Infosec Overnights - Daily Security News

Cyber Security moves much too quickly to wait for a weekly news recap. That’s why we’re here each and every weekday bringing you the relevant Information Security stories from overnight.

Make InfoSec Overnights part of your daily routine to ensure you and your team are up to the minute on the threats attacking your organization.

Kimsuky Stealing Emails, NPM Cards Discord, IP Camera Hack, and more.

A daily look at the relevant information security news from overnight - 29 July, 2022
Episode 276 - 29 July 2022

Kimsuky Stealing Emails - https://www.bleepingcomputer.com/news/security/cyberspies-use-google-chrome-extension-to-steal-emails-undetected/
NPM Cards Discord - https://www.infosecurity-magazine.com/news/malicious-npm-packages-steal/
Trojan Play Store Apps - https://thehackernews.com/2022/07/over-dozen-android-apps-on-google-play.html
Phishing Countdown - https://www.zdnet.com/article/this-phishing-attack-uses-a-countdown-clock-to-panic-you-into-handing-over-passwords/
IP Camera Hack - https://thehackernews.com/2022/07/dahua-ip-camera-vulnerability-could-let.html

Hi, I’m Paul Torgersen. It’s Friday July 29th, 2022 and this is a look at the information security news from overnight.

From BleepingComputer.com: A North Korean-backed threat group tracked as Kimsuky is using a malicious browser extension to steal emails from Google Chrome or Microsoft Edge users reading their webmail. The malware, called SHARPEXT, supports Chrome, Edge and Whale browsers and can steal mail from Gmail and AOL accounts. Details in the article.

From InfoSecurity-Magazine.com: Researchers have discovered a supply chain attack using malicious npm packages, this time targeting Discord users. The purpose of the campaign, named LofyLife, appears to be to steal Discord tokens and users’ credit card data. Kaspersky said it identified four suspicious packages which feature obfuscated Python and JavaScript code. Details and a link to the write up inside.

From TheHackerNews.com: Another 17 so-called productivity apps have been uncovered and removed from the Google Play store. The apps did perform some basic tasks they advertise, but they were also dropping in malicious apps like Octo, Hydra, Ermac, and TeaBot. See the full list of affected apps in the article and make sure you delete those puppies.

From ZDNet.com: A new phishing attack has taken a page out of the ransomware playbook by using a countdown clock to pressure victims into entering their username and password. At the end of the countdown they would be permanently locked out of whatever account is being targeted. Obviously nothing actually changes when the countdown reaches zero, but for some less sophisticated users, this could be very compelling.

And last, from TheHackerNews.com: A security vulnerability in Dahua's Open Network Video Interface Forum standard implementation (ONVIF), can lead to a threat actor seizing control of IP cameras. ONVIF governs an open standard for how IP-based physical security products communicate with one another in a vendor-agnostic manner. I’m sure you can understand how some nation-state bad guys would be very interested in tapping into live video feeds. Get your patch on kids.

That’s all for me. Have a great weekend. If you like this podcast, please spread the word, and until next time, be safe out there.

07-29
02:39

NetStandard Knocked Offline, Moxa NPort Flaws, Twitter Data Sale, and more.

A daily look at the relevant information security news from overnight - 28 July, 2022
Episode 275 - 28 July 2022

NetStandard Knocked Offline - https://www.bleepingcomputer.com/news/security/kansas-msp-shuts-down-cloud-services-to-fend-off-cyberattack/
Moxa NPort Flaws - https://www.securityweek.com/moxa-nport-device-flaws-can-expose-critical-infrastructure-disruptive-attacks
Post Macro Tactics - https://www.infosecurity-magazine.com/news/hackers-change-tactics-for-new/
Naughty Knotweed - https://thehackernews.com/2022/07/microsoft-uncover-austrian-company.html
Twitter Data Sale - https://www.infosecurity-magazine.com/news/criminal-twitter-users-data/

Hi, I’m Paul Torgersen. It’s Thursday July 28th, 2022 and this is a look at the information security news from overnight.

From BleepingComputer.com: Managed service provider NetStandard suffered a cyberattack causing the company to shut down its MyAppsAnywhere cloud services. The company said Hosted GP, Hosted CRM, Hosted Exchange, and Hosted Sharepoint will be offline until further notice, but that no other services were impacted. That being said, their main website remains down as well. No word on threat actor or malware involved, but it is assumed to be a ransomware hit.

From SecurityWeek.com: Two high severity flaws have been found in the NPort 5110 device servers from Moxa. The vulnerabilities can be exploited remotely to cause the targeted device to enter a denial of service condition. The only way to regain control of the device is to physically power it down, which might present a challenge as many of these devices are in very remote locations. These things are designed to connect to Ethernet networks and should not be exposed to the internet. However, a Shodan search found at least 5,300 of them that are. Now some of these may be honeypots, but they’re not ALL honeypots. Customers should contact Moxa for a security patch.

From InfoSecurity-Magazine.com: Since Microsoft announced they would disable macros by default, the use of macro-enabled attachments by threat actors decreased by around 66% between October 2021 and June 2022. Awesome. But, where there’s a will there's a way. In that same timeframe, the number of malicious campaigns using container file formats jumped up 176%. These formats include ISO, RAR, ZIP and IMG files that contain macro-enabled docs. Now the ISO and RAR formats will still have the Mark of the Web, meaning they originated from the internet and their macros would be blocked, but the files within them would not. Link to the ProofPoint research in the article.

From TheHackerNews.com: A threat actor tracked as Knotweed used several Windows and Adobe zero-day exploits in highly-targeted attacks against targets in Europe and Central America. They are actually an Austrian outfit called DSIRF that supposedly sells general security and information analysis services to commercial customers. As a side gig, they created a cyberweapon called Subzero, which can hack phones, computers, and internet-connected devices. Talk about vertical integration.

And last, from InfoSecurity-Magazine.com: A user named devil is selling a database of 5.4 million Twitter users' information on the Breached Forums site. They say it contains the phone numbers and email addresses of users, including celebrities and companies, and is asking for $30,000. Twitter is investigating the issue, which the seller said exploited a vulnerability in its systems that allows someone to find additional user information, even if that user has it hidden in privacy settings.

That’s all for me today. Have a great rest of your day. Like and subscribe, and until tomorrow, be safe out there.

07-28
03:44

WordFly Breach, Now IIS See You, No Knock Nuki, and more.

A daily look at the relevant information security news from overnight - 27 July, 2022
Episode 274 - 27 July 2022

WordFly Breach - https://www.securityweek.com/mailing-list-provider-wordfly-scrambling-recover-following-ransomware-attack
Now IIS See You - https://www.bleepingcomputer.com/news/microsoft/microsoft-exchange-servers-increasingly-hacked-with-iis-backdoors/
Messaging Threats - https://threatpost.com/messaging-apps-cybercriminals/180303/
Robin Banks Phishing Service - https://www.bleepingcomputer.com/news/security/new-robin-banks-phishing-service-targets-bofa-citi-and-wells-fargo/
No Knock Nuki - https://www.securityweek.com/nuki-smart-lock-vulnerabilities-allow-hackers-open-doors

Hi, I’m Paul Torgersen. It’s Wednesday July 27th, 2022 and this is a look at the information security news from overnight.

