Cyber security news February 2023

This posting is here to collect cyber security news in February 2023.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.

390 Comments

  1. Tomi Engdahl says:

    Until further notice, think twice before using Google to download software
    Over the past month, Google has been outgunned by malvertisers with new tricks.
    https://arstechnica.com/information-technology/2023/02/until-further-notice-think-twice-before-using-google-to-download-software/

    Reply
  2. Tomi Engdahl says:

    OpenSSH fixes double-free memory bug that’s pokable over the network
    https://nakedsecurity.sophos.com/2023/02/03/openssh-fixes-double-free-memory-bug-thats-pokable-over-the-network/

    Double-free bug fix
    OpenSSH version 9.2 just came out, and the release notes report as follows:

    This release contains fixes for […] a memory safety problem. [This bug] is not believed to be exploitable, but we report most network-reachable memory faults as security bugs.

    The bug affects sshd, the OpenSSH server (the -d suffix stands for daemon, the Unix name for the sort of background process that Windows calls a service).

    sshd(8): fix a pre-authentication double-free memory fault introduced in OpenSSH 9.1. This is not believed to be exploitable, and it occurs in the unprivileged pre-auth process that is subject to chroot(2) and is further sandboxed on most major platforms.

    The double-free bug happens in code that needs to run after a client has initiated a remote session, but before any key-agreement or authentication has taken place, so the vulnerability can, in theory, be triggered before any passwords or cryptographic keys have been presented for validation.

    What to do?
    As the OpenSSH team suggests, exploiting this bug will be hard, not least because of the limited privileges that the sshd program has while it’s setting up the connection for use.

    Nevertheless, they reported it as a security hole because that’s what it is, so make sure you’ve updated to OpenSSH 9.2.

    And if you’re writing code in C, remember that no matter how experienced you get, memory management is easy to get wrong…

    …so take care out there.

    Reply
  3. Tomi Engdahl says:

    Bad batch of Android apps with millions of downloads discovered in Play Store — delete them now
    By Anthony Spadafora published 6 days ago
    These misleading and malicious apps lead you to phishing pages
    https://www.tomsguide.com/news/bad-batch-of-android-apps-with-millions-of-downloads-discovered-in-play-store-delete-them-now

    Reply
  4. Tomi Engdahl says:

    Bloomberg:
    The LockBit ransomware gang claims that ION Trading UK paid a ransom after the group’s cyberattack on the software company upended derivatives trading globally — The hacking group behind the attack on ION Trading UK — the software firm that was struck by a cyberattack earlier this week …

    Ransomware Gang in Trading Hack Says Ransom Was Paid
    https://www.bloomberg.com/news/articles/2023-02-03/ion-removed-from-hacker-s-target-list-deadline-for-ransom-suspended

    Ion Trading representative declines to comment on ransom claim
    Hack of ION Trading upended derivatives trading around world

    Reply
  5. Tomi Engdahl says:

    Lawrence Abrams / BleepingComputer:
    Background check services TruthFinder and Instant Checkmate confirm a data breach after hackers leaked a 2019 database allegedly containing 20M customers’ info — PeopleConnect, the owners of the TruthFinder and Instant Checkmate background check services, confirmed they suffered a data breach …

    TruthFinder, Instant Checkmate confirm data breach affecting 20M customers
    https://www.bleepingcomputer.com/news/security/truthfinder-instant-checkmate-confirm-data-breach-affecting-20m-customers/

    Reply
  6. Tomi Engdahl says:

    Ryan Gallagher / Bloomberg:
    Interviews detail the Conti ransomware group’s 2021 attack on Ireland’s public health system; Conti seemingly called off the hack without getting a ransom

    When Hackers Hobbled Ireland’s Hospitals, They Took Themselves Down, Too
    https://www.bloomberg.com/news/features/2023-02-03/ireland-hospital-ransomware-attack-fractured-hacker-group-conti

    A 2021 ransomware attack froze the country’s biggest health system, showing some cybercriminals the line they didn’t want to cross.

    Reply
  7. Tomi Engdahl says:

    TgToxic Malware's Automated Framework Targets Southeast Asia Android Users https://www.trendmicro.com/en_us/research/23/b/tgtoxic-malware-targets-southeast-asia-android-users.html
    We look into an ongoing malware campaign we named TgToxic, targeting Android mobile users in Taiwan, Thailand, and Indonesia since July 2022. The malware steals users' credentials and assets such as cryptocurrency from digital wallets, as well as money from bank and finance apps. Analyzing the automated features of the malware, we found that the threat actor abused the legitimate test framework Easyclick to write a JavaScript-based automation script for functions such as clicks and gestures.

    Reply
  8. Tomi Engdahl says:

    Julius Kivimäki, suspected of the Vastaamo data breach, has been arrested in France https://www.is.fi/digitoday/art-2000009369911.html
    Julius Kivimäki, the suspect in the data breach targeting the psychotherapy centre Vastaamo, was arrested in France on Friday. French police detained Kivimäki under a European arrest warrant issued by Finland.
    Police will immediately begin proceedings to have the suspect extradited to Finland.

    Reply
  9. Tomi Engdahl says:

    Florida hospital takes IT systems offline after cyberattack https://www.bleepingcomputer.com/news/security/florida-hospital-takes-it-systems-offline-after-cyberattack/
    Tallahassee Memorial HealthCare (TMH) has taken its IT systems offline and suspended non-emergency procedures following a late Thursday cyberattack. While all its network systems were taken offline, TMH says this attack only impacted some of them.

    Reply
  10. Tomi Engdahl says:

    Post-Macro World Sees Rise in Microsoft OneNote Documents Delivering Malware https://thehackernews.com/2023/02/post-macro-world-sees-rise-in-microsoft.html
    In a continuing sign that threat actors are adapting well to a post-macro world, it has emerged that the use of Microsoft OneNote documents to deliver malware via phishing attacks is on the rise. Some of the notable malware families that are being distributed using this method include AsyncRAT, RedLine Stealer, Agent Tesla, DOUBLEBACK, Quasar RAT, XWorm, Qakbot, BATLOADER, and FormBook. Enterprise firm Proofpoint said it detected over 50 campaigns leveraging OneNote attachments in the month of January 2023 alone.

    Reply
  11. Tomi Engdahl says:

    Iranian OilRig Hackers Using New Backdoor to Exfiltrate Data from Govt. Organizations https://thehackernews.com/2023/02/iranian-oilrig-hackers-using-new.html
    The Iranian nation-state hacking group known as OilRig has continued to target government organizations in the Middle East as part of a cyber espionage campaign that leverages a new backdoor to exfiltrate data. “The campaign abuses legitimate but compromised email accounts to send stolen data to external mail accounts controlled by the attackers,” Trend Micro researchers Mohamed Fahmy, Sherif Magdy, and Mahmoud Zohdy said. While the technique in itself is not unheard of, the development marks the first time OilRig has adopted it in its playbook, indicating the continued evolution of its methods to bypass security protections. The advanced persistent threat (APT) group, also referred to as APT34, Cobalt Gypsy, Europium, and Helix Kitten, has been documented for its targeted phishing attacks in the Middle East since at least 2014.

    Reply
  12. Tomi Engdahl says:

    Switzerland's largest university confirms serious cyberattack https://therecord.media/switzerlands-largest-university-confirms-serious-cyberattack/
    The University of Zurich, Switzerland's largest university, announced on Friday it was the target of a serious cyberattack, which comes amid a wave of hacks targeting German-speaking institutions. The university's website is currently inaccessible, but the phone line to the press office is working. In a statement sent to The Record, a spokesperson described the incident as part of a current accumulation of attacks on educational and health institutions. Explaining this accumulation, they cited several attacks that have been carried out on universities in German-speaking countries in recent weeks, resulting in suspension of their IT services for extended periods of time. The attacks are usually carried out by compromising several individual accounts and systems. The identity of the attackers and the nature of the attack were not disclosed. The university said it was conducted by perpetrators acting in a very professional manner.

    Reply
  13. Tomi Engdahl says:

    Stealthy HeadCrab malware compromised 1,200 Redis servers worldwide https://www.scmagazine.com/analysis/vulnerability-management/stealthy-headcrab-malware-compromised-1200-redis-servers-worldwide
    At least 1,200 Redis database servers worldwide have been compromised by a sophisticated piece of malware since September 2021, while more than 2,800 uninfected servers remain at high risk of exploitation.
    Discovered by Asaf Eitani and Nitzan Yaakov, the Aqua Nautilus security researchers posted on the company's blog that the malware, which they're calling HeadCrab, was meticulously built by attackers and is undetectable using agentless and conventional anti-virus solutions.
    “The attackers seem to mainly target Redis servers and have a deep understanding and expertise in Redis modules and APIs as demonstrated by the malware,” the post read.

    Reply
  14. Tomi Engdahl says:

    US Downs Chinese Balloon Off Carolina Coast
    https://www.securityweek.com/us-downs-chinese-balloon-off-carolina-coast/

    U.S. fighter jets successfully shot down the high altitude spy balloon launched by and belonging to China.

    President Joe Biden said on Saturday that he ordered U.S. officials to shoot down the suspected Chinese spy balloon earlier this week and that national security leaders decided the best time for the operation was when it got over water.

    “They successfully took it down and I want to compliment our aviators who did it,” Biden said after getting off Air Force One en route to Camp David.

    Fighter jets shot down the giant white balloon off the Carolina coast after it traversed sensitive military sites across North America and became the latest flashpoint in tensions between Washington and Beijing.

    Defense Secretary Lloyd Austin said in a statement that Biden approved the shootdown on Wednesday, saying it should be done “as soon as the mission could be accomplished without undue risk to American lives under the balloon’s path.”

    Reply
  15. Tomi Engdahl says:

    TruthFinder, Instant Checkmate confirm data breach affecting 20M customers https://www.bleepingcomputer.com/news/security/truthfinder-instant-checkmate-confirm-data-breach-affecting-20m-customers/
    PeopleConnect, the owners of the TruthFinder and Instant Checkmate background check services, confirmed they suffered a data breach after hackers leaked a 2019 backup database containing the info of millions of customers. TruthFinder and Instant Checkmate are subscription-based services allowing customers to perform background checks on other people. When conducting background checks, the sites will use publicly scraped data, federal, state, and court records, criminal records, social media, and other sources.

    Reply
  16. Tomi Engdahl says:

    Massive ESXiArgs ransomware attack targets VMware ESXi servers worldwide https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/
    Admins, hosting providers, and the French Computer Emergency Response Team (CERT-FR) warn that attackers actively target VMware ESXi servers unpatched against a two-year-old remote code execution vulnerability to deploy ransomware. Tracked as CVE-2021-21974, the security flaw is caused by a heap overflow issue in the OpenSLP service that can be exploited by unauthenticated threat actors in low-complexity attacks.
    “According to current investigations, these attack campaigns appear to be exploiting the vulnerability CVE-2021-21974, for which a patch has been available since 23 February 2021,” CERT-FR said. “The systems currently targeted would be ESXi hypervisors in version 6.x and prior to 6.7.”

    Reply
  17. Tomi Engdahl says:

    Dashlane publishes its source code to GitHub in transparency push https://techcrunch.com/2023/02/02/dashlane-publishes-its-source-code-to-github-in-transparency-push/
    Password management company Dashlane has made its mobile app code available on GitHub for public perusal, a first step it says in a broader push to make its platform more transparent. The Dashlane Android app code is available now alongside the iOS incarnation, though it also appears to include the codebase for its Apple Watch and Mac apps even though Dashlane hasn't specifically announced that. The company said that it eventually plans to make the code for its web extension available on GitHub too. At first, the code will be open for auditing purposes only, but in the future it may start accepting contributions too; however, there is no suggestion that it will go all-in and allow the public to fork or otherwise re-use the code in their own applications.

    Reply
  18. Tomi Engdahl says:

    Microsoft alleges attacks on French magazine came from Iranian-backed group https://arstechnica.com/information-technology/2023/02/microsoft-alleges-attacks-on-french-magazine-came-from-iranian-backed-group/
    Microsoft said on Friday that an Iranian nation-state group already sanctioned by the US government was behind an attack last month that targeted the satirical French magazine Charlie Hebdo and thousands of its readers. The attack came to light on January 4, when a previously unknown group calling itself Holy Souls took to the Internet to claim it had obtained a Charlie Hebdo database that contained personal information for 230,000 of its customers. The post said the database was available for sale at the price of 20 BTC, or roughly $340,000 at the time. The group also released a sample of the data that included the full names, telephone numbers, and home and email addresses of people who had subscribed to, or purchased merchandise from, the publication. French media confirmed the veracity of the leaked data.

    Reply
  19. Tomi Engdahl says:

    NY attorney general forces spyware vendor to alert victims https://www.bleepingcomputer.com/news/security/ny-attorney-general-forces-spyware-vendor-to-alert-victims/
    The New York attorney general’s office has announced a $410,000 fine for a stalkerware developer who used 16 companies to promote surveillance tools illegally. Stalkerware (or spyware) platforms allow their customers to monitor other people’s phones without the users’ knowledge. In some, if not most cases, they’re also used to monitor the targets’ online activity and collect sensitive user information like their location that later could be used for blackmail or various other malicious purposes. Patrick Hinchy, the spyware vendor, also agreed to alert his customers’ victims that their phones are being secretly monitored using one of his multiple apps, including Auto Forward, Easy Spy, DDI Utilities, Highster Mobile, PhoneSpector, Surepoint, or TurboSpy.

    Reply
  20. Tomi Engdahl says:

    Video: Analyzing Malicious OneNote Documents
    https://isc.sans.edu/diary/rss/29512
    Didier Stevens: I recorded a video for my diary entry “Detecting (Malicious) OneNote Files”. It shows how I familiarized myself with the .one file format, enough to know how to extract embedded files, wrote a tool (onedump.py) and take a look at detection rules.
    https://youtu.be/PJ5oluVlEb8

    Reply
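As an added illustration of the kind of carving onedump.py does (this is my own example code, not Didier Stevens' tool or Microsoft's reference code), the block below walks a .one file looking for FileDataStoreObject blobs, which is where OneNote stores embedded files, and classifies each payload. The header and footer GUIDs, the .one file-type GUID and the 16+8+4+8 byte fixed header layout are taken from my reading of MS-ONESTORE and should be verified against the spec before you depend on them; the sample .one blob is constructed inline, including a decoy header with a nonsense length so the footer sanity check is exercised.

```python
"""Carve embedded files (FileDataStoreObject blobs) out of a OneNote .one file
and classify them. Added example; structure constants are assumptions from my
reading of MS-ONESTORE, not copied from any tool."""
import struct
import uuid
from dataclasses import dataclass

# Assumed layout (verify against MS-ONESTORE): FileDataStoreObject =
#   guidHeader(16) | cbLength(8, LE) | unused(4) | reserved(8) | FileData | guidFooter(16)
ONE_FILE_GUID = uuid.UUID("7B5C52E4-D88C-4DA7-AEB1-5378D02996D3").bytes_le    # guidFileType of .one
FDSO_HEADER_GUID = uuid.UUID("BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC").bytes_le  # guidHeader
FDSO_FOOTER_GUID = uuid.UUID("71FBA722-0F79-4A0B-BB13-899256426B24").bytes_le  # guidFooter
FDSO_FIXED_HEADER_LEN = 16 + 8 + 4 + 8

# Content heuristics for what tends to hide inside OneNote lures.
MAGIC_LABELS = (
    (b"MZ", "PE executable"),
    (b"\x7fELF", "ELF executable"),
    (b"#!", "script with shebang"),
)
TEXT_MARKERS = (
    (b"<script", "HTML/HTA with script"),
    (b"wscript", "WSH script"),
    (b"powershell", "PowerShell content"),
    (b"createobject(", "VBScript"),
    (b"@echo off", "batch script"),
)


@dataclass
class EmbeddedFile:
    offset: int      # file offset of the FileDataStoreObject header
    data: bytes
    verdict: str


def classify(data: bytes) -> str:
    """Cheap first-pass verdict: binary magic first, then text markers in the first 512 bytes."""
    for magic, label in MAGIC_LABELS:
        if data.startswith(magic):
            return label
    head = data[:512].lower()
    for marker, label in TEXT_MARKERS:
        if marker in head:
            return label
    return "no known executable magic"


def carve_embedded_files(blob: bytes) -> list[EmbeddedFile]:
    """Return every embedded file whose header, length and footer are consistent."""
    if not blob.startswith(ONE_FILE_GUID):
        raise ValueError("not a OneNote .one file (guidFileType mismatch)")
    found = []
    pos = blob.find(FDSO_HEADER_GUID)
    while pos >= 0:
        data_start = pos + FDSO_FIXED_HEADER_LEN
        if data_start > len(blob):
            break
        (length,) = struct.unpack_from("<Q", blob, pos + 16)
        data_end = data_start + length
        # The footer GUID must follow the payload (allowing a few bytes of alignment
        # padding, an assumption). A header whose cbLength points past the end of the
        # file or is not followed by the footer is a false hit or a corrupted object.
        footer_pos = -1
        if data_end <= len(blob):
            footer_pos = blob.find(FDSO_FOOTER_GUID, data_end, data_end + 8 + 16)
        if footer_pos < 0:
            pos = blob.find(FDSO_HEADER_GUID, pos + 1)
            continue
        data = blob[data_start:data_end]
        found.append(EmbeddedFile(pos, data, classify(data)))
        pos = blob.find(FDSO_HEADER_GUID, footer_pos + 16)
    return found


def build_fdso(data: bytes) -> bytes:
    """Serialize one FileDataStoreObject; used only to build the constructed sample."""
    return (FDSO_HEADER_GUID + struct.pack("<Q", len(data))
            + b"\x00" * 4 + b"\x00" * 8 + data + FDSO_FOOTER_GUID)


# Constructed sample: a .one-shaped blob with a PE-looking payload, a decoy header
# (huge cbLength, no footer) that must be skipped, and a harmless text blob.
SAMPLE_ONE = (
    ONE_FILE_GUID + b"\x00" * 32
    + build_fdso(b"MZ" + b"\x90" * 60 + b"This program cannot be run in DOS mode")
    + b"\x11" * 40
    + FDSO_HEADER_GUID + struct.pack("<Q", 1 << 40) + b"\x00" * 12   # decoy
    + b"\x22" * 40
    + build_fdso(b"just a plain text note")
    + b"\x33" * 16
)

if __name__ == "__main__":
    for f in carve_embedded_files(SAMPLE_ONE):
        print(f"offset 0x{f.offset:x}: {len(f.data)} bytes, {f.verdict}")
```

Run it on a real .one attachment by reading the file into `carve_embedded_files`; a PE or script verdict on anything embedded in a note that arrived by e-mail is enough reason to detonate it in a sandbox rather than open it.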
  21. Tomi Engdahl says:

    Hackers carried out thousands of attacks over the weekend; Finland was also hit
    https://yle.fi/a/74-20016489
    Italy's national cybersecurity agency (ACN) says that thousands of computer servers around the world were targeted by hackers over the weekend. According to the Italian news agency Ansa, attacks were carried out against France, Finland, Canada and the United States, among others. The majority of the attacks were so-called ransomware attacks, meaning the hackers tried to extort organisations and companies with malware and demanded a ransom to release the servers. The US cybersecurity authority announced on Sunday evening that it is currently assessing the impact and extent of the attacks.

    Reply
  22. Tomi Engdahl says:

    https://hackaday.com/2023/02/03/this-week-in-security-github-google-and-realtek/

    GitHub Desktop may have stopped working for you yesterday, February 2nd. The reason was an unauthorized access to some decidedly non-public repositories. The most serious bit of information that escaped was code signing certificates, notably used for GitHub Desktop and Atom. Those certificates were password protected, so it’s unlikely they’ve been abused yet. Even so, GitHub is taking the proper steps of revoking those certificates.

    The only active certificate that was revoked was used for signing the Mac releases of GitHub Desktop, so quite a few older versions of that software are no longer easily installed. If nothing else, it’s a reminder that even a project with a well run security team can have problems.

    Action needed for GitHub Desktop and Atom users
    Update to the latest version of Desktop and previous version of Atom before February 2.
    https://github.blog/2023-01-30-action-needed-for-github-desktop-and-atom-users/

    February 2, 2023 update: We have revoked all three certificates: two Digicert code signing certificates used for Windows and one Apple Developer ID certificate. If needed, you can download the latest version of GitHub Desktop from desktop.github.com and the latest version of Atom from atom/atom

    Reply
  23. Tomi Engdahl says:

    Feds Say Cyberattack Caused Suicide Helpline’s Outage
    https://www.securityweek.com/feds-say-cyberattack-caused-suicide-helplines-outage/

    A cyberattack caused a nearly daylong outage of the nation’s new 988 mental health helpline on Dec. 1, 2022, federal officials said

    Reply
  24. Tomi Engdahl says:

    F5 BIG-IP Vulnerability Can Lead to DoS, Code Execution
    https://www.securityweek.com/f5-working-on-patch-for-big-ip-flaw-that-can-lead-to-dos-code-execution/

    A high-severity format string vulnerability in F5 BIG-IP can be exploited to cause a DoS condition and potentially execute arbitrary code.

    Reply
  25. Tomi Engdahl says:

    Microsoft: Iran Unit Behind Charlie Hebdo Hack-and-Leak Op
    https://www.securityweek.com/microsoft-iran-unit-behind-charlie-hebdo-hack-and-leak-p/

    After French satirical magazine Charlie Hebdo launched a cartoon contest to mock Iran, an Iranian cyber unit retaliated in January.

    Reply
  26. Tomi Engdahl says:

    Cybercrime
    Fraudulent “CryptoRom” Apps Slip Through Apple and Google App Store Review Process

    Pig Butchering, also known as Sha Zhu Pan and CryptoRom, is an ugly name for an ugly scam.
    https://www.securityweek.com/fraudulent-cryptorom-apps-slip-through-apple-and-google-app-store-review-process/

    Reply
  28. Tomi Engdahl says:

    High-Severity Privilege Escalation Vulnerability Patched in VMware Workstation
    https://www.securityweek.com/high-severity-privilege-escalation-vulnerability-patched-in-vmware-workstation/

    VMware patches CVE-2023-20854, a vulnerability that can be exploited by a malicious hacker to delete arbitrary files.

    VMware has informed users about the availability of patches for a Workstation vulnerability that could be exploited by malicious hackers for privilege escalation.

    The flaw, tracked as CVE-2023-20854 and rated ‘high severity’, has been described by VMware as an arbitrary file deletion vulnerability affecting version 17.x on Windows.

    “A malicious actor with local user privileges on the victim’s machine may exploit this vulnerability to delete arbitrary files from the file system of the machine on which Workstation is installed,” VMware said in its advisory for CVE-2023-20854.

    The virtualization giant has credited Frederik Reiter of German cybersecurity firm Cirosec for reporting the vulnerability.

    In a message posted on Twitter, Cirosec said the security hole can be exploited by an attacker to escalate privileges to System. The company said it will release technical details in the upcoming period.

    Reply
  30. Tomi Engdahl says:

    Aktia bank sent 5 instructions to the victims of its data leak, but it took 10 days https://www.is.fi/digitoday/art-2000009371482.html
    Because of a botched system update at AKTIA BANK, dozens of the bank's customers saw other people's personal data after authenticating to services such as the Tax Administration's or Kela's online services on 24 January. Aktia only got instructions out a week and a half later to those customers who had seen others' data or whose data had been seen. [...] Mia Smeds, Aktia's head of external communications, says the bank contacted all affected customers as quickly as possible. According to Smeds, the bank has contacted everyone involved via online banking message and SMS.

    Reply
  31. Tomi Engdahl says:

    News of Finland being targeted by cyberattacks spread quickly; here is the authority's comment https://www.is.fi/digitoday/art-2000009374688.html
    An unknown party began attacking organisations around the world over the weekend. The attackers' goal was to get inside the targets' networks and take over computers for extortion. The Italian cyber authority reported the matter, as quoted by the news agency Ansa.
    The story has also been reported in Finland. However, the National Cyber Security Centre at the Finnish Transport and Communications Agency Traficom has not observed any exceptional activity directed specifically at Finland.

    Reply
  32. Tomi Engdahl says:

    Hackers hit Vesuvius, UK engineering company shuts down affected systems
    https://grahamcluley.com/hackers-hit-vesuvius-uk-engineering-company-shuts-down-affected-systems/

    Vesuvius, the London Stock Exchange-listed molten metal flow engineering company, says it has been hit by a cyber attack.

    This morning, Vesuvius issued an alert that it was “currently managing a cyber incident.”

    Vesuvius plc, a global leader in molten metal flow engineering and technology, is currently managing a cyber incident. The incident has involved unauthorised access to our systems.

    Immediately upon becoming aware of unauthorised activity on our networks, we have taken the necessary steps to investigate and respond to the incident, including shutting down affected systems. We are working with leading cyber security experts to support our investigations and identify the extent of the issue, including the impact on production and contract fulfilment.

    We are taking steps to comply with all relevant regulatory obligations in light of the information that emerges from our ongoing investigations.

    Reply
  33. Tomi Engdahl says:

    Earthquake in Turkey and Syria: Be Aware of Possible Donation Scams
    https://isc.sans.edu/diary/rss/29518

    Last night, Turkey and Syria were affected by a significant earthquake. Sadly, experience teaches us that disasters like this will often be abused. The most common scam involves fake donation websites. But you may also see malware disguised as a video or images from the affected region.

    Reply
  34. Tomi Engdahl says:

    Security Infrastructure
    Comcast Wants a Slice of the Enterprise Cybersecurity Business
    https://www.securityweek.com/comcast-creates-enterprise-cybersecurity-business-unit/

    Comcast jumps into the enterprise cybersecurity business, betting that its internal security tools and inventions can find traction in an expanding marketplace.

    Reply
  35. Tomi Engdahl says:

    Mobile & Wireless
    Critical Baicells Device Vulnerability Can Expose Telecoms Networks to Snooping
    https://www.securityweek.com/critical-baicells-device-vulnerability-can-expose-telecoms-networks-to-snooping/

    A critical vulnerability affecting wireless communications base stations from Baicells can be exploited to cause disruption or take complete control of data and voice traffic.

    A critical vulnerability affecting wireless communication base stations from Baicells Technologies can be exploited to cause disruption in telecom networks or take complete control of data and voice traffic, according to a researcher.

    Baicells Technologies is a US-based telecommunications equipment provider for 4G and 5G networks. The company says more than 100,000 of its base stations are deployed across 64 countries around the world.

    Cyber offensive researcher Rustam Amin discovered that at least some of Baicells’ Nova base station products are affected by a critical command injection vulnerability that can be exploited remotely without authentication by sending specially crafted HTTP requests to the targeted device.

    Exploitation of the vulnerability, tracked as CVE-2023-24508, can allow an attacker to run shell commands with root privileges and take complete control of a device, Amin told SecurityWeek.

    The researcher explained that an attacker could, for instance, easily shut down a device to cause disruption. In addition, they could take full control over the traffic and phone calls going over a targeted network. A hacker could obtain information such as phone numbers, IMEI, and location data.

    Reply
  36. Tomi Engdahl says:

    Malware & Threats
    New York Attorney General Fines Vendor for Illegally Promoting Spyware
    https://www.securityweek.com/new-york-attorney-general-fines-vendor-for-illegally-promoting-spyware/

    The New York Office of the Attorney General has fined Patrick Hinchy and 16 of his companies for illegally promoting spyware.

    The New York Office of the Attorney General has announced punitive measures against Patrick Hinchy and 16 of the companies he owns, for illegally promoting spyware.

    Since 2011, Hinchy has owned and operated numerous companies, including the 16 investigated by the New York OAG, for selling and promoting spyware targeting Android and iOS devices, including Auto Forward, Easy Spy, DDI Utilities, Highster Mobile, PhoneSpector, Surepoint, and TurboSpy.

    Once installed on victim devices, the spyware would collect and exfiltrate data such as call logs, text messages, photos, videos, emails, Chrome browser data, location, and data from messaging and social media applications, including WhatsApp, Skype, Facebook, Instagram, and Twitter.

    The spyware was sold to ‘customers’ looking to spy on their spouse, colleagues, or other individuals, and was installed on the victims’ devices without their knowledge and without notifying them of the data collection and exfiltration activities.

    Reply
  37. Tomi Engdahl says:

    VMware ESXi Servers Targeted in Ransomware Attack via Old Vulnerability
    https://www.securityweek.com/many-vmware-esxi-servers-targeted-in-ransomware-attack-via-old-vulnerability/

    Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

    Reply
  38. Tomi Engdahl says:

    Interpol jumps into the metaverse: this is how it is preparing to fight virtual crime
    https://www.tivi.fi/uutiset/tv/3d691efd-db12-4285-b246-a89723209226
    The metaverse, seen as the future of the internet, has also caught the attention of the international police organisation Interpol. The organisation's Secretary General Jurgen Stock says Interpol is looking into how crime in the metaverse could be combated. Speaking to the BBC, Stock sees that the police organisation cannot afford to fall behind this development.
    According to him, criminals are quick to adopt new technologies. [...] Problems in virtual reality have already begun to surface. Publicly discussed cases include various forms of sexual harassment in Meta's Horizon Worlds.
    Virtual reality can be seen as a kind of precursor to the metaverse, but there is as yet no single agreed definition of the metaverse. Interpol's director of technology and innovation, Dr Madan Oberoi, considers that defining metaverse crimes is not straightforward. According to him, defining physical-world crimes in the metaverse is challenging.

    Reply
  39. Tomi Engdahl says:

    China's mystery balloon may have been a precision intelligence strike, or something else entirely: see how the giant balloon works
    The suspected spy balloon could have been used to collect electromagnetic radiation or to test the United States' air defence system, security experts estimate.
    https://yle.fi/a/74-20016631

    Reply
  40. Tomi Engdahl says:

    GuLoader Malware Using Malicious NSIS Executables to Target E-Commerce Industry
    https://thehackernews.com/2023/02/guloader-malware-using-malicious-nsis.html

    E-commerce industries in South Korea and the U.S. are at the receiving end of an ongoing GuLoader malware campaign, cybersecurity firm Trellix disclosed late last month.

    The malspam activity is notable for transitioning away from malware-laced Microsoft Word documents to NSIS executable files for loading the malware. Other countries targeted as part of the campaign include Germany, Saudi Arabia, Taiwan and Japan.

    NSIS, short for Nullsoft Scriptable Install System, is a script-driven open source system used to develop installers for the Windows operating system.

    While attack chains in 2021 leveraged a ZIP archive containing a macro-laced Word document to drop an executable file tasked with loading GuLoader, the new phishing wave employs NSIS files embedded within ZIP or ISO images to activate the infection.

    “Embedding malicious executable files in archives and images can help threat actors evade detection,” Trellix researcher Nico Paulo Yturriaga said.

    GuLoader: The NSIS Vantage Point
    https://www.trellix.com/en-us/about/newsroom/stories/research/guloader-the-nsis-vantage-point.html

    Reply
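The point of the NSIS switch above is that a plain-looking installer inside a ZIP or ISO slips past filters tuned for macro documents. As an added example (my own code, not Trellix's research tooling), the block below inspects a ZIP attachment member by member and flags executable extensions, double extensions and PE payloads that carry NSIS markers. The two NSIS markers (the 0xDEADBEEF first-header signature followed by "NullsoftInst", and the "Nullsoft.NSIS.exehead" string) are what I expect from NSIS-built installers and should be confirmed against a known-good NSIS installer; the archive is constructed inline.

```python
"""Inspect a ZIP mail attachment for NSIS-built executables. Added example; the
NSIS markers are assumptions to confirm against a real NSIS installer."""
import io
import zipfile
from dataclasses import dataclass, field

NSIS_FIRSTHEADER_MAGIC = b"\xef\xbe\xad\xdeNullsoftInst"   # 0xDEADBEEF LE + "NullsoftInst" (assumed)
NSIS_EXEHEAD_STRING = b"Nullsoft.NSIS.exehead"             # assumed marker string
EXEC_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta", ".lnk")
MAX_MEMBER_BYTES = 50 * 1024 * 1024   # never inflate anything larger (zip-bomb guard)


@dataclass
class Finding:
    member: str
    reasons: list[str] = field(default_factory=list)


def inspect_zip(archive: bytes) -> list[Finding]:
    """Return one Finding per suspicious member; an empty list means nothing was flagged."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = []
            name = info.filename.lower().rsplit("/", 1)[-1]
            if name.endswith(EXEC_EXTENSIONS):
                reasons.append("executable extension")
            if name.count(".") >= 2:
                reasons.append("double extension")
            if info.file_size > MAX_MEMBER_BYTES:
                reasons.append("member too large to inspect")
            else:
                body = zf.read(info)
                if body.startswith(b"MZ"):
                    reasons.append("PE executable")
                    if NSIS_FIRSTHEADER_MAGIC in body or NSIS_EXEHEAD_STRING in body:
                        reasons.append("NSIS installer")
                # A tiny compressed member that inflates enormously is its own warning sign.
                if info.compress_size and info.file_size / info.compress_size > 100:
                    reasons.append("extreme compression ratio")
            if reasons:
                findings.append(Finding(info.filename, reasons))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: a fake NSIS-shaped PE under a double extension plus a benign text file."""
    fake_nsis = (b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 256
                 + NSIS_FIRSTHEADER_MAGIC + b"\x00" * 64 + NSIS_EXEHEAD_STRING)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Purchase_Order_2023.pdf.exe", fake_nsis)
        zf.writestr("readme.txt", b"constructed benign text member")
    return buf.getvalue()


if __name__ == "__main__":
    for f in inspect_zip(build_sample_zip()):
        print(f.member, "->", ", ".join(f.reasons))
```

The same member-level checks apply to ISO images, which the campaign also uses; Python's standard library has no ISO 9660 reader, so extract the image with a tool such as 7-Zip first and feed each file to the PE and NSIS checks. Treat "NSIS installer" from an unsolicited e-mail as a block, not a warning: legitimate installers rarely arrive that way.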
  41. Tomi Engdahl says:

    OpenSSH Releases Patch for New Pre-Auth Double Free Vulnerability
    https://thehackernews.com/2023/02/openssh-releases-patch-for-new-pre-auth.html

    The maintainers of OpenSSH have released OpenSSH 9.2 to address a number of security bugs, including a memory safety vulnerability in the OpenSSH server (sshd).

    Tracked as CVE-2023-25136, the shortcoming has been classified as a pre-authentication double free vulnerability that was introduced in version 9.1.

    “This is not believed to be exploitable, and it occurs in the unprivileged pre-auth process that is subject to chroot(2) and is further sandboxed on most major platforms,” OpenSSH disclosed in its release notes on February 2, 2023.

    Reply
  42. Tomi Engdahl says:

    New Dingo crypto token found charging a 99% transaction fee
    https://www.bleepingcomputer.com/news/security/new-dingo-crypto-token-found-charging-a-99-percent-transaction-fee/

    Researchers at IT security company Check Point have flagged Dingo Token as a potential scam after finding a function that allows the project’s owner to manipulate trading fees up to 99% of the transaction value.

    The warning from Check Point comes after company researchers have already witnessed this malicious fee change 47 times.

    Reply
  43. Tomi Engdahl says:

    Why stratospheric balloons are used in era of space-based intelligence
    https://www.c4isrnet.com/battlefield-tech/space/2023/02/06/how-stratospheric-balloons-could-complement-space-based-intelligence/

    WASHINGTON — When the Pentagon revealed last week that a high-flying, Chinese balloon was spotted over the United States, officials said they didn’t expect the airship would add much value to the intelligence China is already gathering through its network of spy satellites.

    “Our best assessment at the moment is that whatever the surveillance payload is on this balloon, it does not create significant value added over and above what the [People’s Republic of China] is likely able to collect through things like satellites in low Earth orbit,” a senior defense official told reporters Feb. 2.

    Reply
  44. Tomi Engdahl says:

    Worried about security threats? You're not alone: one in three is worried about losing personal data
    https://www.dna.fi/blogi/-/blogs/huolettavatko-tietoturvauhat-et-ole-yksin-joka-kolmas-on-huolissaan-henkilotietojen-menetyksesta?fbclid=IwAR0xrmTBeiS09zQsEXFsaJBZguFIJ49UD99YIqcZoztzeFVjqds2qllJhuo

    Security threats such as phishing scams targeting online banking credentials and identity theft are here to stay. According to DNA's Digital Lifestyles 2022 survey, loss of personal data, identity theft and bank account hacking in particular worry many. Leaking of payment card details, loss of sensitive data, and viruses and malware also came up in the survey as common concerns.

    Reply
