Cyber security news February 2023

This posting is here to collect cyber security news in February 2023.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.

390 Comments

  1. Tomi Engdahl says:

    Sean Hollister / The Verge:
    Anker admits its Eufy security cameras are not natively E2E encrypted and produced unencrypted video streams for Eufy’s web portal, but says the flaws are fixed — / Anker admits its always-encrypted cameras weren’t always encrypted — and promises to do better. … First, Anker told us it was impossible.

    Anker finally comes clean about its Eufy security cameras
    https://www.theverge.com/23573362/anker-eufy-security-camera-answers-encryption

    Anker admits its always-encrypted cameras weren’t always encrypted — and promises to do better.

    First, Anker told us it was impossible. Then, it covered its tracks. It repeatedly deflected while utterly ignoring our emails. So shortly before Christmas, we gave the company an ultimatum: if Anker wouldn’t answer why its supposedly always-encrypted Eufy cameras were producing unencrypted streams — among other questions — we would publish a story about the company’s lack of answers.

    It worked.

    In a series of emails to The Verge, Anker has finally admitted its Eufy security cameras are not natively end-to-end encrypted — they can and did produce unencrypted video streams for Eufy’s web portal, like the ones we accessed from across the United States using an ordinary media player.

    But Anker says that’s now largely fixed. Every video stream request originating from Eufy’s web portal will now be end-to-end encrypted — like they are with Eufy’s app — and the company says it’s updating every single Eufy camera to use WebRTC, which is encrypted by default. Reading between the lines, though, it seems that these cameras could still produce unencrypted footage upon request.

    Reply
  2. Tomi Engdahl says:

    Bill Toulas / BleepingComputer:
    Microsoft disabled multiple fraudulent, verified Microsoft Cloud Partner Program accounts for creating malicious OAuth apps used to steal customers’ emails — Microsoft has disabled multiple fraudulent, verified Microsoft Partner Network accounts for creating malicious OAuth applications …

    https://www.bleepingcomputer.com/news/security/microsoft-disables-verified-partner-accounts-used-for-oauth-phishing/

    Reply
  3. Tomi Engdahl says:

    Varo, vaarallinen kiinalainen haittaohjelma saastuttaa USB-tikut
    https://etn.fi/index.php/13-news/14537-varo-vaarallinen-kiinalainen-haittaohjelma-saastuttaa-usb-tikut

    Tietoturvayhtiö Palo Alto Networksin turvallisuusuhkien yksikkö Unit 42 on julkaissut tietopaketin USB-laitteita tartuttavasta haittaohjelmasta. Erikoiseksi löydöksen tekee se, että haittakoodi kykeni ja pyrki tartuttamaan irrotettavia USB-laitteita ja piilottamaan itsensä.

    Tutkiessaan Black Basta -murtautumistapausta, Unit 42 havaitsi erityislaatuisen yhdistelmän haittaohjelmia. GootLoader- ja Brute Ratel C4 -haittaohjelmien lisäksi Unit 42 löysi hyökkäystoimien kohteesta vanhan näytteen PlugX-haittaohjelmasta. Matomainen virusohjelma kykenee siirtymään esimerkiksi USB-muistitikulle ja monistamaan siitä itsensä muihin tietokoneisiin, joissa samaa USB-laitetta käytetään.

    Reply
  4. Tomi Engdahl says:

    Counterfeit Cisco Hardware Bypasses Security Checks With Modchips
    https://hackaday.com/2023/02/01/counterfeit-cisco-hardware-bypasses-security-checks-with-modchips/

    Some pictures recently surfaced on social media, showing a small PCB tapped into four points on Cisco-branded boards. What is this about? A NSA backdoor so data can be exfiltrated to some third party? Well, that’s theoretically possible, but it’s actually used for bypassing hardware authenticity checks in Cisco hardware being cloned — a sizable industry. Of course, “can’t believe it’s not Cisco” hardware is only valuable insofar that it’s able to run the Cisco software, and that’s where the bodge boards play a major role.

    A 2020 report by F-Secure details an investigation, comparing three switches marked as Cisco 2960X – one known genuine and two known counterfeits. The counterfeits had the aforementioned implants either soldered to the bottom of the PCB or added to the board as a separate component, and the paper goes into why they’re important for successful counterfeiting.