From SecurityWeek.com: Mailing list provider WordFly has been offline for more than two weeks after a ransomware attack encrypted data on some of its systems. The attack hit on July 10, and the company hasn’t been able to restore service since. The company confirms data was exfiltrated, but believes it was subsequently deleted. They expect to be down at least another few days before they get systems operational again. No word on the malware or threat actor.

From BleepingComputer.com: Attackers are increasingly using Internet Information Services, IIS, web server extensions to backdoor unpatched Exchange servers. Being installed in the exact location and using the same structure as legitimate modules, they provide attackers with a perfect and durable persistence mechanism. Details and a link to the Microsoft report in the article.

From ThreatPost.com: Threat actors are tapping the multi-feature nature of messaging apps such as Telegram and Discord as a foundation in persistent campaigns that threaten users. Intel 471 identified three key ways in which threat actors are leveraging the apps: storing stolen data, hosting malware payloads, and using bots that perform the dirty work. Details and a link inside.

From BleepingComputer.com: A new phishing as a service platform has shown up with the name Robin Banks. As you may have guessed, it offers ready-made phishing kits targeting the customers of well-known banks. Companies like Citibank, Bank of America, Capital One, Wells Fargo, etc. Oh, they also offer templates to steal Microsoft, Google, Netflix, and T-Mobile accounts. Pricing from $50 to $200 a month.

And last, from SecurityWeek.com: Security researchers have documented 11 vulnerabilities impacting Nuki smart lock products; you may not be able to see my air quotes. Nuki Smart Lock and Nuki Bridge allow users to unlock their doors with their smartphones by simply walking in range. Brilliant. Exploiting the found vulnerabilities could result in a fully compromised device, including the ability to open and close the door without the owner even noticing. After being notified of the flaws in April, Nuki has issued patches this month.

That’s all for me today. Have a great rest of your day. Like and subscribe, and until tomorrow, be safe out there.

07-28
02:54

Grails RCE Vuln, PrestaShop Skimmed, FileWave Crit Flaws, and more.

A daily look at the relevant information security news from overnight - 26 July, 2022
Episode 273 - 26 July 2022

Grails RCE Vuln - https://portswigger.net/daily-swig/critical-security-vulnerability-in-grails-could-lead-to-remote-code-execution
PrestaShop Skimmer - https://thehackernews.com/2022/07/hackers-exploit-prestashop-zero-day-to.html
LinkedIn Phishing for Admins - https://www.bleepingcomputer.com/news/security/linkedin-phishing-target-employees-managing-facebook-ad-accounts/
PolicyBazaar Breached - https://www.infosecurity-magazine.com/news/indian-insurance-policybazaar/
FileWave Crit Flaws - https://thehackernews.com/2022/07/critical-filewave-mdm-flaws-open.html

Hi, I’m Paul Torgersen. It’s Tuesday July 26th, 2022 and from Denver, this is a look at the information security news from overnight.

From PortSwigger.net: A critical vulnerability within a Grails application runtime could allow an attacker to gain remote code execution. The attack exploits a section of the Grails data-binding logic, and has been confirmed on Grails framework versions 3.3.10 and higher, including Grails framework 4 and 5, that are running on Java 8. It has been observed in both the embedded Tomcat runtime and applications deployed as a Web Archive to a Tomcat instance. The company urges all users, even those using unaffected versions, to update as soon as possible.

From TheHackerNews.com: Threat actors are exploiting a previously unknown security flaw in the open source PrestaShop e-commerce platform to inject malicious skimmer code. PrestaShop is the leading open-source e-commerce solution in Europe and Latin America, used by nearly 300,000 online merchants worldwide. The company said they found a zero-day flaw in its service that has been addressed in version 1.7.8.7, although they are not sure that was the only flaw vulnerable to the attack.

From BleepingComputer.com: A new spear phishing campaign named Ducktail is targeting professionals on LinkedIn to take over Facebook business accounts. The threat actors are specifically targeting people who have admin privileges on their employer’s social media accounts. Fingers point to a Vietnamese threat actor that has been active since at least 2021 and maybe back as far as 2018.

From Infosecurity-Magazine.com: Indian insurance company Policybazaar has advised that it suffered a data breach, confirming an unauthorized access to their systems on July 19. The company has found and fixed the exploited vulnerability and claims that no significant customer data was exposed.

And last, from TheHackerNews.com: FileWave's mobile device management system has been found vulnerable to two critical security flaws that could be leveraged to carry out remote attacks and seize control of a fleet of devices connected to it. The two flaws relate to an authentication bypass, and the use of a hard-coded cryptographic key. There are more than 1,100 internet-facing FileWave servers that are vulnerable to the attack. Get your patch on kids.

That’s all for me today. Have a great rest of your day. Like and subscribe, and until tomorrow, be safe out there.

07-26
02:56

Entrust Breached, UEFI Rootkit, Racoon Gets Buff, and more.

A daily look at the relevant information security news from overnight - 25 July, 2022
Episode 272 - 25 July 2022

Entrust Breached - https://www.bleepingcomputer.com/news/security/digital-security-giant-entrust-breached-by-ransomware-gang/
UEFI Rootkit - https://thehackernews.com/2022/07/experts-uncover-new-cosmicstrand-uefi.html
Urgent SonicWall Patch - https://www.securityweek.com/sonicwall-warns-critical-gms-sql-injection-vulnerability
Cisco Nexus Patches Three - https://portswigger.net/daily-swig/cisco-patches-dangerous-bug-trio-in-nexus-dashboard
Racoon Gets Buff - https://thehackernews.com/2022/07/racoon-stealer-is-back-how-to-protect.html

Hi, I’m Paul Torgersen. It’s Monday July 25th, 2022, and this is a look at the information security news from overnight.

From BleepingComputer.com: Identity and access management company Entrust has confirmed that it was the victim of a cyberattack. Threat actors were able to breach their network and steal data from internal systems. The company says they have found no indication that the breach has impacted their operation or their products and services. No word on malware strain or threat actor involved. More to come I’m sure.

From TheHackerNews.com: An unknown Chinese-speaking threat actor has been attributed with a new kind of UEFI firmware rootkit called CosmicStrand. The rootkit is located in the firmware images of Gigabyte or ASUS motherboards, and is related to designs using the H81 chipset. Victims identified so far are just individuals in China, Vietnam, Iran and Russia, with no discernable ties to business or government agencies. A link to the Kaspersky research in the article.

From SecurityWeek.com: SonicWall has issued urgent patches for a critical flaw in its Global Management System software, warning that the issue exposes businesses to remote attacks. The 9.4 severity flaw provides a pathway for a remote attacker to execute arbitrary SQL queries in the database. The vulnerability exists due to insufficient sanitization of user-supplied data.

From PortSwigger.net: Serious vulnerabilities in Cisco Nexus Dashboard give attackers a viable path to executing arbitrary commands as root, uploading container image files, or performing cross-site request forgery attacks. Cisco has issued patches for the three bugs, one of them carrying a 9.8 severity rating. The company said it was not aware of any of these bugs being exploited in-the-wild. Get your patch on kids.

