This posting is here to collect cyber security news in February 2023.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
390 Comments
Tomi Engdahl says:
North Korean hackers slipped up, Finns got on their trail – they carried out espionage attacks against the energy sector
Suvi Korhonen, 6.2.2023 06:39. Tags: information security, ransomware, hackers
WithSecure suspects the Lazarus group has refined its methods.
https://www.tekniikkatalous.fi/uutiset/pohjois-korean-hakkerit-mokasivat-suomalaiset-paasivat-jaljille-tekivat-vakoiluhyokkayksia-energia-alaa-vastaan/c0ff39b1-2f47-463a-9e81-8641ea99c51d
Security company WithSecure has succeeded in tracing the perpetrator of espionage attacks targeting medical research institutions and energy organisations. The trail was picked up partly because of a presumed mistake.
Tomi Engdahl says:
Linux version of Royal Ransomware targets VMware ESXi servers
https://www.bleepingcomputer.com/news/security/linux-version-of-royal-ransomware-targets-vmware-esxi-servers/
Royal Ransomware is the latest ransomware operation to add support for encrypting Linux devices to its most recent malware variants, specifically targeting VMware ESXi virtual machines.
BleepingComputer has been reporting on similar Linux ransomware encryptors released by multiple other gangs, including Black Basta, LockBit, BlackMatter, AvosLocker, REvil, HelloKitty, RansomEXX, and Hive.
When encrypting files the ransomware will append the .royal_u extension to all encrypted files on the VM.
While anti-malware solutions had issues detecting Royal Ransomware samples that bundle the new targeting capabilities, they’re now detected by 23 out of 62 malware scanning engines on VirusTotal.
Tomi Engdahl says:
Apurva Venkat / CSO:
The US, France, Italy, and others warn about a ransomware attack on VMware ESXi servers, despite a February 2021 patch; Censys: 3,200+ servers have been hacked — A global ransomware attack has targeted thousands of servers running the VMware ESXi hypervisor, with many more servers expected to be affected …
Massive ransomware attack targets VMware ESXi servers worldwide
Cybersecurity agencies globally — including in Italy, France, the US and Singapore — have issued alerts about a ransomware attack targeting the VMware ESXi hypervisor.
https://www.csoonline.com/article/3687095/massive-ransomware-attack-targets-vmware-esxi-servers-worldwide.html
Tomi Engdahl says:
Aktia data leak has almost six times as many victims as previously reported https://www.is.fi/digitoday/tietoturva/art-2000009376707.html
Aktia's data security incident was clearly larger than previously estimated.
Two weeks ago there was an error in AKTIA BANK's systems, as a result of which people who used the bank's authentication in other services, such as the Tax Administration or Kela, saw other people's personal data.
After the incident, Aktia estimated that in total the data of 62 customers had leaked to outsiders. Now the bank says the number is clearly higher.
– We have investigated the case very carefully, and during the follow-up investigation it has emerged that there were a total of about 350 erroneous authentications. We contacted all customers immediately after that, Aktia's head of external communications Mia Smeds tells IS.
One customer, however, told IS that he received Aktia's message about the matter only a week and a half after the event.
THE ERROR was caused by a failed system update at Aktia. The bank updated the system to simplify identification, but in the process incorrect configurations were left in the system.
The disruption affected only Aktia's customers, but not online or mobile banking. Online banking credentials were not compromised by the disruption.
According to Smeds, Aktia has taken steps so that nothing similar happens again. Aktia is very sorry about the incident.
Aktia recommends that those who received the message consider five actions:
Placing a voluntary credit freeze with Suomen Asiakastieto and Bisnode. Aktia promises to cover the costs of the credit freeze.
Blocking change-of-address notifications at the Digital and Population Data Services Agency.
Setting up a change-of-address protection with Posti.
Placing a registration block at the Finnish Patent and Registration Office for the trade, association and foundation registers.
Deleting the details used in invoicing services and prohibiting their use.
