Feed aggregator

This Wednesday we are running a free security training [for everyone]. Last chance to sign up :-)

Sekurak.pl - Tue, 09/13/2022 - 06:42

Phishing / voice attacks / fresh scams (sometimes literally from the last few days) / security when travelling / slightly more advanced attacks on users, and a few words about ransomware – in short, that is the agenda of the 1.5-hour training "Don't let the cyber-bandits get you". The training is held online (there are two slots: 10:00 and...

The article This Wednesday we are running a free security training [for everyone]. Last chance to sign up :-) originally appeared on Sekurak.

Asian Governments and Organizations Targeted in Latest Cyber Espionage Attacks

The Hacker News - Tue, 09/13/2022 - 06:34
Government and state-owned organizations in a number of Asian countries have been targeted by a distinct group of espionage hackers as part of an intelligence gathering mission that has been underway since early 2021. "A notable feature of these attacks is that the attackers leveraged a wide range of legitimate software packages in order to load their malware payloads using a technique known as 
Categories: Cyber Security News

Here's a chance to play a game – a cyber one, and a strategic one at that

ZaufanaTrzeciaStrona.pl - Tue, 09/13/2022 - 05:34

How do you stretch a short budget blanket to cover every cyber risk at once? How do you prioritize spending so as to be best prepared for unexpected attacks? These are hard questions, which is why it is worth rehearsing the answers in a dry run – and winning prizes while you are at it.

On September 30 the final of the second season of the Cyber Fortress League (Liga Cyber Twierdzy) will be held in Warsaw: a strategy game devoted to building an IT security system and responding to randomly selected or predetermined attacks.… Read more

The post Here's a chance to play a game – a cyber one, and a strategic one at that first appeared on Zaufana Trzecia Strona.

Iranian Hackers Target High-Value Targets in Nuclear Security and Genomic Research

The Hacker News - Tue, 09/13/2022 - 05:25
Hackers tied to the Iranian government have been targeting individuals specializing in Middle Eastern affairs, nuclear security and genome research as part of a new social engineering campaign designed to hunt for sensitive information. Enterprise security firm attributed the targeted attacks to a threat actor named TA453, which broadly overlaps with cyber activities monitored under the monikers
Categories: Cyber Security News

Montenegro and its allies are working to recover from the massive cyber attack

Security Affairs - Tue, 09/13/2022 - 03:09
A massive cyberattack hit Montenegro, officials believe that it was launched by pro-Russian hackers and the security services of Moscow.

A massive cyberattack hit Montenegro; the offensive forced government headquarters to disconnect its systems from the Internet. The attack started on August 20 and impacted online government information platforms. According to the media, the critical infrastructure of the country, including banking, water and electrical power systems, is at high risk.

Government officials attribute the attack to pro-Russian hackers and to Russian security services.

The National Security Agency said that Montenegro was “under a hybrid war at the moment.”

The state has been a Russian ally since 2017 when it joined NATO despite strong opposition from Russia; it also expressed support for Ukraine after the invasion.

Moscow has since added the country to its list of “enemy states”, which is why it is suspected of being the source of the attacks.

“Coordinated Russian services are behind the cyber attack,” the ANB said in a statement. “This kind of attack was carried out for the first time in Montenegro and it has been prepared for a long period of time.”

“I can say with certainty that this attack that Montenegro is experiencing these days comes directly from Russia.” said Dusan Polovic, a government official.

However, a cybercriminal extortion gang has claimed responsibility for at least part of the attack: the systems at a parliamentary office were infected with a variant of the Cuba ransomware.

In early September, a team of cybersecurity experts from the US FBI was sent to Montenegro to help the authorities to investigate the cyberattack.

“We have been faced with serious challenges related to the cyberattack for about 20 days, and the entire state system, the system of state administration, and the system of services to citizens are functioning at a rather restrictive level,” Defense Minister Rasko Konjevic told The Associated Press. “In such attacks, there are usually organizations that are a mask for state intelligence services,” Konjevic added.

Konjevic added that government allies are helping Montenegro to recover the government’s infrastructure and are working together to find the source of the attack.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Montenegro)

The post Montenegro and its allies are working to recover from the massive cyber attack appeared first on Security Affairs.

Categories: Cyber Security News

Pro-Palestinian group GhostSec hacked Berghof PLCs in Israel

Security Affairs - Tue, 09/13/2022 - 01:15
The hacktivist collective GhostSec claimed to have compromised 55 Berghof PLCs used by Israeli organizations.

