This posting is here to collect cyber security news in May 2023.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
This posting is here to collect cyber security news in May 2023.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
379 Comments
Tomi Engdahl says:
BPFDoor Malware Evolves Stealthy Sniffing Backdoor Ups Its Game https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game
BPFdoor is a Linux-specific, low-profile, passive backdoor intended to maintain a persistent, long-term foothold in already-breached networks and environments and functions primarily to ensure an attacker can re-enter an infected system over an extended period of time, post-compromise. The malware gets its name from its usage of a Berkley Packet Filter a fairly unique way of receiving its instructions and evading detection, which bypasses firewall restrictions on incoming traffic. The malware is associated with a Chinese threat actor, Red Menshen (AKA Red Dev 18), which has been observed targeting telecommunications providers across the Middle East and Asia, as well as entities in the government, education, and logistics sectors since 2021. Recently, Deep Instincts threat lab observed and analyzed a previously undocumented and fully undetected new variant of BPFdoor.
One of the most significant differences compared to the previous variant lies in the removal of many of its hardcoded indicators, making the newer version more difficult to detect. Since first seen on VirusTotal in February 2023, the new variant remained undetected and is still undetected as of this writing
Tomi Engdahl says:
Toyota: Car location data of 2 million customers exposed for ten years https://www.bleepingcomputer.com/news/security/toyota-car-location-data-of-2-million-customers-exposed-for-ten-years/
Toyota Motor Corporation disclosed a data breach on its cloud environment that exposed the car-location information of 2,150,000 customers for ten years, between November 6, 2013, and April 17, 2023.
According to a security notice published in the company’s Japanese newsroom, the data breach resulted from a database misconfiguration that allowed anyone to access its contents without a password
Tomi Engdahl says:
Let white-hat hackers stick a probe in those voting machines, say senators https://www.theregister.com/2023/05/11/us_voting_system_pen_testing/
US voting machines would undergo deeper examination for computer security holes under proposed bipartisan legislation. Senators Mark Warner (D-VA) and Susan Collins (R-ME) this week introduced an amendment to the Help America Vote Act (HAVA) that would require the nation’s Election Assistance Commission to include penetration testing in its certification process of voting hardware and software. That tech would need to undergo pen testing before it could be used in elections. Today’s HAVA regulations the law was passed in 2002 following that 2000 election require the commission to provide testing and certification, decertification, and recertification of electronic ballot box hardware and software by accredited laboratories. But the rules stop short of explicitly requiring pen testing of these voting machines something hackers at DEF CON have been doing for years
Tomi Engdahl says:
Smart devices: using them safely in your home https://www.ncsc.gov.uk/guidance/smart-devices-in-the-home
Smart devices are the everyday items that connect to the internet.
This can include both ‘hi-tech’ items (think smart speakers, fitness trackers and security cameras), and also standard household items (such as fridges, lightbulbs and doorbells). Unlike conventional household items, you can’t just switch on a smart device and forget it; you’ll need to check a few simple things to protect yourself. This page explains how to set up and manage your smart devices to keep your home – and your information – safe
Tomi Engdahl says:
CISA warns of critical Ruckus bug used to infect Wi-Fi access points https://www.bleepingcomputer.com/news/security/cisa-warns-of-critical-ruckus-bug-used-to-infect-wi-fi-access-points/
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned today of a critical remote code execution (RCE) flaw in the Ruckus Wireless Admin panel actively exploited by a recently discovered DDoS botnet. While this security bug (CVE-2023-25717) was addressed in early February, many owners are likely yet to patch their Wi-Fi access points. Furthermore, no patch is available for those who own end-of-life models affected by this issue. Attackers are abusing the bug to infect vulnerable Wi-Fi APs with AndoryuBot malware (first spotted in February 2023) via unauthenticated HTTP GET requests. Once compromised, the devices are added to a botnet designed to launch Distributed Denial-of-Service (DDoS) attacks
Tomi Engdahl says:
Google adds unwanted tracker detection to Find My Device network https://www.malwarebytes.com/blog/news/2023/05/google-adds-unwanted-tracker-detection-to-find-my-device-network
Last week we reported that Google and Apple were looking for input on a draft specification to alert users in the event of suspected unwanted tracking. Apple and Google said other tracker makers like Samsung, Tile, Chipolo, eufy Security, and Pebblebee have expressed interest in their draft. Now, Google has used its annual I/O conference keynote to announce updates to its Find My Device network aimed at stopping unwanted tracking by devices with built-in location-tracking capabilities. Examples of these accessories are the Apple AirTag, Tile Mate and Pro, Samsung SmartTag, and Googles expected Grogu
Tomi Engdahl says:
The Week in Ransomware – May 12th 2023 – New Gangs Emerge https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-may-12th-2023-new-gangs-emerge/
This week we have multiple reports of new ransomware families targeting the enterprise, named Cactus and Akira, both increasingly active as they target the enterprise. The Cactus operation launched in March and has been found to exploit VPN vulnerabilities to gain access to corporate networks. BleepingComputer also reported on the Akira ransomware, a new operation launched in March that quickly amassed sixteen victims on its data leak site
Tomi Engdahl says:
Hypervisor Ransomware | Multiple Threat Actor Groups Hop on Leaked Babuk Code to Build ESXi Lockers https://www.sentinelone.com/labs/hypervisor-ransomware-multiple-threat-actor-groups-hop-on-leaked-babuk-code-to-build-esxi-lockers/
