Cyber security news April 2023

This posting is here to collect cyber security news in April 2023.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.

352 Comments

  1. Tomi Engdahl says:

    DoJ: Estonian Man Tried to Acquire US-Made Hacking Tools for Russia
    https://www.securityweek.com/doj-estonian-man-tried-to-acquire-us-made-hacking-tools-for-russia/

    Andrey Shevlyakov was charged in the US for helping the Russian government and military purchase US-made electronics and hacking tools.

    An Estonian national has been charged in the United States for purchasing US-made electronics and computer hacking tools on behalf of the Russian government and military.

    The man, Andrey Shevlyakov, was arrested in Estonia on March 28. He was charged in the US on 18 counts of conspiracy and other charges.

    According to the indictment, Shevlyakov did business through several Estonian-based shell companies that he and his co-conspirators used to export microelectronics from the US to Estonia. The goods were then shipped to Russia, thus circumventing export regulations.

    Since 2012, the indictment says, Shevlyakov was placed by the US government on a ban list for procuring and delivering export-restricted items to Russia. To evade the list’s restrictions, he used false names and shell companies to order items and pay for them.

    Reply
  2. Tomi Engdahl says:

    Australian Finance Company Refuses Hackers’ Ransom Demand
    https://www.securityweek.com/australian-finance-company-refuses-hackers-ransom-demand/
    Latitude Financial said it had recently received a ransom threat from the group behind the cyberattack, which it was ignoring in line with government advice.

    Reply
  3. Tomi Engdahl says:

    Privacy
    Tesla Sued Over Workers’ Alleged Access to Car Video Imagery
    https://www.securityweek.com/tesla-sued-over-workers-alleged-access-to-car-video-imagery/

    A Tesla owner is seeking class action status for a lawsuit accusing the automaker of allowing its workers to use intimate or embarrassing imagery captured by the electric vehicles.

    Reply
  4. Tomi Engdahl says:

    Veritas Vulnerabilities Exploited in Ransomware Attacks Added to CISA ‘Must Patch’ List
    https://www.securityweek.com/veritas-vulnerabilities-exploited-in-ransomware-attacks-added-to-cisa-must-patch-list/
    CISA ordered federal agencies to patch Veritas Backup Exec vulnerabilities exploited in ransomware attacks.

    Reply
  5. Tomi Engdahl says:

    Tesla Retail Tool Vulnerability Led to Account Takeover
    https://www.securityweek.com/tesla-retail-tool-vulnerability-led-to-account-takeover/

    A vulnerability in Tesla’s Retail Tool application allowed a researcher to take over accounts of former employees.

    Reply
  6. Tomi Engdahl says:

    Binance says internal source code published online
    The company filed a subpoena request in federal court seeking to unmask the person who posted the code to GitHub.
    https://thedesk.net/2023/04/binance-internal-source-code-leaked-github/?utm_content=cmp-true

    Cryptocurrency exchange Binance has asked a federal court to help it unmask a person who leaked some of its proprietary internal source code online, The Desk has learned.

    The request was made in a petition for a subpoena against Microsoft’s GitHub code repository after someone using the name “Bonald” apparently uploaded and distributed some of Binance’s internal source code, which was discovered by the company in March.

    Reply
  7. Tomi Engdahl says:

    Gone in a Minute or So: How a Headlight Leads to a CAN Bus Injection Attack and a Stolen Vehicle
    Removing the headlight of a Toyota RAV4 turns out to be enough to gain access to the CAN bus — while an injection attack opens the door.
    https://www.hackster.io/news/gone-in-a-minute-or-so-how-a-headlight-leads-to-a-can-bus-injection-attack-and-a-stolen-vehicle-e037a2bc847e

    Reply
  8. Tomi Engdahl says:

    New Wi-Fi Protocol Security Flaw Affecting Linux, Android and iOS Devices
    https://thehackernews.com/2023/03/new-wi-fi-protocol-security-flaw.html

    Reply
  9. Tomi Engdahl says:

    TWITTER ACCIDENTALLY MADE USERS’ SECRET NUDES PUBLIC
    https://futurism.com/the-byte/twitter-accidentally-made-users-secret-nudes-public

    “TWITTER SEEMS TO BE OUTRIGHT FAILING TO FILTER OUT PRIVATE CONTENT BEFORE SERVING IT TO USERS.”

    Reply
  10. Tomi Engdahl says:

    A 20-year-old Nokia phone now fetches hundreds of euros – the reason is grim https://www.is.fi/digitoday/mobiili/art-2000009506316.html

    Reply
  11. Tomi Engdahl says:

    Microsoft Patches Another Already-Exploited Windows Zero-Day
    https://www.securityweek.com/microsoft-patches-another-already-exploited-windows-zero-day/

    For the second month in a row, Microsoft patches an already-exploited vulnerability in its flagship Windows operating system.

    For the second month in a row, Microsoft is pushing out urgent patches to cover an already-exploited vulnerability in its flagship Windows operating system.

    The vulnerability, flagged as zero-day by researchers at Mandiant, is described as an elevation of privilege issue in the Windows Common Log File System driver.

    In an advisory documenting the CVE-2023-28252, Redmond warns that an attacker who successfully exploited this vulnerability could gain SYSTEM privileges.

    As is customary, Microsoft did not provide any additional details on the zero-day exploitation or release IOCs (indicators of compromise) to help defenders hunt for signs of infections.

    The latest zero-day warning headlines a busy Patch Tuesday that includes fixes for at least 98 documented vulnerabilities across the Windows ecosystem. It comes exactly a month after Redmond confirmed a major no-interaction Outlook vulnerability exploited by Russian hackers since at least April 2022.

    So far this year, there have been at least 19 in-the-wild zero-day attacks. Security defects in code from Microsoft feature in about one-third of all observed exploitation in 2023.

    Reply
  12. Tomi Engdahl says:

    New Israeli spyware used to surveil journalists and opposition politicians https://www.is.fi/digitoday/art-2000009513427.html

    The program can steal data as well as record audio and take pictures on the victim's devices. Data from users' devices has been sent to ten different countries.

    A new program resembling the notorious Pegasus spyware has been developed in ISRAEL and used to spy on journalists and opposition politicians in several countries, reports the Citizen Lab research center at the University of Toronto.

    The spyware and its associated hacking software were created at the company QuaDream, which according to Citizen Lab was founded by a former employee of the Israeli military and former employees of NSO Group, the creator of Pegasus.

    According to the research center, QuaDream's spyware has been used to harvest data from at least five people in North America, Central Asia, Southeast Asia, Europe and the Middle East.

    Reply
  13. Tomi Engdahl says:

    Major study reveals: most people feel unsafe online – Finns are exceptionally relaxed about one thing https://www.is.fi/mainos/art-2000009496444.html

    Reply
  14. Tomi Engdahl says:

    Microsoft April 2023 Patch Tuesday fixes 1 zero-day, 97 flaws https://www.bleepingcomputer.com/news/microsoft/microsoft-april-2023-patch-tuesday-fixes-1-zero-day-97-flaws/
    Today is Microsoft’s April 2023 Patch Tuesday, and security updates fix one actively exploited zero-day vulnerability and a total of 97 flaws. Seven vulnerabilities have been classified as ‘Critical’ for allowing remote code execution, the most serious of vulnerabilities.
    This count does not include seventeen Microsoft Edge vulnerabilities fixed on April 6th. This month’s Patch Tuesday fixes one zero-day vulnerability actively exploited in attacks. Microsoft classifies a vulnerability as a zero-day if it is publicly disclosed or actively exploited with no official fix available. Also:
    https://isc.sans.edu/diary/Microsoft+April+2023+Patch+Tuesday/29736

    Reply
  15. Tomi Engdahl says:

    Nokoyawa ransomware attacks with Windows zero-day https://securelist.com/nokoyawa-ransomware-attacks-with-windows-zero-day/109483/
    In February 2023, Kaspersky technologies detected a number of attempts to execute similar elevation-of-privilege exploits on Microsoft Windows servers belonging to small and medium-sized businesses in the Middle East, in North America, and previously in Asia regions. These exploits were very similar to already known Common Log File System (CLFS) driver exploits that we analyzed previously, but we decided to double check, and it was worth it: one of the exploits turned out to be a zero-day, supporting different versions and builds of Windows, including Windows 11. The exploit was highly obfuscated with more than 80% of its code being junk elegantly compiled into the binary, but we quickly fully reverse-engineered it and reported our findings to Microsoft. Microsoft assigned CVE-2023-28252 to the Common Log File System elevation-of-privilege vulnerability, and a patch was released on April 11, 2023, as part of April Patch Tuesday

    Reply
  16. Tomi Engdahl says:

    From listKeys to Glory: How We Achieved a Subscription Privilege Escalation and RCE by Abusing Azure Storage Account Keys https://orca.security/resources/blog/azure-shared-key-authorization-exploitation/
    Here at Orca Security, our team of cloud researchers are continually pushing the cloud security limits to ensure that we cover the latest cloud security risks on our Orca Platform and find cloud infrastructure vulnerabilities before bad actors do. On what started as one of these typical days, we went on to discover a surprisingly critical exploitation path utilizing Microsoft Azure Shared Key authorization, a secret key-based authentication method to storage accounts. With this key, obtained either through a leakage or appropriate AD Role, an attacker can not only gain full access to storage accounts and potentially critical business assets, but also move laterally in the environment and even execute remote code. Read also:
    https://msrc.microsoft.com/blog/2023/04/best-practices-regarding-azure-storage-keys-azure-functions-and-azure-role-based-access/

    Reply
  17. Tomi Engdahl says:

    DEV-0196: QuaDreams KingsPawn malware used to target civil society in Europe, North America, the Middle East, and Southeast Asia https://www.microsoft.com/en-us/security/blog/2023/04/11/dev-0196-quadreams-kingspawn-malware-used-to-target-civil-society-in-europe-north-america-the-middle-east-and-southeast-asia/
    Microsoft Threat Intelligence analysts assess with high confidence that a threat group tracked by Microsoft as DEV-0196 is linked to an Israel-based private sector offensive actor (PSOA) known as QuaDream.
    QuaDream reportedly sells a platform they call REIGN to governments for law enforcement purposes. REIGN is a suite of exploits, malware, and infrastructure designed to exfiltrate data from mobile devices. In this blog, Microsoft analyzes DEV-0196, discusses technical details of the actor's iOS malware, which we call KingsPawn, and shares both host and network indicators of compromise that can be used to aid in detection

    Reply
  18. Tomi Engdahl says:

    3CX confirms North Korean hackers behind supply chain attack https://www.bleepingcomputer.com/news/security/3cx-confirms-north-korean-hackers-behind-supply-chain-attack/
    VoIP communications company 3CX confirmed today that a North Korean hacking group was behind last month’s supply chain attack. “Based on the Mandiant investigation into the 3CX intrusion and supply chain attack thus far, they attribute the activity to a cluster named UNC4736. Mandiant assesses with high confidence that UNC4736 has a North Korean nexus,” 3CX CISO Pierre Jourdan said today. The attackers infected 3CX systems with malware known as Taxhaul (or TxRLoader), which deployed a second-stage malware downloader named Coldcat by Mandiant. The malware achieved persistence on compromised systems through DLL side-loading via legitimate Microsoft Windows binaries, making it harder to detect

    Reply
  19. Tomi Engdahl says:

    Malware Disguised as Document from Ukraine’s Energoatom Delivers Havoc Demon Backdoor https://www.fortinet.com/blog/threat-research/malware-disguised-as-document-ukraine-energoatom-delivers-havoc-demon-backdoor
    As part of our ongoing research on malware being used in the Russian-Ukrainian conflict, FortiGuard Labs has encountered a malicious spoofed document pretending to be from the Ukrainian company Energoatom, a state-owned enterprise that operates Ukraine's nuclear power plants. Since the war with Russia began, Ukraine's energy sector has been under constant cyberattack. For example, in April 2022, an attack deploying INDUSTROYER2 and CADDYWIPER wiper malware targeted energy companies. On 16 August 2022, the Energoatom corporate website was the target of a DDoS attack. And in October 2022, yet another wiper attack, this one using the wiper dubbed NikoWiper, targeted the energy sector

    Reply
  20. Tomi Engdahl says:

    Why did Lemonsoft not immediately report a serious cyberattack?
    https://www.tivi.fi/uutiset/tv/1e8003dc-e2c5-4c3c-b774-de084c230b64
    Software company Lemonsoft, listed on the First North list of the Helsinki stock exchange, was the target of a cyberattack. Oscar Software, part of the Panostaja group, has also suffered a cyberattack. Neither company published a press release immediately; instead, the matters were reported on their service status pages. Lemonsoft published a press release on the incident on Friday, March 31, just under a week after the attack, which according to the company's service disruption notice was carried out on Saturday, March 25, at 15:00. It was not, however, a stock exchange release

    Reply
  21. Tomi Engdahl says:

    A new scam message is spreading in OP's name; customers of other banks are also targeted https://www.kauppalehti.fi/uutiset/opn-nimissa-leviaa-uusi-huijausviesti-kohteena-myos-muiden-pankkien-asiakkaita/3b75914a-1496-4182-a510-2e7321eb8bfb
    A scam message is once again spreading in the name of Osuuspankki, and it should be treated with caution.
    The message arrives as a text message, and the sender's name shows as Osuuspankki. Messages have also been sent to customers of other banks.
    For them too, the sender appears as Osuuspankki. The message claims that the user's banking details may be at risk because of a login attempt reported in Stockholm. "A login attempt was reported in Stockholm at 9:00. Your banking details may be at risk. Protect your bank by following the link," the message reads

    Reply
  22. Tomi Engdahl says:

    Stepping Insyde System Management Mode
    https://research.nccgroup.com/2023/04/11/stepping-insyde-system-management-mode/
    In October of 2022, Intel's Alder Lake BIOS source code was leaked online. The leaked code was comprised of firmware components that originated from three sources: the independent BIOS vendor (IBV) named Insyde Software, Intel's proprietary Alder Lake BIOS reference code, and the Tianocore EDK2 open-source UEFI reference implementation. I obtained a copy of the leaked code and began to hunt for vulnerabilities. This writeup focuses on the vulnerabilities that I found and reported to Insyde Software. These bugs span various System Management Mode (SMM) modules

    Reply
  23. Tomi Engdahl says:

    Announcing the deps.dev API: critical dependency data for secure supply chains https://security.googleblog.com/2023/04/announcing-depsdev-api-critical.html
    Today, we are excited to announce the deps.dev API, which provides free access to the deps.dev dataset of security metadata, including dependencies, licenses, advisories, and other critical health and security signals for more than 50 million open source package versions. Software supply chain attacks are increasingly common and harmful, with high profile incidents such as Log4Shell, Codecov, and the recent 3CX hack. The overwhelming complexity of the software ecosystem causes trouble for even the most diligent and well-resourced developers. We hope the deps.dev API will help the community make sense of complex dependency data that allows them to respond to, or even prevent, these types of attacks

    Reply
  24. Tomi Engdahl says:

    Guidance for investigating attacks using CVE-2022-21894: The BlackLotus campaign https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/
    This guide provides steps that organizations can take to assess whether users have been targeted or compromised by threat actors exploiting CVE-2022-21894 via a Unified Extensible Firmware Interface (UEFI) bootkit called BlackLotus. UEFI bootkits are particularly dangerous as they run at computer startup, prior to the operating system loading, and therefore can interfere with or deactivate various operating system (OS) security mechanisms such as BitLocker, hypervisor-protected code integrity (HVCI), and Microsoft Defender Antivirus. Though this could impede investigations and threat hunting efforts, several artifacts can still be leveraged to identify affected devices

    Reply
  25. Tomi Engdahl says:

    ChatGPT Creator OpenAI Ready to Pay Hackers for Security Flaws
    https://www.securityweek.com/chatgpt-creator-openai-ready-to-pay-hackers-via-new-bug-bounty-program/

    OpenAI announced a bug bounty program that will pay hackers up to $20,000 for security vulnerabilities found in ChatGPT and other products and OpenAI corporate assets.

    OpenAI, the company behind the wildly popular ChatGPT artificial-intelligence (AI) chatbot, on Tuesday launched a bug bounty program offering up to $20,000 for advance notice on security vulnerabilities found by hackers.

    The rollout of the new bug bounty program comes on the heels of OpenAI patching account takeover vulnerabilities in ChatGPT that were being exploited in the wild.

    The Microsoft-backed AI company plans to offer bounties for bugs in its flagship ChatGPT, along with APIs, API keys, third-party corporate targets and assets belonging to the OpenAI research organization.

    The company is specifically looking for security defects in the ChatGPT chatbot, including ChatGPT Plus, logins, subscriptions, OpenAI-created plugins and third-party plugins.

    Reply
  26. Tomi Engdahl says:

    Potential Outcomes of the US National Cybersecurity Strategy
    https://www.securityweek.com/potential-outcomes-of-the-us-national-cybersecurity-strategy/

    The national strategy outlined by the Federal Government on March 1, 2023, is a monumental attempt to weave a consistent approach to cybersecurity for the whole nation.

    Reply
  27. Tomi Engdahl says:

    A grim figure from Finland – it only takes one person to slip up and the whole company is at risk https://www.is.fi/digitoday/tietoturva/art-2000009502132.html

    Reply
  28. Tomi Engdahl says:

    Russian hackers linked to widespread attacks targeting NATO and EU https://www.bleepingcomputer.com/news/security/russian-hackers-linked-to-widespread-attacks-targeting-nato-and-eu/
    Poland’s Military Counterintelligence Service and its Computer Emergency Response Team have linked APT29 state-sponsored hackers, part of the Russian government’s Foreign Intelligence Service (SVR), to widespread attacks targeting NATO and European Union countries. As part of this campaign, the cyberespionage group (also tracked as Cozy Bear and Nobelium) aimed to harvest information from diplomatic entities and foreign ministries. “At the time of publication of the report, the campaign is still ongoing and in development,” an advisory published today warns:
    https://www.gov.pl/web/baza-wiedzy/espionage-campaign-linked-to-russian-intelligence-services

    Reply
  29. Tomi Engdahl says:

    ChatGPT Could Return to Italy if OpenAI Complies With Rules
    https://www.securityweek.com/chatgpt-could-return-to-italy-if-openai-complies-with-rules/

    ChatGPT could return to Italy if its maker, OpenAI, complies with measures to satisfy regulators who imposed a temporary ban on the AI software over privacy worries.

    ChatGPT could return to Italy soon if its maker, OpenAI, complies with measures to satisfy regulators who had imposed a temporary ban on the artificial intelligence software over privacy worries.

    The Italian data protection authority on Wednesday outlined a raft of requirements that OpenAI will have to satisfy by April 30 for the ban on the AI chatbot to be lifted.

    The watchdog known as Garante last month ordered the company to temporarily stop processing Italian users’ personal information while it investigated a possible data breach. The authority said it didn’t want to hamper AI’s development but emphasized the importance of following the European Union’s strict data privacy rules.

    OpenAI, which had responded by proposing remedies to ease the concerns, on Wednesday welcomed the Italian regulators’ move.

    Reply
  30. Tomi Engdahl says:

    Critical Vulnerability in Hikvision Storage Solutions Exposes Video Security Data
    https://www.securityweek.com/critical-vulnerability-in-hikvision-storage-solutions-exposes-video-security-data/

    Hikvision patches CVE-2023-28808, a critical authentication bypass vulnerability that exposes video data stored on its Hybrid SAN and cluster storage products.

    Video surveillance giant Hikvision this week informed customers that it has patched a critical vulnerability affecting its Hybrid SAN and cluster storage products.

    The vulnerability, tracked as CVE-2023-28808, has been described by the vendor as an access control issue that can be exploited to obtain administrator permissions by sending specially crafted messages to the targeted device.

    The impacted products are used by organizations to store video security data, and an attacker exploiting the vulnerability could gain access to that data.

    In a notification sent by Hikvision to partners — a copy was also shared with SecurityWeek — the company said it’s not aware of in-the-wild exploitation.

    Reply
  31. Tomi Engdahl says:

    Microsoft Shares Resources for BlackLotus UEFI Bootkit Hunting
    https://www.securityweek.com/microsoft-shares-resources-for-blacklotus-uefi-bootkit-hunting/

    Microsoft has shared details on how threat hunters can check their systems for BlackLotus UEFI bootkit infections.

    Microsoft this week has shared information on how threat hunters can identify BlackLotus bootkit infections in their environments.

    Initially identified in late 2022, BlackLotus provides nation-state-level capabilities that include user access control (UAC) and secure boot bypass, evasion, and disabling of protections, including hypervisor-protected code integrity (HVCI), BitLocker, and Microsoft Defender.

    To disable secure boot, the bootkit exploits a Windows vulnerability (CVE-2022-21894) for which proof-of-concept (PoC) code has been available since August 2022.

    “It is critical to note that a threat actor’s use of this bootkit is primarily a persistence and defense evasion mechanism. It is not a first-stage payload or an initial access vector and can only be deployed to a device to which a threat actor has already gained either privileged access or physical access,” Microsoft says in a recent blog post.

    https://www.securityweek.com/blacklotus-bootkit-can-target-fully-patched-windows-11-systems/

    Guidance for investigating attacks using CVE-2022-21894: The BlackLotus campaign
    https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/

    This guide provides steps that organizations can take to assess whether users have been targeted or compromised by threat actors exploiting CVE-2022-21894 via a Unified Extensible Firmware Interface (UEFI) bootkit called BlackLotus. UEFI bootkits are particularly dangerous as they run at computer startup, prior to the operating system loading, and therefore can interfere with or deactivate various operating system (OS) security mechanisms such as BitLocker, hypervisor-protected code integrity (HVCI), and Microsoft Defender Antivirus. Though this could impede investigations and threat hunting efforts, several artifacts can still be leveraged to identify affected devices. This document covers:

    Techniques to determine if devices in an organization are infected
    Recovery and prevention strategies to protect your environment

    Reply
  32. Tomi Engdahl says:

    Irrigation Systems in Israel Disrupted by Hacker Attacks on ICS
    https://www.securityweek.com/irrigation-systems-in-israel-disrupted-by-hacker-attacks-on-ics/

    Irrigation systems were disrupted recently in Israel in an attack that once again shows how easy it is to hack industrial control systems (ICS).

    Automated irrigation systems in the Northern part of Israel were briefly disrupted recently in an attack that once again shows how easy it can be to hack industrial control systems (ICS).

    The Jerusalem Post reported that hackers targeted water controllers for irrigation systems at farms in the Jordan Valley, as well as wastewater treatment control systems belonging to the Galil Sewage Corporation.

    Farms were warned by Israel’s National Cyber Directorate prior to the incident, being instructed to disable remote connections to these systems due to the high risk of cyberattacks. Roughly a dozen farms in the Jordan Valley and other areas failed to do so and had their water controllers hacked. This led to automated irrigation systems being temporarily disabled, forcing farmers to turn to manual irrigation.

    Langer said the hackers targeted programmable logic controllers (PLCs) made by Israeli company Unitronics. Information about these controllers, including default passwords and configuration options, is available online, and the devices run various software components that can be targeted by hackers.

    The attacks on water systems in Israel appear to be part of OpIsrael, an anti-Israel hacktivist campaign that has intensified every year in early April in the past decade.

    Reply
  33. Tomi Engdahl says:

    400,000 Users Hit by Data Breach at Media Player Maker Kodi
    https://www.securityweek.com/400000-users-hit-by-data-breach-at-media-player-maker-kodi/

    Media player maker Kodi has started rebuilding its user forum after hackers stole databases containing user posts, messages, and login credentials.

    Open source home theater software developer Kodi this week announced that it has started rebuilding its user forum following a February 2023 data breach.

    The incident was disclosed last week, after a threat actor started advertising on underground forums a dump of Kodi’s user forum (MyBB) software. The hacker offered the data of 400,000 Kodi users, including on the now-defunct BreachForums cybercrime website.

    The attackers compromised the account of an inactive administrator and accessed the web-based MyBB admin console on February 16 and 21, creating database backups and downloading existing nightly full backups.

    “The nightly full backups that were downloaded expose all public forum posts, all team forum posts, all messages sent through the user-to-user messaging system, and user data including forum username, email address used for notifications, and an encrypted (hashed and salted) password generated by the MyBB (v1.8.27) software,” Kodi said last week.

    Reply
  34. Tomi Engdahl says:

    Windows Zero-Day Exploited in Nokoyawa Ransomware Attacks
    https://www.securityweek.com/windows-zero-day-exploited-in-nokoyawa-ransomware-attacks/

    A Windows zero-day tracked as CVE-2023-28252 and fixed by Microsoft with its April Patch Tuesday updates has been exploited in Nokoyawa ransomware attacks.

    Reply
  35. Tomi Engdahl says:

    Ukrainian hackers say they have compromised Russian spy who hacked Democrats in 2016 https://www.reuters.com/world/ukrainian-hackers-say-they-have-compromised-russian-spy-who-hacked-democrats-2023-04-11/
    Ukrainian hackers claim to have broken into the emails of a senior Russian military spy wanted by the Federal Bureau of Investigation for hacking the Hillary Clinton campaign and other senior U.S. Democrats ahead of Donald Trump’s election to the presidency in 2016. In a message posted to Telegram on Monday, a group calling itself Cyber Resistance said it had stolen correspondence from Lt. Col. Sergey Morgachev, who was charged in 2018 with helping organize the hack and leak of emails from the Democratic National Committee (DNC) and the Clinton campaign. Reuters was not immediately able to fully corroborate the claim, but some of Morgachev’s purported personal information lines up with previously leaked data preserved by the cybersecurity research platform Constella Intelligence

    Reply
  36. Tomi Engdahl says:

    Exploring a Recent Microsoft Outlook Vulnerability: CVE-2023-23397
    https://www.fortinet.com/blog/threat-research/exploring-recent-microsoft-outlook-vulnerability-cve-2023-23397
    FortiGuard Labs recently investigated an Elevation of Privilege vulnerability in Microsoft Outlook that can be exploited by sending a crafted email to a vulnerable version of the software. When the victim receives the email, an attempt to connect to an attacker's device is triggered, resulting in the victim's NTLMv2 hash being leaked. The vulnerable property resides in the PidLidReminderFileParameter extended MAPI property, which specifies the filename of a sound to be played when a reminder for an object is overdue. To trigger the vulnerability, the sender simply modifies the PidLidReminderFileParameter message property to point to a malicious UNC path in a calendar or task item invite. To replicate this vulnerability, we used the Outlook AppointmentItem object to customize a malicious appointment email in the Calendar folder

    Reply
  37. Tomi Engdahl says:

    Windows admins warned to patch critical MSMQ QueueJumper bug https://www.bleepingcomputer.com/news/security/windows-admins-warned-to-patch-critical-msmq-queuejumper-bug/
    Security researchers and experts warn of a critical vulnerability in the Windows Message Queuing (MSMQ) middleware service patched by Microsoft during this month’s Patch Tuesday and exposing hundreds of thousands of systems to attacks. MSMQ is available on all Windows operating systems as an optional component that provides apps with network communication capabilities with “guaranteed message delivery,” and it can be enabled via PowerShell or the Control Panel. The flaw (CVE-2023-21554) enables unauthenticated attackers to gain remote code execution on unpatched Windows servers using specially crafted malicious MSMQ packets in low-complexity attacks that don’t require user interaction

    Reply
  38. Tomi Engdahl says:

    Are Internet Macros Dead or Alive?
    https://www.fortinet.com/blog/threat-research/are-internet-macros-dead-or-alive
    In early February of 2022, Microsoft announced that Internet Macros would be blocked by default to improve the security of Microsoft Office. According to their blog published in late Feb 2023, this change began rolling out in some update channels in April 2022. Other channels followed in July and October 2022, with the final rollout in January 2023. Office uses a specific algorithm to determine whether to run macros in files from the Internet. The process starts by checking the file attribute. If it has a Mark of the Web (MOTW) attribute, it verifies whether it is from a trusted location and performs other processes, and based on those outcomes, it decides whether to block or run the macro. Since that announcement, we have observed that cyber threat actors have begun to test and adopt new infection vectors to replace Office macros

    Reply
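    The macro-blocking decision summarised in the comment above, as an added Python model (not code from the original post, Fortinet or Microsoft): it reads the ZoneId from a constructed Zone.Identifier stream and applies the Mark of the Web and trusted-location steps in the order described; the trusted-location list is a hypothetical path-prefix list, and the further "other processes" Office runs are collapsed into a single fall-through result.

```python
"""
Model of the "block macros from the Internet" decision Office applies.
Added example for this page; not Microsoft's or Fortinet's code.
Assumptions (labelled): trusted locations are plain path prefixes, and only the
two steps named in the post (MOTW check, trusted-location check) are modelled;
the signature and Trust Center steps Office also runs are folded into one
"TRUST_CENTER" fall-through result.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# URL security zone ids as written by Windows into the Zone.Identifier
# alternate data stream of a downloaded file ("ZoneId=3" means Internet).
ZONE_LOCAL_MACHINE = 0
ZONE_LOCAL_INTRANET = 1
ZONE_TRUSTED_SITES = 2
ZONE_INTERNET = 3
ZONE_RESTRICTED_SITES = 4

# Hypothetical trusted-location list; real Office reads its own from the registry.
TRUSTED_LOCATIONS = [r"C:\Users\alice\AppData\Roaming\Microsoft\Templates"]


@dataclass
class OfficeFile:
    path: str
    zone_identifier: Optional[str]  # raw Zone.Identifier stream, None if absent


def parse_zone_id(stream: Optional[str]) -> Optional[int]:
    """Extract ZoneId from a Zone.Identifier stream. Returns None when there is
    no stream or no ZoneId line; both mean there is no mark to act on."""
    if not stream:
        return None
    m = re.search(r"^\s*ZoneId\s*=\s*(\d+)\s*$", stream, re.MULTILINE | re.IGNORECASE)
    return int(m.group(1)) if m else None


def has_mark_of_the_web(stream: Optional[str]) -> bool:
    """The file counts as 'from the Internet' when its zone is Internet or Restricted."""
    zone = parse_zone_id(stream)
    return zone is not None and zone >= ZONE_INTERNET


def in_trusted_location(path: str) -> bool:
    """Prefix match against the hypothetical trusted locations; PureWindowsPath
    compares case-insensitively, like the Windows file system."""
    p = PureWindowsPath(path)
    return any(p.is_relative_to(PureWindowsPath(loc)) for loc in TRUSTED_LOCATIONS)


def macro_decision(f: OfficeFile) -> Tuple[str, str]:
    """Return (decision, reason) following the order described in the post."""
    if not has_mark_of_the_web(f.zone_identifier):
        # No MOTW: the Internet default block does not apply; other settings decide.
        return ("TRUST_CENTER", "no Mark of the Web, not treated as an Internet file")
    if in_trusted_location(f.path):
        return ("RUN", "MOTW present but file is in a trusted location")
    return ("BLOCK", "MOTW present and file is outside trusted locations")


# Constructed sample streams and paths (not captured from a real system).
INTERNET_STREAM = ("[ZoneTransfer]\r\nZoneId=3\r\n"
                   "ReferrerUrl=https://example.invalid/\r\n"
                   "HostUrl=https://example.invalid/report.docm\r\n")
INTRANET_STREAM = "[ZoneTransfer]\r\nZoneId=1\r\n"

SAMPLES = [
    OfficeFile(r"C:\Users\alice\Downloads\report.docm", INTERNET_STREAM),
    OfficeFile(r"C:\Users\alice\AppData\Roaming\Microsoft\Templates\report.dotm", INTERNET_STREAM),
    OfficeFile(r"\\fileserver\share\report.docm", INTRANET_STREAM),
    # Extracted from a container that did not propagate the stream: no mark at all.
    OfficeFile(r"C:\Users\alice\Downloads\extracted\report.docm", None),
]


def evaluate_all(files: List[OfficeFile] = SAMPLES) -> List[str]:
    """Decision for each sample, in order."""
    return [macro_decision(f)[0] for f in files]


if __name__ == "__main__":
    for f in SAMPLES:
        decision, reason = macro_decision(f)
        print(f"{decision:13} {f.path}  ({reason})")
```

    A file that arrives without the stream (the fourth sample) never reaches the block, which is why the absence of the mark, rather than its presence, is what a defender should watch for in delivery chains that use archives or container formats.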
  39. Tomi Engdahl says:

    Recent IcedID (Bokbot) activity
    https://isc.sans.edu/forums/diary/Recent+IcedID+Bokbot+activity/29740/
    This week, we’ve seen IcedID (Bokbot) distributed through thread-hijacked emails with PDF attachments. The PDF files have links that redirect to Google Firebase Storage URLs hosting password-protected zip archives. The password for the downloaded zip archive is shown in the PDF file. The downloaded zip archives contain EXE files that are digitally-signed using a certificate issued by SSL.com. The EXE file is designed to install IcedID malware on a vulnerable Windows host

    Reply
  40. Tomi Engdahl says:

    The first US state is about to ban TikTok https://www.is.fi/digitoday/art-2000009521801.html

    Reply
