This posting is here to collect cyber security news in August 2023.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
This posting is here to collect cyber security news in August 2023.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
333 Comments
Tomi Engdahl says:
LockBit’s dirty little secret: ransomware gang is failing to publish victims’
data
https://grahamcluley.com/lockbits-dirty-little-secret-ransomware-gang-is-failing-to-publish-victims-data/
According to a fascinating report by Jon DiMaggio of Analyst1, who spent a year undercover gathering intelligence on the LockBit group, the ransomware gang is trying to cover up “the fact it often cannot consistently publish stolen data.”
And that’s obviously a problem for a cybercriminal gang which is using the threat of publishing exfiltrated data as its primary lever for extorting a ransom from its victims.
DiMaggio claims that the problem “is due to limitations in [LockBit’s] backend infrastructure and available bandwidth.”
Tomi Engdahl says:
Experts Uncover Weaknesses in PowerShell Gallery Enabling Supply Chain Attacks https://thehackernews.com/2023/08/experts-uncover-weaknesses-in.html
Active flaws in the PowerShell Gallery could be weaponized by threat actors to pull off supply chain attacks against the registry’s users.
Maintained by Microsoft, PowerShell Gallery is a central repository for sharing and acquiring PowerShell code, including PowerShell modules, scripts, and Desired State Configuration (DSC) resources. The registry boasts 11,829 unique packages and 244,615 packages in total.
The issues identified by the cloud security firm have to do with the service’s lax policy surrounding package names, lacking protections against typosquatting attacks, as a result enabling attackers to upload malicious PowerShell modules that appear genuine to unsuspecting users.
Tomi Engdahl says:
https://www.securityweek.com/github-paid-out-1-5-million-in-bug-bounties-in-2022/
Tomi Engdahl says:
Chrome 116 Patches 26 Vulnerabilities
https://www.securityweek.com/chrome-116-patches-26-vulnerabilities/
Google has released Chrome 116 with patches for 26 vulnerabilities and plans to ship weekly security updates for the popular web browser.
Tomi Engdahl says:
Cleaning Products Giant Clorox Takes Systems Offline Following Cyberattack
https://www.securityweek.com/cleaning-products-giant-clorox-takes-systems-offline-following-cyberattack/
Cleaning products manufacturer and marketer Clorox Company has taken certain systems offline after falling victim to a cyberattack.
Tomi Engdahl says:
Ivanti Patches Critical Vulnerability in Avalanche Enterprise MDM Solution
https://www.securityweek.com/ivanti-patches-critical-vulnerability-in-avalanche-enterprise-mdm-solution/
Ivanti has patched critical- and high-severity vulnerabilities with the latest release of Avalanche, its enterprise mobile device management solution.
Ivanti has released patches for seven critical- and high-severity vulnerabilities in Avalanche, its enterprise mobile device management (MDM) solution.
The most severe of the flaws is CVE-2023-32563 (CVSS score of 9.8), a directory traversal bug that can be exploited to execute arbitrary code remotely.
Reported by security researchers with Trend Micro’s ZDI, the issue exists in the ‘updateSkin’ method of the MDM solution and can be exploited without authentication.
“The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of System,” ZDI’s advisory reads.
The latest Avalanche iteration also resolves multiple stack-based buffer overflow bugs that are collectively tracked as CVE-2023-32560 (CVSS score of 8.8).
Tomi Engdahl says:
Google Releases Security Key Implementation Resilient to Quantum Attacks
https://www.securityweek.com/google-releases-security-key-implementation-resilient-to-quantum-attacks/
Google has released the first quantum-resilient FIDO2 security key implementation as part of its OpenSK project.
Google on Tuesday released what it described as the first FIDO2 security key implementation that should be resistant to quantum attacks.
There has been significant progress in quantum computing in the past years and tech giants are increasingly focusing on quantum security. The main concern is related to encryption — current cryptography will not be able to protect information against quantum attacks, which is why quantum-resilient cryptography is needed.
