Cyber-ketju: verkkovakoilu,kännyköiden ja wlanien seuranta, hakkerointi, virukset, DoS etc

[ctg]

Microsoft has warned of yet another vulnerability that’s been discovered in its Windows Print Spooler that can allow attackers to elevate privilege to gain full user rights to a system. The advisory comes on the heels of patching two other remote code-execution (RCE) bugs found in the print service that collectively became known as PrintNightmare.

The company released the advisory late Thursday for the latest bug, a Windows Print Spooler elevation-of-privilege vulnerability tracked as CVE-2021-34481. Microsoft credited Dragos vulnerability researcher Jacob Baines for identifying the issue.

The vulnerability “exists when the Windows Print Spooler service improperly performs privileged file operations,” according to Microsoft.

Microsoft: New Unpatched Bug in Windows Print Spooler

Another vulnerability separate from PrintNightmare allows for local elevation of privilege and system takeover.

threatpost.com

MS Spooler. Ongelmat sen kanssa vain jatkuu vaikka ne on olleet olemassa lähes kolme vuosikymmentä. Ehkä se vaatii kokonaan uudelleen kirjoittamisen, sillä verkko spooler on yksi porteista jotka on automaagisesti skannaus listalla. Hardening tip niille jotka eivät tiedä, disable MS spooler service listalta jos teillä ei ole printteriä. Jos tarvetta tulee niin sen voi kääntää takaisin päälle.

 

[ctg]

The US government blamed the Chinese government on Monday for attacks on thousands of Microsoft Exchange servers.

China's Ministry of State Security (MSS) "has fostered an ecosystem of criminal contract hackers who carry out both state-sponsored activities and cybercrime for their own financial gain," US Secretary of State Antony Blinken said in a statement that blamed the MSS for the Microsoft Exchange hacks. The US government and its allies "formally confirmed that cyber actors affiliated with the MSS exploited vulnerabilities in Microsoft Exchange Server in a massive cyber espionage operation that indiscriminately compromised thousands of computers and networks, mostly belonging to private sector victims," Blinken said.

Blinken's statement was released alongside a Justice Department announcement that three MSS officers and one other Chinese national were indicted by a federal grand jury on charges related to a different series of hacks into the "computer systems of dozens of victim companies, universities, and government entities in the United States and abroad between 2011 and 2018." Blinken said that the US "and countries around the world are holding the People's Republic of China (PRC) accountable for its pattern of irresponsible, disruptive, and destabilizing behavior in cyberspace, which poses a major threat to our economic and national security."

The US did not announce any new sanctions against China, but Blinken said the indictment is evidence that "the United States will impose consequences on PRC malicious cyber actors for their irresponsible behavior in cyberspace."

US warns China over state-sponsored hacking, citing mass attacks on Exchange

US: Chinese state-backed hackers perpetrated “massive cyber espionage operation.”…

arstechnica.com

 

[magitsu]

Ranskan ympäristöminsteriä oli ilmeisesti myös vakoiltu NSO Groupin tuotteella.

French minister’s phone shows traces linked to NSO spyware

Former environment minister François de Rugy ‘astonished’ by forensics discovery after he appeared on leaked database

www.theguardian.com

 

[magitsu]

Suomi on ollut NSO:n myyntitoimenpiteiden kohteena. Lyhennelmä sivun 199 Suomi-annista.

This Is How They Tell Me the World Ends By Nicole Perlroth - (PDF/READ)

(PDF/READ) This Is How They Tell Me the World Ends By Nicole Perlroth (PDF/READ) This Is How They Tell Me the World Ends: The Cyberweapons Arms Race By Nicole Perlroth “Part John le Carré and more parts Michael Crichton . . . spellbinding.” –The New Yorker From The New York Times cybersecurity...

www.pdfread.net

 

[ctg]

China state hackers are compromising large numbers of home and office routers for use in a vast and ongoing attack against organizations in France, authorities from that county said.

The hacking group—known in security circles as APT31, Zirconium, Panda, and other names—has historically conducted espionage campaigns targeting government, financial, aerospace and defense organizations as well as businesses in the technology, construction, engineering, telecommunications, media, and insurance industries, security firm FireEye has said. APT31 is also one of three hacker groups sponsored by the Chinese government that participated in a recent hacking spree of Microsoft Exchange servers, the UK’s National Cyber Security Center said on Monday.

