This posting is here to collect cyber security news in June 2023.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
323 Comments
Tomi Engdahl says:
WhatsApp is getting a new feature, and it comes with a worrying warning that is easy to miss https://www.is.fi/digitoday/mobiili/art-2000009623179.html
WhatsApp intends to offer its users the ability to share their screen view with another user. WABetaInfo's screenshot, however, hides a worrying detail.
WHATSAPP is introducing the ability to share the screen during a video call. The evidence was found by WABetaInfo, which examined the experimental version of WhatsApp on Android. The button appeared at the bottom of the app and resembles a phone with an arrow pointing out of it to the right.
Tomi Engdahl says:
https://wabetainfo.com/whatsapp-beta-for-android-2-23-11-19-whats-new/
Tomi Engdahl says:
Millions of WordPress Sites Patched Against Critical Jetpack Vulnerability
https://www.securityweek.com/millions-of-wordpress-sites-patched-against-critical-jetpack-vulnerability/
A decade-old critical vulnerability in Jetpack was force-patched on five million WordPress sites over the past few days.
Tomi Engdahl says:
Spyware Found in Google Play Apps With Over 420 Million Downloads
https://www.securityweek.com/spyware-found-in-google-play-apps-with-over-420-million-downloads/
Security researchers have discovered spyware code in 101 Android applications that had over 421 million downloads in Google Play.
Tomi Engdahl says:
Organizations Warned of Backdoor Feature in Hundreds of Gigabyte Motherboards
https://www.securityweek.com/organizations-warned-of-backdoor-feature-in-hundreds-of-gigabyte-motherboards/
A backdoor feature found in hundreds of Gigabyte motherboard models can pose a significant supply chain risk to organizations.
Researchers at firmware and hardware security company Eclypsium discovered that hundreds of motherboard models made by Taiwanese computer components giant Gigabyte include backdoor functionality that could pose a significant risk to organizations.
The backdoor was discovered by Eclypsium based on behavior associated with the functionality, which triggered an alert in the company’s platform.
Specifically, the researchers determined that the firmware on many Gigabyte systems drops a Windows binary that is executed when the operating system boots up. The dropped file then downloads and runs another payload fetched from Gigabyte servers.
The payload is downloaded over an insecure connection – HTTP or improperly configured HTTPS — and the file’s legitimacy is not verified.
Tomi Engdahl says:
Chrome 114 Released With 18 Security Fixes
https://www.securityweek.com/chrome-114-released-with-18-security-fixes/
Chrome 114 stable brings 18 security fixes, including 13 for vulnerabilities reported by external researchers.
Google this week announced the release of Chrome 114 to the stable channel with a total of 18 security fixes inside, including 13 that resolve vulnerabilities reported by external researchers.
Of the externally reported flaws, eight have a severity rating of ‘high’, with six of them being memory safety bugs.
Based on the awarded bug bounty, the most important of these is CVE-2023-2929, an out-of-bounds write issue in Swiftshader. Security researcher Jaehun Jeong received a $15,000 reward for reporting the flaw, Google notes in an advisory.
Next in line is CVE-2023-2930, a use-after-free bug in Extensions, for which Google handed out a $10,000 bug bounty.
Tomi Engdahl says:
Barracuda Zero-Day Exploited to Deliver Malware for Months Before Discovery
https://www.securityweek.com/barracuda-zero-day-exploited-to-deliver-malware-for-months-before-discovery/
The recently discovered Barracuda zero-day vulnerability CVE-2023-2868 has been exploited to deliver malware and steal data since at least October 2022.
Tomi Engdahl says:
Critical vulnerability in Gigabyte Motherboards discovered
https://www.ghacks.net/2023/06/01/critical-vulnerability-in-gigabyte-motherboards-discovered-mitigation-available/
Millions of PC devices with Gigabyte motherboards are in danger. Researchers at Eclypsium have discovered backdoor-like tools in hundreds of Gigabyte motherboard models. The legitimate tools are used by Gigabyte for updating purposes, but they may be abused by threat-actors to attack systems and install persistent malware.
