Cyber security news April 2023

This posting is here to collect cyber security news in April 2023.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.

352 Comments

  1. Tomi Engdahl says:

    Android malware infiltrates 60 Google Play apps with 100M installs https://www.bleepingcomputer.com/news/security/android-malware-infiltrates-60-google-play-apps-with-100m-installs/
    A new Android malware named ‘Goldoson’ has infiltrated Google Play through 60 legitimate apps that collectively have 100 million downloads. The malicious malware component is part of a third-party library used by all sixty apps that the developers unknowingly added to their apps

    Reply
  2. Tomi Engdahl says:

    Vice Society ransomware uses new PowerShell data theft tool in attacks https://www.bleepingcomputer.com/news/security/vice-society-ransomware-uses-new-powershell-data-theft-tool-in-attacks/
    The Vice Society ransomware gang is deploying a new, rather sophisticated PowerShell script to automate data theft from compromised networks. Stealing corporate and customer data is a standard tactic in ransomware attacks for use as further leverage when extorting victims or reselling the data to other cybercriminals for maximum profit. Vice Society’s new data exfiltrator is fully automated and uses “living off the land” binaries and scripts that are unlikely to trigger alarms from security software, keeping their activities stealthy before the final step of the ransomware attack, the encrypting of data

    Reply
  3. Tomi Engdahl says:

    Why is Juice Jacking Suddenly Back in the News?
    https://krebsonsecurity.com/2023/04/why-is-juice-jacking-suddenly-back-in-the-news/
    The term juice jacking crept into the collective paranoia of gadget geeks in the summer of 2011, thanks to the headline for a story here about researchers at the DEFCON hacker convention in Vegas who'd set up a mobile charging station designed to educate the unwary to the reality that many mobile devices connected to a computer would sync their data by default. Since then, Apple, Google and other mobile device makers have changed the way their hardware and software works so that their devices no longer automatically sync data when one plugs them into a computer with a USB charging cable. Instead, users are presented with a prompt asking if they wish to trust a connected computer before any data transfer can take place

    Reply
  4. Tomi Engdahl says:

    Lazarus Hacker Group Evolves Tactics, Tools, and Targets in DeathNote Campaign https://thehackernews.com/2023/04/lazarus-hacker-group-evolves-tactics.html
    The North Korean threat actor known as the Lazarus Group has been observed shifting its focus and rapidly evolving its tools and tactics as part of a long-running campaign called DeathNote. While the nation-state adversary is known for persistently singling out the cryptocurrency sector, recent attacks have also targeted automotive, academic, and defense sectors in Eastern Europe and other parts of the world, in what’s perceived as a “significant” pivot

    Reply
  5. Tomi Engdahl says:

    New Mirai Variant Employs Uncommon Tactics to Distribute Malware https://www.darkreading.com/remote-workforce/new-mirai-variant-employs-uncommon-tactics-to-distribute-malware
    A new version of a Mirai variant called RapperBot is the latest example of malware using relatively uncommon or previously unknown infection vectors to try and spread widely. RapperBot first surfaced last year as Internet of Things (IoT) malware containing large chunks of Mirai source code but with some substantially different functionality compared with other Mirai variants. The differences included the use of a new protocol for command-and-control (C2) communications and a built-in feature for brute-forcing SSH servers rather than Telnet services, as is common in Mirai variants

    Reply
  6. Tomi Engdahl says:

    Hackers claim vast access to Western Digital systems https://techcrunch.com/2023/04/13/hackers-claim-vast-access-to-western-digital-systems/
    The hackers who breached data storage giant Western Digital claim to have stolen around 10 terabytes of data from the company, including reams of customer information. The extortionists are pushing the company to negotiate a ransom of a minimum 8 figures in exchange for not publishing the stolen data

    Reply
  7. Tomi Engdahl says:

    LockBit ransomware encryptors found targeting Mac devices https://www.bleepingcomputer.com/news/security/lockbit-ransomware-encryptors-found-targeting-mac-devices/
    The LockBit ransomware gang has created encryptors targeting Macs for the first time, likely becoming the first major ransomware operation to ever specifically target macOS. The new ransomware encryptors were discovered by cybersecurity researcher MalwareHunterTeam who found a ZIP archive on VirusTotal that contained what appears to be all of the available LockBit encryptors. Historically, the LockBit operation uses encryptors designed for attacks on Windows, Linux, and VMware ESXi servers. However, as shown below, this archive also contained previously unknown encryptors for macOS, ARM, FreeBSD, MIPS, and SPARC CPUs

