This posting is here to collect cyber security news in April 2023.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
352 Comments
Tomi Engdahl says:
Apache Superset Vulnerability: Insecure Default Configuration Exposes Servers to RCE Attacks
https://thehackernews.com/2023/04/apache-superset-vulnerability-insecure.html
The maintainers of the Apache Superset open source data visualization software have released fixes to plug an insecure default configuration that could lead to remote code execution.
The vulnerability, tracked as CVE-2023-27524 (CVSS score: 8.9), impacts versions up to and including 2.0.1 and relates to the use of a default SECRET_KEY that could be abused by attackers to authenticate and access unauthorized resources on internet-exposed installations.
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/microsoft/microsoft-removes-lsa-protection-from-windows-settings-to-fix-bug/
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/vmware-fixes-critical-zero-day-exploit-chain-used-at-pwn2own/
Tomi Engdahl says:
https://www.theverge.com/2023/4/25/23697532/microsoft-edge-browser-url-leak-bing-privacy
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/tp-link-archer-wifi-router-flaw-exploited-by-mirai-malware/
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-update-causes-windows-hardware-stack-protection-mess/
Tomi Engdahl says:
https://mobiili.fi/2023/04/24/google-authenticator-sai-kenties-historiansa-merkittavimman-paivityksen-tunnistautumistiedot-voi-jatkossa-synkronoida-google-tilille/
Tomi Engdahl says:
Terrifying study shows how fast AI can crack your passwords; here’s how to protect yourself
https://9to5mac.com/2023/04/07/ai-cracks-passwords-this-fast-how-to-protect/
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/wifi-protocol-flaw-allows-attackers-to-hijack-network-traffic/
Tomi Engdahl says:
https://blog.dataparty.xyz/blog/wtf-is-a-kdf/
Tomi Engdahl says:
Microsoft issues PowerShell scripts for multiple Windows 11, Windows 10 security flaws
https://www.neowin.net/news/microsoft-issues-powershell-scripts-for-multiple-windows-11-windows-10-security-flaws/
Tomi Engdahl says:
https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/
Tomi Engdahl says:
https://dev.to/aws-builders/secure-your-media-files-by-removing-metadata-with-aws-lambda-1hkp
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/ghosttoken-gcp-flaw-let-attackers-backdoor-google-accounts/
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/ransomware-gangs-abuse-process-explorer-driver-to-kill-security-software/
Tomi Engdahl says:
https://www.enfo.fi/blogi/identiteetin-ja-paasynhallinta-zero-trustin-peruskivi-molemmissa-tarvitaan-jatkuvaa
Tomi Engdahl says:
“The FBI Called Me”: Meet Aric Toler, the Bellingcat Sleuth Who Helped The New York Times Find Suspected Pentagon Leaker Jack Teixeira
https://www.vanityfair.com/news/2023/04/leaked-documents-nyt
The Times publicly identified the man believed to have leaked intelligence documents before law enforcement did. Toler helped the paper’s Visual Investigations team—and dodged a meeting with the FBI. “They’re probably listening to me right now,” he said.
Tomi Engdahl says:
A better link to the story written by the investigator himself:
https://www.bellingcat.com/news/2023/04/09/from-discord-to-4chan-the-improbable-journey-of-a-us-defence-leak/
Tomi Engdahl says:
https://www.nytimes.com/2023/04/21/us/politics/jack-teixeira-leaks-russia-ukraine.html?unlocked_article_code=OUxX6P34fGSv69j_xvQqDsC1eFk7jCljHInKU8MosUiKPIJjJT9oZNFcf_27UtVEZGvIegtWYdr23MYQJiupFno-LL8fh4Oe1rr0AjFI6O5Yxev6baiSRAl1pXefB0Zw740dDWtZ0N9SOMwH_p3X7QzBVuNl2rZlSc6w7odQ_X-Rc9f02r5xlYlj-B2YFWQU8iqtozTj-yMgq0TLqKtkOKvmd63TA0wVhtUMNtX7mezFqI60TI3U4D0svHWLqpvej7y5FJd4167f4R7WHzPpCN6tDF4N5hiQDWOffnhg2P8ndYDJ0CV3Ev5OMIzx0Tem-bVRsIn-SQIGwXvcNVwKEL8cmzzoHUsjB-Gr7a7uZMIG&smid=nytcore-ios-share&referringSource=articleShare
Tomi Engdahl says:
FBI warns against using public phone charging stations
https://www.cnbc.com/amp/2023/04/10/fbi-says-you-shouldnt-use-public-phone-charging-stations.html
The FBI is warning consumers about “juice jacking,” where bad actors use public chargers to infect phones and devices with malware.
