Cyber security news August 2023

This posting is here to collect cyber security news in August 2023.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.

333 Comments

  1. Tomi Engdahl says:

    Edge wants to take screenshots of every webpage you visit, here is why and how to disable it
    https://www.neowin.net/news/edge-wants-to-take-screenshots-of-every-webpage-you-visit-here-is-why-and-how-to-disable-it/#google_vignette

    Microsoft Edge has numerous features to make the browsing experience better. For example, Startup Boost ensures Edge launches instantly, and improved text rendering delivers better fonts on Windows. These, in addition to several more, make Edge stand out among competitors. However, some services are head-scratching at best or outright bewildering at first sight.

    Recently we covered a feature that could make one think Microsoft can see every picture you view online. Here is another one: an upcoming release will add a toggle enabling Edge to take screenshots of each page you visit. And no, it is not a clickbait-like assumption: Microsoft clearly states it wants to screenshot everything you view online.

    Microsoft Edge 117, currently available for testing in the Canary and Dev channels, has a new toggle called “Save screenshots of site for History”

    We’ll take screenshots of the sites you visit and save it so that you can quickly revisit the site you want from history.

  2. Tomi Engdahl says:

    Knight ransomware distributed in fake Tripadvisor complaint emails https://www.bleepingcomputer.com/news/security/knight-ransomware-distributed-in-fake-tripadvisor-complaint-emails/

    The Knight ransomware is being distributed in an ongoing spam campaign that pretends to be TripAdvisor complaints. Knight ransomware is a recent rebrand of the Cyclops Ransomware-as-a-Service, which switched its name at the end of July 2023.
    The Cyclops ransomware operation launched in May 2023 when the operators began recruiting affiliates for the new ransomware-as-a-service (RaaS) on the RAMP hacking forum.
    A report by Uptycs explains that the operation launched with encryptors for Windows, macOS, and Linux/ESXi. The operation also offers affiliates information-stealing malware for Windows and Linux, which is not normally seen in RaaS operations.

  3. Tomi Engdahl says:

    XWorm, Remcos RAT Evade EDRs to Infect Critical Infrastructure https://www.darkreading.com/ics-ot/xworm-remcos-rat-evade-edrs-infect-critical-infrastructure

    The Rust-based injector Freeze[.]rs has been weaponized to introduce a raft of malware to targets, in a sophisticated phishing campaign containing a malicious PDF file that gets around endpoint detection and response (EDR).
    First discovered by Fortinet’s FortiGuard Labs in July, the campaign is targeting victims across Europe and North America, including specialty chemical or industrial product suppliers.

  4. Tomi Engdahl says:

    This Is What Happens When People Start Actually Reading Privacy Policies https://themarkup.org/hello-world/2023/08/12/this-is-what-happens-when-people-start-actually-reading-privacy-policies

    A recent controversy about Zoom’s ability to train AI on users’ conversations shows the importance of reading the fine print. Over the past quarter-century, privacy policies—the lengthy, dense legal language you quickly scroll through before mindlessly hitting “agree”—have grown both longer and denser. A study released last year found that not only did the average length of a privacy policy quadruple between 1996 and 2021, they also became considerably more difficult to understand.
    While machine learning can be a useful tool in understanding the universe of privacy policies, its presence inside of a privacy policy can set off a firestorm. Case in point: Zoom.

  5. Tomi Engdahl says:

    Microsoft Warns Of Exchange Server Failures, Pulls August 8 Security Update https://www.forbes.com/sites/daveywinder/2023/08/11/microsoft-warns-of-exchange-server-failures-pulls-august-8-security-update/

    The latest Patch Tuesday security update from Microsoft rolled out August 8, complete with six critical reasons to install it as soon as possible. When it came to certain Exchange Server admins, however, timely installation proved to be a big mistake, as the August security update caused server deactivation.
    Microsoft has confirmed the issue that caused these Exchange Server installations to be left disabled, and the August Exchange Server security updates have been temporarily removed.

  6. Tomi Engdahl says:

    CISA: ‘Whirlpool’ Backdoor Sends Barracuda ESG Security Down the Drain https://www.darkreading.com/threat-intelligence/cisa-whirlpool-backdoor-barracuda-esg-security

    The US Cybersecurity and Infrastructure Security Agency (CISA) this week issued yet another alert related to the recent advanced persistent threat (APT) attacks targeting a command-injection vulnerability in Barracuda’s Email Security Gateway (ESG) appliances.

