This posting is here to collect cyber security news in June 2023.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
323 Comments
Tomi Engdahl says:
+300 percent! A storm of break-ins to Finns' social media accounts – here is how to protect yourself
https://www.is.fi/digitoday/tietoturva/art-2000009643074.html
The cyber weather in May was stormy when it came to social media account hijackings.
May saw a huge increase in the number of reported social media account break-ins. According to the National Cyber Security Centre at the Finnish Transport and Communications Agency Traficom, the number of reports in May grew by about 300 percent compared with the average for the early part of the year.
Ilta-Sanomat has reported on a campaign that aims to hijack Finnish Facebook accounts. Accounts are hijacked under the pretext of entering the recipient into a contest. Messages arriving from a familiar account ask for a phone number and for the code that arrives by text message, with which the criminal takes over the account.
The best way to protect yourself from account hijacking is to use two-step authentication. The video at the start of the article shows how to enable it.
Two-step authentication
Also referred to as two-step verification, multi-factor authentication or 2FA (two-factor authentication).
It means that an e-mail address/username and password alone are not enough to log in; the login must be confirmed separately. This prevents an intruder from getting into the user account even if they know the password.
Most online services support two-step authentication, but it has to be enabled separately.
It is not the same thing as strong authentication. The latter means that the login is done in a way that verifies the user's identity, such as with online banking credentials or a mobile certificate.
The confirmation is usually done with a phone. Sometimes separate authentication devices are also used.
The confirmation is often a code entered at login that arrives by text message or through an authenticator app. Another option is approving the login in an app.
Authenticator apps include, for example, OP's Mobiiliavain, Nordea ID, Microsoft Authenticator and Google Authenticator.
In addition, reports of M365 breaches continued to rise at the start of the month. According to the National Cyber Security Centre, at least one M365 e-mail account has been compromised in about 60 organisations since April. At the end of May, however, a small change for the better was observed.
Tomi Engdahl says:
Encrypted malware is being distributed with the help of the public cloud
https://etn.fi/index.php/13-news/15077-salattua-haittaohjelmaa-levitetaeaen-julkisen-pilven-avulla
The research arm of security company Check Point has published its malware review for May. The Qbot banking trojan is still the most common nuisance; a version of the GuLoader malware that can be stored undetected in well-known public cloud services, including Google Drive, has risen to fourth most common.
GuLoader, which cybercriminals widely use to bypass antivirus protection, has undergone significant changes. The latest version uses an advanced technique in which the malware replaces the code in a legitimate process. This technique helps it evade security tools that monitor processes.
The malware's payloads are fully encrypted and are stored undetected in well-known public cloud services such as Google Drive. This unique combination of encryption, raw binary format and separation from the loader makes the malware payloads invisible to antivirus programs. This is a significant threat to users and companies around the world.
Check Point's research director Maya Horowitz considers the new development very worrying: "Cybercriminals are increasingly using public tools and services to spread malware campaigns. The trustworthiness of the source no longer guarantees full safety."
Tomi Engdahl says:
With this simple method, Facebook scammers can empty up to 150,000 euros from an account if you are not on your guard
https://yle.fi/a/74-20036271
Organised crime is behind the Facebook scams, police say.
The trust of the people targeted by the scam is ruthlessly exploited.
myös: https://www.is.fi/digitoday/tietoturva/art-2000009650470.html
Tomi Engdahl says:
This is how you recognise that someone is trying to scam money from you
https://www.iltalehti.fi/tietoturva/a/9b1e6062-f937-4a0e-8558-06eb16d536c8
Artificial intelligence will make scams more convincing than ever.
Security trainer Sami Laiho talked about the cyber threats facing Finns and how to protect against them.
Tomi Engdahl says:
Over 20 trusted Minecraft mods were infected in a breach: check whether the risk affects you
https://yle.fi/a/74-20036199
The malware has spread through two services that offer add-ons for popular games. The threat concerns Minecraft versions played on PC and Linux machines.
Tomi Engdahl says:
Sneaky DoubleFinger loads GreetingGhoul targeting your cryptocurrency https://securelist.com/doublefinger-loader-delivering-greetingghoul-cryptocurrency-stealer/109982/
Our analysis of the DoubleFinger loader and GreetingGhoul malware reveals a high level of sophistication and skill in crimeware development, akin to advanced persistent threats (APTs). The multi-staged, shellcode-style loader with steganographic capabilities, the use of Windows COM interfaces for stealthy execution, and the implementation of Process Doppelgänging for injection into remote processes all point to well-crafted and complex crimeware.
Tomi Engdahl says:
A Truly Graceful Wipe Out
https://thedfirreport.com/2023/06/12/a-truly-graceful-wipe-out/
In this intrusion, dated May 2023, we observed Truebot being used to deploy Cobalt Strike and FlawedGrace (aka GraceWire & BARBWIRE) resulting in the exfiltration of data and the deployment of the MBR Killer wiper. The threat actors deployed the wiper within 29 hours of initial access.
Tomi Engdahl says:
Swiss government warns of ongoing DDoS attacks, data leak https://www.bleepingcomputer.com/news/security/swiss-government-warns-of-ongoing-ddos-attacks-data-leak/
The Swiss government has disclosed that a recent ransomware attack on an IT supplier might have impacted its data, while today, it warns that it is now targeted in DDoS attacks.
Tomi Engdahl says:
MOVEit hack: Media watchdog Ofcom latest victim of mass hack
https://www.bbc.com/news/technology-65877210
Media watchdog Ofcom has confirmed that it is a victim of a cyber-attack by hackers linked to a notorious Russian ransomware group.
—
Exploit released for MOVEit RCE bug used in data theft attacks https://www.bleepingcomputer.com/news/security/exploit-released-for-moveit-rce-bug-used-in-data-theft-attacks/
Horizon3 security researchers have released proof-of-concept (PoC) exploit code for a remote code execution (RCE) bug in the MOVEit Transfer managed file transfer (MFT) solution abused by the Clop ransomware gang in data theft attacks.
Tomi Engdahl says:
New MOVEit Vulnerabilities Found as More Zero-Day Attack Victims Come Forward
Researchers discover new MOVEit vulnerabilities related to the zero-day, just as more organizations hit by the attack are coming forward.
https://www.securityweek.com/new-moveit-vulnerabilities-found-as-more-zero-day-attack-victims-come-forward/
Tomi Engdahl says:
US Charges Russians With Hacking Cryptocurrency Exchange
Two Russian nationals are charged in the US with hacking a cryptocurrency exchange and conspiring to launder the proceeds.
https://www.securityweek.com/us-charges-russians-with-hacking-cryptocurrency-exchange/
Two Russian nationals have been charged in the US with hacking the now-defunct cryptocurrency exchange Mt. Gox and conspiring to launder the proceeds.
The individuals, Alexey Bilyuchenko, 43, and Aleksandr Verner, 29, allegedly attempted to launder 647,000 Bitcoins from their hack of Mt. Gox.
According to court documents, the two and other co-conspirators hacked Mt. Gox, the largest Bitcoin exchange at the time, in September 2011. Launched in 2010, Mt. Gox was handling over 70% of Bitcoin transactions.
The Japan-based exchange service shut down operations in February 2014 and filed for bankruptcy protection, after the theft of cryptocurrency was publicly disclosed. Initially, the company estimated the loss of roughly 850,000 Bitcoins, but 200,000 Bitcoins were retrieved from an old wallet shortly after.
Tomi Engdahl says:
Intellihartx Informs 490k Patients of GoAnywhere-Related Data Breach
https://www.securityweek.com/intellihartx-informs-490k-patients-of-goanywhere-related-data-breach/
Intellihartx says the personal information of roughly 490,000 individuals was compromised in the GoAnywhere zero-day attack earlier this year.
Tomi Engdahl says:
Fortinet Patches Critical FortiGate SSL VPN Vulnerability
https://www.securityweek.com/fortinet-patches-critical-fortigate-ssl-vpn-vulnerability/
Fortinet has patched CVE-2023-27997, a critical FortiGate SSL VPN vulnerability that can be exploited for unauthenticated remote code execution.
Fortinet has patched a critical FortiGate vulnerability that can be exploited by an unauthenticated attacker for remote code execution, according to the researchers who reported the flaw to the vendor.
The vulnerability is tracked as CVE-2023-27997 and it was discovered by researchers at French offensive IT security firm Lexfo.
Charles Fol, one of the researchers, said on Twitter that the vulnerability affects every SSL VPN appliance and it can be exploited for remote code execution without authentication.
Fortinet has yet to publish an advisory for the flaw, but French cybersecurity company Olympe Cyberdefense reported that an advisory is expected to become public on June 13.
https://twitter.com/cfreal_/status/1667852157536616451
https://olympecyberdefense.fr/1193-2/
Tomi Engdahl says:
People Are Pirating GPT-4 By Scraping Exposed API Keys
Why pay for $150,000 worth of OpenAI access when you could just steal it?
https://www.vice.com/en/article/93kkky/people-pirating-gpt4-scraping-openai-api-keys
People on the Discord for the r/ChatGPT subreddit are advertising stolen OpenAI API tokens that have been scraped from other people's code, according to chat logs, screenshots and interviews.
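The keys in the story were harvested from code that people had published. As an added example (not from the article), here is the kind of pre-commit scan that catches such a leak before it is pushed. The key shape is an assumption: it uses the historical "sk-" plus 48 alphanumerics form that secret scanners matched at the time, and providers change formats, so treat the pattern as illustrative. The sample "repository" is constructed inline and the keys in it are made up.

```python
import re

# Assumed key shape (example pattern, not a specification): "sk-" + 48 alphanumerics.
KEY_PATTERNS = {
    "openai": re.compile(r"\bsk-[A-Za-z0-9]{48}\b"),
}

# Constructed sample repository: file name -> contents. The keys are invented.
SAMPLE_FILES = {
    "app.py": 'import openai\nopenai.api_key = "sk-' + "A1b2" * 12 + '"\n',
    "config.js": "const key = process.env.OPENAI_API_KEY; // read from the environment, not hard-coded\n",
    "README.md": "example: sk-" + "Zz9" * 16 + " (do not do this)\n",
    "short.txt": "sk-tooshort is not a key\n",
}


def redact(key: str) -> str:
    """Never echo the full secret into logs or CI output."""
    return key[:6] + "..." + key[-4:]


def find_leaked_keys(files: dict) -> list:
    """Return (file, line number, kind, redacted key) for every match in the given files."""
    hits = []
    for name, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for kind, pattern in KEY_PATTERNS.items():
                for match in pattern.finditer(line):
                    hits.append((name, lineno, kind, redact(match.group())))
    return hits


if __name__ == "__main__":
    hits = find_leaked_keys(SAMPLE_FILES)
    for name, lineno, kind, shown in hits:
        print(f"{name}:{lineno}: possible {kind} key {shown}")
    # In a pre-commit hook: exit non-zero so the commit is blocked.
    raise SystemExit(1 if hits else 0)
```

A key that has already been committed should be treated as compromised and rotated; removing it from the working tree does not remove it from history or from the scrapers' copies.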
Tomi Engdahl says:
Online muggers make serious moves on unpatched Microsoft bugs
Win32k and Visual Studio flaws are under attack
https://www.theregister.com/2023/06/09/microsoft_systems_flaws_patch/
Two flaws in Microsoft software are under attack on systems that haven’t been patched by admins.
Tomi Engdahl says:
Data of 8.8 Million Zacks Users Emerges Online
https://www.securityweek.com/data-of-8-8-million-zacks-users-emerges-online/
A database containing the personal information of roughly 9 million Zacks users has emerged online.
Tomi Engdahl says:
Ransomware Attack Played Major Role in Shutdown of Illinois Hospital
https://www.securityweek.com/ransomware-attack-played-major-role-in-shutdown-of-illinois-hospital/
St. Margaret’s Health in Illinois is shutting down hospitals partly due to a 2021 ransomware attack that caused serious payment system disruptions
St. Margaret’s Health is shutting down hospitals and other facilities in Peru and Spring Valley, Illinois, and says a 2021 ransomware attack is partly to blame.
The attack occurred in late February 2021 and forced the shutdown of the Spring Valley hospital’s computer network, impacting all web-based operations, including its patient portal. The Peru branch was not affected, as it operated on a separate system.
The incident, the hospital said on social media, impacted its ability to bill patients and get paid in a timely manner for the provided services. The systems were down for more than three months.
Compounded with impact from the Covid-19 pandemic, a shortage of staff, and rising costs of goods and services, the cyberattack forced the hospital to suspend some of its services in January this year.
Tomi Engdahl says:
Romanian Operator of Bulletproof Hosting Service Sentenced to Prison in US
https://www.securityweek.com/romanian-operator-of-bulletproof-hosting-service-sentenced-to-prison-in-us/
A Romanian national who operated a bulletproof hosting service used by malware operators was sentenced to prison in the US.
Tomi Engdahl says:
Fortinet Warns Customers of Possible Zero-Day Exploited in Limited Attacks
https://www.securityweek.com/fortinet-warns-customers-of-possible-zero-day-exploited-in-limited-attacks/
Fortinet has warned customers that the critical CVE-2023-27997 vulnerability that was patched recently could be a zero-day exploited in limited attacks.
Tomi Engdahl says:
New Research Shows Potential of Electromagnetic Fault Injection Attacks Against Drones
https://www.securityweek.com/new-research-shows-potential-of-electromagnetic-fault-injection-attacks-against-drones/
New research conducted by IOActive shows the potential of electromagnetic fault injection (EMFI) attacks against drones.
New research shows the potential of electromagnetic fault injection (EMFI) attacks against unmanned aerial vehicles, with experts showing how drones that don’t have any known vulnerabilities could be hacked.
The research was conducted by IOActive, a company specializing in cybersecurity research and assessments. The security firm previously found vulnerabilities affecting cars, ships, Boeing and other airplanes, industrial control systems, communication protocols, and operating systems.
The analysis was led by Gabriel Gonzalez, director of hardware security at IOActive, and it focused on electromagnetic side-channel and fault injection attacks with the goal of achieving arbitrary code execution on the targeted drone.
The research is ongoing, but initial results show that EMFI techniques can be efficient for black-box hacking, where the attacker does not have internal knowledge of the targeted system.
The experiments demonstrated that injecting a specific EM glitch at a specific time during the firmware update process could allow an attacker to execute arbitrary code on the main processor, giving them access to the Android operating system that implements core functionality.
Tomi Engdahl says:
Dan Goodin / Ars Technica:
Researchers devise how to steal the encryption keys in smart cards and smartphones by video recording the devices’ power LEDs, with some real-world limitations
Hackers can steal cryptographic keys by video-recording power LEDs 60 feet away
Key-leaking side channels are a fact of life. Now they can be done by video-recording power LEDs.
https://arstechnica.com/information-technology/2023/06/hackers-can-steal-cryptographic-keys-by-video-recording-connected-power-leds-60-feet-away/
Researchers have devised a novel attack that recovers the secret encryption keys stored in smart cards and smartphones by using cameras in iPhones or commercial surveillance systems to video record power LEDs that show when the card reader or smartphone is turned on.
The attacks enable a new way to exploit two previously disclosed side channels, a class of attack that measures physical effects that leak from a device as it performs a cryptographic operation. By carefully monitoring characteristics such as power consumption, sound, electromagnetic emissions, or the amount of time it takes for an operation to occur, attackers can assemble enough information to recover secret keys that underpin the security and confidentiality of a cryptographic algorithm.
On Tuesday, academic researchers unveiled new research demonstrating attacks that provide a novel way to exploit these types of side channels. The first attack uses an Internet-connected surveillance camera to take a high-speed video of the power LED on a smart card reader—or of an attached peripheral device—during cryptographic operations. This technique allowed the researchers to pull a 256-bit ECDSA key off the same government-approved smart card used in Minerva. The other allowed the researchers to recover the private SIKE key of a Samsung Galaxy S8 phone by training the camera of an iPhone 13 on the power LED of a USB speaker connected to the handset, in a similar way to how Hertzbleed pulled SIKE keys off Intel and AMD CPUs.
Power LEDs are designed to indicate when a device is turned on. They typically cast a blue or violet light that varies in brightness and color depending on the power consumption of the device they are connected to.
There are limitations to both attacks that make them unfeasible in many (but not all) real-world scenarios (more on that later). Despite this, the published research is groundbreaking because it provides an entirely new way to facilitate side-channel attacks. Not only that, but the new method removes the biggest barrier holding back previously existing methods from exploiting side channels: the need to have instruments such as an oscilloscope, electric probes, or other objects touching or being in proximity to the device being attacked.
In Minerva’s case, the device hosting the smart card reader had to be compromised for researchers to collect precise-enough measurements. Hertzbleed, by contrast, didn’t rely on a compromised device but instead took 18 days of constant interaction with the vulnerable device to recover the private SIKE key.
The video-based attacks presented on Tuesday reduce or completely eliminate such requirements. All that’s required to steal the private key stored on the smart card is an Internet-connected surveillance camera that can be as far as 62 feet away from the targeted reader. The side-channel attack on the Samsung Galaxy handset can be performed by an iPhone 13 camera that’s already present in the same room.
“One of the most significant things of this paper is the fact that you don’t need to connect the probe, connect a scope, or use a software-defined radio,” Ben Nassi, the lead researcher of the attack, said in an interview. “It’s not intrusive, and you can use common or popular devices such as a smartphone in order to apply the attack. For the case of the Internet-connected video camera, you don’t even need to approach the physical scene in order to apply the attack, which is something you cannot do with a software-defined radio or with connecting probes or things like this.”
The technique has another benefit over more traditional side-channel attacks: precision and accuracy. Attacks such as Minerva and Hertzbleed leak information through networks, which introduces latency and adds noise that must be compensated for by collecting data from large numbers of operations. This limitation is what causes the Minerva attack to require a targeted device to be compromised and the Hertzbleed attack to take 18 days.
Rocking the rolling shutter
To many people’s surprise, a standard video camera recording a power LED provides a means of data collection that is much more efficient for measuring information leaking through a side channel. When a CPU performs different cryptographic operations, a targeted device consumes varying amounts of power. The variations cause changes in brightness and sometimes colors of the power LEDs of the device or of peripherals connected to the device.
To capture the LED variations in sufficient detail, the researchers activate the rolling shutter available in newer cameras. Rolling shutter is a form of image capture akin in some ways to time-lapse photography. It rapidly records a frame line by line in a vertical, horizontal, or rotational fashion. Traditionally, a camera could only take pictures or videos at the speed of its frame rate, which maxed out at 60 to 120 frames per second.
Activating a rolling shutter can upsample the sampling rate to collect roughly 60,000 measurements per second. By completely filling a frame with the power LED that’s presently on or connected to a device while it performs cryptographic operations, the researchers exploited the rolling shutter, making it possible for an attacker to collect enough detail to deduce the secret key stored on a smart card, phone, or other device.
“This is possible because the intensity/brightness of the device’s power LED correlates with its power consumption, due to the fact that in many devices, the power LED is connected directly to the power line of the electrical circuit which lacks effective means (e.g., filters, voltage stabilizers) of decoupling the correlation,” the researchers wrote in Tuesday’s paper.
But by analyzing the video frames for different RGB values in the green channel, an attacker can identify the start and finish of a cryptographic operation.
Some restrictions apply
Here are the threat models assumed in the research:
A target device is creating a digital signature or performing a similar cryptographic operation on a device. The device has either a standard on/off type 1 or indicative power type 2 power LED, which maintains a constant color or a changing color in response to triggered cryptographic operations. If the device doesn’t have a type 1 or type 2 power LED, it must be connected to a peripheral device that does. The brightness or color of these power LEDs must correlate to the power consumption of the device.
The attacker is a malicious entity in a position to constantly video-record the power LED of either the device or a peripheral device such as USB speakers while the cryptographic operation is taking place.
When the camera is 60 feet away, the room lights must be turned off, but they can be turned on if the surveillance camera is at a distance of about 6 feet. (An attacker can also use an iPhone to record the smart card reader power LED.) The video must be captured for 65 minutes, during which the reader must constantly perform the operation.
Video-based Cryptanalysis
BH USA 23 & DEFCON 31
Exploiting a Video Camera’s Rolling Shutter to Recover Secret Keys from Devices Using Video Footage of Their Power LED
https://www.nassiben.com/video-based-crypta
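The two quantitative points in the excerpt above are the sampling-rate gain from the rolling shutter (frame rate multiplied by the number of sensor rows, roughly 60,000 samples per second) and the use of the green channel to find where a cryptographic operation starts and ends. The following simulation is an added example, not code from the paper or the article: it models a constructed LED whose green value rises while an operation draws extra current, samples it row by row as a rolling shutter would, and recovers the operation boundaries. The camera parameters (60 fps, 1000 rows), the brightness levels and the 15 ms operation are all assumed for illustration.

```python
# Constructed camera model: 60 fps with 1000 sensor rows. A rolling shutter exposes
# each row at a different instant, so one frame yields 1000 separate measurements.
FPS = 60
ROWS = 1000

# Constructed target: one 15 ms signing operation running from t=0.020 s to t=0.035 s.
OPS = [(0.02, 0.035)]


def effective_sample_rate(fps: int = FPS, rows: int = ROWS) -> int:
    """Samples per second when every row of every frame is its own measurement."""
    return fps * rows


def led_green(t: float, ops) -> float:
    """Constructed LED model: green channel 100 at rest, 140 while an operation draws
    extra current (the paper's premise is that LED brightness tracks power consumption)."""
    for start, end in ops:
        if start <= t < end:
            return 140.0
    return 100.0


def rolling_shutter_trace(ops, frames: int = 6, fps: int = FPS, rows: int = ROWS):
    """Row-by-row readout: sample i of the video is exposed at i / (fps * rows) seconds."""
    rate = fps * rows
    return [(i / rate, led_green(i / rate, ops)) for i in range(frames * rows)]


def global_shutter_trace(ops, frames: int = 6, fps: int = FPS):
    """For comparison: a global shutter gives a single measurement per frame."""
    return [(f / fps, led_green(f / fps, ops)) for f in range(frames)]


def find_operations(trace, threshold: float = 120.0):
    """Recover operation boundaries as intervals where the green value stays above threshold."""
    found, start = [], None
    for t, g in trace:
        if g > threshold and start is None:
            start = t
        elif g <= threshold and start is not None:
            found.append((start, t))
            start = None
    if start is not None:
        found.append((start, trace[-1][0]))
    return found


def samples_during(trace, start: float, end: float) -> int:
    """How many measurements fall inside [start, end)."""
    return sum(1 for t, _ in trace if start <= t < end)


if __name__ == "__main__":
    rs, gs = rolling_shutter_trace(OPS), global_shutter_trace(OPS)
    print("effective rate:", effective_sample_rate(), "samples/s")
    print("samples inside the 15 ms operation: rolling", samples_during(rs, 0.02, 0.035),
          "vs global", samples_during(gs, 0.02, 0.035))
    print("recovered boundaries:", find_operations(rs))
```

The model is deliberately idealised (no noise, no row-exposure overlap, a step change in brightness); the real attack has to average many traces and, as the article notes, needs the lights off at 60 feet and about 65 minutes of footage. The point the simulation makes is purely the sampling one: a single operation shorter than a frame is invisible to a global shutter and fully resolved by a rolling shutter.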
Tomi Engdahl says:
June 2023 Microsoft Patch Tuesday
https://isc.sans.edu/diary/June+2023+Microsoft+Patch+Tuesday/29942
Today’s Microsoft patch Tuesday addresses 94 vulnerabilities. This includes 14 Chromium vulnerabilities patched in Microsoft Edge, and five GitHub vulnerabilities. Six of these vulnerabilities are rated as critical.
Three critical vulnerabilities are remote code execution vulnerabilities related to the Windows Pragmatic Multicast (PGM) service. Past PGM vulnerabilities were related to the Microsoft Message Queue (MSMQ), for example, CVE-2023-28250, which was patched in April.
Two of the important vulnerabilities are caused by Microsoft Exchange.
Exploitation requires authentication, so these remote code execution vulnerabilities are only regarded as important. But based on history with similar flaws, this issue is worth watching.
A critical vulnerability patched in Sharepoint allows the spoofing of JWT authentication tokens to gain access as an authenticated user.
This month, none of the vulnerabilities were made public before patch Tuesday, and none of them are already exploited.
Tomi Engdahl says:
Richard Lawler / The Verge:
Amazon says it has resolved an AWS outage that impacted the US-EAST-1 region for nearly four hours and affected multiple services, including fast-food apps
Amazon’s server outage broke fast food apps like McDonald’s and Taco Bell
https://www.theverge.com/2023/6/13/23759857/amazon-aws-down-outage-taco-bell-mcdonalds-burger-king
Amazon US-East-1 region’s bad day caused problems if you wanted to order Burger King or Taco Bell via their apps.
An outage within the Amazon Web Services (AWS) cloud server setup was affecting a number of internet services, including our website, but has been resolved. The AWS Health Dashboard noted problems of degradation on multiple services in the US-East-1 region that started around 3PM ET.
The most recent update from Amazon that was posted at 6:42PM ET reads, “Between 11:49 AM PDT and 3:37 PM PDT, we experienced increased error rates and latencies for multiple AWS Services in the US-EAST-1 Region. Our engineering teams were immediately engaged and began investigating. We quickly narrowed down the root cause to be an issue with a subsystem responsible for capacity management for AWS Lambda… As of 3:37 PM, the backlog was fully processed. The issue has been resolved and all AWS Services are operating normally.”
Tomi Engdahl says:
Sheridan Prasso / Bloomberg:
Researchers find 10+ items on Temu in the US that were made or sold by companies in Xinjiang, China, flouting a US ban on the region known for forced labor
Temu Sells Products in US Linked to Forced Labor in China’s Uyghur Region, Analysis Shows
https://www.bloomberg.com/news/articles/2023-06-13/temu-sells-products-in-us-linked-to-forced-labor-in-china-s-uyghur-region#xj4y7vzkg
Tomi Engdahl says:
Analysis of CVE-2023-27997 and Clarifications on Volt Typhoon Campaign https://www.fortinet.com/blog/psirt-blogs/analysis-of-cve-2023-27997-and-clarifications-on-volt-typhoon-campaign
Fortinet published a CVSS Critical PSIRT Advisory (FG-IR-23-097 / CVE-2023-27997) along with several other SSL-VPN related fixes. This blog adds context to that advisory, providing our customers with additional details to help them make informed, risk-based decisions, and provides our perspective relative to recent events involving malicious actor activity.
The following write-up details our initial investigation into the incident that led to the discovery of this vulnerability and additional IoCs identified during our ongoing analysis.
At this time we are not linking FG-IR-23-097 to the Volt Typhoon campaign, however Fortinet expects all threat actors, including those behind the Volt Typhoon campaign, to continue to exploit unpatched vulnerabilities in widely used software and devices. For this reason, Fortinet urges immediate and ongoing mitigation through an aggressive patching campaign.
Tomi Engdahl says:
Xortigate, or CVE-2023-27997 – The Rumoured RCE That Was https://labs.watchtowr.com/xortigate-or-cve-2023-27997/
We hope this blog post is useful to those who are in the unfortunate position of making a patching decision, and helps to offset Fortinet’s usual tight-lipped approach to vulnerability disclosure.
Based on this, it seems unlikely (but at the same time, also plausible) that we’ll see widespread exploitation for RCE. However, this is not the only threat from this bug – it is important to note that it is very easy even for an unskilled attacker to craft an exploit which will crash the target device and force it to reboot. In contrast to full RCE, it seems likely that this will be exploited by unskilled attackers for their amusement.
Tomi Engdahl says:
Criminals can hijack anyone's number – this is what happened to "Merja"
https://yle.fi/a/74-20034979
The National Cyber Security Centre has received reports from people whose phone numbers have been used in scam calls. Criminals calling from abroad spoof Finnish mobile numbers for their own use.
Tomi Engdahl says:
China’s cyber now aimed at infrastructure, warns CISA boss https://www.theregister.com/2023/06/13/china_cyber_threat_infrastructure/
China’s cyber-ops against the US have shifted from espionage activities to targeting infrastructure and societal disruption, the director of the Cybersecurity and Infrastructure Security Agency (CISA) Jen Easterly told an Aspen Institute event on Monday.
“PRC actors have been in the spotlight for years and years, the key difference here was for PRC actors the focus has been espionage,” said Easterly.
Easterly’s definition of espionage includes intellectual property theft and “the greatest transfer of intellectual wealth in history.”
“But what we are starting to see – and this was captured in the IC’s annual threat assessment – was targeting that was less about espionage and more about disruption and destruction,” she added.
Tomi Engdahl says:
The municipality of Säkylä, hit by a cyberattack, demands damages – an IT partner's blunder made the attack possible [SUBSCRIBERS ONLY]
https://www.tivi.fi/uutiset/tv/bfa689a7-86c0-4d9c-b7de-47e2691e7102
The municipality of Säkylä, which was hit by a cyberattack in December, is looking into its IT partner's liability for the incident. Municipal board documents show that municipal manager Teijo Mäenpää has held negotiations with the company that provides the IT services, and these are described as having gone favourably.
The intrusion into the municipality's systems was caused by a serious error on the part of an external service provider, the details of which have not been made public. The municipality of Säkylä has also kept quiet about the name of the company providing the services.
Tomi Engdahl says:
Bulletproof hoster gets 3 years for pushing Ursnif, Zeus malware https://www.bleepingcomputer.com/news/security/bulletproof-hoster-gets-3-years-for-pushing-urfsnif-zeus-malware/
Romanian national Mihai Ionut Paunescu, aka “Virus,” was sentenced to three years in prison by a Manhattan federal court for running a bulletproof hosting service and facilitating the distribution of the Gozi (Ursnif), Zeus, SpyEye, and BlackEnergy malware.
Tomi Engdahl says:
VPX Gon’ Give It to Ya: VMware ESXi Zero-Day Used by Chinese Espionage Actor to Bypass Authentication Checks and Perform Privileged Guest Operations https://www.mandiant.com/resources/blog/vmware-esxi-zero-day-bypass
This blog post describes an expanded understanding of the attack path seen in Figure 1 and highlights the implications of both the zero-day vulnerability (CVE-2023-20867) and VMCI communication sockets the attacker leveraged to complete their goal. In a followup post, we will provide artifacts present on hosts, which indicate historical attacker activity, optional logging to track Guest Operations at the guest level, and hardening suggestions for both vCenter and ESXi solutions.
Tomi Engdahl says:
Cadet Blizzard emerges as a novel and distinct Russian threat actor https://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/
Today, Microsoft Threat Intelligence is sharing updated details about techniques of a threat actor formerly tracked as DEV-0586—a distinct Russian state-sponsored threat actor that has now been elevated to the name Cadet Blizzard. As a result of our investigation into their intrusion activity over the past year, we have gained high confidence in our analysis and knowledge of the actor’s tooling, victimology, and motivation, meeting the criteria to convert this group to a named threat actor.
Tomi Engdahl says:
New ‘Shampoo’ Chromeloader malware pushed via fake warez sites https://www.bleepingcomputer.com/news/security/new-shampoo-chromeloader-malware-pushed-via-fake-warez-sites/
A new ChromeLoader campaign is underway, infecting visitors of warez and pirated movie sites with a new variant of the search hijacker and adware browser extension named Shampoo.
This discovery of the new campaign comes from HP’s threat research team (Wolf Security), who report that the operation has been underway since March 2023.
Tomi Engdahl says:
Fake Security Researcher GitHub Repositories Deliver Malicious Implant https://vulncheck.com/blog/fake-repos-deliver-malicious-implant
In early May, VulnCheck came across a malicious GitHub repository that claimed to be a Signal 0-day. The team reported the repository to GitHub, and it was quickly taken down. The same scenario continued throughout May.
Recently, the individuals creating these repositories have put significant effort into making them look legitimate by creating a network of accounts and Twitter profiles, pretending to be part of a non-existent company called High Sierra Cyber Security, and even using headshots of legitimate security researchers from companies like Rapid7.
Tomi Engdahl says:
Behind the Scenes: Unveiling the Hidden Workings of Earth Preta https://www.trendmicro.com/en_us/research/23/f/behind-the-scenes-unveiling-the-hidden-workings-of-earth-preta.html
This blog entry discusses the more technical details on the most recent tools, techniques, and procedures (TTPs) leveraged by the Earth Preta APT group, and tackles how we were able to correlate different indicators connected to this threat actor.
Tomi Engdahl says:
Anne was shocked: All Nordea bank accounts disappeared – This is how Nordea explains it
Nordea announced in the late morning that it had begun fixing the disruptions in its online banking service. By early evening, however, many customers still had the problem.
https://www.iltalehti.fi/kotimaa/a/75b7e51a-1f3e-436c-97f6-47799d7a0ed6?fbclid=IwAR07piTPptKNsKcGcv28Op19lt3VAFPDURkthTYnYTvd2ZbKc6dilq6d3dU
Tomi Engdahl says:
Barracuda ESG Zero-Day Vulnerability (CVE-2023-2868) Exploited Globally by Aggressive and Skilled Actor, Suspected Links to China https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
The sections that follow provide the technical details uncovered by Barracuda and Mandiant over the course of the investigation to include initial exploitation of the ESG appliance, the malware deployed, as well as UNC4841’s shift in tactics, techniques and procedures (TTPs) in response to Barracuda’s remediation efforts. The post concludes with Mandiant’s initial assessment on attribution, and provides hardening, remediation and hunting recommendations for organizations impacted.
Barracuda Email Security Gateway Appliance (ESG) Vulnerability https://www.barracuda.com/company/legal/esg-vulnerability
While our investigation is still ongoing, Barracuda now has a more comprehensive understanding of the incident, including that exploitation occurred on a subset of compromised Barracuda Email Security Gateway (ESG) appliances by an aggressive and highly skilled actor conducting targeted activity which, as reported by Mandiant, has suspected links to China.
Consistent with our previous updates, we are sharing additional technical details to support our customers and partners. We are also publishing additional indicators of compromise that organizations can leverage for their network defenses.
Tomi Engdahl says:
Exclusive: US government agencies hit in global cyberattack https://edition.cnn.com/2023/06/15/politics/us-government-hit-cybeattack/index.html
The US Cybersecurity and Infrastructure Security Agency “is providing support to several federal agencies that have experienced intrusions affecting their MOVEit applications,” Eric Goldstein, the agency’s executive assistant director for cybersecurity, said in a statement on Thursday to CNN, referring to the software impacted. “We are working urgently to understand impacts and ensure timely remediation.”
—
Clop ransomware gang starts extorting MOVEit data-theft victims https://www.bleepingcomputer.com/news/security/clop-ransomware-gang-starts-extorting-moveit-data-theft-victims/
The Clop ransomware gang has started extorting companies impacted by the MOVEit data theft attacks, first listing the companies’ names on a data leak site—an often-employed tactic before public disclosure of stolen information.
These entries come after the threat actors exploited a zero-day vulnerability in the MOVEit Transfer secure file transfer platform on May 27th to steal files stored on the server.
The Clop gang took responsibility for the attacks, claiming to have breached “hundreds of companies” and warning that their names would be added to a data leak site on June 14th if negotiations did not occur.
Tomi Engdahl says:
Oil and gas giant Shell confirms it was impacted by Clop ransomware attacks https://therecord.media/shell-impacted-in-clop-ransomware-attack
Shell confirmed on Thursday it had been impacted by the Clop ransomware gang’s breach of the MOVEit file transfer tool after the group listed the British oil and gas multinational on its extortion site.
Tomi Engdahl says:
Hijacking S3 Buckets: New Attack Technique Exploited in the Wild by Supply Chain Attackers https://checkmarx.com/blog/hijacking-s3-buckets-new-attack-technique-exploited-in-the-wild-by-supply-chain-attackers/
Without altering a single line of code, attackers poisoned the NPM package “bignum” by hijacking the S3 bucket serving binaries necessary for its function and replacing them with malicious ones. While this specific risk was mitigated, a quick glance through the open-source ecosystem reveals that dozens of packages are vulnerable to this same attack.
Tomi Engdahl says:
Android GravityRAT goes after WhatsApp backups https://www.welivesecurity.com/2023/06/15/android-gravityrat-goes-after-whatsapp-backups/
ESET researchers analyzed an updated version of Android GravityRAT spyware that steals WhatsApp backup files and can receive commands to delete files.
Tomi Engdahl says:
Android Malware Impersonates ChatGPT-Themed Applications https://unit42.paloaltonetworks.com/android-malware-poses-as-chatgpt/
Unit 42 researchers have observed a surge of malware written for the Android platform that is attempting to impersonate the popular ChatGPT application.
These malware variants emerged along with the release by OpenAI of GPT-3.5, followed by GPT-4, infecting victims interested in using the ChatGPT tool.
Here, we provide an in-depth analysis of two types of currently active malware clusters. The first cluster is a Meterpreter Trojan disguised as a “SuperGPT” app. The second is a “ChatGPT” app that sends short-text messages to premium-rate numbers in Thailand, resulting in charges for the victim that are pocketed by the threat actor.
Tomi Engdahl says:
https://www.securityweek.com/new-moveit-vulnerabilities-found-as-more-zero-day-attack-victims-come-forward/
Tomi Engdahl says:
Cyberwarfare
Barracuda Zero-Day Attacks Attributed to Chinese Cyberespionage Group
Attacks exploiting the Barracuda zero-day CVE-2023-2868 have been linked to a Chinese cyberespionage group that has targeted government and other organizations.
https://www.securityweek.com/barracuda-zero-day-attacks-attributed-to-chinese-cyberespionage-group/
Tomi Engdahl says:
Cloud Security
XSS Vulnerabilities in Azure Led to Unauthorized Access to User Sessions
https://www.securityweek.com/xss-vulnerabilities-in-azure-led-to-unauthorized-access-to-user-sessions/
Microsoft addressed two cross-site scripting (XSS) vulnerabilities in Azure Bastion and Azure Container Registry (ACR) leading to unauthorized access to user sessions.
Tomi Engdahl says:
OT Security Firm Shift5 Adds $33 Million in Funding
Shift5 has now raised $108 million in funding to bring cybersecurity to OT within fleet vehicles: planes and boats and trains – and military vehicles and weapon systems.
https://www.securityweek.com/ot-security-firm-shift5-adds-33-million-in-funding/
Tomi Engdahl says:
IoT Security
New Research Shows Potential of Electromagnetic Fault Injection Attacks Against Drones
https://www.securityweek.com/new-research-shows-potential-of-electromagnetic-fault-injection-attacks-against-drones/
New research conducted by IOActive shows the potential of electromagnetic fault injection (EMFI) attacks against drones.
Tomi Engdahl says:
Cyberwarfare
Chinese Cyberspies Caught Exploiting VMware ESXi Zero-Day
https://www.securityweek.com/chinese-cyberspies-caught-exploiting-vmware-esxi-zero-day/
Mandiant has observed a Chinese cyberespionage group exploiting a VMware ESXi zero-day vulnerability for privilege escalation.
Tomi Engdahl says:
Vulnerabilities
Hundreds of Thousands of eCommerce Sites Impacted by Critical Plugin Vulnerability
Hundreds of thousands of ecommerce sites are impacted by a critical vulnerability in the WooCommerce Stripe Payment Gateway plugin.
https://www.securityweek.com/hundreds-of-thousands-of-ecommerce-sites-impacted-by-critical-plugin-vulnerability/
Tomi Engdahl says:
Microsoft Patches Critical Windows Vulns, Warns of Code Execution Risks
Patch Tuesday: Microsoft ships updates for at least 70 documented vulnerabilities affecting the Windows ecosystem.
https://www.securityweek.com/microsoft-patches-critical-windows-vulns-warn-of-code-execution-risks/