Cyber security news May 2023

This posting is here to collect cyber security news in May 2023.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.

379 Comments

  1. Tomi Engdahl says:

    Ingrid Lunden / TechCrunch:
    IBM acquires cloud data protection startup Polar Security, a source says for ~$60M, and plans to integrate Polar into its Guardium unit, itself acquired in 2019 — Update: IBM has now confirmed the news and said Polar will be integrated into its Guardium unit (itself based on an acquisition from way back in 2009).

    Confirmed: IBM acquires Polar Security for $60M to automate cloud data management
    https://techcrunch.com/2023/05/16/ibm-polar-security/

    Reply
  2. Tomi Engdahl says:

Websites of Finnish ports taken down by denial-of-service attacks – Russian hacker group claims responsibility
    https://yle.fi/a/74-20032321

    The websites of several Finnish ports have been the target of a denial-of-service attack today.

    The Port of Helsinki announced the denial-of-service attack on Twitter in the morning, before eleven o'clock.

    The Russian hacker group NoName 057(16) has announced on its Telegram channel that it is behind the denial-of-service attacks.

    In its post about the takedown of the Port of Helsinki's website, the hacker group refers to the fence being built on Finland's eastern border. The denial-of-service attack appears to be the hacker group's response.

    Reply
  3. Tomi Engdahl says:

    Cisco warns of critical switch bugs with public exploit code https://www.bleepingcomputer.com/news/security/cisco-warns-of-critical-switch-bugs-with-public-exploit-code/

    Cisco warned customers today of four critical remote code execution vulnerabilities with public exploit code affecting multiple Small Business Series Switches.

    All four security flaws received almost maximum severity ratings with CVSS base scores of 9.8/10. Successful exploitation allows unauthenticated attackers to execute arbitrary code with root privileges on compromised devices.

    The vulnerabilities—tracked as CVE-2023-20159, CVE-2023-20160, CVE-2023-20161, and CVE-2023-20189—are caused by improper validation of requests sent to the targeted switches’ web interfaces.

    Attackers can exploit them via maliciously crafted requests sent through targeted devices’ web-based user interfaces in low-complexity attacks that don’t require user interaction.

    Reply
  4. Tomi Engdahl says:

Did you receive a strange message containing a username and password? Here is what it is about https://www.is.fi/digitoday/tietoturva/art-2000009590311.html

    Finns are being approached with a new kind of scam. The messages, sent by email, give a web address together with a password and username that can be used to log in to the site.

    The message also urges the recipient not to share the website's details with anyone else. It is further implied that there is a large amount of money behind the site.

    The usernames in the original messages are not unique, since several people have received the same message and the same "username". One is nevertheless required, because you cannot log in to the sites by typing just anything into the username and password fields.

    Reply
  5. Tomi Engdahl says:

    SIM Swapping and Abuse of the Microsoft Azure Serial Console: Serial Is Part of a Well Balanced Attack https://www.mandiant.com/resources/blog/sim-swapping-abuse-azure-serial

    In 2022, Mandiant identified attacker activity centered in Microsoft Azure that Mandiant attributed to UNC3944. Mandiant’s investigation revealed that the attacker employed malicious use of the Serial Console on Azure Virtual Machines (VM) to install third-party remote management software within client environments.

    This method of attack was unique in that it avoided many of the traditional detection methods employed within Azure and provided the attacker with full administrative access to the VM. Unfortunately, cloud resources are often poorly misunderstood, leading to misconfigurations that can leave these assets vulnerable to attackers.

    While methods of initial access, lateral movement, and persistence vary from one attacker to another, one thing is clear: Attackers have their eyes on the cloud.

    Reply
  7. Tomi Engdahl says:

    KeePass exploit helps retrieve cleartext master password, fix coming soon https://www.bleepingcomputer.com/news/security/keepass-exploit-helps-retrieve-cleartext-master-password-fix-coming-soon/

The popular KeePass password manager is vulnerable to extracting the master password from the application’s memory, allowing attackers who compromise a device to retrieve the password even when the database is locked.

    The issue was discovered by a security researcher known as ‘vdohney,’ who published a proof-of-concept tool allowing attackers to extract the KeePass master password from memory as a proof-of-concept (PoC).