Tomi Engdahl says:
Sergiu Gatlan / BleepingComputer:
The LockBit ransomware gang claims responsibility for an attack on the UK’s Royal Mail that halted international shipping, contradicting an earlier statement
LockBit ransomware gang claims Royal Mail cyberattack
https://www.bleepingcomputer.com/news/security/lockbit-ransomware-gang-claims-royal-mail-cyberattack/
The LockBit ransomware operation has claimed the cyberattack on UK’s leading mail delivery service Royal Mail that forced the company to halt its international shipping services due to “severe service disruption.”
This comes after LockBitSupport, the ransomware gang public-facing representative, previously told BleepingComputer that the LockBit cybercrime group did not attack Royal Mail.
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/hackers-backdoor-windows-devices-in-sliver-and-byovd-attacks/
Tomi Engdahl says:
The VMWare issue apparently took down servers at one of the biggest radio syndicates in the United States, leaving hundreds of stations without network news updates and other programming.
Skyview starts to recover from security incident
https://thedesk.net/2023/02/skyview-networks-service-restored-xds-server-cyberattack/
Ransomware attack left hundreds of radio stations without network news and syndicated programming for more than a week.
Tomi Engdahl says:
Linux Variant of Cl0p Ransomware Emerges
https://www.securityweek.com/linux-variant-of-cl0p-ransomware-emerges/
A Cl0p ransomware variant targeting Linux systems emerged recently, but a flaw in the encryption algorithm has already allowed for the creation of a free decryptor.
Tomi Engdahl says:
Patch Released for Actively Exploited GoAnywhere MFT Zero-Day
https://www.securityweek.com/patch-released-for-actively-exploited-goanywhere-mft-zero-day/
A patch has been released for the GoAnywhere MFT zero-day vulnerability that has been exploited in attacks.
A patch has been released for the GoAnywhere managed file transfer (MFT) software zero-day vulnerability whose existence came to light recently. News of active exploitation emerged roughly a week ago, but details about the attacks are still not available.
Fortra, known until recently as HelpSystems, alerted GoAnywhere MFT users on February 1 about a ‘zero-day remote code injection exploit’. The company has since released two other security notifications, each of them providing mitigations and indicators of compromise (IoCs).
Tomi Engdahl says:
Vulnerability Provided Access to Toyota Supplier Management Network
https://www.securityweek.com/vulnerability-provided-access-to-toyota-supplier-management-network/
Security researcher finds severe vulnerability providing system admin access to Toyota’s global supplier management network.
Tomi Engdahl says:
ICS Cybersecurity Firm Opscura Launches With $9.4 Million in Series A Funding
https://www.securityweek.com/ics-cybersecurity-firm-opscura-launches-with-9-4-million-in-series-a-funding/
Opscura, an ICS cybersecurity company founded as Enigmedia, launches with $9.4 million in Series A funding.
Opscura is a new brand and the company has a new global management team, but it’s not new in the ICS cybersecurity sector. The company was founded in Spain as Enigmedia and it has been around for more than a decade.
Opscura provides solutions designed to protect industrial networks by isolating, cloaking and authenticating sensitive assets and data in operational technology (OT) networks. Its cloaking technology obscures deep OT Level 2 network and Layer 2 data without disrupting operations.
The company says its solutions enable organizations to gain deep OT visibility, provide access control capabilities between IT and OT networks, provide protection for critical legacy endpoints, and help reduce the OT attack surface.
Opscura says its solutions are designed to complement the offerings of companies such as Nozomi Networks, Claroty and Fortinet.
The ICS security firm claims to have customers in the transportation, renewable energy, government, manufacturing and chemical sectors.
Tomi Engdahl says:
Germany Appoints Central Bank IT Chief to Head Cybersecurity
https://www.securityweek.com/germany-appoints-central-bank-it-chief-to-head-cybersecurity/
Germany appointed Claudia Plattner to lead its cybersecurity agency, months after her predecessor was removed following reports of possible problematic ties to Russia.
Tomi Engdahl says:
Software Supply Chain Security Firm Lineaje Raises $7 Million
https://www.securityweek.com/software-supply-chain-security-firm-lineaje-raises-7-million/
Software supply chain security management startup Lineaje raises $7 million in a seed funding round led by Tenable Ventures.
Tomi Engdahl says:
OpenSSL Ships Patch for High-Severity Flaws
https://www.securityweek.com/openssl-ships-patch-for-high-severity-flaws/
The most serious of the vulnerabilities may allow an attacker to read memory contents or launch denial-of-service exploits.
