This posting is here to collect cyber security news in September 2023.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
314 Comments
John Watson says:
Great
Tomi Engdahl says:
This has never been seen before: this is how hackers were able to spy on messages considered secure https://www.is.fi/digitoday/tietoturva/art-2000009826650.html
Tomi Engdahl says:
Chrome got a change concerning passwords: here is how to use it https://www.is.fi/digitoday/tietoturva/art-2000009823976.html
Password management can be separated from Chrome into its own application, which can be opened with a click from the desktop.
Tomi Engdahl says:
A nasty scam has taken root alongside scam calls: this is how Finns are being defrauded now https://www.is.fi/digitoday/tietoturva/art-2000009817840.html
Tomi Engdahl says:
Threat Actors Target MSSQL Servers in DB#JAMMER to Deliver FreeWorld Ransomware https://www.securonix.com/blog/securonix-threat-labs-security-advisory-threat-actors-target-mssql-servers-in-dbjammer-to-deliver-freeworld-ransomware/
Threat actors working as part of DB#JAMMER attack campaigns are compromising exposed MSSQL databases using brute force attacks and appear to be well tooled and ready to deliver ransomware and Cobalt Strike payloads.
In an interesting attack campaign, the Securonix Threat Research team has identified threat actors targeting exposed Microsoft SQL (MSSQL) services using brute force attacks. One of the things that makes DB#JAMMER stand out is how the attacker’s tooling infrastructure and payloads are used.
Some of these tools include enumeration software, RAT payloads, exploitation and credential stealing software, and finally ransomware payloads. The ransomware payload of choice appears to be a newer variant of Mimic ransomware called FreeWorld. The FreeWorld text was present in the binary file names as well as ransomware extensions.
Tomi Engdahl says:
Hacker gains admin control of Sourcegraph and gives free access to the masses https://arstechnica.com/security/2023/09/pii-leaked-after-sourcegraph-an-ai-driven-service-for-code-development-is-hacked/
An unknown hacker gained administrative control of Sourcegraph, an AI-driven service used by developers at Uber, Reddit, Dropbox, and other companies, and used it to provide free access to resources that normally would have required payment.
In the process, the hacker(s) may have accessed personal information belonging to Sourcegraph users, Diego Comas, Sourcegraph’s head of security, said in a post on Wednesday. For paid users, the information exposed included license keys and the names and email addresses of license key holders. For non-paying users, it was limited to email addresses associated with their accounts.
Private code, emails, passwords, usernames, or other personal information were inaccessible.
Tomi Engdahl says:
A director clicked on a message from Särkänniemi and soon 400 strange emails went out: scam messages are now spreading in Tampere
https://yle.fi/a/74-20048065
Scam messages are now spreading quickly from one City of Tampere unit to another.
Visit Tampere CEO Jari Ahjoharju accidentally clicked on Thursday a message that appeared to have come from the Särkänniemi amusement park.
– It was really well made. There was no way to notice that it was a scam, since the email was completely genuine. Or at least it looked like it.
From Ahjoharju’s account, 400 people were sent the same kind of phishing scam email as the one he had received from Särkänniemi.
Tomi Engdahl says:
More Okta customers trapped in Scattered Spider’s web https://www.theregister.com/2023/09/01/okta_scattered_spider/
Customers of cloudy identification vendor Okta are reporting social engineering attacks targeting their IT service desks in attempts to compromise user accounts with administrator permissions.
“Multiple US-based Okta customers” have reported these phishing attempts, “in which the caller’s strategy was to convince service desk personnel to reset all Multi-factor Authentication (MFA) factors enrolled by highly privileged users,” according to a security alert published on Thursday.
Tomi Engdahl says:
Pennsylvania school district to stay open despite ransomware attack https://therecord.media/pennsylvania-school-district-stays-open-after-ransomware-attack
A school district in Pennsylvania kept its doors open on Friday despite announcing a ransomware attack that caused disruptions to its computer systems.
On Thursday, the Chambersburg Area School District published a message on its website and social media channels announcing that it had become yet another K-12 school district attacked by a ransomware gang.
“As you are aware, we have been experiencing a network disruption affecting the operability of certain CASD computer systems. In working with various specialists, at this time we can confirm that this disruption is related to a ransomware event,” district officials said.
Tomi Engdahl says:
Exploit released for critical VMware SSH auth bypass vulnerability https://www.bleepingcomputer.com/news/security/exploit-released-for-critical-vmware-ssh-auth-bypass-vulnerability/
Proof-of-concept exploit code has been released for a critical SSH authentication bypass vulnerability in VMware’s Aria Operations for Networks analysis tool (formerly known as vRealize Network Insight).
The flaw (tracked as CVE-2023-34039) was found by security analysts at ProjectDiscovery Research and patched by VMware on Wednesday with the release of version 6.11.
Successful exploitation enables remote attackers to bypass SSH authentication on unpatched appliances and access the tool’s command line interface in low-complexity attacks that don’t require user interaction because of what the company describes as “a lack of unique cryptographic key generation.”
Tomi Engdahl says:
A firsthand perspective on the recent LinkedIn account takeover campaign https://www.malwarebytes.com/blog/news/2023/09/first-hand-experience-with-a-linkedin-account-takeover-attempt
Not long ago I wrote about a recent campaign to hold LinkedIn users’ accounts to ransom. Shortly after I published the article, a co-worker, Peace, reached out to me and told me they’d been a target of the campaign.
His story begins with an SMS text from LinkedIn telling him to reset his password. He found this confusing: It arrived in the middle of the night, and he hadn’t asked for a password reset. Since he doesn’t use the LinkedIn app on his mobile he checked his account on his laptop first thing in the morning.
The current sessions (Profile Picture > Settings > Sign in & security > Where you’re signed in) showed an unknown IP address in Texas logged into his account.
Tomi Engdahl says:
Freecycle users told to change passwords after data breach https://grahamcluley.com/freecycle-users-told-to-change-passwords-after-data-breach/
Freecycle, an online community that encourages sharing unwanted items with each other rather than chucking them in the bin or taking them to landfill, has told users to change their passwords after it suffered a data breach.
An announcement on the Freecycle website was the first I knew about the security breach, as – at the time of writing – despite being a member of the site I still haven’t received any other notification from the community.
Tomi Engdahl says:
Chrome extensions can steal plaintext passwords from websites https://www.bleepingcomputer.com/news/security/chrome-extensions-can-steal-plaintext-passwords-from-websites/
A team of researchers from the University of Wisconsin-Madison has uploaded to the Chrome Web Store a proof-of-concept extension that can steal plaintext passwords from a website’s source code.
An examination of the text input fields in web browsers revealed that the coarse-grained permission model underpinning Chrome extensions violates the principles of least privilege and complete mediation.
Additionally, the researchers found that numerous websites with millions of visitors, including some Google and Cloudflare portals, store passwords in plaintext within the HTML source code of their web pages, allowing extensions to retrieve them.
Tomi Engdahl says:
University of Sydney data breach impacts recent applicants https://www.bleepingcomputer.com/news/security/university-of-sydney-data-breach-impacts-recent-applicants/
The University of Sydney (USYD) announced that a breach at a third-party service provider exposed personal information of recently applied and enrolled international applicants.
The public university started operations in 1850 and has nearly 70,000 students and about 8,500 academic and administrative personnel. It is considered one of Australia’s most important educational institutes.
In the data breach announcement, the university says that the incident had a limited impact and the preliminary investigation found no evidence that local students, staff, or alumni have been impacted.
Tomi Engdahl says:
Industry Reactions to Qakbot Botnet Disruption: Feedback Friday
https://www.securityweek.com/industry-reactions-to-qakbot-botnet-disruption-feedback-friday/
Industry professionals comment on the law enforcement operation targeting the Qakbot botnet and its implications.
US authorities announced this week the results of an international operation whose goal was the disruption of the notorious Qakbot botnet.
The operation, dubbed ‘Duck Hunt’, involved the takeover of Qakbot infrastructure and the distribution of a utility designed to automatically remove the malware from infected systems. Authorities also announced seizing more than $8.6 million in cryptocurrency as part of the operation.
Qakbot malware infected at least 700,000 systems worldwide, often being used to deliver ransomware to compromised devices. Investigators believe that Qakbot administrators made roughly $58 million in ransoms in less than two years.
Industry professionals have commented on various aspects of the takedown attempt, including its implications and whether this is the end of Qakbot.
https://www.securityweek.com/operation-duck-hunt-qakbot-malware-disrupted-8-6-million-in-cryptocurrency-seized/
Tomi Engdahl says:
Free Decryptor Available for ‘Key Group’ Ransomware
EclecticIQ has released a free decryption tool to help victims of the Key Group ransomware recover their data without paying a ransom
https://www.securityweek.com/free-decryptor-available-for-key-group-ransomware/
Tomi Engdahl says:
Threat Actors Adopt, Modify Open Source ‘SapphireStealer’ Information Stealer
Cisco has observed multiple threat actors adopting the SapphireStealer information stealer after its source code was released on GitHub.
https://www.securityweek.com/threat-actors-adopt-modify-open-source-sapphirestealer-information-stealer/
Multiple threat actors have adopted ‘SapphireStealer’ after the information stealer’s source code was published on GitHub, Cisco’s Talos security researchers report.
Written in .NET, the information stealer can harvest system data (such as IP address, hostname, screen resolution, OS version, and CPU and GPU information), screenshots, files with specific extensions, and cached browser credentials.
The threat was observed targeting Chrome, Yandex, Edge, and Opera to kill their processes. The malware also searches for credential databases associated with 16 browsers, including Chrome, Edge, Brave, Opera, Comodo, and Yandex.
SapphireStealer dumps the harvested data in a working directory to stage it for exfiltration, and creates a subdirectory to collect victim files that have the .txt, .pdf, .doc, .docx, .xml, .img, .jpg, and .png extensions. The harvested data is sent to the attackers over the Simple Mail Transfer Protocol (SMTP).
Shortly after the malware’s source code was released on December 25, threat actors started using it in attacks and modifying it to expand its capabilities and to make detection more difficult, with the newly compiled variants starting to emerge as soon as mid-January.
Tomi Engdahl says:
Data Breaches
Sourcegraph Discloses Data Breach Following Access Token Leak
Sourcegraph says customer information was breached after an engineer accidentally leaked an admin access token
https://www.securityweek.com/sourcegraph-discloses-data-breach-following-access-token-leak/
Tomi Engdahl says:
Dangling DNS Used to Hijack Subdomains of Major Organizations
https://www.securityweek.com/dangling-dns-used-to-hijack-subdomains-of-major-organizations/
Dangling DNS records were abused by researchers to hijack subdomains belonging to major organizations; the researchers warn that thousands of entities are impacted.
Researchers have abused dangling DNS records to hijack subdomains belonging to over a dozen major organizations, and they warn that thousands of entities are vulnerable to such attacks.
The research was conducted by Vienna-based IT security consulting firm Certitude Consulting, whose employees managed to take control of subdomains belonging to governments, political parties, universities, and media companies in an effort to demonstrate the potential risk.
They targeted subdomains belonging to government organizations in the US, Canada, UK and Australia; the Austrian political party FPÖ; cybersecurity firm Netscout; US insurance giant Penn Mutual; CNN; several major universities in the United States (UCLA, Stanford, and University of Pennsylvania); and a couple of financial institutions.
The Certitude researchers configured the hijacked subdomains to redirect visitors to a ‘security awareness notice’ page explaining who they are, what they have done, and how they did it, along with instructions for preventing subdomain hijacking and recovering the subdomain.
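A defender-side check for the class of problem described above, added here as an example and not part of the article or of Certitude’s work: it walks a zone export and reports candidate dangling records, namely CNAMEs whose out-of-zone target no longer resolves and A records pointing outside the address space the organisation still holds. The zone, the resolver answers and the owned networks are all constructed so the script runs offline; in practice the resolver would be a real DNS lookup.

```python
"""Report candidate dangling DNS records from a zone export.

A record is 'dangling' when it still names a host that the organisation
no longer controls (a deleted hosting tenant, a released cloud address).
This check only lists candidates for a human to confirm.
"""
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

Record = Tuple[str, str, str]              # (owner name, record type, target)
Finding = Tuple[str, str, str]             # (owner name, target, reason)
Resolver = Callable[[str], Optional[str]]  # name -> address, None for NXDOMAIN

# Constructed sample zone export; example.org and .test are reserved names.
SAMPLE_ZONE = """
; owner                  ttl  class type  target
www.example.org.         300  IN    A     192.0.2.10
old-demo.example.org.    300  IN    A     198.51.100.44
blog.example.org.        300  IN    CNAME tenant-4711.pages.hosting-provider.test.
shop.example.org.        300  IN    CNAME shop-example.cdn-provider.test.
docs.example.org.        300  IN    CNAME www.example.org.
"""

# Constructed answers standing in for live DNS lookups (None = NXDOMAIN).
SAMPLE_ANSWERS: Dict[str, Optional[str]] = {
    "tenant-4711.pages.hosting-provider.test.": None,  # tenant was deleted
    "shop-example.cdn-provider.test.": "203.0.113.7",  # still provisioned
    "www.example.org.": "192.0.2.10",
}

# Address space the organisation still holds (constructed).
OWNED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]


def parse_zone(text: str) -> List[Record]:
    """Parse the minimal 'owner ttl IN type target' format used above."""
    records: List[Record] = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) != 5 or fields[2].upper() != "IN":
            raise ValueError(f"unexpected record line: {raw!r}")
        owner, _ttl, _cls, rtype, target = fields
        records.append((owner.lower(), rtype.upper(), target.lower()))
    return records


def find_dangling(records: List[Record], resolve: Resolver,
                  owned_networks) -> List[Finding]:
    """Flag CNAMEs to unresolvable external names and A records to foreign IPs."""
    zone_names = {owner for owner, _, _ in records}
    findings: List[Finding] = []
    for owner, rtype, target in records:
        if rtype == "CNAME":
            if target in zone_names:
                continue  # alias inside our own zone; we control the target
            if resolve(target) is None:
                findings.append((owner, target,
                                 "CNAME target does not resolve (NXDOMAIN)"))
        elif rtype == "A":
            addr = ipaddress.ip_address(target)
            if not any(addr in net for net in owned_networks):
                findings.append((owner, target,
                                 "A record points outside owned address space"))
    return findings


def sample_resolver(name: str) -> Optional[str]:
    """Offline stand-in for a DNS lookup, backed by the constructed table."""
    return SAMPLE_ANSWERS.get(name)


def audit_sample() -> List[Finding]:
    """Run the check over the constructed zone; two records are flagged."""
    return find_dangling(parse_zone(SAMPLE_ZONE), sample_resolver, OWNED_NETWORKS)


if __name__ == "__main__":
    for owner, target, reason in audit_sample():
        print(f"{owner:<24} -> {target:<44} {reason}")
```

Records flagged here still need confirmation, since a legitimate third-party host will also show up as an A record outside the owned ranges; the point is a short list to review before someone else claims the target.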
Tomi Engdahl says:
What’s in a name? Strange behaviors at top-level domains create uncertainty in DNS
https://blog.talosintelligence.com/whats-in-a-name/
By Jaeson Schultz, Adam Katz
Tuesday, August 29, 2023 08:08
Google introduced the new “.zip” Top Level Domain (TLD) on May 3, 2023, igniting a firestorm of controversy as security organizations warned against the confusion that was certain to occur.
When clicking on a name that ends in “.zip” are people intending to open an archive file or an internet URL? The confusion that arises between the ZIP file extension and the ZIP TLD is called a “name collision” — and is not a new phenomenon.
According to ICANN, a name collision occurs “when a user unknowingly accesses a name that has been delegated in the public DNS when the user’s intent is to access a resource identified by the same name in a private network.” Name collisions have been an issue dating back years. Back in 2013 when ICANN introduced several new TLDs they also introduced a Name Collision Occurrence Management Framework to deal with the problem.
Users and programs alike depend on DNS to navigate the internet. In the worst case, confusion over whether some name is a public DNS name or another private resource can cause sensitive data to fall into the hands of unintended recipients.
Tomi Engdahl says:
Did you ride a Yango taxi and don’t want your data ending up in Russia? Here is what to do https://www.is.fi/digitoday/art-2000009831038.html
The Russian-owned Yango taxi dispatch service has to hand over its customer data to Russian authorities. This means that, among others, the security service FSB can access the data of Finnish customers if it so wishes.
The Data Protection Ombudsman announced at the beginning of August that it would prohibit the transfer of Yango’s data, but the companies behind Yango appealed to the Helsinki Administrative Court. The Administrative Court dismissed the appeal, but the ban on handing over data is in force only until the last day of November. There is no information about the period after that.
The National Cyber Security Centre at the Finnish Transport and Communications Agency Traficom reminds that customers can demand the deletion of their data from Yango’s systems under the EU’s General Data Protection Regulation (GDPR).
https://www.kyberturvallisuuskeskus.fi/fi/ajankohtaista/miten-pyydan-tietojeni-poistamista-yango-taksipalvelulta
Tomi Engdahl says:
Freecycle confirms massive data breach impacting 7 million users https://www.bleepingcomputer.com/news/security/freecycle-confirms-massive-data-breach-impacting-7-million-users/
Freecycle, an online forum dedicated to exchanging used items rather than trashing them, confirmed a massive data breach that affected more than 7 million users.
The nonprofit organization says it discovered the breach on Wednesday, weeks after a threat actor put the stolen data for sale on a hacking forum on May 30, warning affected people to switch passwords immediately.
The stolen information includes usernames, User IDs, email addresses, and MD5-hashed passwords, with no other information exposed, according to Freecycle.
Tomi Engdahl says:
Hackers Exploit MinIO Storage System Vulnerabilities to Compromise Servers https://thehackernews.com/2023/09/hackers-exploit-minio-storage-system.html
An unknown threat actor has been observed weaponizing high-severity security flaws in the MinIO high-performance object storage system to achieve unauthorized code execution on affected servers.
Cybersecurity and incident response firm Security Joes said the intrusion leveraged a publicly available exploit chain to backdoor the MinIO instance.
The chain comprises CVE-2023-28432 (CVSS score: 7.5) and CVE-2023-28434 (CVSS score: 8.8), the former of which was added to the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog on April 21, 2023.
Tomi Engdahl says:
Attackers accessed UK military data through high-security fencing firm’s Windows 7 rig https://www.theregister.com/2023/09/04/zaun_breach_windows_7/
The risk of running obsolete code and hardware was highlighted after attackers exfiltrated data from a UK supplier of high-security fencing for military bases. The initial entry point? A Windows 7 PC.
While the supplier, Wolverhampton-based Zaun, said it believed that no classified information was downloaded, reports indicated that attackers were able to obtain data that could be used to gain access to some of the UK’s most sensitive military and research sites.
The LockBit Ransom group conducted the attack on the company’s network, and Zaun admitted the group may have exfiltrated 10GB of data. The company also confessed that the attack might have reached its server beyond the Windows 7 entry point.
Tomi Engdahl says:
German financial agency site disrupted by DDoS attack since Friday https://www.bleepingcomputer.com/news/security/german-financial-agency-site-disrupted-by-ddos-attack-since-friday/
The German Federal Financial Supervisory Authority (BaFin) announced today that an ongoing distributed denial-of-service (DDoS) attack has been impacting its website since Friday.
BaFin is Germany’s financial regulatory authority, part of the Federal Ministry of Finance, responsible for supervising 2,700 banks, 800 financial, and 700 insurance service providers.
The regulator is known for its law enforcement role in Germany and internationally. In recent years, it imposed $10M and $5M fines on the Deutsche Bank and the Bank of America, respectively, for various violations.
Tomi Engdahl says:
Vietnamese Cybercriminals Targeting Facebook Business Accounts with Malvertising https://thehackernews.com/2023/09/vietnamese-cybercriminals-targeting.html
Malicious actors associated with the Vietnamese cybercrime ecosystem are leveraging advertising-as-a-vector on social media platforms such as Meta-owned Facebook to distribute malware.
“Threat actors have long used fraudulent ads as a vector to target victims with scams, malvertising, and more,” WithSecure researcher Mohammad Kazem Hassan Nejad said. “And with businesses now leveraging the reach of social media for advertising, attackers have a new, highly-lucrative type of attack to add to their arsenal – hijacking business accounts.”
Cyber attacks targeting Meta Business and Facebook accounts have gained popularity over the past year, courtesy of activity clusters such as Ducktail and NodeStealer that are known to raid businesses and individuals operating on Facebook.
Tomi Engdahl says:
https://www.securityweek.com/exploit-code-published-for-critical-severity-vmware-security-defect/
Tomi Engdahl says:
A frightening problem in WhatsApp: Siviä received a stranger’s messages on her phone
WhatsApp showed Siviä the wrong person’s messages and profile picture.
https://www.is.fi/digitoday/tietoturva/art-2000009792470.html
Siviä, from Satakunta, got a big surprise in mid-August after changing her phone number. After taking the new number into use, another person’s private messages and groups became visible in the WhatsApp instant messenger.
Siviä changed her number because the old subscription was receiving an annoying amount of scam calls. Now a new problem took its place.
Among the oddities after the number change was that when going into WhatsApp’s settings, her own profile picture was shown normally at the top. But clicking the picture opened, in the profile view, the picture of an older woman, probably the previous owner of the number.
On the day after changing the number, Siviä also received a call that was trying to reach the subscription’s previous owner.
Siviä contacted the customer service of the telecom operator DNA. The situation was found confusing there as well.
Siviä’s telecom operator DNA investigated, with her permission, how the number had been handled. Marjut Salmela from DNA’s communications confirms that the operator’s six-month quarantine period was observed when the number was reassigned.
– The call to the number intended for its former owner is probably because the person who gave up the number has not told everyone, or widely, that their phone number has changed, so the caller did not know the new number of the person they were trying to reach, says DNA’s Salmela.
WhatsApp states in its privacy policy that it deletes a user’s account if it has not been used for 120 days, i.e. four months. The service’s wording, “we (generally) delete your account if your phone has not been present for 120 days”, however leaves room for interpretation.
A situation like the one seen now should therefore not be possible.
In its help center, WhatsApp also writes:
– Content stored on the user’s device before the account was deleted remains until WhatsApp is removed from the device. When the user registers for WhatsApp again on the same device, the content returns.
Tomi Engdahl says:
– If everything works on WhatsApp’s side as documented, then the earlier user account and the messages associated with it should have been deleted within 120 days. Something is clearly amiss, however, since this has not happened. – – It may also be a bug on WhatsApp’s end, but in this situation that is hard to assess from the outside, says Kankaala.
Tomi Engdahl says:
– Before taking a new phone number into use, it would be good to go through all the services one actively uses and update the new phone number in them. Besides instant messengers like WhatsApp, the phone number is often also linked to social media accounts, Kankaala reminds.
Tomi Engdahl says:
https://www.facebook.com/groups/rtlsdrfinland/permalink/1428431171060002/
Olejnik, who spoke to Wired, says that anyone can talk on the radio frequencies of Polish trains with the help of a $30 radio device.
Relaying the trains’ emergency stop command is done by transmitting three acoustic tones at a specific frequency. When the train’s radio equipment receives the tones, the train stops immediately. The emergency stop has been discussed on Polish radio channels, discussion forums and YouTube for years.
“Anyone could do this, even trolling teenagers. The frequencies are known, the tones are known and the equipment is cheap,” says Olejnik.
New information on the attack on Polish rail traffic: two men arrested
Joakim Kullas, 4 Sep 2023 15:56 | updated 4 Sep 2023 15:56
https://www.tivi.fi/uutiset/tv/fbb35895-8809-4dd9-84bd-ddb78831093d?fbclid=IwAR1G4e96SCWloN4G9UkE56GrP49t6QPAAmvJFLvG3VeLtU-qkh5rRP44MHI
The radio systems used by rail traffic are to be upgraded by 2025, but until then the trains’ unprotected radio networks are vulnerable to interference.
Tomi Engdahl says:
Simon Calder: What is causing the air traffic control chaos? The authorities have some explaining to do
https://www.independent.co.uk/travel/news-and-advice/air-traffic-control-airports-flights-b2401157.html
Nats boss appears to confirm reports that a ‘dodgy flight plan’ was responsible for calamitous shutdown
UK air traffic woes caused by ‘invalid flight plan data’
Former BA boss slams resilience, says explanation ‘doesn’t stand up from what I know of the system’
https://www.theregister.com/2023/08/30/uk_air_traffic_woes_invalid_data/
Mystery still surrounds the technical issue at the UK’s National Air Traffic Service (NATS) on Monday, which is being blamed on incorrect flight plan data being received, leading to the system reverting to manual processing and causing delays and cancellations of flights.
You might be thinking the system and its operators would reject malformed or incorrect input, and continue on as normal without drama. The Register understands that invalid flight plan messages submitted to the Flight Plan Processing System are automatically detected and collected in the invalid queue. At this point, we understand, air traffic control staff have responsibility for processing the invalid entries by manually correcting them on a first-come, first-served basis, suggesting that such issues are not uncommon.
Tomi Engdahl says:
Microsoft 365 is down, stopping people from opening Office, Outlook, and OneDrive
By Sean Endicott published about 17 hours ago
A Microsoft 365 outage could cause a stressful start to your workday.
https://www.windowscentral.com/software-apps/microsoft-365-is-down-stopping-people-from-opening-office-outlook-and-onedrive?fbclid=IwAR2hFfxpmf6Ms0pSDoB8GNU6pDnSVLLA3wepdnbTfkaRiqmU2p7aje-Xoto
What you need to know
Microsoft 365 is down right now for several people.
Outage reports started spiking around 6 AM ET and have increased steadily since then.
Affected users are unable to open Microsoft 365 apps, such as Word, Excel, and Outlook.
Tomi Engdahl says:
CISA, MITRE shore up operational tech networks with adversary emulation platform https://therecord.media/cisa-creates-adversary-emulation-platform
The Cybersecurity and Infrastructure Security Agency (CISA) has partnered with the nonprofit MITRE to develop a cyberattack emulation platform specifically for operational technology (OT) networks.
The project is an extension of MITRE Caldera — an open-source tool designed to help cybersecurity officials reduce the amount of time and resources needed for routine cybersecurity testing. Caldera helps cybersecurity teams emulate adversaries, test how platforms respond to attacks, and more.
The platform for OT extensions was developed in partnership between the Homeland Security Systems Engineering and Development Institute (HSSEDI) — a federally funded research and development center that is managed and operated by MITRE for the Department of Homeland Security (DHS) — and CISA in an effort to increase the resiliency of critical infrastructure. The tool is now publicly available as an extension of the original Caldera platform.
Tomi Engdahl says:
ASUS routers vulnerable to critical remote code execution flaws https://www.bleepingcomputer.com/news/security/asus-routers-vulnerable-to-critical-remote-code-execution-flaws/
Three critical-severity remote code execution vulnerabilities impact ASUS RT-AX55, RT-AX56U_V2, and RT-AC86U routers, potentially allowing threat actors to hijack devices if security updates are not installed.
These three WiFi routers are popular high-end models within the consumer networking market, currently available on the ASUS website, favored by gamers and users with demanding performance needs.
The flaws, which all have a CVSS v3.1 score of 9.8 out of 10.0, are format string vulnerabilities that can be exploited remotely and without authentication, potentially allowing remote code execution, service interruptions, and performing arbitrary operations on the device.
Tomi Engdahl says:
New Agent Tesla Variant Being Spread by Crafted Excel Document https://www.fortinet.com/blog/threat-research/agent-tesla-variant-spread-by-crafted-excel-document
Our FortiGuard Labs captured a phishing campaign that spreads a new Agent Tesla variant. This well-known malware family uses a .Net-based Remote Access Trojan (RAT) and data stealer to gain initial access. It is often used for Malware-as-a-Service (MaaS).
I performed an in-depth analysis of this campaign, from the initial phishing email to the actions of Agent Tesla installed on the victim’s machine to the collecting of sensitive information from the affected device. In this analysis, you will learn about the contents of this attack, such as how the phishing email starts the campaign, how the CVE-2017-11882/CVE-2018-0802 vulnerability (and not the VBS macro) is exploited to download and execute the Agent Tesla file on the victim’s device, as well as how Agent Tesla collects the sensitive data from the victim’s device, such as the credentials, key loggings, and screenshots of the victim’s screen.
Tomi Engdahl says:
Chae$ 4: New Chaes Malware Variant Targeting Financial and Logistics Customers https://blog.morphisec.com/chaes4-new-chaes-malware-variant-targeting-financial-and-logistics-customers
As the world of cyber threats evolves at an astonishing pace, staying ahead of these digital dangers becomes increasingly critical for businesses. In January 2023, Morphisec identified an alarming trend where numerous clients, primarily within the logistics and financial sectors, were under the onslaught of a new and advanced variant of Chaes malware. The sophistication of the threat was observed to increase over multiple iterations from April to June 2023.
Thanks to Morphisec’s cutting-edge AMTD (Automatic Moving Target Defense) technology, many of these attacks were thwarted before causing significant damage.
This isn’t just any ordinary Chaes variant. It has undergone major overhauls: from being rewritten entirely in Python, which resulted in lower detection rates by traditional defense systems, to a comprehensive redesign and an enhanced communication protocol. Additionally, it now boasts a suite of new modules that further its malicious capabilities.
Tomi Engdahl says:
Analysis of Andariel’s New Attack Activities https://asec.ahnlab.com/en/56405/
The Andariel threat group which usually targets Korean corporations and organizations is known to be affiliated with the Lazarus threat group or one of its subsidiaries. Attacks against Korean targets have been identified since 2008. Major target industries are those related to national security such as national defense, political organizations, shipbuilding, energy, and communications. Various other companies and institutes in Korea including universities, logistics, and ICT companies are also becoming attack targets.
During the initial compromise stage, the Andariel threat group usually employs spear phishing, watering hole, and supply chain attacks. Additionally, there are cases where the group abuses central management solutions during the malware installation process. A notable fact about the group is its creation and use of various malware types in its attacks. There are many backdoor types, including Andarat, Andaratm, Phandoor, and Rifdoor used in the past attacks, as well as TigerRAT and MagicRAT which have been detected for the past few years.
AhnLab Security Emergency response Center (ASEC) is continuously monitoring the attacks of the Andariel threat group. This blog post will cover details surrounding the recently identified attacks deemed to be perpetrated by the Andariel group.
Tomi Engdahl says:
FBI’s Qakbot operation opens door for more botnet takedowns https://therecord.media/fbi-qakbot-operation-more-operations
The FBI’s recent takedown of the QakBot botnet sent shockwaves throughout the cybersecurity community when it was first announced last week. QakBot had become the malware of choice for dozens of hacking groups and ransomware outfits that used it to set the table for devastating attacks.
Since emerging in 2007 as a tool used to attack banks, the malware evolved into one of the most commonly-seen strains in the world, luring an ever-increasing number of machines into its powerful web of compromised devices. Justice Department officials said their access to the botnet’s control panel revealed it was harnessing the power of more than 700,000 machines, including over 200,000 in the U.S. alone.
But almost as interesting as the takedown was the way law enforcement agencies pulled off the disruption.
Tomi Engdahl says:
New BLISTER Malware Update Fuelling Stealthy Network Infiltration https://thehackernews.com/2023/09/new-blister-malware-update-fuelling.html
An updated version of a malware loader known as BLISTER is being used as part of SocGholish infection chains to distribute an open-source command-and-control (C2) framework called Mythic. “New BLISTER update includes keying feature that allows for precise targeting of victim networks and lowers exposure within VM/sandbox environments,” Elastic Security Labs researchers Salim Bitam and Daniel Stepanic said in a technical report published late last month.
BLISTER was first uncovered by the company in December 2021 acting as a conduit to distribute Cobalt Strike and BitRAT payloads on compromised systems. The use of the malware alongside SocGholish (aka FakeUpdates), a JavaScript-based downloader malware, to deliver Mythic was previously disclosed by Palo Alto Networks Unit 42 in July 2023.
Tomi Engdahl says:
Analyzing a Facebook Profile Stealer Written in Node.js https://www.trendmicro.com/en_us/research/23/i/analyzing-a-facebook-profile-stealer-written-in-node-js.html
During our previous analysis of a campaign involving a Facebook stealer, we discovered another interesting stealer. It was written in Node.js, packaged into an executable, exfiltrated stolen data via both Telegram bot API and a command-and-control (C&C) server, and employed GraphQL as a channel for C&C communication. This blog entry investigates this new stealer and provides an in-depth analysis of its routines and capabilities.
Like the earlier campaign, we noticed that this stealer was distributed via malicious Large Language Model (LLM)-themed Facebook ads. These malicious ads contain a link to a page hosted on Google Sites, which then contains a link to an archive hosted on Trello (an online project and task management tool).
Tomi Engdahl says:
What’s in a NoName? Researchers see a lone-wolf DDoS group https://therecord.media/noname-hacking-group-targets-ukraine-and-allies
Every morning at roughly the same time, a Russian hacker group known as NoName057(16) carries out distributed denial-of-service (DDoS) attacks on European financial institutions, government websites or transportation services.
Last week, the group claimed responsibility for disrupting the websites of several banks and financial institutions in the Czech Republic and Poland, which it considers hostile to the Russian state because of its support to Ukraine.
Like other pro-Kremlin hacktivist gangs, including Killnet or the Cyber Army of Russia, NoName057(16) orchestrates relatively simple and short-lived DDoS incidents with the help of hundreds of volunteers. The goal is to disrupt daily life, even for a few minutes.
But there are some things that set this group apart, researchers say.
Tomi Engdahl says:
How a Man in Prison Stole Millions from Billionaires
https://www.newyorker.com/news/letter-from-the-south/how-a-man-in-prison-stole-millions-from-billionaires?fbclid=IwAR2_GxFsBEg3fs9NMjkWmJgpQJz_WE64eH2NthpBYHcizQ7ItLcvcW50gR8
With smuggled cell phones and a handful of accomplices, Arthur Lee Cofield, Jr., took money from large bank accounts and bought houses, cars, clothes, and gold.
Tomi Engdahl says:
Malware & Threats
Developers Warned of Malicious PyPI, NPM, Ruby Packages Targeting Macs
https://www.securityweek.com/developers-warned-of-malicious-pypi-npm-ruby-packages-targeting-macs/
Malicious packages uploaded to PyPI, NPM, and Ruby repositories are targeting macOS users with information stealing malware.
Threat actors have started uploading malicious packages to PyPI, NPM, and RubyGems repositories in a new campaign aimed at stealing user information, software supply chain security firm Phylum reports.
The first malicious packages were uploaded to PyPI and NPM repositories over the weekend, specifically targeting macOS users.
The PyPI package that Phylum initially observed was designed to harvest information about the victim’s machine and exfiltrate it to an attacker-controlled server. The code would also publish subsequent versions with additional malicious payloads.
The malicious package, however, would only collect data if the victim’s machine was running macOS, the cybersecurity firm explains.
Tomi Engdahl says:
Identity & Access
Okta Says US Customers Targeted in Sophisticated Attacks
https://www.securityweek.com/okta-says-us-customers-targeted-in-sophisticated-attacks/
Okta says some of its US-based customers have been targeted in social engineering attacks whose goal was to disable MFA and obtain high privileges.
Tomi Engdahl says:
IoT Security
Norfolk Southern Says a Software Defect — Not a Hacker — Forced It to Park Its Trains This Week
https://www.securityweek.com/norfolk-southern-says-a-software-defect-not-a-hacker-forced-it-to-park-its-trains-this-week/
Norfolk Southern believes a software defect — not a hacker — was the cause of the widespread computer outage that forced the railroad to park all of its trains.
Norfolk Southern believes a software defect — not a hacker — was the cause of the widespread computer outage that forced the railroad to park all of its trains for most of a day earlier this week.
The railroad said Friday that it traced Monday’s problem to a defect in the software one of its vendors was using to perform maintenance on its data storage systems.
Both the railroad’s primary and backup systems became unresponsive at the same time. The update was made to one system and then automatically copied to the other system allowing the defect to spread. Norfolk Southern didn’t identify the vendor except to call it “a leading global technology provider.”
The railroad, based in Atlanta, reiterated that it has found no evidence that the outage was caused by “an unauthorized cybersecurity incident.”
Norfolk Southern said it has been making progress in clearing up the backlog of trains that accumulated while its network of nearly 20,000 miles of track in the Eastern U.S. was shut down. The railroad has been working to keep its customers updated on their shipments, but it has said the effects of the outage could linger for a couple weeks.
Tomi Engdahl says:
9 Vulnerabilities Patched in SEL Power System Management Products
https://www.securityweek.com/9-vulnerabilities-patched-in-sel-power-system-management-products/
Nine vulnerabilities patched in SEL electric power management products, adding to the 19 other flaws fixed earlier this year.
Nine vulnerabilities, including potentially serious flaws, were patched recently in a couple of electric power management products made by Schweitzer Engineering Laboratories (SEL).
SEL is a US-based company that provides a wide range of products and services for the electric power sector, including control systems, generator and transmission protection, and distribution automation.
Researchers at industrial cybersecurity firm Nozomi Networks have analyzed the company’s SEL-5030 acSELerator QuickSet and SEL-5037 Grid Configurator, software products designed to allow engineers and technicians to configure and manage devices for power system protection, control, metering and monitoring, and to create and deploy settings for SEL power system devices.
Nozomi researchers discovered a total of nine vulnerabilities, including four that have been assigned a ‘high severity’ rating — the remaining five are ‘medium severity’.
The most severe, according to Nozomi, is CVE-2023-31171, which allows arbitrary code execution on the engineering workstation running the SEL software by getting the targeted user to import a device configuration from a specially crafted file. The flaw can be chained with CVE-2023-31175, which allows an attacker to escalate privileges.
Tomi Engdahl says:
By Sayan Sen – Microsoft and Intel, last month, confirmed a new CPU vulnerability called Downfall (GDS) which affects 7th, 8th, 9th, 10th, and 11th Gen CPUs. The former has since deleted its mitigation-removal. #Microsoft #Intel #Downfall
https://www.neowin.net/news/microsoft-no-longer-suggests-overlooking-downfall-of-intel-7th-8th-9th-10th-11th-gen-cpus/?fbclid=IwAR1Ho2mHAkncr1ohRiNIJX26v9xd39NiIiyo7hX8zpiDKIAtUxy0_nkIMNA
Tomi Engdahl says:
Intel, Not Motherboard Makers, To Be Blamed For “Unsupported CPU” BSOD Issues, New Microcode On The Way
Intel Microcode Caused “Unsupported CPU” BSOD Issue, New BIOS With Updated Microcode Coming Soon
https://wccftech.com/intel-microcode-unsupported-cpu-bsod-issue-new-bios-updated-microcode-fix-soon/?fbclid=IwAR06EOS92l5kiwFlRcerAt32MEVGAy4ZBEPUI00JacG2pUxVQcMi-8ZP-fQ
Intel’s own microcode has been found to be the culprit causing various “Unsupported CPU” BSOD issues on 13th Gen CPUs & the company is already working on a new microcode.
Tomi Engdahl says:
Results of Major Technical Investigations for Storm-0558 Key Acquisition https://msrc.microsoft.com/blog/2023/09/results-of-major-technical-investigations-for-storm-0558-key-acquisition/
On July 11, 2023, Microsoft published a blog post which details how the China-based threat actor, Storm-0558, used an acquired Microsoft account (MSA) consumer key to forge tokens to access OWA and Outlook.com. Upon identifying that the threat actor had acquired the consumer key, Microsoft performed a comprehensive technical investigation into the acquisition of the Microsoft account consumer signing key, including how it was used to access enterprise email. Our technical investigation has concluded. As part of our commitment to transparency and trust, we are releasing our investigation findings.
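The post above describes a token signed with a consumer signing key being accepted for enterprise mail access. The following is an added illustration of the defensive check that closes that gap, written for this page and not Microsoft's code or the actual MSA/Azure AD validation logic: a token verifier that, besides checking the signature and the audience claim, also checks that the key which signed the token is one the relying service allows for that audience. The key ids, secrets, audiences and the HS256-style token format are all constructed for the example (HMAC is used instead of RSA purely to keep it stdlib-only).

```python
import base64
import hashlib
import hmac
import json

# Constructed trust store: each signing key is bound to the single audience it is
# allowed to sign for. Key ids, secrets and audience names are hypothetical.
TRUSTED_KEYS = {
    "consumer-key-1": {"secret": b"constructed-consumer-secret", "aud": "consumer-mail"},
    "enterprise-key-1": {"secret": b"constructed-enterprise-secret", "aud": "enterprise-mail"},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_token(kid: str, claims: dict) -> str:
    """Issue a compact header.payload.signature token under the given key id.
    Only used here to construct sample tokens for the verifier below."""
    header = {"alg": "HS256", "kid": kid}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(TRUSTED_KEYS[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(token: str, expected_aud: str, enforce_key_scope: bool = True) -> tuple:
    """Return (accepted, reason).

    With enforce_key_scope=False this is the weak check: any trusted key with a
    valid signature and a matching 'aud' claim is accepted, so a token signed by
    the consumer key but claiming the enterprise audience passes. With
    enforce_key_scope=True the signing key must itself be authorised for the
    audience being accessed, which is the property that blocks that forgery.
    """
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
    except (ValueError, json.JSONDecodeError):
        return False, "malformed token"

    kid = header.get("kid")
    entry = TRUSTED_KEYS.get(kid)
    if entry is None:
        return False, f"unknown kid {kid!r}"

    expected_sig = hmac.new(entry["secret"], f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s)):
        return False, "bad signature"

    if claims.get("aud") != expected_aud:
        return False, "audience mismatch"

    # A valid signature from *some* trusted key is not enough: the key must be
    # one this service permits for this audience.
    if enforce_key_scope and entry["aud"] != expected_aud:
        return False, f"key {kid!r} not authorised for audience {expected_aud!r}"

    return True, "ok"


if __name__ == "__main__":
    legit = sign_token("enterprise-key-1", {"sub": "alice", "aud": "enterprise-mail"})
    # Constructed forgery: consumer key used to mint a token for the enterprise audience.
    forged = sign_token("consumer-key-1", {"sub": "alice", "aud": "enterprise-mail"})
    print("legit, scoped   :", verify_token(legit, "enterprise-mail"))
    print("forged, unscoped:", verify_token(forged, "enterprise-mail", enforce_key_scope=False))
    print("forged, scoped  :", verify_token(forged, "enterprise-mail"))
```

The design point is that the trust decision is made per key, not per key store: a verifier that merely asks "is this kid in my list of trusted keys?" conflates two issuers with different security boundaries, whereas binding each key to the audience it may sign for makes the cross-boundary token fail closed even though its signature is cryptographically valid.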