    Reply
  8. Tomi Engdahl says:

    Major operation: marketplace for stolen user credentials shut down, KRP (Finland's National Bureau of Investigation) assisted the United States https://www.is.fi/digitoday/art-2000009522527.html
    The online marketplace for stolen user credentials Genesis Market was shut down last week in an international operation led by the US federal police, the FBI, and the Dutch police

    Reply
  9. Tomi Engdahl says:

    Cybercrims hop geofences, clamor for stolen ChatGPT Plus accounts https://www.theregister.com/2023/04/15/cybercrims_hop_chatgpt_geofences/
    The market for stolen ChatGPT accounts, and especially Plus subscriptions, is on the rise as miscreants in countries blocked by OpenAI try to hop the chatbot’s geofences. This uptick began in March, according to Check Point bods who say they’ve noticed an “increase in the chatter in underground forums related to leaking or selling compromised ChatGPT premium accounts.”

    Reply
  10. Tomi Engdahl says:

    CISA warns of Android bug exploited by Chinese app to spy on users https://www.bleepingcomputer.com/news/security/cisa-warns-of-android-bug-exploited-by-chinese-app-to-spy-on-users/
    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned today of a high-severity Android vulnerability believed to have been exploited by a Chinese e-commerce app Pinduoduo as a zero-day to spy on its users. This Android Framework security flaw (tracked as CVE-2023-20963) allows attackers to escalate privileges on unpatched Android devices without requiring user interaction. “Android Framework contains an unspecified vulnerability that allows for privilege escalation after updating an app to a higher Target SDK with no additional execution privileges needed,” CISA explains

    Reply
  11. Tomi Engdahl says:

    Google Warns of New Chrome Zero-Day Attack
    https://www.securityweek.com/google-warns-of-new-chrome-zero-day-attack/

    The high-severity vulnerability, tracked as CVE-2023-2033, is described as a type confusion in the Chrome V8 JavaScript engine.

    Another day, another zero-day attack hitting widely deployed software from a big tech provider.

    Google on Friday joined the list of vendors dealing with zero-day attacks, rolling out a major Chrome Desktop update to fix a security defect that’s already been exploited in the wild.

    “Google is aware that an exploit for CVE-2023-2033 exists in the wild,” the company said in a barebones advisory that credits Clément Lecigne of Google’s Threat Analysis Group for reporting the issue.

    The company did not provide any additional details of the bug, the in-the-wild exploitation, indicators of compromise (IOCs) or any guidance on the profile of targeted machines.

    Google said access to bug details and links may be kept restricted until a majority of users are updated with a fix.

    The patch is being pushed to Chrome 112.0.5615.121 for Windows, Mac and Linux and will roll out via the software’s automatic patching mechanism over the coming days/weeks.

    Reply
  12. Tomi Engdahl says:

    Critical Vulnerability in Hikvision Storage Solutions Exposes Video Security Data
    https://www.securityweek.com/critical-vulnerability-in-hikvision-storage-solutions-exposes-video-security-data/

    Hikvision patches CVE-2023-28808, a critical authentication bypass vulnerability that exposes video data stored on its Hybrid SAN and cluster storage products.

    Reply
  13. Tomi Engdahl says:

    Darktrace Denies Getting Hacked After Ransomware Group Names Company on Leak Site
    https://www.securityweek.com/darktrace-denies-getting-hacked-after-ransomware-group-names-firm-on-leak-site/

    Cybersecurity firm Darktrace has issued a statement after it was listed on the leak website of the LockBit ransomware group.

    Cybersecurity company Darktrace issued a statement on Thursday after it was named on the leak website of the LockBit ransomware group.

    “Earlier this morning we became aware of tweets from LockBit, the cyber-criminal gang, claiming that they had compromised Darktrace’s internal security systems and had accessed our data. Our security teams have run a full review of our internal systems and can see no evidence of compromise,” Darktrace said.

