This posting is here to collect cyber security news in September 2023.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
This posting is here to collect cyber security news in September 2023.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
314 Comments
Tomi Engdahl says:
After Apple and Google, Mozilla Also Patches Zero-Day Exploited for Spyware Delivery
https://www.securityweek.com/after-apple-and-google-mozilla-also-patches-zero-day-exploited-for-spyware-delivery/
After Apple and Google, Mozilla has also patched an image processing-related zero-day vulnerability exploited by spyware
After Apple and Google, Mozilla has also released patches for an image processing-related zero-day vulnerability that has been exploited to deliver spyware.
The existence of a new zero-day came to light on September 7, when Apple announced iOS and macOS updates to patch an exploited vulnerability tracked as CVE-2023-41064. The tech giant described the zero-day as a buffer overflow in the ImageIO component that can be exploited for arbitrary code execution using specially crafted images.
On the same day, the Citizen Lab group at the University of Torontoʼs Munk School reported that the vulnerability is part of a new zero-click exploit dubbed BlastPass that has been used to target iPhones running the latest version of iOS.
Citizen Lab said the exploit, which had been used to deliver the NSO Group’s notorious Pegasus spyware via malicious images sent through iMessage, targeted an employee at a “Washington DC-based civil society organization with international offices”.
On September 11, Google also announced Chrome updates to patch a critical zero-day vulnerability whose existence was reported by Apple and Citizen Lab. Google, which tracks the flaw as CVE-2023-4863, said the issue impacts the WebP component used by its web browser.
WebP, an image format developed by Google, is offered as an alternative to JPEG, PNG and GIF. The significantly smaller size of WebP images results in web pages loading much faster.
The WebP format is also supported by Mozilla’s Firefox web browser
Tomi Engdahl says:
Microsoft: Pohjois-Korea murtautui Suomen puolustusteollisuuteen
Viranomaiset kommentoivat asiaa hyvin niukkasanaisesti.
https://www.is.fi/digitoday/tietoturva/art-2000009849732.html
Pohjois-Korean hakkerit ovat murtautuneet Suomen puolustusteollisuuteen, kertoo ohjelmistoyhtiö Microsoft Digital threats from East Asia increase in breadth and effectiveness -raportissaan.
Microsoftin mukaan Pohjois-Koreaa kiinnostaa erityisesti merisotateknologia, etenkin sukellusveneistä laukaistavat ohjukset sekä miehittämättömät vedenalaiset dronet. Laivastoteknologiaa vakoilee ainakin kolme pohjoiskorealaista kybertiedusteluyksikköä, jotka tunnetaan länsimaissa koodinimillä Ruby Sleet, Diamond Sleet sekä Sapphire Sleet.
– Tammikuun 2023 jälkeen Diamond Sleet on murtautunut puolustusteknologian yrityksiin ainakin Brasiliassa, Tshekissä, Suomessa, Italiassa, Norjassa ja Puolassa.
Suojelupoliisi (supo) kommentoi asiaa niukkasanaisesti ja mainitsee Pohjois-Korean sijaan Kiinan ja Venäjän.
https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RW1aFyW
Tomi Engdahl says:
Caesars paid millions in ransom to cybercrime group prior to MGM hack
https://www.cnbc.com/2023/09/14/caesars-paid-millions-in-ransom-to-cybercrime-group-prior-to-mgm-hack.html?fbclid=IwAR1zL6fEqKIgFLeKlRXj1nBuCO1uPVuMU49o0qBt_ttuuQEkRxuXcLlz8C0
KEY POINTS
Days before MGM’s computer systems were taken down in a cyberattack, casino operator Caesars paid out a ransom worth $15 million to a cybercrime group that managed to infiltrate and disrupt its systems.
Caesars does not anticipate the ransom payment or fallout will have a material effect on the company’s bottom line, according to an 8-K filing.
Bloomberg previously reported that the same cybercrime group is behind the attacks on both companies.
Days before MGM’s
computer systems were taken down in a cyberattack, casino operator Caesars
paid out a ransom worth $15 million to a cybercrime group that managed to infiltrate and disrupt its systems, sources familiar with the matter told CNBC.
The cybercrime group has made a ransom demand to MGM as well, those sources told CNBC’s Contessa Brewer.
There have now been two highly disruptive attacks on the gaming industry in a matter of weeks. Caesars reported its incident in a U.S. Securities and Exchange Commission filing Thursday morning. The 8-K report, similar to one filed by MGM Resorts on Wednesday, acknowledges the hack as a material event.
The cybercrime group demanded a $30 million ransom from Caesars, but the company ultimately agreed to pay about half that, sources said. The costs will be partially mitigated by Caesars’ cyber insurance policies.
But Caesars does not anticipate the ransom payment or fallout will have a material effect on the company’s bottom line, according to the filing.
“Although members of the group may be less experienced and younger than many of the established multifaceted extortion and ransomware groups, they are a serious threat to large companies in the United States,”
“Many members are native English speakers and are incredibly effective social engineers.”
Bloomberg previously reported the ransom and that the same group is behind the attacks on both companies. The group, known as UNC3944 or Roasted 0ktapus, was also linked to the MGM attack
SEC rules require that companies file reports within four days of a “material” event. It wasn’t immediately clear why Caesars delayed filing the report disclosing the hack and ransom for weeks. The SEC pushed to introduce a new cybersecurity disclosure rule earlier this year, requiring that companies file an 8-K report disclosing the nature of a cyberattack and the effect on its business. That new rule kicks in by year-end.
Tomi Engdahl says:
With 0-days hitting Chrome, iOS, and dozens more this month, is no software safe?
https://arstechnica.com/security/2023/09/with-0-days-hitting-chrome-ios-and-dozens-more-this-month-is-no-software-safe/
End users, admins, and researchers better brace yourselves: The number of apps being patched for zero-day vulnerabilities has skyrocketed this month and is likely to get worse in the following weeks.
People have worked overtime in recent weeks to patch a raft of vulnerabilities actively exploited in the wild, with offerings from Apple, Microsoft, Google, Mozilla, Adobe, and Cisco all being affected since the beginning of the month.
