This posting is here to collect cyber security news in October 2023.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
265 Comments
Tomi Engdahl says:
https://www.tomsguide.com/news/fake-chrome-updates-infecting-pcs-with-malware-what-you-need-to-know?fbclid=IwAR0YC560ytPzKPUT8P2MRaAXFSE-Jwk4VZpfyDr45gQxEYhbw_m5FS7PKYw
Tomi Engdahl says:
Data breach wave spreads from one organization to another – cut off the phishing https://www.kyberturvallisuuskeskus.fi/fi/tietomurtoaalto-leviaa-organisaatiosta-toiseen-katkaise-tietojenkalastelu
Email accounts of Finnish organizations are being hijacked through a widespread phishing campaign. Criminals have phished company employees' usernames and passwords via email and fraudulent web pages, and have logged into Microsoft 365 email systems with the credentials they obtained. The hijacked accounts are used to send new phishing messages both internally and to other organizations.
Tomi Engdahl says:
Over 40,000 Cisco IOS XE devices infected with backdoor using zero-day https://www.bleepingcomputer.com/news/security/over-40-000-cisco-ios-xe-devices-infected-with-backdoor-using-zero-day/
More than 40,000 Cisco devices running the IOS XE operating system have been compromised after hackers exploited a recently disclosed maximum severity vulnerability tracked as CVE-2023-20198. Networking gear running Cisco IOS XE includes enterprise switches, industrial routers, access points, wireless controllers, aggregation, and branch routers.
There is no patch or a workaround available and the only recommendation for customers to secure the devices is to “disable the HTTP Server feature on all internet-facing systems.”
Tomi Engdahl says:
E-Root admin faces 20 years for selling stolen RDP, SSH accounts https://www.bleepingcomputer.com/news/security/e-root-admin-faces-20-years-for-selling-stolen-rdp-ssh-accounts/
Sandu Diaconu, the operator of the E-Root marketplace, has been extradited to the U.S. to face a maximum imprisonment penalty of 20 years for selling access to compromised computers.
The Moldovan defendant was arrested in the U.K. in May 2021 while attempting to flee the country following the authorities’ seizure of E-Root’s domains in late 2020.
Last month, Diaconu consented to be extradited to the United States for wire fraud, money laundering, computer fraud, and access device fraud.
Tomi Engdahl says:
War crimes tribunal says September cyberattack was act of espionage https://therecord.media/war-crimes-tribunal-cyberattack-espionage
The International Criminal Court (ICC) said on Friday that the serious cybersecurity incident it detected in September was an act of espionage.
In a statement on the Court’s website, it said the attack can be “interpreted as a serious attempt to undermine the Court’s mandate.”
The statement did not suggest a perpetrator, but the Court — which is based in The Hague in the Netherlands — said that Dutch law enforcement authorities are conducting a criminal investigation.
Tomi Engdahl says:
Casio says customers in 148 countries affected by breach https://therecord.media/casio-data-breach-classpad-education-app
Thousands of customers of Japanese tech manufacturer Casio had their information leaked in a data breach that occurred in one of its software subsidiaries last week.
In a lengthy explainer this week, the company said hackers accessed the company’s education web application ClassPad.net, resulting in the leak of personal information from customers in 148 countries.
“On the evening of Wednesday, October 11, when the person in charge attempted to work in the development environment, it was discovered that a database failure had occurred, and the company assessed the situation,” the company explained.
Tomi Engdahl says:
Fake KeePass site uses Google Ads and Punycode to push malware https://www.bleepingcomputer.com/news/security/fake-keepass-site-uses-google-ads-and-punycode-to-push-malware/
A Google Ads campaign was found pushing a fake KeePass download site that used Punycode to appear as the official domain of the KeePass password manager to distribute malware.
Google has been battling with ongoing malvertising campaigns that allow threat actors to take out sponsored ads that appear above search results. Even worse, Google Ads can be abused to show the legitimate domain for Keepass in the advertisements, making the threat hard to spot even for more diligent and security-conscious users.
