Cyber Security moves much too quickly to wait for a weekly news recap. That’s why we’re here each and every weekday bringing you the relevant Information Security stories from overnight. Make InfoSec Overnights part of your daily routine to ensure you and your team are up to the minute on the thre…
A daily look at the relevant information security news from overnight - 29 July, 2022
Episode 276 - 29 July 2022

Kimsuky Stealing Emails - https://www.bleepingcomputer.com/news/security/cyberspies-use-google-chrome-extension-to-steal-emails-undetected/
NPM Cards Discord - https://www.infosecurity-magazine.com/news/malicious-npm-packages-steal/
Trojan Play Store Apps - https://thehackernews.com/2022/07/over-dozen-android-apps-on-google-play.html
Phishing Countdown - https://www.zdnet.com/article/this-phishing-attack-uses-a-countdown-clock-to-panic-you-into-handing-over-passwords/
IP Camera Hack - https://thehackernews.com/2022/07/dahua-ip-camera-vulnerability-could-let.html

Hi, I'm Paul Torgersen. It's Friday July 29th, 2022 and this is a look at the information security news from overnight.

From BleepingComputer.com: A North Korean-backed threat group tracked as Kimsuky is using a malicious browser extension to steal emails from Google Chrome or Microsoft Edge users reading their webmail. The malware, called SHARPEXT, supports Chrome, Edge and Whale browsers and can steal mail from Gmail and AOL accounts. Details in the article.

From InfoSecurity-Magazine.com: Researchers have discovered a supply chain attack using malicious npm packages, this time targeting Discord users. The purpose of the campaign, named LofyLife, appears to be to steal Discord tokens and users' credit card data. Kaspersky said it identified four suspicious packages which feature obfuscated Python and JavaScript code. Details and a link to the write-up inside.

From TheHackerNews.com: Another 17 so-called productivity apps have been uncovered and removed from the Google Play store. The apps did perform some basic tasks they advertise, but they were also dropping in malicious apps like Octo, Hydra, Ermac, and TeaBot. See the full list of affected apps in the article and make sure you delete those puppies.

From ZDNet.com: A new phishing attack has taken a page out of the ransomware playbook by using a countdown clock to pressure victims into entering their username and password. At the end of the countdown they would be permanently locked out of whatever account is being targeted. Obviously nothing actually changes when the countdown reaches zero, but for some less sophisticated users, this could be very compelling.

And last, from TheHackerNews.com: A security vulnerability in Dahua's Open Network Video Interface Forum (ONVIF) standard implementation can lead to a threat actor seizing control of IP cameras. ONVIF governs an open standard for how IP-based physical security products communicate with one another in a vendor-agnostic manner. I'm sure you can understand how some nation-state bad guys would be very interested in tapping into live video feeds. Get your patch on kids. That's all for me. Have a great weekend. If you like this podcast, please spread the word, and until next time, be safe out there.
A daily look at the relevant information security news from overnight - 28 July, 2022
Episode 275 - 28 July 2022

NetStandard Knocked Offline - https://www.bleepingcomputer.com/news/security/kansas-msp-shuts-down-cloud-services-to-fend-off-cyberattack/
Moxa NPort Flaws - https://www.securityweek.com/moxa-nport-device-flaws-can-expose-critical-infrastructure-disruptive-attacks
Post Macro Tactics - https://www.infosecurity-magazine.com/news/hackers-change-tactics-for-new/
Naughty Knotweed - https://thehackernews.com/2022/07/microsoft-uncover-austrian-company.html
Twitter Data Sale - https://www.infosecurity-magazine.com/news/criminal-twitter-users-data/

Hi, I'm Paul Torgersen. It's Thursday July 28th, 2022 and this is a look at the information security news from overnight.

From BleepingComputer.com: Managed service provider NetStandard suffered a cyberattack causing the company to shut down its MyAppsAnywhere cloud services. The company said Hosted GP, Hosted CRM, Hosted Exchange, and Hosted Sharepoint will be offline until further notice, but that no other services were impacted. That being said, their main website remains down as well. No word on threat actor or malware involved, but it is assumed to be a ransomware hit.

From SecurityWeek.com: Two high severity flaws have been found in the NPort 5110 device servers from Moxa. The vulnerabilities can be exploited remotely to cause the targeted device to enter a denial of service condition. The only way to regain control of the device is to physically power it down, which might present a challenge as many of these devices are in very remote locations. These things are designed to connect to Ethernet networks and should not be exposed to the internet. However, a Shodan search found at least 5,300 of them that are. Now some of these may be honeypots, but they're not ALL honeypots. Customers should contact Moxa for a security patch.

From InfoSecurity-Magazine.com: Since Microsoft announced they would disable macros by default, the use of macro-enabled attachments by threat actors decreased by around 66% between October 2021 and June 2022. Awesome. But, where there's a will there's a way. In that same timeframe, the number of malicious campaigns using container file formats jumped up 176%. These formats include ISO, RAR, ZIP and IMG files that contain macro-enabled docs. Now the ISO and RAR formats will still have the Mark of the Web, meaning they originated from the internet and their macros would be blocked, but the files within them would not. Link to the Proofpoint research in the article.

From TheHackerNews.com: A threat actor tracked as Knotweed used several Windows and Adobe zero-day exploits in highly-targeted attacks against targets in Europe and Central America. They are actually an Austrian outfit called DSIRF that supposedly sells general security and information analysis services to commercial customers. As a side gig, they created a cyberweapon called Subzero, which can hack phones, computers, and internet-connected devices. Talk about vertical integration.

And last, from InfoSecurity-Magazine.com: A user named devil is selling a database of 5.4 million Twitter users' information on the Breached Forums site. They say it contains the phone numbers and email addresses of users, including celebrities and companies, and is asking for $30,000. Twitter is investigating the issue, which the seller said exploited a vulnerability in its systems that allows someone to find additional user information, even if that user has it hidden in privacy settings. That's all for me today. Have a great rest of your day. Like and subscribe, and until tomorrow, be safe out there.
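A worked example added to this page (it is not from the podcast, Proofpoint or Microsoft): a small Python scanner for the container-attachment case in the episode above. It unpacks a ZIP, recurses into nested ZIPs, and flags Office documents that carry VBA, either by macro-enabled extension or, for a file renamed to .docx/.xlsx, by the vbaProject.bin part inside the OOXML package. Only ZIP is handled, with the standard library; ISO, IMG and RAR would need a third-party parser (an assumption noted in the code). The sample attachment is constructed inline and stands in for what a phishing mail would carry.

```python
import io
import posixpath
import zipfile
from dataclasses import dataclass

# Extensions Office treats as macro-enabled OOXML documents.
MACRO_EXTS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam"}
# Legacy binary formats can carry VBA too but need an OLE parser to confirm; flag for review.
LEGACY_OFFICE_EXTS = {".doc", ".dot", ".xls", ".xlt", ".ppt", ".pot"}
# Assumption: only ZIP containers are unpacked here. ISO/IMG/RAR need third-party parsers.
NESTED_CONTAINER_EXTS = {".zip"}
MAX_DEPTH = 3                          # stop recursing into containers nested deeper than this
MAX_MEMBER_BYTES = 20 * 1024 * 1024    # refuse to inflate anything larger (zip-bomb guard)


@dataclass(frozen=True)
class Finding:
    path: str
    reason: str


def _has_vba_project(doc_bytes: bytes) -> bool:
    """OOXML documents are zips; a vbaProject.bin part means the document carries VBA."""
    try:
        with zipfile.ZipFile(io.BytesIO(doc_bytes)) as z:
            return any(name.lower().endswith("vbaproject.bin") for name in z.namelist())
    except zipfile.BadZipFile:
        return False


def scan_container(data: bytes, prefix: str = "", depth: int = 0) -> list[Finding]:
    """Walk a ZIP (and nested ZIPs) and report members that carry or may carry macros."""
    if depth > MAX_DEPTH:
        return [Finding(prefix or "<root>", "nesting deeper than MAX_DEPTH; not inspected")]
    findings: list[Finding] = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            path = f"{prefix}{info.filename}"
            ext = posixpath.splitext(info.filename)[1].lower()
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append(Finding(path, "member too large to inflate safely"))
                continue
            member = z.read(info)
            if ext in NESTED_CONTAINER_EXTS:
                findings.extend(scan_container(member, f"{path}/", depth + 1))
            elif ext in MACRO_EXTS:
                findings.append(Finding(path, "macro-enabled extension"))
            elif ext in LEGACY_OFFICE_EXTS:
                findings.append(Finding(path, "legacy Office binary; inspect for VBA with an OLE parser"))
            elif _has_vba_project(member):
                # e.g. a .docm renamed to .docx: the extension lies, the package contents do not
                findings.append(Finding(path, "contains vbaProject.bin despite non-macro extension"))
    return findings


def _ooxml(part_dir: str, with_vba: bool) -> bytes:
    """Build a minimal OOXML-shaped zip (constructed sample, not a real Office document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr(f"{part_dir}/document.xml", "<doc/>")
        if with_vba:
            z.writestr(f"{part_dir}/vbaProject.bin", b"\xd0\xcf\x11\xe0 fake vba")
    return buf.getvalue()


def build_sample_attachment() -> bytes:
    """Constructed sample: a ZIP attachment with a benign note, a .docm, a clean .docx,
    and a nested ZIP holding a macro document renamed to .xlsx."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("q3/report.xlsx", _ooxml("xl", with_vba=True))
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("readme.txt", "please review the attached invoice")
        z.writestr("invoice.docm", _ooxml("word", with_vba=True))
        z.writestr("notes.docx", _ooxml("word", with_vba=False))
        z.writestr("archive.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for f in scan_container(build_sample_attachment()):
        print(f"{f.path}: {f.reason}")
```

Run it directly to list the two hits in the constructed sample (the .docm and the renamed .xlsx inside the nested archive). The point of looking inside rather than trusting the outer file is the one the episode makes: the mark that Office checks applies to what was downloaded, and a document unpacked from a container is a different file.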
A daily look at the relevant information security news from overnight - 27 July, 2022
Episode 274 - 27 July 2022

WordFly Breach - https://www.securityweek.com/mailing-list-provider-wordfly-scrambling-recover-following-ransomware-attack
Now IIS See You - https://www.bleepingcomputer.com/news/microsoft/microsoft-exchange-servers-increasingly-hacked-with-iis-backdoors/
Messaging Threats - https://threatpost.com/messaging-apps-cybercriminals/180303/
Robin Banks Phishing Service - https://www.bleepingcomputer.com/news/security/new-robin-banks-phishing-service-targets-bofa-citi-and-wells-fargo/
No Knock Nuki - https://www.securityweek.com/nuki-smart-lock-vulnerabilities-allow-hackers-open-doors

Hi, I'm Paul Torgersen. It's Wednesday July 27th, 2022 and this is a look at the information security news from overnight.

From SecurityWeek.com: Mailing list provider WordFly has been offline for more than two weeks after a ransomware attack encrypted data on some of its systems. The attack hit on July 10, and the company hasn't been able to restore service since. The company confirms data was exfiltrated, but believes it was subsequently deleted. They expect to be down at least another few days before they get systems operational again. No word on the malware or threat actor.

From BleepingComputer.com: Attackers are increasingly using Internet Information Services, IIS, web server extensions to backdoor unpatched Exchange servers. Being installed in the exact location and using the same structure as legitimate modules, they provide attackers with a perfect and durable persistence mechanism. Details and a link to the Microsoft report in the article.

From ThreatPost.com: Threat actors are tapping the multi-feature nature of messaging apps such as Telegram and Discord as a foundation in persistent campaigns that threaten users. Intel 471 identified three key ways in which threat actors are leveraging the apps: storing stolen data, hosting malware payloads, and using bots that perform the dirty work. Details and a link inside.

From BleepingComputer.com: A new phishing-as-a-service platform has shown up with the name Robin Banks. As you may have guessed, it offers ready-made phishing kits targeting the customers of well-known banks. Companies like Citibank, Bank of America, Capital One, Wells Fargo, etc. Oh, they also offer templates to steal Microsoft, Google, Netflix, and T-Mobile accounts. Pricing from $50 to $200 a month.

And last, from SecurityWeek.com: Security researchers have documented 11 vulnerabilities impacting Nuki smart lock products (you may not be able to see my air quotes). Nuki Smart Lock and Nuki Bridge allow users to unlock their doors with their smartphones by simply walking in range. Brilliant. Exploiting the found vulnerabilities could result in a fully compromised device, including the ability to open and close the door without the owner even noticing. After being notified of the flaws in April, Nuki has issued patches this month. That's all for me today. Have a great rest of your day. Like and subscribe, and until tomorrow, be safe out there.
A daily look at the relevant information security news from overnight - 26 July, 2022
Episode 273 - 26 July 2022

Grails RCE Vuln - https://portswigger.net/daily-swig/critical-security-vulnerability-in-grails-could-lead-to-remote-code-execution
PrestaShop Skimmer - https://thehackernews.com/2022/07/hackers-exploit-prestashop-zero-day-to.html
LinkedIn Phishing for Admins - https://www.bleepingcomputer.com/news/security/linkedin-phishing-target-employees-managing-facebook-ad-accounts/
PolicyBazaar Breached - https://www.infosecurity-magazine.com/news/indian-insurance-policybazaar/
FileWave Crit Flaws - https://thehackernews.com/2022/07/critical-filewave-mdm-flaws-open.html

Hi, I'm Paul Torgersen. It's Tuesday July 26th, 2022 and from Denver, this is a look at the information security news from overnight.

From PortSwigger.net: A critical vulnerability within a Grails application runtime could allow an attacker to gain remote code execution. The attack exploits a section of the Grails data-binding logic, and has been confirmed on Grails framework versions 3.3.10 and higher, including Grails framework 4 and 5, that are running on Java 8. It has been observed in both the embedded Tomcat runtime and applications deployed as a Web Archive to a Tomcat instance. The company urges all users, even those using unaffected versions, to update as soon as possible.

From TheHackerNews.com: Threat actors are exploiting a previously unknown security flaw in the open source PrestaShop e-commerce platform to inject malicious skimmer code. PrestaShop is the leading open-source e-commerce solution in Europe and Latin America, used by nearly 300,000 online merchants worldwide. The company said they found a zero-day flaw in its service that has been addressed in version 1.7.8.7, although they are not sure that was the only flaw vulnerable to the attack.

From BleepingComputer.com: A new spear phishing campaign named Ducktail is targeting professionals on LinkedIn to take over Facebook business accounts. The threat actors are specifically targeting people who have admin privileges on their employer's social media accounts. Fingers point to a Vietnamese threat actor that has been active since at least 2021 and maybe back as far as 2018.

From Infosecurity-Magazine.com: Indian insurance company Policybazaar has advised that it suffered a data breach, confirming unauthorized access to their systems on July 19. The company has found and fixed the exploited vulnerability and claims that no significant customer data was exposed.

And last, from TheHackerNews.com: FileWave's mobile device management system has been found vulnerable to two critical security flaws that could be leveraged to carry out remote attacks and seize control of a fleet of devices connected to it. The two flaws relate to an authentication bypass, and the use of a hard-coded cryptographic key. There are more than 1,100 internet-facing FileWave servers that are vulnerable to the attack. Get your patch on kids. That's all for me today. Have a great rest of your day. Like and subscribe, and until tomorrow, be safe out there.
A daily look at the relevant information security news from overnight - 25 July, 2022
Episode 272 - 25 July 2022

Entrust Breached - https://www.bleepingcomputer.com/news/security/digital-security-giant-entrust-breached-by-ransomware-gang/
UEFI Rootkit - https://thehackernews.com/2022/07/experts-uncover-new-cosmicstrand-uefi.html
Urgent SonicWall Patch - https://www.securityweek.com/sonicwall-warns-critical-gms-sql-injection-vulnerability
Cisco Nexus Patches Three - https://portswigger.net/daily-swig/cisco-patches-dangerous-bug-trio-in-nexus-dashboard
Raccoon Gets Buff - https://thehackernews.com/2022/07/racoon-stealer-is-back-how-to-protect.html

Hi, I'm Paul Torgersen. It's Monday July 25th, 2022, and this is a look at the information security news from overnight.

From BleepingComputer.com: Identity and access management company Entrust has confirmed that it was the victim of a cyberattack. Threat actors were able to breach their network and steal data from internal systems. The company says they have found no indication that the breach has impacted their operation or their products and services. No word on malware strain or threat actor involved. More to come I'm sure.

From TheHackerNews.com: An unknown Chinese-speaking threat actor has been attributed with a new kind of UEFI firmware rootkit called CosmicStrand. The rootkit is located in the firmware images of Gigabyte or ASUS motherboards, and is related to designs using the H81 chipset. Victims identified so far are just individuals in China, Vietnam, Iran and Russia, with no discernible ties to business or government agencies. A link to the Kaspersky research in the article.

From SecurityWeek.com: SonicWall has issued urgent patches for a critical flaw in its Global Management System software, warning that the issue exposes businesses to remote attacks. The 9.4 severity flaw provides a pathway for a remote attacker to execute arbitrary SQL queries in the database. The vulnerability exists due to insufficient sanitization of user-supplied data.

From PortSwigger.net: Serious vulnerabilities in Cisco Nexus Dashboard give attackers a viable path to executing arbitrary commands as root, uploading container image files, or performing cross-site request forgery attacks. Cisco has issued patches for the three bugs, one of them carrying a 9.8 severity rating. The company said it was not aware of any of these bugs being exploited in the wild. Get your patch on kids.

And last, from TheHackerNews.com: The new and vastly improved version of Raccoon Stealer has hit the scene. Not only can it steal browser passwords, cookies, and auto-fill data, it can now also steal credit card numbers, cryptocurrency and crypto wallets, harvest file data, drop files onto the system, list apps installed on the machine, and take screenshots. Fortunately, just like with the real world rodents, basic precautions should keep the varmint at bay: beware of spoofed messages and don't click any links you didn't know were specifically coming. That's all for me today. Have a great rest of your day. Like and subscribe, and until tomorrow, be safe out there.
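An added illustration of the bug class behind the SonicWall GMS advisory above. This is not SonicWall's code (the GMS internals are not public); it uses SQLite from the Python standard library and a constructed user table. It puts a query that concatenates user input beside its parameterized form, and adds the allowlist you need for the one place placeholders cannot help: column and table identifiers.

```python
import sqlite3

# Constructed sample data; stands in for a management product's user store.
SAMPLE_USERS = [("alice", "admin"), ("bob", "operator"), ("carol", "viewer")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list[tuple]:
    # Deliberately vulnerable: user input is spliced into the statement text, so
    # quotes, OR clauses and UNIONs in the input are parsed as SQL.
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list[tuple]:
    # Parameter binding: the driver hands the value to the engine separately from the
    # statement, so it can only ever be compared as data, never parsed as SQL.
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


# Identifiers (columns, tables, ORDER BY targets) cannot be bound as parameters.
# The only safe way to take them from a caller is a strict allowlist.
ALLOWED_SORT_COLUMNS = {"name", "role"}


def list_users_sorted(conn: sqlite3.Connection, sort_by: str) -> list[tuple]:
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    return conn.execute(f"SELECT name, role FROM users ORDER BY {sort_by}").fetchall()


if __name__ == "__main__":
    db = make_db()
    bypass = "' OR '1'='1"
    # Pulls the table schema straight out of sqlite_master through the injectable query.
    schema_leak = "x' UNION SELECT name, sql FROM sqlite_master WHERE type='table' --"
    print("vulnerable, tautology:", find_user_vulnerable(db, bypass))
    print("vulnerable, schema leak:", find_user_vulnerable(db, schema_leak))
    print("parameterized, tautology:", find_user_safe(db, bypass))
    print("sorted:", list_users_sorted(db, "name"))
```

With the tautology payload the concatenating version returns every row and the UNION payload returns the CREATE TABLE text from sqlite_master; the parameterized version returns nothing for either, because the whole string is compared against the name column as a value.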
A daily look at the relevant information security news from overnight - 22 July, 2022
Episode 271 - 22 July 2022

Drupal Updates - https://www.securityweek.com/code-execution-and-other-vulnerabilities-patched-drupal
Zyxel Firewall Patches - https://portswigger.net/daily-swig/zyxel-firewall-vulnerabilities-left-business-networks-open-to-abuse
PayPal Double Spear Phishing - https://www.infosecurity-magazine.com/news/paypal-used-send-malicious-double/
Okta Too Open - https://threatpost.com/risks-okta-sso/180249/
Candiru's DevilsTongue - https://www.bleepingcomputer.com/news/security/chrome-zero-day-used-to-infect-journalists-with-candiru-spyware/

Hi, I'm Paul Torgersen. It's Friday July 22nd, 2022, and from Victoria one last time, this is a look at the information security news from overnight.

From SecurityWeek.com: Drupal has released patches for four vulnerabilities. The most critical flaw affects Drupal 9.3 and 9.4, and it can lead to arbitrary PHP code execution on Apache web servers. The other three vulnerabilities also impact the Drupal core and can lead to cross-site scripting attacks, information disclosure, or access bypass. Get your patch on kids.

From PortSwigger.net: Zyxel has released patches for several of its firewall products following the discovery of two security vulnerabilities that left business networks open to exploitation. One is an authenticated directory traversal vulnerability in the Common Gateway Interface, and the other is a local privilege escalation vulnerability that was identified in the command-line interface. You should update to the latest versions as soon as you can.

From Infosecurity-Magazine.com: Threat actors are using PayPal to send out phishing invoices. PayPal domains are usually "allow-listed" by organizations' email filters, so cyber-criminals are registering accounts and composing malicious invoices on the platform. Many are spoofing Norton products, but substituting their own information for payments. They even have someone answering the included Customer Service number to continue the charade to extract dollars from their victims.

From ThreatPost.com: Four newly discovered attack paths in the products of IAM vendor Okta could lead to PII exposure, account takeover, or even organizational data destruction. Note that the researchers call these "attack paths" and not vulnerabilities. Okta says this is a non-issue and all you need to do is tweak up your security profile a little, which is beyond what they offer as their default settings. You can see the details in the article.

And last, from BleepingComputer.com: The Israeli spyware vendor Candiru was found using a Google Chrome zero day to spy on journalists and other high-interest individuals in the Middle East with their 'DevilsTongue' spyware. Threat researchers from Avast, who discovered the vulnerability and reported it to Google, revealed that they unearthed the flaw after investigating spyware attacks on their clients. The vuln was patched on July 4. Details and a link to the research in the article. That's all for me today. Have a great rest of your day. Like and subscribe, and until next time, be safe out there.
A daily look at the relevant information security news from overnight - 21 July, 2022
Episode 270 - 21 July 2022

Patched Atlassian - https://www.bleepingcomputer.com/news/security/atlassian-fixes-critical-confluence-hardcoded-credentials-flaw/
Linux Hit by Lightning - https://thehackernews.com/2022/07/new-linux-malware-framework-let.html
Renewed Redeemer - https://www.bleepingcomputer.com/news/security/new-redeemer-ransomware-version-promoted-on-hacker-forums/
Apple Pushed Update - https://www.securityweek.com/apple-ships-urgent-security-patches-macos-ios
Neopets Nabbed - https://www.bleepingcomputer.com/news/security/neopets-data-breach-exposes-personal-data-of-69-million-members/

Hi, I'm Paul Torgersen. It's Thursday July 21st, 2022, and from Victoria, this is a look at the information security news from overnight.

From BleepingComputer.com: Atlassian has patched a critical hardcoded credentials vulnerability in Confluence Server and Data Center that could let remote, unauthenticated attackers log into vulnerable servers. The hardcoded password is added after installing the Questions for Confluence app, for an account with the username disabledsystemuser. It was designed to help admins with the migration of data from the app to the Confluence Cloud.

From TheHackerNews.com: A never-before-seen malware called Lightning Framework targets Linux machines to install rootkits. The malware has been dubbed a "Swiss Army Knife" and is equipped with a plethora of features, making it one of the most intricate frameworks developed for targeting Linux systems. Details and a link to the research report in the article.

From BleepingComputer.com: A threat actor is promoting a new version of their free-to-use Redeemer ransomware builder on hacker forums. According to its author, the 2.0 release was written entirely in C++ and works on Windows Vista, 7, 8, 10, and 11. This offers unskilled threat actors an easy entry to the world of encryption-backed extortion attacks. All they pay is 20% of any ransom they manage to collect.

From SecurityWeek.com: Apple's security response team has pushed out software fixes for at least 39 vulnerabilities impacting macOS Catalina, iOS and iPadOS platforms. The patches provide updates for numerous memory safety flaws, some serious enough to expose users to remote code execution attacks. Apple is urging users to update straight away. Get your patch on kids.

And last today, from BleepingComputer.com: Neopets has suffered a data breach leading to the theft of source code as well as a database containing the personal information of over 69 million members. A hacker known as 'TarTarX' began selling the source code and database for four bitcoins, about $94,000 at current prices. He did not confirm his attack vector, but it appears he still has active access to the database. That's all for me today. Have a great rest of your day. Like and subscribe, and until tomorrow, be safe out there.
A daily look at the relevant information security news from overnight - 20 July, 2022
Episode 269 - 20 July 2022

Knauf Knocked Out - https://www.bleepingcomputer.com/news/security/building-materials-giant-knauf-hit-by-black-basta-ransomware-gang/
Rusty Luna - https://thehackernews.com/2022/07/new-rust-based-ransomware-family.html
GPS Over-Tracking - https://www.zdnet.com/article/flaws-in-a-popular-gps-tracker-could-allow-hackers-to-track-or-stop-vehicles-say-security-researchers/
Oracle Patchfest - https://www.securityweek.com/oracle-releases-349-new-security-patches-july-2022-cpu
Magecart Skim - https://docs.google.com/document/d/1Kse6lMi7hJEg1wDnVS_ZEND2pZOEMT4a9We3erCPsXE/edit

Hi, I'm Paul Torgersen. It's Wednesday July 20th, 2022, and from Victoria, this is a look at the information security news from overnight.

From BleepingComputer.com: The Knauf Group, a large Germany-based building materials company, has announced it has been the target of a cyberattack that has disrupted its business operations. Their global IT team has shut down all systems to isolate the incident. Knauf has not confirmed it is a ransomware attack, but the Black Basta group has claimed responsibility for the attack on their extortion site. So far they claim to have released about 20% of the information they stole, which indicates they are likely still hopeful to receive a ransom from the victim.

From TheHackerNews.com: Researchers have disclosed a brand-new ransomware family written in Rust, that Kaspersky Labs has named Luna. The ransomware is fairly simple and appears to be in its early development. It is designed to be used by Russian speaking threat actors, and can run on Windows, Linux, and ESXi systems.

From ZDNet.com: Critical security vulnerabilities in the MiCODUS MV720 vehicle GPS tracker could be used to remotely track, stop or even take control of vehicles in which it is installed. These devices are popular with large companies and government entities, with approximately 1.5 million of them currently in use in 169 countries. Researchers at BitSight, who found the flaws, say these devices should not be used until patches are available. No word from MiCODUS on when that might be.

From SecurityWeek.com: Oracle's quarterly Critical Patch Update has a total of 349 new security patches, including 230 for vulnerabilities that can be exploited by remote, unauthenticated attackers. 64 of the vulnerabilities are rated critical, with four of those scoring a ten out of ten. Financial Services Applications received the largest number of fixes, followed by Oracle Communications, then Fusion Middleware. Get your patch on kids.

And last today, from ThreatPost.com: A Magecart campaign has been skimming payment-card credentials from customers using three online restaurant-ordering systems. The attack has affected over 300 restaurants and compromised at least 50,000 cards so far, which have already been offered up for sale on the dark web. The platforms impacted are MenuDrive, Harbortouch, and InTouchPOS. That's all for me today. Have a great rest of your day. Like and subscribe, and until tomorrow, be safe out there.
A daily look at the relevant information security news from overnight - 19 July, 2022
Episode 268 - 19 July 2022

Mac is Back-Doored - https://www.bleepingcomputer.com/news/security/elastix-voip-systems-hacked-in-massive-campaign-to-install-php-web-shells/
Fake Crypto Apps - https://www.zdnet.com/article/fbi-these-fake-apps-are-trying-to-steal-your-crypto-heres-what-to-watch-out-for/
FlipKart Breach - https://techcrunch.com/2022/07/18/cleartrip-data-breach-dark-web/
SATAn Air Gapped Attack - https://thehackernews.com/2022/07/new-air-gap-attack-uses-sata-cable-as.html
Russians Hiding on the Cloud - https://www.bleepingcomputer.com/news/security/russian-svr-hackers-use-google-drive-dropbox-to-evade-detection/

Hi, I'm Paul Torgersen. It's Tuesday July 19th, 2022, and from Port Angeles, this is a look at the information security news from overnight.

From BleepingComputer.com: Unknown threat actors are using a previously undetected malware to backdoor macOS devices and exfiltrate information. ESET researchers named the malware CloudMensis because it uses pCloud, Yandex Disk, and Dropbox public cloud storage services for C2 communications. It is not known yet how the malware is distributed. Details in the article.

From ZDNet.com: The FBI has warned that criminal groups are creating fraudulent apps that mimic real financial services brands that have so far duped investors into parting with $42.7 million over the past six months. Many of these are mimicking cryptocurrency services as there continue to be a flood of new players in the space and some ambiguity around crypto investing. Details and links to the advisory in the article.

From TechCrunch.com: Cleartrip, a popular travel-booking platform in India, has confirmed a data breach after hackers claimed to post the stolen data on the dark web. Exact details of the stolen data are not yet known, however analysis of the screenshots posted makes it appear that significant amounts of data were accessed, including forward-looking information, which may indicate an insider was involved.

From TheHackerNews.com: Researchers have developed a new method to steal data from an air-gapped machine using the Serial ATA cable. Dubbed SATAn, the attack uses the SATA cable as a covert channel to emanate electromagnetic signals and transfer information to a nearby receiver just over a meter away. Fortunately, this technique does require physical access to the machine initially, which obviously makes it much more difficult. On the other hand, Stuxnet required physical access as well, so you never know.

And last today, from BleepingComputer.com: State-backed Russian hackers have started using legitimate Google Drive cloud storage services to evade detection. It is akin to hiding in plain sight by getting lost in the crowd. Google cloud storage is ubiquitous and pretty much universally trusted. Russian threat actors are abusing that trust to render their attacks exceedingly difficult, if not impossible, to detect and block. That's all for me. Have a great rest of your day. Like and subscribe, and until next time, be safe out there.
A daily look at the relevant information security news from overnight - 18 July, 2022
Episode 267 - 18 July 2022

Elastix VoIP Attack - https://www.bleepingcomputer.com/news/security/elastix-voip-systems-hacked-in-massive-campaign-to-install-php-web-shells/
Botnet Targeting ICS - https://thehackernews.com/2022/07/hackers-distributing-password-cracking.html
Play Store Purge - https://threatpost.com/google-boots-malware-marketplace/180241/
Juniper Patches - https://www.securityweek.com/juniper-networks-patches-over-200-third-party-component-vulnerabilities
Blitz.JS Polluted - https://portswigger.net/daily-swig/prototype-pollution-in-blitz-js-leads-to-remote-code-execution

Hi, I'm Paul Torgersen. It's Monday July 18th, 2022, and from Port Angeles, this is a look at the information security news from overnight.

From BleepingComputer.com: Threat analysts have uncovered a large-scale campaign targeting Elastix VoIP telephony servers with more than 500,000 malware samples over a period of about three months. The attackers are likely exploiting CVE-2021-45461, a remote code execution vulnerability with a 9.8 severity. The goal is to plant a PHP web shell that could run arbitrary commands on the compromised communications server. Details in the article.

From TheHackerNews.com: Industrial engineers and operators are the target of a new campaign that leverages password cracking software to seize control of Programmable Logic Controllers and co-opt the machines to a botnet. Attackers are exploiting a vulnerability in the firmware which allows it to retrieve the password on command. They then drop the Sality malware and turn the host into a peer in Sality's peer-to-peer botnet. More details inside.

From ThreatPost.com: Google has removed eight apps from its Play store that were propagating a new variant of the Joker spyware. Unfortunately those apps had already accounted for a total of over 3 million downloads. Those apps are: Vlog Star Video Editor, Creative 3D Launcher, Wow Beauty Camera, Gif Emoji Keyboard (yes, I said gif, not jif), Freeglow Camera, Coco Camera, Funny Camera, and Razer Keyboard & Theme.

From SecurityWeek.com: Juniper Networks has published 21 security advisories to inform customers about patches for more than 200 vulnerabilities. Six of those advisories impact their own products, including Junos OS, Junos Space, Contrail Networking, and Northstar Controller products. The rest were vulnerabilities affecting third-party components such as Nginx, OpenSSL, Samba, Java SE, SQLite and Linux. Details in the article.

And last today, from PortSwigger.net: Blitz.js, a JavaScript web application framework, has patched a dangerous prototype pollution vulnerability that could lead to remote code execution on Node.js servers. The bug allows attackers to manipulate the code in the Blitz.js app to create a reverse shell and run arbitrary commands on the server. You can find all the dirty details in the article. That's all for me. Have a great rest of your day. Like and subscribe, and until next time, be safe out there.
A daily look at the relevant information security news from overnight - 15 July, 2022
Episode 266 - 15 July 2022

Hive Five Decryptor - https://www.techtarget.com/searchsecurity/news/252522715/Researcher-develops-Hive-ransomware-decryption-tool
WordPress Scan - https://www.bleepingcomputer.com/news/security/attackers-scan-16-million-wordpress-sites-for-vulnerable-plugin/
SMB H0lyGh0st - https://thehackernews.com/2022/07/north-korean-hackers-targeting-small.html
Spoofing GitHub Commits - https://www.securityweek.com/supply-chain-attack-technique-spoofs-github-commit-metadata
WordPress Phishes PayPal - https://www.bleepingcomputer.com/news/security/paypal-phishing-kit-added-to-hacked-wordpress-sites-for-full-id-theft/

Hi, I'm Paul Torgersen. It's Friday July 15th, 2022, and this is a look at the information security news from overnight.

From TechTarget.com: A malware researcher known as reecDeep, or reecDeep, I'm sorry if I am mispronouncing your handle, has developed and published a decryption tool on GitHub for version 5 of the Hive ransomware. reecDeep developed the tool with a fellow anonymous malware researcher known as rivitna. The post includes technical details of how Hive v5 works as well as how the researchers developed their brute-force decryption tool.

From BleepingComputer.com: Security researchers have detected a massive campaign that scanned close to 1.6 million WordPress sites for the presence of a vulnerable plugin that allows uploading files without authentication. They were specifically targeting the Kaswara Modern WPBakery Page Builder, which had been abandoned by its author before receiving a patch for a critical severity flaw uncovered last year. Exploitation of the flaw could lead to a complete takeover of the site.

From TheHackerNews.com: An emerging threat cluster originating from North Korea, which calls itself H0lyGh0st, has been linked to developing and using ransomware with that same payload name targeting small businesses since September of last year. Targeted entities primarily include SMBs such as manufacturing organizations, banks, schools, and event and meeting planning companies.

From SecurityWeek.com: Security researchers are warning of a new supply chain attack technique that relies on spoofed commit metadata to add legitimacy to malicious GitHub repositories. Threat actors could tamper with commit data so that a repository would appear to be older than it actually is, or that reputable contributors have been involved in its maintenance.

And last this week, from BleepingComputer.com: A newly discovered phishing kit is targeting PayPal users in an attempt to steal your PII. The kit is hosted on legitimate WordPress websites that have been hacked, which allows it to evade detection, at least for a little while. The threat actor targets poorly secured WordPress sites and brute-forces their login. They've also done a pretty nice job on the PayPal spoof site, which includes a Captcha challenge for a whiff of legitimacy. The ultimate goal is not only gathering login info, but financial and address details as well. That's all for me. Have a great weekend. Like and subscribe, and until next time, be safe out there.
A daily look at the relevant information security news from overnight - 14 July, 2022
Episode 265 - 14 July 2022

Lilith Not-Fair - https://www.bleepingcomputer.com/news/security/new-lilith-ransomware-emerges-with-extortion-site-lists-first-victim/
Retbleed Spectre - https://www.securityweek.com/retbleed-new-speculative-execution-attack-targets-intel-amd-processors
AWS Kubernetes Flaw - https://portswigger.net/daily-swig/vulnerability-in-aws-iam-authenticator-for-kubernetes-could-allow-user-impersonation-privilege-escalation-attacks
Teams Sticker Shock - https://portswigger.net/daily-swig/microsoft-teams-security-vulnerability-left-users-open-to-xss-via-flawed-stickers-feature
Bandai Namco Gamed - https://www.bleepingcomputer.com/news/security/bandai-namco-confirms-hack-after-alphv-ransomware-data-leak-threat/

Hi, I'm Paul Torgersen. It's Thursday July 14th 2022, and this is a look at the information security news from overnight.

From BleepingComputer.com: There's a new ransomware group that has just hit the scene named Lilith. They have created the standard double-extortion leak site and added their first victim, a large construction group in South America, which has since been removed from the site. Analysis of the new family shows it does not appear to introduce any novelties, but it's another one to keep an eye on. Details in the article.

From SecurityWeek.com: Researchers have devised a new speculative execution attack called Retbleed that can lead to information leaks and works on both Intel and AMD processors. The attack targets retpolines, or return trampolines, which was one of the defenses proposed back in 2018 to mitigate the Spectre side-channel attacks. You can see all the details and a link to the research paper in the article.

From PortSwigger.net: A vulnerability in AWS IAM Authenticator for Kubernetes could allow a malicious actor to impersonate other users and escalate privileges in Kubernetes clusters. This impacts Elastic Kubernetes Service clusters configured with the AccessKeyID template parameter. If this is you, make sure you are running version 0.5.9.

Also from PortSwigger.net: Attackers could abuse the sticker feature in Microsoft Teams to conduct cross-site scripting attacks. The Teams platform converts stickers into an image and uploads the content as RichText/HTML in the subsequent message. This can be manipulated for a potential HTML injection attack against multiple domains. All the sticky details in the article.

And last today, from BleepingComputer.com: Japanese game publishing giant Bandai Namco has confirmed that they suffered a cyberattack. The BlackCat ransomware gang has claimed responsibility for the attack on their data leak site. The company says the breach occurred on July 3rd on their internal systems in Asian regions other than Japan, and they are still evaluating the scope and type of information compromised.

That's all for me today. Have a great rest of your day. Like and subscribe, and until tomorrow, be safe out there.
A daily look at the relevant information security news from overnight - 13 July, 2022
Episode 264 - 13 July 2022

Qakbot Glows Up - https://thehackernews.com/2022/07/researchers-uncover-new-attempts-by.html
AiTM Phishing - https://threatpost.com/large-scale-hishing-bypasses-mfa/180212/
Lenovo Firmware Flaw - https://thehackernews.com/2022/07/new-uefi-firmware-vulnerabilities.html
Microsoft Patches Zero Day - https://www.bleepingcomputer.com/news/microsoft/microsoft-july-2022-patch-tuesday-fixes-exploited-zero-day-84-flaws/
Luna Moth Flutters In - https://www.bleepingcomputer.com/news/security/new-luna-moth-hackers-breach-orgs-via-fake-subscription-renewals/

Hi, I'm Paul Torgersen. It's Wednesday July 13th 2022, and this is a look at the information security news from overnight.

From TheHackerNews.com: Researchers at Zscaler have found that the operators behind the Qakbot malware are trying to sidestep detection by altering their delivery vectors. Most recently, by using ZIP file extensions, code obfuscation, utilizing multiple URLs, and using unknown file extensions such as .OCX, .ooccxx, .gyp, etc. Looks like this little workhorse just won't go away. A link to that research in the article.

From ThreatPost.com: Microsoft has uncovered a massive phishing campaign that can steal credentials even if you have multi-factor authentication enabled. The campaign uses adversary-in-the-middle phishing sites to hijack session cookies so the attacker gets authenticated to a session on the user's behalf regardless of the sign-in method used. The ultimate goal seems to be payment fraud through Business Email Compromise attacks, and it has targeted over 10,000 organizations to date. Details in the article.

From TheHackerNews.com: Lenovo rolled out fixes for three security flaws in its UEFI firmware affecting over 70 product models. The vulnerabilities can be exploited to achieve arbitrary code execution in the early phases of the platform boot. All three bugs relate to buffer overflow vulnerabilities. Lenovo had to patch three UEFI vulnerabilities earlier this year as well.

From BleepingComputer.com: Microsoft's July Patch Tuesday included fixes for 84 total vulnerabilities. Four of those were critical, one of which was a zero day being actively exploited in the wild. That one could give an attacker SYSTEM privileges, but no attack details were provided. This is in addition to fixes rolled out from SAP, Siemens, Schneider and others. Get your patch on kids.

And last today, also from BleepingComputer.com: A new data extortion group has been trying to breach companies to steal confidential information. The group, called Luna Moth, has been active since at least March with phishing campaigns that claim to be subscription renewal invoices, but really deliver remote access tools. The emails spoof the relevant brand, but actually all come from Gmail accounts. The techniques and tools used indicate these guys are not very sophisticated. On the other hand, sometimes our users are not very sophisticated, so better to be aware.

That's all for me today. Have a great rest of your day. Like and subscribe, and until tomorrow, be safe out there.
A daily look at the relevant information security news from overnight - 12 July, 2022
Episode 263 - 12 July 2022

OAuth Dirty Dancing - https://portswigger.net/daily-swig/dirty-dancing-in-oauth-researcher-discloses-how-cyber-attacks-can-lead-to-account-hijacking
Crypto Mining in the Cloud - https://thehackernews.com/2022/07/cloud-based-cryptocurrency-miners.html
Rolling-PWN a Honda - https://www.bleepingcomputer.com/news/security/hackers-can-unlock-honda-cars-remotely-in-rolling-pwn-attacks/
Amazon Scam Days - https://www.infosecurity-magazine.com/news/spike-amazon-prime-scams/
Ransom Return - https://www.bleepingcomputer.com/news/security/new-0mega-ransomware-targets-businesses-in-double-extortion-attacks/

Hi, I'm Paul Torgersen. It's Tuesday July 12th 2022, and this is a look at the information security news from overnight.

From PortSwigger.net: A researcher has discovered a way to perform single-click account hijacking by abusing the OAuth process flow. He calls it Dirty Dancing because attackers can dance around the OAuth authentication process and how it communicates between a browser and a service provider. All the dirty details in the article.

From TheHackerNews.com: GitHub Actions and Azure virtual machines are being leveraged for cloud-based crypto mining operations. At least 1,000 repositories and 550 code samples have been found taking advantage of the GitHub runners for mining. No number was provided for the Azure VMs. Details and a link to the Trend Micro research in the article.

From BleepingComputer.com: Researchers found that several modern Honda models have a vulnerable rolling code mechanism that allows unlocking the cars or even starting the engine remotely. It has to do with intercepting signals from the fob and how the pseudorandom number generator works. The Hondas will re-sync when the car gets lock/unlock commands in succession, which allows codes from a previous session to be successful instead of invalidated. Details inside.

From Infosecurity-Magazine.com: With Amazon Prime Days come Amazon Prime Days scams. In 2021 there was nearly double the number of phishing scams related to the sale than typical Amazon-focused attempts. Be on the lookout for imposter websites and lots of "get an Amazon gift card if you fill out this survey." Remember, if something looks too good to be true, it probably is.

And last today, from BleepingComputer.com: In a bit of good news, back in December of 2019, Maastricht University, a Dutch university with more than 22,000 students, fell victim to a ransomware attack. To get their files decrypted, they paid a ransom of 30 bitcoins, about 200,000 Euro at the time. Flash forward to February of this year when Dutch authorities found a wallet containing part of the paid ransom, which they promptly returned to the university. But because of the increase in value of the crypto, the amount returned was right about 500,000 Euro. Sometimes being the victim of a crime does pay.

That's all for me today. Have a great rest of your day. Like and subscribe, and until tomorrow, be safe out there.
A daily look at the relevant information security news from overnight - 11 July, 2022
Episode 262 - 11 July 2022

Mangatoon Mega Breach - https://www.bleepingcomputer.com/news/security/mangatoon-data-breach-exposes-data-from-23-million-accounts/
Security Companies as Phishing Bait - https://www.zdnet.com/article/brazen-crooks-are-now-posing-as-cybersecurity-companies-to-trick-you-into-installing-malware/
La Poste Mobile Attacked - https://www.infosecurity-magazine.com/news/ransomware-french-telecomes/
Edge Zero Day Patch - https://www.techradar.com/news/microsoft-edge-gets-emergency-patch-for-severe-zero-day-vulnerability
0mega Ransomware - https://www.bleepingcomputer.com/news/security/new-0mega-ransomware-targets-businesses-in-double-extortion-attacks/

Hi, I'm Paul Torgersen. It's Monday July 11th 2022, and this is a look at the information security news from overnight.

From BleepingComputer.com: Comic reading platform Mangatoon has suffered a data breach that exposed information belonging to 23 million user accounts. It appears to have been stolen from an unsecured Elasticsearch database. There has been no response whatsoever from the company, so if you want to know if your information was involved you will have to head over to haveibeenpwned (.) com to check.

From ZDNet.com: Criminals are posing as cybersecurity companies in phishing campaigns which claim that the recipient has been hit by a cyber attack. They are urged to respond in order to protect their network from being further compromised. Of course that response then opens the door to the hackers to actually compromise their network. The article has a link to the research by Crowdstrike, who also happens to be one of the companies being impersonated.

From Infosecurity-Magazine.com: A ransomware attack, most likely LockBit, has hit French telecoms operator La Poste Mobile. The company took down their public-facing website and customer area as a precaution, and they remain down a week later. They claim their routers were secure, but employee desktops may have been breached. They are urging customers to be extra alert for targeted phishing or identity theft attacks.

From TechRadar.com: A few days after Google patched a zero day flaw in Chrome, Microsoft has now patched that same flaw in Edge. While both companies are keeping mum on details, we do know it is a heap-based buffer overflow weakness and it has been compromised in the wild. Get your patch on kids.

And last today, from BleepingComputer.com: A new ransomware operation named 0mega, with a zero instead of an O, targets organizations worldwide in double-extortion attacks. No sample has yet been examined, so there is not a lot of data about how the ransomware encrypts files. We do know that it appends the .0mega extension to the encrypted files' names and creates ransom notes named DECRYPT-FILES.txt. These notes are customized per victim, usually containing the company name and describing the different types of data stolen in the attack. Victims are directed to a Tor payment site with a support chat that they can use to contact the ransomware gang.

That's all for me today. Have a great rest of your day. Like and subscribe, and until tomorrow, be safe out there.
A daily look at the relevant information security news from overnight - 08 July, 2022
Episode 261 - 08 July 2022

QNAP Calls Checkmate - https://www.bleepingcomputer.com/news/security/qnap-warns-of-new-checkmate-ransomware-targeting-nas-devices/
Fake Google Delivers HavanaCrypt - https://www.securityweek.com/new-havanacrypt-ransomware-distributed-fake-google-software-update
IcedID on Yandex - https://www.bleepingcomputer.com/news/security/fake-copyright-complaints-push-icedid-malware-using-yandex-forms/
ABCsoup Browser - https://thehackernews.com/2022/07/experts-uncover-350-browser-extension.html
Node.js Patch - https://portswigger.net/daily-swig/node-js-fixes-multiple-bugs-that-could-lead-to-rce-http-request-smuggling

Hi, I'm Paul Torgersen. It's Friday July 8th 2022, and this is a look at the information security news from overnight.

From BleepingComputer.com: QNAP is warning customers to secure their network attached storage devices against attacks using Checkmate ransomware. The company says the attacks are focused on Internet-exposed devices with the SMB service enabled, and accounts with weak passwords that can be cracked in brute-force or dictionary attacks. Ransom notes seen so far put the price tag of the decryptor at about $15,000 in bitcoin.

From SecurityWeek.com: Security researchers have identified a new ransomware family called HavanaCrypt that is being delivered as a fake Google Software Update application. The ransomware performs multiple anti-virtualization checks and uses a Microsoft web hosting service IP address for its C2 server, which helps it to evade detection. More details in the article.

From BleepingComputer.com: Website owners are being targeted with fake copyright infringement complaints to distribute the IcedID banking malware, as well as the BazarLoader and BumbleBee loaders. Instead of using Google Drive or Google Sites to host their alleged reports, this time around the threat actors are using Yandex Forms. Details in the article.

From TheHackerNews.com: Researchers uncovered a malicious browser extension with 350 variants that is masquerading as a Google Translate add-on. The malware family, dubbed ABCsoup, is part of an adware campaign targeting Russian users of Chrome, Opera, and Firefox browsers. The threat group appears to be well organized and to originate from Eastern Europe or Russia.

And last today, from PortSwigger.net: The maintainers of Node.js have released multiple fixes for vulnerabilities in the JavaScript runtime environment. Exploitation of the seven newly patched bugs could lead to arbitrary code execution and HTTP request smuggling, among other attacks. The flaws impact all versions of the 18.x, 16.x and 14.x releases. Get your patch on kids.

That's all for me this week. Have a fantastic weekend. Like and subscribe, and until next time, be safe out there.
A daily look at the relevant information security news from overnight - 07 July, 2022
Episode 260 - 07 July 2022

North Korean Maui Zowie - https://www.zdnet.com/article/fbi-these-hackers-are-targeting-healthcare-records-and-it-systems-with-maui-ransomware/
Linux and Windows RedAlert - https://www.bleepingcomputer.com/news/security/new-redalert-ransomware-targets-windows-linux-vmware-esxi-servers/
CuteBoi NPM Mining - https://thehackernews.com/2022/07/over-1200-npm-packages-found-involved.html
SHI Attacked - https://www.bleepingcomputer.com/news/security/it-services-giant-shi-hit-by-professional-malware-attack/
Linux in OrBit - https://thehackernews.com/2022/07/researchers-warn-of-new-orbit-linux.html

Hi, I'm Paul Torgersen. It's Thursday July 7th 2022, and this is a look at the information security news from overnight.

From ZDNet.com: Several US agencies have issued an alert that North Korean-sponsored attackers are targeting healthcare and public health organizations with the Maui ransomware. The warnings say these attacks have been going on since at least May of 2021, but they are still not sure of the initial attack vector. Early analysis suggests the malware is designed for attackers to manually select files for encryption, as opposed to encrypting all files wholesale. Details and a link to the advisory in the article.

From BleepingComputer.com: A new ransomware operation called RedAlert, or N13V, targets both Windows and Linux VMware ESXi servers with command-line options that allow the threat actors to shut down any running virtual machines before encrypting files. Victims are directed to a Tor site to pay a ransom in Monero to receive the decryptors. Details in the article.

From TheHackerNews.com: Researchers have found a large-scale crypto mining campaign targeting the NPM JavaScript package repository. The malicious activity, attributed to a threat actor called CuteBoi, involves an array of 1,283 rogue modules from over 1,000 different user accounts using automation which includes the ability to pass the NPM 2FA challenge. Much of the source code in this attack is nearly identical to EazyMiner.

From BleepingComputer.com: SHI International has confirmed that a malware attack forced them to bring some of their systems, including email and public websites, offline. They described it as a coordinated and professional malware attack. The company says no customer data was exfiltrated and that third party systems in its supply chain were unaffected. No word on the threat actor or malware strain involved.

And last today, from TheHackerNews.com: Researchers have uncovered a new Linux threat dubbed OrBit, the fourth Linux-targeting malware discovered in the past three months. This one can be installed either with persistence capabilities or as a volatile implant, and implements advanced evasion techniques. It ultimately provides the threat actors with remote access capabilities over SSH, harvests credentials, and logs TTY commands. Details in the article.

That's all for me today. Have a great rest of your day. Like and subscribe, and until tomorrow, be safe out there.
A daily look at the relevant information security news from overnight - 06 July, 2022
Episode 259 - 06 July 2022

Spring Data Bad SpEL - https://portswigger.net/daily-swig/spring-data-mongodb-hit-by-another-critical-spel-injection-flaw
Hive Gets Rust-ed - https://thehackernews.com/2022/07/hive-ransomware-upgrades-to-rust-for.html
Silent Shadow Fix - https://www.bleepingcomputer.com/news/microsoft/microsoft-quietly-fixes-shadowcoerce-windows-ntlm-relay-bug/
Google to Delete Sensitive Tracking - https://www.infosecurity-magazine.com/news/british-army-social-media-accounts/
Cozy Bear Leverages BRc4 - https://thehackernews.com/2022/07/hackers-abusing-brc4-red-team.html

Hi, I'm Paul Torgersen. It's Wednesday July 6th 2022, and this is a look at the information security news from overnight.

From PortSwigger.net: A critical SpEL injection vulnerability has been patched in Spring Data MongoDB. The 9.8 severity bug could be exploited to achieve remote code execution. First.org has ranked the flaw among the top 10 CVEs likely to be used in the wild over the last 30 days. The ease of exploitation and the number of proof of concepts available will likely make this vulnerability very popular. Get your patch on kids.

From TheHackerNews.com: The operators of the Hive ransomware have completely rewritten the malware, moving from the Go language to Rust. This gains them the benefit of memory safety and deeper control over low-level resources as well as making use of a wide range of cryptographic libraries. It also makes it more difficult to reverse engineer. These changes continue to show Hive as one of the fastest evolving ransomware families out there.

From ZDNet.com: Four more Android apps have been removed from the Google Play store after it was discovered they were being used to deliver the Joker malware to smartphones. The apps, which have over 100,000 downloads between them, are: Smart SMS Messages, Blood Pressure Monitor, Voice Language Translator and Quick Text SMS. They join at least 11 other apps that have been removed recently for the same issue. Details in the article.

From BleepingComputer.com: Microsoft has confirmed that they silently patched the ShadowCoerce vulnerability as part of their June 2022 updates. They say the vuln was mitigated along with CVE-2022-30154 because they both affect the same component. The question is, why have they not yet publicly provided any details, or even assigned a CVE ID? Strange actions for a vulnerability of this magnitude. No clarification yet from Redmond.

And last today, from TheHackerNews.com: Malicious actors have been observed abusing Brute Ratel C4, a relatively new and quite sophisticated toolkit designed to avoid detection by EDR and AV capabilities. BRc4 is a customized command-and-control center for red team and adversary simulation. Evidently the bad guys thought it was ready for prime time. The bad guys in this case probably being APT29, or Cozy Bear. You may remember them from the SolarWinds supply chain attack last year.

That's all for me today. Have a great rest of your day. Like and subscribe, and until tomorrow, be safe out there.
A daily look at the relevant information security news from overnight - 05 July, 2022
Episode 258 - 05 July 2022

WeWork Exposure - https://techcrunch.com/2022/07/04/wework-exposed-visitors-data/
Django Injection - https://www.bleepingcomputer.com/news/security/django-fixes-sql-injection-vulnerability-in-new-releases/
AstraLocker Expires - https://www.bleepingcomputer.com/news/security/astralocker-ransomware-shuts-down-and-releases-decryptors/
Google to Delete Sensitive Tracking - https://www.infosecurity-magazine.com/news/british-army-social-media-accounts/
Google Zero-Day Patch - https://threatpost.com/actively-exploited-chrome-bug/180118/

Hi, I'm Paul Torgersen. It's Tuesday July 5th 2022, and this is a look at the information security news from overnight.

From TechCrunch.com: WeWork India had a security lapse that exposed the personal information and selfies of tens of thousands of people who used the WeWork coworking spaces in the country. The bug made it possible to access the check-in record of any visitor by manually typing in a check-in ID, with no safeguards against accessing the data in bulk. The company is fixing the issue.

From BleepingComputer.com: Django, an open source Python-based web framework, has patched a high-severity SQL injection vulnerability. The flaw affects Django's main branch, and versions 4.1 (currently in beta), 4.0, and 3.2. Developers are urged to upgrade to Django versions 4.0.6 and 3.2.14 as soon as possible.

Also from BleepingComputer.com: The threat actor behind the AstraLocker ransomware says they're shutting down the operation and plan to switch to cryptojacking. The ransomware's developer even submitted a ZIP archive with the AstraLocker decryptors to VirusTotal. The decryptors appear to be legit and worked on the one sample the team at BleepingComputer tried out. Details and a link to that zip file in the article.

From ZDNet.com: Google says it will automatically wipe user location history for visits to healthcare clinics, including abortion and fertility clinics, domestic abuse shelters, and other sensitive areas. The fear is that, in a post-Roe world, this location tracking data could be used in persecutions, excuse me, prosecutions. These changes will be rolling out in the coming weeks.

And last today, from ThreatPost.com: Google quietly rolled out a stable channel update for Chrome to patch an actively exploited zero-day vulnerability. This is the fourth such flaw the vendor has had to patch so far this year. The bug is a buffer overflow that was just reported on July 1. The company also tidied up a few other bugs while it was at it.

That's all for me today. Have a great rest of your day. Like and subscribe, and until tomorrow, be safe out there.
A daily look at the relevant information security news from overnight - 04 July, 2022
Episode 257 - 04 July 2022

Giant China Data Breach - https://www.zdnet.com/article/giant-data-breach-leaked-personal-data-of-one-billion-people-has-been-spotted-for-sale-on-the-dark-web/
Raspberry Robin - https://www.bleepingcomputer.com/news/security/microsoft-finds-raspberry-robin-worm-in-hundreds-of-windows-networks/
British Army Hawks Crypto Scam - https://www.infosecurity-magazine.com/news/british-army-social-media-accounts/
LockBit Black - https://www.itpro.co.uk/security/ransomware/368418/latest-lockbit-ransomware-strain-strikingly-similar-to-blackmatter
Microsoft Backdoor - https://thehackernews.com/2022/07/new-sessionmanager-backdoor-targeting.html
Zoho RCE POC - https://www.bleepingcomputer.com/news/security/zoho-manageengine-adaudit-plus-bug-gets-public-rce-exploit/

Hi, I'm Paul Torgersen. It's Monday July 4th 2022, happy birthday America, and this is a look at the information security news from overnight.

From ZDNet.com: Detailed personal information for 1 billion Chinese residents has been found for sale on the dark web. Obviously this would be one of the largest data breaches in history. The information in the 23 terabytes of data includes names, addresses, national ID numbers, mobile phone numbers, as well as police and medical records. Hackers claim the information came from the Shanghai National Police database and are offering it for sale for 10 bitcoin, which right now is less than $200,000.

From BleepingComputer.com: Microsoft recently spotted a Windows worm on the networks of hundreds of organizations from various industry sectors. The malware, Raspberry Robin, spreads via infected USB devices, you know, those ones the boss finds lying in the parking lot and plugs in to see what's on it? Microsoft observed the malware connecting to addresses on the Tor network, although it appears the threat actors are yet to exploit any access they gained to victims' networks. Details in the article.

From Infosecurity-Magazine.com: The British Army confirmed its Twitter and YouTube accounts were compromised by a third party and used to direct visitors to cryptocurrency scams. There are reports that their Facebook account was compromised also. The YouTube account was completely rebranded to resemble investment firm Ark Invest, posting live stream videos featuring Elon Musk and Jack Dorsey. The social media accounts all appear to be back under proper control.

From ITPro.co.uk: Security researchers have acquired a sample of LockBit 3.0, which the hacking group internally calls LockBit Black. Analysis shows that large portions of the code are ripped straight from the BlackMatter ransomware developed by the Darkside group. You will remember them as the group that shut down last year after their huge Colonial Pipeline hit brought a lot of national security heat down on them. Evidently LockBit hired some of those developers. Details and a link to the analysis in the article.

And last today, from BleepingComputer.com: Security researchers have published technical details and a proof-of-concept for a critical vulnerability in the Zoho ManageEngine ADAudit Plus tool for monitoring activities in Active Directory. The vulnerability could lead to remote code execution and compromise of Active Directory accounts, and comes with a severity score of 9.8. Get your patch on kids.

That's all for me today. Have a great Fourth of July, and until tomorrow, be safe out there.
A daily look at the relevant information security news from overnight - 01 July, 2022
Episode 256 - 01 June 2022

Critical Gitlab Patch - https://portswigger.net/daily-swig/gitlab-patches-critical-rce-bug-in-latest-security-release
Jenkins Janky Plugins - https://www.bleepingcomputer.com/news/security/jenkins-discloses-dozens-of-zero-day-bugs-in-multiple-plugins/
WAP Fraud - https://www.zdnet.com/article/microsoft-this-android-malware-will-switch-off-your-wi-fi-empty-your-wallet/
Macmillan Incident - https://www.securityweek.com/brocade-vulnerabilities-could-impact-storage-solutions-several-major-companies
Microsoft Backdoor - https://thehackernews.com/2022/07/new-sessionmanager-backdoor-targeting.html
Dangling Chromium - https://portswigger.net/daily-swig/chromium-browsers-vulnerable-to-dangling-markup-injection

Hi, I'm Paul Torgersen. It's Friday July 1st 2022, and this is a look at the information security news from overnight.

From PortSwigger.net: GitLab has patched a vulnerability that could allow remote code execution. The critical severity flaw affects all versions of GitLab. A fix has been released for this and a number of other vulnerabilities, including two separate cross-site scripting bugs. Link to the GitLab advisory in the article.

From BleepingComputer.com: Jenkins announced 34 security vulnerabilities affecting 29 plugins for the Jenkins open source automation server, 29 of the bugs being zero-days still waiting to be patched. Jenkins supports over 1,700 plugins, with those affected by this disclosure having more than 22,000 installs. Fortunately none of these are rated critical, as there are no fixes as of yet for most of them. See the list of affected plugins in the article.

From ZDNet.com: Microsoft shared its detailed technical analysis of what it says is one of the most prevalent types of Android malware. It's called 'toll billing', or Wireless Application Protocol fraud. This involves using an infected device to connect to payment pages of a premium service via a device's WAP connection. From there, payments are automatically charged to a device's phone bill. Details and a link to the analysis in the article.

From BleepingComputer.com: Publishing giant Macmillan was forced to shut down their network and offices while recovering from a security incident. In emails to customers, Macmillan stated the incident involves the encryption of certain files on their network, so this is almost certainly a ransomware attack. No word on the threat actor as Macmillan has slowly started to bring systems back online.

And last today, from TheHackerNews.com: A newly discovered malware called SessionManager has backdoored Microsoft Exchange servers since at least March of 2021. If you recall, that was right after the ProxyLogon flaw was discovered. The malware masquerades as a module for Internet Information Services, with capabilities to read, write, and delete arbitrary files; execute binaries from the server; and establish communications with other endpoints in the network.

That's all for me this week. Have a great Fourth of July long weekend, and until next time, be safe out there.
A daily look at the relevant information security news from overnight - 30 June, 2022
Episode 255 - 30 June 2022

OpenSea Makes Waves - https://techcrunch.com/2022/06/30/nft-opensea-data-breach/
XFiles XPands - https://www.bleepingcomputer.com/news/security/xfiles-info-stealing-malware-adds-support-for-follina-delivery/
8220 Miner Upgrade - https://www.zdnet.com/article/microsoft-warning-this-malware-that-targets-linux-just-got-a-big-update/
Brocade Broken - https://www.securityweek.com/brocade-vulnerabilities-could-impact-storage-solutions-several-major-companies
AstraLocker Attack - https://www.bleepingcomputer.com/news/security/astralocker-20-infects-users-directly-from-word-attachments/
Dangling Chromium - https://portswigger.net/daily-swig/chromium-browsers-vulnerable-to-dangling-markup-injection

Hi, I'm Paul Torgersen. It's Thursday June 30th 2022, happy birthday Jayden, and this is a look at the information security news from overnight.

From TechCrunch.com:
NFT marketplace OpenSea has suffered a massive data breach. It seems a staffer at their vendor Customer.io shared the entire email database with a third party. If you have shared your email with OpenSea at any time in the past, you should assume you were impacted. Be on the lookout for targeted phishing emails coming your way.

From BleepingComputer.com:
These next two are quick hits on malware strains upgrading their exploits. The XFiles info-stealer has added a delivery module that exploits the Windows Follina vulnerability. On a side note, XFiles has also recruited new members recently and is launching new products. Details in the article.

From ZDNet.com:
Along those same lines, Microsoft is warning about notable updates to malware targeting Linux servers to install cryptominers and IRC bots. The 8220 gang has added new functionality to exploit the recent Confluence vulnerability, as well as an old 2019 WebLogic bug. Details in the article.

From SecurityWeek.com:
Broadcom revealed that the Brocade SANnav storage area network is affected by nine vulnerabilities, some of which could impact the products of their partner companies, such as HPE, NetApp, Oracle, Dell, Fujitsu, IBM, Lenovo and others. There is no evidence as of yet that these have been exploited in the wild, but get your patch on kids.

From BleepingComputer.com:
The ransomware strain called AstraLocker has recently released its second major version that drops its payload directly from email attachments. Specifically Word docs. Obviously this smash and grab type of attack is looking for quick payouts and not trying for persistence or lateral movement. Full write up in the article.

And last today, from PortSwigger.net:
A recently-patched security hole in Chromium browsers allowed attackers to bypass safeguards against dangling markup injection, and extract sensitive information from webpages. While dangling markup injection is well-known and -addressed in Chrome, the new attack took advantage of an unaddressed case in how the browser upgrades unsafe HTTP connections. You know where to find the details.

That's all for me today. Have a great rest of your day. Like and subscribe, and until tomorrow, be safe out there.
A daily look at the relevant information security news from overnight - 29 June, 2022
Episode 254 - 29 June 2022

Android Photo Overshare - https://www.bleepingcomputer.com/news/security/amazon-fixes-high-severity-vulnerability-in-android-photos-app/
Linux PWNkit - https://www.securityweek.com/cisa-says-pwnkit-linux-vulnerability-exploited-attacks
Service Fabric Fix - https://www.bleepingcomputer.com/news/security/microsoft-fixes-bug-that-let-hackers-hijack-azure-linux-clusters/
Firefox 102 - https://www.securityweek.com/firefox-102-patches-19-vulnerabilities-improves-privacy
UnRAR Vuln - https://thehackernews.com/2022/06/new-unrar-vulnerability-could-let.html

Hi, I'm Paul Torgersen. It's Wednesday June 29th, 2022, and this is a look at the information security news from overnight.

From BleepingComputer.com:
Amazon has fixed a vulnerability in its Photos app for Android, which has over 50 million downloads on the Google Play Store. The image and video storage app enables users to share files with up to five family members. Unfortunately, if the flaw is exploited, it also shares access tokens for Amazon API authentication with the bad guys.

From SecurityWeek.com:
The CISA says a Linux vulnerability known as PwnKit has been exploited in the wild. The flaw is a memory corruption issue that affects Polkit, a component designed for controlling system-wide privileges in Unix-like operating systems. Proof-of-concepts are available and exploitation is easy, which is why the CISA has added the vulnerability to its must patch list. Government orgs have until July 18 to install patches, but you private orgs should really get your patch on too.

From BleepingComputer.com:
Microsoft has fixed a container escape vulnerability in the Service Fabric application hosting platform. Exploitation could allow threat actors to escalate privileges to root, gain control of the host node, and compromise the entire SF Linux cluster. According to Microsoft, Service Fabric hosts over a million apps and powers many of their Azure products, as well as others. Not only should you get your patch on, but Microsoft recommends that customers continue to review all containerized workloads (both Linux and Windows) which are permitted access to their host clusters.

From SecurityWeek.com:
Mozilla has launched Firefox 102, which includes patches for 19 vulnerabilities, including four high-severity bugs. The new version also improves user privacy by mitigating query parameter tracking when navigating the internet with Enhanced Tracking Protection in strict mode. This confines cookies to the sites that created them, preventing cross-site tracking.

And last today, from TheHackerNews.com:
A new security vulnerability has been disclosed in RARlab's UnRAR utility that could permit a remote attacker to execute arbitrary code on a system that relies on the binary. The flaw relates to a path traversal vulnerability in the Unix versions of UnRAR that can be triggered upon extracting a maliciously crafted RAR archive. Other versions of the software, including those for Windows and Android, are not impacted. Any software that utilizes an unpatched version of UnRAR to extract untrusted archives is affected by the flaw.

That's all for me today. Have a great rest of your day. Like and subscribe, and until tomorrow, be safe out there.
A daily look at the relevant information security news from overnight - 27 June, 2022
Episode 253 - 27 June 2022

BBVA 2FA Clone - https://thehackernews.com/2022/06/new-android-banking-trojan-revive.html
ICS ShadowPad - https://www.bleepingcomputer.com/news/security/microsoft-exchange-bug-abused-to-hack-building-automation-systems/
LockBit Bounty - https://www.pcmag.com/news/ransomware-gang-offers-bug-bounty-promises-payouts-up-to-1-million
Raccoon 2.0 - https://www.bleepingcomputer.com/news/security/raccoon-stealer-is-back-with-a-new-version-to-steal-your-passwords/
OpenSSL Bad Memory - https://www.theregister.com/2022/06/27/openssl_304_memory_corruption_bug/?td=rt-3a

Hi, I'm Paul Torgersen. It's Tuesday June 28th, 2022, and I want to say a quick thank you as I have just passed 100 subscribers on YouTube. Which is great, but let's not stop there. If you find this valuable, please share with your networks and colleagues. Let's see if we can't add a zero or two to that number. And now, this is a look at the information security news from overnight.

From TheHackerNews.com:
A new Android banking trojan called Revive has been discovered specifically targeting users of the Spanish financial services company BBVA. Phishing campaigns push a look-alike website where victims download an app which impersonates the bank's two factor authentication app. Italian cybersecurity firm Cleafy first spotted the malware in mid June, and says it appears to be in its early stages of development.

From BleepingComputer.com:
A new Chinese-speaking threat actor is hacking into the building automation systems of several Asian organizations and loading the ShadowPad backdoor. The group focused on devices that have not yet patched the Microsoft Exchange vulnerability collectively known as ProxyLogon. According to Dutch research, there are about 46,000 such machines. Kaspersky believes the group is ultimately hunting for sensitive information.

From PCMag.com:
In what seems to be a first, the LockBit ransomware group has launched a bug bounty program. Evidently they have been successful enough to be able to afford to buy new zero-days. Their current rates run from $1,000 to $1 million, although the million bucks is for if you can dox the LockBit leader. If this is compelling to any of you, keep in mind that the main targets for this group are healthcare and education, two of the most vulnerable populations out there. Do you really want to help somebody like that?

From BleepingComputer.com:
I mentioned last week that the Raccoon Stealer group had temporarily shuttered operations after one of their leaders was killed in the Russian invasion of Ukraine. Well, they're back in action with 2.0, a new and completely re-coded version of their malware offering elevated password-stealing functionality and upgraded operational capacity. Details in the article.

And last today, from TheRegister.com:
OpenSSL 3.0.4 was released on June 21 to address a command-injection vulnerability that they hadn't quite completely patched earlier. Unfortunately, the new release contains a memory corruption which can be triggered trivially by an attacker. This targets the Intel Advanced Vector Extensions 512, or AVX512. The researcher said that if this bug can be exploited remotely, and they are not certain yet that it can, it could be more severe than Heartbleed, at least from a purely technical point of view. Details in the link.

That's all for me today. Have a great rest of your day. Like and subscribe, and until tomorrow, be safe out there.
A daily look at the relevant information security news from overnight - 27 June, 2022
Episode 253 - 27 June 2022

Auto Supplier Attacked - https://www.bleepingcomputer.com/news/security/automotive-fabric-supplier-tb-kawashima-announces-cyberattack/
Iranian Factory Lucky Break - https://www.securityweek.com/cyberattack-forces-iran-steel-company-halt-production
Oracle Miracle Fix - https://portswigger.net/daily-swig/oracle-patches-miracle-exploit-impacting-middleware-fusion-cloud-services
Mega Vuln - https://www.securityweek.com/top-cryptographers-flag-devastating-flaws-mega-cloud-storage
CODESYS ICS Flaws - https://thehackernews.com/2022/06/critical-security-flaws-identified-in.html

Hi, I'm Paul Torgersen. It's Monday June 27th, 2022, and this is a look at the information security news from overnight.

From BleepingComputer.com:
TB Kawashima, part of the Toyota Group of companies, announced that one of its subsidiaries has been hit by a cyberattack. The company responded by turning off all systems and devices in the network and says that production has not been impacted, but their website was down. No confirmation from the company, but the LockBit ransomware group has claimed responsibility and started leaking data supposedly acquired in the attack.

From SecurityWeek.com:
Iranian state-owned Khuzestan Steel Company, one of three in the country, had to stop work until further notice following a cyberattack. The company's CEO claimed they were able to thwart the attack and prevent structural damage to production lines. In a bit of a lucky break, it appears the attack at least partially failed because the factory happened to be non-operational at the time due to an electricity outage.

From PortSwigger.net:
Oracle has finally patched a remote code execution vulnerability impacting Oracle Fusion Middleware and other Oracle systems. The vulnerability, dubbed Miracle Exploit, carries a 9.8 severity and is said to be easily exploitable. The bug was found by accident while researchers were building a proof of concept for a different zero-day. Oracle was first notified of the flaw back in October of last year and has now issued a fix. Get your patch on kids.

From SecurityWeek.com:
Cryptographers at a Swiss university have found at least five exploitable security flaws in the privacy-themed MEGA cloud storage service that could lead to devastating attacks on the confidentiality and integrity of user data in the MEGA cloud. The company released an advisory and patches, but said the vulnerabilities would be exceedingly difficult to exploit, basically requiring Mega to become a bad actor against itself.

And last today, from TheHackerNews.com:
CODESYS has released patches to address 11 security flaws in its ICS automation software, two of which were rated critical, that could result in information disclosure and denial-of-service. These vulnerabilities are considered simple to exploit, and impacted at least seven of their Programmable Logic Controller applications. More details in the article.

That's all for me today. Have a great rest of your day. Like and subscribe, and until tomorrow, be safe out there.
A daily look at the relevant information security news from overnight - 24 June, 2022
Episode 252 - 24 June 2022

Ransomware Decoy - https://www.theregister.com/2022/06/24/ransomware_as_espionage_distraction/
Quantum .LNK Builder - https://www.bleepingcomputer.com/news/security/malicious-windows-lnk-attacks-made-easy-with-new-quantum-builder/
Python Backdoor - https://thehackernews.com/2022/06/multiple-backdoored-python-libraries.html
Hermit Spies Android and iOS - https://www.securityweek.com/sma-technologies-patches-critical-security-issue-workload-automation-solution
Mitel VoIP Zero-Day - https://thehackernews.com/2022/06/hackers-exploit-mitel-voip-zero-day-bug.html

Hi, I'm Paul Torgersen. It's Friday June 24th, 2022, and this is a look at the information security news from overnight.

From TheRegister.com:
A state-sponsored Chinese threat group that Secureworks has named Bronze Starlight has a ransomware campaign that is targeting pharmaceutical companies, electronic component designers and manufacturers, US law firms, and aerospace and defense companies. The thing is, the ransomware is just a decoy. Researchers believe the true aim is cyber espionage, which explains why these specific types of companies are being targeted. Link to that research in the article.

From BleepingComputer.com:
Researchers have noticed a new tool they call Quantum that helps cybercriminals build malicious .LNK files to deliver payloads. These are especially popular in phishing campaigns, currently being used by Emotet, Bumblebee, Qbot, and IcedID. Quantum features a graphical interface and hundreds of icon and extension spoofing options, and you can rent it starting at less than 200 Euros a month. A link to the Cyble research in the article.

From TheHackerNews.com:
Researchers have discovered a number of malicious Python packages in the official third-party software repository that are engineered to exfiltrate AWS credentials and environment variables to a publicly exposed endpoint. What's not for certain is if this is the result of an attack, or some sort of pen-test situation. This would be at least the third such example of a pen tester making a point in the last month or so.

From ThreatPost.com:
Google is warning that the Hermit spyware by RCS Labs out of Italy is being deployed against Android and iOS users. The campaign is targeting victims in Kazakhstan and Italy. Last week it was learned that the Kazakh government was using this same spyware against its own citizens. Google says the fake apps containing the spyware are not in the Google Play or Apple stores and are only downloaded from third party websites.

And last today, from TheHackerNews.com:
A suspected ransomware intrusion against an unnamed target is leveraging a Linux based Mitel VoIP appliance as an entry point. CrowdStrike says the threat actor is exploiting a 9.8 severity bug that Mitel had patched back in April and is utilizing a couple of anti-forensic measures to erase traces of their actions. Details and links in the article.

That's all for me today. Have a great weekend. Like and subscribe, and until next week, be safe out there.
A daily look at the relevant information security news from overnight - 23 June, 2022
Episode 251 - 23 June 2022

Russian Bears - https://threatpost.com/fancy-bear-nuke-threat-lure/180056/
Auto Supplier Hosed - https://www.reuters.com/technology/japanese-automotive-hose-maker-nichirin-hit-by-ransomware-attack-2022-06-22/
NIMble Trooper - https://thehackernews.com/2022/06/chinese-hackers-distributing-sms-bomber.html
SMA UNIX Root - https://www.securityweek.com/sma-technologies-patches-critical-security-issue-workload-automation-solution
Parse Bug No Game - https://portswigger.net/daily-swig/severe-parse-server-bug-impacts-apple-game-center

Hi, I'm Paul Torgersen. It's Thursday June 23rd, 2022, and from Chicago's O'Hare airport, this is a look at the information security news from overnight.

From ThreatPost.com:
Russian APT group Fancy Bear is targeting Ukrainians with a phishing campaign that uses the threat of nuclear war to exploit the Microsoft Follina vulnerability. The goal is to deliver a .Net stealer that can nab credentials from the Chrome, Firefox and Edge browsers. The group is strongly believed to be working at the behest of Russian Intelligence.

From Reuters.com:
Japanese automotive hose maker Nichirin said that a U.S. subsidiary had been hit by a ransomware attack that has forced it to entirely shut down its computerized production controls. The company has switched to manual production and shipping in order to keep parts flowing to customers. No word on the threat actor or malware strain.

From TheHackerNews.com:
A threat cluster out of China with ties to a hacking group called Tropic Trooper has been spotted using a previously undocumented malware coded in the Nim language. The novel loader, dubbed Nimbda, is bundled with a Chinese language 'SMS Bomber' tool that is most likely illegally distributed in the Chinese-speaking web. The Nim loader has the same executable icon as the SMS Bomber, so the entire bundle works as a trojanized binary. More details in the article.

From SecurityWeek.com:
A critical vulnerability in the SMA Technologies OpCon UNIX agent results in the same SSH key being deployed with all installations. The installation files also include a corresponding, unencrypted private key named "sma_id_rsa." An attacker with access to that key can gain SSH access as root on affected systems. The key even remains on the system after the OpCon software has been removed. Details and a link to the advisory in the article.

And last today, from PortSwigger.net:
A vulnerability in Parse Server software has led to the discovery of an authentication bypass impacting Apple Game Center. Exploitation of this 8.6 severity bug could result in authentication being bypassed by making a fake certificate accessible via certain Apple domains and providing the URL to that certificate in an authData object. Attack complexity is considered low and no privileges are required. A fix has been issued, so get your patch on kids.

That's all for me today. Have a great rest of your day. Like and subscribe, and until tomorrow, be safe out there.
A daily look at the relevant information security news from overnight - 22 June, 2022
Episode 250 - 22 June 2022

Yodel Sings the Blues - https://www.bleepingcomputer.com/news/security/yodel-parcel-company-confirms-cyberattack-is-disrupting-delivery/
Chrome Release - https://www.securityweek.com/google-patches-14-vulnerabilities-release-chrome-103
Acrobat Blocks PDF Checks - https://www.bleepingcomputer.com/news/security/adobe-acrobat-may-block-antivirus-tools-from-monitoring-pdf-files/
Apple Removes the Stop Signs - https://www.zdnet.com/article/apples-ios-16-will-give-you-an-alternative-to-irritating-captcha-tests/
Raccoon Out - Dridex In - https://thehackernews.com/2022/06/rig-exploit-kit-now-infects-victims-pcs.html

Hi, I'm Paul Torgersen. It's Wednesday June 22nd, 2022, and once again from Chicago this is a look at the information security news from overnight.

From BleepingComputer.com:
Yodel, a delivery service company out of the UK, says they have been disrupted due to a cyberattack. Deliveries were delayed and package tracking was down, but the company says that customer payment information has not been compromised. No word on the threat actor or specific malware used, but it is assumed to be a ransomware attack.

From SecurityWeek.com:
Google announced the release of Chrome 103 with patches for a total of 14 vulnerabilities, including nine reported by external researchers. The most severe of these bugs is a critical-severity use-after-free issue in Base. The company paid out $44,000 in bug bounties for this batch of fixes and said they have seen no indication that any of them have been exploited in the wild.

From BleepingComputer.com:
Adobe Acrobat is blocking security software from having visibility into the PDF files it opens, creating a security risk for users. These security tools work by injecting DLLs into software products being launched on a machine. Acrobat is actively checking if components from 30 security products are loaded into its processes and blocks them, essentially denying them from doing their job. Adobe says they are currently working with these vendors to address the issue. Details in the article.

From ZDNet.com:
In a move that will break absolutely nobody's heart, when Apple rolls out iOS 16 and MacOS Ventura, it will be the first to utilize Private Access Tokens instead of CAPTCHA challenges. Cloudflare estimates that up to 500 man-years are wasted each day looking for those grainy stop signs. No word from Google on when they will introduce this for Android, but they have been in the working group with Apple shaping the authentication standard.

And last today, from TheHackerNews.com:
The group behind the Raccoon Stealer malware have temporarily shuttered operations after the death of one of their team members. So the operators behind the Rig Exploit Kit have swapped the Raccoon out for the Dridex financial trojan. This little nasty has the capability to download additional payloads, steal customer login information from banking websites, capture screenshots, log keystrokes, and more. You can find additional details in the article.

That's all for me today. Have a great rest of your day. Like and subscribe, and until tomorrow, be safe out there.
A daily look at the relevant information security news from overnight - 21 June, 2022
Episode 249 - 21 June 2022

ToddyCat Tracked - https://www.bleepingcomputer.com/news/security/new-toddycat-apt-group-targets-exchange-servers-in-asia-europe/
NTLM Relay Attack - https://thehackernews.com/2022/06/new-ntlm-relay-attack-lets-attackers.html
OT Insecure by Design - https://www.securityweek.com/basecamp-icefall-secure-design-ot-makes-little-headway
Microsoft Re-Arms Windows - https://www.zdnet.com/article/microsoft-this-out-of-band-windows-security-update-fixes-microsoft-365-sign-in-issues-for-arm-devices/
Beware Zombie Bugs - https://www.theregister.com/2022/06/21/apple-safari-zombie-exploit/

Hi, I'm Paul Torgersen. It's Tuesday June 21st, 2022, and from Chicago this is a look at the information security news from overnight.

From BleepingComputer.com:
A new APT group dubbed ToddyCat has been targeting Microsoft Exchange servers throughout Asia and Europe. According to the Kaspersky researchers, it looks like they have been in action since at least December of 2020. Kaspersky has also found a previously unknown passive backdoor they named Samurai and new trojan malware dubbed Ninja Trojan. Both malware strains allow the attackers to take control of infected systems and move laterally within the victims' networks.

From TheHackerNews.com:
A new Windows NTLM relay attack dubbed DFSCoerce has been uncovered that leverages the Distributed File System: Namespace Management Protocol to seize control of a domain. This follows a similar method called PetitPotam that abuses Microsoft's Encrypting File System Remote Protocol to coerce Windows servers into authenticating with a relay under an attacker's control. To mitigate NTLM relay attacks, Microsoft recommends enabling Extended Protection for Authentication, SMB signing, and turning off HTTP on AD CS servers.

From SecurityWeek.com:
Ten years after Project Basecamp, Forescout has conducted an updated project, dubbed OT:Icefall, to gauge the current state of Security By Design in OT products. They found 56 insecure-by-design problems stemming from ten manufacturers. Forescout says the flaws are not programming error vulnerabilities, but rather flaws in the protocols, authorizations, and certifications built into the designs. Seems not enough has changed in the last 10 years.

From ZDNet.com:
Microsoft has issued an out-of-band update for Windows 11 and Windows 10 to fix an issue that emerged with Arm devices after their latest Patch Tuesday update. It seems some users were prevented from signing into applications including VPN connections, Microsoft Teams, and Microsoft Outlook. The issue only affects Windows devices that use Arm processors; machines using other processors are not affected. If that is you and you have not yet applied the June 14 updates, you should use this out-of-band update instead.

And last today, from TheRegister.com:
Beware of zombie vulnerabilities. The Safari browser had a vulnerability that was completely patched by Apple back in 2013 when it was discovered. Unfortunately that fix was regressed in 2016 during some code refactoring. That same bug was found being exploited earlier this year. It is unclear for how many of those five years the de-patched bug was being exploited in the wild. See the details and a link to the Google Project Zero research in the article.

That's all for me today. Have a great rest of your day. Like and subscribe, and until tomorrow, be safe out there.
A daily look at the relevant information security news from overnight - 20 June, 2022
Episode 248 - 20 June 2022

Bank Breach Flagged - https://www.bleepingcomputer.com/news/security/flagstar-bank-discloses-data-breach-impacting-15-million-customers/
BRATA Bulks Up - https://www.zdnet.com/article/this-phone-wiping-android-banking-trojan-is-getting-nastier/
No End of Life Support - https://cybersecuritynews.com/cisco-says-zero-day-flaws/
ICS Vulns - https://www.securityweek.com/automationdirect-patches-vulnerabilities-plc-hmi-products
Online Extension Tracking - https://www.bleepingcomputer.com/news/security/google-chrome-extensions-can-be-fingerprinted-to-track-you-online/

Hi, I'm Paul Torgersen. It's Monday June 20th, 2022, a day to recognize Juneteenth, and this is a look at the information security news from overnight.

From BleepingComputer.com:
Flagstar Bank is notifying 1.5 million customers of a data breach where hackers accessed personal data including full names and social security numbers. The breach actually took place back in December, but the bank did not realize this until the beginning of June. No word on why the breach remained hidden for so long, or what other information was compromised. If you are one of the 1.5 million, you are the lucky recipient of 2 years of free credit monitoring.

From ZDNet.com:
With the nasty Android banking trojan known as BRATA, which is Brazilian Remote Access Tool Android, it used to be you only had to worry about it wiping your smartphone with a factory reset to cover its tracks. Recently it has added new features to improve its ability at phishing online-banking credentials and intercepting SMS two-factor authentication codes. See all the details from the Cleafy research in the article.

From CyberSecurityNews.com:
We talked last week about the 9.8 severity flaw in Cisco routers, for which the company has released an update. However, if Cisco has previously noted that your router was reaching end of life, they will NOT be releasing a patch nor a workaround for this vulnerability. These include the Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers. Time to upgrade kids.

From SecurityWeek.com:
AutomationDirect has patched several high-severity vulnerabilities in some of its programmable logic controller (PLC) and human-machine interface (HMI) products. Exploitation of these ICS vulnerabilities could allow an attacker to make unauthorized changes to the targeted devices. See details from the Dragos report in the article.

And last today, from BleepingComputer.com:
A researcher has found a way to use your installed Google Chrome extensions to generate a fingerprint of your device that can be used to track you online. He built a website to create fingerprints, or tracking hashes, based on various characteristics of a device, including GPU performance, installed Windows applications, screen resolution, hardware configuration, and even the installed fonts. See all the creepy details in the article.

That's all for me today from Chicago. Have a great rest of your day. Like and subscribe, and until tomorrow, be safe out there.
A daily look at the relevant information security news from overnight - 17 June, 2022
Episode 247 - 17 June 2022

Office 365 Attack - https://thehackernews.com/2022/06/a-microsoft-office-365-feature-could.html
Wallet Recovery Flaw - https://www.bleepingcomputer.com/news/security/metamask-phantom-warn-of-flaw-that-could-steal-your-crypto-wallets/
Naked Phishing - https://www.infosecurity-magazine.com/news/nakedpages-phishing-toolkit/
QNAP DeadBolted - https://www.bleepingcomputer.com/news/security/qnap-thoroughly-investigating-new-deadbolt-ransomware-attacks/
WordPress Ninja vuln - https://www.securityweek.com/exploited-vulnerability-patched-wordpress-plugin-over-1-million-installations

Hi, I'm Paul Torgersen. It's Friday June 17th, 2022, and this is a look at the information security news from overnight.

From TheHackerNews.com:
A potentially dangerous piece of functionality has been discovered in the Microsoft 365 suite that could help threat actors encrypt files stored on SharePoint and OneDrive. The attack hinges on the AutoSave feature, which keeps a set number of older file versions after users make edits. As the number is reached, the oldest file version gets deleted as the newest is saved. So attackers can either encrypt that available number plus 1, or reduce the number available to something smaller, like 1. Details and a link to the Proofpoint research in the article.

From BleepingComputer.com:
MetaMask and Phantom are warning of a new vulnerability called Demonic that could expose a crypto wallet's seed phrase and allow attackers to steal any NFTs and crypto stored there. It is caused by how web browsers save contents of non-password fields as part of a standard "restore session". Browser wallet extensions, such as MetaMask, Phantom, and Brave, use an input field that is not designated as a password field, so the recovery phrase is saved in plain text form. MetaMask and Phantom have both patched the flaw; however, no word yet from Brave.

From Infosecurity-Magazine.com:
Researchers at CloudSEK have spotted a new phishing toolkit for sale across the various cybercrime forums. The "NakedPages" toolkit is designed to run on Linux machines, runs JavaScript, is fully automated, and comes preloaded with more than 50 phishing templates and site projects. A link to the CloudSEK advisory in the article.

From BleepingComputer.com:
QNAP is warning customers to secure their devices against a new campaign of attacks pushing the DeadBolt ransomware. The company is urging users to update their Network Attached Storage devices to the latest firmware version and ensure they're not exposed to remote access over the Internet. The campaign appears to target QNAP NAS devices running QTS 4.x.

And last today, from SecurityWeek.com:
The WordPress Ninja Forms plugin, which helps administrators add customizable forms to their WordPress sites, has a vulnerability that appears to have been exploited in the wild. The flaw was identified in the Merge Tag functionality of the plugin, and carries a severity rating of 9.8. The Ninja Forms plugin has over a million installations. WordPress performed a forced update to fix the issue, but administrators are urged to confirm they are using the fixed version.

That's all for me this week. Have a great weekend. Like and subscribe, and until Monday, be safe out there.
Episode 246 - 16 June 2022
A daily look at the relevant information security news from overnight - 16 June, 2022

Cisco Email Patch - https://www.bleepingcomputer.com/news/security/cisco-secure-email-bug-can-let-attackers-bypass-authentication/
Android Malibot - https://www.zdnet.com/article/this-new-android-malware-bypasses-multi-factor-authentication-to-steal-your-passwords/
PrintNightmare Still Exposed - https://www.infosecurity-magazine.com/news/new-printnightmare-patch-bypassed/
Shoprite Compromised - https://www.bleepingcomputer.com/news/security/extortion-gang-ransoms-shoprite-largest-supermarket-chain-in-africa/
Zimbra Zinger - https://portswigger.net/daily-swig/business-email-platform-zimbra-patches-memcached-injection-flaw-that-imperils-user-credentials

Hi, I'm Paul Torgersen. It's Thursday June 16th, 2022, and this is a look at the information security news from overnight.

From BleepingComputer.com: Cisco is warning customers to patch a critical vulnerability that could allow attackers to log into the web management interface of Cisco Email Security Appliance (ESA) and Cisco Secure Email and Web Manager appliances. The flaw is due to improper authentication checks on affected devices using Lightweight Directory Access Protocol (LDAP) for external authentication.

From ZDNet.com: A new Android malware called Malibot steals passwords, bank details and crypto wallets, and bypasses multi-factor authentication. Oh, it can also access text messages, steal browser cookies and take screenshots. It is distributed through smishing and fake websites, one of which spoofs a legit crypto tracker that has more than a million downloads on the Play Store. Current targets are customers of Spanish and Italian banks.

From Infosecurity-Magazine.com: On Tuesday, Microsoft released a partial patch for the PrintNightmare zero-day. On Wednesday they pushed an out-of-band patch for the remaining affected products. Later Wednesday, researchers found a way around the new patch to still exploit the original vulnerability. The ongoing flaw relates to the Point and Print function, which Microsoft says is not directly related to the flaw, but has a weak security posture which makes exploitation possible.

From BleepingComputer.com: Africa's largest supermarket chain, Shoprite, has been hit by a ransomware attack. The company, which operates almost three thousand stores across twelve countries in the continent, warned customers in Eswatini, Namibia and Zambia that their personal information may have been compromised. A threat group called RansomHouse has claimed responsibility for the attack. There has been no mention of any business disruptions or operational issues, so this may be a straight data theft with no files encrypted.

And last today, from PortSwigger.net: Business webmail platform Zimbra has patched a memcached injection vulnerability that could allow attackers to steal login credentials without user interaction. It would steal cleartext credentials from the Zimbra instance when the mail client connects to the server to check their mail. Details and a link to the Sonar research in the article.

That's all for me today. Have a great rest of your day. Like and subscribe, and until tomorrow, be safe out there.
Follina's Tuesday Patch, Hertzbleed Attack, Mighty Bot, and more.
Episode 245 - 15 June 2022
A daily look at the relevant information security news from overnight - 15 June, 2022

Follina's Tuesday Patch - https://www.zdnet.com/article/microsoft-june-2022-patch-tuesday-55-fixes-remote-code-execution-in-abundance/
Hertzbleed Attack - https://www.securityweek.com/new-hertzbleed-remote-side-channel-attack-affects-intel-amd-processors
Travis Exposed Tokens - https://www.bleepingcomputer.com/news/security/thousands-of-github-aws-docker-tokens-exposed-in-travis-ci-logs/
Citrix ADM Error - https://www.securityweek.com/attackers-can-exploit-critical-citrix-adm-vulnerability-reset-admin-passwords
Linux Panchan Bot - https://www.bleepingcomputer.com/news/security/new-go-botnet-panchan-spreading-rapidly-in-education-networks/
Mighty Bot - https://www.zdnet.com/article/a-tiny-botnet-launched-the-largest-ddos-attack-on-record/

Hi, I'm Paul Torgersen. It's Wednesday June 15th, 2022, and this is a look at the information security news from overnight.

From ZDNet.com: June Patch Tuesday is a popular one, with everyone from Siemens to Schneider to Adobe to SAP rolling out updates. In fact, 141 updates just from those four. The one I am going to call out is Microsoft. Redmond rolled out 55 fixes. That's down from 74 last month, and only three of which are critical, but one of those is a fix for the Follina zero-day. At long last. Get your patch on kids.

From SecurityWeek.com: Researchers have identified a new side-channel attack that can allow hackers to remotely extract sensitive information from a targeted system through a CPU timing attack they are calling Hertzbleed. This impacts devices powered by Intel and AMD and possibly others. Details in the article.

From BleepingComputer.com: The Travis CI platform, which is used for software development and testing, has exposed user data containing tens of thousands of authentication tokens for GitHub, AWS, and Docker Hub. Aqua Security, who discovered the flaw, shared their findings with Travis hoping for a fix, but they were told that the issue was “by design” and left the data exposed.

From SecurityWeek.com: Citrix has warned of a critical vulnerability in their Citrix Application Delivery Management that could essentially allow an attacker to trigger an administrator password reset at the next reboot. The vulnerabilities impact all supported versions of Citrix ADM server and Citrix ADM agent. Customers will need to update the server as well as all associated agents. The company says it has already taken care of the ADM cloud service and no additional action is required there.

From BleepingComputer.com: A new peer-to-peer botnet named Panchan has popped up targeting Linux servers in the education sector to mine crypto. It is empowered with SSH worm functions to move laterally within the compromised network, and has powerful detection avoidance capabilities, such as using memory-mapped miners and dynamically detecting process monitoring to pause the mining module.

And last today, from ZDNet.com: Speaking of botnets, Cloudflare says it mitigated a DDoS attack that peaked at 26 million requests per second, and was caused by a botnet of only just over 5,000 devices. Rather than being based in IoT devices, this botnet was hiding in cloud service providers. For this particular attack, each device was averaging 5,200 requests per second, which is about 4,000 times more than a typical IoT botnet can generate. Details in the article.

That's all for me today. Have a great rest of your day. Like and subscribe, and until tomorrow, be safe out there.
Episode 244 - 14 June 2022
A daily look at the relevant information security news from overnight - 14 June, 2022

Linux Root Malware - https://www.bleepingcomputer.com/news/security/new-syslogk-linux-rootkit-uses-magic-packets-to-trigger-backdoor/
Gallium's PingPull RAT - https://www.theregister.com/2022/06/14/gallium-pingpull-rat/
Metasploit Upgrades - https://www.bleepingcomputer.com/news/security/metasploit-620-improves-credential-theft-smb-support-features-more/
Reach Out and GhostTouch Someone - https://portswigger.net/daily-swig/ghosttouch-hackers-can-reach-your-phones-touchscreen-without-even-touching-it
Guzzle Drupal Patch - https://threatpost.com/bluetooth-signals-track-smartphones/179937/

Hi, I'm Paul Torgersen. It's Tuesday June 14th, 2022, and this is a look at the information security news from overnight.

From BleepingComputer.com: A new Linux rootkit malware named 'Syslogk' can force-load its modules into the Linux kernel, and hide directories and network traffic. It also loads a backdoor called Rekoobe, which lies dormant until specially crafted "magic packets" are used to wake it up. The malware is currently under heavy development.

From TheRegister.com: The Gallium group, believed to be a Chinese state-sponsored team, has begun using an upgraded remote access trojan called PingPull that is very difficult to detect. The group is also broadening its scope, adding financial service firms and government agencies to the telecoms companies it usually targets. Their geographic focus continues to be Asia, Southeast Asia, Europe and Africa.

From BleepingComputer.com: Metasploit 6.2.0 has been released with 138 new modules, 148 new improvements or features, and 156 bug fixes since version 6.1.0 was released almost a year ago. Great for the pen testers. Unfortunately, also great for the threat actors that use it as well. Details in the article.

From PortSwigger.net: Attacks on smartphones require physical access to the device and interactions with the touchscreen. Or at least they used to. According to new research, an attack can execute taps and swipes on the phone's screen from a distance of up to 40 millimeters. The attack, called GhostTouch, uses electromagnetic interference to manipulate the touchscreen and can initiate calls or even download malware.

And last today, from SecurityWeek.com: The Drupal team has released a moderately critical advisory for serious vulnerabilities in the third-party library Guzzle, which handles HTTP requests and responses to external services, and can be exploited to remotely hijack Drupal-powered websites. The vulnerabilities do not affect Drupal core, but may affect some contributed projects or custom code on Drupal sites. Details and a link to the advisory in the article.

That's all for me today. Have a great rest of your day. Like and subscribe, and until tomorrow, be safe out there.
Episode 243 - 13 June 2022
A daily look at the relevant information security news from overnight - 13 June, 2022

Hello XD upgrades - https://www.bleepingcomputer.com/news/security/hello-xd-ransomware-now-drops-a-backdoor-while-encrypting/
Conti targets Intel - https://www.cpomagazine.com/cyber-security/conti-ransomware-develops-proof-of-concept-code-for-firmware-attacks/
WannaFriendMe out of the Blox - https://www.techradar.com/news/this-ransomware-can-only-be-decrypted-by-going-to-the-roblox-store
Web3 Wallet seed stealer - https://www.securityweek.com/chinese-hackers-adding-backdoor-ios-android-web3-wallets-seaflower-campaign
Bluetooth fingerprint - https://threatpost.com/bluetooth-signals-track-smartphones/179937/
Sentient AI? - https://www.theregister.com/2022/06/13/google_lamda_sentient_claims/

Hi, I'm Paul Torgersen. It's Monday June 13th, 2022, and this is a look at the information security news from overnight.

From BleepingComputer.com: Researchers report increased activity of the Hello XD ransomware, which is based on the leaked source code of Babuk, with two significant notes. One is that the operators are now deploying an upgraded sample featuring stronger encryption that includes custom packing for detection avoidance and encryption algorithm changes. And two, they are now including an open-source backdoor named MicroBackdoor. Lots of details in the article.

From CPOMagazine.com: An analysis of leaked chats from the Conti ransomware group has found two items of note. Evidently the cybercrime group was planning firmware attacks targeting the Intel Management Engine. Such a compromise would allow threat actors to introduce a backdoor on Intel devices and execute commands without detection by OS-based security tools. The other interesting piece is that the chat logs seem to confirm a link between the Conti group and the Russian Foreign Services Bureau. Color me not surprised.

From TechRadar.com: A new ransomware group called WannaFriendMe is targeting gamers with the Chaos ransomware, which tries to pass itself off as Ryuk. The strange thing is, the decryptor is so easy, my kid can get it. I only say that because to get the decryptor, you need to log into a Roblox account and buy a specific game pass. Costs about $20.

From SecurityWeek.com: Cybercriminals likely operating out of China are distributing backdoored versions of iOS and Android Web3 wallets in an effort to steal users' seed phrases. This previously unreported campaign, dubbed SeaFlower, has been described as one of the most technically sophisticated threats targeting users of Web3 wallets ever seen. Details in the article.

From ThreatPost.com: Researchers warn Bluetooth signals can be used to track device owners via a unique fingerprinting of the radio signal. Their paper suggests that minor manufacturing imperfections in hardware are unique to each device, and cause measurable distortions which can be used as basically a fingerprint to track a specific device. Details and a link to the research in the article.

And last today, from TheRegister.com: You ever see the movie Her? Well, since 2021, Google's Responsible AI team has been tasked with talking to LaMDA, or Language Model for Dialogue Applications. This project was built by fine-tuning a family of Transformer-based neural language models specialized for dialog, with up to 137 billion model parameters. Someone on that team has recently been placed on paid administrative leave for violating Google's confidentiality policies. This person has gone on record stating that they believe the application has exhibited self-awareness and is now a sentient being.

That is quite enough from me today. Have a great rest of your day. Like and subscribe, and until tomorrow, be safe out there.
Episode 242 - 10 June 2022
A daily look at the relevant information security news from overnight - 10 June, 2022

Massive Messenger Mess - https://www.bleepingcomputer.com/news/security/massive-facebook-messenger-phishing-operation-generates-millions/
Fujitsu Flaws - https://portswigger.net/daily-swig/separate-fujitsu-cloud-storage-vulnerabilities-could-enable-attackers-to-destroy-virtual-backups
Palermo popped - https://www.bleepingcomputer.com/news/security/vice-society-ransomware-claims-attack-on-italian-city-of-palermo/
HID Switched Can't Hide - https://www.securityweek.com/vulnerabilities-hid-mercury-access-controllers-allow-hackers-unlock-doors
Aoqin Dragon Rears - https://www.bleepingcomputer.com/news/security/chinese-hacking-group-aoqin-dragon-quietly-spied-orgs-for-a-decade/

Hi, I'm Paul Torgersen. It's Friday June 10th, 2022, and once again from Chicago, this is a look at the information security news from overnight.

From BleepingComputer.com: A massive phishing operation is abusing Facebook and Messenger to lure millions of users and trick them into entering their account credentials and seeing advertisements. The campaign operators then use these stolen accounts to send further phishing messages to their friends, generating significant revenue via online advertising commissions. The activity peaked in April and May of this year, but has been going on since at least September of last year.

From PortSwigger.net: Two flaws in the web interface of a Fujitsu cloud storage system could allow remote code execution, and ultimately be exploited to read, write, and destroy backed-up files. The vulnerabilities impact the enterprise-grade Fujitsu Eternus CS8000 Control Center version 8.1. Details in the article.

From BleepingComputer.com: The city of Palermo, Italy, has taken all systems offline in response to a ransomware attack, impacting 1.3 million residents and tens of thousands of tourists visiting the city. The Vice Society ransomware group has claimed responsibility for the attack via an entry on their dark web data leak site.

From SecurityWeek.com: Access control products using HID Mercury controllers are affected by critical vulnerabilities that can be exploited to remotely unlock doors. The issues were found in products from LenelS2, a subsidiary of Carrier, but HID Global said that all OEM partners that use these hardware controllers are affected. A total of eight vulnerabilities were found, seven of which were rated high or critical severity. Either upgrade to the latest firmware, or make sure those babies are behind a firewall.

And last today, from BleepingComputer.com: A previously unknown Chinese-speaking threat actor has been discovered and named Aoqin Dragon. Researchers were able to link it to malicious activity going as far back as 2013. This hacking group is focused on cyber-espionage, targeting government, education, and telecommunication organizations based in Singapore, Hong Kong, Vietnam, Cambodia, and Australia. Details, including a link to the research, in the article.

That's all for me this week. Have a great weekend. And until next week, be safe out there.
Episode 241 - 09 June 2022
A daily look at the relevant information security news from overnight - 09 June, 2022

Linux Symbiote - https://www.zdnet.com/article/this-new-linux-malware-is-almost-impossible-to-detect/
Black Basta hearts Qbot - https://threatpost.com/black-basta-ransomware-qbot/179909/
Emotet gets Chromed - https://www.bleepingcomputer.com/news/security/emotet-malware-now-steals-credit-cards-from-google-chrome-users/
Cuba upgrade - https://www.bleepingcomputer.com/news/security/cuba-ransomware-returns-to-extorting-victims-with-updated-encryptor/
China hacking telecoms - https://www.securityweek.com/us-details-chinese-attacks-against-telecoms-providers

Hi, I'm Paul Torgersen. It's Thursday June 9th, 2022, and from Chicago, this is a look at the information security news from overnight.

From ZDNet.com: A joint research effort has discovered a new form of Linux malware they've called Symbiote that is almost impossible to detect. Instead of attempting to compromise running processes, Symbiote acts as a shared object library that is loaded on all running processes via LD_PRELOAD. It appears to have been developed to target financial institutions in Latin America, although that is not definitive. Details and a link to the research blog post in the article.

From ThreatPost.com: Here's a mashup I never wanted to hear: Black Basta is now leveraging the Qbot network to spread its ransomware and move laterally through the infected networks. You can link to the NCC Group research for all the nasty details in the article.

From BleepingComputer.com: The Emotet botnet is now attempting to infect potential victims with a credit card stealer module designed to harvest credit card information stored in Google Chrome user profiles. In an odd twist, once card details are collected they are exfiltrated to a different C2 server than the module loader. Details in the article.

Also from BleepingComputer.com: The Cuba ransomware group has returned to regular operations with a new and improved version of its malware. Cuba ransomware's activity reached a peak last year when it partnered with the Hancitor malware gang for initial access, breaching 49 US organizations. This year has seen much lower activity from them, but that appears to be changing with the upgrade to the malware.

And last today, from SecurityWeek.com: The NSA, CISA and FBI have issued a joint cybersecurity advisory warning of China-linked threat actors compromising telecom companies and network services providers. The advisory details some of the techniques and tactics the APTs use, as well as specifying many of the vulnerabilities they have been targeting. See the article for details and a link to that advisory.

That's all for me today. Have a great rest of your day. Like and subscribe. Tell a friend. And until tomorrow, be safe out there.
Episode 240 - 08 June 2022
A daily look at the relevant information security news from overnight - 08 June, 2022

Properties loader - https://www.bleepingcomputer.com/news/security/new-svcready-malware-loads-from-word-doc-properties/
Shields down - https://www.securityweek.com/data-breach-shields-health-care-group-impacts-2-million-patients
Who let the Dogs out - https://www.bleepingcomputer.com/news/security/new-dogwalk-windows-zero-day-bug-gets-free-unofficial-patches/
Owl be watching you - https://www.securityweek.com/owl-labs-patches-severe-vulnerability-video-conferencing-devices
Bad Pirates - https://www.bleepingcomputer.com/news/security/pirated-ccleaner-search-results-spread-information-stealing-malware/

Hi, I'm Paul Torgersen. It's Wednesday June 8th, 2022, and this is a look at the information security news from overnight.

From BleepingComputer.com: A previously unknown malware loader named SVCReady has been discovered in phishing attacks, featuring an unusual way of loading the malware from Word documents. Specifically, it uses VBA macro code to execute shellcode stored in the properties of the document. HP reports that the malware has been under deployment since April of this year, and received several updates in May. This indicates it is currently under heavy development, and is likely still at an early stage.

From SecurityWeek.com: Shields Health Care Group of Massachusetts has informed roughly two million individuals of a cybersecurity incident that potentially impacted a robust set of their PII and PHI. No word on the threat actor or attack vector in this breach that happened between March 7 and March 21 of this year. No free monitoring was offered, but they do guide you on how to lock down your three credit reports. Gee, thanks.

From BleepingComputer.com: Yet another Windows zero-day vulnerability in the Microsoft Support Diagnostic Tool has come to light. The security flaw, dubbed DogWalk, is a path traversal flaw attackers can exploit to copy an executable to the Windows Startup folder from a .diagcab file. This flaw has actually been known for over two years, but Microsoft said that Outlook users are not at risk because .diagcab files are automatically blocked. 0patch says yeah, but here's a free patch anyway, you know, just in case.

From SecurityWeek.com: Video conferencing company Owl Labs has released patches for a severe vulnerability affecting its Meeting Owl Pro and Whiteboard Owl devices. These flaws can be exploited to find registered devices worldwide and access sensitive data, or even gain access to the owners' networks. The company says updating to firmware version 5.4.1.4 should eliminate the threat of unauthorized access.

And last today, from BleepingComputer.com: A new malware distribution campaign dubbed “FakeCrack” is being promoted through search results for a pirated copy of the CCleaner Pro Windows optimization program. What you really get is a nasty that steals your passwords, credit cards and crypto wallets. On the other hand, if you are pirating software anyway, maybe you get what you deserve.

That's all for me today. Have a great rest of your day. Like and subscribe. And until tomorrow, be safe out there.
Episode 239 - 07 June 2022
A daily look at the relevant information security news from overnight - 07 June, 2022

Mandiant not locked - https://www.bleepingcomputer.com/news/security/mandiant-no-evidence-we-were-hacked-by-lockbit-ransomware/
Google patches - https://www.securityweek.com/google-patches-critical-android-vulnerabilities-june-2022-updates
Karakurt phones it in - https://www.zdnet.com/article/fbi-warning-this-gang-steals-data-for-ransom-then-makes-harassing-phone-calls-to-pile-on-the-pressure/
Not so smart scale baddie - https://portswigger.net/daily-swig/unpatched-bug-chain-poses-mass-account-takeover-threat-to-yunmai-weight-monitoring-app
Follina phishing - https://www.bleepingcomputer.com/news/security/windows-zero-day-exploited-in-us-local-govt-phishing-attacks/

Hi, I'm Paul Torgersen. It's Tuesday June 7th, 2022, which means a good chunk of you are probably at RSA, and this is a look at the information security news from overnight.

From BleepingComputer.com: The LockBit ransomware group published a new page on its data leak website, saying that they have 356,000 files they allegedly stole from Mandiant, and will be leaking them online. Mandiant says, no way dude. They can find no evidence of any sort of breach. Mandiant, if you recall, is being acquired by Google in an all-cash deal valued at $5.4 billion.

From SecurityWeek.com: Google's Patch Tuesday resolves a total of 40 Android vulnerabilities, including at least four rated critical. The company also announced it addressed roughly 80 vulnerabilities in its Pixel devices. Get your patch on kids.

From ZDNet.com: A cyber-criminal gang, Karakurt, is stealing sensitive data from businesses and demanding a ransom payment in exchange for deleting the stolen information. Pretty standard stuff, right? Well, these guys don't stop there. According to an advisory from the FBI and CISA, next comes an extensive harassment campaign, with emails and even phone calls to employees, business partners, and clients with warnings that the company needs to pay the ransom.

From PortSwigger.net: Several zero-day vulnerabilities in the Yunmai Smart Scale app could be chained together and exploited for full account takeover and access to all user details. The company, Zhuhai Yunmai Technologies, had tried to patch one of the flaws, but it was unsuccessful. The app currently has about half a million downloads.

And last today, from BleepingComputer.com: Phishing campaigns against European governments and US local governments have ramped up recently, using malicious Rich Text Format documents to exploit the unpatched critical Windows zero-day vulnerability known as Follina. The threat actor is suspected to be a state-sponsored group, but no attribution has been confirmed as of yet. Details in the article.

That's all for me today. Have a great rest of your day. Like and subscribe. And until tomorrow, be safe out there.
Episode 238 - 06 June 2022
A daily look at the relevant information security news from overnight - 06 June, 2022

Patched Atlassian - https://www.securityweek.com/atlassian-patches-confluence-zero-day-exploitation-attempts-surge
Yuga Labs phished - https://www.bleepingcomputer.com/news/security/bored-ape-yacht-club-otherside-nfts-stolen-in-discord-server-hack/
Novartis data sale - https://www.bleepingcomputer.com/news/security/novartis-says-no-sensitive-data-was-compromised-in-cyberattack/
U-Boot baddie - https://www.securityweek.com/critical-u-boot-vulnerability-allows-rooting-embedded-systems
Reverse Tunnel phishing - https://www.bleepingcomputer.com/news/security/evasive-phishing-mixes-reverse-tunnels-and-url-shortening-services/

Hi, I'm Paul Torgersen. It's Monday June 6th, 2022, and this is a look at the information security news from overnight.

From SecurityWeek.com: We talked Friday about the zero-day affecting Atlassian Confluence Server and Data Center. Well, two things have happened since then: Atlassian has issued a patch, and attempts to exploit the vulnerability have gone through the roof. According to a Cloudflare report, they have seen evidence suggesting that potentially malicious payloads have been delivered since at least May 26. We may not have seen the full impact of this vulnerability quite yet. And in the meantime, get your patch on kids.

From BleepingComputer.com: Hackers reportedly stole over $257,000 in Ethereum and thirty-two NFTs after the Yuga Labs' Bored Ape Yacht Club and Otherside Metaverse Discord servers were compromised in a phishing scam. The scam pretended to be an exclusive, limited giveaway for existing NFT holders, which included a link to a webpage that allowed a visitor to mint a free NFT. You can imagine where the link really went. Details in the article.

Also from BleepingComputer.com: Data extortion group Industrial Spy began selling data allegedly stolen from Novartis on their Tor extortion marketplace for $500,000 in bitcoin. The data is supposed to be related to RNA and DNA-based drug technology, although Novartis says that no sensitive data was compromised. There are 7.7 MB of PDF files for sale, but it is unclear if that is the extent of the data that was taken. Novartis has no comment yet about how and when the data was accessed.

From SecurityWeek.com: A critical vulnerability in the U-Boot boot loader could be exploited to write arbitrary data, and ultimately allow an attacker to gain root on Linux-based embedded systems. The open-source boot loader is used in various types of embedded systems, including ChromeOS and Android, and supports multiple architectures. NCC Group says a patch is in the works.

And last today, from BleepingComputer.com: Researchers are seeing an uptick in phishing campaigns utilizing reverse tunnel services along with URL shorteners, which makes them a bear to get shut down. With reverse tunnels, threat actors can host the phishing pages locally on their own computers and then route connections through external services. Often, they refresh those phishing links in less than 24 hours, making it nearly impossible to shut down the sites before they get moved. Details in the article.

That's all for me today. Have a great rest of your day. Like and subscribe. And until tomorrow, be safe out there.
Episode 237 - 03 June 2022
A daily look at the relevant information security news from overnight - 03 June, 2022

Windows 0patch - https://www.bleepingcomputer.com/news/security/windows-msdt-zero-day-vulnerability-gets-free-unofficial-patch/
UNISOC DoS - https://www.securityweek.com/millions-budget-smartphones-unisoc-chips-vulnerable-remote-dos-attacks
Asian app attack - https://www.bleepingcomputer.com/news/security/chinese-luoyu-hackers-deploy-cyber-espionage-malware-via-app-updates/
Atlassian critical - https://www.securityweek.com/atlassian-confluence-servers-hacked-zero-day-vulnerability
GitLab patch - https://www.bleepingcomputer.com/news/security/gitlab-security-update-fixes-critical-account-take-over-flaw/

Hi, I'm Paul Torgersen. It's Friday, June 3rd, 2022, and this is a look at the information security news from overnight.

From BleepingComputer.com: While Microsoft has still not released a patch for the Windows critical vulnerability known as Follina, our friends at 0patch have. Instead of just disabling the MSDT URL protocol handler, which is the Microsoft-suggested mitigation for the issue, 0patch has added sanitization of the user-provided path to avoid rendering the Windows diagnostic wizardry inoperable across the operating system for all applications. Details in the article.

From SecurityWeek.com: Millions of budget smartphones that use UNISOC chipsets could have a critical vulnerability that leads to a denial of service attack. UNISOC has about 11% of the smartphone chip market, with the majority of these chips sold in Asia and Africa. The company has already issued the appropriate patch. Google will also address this flaw in an upcoming Android patch.

From BleepingComputer.com: Chinese hacking group LuoYu is infecting victims with the WinDealer information stealer by switching legitimate app updates with a man-on-the-side attack. They are currently targeting popular Asian apps such as QQ, WeChat, and WangWang. Details in the article.

From SecurityWeek.com: Atlassian Confluence Servers and Data Centers are affected by a critical vulnerability that can be leveraged for remote code execution and is being actively exploited in the wild. All supported versions of Confluence Server and Data Center are affected. Until a patch becomes available, users have been advised to prevent access to their Confluence servers from the internet, or simply disable these instances. The company hopes to have a patch ready by the end of today.

And last today, from BleepingComputer.com: GitLab has released a critical security update for multiple versions of its Community and Enterprise Edition products to address eight vulnerabilities, one of which could lead to account takeover. That 9.9 severity vulnerability affects all GitLab versions 11.10 through 14.9.4, 14.10 through 14.10.3, and version 15.0. Get your patch on kids.

That's all for me today. Have a great rest of your day. Like and subscribe. And until next time, be safe out there.
A daily look at the relevant information security news from overnight - 02 June, 2022
Episode 236 - 02 June 2022
WhatsApp hack - https://www.bleepingcomputer.com/news/security/hackers-steal-whatsapp-accounts-using-call-forwarding-trick/
Sowing Discord - https://threatpost.com/scammers-target-nft-discord-channel/179827/
New Windows zero-day - https://www.bleepingcomputer.com/news/security/new-windows-search-zero-day-added-to-microsoft-protocol-nightmare/
Elasticsearch snatched - https://www.securityweek.com/cybercriminals-hold-1200-unsecured-elasticsearch-databases-ransom
Horde zero-day - https://portswigger.net/daily-swig/horde-webmail-contains-zero-day-rce-bug-with-no-patch-on-the-horizon

Hi, I'm Paul Torgersen. It's Thursday June 2nd, 2022. I think I said yesterday was Tuesday, and Tuesday was Monday. Obviously my brain is not comprehending the holiday very well. Anyway, this is a look at the information security news from overnight.

From BleepingComputer.com:
Hackers are going after WhatsApp accounts to gain access to personal messages and contact lists. The method relies on the mobile carriers' automated service to forward calls to a different phone number, and WhatsApp's option to send a one-time password verification code via voice call. You can pursue all the details in the article.

From ThreatPost.com:
Hackers are escalating phishing and scamming attacks targeting NFT servers to exploit a popular Discord bot and persuade users to click on the malicious links. The Discord bot MEE6, which is used to automate welcome messages and inform visitors about the server rules, etc., seems to be compromised across several high profile servers. As always, when in doubt, don't click the link.

From BleepingComputer.com:
A new Windows Search zero-day vulnerability can be used to automatically open a search window containing malware executables simply by launching a Word document. This error stems from Windows support of a URI protocol handler called 'search-ms' that allows applications and HTML links to launch customized searches on a device. Details in the article.

From SecurityWeek.com:
Over 1,200 Elasticsearch databases that could be accessed without authentication have fallen victim to a ransomware attacker, which replaced their indexes with a note demanding a payment of 0.012 Bitcoin in exchange for their data. In each case, data held in the databases was replaced with a ransom note stored in the 'message' field of an index called 'read_me_to_recover_database'. Inside the 'email' field is a contact email address. The article has a link to the full Secureworks write-up.

And last today, from PortSwigger.net:
A zero-day vulnerability in Horde Webmail enables attackers to execute arbitrary code on the underlying server. Going from bad to worse, Horde has already flagged this version of their webmail to be their final release, so it is likely that a patch will not be forthcoming.

That's all for me today. Have a great rest of your day. Like and subscribe. And until tomorrow, be safe out there.
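The Elasticsearch story above describes a very recognisable artifact: wiped indexes replaced by one named 'read_me_to_recover_database' whose document carries the note in a 'message' field and a contact address in an 'email' field. The script below is an added example, not code from the podcast, the SecurityWeek article or the Secureworks write-up; it shows how a defender can sweep a cluster's index contents for that shape and, separately, flag a cluster that has security disabled (the `xpack.security.enabled` setting is real; the sample cluster data and the note wording are constructed for the demo).

```python
"""Sweep Elasticsearch index contents for the ransom-note pattern described in
the 'read_me_to_recover_database' campaign and flag clusters with security off.

The sample data below is CONSTRUCTED to mimic what /_cat/indices plus a
/<index>/_search call would return; it is not real cluster output.
"""
import re
from typing import Dict, List

# Index name reported in the campaign write-up.
RANSOM_INDEX = "read_me_to_recover_database"
# Words typical of such notes; an assumption, not the exact wording of the real note.
NOTE_PATTERN = re.compile(r"\b(bitcoin|btc|recover|ransom)\b", re.IGNORECASE)
EMAIL_PATTERN = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def looks_like_ransom_note(doc: dict) -> bool:
    """True when a document has the message/email shape of the note."""
    message, email = doc.get("message"), doc.get("email")
    if not isinstance(message, str) or not isinstance(email, str):
        return False
    return bool(NOTE_PATTERN.search(message)) and bool(EMAIL_PATTERN.match(email))


def scan_indices(indices: Dict[str, List[dict]]) -> List[dict]:
    """Return one finding per suspicious index: name match and/or note-shaped docs."""
    findings = []
    for name, docs in indices.items():
        reasons = []
        if name == RANSOM_INDEX:
            reasons.append("index name matches the known ransom-note index")
        note_docs = [d for d in docs if looks_like_ransom_note(d)]
        if note_docs:
            reasons.append(f"{len(note_docs)} document(s) shaped like a ransom note")
        if reasons:
            findings.append({
                "index": name,
                "reasons": reasons,
                # Contact addresses are useful IoCs for blocking and for the incident record.
                "contacts": sorted({d["email"] for d in note_docs}),
            })
    return findings


def security_disabled(cluster_settings: dict) -> bool:
    """True when the flattened settings say xpack.security.enabled is false,
    i.e. the cluster answers without authentication (the root cause in the story)."""
    value = str(cluster_settings.get("xpack.security.enabled", "true")).lower()
    return value == "false"


# Constructed sample: one wiped-and-replaced index beside two untouched ones.
SAMPLE_CLUSTER = {
    "orders-2022": [{"order_id": 1, "total": 12.5}],
    "read_me_to_recover_database": [
        {"message": "All your data was backed up. Send 0.012 BTC to recover it.",
         "email": "recover@example.invalid"},
    ],
    # Benign: has message and email fields but no ransom vocabulary.
    "logs-app": [{"message": "user logged in", "email": "alice@example.com"}],
}
SAMPLE_SETTINGS = {"xpack.security.enabled": "false"}


def main() -> None:
    if security_disabled(SAMPLE_SETTINGS):
        print("WARNING: cluster security is disabled; anyone who can reach it can wipe it")
    for f in scan_indices(SAMPLE_CLUSTER):
        print(f"{f['index']}: {'; '.join(f['reasons'])}; contacts={f['contacts']}")


if __name__ == "__main__":
    main()
```

Feeding real data into `scan_indices` means pulling a handful of documents per index through the search API; the name match alone is enough to alert, and the document check catches the same note dropped into an index with a different name.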
A daily look at the relevant information security news from overnight - 01 June, 2022
Episode 235 - 01 June 2022
Costa Rica Hive - https://www.bleepingcomputer.com/news/security/costa-rica-s-public-health-agency-hit-by-hive-ransomware/
Foxconn Locked - https://www.securityweek.com/ransomware-group-claims-have-breached-foxconn-factory
Wait 'till I get my Hanes on you - https://www.marketwatch.com/story/hanesbrands-says-it-suffered-a-ransomware-attack-on-may-24-and-has-informed-law-enforcement-2022-05-31
Sidewinder VPN - https://www.bleepingcomputer.com/news/security/sidewinder-hackers-plant-fake-android-vpn-app-in-google-play-store/
JetPort backdoor - https://www.securityweek.com/vendor-refuses-remove-backdoor-account-can-facilitate-attacks-industrial-firms

Hi, I'm Paul Torgersen. It's Tuesday June 1st, 2022, and this is a look at the information security news from overnight.

From BleepingComputer.com:
Costa Rica, after declaring a national emergency because of ransomware attacks from the Conti group, has now been hit with a Hive ransomware attack. All computer systems of Costa Rica's public health service are now offline after every printer in the system started printing early this morning. It is thought that the threat actors behind this Hive attack may come from Conti as that organization continues being disbanded and moved to smaller entities.

From SecurityWeek.com:
Cybercriminals say they have breached the systems of the Foxconn factory in Mexico, using the LockBit 2.0 ransomware. They are threatening to leak stolen files if the company doesn't pay up. It is unclear if the attack has impacted the company's OT systems. You may recall, the US systems of Foxconn were hit about a year and a half ago with the DoppelPaymer ransomware.

From MarketWatch.com:
Speaking of ransomware, Hanesbrands said it was the subject of a ransomware attack on May 24 and activated business continuity and incident response plans to contain it. The company says they are in the early stages of their investigation and have not determined the full impact of the attack.

From BleepingComputer.com:
Phishing campaigns attributed to an APT called SideWinder involved a fake VPN app for Android devices published on Google Play Store. They even have a custom tool that filters victims for better targeting. SideWinder has been active since at least 2012, and is believed to be of Indian origin with a relatively high level of sophistication. They have been attributed with close to 1,000 attacks in the past two years. Details in the article.

And last today, from SecurityWeek.com:
Korenix JetPort industrial serial device servers have a backdoor account that can take full control of the device. This was found back in 2020, but it was only made public now, after a lengthy disclosure process that ended with the vendor saying that the account will not be removed. They say it is needed for customer support. The password for the account is in the firmware, so it is the same for every device and cannot be changed by the customer. But don't worry, the manufacturer says the password can't be cracked in a reasonable amount of time. Buyer beware. Or at least be aware.

That's all for me today. Have a great rest of your day. And until tomorrow, be safe out there.
A daily look at the relevant information security news from overnight.
Episode 234 - 27 May 2022
Word backdoor - https://www.zdnet.com/article/this-zero-day-windows-flaw-opens-a-backdoor-to-hackers-via-microsoft-word-heres-how-to-fix-it/
WSL attack surface - https://www.bleepingcomputer.com/news/security/new-windows-subsystem-for-linux-malware-steals-browser-auth-cookies/
Killnet warns Italy - https://www.thesundaily.my/world/italy-on-alert-over-killnet-cyber-attack-threat-DA9266005
Spirit Super suckered - https://portswigger.net/daily-swig/data-breach-at-australian-pension-provider-spirit-super-impacts-50k-victims-following-phishing-attack
EnemyBot adapting - https://threatpost.com/enemybot-malware-targets-web-servers-cms-tools-and-android-os/179765/

Hi, I'm Paul Torgersen. It's Monday May 31st, 2022, and this is a look at the information security news from overnight.

From ZDNet.com:
Security researchers discovered a zero-day flaw called Follina that enables a malicious Word document to execute code via the Microsoft Support Diagnostic Tool, even when macros are disabled. There is no patch yet. For mitigation, Microsoft recommends disabling a protocol used for troubleshooting Windows bugs. Details and links in the article.

From BleepingComputer.com:
Hackers are showing an increased interest in the Windows Subsystem for Linux, or WSL, as an attack surface for new malware. Some of the more advanced samples are suitable for espionage and downloading additional modules. After the first malicious Linux binary for WSL was discovered just over a year ago, Black Lotus Labs says that since last fall, they have tracked more than 100 samples of WSL-based malware.

From TheSunDaily.my:
Italy is on high alert after the pro-Russian 'Killnet' hacker group said it would launch a cyber attack that would inflict "irreparable" damage on the country. Killnet has staged several attacks on Italian public institutions in recent weeks, including on the websites of the Senate and the defense ministry. All this in response to Italy backing Western sanctions on Russia following its invasion of Ukraine.

From PortSwigger.net:
A phishing attack on Australian pension provider Spirit Super has resulted in PII being leaked on some 50,000 customers. The personal data includes names and other sensitive information, but according to the company, does not include birthday, tax ID or driver's license numbers, or bank account details.

And last today, from ThreatPost.com:
A rapidly evolving IoT malware dubbed EnemyBot is targeting content management systems, web servers and Android devices, taking advantage of recently disclosed vulnerabilities in VMware, Adobe, WordPress and others. The threat actor group Keksec is believed to be behind the distribution of the malware, which borrows code heavily from other botnets, such as Mirai, Qbot and Zbot. Details in the article.

That's all for me today. Have a great rest of your day. And until tomorrow, be safe out there.
A daily look at the relevant information security news from overnight.
Episode 234 - 27 May 2022
Buggy Android apps - https://www.bleepingcomputer.com/news/security/microsoft-finds-severe-bugs-in-android-apps-from-large-mobile-providers/
Guzzle cookies crumble - https://portswigger.net/daily-swig/patch-released-for-cross-domain-cookie-leakage-flaw-in-guzzle
Ransom besets Somerset - https://www.cnn.com/2022/05/26/politics/new-jersey-somerset-county-ransomware-attack/index.html
BlackCat slashes Austria - https://www.bleepingcomputer.com/news/security/blackcat-alphv-ransomware-asks-5-million-to-unlock-austrian-state/
Critical OAS flaws - https://threatpost.com/critical-flaws-in-popular-ics-platform-can-trigger-rce/179750/
New Windows update not Trend-y - https://www.bleepingcomputer.com/news/security/windows-11-kb5014019-breaks-trend-micro-ransomware-protection/

Hi, I'm Paul Torgersen. It's Friday May 27th, 2022, and this is a look at the information security news from overnight.

From BleepingComputer.com:
Microsoft security researchers have found high severity vulnerabilities in a framework owned by MCE Systems that is used by Android apps. The vulnerabilities expose users to command injection and privilege escalation attacks. The apps have millions of downloads on Google's Play Store and come pre-installed as system applications on devices bought from operators including AT&T, TELUS, Rogers Communications, Bell Canada, and Freedom Mobile. Patches have been issued.

From PortSwigger.net:
Guzzle, the popular HTTP client for PHP applications, has addressed a high severity vulnerability leading to cross-domain cookie leakage. The flaw resides in Guzzle's cookie middleware, which is fortunately disabled by default, so most library consumers will not be affected. Drupal is one of the applications that use the third-party library and has released updates to address the issue.

From CNN.com:
A ransomware attack has forced officials in Somerset County, New Jersey to switch off their computers and set up temporary Gmail accounts so the public can communicate with key agencies like health, emergency and sheriff's departments. The county says the attack has only affected email and IT systems and that phone lines and emergency service systems are all working properly. No word on the threat actor or specific malware involved.

From BleepingComputer.com:
The Austrian state of Carinthia has been hit by the BlackCat ransomware gang, who demanded $5 million to unlock their encrypted computer systems. Evidently thousands of workstations have been locked by the attack. The government says there is no evidence that BlackCat actually managed to exfiltrate any data, and that the plan is to restore the machines from backups.

From ThreatPost.com:
Multiple flaws have been found in Open Automation Software, a popular platform used by industrial control systems. The two critical and five high severity vulnerabilities could allow unauthorized device access, remote code execution, or denial of service that could ultimately threaten the stability of critical infrastructure. The flaws affect OAS Platform version 16.00.0112. See the full Cisco Talos report in the article.

And last today, from BleepingComputer.com:
Windows previewed its upcoming cumulative update, which unfortunately has some compatibility issues with some of Trend Micro's security products, including the ransomware protection feature. The issue affects the User Mode Hooking component used by several Trend Micro endpoint solutions. The company is working on a fix to address this issue before the updates are pushed to all Windows customers as part of their June Patch Tuesday.

That's all for me this week. Have a great holiday weekend. Take a moment to remember those that gave their last full measure to secure the freedoms of the rest of us. And until next time, be safe out there.
A daily look at the relevant information security news from overnight.
Episode 233 - 26 May 2022
Curb Kerberos - https://www.zdnet.com/article/microsoft-heres-how-to-defend-windows-against-these-new-privilege-escalation-attacks/
Tales from the Cheerscrypt - https://www.bleepingcomputer.com/news/security/new-cheers-linux-ransomware-targets-vmware-esxi-servers/
Broadcom buy - https://www.securityweek.com/vmware-absorb-broadcom-security-solutions-following-61-billion-deal
Chromeloader rises - https://www.bleepingcomputer.com/news/security/new-chromeloader-malware-surge-threatens-browsers-worldwide/
DuckDuck no - https://www.techradar.com/news/duckduckgo-in-hot-water-over-hidden-tracking-agreement-with-microsoft

Hi, I'm Paul Torgersen. It's Wednesday May 26th, 2022, and again from Las Vegas, this is a look at the information security news from overnight.

From ZDNet.com:
Microsoft has detailed mitigation techniques to help Windows users defend themselves from automated 'Kerberos Relay' attacks. The KrbRelayUp tool flaw can give an attacker System privileges on Windows machines. See the details in the article.

From BleepingComputer.com:
A new Cheers ransomware called Cheerscrypt has appeared and is starting its operations by targeting VMware ESXi servers. I guess they learned that from the LockBit and Hive ransomware crowd. There is the full Trend Micro write-up in the article.

From SecurityWeek.com:
Speaking of VMware, Broadcom announced they are acquiring the company for about $61 billion in cash and stock. Man, just a small sliver of that and I can keep this podcast running forever. I need to find out who to talk to. If you recall, Broadcom acquired Symantec's enterprise unit back in 2019. Not sure how those technologies and services will migrate to VMware.

From BleepingComputer.com:
The ChromeLoader malware is seeing a significant uptick this month, after being relatively stable through the beginning of the year. ChromeLoader is a browser hijacker that can modify web browser settings to show search results that promote unwanted software, fake giveaways and surveys, and adult games and dating sites. You know where to find the details.

And last today, from TechRadar.com:
I'm sure many of you are DuckDuckGo users, wanting the privacy the search engine offers. Unfortunately, while Google and Facebook trackers are being blocked, Microsoft trackers are allowed to continue running, as are trackers related to the bing.com and linkedin.com domains. Apparently, DuckDuckGo has a search syndication agreement with Microsoft. For a company known for its transparency, strange how this agreement remained a secret for so long. DuckDuck, no.

That's all for me today. Have a great rest of your day. And until tomorrow, be safe out there.
A daily look at the relevant information security news from overnight.
Episode 232 - 25 May 2022
Mozilla un-pwned - https://www.bleepingcomputer.com/news/security/mozilla-fixes-firefox-thunderbird-zero-days-exploited-at-pwn2own/
Chrome hardened - https://www.securityweek.com/chrome-102-patches-32-vulnerabilities
Moshen Dragon Trend-ing - https://www.bleepingcomputer.com/news/security/trend-micro-fixes-bug-chinese-hackers-exploited-for-espionage/
No TOR for Tails - https://portswigger.net/daily-swig/tails-users-warned-not-to-launch-bundled-tor-browser-until-security-fix-is-released
BPFDoor goes deep - https://www.bleepingcomputer.com/news/security/bpfdoor-malware-uses-solaris-vulnerability-to-get-root-privileges/

Hi, I'm Paul Torgersen. It's Wednesday May 25th, 2022, and again from Las Vegas, this is a look at the information security news from overnight.

From BleepingComputer.com:
Mozilla has released security updates to address zero-day vulnerabilities exploited during the Pwn2Own Vancouver 2022 hacking contest. The two critical flaws can let attackers gain JavaScript code execution on mobile and desktop devices running Firefox, Firefox ESR, Firefox for Android, and Thunderbird. On a side note: the total amount of bug bounties earned at Pwn2Own this year? $1.2 million. Well done.

From SecurityWeek.com:
Google announced the release of Chrome 102, which patches 32 vulnerabilities, including one critical and eight high-severity flaws. The critical security hole has been described as a use-after-free bug affecting Indexed DB. Somebody has a bug bounty coming to them for that one too.

From BleepingComputer.com:
Trend Micro has patched a flaw in Trend Micro Security that has been used by Chinese threat group Moshen Dragon to side-load malicious DLLs. The fix was deployed via ActiveUpdate, so if you have an active internet connection, you should have already received it. More details in the article.

From PortSwigger.net:
Tails is warning users to stop using the Tor Browser that comes bundled with the privacy-focused operating system. They found a bug that could enable an attacker to corrupt the methods of an Array object in JavaScript via prototype pollution. This could end in the execution of attacker-controlled JavaScript code in a privileged context.

And last today, from BleepingComputer.com:
During a recent incident response, PwC has been able to dig into the inner workings of the BPFDoor malware for Linux and Solaris. BPFDoor is a custom backdoor that can't be stopped by firewalls; it can function without opening any ports and does not need a command and control server because it can receive commands from any IP address on the web. This nasty has been attributed to a China-based threat actor PwC tracks as Red Menshen. All the details in the article.

That's all for me today. Have a great rest of your day. And as always, until tomorrow, be safe out there.
A daily look at the relevant information security news from overnight.
Episode 231 - 24 May 2022
Yik Yak fixed that - https://portswigger.net/daily-swig/yik-yak-fixes-information-disclosure-bug-that-leaked-users-gps-location
Abusing the abused - https://www.bleepingcomputer.com/news/security/photos-of-abused-victims-used-in-new-id-verification-scam/
Argo CD max severity - https://portswigger.net/daily-swig/critical-argo-cd-vulnerability-could-allow-attackers-admin-privileges
Fake PoCs - https://www.bleepingcomputer.com/news/security/fake-windows-exploits-target-infosec-community-with-cobalt-strike/

Hi, I'm Paul Torgersen. It's Tuesday May 24th, 2022, and from Las Vegas, this is a look at the information security news from overnight.

From PortSwigger.net:
Anonymous social network Yik Yak took more than three months, but finally fixed vulnerabilities that were submitted by two different security researchers. The flaw enabled threat actors to access users' precise locations, within like 10ft or 15ft. Not so hot for an anonymous site.

From BleepingComputer.com:
In a new low, scammers are leveraging dating apps like Tinder and Grindr to pose as former abuse victims to gain your trust and sell you bogus ID verification services. These catphishers show their target pictures of physical abuse and get them to register on a scam site to prove they are not a former sex offender. All the sketchy details in the article.

From PortSwigger.net:
The maintainers of Argo CD, the continuous delivery tool for Kubernetes, have patched a critical vulnerability that enabled attackers to forge JSON Web Tokens and become administrators. The bad news is, this bug has a severity rating of 10 out of 10. The good news is, anonymous access is deactivated by default, so if you haven't played with any settings, you were probably ok. But, you know, patch it.

From BleepingComputer.com:
A threat actor is targeting security researchers with fake Windows proof-of-concepts for recently patched vulnerabilities CVE-2022-24500 and -26809. When you go in to check out the PoCs, it loads the Cobalt Strike backdoor instead. Details in the article.

And last today, from Infosecurity-magazine.com:
Here's one to cheer about. Our friends Anonymous have announced on social media that they're launching a cyber-war against the pro-Russian group Killnet. Couldn't happen to a more deserving group. You know who my money's on.

That's all for me today. Have a great rest of your day. Remember to LIKE, SUBSCRIBE, and share with your network. And as always, until next time, be safe out there.
A daily look at the relevant information security news from overnight.
Episode 230 - 23 May 2022
Chicago students breach - https://chicago.suntimes.com/education/2022/5/20/23132983/cps-public-schools-data-breach-students-employees-records-battelle-kids
PyPI infection - https://www.bleepingcomputer.com/news/security/malicious-pypi-package-opens-backdoors-on-windows-linux-and-macs/
Record Ethereum bounty - https://portswigger.net/daily-swig/blockchain-bridge-wormhole-pays-record-10m-bug-bounty-reward
PDF snake - https://threatpost.com/snake-keylogger-pdfs/179703/
WordPress backdoor - https://www.bleepingcomputer.com/news/security/backdoor-baked-into-premium-school-management-plugin-for-wordpress/

Hi, I'm Paul Torgersen. It's Monday May 23rd, 2022, and this is a look at the information security news from overnight.

From Chicago.SunTimes.com:
A massive data breach has exposed four years' worth of records of about a half million Chicago Public Schools students and nearly 60,000 employees. The attack targeted a company that provides teacher evaluations and should not contain financial records or Social Security numbers. And in a dose of real world teaching, those students now get a free year of credit and identity theft monitoring.

From BleepingComputer.com:
Another malicious Python package has been spotted in the PyPI registry performing supply chain attacks to drop Cobalt Strike malware on Windows, Linux, and macOS systems. The malicious package is named 'pymafka', very similar to PyKafka, a widely used Apache Kafka client that counts over four million downloads. All the details in the article.

From PortSwigger.net:
An ethical hacker has earned a record $10 million bug bounty after discovering a critical security vulnerability in the Wormhole core bridge contract on Ethereum. The vulnerability would have allowed the wormhole to be bricked, forever losing the $736 million of assets that were in the contract at the time.

From ThreatPost.com:
A malicious email campaign using a weaponized PDF file and a 22-year-old Office bug is propagating the Snake keylogger. It also employs several evasion techniques, such as embedding malicious files, loading remotely-hosted exploits and shellcode encryption. You know where to find the details.

And last this week, from BleepingComputer.com:
A backdoor has been discovered in a premium WordPress plugin designed as a complete management solution for schools. The name of the plugin is "School Management," published by Weblizar, and multiple versions before 9.9.7 have the backdoor baked into its code. Although the latest version is clean, the developer did not disclose the source of the compromise.

That's all for me today. Remember to LIKE, SUBSCRIBE, and share with your networks. And as always, until next time, be safe out there.
A daily look at the relevant information security news from overnight.
Episode 239 - 20 May 2022
Log4J exploit - https://www.bleepingcomputer.com/news/security/lazarus-hackers-target-vmware-servers-with-log4shell-exploits/
SQL brute - https://www.securityweek.com/new-brute-force-attacks-against-sql-servers-use-powershell-wrapper
Phishing with Chat - https://www.bleepingcomputer.com/news/security/phishing-websites-now-use-chatbots-to-steal-your-credentials/
Jupiter flawed - https://threatpost.com/vulnerability-wordpress-themes-site-takeover/179672/
Flux flaw - https://portswigger.net/daily-swig/rogue-cloud-users-could-sabotage-fellow-off-prem-tenants-via-critical-flux-flaw
Vidar delivery - https://www.zdnet.com/article/fake-domains-offer-windows-11-installers-but-deliver-malware-instead/

Hi, I'm Paul Torgersen. It's Friday May 20th, 2022, and after a couple days under the weather, this is a look at the information security news from overnight.

From BleepingComputer.com:
The North Korean hacking group Lazarus is exploiting the Log4J remote code execution vulnerability on VMware Horizon servers. They use the weakness to execute a PowerShell command and ultimately install the NukeSped backdoor. Details in the article.

From SecurityWeek.com:
Microsoft has warned organizations of a new wave of brute force cyberattacks that target SQL servers and use a living-off-the-land binary. Specifically, the attackers rely on a legitimate utility called sqlps.exe to achieve fileless persistence on SQL servers that use weak or default passwords.

From BleepingComputer.com:
Phishing attacks are now using automated chatbots to guide visitors through the process of handing over their login credentials to the threat actors. How nice of them. Actually, the presence of a chatbot lends a sense of legitimacy to the malicious sites. See the full Trustwave report in the article.

From ThreatPost.com:
A critical privilege escalation flaw found in two WordPress site themes can allow the threat actors to take over the sites completely. The Jupiter and JupiterX Core Plugin affect more than 90,000 sites. The vulnerability affects Jupiter Theme 6.10.1 or earlier, and JupiterX Core Plugin 2.0.7 or earlier. Updated versions have patched the flaws.

From PortSwigger.net:
A critical vulnerability in Flux2, the continuous delivery tool for Kubernetes, can enable rogue tenants in multi-tenancy deployments to sabotage their neighbors that are using the same off-premise infrastructure. The remote code execution flaw arises through improper validation of kubeconfig files, which "can define commands to be executed to generate on-demand authentication tokens". In a single tenant deployment, this flaw is only a 6.8 severity. In multi tenant deployments, that rating jumps to a 9.9.

And last this week, from ZDNet.com:
Newly registered domains that just appeared in April mimic a legitimate Microsoft Windows 11 OS download portal. Unfortunately, what you actually get is a nasty little information stealer called Vidar. Link to the full Zscaler report in the article.

That's all for me this week. Remember to LIKE and SUBSCRIBE. And as always, until next time, be safe out there.
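The SQL Server story in this episode turns on weak or default passwords being guessed before sqlps.exe ever comes into play, and the guessing leaves a loud trail: SQL Server writes error 18456 'Login failed for user' entries with the client address into its ERRORLOG. The detector below is an added example, not code from the podcast, the SecurityWeek article or Microsoft; it parses that standard log format with a sliding window per client and raises one alert when a client piles up failed logins, noting whether the built-in `sa` account was among the targets. The log lines are constructed for the demo, and the threshold and window are assumptions to tune for your environment.

```python
"""Flag password guessing against SQL Server from ERRORLOG 'Login failed' lines.

The sample lines are CONSTRUCTED to follow the standard SQL Server ERRORLOG
layout for error 18456; they are not taken from a real server.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# "<timestamp> Logon  Login failed for user '<user>'. Reason: ... [CLIENT: <ip>]"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<client>[^\]]+)\]"
)

# Built-in/high-value logins worth calling out explicitly; an assumption for the demo.
HIGH_VALUE_ACCOUNTS = {"sa"}


def parse_failures(lines: List[str]) -> List[Tuple[datetime, str, str]]:
    """Extract (timestamp, user, client) from every 'Login failed' line; skip the rest."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["user"], m["client"]))
    return events


def detect_bruteforce(lines: List[str], threshold: int = 5,
                      window: timedelta = timedelta(minutes=1)) -> List[dict]:
    """Alert once per client that reaches `threshold` failed logins inside `window`."""
    events = sorted(parse_failures(lines))
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    alerts, alerted = [], set()
    for ts, user, client in events:
        q = recent[client]
        q.append((ts, user))
        while q and ts - q[0][0] > window:      # drop attempts outside the window
            q.popleft()
        if len(q) >= threshold and client not in alerted:
            alerted.add(client)
            users = sorted({u for _, u in q})
            alerts.append({
                "client": client,
                "first_seen": q[0][0].isoformat(),
                "attempts": len(q),
                "users": users,
                "targets_high_value_account": bool(HIGH_VALUE_ACCOUNTS & set(users)),
            })
    return alerts


def _failed(ts: str, user: str, client: str, reason: str) -> str:
    """Build one constructed ERRORLOG line in the real layout."""
    return f"{ts} Logon       Login failed for user '{user}'. Reason: {reason} [CLIENT: {client}]"


BAD_PW = "Password did not match that for the login provided."
NO_LOGIN = "Could not find a login matching the name provided."

# Constructed sample: one noisy client hammering 'sa', one ordinary typo from elsewhere.
SAMPLE_ERRORLOG = [
    "2022-05-19 03:14:07.12 Logon       Error: 18456, Severity: 14, State: 8.",
    _failed("2022-05-19 03:14:07.12", "sa", "203.0.113.5", BAD_PW),
    _failed("2022-05-19 03:14:08.40", "sa", "203.0.113.5", BAD_PW),
    _failed("2022-05-19 03:14:09.02", "sa", "203.0.113.5", BAD_PW),
    _failed("2022-05-19 03:14:09.77", "sa", "203.0.113.5", BAD_PW),
    _failed("2022-05-19 03:14:10.31", "sa", "203.0.113.5", BAD_PW),
    _failed("2022-05-19 03:14:11.05", "admin", "203.0.113.5", NO_LOGIN),
    _failed("2022-05-19 09:02:15.55", "app_user", "198.51.100.7", BAD_PW),
]


def main() -> None:
    for a in detect_bruteforce(SAMPLE_ERRORLOG):
        print(f"{a['client']}: {a['attempts']} failed logins from {a['first_seen']}, "
              f"users={a['users']}, high-value target={a['targets_high_value_account']}")


if __name__ == "__main__":
    main()
```

A hit here is the moment to check whether that client should be able to reach port 1433 at all, and whether `sa` is enabled; the sqlps.exe persistence the article describes only matters once a password has been guessed.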
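The Flux2 item above quotes the root cause: a kubeconfig may define a command that the client runs to generate an authentication token, so a tenant-supplied kubeconfig is a way to run a command on whatever shared controller loads it. The checker below is an added example, not code from the podcast, the PortSwigger article or the Flux project; it walks the `users[].user.exec` section of a kubeconfig and refuses the file unless every exec plugin is on an allow list. It parses the JSON form of kubeconfig (which kubectl also accepts) so it needs no YAML library; the sample kubeconfig, its placeholder token and the plugin path are constructed for the demo.

```python
"""Reject kubeconfig files that carry exec credential plugins unless allow-listed.

Under users[].user.exec a kubeconfig names a command the client will execute to
obtain credentials. In a multi-tenant CD controller that command runs with the
controller's privileges, so tenant-provided kubeconfigs must be screened first.

The sample kubeconfig below is CONSTRUCTED (JSON form, accepted by kubectl);
the token value and plugin path are placeholders, not real secrets or tools.
"""
import json
from typing import FrozenSet, List


def find_exec_plugins(kubeconfig: dict) -> List[dict]:
    """Return every exec credential plugin declared in the users section."""
    findings = []
    for entry in kubeconfig.get("users") or []:
        name = entry.get("name", "<unnamed>")
        user = entry.get("user") or {}
        exec_cfg = user.get("exec")
        if not isinstance(exec_cfg, dict):
            continue
        findings.append({
            "user": name,
            "command": exec_cfg.get("command"),
            "args": list(exec_cfg.get("args") or []),
        })
    return findings


def validate_kubeconfig(text: str,
                        allowed_commands: FrozenSet[str] = frozenset()) -> List[str]:
    """Return rejection reasons; an empty list means the file may be loaded.

    `allowed_commands` lists exec plugin binaries the operator has vetted
    (for example a cloud CLI installed by the platform team); anything else
    is refused, as is a document that is not valid JSON.
    """
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(cfg, dict):
        return ["kubeconfig must be a JSON object"]
    reasons = []
    for plugin in find_exec_plugins(cfg):
        if plugin["command"] not in allowed_commands:
            reasons.append(f"user {plugin['user']!r} runs exec plugin {plugin['command']!r}")
    return reasons


# Constructed sample: one user with a static token, one with an exec plugin.
SAMPLE_KUBECONFIG = json.dumps({
    "apiVersion": "v1",
    "kind": "Config",
    "clusters": [{"name": "tenant-a", "cluster": {"server": "https://10.0.0.1:6443"}}],
    "contexts": [{"name": "tenant-a", "context": {"cluster": "tenant-a", "user": "tenant-a"}}],
    "current-context": "tenant-a",
    "users": [
        {"name": "tenant-a", "user": {"token": "PLACEHOLDER-CONSTRUCTED-TOKEN"}},
        {"name": "tenant-b", "user": {"exec": {
            "apiVersion": "client.authentication.k8s.io/v1beta1",
            "command": "/tmp/not-a-real-plugin",   # placeholder path for the demo
            "args": ["--print-token"],
        }}},
    ],
})


def main() -> None:
    problems = validate_kubeconfig(SAMPLE_KUBECONFIG)
    print("accepted" if not problems else "rejected: " + "; ".join(problems))


if __name__ == "__main__":
    main()
```

Screening the file is a complement to, not a substitute for, upgrading to the patched Flux2 release; it also gives the platform team a single place to decide which credential plugins, if any, tenants may reference.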
A daily look at the relevant information security news from overnight.
Episode 238 - 17 May 2022
Apple attack - https://www.bleepingcomputer.com/news/security/apple-emergency-update-fixes-zero-day-used-to-hack-macs-watches/
Conti hits Parker - https://www.infosecurity-magazine.com/news/parker-conti-ransomware/
Tesla BLE - https://www.bleepingcomputer.com/news/security/hackers-can-steal-your-tesla-model-3-y-using-new-bluetooth-attack/
Card skimming - https://www.zdnet.com/article/fbi-hackers-used-malicious-php-code-to-grab-credit-card-data/
iPhone vuln - https://threatpost.com/iphones-attack-turned-off/179641/

Hi, I'm Paul Torgersen. It's Tuesday May 17th, 2022, and this is a look at the information security news from overnight.

From BleepingComputer.com:
Apple has released security updates to address a zero-day vulnerability that threat actors can exploit in attacks targeting Macs and Apple Watches. The flaw is an out-of-bounds write issue in AppleAVD, the kernel extension for audio and video decoding. Apple says it is likely this has already been exploited in the wild.

From Infosecurity-magazine.com:
US manufacturer Parker-Hannifin has announced a data breach exposing employees' PII after being the target of a Conti ransomware attack. The company said that an unauthorized third party gained access to its IT systems between 11 and 14 March this year. On the plus side, if your information was involved, you just got two free years of identity theft monitoring.

From BleepingComputer.com:
Security researchers at the NCC Group have developed a tool to carry out a Bluetooth Low Energy relay attack that bypasses all existing protections to authenticate on target devices. What target devices, you ask? Teslas. Details in the article.

From ZDNet.com:
The FBI put out a warning that someone is scraping credit card data from the checkout pages of US businesses' websites. The bad actor is injecting malicious PHP Hypertext Preprocessor code into the businesses' online checkout pages and sending the scraped data to a server that spoofed a legitimate card processing server. They also left a backdoor into the victims' systems.

And last today, from ThreatPost.com:
Because of how Apple implements standalone wireless features such as Bluetooth, Near Field Communication and Ultra-wideband technologies, researchers have found that iPhones are vulnerable to malware loading attacks even when the device is turned off. The root cause of the issue is how iPhones implement low power mode for wireless chips. No comment yet from Apple, but there is a link to the research report in the article.

That's all for me today. Remember to LIKE and SUBSCRIBE. And as always, until next time, be safe out there.