A daily look at the relevant information security news from overnight.

Episode 238 - 17 May 2022

Apple attack - https://www.bleepingcomputer.com/news/security/apple-emergency-update-fixes-zero-day-used-to-hack-macs-watches/

Conti hits Parker -
https://www.infosecurity-magazine.com/news/parker-conti-ransomware/

Tesla BLE - https://www.bleepingcomputer.com/news/security/hackers-can-steal-your-tesla-model-3-y-using-new-bluetooth-attack/

Card skimming - https://www.zdnet.com/article/fbi-hackers-used-malicious-php-code-to-grab-credit-card-data/

iPhone vulv- https://threatpost.com/iphones-attack-turned-off/179641/

Hi, I’m Paul Torgersen. It’s Tuesday May 17th, 2022, and this is a look at the information security news from overnight.

From BleepingComputer.com:
Apple has released security updates to address a zero-day vulnerability that threat actors can exploit in attacks targeting Macs and Apple Watches. The flaw is an out-of-bounds write issue in the AppleAVD, the kernel extension for audio and video decoding. Apple says it is likely this has already been exploited in the wild.

From Infosecurity-magazine.com:
US manufacturer Parker-Hannifin has announced a data breach exposing employees’ PII after being the target of a Conti ransomware attack. The company said that an unauthorized third party gained access to its IT systems between 11 and 14 of March this year. On the plus side, if you‘re information was involved, you just got two free years of identity theft monitoring.

From BleepingComputer.com:
Security researchers at the NCC Group have developed a tool to carry out a Bluetooth Low Energy relay attack that bypasses all existing protections to authenticate on target devices. What target devices, you ask? Teslas. Details in the article.

From ZDNet.com:
The FBI put out a warning that someone is scraping credit card data from the checkout pages of US businesses' websites. The bad actor is injecting malicious PHP Hypertext Preprocessor code into the business' online checkout page and sending the scraped data to a server that spoofed a legitimate card processing server. They also left a backdoor into the victims system.

And last today, from ThreatPost.com
Because of how Apple implements standalone wireless features such as Bluetooth, Near Field Communication and Ultra-wideband technologies, researchers have found that iPhones are vulnerable to malware loading attacks even when the device is turned off. The root cause of the issue is how iPhones implement low power mode for wireless chips. No comment yet from Apple, but there is a link to the research report in the article.

That’s all for me today. Remember to LIKE and SUBSCRIBE. And as always, until next time, be safe out there.

A daily look at the relevant information security news from overnight.

Episode 237 - 12 May 2022

Eurovision saved - https://www.reuters.com/world/europe/italian-police-prevents-pro-russian-hacker-attacks-during-eurovision-contest-2022-05-15/

SonicWall crack -
https://www.bleepingcomputer.com/news/security/sonicwall-strongly-urges-admins-to-patch-sslvpn-sma1000-bugs/

Multi phish - https://www.zdnet.com/article/this-phishing-attack-delivers-three-forms-of-malware-and-they-all-want-to-steal-your-data/

Pixelmon phony - https://www.bleepingcomputer.com/news/security/fake-pixelmon-nft-site-infects-you-with-password-stealing-malware

sysrv botnet- https://www.zdnet.com/article/microsoft-warns-this-botnet-has-new-tricks-to-target-linux-and-windows-systems/

Hi, I’m Paul Torgersen. It’s Monday May 16th, 2022, and this is a look at the information security news from overnight.

From Reuters.com:
Italian police thwarted hacker attacks by pro-Russian groups that were trying to change the results in the Eurovision Song Contest. Ukraine's Kalush Orchestra won the contest with their entry "Stefania". Evidently Vladimer didn’t think too highly of that.

From BleepingComputer.com:
SonicWall is strongly urging customers to patch several high-risk security flaws impacting its Secure Mobile Access 1000 Series line of products. The vulnerability can let attackers bypass authorization and compromise unpatched appliances. The company says there is no evidence of this yet being exploited in the wild, and that there are no temporary mitigations. Get your patch on kids.



From ZDNet.com:
A new phishing campaign has been spotted targeting Microsoft Windows users. This little over-achiever delivers three different forms of malware, AveMariaRAT, BitRAT and the PandoraHVNC trojan malware. BitRAT is particularly nasty, as it can take full control of infected Windows systems, including the ability to view through the webcam and listen through the microphone

From BleepingComputer.com:
A fake Pixelmon NFT site entices fans with free tokens and collectibles, but what they really get is a chunk of malware that steals their crypto wallets. They’ve done a credible job of replicating the actual website, but use a .pw url instead of the actual .club. Details in the article.