The law enforcement agency says consumers should avoid using public chargers at malls and airports, and stick to their own USB cables and charging plugs.
The FBI recently warned consumers against using free public charging stations, saying crooks have managed to hijack public chargers that can infect devices with malware, or software that can give hackers access to your phone, tablet or computer.
“Avoid using free charging stations in airports, hotels or shopping centers,” a tweet from the FBI’s Denver field office said. “Bad actors have figured out ways to use public USB ports to introduce malware and monitoring software onto devices. Carry your own charger and USB cord and use an electrical outlet instead.”
The FBI offers similar guidance on its website to avoid public chargers. The bulletin didn’t point to any recent instances of consumer harm from juice jacking. The FBI’s Denver field office said the message was meant as an advisory, and that there was no specific case that prompted it.
The Federal Communications Commission has also warned about “juice jacking,” as the malware loading scheme is known, since 2021.
https://www.fbi.gov/how-we-can-help-you/safety-resources/scams-and-safety/on-the-internet
Tomi Engdahl says:
https://www.autoblog.com/2023/04/10/vehicle-headlight-can-bus-injection-theft-method/
Someone has developed a tool (disguised as a JBL Bluetooth speaker and sold on the dark web) that when wired into a vehicle’s control CAN bus, can impersonate the vehicle’s key fob. The vehicle used as an example is a current-generation Toyota RAV4, but it’s vital to note that this vulnerability is not specific to any particular OEM or model — this is an industry-wide problem at the moment.
Details..
Tomi Engdahl says:
Microsoft Edge is leaking the sites you visit to Bing https://www.theverge.com/2023/4/25/23697532/microsoft-edge-browser-url-leak-bing-privacy
Microsoft's Edge browser appears to be sending URLs you visit to its Bing API website. Reddit users first spotted the privacy issues with Edge last week, noticing that the latest version of Microsoft Edge sends a request to bingapis.com with the full URL of nearly every page you navigate to. Microsoft tells The Verge it's investigating the reports. Searching for references to this URL gives very few results, no documentation on this feature at all, said hackermchackface, the Reddit user who first discovered the issue. While Reddit users weren't able to uncover why Microsoft Edge is sending the URLs you visit to its Bing API site, we asked Rafael Rivera, a software engineer and one of the developers behind EarTrumpet, to investigate, and he discovered it's part of a poorly implemented new feature in Edge. Microsoft Edge now has a creator follow feature that is enabled by default, says Rivera in a conversation with The Verge. It appears the intent was to notify Bing when you're on certain pages, such as YouTube, The Verge, and Reddit. But it doesn't appear to be working correctly, instead sending nearly every domain you visit to Bing.