Tomi Engdahl says:
Russia accuses Finland of a cyberattack https://www.is.fi/digitoday/art-2000009626224.html
IN RUSSIA, the United Russia party's primary election voting system has been the target of a cyberattack, reports the Russian state news agency Tass.
Finland was singled out as one of the key countries from which the attack came. According to Tass, this was stated by United Russia party secretary Andrei Turtshak.
"The attacks came mainly from the United States, Germany and Finland."
The attacks were observed to come from more than 31,000 IP addresses, but they did not manage to bring the system down, Turtshak said according to Tass.
In practice, the attacking machines in this case too were most likely located around the world, including in Finland, and the actual attacker could be anywhere. Even if the denial-of-service attacks were traced to specific countries, that does not necessarily mean the attacks were originally launched from those countries.
Tomi Engdahl says:
A new cyberattack threatens Mac users: "only a few security services can detect it"
https://www.tivi.fi/uutiset/tv/ed73d4f1-d8a9-4dbb-beda-5de36d5db7a9
The malware named RustBucket is suspected to be the work of the North Korea-backed BlueNoroff group. BlueNoroff in turn is believed to be a subgroup of the well-known Lazarus group, which has long targeted its attacks at Apple devices in particular.
Initially, the user is lured into downloading a PDF reader application. When a specific PDF file is opened with it, the software contacts the attacker and establishes a connection between the attacker and the malicious software.
Once the PDF reader is installed, RustBucket is able to download additional malicious components, which allows the attacker to gain control of the infected system.
How RustBucket spreads is not yet fully clear. It is likely, however, that the malware is distributed via phishing messages in which the user is tricked into believing that the PDF application can be safely downloaded and launched.
Tomi Engdahl says:
New Horabot campaign targets the Americas https://blog.talosintelligence.com/new-horabot-targets-americas/
Cisco Talos has observed a threat actor deploying a previously unidentified botnet program Talos is calling “Horabot,” which delivers a known banking trojan and spam tool onto victim machines in a campaign that has been ongoing since at least November 2020.
The threat actor appears to be targeting Spanish-speaking users in the Americas and, based on our analysis, may be located in Brazil.
Horabot enables the threat actor to control the victim’s Outlook mailbox, exfiltrate contacts’ email addresses, and send phishing emails with malicious HTML attachments to all addresses in the victim’s mailbox.
The banking trojan can collect the victim’s login credentials for various online accounts, operating system information and keystrokes. It also steals one-time security codes or soft tokens from the victim’s online banking applications.
The spam tool compromises Yahoo, Gmail and Outlook webmail accounts, enabling the threat actor to take control of those mailboxes, exfiltrate their contacts’ email addresses, and send spam emails.
Tomi Engdahl says:
Evasive QBot Malware Leverages Short-lived Residential IPs for Dynamic Attacks https://thehackernews.com/2023/06/evasive-qbot-malware-leverages-short.html
An analysis of the “evasive and tenacious” malware known as QBot has revealed that 25% of its command-and-control (C2) servers are merely active for a single day.
What’s more, 50% of the servers don’t remain active for more than a week, indicating the use of an adaptable and dynamic C2 infrastructure, Lumen Black Lotus Labs said in a report shared with The Hacker News.
“This botnet has adapted techniques to conceal its infrastructure in residential IP space and infected web servers, as opposed to hiding in a network of hosted virtual private servers (VPSs),” security researchers Chris Formosa and Steve Rudd said.
Tomi Engdahl says:
Malicious PyPI Packages Using Compiled Python Code to Bypass Detection https://thehackernews.com/2023/06/malicious-pypi-packages-using-compiled.html
Researchers have discovered a novel attack on the Python Package Index (PyPI) repository that employs compiled Python code to sidestep detection by application security tools.
“It may be the first supply chain attack to take advantage of the fact that Python bytecode (PYC) files can be directly executed,” ReversingLabs analyst Karlo Zanki said in a report shared with The Hacker News.
The package in question is fshec2, which was removed from the package registry on April 17, 2023, following responsible disclosure on the same day.
