Cyber security news April 2023

This posting is here to collect cyber security news in April 2023.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.

352 Comments

  1. Tomi Engdahl says:

    TikTok Attorney: China Can’t Get U.S. Data Under Plan
    https://www.securityweek.com/tiktok-attorney-china-cant-get-u-s-data-under-plan/

    TikTok general counsel says company is trying to make it physically impossible for any government, including China, to access U.S. user data.

  2. Tomi Engdahl says:

    Mandiant Investigating 3CX Hack as Evidence Shows Attackers Had Access for Months
    https://www.securityweek.com/mandiant-investigating-3cx-hack-as-evidence-shows-attackers-had-access-for-months/

    Several cybersecurity companies have published blog posts, advisories and tools to help organizations that may have been hit by the 3CX supply chain attack.

    3CX Confirms Supply Chain Attack as Researchers Uncover Mac Component
    https://www.securityweek.com/3cx-confirms-supply-chain-attack-as-researchers-uncover-mac-component/

    3CX confirms investigating a security breach as the cybersecurity community is sharing more information on what appears to be a sophisticated supply chain attack.

  3. Tomi Engdahl says:

    Italy Temporarily Blocks ChatGPT Over Privacy Concerns
    https://www.securityweek.com/italy-temporarily-blocks-chatgpt-over-privacy-concerns/

    Italy is temporarily blocking the artificial intelligence software ChatGPT in the wake of a data breach as it investigates a possible violation of stringent European Union data protection rules.

    Italy is temporarily blocking the artificial intelligence software ChatGPT in the wake of a data breach as it investigates a possible violation of stringent European Union data protection rules, the government’s privacy watchdog said Friday.

    The Italian Data Protection Authority said it was taking provisional action “until ChatGPT respects privacy,” including temporarily limiting the company from processing Italian users’ data.

    U.S.-based OpenAI, which developed the chatbot, said late Friday night it has disabled ChatGPT for Italian users at the government’s request. The company said it believes its practices comply with European privacy laws and hopes to make ChatGPT available again soon.

    While some public schools and universities around the world have blocked ChatGPT from their local networks over student plagiarism concerns, Italy’s action is “the first nation-scale restriction of a mainstream AI platform by a democracy,” said Alp Toker, director of the advocacy group NetBlocks, which monitors internet access worldwide.

    The restriction affects the web version of ChatGPT, popularly used as a writing assistant, but is unlikely to affect software applications from companies that already have licenses with OpenAI to use the same technology driving the chatbot, such as Microsoft’s Bing search engine.

  4. Tomi Engdahl says:

    Cyberwarfare
    Report: Chinese State-Sponsored Hacking Group Highly Active
    https://www.securityweek.com/report-chinese-state-sponsored-hacking-group-highly-active/

    Chinese hacking group linked previously to attacks on U.S. state government computers is still “highly active”

    A Chinese hacking group that is likely state-sponsored and has been linked previously to attacks on U.S. state government computers is still “highly active” and is focusing on a broad range of targets that may be of strategic interest to China’s government and security services, a private American cybersecurity firm said in a new report Thursday.

    The hacking group, which the report calls RedGolf, shares such close overlap with groups tracked by other security companies under the names APT41 and BARIUM that it is thought they are either the same or very closely affiliated, said Jon Condra, director of strategic and persistent threats for Insikt Group, the threat research division of Massachusetts-based cybersecurity company Recorded Future.

    Following up on previous reports of APT41 and BARIUM activities and monitoring the targets that were attacked, Insikt Group said it had identified a cluster of domains and infrastructure “highly likely used across multiple campaigns by RedGolf” over the past two years.

  5. Tomi Engdahl says:

    Ransomware
    Lumen Technologies Hit by Two Cyberattacks
    https://www.securityweek.com/lumen-technologies-hit-by-two-cyberattacks/

    Communications and IT company Lumen Technologies fell victim to two cyberattacks that led to data theft.

  6. Tomi Engdahl says:

    Leaked Documents Detail Russia’s Cyberwarfare Tools, Including for OT Attacks
    https://www.securityweek.com/leaked-documents-detail-russias-cyberwarfare-tools-including-for-ot-attacks/

    Documents show that Russian IT company NTC Vulkan was requested to develop offensive tools for government-backed hacking group Sandworm.

    Documents leaked from Russian IT contractor NTC Vulkan show the company’s possible involvement in the development of offensive hacking tools, including for the advanced persistent threat (APT) actor known as Sandworm, Mandiant reports.

    Based in Moscow, NTC Vulkan advertises its collaboration with Russian organizations and government agencies, without mentioning any involvement in the operations of state-sponsored groups or intelligence services.

    Documents dated between 2016 and 2020, however, show that the company has been contracted by Russian intelligence, including the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU) Unit 74455 (also known as Sandworm, Telebots, Iron Viking and Voodoo Bear), for the development of tools, training programs, and an intrusion platform.

    While it is unclear whether the required capabilities have been indeed implemented, the documents, which Mandiant believes to be legitimate, do show NTC Vulkan’s involvement in projects to enable Russia’s cyber and information operations (IO), potentially targeting operational technology (OT) systems.

    “Mandiant did not identify any evidence indicating how or when the tools could be used. However, based on our analysis of the capabilities, we consider it feasible that the projects represent only some pieces of a variety of capabilities pursued by Russian-sponsored actors to conduct different types of cyber operations,” Mandiant notes.

  7. Tomi Engdahl says:

    Severe Azure Vulnerability Led to Unauthenticated Remote Code Execution
    https://www.securityweek.com/severe-azure-vulnerability-led-to-unauthenticated-remote-code-execution/

    A high-severity vulnerability in Azure Service Fabric Explorer could have allowed a remote, unauthenticated attacker to execute arbitrary code.

    A high-severity vulnerability in Microsoft’s Azure Service Fabric Explorer could have allowed a remote, unauthenticated attacker to execute arbitrary code, cloud security firm Orca says.

    Tracked as CVE-2023-23383 (CVSS score of 8.2), the bug is described as a cross-site scripting (XSS) issue that could lead to the execution of code on containers hosted on a Service Fabric node.

    Referred to as ‘Super FabriXss’, the flaw resided in a ‘Node Name’ parameter, which allowed an attacker to embed an iframe to retrieve files from a remote server controlled by the attacker.

    By exploiting the security defect, an attacker could execute a malicious PowerShell reverse shell, allowing them to run code on the container deployed to the cluster, potentially leading to system takeover. Both Linux and Windows clusters were found vulnerable to the attack.

    After creating a new Azure Service Fabric, the researchers observed that modifying a Node name in the user interface is reflected in the Node’s independent dashboard.

    Microsoft addressed the vulnerability as part of the March 2023 Patch Tuesday security updates, marking it as ‘important’. Due to the complexity of an attack and required user interaction, the tech giant believes that exploitation of this bug is ‘less likely’.

    Super FabriXss: From XSS to an RCE in Azure Service Fabric Explorer by Abusing an Event Tab Cluster Toggle (CVE-2023-23383)
    https://orca.security/resources/blog/super-fabrixss-azure-vulnerability/

    Today, at BlueHat IL 2023, we proudly announced our discovery of a new vulnerability in Azure, which we’ve dubbed ‘Super FabriXss.’ In our presentation, we demonstrated how we were able to escalate a reflected XSS vulnerability in Azure Service Fabric Explorer to an unauthenticated Remote Code Execution by abusing the metrics tab and enabling a specific option in the console – the ‘Cluster Type’ toggle. For the full story, please read our blog post below.

    Super FabriXss (CVE-2023-23383) is a dangerous Cross-Site Scripting (XSS) vulnerability discovered by the Orca Research Pod that affects Azure Service Fabric Explorer (SFX). This vulnerability enables unauthenticated remote attackers to execute code on a container hosted on a Service Fabric node.

    Orca Security immediately reported the vulnerability to the Microsoft Security Response Center (MSRC), who investigated the issue and assigned it CVE-2023-23383 (CVSS 8.2) with ‘Important’ severity. Microsoft released a fix and included it in their March 2023 Patch Tuesday.

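The two items above describe a reflected XSS in a node name that the Service Fabric Explorer UI wrote back into the node's dashboard page. As an added example, not Orca's code, Microsoft's or the original post's, here is the general pattern in Python: the vulnerable interpolation beside output encoding for the three contexts a reflected value typically lands in (HTML text, an attribute, a JavaScript string literal). The placeholder hostname attacker.example, the renderer function names and the sample node name are assumptions made for the demonstration; they are not the real exploit payload.

```python
import html
import json

# Constructed attacker-supplied node name for the demonstration; the page only
# says the vector was an injected iframe, so the hostname is a placeholder.
EVIL_NODE_NAME = '<iframe src="https://attacker.example/"></iframe>'


def render_node_header_unsafe(node_name: str) -> str:
    """The vulnerable pattern: the raw value is interpolated into HTML, so
    markup in the name is parsed as markup by the browser."""
    return f"<h2>Node {node_name}</h2>"


def render_node_header_safe(node_name: str) -> str:
    """HTML text context: entity-encode <, >, &, ' and " before interpolation."""
    return f"<h2>Node {html.escape(node_name, quote=True)}</h2>"


def render_node_link_safe(node_name: str) -> str:
    """Attribute context: quote=True also encodes the quote characters, so the
    value cannot terminate the attribute and start a new one (onload=...)."""
    safe = html.escape(node_name, quote=True)
    return f'<a href="#/node/{safe}" title="{safe}">{safe}</a>'


def render_node_script_safe(node_name: str) -> str:
    """JavaScript string context: json.dumps yields a quoted, escaped literal;
    '</' is additionally broken up so the literal can never contain the
    '</script>' sequence that would end the script block early."""
    literal = json.dumps(node_name).replace("</", "<\\/")
    return f"<script>var nodeName = {literal};</script>"


def reflects_tag(rendered: str, tag: str = "iframe") -> bool:
    """True when the tag survives rendering as live markup rather than as the
    entity-encoded text '&lt;tag'. Used here to compare the two renderers."""
    return f"<{tag}" in rendered
```

The point of the three encoders is that there is no single "escape" function: the same node name needs a different transformation depending on where in the page it is written, and the vulnerable renderer is wrong in every context. A templating engine with contextual auto-escaping does this for you; hand-built string concatenation, as above, is where reflected XSS comes from.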
  8. Tomi Engdahl says:

    10-year-old Windows bug with ‘opt-in’ fix exploited in 3CX attack https://www.bleepingcomputer.com/news/microsoft/10-year-old-windows-bug-with-opt-in-fix-exploited-in-3cx-attack/
    A 10-year-old Windows vulnerability is still being exploited in attacks to make it appear that executables are legitimately signed, with the fix from Microsoft still “opt-in” after all these years. Even worse, the fix is removed after upgrading to Windows 11. One of the malicious DLLs used in the attack is usually a legitimate DLL signed by Microsoft named d3dcompiler_47.dll. However, the threat actors modified the DLL to include an encrypted malicious payload at the end of the file. As first noted yesterday, even though the file was modified, Windows still showed it as correctly signed by Microsoft.
    After contacting Will Dormann, a senior vulnerability analyst at ANALYGENCE, about this behavior and sharing the DLL, we were told that the DLL is exploiting the CVE-2013-3900 flaw, a “WinVerifyTrust Signature Validation Vulnerability.”

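As an added example (not BleepingComputer's, Will Dormann's or Microsoft's code), the check below parses a PE file's security directory and reports data that sits inside a WIN_CERTIFICATE entry but outside the DER-encoded PKCS#7 structure, which is where the appended payload described above lives. The header offsets are the documented PE layout; the FAKE_DER fixture and the two build_* helpers are constructed test inputs, not real signatures; and the padding rule applied here (only zero bytes up to the next 8-byte boundary are legitimate) is an approximation of what the opt-in fix enforces, not Microsoft's implementation.

```python
import struct
import sys

WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002
IMAGE_DIRECTORY_ENTRY_SECURITY = 4


def der_element_length(buf: bytes) -> int:
    """Total encoded size (tag + length field + content) of the DER element at
    buf[0]. An Authenticode signature is a PKCS#7 SignedData SEQUENCE (0x30)."""
    if len(buf) < 2 or buf[0] != 0x30:
        raise ValueError("bCertificate does not start with a DER SEQUENCE")
    first = buf[1]
    if first < 0x80:                      # short form: one length byte
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(buf) < 2 + n:
        raise ValueError("malformed DER length")
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")


def check_win_certificate(entry: bytes) -> dict:
    """One WIN_CERTIFICATE entry: dwLength, wRevision, wCertificateType, then
    bCertificate. Bytes inside dwLength but past the DER structure are not
    covered by the signature, so anything there beyond zero alignment padding
    is reported as suspicious (approximation of the padding check)."""
    dw_length, revision, cert_type = struct.unpack_from("<IHH", entry, 0)
    if cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA:
        raise ValueError(f"unsupported wCertificateType 0x{cert_type:04x}")
    if dw_length < 8 or dw_length > len(entry):
        raise ValueError("dwLength does not fit the available data")
    pkcs7 = entry[8:dw_length]
    der_len = der_element_length(pkcs7)
    if der_len > len(pkcs7):
        raise ValueError("DER structure runs past the end of the entry")
    trailing = pkcs7[der_len:]
    allowed_pad = (-der_len) % 8          # entries are padded to 8-byte boundaries
    return {
        "dwLength": dw_length, "revision": revision, "der_length": der_len,
        "trailing_bytes": len(trailing),
        "suspicious": len(trailing) > allowed_pad or any(trailing),
    }


def security_directory(pe: bytes) -> tuple:
    """(file_offset, size) of IMAGE_DIRECTORY_ENTRY_SECURITY. Unlike the other
    data directories this one stores a raw file offset, not an RVA."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = e_lfanew + 4 + 20               # 4-byte signature + 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = {0x10B: 96, 0x20B: 112}[magic]  # data directory offset: PE32 / PE32+
    return struct.unpack_from("<II", pe, opt + dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)


def scan_pe(pe: bytes) -> list:
    """Check every WIN_CERTIFICATE entry in the security directory."""
    off, size = security_directory(pe)
    results, pos = [], off
    while pos < off + size:               # size == 0: unsigned, nothing to check
        info = check_win_certificate(pe[pos:off + size])
        results.append(info)
        pos += (info["dwLength"] + 7) & ~7
    return results


# --- constructed fixtures for the demonstration (not real signatures) -------
FAKE_DER = b"\x30\x05" + b"\xAA" * 5      # a 7-byte SignedData stand-in


def build_win_certificate(der: bytes, tail: bytes = b"") -> bytes:
    """Entry whose dwLength covers der + zero alignment padding + tail."""
    pad = b"\x00" * ((-len(der)) % 8)
    body = der + pad + tail
    return struct.pack("<IHH", 8 + len(body), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + body


def build_minimal_pe32(cert_blob: bytes) -> bytes:
    """Just enough of a PE32 image for security_directory() to find cert_blob."""
    hdr = bytearray(0x40 + 4 + 20 + 96 + 16 * 8)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)           # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    opt = 0x40 + 24
    struct.pack_into("<H", hdr, opt, 0x10B)            # PE32 magic
    struct.pack_into("<II", hdr, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                     len(hdr), len(cert_blob))
    return bytes(hdr) + cert_blob


if __name__ == "__main__":
    for result in scan_pe(open(sys.argv[1], "rb").read()):
        print(result)
```

The opt-in fix itself is the EnableCertPaddingCheck string value set to "1" under HKLM\SOFTWARE\Microsoft\Cryptography\Wintrust\Config (and the Wow6432Node path on 64-bit Windows), as documented in Microsoft's advisory for CVE-2013-3900; a scanner like the one above is useful precisely because, without that value, Windows reports such a file as validly signed, and because a trailing-data finding is a cheap hunting signal across a whole file share regardless of how the host is configured.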
  9. Tomi Engdahl says:

    Hackers exploit bug in Elementor Pro WordPress plugin with 11M installs https://www.bleepingcomputer.com/news/security/hackers-exploit-bug-in-elementor-pro-wordpress-plugin-with-11m-installs/
    Hackers are actively exploiting a high-severity vulnerability in the popular Elementor Pro WordPress plugin used by over eleven million websites. Elementor Pro is a WordPress page builder plugin allowing users to easily build professional-looking sites without knowing how to code, featuring drag and drop, theme building, a template collection, custom widget support, and a WooCommerce builder for online shops. The issue, which impacts v3.11.6 and all versions before it, allows authenticated users, like shop customers or site members, to change the site’s settings and even perform a complete site takeover.

  10. Tomi Engdahl says:

    Winter Vivern hackers exploit Zimbra flaw to steal NATO emails https://www.bleepingcomputer.com/news/security/winter-vivern-hackers-exploit-zimbra-flaw-to-steal-nato-emails/
    A Russian hacking group tracked as TA473, aka ‘Winter Vivern,’ has been actively exploiting vulnerabilities in unpatched Zimbra endpoints since February 2023 to steal the emails of NATO officials, governments, military personnel, and diplomats. Two weeks ago, Sentinel Labs reported on a recent operation by ‘Winter Vivern’ using sites mimicking European agencies fighting cybercrime to spread malware that pretends to be a virus scanner. Today, Proofpoint has published a new report on how the threat actor exploits CVE-2022-27926 on Zimbra Collaboration servers to access the communications of NATO-aligned organizations and persons.

  11. Tomi Engdahl says:

    Smart home assistants at risk from “NUIT” ultrasound attack https://www.malwarebytes.com/blog/news/2023/03/smart-home-assistants-at-risk-from-nuit-ultrasound-attack
    A new form of attack named Near Ultrasound Inaudible Trojan (NUIT) has been unveiled by researchers from the University of Texas. NUIT is designed to attack voice assistants with malicious commands remotely via the internet. Impacted assistants include Siri, Alexa, Cortana, and Google Assistant. This attack relies on abusing the high sensitivity of microphones found in these IoT devices. They’re able to pick up what is described as the near-ultrasound frequency range (16kHz – 20kHz), and this is where NUIT lurks.

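The NUIT item above puts the carrier in the 16–20 kHz near-ultrasound band, which a microphone hears but a person does not. As an added example (not the researchers' or Malwarebytes' code), the detector below measures how much energy a captured audio buffer carries in that band relative to the speech band, using the Goertzel algorithm so that only the frequencies of interest are computed rather than a full FFT. The 48 kHz sample rate, the band edges, the 100 Hz probe spacing and the 0.05 alert threshold are assumptions for the demonstration, and the test signals are synthesised rather than recorded.

```python
import math

SAMPLE_RATE = 48_000           # assumed capture rate; 16-20 kHz needs > 40 kHz
SPEECH_BAND = (300, 4000)      # Hz, where voice commands normally live
NUIT_BAND = (16000, 20000)     # Hz, the near-ultrasound range the article cites
BIN_STEP = 100                 # Hz between probed frequencies
ALERT_RATIO = 0.05             # assumed threshold for flagging a buffer


def goertzel_power(samples, freq_hz, sample_rate=SAMPLE_RATE):
    """|X(f)|^2 for one frequency via the Goertzel recurrence, i.e. a single
    DFT bin without computing the whole transform. Cheap enough to run on a
    handful of bins per captured buffer."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq_hz / sample_rate)
    s1 = s2 = 0.0
    for x in samples:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def band_power(samples, band, sample_rate=SAMPLE_RATE):
    """Sum of bin powers at BIN_STEP spacing across [lo, hi] Hz."""
    lo, hi = band
    return sum(goertzel_power(samples, f, sample_rate)
               for f in range(lo, hi + 1, BIN_STEP))


def near_ultrasound_ratio(samples, sample_rate=SAMPLE_RATE):
    """Energy in the NUIT band relative to the speech band. A spoken command
    has almost nothing above 16 kHz; an injected NUIT command arrives on a
    carrier that sits entirely in that band."""
    speech = band_power(samples, SPEECH_BAND, sample_rate)
    ultra = band_power(samples, NUIT_BAND, sample_rate)
    return ultra / (speech + 1e-12)


def is_suspicious(samples, sample_rate=SAMPLE_RATE, threshold=ALERT_RATIO):
    return near_ultrasound_ratio(samples, sample_rate) > threshold


def synth(tones, seconds=0.1, sample_rate=SAMPLE_RATE):
    """Constructed test input: a sum of sinusoids given as (freq_hz, amplitude).
    With 0.1 s at 48 kHz the bin spacing is 10 Hz, so every probed frequency
    is an exact bin and a tone on one of them does not leak into the others."""
    n = int(seconds * sample_rate)
    return [sum(a * math.sin(2.0 * math.pi * f * i / sample_rate) for f, a in tones)
            for i in range(n)]


if __name__ == "__main__":
    spoken = synth([(1000, 1.0)])                      # stand-in for a voice
    injected = synth([(1000, 1.0), (18000, 0.5)])      # voice plus inaudible carrier
    for name, buf in (("spoken", spoken), ("injected", injected)):
        print(f"{name}: ratio={near_ultrasound_ratio(buf):.4f} "
              f"suspicious={is_suspicious(buf)}")
```

The caveat that matters in practice: a capture path that resamples to 16 kHz before anything inspects it cannot see this band at all (Nyquist is 8 kHz), so the check only means something on the raw microphone stream, ahead of any speech-oriented downsampling.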
  12. Tomi Engdahl says:

    15 million public-facing services vulnerable to CISA KEV flaws https://www.bleepingcomputer.com/news/security/15-million-public-facing-services-vulnerable-to-cisa-kev-flaws/
    Over 15 million publicly facing services are susceptible to at least one of the 896 vulnerabilities listed in CISA’s KEV (Known Exploited Vulnerabilities) catalog. This massive number is reported by cybersecurity company Rezilion, which conducted large-scale research to identify vulnerable systems exposed to cyberattacks from threat actors, whether state-sponsored or ransomware gangs. Rezilion’s findings are particularly worrying because the examined vulnerabilities are known and highlighted in CISA’s KEV catalog as actively exploited by hackers, so any delays in their patching maintain a large attack surface, giving threat actors numerous potential targets.

  13. Tomi Engdahl says:

    Cacti, Realtek, and IBM Aspera Faspex Vulnerabilities Under Active Exploitation https://thehackernews.com/2023/04/cacti-realtek-and-ibm-aspera-faspex.html
    Critical security flaws in Cacti, Realtek, and IBM Aspera Faspex are being exploited by various threat actors in hacks targeting unpatched systems. This entails the abuse of CVE-2022-46169 (CVSS score: 9.8) and CVE-2021-35394 (CVSS score: 9.8) to deliver MooBot and ShellBot (aka PerlBot), Fortinet FortiGuard Labs said in a report published this week.

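The Rezilion item (comment 12) and the Cacti/Realtek/Aspera item above both come down to the same operational question: which of my exposed services carry a CVE that is in CISA's KEV catalog, and by how much have I missed the catalog's due date? The script below is an added example, not Rezilion's, Fortinet's or CISA's code. It uses the KEV feed's real field names (cveID, vendorProject, product, dateAdded, dueDate) and the three CVE IDs quoted on this page, but the sample catalog entries, their dates, and the inventory hosts and service strings are constructed for the demonstration, not values from the catalog or from a real scan.

```python
import json
from datetime import date

# Published feed location (CISA); download it and pass the file to load_kev().
KEV_FEED_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed sample in the feed's shape. The CVE IDs are the ones discussed
# above; the dates and product strings are illustrative, not the catalog's.
KEV_SAMPLE = {
    "vulnerabilities": [
        {"cveID": "CVE-2022-46169", "vendorProject": "Cacti", "product": "Cacti",
         "dateAdded": "2023-02-10", "dueDate": "2023-03-03"},
        {"cveID": "CVE-2021-35394", "vendorProject": "Realtek", "product": "Jungle SDK",
         "dateAdded": "2023-02-10", "dueDate": "2023-03-03"},
        {"cveID": "CVE-2022-27926", "vendorProject": "Zimbra", "product": "Collaboration (ZCS)",
         "dateAdded": "2023-03-07", "dueDate": "2023-03-28"},
    ]
}

# Constructed inventory, e.g. the output of an external scan: what is exposed
# and which CVEs the detected version is known to carry. RFC 5737
# documentation addresses stand in for real hosts.
INVENTORY_SAMPLE = [
    {"host": "203.0.113.10", "service": "cacti/1.2.22", "cves": ["CVE-2022-46169"]},
    {"host": "203.0.113.11", "service": "zimbra/8.8.15", "cves": ["CVE-2022-27926"]},
    {"host": "203.0.113.12", "service": "realtek-sdk-httpd", "cves": ["CVE-2021-35394"]},
    {"host": "203.0.113.13", "service": "nginx/1.22", "cves": []},
]


def load_kev(path: str) -> dict:
    """Load a saved copy of the feed (same structure as KEV_SAMPLE)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def index_kev(catalog: dict) -> dict:
    return {v["cveID"]: v for v in catalog["vulnerabilities"]}


def prioritise(inventory: list, catalog: dict, today: str) -> list:
    """One finding per (host, KEV CVE), most overdue first. A negative
    days_overdue means the due date is still in the future."""
    kev = index_kev(catalog)
    today_d = date.fromisoformat(today)
    findings = []
    for svc in inventory:
        for cve in svc["cves"]:
            entry = kev.get(cve)
            if entry is None:     # a CVE but not a KEV entry: still a bug, lower priority
                continue
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "host": svc["host"], "service": svc["service"], "cve": cve,
                "product": f'{entry["vendorProject"]} {entry["product"]}',
                "due": entry["dueDate"], "days_overdue": (today_d - due).days,
            })
    findings.sort(key=lambda f: (-f["days_overdue"], f["host"]))
    return findings


def exposure_summary(inventory: list, catalog: dict, today: str) -> dict:
    """Headline numbers of the kind the Rezilion report quotes."""
    findings = prioritise(inventory, catalog, today)
    return {
        "services_scanned": len(inventory),
        "services_with_kev": len({f["host"] for f in findings}),
        "overdue": sum(1 for f in findings if f["days_overdue"] > 0),
    }


if __name__ == "__main__":
    for f in prioritise(INVENTORY_SAMPLE, KEV_SAMPLE, date.today().isoformat()):
        print(f'{f["days_overdue"]:>4}d overdue  {f["host"]:<14} {f["cve"]:<15} {f["product"]}')
```

Sorting by days past the KEV due date, rather than by CVSS, is the point: every entry in the catalog is already confirmed exploited in the wild, so the useful ranking is how long the exposure has outlived the deadline, not how severe the bug looks on paper.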
  14. Tomi Engdahl says:

    Fake ransomware gang targets U.S. orgs with empty data leak threats https://www.bleepingcomputer.com/news/security/fake-ransomware-gang-targets-us-orgs-with-empty-data-leak-threats/
    Fake extortionists are piggybacking on data breaches and ransomware incidents, threatening U.S. companies with publishing or selling allegedly stolen data unless they get paid. Sometimes the actors add the menace of a distributed denial-of-service (DDoS) attack if the message recipient does not comply with the instructions in the message. Midnight Group’s extortion scam is not new. The tactic was observed in 2019 by ransomware incident response company Coveware, which calls it Phantom Incident Extortion.

  15. Tomi Engdahl says:

    Microsoft Fixes New Azure AD Vulnerability Impacting Bing Search and Major Apps https://thehackernews.com/2023/04/microsoft-fixes-new-azure-ad.html
    Microsoft has patched a misconfiguration issue impacting the Azure Active Directory (AAD) identity and access management service that exposed several “high-impact” applications to unauthorized access.
    “One of these apps is a content management system (CMS) that powers Bing.com and allowed us to not only modify search results, but also launch high-impact XSS attacks on Bing users,” cloud security firm Wiz said in a report. “Those attacks could compromise users’ personal data, including Outlook emails and SharePoint documents.”

  16. Tomi Engdahl says:

    Pro-Islam ‘Anonymous Sudan’ Hacktivists Likely a Front for Russia’s Killnet Operation https://www.darkreading.com/attacks-breaches/pro-islam-anonymous-sudan-hacktivists-front-russia-killnet-operation
    An apparently pro-Islamic group that has hit numerous targets in Europe with distributed denial of service (DDoS) attacks over the past few months may actually be a subgroup of the Russian hacktivist collective known as Killnet. The group, which calls itself “Anonymous Sudan,” has claimed responsibility for recent DDoS attacks against targets in France, Germany, the Netherlands, and Sweden. All the attacks were apparently in retaliation for perceived anti-Islamic activity in each of these countries. The attacks on Swedish government and business entities, for instance, followed an incident of Quran-burning in Stockholm. The same, or similar, reason was the trigger for DDoS attacks against Dutch government agencies and an attack on Air France, where the group, in a break from character, stole data from the airline’s website rather than DDoSing it.

  17. Tomi Engdahl says:

    New Money Message ransomware demands million dollar ransoms https://www.bleepingcomputer.com/news/security/new-money-message-ransomware-demands-million-dollar-ransoms/
    A new ransomware gang named ‘Money Message’ has appeared, targeting victims worldwide and demanding million-dollar ransoms not to leak data and release a decryptor. The new ransomware was first reported by a victim on the BleepingComputer forums on March 28, 2023, with Zscaler’s ThreatLabz soon after sharing information on Twitter.
    Currently, the threat actor lists two victims on its extortion site, one of which is an Asian airline with annual revenue close to $1 billion. Additionally, the threat actors claim to have stolen files from the company and include a screenshot of the accessed file system as proof of the breach.

  18. Tomi Engdahl says:

    Cryptocurrency companies backdoored in 3CX supply chain attack https://www.bleepingcomputer.com/news/security/cryptocurrency-companies-backdoored-in-3cx-supply-chain-attack/
    Some of the victims affected by the 3CX supply chain attack have also had their systems backdoored with Gopuram malware, with the threat actors specifically targeting cryptocurrency companies with this additional malicious payload. Gopuram is a modular backdoor that can be used by its operators to manipulate the Windows registry and services, perform file timestomping to evade detection, inject payloads into already running processes, load unsigned Windows drivers using the open-source Kernel Driver Utility, as well as partial user management via the net command on infected devices.

  19. Tomi Engdahl says:

    Researchers claim they can bypass Wi-Fi encryption (briefly, at least) https://nakedsecurity.sophos.com/2023/04/03/researchers-claim-they-can-bypass-wi-fi-encryption-briefly-at-least/
    Cybersecurity researchers in Belgium and the US recently published a paper scheduled for presentation later this year at the USENIX 2023 conference. The three co-authors couldn’t resist a punning title, dubbing their attack “Framing Frames”, with a slightly easier-to-follow strapline that says “Bypassing Wi-Fi encryption by manipulating transmit queues”. As security researchers are wont to do, the trio asked themselves, “What happens when a Wi-Fi user disconnects temporarily from the network, either accidentally or on purpose, but might very well reappear online after a short outage?”

  20. Tomi Engdahl says:

    Malicious ISO File Leads to Domain Wide Ransomware https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/
    IcedID continues to deliver malspam emails to facilitate a compromise.
    This case covers the activity from a campaign in late September of 2022. Post-exploitation activities detail some familiar and some new techniques and tooling, which led to domain-wide ransomware.

  21. Tomi Engdahl says:

    Mobile Device Malware Analysis
    https://www.pwndefend.com/2023/04/02/mobile-device-malware-analysis/
    Mobile devices present interesting challenges when it comes to incident response, malware analysis and digital forensics. If you look at the architecture of mobile platforms (such as iOS) you have quite a difference from a general-purpose computer. You have a restrictive environment with sandboxes etc. You don’t have root (unless you have a jailbroken device) and there are other variables at play.

  22. Tomi Engdahl says:

    ChatGPT, the AI Revolution, and the Security, Privacy and Ethical Implications
    https://www.securityweek.com/chatgpt-the-ai-revolution-and-the-security-privacy-and-ethical-implications/

    Two of humanity’s greatest drivers, greed and curiosity, will push AI development forward. Our only hope is that we can control it.

    This is the Age of artificial intelligence (AI). We think it is new, but it isn’t. The AI Revolution has been in progress for many years. What is new is the public appearance of the large scale generative pre-trained transformer (GPT) known as ChatGPT (an application of Large Language Models – LLMs).

    ChatGPT has breached our absolute sensory threshold for AI. Before this point, the evolution of AI was progressing, but largely unnoticed. Now we are suddenly very aware, as if AI happened overnight. But it’s an ongoing evolution – and is one that we cannot stop. The genius is out of the bottle, and we have little understanding of where it will take us.

    At a very basic level, these implications can be divided into areas such as social, business, political, economic and more. There are no clear boundaries between them. For example, social and business combine in areas such as the future of employment.

    OpenAI, the developer of ChatGPT published its own research in this area: An Early Look at the Labor Market Impact Potential of Large Language Models. (PDF). It concludes, among other things, “around 19% of workers may see at least 50% of their tasks impacted.”

    But we must be clear – these wider effects of AI on society and economics are not our concern here. We are limiting ourselves to discussing the cybersecurity, privacy and ethical implications emerging from the GPT and LLM elements of AI.

    Working paper
    GPTs are GPTs: An Early Look at the Labor Market Impact Potential of Large Language Models
    https://arxiv.org/pdf/2303.10130.pdf

    We investigate the potential implications of large language models (LLMs), such as Generative Pre-trained Transformers (GPTs), on the U.S. labor market, focusing on the increased capabilities arising from LLM-powered software compared to LLMs on their own. Using a new rubric, we assess occupations based on their alignment with LLM capabilities, integrating both human expertise and GPT-4 classifications. Our findings reveal that around 80% of the U.S. workforce could have at least 10% of their work tasks affected by the introduction of LLMs, while approximately 19% of workers may see at least 50% of their tasks impacted. We do not make predictions about the development or adoption timeline of such LLMs. The projected effects span all wage levels, with higher-income jobs potentially facing greater exposure to LLM capabilities and LLM-powered software. Significantly, these impacts are not restricted to industries with higher recent productivity growth. Our analysis suggests that, with access to an LLM, about 15% of all worker tasks in the US could be completed significantly faster at the same level of quality. When incorporating software and tooling built on top of LLMs, this share increases to between 47 and 56% of all tasks. This finding implies that LLM-powered software will have a substantial effect on scaling the economic impacts of the underlying models. We conclude that LLMs such as GPTs exhibit traits of general-purpose technologies, indicating that they could have considerable economic, social, and policy implications.

  23. Tomi Engdahl says:

    US Defense Department Launches ‘Hack the Pentagon’ Website
    https://www.securityweek.com/us-defense-department-launches-hack-the-pentagon-website/

    New ‘Hack the Pentagon’ website helps DoD organizations launch bug bounty programs and recruit security researchers.

    The US Department of Defense (DoD) has launched a new website to help organizations within the department to launch bug bounty programs and recruit security researchers.

    The new Hack the Pentagon (HtP) website, launched by the Chief Digital and Artificial Intelligence Office (CDAO) Directorate for Digital Services (DDS), is meant as a companion for the DoD’s long-running bug bounty program with the same name.

    Initially launched in 2016, the DoD’s bug bounty program has resulted in more than 1,600 white hat hackers reporting over 2,100 vulnerabilities in Pentagon systems and assets and earning over $650,000 in bounty payments.

    Vetted security researchers have identified issues in networks, in planes, next-generation secure hardware, power and HVAC systems, water facilities, and more.

    “DDS built the HtP website as a resource for Department of Defense organizations, vendors, and security researchers to learn how to conduct a bug bounty, partner with the CDAO DDS team to support bug bounties, and participate in DoD-wide bug bounties,” DoD says.

    Previously, the DoD’s bug bounty program ran on a project-by-project basis, but the new website will help the department run continuous programs, offering access to lessons learned and best practices, and helping DoD organizations recruit security researchers for their bug bounty programs.

    To date, the DoD has run more than 40 bug bounty projects.

  24. Tomi Engdahl says:

    “I doubt it is possible to create a GPT model that can’t be abused,” adds Mike Parkin, senior technical engineer at Vulcan Cyber. “The challenge long term will be keeping threat actors from abusing the commercially available AI engines. Ultimately though, it will be impossible to keep them from creating their own and using them for whatever purposes they decide.”

    https://www.securityweek.com/chatgpt-the-ai-revolution-and-the-security-privacy-and-ethical-implications/

  25. Tomi Engdahl says:

    Supply Chain Security
    Europe, North America Most Impacted by 3CX Supply Chain Hack
    https://www.securityweek.com/europe-north-america-most-impacted-by-3cx-supply-chain-hack/

    Europe, the United States and Australia seem to be the most impacted by the 3CX supply chain hack, according to data from two cybersecurity firms.

    Organizations in Europe, North America and Australia seem to account for the highest percentage of victims of the supply chain hack that hit business communication company 3CX.

    According to data collected by Fortinet, based on the number of devices connecting to attacker-controlled infrastructure, the highest percentage of victims is in Italy, followed by Germany, Austria, the United States, South Africa, Australia, Switzerland, the Netherlands, Canada and the United Kingdom.

    Looking at regional data, Europe is at the top of the chart with 60%, followed by North America with 16%.

    “This may indicate that the threat actor is mainly targeting enterprises in those regions – however, this is uncertain. This could be indicative of 3CX product’s geographic customer base – including the possibility of various multinational corporations operating inside those regions,” Fortinet noted.

  26. Tomi Engdahl says:

    4.8 Million Impacted by Data Breach at TMX Finance
    https://www.securityweek.com/4-8-million-impacted-by-data-breach-at-tmx-finance/

    Consumer loan provider TMX Finance is informing over 4.8 million individuals that their personal information was stolen in a data breach.

    Consumer loan company TMX Finance has started informing over 4.8 million individuals that their personal information was stolen in a data breach.

    Operating roughly 1,100 stores in 15 states, TMX offers loans under three brands, namely TitleMax (title lending services), TitleBucks (car title loans), and InstaLoan (fast-approval personal loan services).

    The data breach was identified on February 13, 2023, and impacted the customers of all services, reads the notification letter to the affected individuals, a copy of which was submitted to the Maine Attorney General’s Office.

    According to TMX, the attackers accessed its systems in December 2022, but the data exfiltration only happened between February 3 and February 14, 2023.

  27. Tomi Engdahl says:

    Western Digital Shuts Down Services Due to Cybersecurity Breach
    Western Digital shuts down several of its services after discovering a network security breach.
    https://www.securityweek.com/western-digital-shuts-down-services-due-to-cybersecurity-breach/

    Western Digital has shut down several of its services after detecting a security breach on its network, the digital storage giant announced on Monday.

    The service outage, announced on April 2, impacts cloud, proxy, web, authentication, email, and push notification services, including My Cloud, My Cloud Home (Duo), My Cloud OS5, SanDisk Ibi, and SanDisk Ixpand Wireless Charger.

    In a press release issued on April 3, the company said it’s responding to an ongoing network security incident that involves an unauthorized third party gaining access to “a number” of its systems.

    “Upon discovery of the incident, the Company implemented incident response efforts and initiated an investigation with the assistance of leading outside security and forensic experts. This investigation is in its early stages and Western Digital is coordinating with law enforcement authorities,” WD said.

    The company is working on restoring impacted services and infrastructure. At this point in the investigation, it confirmed that the hackers did manage to gain access to certain types of data stored on its systems. The nature and scope of the compromised data is being determined.

  28. Tomi Engdahl says:

    Microsoft OneNote Starts Blocking Dangerous File Extensions
    https://www.securityweek.com/microsoft-onenote-starts-blocking-dangerous-file-extensions/

    Microsoft is boosting the security of OneNote users by blocking embedded files with extensions that are considered dangerous.

    Microsoft has announced improved protections for OneNote users with automatic blocking of embedded files with extensions that are considered dangerous.

    OneNote is an Office suite component typically used by enterprise users for note taking and task management, which also provides multi-user collaboration capabilities, among others.

    Just as other Office applications, OneNote has been abused for malware delivery, especially since OneNote documents allow attackers to attach files that would be executed with few warnings to the user.

    Specifically, users were informed that opening a OneNote attachment could be harmful, but were provided with the option to dismiss the warning and open the embedded file immediately.

    After security researchers warned last year that the Mark-of-the-Web (MOTW) protection was not applied to OneNote documents and their attachments, the abuse of OneNote in malicious campaigns surged.

    According to Microsoft, OneNote will block by default the same extensions that Word, Excel, Outlook, and PowerPoint block. However, Microsoft 365 administrators can set policies to block additional file types or to allow specific file types to be opened.

    “Malicious scripts and executables can cause harm if clicked by the user. If extensions are added to this allow list, they can make OneNote and other applications, such as Word and Excel, less secure,” Microsoft warns.

    https://www.securityweek.com/microsoft-onenote-abuse-for-malware-delivery-surges/

  29. Tomi Engdahl says:

    Elementor Pro Plugin Vulnerability Exploited to Hack WordPress Websites
    https://www.securityweek.com/elementor-pro-plugin-vulnerability-exploited-to-hack-wordpress-websites/

    A severe vulnerability in the Elementor Pro WordPress plugin is being exploited to inject malware into vulnerable websites.

    Reply
  30. Tomi Engdahl says:

    Cisco to Acquire Cloud Security Firm Lightspin for Reported $200 Million
    Cisco is set to acquire Israel-based cloud security company Lightspin for a reported $200-250 million.
    https://www.securityweek.com/cisco-to-acquire-cloud-security-firm-lightspin-for-reported-200-million/

    Lightspin’s platform provides infrastructure-as-code (IaC) security, cloud security posture management (CSPM) and Kubernetes security posture management (KSPM), workload scanning, attack path analysis, runtime protection, attack surface discovery, and SOC2 compliance capabilities.

    According to Cisco, the addition of Lightspin to its cloud security portfolio will enable its customers to “identify, prioritize, and remediate critical cloud security risks without the hassle of extensive configuration requirements”.

    Reply
  31. Tomi Engdahl says:

    Finland is now a NATO member – Niinistö: ”A great day for Finland” – IL follows minute by minute
    Finland’s blue-cross flag is being raised in Brussels today.
    https://www.iltalehti.fi/ulkomaat/a/003735fb-3c0c-49a6-b22f-7bc824d32f2f

    Finland is now a member of the NATO military alliance!

    Finland’s Foreign Minister Pekka Haavisto (Greens) travelled to Brussels yesterday with Finland’s NATO documents in his briefcase. Naturally, President of the Republic Sauli Niinistö is also on site.

    Parliament is the target of a denial-of-service attack
    Parliament’s communications department announced the denial-of-service attack.
    https://www.iltalehti.fi/politiikka/a/d1368d2d-cfb8-458b-9e94-89f965904be5

    Parliament’s external websites are the target of a denial-of-service attack, Parliament’s communications department reports.

    Parliament’s communications department says the situation is still being investigated.

    – Parliament’s external websites are under a denial-of-service attack. Parliament is taking measures to contain the attack together with its service providers and the National Cyber Security Centre (Kyberturvallisuuskeskus), Parliament’s official Twitter account wrote.

    Reply
  32. Tomi Engdahl says:

    Cyberattacks were carried out against Finland on Tuesday – National Cyber Security Centre (Kyberturvallisuuskeskus):
    Denial-of-service attacks are meant to make a statement
    https://yle.fi/a/74-20025844
    Denial-of-service attacks were carried out on Tuesday afternoon against the websites of Parliament and the technical research centre VTT, as well as Prime Minister Sanna Marin’s home page. In the evening, the website of Helsinki Region Transport (HSL) had also gone down. Denial-of-service attacks are usually small in impact, and their duration is hard to estimate, according to Max Mäkinen, information security specialist at the National Cyber Security Centre of the Finnish Transport and Communications Agency Traficom. According to Mäkinen, denial-of-service attacks are fairly commonplace these days, but they have only mild societal effects, apart from the availability of information on the targeted institution’s pages.

    Reply
  33. Tomi Engdahl says:

    New macOS malware steals sensitive info, including a user’s entire Keychain database https://www.malwarebytes.com/blog/news/2023/04/new-macos-malware-yoinks-a-trove-of-sensitive-information-including-a-users-entire-keychain-database
    A new macOS malware, called MacStealer, that is capable of stealing various files, cryptocurrency wallets, and details stored in specific browsers like Firefox, Chrome, and Brave, was discovered by security researchers from Uptycs, a cybersecurity company specializing in cloud security. It can also extract the base64-encoded form of the database of Keychain, Apple’s password manager. Users of macOS Catalina (10.5) and versions dependent on Intel M1 and M2 are affected by this malware. And while MacStealer appears to be the mac malware to watch, it is pretty rudimentary, according to Thomas Reed, Malwarebytes’ director of core technology. “There is no persistence method, and it relies on the user opening the app,” he adds, considering the foreseeable features the developer wants to add to MacStealer in the future.

    Reply
  34. Tomi Engdahl says:

    IRS-authorized eFile.com tax return software caught serving JS malware https://www.bleepingcomputer.com/news/security/irs-authorized-efilecom-tax-return-software-caught-serving-js-malware/
    eFile.com, an IRS-authorized e-file software service provider used by many for filing their tax returns, has been caught serving JavaScript malware. Security researchers state the malicious JavaScript file existed on eFile.com website for weeks. BleepingComputer has been able to confirm the existence of the malicious JavaScript file in question, at the time

    Reply
  35. Tomi Engdahl says:

    New Rorschach ransomware is the fastest encryptor seen so far https://www.bleepingcomputer.com/news/security/new-rorschach-ransomware-is-the-fastest-encryptor-seen-so-far/
    Following a cyberattack on a U.S.-based company, malware researchers discovered what appears to be a new ransomware strain with “technically unique features,” which they named Rorschach. Among the capabilities observed is the encryption speed, which, according to tests from the researchers, would make Rorschach the fastest ransomware threat today. The analysts found that the hackers deployed the malware on the victim network after leveraging a weakness in a threat detection and incident response tool.

    Reply
  36. Tomi Engdahl says:

    ALPHV ransomware exploits Veritas Backup Exec bugs for initial access https://www.bleepingcomputer.com/news/security/alphv-ransomware-exploits-veritas-backup-exec-bugs-for-initial-access/
    An ALPHV/BlackCat ransomware affiliate was observed exploiting three vulnerabilities impacting the Veritas Backup product for initial access to the target network. The ALPHV ransomware operation emerged in December 2021 and is considered to be run by former members of the Darkside and Blackmatter programs that shut down abruptly to escape law enforcement pressure. Mandiant tracks the ALPHV affiliate as ‘UNC4466’ and notes that the method is a deviation from the typical intrusion that relies on stolen credentials.

    Reply
  37. Tomi Engdahl says:

    New Rilide Malware Targeting Chromium-Based Browsers to Steal Cryptocurrency https://thehackernews.com/2023/04/new-rilide-malware-targeting-chromium.html
    Chromium-based web browsers are the target of a new malware called Rilide that masquerades itself as a seemingly legitimate extension to harvest sensitive data and siphon cryptocurrency. “Rilide malware is disguised as a legitimate Google Drive extension and enables threat actors to carry out a broad spectrum of malicious activities, including monitoring browsing history, taking screenshots, and injecting malicious scripts to withdraw funds from various cryptocurrency exchanges,” Trustwave SpiderLabs Research said in a report shared with The Hacker News.

    Reply
  38. Tomi Engdahl says:

    KPMG Tackles AI Security With Cranium Spinout
    https://www.securityweek.com/kpmg-tackles-ai-security-with-cranium-spinout/

    Consulting giant KPMG spins out a startup building technology to secure AI (artificial intelligence) applications and deployments.

    Reply
  39. Tomi Engdahl says:

    Chrome 112 Patches 16 Security Flaws
    https://www.securityweek.com/chrome-112-patches-16-security-flaws/

    Chrome 112 was released to the stable channel this week with 16 security fixes, including 14 for vulnerabilities reported by external researchers.

    Reply
  40. Tomi Engdahl says:

    Android’s April 2023 Updates Patch Critical Remote Code Execution Vulnerabilities
    https://www.securityweek.com/androids-april-2023-updates-patch-critical-remote-code-execution-vulnerabilities/

    Android’s April 2023 security updates were released this week with patches for two critical-severity vulnerabilities leading to remote code execution.

    Reply
  41. Tomi Engdahl says:

    Cybercrime Website Genesis Market Seized by FBI

    The FBI has seized Genesis Market, a major cybercrime website offering stolen device fingerprints.

    https://www.securityweek.com/cybercrime-website-genesis-market-seized-by-fbi/

    Reply
  42. Tomi Engdahl says:

    Nexx Ignores Vulnerabilities Allowing Hackers to Remotely Open Garage Doors
    https://www.securityweek.com/nexx-ignores-vulnerabilities-allowing-hackers-to-remotely-open-garage-doors/

    Nexx has ignored repeated attempts to report critical product vulnerabilities that can be exploited to remotely open garage doors, and take control of alarms and smart plugs.

    Texas-based smart home product provider Nexx appears to have ignored repeated attempts to report serious vulnerabilities that can be exploited by hackers to remotely open garage doors, and take control of alarms and smart plugs.

    Nexx offers smart alarms, garage door controllers, and smart plugs, all of which can be controlled remotely from a dedicated mobile application.

    Researcher Sam Sabetan discovered that these products are affected by serious vulnerabilities in late 2022 and disclosed their details on Tuesday.

    The US Cybersecurity and Infrastructure Security Agency (CISA) has also released an advisory to warn individuals and organizations using Nexx products about the flaws identified by the researcher. The agency said the impacted products are used by commercial facilities worldwide.

    The Uninvited Guest: IDORs, Garage Doors, and Stolen Secrets
    https://medium.com/@samsabetan/the-uninvited-guest-idors-garage-doors-and-stolen-secrets-e4b49e02dadc

    In late 2022, while conducting independent security research, I discovered a series of critical vulnerabilities in Nexx’s smart device product line, which encompasses Smart Garage Door Openers, Alarms, and Plugs. These vulnerabilities enabled remote attackers to open and close garage doors, take control of alarms, and switch smart plugs on and off for any customer.

    I collaborated closely with The United States Department of Homeland Security Cybersecurity and Infrastructure Security Agency (“CISA”) to responsibly disclose the research results. CISA assigned the following five CVEs:

    Use of Hard-coded Credentials CWE-798 (CVE-2023-1748, CVSS3.0: 8.6)
    Authorization Bypass Through User-Controlled Key CWE-639 (CVE-2023-1749, CVSS3.0: 6.5)
    Authorization Bypass Through User-Controlled Key CWE-639 (CVE-2023-1750, CVSS3.0: 7.1)
    Improper Input Validation CWE-20 (CVE-2023-1751, CVSS3.0: 7.5)
    Improper Authentication Validation CWE-287 (CVE-2023-1752, CVSS3.0: 8.1)

    More details can be found on CISA’s disclosure ICSA-23-094-01.

    Nexx has not replied to any correspondence from myself, DHS (CISA and US-CERT) or VICE Media Group. I have independently verified Nexx has purposefully ignored all our attempts to assist with remediation and has let these critical flaws continue to affect their customers.

    Which devices are affected, and how many are impacted?

    The vulnerabilities discussed in this post primarily involve the Smart Garage Door Controller and Smart Plugs, but the Smart Alarm is also susceptible to a similar class of vulnerabilities. As a result, all Nexx devices are affected by the vulnerabilities described here. It is estimated that over 40,000 devices, located in both residential and commercial properties, are impacted. Furthermore, I determined that more than 20,000 individuals have active Nexx accounts.

    ICS Advisory: Nexx Smart Home Device
    Release Date: April 04, 2023
    Alert Code: ICSA-23-094-01
    https://www.cisa.gov/news-events/ics-advisories/icsa-23-094-01

    Reply
  43. Tomi Engdahl says:

    Zimbra Flaw Exploited by Russia Against NATO Countries Added to CISA ‘Must Patch’ List
    https://www.securityweek.com/zimbra-flaw-exploited-by-russian-hackers-against-nato-added-to-cisa-must-patch-list/

    CISA has added to its Known Exploited Vulnerabilities catalog a Zimbra vulnerability exploited in attacks targeting NATO countries

    Reply
  44. Tomi Engdahl says:

    NATO Seeks Contractors to Test Security of Web Assets
    https://www.securityweek.com/nato-seeks-contractors-to-test-security-of-web-assets/

    NATO is looking for penetration testing vendors to assess the security of its internet-facing web assets.

    The North Atlantic Treaty Organization (NATO) is looking for penetration testing vendors to assess the security posture of its internet-facing web assets.

    A notice posted by the US Department of Commerce (DOC) last week shows that the NATO International Military Staff (IMS) plans to launch an invitation for International Competitive Bidding (ICB) in this regard.

    “The requirement is to assess the cybersecurity posture of NATO internet-facing web assets through controlled penetration testing,” the notice reads.

    For this job, NATO is looking for contractors that have a base in the US, which have been pre-approved for participation, and which have a declaration of eligibility (DOE) issued by the DOC.

    https://sam.gov/opp/4bbbe729819e474faa23e5598e9f50c5/view

    Reply
  45. Tomi Engdahl says:

    TikTok’s Trials and Tribulations Continue With UK Data Protection Fine

    The UK’s data protection regulator fined TikTok £12.7 million for “failing to use children’s personal data lawfully”

    https://www.securityweek.com/tiktoks-trials-and-tribulations-continue-with-uk-data-protection-fine/

    Reply
  46. Tomi Engdahl says:

    Self-Propagating, Fast-Encrypting ‘Rorschach’ Ransomware Emerges
    https://www.securityweek.com/self-propagating-fast-encrypting-rorschach-ransomware-emerges/

    The sophisticated, self-propagating Rorschach ransomware is one of the fastest at encrypting victims’ files.

    The newly identified ‘Rorschach’ ransomware uses a highly effective file-encrypting routine that makes it one of the fastest ransomware families out there, cybersecurity firm Check Point warns.

    Already making at least one victim in the US, Rorschach can spread itself automatically if executed on a domain controller. The malware is highly configurable, and contains unique functions that separate it from other ransomware families out there.

    While it seems to have been inspired by infamous ransomware, Rorschach does not appear linked to other malware families and its operator appears to have no affiliation with known ransomware groups.

    Rorschach’s execution relies on three files: cy.exe (Cortex XDR Dump Service Tool) is executed to side-load winutils.dll (loader and injector), which in turn loads config.ini (the Rorschach ransomware itself) in memory and injects it into notepad.exe.

    The ransomware spawns multiple processes and provides falsified arguments to them, which it uses to stop specific processes, delete shadow volumes and backups, clear Windows event logs, and disable the Windows firewall.

    If executed on a domain controller, the malware creates a group policy that allows it to automatically spread to other machines on the domain.

    Reply
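    A detection sketch for the three-stage chain the comment above describes (the signed cy.exe side-loading winutils.dll, the payload injected into notepad.exe, and notepad.exe then driving shadow-copy and event-log tooling). This is an added example, not code from Check Point or the article; the Sysmon-style event format, the file paths and the ADMIN_TOOLS list are assumptions constructed for it.

```python
import ntpath

# Sysmon-style event lines constructed for this example (not real telemetry):
# EventID<TAB>Image<TAB>ParentImage<TAB>ImageLoaded; 1 = process create, 7 = image load.
SAMPLE_EVENTS = """\
1\tC:\\Users\\alice\\Downloads\\cy.exe\tC:\\Windows\\explorer.exe\t
7\tC:\\Users\\alice\\Downloads\\cy.exe\t\tC:\\Users\\alice\\Downloads\\winutils.dll
1\tC:\\Windows\\System32\\notepad.exe\tC:\\Users\\alice\\Downloads\\cy.exe\t
1\tC:\\Windows\\System32\\vssadmin.exe\tC:\\Windows\\System32\\notepad.exe\t
1\tC:\\Windows\\System32\\wevtutil.exe\tC:\\Windows\\System32\\notepad.exe\t
1\tC:\\Windows\\System32\\notepad.exe\tC:\\Windows\\explorer.exe\t
7\tC:\\Windows\\System32\\notepad.exe\t\tC:\\Windows\\System32\\kernel32.dll
"""

# Assumed list of built-in admin tools that a text editor has no business launching.
ADMIN_TOOLS = {"vssadmin.exe", "wevtutil.exe", "netsh.exe", "net.exe", "bcdedit.exe", "wmic.exe"}


def parse(text):
    """Turn the tab-separated lines into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        eid, image, parent, loaded = line.split("\t")
        events.append({"id": int(eid), "image": image, "parent": parent, "loaded": loaded})
    return events


def base(path):
    return ntpath.basename(path).lower()


def detect(text):
    """Return (rule, subject) findings, one per event that matches a stage of the chain."""
    findings = []
    for ev in parse(text):
        if ev["id"] == 7 and base(ev["image"]) == "cy.exe" and base(ev["loaded"]) == "winutils.dll":
            # Side-load: the DLL sits in the same directory as the signed binary, not under C:\Windows.
            if ntpath.dirname(ev["loaded"]).lower() == ntpath.dirname(ev["image"]).lower():
                findings.append(("sideload_winutils", ev["image"]))
        elif ev["id"] == 1 and base(ev["image"]) == "notepad.exe" and base(ev["parent"]) == "cy.exe":
            # The injection host is launched by the loader rather than by the user's shell.
            findings.append(("notepad_from_loader", ev["parent"]))
        elif ev["id"] == 1 and base(ev["parent"]) == "notepad.exe" and base(ev["image"]) in ADMIN_TOOLS:
            # Payload hiding in notepad.exe spawning shadow-copy / event-log / firewall tooling.
            findings.append(("notepad_spawns_admin_tool", ev["image"]))
    return findings


if __name__ == "__main__":
    for rule, subject in detect(SAMPLE_EVENTS):
        print(f"{rule}: {subject}")
```

    A benign notepad.exe started from explorer.exe, and its normal system DLL loads, produce no finding; only the loader-to-notepad-to-admin-tool lineage does.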
  47. Tomi Engdahl says:

    CardinalOps Extends MITRE ATT&CK-based Detection Posture Management
    https://www.securityweek.com/cardinalops-extends-mitre-attck-based-detection-posture-management/

    Tel Aviv- and Boston-based CardinalOps has extended its detection posture management capability with MITRE ATT&CK Security Layers.

    Reply
