Cyber security news December 2022

This posting is here to collect cyber security news in December 2022.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.

355 Comments

  1. Tomi Engdahl says:

    Malware Strains Targeting Python and JavaScript Developers Through Official Repositories https://thehackernews.com/2022/12/malware-strains-targeting-python-and.html
    An active malware campaign is targeting the Python Package Index
    (PyPI) and npm repositories for Python and JavaScript with typosquatted and fake modules that deploy a ransomware strain, marking the latest security issue to affect software supply chains.

    Reply
  2. Tomi Engdahl says:

    Crisis situation declared as two Swedish municipalities hit by cyberattack https://therecord.media/crisis-situation-declared-as-two-swedish-municipalities-hit-by-cyberattack/
    A crisis situation has been declared across the Swedish municipalities of Borgholm and Mörbylånga after a cyberattack was discovered late on Monday. An intrusion has been confirmed into the joint IT system used by the two municipalities, which together make up the island of Öland with a total population of just over 25,000.

    Reply
  3. Tomi Engdahl says:

    Twitter confirms recent user data leak is from 2021 breach https://www.bleepingcomputer.com/news/security/twitter-confirms-recent-user-data-leak-is-from-2021-breach/
    Twitter confirmed today that the recent leak of millions of members’
    profiles, including private phone numbers and email addresses, resulted from the same data breach the company disclosed in August 2022. Twitter says its incident response team analyzed the user data leaked in November 2022 and confirms it was collected using the same vulnerability before it was fixed in January 2022.

    Reply
  4. Tomi Engdahl says:

    New Python malware backdoors VMware ESXi servers for remote access https://www.bleepingcomputer.com/news/security/new-python-malware-backdoors-vmware-esxi-servers-for-remote-access/
    A previously undocumented Python backdoor targeting VMware ESXi servers has been spotted, enabling hackers to execute commands remotely on a compromised system. VMware ESXi is a virtualization platform commonly used in the enterprise to host numerous servers on one device while using CPU and memory resources more effectively.

    Reply
  5. Tomi Engdahl says:

    Passkeys Now Fully Supported in Google Chrome
    https://www.securityweek.com/passkeys-now-fully-supported-google-chrome

    Google has made passkey support available in the stable version of Chrome after initially rolling it out to Chrome Canary in October.

    Passkeys use biometric verification to authenticate users and are meant to replace the use of passwords, which can be easily compromised.

    Usable with both applications and websites, passkeys can be synced between devices but cannot be reused and cannot be leaked. Passkeys work cross-platform.

    Passkeys offer the same experience that password autofill does, but provide the advantage of passwordless authentication, eliminating the risks associated with phishing or the use of poor passwords.

    “Passkeys are a significantly safer replacement for passwords and other phishable authentication factors. They cannot be reused, don’t leak in server breaches, and protect users from phishing attacks,” Google notes.

    The latest version of Chrome comes with support for passkeys on Windows 11, macOS, and Android, the internet giant announced.

    Reply
  6. Tomi Engdahl says:

    VMware Patches VM Escape Flaw Exploited at Geekpwn Event
    https://www.securityweek.com/vmware-patches-vm-escape-flaw-exploited-geekpwn-event
    Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine escape bug exploited at the GeekPwn 2022 hacking challenge.
    The VM escape flaw, documented as CVE-2022-31705, was exploited by Ant Security researcher Yuhao Jiang on systems running fully patched VMware Fusion, ESXi and Workstation products.
    The exploit took the top prize at Geekpwn, a hacking contest run by China-based Tencent Keen Security Lab.
    In a security bulletin issued Tuesday, VMWare slapped a CVSS severity rating of 9.3/10 and warned that a malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine’s VMX process running on the host
    “On ESXi, the exploitation is contained within the VMX sandbox whereas, on Workstation and Fusion, this may lead to code execution on the machine where Workstation or Fusion is installed,” VMware added.
    VMware documented the bug as a heap out-of-bounds write vulnerability in the USB 2.0 controller (EHCI).

    Reply
  7. Tomi Engdahl says:

    Patch Tuesday: Microsoft Plugs Windows Hole Exploited in Ransomware Attacks
    https://www.securityweek.com/patch-tuesday-microsoft-plugs-windows-hole-exploited-ransomware-attacks

    Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.