Tomi Engdahl says:
Millions of PC motherboards have a hidden backdoor, as if waiting for cybercriminals to sneak in
https://www.tivi.fi/uutiset/tv/8ab71d54-6a24-4e9b-842b-e98c70c4faf7
When a motherboard equipped with this mechanism boots, the firmware checks whether a software update is available and installs the update if one is offered. The mechanism itself is innocent and intended to keep the firmware up to date. The problem is that Gigabyte's implementation appears to be insecure.
Tomi Engdahl says:
Organizations Warned of Backdoor Feature in Hundreds of Gigabyte Motherboards
https://www.securityweek.com/organizations-warned-of-backdoor-feature-in-hundreds-of-gigabyte-motherboards/
A backdoor feature found in hundreds of Gigabyte motherboard models can pose a significant supply chain risk to organizations.
Tomi Engdahl says:
Google Temporarily Offering $180,000 for Full Chain Chrome Exploit
https://www.securityweek.com/google-temporarily-offering-180000-for-full-chain-chrome-exploit/
Google is offering a bug bounty reward of up to $180,000 for a full chain exploit leading to a sandbox escape in the Chrome browser.
Tomi Engdahl says:
Toyota Discloses New Data Breach Involving Vehicle, Customer Information
https://www.securityweek.com/toyota-discloses-new-data-breach-involving-vehicle-customer-information/
Toyota says improper cloud configurations exposed vehicle and customer information in Japan and overseas for years.
Tomi Engdahl says:
Cisco Acquiring Armorblox for Predictive and Generative AI Technology
https://www.securityweek.com/cisco-acquiring-armorblox-for-predictive-and-generative-ai-technology/
Cisco is in the process of acquiring email security firm Armorblox for its predictive and generative artificial intelligence (AI) technology.
Tomi Engdahl says:
Moxa Patches MXsecurity Vulnerabilities That Could Be Exploited in OT Attacks
https://www.securityweek.com/moxa-patches-mxsecurity-vulnerabilities-that-could-be-exploited-in-ot-attacks/
Critical authentication bypass and high-severity command injection vulnerabilities have been patched in Moxa’s MXsecurity product.
Organizations using Moxa’s MXsecurity product have been informed about two potentially serious vulnerabilities that could be exploited by malicious hackers targeting operational technology (OT) networks.
MXsecurity is an industrial network security management software designed for OT environments.
Security researcher Simon Janz discovered recently that the product is impacted by a critical vulnerability that can be exploited remotely to bypass authentication (CVE-2023-33235) and a high-severity flaw in the SSH command-line interface that can lead to remote command execution (CVE-2023-33236).
Moxa patched the security holes with the release of version 1.0.1. The industrial networking, computing and automation solutions provider has published an advisory describing the vulnerabilities.
Tomi Engdahl says:
Organizations Warned of Salesforce ‘Ghost Sites’ Exposing Sensitive Information
https://www.securityweek.com/organizations-warned-of-salesforce-ghost-sites-exposing-sensitive-information/
Salesforce ghost sites — domains that are no longer maintained but still accessible — can expose personal information and business data.
Some organizations can expose sensitive personal and corporate information by failing to properly deactivate Salesforce Community websites that are no longer used, according to data security and analytics company Varonis.
Varonis reported identifying many such improperly deactivated websites, which the company has dubbed ‘Salesforce ghost sites’. These sites have been found to expose personally identifiable information and business data that should not be accessible.
“The exposed data is not restricted to only old data from when the site was in use; it also includes new records that were shared with the guest user due to the sharing configuration in their Salesforce environment,” Varonis warned.
Ghost sites are Salesforce Communities that have been abandoned — they are still accessible, but no longer monitored or protected.