Tomi Engdahl says:
Number of hacked Cisco IOS XE devices plummets from 50K to hundreds https://www.bleepingcomputer.com/news/security/number-of-hacked-cisco-ios-xe-devices-plummets-from-50k-to-hundreds/
The number of Cisco IOS XE devices hacked with a malicious backdoor implant has mysteriously plummeted from over 50,000 impacted devices to only a few hundred, with researchers unsure what is causing the sharp decline.
This week, Cisco warned that hackers exploited two zero-day vulnerabilities, CVE-2023-20198 and CVE-2023-20273, to hack over 50,000 Cisco IOS XE devices to create privileged user accounts and install a malicious LUA backdoor implant.
This LUA implant allows the threat actors to remotely execute commands at privilege level 15, the highest privilege level on the device.
Tomi Engdahl says:
American Family Insurance confirms cyberattack is behind IT outages https://www.bleepingcomputer.com/news/security/american-family-insurance-confirms-cyberattack-is-behind-it-outages/
Insurance giant American Family Insurance has confirmed it suffered a cyberattack and shut down portions of its IT systems after customers reported website outages all week.
American Family Insurance (AmFam) is an insurance company focusing on commercial and personal property, casualty, auto, and life insurance, as well as offering investment and retirement planning. The company employs 13,000 people and has a 2022 revenue of $14.4 billion.
In an email to BleepingComputer, American Family Insurance confirmed that they detected unusual activity on their network and shut off IT systems to prevent the spread of the cyberattack.
Tomi Engdahl says:
New TetrisPhantom hackers steal data from secure USB drives on govt systems https://www.bleepingcomputer.com/news/security/new-tetrisphantom-hackers-steal-data-from-secure-usb-drives-on-govt-systems/
A new sophisticated threat tracked as ‘TetrisPhantom’ has been using compromised secure USB drives to target government systems in the Asia-Pacific region.
Secure USB drives store files in an encrypted part of the device and are used to safely transfer data between systems, including those in an air-gapped environment. Access to the protected partition is possible through custom software that decrypts the contents based on a user-provided password. One such software is UTetris.exe, which is bundled on an unencrypted part of the USB drive.
Tomi Engdahl says:
Grim reports reveal how Russia threatens Finland's neighbouring countries – one country raises the possibility of a military conflict https://www.is.fi/ulkomaat/art-2000009930597.html
https://www.securityweek.com/okta-support-system-hacked-sensitive-customer-data-stolen/
Tomi Engdahl says:
Iranian Hackers Lurked for 8 Months in Government Network
https://www.securityweek.com/iranian-hackers-lurked-for-8-months-in-government-network/
Iran-linked hacking group Crambus spent eight months inside a compromised network of a Middle Eastern government, Broadcom’s Symantec cybersecurity unit reports.
Tomi Engdahl says:
Lost and Stolen Devices: A Gateway to Data Breaches and Leaks
https://www.securityweek.com/lost-and-stolen-devices-a-gateway-to-data-breaches-and-leaks/
By implementing strong security practices, organizations can significantly reduce the risks associated with lost and stolen computers and safeguard their sensitive information.
Tomi Engdahl says:
Cybercrime
In Other News: Energy Services Firm Hacked, Tech CEO Gets Prison Time, X Glitch Leads to CIA Channel Hijack
https://www.securityweek.com/in-other-news-energy-services-firm-hacked-tech-ceo-gets-prison-time-x-glitch-leads-to-cia-channel-hijack/
Summary of notable cybersecurity news stories that may be top headlines, but are important for the week of October 16, 2023.
Tech CEO Sentenced to prison for wire fraud
Micfo LLC CEO Amir Golestan has been sentenced to five years in prison for using a network of shell companies to deceive ARIN and obtain the rights to more than 735,000 IP addresses, with an estimated value between $10 million and $14 million. The “sentence sends an important message of deterrence to other parties contemplating fraudulent schemes to obtain or transfer Internet resources”, ARIN said.
Energy industry services firm hacked
Weymouth, Massachusetts-based BHI Energy has revealed that the PII and PHI of more than 91,000 individuals was exposed in a June 2023 cyber incident. Compromised data includes names, addresses, dates of birth, Social Security numbers, and potential medical and claims information related to the company’s health plan. BHI provides services and staffing solutions to the industrial, oil & gas, and power generation markets.
