Cyber security news October 2023

This posting is here to collect cyber security news in October 2023.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.

265 Comments

  1. Tomi Engdahl says:

    Campaign identified and fixed cyber risks related to supply chains https://www.huoltovarmuuskeskus.fi/a/kampanja-tunnisti-ja-korjasi-toimitusketjuihin-liittyvia-kyberriskeja

    The Ketjutonttu campaign of Traficom's National Cyber Security Centre improved the information security of Finnish businesses by identifying and fixing risks in their supply chains. 150 organisations and companies took part in the campaign, which was funded from the National Emergency Supply Agency's Digital Security 2030 programme.
    The campaign showed that cyber security can be improved even with lightweight methods. Suppliers of the participating organisations receive a free security assessment based on open sources, plus help with making the fixes.

    On average, 35 suppliers were identified per participant.
    In total, 2,312 suppliers were assessed during the campaign and were offered vulnerability reports and help with fixes. 856 security findings were reported during the campaign. Thanks to the open-source-based approach, the assessment could be carried out for a large set of suppliers without separate agreements. Assistance focused on those suppliers where security problems were found.

  2. Tomi Engdahl says:

    Exploits released for Linux flaw giving root on major distros https://www.bleepingcomputer.com/news/security/exploits-released-for-linux-flaw-giving-root-on-major-distros/

    Proof-of-concept exploits have already surfaced online for a high-severity flaw in GNU C Library’s dynamic loader, allowing local attackers to gain root privileges on major Linux distributions. Dubbed ‘Looney Tunables’ and tracked as CVE-2023-4911, this security vulnerability is due to a buffer overflow weakness, and it affects default installations of Debian 12 and 13, Ubuntu 22.04 and 23.04, and Fedora 37 and 38.

    Attackers can trigger it using a maliciously crafted GLIBC_TUNABLES environment variable processed by the ld.so dynamic loader to gain arbitrary code execution with root privileges when launching binaries with SUID permission. Since Qualys’ Threat Research Unit disclosed it on Tuesday, several security researchers have already published proof-of-concept (PoC) exploit code that works for some system configurations.

    One of these PoC exploits, confirmed as working by vulnerability and exploit expert Will Dormann, was released by independent security researcher Peter Geissler (blasty) earlier today. While his exploit can be used against a limited number of targets, the PoC also includes instructions on adding additional ones by identifying a workable offset for each system’s ld.so dynamic loader.

  3. Tomi Engdahl says:

    Defending new vectors: Threat actors attempt SQL Server to cloud lateral movement https://www.microsoft.com/en-us/security/blog/2023/10/03/defending-new-vectors-threat-actors-attempt-sql-server-to-cloud-lateral-movement/

    Microsoft security researchers recently identified a campaign where attackers attempted to move laterally to a cloud environment through a SQL Server instance. This attack technique demonstrates an approach we’ve seen in other cloud services such as VMs and Kubernetes clusters, but not in SQL Server. The attackers initially exploited a SQL injection vulnerability in an application within the target’s environment. This allowed the attacker to gain access and elevated permissions on a Microsoft SQL Server instance deployed in an Azure Virtual Machine (VM).

    The attackers then used the acquired elevated permission to attempt to move laterally to additional cloud resources by abusing the server’s cloud identity. Cloud identities are commonly used in cloud services including SQL Server and may possess elevated permissions to carry out actions in the cloud.
    This attack highlights the need to properly secure cloud identities to defend SQL Server instances and cloud resources from unauthorized access.

  4. Tomi Engdahl says:

    Qakbot-affiliated actors distribute Ransom Knight malware despite infrastructure takedown https://blog.talosintelligence.com/qakbot-affiliated-actors-distribute-ransom/

    The threat actors behind the Qakbot malware have been conducting a campaign since early August 2023 in which they have been distributing Ransom Knight ransomware and the Remcos backdoor via phishing emails. Notably, this activity appeared to begin before the FBI seized Qakbot infrastructure in late August and has been ongoing since, indicating the law enforcement operation may not have impacted Qakbot operators’ spam delivery infrastructure but rather only their command and control (C2) servers.

    Talos attributed this new campaign to Qakbot affiliates as the metadata found in LNK files used in this campaign matches the metadata from machines used in previous Qakbot campaigns “AA” and “BB.” Though we have not seen the threat actors distributing Qakbot itself post-infrastructure takedown, we assess the malware will continue to pose a significant threat moving forward. We see this as likely as the developers were not arrested and are still operational, opening the possibility that they may choose to rebuild the Qakbot infrastructure.