Throughout early 2023, SentinelLabs observed an increase in VMware ESXi ransomware based on Babuk (aka Babak, Babyk). The Babuk leaks in September 2021 provided unprecedented insight into the development operations of an organized ransomware group. Due to the prevalence of ESXi in on-prem and hybrid enterprise networks, these hypervisors are valuable targets for ransomware. Over the past two years, organized ransomware groups adopted Linux lockers, including ALPHV, Black Basta, Conti, Lockbit, and REvil. These groups focus on ESXi before other Linux variants, leveraging built-in tools for the ESXi hypervisor to kill guest machines, then encrypt crucial hypervisor files. We identified overlap between the leaked Babuk source code and ESXi lockers attributed to Conti and REvil, with iterations of the latter sharply resembling one another. We also compared them to the leaked Conti Windows locker source code, finding shared, bespoke function names and features
Tomi Engdahl says:
Millions of mobile phones come pre-infected with malware, say researchers https://www.theregister.com/2023/05/11/bh_asia_mobile_phones/
Miscreants have infected millions of Androids worldwide with malicious firmware before the devices even shipped from their factories, according to Trend Micro researchers at Black Hat Asia. This hardware is mainly cheapo Android mobile devices, though smartwatches, TVs, and other things are caught up in it. The gadgets have their manufacturing outsourced to an original equipment manufacturer (OEM). That outsourcing makes it possible for someone in the manufacturing pipeline such as a firmware supplier to infect products with malicious code as they ship out, the researchers said
Tomi Engdahl says:
Chaining Five Vulnerabilities to Exploit Netgear Nighthawk RAX30 Routers at Pwn2Own Toronto 2022
https://claroty.com/team82/research/chaining-five-vulnerabilities-to-exploit-netgear-nighthawk-rax30-routers-at-pwn2own-toronto-2022
The Internet of Things (IoT) has become an increasingly popular target for cyber attacks in recent years because these devices are often poorly secured and can be easily compromised. To highlight the vulnerabilities of IoT devices and encourage better security practices from manufacturers, the Zero Day Initiative (ZDI) organized a Pwn2Own competition last fall in Toronto that focused on hacking into IoT devices such as printers, network-attached storage (NAS) devices, routers, and smart speakers. This competition brought together experienced hackers to demonstrate their skills in finding and exploiting vulnerabilities in these devices. Here, we will explore the research we conducted on the Netgear RAX30 router, below, for the Pwn2Own competition
Tomi Engdahl says:
‘Top three Balkans drug kingpins’ arrested after cops crack their Sky ECC chats https://www.theregister.com/2023/05/13/drug_arrests_sky_ecc/
European police arrested three people in Belgrade described as “the biggest” drug lords in the Balkans in what cops are chalking up to another win in dismantling Sky ECC’s encrypted messaging app last year. On May 11, law enforcement in Serbia and the Netherlands carried out coordinated raids on the cartel’s alleged leaders and distribution infrastructure, according to Europol. During the swoop, officers arrested 13 suspects in Serbia, including the three alleged kingpins, searched 35 homes, and seized nearly 3 million ($3.26 million), 15 “high-end cars,” jewelry, watches, and weapons. Police had already arrested another 10 alleged members of the cartel in Belgium, Serbia, Peru, and the Netherlands, bringing the total arrests to 23. And all of these came about because of the Sky ECC takedown
Tomi Engdahl says:
Inside the Italian Mafias Encrypted Phone of Choice https://www.vice.com/en/article/88xgjz/inside-italian-mafias-encrypted-phone-no1bc
A collaborative investigation reveals alleged members of the mafia are using encrypted phones from “No. 1 Business Communication.” The company is linked to a high profile American businessman, a Ukrainian technologist, and multiple convicted criminals
Tomi Engdahl says:
EU Parliament calls for de facto moratorium on spyware https://www.euractiv.com/section/digital/news/eu-parliament-adopts-calls-for-de-facto-moratorium-on-spyware/
Lawmakers adopted on Monday (8 May) a non-binding report and recommendation on the use of Pegasus and other spyware in the EU, calling for an effective ban on the technology unless certain conditions are met by the end of the year. The documents result from an ad hoc committee set up last year to investigate Pegasus and equivalent surveillance software, following the 2021 revelations that governments worldwide had systematically deployed the NSO-provided spyware. The text, based on 15 months of investigation, also includes country-specific recommendations. The report was adopted with 30 votes in favour and three against; the recommendations received 30 for and five against. The two will be voted on by the full Parliament at its next plenary session
Tomi Engdahl says:
Bloomberg:
Swedish cybersecurity company Truesec and experts: Russia-linked “Anonymous Sudan” is one of the most prolific hacktivist groups targeting Swedish organizations — Since February, a mysterious hacker group calling itself Anonymous Sudan has targeted dozens of Swedish airports …
Posing as Islamists, Russian Hackers Take Aim at Sweden
https://www.bloomberg.com/news/features/2023-05-14/posing-as-islamists-russian-hackers-take-aim-at-sweden#xj4y7vzkg
A series of coordinated cyberattacks intended to jeopardize the Nordic country’s chances of joining NATO have been disrupting its biggest companies
Since February, a mysterious hacker group calling itself Anonymous Sudan has targeted dozens of Swedish airports, hospitals and banks with distributed denial-of-service attacks, ostensibly in response to the burning of a Koran in front of the Turkish embassy in Stockholm earlier this year.
The so-called DDoS attacks, which push websites and services offline by overwhelming them with internet traffic, disrupted online programming at Sweden’s national public broadcaster and knocked out the websites of Scandinavian Airlines, state-owned power company Vattenfall, and defense firm Saab AB. Extensive media coverage has made the attacks — and Anonymous Sudan’s claim
Tomi Engdahl says:
https://hackaday.com/2023/05/12/this-week-in-security-tpm-and-bootguard-drones-and-coverups/
Full disk encryption is the go-to solution for hardening a laptop against the worst-case scenario of physical access. One way that encryption can be managed is through a Trusted Platform Module (TPM), a chip on the motherboard that manages the disk encryption key, and only hands it over for boot after the user has authenticated. We’ve seen some clever tricks deployed against these discrete TPMs, like sniffing the data going over the physical traces. So in theory, an integrated TPM might be more secure. Such a technique does exist, going by the name fTPM, or firmware TPM. It uses a Trusted Execution Environment, a TEE, to store and run the TPM code. And there’s another clever attack against that concept (PDF).
