from Fortinet described the bug as a memory corruption that allows a “remote unauthenticated attacker” to launch harmful code or execute commands on a target system.

    “A heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests,” the company warned.

    Underscoring the urgency, Fortinet warned that the vulnerability has already been exploited in the wild.

    “Fortinet is aware of an instance where this vulnerability was exploited in the wild, and recommends immediately validating your systems against the following indicators of compromise,” the company said, listing artifacts and connections to suspicious IP addresses that can help defenders hunt for infections.

  31. Tomi Engdahl says:

    Python, JavaScript Developers Targeted With Fake Packages Delivering Ransomware
    https://www.securityweek.com/python-javascript-developers-targeted-fake-packages-delivering-ransomware

    Phylum security researchers warn of a new software supply chain attack relying on typosquatting to target Python and JavaScript developers.

    On Friday, the researchers warned that a threat actor was typosquatting popular PyPI packages to direct developers to malicious dependencies containing code to download payloads written in Golang (Go).

    The purpose of the attack is to infect victims with ransomware variants designed to update the desktop background with a message impersonating the CIA and instructing the victim to open a ‘readme’ file. The malware also attempts to encrypt some of the victim’s files.

    The ‘readme’ file is, in fact, a ransom note that tells the victim they need to pay the attackers $100 in cryptocurrency to receive a decryption key.

    Phylum has compiled a list of packages targeted in the campaign. As of Friday, the list included: dequests, fequests, gequests, rdquests, reauests, reduests, reeuests, reqhests, reqkests, requesfs, requesta, requeste, requestw, requfsts, resuests, rewuests, rfquests, rrquests, rwquests, telnservrr, and tequests.

    Shortly after publishing the initial report, Phylum updated it to warn that NPM packages were also being targeted as part of the same campaign.

  32. Tomi Engdahl says:

    Users Warned of New Aerst, ScareCrow, and Vohuk Ransomware Families
    https://www.securityweek.com/users-warned-new-aerst-scarecrow-and-vohuk-ransomware-families

    Fortinet’s security researchers have shared information on three new ransomware families named Aerst, ScareCrow, and Vohuk.

    Targeting Windows computers, these are typical ransomware families that encrypt victim files and demand a ransom payment in exchange for a decryption key. This new ransomware has been used in an increasing number of attacks.

    Aerst was seen appending to encrypted files the ‘.aerst’ extension and displaying a popup window containing the attacker’s email address, instead of dropping a typical ransom note.

    The popup window contains a field where the victim can enter a purchase key required to restore the encrypted data. Aerst deletes Volume Shadow copies to prevent file recovery.

    Vohuk does drop a ransom note – readme.txt – asking the victim to contact the attackers via email. Seemingly under continuous development, the malware assigns a unique ID to each victim.

    This ransomware family appends the ‘.vohuk’ extension to the encrypted files, replaces file icons with a red lock icon, and changes the desktop wallpaper with its own.

    “The ransomware leaves a distinctive mutex, ‘Global\\VohukMutex’, which prevents different instances of Vohuk ransomware from running on the same system,” Fortinet explains.

    The malware has been mainly targeting users in Germany and India.

    ScareCrow’s ransom note, named ‘readme.txt’, instructs victims to contact the attacker using one of three Telegram channels. The threat appears to be the most widespread, with files submitted from the United States, Germany, India, Italy, the Philippines, and Russia.

  33. Tomi Engdahl says:

    Rackspace Hit With Lawsuits Over Ransomware Attack
    https://www.securityweek.com/rackspace-hit-lawsuits-over-ransomware-attack

    At least two lawsuits have been filed against Texas-based cloud company Rackspace over the recently disclosed ransomware attack.

    Rackspace’s Hosted Exchange environment started experiencing problems on December 2. The firm revealed one day later that it was dealing with a security incident that forced it to shut down its hosted Microsoft Exchange service.

