Cyber security news May 2024

This posting is here to collect cyber security news in May 2024.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.

257 Comments

  1. Tomi Engdahl says:

    Dell Says Customer Names, Addresses Stolen in Database Breach
    https://www.securityweek.com/dell-says-customer-names-addresses-stolen-in-database-breach/

    Tech giant notifies millions of customers that full names and physical mailing addresses were stolen during a security incident.

    Reply
  2. Tomi Engdahl says:

    LockBit Takes Credit for City of Wichita Ransomware Attack
    The LockBit cybercrime group has taken credit for the recent ransomware attack that disrupted City of Wichita systems.
    https://www.securityweek.com/lockbit-takes-credit-for-city-of-wichita-ransomware-attack/

    The notorious LockBit cybercrime group has taken credit for the recent ransomware attack that forced the City of Wichita, Kansas, to shut down many of its systems.

    The city disclosed the incident on May 6, one day after the intrusion was discovered. Wichita said the hackers had deployed file-encrypting malware on some of its systems.

    The incident appears to have impacted water utility, municipal court, cultural, and public transportation payments. The city also announced that public Wi-Fi was not working at the airport, and arrival and departure screens stopped working due to the hack. It’s unclear when these systems would become operational again.

    Wichita is apparently still investigating whether any information was stolen during the cyberattack.

    The city was added to the LockBit website on May 7, with the cybercriminals threatening to leak files stolen from its systems in seven days, unless a ransom is paid.

    Reply
  3. Tomi Engdahl says:

    Lawrence Abrams / BleepingComputer:
    Dell warns customers of a data breach after a threat actor claimed to have stolen data for ~49M customers, but says financial and payment data was not stolen — Dell is warning customers of a data breach, after a threat actor claimed to have stolen information for approximately 49 million customers.
    https://www.bleepingcomputer.com/news/security/dell-warns-of-data-breach-49-million-customers-allegedly-affected/

    Reply
  4. Tomi Engdahl says:

    Anthony Capaccio / Bloomberg:
    The Pentagon says it worked with Ukraine and SpaceX to successfully block Russian military use of Starlink; some Russian users complain of connectivity issues — – Russian military has used Starlink internet in Ukraine war — Departing space policy chief calls SpaceX ‘very reliable’

    Pentagon Teams Up With SpaceX to Block Russia From Using Starlink
    https://www.bloomberg.com/news/articles/2024-05-09/russia-starlink-access-blocked-by-pentagon-spacex-ukraine

    Russian military has used Starlink internet in Ukraine war
    Departing space policy chief calls SpaceX ‘very reliable

    Reply
  5. Tomi Engdahl says:

    Pratik Jain / Reuters:
    US hospital operator Ascension reports disruptions to its clinical operations due to a suspected cybersecurity incident and engages Mandiant to help investigate

    Ascension warns of suspected cyberattack; clinical operations disrupted
    https://www.reuters.com/technology/cybersecurity/ascension-warns-suspected-cyberattack-clinical-operations-disrupted-2024-05-08/

    Reply
  6. Tomi Engdahl says:

    Suomalaisia vaanii tälläkin hetkellä vaara, jota ei osata pelätä
    Suomen yleisimpiin lukeutuvan haittaohjelman torjuminen on asiantuntijan mukaan viheliäinen ongelma, johon tulisi suhtautua vakavasti.
    https://www.iltalehti.fi/digiuutiset/a/4758e540-7c88-45a5-a603-0791f8304209?utm_medium=Social&utm_source=Facebook&fbclid=IwZXh0bgNhZW0CMTEAAR0K66GTi9e1Dt4oee1Pvl4zCKTcEp2DEJp4wQFzwQxbIIug11h79AK5kds_aem_ATSBOexSqwXd_bbSeLUO9CFD7sVDfLELYPxO3h0RD_EplEbR8IVXINNcoXqedMNEBNy0KqSBvF6KYrr5-GmJ4HUy#Echobox=1715313216

    Haittaohjelma Mirai tulee olemaan suomalaistenkin riesana vielä pitkään.
    Siltä voi suojautua pitämällä huolta laitteiden tietoturvasta.
    Asiantuntija toivoo laitehankintoja tekeviltä harkintaa myös etukäteen.