Tomi Engdahl says:
Nation-State
FBI: Thousands of Remote IT Workers Sent Wages to North Korea to Help Fund Weapons Program
https://www.securityweek.com/fbi-thousands-of-remote-it-workers-sent-wages-to-north-korea-to-help-fund-weapons-program/
Thousands of IT workers contracting with U.S. firms have secretly sent millions of dollars to North Korea to fund its missile program.
Tomi Engdahl says:
https://www.securityweek.com/authorities-seize-control-of-ragnarlocker-ransomware-dark-web-site/
Tomi Engdahl says:
Yle: Crisis situation underway in the municipality of Rautavaara – a cyberattack is behind it
The municipality of Rautavaara woke up to a cyberattack this morning.
https://www.iltalehti.fi/kotimaa/a/e0f0199c-196e-42d1-8a0c-8279f225e723
A cyberattack has been carried out against the electronic systems of the municipality of Rautavaara in North Savo. Yle was the first to report the matter.
Among other things, the Wilma system used in schools is out of use because of the attack.
Cyberattack on the municipality of Rautavaara – all IT equipment put out of use
https://yle.fi/a/74-20056493
A cyberattack has been carried out against the municipality of Rautavaara, because of which the municipality is not using computers at all for the time being.
The cyberattack on the municipality of Rautavaara was carried out in the early hours of Monday.
– Last night, a cyberattack targeted the IT systems of the municipality of Rautavaara. As a precaution we are not using computers, IT systems or email. We can only be reached by phone, says municipal manager Vesa Lötjönen.
There is no information about the attacker. Nor is there exact information about which parts of the municipality's IT systems were attacked.
The attack has been reported to the National Cyber Security Centre. The attack was detected in the morning when municipal employees started their working day.
– Notifications came in, some text in English had appeared. After that we brought in our ICT specialist, and they gave us the order not to use anything, so as not to put anything at risk, Lötjönen says.
The municipality's electronic systems, including the school's Wilma, are currently out of use. Otherwise the municipality's services, such as schools, daycare centres, the library and the waterworks, are operating.
Tomi Engdahl says:
Huizhong Wu / Associated Press:
China’s crackdown on cyber scams in Southeast Asia, often run by powerful Chinese crime syndicates, netted thousands of people but have left the networks intact
China crackdown on cyber scams in Southeast Asia nets thousands but leaves networks intact
https://apnews.com/article/china-southeast-asia-cyberscam-criminal-myanmar-4d749243cd4c95d697060d8cef59cabb
BANGKOK (AP) — Zhang Hongliang, a former restaurant manager in central China, took various gigs in and outside China to support his family after losing his job during the COVID-19 pandemic.
In March, a job offer to teach Chinese cooking at a restaurant led him into a cyber scam compound in Myanmar, where he was instead ordered to lure Chinese into giving up their savings for fake investment schemes via social media platforms.
Tomi Engdahl says:
Reassuring news about the cyberattack on the municipality of Rautavaara: personal data was not compromised
https://yle.fi/a/74-20056614
No personal data was compromised in the cyberattack on the municipality of Rautavaara. The attack, which took place on Monday night, targeted in particular the municipality's administrative network.
As a result of the attack, some of the municipality's electronic systems have been out of use. For residents, however, the situation has not been very visible.
For example, schools, daycare centres and the water supply have operated normally.
According to Jere Finne, senior specialist at the National Cyber Security Centre of the Finnish Transport and Communications Agency Traficom, digitalisation and the growth of cybercrime expose municipalities to possible attacks.
– The starting point in these cases is that the motive is financial. Municipalities are big actors, and they produce many large services. There is also a lot of attack surface to exploit, Finne says.
Tomi Engdahl says:
Ukraine security services involved in hack of Russia’s largest private bank https://therecord.media/sbu-involved-in-alfa-bank-hack
Ukrainian hackers collaborated with the country’s security services, the SBU, to breach Russia’s largest private bank, a source within the department confirmed to Recorded Future News.