And last, from TheHackerNews.com: The new and vastly improved version of Raccoon Stealer has hit the scene. Not only can it steal browser passwords, cookies, and auto-fill data, it can now also steal credit card numbers, cryptocurrency and crypto wallets, harvest file data, drop files onto the system, list apps installed on the machine, and take screenshots. Fortunately, just like with the real world rodents, basic precautions should keep the varmint at bay: beware of spoofed messages and don’t click any links you didn’t know were specifically coming.

That’s all for me today. Have a great rest of your day. Like and subscribe, and until tomorrow, be safe out there.

07-25
03:06

Drupal Updates, Zyxel Firewall Patches, Candiru’s DevilsTongue, and more.

A daily look at the relevant information security news from overnight - 22 July, 2022
Episode 271 - 22 July 2022

Drupal Updates - https://www.securityweek.com/code-execution-and-other-vulnerabilities-patched-drupal
Zyxel Firewall Patches - https://portswigger.net/daily-swig/zyxel-firewall-vulnerabilities-left-business-networks-open-to-abuse
PayPal Double Spear Phishing - https://www.infosecurity-magazine.com/news/paypal-used-send-malicious-double/
Okta Too Open - https://threatpost.com/risks-okta-sso/180249/
Candiru’s DevilsTongue - https://www.bleepingcomputer.com/news/security/chrome-zero-day-used-to-infect-journalists-with-candiru-spyware/

Hi, I’m Paul Torgersen. It’s Friday July 22nd, 2022, and from Victoria one last time, this is a look at the information security news from overnight.

From SecurityWeek.com: Drupal has released patches for four vulnerabilities. The most critical flaw affects Drupal 9.3 and 9.4, and it can lead to arbitrary PHP code execution on Apache web servers. The other three vulnerabilities also impact the Drupal core and can lead to cross-site scripting attacks, information disclosure, or access bypass. Get your patch on kids.

From PortSwigger.net: Zyxel has released patches for several of its firewall products following the discovery of two security vulnerabilities that left business networks open to exploitation. One is an authenticated directory traversal vulnerability in the Common Gateway Interface, and the other is a local privilege escalation vulnerability that was identified in the command-line interface. You should update to the latest versions as soon as you can.

From Infosecurity-Magazine.com: Threat actors are using PayPal to send out phishing invoices. PayPal domains are usually “allow-listed” by organizations’ email filters, so cyber-criminals are registering accounts and composing malicious invoices on the platform. Many are spoofing Norton products, but substituting their own information for payments. They even have someone answering the included Customer Service number to continue the charade to extract dollars from their victims.

From ThreatPost.com: Four newly discovered attack paths in the products for IAM vendor Okta could lead to PII exposure, account takeover, or even organizational data destruction. Note that the researchers call these “attack paths” and not vulnerabilities. Okta says this is a non-issue and all you need to do is tweak up your security profile a little, which is beyond what they offer as their default settings. You can see the details in the article.

And last, from BleepingComputer.com: The Israeli spyware vendor Candiru was found using a Google Chrome zero day to spy on journalists and other high-interest individuals in the Middle East with their 'DevilsTongue' spyware. Threat researchers from Avast, who discovered the vulnerability and reported it to Google, revealed that they unearthed the flaw after investigating spyware attacks on their clients. The vuln was patched on July 4. Details and a link to the research in the article.

That’s all for me today. Have a great rest of your day. Like and subscribe, and until next time, be safe out there.

07-22
03:03

Patched Atlassian, Linux Hit by Lightning, Neopets Nabbed, and more.

A daily look at the relevant information security news from overnight - 21 July, 2022
Episode 270 - 21 July 2022

Patched Atlassian - https://www.bleepingcomputer.com/news/security/atlassian-fixes-critical-confluence-hardcoded-credentials-flaw/
Linux Hit by Lightning - https://thehackernews.com/2022/07/new-linux-malware-framework-let.html
Renewed Redeemer - https://www.bleepingcomputer.com/news/security/new-redeemer-ransomware-version-promoted-on-hacker-forums/
Apple Pushed Update - https://www.securityweek.com/apple-ships-urgent-security-patches-macos-ios
Neopets Nabbed - https://www.bleepingcomputer.com/news/security/neopets-data-breach-exposes-personal-data-of-69-million-members/

Hi, I’m Paul Torgersen. It’s Thursday July 21st, 2022, and from Victoria, this is a look at the information security news from overnight.

From BleepingComputer.com: Atlassian has patched a critical hardcoded credentials vulnerability in Confluence Server and Data Center that could let remote, unauthenticated attackers log into vulnerable servers. The hardcoded password is added after installing the Questions for Confluence app, for an account with the username disabledsystemuser. It was designed to help admins with the migration of data from the app to the Confluence Cloud.

From TheHackerNews.com: A never-before-seen malware called Lightning Framework targets Linux machines to install rootkits. The malware has been dubbed a "Swiss Army Knife" and is equipped with a plethora of features, making it one of the most intricate frameworks developed for targeting Linux systems. Details and a link to the research report in the article.

From BleepingComputer.com: A threat actor is promoting a new version of their free-to-use Redeemer ransomware builder on hacker forums. According to its author, the 2.0 release was written entirely in C++ and works on Windows Vista, 7, 8, 10, and 11. This offers unskilled threat actors an easy entry to the world of encryption-backed extortion attacks. All they pay is 20% of any ransom they manage to collect.

From SecurityWeek.com: Apple's security response team has pushed out software fixes for at least 39 vulnerabilities impacting macOS Catalina, iOS and iPadOS platforms. The patches provide updates for numerous memory safety flaws, some serious enough to expose users to remote code execution attacks. Apple is urging users to update straight away. Get your patch on kids.

And last today, from BleepingComputer.com: Neopets has suffered a data breach leading to the theft of source code as well as a database containing the personal information of over 69 million members. A hacker known as 'TarTarX' began selling the source code and database for four bitcoins, about $94,000 at current prices. He did not confirm his attack vector, but it appears he still has active access to the database.

That’s all for me today. Have a great rest of your day. Like and subscribe, and until tomorrow, be safe out there.

07-21
02:43

Knauf Knocked Out, Rusty Luna, Magecart Skim, and more.

A daily look at the relevant information security news from overnight - 20 July, 2022
Episode 269 - 20 July 2022

Knauf Knocked Out - https://www.bleepingcomputer.com/news/security/building-materials-giant-knauf-hit-by-black-basta-ransomware-gang/
Rusty Luna - https://thehackernews.com/2022/07/new-rust-based-ransomware-family.html
GPS Over-Tracking - https://www.zdnet.com/article/flaws-in-a-popular-gps-tracker-could-allow-hackers-to-track-or-stop-vehicles-say-security-researchers/
Oracle Patchfest - https://www.securityweek.com/oracle-releases-349-new-security-patches-july-2022-cpu
Magecart Skim - https://docs.google.com/document/d/1Kse6lMi7hJEg1wDnVS_ZEND2pZOEMT4a9We3erCPsXE/edit

Hi, I’m Paul Torgersen. It’s Wednesday July 20th, 2022, and from Victoria, this is a look at the information security news from overnight.

From BleepingComputer.com: The Knauf Group, a large Germany based building materials company, has announced it has been the target of a cyberattack that has disrupted its business operations. Their global IT team has shut down all systems to isolate the incident. Knauf has not confirmed it is a ransomware attack, but the Black Basta group has claimed responsibility for the attack on their extortion site. So far they claim to have released about 20% of the information they stole, which indicates they are likely still hopeful to receive a ransom from the victim.

