This posting is here to collect cyber security news in December 2022.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
355 Comments
Tomi Engdahl says:
Two Men Arrested for JFK Airport Taxi Hacking Scheme
https://www.securityweek.com/two-men-arrested-jfk-airport-taxi-hacking-scheme
The US Justice Department has announced the arrest of two men allegedly involved in a hacking scheme targeting the taxi dispatch system at John F. Kennedy International Airport.
According to authorities, the suspects, Daniel Abayev and Peter Leyman, both residing in New York, hacked into the dispatch system at JFK in an effort to make modifications so that certain taxi drivers would be sent to the front of the line.
At JFK, taxis are required to wait in a holding lot before being dispatched to a terminal in the order in which they arrived. Taxis may need to wait several hours in this lot before being dispatched.
Tomi Engdahl says:
Ransomware Uses New Exploit to Bypass ProxyNotShell Mitigations
https://www.securityweek.com/ransomware-uses-new-exploit-bypass-proxynotshell-mitigations
Recent Play ransomware attacks targeting Exchange servers were observed using a new exploit chain that bypasses Microsoft’s ProxyNotShell mitigations.
Similar to the old ProxyShell vulnerability, ProxyNotShell consists of two security defects in Exchange Server: CVE-2022-41040, a server-side request forgery (SSRF) bug with a CVSS score of 8.8; and CVE-2022-41082, a remote code execution (RCE) flaw with a CVSS score of 8.0.
The two vulnerabilities were initially reported in September, when they were already being exploited in attacks. Microsoft addressed these bugs as part of its November 2022 Patch Tuesday security updates.
The ProxyNotShell exploit chain targets CVE-2022-41040 to access the Autodiscover endpoint and reach the Exchange backend for arbitrary URLs, after which CVE-2022-41082 is exploited to execute arbitrary code. In response, Microsoft deployed a series of URL rewrite mitigations for the Autodiscover endpoint.
Tomi Engdahl says:
Critical Vulnerability in Hikvision Wireless Bridges Allows CCTV Hacking
https://www.securityweek.com/critical-vulnerability-hikvision-wireless-bridges-allows-cctv-hacking
Chinese video surveillance company Hikvision has patched a critical vulnerability in some of its wireless bridge products. The flaw can lead to remote CCTV hacking, according to the researchers who found it.
In an advisory published on December 16, Hikvision revealed that two of its wireless bridge products, designed for elevator and other video surveillance systems, are affected by CVE-2022-28173, a critical access control vulnerability.
The security hole can be exploited by sending specially crafted messages to affected devices, allowing the attacker to gain administrator permissions.
Firmware patches have been made available for DS-3WF0AC-2NT and DS-3WF01C-2N/O products. The issue was reported to the vendor in September through CERT India and a patch was released earlier this month.
Tomi Engdahl says:
Industrial Giant Thyssenkrupp Again Targeted by Cybercriminals
https://www.securityweek.com/industrial-giant-thyssenkrupp-again-targeted-cybercriminals
German industrial engineering and steel production giant Thyssenkrupp has again confirmed being targeted by cybercriminals.
The company told SecurityWeek that ‘organized crime’ is believed to be behind the attack.
“Parts of the Materials Services and Corporate segment of Thyssenkrupp are currently affected. The possibility of the other segments and business units being affected can be ruled out at this time,” a spokesperson of Thyssenkrupp Materials Services said in an emailed statement.
According to the same statement, the company’s IT security team detected the incident at an early stage and the attackers did not manage to cause any damage. In addition, there is no evidence that data has been stolen or modified.
“An interdisciplinary crisis team has been set up and is working together with the group’s IT security to limit the attack and ideally end it as quickly as possible,” Thyssenkrupp said, adding that authorities have been notified.
The company would not say whether the attack was conducted by a known ransomware group.
Tomi Engdahl says:
Godfather Android Banking Trojan Targeting Over 400 Applications
https://www.securityweek.com/godfather-android-banking-trojan-targeting-over-400-applications
The Godfather Android banking trojan has been observed targeting over 400 banking and crypto applications in 16 countries, threat intelligence firm Group-IB warns.
Godfather was initially observed in June 2021 and is believed to be the successor of the Anubis banking trojan, likely built on top of the Anubis source code that leaked in 2019.
Compared to Anubis, Godfather features updated command-and-control (C&C) communication and implementation, a modified traffic encryption algorithm, a new module for managing virtual network computing (VNC) connections, and updated functionality such as Google Authenticator OTPs.
On the infected devices, the trojan uses web overlays (convincing fake HTML pages that are displayed on top of the legitimate applications) to steal login credentials, bypass two-factor authentication (2FA), and gain access to the victim’s account.
The malware can also record the device’s screen, create VNC connections, launch a keylogger, exfiltrate push notifications and SMS messages (to bypass 2FA), send SMS messages, forward calls, execute USSD requests, launch proxy servers, enable silent mode, and establish WebSocket connections.
Tomi Engdahl says:
Bill Toulas / BleepingComputer:
Reports: an Android malware called Godfather is using overlaid login screens to get users’ credentials on 400+ banking apps and crypto exchanges in 16 countries — An Android banking malware named ‘Godfather’ has been targeting users in 16 countries, attempting to steal account credentials …
GodFather Android malware targets 400 banks, crypto exchanges
https://www.bleepingcomputer.com/news/security/godfather-android-malware-targets-400-banks-crypto-exchanges/
An Android banking malware named ‘Godfather’ has been targeting users in 16 countries, attempting to steal account credentials for over 400 online banking sites and cryptocurrency exchanges.
The malware generates login screens overlaid on top of the banking and crypto exchange apps’ login forms when victims attempt to log in to the site, tricking the user into entering their credentials on well-crafted HTML phishing pages.
The Godfather trojan was discovered by Group-IB analysts, who believe it is the successor of Anubis, a once widely-used banking trojan that gradually fell out of use due to its inability to bypass newer Android defenses.
Tomi Engdahl says:
Ax Sharma / BleepingComputer:
Okta tells customers that hackers breached its GitHub repositories in December and stole its source code but that they did not access service or customer data
Okta’s source code stolen after GitHub repositories hacked
https://www.bleepingcomputer.com/news/security/oktas-source-code-stolen-after-github-repositories-hacked/
Tomi Engdahl says:
Zerobot malware now spreads by exploiting Apache vulnerabilities
https://www.bleepingcomputer.com/news/security/zerobot-malware-now-spreads-by-exploiting-apache-vulnerabilities/
The Zerobot botnet has been upgraded to infect new devices by exploiting security vulnerabilities affecting Internet-exposed and unpatched Apache servers.
The Microsoft Defender for IoT research team also observed that this latest version adds new distributed denial-of-service (DDoS) capabilities.
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/microsoft/microsoft-kb5021233-causes-blue-screens-with-0xc000021a-errors/
Tomi Engdahl says:
https://arstechnica.com/information-technology/2022/12/critical-windows-code-execution-vulnerability-went-undetected-until-now/
Tomi Engdahl says:
Play ransomware claims attack on German hotel chain H-Hotels
https://www.bleepingcomputer.com/news/security/play-ransomware-claims-attack-on-german-hotel-chain-h-hotels/
The Play ransomware gang has claimed responsibility for a cyber attack on H-Hotels (h-hotels.com) that has resulted in communication outages for the company.
H-Hotels is a hospitality business with 60 hotels in 50 locations across Germany, Austria, and Switzerland, offering a total capacity of 9,600 rooms.
The hotel chain employs 2,500 people and is one of the largest in the DACH region, operating under ‘H-Hotels’ and the sub-brands Hyperion, H4 Hotels, H2 Hotels, H + Hotels, H.ostels, and H.omes.
Tomi Engdahl says:
‘Blindside’ Attack Subverts EDR Platforms From Windows Kernel
The technique loads a nonmonitored and unhooked DLL, and leverages debug techniques that could allow for running arbitrary code.
https://www.darkreading.com/attacks-breaches/-blindside-attack-subverts-edr-platforms-windows-kernel
Tomi Engdahl says:
FIN7 hackers create auto-attack platform to breach Exchange servers https://www.bleepingcomputer.com/news/security/fin7-hackers-create-auto-attack-platform-to-breach-exchange-servers/
The notorious FIN7 hacking group uses an automated attack system that exploits Microsoft Exchange and SQL injection vulnerabilities to breach corporate networks, steal data, and select targets for ransomware attacks based on financial size. This system was discovered by Prodaft’s threat intelligence team, which has been closely following FIN7 operations for years now. In a report shared with BleepingComputer before publication, Prodaft reveals details about FIN7′s internal hierarchy, affiliations with various ransomware projects, and a new SSH backdoor system used for stealing files from compromised networks. FIN7 is a Russian-speaking and financially motivated threat actor active since at least 2012.
Tomi Engdahl says:
Vice Society ransomware gang switches to new custom encryptor https://www.bleepingcomputer.com/news/security/vice-society-ransomware-gang-switches-to-new-custom-encryptor/
The Vice Society ransomware operation has switched to using a custom ransomware encryptor that implements a strong, hybrid encryption scheme based on NTRUEncrypt and ChaCha20-Poly1305. According to cybersecurity firm SentinelOne, which discovered the new strain and named it “PolyVice,” it’s likely that Vice Society sourced it from a vendor who supplies similar tools to other ransomware groups. Vice Society first appeared in the summer of 2021, when they began stealing data from corporate networks and encrypting devices. The threat actors would then perform double-extortion attacks, threatening to publish the data if a ransom is not paid. Historically, Vice Society has used other ransomware operations’ encryptors during attacks, including Zeppelin, Five Hands, and HelloKitty. However, this appears to have changed, with Vice Society now using a new encryptor that is believed to be generated by a commodity ransomware builder.
Tomi Engdahl says:
Ransomware and wiper signed with stolen certificates https://securelist.com/ransomware-and-wiper-signed-with-stolen-certificates/108350/
On July 17, 2022, Albanian news outlets reported a massive cyberattack that affected Albanian government e-services. A few weeks later, it was revealed that the cyberattacks were part of a coordinated effort likely intended to cripple the country’s computer systems. On September 10, 2022, Albanian local news reported a second wave of cyberattacks targeting Albania’s TIMS, ADAM and MEMEX systems (the latter two systems critical for law enforcement), reportedly using the same attack type and by the same actors. Around the same time, we identified ransomware and wiper malware samples resembling those used in the first wave, though with a few interesting modifications that likely allowed evasion of security controls and better attack speeds. Chief among those changes are the embedding of a raw disk driver, providing direct hard disk access inside the malware itself, modified metadata, and the use of Nvidia’s leaked code signing certificate to sign the malware.
Tomi Engdahl says:
Microsoft research uncovers new Zerobot capabilities https://www.microsoft.com/en-us/security/blog/2022/12/21/microsoft-research-uncovers-new-zerobot-capabilities/
Zerobot, a Go-based botnet that spreads primarily through IoT and web application vulnerabilities, is an example of an evolving threat, with operators continuously adding new exploits and capabilities to the malware. The Microsoft Defender for IoT research team has been monitoring Zerobot (also called ZeroStresser by its operators) for months. Microsoft has previously reported on the evolving threat ecosystem. The shift toward malware as a service in the cyber economy has industrialized attacks and has made it easier for attackers to purchase and use malware, establish and maintain access to compromised networks, and utilize ready-made tools to perform their attacks.
Tomi Engdahl says:
BEC scammers go after more than just money https://www.malwarebytes.com/blog/news/2022/12/bec-scammers-go-after-more-than-just-money
In a joint Cybersecurity Advisory (CSA) the Federal Bureau of Investigation (FBI), the Food and Drug Administration Office of Criminal Investigations (FDA OCI), and the US Department of Agriculture (USDA) recently observed incidents of Business Email Compromise (BEC) with a new twist. In these incidents the threat actors didn’t go for money, instead stealing whole shipments of food products and ingredients valued at hundreds of thousands of dollars.
Tomi Engdahl says:
Researchers Link Royal Ransomware to Conti Group
https://www.securityweek.com/researchers-link-royal-ransomware-conti-group
Tomi Engdahl says:
Zerobot IoT Botnet Adds More Exploits, DDoS Capabilities
https://www.securityweek.com/zerobot-iot-botnet-adds-more-exploits-ddos-capabilities
Tomi Engdahl says:
LastPass Says Password Vault Data Stolen in Data Breach
https://www.securityweek.com/lastpass-says-password-vault-data-stolen-data-breach
Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that could be exposed by brute-forcing or guessing master passwords.
The company, which is owned by GoTo (formerly LogMeIn), said the hackers broke into its network in August and used information from that hack to return and hijack customer data that included company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.
In addition, the unidentified actor was also able to copy a backup of customer vault data from an encrypted storage container, LastPass chief executive Karim Toubba said in a notice published on Thursday.
The exposed container contained both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data, Toubba said.
“LastPass production services currently operate from on-premises data centers with cloud-based storage used for various purposes such as storing backups and regional data residency requirements. The cloud storage service accessed by the threat actor is physically separate from our production environment,” he added.
Tomi Engdahl says:
LastPass Admits to Severe Data Breach, Encrypted Password Vaults Stolen
https://thehackernews.com/2022/12/lastpass-admits-to-severe-data-breach.html
https://techcrunch.com/2022/12/22/lastpass-customer-password-vaults-stolen/
Tomi Engdahl says:
BetMGM Confirms Breach as Hackers Offer to Sell Data of 1.5 Million Customers
https://www.securityweek.com/betmgm-confirms-breach-hackers-offer-sell-data-15-million-customers
MGM Resorts-owned online sports betting company BetMGM confirmed suffering a data breach the same day hackers offered to sell a database containing the information of 1.5 million BetMGM customers.
In a statement posted on its website on December 21, BetMGM said “patron records were obtained in an unauthorized manner”.
The company said the compromised information includes name, email address, postal address, phone number, date of birth, hashed Social Security number, account identifier, and information related to transactions.
“The affected information varied by patron,” according to the statement.
https://www.betmgminc.com/notice-regarding-patron-personal-information/
Tomi Engdahl says:
China’s ByteDance Admits Using TikTok Data to Track Journalists
https://www.securityweek.com/chinas-bytedance-admits-using-tiktok-data-track-journalists
Employees of Chinese tech giant ByteDance improperly accessed data from social media platform TikTok to track journalists in a bid to identify the source of leaks to the media, the company admitted Friday.
TikTok has gone to great lengths to convince customers and governments of major markets like the United States that users’ data privacy is protected and that it poses no threat to national security.
But parent company ByteDance told AFP on Friday that several staffers accessed two journalists’ data as part of an internal probe into leaks of company information to the media.
They had hoped to identify links between staff and a Financial Times reporter and a former BuzzFeed journalist, an email from ByteDance’s general counsel Erich Andersen seen by AFP said.
Both journalists previously reported on the contents of leaked company materials.
Tomi Engdahl says:
Lastpass: Notice of Recent Security Incident https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/ Attackers got access to the vaults and the threat actor may attempt to use brute force to guess your master password and decrypt the copies of vault data they took. FYI, LastPass attackers now know all websites you have passwords stored for and the blobs, encrypted only by your master password.
Tomi Engdahl says:
NordPass, the password management tool, released its list of the 200 most common passwords in 2022— and people are still using notoriously weak passwords.
Hackers guessed the world’s most common password in under 1 second—make sure yours isn’t on the list
https://www.cnbc.com/2022/11/23/most-common-passwords-of-2022-make-sure-yours-isnt-on-the-list.html?utm_term=Autofeed&utm_medium=Social&utm_content=Intl&utm_source=Facebook#Echobox=1671773323
NordPass, the password management tool from the team behind NordVPN, released its list of the 200 most common passwords in 2022 — and it turns out people are still using notoriously weak passwords.
The most common password in the world this year was the infamously bad “password”, and it took hackers under one second to crack it. The same goes for the second and third most common passwords: “123456” and “123456789”, respectively.
Bitwarden, an open source password manager, found 31% of survey respondents in the U.S. experienced a data breach within the last 18 months, according to its 2022 password management survey. To avoid adding to that statistic, NordPass recommends choosing a complex password of at least 12 characters with a variety of upper and lowercase letters, symbols and numbers. A password generator is a helpful way to form these kinds of complex passwords.
You should also refrain from reusing a single password for multiple accounts, though the impulse is understandable — and common. The Bitwarden 2022 password management survey found more than 8 in 10 Americans reuse passwords across websites, with 49% of respondents saying they rely on memory to oversee their passwords.
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/comcast-xfinity-accounts-hacked-in-widespread-2fa-bypass-attacks/
Tomi Engdahl says:
This is bad. Good thing I use KeePass.
LastPass users: Your info and password vault data are now in hackers’ hands
Password manager says breach it disclosed in August was much worse than thought.
https://arstechnica.com/information-technology/2022/12/lastpass-says-hackers-have-obtained-vault-data-and-a-wealth-of-customer-info/
Tomi Engdahl says:
TikTok confirms that journalists’ data was accessed by employees of its parent company
https://edition.cnn.com/2022/12/22/tech/tiktok-bytedance-journalist-data/index.html
Tomi Engdahl says:
Expert advises using a comma in your password – there is a clever logic behind it https://www.is.fi/digitoday/tietoturva/art-2000009286209.html
WHEN you create passwords, or rather passphrases, it is worth including commas in them. Erka Koivunen, who is moving to the post of chief cybersecurity officer at Finavia, said on Twitter that he does this himself.
Koivunen quoted the Twitter account vx-underground’s tip on adding commas. According to vx-underground, commas confuse tabular CSV (comma separated values) files, which are a common way of collecting and distributing stolen passwords. The trick is that the comma splits the password in the table, so it cannot be exploited, at least not directly.
Tomi Engdahl says:
Patch now: Serious Linux kernel security hole uncovered
https://www.zdnet.com/article/patch-now-serious-linux-kernel-security-hole-uncovered/
The Zero Day Initiative originally rated this Linux 5.15 in-kernel SMB server, ksmbd, bug a perfectly awful 10.
How bad is it? Originally, the ZDI rated it a perfect 10 on the 0 to 10 common Vulnerability Scoring System (CVSS) scale. Now, the hole’s “only” a 9.6. That still counts as a “Patch it! Patch it now!” bug on anyone’s Linux server.
The problem lies in the Linux 5.15 in-kernel Server Message Block (SMB) server, ksmbd. The specific flaw exists within the processing of SMB2_TREE_DISCONNECT commands. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the kernel context.
This new program, which was introduced to the kernel in 2021, was developed by Samsung. Its point was to deliver speedy SMB3 file-serving performance. SMB is used in Windows and in Linux (via Samba) as a vital file server protocol. Ksmbd is not intended to replace Samba but to complement it. Samba and ksmbd developers are working on getting the programs to work in concert.
Any distro using the Linux kernel 5.15 or above is potentially vulnerable. This includes Ubuntu 22.04, and its descendants; Deepin Linux 20.3; and Slackware 15. For server purposes, Ubuntu is the most concerning. Other enterprise distros, such as the Red Hat Enterprise Linux (RHEL) family, do not use the 5.15 kernel. Not sure? Just run:
$ uname -r
To see which kernel version you’re running.
Then, if you’re running the susceptible kernel, to see if the vulnerable module is present and active run:
$ modinfo ksmbd
What you want to see is that the module wasn’t found. If it’s loaded, you’ll want to upgrade to the Linux 5.15.61 kernel. Many distros, unfortunately, have not moved to this kernel release yet.
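As an added example that is not from the ZDNet article: a read-only shell triage script that performs the two checks described above (kernel release, ksmbd module) in one pass and distinguishes a module that is merely installed from one that is actually loaded. It assumes a Linux host with uname, lsmod and modinfo in PATH; the 5.15 and 5.15.61 thresholds are the ones the article gives.

```shell
#!/bin/sh
# Added example (not from the ZDNet article): read-only triage for the ksmbd
# issue described above. Assumes a Linux host with uname, lsmod and modinfo.

# Print "MAJOR MINOR PATCH" for a kernel release string such as
# "5.15.0-56-generic" or "6.0.12-arch1-1"; missing fields default to 0.
kernel_fields() {
    v=${1%%-*}                            # drop "-56-generic" style suffixes
    v=${v%%+*}                            # drop "+" local-build suffixes
    set -- $(printf '%s' "$v" | tr '.' ' ')
    printf '%s %s %s\n' "${1:-0}" "${2:-0}" "${3:-0}"
}

# Classify a kernel release against the thresholds the article gives:
#   pre-5.15                  ksmbd arrived with 5.15, so it is not shipped here
#   5.15-vulnerable           5.15.0 .. 5.15.60: the range the article says to leave
#   5.15-fixed                5.15.61 or later within the 5.15 series
#   newer-series-check-distro 5.16 and later: the article names no fixed version
#                             for these, so rely on the distro advisory and on
#                             whether the module is loaded at all
classify_kernel() {
    set -- $(kernel_fields "$1")
    if [ "$1" -lt 5 ] || { [ "$1" -eq 5 ] && [ "$2" -lt 15 ]; }; then
        echo "pre-5.15"
    elif [ "$1" -eq 5 ] && [ "$2" -eq 15 ]; then
        if [ "$3" -ge 61 ]; then echo "5.15-fixed"; else echo "5.15-vulnerable"; fi
    else
        echo "newer-series-check-distro"
    fi
}

# Report whether ksmbd is loaded (the exposure that matters), only present as a
# module file, or absent. modinfo alone only proves the file exists on disk;
# lsmod shows what the running kernel actually has loaded.
ksmbd_state() {
    if lsmod 2>/dev/null | awk '$1 == "ksmbd" { found = 1 } END { exit !found }'; then
        echo "loaded"
    elif modinfo ksmbd >/dev/null 2>&1; then
        echo "available-not-loaded"
    else
        echo "absent"
    fi
}

main() {
    release=$(uname -r)
    echo "kernel release: $release -> $(classify_kernel "$release")"
    echo "ksmbd module:   $(ksmbd_state)"
}

main "$@"
```

A host reporting "5.15-vulnerable" together with "loaded" is the case the article is warning about; "available-not-loaded" means the file is on disk but the running kernel is not serving SMB through it.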
Tomi Engdahl says:
Password service admits: Passwords ended up with criminals – if you are a user, do this https://www.is.fi/digitoday/tietoturva/art-2000009287110.html
Tomi Engdahl says:
https://nakedsecurity.sophos.com/2022/12/23/lastpass-finally-admits-they-did-steal-your-password-vaults-after-all/
Tomi Engdahl says:
Hacker claims to have obtained the data of 400 million Twitter users and is trying to sell it https://www.is.fi/digitoday/art-2000009290513.html
Tomi Engdahl says:
A threat actor is claiming they have obtained data of 400,000,000 Twitter users and is offering it for sale.
https://securityaffairs.co/wordpress/139993/data-breach/twitter-400-million-users-leak.html
The seller claims the database is private, he provided a sample of 1,000 accounts as proof of claims which included the private information of prominent users such as Donald Trump JR, Brian Krebs, and many more.
The seller, a member of data breach forums named Ryushi, claims the data was scraped via a vulnerability, it includes emails and phone numbers of celebrities, politicians, companies, normal users, and a lot of OG and special usernames.
The seller is also inviting Twitter and Elon Musk to buy the data to avoid GDPR lawsuits.
“Twitter or Elon Musk if you are reading this you are already risking a GDPR fine over 5.4m breach imaging the fine of 400m users breach source. Your best option to avoid paying $276 million USD in GDPR breach fines like facebook did (due to 533m users being scraped) is to buy this data exclusively.” reads the advertising.
The seller also announced that the sale is covered by the escrow service
Tomi Engdahl says:
LastPass finally admits: They did steal your password vaults after all https://nakedsecurity.sophos.com/2022/12/23/lastpass-finally-admits-they-did-steal-your-password-vaults-after-all/
Popular password management company LastPass has been under the pump this year, following a network intrusion back in August 2022. Details of how the attackers first got in are still scarce, with LastPass’s first official comment cautiously stating that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account. The threat actor was able to copy a backup of customer vault data.
Tomi Engdahl says:
Don’t click too quick! FBI warns of malicious search engine ads https://www.tripwire.com/state-of-security/dont-click-too-quick-fbi-warns-malicious-search-engine-ads
The FBI is warning US consumers that cybercriminals are placing ads in search engine results that impersonate well-known brands, in an attempt to spread ransomware and steal financial information. In a public service announcement issued this week, the FBI describes how cybercriminals are purchasing ads that show up at the very top of search engine results, often purporting to link to a legitimate company’s website. However, anyone clicking on the link is instead taken to a lookalike page that may appear identical, but is in fact designed to phish for login credentials and financial details, or even trick the unwary into downloading ransomware.
Tomi Engdahl says:
Hackers exploit bug in WordPress gift card plugin with 50K installs https://www.bleepingcomputer.com/news/security/hackers-exploit-bug-in-wordpress-gift-card-plugin-with-50k-installs/
Hackers are actively targeting a critical flaw in YITH WooCommerce Gift Cards Premium, a WordPress plugin used on over 50,000 websites.
YITH WooCommerce Gift Cards Premium is a plugin that lets website operators sell gift cards in their online stores. Exploiting the vulnerability, tracked as CVE-2022-45359 (CVSS v3: 9.8), allows unauthenticated attackers to upload files to vulnerable sites, including web shells that provide full access to the site.
CVE-2022-45359 was disclosed to the public on November 22, 2022, impacting all plugin versions up to 3.19.0. The security update that addressed the problem was version 3.20.0, while the vendor has already released 3.21.0 by now, which is the recommended upgrade target.
Tomi Engdahl says:
The National Cyber Security Centre’s instructions for users of the breached password service: how to protect your data
https://www.tivi.fi/uutiset/tv/7855d65e-30b4-406e-b5be-e94591a76108
The password management service LastPass has been hit by a data breach in which the perpetrator obtained sensitive user data. The attack used parts of the source code stolen in August as well as technical information about the development environment, which allowed the attacker to break into a LastPass employee’s account. Certificates and keys were taken from the employee’s account, giving the attacker access to the cloud storage holding customer backups. In addition, the attacker got into the password vaults but did not manage to break the protection of users’ passwords. Master passwords, for their part, are not even stored in the service. Despite this, Olli Hönö, an information security specialist at the National Cyber Security Centre, urges users to change the passwords stored in LastPass. If there are several dozen passwords stored in LastPass, Hönö advises picking out the most important passwords and changing at least those.
Tomi Engdahl says:
Threat Brief: OWASSRF Vulnerability Exploitation https://unit42.paloaltonetworks.com/threat-brief-owassrf/
On Dec. 20, 2022, CrowdStrike published a blog discussing a new exploit method for Microsoft Exchange Server, which they named OWASSRF, referring to server-side request forgery in relation to Outlook on the web. (Outlook on the web is known as both Outlook Web Access and Outlook Web Application.) Unit 42 observed that active exploitation of the OWASSRF vulnerability was occurring in late November and early December 2022. Unit 42 did observe threat actor activity exploiting these vulnerabilities, in which the actor used a PowerShell-based backdoor that we are tracking as SilverArrow to run commands on the Exchange Server. The actors ran commands to do the following:
Tomi Engdahl says:
Leading sports betting firm BetMGM discloses data breach https://www.bleepingcomputer.com/news/security/leading-sports-betting-firm-betmgm-discloses-data-breach/
Leading sports betting company BetMGM disclosed a data breach after a threat actor stole personal information belonging to an undisclosed number of customers. While the personal info stolen in the attack varies for each customer, the attackers obtained a wide range of data, including names, contact info (like postal addresses, email addresses, and phone numbers), dates of birth, hashed Social Security numbers, account identifiers (like player IDs and screen names) and info related to transactions with BetMGM. The company added that it discovered the incident in November 2022 but believes the breach occurred in May 2022. “BetMGM currently has no evidence that patron passwords or account funds were accessed in connection with this issue,” a press release issued on Wednesday says.
Tomi Engdahl says:
W4SP Stealer Discovered in Multiple PyPI Packages Under Various Names https://thehackernews.com/2022/12/w4sp-stealer-discovered-in-multiple.html
Threat actors have published yet another round of malicious packages to Python Package Index (PyPI) with the goal of delivering information-stealing malware on compromised developer machines.
Interestingly, while the malware goes by a variety of names like ANGEL Stealer, Celestial Stealer, Fade Stealer, Leaf $tealer, PURE Stealer, Satan Stealer, and @skid Stealer, cybersecurity company Phylum found them all to be copies of W4SP Stealer. W4SP Stealer primarily functions to siphon user data, including credentials, cryptocurrency wallets, Discord tokens, and other files of interest. It’s created and published by an actor who goes by the aliases BillyV3, BillyTheGoat, and billythegoat356. “For some reason, each deployment appears to have simply tried to do a find/replace of the W4SP references in exchange for some other seemingly arbitrary name,” the researchers said in a report published earlier this week.
Tomi Engdahl says:
The Week in Ransomware – December 23rd 2022 – Targeting Microsoft Exchange https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-23rd-2022-targeting-microsoft-exchange/
Reports this week illustrate how threat actors consider Microsoft Exchange as a prime target for gaining initial access to corporate networks to steal data and deploy ransomware. CrowdStrike researchers reported this week that the Play ransomware operation utilized a new Microsoft Exchange attack dubbed ‘OWASSRF’ that chained exploits for CVE-2022-41082 and CVE-2022-41080 to gain initial access to corporate networks. The ransomware operation then used this access to steal data and encrypt devices on the network. As another example of Microsoft Exchange being heavily targeted by threat actors, ProDaft revealed this week that the FIN7 hacking group created an auto-attack platform called ‘Checkmarks’ that targets Microsoft Exchange.
Tomi Engdahl says:
LastPass Breach – The danger of metadata https://www.pwndefend.com/2022/12/24/lastpass-breach-the-danger-of-metadata/
When an organisation suffers a data breach it's usually bad. When it's an organisation that stores 25 million people's passwords, that's really bad. There are multiple risks here at play. But the metadata, this is terrible just on its own. It shows who I've worked/work with, it leaks internal URLs, public URLs, it gives away intel on technology (e.g. PHPMYADMIN), it leaks real IP addresses that I've obscured using CDNs and proxies, it shows honeypots and other sites I interface with.
Expand this out to a million people, then expand it to 25 million people.
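To make the point above concrete, the added example below (my code, not from the linked post or from LastPass) walks a constructed list of vault URL fields, the kind of metadata that was stored unencrypted, and derives what an attacker learns without a single password: which organisations the owner deals with, which hosts are internal, which entries expose a raw IP behind a CDN, and which paths reveal the technology stack. The sample URLs, the technology keyword list and the internal-suffix list are assumptions for illustration.

```python
"""What the URL field alone leaks from a password vault export.
Added example with constructed data; keyword and suffix lists are assumptions."""
import ipaddress
from typing import Dict, List, Optional, Set
from urllib.parse import urlsplit

# Constructed vault URL fields standing in for a real export.
SAMPLE_URLS = [
    "https://login.example-client.com/sso",
    "https://jira.example-client.com/secure/Dashboard.jspa",
    "http://10.20.30.40/phpmyadmin/index.php",
    "https://grafana.corp.internal:3000/login",
    "https://203.0.113.25:8443/admin",
    "http://honeypot-01.lab.example.net/",
    "https://mail.google.com/",
]

# Assumed indicators; a real analyst would use a much longer list.
TECH_HINTS = ("phpmyadmin", "jira", "grafana", "jenkins", "gitlab", "/admin", "wp-login")
INTERNAL_SUFFIXES = (".internal", ".local", ".corp", ".lan", ".intranet")
RFC1918_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def parse_ip(host: str) -> Optional[ipaddress._BaseAddress]:
    """Return an address object if the host is an IP literal, else None."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None


def classify(url: str) -> Dict[str, object]:
    """Extract host, whether it is an IP literal, whether it is internal,
    the registrable organisation (approximated as the last two labels) and
    any technology hints found in host or path."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path.lower()
    ip = parse_ip(host)
    internal = (ip is not None and any(ip in net for net in RFC1918_NETS)) \
        or host.endswith(INTERNAL_SUFFIXES)
    haystack = f"{host} {path}"
    hints = [h for h in TECH_HINTS if h in haystack]
    org = None
    if ip is None and not internal and host:
        labels = host.split(".")
        org = ".".join(labels[-2:])  # approximation; ignores multi-part TLDs like co.uk
    return {"host": host, "ip_literal": ip is not None,
            "internal": internal, "org": org, "tech": hints}


def analyse(urls: List[str]) -> Dict[str, object]:
    """Aggregate per-URL findings into the intelligence picture an attacker gets."""
    report: Dict[str, object] = {"organisations": set(), "internal_hosts": set(),
                                 "ip_literals": set(), "tech": {}}
    orgs: Set[str] = report["organisations"]          # type: ignore[assignment]
    internal: Set[str] = report["internal_hosts"]     # type: ignore[assignment]
    ips: Set[str] = report["ip_literals"]             # type: ignore[assignment]
    tech: Dict[str, List[str]] = report["tech"]       # type: ignore[assignment]
    for url in urls:
        c = classify(url)
        if c["org"]:
            orgs.add(c["org"])  # type: ignore[arg-type]
        if c["internal"]:
            internal.add(c["host"])  # type: ignore[arg-type]
        if c["ip_literal"]:
            ips.add(c["host"])  # type: ignore[arg-type]
        if c["tech"]:
            tech[c["host"]] = c["tech"]  # type: ignore[index,assignment]
    return report


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_URLS).items():
        print(f"{key}: {value}")
```

The public IP literal in the sample is the CDN-bypass case the post describes: the vault records the origin address the owner types in directly, not the fronted hostname. Multiply the per-user picture by the number of vaults in the dump and the URL column alone is a targeting database.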
Tomi Engdahl says:
Massive New Twitter Leak Allegedly Exposes 400M+ Users https://restoreprivacy.com/massive-new-twitter-leak-allegedly-exposes-400m-users/
In what appears to be yet another privacy blow to Twitter, a hacker is now selling data allegedly from 400+ million Twitter users. In the hacker forum Breached, the hacker explained that the data was acquired in 2021 and early 2022. This timeframe lines up with the Twitter data leak of 5.4 million users that we reported in July. It is not yet clear, however, if the data was obtained via the same vulnerability as before with the 5.4 million accounts.
Tomi Engdahl says:
New info-stealer malware infects software pirates via fake cracks sites https://www.bleepingcomputer.com/news/security/new-info-stealer-malware-infects-software-pirates-via-fake-cracks-sites/
A new information-stealing malware named RisePro is being distributed through fake cracks sites operated by the PrivateLoader pay-per-install (PPI) malware distribution service. RisePro is designed to help attackers steal victims’ credit cards, passwords, and crypto wallets from infected devices. The malware was spotted by analysts at Flashpoint and Sekoia this week, with both cybersecurity firms confirming that RisePro is a previously undocumented information stealer now being distributed via fake software cracks and key generators. Flashpoint reports that threat actors have already begun to sell thousands of RisePro logs (packages of data stolen from infected devices) on Russian dark web markets.
Tomi Engdahl says:
GuLoader Malware Utilizing New Techniques to Evade Security Software https://thehackernews.com/2022/12/guloader-malware-utilizing-new.html
Cybersecurity researchers have exposed a wide variety of techniques adopted by an advanced malware downloader called GuLoader to evade security software. “New shellcode anti-analysis technique attempts to thwart researchers and hostile environments by scanning entire process memory for any virtual machine (VM)-related strings,” CrowdStrike researchers Sarang Sonawane and Donato Onofri said in a technical write-up published last week. GuLoader, also called CloudEyE, is a Visual Basic Script (VBS) downloader that’s used to distribute remote access trojans on infected machines. It was first detected in the wild in 2019.
Tomi Engdahl says:
Mozilla Just Fixed an 18-Year-Old Firefox Bug https://www.howtogeek.com/856212/mozilla-just-fixed-an-18-year-old-firefox-bug/
We all have a to-do list with items that have been there for too long, as more important problems come up or procrastination kicks in. That’s even true for Mozilla, which recently fixed a Firefox bug that was first reported 18 years ago. Bug 290125 was first reported on April 12, 2005, only a few days before the release of Firefox 1.0.3, and outlined an issue with how Firefox rendered text with the ::first-letter CSS pseudo-element. The author said, “when floating left a :first-letter (to produce a dropcap), Gecko ignores any declared line-height and inherits the line-height of the parent box. [...] Both Opera 7.5+ and Safari 1.0+ correctly handle this.” The issue was still marked as low priority, so progress continued slowly, until it was finally marked as fixed on December 20, 2022. Firefox 110 should include the updated code, which is expected to roll out to everyone in February 2023.
Tomi Engdahl says:
Microsoft Patches Azure Cross-Tenant Data Access Flaw
https://www.securityweek.com/microsoft-patches-azure-cross-tenant-data-access-flaw
Microsoft has silently fixed an important-severity security flaw in its Azure Container Service (ACS) after an external researcher warned that a buggy feature allowed cross-tenant network bypass attacks.
The vulnerability, documented by researchers at Mnemonic, effectively removed the entire network and identity perimeter around internet-isolated Azure Cognitive Search instances and allowed cross-tenant access to the data plane of ACS instances from any location, including instances without any explicit network exposure.
According to Mnemonic researcher Emilien Socchi, the flaw was silently fixed by Microsoft at the end of August, 2022, approximately six months after it was first reported.
The exposure, nicknamed ACSESSED, impacted all Azure Container Service instances that enabled the “Allow access from portal” feature.
“By enabling that feature, customers effectively allowed cross-tenant access to the data plane of their ACS instances from any location, regardless of the actual network configurations of the latter. Note that this included instances exposed exclusively on private endpoints, as well as instances without any explicit network exposure, such as the one I deployed for investigation (i.e. instances without any private, service or public endpoint),” the researcher warned.
“By the simple click of a button, customers were able to turn on a vulnerable feature, which removed the entire network perimeter configured around their ACS instances, without providing any real identity perimeter (i.e. anybody could generate a valid access token for ARM),” Socchi added.
Tomi Engdahl says:
China’s ByteDance Admits Using TikTok Data to Track Journalists
https://www.securityweek.com/chinas-bytedance-admits-using-tiktok-data-track-journalists
Employees of Chinese tech giant ByteDance improperly accessed data from social media platform TikTok to track journalists in a bid to identify the source of leaks to the media, the company admitted Friday.
TikTok has gone to great lengths to convince customers and governments of major markets like the United States that users’ data privacy is protected and that it poses no threat to national security.
But parent company ByteDance told AFP on Friday that several staffers accessed two journalists’ data as part of an internal probe into leaks of company information to the media.
They had hoped to identify links between staff and a Financial Times reporter and a former BuzzFeed journalist, an email from ByteDance’s general counsel Erich Andersen seen by AFP said.
Both journalists previously reported on the contents of leaked company materials.
None of the employees found to have been involved remained employed by ByteDance, Andersen said, though he did not disclose how many had been fired.
Tomi Engdahl says:
BetMGM Confirms Breach as Hackers Offer to Sell Data of 1.5 Million Customers
https://www.securityweek.com/betmgm-confirms-breach-hackers-offer-sell-data-15-million-customers