This posting is here to collect cyber security news in February 2023.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
Tomi Engdahl says:
OTORIO Research Team Uncovers RCE affecting Siemens Servers Including PCS 7
https://www.otorio.com/blog/otorio-research-team-uncovers-rce-affecting-siemens-servers-including-pcs-7/
License to Breach: RCE Affecting Siemens Servers Including PCS 7, Historian, WinCC, and Engineering Servers
Recent findings by our team have uncovered two vulnerabilities in the Siemens Automation License Manager (ALM), a license management service used to control and manage the usage of Siemens’ industrial automation products (CVE-2022-43513 and CVE-2022-43514). The discovered vulnerabilities, chained together, allow remote code execution (RCE) and privilege escalation (PE) on the affected systems, which allow an attacker to gain unauthorized access to the system with elevated privileges.
The impact of these vulnerabilities is significant, as they can be used to disrupt the normal operation of industrial systems and cause severe damage. The vulnerabilities affect a wide range of Siemens’ products, including PCS 7 Historian, WinCC, TIA Portal, DIGSI, SICAM Device Manager, and others. These products are widely used in various industries such as manufacturing, oil and gas, energy, and smart transportation.
The PCS 7, for example, is one of the most common DCS solutions. It plays a critical role in supervising normal operations on the industrial shop floor and by design, has high privileges on the entire process.
Tomi Engdahl says:
Russian Admits in US Court to Laundering Money for Ryuk Ransomware Gang
https://www.securityweek.com/russian-admits-in-us-court-to-laundering-money-for-ryuk-ransomware-gang/
Denis Mihaqlovic Dubnikov, of Russia, has admitted in an US court to laundering cryptocurrency for the Ryuk ransomware gang.
Tomi Engdahl says:
Malware & Threats
A Deep Dive Into the Growing GootLoader Threat
https://www.securityweek.com/a-deep-dive-into-the-growing-gootloader-threat/
Cybereason classifies GootLoader as a ‘severe’ threat, as the malware uses a combination of evasion and living off the land techniques, making its presence difficult to detect.
GootLoader was born from GootKit, a banking trojan that first appeared around 2014. In recent years GootKit has evolved into a sophisticated and evasive loader — and it was given a new name to reflect its new purpose in 2021. The same group is responsible for both versions of the malware, and is monitored by Mandiant as UNC2565.
Tomi Engdahl says:
CISA Releases Open Source Recovery Tool for ESXiArgs Ransomware
https://www.securityweek.com/cisa-releases-open-source-recovery-tool-for-esxiargs-ransomware/
It may be possible to recover some virtual machines impacted by the ESXiArgs ransomware and CISA has released a tool for the task.
Tomi Engdahl says:
https://www.securityweek.com/patient-information-compromised-in-data-breach-at-san-diego-healthcare-provider/
Tomi Engdahl says:
Third Chinese spy balloon is ‘operating near US interests’ – but officials won’t say where, after shooting down first balloon off South Carolina coast
https://www.dailymail.co.uk/news/article-11713963/Third-Chinese-spy-balloon-operating-near-interests-officials-wont-say-where.html
Tomi Engdahl says:
Critical Infrastructure at Risk from New Vulnerabilities Found in Wireless IIoT Devices
https://thehackernews.com/2023/02/critical-infrastructure-at-risk-from.html
A set of 38 security vulnerabilities has been uncovered in wireless industrial internet of things (IIoT) devices from four different vendors that could pose a significant attack surface for threat actors looking to exploit operational technology (OT) environments.
“Threat actors can exploit vulnerabilities in Wireless IIoT devices to gain initial access to internal OT networks,” Israeli industrial cybersecurity company Otorio said. “They can use these vulnerabilities to bypass security layers and infiltrate target networks, putting critical infrastructure at risk or interrupting manufacturing.”
Tomi Engdahl says:
Hackers are mass infecting servers worldwide by exploiting a patched hole
Servers running unpatched versions of ESXi are sitting ducks for ESXiArgs attacks.
https://arstechnica.com/information-technology/2023/02/hackers-are-mass-infecting-servers-worldwide-by-exploiting-a-patched-hole/
Tomi Engdahl says:
Alert (AA23-040A): Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities https://www.cisa.gov/uscert/ncas/alerts/aa23-040a
This Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and various ransomware threat actors. These #StopRansomware advisories detail historically and recently observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. This CSA is supplementary to previous reports on malicious cyber actor activities involving DPRK ransomware campaigns, namely Maui and H0lyGh0st ransomware. The authoring agencies are issuing this advisory to highlight additional observed TTPs DPRK cyber actors are using to conduct ransomware attacks targeting South Korean and U.S. healthcare systems.
Tomi Engdahl says:
Britain and US make major move against ransomware gangs by sanctioning seven individuals https://therecord.media/ransomware-sactions-conti-ryuk-trickbot-uk-us/
The United Kingdom and United States on Thursday sanctioned seven people connected to what officials have told The Record is a single network behind the Conti and Ryuk ransomware gangs as well as the Trickbot banking trojan. The sanctions are described as the first major move of a new campaign of concerted action between Britain and the United States, and insiders say that further actions should be expected later this year. The sanctions mean the individuals have their assets frozen and face travel bans, according to the British government. In addition to the sanctions, the U.S. Department of Justice also charged the hacker known as Bentley, alleged real name Vitaly Kovalev, with conspiracy to commit bank fraud and eight counts of bank fraud.
Tomi Engdahl says:
New ESXiArgs ransomware version prevents VMware ESXi recovery https://www.bleepingcomputer.com/news/security/new-esxiargs-ransomware-version-prevents-vmware-esxi-recovery/
New ESXiArgs ransomware attacks are now encrypting more extensive amounts of data, making it much harder, if not impossible, to recover encrypted VMware ESXi virtual machines. Last Friday, a massive and widespread automated ransomware attack encrypted over 3,000 Internet-exposed VMware ESXi servers using a new ESXiArgs ransomware.
Preliminary reports indicated that the devices were breached using old VMware SLP vulnerabilities. However, some victims have stated that SLP was disabled on their devices and were still breached and encrypted.
Tomi Engdahl says:
Enigma Stealer Targets Cryptocurrency Industry with Fake Jobs https://www.trendmicro.com/en_us/research/23/b/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs.html
We recently found an active campaign that uses a fake employment pretext targeting Eastern Europeans in the cryptocurrency industry to install an information stealer. In this campaign, the suspected Russian threat actors use several highly obfuscated and under-development custom loaders in order to infect those involved in the cryptocurrency industry with Enigma stealer (detected as TrojanSpy.MSIL.ENGIMASTEALER.YXDBC), which is a modified version of the Stealerium information stealer. In addition to these loaders, the attacker also exploits CVE-2015-2291, an Intel driver vulnerability, to load a malicious driver designed to reduce the token integrity of Microsoft Defender.
Tomi Engdahl says:
Tor and I2P networks hit by wave of ongoing DDoS attacks https://www.bleepingcomputer.com/news/security/tor-and-i2p-networks-hit-by-wave-of-ongoing-ddos-attacks/
If you’ve been experiencing Tor network connectivity and performance issues lately, you’re not the only one since many others have had problems with onion and i2p sites loading slower or not loading at all. Tor Project’s Executive Director Isabela Dias Fernandes revealed on Tuesday that a wave of distributed denial-of-service (DDoS) attacks has been targeting the network since at least July 2022. “At some points, the attacks impacted the network severely enough that users could not load pages or access onion services,” Fernandes said on Tuesday. “We have been working hard to mitigate the impacts and defend the network from these attacks. The methods and targets of these attacks have changed over time and we are adapting as these attacks continue.”
Tomi Engdahl says:
Hackers used fake websites to target state agencies in Ukraine and Poland https://therecord.media/hackers-used-fake-websites-to-target-state-agencies-in-ukraine-and-poland/
Hackers attempted last week to infect Ukrainian government computer systems with malware hosted on fake websites impersonating legitimate state services. Ukraine’s computer emergency response team, CERT-UA, attributed the attack to a group called WinterVivern. The group has been active since at least June and includes Russian-speaking members.
In addition to its Ukrainian targets, it has also targeted government agencies in Poland, according to a report released Wednesday.
Tomi Engdahl says:
Largest Canadian bookstore Indigo shuts down site after cyberattack https://www.bleepingcomputer.com/news/security/largest-canadian-bookstore-indigo-shuts-down-site-after-cyberattack/
Indigo Books & Music, the largest bookstore chain in Canada, was struck by a cyberattack yesterday, causing the company to make the website unavailable to customers and to only accept cash payments. The exact nature of the incident remains unclear but Indigo is not ruling out that hackers may have stolen customer data. On Wednesday, Indigo announced that technical issues were preventing access to the website and customers at physical stores could pay only by cash. Additionally, the company announced that gift card transactions were not possible and that there may be delays with online orders.
Tomi Engdahl says:
NewsPenguin, a Previously Unknown Threat Actor, Targets Pakistan with Advanced Espionage Tool https://blogs.blackberry.com/en/2023/02/newspenguin-a-previously-unknown-threat-actor-targets-pakistan-with-advanced-espionage-tool
A previously unknown threat actor is targeting organizations in Pakistan using a complex payload delivery mechanism. The threat actor abuses the upcoming Pakistan International Maritime Expo & Conference (PIMEC-2023) as a lure to trick their victims. The attacker sent out targeted phishing emails with a weaponized document attached that purports to be an exhibitor manual for PIMEC-23. The document utilizes a remote template injection technique and embedded malicious Visual Basic for Applications (VBA) macro code to deliver the next stage of the attack, which leads to the final payload execution.
Tomi Engdahl says:
Wireless IIoT Security: The Elephant in OT Environments https://www.otorio.com/blog/wireless-iiot-security-the-elephant-in-ot-environments/
Wireless IIoT allows industrial companies to improve performance and productivity by digitizing processes and transforming business models.
Industrial wireless IoT devices can be found throughout OT and critical infrastructure. While these devices have many benefits, they also introduce OT networks to new risks and make them susceptible to cyber attacks. Recent research conducted by OTORIO examined the security of industrial wireless IoT devices, including industrial Wi-Fi access points and industrial cellular gateways and routers.
Tomi Engdahl says:
THREAT ALERT: GootLoader – SEO Poisoning and Large Payloads Leading to Compromise https://www.cybereason.com/blog/threat-alert-gootloader-seo-poisoning-and-large-payloads-leading-to-compromise
The Cybereason Incident Response (IR) team investigated an incident which involved new deployment methods of the GootLoader malware loader through heavily-obfuscated JavaScript files. In addition to the new techniques used to load GootLoader, Cybereason also observed the deployment of additional C2 frameworks, including Cobalt Strike and SystemBC, which is usually leveraged for data exfiltration. Cybereason also observed the use of SEO poisoning techniques to place infected pages higher in internet browser search results. It is likely that the higher the search engine results, the more likely victims will click on the links.
Tomi Engdahl says:
New hacking group targets Pakistan’s Navy and maritime industry https://therecord.media/new-hacking-group-targets-pakistans-navy-and-maritime-industry/
A previously unknown hacking group is using espionage tools to target Pakistan’s Navy, according to new research. Dmitry Bestuzhev, a threat researcher at BlackBerry, told The Record that the group, which they named NewsPenguin, is a targeted attack group focused on militaries and the defense industry. The group used the upcoming Pakistan International Maritime Expo & Conference (PIMEC-2023) as a lure to trick victims into opening phishing emails containing malware. “The whole campaign is about cyber espionage. We discovered NewsPenguin about a month ago. We realized that based on the lure document, the nature of the target, and the code analysis, that this is a cyber espionage campaign with no financial motivation,” he said. It appears the objective of this operation is to spy on the attendees of the conference and its organizers.
Tomi Engdahl says:
Cybercrime
ESXiArgs Ransomware Hits Over 3,800 Servers as Hackers Continue Improving Malware
https://www.securityweek.com/esxiargs-ransomware-hits-over-3800-servers-as-hackers-continue-improving-malware/
More than 3,800 servers around the world have been compromised in recent ESXiArgs ransomware attacks, which also include an improved process.
Tomi Engdahl says:
OpenSSL Ships Patch for High-Severity Flaws
https://www.securityweek.com/openssl-ships-patch-for-high-severity-flaws/
The most serious of the vulnerabilities may allow an attacker to read memory contents or launch denial-of-service exploits.
Tomi Engdahl says:
Vulnerability Allows Hackers to Remotely Tamper With Dahua Security Cameras
https://www.securityweek.com/vulnerability-allows-hackers-to-remotely-tamper-with-dahua-security-cameras/
A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.
Researchers have discovered a vulnerability that can be exploited by remote hackers to tamper with the timestamp of videos recorded by Dahua security cameras.
The flaw, tracked as CVE-2022-30564, was discovered last year by India-based CCTV and IoT cybersecurity company Redinent Innovations. Advisories describing the vulnerability were published on Wednesday by both Dahua and Redinent.
Redinent has assigned the vulnerability a ‘high’ severity rating, but Dahua has calculated a 5.3 CVSS score for it, which makes it ‘medium severity’.
According to the Chinese video surveillance equipment maker, the flaw impacts several types of widely used cameras and video recorders, including IPC, SD, NVR, and XVR products.
Australian Defense Department to Remove Chinese-Made Cameras
https://www.securityweek.com/australian-defense-department-to-remove-chinese-made-cameras/
Australia’s Defense Department said that they will remove surveillance cameras made by Chinese Communist Party-linked companies from its buildings.
Australia’s Defense Department will remove surveillance cameras made by Chinese Communist Party-linked companies from its buildings, the government said Thursday after the U.S. and Britain made similar moves.
Tomi Engdahl says:
https://www.securityweek.com/vulncheck-raises-3-2m-seed-round-for-threat-intel/
Tomi Engdahl says:
UN Experts: North Korean Hackers Stole Record Virtual Assets
https://www.securityweek.com/un-experts-north-korean-hackers-stole-record-virtual-assets/
North Korean hackers working for the government stole virtual assets last year estimated to be worth between $630 million and more than $1 billion, U.N. experts said in a report.
Tomi Engdahl says:
US Says Chinese Military Behind Vast Aerial Spy Program
https://www.securityweek.com/us-says-chinese-military-behind-vast-aerial-spy-program/
China’s spy balloon that crossed the US could collect intelligence signals and was part of a multi-national, military-linked aerial spy program, the Biden administration said.
Tomi Engdahl says:
Google Describes Privacy, Security Improvements in Android 14
https://www.securityweek.com/google-describes-privacy-security-improvements-in-android-14/
Google has released the first Android 14 developer preview and has announced some of the security improvements the platform update will include.
Google this week announced the availability of the first Android 14 developer preview and also shared details on some of the security and privacy improvements the platform update will bring.
Expected to arrive on devices sometime in fall, Android 14 brings new features and APIs, as well as behavioral changes that might impact applications. The purpose of the developer preview is to help application developers learn about these changes and test their applications for compatibility issues.
One of the security enhancements the platform update is set to bring is related to runtime receivers and builds on changes introduced in Android 13, when Google instructed developers to specify whether their application’s registered broadcast receiver should be visible to other apps on the device.
Before Android 13, any application could send unprotected broadcasts to dynamically-registered receivers that were not protected by a signature permission.
To help protect apps from security vulnerabilities, “apps and services that target Android 14 and use context-registered receivers are required to specify a flag to indicate whether or not the receiver should be exported to all other apps on the device,” Google says.
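An added illustration of the receiver flag described above; this is not code from the SecurityWeek article or from Google. The receiver class, action string and permission name are assumed, and the example shows the unflagged registration that older apps used beside the Android 13 flag that Android 14 requires for context-registered receivers.

```java
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.os.Build;

// Hypothetical in-app receiver: only this app's own components should be able
// to trigger it, e.g. to tell the UI that a background sync finished.
public final class SyncDoneReceiver extends BroadcastReceiver {
    // Assumed action string and permission name; a real app uses its own
    // package-prefixed names. The permission must be declared in the manifest
    // with android:protectionLevel="signature" for the fallback branch below.
    public static final String ACTION_SYNC_DONE = "com.example.app.SYNC_DONE";
    public static final String PERMISSION_INTERNAL = "com.example.app.permission.INTERNAL";

    @Override
    public void onReceive(Context context, Intent intent) {
        if (!ACTION_SYNC_DONE.equals(intent.getAction())) {
            return;
        }
        // Extras are still untrusted input: a receiver should never assume the
        // sender is benign just because the action string matched.
        int recordsSynced = intent.getIntExtra("records", 0);
        // ... update UI state with recordsSynced ...
    }

    // Weak form: before Android 13, a receiver registered like this (no flag, no
    // broadcast permission) was reachable by any app on the device that built an
    // Intent with ACTION_SYNC_DONE, which is the exposure the article describes.
    public static void registerUnprotected(Context context, SyncDoneReceiver receiver) {
        context.registerReceiver(receiver, new IntentFilter(ACTION_SYNC_DONE));
    }

    // Hardened form: the flag introduced in Android 13 and required when targeting
    // Android 14. RECEIVER_NOT_EXPORTED limits delivery to broadcasts sent by this
    // app itself (protected system broadcasts are still delivered); other apps'
    // broadcasts are not delivered. Use RECEIVER_EXPORTED only when other apps are
    // genuinely meant to reach the receiver, ideally behind a signature permission.
    public static void registerNotExported(Context context, SyncDoneReceiver receiver) {
        IntentFilter filter = new IntentFilter(ACTION_SYNC_DONE);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.TIRAMISU) {
            context.registerReceiver(receiver, filter, Context.RECEIVER_NOT_EXPORTED);
        } else {
            // Older platforms have no export flag; require a signature-level
            // permission from the sender instead so that only same-signature apps qualify.
            context.registerReceiver(receiver, filter, PERMISSION_INTERNAL, null);
        }
    }

    // Sending side: setting the package keeps the broadcast inside this app on every
    // platform version, independently of the receiver-side flag.
    public static void sendSyncDone(Context context, int records) {
        Intent intent = new Intent(ACTION_SYNC_DONE)
                .setPackage(context.getPackageName())
                .putExtra("records", records);
        context.sendBroadcast(intent);
    }
}
```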
Tomi Engdahl says:
Android’s February 2023 Updates Patch 40 Vulnerabilities
https://www.securityweek.com/androids-february-2023-updates-patch-40-vulnerabilities/
The February 2023 security updates for Android patch 40 vulnerabilities, including multiple high-severity escalation of privilege bugs.
Google this week announced the release of patches for 40 vulnerabilities as part of the February 2023 security updates for the Android operating system.
The first part of the update arrives on devices as a 2023-02-01 security patch level and resolves a total of 17 high-severity vulnerabilities impacting components such as Framework, Media Framework, and System.
“The most severe of these issues is a high security vulnerability in the Framework component that could lead to local escalation of privilege with no additional execution privileges needed,” Google notes in its advisory.
While most of the vulnerabilities addressed with this patch level could lead to escalation of privilege, several information disclosure and denial-of-service (DoS) bugs were also resolved.
The second part of the update arrives on devices as the 2023-02-05 security patch level and resolves 23 security defects in Kernel, MediaTek, Unisoc, Qualcomm, and Qualcomm closed-source components.
https://source.android.com/docs/security/bulletin/2023-02-01
Tomi Engdahl says:
Cybercrime Gang Uses Screenlogger to Identify High-Value Targets in US, Germany
https://www.securityweek.com/cybercrime-gang-uses-screenlogger-to-identify-high-value-targets-in-us-germany/
Russia-linked financially motivated threat actor TA866 targeting companies with custom malware, including a screenlogger, a bot, and an information stealer
A recently identified financially motivated threat actor is targeting companies in the United States and Germany with custom malware, including a screenlogger it uses for reconnaissance, Proofpoint reports.
Tracked as TA866, the adversary appears to have started the infection campaign in October 2022, with the activity continuing into January 2023.
As part of the campaign, which Proofpoint refers to as Screentime, victims are targeted with malicious emails containing an attachment or a URL that leads to the deployment of malware. In some cases, based on the attacker’s assessment of the victim, post-exploitation activity may commence.
Screentime: Sometimes It Feels Like Somebody’s Watching Me
https://www.proofpoint.com/us/blog/threat-insight/screentime-sometimes-it-feels-like-somebodys-watching-me
Key Findings
Proofpoint began tracking a new threat actor, TA866.
Proofpoint researchers first observed campaigns in October 2022 and activity has continued into 2023.
The activity appears to be financially motivated, largely targeting organizations in the United States and Germany.
With its custom toolset including WasabiSeed and Screenshotter, TA866 analyzes victim activity via screenshots before installing a bot and stealer.
Since October 2022 and continuing into January 2023, Proofpoint has observed a cluster of evolving financially motivated activity which we are referring to as “Screentime”. The attack chain starts with an email containing a malicious attachment or URL and leads to malware that Proofpoint dubbed WasabiSeed and Screenshotter. In some cases, Proofpoint observed post-exploitation activity involving AHK Bot and Rhadamanthys Stealer.
Proofpoint is tracking this activity under threat actor designation TA866. Proofpoint assesses that TA866 is an organized actor able to perform well thought-out attacks at scale based on their availability of custom tools; ability and connections to purchase tools and services from other vendors; and increasing activity volumes.
Tomi Engdahl says:
https://www.immuniweb.com/blog/french-police-arrested-notorious-hackers-wanted-by-finland-authorities.html
Tomi Engdahl says:
Documents, Code, Business Systems Accessed in Reddit Hack
Reddit says its systems were hacked following a sophisticated phishing attack aimed at employees.
https://www.securityweek.com/documents-code-business-systems-accessed-in-reddit-hack/
Tomi Engdahl says:
Reddit Confirms It Was Hacked—Recommends Users Set Up 2FA
https://www.forbes.com/sites/daveywinder/2023/02/10/reddit-confirms-it-was-hacked-recommends-users-set-up-2fa/?sh=587fac6b68e9
Reddit, the social news and discussion site with 50 million daily users, has confirmed that it has been hacked. In a February 9 security incident posting on the site itself, Reddit said it first became aware of the successful breach of its systems late on February 5. In what it refers to as a “sophisticated phishing campaign that targeted Reddit employees,” the incident alert confirmed that the attacker gained access to internal documents and code, as well as internal dashboards and business systems. However, Reddit also stated that there was no evidence that the systems used to run Reddit itself and store the majority of data, the primary production systems in other words, were breached.
Tomi Engdahl says:
GoAnywhere MFT Zero-Day Exploitation Linked to Ransomware Attacks
https://www.securityweek.com/goanywhere-mft-zero-day-exploitation-linked-to-ransomware-attacks/
The exploitation of a GoAnywhere MFT zero-day vulnerability has been linked to a cybercrime group and ransomware attacks.
The recent exploitation of a zero-day vulnerability in the GoAnywhere managed file transfer (MFT) software has been linked by a cybersecurity firm to a known cybercrime group that has likely attempted to exploit the flaw in a ransomware attack.
On February 1, Fortra alerted GoAnywhere MFT users about a zero-day remote code injection exploit. The vendor immediately provided indicators of compromise (IoCs) and mitigations, but released a patch only a week later.
Users, particularly those who are running an admin portal that is exposed to the internet, have been instructed to urgently install the patch.
There appear to be more than 1,000 internet-exposed instances of GoAnywhere. However, according to the vendor, exploitation requires access to the application’s admin console, and at least some of the exposed instances are associated with the product’s web client interface, which is not impacted.
Huntress has linked the attack to a malware family named Truebot, which was previously associated with a Russian-speaking threat actor named Silence. This group has also been linked to TA505, a threat group known for distributing the notorious Cl0p ransomware.
“Based on observed actions and previous reporting, we can conclude with moderate confidence that the activity Huntress observed was intended to deploy ransomware, with potentially additional opportunistic exploitation of GoAnywhere MFT taking place for the same purpose,” Huntress said in a blog post.
Cybersecurity firm Rapid7 has analyzed the vulnerability and assigned it the CVE identifier CVE-2023-0669.
https://attackerkb.com/topics/mg883Nbeva/cve-2023-0669
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/vmware-warns-admins-to-patch-esxi-servers-disable-openslp-service/
Tomi Engdahl says:
Hackers are selling a service that bypasses ChatGPT restrictions on malware
ChatGPT restrictions on the creation of illicit content are easy to circumvent.
https://arstechnica.com/information-technology/2023/02/now-open-fee-based-telegram-service-that-uses-chatgpt-to-generate-malware/
Tomi Engdahl says:
Backdoor in Dingo Cryptocurrency Allows Creator to Steal (Nearly) Everything
https://www.darkreading.com/risk/backdoor-dingo-cryptocurrency-allows-creator-steal-nearly-everything
A tax variable in the software implementing the Dingo Token allows the creators to charge 99% in fees per transaction, essentially stealing funds, an analysis finds.
Tomi Engdahl says:
This is how extensively Chinese smartphones track their users – the data keeps flowing even if the user leaves the country
7.2.2023 10:20 | updated 7.2.2023 10:35
Smartphones sold in China are full of pre-installed apps that track their users and send data to Chinese companies.
https://www.mikrobitti.fi/uutiset/nain-hurjasti-kiinalaiset-alypuhelimet-seuraavat-kayttajiaan-tieto-liikkuu-vaikka-kayttaja-lahtisi-maasta/c64705b5-6fa7-45b5-8201-f96d500caeed
Tomi Engdahl says:
Hackers backdoor Windows devices in Sliver and BYOVD attacks
https://www.bleepingcomputer.com/news/security/hackers-backdoor-windows-devices-in-sliver-and-byovd-attacks/
Tomi Engdahl says:
US NIST unveils winning encryption algorithm for IoT data protection
https://www.bleepingcomputer.com/news/security/us-nist-unveils-winning-encryption-algorithm-for-iot-data-protection/
The National Institute of Standards and Technology (NIST) announced that ASCON is the winning bid for the “lightweight cryptography” program to find the best algorithm to protect small IoT (Internet of Things) devices with limited hardware resources.
Small IoT devices are becoming increasingly popular and omnipresent, used in wearable tech, “smart home” applications, etc. However, they are still used to store and handle sensitive personal information, such as health data, financial details, and more.
That said, implementing a standard for encrypting data is crucial in securing people’s data.
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/microsoft/microsoft-says-intel-driver-bug-crashes-apps-on-windows-pcs/
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/microsoft/microsoft-to-retire-its-support-diagnostic-tool-msdt-in-2025/
Tomi Engdahl says:
Ransomware crooks steal 3m+ patients’ medical records, personal info
All that data coming soon to a darkweb crime forum near you?
https://www.theregister.com/2023/02/11/ransomware_regal_medical_group/
Tomi Engdahl says:
Microsoft WinGet package manager failing from expired SSL certificate
https://www.bleepingcomputer.com/news/security/microsoft-winget-package-manager-failing-from-expired-ssl-certificate/
Microsoft’s WinGet package manager is currently having problems installing or upgrading packages after WinGet CDN’s SSL/TLS certificate expired.
Released in May 2020, the open source Windows Package Manager (WinGet) allows users to install applications directly from the command line.
WinGet down after CDN’s SSL expires
Both the warning and the certificate details confirm that WinGet CDN’s certificate stopped being valid over the weekend
What is a temporary solution?
Until Microsoft renews the SSL certificate, WinGet users can rest easy knowing there’s an alternate workaround to address the situation.
Once Microsoft has renewed the primary CDN’s certificate, users can optionally choose to reset their source URLs
Tomi Engdahl says:
Reddit admits it was hacked and data stolen, says “Don’t panic” https://nakedsecurity.sophos.com/2023/02/10/reddit-admits-it-was-hacked-and-data-stolen-says-dont-panic/
Popular social media site Reddit (orange Usenet with ads, as we’ve somewhat ungraciously heard it described) is the latest well-known web property to suffer a data breach in which its own source code was stolen. In recent weeks, LastPass and GitHub have confessed to similar experiences, with cybercriminals apparently breaking and entering in much the same way: by figuring out a live access code or password for an individual staff member, and sneaking in under cover of that individual’s corporate identity.
Tomi Engdahl says:
North Korean ransomware attacks on healthcare fund govt operations https://www.bleepingcomputer.com/news/security/north-korean-ransomware-attacks-on-healthcare-fund-govt-operations/
A new cybersecurity advisory from the U.S. Cybersecurity & Infrastructure Security Agency (CISA) describes recently observed tactics, techniques, and procedures (TTPs) observed with North Korean ransomware operations against public health and other critical infrastructure sectors. The document is a joint report from the NSA, FBI, CISA, U.S. HHS, and the Republic of Korea National Intelligence Service and Defense Security Agency, and notes that the funds extorted this way went to support North Korean government’s national-level priorities and objectives.
Tomi Engdahl says:
Researchers Uncover Obfuscated Malicious Code in PyPI Python Packages https://thehackernews.com/2023/02/researchers-uncover-obfuscated.html
Four different rogue packages in the Python Package Index (PyPI) have been found to carry out a number of malicious actions, including dropping malware, deleting the netstat utility, and manipulating the SSH authorized_keys file. The packages in question are aptx, bingchilling2, httops, and tkint3rs, all of which were collectively downloaded about 450 times before they were taken down. While aptx is an attempt to impersonate Qualcomm’s highly popular audio codec of the same name, httops and tkint3rs are typosquats of https and tkinter, respectively.
Tomi Engdahl says:
Radio silence from DMS vendor quartet over XSS zero-days https://portswigger.net/daily-swig/radio-silence-from-dms-vendor-quartet-over-xss-zero-days
Researchers have disclosed a raft of serious document management system (DMS) vulnerabilities impacting four enterprise vendors who have not yet resolved the issues. In a blog post published on Tuesday (February 7), Tod Beardsley, director of research at Rapid7, said the cross-site scripting (XSS) flaws affected vendors ONLYOFFICE, OpenKM, LogicalDOC, and Mayan. All software examined by Rapid7 are on-prem, cloud, open source, or freemium DMS solutions.
Tomi Engdahl says:
Maine govt says state systems were not breached despite hacking group’s claims https://therecord.media/maine-govt-says-state-systems-were-not-breached-despite-hacking-groups-claims/
Maine government officials denied that a notorious hacking group breached their systems after the gang boasted of stealing information this week. The GhostSec hacking group posted to Telegram on Thursday claiming that they stole 40 GB of data from Maine’s government websites. The group provided a zip file of the data they stole. But Sharon Huntley, director of communications for Maine’s Department of Administrative and Financial Services, said their IT team confirmed that the group simply downloaded public-facing information that is available on Maine’s Department of Environmental Protection (DEP) website.
Tomi Engdahl says:
California medical group data breach impacts 3.3 million patients https://www.bleepingcomputer.com/news/security/california-medical-group-data-breach-impacts-33-million-patients/
Multiple medical groups in the Heritage Provider Network in California have suffered a ransomware attack, exposing sensitive patient information to cybercriminals. The medical groups impacted by the cyberattack are Regal Medical Group, Lakeside Medical Organization, ADOC Medical Group, and Greater Covina Medical. The entities collectively issued a notice of data breach at the start of the month and shared a sample letter with the California Attorney General’s office earlier this week. Today, the healthcare organization reported on the U.S. Department of Health and Human Services breach portal that the data of 3,300,638 patients was exposed in the attack.
Tomi Engdahl says:
KillNet hits healthcare sector with DDoS attacks https://www.malwarebytes.com/blog/news/2023/02/killnet-group-targets-us-and-european-hospitals-with-ddos-attacks
At the end of January, the Health Sector Cybersecurity Coordination Center warned that the KillNet group is actively targeting the US healthcare sector with distributed denial-of-service (DDoS) attacks.
The Cybersecurity and Infrastructure Security Agency (CISA) says it helped dozens of hospitals respond to these DDoS incidents. A distributed denial-of-service attack uses numerous systems to send network communication requests to one specific target. Often the attackers use enslaved computers, “bots”, to send the requests. The result is that the receiving server is overloaded by nonsense requests that either crash the server or keep it so busy that normal users are unable to connect to it.
Tomi Engdahl says:
Clop ransomware claims to be behind GoAnywhere zero-day attacks https://www.bleepingcomputer.com/news/security/clop-ransomware-claims-to-be-behind-goanywhere-zero-day-attacks/
The Clop ransomware gang claims to be behind recent attacks that exploited a zero-day vulnerability in the GoAnywhere MFT secure file transfer tool, saying they stole data from over 130 organizations. The security flaw, now tracked as CVE-2023-0669, enables attackers to gain remote code execution on unpatched GoAnywhere MFT instances with their administrative console exposed to Internet access. Clop reached out to BleepingComputer and told us that they had allegedly stolen the data over the course of ten days after breaching servers vulnerable to exploits targeting this bug.