This posting is here to collect cyber security news in July 2023.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
183 Comments
Tomi Engdahl says:
Hospital infected with malware – the cause turned out to be a small, unnoticed threat https://www.is.fi/digitoday/tietoturva/art-2000009733643.html
A healthcare specialist travelled to a conference in Asia. There he shared his presentation with others by plugging his USB stick into their laptops. One of these machines contained the HopperTick malware, which infected the USB stick. When the specialist returned home, he ended up infecting a European hospital with the malware.
The real-life case from earlier this year, described by security company Check Point, is an important reminder of attacks carried out using USB sticks.
Tomi Engdahl says:
VirusTotal apologizes for data leak affecting 5,600 customers https://www.bleepingcomputer.com/news/security/virustotal-apologizes-for-data-leak-affecting-5-600-customers/
VirusTotal apologized on Friday for leaking the information of over 5,600 customers after an employee mistakenly uploaded a CSV file containing their info to the platform last month.
The data leak impacted only Premium account customers, with the uploaded file containing their names and corporate email addresses.
Emiliano Martines, the online malware scanning service’s head of product management, also assured impacted customers that the incident was caused by human error and was not the result of a cyber-attack or any vulnerability with VirusTotal.
Tomi Engdahl says:
GitHub warns of Lazarus hackers targeting devs with malicious projects https://www.bleepingcomputer.com/news/security/github-warns-of-lazarus-hackers-targeting-devs-with-malicious-projects/
GitHub is warning of a social engineering campaign targeting the accounts of developers in the blockchain, cryptocurrency, online gambling, and cybersecurity sectors to infect their devices with malware.
The campaign was linked to the North Korean state-sponsored Lazarus hacking group, also known as Jade Sleet (Microsoft Threat Intelligence) and TraderTraitor (CISA). The US government released a report in 2022 detailing the threat actors’ tactics.
Tomi Engdahl says:
CISA: Citrix RCE bug exploited to breach critical infrastructure org https://www.bleepingcomputer.com/news/security/cisa-citrix-rce-bug-exploited-to-breach-critical-infrastructure-org/
Threat actors have breached the network of a U.S. organization in the critical infrastructure sector after exploiting a zero-day RCE vulnerability currently identified as CVE-2023-3519, a critical-severity issue in NetScaler ADC and Gateway that Citrix patched this week.
The Cybersecurity and Infrastructure Security Agency (CISA) says that the attack occurred in June and hackers used their access to steal Active Directory data.
Tomi Engdahl says:
HotRat: New Variant of AsyncRAT Malware Spreading Through Pirated Software https://thehackernews.com/2023/07/hotrat-new-variant-of-asyncrat-malware.html
A new variant of AsyncRAT malware dubbed HotRat is being distributed via free, pirated versions of popular software and utilities such as video games, image and sound editing software, and Microsoft Office.
“HotRat malware equips attackers with a wide array of capabilities, such as stealing login credentials, cryptocurrency wallets, screen capturing, keylogging, installing more malware, and gaining access to or altering clipboard data,” Avast security researcher Martin a Milánek said.
Tomi Engdahl says:
Zyxel users still getting hacked by DDoS botnet emerge as public nuisance No. 1
https://arstechnica.com/security/2023/07/ddos-botnets-are-still-feeding-on-zyxel-devices-with-vulnerable-critical-flaw/
Organizations that have yet to patch a 9.8-severity vulnerability in network devices made by Zyxel have emerged as public nuisance No. 1 as a sizable number of them continue to be exploited and wrangled into botnets that wage DDoS attacks.
Zyxel patched the flaw on April 25. Five weeks later, Shadowserver, an organization that monitors Internet threats in real time, warned that many Zyxel firewalls and VPN servers had been compromised in attacks that showed no signs of stopping. The Shadowserver assessment at the time was: “If you have a vulnerable device exposed, assume compromise.”