    The operating system update, released as part of Microsoft’s scheduled Patch Tuesday, addresses a flaw that lets malicious attackers use rigged files to evade MOTW (Mart of the Web) defenses.

    “An attacker can craft a malicious file that would evade Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MOTW tagging,” according to Microsoft’s barebones documentation of the issue.

    The security defect, tracked as CVE-2022-44698, is marked as publicly disclosed and exploited, adding to the urgency for Windows fleet administrators to prioritize this month’s patches.

    SecurityWeek understands that hackers linked to the the notorious Magniber ransomware group have exploited the security feature bypass bug in data-theft and extortion attacks.

    Microsoft is also calling special attention to CVE-2022-44710, a privilege escalation flaw affecting the DirectX graphics kernel. Microsoft described the bug as a race condition issue that’s already been publicly disclosed. “An attacker who successfully exploited this vulnerability could gain SYSTEM privileges,” Redmond said.

    Reply
  8. Tomi Engdahl says:

    Dan Goodin / Ars Technica:
    Microsoft says some drivers certified by its Windows Hardware Developer Program were used to sign malware, but that no network breach has been detected — Code-signing is supposed to make people safer. In this case, it made them less so. — Microsoft has once again been caught allowing …
    Microsoft digital certificates have once again been abused to sign malware
    Code-signing is supposed to make people safer. In this case, it made them less so.
    https://arstechnica.com/information-technology/2022/12/microsoft-digital-certificates-have-once-again-been-abused-to-sign-malware/

    Microsoft has once again been caught allowing its legitimate digital certificates to sign malware in the wild, a lapse that allows the malicious files to pass strict security checks designed to prevent them from running on the Windows operating system.

    Multiple threat actors were involved in the misuse of Microsoft’s digital imprimatur, which they used to give Windows and endpoint security applications the impression malicious system drivers had been certified as safe by Microsoft. That has led to speculation that there may be one or more malicious organizations selling malicious driver-signing as a service. In all, researchers have identified at least nine separate developer entities that abused the certificates in recent months.

    The abuse was independently discovered by four third-party security companies, which then privately reported it to Microsoft. On Tuesday, during Microsoft’s monthly Patch Tuesday, the company confirmed the findings and said it has determined the abuse came from several developer accounts and that no network breach has been detected.

    The software maker has now suspended the developer accounts and implemented blocking detections to prevent Windows from trusting the certificates used to sign the compromised certificates. “Microsoft recommends that all customers install the latest Windows updates and ensure their anti-virus and endpoint detection products are up to date with the latest signatures and are enabled to prevent these attacks,” company officials wrote.

    Code-signing primer

    Because most drivers have direct access to the kernel—the core of Windows where the most sensitive parts of the OS reside—Microsoft requires them to be digitally signed using a company internal process known as attestation. Without this digital signature, Windows won’t load the driver. Attestation has also become a de facto means for third-party security products to decide if a driver is trustworthy. Microsoft has a separate driver validation process known as the Microsoft Windows Hardware Compatibility Program, in which the drivers run various additional tests to ensure compatibility.

    To get drivers signed by Microsoft, a hardware developer first must obtain an extended validation certificate, which requires the developer to prove its identity to a Windows trusted certificate authority and provide additional security assurances. The developer then attaches the EV certificate to their Windows Hardware Developer Program account. Developers then submit their driver package to Microsoft for testing.

    Researchers from SentinelOne, one of three security firms that discovered the certificate misuse and privately reported it to Microsoft

    Mandiant, another security firm to discover the abuse, said that “several distinct malware families, associated with distinct threat actors, have been signed through the Windows Hardware Compatibility Program.”

    Reply
  9. Tomi Engdahl says:

    Helsingin seudun julkiseen liikenteeseen verkko­hyökkäys https://www.is.fi/digitoday/tietoturva/art-2000009265719.html

    Helsingin seudun liikenteen digitaaliset palvelut ovat olleet keskiviikkona palvelunestohyökkäyksen kohteena.

    HSL tiedottaa Twitterissä ongelmista digitaalisissa palveluissaan. Tilanne elää, mutta uutisen kirjoitushetkellä kaikkien palvelujen pitäisi toimia normaalisti.

    Aiemmin keskiviikkona HSL-sovellus toimi normaalisti Reittiopasta lukuun ottamatta. Eli lipun hankkiminen onnistui, mutta verkkosivut osoitteessa http://hsl.fi ja Reittiopas olivat epäkunnossa. Myöskään matkakortin lataaminen verkossa ei onnistunut.