Pro-Palestinian Hacking Group GhostSec claimed to have compromised 55 Berghof programmable logic controllers (PLCs) used by Israeli organizations as part of a Free Palestine campaign.

On September 4, 2022, GhostSec announced on social media and its Telegram channel that it had compromised 55 Berghof PLCs used by organizations in Israel.

hope you all can understand our decision on not attacking their PH levels and risking a chance to harm the innocents of #Israel

Our "war" has always been FOR the people not against them. #FreePalestine

Details:https://t.co/7hczY9Owh1 pic.twitter.com/wGa7YXCbfV

— GhostSec (@ghost_s3curity) September 11, 2022

GhostSec also published a video demonstrating a successful log-in to the PLC’s admin panel along with screenshots of an HMI screen showing some phases of the attack, including the block of the PLC.

“In the message it published, GhostSec attached a video demonstrating a successful log-in to the PLC’s admin panel, together with an image of an HMI screen showing its current state and control of the PLC process, and another image showing that the PLC had been stopped. In the following message (inset) the group published the dumped data from the breached PLCs.” reported the analysis published by Industrial cybersecurity firm OTORIO.

The analysis of the system dumps published by the collective (part_1.zip and part_2.zip) revealed the public IP addresses of the affected PLCs; OTORIO's experts believe the devices were exposed online at the time of the attack.

The leaked archives contained system dumps and HMI screenshots, obtained from the Berghof admin panel of the compromised PLCs.

The experts believe that the threat actors gained access to the admin panel of the PLCs by using default and common credentials.

The experts pointed out that although access to the admin panel provides full control over some of the PLC’s functionality, it does not allow operators to directly control the industrial process.

“It is possible to affect the process to some extent, but the actual process configuration itself isn’t available solely from the admin panel,” the experts continue.

The researchers explained that even though the attack was not sophisticated, the compromise of OT infrastructure can be extremely dangerous. They added that GhostSec likely lacks the capabilities to conduct cyber attacks in the OT domain.

“Unlike cyber attacks on IT infrastructure, OT security breaches can be extremely dangerous since they can affect physical processes and, in some cases, even lead to life-threatening situations.” concludes the report. “While GhostSec’s claims are of a sophisticated cyber attack, the incident reviewed here is simply an unfortunate case where easily overlooked misconfigurations of industrial systems led to an extremely unsophisticated attempt to breach the systems themselves. The fact that the HMI probably wasn’t accessed, nor manipulated by GhostSec, and the hackers were not exploiting the Modbus interface, shows an unfamiliarity with the OT domain. To the best of our knowledge, GhostSec hadn’t brought critical damage to the affected systems, but only sought to draw attention to the hacktivist group and its activities.”

GhostSec also published other screenshots, claiming to have gained access to another control panel that can be used to modify the chlorine and pH levels in the water.

Pierluigi Paganini

(SecurityAffairs – hacking, PLCs)

The post Pro-Palestinian group GhostSec hacked Berghof PLCs in Israel appeared first on Security Affairs.

Categories: Cyber Security News

Apple Releases iOS and macOS Updates to Patch Actively Exploited Zero-Day Flaw

The Hacker News - Mon, 09/12/2022 - 23:36
Apple has released another round of security updates to address multiple vulnerabilities in iOS and macOS, including a new zero-day flaw that has been used in attacks in the wild. The issue, assigned the identifier CVE-2022-32917, is rooted in the Kernel component and could enable a malicious app to execute arbitrary code with kernel privileges. "Apple is aware of a report that this issue may
Categories: Cyber Security News

Apple fixed the eighth actively exploited zero-day this year

Security Affairs - Mon, 09/12/2022 - 16:21
Apple has addressed the eighth zero-day vulnerability that is actively exploited in attacks against iPhones and Macs since January.

Apple has released security updates to fix a zero-day vulnerability, tracked as CVE-2022-32917, which is actively exploited in attacks against iPhone and Mac devices. This is the eighth zero-day vulnerability fixed by the IT giant since the start of the year.

“An application may be able to execute arbitrary code with kernel privileges.” reads the advisory published by Apple for this vulnerability. “The issue was addressed with improved bounds checks.”

The vulnerability impacts iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, iPod touch (7th generation), and Macs running macOS Big Sur 11.7 and macOS Monterey 12.6.