    “None of the LockBit social media posts link to any compromised Darktrace data. We will continue to monitor the situation extremely closely, but based on our current investigations we are confident that our systems remain secure and all customer data is fully protected,” it added.

    Updated statement regarding LockBit claims
    https://darktrace.com/statement-darktrace

    Reply
  14. Tomi Engdahl says:

    Juniper Networks Patches Critical Third-Party Component Vulnerabilities
    https://www.securityweek.com/juniper-networks-patches-critical-third-party-component-vulnerabilities/

    Juniper Networks this week announced patches for tens of vulnerabilities across its product portfolio, including critical bugs in Junos OS and STRM.

    Reply
  15. Tomi Engdahl says:

    Google, CISA Warn of Android Flaw After Reports of Chinese App Zero-Day Exploitation
    https://www.securityweek.com/google-cisa-warn-of-android-flaw-after-reports-of-chinese-app-zero-day-exploitation/

    The Android vulnerability CVE-2023-20963, reportedly exploited as a zero-day by a Chinese app against millions of devices, was added to CISA’s KEV catalog.

    An Android vulnerability that was reportedly exploited as a zero-day by a Chinese application against millions of devices has been added to the known exploited vulnerabilities catalog maintained by the US Cybersecurity and Infrastructure Security Agency (CISA) after Google confirmed exploitation.

    Google said on March 21 that it had suspended the popular Chinese shopping application Pinduoduo on its app store after malware was discovered in versions of the app distributed through other websites. The Chinese company at the time denied the allegations.

    Reply
  16. Tomi Engdahl says:

    Microsoft Warns Accounting, Tax Return Preparation Firms of Remcos RAT Attacks
    https://www.securityweek.com/microsoft-warns-accounting-tax-return-preparation-firms-of-remcos-rat-attacks/

    A new Remcos RAT campaign is targeting US accounting and tax return preparation firms as Tax Day approaches.

    Reply
  17. Tomi Engdahl says:

    Online Gaming Chats Have Long Been Spy Risk for US Military
    https://www.securityweek.com/online-gaming-chats-have-long-been-spy-risk-for-us-military/

    Online gaming forums have long been a particular worry of the military because of their lure for young service members.

    Step into a U.S. military recreation hall at a base almost anywhere in the world and you’re bound to see it: young troops immersed in the world of online games, using government-funded gaming machines or their own consoles.

    The enthusiasm military personnel have for gaming — and the risk that carries — is in the spotlight after Jack Teixeira, a 21-year-old Massachusetts Air National Guardsman, was charged with illegally taking and posting highly classified material in a geopolitical chat room on Discord, a social media platform that started as a hangout for gamers.

    Reply
  18. Tomi Engdahl says:

    FBI Arrests 21-Year-Old Guardsman in Leak of Classified Military Documents
    https://www.securityweek.com/fbi-arrests-21-year-old-guardsman-in-leak-of-classified-military-documents/

    A Massachusetts Air National Guard member was arrested Thursday in connection with the disclosure of highly classified military documents about the Ukraine war and other top national security issues.

    Reply
  21. Tomi Engdahl says:

    QBot banker delivered through business correspondence https://securelist.com/qbot-banker-business-correspondence/109535/
    In early April, we detected a significant increase in attacks that use banking Trojans of the QBot family (aka QakBot, QuackBot, and Pinkslipbot). The malware would be delivered through e-mail letters written in different languages; variations of them were coming in English, German, Italian, and French. The messages were based on real business letters the attackers had gotten access to, which afforded them the opportunity to join the correspondence thread with messages of their own. As a general rule, such letters would be urging the addressee under a plausible pretext to open an enclosed PDF file. As an example, they could be asking to provide all the documentation pertaining to the attached application or to calculate the contract value based on the attached cost estimate.

    Reply
  22. Tomi Engdahl says:

    New Zaraza Bot Credential-Stealer Sold on Telegram Targeting 38 Web Browsers https://thehackernews.com/2023/04/new-zaraza-bot-credential-stealer-sold.html
    A novel credential-stealing malware called Zaraza bot is being offered for sale on Telegram while also using the popular messaging service as a command-and-control (C2). “Zaraza bot targets a large number of web browsers and is being actively distributed on a Russian Telegram hacker channel popular with threat actors,” cybersecurity company Uptycs said in a report published last week. “Once the malware infects a victim’s computer, it retrieves sensitive data and sends it to a Telegram server where the attackers can access it immediately.”