    Reply
  7. Tomi Engdahl says:

    Chinese network behind one of world’s ‘largest online scams’
    Exclusive: Vast web of fake shops touting designer brands took money and personal details from 800,000 people in Europe and US, data suggests
    https://www.theguardian.com/money/article/2024/may/08/chinese-network-behind-one-of-worlds-largest-online-scams

    Reply
  8. Tomi Engdahl says:

    New Spectre-Style ‘Pathfinder’ Attack Targets Intel CPU, Leak Encryption Keys and Data
    https://thehackernews.com/2024/05/new-spectre-style-pathfinder-attack.html

    Researchers have discovered two novel attack methods targeting high-performance Intel CPUs that could be exploited to stage a key recovery attack against the Advanced Encryption Standard (AES) algorithm.

    The techniques have been collectively dubbed Pathfinder by a group of academics from the University of California San Diego, Purdue University, UNC Chapel Hill, Georgia Institute of Technology, and Google.

    “Pathfinder allows attackers to read and manipulate key components of the branch predictor, enabling two main types of attacks: reconstructing program control flow history and launching high-resolution Spectre attacks,” Hosein Yavarzadeh, the lead author of the paper, said in a statement shared with The Hacker News.

    “Pathfinder allows attackers to read and manipulate key components of the branch predictor, enabling two main types of attacks: reconstructing program control flow history and launching high-resolution Spectre attacks,” Hosein Yavarzadeh, the lead author of the paper, said in a statement shared with The Hacker News.

    Reply
  9. Tomi Engdahl says:

    Critical Tinyproxy Flaw Opens Over 50,000 Hosts to Remote Code Execution
    https://thehackernews.com/2024/05/critical-tinyproxy-flaw-opens-over.html

    More than 50% of the 90,310 hosts have been found exposing a Tinyproxy service on the internet that’s vulnerable to a critical unpatched security flaw in the HTTP/HTTPS proxy tool.

    The issue, tracked as CVE-2023-49606, carries a CVSS score of 9.8 out of a maximum of 10, per Cisco Talos, which described it as a use-after-free bug impacting versions 1.10.0 and 1.11.1, the latter of which is the latest version.

    “A specially crafted HTTP header can trigger reuse of previously freed memory, which leads to memory corruption and could lead to remote code execution,” Talos said in an advisory last week. “An attacker needs to make an unauthenticated HTTP request to trigger this vulnerability.”

    Reply
  10. Tomi Engdahl says:

    Hakkerit iskivät: Tällainen oli näky televisioissa Venäjällä voiton­päivän paraatin aikana
    Hakkerit olivat aktiivisia molemmin puolin rajaa voitonpäivän aikana.
    https://www.is.fi/digitoday/tietoturva/art-2000010416171.html

    VENÄJÄN suurimpiin kuuluvana juhlapäivänä eli voitonpäivänä 9. toukokuuta nähtiin laajoja verkkohyökkäyksiä sekä Venäjälle että Venäjältä. Kybersodassa tavallisten palvelunestohyökkäysten lisäksi nähtiin myös iskuja televisiolähetyksiin molemmin puolin rajaa.

    Venäläisen internet- ja kaapelitelevisio-operaattori Ufanetin verkkoon tehtiin hyökkäys voitonpäivän paraatin aikana ja lähetys korvattiin vajaan parin minuutin mittaisella videolla, kertovat RBC, Meduza ja Delfi.

    MYÖS Kremliä tukevat hakkerit aktivoituivat voitonpäivänä. Nämä iskivät latvialaisen Balticomin ja ukrainalaisten StarLightMedian ja Inter Media Groupin televisiolähetyksiin. Televisiokanavilla alettiin näyttää voitonpäivän paraatia Moskovasta normaalin lähetyksen sijaan.