In partnership with the Swiss university ETH Zurich, Google has developed a quantum-resilient security key implementation that leverages a hybrid signature scheme involving traditional elliptic-curve cryptography (specifically ECDSA) and CRYSTALS-Dilithium, a quantum scheme that NIST recently standardized, saying it offers “strong security and excellent performance”.
Tomi Engdahl says:
Huijarit veivät ikäihmisiltä lähes 90 000 euroa kolmessa päivässä – houkuttelivat ikäihmisiä siirtämään rahat ”turvatilille”
https://yle.fi/a/74-20045685
Itä-Uudenmaan poliisi on saanut valmiiksi laajan petossarjan esitutkinnan.
Porvoosta käsin toimineet epäillyt huijasivat kesäkuussa ikäihmisiltä yhteensä noin 87 000 euroa kolmessa päivässä.
Epäiltyjä on yhteensä 15, joista yksi on edelleen vangittuna. Epäillyt rikokset tehtiin 6.–8. kesäkuuta.
Iäkkäille ihmisille soitettiin puhelimella, heitä varoitettiin käynnissä olevista virus- ja kyberhyökkäyksistä, ja heidät erehdytettiin siirtämään varojaan pikaisesti pois omilta pankkitileiltään.
Epäillyt pyysivät uhreja siirtämään rahat niin sanotuille turvatileille.
Uhreille väitettiin, että turvatileillä varat olisivat turvassa kyberhyökkäyksiltä.
Todellisuudessa mitään häiriö- tai kiiretilannetta ei ollut.
Tomi Engdahl says:
New Apple iOS 16 Exploit Enables Stealthy Cellular Access Under Fake Airplane Mode https://thehackernews.com/2023/08/new-apple-ios-16-exploit-enables.html
Cybersecurity researchers have documented a novel post-exploit persistence technique on iOS 16 that could be abused to fly under the radar and main access to an Apple device even when the victim believes it is offline.
The method “tricks the victim into thinking their device’s Airplane Mode works when in reality the attacker (following successful device exploit) has planted an artificial Airplane Mode which edits the UI to display Airplane Mode icon and cuts internet connection to all apps except the attacker application,”
Jamf Threat Labs researchers Hu Ke and Nir Avraham said in a report shared with The Hacker News.
Airplane Mode, as the name implies, allows users to turn off wireless features in their devices, effectively preventing them from connecting to Wi-Fi networks, cellular data, and Bluetooth as well as sending or receiving calls and text messages.
Tomi Engdahl says:
LinkedIn Suffers ‘Significant’ Wave of Account Hacks https://www.darkreading.com/attacks-breaches/linkedin-suffers-significant-wave-of-account-hacks
Hackers are on a spree of hijacking LinkedIn accounts, in some cases monetizing the attacks by demanding a small ransom from users to regain access and threatening permanent deletion.
Though LinkedIn, a subsidiary of Microsoft, has not yet commented publicly about the campaign, it has affected people worldwide over the last few weeks.
Conversations on social media and Google searches indicate a “significant surge in the past 90 days” of account hacks on the professional-oriented social media platform, according to a recent report published by Cyberint.
LinkedIn support response time for users has lengthened under the high volume of support requests, indicating that something is amiss, Coral Tayar, a security researcher at Cyberint, wrote in the report.
Tomi Engdahl says:
New LABRAT Campaign Exploits GitLab Flaw for Cryptojacking and Proxyjacking Activities https://thehackernews.com/2023/08/new-labrat-campaign-exploits-gitlab.html
A new, financially motivated operation dubbed LABRAT has been observed weaponizing a now-patched critical flaw in GitLab as part of a cryptojacking and proxyjacking campaign.
“The attacker utilized undetected signature-based tools, sophisticated and stealthy cross-platform malware, command-and-control (C2) tools which bypassed firewalls, and kernel-based rootkits to hide their presence,” Sysdig said in a report shared with The Hacker News.
“Furthermore, the attacker abused a legitimate service, TryCloudflare, to obfuscate their C2 network.”
Proxyjacking allows the attacker to rent the compromised host out to a proxy network, making it possible to monetize the unused bandwidth. Cryptojacking, on the other hand, refers to the abuse of the system resources to mine cryptocurrency.