    Reply
  23. Tomi Engdahl says:

    Hackers start abusing Action1 RMM in ransomware attacks https://www.bleepingcomputer.com/news/security/hackers-start-abusing-action1-rmm-in-ransomware-attacks/
    Security researchers are warning that cybercriminals are increasingly using the Action1 remote access software for persistence on compromised networks and to execute commands, scripts, and binaries.
    Action1 is a remote monitoring and management (RMM) product that is commonly used by managed service providers (MSPs) and the enterprise to remotely manage endpoints on a network. The software allows admins to automate patch management and the deploying of security updates, install software remotely, catalog hosts, troubleshoot problems on endpoints, and get real-time reports. While these types of tools are extremely helpful for admins, they are also valuable to threat actors who can use them to deploy malware or gain persistence to networks.

    Reply
  24. Tomi Engdahl says:

    Google Uncovers APT41's Use of Open Source GC2 Tool to Target Media and Job Sites https://thehackernews.com/2023/04/google-uncovers-apt41s-use-of-open.html
    A Chinese nation-state group targeted an unnamed Taiwanese media organization to deliver an open source red teaming tool known as Google Command and Control (GC2) amid broader abuse of Google’s infrastructure for malicious ends.

    Reply
  25. Tomi Engdahl says:

    New Chameleon Android malware mimics bank, govt, and crypto apps https://www.bleepingcomputer.com/news/security/new-chameleon-android-malware-mimics-bank-govt-and-crypto-apps/
    A new Android trojan called Chameleon has been targeting users in Australia and Poland since the start of the year, mimicking the CoinSpot cryptocurrency exchange, an Australian government agency, and the IKO bank. The mobile malware was discovered by cybersecurity firm Cyble, which reports seeing distribution through compromised websites, Discord attachments, and Bitbucket hosting services. Chameleon includes a wide range of malicious functionality, including stealing user credentials through overlay injections and keylogging, cookies, and SMS texts from the infected device.

    Reply
  27. Tomi Engdahl says:

    Payments Giant NCR Hit by Ransomware
    https://www.securityweek.com/payments-giant-ncr-hit-by-ransomware/

    US payments giant NCR has confirmed being targeted in a ransomware attack for which the BlackCat/Alphv group has taken credit.

    Reply
  28. Tomi Engdahl says:

    Used Routers Often Come Loaded With Corporate Secrets
    https://www.wired.com/story/used-enterprise-router-company-secrets/

    More than half of the enterprise routers researchers bought secondhand hadn’t been wiped, exposing sensitive info like login credentials and customer data.

    YOU KNOW THAT you’re supposed to wipe your smartphone or laptop before you resell it or give it to your cousin. After all, there’s a lot of valuable personal data on there that should stay in your control. Businesses and other institutions need to take the same approach, deleting their information from PCs, servers, and network equipment so it doesn’t fall into the wrong hands. At the RSA security conference in San Francisco next week, though, researchers from the security firm ESET will present findings showing that more than half of secondhand enterprise routers they bought for testing had been left completely intact by their previous owners. And the devices were brimming with network information, credentials, and confidential data about the institutions they had belonged to.

    The researchers bought 18 used routers in different models made by three mainstream vendors: Cisco, Fortinet, and Juniper Networks. Of those, nine were just as their owners had left them and fully accessible, while only five had been properly wiped. Two were encrypted, one was dead, and one was a mirror copy of another device.

    All nine of the unprotected devices contained credentials for the organization’s VPN, credentials for another secure network communication service, or hashed root administrator passwords. And all of them included enough identifying data to determine who the previous owner or operator of the router had been.