The OpenSSL Project on Tuesday shipped a major security update to cover at least eight documented security flaws that expose OpenSSL users to malicious hacker attacks.
The most serious of the bugs, a type confusion issue tracked as CVE-2023-0286, may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or launch denial-of-service exploits.
The OpenSSL maintainers slapped a high-severity rating on the flaw but noted that the vulnerability is most likely to only affect applications which have implemented their own functionality for retrieving CRLs over a network.
Organizations running OpenSSL versions 3.0, 1.1.1 and 1.0.2 are urged to apply available upgrades immediately.
Tomi Engdahl says:
VMware Says No Evidence of Zero-Day Exploitation in ESXiArgs Ransomware Attacks
https://www.securityweek.com/vmware-says-no-evidence-of-zero-day-exploitation-in-esxiargs-ransomware-attacks/
ESXiArgs ransomware attacks continue, with thousands of unpatched ESXi servers compromised within a few days via CVE-2021-21974.
VMware has urged customers to take action as unpatched ESXi servers continue to be targeted in ESXiArgs ransomware attacks.
Hackers are exploiting CVE-2021-21974, a high-severity ESXi remote code execution vulnerability related to OpenSLP that VMware patched in February 2021. Following successful exploitation, unidentified threat actors have deployed file-encrypting ransomware that targets virtual machines.
Technical details and a proof-of-concept (PoC) exploit for CVE-2021-21974 have been around for nearly two years, but there is no indication that in-the-wild exploitation has been observed until now.
In a blog post published on its Security Response Center on Monday, VMware said there is no evidence that the attacks involve exploitation of a zero-day vulnerability.
“Most reports state that End of General Support (EOGS) and/or significantly out-of-date products are being targeted with known vulnerabilities which were previously addressed and disclosed in VMware Security Advisories,” the virtualization giant said.
VMware Security Response Center (vSRC) Response to ‘ESXiArgs’ Ransomware Attacks
https://blogs.vmware.com/security/2023/02/83330.html
Tomi Engdahl says:
This is how Chinese smartphones track their users – the data keeps flowing even if you leave the country https://www.tivi.fi/uutiset/tv/9f25bcc2-8c10-42f7-88eb-fcc28566239b
On a holiday trip to China, one might be tempted to pick up a cheap Chinese Android phone locally.
Anyone who values their privacy should, however, steer clear of phones sold in China, a recent study shows. According to The Register, Android phones sold in China come with a large number of pre-installed apps that send sensitive data to third parties without asking the user's permission. Original:
https://www.theregister.com/2023/02/07/chinese_android_phones_leak_pii/
Tomi Engdahl says:
Spyware apps tracked almost all activity on victims' phones – huge fines for the developer https://www.tivi.fi/uutiset/tv/7b15bbe2-46d2-453c-8fca-714193ffc4fa
A New York man who developed several tracking programs was ordered to pay $410,000 in fines and to change his programs so that users know they are being tracked. Among other things, the apps made it possible to monitor text messages, location, Gmail, WhatsApp, Skype, call records and social media.
The man sentenced to the fines founded at least 16 companies to advertise his apps. The companies' names included Data, DDI Data Solutions, Highster Data Services and PhoneSpector.
Tomi Engdahl says:
Not like this: Russian e-commerce giant left its customers' data available to criminals
https://www.tivi.fi/uutiset/tv/5d0a982e-6815-4f06-afac-3d630250e239
Russia's largest electrical supplies retailer Elevel had left a database containing its customers' contact details unprotected, Cybernews writes. It is the largest company selling electrical supplies in Russia.
Its services include an online store and physical electrical wholesalers.
Cybernews security researchers found the 1.1-terabyte data set on 24 January. The data came from the e.way online store owned by Elevel, which is said to have 25,000 customers per month.
Tomi Engdahl says:
Encrypted messaging service cracked – dozens arrested, all conversations in police hands https://www.tivi.fi/uutiset/tv/f09dbbbe-6e0a-4fc4-96ac-bcd8d381d30b
The Dutch police announced on Friday that they had cracked the encrypted messaging platform Exclu to monitor the activities of criminal organisations.