Home and office routers come under attack by China state hackers, France warns

Compromised routers give the hackers anonymity in ongoing large-scale attacks.

arstechnica.com

 

[ctg]

The software company at the center of a huge ransomware attack this month has obtained a universal key to unlock files of the hundreds of businesses and public organizations crippled by the hack.

Nineteen days after the initial attack over the Fourth of July weekend, the Florida-based IT management provider, Kaseya, has received the universal key that can unlock the scrambled data of all the attack’s victims, bringing the worst of the fallout to a close.

The so-called supply-chain attack on Kaseya is being labeled the worst ransomware attack to date because it spread through software that companies, known as managed service providers, use to administer multiple customer networks, delivering software updates and security patches.

It affected 800 to 2,000 businesses and organizations – including supermarkets in Sweden and schools in New Zealand whose systems were frozen for days.

News of the key comes after the Russia-linked criminal syndicate that supplied the malware, REvil, disappeared from the internet on 13 July.

The group had asked for $50m to $70m for a master key that would unlock all infections. It is not clear how many victims may have paid ransoms before REvil went dark.

A Kaseya spokesperson, Dana Liedholm, would not say on Thursday how the key had been obtained or whether a ransom had been paid. She said only that it had come from a “trusted third party” and that Kaseya was distributing it to all victims. The cybersecurity firm Emsisoft confirmed that the key worked and was providing support.

Tech firm hit by giant ransomware hack gets key to unlock victims’ data

Kaseya’s universal key can free the files of hundreds of organizations, ending the worst of the attack’s fallout

www.theguardian.com

 

[ctg]

In the paper, the authors lay out a playbook for how a hacker might design a malware-loaded machine learning model and have it spread in the wild:

"First, the attacker needs to design the neural network. To ensure more malware can be embedded, the attacker can introduce more neurons. Then the attacker needs to train the network with the prepared dataset to get a well-performed model. If there are suitable well-trained models, the attacker can choose to use the existing models. After that, the attacker selects the best layer and embeds the malware. After embedding malware, the attacker needs to evaluate the model’s performance to ensure the loss is acceptable. If the loss on the model is beyond an acceptable range, the attacker needs to retrain the model with the dataset to gain higher performance. Once the model is prepared, the attacker can publish it on public repositories or other places using methods like supply chain pollution, etc."

Researchers Hid Malware Inside an AI’s ‘Neurons’ and It Worked Scarily Well

In a proof-of-concept, researchers reported they could embed malware in up to half of an AI model’s nodes and still obtain very high accuracy.

www.vice.com

 

[ctg]

The investigation has been based on forensic analysis of phones and analysis of a leaked database of 50,000 numbers, including that of Macron and those of heads of state and senior government, diplomatic and military officials, in 34 countries.

In multiple statements, NSO said the fact a number appeared on the leaked list was in no way indicative of whether it was selected for surveillance using Pegasus. “The list is not a list of Pegasus targets or potential targets,” the company said. “The numbers in the list are not related to NSO Group in any way.”

But the list is believed to provide insights into those identified as persons of interest by NSO’s clients. It includes people whose phones showed traces of NSO’s signature phone-hacking spyware, Pegasus, according to forensic analysis of their devices. The analysis was conducted by Amnesty International’s security lab, which discovered traces of Pegasus-related activity on 37 out of 67 phones that it analysed.

Emmanuel Macron ‘pushes for Israeli inquiry’ into NSO spyware concerns

French president reportedly spoke to Naftali Bennett to ensure ‘proper investigation’ after Pegasus project

www.theguardian.com

Selkeesti NSO on valinnut linjansa, "Kukaan ei tehnyt mitään ja jos teki niin he eivät tehneet sitä meidän ohjauksessa. Se oli ne isot pojat. Ne pakotti. Oikeesti."

 

[ctg]

Malware authors are increasingly using rarely spotted programming languages such as Go, Rust, Nim and DLang in order to create new tools and to hinder analysis, researchers have found.

Use of those four languages is escalating in the number of malware families being identified, according to a report published on Monday by BlackBerry Research and Intelligence Team. The team chose those four languages to examine, partly because they fit its detection methodologies, but also since the languages have strong community backing and could be considered more developed.