It’s chip glitching via a voltage fault. This particular attack works against AMD processors, and the voltage fault is triggered by injecting commands into the Serial Voltage Identification Interface 2.0 (SVI2). Dropping the voltage momentarily to the AMD Secure Processor (AMD-SP) can cause a key verification step to succeed even against an untrusted key, bypassing the need for an AMD Root Key (ARK) signed board firmware. That’s not a simple process, and pulling it off takes about $200 of gear, and about 3 hours. This exposes the CPU-unique seed, the board NVRAM, and all the protected TPM objects.
faulTPM: Exposing AMD fTPMs’ Deepest Secrets
https://arxiv.org/pdf/2304.14717.pdf
Tomi Engdahl says:
https://hackaday.com/2023/05/12/this-week-in-security-tpm-and-bootguard-drones-and-coverups/
And if hardware glitching a computer seems to complicated, why not just use the leaked MSI keys? Now to be fair, this only seems to allow a bypass of Intel’s BootGuard, but it’s still a blow. MSI suffered a ransomware-style breach in March, but rather than encrypt data, the attackers simply threatened to release the copied data to the world. MSI apparently refused to pay up, and source code and signing keys are now floating in the dark corners of the Internet. There have been suggestions that this leak impacts the entire line of Intel processors, but it seems likely that MSI only had their own signing keys to lose. But that’s plenty bad, given the lack of a revocation system or automatic update procedure for MSI firmware.
Intel investigating leak of Intel Boot Guard private keys after MSI breach
https://www.bleepingcomputer.com/news/security/intel-investigating-leak-of-intel-boot-guard-private-keys-after-msi-breach/
Intel is investigating the leak of alleged private keys used by the Intel Boot Guard security feature, potentially impacting its ability to block the installation of malicious UEFI firmware on MSI devices.
In March, the Money Message extortion gang attacked computer hardware make MSI, claiming to have stolen 1.5TB of data during the attack, including firmware, source code, and databases.
As first reported by BleepingComputer, the ransomware gang demanded a $4,000,000 ransom and, after not being paid, began leaking the data for MSI on their data leak site.
Money Message ransomware gang claims MSI breach, demands $4 million
https://www.bleepingcomputer.com/news/security/money-message-ransomware-gang-claims-msi-breach-demands-4-million/
Leak of MSI UEFI signing keys stokes fears of “doomsday” supply chain attack
With no easy way to revoke compromised keys, MSI, and its customers, are in a real pickle.
https://arstechnica.com/information-technology/2023/05/leak-of-msi-uefi-signing-keys-stokes-concerns-of-doomsday-supply-chain-attack/
Tomi Engdahl says:
Drone goggles maker claims firmware sabotaged to ‘brick’ devices
https://www.bleepingcomputer.com/news/technology/drone-goggles-maker-claims-firmware-sabotaged-to-brick-devices/
Orqa, a maker of First Person View (FPV) drone racing goggles, claims that a contractor introduced code into its devices’ firmware that acted as a time bomb designed to brick them.
On early Saturday, Orqa started receiving reports from customers surprised to see their FPV.One V1 goggles enter bootloader mode and become unusable.
“We first started getting the reports from our pilots in Japan, very early in the morning while we were all still asleep (or partying — it was Friday after all!). Then in the early morning hours here in Europe, we started getting reports from a race event in Turkey,” the company said.
Tomi Engdahl says:
https://hackaday.com/2023/05/12/this-week-in-security-tpm-and-bootguard-drones-and-coverups/
It’s Not the Crime, It’s the Coverup
If you needed it, here’s another reason not to pay the ransom. Well, more specifically, don’t pay the ransom, try to cover it up as a bug bounty, and then lie to investigators about the whole incident. Joseph Sullivan was found guilty of Obstruction of Justice and Misrepresenting a Felony, both in relation to an event while he was chief security officer at Uber.
Sullivan was let off easy with three years of probation, 200 hours of community service, and a $50,000 fine. Read the articles linked above, and let us know what you think. Was this a reasonable charge and punishment for the cover-up, or was this a perversion of justice to punish the victim trying to clean up after an attack?
Ex-Uber security chief sentenced over covering up hack
https://www.bbc.com/news/technology-65497186
Uber’s former chief security officer has avoided jail and been sentenced to three years’ probation for covering up a cyber-attack from authorities.
Joseph Sullivan was found guilty of paying hackers $100,000 (£79,000) after they gained access to 57 million records of Uber customers, including names and phone numbers.
He must also pay a fine of $50,000, and serve 200 hours of community service.
Prosecutors originally asked for a 15-month prison sentence.
Former Chief Security Officer Of Uber Convicted Of Federal Charges For Covering Up Data Breach Involving Millions Of Uber User Records
https://www.justice.gov/usao-ndca/pr/former-chief-security-officer-uber-convicted-federal-charges-covering-data-breach
Federal Jury Finds Joseph Sullivan Guilty of Obstruction of the Federal Trade Commission and Misprision of a Felony
SAN FRANCISCO – A federal jury convicted Joseph Sullivan, the former Chief Security Officer of Uber Technologies, Inc. (“Uber”), of obstruction of proceedings of the Federal Trade Commission (“FTC”) and misprision of felony in connection with his attempted cover-up of a 2016 hack of Uber. The announcement was made by United States Attorney Stephanie M. Hinds and FBI San Francisco Special Agent in Charge Robert K. Tripp following a four week trial before the Hon. William H. Orrick, United States District Judge.