The operation comprises two separate criminal investigations, which began in September 2020 and April 2022. According to Bleeping Computer, 79 searches were carried out in the Netherlands, Germany and Belgium in connection with the investigation. A total of 42 arrests were made. Europol, the EU agency for criminal justice cooperation Eurojust, and the police of Italy, Sweden, France and Germany also took part in the operation. Original:
https://www.bleepingcomputer.com/news/security/police-hacked-exclu-secure-message-platform-to-snoop-on-criminals/
Tomi Engdahl says:
Cybercriminals Bypass ChatGPT Restrictions to Generate Malicious Content https://blog.checkpoint.com/2023/02/07/cybercriminals-bypass-chatgpt-restrictions-to-generate-malicious-content/
There have been many discussions and research on how cybercriminals are leveraging the OpenAI platform, specifically ChatGPT, to generate malicious content such as phishing emails and malware. In Check Point Research's (CPR) previous blog, we described how ChatGPT successfully conducted a full infection flow, from creating a convincing spear-phishing email to running a reverse shell, which can accept commands in English. CPR researchers recently found an instance of cybercriminals using ChatGPT to improve the code of a basic Infostealer malware from 2019. Although the code is not complicated or difficult to create, ChatGPT improved the Infostealer's code.
Tomi Engdahl says:
Over 12% of analyzed online stores expose private data, backups https://www.bleepingcomputer.com/news/security/over-12-percent-of-analyzed-online-stores-expose-private-data-backups/
Many online stores are exposing private backups in public folders, including internal account passwords, which can be leveraged to take over the e-commerce sites and extort owners. According to a study by website security company Sansec, roughly 12% of online stores forget their backups in public folders due to human error or negligence.
Tomi Engdahl says:
Clop ransomware flaw allowed Linux victims to recover files for months https://www.bleepingcomputer.com/news/security/clop-ransomware-flaw-allowed-linux-victims-to-recover-files-for-months/
The Clop ransomware gang is now also using a malware variant that explicitly targets Linux servers, but a flaw in the encryption scheme has allowed victims to quietly recover their files for free for months. This new Linux version of Clop was spotted in December 2022 by Antonis Terefos, a researcher at SentinelLabs, after the threat group used it together with the Windows variant in an attack against a university in Colombia.
Tomi Engdahl says:
All classes canceled at Irish university as it announces significant IT breach https://therecord.media/all-classes-canceled-at-irish-university-as-it-announces-significant-it-breach/
Munster Technological University (MTU) in Ireland announced on Monday that its campuses in Cork would be closed following a significant IT breach and telephone outage.
Tomi Engdahl says:
Here’s a list of proxy IPs to help block KillNet’s DDoS bots https://www.theregister.com/2023/02/06/killnet_proxy_ip_list/
A free tool is helping organizations defend against KillNet distributed-denial-of-service (DDoS) bots and comes as the US government issued a warning that the Russian cybercrime gang is stepping up its network flooding attacks against hospitals and health clinics. At current count, the KillNet open proxy IP blocklist lists tens of thousands of proxy IP addresses used by the Russian hacktivists in their network-traffic flooding events.
SecurityScorecard’s threat researchers developed the list following their ongoing investigation into Killnet and other network-spamming miscreants. List:
https://github.com/securityscorecard/SSC-Threat-Intel-IoCs/blob/master/KillNet-DDoS-Blocklist/proxylist.txt
Tomi Engdahl says:
LockBit ransomware group threatens Royal Mail with data leak deadline https://therecord.media/lockbit-ransomware-group-threatens-royal-mail-data-leak-deadline/
Royal Mail is now listed on the LockBit ransomware group’s extortion site, with the criminals giving the company a deadline of Thursday, February 9, to make an extortion payment. The listing, as is typical, claims all available data will be published without specifying what kinds of data the criminal group managed to steal. The British postage and courier company’s ability to dispatch parcels and letters to international recipients ground to a halt last month following what Royal Mail announced as a cyber incident on January 11.