Tomi Engdahl says:
File sharing site Anonfiles shuts down due to overwhelming abuse https://www.bleepingcomputer.com/news/security/file-sharing-site-anonfiles-shuts-down-due-to-overwhelming-abuse/
Anonfiles, a popular service for sharing files anonymously, has shut down after saying it can no longer deal with the overwhelming abuse by its users.
Anonfiles is an anonymous file-sharing site that allows people to share files anonymously without their activity being logged.
However, it soon became one of the most popular file-sharing services used by threat actors to share samples of stolen data, stolen credentials, and copyrighted material.
Five days ago, Anonfiles users began reporting that the service would time out when attempting to upload files.
As spotted by cybersecurity researcher g0njxa, the Anonfiles operators have now shut down the service, stating that their proxy provider recently shut them down and that they can no longer deal with the overwhelming amount of abusive material uploaded to the site.
Tomi Engdahl says:
https://www.securityweek.com/exploitation-of-citrix-sharefile-vulnerability-spikes-as-cisa-issues-warning/
Tomi Engdahl says:
Malicious QR Codes Used in Phishing Attack Targeting US Energy Company
https://www.securityweek.com/malicious-qr-codes-used-in-phishing-attack-targeting-us-energy-company/
A widespread phishing campaign utilizing malicious QR codes has hit organizations in various industries, including a major energy company in the US.
A widespread phishing campaign ongoing since May 2023 has been targeting organizations in various industries, including a major US energy company, threat intelligence firm Cofense reports.
Aimed at harvesting the Microsoft account credentials of the targeted organizations’ employees, the attacks rely on malicious QR codes embedded inside PNG images or PDF documents. The phishing links, Cofense explains, have been hidden in the QR codes.
As part of the campaign, the attackers have sent more than 1,000 phishing emails, with roughly 29% of them targeting the US energy company. Organizations in manufacturing, insurance, technology, and financial services received 15%, 9%, 7%, and 6% of the emails, respectively.
The observed emails have been spoofing Microsoft security notifications. Most of the identified phishing links have been Bing redirect URLs (26%), followed by two domains associated with the Salesforce application (15%) and Cloudflare’s Web3 services.
The number of observed attacks, Cofense notes, has been growing roughly 270% on a monthly basis, with the highest spike observed between May and June. Following a weeks-long campaign in July, however, the number of observed attacks has diminished in August.
Most of the emails contained lures referring to updating account information, including two- and multi-factor authentication, or general account security details.
The use of Bing URL redirects, coupled with hiding the phishing links in QR codes embedded in images or documents and with other obfuscation tactics, helped the malicious messages bypass security controls and land in the recipients’ inboxes.
According to Confense, despite being able to land in inboxes, phishing emails carrying QR codes might not be as efficient in finalizing the attack, as they require the user to scan the codes – typically by using a mobile phone – and follow the phishing link.
Tomi Engdahl says:
Vulnerabilities
Cisco Patches High-Severity Vulnerabilities in Enterprise Applications
https://www.securityweek.com/cisco-patches-high-severity-vulnerabilities-in-enterprise-applications/
Cisco has patched high-severity vulnerabilities in enterprise applications that could lead to privilege escalation, SQL injection, and denial-of-service.
Cisco on Wednesday announced security updates for several enterprise applications to patch high-severity vulnerabilities leading to privilege escalation, SQL injection, directory traversal, and denial-of-service (DoS).
The most severe of these impacts the web management interface of Cisco Unified Communications Manager (Unified CM) and Unified Communications Manager Session Management Edition (Unified CM SME).
Tracked as CVE-2023-20211 (CVSS score of 8.1), the bug is described as an improper validation of user-supplied input that could allow a remote, authenticated attacker to perform an SQL injection attack.
Tomi Engdahl says:
Malware & Threats
Thousands of Systems Turned Into Proxy Exit Nodes via Malware
https://www.securityweek.com/thousands-of-systems-turned-into-proxy-exit-nodes-via-malware/
Threat actors have been observed deploying a proxy application on Windows and macOS systems that were infected with malware.
Threat actors are leveraging access to malware-infected Windows and macOS systems to deploy a proxy application, AT&T’s Alien Labs reports.