“Technology companies in the Northern District of California collect and store vast amounts of data from users,” said U.S. Attorney Hinds. “We expect those companies to protect that data and to alert customers and appropriate authorities when such data is stolen by hackers. Sullivan affirmatively worked to hide the data breach from the Federal Trade Commission and took steps to prevent the hackers from being caught. We will not tolerate concealment of important information from the public by corporate executives more interested in protecting their reputation and that of their employers than in protecting users. Where such conduct violates the federal law, it will be prosecuted.”
“The message in today’s guilty verdict is clear: companies storing their customers’ data have a responsibility to protect that data and do the right thing when breaches occur,” said FBI Special Agent In Charge Tripp. “The FBI and our government partners will not allow rogue technology company executives to put American consumers’ personal information at risk for their own gain.”
Tomi Engdahl says:
https://hackaday.com/2023/05/12/this-week-in-security-tpm-and-bootguard-drones-and-coverups/
And to cap off the week’s news, Home Assistant had a nasty one, where an unauthenticated user can access the Supervisor API. The bug is a sneaky path traversal that bypasses an authentication check regex. Check it yourself, by fetching http://a.b.c.d:8123/api/hassio/app/.%252e/supervisor/info on your Home Assistant install. The fixes have been bypassed a couple of times, and it’s release 2023.03.3 that’s safe to use, for now.
https://www.elttam.com/blog/pwnassistant/
This write-up describes a vulnerability (CVE-2023-27482) found in Home Assistant, a popular open source home automation software. The original vulnerability was found to affect versions before 2023.3.0 where a mitigation is introduced. Bypasses were discovered which meant the vulnerable versions include Home Assistant Core 2023.3.0 and 2023.3.1 and Home Assistant Supervisor 2023.03.2. Home Assistant installations running Home Assistant Core 2023.3.2 or later, and Home Assistant Supervisor 2023.03.3 or later are not affected.
https://github.com/elttam/publications/blob/master/writeups/home-assistant/supervisor-authentication-bypass-advisory.md
Tomi Engdahl says:
Cybercriminals remotely turn up the voltage on motherboards to brick servers >
Some potential: How bad software updates could over-volt, brick remote servers
PMFault – from the eggheads who brought you Plundervolt and Voltpillager
https://www.theregister.com/2023/05/15/pmfault_attack
Presenting at Black Hat Asia 2023, two infosec researchers detailed how remote updates can be exploited to modify voltage on a Supermicro motherboard and remotely brick machines.
The duo behind the discovery, both at the University of Birmingham in England, like to play around with voltage. They were already known for revealing a vulnerability in Intel’s Software Guard Extensions (SGX) feature – a hole exploitable via their technique dubbed Plundervolt – and a $30 2020 Intel SGX cloud server attack called Voltpillager.
When the voltage of these systems is altered, their cryptographic processes can be manipulated or compromised, and attackers can potentially extract sensitive data. Voltpillager was not a remote attack and required physical proximity
Intel issued firmware updates to prevent Plundervolt, and stated at the time that techniques that require an attacker to physically open a case – such as Voltpillager – were not considered vulnerabilities.
This latest power management tampering, or PMFault, can be carried out by a privileged software adversary who doesn’t have access to Board Management Controller (BMC) login credentials. It allows the same data extraction as its predecessor attacks, but through the BMC flash memory chip. In other words, you need to be able to update the BMC firmware to include malicious code to perform the attack, which means you’ll need root access pretty much.
The two researchers, PhD student Zitai Chen and Professor David Oswald, said in a January academic publication that “undervolting through the PMBus allows breaking the integrity guarantees of SGX enclaves, bypassing Intel’s countermeasures against previous undervolting attacks like Plundervolt.”
By then overvolting – sending 2.84 volts to the 1.52 spec’d CPU – the pair permanently bricked two separate Xeon CPUs used in the experiment. This was done by a malicious software update.
They pinned the vulnerabilities on insecure firmware encryption and signing mechanisms, a lack of authentication when it comes to firmware and IPMI KCS control interface upgrades, and the overall motherboard design.
“With this attack we only need the Ethernet cable to connect to the server. And that’s it. We don’t need to open the box anymore.”
The duo’s big takeaway is that trusted execution environments “like SGX must not only rely on the security of the CPU itself, but also of that of management components [in] the hardware design of the platform.”
Chen and Oswald offer a PMBusDetect tool for identifying if a voltage regulator modeule is connected to the PMBus. However, they’ve only yet tested it on Reneseas ISL68137 and Monolithic MP2955.
Supermicro did respond to Chen and Oswald’s disclosure back in January. The hardware maker rated the vulnerability’s severity as “high” and issued new signed BMC firmware for all affected Supermicro motherboard SKUs.
PMFault: Faulting and Bricking Server CPUs through Management Interfaces
https://github.com/zt-chen/PMFault
Disclaimer: The code in this repo can cause PERMANENT DAMAGE to your server. Use at your own risk.
This repo contains the supplementary materials for the paper “PMFault: Faulting and Bricking Server CPUs through Management Interfaces”, which will appear in CHES 2023.
Check our website for a brief introduction of the PMFault attack.
https://zt-chen.github.io/PMFault/
Tomi Engdahl says:
Airline exposes passenger info to others due to a ‘technical error’
https://www.bleepingcomputer.com/news/security/airline-exposes-passenger-info-to-others-due-to-a-technical-error/
airBaltic, Latvia’s flag carrier has acknowledged that a ‘technical error’ exposed reservation details of some of its passengers to other airBaltic passengers.
