This posting is here to collect cyber security news in August 2023.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
333 Comments
Tomi Engdahl says:
X glitch wipes out most pictures and links tweeted before December 2014 https://www.theverge.com/2023/8/20/23838823/twitter-x-deleted-pictures-links-2014-metadata-t-co-shortener
X, which was formerly known as Twitter until its recent rebranding, is having a problem displaying old posts that came with images attached or any hyperlinks converted through Twitter’s built-in URL shortener. Ellen [DeGeneres]’s famous ‘most retweeted’ selfie from the 2014 Oscars has had its image restored, but most old tweets have broken short links instead of the media or links that should be there.
Tomi Engdahl says:
Suspected N. Korean Hackers Target S. Korea-US Drills
https://www.securityweek.com/suspected-n-korean-hackers-target-s-korea-us-drills/
North Korea-linked “Kimsuky” hackers carried out “continuous malicious email attacks” on contractors working at the war simulation centre.
Tomi Engdahl says:
Rapid7 Says ROI for Ransomware Remains High; Zero-Day Usage Expands
https://www.securityweek.com/rapid7-says-roi-for-ransomware-remains-high-zero-day-usage-expands/
A new report from Rapid7 says a ransomware gang like Cl0p would easily be able to afford a bevy of zero-day exploits for vulnerable enterprise software.
The Rapid7 mid-year review of the threat landscape is not reassuring. Ransomware remains high, basic security defenses are not being used, security maturity is low, and the return on investment for criminality is potentially enormous.
The review is compiled from the observations of Rapid7’s researchers and its managed services teams. It finds there were more than 1500 ransomware victims worldwide in H1 2023. These included 526 LockBit victims, 212 Alphv/BlackCat victims, 178 Cl0p victims, and 133 BianLian victims. The figures are compiled from leak site communications, public disclosures, and Rapid7 incident response data.
These figures should be seen as conservative. They won’t include organizations that quietly and successfully pay the ransom as if nothing happened. Furthermore, downstream victims are still being calculated – for example, notes the report, “The number of incidents attributed to Cl0p in this chart is likely to be (significantly) low, since the group is still actively claiming new victims from their May 2023 zero-day attack on MOVEit Transfer.”
Tomi Engdahl says:
Jenkins Patches High-Severity Vulnerabilities in Multiple Plugins
https://www.securityweek.com/jenkins-patches-high-severity-vulnerabilities-in-multiple-plugins/
Jenkins has announced patches for high and medium-severity vulnerabilities impacting several of the open source automation tool’s plugins.
Open source software development automation server Jenkins this week announced patches for high- and medium-severity vulnerabilities impacting multiple plugins.
The patches address three high-severity cross-site request forgery (CSRF) and cross-site scripting (XSS) issues in the Folders, Flaky Test Handler, and Shortcut Job plugins.
Tracked as CVE-2023-40336, the first bug exists because no POST requests were required for an HTTP endpoint in version 6.846.v23698686f0f6 and earlier of the Folders plugin, leading to CSRF.
“This vulnerability allows attackers to copy an item, which could potentially automatically approve unsandboxed scripts and allow the execution of unsafe scripts,” Jenkins explains in an advisory.
The second high-severity bug, CVE-2023-40342, impacts Flaky Test Handler plugin versions 1.2.2 and earlier, which do not escape JUnit test contents when they are displayed in the Jenkins UI, allowing attackers to perform XSS attacks.
Jenkins Security Advisory 2023-08-16
https://www.jenkins.io/security/advisory/2023-08-16/
Tomi Engdahl says:
Stealthy ‘LabRat’ Campaign Abuses TryCloudflare to Hide Infrastructure
https://www.securityweek.com/stealthy-labrat-campaign-abuses-trycloudflare-to-hide-infrastructure/
The ‘LabRat’ cryptomining and proxyjacking operation relies on signature-based tools and stealthy cross-platform malware, and abuses TryCloudflare to hide its C&Cs.
A newly discovered financially motivated operation is relying on signature-based tools and stealthy cross-platform malware to remain undetected, and abuses TryCloudflare to hide its command-and-control (C&C) infrastructure, cloud security company Sysdig reports.
Dubbed LabRat and focused on cryptomining and proxyjacking, the campaign was seen relying on binaries written in Go and .NET, kernel-based rootkits, and C&C tools to bypass firewalls.
The attackers exploited CVE-2021-22205, a critical-severity vulnerability impacting GitLab Community Edition (CE) and Enterprise Edition (EE) versions 11.9 to 13.10.3, 13.9.6, and 13.8.8. Patched in April 2021, the vulnerability has a CVSS score of 10.
Tomi Engdahl says:
The Russian embassy was claimed to be able to eavesdrop on mobile phones in Helsinki – expert takes a different view https://www.is.fi/kotimaa/art-2000009796766.html
Tomi Engdahl says:
https://www.mikrobitti.fi/uutiset/intel-suorittimissa-haijy-haavoittuvuus-koskettaa-kaikkia-internetissa/b9b7ce43-37f6-42d8-86aa-d835d82da9be
Tomi Engdahl says:
https://thehackernews.com/2023/08/how-to-investigate-oauth-grant-for.html
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/google/google-chrome-to-warn-when-installed-extensions-are-malware/
Tomi Engdahl says:
https://thehackernews.com/2023/08/this-malware-turned-thousands-of-hacked.html
Tomi Engdahl says:
https://www.techradar.com/phones/android/your-android-phone-can-now-detect-unwanted-airtags-heres-how-to-set-it-up
Tomi Engdahl says:
https://www.theverge.com/2023/8/16/23064592/bambu-print-asleep-cloud-outage
Tomi Engdahl says:
Ivanti warns of new actively exploited MobileIron zero-day bug https://www.bleepingcomputer.com/news/security/ivanti-warns-of-new-actively-exploited-mobileiron-zero-day-bug/
US-based IT software company Ivanti warned customers today that a critical Sentry API authentication bypass vulnerability is being exploited in the wild.
Discovered and reported by security researchers at cybersecurity company mnemonic, the critical vulnerability (CVE-2023-38035) enables unauthenticated attackers to gain access to sensitive admin portal configuration APIs exposed over port 8443, used by MobileIron Configuration Service (MICS).
Tomi Engdahl says:
British intelligence is tipping off ransomware targets to disrupt attacks https://therecord.media/gchq-ncsc-tipping-off-ransomware-targets-early-warning
On average, every 72 hours for the past three months, cyber experts inside one of the United Kingdom’s security and intelligence services have detected the beginnings of a new ransomware attack against a British organization and then tipped off the target in a bid to prevent the attack from being executed.
Tomi Engdahl says:
Japanese watchmaker Seiko breached by BlackCat ransomware gang https://www.bleepingcomputer.com/news/security/japanese-watchmaker-seiko-breached-by-blackcat-ransomware-gang/
The BlackCat/ALPHV ransomware gang has added Seiko to its extortion site, claiming responsibility for a cyberattack disclosed by the Japanese firm earlier this month.
Tomi Engdahl says:
Tesla points to ‘insider wrongdoing’ as cause of massive employee data leak https://www.theverge.com/2023/8/21/23839940/tesla-data-leak-inside-job-handelsblatt
Tesla’s massive data leak in May includes personally identifiable information on over 75,000 workers, and the automaker has pinned the breach on two former employees.
Tomi Engdahl says:
Researchers Uncover Real Identity of CypherRAT and CraxsRAT Malware Developer https://www.securityweek.com/researchers-uncover-real-identity-of-cypherrat-and-craxsrat-malware-developer/
Using the online handle of ‘EVLF DEV’ and operating out of Syria for the past eight years, the individual is believed to have made over $75,000 from selling the two RATs to various threat actors. The same person is also a malware-as-a-service (MaaS) operator, according to Cyfirma.
Tomi Engdahl says:
https://etn.fi/index.php/new-products/15227-taemae-usb-muistitikku-kestaeae-brute-force-hyoekkaeykset
Kingston Digital Europe has launched a new USB flash drive intended to meet the strict security requirements of public authorities. The IronKey Keypad 200C brings FIPS 140-3 Level 3 certified protection to data transfer, regardless of operating system.
The drive has an alphanumeric keypad with which its data is unlocked using a PIN code. The drive includes 256-bit XTS-AES hardware-based encryption, brute force password attack protection, and BadUSB protection with digitally signed firmware.
Tomi Engdahl says:
https://valta.media/2023/08/15/suomalaisyhtiolta-rankkaa-kritiikkia-teamsilla-voi-hyokata-yrityksiin-microsoft-ei-tee-mitaan/
Tomi Engdahl says:
New ‘Deep Learning Attack’ Deciphers Laptop Keystrokes with 95% Accuracy
https://thehackernews.com/2023/08/new-deep-learning-attack-deciphers.html
Tomi Engdahl says:
Continued MOVEit Exploitation Drives Record Ransomware Attacks https://www.infosecurity-magazine.com/news/movit-exploit-record-ransomware/
Ransomware attacks hit record levels in July 2023, driven by the Clop gang’s continued exploitation of the MOVEit vulnerability, according to NCC Group’s Threat Intelligence team.
The researchers observed the largest volume of ransomware attacks in a single month in July, at 502. This represents a 154% year-on-year rise compared to July 2022, and a 16% increase on the previous month, June 2023.
Tomi Engdahl says:
Akira ransomware targets Cisco VPNs to breach organizations https://www.bleepingcomputer.com/news/security/akira-ransomware-targets-cisco-vpns-to-breach-organizations/
Reportedly, Akira has been using compromised Cisco VPN accounts to breach corporate networks without needing to drop additional backdoors or set up persistence mechanisms that could give them away. Sophos first noted Akira’s abuse of VPN accounts in May, when researchers stated that the ransomware gang breached a network using “VPN access using Single Factor authentication.”
Tomi Engdahl says:
Microsoft Excel to let you run Python scripts as formulas https://www.bleepingcomputer.com/news/microsoft/microsoft-excel-to-let-you-run-python-scripts-as-formulas/
[...] instead of running the Python scripts locally, Excel will execute the code in the cloud using a hypervisor-isolated container on Azure Container Instances. Microsoft says this container environment will include Python and a curated set of Anaconda libraries to prevent security issues. As the Python scripts will run in an isolated container, they will not have access to any local resources, including the local network, computer, files, and a Microsoft 365 authentication token.
Tomi Engdahl says:
Cyberattack on Belgian social service centers forces them to close https://therecord.media/charleroi-belgium-cpas-cyberattack
The Public Center for Social Action (CPAS) in Charleroi, Belgium, announced its social branches would be closed on Tuesday “except for absolute emergencies” as a result of a cyberattack.
Tomi Engdahl says:
QR codes used to phish for Microsoft credentials https://www.malwarebytes.com/blog/news/2023/08/qr-codes-deployed-in-targeted-phishing-campaigns
Researchers have published details about a phishing campaign that uses QR codes to phish for Microsoft credentials. For cybercriminals, the use of QR codes usually has the disadvantage that they need to be scanned by a mobile device, which is more complex than simply giving targets a link to click on.
But in a corporate environment this can also be an advantage as the mobile device might be outside of the protection of the enterprise environment.
Tomi Engdahl says:
MacOS version of info-stealing XLoader gets an upgrade https://therecord.media/apple-macos-malware-xloader-infostealer
Researchers have discovered a new variant of the XLoader malware that is better at dodging Apple’s security measures as it tries to steal sensitive information from macOS devices.
Tomi Engdahl says:
Scharon Harding / Ars Technica:
3D printer maker Bambu Lab blames a cloud outage for an issue that caused some of its customers’ devices to start printing without their consent — Bambu Lab says it will help with repairs, replacement parts. — Imagine waking in the middle of the night to the sound of your 3D printer, printing away.
3D printers printing without consent is a cautionary tale on cloud reliance
Bambu Lab says it will help with repairs, replacement parts.
https://arstechnica.com/gadgets/2023/08/3d-printers-print-break-on-their-own-due-to-cloud-outage/
Imagine waking in the middle of the night to the sound of your 3D printer, printing away. You know you didn’t request a print. In fact, you’re sure of it, because your previous project is still on the printer. It sounds like an eerie technological haunting or as if the machines have finally become self-aware. Thankfully, the problem stems from something less creepy but perhaps just as scary: a cloud outage.
As reported by The Verge, on August 15, numerous owners of Bambu Lab 3D printers reported that their device started printing without their consent. It didn’t matter if said printing resulted in bent or broken nozzles or other components or if it involved printing a project on top of another. It didn’t matter if it was an ungodly time, like 4 in the morning; the printers, which cost anywhere from $599 to $1,449, were printing.
“Started a print @ 11 PM. Time-lapse shows it finish successfully at just before 2 AM. At ~2:30 AM while I slept, the machine started itself again with the last print still on the bed. I see a timestamped time-lapse video that starts at about 2:30 AM,” a Reddit user going by u/beehphy complained on the r/BambuLab subreddit.
The user continued by saying, “filament spilled out the side and coiled up all inside the chamber, and it only stopped feeding once the temperature sensor was ripped out.”
The company announced a “cloud printing failure” on its system status page and wrote an August 16 blog post saying it would look into the problem.
Also contributing to the problem was a “large number of API access requests” performed simultaneously, preventing a timely response. This is because the printers’ Bambu Studio software uses a logic that “reinitiate[s] a print request immediately after accessing the cloud.”
Cloud conundrum
The confusion, concern, and chaos created by a 3D printer activating in the middle of the night is a reminder of the risk inherent to consumer tech products that rely on the cloud. The concerns are especially notable when considering that these 3D printers are remotely controllable devices with heating elements. Further, 3D printer owners often leave their printers either to print without overseeing the project or powered on while unattended.
“I’m glad I was home and was able to turn it off, looks like it was burning into yesterdays print job and damaging the hot end at the same time,” a user going by u/SyntheticStart on Reddit said of their experience. “This is my first issue with the machine, but I’m scared to do longer prints now when I’m not available to monitor it.”
Last week’s fiasco also brings to mind security concerns. Of course, cloud security concerns aren’t new. But it’s always worth considering if a product that doesn’t need the cloud for its most important functions should rely on it. This incident has shown that it’s possible for 3D printers to be controlled outside of owners’ desires. Did we mention that these printers have integrated cameras?
In the past, Bambu admitted that it had to educate itself on network security since “the security design of the whole Bambu Lab system was not the best from the very beginning.” This was because “the initial team has a background in robotics, but very little experience in network security,” the company said in 2022.
Bambu’s response
Bambu was quick to apologize to owners, and some users online reported that the company told them it would send replacement parts promptly.
On the technical side, Bambu said it updated its Cloud Service’s SDK service logic and “increased the database connection sizes for better throughput.” It plans to update the Cloud Printing logic so that “every time print is initiated, the printer will check the timestamp and automatically discard any outdated print which does not follow our strict configuration.”
Its printers will also get firmware updates to help prevent a new project from printing when the printer’s plate isn’t cleared, including pop-up notifications that users must dismiss, Bambu said.
Printers will also be updated to “continuously monitor the hotend and heatbed temperature. If a fault is detected, an error message will be prompted on the printer screen, Bambu Studio, and Bambu Handy,” and “the heaters will be turned off to further minimize any potential risk,” Bambu added.
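The fix Bambu describes (check the request timestamp, discard outdated prints, refuse to start on an uncleared plate) can be modelled as a small printer-side filter. This is an added example, not Bambu's code; the job ids, timestamps, freshness window and the replay scenario are all constructed here to reproduce the kind of backlog a cloud outage can flush to a printer.

```python
"""Printer-side filter for cloud print requests (added example, not Bambu's code).

Scenario modelled: the user pressed print once before an outage, the client
re-sent the same request several times, and hours later the cloud delivers
the whole backlog while the previous print is still on the bed.
"""
from dataclasses import dataclass

MAX_REQUEST_AGE_S = 120  # assumed freshness window; not a Bambu value


@dataclass(frozen=True)
class PrintRequest:
    job_id: str        # assumed: unique id the client assigns per print
    issued_at: float   # assumed: unix time when the user pressed print
    file_name: str


@dataclass
class PrinterState:
    now: float
    plate_cleared: bool
    seen_job_ids: set
    busy: bool = False


def evaluate_request(req: PrintRequest, state: PrinterState) -> str:
    """Return 'accept', or the reason the request is discarded or held."""
    age = state.now - req.issued_at
    if age < 0:
        return "discard: issued in the future"
    if age > MAX_REQUEST_AGE_S:
        return "discard: outdated"          # the timestamp check Bambu announced
    if req.job_id in state.seen_job_ids:
        return "discard: duplicate"         # same job re-sent by the client
    if state.busy:
        return "discard: printer busy"
    if not state.plate_cleared:
        return "hold: plate not cleared"    # user must confirm on the printer
    return "accept"


def drain_backlog(requests, state: PrinterState):
    """Apply the filter to a batch delivered by the cloud, in arrival order."""
    verdicts = []
    for req in requests:
        verdict = evaluate_request(req, state)
        verdicts.append((req.job_id, verdict))
        if verdict == "accept":
            state.seen_job_ids.add(req.job_id)
            state.busy = True
    return verdicts


def simulate_outage_replay():
    """Constructed replay: print pressed at 23:00, backlog flushed around 02:30."""
    t_press = 1_692_140_400.0              # constructed timestamp
    t_deliver = t_press + 3.5 * 3600       # cloud comes back hours later
    backlog = [PrintRequest("job-1", t_press, "bracket.3mf")] * 3  # re-sent copies
    fresh = PrintRequest("job-2", t_deliver - 10, "knob.3mf")      # genuinely new
    state = PrinterState(now=t_deliver, plate_cleared=False, seen_job_ids=set())
    verdicts = drain_backlog(backlog + [fresh], state)
    state.plate_cleared = True             # user clears the bed and dismisses the prompt
    verdicts += drain_backlog([fresh, fresh], state)
    return verdicts


if __name__ == "__main__":
    for job_id, verdict in simulate_outage_replay():
        print(job_id, verdict)
```

Without the age and duplicate checks every copy of job-1 in the backlog would start a print on top of the finished part; with them the stale copies are dropped and the new job waits for the plate-cleared confirmation.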
Tomi Engdahl says:
Ioannis Kouvakas / Just Security:
A look at the UK government’s planned revisions to its Investigatory Powers Act, including potential unintended consequences like slowing down security updates — The United Kingdom (U.K.) government has recently unveiled plans to revise the Investigatory Powers Act 2016 (IPA) …
Changes to UK Surveillance Regime May Violate International Law
https://www.justsecurity.org/87615/changes-to-uk-surveillance-regime-may-violate-international-law/
Tomi Engdahl says:
Australian Energy Software Firm Energy One Hit by Cyberattack
https://www.securityweek.com/australian-energy-software-firm-energy-one-hit-by-cyberattack/
Energy One, an Australian company that provides software products and services to the energy sector, has been hit by a cyberattack.
In a statement issued on Monday, the company said the incident was detected on August 18 and it impacted some corporate systems in Australia and the UK.
“As part of its work to ensure customer security, Energy One has disabled some links between its corporate and customer-facing systems,” Energy One said.
Energy One is investigating the incident in an attempt to determine whether personal information and customer-facing systems have been impacted. The company is also working on determining the attacker’s initial point of entry.
While the firm has not shared any additional details about the attack, its statement suggests that it may have been targeted in a ransomware attack.
Tomi Engdahl says:
Ransomware Group Starts Leaking Data From Japanese Watchmaking Giant Seiko
https://www.securityweek.com/ransomware-group-starts-leaking-data-from-japanese-watchmaking-giant-seiko/
The BlackCat/ALPHV ransomware group has started publishing data allegedly stolen from Japanese watchmaking giant Seiko.
Tomi Engdahl says:
US Military Targeted in Recent HiatusRAT Attack
https://www.securityweek.com/us-military-targeted-in-recent-hiatusrat-attack/
The threat actor behind HiatusRAT was seen performing reconnaissance against a US military procurement system in June 2023.
Tomi Engdahl says:
https://www.securityweek.com/suspected-n-korean-hackers-target-s-korea-us-drills/
Tomi Engdahl says:
https://www.securityweek.com/researchers-uncover-real-identity-of-cypherrat-and-craxsrat-malware-developer/
Tomi Engdahl says:
Tesla Discloses Data Breach Related to Whistleblower Leak
https://www.securityweek.com/tesla-discloses-data-breach-related-to-whistleblower-leak/
Tesla has disclosed a data breach impacting 75,000 people, but it’s a result of a whistleblower leak, not a malicious cyberattack.
Tomi Engdahl says:
TP-Link Smart Bulb Vulnerabilities Expose Households to Hacker Attacks
https://www.securityweek.com/tp-link-smart-bulb-vulnerabilities-expose-households-to-hacker-attacks/
Vulnerabilities in the TP-Link Tapo L530E smart bulb and accompanying mobile application can be exploited to obtain the local Wi-Fi password.
Four vulnerabilities identified by academic researchers from Italy and the UK in the TP-Link Tapo L530E smart bulb and its accompanying mobile application can be exploited to obtain the local Wi-Fi network’s password.
Currently a best-seller on Amazon Italy, the TP-Link Tapo smart Wi-Fi light bulb (L530E) is cloud-enabled and can be controlled using a Tapo application (available on both Android and iOS) and a Tapo account.
The most severe of the identified issues is described as a “lack of authentication of the smart bulb with the Tapo app”, which allows an attacker to impersonate a smart bulb and authenticate to the application. The issue has a CVSS score of 8.8.
With a CVSS score of 7.6, the second bug impacts both the smart bulb and the Tapo app, which use a hardcoded, short shared secret exposed by code fragments.
Tomi Engdahl says:
By Sayan Sen – Microsoft and Intel have cautioned about a recent security vulnerability affecting 7th Gen, 8th Gen, 9th Gen, 10th Gen, and 11th Gen chips. This security vulnerability is called Downfall or GDS. #Intel #Microsoft #Downfall
https://www.neowin.net/news/gds-microsoft-intel-confirm-downfall-of-7th-8th-9th-10th-11th-gen-cpus-firmware-out/?fbclid=IwAR1pwmpyZ_-qtIDc7Z-aTa_wYtQhrk5-w92ITL3xpk2V9ia2jD5H7ZuryLQ
Tomi Engdahl says:
IT company hit by a data breach, customers lost all their data – ”I don’t believe the company will survive”
https://www.tivi.fi/uutiset/it-talo-joutui-tietomurron-kohteeksi-asiakkaat-menettivat-kaiken-datansa-en-usko-yrityksen-selviytyvan/c985ea86-c921-48a2-ad50-3da676bac6d3
Aleksi Kolehmainen 23.8.2023 12:18 | updated 23.8.2023 13:35
Customers of Denmark’s CloudNordic have to rebuild their systems from a completely clean slate, without any customer data.
Danish cloud service provider CloudNordic has been hit by a serious ransomware attack. As a result, the company’s operations
Criminals go full Viking on CloudNordic, wipe all servers and customer data
IT outfit says it can’t — and won’t — pay the ransom demand
https://www.theregister.com/2023/08/23/ransomware_wipes_cloudnordic/
CloudNordic has told customers to consider all of their data lost following a ransomware infection that encrypted the large Danish cloud provider’s servers and “paralyzed CloudNordic completely,” according to the IT outfit’s online confession.
The intrusion happened in the early-morning hours of August 18 during which miscreants shut down all of CloudNordic’s systems, wiping both company and customers’ websites and email systems. Since then, the IT team and third-party responders have been working to restore punters’ data — but as of Tuesday, it’s not looking great.
“We cannot and do not want to meet the financial demands of the criminal hackers for ransom,” CloudNordic said in an online notice, translated from Danish.
“Unfortunately, it has proved impossible to recreate more data, and the majority of our customers have thus lost all data with us,” the alert continued. “This applies to everyone we have not contacted at this time.”
The self-proclaimed “Nordic cloud experts” said they reported the intrusion to the police.
CloudNordic does offer a slight silver lining: the biz doesn’t believe that the criminals exfiltrated any information before encrypting the systems.
“We have seen no evidence of a data breach,” the cloud provider said.
CloudNordic says its “best estimate” is that the infection happened as servers were being moved from one datacenter to another.
The provider notes that it will take a “massive amount of time” to restore all of these services, even without data, and as such it encourages “critically affected” customers to find new providers “to minimize your downtime.”
Tomi Engdahl says:
IT company hit by a data breach, customers lost all their data
https://www.tivi.fi/uutiset/tv/c985ea86-c921-48a2-ad50-3da676bac6d3
Customers of Denmark’s CloudNordic have to rebuild their systems from a completely clean slate, without any customer data.
As a result of [the ransomware attack], the company’s operations are, in its own words, ”completely paralyzed”. Through the attack the criminals have managed to encrypt all systems of both CloudNordic and its customers.
Tomi Engdahl says:
In other sources:
https://www.theregister.com/2023/08/23/ransomware_wipes_cloudnordic/
https://www.bleepingcomputer.com/news/security/hosting-firm-says-it-lost-all-customer-data-after-ransomware-attack/
Tomi Engdahl says:
WinRAR zero-day exploited since April to hack trading accounts https://www.bleepingcomputer.com/news/security/winrar-zero-day-exploited-since-april-to-hack-trading-accounts/
A WinRAR zero-day vulnerability tracked as CVE-2023-38831 was actively exploited to install malware when clicking on harmless files in an archive, allowing the hackers to breach online cryptocurrency trading accounts. The vulnerability has been under active exploitation since April 2023, helping distribute various malware families, including DarkMe, GuLoader, and Remcos RAT.
Tomi Engdahl says:
Over a Dozen Malicious npm Packages Target Roblox Game Developers https://thehackernews.com/2023/08/over-dozen-malicious-npm-packages.html
More than a dozen malicious packages have been discovered on the npm package repository since the start of August 2023 with capabilities to deploy an open-source information stealer called Luna Token Grabber on systems belonging to Roblox developers.
Tomi Engdahl says:
North Korea’s Lazarus hackers behind recent crypto heists: FBI https://therecord.media/north-korea-lazarus-behind-crypto-heists
The FBI has attributed three recent cyberattacks on cryptocurrency platforms to the North Korean government’s APT38 hacking group — known by many researchers as Lazarus or TraderTraitor.
June saw three headline-grabbing incidents involving cryptocurrency companies:
a $100 million hack of Atomic Wallet on June 2, as well as two June 22 attacks in which cybercriminals stole $60 million from Alphapo and $37 million from CoinsPaid.
Tomi Engdahl says:
Industrial networks need better security as attacks gain scale https://www.zdnet.com/article/industrial-networks-need-better-security-as-attacks-gain-scale/
Critical infrastructures and operational technology systems will face increasing threats as they move toward common standards.
Tomi Engdahl says:
https://www.securityweek.com/cybersecurity-companies-report-surge-in-ransomware-attacks/
Tomi Engdahl says:
FBI Finds 1,580 Bitcoin in Crypto Wallets Linked to North Korean Hackers
The FBI has published information on six crypto wallets in which North Korean hackers moved roughly 1,580 Bitcoin from various heists.
https://www.securityweek.com/fbi-finds-1580-bitcoin-in-crypto-wallets-linked-to-north-korean-hackers/
Tomi Engdahl says:
The End of “Groundhog Day” for the Security in the Boardroom Discussion?
As the SEC cyber incident disclosure rules come into effect, organizations will be forced to seriously consider giving security leaders a seat at the table.
https://www.securityweek.com/the-end-of-groundhog-day-for-the-security-in-the-boardroom-discussion/
The positives of SEC involvement
Feedback from industry professionals highlights the pros and cons of the new SEC rules. But since the new rules are inevitable and disclosure reports are due beginning December 2023, the time has come to focus on the positives for the industry of the SEC stepping in.
Having some standardization of terminology, for example the definition of an incident and what is material and thus disclosure-worthy, will enable executive leadership to focus on exactly what is needed in the boardroom. This should save organizations from spending cycles setting their own policies, procedures, and reporting practices. The other positive is that the initiative will likely drive investments in security technology, which is a good thing for security professionals and organizations as they will be more protected.
Tomi Engdahl says:
3,000 Openfire Servers Exposed to Attacks Targeting Recent Vulnerability
https://www.securityweek.com/3000-openfire-servers-exposed-to-attacks-targeting-recent-vulnerability/
More than 3,000 Openfire servers are not patched against a recent vulnerability and are exposed to attacks employing a new exploit.
More than 3,000 Openfire servers have not been patched against a recent vulnerability and remain exposed to attacks relying on a new exploit, vulnerability intelligence firm VulnCheck reports.
Maintained by Ignite Realtime, Openfire is a cross-platform real time collaboration server written in Java that uses the XMPP protocol, and which supports administration via a web interface.
Tracked as CVE-2023-32315, the high-severity flaw was discovered in Openfire’s administration console and is described as a path traversal bug via the setup environment that allows unauthenticated attackers to access restricted pages in the admin console.
The issue exists because the path traversal protections in Openfire did not protect against ‘certain non-standard URL encoding for UTF-16 characters’ that were not supported by the webserver – support was added without updating the protections.
All Openfire iterations from version 3.10.0, which was released in April 2015, through versions 4.7.5 and 4.6.8, released in May 2023 to patch the vulnerability, are impacted.
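The bug class described above, a traversal filter that decodes fewer encodings than the server it protects, can be shown with a weak check beside a hardened one. This is an added example, not Openfire's code; it assumes the `%uXXXX` UTF-16 code-unit form as the non-standard encoding (a stand-in for whatever Openfire's web server accepted), and `/setup/` as the only path prefix reachable without authentication.

```python
"""Weak vs. hardened path-traversal check (added example, not Openfire's code).

The weak check decodes only standard %XX escapes before looking for '..'.
The hardened check decodes every form the server accepts (assumed here:
%XX and the non-standard %uXXXX UTF-16 form), repeats until stable so
double encoding cannot hide anything, resolves dot segments, and then
decides on the resolved target rather than on the raw request string.
"""
import re
from urllib.parse import unquote

PUBLIC_PREFIX = "/setup/"  # assumed: the only area reachable unauthenticated

_PERCENT_U = re.compile(r"%u([0-9a-fA-F]{4})")


def decode_percent_u(path: str) -> str:
    """Decode %uXXXX sequences into the corresponding UTF-16 code unit."""
    return _PERCENT_U.sub(lambda m: chr(int(m.group(1), 16)), path)


def canonical_decode(path: str) -> str:
    """Decode %u and %XX forms repeatedly until no escape remains."""
    prev, cur = None, path
    while cur != prev:
        prev = cur
        cur = unquote(decode_percent_u(cur))
    return cur


def weak_is_blocked(path: str) -> bool:
    """The flawed filter: standard decoding only, so %u-encoded dots slip past."""
    return ".." in unquote(path)


def resolved_target(path: str) -> str:
    """Fully decode, then resolve '.', '..' and backslashes to a clean path."""
    segments = []
    for seg in canonical_decode(path).replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def hardened_is_allowed(path: str, authenticated: bool) -> bool:
    """Decide on the resolved target: unauthenticated requests stay under PUBLIC_PREFIX."""
    if authenticated:
        return True
    return resolved_target(path).startswith(PUBLIC_PREFIX)


if __name__ == "__main__":
    # Constructed request paths: standard, %u-encoded and double-encoded dot segments.
    for p in ("/setup/index.jsp", "/setup/%2e%2e/admin.jsp",
              "/setup/%u002e%u002e/admin.jsp", "/setup/%252e%252e/admin.jsp"):
        print(f"{p:38} weak_blocked={weak_is_blocked(p)!s:5} "
              f"target={resolved_target(p):12} allowed={hardened_is_allowed(p, False)}")
```

The point of the hardened version is that the decision is made on what the server will actually serve, so adding a new accepted encoding to the server cannot silently open a gap in the filter.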
Tomi Engdahl says:
First Weekly Chrome Security Update Patches High-Severity Vulnerabilities
https://www.securityweek.com/first-weekly-chrome-security-update-patches-high-severity-vulnerabilities/
Google has released the first weekly Chrome security update, which patches five memory safety vulnerabilities, including four rated ‘high severity’.
Tomi Engdahl says:
FBI: Patches for Recent Barracuda ESG Zero-Day Ineffective https://www.securityweek.com/fbi-patches-for-recent-barracuda-esg-zero-day-ineffective/
The FBI says that the patches Barracuda released in May for an exploited ESG zero-day vulnerability (CVE-2023-2868) were not effective. FBI warns (PDF) that the flaw is still being targeted in the wild, and that even ESG appliances running the patches released by Barracuda “remain at risk for continued computer network compromise from suspected [Chinese] cyber actors exploiting this vulnerability”.
See also:
https://www.bleepingcomputer.com/news/security/fbi-warns-of-patched-barracuda-esg-appliances-still-being-hacked/