This posting is here to collect cyber security news in May 2023.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
Tomi Engdahl says:
Beware of this Finnish-language clothing store – buyers of bargain clothes have been scammed
https://www.iltalehti.fi/digiuutiset/a/76948f94-ad99-47d8-a966-bc1b92013185
Clothing store scams are plaguing Finns. Even slightly dubious shopping sites or offers that seem too good should be examined more closely before ordering.
An online clothing store named Dopetakit.com offers brand-name clothes at a good discount but is in reality a scam site. People who ordered clothes from the service have received something completely different from what the order promised.
At a quick glance the site looks the same as the brand's official, trustworthy reseller, dopesnow.com. The difference shows, however, in the clumsy spelling and the vague privacy policy.
The only payment method on the service is a debit card. The site also does not use an encrypted https connection, but an unencrypted http connection.
Not a new phenomenon
Similar scam web shops have been around for a long time. Petteri Järvinen, a non-fiction author working in information security, has noticed the same phenomenon recurring under the guise of many other brands as well.
https://twitter.com/petterij/status/1633534668166291472?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1633534668166291472%7Ctwgr%5Edcad06bc1f9ce659be5ab0a8d995b484e353d448%7Ctwcon%5Es1_&ref_url=https%3A%2F%2Fwww.iltalehti.fi%2Fdigiuutiset%2Fa%2F76948f94-ad99-47d8-a966-bc1b92013185
A cautionary thread about online clothing store scams. If you google well-known brands, you may end up in a Finnish-language scam shop. I looked into the shops today and found a few standard formats. Shown as images below, because Twitter would block direct links. (1/8)
Tomi Engdahl says:
The list is not much help, new shops appear all the time. It is more important to learn to recognise a scam: prices that are too low, spelling mistakes, missing contact details, no cookie pop-up, etc.
Tomi Engdahl says:
APT28 Targets Ukrainian Government Entities with Fake “Windows Update” Emails
https://thehackernews.com/2023/05/apt28-targets-ukrainian-government.html
The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of cyber attacks perpetrated by Russian nation-state hackers targeting various government bodies in the country. The agency attributed the phishing campaign to APT28, which is also known by the names Fancy Bear, Forest Blizzard, FROZENLAKE, Iron Twilight, Sednit, and Sofacy.
The email messages come with the subject line “Windows Update” and purportedly contain instructions in the Ukrainian language to run a PowerShell command under the pretext of security updates
Tomi Engdahl says:
Hackers leak images to taunt Western Digital’s cyberattack response https://www.bleepingcomputer.com/news/security/hackers-leak-images-to-taunt-western-digitals-cyberattack-response/
The ALPHV ransomware operation, aka BlackCat, has published screenshots of internal emails and video conferences stolen from Western Digital, indicating they likely had continued access to the company’s systems even as the company responded to the breach
Tomi Engdahl says:
New LOBSHOT malware gives hackers hidden VNC access to Windows devices https://www.bleepingcomputer.com/news/security/new-lobshot-malware-gives-hackers-hidden-vnc-access-to-windows-devices/
A new malware known as LOBSHOT distributed using Google ads allows threat actors to stealthily take over infected Windows devices using hVNC. Earlier this year, BleepingComputer and numerous cybersecurity researchers reported a dramatic increase in threat actors utilizing Google ads to distribute malware in search results. These advertising campaigns impersonated websites for 7-ZIP, VLC, OBS, Notepad++, CCleaner, TradingView, Rufus, and many more applications
Tomi Engdahl says:
Apple Releases Rapid Security Response Updates for iOS 16.4.1 and macOS 13.3.1 https://www.macrumors.com/2023/05/01/rapid-security-response-16-4-1/
Rapid Security Response updates 16.4.1 (a) and macOS 13.3.1 (a) are designed to provide iOS 16.4.1 users and macOS 13.3.1 users with security fixes without the need to install a full software update. iOS Security Response 16.4.1 is available through the standard Software Update mechanism in the iPhone or iPad Settings app, but is a quick update, requiring just a couple of minutes to download the update and then a quick restart for the install process. The macOS update can be installed through System Settings
Tomi Engdahl says:
Leaked Files Show Extent of Ransomware Group’s Access to Western Digital Systems
https://www.securityweek.com/leaked-files-show-extent-of-ransomware-groups-access-to-western-digital-systems/
Ransomware group leaked files showing the extent of their access to Western Digital systems and how they monitored the company’s initial response to the breach.
A ransomware group has leaked files showing the extent of their access to Western Digital systems and it appears that the hackers were closely monitoring the company’s initial response to the breach from within its network.
The digital storage giant announced a service outage on April 2 and the next day it confirmed that the cause was a cyberattack. The company at the time admitted that the hackers had gained access to some data, but it did not share any details.
The company has not provided any updates on the incident since its initial statement one month ago.
However, the ransomware group known as Alphv/BlackCat has taken credit for the attack and they recently published dozens of screenshots showing the extent of their access.
Tomi Engdahl says:
Chinese Cyberspies Delivered Malware via Legitimate Software Updates
https://www.securityweek.com/chinese-cyberspies-delivered-malware-via-legitimate-software-updates/
Chinese APT Evasive Panda has been observed targeting local members of an international NGO with the MgBot backdoor, delivered via legitimate software updates.
Tomi Engdahl says:
Exploitation of 5-Year-Old TBK DVR Vulnerability Spikes
https://www.securityweek.com/exploitation-of-5-year-old-tbk-dvr-vulnerability-spikes/
Fortinet warns of a massive spike in malicious attacks targeting a five-year-old authentication bypass vulnerability in TBK DVR devices.
Fortinet warns of a massive spike in exploitation attempts targeting a five-year-old authentication bypass vulnerability in TBK DVR devices.
A video surveillance company, TBK Vision provides network CCTV devices, DVRs, and other types of related equipment for protecting industrial and critical infrastructure facilities.
The vendor claims it has over 600,000 cameras, 50,000 CCTV recorders, and other devices being used by organizations in banking, government, retail, and other sectors.
Tracked as CVE-2018-9995 (CVSS score of 9.8), the issue can be exploited remotely by sending a crafted HTTP cookie, providing the attacker with administrative access to a vulnerable device. The attacker could then access camera video feeds.
Details on this critical-severity bug were published in April 2018, when security researcher Fernandez Ezequiel also published proof-of-concept (PoC) code exploiting it. To date, however, the vendor has not provided a patch to address the bug.
The issue impacts TBK’s DVR4104 and DVR4216 devices, which are also rebranded and sold under the CeNova, DVR Login, HVR Login, MDVR Login, Night OWL, Novo, QSee, Pulnix, Securus, and XVR 5 in 1 brands, a NIST advisory reads.
According to Fortinet, during April 2023 alone, its intrusion prevention systems (IPSs) detected more than 50,000 exploitation attempts targeting CVE-2018-9995.
Tomi Engdahl says:
Cyberwarfare
Russian APT Hacked Tajikistani Carrier to Spy on Government, Public Services
https://www.securityweek.com/russian-apt-hacked-tajikistani-carrier-to-spy-on-government-public-services/
Russian espionage group Nomadic Octopus infiltrated a Tajikistani telecoms provider to spy on 18 entities, including government officials and public service infrastructures.
Tomi Engdahl says:
Cisco Working on Patch for Vulnerability Reported by NATO Pentester
https://www.securityweek.com/cisco-working-on-patch-for-vulnerability-reported-by-nato-pentester/
Cisco is working on a patch for an XSS vulnerability found in Prime Collaboration Deployment by a pentester from NATO’s Cyber Security Centre (NCSC).
Cisco informed customers this week that it’s working on a patch for a vulnerability found in the company’s Prime Collaboration Deployment product by a member of NATO’s Cyber Security Centre (NCSC).
Prime Collaboration Deployment is a tool designed to assist in the management of Unified Communications (UC) applications.
The security hole, identified as CVE-2023-20060, is a cross-site scripting (XSS) issue affecting the product’s web-based management interface.
“An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information,” Cisco explained in its advisory.
Cisco said there was no evidence of exploitation in the wild, but vulnerabilities found in the company’s products have been known to be targeted in attacks.
Cisco Prime Collaboration Deployment Cross-Site Scripting Vulnerability
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-pcd-xss-jDXpjm7
A vulnerability in the web-based management interface of Cisco Prime Collaboration Deployment could allow an unauthenticated, remote attacker to conduct a cross-site scripting attack against a user of the interface.
This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.
Tomi Engdahl says:
New ‘Lobshot’ hVNC Malware Used by Russian Cybercriminals
https://www.securityweek.com/new-lobshot-hvnc-malware-used-by-russian-cybercriminals/
Russian cybercrime group TA505 has been observed using new hVNC malware called Lobshot in recent attacks.
Russian cybercrime group TA505 has been observed using new hVNC (Hidden Virtual Network Computing) malware in recent attacks, threat intelligence company Elastic reports.
Called Lobshot, the malware allows attackers to bypass fraud detection engines and provides them with stealthy, direct access to the infected machines.
The threat actor distributes the malware through malvertising, abusing Google Ads and a network of fake websites to trick users into downloading legitimate-looking installers containing backdoors.
To evade detection, Lobshot relies on dynamic import resolution, where the names of the required Windows APIs are resolved at runtime. Upon execution, the threat performs a Windows Defender anti-emulation check and exits its process if the anti-malware solution is detected.
In the cases where it continues with its execution, the malware builds a custom structure based on data harvested from the machine, and only then it initiates network connection. Lobshot also copies itself to a new location, spawns a new process using explorer.exe, and erases the original file.
Elastic Security Labs discovers the LOBSHOT malware
https://www.elastic.co/security-labs/elastic-security-labs-discovers-lobshot-malware
An analysis of LOBSHOT, an hVNC malware family spreading through Google Ads.
Key takeaways
Adversaries continue to abuse and increase reach through malvertising such as Google Ads by impersonating legitimate software
Elastic Security Labs is shedding light on an undiscovered hVNC malware that has been quietly collecting a large install base
This malware we are calling LOBSHOT appears to be leveraged for financial purposes employing banking trojan and info-stealing capabilities
In this post, we will highlight one malware family we observed from this spike we’re calling LOBSHOT. LOBSHOT continues to collect victims while staying under the radar.
One of LOBSHOT’s core capabilities is around its hVNC (Hidden Virtual Network Computing) component. These kinds of modules allow for direct and unobserved access to the machine. This feature continues to be successful in bypassing fraud detection systems and is often baked into many popular families as plugins.
We will walk through the LOBSHOT infection chain and its behaviors. Additionally, we will provide a YARA signature and configuration extractor for this family.
Campaign context
Earlier this year, Elastic Security Labs observed multiple infections with an interesting chain of events that resulted in the execution of an unknown hVNC malware, which we are calling LOBSHOT. Around this same time, similar infection chains were observed in the security community with commonalities of users searching for legitimate software downloads that ended up getting served illegitimate software from promoted ads from Google [1, 2, 3, 4].
In one example, the malicious ad was for a legitimate remote desktop solution, AnyDesk. Careful examination of the URL goes to https://www.amydecke.website instead of the legitimate AnyDesk URL, https://www.anydesk.com.
The landing pages were very convincing with similar branding as the legitimate software and included Download Now buttons that pointed to an MSI installer.
Tomi Engdahl says:
T-Mobile Says Personal Information Stolen in New Data Breach
https://www.securityweek.com/t-mobile-says-personal-information-stolen-in-new-data-breach/
Wireless carrier T-Mobile says the personal information of a small number of individuals was exposed in a recent data breach.
US wireless carrier T-Mobile is informing some customers that their personal information was compromised in a recent data breach.
After being alerted to unauthorized activity on its systems, the company discovered that a malicious actor had access to a “small number” of T-Mobile accounts between late February and March 2023.
The exposed information varies, but includes customer names, birth dates, contact information, T-Mobile account PINs, account numbers and phone numbers, number of lines, Social Security numbers, IDs, balance, and internal T-Mobile codes used to service customer accounts.
According to the wireless carrier, no personal financial account information or call records were compromised in the incident.
T-Mobile reset the impacted customers’ account PINs and recommends that they update the PINs, either by logging in to T-Mobile.com or by contacting the company’s customer support.
The firm told the Maine Attorney General’s Office that only 836 individuals were impacted by the data breach.
Tomi Engdahl says:
Neiman Marcus Says Hackers Breached Customer Accounts
https://www.securityweek.com/neiman-marcus-says-hackers-breached-customer-accounts/
Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.
According to the company, cybercriminals used an automated attack to try various username and password combinations in an attempt to gain access to customer accounts on Neiman Marcus, Last Call, Bergdorf Goodman, Horchow, and CUSP websites. The attack is said to have started on or around December 26.
The retailer said the hackers managed to access roughly 5,200 accounts, but highlighted that the username/password combinations had not been stolen from its systems. Instead, the company believes the attackers used credentials stolen from other breached organizations and attempted to abuse them knowing that many people use the same username and password for multiple online services.
Tomi Engdahl says:
CISA Warns of Attacks Exploiting Oracle WebLogic Vulnerability Patched in January
https://www.securityweek.com/cisa-warns-of-attacks-exploiting-oracle-weblogic-vulnerability-patched-in-january/
CISA warns of attacks exploiting an Oracle WebLogic vulnerability tracked as CVE-2023-21839, which was patched with the January 2023 CPU.
The US Cybersecurity and Infrastructure Security Agency (CISA) has added three vulnerabilities to its known exploited vulnerabilities catalog, including an Oracle WebLogic flaw patched by the vendor in January.
There do not appear to be any public reports describing exploitation of the WebLogic vulnerability. The security hole, tracked as CVE-2023-21839, can be exploited for remote code execution, allowing an attacker to take complete control of the targeted server. It was fixed by Oracle with its January 2023 critical patch update (CPU).
Oracle has credited several researchers for informing it about the vulnerability, which is described by the company as being remotely exploitable without authentication and without user interaction.
Several proof-of-concept (PoC) exploits targeting CVE-2023-21839 have been made public since late February and an expert warned in early March that vulnerable systems could be identified using the Shodan search engine.
Tomi Engdahl says:
Mobile & Wireless
iPhone Users Report Problems Installing Apple’s First Rapid Security Response Update
https://www.securityweek.com/iphone-users-report-problems-installing-apples-first-rapid-security-response-update/
Apple has released its first Rapid Security Response patch, but iPhone users are complaining that they are having problems installing it.
Apple has released its first Rapid Security Response update, but many iPhone users have complained that they are having problems installing the ‘iOS Security Response’.
The tech giant announced Rapid Security Response in June 2022, when it informed customers that the feature would become available in iOS 16 and macOS Ventura.
This feature enables Apple to deliver important security patches to Macs and iPhones between standard software updates, and the company initially said the fixes would be applied automatically without requiring a reboot.
The first Rapid Security Response update was rolled out to iPhones running iOS 16.4.1 and Macs running macOS 13.3.1 on Monday. However, Apple has not published any new security advisories so it’s unclear what vulnerabilities have been addressed with the update.
Tomi Engdahl says:
‘BouldSpy’ Android Malware Used in Iranian Government Surveillance Operations
https://www.securityweek.com/bouldspy-android-malware-used-in-iranian-government-surveillance-operations/
The Iranian government has been using the BouldSpy Android malware to spy on minorities and traffickers.
Mobile security firm Lookout has analyzed a piece of Android spyware used by the Iranian government to surveil minority groups in the country and monitor arms, alcohol, and drugs trafficking.
Dubbed BouldSpy, the malware is likely installed by the Law Enforcement Command of the Islamic Republic of Iran (FARAJA) using physical access to victim devices, supposedly obtained during detention.
The spyware has been in use since at least 2020, with more than 300 victims identified to date, including Iranian Kurds, Azeris, Baluchis, and possibly Armenian Christian groups. Evidence also suggests potential law enforcement use of the malware to counter and monitor trafficking.
Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy
https://www.lookout.com/blog/iranian-spyware-bouldspy
Tomi Engdahl says:
Car thieves take an interest in the legendary Nokia 3310: “Engine running in 15 seconds” https://www.is.fi/digitoday/mobiili/art-2000009542535.html
Gadgets disguised as Nokia 3310 phones are being sold to help car thieves, Vice Motherboard reports.
Legendary Nokia 3310 phones are sold online, but instead of collecting, buyers may have darker motives. According to Vice Motherboard, some of the phones have been modified so that they can be used to steal cars that start without a traditional key.
Although the parts hidden inside the phone cost in places only about 10 euros, 3310 phones are being hawked online for thousands of euros. In one listing the price was 4,000 euros. Similar devices disguised as bluetooth speakers, fitted with the same technology, are also for sale. In practice, little more than the shell of the original phone or speaker remains.
It is not known why criminals chose the Nokia 3310 in particular as one of the enclosures for the technology.
First the headlights must be removed from the car so that the necessary cables can be reached. Then the phone can be connected to the car with a cable, and after a moment the engine is purring.
According to Vice, the attack, which is spreading in the United States, succeeds because the false messages the phone sends to the car are not checked. The car believes they come from the smart-key receiver. For now, certain vehicles are open to the attack because this message traffic is not encrypted. The situation could probably be fixed with a software update.
It is unclear how the thieves first bypass the car's door locks. In addition, the Toyota video mentioned has been criticised on the grounds that for the theft to succeed the power would first have to be switched on, and that should not be possible without the key fob. According to Vice, however, the attack does not require the key to be present.
Nokia's memorable 3310, which enjoys a reputation as an indestructible phone, is not the only old Nokia that interests criminals.
A certain version of the Nokia 1100 model has been sold for well over a thousand euros, because it has a software flaw that interests wrongdoers.
With the help of the flaw it is presumably possible to program the phone to receive text messages sent to another phone number. This would make it possible to hijack online banking details, for example.
As for car thefts, in Canada in particular many cases have been seen in which Apple's AirTag tracking tag has been used as an aid.
Car thieves have placed an AirTag in a vehicle they have their eye on, for example behind the fuel tank flap or around the tow hitch, and have then used an iPhone to locate the vehicle in order to steal it at a suitable moment.
Tomi Engdahl says:
by Sayan Sen — Microsoft has released its blog post about the latest May 2023 Windows Autopatch update. The blog post outlines all the new features and Microsoft says the latest release is its most “impactful”.
https://www.neowin.net/news/microsoft-says-latest-may-2023-windows-autopatch-update-is-its-most-impactful/
Microsoft, earlier today, published a new Tech Community blog post outlining its latest May 2023 Windows Autopatch public preview. (In case you aren’t familiar with Autopatch, check out this article.) The blog post notes that this month’s update is its most impactful ever since Autopatch was first introduced back in April 2022.
One of the reasons for saying this is because the May 2023 Autopatch will now bring greater control over how IT admins and system admins are able to deploy feature updates. For example, certain updates can be configured for specific Autopatch groups only, meanwhile for others these updates can be rolled out in a staggered manner. These various Autopatch groups are identified as “Deployment rings”.
The latest Autopatch update also brings alerts and notifications for when it detects missing or modified policies inside the Tenant Management section.
Tomi Engdahl says:
Medusa ransomware gang leaks students’ psychological reports and abuse allegations https://www.bitdefender.com/blog/hotforsecurity/medusa-ransomware-gang-leaks-students-psychological-reports-and-abuse-allegations/
Students and teachers at the Minneapolis Public School (MPS) District, which suffered a huge ransomware attack at the end of February, have had highly sensitive information about themselves published on the web, including allegations of abuse by teachers and psychological reports. Contained in the published data were: names and birthdates of children with special needs, details of their home lives and any disorders, results of intelligence tests, and details of what medication they might be taking
Tomi Engdahl says:
FBI seizes 9 crypto exchanges used to launder ransomware payments https://www.bleepingcomputer.com/news/security/fbi-seizes-9-crypto-exchanges-used-to-launder-ransomware-payments/
The FBI and Ukrainian police have seized nine cryptocurrency exchange websites that facilitated money laundering for scammers and cybercriminals, including ransomware actors. In its announcement, the FBI says the operation was carried out with the help of the Virtual Currency Response Team, the National Police of Ukraine, and legal prosecutors in the country
Tomi Engdahl says:
AMD TPM Exploit: faulTPM Attack Defeats BitLocker and TPM-Based Security (Updated)
By Paul Alcorn
published about 8 hours ago
Zen 2 and Zen 3 are vulnerable to voltage glitching.
https://www.tomshardware.com/news/amd-tpm-hacked-faultpm
Original Article, 9:16am PT : A new paper released by security researchers at the Technical University of Berlin reveals that AMD’s firmware-based Trusted Platform Module (fTPM / TPM) can be fully compromised via a voltage fault injection attack, thus allowing full access to the cryptographic data held inside the fTPM in an attack called ‘faulTPM.’ Ultimately this allows an attacker to fully compromise any application or encryption, like BitLocker, that relies solely upon TPM-based security.
The researchers accomplished this feat using off-the-shelf componentry that cost roughly $200 to attack AMD’s Platform Security Processor (PSP) present in Zen 2 and Zen 3 chips. The report does not specify if Zen 4 CPUs are vulnerable, and the attack does require physical access to the machine for ‘several hours.’ The researchers have also shared the code used for the attack on GitHub and a list of the inexpensive hardware used for the attack.
The report is especially pertinent now that Microsoft has added TPMs to its system requirements for Windows 11, a move met with resistance due to its deleterious impact on gaming performance even when it works correctly, and severe stuttering issues when it does not. Yes, the TPM requirement is easily circumvented. Still, Microsoft’s push for the feature has increased the number of applications relying solely on TPM 2.0 for security features, thus increasing the cross-section of applications vulnerable to the new faulTPM hack.
As a reminder, discrete TPMs plug into a motherboard and communicate with the processor to provide security, but the external bus between the CPU and TPM has proven to be hackable with multiple different approaches. As such, the firmware TPM, or fTPM, was created to embed the functionality inside of the chip, thus providing TPM 2.0-class security without an easily-hackable interface exposed to attackers.
The faulTPM attack centers on attacking the fTPM, which, to our knowledge, hasn’t been possible before. As you can see from the above picture of the Lenovo Ideapad 5 Pro system the researchers used to execute the attack, this isn’t a simple endeavor and will require a few hours of physical access to the machine. In the case of nation-states or the highest-end levels of espionage or corporate espionage, this is fairly easy to accomplish, though.
Here we can see the multiple connections to the power supply, BIOS SPI chip, and SVI2 bus (a power management interface) the researchers used on the Lenovo test subject. These connections are used to execute a voltage fault injection attack against the PSP present in Zen 2 and Zen 3 CPUs, thus acquiring the chip-unique secret that allows the decryption of the objects stored within the TPM.
The researchers contend that this attack vector isn’t easy to mitigate due to the voltage fault injection, so the earliest intercept point for AMD to fix the issue would presumably be with its next-gen CPU microarchitectures. According to the researchers, Intel’s Converged Security and Manageability Engine (CSME) prevents these types of attacks.
We haven’t seen any official communication from AMD on the matter, so the release doesn’t appear to be part of an industry-standard coordinated disclosure.
faulTPM: Exposing AMD fTPMs’ Deepest Secrets
https://arxiv.org/abs/2304.14717
Trusted Platform Modules constitute an integral building block of modern security features. Moreover, as Windows 11 made a TPM 2.0 mandatory, they are subject to an ever-increasing academic challenge. While discrete TPMs – as found in higher-end systems – have been susceptible to attacks on their exposed communication interface, more common firmware TPMs (fTPMs) are immune to this attack vector as they do not communicate with the CPU via an exposed bus. In this paper, we analyze a new class of attacks against fTPMs: Attacking their Trusted Execution Environment can lead to a full TPM state compromise. We experimentally verify this attack by compromising the AMD Secure Processor, which constitutes the TEE for AMD’s fTPMs. In contrast to previous dTPM sniffing attacks, this vulnerability exposes the complete internal TPM state of the fTPM. It allows us to extract any cryptographic material stored or sealed by the fTPM regardless of authentication mechanisms such as Platform Configuration Register validation or passphrases with anti-hammering protection.
Furthermore, we lay out how any application relying solely on the security properties of the TPM – like Bitlocker’s TPM-only protector – can be defeated by an attacker with 2-3 hours of physical access to the target device. Lastly, we analyze the impact of our attack on FDE solutions protected by a TPM and PIN strategy. While a naive implementation also leaves the disk completely unprotected, we find that BitLocker’s FDE implementation withholds some protection depending on the complexity of the used PIN. Our results show that when an fTPM’s internal state is compromised, a TPM and PIN strategy for FDE is less secure than TPM-less protection with a reasonable passphrase.
https://github.com/PSPReverse/ftpm_attack
This repository aims to reproduce the results of our fTPM attack without any hardware access. Where physical steps and access to real hardware would be required, we provide sample data from a Lenovo Ideapad 5 Pro 16ACH6 laptop.
Tomi Engdahl says:
Chinese APT Uses New ‘Stack Rumbling’ Technique to Disable Security Software
https://www.securityweek.com/chinese-apt-uses-new-stack-rumbling-technique-to-disable-security-software/
A subgroup of China-linked hacker group APT41 is using a new ‘stack rumbling’ DoS technique to disable security software.
A subgroup of the Chinese state-sponsored threat actor known as APT41 has been observed using a new denial-of-service (DoS) technique to disable security software, cybersecurity firm Trend Micro reports.
Tracked as Earth Longzhi, the APT41 subgroup is known for the targeting of organizations in the Philippines, Taiwan, and Thailand.
As part of the newly observed campaign, the threat actor was seen performing DLL sideloading via Windows Defender binaries and employing two methods of disabling security products: a bring-your-own-vulnerable-driver (BYOVD) attack, and a technique called ‘stack rumbling’ that involves Image File Execution Options (IFEO).
The attacks typically start with the exploitation of vulnerable public-facing applications and Internet Information Services (IIS) and Microsoft Exchange servers to deploy the Behinder web shell, which provides backdoor capabilities, remote code execution, and a Socks5 proxy.
Tomi Engdahl says:
Exploitation of BGP Implementation Vulnerabilities Can Lead to Disruptions
https://www.securityweek.com/exploitation-of-bgp-implementation-vulnerabilities-can-lead-to-disruptions/
Open source BGP implementation FRRouting is affected by three vulnerabilities that can be exploited to cause disruption via DoS attacks.
A widely used BGP implementation is affected by three vulnerabilities that can be exploited to cause disruption through denial-of-service (DoS) attacks, according to cybersecurity firm Forescout.
The Border Gateway Protocol (BGP) plays an important role in the way the internet works. It serves as the main routing protocol, allowing autonomous systems (AS) — networks or network groups that have a unified routing policy — to exchange information on routing and reachability.
BGP was not designed with security in mind and it can be abused to redirect traffic for malicious purposes. In addition, BGP incidents can lead to widespread disruption.
While BGP itself has long been found to be insecure, Forescout researchers decided to also analyze various projects that implement BGP. They have analyzed the open source tools FRRouting, BIRD and OpenBGPd, as well as the closed source software Mikrotik RouterOS, Juniper JunOS, Cisco IOS and Arista EOS.
On Tuesday, the company revealed that FRRouting (FRR), which implements BGP and various other internet routing protocols, is affected by three vulnerabilities that can be exploited for DoS attacks.
According to its website, FRR is used by ISPs, SaaS infrastructure, web 2.0 businesses, hyperscale services, and Fortune 500 private clouds.
The security holes are tracked as CVE-2022-40302, CVE-2022-40318 and CVE-2022-43681, and they have been described as out-of-bounds read issues related to the processing of malformed BGP OPEN messages.
The developer was informed about the vulnerabilities and released patches.
“Two of these issues (CVE-2022-40302 and CVE-2022-43681) can be triggered before FRRouting validates BGP Identifier and ASN fields. While FRRouting only allows connections between configured peers by default (e.g., OPEN messages from hosts not present in the config files will not be accepted), in this case attackers only need to spoof a valid IP address of a trusted peer,” Forescout explained.
Tomi Engdahl says:
US, Ukraine Shut Down Cryptocurrency Exchanges Used by Cybercriminals
https://www.securityweek.com/us-ukraine-shut-down-cryptocurrency-exchanges-used-by-cybercriminals/
Authorities in the United States and Ukraine have shut down nine websites that had been offering cryptocurrency exchange services to cybercriminals.
The takedowns are the result of cooperation between the FBI, its Virtual Currency Response Team (VCRT) team, the National Police of Ukraine, and Ukraine’s Prosecutor General.
The targeted domains, which now display a message informing visitors that they have been seized, are 24xbtc.com, 100btc.pro, pridechange.com, 101crypta.com, uxbtc.com, trust-exchange.org, bitcoin24.exchange, paybtc.pro and owl.gold.
Authorities claim they have not only seized the domains, but also shut down associated servers, including ones located in the United States.
Global Operation Takes Down Dark Web Drug Marketplace
https://www.securityweek.com/global-operation-takes-down-dark-web-drug-marketplace/
Law enforcement agencies around the world seized an online marketplace and arrested nearly 300 people allegedly involved in buying and selling drugs.
Law enforcement agencies around the world seized an online marketplace and arrested nearly 300 people allegedly involved in buying and selling drugs, European Union law enforcement agency Europol said Tuesday.
The worldwide operation targeting the “Monopoly Market,” coordinated by Europol, is the latest major takedown of sales platforms for drugs and other illicit goods on the so-called dark web, a part of the internet hosted within an encrypted network and accessible only through specialized anonymity-providing tools.
“Our coalition of law enforcement authorities across three continents proves that we all do better when we work together,” Europol’s Executive Director, Catherine De Bolle, said in a statement. “This operation sends a strong message to criminals on the dark web: International law enforcement has the means and the ability to identify and hold you accountable for your illegal activities, even on the dark web.”
Europol said that 288 suspects were arrested and more than 50.8 million euros ($53.4 million) in cash and virtual currencies, 850 kilograms of drugs, and 117 firearms were seized in a series of raids in several countries.
Tomi Engdahl says:
IT Services Firm Bitmarck Takes Systems Offline Following Cyberattack
https://www.securityweek.com/it-services-firm-bitmarck-takes-systems-offline-following-cyberattack/
German IT services giant Bitmarck has taken customer and internal systems offline following a cyberattack.
German IT services provider Bitmarck on Monday announced that it has shut down customer and internal systems following a cyberattack.
Headquartered in Essen, Bitmarck is one of the largest IT companies in Germany, providing technical infrastructure and services to over 80 organizations in the public health insurance sector.
On May 1, the company announced that its early warning systems were triggered by an attack on its internal network, to which it responded by promptly taking data centers and other systems offline.
According to Bitmarck, no customer or insured individuals’ data appears to have been stolen in the incident. Patient data, which is subject to special protection under German regulation, “was and is never endangered by the attack”, the company says.
The IT giant says it has already started restoration operations, but that some systems will take longer to restore, as the operation is performed in line with a ‘security and priority-oriented process’.
Tomi Engdahl says:
Finnish-language clothing store is a brazen scam – duped customers leave harsh comments https://www.is.fi/digitoday/tietoturva/art-2000009555281.html
The Dopetakit.com site is fraudulent. Some customers found this out the hard way.
THE FINNISH-LANGUAGE ski clothing web store dopetakit.com is defrauding customers. It is a scam that imitates the genuine dopesnow.com store, stealing images from it, for example, and offering hefty ”discounts”.
The fake site was registered in January this year but is still in operation. Customer feedback is scathing.
– A complete scam! I ordered a jacket. Payment by credit card only worked with debit, not credit. They sent a package containing some cheap wallet, commented the user Mathias on the Trustpilot site.
– The same thing happened to me as to the previous commenter! But I got fake Ray-Bans.
Iltalehti reported the matter first.
Buying requires registration, i.e. providing an email address and a password. Requiring a debit card means the scammers get immediate access to the customer’s money. With a credit card, getting the money back would be much easier for the victim.
A SIMILAR scam is the intersport-hoka.com site, which sells shoes with the same graphical layout as dopetakit.com. There is also a similar scam in the name of Demonia shoes at demonia-finland.com.
In March, a fake clothing store imitating Helly Hansen was exposed. The same applies to the solovair-suomi.com shoe store and to arcteryx-suomi.com. There are undoubtedly others.
THE NUMBER of fraudulent web stores has grown, but recognizing one can be difficult. The sites may be complete visual copies of well-known brands’ websites. According to a recent study, almost half of Finns do not know how to verify the safety of online purchases.
Sometimes stores may exist only to steal consumers’ payment card details or bank credentials. On the other hand, a suspicious-looking web store is not necessarily fraudulent. If contact details are available, you can try to contact the seller if something about ordering seems questionable.
IN PLACES, poor Finnish can also point to a scam. But not always. The genuine web store Proshop recently introduced automatic machine translation, and the results were at times amusing.
Previously, a dangerous website could often be recognized by the missing padlock in the browser’s address bar. It means that the traffic between the user and the site is not encrypted. However, fake sites are increasingly using the padlock too.
For example, in the case of Dopetakit.com the padlock is present. But even if the traffic is encrypted, that does not guarantee the safety of the website itself. It is also possible that, for example, the connection turns unencrypted when paying for purchases. Keep an eye on whether the padlock is always shown in the address bar while shopping.
Tomi Engdahl says:
So long passwords, thanks for all the phish https://security.googleblog.com/2023/05/so-long-passwords-thanks-for-all-phish.html
Starting today, you can create and use passkeys on your personal Google Account. When you do, Google will not ask for your password or 2-Step Verification (2SV) when you sign in. Passkeys are a more convenient and safer alternative to passwords. They work on all major platforms and browsers, and allow users to sign in by unlocking their computer or mobile device with their fingerprint, face recognition or a local PIN. Using passwords puts a lot of responsibility on users.
Choosing strong passwords and remembering them across various accounts can be hard. In addition, even the most savvy users are often misled into giving them up during phishing attempts. 2SV (2FA/MFA) helps, but again puts strain on the user with additional, unwanted friction and still doesn’t fully protect against phishing attacks and targeted attacks like “SIM swaps” for SMS verification. Passkeys help address all these issues.
Tomi Engdahl says:
Passkeys are the new standard to authenticate on the web https://www.passkeys.com/ Passkeys are a new way to sign in without passwords. With Touch ID and Face ID, passkeys are more secure and easier to use than passwords and any current two-factor authentication methods. Passkeys provide users a passwordless sign-in experience that is both more convenient and more secure. In a sense, Passkeys are similar to MFA, it’s a combination of something you have and something you are (your Face ID or Fingerprint). Different from passwords, Passkeys are resistant to phishing, are always strong, and they are not shared or stored on different databases. When a user sets up a passkey, a key is generated and synchronized to the cloud. When the user connects from another device in the same ecosystem, it will use the same key. Each time a passkey is being authenticated, a unique signature is generated, which expires within minutes.
Tomi Engdahl says:
Police dismantles Try2Check credit card verifier used by dark web markets https://www.bleepingcomputer.com/news/security/police-dismantles-try2check-credit-card-verifier-used-by-dark-web-markets/
The U.S. Department of Justice announced today the indictment of Russian citizen Denis Gennadievich Kulkov, suspected of running a stolen credit card checking operation that generated tens of millions in revenue. Kulkov is believed to have created the Try2Check underground service in 2005, a platform that soon became highly popular among cybercriminals in the illegal credit card trade and helped the suspect make at least $18 million in bitcoin.
Tomi Engdahl says:
Apple and Google Join Forces to Stop Unauthorized Location-Tracking Devices https://thehackernews.com/2023/05/apple-and-google-join-forces-to-stop.html
Apple and Google have teamed up to work on a draft industry-wide specification that’s designed to tackle safety risks and alert users when they are being tracked without their knowledge or permission using devices like AirTags.
Tomi Engdahl says:
Fake Websites Impersonating Association To ChatGPT Poses High Risk, Warns Check Point Research https://blog.checkpoint.com/research/fake-websites-impersonating-association-to-chatgpt-poses-high-risk-warns-check-point-research/
In December 2022, Check Point Research (CPR) started raising concerns about ChatGPT’s implications for cybersecurity. In our previous report, CPR put a spotlight on an increase in the trade of stolen ChatGPT Premium accounts, which enable cyber criminals to get around OpenAI’s geofencing restrictions to secure unlimited access to ChatGPT. In this blog, we are reporting that Check Point Research have recently noticed a surge in cyberattacks leveraging websites associated with the ChatGPT brand. These attacks involve the distribution of malware and phishing attempts through websites that appear to be related to ChatGPT. We have identified numerous campaigns that mimic the ChatGPT website with the intention of luring users into downloading malicious files or disclosing sensitive information. The frequency of these attack attempts has been steadily increasing over the past few months, with tens of thousands of attempts to access these malicious ChatGPT websites.
Tomi Engdahl says:
Ransomware Attack Affects Dallas Police, Court Websites
https://www.securityweek.com/ransomware-attack-affects-dallas-police-court-websites/
Dallas was hit with a ransomware attack that brought down its Police Department and City Hall websites on May 3rd.
Tomi Engdahl says:
Hackers Promise AI, Install Malware Instead
https://www.securityweek.com/hackers-promise-ai-install-malware-instead/
Facebook parent Meta warned that hackers are using the promise of generative artificial intelligence like ChatGPT to trick people into installing malware on devices.
Tomi Engdahl says:
Court Rules in Favor of Merck in $1.4 Billion Insurance Claim Over NotPetya Cyberattack
https://www.securityweek.com/court-rules-in-favor-of-merck-in-1-4-billion-insurance-claim-over-notpetya-cyberattack/
Court says insurers must pay Merck for losses related to the Russia-linked NotPetya cyberattack.
The Superior Court of New Jersey Appellate Division has ruled in favor of Merck in its $1.4 billion claim against the insurance industry for denying payment for damages caused by the 2017 NotPetya cyberattack. Merck did not have separate cyber insurance, and instead relied on the ‘all risks’ element of its property insurance.
According to Merck, within ninety seconds of the initial NotPetya infection, roughly 10,000 machines in its global network were infected by the malware, and over 40,000 machines were ultimately infected across the company globally.
The insurers claimed that the property insurance was subject to a war exclusion clause, and the “exclusion is clear and unambiguous, and it plainly applies to the NotPetya attack.”
Judges Currier, Mayer and Enright have now disagreed, and declared, “We have addressed the exclusion in terms of the presented circumstances before us. And we have found the Insurers have not satisfied their burden to show it could be fairly applied to the NotPetya cyberattack. That is the scope of our review. Therefore, we decline the Insurers’ request to delineate the exact scope of what cyberattacks might be encompassed under the hostile/warlike exclusion.”
This is an interesting position. While declining to accept the nation-state NotPetya attack as an act of war, they have also declined to define what type of cyberattack could be defined as an act of war.
But as far as this case is concerned, that is academic. The court concluded, “terms similar to ‘hostile or warlike action’ by a sovereign power are intended to relate to actions clearly connected to war or, at least, to a military action or objective. Therefore, in addition to the plain language interpretation of the exclusion requiring the inapplicability of the exclusion, the context and history of this and similarly worded exclusions and the manner in which similar exclusions have been interpreted by courts all compel the conclusion that the exclusion was inapplicable to bar coverage for Merck’s losses.”
“In many ways, this decision boils down to the Court’s thoughtful application of fundamental principles of insurance law: exclusionary provisions must be construed narrowly against the insurer, any ambiguities must be resolved in the insured’s favor and consistent with the insured’s reasonable expectations. On that score, the Court correctly determined that the plain language of the policies’ hostile/warlike action exclusion simply cannot reasonably be interpreted as encompassing a cyberattack on a non-military company providing commercial services to non-military customers.”
Cyber is, however, considered to be a modern theater of war – and cyber changes faster than any other modern arena. Discussion will likely continue over the validity of applying historical definitions to the new world.
Nevertheless, continued Cummings, “The mere presence of hostile or warlike action is not enough where, as here, the underlying activity is commercial in nature, and the damage is not caused by a warlike attack directed at the policyholder. In sum, the Court’s decision was a meaningful affirmation that plain language and the core, policyholder-friendly tenets of insurance law must ultimately prevail.”
This may or may not be the end of the Merck case, but it is probably just the beginning of future arguments about what can or cannot be construed as a cyber act of war. A $1.4 billion payout is no small matter for the insurance industry and is bound to have future ramifications on the cyber – and property – insurance industry.
Tomi Engdahl says:
Netgear Vulnerabilities Lead to Credentials Leak, Privilege Escalation
https://www.securityweek.com/netgear-vulnerabilities-lead-to-credentials-leak-privilege-escalation/
Vulnerabilities in Netgear network management system allow attackers to retrieve cleartext passwords and escalate privileges.
Vulnerabilities in Netgear’s NMS300 ProSAFE network management system allow attackers to retrieve cleartext credentials and escalate privileges, cybersecurity firm Flashpoint reports.
The tool provides users with a web-based interface for network device management. It uses TCP port 8080 for communication and supports administrator accounts and lower-privileged operator and observer account roles.
A user with an observer account can only view and monitor network functions, but the issues that Flashpoint identified in the product allow an attacker to gain administrative access to devices, starting from this low-privileged role.
Netgear NMS300, Flashpoint explains, allows administrators to manage user accounts from a ‘User management’ tab, where an observer account can only view information about other users, such as username, account type, contact details, and more.
What Flashpoint discovered was that, when the ‘User management’ tab is accessed, the system sends two requests, one to initiate the page and another to retrieve user information to populate the page.
Tomi Engdahl says:
Chrome 113 Released With 15 Security Patches
https://www.securityweek.com/chrome-113-released-with-15-security-patches/
Chrome 113 was released to the stable channel with 15 security fixes, including 10 that address vulnerabilities reported by external researchers.
Google this week announced the release of Chrome 113 to the stable channel with 15 security fixes, including patches for 10 vulnerabilities reported by external researchers.
Released roughly two weeks after Google resolved two zero-day vulnerabilities in the popular browser, the latest Chrome update only resolves medium- and low-severity flaws, despite the major version change.
Even if none of the externally reported flaws was severe, however, the internet giant paid over $30,000 in bug bounty rewards to the reporting researchers, its advisory reveals.
Tomi Engdahl says:
Jess Weatherbed / The Verge:
Google enables passkeys, FIDO Alliance-developed cryptographic keys that require a preauthenticated device, on all accounts, to eventually replace passwords — Google’s next step into a passwordless future is here with the announcement that passkeys — a new cryptographic keys solution …
You no longer need a password to sign in to your Google account
https://www.theverge.com/2023/5/3/23709318/google-accounts-passkey-support-password-2fa-fido-security-phishing
Your Google account now supports passkeys to replace your password and 2FA.
Tomi Engdahl says:
Chinese Hacker Group Earth Longzhi Resurfaces with Advanced Malware Tactics https://thehackernews.com/2023/05/chinese-hacker-group-earth-longzhi.html
“A Chinese state-sponsored hacking outfit has resurfaced with a new campaign targeting government, healthcare, technology, and manufacturing entities based in Taiwan, Thailand, the Philippines, and Fiji after more than six months of no activity.”
Tomi Engdahl says:
Russian hackers use WinRAR to wipe Ukraine state agency’s data https://www.bleepingcomputer.com/news/security/russian-hackers-use-winrar-to-wipe-ukraine-state-agencys-data/
“The Russian ‘Sandworm’ hacking group has been linked to an attack on Ukrainian state networks where WinRar was used to destroy data on government devices. [...] CERT-UA says the Russian hackers used compromised VPN accounts that weren’t protected with multi-factor authentication to access critical systems in Ukrainian state networks.
When WinRar is executed, the threat actors use the “-df” command-line option, which automatically deletes files as they are archived. The archives themselves were then deleted, effectively deleting the data on the device.”
Tomi Engdahl says:
Oracle WebLogic Server vulnerability added to CISA list as known to be exploited https://www.malwarebytes.com/blog/news/2023/05/oracle-weblogic-server-vulnerability-added-to-cisa-list-as-known-to-be-exploited
CVE-2023-21839 affects Oracle WebLogic Server. It can lead to an unauthenticated attacker with network access gaining unauthorized access to “critical data or complete access to all Oracle WebLogic Server accessible data.”
Tomi Engdahl says:
Hackers start using double DLL sideloading to evade detection https://www.bleepingcomputer.com/news/security/hackers-start-using-double-dll-sideloading-to-evade-detection/
“An APT hacking group known as “Dragon Breath,” “Golden Eye Dog,” or “APT-Q-27” is demonstrating a new trend of using several complex variations of the classic DLL sideloading technique to evade detection. These attack variations begin with an initial vector that leverages a clean application, most often Telegram, that sideloads a second-stage payload, sometimes also clean, which in turn, sideloads a malicious malware loader DLL.”
Tomi Engdahl says:
Not quite an Easter egg: a new family of Trojan subscribers on Google Play https://securelist.com/fleckpe-a-new-family-of-trojan-subscribers-on-google-play/109643/
“Every once in a while, someone will come across malicious apps on Google Play that seem harmless at first. Some of the trickiest of these are subscription Trojans, which often go unnoticed until the user finds they have been charged for services they never intended to buy. This kind of malware often finds its way into the official marketplace for Android apps.”
Tomi Engdahl says:
Researchers Discover 3 Vulnerabilities in Microsoft Azure API Management Service https://thehackernews.com/2023/05/researchers-discover-3-vulnerabilities.html
“Three new security flaws have been disclosed in Microsoft Azure API Management service, which includes two server-side request forgery (SSRF) flaws and one instance of unrestricted file upload functionality in the API Management developer portal, according to Israeli cloud security firm Ermetic. Exploitation of SSRF flaws can result in loss of confidentiality and integrity, permitting a threat actor to read internal Azure resources and execute unauthorized code.
An authenticated user can leverage the path traversal flaw to upload malicious files to the developer portal server and potentially even execute arbitrary code on the underlying system.”
Tomi Engdahl says:
Malicious HTML Attachment Volumes Surge
https://www.infosecurity-magazine.com/news/malicious-html-attachment-volumes/
The share of HTML attachments assessed to be malicious has more than doubled, from 21% last May to nearly 46% in March 2023, according to Barracuda.
Tomi Engdahl says:
Researchers Uncover New BGP Flaws in Popular Internet Routing Protocol Software https://thehackernews.com/2023/05/researchers-uncover-new-bgp-flaws-in.html
“The three vulnerabilities reside in version 8.4 of FRRouting, a popular open source internet routing protocol suite for Linux and Unix platforms. The issues ‘could be exploited by attackers to achieve a DoS condition on vulnerable BGP peers, thus dropping all BGP sessions and routing tables and rendering the peer unresponsive.’”
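Both this item and the Forescout write-up earlier on this page describe out-of-bounds reads while FRRouting processes malformed OPEN messages. As an added example (not FRRouting’s code), here is a bounds-checked Python parser for the OPEN message layout of RFC 4271 and RFC 5492: every length taken from the wire is checked against the bytes actually present before it is used. The two sample messages are constructed, one well-formed and one whose nested capability length overruns the buffer.

```python
"""Bounds-checked parser for BGP OPEN messages (RFC 4271 / RFC 5492 layout); added example."""
import struct
from dataclasses import dataclass, field

BGP_MARKER = b"\xff" * 16
BGP_TYPE_OPEN = 1
BGP_HEADER_LEN = 19          # marker(16) + length(2) + type(1)
BGP_OPEN_FIXED_LEN = 10      # version(1) + my AS(2) + hold time(2) + identifier(4) + opt len(1)
BGP_MAX_MSG_LEN = 4096
OPT_PARAM_CAPABILITIES = 2   # RFC 5492 optional parameter type

class MalformedOpen(ValueError):
    """Raised instead of reading past the end of a malformed message."""

@dataclass
class BgpOpen:
    version: int
    my_as: int
    hold_time: int
    bgp_id: str
    capabilities: list = field(default_factory=list)   # (code, raw value) pairs

def parse_open(msg: bytes) -> BgpOpen:
    # Header: the declared length must agree with the buffer we hold, otherwise
    # every offset derived from wire data is untrustworthy.
    if len(msg) < BGP_HEADER_LEN:
        raise MalformedOpen("short header")
    length, mtype = struct.unpack("!HB", msg[16:19])
    if msg[:16] != BGP_MARKER:
        raise MalformedOpen("bad marker")
    if mtype != BGP_TYPE_OPEN:
        raise MalformedOpen(f"not an OPEN (type {mtype})")
    if not BGP_HEADER_LEN + BGP_OPEN_FIXED_LEN <= length <= BGP_MAX_MSG_LEN:
        raise MalformedOpen(f"bad length {length}")
    if length != len(msg):
        raise MalformedOpen("declared length does not match buffer")

    body = msg[BGP_HEADER_LEN:]
    version, my_as, hold_time, ident, opt_len = struct.unpack("!BHHIB", body[:BGP_OPEN_FIXED_LEN])
    if version != 4:
        raise MalformedOpen(f"unsupported version {version}")
    params = body[BGP_OPEN_FIXED_LEN:]
    if opt_len != len(params):   # Opt Parm Len must describe exactly the remaining bytes
        raise MalformedOpen(f"opt-parm-len {opt_len} but {len(params)} bytes follow")
    bgp_id = ".".join(str(b) for b in struct.pack("!I", ident))
    result = BgpOpen(version, my_as, hold_time, bgp_id)

    # Optional parameters are TLVs; each length is checked against what remains
    # *before* slicing, so a truncated TLV raises instead of overreading.
    for ptype, value in _walk_tlvs(params, "optional parameter"):
        if ptype == OPT_PARAM_CAPABILITIES:
            # Capabilities are a second, nested TLV layer with its own lengths.
            result.capabilities.extend(_walk_tlvs(value, "capability"))
    return result

def _walk_tlvs(buf: bytes, what: str) -> list:
    """Split buf into (type, value) pairs, rejecting any TLV that overruns buf."""
    out, pos = [], 0
    while pos < len(buf):
        if len(buf) - pos < 2:
            raise MalformedOpen(f"truncated {what} header")
        t, ln = buf[pos], buf[pos + 1]
        pos += 2
        if ln > len(buf) - pos:
            raise MalformedOpen(f"{what} {t} length {ln} exceeds remaining {len(buf) - pos}")
        out.append((t, buf[pos:pos + ln]))
        pos += ln
    return out

def build_open(my_as: int, hold_time: int, bgp_id: str, params: bytes) -> bytes:
    """Build an OPEN with a correct header so samples differ only in their parameters."""
    ident = int.from_bytes(bytes(int(o) for o in bgp_id.split(".")), "big")
    body = struct.pack("!BHHIB", 4, my_as, hold_time, ident, len(params)) + params
    return BGP_MARKER + struct.pack("!HB", BGP_HEADER_LEN + len(body), BGP_TYPE_OPEN) + body

# Constructed samples: a well-formed OPEN advertising the 4-octet AS capability
# (code 65), and one whose nested capability claims 200 bytes that are not there.
CAP_4OCTET_AS = bytes([65, 4]) + struct.pack("!I", 65000)
GOOD_OPEN = build_open(65000, 90, "192.0.2.1",
                       bytes([OPT_PARAM_CAPABILITIES, len(CAP_4OCTET_AS)]) + CAP_4OCTET_AS)
OVERRUN_OPEN = build_open(65000, 90, "192.0.2.1", bytes([OPT_PARAM_CAPABILITIES, 2, 65, 200]))

def check(msg: bytes):
    """Return the parsed OPEN, or a 'rejected: ...' string for a malformed one."""
    try:
        return parse_open(msg)
    except MalformedOpen as exc:
        return f"rejected: {exc}"
```

Running `check(GOOD_OPEN)` yields the parsed structure with one capability, while `check(OVERRUN_OPEN)` is rejected at the nested capability layer, the spot where a parser that trusts the wire length would read beyond the message.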