    Kyseessä on hyökkäys HSL:n palveluja vastaan.

    – Tässä on taustalla palvelunestohyökkäys. Se on alkuviikon ongelmat aiheuttanut

    Reply
  10. Tomi Engdahl says:

    New GoTrim Botnet Attempting to Break into WordPress Sites’ Admin Accounts https://thehackernews.com/2022/12/new-gotrim-botnet-attempting-to-break.html
    A new Go-based botnet has been spotted scanning and brute-forcing self-hosted websites using the WordPress content management system
    (CMS) to seize control of the targeted systems.

    “This new brute forcer is part of a new campaign we have named GoTrim because it was written in Go and uses ‘:::trim:::’ to split data communicated to and from the C2 server,” Fortinet FortiGuard Labs researchers Eduardo Altares, Joie Salvio, and Roy Tay said.

    The active campaign, observed since September 2022, utilizes a bot network to perform distributed brute-force attacks in an attempt to login to the targeted web server.

    A successful break-in is followed by the operator installing a downloader PHP script in the newly compromised host that, in turn, is designed to deploy the “bot client” from a hard-coded URL, effectively adding the machine to the growing network.

    In its present form, GoTrim does not have self-propagation capabilities of its own, nor can it distribute other malware or maintain persistence in the infected system.

    The primary purpose of the malware is to receive further commands from an actor-controlled server that include conducting brute-force attacks against WordPress and OpenCart using a set of provided credentials.

    Reply
  11. Tomi Engdahl says:

    Palvelunestohyökkäyksissä selvää kasvua joulukuussa https://www.kyberturvallisuuskeskus.fi/fi/ajankohtaista/palvelunestohyokkayksissa-selvaa-kasvua-joulukuussa
    Kyberturvallisuuskeskus on saanut joulukuussa poikkeuksellisen paljon ilmoituksia palvelunestohyökkäyksistä. Suurin osa hyökkäyksistä ei ole aiheuttanut näkyvää haittaa.

    Reply
  12. Tomi Engdahl says:

    Googlelta avoimen koodin kehittäjille joululahja: työkalu automatisoi reikien etsimisen ja tilkitsemisen
    https://www.tivi.fi/uutiset/tv/3941c009-3a09-4974-9210-124f857bd9b7
    Google on julkaissut OSV-Scanner-nimisen ilmaisen haavoittuvuusskannerin, jonka on tarkoitus auttaa ohjelmistokehittäjiä avoimen koodin sovellusten tietoturvan ylläpitämisessä, VentureBeat kertoo.

    Reply
  13. Tomi Engdahl says:

    Apple security update fixes new iOS zero-day used to hack iPhones https://www.bleepingcomputer.com/news/apple/apple-security-update-fixes-new-ios-zero-day-used-to-hack-iphones/
    In security updates released today, Apple has fixed the tenth zero-day vulnerability since the start of the year, with this latest one actively used in attacks against iPhones.

    Reply
  14. Tomi Engdahl says:

    Ransomware Gang Abused Microsoft Certificates to Sign Malware https://www.wired.com/story/microsoft-certificates-ransomware-cuba-malware/
    LESS THAN TWO weeks ago, the United States CISA and FBI released a joint advisory about the threat of ransomware attacks from a gang that calls itself Cuba. The group, which researchers believe is, in fact, based in Russia, has been on a rampage over the past year targeting an increasing number of businesses and other institutions in the US and abroad.

    Reply
  15. Tomi Engdahl says:

    LockBit threatens to leak confidential info stolen from California’s beancounters https://www.theregister.com/2022/12/13/california_finance_department_lockbit/
    LockBit claims it was behind a cyber-attack on the California Department of Finance, bragging it stole data during the intrusion.

    Reply
  16. Tomi Engdahl says:

    Helsingin seudun julkiseen liikenteeseen verkko­hyökkäys https://www.is.fi/digitoday/tietoturva/art-2000009265719.html
    Helsingin seudun liikenteen digitaaliset palvelut ovat olleet keskiviikkona palvelunestohyökkäyksen kohteena. HSL tiedottaa Twitterissä ongelmista digitaalisissa palveluissaan. Tilanne elää, mutta uutisen kirjoitushetkellä kaikkien palvelujen pitäisi toimia normaalisti.

