Cyber security news September 2023

This posting is here to collect cyber security news in September 2023.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.

314 Comments

  1. Tomi Engdahl says:

    Cybercriminals Exploit the Moroccan Tragedy in New Scam Campaign https://www.trendmicro.com/en_us/research/23/i/cybercriminals-exploit-the-moroccan-tragedy-in-new-scam-campaign.html

    Cybercriminals have always exploited instances of natural calamities to prey on innocent people. This blog post exposes a scam that has taken advantage of the earthquake in Morocco by deceiving users to buy relief equipment purportedly meant to aid quake victims.

    Reply
  2. Tomi Engdahl says:

    P2PInfect botnet activity surges 600x with stealthier malware variants https://www.bleepingcomputer.com/news/security/p2pinfect-botnet-activity-surges-600x-with-stealthier-malware-variants/

    The P2PInfect botnet worm is going through a period of highly elevated activity volumes starting in late August and then picking up again in September 2023.

    Cado Security researchers, who have been following the botnet since late July 2023, report today seeing global activity, with most breaches impacting systems in China, the United States, Germany, Singapore, Hong Kong, the UK, and Japan.

    P2PInfect was first documented by Unit 42 in July 2023 as a peer-to-peer malware that breaches Redis instances using a remote code execution flaw on internet-exposed Windows and Linux systems.

    Reply
  3. Tomi Engdahl says:

    Police warn new Android malware scam can factory reset phones; over S$10 million lost in first half of 2023
    https://www.channelnewsasia.com/singapore/android-malware-scam-factory-reset-phone-police-3785801

    SINGAPORE: The police on Wednesday (Sep 20) issued an advisory about a new variant of Android malware scams, where scammers would initiate a factory reset on infected devices after the malware executes unauthorised transactions on the phone’s i-banking app.

    Reply
  4. Tomi Engdahl says:

    Remote Code Execution in Tutanota Desktop due to Code Flaw https://www.sonarsource.com/blog/remote-code-execution-in-tutanota-desktop-due-to-code-flaw/

    In June 2022, the Sonar Research team discovered critical code vulnerabilities in multiple encrypted email solutions, including Proton Mail, Skiff, and Tutanota. These privacy-oriented webmail services provide end-to-end encryption, making communications safe in transit and at rest. Our findings affect their web clients, where the messages are decrypted with the user’s keys; mobile clients were unaffected.

    The vulnerabilities would have allowed attackers to steal emails and impersonate victims if they interacted with malicious messages. The issue has been fixed, and there are no signs of in-the-wild exploitation.

    Reply
  5. Tomi Engdahl says:

    Old trojan strikes unpatched Excel
    https://etn.fi/index.php/13-news/15346-vanha-troijalainen-iskee-paeivittaemaettoemaeaen-exceliin

    Cybersecurity company Fortinet has published a report on a new version of the notorious Agent Tesla trojan. This well-known malware family infiltrates the machine by means of a .NET-based remote-controlled trojan and a so-called info-stealer.

    Agent Tesla attacks are often carried out as malware-as-a-service, i.e. as an attack kit that can be deployed without any special technical expertise. The trojan has been known for several years. The new version is spread using Excel files, whose known CVE-2017-11882 and CVE-2018 vulnerabilities cybercriminals use to execute the malware.

    Reply
  6. Tomi Engdahl says:

    Tor-Based Drug Marketplace Piilopuoti Shut Down by Law Enforcement
    https://www.securityweek.com/tor-based-drug-marketplace-piilopuoti-shut-down-by-law-enforcement/

    Finnish authorities have seized the drugs marketplace Piilopuoti, which has been operating on the Tor network since May 2022.

    Reply
  7. Tomi Engdahl says:

    Microsoft AI Researchers Expose 38TB of Data, Including Keys, Passwords and Internal Messages

    Exposed data includes backup of employees workstations, secrets, private keys, passwords, and over 30,000 internal Microsoft Teams messages.

    https://www.securityweek.com/microsoft-ai-researchers-expose-38tb-of-data-including-keys-passwords-and-internal-messages/

    Reply
  8. Tomi Engdahl says:

    Fortinet Patches High-Severity Vulnerabilities in FortiOS, FortiProxy, FortiWeb Products
    https://www.securityweek.com/fortinet-patches-high-severity-vulnerabilities-in-fortios-fortiproxy-fortiweb-products/

    Fortinet has released patches for a high-severity cross-site scripting vulnerability impacting its enterprise firewalls and switches.

    Fortinet has released patches for a high-severity cross-site scripting (XSS) vulnerability impacting multiple FortiOS and FortiProxy versions.

    Tracked as CVE-2023-29183 (CVSS score of 7.3), the security defect is described as an “improper neutralization of input during web page generation”.

    Reply
  9. Tomi Engdahl says:

    https://www.securityweek.com/venafi-leverages-generative-ai-to-manage-machine-identities/

    Machine identity firm Venafi has launched a proprietary generative AI (gen-AI) model to help with the mammoth, complex, and expanding problem of managing machine identities.

    Reply
  10. Tomi Engdahl says:

    Cisco to Acquire Splunk for $28 Billion
    https://www.securityweek.com/cisco-boosts-cybersecurity-capabilities-with-28-billion-splunk-acquisition/

    Cisco will boost its cybersecurity capabilities by shelling out $28 billion to buy Splunk, which Cisco says will drive the next generation of AI-enabled security and observability.

    Cisco on Thursday announced that it has entered into a definitive agreement to acquire data analysis, security and observability solutions provider Splunk (NASDAQ: SPLK) in a deal valued at $28 billion.

    The networking giant is prepared to pay $157 per share in cash for Splunk, with the acquisition expected to close by the end of the third quarter calendar year 2024. Cisco said the deal will help accelerate revenue growth and gross margin expansion.

    Following the acquisition, Splunk President and CEO Gary Steele will join Cisco’s executive team and will report to Cisco CEO and Chair Chuck Robbins.

    Splunk’s AI, security and observability capabilities complement Cisco’s offering.

    “Uniting with Cisco represents the next phase of Splunk’s growth journey, accelerating our mission to help organizations worldwide become more resilient, while delivering immediate and compelling value to our shareholders,” Steele said.

    Reply
  11. Tomi Engdahl says:

    The entire point of the CVE system is to identify the origin of a vulnerability so anyone making or using software downstream from the origin can easily tell if they’re vulnerable. And if the CVEs cover the same underlying vulnerability, the teams involved in its discovery should have coordinated and made that clear.

    Incomplete disclosures by Apple and Google create “huge blindspot” for 0-day hunters
    No one mentioned that libwebp, a library found in millions of apps, was a 0-day origin.
    https://arstechnica.com/security/2023/09/incomplete-disclosures-by-apple-and-google-create-huge-blindspot-for-0-day-hunters/?utm_source=facebook&utm_brand=ars&utm_social-type=owned&utm_medium=social&fbclid=IwAR0adkCktQ_P1gH5jQEurWump7XTHgSFF8JWu3EdY9pipu2zOJW2eOHz4Do

    Incomplete information included in recent disclosures by Apple and Google reporting critical zero-day vulnerabilities under active exploitation in their products has created a “huge blindspot” that’s causing a large number of offerings from other developers to go unpatched, researchers said Thursday.

    Two weeks ago, Apple reported that threat actors were actively exploiting a critical vulnerability in iOS so they could install espionage spyware known as Pegasus. The attacks used a zero-click method, meaning they required no interaction on the part of targets. Simply receiving a call or text on an iPhone was enough to become infected by the Pegasus, which is among the world’s most advanced pieces of known malware.

    Four days later, Google reported a critical vulnerability in its Chrome browser. The company said the vulnerability was what’s known as a heap buffer overflow that was present in WebP. Google went on to warn that an exploit for the vulnerability existed in the wild. Google said that the vulnerability, designated as CVE-2023-4863, was reported by the Apple Security Engineering and Architecture team and Citizen Lab.

    On Thursday, researchers from security firm Rezillion published evidence that they said made it “highly likely” both indeed stemmed from the same bug, specifically in libwebp, the code library that apps, operating systems, and other code libraries incorporate to process WebP images.

    Rather than Apple, Google, and Citizen Lab coordinating and accurately reporting the common origin of the vulnerability, they chose to use a separate CVE designation, the researchers said. The researchers concluded that “millions of different applications” would remain vulnerable until they, too, incorporated the libwebp fix. That, in turn, they said, was preventing automated systems that developers use to track known vulnerabilities in their offerings from detecting a critical vulnerability that’s under active exploitation.

    “Since the vulnerability is scoped under the overarching product containing the vulnerable dependency, the vulnerability will only be flagged by vulnerability scanners for these specific products,” Rezillion researchers Ofri Ouzan and Yotam Perkal wrote. “This creates a HUGE blindspot for organizations blindly relying on the output of their vulnerability scanner.”

    Google has further come under criticism for limiting the scope of CVE-2023-4863 to Chrome rather than in libwebp. Further, the official description describes the vulnerability as a heap buffer overflow in WebP in Google Chrome.

    In an email, a Google representative wrote: “Many platforms implement WebP differently. We do not have any details about how the bug impacts other products

    The representative noted that the WebP image format is mentioned in its disclosure and the official CVE page. The representative didn’t explain why the official CVE and Google’s disclosure did not mention the widely used libwebp library or that other software was also likely to be vulnerable.

    The Google representative didn’t answer a question asking if CVE-2023-4863 and CVE-2023-41064 stemmed from the same vulnerability.

    The number of apps, frameworks, code libraries, and other packages that incorporate libwebp and have yet to receive a patch is unknown. While Microsoft patched CVE-2023-4863 in its Edge browser, the company confirmed in an email on Thursday that other vulnerable products and code packages had yet to be patched.

    Microsoft offerings known to remain vulnerable are Teams, a widely used collaboration platform, and the developer tool Visual Studio Code.

    Both products are built on the Electron framework, which was also affected by CVE-2023-4863.

    The number of affected software packages is too large to check all of them.

    Reply
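    The blindspot described in the comment above is easy to reproduce with a dependency inventory. The following script is an added example, not code from the Ars Technica article or from Rezillion: it reads a constructed, CycloneDX-style SBOM (component names mirror the products the article mentions, all versions are hypothetical, and the "fixed" libwebp version is a placeholder that a real run would take from the advisory) and contrasts a scanner that matches on the CVE's named product with one that walks the dependency graph to find every component bundling a vulnerable libwebp.

    ```python
    """Added example (not from the article or from Rezillion): contrast a
    product-scoped CVE match with a dependency-scoped one over a constructed
    CycloneDX-style SBOM, to show which dependents a product-scoped CVE misses."""
    import json

    # Constructed SBOM for the demo. Component names mirror products named in the
    # article (Chrome, Electron, Teams, VS Code); every version here is made up,
    # and only the libwebp version matters for the vulnerability check.
    SAMPLE_SBOM = json.dumps({
        "components": [
            {"name": "libwebp", "version": "1.0.0"},
            {"name": "chrome", "version": "0.1.0"},
            {"name": "electron", "version": "0.1.0"},
            {"name": "teams-desktop", "version": "0.1.0"},
            {"name": "vscode", "version": "0.1.0"},
            {"name": "zlib", "version": "0.1.0"},
            {"name": "image-tool", "version": "0.1.0"},
        ],
        "dependencies": [
            {"ref": "chrome", "dependsOn": ["libwebp", "zlib"]},
            {"ref": "electron", "dependsOn": ["libwebp", "zlib"]},
            {"ref": "teams-desktop", "dependsOn": ["electron"]},
            {"ref": "vscode", "dependsOn": ["electron"]},
            {"ref": "image-tool", "dependsOn": ["zlib"]},
        ],
    })

    # Placeholder: a real run takes the fixed libwebp version from the advisory.
    FIXED_LIBWEBP_PLACEHOLDER = "1.0.1"


    def parse_version(text):
        """Turn a dotted version string into a comparable tuple of integers."""
        return tuple(int(part) for part in text.split("."))


    def load_sbom(text):
        """Return (name -> version, name -> set of direct dependencies)."""
        doc = json.loads(text)
        versions = {c["name"]: c["version"] for c in doc["components"]}
        graph = {d["ref"]: set(d.get("dependsOn", [])) for d in doc.get("dependencies", [])}
        return versions, graph


    def product_scoped_matches(versions, affected_products):
        """What a scanner keyed only on the CVE's named products reports."""
        return sorted(name for name in versions if name in affected_products)


    def dependency_scoped_matches(versions, graph, library, fixed_version):
        """Every component whose transitive dependency closure contains a
        vulnerable build of `library` (plus the library itself)."""
        if library not in versions:
            return []
        if parse_version(versions[library]) >= parse_version(fixed_version):
            return []  # the bundled copy already carries the fix
        hits = {library}
        for root in graph:
            stack, seen = [root], set()
            while stack:  # depth-first walk of the dependency graph from `root`
                node = stack.pop()
                if node in seen:
                    continue
                seen.add(node)
                if node == library:
                    hits.add(root)
                    break
                stack.extend(graph.get(node, ()))
        return sorted(hits)


    def blindspot(versions, graph, library, fixed_version, affected_products):
        """Components the dependency walk flags that the product match does not."""
        by_product = set(product_scoped_matches(versions, affected_products))
        by_dependency = set(dependency_scoped_matches(versions, graph, library, fixed_version))
        return sorted(by_dependency - by_product)


    if __name__ == "__main__":
        versions, graph = load_sbom(SAMPLE_SBOM)
        print("product-scoped   :", product_scoped_matches(versions, {"chrome"}))
        print("dependency-scoped:",
              dependency_scoped_matches(versions, graph, "libwebp", FIXED_LIBWEBP_PLACEHOLDER))
        print("blindspot        :",
              blindspot(versions, graph, "libwebp", FIXED_LIBWEBP_PLACEHOLDER, {"chrome"}))
    ```

    The product-scoped match returns only `chrome`; the dependency walk also surfaces `electron` and the two Electron-based applications that inherit the bundled library, which is exactly the set a scanner keyed on the CVE's product name would leave unpatched.
    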
  12. Tomi Engdahl says:

    Data breach at a company delivering Tena products – personal data of thousands of customers at risk
    https://yle.fi/a/74-20051516

    Westlog Oy, which delivers Tena (incontinence) products, has been the target of a cyberattack and a personal data breach.

    The personal data leak affects customers in the region who use these products in assisted-living facilities and in home care, as well as customers who use the products as a care supply.

    According to a bulletin from the Satakunta wellbeing services county, the breach may involve customers' names, contact details, information about orders placed, and any personal identity code that was stored in the system. The personal identity code may have been compromised for customers who ordered products by paper invoice and with a special power of attorney.

    According to current information, the breach affects several thousand customers.

    Reply
  13. Tomi Engdahl says:

    Hotel hackers redirect guests to fake Booking.com to steal cards https://www.bleepingcomputer.com/news/security/hotel-hackers-redirect-guests-to-fake-bookingcom-to-steal-cards/

    Security researchers discovered a multi-step information stealing campaign where hackers breach the systems of hotels, booking sites, and travel agencies and then use their access to go after financial data belonging to customers.

    By using this indirect approach and a fake Booking.com payment page, cybercriminals have found a combination that ensures a significantly better success rate at collecting credit card information.

    Reply
  14. Tomi Engdahl says:

    ‘Sandman’ hackers backdoor telcos with new LuaDream malware https://www.bleepingcomputer.com/news/security/sandman-hackers-backdoor-telcos-with-new-luadream-malware/

    A previously unknown threat actor dubbed ‘Sandman’ targets telecommunication service providers in the Middle East, Western Europe, and South Asia, using a modular info-stealing malware named ‘LuaDream.’

    This malicious activity was discovered by SentinelLabs in collaboration with QGroup GmbH in August 2023, who named the threat actor and malware after the backdoor’s internal name of ‘DreamLand client.’

    The operational style of Sandman is to keep a low profile to evade detection while performing lateral movement and maintaining long-term access to breached systems to maximize its cyberespionage operations.

    Reply
  15. Tomi Engdahl says:

    AI-generated books force Amazon to cap e-book publications to 3 per day https://arstechnica.com/information-technology/2023/09/ai-generated-books-force-amazon-to-cap-ebook-publications-to-3-per-day/

    On Monday, Amazon introduced a new policy that limits Kindle authors from self-publishing more than three books per day on its platform, reports The Guardian. The rule comes as Amazon works to curb abuses of its publication system from an influx of AI-generated books.

    Since the launch of ChatGPT, an AI assistant that can compose text in almost any style, some news outlets have reported a marked increase in AI-authored books, including some that seek to fool others by using established author names. Despite the anecdotal observations, Amazon is keeping its cool about the scale of the AI-generated book issue for now. “While we have not seen a spike in our publishing numbers,” they write, “in order to help protect against abuse, we are lowering the volume limits we have in place on new title creations.”

    Reply
  16. Tomi Engdahl says:

    US govt IT help desk techie ‘leaked top secrets’ to foreign nation https://www.theregister.com/2023/09/21/it_help_desk_guy_arrested/

    A US government worker has been arrested and charged with spying for Ethiopia, according to court documents unsealed Thursday.

    Abraham Lemma, 50, a Silver Springs, Maryland resident and a naturalized United States citizen who was born in Ethiopia, was detained on August 24 after allegedly sending classified US national defense information to an Ethiopian intelligence agent. He has worked in various American government agencies since 2019.

    Reply
  17. Tomi Engdahl says:

    The latest Windows 11 update will help you ditch passwords for good https://www.theverge.com/2023/9/22/23885212/microsoft-windows-11-update-passkey-support-availability-date

    Microsoft’s incoming Windows 11 update will introduce public support for passkeys — a passwordless login technology that instead uses your face, fingerprint, or device PIN to sign into accounts. Announced at Microsoft’s AI and Surface launch event on Thursday, the latest Windows 11 update (available from September 26th) will allow users to create, manage, and store passkeys, and use them to access supported websites and services using their device’s own authentication systems.

    Microsoft began testing passkey management in the Windows Insider developer channel back in June, so this Windows 11 update is bringing the technology into general availability.

    Reply
  18. Tomi Engdahl says:

    Recently patched Apple, Chrome zero-days exploited in spyware attacks https://www.bleepingcomputer.com/news/security/recently-patched-apple-chrome-zero-days-exploited-in-spyware-attacks/

    Security researchers with The Citizen Lab and Google’s Threat Analysis Group (TAG) revealed today that three zero-days patched by Apple on Thursday were abused as part of an exploit chain to install Cytrox’s Predator spyware.

    Between May and September 2023, the attackers exploited the bugs (CVE-2023-41991, CVE-2023-41992, and CVE-2023-41993) in attacks using decoy SMS and WhatsApp messages to target former Egyptian MP Ahmed Eltantawy after announcing plans to join the Egyptian presidential election in 2024.

    Google TAG also observed the attackers using a separate exploit chain to drop Predator spyware on Android devices in Egypt, exploiting CVE-2023-4762—a Chrome bug patched on September 5th—as a zero-day to gain remote code execution.

    Reply
  19. Tomi Engdahl says:

    Traficom again hit by a denial-of-service attack https://www.is.fi/digitoday/art-2000009875748.html

    Traficom announced on Saturday morning, among other channels on the messaging service X, that its electronic services were the target of a denial-of-service attack and that mitigation measures were under way. The situation was however resolved fairly quickly, and according to Traficom the services were reachable again around noon.

    Traficom has been the target of denial-of-service attacks several times recently. The agency last reported a denial-of-service attack against its website on Monday. The attack on Traficom before that was reported the week before last.

    Reply
  20. Tomi Engdahl says:

    ”Fundamental rights in the trash” – EU's intention to spy on all communications draws heavy criticism
    https://www.kauppalehti.fi/uutiset/perusoikeudet-romukoppaan-eun-aikomus-vakoilla-kaikkea-viestiliikennetta-saa-raskasta-kritiikkia/6c311186-7ac8-4a17-82a9-53277909e719

    Ficom, the Finnish Federation for Communications and Teleinformatics, criticises the European Commission's proposed regulation laying down rules to prevent and combat child sexual abuse.

    ”This would lead to a serious restriction of fundamental and human rights and would also hamper the pursuit of other legitimate objectives, such as information security,” writes Ficom lawyer Asko Metsola.

    The European Parliament's own supplementary impact assessment is in line with Ficom's view, Ficom says.

    Reply
  21. Tomi Engdahl says:

    Drug sales site operating on the Tor network caught in Customs' net
    https://www.tivi.fi/uutiset/tv/72a25f56-8d86-40a4-930d-da357b89d930

    Finnish Customs says it has, in cooperation with foreign authorities, shut down the web server of Piilopuoti, which had operated on the Tor network since 2022, and seized its contents.

    Piilopuoti was a Finnish-language drug sales site on the encrypted Tor network that opened on 18 May 2022. The site was used for criminal purposes, such as selling narcotics under the cover of anonymity. The narcotics sold on the site were as a rule smuggled into Finland from abroad.

    Reply
  22. Tomi Engdahl says:

    Dallas says Royal ransomware breached its network using stolen account https://www.bleepingcomputer.com/news/security/dallas-says-royal-ransomware-breached-its-network-using-stolen-account/

    The City of Dallas, Texas, said this week that the Royal ransomware attack that forced it to shut down all IT systems in May started with a stolen account.

    Royal gained access to the City’s network using a stolen domain service account in early April and maintained access to the compromised systems between April 7 and May 4.

    During this period, they successfully collected and exfiltrated 1.169 TB worth of files based on system log data analysis conducted by city officials and external cybersecurity experts.

    The Royal ransomware gang is believed to have emerged as an offshoot of the Conti cybercrime gang, gaining prominence after Conti shut down operations.

    Reply
  23. Tomi Engdahl says:

    Nigerian man pleads guilty to attempted $6 million BEC email heist https://www.bleepingcomputer.com/news/security/nigerian-man-pleads-guilty-to-attempted-6-million-bec-email-heist/

    Kosi Goodness Simon-Ebo, a 29-year-old Nigerian national extradited from Canada to the United States last April, pleaded guilty to wire fraud and money laundering through business email compromise (BEC).

    Simon-Ebo admitted that in 2017, while he resided in South Africa, he conspired with others in the U.S. to compromise business and employee email accounts. The scammers then used these accounts to contact businesses with spoofed sender addresses to make it appear that the emails came from trustworthy partners.

    The emails contained payment requests and wiring instructions that resulted in the victims sending money to bank accounts controlled by Simo-Ebo and his co-conspirators.

    Reply
  24. Tomi Engdahl says:

    New Apple Zero-Days Exploited to Target Egyptian ex-MP with Predator Spyware https://thehackernews.com/2023/09/latest-apple-zero-days-used-to-hack.html

    The three zero-day flaws addressed by Apple on September 21, 2023, were leveraged as part of an iPhone exploit chain in an attempt to deliver a spyware strain called Predator targeting former Egyptian member of parliament Ahmed Eltantawy between May and September 2023.

    “The targeting took place after Eltantawy publicly stated his plans to run for President in the 2024 Egyptian elections,” the Citizen Lab said, attributing the attack with high confidence to the Egyptian government owing to it being a known customer of the commercial spying tool.

    According to a joint investigation conducted by the Canadian interdisciplinary laboratory and Google’s Threat Analysis Group (TAG), the mercenary surveillance tool is said to have been delivered via links sent on SMS and WhatsApp.

    Reply
  25. Tomi Engdahl says:

    A used-car buyer knows to demand the keys, but removing the car's app from the previous owner's phone may not come to mind
    https://yle.fi/a/74-20049325

    EU data protection authorities in several countries are handling complaints about car apps. In one case the previous owner still had access, through the app, to the data of the car they had sold.

    With electrification, cars' own apps have spread rapidly. The phone is a handy device for managing and monitoring charging.

    But apps have also become common for cars with combustion engines. Pekka Pättiniemi, CEO of the car dealer Delta, estimates that at present all new cars in the mid-price range and above already have their own app.

    – The most commonly used connectivity feature is switching the heating on remotely. Another is confirming that the car is locked. And then there is tracking the car's location, Pättiniemi says.

    All of these features are useful – especially when the app is linked to your own car.

    In recent years, internet discussion forums have carried accounts of cases in which the data of a car sold second-hand was left behind in the previous owner's app. In such cases the previous owner has been able to track the car's movements and, if they wished, adjust its settings.

    – If the new owner doesn't know about the feature and doesn't think to transfer it to their own phone, then this can happen, Pättiniemi says.

    Reply
  26. Tomi Engdahl says:

    Air Canada discloses data breach of employee and ‘certain records’
    https://www.bleepingcomputer.com/news/security/air-canada-discloses-data-breach-of-employee-and-certain-records/

    Air Canada, the flag carrier and the largest airline of Canada, disclosed a cyber security incident this week in which hackers “briefly” obtained limited access to its internal systems.

    According to the airline, the incident resulted in the theft of a limited amount of personal information of some of its employees and “certain records.” Customer data was not affected.

    Reply
  27. Tomi Engdahl says:

    Egyptian opposition politician hacked with Predator spyware, researchers confirm https://therecord.media/egyptian-opposition-politican-ahmed-altantawy-spyware-predator

    The phone of Egyptian opposition politician Ahmed Eltantawy was recently targeted with Predator spyware, in a campaign that researchers at the digital forensics organization Citizen Lab believe was carried out with the knowledge of the Egyptian government.

    Along with Google’s Threat Analysis Group, the University of Toronto-affiliated Citizen Lab published the results of the investigation on Friday, saying Eltantawy was targeted with spyware between May and September of this year. Three zero-day vulnerabilities patched by Apple on Thursday were exploited in the attacks.

    The attempted surveillance began after Eltantawy, a former member of Parliament, announced that he would run for president in March, the report said. Twelve members of his family and his supporters have been arrested.

    Reply
  28. Tomi Engdahl says:

    P2PInfect botnet activity surges 600x with stealthier malware variants
    https://www.bleepingcomputer.com/news/security/p2pinfect-botnet-activity-surges-600x-with-stealthier-malware-variants/

    The P2PInfect botnet worm is going through a period of highly elevated activity volumes starting in late August and then picking up again in September 2023.

    P2PInfect was first documented by Unit 42 in July 2023 as a peer-to-peer malware that breaches Redis instances using a remote code execution flaw on internet-exposed Windows and Linux systems.

    Cado Security researchers, who have been following the botnet since late July 2023, report today seeing global activity, with most breaches impacting systems in China, the United States, Germany, Singapore, Hong Kong, the UK, and Japan.

    “This increase in P2Pinfect traffic has coincided with a growing number of variants seen in the wild, suggesting that the malware’s developers are operating at an extremely high development cadence,” explains Cado.

    Unclear goals
    Cado reports that the P2PInfect variants it observed recently attempted to fetch a miner payload but did not see actual cryptomining activity on compromised devices. Therefore, it’s unclear if the malware operators are still experimenting with the final step of the attack.

    The botnet’s operators may be enhancing the miner component or seeking buyers of subscriptions to P2PInfect, so they use the miner as a dummy for demonstration.

    Given the current botnet’s size, spread, self-updating features, and fast expansion this month, P2PInfect is a substantial threat to keep an eye on.

    Cado Security Labs Researchers Witness a 600X Increase in P2Pinfect Traffic
    https://www.cadosecurity.com/cado-security-labs-researchers-witness-a-600x-increase-in-p2pinfect-traffic/

    Key Takeaways
    Cado Security Labs researchers have witnessed a 600x increase in P2Pinfect traffic since August 28th
    A 12.3% increase in traffic occurred in the week prior to publication of this blog
    P2Pinfect compromises have been observed in China, the United States, Germany, the United Kingdom, Singapore, Hong Kong and Japan
    Instances in both East-asian and American Cloud Service Providers (CSPs) are being leveraged as P2Pinfect peers

    Reply
  29. Tomi Engdahl says:

    Tor-Based Drug Marketplace Piilopuoti Shut Down by Law Enforcement
    Finnish authorities have seized the drugs marketplace Piilopuoti, which has been operating on the Tor network since May 2022.
    https://www.securityweek.com/tor-based-drug-marketplace-piilopuoti-shut-down-by-law-enforcement/

    Authorities in Finland and Europol on Tuesday announced the seizure of Piilopuoti, a drugs marketplace operating on the Tor network since May 2022.

    Designed to facilitate free and anonymous internet browsing and communication, the Tor network is also used by cybercriminals to conduct illegal activities, including the sales of malware, drugs, weapons, and other illicit goods.

    A Finnish-language website, Piilopuoti was opened last year as a hidden service, enabling the anonymous trade of narcotics that were typically smuggled into Finland from abroad, the Finnish authorities say.

    Finnish Customs investigated the dark web site in cooperation with German and Lithuanian authorities, Europol, Eurojust, and private cybersecurity companies.

    Reply
  30. Tomi Engdahl says:

    Google failed to correct its map service despite warnings about the broken bridge two years before the accident, according to the lawsuit. https://trib.al/EwW0ycD

    Reply
  31. Tomi Engdahl says:

    Cyberattack hit a subcontractor for Tena products – in the Päijät-Häme wellbeing services county the data security of about 6,200 customers may have been compromised https://yle.fi/a/74-20051778?origin=rss

    A cyberattack was carried out in August on the information system of Westlog Oy, which handles deliveries of Tena products in several wellbeing services counties.

    The company acts as a subcontractor for Essity Oy, which sells incontinence products.

    The possible data security breach concerns about 6,200 customers in Päijät-Häme.

    The cyberattack has not compromised our own customer and patient information systems, the Päijät-Häme wellbeing services county says in a bulletin.

    Reply
  32. Tomi Engdahl says:

    Xenomorph Android malware now targets U.S. banks and crypto wallets https://www.bleepingcomputer.com/news/security/xenomorph-android-malware-now-targets-us-banks-and-crypto-wallets/

    Security researchers discovered a new campaign that distributes a new version of the Xenomorph malware to Android users in the United States, Canada, Spain, Italy, Portugal, and Belgium.

    The latest version of Xenomorph is targeting users of cryptocurrency wallets and various U.S. financial institutions.

    Xenomorph first appeared in the wild in early 2022, operating as a banking trojan that targeted 56 European banks through screen overlay phishing. It was distributed through Google Play, where it counted over 50,000 installations.
    Its authors, “Hadoken Security,” continued development, and in June 2022, they released a rewritten version that made the malware modular and more flexible.

    Reply
  33. Tomi Engdahl says:

    New stealthy and modular Deadglyph malware used in govt attacks https://www.bleepingcomputer.com/news/security/new-stealthy-and-modular-deadglyph-malware-used-in-govt-attacks/

    A novel and sophisticated backdoor malware named ‘Deadglyph’ was seen used in a cyberespionage attack against a government agency in the Middle East.

    The Deadglyph malware is attributed to the Stealth Falcon APT (aka Project Raven or FruityArmor), a state-sponsored hacking group from the United Arab Emirates (UAE).

    The hacking group has been known for targeting activists, journalists, and dissidents for almost a decade.

    Reply
  34. Tomi Engdahl says:

    Ransomware group Ransomed.vc claims to have successfully breached Sony Group and is threatening to sell a cache of data stolen from the Japanese company.
    https://www.videogameschronicle.com/news/a-ransomware-group-claims-to-have-beached-all-sony-systems/

    While its claims remain unverified, Cyber Security Connect reports that the relative ransomware newcomer “has racked up an impressive amount of victims” since bursting onto the scene last month.

    “We have successfully compromissed [sic] all of sony systems,” the group claimed on both the clear and dark nets. “We won’t ransom them! We will sell the data. Due to Sony not wanting to pay. DATA IS FOR SALE.”

    Reply
  35. Tomi Engdahl says:

    Navigating the Digital Frontier in Cybersecurity Awareness Month 2023
    https://www.securityweek.com/navigating-the-digital-frontier-in-cybersecurity-awareness-month-2023/

    ZTNA stands out as a solution that enables organizations to minimize their attack surface while ensuring the productivity and security of their remote workforce.

    This October will mark the 20th anniversary of Cybersecurity Awareness Month, a pivotal initiative launched under the guidance of the U.S. Department of Homeland Security and the National Cyber Security Alliance (NCSA). Its primary goal is to empower Americans with knowledge that enables them to stay safe and secure online.

    In the spirit of reflection, this year’s campaign theme, “20 Years of Cybersecurity Awareness Month”, takes a critical look at the evolution of security education and awareness, while also examining the path ahead in securing our interconnected world. This year’s NCSA campaign will put a spotlight on crucial cybersecurity practices, including the importance of regularly updating software, recognizing and reporting phishing attempts, enabling multi-factor authentication (MFA), using strong passwords, and employing password managers. While these fundamentals are undeniably vital, organizations must recognize the need to go beyond them to fortify their cyber resilience.

    Hackers often choose the path of least resistance, typically targeting the weakest link in the cybersecurity chain—humans. As a result, a significant number of data breaches today stem from credential harvesting campaigns, often followed by credential stuffing attacks. Once attackers infiltrate a network, they can laterally traverse it, seeking privileged accounts and credentials that provide access to an organization’s most sensitive data and critical infrastructure. Consequently, it comes as no surprise that IBM Security’s Cost of Data Breach Report for 2023 identifies stolen or compromised credentials as the most common initial attack vector, accounting for 15% of data breaches.

    Reply
  36. Tomi Engdahl says:

    Tracking & Law Enforcement
    Researchers Discover Attempt to Infect Leading Egyptian Opposition Politician With Predator Spyware
    https://www.securityweek.com/predator-spyware-delivered-to-ios-android-devices-via-zero-days-mitm-attacks/

    Egyptian opposition politician Ahmed Altantawy was targeted with spyware after announcing a presidential bid, security researchers reported

    A leading Egyptian opposition politician was targeted with spyware after announcing a presidential bid, security researchers reported Friday. They said Egyptian authorities were likely behind the attempted hack.

    Discovery of the attempt last week by researchers at Citizen Lab and Google’s Threat Analysis Group prompted Apple to rush out operating system updates for iPhones, iPads, Mac computers and Apple Watches to patch the associated vulnerabilities.

    Citizen Lab said in a blog post that recent attempts to hack former Egyptian lawmaker Ahmed Altantawy involved configuring his connection to the Vodafone Egypt mobile network to automatically infect his devices with the Predator spyware if he visited certain websites not using the secure HTTPS protocol.

    Reply
  37. Tomi Engdahl says:

    City of Dallas Details Ransomware Attack Impact, Costs
    https://www.securityweek.com/city-of-dallas-details-ransomware-attack-impact-costs/

    City of Dallas has approved an $8.5 million budget to restore systems following a Royal ransomware attack in May 2023.

    Reply
  38. Tomi Engdahl says:

    Data Breaches
    900 US Schools Impacted by MOVEit Hack at National Student Clearinghouse
    https://www.securityweek.com/900-us-schools-impacted-by-moveit-hack-at-national-student-clearinghouse/

    Nearly 900 US schools are impacted by the MOVEit hack at the educational nonprofit National Student Clearinghouse.

    Reply
  39. Tomi Engdahl says:

    Cybercrime
    Nigerian Pleads Guilty in US to Million-Dollar BEC Scheme Role
    https://www.securityweek.com/nigerian-pleads-guilty-in-us-to-million-dollar-bec-scheme-role/

    Kosi Goodness Simon-Ebo, a Nigerian national, pleaded guilty in a US court to his involvement in a million-dollar BEC fraud scheme.

    Reply
  40. Tomi Engdahl says:

    New ‘Sandman’ APT Group Hitting Telcos With Rare LuaJIT Malware
    https://www.securityweek.com/new-sandman-apt-group-hitting-telcos-with-rare-luajit-malware/

    New and mysterious APT Sandman spotted targeting telcos in Europe and Asia as part of a cyberespionage campaign.

    A new and mysterious APT group has been spotted targeting telco service providers in Europe and Asia as part of what appears to be a cyberespionage campaign, according to a joint investigation by SentinelLabs and QGroup GmbH.

    According to SentinelLabs researcher Aleksandar Milenkoski, the shadowy APT group is using a sophisticated modular backdoor based on Lua, the lightweight cross-platform programming language designed primarily for embedded use in applications.

    “Sandman has deployed a novel modular backdoor utilizing the LuaJIT platform, a relatively rare occurrence in the threat landscape,” Milenkoski said, noting that the entire operation is characterized by a cautious and deliberate approach: minimal and strategic movements within infected networks, and a larger goal to minimize detection risk.

    The advanced threat actor, tagged as Sandman, has been seen targeting telecommunications providers across the Middle East, Western Europe and the South Asian subcontinent.

    Reply
  41. Tomi Engdahl says:

    Predator Spyware Delivered to iOS, Android Devices via Zero-Days, MitM Attacks
    https://www.securityweek.com/predator-spyware-delivered-to-ios-android-devices-via-zero-days-mitm-attacks/

    Predator spyware delivered to iPhones and Android devices using iOS and Chrome zero-day vulnerabilities and MitM attacks.

    The Predator spyware has been delivered to iPhones and Android devices using iOS and Chrome zero-day vulnerabilities and man-in-the-middle (MitM) attacks, according to Google’s Threat Analysis Group.

    Apple last week informed customers about the availability of patches for three zero-days tracked as CVE-2023-41991 (signature verification bypass), CVE-2023-41992 (local privilege escalation), and CVE-2023-41993 (arbitrary code execution via malicious webpage).

    Apple fixed the vulnerabilities in iOS, macOS and other software, but the tech giant noted that it’s only aware of exploitation aimed at devices running iOS versions before 16.7.

    The University of Toronto’s Citizen Lab group and Google’s Threat Analysis Group, which have been credited for reporting the vulnerabilities to Apple, revealed on Friday that the flaws have been chained in an attack targeting Ahmed Altantawy, a leading opposition politician in Egypt.

    Reply
  42. Tomi Engdahl says:

    Apple Patches 3 Zero-Days Likely Exploited by Spyware Vendor to Hack iPhones
    https://www.securityweek.com/apple-patches-3-zero-days-likely-exploited-by-spyware-vendor-to-hack-iphones/

    Apple has patched 3 zero-day vulnerabilities that have likely been exploited by a spyware vendor to hack iPhones.

    Apple announced on Thursday that its latest operating system updates patch three new zero-day vulnerabilities. Based on the previous work of the organizations credited for reporting the flaws, they have likely been exploited by a spyware vendor.

    The zero-days are tracked as CVE-2023-41991, which allows a malicious app to bypass signature verification, CVE-2023-41992, a kernel flaw that allows a local attacker to elevate privileges, and CVE-2023-41993, a WebKit bug that can be exploited for arbitrary code execution by luring the targeted user to a malicious webpage.

    Apple patched some or all of these vulnerabilities in Safari, iOS and iPadOS (including versions 17 and 16), macOS (including Ventura and Monterey), and watchOS.

    Reply
  43. Tomi Engdahl says:

    Trend Micro Patches Exploited Zero-Day Vulnerability in Endpoint Security Products
    https://www.securityweek.com/trend-micro-patches-exploited-zero-day-vulnerability-in-endpoint-security-products/

    Trend Micro has patched CVE-2023-41179, an Apex One zero-day code execution vulnerability that has been exploited in attacks.

    Reply
  44. Tomi Engdahl says:

    Sidhartha Shukla / Bloomberg:
    DeFi project Mixin Network suspends deposits and withdrawals after a hack involving $200M in crypto assets; SlowMist says Mixin’s cloud provider was compromised

    Defi Project Mixin Network Suspends Services After $200 Million Crypto Hack
    https://www.bloomberg.com/news/articles/2023-09-25/defi-project-mixin-suspends-services-after-200-million-hack#xj4y7vzkg

    Compromise in cloud service provider’s database led to breach
    Project expected to give details in a livestream later today

    Decentralized finance project Mixin Network has suspended deposits and withdrawals after suffering a hack involving $200 million in crypto assets, the entity said through a post on X, the firm previously known as Twitter.

    The breach was caused by a compromise in the project’s cloud service provider’s database, according to blockchain security firm SlowMist, which is assisting Mixin in the investigation.

    Reply