    Apparently, these chips emulate or bypass an I2C EEPROM containing part of the code executed during the boot sequence, and Cisco depends on this EEPROM’s contents for authenticity verification.

    https://twitter.com/viniciusferrao/status/1285639870082363395

    https://www.f-secure.com/content/dam/press/ja/media-library/reports/F-Secure%20Report%20-%20The%20Fake%20Cisco%20(English).pdf

    Reply
  5. Tomi Engdahl says:

    Ransomware Leads to Nantucket Public Schools Shutdown
    https://www.securityweek.com/ransomware-leads-to-nantucket-public-schools-shutdown/

    Nantucket’s public schools shut its doors to students and teachers after a data encryption and extortion attack on its computer systems.

    Reply
  6. Tomi Engdahl says:

    Google Fi Data Breach Reportedly Led to SIM Swapping
    https://www.securityweek.com/google-fi-data-breach-reportedly-led-to-sim-swapping/

    Google Fi informs customers about a data breach related to the recent T-Mobile cyberattack and some users claim they were targeted in a SIM swapping attack

    The Google Fi telecommunications service has informed customers about a data breach that appears to be related to the recently disclosed T-Mobile cyberattack.

    Google Fi, which provides wireless phone and internet services, has told customers that the breach is related to its primary network provider, without naming it.

    However, T-Mobile is Google Fi’s primary network provider, which means the incident is likely related to the hacker attack disclosed by the wireless carrier in mid-January.

    Google Fi said there had been unauthorized access to a third-party customer support system containing a “limited amount” of customer data. This data includes phone number, account activation date, mobile service plan, SIM card serial number, and account status.

    Reply
  7. Tomi Engdahl says:

    Unpatched Econolite Traffic Controller Vulnerabilities Allow Remote Hacking
    https://www.securityweek.com/unpatched-econolite-traffic-controller-vulnerabilities-allow-remote-hacking/

    Serious vulnerabilities found in Econolite EOS traffic controller software can be exploited to control traffic lights, but the flaws remain unpatched.

    A researcher has discovered two potentially serious vulnerabilities affecting Econolite traffic controllers. Exploitation of the security flaws can have serious real-world impact, but they remain unpatched.

    Cyber offensive researcher Rustam Amin informed the US Cybersecurity and Infrastructure Security Agency (CISA) that he had identified critical and high-severity vulnerabilities in Econolite EOS, a traffic controller software developed for the Econolite Cobalt and other advanced transportation controllers (ATC).

    The California-based vendor’s website says it has deployed more than 360 systems, 150,000 traffic cabinets, 120,000 traffic controllers, and over 160,000 sensors. In December 2022, the company reported reaching more than 10,000 installations of its EOS software.

    Amin discovered two types of vulnerabilities. One, rated ‘critical severity’ and tracked as CVE-2023-0452, has been described by CISA as an issue related to the use of a weak algorithm for hashing privileged user credentials.

    “A configuration file that is accessible without authentication uses MD5 hashes for encrypting credentials, including those of administrators and technicians,” CISA said in its advisory.

    Reply
  8. Tomi Engdahl says:

    30k Internet-Exposed QNAP NAS Devices Affected by Recent Vulnerability
    https://www.securityweek.com/30k-internet-exposed-qnap-nas-devices-affected-by-recent-vulnerability/

    Censys finds 30,000 internet-exposed QNAP appliances that are likely affected by a recently disclosed critical code injection vulnerability.

    Reply
  9. Tomi Engdahl says:

    Prilex PoS Malware Blocks NFC Transactions to Steal Credit Card Data
    https://www.securityweek.com/prilex-pos-malware-blocks-nfc-transactions-to-steal-credit-card-data/

    The Prilex point-of-sale (PoS) malware has been modified to block contactless transactions to force the insertion of credit cards and steal their information.

