Cyber security news January 2023

This posting is here to collect cyber security news in January 2023.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.

446 Comments

  1. Tomi Engdahl says:

    Microsoft Azure-Based Kerberos Attacks Crack Open Cloud Accounts
    https://www.darkreading.com/cloud/microsoft-azure-kerberos-attacks-open-cloud-accounts

    Two common attacks against on-premises Kerberos authentication servers — known as Pass the Ticket and Silver Ticket — can be used against Microsoft’s Azure AD Kerberos, a security firm says.

    Reply
  2. Tomi Engdahl says:

    Malware exploited critical Realtek SDK bug in millions of attacks
    https://www.bleepingcomputer.com/news/security/malware-exploited-critical-realtek-sdk-bug-in-millions-of-attacks/

    Hackers have leveraged a critical remote code execution vulnerability in Realtek Jungle SDK in 134 million attacks trying to infect smart devices in the second half of 2022.

    Exploited by multiple threat actors, the vulnerability is tracked as CVE-2021-35394 and comes with a severity score of 9.8 out of 10.

    Between August and October last year, sensors from Palo Alto Networks observed significant exploitation activity for this security issue, accounting for more than 40% of the total number of incidents.

    High exploitation levels
    Starting September 2022, a new sizable botnet malware named ‘RedGoBot’ appeared in the wild targeting IoT devices vulnerable to CVE-2021-35394.

    Three different payloads were delivered as a result of these attacks:

    a script that executes a shell command on the target server to download malware
    an injected command that writes a binary payload to a file and executes it
    an injected command that reboots the server
    Most of these attacks originate from botnet malware families like Mirai, Gafgyt, Mozi, and derivatives of them. In April 2022, the Fodcha botnet was spotted exploiting CVE-2021-35394 for distributed denial-of-service (DDoS) operations.

    Reply
  3. Tomi Engdahl says:

    Developer of a hit game that fell victim to a data breach did not play along with the criminals – the consequences were to be expected
    https://www.tivi.fi/uutiset/tietomurron-uhriksi-joutunut-hittipelin-kehittaja-ei-lahtenyt-mukaan-rikollisten-leikkiin-seuraukset-olivat-odotettavissa/c67fc101-90dd-42bb-95e3-0dbb1db42e59

    The alleged source code of League of Legends is being sold at auction.

    Riot Games, developer of the hit game League of Legends, was recently the target of a data breach. The criminals gained access to the company's development systems and made off with the source code of League of Legends, Teamfight Tactics and the anti-cheat platform Packman.

    Reply
  4. Tomi Engdahl says:

    Three seconds of audio could end up costing Fox $500,000
    And that, kids, is why we don’t play the Emergency Alert System tone on TV
    Richard Currie, The Register, Fri 27 Jan 2023 // 19:00 UTC
    https://www.theregister.com/2023/01/27/fox_eas_tones_fine/

    Despite being a well-known illegal sound that many film and television productions have been fined over, US media titan Fox stands accused of playing the Emergency Alert System attention tone to promote an NFL show on dozens of TV channels.

    The Federal Communications Commission, which polices use of the sound to protect its integrity, now wants to fine the organization $504,000 – just as it did for Hollywood action film Olympus Has Fallen ($1.9 million, 2014) right down to Jimmy Kimmel Live ($395,000, 2019).

    Reply
  5. Tomi Engdahl says:

    ESET: Sandworm could be behind new file-deleting malware targeting Ukraine https://therecord.media/sandworm-swiftslicer-malware-ukraine-russia-eset/
    The notorious state-backed Russian hacking group known as Sandworm may be behind new malware targeting Ukraine, according to research published Friday by cybersecurity company ESET. Malware called SwiftSlicer hit one organization in Ukraine before it was discovered by the Slovakia-based firm this week. SwiftSlicer malware “is relatively simple but effective,” according to Boutin. Once executed, it deletes backup copies of computer files, overwrites files located on specific drives and then reboots the computer

    Reply
  6. Tomi Engdahl says:

    Researchers Discover New PlugX Malware Variant Spreading via Removable USB Devices https://thehackernews.com/2023/01/researchers-discover-new-plugx-malware.html
    Cybersecurity researchers have uncovered a PlugX sample that employs sneaky methods to infect attached removable USB media devices in order to propagate the malware to additional systems. “This PlugX variant is wormable and infects USB devices in such a way that it conceals itself from the Windows operating file system,” Palo Alto Networks Unit 42 researchers Mike Harbison and Jen Miller-Osborn said. “A user would not know their USB device is infected or possibly used to exfiltrate data out of their networks.” The cybersecurity company said it uncovered the artifact during an incident response effort following a Black Basta ransomware attack against an unnamed victim. Among other tools discovered in the compromised environment include the Gootkit malware loader and the Brute Ratel C4 red team framework

    Reply
  7. Tomi Engdahl says:

    Microsoft urges admins to patch on-premises Exchange servers https://www.bleepingcomputer.com/news/security/microsoft-urges-admins-to-patch-on-premises-exchange-servers/
    Microsoft urged customers today to keep their on-premises Exchange servers patched by applying the latest supported Cumulative Update (CU) to have them always ready to deploy an emergency security update.
    Redmond says that the Exchange server update process is “straightforward” (something that many admins might disagree with) and recommends always running the Exchange Server Health Checker script after installing updates. “To defend your Exchange servers against attacks that exploit known vulnerabilities, you must install the latest supported CU and the latest SU,” The Exchange Team said

    Reply
  8. Tomi Engdahl says:

    #GermanyRIP. Kremlin-loyal hacktivists wage DDoSes to retaliate for tank aid https://arstechnica.com/information-technology/2023/01/germanyrip-kremlin-loyal-hacktivists-wage-ddoses-to-retaliate-for-tank-aid/
    Threat actors loyal to the Kremlin have stepped up attacks in support of its invasion of Ukraine, with denial-of-service attacks hitting German banks and other organizations and the unleashing of a new destructive data wiper on Ukraine. Germany’s BSI agency, which monitors cybersecurity in that country, said the attacks caused small outages but ultimately did little damage

    Reply
  9. Tomi Engdahl says:

    Massive Microsoft 365 outage caused by WAN router IP change https://www.bleepingcomputer.com/news/microsoft/massive-microsoft-365-outage-caused-by-wan-router-ip-change/
    Microsoft says this week’s five-hour-long Microsoft 365 worldwide outage was caused by a router IP address change that led to packet forwarding issues between all other routers in its Wide Area Network (WAN). Redmond said at the time that the outage resulted from DNS and WAN networking configuration issues caused by a WAN update and that users across all regions serviced by the impacted infrastructure were having problems accessing the affected Microsoft 365 services. The issue led to service impact in waves, peaking approximately every 30 minutes as shared on the Microsoft Azure service status page (this status page was also affected as it intermittently displayed “504 Gateway Time-out” errors). In all, it took Redmond over five hours to address the issue, from 7:05 AM UTC when it started investigating up until 12:43 PM UTC when service was restored

    Reply
  10. Tomi Engdahl says:

    Facebook two-factor authentication bypass issue patched https://portswigger.net/daily-swig/facebook-two-factor-authentication-bypass-issue-patched
    Meta has patched a vulnerability in Facebook that could have allowed an attacker to bypass SMS-based two-factor authentication (2FA). The bug – which earned its finder a $27,200 bounty – did this by confirming the targeted user's already-verified Facebook mobile number using the Meta Accounts Center in Instagram. It exploited a rate-limiting issue in Instagram that enabled an attacker to brute force the verification PIN required to confirm someone's phone number

    Reply
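    The bug above comes down to a missing rate limit on a verification-code endpoint, which turns a six-digit PIN into something an attacker can simply enumerate. The C program below is an added example written for this page, not Meta's code or anything from the disclosure: a toy server-side PIN check with an optional fixed-window attempt limit, and an attacker loop that walks the code space in order. The struct layout, the 5-attempts-per-300-seconds limit and the attacker's rate are assumptions chosen for illustration.

```c
#include <stdio.h>

/* Server-side state for one phone-number confirmation flow (assumed design). */
struct pin_check {
    int  pin;           /* the 6-digit code the server sent by SMS */
    int  limit;         /* attempts allowed per window; 0 = unlimited (the flaw) */
    long window;        /* window length in seconds */
    long window_start;  /* start of the current window (epoch-style seconds) */
    int  used;          /* attempts consumed in the current window */
};

enum verdict { PIN_OK, PIN_WRONG, PIN_THROTTLED };

/* Fixed-window limiter: every `window` seconds the counter resets; beyond
 * `limit` attempts the guess is refused without even being compared.
 * With limit == 0 every guess is compared, which is the vulnerable setting. */
enum verdict verify_pin(struct pin_check *c, int guess, long now)
{
    if (c->limit > 0) {
        if (now - c->window_start >= c->window) {
            c->window_start = now;
            c->used = 0;
        }
        if (c->used >= c->limit)
            return PIN_THROTTLED;
        c->used++;
    }
    return guess == c->pin ? PIN_OK : PIN_WRONG;
}

struct attack_result { int found; long sent; long accepted; };

/* Attacker tries codes 000000..999999 in order, sending up to `rate` guesses
 * per second for `horizon` seconds. A throttled guess is not consumed: the
 * attacker gives up on that second and retries the same code next second. */
struct attack_result brute_force(struct pin_check *c, long rate, long horizon)
{
    struct attack_result r = {0, 0, 0};
    int guess = 0;
    for (long t = 0; t < horizon && guess < 1000000; t++) {
        for (long k = 0; k < rate && guess < 1000000; k++) {
            enum verdict v = verify_pin(c, guess, t);
            r.sent++;
            if (v == PIN_THROTTLED)
                break;              /* nothing more gets through this second */
            r.accepted++;
            if (v == PIN_OK) { r.found = 1; return r; }
            guess++;
        }
    }
    return r;
}

int main(void)
{
    struct pin_check open    = {428913, 0, 300, 0, 0};  /* no limit */
    struct pin_check limited = {428913, 5, 300, 0, 0};  /* 5 per 5 minutes */
    struct attack_result a = brute_force(&open, 100, 100000);
    struct attack_result b = brute_force(&limited, 100, 3600);
    printf("unlimited: found=%d accepted=%ld\n", a.found, a.accepted);
    printf("limited:   found=%d accepted=%ld sent=%ld\n", b.found, b.accepted, b.sent);
    return 0;
}
```

    With no limit the attacker reaches code 428913 after exactly that many comparisons; with 5 attempts per 300 seconds an hour of hammering yields 60 accepted guesses out of a million codes. A fixed window still lets two bursts straddle a boundary, so a production limiter would also key the counter on the target phone number (not just the caller's session) and invalidate the code after a handful of failures rather than keeping it alive.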
  11. Tomi Engdahl says:

    Target says data sold on dark web is ‘outdated,’ likely ‘released by third party’
    https://therecord.media/target-says-data-sold-on-dark-web-is-outdated-likely-released-by-third-party/
    Following the posting of an alleged database of customer information on a hacker forum, Target is denying that the data being sold on the dark web is current and says that the information was not taken directly from its systems. On Thursday, the hacker posted the trove, which contains names, addresses, and transaction information, purportedly for more than 800,000 Target customers. But Target spokesperson Brian Harper-Tibaldo told The Record that the data is “outdated” and “may have been released by a third party.”

    Reply
  12. Tomi Engdahl says:

    HUS website will not open due to a technical problem, Russian hackers may be behind it
    https://yle.fi/a/74-20015216
    The website of the Hospital District of Helsinki and Uusimaa (HUS) has had technical problems on Saturday. The pages do not open, and the view that loads says the cause of the outage is under investigation. Russian hackers may be behind the technical problems. The Russian hacker group KillMilk has today published on its Telegram channel a list of healthcare institutions that a new denial-of-service attack is targeting, and announced that it has begun. HUS cannot estimate how long the disruption will last

    Reply
  13. Tomi Engdahl says:

    British Cyber Agency Warns of Russian and Iranian Hackers Targeting Key Industries https://thehackernews.com/2023/01/british-cyber-agency-warns-of-russian.html
    The U.K. National Cyber Security Centre (NCSC) on Thursday warned of spear-phishing attacks mounted by Russian and Iranian state-sponsored actors for information-gathering operations. “The attacks are not aimed at the general public but targets in specified sectors, including academia, defense, government organizations, NGOs, think tanks, as well as politicians, journalists and activists,” the NCSC said. The agency attributed the intrusions to SEABORGIUM (aka Callisto, COLDRIVER, and TA446) and APT42 (aka ITG18, TA453, and Yellow Garuda). The similarities in the modus operandi aside, there is no evidence the two groups are collaborating with each other

    Reply
  14. Tomi Engdahl says:

    Charter Communications says vendor breach exposed some customer data https://therecord.media/telecom-giant-charter-communications-says-third-party-vendor-had-security-breach/
    Telecommunications company Charter Communications said one of its third-party vendors suffered from a security breach after data from the company showed up on a hacking forum. On Thursday, a forum user posted information allegedly stolen from the company that included names, account numbers, addresses and more for about 550,000 customers

    Reply
  15. Tomi Engdahl says:

    Latvia confirms phishing attack on Ministry of Defense, linking it to Russian hacking group https://therecord.media/latvia-confirms-phishing-attack-on-ministry-of-defense-linking-it-to-russian-hacking-group/
    The Russian cyber-espionage group known as Gamaredon may have been behind a phishing attack on Latvia's Ministry of Defense last week, the ministry told The Record on Friday. Hackers sent malicious emails to several employees of the ministry, pretending to be Ukrainian government officials. The attempted cyberattack was unsuccessful, the ministry added

    Reply
  16. Tomi Engdahl says:

    Gootkit Malware Continues to Evolve with New Components and Obfuscations https://thehackernews.com/2023/01/gootkit-malware-continues-to-evolve.html
    The threat actors associated with the Gootkit malware have made “notable changes” to their toolset, adding new components and obfuscations to their infection chains. Google-owned Mandiant is monitoring the activity cluster under the moniker UNC2565, noting that the usage of the malware is “exclusive to this group.” Gootkit, also called Gootloader, is spread through compromised websites that victims are tricked into visiting when searching for business-related documents like agreements and contracts via a technique called search engine optimization (SEO) poisoning. The purported documents take the form of ZIP archives that harbor the JavaScript malware, which, when launched, paves the way for additional payloads such as Cobalt Strike Beacon, FONELAUNCH, and SNOWCONE

    Reply
  17. Tomi Engdahl says:

    Hackers use new SwiftSlicer wiper to destroy Windows domains https://www.bleepingcomputer.com/news/security/hackers-use-new-swiftslicer-wiper-to-destroy-windows-domains/
    Security researchers have identified a new data-wiping malware they named SwiftSlicer that aims to overwrite crucial files used by the Windows operating system. The new malware was discovered in a recent cyberattack against a target in Ukraine and has been attributed to Sandworm, a hacking group working for Russia's General Staff Main Intelligence Directorate (GRU) as part of the Main Center for Special Technologies (GTsST) military unit 74455. While details are scant regarding SwiftSlicer at the moment, security researchers at cybersecurity company ESET say that they found the destructive malware deployed during a cyberattack in Ukraine

    Reply
  18. Tomi Engdahl says:

    A Blog with NoName – Further Insight into the Hacktivist Operation Targeting NATO and Affiliated Nations https://www.team-cymru.com/post/a-blog-with-noname
    NoName057(16) attacks have targeted government / military departments in Ukraine and NATO countries, as well as organizations from core sectors such as finance, freight, and media. Recent reporting (Avast, SentinelLabs) has revealed that NoName057(16) relies upon a volunteer system (rather than a botnet of infected hosts), in which the volunteers are rewarded financially for contributing attack infrastructure. This system is managed via two Telegram channels (@noname05716 and @nn05716chat)

    Reply
  19. Tomi Engdahl says:

    Microsoft Urges Customers to Secure On-Premises Exchange Servers https://thehackernews.com/2023/01/microsoft-urges-customers-to-secure-on.html
    Microsoft is urging customers to keep their Exchange servers updated as well as take steps to bolster the environment, such as enabling Windows Extended Protection and configuring certificate-based signing of PowerShell serialization payloads. “Attackers looking to exploit unpatched Exchange servers are not going to go away,” the tech giant’s Exchange Team said in a post. “There are too many aspects of unpatched on-premises Exchange environments that are valuable to bad actors looking to exfiltrate data or commit other malicious acts.”

    Reply
  20. Tomi Engdahl says:

    Researchers to release VMware vRealize Log RCE exploit, patch now https://www.bleepingcomputer.com/news/security/researchers-to-release-vmware-vrealize-log-rce-exploit-patch-now/
    Security researchers with Horizon3's Attack Team will release an exploit targeting a vulnerability chain next week for gaining remote code execution on unpatched VMware vRealize Log Insight appliances.
    Now known as VMware Aria Operations for Logs, vRealize Log Insight makes it easier for VMware admins to analyze and manage terabytes of infrastructure and application logs. On Tuesday, VMware patched four security vulnerabilities in this log analysis tool, two of which are critical and allow attackers to execute code remotely without authentication

    Reply
  21. Tomi Engdahl says:

    Royal Mail resumes some international parcel services from UK
    https://www.computerweekly.com/news/252529609/Royal-Mail-resumes-some-international-parcel-services-from-UK?utm_campaign=20230127_Lords+question+%E2%80%98extensive%E2%80%99+government+online+safety+powers&utm_medium=EM&utm_source=MDN&source_ad_id=252529609&asrc=EM_MDN_259195383&bt_ee=pvJwYXzI2G%2FlOgyww9U%2FsVlQwSgLMMOX5tApK1CudOLPkStF7sWvLXoWdifxY%2FTo&bt_ts=1675009671105

    Royal Mail has successfully stood up its International Tracked and Signed, and International Signed, services as it continues to recover from a ransomware attack

    Royal Mail continues to make steady progress on recovering its international letter and parcel export services following a suspected LockBit ransomware attack earlier in January.

    Having started to despatch standard export letters, and letters and parcels from Northern Ireland into Ireland, on Thursday 19 January, the postal service now says that having made progress on clearing the backlog of items in the system before the attack, it is now in a position to stand up two key parcel services, International Tracked and Signed, and International Signed.

    “We have made further progress in exporting an increasing number of items to a growing number of international destinations,” Royal Mail said in a statement. “We are using alternative solutions and systems, which were not affected by the recent cyber incident.

    Reply
  22. Tomi Engdahl says:

    BIND Updates Patch High-Severity, Remotely Exploitable DoS Flaws
    https://www.securityweek.com/bind-updates-patch-high-severity-remotely-exploitable-dos-flaws/

    The latest BIND updates patch multiple remotely exploitable vulnerabilities that could lead to denial-of-service (DoS).

    The Internet Systems Consortium (ISC) this week announced patches for multiple high-severity denial-of-service (DoS) vulnerabilities in the DNS software suite BIND.

    The addressed issues could be exploited remotely to cause named – the BIND daemon that acts both as an authoritative name server and as a recursive resolver – to crash, or could lead to the exhaustion of the available memory.

    The first of the security defects, tracked as CVE-2022-3094, can be exploited by sending a flood of dynamic DNS updates, which would cause named to allocate large amounts of memory, resulting in a crash due to a lack of free memory.

    According to ISC, because allocated memory is only retained for clients for which access credentials are accepted, the scope of the vulnerability is limited to trusted clients that are allowed to make dynamic zone changes.

    For BIND 9.11 and earlier branches, the flaw can be exploited to exhaust internal resources, which results in performance issues, but not a crash.

    Tracked as CVE-2022-3736, the second issue leads to a crash “when stale cache and stale answers are enabled, option stale-answer-client-timeout is set to a positive integer, and the resolver receives an RRSIG query,” ISC explains. A remote attacker can trigger the bug by sending crafted queries to the resolver.

    Reply
  23. Tomi Engdahl says:

    CVE-2022-3094: An UPDATE message flood may cause named to exhaust all available memory
    https://kb.isc.org/v1/docs/cve-2022-3094
    CVE: CVE-2022-3094
    Document version: 2.1
    Posting date: 25 January 2023
    Program impacted: BIND 9
    Versions affected:
    BIND
    9.16.0 -> 9.16.36
    9.18.0 -> 9.18.10
    9.19.0 -> 9.19.8
    (Versions prior to 9.11.37 were not assessed.)
    BIND Supported Preview Edition
    9.16.8-S1 -> 9.16.36-S1
    (Versions prior to 9.11.37-S1 were not assessed.)
    Severity: High
    Exploitable: Remotely
    Sending a flood of dynamic DNS updates may cause named to allocate large amounts of memory. This, in turn, may cause named to exit due to a lack of free memory. We are not aware of any cases where this has been exploited.
    Impact:
    By flooding the target server with UPDATE requests, the attacker can exhaust all available memory on that server.
    CVSS Score: 7.5
    CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

    Reply
  24. Tomi Engdahl says:

    Man bought an oven and was astonished – it contacts Russia and China 12 times an hour https://www.is.fi/digitoday/tietoturva/art-2000009359273.html

    AEG's ovens check that the internet connection works by constantly contacting three search engines. The researcher is concerned.

    WHEN you buy a home appliance, you may not think about everything it does beyond its obvious purpose. A good example comes from software expert Stephan van Rooij, who noticed that his two AEG-branded ovens were contacting three search engines every 5 minutes.

    The search engines are the US-based Google, the Chinese Baidu and the Russian Yandex. The ovens in question, AEG's BSK798280B and KMK768080B, visit the front pages of these search engines to check that the internet connection is working.

    – I really don't like the fact that my oven contacts China and Russia just to check that it has an internet connection. If that is the only thing it does, van Rooij writes.

    I disconnected our smart oven, and maybe you should as well
    https://svrooij.io/2023/01/25/disconnect-your-smart-appliance/

    Arstechnica published an article yesterday, called “Appliance makers sad that 50% of customers won’t connect smart appliances”. Let me tell you, I’m glad people don’t connect their oven to the internet. We own two of these smart appliances from AEG and I disconnected them as soon as I discovered what they do.

    When would I use the smart part of these appliances?
    We did not explicitly buy “smart” appliances. We noticed they had wifi after we installed them. Here are some use cases of the “smart” functionality.

    I was working late, on the way back in the grocery store, thinking I’ll just take some pizza and pre-heat my oven while still in the store.
    While waking up deciding we want fresh baked buns in the morning, and we want to pre-heat the oven.
    Maybe receiving notifications on the phone when the pre-set timer finishes
    These three use cases are probably the only reason why people even consider buying a “smart” oven.

    Devices check for internet access
    Every smart device (laptop/phone/appliance) wants to know if the wifi it is connected to is actually providing access to the internet. Microsoft created a special endpoint that is used by your Windows device to check for internet connectivity. Apple and Google follow a similar strategy, I cannot find the exact documentation on it.

    If a company doesn’t want to set up an external api for this, or you have an api that is not really stable, you can always use public websites to check if you have an internet connection. In my opinion you should always set up your own api to do the checking, because you don’t want to report to the user that the device does not have internet access because some external website is down.

    And if you already have an api, just make sure your api is stable!

    How do AEG smart appliances check internet connectivity?
    AEG chose the easy route, and checks three public websites every 5 minutes when connected to your wifi. The AEG smart appliances also have this hidden cloud api which is used for controlling the devices, so there should not be a reason to connect to these websites:

    google.com: no shock there, that is the number one website I personally use if I have to check internet connectivity.
    baidu.cn: yes, every 5 minutes your oven sends a message to the Chinese google alternative.
    yandex.ru: yes, not even just China, also the Russian google alternative.

    I really don’t like the fact that my oven connects to China and Russia just to check if it has an internet connection. If that is the only thing it’s doing.

    Reply
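    Whether the destination is yandex.ru or a vendor API, what gives an appliance like this away on a network is the clockwork interval. As an added example (code written for this page, not van Rooij's and not tied to AEG's firmware), the C program below groups DNS query records by (client, queried name) and flags every pair that recurs at a fixed interval within a tolerance. The log lines are constructed for the example; the 192.168.1.23 client and the 300-second period are assumptions mirroring the 5-minute check described above.

```c
#include <stdio.h>
#include <string.h>

#define MAX_SERIES 32
#define MAX_TS     32

/* Constructed sample, not real logs: "epoch client qname", time-ordered.
 * 192.168.1.23 plays the oven; 192.168.1.10 is an ordinary workstation. */
static const char *SAMPLE_LOG =
    "1674600000 192.168.1.23 www.google.com\n"
    "1674600002 192.168.1.23 www.baidu.com\n"
    "1674600003 192.168.1.23 yandex.ru\n"
    "1674600090 192.168.1.10 mail.example.org\n"
    "1674600300 192.168.1.23 www.google.com\n"
    "1674600301 192.168.1.23 www.baidu.com\n"
    "1674600303 192.168.1.23 yandex.ru\n"
    "1674600600 192.168.1.23 www.google.com\n"
    "1674600601 192.168.1.23 www.baidu.com\n"
    "1674600603 192.168.1.23 yandex.ru\n"
    "1674600900 192.168.1.23 www.google.com\n"
    "1674600901 192.168.1.23 www.baidu.com\n"
    "1674600903 192.168.1.23 yandex.ru\n";

struct series { char client[40]; char qname[128]; long ts[MAX_TS]; int n; };
struct beacon { char client[40]; char qname[128]; long period; int hits; };

/* Periodic = at least min_hits samples and every gap between consecutive
 * samples within +/- tol (a fraction) of the first gap. Stores that gap in
 * *period and returns 1; otherwise returns 0. */
int is_periodic(const long *ts, int n, int min_hits, double tol, long *period)
{
    if (n < min_hits || n < 2)
        return 0;
    long base = ts[1] - ts[0];
    if (base <= 0)
        return 0;
    for (int i = 2; i < n; i++) {
        double dev = (double)((ts[i] - ts[i - 1]) - base) / (double)base;
        if (dev < -tol || dev > tol)
            return 0;
    }
    *period = base;
    return 1;
}

/* Parse the log, group queries by (client, qname) and report each group that
 * fires at a fixed interval. Returns how many beacons were written to out. */
int find_beacons(const char *log, int min_hits, double tol,
                 struct beacon *out, int max_out)
{
    static struct series table[MAX_SERIES];
    int nseries = 0, found = 0;
    memset(table, 0, sizeof table);

    for (const char *p = log; *p; ) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[256];
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        p = nl ? nl + 1 : p + len;

        long ts; char client[40], qname[128];
        if (sscanf(line, "%ld %39s %127s", &ts, client, qname) != 3)
            continue;                         /* malformed line: skip it */

        int i;                                /* find or create the series */
        for (i = 0; i < nseries; i++)
            if (!strcmp(table[i].client, client) && !strcmp(table[i].qname, qname))
                break;
        if (i == nseries) {
            if (nseries == MAX_SERIES) continue;
            strcpy(table[i].client, client);
            strcpy(table[i].qname, qname);
            nseries++;
        }
        if (table[i].n < MAX_TS)
            table[i].ts[table[i].n++] = ts;
    }

    for (int i = 0; i < nseries && found < max_out; i++) {
        long period;
        if (is_periodic(table[i].ts, table[i].n, min_hits, tol, &period)) {
            strcpy(out[found].client, table[i].client);
            strcpy(out[found].qname, table[i].qname);
            out[found].period = period;
            out[found].hits = table[i].n;
            found++;
        }
    }
    return found;
}

int main(void)
{
    struct beacon hits[8];
    int n = find_beacons(SAMPLE_LOG, 4, 0.10, hits, 8);
    for (int i = 0; i < n; i++)
        printf("%s -> %s every %lds (%d hits)\n",
               hits[i].client, hits[i].qname, hits[i].period, hits[i].hits);
    return 0;
}
```

    On real resolver or firewall logs the same grouping works on (source, destination) with the tolerance loosened for jitter. A device that hits three unrelated sites at one cadence while its vendor API sits idle is exactly the pattern described above; the practical fix on the network side is an egress rule for appliances that allows the vendor's endpoints and nothing else.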
  25. Tomi Engdahl says:

    Microsoft Urges Customers to Patch Exchange Servers
    https://www.securityweek.com/microsoft-urges-customers-to-patch-exchange-servers/

    Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

    Reply
  26. Tomi Engdahl says:

    Cyberwarfare
    Iranian APT Leaks Data From Saudi Arabia Government Under New Persona

    Iranian APT Moses Staff is leaking data stolen from Saudi Arabia government ministries under the recently created Abraham’s Ax persona

    https://www.securityweek.com/iranian-apt-leaks-data-from-saudi-arabia-government-under-new-persona/

    Reply
  27. Tomi Engdahl says:

    US Reiterates $10 Million Reward Offer After Disruption of Hive Ransomware

    US government reminds the public that a reward of up to $10 million is offered for information on cybercriminals, including members of the Hive operation.

    https://www.securityweek.com/us-reiterates-10-million-reward-offer-after-disruption-of-hive-ransomware/

    Reply
  28. Tomi Engdahl says:

    KSMBD Again
    https://hackaday.com/2023/01/27/this-week-in-security-gta-apple-and-android-and-insecure-boot/

    It’s beginning to look like a bad idea to put the Server Message Block Daemon driver in the Linux kernel, as we have another pre-auth integer underflow leading to denial of service. Researchers at Sysdig found the flaw this time, researching based on the previous ZDI-22-1690, which was a more serious RCE in the same kernel module. This one is a bit different from other integer underflows we’ve looked at. The wrap-around nature of integers instead saves this vulnerability from being a more serious one.

    The real problem is that during SMB authentication, the data structure from the remote user contains a pair of length values, which are used to parse the incoming authentication data. It’s obvious that these values aren’t implicitly trusted, and some good error checking is done to prevent a trivial buffer overflow.

    CVE-2023-0210
    Linux Kernel Unauthenticated Remote Heap Overflow Within KSMBD
    https://sysdig.com/blog/cve-2023-0210-linux-kernel-unauthenticated-remote-heap-overflow/

    KSMBD, as defined by the kernel documentation, is a linux kernel server which implements SMB3 protocol in kernel space for sharing files over network. It was introduced in kernel version ‘v5.15-rc1’ so it’s still relatively new. Most distributions do not have KSMBD compiled into the kernel or enabled by default.

    Recently, another vulnerability (ZDI-22-1690) was discovered in KSMBD, which allowed for unauthenticated remote code execution in the kernel context. This provided a motivation to look further into KSMBD’s code, where we found a new heap overflow in KSMBD’s authentication code.

    Conclusion

    As scary as these bugs sound, they aren’t that big of a deal for most Linux users, mainly because of two reasons: KSMBD is not enabled by default but it is a module, which means that the user has to enable and configure it by themselves, as documented here. It is also worth noting that, given the nature of the SMB protocol and its historical implication in large scale security incidents, one might rarely need to expose the SMB port directly to the internet, a practice that is generally discouraged.

    Reply
  29. Tomi Engdahl says:

    The QT suite has an issue, where Javascript embedded in QML (Qt Modeling Language) code could trigger one of two memory handling issues, and achieve RCE. There’s a bit of disagreement between Cisco Talos and QT, as to whether this is a simple bug, or security vulnerability. QML code is explicitly intended to be user interface code for applications, and should never execute untrusted code.

    Vulnerability Spotlight: Integer and buffer overflow vulnerabilities found in QT QML
    https://blog.talosintelligence.com/vulnerability-spotlight-integer-and-buffer-overflow-vulnerabilities-found-in-qt-qml/

    Emma Reuter and Theo Morales of ASIG and Aleksandar Nikolic of Cisco Talos discovered these vulnerabilities.

    Cisco ASIG and Cisco Talos recently discovered code execution vulnerabilities in QT QML.

    Qt is a popular software suite primarily used to create graphical user interfaces. It also contains several supporting libraries which all aim to enable cross-platform application development with a unified programming API.

    QT has responded to vulnerability notifications with this statement: “We have analyzed your report, and our evaluation is that this is not a security issue, even though it is a real bug. Qt’s QML and JavaScript support is explicitly not designed for untrusted content… Each application that is passing untrusted input to QtQml needs to have an advisory instead and must thoroughly check their inputs.”

    This advisory concerns:

    TALOS-2022-1617 (CVE-2022-40983), in which Javascript code can trigger an integer overflow during memory allocation, which can lead to arbitrary code execution. A target application would need to access a malicious web page to trigger this vulnerability.

    Secondarily, TALOS-2022-1650 (CVE-2022-43591) can involve an out-of-bounds memory access, leading to arbitrary code execution.

    Cisco Talos believes these are potential security issues and notified QT of the issues all in adherence to Cisco’s vulnerability disclosure policy.

    Reply
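    Both this Qt bug and the KSMBD one two comments up are bounds checks that look complete but do their arithmetic in the wrong order or the wrong width: KSMBD subtracts a fixed header size from a 16-bit length that was never checked to be at least that large, and the QML bug overflows while computing an allocation size. The C program below is an added example written for this page, not code from the Linux kernel, Qt, Sysdig or Talos: a toy length derivation and a toy allocation-size computation, each beside the version that rejects bad input before doing arithmetic on it. RESP_HDR_LEN, ALLOC_CAP and the field widths are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed fixed-size prefix inside the sub-blob (illustrative constant). */
#define RESP_HDR_LEN 24u

/* Vulnerable length derivation. `off` and `len` are 16-bit fields read from
 * the untrusted header; `blob_len` is how many bytes actually arrived.
 * The range check is real and correct, but the subtraction after it assumes
 * len >= RESP_HDR_LEN. With len = 1 the 16-bit result wraps to 65513, and the
 * caller would then copy that many bytes out of a 64-byte blob.
 * Returns the byte count the caller would use; 0 means rejected. */
size_t payload_len_vuln(uint16_t off, uint16_t len, size_t blob_len)
{
    if ((size_t)off + len > blob_len)
        return 0;
    uint16_t body = (uint16_t)(len - RESP_HDR_LEN); /* wraps when len < 24 */
    return body;
}

/* Hardened: refuse short lengths before touching them, so the subtraction
 * can never go below zero. */
size_t payload_len_safe(uint16_t off, uint16_t len, size_t blob_len)
{
    if (len < RESP_HDR_LEN)
        return 0;
    if ((size_t)off + len > blob_len)
        return 0;
    return (size_t)len - RESP_HDR_LEN;
}

/* Vulnerable allocation size: element count from the input times the element
 * size, computed in 32 bits. 0x40000001 * 4 wraps to 4, so the buffer is four
 * bytes while a fill loop over `count` elements still runs 0x40000001 times. */
uint32_t array_bytes_vuln(uint32_t count, uint32_t elem_size)
{
    return count * elem_size;
}

/* Hardened: checked multiply (GCC/Clang builtin) plus an explicit cap on what
 * this parser is ever willing to allocate. Returns 0 on rejection. */
#define ALLOC_CAP (16u * 1024u * 1024u)   /* assumed policy limit */
size_t array_bytes_safe(uint32_t count, uint32_t elem_size)
{
    size_t bytes;
    if (__builtin_mul_overflow((size_t)count, (size_t)elem_size, &bytes))
        return 0;
    if (bytes == 0 || bytes > ALLOC_CAP)
        return 0;
    return bytes;
}

int main(void)
{
    printf("len=1   vuln=%zu safe=%zu\n",
           payload_len_vuln(0, 1, 64), payload_len_safe(0, 1, 64));
    printf("len=40  vuln=%zu safe=%zu\n",
           payload_len_vuln(8, 40, 64), payload_len_safe(8, 40, 64));
    printf("count=0x40000001 vuln=%u safe=%zu\n",
           array_bytes_vuln(0x40000001u, 4), array_bytes_safe(0x40000001u, 4));
    return 0;
}
```

    The range check in payload_len_vuln passes for len = 1 because off + len is tiny; the wrap happens one line later, and 65513 is the value a memcpy would be handed. __builtin_mul_overflow is a GCC/Clang extension; the portable equivalent is to test count > SIZE_MAX / elem_size before multiplying.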
  30. Tomi Engdahl says:

    ”We have hijacked your account” – Hannele Lauri was extorted for money this morning with a cruel message, lost her livelihood
    https://www.iltalehti.fi/viihdeuutiset/a/6431acae-9971-4392-bb81-c9f4c18ab94a

    Hannele Lauri's now-deleted Instagram account had over 22 thousand followers.

    Actress Hannele Lauri received a frightening message on her phone on Tuesday 31 January. An unknown number wrote to Lauri in a WhatsApp message that she had to send money or her Instagram account would be deleted.

    – We have hijacked your account. If you want your account back, you have to pay. Contact us, the message read in English.

    Lauri did not give in to the extortion, and soon she noticed that her Instagram account was gone. Lauri tells Iltalehti that she is really furious about the situation.

    Reply
  31. Tomi Engdahl says:

    Realtek Vulnerability Under Attack: Over 134 Million Attempts to Hack IoT Devices https://thehackernews.com/2023/01/realtek-vulnerability-under-attack-134.html
    Researchers are warning about a spike in exploitation attempts weaponizing a now-patched critical remote code execution flaw in Realtek Jungle SDK since the start of August 2022. According to Palo Alto Networks Unit 42, the ongoing campaign is said to have recorded 134 million exploit attempts as of December 2022, with 97% of the attacks occurring in the past four months

    Reply
  32. Tomi Engdahl says:

    Riot Games refuses to pay ransom to avoid League of Legends leak https://www.malwarebytes.com/blog/news/2023/01/stolen-code-from-riot-games-already-being-auctioned-off
    After confirming threat actors were able to steal some of its code, Riot Games has also revealed that it received a ransom email from its attacker. The attackers are demanding $10 million to stop them leaking source code from League of Legends and other games

    Reply
  33. Tomi Engdahl says:

    Pro-Russian DDoS attacks raise alarm in Denmark, U.S.
    https://therecord.media/ddos-denmark-us-russia-killnet/
    Distributed denial-of-service (DDoS) attacks by pro-Russian hacking groups are causing alarm in the U.S. and Denmark after several incidents affected websites of hospitals and government offices in both countries. On Tuesday, Denmark announced that it was raising its cyber risk alert level after weeks of attacks on banks and the country's defense ministry

    Reply
  34. Tomi Engdahl says:

    Microsoft releases emergency updates to fix XPS display issues https://www.bleepingcomputer.com/news/microsoft/microsoft-releases-emergency-updates-to-fix-xps-display-issues/
    Microsoft has released out-of-band (OOB) updates for some .NET Framework and .NET versions to address XPS display issues triggered by December 2022 cumulative security updates. Users will experience null reference exceptions and images or glyphs displaying incorrectly when viewing XPS documents rendered using affected Windows Presentation Foundation (WPF) based apps

    Reply
  35. Tomi Engdahl says:

    Microsoft’s Verified Publisher Status Abused in Email Theft Campaign
    https://www.securityweek.com/microsofts-verified-publisher-status-abused-in-email-theft-campaign/

    Microsoft and Proofpoint are warning organizations that use cloud services about a recent consent phishing attack that abused Microsoft’s ‘verified publisher’ status.

    Reply
  36. Tomi Engdahl says:

    Vulnerabilities
    Critical QNAP Vulnerability Leads to Code Injection
    https://www.securityweek.com/critical-qnap-vulnerability-leads-to-code-injection/

    QNAP warns users of a critical vulnerability that allows attackers to inject malicious code on NAS devices.

    Reply
  37. Tomi Engdahl says:

    GitHub Revokes Code Signing Certificates Following Cyberattack
    https://www.securityweek.com/github-revokes-code-signing-certificates-following-cyberattack/

    GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.

    Reply
  38. Tomi Engdahl says:

    Russian Millionaire on Trial in Hack, Insider Trade Scheme
    https://www.securityweek.com/russian-millionaire-on-trial-in-hack-insider-trade-scheme/

    Russian Vladislav Klyushin made tens of millions of dollars by hacking into U.S. computer networks to steal insider information.

    A wealthy Russian businessman and associates made tens of millions of dollars by cheating the stock market in an elaborate scheme that involved hacking into U.S. computer networks to steal insider information about companies such as Microsoft and Tesla, a prosecutor told jurors on Monday.

    Vladislav Klyushin, the owner of a Moscow-based information technology company with ties to the upper levels of the Russian government, is standing trial in a Boston federal court nearly two years after he was arrested after landing in Switzerland on a private jet for a skiing trip.

    He’s the only Russian national charged in the nearly $90 million scheme who has been arrested and extradited to the U.S.; four accused co-conspirators — including a Russian military intelligence officer who’s also been charged with meddling in the 2016 presidential election — remain at large.

    Reply
  39. Tomi Engdahl says:

    Data Breaches
    British Retailer JD Sports Discloses Data Breach Affecting 10 Million Customers
    https://www.securityweek.com/british-retailer-jd-sports-discloses-data-breach-affecting-10-million-customers/

    JD Sports discovers unauthorized access to information from orders placed by customers between 2018 and 2020.

    Reply