And last today, from ZDNet.com
Microsoft has warned that a new variant of the Sysrv botnet is targeting a critical flaw in the Spring Framework to install crypto miners on Linux and Windows systems. The flaw being exploited affects VMware's Spring Cloud Gateway and Oracle's Communications Cloud Native Core Network Exposure Function. It was given a critical rating by both firms.

That’s all for me today. Remember to LIKE and SUBSCRIBE. And as always, until next time, be safe out there.

A daily look at the relevant information security news from overnight.

Episode 238 - 13 May 2022

REvil killer - https://portswigger.net/daily-swig/researcher-stops-revil-ransomware-in-its-tracks-with-dll-hijacking-exploit

Tricky phish -
https://www.bleepingcomputer.com/news/security/iranian-hackers-exposed-in-a-highly-targeted-espionage-campaign/

Zyxel flaw - https://www.securityweek.com/critical-vulnerability-allows-remote-hacking-zyxel-firewalls

InHand out of hand - https://www.securityweek.com/critical-vulnerabilities-provide-root-access-inhand-industrial-routers

Top Aces locked- https://therecord.media/top-aces-ransomware-attack-lockbit/

Hi, I’m Paul Torgersen. It’s Friday the 13th of May, 2022, and this is a look at the information security news from overnight.

From PortSwigger.net:
John Page at Malvuln.com has discovered a vulnerability in the REvil ransomware that can be exploited to deactivate the malware before it encrypts any files. REvil searches for and executes DLLs in the directory where it is located. By hijacking a vulnerable DLL and executing specially crafted code, he was able to stop and terminate REvil before it started encrypting. Details, including a proof of concept, in the article.

From BleepingComputer.com:
Threat analysts have spotted a novel attack attributed to the Iranian hacking group APT34 or Oilrig, targeting Jordanian diplomats with custom-crafted tools. The spear-phishing email has an Excel attachment that contains VBA macro code to load a malicious executable, a configuration file, and a signed and clean DLL. It also checks for the existence of a mouse, which if you are playing in a sandbox, may not be there.

From SecurityWeek.com:
Thousands of Zyxel firewalls could be vulnerable to remote attacks which affect ATP, VPN and USG FLEX series firewalls. The vulnerability can be exploited by a remote, unauthenticated attacker for arbitrary code execution as the “nobody” user. The company has already released a fix. Details in the article.

Also from SecurityWeek.com:
A total of 17 vulnerabilities have been found in the InHand Networks wireless industrial routers which could be exploited to gain root access. The weaknesses affect IR302 version 3.5.37 and prior. If that is you, make sure to update to version 3.5.45. Get your patch on kids.

And last today, from TheRecord.media:
Top Aces, a Canadian company that supplies fighter jets for airborne training exercises has been hit with a ransomware attack. The company works extensively with the armed forces of Canada, Germany, United States, Israel and others. The LockBit ransomware group gave Top Aces a deadline of May 15 before it leaks the 44GB of data it allegedly stole.

That’s all for me today. Remember to LIKE and SUBSCRIBE. And as always, until next time, be safe out there.

A daily look at the relevant information security news from overnight.

Episode 237 - 12 May 2022

HP broken BIOS - https://www.bleepingcomputer.com/news/security/hp-fixes-bug-letting-attackers-overwrite-firmware-in-over-200-models/

New Nerbian -
https://threatpost.com/nerbian-rat-advanced-trick/179600/

Bitter at Bangladesh - https://www.bleepingcomputer.com/news/security/bitter-cyberspies-target-south-asian-govts-with-new-malware/

Fake Vanity - https://portswigger.net/daily-swig/box-zoom-google-docs-offer-phishing-boost-with-vanity-url-flaws

Konica cure- https://www.securityweek.com/konica-minolta-printers-vulnerable-hacking-physical-access

Hi, I’m Paul Torgersen. It’s Thursday May 12th, 2022, and this is a look at the information security news from overnight.

From BleepingComputer.com:
HP has released BIOS updates to fix two 8.8 severity vulnerabilities that would allow code to run with Kernel privileges, and affects over 200 PC and notebook products. The problem appears to be that an SMI handler can be triggered from the OS environment. You can see the details and a couple important links in the article.