Tomi Engdahl says:
DHL investigating MOVEit breach as number of victims surpasses 20 million https://therecord.media/dhl-moveit-breach-investigation
The United Kingdom arm of shipping giant DHL said it is investigating a data breach sourced back to its use of the MOVEit software, which has been exploited by a Russia-based ransomware group for nearly two months.
In a statement to Recorded Future News, DHL confirmed that one of its software providers was impacted by the vulnerability affecting MOVEit, a file-sharing tool from Progress Software.
Tomi Engdahl says:
CISA warns govt agencies to patch Adobe ColdFusion servers https://www.bleepingcomputer.com/news/security/cisa-warns-govt-agencies-to-patch-adobe-coldfusion-servers/
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has given federal agencies three weeks to secure Adobe ColdFusion servers on their networks against two critical security flaws exploited in attacks, one of them as a zero-day.
According to the binding operational directive (BOD 22-01) issued by CISA in November 2021, Federal Civilian Executive Branch Agencies (FCEB) are required to patch their systems against all bugs added to the Known Exploited Vulnerabilities (KEV) catalog.
Tomi Engdahl says:
Cyberattack against Norway – 12 different ministries targeted https://www.tivi.fi/uutiset/tv/74cbc42b-6a66-495d-86a4-b08d5991d33a
Twelve Norwegian ministries have been hit by a cyberattack, the country's government said on Monday.
“We have identified a vulnerability in the platform of one of our suppliers. This vulnerability has now been fixed,” said Erik Hope, director of the Norwegian Security and Service Organisation (Departementenes sikkerhets- og serviceorganisasjon, DSS), the agency responsible for the Norwegian government's services, at a press conference.
According to Hope, the attacks were detected on 12 July on the basis of unusual network traffic. He said it is still too early to say who is behind the attack and how extensive it has been. He also gave no further details about the nature of the vulnerability, the platform or its supplier.
Tomi Engdahl says:
Clop now leaks data stolen in MOVEit attacks on clearweb sites https://www.bleepingcomputer.com/news/security/clop-now-leaks-data-stolen-in-moveit-attacks-on-clearweb-sites/
The Clop ransomware gang is copying an ALPHV ransomware gang extortion tactic by creating Internet-accessible websites dedicated to specific victims, making it easier to leak stolen data and further pressuring victims into paying a ransom.
When a ransomware gang attacks a corporate target, they first steal data from the network and then encrypt files. This stolen data is used as leverage in double-extortion attacks, warning victims that the data will be leaked if a ransom is not paid.
Tomi Engdahl says:
New OpenSSH Vulnerability Exposes Linux Systems to Remote Command Injection https://thehackernews.com/2023/07/new-openssh-vulnerability-exposes-linux.html
Details have emerged about a now-patched flaw in OpenSSH that could be potentially exploited to run arbitrary commands remotely on compromised hosts under specific conditions.
“This vulnerability allows a remote attacker to potentially execute arbitrary commands on vulnerable OpenSSH’s forwarded ssh-agent,” Saeed Abbasi, manager of vulnerability research at Qualys, said in an analysis last week. The vulnerability is being tracked under the CVE identifier CVE-2023-38408 (CVSS score: N/A). It impacts all versions of OpenSSH before 9.3p2.
Tomi Engdahl says:
North Korea Leverages SaaS Provider in a Targeted Supply Chain Attack https://www.mandiant.com/resources/blog/north-korea-supply-chain
In July 2023, Mandiant Consulting responded to a supply chain compromise affecting a US-based software solutions entity. We believe the compromise ultimately began as a result of a sophisticated spear phishing campaign aimed at JumpCloud, a zero-trust directory platform service used for identity and access management.
JumpCloud reported this unauthorized access impacted fewer than five customers and less than 10 devices. The details in this blog post are based on Mandiant’s investigation into the attack against one of JumpCloud’s impacted customers.