Passengers also reported receiving unexpected emails which addressed them by the name of another customer.
The Riga-based airline, incorporated as AS Air Baltic Corporation operates flights to 80 destinations and is 97% government-owned. Although the air carrier says the leak impacts a small percentage of its customers and that no financial or payment data was exposed, the airline has yet to disclose the total number of impacted passengers.
Tomi Engdahl says:
Hackers target WordPress plugin flaw after PoC exploit released https://www.bleepingcomputer.com/news/security/hackers-target-wordpress-plugin-flaw-after-poc-exploit-released/
Hackers are actively exploiting a recently fixed vulnerability in the WordPress Advanced Custom Fields plugin roughly 24 hours after a proof-of-concept (PoC) exploit was made public.
The vulnerability in question is CVE-2023-30777, a high-severity reflected cross-site scripting (XSS) flaw that allows unauthenticated attackers to steal sensitive information and escalate their privileges on impacted WordPress sites.
The flaw was discovered by website security company Patchstack on May 2nd, 2023, and was disclosed along with a proof-of-concept exploit on May 5th, a day after the plugin vendor had released a security update with version 6.1.6.
Tomi Engdahl says:
More Supply Chain Attacks via Malicious Python Packages https://www.fortinet.com/blog/threat-research/more-supply-chain-attacks-via-malicious-python-packages
The FortiGuard Labs team discovered over 30 new zero-day attacks in PyPI packages (Python Package Index). These were found between late March and late April by monitoring an open-source ecosystem. In this blog, we will cover all the packages that were found, grouping them into similar attacks or behavior. Some of these sets may have been shown in a previous blog.
Tomi Engdahl says:
No more macros? No problem, say miscreants, we’ll adapt https://www.theregister.com/2023/05/15/proofpoint_microsoft_macros_cybercrime/
Microsoft’s decision to block internet-sourced macros by default last year is forcing attackers to find new and creative ways to compromise systems and deliver malware, according to threat researchers at Proofpoint.
“The cybercriminal ecosystem has experienced a monumental shift in activity and threat behavior over the last year in a way not previously observed by threat researchers,” the security team wrote in a report just before the weekend. “Financially motivated threat actors that gain initial access via email are no longer using static, predictable attack chains, but rather dynamic, rapidly changing techniques.”
There were more than 700 cyber campaigns in 2021 that used Visual Basic for Applications
(VBA) macros in their attacks, and almost the same number used XL4 macros, which are specific to Excel, the researchers wrote.
Tomi Engdahl says:
Lancefly: Group Uses Custom Backdoor to Target Orgs in Government, Aviation, Other Sectors https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lancefly-merdoor-zxshell-custom-backdoor
The Lancefly advanced persistent threat (APT) group is using a custom-written backdoor in attacks targeting organizations in South and Southeast Asia, in activity that has been ongoing for several years.
Lancefly may have some links to previously known groups, but these are low confidence, which led researchers at Symantec, by Broadcom Software, to classify this activity under a new group name.
Lancefly’s custom malware, which we have dubbed Merdoor, is a powerful backdoor that appears to have existed since 2018. Symantec researchers observed it being used in some activity in 2020 and 2021, as well as this more recent campaign, which continued into the first quarter of 2023. The motivation behind both these campaigns is believed to be intelligence gathering.
The backdoor is used very selectively, appearing on just a handful of networks and a small number of machines over the years, with its use appearing to be highly targeted.
The attackers in this campaign also have access to an updated version of the ZXShell rootkit.
Tomi Engdahl says:
Water Orthrus’s New Campaigns Deliver Rootkit and Phishing Modules https://www.trendmicro.com/en_us/research/23/e/water-orthrus-new-campaigns-deliver-rootkit-and-phishing-modules.html
Since 2021, we have been tracking the activities of a threat actor we called Water Orthrus, which distributed CopperStealer malware via pay-per-install (PPI) networks.
The threat actor has upgraded and modified the malware multiple times for different purposes, such as injecting network advertisements, acquiring personal information, and stealing cryptocurrency. We believe that they are associated with the threat campaign reported as “Scranos” in 2019.
In March 2023, we observed two campaigns delivering new malware that we named CopperStealth and CopperPhish. Both malware have characteristics that are similar to those of CopperStealer and are likely developed by the same author, leading us to believe that these campaigns are likely Water Orthrus’ new activities.
Tomi Engdahl says:
Newly identified RA Group compromises companies in U.S. and South Korea with leaked Babuk source code https://blog.talosintelligence.com/ra-group-ransomware/
Talos recently discovered a new ransomware actor, RA Group, who emerged in April 2023 and seems to be using leaked Babuk source code in its attacks. After an alleged member of the Babuk group leaked the full source code of its ransomware in September 2021, various ransomware families have emerged leveraging the leaked Babuk code. Talos has compiled a timeline of these attacks conducted by different actors using ransomware families that branched off the leaked source code.
The group is launching double extortion attacks. Like other ransomware actors, RA Group also operates a data leak site in which they threaten to publish the data exfiltrated from victims who fail to contact them within a specified time or do not meet their ransom demands. This form of double extortion increases the chances that a victim will pay the requested ransom.
Tomi Engdahl says:
Not-Too-Safe Boot: Remotely Bypassing Endpoint Security Solutions (AV/EDR/…) and Anti-Tampering Mechanisms https://zerodayzone.com/2023/05/12/not-too-safe-boot-remotely-bypassing-endpoint-security-solutions-av-edr-and-anti-tampering-mechanisms/
In this article, we provide an in-depth analysis of the Not-Too-Safe Boot technique, which has been designed to bypass Endpoint Security Solutions like antivirus (AV), endpoint detection and response (EDR) and anti-tampering mechanisms remotely.
