Cyber security news August 2023

This posting is here to collect cyber security news in August 2023.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.

333 Comments

  1. Tomi Engdahl says:

    Laptops, smartphones and tablets, even when hidden or locked in the trunk, continue to emit a signal, and Rob Enderle, principal analyst with the Enderle Group, says criminals know how to track that signal.

    Thieves use tech devices to scan cars before breaking into them
    https://www.nbcbayarea.com/news/local/car-break-ins-tech-devices/3285126/

    Car break-ins across the Bay Area are an epidemic, and now, criminals are using tech devices that can tell what’s inside a vehicle before they even approach it.

    Laptops, smartphones and tablets, even when hidden or locked in the trunk, continue to emit a signal, and Rob Enderle, principal analyst with the Enderle Group, says criminals know how to track that signal.

    “It might be just as easy as picking up a smartphone and looking for Bluetooth signals, and if they see it, they can triangulate approximately where it is,” Enderle said.

    More sophisticated signal detectors can better locate the source of the signal. They cost up to several hundred dollars. Their intended use is to locate surveillance equipment planted in buildings and vehicles.

    In the city’s Marina District on Monday, Jacqui Lewis said she’s seen the crooks in action and what they leave in their wake.

    “If you power down the device, it doesn’t have the ability to broadcast, and when in doubt, remove the battery because when the battery’s gone, it’s not doing anything,” Enderle said.

  2. Tomi Engdahl says:

    Well, that’s worrying for Minecraft users.

    Minecraft exploit makes it ‘completely dangerous’ to play with unpatched mods right now
    By Katie Wickens published 1 day ago
    Exploit leaves users on countless servers open to remote code execution attacks.
    https://www.pcgamer.com/minecraft-exploit-makes-it-completely-dangerous-to-play-with-unpatched-mods-right-now/?utm_medium=social&utm_campaign=socialflow&utm_source=facebook.com&fbclid=IwAR1ypbzijwMaeEE1rPJ6d1GQLEdIOYeoz3Vj6kA__UhHyC1B_2SaBcG_SkM

    Minecraft server admins better lock up their Echo Shards because this newsroom is about to get deep and dark. According to the Minecraft Malware Prevention Alliance (MMPA)—yep, that’s a thing—users have spotted a vulnerability affecting a whole lot of Minecraft servers, citing many popular mods able to be exploited by hackers looking to take over players’ machines.

    “This vulnerability is well known in the Java community, and has been fixed before in other mods,” the MMPA blog post notes (via Tom’s Hardware). It’s not a new thing, then. Though the post makes it clear that “none have been of this scale in the Minecraft community.”

    One Computer Science student, known as Dogboy21 on GitHub, spotted something like 36 mods that are vulnerable to the so-called Bleeding Pipe exploit. They warn that, right now: “It is completely dangerous to play with unpatched mods currently.”

    “Attackers already attempted (and succeeded in some cases) Microsoft access token and browser session steals. But since they can literally execute any code they want on a target system, the possibilities are endless.”

    The exploit utilises a Java deserialization attack/gadget chain that’s able to take advantage of “unsafe use of the Java serialization feature in network packets sent by servers to clients or clients to servers.”

    Mods such as EnderCore, AetherCraft mode, LogisticsPipes, Immersive Armors and ttCore are just a few of those affected, though the Git page warns users to “KEEP IN MIND THAT THIS LIST IS DEFINITELY NOT COMPLETE”,

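The Bleeding Pipe item above comes down to one bug class: a server or client calls `ObjectInputStream.readObject()` on bytes received from the network, so whatever class the peer names in the stream gets instantiated, and any `readObject()` hook on it runs. The following is an added example, not code from the article, the MMPA, or any Minecraft mod, showing the standard defensive control for that class of bug: a JEP 290 `ObjectInputFilter` allowlist that admits only the message class the code actually expects and rejects every other class before an instance is created or its `readObject()` hook can run. `ChatMessage` and `UnexpectedPayload` are constructed stand-ins for a real packet type and a real gadget; Java 9 or later is required.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

// Added example: deserialization allowlisting with a JEP 290 filter.
// Not code from the article or from any mod; requires Java 9+.
public final class DeserializationFilterDemo {

    // Constructed "packet" type: the only class this code intends to accept.
    static final class ChatMessage implements Serializable {
        private static final long serialVersionUID = 1L;
        final String sender;
        final String text;
        ChatMessage(String sender, String text) { this.sender = sender; this.text = text; }
    }

    // Constructed stand-in for a gadget: a class whose readObject() hook does
    // something while the stream is still being decoded. A real gadget chain
    // would reach far more than a static flag from here.
    static final class UnexpectedPayload implements Serializable {
        private static final long serialVersionUID = 1L;
        static boolean hookRan = false;
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            hookRan = true;
        }
    }

    // Allowlist filter: the named classes pass, "!*" rejects everything else.
    // Class names are matched as Class.getName() returns them, hence the '$'
    // for the nested class. maxdepth/maxarray also bound resource use.
    static final ObjectInputFilter ALLOWLIST = ObjectInputFilter.Config.createFilter(
            "DeserializationFilterDemo$ChatMessage;java.lang.String;maxdepth=4;maxarray=1024;!*");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Decode one packet. The filter is consulted for every class descriptor
    // read from the stream, before any instance of it is constructed.
    static Object decodePacket(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(ALLOWLIST);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // A legitimate packet passes the filter.
        ChatMessage msg = (ChatMessage) decodePacket(serialize(new ChatMessage("steve", "hello")));
        System.out.println("accepted: " + msg.sender + ": " + msg.text);

        // An unexpected class is rejected with InvalidClassException
        // ("filter status: REJECTED") and its readObject() hook never runs.
        try {
            decodePacket(serialize(new UnexpectedPayload()));
            System.out.println("BUG: payload was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        System.out.println("hook ran: " + UnexpectedPayload.hookRan);
    }
}
```

Compile and run with `javac DeserializationFilterDemo.java && java DeserializationFilterDemo`. The same pattern syntax can be applied process-wide through the `jdk.serialFilter` system property, which is the practical route for a mod loader that cannot touch every `ObjectInputStream` in third-party code; a per-stream filter as above is still preferable where the code is yours, because it can be tightened to exactly the types that message handler expects.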
  3. Tomi Engdahl says:

    Spyware maker LetMeSpy shuts down after hacker deletes server data
    Zack Whittaker
    @zackwhittaker / 6:30 am PDT • August 5, 2023
    https://techcrunch.com/2023/08/05/letmespy-spyware-shuts-down-wiped-server/amp/?fbclid=IwAR1rCqshnzxEYIq1k6Jr9GYoxaCuHNNHQk2mdaa2bPfoVsSDhw0OG7pgocA&guccounter=1&guce_referrer=aHR0cHM6Ly9sbS5mYWNlYm9vay5jb20v&guce_referrer_sig=AQAAAD_SaG-K44spn-L1NkaTXTXkq48-xoKpkGVAXiYp-R-ZKJttiiZchDcwBDMxbAzn9QnwWdRPh414WmY0Tyy18ZNxfElteWxEELu7iOHpE9lPVsOzilVU9YOmxATAnXQxdybeBBTHiyHuPjs9qRXyahScKn3dprglF7SALJ1f69E1

    Poland-based spyware LetMeSpy is no longer operational and said it will shut down after a June data breach wiped out its servers, including its huge trove of data stolen from thousands of victims’ phones.

    In a notice on its website in both English and Polish, LetMeSpy confirmed the “permanent shutdown” of the spyware service and that it would cease operations by the end of August. The notice said LetMeSpy is blocking users from logging in or signing up with new accounts.

    “The breach consisted of unauthorized access to the LetMeSpy website’s database, downloading and at the same time deleting data from the website by the author of the attack,” the notice reads.

    LetMeSpy’s app no longer functions, a network traffic analysis by TechCrunch shows, and the spyware maker’s website no longer provides the spyware app for download.

    LetMeSpy was an Android phone monitoring app that was purposefully designed to stay hidden on a victim’s phone home screen, making the app difficult to detect and remove. When planted on a person’s phone — often by someone with knowledge of their phone passcode — apps like LetMeSpy continually steal that person’s messages, call logs and real-time location data.

    A copy of the database was obtained by nonprofit transparency collective DDoSecrets, which indexes leaked datasets in the public interest, and shared with TechCrunch for analysis. The data showed that LetMeSpy, until recently, had been used to steal data from more than 13,000 compromised Android devices worldwide, though LetMeSpy’s website claimed prior to the breach that it controlled more than 236,000 devices.

    The database also contained information that shows the spyware was developed by a Krakow-based tech company called Radeal.

    LetMeSpy is the latest spyware operation to shut down in the past year in the wake of a security incident that exposed victims’ data, but also the identities of its real-world operators.

    SpyTrac, a spyware with more than a million user records in its database, was confirmed to be operated by Support King, a tech company banned from the surveillance industry by federal regulators in 2021 for previously failing to secure stolen data from its then-flagship spyware app, SpyFone.

  4. Tomi Engdahl says:

    Lily Hay Newman / Wired:
    Intel fixes a flaw found by a Google researcher that could let attackers steal passwords and other secrets, affecting Skylake, Tiger Lake, and Ice Lake chips — The vulnerability could allow attackers to take advantage of an information leak to steal sensitive details like private messages, passwords, and encryption keys.

    New ‘Downfall’ Flaw Exposes Valuable Data in Generations of Intel Chips
    https://www.wired.com/story/downfall-flaw-intel-chips/

    The vulnerability could allow attackers to take advantage of an information leak to steal sensitive details like private messages, passwords, and encryption keys.

    Intel is releasing fixes for a processor vulnerability that affects many models of its chips going back to 2015, including some that are currently sold, the company revealed today. The flaw does not impact Intel’s latest processor generations. The vulnerability could be exploited to circumvent barriers meant to keep data isolated, and therefore private, on a system. This could allow attackers to grab valuable and sensitive data from victims, including financial details, emails, and messages, but also passwords and encryption keys.

    It’s been more than five years since the Spectre and Meltdown processor vulnerabilities sparked a wave of revisions to computer chip designs across the industry. The flaws represented specific bugs but also conceptual data protection vulnerabilities in the schemes chips were using to make data available for processing more quickly and speed that processing. Intel has invested heavily in the years since these so-called speculative execution issues surfaced to identify similar types of design issues that could be leaking data. But the need for speed remains a business imperative, and both researchers and chip companies still find flaws in efficiency measures.

    This latest vulnerability, dubbed Downfall by Daniel Moghimi, the Google researcher who discovered it, occurs in chip code that can use an instruction known as Gather to access scattered data more quickly in memory. Intel refers to the flaw as Gather Data Sampling after one of the techniques Moghimi developed to exploit the vulnerability. Moghimi will present his findings at the Black Hat security conference in Las Vegas on Wednesday.

    “Memory operations to access data that is scattered in memory are very useful and make things faster, but whenever things are faster there’s some type of optimization—something the designers do to make it faster,” Moghimi says. “Based on my past experience working on these types of vulnerabilities, I had an intuition that there could be some kind of information leak with this instruction.”

    The vulnerability affects the Skylake chip family, which Intel produced from 2015 to 2019; the Tiger Lake family, which debuted in 2020 and will discontinue early next year; and the Ice Lake family, which debuted in 2019 and was largely discontinued in 2021. Intel’s current generation chips—including those in the Alder Lake, Raptor Lake, and Sapphire Rapids families—are not affected, because attempts to exploit the vulnerability would be blocked by defenses Intel has added recently.

    The fixes are being released with an option to disable them because of the potential that they could have an intolerable impact on performance for certain enterprise users. “For most workloads, Intel has not observed reduced performance due to this mitigation. However, certain vectorization-heavy workloads may see some impact,” Intel said in a statement.

    Releasing fixes for vulnerabilities like Downfall is always complicated, because in most cases, they must funnel through each manufacturer who makes devices that incorporate the affected chips, before actually reaching computers. These device-makers take code provided by Intel and create tailored patches that can then be downloaded by users. After years of releasing fixes in this complex ecosystem, Intel is practiced at coordinating the process, but it still takes time. Moghimi first disclosed Downfall to Intel a year ago.

    Moghimi also notes that it is difficult to detect Downfall attacks, because they mostly manifest as benign software activity. He adds, though, that it might be possible to develop a detection system that monitors hardware behavior for signs of abuse like unusual cache activity.

    Intel says that it would be “complex” and difficult to carry out Downfall attacks in real-world conditions, but Moghimi emphasizes that it took him only a few weeks to develop proofs of concept for the attack. And he says that relative to other speculative execution vulnerabilities and related bugs, Downfall would be one of the more doable flaws for a motivated and well-resourced attacker to exploit.

    “This vulnerability enables an attacker to essentially spy on other processes and steal data by analyzing the data leak over time for a combination of patterns that indicates the information the attacker is looking for, like login credentials or encryption keys,” Moghimi says. He adds that it would likely take time, on the scale of hours or even weeks, for an attacker to develop the pattern or fingerprint of the data they’re looking for, but the payoff would be significant.

  5. Tomi Engdahl says:

    Researchers warn: AI can steal passwords with almost one hundred percent accuracy https://www.is.fi/digitoday/tietoturva/art-2000009769708.html

    In the study, the AI was taught what the keys of a MacBook Pro sound like.

  6. Tomi Engdahl says:

    Supply chain attacks disrupt emergency services communications https://www.malwarebytes.com/blog/news/2023/07/supply-chain-attacks-disrupts-emergency-services-communications

    A supply chain attack rendered two ambulance trusts incapable of accessing electronic patient records in the UK. The two services, which operate in a region of 12 million people, were not targeted directly. Instead, the attack was aimed at a third-party technology provider used by both the South Central Ambulance Service (SCAS) and the South Western Ambulance Service (SWASFT).

  7. Tomi Engdahl says:

    Hackers steal Signal, WhatsApp user data with fake Android chat app https://www.bleepingcomputer.com/news/security/hackers-steal-signal-whatsapp-user-data-with-fake-android-chat-app/

    Hackers are using a fake Android app named ‘SafeChat’ to infect devices with spyware malware that steals call logs, texts, and GPS locations from phones.

    The Android spyware is suspected to be a variant of “Coverlm,” which steals data from communication apps such as Telegram, Signal, WhatsApp, Viber, and Facebook Messenger.

  8. Tomi Engdahl says:

    EU sanctions individuals, organizations connected to Russian disinformation network https://therecord.media/eu-sanctions-russian-operation-rnn-media

    The European Union is drawing fresh attention to Russia’s information war against Ukraine.

    The EU has imposed sanctions on a Kremlin-controlled disinformation network intended to undermine Western support for Ukraine. The sanctions, announced Friday, target seven Russian individuals and five entities involved in an operation called Recent Reliable News (RRN).

  9. Tomi Engdahl says:

    The Suomi.fi scam almost passes for real – two details reveal the harsh truth https://www.is.fi/digitoday/tietoturva/art-2000009753883.html

    Scam emails are being sent in the name of SUOMI.FI that look quite genuine. In recent days a message has been circulating that appears to come from the genuine address [email protected] and whose formatting closely resembles a real message.

    The scam message falsely claims that the Suomi.fi application has a technical error, because of which the message can only be read in a browser. The message contains a web link, which a genuine message does not have. The link is claimed to lead to Suomi.fi identification, but in reality it takes the user to a phishing page.

  10. Tomi Engdahl says:

    Multiple Chinese APTs establish major beachheads inside US infrastructure https://arstechnica.com/security/2023/08/multiple-chinese-apts-establish-major-beachheads-inside-us-infrastructure/

    Hacking teams working for the Chinese government are intent on burrowing into the farthest reaches of US infrastructure and establishing permanent presences there if possible. In the past two years, they have scored some wins that could seriously threaten national security.

  11. Tomi Engdahl says:

    EU looks the other way as Greek spyware mess heralds more trouble https://www.euractiv.com/section/law-enforcement/news/eu-looks-the-other-way-as-greek-spyware-mess-heralds-more-trouble/

    communicating with their European peers, according to the latest findings. But EU institutions insist on considering the matter a national affair.

    Ninety-two Greeks, including politicians, ministers, and journalists, have received infected SMS associated with the Predator spyware, the Greek Data Protection Authority said on Thursday (27 July).

  12. Tomi Engdahl says:

    CISA and International Partner NCSC-NO Release Joint Cybersecurity Advisory on Threat Actors Exploiting Ivanti EPMM Vulnerabilities https://www.cisa.gov/news-events/alerts/2023/08/01/cisa-and-international-partner-ncsc-no-release-joint-cybersecurity-advisory-threat-actors-exploiting

    The Cybersecurity and Infrastructure Security Agency (CISA) and the Norwegian National Cyber Security Centre (NCSC-NO) have released a joint Cybersecurity Advisory (CSA), Threat Actors Exploiting Ivanti EPMM Vulnerabilities, in response to the active exploitation of CVE-2023-35078 and CVE-2023-35081 affecting Ivanti Endpoint Manager Mobile (EPMM) (formerly known as MobileIron Core). Threat actors can chain these vulnerabilities to gain initial, privileged access to EPMM systems and execute uploaded files, such as webshells.

  13. Tomi Engdahl says:

    Mobile & Wireless
    200 Canon Printer Models May Expose Wi-Fi Connection Data
    https://www.securityweek.com/200-canon-printer-models-may-expose-wi-fi-connection-data/

    Canon says more than 200 inkjet printer models fail to properly erase Wi-Fi configuration settings.

    Japanese imaging and optical products giant Canon on Monday warned that more than 200 of its inkjet printer models fail to properly erase Wi-Fi configuration settings.

    The issue, the company says, impacts both home and office printer series, and could potentially lead to the exposure of sensitive information.

    Printer owners might need to delete the Wi-Fi settings from the printer’s memory when sending the device to repair or when disposing of it.

    However, because the impacted models do not properly erase this information, third-parties could extract it and potentially abuse it for nefarious purposes, such as gaining unauthorized access to internal networks.

    “Sensitive information on the Wi-Fi connection settings stored in the memories of inkjet printers (home and office/large format) may not be deleted by the usual initialization process,” Canon says in its advisory.

    https://psirt.canon/advisory-information/cp2023-003/

    CP2023-003 Vulnerability Mitigation/Remediation for Inkjet Printers (Home and Office/Large Format)
    July 31, 2023
    Canon Inc.
    Affected Inkjet Printers, Business Inkjet Printers
    https://canon.a.bigcontent.io/v1/static/affected-models_20230731_d04c0d9895124b65acd21ca68357dcdc

  14. Tomi Engdahl says:

    New hVNC macOS Malware Advertised on Hacker Forum

    A new macOS-targeting hVNC malware family is being advertised on a prominent cybercrime forum.
    https://www.securityweek.com/new-hvnc-macos-malware-advertised-on-hacker-forum/

  15. Tomi Engdahl says:

    Nearly All Modern CPUs Leak Data to New Collide+Power Side-Channel Attack
    https://www.securityweek.com/nearly-all-modern-cpus-leak-data-to-new-collidepower-side-channel-attack/

    A new power side-channel attack named Collide+Power can allow an attacker to obtain sensitive information and it works against nearly any modern CPU.

    A new side-channel attack method that can lead to data leakage works against nearly any modern CPU, but we’re unlikely to see it being used in the wild any time soon.

    The research was conducted by a group of eight researchers representing the Graz University of Technology in Austria and the CISPA Helmholtz Center for Information Security in Germany. Some of the experts involved in the research discovered the notorious Spectre and Meltdown vulnerabilities, as well as several other side-channel attack methods.

    The new attack, dubbed Collide+Power, has been compared to Meltdown and a type of vulnerability named Microarchitectural Data Sampling (MDS).

    Collide+Power is a generic software-based attack that works against devices powered by Intel, AMD or Arm processors and it’s applicable to any application and any type of data. The chipmakers are publishing their own advisories for the attack and the CVE-2023-20583 has been assigned.

    However, the researchers pointed out that Collide+Power is not an actual processor vulnerability — it abuses the fact that some CPU components are designed to share data from different security domains.

    An attacker can leverage such shared CPU components to combine their own data with data from user applications. The attacker measures CPU power consumption over thousands of iterations while changing the data they control, which enables them to determine the data associated with the user applications.

    An unprivileged attacker — for instance, by using malware planted on the targeted device — can leverage the Collide+Power attack to obtain valuable data such as passwords or encryption keys.

    The researchers noted that the Collide+Power attack enhances other power side-channel signals, such as the ones used in the PLATYPUS and Hertzbleed attacks.

    The researchers have published a paper detailing their work, as well as a dedicated Collide+Power website that summarizes the findings.

    https://collidepower.com/

  16. Tomi Engdahl says:

    Phishing
    Shield and Visibility Solutions Target Phishing From Inside the Browser

    Menlo Security introduced anti-phishing solutions that analyze what users see on a landing page rather than just analyzing the content of an email.

    https://www.securityweek.com/shield-and-visibility-solutions-target-phishing-from-inside-the-browser/

    Menlo Security has introduced two anti-phishing solutions that tackle the problem from within the browser; that is, by analyzing what the user sees on a landing page rather than just analyzing the content of an email.

    Phishing has been a problem for decades. Far from being solved, it is a bigger problem today than ever. The reason is that phishers have become adept at evading traditional detection systems. “The threat actors have shifted the way that they get to their victims,” says Mark Guntrip, senior director of cybersecurity strategy at Menlo. They have become increasingly evasive and increasingly successful. “So, we’ve put in place something that does things a little differently to the more traditional and commonly deployed security.”

    This is performed by new solutions, HEAT Shield and HEAT Visibility. Rather than concentrating on monitoring communications to detect phishing, HEAT looks at the threats as presented to the user on the attacker’s phishing page. The purpose is to recognize the threat at the point of presentation to the user and block the threat at that point. This approach means that any new phishing email that gets through to the user, and is clicked by the user, is still prevented from doing harm.

  17. Tomi Engdahl says:

    Google AMP Abused in Phishing Attacks Aimed at Enterprise Users
    https://www.securityweek.com/google-amp-abused-in-phishing-attacks-aimed-at-enterprise-users/

    Threat actors are using Google AMP URLs in phishing campaigns as a new detection evasion tactic.

    Threat actors have been observed abusing Google Accelerated Mobile Pages (AMP) in phishing campaigns, as a new tactic to evade detection, email protection firm Cofense reports.

    An open source HTML framework meant to improve the performance of mobile pages, Google AMP enables developers to create websites optimized for both desktop and mobile devices.

    The phishing attacks, Cofense explains, have been abusing a Google AMP feature that allows site builders to host newly created pages on Google AMP URLs. Furthermore, the attackers are using Google Analytics to track the interaction with their pages.

    Starting May 2023, Cofense has seen phishing emails containing Google AMP URLs leading to websites hosted on Google.com, allowing attackers to circumvent defenses. Starting June 15, however, the attackers switched to using Google.co.uk. Most of the phishing pages (77%) were hosted on Google.com.

    Google AMP – The Newest of Evasive Phishing Tactic
    https://cofense.com/blog/google-amp-the-newest-of-evasive-phishing-tactic/

  18. Tomi Engdahl says:

    Vulnerabilities
    Firefox 116 Patches High-Severity Vulnerabilities
    https://www.securityweek.com/firefox-116-patches-high-severity-vulnerabilities/
    Firefox 116 was released with patches for 14 CVEs, including nine high-severity vulnerabilities, some of which can lead to remote code execution or sandbox escapes.

  19. Tomi Engdahl says:

    Hackers use new malware to breach air-gapped devices in Eastern Europe https://www.bleepingcomputer.com/news/security/hackers-use-new-malware-to-breach-air-gapped-devices-in-eastern-europe/

    Chinese state-sponsored hackers have been targeting industrial organizations with new malware that can steal data from air-gapped systems.

    Air-gapped systems typically fulfill critical roles and are isolated from the enterprise network and the public internet either physically or through software and network devices.

  20. Tomi Engdahl says:

    Compromised Barracuda appliances equipped with persistent backdoors by attackers https://www.malwarebytes.com/blog/news/2023/07/compromised-barracuda-appliances-equipped-with-persistent-backdoors-by-attackers

    The Cybersecurity and Infrastructure Security Agency (CISA) has published three malware analysis reports based on malware variants associated with the exploitation of a known vulnerability in Barracuda ESG appliances.

  21. Tomi Engdahl says:

    Lawsuit: ByteDance’s CapCut app secretly reaps massive amounts of user data https://therecord.media/capcut-privacy-lawsuit-illinois-bipa-bytedance-china

    The ByteDance-owned CapCut video editing app gathers significant amounts of private data, including facial scans, from its 200 million active users, generating huge profits and potentially allowing the Chinese government to access that data, according to a proposed class action lawsuit filed in an Illinois federal court.

  22. Tomi Engdahl says:

    Hacker stole 30,000 euros intended for children taken into care from a wellbeing services county
    https://yle.fi/a/74-20043540

    Cyber attacks of various kinds against social and health care providers have increased, says the chief information security officer of the Päijät-Häme wellbeing services county.
    About 30,000 euros were taken without authorization from the accounts of Päijät-Häme family and social services.

  23. Tomi Engdahl says:

    Iranian Company Cloudzy Accused of Aiding Cybercriminals and Nation-State Hackers https://thehackernews.com/2023/08/iranian-company-cloudzy-accused-of.html

    Services offered by an obscure Iranian company known as Cloudzy are being leveraged by multiple threat actors, including cybercrime groups and nation-state crews.

    “Although Cloudzy is incorporated in the United States, it almost certainly operates out of Tehran, Iran – in possible violation of U.S. sanctions – under the direction of someone going by the name Hassan Nozari,” Halcyon said in a new report published Tuesday.

  24. Tomi Engdahl says:

    Phishers Exploit Salesforce’s Email Services Zero-Day in Targeted Facebook Campaign https://thehackernews.com/2023/08/phishers-exploit-salesforces-email.html

    A sophisticated Facebook phishing campaign has been observed exploiting a zero-day flaw in Salesforce’s email services, allowing threat actors to craft targeted phishing messages using the company’s domain and infrastructure.

  25. Tomi Engdahl says:

    Vulnerabilities
    Google Awards Over $60,000 for V8 Vulnerabilities Patched With Chrome 115 Update
    https://www.securityweek.com/google-awards-60000-for-v8-vulnerabilities-patched-with-chrome-115-update/
    Google has paid out over $60,000 for three high-severity type confusion vulnerabilities in Chrome’s V8 engine.

  26. Tomi Engdahl says:

    Finland sees fourfold spike in ransomware attacks since joining NATO, senior cyber official says https://therecord.media/finland-sees-fourfold-spike-in-rasomware-attacks-nato

    Ransomware attacks targeting Finnish organizations have increased four-fold since the Nordic country began the process of joining NATO last year, according to a senior official.

    In an interview with Recorded Future News on Thursday, Sauli Pahlman, the deputy director general for Finland’s National Cyber Security Centre (NCSC), cautioned that “correlation doesn’t equal causality,” but said he believed the surge in cases was linked to geopolitics.

  27. Tomi Engdahl says:

    Google Pays Apple $15,000 For Hacking Chrome Security https://www.forbes.com/sites/daveywinder/2023/08/03/google-pays-apple-15000-for-hacking-chrome-security/

    Google has confirmed that a high-severity security vulnerability in the Chrome web browser was found by Apple’s Security Engineering and Architecture team.
    Moreover, the SEAR team was awarded a bug bounty of $15,000 from Google for the discovery and disclosure. As surprising as it may sound to some readers, Google has paid Apple for effectively hacking Chrome security; and that’s a good thing.

  28. Tomi Engdahl says:

    Hundreds of Citrix NetScaler ADC and Gateway Servers Hacked in Major Cyber Attack https://thehackernews.com/2023/08/hundreds-of-citrix-netscaler-adc-and.html

    Hundreds of Citrix NetScaler ADC and Gateway servers have been breached by malicious actors to deploy web shells, according to the Shadowserver Foundation.

    The non-profit said the attacks take advantage of CVE-2023-3519, a critical code injection vulnerability that could lead to unauthenticated remote code execution.

    The flaw, patched by Citrix last month, carries a CVSS score of 9.8.

  29. Tomi Engdahl says:

    Midnight Blizzard conducts targeted social engineering over Microsoft Teams https://www.microsoft.com/en-us/security/blog/2023/08/02/midnight-blizzard-conducts-targeted-social-engineering-over-microsoft-teams/

    Microsoft Threat Intelligence has identified highly targeted social engineering attacks using credential theft phishing lures sent as Microsoft Teams chats by the threat actor that Microsoft tracks as Midnight Blizzard (previously tracked as NOBELIUM). This latest attack, combined with past activity, further demonstrates Midnight Blizzard’s ongoing execution of their objectives using both new and common techniques. In this latest activity, the threat actor uses previously compromised Microsoft 365 tenants owned by small businesses to create new domains that appear as technical support entities.

  30. Tomi Engdahl says:

    CISA Calls Urgent Attention to UEFI Attack Surfaces
    https://www.securityweek.com/cisa-calls-urgent-attention-to-uefi-attack-surfaces/

    The US government’s cybersecurity agency describes UEFI as “critical attack surface” that requires urgent security attention.

    The US government’s cybersecurity agency CISA is calling attention to under-researched attack surfaces in UEFI, warning that the dominant firmware standard presents a juicy target for malicious hackers.

    “UEFI is a critical attack surface. Attackers have a clear value proposition for targeting UEFI software,” the agency said in a call-to-action penned by CISA technical advisor Jonathan Spring and vulnerability management director Sandra Radesky.

    Noting that UEFI code represents a compilation of several components (security and platform initializers, drivers, bootloaders, power management interface, etc.), the agency warned that security defects expose computer systems to stealthy attacks that maintain persistence.

    “What attackers achieve depends on which phase and what element of UEFI they are able to subvert. But every attack involves some kind of persistence,” CISA said. “As we evolve our responses to UEFI incidents and strengthen secure-by-design in the UEFI community, we should strive to create an environment where the threat from the adversary targeting UEFI is significantly reduced.”

    The government agency used the example of the BlackLotus bootkit to call attention to major gaps in the way layers below the operating system are protected.

  31. Tomi Engdahl says:

    Microsoft Catches Russian Government Hackers Phishing with Teams Chat App
    https://www.securityweek.com/microsoft-catches-russian-government-hackers-phishing-with-teams-chat-app/

    Microsoft says a Russian government-linked hacking group is using its Microsoft Teams chat app to phish for credentials at targeted organizations.

  32. Tomi Engdahl says:

    Online banking credentials are being phished with forged messages https://www.epressi.com/tiedotteet/tietoturva/verkkopankkitunnuksia-kalastellaan-vaarennetyilla-viesteilla.html

    Traficom's Kyberturvallisuuskeskus (the National Cyber Security Centre) has also received reports in recent weeks of scam messages sent in the name of the Suomi.fi service and Osuuspankki.

    The email circulating in the name of the Suomi.fi service urges the recipient to read the message immediately. The email claims that, for security reasons or because of a technical error, the message can only be read by logging in to a service hosted elsewhere. Some of the messages have also included the Finnish lion to add credibility.

  33. Tomi Engdahl says:

    Malicious npm Packages Found Exfiltrating Sensitive Data from Developers https://thehackernews.com/2023/08/malicious-npm-packages-found.html

    Cybersecurity researchers have discovered a new bunch of malicious packages on the npm package registry that are designed to exfiltrate sensitive developer information.

    Software supply chain firm Phylum, which first identified the “test” packages on July 31, 2023, said they “demonstrated increasing functionality and refinement,” hours after which they were removed and re-uploaded under different, legitimate-sounding package names.

  34. Tomi Engdahl says:

    Threat Actors Abuse Cloudflare Tunnel for Persistent Access, Data Theft https://www.securityweek.com/threat-actors-abuse-cloudflare-tunnel-for-persistent-access-data-theft/

    Threat actors have been observed abusing an open source tool named Cloudflared to maintain persistent access to compromised systems and to steal information without being detected, cybersecurity firm GuidePoint Security reports.

    Cloudflared is a command-line client for Cloudflare Tunnel, a tunneling daemon for proxying traffic between the Cloudflare network and the user’s origin. The tool creates an outbound connection over HTTPS, with the connection’s settings manageable via the Cloudflare Zero Trust dashboard.

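
The news item above describes Cloudflared as a legitimate connector whose outbound HTTPS tunnel is abused for persistence. The following is an added example, not code from the article or from GuidePoint Security, showing one defender-side check: classifying constructed process-creation events for Cloudflare Tunnel starts. The JSON-lines telemetry shape, the host allowlist, and the assumption that a tunnel start shows up as `tunnel run --token` or `tunnel --url` on the command line are all assumptions made for this example. Matching on the arguments rather than on the binary name is the point: a renamed copy of the connector still needs the same arguments to come up.

```python
import json

# Constructed process-creation telemetry in a generic JSON-lines shape (an assumption
# for this example, not any particular EDR's format). Token values are placeholders.
SAMPLE_EVENTS = r"""
{"host": "ws-014", "user": "svc_build", "image": "C:\\Tools\\cloudflared.exe", "cmdline": "cloudflared.exe tunnel run --token TOKEN_PLACEHOLDER"}
{"host": "ws-022", "user": "jdoe", "image": "C:\\Windows\\Temp\\updater.exe", "cmdline": "updater.exe tunnel run --token TOKEN_PLACEHOLDER"}
{"host": "edge-gw-01", "user": "root", "image": "/usr/local/bin/cloudflared", "cmdline": "cloudflared tunnel run --token TOKEN_PLACEHOLDER"}
{"host": "ws-031", "user": "amy", "image": "/usr/bin/git", "cmdline": "git push origin main"}
{"host": "dev-07", "user": "bob", "image": "/usr/local/bin/cloudflared", "cmdline": "cloudflared tunnel --url http://localhost:8080"}
{"host": "ws-040", "user": "cat", "image": "/usr/bin/python3", "cmdline": "python3 tunnel_tests.py --run"}
"""

# Hosts where a Cloudflare Tunnel connector is sanctioned (constructed allowlist).
SANCTIONED_HOSTS = {"edge-gw-01"}

# Flags this example treats as a tunnel start (assumption: "--token" for a
# dashboard-managed tunnel, "--url" for an ad hoc one).
TUNNEL_FLAGS = {"--token", "--url"}


def basename(path: str) -> str:
    """Last path component, accepting either path separator."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def has_tunnel_args(cmdline: str) -> bool:
    """True when argv after argv[0] looks like a tunnel start, whatever the binary is called."""
    tokens = [t.lower() for t in cmdline.split()[1:]]
    flag_names = {t.split("=", 1)[0] for t in tokens}
    return "tunnel" in tokens and ("run" in tokens or bool(flag_names & TUNNEL_FLAGS))


def classify(event: dict):
    """Return (rule, severity) for a single event, or None when nothing matches."""
    image = basename(event.get("image", ""))
    known_name = image in {"cloudflared", "cloudflared.exe"}
    tunnel_args = has_tunnel_args(event.get("cmdline", ""))
    if known_name and tunnel_args:
        return "cloudflared_tunnel", "medium"
    if known_name:
        return "cloudflared_present", "low"
    if tunnel_args:
        # Same arguments, unfamiliar binary name: the connector may have been renamed.
        return "possible_renamed_cloudflared", "high"
    return None


def detect(jsonl: str) -> list:
    """Run classify() over JSON-lines telemetry, skipping hosts where the tool is sanctioned."""
    findings = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("host") in SANCTIONED_HOSTS:
            continue
        hit = classify(event)
        if hit:
            rule, severity = hit
            findings.append({
                "host": event["host"],
                "user": event.get("user"),
                "image": event["image"],
                "cmdline": event["cmdline"],
                "rule": rule,
                "severity": severity,
            })
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['host']} {f['user']}: {f['rule']} <- {f['cmdline']}")
```

The allowlist keeps the sanctioned edge gateway quiet so the findings are the unexpected connector on a workstation, the renamed copy in a temp directory, and the ad hoc tunnel on a developer box. A real deployment would also correlate with the outbound HTTPS connection the article mentions, but the command-line shape alone already separates these cases from the unrelated `git` and `python3` events.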
  35. Tomi Engdahl says:

    Teach a Man to Phish and He’s Set for Life https://krebsonsecurity.com/2023/08/teach-a-man-to-phish-and-hes-set-for-life/

    KrebsOnSecurity goes through a phishing message received by an anonymous reader of the blog. The phishing site made to appear as if it were part of a mailbox delivery report from Microsoft 365 about messages that had failed to deliver.

    The file included in this phishing scam uses what’s known as a “right-to-left override” or RLO character. RLO is a special character within unicode — an encoding system that allows computers to exchange information regardless of the language used — that supports languages written from right to left, such as Arabic and Hebrew.

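
The RLO trick described above works because the operating system decides a file's type from the logical order of the characters, while the screen draws them in display order. As an added example that is not part of the KrebsOnSecurity post, the Python below scans attachment names for Unicode bidirectional control characters, reports the extension the OS will actually use, and approximates how the name is drawn once an RLO flips part of it. The sample attachment names are constructed, and the display simulation is a deliberate simplification of the Unicode bidirectional algorithm (text after an RLO is reversed until a PDF control or the end of the string).

```python
import unicodedata

# Bidirectional control classes as reported by unicodedata.bidirectional().
# "RLO" (U+202E) is the right-to-left override named in the article; the others are
# the related embedding, override and isolate controls, included so a scanner does
# not miss a variant that achieves a similar visual swap.
BIDI_CONTROL_CLASSES = {"LRE", "RLE", "PDF", "LRO", "RLO", "LRI", "RLI", "FSI", "PDI"}


def simulated_display(name: str) -> str:
    """Approximate how a filename looks once an RLO has flipped part of it.

    Simplified model, not the full Unicode bidi algorithm: everything after an
    RLO is shown reversed until a PDF (U+202C) or the end of the string.
    """
    rlo = name.find("\u202e")
    if rlo == -1:
        return name
    head, tail = name[:rlo], name[rlo + 1:]
    pdf = tail.find("\u202c")
    if pdf == -1:
        return head + tail[::-1]
    return head + tail[:pdf][::-1] + simulated_display(tail[pdf + 1:])


def scan_filename(name: str) -> dict:
    """Report bidi controls in a filename and the extension the OS will really use."""
    controls = [
        {"index": i, "codepoint": f"U+{ord(ch):04X}", "class": unicodedata.bidirectional(ch)}
        for i, ch in enumerate(name)
        if unicodedata.bidirectional(ch) in BIDI_CONTROL_CLASSES
    ]
    # The true extension follows the logical character order, not what is drawn on screen.
    cleaned = "".join(
        ch for ch in name if unicodedata.bidirectional(ch) not in BIDI_CONTROL_CLASSES
    )
    _, dot, ext = cleaned.rpartition(".")
    return {
        "name": name,
        "suspicious": bool(controls),
        "controls": controls,
        "displayed_as": simulated_display(name),
        "true_extension": ext.lower() if dot else "",
    }


def flag_attachments(names):
    """Return the scan results for every attachment name carrying a bidi control."""
    return [r for r in (scan_filename(n) for n in names) if r["suspicious"]]


if __name__ == "__main__":
    # Constructed sample attachment names; the first imitates the article's
    # "failed delivery report" lure with an RLO hiding an .exe behind a .pdf look.
    samples = [
        "Delivery_report_\u202efdp.exe",
        "Delivery_report.pdf",
        "quarterly_\u202eslx.scr",
    ]
    for r in flag_attachments(samples):
        print(f"{r['displayed_as']} is really *.{r['true_extension']} "
              f"(controls: {[c['codepoint'] for c in r['controls']]})")
```

A mail gateway or endpoint agent can apply the same check to attachment names and archive member names; a single bidi control in a filename is rare enough in legitimate traffic that flagging it outright is a reasonable default.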
  36. Tomi Engdahl says:

    A cyberattack has disrupted hospitals and health care in several states https://apnews.com/article/cyberattack-hospital-emergency-outage-4c808c1dad8686458ecbeababd08fecf

    A cyberattack has disrupted hospital computer systems in several states in the US, forcing some emergency rooms to close and ambulances to be diverted, and many primary care services remained closed on Friday as security experts worked to determine the extent of the problem and resolve it.

    The “data security incident” began Thursday at facilities operated by Prospect Medical Holdings, which is based in California and has hospitals and clinics there and in Texas, Connecticut, Rhode Island and Pennsylvania.

  37. Tomi Engdahl says:

    Cybercriminals are tormenting summer workers: this is what a CEO scam looks like
    https://yle.fi/a/74-20043788

    In the summer, online scammers target companies' summer employees. This is the so-called CEO scam, says Juha Tretjakov, senior specialist at Kyberturvallisuuskeskus (the National Cyber Security Centre).

    CEO scams are money transfer frauds.

    "The scammer poses as a company executive and asks whether the employee has a moment to help with a money transfer. The scammer provides an account number, which is abroad and under the scammer's control."

  38. Tomi Engdahl says:

    FBI investigating ransomware attack crippling hospitals across 4 states https://therecord.media/hospital-network-facing-cyberattack

    A major hospital network with arms in multiple states is dealing with widespread network outages due to a cyberattack, which the FBI confirms is ransomware.

    Prospect Medical Holdings operates 16 hospitals in California, Connecticut, Pennsylvania, and Rhode Island as well as a network of 166 outpatient clinics and centers. On Thursday, the network began facing issues at its hospitals nationwide — some of which had to divert patients to other facilities and stop operation.

    In a statement to Recorded Future News, the FBI said it is investigating the ransomware attacks but said they are unable to provide more information because it is an ongoing investigation. No ransomware gang has claimed the attack.

  39. Tomi Engdahl says:

    Microsoft resolves vulnerability following criticism from Tenable CEO https://therecord.media/microsoft-resolves-vulnerability-following-criticism

    Microsoft has resolved a vulnerability that allows threat actors to gain access to information managed by Azure AD, a cloud offering used by large companies for managing user authentication.

    Concerns about the issue burst into public view this week when Amit Yoran, the CEO of cybersecurity firm Tenable, published a scathing LinkedIn post bashing the tech giant for its handling of the vulnerability.

    In his blog post, Yoran slammed Microsoft for not moving quicker to address the vulnerability and noted that without a fix, the bank that they originally tested the issue on was still vulnerable more than 120 days after it was reported.

  40. Tomi Engdahl says:

    Researchers Uncover New High-Severity Vulnerability in PaperCut Software https://thehackernews.com/2023/08/researchers-uncover-new-high-severity.html

    Cybersecurity researchers have discovered a new high-severity security flaw in PaperCut print management software for Windows that could result in remote code execution under specific circumstances.

    Tracked as CVE-2023-39143 (CVSS score: 8.4), the flaw impacts PaperCut NG/MF prior to version 22.1.3. It has been described as a combination of a path traversal and file upload vulnerability.

    “CVE-2023-39143 enables unauthenticated attackers to potentially read, delete, and upload arbitrary files to the PaperCut MF/NG application server, resulting in remote code execution in certain configurations,” Horizon3.ai’s Naveen Sunkavally said.

  41. Tomi Engdahl says:

    Colorado Department of Higher Education warns of massive data breach https://www.bleepingcomputer.com/news/security/colorado-department-of-higher-education-warns-of-massive-data-breach/

    The Colorado Department of Higher Education (CDHE) discloses a massive data breach impacting students, past students, and teachers after suffering a ransomware attack in June.

    In a ‘Notice of Data Incident’ published on the CDHE website, the Department says they suffered a ransomware attack on June 19th, 2023.

    “On June 19, 2023, CDHE became aware it was the victim of a cybersecurity ransomware incident that impacted its network systems,” explains the data breach notification.

  42. Tomi Engdahl says:

    New acoustic attack steals data from keystrokes with 95% accuracy https://www.bleepingcomputer.com/news/security/new-acoustic-attack-steals-data-from-keystrokes-with-95-percent-accuracy/

    A team of researchers from British universities has trained a deep learning model that can steal data from keyboard keystrokes recorded using a microphone with an accuracy of 95%.

    When Zoom was used for training the sound classification algorithm, the prediction accuracy dropped to 93%, which is still dangerously high, and a record for that medium.

    Such an attack severely affects the target’s data security, as it could leak people’s passwords, discussions, messages, or other sensitive information to malicious third parties.

  43. Tomi Engdahl says:

    Clop ransomware now uses torrents to leak data and evade takedowns https://www.bleepingcomputer.com/news/security/clop-ransomware-now-uses-torrents-to-leak-data-and-evade-takedowns/

    The Clop ransomware gang has once again altered extortion tactics and is now using torrents to leak data stolen in MOVEit attacks.

    Starting on May 27th, the Clop ransomware gang launched a wave of data-theft attacks exploiting a zero-day vulnerability in the MOVEit Transfer secure file transfer platform. Exploiting this zero-day allowed the threat actors to steal data from almost 600 organizations worldwide before they realized they were hacked.

  44. Tomi Engdahl says:

    Spyware maker LetMeSpy shuts down after hacker deletes server data https://techcrunch.com/2023/08/05/letmespy-spyware-shuts-down-wiped-server/

    Poland-based spyware LetMeSpy is no longer operational and said it will shut down after a June data breach wiped out its servers, including its huge trove of data stolen from thousands of victims’ phones.

    LetMeSpy was an Android phone monitoring app that was purposefully designed to stay hidden on a victim’s phone home screen, making the app difficult to detect and remove. When planted on a person’s phone — often by someone with knowledge of their phone passcode — apps like LetMeSpy continually steal that person’s messages, call logs and real-time location data.

  45. Tomi Engdahl says:

    Lawsuit accuses hospital of sharing patient health data with Facebook https://therecord.media/lawsuit-accuses-hospital-data-sharing

    A proposed class action lawsuit filed Thursday alleges that a Seattle-area hospital allowed Facebook’s online tracking tools to integrate with its website, leading to personal health data belonging to hundreds of thousands of people to be shared with Meta and other third parties.

    The plaintiff, Jacq Nienaber, alleges that Meta Pixel as well as the company’s Conversions Application Programming Interface, typically embedded in websites for marketing purposes, were present in Overlake Hospital Medical Center’s systems, behaving as a “wiretap.”

  46. Tomi Engdahl says:

    TikTok unveils changes to meet tough new EU rules https://www.euractiv.com/section/digital/news/tiktok-unveils-changes-to-meet-tough-new-eu-rules/

    Video-sharing platform TikTok announced on Friday (4 August) changes to meet strict EU rules including allowing European users to turn off the addictive feature that shows content based on their interests.

    Under the new rules, internet giants will be forced to take stronger action on data privacy, child protection, disinformation and hate speech. The European Commissioner overseeing the digital market, Thierry Breton, warned TikTok last month to accelerate its adoption of the new standards.

  47. Tomi Engdahl says:

    Man who scammed hundreds of S-Pankki customers sentenced to five years in prison
    https://yle.fi/a/74-20044020

    Helsinki District Court today handed down its judgment in an exceptionally large phishing case. According to the prosecutor, almost 2.4 million euros were taken from S-Pankki customers by fraud.

    According to the summons application, a man in his twenties last year sent text messages in the bank's name to hundreds of people, getting them to enter their banking credentials on a scam website.

  48. Tomi Engdahl says:

    Microsoft hits back at Tenable criticism of its infosec practices https://www.theregister.com/2023/08/07/microsoft_power_platform_tenable_criticism/

    Microsoft has explained why it seemingly took its time to fix a flaw reported to it by infosec intelligence vendor Tenable.

    As explained by the Microsoft Security Response Center, “Moving too quickly could result in more customer disruption (in terms of availability) than the risk customers bear from an embargoed security vulnerability.”

  49. Tomi Engdahl says:

    Google Play apps with 2.5M installs load ads when screen’s off https://www.bleepingcomputer.com/news/security/google-play-apps-with-25m-installs-load-ads-when-screens-off/

    The Google Play store was infiltrated by 43 Android applications with 2.5 million installs that secretly displayed advertisements while a phone’s screen was off, running down a device’s battery.

    McAfee’s Mobile Research Team discovered the malicious Android apps and reported them to Google as they violated Google Play Store’s policies. Google subsequently removed the apps from Android’s official store.

    The applications were mainly media streaming apps and news aggregators, and the target audience was predominately Korean. However, the same deceptive tactics could very easily be applied to other app categories and more diverse user demographics.