    The alert pertains to a backdoor dubbed “Whirlpool” that the group behind the attacks — China-based UNC4841 — has been deploying in an aggressive cyber espionage campaign that stretches back to at least last October. So far, the campaign has affected private and public sector organizations across multiple industries in as many as 16 countries.

  7. Tomi Engdahl says:

    5 arrested in Poland for running bulletproof hosting service for cybercrime gangs https://www.europol.europa.eu/media-press/newsroom/news/5-arrested-in-poland-for-running-bulletproof-hosting-service-for-cybercrime-gangs

    This week, the Polish Central Cybercrime Bureau (Centralne Biuro Zwalczania Cyberprzestępczości) under the supervision of the Regional Prosecutor’s Office in Katowice (Prokuratura Regionalna w Katowicach) took action against LolekHosted.net, a bulletproof hosting service used by criminals to launch cyber-attacks across the world.

  8. Tomi Engdahl says:

    There’s a good chance your VPN is vulnerable to privacy-menacing TunnelCrack attack https://www.theregister.com/2023/08/10/tunnelcrack_vpn/

    A couple of techniques collectively known as TunnelCrack can, in the right circumstances, be used by snoops to force victims’ network traffic to go outside their encrypted VPNs, it was demonstrated this week.

    A team of academics on Tuesday explained how the attacks work, released proof-of-concept exploits, and reckoned “every VPN product is vulnerable on at least one device.”
    The researchers said they tested more than 60 VPN clients, and found that “all VPN apps” on iOS are vulnerable. Android appears to be most secure of the bunch.

  9. Tomi Engdahl says:

    Interpol shut down the 16shop service, which offered phishing software https://www.iltalehti.fi/tietoturva/a/4bf8e96a-8c82-4a9f-9989-0d55bba4038f

    The service sold its software to cybercriminals, who used it in connection with scam emails, among other things.
    The emails received by victims contained either a malware-laden PDF file or a malicious link through which, for example, the victim’s bank card details could be obtained. Interpol estimates the number of victims at over 70,000 people from 43 different countries.

  10. Tomi Engdahl says:

    Sweden is now searching for a teenage hacker suspected of leaking the data of over 700,000 people
    https://yle.fi/a/74-20044934

    A teenager living in Uppsala County is suspected of two major data breaches and of leaking the personal data of thousands of people.
    Last week, the Uppsala region reported a data breach in the Uppland public transport app, through which the personal data of more than 700,000 people was leaked. The leaked data included people’s phone numbers, purchase history and email addresses.

  11. Tomi Engdahl says:

    Finns have lost staggering sums over the past 24 hours – police warn of a nasty scam https://www.is.fi/digitoday/art-2000009780145.html

    Police warn that scam messages sent in the name of banks are once again circulating in large numbers. Police recommend being careful and using banks’ services only through their official websites and apps.
    Over the past weekend, police have learned of cases in which victims lost significant sums of money by clicking links in text messages purporting to come from a bank.

  12. Tomi Engdahl says:

    Monti ransomware targets VMware ESXi servers with new Linux locker https://www.bleepingcomputer.com/news/security/monti-ransomware-targets-vmware-esxi-servers-with-new-linux-locker/

    The Monti ransomware gang has returned, after a two-month break from publishing victims on their data leak site, using a new Linux locker to target VMware ESXi servers, legal, and government organizations.

    Researchers at Trend Micro analyzing the new encryption tool from Monti found that it has “significant deviations from its other Linux-based predecessors.”

    Previous versions of the Monti locker were heavily based (99%) on the leaked code from Conti ransomware but the similarities in the new locker are just 29%.

  13. Tomi Engdahl says:

    Health Data of 4M Stolen in Cl0p MOVEit Breach of Colorado Department https://www.darkreading.com/attacks-breaches/clop-gang-steals-personal-health-data-of-4-million-in-colorado-breach

    A government department in Colorado is the latest victim of a third-party attack by Russia’s Cl0p ransomware group in connection with the MOVEit Managed File Transfer platform. Department officials say that the group stole the personal health data of about 4 million members of state health programs from IBM-managed systems.