Tomi Engdahl says:
https://www.wired.com/story/gigabyte-motherboard-firmware-backdoor/
Tomi Engdahl says:
https://www.nbcnews.com/now/video/how-ai-hacking-event-will-help-developers-secure-their-technology-177004613512
Tomi Engdahl says:
https://nakedsecurity.sophos.com/2023/05/30/serious-security-verification-is-vital-examining-an-oauth-login-bug/
Tomi Engdahl says:
New GobRAT Remote Access Trojan Targeting Linux Routers in Japan
https://thehackernews.com/2023/05/new-gobrat-remote-access-trojan.html
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/microsoft-finds-macos-bug-that-lets-hackers-bypass-sip-root-restrictions/
Tomi Engdahl says:
https://thehackernews.com/2023/05/new-bruteprint-attack-lets-attackers.html
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/android-apps-with-spyware-installed-421-million-times-from-google-play/
Tomi Engdahl says:
Russian hackers' horrific data breach: data on 9 million patients exposed, children among the victims
Antti Kailio 1.6.2023 08:16 | updated 1.6.2023 08:16 | Ransomware, Information security, Dentistry
The Russian hacker gang LockBit has claimed responsibility for the cyberattack on a health insurance company.
https://www.tivi.fi/uutiset/venalaishakkerien-karmea-tietomurto-9-miljoonan-potilaan-tiedot-paljastuivat-uhrien-joukossa-myos-lapsia/214f14d5-ee4f-4624-9d16-85826e652047
Tomi Engdahl says:
https://nakedsecurity.sophos.com/2023/06/02/researchers-claim-windows-backdoor-affects-hundreds-of-gigabyte-motherboards/
Tomi Engdahl says:
Millions of Gigabyte PC motherboards backdoored? What’s the actual score?
It’s the 2020s and we’re still running code automatically fetched over HTTP
https://www.theregister.com/2023/06/02/gigabyte_uefi_backdoor/
Tomi Engdahl says:
https://www.dna.fi/yrityksille/kyberrosvot-podcast?fbclid=IwAR00kQFsEy7_pSAW5ZRFDlF7AUCxQwSa7QX-uJjLA5UCCRhYhdcS0pcrIGM_aem_AY8wooF8XAm67Rh_wiARKAFvUMKKW4qMdPXWbyfjMyd1m5lQ4By-cnRe3QC9ZzySQtkZRFouK86Z01oMgpAl3zD_I2o2Yzr5lgXiT4E_PuQX3nT1ImHGCi_N9wJjPqBjsx4#vastaamo?utm_source=facebook&utm_medium=linkad&utm_content=ALL-podcast-kyberrosvot-podcast#vastaamo&utm_campaign=T_ALL_ALL_23-17-17_kyberrosvot
Tomi Engdahl says:
MOVEit Transfer Under Attack: Zero-Day Vulnerability Actively Being Exploited https://thehackernews.com/2023/06/moveit-transfer-under-attack-zero-day.html
A critical flaw in Progress Software's MOVEit Transfer managed file transfer application has come under widespread exploitation in the wild to take over vulnerable systems.
The shortcoming, which is yet to be assigned a CVE identifier, relates to a severe SQL injection vulnerability that could lead to escalated privileges and potential unauthorized access to the environment.
“An SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer’s database,” the company said.
Patches for the bug have been made available by the Massachusetts-based company, which also owns Telerik, in the following versions: 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1).
Tomi Engdahl says:
Amazon’s Ring cameras were used to spy on customers https://www.malwarebytes.com/blog/news/2023/06/amazons-ring-camera-used-to-spy-on-customers
Every single Amazon Ring employee was able to access every single customer video, even when it wasn’t necessary for their jobs.
Not only that, but the employees—along with workers from a third-party contractor in Ukraine—could also download any of those videos and then save and share them as they liked, before July 2017.
That’s what the FTC has alleged in a recent complaint, for which Amazon is facing a settlement of $5.8 million.
And, unsurprisingly, some employees abused that access right.
Tomi Engdahl says:
New Horabot campaign takes over victim’s Gmail, Outlook accounts https://www.bleepingcomputer.com/news/security/new-horabot-campaign-takes-over-victims-gmail-outlook-accounts/
A previously unknown campaign involving the Horabot botnet malware has targeted Spanish-speaking users in Latin America since at least November 2020, infecting them with a banking trojan and spam tool.
The malware enables the operators to take control of the victim’s Gmail, Outlook, Hotmail, or Yahoo email accounts, steal email data and 2FA codes arriving in the inbox, and send phishing emails from the compromised accounts.