Tomi Engdahl says:
Microsoft: Clop and LockBit ransomware behind PaperCut server hacks https://www.bleepingcomputer.com/news/security/microsoft-clop-and-lockbit-ransomware-behind-papercut-server-hacks/
Microsoft has attributed recent attacks on PaperCut servers to the Clop and LockBit ransomware operations, which used the vulnerabilities to steal corporate data. On April 19th, PaperCut disclosed that these flaws were actively exploited in the wild, urging admins to upgrade their servers to the latest version. A PoC exploit for the RCE flaw was released a few days later, allowing further threat actors to breach the servers using these exploits
Tomi Engdahl says:
Israel’s Prime Minister has his Facebook account hijacked, website knocked offline https://www.bitdefender.com/blog/hotforsecurity/israels-prime-minister-has-his-facebook-account-hijacked-website-knocked-offline/
Yesterday was the official Independence Day of Israel, and the event was “celebrated” in typical style by malicious hackers. In other words, the Facebook account of Israel’s Prime Minister was hijacked (albeit briefly) by unauthorised parties who managed to update it with a video of prayers at a mosque, accompanied by Arabic verses from the Quran. At the same time, the official personal website of PM Benjamin Netanyahu was also briefly knocked offline, seemingly by a distributed denial-of-service (DDoS) attack
Tomi Engdahl says:
New Atomic macOS info-stealing malware targets 50 crypto wallets https://www.bleepingcomputer.com/news/security/new-atomic-macos-info-stealing-malware-targets-50-crypto-wallets/
A new macOS information-stealing malware named ‘Atomic’ (aka ‘AMOS’) is being sold to cybercriminals via private Telegram channels for a subscription of $1,000 per month. For this hefty price, buyers get a DMG file containing a 64-bit Go-based malware designed to target macOS systems and steal keychain passwords, files from the local filesystem, passwords, cookies, and credit cards stored in browsers. The malware also attempts to steal data from over 50 cryptocurrency extensions, which have become a popular target for information-stealing malware.
For the price, cybercriminals also get a ready-to-use web panel for easy victim management, a MetaMask brute-forcer, a cryptocurrency checker, a dmg installer, and the ability to receive stolen logs on Telegram
Tomi Engdahl says:
Fake Flipper Zero sellers are after your money https://www.malwarebytes.com/blog/news/2023/04/fake-flipper-zero-sellers-are-after-your-money
Flipper Zero, a “multi-tool device for hackers”, is frequently out of stock due to its popularity in hardware circles. Flipper Zero combines research and penetration hardware tools into a single unit. It can be used straight out of the box, but it’s also open-source and customizable, so users can extend its functionality however they like.
A steady stream of influencers promoting the product only makes the device ever more desirable, and the lack of availability makes it a big draw for fraudsters looking to turn a quick profit. Sites claiming to sell Flipper Zero have previously been spotted on both Instagram and Twitter. Our researchers have recently found several bogus sites that claim to sell Flipper Zero. We’re going to walk you through one
Tomi Engdahl says:
https://www.securityweek.com/fin7-hackers-caught-exploiting-recent-veeam-vulnerability/
Tomi Engdahl says:
https://www.securityweek.com/aadya-raises-5-million-for-smb-focused-security-platform/
Tomi Engdahl says:
Chinese Cyberspies Delivered Malware via Legitimate Software Updates
https://www.securityweek.com/chinese-cyberspies-delivered-malware-via-legitimate-software-updates/
Chinese APT Evasive Panda has been observed targeting local members of an international NGO with the MgBot backdoor, delivered via legitimate software updates.
A Chinese APT actor tracked as Evasive Panda has been observed targeting in-country members of an international non-governmental organization (NGO) with the MgBot backdoor, and the malware was likely delivered through the legitimate update channels of popular Chinese software, cybersecurity firm ESET reports.
Active since at least 2012 and also referred to as Bronze Highland and Daggerfly, Evasive Panda is a cyberespionage group historically targeting individuals and government entities in mainland China, India, Hong Kong, Macao, Malaysia, Myanmar, the Philippines, Nigeria, Taiwan, and Vietnam.
For roughly a decade, the APT has been relying on a custom, modular malware framework that includes the MgBot backdoor to spy on victims.
While investigating a MgBot backdoor attack observed in January 2022, ESET discovered a broader malicious campaign that started in 2020 and continued throughout 2021, and which targeted individuals in China’s Gansu, Guangdong, and Jiangsu provinces.
Tomi Engdahl says:
Google Obtains Court Order to Disrupt CryptBot Distribution
https://www.securityweek.com/google-obtains-court-order-to-disrupt-cryptbot-distribution/
Court grants Google a temporary restraining order to disrupt CryptBot information stealer’s distribution
Google this week announced that it has obtained a court order that helped it disrupt the CryptBot information stealer’s distribution.