“These uncommon programming languages are no longer as rarely used as once thought,” according to the writeup. “Threat actors have begun to adopt them to rewrite known malware families or create tools for new malware sets.”

Malware Makers Using ‘Exotic’ Programming Languages

Sprechen Sie Rust? Polyglot malware authors are increasingly using obscure programming languages to evade detection.

threatpost.com

 

[ctg]

Boffins in Finland have scanned the open-source software libraries in the Python Package Index, better known as PyPI, for security issues and found that nearly half contain potentially vulnerable code.

In a research paper distributed via ArXiv, Jukka Ruohonen, Kalle Hjerppe, and Kalle Rindell from the University of Turku describe how they subjected some 197,000 Python packages available through PyPI to a static analysis tool called Bandit and found more than 749,000 instances of insecure code.

"Even under the constraints imposed by static analysis, the results indicate [the] prevalence of security issues; at least one issue is present for about 46 per cent of the Python packages," the researchers said.

Of the issues identified, most (442,373) are low severity. About 227,426 are moderate severity, present in about 25 per cent of PyPI packages. And about 80,065 are high severity, present in about 11 per cent of PyPI packages.

Of the 46 per cent of packages with issues, the median number of problems is three. But a few packages were much worse than most.

About half of Python libraries in PyPI may have security issues, boffins say

Coding lingo's community says it has a plan to mitigate supply chain vulnerabilities, though

www.theregister.com

Ei hirvittävä yllätys. Koodi kirjastot menevät ysärille ja nyt vasta on herätty isosti niihin ongelmiin. Ehkä pitäisi suosiolla laittaa kaikki koodi alle 20 luvun legacy koodiksi, ja aloittaa uudestaan.

 

[ctg]

So much for darkened servers at the headquarters of DarkSide or REvil ransomware groups. Turns out, we’ve got either their rebranded versions or two new ransomware gangs to contend with.

The first new group to appear this month was Haron, and the second is named BlackMatter. As Ars Technica‘s Dan Goodin points out, there may be more still out there.

They’re both claiming to be focused on targets with deep pockets that can pay ransoms in the millions of dollars. They’re also virtue-signaling a la DarkSide, with similar language about sparing hospitals, critical infrastructure, nonprofits, etc.

BlackMatter & Haron: Evil Ransomware Newborns or Rebirths

They’re either new or old REvil & DarkSide wine in new bottles. Both have a taste for apex companies and DarkSide-esque virtue-signaling.

threatpost.com

Ransonwaretus tulee kiihtymään syksyn aikana. Biden varoitti kineettisestä operaatiosta. Saa nähdä mitä tapahtuu.

 

[ctg]

An attack earlier this month on Iran’s train system, which disrupted rail service and taunted Iran’s leadership via hacked public transit display screens, used a never-before-seen wiper malware called Meteor that appears to have been design for reuse, a security researcher has found.

The initial attack, dubbed MeteorExpress, occurred July 9, when “a wiper attack paralyzed the Iranian train system,” according to a report by Juan Andres Guerrero-Saade at Sentinel Systems.

That attack disrupted service and directed customers via all of the displays and message boards at the train station to call “64411”–the number for the office of Supreme Leader Ali Khamenei—for more information.

Novel Meteor Wiper Used in Attack that Crippled Iranian Train System

A July 9th attack disrupted service and taunted Iran’s leadership with hacked screens directing customers to call the phone of Iranian Supreme Leader Khamenei with complaints.

threatpost.com

“Batch files spawn other batch files, different RARarchives contain intermingled executables, and even the intended action is separated into three payloads: Meteor wipes the filesystem, mssetup.exe locks the user out, and nti.exe presumably corrupts the MBR,” Guerrero-Saade wrote.

The wiper also includes much more functionality that was not used in the Iranian train attack, he noted. It can: change passwords for all users; disable screensavers; terminate processes based on a list of target processes; install a screenlocker; disable recovery mode; changesboot policy error handling; create scheduled tasks; and log off local sessions, among other actions.

 

[ctg]

"Telcos are a prime target for nation-state espionage programs for various reasons, among them, the ability to collect information about the telco's subscribers," Assaf Dahan, senior director and head of threat research at Cybereason, told The Register. "Knowing the location of individuals, with whom they conversed or texted, can be key to facilitating cyber-espionage and to build profiles on a given list of targets.

