This posting is here to collect cyber security news in May 2024.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
Tomi Engdahl says:
Zachary Small / New York Times:
The hacking group RansomHub claims to be behind the attack that hit Christie’s, and threatens to release sensitive information about the auction house’s clients
https://www.nytimes.com/2024/05/27/arts/design/hackers-claim-christies-attack.html?unlocked_article_code=1.vE0._XLj.6wpoMCYnfgcv&smid=url-share
Tomi Engdahl says:
Foo Yun Chee / Reuters:
Meta adds safety features to CrowdTangle for use during the EU elections, in a bid to address EU concerns over Meta’s plan to shut down the tool in August 2024
Meta adds safety features to CrowdTangle in bid to address EU concerns
https://www.reuters.com/technology/meta-adds-safety-features-crowdtangle-bid-address-eu-concerns-2024-05-27/
BRUSSELS, May 27 (Reuters) – Meta Platforms (META.O) has added safety features to its misinformation tracking tool CrowdTangle for use during European Parliament elections in an attempt to allay EU concerns that triggered an investigation last month into the impact of its decision to phase out the tool.
The U.S. social media platform last week said candidates for next month’s polls will be shown a notification at the top of their feed in Facebook and Instagram on how to protect themselves and their accounts.
Tomi Engdahl says:
Consultants viewed patient records in a wellbeing services county – police have opened a pre-trial investigation into a data protection offence
https://yle.fi/a/74-20090906
Behind this is the consulting mess involving Savoa Partners. Consultants were able to see and hear patient data without authorization in the Satakunta wellbeing services county.
Tomi Engdahl says:
Christie’s Confirms Data Breach After Ransomware Group Claims Attack
Auction house Christie’s has confirmed suffering a data breach following a ransomware attack launched earlier this month.
https://www.securityweek.com/christies-confirms-data-breach-after-ransomware-group-claims-attack/
Tomi Engdahl says:
Data Stolen From MediSecure for Sale on Dark Web
A threat actor is asking $50,000 for data allegedly stolen from Australian digital prescription services provider MediSecure.
https://www.securityweek.com/data-stolen-from-medisecure-for-sale-on-dark-web/
Tomi Engdahl says:
2.8 Million Impacted by Data Breach at Prescription Services Firm Sav-Rx
Pharmacy prescription services provider Sav-Rx says the personal information of 2.8 million was stolen in a cyberattack.
https://www.securityweek.com/2-8-million-impacted-by-data-breach-at-prescription-services-firm-sav-rx/
Tomi Engdahl says:
Check Point VPN Targeted for Initial Access in Enterprise Attacks
Check Point is warning customers that threat actors are targeting insecure VPN instances for initial access to enterprise networks.
https://www.securityweek.com/check-point-vpn-targeted-for-initial-access-in-enterprise-attacks/
Tomi Engdahl says:
All Starlink dish locations identified via AirTag-like tracking bug as Elon Musk says ‘significant resources’ go to prevent jamming
https://www.notebookcheck.net/All-Starlink-dish-locations-identified-via-AirTag-like-tracking-bug-as-Elon-Musk-says-significant-resources-go-to-prevent-jamming.841495.0.html?fbclid=IwZXh0bgNhZW0CMTEAAR2L65PCshhLiMaNyxU9sDJNMifRcvz_uk1iz3hhFwVpSTKVTCQyBQ4ci1Y_aem_ZmFrZWR1bW15MTZieXRlcw
The precise geolocation that Apple considers to be a feature of its device tracking system has been deemed a security bug that allowed the mapping of all Starlink access points.
Unlike Google’s Wi-Fi Positioning Systems (WPS) that calculates and reports exact location based on at least two nearby access points, Apple casts a much wider net.
It scoops up the Basic Service Set Identifier (BSSID) MAC addresses of up to 400 devices in the vicinity, and uses eight of those on average for a more precise geolocation.
This has allowed for the famed iPhone tracking, for example, to ping their whereabouts globally, so for Apple this is more of a feature rather than a bug.
Researchers from the University of Maryland, however, managed to exploit Apple’s generous BSSID sharing function to discover 488 million devices already stored in its system.
These included a subset of all Starlink satellite Internet kit locations, for example, and about the only places they couldn’t geolocate anything were deserts, rainforests, and China.
Tomi Engdahl says:
Klein ISD student accused of orchestrating cyber attack that disrupted STAAR testing
https://www.click2houston.com/news/local/2024/05/28/klein-isd-student-accused-of-orchestrating-cyber-attack-that-disrupted-staar-testing/?fbclid=IwZXh0bgNhZW0CMTEAAR03Nfs7RKiLe8AYE8BAqHqo6WYpIOw-bq1JtqAl2XZQr7QfuutgqYjHKPM_aem_ZmFrZWR1bW15MTZieXRlcw
HARRIS COUNTY, Texas – An 18-year-old student at Klein Forest High School is currently wanted by police after they say he was responsible for cyber attacks that disrupted STAAR testing for thousands of students in the district.
Keontra Lamont Kenemore is accused of electronic access interference, which is a third degree felony. A warrant for his arrest was filed Thursday and records show he hasn’t been taken into custody.
Kenemore allegedly used his school-issued Chromebook to access sites that initiated Distributed Denial of Service (DDoS) attacks, causing major internet disruptions during State Mandated Testing (STAAR) in the district back in April.
Tomi Engdahl says:
https://www.securityweek.com/abn-amro-client-data-possibly-stolen-in-addcomm-ransomware-attack/
Tomi Engdahl says:
Congresswomen Advocate for Cybersecurity Jobs for Formerly Incarcerated
While reintegration of formerly incarcerated people into the workforce is important, the government should be cautious about what positions those with a criminal history are put into.
https://www.securityweek.com/congresswomen-advocate-for-cybersecurity-jobs-for-formerly-incarcerated/
Two democratic Congresswomen have introduced new legislation to promote cybersecurity education and jobs to “underrepresented” and “disadvantaged” people, including those who may be fresh out of prison.
Shontel Brown (OH-11) and Haley Stevens (MI-11) introduced the new Diverse Cybersecurity Workforce Act (H.R.8469), which is currently supported by 32 other cosponsors. Under the initiative, the US cybersecurity agency (CISA) will be tasked with expanding education and outreach activities and promoting cybersecurity careers to disadvantaged communities.
Supporters of the bill believe the cybersecurity field should be promoted more to ethnic and racial minorities, women, older individuals, people with disabilities, geographically and socioeconomically diverse communities, veterans, individuals from nontraditional educational paths, and individuals who were formerly incarcerated.
While reintegration of formerly incarcerated people into the workforce is important, the government needs to be cautious about what positions those with a criminal history are put into.
Tomi Engdahl says:
https://etn.fi/index.php/13-news/16262-hakkerit-loeytaeneet-uusia-tapoja-kaeyttaeae-qr-koodeja
Security company Check Point warns of the growing use of QR codes for phishing. Since last August, this QR phishing, or quishing, has become far more common.
The Harmony team, which analyzes email, has found a new QR campaign in which hackers use templates tailored to each organization. This makes every attack unique to the company and the individual.
Check Point says it has observed over 2,000 customized malicious QR codes in the last 14 days, sent to over 1,100 customers.
Tomi Engdahl says:
https://www.uusiteknologia.fi/2024/05/28/suomi-saa-salatut-gps-signaalit-kayttoonsa/
Tomi Engdahl says:
https://cybersecuritynews.com/zscaler-client-connector-privilege-escalation-exploit/
Tomi Engdahl says:
Rand Fishkin / SparkToro:
A leak purports to show thousands of pages of internal API documentation for Google Search, some of which appear to contradict Google’s public statements — On Sunday, May 5th, I received an email from a person claiming to have access to a massive leak of API documentation from inside Google’s Search division.
An Anonymous Source Shared Thousands of Leaked Google Search API Documents with Me; Everyone in SEO Should See Them
https://sparktoro.com/blog/an-anonymous-source-shared-thousands-of-leaked-google-search-api-documents-with-me-everyone-in-seo-should-see-them/
On Sunday, May 5th, I received an email from a person claiming to have access to a massive leak of API documentation from inside Google’s Search division. The email further claimed that these leaked documents were confirmed as authentic by ex-Google employees, and that those ex-employees and others had shared additional, private information about Google’s search operations.
Many of their claims directly contradict public statements made by Googlers over the years, in particular the company’s repeated denial that click-centric user signals are employed, denial that subdomains are considered separately in rankings, denials of a sandbox for newer websites, denials that a domain’s age is collected or considered, and more.
Extraordinary claims require extraordinary evidence. And while some of these overlap with information revealed during the Google/DOJ case (some of which you can read about on this thread from 2020), many are novel and suggest insider knowledge.
During our call, Erfan showed me the leak itself: more than 2,500 pages of API documentation containing 14,014 attributes (API features) that appear to come from Google’s internal “Content API Warehouse.” Based on the document’s commit history, this code was uploaded to GitHub on March 27, 2024 and not removed until May 7, 2024. (Note: because this piece was, post-publishing, edited to reflect Erfan’s identity, he’s referred to below as “the anonymous source”).
This documentation doesn’t show things like the weight of particular elements in the search ranking algorithm, nor does it prove which elements are used in the ranking systems. But, it does show incredible details about data Google collects.
After walking me through a handful of these API modules, the source explained their motivations (around transparency, holding Google to account, etc.) and their hope: that I would publish an article sharing this leak, revealing some of the many interesting pieces of data it contained, and refuting some “lies” Googlers “had been spreading for years.”
Is this API Leak Authentic? Can We Trust It?
During a 40-minute phone call on Friday afternoon, Mike reviewed the leak and confirmed my suspicions: this appears to be a legitimate set of documents from inside Google’s Search division, and contains an extraordinary amount of previously-unconfirmed information about Google’s inner workings.
2,500 technical documents is an unreasonable amount of material to ask one man (a dad, husband, and entrepreneur, no less) to review in a single weekend. But, that didn’t stop Mike from doing his best.
So why publish on this topic?
Because when I spoke to the party that sent me this information, I found them credible, thoughtful, and deeply knowledgeable. Despite going into the conversation deeply skeptical, I could identify no red flags, nor any malicious motivation. This person’s sole aim appeared quite aligned with my own: to hold Google accountable for public statements that conflict with private conversations and leaked documentation, and to bring greater transparency to the field of search marketing. And they believed that, despite my years removed from SEO, I was the best person to share this publicly.
These are goals I cared about deeply for almost two decades.
What can we learn from the Data Warehouse Leak?
I expect that interesting and marketing-applicable insights will be mined from this massive file set for years to come. It’s simply too big and too dense to think that a weekend of browsing could unearth a comprehensive set of takeaways, or even come close.
Tomi Engdahl says:
Kate Irwin / PCMag:
The Internet Archive says it has been under an intermittent DDoS attack for the past three days, making access inconsistent, but “the data is not affected” — The California-based nonprofit that archives books and webpages online experiences distributed denial-of-service attacks …
Internet Archive Hit With DDoS Attacks
The California-based nonprofit that archives books and webpages online experiences distributed denial-of-service attacks, making it difficult for users to access the site.
https://uk.pcmag.com/security/152505/internet-archive-hit-with-ddos-attack
Tomi Engdahl says:
Spyware found on US hotel check-in computers
The check-in computers at several hotels around the US are running a remote access app, which is leaking screenshots of guest information to the internet
https://techcrunch.com/2024/05/22/spyware-found-on-hotel-check-in-computers/?guce_referrer=aHR0cHM6Ly9sbS5mYWNlYm9vay5jb20v&guce_referrer_sig=AQAAAJQZyBj7WzYhwicJEjmg5xfhon3MDkxqI3jvLjcsV0SiFUcpO747MbtKuZtKpm_CJZasdMCEEF7B63vb6OyenDE_kS1o8mDXueepMyHeG4JOkJWWSqOhKffJjhfuQhlSQ9GrNXvApOVptzhRJ8K0hZv-rCJO_pA7LbY2IfGRuHDP&fbclid=IwZXh0bgNhZW0CMTEAAR029GCwTgQlAuY4YVtS2Fkdpl6thriUCoQ4KaQKIt-e7LCrDMYQ6EWvvo0_aem_ZmFrZWR1bW15MTZieXRlcw
A consumer-grade spyware app has been found running on the check-in systems of at least three Wyndham hotels across the United States, TechCrunch has learned.
The app, called pcTattletale, stealthily and continually captured screenshots of the hotel booking systems, which contained guest details and customer information. Thanks to a security flaw in the spyware, these screenshots are available to anyone on the internet, not just the spyware’s intended users.
This is the most recent example of consumer-grade spyware exposing sensitive information because of a security flaw in the spyware itself. It’s also the second known time that pcTattletale has exposed screenshots of the devices on which the app is installed. Several other spyware apps in recent years had security bugs or misconfigurations that exposed the private and personal data of unwitting device owners, in some cases prompting action by government regulators.
Guest and reservation details captured and exposed
pcTattletale allows whomever controls it to remotely view the target’s Android or Windows device and its data, from anywhere in the world. pcTattletale’s website says the app “runs invisibly in the background on their workstations and can not be detected.”
But the bug means that anyone on the internet who understands how the security flaw works can download the screenshots captured by the spyware directly from pcTattletale’s servers.
Daigle said he attempted to warn pcTattletale of the issue, but the company has not responded, and the flaw remains unfixed at the time of publication. Daigle disclosed limited details of pcTattletale’s leaking screenshot bug in a short blog post,
https://www.ericdaigle.ca/pctattletale-leaking-screen-captures/
Tomi Engdahl says:
https://www.tomsguide.com/computing/online-security/hackers-have-leaked-the-criminal-records-of-millions-of-americans-online-how-to-stay-safe
Tomi Engdahl says:
https://thehackernews.com/2024/05/fake-antivirus-websites-deliver-malware.html
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/hackers-target-check-point-vpns-to-breach-enterprise-networks/?fbclid=IwZXh0bgNhZW0CMTEAAR3R3yuNGa288bxKsfPVqKv0fhD-ZWyUhUA_rH_1BrkPKGG1RHcg5Ulic-w_aem_ZmFrZWR1bW15MTZieXRlcw
Tomi Engdahl says:
https://thehackernews.com/2024/05/tp-link-gaming-router-vulnerability.html
Tomi Engdahl says:
Vulnerabilities in Eclipse ThreadX Could Lead to Code Execution
https://www.securityweek.com/vulnerabilities-in-eclipse-threadx-could-lead-to-code-execution/
Vulnerabilities in the real-time IoT operating system Eclipse ThreadX before version 6.4 could lead to denial-of-service and code execution.
Humanativa Group has published information on several vulnerabilities found in Eclipse ThreadX, a real-time operating system for IoT devices
Previously known as Azure RTOS, the platform was initially developed by Microsoft, which contributed the technology to the Eclipse Foundation in January 2024, where it was rebranded as Eclipse ThreadX.
Designed for devices with limited resources, Eclipse ThreadX is an open source platform for real-time applications and an advanced embedded development suite.
Analyzing the publicly available ThreadX source code, Humanativa Group’s Marco Ivaldi identified multiple vulnerabilities that could lead to memory corruption and which could be exploited to cause denial-of-service (DoS) conditions or to execute arbitrary code.
Tracked as CVE-2024-2214, the first issue is described as a missing array size check that could lead to buffer overflow and memory overwrite.
The second bug, CVE-2024-2212, exists because the FreeRTOS compatibility API in ThreadX is missing parameter checks for two functions, leading to integer wraparounds, under-allocations, and heap buffer overflows.
According to Ivaldi, an attacker able to control the vulnerable functions could cause an integer wraparound, causing the allocation of a small amount of memory, which would lead to heap buffer overflows.
The third flaw, CVE-2024-2452, impacts the Eclipse ThreadX NetX Duo industrial-grade TCP/IP network stack developed specifically for deeply embedded real-time and IoT applications, and could lead to integer wraparounds, under-allocations, and heap buffer overflows.
The vulnerabilities were reported to Microsoft and the Eclipse Foundation in December 2023 and January 2024, and were addressed in Eclipse ThreadX version 6.4.0.
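The integer-wraparound class described above (a size computed as count × element size wraps, the allocator hands back a tiny buffer, and later writes overflow the heap) is easiest to see side by side with its fix. The following is an added illustration written for this digest; it is not ThreadX or NetX Duo code, the function names are hypothetical, and the inputs are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Added example, not ThreadX code. All function names are hypothetical. */

/* Unchecked size arithmetic: the bug class. count * elem_size silently
   wraps modulo SIZE_MAX + 1, so a huge request can become a tiny one. */
size_t unchecked_bytes(size_t count, size_t elem_size) {
    return count * elem_size;
}

/* Checked size arithmetic: returns 0 (reject) when the product would wrap.
   A zero-sized request is also rejected rather than allocated. */
size_t checked_bytes(size_t count, size_t elem_size) {
    if (count == 0 || elem_size == 0) return 0;
    if (count > SIZE_MAX / elem_size) return 0;   /* would wrap */
    return count * elem_size;
}

/* Detects whether the unchecked computation lost bits, i.e. whether an
   allocator trusting it would under-allocate. Computes only, never writes. */
int would_under_allocate(size_t count, size_t elem_size) {
    size_t bytes = unchecked_bytes(count, elem_size);
    return elem_size != 0 && bytes / elem_size != count;
}

/* Hypothetical hardened allocation wrapper: NULL instead of a short buffer. */
void *alloc_array_checked(size_t count, size_t elem_size) {
    size_t bytes = checked_bytes(count, elem_size);
    if (bytes == 0) return NULL;
    return malloc(bytes);
}

int main(void) {
    /* Constructed input: 4 * (SIZE_MAX/4 + 2) wraps to 4 bytes. */
    size_t huge = SIZE_MAX / 4 + 2;
    printf("unchecked byte count: %zu\n", unchecked_bytes(huge, 4));
    printf("would under-allocate: %d\n", would_under_allocate(huge, 4));

    void *p = alloc_array_checked(huge, 4);
    printf("checked request of %zu elements: %s\n", huge, p ? "allocated" : "rejected");
    free(p);

    p = alloc_array_checked(16, 4);
    printf("checked request of 16 elements: %s\n", p ? "allocated" : "rejected");
    free(p);
    return 0;
}
```

The guard `count > SIZE_MAX / elem_size` is the portable form of the check; on compilers that offer it, `__builtin_mul_overflow` expresses the same intent in one call. Either way the point is that the check happens before the allocation size is trusted, which is exactly the parameter check the advisory says was missing.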
Tomi Engdahl says:
US Sanctions Three Chinese Men for Operating 911 S5 Botnet
The US government has announced sanctions against three Chinese nationals accused of creating and operating the 911 S5 proxy botnet.
https://www.securityweek.com/us-sanctions-three-chinese-men-for-operating-911-s5-botnet/
Tomi Engdahl says:
Cyberwarfare
Europe’s Cybersecurity Chief Says Disruptive Attacks Have Doubled in 2024, Sees Russia Behind Many
Disruptive digital attacks – many traced to Russia-backed groups – have doubled in the European Union in 2024 and are also targeting election-related services, according to the EU’s top cybersecurity official.
https://www.securityweek.com/europes-cybersecurity-chief-says-disruptive-attacks-have-doubled-in-2024-sees-russia-behind-many/
Tomi Engdahl says:
https://www.securityweek.com/new-north-korean-threat-actor-engaging-in-espionage-revenue-generation-attacks/
Tomi Engdahl says:
https://www.securityweek.com/new-endpoint-protection-platform-by-cigent-blocks-ransomware-at-the-data-level/
A new endpoint data protection platform from Cigent Technology refocuses ransomware prevention onto protecting customer data from both encryption and exfiltration. With no loss of data, criminal extortion is prevented.
Tomi Engdahl says:
Personal Information of 44,000 Compromised in First American Cyberattack
First American will notify 44,000 individuals that their personal information was stolen in a December 2023 ransomware attack.
https://www.securityweek.com/personal-information-of-44000-compromised-in-first-american-cyberattack/
Tomi Engdahl says:
https://www.securityweek.com/social-distortion-the-threat-of-fear-uncertainty-and-deception-in-creating-security-risk/
Tomi Engdahl says:
Sergiu Gatlan / BleepingComputer:
The US and global partners dismantle the 911 S5 proxy botnet, “likely the world’s largest botnet ever” affecting 19M+ IPs, and arrest its alleged administrator — The U.S. Justice Department and international partners dismantled the 911 S5 proxy botnet and arrested 35-year-old …
https://www.bleepingcomputer.com/news/security/us-dismantles-911-s5-residential-proxy-botnet-used-for-cyberattacks-arrests-admin/
Tomi Engdahl says:
Mia Sato / The Verge:
Google confirms the authenticity of the 2,500 pages of leaked Search documents filled with details about data the company collects — A collection of 2,500 leaked internal documents from Google filled with details about data the company collects is authentic, the company confirmed today.
https://www.theverge.com/2024/5/29/24167407/google-search-algorithm-documents-leak-confirmation
Tomi Engdahl says:
Matt Binder / Mashable:
Ticketmaster appears to have been breached by hacker group ShinyHunters, which claims it stole 560M customers’ sensitive data and is trying to sell it for $500K — Emails, phone numbers, addresses, and even financial details have allegedly been exposed by a notorious hacker group.
Ticketmaster hacked. Breach affects more than half a billion users.
Emails, phone numbers, addresses, and even financial details have allegedly been exposed by a notorious hacker group.
https://mashable.com/article/ticketmaster-data-breach-shinyhunters-hack
To its critics, it seems Ticketmaster may be experiencing some karma lately for years of being the bane of concertgoers’ existence. Unfortunately its latest hassle — a massive data leak — also negatively impacts consumers.
Just last week, the U.S. Justice Department filed an antitrust lawsuit against the ticketing conglomerate. The DOJ is seeking to break up the alleged monopoly its parent company, Live Nation Entertainment, holds over the live music and entertainment industry – potentially a good thing for consumers.
But amid this nightmare for the company, a hacker group is now claiming to have stolen more than 500 million Ticketmaster customers’ data in an attack.
Originally reported by cybersecurity outlets like Hackread and Cyber Daily, the “notorious hacker group” ShinyHunters is claiming responsibility for the breach affecting roughly 560 million Ticketmaster customers. The hacker group is selling the 1.3 terabyte-sized trove of data for a one-time price of $500,000 on a popular hacking forum.
The group allegedly has Ticketmaster customers’ full names, addresses, phone numbers, email addresses, and order history information including ticket purchase details and Ticketmaster event information.
Tomi Engdahl says:
Steven Lee Myers / New York Times:
Researchers: an ex-Florida deputy sheriff who received asylum in Russia has built a network of 160+ fake news sites with the help of ChatGPT and other AI tools — In 2016, Russia used an army of trolls to interfere in the U.S. presidential election. This year, an American given asylum …
https://www.nytimes.com/2024/05/29/business/mark-dougan-russia-disinformation.html
Tomi Engdahl says:
Aisha Counts / Bloomberg:
Meta removed hundreds of Facebook accounts linked to influence campaigns from China, Israel, Iran, and more, some of which used AI to generate disinformation — Meta, the parent of Facebook, Instagram and WhatsApp, has seen threat actors rely on AI to produce fake images, videos and text in an effort to influence users on its sites.
Meta Removes AI-Generated Influence Campaigns in China, Israel
https://www.bloomberg.com/news/articles/2024-05-29/meta-removes-ai-generated-influence-campaigns-in-israel-china
Tomi Engdahl says:
Derek Gatopoulos / Associated Press:
EU Agency for Cybersecurity head Juhan Lepassaar says disruptive digital attacks, many tied to Russia-backed groups, have doubled in the EU in recent months
Europe’s cybersecurity chief says disruptive attacks have doubled in 2024, sees Russia behind many
https://apnews.com/article/europe-election-cybersecurity-russia-ukraine-5b0cca725d17a028dd458df77a60440c
Tomi Engdahl says:
Security around SSL VPN
https://forums.lawrencesystems.com/t/security-around-ssl-vpn/21483
Although OpenVPN has been touted as a secure SSL VPNs, when deploying a pfSense especially, is it better to run IPsec or OVPN? They seem to have the same feature set and integration with Active Directory.
As a best practice should we be avoiding SSL vpns?
As it reads to me it brought up Fortigate (no surprise there) and a few other instances of not complete configurations and gaining authentication access. OpenVPN has multiple layers of authentication with TLS key, user certificates and username and password. I would say this has better security than most. Unless I am missing something?
OpenVPN in pfSense uses certificates by default to establish the secure connection; the SSL VPN setups they are probably referring to are using public web interfaces that ask for user / pass, which means that is all you need to get connected. But for example having my user/pass for my OpenVPN gets you nowhere without also having my certificate.
Tomi Engdahl says:
https://www.techradar.com/vpn/norway-tells-businesses-to-replace-their-ssl-vpn
In a bid to reduce the vulnerability and attack surface for secure remote access, the Norwegian National Cyber Security Centre (NCSC) invites all businesses to replace their SSLVPN/WebVPN solutions.
The recommendation is to switch to services offering Internet Protocol Security (IPsec) with Internet Key Exchange (IKEv2) or, when this isn’t possible, using 5G broadband instead. The suggested date to complete the transition is by the end of 2025. The good news is that all the best business VPN services on the market right now already include this system by default (more on this below).
Norway joined the likes of the US and UK to recommend using a VPN with IPsec connections for better security. Let’s now see why this matters in more detail.
The main difference between the two is where encryption and authentication are performed. IPsec with IKEv2 VPNs do that on the network level. This means that they encrypt data packets sent between systems that can be defined by an IP address, while periodically refreshing a set of encryption keys.
SSL VPNs, also known as WebVPN or clientless VPN services, operate on the data in transit by encrypting data sent between any devices identifiable by port numbers on network-connected hosts. Contrary to IPsec products, SSL VPNs don’t require the installation of additional hardware or software. Yet, this ease seems to come with a drawback.
“NCSC has for a long time observed and notified about critical vulnerabilities in VPN solutions that use Secure Socket Layer/Transport Layer Security (SSL/TLS),” the NCSC wrote in its official announcement.
The biggest issue with SSL VPN is that, contrary to IPsec, it does not have an open industry standard meaning that different manufacturers create their own implementation on a case-by-case basis. Throughout the years, this approach has led to numerous security flaws.
For instance, two of Fortinet’s SSL VPN credential exposures were the most exploited security vulnerabilities of 2022. These were also exploited by the Chinese Volt Typhoon hacking group again in 2023, Fortinet revealed in February.
“The severity of the vulnerabilities and the repeated exploitation of this type of vulnerability by actors means that the NCSC recommends replacing solutions for secure remote access that use SSL/TLS with more secure alternatives. NCSC recommends Internet Protocol Security (IPsec) with Internet Key Exchange (IKEv2).”
Specifically, Norway’s recommendations include:
Reconfiguring existing VPN solution to support IPsec IKEv2: in case this isn’t possible, businesses should plan for and replace the solution with one that does, like 5G broadband systems.
Migrating users and systems: using SSLVPN to IPsec IKEv2.
Turning off SSLVPN functionality: while verifying that any endpoints are not responding.
Blocking all incoming TLS traffic to the VPN server.
Adopting certificate-based authentication.
Take for example the Ivanti VPN case. In 2023, Ivanti discovered multiple security vulnerabilities in its VPN products, which different threat actors exploited to drop infostealers, malware, and ransomware, on vulnerable targets. After fixing these flaws, the provider found even more problems in February this year.
Nonetheless, the NCSC explained, “This choice of technology [IPsec] entails a smaller attack surface and a lower degree of fault tolerance in the configuration of the solution.”
https://medium.com/@netgaingroupinc/norway-tells-businesses-to-replace-their-ssl-vpn-bb7f7150529c
Norway tells businesses to replace their SSL VPN
Norway joined other countries in recommending IPsec VPNs. In a bid to reduce the vulnerability and attack surface for secure remote access, the Norwegian National Cyber Security Centre (NCSC) invites all businesses to replace their SSLVPN/WebVPN solutions.
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/norway-recommends-replacing-ssl-vpn-to-prevent-breaches/
While the cybersecurity organization admits IPsec with IKEv2 isn’t free of flaws, it believes switching to it would significantly reduce the attack surface for secure remote access incidents due to having reduced tolerance for configuration errors compared to SSLVPN.
Where IPsec connections are not possible, the NCSC suggests using 5G broadband instead.
Meanwhile, NCSC has also shared interim measures for organizations whose VPN solutions do not offer the IPsec with IKEv2 option and need time to plan and execute the migration.
These include implementing centralized VPN activity logging, strict geofencing restrictions, and blocking access from VPN providers, Tor exit nodes, and VPS providers.
Other countries have also recommended using IPsec over other protocols, including the USA and the UK.
Tomi Engdahl says:
Unlike IPsec, which is an open standard that most companies follow, SSLVPN does not have a standard, causing network device manufacturers to create their own implementation of the protocol.
However, this has led to numerous bugs discovered over the years in SSL VPN implementations from Cisco, Fortinet, and SonicWall that hackers actively exploit to breach networks.
https://www.bleepingcomputer.com/news/security/norway-recommends-replacing-ssl-vpn-to-prevent-breaches/
Tomi Engdahl says:
Mystery malware destroys 600,000 routers from a single ISP during 72-hour span
An unknown threat actor with equally unknown motives forces ISP to replace routers.
https://arstechnica.com/security/2024/05/mystery-malware-destroys-600000-routers-from-a-single-isp-during-72-hour-span/?fbclid=IwZXh0bgNhZW0CMTEAAR3vhB-oNukYfE4RvGgwXjaMgchmgFzw8TeXAGLOeJuWLLct2wOUTZhg5l0_aem_ZmFrZWR1bW15MTZieXRlcw
One day last October, subscribers to an ISP known as Windstream began flooding message boards with reports their routers had suddenly stopped working and remained unresponsive to reboots and all other attempts to revive them.
“The routers now just sit there with a steady red light on the front,” one user wrote, referring to the ActionTec T3200 router models Windstream provided to both them and a next door neighbor. “They won’t even respond to a RESET.”
In the messages—which appeared over a few days beginning on October 25—many Windstream users blamed the ISP for the mass bricking. They said it was the result of the company pushing updates that poisoned the devices. Windstream’s Kinetic broadband service has about 1.6 million subscribers in 18 states, including Iowa, Alabama, Arkansas, Georgia, and Kentucky. For many customers, Kinetic provides an essential link to the outside world.
“We have 3 kids and both work from home,” another subscriber wrote in the same forum. “This has easily cost us $1,500+ in lost business, no tv, WiFi, hours on the phone, etc. So sad that a company can treat customers like this and not care.”
After eventually determining that the routers were permanently unusable, Windstream sent new routers to affected customers. Black Lotus has named the event Pumpkin Eclipse.
A deliberate act
A report published Thursday by security firm Lumen Technologies’ Black Lotus Labs may shed new light on the incident, which Windstream has yet to explain. Black Lotus Labs researchers said that over a 72-hour period beginning on October 25, malware took out more than 600,000 routers connected to a single autonomous system number, or ASN, belonging to an unnamed ISP.
According to Black Lotus, the routers—conservatively estimated at a minimum of 600,000—were taken out by an unknown threat actor with equally unknown motivations. The actor took deliberate steps to cover their tracks by using commodity malware known as Chalubo, rather than a custom-developed toolkit. A feature built into Chalubo allowed the actor to execute custom Lua scripts on the infected devices. The researchers believe the malware downloaded and ran code that permanently overwrote the router firmware.
This amounted to the disconnection of at least 179,000 ActionTec routers and more than 480,000 routers sold by Sagemcom.
There aren’t many known precedents for malware that wipes routers en masse in the way witnessed by the researchers. Perhaps the closest was the discovery in 2022 of AcidRain, the name given to malware that knocked out 10,000 modems for satellite Internet provider Viasat. The outage, hitting Ukraine and other parts of Europe, was timed to Russia’s invasion of the smaller neighboring country.
With no clear idea how the routers came to be infected, the researchers can only offer the usual generic advice for keeping such devices free of malware. That includes installing security updates, replacing default passwords with strong ones, and regular rebooting. ISPs and other organizations that manage routers should follow additional advice for securing the management interfaces for administering the devices.
Tomi Engdahl says:
RansomLord: Open-source anti-ransomware exploit tool
RansomLord is an open-source tool that automates the creation of PE files, which are used to exploit ransomware pre-encryption.
https://www.helpnetsecurity.com/2024/05/29/ransomlord-open-source-anti-ransomware-exploit-tool/
Tomi Engdahl says:
https://thehackernews.com/2024/05/cisa-alerts-federal-agencies-to-patch.html
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a security flaw impacting the Linux kernel to the Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
Tracked as CVE-2024-1086 (CVSS score: 7.8), the high-severity issue relates to a use-after-free bug in the netfilter component that permits a local attacker to elevate privileges from a regular user to root and possibly execute arbitrary code.
Tomi Engdahl says:
Researchers Uncover Active Exploitation of WordPress Plugin Vulnerabilities
https://thehackernews.com/2024/05/researchers-uncover-active-exploitation.html
Cybersecurity researchers have warned that multiple high-severity security vulnerabilities in WordPress plugins are being actively exploited by threat actors to create rogue administrator accounts for follow-on exploitation.
“These vulnerabilities are found in various WordPress plugins and are prone to unauthenticated stored cross-site scripting (XSS) attacks due to inadequate input sanitization and output escaping, making it possible for attackers to inject malicious scripts,” Fastly researchers Simran Khalsa, Xavier Stevens, and Matthew Mathur said.
The security flaws in question are listed below -
CVE-2023-6961 (CVSS score: 7.2) – Unauthenticated Stored Cross-Site Scripting in WP Meta SEO <= 4.5.12
CVE-2023-40000 (CVSS score: 8.3) – Unauthenticated Stored Cross-Site Scripting in LiteSpeed Cache <= 5.7
CVE-2024-2194 (CVSS score: 7.2) – Unauthenticated Stored Cross-Site Scripting in WP Statistics <= 14.5
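The root cause the Fastly researchers name for all three plugin flaws is "inadequate input sanitization and output escaping". The Python below is an added illustration of that pair of defences and is not code from any of the plugins or from the Fastly write-up: it renders a stored value (a constructed stand-in for something like a plugin's SEO description) first the vulnerable way, by raw concatenation, and then the hardened way, with context-appropriate escaping at output time, and uses Python's own HTML parser to show what a browser would see in each case. It also shows why a tag-stripping input filter alone is not enough: the attribute-breakout sample passes straight through it.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample of plugin-stored text: the first value is benign, the
# other two are the kinds of values a stored-XSS bug lets a request persist.
SAMPLE_VALUES = [
    "Spring sale on garden tools",
    "<script>alert(document.cookie)</script>",
    '" autofocus onfocus="alert(1)',
]

TAG_RE = re.compile(r"<[^>]*>")


def sanitize_input(value):
    """Input-side filter: strip anything that looks like a tag before storing.
    Necessary but not sufficient; it does nothing against attribute breakouts."""
    return TAG_RE.sub("", value)


def render_unsafe(value):
    """Vulnerable pattern: the stored value is concatenated raw into markup,
    both inside an attribute value and as element text."""
    return (f'<meta name="description" content="{value}">'
            f'<p class="summary">{value}</p>')


def render_safe(value):
    """Hardened pattern: escape at output time. quote=True also encodes the
    quote characters, which is what keeps the attribute context intact."""
    esc = html.escape(value, quote=True)
    return (f'<meta name="description" content="{esc}">'
            f'<p class="summary">{esc}</p>')


class TagCollector(HTMLParser):
    """Records the tags and attribute names a browser would actually parse."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs.extend(name for name, _ in attrs)


# What the template is supposed to produce, and nothing more.
EXPECTED_TAGS = ["meta", "p"]
EXPECTED_ATTRS = ["name", "content", "class"]


def audit(markup):
    """Parse rendered markup and return (tags, attribute names) seen by the parser."""
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags, collector.attrs


def is_clean(markup):
    """True when the rendered page contains only the template's own tags and
    attributes, i.e. the stored value did not add a script or an event handler."""
    tags, attrs = audit(markup)
    return tags == EXPECTED_TAGS and attrs == EXPECTED_ATTRS


if __name__ == "__main__":
    for value in SAMPLE_VALUES:
        print(repr(value))
        print("  unsafe render clean:", is_clean(render_unsafe(value)))
        print("  sanitized + unsafe render clean:",
              is_clean(render_unsafe(sanitize_input(value))))
        print("  safe render clean:", is_clean(render_safe(value)))
```

The parser-based audit is the useful part for a reviewer: rather than grepping for `<script`, it asks whether the rendered document still has exactly the structure the template intended. The attribute sample shows that tag stripping on input leaves `autofocus onfocus=` intact, while output escaping neutralises both samples regardless of what was stored.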
Tomi Engdahl says:
This questionable app would be illegal in Finland – now it is being shut down because of a massive data leak
29.5.2024 19:05
Spyware maker Pctattletale announced it is ceasing operations
https://www.mikrobitti.fi/uutiset/tama-arveluttava-sovellus-olisi-suomessa-laiton-nyt-se-lopetetaan-valtavan-tietovuodon-vuoksi/43b77ec3-2a2f-49ec-8d9e-6770e871ccb7
The Pctattletale company's namesake application is the kind of program also called stalkerware: it can be installed on a target's device, after which the device's activity can be monitored remotely. Pctattletale marketed the app to companies for monitoring employees.
Tomi Engdahl says:
Santander staff and ’30 million’ customers hacked
https://www.bbc.com/news/articles/c6ppv06e3n8o
Hackers are attempting to sell what they say is confidential information belonging to millions of Santander staff and customers.
They belong to the same gang which this week claimed to have hacked Ticketmaster.
The bank – which employs 200,000 people worldwide, including around 20,000 in the UK – has confirmed data has been stolen.
Santander has apologised for what it says is “the concern this will understandably cause” adding it is “proactively contacting affected customers and employees directly.”
“Following an investigation, we have now confirmed that certain information relating to customers of Santander Chile, Spain and Uruguay, as well as all current and some former Santander employees of the group had been accessed,” it said in a statement posted earlier this month.
In a post on a hacking forum – first spotted by researchers at Dark Web Informer – the group calling themselves ShinyHunters posted an advert saying they had data including
30 million people’s bank account details
6 million account numbers and balances
28 million credit card numbers
HR information for staff
Santander has not commented on the accuracy of those claims.
ShinyHunters have previously sold data confirmed to have been stolen from US telecoms firm AT&T.
The gang is also selling what it says is a huge amount of private data from Ticketmaster.
Tomi Engdahl says:
Why CVEs Are an Incentives Problem
It’s time to rethink the pivotal role incentives play in shaping behavior to find and disclose software vulnerabilities. More accurate guidance to reflect real-world risks and a tiered verification process to establish potential impact could slow misleading submissions.
https://www.darkreading.com/vulnerabilities-threats/why-cves-are-an-incentives-problem
Tomi Engdahl says:
Check Point vulnerability far worse than thought – exploited in wild since April
106,000 customers publicly exposed, initial searches suggest.
https://www.thestack.technology/check-point-vulnerability-cve-2024-24919/
Tomi Engdahl says:
Helsinki made a major decision on remote connections – the reason is a data breach
https://www.tivi.fi/uutiset/helsinki-teki-merkittavan-paatoksen-etayhteyksista-syyna-tietomurto/c06ad6e6-734f-4005-a0ea-4586f6e61374
After the data breach, Helsinki no longer wants to find its remote connections to have been Swiss cheese.
The City of Helsinki's chief digitalisation officer Hannu Heikkinen has decided that the city will now fix its remote-connection and remote-access solutions once and for all. The strict decision applies to all of the city's divisions, public enterprises and agencies.
Tomi Engdahl says:
How Researchers Cracked an 11-Year-Old Password to a $3 Million Crypto Wallet
Thanks to a flaw in a decade-old version of the RoboForm password manager and a bit of luck, researchers were able to unearth the password to a crypto wallet containing a fortune.
https://www.wired.com/story/roboform-password-3-million-dollar-crypto-wallet/
Tomi Engdahl says:
https://www.dna.fi/yrityksille/blogi/-/blogs/tekoaly-on-sita-mita-teemme-siita-ja-samaan-aikaan-seka-uhka-etta-mahdollisuus?utm_source=facebook&utm_medium=linkad&utm_content=JUJO-artikkeli-tekoaly-on-sita-mita-teemme-siita-ja-samaan-aikaan-seka-uhka-etta-mahdollisuus&utm_campaign=H_JUJO_LAS_24-18-22_artikkelikampanja&fbclid=IwAR1dgheZA-iyWQy0OpKkLwBODpVGXrJ-YQUJMm-cZ_3myD65pDZBOQ5lECI_aem_eN5tje_1JlJou4RsT3MKMQ