    A new KeePass vulnerability tracked as CVE-2023-3278 makes it possible to recover the KeePass master password, apart from the first one or two characters, in cleartext form, regardless of whether the KeePass workspace is locked, or possibly, even if the program is closed.

    “KeePass Master Password Dumper is a simple proof-of-concept tool used to dump the master password from KeePass’s memory. Apart from the first password character, it is mostly able to recover the password in plaintext,” warns the security researcher on the GitHub page for the exploit tool.

    Reply
  8. Tomi Engdahl says:

    Cybercrime gang pre-infects millions of Android devices with malware https://www.bleepingcomputer.com/news/security/cybercrime-gang-pre-infects-millions-of-android-devices-with-malware/

    A large cybercrime enterprise tracked as the “Lemon Group” has reportedly pre-installed malware known as ‘Guerilla’ on almost 9 million Android-based smartphones, watches, TVs, and TV boxes.

    The threat actors use Guerilla to load additional payloads, intercept one-time passwords from SMS, set up a reverse proxy from the infected device, hijack WhatsApp sessions, and more.

    According to a report by Trend Micro, whose analysts discovered the massive criminal enterprise and presented details about it at the recent BlackHat Asia conference, some of the attackers’ infrastructure overlaps with the Triada trojan operation from 2016.

    Triada was a banking trojan found pre-installed in 42 Android smartphone models from low-cost Chinese brands that sell their products globally.

    Reply
  9. Tomi Engdahl says:

    MalasLocker ransomware targets Zimbra servers, demands charity donation https://www.bleepingcomputer.com/news/security/malaslocker-ransomware-targets-zimbra-servers-demands-charity-donation/

    A new ransomware operation is hacking Zimbra servers to steal emails and encrypt files.
    However, instead of demanding a ransom payment, the threat actors claim to require a donation to charity to provide an encryptor and prevent data leaking.

    The ransomware operation, dubbed MalasLocker by BleepingComputer, began encrypting Zimbra servers towards the end of March 2023, with victims reporting in both the BleepingComputer and Zimbra forums that their emails were encrypted.

    The encryptor will also create ransom notes named README.txt that come with an unusual ransom demand to receive a decryptor and prevent the leaking of stolen data: a donation to a non-profit charity that they “approve of.”

    “Unlike traditional ransomware groups, we’re not asking you to send us money. We just dislike corporations and economic inequality,” reads the MalasLocker ransom note.

    Reply
  10. Tomi Engdahl says:

    US Offering $10M Reward for Russian Man Charged With Ransomware Attacks
    https://www.securityweek.com/us-offering-10m-reward-for-russian-man-charged-with-ransomware-attacks/

    The US is offering a $10 million reward for information on a Russian man accused of launching ransomware attacks on critical infrastructure.

    Reply
  11. Tomi Engdahl says:

    Chrome 113 Security Update Patches Critical Vulnerability
    https://www.securityweek.com/chrome-113-security-update-patches-critical-vulnerability/

    Google has released a Chrome 113 update to patch 12 vulnerabilities, including a critical use-after-free flaw.

    Google this week announced the release of a Chrome 113 security update that resolves a total of 12 vulnerabilities, including one rated ‘critical’. Six of the flaws were reported by external researchers.

    Tracked as CVE-2023-2721 and reported by Qihoo 360 researcher Guang Gong, the issue is described as a use-after-free flaw in Navigation.

    A remote attacker could craft an HTML page to trigger a heap corruption when a user accesses the page. The attacker would have to convince the user to visit the page.

    Use-after-free vulnerabilities are memory corruption bugs that occur when the pointer is not cleared after memory allocation is freed, which could lead to arbitrary code execution, denial-of-service, or data corruption.

    In Chrome, use-after-free issues can be exploited to escape the browser sandbox, which also requires for the attacker to target a vulnerability in the underlying system or in Chrome’s browser process.

    The latest Chrome update addressed three other externally reported use-after-free flaws, all rated ‘high’ severity. The vulnerabilities impact the browser’s Autofill UI, DevTools, and Guest View components.

    Reply
  12. Tomi Engdahl says:

    Apple Patches 3 Exploited WebKit Zero-Day Vulnerabilities
    https://www.securityweek.com/apple-patches-3-exploited-webkit-zero-day-vulnerabilities/

    Apple has patched 3 zero-days, two of which are the vulnerabilities patched with the tech giant’s first Rapid Security Response updates.