Threat actors could exploit this bug by creating specially crafted applications that execute arbitrary code with kernel privileges.

The vulnerability was reported by an anonymous researcher and Apple confirmed that it is aware that this flaw “may have been actively exploited.”

Apple addressed the flaw by releasing iOS 15.7, iPadOS 15.7, macOS Monterey 12.6, and macOS Big Sur 11.7.

Apple also released a security patch for the CVE-2022-32894 zero-day that addresses the issue for Macs running macOS Big Sur 11.7. The company initially released security updates for this issue on August 31, fixing the bug in iOS versions running on older iPhones and iPads.

Apple did not disclose technical details of the attacks exploiting this vulnerability in the wild, to give its customers time to install the security patches.

Apple has addressed seven other zero-days since the start of the year:

Apple has addressed six other zero-day vulnerabilities since January; below is the list of fixed issues:

Pierluigi Paganini

(SecurityAffairs – hacking, zero-day)

The post Apple fixed the eighth actively exploited zero-day this year appeared first on Security Affairs.

Categories: Cyber Security News

Google announced the completion of the acquisition of Mandiant for $5.4 billion

Security Affairs - Mon, 09/12/2022 - 12:36
Google completed the acquisition of the threat intelligence firm Mandiant, the IT giant will pay $5.4 billion.

Google announced the completion of the $5.4 billion acquisition of threat intelligence firm Mandiant. The acquisition was announced in March 2022 by both companies:

“RESTON, Va., March 8, 2022 – Mandiant, Inc. (NASDAQ: MNDT) today announced that it has entered into a definitive agreement to be acquired by Google LLC for $23.00 per share in an all-cash transaction valued at approximately $5.4 billion, inclusive of Mandiant’s net cash.” reported the press release.

Mandiant is considered a leading cybersecurity firm; FireEye acquired it in 2013, but separated Mandiant Solutions in 2021 as part of a $1.2 billion private equity transaction.

The cybersecurity firm will join Google Cloud, but despite the acquisition, Google will maintain the Mandiant brand.

Google is expanding its offering by adding cybersecurity services to its portfolio; as part of this strategy the company also acquired the Israeli startup Siemplify, which developed a SOAR (security orchestration, automation and response) technology.

“Today we’re excited to share the next step in this journey with the completion of our acquisition of Mandiant, a leader in dynamic cyber defense, threat intelligence and incident response services. Mandiant shares our cybersecurity vision and will join Google Cloud to help organizations improve their threat, incident and exposure management.” reads Google’s announcement.

“Combining Google Cloud’s existing security portfolio with Mandiant’s leading cyber threat intelligence will allow us to deliver a security operations suite to help enterprises globally stay protected at every stage of the security lifecycle. With the scale of Google’s data processing, novel analytics approaches with AI and machine learning, and a focus on eliminating entire classes of threats, Google Cloud and Mandiant will help organizations reinvent security to meet the requirements of our rapidly changing world.”

Pierluigi Paganini

(SecurityAffairs – hacking, Google)

The post Google announced the completion of the acquisition of Mandiant for $5.4 billion appeared first on Security Affairs.

Categories: Cyber Security News

China Accuses NSA's TAO Unit of Hacking its Military Research University

The Hacker News - Mon, 09/12/2022 - 09:39
China has accused the U.S. National Security Agency (NSA) of conducting a string of cyberattacks aimed at aeronautical and military research-oriented Northwestern Polytechnical University in the city of Xi'an in June 2022. The National Computer Virus Emergency Response Centre (NCVERC) disclosed its findings last week, and accused the Office of Tailored Access Operations (TAO) at the USA's
Categories: Cyber Security News

Palestinian Hacktivist Group GhostSec Compromises 55 Berghof PLCs Across Israel

The Hacker News - Mon, 09/12/2022 - 07:18
A hacktivist collective called GhostSec has claimed credit for compromising as many as 55 Berghof programmable logic controllers (PLCs) used by Israeli organizations as part of a "Free Palestine" campaign. Industrial cybersecurity firm OTORIO, which dug deeper into the incident, said the breach was made possible owing to the fact that the PLCs were accessible through the Internet and were
Categories: Cyber Security News

Why Vulnerability Scanning is Critical for SOC 2

The Hacker News - Mon, 09/12/2022 - 07:04
SOC 2 may be a voluntary standard, but for today's security-conscious business, it's a minimal requirement when considering a SaaS provider. Compliance can be a long and complicated process, but a scanner like Intruder makes it easy to tick the vulnerability management box. Security is critical for all organisations, including those that outsource key business operations to third parties like
Categories: Cyber Security News

Cisco confirms that data leaked by the Yanluowang ransomware gang were stolen from its systems

Security Affairs - Mon, 09/12/2022 - 04:57
Cisco confirmed the May attack and that the data leaked by the Yanluowang ransomware group was stolen from its systems.