    Reply
  10. Tomi Engdahl says:

    Google sponsored ads malvertising targets password manager https://www.malwarebytes.com/blog/threat-intelligence/2023/01/google-sponsored-ads-malvertising-targets-password-manager
    Searching for “1password” we noticed two different sponsored advertisements as the top results. The first one leads to the legitimate domain 1password[.]com, but the second one points to start1password[.]com. Both claim to be for 1Password and both are https sites. Which makes it very hard for someone who is unfamiliar with the brand to determine which one to follow

    Reply
  11. Tomi Engdahl says:

    New data wipers deployed against Ukraine https://www.malwarebytes.com/blog/threat-intelligence/2023/01/new-data-wipers-deployed-by-sandworm-group-against-ukraine
    As war in Ukraine rages, new destructive malware continues to be discovered. In a recent tweet, the Ukrainian Computer Emergency Response Team (CERT-UA) named five wipers used against Ukrinform, Ukraines national news agency. It suspects a link to

    Reply
  12. Tomi Engdahl says:

    Attackers abuse Microsofts ‘verified publisher’ status to steal data https://www.theregister.com/2023/02/01/microsoft_oauth_attack_proofpoint/
    Miscreants using malicious OAuth applications abused Microsoft’s “verified publisher” status to gain access to organizations’ cloud environments, then steal data and pry into to users’ mailboxes, calendars, and meetings. According to researchers with Proofpoint, which uncovered the campaign in early December, hijacking the “verified publisher” status enabled the cybercriminals to satisfy some of Microsoft’s requirements for distributing OAuth applications

    Reply
  13. Tomi Engdahl says:

    New DDoS-as-a-Service platform used in recent attacks on hospitals https://www.bleepingcomputer.com/news/security/new-ddos-as-a-service-platform-used-in-recent-attacks-on-hospitals/
    A new DDoS-as-a-Service (DDoSaaS) platform named ‘Passion’ was seen used in recent attacks by pro-Russian hacktivists against medical institutions in the United States and Europe. A DDoS (distributed denial of service) attack is when threat actors send many requests and garbage traffic to a target server to overwhelm the server and cause it to stop responding to legitimate requests. DDoSaaS platforms rent their available firepower to those looking to launch disruptive attacks on their targets, absolving them from the need to build their own large botnets or coordinate volunteer action

    Reply
  14. Tomi Engdahl says:

    Natasha Singer / New York Times:
    Drug discount app GoodRx agrees to pay $1.5M to settle with the FTC, which said the company wrongfully gave intimate health info to Meta, Google, and others — The popular drug discount app deceptively shared details on users’ illnesses and medicines with ad firms, regulators said in a legal complaint.

    https://www.nytimes.com/2023/02/01/business/goodrx-user-data-facebook-google.html

    Reply
  15. Tomi Engdahl says:

    VMware Confirms Exploit Code Released for Critical vRealize Logging Vulnerabilities
    https://www.securityweek.com/vmware-confirms-exploit-code-released-for-critical-vrealize-logging-vulnerabilities/

    VMware confirms the publication of exploit code and urged VMware vRealize Log Insight users to implement mitigations immediately.

    The urgency to patch a trio of dangerous security flaws in a VMware virtual appliance product escalated this week after exploit code was published on the internet.

    VMware confirmed the publication of exploit code in an update to its VMSA-2023-0001 bulletin and called on customers using its VMware vRealize Log Insight product to implement mitigations as a matter of urgency.

    The vulnerabilities, tracked as CVE-2022-31706, CVE-2022-31704 and CVE-2022-31710, are rated critical with CVSS severity scores of 9.8 out of 10.

    The security defects affect users of its VMware vRealize Log Insight and could be exploited by an unauthenticated attacker to take full control of a target system.

    Reply
  16. Tomi Engdahl says:

    Malicious NPM, PyPI Packages Stealing User Information
    https://www.securityweek.com/malicious-npm-pypi-packages-stealing-user-information/

    Security researchers are warning of a new wave of malicious NPM and PyPI packages designed to steal user information and download additional payloads.

    Node.js (NPM) and Python (PyPI) repositories are the preferred targets for malicious packages, mainly because code execution can be triggered during package installation, Check Point notes.

    In a new report, the cybersecurity firm says it has identified two malicious Python packages that fit this description.

    Reply
  17. Tomi Engdahl says:

    Dutch, European Hospitals ‘Hit by Pro-Russian Hackers’
    https://www.securityweek.com/dutch-european-hospitals-hit-by-pro-russian-hackers/

    Dutch cyber authorities said several hospital websites in the Netherlands and Europe were likely targeted by a pro-Kremlin hacking group because of their countries’ support for Ukraine.