    Reply
  17. Tomi Engdahl says:

    CISA Warns Veeam Backup & Replication Vulnerabilities Exploited in Attacks
    https://www.securityweek.com/cisa-warns-veeam-backup-replication-vulnerabilities-exploited-attacks

    The US Cybersecurity and Infrastructure Security Agency (CISA) has added two flaws affecting Veeam’s Backup & Replication product to its Known Exploited Vulnerabilities Catalog.

    CISA added five flaws to its catalog on Tuesday, including ones affecting Veeam, Fortinet, Microsoft and Citrix products.

    Two security holes affecting Veeam’s Backup & Replication enterprise backup solution have been added to the list. The product is designed for automating workload backups and discovery across cloud, virtual, physical and NAS environments.

    The vulnerabilities, tracked as CVE-2022-26500 and CVE-2022-26501, have been rated ‘critical’ and they can be exploited by a remote, unauthenticated attacker for arbitrary code execution, which can lead to the hacker taking control of the targeted system.

    The security holes, discovered by researchers at Positive Technologies, were patched in March, alongside two other code execution vulnerabilities, tracked as CVE-2022-26503 and CVE-2022-26504.

    Reply
  18. Tomi Engdahl says:

    Al Weaver / The Hill:
    The US Senate unanimously passed the “No TikTok on Government Devices Act” over security concerns related to the app, after 13 states imposed similar bans

    Senate votes to ban TikTok use on government devices
    https://thehill.com/policy/technology/3775845-senate-votes-to-ban-tiktok-use-on-government-devices/

    Reply
  19. Tomi Engdahl says:

    William Turton / Bloomberg:
    The US DOJ starts seizing 48 websites and charges six people for allegedly running “booter” DDoS-for-hire services used to launch millions of attacks globally — The US seized dozens of internet domains and charged six people in a sting intended to bring down a network of cyberattack …

    US Is Seizing 48 Websites in Sting of Cyberattack-for-Hire Services
    https://www.bloomberg.com/news/articles/2022-12-14/us-seizing-48-websites-that-offered-ready-made-ddos-attacks?leadSource=uverify%20wall

    Domains sold the ability to knock victims offline, US says
    Six people charged by DOJ in connection with running the sites

    Reply
  20. Tomi Engdahl says:

    Hacker Claims Breach of FBI’s Critical-Infrastructure Portal
    https://www.securityweek.com/hacker-claims-breach-fbis-critical-infrastructure-portal

    A hacker who reportedly posed as the CEO of a financial institution claims to have obtained access to the more than 80,000-member database of InfraGard, an FBI-run outreach program that shares sensitive information on national security and cybersecurity threats with public officials and private sector actors who run U.S. critical infrastructure.

    Reply
  21. Tomi Engdahl says:

    This is…not great. And Twitter has known about the issue since at least mid-November — and continued telling people to turn the feature on.

    Glitch prevents Twitter accounts from receiving verification codes
    https://thedesk.net/2022/12/twitter-two-factor-authentication-bug-2fa-glitch-elon-musk-locked-out/

    A bug involving two-factor authentication codes has left some users of the social media website Twitter unable to access their accounts for several weeks.

    Starting in mid-November, Twitter users began complaining that they were unable to log in to their accounts on new devices because Twitter was no longer sending the six-digit authentication codes by text message.

    In a tweet, a Twitter official said the company was “looking into the few cases where SMS codes aren’t being delivered,” but affirmed that the platform still recommended two-factor authentication as a way to secure account profiles.

    Since then, dozens of Twitter users say the problem has only escalated, with some unable to login to their accounts at all. The total lockout occurs when a user attempts to bypass two-factor authentication by resetting their password. The reset automatically logs the user out of all devices, including smartphone and tablet apps.

    Reply
  22. Tomi Engdahl says:

    Fubo TV didn’t say if customer information was compromised.