    Reply
  13. Tomi Engdahl says:

    Lacroix Closes Production Sites Following Ransomware Attack
    https://www.securityweek.com/lacroix-closes-production-sites-following-ransomware-attack/

    Technological equipment supplier Lacroix has closed three production sites after experiencing a ransomware attack.

    Technological equipment giant Lacroix Group says it has closed three production sites for the week after experiencing a ransomware attack.

    Lacroix is an international designer and producer of embedded and industrial internet of things (IIoT) systems, including automotive and aerospace equipment, water and energy infrastructure equipment, and smart road infrastructure solutions.

    According to the company, on the night of May 12, it detected a targeted cyberattack that hit its French (Beaupréau), German (Willich) and Tunisian (Zriba) sites that produce electronics systems.

    The company shut down computer systems at these sites and launched an investigation to determine if the attack was fully contained and if any data was exfiltrated.

    Before the attack was intercepted, however, file-encrypting ransomware was deployed and some of the local infrastructures were encrypted.

    “The time needed to carry out these actions and to use the backups to restart should take a few days, which is why the three sites are closed for the week,” Lacroix says.

    Reply
  14. Tomi Engdahl says:

    Researchers Identify Second Developer of ‘Golden Chickens’ Malware
    https://www.securityweek.com/researchers-identify-second-developer-of-golden-chickens-malware/

    Security researchers have identified the second developer of Golden Chickens, a malware suite used by financially-motivated hacking groups Cobalt Group and FIN6.

    Reply
  15. Tomi Engdahl says:

    PoC Tool Exploits Unpatched KeePass Vulnerability to Retrieve Master Passwords
    https://www.securityweek.com/poc-tool-exploits-unpatched-keepass-vulnerability-to-retrieve-master-passwords/

    Researcher publishes PoC tool that exploits unpatched KeePass vulnerability to retrieve the master password from memory.

    Reply
  16. Tomi Engdahl says:

    Microsoft: Windows 11 also haunted by this SATA BIOS bug just like Windows 7, 8, 8.1 and 10
    https://www.neowin.net/news/microsoft-windows-11-also-haunted-by-this-sata-bios-bug-just-like-windows-7-8-81-and-10/

    Microsoft has confirmed that Windows 11, too, is affected by an age-old bug related to Serial Advanced Technology Attachment (SATA).

    The bug is related to the firmware wherein an internal SATA drive, be it a slower, mechanical hard disk drive (HDD) or a faster NAND flash-based Solid-state drive (SSD), is misread as removable media in the Windows taskbar.

This issue is really ancient (by technology standards) as Microsoft says it affects anything newer than Windows Vista, i.e., Windows 7, Windows 8, Windows 8.1, Windows 10, and finally Windows 11.

    Reply
  17. Tomi Engdahl says:

    ASUS routers knocked offline worldwide by bad security update
    https://www.bleepingcomputer.com/news/hardware/asus-routers-knocked-offline-worldwide-by-bad-security-update/

    ASUS has apologized to its customers for a server-side security maintenance error that has caused a wide range of impacted router models to lose network connectivity.

    The problem has been extensively reported on social media and discussion platforms since May 16, 2023, with people appearing puzzled by the simultaneous connectivity issues on multiple ASUS routers and others complaining about the lack of communication from the vendor’s side.

    While the company’s statement does not explicitly state what kind of error occurred and how exactly it impacted remote routers, a user on Reddit explained that the connectivity issues were caused by a corrupted definition file for ASD (ASUS AiProtection).

    “Updating the firmware has pretty much universally fixed this, but so does simply resetting the router to factory defaults so long as it clears the NVRAM,” explained the user on Reddit.

    Reply
  18. Tomi Engdahl says:

    Fearing leaks, Apple restricts ChatGPT use among employees
    Cloud AI tools could leak confidential Apple company data; Apple works on its own LLM.
    https://arstechnica.com/information-technology/2023/05/fearing-leaks-apple-restricts-its-employees-from-using-chatgpt-and-ai-tools/

    According to internal sources and company documents reviewed by The Wall Street Journal, Apple has restricted its employees’ use of ChatGPT and AI coding tools such as GitHub Copilot for fear of leaking confidential data to outside sources. Meanwhile, Apple is also reportedly developing similar AI technology.