    Reply
  18. Tomi Engdahl says:

    Tietomurtojen sarjassa varastettiin sotilas­teknologiaa – suomalais­yhtiö nimesi tekijän https://www.is.fi/digitoday/tietoturva/art-2000009362904.html

    Reply
  19. Tomi Engdahl says:

    IoT Security
    EV Charging Management System Vulnerabilities Allow Disruption, Energy Theft
    https://www.securityweek.com/ev-charging-management-system-vulnerabilities-allow-disruption-energy-theft/

    Vulnerabilities in electric vehicle charging management systems can be exploited for DoS attacks and to steal energy or sensitive information.

    Researchers warn that many electric vehicle (EV) charging management systems are affected by vulnerabilities that could allow hackers to cause disruption, steal energy, or obtain driver information.

    The vulnerabilities were discovered by researchers working for SaiFlow, an Israel-based company that specializes in protecting EV charging infrastructure and distributed energy resources.

    The security holes are related to the communications between the charging system management service (CSMS) and the EV charge point (CP), specifically the use of the Open Charge Port Protocol (OCPP). The flaws have been confirmed to impact the CSMS offered by multiple vendors.

    The problem is related to the use of WebSocket communications by the OCPP and how it mishandles multiple connections. The protocol does not know how to handle more than one CP connection at a time and attackers could abuse this by opening a new connection to the CSMS. Another issue is related to what SaiFlow describes as “weak OCPP authentication and chargers identities policy”.

    By opening a new connection to the CSMS on behalf of a charge point, the attacker causes the original connection to be closed or to become nonfunctional.

    According to SaiFlow, an attacker can exploit the weaknesses to launch a distributed denial-of-service (DDoS) attack that disrupts the electric vehicle supply equipment (EVSE) network. In addition, if an attacker can connect to the CSMS, they may be able to obtain drivers’ personal information, including payment card data, as well as other sensitive data, such as server credentials.

    Reply
  20. Tomi Engdahl says:

    Suurin osa Pentagonin alihankkijoista ei täytä tietoturvavaatimuksia
    https://etn.fi/index.php/13-news/14547-suurin-osa-pentagonin-alihankkijoista-ei-taeytae-tietoturvavaatimuksia

    Ensimmäinen perusteellinen analyysi Yhdysvaltain puolustusteollisuuden kyberturvallisuuden tilasta paljastaa, että lähes 90 prosenttia puolustushallinnon urakoitsijoista ei täytä vaadittuja turvallisuusstandardeja. Näillä urakoitsijoilla on hallussaan arkaluonteisia kansallisia turvallisuustietoja, ja ne joutuvat jatkuvasti valtion tukemien hakkerien hyökkäysten kohteeksi, kertoo AtlasVPN.

    Puolustusteollisuuden perussektori on teollisuuskompleksi, joka vastaa sotilasasejärjestelmien tutkimuksesta, kehittämisestä, tuotannosta, toimittamisesta ja ylläpidosta. Pentagonin toimitusketjun perusteellisen analyysin toteutti Merrill Research. Heinäkuussa 2022 tehdyssä kyselyssä haastateltiin 300 Pentagonin amerikkalaista urakoitsijaa.

    Analyysi kattoi NASA,n puolustusministeriön, energiaministeriön, veteraanien asioiden ministeriön, kotimaan turvallisuuden osaston ja oikeusministeriön toiminnot. Kyseisten osastojen toimitusketjua arvioitiin SPRS-järjestelmällä, joka on puolustusministeriön ainoa valtuutettu järjestelmä toimittajien turvallisuuden suorituskykytietojen hakemiseen.

    Toimittajia pisteytetään suhteessa FARS-vaatimuksiin.

    Tulokset tarkoittavat, että käytännössä, että USA:n kansallinen turvallisuus on jatkuvasti uhattuna.

    Nearly 90% of the Pentagon supply chain fails basic cybersecurity requirements
    https://atlasvpn.com/blog/nearly-90-of-the-pentagon-supply-chain-fails-basic-cybersecurity-requirements

    The first-ever thorough analysis of the state of cybersecurity of the US defense industrial base (DIB) reveals that nearly 90% of its contractors do not meet the required security standards.