  5. Tomi Engdahl says:

    Bank of Finland and Tax Administration targeted by denial-of-service attack; Russian hackers claimed responsibility https://www.hs.fi/talous/art-2000009901387.html

    The Bank of Finland's website has been hit by a denial-of-service attack, the central bank says on the social media service X, formerly Twitter. According to the Bank of Finland's post on X, the attack is disrupting the suomenpankki.fi site.
    Remedial measures to stop the attack are under way, the central bank says.

    “The denial-of-service attack that began on Wednesday is the same one that is currently blocking access to the suomenpankki.fi, bofit.fi and rahamuseo.fi online services. Since Russia's war of aggression began, the number of attacks on online services has been slightly on the rise,” the Bank of Finland's communications department told HS.

  6. Tomi Engdahl says:

    Chinese State-Sponsored Cyber Espionage Activity Targeting Semiconductor Industry in East Asia https://blog.eclecticiq.com/chinese-state-sponsored-cyber-espionage-activity-targeting-semiconductor-industry-in-east-asia

    EclecticIQ analysts identified a cyber espionage campaign where threat actors used a variant of HyperBro loader with a Taiwan Semiconductor Manufacturing Company (TSMC) lure, likely to target the semiconductor industry in Mandarin/Chinese speaking East Asian regions (Taiwan, Hong Kong, Singapore). Operational tactics, techniques, and procedures (TTPs) overlap with previously reported activities attributed to a People’s Republic of China (PRC) backed cyber espionage group.

    The HyperBro loader variant leverages a digitally signed CyberArk binary for DLL side-loading, resulting in in-memory execution of a Cobalt Strike beacon.
    [1] Pivoting the beacon, EclecticIQ analysts identified a previously undocumented malware downloader. This downloader utilizes the BitsTransfer module in PowerShell to fetch malicious binaries from a very likely compromised Cobra DocGuard server.

  7. Tomi Engdahl says:

    Vulnerabilities in Supermicro BMCs could allow for unkillable server rootkits https://arstechnica.com/security/2023/10/vulnerabilities-in-supermicro-bmcs-could-allow-for-unkillable-server-rootkits/

    If your organization uses servers that are equipped with baseboard management controllers from Supermicro, it may be time, once again, to patch seven high-severity vulnerabilities that attackers could exploit to gain control of them. And sorry, but the fixes must be installed manually.

    Typically abbreviated as BMCs, baseboard management controllers are small chips that are soldered onto the motherboard of servers inside data centers.
    Administrators rely on these powerful controllers for various remote management capabilities, including installing updates, monitoring temperatures and setting fan speeds accordingly, and reflashing the UEFI system firmware that allows servers to load their operating systems during reboots. BMCs provide these capabilities and more, even when the servers they’re connected to are turned off.

  8. Tomi Engdahl says:

    Security researchers believe mass exploitation attempts against WS_FTP have begun https://www.theregister.com/2023/10/02/ws_ftp_update/

    Security researchers have spotted what they believe to be a “possible mass exploitation” of vulnerabilities in Progress Software’s WS_FTP Server.
    Researchers at Rapid7 began noticing evidence of exploitation on 30 September across multiple instances of WS_FTP. Progress released fixes for eight separate vulnerabilities in WS_FTP on Wednesday, including one rated a maximum score of 10 on the CVSS severity scale. Days later, the company said there was no evidence of exploitation at the time.

    Researchers didn’t specify which of the vulnerabilities were being exploited, but noted it appeared that “one or more” of those included in Progress’ eight-vulnerability advisory were the subject of exploit attempts. Attacks began in the evening of September 30 and Rapid7 received alerts from multiple customer environments of attempted attacks within minutes of each other, according to the blog post from Caitlin Condon, senior manager of vulnerability research at Rapid7.

    Also:
    https://www.rapid7.com/blog/post/2023/09/29/etr-critical-vulnerabilities-in-ws_ftp-server/

  9. Tomi Engdahl says:

    Arm warns of Mali GPU flaws likely exploited in targeted attacks https://www.bleepingcomputer.com/news/security/arm-warns-of-mali-gpu-flaws-likely-exploited-in-targeted-attacks/

    Arm in a security advisory today is warning of an actively exploited vulnerability affecting the widely-used Mali GPU drivers. The flaw is currently tracked as CVE-2023-4211 and was discovered and reported to Arm by researchers of Google’s Threat Analysis Group (TAG) and Project Zero.