The number of zero-days tracked this month is considerably higher than the monthly average this year. September so far is at 10, compared with a total of
60 from January through August, according to security firm Mandiant. The company tracked 55 zero-days in 2022 and 81 in 2021.
A sampling of the affected companies and products includes iOS and macOS, Windows, Chrome, Firefox, Acrobat and Reader, the Atlas VPN, and Cisco’s Adaptive Security Appliance Software and its Firepower Threat Defense. The number of apps is likely to grow because a single vulnerability that allows hackers to execute malicious code when users open a booby-trapped image included in a message or web page is present in possibly hundreds of apps.
Tomi Engdahl says:
Windows 11 ‘ThemeBleed’ RCE bug gets proof-of-concept exploit https://www.bleepingcomputer.com/news/security/windows-11-themebleed-rce-bug-gets-proof-of-concept-exploit/
Proof-of-concept exploit code has been published for a Windows Themes vulnerability tracked as CVE-2023-38146 that allows remote attackers to execute code.
The security issue is also referred to as ThemeBleed, and received a high-severity score of 8.8. It can be exploited if the target user opens a malicious .THEME file crafted by the attacker.
The exploit code was released by Gabe Kirkpatrick, one of the researchers who reported the vulnerability to Microsoft on May 15 and received $5,000 for the bug.
Tomi Engdahl says:
A phone call to helpdesk was likely all it took to hack MGM https://arstechnica.com/security/2023/09/a-phone-call-to-helpdesk-was-likely-all-it-took-to-hack-mgm/
A cyber criminal gang proficient in impersonation and malware has been identified as the likely culprit for an attack that paralized networks at US casino operator MGM Resorts International.
The group, which security researchers call “Scattered Spider,” uses fraudulent phone calls to employees and help desks to “phish” for login credentials. It has targeted MGM and dozens of other Western companies with the aim of extracting ransom payments, according to two people familiar with the situation.
The operator of hotel casinos on the Las Vegas Strip, including the Bellagio, Aria, Cosmopolitan, and Excalibur, preemptively shut down large parts of its internal networks after discovering the breach on Sunday, one of the people said.
Tomi Engdahl says:
Uncursing the ncurses: Memory corruption vulnerabilities found in library https://www.microsoft.com/en-us/security/blog/2023/09/14/uncursing-the-ncurses-memory-corruption-vulnerabilities-found-in-library/
Microsoft has discovered a set of memory corruption vulnerabilities in a library called ncurses, which provides APIs that support text-based user interfaces (TUI). Released in 1993, the ncurses library is commonly used by various programs on Portable Operating System Interface (POSIX) operating systems, including Linux, macOS, and FreeBSD. Using environment variable poisoning, attackers could chain these vulnerabilities to elevate privileges and run code in the targeted program’s context or perform other malicious actions.
One of the most common vulnerabilities found in modern software, memory corruption vulnerabilities, can allow attackers to gain unauthorized access to systems and data by modifying a program’s memory. The impact of memory corruption vulnerabilities can range from leaking sensitive information and performing a simple denial-of-service (DoS) to elevating privileges and executing arbitrary code.
Tomi Engdahl says:
Google Patches Chrome Zero-Day Reported by Apple, Spyware Hunters
https://www.securityweek.com/google-patches-chrome-zero-day-reported-by-apple-spyware-hunters/
Google has released a Chrome 116 security update to patch CVE-2023-4863, the fourth Chrome zero-day vulnerability documented in 2023.
Tomi Engdahl says:
Cybercrime
A Second Major British Police Force Suffers a Cyberattack in Less Than a Month
https://www.securityweek.com/a-second-major-british-police-force-suffers-a-cyberattack-in-less-than-a-month/
Personal details of thousands of police officers and staff from Greater Manchester Police have been hacked from a company that makes identity cards.
Personal details of thousands of police officers and staff from Greater Manchester Police have been hacked from a company that makes identity cards, the second such cyberattack to affect a major British police force in less than a month.
Details on identity badges and warrant cards, including names, photos and identity numbers or police collar numbers, were stolen in the ransomware attack, Greater Manchester Police said Thursday. The third-party supplier was not identified.
The force said no home addresses of officers or any financial information about individuals was stolen.
“This is being treated extremely seriously, with a nationally led criminal investigation into the attack,” Assistant Chief Constable Colin McFarlane said in a statement.
Britain’s National Crime Agency is leading the investigation into the ransomware attack.
Tomi Engdahl says:
Data Breaches
Caesars Confirms Ransomware Hack, Stolen Loyalty Program Database
https://www.securityweek.com/caesars-confirms-ransomware-hack-stolen-loyalty-program-database/
The hijacked data includes driver’s license numbers and/or social security numbers from a Caesars Entertainment loyalty database.
Caesars Entertainment, Inc., a well-known global hospitality brand, has been hacked by a cybercrime gang that stole a vast chunk of data, including the company’s loyalty program database.
In a filing with the SEC, Caesars said the hijacked data includes driver’s license numbers and/or social security numbers for a significant number of members in the database and provided a hint that a ransomware demand was paid to minimize the damage.
“We have taken steps to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result,” Caesars said in the 8-K filing. We are monitoring the web and have not seen any evidence that the data has been further shared, published, or otherwise misused.”
Caesars said it currently has no evidence that member passwords/PINs, bank account information, or payment card information (PCI) were part of the data copied by the cybercriminal group.
Tomi Engdahl says:
Azure HDInsight Flaws Allowed Data Access, Session Hijacking, Payload Delivery
https://www.securityweek.com/azure-hdinsight-flaws-allowed-data-access-session-hijacking-payload-delivery/
Orca Security details eight XSS vulnerabilities in Azure HDInsight that could lead to information leaks, session hijacking, and payload delivery
Orca Security has published details on eight cross-site scripting (XSS) vulnerabilities impacting Azure HDInsight, which could be exploited to access data, hijack sessions, or deliver malicious payloads.