    Fubo TV says outage during World Cup was cyberattack
    https://thedesk.net/2022/12/fubo-tv-cyberattack-world-cup-cybercrime/

    Reply
  23. Tomi Engdahl says:

    Trojanized Windows 10 Operating System Installers Targeted Ukrainian Government https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government
    Mandiant uncovered a socially engineered supply chain operation focused on Ukrainian government entities that leveraged trojanized ISO files masquerading as legitimate Windows 10 Operating System installers. The trojanized ISOs were hosted on Ukrainian- and Russian-language torrent file sharing sites. Upon installation of the compromised software, the malware gathers information on the compromised system and exfiltrates it. At a subset of victims, additional tools are deployed to enable further intelligence gathering. In some instances, we discovered additional payloads that were likely deployed following initial reconnaissance including the STOWAWAY, BEACON, and SPAREPART backdoors.

    Reply
  24. Tomi Engdahl says:

    Google ads lead to fake software pages pushing IcedID (Bokbot)
    https://isc.sans.edu/diary/rss/29344
    Fake sites for popular software have occasionally been used by cyber criminal groups to push malware. Campaigns pushing IcedID malware (also known as Bokbot) also use this method as a distribution technique (we also commonly see IcedID sent through email).

    Reply
  25. Tomi Engdahl says:

    Microsoft Reclassifies SPNEGO Extended Negotiation Security Vulnerability as ‘Critical’
    https://thehackernews.com/2022/12/microsoft-reclassifies-spnego-extended.html
    Microsoft has revised the severity of a security vulnerability it originally patched in September 2022, upgrading it to “Critical” after it emerged that it could be exploited to achieve remote code execution.

    Reply
  26. Tomi Engdahl says:

    HTML smugglers turn to SVG images
    https://blog.talosintelligence.com/html-smugglers-turn-to-svg-images/
    There are multiple different ways attackers have been documented abusing the legitimate features of JavaScript and HTML to accomplish HTML smuggling. Recently, however, Talos has witnessed attackers deploying a relatively new HTML smuggling techniquethe use of Scalable Vector Graphics (SVG) images.

    Reply
  27. Tomi Engdahl says:

    Federal Prosecutors in Los Angeles and Alaska Charge 6 Defendants with Operating Websites that Offered Computer Attack Services https://www.justice.gov/usao-cdca/pr/federal-prosecutors-los-angeles-and-alaska-charge-6-defendants-operating-websites
    The Justice Department today announced the court-authorized seizure of
    48 internet domains associated with some of the worlds leading DDoS-for-hire services, as well as criminal charges against six defendants who allegedly oversaw computer attack platforms commonly called booter services. Also https://krebsonsecurity.com/2022/12/six-charged-in-mass-takedown-of-ddos-for-hire-sites/

    Reply
  28. Tomi Engdahl says:

    MCCrash: Cross-platform DDoS botnet targets private Minecraft servers https://www.microsoft.com/en-us/security/blog/2022/12/15/mccrash-cross-platform-ddos-botnet-targets-private-minecraft-servers/
    The botnet spreads by enumerating default credentials on internet-exposed Secure Shell (SSH)-enabled devices. … Our analysis of the DDoS botnet revealed functionalities specifically designed to target private Minecraft Java servers using crafted packets, most likely as a service sold on forums or darknet sites. A breakdown of the systems affected by the botnet over the three months from the time of this analysis also revealed that most of the devices were in
    Russia:

    Reply
  29. Tomi Engdahl says:

    Asenna Windows-päivitys nyt – Microsoft hyväksyi haitta­ohjelman ilman varoituksia https://www.is.fi/digitoday/tietoturva/art-2000009268430.html

    Reply
  30. Tomi Engdahl says:

    Amid Outrage, Rackspace Sends Users Email Touting Its Incident Response
    https://www.darkreading.com/remote-workforce/amid-outrage-rackspace-sends-users-email-touting-incident-response

    More than 10 days after a ransomware attack, affected Rackspace customers are being told the incident had a “limited impact,” and have been invited to a webinar for additional details.

    Reply
  31. Tomi Engdahl says:

    Security News This Week: Attackers Keep Targeting the US Electric Grid
    Plus: Chinese hackers stealing US Covid relief funds, a cyberattack on the Met Opera website, and more.
    https://www.wired.com/story/attacks-us-electrical-grid-security-roundup/

    Reply
  32. Tomi Engdahl says:

    Xnspy stalkerware spied on thousands of iPhones and Android devices
    https://techcrunch.com/2022/12/12/xnspy-stalkerware-iphone-android/

    Reply

Leave a Reply to Tomi Engdahl Cancel reply

Your email address will not be published. Required fields are marked *

*

*