    Defense contractors possess sensitive national security information and are being constantly targeted with sophisticated hacking operations led by state-sponsored hackers.

    The defense industrial base sector is an industrial complex that is responsible for the research, development, production, delivery, and maintenance of military weapons systems. The DIB provides products and services that are essential to mobilize, deploy, and sustain military operations.

    Reply
  21. Tomi Engdahl says:

    Pohjois-Korea hyökkäsi viime syksynä nimeämätöntä tahoa vastaan ja varasti 100 gigatavua tietoa https://www.is.fi/digitoday/tietoturva/art-2000009362904.html
    SUOMALAINEN tietoturvayhtiö WithSecure on julkaissut tarkempia tietoja viime elokuussa alkaneesta verkkohyökkäyksestä, jossa nimeämättömän uhrin verkkoon tunkeuduttiin muun muassa Zimbra-sähköpostiohjelmiston haavoittuvuuksien ja vanhaa Windows XP -käyttöjärjestelmää käyttäneen tietokoneen avulla. Seurauksena uhrilta vietiin noin 100 gigatavua tietoa. WithSecure uskoo hyökkäyksen olevan osa kampanjaa, jossa iskettiin sekä julkisia että yksityisiä tahoja vastaan. Kohteena olivat tutkimusorganisaatiot, lääketieteellinen tutkimus, energiasektori ja sen toimitusketju. USEIN kyberhyökkäysten alkuperä on epäselvä, ja tekijöistä voidaan esittää korkeintaan valistuneita arvauksia. WithSecure uskaltaa kuitenkin sanoa luottavaisesti, että hyökkäyskampanjan takana oli Pohjois-Korean hallituksen tukema Lazarus-ryhmä.

    Reply
  22. Tomi Engdahl says:

    Usb-laitteisiin tarttuva haittaohjelma ei tarvitse nettiyhteyttä levitäkseen https://www.is.fi/digitoday/tietoturva/art-2000009360508.html
    WINDOWS-tietokoneisiin levitetään PlugX-nimistä haittaohjelmaa, tietoturvayhtiö Palo Alto Networks kertoo. Haittaohjelma sinänsä on vanha, mutta siitä on löytynyt muunnos, joka pystyy leviämään irrotettavien usb-laitteiden välityksellä ja piilottamaan itsensä.
    PlugX-haittaohjelmaa on tavattu monissa eri yhteyksissä. Se on jäljitetty muun muassa Kiinaan ja sitä on tavattu erilaisten rikollisryhmien käytössä PALO Alto ei nimeä usb-hyökkäysten tekijää, mutta yhtiön mukaan yksi mahdollinen syyllinen on Black Basta -niminen kiristysjengi, joka on hyökännyt lukuisia organisaatioita vastaan viime keväästä lukien.

    Reply
  23. Tomi Engdahl says:

    Valmistaja myönsi viimein: Suomessakin myydyissä turvakameroissa ei ollutkaan väitettyä salausta https://www.tivi.fi/uutiset/tv/bed27d6c-ec72-4f52-ad67-472a07ce256e
    Eufy-brändin alla myytäviä turvakameroita valmistava Anker on viimein myöntänyt ongelmat ja puutteet kameroidensa tietoturvassa. Samalla yhtiö myönsi sössineensä viestinnän perusteellisesti. Älykkäisiin valvontakameroihin ja niiden kanssa käytettäviin sovelluksiin ja palveluihin liittyi useita huolia. Yksi oli se, että kamerat saattoivat lähettää pilveen videoiden esikatselukuvakkeita, joista saattoi olla tunnistettavissa ihmisiä, eikä pilvitallennuksen vaatimustenmukaisuudesta juuri ollut selkoa. Mahdollisesti vielä huolestuttavampi oli tietoturvatutkijoiden esille nostama ja The Vergen vahvistama havainto, että kameroiden lähettämää suoraa videolähetystä saattoi katsella verkon yli aivan tavallisella mediasoitinsovelluksella, kunhan tiedossa oli verkko-osoite, josta lähetys löytyi. Näin siis oli siitä huolimatta, että valmistaja itse väitti kaiken videon liikkuvan verkossa täysin päästä päähän salattuna, jolloin kukaan sivullinen ei voisi siihen päästä käsiksi.