The flaws were identified by the cloud security firm in several Apache services, such as Hadoop, Spark, Kafka, and Oozie, all operating under the Azure HDInsight umbrella.
An open source analytics service, Azure HDInsight allows organizations to use open source frameworks in their Azure environment for big data analysis, management, and processing.
The eight vulnerabilities, tracked under five different CVE identifiers – CVE-2023-36881, CVE-2023-35394, CVE-2023-38188, CVE-2023-35393, CVE-2023-36877 – were identified through the manipulation of variables and function exploitation.
“All 8 XSS vulnerabilities discovered in various platforms and components in Azure HDInsight primarily resulted from the lack of proper input sanitization. This omission allowed malicious characters to be rendered once the dashboard was loaded, demonstrating inadequate output encoding that fails to neutralize these characters when rendered,” Orca explains.
The first issue, tracked as CVE-2023-36881, was initially discovered in the Apache Ambari Background operations, which had multiple default parameters that could be modified to perform an XSS attack.
Tomi Engdahl says:
Cloud Security
Kubernetes Vulnerability Leads to Remote Code Execution
https://www.securityweek.com/kubernetes-vulnerability-leads-to-remote-code-execution/
A high-severity vulnerability can be exploited to execute code remotely on any Windows endpoint within a Kubernetes cluster.
A high-severity vulnerability in Kubernetes can be exploited to achieve remote code execution (RCE) on all Windows endpoints within the cluster, Akamai’s security researchers warn.
Tracked as CVE-2023-3676 (CVSS score of 8.8), the vulnerability impacts Kubernetes’ processing of YAML files, which are used within the container orchestration system for configuration, management, secret handling, and more.
Kubernetes relies on YAML for cluster configuration, and vulnerabilities in YAML files have been subject to numerous research projects over the past years.
Using previously identified vulnerabilities as a starting point for new research, Akamai discovered that an attacker with ‘apply’ privileges could inject code to be executed on the Windows machines within the Kubernetes cluster with System privileges.
The issue, Akamai explains, is related to how Kubernetes’ kubelet service processes YAML files containing information on where a shared directory (between the pod and the host) can be mounted.
The presence of this command and of unsanitized user-supplied input leads to a command injection bug that an attacker can exploit to insert any PowerShell command or threat.
“An attacker can abuse this subPath evaluation to reach the vulnerable code and execute any command they want with SYSTEM privileges (kubelet’s own context) from remote nodes, and gain control over all Windows nodes in the cluster,” Akamai explains.
Tomi Engdahl says:
Mehul Srivastava / Financial Times:
MGM was likely hacked by Scattered Spider, an English-speaking group that previously used help desk calls to get passwords and planned to hack the slot machines
MGM hack followed failed bid to rig slot machines, ‘Scattered Spider’ group claims
Person claiming to represent cybercriminals explains techniques used to evade detection by casino resort company
https://www.ft.com/content/a25d2897-b0ce-4ba7-92ed-ff5df09d1b47
The person declined to say how the group initially gained access to MGM’s systems. In the past, Scattered Spider has been known to use well-rehearsed phone calls to help desks to gain new passwords or generate multifactor authentication codes for an employee they had surveilled through social media, and compromised their corporate phone’s SIM through a practice called SIM-phishing.
In a trick reminiscent of a heist movie, the hackers who allegedly breached the security at MGM’s casinos this month originally planned to manipulate the software running the slot machines, and “recruit mules to gamble and milk the machines”.
they siphoned off the company’s data, encrypted some of it and are now demanding cryptocurrency to release it.
the technical descriptions given to the Financial Times matched attacks on at least 100 other victims over the past two years.
MGM, which has a market capitalisation of $14.6bn, did not reply to emails seeking comment. The Nevada Gaming Control Board said overnight that the state’s governor, Joe Lombardo, was working with law enforcement on the hack, which left thousands of guests without functioning key cards for their hotel rooms and forced slot machines offline in MGM casinos around the US.
The owner of some of those storied casinos on the Las Vegas strip, including the Bellagio, the Aria, the Cosmopolitan and Mandalay Bay, had to resort to “manual mode” gambling, including cash payouts and some handwritten IOUs
They ran their malware remotely and claim to have penetrated the system within five hours of starting the attack, and evaded detection for eight days.
the Scattered Spider crew speaks fluent English.
The goal is to put pressure on MGM to pay up before more embarrassing information is shared publicly.
MGM shut down large parts of its corporate intranet to contain the hackers
That protective measure triggered the chaos
Bloomberg News reported that Caesars Entertainment, an MGM rival, had recently paid a multimillion dollar ransom to a cybercriminal gang.
The plan to manipulate MGM’s slot machines probably failed because the attackers were unfamiliar with the code behind them
the hackers work off a generic toolkit designed to work across a large swath of companies, irrespective of the industry.
“If a company has money and it meets our requirements, it doesn’t matter what field it’s in, we’ll hit it,”
They avoid hacking hospitals, “because that’s a (jail) sentence just waiting to happen”, airports are “terrorism” and the gas industry has bespoke systems that are “cancerous to manoeuvre around”.
Most casino hacks had been much simpler
“Get into whatever building management system you have — the air conditioning, the elevators — and shut them down, or say that you will, and the (business) will pay.”
Tomi Engdahl says:
MGM casinos’ cyber attack blamed on western hacking group
https://www.ft.com/content/e7445618-c7b3-4299-8213-140e1225723c
Tomi Engdahl says:
More Russian journalists investigating possible spyware infections https://therecord.media/more-russians-investigating-spyware
More Russian journalists have come forward this week expressing concern that they too may have been targeted with spyware, following the news that the prominent media figure Galina Timchenko was hacked with Pegasus.
Apple notified two of the journalists — Maria Epifanova, the CEO of Novaya Gazeta Europe, and Evgeniy Pavlov, a correspondent for Novaya Gazeta Baltia — in August. The third, Evgeny Erlich, a journalist-in-exile at the Russian-language outlet Current Time, did not say when he was notified.