The new Horabot operation was discovered by analysts at Cisco Talos, who report that the threat actor behind it is likely based in Brazil.
Tomi Engdahl says:
Zyxel shares tips on protecting firewalls from ongoing attacks https://www.bleepingcomputer.com/news/security/zyxel-shares-tips-on-protecting-firewalls-from-ongoing-attacks/
Zyxel has published a security advisory containing guidance on protecting firewall and VPN devices from ongoing attacks and detecting signs of exploitation.
This warning comes in response to multiple reports of widespread exploitation of the CVE-2023-28771 and the exploitability and severity of CVE-2023-33009 and CVE-2023-33010, all impacting Zyxel VPN and firewall devices.
“Zyxel has been urging users to install the patches through multiple channels, including issuing several security advisory newsletters to registered users and advisory subscribers; notifying users to upgrade via the Web GUI’s push notification for on-premises devices; and enforcing scheduled firmware upgrades for cloud-based devices that haven’t yet done so,” warns Zyxel’s security advisory.
Tomi Engdahl says:
Online sellers targeted by new information-stealing malware campaign https://www.bleepingcomputer.com/news/security/online-sellers-targeted-by-new-information-stealing-malware-campaign/
Online sellers are targeted in a new campaign to push the Vidar information-stealing malware, allowing threat actors to steal credentials for more damaging attacks.
The new campaign launched this week, with threat actors sending complaints to online store admins through email and website contact forms.
These emails pretend to be from a customer of an online store who had $550 deducted from their bank account after an alleged order did not properly go through.
BleepingComputer received one of these emails this week and, after researching the attack, has found it widespread with many submissions to VirusTotal over the past week.
Tomi Engdahl says:
In Other News: Government Use of Spyware, New Industrial Security Tools, Japan Router Hack
https://www.securityweek.com/in-other-news-government-use-of-spyware-new-industrial-security-tools-japan-router-hack/
Cybersecurity news that you may have missed this week: the spyware used by various governments, new vulnerabilities, industrial security products, and Linux router attacks.
Spyware used in Israel, the Middle East and the US
Separate reports published this week detail the spyware used by Israeli Police (Echo tool offered by Israeli firm Rayzone), Arab intelligence services (spying tools offered by Swiss company In The Cyber), and the US Drug Enforcement Agency (spyware called Paragon Graphite).
Google shuts down YouTube channels used for influence operations
Google in April shut down many YouTube channels that were part of coordinated influence operations linked to Russia, Turkey, Iran, China, Azerbaijan, and Uzbekistan. The Chinese operation was powered by roughly 3,500 channels.
Iranian government websites and networks targeted by local hacktivists
90 organizations notify UK ICO of data breaches related to Capita hack
The BBC reported that 90 organizations in the UK have informed the country’s privacy and data watchdog about being hit by the recent data breach at British business process outsourcing firm Capita. The impacted organizations handle the data of millions of people. Capita said recently it expects the ransomware attack to cost it up to $25 million.
Linux routers in Japan targeted with GobRAT malware
Japan’s JPCERT/CC issued a warning about Linux routers in the country being targeted with the GobRAT malware since February. The attackers are using a loader to disable the device’s firewall function, download GobRAT, and ensure persistence on a device. Compromised routers can be abused for various types of malicious purposes.
‘Migraine’ macOS vulnerability discovered by Microsoft
Microsoft has disclosed the details of CVE-2023-32369, a recently patched macOS vulnerability that could allow an attacker with root access to automatically bypass System Integrity Protection (SIP) and perform arbitrary operations on the targeted computer. Microsoft has dubbed the flaw ‘Migraine’.
Vulnerabilities patched in OpenSSL and VMware
The latest OpenSSL updates patch CVE-2023-2650, a medium-severity vulnerability that can be exploited to cause a DoS condition.
In addition, VMware announced that it has fixed a medium-severity information disclosure vulnerability in Workspace One Access and Identity Manager. The issue is tracked as CVE-2023-20884.