    Reply
  24. Tomi Engdahl says:

    Venäjän iskut saivat Tanskan ja Yhdysvallat nostamaan kybervalmiustasoaan myös suomalaisia kohteita nimetty
    https://www.tivi.fi/uutiset/tv/c062e3b8-b20a-4655-9ae3-340717d681c6
    Venäläisten hyökkääjien palvelunestohyökkäykset ovat kiinnittäneet huomiota Tanskassa ja Yhdysvalloissa. Iskuja on kohdistettu molemmissa maissa esimerkiksi sairaaloiden ja valtion virastojen sivustoihin, kertoo The Record. Hakkereiden Nato-maihin kohdistamat iskut saivat Tanskan nostamaan kyberriskivalmiustasoaan, maan kyberturvallisuuskeskus kertoi Twitterissä tiistaina. Myös suomalaisia sairaaloita on otettu venäläisen hakkeriryhmän tähtäimeen.
    Viikonloppuna 28.29. tammikuuta Husin verkkosivuilla oli toimimattomuutta ja häiriöitä palvelunestohyökkäyksen vuoksi.

    Reply
  25. Tomi Engdahl says:

    Password-stealing vulnerability reported in KeePass bug or feature?
    https://nakedsecurity.sophos.com/2023/02/01/password-stealing-vulnerability-reported-in-keypass-bug-or-feature/
    Now its KeePasss turn to be in the news, this time for yet another cybersecurity issue: an alleged vulnerability, the jargon term used for software bugs that lead to cybersecurity holes that attackers might be able to exploit for evil purposes. Were referring to it as a vulnerability here because it does have an official bug identifier, issued by the US National Institute for Standards and Technology. The bug has been dubbed CVE-2023-24055: Attacker who has write access to the XML configuration file can obtain the cleartext passwords by adding an export trigger. The tricky question, however, is, “Is this really a bug, or is it just a powerful feature that could be abused?”
    Simply put, is it a vulnerability if someone who already has control of your account can mess with files that your account is supposed to be able to access anyway?

    Reply
  26. Tomi Engdahl says:

    Google Fi data breach let hackers carry out SIM swap attacks https://www.bleepingcomputer.com/news/security/google-fi-data-breach-let-hackers-carry-out-sim-swap-attacks/
    Google Fi, Google’s U.S.-only telecommunications and mobile internet service, has informed customers that personal data was exposed by a data breach at one of its primary network providers, with some customers warned that it allowed SIM swapping attacks. Google sent notices of a data breach to Google Fi customers this week, informing them that the incident exposed their phone numbers, SIM card serial numbers, account status (active or inactive), account activation date, and mobile service plan details. Google clarified that the breached systems did not hold sensitive details such as full names, email addresses, payment card information, SSNs, tax IDs, government IDs, account passwords, or contents of SMS and phone calls.

    Reply
  27. Tomi Engdahl says:

    New Nevada Ransomware targets Windows and VMware ESXi systems https://www.bleepingcomputer.com/news/security/new-nevada-ransomware-targets-windows-and-vmware-esxi-systems/
    A relatively new ransomware operation known as Nevada seems to grow its capabilities quickly as security researchers noticed improved functionality for the locker targeting Windows and VMware ESXi systems. Nevada ransomware started to be promoted on the RAMP darknet forums on December 10, 2022, inviting Russian and Chinese-speaking cybercriminals to join it for an 85% cut from paid ransoms. Nevada ransomware features a Rust-based locker, real-time negotiation chat portal, separate domains in the Tor network for affiliates and victims.

    Reply
  28. Tomi Engdahl says:

    Arnold Clark customer data stolen in attack claimed by Play ransomware https://www.bleepingcomputer.com/news/security/arnold-clark-customer-data-stolen-in-attack-claimed-by-play-ransomware/
    Arnold Clark, self-described as Europe’s largest independent car retailer, is notifying some customers that their personal information was stolen in a December 23 cyberattack claimed by the Play ransomware group. The company said in emails sent to affected clients on Tuesday that the stolen data includes ID information and banking details

    Reply
  29. Tomi Engdahl says:

    Prilex PoS Malware Evolves to Block Contactless Payments to Steal from NFC Cards https://thehackernews.com/2023/02/prilex-pos-malware-evolves-to-block.html
    The Brazilian threat actors behind an advanced and modular point-of-sale (PoS) malware known as Prilex have reared their head once again with new updates that allow it to block contactless payment transactions. Having evolved out of ATM-focused malware into PoS malware over the years since going operational in 2014, the threat actor steadily incorporated new features that are designed to facilitate credit card fraud, including a technique called GHOST transactions.