This method builds on a local execution technique first published in 2007 and later utilized in a real world scenario by a ransomware in 2019.
By leveraging native Windows functionalities, Not-Too-Safe Boot is a review of the original technique (that was used only locally) that enables attackers, with administrative privileges over the victim system, to remotely force to boot in safe mode and carry out malicious activities.
Tomi Engdahl says:
Cops crack gang that used bots to book and resell immigration appointments https://www.theregister.com/2023/05/16/spain_bot_immigration_booking_scam/
Police have arrested 69 people alleged to have used bots to book up nearly all of Spain’s available appointments with immigration officials, and then sold those meeting slots for between €30 and €200 ($33 to $218) to aspiring migrants.
The bots essentially shut down the nation’s online booking system by overloading it, according to Spanish National Police, who identified 94 people allegedly involved in the automation caper. In addition to cuffing dozens of those individuals, officers are still investigating the remaining 25.
Those arrested include the four alleged leaders of the crime ring, plus lawyers, managers, advisors, recruiters, and intermediaries, who reportedly received “large amounts of money” from the sale of the immigration appointments.
Tomi Engdahl says:
The Dragon Who Sold His Camaro: Analyzing Custom Router Implant https://research.checkpoint.com/2023/the-dragon-who-sold-his-camaro-analyzing-custom-router-implant/
Over the past few months, Check Point Research has closely monitored a series of targeted attacks aimed at European foreign affairs entities. These campaigns have been linked to a Chinese state-sponsored APT group we track as Camaro Dragon, which shares similarities with previously reported activities conducted by state-sponsored Chinese threat actors, namely Mustang Panda.
Our comprehensive analysis of these attacks has uncovered a malicious firmware implant tailored for TP-Link routers. The implant features several malicious components, including a custom backdoor named “Horse Shell” that enables the attackers to maintain persistent access, build anonymous infrastructure and enable lateral movement into compromised networks.
The discovery is yet another example of a long-standing trend of Chinese threat actors to exploit Internet-facing network devices and modify their underlying software or firmware. This blog post will delve into the intricate details of analyzing the “Horse Shell” router implant. We will share our insights into the implant’s functionality and compare it to other router implants associated with Chinese state-sponsored groups.
By examining this implant, we hope to shed light on the techniques and tactics utilized by the Camaro Dragon APT group and provide a better understanding of how threat actors utilize malicious firmware implants in network devices in their attacks.
Tomi Engdahl says:
Geacon Brings Cobalt Strike Capabilities to macOS Threat Actors https://www.sentinelone.com/blog/geacon-brings-cobalt-strike-capabilities-to-macos-threat-actors/
The red-teaming and attack simulation tool Cobalt Strike has a long and widely observed history of abuse by threat actors targeting Windows platforms, but it has only occasionally been seen used against macOS devices. That, however, appears to be changing with the development of a Go implementation of Cobalt Strike called ‘Geacon’.
We have observed a number of Geacon payloads appearing on VirusTotal in recent months.
While some of these are likely red-team operations, others bear the characteristics of genuine malicious attacks. In this post, we highlight two recent Geacon samples and describe their delivery mechanisms and main characteristics. A list of IoCs is provided to aid threat hunters and security teams identify Geacon payloads.
Tomi Engdahl says:
Malicious VSCode extensions with more than 45K downloads steal PII and enable backdoors https://blog.checkpoint.com/securing-the-cloud/malicious-vscode-extensions-with-more-than-45k-downloads-steal-pii-and-enable-backdoors/
VSCode (short for Visual Studio Code) is a popular and free source code editor developed by Microsoft. It’s an efficient and customizable coding environment that can support a wide range of programming languages, frameworks, and tools. VSCode has gained much popularity in recent years and has become one of developers’ most popular code editors.
One of the main reasons is the VSCode Extensions Marketplace, a central hub where developers can discover and install new extensions to enhance their coding experience.
The marketplace includes official Microsoft and third-party extensions developed by the community.
As part of our analysis, we found and disclosed a few malicious extensions to the VSCode team with a total count of more than 45K installs. We’ve also found extensions with suspicious code patterns but no clear malicious indicators. Once detected, we disclosed our findings to the VSCode team, and the extensions were removed.
These continued findings highlight the need to verify every open-source component, not just assume it will be ok.
Tomi Engdahl says:
VirusTotal AI code analysis expands Windows, Linux script support https://www.bleepingcomputer.com/news/security/virustotal-ai-code-analysis-expands-windows-linux-script-support/
Google has added support for more scripting languages to VirusTotal Code Insight, a recently introduced artificial intelligence-based code analysis feature.
While launched only with support for analyzing a subset of PowerShell files, Code Insight can now also spot malicious Batch (BAT), Command Prompt (CMD), Shell (SH), and VBScript (VBS) scripts.
Besides the list of additions included in Google’s announcement, BleepingComputer was also able to discover that the company added support for AutoHotkey (AHK) and Python
(PY) scripting languages.
Tomi Engdahl says:
PSA: time to recycle your old Wemo smart plugs (if you haven’t already) https://www.theverge.com/2023/5/16/23725290/wemo-smart-plug-v2-smart-home-security-vulnerability
Security researchers at Sternum report they’ve found an exploitable vulnerability in the Wemo Smart Plug Mini V2 (via 9to5Mac). The plug debuted in 2019, offering cross-platform compatibility with Apple HomeKit, Google Assistant, and Alexa.