Last week, two groups of pro-Ukrainian hackers, KibOrg and NLB, hacked into Alfa-Bank and claimed to obtain the data of more than 30 million customers, including their names, dates of birth, account numbers, and phone numbers, according to a post on their official website.
Alfa-Bank was sanctioned by the United States following Russia’s invasion of Ukraine last year. The bank is owned by the Russian-Israeli billionaire Mikhail Fridman, who is blacklisted by the U.S. and Europe as part of efforts to impose restrictions on Russia’s economy and its wealthiest businessmen.
Tomi Engdahl says:
Cisco patches IOS XE zero-days used to hack over 50,000 devices https://www.bleepingcomputer.com/news/security/cisco-patches-ios-xe-zero-days-used-to-hack-over-50-000-devices/
Cisco has addressed the two vulnerabilities (CVE-2023-20198 and CVE-2023-20273) that hackers exploited to compromise tens of thousands of IOS XE devices over the past week.
The free software release comes after a threat actor leveraged the security issues as zero-days to compromise and take full control of more than 50,000 Cisco IOS XE hosts.
In an update to the original advisory, Cisco says that the first fixed software release is available from the company’s Software Download Center. At the moment, the first fixed release available is 17.9.4a, with updates to roll out at a yet undisclosed date.
Tomi Engdahl says:
Alleged covert wiretap on Russian messaging service blown by expired TLS certificate https://therecord.media/jabber-ru-alleged-government-wiretap-expired-tls-certificate
Security researchers have discovered what they believe may be a government attempt to covertly wiretap an instant messaging service in Germany — an attempt that was blown because the potential intercepting authorities failed to reissue a TLS certificate.
The suspected man-in-the-middle attack was identified when the administrator of jabber.ru, the largest Russian XMPP service, received a notification that one of the servers’ certificates had expired.
However, jabber.ru found no expired certificates on the server — as explained in a blog post by ValdikSS, a pseudonymous anti-censorship researcher based in Russia who collaborated on the investigation.
Tomi Engdahl says:
QNAP takes down server behind widespread brute-force attacks https://www.bleepingcomputer.com/news/security/qnap-takes-down-server-behind-widespread-brute-force-attacks/
QNAP took down a malicious server used in widespread brute-force attacks targeting Internet-exposed NAS (network-attached storage) devices with weak passwords.
The Taiwanese hardware vendor detected the attacks on the evening of October 14 and, with assistance from Digital Ocean, took down the command-and-control server (used to control a botnet of hundreds of infected systems) within two days.
“The QNAP Product Security Incident Response Team (QNAP PSIRT) swiftly took action by successfully blocking hundreds of zombie network IPs through QuFirewall within 7 hours, effectively protecting numerous internet-exposed QNAP NAS devices from further attack,” the company said.
Tomi Engdahl says:
Malware & Threats
Cisco Finds Second Zero-Day as Number of Hacked Devices Apparently Drops
https://www.securityweek.com/cisco-finds-second-zero-day-as-number-of-hacked-devices-drops/
Cisco has found a second zero-day vulnerability that has been exploited in recent attacks as the number of hacked devices has started dropping.
Cisco has found a second actively exploited IOS XE zero-day vulnerability, with the company disclosing it just as the number of hacked devices appears to have dropped significantly.
The networking giant warned customers last week that threat actors have exploited a zero-day since at least mid-September. The critical flaw, tracked as CVE-2023-20198, affects the IOS XE web interface and it can be exploited by remote, unauthenticated attackers to create high-privileged accounts on targeted Cisco devices.
After creating new accounts on devices and gaining root privileges on the system, the attackers have been observed delivering a Lua-based implant that enables them to execute arbitrary commands.
Tomi Engdahl says:
Funding/M&A
Rockwell Automation to Acquire ICS/OT Security Firm Verve Industrial
https://www.securityweek.com/rockwell-automation-acquires-ics-ot-security-firm-verve-industrial/
Rockwell Automation agreed to acquire ICS/OT cybersecurity firm Verve Industrial Protection to expand its offerings.
Industrial giant Rockwell Automation announced on Monday that it has signed a definitive agreement to acquire Verve Industrial Protection, a cybersecurity company specializing in industrial control systems (ICS) and operational technology (OT).