    Details are not publicly available but the security issue is described as an improper access to freed memory, a problem that could allow compromising or manipulating sensitive data. “A local non-privileged user can make improper GPU memory processing operations to gain access to already freed memory,” Arm explains in the advisory. The company adds that it has found evidence that the vulnerability “may be under limited, targeted exploitation.”

  10. Tomi Engdahl says:

    Cisco warns of attempted exploitation of zero-day in VPN software https://therecord.media/cisco-vpn-software-zero-day-vulnerability

    Cisco has discovered that hackers are attempting to exploit a vulnerability affecting one of its VPN products. The tech giant published several advisories last week about vulnerabilities, but experts honed in on one affecting the Cisco Group Encrypted Transport VPN (GET VPN) feature of Cisco IOS Software and Cisco IOS XE Software. The vulnerability, tagged as CVE-2023-20109, could allow a hacker to take actions on an affected device or cause the device to crash. It carries a CVSS severity score of 6.6 out of 10 and was announced Sept. 27.

    “A successful exploit could allow the attacker to execute arbitrary code and gain full control of the affected system or cause the affected system to reload, resulting in a denial of service (DoS) condition,” the company said, adding that the vulnerability “can only be exploited in one of two ways” and “both ways would require previous infiltration of the environment.”

  11. Tomi Engdahl says:

    Malicious Packages Hidden in NPM
    https://www.fortinet.com/blog/threat-research/malicious-packages-hiddin-in-npm

    Over the past few months, the FortiGuard Labs team has discovered several malicious packages hidden in NPM (Node Package Manager), the largest software registry for the JavaScript programming language. These packages were found through a system dedicated to discovering malicious open-source packages from various ecosystems, e.g. PyPI and NPM. In this blog, we will look at some of these packages, grouping them based on similar styles of code or functions.

  12. Tomi Engdahl says:

    Ransomware gangs now exploiting critical TeamCity RCE flaw https://www.bleepingcomputer.com/news/security/ransomware-gangs-now-exploiting-critical-teamcity-rce-flaw/

    Ransomware gangs are now targeting a recently patched critical vulnerability in JetBrains’ TeamCity continuous integration and deployment server. The flaw (tracked as CVE-2023-42793 and tagged with a 9.8/10 severity score) allows unauthenticated attackers to gain remote code execution (RCE) after successfully exploiting an authentication bypass weakness in low-complexity attacks that don’t require user interaction.

    Swiss security firm Sonar (whose researchers discovered and reported the vulnerability) published full technical details one week after JetBrains addressed the critical security issue with the release of TeamCity 2023.05.4 on September 21st. JetBrains says the flaw impacts all TeamCity versions prior to the patched release but only On-Premises servers installed on Windows, Linux, and macOS, or that run in Docker.

  13. Tomi Engdahl says:

    Hackers steal user database from European telecommunications standards body https://therecord.media/etsi-telecommunications-standards-body-hack-database-stolen

    A nonprofit institution for developing communications standards said hackers have stolen a database identifying its users. The European Telecommunications Standards Institute (ETSI) announced the incident last week. It is not yet clear whether the attack was financially motivated or if the hackers had intended to acquire the list of users for espionage purposes.

    Following the incident, ETSI, which is based in the Sophia Antipolis technology park in the French Riviera, said it brought in France’s cybersecurity agency ANSSI “to investigate and repair the information systems.” The nonprofit said the “vulnerability on which the attack was based has been fixed,” although it did not identify the vulnerability. A spokesperson declined to clarify whether this had been a known vulnerability or a zero-day at the time of the attack.

    “Under the guidance of ANSSI experts, ETSI has fixed the vulnerability, undertaken additional security actions and significantly strengthened its IT security procedures. Following this incident, ETSI asked their online service users to change their passwords,” the institution stated.

  14. Tomi Engdahl says:

    Motel One discloses data breach following ransomware attack https://www.bleepingcomputer.com/news/security/motel-one-discloses-data-breach-following-ransomware-attack/

    The Motel One Group has announced that it has been targeted by ransomware actors who managed to steal some customer data, including the details of 150 credit cards. Motel One is a low-budget hotel chain that operates over ninety hotels with 25,000 rooms in Germany, Austria, the UK, Denmark, Belgium, the Netherlands, Spain, Poland, the Czech Republic, and the United States.

    According to the company’s press release, a group of unknown attackers infiltrated its network, intending to launch a ransomware attack, but had limited success thanks to its effective protective measures. “The currently unknown perpetrators infiltrated the hotel operator’s internal systems and most likely tried to carry out a so-called ransomware attack,” reads the press release.

