Cyber security news March 2023

This posting is here to collect cyber security news in March 2023.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.

374 Comments

  1. Tomi Engdahl says:

    Microsoft SmartScreen Zero-Day Exploited to Deliver Magniber Ransomware
    https://www.securityweek.com/microsoft-smartscreen-zero-day-exploited-to-deliver-magniber-ransomware/

    A cybercrime group has been exploiting a Microsoft SmartScreen zero-day vulnerability tracked as CVE-2023-24880 to deliver the Magniber ransomware.

    A cybercrime group has been exploiting a zero-day vulnerability in the Microsoft SmartScreen security feature to deliver the Magniber ransomware, Google warned on Tuesday.

    Google’s Threat Analysis Group (TAG) said the vulnerability, tracked as CVE-2023-24880, has been exploited since at least January. The internet giant’s researchers reported their findings to Microsoft on February 15 and a fix has been released with Microsoft’s latest Patch Tuesday updates.

    Reply
  2. Tomi Engdahl says:

    Microsoft Warns of Outlook Zero-Day Exploitation, Patches 80 Security Vulns
    https://www.securityweek.com/microsoft-patch-tuesday-zero-day-attacks/

    Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

    Reply
  3. Tomi Engdahl says:

    Adobe Warns of ‘Very Limited Attacks’ Exploiting ColdFusion Zero-Day
    https://www.securityweek.com/adobe-warns-of-very-limited-attacks-exploiting-coldfusion-zero-day/

    Adobe issues urgent warning for “very limited attacks” exploiting a zero-day vulnerability in its ColdFusion web app development platform.

    Reply
  4. Tomi Engdahl says:

    Ransomware Group Claims Theft of Valuable SpaceX Data From Contractor
    https://www.securityweek.com/ransomware-group-claims-theft-of-valuable-spacex-data-from-contractor/

    The LockBit ransomware group claims to have stolen valuable SpaceX data after breaching the systems of Maximum Industries.

    The LockBit ransomware group claims to have stolen valuable SpaceX files after breaching the systems of piece part production company Maximum Industries.

    The Texas-based Maximum Industries specializes in waterjet and laser cutting and CNC machining services, and advertises itself as a contract manufacturing facility.

    The LockBit hackers claim Elon Musk’s rocket and spacecraft maker SpaceX uses Maximum Industries services. They also claim that on Maximum Industries’ systems they found roughly 3,000 “drawings certified by space-x engineers”, which they plan on selling through an auction.

    Reply
  5. Tomi Engdahl says:

    ICS Patch Tuesday: Siemens, Schneider Electric Address Over 100 Vulnerabilities
    https://www.securityweek.com/ics-patch-tuesday-siemens-schneider-electric-address-over-100-vulnerabilities/

    Siemens and Schneider Electric have addressed more than 100 vulnerabilities with their March 2023 Patch Tuesday security advisories.

    Reply
  6. Tomi Engdahl says:

    Vulnerabilities
    Fortinet Finds Zero-Day Exploit in Government Attacks After Devices Detect Integrity Breach
    https://www.securityweek.com/fortinet-finds-zero-day-exploit-in-government-attacks-after-devices-detect-integrity-breach/

    Reply
  7. Tomi Engdahl says:

    Brian Krebs / Krebs on Security:
    Two US members of the ViLE cybercriminal group have been charged for a May 2022 hack into a DEA portal that taps into 16 federal law enforcement databases

    Two U.S. Men Charged in 2022 Hacking of DEA Portal
    https://krebsonsecurity.com/2023/03/two-us-men-charged-in-2022-hacking-of-dea-portal/

    Reply
  8. Tomi Engdahl says:

    Tesla Driver Freaked Out After App Allows Him to Drive Off With the Wrong Car
    “My family is not feeling safe right now.”
    https://futurism.com/tesla-driver-unlocks-wrong-car-app

    It’s not every day that you catch yourself accidentally driving somebody else’s car.

    According to the Washington Post, a weird bug is allowing Tesla owners to drive off with somebody else’s Tesla by using the EV maker’s bespoke smartphone app.

    Owner Rajesh Randev told WaPo that earlier this month, he walked up to a nearly identical white Model 3 in Vancouver without realizing it wasn’t his, used the app to unlock it, and drove around a bit before realizing that it wasn’t, in fact, his car.

    Reply
  9. Tomi Engdahl says:

    DotRunpeX demystifying new virtualized .NET injector used in the wild https://research.checkpoint.com/2023/dotrunpex-demystifying-new-virtualized-net-injector-used-in-the-wild/
During the past few months, we have been monitoring the dotRunpeX malware, its usage in the wild, and infection vectors related to dozens of campaigns. The monitoring showed that this new dotnet injector is still evolving and in high development. We uncovered several different methods of distribution where in all cases, the dotRunpeX was a part of the second-stage infection. This new threat is used to deliver numerous different malware families, primarily related to stealers, RATs, loaders, and downloaders. The oldest sample related to the new version of dotRunpeX is dated 2022-10-17. The first public information about this threat is dated 2022-10-26. The main subject of this research is an in-depth analysis of both versions of the dotRunpeX injector, focusing on interesting techniques, similarities between them, and an introduction to the PoC technique used to analyze a new version of dotRunpeX as it is being delivered virtualized by a customized version of KoiVM .NET protector.

    Reply
  10. Tomi Engdahl says:

    A Race to Report a TOCTOU: Analysis of a Bug Collision in Intel SMM https://research.nccgroup.com/2023/03/15/a-race-to-report-a-toctou-analysis-of-a-bug-collision-in-intel-smm/
About four months ago, in October 2022, I was idly poking around the ICE TEA leak. This leak was of particular interest to me, because it happened to expose the source code for Intel's Alder Lake platform BIOS. It's always fun to finally get to see the code for modules that you previously reverse engineered. Soon enough, on October 13th, I discovered a time-of-check-time-of-use (TOCTOU) vulnerability in an SMI handler and reported it to Intel. The vulnerability was high risk (CVSS 7.9) because it enabled a local/physical DMA-capable adversary to corrupt SMRAM and escalate privilege into System Management Mode (SMM). Upon reviewing Intel's advisory, I felt that it lacked sufficient technical detail. So, in this blog post I want to present my own root-cause analysis and description of the bug. I think this bug serves as a good illustration of a classic SMI handler TOCTOU vulnerability. Let's dive on in.

    Reply
  11. Tomi Engdahl says:

    Hacker selling data allegedly stolen in US Marshals Service hack https://www.bleepingcomputer.com/news/security/hacker-selling-data-allegedly-stolen-in-us-marshals-service-hack/
A threat actor is selling on a Russian-speaking hacking forum what they claim to be hundreds of gigabytes of data allegedly stolen from U.S. Marshals Service (USMS) servers. USMS is a Justice Department bureau that provides support to the federal justice system by executing federal court orders, assuring the safety of government witnesses and their families, seizing illegally obtained assets, and more. According to the seller, the database is being sold for $150,000 and contains “documents from file servers and work computers from 2021 to February 2023, without flooding like exe files and libraries.” The information includes aerial footage and photos of military bases and other high-security areas, copies of passports and identification documents, and details on wiretapping and surveillance of citizens. The files also contain information on convicts, gang leaders, and cartels. The threat actor also claims that some files are marked as SECRET or TOP SECRET.

    Reply
  12. Tomi Engdahl says:

    First-known Dero cryptojacking operation seen targeting Kubernetes https://www.bleepingcomputer.com/news/security/first-known-dero-cryptojacking-operation-seen-targeting-kubernetes/
    The first known cryptojacking operation mining the Dero coin has been found targeting vulnerable Kubernetes container orchestrator infrastructure with exposed APIs. Dero is a privacy coin promoted as an alternative to Monero with even more robust anonymity protection.
    Compared to Monero or other cryptocurrencies, Dero promises faster and higher monetary mining rewards, which is probably why it has caught the attention of threat actors. In a new report by CrowdStrike, researchers explain how the ongoing campaign was discovered in February 2023 after finding unusual behavior when monitoring customers’ Kubernetes clusters

    Reply
  13. Tomi Engdahl says:

    IPFS phishing and the need for correctly set HTTP security headers
    https://isc.sans.edu/diary/rss/29638
In the last couple of weeks, I've noticed a small spike in the number of phishing messages that carried links to fake HTML login pages hosted on the InterPlanetary File System (IPFS), an interesting web-based decentralized/peer-to-peer data storage system.
Unfortunately, pretty much any type of internet-connected data storage solution is used to host malicious content by threat actors these days, and the IPFS is no exception. In fact, it seems to have been used to host phishing pages since at least the beginning of 2022. The recent wave of phishing messages is therefore not new in its use of the distributed file system, nor in the social engineering techniques it uses. What makes it somewhat interesting, besides the fact that it depends on IPFS, is that it also shows quite nicely the need for organizations to ensure that security-related headers are set by their web servers. However, as this phishing shows (and as do many others we've seen before), the lack of these headers on almost any website can potentially be a problem. Therefore, maybe the time has come to make CSP and other HTTP security headers the norm and not the exception.
Although their use can sometimes be a little problematic, the corresponding issues can always be solved, and the simple use of a few HTTP headers can make phishing attempts, such as the ones mentioned above, much less effective.

    Reply
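The diary above argues that a handful of HTTP security headers makes phishing that piggybacks on a legitimate site much less effective. The script below is an added example, not code from the ISC diary or from this blog: it parses a raw HTTP response header block and reports which commonly recommended headers (Content-Security-Policy with frame-ancestors and form-action, Strict-Transport-Security, X-Content-Type-Options, Referrer-Policy, cookie flags) are missing or weak. The checklist is my own assumed baseline, and both sample responses are constructed for the example.

```python
"""Audit the security-related headers of an HTTP response.

Added example: the baseline checked here is an assumption of the example
author, not a list taken from the ISC diary. Both responses are constructed.
"""
from __future__ import annotations

# Constructed sample: a site that sets only a content type and a session cookie.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Thu, 16 Mar 2023 10:00:00 GMT\r\n"
    "Server: example\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: session=abc123; Path=/\r\n"
    "\r\n"
)

# Constructed sample: the same site with the baseline headers set.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'; form-action 'self'\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "\r\n"
)

COOKIE_FLAG_NAMES = {"secure": "Secure", "httponly": "HttpOnly"}


def parse_headers(raw: str) -> dict[str, list[str]]:
    """Split a raw header block into a lower-cased name -> values multimap."""
    headers: dict[str, list[str]] = {}
    for line in raw.split("\r\n")[1:]:   # skip the status line
        if not line:
            break                         # blank line ends the header block
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def parse_csp(value: str) -> dict[str, list[str]]:
    """Turn a CSP value into {directive: [source expressions]}."""
    policy: dict[str, list[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit_headers(raw: str) -> list[str]:
    """Return a list of findings; an empty list means the baseline is met."""
    h = parse_headers(raw)
    findings: list[str] = []

    csp_values = h.get("content-security-policy")
    if not csp_values:
        findings.append("missing Content-Security-Policy")
    else:
        csp = parse_csp(csp_values[0])
        if "default-src" not in csp:
            findings.append("CSP has no default-src fallback")
        # Without frame-ancestors (or X-Frame-Options) any origin may frame the page.
        if "frame-ancestors" not in csp and "x-frame-options" not in h:
            findings.append("page can be framed: no frame-ancestors or X-Frame-Options")
        # Without form-action, forms on the page may submit to any origin.
        if "form-action" not in csp:
            findings.append("CSP has no form-action")
        script_sources = csp.get("script-src", csp.get("default-src", []))
        if "'unsafe-inline'" in script_sources:
            findings.append("CSP allows inline scripts ('unsafe-inline')")

    if "strict-transport-security" not in h:
        findings.append("missing Strict-Transport-Security")
    if h.get("x-content-type-options", [""])[0].lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    if "referrer-policy" not in h:
        findings.append("missing Referrer-Policy")

    # Each cookie should carry Secure, HttpOnly and an explicit SameSite.
    for cookie in h.get("set-cookie", []):
        name = cookie.split("=", 1)[0]
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        for flag, label in COOKIE_FLAG_NAMES.items():
            if flag not in attrs:
                findings.append(f"cookie {name} lacks {label}")
        if not any(a.startswith("samesite=") for a in attrs):
            findings.append(f"cookie {name} lacks SameSite")
    return findings


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"[{label}]")
        for finding in audit_headers(raw) or ["no findings"]:
            print("  -", finding)
```

Run it as-is to see the two reports side by side; to check a real site, capture the response headers (for example with `curl -sI`) and pass the text to `audit_headers`. The weak response yields seven findings, the hardened one none.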
  14. Tomi Engdahl says:

IS asked Facebook why scams are not removed despite reports; this is how the company responded https://www.is.fi/digitoday/art-2000009455235.html
Ilta-Sanomat Digitoday reported this morning on scam pages on Facebook that pose as the ABC service station chain. There are a total of nine pages on the service, with names derived in some way from the name "Polttoainekorttien jakelu" (Fuel card distribution). The scam pages promise a 250 euro fuel gift card for ABC service stations. In reality, they lead their victims into a subscription trap whose costs are not known.
The scam pages have been on Facebook for about two weeks. ABC says it has reported them to Facebook, which promised to remove them within 440 hours. This has not happened, however.

    Reply
  15. Tomi Engdahl says:

    Crypto Mixer Laundered $700 Million For Customers, Including Russian And North Korean Spies, DOJ Says https://www.forbes.com/sites/thomasbrewster/2023/03/15/us-shuts-down-crypto-mixer-chipmixer-used-by-russian-and-north-korea-spies/
An international law enforcement operation has taken down ChipMixer, a dark web mixer that helped criminals launder over $700 million, Europol and other policing agencies announced on Wednesday. Amongst its users were North Korean hackers and Russian spies, according to the Department of Justice. ChipMixer charged a small fee to take in clients' cryptocurrency and spread it across different accounts, in order to complicate law enforcement tracking of criminal proceeds, police said. In total, it processed $3 billion, nearly a billion of which has been traced to crimes, including ransomware incidents and darknet market drug sales, the DOJ said. According to the FBI, it traced $17 million in ransomware proceeds linked to 37 different groups to ChipMixer's services. Over $800,000 in bitcoin laundered via the mixer was from a ransomware strain known as Sodinokibi, otherwise known as REvil. Its most significant breach came in 2021 when it targeted customers of IT software supplier Kaseya, with as many as 1,500 businesses breached and a $70 million ransom demanded.

    Reply
  16. Tomi Engdahl says:

    Exploiting CVE-2023-23397: Microsoft Outlook Elevation of Privilege Vulnerability https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/
Today saw Microsoft patch an interesting vulnerability in Microsoft Outlook. The vulnerability is described as follows: Microsoft Office Outlook contains a privilege escalation vulnerability that allows for a NTLM Relay attack against another service to authenticate as the user. At MDSec, we're continually looking to weaponise both private and public vulnerabilities to assist us during our red team operations.
Having recently given a talk on leveraging NTLM relaying during red team engagements at FiestaCon, this vulnerability particularly stood out to me and warranted further analysis. While no particular details were provided, Microsoft did provide a script to audit your Exchange server for mail items that might be being used to exploit the issue.

    Reply
  17. Tomi Engdahl says:

Analysis: Behind the collapse of SVB is the same phenomenon that sent meme stocks soaring a couple of years ago
A community formed on Reddit threw the stock market into chaos in an instant in early 2021. Last week, a panic that started on Twitter led to the collapse of the 16th largest bank in the United States.
https://yle.fi/a/74-20022532

How did you go bankrupt?

– Two ways. Gradually, then suddenly.

Author Ernest Hemingway's observation about the business world has come up repeatedly in recent days as the collapse of Silicon Valley Bank has been the topic of discussion.

SVB's share price had already been falling for over a year before last Thursday's sudden collapse. The steady decline turned into a vertical drop when the Silicon Valley startup community woke up to the fact that the market value of the securities owned by the bank was not sufficient to pay out deposits.

The awakening began on February 23, when Byrne Hobart, who writes a newsletter on the twists and turns of the economy and technology, tweeted that SVB had in practice become insolvent during the previous quarter.

    Reply
  18. Tomi Engdahl says:

    Google finds 18 zero-day vulnerabilities in Samsung Exynos chipsets https://www.bleepingcomputer.com/news/security/google-finds-18-zero-day-vulnerabilities-in-samsung-exynos-chipsets/
Project Zero, Google’s zero-day bug-hunting team, discovered and reported 18 zero-day vulnerabilities in Samsung's Exynos chipsets used in mobile devices, wearables, and cars. The Exynos modem security flaws were reported between late 2022 and early 2023. Four of the eighteen zero-days were identified as the most serious, enabling remote code execution from the Internet to the baseband. These Internet-to-baseband remote code execution (RCE) bugs (including CVE-2023-24033 and three others still waiting for a CVE-ID) allow attackers to hack phones at the baseband level remotely and without any user interaction. Each manufacturer’s patch timeline for their devices will differ but, for instance, Google has already addressed CVE-2023-24033 for impacted Pixel devices in its March 2023 security updates.

    Reply
  19. Tomi Engdahl says:

    Bee-Ware of Trigona, An Emerging Ransomware Strain https://unit42.paloaltonetworks.com/trigona-ransomware-update/
Trigona ransomware is a relatively new strain that security researchers first discovered in late October 2022. By analyzing Trigona ransomware binaries and ransom notes obtained from VirusTotal, as well as information from Unit 42 incident response, we determined that Trigona was very active during December 2022, with at least 15 potential victims being compromised. Affected organizations are in the manufacturing, finance, construction, agriculture, marketing and high technology industries. Unit 42 researchers identified two new Trigona ransom notes in January 2023 and two in February 2023. Trigona's ransom notes are unique; rather than the usual text file, they are instead presented in an HTML Application with embedded JavaScript containing unique computer IDs (CID) and victim IDs (VID).

    Reply
  20. Tomi Engdahl says:

Not-so-private messaging: Trojanized WhatsApp and Telegram apps go after cryptocurrency wallets https://www.welivesecurity.com/2023/03/16/not-so-private-messaging-trojanized-whatsapp-telegram-cryptocurrency-wallets/
ESET researchers have discovered dozens of copycat Telegram and WhatsApp websites targeting mainly Android and Windows users with trojanized versions of these instant messaging apps. Most of the malicious apps we identified are clippers, a type of malware that steals or modifies the contents of the clipboard. All of them are after victims' cryptocurrency funds, with several targeting cryptocurrency wallets. This was the first time we have seen Android clippers focusing specifically on instant messaging. Moreover, some of these apps use optical character recognition (OCR) to recognize text from screenshots stored on the compromised devices, which is another first for Android malware.

    Reply
  21. Tomi Engdahl says:

    Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation https://www.mandiant.com/resources/blog/fortinet-malware-ecosystem
In mid-2022, Mandiant, in collaboration with Fortinet, investigated the exploitation and deployment of malware across multiple Fortinet solutions including FortiGate (firewall), FortiManager (centralized management solution), and FortiAnalyzer (log management, analytics, and reporting platform). Mandiant attributes this activity to UNC3886, a group we suspect has a China-nexus and is associated with the novel VMware ESXi hypervisor malware framework disclosed in September 2022.
At the time of the ESXi hypervisor compromises, Mandiant observed UNC3886 directly connect from FortiGate and FortiManager devices to VIRTUALPITA backdoors on multiple occasions. The activity discussed in this blog post is further evidence that advanced cyber espionage threat actors are taking advantage of any technology available to persist and traverse a target environment, especially those technologies that do not support EDR solutions.

    Reply
  22. Tomi Engdahl says:

    Conti-based ransomware MeowCorp gets free decryptor https://www.bleepingcomputer.com/news/security/conti-based-ransomware-meowcorp-gets-free-decryptor/
A decryption tool for a modified version of the Conti ransomware could help hundreds of victims recover their files for free. The utility works with data encrypted with a strain of the ransomware that emerged after the source code for Conti was leaked last year in March.
Researchers at cybersecurity company Kaspersky found the leak on a forum where the threat actors released a cache of 258 private keys from a modified version of the Conti ransomware.

    Reply
  23. Tomi Engdahl says:

    Hands up who DIDN’T exploit this years-old flaw to ransack a US govt web server…
    https://www.theregister.com/2023/03/15/cisa_us_microsoft_hacked/
Multiple criminals, including at least potentially one nation-state group, broke into a US federal government agency’s Microsoft Internet Information Services web server by exploiting a critical three-year-old Telerik bug to achieve remote code execution. The snafu happened between November 2022 and early January, according to a joint alert from the FBI, CISA, and America’s Multi-State Information Sharing and Analysis Center (MS-ISAC) this week. This particular Telerik bug, which received a 9.8 out of 10 CVSS severity score, was first discovered in 2019 and is especially popular with Beijing-backed criminals. In 2020 it made the list of the top 25 computer security vulnerabilities Chinese government hackers are using to break into networks and steal data.

    Reply
  24. Tomi Engdahl says:

Data of well over ten thousand people leaked: Finnish company received an official reprimand https://www.tivi.fi/uutiset/tv/1e348813-bec7-4716-a079-cb98e62ce65e
Accommodation company Forenom has been the target of a data breach.
The data breach concerned tens of thousands of personal data records.
The Data Protection Ombudsman issued the company a reprimand for inadequate data protection measures and an order to shorten the retention period of customer data.

    Reply
  25. Tomi Engdahl says:

Microsoft: Finland is a target of Russian cyberattacks
Russia has used destructive cyber weapons outside Ukraine as well.
https://www.is.fi/digitoday/tietoturva/art-2000009457862.html

Microsoft has published the report A year of Russian hybrid warfare in Ukraine (pdf), which makes Russia's cyber operations visible. The report shows that Russia is directing cyber operations at Finland.

The report mainly deals with Ukraine, but it also shows that Russia has operated online against 74 other countries during the year. The report specifically mentions 14 countries, which in addition to Finland are the USA, Poland, Britain, Lithuania, Latvia, Turkey, Peru, Norway, Romania, Denmark, France, Canada and Sweden.

Microsoft does not name the targets, but most are connected to state and government organizations and to communications and IT companies. The activity is expected to increase especially against companies connected to arms deliveries to Ukraine and against military targets.

Three Russian intelligence organizations, namely the military intelligence service GRU, the security service FSB and the foreign intelligence service SVR, may have gained a foothold in critical infrastructure systems in the Americas and Europe. According to Microsoft, the GRU's cyber units in particular have shown a willingness to use destructive cyber weapons outside Ukraine as well if needed.

A year of Russian hybrid warfare in Ukraine
https://www.microsoft.com/en-us/security/business/security-insider/wp-content/uploads/2023/03/A-year-of-Russian-hybrid-warfare-in-Ukraine_MS-Threat-Intelligence-1.pdf

What we have learned about nation state tactics so far and what may be on the horizon

    Reply
  26. Tomi Engdahl says:

    Hawaii Health Department Says Death Records Compromised in Recent Data Breach
    https://www.securityweek.com/hawaii-health-department-says-death-records-compromised-in-recent-data-breach/
    The Hawaii DOH says roughly 3,400 death records were accessed via the compromised account of a former employee.

    Reply
  27. Tomi Engdahl says:

    CISA Seeks Public Opinion on Cloud Application Security Guidance
    https://www.securityweek.com/cisa-seeks-public-opinion-on-cloud-application-security-guidance/

    CISA this week announced it is seeking public input on draft guidance for securing cloud business applications.

    The US Cybersecurity and Infrastructure Security Agency (CISA) is seeking public comment on guidance for securing cloud business applications.

    Titled Secure Cloud Business Applications (SCuBA) Hybrid Identity Solutions Architecture, the document is meant to help federal agencies securely integrate cloud-based solutions with existing on-premises infrastructure.

    The SCuBA project includes two CISA-developed guidance documents providing agencies with recommendations on adopting the best security and resilience practices required for utilizing cloud services.

    “SCuBA will help secure federal civilian executive branch (FCEB) information assets stored within cloud environments through consistent, effective, modern, and manageable security configurations,” CISA notes.

    While they are primarily intended for federal agencies, these documents can be used by any organization.

    The first document, (SCuBA) Technical Reference Architecture (TRA), is meant to provide context, standard views, and terminology that align with SCuBA.

    Reply
  28. Tomi Engdahl says:

    Data Security Firm Rubrik Targeted With GoAnywhere Zero-Day Exploit
    https://www.securityweek.com/data-security-firm-rubrik-targeted-with-goanywhere-zero-day-exploit/

    Cybersecurity firm Rubrik has confirmed being hit by the GoAnywhere zero-day exploit after the Cl0p ransomware group named the company on its leak website.

    Reply
  29. Tomi Engdahl says:

    Cyberwarfare
    Russian Cyberspies Abuse EU Information Exchange Systems in Government Attacks
    https://www.securityweek.com/russian-cyberspies-abuse-eu-information-exchange-systems-in-government-attacks/

    Russia-linked APT29 was seen abusing the legitimate information exchange systems used by European countries in attacks aimed at governments.

    Russia-linked cyberespionage group APT29 has been observed abusing two legitimate information exchange systems used by European countries, BlackBerry reports.

    APT29 is a Russian advanced persistent threat (APT) actor mainly focused on cyberespionage. The group, believed to be sponsored by the Russian Foreign Intelligence Service (SVR), is also tracked as Cozy Bear, the Dukes, Nobelium, and Yttrium.

    As part of a recently observed campaign aimed at EU governments, the group was seen sending phishing emails with a malicious document attached, using the Polish Foreign Minister’s recent visit to the US as a lure.

    Another lure, BlackBerry says, abuses multiple legitimate systems, including LegisWrite and eTrustEx, two official services used for information and data sharing among the governments of European countries.

    NOBELIUM Uses Poland’s Ambassador’s Visit to the U.S. to Target EU Governments Assisting Ukraine
    https://blogs.blackberry.com/en/2023/03/nobelium-targets-eu-governments-assisting-ukraine

    Reply
  30. Tomi Engdahl says:

    Dero, Monero Cryptojackers Fighting for Same Kubernetes Clusters
    https://www.securityweek.com/dero-monero-cryptojackers-fighting-for-same-kubernetes-clusters/

Dero cryptojacking operation infecting Kubernetes infrastructure is being targeted by Monero cryptojackers for control over the same clusters.

    Reply
  31. Tomi Engdahl says:

    Cybercrime
    US Charges Two Men Over Use of Hacked Law Enforcement Database for Doxing
    https://www.securityweek.com/us-charges-two-men-over-use-of-hacked-law-enforcement-database-for-doxing/

    Sagar Singh and Nicholas Ceraolo have been charged for their alleged roles in a doxing operation that involved hacking a law enforcement platform and email account.

    Reply
  32. Tomi Engdahl says:

    Microsoft Pins Outlook Zero-Day Attacks on Russian Actor, Offers Detection Script
    https://www.securityweek.com/microsoft-pins-outlook-zero-day-attacks-on-russian-actor-offers-detection-script/

    Microsoft blames a “Russian-based threat actor” for in-the-wild attacks hitting its flagship Microsoft Outlook and has released a detection script to help defenders.

    Reply
  33. Tomi Engdahl says:

    Chinese Cyberspies Hacked DLP Company Serving Military, Government Orgs
    https://www.securityweek.com/chinese-cyberspies-hacked-dlp-company-serving-military-government-orgs/

    The Chinese hacker group Tick has targeted an East Asian data loss prevention firm whose customers include military and other government organizations.

    Reply
  34. Tomi Engdahl says:

    Mozilla Patches High-Severity Vulnerabilities With Release of Firefox 111
    https://www.securityweek.com/mozilla-patches-high-severity-vulnerabilities-with-release-of-firefox-111/

    Firefox 111 patches 13 CVEs, including several vulnerabilities classified as high severity.

    Mozilla announced this week the release of Firefox 111, which patches over a dozen vulnerabilities, including potentially serious issues.

    Of the 13 CVEs, seven have been assigned a ‘high’ severity rating. Three of them only impact Firefox for Android, and they can allow a hacker to hide fullscreen notifications — this can lead to user confusion or spoofing attacks — and open third-party apps without a prompt.

    Other high-severity flaws patched with the latest Firefox updates can lead to arbitrary code execution and information disclosure.

    Reply
  35. Tomi Engdahl says:

    CheckMate
    https://research.checkpoint.com/2023/checkmate/
    Chess.com is the world leading platform for online chess games. It is an internet chess server, news website, and social networking website.
    Chess.com has a strong focus on community-based forums and blogs.
These social features allow players to connect with each other, become friends, share their thoughts and experiences, and learn from each other. In 2022, Magnus Carlsen (Norwegian World champion since 2013) decided to withdraw from a tournament because he believed that Hans Niemann (American Grand Master) was a cheater. Chess.com decided to remove Niemann from the platform and from the Global Chess Championship the day after he beat GM Magnus Carlsen. This decision has been made because Hans admitted that he cheated in chess games on the popular website in 2020. Chess.com used its cheating-detection software and discovered suspicious play.

    Reply
  36. Tomi Engdahl says:

This is the most terrifying of them all, ‘Internet to baseband’. Exactly what I’ve been preaching about for years. Here are 18 of them, 4 of which are severe. These impact phones/wearables/cars. Many of these attacks have to jump off of other attacks, which we call pivoting. How long did the #NSA sit on these? Of course not, we’re not gonna burn our bridges.

    #Google ‘Project Zero’ finds 18 zero-day vulnerabilities in #Samsung #Exynos chipsets

    https://www.bleepingcomputer.com/news/security/google-finds-18-zero-day-vulnerabilities-in-samsung-exynos-chipsets/

    Reply
  37. Tomi Engdahl says:

Hacker took the data of 60,000 customers from an accommodation company – the authority settled for issuing a reprimand https://www.is.fi/digitoday/tietoturva/art-2000009458034.html

Accommodation company Forenom received a reprimand from the Data Protection Ombudsman for inadequate protection of personal data.

THE DATA PROTECTION OMBUDSMAN announced on Thursday that it had issued Forenom, a provider of accommodation services, a reprimand over its processing of personal data. The reprimand relates to a data breach three years ago, in which the attacker obtained, among other things, 60,569 customer records.

    Reply
  38. Tomi Engdahl says:

    ColdFusion March 2023 emergency update, and what to do about it https://www.carehart.org/blog/2023/3/17/coldfusion_march_2023_emergency_update/
If you’ve not heard, a new update has been released (March 14, 2023) for ColdFusion 2021 and 2018. Despite what you may hear, this is an URGENT (rated “Priority 1” by Adobe) update that everyone should apply ASAP, for reasons I will explain in this post. In fact, Hackernews reported yesterday (Mar 16) that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) had issued an urgent warning about this, giving federal agencies a deadline to apply the update.

    Reply