From TheHackerNews.com: Researchers have disclosed a brand-new ransomware family written in Rust, that Kaspersky Labs has named Luna. The ransomware is fairly simple and appears to be in its early development. It is designed to be used by Russian speaking threat actors, and can run on Windows, Linux, and ESXi systems.

From ZDNet.com: Critical security vulnerabilities in the MiCODUS MV720 vehicle GPS tracker could be used to remotely track, stop or even take control of vehicles in which it is installed. These devices are popular with large companies and government entities, with approximately 1.5 million of them currently in use in 169 countries. Researchers at BitSight, who found the flaws, say these devices should not be used until patches are available. No word from MiCODUS on when that might be.

From SecurityWeek.com: Oracle’s quarterly Critical Patch Update has a total of 349 new security patches, including 230 for vulnerabilities that can be exploited by remote, unauthenticated attackers. 64 of the vulnerabilities are rated critical, with four of those scoring a ten out of ten. Financial Services Applications received the largest number of fixes, followed by Oracle Communications, then Fusion Middleware. Get your patch on kids.

And last today, from ThreatPost.com: A Magecart campaign has been skimming payment-card credentials from customers using three online restaurant-ordering systems. The attack has affected over 300 restaurants and compromised at least 50,000 cards so far, which have already been offered up for sale on the dark web. The platforms impacted are MenuDrive, Harbortouch, and InTouchPOS.

That’s all for me today. Have a great rest of your day. Like and subscribe, and until tomorrow, be safe out there.

07-20
03:03

Mac is Back-Doored, Fake Crypto Apps, Russians Hiding in the Cloud, and more.

A daily look at the relevant information security news from overnight - 19 July, 2022
Episode 268 - 19 July 2022

Mac is Back-Doored - https://www.bleepingcomputer.com/news/security/elastix-voip-systems-hacked-in-massive-campaign-to-install-php-web-shells/
Fake Crypto Apps - https://www.zdnet.com/article/fbi-these-fake-apps-are-trying-to-steal-your-crypto-heres-what-to-watch-out-for/
FlipKart Breach - https://techcrunch.com/2022/07/18/cleartrip-data-breach-dark-web/
SATAn Air Gapped Attack - https://thehackernews.com/2022/07/new-air-gap-attack-uses-sata-cable-as.html
Russians Hiding on the Cloud - https://www.bleepingcomputer.com/news/security/russian-svr-hackers-use-google-drive-dropbox-to-evade-detection/

Hi, I’m Paul Torgersen. It’s Tuesday July 19th, 2022, and from Port Angeles, this is a look at the information security news from overnight.

From BleepingComputer.com: Unknown threat actors are using a previously undetected malware to backdoor macOS devices and exfiltrate information. ESET researchers named the malware CloudMensis because it uses pCloud, Yandex Disk, and Dropbox public cloud storage services for C2 communications. It is not known yet how the malware is distributed. Details in the article.

From ZDNet.com: The FBI has warned that criminal groups are creating fraudulent apps that mimic real financial services brands that have so far duped investors into parting with $42.7 million over the past six months. Many of these are mimicking cryptocurrency services as there continues to be a flood of new players in the space and some ambiguity around crypto investing. Details and links to the advisory in the article.

From TechCrunch.com: Cleartrip, a popular travel-booking platform in India, has confirmed a data breach after hackers claimed to post the stolen data on the dark web. Exact details of the stolen data are not yet known; however, analysis of the screenshots posted make it appear that significant amounts of data were accessed, including forward looking information, which may indicate an insider was involved.

From TheHackerNews.com: Researchers have developed a new method to steal data from an air gapped machine using the Serial ATA cable. Dubbed SATAn, the attack uses the SATA cable as a covert channel to emanate electromagnetic signals and transfer information to a nearby receiver just over a meter away. Fortunately, this technique does require physical access to the machine initially, which obviously makes it much more difficult. On the other hand, Stuxnet required physical access as well, so you never know.

And last today, from BleepingComputer.com: State-backed Russian hackers have started using legitimate Google Drive cloud storage services to evade detection. It is akin to hiding in plain sight by getting lost in the crowd. Google cloud storage is ubiquitous and pretty much universally trusted. Russian threat actors are abusing that trust to render their attacks exceedingly difficult, if not impossible, to detect and block.

That’s all for me. Have a great rest of your day. Like and subscribe, and until next time, be safe out there.

07-19
02:58

Elastix VoIP Attack, Botnet Targeting ICS, Blitz.JS Polluted, and more.

A daily look at the relevant information security news from overnight - 18 July, 2022
Episode 267 - 18 July 2022

Elastix VoIP Attack - https://www.bleepingcomputer.com/news/security/elastix-voip-systems-hacked-in-massive-campaign-to-install-php-web-shells/
Botnet Targeting ICS - https://thehackernews.com/2022/07/hackers-distributing-password-cracking.html
Play Store Purge - https://threatpost.com/google-boots-malware-marketplace/180241/
Juniper Patches - https://www.securityweek.com/juniper-networks-patches-over-200-third-party-component-vulnerabilities
Blitz.JS Polluted - https://portswigger.net/daily-swig/prototype-pollution-in-blitz-js-leads-to-remote-code-execution

Hi, I’m Paul Torgersen. It’s Monday July 18th, 2022, and from Port Angeles, this is a look at the information security news from overnight.

From BleepingComputer.com: Threat analysts have uncovered a large-scale campaign targeting Elastix VoIP telephony servers with more than 500,000 malware samples over a period of about three months. The attackers are likely exploiting CVE-2021-45461, a remote code execution vulnerability with a 9.8 severity. The goal is to plant a PHP web shell that could run arbitrary commands on the compromised communications server. Details in the article.

From TheHackerNews.com: Industrial engineers and operators are the target of a new campaign that leverages password cracking software to seize control of Programmable Logic Controllers and co-opt the machines to a botnet. Attackers are exploiting a vulnerability in the firmware which allows it to retrieve the password on command. They then drop the Sality malware and turn the host into a peer in Sality's peer-to-peer botnet. More details inside.

From ThreatPost.com: Google has removed eight apps from its Play store that were propagating a new variant of the Joker spyware. Unfortunately those apps had already accounted for a total of over 3 million downloads. Those apps are: Vlog Star Video Editor, Creative 3D Launcher, Wow Beauty Camera, Gif Emoji Keyboard (yes I said gif not jif), Freeglow Camera, Coco Camera, Funny Camera, and Razer Keyboard & Theme.

From SecurityWeek.com: Juniper Networks has published 21 security advisories to inform customers about patches for more than 200 vulnerabilities. Six of those advisories impact their own products, including Junos OS, Junos Space, Contrail Networking, and Northstar Controller products. The rest were vulnerabilities affecting third-party components such as Nginx, OpenSSL, Samba, Java SE, SQLite and Linux. Details in the article.

And last today, from PortSwigger.net: Blitz.js, a JavaScript web application framework, has patched a dangerous prototype pollution vulnerability that could lead to remote code execution on Node.js servers. The bug allows attackers to manipulate the code in the Blitz.js app to create a reverse shell and run arbitrary commands on the server. You can find all the dirty details in the article.

