This posting is here to collect cyber security news in April 2023.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
Tomi Engdahl says:
Lawrence Abrams / BleepingComputer:
The US, the UK, and Cisco warn Russian hacking group APT28 is deploying custom malware on Cisco IOS routers, allowing unauthenticated access to the devices — The US, UK, and Cisco are warning of Russian state-sponsored APT28 hackers deploying a custom malware named ‘Jaguar Tooth’ on Cisco IOS routers …
US, UK warn of govt hackers using custom malware on Cisco routers
https://www.bleepingcomputer.com/news/security/us-uk-warn-of-govt-hackers-using-custom-malware-on-cisco-routers/
The US, UK, and Cisco are warning of Russian state-sponsored APT28 hackers deploying a custom malware named ‘Jaguar Tooth’ on Cisco IOS routers, allowing unauthenticated access to the device.
APT28, also known as Fancy Bear, STRONTIUM, Sednit, and Sofacy, is a state-sponsored hacking group linked to Russia’s General Staff Main Intelligence Directorate (GRU). This hacking group has been attributed to a wide range of attacks on European and US interests and is known to abuse zero-day exploits to conduct cyber espionage.
Tomi Engdahl says:
Financial Times:
In a joint statement, the FBI, Interpol, and 13 other law enforcement agencies say Meta’s plan to expand the use of E2EE in its apps “blindfolds” them to CSAM
Meta encryption ‘blindfolds’ authorities to child abuse, crime agencies claim
FBI, Interpol and UK National Crime Agency among law enforcement groups warning about tech company’s plans
https://www.ft.com/content/8540f9c0-672f-4ef4-b6c4-e5f6c36b3b8b
Tomi Engdahl says:
ChatGPT Premium accounts are already being sold on the Dark Web
https://etn.fi/index.php/13-news/14863-dark-webissae-myydaeaen-jo-chatgpt-premiumtilejae
Security company Check Point's research division reports that hijacked premium accounts for ChatGPT are already being sold on the Dark Web. At the same time, the company reports that the restrictions meant to prevent misuse of the chatbot do not work.
Since December 2022, Check Point Research (CPR) has been paying attention to ChatGPT's effects on cybersecurity. Now CPR also warns that trade in stolen ChatGPT Premium accounts has increased, which lets cybercriminals bypass OpenAI's country restrictions and gain unlimited access to ChatGPT.
The market for stolen accounts of various online services (account takeover, ATO) is one of the most successful gray or dark markets. Traditionally the focus of these markets has been on, for example, stolen financial service accounts (banks, online payment systems, etc.), social media accounts, online dating sites and email accounts.
Tomi Engdahl says:
Vastaamo's poor security was only the tip of the iceberg
https://etn.fi/index.php/13-news/14865-vastaamon-surkea-tietoturva-oli-vain-jaeaevuoren-huippu
Security company Palo Alto Networks has published its Cloud Threat Report Volume 7, which according to the company is the most comprehensive report on cloud service threats so far. The report highlights that most network intrusions stem from a small number of security rules whose compliance is neglected.
The report from Palo Alto's Unit 42 research division shows that about 80 percent of security alerts arise from just five percent of the security rule violations in most organizations' cloud environments. These include carelessly configured firewalls, missing authentication policies and unprotected databases.
Tomi Engdahl says:
https://www.uusiteknologia.fi/2023/04/20/uusi-ohjeisto-turvattujen-ohjelmien-suunnitteluun/
Tomi Engdahl says:
Bill Toulas / BleepingComputer:
NCC Group measured a record 459 ransomware attacks in March 2023, up 91% MoM and 62% YoY, saying the surge is likely due to exploits of Fortra’s GoAnywhere MFT — March 2023 was the most prolific month recorded by cybersecurity analysts in recent years, measuring 459 attacks …
March 2023 broke ransomware attack records with 459 incidents
https://www.bleepingcomputer.com/news/security/march-2023-broke-ransomware-attack-records-with-459-incidents/
March 2023 was the most prolific month recorded by cybersecurity analysts in recent years, measuring 459 attacks, an increase of 91% from the previous month and 62% compared to March 2022.
According to NCC Group, which compiled a report based on statistics derived from its observations, the reason last month broke all ransomware attack records was CVE-2023-0669.
This is a vulnerability in Fortra’s GoAnywhere MFT secure file transfer tool that the Clop ransomware gang exploited as a zero-day to steal data from 130 companies within ten days.
Tomi Engdahl says:
Matt Novak / Forbes:
Twitter suspends Wired’s Dell Cameron for reporting on anti-trans activist Matt Walsh’s hacked account; Wired denies violating Twitter’s hacked materials policy — A reporter at Wired magazine has been banned from Twitter after he wrote about the fact that anti-trans activist Matt Walsh had his Twitter account hacked.
Wired Journalist Banned From Twitter For Reporting On Hack Of Anti-Trans Activist Matt Walsh
https://www.forbes.com/sites/mattnovak/2023/04/19/wired-journalist-banned-from-twitter-for-reporting-on-hack-of-anti-trans-activist-matt-walsh/
A reporter at Wired magazine has been banned from Twitter after he wrote about the fact that anti-trans activist Matt Walsh had his Twitter account hacked. Walsh’s account was hacked on Tuesday and started posting offensive tweets about other popular right-wing figures like Andrew Tate and Ben Shapiro.
Dell Cameron, a senior writer at Wired who covers Big Tech, wrote about the hack on Wednesday and even interviewed the person allegedly responsible for posting to Walsh’s account. That interview was apparently enough to get Cameron banned for violating Twitter’s rules on “distribution of hacked material.”
The hacker, known only as Doomed, told Cameron he was able to gain access to Walsh’s account through a technique known as SIM swapping. The technique typically involves spoofing the target’s phone number in a way that allows the hacker to intercept text messages in order to circumvent protections like two-factor authentication. But Doomed reportedly told Cameron that they had help from an “insider.”
Doomed also claimed that he gained access to Walsh’s Google and Microsoft accounts, a claim that couldn’t be independently verified, though Doomed reportedly sent Cameron a copy of Walsh’s W2 tax form. Doomed also provided Wired with messages between Walsh and conservative commentator Steven Crowder as well as Ben Shapiro.
Tomi Engdahl says:
Hackers struck Europe's air traffic control organization
Air traffic is not said to be at risk because of the hacker attack.
https://www.iltalehti.fi/ulkomaat/a/51b9f6dd-d8ed-4a25-96ed-8a02adebbfab
The US newspaper Wall Street Journal reports that Europe's air traffic control organization has been targeted by an attack by pro-Russian hackers.
According to the paper, the cyberattack on the website of the European air traffic control organization Eurocontrol began on April 19.
A Eurocontrol spokesperson told the Wall Street Journal that the hacker attack has not affected air traffic control operations.
The hacker attacks are believed to be driven by the tightening of relations between the West and Russia.
Europe’s Air-Traffic Agency Under Attack From Pro-Russian Hackers
Air traffic isn’t at risk but the attack is ongoing, Eurocontrol said, amid fears about the safety of Europe’s critical infrastructure
https://www.wsj.com/articles/europes-air-traffic-agency-under-attack-from-pro-russian-hackers-54b4514d?mod=hp_lead_pos4
Europe’s air-traffic control agency said Thursday that it was under attack from pro-Russian hackers amid fears that Moscow could interfere with the region’s critical infrastructure as its confrontation with the West escalates.
The cyberattack on the agency’s website started on April 19, a spokeswoman for the European Organisation for the Safety of Air Navigation, also known as Eurocontrol, said, adding that it wasn’t affecting the agency’s air-traffic control activities.
[The Wall Street Journal]
Tomi Engdahl says:
CISA Releases Malware Analysis Report on ICONICSTEALER https://www.cisa.gov/news-events/alerts/2023/04/20/cisa-releases-malware-analysis-report-iconicstealer
CISA has released a new Malware Analysis Report (MAR) on an infostealer known as ICONICSTEALER. This trojan has been identified as a variant of malware used in the supply chain attack against 3CX's Desktop App.
Tomi Engdahl says:
Instagram scam promises money in exchange for your image https://www.malwarebytes.com/blog/news/2023/04/instagram-scam-promises-money-in-exchange-for-your-image
We're seeing a number of complaints on Reddit and elsewhere regarding a scam which flares up every so often. It's called the Muse scam, and targets users of Instagram.
Tomi Engdahl says:
3CX hack caused by trading software supply chain attack https://www.bleepingcomputer.com/news/security/3cx-hack-caused-by-trading-software-supply-chain-attack/
An investigation into last month’s 3CX supply chain attack discovered that it was caused by another supply chain compromise where suspected North Korean attackers breached the site of stock trading automation company Trading Technologies to push trojanized software builds
Tomi Engdahl says:
‘AuKill’ Malware Hunts & Kills EDR Processes https://www.darkreading.com/attacks-breaches/aukill-malware-hunts-kills-edr-processes
The “AuKill” cybercrime tool has emerged, which threat actors are using to disable endpoint detection and response (EDR) defenses used by enterprises before deploying ransomware. It makes use of malicious device drivers to infiltrate systems. In two recent incidents, researchers from Sophos observed an adversary using AuKill prior to deploying Medusa Locker ransomware; another time, the security vendor discovered an attacker using the EDR killer on an already compromised system before installing the LockBit ransomware
Tomi Engdahl says:
Microsoft Defender update causes Windows Hardware Stack Protection mess https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-update-causes-windows-hardware-stack-protection-mess/
In a confusing mess, a recent Microsoft Defender update rolled out a new security feature called ‘Kernel-mode Hardware-enforced Stack Protection,’ while removing the LSA protection feature. Unfortunately, Microsoft has not provided any documentation on this change, leading to more questions than answers. Local Security Authority Protection, aka LSA Protection, is a security feature that protects sensitive information, like credentials, from being stolen by blocking untrusted code from being injected into the LSASS process and LSASS process memory dumping
Tomi Engdahl says:
https://www.uusiteknologia.fi/2023/04/21/tekoalyn-chatgpt-huijaukset-rajussa-kasvussa/?utm_source=rss&utm_medium=rss&utm_campaign=tekoalyn-chatgpt-huijaukset-rajussa-kasvussa
Tomi Engdahl says:
Cascading Supply Chain Attack: 3CX Hacked After Employee Downloaded Trojanized App
https://www.securityweek.com/cascading-supply-chain-attack-3cx-hacked-after-employee-downloaded-trojanized-app/
3CX hack is the first known cascading supply chain attack, with the breach starting after an employee downloaded compromised software from a different firm.
More information was made available on Thursday about the recent 3CX hack, and it turns out that the incident was what cybersecurity experts are calling a cascading software supply chain attack.
The hack came to light in late March, after 3CX customers started complaining that various cybersecurity products had been triggering warnings for the company’s software.
An investigation revealed that hackers had compromised 3CX’s Windows and macOS build environments and used their access to push trojanized software to the company’s customers.
Mandiant, which helped 3CX investigate the breach, found that the business communication company’s systems were penetrated after an employee downloaded on their personal computer a trojanized installer for the X_Trader trading software from Trading Technologies.
https://www.securityweek.com/topics/3CX/
Tomi Engdahl says:
PaperCut Warns of Exploited Vulnerability in Print Management Solutions
Print management solutions provider PaperCut warns that exploitation of a recently patched vulnerability has commenced.
https://www.securityweek.com/papercut-warns-of-exploited-vulnerability-in-print-management-solutions/
Tomi Engdahl says:
VMware Patches Pre-Auth Code Execution Flaw in Logging Product
https://www.securityweek.com/vmware-patches-pre-auth-code-execution-flaw-in-logging-product/
VMware warns of two critical vulnerabilities — CVE-2023-20864 and CVE-2023-20865 — in the VMware Aria Operations for Logs product.
Virtualization technology powerhouse VMware continues to encounter major security problems in its enterprise-facing log analysis product.
The company shipped urgent patches on Thursday to cover critical security defects in the VMware Aria Operations for Logs (formerly vRealize Log Insight) product line and warned of the risk of pre-authentication remote root exploits.
A critical-level advisory from VMware documents two separate vulnerabilities — CVE-2023-20864 and CVE-2023-20865 — in the VMware Aria Operations for Logs suite and provides guidance to help businesses mitigate the issues.
“An unauthenticated, malicious actor with network access to VMware Aria Operations for Logs may be able to execute arbitrary code as root,” the company said in its documentation of the CVE-2023-20864 vulnerability. The flaw carries a CVSS severity score of 9.8 out of 10.
The second vulnerability is described as a command injection issue with a CVSS score of 7.2/10.
“A malicious actor with administrative privileges in VMware Aria Operations for Logs can execute arbitrary commands as root,” according to the advisory.
Tomi Engdahl says:
Ransomware Attack Hits Health Insurer Point32Health
https://www.securityweek.com/ransomware-attack-hits-health-insurer-point32health/
Health insurer Point32Health takes systems offline after falling victim to ransomware attack.
Non-profit health insurer Point32Health says it has taken systems offline to contain a ransomware attack identified this week.
Established in 2021 as the merger between Harvard Pilgrim Health Care and Tufts Health Plan, Point32Health is the second largest health insurer in Massachusetts, serving more than 2 million customers.
In a notification published this week, the organization revealed that it fell victim to a ransomware attack on April 17, which forced it to take systems offline to contain the incident.
The attack, Point32Health says, impacted systems it uses “to service members, accounts, brokers, and providers”, with most of them related to Harvard Pilgrim Health Care.
Tomi Engdahl says:
Air Force Unit in Document Leaks Case Loses Intel Mission
https://www.securityweek.com/phylum-adds-open-policy-agent-to-open-source-analysis-engine/
The Air Force is investigating how a lone airman could access and distribute possibly hundreds of highly classified documents, and in the meantime has taken away the intelligence mission from the unit where the leaks took place
The Air Force is investigating how a lone airman could access and distribute possibly hundreds of highly classified documents, and in the meantime has taken away the intelligence mission from the unit where the leaks took place, Air Force leaders said Tuesday.
Air Force Secretary Frank Kendall told Congress he has directed the Air Force inspector general to go look at the Air National Guard 102nd Intelligence Wing based in Cape Cod, Massachusetts, where Airman 1st Class Jack Teixeira served and look at “anything associated with this leak that could have gone wrong.”
Teixeira, 21, was charged Friday in the U.S. District Court in Boston with unauthorized removal and retention of classified and national defense information. He is expected back in court for a hearing Wednesday.
The leaks have raised questions as to how a single airman could have removed so many documents without being detected, why there were not safety checks in place and how the documents could have lingered online undetected for months.
“How could this guardsman take this information and distribute it electronically for weeks, if not months, and nobody knew about it?” Democratic Sen. Jon Tester of Montana asked the Air Force leaders testifying before a Senate defense appropriations subcommittee.
Tomi Engdahl says:
UK Warns of Russian Hackers Targeting Critical Infrastructure
https://www.securityweek.com/uk-warns-of-russian-hackers-targeting-critical-infrastructure/
The UK government’s information security arm warns of Russian state-aligned groups aiming to disrupt and destroy critical infrastructure in Western countries.
The UK government’s intelligence and security arm this week issued an alert on Russian state-aligned threat actors aiming to conduct disruptive and destructive attacks against critical infrastructure in Western countries.
To date, says the National Cyber Security Centre (NCSC), the information security arm of the UK’s Government Communications Headquarters (GCHQ), these threat groups have focused on distributed denial-of-service (DDoS) attacks, defacements, and misinformation attacks.
“Some have stated a desire to achieve a more disruptive and destructive impact against western critical national infrastructure (CNI), including in the UK,” the NCSC warns.
The agency believes that these groups will focus on identifying poorly protected critical infrastructure systems, to cause disruptions.
Heightened threat of state-aligned groups against western critical national infrastructure
https://www.ncsc.gov.uk/news/heightened-threat-of-state-aligned-groups
This alert highlights the emerging risk posed by state-aligned adversaries following the Russian invasion of Ukraine.
Tomi Engdahl says:
An alarming number of cyberattacks – Supo and Traficom on alert
https://www.iltalehti.fi/kotimaa/a/7bbd92a7-0e9b-4714-aaab-872c16c832c2
Finnish organizations are increasingly being targeted by cyberattacks.
Tomi Engdahl says:
Britain warned that Russia intends to launch destructive and disruptive attacks on critical infrastructure – here is how Supo responds https://www.is.fi/digitoday/art-2000009535453.html
Tomi Engdahl says:
https://futurism.com/the-byte/tesla-lawsuit-cameras
Tomi Engdahl says:
https://thehackernews.com/2023/04/pakistani-hackers-use-linux-malware.html
Tomi Engdahl says:
https://www.popsci.com/smartphone-leave-no-traces/
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/hackers-abuse-google-command-and-control-red-team-tool-in-attacks/
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/microsoft/microsoft-windows-laps-is-incompatible-with-legacy-policies/
Tomi Engdahl says:
https://www.neowin.net/news/new-windows-laps-is-now-a-built-in-feature-available-via-latest-patch-tuesday/
Tomi Engdahl says:
Cisco and VMware Release Security Updates to Patch Critical Flaws in their Products https://thehackernews.com/2023/04/cisco-and-vmware-release-security.html
Cisco and VMware have released security updates to address critical security flaws in their products that could be exploited by malicious actors to execute arbitrary code on affected systems. The most severe of the vulnerabilities is a command injection flaw in Cisco Industrial Network Director (CVE-2023-20036, CVSS score: 9.9), which resides in the web UI component and arises as a result of improper input validation when uploading a Device Pack. “A successful exploit could allow the attacker to execute arbitrary commands as NT AUTHORITY\SYSTEM on the underlying operating system of an affected device,” Cisco said in an advisory released on April 19, 2023
Tomi Engdahl says:
Supo and Traficom assessment: the cyber security threat level has remained elevated and the number of targeted attacks in Finland has risen
https://yle.fi/a/74-20028240
According to the Finnish Security and Intelligence Service (Supo) and Traficom, Finnish organizations are the subject of constantly growing interest and the nature of cyberattacks has changed. In particular, the number of targeted cyberattacks, in which the target organization is carefully chosen, has grown. Despite the growth in the number of incidents, Traficom and Supo consider a cyberattack that would paralyze society unlikely.
Tomi Engdahl says:
QBot changes tactic, remains a menace to business networks https://www.malwarebytes.com/blog/news/2023/04/qbot-changes-tactic-remains-a-menace-to-business-networks
QBot, an infostealer-turned-dropper that aids criminal gangs in their malicious campaigns, is now being distributed as part of a phishing campaign using PDFs and Windows Script Files (WSF), according to recent discoveries by malware hunter Proxylife (@pr0xylife) and the Cryptolaemus group (@Cryptolaemus1). The last time QBot (aka QakBot) had its modus operandi changed was in November. Campaign operators adopted tactics from Magniber's playbook to successfully exploit a Mark of the Web (MotW) zero-day flaw to run a JavaScript (JS) that executed QBot. The attack starts with a reply-chain phishing email, when threat actors reply to a chain of emails with a malicious link or attachment.
BleepingComputer has noted that these phishing emails use a variety of languages. This means the language barrier is absent in such an attack, so any business from any part of the world could be affected
Tomi Engdahl says:
3CX Breach Was a Double Supply Chain Compromise https://krebsonsecurity.com/2023/04/3cx-breach-was-a-double-supply-chain-compromise/
We learned some remarkable new details this week about the recent supply-chain attack on VoIP software provider 3CX. The lengthy, complex intrusion has all the makings of a cyberpunk spy novel: North Korean hackers using legions of fake executive accounts on LinkedIn to lure people into opening malware disguised as a job offer; malware targeting Mac and Linux users working at defense and cryptocurrency firms; and software supply-chain attacks nested within earlier supply chain attacks. 3CX hired incident response firm Mandiant, which released a report on Wednesday that said the compromise began in 2022 when a 3CX employee installed a malware-laced software package distributed via an earlier software supply chain compromise that began with a tampered installer for X_TRADER, a software package provided by Trading Technologies. This is the first time Mandiant has seen a software supply chain attack lead to another software supply chain attack, reads the April 20 Mandiant report
Tomi Engdahl says:
University websites using MediaWiki, TWiki hacked to serve Fortnite spam https://www.bleepingcomputer.com/news/security/university-websites-using-mediawiki-twiki-hacked-to-serve-fortnite-spam/
Websites of multiple U.S. universities are serving Fortnite and ‘gift card’ spam. Researchers observed that wiki and documentation pages hosted by universities including Stanford, MIT, Berkeley, UMass Amherst, Northeastern and Caltech, among others, were compromised.
BleepingComputer confirmed the malicious campaign was live, and had targeted additional scholastic websites including that of the University of Michigan
Tomi Engdahl says:
GhostToken Flaw Could Let Attackers Hide Malicious Apps in Google Cloud Platform https://thehackernews.com/2023/04/ghosttoken-flaw-could-let-attackers.html
Cybersecurity researchers have disclosed details of a now-patched zero-day flaw in Google Cloud Platform (GCP) that could have enabled threat actors to conceal an unremovable, malicious application inside a victim’s Google account. Dubbed GhostToken by Israeli cybersecurity startup Astrix Security, the shortcoming impacts all Google accounts, including enterprise-focused Workspace accounts. It was discovered and reported to Google on June 19, 2022. The company deployed a global-patch more than nine months later on April 7, 2023. “The vulnerability [...] allows attackers to gain permanent and unremovable access to a victim’s Google account by converting an already authorized third-party application into a malicious trojan app, leaving the victim’s personal data exposed forever,” Astrix said in a report
Tomi Engdahl says:
Critical infrastructure also hit by supply chain attack behind 3CX breach https://www.bleepingcomputer.com/news/security/critical-infrastructure-also-hit-by-supply-chain-attack-behind-3cx-breach/
The X_Trader software supply chain attack that led to last month’s 3CX breach has also impacted at least several critical infrastructure organizations in the United States and Europe, according to Symantec’s Threat Hunter Team. “Initial investigation by Symantec’s Threat Hunter Team has, to date, found that among the victims are two critical infrastructure organizations in the energy sector, one in the U.S. and the other in Europe,” the company said in a report published today.
“In addition to this, two other organizations involved in financial trading were also breached.”
Tomi Engdahl says:
EvilExtractor malware activity spikes in Europe and the U.S.
https://www.bleepingcomputer.com/news/security/evilextractor-malware-activity-spikes-in-europe-and-the-us/
Researchers are seeing a rise in attacks spreading the EvilExtractor data theft tool, used to steal users’ sensitive data in Europe and the U.S. EvilExtractor is sold by a company named Kodex for $59/month, featuring seven attack modules, including ransomware, credential extraction, and Windows Defender bypassing. While marketed as a legitimate tool, BleepingComputer was told that EvilExtractor is primarily promoted to threat actors on hacking forums. “Recorded Future first observed Evil Extractor being sold on the Cracked and Nulled forums in October of 2022,” Allan Liska, a threat intelligence analyst at Recorded Future, told BleepingComputer.
Tomi Engdahl says:
VMware patches break-and-enter hole in logging tools: update now!
https://nakedsecurity.sophos.com/2023/04/21/vmware-patches-break-and-enter-hole-in-logging-tools-update-now/
Logging software has made cyberinsecurity headlines many times before, notably in the case of the Apache Log4J bug known as Log4Shell that ruined Christmas for many sysadmins at the end of 2021. This time round, the logging-related bug we're warning you about is CVE-2023-20864, a security hole in VMware's Aria Operations for Logs product (AOfL, which used to be known as vRealize Log Insight). The bad news is that VMware has given this bug a CVSS security danger score of 9.8/10, presumably because the flaw can be abused for what's known as remote code execution (RCE), even by network users who haven't yet logged into (or who don't have an account on) the AOfL system.
Tomi Engdahl says:
Google ads push BumbleBee malware used by ransomware gangs https://www.bleepingcomputer.com/news/security/google-ads-push-bumblebee-malware-used-by-ransomware-gangs/
The enterprise-targeting Bumblebee malware is distributed through Google Ads and SEO poisoning that promote popular software like Zoom, Cisco AnyConnect, ChatGPT, and Citrix Workspace. Bumblebee is a malware loader discovered in April 2022, thought to have been developed by the Conti team as a replacement for the BazarLoader backdoor, used for gaining initial access to networks and conducting ransomware attacks. In September 2022, a new version of the malware loader was observed in the wild, featuring a stealthier attack chain that used the PowerSploit framework for reflective DLL injection into memory
Tomi Engdahl says:
Hackers can breach networks using data on resold corporate routers https://www.bleepingcomputer.com/news/security/hackers-can-breach-networks-using-data-on-resold-corporate-routers/
Enterprise-level network equipment on the secondary market hides sensitive data that hackers could use to breach corporate environments or to obtain customer information. Looking at several used corporate-grade routers, researchers found that most of them had been improperly wiped during the decommissioning process and then sold online.
Tomi Engdahl says:
Decoy Dog malware toolkit found after analyzing 70 billion DNS queries https://www.bleepingcomputer.com/news/security/decoy-dog-malware-toolkit-found-after-analyzing-70-billion-dns-queries/
A new enterprise-targeting malware toolkit called Decoy Dog has been discovered after inspecting anomalous DNS traffic that is distinctive from regular internet activity. Decoy Dog helps threat actors evade standard detection methods through strategic domain aging and DNS query dribbling, aiming to establish a good reputation with security vendors before switching to facilitating cybercrime operations
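The "DNS query dribbling" pattern mentioned above (a host querying a rarely seen domain at a steady, sparse interval) is something a defender can look for in resolver logs. The script below is an added example written for this post; it is not code from the Decoy Dog research or from BleepingComputer. The log format, hostnames, IP addresses and thresholds are all constructed for illustration, and the domain-collapsing helper is a simplification (a real tool would use the public suffix list).

```python
"""
Added example: flag low-and-slow DNS beaconing from a constructed resolver log.
A (client, domain) pair is reported when the domain is rare across clients,
the client queried it several times, and the gaps between queries are regular.
Log lines, names, addresses and thresholds are constructed, not real data.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "<ISO timestamp> <client IP> <queried name>"
SAMPLE_LOG = """\
2023-04-20T08:00:00 10.0.0.5 www.example.com
2023-04-20T08:00:03 10.0.0.5 cdn.example.net
2023-04-20T08:00:10 10.0.0.7 aaa.rare-tunnel.invalid
2023-04-20T08:05:10 10.0.0.7 bbb.rare-tunnel.invalid
2023-04-20T08:10:11 10.0.0.7 ccc.rare-tunnel.invalid
2023-04-20T08:15:10 10.0.0.7 ddd.rare-tunnel.invalid
2023-04-20T08:20:09 10.0.0.7 eee.rare-tunnel.invalid
2023-04-20T08:00:20 10.0.0.5 www.example.com
2023-04-20T08:01:45 10.0.0.5 mail.example.com
2023-04-20T08:07:02 10.0.0.5 www.example.com
"""


def registrable_domain(name):
    """Collapse a hostname to its last two labels (simplification: no public suffix list)."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_log(text):
    """Parse the constructed log format into (timestamp, client, name) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, name = line.split()
        records.append((datetime.fromisoformat(ts), client, name))
    return records


def find_beacons(records, min_queries=4, max_cv=0.2, rare_clients=1):
    """Return {(client, domain): interval_seconds} for pairs where
    - the domain is queried by at most `rare_clients` distinct hosts,
    - the client queried it at least `min_queries` times, and
    - the inter-query gaps are regular (coefficient of variation <= max_cv).
    """
    by_pair = defaultdict(list)
    clients_per_domain = defaultdict(set)
    for ts, client, name in records:
        dom = registrable_domain(name)
        by_pair[(client, dom)].append(ts)
        clients_per_domain[dom].add(client)

    hits = {}
    for (client, dom), stamps in by_pair.items():
        if len(clients_per_domain[dom]) > rare_clients or len(stamps) < min_queries:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Regular timing (low spread relative to the mean) is the beacon signature.
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits[(client, dom)] = round(avg)
    return hits


if __name__ == "__main__":
    for (client, dom), interval in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"possible beacon: {client} -> {dom} every ~{interval}s")
```

On the constructed log, only the 10.0.0.7 traffic to rare-tunnel.invalid (five queries about 300 seconds apart) is reported; the 10.0.0.5 queries to example.com are just as rare across clients but irregularly spaced, so the coefficient-of-variation check drops them. Thresholds would need tuning per environment, and a real deployment would also discount domains with established age and reputation, which is exactly what the "domain aging" tactic tries to exploit.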
Tomi Engdahl says:
Kubernetes RBAC Exploited in Large-Scale Campaign for Cryptocurrency Mining https://thehackernews.com/2023/04/kubernetes-rbac-exploited-in-large.html
A large-scale attack campaign discovered in the wild has been exploiting Kubernetes (K8s) Role-Based Access Control (RBAC) to create backdoors and run cryptocurrency miners. “The attackers also deployed DaemonSets to take over and hijack resources of the K8s clusters they attack,” cloud security firm Aqua said in a report shared with The Hacker News. The Israeli company, which dubbed the attack RBAC Buster, said it found 60 exposed K8s clusters that have been exploited by the threat actor behind this campaign
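Since the campaign above abuses RBAC and creates DaemonSets, one useful defensive check is to audit ClusterRoleBindings for subjects that should never hold such rights. The script below is an added example written for this post, not code from Aqua's report or The Hacker News article; the ClusterRole and ClusterRoleBinding objects are constructed in the shape the Kubernetes API returns them, and the role and binding names are made up.

```python
"""
Added example: audit constructed Kubernetes ClusterRole/ClusterRoleBinding
objects for anonymous or unauthenticated subjects with wildcard permissions
or the right to create DaemonSets. Object names and rules are constructed.
"""

# Built-in Kubernetes identities that should not be bound to write-capable roles.
ANON_SUBJECTS = {"system:anonymous", "system:unauthenticated"}

# Constructed objects, shaped like `kubectl get clusterroles,clusterrolebindings -o json` output.
CLUSTER_ROLES = [
    {"metadata": {"name": "view-only"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
    {"metadata": {"name": "kube-controller"},
     "rules": [{"apiGroups": ["apps"], "resources": ["daemonsets"], "verbs": ["create", "update"]}]},
    {"metadata": {"name": "god-mode"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
]
CLUSTER_ROLE_BINDINGS = [
    {"metadata": {"name": "viewers"},
     "roleRef": {"kind": "ClusterRole", "name": "view-only"},
     "subjects": [{"kind": "Group", "name": "system:unauthenticated"}]},
    {"metadata": {"name": "legacy-binding"},
     "roleRef": {"kind": "ClusterRole", "name": "kube-controller"},
     "subjects": [{"kind": "User", "name": "system:anonymous"}]},
    {"metadata": {"name": "admins"},
     "roleRef": {"kind": "ClusterRole", "name": "god-mode"},
     "subjects": [{"kind": "Group", "name": "cluster-admins"}]},
]


def rule_allows(rule, api_group, resource, verb):
    """True if one RBAC rule grants `verb` on `resource` in `api_group`; '*' matches anything."""
    groups = rule.get("apiGroups", [])
    resources = rule.get("resources", [])
    verbs = rule.get("verbs", [])
    return ((api_group in groups or "*" in groups)
            and (resource in resources or "*" in resources)
            and (verb in verbs or "*" in verbs))


def audit_rbac(roles, bindings):
    """Return (binding name, finding, subjects) tuples for risky bindings."""
    roles_by_name = {r["metadata"]["name"]: r for r in roles}
    findings = []
    for b in bindings:
        role = roles_by_name.get(b["roleRef"]["name"])
        if role is None:
            continue  # dangling roleRef grants nothing
        rules = role.get("rules", [])
        wildcard = any(rule_allows(r, "*", "*", "*") for r in rules)
        can_daemonset = any(rule_allows(r, "apps", "daemonsets", "create") for r in rules)
        subjects = [s["name"] for s in b.get("subjects", [])]
        anon = [s for s in subjects if s in ANON_SUBJECTS]
        if wildcard:
            findings.append((b["metadata"]["name"], "wildcard-permissions", subjects))
        if anon and can_daemonset:
            findings.append((b["metadata"]["name"], "anonymous-can-create-daemonsets", anon))
        elif anon:
            findings.append((b["metadata"]["name"], "anonymous-subject", anon))
    return findings


if __name__ == "__main__":
    for name, finding, subjects in audit_rbac(CLUSTER_ROLES, CLUSTER_ROLE_BINDINGS):
        print(f"{name}: {finding} ({', '.join(subjects)})")
```

On the constructed input the audit reports three findings: the unauthenticated group bound to a read-only role, the anonymous user bound to a role that can create DaemonSets (the combination the campaign above relies on), and a wildcard role bound to a named group. A real run would feed it the live objects from the API server and extend the checks to namespaced Roles and RoleBindings.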
Tomi Engdahl says:
Sergiu Gatlan / BleepingComputer:
GitHub’s private vulnerability reporting, which lets researchers confidentially disclose flaws to open-source project maintainers, hits general availability
GitHub now allows enabling private vulnerability reporting at scale
https://www.bleepingcomputer.com/news/security/github-now-allows-enabling-private-vulnerability-reporting-at-scale/
GitHub announced that private vulnerability reporting is now generally available and can be enabled at scale, on all repositories belonging to an organization.
Once toggled on, security researchers can use this dedicated communications channel to privately disclose security issues to an open-source project’s maintainers without accidentally leaking vulnerability details.
This is “a private collaboration channel that makes it easier for researchers and maintainers to report and fix vulnerabilities on public repositories,” GitHub’s Eric Tooley and Kate Catlin said.
Tomi Engdahl says:
Andy Greenberg / Wired:
Hacker group naming schemes, such as Microsoft’s new system, are counterproductive for cybersecurity analysis; a government body should set a naming convention — Pumpkin Sandstorm. Spandex Tempest. Charming Kitten. Is this really how we want to name the hackers wreaking havoc worldwide?
Hacker Group Names Are Now Absurdly Out of Control
Pumpkin Sandstorm. Spandex Tempest. Charming Kitten. Is this really how we want to name the hackers wreaking havoc worldwide?
https://www.wired.com/story/hacker-naming-schemes-spandex-tempest/
Hackers—particularly state-sponsored ones focused on espionage and cyberwar, and organized cybercriminals exploiting networks worldwide for profit—are not pets. They wreck businesses, sow chaos, disrupt critical infrastructure, support some of the world’s most harmful militaries and dictatorships, and help those governments spy on and oppress innocent people worldwide.
So why, when I write about these organized hacker groups as a cybersecurity reporter, do I find myself referring to them with cute pet names like Fancy Bear, Refined Kitten, and Sea Turtle?
Tomi Engdahl says:
https://www.securityweek.com/cascading-supply-chain-attack-3cx-hacked-after-employee-downloaded-trojanized-app/
Tomi Engdahl says:
Abandoned WordPress Plugin Abused for Backdoor Deployment
https://www.securityweek.com/abandoned-wordpress-plugin-abused-for-backdoor-deployment/
Attackers are installing the abandoned Eval PHP plugin on compromised WordPress sites to inject PHP code into web pages.
Threat actors are installing the abandoned Eval PHP plugin on compromised WordPress sites and using it to inject malicious PHP code into web pages, WordPress security company Sucuri warns.
An old plugin that has not been updated for over a decade, Eval PHP allows for the injection of PHP code into pages and posts. The code is executed whenever the injected page or post is opened in a browser.
Despite its age, the Eval PHP plugin continues to be available through the WordPress repository, and its use has spiked starting at the end of March 2023, jumping from roughly 40 installations to more than 100,000 within weeks, Sucuri reports.
Tomi Engdahl says:
North Korean 3CX Hackers Also Hit Critical Infrastructure Orgs: Symantec
https://www.securityweek.com/symantec-north-korean-3cx-hackers-also-hit-critical-infrastructure-orgs/
The North Korean hacking group behind the supply chain attack that hit 3CX also broke into two critical infrastructure organizations in the energy sector.
Tomi Engdahl says:
Capita Confirms Data Breach After Ransomware Group Offers to Sell Stolen Information
https://www.securityweek.com/capita-confirms-data-breach-after-ransomware-group-offers-to-sell-stolen-information/
Capita finally confirmed that hackers stole data after the Black Basta ransomware group offered to sell information allegedly stolen from the company.
Tomi Engdahl says:
This Week In Security: Spandex Tempest, Supply Chain Chain, And NTP
https://hackaday.com/2023/04/21/this-week-in-security-spandex-tempest-supply-chain-chain-and-ntp/
NTP Vulnerabilities
A quintet of vulnerabilities were identified in libntp, with the initial diagnosis that this out-of-bounds write could lead to Remote Code Execution. Further analysis has led developers to conclude that this is really two vulnerabilities, and that NTPD itself is only vulnerable if configured to talk to a very specific local GPS receiver. The other remaining vulnerability applies to ntpq, and that one would require querying a malicious NTP server to trigger the vulnerable code. So while an NTP vulnerability is unnerving, these appear to be quite minor issues, unlikely to cause serious issues.
ntpd is not vulnerable #1
https://github.com/spwpun/ntp-4.2.8p15-cves/issues/1
The first four of these CVEs affect a function in libntp that is only used by ntpq, but not by ntpd.
The last CVE affects the driver for a hardware clock (GPS receiver), so ntpd might be vulnerable to manipulated devices of that type, but not to remote attacks.
I meanwhile did a more in-depth analysis of refclock_palisade.c. It confirmed my former assumption that praecis_parse() only ever gets to see data that was received via a TTY from a certain GPS receiver, and only if such a GPS receiver is configured in ntp.conf, but it never gets called with data that was received over the network.
Indeed the palisade driver is for a specific (old) GPS device, and in fact the driver is only used at all if a palisade GPS receiver has explicitly been configured in ntp.conf. I doubt that this type of GPS receiver is widely used today.
The palisade driver actually supports eight different GPS receiver models or protocols, but only one of them (Praecis) is affected by the bug. And even if it were used more widely, an exploit would require a manipulated GPS receiver that sends overlong lines to the driver. This means physical access or a compromised host would be needed.
hstenn commented Apr 13, 2023
I’m the NTP Project’s PM, and we never saw your reports.
To summarize, the first 4 do not affect ntpd and would seem to require the attacker to make malicious changes to an ntpd instance that would then send bogus data to a client ntpq process.
For completeness, there are five lines in the source code where the overflow can occur. The one that doesn’t have a CVE assigned corresponds to the “If we have more than three digits copy the excess over” line.
https://github.com/spwpun/ntp-4.2.8p15-cves
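The bug class discussed in the issue thread above, as an added, hypothetical illustration that is not NTP's refclock_palisade.c: a refclock driver parses a time-of-day line received from a GPS receiver over a serial TTY, and the fraction field is defined as at most three digits. Copying the "excess" digits of a longer field into a fixed three-byte buffer without a length check is the overflow pattern; the parser below, with a constructed "HH:MM:SS.fff" line format, refuses overlong fields instead of copying them.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical illustration, NOT NTP's refclock_palisade.c. The constructed
 * line format is "HH:MM:SS.fff" with at most FRAC_MAX fraction digits. */
#define FRAC_MAX 3

struct gps_tod { int hh, mm, ss; int frac_ms; };

/* Parse one or more digits, at most 'max', into *val.
 * Returns the number of digits consumed, or -1 on an empty or overlong run. */
static int parse_digits(const char *p, int max, int *val) {
    int n = 0, v = 0;
    while (p[n] >= '0' && p[n] <= '9') {
        if (n == max) return -1;   /* excess digits: reject, do not "copy over" */
        v = v * 10 + (p[n] - '0');
        n++;
    }
    if (n == 0) return -1;
    *val = v;
    return n;
}

/* Parse a constructed "HH:MM:SS.fff" line from the (untrusted) serial device.
 * Returns 0 on success, -1 if the line is malformed, so a manipulated device
 * cannot drive the driver past the end of its fixed-size fields. */
int parse_gps_tod(const char *line, struct gps_tod *out) {
    int n;
    const char *p = line;
    if ((n = parse_digits(p, 2, &out->hh)) < 0 || p[n] != ':') return -1;
    p += n + 1;
    if ((n = parse_digits(p, 2, &out->mm)) < 0 || p[n] != ':') return -1;
    p += n + 1;
    if ((n = parse_digits(p, 2, &out->ss)) < 0 || p[n] != '.') return -1;
    p += n + 1;
    if ((n = parse_digits(p, FRAC_MAX, &out->frac_ms)) < 0) return -1;
    p += n;
    /* A shorter fraction is scaled up to milliseconds. */
    for (int i = n; i < FRAC_MAX; i++) out->frac_ms *= 10;
    /* Only a line terminator may follow the fraction field. */
    if (*p != '\0' && *p != '\r' && *p != '\n') return -1;
    if (out->hh > 23 || out->mm > 59 || out->ss > 60) return -1;  /* 60: leap second */
    return 0;
}
```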
Tomi Engdahl says:
https://www.securityweek.com/microsoft-patches-another-already-exploited-windows-zero-day/
Tomi Engdahl says:
Microsoft: Iranian Gov Hackers Caught in Azure Wiper Attacks
Microsoft catches an Iranian government-backed APT launching destructive Azure wiper attacks disguised as ransomware.
https://www.securityweek.com/microsoft-iranian-gov-hackers-caught-in-azure-wiper-attacks/