Tomi Engdahl says:
Vulnerabilities patched in OpenSSL and VMware
https://www.securityweek.com/in-other-news-government-use-of-spyware-new-industrial-security-tools-japan-router-hack/
The latest OpenSSL updates patch CVE-2023-2650, a medium-severity vulnerability that can be exploited to cause a DoS condition.
Possible DoS translating ASN.1 object identifiers (CVE-2023-2650)
https://www.openssl.org/news/secadv/20230530.txt
Severity: Moderate
Issue summary: Processing some specially crafted ASN.1 object identifiers or
data containing them may be very slow.
Impact summary: Applications that use OBJ_obj2txt() directly, or use any of
the OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS with no message
size limit may experience notable to very long delays when processing those
messages, which may lead to a Denial of Service.
In OpenSSL 3.0 and newer, this affects the subsystems OCSP, PKCS7/SMIME,
CMS, CMP/CRMF or TS. It also impacts anything that processes X.509
certificates, including simple things like verifying its signature.
The impact on TLS is relatively low, because all versions of OpenSSL have a
100KiB limit on the peer’s certificate chain. Additionally, this only
impacts clients, or servers that have explicitly enabled client
authentication.
In OpenSSL 1.1.1 and 1.0.2, this only affects displaying diverse objects,
such as X.509 certificates. This is assumed to not happen in such a way
that it would cause a Denial of Service, so these versions are considered
not affected by this issue in such a way that it would be cause for concern,
and the severity is therefore considered low.
Tomi Engdahl says:
Hackers hijack legitimate sites to host credit card stealer scripts https://www.bleepingcomputer.com/news/security/hackers-hijack-legitimate-sites-to-host-credit-card-stealer-scripts/
A new Magecart credit card stealing campaign hijacks legitimate sites to act as “makeshift” command and control (C2) servers to inject and hide the skimmers on targeted eCommerce sites.
A Magecart attack is when hackers breach online stores to inject malicious scripts that steal customers’ credit cards and personal information during checkout.
According to Akamai’s researchers monitoring this campaign, it has compromised organizations in the United States, the United Kingdom, Australia, Brazil, Peru, and Estonia.
The cybersecurity firm also points out that many of the victims have not realized they were breached for over a month, which is a testament to the stealthiness of these attacks.
Tomi Engdahl says:
CISA orders govt agencies to patch MOVEit bug used for data theft https://www.bleepingcomputer.com/news/security/cisa-orders-govt-agencies-to-patch-moveit-bug-used-for-data-theft/
CISA has added an actively exploited security bug in the Progress MOVEit Transfer managed file transfer (MFT) solution to its list of known exploited vulnerabilities, ordering U.S. federal agencies to patch their systems by June 23.
The critical flaw (tracked as CVE-2023-34362) is an SQL injection vulnerability that enables unauthenticated, remote attackers to gain access to MOVEit Transfer’s database and execute arbitrary code.
According to the November 2022 binding operational directive (BOD 22-01), Federal Civilian Executive Branch Agencies (FCEB) must patch this security vulnerability once added to CISA’s Known Exploited Vulnerabilities catalog.
Tomi Engdahl says:
Large Spanish bank confirms ransomware attack https://therecord.media/spain-globalcaja-bank-confirms-ransomware-attack
A major lender in Spain said it is dealing with a ransomware attack affecting several offices.
Globalcaja – based in the Spanish city of Albacete – has more than 300 offices across Spain and serves nearly half a million people with a variety of banking services. It manages more than $4.6 billion in consumer loans and has 1,000 employees.
The Play ransomware group claimed this week that it attacked the bank and stole an undisclosed amount of private and personal confidential data, client and employee documents, passports, contracts and more.
The bank published a statement on Friday confirming that computers at several local offices were dealing with ransomware.
Tomi Engdahl says:
OpenAI Unveils Million-Dollar Cybersecurity Grant Program
https://www.securityweek.com/openai-unveils-million-dollar-cybersecurity-grant-program/
OpenAI plans to shell out $1 million in grants for projects that empower defensive use-cases for generative AI technology.