"We identified hundreds of gigabytes of data exfiltrated from the environment during our investigation. The threat actors were after high value targets, including business leaders, government officials, politicians, political activists, law enforcement officials, human rights activists, and anyone the Chinese government feels is of interest."

Perhaps the most surprising – and concerning – finding in the report: the intruders were operating in some of the systems for years, in one case all the way back to 2017. As to how they could stay undetected for so long: "It's not an easy question to answer," Dahan told us. "However, I'll provide possible explanations.

"First, the groups involved in these intrusions are considered top-tier APT [Advanced Persistent Threat] groups, known for their sophistication, advanced techniques, and stealth. One of their main goals was to maintain access inside the telcos' networks and to remain under-the-radar for as long as possible and the APT groups invest heavily in efforts to cover their tracks.

"Second, each organisation has its own security posture, relying on different security measures and tools put in place to protect the network," Dahan continued. "Not all security tools are born equal, and unfortunately, traditional security tools can often miss sophisticated attacks. Third, even the best security solution needs to be operated by humans at the end of the day – and humans can make mistakes."

Research finds cyber-snoops working for 'Chinese state interests' lurking in SE Asian telco networks since 2017

Handy way to keep tabs on 'activists, politicians, business leaders, and more'

www.theregister.com

 

[ctg]

Let’s say you’re a large company that has just shipped an employee a brand-new replacement laptop. And let’s say it comes preconfigured to use all the latest, best security practices, including full-disk encryption using a trusted platform module, password-protected BIOS settings, UEFI SecureBoot, and virtually all other recommendations from the National Security Agency and NIST for locking down federal computer systems. And let’s say an attacker manages to intercept the machine. Can the attacker use it to hack your network?

Research published last week shows that the answer is a resounding "yes." Not only that, but a hacker who has done her homework needs a surprisingly short stretch of time alone with the machine to carry out the attack. With that, the hacker can gain the ability to write not only to the stolen laptop but to the fortified network it was configured to connect to.

Researchers at the security consultancy Dolos Group, hired to test the security of one client’s network, received a new Lenovo computer preconfigured to use the standard security stack for the organization. They received no test credentials, configuration details, or other information about the machine. An analysis of the BIOS settings, boot operation, and hardware quickly revealed that the security measures in place were going to preclude the usual hacks, including:

• pcileech/DMA attacks because Intel’s VT-d BIOS protection was enabled
• Authentication bypasses using tools such as Kon-boot
• Use of tools such as LAN turtle and Responder to exfiltrate data from USB ethernet adapters

Trusted platform module security defeated in 30 minutes, no soldering required

Sometimes, locking down a laptop with the latest defenses isn’t enough.

arstechnica.com

 

[ctg]

Russia has put forward a draft convention to the United Nations ostensibly to fight cyber-crime.

The proposal, titled "United Nations Convention on Countering the Use of Information and Communications Technologies for Criminal Purposes," [PDF] calls for member states to develop domestic laws to punish a far broader set of offenses than current international rules recognize.

Russia, the ransomware hotbed whose cyber-spies were blamed for attacking US and allied networks, did not join the 2001 Budapest Convention on Cybercrime because it allowed cross-border operations, which it considers a threat to national sovereignty.

Russian media outlet Tass also said the 2001 rules are flawed because they only criminalize nine types of cyber offenses. The new draft convention from Russia, submitted last week, defines 23 cybercrimes for discussion.

Russia's proposed rule expansion, for example, calls for domestic laws to criminalize changing digital information without permission – "the intentional unauthorized interference with digital information by damaging, deleting, altering, blocking, modifying it, or copying of digital information."

The draft also directs members states to formulate domestic laws to disallow unsanctioned malware research – "the intentional creation, including adaptation, use and distribution of malicious software intended for the unauthorized destruction, blocking, modification, copying, dissemination of digital information, or neutralization of its security features, except for lawful research."

It would forbid "the creation and use of digital data to mislead the user," such as deep fakes – "the intentional unlawful creation and use of digital data capable of being mistaken for data already known and trusted by a user that causes substantial harm."

The proposal also contemplates a broader basis for extradition by stating that, where allowed by domestic law, the listed cybercrimes should not be considered "political offenses" (mostly exempt from extradition under current international conventions).