    Reply
  11. Tomi Engdahl says:

    Google Cloud accidentally deletes UniSuper’s online account due to ‘unprecedented misconfiguration’
    Super fund boss and Google Cloud global CEO issue joint statement apologising for ‘extremely frustrating and disappointing’ outage
    https://www.theguardian.com/australia-news/article/2024/may/09/unisuper-google-cloud-issue-account-access?fbclid=IwZXh0bgNhZW0CMTEAAR2JJMiYnjOrLzEffzLvo-109YTSYGbok3WUXzcAH7V7c5UJqB0Jd2AHzdY_aem_Acrbhiz7KLuUW74lmXzveLIc_mOQ-FhJRNE5OVZYp9Izxh_RmstqROUvYmiXRI4yR_ekVEEXFO9n6RJTKFz8rvT3

    More than half a million UniSuper fund members went a week with no access to their superannuation accounts after a “one-of-a-kind” Google Cloud “misconfiguration” led to the financial services provider’s private cloud account being deleted, Google and UniSuper have revealed.

    Services began being restored for UniSuper customers on Thursday, more than a week after the system went offline. Investment account balances would reflect last week’s figures and UniSuper said those would be updated as quickly as possible.

    Reply
  12. Tomi Engdahl says:

    Revontulet olivat vasta alkua: Aurinko syytää Maahan pian jotain äärimmäistä, Ilmatieteen laitos puhuu vuosituhannen myrskystä
    https://www.iltalehti.fi/ulkomaat/a/07d56936-09f4-4410-834f-646b5f7fb634

    Ensi yönä jatkuva aurinkomyrsky jatkaa eilistä revontuliin johtaneiden tapahtumien sarjaa. Ilmatieteen laitos povaa edessä olevan yksi vuosituhannen suurimmista geomagneettisista myrskyistä.

    Perjantaiyönä maapallon taivaan valaisivat hurjana leimuavat revontulet. Jopa Helsingissä nähtiin vihreää, punaista ja violettia valojen loistetta. Revontulia näkyi myös esimerkiksi Ukrainassa, Sveitsissä, Saksassa, Espanjassa ja jopa Kaliforniassa.

    Ihmeellisen luonnonilmiön taustalla on geomagneettinen myrsky. Mutta perjantainen näytös ei jää tähän, vaan toinen erä on jo saapumassa, kertoo Ilmatieteen laitos viestipalvelu X:ssä.

    Ja tuleva myrsky saattaa olla jopa historiallinen.

    – Seuraava erä taitaa olla alkamassa jo yhdessä vuosituhannen suurimmista geomagneettisista myrskyistä, Ilmatieteen laitos kertoo.

    Avaruusfysiikan professori Minna Palmroth kertoo viestipalvelu X:ssä, että tällä hetkellä käynnissä oleva geomagneettinen myrsky on suurin 20 vuoteen.

    Reply
  13. Tomi Engdahl says:

    Thanks to some arbitrary code execution, Tetris players may be able to line up scores previously thought to be unobtainable: https://trib.al/XvdJVsQ

    Aurich Lawson]

    Reply
  14. Tomi Engdahl says:

    500,000 Impacted by Ohio Lottery Ransomware Attack

    The Ohio Lottery cyberattack conducted by the DragonForce ransomware group has impacted more than 500,000 individuals.

    https://www.securityweek.com/500000-impacted-by-ohio-lottery-ransomware-attack/

    Reply
  15. Tomi Engdahl says:

    In Other News: European Parliament Breach, DocGo Hack, VMware Advisories Moved

    Noteworthy stories that might have slipped under the radar: European Parliament application breached, DocGo hacked, VMware advisories moved to Broadcom portal.

    https://www.securityweek.com/in-other-news-european-parliament-breach-docgo-hack-vmware-advisories-moved/

    European Parliament data breach

    As part of preparations made for the upcoming elections, the European Parliament discovered recently that an external recruitment application was breached in early 2024. The compromised application stored sensitive information related to roughly 8,000 candidates for temporary positions. The origin of the attack remains unknown.

