Cyber security news May 2023

This posting is here to collect cyber security news in May 2023.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.

379 Comments

  1. Tomi Engdahl says:

    Beware! A new phishing technique called “file archiver in the browser” has emerged. It cleverly imitates legitimate file archiver software, like WinRAR, right in your web browser using a .ZIP domain.

    #infosec #cybersecurity #hacking

    https://thehackernews.com/2023/05/dont-click-that-zip-file-phishers.html?m=1

    A new phishing technique called “file archiver in the browser” can be leveraged to “emulate” a file archiver software in a web browser when a victim visits a .ZIP domain.

    Threat actors, in a nutshell, could create a realistic-looking phishing landing page using HTML and CSS that mimics legitimate file archive software, and host it on a .zip domain, thus elevating social engineering campaigns.

    In a potential attack scenario, a miscreant could resort to such trickery to redirect users to a credential harvesting page when a file “contained” within the fake ZIP archive is clicked.

    “Another interesting use case is listing a non-executable file and when the user clicks to initiate a download, it downloads an executable file,” mr.d0x noted. “Let’s say you have an ‘invoice.pdf’ file. When a user clicks on this file, it will initiate the download of a .exe or any other file.”

    On top of that, the search bar in the Windows File Explorer can emerge as a sneaky conduit where searching for a non-existent .ZIP file opens it directly in the web browser should the file name correspond to a legitimate .zip domain.

    “This is perfect for this scenario since the user would be expecting to see a ZIP file,” the researcher said. “Once the user performs this, it will auto-launch the .zip domain which has the file archive template, appearing pretty legitimate.”

    The development comes as Google rolled out eight new top-level domains (TLDs), including “.zip” and “.mov,” that have raised some concerns that it could invite phishing and other types of online scams.

    This is because .ZIP and .MOV are both legitimate file extension names, potentially confusing unsuspecting users into visiting a malicious website rather than opening a file and duping them into accidentally downloading malware.

    “ZIP files are often used as part of the initial stage of an attack chain, typically being downloaded after a user accesses a malicious URL or opens an email attachment,”

    The discovery also comes as cybersecurity company Group-IB said it detected a 25% surge in the use of phishing kits in 2022, identifying 3,677 unique kits, when compared to the preceding year.

    “Phishing operators create random website folders that are only accessible by the recipient of a personalized phishing URL and cannot be accessed without the initial link,” the Singapore-headquartered firm said.

    “This technique allows phishers to evade detection and blacklisting as the phishing content will not reveal itself.”

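As an added example (not from the post or from the researcher it quotes), the scanner below illustrates the confusion the post describes from the defender's side: it picks out tokens in a message that look like archive or video file names (or explicit URLs) but would actually resolve as hostnames under the colliding .zip and .mov TLDs. The sample message, the token regex and the function names are constructed here; a real archive served from a non-colliding domain such as example.com is deliberately left unflagged.

```python
import re
from urllib.parse import urlsplit

# TLDs mentioned in the post that collide with common file extensions.
COLLIDING_TLDS = {"zip", "mov"}

# One DNS label: letters, digits and hyphens, 1-63 chars, no leading/trailing hyphen.
# Underscores are not valid here, so a name like report_v2.zip is not a resolvable host.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOST_RE = re.compile(rf"^(?:{_LABEL}\.)+(?P<tld>[a-z]{{2,}})$")

# Candidate tokens: an explicit http(s) URL, or a bare word with a dotted suffix
# (the "invoice.zip" typed into a search bar or pasted into a chat).
_TOKEN_RE = re.compile(r"https?://[^\s<>\"']+|\b[\w.-]+\.[A-Za-z]{2,}\b")


def classify(token):
    """Return (host, tld, kind) if the token would resolve as a host under a
    colliding TLD, else None.  kind is 'url' for an explicit http(s) URL and
    'bare' for a filename-looking word that is nevertheless a valid hostname."""
    token = token.rstrip(".,;:!?)")          # drop sentence punctuation
    if token.lower().startswith(("http://", "https://")):
        host = urlsplit(token).hostname or ""
        kind = "url"
    else:
        host = token
        kind = "bare"
    m = _HOST_RE.match(host.lower())
    if not m or m.group("tld") not in COLLIDING_TLDS:
        return None
    return (host.lower(), m.group("tld"), kind)


def find_tld_collisions(text):
    """All colliding-TLD hosts found in text, in order of appearance."""
    return [c for c in (classify(t) for t in _TOKEN_RE.findall(text)) if c]


# Constructed sample message for the demonstration.
SAMPLE = """Please review the attached invoice.zip and the clip from
https://files-share.zip/invoice.pdf before Friday. The old draft
(report_v2.zip) and https://example.com/archive.zip are unchanged;
also see holiday.mov and readme.txt."""

if __name__ == "__main__":
    for host, tld, kind in find_tld_collisions(SAMPLE):
        print(f"{kind:4} {host!r} resolves under the .{tld} TLD")
```

The 'bare' hits are the ones to watch in mail and chat filters: they are exactly the names a user would also type into the Windows File Explorer search bar described above.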
  2. Tomi Engdahl says:

    Pornography and execution videos are spreading on YouTube's children's service – disguised as children's programmes
    https://www.iltalehti.fi/digiuutiset/a/863a1a19-16b2-4096-8f46-7fbfb6a0a19c

  3. Tomi Engdahl says:

    Fake bank swindled a Finnish man, expert shocked by the size of the loss https://www.is.fi/digitoday/tietoturva/art-2000009620592.html

    INFORMATION SECURITY EXPERT Petteri Järvinen warns of an online scam that has already claimed at least one victim in Finland.

    – A victim has fallen for an online scam, a really large sum of money lost.
    Apparently the fake bank ”Oak Financial Credit Union” is involved.
    Hopefully no more victims will be found in Finland, Järvinen writes on Twitter.

    The website posing as a bank, named Oak Financial Credit Union, was set up last November. The registrant of the web address, who remains anonymous, has given as their address a fairly new office building in Reykjavik, Iceland.

  4. Tomi Engdahl says:

    Criminals got a taste of their own medicine – data of nearly 500,000 members of a notorious hacker forum published online https://www.tivi.fi/uutiset/tv/81ad884d-b004-42d9-83fc-48386b69013d

    The database of the notorious hacker forum RaidForums has leaked online, exposing the details of users who repeatedly visited the site. RaidForums is a very popular and well-known hacking and leak site where data stolen in data breaches is published, sold and stored.

    The leaked database is a single SQL file containing the login details of 478,870 RaidForums users. The leaked data includes usernames, email addresses, passwords, registration dates and much more.

    Original:
    https://www.bleepingcomputer.com/news/security/new-hacking-forum-leaks-data-of-478-000-raidforums-members/

  5. Tomi Engdahl says:

    Android apps with spyware installed 421 million times from Google Play https://www.bleepingcomputer.com/news/security/android-apps-with-spyware-installed-421-million-times-from-google-play/

    A new Android malware distributed as an advertisement SDK has been discovered in multiple apps, many previously on Google Play and collectively downloaded over 400 million times.

    Security researchers at Dr. Web discovered the spyware module and tracked it as ‘SpinOk,’ warning that it can steal private data stored on users’ devices and send it to a remote server.

    The antivirus company says SpinOk demonstrates a seemingly legitimate behavior, using minigames that lead to “daily rewards” to spark user interest.

    In the background, though, the trojan SDK checks the Android device’s sensor data (gyroscope, magnetometer) to confirm that it’s not running in a sandboxed environment, commonly used by researchers when analyzing potentially malicious Android apps. The app then connects to a remote server to download a list of URLs used to display the expected minigames.

    While the minigames are displayed to the apps’ users as expected, Dr. Web says that in the background, the SDK is capable of additional malicious functionality, including listing files in directories, searching for particular files, uploading files from the device, or copying and replacing clipboard contents. The file exfiltration functionality is particularly concerning as it could expose private images, videos, and documents.

  6. Tomi Engdahl says:

    Rackspace datacenter infrastructure down in London, Sydney, Hong Kong https://www.theregister.com/2023/05/30/rackspace_outage/

    Rackspace is in a mess again. The cloudy concern’s status page reports outages in its SYD2, LON5, LON3, and HKG5 datacenter infrastructure across May 29 and 30.

    Rackspace has warned customers of its London datacenters that whatever’s causing the issue may disrupt their backups, and offered instructions on how to detect any failures.

  7. Tomi Engdahl says:

    ABB confirms data stolen in Black Basta ransomware attack https://www.scmagazine.com/news/ransomware/abb-basta-ransomware-attack

    Global industrial automation company ABB has confirmed it had data stolen in an attack attributed to the Black Basta ransomware group.

  8. Tomi Engdahl says:

    Chinese malicious code found on a US military island – the hacking is believed to be part of a wider operation
    https://www.tivi.fi/uutiset/tv/d077fa79-3dee-463c-99d7-36b798466ac3

    Microsoft and the US National Security Agency (NSA) say that a Chinese state-backed hacker group has installed malware in critical US systems. The alleged cyber espionage by the Volt Typhoon hacker group took place on the island of Guam in the Pacific, home to strategically important US military bases. Malicious code has also been detected elsewhere in the United States.

    The hacker group Volt Typhoon, suspected of cyber espionage, has been active since mid-2021. It has broken into government systems related to, among other things, communications, industry and education.

  9. Tomi Engdahl says:

    Hackers Win $105,000 for Reporting Critical Security Flaws in Sonos One Speakers
    https://thehackernews.com/2023/05/hackers-win-105000-for-reporting.html

  10. Tomi Engdahl says:

    Millions of PC Motherboards Were Sold With a Firmware Backdoor
    Hidden code in hundreds of models of Gigabyte motherboards invisibly and insecurely downloads programs—a feature ripe for abuse, researchers say
    https://www.wired.com/story/gigabyte-motherboard-firmware-backdoor/

    HIDING MALICIOUS PROGRAMS in a computer’s UEFI firmware, the deep-seated code that tells a PC how to load its operating system, has become an insidious trick in the toolkit of stealthy hackers. But when a motherboard manufacturer installs its own hidden backdoor in the firmware of millions of computers—and doesn’t even put a proper lock on that hidden back entrance—they’re practically doing hackers’ work for them.

  11. Tomi Engdahl says:

    Nordea warns of a two-stage scam targeting customers of all banks – this is how it works https://www.is.fi/digitoday/tietoturva/art-2000009621630.html

    IN FINLAND a new kind of scam has been seen over the past couple of months. According to Nordea, the goal is to steal money from the victim's bank account, but the method is unusual. The method, based on a combination of a scam message and a phone call, can be characterised as a two-stage scam.

    In these scams the victim is first approached, as in a traditional scam, with a text message sent for example in the name of the Enforcement Authority (Ulosottolaitos) to lure them to a phishing page that asks for online banking credentials.
    Next, the victim is called in the name of the bank in question, warned about fraud, and given instructions to transfer the money to a ”safe account”.

    – In the last few weeks Nordea has received a total of around twenty reports of such ”hybrid frauds”, where a phishing text message is sent first and then followed up with a call, says Nordea fraud expert Sara Helin.

  12. Tomi Engdahl says:

    Remove this app from your phone immediately – malware had been slipped into an update
    https://www.iltalehti.fi/tietoturva/a/0c8a2b65-376a-4752-8730-e8e67627b3f3

    The Slovak cyber security company ESET warns about the screen recording app iRecorder – Screen Recorder. The app has been available to Android users.

    According to ESET, the app runs malware in the background of normal use without the user noticing. The app records a one-minute audio clip every 15 minutes. In addition, the app collects data from the phone's files and from the web browser.

    The app sends the collected data to the malware's operator.

  13. Tomi Engdahl says:

    SAS Airlines hit by $3 million ransom demand following DDoS attacks https://www.bitdefender.com/blog/hotforsecurity/sas-airlines-hit-by-3-million-ransom-demand-following-ddos-attacks/

    Scandinavian Airlines (SAS) has received a US $3 million ransom demand following a prolonged campaign of distributed denial-of-service (DDoS) attacks against its online services.

    As Cybernews reports, the Anonymous Sudan hacktivist group published their financial demand on its Telegram channel after disrupting the airline’s website and smartphone app.

    In a post on its encrypted channel, Anonymous Sudan said it was increasing its ransom demand to US $3 million, and that the airline should “expect this to keep increasing more and more.”

  14. Tomi Engdahl says:

    New macOS vulnerability, Migraine, could bypass System Integrity Protection https://www.microsoft.com/en-us/security/blog/2023/05/30/new-macos-vulnerability-migraine-could-bypass-system-integrity-protection/

    A new vulnerability, which we refer to as “Migraine” for its involvement with macOS migration, could allow an attacker with root access to automatically bypass System Integrity Protection (SIP) in macOS and perform arbitrary operations on a device.

    A fix for this vulnerability, now identified as CVE-2023-32369, was included in the security updates released by Apple on May 18, 2023.

    SIP is a security technology in macOS that restricts a root user from performing operations that may compromise system integrity. Bypassing SIP could lead to serious consequences, such as increasing the potential for attackers and malware authors to successfully install rootkits, create persistent malware, and expand the attack surface for additional techniques and exploits.

  15. Tomi Engdahl says:

    Stealthy SeroXen RAT malware increasingly used to target gamers https://www.bleepingcomputer.com/news/security/stealthy-seroxen-rat-malware-increasingly-used-to-target-gamers/

    A stealthy remote access trojan (RAT) named ‘SeroXen’ has recently gained popularity as cybercriminals begin using it for its low detection rates and powerful capabilities.

    AT&T reports that the malware is sold under the guise of a legitimate remote access tool for Windows 11 and 10 for $15/month or a single “lifetime” license payment of $60.

    While marketed as a legitimate program, the Flare Systems cyber intel platform has shown that SeroXen is promoted as a remote access trojan on hacking forums. It is unclear if those promoting it on the forums are the developers or shady resellers.

  16. Tomi Engdahl says:

    Toyota finds more misconfigured servers leaking customer info https://www.bleepingcomputer.com/news/security/toyota-finds-more-misconfigured-servers-leaking-customer-info/

    Toyota Motor Corporation has discovered two additional misconfigured cloud services that leaked car owners’ personal information for over seven years.

    This finding came after the Japanese carmaker conducted a thorough investigation on all cloud environments managed by Toyota Connected Corporation after previously discovering a misconfigured server that exposed the location data of over 2 million customers for ten years.

  17. Tomi Engdahl says:

    WordPress force installs critical Jetpack patch on 5 million sites https://www.bleepingcomputer.com/news/security/wordpress-force-installs-critical-jetpack-patch-on-5-million-sites/

    Automattic, the company behind the open-source WordPress content management system, has started force installing a security patch on millions of websites today to address a critical vulnerability in the Jetpack WordPress plug-in.

    Jetpack is an immensely popular plug-in that provides free security, performance, and website management improvements, including site backups, brute-force attack protection, secure logins, malware scanning, and more.

    According to the official WordPress plug-in repository, the plug-in is maintained by Automattic, and it now has over 5 million active installations.

  18. Tomi Engdahl says:

    Barracuda zero-day abused since 2022 to drop new malware, steal data https://www.bleepingcomputer.com/news/security/barracuda-zero-day-abused-since-2022-to-drop-new-malware-steal-data/

    Network and email security firm Barracuda today revealed that a recently patched zero-day vulnerability had been exploited for at least seven months to backdoor customers’ Email Security Gateway (ESG) appliances with custom malware and steal data.

    The company says an ongoing investigation found that the bug (tracked as CVE-2023-2868) was first exploited in October 2022 to gain access to “a subset of ESG appliances” and deploy backdoors designed to provide the attackers with persistent access to the compromised systems.

    The security flaw was identified on May 19, one day after being alerted of suspicious traffic from ESG appliances and hiring cybersecurity firm Mandiant to help with the investigation.

    The company addressed the issue on May 20 by applying a security patch to all ESG appliances and blocked the attackers’ access to the compromised devices one day later by deploying a dedicated script.

  19. Tomi Engdahl says:

    WordPress plugin ‘Gravity Forms’ vulnerable to PHP object injection https://www.bleepingcomputer.com/news/security/wordpress-plugin-gravity-forms-vulnerable-to-php-object-injection/

    The premium WordPress plugin ‘Gravity Forms,’ currently used by over 930,000 websites, is vulnerable to unauthenticated PHP Object Injection.

    Gravity Forms is a custom form builder website owners use for creating payment, registration, file upload, or any other form required for visitor-site interactions or transactions.

    On its website, Gravity Forms claims it is used by a wide variety of large companies, including Airbnb, ESPN, Nike, NASA, PennState, and Unicef.

  20. Tomi Engdahl says:

    RomCom malware spread via Google Ads for ChatGPT, GIMP, more https://www.bleepingcomputer.com/news/security/romcom-malware-spread-via-google-ads-for-chatgpt-gimp-more/

    A new campaign distributing the RomCom backdoor malware is impersonating the websites of well-known or fictional software, tricking users into downloading and launching malicious installers.

    The latest campaign was uncovered by Trend Micro, who have followed RomCom since the summer of 2022. The researchers report that the threat actors behind the malware have escalated its evasion by using payload encryption and obfuscation and expanded the tool’s capabilities by introducing new and powerful commands.

    Most websites used for distributing RomCom to victims concern remote desktop management applications, which increases the likelihood of attackers employing phishing or social engineering to approach their targets.

  21. Tomi Engdahl says:

    Critical Firmware Vulnerability in Gigabyte Systems Exposes ~7 Million Devices https://thehackernews.com/2023/05/critical-firmware-vulnerability-in.html

    Cybersecurity researchers have found “backdoor-like behavior” within Gigabyte systems, which they say enables the UEFI firmware of the devices to drop a Windows executable and retrieve updates in an unsecure format.

    Firmware security firm Eclypsium said it first detected the anomaly in April 2023. Gigabyte has since acknowledged and addressed the issue.

  22. Tomi Engdahl says:

    Cyberattack disrupts Greek national high school exams https://therecord.media/cyberattack-disrupts-greek-exams

    End-of-year high school exams in Greece were disrupted this week by “one of the most extensive cyberattacks in the country’s history,” according to the country’s Education Ministry.

    The distributed denial-of-service attack, or DDoS, targeted Greece’s online examination platform, which is designed to set a uniform exam standard nationwide. In a DDoS attack, a server is flooded with internet traffic from a variety of sources simultaneously.

  23. Tomi Engdahl says:

    Russia’s ‘Silicon Valley’ hit by cyberattack; Ukrainian group claims deep access https://therecord.media/skolkovo-foundation-cyberattack-russia-ukraine

    Ukrainian hackers have breached the systems of Skolkovo Foundation, the agency which oversees the high-tech business area located on the outskirts of Moscow.
    The Foundation was founded and charged by Russian former President Dmitry Medvedev to rival Silicon Valley in the U.S.

    According to Skolkovo’s statement, the hackers managed to gain limited access to certain information systems of the organization, including its file hosting service on physical servers.

    A group of Ukrainian hacktivists took credit for the attack last week and shared screenshots on Telegram of systems they managed to access.

  24. Tomi Engdahl says:

    Nearly 9 million people affected by data breach from cyberattack on dental insurer https://therecord.media/nearly-nine-million-affected-by-mcna-breach

    A ransomware attack on a major dental insurance provider leaked the personal information of nearly nine million people across the United States, according to documents filed with state regulators.

    Managed Care of North America (MCNA) is the largest dental insurer in the nation for government-sponsored Medicaid and Children’s Health Insurance Programs, providing services to more than five million members across eight states.

    On March 6, its IT team became aware of a hack and later discovered that “certain systems within the network may have been infected with malicious code.”

    On March 27, the LockBit ransomware group took credit for the attack, claiming to have stolen 700 gigabytes of data. An investigation — completed on May 3 and led by a cybersecurity firm — revealed that hackers had been in MCNA’s systems from February 26 to March 7 and had made copies of information.

    LockBit published all of the files on April 6 after a $10 million ransom was not paid.

    In a notice on their website, the company said the information stolen included more specific information about patient visits, like a dentist’s name, X-rays, photos, treatment and bills. Some of the information was for the parents or guardians of patients.

  25. Tomi Engdahl says:

    Google Issues Android TV Security Warning https://www.forbes.com/sites/daveywinder/2023/05/30/google-issues-security-warning-for-android-tv-users/

    Google has issued a warning to users of Android TV OS devices to be aware that some TV boxes are not what they appear, certainly when it comes to the security implications for their users.

    In an official Google Android TV OS support forum posting, a Google employee confirms that the company has “recently received questions regarding TV boxes that are built with Android Open Source Project and are being marketed to appear as Android TV OS devices.”

    However, as we all know, appearances can be deceptive. Even though, the warning continues, these may have Google apps and even the Play Store installed, that doesn’t mean these are licensed by Google. Which means, it continues, “these devices are not Play Protect certified.”

    Original:
    https://support.google.com/androidtv/thread/217840369?hl=en&sjid=6644248032415929751-NA

  26. Tomi Engdahl says:

    Five data breaches at the same time – a frightening phenomenon became visible all at once
    The threat researcher's news about organised cybercrime is bad.
    https://www.is.fi/digitoday/tietoturva/art-2000009618361.html