    Reply
  29. Tomi Engdahl says:

    Fake Chrome updates spread malware
    https://www.malwarebytes.com/blog/news/2023/04/fake-chrome-updates-spread-malware
    Compromised websites are causing big headaches for Chrome users. A campaign running since November 2022 is using hacked sites to push fake web browser updates to potential victims. Researcher Rintaro Koike says this campaign has now expanded to also target those who speak Korean, Spanish, and Japanese. Additionally, Bleeping Computer notes that some of the affected sites include news, stores, and adult portals. The attackers are likely to be primarily targeting sites based on vulnerability rather than content served. As a result, it's difficult to predict where these bogus updates will appear next

    Reply
  30. Tomi Engdahl says:

    NSO hacked iPhones without user clicks in 3 new ways, researchers say https://www.washingtonpost.com/technology/2023/04/18/nso-apple-iphones-citizen-lab/
    Israeli spyware maker NSO Group deployed at least three new zero-click hacks against iPhones last year, finding ways to penetrate some of Apple's latest software, researchers at Citizen Lab have discovered.
    The attacks struck phones with iOS 15 and early versions of iOS 16 operating software, Citizen Lab said in a report Tuesday. The lab, based at the University of Toronto, shared its results with Apple, which has now fixed the flaws that NSO had been exploiting

    Reply
  31. Tomi Engdahl says:

    YouTube Videos Distributing Aurora Stealer Malware via Highly Evasive Loader https://thehackernews.com/2023/04/youtube-videos-distributing-aurora.html
    Cybersecurity researchers have detailed the inner workings of a highly evasive loader named “in2al5d p3in4er” (read: invalid printer) that’s used to deliver the Aurora information stealer malware. “The in2al5d p3in4er loader is compiled with Embarcadero RAD Studio and targets endpoint workstations using advanced anti-VM (virtual machine) technique,” cybersecurity firm Morphisec said in a report shared with The Hacker News. Aurora is a Go-based information stealer that emerged on the threat landscape in late 2022. Offered as a commodity malware to other actors, it’s distributed through YouTube videos and SEO-poised fake cracked software download websites

    Reply
  32. Tomi Engdahl says:

    Vastaamo's former CEO Ville Tapio sentenced for a data protection offence
    https://yle.fi/a/74-20027598
    Helsinki District Court has sentenced Vastaamo's former CEO Ville Tapio to a three-month suspended prison sentence for a data protection offence. According to the court, Tapio committed a data protection offence when he failed to implement at Vastaamo the General Data Protection Regulation's requirement to pseudonymise and encrypt the personal data being processed. The remaining charges were dismissed

    Reply
  33. Tomi Engdahl says:

    NSO Group Used at Least 3 iOS Zero-Click Exploits in 2022: Citizen Lab
    https://www.securityweek.com/nso-group-used-at-least-3-ios-zero-click-exploits-in-2022-citizen-lab/

    NSO Group used at least three iOS zero-click exploits in Pegasus attacks in 2022: FindMyPwn, PwnYourHome, and LatentImage.

    Reply
  34. Tomi Engdahl says:

    New ‘Domino’ Malware Linked to FIN7 Group, Ex-Conti Members
    https://www.securityweek.com/new-domino-malware-linked-to-fin7-group-ex-conti-members/

    New Domino backdoor brings together former members of the Conti group and the FIN7 threat actors.

    Reply
  35. Tomi Engdahl says:

    Takedown of GitHub Repositories Disrupts RedLine Malware Operations
    https://www.securityweek.com/takedown-of-github-repositories-disrupts-redline-malware-operations/

    Four GitHub repositories used by RedLine stealer control panels were suspended, disrupting the malware’s operations.

    Reply
  36. Tomi Engdahl says:

    Crude surprise scuttled Yle's litter-collection campaign
    A counter on Yle's website was abused so that a swastika formed on the map of Finland.
    https://www.iltalehti.fi/kotimaa/a/03062cd1-1199-4540-bd33-48c396437e7a

    This spring Yle organised a campaign in which the whole of Finland collects a million bags of litter during a two-month clean-up effort. Abuse has, however, watered down the well-meaning stunt, which is why the counting of litter bags has had to be temporarily suspended.

    On the Ylilauta discussion board there have been attempts to sabotage Yle's campaign, since at some point during the campaign a swastika made up of municipalities formed on the map of Finland. The abusers had deliberately marked certain localities in the litter counter so that the desired symbol would show up on the map.