That’s all for me. Have a great rest of your day. Like and subscribe, and until next time, be safe out there.

07-18
03:09

Hive Five Decryptor, WordPress Scan, WordPress Phishes PayPal, and more.

A daily look at the relevant information security news from overnight - 15 July, 2022
Episode 266 - 15 July 2022

Hive Five Decryptor - https://www.techtarget.com/searchsecurity/news/252522715/Researcher-develops-Hive-ransomware-decryption-tool
WordPress Scan - https://www.bleepingcomputer.com/news/security/attackers-scan-16-million-wordpress-sites-for-vulnerable-plugin/
SMB H0lyGh0st - https://thehackernews.com/2022/07/north-korean-hackers-targeting-small.html
Spoofing GitHub Commits - https://www.securityweek.com/supply-chain-attack-technique-spoofs-github-commit-metadata
WordPress Phishes PayPal - https://www.bleepingcomputer.com/news/security/paypal-phishing-kit-added-to-hacked-wordpress-sites-for-full-id-theft/

Hi, I’m Paul Torgersen. It’s Friday July 15th, 2022, and this is a look at the information security news from overnight.

From TechTarget.com: A malware researcher known as reecDeep, or reecDeep, I’m sorry if I am mispronouncing your handle, has developed and published a decryption tool on GitHub for version 5 of the Hive ransomware. reecDeep developed the tool with a fellow anonymous malware researcher known as rivitna. The post includes technical details of how Hive v5 works as well as how the researchers developed their brute-force decryption tool.

From BleepingComputer.com: Security researchers have detected a massive campaign that scanned close to 1.6 million WordPress sites for the presence of a vulnerable plugin that allows uploading files without authentication. They were specifically targeting the Kaswara Modern WPBakery Page Builder, which had been abandoned by its author before receiving a patch for a critical severity flaw uncovered last year. Exploitation of the flaw could lead to a complete takeover of the site.

From TheHackerNews.com: An emerging threat cluster originating from North Korea, which calls itself H0lyGh0st, has been linked to developing and using ransomware with that same payload name targeting small businesses since September of last year. Targeted entities primarily include SMBs such as manufacturing organizations, banks, schools, and event and meeting planning companies.

From SecurityWeek.com: Security researchers are warning of a new supply chain attack technique that relies on spoofed commit metadata to add legitimacy to malicious GitHub repositories. Threat actors could tamper with commit data so that a repository would appear to be older than it actually is, or that reputable contributors have been involved in its maintenance.

And last this week, from BleepingComputer.com: A newly discovered phishing kit is targeting PayPal users in an attempt to steal your PII. The kit is hosted on legitimate WordPress websites that have been hacked, which allows it to evade detection, at least for a little while. The threat actor targets poorly secured WordPress sites and brute-forces their login. They’ve also done a pretty nice job on the PayPal spoof site, which includes a Captcha challenge for a whiff of legitimacy. The ultimate goal is not only gathering login info, but financial and address details as well.

That’s all for me. Have a great weekend. Like and subscribe, and until next time, be safe out there.

07-15
02:59

Lilith Not-Fair, Retbleed Spectre, Bandai Namco Gamed, and more.

A daily look at the relevant information security news from overnight - 14 July, 2022
Episode 265 - 14 July 2022

Lilith Not-Fair - https://www.bleepingcomputer.com/news/security/new-lilith-ransomware-emerges-with-extortion-site-lists-first-victim/
Retbleed Spectre - https://www.securityweek.com/retbleed-new-speculative-execution-attack-targets-intel-amd-processors
AWS Kubernetes Flaw - https://portswigger.net/daily-swig/vulnerability-in-aws-iam-authenticator-for-kubernetes-could-allow-user-impersonation-privilege-escalation-attacks
Teams Sticker Shock - https://portswigger.net/daily-swig/microsoft-teams-security-vulnerability-left-users-open-to-xss-via-flawed-stickers-feature
Bandai Namco Gamed - https://www.bleepingcomputer.com/news/security/bandai-namco-confirms-hack-after-alphv-ransomware-data-leak-threat/

Hi, I’m Paul Torgersen. It’s Thursday July 14th, 2022, and this is a look at the information security news from overnight.

From BleepingComputer.com: There’s a new ransomware group that has just hit the scene named Lilith. They have created the standard double-extortion leak site and added their first victim, a large construction group in South America, which has since been removed from the site. Analysis of the new family shows it does not appear to introduce any novelties, but another someone to keep an eye on. Details in the article.

From SecurityWeek.com: Researchers have devised a new speculative execution attack called Retbleed that can lead to information leaks and works on both Intel and AMD processors. The attack targets retpolines, or return trampolines, which were one of the defenses proposed back in 2018 to mitigate the Spectre side-channel attacks. You can see all the details and a link to the research paper in the article.

From PortSwigger.net: A vulnerability in AWS IAM Authenticator for Kubernetes could allow a malicious actor to impersonate other users and escalate privileges in Kubernetes clusters. This impacts Elastic Kubernetes Service clusters configured with the AccessKeyID template parameter. If this is you, make sure you are running version 0.5.9.

Also from PortSwigger.net: Attackers could abuse the sticker feature in Microsoft Teams to conduct cross-site scripting attacks. The Teams platform converts stickers into an image and uploads the content as RichText/HTML in the subsequent message. This can be manipulated for a potential HTML injection attack against multiple domains. All the sticky details in the article.

And last today, from BleepingComputer.com: Japanese game publishing giant Bandai Namco has confirmed that they suffered a cyberattack. The BlackCat ransomware gang has claimed responsibility for the attack on their data leak site. The company says the breach occurred on July 3rd to their internal systems in Asian regions other than Japan, and they are still evaluating the scope and type of information compromised.

That’s all for me today. Have a great rest of your day. Like and subscribe, and until tomorrow, be safe out there.

07-14
02:40

Qakbot Glows Up, AiTM Phishing, Luna Moth Flutters In, and more.

A daily look at the relevant information security news from overnight - 13 July, 2022
Episode 264 - 13 July 2022

Qakbot Glows Up - https://thehackernews.com/2022/07/researchers-uncover-new-attempts-by.html
AiTM Phishing - https://threatpost.com/large-scale-hishing-bypasses-mfa/180212/
Lenovo Firmware Flaw - https://thehackernews.com/2022/07/new-uefi-firmware-vulnerabilities.html
Microsoft Patches Zero Day - https://www.bleepingcomputer.com/news/microsoft/microsoft-july-2022-patch-tuesday-fixes-exploited-zero-day-84-flaws/
Luna Moth Flutters In - https://www.bleepingcomputer.com/news/security/new-luna-moth-hackers-breach-orgs-via-fake-subscription-renewals/

Hi, I’m Paul Torgersen. It’s Wednesday July 13th, 2022, and this is a look at the information security news from overnight.

From TheHackerNews.com: Researchers at Zscaler have found that the operators behind the Qakbot malware are trying to sidestep detection by altering their delivery vectors. Most recently, by using ZIP file extensions, code obfuscation, utilizing multiple URLs, and using unknown file extensions such as .OCX, .ooccxx, .gyp, etc. Looks like this little workhorse just won't go away. A link to that research in the article.

