Cyber security news May 2023

This posting is here to collect cyber security news in May 2023.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.

379 Comments

  1. Tomi Engdahl says:

    Cloned CapCut websites push information stealing malware https://www.bleepingcomputer.com/news/security/cloned-capcut-websites-push-information-stealing-malware/
    A new malware distribution campaign is underway impersonating the CapCut video editing tool to push various malware strains to unsuspecting victims. CapCut is ByteDance’s official video editor and maker for TikTok, supporting music mixing, color filters, animation, slow-mo effects, picture-in-picture, stabilization, and more.

  2. Tomi Engdahl says:

    HP rushes to fix bricked printers after faulty firmware update https://www.bleepingcomputer.com/news/technology/hp-rushes-to-fix-bricked-printers-after-faulty-firmware-update/
    HP is working to address a bad firmware update that has been bricking HP OfficeJet printers worldwide since it was released earlier this month. While HP has yet to issue a public statement regarding these ongoing problems affecting a subset of its customer base, the company told BleepingComputer that it’s addressing the blue screen errors seen by a “limited number” of users.

  3. Tomi Engdahl says:

    Meet ‘Jack’ from Romania! Mastermind Behind Golden Chickens Malware https://thehackernews.com/2023/05/meet-jack-from-romania-mastermind.html
    The identity of the second threat actor behind the Golden Chickens malware has been uncovered courtesy of a fatal operational security blunder, cybersecurity firm eSentire said. The individual in question, who lives in Bucharest, Romania, has been given the codename Jack. He is one of the two criminals operating an account on the Russian-language Exploit.in forum under the name “badbullzvenom,” the other being “Chuck from Montreal.”

  4. Tomi Engdahl says:

    Android phones are vulnerable to fingerprint brute-force attacks https://www.bleepingcomputer.com/news/security/android-phones-are-vulnerable-to-fingerprint-brute-force-attacks/
    Researchers at Tencent Labs and Zhejiang University have presented a new attack called ‘BrutePrint,’ which brute-forces fingerprints on modern smartphones to bypass user authentication and take control of the device. Brute-force attacks rely on many trial-and-error attempts to crack a code, key, or password and gain unauthorized access to accounts, systems, or networks.

  5. Tomi Engdahl says:

    Sidhartha Shukla / Bloomberg:
    A researcher says crypto mixer Tornado Cash was taken over by hackers on Saturday through a malicious governance proposal that gave them a majority of votes — Tornado Cash, a service that allows users to mask cryptocurrency transactions, suffered a hostile takeover by hackers through a malicious governance proposal.

    Sanctioned Crypto Mixer Tornado Cash Hijacked by Hackers
    https://www.bloomberg.com/news/articles/2023-05-21/sanctioned-crypto-mixer-tornado-cash-hijacked-by-hackers#xj4y7vzkg

    Malicious governance proposal was used to take over protocol
    Service’s native token TORN tumbled in wake of the incident

  6. Tomi Engdahl says:

    Pimcore Platform Flaws Exposed Users to Code Execution
    https://www.securityweek.com/pimcore-platform-flaws-exposed-users-to-code-execution/

    Security researchers are warning that newly patched vulnerabilities in the Pimcore platform bring code execution risks.

    Security researchers are warning that vulnerabilities patched in the open-source Pimcore platform could have led to the execution of arbitrary code when clicking on a link.

    A digital experience platform, Pimcore provides data and user experience management capabilities to over 100,000 organizations worldwide.

    In March 2023, version 10.5.19 of the Pimcore platform resolved two issues that could have been used together to achieve arbitrary code execution, open source software security company Sonar Source says.

    The two vulnerabilities, a path traversal bug and an SQL injection flaw, were identified in a GET request endpoint only accessible to admins, but which lacked CSRF protections.

    Because the value of the endpoint’s exportFile parameter was not sanitized prior to being appended to the web root path, an attacker could “control the extension as well as traverse back in the folder path”, Sonar Source says.

    This allowed an attacker to control the “CSV output file path, name, and extension”, leading to the creation of PHP files on the server.

    To be able to control the content of the file for code execution, the attacker could then exploit an SQL injection flaw in the same endpoint, which allowed for the execution of arbitrary SQL queries.

    The two vulnerabilities, which are tracked together as CVE-2023-28438, could be chained together in a single GET request by creating a malicious link and tricking an administrator to click on it, resulting in the deployment of a web shell on the server.

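The chain described in the comment above works only because three checks are missing at once: the export endpoint is reachable through a plain GET link an administrator can be tricked into clicking (no CSRF token), the exportFile value is appended to a filesystem path without sanitisation (traversal plus attacker-chosen extension), and the file's contents come from an injectable SQL query. The following is an added example written for this page, not Pimcore's code and not in Pimcore's language (Pimcore is PHP; this is Python so it runs stand-alone). It shows a hardened export handler that refuses each link of the chain. The function names, the `objects` table, and the plain-dict `request`/`session` standing in for a web framework's objects are assumptions for illustration; the `exportFile` parameter name is the one the article mentions.

```python
"""Hardened CSV export handler (added example, not Pimcore's code).

Models the three checks whose absence the Pimcore chain relied on: a
state-changing endpoint reachable by a GET link without a CSRF token, an
exportFile name appended to a path unsanitised, and an injectable SQL
query supplying the file content.  handle_export, the objects table and
the dict-based request/session are assumptions for illustration.
"""
import csv
import hmac
import os
import sqlite3
import tempfile

ALLOWED_EXT = ".csv"


def resolve_export_path(export_dir: str, requested: str) -> str:
    """Return an absolute path inside export_dir or raise ValueError.

    Rejects anything with a directory component (so "../../web/x.php" and
    "/etc/x.csv" fail) and any extension other than .csv, so the caller can
    never be made to write a .php file under the web root.
    """
    base = os.path.realpath(export_dir)
    if requested in ("", ".", "..") or os.path.basename(requested) != requested:
        raise ValueError("exportFile must be a bare file name")
    stem, ext = os.path.splitext(requested)
    if not stem or ext.lower() != ALLOWED_EXT:
        raise ValueError("exportFile must end in .csv")
    full = os.path.realpath(os.path.join(base, requested))
    # If the name resolves through a symlink to somewhere outside base,
    # the commonpath check catches it.
    if os.path.commonpath([base, full]) != base:
        raise ValueError("exportFile escapes the export directory")
    return full


def handle_export(request: dict, session: dict, conn: sqlite3.Connection,
                  export_dir: str) -> str:
    """Write the requested object to a CSV file and return its path.

    Each rejection below corresponds to one link of the exploit chain.
    """
    # 1. A state-changing action must not be reachable via a link an admin clicks.
    if request.get("method") != "POST":
        raise PermissionError("export must be a POST, not a GET link")
    # 2. Constant-time comparison of the per-session CSRF token.
    if not hmac.compare_digest(session["csrf"], str(request.get("csrf", ""))):
        raise PermissionError("missing or invalid CSRF token")
    # 3. Path traversal / extension control.
    path = resolve_export_path(export_dir, str(request.get("exportFile", "")))
    # 4. SQL injection: type-check the id and bind it, never concatenate it.
    try:
        object_id = int(request.get("id", ""))
    except ValueError:
        raise ValueError("id must be an integer") from None
    rows = conn.execute(
        "SELECT id, name FROM objects WHERE id = ?", (object_id,)
    ).fetchall()
    with open(path, "w", newline="") as fh:
        writer = csv.writer(fh)
        writer.writerow(["id", "name"])
        writer.writerows(rows)
    return path


def demo() -> dict:
    """Run the handler against constructed inputs and report what happened."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE objects (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO objects VALUES (1, 'alpha'), (2, 'beta')")
    session = {"csrf": "c0ffee"}  # constructed session token
    results = {}

    def attempt(req):
        try:
            return os.path.basename(handle_export(req, session, conn, export_dir))
        except (PermissionError, ValueError) as exc:
            return type(exc).__name__

    with tempfile.TemporaryDirectory() as export_dir:
        good = {"method": "POST", "csrf": "c0ffee",
                "exportFile": "report.csv", "id": "1"}
        results["ok"] = attempt(good)
        results["get_link"] = attempt({**good, "method": "GET"})
        results["bad_csrf"] = attempt({**good, "csrf": "deadbeef"})
        results["traversal"] = attempt({**good, "exportFile": "../../web/shell.php"})
        results["bad_ext"] = attempt({**good, "exportFile": "shell.php"})
        results["sqli"] = attempt({**good, "id": "1 UNION SELECT 2, 'x'"})
        with open(os.path.join(export_dir, "report.csv"), newline="") as fh:
            results["rows"] = list(csv.reader(fh))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block prints one line per attempt: only the well-formed POST produces `report.csv`, while the GET link and the bad token are refused before any file is touched, the traversal and `.php` names never reach the filesystem, and the injection string fails the integer check before it can reach the database. The order of the checks matters: the CSRF and method checks come first so that an attacker who can only deliver a link never gets to exercise the path or query logic at all.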
  7. Tomi Engdahl says:

    US Teenager Indicted for Credential Stuffing Attack on Fantasy Sports Website
    https://www.securityweek.com/us-teenager-indicted-for-credential-stuffing-attack-on-fantasy-sports-website/

    Wisconsin teen Joseph Garrison is charged with launching a credential stuffing attack that affected roughly 60,000 user accounts.

    A Wisconsin teenager has been charged with accessing tens of thousands of user accounts at a fantasy sports and betting website after launching a credential stuffing attack on the site.

    According to a six-count criminal complaint (PDF), the teenager, Joseph Garrison, of Wisconsin, launched the attack on the betting website on November 18, 2022, accessing roughly 60,000 accounts without authorization.

    In some cases, the defendant and others added a new payment method to the compromised accounts, deposited $5 using the new payment method, and then withdrew all the victims’ funds to financial accounts controlled by the attackers.

    According to the complaint, the attackers used this method on roughly 1,600 victim accounts, stealing approximately $600,000.

  8. Tomi Engdahl says:

    Apple Patches 3 Exploited WebKit Zero-Day Vulnerabilities
    https://www.securityweek.com/apple-patches-3-exploited-webkit-zero-day-vulnerabilities/
    Apple has patched 3 zero-days, two of which are the vulnerabilities patched with the tech giant’s first Rapid Security Response updates.

  9. Tomi Engdahl says:

    Ritva, 65, received a strange message in a female relative’s name; what followed was a real close call and a sleepless night https://www.is.fi/digitoday/tietoturva/art-2000009573008.html
    Finns’ Facebook and Instagram accounts, and even WhatsApp accounts, are regularly targeted for theft. The criminals’ aim is typically to use the hijacked account to approach the victim’s acquaintances, get them to hand over their payment card details and hijack their accounts as well. This usually happens by contacting the victim from a previously stolen account on social media or via instant messaging. Ritva, a 65-year-old from Central Finland, received such a message on Sunday morning the week before last.

  10. Tomi Engdahl says:

    G7 leaders called for common rules for AI: legislation has not kept up with rapid development https://www.tivi.fi/uutiset/tv/e3ee7bc7-bee6-430d-83da-87c25539a92b
    The G7 countries are calling for global regulation of AI technology. Reuters, among others, reported on the G7 summit held in Hiroshima, Japan. According to the leaders attending, common rules for AI development are needed because legislation has not kept pace with the rapidly advancing technology.

  11. Tomi Engdahl says:

    CISA orders govt agencies to patch iPhone bugs exploited in attacks https://www.bleepingcomputer.com/news/security/cisa-orders-govt-agencies-to-patch-iphone-bugs-exploited-in-attacks/
    Today, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) ordered federal agencies to address three recently patched zero-day flaws affecting iPhones, Macs, and iPads known to be exploited in attacks. The security bugs are tracked as CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373, all found in the WebKit browser engine.

  12. Tomi Engdahl says:

    EU slaps Meta with $1.3 billion fine for moving data to US servers https://www.bleepingcomputer.com/news/technology/eu-slaps-meta-with-13-billion-fine-for-moving-data-to-us-servers/
    The Irish Data Protection Commission (DPC) has announced a $1.3 billion fine on Facebook after claiming that the company violated Article 46(1) of the GDPR (General Data Protection Regulation). More specifically, it was found that Facebook transferred data of EU-based users of the platform to the United States, where data protection regulations vary per state and have been deemed inadequate to protect the rights of EU data subjects.

  13. Tomi Engdahl says:

    U.K. Fraudster Behind iSpoof Scam Receives 13-Year Jail Term for Cyber Crimes https://thehackernews.com/2023/05/uk-fraudster-behind-ispoof-scam.html
    A U.K. national responsible for his role as the administrator of the now-defunct iSpoof online phone number spoofing service has been sentenced to 13 years and 4 months in prison. Tejay Fletcher, 35, of Western Gateway, London, was awarded the sentence on May 18, 2023. He pleaded guilty last month to a number of cyber offenses, including facilitating fraud and possessing and transferring criminal property.

  14. Tomi Engdahl says:

    Crypto phishing service Inferno Drainer defrauds thousands of victims https://www.bleepingcomputer.com/news/security/crypto-phishing-service-inferno-drainer-defrauds-thousands-of-victims/
    A cryptocurrency phishing and scam service called ‘Inferno Drainer’ has reportedly stolen over $5.9 million worth of crypto from 4,888 victims. According to a report by the Web3 anti-scam firm ‘Scam Sniffer,’ the phishing service has created at least 689 fake websites since March 27, 2023.

  15. Tomi Engdahl says:

    BlackCat Ransomware Deploys New Signed Kernel Driver https://www.trendmicro.com/en_us/research/23/e/blackcat-ransomware-deploys-new-signed-kernel-driver.html
    In late December 2022, Mandiant, Sophos and SentinelOne, via a coordinated disclosure, reported malicious kernel drivers being signed through several Microsoft hardware developer accounts (certified by Microsoft’s Windows Hardware Developer Program). These profiles had been used in a number of cyberattacks that included ransomware-based incidents. Microsoft subsequently revoked several Microsoft hardware developer accounts that were abused in these attacks. In this blog post, we will provide details on a BlackCat ransomware incident that occurred in February 2023, where we observed a new capability, mainly used for the defense evasion phase, that overlaps with the earlier malicious drivers disclosed by the three vendors.

  16. Tomi Engdahl says:

    Samsung Smartphone Users Warned of Actively Exploited Vulnerability
    https://www.securityweek.com/samsung-smartphone-users-warned-of-actively-exploited-vulnerability/

    Samsung smartphone users warned about CVE-2023-21492, an ASLR bypass vulnerability exploited in the wild, likely by a spyware vendor.

  17. Tomi Engdahl says:

    This message from a friend is poison: here’s what to do if you receive one https://www.is.fi/digitoday/tietoturva/art-2000009604253.html
    The National Cyber Security Centre of the Finnish Transport and Communications Agency Traficom warns of instant messages sent in a friend’s name asking for your phone number. The purpose of such a message is to hijack your account.
    The message has been sent from a hijacked account. Typically the pretext for asking for the phone number is a contest that the friend says they have entered the victim in and which requires a number.

  18. Tomi Engdahl says:

    Arms maker Rheinmetall confirms BlackBasta ransomware attack https://www.bleepingcomputer.com/news/security/arms-maker-rheinmetall-confirms-blackbasta-ransomware-attack/
    German automotive and arms manufacturer Rheinmetall AG confirms that it suffered a BlackBasta ransomware attack that impacted its civilian business. Rheinmetall is a German manufacturer of automotive, military vehicles, armaments, air defense systems, engines, and various steel products, which employs over 25,000 people and has an annual revenue of over $7 billion.

  19. Tomi Engdahl says:

    Suzuki motorcycle plant shut down by cyber attack https://www.bitdefender.com/blog/hotforsecurity/suzuki-motorcycle-plant-shut-down-by-cyber-attack/
    The Indian manufacturing plant responsible for manufacturing Suzuki motorcycles has been forced to shut down following a cyber attack.
    Since May 10, production of bikes and scooters at Suzuki Motorcycle’s Indian plant has reportedly been temporarily suspended with the loss of an estimated 20,000 vehicles. In addition, Suzuki Motorcycle has postponed its annual supplier conference, which was due to start this week.

  20. Tomi Engdahl says:

    Google launches bug bounty program for its Android applications https://www.bleepingcomputer.com/news/google/google-launches-bug-bounty-program-for-its-android-applications/
    Google has launched the Mobile Vulnerability Rewards Program (Mobile VRP), a new bug bounty program that will pay security researchers for flaws found in the company’s Android applications. “We are excited to announce the new Mobile VRP! We are looking for bughunters to help us find and fix vulnerabilities in our mobile applications,” Google VRP tweeted.

  21. Tomi Engdahl says:

    Suspicion stalks Genesis Market’s competitors following FBI takedown https://therecord.media/genesis-market-russian-market-2easy-shop-cybercrime-fraud
    A month on from an international operation that culminated in the FBI seizing the web domains used by the fraud platform Genesis Market, the cybercrime underworld remains suspicious of its surviving darknet site and slow to move to its competitors. Researchers and law enforcement intelligence officials monitoring Genesis Market’s primary alternatives, Russian Market and 2easy Shop, sites that similarly sold browser data that allowed scammers to commit fraud, say the takedown has had a global impact on online crime.

  22. Tomi Engdahl says:

    IT employee impersonates ransomware gang to extort employer https://www.bleepingcomputer.com/news/security/it-employee-impersonates-ransomware-gang-to-extort-employer/
    A 28-year-old United Kingdom man from Fleetwood, Hertfordshire, has been convicted of unauthorized computer access with criminal intent and blackmailing his employer. A press release published yesterday by the South East Regional Organised Crime Unit (SEROCU) explains that in February 2018, the convicted man, Ashley Liles, worked as an IT Security Analyst at an Oxford-based company that suffered a ransomware attack.

  23. Tomi Engdahl says:

    “Our research discovers how the rolling shutter and movable lens structures widely found in smartphone cameras modulate structure-borne sounds onto camera images, creating a point-of-view (POV) optical-acoustic side channel for acoustic eavesdropping. The movement of smartphone camera hardware leaks acoustic information because images unwittingly modulate ambient sound as imperceptible distortions. Our experiments find that the side channel is further amplified by intrinsic behaviors of Complementary Metal-Oxide-Semiconductor (CMOS) rolling shutters and movable lenses such as in Optical Image Stabilization (OIS) and Auto Focus (AF).”

    https://arxiv.org/ftp/arxiv/papers/2301/2301.10056.pdf

  24. Tomi Engdahl says:

    Mikrotik Belatedly Patches RouterOS Flaw Exploited at Pwn2Own
    https://www.securityweek.com/mikrotik-belatedly-patches-routeros-flaw-exploited-at-pwn2own/
    MikroTik patches a major security defect in its RouterOS product a full five months after it was exploited at Pwn2Own Toronto.
    Latvian network equipment manufacturer MikroTik has shipped a patch for a major security defect in its RouterOS product and confirmed the vulnerability was exploited five months ago at the Pwn2Own Toronto hacking contest.
    In a barebones advisory documenting the CVE-2023-32154 flaw, Mikrotik confirmed the issue affects devices running MikroTik RouterOS versions v6.xx and v7.xx with enabled IPv6 advertisement receiver functionality.
    According to ZDI, organizers of the Pwn2Own software exploitation event, the vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Mikrotik RouterOS.

  25. Tomi Engdahl says:

    Iranian Hackers Using New Windows Kernel Driver in Attacks
    https://www.securityweek.com/iranian-hackers-target-middle-east-entities-with-new-windows-kernel-driver/

    Iranian threat actors use a Windows kernel driver called ‘Wintapix’ in attacks against Middle East targets.

  26. Tomi Engdahl says:

    Threat Actor Abuses SuperMailer for Large-scale Phishing Campaign

    A credential phishing campaign using the legitimate SuperMailer newsletter distribution app has doubled in size each month since January 2023.

    https://www.securityweek.com/threat-actor-abuses-supermailer-for-large-scale-phishing-campaign/

  27. Tomi Engdahl says:

    New ‘GoldenJackal’ APT Targets Middle East, South Asia Governments

    The newly detailed GoldenJackal APT has been targeting government and diplomatic entities in the Middle East and South Asia since 2019.

    https://www.securityweek.com/new-goldenjackal-apt-targets-middle-east-south-asia-governments/

  28. Tomi Engdahl says:

    Rheinmetall Says Military Business Not Impacted by Ransomware Attack

    Rheinmetall confirms being hit by Black Basta ransomware group, but says its military business is not affected.

    https://www.securityweek.com/rheinmetall-says-military-business-not-impacted-by-ransomware-attack/

  29. Tomi Engdahl says:

    A finder of a security vulnerability can now earn 100,000 euros: LähiTapiola doubled its maximum bounty for white-hat hackers https://www.epressi.com/tiedotteet/vakuutus/tietoturvahaavoittuvuuden-loytaja-voi-tienata-jatkossa-100-000-euroa-lahitapiola-tuplasi-maksimipalkkionsa-hyvishakkereille.html
    LähiTapiola has decided to double the maximum reward it offers to white-hat hackers through its Bug Bounty program. Previously the maximum reward of the program, which aims at finding security vulnerabilities, was 50,000 euros. The amount, now raised to 100,000 euros, is attractive even by international standards. No company’s rewards in Finland have previously reached the same level.

  30. Tomi Engdahl says:

    Barracuda warns of email gateways breached via zero-day flaw https://www.bleepingcomputer.com/news/security/barracuda-warns-of-email-gateways-breached-via-zero-day-flaw/
    Barracuda, a company known for its email and network security solutions, warned customers today that some of their Email Security Gateway (ESG) appliances were breached last week by targeting a now-patched zero-day vulnerability. On Friday, May 19, a vulnerability was discovered in the email attachment scanning module. The issue was addressed by applying two security patches on May 20 and 21.

  31. Tomi Engdahl says:

    N. Korean Lazarus Group Targets Microsoft IIS Servers to Deploy Espionage Malware https://thehackernews.com/2023/05/n-korean-lazarus-group-targets.html
    The infamous Lazarus Group actor has been targeting vulnerable versions of Microsoft Internet Information Services (IIS) servers as an initial breach route to deploy malware on targeted systems. The findings come from the AhnLab Security Emergency response Center (ASEC), which detailed the advanced persistent threat’s (APT) continued abuse of DLL side-loading techniques to run arbitrary payloads.

  32. Tomi Engdahl says:

    Ransomware gang pulls Philadelphia Inquirer listing after victim questions documents https://therecord.media/philadelphia-inquirer-cyber-incident-cuba-ransomware-group
    On Tuesday, the Cuba ransomware gang, which has attacked at least 100 organizations globally and brought in more than $60 million as of last August, according to U.S. authorities, added the Inquirer to its website’s list of victims. However, within 24 hours, that listing had been removed. While this normally occurs when victims make an extortion payment, or begin negotiating one, this listing disappeared following questions about whether the documents uploaded were actually from the cited victim.

  33. Tomi Engdahl says:

    Samsung Smartphone Users Warned of Actively Exploited Vulnerability
    https://www.securityweek.com/samsung-smartphone-users-warned-of-actively-exploited-vulnerability/

    Samsung smartphone users warned about CVE-2023-21492, an ASLR bypass vulnerability exploited in the wild, likely by a spyware vendor.

    Samsung smartphone users have been warned by the vendor and the US Cybersecurity and Infrastructure Security Agency (CISA) about a recently patched vulnerability being exploited in attacks.

    The flaw in question is CVE-2023-21492, described as a kernel pointer exposure issue related to log files. The security hole can allow a privileged local attacker to bypass the ASLR exploit mitigation technique. This indicates that it has likely been chained with other bugs.

    Samsung patched CVE-2023-21492 with its May 2023 security updates and said it learned about the flaw in mid-January. The company said certain Android 11, 12 and 13 devices are impacted.

    CISA added the bug to its Known Exploited Vulnerabilities (KEV) catalog on Friday, instructing government agencies to patch it by June 9.

    The vulnerability was discovered by Google’s Threat Analysis Group, which suggests that it has likely been exploited by a commercial spyware vendor. Google noted in its zero-day exploitation database that CVE-2023-21492 was discovered in 2021.

  34. Tomi Engdahl says:

    US Sanctions North Korean University for Training Hackers
    https://www.securityweek.com/us-sanctions-north-korean-university-for-training-hackers/

    The US government has announced sanctions against four entities and one individual engaging in cyber activities on behalf of the North Korean government.

    The US Department of the Treasury on Tuesday announced sanctions against four entities and one individual for engaging in malicious cyber activities on behalf of the North Korean government.

    North Korean threat actors, such as the infamous Lazarus group, launch malicious campaigns targeting organizations and individuals worldwide to generate illicit revenue to support the Pyongyang regime and its priorities, the US says.

    According to the Treasury’s Office of Foreign Assets Control (OFAC), North Korean threat actors are trained at the Pyongyang University of Automation, with many of them landing jobs within units of the Reconnaissance General Bureau (RGB), the country’s primary intelligence bureau.

    RGB, which was designated by OFAC in 2015 as being subordinated to the North Korean government, also controls the Technical Reconnaissance Bureau and its cyber unit, the 110th Research Center.

    Treasury Targets DPRK Malicious Cyber and Illicit IT Worker Activities
    https://home.treasury.gov/news/press-releases/jy1498

  35. Tomi Engdahl says:

    Android App With 50,000 Downloads in Google Play Turned Into Spyware via Update
    https://www.securityweek.com/android-app-with-50000-downloads-in-google-play-turned-into-spyware-via-update/

    The AhRat trojan was injected in a screen recording application that had amassed more than 50,000 downloads via Google Play.

    A screen recording application that had amassed more than 50,000 downloads in Google Play was trojanized via an update last year, cybersecurity firm ESET reports.

    The application, ‘iRecorder – Screen Recorder’, was initially published on Google Play in September 2021, without malicious functionality. When updated to version 1.3.8 in August last year, the AhMyth-based remote access trojan called AhRat was injected into the app.

    According to ESET, the AhRat trojan, which has not been observed in the wild elsewhere, can record audio using the microphone and exfiltrate the recordings and other files from the infected devices, suggesting its use in an espionage campaign.

    AhMyth is a cross-platform RAT previously used by APT36, a Pakistan-linked state-sponsored threat actor also known as Transparent Tribe and Mythic Leopard, but the AhRat observed in this incident could not be linked to any known advanced persistent threat (APT) actor.

  36. Tomi Engdahl says:

    OAuth Vulnerabilities in Widely Used Expo Framework Allowed Account Takeovers
    OAuth vulnerabilities found in the widely used Expo application development platform could have been exploited for account takeovers.
    https://www.securityweek.com/oauth-vulnerabilities-in-widely-used-expo-framework-allowed-account-takeovers/

  37. Tomi Engdahl says:

    Biden Picks New NSA head, Key to Support of Ukraine, Defense of US Elections
    https://www.securityweek.com/biden-picks-new-nsa-head-key-to-support-of-ukraine-defense-of-us-elections/

    U.S. President Joe Biden has picked a new NSA and Cyber Command leader to oversee America’s cyber warfare and defense.

    WASHINGTON (AP) — President Joe Biden has chosen a new leader for the National Security Agency and U.S. Cyber Command, a joint position that oversees much of America’s cyber warfare and defense.

    Air Force Lt. Gen. Timothy Haugh, the current deputy commander of Cyber Command, would replace Army Gen. Paul Nakasone, who has led both organizations since May 2018 and was expected to step down this year, according to a notice sent by the Air Force this week and confirmed by a person familiar with the announcement. The person spoke on condition of anonymity to discuss personnel matters not yet made public.

    If confirmed, Haugh will take charge of highly influential U.S. efforts to bolster Ukraine’s cybersecurity and share information with Ukrainian forces fighting Russia’s invasion. He will also oversee programs to detect and stop foreign influence and interference in American elections, as well as those targeting criminals behind ransomware attacks that have shut down hospital systems and at one point a key U.S. fuel pipeline.

  38. Tomi Engdahl says:

    Microsoft Catches Chinese .Gov Hackers in Guam Critical Infrastructure Orgs
    https://www.securityweek.com/microsoft-catches-chinese-gov-hackers-in-guam-critical-infrastructure-orgs/

    Microsoft says it has caught Chinese government hackers siphoning data from critical infrastructure organizations in Guam, a U.S. territory in the Pacific Ocean.

    Microsoft says it has caught Chinese state-backed hackers siphoning data from critical infrastructure organizations in Guam, a U.S. territory in the Pacific Ocean.

    The discovery of Chinese-made cyberespionage malware in Guam is raising eyebrows because the tiny island is considered an important part of a future China/Taiwan military conflict.

    “Microsoft assesses with moderate confidence that this [Chinese cyberespionage] campaign is pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises,” the software giant said in a note documenting the APT discovery.

    The U.S. government’s cybersecurity response agency CISA has issued an urgent bulletin calling attention to the threat actor and providing mitigation guidance, IOCs and other telemetry to help defenders hunt for signs of compromise.

  39. Tomi Engdahl says:

    An exceptionally brazen scam in S-Pankki’s name: here’s how to recognize the dangerous call https://www.is.fi/digitoday/tietoturva/art-2000009610332.html
    S-Pankki warns of scam calls in which a person posing as an S-Pankki representative has tried to get hold of a customer’s funds or online banking credentials. “The bank is aware of only a few cases so far, but we want to warn our customers about the phenomenon.
    Various scam attempts in banks’ names are in circulation all the time, and scammers constantly use new methods to trick customers out of valuable information such as banking credentials,” says S-Pankki’s fraud development manager Jouni Määttä in a press release.

  40. Tomi Engdahl says:

    The US and Microsoft warn: a China-linked cyber group has penetrated critical systems https://www.hs.fi/ulkomaat/art-2000009609582.html
    The United States, several of its allies and device manufacturer Microsoft warn that the Chinese state-linked cyber actor Volt Typhoon has succeeded in penetrating US critical infrastructure online, and that similar activity may be under way in other countries as well. Authorities from the United States, Britain, Canada, Australia and New Zealand reported the finding in a joint cybersecurity advisory.

  41. Tomi Engdahl says:

    Critical vulnerabilities in popular firewalls already exploited in Finland: update immediately https://www.tivi.fi/uutiset/tv/c38a7b9d-28fc-480d-90f5-c9e83d08a62b
    Network equipment manufacturer Zyxel has released patches for two critical vulnerabilities affecting several of its firewall product families. According to a bulletin from the National Cyber Security Centre, the memory-handling vulnerabilities allow an attacker to cause a denial-of-service condition on the devices or run malicious code on them. The Centre has already become aware of a case in which one of the vulnerabilities has been exploited in Finland.

  42. Tomi Engdahl says:

    Hackers target 1.5M WordPress sites with cookie consent plugin exploit https://www.bleepingcomputer.com/news/security/hackers-target-15m-wordpress-sites-with-cookie-consent-plugin-exploit/
    Ongoing attacks are targeting an Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability in a WordPress cookie consent plugin named Beautiful Cookie Consent Banner with more than 40,000 active installs. In XSS attacks, threat actors inject malicious JavaScript scripts into vulnerable websites that will execute within the visitors’ web browsers. The security flaw exploited in this campaign was patched in January with the release of version 2.10.2.

  43. Tomi Engdahl says:

    GitLab ‘strongly recommends’ patching max severity flaw ASAP https://www.bleepingcomputer.com/news/security/gitlab-strongly-recommends-patching-max-severity-flaw-asap/
    GitLab has released an emergency security update, version 16.0.1, to address a maximum severity (CVSS v3.1 score: 10.0) path traversal flaw tracked as CVE-2023-2825. The vulnerability impacts GitLab Community Edition (CE) and Enterprise Edition (EE) version 16.0.0, but all versions older than this aren’t affected. GitLab is a web-based Git repository for developer teams that need to manage their code remotely and has approximately 30 million registered users and one million paying customers.

  44. Tomi Engdahl says:

    Dark Frost Botnet Launches Devastating DDoS Attacks on Gaming Industry https://thehackernews.com/2023/05/dark-frost-botnet-launches-devastating.html
    A new botnet called Dark Frost has been observed launching distributed denial-of-service (DDoS) attacks against the gaming industry. “The Dark Frost botnet, modeled after Gafgyt, QBot, Mirai, and other malware strains, has expanded to encompass hundreds of compromised devices,” Akamai security researcher Allen West said in a new technical analysis shared with The Hacker News. Targets include gaming companies, game server hosting providers, online streamers, and even other gaming community members with whom the threat actor has interacted directly