Tomi Engdahl says:
Critical Zero-Days in Atera Windows Installers Expose Users to Privilege Escalation Attacks https://thehackernews.com/2023/07/critical-zero-days-in-atera-windows.html
Zero-day vulnerabilities in Windows Installers for the Atera remote monitoring and management software could act as a springboard to launch privilege escalation attacks.
The flaws, discovered by Mandiant on February 28, 2023, have been assigned the identifiers CVE-2023-26077 and CVE-2023-26078, with the issues remediated in versions 1.8.3.7 and 1.8.4.9 released by Atera on April 17, 2023, and June 26, 2023, respectively.
Tomi Engdahl says:
Apple Rolls Out Urgent Patches for Zero-Day Flaws Impacting iPhones, iPads and Macs https://thehackernews.com/2023/07/apple-rolls-out-urgent-patches-for-zero.html
Apple has rolled out security updates to iOS, iPadOS, macOS, tvOS, watchOS, and Safari to address several security vulnerabilities, including one actively exploited zero-day bug in the wild.
Tracked as CVE-2023-38606, the shortcoming resides in the kernel and permits a malicious app to modify sensitive kernel state potentially. The company said it was addressed with improved state management.
Tomi Engdahl says:
Casbaneiro Banking Malware Goes Under the Radar with UAC Bypass Technique https://thehackernews.com/2023/07/casbaneiro-banking-malware-goes-under.html
The financially motivated threat actors behind the Casbaneiro banking malware family have been observed making use of a User Account Control (UAC) bypass technique to gain full administrative privileges on a machine, a sign that the threat actor is evolving their tactics to avoid detection and execute malicious code on compromised assets.
“They are still heavily focused on Latin American financial institutions, but the changes in their techniques represent a significant risk to multi-regional financial organizations as well,” Sygnia said in a statement shared with The Hacker News.
Tomi Engdahl says:
Norway says Ivanti zero-day was used to hack govt IT systems https://www.bleepingcomputer.com/news/security/norway-says-ivanti-zero-day-was-used-to-hack-govt-it-systems/
The Norwegian National Security Authority (NSM) has confirmed that attackers used a zero-day vulnerability in Ivanti’s Endpoint Manager Mobile (EPMM) solution to breach a software platform used by 12 ministries in the country.
The Norwegian Security and Service Organization (DSS) said on Monday that the cyberattack did not affect Norway’s Prime Minister’s Office, the Ministry of Defense, the Ministry of Justice, and the Ministry of Foreign Affairs.
Tomi Engdahl says:
Yamaha confirms cyberattack after multiple ransomware gangs claim attacks https://therecord.media/yamaha-confirms-cyberattack-after-multiple-ransomware-gangs-claim
Yamaha’s Canadian music division confirmed that it recently dealt with a cyberattack after two different ransomware groups claimed to have attacked the company.
The Yamaha Corporation — different from the spun-off motorcycle division — is a Japanese manufacturing giant producing musical instruments and audio equipment. It is considered the world’s largest producer of musical equipment.
In a statement last Thursday, Yamaha Canada Music said it “recently encountered a cyberattack that led to unauthorized access and data theft.”
Tomi Engdahl says:
Serious warning from the authorities to Apple users: “Install immediately”
https://www.is.fi/digitoday/tietoturva/art-2000009741468.html
If you previously skipped the patches for the holes exploited in attacks, now is the time to install them at the latest.
Critical vulnerabilities have been fixed in several Apple products and in the Safari web browser, the Finnish Transport and Communications Agency Traficom warns.
“It is recommended to install the updates that fix the vulnerabilities immediately, as exploitation of the vulnerabilities has already been observed in the wild.”
Tomi Engdahl says:
ALPHV ransomware adds data leak API in new extortion strategy https://www.bleepingcomputer.com/news/security/alphv-ransomware-adds-data-leak-api-in-new-extortion-strategy/
The ALPHV ransomware gang, also referred to as BlackCat, is trying to put more pressure on their victims to pay a ransom by providing an API for their leak site to increase visibility for their attacks.