    “Thanks to extensive measures, the impact was kept to a relative minimum. The business operation of one of Europe’s largest hotel groups was never at risk.”

  15. Tomi Engdahl says:

    This is why you don’t recycle login credentials! Or give strangers your genetic material!
    https://www.darkreading.com/attacks-breaches/23andme-cyberbreach-exposed-dna-data-family-ties
    “recycled login credentials accessed from other cyber incidents were used to gain access to accounts with the DNA company”

  16. Tomi Engdahl says:

    https://thehackernews.com/2023/10/rogue-npm-package-deploys-open-source.html?fbclid=IwAR36lmupaaQ8ebzWXUwdSBLlbwGhXzXJDRbkjYOxQqO_x96PmunAzueSyCw&m=1

    A new deceptive package hidden within the npm package registry has been uncovered deploying an open-source rootkit called r77, marking the first time a rogue package has delivered rootkit functionality.

    The package in question is node-hide-console-windows, which mimics the legitimate npm package node-hide-console-window in what’s an instance of a typosquatting campaign. It was downloaded 704 times over the past two months before it was taken down.

    The malicious code, per the software supply chain security firm, is contained within the package’s index.js file that, upon execution, fetches an executable that’s automatically run.

    The executable in question is a C#-based open-source trojan known as DiscordRAT 2.0, which comes with features to remotely commandeer a victim host over Discord using over 40 commands that facilitate the collection of sensitive data, while disabling security software.

    What’s more, two different versions of node-hide-console-windows have been found to fetch an open-source information stealer dubbed Blank-Grabber alongside DiscordRAT 2.0, masquerading it as a “visual code update.”

    A notable aspect of the campaign is that it’s entirely built atop the foundations of components that are freely and publicly available online, requiring little effort for threat actors to put it all together and opening the supply chain attack door to low-stakes hacking groups.

    The research findings underscore the need for caution among developers when installing packages from open-source repositories.

    “The malicious actor or actors made an effort to make their packages appear trustworthy,” security researcher Lucija Valentić said.

  17. Tomi Engdahl says:

    Lily Hay Newman / Wired:
    Hackers posted a 23andMe data sample on BreachForums, claiming that it has 1M data points exclusively about Ashkenazi Jews; it appears to lack raw genetic data — At least a million data points from 23andMe accounts appear to have been exposed on BreachForums.

    23andMe User Data Stolen in Targeted Attack on Ashkenazi Jews
    https://www.wired.com/story/23andme-credential-stuffing-data-stolen/

    At least a million data points from 23andMe accounts appear to have been exposed on BreachForums. While the scale of the campaign is unknown, 23andMe says it’s working to verify the data.

  18. Tomi Engdahl says:

    Pro-Russian online attacks have increased: “Given the minor impact, there is no need to be alarmed,” advises information security expert
    https://yle.fi/a/74-20054002

    This is a so-called denial-of-service attack, in which the aim is to direct as much network traffic at a website as possible. The traffic degrades the site's operation or, at worst, brings it to a complete halt.

    “This is information influencing. The impact of the attacks has remained small, even though the group plays up the significance of the strikes on its own channels,” says information security expert Samuli Könönen of the National Cyber Security Centre.

  19. Tomi Engdahl says:

    We asked what is now known about the data breaches at the North Ostrobothnia wellbeing services county: “There were signs of a more serious incident here”
    https://yle.fi/a/74-20053967

    The data breaches affecting distribution customers of Pohde, the North Ostrobothnia wellbeing services county, currently concern about a thousand people in total.

    Yesterday it was reported that the security breach affecting distribution customers of Roche diabetes products in North Ostrobothnia concerns 402 customers. In the security breach that came to light in September, the data security of more than 630 people who had ordered Tena products was compromised.

    Behind both is a cyberattack that targeted a server of the distribution service Westlog Oy. The security breach concerns customers for whom Roche diabetes products or Essity Oy's Tena incontinence products were ordered through Westlog's distribution service.

  20. Tomi Engdahl says:

    MGM Resorts ransomware attack led to $100 million loss, data theft https://www.bleepingcomputer.com/news/security/mgm-resorts-ransomware-attack-led-to-100-million-loss-data-theft/

    MGM Resorts reveals that last month’s cyberattack cost the company $100 million and allowed the hackers to steal customers’ personal information.

  21. Tomi Engdahl says:

    CDW data to be leaked next week after negotiations with LockBit break down https://www.theregister.com/2023/10/06/cdw_lockbit_negotiations/

    CDW, one of the largest resellers on the planet, will have its data leaked by LockBit after negotiations over the ransom fee broke down, a spokesperson for the cybercrime gang says.

