This posting is here to collect cyber security news in May 2023.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
379 Comments
Tomi Engdahl says:
GitHub Secret-Blocking Feature Now Generally Available
https://www.securityweek.com/github-secret-blocking-feature-now-generally-available/
GitHub makes push protection generally available to warn developers whenever they include a secret in a commit.
GitHub today announced the general availability of push protection, a feature designed to prevent developers from unknowingly exposing secrets in their code.
Push protection was initially announced in December 2022 as part of secret scanning, a new feature meant to help developers and organizations identify any secrets exposed in their repositories.
In March 2023, the Microsoft-owned code hosting platform announced the general availability of secret scanning, after previously making it available for free for public repositories.
Now, the push protection feature is also generally available and is free for all public repositories. It can also be used for private repositories with a GitHub Advanced Security (GHAS) license.
Tomi Engdahl says:
ICS Patch Tuesday: Siemens, Schneider Electric Address Few Dozen Vulnerabilities
https://www.securityweek.com/ics-patch-tuesday-siemens-schneider-electric-address-few-dozen-vulnerabilities/
Siemens and Schneider Electric’s Patch Tuesday advisories for May 2023 address a few dozen vulnerabilities found in their products.
Siemens
Siemens has published six new advisories describing 26 vulnerabilities. The company has informed customers about two critical flaws in Siveillance Video products that can be exploited for authenticated remote code execution.
The Scalance local processing engine (LPE) is affected by one critical and four low-severity issues. The flaws can be exploited to access the underlying operating system with elevated privileges, access data, and cause a DoS condition.
Several critical and high-severity vulnerabilities have been patched in third-party components used by the Sinec network management system.
Tomi Engdahl says:
https://www.blackhatethicalhacking.com/news/critical-linux-kernel-flaw-unprivileged-users-gain-root-control/
Tomi Engdahl says:
https://thehackernews.com/2023/05/new-ransomware-strain-cactus-exploits.html
Tomi Engdahl says:
https://www.tivi.fi/uutiset/hakkerit-iskivat-usan-sheriffien-jarjestelmaan-sheriffit-kieltaytyivat-maksamasta-lunnaita-ja-nolostihan-siina-kavi/c0acb1cc-ed4a-4a66-9392-2578d7b812a2
Tomi Engdahl says:
https://www.washingtonpost.com/national-security/2023/05/01/marshals-hack-fugitives-surveillance-shutdown/
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/microsoft/microsoft-issues-optional-fix-for-secure-boot-zero-day-used-by-malware/
Tomi Engdahl says:
https://www.techspot.com/news/98612-hackers-publish-msi-private-keys-enabling-signed-malware.html
Tomi Engdahl says:
https://arstechnica.com/information-technology/2023/05/passwordless-google-accounts-are-easier-and-more-secure-than-passwords-heres-why/
Tomi Engdahl says:
https://arstechnica.com/gaming/2023/05/nintendo-files-dmca-takedowns-on-switch-emulation-tools-just-before-tears-debut/
Tomi Engdahl says:
A change is coming to logging in with bank credentials: here is how it will look to you https://www.is.fi/digitoday/tietoturva/art-2000009572641.html
Electronic services in Finland are changing. According to the National Cyber Security Centre of the Finnish Transport and Communications Agency Traficom, for ordinary users this will be visible, among other things, as a simplification of authentication.
The aim is to improve security. The reason for the change is Traficom's regulation on strong electronic identification and trust services. The regulation enters fully into force in June this year.
Tomi Engdahl says:
Mastermind Behind Twitter 2020 Hack Pleads Guilty and Faces up to 70 Years in Prison https://thehackernews.com/2023/05/mastermind-behind-twitter-2020-hack.html
A U.K. national has pleaded guilty in connection with the July 2020 Twitter attack affecting numerous high-profile accounts and defrauding other users of the platform. Joseph James O’Connor, who also went by the online alias PlugwalkJoe, admitted to “his role in cyberstalking and multiple schemes that involve computer hacking, including the July 2020 hack of Twitter,” the U.S. Department of Justice (DoJ) said
Tomi Engdahl says:
Spanish police dismantle phishing operation linked to crime ring https://www.bleepingcomputer.com/news/security/spanish-police-dismantle-phishing-operation-linked-to-crime-ring/
The National Police of Spain have arrested two hackers, 15 members of a criminal organization, and another 23 people involved in illegal financial operations in Madrid and Seville for alleged bank scams. The cybercrime operation is an email and SMS-based phishing campaign that allegedly scammed over 300,000 people and resulted in confirmed losses of at least 700,000 euros ($770k)
Tomi Engdahl says:
New phishing-as-a-service tool Greatness already seen in the wild https://blog.talosintelligence.com/new-phishing-as-a-service-tool-greatness-already-seen-in-the-wild/
A previously unreported phishing-as-a-service (PaaS) offering named Greatness has been used in several phishing campaigns since at least mid-2022. Greatness incorporates features seen in some of the most advanced PaaS offerings, such as multi-factor authentication (MFA) bypass, IP filtering and integration with Telegram bots
Tomi Engdahl says:
Fake system update drops Aurora stealer via Invalid Printer loader https://www.malwarebytes.com/blog/threat-intelligence/2023/05/fake-system-update-drops-new-highly-evasive-loader
Malvertising seems to be enjoying a renaissance as of late, whether it is from ads on search engine results pages or via popular websites.
Because browsers are more secure today than they were 5 or 10 years ago, the attacks that we are seeing all involve some form of social engineering. A threat actor is using malicious ads to redirect users to what looks like a Windows security update. The scheme is very well designed as it relies on the web browser to display a full screen animation that very much resembles what you’d expect from Microsoft
Tomi Engdahl says:
New ransomware decryptor recovers data from partially encrypted files https://www.bleepingcomputer.com/news/security/new-ransomware-decryptor-recovers-data-from-partially-encrypted-files/
A new ‘White Phoenix’ ransomware decryptor allows victims to partially recover files encrypted by ransomware strains that use intermittent encryption. Intermittent encryption is a strategy employed by several ransomware groups that alternates between encrypting and not encrypting chunks of data. This method allows a file to be encrypted much faster while still leaving the data unusable by the victim
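To make the intermittent-encryption point concrete, here is an added example (not the White Phoenix tool, and not code from the article) that shows why such files are partly recoverable: the untouched chunks keep their low byte entropy, so they can be told apart from the overwritten ones and carved out. The 1 KiB chunk size and the alternating pattern are assumptions for the demonstration, the sample file is constructed, and the "encryption" is simulated by overwriting chunks with random bytes rather than with any cipher.

```python
"""Carving surviving plaintext from an intermittently damaged file.

Added example illustrating the idea behind partial-recovery decryptors.
Assumptions: fixed 1 KiB chunks, every other chunk overwritten. No real
cipher is involved; random bytes stand in for ciphertext.
"""
import math
import random
from collections import Counter

CHUNK = 1024  # assumed chunk size; real strains use various sizes and strides


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; near 8.0 for ciphertext/random data, ~4-5 for English text."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def simulate_intermittent_damage(plain: bytes, seed: int = 1) -> bytes:
    """Overwrite every other chunk with random bytes (constructed test input)."""
    rng = random.Random(seed)
    out = bytearray(plain)
    for start in range(0, len(out), 2 * CHUNK):
        end = min(start + CHUNK, len(out))
        out[start:end] = rng.randbytes(end - start)
    return bytes(out)


def classify_chunks(blob: bytes, threshold: float = 7.0) -> list[bool]:
    """True where a chunk looks overwritten (high entropy), False where plaintext survives."""
    return [shannon_entropy(blob[i:i + CHUNK]) >= threshold
            for i in range(0, len(blob), CHUNK)]


def carve_plaintext(blob: bytes) -> list[tuple[int, bytes]]:
    """Return (offset, bytes) runs of surviving plaintext, merging adjacent chunks."""
    runs: list[tuple[int, bytes]] = []
    for idx, damaged in enumerate(classify_chunks(blob)):
        if damaged:
            continue
        start = idx * CHUNK
        piece = blob[start:start + CHUNK]
        if runs and runs[-1][0] + len(runs[-1][1]) == start:
            runs[-1] = (runs[-1][0], runs[-1][1] + piece)  # extend previous run
        else:
            runs.append((start, piece))
    return runs


def recoverable_fraction(blob: bytes) -> float:
    """Share of the file that survives as plaintext."""
    return sum(len(b) for _, b in carve_plaintext(blob)) / len(blob)


# Constructed sample document: ~10 KB of low-entropy text.
SAMPLE_PLAIN = b"Quarterly report: revenue grew 12% year over year. " * 200

if __name__ == "__main__":
    damaged = simulate_intermittent_damage(SAMPLE_PLAIN)
    for offset, piece in carve_plaintext(damaged):
        print(f"plaintext run at offset {offset}, {len(piece)} bytes")
    print(f"recoverable: {recoverable_fraction(damaged):.1%}")
```

For real documents the carved runs still need format-aware reassembly (a PDF or Office file is a container, not flat text), which is the part a dedicated decryptor adds on top of this chunk classification.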
Tomi Engdahl says:
Sergiu Gatlan / BleepingComputer:
Industrial cybersecurity firm Dragos says a known cybercrime group gained access to its SharePoint cloud service on May 8 but didn’t breach its internal network — Industrial cybersecurity company Dragos today disclosed what it describes as a “cybersecurity event” after a known cybercrime gang attempted …
Cybersecurity firm Dragos discloses cybersecurity incident, extortion attempt
https://www.bleepingcomputer.com/news/security/cybersecurity-firm-dragos-discloses-cybersecurity-incident-extortion-attempt/
Industrial cybersecurity company Dragos today disclosed what it describes as a “cybersecurity event” after a known cybercrime gang attempted to breach its defenses and infiltrate the internal network to encrypt devices.
While Dragos states that the threat actors did not breach its network or cybersecurity platform, they got access to the company’s SharePoint cloud service and contract management system.
“On May 8, 2023, a known cybercriminal group attempted and failed at an extortion scheme against Dragos. No Dragos systems were breached, including anything related to the Dragos Platform,” the company said.
Deconstructing a Cybersecurity Event
https://www.dragos.com/blog/deconstructing-a-cybersecurity-event/
Tomi Engdahl says:
Brian Krebs / Krebs on Security:
Microsoft released at least 48 security fixes for Windows and other software, including for two zero-day vulnerabilities under active exploitation — Microsoft today released software updates to fix at least four dozen security holes in its Windows operating systems and other software …
Microsoft Patch Tuesday, May 2023 Edition
https://krebsonsecurity.com/2023/05/microsoft-patch-tuesday-may-2023-edition/
Microsoft today released software updates to fix at least four dozen security holes in its Windows operating systems and other software, including patches for two zero-day vulnerabilities that are already being exploited in active attacks.
First up in May’s zero-day flaws is CVE-2023-29336, which is an “elevation of privilege” weakness in Windows which has a low attack complexity, requires low privileges, and no user interaction. However, as the SANS Internet Storm Center points out, the attack vector for this bug is local.
The zero-day patch that has received the most attention so far is CVE-2023-24932, which is a Secure Boot Security Feature Bypass flaw that is being actively exploited by “bootkit” malware known as “BlackLotus.” A bootkit is dangerous because it allows the attacker to load malicious software before the operating system even starts up.
According to Microsoft’s advisory, an attacker would need physical access or administrative rights to a target device, and could then install an affected boot policy. Microsoft gives this flaw a CVSS score of just 6.7, rating it as “Important.”
Adam Barnett, lead software engineer at Rapid7, said CVE-2023-24932 deserves a considerably higher threat score.
In addition to the two zero-days fixed this month, Microsoft also patched five remote code execution (RCE) flaws in Windows, two of which have notably high CVSS scores.
CVE-2023-24941 affects the Windows Network File System, and can be exploited over the network by making an unauthenticated, specially crafted request. Microsoft’s advisory also includes mitigation advice. The CVSS for this vulnerability is 9.8 – the highest of all the flaws addressed this month.
Meanwhile, CVE-2023-28283 is a critical bug in the Windows Lightweight Directory Access Protocol (LDAP) that allows an unauthenticated attacker to execute malicious code on the vulnerable device. The CVSS for this vulnerability is 8.1, but Microsoft says exploiting the flaw may be tricky and unreliable for attackers.
Another vulnerability patched this month that was disclosed publicly before today (but not yet seen exploited in the wild) is CVE-2023-29325, a weakness in Microsoft Outlook and Explorer that can be exploited by attackers to remotely install malware. Microsoft says this vulnerability can be exploited merely by viewing a specially-crafted email in the Outlook Preview Pane.
“To help protect against this vulnerability, we recommend users read email messages in plain text format,” Microsoft’s writeup on CVE-2023-29325 advises.
Tomi Engdahl says:
Vivian Salama / Wall Street Journal:
Documents and officials: the US is investigating if Rockwell Automation’s software facility in China is exposing critical government assets to a cyberattack
Automation Giant Faces U.S. Government Probe Over China Operations
https://www.wsj.com/articles/automation-giant-faces-u-s-government-probe-over-china-operations-e12c831f?mod=djemalertNEWS
Investigation of Rockwell looks at whether its software might allow access to critical U.S. government and industrial infrastructure
WASHINGTON—The Biden administration is investigating whether Rockwell Automation, one of the world’s largest industrial technology and information companies, is exposing critical U.S. infrastructure, military and other government assets to a potentially serious cyberattack through one of its China-based facilities, according to U.S. officials and documents reviewed by The Wall Street Journal.
The Milwaukee-based information giant provides productivity-improvement software and cybersecurity services to computer platforms used in the national power grid as well as by the U.S. Navy and Coast Guard and other parts of the federal government, among other customers, according to the company’s website.
The U.S. government investigation is focused on employees based at the company’s facility in Dalian, China, who might have access to software codes that connect with those computer systems.
Investigators are looking into potential vulnerabilities that might allow access from China to critical U.S. government and industrial infrastructure and computer systems, according to a memorandum of investigative activity, which documents evidence in the course of a probe. The memorandum, dated Jan. 24, details testimony from a whistleblower interviewed by government investigators from the three agencies.
A spokeswoman for Rockwell Automation said the company hasn’t been notified of any investigation related to the company’s work in Dalian but would fully cooperate if it receives such a notification.
The focus of government investigators on business practices in China of a major U.S. government contractor shows the extent to which relations between the two countries have become defined by mutual suspicion and U.S. concerns over Beijing’s efforts to boost its technological prowess and intelligence-gathering by infiltrating American computer networks. The scrutiny of Rockwell comes after the U.S. government campaigned globally to stymie China’s Huawei Technologies, a provider of telecommunications-infrastructure hardware, saying it threatened U.S. national security because Beijing can compel Chinese companies to hand over data.
Tomi Engdahl says:
Bob Van Voris / Bloomberg:
A US judge sentences Nickolas Sharp, who worked for IoT maker Ubiquiti, to six years in prison, rejecting claims that his data theft made the company safer
Engineer Gets 6 Years After Saying His Theft Made Ubiquiti Safer
https://www.bloomberg.com/news/articles/2023-05-10/engineer-gets-6-years-after-saying-his-theft-made-ubiquiti-safer#xj4y7vzkg
Ubiquiti suffered $4 billion market-cap drop, US says
Nickolas Sharp claimed his crime began as ‘unsanctioned drill’
An engineer who worked for billionaire Robert Pera’s Ubiquiti Inc. got six years in prison after a judge rejected his claim that his plan to steal data from the company and demand $1.9 million for its return began as an “unsanctioned security drill” that made the computer network safer.
Nickolas Sharp, 37, was sentenced Wednesday after pleading guilty to charges of intentionally damaging a protected computer, wire fraud and making false statements to law enforcement. According to prosecutors, he extorted the money from the company at a time when he was purportedly working to fix the
Tomi Engdahl says:
https://www.securityweek.com/microsoft-patch-tuesday-40-vulnerabilities-2-zero-days/
Tomi Engdahl says:
https://www.securityweek.com/twitter-celebrity-hacker-pleads-guilty-in-us/
Tomi Engdahl says:
Chipmaker Patch Tuesday: Intel, AMD Address Over 100 Vulnerabilities
https://www.securityweek.com/chipmaker-patch-tuesday-intel-amd-address-over-100-vulnerabilities/
Intel and AMD have informed their customers about a total of more than 100 vulnerabilities found in their products.
Chipmakers Intel and AMD both released security advisories this Patch Tuesday. They have informed customers about a total of more than 100 vulnerabilities found in their products.
Intel
Intel has released 38 advisories covering over 80 vulnerabilities. The company has addressed nearly two dozen issues rated ‘high severity’ — the remaining bugs have been rated ‘medium severity’ and one is ‘low severity’.
High-severity vulnerabilities that can lead to privilege escalation have been resolved in QuickAssist Technology (QAT), the Retail Edge Mobile iOS application, Server Board BMC firmware, processors, WULT software, i915 Graphics drivers for Linux, Data Center Manager (DCM), Virtual RAID on CPU (VROC), Trace Analyzer and Collector, NUC firmware, System Usage Report (SUR), and One Boot Flash Update (OFU).
Medium-severity flaws have been addressed in Unite products, NUC products, Data Center Manager (DCM), Connect M Android application, MacCPUID, Integrated Performance Primitives (IPP), Setup and Configuration Software (SCS), Endpoint Management Assistant (EMA), Quartus Prime Pro, Smart Campus Android application, Digital Signal Processing (DSP), oneAPI Toolkit, FPGA firmware, and Pathfinder for RISC-V.
A majority of these vulnerabilities can be exploited for privilege escalation and some can lead to a DoS condition.
A low-severity issue that can lead to information disclosure was patched in the Open Cache Acceleration Software (CAS) for Linux maintained by Intel.
Patches are available for most vulnerabilities, and for some flaws the company has made available mitigations or workarounds.
AMD
AMD published two Patch Tuesday advisories: one describing 19 client vulnerabilities, and one covering 14 server vulnerabilities.
The client flaws — all with 2021 CVE identifiers — are low- and medium-severity issues affecting components of Athlon, Ryzen and Threadripper processors. Exploitation can lead to arbitrary code execution, DoS, or information disclosure.
AMD has released firmware updates that should address these vulnerabilities.
In the case of the server vulnerabilities, most of them have 2021 CVE identifiers and two have 2023 CVEs. There is one high- and 13 medium-severity issues that can lead to code execution, information disclosure, privilege escalation, or a DoS condition.
The security holes impact AMD Secure Processor (ASP), System Management Unit (SMU), Secure Encrypted Virtualization (SEV), and other platform components.
Tomi Engdahl says:
SAP Patches Critical Vulnerabilities With May 2023 Security Updates
https://www.securityweek.com/sap-patches-critical-vulnerabilities-with-may-2023-security-updates/
SAP released 18 new security notes on May 2023 Security Patch Day, including two that resolve critical vulnerabilities in 3D Visual Enterprise License Manager and BusinessObjects.
Tomi Engdahl says:
Capita Says Ransomware Attack Will Cost It Up to $25 Million
https://www.securityweek.com/capita-says-ransomware-attack-will-cost-it-up-to-25-million/
UK-based Capita says the recent ransomware attack will cost it up to $25 million, but it has not clarified whether that includes a ransom payment to the cybercriminals.
UK-based business process outsourcing and professional services company Capita said on Wednesday that it expects to incur costs ranging between roughly £15 million ($19 million) and £20 million ($25 million) as a result of the recent cybersecurity incident, but it has not clarified whether that includes a ransom payment to the hackers.
The breach came to light on March 31, when Capita said it was experiencing a major IT incident that had been causing disruptions, but it took until April 3 for the company to confirm that the cause was a cyberattack.
Tomi Engdahl says:
Webb Raises $7 Million for Blockchain Asset Transfer Privacy System
https://www.securityweek.com/webb-raises-7-million-for-blockchain-asset-transfer-privacy-system/
Blockchain company Webb Technologies has raised $7 million in seed funding for its privacy tools and protocol.
Tomi Engdahl says:
https://www.securityweek.com/dragos-says-ransomware-hackers-failed-at-elaborate-extortion-scheme/
Tomi Engdahl says:
https://www.securityweek.com/appeals-court-sides-with-corellium-in-apple-copyright-case/
Tomi Engdahl says:
Equifax Releases Security and Privacy Controls Framework
https://www.securityweek.com/equifax-releases-security-and-privacy-controls-framework/
Equifax released its security and privacy controls framework to provide a public blueprint to help organizations to build or enhance their own cybersecurity programs.
Tomi Engdahl says:
Google Now Lets US Users Search Dark Web for Their Gmail ID
https://www.securityweek.com/google-now-lets-us-users-search-dark-web-for-their-gmail-id/
Google is now letting Gmail users in the US run scans to learn whether their Gmail ID appears on the dark web.
Gmail users in the US can now run scans to find out whether their Gmail ID appears on the dark web, Google announced today at Google I/O, its annual developer conference.
The feature was initially announced in March, when the internet giant released it for Google One users only.
It allows users to run scans and receive a report informing them whether their information, including name, address, email address, phone number, and Social Security number, appears on dark web portals.
Such information typically ends up on the dark web following a data breach (cybercriminals are known to share or trade stolen personally identifiable information on underground forums), but could also be harvested from publicly available databases.
With the dark web report enabled, users are automatically notified when matching information is found. Google will also provide guidance on how to protect the exposed information.
The internet giant says it plans to make the dark web report available to international markets soon.
Tomi Engdahl says:
Building Automation System Exploit Brings KNX Security Back in Spotlight
https://www.securityweek.com/building-automation-system-exploit-brings-knx-security-back-in-spotlight/
A public exploit targeting building automation systems brings KNX security back into the spotlight, with Schneider Electric releasing a security bulletin.
Tomi Engdahl says:
US Disrupts Russia’s Sophisticated ‘Snake’ Cyberespionage Malware
https://www.securityweek.com/us-disrupts-russias-sophisticated-snake-cyberespionage-malware/
The US government has announced the disruption of Snake, a sophisticated cyberespionage malware officially attributed to a unit of Russia’s FSB agency.
Tomi Engdahl says:
Qbot banking trojan was Finland's most common malware in April
https://etn.fi/index.php/13-news/14960-qbot-pankitroijalainen-suomen-yleisin-haittaohjelma-huhtikuussa
The research arm of security company Check Point has published its April malware review. Finland's most common malware was the Qbot banking trojan, which was also in second place on the global list.
Last month, Check Point researchers observed an extensive campaign in which the Qbot malware was spread through a new distribution method: malicious, protected PDF files attached to emails. Once the files were downloaded, the malware was installed on the device. The malware was distributed in several languages and targeted organizations around the world.
Tomi Engdahl says:
April 2023’s Most Wanted Malware: Qbot Launches Substantial Malspam Campaign and Mirai Makes its Return https://blog.checkpoint.com/security/april-2023s-most-wanted-malware-qbot-launches-substantial-malspam-campaign-and-mirai-makes-its-return/
Check Point Research uncovered a substantial malspam campaign for Trojan Qbot, which came in second in last month’s threat index.
Meanwhile Internet-of-Things (IoT) malware Mirai made it back on the list for the first time in a year, and Healthcare moved up to become the second most exploited industry
Tomi Engdahl says:
GitHub now auto-blocks token and API key leaks for all repos https://www.bleepingcomputer.com/news/security/github-now-auto-blocks-token-and-api-key-leaks-for-all-repos/
GitHub is now automatically blocking the leak of sensitive information like API keys and access tokens for all public code repositories.
Today’s announcement comes after the company introduced push protection in beta more than one year ago, in April 2022. This feature proactively prevents leaks by scanning for secrets before ‘git push’ operations are accepted, and it works with 69 token types (API keys, private keys, secret keys, authentication tokens, access tokens, management certificates, credentials, and more) detectable with a low “false positive” detection rate
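The two GitHub push-protection posts above (the SecurityWeek one earlier in the thread and this BleepingComputer one) describe scanning a push for secrets before it is accepted. As an added example, not GitHub's detector and not code from either article, the following scans only the added lines of a unified diff, reports the file and new-file line number of each hit, and masks the token in the report so the finding itself does not re-leak it. The three patterns are illustrative approximations (an assumption, not GitHub's 69-type pattern set), and the diff is constructed; the AWS key in it is the documented example key, not a live credential.

```python
"""Pre-push secret scan over a unified diff (added example, not GitHub's code).

Assumptions: three illustrative token patterns; a diff in standard
`git diff` format on stdin. Real detectors use many more patterns plus
checksum/entropy validation to keep false positives low.
"""
import re
import sys
from dataclasses import dataclass

# Illustrative patterns (assumed): prefix + fixed length, loosely modelled on
# common token shapes. Not an exhaustive or authoritative list.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}


@dataclass(frozen=True)
class Finding:
    kind: str
    path: str
    line_no: int   # line number in the new version of the file
    masked: str    # never echo the full secret back to the user


def mask(token: str) -> str:
    return token[:4] + "..." + token[-4:] if len(token) > 12 else "****"


def scan_diff(diff_text: str) -> list[Finding]:
    """Scan only '+' lines inside hunks, tracking file path and new-file line number."""
    findings: list[Finding] = []
    path = "?"
    new_line = 0
    in_hunk = False
    for raw in diff_text.splitlines():
        if raw.startswith("diff --git"):
            in_hunk = False          # new file section starts; headers follow
            continue
        if raw.startswith("@@"):
            m = re.search(r"\+(\d+)", raw)   # '+start,count' of the new file
            new_line = int(m.group(1)) if m else 1
            in_hunk = True
            continue
        if not in_hunk:
            if raw.startswith("+++ "):
                path = raw[4:].removeprefix("b/")
            continue
        if raw.startswith("-") or raw.startswith("\\"):
            continue                 # removed line or "\ No newline" marker
        if raw.startswith("+"):
            content = raw[1:]
            for kind, pattern in SECRET_PATTERNS.items():
                for m in pattern.finditer(content):
                    findings.append(Finding(kind, path, new_line, mask(m.group(0))))
        new_line += 1                # added and context lines both advance
    return findings


def should_block_push(diff_text: str) -> bool:
    """Policy decision: any finding blocks the push."""
    return bool(scan_diff(diff_text))


# Constructed sample diff; the AKIA value is AWS's published example key.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,3 +1,5 @@
 import os
-AWS_KEY = os.environ["AWS_ACCESS_KEY_ID"]
+# TODO remove before commit
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+GH_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"
 REGION = "eu-west-1"
"""

if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIFF
    for f in scan_diff(text):
        print(f"BLOCKED {f.path}:{f.line_no} {f.kind} ({f.masked})")
    sys.exit(1 if should_block_push(text) else 0)
```

Wired into a pre-push hook, the script would receive the output of `git diff` for the commits about to be pushed and its non-zero exit status would stop the push; that is the same decision point the push-protection feature operates at, with the difference that a hosted check cannot be skipped by a developer who forgot to install the hook.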
Tomi Engdahl says:
So much for Pakistan’s plan for digital economy: it’s turned off the internet https://www.theregister.com/2023/05/11/pakistan_protest_internet_cut/
Pakistan has blocked internet access across much of the country perhaps indefinitely as protests erupt over the arrest of former prime minister Imran Khan. When he was arrested on charges of corruption early this week, protests quickly followed and became unusually widespread and violent. The authorities have responded with widespread internet blocks. Numerous reports suggest that in places connectivity persists, though social networks cannot be reached
Tomi Engdahl says:
ENISA leans into EU-based clouds with draft cybersecurity label https://www.theregister.com/2023/05/11/eu_cybersecurity_label_scheme_faces/
Cloud services providers that aren’t based in Europe like the Big Three may have to team up with a cloud that is operated and maintained from the EU if they want ENISA’s stamp of approval for handling sensitive data. ENISA, the European Union’s cybersecurity agency, is currently developing a cybersecurity certification scheme that aims to better protect member-state governments’ and businesses’ data. This reportedly includes a new proposal that would require any non-European cloud providers to form a joint-venture with an EU-based provider if they want to earn a coveted ENISA cybersecurity label
Tomi Engdahl says:
Reuters:
Toyota says the vehicle data of 2.15M users in Japan, or almost all of its cloud service customers, has been public since November 2013 due to a human error
More than 2 million Toyota users face risk of vehicle data leak in Japan
https://www.reuters.com/business/autos-transportation/toyota-flags-possible-leak-more-than-2-mln-users-vehicle-data-japan-2023-05-12/
TOKYO, May 12 (Reuters) – Toyota Motor Corp (7203.T) said on Friday the vehicle data of 2.15 million users in Japan, or almost the entire customer base who signed up for its main cloud service platforms since 2012, had been publicly available for a decade due to human error.
The incident, which also affected customers of its luxury brand Lexus, comes as the world’s biggest automaker by sales makes a push into vehicle connectivity and cloud-based data management which are seen as crucial to offering autonomous driving and other artificial intelligence-backed features.
The issue, which began in November 2013 and lasted until mid-April, stemmed from human error, leading to a cloud system being set to public instead of private, a Toyota spokesperson said. It could encompass details such as vehicle locations and identification numbers of vehicle devices, but there were no reports of malicious use, the company said.
“There was a lack of active detection mechanisms, and activities to detect the presence or absence of things that became public,” the spokesperson said in response to why it took time to realise there had been an error.
Toyota said it would introduce a system to audit cloud settings, establish a system to continuously monitor settings, and thoroughly educate employees on data handling rules.
Affected customers included those who signed up for the T-Connect service that provides a wide range of services including AI voice-enabled driving assistance, auto connection to call centres for vehicle management, and emergency support in such cases as a traffic accident or sudden illness.
Also affected were users of G-Link, a similar service for owners of Lexus vehicles.
Japan’s Personal Information Protection Commission has been informed about the incident
Toyota said steps to block outside access to the data were taken after the issue was discovered and an investigation into all cloud environments managed by Toyota Connected Corp was being carried out.
The incident adds to a raft of challenges facing Koji Sato who took over as Toyota CEO on April 1 from Akio Toyoda, grandson of the company’s founder.
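The Toyota post above attributes the decade-long exposure to a cloud system being set to public and to the absence of any detection mechanism for that state, and says the remedy is a system that audits and continuously monitors cloud settings. As an added example of what the audit half of that looks like (not Toyota's system, and not code from the article), the following walks a set of storage bucket policies and flags any Allow statement that grants read access to an anonymous principal without a condition. The policy grammar is the AWS IAM/S3 bucket-policy JSON form; the bucket names and policies are constructed. The check is deliberately narrow: it does not model NotPrincipal/NotAction, object ACLs, or account-level public-access blocks, and it treats conditioned grants as needing manual review rather than flagging them.

```python
"""Audit storage bucket policies for anonymous read access (added example).

Assumptions: policies in AWS IAM/S3 JSON grammar; only plain Allow
statements with Principal/Action are evaluated. Sample data is constructed.
"""
import json


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal) -> bool:
    """'*' or {'AWS': '*'} (possibly inside a list) means anyone on the internet."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def _grants_read(actions) -> bool:
    wanted = {"*", "s3:*", "s3:getobject", "s3:listbucket"}
    return any(str(a).lower() in wanted for a in _as_list(actions))


def find_public_statements(policy: dict) -> list[str]:
    """Sid (or statement index) of unconditioned Allow statements readable by anyone."""
    hits: list[str] = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        if not _principal_is_public(st.get("Principal")):
            continue
        if not _grants_read(st.get("Action", [])):
            continue
        if st.get("Condition"):
            continue   # conditioned grant: review by hand, not auto-flagged here
        hits.append(str(st.get("Sid", i)))
    return hits


def audit_buckets(policies: dict[str, str]) -> dict[str, list[str]]:
    """bucket name -> offending statement ids; clean buckets are omitted."""
    report: dict[str, list[str]] = {}
    for bucket, raw in policies.items():
        hits = find_public_statements(json.loads(raw))
        if hits:
            report[bucket] = hits
    return report


# Constructed sample: one bucket left public, one correctly scoped to a role.
SAMPLE_POLICIES = {
    "telematics-prod": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "PublicRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::telematics-prod/*",
        }],
    }),
    "telematics-private": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AppRoleOnly",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::telematics-private/*",
        }, {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::telematics-private/*",
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        }],
    }),
}

if __name__ == "__main__":
    for bucket, sids in audit_buckets(SAMPLE_POLICIES).items():
        print(f"PUBLIC: {bucket} via statement(s) {', '.join(sids)}")
```

Run on a schedule against the live policy set, an empty report is the expected state and any non-empty report is the alert; that is the "active detection mechanism" the Toyota spokesperson said was missing.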
Tomi Engdahl says:
Reuters:
EU lawmakers agree to ban facial recognition use in public and predictive policing tools, and set transparency rules on generative AI; details must be finalized
https://www.reuters.com/technology/eu-lawmakers-committees-agree-tougher-draft-ai-rules-2023-05-11/
Tomi Engdahl says:
Teltonika Remote Management System and RUT Model Routers
https://www.cisa.gov/news-events/ics-advisories/icsa-23-131-08
Julie says:
Cybersecurity in the automotive industry refers to the protection of electronic systems, networks, and sensitive data within vehicles from unauthorized access, attack, or manipulation. It involves the use of various technologies and practices to prevent cyber threats such as hacking, theft, and cyberattacks on the vehicle’s electronic control units, telematics systems, and other digital components.
Tomi Engdahl says:
Multinational tech firm ABB hit by Black Basta ransomware attack https://www.bleepingcomputer.com/news/security/multinational-tech-firm-abb-hit-by-black-basta-ransomware-attack/
Swiss multinational company ABB, a leading electrification and automation technology provider, has suffered a Black Basta ransomware attack, reportedly impacting business operations. Headquartered in Zurich, Switzerland, ABB employs approximately 105,000 employees and has $29.4 billion in revenue for 2022. As part of its services, the company develops industrial control systems (ICS) and SCADA systems for manufacturing and energy suppliers. On May 7th, the company fell victim to a cyber attack conducted by the Black Basta ransomware gang, a cybercrime group that surfaced in April 2022. BleepingComputer has learned from multiple employees that the ransomware attack has affected the company’s Windows Active Directory, affecting hundreds of devices
Tomi Engdahl says:
Beware of this kind of email: the National Cyber Security Centre has received many reports of break-ins https://www.tivi.fi/uutiset/tv/8929be07-95ff-4012-9a47-31269ce012cb
The National Cyber Security Centre of the Finnish Transport and Communications Agency Traficom warns of phishing messages related to secure email, which have led to several email account compromises this spring. The targets have been especially municipalities and public administration. Accounts compromised in this way are used, for example, in attempted invoice fraud. Sometimes the report is made by a third party that has received phishing messages from a compromised email account. The scam message, disguised as secure email, lures the recipient into entering their email username and password on a phishing page controlled by the criminal. The victim believes they are entering their credentials on a genuine login page, but the credentials end up in the criminal's hands
Tomi Engdahl says:
Supo: Russian Turla group has also spied on Finns online
https://yle.fi/a/74-20031601
The United States announced this week that it had neutralized a Russian espionage malware. Supo points out that Snake was only one of the Turla group's tools. According to the Finnish Security and Intelligence Service (Supo), neutralizing the Russian Snake espionage malware significantly limits the ability of Russia's security service FSB to carry out planned and long-term cyber espionage operations abroad. It does not, however, remove that ability entirely; according to Supo, Russian cyber espionage remains a serious threat
Tomi Engdahl says:
FBI: Bl00dy Ransomware targets education orgs in PaperCut attacks https://www.bleepingcomputer.com/news/security/fbi-bl00dy-ransomware-targets-education-orgs-in-papercut-attacks/
The FBI and CISA issued a joint advisory to warn that the Bl00dy Ransomware gang is now also actively exploiting a PaperCut remote-code execution vulnerability to gain initial access to networks. The U.S. Cybersecurity & Infrastructure Security Agency mentions that the threat actor has focused their attacks on the education sector, which has a significant public exposure of the flaw. “In early May 2023, according to FBI information, the Bl00dy Ransomware Gang gained access to victim networks across the Education Facilities Subsector where PaperCut servers vulnerable to CVE-2023-27350 were exposed to the internet,” reads the security advisory. “Ultimately, some of these operations led to data exfiltration and encryption of victim systems.”
Tomi Engdahl says:
Microsoft patches bypass for recently fixed Outlook zero-click bug https://www.bleepingcomputer.com/news/microsoft/microsoft-patches-bypass-for-recently-fixed-outlook-zero-click-bug/
Microsoft fixed a security vulnerability this week that could be used by remote attackers to bypass recent patches for a critical Outlook zero-day security flaw abused in the wild. This zero-click bypass (CVE-2023-29324) impacts all supported versions of Windows and was reported by Akamai security researcher Ben Barnea. “All Windows versions are affected by the vulnerability. As a result, all Outlook client versions on Windows are exploitable,” Barnea explained. The Outlook zero-day bug patched in March (CVE-2023-23397) is a privilege escalation flaw in the Outlook client for Windows that enables attackers to steal NTLM hashes without user interaction in NTLM-relay attacks.
Tomi Engdahl says:
Google Reveals New Security And Privacy Features For Android And Gmail https://www.forbes.com/sites/kateoflahertyuk/2023/05/12/google-reveals-new-security-and-privacy-features-for-android-and-gmail/
Google has launched a bunch of new security and privacy features for its search engine, browser, email service and Android operating system as part of an online safety push. The tech giant revealed the new features in a blog during the Google I/O 2023 conference. Among the features are tools to protect people from the dangers posed by AI such as ChatGPT. About This Image helps people to evaluate the reliability of visual content online. It does so via context such as when an image was first indexed by Google, where it may have first appeared, and where else it's been seen online, for example a news, social or fact-checking site.
Tomi Engdahl says:
Microsoft will take nearly a year to finish patching new 0-day Secure Boot bug https://arstechnica.com/information-technology/2023/05/microsoft-patches-secure-boot-flaw-but-wont-enable-fix-by-default-until-early-2024/
Earlier this week, Microsoft released a patch to fix a Secure Boot bypass bug used by the BlackLotus bootkit we reported on in March. The original vulnerability, CVE-2022-21894, was patched in January, but the new patch for CVE-2023-24932 addresses another actively exploited workaround for systems running Windows 10 and 11 and Windows Server versions going back to Windows Server 2008. The BlackLotus bootkit is the first-known real-world malware that can bypass Secure Boot protections, allowing for the execution of malicious code before your PC begins loading Windows and its many security protections. We highlight the new fix partly because, unlike many high-priority Windows fixes, the update will be disabled by default for at least a few months after it’s installed and partly because it will eventually render current Windows boot media unbootable. The fix requires changes to the Windows boot manager that can’t be reversed once they’ve been enabled. Additionally, once the fixes have been enabled, your PC will no longer be able to boot from older bootable media that doesn’t include the fixes
Tomi Engdahl says:
Malicious AI Tool Ads Used to Deliver Redline Stealer https://www.trendmicro.com/en_us/research/23/e/malicious-ai-tool-ads-used-to-deliver-redline-stealer.html
The rising popularity of artificial intelligence (AI) tools such as ChatGPT has made them attractive targets for threat actors who are now exploiting them as social engineering ploys to entice victims into downloading malware droppers that ultimately result in the deployment of stealers like Vidar and Redline. Recently, we've been observing malicious advertisement campaigns in Google's search engine with themes that are related to AI tools. Figure 1 shows some examples of malicious ads served when a user searches for the keyword “midjourney” in Google (note that Midjourney is an AI tool that generates images from natural language descriptions).
Tomi Engdahl says:
Ex-Ubiquiti dev jailed for 6 years after stealing internal corp data, extorting bosses https://www.theregister.com/2023/05/12/exubiquiti_developer_jailed/
Nickolas Sharp has been sentenced to six years in prison and ordered to pay almost $1.6 million to his former employer Ubiquiti after stealing gigabytes of corporate data and then trying to extort almost $2 million from the biz while posing as an anonymous hacker. Last month, Sharp, 37, pleaded guilty to intentionally damaging a protected computer, wire fraud, and making false statements to the FBI.