Initially designed to harvest and exfiltrate sensitive information such as credentials, cryptocurrency wallets, and more, CryptBot was also seen distributing banking trojans.
Over the past year alone, the malware infected roughly 670,000 computers, Google estimates.
The malware has been distributed via modified versions of legitimate software, including Google Earth Pro and Chrome, with recent CryptBot versions focusing heavily on the users of the Chrome browser.
According to Google, its investigation into the malware has identified several major CryptBot distributors based in Pakistan, which operate a global criminal enterprise.
To disrupt the operation, Google filed a legal complaint in the Southern District of New York, and a judge has granted the internet giant a temporary restraining order to act against the identified distributors.
“We’re targeting the distributors who are paid to spread malware broadly for users to download and install, which subsequently infects machines and steals user data. […] The legal complaint is based on a variety of claims, including computer fraud and abuse and trademark infringement,” Google says.
Tomi Engdahl says:
Beware of this kind of call! A nasty scam method has returned
A scam call that has been circulating for years is becoming common again in Finland. The scammer often claims to be calling from Microsoft or Amazon.
https://www.iltalehti.fi/digiuutiset/a/2e4a9ada-a768-4978-8c94-a45b3a3ed225
Technical support scam calls have become common again in Finland, the Finnish Transport and Communications Agency Traficom reports.
In a technical support scam call, the caller poses as a rescuer: they claim to be calling from, for example, Microsoft technical support and tell the recipient that there are viruses on their computer.
As the call proceeds, the scammer asks the victim to download a program that enables remote access to their computer. They claim that the downloaded program will be used to remove the viruses from the computer. In reality, the remote access program may actually be malware. The downloaded program can also create a "backdoor" on the computer that lets the scammer access the device again in the future.
The technical support scam call is a scam method that has been running for years in Finland and around the world.
Tomi Engdahl says:
Lying on your CV on LinkedIn no longer pays off – fake accounts and exaggerated résumés are being reined in
The service has been plagued by exaggerated résumés and fake accounts created with AI.
https://www.iltalehti.fi/digiuutiset/a/c306c5d1-8487-4a91-b3da-31e512bbadc5
The work-related social media service LinkedIn has released a long-awaited update that makes it possible to verify work experience. On LinkedIn, employers can announce open positions, and users can also share their professional skills and related publications.
The service has been plagued by fake accounts that exaggerate their skills and present false résumés. In addition, AI-generated fake accounts have been used on the service, for example to carry out cryptocurrency scams.
The update is currently in a trial phase. Adopting it is also not mandatory for using an account.
Tomi Engdahl says:
Energy giant warns of ‘catastrophic damage’ if government bans payment of cyber ransoms
https://www.9news.com.au/national/cyberattack-agl-warns-of-catastrophic-damage-if-ransom-to-hackers-is-banned-by-government/4680f6f2-9594-44fc-9cf7-faa2449ff04c
A government-imposed ban on companies paying cyber ransoms to hackers could cause “catastrophic damage” and even lead to the loss of Australian lives, the nation’s biggest energy producer has warned.
AGL Energy, whose board was recently reshuffled by Atlassian billionaire Mike Cannon-Brookes, described ransom bans as a dangerous double-edged sword.
Prohibiting ransoms may reduce the volume of attacks, AGL said, but it could also result in “potentially avoidable catastrophic damage, harm to community, loss of life, disruption of essential services or disclosure of sensitive information”.
“In some circumstances and for some organisations, the payment of a ransom demand may be the only path to achieving acceptable outcomes,” AGL said in its 15-page submission towards a review of Australia’s cyber security strategy.
The nightmare scenario for many governments is a cyberattack on power grids, paralysing vital infrastructure for massive swathes of the population.
AGL said the government should instead strongly discourage payments and revisit imposing a ban when Australia has more resilient cyber security capabilities in place.