In August, Cisco disclosed a security breach: the Yanluowang ransomware gang had breached its corporate network in late May and stolen internal data.

The investigation conducted by Cisco Security Incident Response (CSIRT) and Cisco Talos revealed that threat actors compromised a Cisco employee’s credentials after they gained control of a personal Google account where credentials saved in the victim’s browser were being synchronized. 

Once they had obtained the credentials, the attackers launched voice phishing attacks in an attempt to trick the victim into accepting the MFA push notifications initiated by the attacker.

The attacker conducted a series of sophisticated voice phishing attacks under the guise of various trusted organizations, attempting to convince the victim to accept multi-factor authentication (MFA) push notifications initiated by the attacker. The attacker ultimately succeeded in achieving an MFA push acceptance, granting them access to the VPN in the context of the targeted user.

According to Talos, once the attacker had obtained initial access, they enrolled a series of new devices for MFA and authenticated successfully to the Cisco VPN. The threat actors then escalated to administrative privileges before logging into multiple systems, and were able to drop multiple tools into the target network, including remote access tools like LogMeIn and TeamViewer, Cobalt Strike, PowerSploit, Mimikatz, and Impacket.

Over the weekend, Cisco confirmed that the data recently leaked by the Yanluowang ransomware gang is authentic and was stolen from its network during the May intrusion. However, the company pointed out that the security breach has no impact on the business because the stolen data doesn’t include sensitive information.

“On September 11, 2022, the bad actors who previously published a list of file names from this security incident to the dark web, posted the actual contents of the same files to the same location on the dark web. The content of these files match what we already identified and disclosed.” reads an update published by Cisco on September 11, 2022. “Our previous analysis of this incident remains unchanged. We continue to see no impact to our business, including Cisco products or services, sensitive customer data or sensitive employee information, intellectual property, or supply chain operations.”

According to BleepingComputer, which has contacted the leader of the ransomware gang, the Yanluowang group claims to have stolen 55GB of files, including classified documents, technical schematics, and source code.

Cisco continues to deny that the threat actors had access to the source code of its products.

Recently, researchers from cybersecurity firm eSentire discovered that the attack infrastructure used in the Cisco hack was also used to attack a top Workforce Management corporation in April 2022.

The experts also speculate that the attack was orchestrated by a threat actor known as mx1r, who is an alleged member of the Evil Corp affiliate cluster dubbed UNC2165.

Pierluigi Paganini

(SecurityAffairs – hacking, Cisco)

The post Cisco confirms that data leaked by the Yanluowang ransomware gang were stolen from its systems appeared first on Security Affairs.

Categories: Cyber Security News

Some firmware bugs in HP business devices are yet to be fixed

Security Affairs - Mon, 09/12/2022 - 03:27
Six high-severity firmware bugs affecting several HP Enterprise devices are yet to be patched, some of them since July 2021.

The Binarly security research team reported that several HP Enterprise devices are affected by six high-severity firmware vulnerabilities that are yet to be patched, some of which were disclosed more than a year ago.

The researchers disclosed technical details of some of the vulnerabilities at the Black Hat 2022 conference.

The bugs affect HP EliteBook devices and multiple additional HP product lines; the experts reported that the issues are arbitrary code execution vulnerabilities related to the System Management Mode (SMM) of the Unified Extensible Firmware Interface (UEFI).

The SMM is an operating mode of x86 CPUs in which all normal execution, including the operating system, is suspended.

When execution is transferred to SMM, the operating system is suspended and a portion of the UEFI/BIOS firmware runs with elevated privileges and with access to all of the system's data and hardware.