    Reply
  16. Tomi Engdahl says:

    Healthcare Giant Ascension Hacked, Hospitals Diverting Emergency Service

    One of the largest healthcare systems in the United States is scrambling to contain a hack that’s causing disruption and “downtime procedures” at hospitals around the country.

    https://www.securityweek.com/healthcare-giant-ascension-hacked-hospitals-diverting-emergency-service/

    Reply
  17. Tomi Engdahl says:

    Exploited Chrome Zero-Day Patched by Google
    https://www.securityweek.com/exploited-chrome-zero-day-patched-by-google/

    A Chrome 124 update patches the second Chrome zero-day that has been found to be exploited in malicious attacks in 2024.

    A Chrome 124 update released by Google on Thursday patches a zero-day vulnerability for which, according to the internet giant, an exploit exists in the wild.

    The zero-day is tracked as CVE-2024-4671 and it has been described by Google as a high-severity use-after-free bug in the Visuals component.

    The company has credited an anonymous researcher for reporting the vulnerability on May 7, which means it only took two days to develop and release a patch.

    Google’s advisory provides no information on a bug bounty.

    In addition, no information is available on the attacks exploiting CVE-2024-4671, but Chrome vulnerabilities are often targeted by commercial spyware vendors.

    Chrome 124.0.6367.201/.202 for Mac and Windows and Chrome 124.0.6367.201 for Linux contain the patch for CVE-2024-4671.

    According to Google, this is the second Chrome vulnerability of 2024 that has been exploited in malicious attacks. The first is CVE-2024-0519, which the company patched in January.

    Reply
  18. Tomi Engdahl says:

    Matthew Green / @matthew_d_green:
    Following attempts to malign Signal as insecure by Telegram’s CEO and Elon Musk, a look at why Signal is widely regarded by experts as more secure than Telegram — Telegram has launched a pretty intense campaign to malign Signal as insecure, with assistance from Elon Musk. The goal seems to be to get activists to switch away from encrypted Signal to mostly-unencrypted Telegram. I want to talk about this a bit. 1/

    https://twitter.com/matthew_d_green/status/1789687898863792453
    Telegram has launched a pretty intense campaign to malign Signal as insecure, with assistance from Elon Musk. The goal seems to be to get activists to switch away from encrypted Signal to mostly-unencrypted Telegram. I want to talk about this a bit. 1/

    Reply
  19. Tomi Engdahl says:

    Heather Somerville / Wall Street Journal:
    As VC firms pivot to investing in startups developing defense tech for the US and its allies, some of their business ties with China still linger — Investors with connections to China are backing startups developing tech that the U.S. wants to counter Beijing

    As Silicon Valley Pivots to Patriotic Capital, China Ties Linger
    Investors with connections to China are backing startups developing tech that the U.S. wants to counter Beijing
    Silicon Valley investors are targeting what they hope will be a huge business opportunity—new defense technology for the U.S. and allies.
    https://www.wsj.com/finance/investing/as-silicon-valley-pivots-to-patriotic-capital-china-ties-linger-7030bf93?st=czpxperejfbh3li&reflink=desktopwebshare_permalink

    Reply
  20. Tomi Engdahl says:

    Henry Mance / Financial Times:
    Researcher Sonia Livingstone says constraining tech companies and empowering young people and parents are better alternatives to banning kids from social media — Social psychologist Sonia Livingstone says there are alternatives to banning the young from social media

    https://www.ft.com/content/c122775a-f664-4c06-90c2-eba077367757

    Reply
  21. Tomi Engdahl says:

    Helsingin kaupungin tieto­murto on poikkeuksellisen vakava: Henkilö­tunnuksia viety, koskee jopa 80 000:ta ihmistä
    Murto on laaja, ja kymmenien tuhansien tiedot saattoivat vaarantua.
    https://www.is.fi/digitoday/tietoturva/art-2000010423091.html

    Reply
  22. Tomi Engdahl says:

    This Week In Security: TunnelVision, Scarecrows, And Poutine
    http://hackaday.com/2024/05/10/this-week-in-security-tunnelvision-scarecrows-and-poutine/