From ThreatPost.com:
A newly discovered and complex remote access trojan dubbed Nerbian RAT, is spreading via malicious email campaigns using COVID-19 as a lure. This multi-feature baddie, including the ability to evade analysis or detection by researchers. The majority of the attacks have been centered in Spain and the United Kingdom.

From BleepingComputer.com:
APT cyberespionage group Bitter has been found targeting the government of Bangladesh with a new malware with remote file execution capabilities. These messages are sent via spoofed email addresses that appear to come from Pakistani government organizations. This was likely possible by exploiting a flaw in the Zimbra mail server that allows attackers to send messages from a non-existent mail domain. Full details from the Talos research in the article.

From PortSwigger.net:
Threat actors are enhancing their phishing campaigns by exploiting a failure to validate subdomains within so-called ‘vanity URLs’ used in SaaS applications. Apps such as Box, Zoom, and Google Docs validate vanity URLs’ URI (the unique sequence of characters at the end of the link), but not its descriptive subdomain, which is the portion preceding the URI.

And last today, from SecurityWeek.com:
Hundreds of thousands of Konica printers are vulnerable to hacking via ​​physical access. The vendor produced firmware and operating system patches in early 2020, but details are only being disclosed now because in many cases the patches need to be manually installed by a service technician. That was a bit tough in the midst of the Covid shutdowns.

That’s all for me today. Remember to LIKE and SUBSCRIBE. And as always, until next time, be safe out there.

A daily look at the relevant information security news from overnight.

Episode 236 - 11 May 2022

Windows zero-days patched - https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-new-ntlm-relay-zero-day-in-all-windows-versions/

Intel bad memory -
https://threatpost.com/intel-memory-bug-poses-risk-for-hundreds-of-products/179595/

Siemens and Schneider patches - https://www.securityweek.com/ics-patch-tuesday-siemens-schneider-electric-address-43-vulnerabilities

IceApple bites - https://www.bleepingcomputer.com/news/security/new-iceapple-exploit-toolset-deployed-on-microsoft-exchange-servers/

Adobe patches -
https://www.securityweek.com/adobe-warns-critical-security-flaws-enterprise-products

@ phishing- https://threatpost.com/novel-phishing-trick-uses-weird-links-to-bypass-spam-filters/179587/
Hi, I’m Paul Torgersen. It’s Wednesday May 11th, 2022, and this is a look at the information security news from overnight.

From BleepingComputer.com:
Microsoft has patched 75 flaws on Mays’ Patch Tuesday including an actively exploited Windows LSA spoofing zero-day that attackers can exploit remotely to force domain controllers to authenticate them via the Windows NT LAN Manager. This particular bug affects all Windows versions from Windows 7 and Windows Server 2008 through Windows 11 and Windows 2022. Two other zero-days were also addressed in the update.



From ThreatPost.com:
Intel is reporting a memory bug impacting microprocessor firmware used in hundreds of products. The vulnerability resides inside some of the Intel Optane SSD and Intel Optane Data Center products, which allows privilege escalation, denial of service, or information disclosure. Details in the article.

From SecurityWeek.com:
Schneider Electric has released three advisories to inform customers about eight vulnerabilities, and Siemens has released 12 advisories covering 35 vulnerabilities, including one with a critical severity rating. Details and links to the advisory statements in the article.

From BleepingComputer.com:
CrowdStrike researchers have found a new post-exploitation framework that they dubbed IceApple, deployed mainly on Microsoft Exchange servers across a wide geography. This stealthy little framework is .NET-based and comes with at least 18 modules, each for a specific task, that help the attacker discover relevant machines on the network, steal credentials, delete files and directories, or exfiltrate data. Details and a link to download the CrowdStrike report in the article.

From SecurityWeek.com:
Adobe used this Patch Tuesday to cover at least 18 serious security defects in multiple enterprise-facing products and warned that unpatched systems are at risk of remote code execution attacks. Link to the advisory in the article, and in what has become a bit of a theme today, get your patch on kids.



And last today, from ThreatPost.com:
Researchers have identified a never-before-seen method for sneaking malicious links into phishing emails. The trick takes advantage of a key...

A daily look at the relevant information security news from overnight.