Tomi Engdahl says:
Several Colombian government ministries hampered by ransomware attack https://therecord.media/colombia-government-ministries-cyberattack
This week, the Ministry of Health and Social Protection, the country’s Judiciary Branch and the Superintendency of Industry and Commerce announced that a cyberattack on technology provider IFX Networks Colombia had caused a range of problems limiting the ability of both departments to function.
Tomi Engdahl says:
EU panel fines TikTok €345 million for child settings https://therecord.media/tiktok-gdpr-violations-child-accounts-fine
The Irish Data Protection Commission (DPC) fined social media giant TikTok
€345 million ($368 million) on Friday for violations of European Union privacy regulations related to how the platform dealt with its child users.
Tomi Engdahl says:
Probe reveals previously secret Israeli spyware that infects targets via ads https://www.theregister.com/2023/09/16/insanet_spyware/
Israeli software maker Insanet has reportedly developed a commercial product called Sherlock that can infect devices via online adverts to snoop on targets and collect data about them for the biz’s clients.
This is according to an investigation by Haaretz, which this week claimed the spyware system had been sold to a country that is not a democracy.
The newspaper’s report, we’re told, marks the first time details of Insanet and its surveillanceware have been made public. Furthermore, Sherlock is capable of drilling its way into Microsoft Windows, Google Android, and Apple iOS devices, according to cited marketing bumf.
Tomi Engdahl says:
Stealing More Than Towels: The New InfoStealer Campaign Hitting Hotels and Travel Agencies https://perception-point.io/blog/stealing-more-than-towels-the-new-infostealer-campaign-hitting-hotels-and-travel-agencies/
As cyberattacks continue to target and breach organizations across diverse sectors, the hospitality industry finds itself in the crosshairs of a new threat. Perception Point’s team of security researchers recently discovered a sophisticated phishing campaign targeting hotels and travel agencies. This campaign is particularly concerning due to its highly targeted nature and its use of advanced social engineering techniques.
Tomi Engdahl says:
MGM casino’s ESXi servers allegedly encrypted in ransomware attack https://www.bleepingcomputer.com/news/security/mgm-casinos-esxi-servers-allegedly-encrypted-in-ransomware-attack/
[T]he BlackCat ransomware group claims that they had infiltrated MGM’s infrastructure since Friday and encrypted more than 100 ESXi hypervisors after the company took down the internal infrastructure.
According to Bloomberg reporters, Scattered Spider has also breached the network of Caesars Entertainment, who, in a U.S. Securities and Exchange Commission on Thursday, provided a strong hint at paying the attacker to avoid a leak of customer data stolen in the attack. The ransom demand was allegedly
$30 million.
After [no intention from MGM] to engage in negotiations over the provided chat, the threat actor says that they deployed the ransomware attack.
“After waiting a day, we successfully launched ransomware attacks against more than 100 ESXi hypervisors in their environment on September 11th after trying to get in touch but failing. This was after they brought in external firms for assistance in containing the incident,” – BlackCat/ALPHV.
At this moment, the hackers say that they do not know what type of data they stole from MGM but promise to extract relevant information and share it online unless they reach an agreement with MGM.
Tomi Engdahl says:
MGM Hackers Broadening Targets, Monetization Strategies
https://www.securityweek.com/mgm-hackers-broadening-targets-monetization-strategies/
The financially motivated UNC3944 group that hacked MGM has hit at least 100 organizations, mainly in the US and Canada.
Google-owned Mandiant says the financially motivated threat actor responsible for the recent MGM Resorts hack has been expanding its targets, as well as its monetization strategies.
Tracked as UNC3944 and also referred to as 0ktapus, Scatter Swine, and Scattered Spider, the hacking group has targeted at least 100 organizations, mostly in the United States and Canada. The group typically engages in SMS phishing campaigns (smishing), but has been broadening its skills and arsenal of tools and is expected to start targeting more industries.
Mandiant also noticed that the group shifted to ransomware deployment in mid-2023, which can be highly profitable. In some attacks, they were seen using the ALPHV (BlackCat) ransomware, but Mandiant believes they could use other ransomware as well, and they may “incorporate additional monetization strategies to maximize their profits in the future.”
The threat actor has been active since late 2021, typically employing smishing to obtain valid employee credentials and contacting the victim organization’s help desk to obtain multi factor authentication (MFA) codes or reset account passwords, by impersonating the targeted employees.
Ransomware
Ransomware Gang Takes Credit for Disruptive MGM Resorts Cyberattack
A known ransomware gang has taken credit for the highly disruptive cyberattack on MGM Resorts, and the company has yet to restore impacted systems.
https://www.securityweek.com/ransomware-gang-takes-credit-for-highly-disruptive-mgm-resorts-attack/
Tomi Engdahl says:
https://www.securityweek.com/california-settles-with-google-over-location-privacy-practices-for-93-million/
Tomi Engdahl says:
Google Feature Blamed for Retool Breach That Led to Cryptocurrency Firm Hacks
https://www.securityweek.com/google-feature-blamed-for-retool-breach-that-led-to-cryptocurrency-firm-hacks/
A recently introduced Google account sync feature has been blamed after sophisticated hackers attacked 27 cryptocurrency firms via Retool.
A recently introduced Google account sync feature has been blamed by software development firm Retool after sophisticated hackers gained access to its systems and targeted over two dozen of its customers from the cryptocurrency sector.
Retool is a San Francisco, California-based company that provides a development platform designed for building custom business tools without the need for advanced programming skills. Its customers include major companies such as Amazon, DoorDash, Unity, NBC, Mercedes-Benz, Volvo, Lyft and Peloton.
The company revealed this week that 27 of its cloud customers were notified in late August that there had been unauthorized access to their accounts. Retool said on-prem and managed accounts were not impacted.
Hackers launched account takeover attacks against these customers, changing user emails and resetting passwords. All of the victims were from the cryptocurrency industry.