Tomi Engdahl says:
Exploit released for actively exploited GoAnywhere MFT zero-day https://www.bleepingcomputer.com/news/security/exploit-released-for-actively-exploited-goanywhere-mft-zero-day/
Exploit code has been released for an actively exploited zero-day vulnerability affecting Internet-exposed GoAnywhere MFT administrator consoles. GoAnywhere MFT is a web-based and managed file transfer tool designed to help organizations to transfer files securely with partners and keep audit logs of who accessed the shared files.
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/microsoft/microsoft-outlook-outage-prevents-users-from-sending-receiving-emails/
Tomi Engdahl says:
OpenSSL fixes High Severity data-stealing bug – patch now!
https://nakedsecurity.sophos.com/2023/02/08/openssl-fixes-high-severity-data-stealing-bug-patch-now/
Tomi Engdahl says:
https://www.darkreading.com/endpoint/fresh-buggy-clop-ransomware-variant-targets-linux-systems
Tomi Engdahl says:
Beware! A new scam is written in good Finnish and the web address looks credible – this is how the attack proceeds
Criminal text messages are being sent to Finnish phones in the name of the courier service DHL.
https://www.is.fi/digitoday/tietoturva/art-2000009377444.html
Tomi Engdahl says:
2023-02-07 (TUESDAY) – ONENOTE FILE PUSHES UNIDENTIFIED MALWARE https://www.malware-traffic-analysis.net/2023/02/07/index.html
REFERENCE: I originally thought this was Matanbuchus, but it appears to be a new malware family. Initial tweet:
https://twitter.com/Unit42_Intel/status/1623349272061136900
Tomi Engdahl says:
Florida hospital takes entire IT systems offline after ‘ransomware attack’
https://www.malwarebytes.com/blog/news/2023/02/florida-hospital-takes-entire-it-systems-offline-after-ransomware-attack
Tallahassee Memorial Healthcare (TMH), a major hospital system in northern Florida, has reportedly been experiencing an “IT security issue” since Thursday evening, which impacted some of its IT systems.
When TMH learned of the issue, it took its entire IT systems offline as a precaution and contacted law enforcement.
Tomi Engdahl says:
OpenSSL fixes High Severity data-stealing bug – patch now!
https://nakedsecurity.sophos.com/2023/02/08/openssl-fixes-high-severity-data-stealing-bug-patch-now/
OpenSSL, probably the best-known if not the most widely-used encryption library in the world, has just released a trifecta of security updates.
Tomi Engdahl says:
Malicious Dota 2 game modes infected players with malware https://www.bleepingcomputer.com/news/security/malicious-dota-2-game-modes-infected-players-with-malware/
Security researchers have discovered four malicious Dota 2 game modes that were used by a threat actor to backdoor the players’ systems. The unknown attacker created four game modes for the highly popular Dota 2 multiplayer online battle arena video game and published them on the Steam store to target the game’s fans, as Avast Threat Labs researchers found.
Tomi Engdahl says:
CISA releases recovery script for ESXiArgs ransomware victims https://www.bleepingcomputer.com/news/security/cisa-releases-recovery-script-for-esxiargs-ransomware-victims/
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released a script to recover VMware ESXi servers encrypted by the recent widespread ESXiArgs ransomware attacks. Starting last Friday, exposed VMware ESXi servers were targeted in a widespread ESXiArgs ransomware attack. To assist users in recovering their servers, CISA released an ESXiArgs-Recover script on GitHub to automate the recovery process.
https://github.com/cisagov/ESXiArgs-Recover/blob/main/recover.sh
Tomi Engdahl says:
CISA says Killnet DDoS attacks on U.S. hospitals had little effect https://therecord.media/ddos-hospitals-cisa-killnet-limited-effects/
The Cybersecurity and Infrastructure Security Agency said it helped dozens of hospitals respond to a series of distributed denial-of-service (DDoS) incidents last week that were launched by a pro-Kremlin hacking group. A spokesperson for CISA told The Record that several of the incidents temporarily reduced the availability of the hospitals’ public-facing websites, but there were no reports of unauthorized access to hospital networks, disruption to health care delivery or impacts on patient safety. The hacking group, Killnet, has spent months launching DDoS attacks on governments across Europe and companies in the U.S. The gang targeted U.S. airlines in October and last week set its sights on U.S. hospitals.