To date, AT&T Alien Labs researchers have identified over 400,000 systems that act as proxy exit nodes in this network. However, it is unclear how many of these were infected, and the company that offers the proxy service claims that all devices pertain to users who are aware of the proxy application’s functionality.
Last week, the company said it identified roughly 10,000 macOS systems behaving as proxy exit nodes, with some of them potentially repurposed after being infected with the AdLoad adware.
Tomi Engdahl says:
WinRAR flaw lets hackers run programs when you open RAR archives
https://www.bleepingcomputer.com/news/security/winrar-flaw-lets-hackers-run-programs-when-you-open-rar-archives/
Tomi Engdahl says:
Hakkerit kaappasivat satelliitin ja ottivat valokuvan
Yhdysvaltain ilmavoimien järjestämässä hakkeritapahtumassa hyökättiin todelliseen Maata kiertävään satelliittiin.
https://www.is.fi/digitoday/tietoturva/art-2000009789712.html
LAS Vegasin valkohattuhakkerien vuotuisessa kohtaamisessa DEF CONissa nähtiin huimia temppuja. Italialaisen tiimin onnistui saada Maata kiertävä satelliitti tottelemaan käskyjään.
Cyberscoop-uutispalvelun mukaan kyseinen pieni satelliitti Moonlighter laukaistiin avaruuteen kesäkuussa varustettuna erilaisilla tehtävillä, jotka hakkerien piti selvittää. Pääpalkintona jaettiin 50 000 dollaria eli noin 46 000 euroa.
How a hacking crew overtook a satellite from inside a Las Vegas convention center and won $50,000
The first capture the flag with an real-time in-orbit satellite took place over the weekend at the DEF CON conference.
https://cyberscoop.com/mhackeroni-hackasat-space-def-con/
Tomi Engdahl says:
https://cyberscoop.com/def-con-hackers-las-vegas-ai/
Tomi Engdahl says:
https://thehackernews.com/2023/08/nofilter-attack-sneaky-privilege.html
Tomi Engdahl says:
https://arstechnica.com/security/2023/08/windows-feature-that-resets-system-clocks-based-on-random-data-is-wreaking-havoc/
Tomi Engdahl says:
https://www.theregister.com/2023/08/14/def_con_bomb_scare/
Tomi Engdahl says:
https://www.extremetech.com/cars/unfixable-amd-chip-vulnerability-unlocks-paid-tesla-features-for-free
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/linkedin-accounts-hacked-in-widespread-hijacking-campaign/
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/discordio-confirms-breach-after-hacker-steals-data-of-760k-users/
Tomi Engdahl says:
https://thehackernews.com/2023/07/new-p2pinfect-worm-targets-redis.html?fbclid=IwAR0J8kwJ5QsCZ_4XFC6-wHo2SDwB5GfRO5WYhNGQzRSIjAVqMo1z-l_xq3E&m=1
Tomi Engdahl says:
People rush to ATMs after windfall from Bank of Ireland app glitch
https://www.reuters.com/markets/europe/bank-ireland-fixes-it-problem-that-sparked-flurry-withdrawals-2023-08-16/
DUBLIN, Aug 16 (Reuters) – Bank of Ireland (BIRG.I) has fixed technical problems that allowed some customers to withdraw or transfer funds above what was in their accounts, it said on Wednesday morning, after social media posts about the glitch prompted queues at ATMs.
Among other issues, a glitch with the bank’s online app had allowed customers with low balances or no money in their account to transfer up to 1,000 euros ($1,090) into a linked account with a digital banking app, such as Revolut, that could be withdrawn via an ATM, local media reported on Tuesday.
Tomi Engdahl says:
How fame-seeking teenagers hacked some of the world’s biggest targets
With no skill in software exploitation or encryption busting, Lapsus$ wins anyway.
https://arstechnica.com/security/2023/08/homeland-security-details-how-teen-hackers-breached-some-of-the-biggest-targets/
A ragtag bunch of amateur hackers, many of them teenagers with little technical training, have been so adept at breaching large targets, including Microsoft, Okta, Nvidia, and Globant, that the federal government is studying their methods to get a better grounding in cybersecurity.