Tomi Engdahl says:
The EU has issued a warning to Twitter – Elon Musk allows Kremlin propaganda
Twitter is in trouble over its moderation practices. Large fines are the threat.
https://www.iltalehti.fi/digiuutiset/a/32af1ef2-48cd-4d00-8ecd-d1cc2390fd80
According to researchers, the changes made to Twitter, the social media service owned by technology billionaire Elon Musk, have benefited the propaganda machinery of Russia, China and Iran.
Musk has recently reformed Twitter with a heavy hand. The most dubious changes mainly concern the verification badges issued by the company, which Musk has decided to make paid. As a result, fake accounts have also been able to buy verification.
Researchers state that as a result of the changes, accounts spreading propaganda and misleading information gain followers more effectively, and their message spreads more effectively to a wide audience.
Twitter changes stoke Russian, Chinese propaganda surge
https://apnews.com/article/twitter-russia-china-elon-musk-ukraine-2eedeabf7d555dc1d0a68b3724cfdd55
FILE – A Twitter logo hangs outside the company’s offices in San Francisco, on Dec. 19, 2022. Russia, China and Iran are exploiting recent changes at Twitter to spread disinformation faster and farther. Under new owner Elon Musk, Twitter recently ended its policy of labeling foreign propaganda agencies like RT or Sputnik. (AP Photo/Jeff Chiu, File)
WASHINGTON (AP) — Twitter accounts operated by authoritarian governments in Russia, China and Iran are benefiting from recent changes at the social media company, researchers said Monday, making it easier for them to attract new followers and broadcast propaganda and disinformation to a larger audience.
The platform is no longer labeling state-controlled media and propaganda agencies, and will no longer prohibit their content from being automatically promoted or recommended to users. Together, the two changes, both made in recent weeks, have supercharged the Kremlin’s ability to use the U.S.-based platform to spread lies and misleading claims about its invasion of Ukraine, U.S. politics and other topics.
Tomi Engdahl says:
RSA Conference 2023 – Announcements Summary (Day 2)
https://www.securityweek.com/rsa-conference-2023-announcements-summary-day-2/
Hundreds of companies are showcasing their products and services this week at the 2023 edition of the RSA Conference in San Francisco.
To help cut through the clutter, the SecurityWeek team is publishing a daily digest summarizing some of the announcements made by vendors.
Accenture and Google Cloud expand partnership
Accenture and Google Cloud have expanded their partnership. Accenture is enhancing its adaptive detection and response offering and MxDR service by integrating Google capabilities and technologies, including for security operations, threat intelligence, generative AI, and managed crisis and incident response.
AI Spera launches cyber threat intelligence search engine
AI Spera’s Criminal IP OSINT-based search engine has launched a cyber threat intelligence search engine that collects and analyzes IP addresses to detect cyber threats.
Akamai launches Prolexic Network Cloud Firewall
Akamai has launched the Prolexic Network Cloud Firewall, a new capability that allows users to define and manage their own ACLs, providing greater flexibility for securing the network edge.
Apiiro launches application attack surface exploration tool
Apiiro has launched Risk Graph Explorer, a tool that helps security teams understand their application attack surface. SecurityWeek has published an article detailing the new tool.
Eclypsium launches supply chain security platform
Eclypsium has launched a supply chain security platform that is designed to enable IT security and operations teams to continuously identify and monitor the software bill of materials (SBOM), integrity, and vulnerability of components and system code in each device.
Google Cloud adds ChromeOS data controls and security integrations
Google Cloud has announced new data controls and security integrations for ChromeOS to enhance business data protection.
SentinelOne launches security data platform
SentinelOne has launched Singularity Security DataLake, a security data platform designed to provide insights to identify trends, detect anomalies, and respond to threats in real time.
Thales launches new USB tokens
Thales has launched the SafeNet eToken Fusion series, USB tokens combining Fast IDentity Online 2.0 (FIDO2) with PKI/CBA in a single authenticator. The new tokens are designed to protect Microsoft Azure Active Directory users against account compromise and provide stronger security for access to cloud and web applications.