    Reply
  30. Tomi Engdahl says:

    Hackers Abused Microsoft’s “Verified Publisher” OAuth Apps to Breach Corporate Email Accounts https://thehackernews.com/2023/02/hackers-abused-microsofts-verified.html
    Microsoft on Tuesday said it took steps to disable fake Microsoft Partner Network (MPN) accounts that were used for creating malicious OAuth applications as part of a phishing campaign designed to breach organizations’ cloud environments and steal email. “The applications created by these fraudulent actors were then used in a consent phishing campaign, which tricked users into granting permissions to the fraudulent apps,” the tech giant said. “This phishing campaign targeted a subset of customers primarily based in the U.K. and Ireland.” Consent phishing is a social engineering attack wherein users are tricked into granting permissions to malicious cloud applications, which can then be weaponized to gain access to legitimate cloud services and sensitive user data.

    Reply
  31. Tomi Engdahl says:

    Titan Stealer: A New Golang-Based Information Stealer Malware Emerges https://thehackernews.com/2023/01/titan-stealer-new-golang-based.html
    A new Golang-based information stealer malware dubbed Titan Stealer is being advertised by threat actors through their Telegram channel. “The stealer is capable of stealing a variety of information from infected Windows machines, including credential data from browsers and crypto wallets, FTP client details, screenshots, system information, and grabbed files,” Uptycs security researchers Karthickkumar Kathiresan and Shilpesh Trivedi said in a recent report.

    Reply
  32. Tomi Engdahl says:

    Global markets impacted by ransomware attack on financial software company https://therecord.media/global-markets-impacted-by-ransomware-attack-on-financial-software-company/
    A ransomware attack on Dublin-based software company ION Group has impacted the trading of financial derivatives on international markets. The ransomware attack was caused by the prolific Russia-based LockBit gang, according to ION correspondence cited by Bloomberg. The incident is contained to a specific environment, all the affected servers are disconnected, and remediation of services is ongoing.
    Further updates will be posted when available, IONs statement said.
    The attack is impacting the trading and clearing of exchange traded derivatives by ION customers across global markets, according to the Futures Industry Association (FIA).

    Reply
  33. Tomi Engdahl says:

    New APT34 Malware Targets The Middle East https://www.trendmicro.com/en_us/research/23/b/new-apt34-malware-targets-the-middle-east.html
    On December 2022, we identified a suspicious executable (detected by Trend Micro as Trojan.MSIL.REDCAP.AD) that was dropped and executed on multiple machines. Our investigation led us to link this attack to advanced persistent threat (APT) group APT34, and the main goal is to steal users credentials. Even in case of a password reset or change, the malware is capable of sending the new credentials to the threat actors. Moreover, after analyzing the backdoor variant deployed, we found the malware capable of new exfilteration techniques the abuse of compromised mailbox accounts to send stolen data from the internal mail boxes to external mail accounts controlled by the attackers. In this section, we describe the attack infection flow and its respective stages, as well as share details on how the group uses emails to steal and exfiltrate critical information.

    Reply
  34. Tomi Engdahl says:

    F5 BIG-IP Vulnerability Can Lead to DoS, Code Execution
    https://www.securityweek.com/f5-working-on-patch-for-big-ip-flaw-that-can-lead-to-dos-code-execution/

    A high-severity format string vulnerability in F5 BIG-IP can be exploited to cause a DoS condition and potentially execute arbitrary code.

    F5 warns of a high-severity format string vulnerability in BIG-IP that could allow an authenticated attacker to cause a denial-of-service (DoS) condition and potentially execute arbitrary code.

    Tracked as CVE-2023-22374, the security defect impacts iControl SOAP, an open API that enables communication between systems, which runs as root.

    The SOAP interface is accessible from the network, either via the BIG-IP management port and/or self IP addresses, and is restricted to administrative accounts.