Tomi Engdahl says:
Russia Blames US Intelligence for iOS Zero-Click Attacks
https://www.securityweek.com/russia-blames-us-intelligence-for-ios-zero-click-attacks/
Kaspersky said its corporate network has been targeted with a zero-click iOS exploit, just as Russia’s FSB said iPhones have been targeted by US intelligence.
Tomi Engdahl says:
Zero-Day in MOVEit File Transfer Software Exploited to Steal Data From Organizations
https://www.securityweek.com/zero-day-in-moveit-file-transfer-software-exploited-to-steal-data-from-organizations/
A zero-day vulnerability in Progress Software’s MOVEit Transfer product has been exploited to hack organizations and steal their data.
Tomi Engdahl says:
Google's Android and Chrome extensions are a very sad place. Here's why
It was a bad week for millions of people who rely on Google for apps and Chrome extensions.
https://arstechnica.com/information-technology/2023/06/injecting-strange-code-into-websites-file-snooping-google-marketplaces-are-a-mess/?utm_brand=ars&utm_medium=social&utm_social-type=owned&utm_source=facebook
Google has removed many but not all of the malicious entries, but only after they were reported, and by then, they were on millions of devices—and possibly hundreds of millions. Understandably, some security-minded folks aren't pleased.
Tomi Engdahl says:
Bank fraud with 421 victims: the suspect is a 20-year-old man https://www.is.fi/digitoday/tietoturva/art-2000009634221.html
THE NATIONAL BUREAU OF INVESTIGATION and the Southwest Finland Police Department report that they have completed a pre-trial investigation in which a 20-year-old man is suspected of 421 counts of aggravated payment instrument fraud. The case is being referred to the prosecutor for consideration of charges.
The cases were online banking scams in which victims were directed by text message to websites phishing for banking credentials. IS has written about similar cases on several occasions.
Tomi Engdahl says:
Microsoft links Clop ransomware gang to MOVEit data-theft attacks https://www.bleepingcomputer.com/news/security/microsoft-links-clop-ransomware-gang-to-moveit-data-theft-attacks/
Microsoft has linked the Clop ransomware gang to recent attacks exploiting a zero-day vulnerability in the MOVEit Transfer platform to steal data from organizations.
“Microsoft is attributing attacks exploiting the CVE-2023-34362 MOVEit Transfer 0-day vulnerability to Lace Tempest, known for ransomware operations & running the Clop extortion site,” the Microsoft Threat Intelligence team tweeted Sunday night.
Tomi Engdahl says:
Magento, WooCommerce, WordPress, and Shopify Exploited in Web Skimmer Attack https://thehackernews.com/2023/06/magento-woocommerce-wordpress-and.html
Cybersecurity researchers have unearthed a new ongoing Magecart-style web skimmer campaign that's designed to steal personally identifiable information (PII) and credit card data from e-commerce websites.
A noteworthy aspect that sets it apart from other Magecart campaigns is that the hijacked sites further serve as “makeshift” command-and-control (C2) servers, using the cover to facilitate the distribution of malicious code without the knowledge of the victim sites.
Web security company Akamai said it identified victims of varying sizes in North America, Latin America, and Europe, potentially putting the personal data of thousands of site visitors at risk of being harvested and sold for illicit profits.
Tomi Engdahl says:
Zero-Day Vulnerability in MOVEit Transfer Exploited for Data Theft https://www.mandiant.com/resources/blog/zero-day-moveit-data-theft
Mandiant has observed wide exploitation of a zero-day vulnerability in the MOVEit Transfer secure managed file transfer software for subsequent data theft.
Based on initial analysis from Mandiant incident response engagements, the earliest evidence of exploitation occurred on May 27, 2023, resulting in deployment of web shells and data theft. In some instances, data theft has occurred within minutes of the deployment of web shells. Mandiant currently attributes this activity to UNC4857, a newly created threat cluster with unknown motivations.
Tomi Engdahl says:
Ransomware Group Used MOVEit Exploit to Steal Data From Dozens of Organizations
https://www.securityweek.com/ransomware-group-used-moveit-exploit-to-steal-data-from-dozens-of-organizations/
The recent MOVEit zero-day attack has been linked to a known ransomware group, which reportedly stole data from dozens of organizations.