The group, known as Lapsus$, is a loosely organized group that employs hacking techniques that, while decidedly unsophisticated, have proved highly effective. What the group lacks in software exploitation, it makes up for with persistence and creativity. One example is their technique for bypassing MFA (multi-factor authentication) at well-defended organizations.
Tomi Engdahl says:
https://thehackernews.com/2023/08/thousands-of-android-malware-apps-using.html
Tomi Engdahl says:
https://arstechnica.com/gadgets/2023/08/microsoft-adobe-and-others-have-dropped-support-for-old-postscript-fonts/
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/maginotdns-attacks-exploit-weak-checks-for-dns-cache-poisoning/
Tomi Engdahl says:
New Python URL Parsing Flaw Could Enable Command Execution Attacks
https://thehackernews.com/2023/08/new-python-url-parsing-flaw-enables.html
Tomi Engdahl says:
https://mobiili.fi/2023/08/09/merkittava-muutos-google-chrome-alkaa-paivittya-viikon-valein-tassa-syy/
Tomi Engdahl says:
https://thehackernews.com/2023/08/qwixxrat-new-remote-access-trojan.html
Tomi Engdahl says:
https://www.theverge.com/23837513/western-digital-sandisk-ssd-corrupted-deleted-questions
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/microsoft/hotmail-email-delivery-fails-after-microsoft-misconfigures-dns/?fbclid=IwAR2xk0XI7Rwjdks_5D-tcBA4X3soSlJuMhMYbzybrmgUjrQHxMTCiqRpbZU
Tomi Engdahl says:
HS: Venäjä pystyy lähetystöstään käsin seuraamaan matkapuhelinten käyttöä ja sijainteja Helsingin ydinkeskustassa https://www.is.fi/kotimaa/art-2000009795975.html
Tomi Engdahl says:
https://thehackernews.com/2023/08/new-juniper-junos-os-flaws-expose.html
Tomi Engdahl says:
https://www.neowin.net/news/microsoft-fails-to-fix-major-powershell-gallery-security-flaws-even-after-claiming-it-did/
Tomi Engdahl says:
WinRAR flaw lets hackers run programs when you open RAR archives
https://www.bleepingcomputer.com/news/security/winrar-flaw-lets-hackers-run-programs-when-you-open-rar-archives/
A high-severity vulnerability has been fixed in WinRAR, the popular file archiver utility for Windows used by millions, that can execute commands on a computer simply by opening an archive.
The flaw is tracked as CVE-2023-40477 and could give remote attackers arbitrary code execution on the target system after a specially crafted RAR file is opened.
The vulnerability was discovered by researcher “goodbyeselene” of Zero Day Initiative, who reported the flaw to the vendor, RARLAB, on June 8th, 2023.
“The specific flaw exists within the processing of recovery volumes,” reads the security advisory released on ZDI’s site.
“The issue results from the lack of proper validation of user-supplied data, which can result in a memory access past the end of an allocated buffer.”
As a target needs to trick a victim into opening an archive, the vulnerability’s severity rating drops down to 7.8, as per the CVSS.
Mitigating the risk
RARLAB released WinRAR version 6.23 on August 2nd, 2023, effectively addressing CVE-2023-40477. Therefore, WinRAR users are strongly advised to apply the available security update immediately.
It should also be noted that Microsoft is now testing native support on Windows 11 for RAR, 7-Zip, and GZ files, so third-party software like WinRAR will no longer be required in this version unless its advanced features are needed.
Tomi Engdahl says:
Hotmail email delivery fails after Microsoft misconfigures DNS https://www.bleepingcomputer.com/news/microsoft/hotmail-email-delivery-fails-after-microsoft-misconfigures-dns/
Hotmail users worldwide have problems sending emails, with messages flagged as spam or not delivered after Microsoft misconfigured the domain’s DNS SPF record.