    Speaking to The Register, the spokesperson, who uses the alias LockBitSupp, implied that during negotiations CDW offered a sum that was so low it insulted the crooks.

    “We published them because in the negotiation process a $20 billion company refuses to pay adequate money,” the source said.

  22. Tomi Engdahl says:

    Record $7 billion in crypto laundered through cross-chain services https://www.elliptic.co/blog/record-7-billion-in-crypto-laundered-through-cross-chain-services

    Cross-chain crime refers to the swapping of cryptoassets between different tokens or blockchains – often in rapid succession and with no legitimate business purpose – to obfuscate their criminal origin. Known also as “chain-” or “asset-hopping”, cross-chain crime is on course to become the dominant means of laundering cryptoassets.

    Our latest figures suggest that it is fast becoming the preferred money laundering method for a range of cybercrimes, including scams and crypto thefts, as enforcement actions continue to target criminals’ traditional means of obfuscating funds.

  23. Tomi Engdahl says:

    X-Force uncovers global NetScaler Gateway credential harvesting campaign https://securityintelligence.com/posts/x-force-uncovers-global-netscaler-gateway-credential-harvesting-campaign/

    In September of 2023, X-Force uncovered a campaign where attackers were exploiting the vulnerability identified in CVE-2023-3519 to attack unpatched NetScaler Gateways to insert a malicious script into the HTML content of the authentication web page to capture user credentials.

    This post will cover the initial incident that led to uncovering the larger campaign, the credential harvesting campaign, as well as the new artifact, considerations and recommendations for responding to and remediating an incident involving CVE-2023-3519.

  24. Tomi Engdahl says:

    Let’s dig deeper: dissecting the new Android Trojan GoldDigger with Group-IB Fraud Matrix https://www.group-ib.com/blog/golddigger-fraud-matrix/

    Delve into the tactics of the GoldDigger Trojan and discover ways to safeguard your customers

  25. Tomi Engdahl says:

    Genetics firm 23andMe says user data stolen in credential stuffing attack https://www.bleepingcomputer.com/news/security/genetics-firm-23andme-says-user-data-stolen-in-credential-stuffing-attack/

    23andMe has confirmed to BleepingComputer that it is aware of user data from its platform circulating on hacker forums and attributes the leak to a credential-stuffing attack.

    23andMe is a U.S. biotechnology and genomics firm offering genetic testing services to customers who send a saliva sample to its labs and get back an ancestry and genetic predispositions report.

    Recently, a threat actor leaked samples of data that was allegedly stolen from a genetics firm and, a few days later, offered to sell data packs belonging to 23andMe customers.

  26. Tomi Engdahl says:

    Rhysida ransomware gang claims attacks on governments in Portugal, Dominican Republic https://therecord.media/rhysida-ransomware-gang-attacks-on-portugal-dominican-republic-governments

    A notorious ransomware gang has claimed attacks against two government institutions this week, both of which confirmed they faced a range of issues due to the incidents.

    The city of Gondomar – a suburb about 20 minutes away from the Portuguese city of Porto – said on September 27 that it was the target of a cyberattack that forced officials to take systems offline and contact the country’s National Cybersecurity Center and the National Data Protection Commission and local law enforcement.

  27. Tomi Engdahl says:

    China-based Supply Chain Cyberattacks Hit Thousands of Android Devices https://www.msspalert.com/news/human-security-disrupts-supply-chain-android-attacks

    Human Security has disrupted a sophisticated, ongoing digital supply chain threat operating out of China targeting Android devices, the company said.

    The cyber defender, which specializes in disrupting bot attacks, digital fraud and abuse, said it impeded a “key monetization mechanism” of a number of criminal operations involving “backdoored” off-brand mobile and CTV Android devices sold to end users through retailers in China.

  28. Tomi Engdahl says:

    Maintainers warn of vulnerability affecting foundational open-source tool https://therecord.media/curl-vulnerabilities-to-be-announced-open-source

    A curl update will be released on October 11 to address both issues. CVE-2023-38545 affects both curl and libcurl, the library behind the tool, but CVE-2023-38546 only affects libcurl.

    “The one rated HIGH is probably the worst curl security flaw in a long time,” a maintainer said on GitHub.

  29. Tomi Engdahl says:

    Android Devices With Backdoored Firmware Found in US Schools
    https://www.securityweek.com/android-devices-with-backdoored-firmware-found-in-us-schools/

    A global cybercriminal operation called BadBox has infected the firmware of more than 70,000 Android smartphones, CTV boxes, and tablets with the Triada malware.

