Infosec Overnights - Daily Security News
3 minutes | Jul 29, 2022
Kimsuky Stealing Emails, NPM Cards Discord, IP Camera Hack, and more.
4 minutes | Jul 28, 2022
NetStandard Knocked Offline, Moxa NPort Flaws, Twitter Data Sale, and more.
A daily look at the relevant information security news from overnight - 28 July, 2022
Episode 275 - 28 July 2022
NetStandard Knocked Offline - https://www.bleepingcomputer.com/news/security/kansas-msp-shuts-down-cloud-services-to-fend-off-cyberattack/
Moxa NPort Flaws - https://www.securityweek.com/moxa-nport-device-flaws-can-expose-critical-infrastructure-disruptive-attacks
Post Macro Tactics - https://www.infosecurity-magazine.com/news/hackers-change-tactics-for-new/
Naughty Knotweed - https://thehackernews.com/2022/07/microsoft-uncover-austrian-company.html
Twitter Data Sale - https://www.infosecurity-magazine.com/news/criminal-twitter-users-data/

Hi, I’m Paul Torgersen. It’s Thursday July 28th, 2022 and this is a look at the information security news from overnight.

From BleepingComputer.com: Managed service provider NetStandard suffered a cyberattack causing the company to shut down its MyAppsAnywhere cloud services. The company said Hosted GP, Hosted CRM, Hosted Exchange, and Hosted Sharepoint will be offline until further notice, but that no other services were impacted. That being said, their main website remains down as well. No word on threat actor or malware involved, but it is assumed to be a ransomware hit.

From SecurityWeek.com: Two high severity flaws have been found in the NPort 5110 device servers from Moxa. The vulnerabilities can be exploited remotely to cause the targeted device to enter a denial of service condition. The only way to regain control of the device is to physically power it down, which might present a challenge as many of these devices are in very remote locations. These things are designed to connect to Ethernet networks and should not be exposed to the internet. However, a Shodan search found at least 5,300 of them that are. Now some of these may be honeypots, but they’re not ALL honeypots. Customers should contact Moxa for a security patch.

From InfoSecurity-Magazine.com: Since Microsoft announced they would disable macros by default, the use of macro-enabled attachments by threat actors decreased by around 66% between October 2021 and June 2022. Awesome. But, where there’s a will there’s a way. In that same timeframe, the number of malicious campaigns using container file formats jumped up 176%. These formats include ISO, RAR, ZIP and IMG files that contain macro-enabled docs. Now the ISO and RAR formats will still have the Mark of the Web, meaning they originated from the internet and their macros would be blocked, but the files within them would not. Link to the Proofpoint research in the article.

From TheHackerNews.com: A threat actor tracked as Knotweed used several Windows and Adobe zero-day exploits in highly targeted attacks against targets in Europe and Central America. They are actually an Austrian outfit called DSIRF that supposedly sells general security and information analysis services to commercial customers. As a side gig, they created a cyberweapon called Subzero, which can hack phones, computers, and internet-connected devices. Talk about vertical integration.

And last, from InfoSecurity-Magazine.com: A user named devil is selling a database of 5.4 million Twitter users’ information on the Breached Forums site. They say it contains the phone numbers and email addresses of users, including celebrities and companies, and is asking for $30,000. Twitter is investigating the issue, which the seller said exploited a vulnerability in its systems that allows someone to find additional user information, even if that user has it hidden in privacy settings.

That’s all for me today. Have a great rest of your day. Like and subscribe, and until tomorrow, be safe out there.
3 minutes | Jul 28, 2022
WordFly Breach, Now IIS See You, No Knock Nuki, and more.
A daily look at the relevant information security news from overnight - 27 July, 2022
Episode 274 - 27 July 2022
WordFly Breach - https://www.securityweek.com/mailing-list-provider-wordfly-scrambling-recover-following-ransomware-attack
Now IIS See You - https://www.bleepingcomputer.com/news/microsoft/microsoft-exchange-servers-increasingly-hacked-with-iis-backdoors/
Messaging Threats - https://threatpost.com/messaging-apps-cybercriminals/180303/
Robin Banks Phishing Service - https://www.bleepingcomputer.com/news/security/new-robin-banks-phishing-service-targets-bofa-citi-and-wells-fargo/
No Knock Nuki - https://www.securityweek.com/nuki-smart-lock-vulnerabilities-allow-hackers-open-doors

Hi, I’m Paul Torgersen. It’s Wednesday July 27th, 2022 and this is a look at the information security news from overnight.

From SecurityWeek.com: Mailing list provider WordFly has been offline for more than two weeks after a ransomware attack encrypted data on some of its systems. The attack hit on July 10, and the company hasn’t been able to restore service since. The company confirms data was exfiltrated, but believes it was subsequently deleted. They expect to be down at least another few days before they get systems operational again. No word on the malware or threat actor.

From BleepingComputer.com: Attackers are increasingly using Internet Information Services, IIS, web server extensions to backdoor unpatched Exchange servers. Being installed in the exact location and using the same structure as legitimate modules, they provide attackers with a perfect and durable persistence mechanism. Details and a link to the Microsoft report in the article.

From ThreatPost.com: Threat actors are tapping the multi-feature nature of messaging apps such as Telegram and Discord as a foundation in persistent campaigns that threaten users. Intel 471 identified three key ways in which threat actors are leveraging the apps: storing stolen data, hosting malware payloads, and using bots that perform the dirty work. Details and a link inside.

From BleepingComputer.com: A new phishing-as-a-service platform has shown up with the name Robin Banks. As you may have guessed, it offers ready-made phishing kits targeting the customers of well-known banks. Companies like Citibank, Bank of America, Capital One, Wells Fargo, etc. Oh, they also offer templates to steal Microsoft, Google, Netflix, and T-Mobile accounts. Pricing from $50 to $200 a month.

And last, from SecurityWeek.com: Security researchers have documented 11 vulnerabilities impacting Nuki smart lock products (you may not be able to see my air quotes). Nuki Smart Lock and Nuki Bridge allow users to unlock their doors with their smartphones by simply walking in range. Brilliant. Exploiting the found vulnerabilities could result in a fully compromised device, including the ability to open and close the door without the owner even noticing. After being notified of the flaws in April, Nuki has issued patches this month.

That’s all for me today. Have a great rest of your day. Like and subscribe, and until tomorrow, be safe out there.
3 minutes | Jul 26, 2022
Grails RCE Vuln, PrestaShop Skimmed, FileWave Crit Flaws, and more.
A daily look at the relevant information security news from overnight - 26 July, 2022
Episode 273 - 26 July 2022
Grails RCE Vuln - https://portswigger.net/daily-swig/critical-security-vulnerability-in-grails-could-lead-to-remote-code-execution
PrestaShop Skimmer - https://thehackernews.com/2022/07/hackers-exploit-prestashop-zero-day-to.html
LinkedIn Phishing for Admins - https://www.bleepingcomputer.com/news/security/linkedin-phishing-target-employees-managing-facebook-ad-accounts/
PolicyBazaar Breached - https://www.infosecurity-magazine.com/news/indian-insurance-policybazaar/
FileWave Crit Flaws - https://thehackernews.com/2022/07/critical-filewave-mdm-flaws-open.html

Hi, I’m Paul Torgersen. It’s Tuesday July 26th, 2022 and from Denver, this is a look at the information security news from overnight.

From PortSwigger.net: A critical vulnerability within a Grails application runtime could allow an attacker to gain remote code execution. The attack exploits a section of the Grails data-binding logic, and has been confirmed on Grails framework versions 3.3.10 and higher, including Grails framework 4 and 5, that are running on Java 8. It has been observed in both the embedded Tomcat runtime and applications deployed as a Web Archive to a Tomcat instance. The company urges all users, even those using unaffected versions, to update as soon as possible.

From TheHackerNews.com: Threat actors are exploiting a previously unknown security flaw in the open-source PrestaShop e-commerce platform to inject malicious skimmer code. PrestaShop is the leading open-source e-commerce solution in Europe and Latin America, used by nearly 300,000 online merchants worldwide. The company said they found a zero-day flaw in its service that has been addressed in version 220.127.116.11, although they are not sure that was the only flaw vulnerable to the attack.

From BleepingComputer.com: A new spear phishing campaign named Ducktail is targeting professionals on LinkedIn to take over Facebook business accounts. The threat actors are specifically targeting people who have admin privileges on their employer’s social media accounts. Fingers point to a Vietnamese threat actor that has been active since at least 2021 and maybe back as far as 2018.

From Infosecurity-Magazine.com: Indian insurance company Policybazaar has advised that it suffered a data breach, confirming an unauthorized access to their systems on July 19. The company has found and fixed the exploited vulnerability and claims that no significant customer data was exposed.

And last, from TheHackerNews.com: FileWave’s mobile device management system has been found vulnerable to two critical security flaws that could be leveraged to carry out remote attacks and seize control of a fleet of devices connected to it. The two flaws relate to an authentication bypass, and the use of a hard-coded cryptographic key. There are more than 1,100 internet-facing FileWave servers that are vulnerable to the attack. Get your patch on kids.

That’s all for me today. Have a great rest of your day. Like and subscribe, and until tomorrow, be safe out there.
3 minutes | Jul 25, 2022
Entrust Breached, UEFI Rootkit, Racoon Get Buff, and more.
A daily look at the relevant information security news from overnight - 25 July, 2022
Episode 272 - 25 July 2022
Entrust Breached - https://www.bleepingcomputer.com/news/security/digital-security-giant-entrust-breached-by-ransomware-gang/
UEFI Rootkit - https://thehackernews.com/2022/07/experts-uncover-new-cosmicstrand-uefi.html
Urgent SonicWall Patch - https://www.securityweek.com/sonicwall-warns-critical-gms-sql-injection-vulnerability
Cisco Nexus Patches Three - https://portswigger.net/daily-swig/cisco-patches-dangerous-bug-trio-in-nexus-dashboard
Racoon Gets Buff - https://thehackernews.com/2022/07/racoon-stealer-is-back-how-to-protect.html

Hi, I’m Paul Torgersen. It’s Monday July 25th, 2022, and this is a look at the information security news from overnight.

From BleepingComputer.com: Identity and access management company Entrust has confirmed that it was the victim of a cyberattack. Threat actors were able to breach their network and steal data from internal systems. The company says they have found no indication that the breach has impacted their operation or their products and services. No word on malware strain or threat actor involved. More to come I’m sure.

From TheHackerNews.com: An unknown Chinese-speaking threat actor has been attributed with a new kind of UEFI firmware rootkit called CosmicStrand. The rootkit is located in the firmware images of Gigabyte or ASUS motherboards, and is related to designs using the H81 chipset. Victims identified so far are just individuals in China, Vietnam, Iran and Russia, with no discernible ties to business or government agencies. A link to the Kaspersky research in the article.

From SecurityWeek.com: SonicWall has issued urgent patches for a critical flaw in its Global Management System software, warning that the issue exposes businesses to remote attacks. The 9.4 severity flaw provides a pathway for a remote attacker to execute arbitrary SQL queries in the database. The vulnerability exists due to insufficient sanitization of user-supplied data.

From PortSwigger.net: Serious vulnerabilities in Cisco Nexus Dashboard give attackers a viable path to executing arbitrary commands as root, uploading container image files, or performing cross-site request forgery attacks. Cisco has issued patches for the three bugs, one of them carrying a 9.8 severity rating. The company said it was not aware of any of these bugs being exploited in the wild. Get your patch on kids.

And last, from TheHackerNews.com: The new and vastly improved version of Raccoon Stealer has hit the scene. Not only can it steal browser passwords, cookies, and auto-fill data, it can now also steal credit card numbers, cryptocurrency and crypto wallets, harvest file data, drop files onto the system, list apps installed on the machine, and take screenshots. Fortunately, just like with the real world rodents, basic precautions should keep the varmint at bay: beware of spoofed messages and don’t click any links you didn’t know were specifically coming.

That’s all for me today. Have a great rest of your day. Like and subscribe, and until tomorrow, be safe out there.
3 minutes | Jul 22, 2022
Drupal Updates, Zyxel Firewall Patches, Candiru’s DevilsTongue, and more.
A daily look at the relevant information security news from overnight - 22 July, 2022
Episode 271 - 22 July 2022
Drupal Updates - https://www.securityweek.com/code-execution-and-other-vulnerabilities-patched-drupal
Zyxel Firewall Patches - https://portswigger.net/daily-swig/zyxel-firewall-vulnerabilities-left-business-networks-open-to-abuse
PayPal Double Spear Phishing - https://www.infosecurity-magazine.com/news/paypal-used-send-malicious-double/
Okta Too Open - https://threatpost.com/risks-okta-sso/180249/
Candiru’s DevilsTongue - https://www.bleepingcomputer.com/news/security/chrome-zero-day-used-to-infect-journalists-with-candiru-spyware/

Hi, I’m Paul Torgersen. It’s Friday July 22nd, 2022, and from Victoria one last time, this is a look at the information security news from overnight.

From SecurityWeek.com: Drupal has released patches for four vulnerabilities. The most critical flaw affects Drupal 9.3 and 9.4, and it can lead to arbitrary PHP code execution on Apache web servers. The other three vulnerabilities also impact the Drupal core and can lead to cross-site scripting attacks, information disclosure, or access bypass. Get your patch on kids.

From PortSwigger.net: Zyxel has released patches for several of its firewall products following the discovery of two security vulnerabilities that left business networks open to exploitation. One is an authenticated directory traversal vulnerability in the Common Gateway Interface, and the other is a local privilege escalation vulnerability that was identified in the command-line interface. You should update to the latest versions as soon as you can.

From Infosecurity-Magazine.com: Threat actors are using PayPal to send out phishing invoices. PayPal domains are usually “allow-listed” by organizations’ email filters, so cyber-criminals are registering accounts and composing malicious invoices on the platform. Many are spoofing Norton products, but substituting their own information for payments. They even have someone answering the included Customer Service number to continue the charade to extract dollars from their victims.

From ThreatPost.com: Four newly discovered attack paths in the products for IAM vendor Okta could lead to PII exposure, account takeover, or even organizational data destruction. Note that the researchers call these “attack paths” and not vulnerabilities. Okta says this is a non-issue and all you need to do is tweak up your security profile a little, which is beyond what they offer as their default settings. You can see the details in the article.

And last, from BleepingComputer.com: The Israeli spyware vendor Candiru was found using a Google Chrome zero-day to spy on journalists and other high-interest individuals in the Middle East with their ‘DevilsTongue’ spyware. Threat researchers from Avast, who discovered the vulnerability and reported it to Google, revealed that they unearthed the flaw after investigating spyware attacks on their clients. The vuln was patched on July 4. Details and a link to the research in the article.

That’s all for me today. Have a great rest of your day. Like and subscribe, and until next time, be safe out there.
3 minutes | Jul 21, 2022
Patched Atlassian, Linux Hit by Lightning, Neopets Nabbed, and more.
A daily look at the relevant information security news from overnight - 21 July, 2022
Episode 270 - 21 July 2022
Patched Atlassian - https://www.bleepingcomputer.com/news/security/atlassian-fixes-critical-confluence-hardcoded-credentials-flaw/
Linux Hit by Lightning - https://thehackernews.com/2022/07/new-linux-malware-framework-let.html
Renewed Redeemer - https://www.bleepingcomputer.com/news/security/new-redeemer-ransomware-version-promoted-on-hacker-forums/
Apple Pushed Update - https://www.securityweek.com/apple-ships-urgent-security-patches-macos-ios
Neopets Nabbed - https://www.bleepingcomputer.com/news/security/neopets-data-breach-exposes-personal-data-of-69-million-members/

Hi, I’m Paul Torgersen. It’s Thursday July 21st, 2022, and from Victoria, this is a look at the information security news from overnight.

From BleepingComputer.com: Atlassian has patched a critical hardcoded credentials vulnerability in Confluence Server and Data Center that could let remote, unauthenticated attackers log into vulnerable servers. The hardcoded password is added after installing the Questions for Confluence app, for an account with the username disabledsystemuser. It was designed to help admins with the migration of data from the app to the Confluence Cloud.

From TheHackerNews.com: A never-before-seen malware called Lightning Framework targets Linux machines to install rootkits. The malware has been dubbed a “Swiss Army Knife” and is equipped with a plethora of features, making it one of the most intricate frameworks developed for targeting Linux systems. Details and a link to the research report in the article.

From BleepingComputer.com: A threat actor is promoting a new version of their free-to-use Redeemer ransomware builder on hacker forums. According to its author, the 2.0 release was written entirely in C++ and works on Windows Vista, 7, 8, 10, and 11. This offers unskilled threat actors an easy entry to the world of encryption-backed extortion attacks. All they pay is 20% of any ransom they manage to collect.

From SecurityWeek.com: Apple’s security response team has pushed out software fixes for at least 39 vulnerabilities impacting macOS Catalina, iOS and iPadOS platforms. The patches provide updates for numerous memory safety flaws, some serious enough to expose users to remote code execution attacks. Apple is urging users to update straight away. Get your patch on kids.

And last today, from BleepingComputer.com: Neopets has suffered a data breach leading to the theft of source code as well as a database containing the personal information of over 69 million members. A hacker known as ‘TarTarX’ began selling the source code and database for four bitcoins, about $94,000 at current prices. He did not confirm his attack vector, but it appears he still has active access to the database.

That’s all for me today. Have a great rest of your day. Like and subscribe, and until tomorrow, be safe out there.
3 minutes | Jul 20, 2022
Knauf Knocked Out, Rusty Luna, Magecart Skim, and more.
A daily look at the relevant information security news from overnight - 20 July, 2022
Episode 269 - 20 July 2022
Knauf Knocked Out - https://www.bleepingcomputer.com/news/security/building-materials-giant-knauf-hit-by-black-basta-ransomware-gang/
Rusty Luna - https://thehackernews.com/2022/07/new-rust-based-ransomware-family.html
GPS Over-Tracking - https://www.zdnet.com/article/flaws-in-a-popular-gps-tracker-could-allow-hackers-to-track-or-stop-vehicles-say-security-researchers/
Oracle Patchfest - https://www.securityweek.com/oracle-releases-349-new-security-patches-july-2022-cpu
Magecart Skim - https://docs.google.com/document/d/1Kse6lMi7hJEg1wDnVS_ZEND2pZOEMT4a9We3erCPsXE/edit

Hi, I’m Paul Torgersen. It’s Wednesday July 20th, 2022, and from Victoria, this is a look at the information security news from overnight.

From BleepingComputer.com: The Knauf Group, a large Germany-based building materials company, has announced it has been the target of a cyberattack that has disrupted its business operations. Their global IT team has shut down all systems to isolate the incident. Knauf has not confirmed it is a ransomware attack, but the Black Basta group has claimed responsibility for the attack on their extortion site. So far they claim to have released about 20% of the information they stole, which indicates they are likely still hopeful to receive a ransom from the victim.

From TheHackerNews.com: Researchers have disclosed a brand-new ransomware family written in Rust, that Kaspersky Labs has named Luna. The ransomware is fairly simple and appears to be in its early development. It is designed to be used by Russian-speaking threat actors, and can run on Windows, Linux, and ESXi systems.

From ZDNet.com: Critical security vulnerabilities in the MiCODUS MV720 vehicle GPS tracker could be used to remotely track, stop or even take control of vehicles in which it is installed. These devices are popular with large companies and government entities, with approximately 1.5 million of them currently in use in 169 countries. Researchers at BitSight, who found the flaws, say these devices should not be used until patches are available. No word from MiCODUS on when that might be.

From SecurityWeek.com: Oracle’s quarterly Critical Patch Update has a total of 349 new security patches, including 230 for vulnerabilities that can be exploited by remote, unauthenticated attackers. 64 of the vulnerabilities are rated critical, with four of those scoring a ten out of ten. Financial Services Applications received the largest number of fixes, followed by Oracle Communications, then Fusion Middleware. Get your patch on kids.

And last today, from ThreatPost.com: A Magecart campaign has been skimming payment-card credentials from customers using three online restaurant-ordering systems. The attack has affected over 300 restaurants and compromised at least 50,000 cards so far, which have already been offered up for sale on the dark web. The platforms impacted are MenuDrive, Harbortouch, and InTouchPOS.

That’s all for me today. Have a great rest of your day. Like and subscribe, and until tomorrow, be safe out there.
3 minutes | Jul 19, 2022
Mac is Back-Doored, Fake Crypto Apps, Russians Hiding in the Cloud, and more.
A daily look at the relevant information security news from overnight - 19 July, 2022
Episode 268 - 19 July 2022
Mac is Back-Doored - https://www.bleepingcomputer.com/news/security/elastix-voip-systems-hacked-in-massive-campaign-to-install-php-web-shells/
Fake Crypto Apps - https://www.zdnet.com/article/fbi-these-fake-apps-are-trying-to-steal-your-crypto-heres-what-to-watch-out-for/
FlipKart Breach - https://techcrunch.com/2022/07/18/cleartrip-data-breach-dark-web/
SATAn Air Gapped Attack - https://thehackernews.com/2022/07/new-air-gap-attack-uses-sata-cable-as.html
Russians Hiding on the Cloud - https://www.bleepingcomputer.com/news/security/russian-svr-hackers-use-google-drive-dropbox-to-evade-detection/

Hi, I’m Paul Torgersen. It’s Tuesday July 19th, 2022, and from Port Angeles, this is a look at the information security news from overnight.

From BleepingComputer.com: Unknown threat actors are using a previously undetected malware to backdoor macOS devices and exfiltrate information. ESET researchers named the malware CloudMensis because it uses pCloud, Yandex Disk, and Dropbox public cloud storage services for C2 communications. It is not known yet how the malware is distributed. Details in the article.

From ZDNet.com: The FBI has warned that criminal groups are creating fraudulent apps that mimic real financial services brands that have so far duped investors into parting with $42.7 million over the past six months. Many of these are mimicking cryptocurrency services as there continues to be a flood of new players in the space and some ambiguity around crypto investing. Details and links to the advisory in the article.

From TechCrunch.com: Cleartrip, a popular travel-booking platform in India, has confirmed a data breach after hackers claimed to post the stolen data on the dark web. Exact details of the stolen data are not yet known, however analysis of the screenshots posted make it appear that significant amounts of data were accessed, including forward-looking information, which may indicate an insider was involved.

From TheHackerNews.com: Researchers have developed a new method to steal data from an air-gapped machine using the Serial ATA cable. Dubbed SATAn, the attack uses the SATA cable as a covert channel to emanate electromagnetic signals and transfer information to a nearby receiver just over a meter away. Fortunately, this technique does require physical access to the machine initially, which obviously makes it much more difficult. On the other hand, Stuxnet required physical access as well, so you never know.

And last today, from BleepingComputer.com: State-backed Russian hackers have started using legitimate Google Drive cloud storage services to evade detection. It is akin to hiding in plain sight by getting lost in the crowd. Google cloud storage is ubiquitous and pretty much universally trusted. Russian threat actors are abusing that trust to render their attacks exceedingly difficult, if not impossible, to detect and block.

That’s all for me. Have a great rest of your day. Like and subscribe, and until next time, be safe out there.
3 minutes | Jul 18, 2022
Elastix VoIP Attack, Botnet Targeting ICS, Blitz.JS Polluted, and more.
3 minutes | Jul 15, 2022
Hive Five Decryptor, WordPress Scan, WordPress Phishes PayPal, and more.
A daily look at the relevant information security news from overnight - 15 July, 2022
Episode 266 - 15 July 2022
Hive Five Decryptor - https://www.techtarget.com/searchsecurity/news/252522715/Researcher-develops-Hive-ransomware-decryption-tool
WordPress Scan - https://www.bleepingcomputer.com/news/security/attackers-scan-16-million-wordpress-sites-for-vulnerable-plugin/
SMB H0lyGh0st - https://thehackernews.com/2022/07/north-korean-hackers-targeting-small.html
Spoofing GitHub Commits - https://www.securityweek.com/supply-chain-attack-technique-spoofs-github-commit-metadata
WordPress Phishes PayPal - https://www.bleepingcomputer.com/news/security/paypal-phishing-kit-added-to-hacked-wordpress-sites-for-full-id-theft/

Hi, I’m Paul Torgersen. It’s Friday July 15th, 2022, and this is a look at the information security news from overnight.

From TechTarget.com: A malware researcher known as reecDeep, or reecDeep, I’m sorry if I am mispronouncing your handle, has developed and published a decryption tool on GitHub for version 5 of the Hive ransomware. reecDeep developed the tool with a fellow anonymous malware researcher known as rivitna. The post includes technical details of how Hive v5 works as well as how the researchers developed their brute-force decryption tool.

From BleepingComputer.com: Security researchers have detected a massive campaign that scanned close to 1.6 million WordPress sites for the presence of a vulnerable plugin that allows uploading files without authentication. They were specifically targeting the Kaswara Modern WPBakery Page Builder, which had been abandoned by its author before receiving a patch for a critical severity flaw uncovered last year. Exploitation of the flaw could lead to a complete takeover of the site.

From TheHackerNews.com: An emerging threat cluster originating from North Korea, which calls itself H0lyGh0st, has been linked to developing and using ransomware with that same payload name targeting small businesses since September of last year. Targeted entities primarily include SMBs such as manufacturing organizations, banks, schools, and event and meeting planning companies.

From SecurityWeek.com: Security researchers are warning of a new supply chain attack technique that relies on spoofed commit metadata to add legitimacy to malicious GitHub repositories. Threat actors could tamper with commit data so that a repository would appear to be older than it actually is, or that reputable contributors have been involved in its maintenance.

And last this week, from BleepingComputer.com: A newly discovered phishing kit is targeting PayPal users in an attempt to steal your PII. The kit is hosted on legitimate WordPress websites that have been hacked, which allows it to evade detection, at least for a little while. The threat actor targets poorly secured WordPress sites and brute-forces their login. They’ve also done a pretty nice job on the PayPal spoof site, which includes a Captcha challenge for a whiff of legitimacy. The ultimate goal is not only gathering login info, but financial and address details as well.

That’s all for me. Have a great weekend. Like and subscribe, and until next time, be safe out there.
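The commit-spoofing item above rests on a simple fact: the author name, email and date inside a git commit are free-form fields that anyone can set, so only a verified signature ties a commit to a real person or date. The script below is an added example written for this post, not code from the article or from any project it mentions. It assumes log output produced with `git log --format='%H|%an|%ae|%at|%ct|%G?'` (author and committer Unix timestamps, then git's signature status letter), and it flags commits that claim a trusted maintainer without a good signature or whose author date is implausibly older than the date they were actually committed. The log lines, SHAs, names and addresses are constructed.

```python
"""Flag suspicious commit metadata in `git log` output.

Added example (not the article's or any project's code). Expects lines from
    git log --format='%H|%an|%ae|%at|%ct|%G?'
where %at/%ct are author/committer Unix timestamps and %G? is the signature
status ('G' = good signature from a trusted key; 'N' = none). The sample log,
SHAs, names and addresses below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable

# Assumption: an author date more than 30 days older than the committer date is
# worth a second look. Rebases and cherry-picks produce gaps legitimately, so
# tune this per repository.
BACKDATE_LIMIT_SECONDS = 30 * 24 * 3600

# Constructed: identities expected to maintain the repository.
TRUSTED_MAINTAINERS = {"maintainer@example.org"}

# Constructed git log output: a signed commit, an unsigned commit that claims
# the maintainer's identity with a five-year-old author date, and an unsigned
# commit from an unknown contributor.
SAMPLE_LOG = """\
1111111111111111111111111111111111111111|Mona Maintainer|maintainer@example.org|1657800000|1657800000|G
2222222222222222222222222222222222222222|Mona Maintainer|maintainer@example.org|1500000000|1657803600|N
3333333333333333333333333333333333333333|Drive-by Dev|someone@example.net|1657807200|1657807200|N
"""


@dataclass
class Commit:
    sha: str
    author_name: str
    author_email: str
    author_time: int
    commit_time: int
    sig_status: str


def parse_log(lines: Iterable[str]) -> list[Commit]:
    """Parse pipe-delimited log lines into Commit records; blank lines are skipped."""
    commits = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        parts = line.split("|")
        if len(parts) != 6:
            raise ValueError(f"malformed log line: {line!r}")
        sha, name, email, atime, ctime, sig = parts
        commits.append(Commit(sha, name, email, int(atime), int(ctime), sig))
    return commits


def audit(commits: Iterable[Commit], trusted: set[str]) -> dict[str, list[str]]:
    """Return {short_sha: [reasons]} for commits whose metadata looks spoofed.

    Two checks: a large author-before-committer gap (the repository is being
    made to look older than it is), and any commit without a good signature,
    which is more serious when it claims a trusted identity, because that is
    exactly the impersonation the technique relies on.
    """
    findings: dict[str, list[str]] = {}
    for c in commits:
        reasons = []
        gap = c.commit_time - c.author_time
        if gap > BACKDATE_LIMIT_SECONDS:
            reasons.append(f"author date predates committer date by {gap // 86400} days")
        if c.sig_status != "G":
            if c.author_email.lower() in trusted:
                reasons.append("claims a trusted maintainer identity without a good signature")
            else:
                reasons.append(f"no good signature (status {c.sig_status})")
        if reasons:
            findings[c.sha[:12]] = reasons
    return findings


if __name__ == "__main__":
    report = audit(parse_log(SAMPLE_LOG.splitlines()), TRUSTED_MAINTAINERS)
    for sha, reasons in report.items():
        print(sha, "->", "; ".join(reasons))
```

Run against a real checkout by piping the `git log` command above into `parse_log`. The signature status is only meaningful if the maintainers' public keys are in your keyring, so the check is "does the signature verify against keys I already trust", not "is there a signature"; a repository whose history is entirely unsigned simply cannot vouch for its own age or contributors.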
3 minutes | Jul 14, 2022
Lilith Not-Fair, Retbleed Spectre, Bandai Namco Gamed, and more.
A daily look at the relevant information security news from overnight - 14 July, 2022
Episode 265 - 14 July 2022
Lilith Not-Fair - https://www.bleepingcomputer.com/news/security/new-lilith-ransomware-emerges-with-extortion-site-lists-first-victim/
Retbleed Spectre - https://www.securityweek.com/retbleed-new-speculative-execution-attack-targets-intel-amd-processors
AWS Kubernetes Flaw - https://portswigger.net/daily-swig/vulnerability-in-aws-iam-authenticator-for-kubernetes-could-allow-user-impersonation-privilege-escalation-attacks
Teams Sticker Shock - https://portswigger.net/daily-swig/microsoft-teams-security-vulnerability-left-users-open-to-xss-via-flawed-stickers-feature
Bandai Namco Gamed - https://www.bleepingcomputer.com/news/security/bandai-namco-confirms-hack-after-alphv-ransomware-data-leak-threat/

Hi, I’m Paul Torgersen. It’s Thursday July 14th 2022, and this is a look at the information security news from overnight.

From BleepingComputer.com: There’s a new ransomware group that has just hit the scene named Lilith. They have created the standard double-extortion leak site and added their first victim, a large construction group in South America, which has since been removed from the site. Analysis of the new family shows it does not appear to introduce any novelties, but they are another one to keep an eye on. Details in the article.

From SecurityWeek.com: Researchers have devised a new speculative execution attack called Retbleed, that can lead to information leaks and works on both Intel and AMD processors. The attack targets retpolines, or return trampolines, which was one of the defenses proposed back in 2018 to mitigate the Spectre side-channel attacks. You can see all the details and a link to the research paper in the article.

From PortSwigger.net: A vulnerability in AWS IAM Authenticator for Kubernetes could allow a malicious actor to impersonate other users and escalate privileges in Kubernetes clusters. This impacts Elastic Kubernetes Service clusters configured with the AccessKeyID template parameter. If this is you, make sure you are running version 0.5.9.

Also from PortSwigger.net: Attackers could abuse the sticker feature in Microsoft Teams to conduct cross-site scripting attacks. The Teams platform converts stickers into an image and uploads the content as RichText/HTML in the subsequent message. This can be manipulated for a potential HTML injection attack against multiple domains. All the sticky details in the article.

And last today, from BleepingComputer.com: Japanese game publishing giant Bandai Namco has confirmed that they suffered a cyberattack. The BlackCat ransomware gang has claimed responsibility for the attack on their data leak site. The company says the breach occurred on July 3rd to their internal systems in Asian regions other than Japan, and they are still evaluating the scope and type of information compromised.

That’s all for me today. Have a great rest of your day. Like and subscribe, and until tomorrow, be safe out there.
3 minutes | Jul 13, 2022
Qakbot Glows Up, AiTM Phishing, Luna Moth Flutters In, and more.
A daily look at the relevant information security news from overnight - 13 July, 2022

Episode 264 - 13 July 2022

Qakbot Glows Up - https://thehackernews.com/2022/07/researchers-uncover-new-attempts-by.html
AiTM Phishing - https://threatpost.com/large-scale-hishing-bypasses-mfa/180212/
Lenovo Firmware Flaw - https://thehackernews.com/2022/07/new-uefi-firmware-vulnerabilities.html
Microsoft Patches Zero Day - https://www.bleepingcomputer.com/news/microsoft/microsoft-july-2022-patch-tuesday-fixes-exploited-zero-day-84-flaws/
Luna Moth Flutters In - https://www.bleepingcomputer.com/news/security/new-luna-moth-hackers-breach-orgs-via-fake-subscription-renewals/

Hi, I’m Paul Torgersen. It’s Wednesday July 13th 2022, and this is a look at the information security news from overnight.

From TheHackerNews.com: Researchers at Zscaler have found that the operators behind the Qakbot malware are trying to sidestep detection by altering their delivery vectors. Most recently by using ZIP file extensions, code obfuscation, utilizing multiple URLs, and using unknown file extensions such as .OCX, .ooccxx, .gyp, etc. Looks like this little workhorse just won't go away. A link to that research in the article.

From ThreatPost.com: Microsoft has uncovered a massive phishing campaign that can steal credentials even if you have multi-factor authentication enabled. The campaign uses adversary-in-the-middle phishing sites to hijack session cookies so the attacker gets authenticated to a session on the user’s behalf regardless of the sign-in method used. The ultimate goal seems to be payment fraud through Business Email Compromise attacks and has targeted over 10,000 organizations to date. Details in the article.

From TheHackerNews.com: Lenovo rolled out fixes for three security flaws in its UEFI firmware affecting over 70 product models. The vulnerabilities can be exploited to achieve arbitrary code execution in the early phases of the platform boot. All three bugs relate to buffer overflow vulnerabilities. Lenovo had to patch three UEFI vulnerabilities earlier this year as well.

From BleepingComputer.com: Microsoft's July Patch Tuesday included fixes for 84 total vulnerabilities. Four of those were critical, one of which was a zero day being actively exploited in the wild. That one could gain an attacker SYSTEM privileges, but no attack details were provided. This is in addition to fixes rolled out from SAP, Siemens, Schneider and others. Get your patch on, kids.

And last today, also from BleepingComputer.com: A new data extortion group has been trying to breach companies to steal confidential information. The group, called Luna Moth, has been active since at least March with phishing campaigns that claim to be subscription renewal invoices, but really deliver remote access tools. The emails spoof the relevant brand, but actually all come from gmail accounts. The techniques and tools used indicate these guys are not very sophisticated. On the other hand, sometimes our users are not very sophisticated, so better to be aware.

That’s all for me today. Have a great rest of your day. Like and subscribe, and until tomorrow, be safe out there.
3 minutes | Jul 12, 2022
OAuth Dirty Dancing, Crypto Mining in the Cloud, Ransom Return, and more.
A daily look at the relevant information security news from overnight - 12 July, 2022

Episode 263 - 12 July 2022

OAuth Dirty Dancing - https://portswigger.net/daily-swig/dirty-dancing-in-oauth-researcher-discloses-how-cyber-attacks-can-lead-to-account-hijacking
Crypto Mining in the Cloud - https://thehackernews.com/2022/07/cloud-based-cryptocurrency-miners.html
Rolling-PWN a Honda - https://www.bleepingcomputer.com/news/security/hackers-can-unlock-honda-cars-remotely-in-rolling-pwn-attacks/
Amazon Scam Days - https://www.infosecurity-magazine.com/news/spike-amazon-prime-scams/
Ransom Return - https://www.bleepingcomputer.com/news/security/new-0mega-ransomware-targets-businesses-in-double-extortion-attacks/

Hi, I’m Paul Torgersen. It’s Tuesday July 12th 2022, and this is a look at the information security news from overnight.

From PortSwigger.net: A researcher has discovered a way to perform single-click account hijacking by abusing the OAuth process flow. He calls it Dirty Dancing because attackers can dance around the OAuth authentication process and how it communicates between a browser and a service provider. All the dirty details in the article.

From TheHackerNews.com: GitHub Actions and Azure virtual machines are being leveraged for cloud-based crypto mining operations. At least 1,000 repositories and 550 code samples have been found taking advantage of the GitHub runners for mining. No number was provided for the Azure VMs. Details and a link to the Trend Micro research in the article.

From BleepingComputer.com: Researchers found that several modern Honda models have a vulnerable rolling code mechanism that allows unlocking the cars or even starting the engine remotely. It has to do with intercepting signals from the fob and how the pseudorandom number generator works. The Hondas will re-sync when the car gets lock/unlock commands in succession, which allows codes from a previous session to be successful instead of invalidated. Details inside.

From Infosecurity-Magazine.com: With Amazon Prime Days come Amazon Prime Days scams. In 2021 there was nearly double the amount of phishing scams related to the sale than typical Amazon focused attempts. Be on the lookout for imposter websites and lots of “get an Amazon gift card if you fill out this survey.” Remember, if something looks too good to be true, it probably is.

And last today, from BleepingComputer.com: In a bit of good news, back in December of 2019, Maastricht University, a Dutch university with more than 22,000 students, fell victim to a ransomware attack. To get their files decrypted, they paid a ransom of 30 bitcoins, about 200,000 Euro at the time. Flash forward to February of this year when Dutch authorities found a wallet containing part of the paid ransom, which they promptly returned to the university. But because of the increase in value of the crypto, the amount returned was right about 500,000 Euro. Sometimes being the victim of a crime does pay.

That’s all for me today. Have a great rest of your day. Like and subscribe, and until tomorrow, be safe out there.
3 minutes | Jul 11, 2022
Mangatoon Mega Breach, Security Companies as Phishing Bait, 0mega Ransomware, and more.
A daily look at the relevant information security news from overnight - 11 July, 2022

Episode 262 - 11 July 2022

Mangatoon Mega Breach - https://www.bleepingcomputer.com/news/security/mangatoon-data-breach-exposes-data-from-23-million-accounts/
Security Companies as Phishing Bait - https://www.zdnet.com/article/brazen-crooks-are-now-posing-as-cybersecurity-companies-to-trick-you-into-installing-malware/
La Poste Mobile Attacked - https://www.infosecurity-magazine.com/news/ransomware-french-telecomes/
Edge Zero Day Patch - https://www.techradar.com/news/microsoft-edge-gets-emergency-patch-for-severe-zero-day-vulnerability
0mega Ransomware - https://www.bleepingcomputer.com/news/security/new-0mega-ransomware-targets-businesses-in-double-extortion-attacks/

Hi, I’m Paul Torgersen. It’s Monday July 11th 2022, and this is a look at the information security news from overnight.

From BleepingComputer.com: Comic reading platform Mangatoon has suffered a data breach that exposed information belonging to 23 million user accounts. It appears to have been stolen from an unsecured Elasticsearch database. There has been no response whatsoever from the company, so if you want to know if your information was involved you will have to head over to haveibeenpwned (.) com to check.

From ZDNet.com: Criminals are posing as cybersecurity companies in phishing campaigns which claim that the recipient has been hit by a cyber attack. They are urged to respond in order to protect their network from being further compromised. Of course that response then opens the door to the hackers to actually compromise their network. The article has a link to the research by Crowdstrike, who also happens to be one of the companies being impersonated.

From Infosecurity-Magazine.com: A ransomware attack, most likely LockBit, has hit French telecoms operator La Poste Mobile. The company took down their public facing website and customer area as a precaution and they remain down a week later. They claim their routers were secure, but employee desktops may have been breached. They are urging customers to be extra alert for targeted phishing or identity theft attacks.

From TechRadar.com: A few days after Google patched a zero day flaw in Chrome, Microsoft has now patched that same flaw in Edge. While both companies are keeping mum on details, we do know it is a heap-based buffer overflow weakness and it has been compromised in the wild. Get your patch on, kids.

And last today, from BleepingComputer.com: A new ransomware operation named 0mega, with a zero instead of an O, targets organizations worldwide in double-extortion attacks. No sample has yet been examined, so there is not a lot of data about how the ransomware encrypts files. We do know that it appends the .0mega extension to the encrypted files’ names and creates ransom notes named DECRYPT-FILES.txt. These notes are customized per victim, usually containing the company name and describing the different types of data stolen in the attack. Victims are directed to a Tor payment site with a support chat that they can use to contact the ransomware gang.

That’s all for me today. Have a great rest of your day. Like and subscribe, and until tomorrow, be safe out there.
3 minutes | Jul 8, 2022
QNAP Calls Checkmate, Fake Google Delivers HavanaCrypt, Node.js Patch, and more.
3 minutes | Jul 7, 2022
North Korean Maui Zowie, Linux and Windows RedAlert, Linux in OrBit, and more.
3 minutes | Jul 6, 2022
Spring Data Bad SpEL, Hive Gets Rust-ed, Cozy Bear Leverages BRc4, and more.
A daily look at the relevant information security news from overnight - 06 July, 2022

Episode 259 - 06 July 2022

Spring Data Bad SpEL - https://portswigger.net/daily-swig/spring-data-mongodb-hit-by-another-critical-spel-injection-flaw
Hive Gets Rust-ed - https://thehackernews.com/2022/07/hive-ransomware-upgrades-to-rust-for.html
Silent Shadow Fix - https://www.bleepingcomputer.com/news/microsoft/microsoft-quietly-fixes-shadowcoerce-windows-ntlm-relay-bug/
Google to Delete Sensitive Tracking - https://www.infosecurity-magazine.com/news/british-army-social-media-accounts/
Cozy Bear Leverages BRc4 - https://thehackernews.com/2022/07/hackers-abusing-brc4-red-team.html

Hi, I’m Paul Torgersen. It’s Wednesday July 6th 2022, and this is a look at the information security news from overnight.

From PortSwigger.net: A critical SpEL injection vulnerability has been patched in Spring Data MongoDB. The 9.8 severity bug could be exploited to achieve remote code execution. First.org has ranked the flaw among the top 10 CVEs likely to be used in the wild over the last 30 days. The ease-of-exploitation and the number of proof of concepts available will likely make this vulnerability very popular. Get your patch on, kids.

From TheHackerNews.com: The operators of the Hive ransomware have completely rewritten the malware, moving from the Go language to Rust. This gains them the benefit of memory safety and deeper control over low-level resources as well as making use of a wide range of cryptographic libraries. It also makes it more difficult to reverse engineer. These changes continue to show Hive as one of the fastest evolving ransomware families out there.

From ZDNet.com: Four more Android apps have been removed from the Google Play store after it was discovered they were being used to deliver the Joker malware to smartphones. The apps, which have over 100,000 downloads between them, are: Smart SMS Messages, Blood Pressure Monitor, Voice Language Translator and Quick Text SMS. They join at least 11 other apps that have been removed recently for the same issue. Details in the article.

From BleepingComputer.com: Microsoft has confirmed that they silently patched the ShadowCoerce vulnerability as part of their June 2022 updates. They say the vuln was mitigated along with CVE-2022-30154 because they both affect the same component. The question is, why have they not yet publicly provided any details, or even assigned a CVE ID? Strange actions for a vulnerability of this magnitude. No clarification yet from Redmond.

And last today, from TheHackerNews.com: Malicious actors have been observed abusing Brute Ratel C4, a relatively new and quite sophisticated toolkit designed to avoid detection by EDR and AV capabilities. BRc4 is a customized command-and-control center for red team and adversary simulation. Evidently the bad guys thought it was ready for prime time. The bad guys in this case probably being APT29, or Cozy Bear. You may remember them from the SolarWinds supply chain attack last year.

That’s all for me today. Have a great rest of your day. Like and subscribe, and until tomorrow, be safe out there.
3 minutes | Jul 5, 2022
WeWork Exposure, Django Injection, Google Zero-Day Patch, and more.
A daily look at the relevant information security news from overnight - 05 July, 2022

Episode 258 - 05 July 2022

WeWork Exposure - https://techcrunch.com/2022/07/04/wework-exposed-visitors-data/
Django Injection - https://www.bleepingcomputer.com/news/security/django-fixes-sql-injection-vulnerability-in-new-releases/
AstraLocker Expires - https://www.bleepingcomputer.com/news/security/astralocker-ransomware-shuts-down-and-releases-decryptors/
Google to Delete Sensitive Tracking - https://www.infosecurity-magazine.com/news/british-army-social-media-accounts/
Google Zero-Day Patch - https://threatpost.com/actively-exploited-chrome-bug/180118/

Hi, I’m Paul Torgersen. It’s Tuesday July 5th 2022, and this is a look at the information security news from overnight.

From TechCrunch.com: WeWork India had a security lapse that exposed the personal information and selfies of tens of thousands of people who used the WeWork coworking spaces in the country. The bug made it possible to access the check-in record of any visitor by manually typing in a check-in ID, with no safeguards against accessing the data in bulk. The company is fixing the issue.

From BleepingComputer.com: Django, an open source Python-based web framework, has patched a high-severity SQL injection vulnerability. The flaw affects Django's main branch, and versions 4.1 (currently in beta), 4.0, and 3.2. Developers are urged to upgrade to Django versions 4.0.6 and 3.2.14 as soon as possible.

Also from BleepingComputer.com: The threat actor behind the AstraLocker ransomware says they're shutting down the operation and plan to switch to cryptojacking. The ransomware's developer even submitted a ZIP archive with the AstraLocker decryptors to VirusTotal. The decryptors appear to be legit and worked on the one sample the team at BleepingComputer tried out. Details and a link to that zip file in the article.

From ZDNet.com: Google says it will automatically wipe user location history for visits to healthcare clinics, including abortion and fertility clinics, domestic abuse shelters, and other sensitive areas. The fear is that, in a post-Roe world, this location tracking data could be used in persecutions, excuse me, prosecutions. These changes will be rolling out in the coming weeks.

And last today, from ThreatPost.com: Google quietly rolled out a stable channel update for Chrome to patch an actively exploited zero-day vulnerability. This is the fourth such flaw the vendor has had to patch so far this year. The bug is a buffer overflow that was just reported on July 1. The company also tidied up a few other bugs while it was at it.

That’s all for me today. Have a great rest of your day. Like and subscribe, and until tomorrow, be safe out there.
3 minutes | Jul 4, 2022
Giant China Data Breach, Raspberry Robin, Zoho RCE POC, and more.
A daily look at the relevant information security news from overnight - 04 July, 2022

Episode 257 - 04 July 2022

Giant China Data Breach - https://www.zdnet.com/article/giant-data-breach-leaked-personal-data-of-one-billion-people-has-been-spotted-for-sale-on-the-dark-web/
Raspberry Robin - https://www.bleepingcomputer.com/news/security/microsoft-finds-raspberry-robin-worm-in-hundreds-of-windows-networks/
British Army Hawks Crypto Scam - https://www.infosecurity-magazine.com/news/british-army-social-media-accounts/
LockBit Black - https://www.itpro.co.uk/security/ransomware/368418/latest-lockbit-ransomware-strain-strikingly-similar-to-blackmatter
Microsoft Backdoor - https://thehackernews.com/2022/07/new-sessionmanager-backdoor-targeting.html
Zoho RCE POC - https://www.bleepingcomputer.com/news/security/zoho-manageengine-adaudit-plus-bug-gets-public-rce-exploit/

Hi, I’m Paul Torgersen. It’s Monday July 4th 2022, happy birthday America, and this is a look at the information security news from overnight.

From zdnet.com: Detailed personal information for 1 billion Chinese residents has been found for sale on the dark web. Obviously this would be one of the largest data breaches in history. The information in the 23 terabytes of data includes names, addresses, national ID numbers, mobile phone numbers, as well as police and medical records. Hackers claim the information came from the Shanghai National Police database and are offering it for sale for 10 bitcoin, which right now is less than $200,000.

From BleepingComputer.com: Microsoft recently spotted a Windows worm on the networks of hundreds of organizations from various industry sectors. The malware, Raspberry Robin, spreads via infected USB devices, you know, those ones the boss finds lying in the parking lot and plugs in to see what’s on it? Microsoft observed the malware connecting to addresses on the Tor network, although it appears the threat actors are yet to exploit any access they gained to victims' networks. Details in the article.

From Infosecurity-Magazine.com: The British Army confirmed its Twitter and YouTube accounts were compromised by a third party and used to direct visitors to cryptocurrency scams. There are reports that their Facebook account was compromised also. The YouTube account was completely rebranded to resemble investment firm Ark Invest, posting live stream videos featuring Elon Musk and Jack Dorsey. The social media accounts all appear to be back under proper control.

From ITPro.co.uk: Security researchers have acquired a sample of LockBit 3.0, which the hacking group internally calls LockBit Black. Analysis shows that large portions of the code are ripped straight from the BlackMatter ransomware developed by the Darkside group. You will remember them as the group that shut down last year after their huge Colonial Pipeline hit brought a lot of national security heat down on them. Evidently LockBit hired some of those developers. Details and a link to the analysis in the article.

And last today, from BleepingComputer.com: Security researchers have published technical details and proof-of-concept for a critical vulnerability in the Zoho ManageEngine ADAudit Plus tool for monitoring activities in the Active Directory. The vulnerability could lead to remote code execution and compromise of Active Directory accounts, and comes with a severity score of 9.8. Get your patch on, kids.

That’s all for me today. Have a great Fourth of July, and until tomorrow, be safe out there.
© Stitcher 2023