Tomi Engdahl says:
Germany’s national bar association investigating ransomware attack https://therecord.media/german-national-bar-association-investigating-cyberattack
A bar association representing German lawyers nationwide is investigating a cyberattack on its office in Brussels. On Monday, the NoEscape ransomware group claimed it attacked the organization after BRAK announced last week that it was investigating a cyberattack.
Tomi Engdahl says:
Google announces new algorithm that makes FIDO encryption safe from quantum computers https://arstechnica.com/security/2023/08/passkeys-are-great-but-not-safe-from-quantum-computers-dilithium-could-change-that/
New approach combines ECDSA with post-quantum algorithm called Dilithium.
Bleeping Computer:
https://www.bleepingcomputer.com/news/security/google-released-first-quantum-resilient-fido2-key-implementation/
Tomi Engdahl says:
Singapore cautions against security risks ahead of presidential election https://www.zdnet.com/article/singapore-cautions-against-security-risks-ahead-of-presidential-election/
With its citizens set to head to the polls in September, Singapore is readying the public and its election candidates for potential online threats.
Tomi Engdahl says:
Thousands of Android Malware Apps Using Stealthy APK Compression to Evade Detection https://thehackernews.com/2023/08/thousands-of-android-malware-apps-using.html
The APK files use “a technique that limits the possibility of decompiling the application for a large number of tools, reducing the possibilities of being analyzed,” security researcher Fernando Ortega said. “In order to do that, the APK (which is in essence a ZIP file), is using an unsupported decompression method.” In addition, Zimperium discovered that malware authors are also deliberately corrupting the APK files by having filenames with more than 256 bytes and malformed AndroidManifest.xml files to trigger crashes on analysis tools.
Tomi Engdahl says:
Companies Respond to ‘Downfall’ Intel CPU Vulnerability https://www.securityweek.com/companies-respond-to-downfall-intel-cpu-vulnerability/
Several major companies have published advisories in response to the Downfall vulnerability affecting Intel CPUs.
Related for AMD: *Zenbleed: new hardware vulnerability in AMD CPUs* https://www.kaspersky.com/blog/zenbleed-vulnerability/48836/
Tomi Engdahl says:
Interpol arrests 14 who allegedly scammed $40m from victims in ‘cyber surge’
https://www.theregister.com/2023/08/20/interpol_africa_arrests/
Africa Cyber Surge II, a combined police operation which began in April and lasted four months, was a coordinated effort between Interpol, African law enforcement, and private-sector security firms to disrupt online extortion, phishing, business email compromise (BEC) and other cyber scams. But given that BEC scams cost billions of dollars a year it’s small change.
Tomi Engdahl says:
Phishing Attack Targets Hundreds of Zimbra Customers in 4 Continents https://www.darkreading.com/attacks-breaches/phishing-attack-targets-hundreds-zimbra-customers-four-continents
Despite its simplicity, a phishing campaign targeting customers of the Zimbra Collaboration software suite has spread to hundreds of organizations in over a dozen countries. The country most affected by this campaign is Poland, followed by Ecuador and Italy, with attacks also reaching as far and wide as Mexico, Kazakhstan, and the Netherlands. Targets share nothing in common aside from their use of Zimbra.
Tomi Engdahl says:
Has Trump’s Patriot Legal Defense Fund Website Been Hacked?
https://www.forbes.com/sites/daveywinder/2023/08/20/has-trumps-patriot-defense-legal-fund-website-been-hacked/
The Patriot Legal Defense Fund website, seemingly established to support aides and employees of former President Donald Trump with their rapidly increasing legal expenses, has been hacked. The home page has been defaced to strike through Trump’s name and add an “America Is Already Great!” strapline. But the hacker has altered far more than just the banner.
Tomi Engdahl says:
Cuba ransomware uses Veeam exploit against critical U.S. organizations https://www.bleepingcomputer.com/news/security/cuba-ransomware-uses-veeam-exploit-against-critical-us-organizations/
The Cuba ransomware gang was observed in attacks targeting critical infrastructure organizations in the United States and IT firms in Latin America, using a combination of old and new tools. BlackBerry’s Threat Research and Intelligence team, which spotted the latest campaign in early June 2023, reports that Cuba now leverages CVE-2023-27532 to steal credentials from configuration files.