    Rapid7, which identified the bug, explains that exploitation is possible by inserting format string specifiers into specific parameters that are passed into the syslog function, resulting in the service reading and writing memory addresses referenced from the stack.

    Reply
  35. Tomi Engdahl says:

    Flaw in Cisco Industrial Appliances Allows Malicious Code to Persist Across Reboots
    https://www.securityweek.com/flaw-in-cisco-industrial-appliances-allows-malicious-code-to-persist-across-reboots/

    Cisco this week announced patches for a high-severity command injection vulnerability allowing malicious code to persist across reboots.

    Cisco on Wednesday announced patches for a high-severity command injection vulnerability in the IOx application hosting environment that could allow malicious code to persist across reboots.

    Tracked as CVE-2023-20076, the security defect exists because parameters that are passed for the activation of an application are not completely sanitized.

    “An attacker could exploit this vulnerability by deploying and activating an application in the Cisco IOx application hosting environment with a crafted activation payload file. A successful exploit could allow the attacker to execute arbitrary commands as root on the underlying host operating system,” the tech giant explains in an advisory.

    According to Trellix, the cybersecurity firm that discovered the vulnerability, the issue resides in the DHCP Client ID option within the Interface Settings, which is not being correctly sanitized, leading to command injection.

    Furthermore, the bug bypasses mitigations to prevent persistence across reboots and system resets.

    “CVE-2023-20076 gains unrestricted access, allowing malicious code to lurk in the system and persist across reboots and firmware upgrades. Side-stepping this security measure means that if an attacker exploits this vulnerability, the malicious package will keep running until the device is factory reset or until it is manually deleted,” Trellix explains.

    When Pwning Cisco, Persistence is Key – When Pwning Supply Chain, Cisco is Key
    https://www.trellix.com/en-us/about/newsroom/stories/research/when-pwning-cisco-persistence-is-key-when-pwning-supply-chain-cisco-is-key.html

    Reply
  36. Tomi Engdahl says:

    HeadCrab Botnet Ensnares 1,200 Redis Servers for Cryptomining
    https://www.securityweek.com/headcrab-botnet-ensnares-1200-redis-servers-for-cryptomining/

    The sophisticated HeadCrab malware has infected at least 1,200 Redis servers and abused them for cryptomining.

    A sophisticated piece of malware named HeadCrab has ensnared at least 1,200 Redis servers worldwide, Aqua Security reports.

    Designed to run on secure networks, Redis servers do not have authentication enabled and are prone to unauthorized access if exposed to the internet.

    Redis servers can be set up in clusters, which allows for data to be divided and stored on multiple servers. The structure uses a master server and slave servers for data replication and synchronization, where the Slaveof command is used to designate slave servers.

    In an observed HeadCrab infection, this command was used to set victim servers as slaves to a Redis instance controlled by the attackers. Next, malicious modules from the master server were synchronized, to deploy the malware.

    https://blog.aquasec.com/headcrab-attacks-servers-worldwide-with-novel-state-of-art-redis-malware

    Reply
  37. Tomi Engdahl says:

    Sergiu Gatlan / BleepingComputer:
    A former employee of IoT manufacturer Ubiquiti pleaded guilty to stealing gigabytes of confidential data in December 2020 and extorting the company for ransom — Nickolas Sharp, a former Ubiquiti employee who managed the networking device maker’s cloud team, pled guilty today …

    Former Ubiquiti dev pleads guilty to trying to extort his employer
    https://www.bleepingcomputer.com/news/security/former-ubiquiti-dev-pleads-guilty-to-trying-to-extort-his-employer/

    Reply
  38. Tomi Engdahl says:

    Microsoft upgrades Defender to lock down Linux gear for its own good
    Ballmer thought this kernel was cancer, Nadella may disagree
    https://www.theregister.com/2023/01/31/microsoft_defender_linux/

    Reply
  39. Tomi Engdahl says:

    How Google’s Search Rival Could Use ChatGPT to Get a Leg Up
    The future of search is conversational, if ChatGPT’s viral success is anything to go by
    https://www.cnet.com/tech/mobile/how-google-search-rival-could-use-chatgpt-to-get-a-leg-up/

    Reply

Leave a Reply to Tomi Engdahl Cancel reply

Your email address will not be published. Required fields are marked *

*

*