@malwaremily
Last active October 16, 2021 19:11
Security News 2021

** I'VE MOVED TO THIS REPO!: https://github.com/malwaremily/infosec-news-briefs/

Security News in 2021

Jump to a Month

JANUARY
FEBRUARY
MARCH
APRIL
MAY
JUNE
JULY
AUGUST
SEPTEMBER
OCTOBER
NOVEMBER
DECEMBER

JANUARY

2021/01/19

Dnsmasq is vulnerable to memory corruption and cache poisoning

  • CERT Coordination Center : "Dnsmasq is vulnerable to a set of memory corruption issues handling DNSSEC data and a second set of issues validating DNS responses. These vulnerabilities could allow an attacker to corrupt memory on a vulnerable system and perform cache poisoning attacks against a vulnerable environment... Moshe Kol and Shlomi Oberman of JSOF researched and reported these vulnerabilities." Written by Vijay Sarvepalli.

2021/01/25

New campaign targeting security researchers

  • Google TAG : "Over the past several months, the Threat Analysis Group has identified an ongoing campaign targeting security researchers working on vulnerability research and development at different companies and organizations. The actors behind this campaign, which we attribute to a government-backed entity based in North Korea, have employed a number of means to target researchers which we will outline below. We hope this post will remind those in the security research community that they are targets to government-backed attackers and should remain vigilant when engaging with individuals they have not previously interacted with."

FEBRUARY

2021/02/04

Heap-Based Buffer Overflow in Sudo

  • CERT Coordination Center : "A heap-based overflow has been discovered in sudo, which may allow a local attacker to execute commands with elevated administrator privileges... This vulnerability was researched and reported by the Qualys Research Team." Written by Timur Snoke.

2021/02/12

Yandex Insider Threat

  • ThreatPost : "In a security notice, Yandex [a popular Russian search engine] said an employee had been providing unauthorized access to users’ email accounts 'for personal gain.'"

2021/02/17

Alert (AA21-048A) AppleJeus: Analysis of North Korea’s Cryptocurrency Malware

  • US-CERT : "The North Korean government has used multiple versions of AppleJeus since the malware was initially discovered in 2018. This section outlines seven of the versions below. The MARs listed above provide further technical details of these versions. Initially, HIDDEN COBRA actors used websites that appeared to host legitimate cryptocurrency trading platforms to infect victims with AppleJeus; however, these actors are now also using other initial infection vectors, such as phishing, social networking, and social engineering techniques, to get users to download the malware."

Kia Motors Outage & Alleged Dopple Ransomware

  • BleepingComputer : "Kia Motors America has suffered a ransomware attack by the DoppelPaymer gang, demanding $20 million for a decryptor and not to leak stolen data."

2021/02/18

Solorigate Response Final Update from Microsoft

  • Microsoft : "We have now completed our internal investigation into the activity of the actor and want to share our findings"

Silver Sparrow

  • Red Canary : "Silver Sparrow is an activity cluster that includes a binary compiled to run on Apple’s new M1 chips but lacks one very important feature: a payload."
  • Ars Technica : "Once an hour, infected Macs check a control server to see if there are any new commands the malware should run or binaries to execute... the lack of a final payload suggests that the malware may spring into action once an unknown condition is met."

2021/02/24

Unauth RCE in VMware vCenter

  • PT SWARM : "In this article, I will cover how I discovered the VMware vSphere client RCE vulnerability, divulge the technical details, and explain how it can be exploited on various platforms."
  • ZDnet : "More than 6,700 VMware vCenter servers are currently exposed online and vulnerable to a new attack that can allow hackers to take over unpatched devices and effectively take over companies' entire networks."

Mozilla Releases Security Updates for Thunderbird, Firefox ESR, and Firefox

  • US-CERT : "Mozilla has released security updates to address vulnerabilities in Firefox, Firefox ESR, and Thunderbird. An attacker could exploit these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review the Mozilla security advisories for Firefox 86, Firefox ESR 78.8, and Thunderbird 78.8 and apply the necessary updates."

2021/02/26

Ryuk ransomware now self-spreads to other Windows LAN devices

NSA releases guidance on Zero Trust Security Model

  • US-CERT : "...which provides information about, and recommendations for, implementing Zero Trust within networks. The Zero Trust security model is a coordinated system management strategy that assumes breaches are inevitable or have already occurred."

2021/02/27

Google shares PoC exploit for critical Windows 10 Graphics RCE bug

MARCH

2021/03/02

HAFNIUM targeting Exchange Servers with 0-day exploits

  • Microsoft Security Blog : "In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures."

2021/03/03

Cybersecurity firm Qualys likely latest victim of Accellion hacks

  • BleepingComputer : "Yesterday, the Clop ransomware gang posted screenshots of files allegedly belonging to the cybersecurity firm Qualys. The leaked data includes purchase orders, invoices, tax documents, and scan reports."

Okta acquires cloud identity startup Auth0 for $6.5B

  • TechCrunch
  • MarketWatch : "Okta to buy competitor Auth0 for $6.5 billion, stock drops as earnings outlook comes up short"

2021/03/04

Accellion zero-day claims a new victim in cybersecurity company Qualys

  • ZDnet : "Qualys has revealed that a 'limited' number of customers may have been impacted by a data breach connected to an Accellion zero-day vulnerability. The cloud security and compliance firm said on Wednesday that the security incident did not have any 'operational impact,' but 'unauthorized access' had been obtained to an Accellion FTA server used by the company."

Mazafaka, Verified and Exploit cybercriminal forums suffer data breaches

  • ZDnet : "The Maza cybercriminal forum has reportedly suffered a data breach leading to the leak of user information."
  • KrebsonSecurity : "Over the past few weeks, three of the longest running and most venerated Russian-language online forums serving thousands of experienced cybercriminals have been hacked. In two of the intrusions, the attackers made off with the forums’ user databases, including email and Internet addresses and hashed passwords. Members of all three forums are worried the incidents could serve as a virtual Rosetta Stone for connecting the real-life identities of the same users across multiple crime forums."

2021/03/06

Ransomware gang [sells] plans to call victim's business partners about attacks

  • BleepingComputer : "The REvil ransomware operation announced this week that they are using DDoS attacks and voice calls to journalists and victim's business partners to generate ransom payments. The REvil ransomware operation, also known as Sodinokibi, is a ransomware-as-a-service (RaaS) where the ransomware operators develop the malware and payment site, and affiliates (adverts) compromise corporate networks to deploy the ransomware."

2021/03/08

Ransomware Gang Fully Doxes Bank Employees in Extortion Attempt

  • The Verge : "Hackers posted the alleged names, social security numbers, and home addresses of several Flagstar Bank workers."

GitHub fixes bug causing users to log into other accounts

  • BleepingComputer : "Last night, GitHub automatically logged out many users by invalidating their GitHub.com sessions to protect user accounts against a potentially serious security vulnerability. Earlier this month GitHub had received a report of anomalous behavior from an external party. The anomalous behavior stemmed from a rare race condition vulnerability in which a GitHub user's login session was misrouted to the web browser of another logged-in user, giving the latter an authenticated session cookie of and access to the former user's account."

2021/03/09

Microsoft Exchange Server Vulnerabilities Mitigations – updated March 9, 2021

  • Microsoft : "Microsoft previously blogged our strong recommendation that customers upgrade their on-premises Exchange environments to the latest supported version. For customers that are not able to quickly apply updates, we are providing the following alternative mitigation techniques to help Microsoft Exchange customers who need more time to patch their deployments and are willing to make risk and service function trade-offs."

Heap-Based Buffer Overflow in Sudo

  • US-CERT : "It is possible for a local Non-administrative user to exploit this vulnerability to elevate their privileges so that they can execute commands with administrator privileges. The team at Qualys assigned this vulnerability CVE-2021-3156 and found multiple *nix operating systems were vulnerable, including Fedora, Debian, and Ubuntu. A blog update from February 3, 2021, reports that macOS, AIX, and Solaris may be vulnerable, but Qualys had not yet confirmed this. There is additional reporting that other operating systems are affected, including Apple’s Big Sur."

2021/03/10

About the March 8 & 9, 2021 Verkada camera hack

  • Cloudflare Security Blog : "Yesterday, we were notified of a breach of Verkada that allowed a hacker to access Verkada’s internal support tools to manage those cameras remotely, as well as access them through a remote root shell. As soon as we were notified of the breach, we proceeded to shut down the cameras in all our office locations to prevent further access. To be clear: this hack affected the cameras and nothing else. No customer data was accessed, no production systems, no databases, no encryption keys, nothing."

Embedded TCP/IP stacks have memory corruption vulnerabilities

  • US-CERT : "Multiple open-source embedded TCP/IP stacks, commonly used in Internet of Things (IoT) and embedded devices, have several vulnerabilities stemming from improper memory management. These vulnerabilities are also tracked as ICS-VU-633937 and JVNVU#96491057 as well as the name AMNESIA:33... The impact of these vulnerabilities vary widely due to the combination of build and runtime options customized while including these in embedded devices. In summary, a remote, unauthenticated attacker may be able to use specially-crafted network packets to cause the vulnerable device to behave in unexpected ways such as a failure (denial of service), disclosure of private information, or execution of arbitrary code."

2021/03/11

Critics fume after GitHub removes exploit code for Exchange vulnerabilities

  • ArsTechnica : "On Wednesday, a researcher published what’s believed to be the first largely working proof-of-concept (PoC) exploit for the vulnerabilities. Based in Vietnam, the researcher also published a post on Medium describing how the exploit works. With a few tweaks, hackers would have most of what they needed to launch their own in-the-wild RCEs... Critics accused Microsoft of censoring content of vital interest to the security community because it harmed Microsoft interests. Some critics pledged to remove large bodies of their work on GitHub in response."
  • DarkReading : "Exploit code for two Microsoft Exchange Server vulnerabilities under attack was published to GitHub earlier today. The Microsoft-owned platform quickly took down the proof-of-concept (PoC). The PoC combines CVE-2021-26855 and CVE-2021-27065, two of the four Exchange Server zero-days that attackers are using to break into Exchange Servers and deploy Web shells to steal data from target businesses. Since the flaws were patched on March 2, attacks have rapidly increased. At least 10 advanced persistent threat groups have started to weaponize these vulnerabilities to target servers."

Molson Coors Beer Operations Halted by Hack

  • DarkReading : "Molson Coors, one of the nation's largest beer makers, halted production this week after hackers disrupted company operations. In a regulatory filing, company officials said the cyberattack has taken its systems offline, and delayed production and shipments. Details about the nature of the attack were not disclosed. 'Molson Coors experienced a systems outage that was caused by a cybersecurity incident,' the company said in a statement. The company is looking into the incident and is working to get systems back up as quickly as possible. A forensic IT firm is assisting with the investigation."

2021/03/12

New ZHtrap botnet malware deploys honeypots to find more targets

  • BleepingComputer : "A new botnet is hunting down and transforming infected routers, DVRs, and UPnP network devices into honeypots that help it find other targets to infect... The malware, dubbed ZHtrap by the 360 Netlab security researchers who spotted it, is loosely based on Mirai's source code, and it comes with support for x86, ARM, MIPS, and other CPU architectures. To propagate, ZHtrap uses exploits targeting four N-day security vulnerabilities in Realtek SDK Miniigd UPnP SOAP endpoints, MVPower DVR, Netgear DGN1000, and a long list of CCTV-DVR devices. It also scans for devices with weak Telnet passwords from a list of randomly generated IP addresses and collected with the help of the honeypot it deploys on devices already ensnared in the botnet."

Microsoft Reports 'DearCry' Ransomware Targeting Exchange Servers

  • DarkReading : "Attackers have begun to deploy ransomware on Microsoft Exchange Servers compromised by the ProxyLogon exploits... the new ransomware family [is] tracked as Ransom:Win32/DoejoCrypt.A and nicknamed 'DearCry,' which is using the Microsoft Exchange vulnerabilities to target customers."

Sky Global Executive and Associate Indicted for Providing Encrypted Communication Devices to Help International Drug Traffickers Avoid Law Enforcement

  • : "A federal grand jury today returned an indictment against the Chief Executive Officer and an associate of the Canada-based firm Sky Global on charges that they knowingly and intentionally participated in a criminal enterprise that facilitated the transnational importation and distribution of narcotics through the sale and service of encrypted communications devices."

New old bugs in the linux kernel

  • GRIMM : "CVE-2021-27365"

2021/03/13

Updates on Microsoft Exchange Server Vulnerabilities

  • US-CERT : "CISA has added seven Malware Analysis Reports (MARs) to Alert AA21-062A: Mitigate Microsoft Exchange Server Vulnerabilities. Each MAR identifies a webshell associated with exploitation of the vulnerabilities in Microsoft Exchange Server products. After successfully exploiting a Microsoft Exchange Server vulnerability for initial access, a malicious cyber actor can upload a webshell to enable remote administration of the affected system. In addition to the MARs, CISA added information on ransomware activity associated with exploitation of the Exchange Server products, including DearCry ransomware."

Google will face lawsuit over Incognito mode tracking

  • Engadget : Lawsuit claims Google didn't do enough to warn users about tracking during incognito mode. Google argues it warned users that they may still be tracked.

2021/03/14

Twitter bug automatically suspends you when tweeting 'Memphis'

  • BleepingComputer : "A bug on Twitter is causing users to become temporarily suspended if they tweet the word 'Memphis,' BleepingComputer has confirmed."

Stripe closes 600 Million Round at a 95 Billion Valuation

  • TechCrunch : "On the heels of reports that Stripe was raising yet more money, the payments giant has now confirmed the details. The company has closed in on another $600 million, at a valuation of $95 billion. Stripe said it will use the funding to expand its business in Europe, with a focus on its European HQ, and also to beef up its global payments and treasury network."

2021/03/15

Microsoft Teams, Exchange and more went down for four hours on Monday

  • The Verge : "Microsoft Teams went down for around four hours on Monday, alongside Azure and other Microsoft 365 services. Microsoft blamed the issues on 'a recent change to an authentication system' that took some Microsoft 365 services down. A roll back to the change took longer than Microsoft expected, with the company confirming at 12:35AM ET that 'impact has been largely mitigated.'"
  • Twitter: Microsoft 365 Status : "We're investigating an issue for access to multiple M365 services. Please visit the admin center post M0244568 for more information. We'll provide additional information here as it becomes available."

Microsoft Releases One-Click Microsoft Exchange On-Premises Mitigation Tool (EOMT)

  • Microsoft : "Microsoft has released a new, one-click mitigation tool, Microsoft Exchange On-Premises Mitigation Tool to help customers who do not have dedicated security or IT teams to apply these security updates."

Blender website in maintenance mode after hacking attempt

  • BleepingComputer : "Blender.org, the official website of the popular 3D computer graphics software Blender, is now in maintenance mode according to a message displayed on the site. 'The http://blender.org website is undergoing maintenance due to a hacking attempt,' the official Blender account on Twitter said earlier today, adding that 'the website will be back as soon as possible.'"

Phishing sites now detect VMs to bypass detection using JavaScript

  • BleepingComputer : "Phishing sites are now using JavaScript to evade detection by checking whether a visitor is browsing the site from a virtual machine or headless device... To bypass detection, a phishing kit utilizes JavaScript to check whether a browser is running under a virtual machine or without an attached monitor. If it discovers any signs of analysis attempts, it shows a blank page instead of displaying the phishing page."

A Hacker Got All My Texts for $16

  • VICE : "A gaping flaw in SMS lets hackers take over phone numbers in minutes by simply paying a company to reroute text messages."

Microsoft could reap more than $150 million in new U.S. cyber spending, upsetting some lawmakers

  • Reuters : "Microsoft stands to receive nearly a quarter of Covid relief funds destined for U.S. cybersecurity defenders, sources told Reuters, angering some lawmakers who don’t want to increase funding for a company whose software was recently at the heart of two big hacks." Written by Joseph Menn, Christopher Bing, Raphael Satter.

Signal is down in China

  • TechCrunch : "Chinese users of the instant messenger Signal knew that the good times wouldn’t last long. The app, which is used for encrypted conversations, is unavailable in mainland China as of the morning of March 16, a test by TechCrunch shows. The website of the app has been banned in mainland China since March 15, according to censorship-tracking website Greatfire.org... The encrypted chat app was one of the few Western social networks that remained accessible in China without the use of a virtual private network. The likes of Facebook, Twitter and Instagram have long been blocked."

2021/03/16

Hacker leaks payment data from defunct WeLeakInfo breach site

  • BleepingComputer : "The now-defunct WeLeakInfo data breach site has suffered its own data breach after a threat actor leaked the service's payment information and customer info..."

Teen hacker agrees to 3 years in prison for Twitter Bitcoin scam

  • BleepingComputer : "A Florida teenager has pleaded guilty to fraud charges after coordinating the hack of high-profile Twitter accounts to run a cryptocurrency scam that collected roughly $120,000 worth of bitcoins... Using credentials of Twitter employees with access to internal support tools, they targeted 130 high-profile accounts, accessing the direct messages of 36 (including the inbox of Dutch Member of House of Representatives Geert Wilders), eventually downloading the Twitter Data for seven accounts. He also sold access to those accounts and, later, used the high-profile and verified Twitter accounts to run a cryptocurrency scam on the social network's platform."

Mimecast says SolarWinds hackers breached its network and spied on customers

  • ArsTechnica : "Email-management provider Mimecast has confirmed that a network intrusion used to spy on its customers was conducted by the same advanced hackers responsible for the SolarWinds supply chain attack."

FBI warns of escalating Pysa ransomware attacks on K-12 education orgs

  • BleepingComputer : "The Federal Bureau of Investigation (FBI) Cyber Division has warned system administrators and cybersecurity professionals of increased Pysa ransomware activity targeting educational institutions. The CP-000142-MW flash alert issued by the FBI today was coordinated with DHS-CISA and it provides indicators of compromise to help guard against the malicious actions of this ransomware gang."

U.S. intelligence: Putin authorized influence operations to hurt Biden's candidacy

  • AXIOS : "The U.S. intelligence community found that Russia and Iran conducted influence operations aimed at affecting the outcome of the election, but that China did not. The report found no indications that foreign actors attempted to alter any technical aspect of the voting process."

2021/03/17

Alert (AA21-076A) TrickBot Malware

  • US-CERT : "TrickBot is an advanced Trojan that malicious actors spread primarily by spearphishing campaigns using tailored emails that contain malicious attachments or links, which—if enabled—execute malware (Phishing: Spearphishing Attachment [T1566.001], Phishing: Spearphishing Link [T1566.002]). CISA and FBI are aware of recent attacks that use phishing emails, claiming to contain proof of a traffic violation, to steal sensitive information. The phishing emails contain links that redirect to a website hosted on a compromised server that prompts the victim to click on photo proof of their traffic violation. In clicking the photo, the victim unknowingly downloads a malicious JavaScript file that, when opened, automatically communicates with the malicious actor’s command and control (C2) server to download TrickBot to the victim’s system. Attackers can use TrickBot to: Drop other malware, such as Ryuk and Conti ransomware, or Serve as an Emotet downloader."

2021/03/18

Using CHIRP to Detect Post-Compromise Threat Activity in On-Premises Environments

  • US-CERT : "CISA Hunt and Incident Response Program (CHIRP) is a new forensics collection tool that CISA developed to help network defenders find indicators of compromise (IOCs) associated with the SolarWinds and Active Directory/M365 Compromise. CHIRP is freely available on the CISA GitHub repository."

Cisco Small Business RV132W and RV134W Routers Management Interface Remote Command Execution and Denial of Service Vulnerability

  • Cisco : "A vulnerability in the web-based management interface of Cisco RV132W ADSL2+ Wireless-N VPN Routers and Cisco RV134W VDSL2 Wireless-AC VPN Routers could allow an authenticated, remote attacker to execute arbitrary code on an affected device or cause the device to restart unexpectedly."

2021/03/19

Mozilla, Reddit, and Vimeo urge FCC to bring back net neutrality

  • The Verge : "Tech companies like Mozilla, Reddit, and Vimeo called on the Federal Communications Commission Friday to reinstate the net neutrality rules repealed by the Trump administration. In a letter to FCC Acting Chair Jessica Rosenworcel on Friday, internet companies Dropbox, Eventbrite, Reddit, Wikimedia, and Vimeo joined onto a letter led by Mozilla urging the agency to immediately bring back net neutrality once a third Democrat to the commission, nominated by President Joe Biden, is confirmed."

APRIL

2021/04/20

Hacking 3,000,000 apps at once through CocoaPods

  • Max Justicz : "tl;dr CocoaPods is a popular package manager used by lots of iOS apps (among other Swift and Objective-C Cocoa applications). I found a remote code execution bug in the central CocoaPods server holding keys for the Specs repo (https://trunk.cocoapods.org/). This bug would have allowed an attacker to poison any package download. It’s fixed now."

MAY

2021/05/24

Audio maker Bose discloses data breach after ransomware attack

  • BleepingComputer : "Bose Corporation (Bose) has disclosed a data breach following a ransomware attack that hit the company's systems in early March. In a breach notification letter filed with New Hampshire's Office of the Attorney General, Bose said that it 'experienced a sophisticated cyber-incident that resulted in the deployment of malware/ransomware across' its 'environment.'" Written by Sergiu Gatlan.

JUNE

2021/06/04

RCE in unpatched VMware vCenter Server & VMware Cloud Foundation

  • US-CERT : CVE-2021-21985 exploits in the wild; "remote code execution vulnerability in VMware vCenter Server and VMware Cloud Foundation."

2021/06/10

Google Releases Security Updates for Chrome

  • US-CERT : "Google has released Chrome version 91.0.4472.101 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system. One of these vulnerabilities—CVE-2021-30551—has been detected in exploits in the wild."

2021/06/15

Apple Releases Security Updates for iOS 12.5.4

  • US-CERT : "Apple has released security updates to address vulnerabilities in iOS 12.5.4. An attacker could exploit these vulnerabilities to take control of an affected system."

2021/06/18

Google Releases Security Updates for Chrome

  • US-CERT : "Google has released Chrome version 91.0.4472.114 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system. One of these vulnerabilities—CVE-2021-30554—has been detected in exploits in the wild."

2021/06/23

VMware Releases Security Updates

  • US-CERT : "VMware has released security updates to address vulnerabilities in the VMware Carbon Black App Control management server as well as VMware Tools for Windows, VMware Remote Console for Windows, and VMware App Volumes. An attacker could exploit these vulnerabilities to take control of an affected system."

2021/06/25

Citrix Releases Security Updates for Hypervisor

  • US-CERT : "Citrix has released security updates to address vulnerabilities in Hypervisor. An attacker could exploit these vulnerabilities to cause a denial-of-service condition."

2021/06/28

New Ransomware Variant Uses Golang Packer

  • Crowdstrike : "ransomware sample borrowing implementations from previous HelloKitty and FiveHands variants and using a Golang packer compiled with the most recent version of Golang ... this variant uses a unique executable packer that requires a key value to decrypt the payload in memory using a command-line switch “-key”." Written by Alexandru Ghita.

2021/06/30

PrintNightmare, Critical Windows Print Spooler Vulnerability

  • US-CERT : "The CERT Coordination Center (CERT/CC) has released a VulNote for a critical remote code execution vulnerability in the Windows Print spooler service, noting: 'while Microsoft has released an update for CVE-2021-1675, it is important to realize that this update does not address the public exploits that also identify as CVE-2021-1675.' An attacker can exploit this vulnerability—nicknamed PrintNightmare—to take control of an affected system."

JULY

2021/07/02

Kaseya VSA Supply-Chain Ransomware Attack

2021/07/06

Microsoft Releases Out-of-Band Security Updates for PrintNightmare

  • US-CERT : "... to address a remote code execution (RCE) vulnerability—known as PrintNightmare (CVE-2021-34527)—in the Windows Print spooler service. According to the CERT Coordination Center (CERT/CC), 'The Microsoft Windows Print Spooler service fails to restrict access to functionality that allows users to add printers and related drivers, which can allow a remote authenticated attacker to execute arbitrary code with SYSTEM privileges on a vulnerable system.'"

CISA-FBI Guidance for MSPs and their Customers Affected by the Kaseya VSA Supply-Chain Ransomware Attack

2021/07/08

Cisco Releases Security Updates for Multiple Products

  • US-CERT : "Cisco has released security updates to address vulnerabilities in multiple Cisco products. An attacker could exploit some of these vulnerabilities to take control of an affected system."

2021/07/12

Kaseya Provides Security Updates for VSA On-Premises Software Vulnerabilities

  • US-CERT : "Kaseya has released VSA version 9.5.7a for their VSA On-Premises software. This version addresses vulnerabilities that enabled the ransomware attacks on Kaseya’s customers."

2021/07/13

Apache Releases Security Advisory for Tomcat

  • US-CERT : "The Apache Software Foundation has released a security advisory to address a vulnerability in multiple versions of Tomcat. An attacker could exploit this vulnerability to obtain sensitive information."

Mozilla Releases Security Updates for Firefox, Thunderbird

  • US-CERT : "Mozilla has released security updates to address vulnerabilities in Firefox, Firefox ESR, and Thunderbird. An attacker could exploit some of these vulnerabilities to take control of an affected system."

Adobe Releases Security Updates for Multiple Products

  • US-CERT : "Adobe has released security updates to address vulnerabilities in multiple Adobe products. An attacker could exploit some of these vulnerabilities to take control of an affected system."

VMware Releases Security Update

  • US-CERT : "VMware has released a security update to address a vulnerability in VMware ESXi and VMware Cloud Foundation. An attacker could exploit this vulnerability to take control of an affected system."

Microsoft Releases July 2021 Security Updates

  • US-CERT : "Microsoft has released updates to address multiple vulnerabilities in Microsoft software. A remote attacker can exploit some of these vulnerabilities to take control of an affected system."

CISA Issues Emergency Directive on Microsoft Windows Print Spooler

  • US-CERT : "CISA has issued Emergency Directive (ED) 21-04: Mitigate Windows Print Spooler Service Vulnerability addressing CVE-2021-34527. Attackers can exploit this vulnerability to remotely execute code with system level privileges enabling a threat actor to quickly compromise the entire identity infrastructure of a targeted organization."

Citrix Releases Security Updates for Virtual Apps and Desktops

  • US-CERT : "Citrix has released security updates to address a vulnerability in multiple versions of Virtual Apps and Desktops. An attacker could exploit this vulnerability to take control of an affected system."

2021/07/15

Ransomware Risk in Unpatched, EOL SonicWall SRA and SMA 8.x Products

  • US-CERT : "CISA is aware of threat actors actively targeting a known, previously patched, vulnerability in SonicWall Secure Mobile Access (SMA) 100 series and Secure Remote Access (SRA) products running unpatched and end-of-life (EOL) 8.x firmware. Threat actors can exploit this vulnerability to initiate a targeted ransomware attack."

2021/07/16

Google Releases Security Updates for Chrome

  • US-CERT : "Google has released Chrome version 91.0.4472.164 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system. One of these vulnerabilities—CVE-2021-30563—has been detected in exploits in the wild."

2021/07/19

Fortinet Releases Security Updates for FortiManager and FortiAnalyzer

  • US-CERT : "Fortinet has released security advisory FG-IR-21-067 to address a use-after-free vulnerability in the FortiManager fgfmsd daemon. A use-after-free condition occurs when a program marks a section of memory as free but then subsequently tries to use that memory, which could result in a program crash. The use of previously freed memory in FortiManager fgfmsd daemon may allow a remote, unauthenticated attacker to execute arbitrary code as root. This occurs via sending a specifically crafted request to the fgfm port of the targeted device."

U.S. Government Releases Indictment and Several Advisories Detailing Chinese Cyber Threat Activity

  • US-CERT : "CISA, the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) have observed increasingly sophisticated Chinese state-sponsored activity targeting U.S. political, economic, military, educational, and critical infrastructure personnel and organizations."

2021/07/20

Citrix Releases Security Updates 

  • US-CERT : "Citrix has released security updates to address multiple vulnerabilities in Application Delivery Controller, Gateway, and SD-WAN WANOP Edition. An attacker could exploit some of these vulnerabilities to take control of an affected system."

Oracle Releases July 2021 Critical Patch Update

  • US-CERT : "Oracle has released its Critical Patch Update for July 2021 to address 342 vulnerabilities across multiple products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system."

2021/07/21

Malware Targeting Pulse Secure Devices

Apple Releases Security Updates

  • US-CERT : "Apple has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected device."

Google Releases Security Updates for Chrome

  • US-CERT : "Google has released Chrome version 92.0.4515.107 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system."

CISA Releases Security Advisory for Geutebruck Devices

  • US-CERT : "CISA has released an Industrial Control Systems (ICS) advisory detailing multiple vulnerabilities in multiple Geutebruck G-CAM E2 series devices and Encoder G-Code versions. A remote attacker could exploit some of these vulnerabilities to take control of an affected system."

2021/07/22

Drupal Releases Security Updates

  • US-CERT : "Drupal has released security updates to address a critical third-party-library vulnerability that could affect Drupal 7, 8.9, 9.1, and 9.2. An attacker could exploit this vulnerability to take control of an affected system."

2021/07/26

fail2ban – Remote Code Execution

  • securitum : Jakub Żoczek "This article is about the recently published security advisory for a pretty popular piece of software – fail2ban (CVE-2021-32749). The vulnerability could be massively exploited and lead to root-level code execution on multiple boxes; however, this task is rather hard to achieve for a regular person. It all has its roots in the mailutils package and I found it by total accident when playing with the mail command."

2021/07/27

Apple Releases Security Updates

  • US-CERT : "Apple has released security updates to address a vulnerability in multiple products. An attacker could exploit this vulnerability to take control of an affected device."

Microsoft Releases Guidance for Mitigating PetitPotam NTLM Relay Attacks

  • US-CERT : "On July 23, Microsoft released KB5005413: Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS) to address a NTLM Relay Attack named PetitPotam. CISA encourages users and administrators to review KB5005413 and apply the necessary mitigations."

2021/07/30

NSA Releases Guidance on Securing Wireless Devices While in Public

  • US-CERT : "The National Security Agency (NSA) has released an information sheet with guidance on securing wireless devices while in public for National Security System, Department of Defense, and Defense Industrial Base teleworkers, as well as the general public. This information sheet provides information on malicious techniques used by cyber actors to target wireless devices and ways to protect against it."

2021/07/31

CISA Announces Vulnerability Disclosure Policy (VDP) Platform

  • US-CERT : "CISA has announced the establishment of its Vulnerability Disclosure Policy (VDP) Platform for the federal civilian enterprise, which will allow the Federal Civilian Executive Branch to coordinate with the civilian security research community in a streamlined fashion. The VDP Platform provides a single, centrally managed website that agencies can leverage as the primary point of entry for intaking, triaging, and routing vulnerabilities disclosed by researchers. It enables researchers and members of the general public to find vulnerabilities in agency websites and submit reports for analysis."

AUGUST

2021/08/03

CISA Releases Security Advisory for Swisslog Healthcare

  • US-CERT : "CISA has released an Industrial Control Systems (ICS) advisory detailing multiple vulnerabilities in Swisslog Healthcare Translogic Pneumatic Tube Systems (PTS). An attacker could exploit some of these vulnerabilities to take control of an affected system."

2021/08/04

Google Releases Security Updates for Chrome

  • US-CERT : "Google has released Chrome version 92.0.4515.131 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system."

2021/08/05

Cisco Releases Security Updates 

  • US-CERT : "Cisco has released security updates to address vulnerabilities in multiple Cisco products. An attacker could exploit these vulnerabilities to take control of an affected system."

VMware Releases Security Updates for Multiple Products

  • US-CERT : "VMware has released security updates to address vulnerabilities in multiple products. An attacker could exploit these vulnerabilities to gain access to confidential information."

CISA Releases Security Advisory for InterNiche Products

  • US-CERT : "CISA has released an Industrial Control Systems (ICS) advisory detailing multiple vulnerabilities in InterNiche products. An attacker could exploit some of these vulnerabilities to take control of an affected system."

2021/08/06

Ivanti Releases Security Update for Pulse Connect Secure

  • US-CERT : "Ivanti has released Pulse Connect Secure system software version 9.1R12 to address multiple vulnerabilities an attacker could exploit to take control of an affected system."

2021/08/10

Intel Releases Multiple Security Updates

  • US-CERT : "Intel has released security updates to address vulnerabilities multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system."

SAP Releases August 2021 Security Updates

  • US-CERT : "SAP has released security updates to address vulnerabilities affecting multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system."

Mozilla Releases Security Updates for Firefox

  • US-CERT : "Mozilla has released security updates to address vulnerabilities in Firefox, Firefox ESR, and Thunderbird. An attacker could exploit some of these vulnerabilities to take control of an affected system."

Adobe Releases Security Updates for Multiple Products

  • US-CERT : "Adobe has released security updates to address vulnerabilities in multiple Adobe products. An attacker could exploit some of these vulnerabilities to take control of an affected system."

Microsoft Releases August 2021 Security Updates

  • US-CERT : "Microsoft has released updates to address multiple vulnerabilities in Microsoft software. A remote attacker could exploit some of these vulnerabilities to take control of an affected system."

Citrix Releases Security Update for ShareFile Storage Zones Controller

  • US-CERT : "Citrix has released a security update to address a vulnerability affecting Citrix ShareFile storage zones controller. An attacker can exploit this vulnerability to obtain access to sensitive information."

2021/08/12

Mozilla Releases Security Updates for Thunderbird

  • US-CERT : "Mozilla has released security updates to address vulnerabilities in Thunderbird. An attacker could exploit some of these vulnerabilities to take control of an affected system."

Microsoft Exchange servers are getting hacked via ProxyShell exploits

  • BLEEPING COMPUTER : Lawrence Abrams "Threat actors are actively exploiting Microsoft Exchange servers using the ProxyShell vulnerability to install backdoors for later access. ProxyShell is the name of an attack that uses three chained Microsoft Exchange vulnerabilities to perform unauthenticated, remote code execution. The three vulnerabilities, listed below, were discovered by Devcore Principal Security Researcher Orange Tsai, who chained them together to take over a Microsoft Exchange server in April's Pwn2Own 2021 hacking contest."
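As an added example (not code from the BleepingComputer article, from Orange Tsai or from Microsoft), here is a small triage pass over IIS W3C log rows for the pre-authentication Autodiscover stage of the ProxyShell chain. The indicator is the publicly reported request shape, in which the query string of `/autodiscover/autodiscover.json` begins with `@` and nests a second `autodiscover.json` reference, so that the front end forwards an attacker-chosen backend path. The log rows, host names and addresses are constructed for the demo.

```python
"""
Added example, not code from the BleepingComputer article or from Microsoft:
flag IIS log rows whose Autodiscover query string carries the ProxyShell
path-confusion shape and report which backend path each probe aimed at.
Log rows, addresses and host names below are constructed for the demo.
"""
from urllib.parse import unquote

# Constructed IIS W3C log: one benign Autodiscover request, two probes, one OWA hit.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-08-12 10:15:20 10.0.0.5 GET /autodiscover/autodiscover.json Email=alice@contoso.com&Protocol=ActiveSync 443 - 198.51.100.20 Outlook/16.0 200
2021-08-12 10:15:22 10.0.0.5 GET /autodiscover/autodiscover.json @evil.example/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@evil.example 443 - 203.0.113.9 python-requests/2.25.1 200
2021-08-12 10:15:23 10.0.0.5 POST /autodiscover/autodiscover.json @evil.example/powershell/?&Email=autodiscover/autodiscover.json%3F@evil.example 443 - 203.0.113.9 python-requests/2.25.1 200
2021-08-12 10:16:01 10.0.0.5 GET /owa/auth/logon.aspx url=https%3a%2f%2fmail.contoso.com%2fowa%2f 443 - 198.51.100.21 Mozilla/5.0 200
"""


def parse_iis_log(text: str):
    """Turn W3C rows into dicts keyed by the names in the #Fields header."""
    fields = None
    rows = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        if fields is None:
            raise ValueError("data row before #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed row; skip rather than misalign columns
        rows.append(dict(zip(fields, values)))
    return rows


def is_proxyshell_probe(row: dict) -> bool:
    """True when the Autodiscover query starts with "@" or nests another
    autodiscover.json reference; a normal client sends Email=user@domain."""
    stem = row.get("cs-uri-stem", "").lower()
    query = unquote(row.get("cs-uri-query", "")).lower()
    if not stem.endswith("/autodiscover/autodiscover.json"):
        return False
    return query.startswith("@") or "autodiscover.json?@" in query


def backend_path(query: str) -> str:
    """Extract the backend path the probe tries to reach, e.g. "/mapi/nspi/"."""
    target = unquote(query).split("?", 1)[0]   # "@evil.example/mapi/nspi/"
    host_and_path = target.lstrip("@")
    if "/" not in host_and_path:
        return "/"
    return "/" + host_and_path.split("/", 1)[1]


def find_proxyshell_probes(text: str):
    """Return (client_ip, method, backend_path) for every flagged row."""
    return [
        (row["c-ip"], row["cs-method"], backend_path(row["cs-uri-query"]))
        for row in parse_iis_log(text)
        if is_proxyshell_probe(row)
    ]


if __name__ == "__main__":
    for ip, method, path in find_proxyshell_probes(SAMPLE_IIS_LOG):
        print(f"{ip} {method} -> {path}")
```

This only covers the front-end hop; a hit here should be confirmed against the Exchange HttpProxy logs and followed by a look for the later stages (mailbox export, webshell drops) the article describes.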

2021/08/13

Drupal Releases Security Updates

  • US-CERT : "Drupal has released security updates to address vulnerabilities that could affect versions 8.9, 9.1, and 9.2. An attacker could exploit these vulnerabilities to take control of an affected system."

2021/08/15

Hacker claims to steal data of 100 million T-mobile customers

  • BLEEPING COMPUTER : Lawrence Abrams "T-Mobile is actively investigating a data breach after a threat actor claims to have hacked T-Mobile's servers and stolen databases containing the personal data of approximately 100 million customers. The alleged data breach first surfaced on a hacking forum yesterday after the threat actor claimed to be selling a database for six bitcoin (~$280K) containing birth dates, driver's license numbers, and social security numbers for 30 million people."

Ford bug exposed customer and employee records from internal systems

  • BLEEPING COMPUTER : Ax Sharma "A bug on Ford Motor Company's website allowed for accessing sensitive systems and obtaining proprietary data, such as customer databases, employee records, internal tickets, etc. The data exposure stemmed from a misconfigured instance of Pega Infinity customer engagement system running on Ford's servers."

2021/08/16

T-Mobile confirms servers were hacked, investigates data breach

  • BLEEPING COMPUTER : Lawrence Abrams "T-Mobile has confirmed that threat actors hacked their servers in a recent cyber attack but is still investigating whether customer data was stolen. Yesterday, news broke that a threat actor was selling the alleged personal data for 100 million T-Mobile customers after they breached database servers operated by the mobile network. The hacker told BleepingComputer that the databases stolen during the attack contain the data for approximately 100 million T-Mobile customers, including IMSI numbers, IMEI numbers, phone numbers, customer names, security PINs, Social Security numbers, driver's license numbers, and dates of birth."

Malware dev infects own PC and data ends up on intel platform

  • BLEEPING COMPUTER : Ionut Ilascu "Additional information trawled from the Raccoon test computer revealed a name and multiple email addresses associated with the malware. Unfortunately, the details are insufficient to determine the identity of Raccoon's developer. Gal says that the malware creator 'likely infected [the machine] on purpose' and was careful enough to remove the details that could reveal who they are before unleashing the malware."

Education giant Pearson fined $1M for downplaying data breach

  • BLEEPING COMPUTER : Sergiu Gatlan "The US Securities and Exchange Commission (SEC) announced today that Pearson, a British multinational educational publishing and services company, has settled charges of mishandling the disclosure process for a 2018 data breach discovered in March 2019. Pearson agreed to pay a $1 million civil money penalty to settle charges 'without admitting or denying the findings' that it tried to hide and downplay the 2018 data breach that led to the theft of 'student data and administrator log-in credentials of 13,000 school, district and university customer accounts' in the United States."

Secret terrorist watchlist with 2 million records exposed online

  • BLEEPING COMPUTER : Ax Sharma "A secret terrorist watchlist with 1.9 million records, including classified 'no-fly' records, was exposed on the internet. The list was left accessible on an Elasticsearch cluster that had no password on it."

SIM swap scammer pleads guilty to Instagram account hijacks, crypto theft

  • BLEEPING COMPUTER : Sergiu Gatlan "Declan Harrington, a Massachusetts man charged two years ago for his alleged involvement in a series of SIM swapping attacks, pleaded guilty to stealing cryptocurrency from multiple victims and hijacking the Instagram accounts of others."

2021/08/31

Alert (AA21-243A) Ransomware Awareness for Holidays and Weekends

  • US-CERT : "The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have observed an increase in highly impactful ransomware attacks occurring on holidays and weekends—when offices are normally closed—in the United States, as recently as the Fourth of July holiday in 2021. The FBI and CISA do not currently have any specific threat reporting indicating a cyberattack will occur over the upcoming Labor Day holiday. However, the FBI and CISA are sharing the below information to provide awareness to be especially diligent in your network defense practices in the run up to holidays and weekends, based on recent actor tactics, techniques, and procedures (TTPs) and cyberattacks over holidays and weekends during the past few months."

SEPTEMBER

2021/09/20

Epik data breach impacts 15 million users, including non-customers

  • ArsTechnica : Ax Sharma "Epik has now confirmed that an 'unauthorized intrusion' did in fact occur into its systems. The announcement follows last week's incident of hacktivist collective Anonymous leaking 180 GB of data stolen from online service provider Epik. To mock the company's initial response to the data breach claims, Anonymous had altered Epik's official knowledge base, as reported by Ars."

2021/09/21

Report: FBI Had Ransomware Decryption Key for Weeks Before Giving It to Victims

  • Gizmodo: "After the Kaseya attack, the feds somehow came into possession of a decryption key but waited nearly a month before delivering it into the hands of businesses."

SSD Advisory - macOS Finder RCE

  • ssd-disclosure.com: "Find out how a vulnerability in macOS Finder system allows remote attackers to trick users into running arbitrary commands."

$5.9 million ransomware attack on farming co-op may cause food shortage

  • ArsTechnica: Ax Sharma "Attack on US farming provider NEW Cooperative may disrupt the food supply chain."

2021/09/23

The NSA and CIA Use Ad Blockers Because Online Advertising Is So Dangerous

  • VICE: "The Intelligence Community has deployed ad-blocking technology, according to a letter sent by Congress and shared with Motherboard."

2021/09/27

ROM & Emulation Site Pleasuredome Shuts Down After 15 Years of Gaming

  • TorrentFreak : "Pleasuredome, one of the world's most enduring ROM and emulation sites, has suddenly shut down after more than 15 years online. The torrent site first appeared in 2004 as the home of the MameFTP Group but over the weekend suddenly went offline, leaving thousands of users in the dark. Sources close to the site say there's 'no drama' and quitting 'while ahead' was the best option."

2021/09/28

New Azure Active Directory password brute-forcing flaw has no fix

  • ArsTechnica: "In June this year, researchers at Secureworks Counter Threat Unit (CTU) discovered a flaw in the protocol used by Azure Active Directory Seamless Single Sign-On service."

CISA and NSA Release Guidance on Selecting and Hardening VPNs

  • US-CERT : "The National Security Agency (NSA) and CISA have released the cybersecurity information sheet Selecting and Hardening Standards-based Remote Access VPN Solutions to address the potential security risks associated with using Virtual Private Networks (VPNs). Remote-access VPN servers allow off-site users to tunnel into protected networks, making these entry points vulnerable to exploitation by malicious cyber actors."

2021/09/29

Massive Phishing Campaign Impacted 75K Email Inboxes

  • Cybersecurity Log: George A.D. "Customers' systems in Office 365, Microsoft Exchange, and Google Workspace were all affected, according to Armorblox security analysts. Threat actors targeted small groups of personnel from several divisions inside a business in many of the attacks, in an apparent attempt to keep their activities under the radar, according to Dark Reading. Individuals targeted by the initiative include CFOs at companies, wellness firm senior vice presidents, directors, and professors of finance and operations."

Facebook open-sources tool to find Android app security flaws

  • BleepingComputer: Sergiu Gatlan "Facebook today open-sourced a static analysis tool its software and security engineers use internally to find potentially dangerous security and privacy flaws in the company's Android and Java applications. This security-focused tool, dubbed Mariana Trench (MT), can analyze large codebases of tens of millions of lines of code to spot vulnerabilities before they're introduced in the codebase."

CISA releases tool to help orgs fend off insider threat risks

  • BleepingComputer: "The US Cybersecurity and Infrastructure Security Agency (CISA) has released a new tool that allows public and private sector organizations to assess their vulnerability to insider threats and devise their own defense plans against such risks. The Insider Risk Mitigation Self-Assessment Tool helps orgs determine their risk posture by answering a series of questions about the requirements needed to set up an insider risk program management, the levels of insider risk awareness and training among employees, and the organization's insider risk environment."

Phone companies must now block carriers that didn’t meet FCC robocall deadline

  • ArsTechnica : "In a new milestone for the US government's anti-robocall efforts, phone companies are now prohibited from accepting calls from providers that did not comply with a Federal Communications Commission deadline that passed this week. 'Beginning today, if a voice service provider's certification and other required information does not appear in the FCC's Robocall Mitigation Database, intermediate providers and voice service providers will be prohibited from directly accepting that provider's traffic,' the FCC said yesterday."

2021/09/30

Fortinet, Shopify and more report issues after root CA certificate from Let's Encrypt expires

  • ZDNet : Jonathan Greig "A number of websites and services reported issues on Thursday thanks to the expiration of a root certificate provided by Let's Encrypt, one of the largest providers of HTTPS certificates."

OCTOBER

2021/10/04

Company That Routes Billions of Text Messages Quietly Says It Was Hacked

  • Vice : Lorenzo Franceschi-Bicchierai "Syniverse handles billions of text messages a year, and hackers had unauthorized access to its system for years."

2021/10/05

The REBOL Yell: A New Novel REBOL Exploit

  • FRSecure : "We recently discovered a REBOL exploit used for command-and-control."

Salesforce DX command line interface (CLI) does not adequately protect sfdxurl credentials

  • US-CERT : VU#883754 "The default security configuration in Salesforce allows an authenticated user with the Salesforce-CLI to create URL that will allow anyone, anywhere access to the Salesforce GUI with the same administrative credentials without a log trace of access or usage of the API."

Microsoft Windows Active Directory Certificate Services can allow for AD compromise via PetitPotam NTLM relay attacks

  • US-CERT : VU#405600 "Microsoft Windows Active Directory Certificate Services (AD CS) by default can be used as a target for NTLM relay attacks, which can allow a domain-joined computer to take over the entire Active Directory."

2021/10/06

Apache HTTP Server devs issue fix for critical data leak vulnerability – update now

  • The Daily Swig : Jessica Haworth "Web admins are urged to protect against a high-impact path traversal vulnerability in the latest version of Apache Server that is being exploited in the wild."

2021/10/07

Web Scrapers Claim to Possess and Sell Personal Data on 1.5 Billion Facebook Users on a Hacker Forum

  • PrivacyAffairs : Miklos Zoltan "The private and personal information of over 1.5 billion Facebook users is allegedly being sold on a popular hacking-related forum, potentially enabling cybercriminals and unscrupulous advertisers to target Internet users globally."

Apache Releases HTTP Server version 2.4.51 to Address Vulnerabilities Under Exploitation

  • US-CERT : "On October 7, 2021, the Apache Software Foundation released Apache HTTP Server version 2.4.51 to address Path Traversal and Remote Code Execution vulnerabilities (CVE-2021-41773, CVE-2021-42013) in Apache HTTP Server 2.4.49 and 2.4.50. These vulnerabilities have been exploited in the wild. CISA is also seeing ongoing scanning of vulnerable systems, which is expected to accelerate, likely leading to exploitation. CISA urges organizations to patch immediately if they haven’t already—this cannot wait until after the holiday weekend."
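As an added example (not code from the CISA alert or from the Apache project), the following models why the 2.4.49 path-normalisation flaw (CVE-2021-41773) and its incomplete fix in 2.4.50 (CVE-2021-42013) were exploitable, shows a resolver that decodes before it normalises and checks containment, and runs a triage pass over constructed access-log lines. The request shapes are the publicly reported single-encoded `.%2e` and double-encoded `.%%32%65` traversal segments; the document root, sample paths and log lines are assumptions for the demo.

```python
"""
Added example, not code from the CISA alert or from Apache httpd: a model of
the normalise-then-decode ordering behind CVE-2021-41773 / CVE-2021-42013,
a hardened resolver, and a log triage that decodes before judging a path.
DOCROOT, the sample paths and the log lines are constructed for the demo.
"""
import posixpath
import re
from urllib.parse import unquote

DOCROOT = "/var/www"  # assumed document root for the demo


def _collapse_dots(path: str) -> str:
    """Collapse "." and ".." segments of a raw, still percent-encoded URL path."""
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def resolve_vulnerable(url_path: str) -> str:
    """Flawed order: dot-segments are collapsed while the path is still encoded,
    so ".%2e" is not recognised as "..". Decoding afterwards produces a real
    parent-directory reference that the filesystem walk (normpath here) honours."""
    collapsed = _collapse_dots(url_path)
    decoded = unquote(collapsed)
    return posixpath.normpath(DOCROOT + decoded)


def resolve_hardened(url_path: str) -> str:
    """Decode first; refuse anything still encoded after one pass (double
    encoding), refuse ".." segments outright, and confirm the resolved path is
    still inside DOCROOT. Raises ValueError on any violation."""
    decoded = unquote(url_path)
    if "%" in decoded:
        raise ValueError("refusing multiply-encoded path")
    if ".." in decoded.split("/"):
        raise ValueError("refusing parent-directory segment")
    full = posixpath.normpath(posixpath.join(DOCROOT, decoded.lstrip("/")))
    if full != DOCROOT and not full.startswith(DOCROOT + "/"):
        raise ValueError("path escapes document root")
    return full


def is_safe_path(url_path: str) -> bool:
    """Boolean wrapper around resolve_hardened for quick checks."""
    try:
        resolve_hardened(url_path)
        return True
    except ValueError:
        return False


# Constructed Apache combined-format lines: two probes (one per CVE), two benign.
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [07/Oct/2021:10:01:22 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 200 1143 "-" "curl/7.68.0"
203.0.113.5 - - [07/Oct/2021:10:01:23 +0000] "POST /cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh HTTP/1.1" 200 31 "-" "curl/7.68.0"
198.51.100.7 - - [07/Oct/2021:10:02:10 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [07/Oct/2021:10:02:11 +0000] "GET /cgi-bin/status.cgi?q=a%20b HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def decode_fully(s: str, max_layers: int = 3) -> str:
    """Peel off a bounded number of percent-encoding layers so double-encoded
    probes are judged by what the server would ultimately see."""
    for _ in range(max_layers):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def find_traversal_probes(log_text: str):
    """Return (client_ip, method, raw_path, status) for requests whose fully
    decoded path contains a ".." segment. A 200 on such a line is the one to
    escalate: the server answered a request aimed outside its root."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, target, status = m.groups()
        raw_path = target.split("?", 1)[0]
        if ".." in decode_fully(raw_path).split("/"):
            hits.append((ip, method, raw_path, int(status)))
    return hits


if __name__ == "__main__":
    print(resolve_vulnerable("/cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd"))
    for hit in find_traversal_probes(SAMPLE_ACCESS_LOG):
        print(hit)
```

The traversal only mattered on servers whose filesystem root was not protected by a `Require all denied` block, and the same segments, with `mod_cgi` enabled, turned the issue into remote code execution, which is why CISA's note treats it as urgent rather than as an information leak alone.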

Arcadyan-based routers and modems vulnerable to authentication bypass

  • Carnegie Mellon University : VU#914124 "A path traversal vulnerability exists in numerous routers manufactured by multiple vendors using Arcadyan based software. This vulnerability allows an unauthenticated user access to sensitive information and allows for the alteration of the router configuration."

US gov’t will slap contractors with civil lawsuits for hiding breaches

  • ArsTechnica : Ax Sharma "In a groundbreaking initiative announced by the Department of Justice this week, federal contractors will be sued if they fail to report a cyber attack or data breaches. The newly introduced 'Civil Cyber-Fraud Initiative' will leverage the existing False Claims Act to pursue contractors and grant recipients involved in what the DOJ calls 'cybersecurity fraud.'"

2021/10/08

Mandiant Completes the Divestiture of its FireEye Products Business to McAfee Enterprise

  • Mandiant Press Release : "Mandiant, Inc. (NASDAQ: MNDT), the leader in dynamic cyber defense and response, today announced the completion of the previously announced transaction to sell the FireEye Products business to McAfee Enterprise, which is backed by a consortium led by Symphony Technology Group (STG), in an all-cash transaction for $1.2 billion, before taxes and transaction-related expenses."

NSA Releases Guidance on Avoiding the Dangers of Wildcard TLS Certificates and ALPACA Techniques

  • US-CERT : "The National Security Agency (NSA) has released a Cybersecurity Information (CSI) sheet with guidance to help secure ... organizations from poorly implemented wildcard Transport Layer Security (TLS) certificates and the exploitation of Application Layer Protocols Allowing Cross-Protocol Attacks (ALPACA). A malicious cyber actor with network access can exploit this vulnerability to access sensitive information."

2021/10/11

Apple releases iOS and iPadOS 15.0.2, with fixes for CarPlay, Photos, and more

  • ArsTechnica : Andrew Cunningham "Apple has just released a second bug-fix update for iOS 15 and iPadOS 15 focused on resolving small issues that have been discovered since the operating systems began rolling out in late September."

GitHub security update: revoking weakly-generated SSH keys

  • Github : "On September 28, 2021, we received notice from the developer Axosoft regarding a vulnerability in a dependency of their popular git GUI client – GitKraken. An underlying issue with a dependency, called keypair, resulted in the GitKraken client generating weak SSH keys... Today as of 1700 UTC, we’ve revoked all keys generated by these vulnerable versions of the GitKraken client that were in use on GitHub.com, along with other potentially weak keys created by other clients that may have used the same vulnerable dependency."

2021/10/12

Microsoft Azure fends off huge DDoS Attack; Microsoft successfully blocked a 2.4 Tbps Distributed Denial of Service (DDoS) attack on one of its European Azure cloud customers.

  • ZDNet : Steven J. Vaughan-Nichols "At 2.4 terabits per second (Tbps), the DDoS attack Microsoft just successfully defended European Azure cloud users against could be the biggest one to date. What we know for certain is it's the biggest DDoS attack on an Azure cloud customer. It was bigger than the previous high, 2020's Azure 1 Tbps attack, and Microsoft reported it was 'higher than any network volumetric event previously detected on Azure.'"

2021/10/13

Bugs allowing malicious NFT uploads uncovered in OpenSea marketplace

  • ZDNet : Charlie Osborne "On Wednesday, the Check Point Research (CPR) team said that flaws in the OpenSea NFT marketplace could have allowed 'hackers to hijack user accounts and steal entire crypto wallets of users, by sending malicious NFTs.' An investigation was launched after reports surfaced of malicious NFTs, airdropped for free, being used as conduits for cryptocurrency theft and account hijacking."

2021/10/14

Google Threat Analysis Group: Countering threats from Iran

  • Google : "Google’s Threat Analysis Group tracks actors involved in disinformation campaigns, government backed hacking, and financially motivated abuse. We have a long-standing policy to send you a warning if we detect that your account is a target of government-backed phishing or malware attempts. So far in 2021, we’ve sent over 50,000 warnings, a nearly 33% increase from this time in 2020. This spike is largely due to blocking an unusually large campaign from a Russian actor known as APT28 or Fancy Bear. We intentionally send these warnings in batches to all users who may be at risk, rather than at the moment we detect the threat itself, so that attackers cannot track our defense strategies. On any given day, TAG is tracking more than 270 targeted or government-backed attacker groups from more than 50 countries. This means that there is typically more than one threat actor behind the warnings."

Microsoft releases Linux version of the Windows Sysmon tool

  • BleepingComputer : Lawrence Abrams "Microsoft has released a Linux version of the very popular Sysmon system monitoring utility for Windows, allowing Linux administrators to monitor devices for malicious activity. "

Acer confirms breach of after-sales service systems in India

  • BleepingComputer : Sergiu Gatlan "Taiwanese computer giant Acer has confirmed that its after-sales service systems in India were recently breached in what the company called 'an isolated attack.'...To additional requests for more details, Acer replied by saying that 'there is an ongoing investigation and for the sake of security, we are unable to comment on details.' Advanced Intel's Vitali Kremez told BleepingComputer that Advanced Intel's Andariel cyber intelligence platform spotted the REvil gang targeting a Microsoft Exchange server on Acer's domain before the attack."

< THIS GIST CAN NOW BE FOUND HERE: https://github.com/malwaremily/infosec-news-briefs/ >

NOVEMBER

DECEMBER


Jump to Top