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/linux-version-of-rtm-locker-ransomware-targets-vmware-esxi-servers/
Tomi Engdahl says:
https://www.wepardi.fi/2023/04/17/immunifyav/
Tomi Engdahl says:
The Criminal Sanctions Agency's system went dark for 7 hours: "There are possible risks involved" https://www.is.fi/digitoday/art-2000009550014.html
Tomi Engdahl says:
A series of data breaches in Finland: the "secure email" is actually a trap https://www.is.fi/digitoday/tietoturva/art-2000009550831.html
The authority warns of an active campaign against municipalities and public administration.
Microsoft 365 user accounts at SEVERAL Finnish organizations have been broken into using secure-email-themed phishing messages. The National Cyber Security Centre of the Finnish Transport and Communications Agency Traficom says it has received a significant number of reports about the scam.
The new campaign became active in mid-April, and compromised email accounts have been observed at 20 organizations. The messages number in the tens of thousands.
The fake messages carry, for example, the logo of a municipality, the Social Insurance Institution (Kela), a medical centre, a wellbeing services county or an insurance company. Subject lines observed recently include words such as reminder, travel ticket, order, invoice or applicant, and the messages contain an authentic-looking secure email template.
The recipient is lured into clicking the link in the message and entering their email username and password on a fake Microsoft 365 login page.
A similar campaign was seen last autumn and in early 2022. Attempts were made to hijack public administration Microsoft 365 accounts with messages disguised as secure emails from large companies.
MANY criminals have turned their attention to organizations' email instead of, for example, credit card details. Email accounts are valuable commodities for criminals, and they can reveal sensitive information that helps push the attack deeper into the organization and cause serious financial damage.
Tomi Engdahl says:
Microsoft is busy rewriting core Windows code in memory-safe Rust https://www.theregister.com/2023/04/27/microsoft_windows_rust/
Microsoft is rewriting core Windows libraries in the Rust programming language, and the more memory-safe code is already reaching developers. Microsoft showed interest in Rust several years ago as a way to catch and squash memory safety bugs before the code lands in the hands of users; these kinds of bugs were at the heart of about 70 percent of the CVE-listed security vulnerabilities patched by the Windows maker in its own products since 2006
Tomi Engdahl says:
ChatGPT writes insecure code
https://www.malwarebytes.com/blog/news/2023/04/chatgpt-creates-not-so-secure-code-study-finds
Research by computer scientists associated with the Université du Québec in Canada has found that ChatGPT, OpenAI’s popular chatbot, is prone to generating insecure code. “How Secure is Code Generated by ChatGPT?” is the work of Raphaël Khoury, Anderson Avila, Jacob Brunelle, and Baba Mamadou Camara. The paper concludes that ChatGPT generates code that isn’t robust, despite claiming awareness of its vulnerabilities
Tomi Engdahl says:
“Ashamed” LockBit ransomware gang apologises to hacked school, offers free decryption tool https://www.bitdefender.com/blog/hotforsecurity/ashamed-lockbit-ransomware-gang-apologises-to-hacked-school-offers-free-decryption-tool/
Last month, a school district in Illinois was reported to be working closely with a cybersecurity insurance firm to determine the extent of damage it had sustained from a ransomware attack. Olympia Community Unit School District 16 – the largest school district in Illinois – realized on Sunday February 26, 2023, that it had suffered a ransomware attack, after being targeted by an affiliate of the notorious LockBit ransomware group. In this instance, it appears that the affiliates who launched the ransomware attack are not in LockBit’s good books, as the group has expressed remorse for the hacking into servers used by innocent school children
Tomi Engdahl says:
Magecart threat actor rolls out convincing modal forms https://www.malwarebytes.com/blog/threat-intelligence/2023/04/kritec-art
To ensnare new victims, criminals will often devise schemes that attempt to look as realistic as possible. Having said that, it is not every day that we see the fraudulent copy exceed the original piece.