Verve’s managed OT/ICS security platform provides asset inventory, vulnerability management, patch management, configuration management, SIEM, incident response, and backup and restore capabilities.
In addition, the company provides network segmentation, vulnerability assessment, system hardening, automation engineering, and consulting services.
The deal enables Rockwell Automation to expand and strengthen its offering.
Financial details have not been disclosed. The acquisition is expected to close in the first quarter of Rockwell’s 2024 fiscal year. Once the deal has been completed, Verve will be part of Rockwell’s Lifecycle Services unit.
“With the Verve acquisition, our customers can quickly assess their assets, prioritize risk, and apply countermeasures to mitigate vulnerabilities – all within a single platform,” said Matt Fordenwalt, Rockwell’s senior vice president of Lifecycle Services. “The addition of Verve to our suite of solutions allows customers to further build resiliency and continuously improve the security, safety, and availability of their operations.”
Tomi Engdahl says:
Data Breaches
Casio Says Personal Information Accessed in Web Application Server Hack
https://www.securityweek.com/casio-says-personal-information-accessed-in-web-application-server-hack/
Hackers access the personal information of Casio customers after compromising the server for an education web application.
Tomi Engdahl says:
Identity & Access
SolarWinds Patches High-Severity Flaws in Access Rights Manager
https://www.securityweek.com/solarwinds-patches-high-severity-flaws-in-access-rights-manager/
SolarWinds patches high-severity flaws in its Access Rights Manager product, including three unauthenticated remote code execution issues.
Enterprise software vendor SolarWinds has released patches for eight high-severity vulnerabilities in its Access Rights Manager (ARM), including three remote code execution issues that can be exploited without authentication.
The three remote code execution flaws, tracked as CVE-2023-35182, CVE-2023-35185, and CVE-2023-35187, were identified by Sina Kheirkhah of Summoning Team and reported to ZDI.
The first of the issues, ZDI warns in an advisory, exists because user-supplied data is not properly validated in the createGlobalServerChannelInternal method, leading to the deserialization of untrusted data.
The second and third issues exist because the OpenFile and the OpenClientUpdateFile methods do not properly validate “a user-supplied path prior to using it in file operations,” ZDI said. A remote, unauthenticated attacker can exploit these vulnerabilities to execute arbitrary code with System privileges.
Tomi Engdahl says:
Umar Shakir / The Verge:
Amazon rolls out passkey support in its iOS app and the web, letting users log in via their devices’ biometrics, and says support for Android is “coming soon” — Amazon’s rolling out passkey support for its online site and mobile shopping apps.
Amazon enables passwordless passkeys on iOS and the web
Amazon is launching passkey support starting with its shopping website and iOS shopping app, with Android support coming soon.
https://www.theverge.com/2023/10/23/23928589/amazon-passkey-support-web-ios-shopping-mobile-app
Tomi Engdahl says:
Mayank Parmar / BleepingComputer:
Google proposes IP Protection for Chrome, an opt-in privacy feature that masks IP addresses via proxy servers for “qualifying traffic”, to roll out in stages — Google is getting ready to test a new “IP Protection” feature for the Chrome browser that enhances users’ privacy …
Google Chrome’s new “IP Protection” will hide users’ IP addresses
https://www.bleepingcomputer.com/news/google/google-chromes-new-ip-protection-will-hide-users-ip-addresses/#google_vignette
Tomi Engdahl says:
The nightmare of the municipality of Rautavaara continues: the cyberattacker demands "a certain ransom" in an extortion message
https://yle.fi/a/74-20056785
The municipality of Rautavaara, which was hit by a cyberattack during the night between Sunday and Monday, has received an extortion message in English demanding money, says acting municipal manager Vesa Lötjönen.
– A certain ransom has been demanded, but of course we will not agree to it. We are rebuilding the environment so that no one can get in here, Lötjönen says.
According to Lötjönen, the extortion message is very typical of such cases. He does not know the sum of money.
Tomi Engdahl says:
Shocking scam messages are circulating – police: This is how you recognise them and avoid harm https://www.is.fi/digitoday/tietoturva/art-2000009942107.html
Scam emails are currently being sent to Finns in the name of the police, demanding that the recipient answer for illegal pornographic material, including child pornography, found on their computer. The most common scam variant frightens the recipient with a 4–6 year prison sentence and a fine of 78,000 euros.