Tomi Engdahl says:
ESXiArgs Ransomware Virtual Machine Recovery Guidance https://www.cisa.gov/uscert/ncas/alerts/aa23-039a
The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) are releasing this joint Cybersecurity Advisory (CSA) in response to the ongoing ransomware campaign, known as ESXiArgs. Malicious actors may be exploiting known vulnerabilities in VMware ESXi servers that are likely running unpatched and out-of-service or out-of-date versions of VMware. The ESXiArgs ransomware encrypts configuration files on ESXi servers, potentially rendering virtual machines (VMs) unusable. CISA has released an ESXiArgs recovery script at github.com/cisagov/ESXiArgs-Recover. Organizations that have fallen victim to ESXiArgs ransomware can use this script to attempt to recover their files. This CSA provides guidance on how to use the script. https://github.com/cisagov/ESXiArgs-Recover
Tomi Engdahl says:
Couple Used Apple AirTag to Track Luggage, Found It Was Donated to Charity
https://uk.pcmag.com/mobile-phone-accessories/145275/couple-used-apple-airtag-to-track-luggage-that-was-donated-to-charity
After a months-long hunt that involved the police and endless wrangling with Air Canada, the newlyweds found out their bag had been donated to a charity.
A newly married Canadian couple found out their luggage had been donated to a charity after a months-long search that involved the police, endless wrangling with Air Canada, and an AirTag.
Honeymoon returnees Nakita Rees and Tom Wilson, who documented their ordeal through TikTok updates, lost their luggage after being told to recheck it on a connecting flight in Montreal. As Business Insider reports, they found out their Apple AirTagged luggage was still in Montreal after landing in their home province of Ontario.
What followed was a months-long hunt that led them to find out their luggage had been donated to a charity by Air Canada, the airline they had flown with.
In a statement to CBC, Air Canada said: “This customer travelled late in the summer at a time when all air carriers in Canada were still recovering from the COVID-related, systemic disruption of the entire air transport industry. One consequence was an elevated rate of baggage delays.”
After receiving compensation of $2,300, reportedly the legal maximum for lost luggage, which Rees said covered a third of the value of what was inside the luggage, the couple turned up at the storage facility and asked a manager at Toronto Pearson Airport for assistance, but he had never heard of the facility, Insider reports.
It was at this point that the police went to the facility and opened it up for the couple. The storage facility reportedly contained “floor-to-ceiling, wall-to-wall luggage.” It was through the police that the couple found out that their luggage had been donated to a charity, which allegedly used the storage facility, but whose name the couple still doesn’t know.
Rees announced their luggage had been returned on Jan. 23, via a TikTok update. This was after Air Canada had appointed a handler to look into their case, searched through 1,200 bags in the storage facility, and found it within 24 hours. The luggage was then delivered to their door, months after it had been reported missing. According to Rees, everything inside the bag was intact, including a bottle of wine.
Speaking to CBC, Air Canada said it worked hard to find the luggage: “In this particular case, the situation was compounded by the disconnection of the baggage tag at some point on the journey. Despite our best efforts, it was not possible for us to identify the bag’s owner. It was designated as unclaimed, and we moved to compensate the customer.”
Tomi Engdahl says:
Jonathan Greig / The Record:
The CISA publishes a recovery script for the ESXiArgs ransomware that encrypted files at 3,800+ organizations across the US, France, Italy, and other countries
https://therecord.media/esxiargs-ransomware-cisa-file-recovery-script/
Tomi Engdahl says:
Michael Potuck / 9to5Mac:
Many Twitter users reported issues on February 8, from outages to not being able to tweet except by scheduling or via an API; the issues seem to be almost fixed — Shortly after Twitter launched its huge increase in max character count to 4,000 today, many users aren’t able to tweet this afternoon.