    Tens of thousands of Android devices have been shipped to end-users with backdoored firmware, according to a warning from cybersecurity vendor Human Security.

    As part of the global cybercriminal operation called BadBox (PDF), Human Security found a threat actor relied on supply chain compromise to infect the firmware of more than 70,000 Android smartphones, CTV boxes, and tablet devices with the Triada malware.

    The infected devices come from at least one Chinese manufacturer but, before they are delivered to resellers, physical retail stores, and e-commerce warehouses, a backdoor was injected into their firmware.

    “Products known to contain the backdoor have been found on public school networks throughout the United States,” Human says.

    Discovered in 2016, Triada is a modular trojan residing in a device’s RAM, relying on the Zygote process to hook all applications on Android, actively using root privileges to substitute system files. Over time, the malware went through various iterations and was found pre-installed on low-cost Android devices on at least two occasions.

    Trojans All the Way Down: BADBOX and PEACHPIT
    https://www.humansecurity.com/hubfs/HUMAN_Report_BADBOX-and-PEACHPIT.pdf

  30. Tomi Engdahl says:

    MGM Resorts Says Ransomware Hack Cost $110 Million
    https://www.securityweek.com/mgm-resorts-says-ransomware-hack-cost-110-million/

    MGM Resorts said costs from a disruptive ransomware hack have exceeded $110 million, including $10 million in one-time consulting cleanup fees.

  31. Tomi Engdahl says:

    Android Devices With Backdoored Firmware Found in US Schools
    https://www.securityweek.com/android-devices-with-backdoored-firmware-found-in-us-schools/

    A global cybercriminal operation called BadBox has infected the firmware of more than 70,000 Android smartphones, CTV boxes, and tablets with the Triada malware.

  32. Tomi Engdahl says:

    ICE, CBP, Secret Service All Illegally Used Smartphone Location Data
    Joseph Cox, Oct 5, 2023 at 5:42 PM
    A bombshell government report also found that a CBP official used the data to track coworkers with no investigative purpose.
    https://www.404media.co/ice-cbp-secret-service-all-broke-law-with-smartphone-location-data/?fbclid=IwAR0FyGE1W2vcG6M8eJYrROBdYZ2G1RKTCmVrhbGDlXuL8RMcBp4Kz9cV27o

  33. Tomi Engdahl says:

    Thousands of WordPress sites have been hacked through tagDiv plugin vulnerability
    If a site is redirecting visitors to scam sites, it was likely hacked by Balada.
    https://arstechnica.com/security/2023/10/thousands-of-wordpress-sites-have-been-hacked-through-tagdiv-plugin-vulnerability/?fbclid=IwAR1jKUUNq4X5FmBwzByjw41fVwLoILaIBShlW0UGRCPcKh_iak_-klOr1dA

    Thousands of sites running the WordPress content management system have been hacked by a prolific threat actor that exploited a recently patched vulnerability in a widely used plugin.

    The vulnerable plugin, known as tagDiv Composer, is a mandatory requirement for using two WordPress themes: Newspaper and Newsmag. The themes are available through the Theme Forest and Envato marketplaces and have more than 155,000 downloads.

    Tracked as CVE-2023-3169, the vulnerability is what’s known as a cross-site scripting (XSS) flaw that allows hackers to inject malicious code into webpages. Discovered by Vietnamese researcher Truoc Phan, the vulnerability carries a severity rating of 7.1 out of a possible 10. It was partially fixed in tagDiv Composer version 4.1 and fully patched in 4.2.

    According to a post authored by security researcher Denis Sinegubko, threat actors are exploiting the vulnerability to inject web scripts that redirect visitors to various scam sites. The redirections lead to sites pushing fake tech support, fraudulent lottery wins, and push notification scams, the latter of which trick visitors into subscribing to push notifications by displaying fake captcha dialogs.

  34. Tomi Engdahl says:

    High petrol prices led to a grim phenomenon in the US: brazen thieves take over entire filling stations; clerks can only watch helplessly
    https://www.kauppalehti.fi/uutiset/kallis-bensanhinta-johti-karuun-ilmioon-usassa-royhkeat-varkaat-ottavat-koko-huoltamon-haltuunsa-myyjat-eivat-voi-kuin-seurata-avuttomina/b25c36ab-ef1c-43fd-b4ce-571b95d22650

    A filling station in the United States has fallen victim to hackers' mischief.
    The hackers have already stolen petrol by the cubic metre.