    There’s a clever “new” attack against VPNs, called TunnelVision, done by researchers at Leviathan Security. To explain why we put “new” in quotation marks, I’ll just share my note-to-self on this one written before reading the write-up: “Doesn’t using a more specific DHCP route do this already?” And indeed, that’s the secret here: in routing, the more specific route wins. I could not have told you that DHCP option 121 is used to set extra static routes, so that part was new to me. So let’s break this down a bit, for those that haven’t spent the last 20 years thinking about DHCP, networking, and VPNs.

    https://www.leviathansecurity.com/blog/tunnelvision

    Reply
  23. Tomi Engdahl says:

    Kommentti: Helsingin tieto­murto nostaa 3 polttavaa kysymystä – saisiko näihin vastaukset, kiitos!
    Helsingin kaupunki tuntuu rikkoneen nykyistä tietoturva-ajattelua vastaan ainakin kahdella tavalla, kirjoittaa Ilta-Sanomien digitoimittaja Henrik Kärkkäinen.
    https://www.is.fi/digitoday/tietoturva/art-2000010423314.html

    HELSINGIN kaupunki pudotti maanantaina todellisen pommin: Toukokuun alussa kaupungin kasvatuksen ja koulutuksen toimialaan kohdistunut tietomurto on massiivinen. Se koskee jopa 80 000 ihmistä.

    Tämä tarkoittaa sitä, että näiden osoitetiedot, mahdollisesti henkilötunnukset sekä hyvinkin arkaluontoiset tiedot on varastettu kaupungin palvelimilta.

    Tilanteesta tekee erityisen ikävän se, että vielä ei tiedetä, mitä tietoja on viety. Tämä on laajoissa tietomurroissa enemmän sääntö kuin poikkeus. Digitaalinen forensiikka eli rikospaikkatutkinta on hidasta ja hankalaa. Jos murtautuja on osannut hommansa, hän on osannut myös peittää jälkensä.

    Tällä hetkellä tiedetään vaan, että suurinta osaa asioista ei tiedetä.

    Tilanne on erityisen ikävä kaikkien kasvatuksen ja koulutuksen toimialan kanssa tekemisissä olevien – siis myös kymmenien tuhansien lasten.

    Ja samaan aikaan on todettava, että tämä on uusi normaali. Tietomme sijaitsevat niin monessa paikassa, että todennäköisyys sille, että ne vuotavat jossain vaiheessa, on valitettavan suuri.

    UUSI normaali ei tarkoita, että asioiden pitäisi olla näin. Tapahtuneessa haisee vakava laiminlyönti.

    Tietomurto herättää kolme hyvin vakavaa kysymystä. Kaksi niistä kohdistuu Helsingin kaupunkiin ja yksi valtiovaltaan.

    Kysymys yksi: Murto tapahtui päivittämättömän etäyhteyspalvelimen haavoittuvuutta käyttämällä. Tietoturvan ykkösnyrkkisääntöjä on päivittää kriittiset järjestelmät heti, kun päivitys on saatavilla. Miksi verkkolaite oli päivittämätön?

    Kysymys kaksi: Helsinki kertoi tiedotustilaisuudessaan, että hyökkääjä on pystynyt liikkumaan verkossa vapaasti. Nykyisen tietoturva-ajattelun mukaan oletetaan, että järjestelmä joutuu väkisinkin jossain vaiheessa murron kohteeksi. Siksi verkot tulee segmentoida eli lohkoa osiin, joiden välillä kulku ei ole vapaata. Miksi Helsingissä ei noudatettu tätä modernin tietoturvan kulmakiveä?

    Miksi tietomurron uhri joutuu edelleen kantamaan murron seuraukset itse ja tekemään maksulliset luottokiellot ja muut palvelut omalla rahallaan?

    Reply
  24. Tomi Engdahl says:

    “I’ve never dealt with anything like this.”

    SOLAR STORM SO POWERFUL IT SHUT DOWN FARM EQUIPMENT ACROSS THE US AND CANADA
    https://futurism.com/the-byte/solar-storm-shut-down-farm-equipment

    A massive solar storm rocked the Earth’s atmosphere with charged particles this weekend, triggering spectacular auroras in the night sky across a substantial swath of both North America and Europe.