    Reply
  19. Tomi Engdahl says:

    Technology 14:11, 17-May-2023
    Chip giant Qualcomm reported to secretly collect, transmit user data
    https://news.cgtn.com/news/2023-05-17/Chip-giant-Qualcomm-reported-to-secretly-collect-transmit-user-data-1jSlvv9bSeI/index.html

    Smartphones with Qualcomm chips were found to send private user information, including IP address, unique ID, mobile country code, back to the U.S. chipmaker, according to a report by the German security company Nitrokey first released on April 25.

    Such personal information was sent “without user consent, unencrypted, and even when using a Google-free Android distribution,” said the report.

    Nitrokey tested with a Sony Xperia XA2 smartphone which was equipped with a Qualcomm Snapdragon 630 chip and installed /e/OS, an open-source version of Android free of Google services.

    No SIM-card was inserted in the phone, nor was the GPS location service turned on. The device can only access the internet through WiFi.

The company monitored the data with Wireshark, a network traffic analysis tool, and found that the data is transmitted to an izatcloud.net server, which is attributed to Qualcomm.

    The report said the data packages were “sent via the HTTP protocol and are not encrypted using HTTPS, SSL or TLS,” making them vulnerable to attacks as anyone accessible to the network “can easily spy on us by collecting this data, store them, and establish a record history using the phone’s unique ID and serial number Qualcomm is sending over to their mysteriously called Izat Cloud.”

    It added that the data sharing with Qualcomm is not mentioned in the terms of service from Sony or Android or /e/OS, which violated the General Data Protection Regulation.

    While a Sony smartphone was used, Nitrokey said “many more Android phones” with popular Qualcomm chips such as Fairphone are likely to be affected.

    Qualcomm’s response

    The chipmaker reacted in a statement sent to Nitrokey that the data sharing was in accordance with its XTRA Service Privacy Policy.

    “Through these software applications, we may collect location data, unique identifiers (such as a chipset serial number or international subscriber ID), data about the applications installed and/or running on the device, configuration data such as the make, model, and wireless carrier, the operating system and version data, software build data, and data about the performance of the device such as performance of the chipset, battery use, and thermal data,” said the statement.

    In its statement sent to cybernews.com, Qualcomm called the Nitrokey report “riddled with inaccuracies and appears to be motivated by the author’s desire to sell his product,” and noted that it only collects personal data permitted by applicable law.

    Nitrokey said the chipmaker, however, didn’t mention IP addresses were being collected originally, but added IP addresses into its data collection list after the research was completed.

    ‘Not a backdoor’

    The report triggered heated discussion after release.

    A Reddit post said that Nitrokey proves a backdoor by Qualcomm chips, which the security firm denied, saying it did not discover a backdoor, and “this is not a backdoor.”

    British tech news website The Register said that the Izat Cloud, part of Qualcomm’s XTRA service, is “basically a way to make GPS more precise and reliable while reducing use of energy-intensive radio hardware.”

    It cited a source familiar with Qualcomm technology saying that all chipmakers “are going to have all kinds of different fetches that they’re going to make [over the network].”

On the other hand, The Register cautioned that data transmission on mobile devices can cause problems in high-risk environments in that “network identifiers such as IP addresses can be considered personal data, particularly when paired with hardware identifiers or other sorts of data.”

Martijn Braam, an IT expert, said in his critique titled “Nitrokey disappoints me” that what’s in the HTTP traffic “does not contain any private data” but just downloads a GPS almanac from Qualcomm for A-GPS, which is to “make getting a GPS fix quicker and more reliable.”

    Also, “The thing that gets leaked is your IP address which is required because that’s how you connect to things on the internet. This system does not actually send any of your private information like the title of the article claims,” Braam said.

    He added the feature “happens in practically all devices that have both GPS and internet,” and also called the Nitrokey article a marketing piece for selling their own phones.

    Reply
  20. Tomi Engdahl says:

    https://www.helpnetsecurity.com/2023/05/17/cve-2023-32784/

    KeePass flaw allows retrieval of master password, PoC is public (CVE-2023-32784)
    A vulnerability (CVE-2023-32784) in the open-source password manager KeePass can be exploited to retrieve the master password from the software’s memory, says the researcher who unearthed the flaw.