The bug would let a savvy hacker gain remote command of your Wemo plug by circumventing the Wemo app with a community-made Python app called PyWeMo. Once connected, an attacker can change the device name to something with more than 30 characters, resulting in a buffer overflow that allows the attacker to inject commands remotely.
When Sternum disclosed the vulnerability to Belkin, it was told that since the device was at the end of its life, it would not be receiving a fix. Sternum then reported the issue to not-for-profit cybersecurity org The Mitre Corporation, which then created CVE-2023-27217.
Tomi Engdahl says:
Saitko oudon viestin, jossa oli käyttäjätunnus ja salasana? Tästä on kyse https://www.is.fi/digitoday/tietoturva/art-2000009590311.html
Hämmentävän viestin takaa löytyy verkkosivusto, joka vaikuttaa erehdyttävästi kryptovaluuttapörssiltä.
Tomi Engdahl says:
Teltonika Vulnerabilities Could Expose Thousands of Industrial Organizations to Remote Attacks
https://www.securityweek.com/teltonika-vulnerabilities-could-expose-thousands-of-industrial-orgs-to-remote-attacks/
Critical vulnerabilities found in Teltonika products by industrial cybersecurity firms Otorio and Claroty expose thousands of internet-exposed devices to attacks.
Researchers at industrial cybersecurity companies Otorio and Claroty have teamed up to conduct a detailed analysis of products made by Teltonika and found potentially serious vulnerabilities that can expose many organizations to remote hacker attacks.
Teltonika Networks is a Lithuania-based company that makes LTE routers, gateways, modems and other networking solutions that are used worldwide in the industrial, energy, utilities, smart city, transportation, enterprise, and retail sectors.
Researchers at Otorio and Claroty have analyzed the company’s RUT241 and RUT955 cellular routers, as well as the Teltonika Remote Management System (RMS), a platform that can be deployed on-premises or in the cloud for monitoring and managing connected devices.
The research resulted in the discovery of eight types of security holes, which the US Cybersecurity and Infrastructure Security Agency (CISA) described briefly in an advisory published on May 11.
The vendor has been notified and it has released patches for both the RMS platform and the RUT routers.
https://www.cisa.gov/news-events/ics-advisories/icsa-23-131-08
Tomi Engdahl says:
CISA: Several Old Linux Vulnerabilities Exploited in Attacks
https://www.securityweek.com/cisa-several-old-linux-vulnerabilities-exploited-in-attacks/
Several old Linux vulnerabilities for which there are no public reports of malicious exploitation have been added to CISA’s KEV catalog
The US Cybersecurity and Infrastructure Security Agency (CISA) has added several Linux and Linux-related flaws to its known exploited vulnerabilities (KEV) catalog.
The agency added seven new vulnerabilities to its KEV catalog on Friday: Ruckus AP remote code execution (CVE-2023-25717), Red Hat Polkit privilege escalation (CVE-2021-3560), Linux kernel privilege escalations (CVE-2014-0196 and CVE-2010-3904), Jenkins UI information disclosure (CVE-2015-5317), Apache Tomcat remote code execution (CVE-2016-8735), and an Oracle Java SE and JRockit issue (CVE-2016-3427).
The Ruckus product vulnerability has been exploited by a DDoS botnet named AndoryuBot.
Tomi Engdahl says:
Application Security
Executive Fired From TikTok’s Chinese Owner Says Beijing Had Access to App Data in Termination Suit
https://www.securityweek.com/executive-fired-from-tiktoks-chinese-owner-says-beijing-had-access-to-app-data-in-termination-suit/
Former ByteDance executive said China government officials maintained access to all TikTok data, including information stored in the United States.
A former executive fired from TikTok’s parent company ByteDance made a raft of accusations against the tech giant Friday, including that it stole content from competitors like Instagram and Snapchat, and served as a “propaganda tool” for the Chinese government by suppressing or promoting content favorable to the country’s interests.
Tomi Engdahl says:
Toyota: Data on More Than 2 Million Vehicles in Japan Were at Risk in Decade-Long Breach
https://www.securityweek.com/toyota-data-on-more-than-2-million-vehicles-in-japan-were-at-risk-in-decade-long-breach/
A decade-long data breach in Toyota’s online service put some information on more than 2 million vehicles at risk.
Tomi Engdahl says:
ChatGPT’s Chief Testifies Before Congress, Calls for New Agency to Regulate Artificial Intelligence
https://www.securityweek.com/chatgpts-chief-testifies-before-congress-calls-for-new-agency-to-regulate-artificial-intelligence/
The head of OpenAI, which makes ChatGPT, told Congress that government intervention “will be critical to mitigate the risks of increasingly powerful” AI systems.
Tomi Engdahl says:
https://www.securityweek.com/brightly-software-notifying-3-million-schooldude-users-of-data-breach/
Tomi Engdahl says:
https://www.securityweek.com/discord-informs-users-of-data-breach-involving-customer-support-provider/
Tomi Engdahl says:
WordPress Field Builder Plugin Vulnerability Exploited in Attacks Two Days After Patch
https://www.securityweek.com/wordpress-field-builder-plugin-vulnerability-exploited-in-attacks-two-days-after-patch/
PoC exploit targeting an XSS vulnerability in the Advanced Custom Fields WordPress plugin started being used in malicious attacks two days after patch.
Tomi Engdahl says:
PharMerica Discloses Data Breach Impacting 5.8 Million Individuals
https://www.securityweek.com/pharmerica-discloses-data-breach-impacting-5-8-million-individuals/
The personal information of more than 5.8 million was compromised in a data breach at national pharmacy network PharMerica.
Tomi Engdahl says:
Capita Cyberattack Hits UK Pension Funds
https://www.securityweek.com/capita-cyberattack-hits-uk-pension-funds/
The recent ransomware attack on Capita may impact millions of customers of hundreds of pension funds in the UK.