    Reply
  37. Tomi Engdahl says:

    Used routers often come loaded with corporate secrets https://arstechnica.com/information-technology/2023/04/used-routers-often-come-loaded-with-corporate-secrets/
    You know that you’re supposed to wipe your smartphone or laptop before you resell it or give it to your cousin. After all, there’s a lot of valuable personal data on there that should stay in your control.
    Businesses and other institutions need to take the same approach, deleting their information from PCs, servers, and network equipment so it doesn’t fall into the wrong hands. At the RSA security conference in San Francisco next week, though, researchers from the security firm ESET will present findings showing that more than half of secondhand enterprise routers they bought for testing had been left completely intact by their previous owners. And the devices were brimming with network information, credentials, and confidential data about the institutions they had belonged to

    Reply
  38. Tomi Engdahl says:

    March 2023 broke ransomware attack records with 459 incidents https://www.bleepingcomputer.com/news/security/march-2023-broke-ransomware-attack-records-with-459-incidents/
    March 2023 was the most prolific month recorded by cybersecurity analysts in recent years, measuring 459 attacks, an increase of 91% from the previous month and 62% compared to March 2022. According to NCC Group, which compiled a report based on statistics derived from its observations, the reason last month broke all ransomware attack records was CVE-2023-0669. This is a vulnerability in Fortra’s GoAnywhere MFT secure file transfer tool that the Clop ransomware gang exploited as a zero-day to steal data from 130 companies within ten days

    Reply
  39. Tomi Engdahl says:

    Play ransomware gang uses custom Shadow Volume Copy data-theft tool https://www.bleepingcomputer.com/news/security/play-ransomware-gang-uses-custom-shadow-volume-copy-data-theft-tool/
    The Play ransomware group has developed two custom tools in .NET, namely Grixba and VSS Copying Tool, which it uses to improve the effectiveness of its cyberattacks. The two tools enable attackers to enumerate users and computers in compromised networks, gather information about security, backup, and remote administration software, and easily copy files from Volume Shadow Copy Service (VSS) to bypass locked files

    Reply
  40. Tomi Engdahl says:

    Google TAG Warns of Russian Hackers Conducting Phishing Attacks in Ukraine https://thehackernews.com/2023/04/google-tag-warns-of-russian-hackers.html
    Elite hackers associated with Russia’s military intelligence service have been linked to large-volume phishing campaigns aimed at hundreds of users in Ukraine to extract intelligence and influence public discourse related to the war. Google’s Threat Analysis Group (TAG), which is monitoring the activities of the actor under the name FROZENLAKE, said the attacks continue the “group’s 2022 focus on targeting webmail users in Eastern Europe.”

    Reply
  41. Tomi Engdahl says:

    Russian Man Who Laundered Money for Ryuk Ransomware Gang Sentenced
    https://www.securityweek.com/russian-man-who-laundered-money-for-ryuk-ransomware-gang-sentenced/

    Russian national Denis Dubnikov has been sentenced to time served after he pleaded guilty to charges related to laundering money for the Ryuk ransomware group.

    Reply
  42. Tomi Engdahl says:

    Oracle Releases 433 New Security Patches With April 2023 CPU
    https://www.securityweek.com/oracle-releases-433-new-security-patches-with-april-2023-cpu/

    Oracle’s April 2023 critical patch update (CPU) includes 433 new security patches, including more than 70 that fix critical vulnerabilities.

    Oracle on Tuesday announced the release of 433 new patches as part of its quarterly set of security updates, including more than 70 fixes for critical-severity vulnerabilities.

    More than 250 of the addressed vulnerabilities can be exploited remotely and without authentication. Some of the resolved bugs impact multiple products.

    For the third quarter in a row, Oracle Communications received the largest number of security patches, at 77.

    Other Oracle applications that received numerous patches include MySQL (34 patches – 11 remotely exploitable, unauthenticated vulnerabilities)

    Oracle also released patches for Java SE
    Virtualization (11 – 1)

    Customers are advised to apply the available patches as soon as possible. Unpatched Oracle applications are known to have been exploited in malicious attacks.

    “Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update security patches as soon as possible,” the tech giant notes.

    Reply
  43. Tomi Engdahl says:

    Neiman Marcus Says Hackers Breached Customer Accounts
    https://www.securityweek.com/neiman-marcus-says-hackers-breached-customer-accounts/

    Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.