Episode 235 - 07 May 2022

Putin pwned - https://www.bleepingcomputer.com/news/security/hackers-display-blood-is-on-your-hands-on-russian-tv-take-down-rutube/

EU Points finger -
https://www.securityweek.com/eu-blames-russia-satellite-hack-ahead-ukraine-invasion

Chemical phish - https://www.bleepingcomputer.com/news/security/ukraine-warns-of-chemical-attack-phishing-pushing-stealer-malware/

Azure RCE - https://www.bleepingcomputer.com/news/security/microsoft-releases-fixes-for-azure-flaw-allowing-rce-attacks/

NCF counter attack- https://www.zdnet.com/article/government-hackers-made-hundreds-of-thousands-of-stolen-credit-cards-worthless-to-crooks/

Hi, I’m Paul Torgersen. It’s Tuesday May 10th, 2022, and this is a look at the information security news from overnight.

From BleepingComputer.com:
While Russian President Vladimir Putin was giving his "Victory Day" speech, pro-Ukrainian hacking groups defaced the online Russian TV schedule page to display anti-war messages. The name of every programme was changed to "On your hands is the blood of thousands of Ukrainians and their hundreds of murdered children. TV and the authorities are lying. No to war” At the same time, a cyberattack took down the Russian video sharing site RuTube. More details in the link.

From SecurityWeek.com:
The European Union this week accused Russian authorities of carrying out a cyberattack against a satellite network an hour before they invaded Ukraine. The target was the KA-SAT network operated by Viasat. This is significant as it marks the first time the EU has ever formally accused Russia of carrying out a cyber attack.

From BleepingComputer.com:
Ukraine's Computer Emergency Response Team is warning of the mass phishing campaign distributing the Jester Stealer malware. The emails warn of impending chemical attacks to scare recipients into opening the XLS attachments, which are of course laced with malicious macros. Additional details in the article.

Also from BleepingComputer.com:
Microsoft has released updates to address a security flaw affecting Azure Synapse and Azure Data Factory pipelines that could allow remote code execution across the Integration Runtime infrastructure. The vulnerability was found in the third-party ODBC data connector used to connect to Amazon Redshift, in Integration Runtime, in Azure Synapse Pipelines, and Azure Data Factory. Details and a link to the security advisory in the article.

And last today, from ZDNet.com:
From the One for the Good Guys file. Britain's National Cyber Force, which is a joint effort using the combined resources of the GCHQ and the Ministry of Defence, took direct action against computer networks used by cyber criminals, and made hundreds of thousands of stolen credit cards, worthless to the crooks that stole them. Well done you.

That’s all for me today. Remember to LIKE and SUBSCRIBE. And as always, until next time, be safe out there.

Episode 235 - 07 May 2022

IKEA breach - https://www.infosecurity-magazine.com/news/data-breach-ikea-canada/

Agco attack -
https://www.securityweek.com/ransomware-attack-hits-production-facilities-agricultural-equipment-giant-agco

DCRat upgrade - https://www.zdnet.com/article/beware-this-cheap-and-homemade-malware-is-surprisingly-effective/

Trend Micro miss - https://www.bleepingcomputer.com/news/security/trend-micro-antivirus-modified-windows-registry-by-mistake-how-to-fix/

BIG-IP PoC- https://portswigger.net/daily-swig/big-ip-proof-of-concept-released-for-rce-vulnerability-in-f5-network-management-tool

Hi, I’m Paul Torgersen. It’s Monday May 9th, 2022, and this is a look at the information security news from overnight.

From Infosecurity-Magazine.com:
IKEA has notified the Canadian government about a data breach involving the personal information of about 95,000 customers. The company said that no financial or banking information was involved. How and why the data got out is not known. IKEA says there is no action required by their customers at this time.

From SecurityWeek.com:
Agco announced that it has been the victim of a ransomware attack that impacted some of its production facilities. The company has launched an investigation but says it will be at least several days before they can repair their systems and return operations to normal. No word yet on the threat actor or the malware strain involved.

From ZDNet.com:
The DCRat backdoor malware has been redesigned and relaunched, and it is quite the little Swiss Army knife. It can steal a variety of information, take screenshots, clipboard contents, even has a keylogger. But the two really amazing things? This baby was developed and maintained by one person, not a big syndicate. And you can buy it on the dark web for about $5 bucks.

From BleepingComputer.com:
Trend Micro antivirus has fixed a false positive affecting its Apex One endpoint security solution that caused Microsoft Edge updates to be tagged as malware and the Windows registry to be incorrectly modified. Trend Micro says they have updated the pattern to alleviate the problem, and also published a work around in case the pattern fix didn’t. Details in the article.

And last today, from PortSwigger.net:
We talked last week about the critical vulnerability in F5’s BIG-IP networking software. Well, now a proof-of-concept has been released. If you are one of the more than 35,000 companies using this network management software, get your updates taken care of. And App developers using BIG-IP services should immediately take steps to mitigate the vulnerability until the patch is installed.