Tomi Engdahl says:
Agent Tesla’s Unique Approach: VBS and Steganography for Delivery and Intrusion https://www.mcafee.com/blogs/other-blogs/mcafee-labs/agent-teslas-unique-approach-vbs-and-steganography-for-delivery-and-intrusion/
McAfee Labs has detected a variation where Agent Tesla was delivered through VBScript (VBS) files, showcasing a departure from its usual methods of distribution. VBS files are script files used in Windows for automating tasks, configuring systems, and performing various actions. They can also be misused by cybercriminals to deliver malicious code and execute harmful actions on computers. The examined VBS file executed numerous PowerShell commands and then leveraged steganography to perform process injection into RegAsm.exe …
Tomi Engdahl says:
Earth Lusca Employs New Linux Backdoor, Uses Cobalt Strike for Lateral Movement https://www.trendmicro.com/en_us/research/23/i/earth-lusca-employs-new-linux-backdoor.html
In early 2021, we published a research paper discussing the operation of a China-linked threat actor we tracked as Earth Lusca. Since our initial research, the group has remained active and has even extended its operations, targeting countries around the world during the first half of 2023.
While monitoring the group, we managed to obtain an interesting, encrypted file hosted on the threat actor’s delivery server. We were able to find the original loader of the file on VirusTotal and successfully decrypted it.
Interestingly, the decrypted payload is a Linux-targeted backdoor that we have never seen before. The main execution routine and its strings show that it originates from the open-source Windows backdoor Trochilus, with several functions being re-implemented for Linux systems. We named this new Linux variant SprySOCKS, referring to the swift behaviors of Trochilus and the new Socket Secure (SOCKS) implementation inside the backdoor.
Tomi Engdahl says:
BlackCat ransomware hits Azure Storage with Sphynx encryptor https://www.bleepingcomputer.com/news/security/blackcat-ransomware-hits-azure-storage-with-sphynx-encryptor/
The BlackCat (ALPHV) ransomware gang now uses stolen Microsoft accounts and the recently spotted Sphynx encryptor to encrypt targets’ Azure cloud storage.
[...] they encrypted the Sophos customer’s systems and remote Azure cloud storage and appended the .zk09cvt extension to all locked files. In total, the ransomware operators could encrypt 39 Azure Storage accounts successfully.
[...] They infiltrated the victim’s Azure portal using a stolen Azure key that provided them access to the targeted storage accounts.
Tomi Engdahl says:
AWS’s Hidden Threat: AMBERSQUID Cloud-Native Cryptojacking Operation https://sysdig.com/blog/ambersquid/
The Sysdig Threat Research Team (TRT) has uncovered a novel cloud-native cryptojacking operation which they’ve named AMBERSQUID. This operation leverages AWS services not commonly used by attackers, such as AWS Amplify, AWS Fargate, and Amazon SageMaker. The uncommon nature of these services means that they are often overlooked from a security perspective, and the AMBERSQUID operation can cost victims more than $10,000/day.
The AMBERSQUID operation was able to exploit cloud services without triggering the AWS requirement for approval of more resources, as would be the case if they only spammed EC2 instances. Targeting multiple services also poses additional challenges, like incident response, since it requires finding and killing all miners in each exploited service.
This dangerous container image didn’t raise any alarms during static scanning for known indicators or malicious binaries. It was only when the container was run that its cross-service cryptojacking activities became obvious. This is consistent with the findings of our 2023 Cloud Threat Report, in which we noted that 10% of malicious images are missed by static scanning alone.
Tomi Engdahl says:
38TB of data accidentally exposed by Microsoft AI researchers https://www.wiz.io/blog/38-terabytes-of-private-data-accidentally-exposed-by-microsoft-ai-researchers
Microsoft’s AI research team, while publishing a bucket of open-source training data on GitHub, accidentally exposed 38 terabytes of additional private data — including a disk backup of two employees’ workstations.
The backup includes secrets, private keys, passwords, and over 30,000 internal Microsoft Teams messages.
The researchers shared their files using an Azure feature called SAS tokens, which allows you to share data from Azure Storage accounts.
The access level can be limited to specific files only; however, in this case, the link was configured to share the entire storage account — including another 38TB of private files.
This case is an example of the new risks organizations face when starting to leverage the power of AI more broadly, as more of their engineers now work with massive amounts of training data. As data scientists and engineers race to bring new AI solutions to production, the massive amounts of data they handle require additional security checks and safeguards.
Tomi Engdahl says:
Microsoft mitigated exposure of internal information in a storage account due to overly-permissive SAS token https://msrc.microsoft.com/blog/2023/09/microsoft-mitigated-exposure-of-internal-information-in-a-storage-account-due-to-overly-permissive-sas-token/
[Microsoft response to the previous wiz.io post] As part of a recent Coordinated Vulnerability Disclosure (CVD) report from Wiz.io, Microsoft investigated and remediated an incident involving a Microsoft employee who shared a URL for a blob store in a public GitHub repository while contributing to open-source AI learning models. This URL included an overly-permissive Shared Access Signature (SAS) token for an internal storage account. Security researchers at Wiz were then able to use this token to access information in the storage account. Data exposed in this storage account included backups of two former employees’ workstation profiles and internal Microsoft Teams messages of these two employees with their colleagues. No customer data was exposed, and no other internal services were put at risk because of this issue. No customer action is required in response to this issue. We are sharing the learnings and best practices below to inform our customers and help them avoid similar incidents in the future.
Tomi Engdahl says:
How Google Authenticator made one company’s network breach much, much worse https://arstechnica.com/security/2023/09/how-google-authenticator-gave-attackers-one-companys-keys-to-the-kingdom/
A security company is calling out a feature in Google’s authenticator app that it says made a recent internal network breach much worse.
Retool, which helps customers secure their software development platforms, made the criticism on Wednesday in a post disclosing a compromise of its customer support system. The breach gave the attackers responsible access to the accounts of 27 customers, all in the cryptocurrency industry.
[...]
The most important moral of this story is that FIDO2-compliant forms of MFA are the gold standard for account security. For those sticking with TOTPs, Google Authenticator is intended to provide a happy medium between usability and security. This balance may make the app useful for individuals who want some form of MFA but also don’t want to run the risk of being locked out of accounts in the event they lose a device. For enterprises like Retool, where security is paramount and admins can manage accounts, it’s woefully inadequate.