    Hacking petrol pumps has become more common as a type of crime, since fuel prices are rising in the United States too. Easily obtainable devices that make it easy to bypass petrol pumps' payment systems have flooded the internet.

  35. Tomi Engdahl says:

    Hackers Join In on Israel-Hamas War With Disruptive Cyberattacks https://www.securityweek.com/hackers-join-in-on-israel-hamas-war-with-disruptive-cyberattacks/

    Several hacker groups have joined in on the Israel-Hamas war that started over the weekend after the militant group launched a major attack.

  36. Tomi Engdahl says:

    Coordinated Disclosure: 1-Click RCE on GNOME (CVE-2023-43641) https://github.blog/2023-10-09-coordinated-disclosure-1-click-rce-on-gnome-cve-2023-43641/

    CVE-2023-43641 is a vulnerability in libcue, which can lead to code execution by downloading a file on GNOME.

  37. Tomi Engdahl says:

    UK opposition leader targeted by AI-generated fake audio smear https://therecord.media/keir-starmer-labour-party-leader-audio-smear-social-media-deepfake

    An audio clip posted to social media on Sunday, purporting to show Britain’s opposition leader Keir Starmer verbally abusing his staff, has been debunked as being AI-generated by private-sector and British government analysis.

    Reply
  38. Tomi Engdahl says:

    The Art of Concealment: A New Magecart Campaign That’s Abusing 404 Pages https://www.akamai.com/blog/security-research/magecart-new-technique-404-pages-skimmer

    A new, sophisticated, and covert Magecart web skimming campaign has been targeting Magento and WooCommerce websites. Some of the victims of this campaign are associated with large organizations in the food and retail industries.

    According to the evidence we’ve uncovered, this campaign has been active for a couple of weeks, and in some cases, even longer. This campaign managed to surprise us with a high-level concealment technique that we had not previously encountered.

    Reply
  39. Tomi Engdahl says:

    IZ1H9 Campaign Enhances Its Arsenal with Scores of Exploits https://www.fortinet.com/blog/threat-research/Iz1h9-campaign-enhances-arsenal-with-scores-of-exploits

    In September 2023, our FortiGuard Labs team observed that the IZ1H9 Mirai-based DDoS campaign has aggressively updated its arsenal of exploits.
    Thirteen payloads were included in this variant, including D-Link devices, Netis wireless router, Sunhillo SureLine, Geutebruck IP camera, Yealink Device Management, Zyxel devices, TP-Link Archer, Korenix Jetwave, and TOTOLINK routers.

    Based on the trigger counts recorded by our IPS signatures, it is evident that peak exploitation occurred on September 6, with trigger counts ranging from the thousands to even tens of thousands. This highlights the campaign’s capacity to infect vulnerable devices and dramatically expand its botnet through the swift utilization of recently released exploit code, which encompasses numerous CVEs.

    In this article, we will elaborate on how this threat leverages new vulnerabilities to control affected devices, along with the details of IZ1H9.

    Reply
  40. Tomi Engdahl says:

    DC Board of Elections Discloses Data Breach
    https://www.securityweek.com/dc-board-of-elections-discloses-data-breach/

    The District of Columbia Board of Elections says voter records were compromised in a data breach at hosting provider DataNet.

    The District of Columbia Board of Elections (DCBOE) on Friday confirmed that voter records were compromised in a data breach at a third-party services provider.

    An independent agency of the District of Columbia Government, the DCBOE is responsible for the administration of ballot access, elections, and voter registration.

    “On 10/5, DCBOE became aware of a cybersecurity incident involving DC voter records. While the incident remains under investigation, DCBOE’s internal databases and servers were not compromised,” the agency announced on Friday.

    According to DCBOE’s official statement, the data breach occurred at DataNet, which provides website hosting services to the agency.

    The incident came to light after a relatively new ransomware group named RansomedVC claimed to have breached DCBOE’s systems, exfiltrating more than 600,000 lines of US voter records.

    The stolen information, DataBreaches reports, includes names, driver’s license numbers, phone numbers, birth dates, addresses, email addresses, partial Social Security numbers, voter IDs, registration dates, political party affiliation, and polling place.

    https://www.databreaches.net/d-c-board-of-elections-voter-registration-data-up-for-sale-on-dark-web/

    Reply
  41. Tomi Engdahl says:

    Credential Harvesting Campaign Targets Unpatched NetScaler Instances
    https://www.securityweek.com/credential-harvesting-campaign-targets-unpatched-netscaler-instances/

    Threat actors are targeting Citrix NetScaler instances unpatched against CVE-2023-3519 to steal user credentials.