  14. Tomi Engdahl says:

    MaginotDNS attacks exploit weak checks for DNS cache poisoning https://www.bleepingcomputer.com/news/security/maginotdns-attacks-exploit-weak-checks-for-dns-cache-poisoning/

    A team of researchers from UC Irvine and Tsinghua University has developed a new powerful cache poisoning attack named ‘MaginotDNS,’ that targets Conditional DNS (CDNS) resolvers and can compromise entire top-level domains (TLDs).

    The attack is made possible thanks to inconsistencies in implementing security checks in different DNS software and server modes (recursive resolvers and forwarders), leaving roughly one-third of all CDNS servers vulnerable.

    The researchers presented the attack and paper earlier this week at Black Hat 2023, reporting that the identified problems have now been remediated at the software level.

  15. Tomi Engdahl says:

    Hacktivists attack Japanese government over Fukushima wastewater release https://www.theregister.com/2023/08/14/hactivitsts_claim_japanese_government_attack/

    Entities using the name and iconography of Anonymous (EUTNAIOA) claim to have conducted cyber protests against the Japanese government for actions related to the release of wastewater from the Fukushima Daini Nuclear Power Plant.

    In an operation dubbed “Tango Down,” the Anonymous Italia Collective claims to have attacked 21 government and other websites associated with the Fukushima facility, which in 2011 infamously experienced damage to three reactor cores after an earthquake and tsunami disabled safety systems.

  16. Tomi Engdahl says:

    New CVE-2023-3519 scanner detects hacked Citrix ADC, Gateway devices https://www.bleepingcomputer.com/news/security/new-cve-2023-3519-scanner-detects-hacked-citrix-adc-gateway-devices/

    Mandiant has released a scanner to check if a Citrix NetScaler Application Delivery Controller (ADC) or NetScaler Gateway Appliance was compromised in widespread attacks exploiting the CVE-2023-3519 vulnerability.

    The critical CVE-2023-3519 Citrix flaw was discovered in mid-July 2023 as a zero-day, with hackers actively exploiting it to execute code remotely without authentication on vulnerable devices.

    However, even for organizations that installed the security updates, the risk of being compromised remains, as the patch does not remove malware, backdoors, and webshells planted by the attackers in the post-compromise phase.

  17. Tomi Engdahl says:

    Intel insiders go undercover revealing fresh details into NoName hacktivist operations https://cybernews.com/cyber-war/new-undercover-intel-noname-russian-hacktivist-operations/

    In a Black Hat exclusive interview with Cybernews, two Radware threat researchers turned ‘undercover hacktivists’ pose as pro-Russian sympathizers, revealing new insights into the inner workings of the cyberterrorist gang NoName057(16).

    “The importance of NoName for us, if you look at the number of attacks that they’re doing, it’s much bigger than, for example, Anonymous Sudan or even Killnet,” said the Radware researchers, who asked to remain anonymous for security reasons.

    Calling Killnet media savvy, the researchers pointed out that “Killnet makes it a lot into the news, but actually, in terms of attacks and targeting, they don’t do that much anymore.”

  18. Tomi Engdahl says:

    Threat actors use beta apps to bypass mobile app store security https://www.bleepingcomputer.com/news/security/threat-actors-use-beta-apps-to-bypass-mobile-app-store-security/

    The FBI is warning of a new tactic used by cybercriminals where they promote malicious “beta” versions of cryptocurrency investment apps on popular mobile app stores that are then used to steal crypto.

    The threat actors submit the malicious apps to the mobile app stores as “betas,” meaning that they are in an early development phase and are meant to be used by tech enthusiasts or fans to test and submit feedback to developers before the software is officially released.

    The benefit of this approach is that beta apps do not go through a standard, rigorous code review process but are instead superficially scrutinized for their safety.

    This less thorough code review process is insufficient to uncover the hidden malicious code that activates post-installation to perform various hostile actions.

  19. Tomi Engdahl says:

    Gigabud RAT Android Banking Malware Targets Institutions Across Countries https://thehackernews.com/2023/08/gigabud-rat-android-banking-malware.html

    Account holders of numerous financial institutions in Thailand, Indonesia, Vietnam, the Philippines, and Peru are being targeted by an Android banking malware called Gigabud RAT.