    Reply
  21. Tomi Engdahl says:

This is what the traffic sign looks like with which the police announce technical surveillance
    The police have filmed large events before, for example. Now camera resolution has improved so much that people's faces can be distinguished in the images. This is announced with a traffic sign.
    https://yle.fi/a/74-20032574

    Reply
  22. Tomi Engdahl says:

    Unpatched Wemo Smart Plug Bug Opens Countless Networks to Cyberattacks
Cyberattackers can easily exploit a command-injection bug in the popular device, but Belkin has no plans to address the security vulnerability.
    https://www.darkreading.com/ics-ot/belkins-wemo-smart-plug-opens-networks-cyberattacks

    Reply
  23. Tomi Engdahl says:

    Dan Goodin / Ars Technica:
    Researchers reveal many low-cost Android phones and smart TVs from lesser-known brands, sold in the US and owned by millions, come with malware preinstalled — The bane of low-cost Android devices is showing no signs of going away. — Overall, Android devices have earned a decidedly mixed reputation for security.

    Potentially millions of Android TVs and phones come with malware preinstalled
    The bane of low-cost Android devices is showing no signs of going away.
    https://arstechnica.com/information-technology/2023/05/potentially-millions-of-android-tvs-and-phones-come-with-malware-preinstalled/

    Reply
  24. Tomi Engdahl says:

    Bloomberg:
    China says Micron’s products caused “significant security risks to our critical information infrastructure supply chain” and warns operators against buying them — China delivered the latest salvo in an escalating semiconductor war with the US, announcing that Micron Technology Inc. products …

    China Bars Micron Chips in Escalation of US Tech Clash
    https://www.bloomberg.com/news/articles/2023-05-21/china-says-micron-products-failed-in-its-cybersecurity-review

    Joe Biden says he expects China relations to improve soon
    Company says it’s assessing next steps, will engage in talks

    China delivered the latest salvo in an escalating semiconductor war with the US, announcing that Micron Technology Inc. products have failed to pass a cybersecurity review in the country.

    In a statement Sunday, Beijing warned operators of key infrastructure against buying the company’s goods, saying it found “relatively serious” cybersecurity risks in Micron products sold in the country.

    The components caused “significant security risks to our critical information infrastructure supply chain,” which would affect national security, according to the statement from the Cyberspace Administration of China, or CAC.

    The results come more than a month after China announced an investigation of imports from America’s largest memory-chip maker. The tech sector has become a key battlefield over national security between the two largest economies, with Washington having already blacklisted Chinese tech firms, cut off the flow of sophisticated processors and banned its citizens from providing certain help to the Chinese chip industry. In a statement, the US Commerce Department said Beijing’s conclusion had “no basis in fact” and Washington will continue to try and limit industry disruptions with its allies.

    Shares in Micron’s biggest industry rivals, Samsung Electronics Co. and SK Hynix Inc., gained in Seoul. Chinese chip stocks including sector bellwethers Semiconductor Manufacturing International Corp. and Hua Hong Semiconductor Ltd. climbed more than 3% in Hong Kong.

    Reply
  26. Tomi Engdahl says:

    Developer Alert: NPM Packages for Node.js Hiding Dangerous TurkoRat Malware https://thehackernews.com/2023/05/developer-alert-npm-packages-for-nodejs.html
Two malicious packages discovered in the npm package repository have been found to conceal an open source information stealer malware called TurkoRat. The packages named nodejs-encrypt-agent and nodejs-cookie-proxy-agent were collectively downloaded approximately 1,200 times and were available for more than two months before they were identified and taken down.

    Reply
  27. Tomi Engdahl says:

    Take action now to avoid BianLian ransomware attacks, US Government warns organisations https://www.tripwire.com/state-of-security/take-action-now-avoid-bianlian-ransomware-attacks-us-government-warns
The US Cybersecurity and Infrastructure Security Agency (CISA), FBI, and others have issued a joint alert, advising organisations of the steps they should take to mitigate the threat posed by BianLian ransomware attacks. BianLian, which has been targeting different industry sectors since June 2022, is a ransomware developer, deployer and data extortion group which has predominantly targeted enterprises.