Below is the list of the vulnerabilities:

Vulnerability                                      BRLY ID          CVE ID           CVSS score
SMM Memory Corruption (Arbitrary Code Execution)   BRLY-2022-010    CVE-2022-23930   8.2 High
SMM Memory Corruption (Arbitrary Code Execution)   BRLY-2022-011    CVE-2022-31644   7.5 High
SMM Memory Corruption (Arbitrary Code Execution)   BRLY-2022-012    CVE-2022-31645   8.2 High
SMM Memory Corruption (Arbitrary Code Execution)   BRLY-2022-013    CVE-2022-31646   8.2 High
SMM Memory Corruption (Arbitrary Code Execution)   BRLY-2021-046    CVE-2022-31640   7.5 High
SMM Memory Corruption (Arbitrary Code Execution)   BRLY-2021-047    CVE-2022-31641   7.5 High

Three of the vulnerabilities were reported to HP in July 2021, while the other three were disclosed in April 2022.

Vulnerabilities in SMM can be exploited to bypass Secure Boot; threat actors who bypass this security feature can install stealthy rootkits.

In February 2022, HP addressed CVE-2022-23930 with the release of HP PC BIOS Security Updates.

The tech giant addressed CVE-2022-31644, CVE-2022-31645, and CVE-2022-31646 in August 2022, but several business notebooks, desktops, and workstations have yet to receive updates.

The remaining issues, tracked as CVE-2022-31640 and CVE-2022-31641, were addressed in September 2022, but many workstations are yet to be patched.

“Based on the Binarly’s telemetry data, we are experiencing the same effect. In terms of impact at scale, firmware supply chain problems are one of the major challenges.” Binarly concludes, speaking about firmware vulnerabilities. “Approximately 20% of firmware updates contain at least two or three known vulnerabilities (previously disclosed), according to Binarly Platform data (based on enterprise-grade vendors study).”

Pierluigi Paganini

(SecurityAffairs – hacking, firmware bugs)

The post Some firmware bugs in HP business devices are yet to be fixed appeared first on Security Affairs.

Categories: Cyber Security News

High-Severity Firmware Security Flaws Left Unpatched in HP Enterprise Devices

The Hacker News - Mon, 09/12/2022 - 03:06
A number of firmware security flaws uncovered in HP's business-oriented high-end notebooks continue to be left unpatched in some devices even months after public disclosure. Binarly, which first revealed details of the issues at the Black Hat USA conference in mid-August 2022, said the vulnerabilities "can't be detected by firmware integrity monitoring systems due to limitations of the Trusted
Categories: Cyber Security News

Albania was hit by a new cyberattack and blames Iran

Security Affairs - Sun, 09/11/2022 - 17:35
Albania blamed Iran for a new cyberattack that hit computer systems used by the state police on Friday.

Albania blamed the government of Teheran for a new cyberattack that hit computer systems used by the state police on Saturday.

“The national police’s computer systems were hit Friday by a cyberattack which, according to initial information, was committed by the same actors who in July attacked the country’s public and government service systems,” reads a statement issued by the Albanian interior ministry.

“In order to neutralize the criminal act and secure the systems,” the authorities have shut down computer control systems at seaports, airports and border posts, the statement added. 

Prime Minister Edi Rama confirmed the attribution of this new cyber attack to the same Iran-linked threat actor that launched the attack against Albania in July.

Another cyber attack by the same aggressors, by now exposed and condemned by Albania's allied and friendly countries, was recorded last night on the TIMS system! Meanwhile we continue to work every day without fixed hours with our allies to make our digital systems impenetrable.

— Edi Rama (@ediramaal) September 10, 2022

“Another cyber attack by the same attackers, already exposed and condemned by the friendly and allied countries of Albania, was recorded last night on the TIMS system! In the meantime, we continue to work around the clock with our allies to make our digital systems impenetrable.” said Edi Rama.

Last week, the Albanian Prime Minister announced that Albania interrupted diplomatic ties with Iran and expelled the country’s embassy staff over the massive cyber attack that hit the country in mid-July.

The cyberattack hit the servers of the National Agency for Information Society (AKSHI), which handles many government services. Most of the desk services for the population were interrupted, and only several important services, such as online tax filing, were working because they are provided by servers not targeted in the attack. Albania reported the attack to the NATO Member States and other allies.

According to a statement published by the government, the damage may be considered minimal compared to the goals of the threat actors. The country’s embassy staff was asked to leave Albania within 24 hours.

The relations between Albania and Iran have deteriorated since the government of Tirana offered asylum to thousands of Iranian dissidents.

The United States government issued a statement condemning Iran for attacking Albania.

