Cyber security news March 2023

This posting is here to collect cyber security news in March 2023.

I post links to security vulnerability news in the comments of this article.

You are also free to post related links to comments.

374 Comments

  1. Tomi Engdahl says:

    Critical Vulnerabilities Allow Hackers to Take Full Control of Wago PLCs
    Wago has patched critical vulnerabilities that can allow hackers to take complete control of its programmable logic controllers (PLCs).
    https://www.securityweek.com/critical-vulnerabilities-allow-hackers-to-take-full-control-of-wago-plcs/

    Reply
  2. Tomi Engdahl says:

    Helsinki Region Transport’s website is down; ticket sales in the app are struggling
    According to HSL, the Journey Planner (Reittiopas) works and ticket sales work for the most part. HSL has instructed drivers and ticket inspectors to use case-by-case discretion.
    https://yle.fi/a/74-20021981

    Reply
  3. Tomi Engdahl says:

    The long, solder-heavy way to get root access to a Starlink terminal
    Zapping the satellite board at just the right time can grant deeper access.
    https://arstechnica.com/gadgets/2022/11/the-long-solder-heavy-way-to-get-root-access-to-a-starlink-terminal/

    Reply
  4. Tomi Engdahl says:

    See for yourself: the new OmaVero scam is exceptionally cunning. Could you tell the genuine page apart?
    https://www.is.fi/digitoday/tietoturva/art-2000009445268.html
    Finns have been defrauded this past week by OmaVero scams in which a search engine may lead to phishing pages instead of the genuine OmaVero pages. The scam link redirects to the phishing site on mobile devices. These are sponsored search results, i.e. advertisements, which are easy to confuse with genuine search results. According to the National Cyber Security Centre at the Finnish Transport and Communications Agency Traficom, the scam link has appeared on other search engines besides Google. The scam’s credibility, however, holds up all the way to the end.
    The fraudulent login page is almost identical to the genuine one.
    According to the National Cyber Security Centre, the page can only be told apart by looking at the browser’s address bar.

    Reply
  5. Tomi Engdahl says:

    GitHub rolls out mandatory 2FA for loads of devs next week https://www.theregister.com/2023/03/09/github_2fa_requirement/
    Microsoft’s GitHub code hosting biz plans to begin requiring developers who contribute to public projects to secure their accounts using two-factor authentication (2FA) by Monday, March 13. The heightened security posture has been in the works since last year, when the company announced it would make 2FA obligatory by the end of 2023, following a prior, more targeted 2FA mandate. The reason for the bother is that compromising the account of a software developer has the potential to provide the attacker with access to all the devices running the developer’s code, possibly a huge attack surface expansion given the widespread code sharing GitHub enables.

    Reply
  6. Tomi Engdahl says:

    GoBruteforcer: Golang-Based Botnet Actively Harvests Web Servers https://unit42.paloaltonetworks.com/gobruteforcer-golang-botnet/
    Unit 42 researchers recently discovered a new sample of Golang-based malware. We have dubbed it GoBruteforcer, and it targets web servers, specifically those running phpMyAdmin, MySQL, FTP and Postgres services. The sample was originally captured from our Next-Generation Firewall. Upon further research, we found that the malware was hosted on a legitimate website. Further investigation revealed that the attacker hosted binaries for x86, x64 and ARM processor architectures.
    We also discovered that GoBruteforcer had deployed an internet relay chat (IRC) bot on the victim server, which communicates with the attacker’s server. This blog details information collected based on a static overview of the GoBruteforcer attack chain components. For successful execution, the samples require special conditions on the victim system, like specific arguments being used and targeted services already being installed (with weak passwords).

    Reply
  7. Tomi Engdahl says:

    Stealing the LIGHTSHOW (Part One) North Korea’s UNC2970
    https://www.mandiant.com/resources/blog/lightshow-north-korea-unc2970
    Since June 2022, Mandiant has been tracking a campaign targeting Western Media and Technology companies from a suspected North Korean espionage group tracked as UNC2970. In June 2022, Mandiant Managed Defense detected and responded to a UNC2970 phishing campaign targeting a U.S.-based technology company. During this operation, Mandiant observed UNC2970 leverage three new code families: TOUCHMOVE, SIDESHOW, and TOUCHSHIFT. Mandiant suspects UNC2970 specifically targeted security researchers in this operation. Following the identification of this campaign, Mandiant responded to multiple UNC2970 intrusions targeting U.S. and European Media organizations through spear-phishing that used a job recruitment theme and demonstrated advancements in the group’s ability to operate in cloud environments and against Endpoint Detection and Response (EDR) tools.
    UNC2970 is suspected with high confidence to be UNC577, also known as Temp.Hermit. UNC577 is a cluster of North Korean cyber activity that has been active since at least 2013. The group has significant malware overlaps with other North Korean operators and is believed to share resources, such as code and complete malware tools, with other distinct actors.

    Reply
  8. Tomi Engdahl says:

    cURL, the omnipresent data tool, is getting a 25th birthday party this month https://arstechnica.com/information-technology/2023/03/curl-the-omnipresent-data-tool-is-getting-a-25th-birthday-party-this-month/
    When you first start messing with the command line, it can feel like there’s an impermeable wall between the local space you’re messing around in and the greater Internet. On your side, you’ve got your commands and files, and beyond the wall, there are servers, images, APIs, webpages, and more bits of useful, ever-changing data. One of the most popular ways through that wall has been cURL, or “client URL,” which turns 25 this month. The cURL tool started as a way for programmer Daniel Stenberg to let Internet Relay Chat users quickly fetch currency exchange rates while still inside their chat window. As detailed in an archived history of the project, it was originally built off an existing command-line tool, httpget, built by Rafael Sagula. A 1.0 version was released in 1997, then changed names to urlget by 2.0, as it had added in GOPHER, FTP, and other protocols. By 1998, the tool could upload as well as download, and so version 4.0 was named cURL.

    Reply
  9. Tomi Engdahl says:

    Microsoft OneNote to get enhanced security after recent malware abuse https://www.bleepingcomputer.com/news/microsoft/microsoft-onenote-to-get-enhanced-security-after-recent-malware-abuse/
    Microsoft will introduce improved protection against phishing attacks pushing malware via malicious Microsoft OneNote files. In a new Microsoft 365 roadmap entry published today titled “Microsoft OneNote: improved protection against known high risk phishing file types,” the company revealed that this change would likely reach general availability sometime before the end of April 2023. “We add enhanced protection when users open or download an embedded file in OneNote,” Redmond explained. “Users will receive a notification when the files deem dangerous to improve the file protection experience in OneNote on Windows.”

    Reply
  10. Tomi Engdahl says:

    TikTok “a loaded gun” says NSA
    https://www.malwarebytes.com/blog/news/2023/03/tiktok-closer-to-getting-banned-because-it-could-use-data-to-influence-opinions
    America’s TikTok-addicted youth is playing with a “loaded gun” according to General Paul Nakasone, Director of the National Security Agency (NSA). Speaking at a US Senate hearing on Wednesday, the general said “one third of Americans get their news from TikTok”, adding “one sixth of American youth say they’re constantly on TikTok. That’s a loaded gun.” TikTok is an immensely popular social media platform that allows users to create, share, and discover short video clips. It’s enjoyed explosive growth since it first appeared in 2017, and now it claims to have 1 billion users, an estimated 100 million of them in the US. Unique among major social media apps, TikTok is owned by a Chinese company, Bytedance. Due to its ties with China and the ruling Chinese Communist Party (CCP), the platform has been under a national security review by the government’s Committee on Foreign Investment in the US, or CFIUS, and will soon be banned on federal devices.

    Reply
  11. Tomi Engdahl says:

    Brazil seizing Flipper Zero shipments to prevent use in crime https://www.bleepingcomputer.com/news/security/brazil-seizing-flipper-zero-shipments-to-prevent-use-in-crime/
    The Brazilian National Telecommunications Agency is seizing incoming Flipper Zero purchases due to its alleged use in criminal activity, with purchasers stating that the government agency has rejected all attempts to certify the equipment. Flipper Zero is a portable multi-function cybersecurity tool that allows pentesters and hacking enthusiasts to tinker with a wide range of hardware by supporting RFID emulation, digital access key cloning, radio communications, NFC, infrared, Bluetooth, and more. Since it was released, security researchers have demonstrated Flipper Zero’s features on social media, showing how it can trigger doorbells, perform replay attacks to open garage doors and unlock cars, and be used as a digital key

    Reply
  12. Tomi Engdahl says:

    Silicon Valley Bank Seized by FDIC as Depositors Pull Cash
    https://www.securityweek.com/silicon-valley-bank-seized-by-fdic-as-depositors-pull-cash/

    The FDIC seized the assets of Silicon Valley Bank on Friday, which could impact cybersecurity firms that use the bank’s services.

    The Federal Deposit Insurance Corporation seized the assets of Silicon Valley Bank on Friday, marking the largest bank failure since Washington Mutual during the height of the 2008 financial crisis.

    The bank failed after depositors — mostly technology workers and venture capital-backed companies — began withdrawing their money, creating a run on the bank.

    Silicon Valley Bank was heavily exposed to the tech industry, and there is little chance of contagion in the banking sector as there was in the months leading up to the Great Recession more than a decade ago. Major banks have sufficient capital to avoid a similar situation.

    The FDIC ordered the closure of Silicon Valley Bank and immediately took possession of all deposits at the bank Friday. The bank had $209 billion in assets and $175.4 billion in deposits at the time of failure, the FDIC said in a statement. It was unclear how much of the deposits was above the $250,000 insurance limit at the moment.

    Reply
  13. Tomi Engdahl says:

    Unpatched Akuvox Smart Intercom Vulnerabilities Can Be Exploited for Spying
    https://www.securityweek.com/unpatched-akuvox-smart-intercom-vulnerabilities-can-be-exploited-for-spying/

    Researchers discover a dozen serious vulnerabilities in Akuvox smart intercom, but the vendor has not released any patches.

    Reply
  14. Tomi Engdahl says:

    Chrome 111 Patches 40 Vulnerabilities
    https://www.securityweek.com/chrome-111-patches-40-vulnerabilities/

    Google has released Chrome 111 in the stable channel with patches for 40 vulnerabilities, including eight high-severity bugs

    Google this week announced the release of Chrome 111 to the stable channel with patches for 40 vulnerabilities.

    A total of 24 of the addressed security defects were reported by external researchers. These include eight high-severity flaws, 11 medium-severity bugs, and five low-severity issues.

    Three of the high-severity vulnerabilities reported by external researchers are use-after-free bugs impacting Swiftshader, DevTools, and WebRTC, for which Google handed out bounty rewards of $15,000, $4,000, and $3,000, respectively.

    The internet giant’s advisory also mentions two type confusion flaws in V8 and CSS, awarded $10,000 and $7,000, respectively; a stack buffer overflow issue in Crash reporting, for which a $3,000 reward was paid; and two heap buffer overflow bugs in Metrics and UMA, for which rewards have yet to be determined.

    Reply
  15. Tomi Engdahl says:

    Cybercrime site shows off with a free leak of 2 million stolen card numbers https://therecord.media/bidencash-2million-credit-cards-cybercrime-market/
    A Russian-language dark web shop known as BidenCash recently attracted attention from cybersecurity researchers by posting a leak – for free – of 2 million stolen payment card numbers. The good news, researchers say, is that many of the compromised numbers have been available for purchase on the dark web for a while – meaning they likely have been exposed to fraud already, causing financial institutions to cancel them.

    Reply
  16. Tomi Engdahl says:

    Chinese hackers use new custom backdoor to evade detection https://www.bleepingcomputer.com/news/security/chinese-hackers-use-new-custom-backdoor-to-evade-detection/
    The Chinese cyber espionage hacking group Mustang Panda was seen deploying a new custom backdoor named ‘MQsTTang’ in attacks starting this year. The backdoor malware does not appear to be based on previous malware, indicating the hackers likely developed it to evade detection and make attribution harder. ESET’s researchers discovered MQsTTang in a campaign that started in January 2023 and is still ongoing. The campaign targets government and political organizations in Europe and Asia, focusing on Taiwan and Ukraine

    Reply
  17. Tomi Engdahl says:

    Disobey, Museokortti & NCSC-FI
    https://underfl0w.com/disobey-ncsc-fi-and-museokortti/
    Underfl0w’s infosec corner wrote a short post about reporting a vulnerability to NCSC-FI

    Reply
  18. Tomi Engdahl says:

    Outlook app to get built-in Microsoft 365 MFA on Android, iOS https://www.bleepingcomputer.com/news/microsoft/outlook-app-to-get-built-in-microsoft-365-mfa-on-android-ios/
    Microsoft will soon fast-track multi-factor authentication (MFA) adoption for its Microsoft 365 cloud productivity platform by adding MFA capabilities to the Outlook email client. The company says in a new Microsoft 365 roadmap entry that users will be able to complete MFA requests for Microsoft 365 apps directly in the Outlook app via a new feature dubbed Authenticator Lite. With Authenticator Lite, users will be able to log into their work or school account via Outlook with an extra layer of security. The feature will be available in Outlook mobile apps for iOS and Android devices, and it will likely require users to enter a code or approve a notification after entering their password

    Reply
  19. Tomi Engdahl says:

    Threat Actors Abuse AI-Generated Youtube Videos to Spread Stealer Malware https://cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware
    Since November 2022 there has been a 200-300% month-on-month increase in Youtube videos containing links to stealer malware such as Vidar, RedLine, and Raccoon in their descriptions. The videos lure users by pretending to be tutorials on how to download cracked versions of software such as Photoshop, Premiere Pro, Autodesk 3ds Max, AutoCAD, and other products that are licensed products available only to paid users. Usually, the videos use a screen recording or audio walkthrough of the steps to download and install the software. However, there has recently been an increase in the use of AI-generated videos from platforms such as Synthesia and D-ID, being used in the videos. It is well known that videos featuring humans, especially those with certain facial features, appear more familiar and trustworthy

    Reply
  20. Tomi Engdahl says:

    Emotet Returns, Now Adopts Binary Padding for Evasion https://www.trendmicro.com/en_us/research/23/c/emotet-returns-now-adopts-binary-padding-for-evasion.html
    Following a three-month hiatus, Emotet spam activities resumed in March 2023, when a botnet known as Epoch 4 began delivering malicious documents embedded in Zip files that were attached to the emails. The threat actors behind Emotet continue to use malicious documents containing macros to deliver the malicious payload. Note that while Microsoft disabled macros from the internet by default in 2022, the document template employs social engineering techniques to trick users into enabling macros to allow the attack to proceed as intended

    Reply
  21. Tomi Engdahl says:

    Dark Pink APT Group Strikes Government Entities in South Asian Countries https://blog.eclecticiq.com/dark-pink-apt-group-strikes-government-entities-in-south-asian-countries
    In February 2023, EclecticIQ researchers identified multiple KamiKakaBot malware samples which are very likely used to target government entities in ASEAN (Association of Southeast Asian Nations) countries.
    The latest attacks, which took place in February 2023, were almost identical to previous attacks reported by Group-IB on January 11, 2023 (1). In January 2023, the threat actors used ISO images to deliver KamiKakaBot, which was executed using a DLL side-loading technique.
    The main difference in the February campaign is that the malware’s obfuscation routine has improved to better evade anti-malware measures. Multiple overlaps in this new campaign aided EclecticIQ analysts in attributing it very likely to the Dark Pink APT group

    Reply
  22. Tomi Engdahl says:

    DEV-1101 enables high-volume AiTM campaigns with open-source phishing kit https://www.microsoft.com/en-us/security/blog/2023/03/13/dev-1101-enables-high-volume-aitm-campaigns-with-open-source-phishing-kit/
    Adversary-in-the-middle (AiTM) phishing kits are part of an increasing trend that is observed supplanting many other less advanced forms of phishing. AiTM phishing is capable of circumventing multifactor authentication (MFA) through reverse-proxy functionality. DEV-1101 is an actor tracked by Microsoft responsible for the development, support, and advertising of several AiTM phishing kits, which other cybercriminals can buy or rent. The availability of such phishing kits for purchase by attackers is part of the industrialization of the cybercriminal economy and lowers the barrier of entry for cybercrime.
    DEV-1101 offers an open-source kit that automates setting up and launching phishing activity and provides support services to attackers. The threat actor group began offering their AiTM phishing kit in 2022, and since then has made several enhancements to their kit, such as the capability to manage campaigns from mobile devices, as well as evasion features like CAPTCHA pages. These attributes make the kit attractive to many different actors who have continually put it to use since it became available in May 2022. Actors using this kit have varying motivations and targeting and might target any industry or sector

    Reply
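
The MFA bypass the Microsoft post above describes, modelled in Python as an added example (not code from the page, from Microsoft, or from any phishing kit): a reverse proxy relays a victim’s password and TOTP code to the real site and keeps the resulting session, while an origin-bound credential in the WebAuthn style fails the same relay because the signed client data names the proxy’s origin rather than the genuine one. The two origins, the user, the tiny server and the HMAC standing in for the authenticator’s real public-key signature are all assumptions made for the model; the HOTP/TOTP code follows RFC 4226/6238.

```python
import hashlib
import hmac
import secrets
import struct

# Hypothetical origins for the model; neither is a real site.
REAL_ORIGIN = "https://login.example.com"
PROXY_ORIGIN = "https://login.example.com.evil.test"   # the AiTM reverse proxy


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP (HMAC-SHA1 + dynamic truncation); TOTP feeds it a time step."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, now: float, step: int = 30) -> str:
    return hotp(secret, int(now // step))


class User:
    """The victim: a password, a TOTP seed and a FIDO-style authenticator."""

    def __init__(self):
        self.password = "correct horse battery staple"
        self.totp_secret = secrets.token_bytes(20)
        # Assumption: an HMAC key stands in for the authenticator's private key,
        # so the server below holds the same key instead of a public key.
        self.authenticator_key = secrets.token_bytes(32)

    def sign_assertion(self, challenge: bytes, origin_seen: str) -> bytes:
        # WebAuthn signs client data that includes the origin the browser is
        # actually talking to; the authenticator never sees the "intended" site.
        return hmac.new(self.authenticator_key, challenge + origin_seen.encode(), hashlib.sha256).digest()


class Server:
    """The genuine login service at REAL_ORIGIN."""

    def __init__(self, user: User):
        self.user = user
        self.pending = set()

    def _session(self) -> str:
        return secrets.token_hex(16)   # the cookie an AiTM proxy is after

    def login_totp(self, password: str, code: str, now: float):
        ok = hmac.compare_digest(password, self.user.password) and \
            hmac.compare_digest(code, totp(self.user.totp_secret, now))
        return self._session() if ok else None

    def begin_webauthn(self) -> bytes:
        challenge = secrets.token_bytes(32)
        self.pending.add(challenge)
        return challenge

    def finish_webauthn(self, challenge: bytes, signature: bytes):
        if challenge not in self.pending:
            return None
        self.pending.discard(challenge)
        # The server checks the signature against ITS OWN origin, not the proxy's.
        expected = hmac.new(self.user.authenticator_key, challenge + REAL_ORIGIN.encode(), hashlib.sha256).digest()
        return self._session() if hmac.compare_digest(expected, signature) else None


def aitm_totp(server: Server, victim: User, now: float):
    """Proxy shows the victim a cloned page, collects password + OTP, replays them."""
    password_typed = victim.password                    # victim types into the proxy page
    code_typed = totp(victim.totp_secret, now)          # OTP does not depend on the origin ...
    return server.login_totp(password_typed, code_typed, now)   # ... so the replay succeeds


def aitm_webauthn(server: Server, victim: User):
    """Same proxy, but the victim authenticates with an origin-bound credential."""
    challenge = server.begin_webauthn()                 # proxy fetches a real challenge
    signature = victim.sign_assertion(challenge, PROXY_ORIGIN)   # browser signs what it sees
    return server.finish_webauthn(challenge, signature)          # origin mismatch -> None


def direct_webauthn(server: Server, user: User):
    challenge = server.begin_webauthn()
    return server.finish_webauthn(challenge, user.sign_assertion(challenge, REAL_ORIGIN))


if __name__ == "__main__":
    u = User()
    s = Server(u)
    print("TOTP through proxy  :", aitm_totp(s, u, 1_678_700_000.0))   # session token captured
    print("WebAuthn via proxy  :", aitm_webauthn(s, u))                 # None
    print("WebAuthn direct     :", direct_webauthn(s, u))               # session token
```

The point the model makes is that the proxy never has to break MFA: it only has to sit between the victim and the real site, and any factor that is just a value the user types survives the relay. A credential whose signature covers the origin does not, which is why phishing-resistant MFA (FIDO2/WebAuthn, certificate-based) and conditional access on device or token binding are the usual answers to kits of this kind.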
  23. Tomi Engdahl says:

    CISA Warns of Plex Vulnerability Linked to LastPass Hack
    https://www.securityweek.com/cisa-warns-of-plex-vulnerability-linked-to-lastpass-hack/

    CISA has added vulnerabilities in Plex Media Server and VMware NSX-V to its Known Exploited Vulnerabilities catalog.

    The US Cybersecurity and Infrastructure Security Agency (CISA) has added vulnerabilities impacting Plex and VMware products to its Known Exploited Vulnerabilities (KEV) catalog.

    Tracked as CVE-2020-5741, the first is a high-severity flaw in Plex Media Server that is described as a deserialization issue that can be exploited to execute arbitrary Python code, remotely.

    “This issue allowed an attacker with access to the server administrator’s Plex account to upload a malicious file via the Camera Upload feature and have the media server execute it,” Plex noted in a May 2020 advisory.

    Addressed with the release of Plex Media Server 1.19.3, the vulnerability requires the attacker to have admin access to a Plex Media Server for successful exploitation, which made it unlikely to be targeted in attacks.

    Reply
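
The advisory above describes CVE-2020-5741 only as a deserialization flaw that executes arbitrary Python code from an uploaded file; the page does not say which serialization format was involved. The following added example (not Plex code) therefore uses Python’s pickle, the standard library’s own instance of this bug class: a loader that trusts uploaded data executes any callable the data names, while a restricted unpickler that only admits plain data containers refuses it. The upload handler names, the payload class and its harmless os.getpid stand-in are constructed for the demonstration.

```python
import builtins
import io
import os
import pickle

# Hypothetical upload handlers written for this example; not Plex code.


def load_upload_unsafe(blob: bytes):
    """Deserialises whatever was uploaded; pickle imports and calls any global the data names."""
    return pickle.loads(blob)


class RestrictedUnpickler(pickle.Unpickler):
    """Only plain data containers may be reconstructed; every other global is refused."""

    ALLOWED = {("builtins", "dict"), ("builtins", "list"), ("builtins", "set"),
               ("builtins", "str"), ("builtins", "int")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"refusing to load global {module}.{name}")


def load_upload_safe(blob: bytes):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def rejects(blob: bytes) -> bool:
    """True when the restricted loader refuses the blob."""
    try:
        load_upload_safe(blob)
    except pickle.UnpicklingError:
        return True
    return False


class Payload:
    """Constructed attacker object: on unpickling, the named callable runs with these args.
    os.getpid is a harmless stand-in for the os.system/subprocess call a real payload would name."""

    def __reduce__(self):
        return (os.getpid, ())


MALICIOUS_BLOB = pickle.dumps(Payload())                       # what an attacker would upload
BENIGN_BLOB = pickle.dumps({"camera": "front door", "frames": [1, 2, 3]})

if __name__ == "__main__":
    print("unsafe loader ran os.getpid():", load_upload_unsafe(MALICIOUS_BLOB))
    print("restricted loader rejects it:", rejects(MALICIOUS_BLOB))
    print("restricted loader still reads plain data:", load_upload_safe(BENIGN_BLOB))
```

Note that the allow-list approach is a mitigation, not a cure: pickle remains a code-execution format by design, and the durable fix for an upload path is a data-only format such as JSON with schema validation. The admin-access precondition the advisory mentions is what kept this particular bug low on attackers’ lists; the LastPass incident shows what happens when that precondition is met by a compromised account.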
  24. Tomi Engdahl says:

    Zoll Medical Data Breach Impacts 1 Million Individuals
    https://www.securityweek.com/zoll-medical-data-breach-impacts-1-million-individuals/

    Zoll Medical is notifying one million individuals that their personal information was compromised in a data breach earlier this year.

    Medical technology developer Zoll Medical is notifying roughly one million individuals that their personal information might have been compromised in a recent data breach.

    Zoll develops and markets medical equipment and software for advanced emergency care, including cardiac monitoring, oxygen therapy, ventilation, data management, and more.

    The data breach, the company says, was identified at the end of January, when it discovered unusual activity on its internal network.

    “We determined that your information may have been affected on or about February 2, 2023. Our investigation into the incident is ongoing,” Zoll wrote in a notification letter, a copy of which was submitted to the Maine Attorney General’s office.

    Reply
  25. Tomi Engdahl says:

    Millions of AT&T Customers Notified of Data Breach at Third-Party Vendor
    https://www.securityweek.com/millions-of-att-customers-notified-of-data-breach-at-third-party-vendor/

    AT&T is notifying millions of wireless customers that their CPNI was compromised in a data breach at a third-party vendor.

    US mobile phone carrier AT&T is notifying millions of wireless customers that their customer proprietary network information (CPNI) was compromised in a data breach at a third-party vendor.

    One of the largest carriers in the US, AT&T has roughly 200 million wireless customers, but only a small percentage of the total has been impacted by the incident.

    “Approximately 9 million wireless accounts had their Customer Proprietary Network Information accessed,” AT&T said in an emailed statement.

    “We recently determined that an unauthorized person breached a vendor’s system and gained access to your ‘customer proprietary network information’ (CPNI),” the company told impacted customers in an email notification, copies of which were shared by users on AT&T’s community forums.

    Reply
  26. Tomi Engdahl says:

    Euler Loses Nearly $200 Million to Flash Loan Attack
    https://www.securityweek.com/euler-loses-nearly-200-million-to-flash-loan-attack/

    London, UK based De-Fi platform company Euler has lost a reported $196 million to a flash loan attack.

    A flash loan is an instant unsecured loan controlled by smart contracts. It allows a borrower to obtain collateral, use that collateral for its purposes, and return the collateral to its source provided it all occurs within a single transaction. It consequently relies on a sequence of complex conditions.

    A legitimate example could be a trader wishing to take instant advantage of different coin values on different platforms: borrow the money without collateral, buy at the low price and sell at the high price, and return the loan instantly.

    The concept was pioneered in 2020 by the Ethereum lending platform Aave, which states in its documentation, “There is no real-world analogy to Flash Loans.” Coindesk adds, “The concept is new and still has a lot of kinks [as] new hacks are making abundantly clear.”

    Details of this attack are not yet clear.

    Reply
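
The flash-loan mechanics the article above describes (unsecured borrowing that must be settled inside a single transaction), simulated in Python as an added example that is not code from the page, from Euler or from Aave: a ledger that snapshots and restores state on revert, a loan that reverts unless the pool is repaid with a fee before the transaction ends, and a borrower that arbitrages two constructed venues. The fee, prices and balances are illustrative assumptions; nothing here models the Euler attack itself, whose details the page says are not yet clear.

```python
FEE_BPS = 9   # 0.09 % flash-loan fee; an illustrative value, not any protocol's actual fee


class Revert(Exception):
    """A transaction invariant failed; everything the transaction did is undone."""


def run_tx(state: dict, fn) -> bool:
    """Execute fn(state) atomically: on Revert, restore the pre-transaction state."""
    snapshot = dict(state)
    try:
        fn(state)
        return True
    except Revert:
        state.clear()
        state.update(snapshot)
        return False


def flash_loan(state: dict, amount: int, body) -> None:
    """Hand `amount` from the pool to the borrower for the duration of `body`.
    The pool must end the transaction with its original balance plus the fee, or the call reverts."""
    if amount > state["pool"]:
        raise Revert("insufficient liquidity")
    fee = amount * FEE_BPS // 10_000
    required = state["pool"] + fee
    state["pool"] -= amount
    state["borrower"] += amount
    body(state, amount, fee)                 # the borrower's own logic runs here, with the funds
    if state["pool"] < required:
        raise Revert("flash loan not repaid")


def arbitrage(cheap_price: int, dear_price: int, loan: int):
    """Borrow, buy on the cheap venue, sell on the dear venue, repay. Prices are constructed."""
    def tx(state):
        def body(state, amount, fee):
            coins = amount // cheap_price                  # spend the whole loan buying low
            proceeds = coins * dear_price                  # sell high
            state["borrower"] += proceeds - amount
            repay = min(state["borrower"], amount + fee)   # repay what the borrower can
            state["borrower"] -= repay
            state["pool"] += repay
        flash_loan(state, loan, body)
    return tx


if __name__ == "__main__":
    s = {"pool": 1_000_000, "borrower": 0}
    print(run_tx(s, arbitrage(100, 110, 100_000)), s)   # True: borrower keeps the spread minus fee
    s = {"pool": 1_000_000, "borrower": 0}
    print(run_tx(s, arbitrage(100, 100, 100_000)), s)   # False: no spread, loan unpaid, state restored
```

With prices 100 and 110 the borrower ends with 9,910 units and the pool with its 90-unit fee; with equal prices the repayment falls 90 units short, the transaction reverts, and neither balance moves. That atomicity is what lets an attacker borrow huge sums with nothing at stake: a failed attempt simply reverts, so only the sequence of calls inside the transaction (and the protocol’s own accounting under it) decides whether the lender is made whole.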
  27. Tomi Engdahl says:

    New ‘GoBruteforcer’ Botnet Targets Web Servers
    https://www.securityweek.com/new-gobruteforcer-botnet-targets-web-servers/

    The recently identified Golang-based GoBruteforcer botnet is targeting web servers running FTP, MySQL, phpMyAdmin, and Postgres services.

    A recently identified Golang-based botnet is targeting web servers running FTP, MySQL, phpMyAdmin, and Postgres services, Palo Alto Networks reports.

    Dubbed GoBruteforcer and found hosted on a legitimate domain, the malware targets multiple architectures, including x86 and ARM, and was seen deploying an internet relay chat (IRC) bot on a compromised server, for communication purposes.

    The malware spreads using classless inter-domain routing (CIDR) block scanning to identify target hosts within a network, and then attempts to compromise the identified server using brute force.

    Upon successful compromise, it deploys the IRC bot on the server. At a later stage, it uses a PHP web shell to query the victim system.

    GoBruteforcer, which appears to still be in development, is packed with UPX Packer and has a multi-scan module it uses to identify open ports for targeted services. Once a port is identified, it uses hardcoded credentials to brute-force the server.

    For phpMyAdmin services, it scans for any open port 80, after which it attempts to deploy the IRC bot for communication.

    For MySQL and Postgres services, the malware checks for open ports 3306 and 5432, then pings the host’s database using specific credentials. For FTP services, it checks for open port 21, and then attempts to authenticate using the Goftp library.

    On victim servers, Palo Alto Networks found a PHP web shell that provides attackers with reverse shell and bind shell capabilities.

    GoBruteforcer: Golang-Based Botnet Actively Harvests Web Servers
    https://unit42.paloaltonetworks.com/gobruteforcer-golang-botnet/

    Unit 42 researchers recently discovered a new sample of Golang-based malware. We have dubbed it GoBruteforcer, and it targets web servers, specifically those running phpMyAdmin, MySQL, FTP and Postgres services. The sample was originally captured from our Next-Generation Firewall. Upon further research, we found that the malware was hosted on a legitimate website.

    Further investigation revealed that the attacker hosted binaries for x86, x64 and ARM processor architectures. We also discovered that GoBruteforcer had deployed an internet relay chat (IRC) bot on the victim server, which communicates with the attacker’s server.

    Reply
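
Comments 6 and 27 above describe the GoBruteforcer pattern: one source scanning a CIDR block and trying hardcoded credentials against FTP, MySQL, phpMyAdmin and Postgres. What a defender can do with the traces those attempts leave is shown below as an added example (not code from the page or from Unit 42): authentication failures from several services are normalised to (time, source, service), and a source is flagged when it fails repeatedly inside a short window or touches more than one service at all. The log lines are constructed and simplified, and the regular expressions are assumptions to adapt to the real log formats in your deployment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified log lines (not captures). Real MySQL, vsftpd and PostgreSQL
# logs differ in layout; the patterns below are assumptions to adapt per deployment.
SAMPLE_LOGS = [
    "2023-03-10T12:00:01Z mysql Access denied for user 'root'@'203.0.113.5' (using password: YES)",
    "2023-03-10T12:00:02Z mysql Access denied for user 'admin'@'203.0.113.5' (using password: YES)",
    '2023-03-10T12:00:03Z vsftpd FAIL LOGIN: Client "203.0.113.5"',
    '2023-03-10T12:00:04Z vsftpd FAIL LOGIN: Client "203.0.113.5"',
    '2023-03-10T12:00:05Z postgres FATAL: password authentication failed for user "postgres" host=203.0.113.5',
    "2023-03-10T12:00:06Z mysql Access denied for user 'root'@'203.0.113.5' (using password: YES)",
    "2023-03-10T12:30:00Z mysql Access denied for user 'app'@'198.51.100.7' (using password: YES)",
    "2023-03-10T12:31:00Z mysql Access denied for user 'app'@'198.51.100.7' (using password: YES)",
]

PATTERNS = {
    "mysql": re.compile(r"Access denied for user '[^']*'@'(?P<ip>[0-9.]+)'"),
    "ftp": re.compile(r'FAIL LOGIN: Client "(?P<ip>[0-9.]+)"'),
    "postgres": re.compile(r'password authentication failed for user "[^"]*" host=(?P<ip>[0-9.]+)'),
}


def parse_line(line: str):
    """Return (timestamp, source_ip, service) for an authentication failure, else None."""
    ts_text, rest = line.split(" ", 1)
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    for service, pattern in PATTERNS.items():
        m = pattern.search(rest)
        if m:
            return ts, m.group("ip"), service
    return None


def find_bruteforcers(lines, window=timedelta(minutes=10), min_failures=5, min_services=2):
    """Flag a source that fails >= min_failures times inside `window`, or that fails
    against >= min_services different services (the cross-service sweep pattern)."""
    by_ip = defaultdict(list)
    for event in map(parse_line, lines):
        if event:
            ts, ip, service = event
            by_ip[ip].append((ts, service))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        peak, start = 0, 0
        for end in range(len(events)):            # sliding window over time-ordered failures
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        services = sorted({service for _, service in events})
        if peak >= min_failures or len(services) >= min_services:
            flagged[ip] = {"peak_failures": peak, "services": services}
    return flagged


if __name__ == "__main__":
    for ip, info in find_bruteforcers(SAMPLE_LOGS).items():
        print(ip, info)
```

Here 203.0.113.5 is flagged on both rules (six failures in five seconds, three services) while 198.51.100.7, with two slow failures against one service, is left alone. The cross-service rule matters more than the count: a single host probing port 21, 3306 and 5432 in sequence is the signature the Unit 42 write-up describes, and it shows up even when each service’s own lockout threshold is never reached.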
  28. Tomi Engdahl says:

    Zoll Medical Data Breach Impacts 1 Million Individuals
    https://www.securityweek.com/zoll-medical-data-breach-impacts-1-million-individuals/

    Zoll Medical is notifying one million individuals that their personal information was compromised in a data breach earlier this year.

    Reply
  29. Tomi Engdahl says:

    Dan Goodin / Ars Technica:
    Trend Micro: the Emotet botnet, which has returned after a months-long hiatus, is using binary padding and other new tricks to get users to download malware — Quoting Herman Melville is only one of Emotet’s latest innovations. — Widely regarded as one of the Internet’s top threats …

    Botnet that knows your name and quotes your email is back with new tricks
    Quoting Herman Melville is only one of Emotet’s latest innovations.
    https://arstechnica.com/information-technology/2023/03/botnet-that-knows-your-name-and-quotes-your-email-is-back-with-new-tricks/

    Widely regarded as one of the Internet’s top threats, the Emotet botnet has returned after a months-long hiatus—and it has some new tricks.

    Last week, Emotet appeared for the first time this year after a four-month hiatus. It returned with its trademark activity—a wave of malicious spam messages that appear to come from a known contact, address the recipient by name, and seem to be replying to an existing email thread. When Emotet has returned from previous breaks, it brought new techniques designed to evade endpoint security products and to trick users into clicking on links or enabling dangerous macros in attached Microsoft Office documents. Last week’s resumption of activity was no different.

    A malicious email sent last Tuesday, for instance, attached a Word document that had a massive amount of extraneous data added to the end. As a result, the file was more than 500MB in size, big enough to prevent some security products from being able to scan the contents. This technique, known as binary padding or file pumping, works by adding zeros to the end of the document. In the event someone is tricked into enabling the macro, the malicious Windows DLL file that’s delivered is also pumped, causing it to mushroom from 616kB to 548.1MB, researchers from security firm Trend Micro said on Monday.

    Emotet Returns, Now Adopts Binary Padding for Evasion
    https://www.trendmicro.com/en_us/research/23/c/emotet-returns-now-adopts-binary-padding-for-evasion.html

    Reply
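
The binary padding technique described in comments 20 and 29 (zero bytes appended to push a document past a scanner’s size limit), and one way to counter it, as an added example that is not code from the page or from Trend Micro: read the file from the end, count the zero tail without loading the whole file, flag files whose tail is both large and a dominant share of the size, and hand a scanner only the unpadded prefix. The sample “document” is constructed from a ZIP-style header plus 2 MiB of padding so the demo runs in memory; the thresholds are assumptions.

```python
import io
import os

# Constructed stand-in for a maldoc: a ZIP-style header (as used by .docm), a few
# hundred bytes of content, then 2 MiB of zero bytes appended. The real samples were
# padded past 500 MB; the checks below do not depend on the size.
CONTENT = b"PK\x03\x04" + b"word/vbaProject.bin" + bytes(range(256))
PADDED_SAMPLE = CONTENT + b"\x00" * (2 << 20)
CLEAN_SAMPLE = CONTENT


def _as_file(data):
    """Accept raw bytes or any seekable binary file object."""
    return io.BytesIO(data) if isinstance(data, (bytes, bytearray)) else data


def trailing_zero_bytes(data, chunk=1 << 20):
    """Return (size, zeros): the file size and the number of zero bytes at its end.
    Reads backwards in chunks, so a 500 MB padded file costs one or two reads."""
    f = _as_file(data)
    f.seek(0, os.SEEK_END)
    size = f.tell()
    pos, zeros = size, 0
    while pos > 0:
        n = min(chunk, pos)
        pos -= n
        f.seek(pos)
        buf = f.read(n)
        kept = buf.rstrip(b"\x00")
        zeros += n - len(kept)
        if kept:                     # this chunk contains real content: stop
            break
    return size, zeros


def is_suspiciously_padded(data, min_padding=1 << 20, min_ratio=0.9) -> bool:
    """Flag a file whose zero tail is at least min_padding bytes and min_ratio of the file."""
    size, zeros = trailing_zero_bytes(data)
    return size > 0 and zeros >= min_padding and zeros / size >= min_ratio


def strip_padding(data) -> bytes:
    """Return the file without its zero tail: the part worth handing to a scanner."""
    f = _as_file(data)
    size, zeros = trailing_zero_bytes(f)
    f.seek(0)
    return f.read(size - zeros)


if __name__ == "__main__":
    size, zeros = trailing_zero_bytes(PADDED_SAMPLE)
    print(f"{size} bytes, {zeros} of them trailing zeros")
    print("padded:", is_suspiciously_padded(PADDED_SAMPLE), "clean:", is_suspiciously_padded(CLEAN_SAMPLE))
    print("scannable prefix:", len(strip_padding(PADDED_SAMPLE)), "bytes")
```

The same logic applies to the pumped DLL the article mentions, since the padding is appended after the last section rather than inside the PE structure. A size cap that silently skips large files is the weakness being exploited; replacing “skip if larger than N” with “strip the zero tail, then scan, and alert on the padding itself” closes it without scanning half a gigabyte of nothing.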
  30. Tomi Engdahl says:

    CNBC:
    New York shuts down Signature Bank as US regulators cite a “systemic risk exception” like for SVB, announcing all of Signature’s depositors will be “made whole”

    Regulators close crypto-focused Signature Bank, citing systemic risk
    https://www.cnbc.com/2023/03/12/regulators-close-new-yorks-signature-bank-citing-systemic-risk.html

    New York state regulators on Sunday shut down Signature Bank, a big lender in the crypto industry.
    “All depositors of this institution will be made whole. As with the resolution of Silicon Valley Bank, no losses will be borne by the taxpayer,” the regulators said.

    Reply
  31. Tomi Engdahl says:

    https://hackaday.com/2023/03/12/hackaday-links-march-12-2023/

    HP outrages printer users with firmware update suddenly bricking third-party ink
    HP’s approach to DRM continues rubbing people the wrong way.
    https://arstechnica.com/gadgets/2023/03/customers-fume-as-hp-blocks-third-party-ink-from-more-of-its-printers/

    HP customers are showing frustration online as the vendor continues to use firmware updates to discourage or, as users report, outright block the use of non-HP-brand ink cartridges in HP printers. HP has already faced class-action lawsuits and bad publicity from “dynamic security,” but that hasn’t stopped the company from expanding the practice.

    Dynamic security is a feature used by HP printers to authenticate ink cartridges and prevent use of cartridges that aren’t HP-approved. As the company explains:

    Dynamic security strikes again

    After paying up, it seems HP is set on continuing to use DRM to discourage its printer customers from spending ink and toner money outside of the HP family.

    Reply
  32. Tomi Engdahl says:

    Rajesh Randev was driving a white Tesla Model 3 for around 15 minutes before he noticed it wasn’t his car, he told The Washington Post.

    Tesla owner says his app unlocked a stranger’s car — and let him drive off with it
    https://bit.ly/3ThBLhd

    Tesla owner Rajesh Randev says he accidentally drove off in someone else’s Tesla.
    He said that the Tesla app granted him access to another man’s nearly identical Model 3 sedan.
    Tesla did not return a request for comment about the strange incident.

    Using a smartphone as a car key for your Tesla has many perks. It means one less thing to carry around and lets you conveniently unlock your car, hop in, and drive without ever turning a key.

    Sometimes, you can even jump in and drive somebody else’s electric car, according to Canada-based Tesla owner Rajesh Randev.

    Earlier in March, Randev got in his white Tesla Model 3, which was parked on a Vancouver street, and drove off to pick up his kids from school. The only problem: He didn’t actually get into his own white Model 3, but rather a nearly identical one parked next to it, he told The Washington Post.

    After about 15 minutes, he started to notice unfamiliar things about the car he was driving, like a crack in the windshield and a missing phone charger, he told the outlet. As he sees it, his Tesla phone app granted him access to someone else’s Tesla, he told the paper.

    But that’s not all. The glitch appears to have worked in the opposite direction, too. The other Tesla driver involved in the mixup was able to unlock Randev’s parked car using his Tesla key card, according to the Post. That way, he was able to find Randev’s phone number on a document inside the car and inform him of the snafu.

    In all, Randev was able to pick up his kids and return the stranger’s vehicle — driving for about 90 minutes — without a hitch, the Post reported. The experience left him questioning his car’s safety.

    B.C. man says he accidentally unlocked and drove someone else’s Tesla using the app
    https://globalnews.ca/news/9541040/bc-tesla-driving-wrong-car-app/

    Reply
  33. Tomi Engdahl says:

    Microsoft March 2023 Patch Tuesday fixes 2 zero-days, 83 flaws https://www.bleepingcomputer.com/news/microsoft/microsoft-march-2023-patch-tuesday-fixes-2-zero-days-83-flaws/
    Today is Microsoft’s March 2023 Patch Tuesday, and security updates fix two actively exploited zero-day vulnerabilities and a total of 83 flaws. Nine vulnerabilities have been classified as ‘Critical’ for allowing remote code execution, denial of service, or elevation of privileges attacks. This month’s Patch Tuesday fixes two zero-day vulnerabilities actively exploited in attacks

    Reply
  34. Tomi Engdahl says:

    Microsoft fixes Outlook zero-day used by Russian hackers since April 2022
    https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-outlook-zero-day-used-by-russian-hackers-since-april-2022/
    Microsoft has patched an Outlook zero-day vulnerability (CVE-2023-23397) exploited by a hacking group linked to Russia’s military intelligence service GRU to target European organizations.
    The security vulnerability was exploited in attacks to target and breach the networks of fewer than 15 government, military, energy, and transportation organizations between mid-April and December 2022. The hacking group (tracked as APT28, STRONTIUM, Sednit, Sofacy, and Fancy Bear) sent malicious Outlook notes and tasks to steal NTLM hashes via NTLM negotiation requests by forcing the targets’ devices to authenticate to attacker-controlled SMB shares. The stolen credentials were used for lateral movement within the victims’ networks and to change Outlook mailbox folder permissions, a tactic allowing for email exfiltration for specific accounts

    Reply
  35. Tomi Engdahl says:

    Keuda is still recovering from a cyber attack: costs exceed one hundred thousand euros
    https://www.iltalehti.fi/tietoturva/a/ff3ee65f-78e0-4b41-ba6f-d713caf59391
    The Keski-Uudenmaan koulutuskuntayhtymä (Keuda) vocational education consortium was hit by a severe cyber attack at the end of November. The attack was carried out with the LockBit ransomware, which infected 60 percent of all of Keuda’s workstations and servers. Keuda published its final report on the incident last Friday. According to the cyber security company Nixu Oyj, which investigated the case, the attack paralysed Keuda’s IT environment, and all network traffic was cut off for a week. Recovery is still partly ongoing. “In connection with recovering from the attack, Keuda’s IT environment and information security have also been developed considerably, which has contributed to the longer recovery time,” Keuda’s IT manager Veli-Heikki Anttolainen says in a press release

    Reply
  36. Tomi Engdahl says:

    Scam messages sent to customers in the Pohjanmaa wellbeing services county in the name of the Vaasa Hospital District
    https://yle.fi/a/74-20022383
    The Pohjanmaan hyvinvointialue (Pohjanmaa wellbeing services county) announced on Tuesday evening that scam text messages have been sent in the name of the Vaasa Hospital District (Vaasan sairaanhoitopiiri).
    The text message asks the recipient for the last part of their personal identity code, which supposedly serves as a code for opening the message.
    The message also mentions the Vaasa Hospital District (VSHP). The Pohjanmaan hyvinvointialue reminds the public that it never asks customers for their personal identity code, or any part of it, by text message. Recipients are advised to delete the message and not to follow the requests presented in it

    Reply
  37. Tomi Engdahl says:

    Talos uncovers espionage campaigns targeting CIS countries, embassies and EU health care agency https://blog.talosintelligence.com/yorotrooper-espionage-campaign-cis-turkey-europe/
    This new threat actor we are naming YoroTrooper has been targeting governments across Eastern Europe since at least June 2022, and Cisco Talos has found three different activity clusters with overlapping infrastructure that are all linked to the same threat actor. Cisco Talos does not have a full overview of this threat actor, as we were able to collect varying amounts of detail in each campaign. In some cases, for instance, we were able to fully profile a campaign, while in other cases, we only identified the infrastructure or compromised data. Our assessment is that the operators of this threat actor are Russian language speakers, but not necessarily living in Russia or Russian nationals since their victimology consists mostly of countries in the Commonwealth of Independent States (CIS). There are also snippets of Cyrillic in some of their implants, indicating that the actor is familiar with the language. Also, in some cases, the attackers are targeting Russian language endpoints (with Code Page 866), indicating a targeting of individuals speaking that specific language

    Reply
  38. Tomi Engdahl says:

    The slow Ticking time bomb: Tick APT group compromise of a DLP software developer in East Asia https://www.welivesecurity.com/2023/03/14/slow-ticking-time-bomb-tick-apt-group-dlp-software-developer-east-asia/
    ESET researchers discovered a campaign that we attribute with high confidence to the APT group Tick. The incident took place in the network of an East Asian company that develops data-loss prevention (DLP) software. The attackers compromised the DLP company’s internal update servers to deliver malware inside the software developer’s network, and trojanized installers of legitimate tools used by the company, which eventually resulted in the execution of malware on the computers of the company’s customers. In this blogpost, we provide technical details about the malware detected in the networks of the compromised company and of its customers. During the intrusion, the attackers deployed a previously undocumented downloader named ShadowPy, and they also deployed the Netboy backdoor (aka Invader) and Ghostdown downloader

    Reply
  39. Tomi Engdahl says:

    Magniber ransomware actors used a variant of Microsoft SmartScreen bypass https://blog.google/threat-analysis-group/magniber-ransomware-actors-used-a-variant-of-microsoft-smartscreen-bypass/
    Google’s Threat Analysis Group (TAG) recently discovered usage of an unpatched security bypass in Microsoft’s SmartScreen security feature, which financially motivated actors are using to deliver the Magniber ransomware without any security warnings. The attackers are delivering MSI files signed with an invalid but specially crafted Authenticode signature. The malformed signature causes SmartScreen to return an error that results in bypassing the security warning dialog displayed to users when an untrusted file contains a Mark-of-the-Web (MotW), which indicates a potentially malicious file has been downloaded from the internet. TAG reported its findings to Microsoft on February 15, 2023. The security bypass was patched today as CVE-2023-24880 in Microsoft’s Patch Tuesday release

    Reply
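The SmartScreen bypass above is a fail-open failure mode: a verifier that hits an error on a malformed signature and, instead of keeping the warning, lets the file through. The following is an added example (it is not code from the page, Google TAG or Microsoft). It parses the Zone.Identifier alternate data stream that Windows writes beside downloaded files (the Mark-of-the-Web the article refers to) and contrasts a warning gate that fails open with one that fails closed. The stream text is a constructed sample, the signature verdict is supplied as an input rather than computed, and the gate is a simplified model, not SmartScreen's real reputation logic.

```python
"""Added example; not code from the page, Google TAG or Microsoft.
Parses a Zone.Identifier (Mark-of-the-Web) stream and compares a fail-open
warning gate, the shape of the CVE-2023-24880 bypass, with a fail-closed one.
The stream text is constructed; the signature verdict is an input."""
from enum import Enum
from typing import Dict


class SigState(Enum):
    VALID = "valid"      # Authenticode chain verified
    INVALID = "invalid"  # verifier returned a definite bad verdict
    ERROR = "error"      # verifier threw on a malformed blob and gave no verdict


# ZoneId values written by Windows: 0 LocalMachine, 1 Intranet, 2 Trusted,
# 3 Internet, 4 Restricted. Internet and above should trigger the warning.
URLZONE_INTERNET = 3


def parse_zone_identifier(stream_text: str) -> Dict[str, str]:
    """Parse the INI-style [ZoneTransfer] section into a dict with lower-cased keys."""
    fields: Dict[str, str] = {}
    in_section = False
    for raw in stream_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "zonetransfer"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip().lower()] = value.strip()
    return fields


def zone_id(stream_text: str) -> int:
    """ZoneId from the stream, or -1 when the stream is absent or unparsable (no MotW)."""
    try:
        return int(parse_zone_identifier(stream_text).get("zoneid", "-1"))
    except ValueError:
        return -1


def warn_fail_open(zone: int, sig: SigState) -> bool:
    """Buggy gate: only a definite INVALID keeps the warning; an ERROR lets the file through."""
    return zone >= URLZONE_INTERNET and sig is SigState.INVALID


def warn_fail_closed(zone: int, sig: SigState) -> bool:
    """Fixed gate: anything short of a positive VALID verdict keeps the warning."""
    return zone >= URLZONE_INTERNET and sig is not SigState.VALID


# Constructed Zone.Identifier content for a downloaded setup.msi (hostnames are assumed).
SAMPLE_ADS = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://downloads.example.test/\r\n"
    "HostUrl=https://downloads.example.test/setup.msi\r\n"
)


if __name__ == "__main__":
    z = zone_id(SAMPLE_ADS)
    for state in SigState:
        print(state.value, "fail-open warns:", warn_fail_open(z, state),
              "fail-closed warns:", warn_fail_closed(z, state))
```

The only difference between the two gates is how the ERROR state is handled; a gate that keys on "did the check say invalid" rather than "did the check say valid" silently waives the warning for exactly the malformed input an attacker controls.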
  40. Tomi Engdahl says:

    Joseph Cox / VICE:
    After the ALPHV ransomware group claimed to have hit Amazon’s Ring, the company says it was not breached but a third-party vendor has been hit with ransomware — The group is blackmailing Ring on its site: “There’s always an option to let us leak your data,” they posted.

    Ransomware Group Claims Hack of Amazon’s Ring
    https://www.vice.com/en/article/qjvd9q/ransomware-group-claims-hack-of-amazons-ring

    The group is blackmailing Ring on its site: “There’s always an option to let us leak your data,” they posted.

    Reply
  41. Tomi Engdahl says:

    Jay Peters / The Verge:
    After an internal systems issue knocked Reddit offline for 4+ hours, the company says it has implemented a fix and “things are back in order” — Reddit is back after an hours-long outage that affected its websites and apps on Tuesday. During the outage, I was consistently seeing …

    Reddit is back after being down for hours
    https://www.theverge.com/2023/3/14/23640132/reddit-down-outage-offline-loading-posts-comments

    Reply
  42. Tomi Engdahl says:

    Edward Graham / Nextgov:
    CISA launches a pilot program to warn critical infrastructure owners with “internet-accessible vulnerabilities commonly associated with known ransomware actors” — The new pilot program will enable “timely risk reduction” by alerting critical infrastructure owners and operators …
    More: CISA, CISA, Qualys Security Blog, Infosecurity, and Risky Business News

    CISA Launches Ransomware Warning Pilot for Critical Infrastructure
    https://www.nextgov.com/cybersecurity/2023/03/cisa-launches-ransomware-warning-pilot-critical-infrastructure/383963/

    The new pilot program will enable “timely risk reduction” by alerting critical infrastructure owners and operators of vulnerabilities within their systems that are susceptible to ransomware attacks.

    The Cybersecurity and Infrastructure Security Agency publicly announced on Monday that it has established a pilot program to identify vulnerabilities within critical infrastructure systems that are known to be exploited by ransomware groups and threat actors.

    According to CISA, the ransomware vulnerability warning pilot—or RVWP—will “identify organizations with internet-accessible vulnerabilities commonly associated with known ransomware actors by using existing services, data sources, technologies and authorities, including our free Cyber Hygiene Vulnerability Scanning service.”

    The RVWP first began on Jan. 30, when CISA contacted 93 organizations “identified as running instances of Microsoft Exchange Service with a vulnerability called ‘ProxyNotShell,’ which has been widely exploited by ransomware actors.”

    “This initial round of notifications demonstrated the effectiveness of this model in enabling timely risk reduction as we further scale the RVWP to additional vulnerabilities and organizations,” CISA said.

    The pilot program was created in response to the Cyber Incident Reporting for Critical Infrastructure Act, or CIRCIA, a 2022 law that required CISA “to develop and implement regulations requiring covered entities to report covered cyber incidents and ransomware payments” to the agency. CISA said the RVWP would be “coordinated by and aligned with the Joint Ransomware Task Force,” an interagency body that was also established by CIRCIA.

    Reply
  43. Tomi Engdahl says:

    Ransomware Attacks Have Entered a ‘Heinous’ New Phase
    https://www.wired.com/story/ransomware-tactics-cancer-photos-student-records/

    With victims refusing to pay, cybercriminal gangs are now releasing stolen photos of cancer patients and sensitive student records.

    Reply
  44. Tomi Engdahl says:

    CVE-2022-44666: Microsoft Windows Contacts (VCF/Contact/LDAP) syslink control href attribute escape vulnerability
    https://www.vicarius.io/vsociety/blog/cve-2022-44666-microsoft-windows-contacts-vcfcontactldap-syslink-control-href-attribute-escape-vulnerability?utm_campaign=Blogs&utm_content=240065391&utm_medium=social&utm_source=twitter&hss_channel=tw-745198592462364672

    CVE-2022-44666 (still 0day) is a Microsoft Windows Contacts (wab.exe) vulnerability while parsing “href” attributes into syslink controls, which was originally discovered, reported through ZDI and publicly disclosed by John Page (aka hyp3rlinx) of ApparitionSec long time ago (~ 5 years). Full credits for discovery go to him!

    Reply
  45. Tomi Engdahl says:

    Microsoft Warns of Outlook Zero-Day Exploitation, Patches 80 Security Vulns
    https://www.securityweek.com/microsoft-patch-tuesday-zero-day-attacks/

    Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

    Microsoft on Tuesday delivered a hefty batch of software security updates and issued warnings for a pair of already-exploited zero-days haunting Windows OS users.

    The Redmond, Wash. software giant pushed out fixes for at least 80 Windows flaws and called special attention to CVE-2023-23397, a critical-severity issue in Microsoft Outlook that has been exploited in zero-day attacks.

    As has become customary, Microsoft’s security response center did not provide details or indicators of compromise (IOCs) to help defenders hunt for signs of compromise.

    The company credited the Ukrainian CERT organization and its own MSTI threat intelligence team for the discovery, suggesting it was being exploited in advanced APT attacks in Europe.

    “An attacker who successfully exploited this vulnerability could access a user’s Net-NTLMv2 hash which could be used as a basis of an NTLM Relay attack against another service to authenticate as the user,” Microsoft said in a barebones bulletin documenting the bug.

    Reply
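Two of the comments above (the BleepingComputer and SecurityWeek items on CVE-2023-23397) describe the same primitive: an Outlook task or note carries a path to an attacker-controlled SMB share, the client authenticates to it, and the Net-NTLMv2 response leaks for relay. The following is an added example, not code from the page, Microsoft or either outlet, showing two detections a defender can run: mailbox items whose reminder-sound path points at a UNC host outside the enterprise (the property name, PidLidReminderFileParameter, is taken from Microsoft's public guidance for this CVE), and outbound TCP/445 from workstations to non-internal hosts in firewall logs. The message records, log lines, internal address ranges and DNS suffix are constructed assumptions for the demo.

```python
"""Added example; not code from the page, Microsoft or BleepingComputer.
Flags Outlook items whose reminder-sound path is a UNC path to an external
host (CVE-2023-23397 coercion) and outbound SMB to non-internal hosts in
constructed firewall log lines. Address ranges and samples are assumptions."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed: the organisation's own address space and internal DNS suffix.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INTERNAL_SUFFIXES = (".corp.example",)


@dataclass
class OutlookItem:
    subject: str
    item_class: str                         # IPM.Task, IPM.StickyNote, IPM.Appointment ...
    reminder_file_parameter: Optional[str]  # raw PidLidReminderFileParameter, None if unset


# Matches \\host\share\... and the \\?\UNC\host\share\... long-path form.
UNC_RE = re.compile(r"^\\\\(?:\?\\UNC\\)?([^\\]+)\\", re.IGNORECASE)


def is_internal_host(host: str) -> bool:
    """True for an IP inside INTERNAL_NETS or a name under an internal DNS suffix."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host.lower().endswith(INTERNAL_SUFFIXES)
    return any(ip in net for net in INTERNAL_NETS)


def unc_host(value: Optional[str]) -> Optional[str]:
    """Host component of a UNC path, or None when the value is not a UNC path."""
    if not value:
        return None
    m = UNC_RE.match(value)
    return m.group(1) if m else None


def suspicious_items(items: List[OutlookItem]) -> List[Tuple[str, str]]:
    """(subject, host) for items whose reminder path points at an external UNC host."""
    hits = []
    for it in items:
        host = unc_host(it.reminder_file_parameter)
        if host and not is_internal_host(host):
            hits.append((it.subject, host))
    return hits


# Assumed key=value firewall log format.
LOG_RE = re.compile(r"src=(\S+)\s+dst=(\S+)\s+dport=(\d+)\s+action=(\w+)")


def external_smb_connections(log_lines: List[str]) -> List[Tuple[str, str, str]]:
    """(src, dst, action) for TCP/445 flows whose destination is outside INTERNAL_NETS."""
    out = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        src, dst, dport, action = m.groups()
        if dport == "445" and not is_internal_host(dst):
            out.append((src, dst, action))
    return out


# Constructed sample data (hosts and addresses are documentation/example values).
SAMPLE_ITEMS = [
    OutlookItem("Q2 budget", "IPM.Task", r"\\10.0.0.5\sounds\ding.wav"),
    OutlookItem("Status", "IPM.StickyNote", r"\\203.0.113.7\share\x.wav"),
    OutlookItem("Lunch", "IPM.Appointment", None),
    OutlookItem("Call", "IPM.Task", r"\\files.corp.example\sounds\ring.wav"),
    OutlookItem("Review", "IPM.Task", r"C:\Windows\Media\notify.wav"),
]
SAMPLE_LOGS = [
    "2023-03-14T09:01:02Z src=10.1.2.3 dst=10.0.0.5 dport=445 action=allow",
    "2023-03-14T09:01:05Z src=10.1.2.3 dst=203.0.113.7 dport=445 action=allow",
    "2023-03-14T09:01:09Z src=10.1.2.3 dst=198.51.100.9 dport=443 action=allow",
]


if __name__ == "__main__":
    print("items with external reminder share:", suspicious_items(SAMPLE_ITEMS))
    print("external SMB flows:", external_smb_connections(SAMPLE_LOGS))
```

The mailbox check catches the planted item before it fires; the network check catches the authentication attempt itself, which also covers variants that use a different property or client, so the two are worth running side by side rather than picking one.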
  46. Tomi Engdahl says:

    Ring Denies Falling Victim to Ransomware Attack
    https://www.securityweek.com/ring-denies-falling-victim-to-ransomware-attack/

    Ring says it has no indications it has fallen victim to a ransomware attack after cybergang threatens to publish supposedly stolen data.

    Reply
  47. Tomi Engdahl says:

    Fortinet Finds Zero-Day Exploit in Government Attacks After Devices Detect Integrity Breach
    https://www.securityweek.com/fortinet-finds-zero-day-exploit-in-government-attacks-after-devices-detect-integrity-breach/

    Fortinet says recently patched FortiOS vulnerability was exploited in sophisticated attacks targeting government entities.

    Fortinet warns that a recently addressed FortiOS vulnerability has been exploited by a sophisticated threat actor in highly targeted attacks against governmental and government-related entities.

    Patched last week, the bug is tracked as CVE-2022-41328 and is described as a medium-severity path traversal issue leading to command execution. When it announced the availability of fixes, Fortinet failed to mention that this was actually a zero-day vulnerability.

    “An improper limitation of a pathname to a restricted directory vulnerability (‘path traversal’) in FortiOS may allow a privileged attacker to read and write arbitrary files via crafted CLI commands,” Fortinet notes in its advisory.

    Reply
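The advisory quoted above describes the bug class rather than the bug: a path built from attacker-controlled input that is not confined to its restricted directory (CWE-22). The following is an added, hypothetical example and not FortiOS code: a naive file-read helper that joins a caller-supplied relative path onto a root, next to a hardened version that resolves the result and refuses anything that ends up outside the root. A throw-away directory tree is created as sample data; every path in it is an assumption for the demo.

```python
"""Added example; hypothetical code, not FortiOS's. Vulnerable and hardened
forms of a restricted-directory file read (CWE-22 path traversal).
Creates a throw-away directory tree as constructed sample data."""
import os
import tempfile

BASE = tempfile.mkdtemp(prefix="traversal_demo_")
ROOT = os.path.join(BASE, "root")            # the only directory callers may read
os.makedirs(os.path.join(ROOT, "logs"))
with open(os.path.join(ROOT, "logs", "event.log"), "w") as fh:
    fh.write("ok\n")
SECRET_ABS = os.path.join(BASE, "secret.txt")  # deliberately outside ROOT
with open(SECRET_ABS, "w") as fh:
    fh.write("top-secret\n")


def read_file_vulnerable(relpath: str) -> str:
    """Vulnerable: os.path.join neither normalises '..' nor rejects absolute paths,
    so '../secret.txt' or an absolute path reads outside ROOT."""
    with open(os.path.join(ROOT, relpath)) as fh:
        return fh.read()


def resolve_under_root(relpath: str) -> str:
    """Resolve relpath against ROOT and fail unless the real path stays inside it.
    realpath collapses '..' and follows symlinks, so a link planted under ROOT
    that points outside is rejected too; commonpath raises ValueError on Windows
    when the paths sit on different drives, which is treated as an escape."""
    root = os.path.realpath(ROOT)
    candidate = os.path.realpath(os.path.join(root, relpath))
    try:
        inside = os.path.commonpath([root, candidate]) == root
    except ValueError:
        inside = False
    if not inside:
        raise PermissionError(f"path escapes restricted directory: {relpath!r}")
    return candidate


def read_file_hardened(relpath: str) -> str:
    """Hardened: open only what resolve_under_root() accepts."""
    with open(resolve_under_root(relpath)) as fh:
        return fh.read()


def is_allowed(relpath: str) -> bool:
    """True if the hardened resolver accepts relpath."""
    try:
        resolve_under_root(relpath)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    print(read_file_vulnerable("../secret.txt").strip())   # leaks the secret
    print(is_allowed("../secret.txt"), is_allowed("logs/event.log"))
```

The check has to be made on the fully resolved path; testing the raw input for the substring ".." misses encoded, absolute and symlink variants of the same escape.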