From ThreatPost.com: Microsoft has uncovered a massive phishing campaign that can steal credentials even if you have multi-factor authentication enabled. The campaign uses adversary-in-the-middle phishing sites to hijack session cookies so the attacker gets authenticated to a session on the user’s behalf regardless of the sign-in method used. The ultimate goal seems to be payment fraud through Business Email Compromise attacks, and it has targeted over 10,000 organizations to date. Details in the article.

From TheHackerNews.com: Lenovo rolled out fixes for three security flaws in its UEFI firmware affecting over 70 product models. The vulnerabilities can be exploited to achieve arbitrary code execution in the early phases of the platform boot. All three bugs relate to buffer overflow vulnerabilities. Lenovo had to patch three UEFI vulnerabilities earlier this year as well.

From BleepingComputer.com: Microsoft's July Patch Tuesday included fixes for 84 total vulnerabilities. Four of those were critical, one of which was a zero day being actively exploited in the wild. That one could gain an attacker SYSTEM privileges, but no attack details were provided. This is in addition to fixes rolled out from SAP, Siemens, Schneider and others. Get your patch on, kids.

And last today, also from BleepingComputer.com: A new data extortion group has been trying to breach companies to steal confidential information. The group, called Luna Moth, has been active since at least March with phishing campaigns that claim to be subscription renewal invoices, but really deliver remote access tools. The emails spoof the relevant brand, but actually all come from Gmail accounts. The techniques and tools used indicate these guys are not very sophisticated. On the other hand, sometimes our users are not very sophisticated, so better to be aware.

That’s all for me today. Have a great rest of your day. Like and subscribe, and until tomorrow, be safe out there.

07-13
03:06

OAuth Dirty Dancing, Crypto Mining in the Cloud, Ransom Return, and more.

A daily look at the relevant information security news from overnight - 12 July, 2022
Episode 263 - 12 July 2022

OAuth Dirty Dancing - https://portswigger.net/daily-swig/dirty-dancing-in-oauth-researcher-discloses-how-cyber-attacks-can-lead-to-account-hijacking
Crypto Mining in the Cloud - https://thehackernews.com/2022/07/cloud-based-cryptocurrency-miners.html
Rolling-PWN a Honda - https://www.bleepingcomputer.com/news/security/hackers-can-unlock-honda-cars-remotely-in-rolling-pwn-attacks/
Amazon Scam Days - https://www.infosecurity-magazine.com/news/spike-amazon-prime-scams/
Ransom Return - https://www.bleepingcomputer.com/news/security/new-0mega-ransomware-targets-businesses-in-double-extortion-attacks/

Hi, I’m Paul Torgersen. It’s Tuesday July 12th, 2022, and this is a look at the information security news from overnight.

From PortSwigger.net: A researcher has discovered a way to perform single-click account hijacking by abusing the OAuth process flow. He calls it Dirty Dancing because attackers can dance around the OAuth authentication process and how it communicates between a browser and a service provider. All the dirty details in the article.

From TheHackerNews.com: GitHub Actions and Azure virtual machines are being leveraged for cloud-based crypto mining operations. At least 1,000 repositories and 550 code samples have been found taking advantage of the GitHub runners for mining. No number was provided for the Azure VMs. Details and a link to the Trend Micro research in the article.

From BleepingComputer.com: Researchers found that several modern Honda models have a vulnerable rolling code mechanism that allows unlocking the cars or even starting the engine remotely. It has to do with intercepting signals from the fob and how the pseudorandom number generator works. The Hondas will re-sync when the car gets lock/unlock commands in succession, which allows codes from a previous session to be successful instead of invalidated. Details inside.

From Infosecurity-Magazine.com: With Amazon Prime Days come Amazon Prime Days scams. In 2021 there was nearly double the amount of phishing scams related to the sale than typical Amazon-focused attempts. Be on the lookout for imposter websites and lots of “get an Amazon gift card if you fill out this survey.” Remember, if something looks too good to be true, it probably is.

And last today, from BleepingComputer.com: In a bit of good news, back in December of 2019, Maastricht University, a Dutch university with more than 22,000 students, fell victim to a ransomware attack. To get their files decrypted, they paid a ransom of 30 bitcoins, about 200,000 Euro at the time. Flash forward to February of this year when Dutch authorities found a wallet containing part of the paid ransom, which they promptly returned to the university. But because of the increase in value of the crypto, the amount returned was right about 500,000 Euro. Sometimes being the victim of a crime does pay.

That’s all for me today. Have a great rest of your day. Like and subscribe, and until tomorrow, be safe out there.

07-12
02:52

Mangatoon Mega Breach, Security Companies as Phishing Bait, 0mega Ransomware, and more.

A daily look at the relevant information security news from overnight - 11 July, 2022
Episode 262 - 11 July 2022

Mangatoon Mega Breach - https://www.bleepingcomputer.com/news/security/mangatoon-data-breach-exposes-data-from-23-million-accounts/
Security Companies as Phishing Bait - https://www.zdnet.com/article/brazen-crooks-are-now-posing-as-cybersecurity-companies-to-trick-you-into-installing-malware/
La Poste Mobile Attacked - https://www.infosecurity-magazine.com/news/ransomware-french-telecomes/
Edge Zero Day Patch - https://www.techradar.com/news/microsoft-edge-gets-emergency-patch-for-severe-zero-day-vulnerability
0mega Ransomware - https://www.bleepingcomputer.com/news/security/new-0mega-ransomware-targets-businesses-in-double-extortion-attacks/

Hi, I’m Paul Torgersen. It’s Monday July 11th, 2022, and this is a look at the information security news from overnight.

From BleepingComputer.com: Comic reading platform Mangatoon has suffered a data breach that exposed information belonging to 23 million user accounts. It appears to have been stolen from an unsecured Elasticsearch database. There has been no response whatsoever from the company, so if you want to know if your information was involved you will have to head over to haveibeenpwned (.) com to check.

From ZDNet.com: Criminals are posing as cybersecurity companies in phishing campaigns which claim that the recipient has been hit by a cyber attack. They are urged to respond in order to protect their network from being further compromised. Of course that response then opens the door to the hackers to actually compromise their network. The article has a link to the research by CrowdStrike, who also happens to be one of the companies being impersonated.

From Infosecurity-Magazine.com: A ransomware attack, most likely LockBit, has hit French telecoms operator La Poste Mobile. The company took down their public facing website and customer area as a precaution and they remain down a week later. They claim their routers were secure, but employee desktops may have been breached. They are urging customers to be extra alert for targeted phishing or identity theft attacks.

From TechRadar.com: A few days after Google patched a zero day flaw in Chrome, Microsoft has now patched that same flaw in Edge. While both companies are keeping mum on details, we do know it is a heap-based buffer overflow weakness and it has been compromised in the wild. Get your patch on, kids.

And last today, from BleepingComputer.com: A new ransomware operation named 0mega, with a zero instead of an O, targets organizations worldwide in double-extortion attacks. No sample has yet been examined, so there is not a lot of data about how the ransomware encrypts files. We do know that it appends the .0mega extension to the encrypted files’ names and creates ransom notes named DECRYPT-FILES.txt. These notes are customized per victim, usually containing the company name and describing the different types of data stolen in the attack. Victims are directed to a Tor payment site with a support chat that they can use to contact the ransomware gang.