Twitter goes down worldwide just minutes after launching expanded tweet counts [U: Fixed]
https://9to5mac.com/2023/02/08/twitter-goes-down-worldwide/
Tomi Engdahl says:
David Friend / Canadian Press:
Netflix rolls out its long-anticipated password sharing rules in Canada, New Zealand, Portugal, and Spain; other countries will be added in the next few months — Under new rules, premium and standard account holders will be given option to add extra members for $7.99 per month
Netflix Canada begins password sharing crackdown
https://torontosun.com/entertainment/television/netflix-canada-begins-password-sharing-crackdown
Tomi Engdahl says:
Brian Fung / CNN:
NetBlocks: Turkish ISPs restore Twitter access, limited after an earthquake, after officials “remind Twitter of its obligations” on takedowns and disinformation — Access to Twitter has been restored in Turkey, according to internet monitoring company Netblocks.
Twitter access in Turkey is restored, according to network monitoring firm
https://edition.cnn.com/2023/02/08/tech/turkey-twitter-restriction/
Tomi Engdahl says:
@twitterdev:
Twitter’s free APIs will work until February 13, when the company will launch a low-usage $100/month plan and a limited free plan and deprecates its Premium API — We have been busy with some updates to the Twitter API so you can continue to build and innovate with us. We’re excited to announce an extension of the current free Twitter API access through February 13. Here’s what we’re shipping then
https://twitter.com/twitterdev/status/1623467615539859456
Tomi Engdahl says:
Mysterious leak of Booking.com reservation data is being used to scam customers https://arstechnica.com/information-technology/2023/02/mysterious-leak-of-booking-com-reservation-data-is-being-used-to-scam-customers/
For almost five years, Booking.com customers have been on the receiving end of a continuous series of scams that clearly demonstrate that criminals have obtained travel plans and other personal information customers provided to the travel site.
Tomi Engdahl says:
https://www.securityweek.com/openssl-ships-patch-for-high-severity-flaws/
Tomi Engdahl says:
https://www.securityweek.com/vulnerability-provided-access-to-toyota-supplier-management-network/
Tomi Engdahl says:
Australian Man Sentenced for Scam Related to Optus Hack
https://www.securityweek.com/australian-man-sentenced-for-scam-related-to-optus-hack/
Australian authorities sentence Sydney man for using leaked data stolen from wireless carrier Optus to conduct SMS scams.
Tomi Engdahl says:
Chrome 110 Patches 15 Vulnerabilities
https://www.securityweek.com/chrome-110-patches-15-vulnerabilities/
The first stable release of Chrome 110 brings 15 security fixes, including 10 for externally reported vulnerabilities.
Google this week announced that the first stable release of Chrome 110 brings 15 security fixes, including 10 that address vulnerabilities reported by external researchers.
The internet giant makes no mention of any of these vulnerabilities being exploited in attacks.
The latest Chrome release is rolling out to users as versions 110.0.5481.77/.78 for Windows, and version 110.0.5481.77 for Mac and Linux.
The iOS and Android versions of the browser have been updated to 110.0.5481.83 and 110.0.5481.63/.64, respectively.
Tomi Engdahl says:
Siemens License Manager Vulnerabilities Allow ICS Hacking
https://www.securityweek.com/siemens-license-manager-vulnerabilities-allow-ics-hacking/
The Siemens Automation License Manager is affected by two serious vulnerabilities that could be chained to hack industrial control systems (ICS).
The Siemens Automation License Manager is affected by two serious vulnerabilities that could be chained to hack industrial control systems (ICS), according to industrial cybersecurity firm Otorio.
On January 10, Siemens released its first round of Patch Tuesday updates for 2023, addressing a total of 20 vulnerabilities affecting the company’s products.
One of the six advisories published at the time describes two high-severity security holes discovered by a researcher from Otorio in the Siemens Automation License Manager (ALM), which is designed for centrally managing license keys for Siemens software.
One of the flaws, tracked as CVE-2022-43513, can allow a remote, unauthenticated attacker to rename and move license files as a System user.
The second issue, CVE-2022-43514, allows a remote, unauthenticated attacker to execute operations on files outside the specified root folder. Chaining the two vulnerabilities can lead to remote code execution, Siemens said.
In a blog post published on Tuesday, Otorio explained that most of Siemens’ software products use the ALM by default for license management. This means the vulnerabilities impact organizations that use one of many Siemens products, including the Simatic PCS 7 historian, the Sicam Device Manager, WinCC, TIA Portal, and the DIGSI engineering tool.