This move follows the gang’s recent breach of Estée Lauder that ended with the beauty company completely ignoring the threat actor’s effort to engage in negotiations for a ransom payment.
Tomi Engdahl says:
New Nitrogen malware pushed via Google Ads for ransomware attacks https://www.bleepingcomputer.com/news/security/new-nitrogen-malware-pushed-via-google-ads-for-ransomware-attacks/
A new ‘Nitrogen’ initial access malware campaign uses Google and Bing search ads to promote fake software sites that infect unsuspecting users with Cobalt Strike and ransomware payloads.
The goal of the Nitrogen malware is to provide the threat actors initial access to corporate networks, allowing them to conduct data-theft, cyberespionage, and ultimately deploying the BlackCat/ALPHV ransomware.
Tomi Engdahl says:
British ambulances unable to access patient records system following cyberattack https://therecord.media/british-ambulances-unable-to-access-patient-records
A cyberattack impacting Swedish software company Ortivus has left at least two British ambulance services without access to electronic patient records.
Ortivus, which last week announced an incident impacting United Kingdom customer systems, said the attack took place on July 18.
Tomi Engdahl says:
NATO investigates alleged data theft by SiegedSec hackers https://www.bleepingcomputer.com/news/security/nato-investigates-alleged-data-theft-by-siegedsec-hackers/
NATO has confirmed that its IT team is investigating claims about an alleged data-theft hack on the Communities of Interest (COI) Cooperation Portal by a hacking group known as SiegedSec.
The COI Cooperation Portal (dnbl.ncia.nato.int) is the military alliance’s unclassified information-sharing and collaboration environment, dedicated to supporting NATO organizations and member nations. Yesterday, the hacking group ‘SiegedSec’ posted on Telegram what they claimed to be hundreds of documents stolen from the COI Cooperation Portal.
Tomi Engdahl says:
Heart monitor manufacturer hit by cyberattack, takes systems offline https://www.bitdefender.com/blog/hotforsecurity/heart-monitor-manufacturer-hit-by-cyberattack-takes-systems-offline/
CardioComm, a Canadian company which provides heart-monitoring technology to hospitals and consumers, has revealed that it has been forced to take its systems offline following a cyberattack.
The firm, which sells solutions for recording and analysing ECGs of cardiac patients, posted a curt message on a temporary landing page on its website.
Tomi Engdahl says:
N. Korea-linked operation combines US military lures, S. Korean e-commerce sites https://therecord.media/north-korea-hackers-us-military-mnrs-south-korean-ecommerce
Hackers allegedly connected to the North Korean government are using fake U.S. military job-recruitment documents to lure people into downloading malware staged on legitimate — but compromised — South Korean e-commerce sites.
Tomi Engdahl says:
Kenya reports cyber attacks causing government system outages https://www.semafor.com/article/07/28/2023/kenya-cyber-attacks-claimed-by-sudan-hackers
NAIROBI — Cyber attackers targeted a digital platform used by Kenya’s government to deliver services, the country’s technology minister said, highlighting the vulnerabilities of the system.
The attack on the e-Citizen platform in recent days caused system outages that left users unable to access a broad range of government services, ranging from passport applications to electricity payments. Some private companies were also affected.
Tomi Engdahl says:
Ryanair sued over its use of facial recognition – required from certain customers
https://www.tivi.fi/uutiset/tv/8df0a65b-cede-46ef-8232-b9626e4671e5
Low-cost airline Ryanair has been sued over its intrusive use of facial recognition technology. According to Reuters, the complaint was filed in Spain by the European Center for Digital Rights (NOYB).
Facial recognition is required from certain customers. According to NOYB, the requirement arises when a customer has bought a flight with the airline through a travel agency instead of the company's own website or app.