Tomi Engdahl says:
German spy chief warns of cyberattacks targeting liquefied natural gas terminals https://therecord.media/german-intelligence-warning-lng-terminals-cyberattacks
Bruno Kahl, the head of Germany’s foreign intelligence service, warned that liquefied natural gas (LNG) terminals in the country could be targeted by state-sponsored hackers.
As a result of the Russian invasion of Ukraine last year — believed to have cut Germany’s GDP by about 2.5% due to its dependence on gas pipelined from Russia — the country chartered three new LNG terminals, with plans for additional facilities in the future.
But these “new LNG landing facilities should be considered possible targets”
for future cyberattacks, warned the spy chief at the Baden-Württemberg Cybersecurity Forum on Friday.
Tomi Engdahl says:
Israeli railroad network targeted in cyberattack by pro-Palestine hackers:
Report
https://www.presstv.ir/Detail/2023/09/17/710988/Israeli-railroad-network-targeted-in-cyberattack-by-pro-Palestine-hackers
Pro-Palestinian hackers have knocked offline the Israeli railroad network, according to a report, less than a week after Iranian hackers reportedly breached the networks of more than 30 companies based in the Israeli-occupied territories.
According to Israeli media outlets, the Cyber Avengers hacker group has revealed information showing that it had targeted the electrical infrastructure of the network.
Last Monday, the Israeli Ynet news website, citing information security company ESET, announced that Iranian hackers had managed to penetrate the networks of about 32 Israeli companies.
Tomi Engdahl says:
Venäjä-mielinen hakkeriryhmä väittää tehneensä verkkohyökkäyksiä ”suomalaista kuljetusalaa” vastaan https://www.hs.fi/talous/art-2000009863515.html
VENÄJÄ-MIELINEN hakkeriryhmä Noname 057(16) väittää Telegram-sivullaan hyökänneensä ”suomalaista kuljetusalaa” vastaan palvelunestohyökkäyksillä.
Ryhmän Telegram-viestin mukaan taustalla on Suomen päätös kieltää Venäjällä rekisteröityjen henkilöautojen maahantulo ”solidaarisuuden osoituksena Baltian maita kohtaan”.
Hakkeriryhmä väitti Telegramissa ”vierailleensa” liikenne- ja viestintävirasto Traficomin, Väyläviraston, Expressbusin sekä Saimaan Saaristo- ja Veneilypalvelut oy:n verkkosivuilla.
Myös https://www.is.fi/digitoday/tietoturva/art-2000009862919.html
Tomi Engdahl says:
Kevin Collier / NBC News:
After over 100 internal Microsoft Xbox documents leaked, the FTC says that “Microsoft was responsible for the error in uploading these documents to the court”
Microsoft’s Xbox plans revealed in emails tied to FTC case
https://www.nbcnews.com/tech/video-games/microsofts-xbox-plans-revealed-emails-tied-ftc-case-rcna105766
The files include emails from corporate executives like Microsoft Gaming CEO Phil Spencer and timetables for gaming releases.
A huge collection of purported Xbox files related to the Federal Trade Commission’s case against Microsoft have been published online, spilling some of the company’s plans for the gaming console into public view.
The files were uploaded Friday to a website hosted by the U.S. District Court for the Northern District of California, where the FTC is suing to block Microsoft’s acquisition of the video game company Activision Blizzard. The court website stopped sharing the files sometime Tuesday morning.
They include more than 100 documents, many of them partially redacted, related to Microsoft’s Xbox plans.
Douglas Farrar, director of the FTC’s office of public affairs, told NBC News that “Microsoft was responsible for the error in uploading these documents to the court.”
Microsoft didn’t respond to a request for comment.
In an order filed Tuesday, Judge Jacqueline Scott Corley made it clear the files weren’t meant to be made public. Microsoft had provided a link to exhibits for the case Thursday, she wrote, and the court uploaded those files, but the parties in the case have since told the court those uploads contained nonpublic information.
Corley instructed both parties to resubmit the exhibits through a “secure cloud link” by Friday.
The files include emails from corporate executives like Microsoft Gaming CEO Phil Spencer and timetables for gaming releases.
ome of the documents include Microsoft Gaming senior employees discussing the value of the exclusive hold they have on key video game titles.
Spencer said in a post on X, the platform formerly known as Twitter, that it was “hard to see our team’s work shared in this way because so much has changed and there’s so much to be excited about right now, and in the future.”
One document shows a list of projections for some major game titles with release dates and the platforms on which they are planned to be made available. That list estimates that the highly anticipated game “The Elder Scrolls VI” won’t be released until 2026 or later and will not be available for PlayStation, which is owned by Sony.
The Verge:
Memo: Phil Spencer tells staff the FTC v. Microsoft documents leak is “disappointing” and that the company failed to live up to its confidentiality expectations — / ‘We all put incredible amounts of passion and energy into our work, and this is never how we want that hard work to be shared with the community.’
Microsoft addresses the huge Xbox leaks: here’s Phil Spencer’s full memo
https://www.theverge.com/2023/9/19/23881174/microsoft-xbox-leak-gaming-phil-spencer-memo
/ ‘We all put incredible amounts of passion and energy into our work, and this is never how we want that hard work to be shared with the community.’
Xbox chief Phil Spencer has just emailed Microsoft employees about the massive Xbox leak that happened earlier today. In the internal memo, obtained by The Verge, Spencer says Microsoft’s Xbox plans “were unintentionally disclosed” as part of the FTC v. Microsoft case. Documents revealed a lot: a disc-less Series X redesign, a 2028 Xbox that could deliver “cloud hybrid games,” a new Xbox controller, unannounced Bethesda games, and even discussions about acquiring Nintendo.
Spencer hints that Microsoft’s plans may have changed, particularly as some documents were from last year, but others were from years prior. “I know this is disappointing, even if many of the documents are well over a year old and our plans have evolved,” says Spencer in his internal memo.