    The storm reached “extreme” levels — Category G5 — on Friday and Saturday, enough to wreak havoc on communications equipment and even the power grid, believed to be the strongest storm of its type in over 20 years.

    And as the New York Times reports, the storm was particularly devastating for farmers in the US and Canada, whose tractors and other equipment broke down in the middle of planting season — a fascinating and rare example of just how fearsome space weather can become despite our planet’s protective shell.

    Tractors that rely on GPS and other navigation tech shut down after the Sun’s ferocious storm, with seed-sowing operations grinding to a halt.

    “I’ve never dealt with anything like this,” Minnesota corn and soybean farmer Patrick O’Connor told the NYT, noting that he was warned his GPS system may experience an outage.

    “All the tractors are sitting at the ends of the field right now shut down because of the solar storm,” a Nebraska-based farmer told 404 Media. “No GPS. We’re right in the middle of corn planting. I’ll bet the commodity markets spike Monday.”

    Farm equipment company John Deere’s “StarFire” receivers that combine GPS with other sensor data were hit particularly hard, and issues may persist going forward.

    “When you head back into these fields to side dress, spray, cultivate, harvest, etc. over the next several months, we expect that the rows won’t be where the AutoPath lines think they are,” John Deere’s statement to farmers reads, as quoted by 404 Media. “This will only affect the fields that are planted during times of reduced accuracy.”

    Reply
  25. Tomi Engdahl says:

    Vakava haavoittuvuus paljastui: Vain Android-käyttäjät ovat turvassa
    VPN-yhteyden käyttäjä ei pysty salaamaan surffailuaan, mikäli hyökkääjä hyödyntää pitkään olemassa ollutta haavoittuvuutta.
    https://www.iltalehti.fi/digiuutiset/a/d66969b9-80ae-458c-ab5e-4e7c32aa7320

    Tietoturvayhtiö Leviathan Security varoittaa käytännössä kaikkia VPN-palveluita koskevasta vaarasta.

    Yhtiön omat tutkijat ovat onnistuneet hyödyntämään haavoittuvuutta, joka pakottaa verkkoliikenteen kulkemaan turvallisen ja salatun ”tunnelin” ohi. Samalla hyökkääjä pääsee käsiksi liikenteeseen käyttäjän tietämättä.

    Haavoittuvuus on ollut olemassa niinkin pitkään kuin vuodesta 2002, mikä tarkoittaa, että se on voinut olla rikollisten tiedossa ja käytössä jo pitkään.

    Tutkijoiden mukaan Tunnelvision-niminen hyökkäys toimii kaikkien VPN-palveluiden kohdalla, eikä sitä pysty tällä hetkellä estämään.

    Ainoan poikkeuksen muodostavat Android-käyttöjärjestelmään asennetut VPN-palvelut, jotka eivät tiettävästi ole alttiita Tunnelvision-hyökkäykselle.

    Leviathan Securityn mukaan tietokoneella hyökkäykseltä voi suojautua parhaiten käyttämällä VPN-yhteyksiä virtuaalikoneilta, joiden verkkoyhteydet eivät ole siltaavassa tilassa (eng. bridged mode) tai jakamalla netin puhelimesta ja yhdistämällä sillä luotuun verkkoon.

    Yhtiö varoittaa tuntemattomien verkkojen käyttämisestä, mikäli oman verkkoliikenteen salaaminen on tärkeää.

    TunnelVision (CVE-2024-3661): How Attackers Can Decloak Routing-Based VPNs For a Total VPN Leak
    https://www.leviathansecurity.com/blog/tunnelvision

    Reply
  26. Tomi Engdahl says:

    Malware & Threats
    Apple Patch Day: Code Execution Flaws in iPhones, iPads, macOS

    Apple documents another zero-day flaw being exploited on older iPhones and documents security problems in macOS, iOS and iPadOS.

    https://www.securityweek.com/apple-patch-day-code-execution-flaws-in-iphones-ipads-macos/

    Reply
  27. Tomi Engdahl says:

    Artificial Intelligence
    China and US Envoys Will Hold First Top-Level Dialogue on Artificial Intelligence

    China’s official Xinhua news agency said the two sides would take up issues including the technological risks of AI and global governance.