That’s all for me today. Remember to LIKE and SUBSCRIBE. And as always, until next time, be safe out there.

A daily look at the relevant information security news from overnight.

Episode 234 - 06 May 2022

Thumbs suck - https://threatpost.com/usb-malware-targets-windows-installer/179521/

New NetDooka -
https://www.bleepingcomputer.com/news/security/new-netdooka-malware-spreads-via-poisoned-search-results/

CT swipe - https://portswigger.net/daily-swig/wordpress-sites-getting-hacked-within-seconds-of-tls-certificates-being-issued

Android updates - https://www.bleepingcomputer.com/news/security/google-fixes-actively-exploited-android-kernel-vulnerability/

And. And. It’s gone- https://www.zdnet.com/article/weird-bug-made-google-docs-crash-if-you-typed-one-word-five-times/

Hi, I’m Paul Torgersen. It’s Friday May 6th, 2022, and this is a look at the information security news from overnight.

From ThreatPost.com:
A new wormable malware called Raspberry Robin has been active since this past September and is delivered onto Windows machines through USB drives. Do people still do that? Remember when you used to go to a conference, and vendors would hand out thumb drives? Then people would go home and actually stick them into their computer? Don’t do that. There is more information in the article, but the answer is: don’t do that.

From BleepingComputer.com:
A new malware framework known as NetDooka has been discovered being distributed through the PrivateLoader pay-per-install malware distribution service. The framework features a loader, a dropper, a protection driver, and a powerful RAT component that relies on a custom network communication protocol. Researchers at TrendMicro warn that, while the tool is still in an early development phase, it is already very capable. Link to the research in the article.

From PortSwigger.com:
Attackers are abusing the Certificate Transparency system to compromise new WordPress sites in the brief window after web admins upload the WordPress files, but before they manage to secure the website with a password. Hackers are evidently monitoring the CT logs because sites are being hacked within minutes, sometimes seconds, of TLS certificates being requested. You know where to find the details.

From BleepingComputer.com:
Google has released the second part of their May security patch for Android, including a fix for an actively exploited Linux kernel vulnerability. Do note that if you are using Android 9 or older, this patch does not apply to you and you really should upgrade to a more recent Android OS. Also, if you have a Google Pixel, you have some additional patching to do. Get your patch on kids.

And last today, from ZDNet.com:
An obscure bug is making Google Docs crash after users typed in a simple, repeated word pattern. If you type the word and, with a capital A, and a period and space after it, five times in a row, it would crash your doc. And any attempts to reopen the doc would retrigger the crash. And “and” isn’t the only word that triggers this, but not ALL words trigger it. It appears that Google has now fixed the bug, but, but, but but, but beware.

That’s all for me today. Remember to LIKE and SUBSCRIBE. And as always, until next time, be safe out there.

A daily look at the relevant information security news from overnight.

Episode 233 - 055 May 2022

Cyberpunk Ape caper - https://www.bleepingcomputer.com/news/security/pixiv-deviantart-artists-hit-by-nft-job-offers-pushing-malware/

Windows log trojan -
https://www.securityweek.com/kaspersky-warns-fileless-malware-hidden-windows-event-logs

F5 RCE bug - https://threatpost.com/f5-critical-bugbig-ip-systems/179514/

More Cisco bugs - https://www.zdnet.com/article/vm-escape-and-root-access-bugs-fixed-in-cisco-nfv-infrastructure-software/

NHS phish- https://www.bleepingcomputer.com/news/security/attackers-hijack-uk-nhs-email-accounts-to-steal-microsoft-logins/

A daily look at the relevant information security news from overnight.

Episode 232 - 04 May 2022

Sixt sacked - https://www.securityweek.com/cyberattack-causes-disruptions-car-rental-giant-sixt

Twitter phish -
https://www.bleepingcomputer.com/news/security/new-phishing-warns-your-verified-twitter-account-may-be-at-risk/

ERP Spyder - https://www.zdnet.com/article/chinese-hackers-use-rarely-seen-windows-mechanism-abuse-in-campaign-undetected-for-years/

Chrome zero two - https://www.bollyinside.com/news/problems-with-google-a-chrome-update-has-been-released-to-address-a-rare-zero-day-vulnerability

Avaya Aruba a warning- https://www.theregister.com/2022/05/03/aruba_avaya_critical_vulns/?td=rt-3a