Tomi Engdahl says:
Contents of the Piilopuoti web server seized by Finnish Customs – major breakthrough in the anonymous Tor network https://tulli.fi/en/-/contents-of-the-piilopuoti-web-server-seized-by-finnish-customs-major-breakthrough-in-the-anonymous-tor-network
Finnish Customs has seized the “Piilopuoti” web server in cooperation with foreign authorities, and seized the contents of the server. The web server was operational in the Tor network since 2022.
The Finnish-language website that sold narcotics opened on 18 May 2022. The site operated as a hidden service in the encrypted Tor network. The site has been used in anonymous criminal activities such as narcotics trade. As a rule, the narcotics sold on the site were smuggled to Finland from abroad.
During the preliminary investigation into the case, Finnish Customs has conducted extensive cooperation with German and Lithuanian authorities, as well as Europol, the European Union Agency for Criminal Justice Cooperation (Eurojust), authorities of other countries, and various police units in Finland.
Tomi Engdahl says:
Fake CVE-2023-40477 Proof of Concept Leads to VenomRAT https://unit42.paloaltonetworks.com/fake-cve-2023-40477-poc-hides-venomrat/
Researchers should be aware of threat actors repurposing older proof of concept (PoC) code to quickly craft a fake PoC for a newly released vulnerability. On Aug. 17, 2023, the Zero Day Initiative publicly reported a remote code execution (RCE) vulnerability in WinRAR tracked as CVE-2023-40477.
They had disclosed it to the vendor on June 8, 2023. Four days after the public reporting of CVE-2023-40477, an actor using an alias of whalersplonk committed a fake PoC script to their GitHub repository. [...] We analyzed the fake PoC script and all the links in the infection chain, which ultimately installed a VenomRAT payload.
We do not think the threat actor created this fake PoC script to specifically target researchers. Rather, it is likely the actors are opportunistic and looking to compromise other miscreants trying to adopt new vulnerabilities into their operations.
Tomi Engdahl says:
Bumblebee malware returns in new attacks abusing WebDAV folders https://www.bleepingcomputer.com/news/security/bumblebee-malware-returns-in-new-attacks-abusing-webdav-folders/
Intel471′s researchers report that Bumblebee’s latest campaign, which started on September 7, 2023, abuses the 4shared WebDAV services to distribute the loader, accommodate the attack chain, and perform several post-infection actions.
4Shared is a file-sharing site that allows users to store files in the cloud and access them over WebDAV, FTP, and SFTP. The service was previously listed in the US government’s 2016 Notorious Markets report for the hosting of copyrighted content.
Tomi Engdahl says:
Silent Skimmer: Online Payment Scraping Campaign Shifts Targets From APAC to NALA https://blogs.blackberry.com/en/2023/09/silent-skimmer-online-payment-scraping-campaign-shifts-targets-from-apac-to-nala
In early May this year, the BlackBerry Threat Research and Intelligence team discovered a campaign targeting entities primarily in the Asia-Pacific region, and several victims across North America. The campaign operators exploit vulnerabilities in web applications, particularly those hosted on Internet Information Services (IIS). Their primary objective is to compromise the payment checkout page, and swipe visitors’ sensitive payment data.
Tomi Engdahl says:
CapraTube | Transparent Tribe’s CapraRAT Mimics YouTube to Hijack Android Phones https://www.sentinelone.com/labs/capratube-transparent-tribes-caprarat-mimics-youtube-to-hijack-android-phones/
Transparent Tribe is a suspected Pakistani actor known for targeting military and diplomatic personnel in both India and Pakistan, with a more recent expansion to the Indian Education sector. Since 2018, reports have detailed the group’s use of what is now called CapraRAT, an Android framework that hides RAT features inside of another application. The toolset has been used for surveillance against spear-phishing targets privy to affairs involving the disputed region of Kashmir, as well as human rights activists working on matters related to Pakistan.
Transparent Tribe distributes Android apps outside of the Google Play Store, relying on self-run websites and social engineering to entice users to install a weaponized application.
Tomi Engdahl says:
Chinese Spies Infected Dozens of Networks With Thumb Drive Malware https://www.wired.com/story/china-usb-sogu-malware/
At the mWise security conference today, researchers from cybersecurity firm Mandiant revealed that a China-linked hacker group they’re calling UNC53 has managed to hack at least 29 organizations around the world since the beginning of last year using the old-school approach of tricking their staff into plugging malware-infected USB drives into computers on their networks. While those victims span the United States, Europe, and Asia, Mandiant says many of the infections appear to originate from multinational organizations’
Africa-based operations, in countries including Egypt, Zimbabwe, Tanzania, Kenya, Ghana, and Madagascar. In some cases, the malware—in fact, several variants of a more than decade-old strain known as Sogu—appears to have traveled via USB stick from shared computers in print shops and internet cafés, indiscriminately infecting computers in a widespread data dragnet.
[...] The malware Mandiant found, known as Sogu or sometimes Korplug or PlugX, has been used in non-USB forms by a broad array of largely China-based hacking groups for well over a decade
Tomi Engdahl says:
New ShroudedSnooper actor targets telecommunications firms in the Middle East with novel Implants https://blog.talosintelligence.com/introducing-shrouded-snooper/
Cisco Talos recently discovered a new malware family we’re calling “HTTPSnoop”
being deployed against telecommunications providers in the Middle East.
HTTPSnoop is a simple, yet effective, backdoor that consists of novel techniques to interface with Windows HTTP kernel drivers and devices to listen to incoming requests for specific HTTP(S) URLs and execute that content on the infected endpoint.
We identified DLL- and EXE-based versions of the implants that masquerade as legitimate security software components, specifically extended detection and response (XDR) agents, making them difficult to detect.
Tomi Engdahl says:
Thousands of Juniper Junos firewalls still open to hijacks, exploit code available to all https://www.theregister.com/2023/09/18/juniper_firewalls_rce/
About 79 percent of public-facing Juniper SRX firewalls remain vulnerable to a single security flaw can allow an unauthenticated attacker to remotely execute code on the devices, according to threat intelligence platform provider VulnCheck.