    https://www.securityweek.com/china-and-us-envoys-will-hold-first-top-level-dialogue-on-artificial-intelligence/

    Reply
  28. Tomi Engdahl says:

    Data Breaches
    Europol Investigating Breach After Hacker Offers to Sell Classified Data

    Europol is investigating a data breach, but says no core systems are impacted and no operational data has been compromised.

    https://www.securityweek.com/europol-investigating-breach-after-hacker-offers-to-sell-classified-data/

    Reply
  29. Tomi Engdahl says:

    Cyberwarfare
    NATO Draws a Cyber Red Line in Tensions With Russia

    Weakening liberal democracies and weakening the NATO alliance are conjoined in the hybrid war that Russia is conducting against Ukraine.

    https://www.securityweek.com/nato-draws-a-cyber-red-line-in-tensions-with-russia/

    On May 3, the German government denounced APT28 for a cyberattack against the SPD political party using a Microsoft Outlook vulnerability that allowed “data to be leaked without user interaction”. Germany took a very strong diplomatic position, summoning Russia’s representative, and then recalling its own Russian ambassador for talks. Annalena Baerbock, the German foreign minister, added, “This is absolutely intolerable and unacceptable and will have consequences.”

    On the same day, but separately, Czechia’s Ministry of Foreign Affairs (MFA) issued a statement: “[Czechia] strongly condemns activities of the Russian state-controlled actor APT28, who has been conducting a long-term cyber espionage campaign in European countries.”

    On the same day, but separately, NATO released a statement: “We stand in solidarity with Germany following the malicious cyber campaign against a political party, in this case the Social Democratic Party…” The statement notes further malicious activity “in Lithuania, Poland, Slovakia and Sweden.”

    On the same day, but separately, an EU statement declared: “[The EU and member states] strongly condemn the malicious cyber campaign conducted by the Russia-controlled Advanced Persistent Threat Actor 28 (APT28) against Germany and Czechia.”

    On the same day, but separately, the UK issued a statement: “The United Kingdom has joined with its international partners to condemn malicious cyber activity by the Russian Intelligence Services.”

    This is clearly a strong and coordinated statement by NATO allies warning Russia to curtail the activity of APT28. However, the only specific accusation is an attack against a political party, which would normally be classified as cyberespionage rather than cyberwar. Espionage is generally denounced but tolerated because it is statecraft used by everyone rather than warcraft practiced by nations in a declared state of war.

    Reply
  30. Tomi Engdahl says:

    ICS/OT
    Cinterion Modem Flaws Pose Risk to Millions of Devices in Industrial, Other Sectors

    A critical vulnerability in the Cinterion cellular modems can be exploited for remote code execution via SMS messages.

    https://www.securityweek.com/cinterion-modem-flaws-pose-risk-to-millions-of-devices-in-industrial-other-sectors/

    Kaspersky on Friday raised the alarm on a series of vulnerabilities in Cinterion cellular modems that expose millions of devices to remote code execution attacks.

    A series of seven security defects identified in the widely deployed modems could lead to information leaks, elevation of privilege, sandbox escape, arbitrary code execution, and unauthorized access to files and directories on the target system.

    The most severe of these flaws is CVE-2023-47610 (CVSS score of 9.8), a buffer overflow issue that “could allow a remote unauthenticated attacker to execute arbitrary code on the targeted system by sending a specially crafted SMS message.”

    According to Kaspersky, the successful exploitation of this bug could provide attackers with “unprecedented access” to devices containing the Cinterion BGS5, Cinterion EHS5/6/8, Cinterion PDS5/6/8, Cinterion ELS61/81, and Cinterion PLS62 modems.

    “This access also facilitates the manipulation of RAM and flash memory, increasing the potential to seize complete control over the modem’s functionalities—all without authentication or requiring physical access to the device,” Kaspersky says.

    To mitigate the risk posed by this bug, users are advised to disable the nonessential SMS messaging capabilities, by contacting the mobile operator, and using a private APN with strict security settings.