    “One of Gigabud RAT’s unique features is that it doesn’t execute any malicious actions until the user is authorized into the malicious application by a fraudster, [...] which makes it harder to detect,” Group-IB researchers Pavel Naumov and Artem Grischenko said.

    “Instead of using HTML overlay attacks, Gigabud RAT gathers sensitive information primarily through screen recording.”

    Gigabud RAT was first documented by Cyble in January 2023 after it was spotted impersonating bank and government apps to siphon sensitive data. It’s known to be active in the wild since at least July 2022.

  20. Tomi Engdahl says:

    2,000 Citrix NetScaler Instances Backdoored via Recent Vulnerability
    https://www.securityweek.com/2000-citrix-netscaler-instances-backdoored-via-recent-vulnerability/

    A threat actor has exploited a recent Citrix vulnerability (CVE-2023-3519) to infect roughly 2,000 NetScaler instances with a backdoor.

  21. Tomi Engdahl says:

    Iagona ScrutisWeb Vulnerabilities Could Expose ATMs to Remote Hacking
    https://www.securityweek.com/iagona-scrutisweb-vulnerabilities-could-expose-atms-to-remote-hacking/

    Several vulnerabilities discovered in Iagona ScrutisWeb ATM fleet monitoring software could be exploited to remotely hack ATMs.

    Several vulnerabilities discovered in the ScrutisWeb ATM fleet monitoring software made by French company Iagona could be exploited to remotely hack ATMs.

    The security holes were discovered by Synack Red Team members and they were patched by the vendor in July 2023 with the release of ScrutisWeb version 2.1.38.

    ScrutisWeb allows organizations to monitor banking or retail ATM fleets from a web browser, enabling them to quickly respond to problems. The solution can be used to monitor hardware, reboot or shut down a terminal, send and receive files, and modify data remotely. It’s worth noting that ATM fleets can include check deposit machines and payment terminals in a restaurant chain.

    The Synack researchers identified four types of vulnerabilities that have been assigned the CVE identifiers CVE-2023-33871, CVE-2023-38257, CVE-2023-35763 and CVE-2023-35189.

  22. Tomi Engdahl says:

    Hacker Forum Credentials Found on 120,000 PCs Infected With Info-Stealer Malware
    https://www.securityweek.com/hacker-forum-credentials-found-on-120000-pcs-infected-with-info-stealer-malware/

    Hudson Rock security researchers have identified credentials for hacker forums on roughly 120,000 computers infected with information stealers.

  23. Tomi Engdahl says:

    SecureWorks Laying Off 15% of Employees
    https://www.securityweek.com/secureworks-laying-off-15-of-employees/

    Threat detection and response firm SecureWorks is laying off 15% of its staff (roughly 300 people) in the second round of firings this year.

  24. Tomi Engdahl says:

    Data Breaches
    1.5 Million Impacted by Ransomware Attack at Canadian Dental Service
    https://www.securityweek.com/1-5-million-impacted-by-ransomware-attack-at-canadian-dental-service/

    The personal information of 1.5 million individuals was compromised in a ransomware attack at Alberta Dental Service Corporation (ADSC).

  25. Tomi Engdahl says:

    Colorado Health Agency Says 4 Million Impacted by MOVEit Hack
    https://www.securityweek.com/colorado-health-agency-says-4-million-impacted-by-moveit-hack/

    Colorado’s health programs administrator says the personal information of 4 million individuals was compromised in the recent MOVEit hack.

  26. Tomi Engdahl says:

    Power Management Product Flaws Can Expose Data Centers to Damaging Attacks, Spying
    https://www.securityweek.com/power-management-product-flaws-can-expose-data-centers-to-damaging-attacks-spying/

    Vulnerabilities in CyberPower and Dataprobe power management products could be exploited in data center attacks, including to cause damage and for spying.

    Vulnerabilities in power management products made by CyberPower and Dataprobe could be exploited in attacks aimed at data centers, allowing threat actors to spy on organizations or cause damage, according to threat detection and response firm Trellix.

    Trellix researchers have analyzed CyberPower’s PowerPanel Enterprise data center power management software and Dataprobe’s iBoot power distribution unit (PDU). They discovered a total of nine vulnerabilities, including ones allowing an attacker to gain full access to the targeted system.

    Previous research showed that many PDUs, including the iBoot product, are often exposed to the internet, making it possible to launch remote attacks against organizations using them.