Original at https://vulncheck.com/blog/juniper-cve-2023-36845
Tomi Engdahl says:
‘Cybersecurity Incident’ Hits ICC
The International Criminal Court was hit by what it called “anomalous activity” regarding its IT systems and that it was currently responding to this “cybersecurity incident.”
https://www.securityweek.com/cybersecurity-incident-hits-icc/
The International Criminal Court said Tuesday it had been affected by what it called “anomalous activity” regarding its IT systems and that it was currently responding to this “cybersecurity incident.”
The ICC, which among other things is investigating war crimes in Ukraine, declined to provide further details and said its priority was on ensuring it was able to continue its work.
“At the end of last week, the International Criminal Court’s services detected anomalous activity affecting its information systems,” the court said in a statement.
“Immediate measures were adopted to respond to this cybersecurity incident and to mitigate its impact,” it said.
Tomi Engdahl says:
Kansainvälisen rikostuomioistuimen järjestelmiin tehty tietomurto https://www.hs.fi/ulkomaat/art-2000009866587.html
KANSAINVÄLISEN rikostuomioistuimen (ICC) järjestelmiin on tehty tietomurto, ICC kertoi asiasta tiistaina.
Tietomurrosta kertoi uutistoimisto Reuters.
ICC kertoi havainneensa tietoverkoissaan tavallisesta poikkeavaa toimintaa viime viikon lopulla. ICC:n tiedottaja ei kommentoinut, kuinka vakava tietomurto oli, mihin tietoihin sillä oli päästy käsiksi tai mikä taho sen takana voisi olla.
Tomi Engdahl says:
Behind the scenes of BBtok: analyzing a banker’s server side components https://research.checkpoint.com/2023/behind-the-scenes-of-bbtok-analyzing-a-bankers-server-side-components/
Check Point Research recently discovered an active campaign operating and deploying a new variant of the BBTok banker in Latin America. In the research, we highlight newly discovered infection chains that use a unique combination of Living off the Land Binaries (LOLBins). This resulting in low detection rates, even though BBTok banker operates at least since 2020. As we analyzed the campaign, we came across some of the threat actor’s server-side resources used in the attacks, targeting hundreds of users in Brazil and Mexico.
Tomi Engdahl says:
Canada blames border checkpoint outages on cyberattack https://therecord.media/canada-border-checkpoint-outages-ddos-attack-russia
The Montreal Airport Authority (ADM) told the Canadian newspaper La Presse that a computer outage at check-in kiosks caused significant delays in the processing of arrivals for over an hour at border checkpoints throughout the country, including Montreal-Trudeau International Airport.
“We are working closely with our partners to assess and investigate the situation. The safety and security of Canadians and travelers is the CBSA’s top priority,” said CBSA. “No personal information has been disclosed following these attacks.”
Late last week, Russian hacking group NoName057(16) claimed responsibility for cyberattacks targeting several Canadian organizations, including CBSA, Canadian Air Transport Security Authority, as well as government and financial institutions.
Tomi Engdahl says:
Fresh Wave of Malicious npm Packages Threaten Kubernetes Configs and SSH Keys https://thehackernews.com/2023/09/fresh-wave-of-malicious-npm-packages.html
Cybersecurity researchers have discovered a fresh batch of malicious packages in the npm package registry that are designed to exfiltrate Kubernetes configurations and SSH keys from compromised machines to a remote server.
Sonatype said it has discovered 14 different npm packages so far:
@am-fe/hooks, @am-fe/provider, @am-fe/request, @am-fe/utils, @am-fe/watermark, @am-fe/watermark-core, @dynamic-form-components/mui, @dynamic-form-components/shineout, @expue/app, @fixedwidthtable/fixedwidthtable, @soc-fe/use, @spgy/eslint-plugin-spgy-fe, @virtualsearchtable/virtualsearchtable, and shineouts.
Tomi Engdahl says:
Varo ”MobilePayn” viestiä – tästä syystä viesti näyttää tulevan aidolta lähettäjältä https://www.is.fi/digitoday/tietoturva/art-2000009866036.html
SUOSITUN MobilePay-maksupalvelun nimissä lähetetään vääriä tekstiviestejä, jotka varoittavat olemattomasta 200 euron maksuyrityksestä. Huonolla suomella kirjoitettu viesti kehottaa avaamaan annetun verkkolinkin, mikäli vastaanottaja ei ollut tekemässä tätä maksua.
Tomi Engdahl says:
MGM Resorts Computers Back Up After 10 Days as Analysts Eye Effects of Casino Cyberattacks
https://www.securityweek.com/mgm-resorts-computers-back-up-after-10-days-as-analysts-eye-effects-of-casino-cyberattacks/
MGM Resorts brought its computer systems back online on September 20th after ransomware disrupted operations for 10 days.
MGM Resorts brought to an end a 10-day computer shutdown prompted by efforts to shield from a cyberattack data including hotel reservations and credit card processing, the casino giant said Wednesday, as analysts and academics measured the effects of the event.
“We are pleased that all of our hotels and casinos are operating normally,” the Las Vegas-based company posted on X, the platform formerly known as Twitter. It reported last week that the attack was detected Sept. 10.
Rival casino owner Caesars Entertainment also disclosed last week to federal regulators that it was hit by a cyberattack Sept. 7. It said that its casino and online operations were not disrupted but it could not guarantee that personal information about tens of millions of customers, including driver’s licenses and Social Security numbers of loyalty rewards members, had not been compromised.
Caesars, based in Reno, is widely reported to have paid $15 million of a $30 million ransom sought by a group called Scattered Spider for a promise to secure the data.
Tomi Engdahl says:
Apple emergency updates fix 3 new zero-days exploited in attacks https://www.bleepingcomputer.com/news/apple/apple-emergency-updates-fix-3-new-zero-days-exploited-in-attacks/
Apple released emergency security updates to patch three new zero-day vulnerabilities exploited in attacks targeting iPhone and Mac users, for a total of 16 zero-days fixed this year.
All three zero-days were found and reported by Bill Marczak of the Citizen Lab at The University of Toronto’s Munk School and Maddie Stone of Google’s Threat Analysis Group.