“The United States strongly condemns Iran’s cyberattack against our NATO Ally, Albania. We join in Prime Minister Rama’s call for Iran to be held accountable for this unprecedented cyber incident. The United States will take further action to hold Iran accountable for actions that threaten the security of a U.S. ally and set a troubling precedent for cyberspace.” U.S. National Security Council spokesperson Adrienne Watson said. “We have concluded that the Government of Iran conducted this reckless and irresponsible cyberattack and that it is responsible for subsequent hack and leak operations.”

NATO and the U.K. also formally blamed the Iranian government for the cyberattacks against Albania.

The U.S. Treasury Department announced sanctions against Iran’s Ministry of Intelligence and Security (MOIS) and its Minister of Intelligence over the cyber attack that hit Albania in July.

MOIS is the primary intelligence agency of the Islamic Republic of Iran and a member of the Iran Intelligence Community. It is also known as VAJA and previously as VEVAK (Vezarat-e Ettela’at va Amniyat-e Keshvar) or alternatively MOIS.

The Iranian government denied it was behind the cyberattack and labeled Albania’s decision to sever diplomatic ties “an ill-considered and short-sighted action”.

“Iran as one of the target countries of cyberattacks on its critical infrastructure rejects and condemns any use of cyber space as a tool to attack the critical infrastructure of other countries,” the Iranian foreign ministry said.

Pierluigi Paganini

(SecurityAffairs – hacking, Albania)

The post Albania was hit by a new cyberattack and blames Iran appeared first on Security Affairs.

Categories: Cyber Security News

Security Affairs newsletter Round 383

Security Affairs - Sun, 09/11/2022 - 10:30
A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs free for you in your email box.

If you want to also receive for free the newsletter with the international press subscribe here.

IHG suffered a cyberattack that severely impacted its booking process
China-Linked BRONZE PRESIDENT APT targets Government officials worldwide
Scammers live-streamed on YouTube a fake Apple crypto event
US Treasury sanctioned Iran’s Ministry of Intelligence over Albania cyberattack
$30 Million worth of cryptocurrency stolen by Lazarus from Axie Infinity was recovered
Experts warn of attacks exploiting zero-day in WordPress BackupBuddy plugin
Iran-linked DEV-0270 group abuses BitLocker to encrypt victims’ devices
CISA adds 12 new flaws to its Known Exploited Vulnerabilities Catalog
Classified NATO documents sold on darkweb after they were stolen from Portugal
North Korea-linked Lazarus APT targets energy providers around the world
Cisco will not fix the authentication bypass flaw in EoL routers
Ex-members of the Conti ransomware gang target Ukraine
Albania interrupted diplomatic ties with Iran over the mid-July attack
Experts spotted a new stealthy Linux malware dubbed Shikitega
Challenges of User Authentication: What You Need to Know
Zyxel addressed a critical RCE flaw in its NAS devices
Moobot botnet is back and targets vulnerable D-Link routers
The Los Angeles Unified School District hit by a ransomware attack
A new Android malware used to spy on the Uyghur Community
Experts discovered TeslaGun Panel used by TA505 to manage its ServHelper Backdoor
China accuses the US of cyberattacks
Interpol dismantled sextortion ring in Asia
QNAP warns new Deadbolt ransomware attacks exploiting zero-day
TikTok denies data breach following leak of user data
Windows Defender identified Chromium, Electron apps as Hive Ransomware
EvilProxy Phishing-As-A-Service With MFA Bypass Emerged In Dark Web
A new SharkBot variant bypassed Google Play checks again
A new phishing scam targets American Express cardholders
Anonymous hacked Yandex taxi causing a massive traffic jam in Moscow
IRS mistakenly published confidential info for roughly 120K taxpayers
Alleged Iranian threat actors leak the code of their CodeRAT malware

Pierluigi Paganini

(SecurityAffairs – hacking, newsletter)

The post Security Affairs newsletter Round 383 appeared first on Security Affairs.

Categories: Cyber Security News

Iran-linked APT42 is behind over 30 espionage attacks

Security Affairs - Sun, 09/11/2022 - 09:31
Iran-linked APT42 (formerly UNC788) is suspected to be the actor behind over 30 cyber espionage attacks against activists and dissidents.

Experts attribute over 30 cyber espionage attacks against activists and dissidents to the Iran-linked APT42 (formerly UNC788).