Tomi Engdahl says:
Medical files of 8M-plus people fall into hands of Clop via MOVEit mega-bug https://www.theregister.com/2023/07/27/maximus_deloitte_moveit_hack/
Accounting giant Deloitte, pizza and birthday party chain Chuck E. Cheese, government contractor Maximus, and the Hallmark Channel are among the latest victims that the Russian ransomware crew Clop claims to have compromised via the MOVEit vulnerability.
Tomi Engdahl says:
BreachForums database and private chats for sale in hacker data breach https://www.bleepingcomputer.com/news/security/breachforums-database-and-private-chats-for-sale-in-hacker-data-breach/
While consumers are usually the ones worried about their information being exposed in data breaches, it’s now the hacker’s turn, as the notorious Breached cybercrime forum’s database is up for sale and member data shared with Have I Been Pwned.
Yesterday, the Have I Been Pwned data breach notification service announced that visitors can check if their information was exposed in a data breach of the Breached cybercrime forum.
Tomi Engdahl says:
Zimbra patches zero-day vulnerability exploited in XSS attacks https://www.bleepingcomputer.com/news/security/zimbra-patches-zero-day-vulnerability-exploited-in-xss-attacks/
Two weeks after the initial disclosure, Zimbra has released security updates that patch a zero-day vulnerability exploited in attacks targeting Zimbra Collaboration Suite (ZCS) email servers.
Now tracked as CVE-2023-38750, the security flaw is a reflected Cross-Site Scripting (XSS) discovered by security researcher Clément Lecigne of Google Threat Analysis Group.
Tomi Engdahl says:
Apple demands app makers explain use of sensitive APIs https://www.theregister.com/2023/07/29/apple_developer_api/
Apple has told developers writing apps for its shiny stuff that they will soon have to explain why their programs use certain sensitive APIs.
Cupertino claims it’s doing so to discourage app makers from trying to track users through digital fingerprinting.
Tomi Engdahl says:
CoinsPaid Blames North Korean Hackers for $37 Million Cryptocurrency Heist
https://www.securityweek.com/coinspaid-blames-north-korean-hackers-for-37-million-cryptocurrency-heist/
CoinsPaid says North Korean hacking group Lazarus is likely responsible for the recent theft of $37 million in cryptocurrency.
Tomi Engdahl says:
Exploitation of Recent Citrix ShareFile RCE Vulnerability Begins
The first attempts to exploit CVE-2023-24489, a recent critical Citrix ShareFile remote code execution vulnerability, have been observed
https://www.securityweek.com/exploitation-of-recent-citrix-sharefile-rce-vulnerability-begins/
Tomi Engdahl says:
Code Execution Vulnerability Impacts 900k MikroTik Devices
Over 900,000 devices are impacted by an arbitrary code execution vulnerability in MikroTik RouterOS.
https://www.securityweek.com/code-execution-vulnerability-impacts-900k-mikrotik-devices/
More than 900,000 MikroTik devices are impacted by a RouterOS vulnerability leading to arbitrary code execution, vulnerability intelligence provider VulnCheck reports.
Tracked as CVE-2023-30799 (CVSS score of 9.1), the issue is described as a privilege escalation bug impacting RouterOS versions before 6.49.7 and RouterOS long-term versions through 6.48.6.
“A remote and authenticated attacker can escalate privileges from admin to super-admin on the Winbox or HTTP interface. The attacker can abuse this vulnerability to execute arbitrary code on the system,” a NIST advisory reads.
The vulnerability was initially disclosed in June 2022, at the REcon conference, but no CVE identifier was assigned to it. Proof-of-concept (PoC) code demonstrating how a root shell can be obtained on a RouterOS x86 virtual machine was also published at the time.
MikroTik patched the bug in RouterOS stable 6.49.7 in October 2022, without detailing it, VulnCheck says. Patches were released for the RouterOS long-term version as well.
https://nvd.nist.gov/vuln/detail/CVE-2023-30799