Tomi Engdahl says:
Philadelphia Inquirer Hit by Cyberattack Causing Newspaper’s Largest Disruption in Decades
https://www.securityweek.com/philadelphia-inquirer-hit-by-cyberattack-causing-newspapers-largest-disruption-in-decades/
The Philadelphia Inquirer experienced the most significant disruption to its operations in 27 years due to a cyberattack on Sunday, May 14, 2023.
The Philadelphia Inquirer experienced the most significant disruption to its operations in 27 years due to what the newspaper calls a cyberattack.
The company was working to restore print operations after a cyber incursion that prevented the printing of the newspaper’s Sunday print edition, the Inquirer reported on its website.
The news operation’s website was still operational Sunday, although updates were slower than normal, the Inquirer reported.
Inquirer publisher Lisa Hughes said Sunday “we are currently unable to provide an exact time line” for full restoration of the paper’s systems.
The Philadelphia Inquirer’s operations continue to be disrupted by a cyber incident
It was unclear when systems would be fully restored. The incident is the greatest disruption to Inquirer publication since 1996.
https://www.inquirer.com/news/philadelphia/philadelphia-inquirer-hack-cyber-disruption-20230514.html
Tomi Engdahl says:
Lawrence Abrams / BleepingComputer:
Cybersecurity researchers and IT admins raise concerns over Google’s new .zip and .mov TLDs, warning that threat actors could use them for phishing and malware — Cybersecurity researchers and IT admins have raised concerns over Google’s new ZIP and MOV Internet domains …
New ZIP domains spark debate among cybersecurity experts
https://www.bleepingcomputer.com/news/security/new-zip-domains-spark-debate-among-cybersecurity-experts/
Cybersecurity researchers and IT admins have raised concerns over Google’s new ZIP and MOV Internet domains, warning that threat actors could use them for phishing attacks and malware delivery.
Earlier this month, Google introduced eight new top-level domains (TLD) that could be purchased for hosting websites or email addresses.
The new domains are .dad, .esq, .prof, .phd, .nexus, .foo, and for the topic of our article, the .zip and .mov domain TLDs.
While the ZIP and MOV TLDs have been available since 2014, it wasn’t until this month that they became generally available, allowing anyone to purchase a domain, like bleepingcomputer.zip, for a website.
However, these domains could be perceived as risky as the TLDs are also extensions of files commonly shared in forum posts, messages, and online discussions, which will now be automatically converted into URLs by some online platforms or applications.
Two common file types seen online are ZIP archives and MPEG 4 videos, whose file names end in .zip (ZIP archive) or .mov (video file).
Therefore, it’s very common for people to post instructions containing filenames with the .zip and .mov extensions.
However, now that they are TLDs, some messaging platforms and social media sites will automatically convert file names with .zip and .mov extensions into URLs.
When people see URLs in instructions, they commonly think that the URL can be used to download the associated file and may click on the link. For example, linking filenames to downloads is how we usually provide instructions on BleepingComputer in our articles, tutorials, and discussion forums.
However, if a threat actor owned a .zip domain with the same name as a linkified filename, a person may mistakenly visit the site and fall for a phishing scam or download malware, thinking the URL is safe because it came from a trusted source.
While it’s very unlikely that threat actors will register thousands of domains to capture a few victims, you only need one corporate employee to mistakenly install malware for an entire network to be affected.
Tomi Engdahl says:
Douglas MacMillan / Washington Post:
An investigation finds some US public housing agencies use surveillance cameras with facial recognition and AI to evict residents, sometimes for minor breaches
Eyes on the poor: Cameras, facial recognition watch over public housing
https://www.washingtonpost.com/business/2023/05/16/surveillance-cameras-public-housing/
Surveillance cameras purchased with federal crime-fighting grants are being used to punish and evict public housing residents, sometimes for minor rule violations, a Washington Post investigation found
STEUBENVILLE, Ohio — When they installed the new surveillance system, local officials promised it would help tamp down a gang war menacing this forgotten steel town. But residents of Steubenville public housing soon learned the cameras were pointed at them.
One man was filmed spitting in a hallway. A woman was recorded removing a cart from a communal laundry room. Footage in both cases was presented to a judge to help evict the residents in court.
After the cameras caught her lending her key fob to an unauthorized guest, Melanie Otis, 52, also was threatened with eviction. Otis, who has vision loss, was allowed to stay after she explained the visitor was a friend bringing her groceries.
In public housing facilities across America, local officials are installing a new generation of powerful and pervasive surveillance systems, imposing an outsize level of scrutiny on some of the nation’s poorest citizens. Housing agencies have been purchasing the tools — some equipped with facial recognition and other artificial intelligence capabilities — with no guidance or limits on their use, though the risks are poorly understood and little evidence exists that they make communities safer.
Tomi Engdahl says:
Jonathan Greig / The Record:
Symantec says an APT called Lancefly used custom malware to attack governments, telcos, and other organizations in Asia from the middle of 2022 through Q1 2023 — A government-backed hacking group known as “Lancefly” has been seen using custom-made malware to attack governments, telecoms and other organizations across Asia.
https://therecord.media/lancefly-espionage-malware-backdoor-asia-apt
Tomi Engdahl says:
Tech Transparency Project:
Researchers find YouTube’s algorithm recommended videos on guns and shooting to young gamers, despite the platform’s policies against violent and gory content — YouTube says it delivers ‘responsible’ video recommendations. But its algorithms steered accounts for young gamers toward content on guns …
YouTube Leads Young Gamers to Videos of Guns, School Shootings
https://www.techtransparencyproject.org/articles/youtube-leads-young-gamers-to-videos-of-guns-school