    Reply
  44. Tomi Engdahl says:

    Mandiant 2023 M-Trends Report Provides Factual Analysis of Emerging Threat Trends
    https://www.securityweek.com/mandiant-2023-m-trends-report-provides-factual-analysis-of-emerging-threat-trends/

    In a year dominated by kinetic/cyber war in Ukraine, North Korea doubles down on cryptocurrency thefts, China and Iran continue to take advantage, and a new form of personal intimidation of company personnel emerges.

    Reply
  45. Tomi Engdahl says:

    Enterprises Exposed to Hacker Attacks Due to Failure to Wipe Discarded Routers
    https://www.securityweek.com/enterprises-exposed-to-hacker-attacks-due-to-failure-to-wipe-discarded-routers/

    Discarded enterprise routers are often not wiped and contain secrets that could be highly useful to malicious hackers.

    Discarded enterprise routers are often not wiped properly and store secrets that could be highly useful to malicious hackers, according to an analysis conducted by cybersecurity firm ESET.

    The company acquired 18 secondhand enterprise routers made by Cisco, Fortinet and Juniper Networks and found that nine devices, including core routers, contained complete configuration data. Only five devices had been properly wiped.

    In the case of the nine routers, ESET was able to determine with high confidence — based on the data still present on the devices — who their previous owner was. The list included a multinational tech company and a telecoms firm, both with more than 10,000 employees and over $1 billion in revenue.

    Reply
  46. Tomi Engdahl says:

    US, UK: Russia Exploiting Old Vulnerability to Hack Cisco Routers
    https://www.securityweek.com/us-uk-russia-exploiting-old-vulnerability-to-hack-cisco-routers

    US and UK government agencies have issued a joint warning for Russian group APT28 targeting Cisco routers by exploiting an old vulnerability.

    Government agencies in the United States and United Kingdom have issued a joint cybersecurity advisory to warn organizations about attacks in which a Russian threat group has exploited an old vulnerability to hack Cisco routers.

    The threat actor in question is APT28 (aka Fancy Bear, Strontium, Pawn Storm, Sednit Gang and Sofacy), which has officially been linked by the US and UK to a Russian military intelligence unit.

    The APT28 attacks detailed this week targeted Cisco routers in the United States, Ukraine and other European countries in 2021. However, the exploited vulnerabilities still pose a significant risk, with Cisco saying that it’s “deeply concerned by an increase in the rate of high-sophistication attacks on network infrastructure”.

    Reply
  47. Tomi Engdahl says:

    Google Patches Second Chrome Zero-Day Vulnerability of 2023
    https://www.securityweek.com/google-patches-second-chrome-zero-day-vulnerability-of-2023/

    Google warns of another zero-day vulnerability in Chrome, only days after addressing a similar issue.

    Google on Tuesday announced patches for another zero-day vulnerability found in the Chrome browser.

    Tracked as CVE-2023-2136, the security defect is described as a high-severity integer overflow issue in Skia. The bug was reported by Google Threat Analysis Group researcher Clement Lecigne and, per Google’s policy, no monetary reward was issued for it.

    “Google is aware that an exploit for CVE-2023-2136 exists in the wild,” the internet giant notes in its advisory.

    CVE-2023-2136 is the second zero-day vulnerability resolved in Chrome this year, after CVE-2023-2033, a type confusion issue in the V8 JavaScript engine, was addressed with an emergency patch last week.

    Reply
  48. Tomi Engdahl says:

    Bill Toulas / BleepingComputer:
    NCC Group measured a record 459 ransomware attacks in March 2023, up 91% MoM and 62% YoY, saying the surge is likely due to exploits of Fortra’s GoAnywhere MFT

    March 2023 broke ransomware attack records with 459 incidents
    https://www.bleepingcomputer.com/news/security/march-2023-broke-ransomware-attack-records-with-459-incidents/

    Reply
  49. Tomi Engdahl says:

    Tom Warren / The Verge:
    Microsoft starts naming threat actor groups after weather events, like typhoon, sandstorm, and blizzard; each name represents a nation state or a motivation — Microsoft has started naming hackers after the weather in a new naming taxonomy update. Hackers will now be named after events like storms …

    Microsoft is giving hackers weather-themed names like storm, typhoon, and blizzard
    Crimson Sandstorm isn’t a fancy new Surface color — it’s Iranian state-aligned hackers.
    https://www.theverge.com/2023/4/19/23689456/microsoft-weather-cybersecurity-threat-actors-naming

    Reply