That’s all for me today. Have a great rest of your day. Like and subscribe, and until tomorrow, be safe out there.

07-11
02:53

QNAP Calls Checkmate, Fake Google Delivers HavanaCrypt, Node.js Patch, and more.

A daily look at the relevant information security news from overnight - 08 July, 2022
Episode 261 - 08 July 2022

QNAP Calls Checkmate - https://www.bleepingcomputer.com/news/security/qnap-warns-of-new-checkmate-ransomware-targeting-nas-devices/
Fake Google Delivers HavanaCrypt - https://www.securityweek.com/new-havanacrypt-ransomware-distributed-fake-google-software-update
IcedID on Yandex - https://www.bleepingcomputer.com/news/security/fake-copyright-complaints-push-icedid-malware-using-yandex-forms/
ABCsoup Browser - https://thehackernews.com/2022/07/experts-uncover-350-browser-extension.html
Node.js Patch - https://portswigger.net/daily-swig/node-js-fixes-multiple-bugs-that-could-lead-to-rce-http-request-smuggling

Hi, I’m Paul Torgersen. It’s Friday July 8th, 2022, and this is a look at the information security news from overnight.

From BleepingComputer.com: QNAP is warning customers to secure their network attached storage devices against attacks using Checkmate ransomware. The company says the attacks are focused on Internet-exposed devices with the SMB service enabled, and accounts with weak passwords that can be cracked in brute-force or dictionary attacks. Ransom notes seen so far put the price tag of the decryptor at about $15,000 in bitcoin.

From SecurityWeek.com: Security researchers have identified a new ransomware family called HavanaCrypt that is being delivered as a fake Google Software Update application. The ransomware performs multiple anti-virtualization checks and uses a Microsoft web hosting service IP address for its C2 server, which helps it to evade detection. More details in the article.

From BleepingComputer.com: Website owners are being targeted with fake copyright infringement complaints to distribute the IcedID banking malware, as well as the BazarLoader and BumbleBee loaders. Instead of using Google Drive or Google Sites to host their alleged reports, this time around the threat actors are using Yandex Forms. Details in the article.

From TheHackerNews.com: Researchers uncovered a malicious browser extension with 350 variants that is masquerading as a Google Translate add-on. The malware family, dubbed ABCsoup, is part of an adware campaign targeting Russian users of Chrome, Opera, and Firefox browsers. The threat group appears to be well organized and originating out of Eastern Europe or Russia.

And last today, from PortSwigger.net: The maintainers of Node.js have released multiple fixes for vulnerabilities in the JavaScript runtime environment. Exploitation of the seven newly patched bugs could lead to arbitrary code execution and HTTP request smuggling, among other attacks. The flaws impact all versions of the 18.x, 16.x and 14.x releases. Get your patch on, kids.

That’s all for me this week. Have a fantastic weekend. Like and subscribe, and until next time, be safe out there.

07-08
02:43

North Korean Maui Zowie, Linux and Windows RedAlert, Linux in OrBit, and more.

A daily look at the relevant information security news from overnight - 07 July, 2022
Episode 260 - 07 July 2022

North Korean Maui Zowie - https://www.zdnet.com/article/fbi-these-hackers-are-targeting-healthcare-records-and-it-systems-with-maui-ransomware/
Linux and Windows RedAlert - https://www.bleepingcomputer.com/news/security/new-redalert-ransomware-targets-windows-linux-vmware-esxi-servers/
CuteBoi NPM Mining - https://thehackernews.com/2022/07/over-1200-npm-packages-found-involved.html
SHI Attacked - https://www.bleepingcomputer.com/news/security/it-services-giant-shi-hit-by-professional-malware-attack/
Linux in OrBit - https://thehackernews.com/2022/07/researchers-warn-of-new-orbit-linux.html

Hi, I’m Paul Torgersen. It’s Thursday July 7th, 2022, and this is a look at the information security news from overnight.

From ZDNet.com: Several US agencies have issued an alert that North Korean-sponsored attackers are targeting healthcare and public health organizations with the Maui ransomware. The warnings say these attacks have been going on since at least May of 2021, but they are still not sure of the initial attack vector. Early analysis suggests the malware is designed for attackers to manually select files for encryption, as opposed to encrypting all files wholesale. Details and a link to the advisory in the article.

From BleepingComputer.com: A new ransomware operation called RedAlert, or N13V, targets both Windows and Linux VMware ESXi servers with command-line options that allow the threat actors to shut down any running virtual machines before encrypting files. Victims are directed to a Tor site to pay a ransom in Monero to receive the decryptors. Details in the article.

From TheHackerNews.com: Researchers have found a large-scale crypto mining campaign targeting the NPM JavaScript package repository. The malicious activity, attributed to a threat actor called CuteBoi, involves an array of 1,283 rogue modules from over 1,000 different user accounts using automation which includes the ability to pass the NPM 2FA challenge. Much of the source code in this attack is nearly identical to EazyMiner.

From BleepingComputer.com: SHI International has confirmed that a malware attack forced them to bring some of their systems, including email and public websites, offline. They described it as a coordinated and professional malware attack. The company says no customer data was exfiltrated and that third party systems in its supply chain were unaffected. No word on the threat actor or malware strain involved.

And last today, from TheHackerNews.com: Researchers have uncovered a new Linux threat dubbed OrBit, the fourth Linux-targeting malware discovered in the past three months. This one can be installed either with persistence capabilities or as a volatile implant, and implements advanced evasion techniques. It ultimately provides the threat actors with remote access capabilities over SSH, harvests credentials, and logs TTY commands. Details in the article.

That’s all for me today. Have a great rest of your day. Like and subscribe, and until tomorrow, be safe out there.

07-07
02:58

Spring Data Bad SpEL, Hive Gets Rust-ed, Cozy Bear Leverages BRc4, and more.

A daily look at the relevant information security news from overnight - 06 July, 2022
Episode 259 - 06 July 2022

Spring Data Bad SpEL - https://portswigger.net/daily-swig/spring-data-mongodb-hit-by-another-critical-spel-injection-flaw
Hive Gets Rust-ed - https://thehackernews.com/2022/07/hive-ransomware-upgrades-to-rust-for.html
Silent Shadow Fix - https://www.bleepingcomputer.com/news/microsoft/microsoft-quietly-fixes-shadowcoerce-windows-ntlm-relay-bug/
Google to Delete Sensitive Tracking - https://www.infosecurity-magazine.com/news/british-army-social-media-accounts/
Cozy Bear Leverages BRc4 - https://thehackernews.com/2022/07/hackers-abusing-brc4-red-team.html

Hi, I’m Paul Torgersen. It’s Wednesday July 6th, 2022, and this is a look at the information security news from overnight.

From PortSwigger.net: A critical SpEL injection vulnerability has been patched in Spring Data MongoDB. The 9.8 severity bug could be exploited to achieve remote code execution. FIRST.org has ranked the flaw among the top 10 CVEs likely to be used in the wild over the last 30 days. The ease of exploitation and the number of proof of concepts available will likely make this vulnerability very popular. Get your patch on, kids.