  34. Tomi Engdahl says:

    New Python malware backdoors VMware ESXi servers for remote access
    https://www.bleepingcomputer.com/news/security/new-python-malware-backdoors-vmware-esxi-servers-for-remote-access/
    A previously undocumented Python backdoor targeting VMware ESXi servers has been spotted, enabling hackers to execute commands remotely on a compromised system.
    VMware ESXi is a virtualization platform commonly used in the enterprise to host numerous servers on one device while using CPU and memory resources more effectively.
    The new backdoor was discovered by Juniper Networks researchers, who found the backdoor on a VMware ESXi server. However, they could not determine how the server was compromised due to limited log retention.
    They believe the server may have been compromised using the CVE-2019-5544 and CVE-2020-3992 vulnerabilities in ESXi’s OpenSLP service.
    While the malware is technically capable of targeting Linux and Unix systems, too, Juniper’s analysts found multiple indications it was designed for attacks against ESXi.
    The new Python backdoor adds seven lines inside “/etc/rc.local.d/local.sh,” one of the few ESXi files that survive between reboots and is executed at startup.
    “While the Python script used in this attack is cross-platform and can be used with little or no modification on Linux or other UNIX-like systems, there are several indications that this attack was designed specifically to target ESXi,” explains Juniper Networks’ report.
    A Custom Python Backdoor for VMWare ESXi Servers
    https://blogs.juniper.net/en-us/threat-research/a-custom-python-backdoor-for-vmware-esxi-servers

  35. Tomi Engdahl says:

    Slowness and outages in HSL's digital services https://www.tivi.fi/uutiset/tv/61e39447-ebbc-49bf-a8e5-159e869a9a7e
    HSL's app and digital services have experienced slowness and outages since Monday. The possibility of a denial-of-service attack cannot be ruled out, the group says in a press release.

  36. Tomi Engdahl says:

    Serious Attacks Could Have Been Staged Through This Amazon ECR Public Gallery Vulnerability https://thehackernews.com/2022/12/serious-attacks-could-have-been-staged.html
    A critical security flaw has been disclosed in Amazon Elastic Container Registry (ECR) Public Gallery that could have been potentially exploited to stage a multitude of attacks, according to cloud security firm Lightspin.

  37. Tomi Engdahl says:

    Hackers exploit critical Citrix ADC and Gateway zero day, patch now https://www.bleepingcomputer.com/news/security/hackers-exploit-critical-citrix-adc-and-gateway-zero-day-patch-now/
    Citrix strongly urges admins to apply security updates for a ‘Critical’ zero-day vulnerability (CVE-2022-27518) in Citrix ADC and Gateway that is actively exploited by state-sponsored hackers to gain access to corporate networks.

  38. Tomi Engdahl says:

    MP nearly fell for a WhatsApp scam and warns others: It imitated my child with precise credibility https://www.is.fi/digitoday/tietoturva/art-2000009264009.html
    MEMBER OF PARLIAMENT Hanna Kosonen (Centre Party) says on Twitter that she almost fell for a scam attempt on WhatsApp.

  39. Tomi Engdahl says:

    MP nearly fell for a WhatsApp scam and warns others: ”It imitated my child with precise credibility”
    Beware of the ”hi mom!” scam on WhatsApp!
    https://www.is.fi/digitoday/tietoturva/art-2000009264009.html

    The ”hi mom!” message Kosonen received is part of a scam campaign that began at the end of November. In it, a WhatsApp message arrives from an unknown number, and the sender claims to be the recipient's child and that their phone is broken.

    As the scam progresses, the ”child” starts asking for money.

    The scam was first seen in the summer of last year. Back then, the ”child” claimed their phone had ended up in the washing machine and that the message was therefore coming from an unknown number. The next wave of the scam was seen in the autumn of last year.

    Scams exploiting phone numbers are made easier by databases of phone numbers scraped from various sources and sold in bulk. A package containing the numbers of 1,381,569 Finns is currently being peddled on hacker forums online.

    When you receive a scam message on WhatsApp, you should report it as a scam immediately after receiving it. This helps get the phone numbers used by criminals blacklisted.

  40. Tomi Engdahl says:

    Twitter labelled Norwegian decision-makers as Nigerian
    https://www.tivi.fi/uutiset/tv/344b0597-060c-43dc-8da5-165ab51bed26
    The accounts of Norway's Ministry of Foreign Affairs and its ministers have caused astonishment on Twitter, as the social media service has marked the wrong country's name in their account verification.