The emails typically contain a PDF file, and the message carries the forged name of some senior police official. The messages are exceptional in that they often get past even Gmail's effective spam protections.
The messages typically ask for a quick reply, personal data or bank details. Some messages contain links or ask for personal data. Typically, a reply to the message is demanded.
Tomi Engdahl says:
ServiceNow leak: thousands of companies at risk https://cybernews.com/news/servicenow-leak-thousands-companies-risk/
Digital business platform ServiceNow has a potential data vulnerability that could have compromised its users for years, a cybersecurity expert warns. The company has since tacitly acknowledged the warning, though it neither confirmed nor denied it.
“A potential data exposure issue within ServiceNow’s built-in capability has been identified,” said Daniel Miessler, in a post on X, aka Twitter. “This could allow unauthenticated users to extract data from records.”
Miessler appears to have been working off a longer report by fellow cybersecurity
Tomi Engdahl says:
1Password detects “suspicious activity” in its internal Okta account https://arstechnica.com/security/2023/10/1password-detects-suspicious-activity-in-its-internal-okta-account/
1Password, a password manager used by millions of people and more than 100,000 businesses, said it detected suspicious activity on a company account provided by Okta, the identity and authentication service that disclosed a breach on Friday.
“On September 29, we detected suspicious activity on our Okta instance that we use to manage our employee-facing apps,” 1Password CTO Pedro Canahuati wrote in an email. “We immediately terminated the activity, investigated, and found no compromise of user data or other sensitive systems, either employee-facing or user-facing.”
Tomi Engdahl says:
Citrix warns admins to patch NetScaler CVE-2023-4966 bug immediately https://www.bleepingcomputer.com/news/security/citrix-warns-admins-to-patch-netscaler-cve-2023-4966-bug-immediately/
Citrix warned admins today to secure all NetScaler ADC and Gateway appliances immediately against ongoing attacks exploiting the CVE-2023-4966 vulnerability.
The company patched this critical sensitive information disclosure flaw (tracked as CVE-2023-4966) two weeks ago, assigning it a 9.4/10 severity rating as it’s remotely exploitable by unauthenticated attackers in low-complexity attacks that don’t require user interaction. NetScaler appliances must be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or an AAA virtual server to be vulnerable to attacks.
Tomi Engdahl says:
Cyberattackers Alter Implant on 30K Compromised Cisco IOS XE Devices
https://www.darkreading.com/remote-workforce/cyberattackers-alter-implant-30k-compromised-cisco-ios-xe-devices
Norway issues warning after ‘important businesses’ affected by Cisco zero-days https://therecord.media/norway-advisory-cisco-zero-days-important-businesses
The head of Norway’s National Security Authority (NSM) warned on Monday that the exploitation of two recently disclosed Cisco vulnerabilities has resulted in “important businesses” in the country being compromised by hackers.
Speaking to Norwegian newspaper Dagens Næringsliv, NSM chief Sofie Nystrøm said her agency was coordinating the national response to the pair of zero-day vulnerabilities affecting Cisco IOS XE.
Nystrøm declined to identify the businesses that had been affected beyond describing them as important and saying some provided community services. Her agency did not provide a count of how many organizations in the country had been hacked, nor whether any of them were in the public sector.
Tomi Engdahl says:
https://www.securityweek.com/rockwell-automation-warns-customers-of-cisco-zero-day-affecting-stratix-switches/
Tomi Engdahl says:
https://www.securityweek.com/personal-information-stolen-in-city-of-philadelphia-email-hack/
Tomi Engdahl says:
https://www.securityweek.com/securityweeks-2023-ics-cybersecurity-conference-kicks-off-in-atlanta/
Tomi Engdahl says:
https://www.securityweek.com/stealth-techniques-used-in-operation-triangulation-ios-attack-dissected/
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/vmware-warns-admins-of-public-exploit-for-vrealize-rce-flaw/?fbclid=IwAR2aIJ4d1Bp28F8RhP4jfZHU500gBiCzz42wGmH79HpJf6ZtxH5JAkCrdwo
Tomi Engdahl says:
Dan Goodin / Ars Technica:
Researchers reveal an attack forcing iOS and macOS WebKit browsers to divulge secrets, like passwords and email content, of users who visit a malicious website
Hackers can force iOS and macOS browsers to divulge passwords and much more
iLeakage is practical and requires minimal resources. A patch isn’t (yet) available.