While following up on an ongoing Magecart credit card skimmer campaign, we were almost fooled by a payment form that looked so well done we thought it was real. The threat actor used original logos from the compromised store and customized a web element known as a modal to perfectly hijack the checkout page. While the technique to insert frames or layers is not new, the remarkable thing here is that the skimmer looks more authentic than the original payment page. We were able to observe several more compromised sites with the same pattern of using a custom-made and fraudulent modal
Tomi Engdahl says:
Google wins court order to force ISPs to filter botnet traffic https://nakedsecurity.sophos.com/2023/04/28/google-wins-court-order-to-force-isps-to-filter-botnet-traffic/
A US court has recently unsealed a restraining order against a gang of alleged cybercrooks operating outside the country, based on a formal legal complaint from internet giant Google. Google said it obtained a temporary court order in the U.S. to disrupt the distribution of a Windows-based information-stealing malware called CryptBot and “decelerate” its growth
Tomi Engdahl says:
Many Public Salesforce Sites are Leaking Private Data https://krebsonsecurity.com/2023/04/many-public-salesforce-sites-are-leaking-private-data/
A shocking number of organizations including banks and healthcare providers are leaking private and sensitive information from their public Salesforce Community websites, KrebsOnSecurity has learned. The data exposures all stem from a misconfiguration in Salesforce Community that allows an unauthenticated user to access records that should only be available after logging in
Tomi Engdahl says:
Major UK banks including Lloyds, Halifax, TSB hit by outages https://www.bleepingcomputer.com/news/technology/major-uk-banks-including-lloyds-halifax-tsb-hit-by-outages/
“Websites and mobile apps of Lloyds Bank, Halifax, TSB Bank, and Bank of Scotland have experienced web and mobile app outages today leaving customers unable to access their account balances and information.
Lloyds Banking Group is the parent company behind household names including Lloyds Bank, Halifax, Bank of Scotland, and has former links to TSB. As such, it wouldn’t be surprising if the information systems of these banks relied on much of the same server infrastructure, as evident from visual and operational similarities between these websites.”
Tomi Engdahl says:
The DOJ Detected the SolarWinds Hack 6 Months Earlier Than First Disclosed https://www.wired.com/story/solarwinds-hack-public-disclosure/
“In May 2020, the US Department of Justice noticed Russian hackers in its network but did not realize the significance of what it had found for six months.”
Tomi Engdahl says:
APT groups working together to expand operations, target more industries https://www.scmagazine.com/news/threat-intelligence/apt-groups-working-together-to-expand-operations-target-more-industries
“Long-established threat groups appear to be cozying up to each other as a means of expanding their operations in the face of fresh competition from new APT players. [Kaspersky] says APT actors, old and new, have been busy updating their toolsets and expanding their attack vectors, both in terms of geographical location and target industries.” Source:
https://securelist.com/apt-trends-report-q1-2023/109581/
Tomi Engdahl says:
Mac malware-for-hire steals passwords and cryptocoins, sends crime logs via Telegram https://nakedsecurity.sophos.com/2023/04/30/mac-malware-for-hire-steals-passwords-and-cryptocoins-sends-crime-logs-via-telegram/
Researchers at dark web monitoring company Cyble recently wrote about a data-stealing-as-a-service toolkit that they found being advertised in an underground Telegram channel. One somewhat unusual aspect of this service (and in this context, we don't mean that word in any sort of positive sense!) is that it was specifically built to help would-be cyber criminals target Mac users. The malware peddlers' focus on Apple fans was clearly reflected in the name they gave their "product":
Atomic macOS Stealer, or AMOS for short
Tomi Engdahl says:
The Week in Ransomware – April 28th 2023 – Clop at it again https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-april-28th-2023-clop-at-it-again/
It has been a very quiet week for ransomware news, with only a few reports released and not much info about cyberattacks. However, an item of interest was Microsoft linking the recent PaperCut server attacks on the Clop and LockBit ransomware operation. Clop claims to have started exploiting PaperCut servers on April 13th, the same day Microsoft began seeing active exploitation of the vulnerabilities