    In recent months the group’s attack model has changed from one where financial, business, client, and personal data has been exfiltrated for leverage followed by encryption of victims’ systems to one which primarily steals data while leaving systems intact.

    Reply
  28. Tomi Engdahl says:

    Many Android Phones Can Be Unlocked With A Photo https://www.forbes.com/sites/emmawoollacott/2023/05/19/many-android-phones-can-be-unlocked-with-a-photo/
Many phones that can be unlocked using facial recognition can be fooled by a photograph, research has found. According to consumer body “Which?”, scammers can bypass the screen lock on certain Android phones and access sensitive information. Researchers tested 48 phones and found that 19 could be unlocked with a photo of the owner, even a low-resolution one printed on normal paper.

    Reply
  29. Tomi Engdahl says:

    CloudWizard APT: the bad magic story goes on https://securelist.com/cloudwizard-apt/109722/
    In March 2023, we uncovered a previously unknown APT campaign in the region of the Russo-Ukrainian conflict that involved the use of PowerMagic and CommonMagic implants. However, at the time it was not clear which threat actor was behind the attack. While looking for implants bearing similarities with PowerMagic and CommonMagic, we identified a cluster of even more sophisticated malicious activities originating from the same threat actor

    Reply
  30. Tomi Engdahl says:

    Microsoft: Notorious FIN7 hackers return in Clop ransomware attacks https://www.bleepingcomputer.com/news/security/microsoft-notorious-fin7-hackers-return-in-clop-ransomware-attacks/
A financially motivated cybercriminal group known as FIN7 resurfaced last month, with Microsoft threat analysts linking it to attacks where the end goal was the deployment of Clop ransomware payloads on victims’ networks. “Financially motivated cybercriminal group Sangria Tempest (ELBRUS, FIN7) has come out of a long period of inactivity,” the company said in a series of tweets from the Microsoft Security Intelligence Twitter account.

    Reply
  31. Tomi Engdahl says:

    CISA warns of Samsung ASLR bypass flaw exploited in attacks https://www.bleepingcomputer.com/news/security/cisa-warns-of-samsung-aslr-bypass-flaw-exploited-in-attacks/
    CISA warned today of a security vulnerability affecting Samsung devices used in attacks to bypass Android address space layout randomization (ASLR) protection. The flaw (CVE-2023-21492) impacts Samsung mobile devices running Android 11, 12, and 13 and is due to an insertion of sensitive information into log files. In this month’s security updates, Samsung has addressed this issue by ensuring that the kernel pointers are no longer printed in log files

    Reply
  32. Tomi Engdahl says:

    New hardware vulnerability in Intel processors https://www.kaspersky.com/blog/transient-cpu-eflags/48229/
Researchers at both the University of Maryland in the U.S. and Tsinghua University in China have published a scientific paper documenting a new side-channel attack method that exploits a previously unknown hardware vulnerability in Intel processors. Although the vulnerability seems to affect the chipmaker’s latest processors, it’s most effective in attacking older models that are also exposed to the Meltdown vulnerability. The paper would likely be purely of scientific interest were it not for one aspect: attackers steal sensitive information by changing flag register data.

Timing the Transient Execution: A New Side-Channel Attack on Intel CPUs
    https://arxiv.org/pdf/2304.10877.pdf

In this work, we discover a vulnerability that the change of the EFLAGS register in transient execution may have a side effect on the Jcc (jump on condition code) instruction after it in Intel CPUs. Based on our discovery, we propose a new side-channel attack that leverages the timing of both transient execution and Jcc instructions to deliver data. This attack encodes secret data to the change of register which makes the execution time of context slightly slower, which can be measured by the attacker to decode data. This attack doesn’t rely on the cache system and doesn’t need to reset the EFLAGS register manually to its initial state before the attack, which may make it more difficult to detect or mitigate. We implemented this side-channel on machines with Intel Core i7-6700, i7-7700, and i9-10980XE CPUs. In the first two processors, we combined it as the side-channel of the Meltdown attack, which could achieve 100% success leaking rate. We evaluate and discuss potential defenses against the attack. Our contributions include discovering security vulnerabilities in the implementation of Jcc instructions and EFLAGS register and proposing a new side-channel attack that does not rely on the cache system.

    Reply