https://arstechnica.com/security/2023/10/hackers-can-force-ios-and-macos-browsers-to-divulge-passwords-and-a-whole-lot-more/
Tomi Engdahl says:
Natasha Lomas / TechCrunch:
Experts: an EU proposal requiring messaging services to scan for CSAM is the wrong response to a multifaceted problem and a direct threat to democratic values — A controversial child sexual abuse material (CSAM)-scanning proposal that’s under discussion by lawmakers in Europe …
Europe’s CSAM-scanning plan is a tipping point for democratic rights, experts warn
https://techcrunch.com/2023/10/24/eu-csam-scanning-edps-seminar/
Tomi Engdahl says:
Supo warned Finns about this device found in every home – now it is your turn to check 3 things https://www.is.fi/digitoday/tietoturva/art-2000009941787.html
Finland's information security authority, the National Cyber Security Centre of the Finnish Transport and Communications Agency Traficom, reminds citizens to get their router settings in order.
A router is usually a box sitting in the living room or study that brings the internet into the house and distributes it, usually wirelessly, to the computer and the other devices in the home.
– The modem or router is the gateway to our home network, and its security is key, the National Cyber Security Centre emphasises.
Tomi Engdahl says:
Citrix Bleed exploit lets hackers hijack NetScaler accounts https://www.bleepingcomputer.com/news/security/citrix-bleed-exploit-lets-hackers-hijack-netscaler-accounts/
A proof-of-concept (PoC) exploit is released for the ‘Citrix Bleed’ vulnerability, tracked as CVE-2023-4966, that allows attackers to retrieve authentication session cookies from vulnerable Citrix NetScaler ADC and NetScaler Gateway appliances.
CVE-2023-4966 is a critical-severity remotely exploitable information disclosure flaw Citrix fixed on October 10 without providing many details. On October 17, Mandiant revealed that the flaw was abused as a zero-day in limited attacks since late August 2023.
Today, researchers at Assetnote shared more details about the exploitation method of CVE-2023-4966 and published a PoC exploit on GitHub to demonstrate their findings and help those who want to test for exposure.
Tomi Engdahl says:
VMware fixes critical code execution flaw in vCenter Server https://www.bleepingcomputer.com/news/security/vmware-fixes-critical-code-execution-flaw-in-vcenter-server/
VMware issued security updates to fix a critical vCenter Server vulnerability that can be exploited to gain remote code execution attacks on vulnerable servers.
vCenter Server is the central management hub for VMware’s vSphere suite, and it helps administrators manage and monitor virtualized infrastructure.
The vulnerability (CVE-2023-34048) was reported by Grigory Dorodnov of Trend Micro’s Zero Day Initiative and is due to an out-of-bounds write weakness in vCenter’s DCE/RPC protocol implementation. Unauthenticated attackers can exploit it remotely in low-complexity attacks that don’t require user interaction. The company says it has no evidence that the CVE-2023-34048 RCE bug is currently used in attacks.
Tomi Engdahl says:
Critical OAuth Flaws Uncovered in Grammarly, Vidio, and Bukalapak Platforms https://thehackernews.com/2023/10/critical-oauth-flaws-uncovered-in.html
Critical security flaws have been disclosed in the Open Authorization (OAuth) implementation of popular online services such as Grammarly, Vidio, and Bukalapak, building upon previous shortcomings uncovered in Booking[.]com and Expo.
The weaknesses, now addressed by the respective companies following responsible disclosure between February and April 2023, could have allowed malicious actors to obtain access tokens and potentially hijack user accounts.
OAuth is a standard that’s commonly used as a mechanism for cross-application access, granting websites or applications access to their information on other websites, such as Facebook, but without giving them the passwords.