The campaigns have been conducted since 2015 and are aimed at information collection and surveillance operations against individuals and organizations of strategic interest to Tehran. Mandiant researchers pointed out that APT42 operates on behalf of the Islamic Revolutionary Guard Corps (IRGC)'s Intelligence Organization (IRGC-IO).

APT42's TTPs overlap with those of another Iran-linked APT group tracked as APT35 (aka 'Charming Kitten', 'Phosphorus', Newscaster, and Ajax Security Team), which made the headlines in 2014 when experts at iSight issued a report describing the most elaborate net-based spying campaign organized by Iranian hackers using social media.

Microsoft has been tracking the threat actors at least since 2013, but experts believe that the cyberespionage group has been active since at least 2011.

The APT group previously targeted medical research organizations in the US and Israel in late 2020, and academics from the US, France, and the Middle East region in 2019.

The group has also targeted human rights activists and the media sector, and has interfered with the US presidential elections.

APT42 focuses on highly targeted spear-phishing and social engineering techniques. Its operations broadly fall into three categories: credential harvesting, surveillance operations, and malware deployment.

“Mandiant has observed over 30 confirmed targeted APT42 operations spanning these categories since early 2015. The total number of APT42 intrusion operations is almost certainly much higher based on the group’s high operational tempo, visibility gaps caused in part by the group’s targeting of personal email accounts and domestically focused efforts, and extensive open-source industry reporting on threat clusters likely associated with APT42.” reads the report published by Mandiant.

The APT42 activity varies according to the evolution of priorities and interests of the Iranian government, including campaigns pursuing domestic and foreign-based opposition groups prior to an Iranian presidential election. Mandiant researchers highlight that APT42 quickly reacts to geopolitical changes by adjusting its operations.

“In May 2017, APT42 targeted the senior leadership of an Iranian opposition group operating from Europe and North America with spear-phishing emails mimicking legitimate Google correspondence.” reads the report published by Mandiant. “The emails contained links to fake Google Books pages which redirected to sign-in pages designed to steal credentials and two-factor authentication codes.”

The surveillance operations conducted by the APT group involved the distribution of Android malware such as VINETHORN and PINEFLOWER. The attack chain starts with text messages sent to the victims; the malicious code then allows spying on the recipients by recording audio and phone calls, harvesting multimedia content and SMSes, and tracking geolocation.

In September 2021, the Iran-linked group compromised a European government email account and used it to send a phishing email to almost 150 email addresses associated with individuals or entities employed by or affiliated with civil society, government or intergovernmental organizations around the world. The bait email embedded a Google Drive link to a malicious macro document leading to TAMECAT, a PowerShell toehold backdoor.

“the group has displayed its ability to rapidly alter its operational focus as Iran’s priorities change over time with evolving domestic and geopolitical conditions. We assess with high confidence that APT42 will continue to perform cyber espionage and surveillance operations aligned with evolving Iranian operational intelligence collection requirements.” the researchers conclude.

Follow me on Twitter: @securityaffairs and Facebook


Pierluigi Paganini

(SecurityAffairs – hacking, APT42)

The post Iran-linked APT42 is behind over 30 espionage attacks appeared first on Security Affairs.

Categories: Cyber Security News

Weekend Reading: episode 484 [2022-09-11]. Take and read

ZaufanaTrzeciaStrona.pl - Sun, 09/11/2022 - 07:48

We invite you to the new edition of Weekend Reading. Admittedly, the weekend is already drawing to a close, but there is still some time left to look through the links we have gathered for you. We wish you pleasant reading.

In today's edition, in the feature section, we particularly recommend the new episode of the Panoptykon 4.0 podcast on how public administration uses artificial intelligence algorithms (item 1) and the news about the shutdown of the criminal marketplace WT1SHOP (item 15).… Read more

The post Weekend Reading: episode 484 [2022-09-11]. Take and read first appeared on Zaufana Trzecia Strona.

Iranian APT42 Launched Over 30 Espionage Attacks Against Activists and Dissidents

The Hacker News - Sun, 09/11/2022 - 00:21
A state-sponsored advanced persistent threat (APT) actor newly christened APT42 (formerly UNC788) has been attributed to over 30 confirmed espionage attacks against individuals and organizations of strategic interest to the Iranian government at least since 2015. Cybersecurity firm Mandiant said the group operates as the intelligence gathering arm of Iran's Islamic Revolutionary Guard Corps (
Categories: Cyber Security News