    Reply
  42. Tomi Engdahl says:

    Google Expands Bug Bounty Program With Chrome, Cloud CTF Events
    https://www.securityweek.com/google-expands-bug-bounty-program-with-chrome-cloud-ctf-events/

    Google is hosting capture the flag (CTF) events focused on Chrome’s V8 engine and on Kernel-based Virtual Machine (KVM).

    Google has announced the expansion of its vulnerability rewards program with two events focused on Chrome’s V8 JavaScript rendering engine and on Kernel-based Virtual Machine (KVM).

    The v8CTF, which has already started, allows security researchers to earn monetary rewards for successfully exploiting a V8 version running on Google’s infrastructure.

    The challenge is meant to complement Google’s VRP, allowing researchers who identify vulnerabilities in the JavaScript engine to earn additional rewards by submitting exploits to the v8CTF. However, participating researchers can also submit exploits for already known V8 vulnerabilities.

    https://github.com/google/security-research/tree/master/v8ctf

    Reply
  43. Tomi Engdahl says:

    Cyberwarfare
    Hackers Join In on Israel-Hamas War With Disruptive Cyberattacks
    https://www.securityweek.com/patches-prepared-for-probably-worst-curl-vulnerability/

    Several hacker groups have joined in on the Israel-Hamas war that started over the weekend after the militant group launched a major attack.

    The maintainers of the cURL data transfer project are working on patching two vulnerabilities in the software, including a high-severity bug impacting both libcurl and curl.

    cURL provides both a library (libcurl) and command-line tool (curl) for transferring data with URL syntax, supporting various network protocols, including SSL, TLS, HTTP, FTP, SMTP, and more.

    The two issues are tracked as CVE-2023-38545 and CVE-2023-38546, and the maintainers are warning that the former has a ‘high severity’ rating and could be considered one of the most severe flaws in the open source tool.

    “We are cutting the release cycle short and will release curl 8.4.0 on October 11, including fixes for a severity HIGH CVE and one severity LOW. The one rated HIGH is probably the worst curl security flaw in a long time,” the maintainers note in an advisory.

    Details on the vulnerability itself and on the affected curl versions have yet to be disclosed, but the maintainers say that all iterations released over the “last several years” are vulnerable.

    Severity HIGH security problem to be announced with curl 8.4.0 on Oct 11 #12026
    https://github.com/curl/curl/discussions/12026

    Reply
  44. Tomi Engdahl says:

    Cyberwarfare
    Hackers Join In on Israel-Hamas War With Disruptive Cyberattacks
    https://www.securityweek.com/hackers-join-in-on-israel-hamas-war-with-disruptive-cyberattacks/

    Several hacker groups have joined in on the Israel-Hamas war that started over the weekend after the militant group launched a major attack.

    Several hacker groups have joined in on the Israel-Hamas conflict escalation that started over the weekend after the Palestinian militant group launched a major attack.

    Hamas launched an unprecedented attack on Israel out of Gaza, firing thousands of rockets and sending its fighters to the southern part of the country. In response, Israel declared war on Hamas and started to retaliate. Hundreds have been killed and thousands have been wounded on both sides as a result of the conflict escalation.

    In addition to the state-sponsored actors that have likely ramped up their cyber efforts behind the scenes, known hacktivist groups supporting both sides have intensified their cyberattacks.

    According to a timeline created by cybersecurity consultant and OSINT enthusiast Julian Botham, the first hacktivist attacks were launched against Israel by Anonymous Sudan less than one hour after the first rockets were fired by Hamas. The group targeted emergency warning systems, claiming to have taken down alerting applications in Israel.

    https://apnews.com/article/israel-palestinians-gaza-hamas-rockets-airstrikes-tel-aviv-ca7903976387cfc1e1011ce9ea805a71

    Reply
  45. Tomi Engdahl says:

    Did you see a coin in a car's door handle? Be prepared to call the police soon
    https://www.iltalehti.fi/autouutiset/a/d8150c26-c928-436b-88b2-3e03d990fe3d

    If a coin is sticking out of your car's door handle, contact the police.

    In some cars, nothing out of the ordinary can be noticed at this stage. But lo and behold, the coin in the door handle has prevented the doors from locking.

    A small object, such as a coin, wedged into the door handle signals danger. The Danish publication Dagens.com has written about the matter.

    Most likely the criminal does not slip the coin into the driver's door handle, but instead chooses, for example, the handle on the opposite side. A person driving alone usually does not check the car's other door handles, especially those on the other side of the car.

    Reply