Tomi Engdahl says:
Winter Vivern exploits zero-day vulnerability in Roundcube Webmail servers https://www.welivesecurity.com/en/eset-research/winter-vivern-exploits-zero-day-vulnerability-roundcube-webmail-servers/
ESET Research has been closely tracking the cyberespionage operations of Winter Vivern for more than a year and, during our routine monitoring, we found that the group began exploiting a zero-day XSS vulnerability in the Roundcube Webmail server on October 11th, 2023. This is a different vulnerability than CVE-2020-35730, which was also exploited by the group according to our research.
According to ESET telemetry data, the campaign targeted Roundcube Webmail servers belonging to governmental entities and a think tank, all in Europe.
Tomi Engdahl says:
Dan Goodin / Ars Technica:
Researchers reveal an attack forcing iOS and macOS WebKit browsers to divulge secrets, like passwords and email content, of users who visit a malicious website — iLeakage is practical and requires minimal resources. A patch isn’t (yet) available. — Researchers have devised an attack …
Hackers can force iOS and macOS browsers to divulge passwords and much more
https://arstechnica.com/security/2023/10/hackers-can-force-ios-and-macos-browsers-to-divulge-passwords-and-a-whole-lot-more/
iLeakage is practical and requires minimal resources. A patch isn’t (yet) available.
Researchers have devised an attack that forces Apple’s Safari browser to divulge passwords, Gmail message content, and other secrets by exploiting a side channel vulnerability in the A- and M-series CPUs running modern iOS and macOS devices.
iLeakage, as the academic researchers have named the attack, is practical and requires minimal resources to carry out. It does, however, require extensive reverse-engineering of Apple hardware and significant expertise in exploiting a class of vulnerability known as a side channel, which leaks secrets based on clues left in electromagnetic emanations, data caches, or other manifestations of a targeted system. The side channel in this case is speculative execution, a performance enhancement feature found in modern CPUs that has formed the basis of a wide corpus of attacks in recent years. The nearly endless stream of exploit variants has left chip makers—primarily Intel and, to a lesser extent, AMD—scrambling to devise mitigations.
Exploiting WebKit on Apple silicon
The researchers implement iLeakage as a website. When visited by a vulnerable macOS or iOS device, the website uses JavaScript to surreptitiously open a separate website of the attacker’s choice and recover site content rendered in a pop-up window. The researchers have successfully leveraged iLeakage to recover YouTube viewing history, the content of a Gmail inbox—when a target is logged in—and a password as it’s being autofilled by a credential manager. Once visited, the iLeakage site requires about five minutes to profile the target machine and, on average, roughly another 30 seconds to extract a 512-bit secret, such as a 64-character string.
“We show how an attacker can induce Safari to render an arbitrary webpage, subsequently recovering sensitive information present within it using speculative execution,” the researchers wrote on an informational website. “In particular, we demonstrate how Safari allows a malicious webpage to recover secrets from popular high-value targets, such as Gmail inbox content. Finally, we demonstrate the recovery of passwords, in case these are autofilled by credential managers.”
While iLeakage works against Macs only when running Safari, iPhones and iPads can be attacked when running any browser because they’re all based on Apple’s WebKit browser engine. An Apple representative said iLeakage advances the company’s understanding and that the company is aware of the vulnerability and plans to address it in an upcoming software release. There is no CVE designation to track the vulnerability.
Tomi Engdahl says:
Wes Davis / The Verge:
Telegram blocks two channels used by Hamas for Android users, blaming Google Play Store guidelines, after Pavel Durov resisted calls to shut down Hamas channels
Telegram has blocked Hamas channels on Android because Google forced it to
As the war in Israel continues, Telegram has cut off the channels Hamas uses to communicate, but only for Android users.
https://www.theverge.com/2023/10/25/23931710/telegram-android-block-hamas-channels-google-play-guidelines-war-israel
Tomi Engdahl says:
Supantha Mukherjee / Reuters:
AWS plans to launch a sovereign cloud in Europe for governments and customers in regulated industries, storing data on EU servers and launching first in Germany
https://www.reuters.com/technology/amazon-web-services-launch-european-sovereign-cloud-2023-10-25/