From TheHackerNews.com: The operators of the Hive ransomware have completely rewritten the malware, moving from the Go language to Rust. This gains them the benefit of memory safety and deeper control over low-level resources, as well as making use of a wide range of cryptographic libraries. It also makes it more difficult to reverse engineer. These changes continue to show Hive as one of the fastest evolving ransomware families out there.

From ZDNet.com: Four more Android apps have been removed from the Google Play store after it was discovered they were being used to deliver the Joker malware to smartphones. The apps, which have over 100,000 downloads between them, are: Smart SMS Messages, Blood Pressure Monitor, Voice Language Translator and Quick Text SMS. They join at least 11 other apps that have been removed recently for the same issue. Details in the article.

From BleepingComputer.com: Microsoft has confirmed that they silently patched the ShadowCoerce vulnerability as part of their June 2022 updates. They say the vuln was mitigated along with CVE-2022-30154 because they both affect the same component. The question is, why have they not yet publicly provided any details, or even assigned a CVE ID? Strange actions for a vulnerability of this magnitude. No clarification yet from Redmond.

And last today, from TheHackerNews.com: Malicious actors have been observed abusing Brute Ratel C4, a relatively new and quite sophisticated toolkit designed to avoid detection by EDR and AV capabilities. BRc4 is a customized command-and-control center for red team and adversary simulation. Evidently the bad guys thought it was ready for prime time. The bad guys in this case probably being APT29, or Cozy Bear. You may remember them from the SolarWinds supply chain attack last year.

That’s all for me today. Have a great rest of your day. Like and subscribe, and until tomorrow, be safe out there.

07-06
03:05

WeWork Exposure, Django Injection, Google Zero-Day Patch, and more.

A daily look at the relevant information security news from overnight - 05 July, 2022
Episode 258 - 05 July 2022

WeWork Exposure - https://techcrunch.com/2022/07/04/wework-exposed-visitors-data/
Django Injection - https://www.bleepingcomputer.com/news/security/django-fixes-sql-injection-vulnerability-in-new-releases/
AstraLocker Expires - https://www.bleepingcomputer.com/news/security/astralocker-ransomware-shuts-down-and-releases-decryptors/
Google to Delete Sensitive Tracking - https://www.infosecurity-magazine.com/news/british-army-social-media-accounts/
Google Zero-Day Patch - https://threatpost.com/actively-exploited-chrome-bug/180118/

Hi, I’m Paul Torgersen. It’s Tuesday July 5th, 2022, and this is a look at the information security news from overnight.

From TechCrunch.com: WeWork India had a security lapse that exposed the personal information and selfies of tens of thousands of people who used the WeWork coworking spaces in the country. The bug made it possible to access the check-in record of any visitor by manually typing in a check-in ID, with no safeguards against accessing the data in bulk. The company is fixing the issue.

From BleepingComputer.com: Django, an open source Python-based web framework, has patched a high-severity SQL injection vulnerability. The flaw affects Django's main branch, and versions 4.1 (currently in beta), 4.0, and 3.2. Developers are urged to upgrade to Django versions 4.0.6 and 3.2.14 as soon as possible.

Also from BleepingComputer.com: The threat actor behind the AstraLocker ransomware says they're shutting down the operation and plan to switch to cryptojacking. The ransomware's developer even submitted a ZIP archive with the AstraLocker decryptors to VirusTotal. The decryptors appear to be legit and worked on the one sample the team at BleepingComputer tried out. Details and a link to that zip file in the article.

From ZDNet.com: Google says it will automatically wipe user location history for visits to healthcare clinics, including abortion and fertility clinics, domestic abuse shelters, and other sensitive areas. The fear is that, in a post-Roe world, this location tracking data could be used in persecutions, excuse me, prosecutions. These changes will be rolling out in the coming weeks.

And last today, from ThreatPost.com: Google quietly rolled out a stable channel update for Chrome to patch an actively exploited zero-day vulnerability. This is the fourth such flaw the vendor has had to patch so far this year. The bug is a buffer overflow that was just reported on July 1. The company also tidied up a few other bugs while it was at it.

That’s all for me today. Have a great rest of your day. Like and subscribe, and until tomorrow, be safe out there.

07-05
02:42

Giant China Data Breach, Raspberry Robin, Zoho RCE POC, and more.

A daily look at the relevant information security news from overnight - 04 July, 2022
Episode 257 - 04 July 2022

Giant China Data Breach - https://www.zdnet.com/article/giant-data-breach-leaked-personal-data-of-one-billion-people-has-been-spotted-for-sale-on-the-dark-web/
Raspberry Robin - https://www.bleepingcomputer.com/news/security/microsoft-finds-raspberry-robin-worm-in-hundreds-of-windows-networks/
British Army Hawks Crypto Scam - https://www.infosecurity-magazine.com/news/british-army-social-media-accounts/
LockBit Black - https://www.itpro.co.uk/security/ransomware/368418/latest-lockbit-ransomware-strain-strikingly-similar-to-blackmatter
Microsoft Backdoor - https://thehackernews.com/2022/07/new-sessionmanager-backdoor-targeting.html
Zoho RCE POC - https://www.bleepingcomputer.com/news/security/zoho-manageengine-adaudit-plus-bug-gets-public-rce-exploit/

Hi, I’m Paul Torgersen. It’s Monday July 4th, 2022, happy birthday America, and this is a look at the information security news from overnight.

From ZDNet.com: Detailed personal information for 1 billion Chinese residents has been found for sale on the dark web. Obviously this would be one of the largest data breaches in history. The information in the 23 terabytes of data includes names, addresses, national ID numbers, mobile phone numbers, as well as police and medical records. Hackers claim the information came from the Shanghai National Police database and are offering it for sale for 10 bitcoin, which right now is less than $200,000.

From BleepingComputer.com: Microsoft recently spotted a Windows worm on the networks of hundreds of organizations from various industry sectors. The malware, Raspberry Robin, spreads via infected USB devices, you know, those ones the boss finds lying in the parking lot and plugs in to see what’s on it? Microsoft observed the malware connecting to addresses on the Tor network, although it appears the threat actors are yet to exploit any access they gained to victims' networks. Details in the article.

From Infosecurity-Magazine.com: The British Army confirmed its Twitter and YouTube accounts were compromised by a third party and used to direct visitors to cryptocurrency scams. There are reports that their Facebook account was compromised also. The YouTube account was completely rebranded to resemble investment firm Ark Invest, posting live stream videos featuring Elon Musk and Jack Dorsey. The social media accounts all appear to be back under proper control.

From ITPro.co.uk: Security researchers have acquired a sample of LockBit 3.0, which the hacking group internally calls LockBit Black. Analysis shows that large portions of the code are ripped straight from the BlackMatter ransomware developed by the DarkSide group. You will remember them as the group that shut down last year after their huge Colonial Pipeline hit brought a lot of national security heat down on them. Evidently LockBit hired some of those developers. Details and a link to the analysis in the article.

And last today, from BleepingComputer.com: Security researchers have published technical details and a proof-of-concept for a critical vulnerability in the Zoho ManageEngine ADAudit Plus tool for monitoring activities in Active Directory. The vulnerability could lead to remote code execution and compromise of Active Directory accounts, and comes with a severity score of 9.8. Get your patch on, kids.

That’s all for me today. Have a great Fourth of July, and until tomorrow, be safe out there.

07-04
03:15
