Cyber security news June 2023

This posting is here to collect cyber security news in June 2023.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.

323 Comments

  1. Tomi Engdahl says:

    Dozens of Malicious Extensions Found in Chrome Web Store
    https://www.securityweek.com/dozens-of-malicious-extensions-found-in-chrome-web-store/

    Security researchers have identified over 30 malicious extensions with millions of installs in the Chrome web store.

    Security researchers recently identified more than 30 malicious extensions that had made their way into the Chrome web store, potentially infecting millions.

    The first to raise the alarm on these extensions was security researcher Wladimir Palant, who discovered three weeks ago that the PDF Toolbox extension for Chrome contained obfuscated code that allowed a third-party website to inject JavaScript code into all websites that the user visited.

    After being tipped off that another extension was also making requests to the same third-party website, namely serasearchtop[.]com, the researcher discovered two more versions of the code (including one connecting to tryimv3srvsts[.]com) and a total of 34 extensions containing it, in the Chrome web store.

    Overall, the identified extensions showed an install base of roughly 87 million users, with the most popular of them being Autoskip for Youtube (9 million users), Soundboost (7 million), Crystal Ad block (6 million), and Brisk VPN (5 million).

    What is alarming, however, is the large number of extensions that were found to contain the obfuscated code. According to Avast, aside from the 32 extensions it identified, 50 more were removed from the Chrome web store on the same grounds.

    Reply
  2. Tomi Engdahl says:

    Microsoft Makes SMB Signing Default Requirement in Windows 11 to Boost Security
    https://www.securityweek.com/microsoft-makes-smb-signing-default-requirement-in-windows-11-to-boost-security/

    Microsoft is making SMB signing a default requirement in Windows 11 Enterprise editions, starting with insider preview build 25381.

    Microsoft on Friday announced that SMB signing is now a default requirement in Windows 11 Enterprise editions, starting with insider preview build 25381.

    Also known as security signatures, SMB signing (Server Message Block signing) is a security mechanism where every SMB message contains a signature meant to confirm the identities of the sender and the receiver.

    Available since Windows 98 and Windows 2000, SMB signing would block modified messages by checking the hash of the entire message, which the client puts into the signature field.

    The security mechanism is meant to prevent relay attacks, but it has not been enabled by default in Windows 10 and Windows 11, except for connections to shares named SYSVOL and NETLOGON and if Active Directory (AD) domain controllers were set to require SMB signing for client connections.

    All Windows and Windows Server versions support SMB signing, and the feature is now enabled by default for all connections, starting with Windows 11 insider preview build 25381 Enterprise editions, released in the Canary channel.

    Overview of Server Message Block signing
    https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/overview-server-message-block-signing

    Reply
  3. Tomi Engdahl says:

    Network Security
    Zyxel Urges Customers to Patch Firewalls Against Exploited Vulnerabilities
    https://www.securityweek.com/zyxel-urges-customers-to-patch-firewalls-against-exploited-vulnerabilities/

    Zyxel urges customers to update ATP, USG Flex, VPN, and ZyWALL/USG firewalls to prevent exploitation of recent vulnerabilities.

    Taiwan-based networking device manufacturer Zyxel is urging customers to update the firmware of ATP, USG Flex, VPN, and ZyWALL/USG firewall devices, to prevent the exploitation of recently patched vulnerabilities.

    Tracked as CVE-2023-28771, CVE-2023-33009 and CVE-2023-33010, the issues can lead to OS command execution, remote code execution (RCE), and denial-of-service (DoS).

    The first of the issues came to light in late April, when Zyxel released patches for it, warning that it can be exploited remotely without authentication by sending specially crafted packets to a vulnerable device.

    Reply
  4. Tomi Engdahl says:

    Zyxel Firewalls Under Attack! Urgent Patching Required
    https://thehackernews.com/2023/06/zyxel-firewalls-under-attack-urgent.html

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday placed two recently disclosed flaws in Zyxel firewalls to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.

    The vulnerabilities, tracked as CVE-2023-33009 and CVE-2023-33010, are buffer overflow vulnerabilities that could enable an unauthenticated attacker to cause a denial-of-service (DoS) condition and remote code execution.

    Patches to plug the security holes were released by Zyxel on May 24, 2023.

    Reply
  5. Tomi Engdahl says:

    Android security update fixes Mali GPU flaw exploited by spyware
    https://www.bleepingcomputer.com/news/security/android-security-update-fixes-mali-gpu-flaw-exploited-by-spyware/

    Google has released the monthly security update for the Android platform, adding fixes for 56 vulnerabilities, five of them with a critical severity rating and one exploited since at least last December.

    The new security patch level 2023-06-05 integrates a patch for CVE-2022-22706, a high-severity flaw in the Mali GPU kernel driver from Arm that Google’s Threat Analysis Group (TAG) believes may have been used in a spyware campaign targeting Samsung phones.

    “There are indications that CVE-2022-22706 may be under limited, targeted exploitation,” reads Google’s latest bulletin. CISA also highlighted the active exploitation of CVE-2022-22706 in an advisory released in late March.

    Reply
  6. Tomi Engdahl says:

    Google Patches Third Chrome Zero-Day of 2023
    https://www.securityweek.com/google-patches-third-chrome-zero-day-of-2023/

    Google has released a Chrome 114 security update that patches CVE-2023-3079, the third zero-day vulnerability patched in the browser in 2023.

    Google on Monday released a Chrome 114 security update that patches the third zero-day vulnerability found in the web browser in 2023.

    Google said the latest version of Chrome patches two flaws, including CVE-2023-3079, a type confusion issue affecting the V8 JavaScript engine.

    The internet giant noted that the vulnerability, discovered on June 1, has been exploited in the wild, but has not shared any information on the attacks.

    However, the fact that the security hole and its exploitation were discovered by Clement Lecigne of Google’s Threat Analysis Group suggests that CVE-2023-3079 has likely been exploited by a commercial spyware vendor.

    https://chromereleases.googleblog.com/2023/06/stable-channel-update-for-desktop.html?m=1

    Reply
  7. Tomi Engdahl says:

    KeePass Update Patches Vulnerability Exposing Master Password
    https://www.securityweek.com/keepass-update-patches-vulnerability-exposing-master-password/

    KeePass 2.54 patches a vulnerability allowing attackers to retrieve the cleartext master password from a memory dump.

    Open source password manager KeePass was updated over the weekend to patch a vulnerability allowing attackers to retrieve the cleartext master password from a memory dump.

    Tracked as CVE-2023-32784 and impacting KeePass 2.x versions, the issue is related to the custom-developed textbox used for password entry, which creates a leftover string in memory for each character that the user types.

    An attacker can use a KeePass process dump, a hibernation file, a swap file, or even a RAM dump of the entire system to retrieve the strings and reconstruct the typed password. Because the strings are ordered in memory, even multiple typed-in passwords can be retrieved.

    Several weeks ago, a security researcher published a proof-of-concept (PoC) tool that can exploit the vulnerability to retrieve passwords from memory dumps.

    https://www.securityweek.com/poc-tool-exploits-unpatched-keepass-vulnerability-to-retrieve-master-passwords/

    Reply
  8. Tomi Engdahl says:

    Identity & Access
    Google Workspace Gets Passkey Authentication
    https://www.securityweek.com/google-workspace-gets-passkey-authentication/

    Google Workspace now offers support for passwordless authentication using passkeys, in beta.

    Reply
  9. Tomi Engdahl says:

    Gigabyte Rolls Out BIOS Updates to Remove Backdoor From Motherboards
    https://www.securityweek.com/gigabyte-rolls-out-bios-updates-to-remove-backdoor-from-motherboards/

    Gigabyte has announced BIOS updates that remove a recently identified backdoor feature in hundreds of its motherboards.

    Taiwanese computer components maker Gigabyte has announced BIOS updates meant to remove a backdoor feature that was recently found in hundreds of its motherboards.

    The issue, disclosed last week by firmware and hardware security company Eclypsium, is that the firmware of more than 270 Gigabyte motherboards drops a Windows binary that is executed at boot-up to fetch and execute a payload from Gigabyte’s servers.

    A feature related to the Gigabyte App Center, the backdoor does not appear to have been exploited for malicious purposes, but threat actors are known to have abused such tools in previous attacks.

    When it made its findings public, Eclypsium said it was unclear whether the backdoor was the result of a malicious insider, a compromise of Gigabyte’s servers, or a supply chain attack.

    Shortly after Eclypsium published its report, Gigabyte announced the release of BIOS updates that address the vulnerability.

    “Gigabyte engineers have already mitigated potential risks and uploaded the Intel 700/600 and AMD 500/400 series Beta BIOS to the official website after conducting thorough testing and validation of the new BIOS on Gigabyte motherboards,” the company announced late last week.

    https://www.securityweek.com/organizations-warned-of-backdoor-feature-in-hundreds-of-gigabyte-motherboards/

    https://www.securityweek.com/russia-linked-hackers-exploit-lojack-recovery-tool-attacks/

    The update resolves “the download assistant vulnerabilities reported by Eclypsium”, read the release notes for the latest BIOS available for the A520 Aorus Elite rev 1.0 motherboards.

    https://www.gigabyte.com/Motherboard/A520-AORUS-ELITE-rev-10/support#support-dl-bios

    The new security enhancements, the company says, should prevent attackers from inserting malicious code during boot and should guarantee that any files downloaded during this process come from servers with valid and trusted certificates.

    Reply
  10. Tomi Engdahl says:

    Joe Tidy / BBC:
    The Clop ransomware group tells the BBC, British Airways, Boots, and others to email them or data stolen via the MOVEit hack will be released on June 14 — A prolific cyber crime gang thought to be based in Russia has issued an ultimatum to victims of a hack that has hit organisations around the world.

    BBC, BA and Boots issued with ultimatum by cyber gang Clop
    https://www.bbc.com/news/technology-65829726

    A prolific cyber crime gang thought to be based in Russia has issued an ultimatum to victims of a hack that has hit organisations around the world.

    The Clop group posted a notice on the dark web warning firms affected by the MOVEit hack to email them before 14 June or stolen data will be published.

    More than 100,000 staff at the BBC, British Airways and Boots have been told payroll data may have been taken.

    Employers are being urged not to pay up if the hackers demand a ransom.

    Reply
  11. Tomi Engdahl says:

    New Fractureiser malware used CurseForge Minecraft mods to infect Windows, Linux
    https://www.bleepingcomputer.com/news/security/new-fractureiser-malware-used-curseforge-minecraft-mods-to-infect-windows-linux/

    Hackers used the popular Minecraft modding platforms Bukkit and CurseForge to distribute a new ‘Fractureiser’ information-stealing malware through uploaded modifications and by injecting malicious code into existing projects.

    According to multiple reports, the attack began when several CurseForge and Bukkit accounts were compromised and used to inject malicious code into plugins and mods, which were then adopted by popular modpacks such as ‘Better Minecraft,’ which has over 4.6 million downloads.

    Notably, many of the impacted modpacks were compromised even though they were allegedly protected by two-factor authentication. At the same time, the updates were archived immediately to not appear in public but were nonetheless pushed to users via the API.

    Reply
  12. Tomi Engdahl says:

    VMware fixes critical vulnerability in vRealize network analytics tool
    https://www.bleepingcomputer.com/news/security/vmware-fixes-critical-vulnerability-in-vrealize-network-analytics-tool/

    VMware issued multiple security patches today to address critical and high-severity vulnerabilities in VMware Aria Operations for Networks, allowing attackers to gain remote execution or access sensitive information.

    Previously known as vRealize Network Insight (vRNI), this network visibility and analytics tool helps admins optimize network performance or manage and scale various VMware and Kubernetes deployments.

    The most severe of the three security bugs fixed today is a command injection vulnerability tracked as CVE-2023-20887, which unauthenticated threat actors can exploit in low-complexity attacks that don’t require user interaction.

    Reply
  13. Tomi Engdahl says:

    BBC, British Airways, Nova Scotia Among First Big-Name Victims in Global Supply-Chain Hack
    https://www.securityweek.com/bbc-british-airways-novia-scotia-among-first-big-name-victims-in-global-supply-chain-hack/

    The Cl0p cyber-extortion gang’s hack of the MOVEit file-transfer program popular with enterprises could have widespread global impact.

    Reply
  14. Tomi Engdahl says:

    VMware Plugs Critical Flaws in Network Monitoring Product
    https://www.securityweek.com/vmware-plugs-critical-flaws-in-network-monitoring-product/
    VMware ships urgent patches to cover security defects that expose businesses to remote code execution attacks.

    Reply
  15. Tomi Engdahl says:

    Hackers Issue ‘Ultimatum’ Over Payroll Data Breach
    https://www.securityweek.com/hackers-issue-ultimatum-over-payroll-data-breach/

    The Clop ransomware gang issued “an ultimatum” to companies targeted in a recent large-scale hack of payroll data.

    Reply
  17. Tomi Engdahl says:

    Barracuda says hacked ESG appliances must be replaced immediately
    https://www.bleepingcomputer.com/news/security/barracuda-says-hacked-esg-appliances-must-be-replaced-immediately/

    Email and network security company Barracuda warns customers they must replace Email Security Gateway (ESG) appliances hacked in attacks targeting a now-patched zero-day vulnerability.

    “Impacted ESG appliances must be immediately replaced regardless of patch version level,” the company warned in a Tuesday update to the initial advisory.

    “Barracuda’s remediation recommendation at this time is full replacement of the impacted ESG.”

    Reply
  18. Tomi Engdahl says:

    Experts Unveil Exploit for Recent Windows Vulnerability Under Active Exploitation
    https://thehackernews.com/2023/06/experts-unveil-poc-exploit-for-recent.html

    Details have emerged about a now-patched actively exploited security flaw in Microsoft Windows that could be abused by a threat actor to gain elevated privileges on affected systems.

    The vulnerability, tracked as CVE-2023-29336, is rated 7.8 for severity and concerns an elevation of privilege bug in the Win32k component.

    “An attacker who successfully exploited this vulnerability could gain SYSTEM privileges,” Microsoft disclosed in an advisory issued last month as part of Patch Tuesday updates.

    Reply
  19. Tomi Engdahl says:

    Honda API flaws exposed customer data, dealer panels, internal docs
    https://www.bleepingcomputer.com/news/security/honda-api-flaws-exposed-customer-data-dealer-panels-internal-docs/

    Honda’s e-commerce platform for power equipment, marine, lawn & garden, was vulnerable to unauthorized access by anyone due to API flaws that allow password reset for any account.

    Honda is a Japanese manufacturer of automobiles, motorcycles, and power equipment. In this case, only the latter division is impacted, so owners of Honda cars or motorcycles aren’t affected.

    The security gap in Honda’s systems was discovered by security researcher Eaton Zveare, the same who breached Toyota’s supplier portal a few months back, leveraging similar vulnerabilities.

    Reply
  20. Tomi Engdahl says:

    Cybercrime group ‘Asylum Ambuscade’ adds espionage to its activities
    https://therecord.media/cybercrime-group-adds-cyberespionage-asylum-abuscade

    A previously recognized group of cybercriminals is also running several espionage campaigns against governments in Central Asia and Europe, researchers said Thursday.

    Cybersecurity company ESET is warning about Asylum Ambuscade, a cybercrime group that has operated since at least 2020, targeting businesses, banks and cryptocurrency firms in North America.

    Lately the group has conducted espionage against government entities in Europe and Central Asia, ESET said. The report does not link the group with a specific country.

    Reply
  21. Tomi Engdahl says:

    Royal ransomware gang adds BlackSuit encryptor to their arsenal
    https://www.bleepingcomputer.com/news/security/royal-ransomware-gang-adds-blacksuit-encryptor-to-their-arsenal/

    The Royal ransomware gang has begun testing a new encryptor called BlackSuit that shares many similarities with the operation’s usual encryptor.

    Royal launched in January 2023, believed to be the direct successor to the notorious Conti operation, which shut down in June 2022.

    This group is a private ransomware operation comprised of pentesters, affiliates from ‘Conti Team 1,’ and affiliates they recruited from other enterprise-targeting ransomware gangs.

    Reply
  22. Tomi Engdahl says:

    Online muggers make serious moves on unpatched Microsoft bugs
    Win32k and Visual Studio flaws are under attack
    https://www.theregister.com/2023/06/09/microsoft_systems_flaws_patch/

    Two flaws in Microsoft software are under attack on systems that haven’t been patched by admins.

    Redmond issued fixes for the vulnerabilities – one affecting Visual Studio and the other the Win32k subsystem – in April and May, but in separate reports this week, security researchers with Varonis Threat Labs and Numen Cyber warned that unpatched systems are already being exploited.

    Numen analysts noted that the privilege escalation Win32k.sys flaw – tracked as CVE-2023-29336 with a CVSS severity rating of 7.8 out of 10 – has been exploited by miscreants, adding that while it does not affect Windows 11, older versions of Windows 10, Windows 8, and Windows Server are at risk.

    Reply
  23. Tomi Engdahl says:

    Security News This Week: 9 Years After the Mt. Gox Hack, Feds Indict Alleged Culprits
    Plus: Instagram’s CSAM network gets exposed, Clop hackers claim credit for MOVEit Transfer exploit, and a $35 million crypto heist has North Korean ties.
    https://www.wired.com/story/mt-gox-indictment-security-roundup/?fbclid=IwAR11LBAibMtkVZihpWiSqyD6hK4dG-2WQcTeGkC0jniHz2oJh83WCXnsl6Q

    Reply
  24. Tomi Engdahl says:

    Ransomware
    SaaS Ransomware Attack Hit Sharepoint Online Without Using a Compromised Endpoint
    A SaaS ransomware attack against a company’s Sharepoint Online was done without using a compromised endpoint.
    https://www.securityweek.com/saas-ransomware-attack-hit-sharepoint-online-without-using-a-compromised-endpoint/?fbclid=IwAR2cw9VWGjgb_cEWbLy0Oc6qWD855LPKpLLP4vJKdEVjGeUzdLBA3GzYlBc

    Cybersecurity firm Obsidian has observed a successful ransomware attack against Sharepoint Online (Microsoft 365) via a Microsoft Global SaaS admin account rather than the more usual route of a compromised endpoint.

    The attack was analyzed post-compromise when the victim employed the Obsidian product and research team to determine the finer points of the attack. In its blog account of the incident, Obsidian did not disclose the victim, but believes the attacker was the group known as 0mega.

    Reply
  25. Tomi Engdahl says:

    https://www.bbc.com/news/world-asia-china-65830185?fbclid=IwAR1J_Vy_1ejrRmMYtQVe60ZB8EmFjb5j0L8kb4kwL6W6JN-hf4GtRT0EijM

    China wants to restrict the use of mobile file-sharing services such as AirDrop and Bluetooth in a move that will expand its censorship machine.

    The national internet regulator on Tuesday launched a month-long public consultation on the proposals.

    Reply
  26. Tomi Engdahl says:

    MOVEit Transfer and MOVEit Cloud Vulnerability
    https://www.progress.com/security/moveit-transfer-and-moveit-cloud-vulnerability

    In addition to the ongoing investigation into vulnerability (CVE-2023-34362), we have partnered with third-party cybersecurity experts to conduct further detailed code reviews as an added layer of protection for our customers. As part of these code reviews, cybersecurity firm Huntress has helped us to uncover additional vulnerabilities that could potentially be used by a bad actor to stage an exploit. These newly discovered vulnerabilities are distinct from the previously reported vulnerability shared on May 31, 2023.
    All MOVEit Transfer customers must apply the new patch, released on June 9, 2023.

    Reply
  27. Tomi Engdahl says:

    Clop Ransomware Likely Sitting on MOVEit Transfer Vulnerability (CVE-2023-34362) Since 2021
    https://www.kroll.com/en/insights/publications/cyber/clop-ransomware-moveit-transfer-vulnerability-cve-2023-34362

    On June 5, 2023, the Clop ransomware group publicly claimed responsibility for exploitation of a zero-day vulnerability in the MOVEit Transfer secure file transfer web application (CVE-2023-34362).
    Subsequent Kroll analysis of this exploitation has confirmed that threat actors are using this vulnerability to upload a web shell and exfiltrate data.
    However, Kroll forensic review has also identified activity indicating that the Clop threat actors were likely experimenting with ways to exploit this particular vulnerability as far back as 2021.

    Reply
  28. Tomi Engdahl says:

    Pro-Ukraine hackers claim to take down Russian internet provider
    https://therecord.media/proukraine-hackers-claim-to-take-down-russian-isp

    Pro-Ukrainian hacktivists have hit a Russian internet and telecommunications company used mostly by banks and online stores with a “massive” cyberattack.

    Reply
  29. Tomi Engdahl says:

    Detecting and mitigating a multi-stage AiTM phishing and BEC campaign
    https://www.microsoft.com/en-us/security/blog/2023/06/08/detecting-and-mitigating-a-multi-stage-aitm-phishing-and-bec-campaign/

    Microsoft Defender Experts uncovered a multi-stage adversary-in-the-middle (AiTM) phishing and business email compromise (BEC) attack against banking and financial services organizations. The attack originated from a compromised trusted vendor and transitioned into a series of AiTM attacks and follow-on BEC activity spanning multiple organizations. This attack shows the complexity of AiTM and BEC threats, which abuse trusted relationships between vendors, suppliers, and other partner organizations with the intent of financial fraud.

    Reply
  30. Tomi Engdahl says:

    Analyzing the FUD Malware Obfuscation Engine BatCloak
    https://www.trendmicro.com/en_us/research/23/f/analyzing-the-fud-malware-obfuscation-engine-batcloak.html

    In our recent investigation, we discovered the use of heavily obfuscated batch files utilizing the advanced BatCloak engine to deploy various malware families at different instances.
    This is the first entry in a three-part technical research series taking an in-depth look at the continuing evolution of the highly evasive batch obfuscation engine BatCloak.

    Reply
  31. Tomi Engdahl says:

    STEALTH SOLDIER BACKDOOR USED IN TARGETED ESPIONAGE ATTACKS IN NORTH AFRICA
    https://research.checkpoint.com/2023/stealth-soldier-backdoor-used-in-targeted-espionage-attacks-in-north-africa/

    Check Point Research identified an ongoing operation against targets in North Africa involving a previously undisclosed multi-stage backdoor called Stealth Soldier.
    In this article, we discuss the different techniques and tools used in this operation and its infrastructure. We also provide technical analysis of the different Stealth Soldier versions.

    Reply
  32. Tomi Engdahl says:

    COSMICENERGY Malware Is Not an Immediate Threat to Industrial Control Systems
    https://www.dragos.com/blog/cosmicenergy-malware-is-not-an-immediate-threat-to-industrial-control-systems/

    Dragos recently analyzed the new industrial control systems (ICS) malware dubbed COSMICENERGY by Mandiant on May 25, 2023. This malware, designed to target IEC 104 devices, exploits existing Microsoft SQL (MS SQL) servers that are connected to remote terminal units (RTUs). Dragos Threat Intelligence independently analyzed the malware and, counter to media headlines claiming power disruption or grid crippling abilities, concluded that COSMICENERGY is not an immediate threat to operational technology.

    Reply
  33. Tomi Engdahl says:

    Ransomware scum hit Japanese pharma giant Eisai Group
    https://www.theregister.com/2023/06/09/eisai_group_hit_by_ransomware/

    Some servers encrypted in weekend attack, but product supply not affected

    Reply
  34. Tomi Engdahl says:

    Fortinet fixes critical RCE flaw in Fortigate SSL-VPN devices, patch now
    https://www.bleepingcomputer.com/news/security/fortinet-fixes-critical-rce-flaw-in-fortigate-ssl-vpn-devices-patch-now/

    Fortinet has released new Fortigate firmware updates that fix an undisclosed, critical pre-authentication remote code execution vulnerability in SSL VPN devices.
    The security fixes were released on Friday in FortiOS firmware versions 6.0.17, 6.2.15, 6.4.13, 7.0.12, and 7.2.5.
    While not mentioned in the release notes, security professionals and admins have hinted that the updates quietly fixed a critical SSL-VPN RCE vulnerability that would be disclosed on Tuesday, June 13th, 2023.
    “The flaw would allow a hostile agent to interfere via the VPN, even if the MFA is activated,” reads an advisory from French cybersecurity firm Olympe Cyberdefense.
    “To date, all versions would be affected, we are waiting for the release of the CVE on June 13, 2023 to confirm this information.”

    Reply
  35. Tomi Engdahl says:

    Ransomware review: June 2023
    https://www.malwarebytes.com/blog/threat-intelligence/2023/06/ransomware-review-june-2023

    Ransomware gangs seem to be adopting a new modus operandi: Exploiting known vulnerabilities for multi-target attacks. This year we have seen Cl0p and MalasLocker attack multiple targets simultaneously with (presumably automated) targeting of specific system weaknesses, expanding the scale and impact of their ransomware operations.

    Reply
  36. Tomi Engdahl says:

    “Both scam and nuisance calls have been made”: an old plague has returned to Finland
    https://www.is.fi/digitoday/tietoturva/art-2000009645098.html

    The authority reports that Finnish phone numbers are being spoofed busily.
    A stop to the practice is hoped for in the autumn.

    Reply
  37. Tomi Engdahl says:

    Elastic charms SPECTRALVIPER
    https://www.elastic.co/security-labs/elastic-charms-spectralviper

    Elastic Security Labs has discovered the SPECTRALVIPER malware targeting a national Vietnamese agribusiness.

    Reply
  38. Tomi Engdahl says:

    Ransomware
    SaaS Ransomware Attack Hit Sharepoint Online Without Using a Compromised Endpoint
    https://www.securityweek.com/saas-ransomware-attack-hit-sharepoint-online-without-using-a-compromised-endpoint/

    A SaaS ransomware attack against a company’s Sharepoint Online was done without using a compromised endpoint.

    Cybersecurity firm Obsidian has observed a successful ransomware attack against Sharepoint Online (Microsoft 365) via a Microsoft Global SaaS admin account rather than the more usual route of a compromised endpoint.

    The attack was analyzed post-compromise when the victim employed the Obsidian product and research team to determine the finer points of the attack. In its blog account of the incident, Obsidian did not disclose the victim, but believes the attacker was the group known as 0mega.

    Once in, the attacker created a new Active Directory (AD) user called Omega with elevated privileges, including Global Administrator, SharePoint Administrator, Exchange Administrator, and Teams Administrator; and site collection administrator capabilities to multiple Sharepoint sites and collections. The attacker also removed existing administrators (more than 200) in a 2-hour period.

    Reply
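    Detection logic for the admin-takeover pattern described in the post above (a freshly created account granted privileged roles, then 200+ administrators removed in about two hours), written as an added example that is not part of the original post or of Obsidian's tooling; the audit record layout, field names, thresholds and account names are constructed assumptions, not Microsoft's audit log schema:

```python
"""Flag two signals from the SharePoint Online incident in audit-style records:
  1. a privileged directory role granted to an account created shortly before;
  2. one actor removing many privileged role memberships in a short window.

Record layout is a constructed, simplified stand-in for unified audit log
entries; the field names are assumptions, not Microsoft's schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Roles named in the incident write-up (assumed to be the ones worth watching).
PRIVILEGED_ROLES = {
    "Global Administrator",
    "SharePoint Administrator",
    "Exchange Administrator",
    "Teams Administrator",
}


def parse_ts(s):
    return datetime.fromisoformat(s)


def find_rapid_privilege_grants(events, max_age=timedelta(minutes=30)):
    """Return (user, role) pairs where a privileged role was granted to an
    account that had been created less than max_age earlier."""
    created = {}
    hits = []
    for e in sorted(events, key=lambda e: e["time"]):
        t = parse_ts(e["time"])
        if e["op"] == "Add user":
            created[e["target"]] = t
        elif e["op"] == "Add member to role" and e["role"] in PRIVILEGED_ROLES:
            born = created.get(e["target"])
            if born is not None and t - born <= max_age:
                hits.append((e["target"], e["role"]))
    return hits


def find_mass_admin_removal(events, threshold=20, window=timedelta(hours=2)):
    """Return {actor: peak_count} for actors who removed at least `threshold`
    privileged role memberships inside any span of length `window`."""
    by_actor = defaultdict(list)
    for e in events:
        if e["op"] == "Remove member from role" and e["role"] in PRIVILEGED_ROLES:
            by_actor[e["actor"]].append(parse_ts(e["time"]))
    flagged = {}
    for actor, times in by_actor.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[actor] = max(flagged.get(actor, 0), count)
    return flagged


def sample_events():
    """Constructed log excerpt modelled on the incident; all names are invented."""
    base = datetime(2023, 6, 1, 2, 0)
    ev = []

    def add(minutes, actor, op, target, role=None):
        ev.append({"time": (base + timedelta(minutes=minutes)).isoformat(),
                   "actor": actor, "op": op, "target": target, "role": role})

    # New account created from the compromised admin, then given every role.
    add(0, "compromised.admin@example.test", "Add user", "omega@example.test")
    for i, role in enumerate(sorted(PRIVILEGED_ROLES)):
        add(3 + i, "compromised.admin@example.test", "Add member to role",
            "omega@example.test", role)
    # 25 legitimate admins stripped by the new account over roughly 75 minutes.
    for i in range(25):
        add(10 + i * 3, "omega@example.test", "Remove member from role",
            f"admin{i:02d}@example.test", "SharePoint Administrator")
    # Routine, benign offboarding by a different admin two days earlier.
    add(-3000, "it.ops@example.test", "Remove member from role",
        "leaver@example.test", "Exchange Administrator")
    return ev


if __name__ == "__main__":
    events = sample_events()
    print("rapid grants:", find_rapid_privilege_grants(events))
    print("mass removals:", find_mass_admin_removal(events))
```

    The benign offboarding stays below the threshold, while the invented "omega" account trips both detections.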
  39. Tomi Engdahl says:

    Evidence Suggests Ransomware Group Knew About MOVEit Zero-Day Since 2021
    https://www.securityweek.com/evidence-suggests-ransomware-group-knew-about-moveit-zero-day-since-2021/

    Evidence suggests that the Cl0p ransomware group has known about and conducted tests with the recently patched MOVEit zero-day since mid-2021.

    Reply
  40. Tomi Engdahl says:

    ‘Asylum Ambuscade’ Group Hit Thousands in Cybercrime, Espionage Campaigns
    https://www.securityweek.com/asylum-ambuscade-group-hit-thousands-in-cybercrime-espionage-campaigns/

    ESET has linked several cybercrime and espionage campaigns to a threat actor tracked as Asylum Ambuscade.

    Reply
  41. Tomi Engdahl says:

    In Other News: AI Regulation, Layoffs, US Aerospace Attacks, Post-Quantum Encryption
    https://www.securityweek.com/in-other-news-ai-regulation-layoffs-us-aerospace-attacks-post-quantum-encryption/

    Cybersecurity news that you may have missed this week: AI regulation, layoffs, US aerospace malware attacks, and post-quantum encryption.

    AI regulation still a long way off

    The EU was thought to be close to AI regulation, but progress on the AI Act has stumbled. Blame is being laid on the EPP party for apparently wishing to change the rules. The problem appears to be the detail involved in remote biometric identification. Meanwhile, in the US, MeriTalk reports that “Congress appears to be just lining up at the starting gate with its own efforts to explore possible regulation of the technology.” One obvious complication is whether GPT-speak should be protected under the First Amendment.

    https://www.securityweek.com/in-global-rush-to-regulate-ai-europe-set-to-be-trailblazer/

    Reply
  42. Tomi Engdahl says:

    Pharmaceutical Giant Eisai Takes Systems Offline Following Ransomware Attack
    https://www.securityweek.com/pharmaceutical-giant-eisai-takes-systems-offline-following-ransomware-attack/

    Japanese pharmaceutical company Eisai says it has taken systems offline after falling victim to a ransomware attack.

    Reply
  43. Tomi Engdahl says:

    Serious warning from the police about a scam on Facebook: “Empties the bank account immediately”
    https://www.is.fi/digitoday/tietoturva/art-2000009650470.html

    Elderly people in particular are in the danger zone of Facebook account hijackers who empty bank accounts.

    The police warn of digital scammers who hijack Facebook accounts and empty their victims’ bank accounts. They approach their victims on Facebook from a hijacked account, posing as a friend.

    Several Facebook users in North Ostrobothnia and Kainuu have recently fallen victim to the criminal.

    The video above explains how you can prevent your Facebook account from being hijacked.

    A common scam begins with a private message in which a Facebook friend asks for the victim’s phone number and says they have entered themselves and the victim into a prize draw. “To receive the cash prize”, they then ask the victim for an account number and online banking credentials.

    Reply