    In the CyberPower PowerPanel Enterprise product, Trellix researchers discovered four vulnerabilities, including hardcoded credentials, authentication bypass, and OS command injection issues.

  27. Tomi Engdahl says:

    No vulnerability threat in Finland’s public-authority networks
    https://www.uusiteknologia.fi/2023/08/15/suomen-viranomaisverkoissa-ei-haavoittuvuusuhkaa/

    Three of the five security vulnerabilities previously raised by a Dutch research group also affected the Finnish Virve public-authority network. Suomen Erillisverkot has taken corrective action on those, and according to them the vulnerabilities have not been exploited. The forthcoming Virve2 does not contain the reported vulnerabilities.

    Erillisverkot, which operates the public-authority networks in Finland, has informed its customers of the vulnerabilities and provided guidance on how they can be fixed. Key user organisations have also been given information on additional measures with which the network’s encryption can be strengthened if necessary.

    The researchers’ most important algorithm-related finding did not concern the Finnish Virve network, which uses the TEA2 algorithm. In addition, the broadband technology of Erillisverkot’s Virve 2 public-authority communications service, which is in the testing and deployment phase, does not contain the vulnerabilities now discovered.

  28. Tomi Engdahl says:

    Police responded to an ordinary message and caused a massive leak – the data is feared to have ended up in the wrong hands
    https://www.is.fi/ulkomaat/art-2000009786498.html
    The data leak affects a total of over 10,000 people.

    Last week, the Police Service of Northern Ireland accidentally published police officers’ personal data online.

    The data leak affects everyone working for the Police Service of Northern Ireland. The leak published online, among other things, the officers’ surnames and location and the department in which they work. According to The Guardian, personal addresses have not been leaked.

    The data was published accidentally during a routine procedure in which a request for information was answered.

    – We responded to a request asking us for the total number of police officers across the organisation at different levels. Unfortunately, one of our colleagues had embedded the source data in the response, Assistant Chief Constable Chris Todd told the Guardian.

    The country’s police service is now concerned, as the data has likely ended up in the hands of paramilitary groups.

    Chief Constable Simon Byrne said he was “deeply sorry” for the data leak at a press conference held in Belfast. Everyone working for the police has been informed of the potential threat and risks and urged to be cautious.

    Northern Ireland police officers’ details exposed in ‘monumental’ breach
    https://www.theguardian.com/uk-news/2023/aug/08/major-data-breach-involving-northern-ireland-police-officers-and-staff

    All officers’ names and ranks erroneously published online for up to three hours, but private addresses thought to be safe

    A “monumental” data breach has exposed the names and rank of every serving police officer in Northern Ireland.

    A spreadsheet was mistakenly published online detailing the surname, initial, rank or grade, location and the departments of all current Police Service of Northern Ireland officers and civilian staff members. It is understood that the breach does not involve private addresses.

    The data was published in response to a freedom of information request at about 2.30pm, the PSNI said.

    Its assistant chief constable, Chris Todd, has apologised to officers and said the severe terrorist threat facing officers has made news of the extensive data breach the “last thing that anybody in the organisation wants to be hearing”.

    Todd added: “Regrettably, this evening, I’ve had to inform the Information Commissioner’s Office of a significant data breach that we’re responsible for. What’s happened is we’ve received a freedom of information request, that’s quite a routine inquiry, nothing untoward in that.

    “We’ve responded to that request, which was seeking to understand the total numbers of officers and staff at all ranks and grade across the organisation, and in the response, unfortunately, one of our colleagues has embedded the source data, which informed that request.

    “So, what was within that data was the surname, initial, the rank or grade, the location and the departments for each of our current employees across the police service.”

    When asked if the chief constable, Simon Byrne, would be coming back from his summer break, Todd added: “I can’t speak on behalf of the chief constable, but he is certainly aware of this situation as it’s developed today.”

    The data was available to the public for between two and a half to three hours, Todd said.

    “We believe it was uploaded about 2.30 this afternoon,” he said. “It came to my attention as the senior information risk owner at about 4pm, with the cooperation of the host provider it was taken down within the hour.”

    The chair of the Police Federation for Northern Ireland has called for an urgent inquiry. Liam Kelly said: “This is a breach of monumental proportions.

