This posting is here to collect cyber security news in July 2023.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
183 Comments
Tomi Engdahl says:
https://www.securityweek.com/former-contractor-employee-charged-for-hacking-california-water-treatment-facility/
Tomi Engdahl says:
https://www.securityweek.com/in-other-news-healthcare-product-flaws-free-email-security-testing-new-attack-techniques/
Details disclosed for Siemens vulnerabilities that could threaten power grids
SEC Consult has published a technical advisory for several vulnerabilities affecting Siemens’ Sicam A8000 remote terminal units (RTUs), including a critical flaw that could allow malicious hackers to destabilize a power grid.
Multiple Vulnerabilities including Unauthenticated Remote Code Execution in Siemens A8000
https://sec-consult.com/vulnerability-lab/advisory/multiple-vulnerabilities-siemens-a8000/
The Siemens A8000 CP-8050 and CP-8031 PLCs are affected by an unauthenticated Remote Code Execution (RCE) vulnerability. By sending a crafted HTTP request to the Siemens Toolbox II port 80/443, arbitrary commands can be executed without any authentication. This will lead to a full compromise of the device and may affect its operation. Furthermore, any user with access to the SICAM WEB interface can inject system commands executed as “root” via the Ethernet package capture diagnostic feature. Also a “root” password hash is hard-coded on all devices.
https://www.securityweek.com/critical-siemens-rtu-vulnerability-could-allow-hackers-to-destabilize-power-grid/
Tomi Engdahl says:
Cybercrime
After Zero-Day Attacks, MOVEit Turns to Security Service Packs
https://www.securityweek.com/after-zero-day-attacks-moveit-turns-to-security-service-packs/
Facing ransomware zero-days, Progress Software will release regular service packs to help customers mitigate critical security flaws.
Tomi Engdahl says:
Shell Confirms MOVEit-Related Breach After Ransomware Group Leaks Data
Shell confirms that employee personal information has been stolen after the Cl0p ransomware group leaked data allegedly stolen from the energy giant.
https://www.securityweek.com/shell-confirms-moveit-related-breach-after-ransomware-group-leaks-data/
Tomi Engdahl says:
https://www.securityweek.com/japans-nagoya-port-suspends-cargo-operations-following-ransomware-attack/
Tomi Engdahl says:
Vulnerability in Cisco Enterprise Switches Allows Attackers to Modify Encrypted Traffic
https://www.securityweek.com/vulnerability-in-cisco-enterprise-switches-allows-attackers-to-modify-encrypted-traffic/
Cisco says a high-severity vulnerability in Nexus 9000 series switches could allow attackers to intercept and modify encrypted traffic.
Tomi Engdahl says:
https://www.securityweek.com/interpol-alleged-member-of-major-cybercrime-group-arrested-in-africa/
Tomi Engdahl says:
StackRot Linux Kernel Vulnerability Shows Exploitability of UAFBR Bugs
https://www.securityweek.com/stackrot-linux-kernel-vulnerability-shows-exploitability-of-uafbr-bugs/
A new Linux kernel vulnerability tracked as StackRot and CVE-2023-3269 shows the exploitability of use-after-free-by-RCU (UAFBR) bugs.
A researcher has disclosed a Linux kernel vulnerability that he claims is the first to demonstrate that a type of bug called use-after-free-by-RCU (UAFBR) is exploitable.
The vulnerability, named StackRot and officially tracked as CVE-2023-3269, was reported to Linux kernel developers on June 15 by researcher Ruihan Li.
The flaw has been present in the kernel since version 6.1 and patches were made available on July 1 with the release of versions 6.1.37, 6.3.11 and 6.4.1.
The researcher made public some information on StackRot this week, but a complete exploit and a detailed write-up are expected to be released at the end of July.
According to the researcher, the issue impacts the memory management subsystem and it can allow an unprivileged local user to compromise the kernel and escalate privileges.
StackRot (CVE-2023-3269): Linux kernel privilege escalation vulnerability
https://github.com/lrh2000/StackRot#stackrot-cve-2023-3269-linux-kernel-privilege-escalation-vulnerability
Tomi Engdahl says:
https://www.securityweek.com/shell-confirms-moveit-related-breach-after-ransomware-group-leaks-data/
Tomi Engdahl says:
https://www.securityweek.com/28000-impacted-by-data-breach-at-pepsi-bottling-ventures/
Tomi Engdahl says:
Android Security Updates Patch 3 Exploited Vulnerabilities
https://www.securityweek.com/android-security-updates-patches-3-exploited-vulnerabilities/
Google’s July 2023 security updates for Android patch 43 vulnerabilities, including three exploited in the wild.
Security updates that Google released this week for Android resolve 43 vulnerabilities, including three that have been exploited in attacks.
The exploited flaws, tracked as CVE-2023-2136, CVE-2023-26083, and CVE-2021-29256, impact Android’s System and Arm Mali components.
The internet giant says “there are indications” that these security defects “may be under limited, targeted exploitation”.
CVE-2023-2136 was disclosed in April as a zero-day vulnerability in the Chrome browser, and is described as an integer overflow issue in Skia.
Tomi Engdahl says:
JumpCloud Says All API Keys Invalidated to Protect Customers
https://www.securityweek.com/jumpcloud-says-all-api-keys-invalidated-to-protect-customers/
JumpCloud is responding to an incident that has triggered a reset of all API keys in order to protect customers and their operations.
Tomi Engdahl says:
https://thehackernews.com/2023/07/researchers-uncover-new-linux-kernel.html
Tomi Engdahl says:
Application Security
Truebot Hackers Exploiting Netwrix Auditor Flaw: CISA, FBI Alert
Hackers linked to the Truebot malware are exploiting a year-old Netwrix Auditor flaw to break into organizations in the U.S. and Canada.
https://www.securityweek.com/cisa-fbi-warning-truebot-hackers-exploiting-netwrix-auditor-flaw/
Tomi Engdahl says:
Hackers launched a wave of cyberattacks on Lithuania
https://www.is.fi/digitoday/art-2000009709911.html
Lithuania has been hit by a wave of cyberattacks on the eve of the NATO summit, the Lithuanian government says. NATO leaders are due to gather in the Lithuanian capital Vilnius tomorrow.
– Even at this moment our country is being targeted by distributed denial-of-service attacks, Liudas Alisauskas, head of Lithuania’s National Cyber Security Centre, told reporters.
The cyberattacks target the City of Vilnius websites, including the tourist information site and the public transport app.
Tomi Engdahl says:
RomCom Threat Actor Suspected of Targeting Ukraine’s NATO Membership Talks at the NATO Summit
https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
On July 4, the BlackBerry Threat Research and Intelligence team found two malicious documents submitted from an IP address in Hungary, sent as lures to an organization supporting Ukraine abroad, and a document targeting upcoming NATO Summit guests who may also be providing support to Ukraine.
Our analysis based on the tactics, techniques, and procedures (TTPs), code similarity, and threat actor network infrastructure leads us to conclude that the threat actor known as RomCom is likely behind this operation.
Based on our internal telemetry, network data analysis, and the full set of cyber weapons we collected, we believe the threat actor behind this campaign ran their first drills on June 22, and also a few days before the command-and-control (C2) mentioned in this report was registered and went live.
Tomi Engdahl says:
Razer investigates data breach claims, resets user sessions
https://www.bleepingcomputer.com/news/security/razer-investigates-data-breach-claims-resets-user-sessions/
Gaming gear company Razer reacted to recent rumors of a massive data breach with a short statement on Twitter, letting users know that they started an investigation into the matter.
Razer is a popular American-Singaporean tech firm focusing on gaming hardware, selling high-quality peripherals, powerful laptops, and apparel.
Information about a potential data breach at the company emerged on Saturday, when someone posted on a hacker forum that they had stolen the source code, database, encryption keys, and backend access logins for Razer.com, the company’s main website.
Cybersecurity analysts at FalconFeedsio spotted the announcement on the hacker forum and shared with the public. Replying to the tweet, Razer said that it was looking into the potential incident by starting an investigation.
Tomi Engdahl says:
Genesis Market gang tries to sell platform after FBI disruption
https://therecord.media/genesis-market-fraud-platform-for-sale-dark-web
The criminals behind the cyber fraud platform Genesis Market are attempting to sell their enterprise almost three months on from an FBI-led operation that seized their clear web domains and added the platform to the U.S. Treasury’s sanctions list.
An account that appears to be associated with Genesis Market’s operators has made several posts across darknet hacking forums to advertise the sale. The posts, which were made on June 28, have not previously been reported.
Back in April, within the first 24 hours of the platform’s clear web domains being replaced by police splash pages, international law enforcement agencies announced the arrests of almost 120 people globally who had been using the platform to commit fraud.
Tomi Engdahl says:
Apple Ships Urgent iOS Patch for WebKit Zero-Day
https://www.securityweek.com/apple-ships-urgent-ios-patch-for-webkit-zero-day/
Apple rolls out urgent iOS and iPadOS software updates and warned that zero-day exploitation has already been detected.
Apple on Monday rolled out an urgent software update to its iOS and iPadOS mobile operating systems and warned that zero-day exploitation has already been detected.
For the second time since adopting the “rapid security responses” process to address zero-day attacks, Apple pushed iOS 16.5.1 (a) and iPadOS 16.5.1 (a) to devices globally after an anonymous researcher disclosed the underlying vulnerability.
A barebones advisory from Cupertino said the security defect exists in WebKit, the browser engine used by Safari, Mail, AppStore and many other apps on iOS- and macOS-powered devices.
“Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited,” the company said. “The issue was addressed with improved checks.”
The vulnerability has been tagged as CVE-2023-37450.
https://support.apple.com/en-us/HT213823
Tomi Engdahl says:
Exploit Code Published for Remote Root Flaw in VMware Logging Software
https://www.securityweek.com/exploit-code-published-for-remote-root-flaw-in-vmware-logging-software/
VMware confirmed that exploit code for CVE-2023-20864 has been published, underscoring the urgency for enterprise network admins to apply available patches.
Virtualization technology giant VMware on Monday warned that exploit code has been publicly released for a pre-authentication remote code execution flaw in its enterprise-facing VMware Aria Operations for Logs product.
In an update to a critical-level advisory originally released in April this year, VMware said it has confirmed that exploit code for CVE-2023-20864 has been published, underscoring the urgency for enterprise network admins to apply available patches.
The vulnerability, which carries a CVSS severity score of 9.8 out of 10, allows an unauthenticated, malicious actor with network access to VMware Aria Operations to execute arbitrary code as root, VMware said in its documentation of the CVE-2023-20864 flaw.
VMware Aria Operations for Logs, (formerly vRealize Log Insight), is a centralized log management tool that promises operational visibility and analytics for troubleshooting and auditing data flowing through private, hybrid and multi-cloud environments.
Tomi Engdahl says:
TPG to Acquire Forcepoint’s Government Cybersecurity Business Unit
https://www.securityweek.com/tpg-to-acquire-forcepoints-government-cybersecurity-business-unit/
Private equity giant plans to buy Forcepoint’s Global Governments and Critical Infrastructure (G2CI) business unit for $2.5 billion.
Private equity giant TPG on Monday announced plans to acquire Forcepoint’s Global Governments and Critical Infrastructure (G2CI) business unit in a deal reportedly valued in the range of $2.5 billion.
The Global Governments and Critical Infrastructure (G2CI) business, created in 2018 to serve as Forcepoint’s government cybersecurity unit, will be spun out as an independent entity pushing the company’s data-first SASE offering with new capabilities and third-party integrations.
The two sides did not officially put a price tag on the deal but the Wall Street Journal pegged the transaction in the range of $2.45 billion, more than double what Francisco Partners paid for Forcepoint in 2021.
Tomi Engdahl says:
Critical Infrastructure Services Firm Ventia Takes Systems Offline Due to Cyberattack
https://www.securityweek.com/critical-infrastructure-services-firm-ventia-takes-systems-offline-due-to-cyberattack/
Critical infrastructure services provider Ventia has taken some systems offline following a cyberattack.
Critical infrastructure services provider Ventia over the weekend announced that it has taken some of its systems offline to contain a cyberattack.
Ventia provides long-term management, maintenance, and operations services for critical infrastructure organizations and for private entities across the defense, electricity and gas, environmental services, and water industries.
The company says it operates more than 400 sites in Australia and New Zealand, with a combined employee base of over 35,000.
Tomi Engdahl says:
Honeywell Boosting OT Cybersecurity Offering With Acquisition of SCADAfence
https://www.securityweek.com/honeywell-boosting-ot-cybersecurity-offering-with-acquisition-of-scadafence/
Industrial giant Honeywell wants to extend its OT cybersecurity portfolio with the acquisition of Israel-based OT/IoT security firm SCADAfence.
Industrial giant Honeywell wants to extend its operational technology (OT) cybersecurity portfolio with the acquisition of Tel Aviv, Israel-based OT and IoT security firm SCADAfence.
Honeywell has agreed to acquire SCADAfence for an undisclosed amount and plans on integrating its solutions into the company’s Forge Cybersecurity+ suite. The deal is expected to close in the second half of the year.
SCADAfence provides manufacturing and critical infrastructure organizations with solutions for OT network protection, including threat detection, asset visibility, remote access, traffic analysis, vulnerability management, threat intelligence, and governance.
Tomi Engdahl says:
PoC Exploit Published for Recent Ubiquiti EdgeRouter Vulnerability
https://www.securityweek.com/poc-exploit-published-for-recent-ubiquiti-edgerouter-vulnerability/
PoC exploit has been published for a recently patched Ubiquiti EdgeRouter vulnerability leading to arbitrary code execution.
A recently patched vulnerability in Ubiquiti EdgeRouter and AirCube devices could be exploited to execute arbitrary code, vulnerability reporting firm SSD Secure Disclosure warns.
Tracked as CVE-2023-31998, the issue is described as a heap overflow vulnerability that can be exploited over a LAN connection.
According to Ubiquiti, an attacker exploiting this bug may interrupt UPnP service to a vulnerable device.
An SSD Secure Disclosure advisory notes that the vulnerability resides in the MiniUPnPd service of the impacted devices and that LAN attackers may exploit it “to overflow an internal heap and potentially execute arbitrary code”.
SSD Secure Disclosure, which provides technical details on the vulnerability itself, reveals that proof-of-concept (PoC) code targeting the issue is also available, but that it targets the bug on Ubiquiti EdgeRouterX devices, which are also impacted.
https://community.ui.com/releases/Security-Advisory-Bulletin-033-033/17f7c7c0-830b-4625-a2ee-e90e514e7b0f
https://ssd-disclosure.com/ssd-advisory-edgerouters-and-aircube-miniupnpd-heap-overflow/
Tomi Engdahl says:
Critical Vulnerability Can Allow Takeover of Mastodon Servers
https://www.securityweek.com/critical-vulnerability-can-allow-takeover-of-mastodon-servers/
A critical vulnerability in the Mastodon social networking platform may allow attackers to take over target servers.
A critical vulnerability in the decentralized social networking platform Mastodon could be exploited to take over servers.
The issue was disclosed last week, when Mastodon announced patches for five vulnerabilities in the open source software, including two rated ‘critical’.
The most important of these is CVE-2023-36460 (CVSS score of 9.9), an arbitrary file creation issue that could lead to complete server compromise.
“Using carefully crafted media files, attackers can cause Mastodon’s media processing code to create arbitrary files at any location. This allows attackers to create and overwrite any file Mastodon has access to, allowing denial-of-service and arbitrary remote code execution,” Mastodon notes in an advisory.
https://github.com/mastodon/mastodon/security/advisories
Arbitrary file creation through media attachments
https://github.com/mastodon/mastodon/security/advisories/GHSA-9928-3cp5-93fm
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/microsoft-unpatched-office-zero-day-exploited-in-nato-summit-attacks/
Tomi Engdahl says:
In Defcon First, Hackers Will Test an Orbiting Satellite’s Defenses
Previous competitions have involved satellites that weren’t in orbit, but this is the real deal.
https://www.extremetech.com/defense/in-defcon-first-hackers-will-test-an-orbiting-satellites-defenses
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/vmware-warns-of-exploit-available-for-critical-vrealize-rce-bug/
Tomi Engdahl says:
https://thehackernews.com/2023/07/apple-issues-urgent-patch-for-zero-day.html
Tomi Engdahl says:
https://arstechnica.com/security/2023/07/hackers-exploit-gaping-windows-loophole-to-give-their-malware-kernel-access/
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/critical-tootroot-bug-lets-attackers-hijack-mastodon-servers/
Tomi Engdahl says:
https://www.darkreading.com/endpoint/moveit-transfer-another-critical-data-theft-bug?fbclid=IwAR3DURn7WF5mrkEHFuJrl4RX7tqMPAppi7l8NW60b1IkzFiA3rfjEC1jAJo
Tomi Engdahl says:
https://www.darkreading.com/perimeter/microsoft-teams-exploit-toll-autodeliver-malware
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-bug-behind-windows-lsa-protection-warnings-again/
Tomi Engdahl says:
https://www.windowscentral.com/software-apps/edge-sending-visited-url-to-bing-microsoft-responds
Tomi Engdahl says:
https://www.malwarebytes.com/blog/news/2023/07/brave-browser-will-prevent-websites-from-port-scanning-visitors
Tomi Engdahl says:
https://www.iltalehti.fi/ulkomaat/a/2bead526-95fc-4647-b34e-b918c021ba4d
Typo sends millions of US military emails to Russian ally Mali
https://www.bbc.com/news/world-us-canada-66226873
Tomi Engdahl says:
OPENSSH HAS AN RCE
But don’t panic. Yes, there’s an RCE. And yes it bypasses Address Space Layout Randomization, Position Independent Executables, and the No eXecute bit. The good news is that it’s only reachable by going back down an SSH connection that has ssh-agent forwarding enabled.
Well now we have yet another reason not to do ssh-agent forwarding. The core observation made by researchers at Qualys was that the remote machine can trigger a load and unload of all the shared libraries in the /usr/lib* folders. And notably, those libraries load in the context of the ssh-agent application, which is not the intended behavior of many of those libraries. The question then becomes, what mischief can be had with just those two primitives?
It’s brilliant, and thankfully a very narrow window of exposure for most of us. The flaw was fixed in an update of OpenSSH this Wednesday. The broader suggestion is to avoid using ssh-agent forwarding, and instead use ssh jump hosts. Or there’s always ssh port forwarding.
https://hackaday.com/2023/07/21/this-week-in-security-dating-app-woocommerce-and-openssh/
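An added defensive check for the agent-forwarding advice above (example code, not part of the original post or of OpenSSH): it parses an ssh_config, resolves the effective ForwardAgent setting per host using ssh's first-match rule, and reports hosts that still forward the agent. The config text is constructed, and fnmatch stands in for ssh's own pattern matching (negated patterns and Match blocks are not handled).

```python
"""Audit an ssh_config for hosts that end up with agent forwarding enabled.

Added example for the OpenSSH item above; it is not Qualys's or OpenSSH's code. The config
text is constructed, and fnmatch is a simplification of ssh's own globbing (negated
"!pattern" entries and Match blocks are not handled).
"""
from fnmatch import fnmatch

# Constructed sample: note the trailing "Host *" block, which silently turns forwarding on
# for every host that does not set ForwardAgent itself.
SAMPLE_CONFIG = """
Host bastion
    HostName bastion.example.net
    ForwardAgent yes

Host app-*
    ProxyJump bastion
    ForwardAgent no

Host *
    ForwardAgent yes
"""


def parse_blocks(text: str) -> list:
    """Return [(patterns, {option: value})] in file order.

    Options written before any Host line go into a leading block that matches every host,
    which is how ssh treats them.
    """
    blocks = [(["*"], {})]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)  # accept "Key value" and "Key=value"
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            blocks.append((value.split(), {}))
        else:
            blocks[-1][1].setdefault(key, value)
    return blocks


def effective_options(blocks: list, hostname: str) -> dict:
    """ssh semantics: for each option, the first matching block's value wins."""
    result = {}
    for patterns, options in blocks:
        if any(fnmatch(hostname, p) for p in patterns):
            for key, value in options.items():
                result.setdefault(key, value)
    return result


def audit_agent_forwarding(text: str, hostnames: list) -> list:
    """Return (hostname, has_proxyjump) for each host whose effective ForwardAgent is yes."""
    blocks = parse_blocks(text)
    findings = []
    for host in hostnames:
        opts = effective_options(blocks, host)
        if opts.get("forwardagent", "no").lower() == "yes":
            findings.append((host, "proxyjump" in opts))
    return findings


if __name__ == "__main__":
    for host, jump in audit_agent_forwarding(SAMPLE_CONFIG, ["bastion", "app-1", "db-1"]):
        hint = "already uses ProxyJump" if jump else "consider ProxyJump instead"
        print(f"{host}: ForwardAgent yes ({hint})")
```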
Tomi Engdahl says:
https://trufflesecurity.com/blog/introducing-forager/
Forager: Browse Millions of Leaked API keys Found With TruffleHog
Tomi Engdahl says:
WOOCOMMERCE UNDER SIEGE
Back in March, CVE-2023-28121 was fixed in the WooCommerce plugin for WordPress. The issue here is an authentication bypass that allows an unauthenticated user to commandeer other user accounts.
Within a few months, working exploits had been derived from the details of the patch plugging the hole. It wasn’t hard. A function for determining the current user was explicitly trusting the contents of the X-WCPAY-PLATFORM-CHECKOUT-USER request header. Set that value in a request sent to the server, and ding, you’re administrator.
https://hackaday.com/2023/07/21/this-week-in-security-dating-app-woocommerce-and-openssh/
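As an added example (not WooCommerce code or the original post's), the detection and edge-side mitigation a site operator would want for the header trust described above: scan a constructed reverse-proxy JSON log for requests carrying X-WCPAY-PLATFORM-CHECKOUT-USER and strip the header before it reaches WordPress. The log format and IP addresses are constructed for the demonstration.

```python
"""Flag and strip the X-WCPAY-PLATFORM-CHECKOUT-USER header at the edge.

Added example for the CVE-2023-28121 item above; this is not WooCommerce code. It assumes a
reverse proxy that logs one JSON object per request including the request headers (a
constructed format), and it treats every client-supplied copy of the header as a finding:
whether some trusted upstream legitimately sends it is an assumption to confirm per deployment.
"""
import json

# Header name quoted in the write-up above; the vulnerable code trusted it as the user identity.
IDENTITY_HEADER = "x-wcpay-platform-checkout-user"

# Constructed sample proxy log: three requests, one carrying the header from an external client.
SAMPLE_LOG = "\n".join(json.dumps(rec) for rec in [
    {"ts": "2023-07-21T10:00:01Z", "src": "203.0.113.7", "method": "GET",
     "path": "/wp-json/wc/v3/products", "headers": {"User-Agent": "curl/8.0"}},
    {"ts": "2023-07-21T10:00:05Z", "src": "198.51.100.9", "method": "POST",
     "path": "/wp-json/wc/store/v1/checkout",
     "headers": {"User-Agent": "python-requests/2.31", "X-WCPAY-PLATFORM-CHECKOUT-USER": "1001"}},
    {"ts": "2023-07-21T10:00:09Z", "src": "192.0.2.4", "method": "POST",
     "path": "/wp-json/wp/v2/users", "headers": {"Cookie": "wordpress_logged_in_x=<redacted>"}},
])


def header_lookup(headers: dict) -> dict:
    """Copy of the header map keyed by lower-cased names; HTTP header names are case-insensitive."""
    return {name.lower(): value for name, value in headers.items()}


def find_identity_header_abuse(log_text: str) -> list:
    """Return one finding per logged request that carries the identity header."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        rec = json.loads(line)
        headers = header_lookup(rec.get("headers", {}))
        if IDENTITY_HEADER in headers:
            findings.append({"line": lineno, "src": rec.get("src"), "path": rec.get("path"),
                             "claimed_user": headers[IDENTITY_HEADER]})
    return findings


def strip_identity_header(headers: dict) -> dict:
    """Edge-side compensating control: drop the header before the request reaches WordPress.

    This narrows exposure until the plugin is updated; it does not replace the patch.
    """
    return {name: value for name, value in headers.items() if name.lower() != IDENTITY_HEADER}


if __name__ == "__main__":
    for f in find_identity_header_abuse(SAMPLE_LOG):
        print(f"line {f['line']}: {f['src']} sent {IDENTITY_HEADER}={f['claimed_user']!r} to {f['path']}")
```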
Tomi Engdahl says:
This is why open standards are important
Code Kept Secret for Years Reveals Its Flaw—a Backdoor
https://www.wired.com/story/tetra-radio-encryption-backdoor/?fbclid=IwAR3Q3O0gNHvfW0NCRR8dIKM_JODbjPqAxf8qvdPdRcKi-mmPJvDy3emnT0o
A secret encryption cipher baked into radio systems used by critical infrastructure workers, police, and others around the world is finally seeing sunlight. Researchers say it isn’t pretty.
The backdoor, known for years by vendors that sold the technology but not necessarily by customers, exists in an encryption algorithm baked into radios sold for commercial use in critical infrastructure. It’s used to transmit encrypted data and commands in pipelines, railways, the electric grid, mass transit, and freight trains. It would allow someone to snoop on communications to learn how a system
Tomi Engdahl says:
‘ChatGPT’s evil twin’ WormGPT is devoid of morals and just €60 a month on the darkweb
By Katie Wickens published 19 July 2023
Cybersecurity expert at NordVPN issues warnings over the new darkweb AI chatbot phenomenon.
https://www.pcgamer.com/chatgpts-evil-twin-wormgpt-is-devoid-of-morals-and-just-dollar60-a-month-on-the-darkweb/
Tomi Engdahl says:
New MLS protocol provides groups better and more efficient security at Internet scale
18 Jul 2023
https://www.ietf.org/blog/mls-protocol-published/?fbclid=IwAR1epnu5CHpS62bW3DAs-J4pyyHfo2TMyvQcYiDzsoY8-DukkzHUg7k8eoM
The core specification for Messaging Layer Security (MLS), which is already making it easy for apps to provide the highest level of end-to-end security for their users, has been published as an RFC.
MLS provides unsurpassed security and privacy for users of group communications applications. Using MLS, participants always know which other members of a group will receive the messages they send, and the validity of new participants joining a group is verified by all the other participants. During its development in the IETF, MLS underwent formal security analysis and industry review. It currently supports multiple ciphersuites, and makes it straightforward to add quantum attack resistant ciphersuites in the future.
The open processes and “running code” that are hallmarks of the IETF, mean that MLS is already proven to be efficient at Internet scale, working efficiently with groups that have thousands of participants.
MLS is either already available from—or soon will be implemented and deployed by—a wide range of companies and organizations, including:
AWS
Cisco
Cloudflare
Google
The Matrix.org Foundation
Meta
Mozilla
Phoenix R&D
Wire
MLS is also extensible, meaning it can be easily updated in a number of ways.
RFC 9420
The Messaging Layer Security (MLS) Protocol
https://www.rfc-editor.org/rfc/rfc9420.html
Tomi Engdahl says:
Critical TootRoot bug lets attackers hijack Mastodon servers
https://www.bleepingcomputer.com/news/security/critical-tootroot-bug-lets-attackers-hijack-mastodon-servers/
Tomi Engdahl says:
https://www.cyfirma.com/outofband/html-smuggling-a-stealthier-approach-to-deliver-malware/?fbclid=IwAR08bgHWblmwhDf_oYrPC-P8Ss46s4WYj9kMqOSeKH9iwPq0I0bLU1BfDAI
Tomi Engdahl says:
Microsoft breach only seems to get worse – Chinese attackers may have gained access to Teams and OneDrive as well
24.7.2023 18:36
Microsoft has denied the claims and says it has revoked the key’s authorizations. The lack of transparency, however, undermines certainty.
https://www.mikrobitti.fi/uutiset/microsoft-murto-tuntuu-vain-pahenevan-kiinalaiset-hyokkaajat-saattoivat-saada-paasyn-myos-teamsiin-ja-onedriveen/e16131de-0d61-4bb2-bf03-d89c8b162c3d
Microsoft reported the week before last that attackers with Chinese backgrounds had gained access to the Outlook accounts of various organizations. These organizations included numerous U.S. government departments and officials, such as U.S. Ambassador to China Nicholas Burns, U.S. Assistant Secretary of State for Asia Daniel Kritenbrink, and Commerce Secretary Gina Raimondo.
According to Microsoft, the attack used forged access tokens that had been created using its genuine MSA cryptographic key. Microsoft refers to the attackers by the identifier Storm-0558, and the group is believed to have links to Chinese state intelligence services.
According to Tamari, the MSA key used by the attackers could also have been used to create access tokens for other Azure Active Directory applications. These include all Microsoft applications that use OpenID v2.0 access tokens; besides Outlook, these are SharePoint, OneDrive and Teams.
Stolen Microsoft key may have opened up a lot more than US govt email inboxes
How does the Azure giant come back from this?
https://www.theregister.com/2023/07/21/microsoft_key_skeleton/
A stolen Microsoft security key may have allowed Beijing-backed spies to break into a lot more than just Outlook and Exchange Online email accounts.
Incredibly as it sounds, and it really does deserve wider coverage, someone somehow obtained one of Microsoft’s internal private cryptographic keys used to digitally sign access tokens for its online services. With that key, the snoops were able to craft tokens to grant them access to Microsoft customers’ email systems and, crucially, sign those access tokens as the Windows giant to make it look as though they were legitimately issued.
With those golden tokens in hand, the snoops – believed to be based in China – were able to log into Microsoft cloud email accounts used by US government officials, including US Commerce Secretary Gina Raimondo. The cyber-trespassing was picked up by a federal government agency, which raised the alarm.
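Added example for the forged-token discussion in this comment (not Microsoft's, Wiz's or the article's code): a token validator that scopes signing keys to the issuer it expects and honours key revocation, shown beside the weak pooled-key pattern that accepts a signature from any trusted key. HMAC-SHA256, the issuer URLs, key ids and keys are all constructed stand-ins.

```python
"""Issuer-scoped key lookup and key revocation for access-token validation.
Added example for the Storm-0558 discussion above; not Microsoft's or Wiz's code. HMAC-SHA256
stands in for real tokens' asymmetric signatures; every key, issuer, audience and claim is constructed.
"""
import base64, hashlib, hmac, json

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_token(claims: dict, kid: str, key: bytes) -> str:
    """Mint a compact header.payload.signature token that names its signing key by kid."""
    header = _b64url(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

# Constructed key material: one signing key per issuer, registered per issuer. A validator
# must consult only the set for the issuer it expects; a key that is legitimate for another
# issuer is simply unknown here and therefore cannot mint tokens that this service accepts.
CONSUMER_KEY = b"constructed-consumer-signing-key"
ENTERPRISE_KEY = b"constructed-enterprise-signing-key"
CONSUMER_ISS = "https://login.example/consumer"
ENTERPRISE_ISS = "https://login.example/enterprise"
KEYS_BY_ISSUER = {CONSUMER_ISS: {"consumer-kid-1": CONSUMER_KEY},
                  ENTERPRISE_ISS: {"enterprise-kid-1": ENTERPRISE_KEY}}

class TokenError(Exception):
    pass

def _split(token: str):
    """Return (h_b64, p_b64, s_b64, header, claims); raise TokenError if malformed."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        return h_b64, p_b64, s_b64, json.loads(_b64url_decode(h_b64)), json.loads(_b64url_decode(p_b64))
    except ValueError as exc:  # bad split, bad base64 and bad JSON all derive from ValueError
        raise TokenError("malformed token") from exc

def _check_sig(key: bytes, h_b64: str, p_b64: str, s_b64: str) -> None:
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise TokenError("bad signature")

def validate_any_key(token: str, audience: str, now: float) -> dict:
    """The weak pattern: all trusted keys are pooled, so any valid signature is accepted
    regardless of whether that key belongs to the issuer the token claims."""
    h_b64, p_b64, s_b64, header, claims = _split(token)
    pooled = {kid: key for keys in KEYS_BY_ISSUER.values() for kid, key in keys.items()}
    key = pooled.get(header.get("kid"))
    if key is None:
        raise TokenError("unknown kid")
    _check_sig(key, h_b64, p_b64, s_b64)
    if claims.get("aud") != audience or claims.get("exp", 0) <= now:
        raise TokenError("audience or expiry check failed")
    return claims

def validate_token(token, issuer, audience, now, revoked_kids=frozenset()) -> dict:
    """Strict validation: issuer-scoped key lookup, kid revocation, audience and expiry."""
    h_b64, p_b64, s_b64, header, claims = _split(token)
    if claims.get("iss") != issuer:
        raise TokenError("issuer mismatch")
    kid = header.get("kid")
    if kid in revoked_kids:  # compromised keys are refused even when the signature verifies
        raise TokenError("signing key revoked")
    key = KEYS_BY_ISSUER.get(issuer, {}).get(kid)
    if key is None:
        raise TokenError("unknown kid for issuer")  # a cross-issuer key stops here
    _check_sig(key, h_b64, p_b64, s_b64)
    if claims.get("aud") != audience:
        raise TokenError("audience mismatch")
    if claims.get("exp", 0) <= now:
        raise TokenError("expired")
    return claims

def reject_reason(validator, *args, **kwargs):
    """Run a validator; return None on success or the rejection reason string."""
    try:
        validator(*args, **kwargs)
        return None
    except TokenError as exc:
        return str(exc)
```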
Tomi Engdahl says:
Compromised Microsoft Key: More Impactful Than We Thought
Our investigation of the security incident disclosed by Microsoft and CISA and attributed to Chinese threat actor Storm-0558, found that this incident seems to have a broader scope than originally assumed. Organizations using Microsoft and Azure services should take steps to assess potential impact.
https://www.wiz.io/blog/storm-0558-compromised-microsoft-key-enables-authentication-of-countless-micr
Tomi Engdahl says:
Message from InfluxData Founder & CTO Paul Dix: Discontinuation of InfluxDB Cloud in AWS Sydney and GCP Belgium
https://www.influxdata.com/blog/update-from-influxdata-paul-dix-july-10/
Tomi Engdahl says:
InfluxDB Cloud shuts down in Belgium; some weren’t notified before data deletion
https://news.ycombinator.com/item?id=36657829
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/thousands-of-images-on-docker-hub-leak-auth-secrets-private-keys/