    The issues, tracked as CVE-2023-47611 through CVE-2023-47616, can be mitigated by verifying the digital signature for MIDlets, by strictly controlling physical access to devices, and through regular audits and updates.

    Kaspersky reported the flaws to the vendor in February 2023 and published advisories on them in November. Originally developed by Gemalto, the Cinterion modems are now owned by Telit, which acquired the business from Thales last year.

    Reply
  31. Tomi Engdahl says:

    Ransomware
    Black Basta Ransomware Hit Over 500 Organizations

    The US government warns of Black Basta ransomware attacks targeting critical infrastructure organizations.

    https://www.securityweek.com/black-basta-ransomware-hit-over-500-organizations/

    Reply
  32. Tomi Engdahl says:

    Data Breaches
    FBCS Collection Agency Data Breach Impacts 2.7 Million

    Financial Business and Consumer Solutions (FBCS) says the personal information of 2.7 million was impacted in the recent data breach.

    https://www.securityweek.com/fbcs-collection-agency-data-breach-impacts-2-7-million/

    Reply
  33. Tomi Engdahl says:

    Biden Bans Chinese Bitcoin Mine Near U.S. Nuclear Missile Base
    An investigation identified national security risks posed by a crypto facility in Wyoming. It is near an Air Force base and a data center doing work for the Pentagon.
    https://www.nytimes.com/2024/05/13/us/bitcoin-mine-biden-ban.html?unlocked_article_code=1.r00.ampo.gQZPBmHeUUNQ&smid=url-share&fbclid=IwZXh0bgNhZW0CMTEAAR30vgJStbksoyy0St68bSl24LWHopMBhE7lwrULTzy5XO80azVSjKvxopk_aem_AZ6hanSWoYfOuU5mfgxL7KzyW8c5CmhZnpRWKS-ihclVmcbn0yWPyVdDFRwBqdsjWsdfUHqErMWDsaPwwxc_NmvY

    Reply
  34. Tomi Engdahl says:

    https://www.securityweek.com/student-personnel-information-stolen-in-city-of-helsinki-cyberattack/

    Student, Personnel Information Stolen in City of Helsinki Cyberattack

    The City of Helsinki says usernames, email addresses, and personal information was stolen in a recent cyberattack.

    Reply
  35. Tomi Engdahl says:

    IoT Security
    MITRE EMB3D Threat Model Officially Released
    https://www.securityweek.com/mitre-emb3d-threat-model-officially-released/

    MITRE announced the public availability of the EMB3D threat model for embedded devices used in critical infrastructure.

    MITRE, the non-profit technology and R&D company, on Monday announced the public availability of its EMB3D threat model for embedded devices used in critical infrastructure and other industries.

    EMB3D was developed by MITRE in collaboration with cybersecurity and industrial sector partners such as Red Balloon Security, Narf Industries, and Niyo ‘Little Thunder’ Pearson of ONE Gas.

    Unveiled in December 2023, the framework provides a knowledge base of cyber threats to embedded devices used in the critical infrastructure, IoT, healthcare, automotive, and manufacturing sectors.

    The resource is recommended for vendors, asset owners and operators, testing organizations and cybersecurity researchers.

    The MITRE EMB3D™ Threat Model
    https://emb3d.mitre.org/

    The EMB3D Threat Model provides a cultivated knowledge base of cyber threats to embedded devices, providing a common understanding of these threats with security mechanisms to mitigate them.

    This initial release of EMB3D includes the Device Properties and Threats enumerations. The full set of Mitigations will be available in the Summer 2024 update.

    What is EMB3D™
    EMB3D is a threat model for embedded devices found in industries such as critical infrastructure, Internet of Things, automotive, healthcare, manufacturing, and many more. The threat model is intended to be a resource to help vendors, asset owners/operators, test organizations, and security researchers to improve the overall security of embedded devices’ hardware and software. This threat model aims to serve as a central repository of information, defining known threats to embedded devices and their unique device features/properties that enable specific threat actions. By mapping the threats to the associated device features/properties, the the user can easily enumerate threat exposure based on the known device features.

    Reply

Leave a Comment

Your email address will not be published. Required fields are marked *

*

*