    “Even if it was done accidentally, it still represents a data and security breach that should never have happened. Rigorous safeguards ought to have been in place to protect this valuable information which, if in the wrong hands, could do incalculable damage.

    “Inadequate or poor oversight of FOI procedures must be addressed and addressed urgently. New safeguards are obviously required to prevent this from ever happening again.”

    The Northern Ireland secretary, Chris Heaton-Harris, said he was “deeply concerned” about the data breach. The Alliance leader Naomi Long MLA said the scale of the PSNI data breach was of “profound concern”, adding: “Immediate action must be taken to offer … proper information, support, guidance and necessary reassurances regarding their and their families’ security.

    “Whilst the personal data has now been removed, once such information has been published online, it leaves an indelible footprint.”

    Mike Nesbitt, the Ulster Unionist representative on the Policing Board of Northern Ireland, has called for an emergency meeting of the Policing Board on Wednesday.

  29. Tomi Engdahl says:

    UHAB – Cyberdeck
    https://hackaday.io/project/192333-uhab-cyberdeck

    This cyberdeck build is the control center of the shore. It will connect to our underwater habitat, providing comms and power.

  30. Tomi Engdahl says:

    G-EDM
    https://hackaday.io/project/190371-g-edm

    Sinker EDM with drill chuck and multi-toolhead for cutting and drilling metal

  31. Tomi Engdahl says:

    Toddler’s Cyberdeck
    https://hackaday.io/project/191912-toddlers-cyberdeck

    I’m building a cyberdeck for my son. He just turned 2.

  32. Tomi Engdahl says:

    Microsoft Discloses Codesys Flaws Allowing Shutdown of Industrial Operations, Spying
    https://www.securityweek.com/microsoft-discloses-codesys-flaws-allowing-shutdown-of-industrial-operations-spying/

    Over a dozen Codesys vulnerabilities discovered by Microsoft researchers can be exploited to shut down industrial processes or deploy backdoors.

    Over a dozen vulnerabilities discovered by Microsoft researchers in Codesys products can be exploited to cause disruption to industrial processes or deploy backdoors that allow the theft of sensitive information.

    Germany-based Codesys makes automation software for engineering control systems. Its products are used by some of the world’s largest industrial control system (ICS) manufacturers, the vendor claiming that its software is found in millions of devices — roughly 1,000 different types of products made by over 500 manufacturers.

    Microsoft researchers specializing in the security of cyberphysical systems have discovered a total of 16 vulnerabilities in Codesys Control V3 versions prior to 3.5.19.0. The security holes were reported to Codesys in September 2022 and patches were announced in April 2023.

    All of the vulnerabilities have been assigned a ‘high severity’ rating. They can be exploited for denial-of-service (DoS) attacks or for remote code execution (RCE).

    Threat actors could exploit them to target programmable logic controllers (PLCs) and other ICS devices using Codesys software. Microsoft’s research focused on PLCs made by Schneider Electric and Wago.

  34. Tomi Engdahl says:

    Approximately 2000 Citrix NetScalers backdoored in mass-exploitation campaign https://research.nccgroup.com/2023/08/15/approximately-2000-citrix-netscalers-backdoored-in-mass-exploitation-campaign/

    Fox-IT (part of NCC Group) has uncovered a large-scale exploitation campaign of Citrix NetScalers in a joint effort with the Dutch Institute of Vulnerability Disclosure (DIVD). An adversary appears to have exploited CVE-2023-3519 in an automated fashion, placing webshells on vulnerable NetScalers to gain persistent access. The adversary can execute arbitrary commands with this webshell, even when a NetScaler is patched and/or rebooted.

  35. Tomi Engdahl says:

    Massive 400,000 proxy botnet built with stealthy malware infections https://www.bleepingcomputer.com/news/security/massive-400-000-proxy-botnet-built-with-stealthy-malware-infections/

    Researchers have uncovered a massive campaign that delivered proxy server apps to at least 400,000 Windows systems. The devices act as residential exit nodes without users’ consent and a company is charging for the proxy traffic running through the machines.

    Residential proxies are valuable to cybercriminals because they can help with deploying large-scale credential stuffing attacks from fresh IP addresses.
    They also have legitimate purposes like ad verification, data scraping, website testing, or privacy-enhancing rerouting.