Russia tells UN it wants vast expansion of cybercrime offenses, plus network backdoors, online censorship

And said entirely with a straight face, too

www.theregister.com

 

[ctg]

Taiwanese chip designer Realtek has warned of four vulnerabilities in three SDKs accompanying its Wi-Fi modules, which are used in almost 200 products made by more than five dozen vendors.

The flaws allow a remote, unauthenticated attacker to deny service, crash devices, and inject arbitrary commands, the advisory states [PDF]:

• CVE-2021-35392, Wi-Fi Simple Config stack buffer overflow via UPnP
• CVE-2021-35393, Wi-Fi Simple Config heap buffer overflow via SSDP
• CVE-2021-35394, MP Daemon diagnostic tool command injection
• CVE-2021-35395, management web interface multiple vulnerabilities

The first two are rated high in terms of severity (8.1 on the CVSS scale); the second two are rated critical severity (9.8). These flaws require an attacker to be on the same network as the device, or be able to reach it over the internet, to achieve successful exploitation. As such, these bugs are likely to be abused by malware on someone's PC to hijack their cable internet router and smart home gear; by miscreants to commandeer public Wi-Fi spots; and so on.

Security firm IoT Inspector, based in Bad Homburg, Germany, disclosed the vulnerabilities to Realtek in May, and said more than 65 hardware makers' products incorporate the Realtek RTL819xD module, which implements wireless access point functions and includes one of the vulnerable SDKs.

"By exploiting these vulnerabilities, remote unauthenticated attackers can fully compromise the target device and execute arbitrary code with the highest level of privilege," the biz said in its advisory, estimating – conservatively, we think – that almost a million vulnerable devices may be in use, including VoIP and wireless routers, repeaters, IP cameras, and smart lighting controls.

Remote code execution flaws lurk in countless routers, IoT gear, cameras using Realtek Wi-Fi module SDKs

Devices from 60+ manufacturers affected, says infosec outfit

www.theregister.com

No voi kyrpä RealTek tuotteita on joka puolella. Odotettavissa tietomurtoja jne

 

[ctg]

In an award-winning paper today, academics said they discovered a way to abuse the TCP protocol, firewalls, and other network middleboxes to launch giant distributed denial of service (DDoS) attacks against any target on the internet.

Authored by computer scientists from the University of Maryland and the University of Colorado Boulder, the research is the first of its kind to describe a method to carry out DDoS reflective amplification attacks via the TCP protocol, previously thought to be unusable for such operations.

Making matters worse, researchers said the amplification factor for these TCP-based attacks is also far larger than UDP protocols, making TCP protocol abuse one of the most dangerous forms of carrying out a DDoS attack known to date and very likely to be abused in the future.

The flaw they found was in the design of middleboxes, which are equipment installed inside large organizations that inspect network traffic.

Middleboxes usually include the likes of firewalls, network address translators (NATs), load balancers, and deep packet inspection (DPI) systems.

The research team said they found that instead of trying to replicate the entire three-way handshake in a TCP connection, they could send a combination of non-standard packet sequences to the middlebox that would trick it into thinking the TCP handshake has finished and allow it to process the connection.

Under normal circumstances, this wouldn’t be an issue, but if the attacker tried to access a forbidden website, then the middlebox would respond with a “block page,” which would typically be much larger than the initial packet—hence an amplification effect.

Following extensive experiments that began last year, the research team said that the best TCP DDoS vectors appeared to be websites typically blocked by nation-state censorship systems or by enterprise policies.

Attackers would send a malformed sequence of TCP packets to a middlebox (firewall, DPI box, etc.) that tried to connect to pornography or gambling sites, and the middlebox would reply with an HTML block page that it would send to victims that wouldn’t even reside on their internal networks—thanks to IP spoofing.

Firewalls and middleboxes can be weaponized for gigantic DDoS attacks

In an award-winning paper today, academics said they discovered a way to abuse the TCP protocol, firewalls, and other network middleboxes to launch giant distributed denial of service (DDoS) attacks against any target on the internet.

therecord.media

Many of these systems work with huge traffic loads and are sometimes misconfigured with traffic loops that send the same malformed TCP packet multiple times through the same or other middleboxes, effectively allowing for infinite-loop DDoS attacks. Researchers said such situations were common in the censorship systems employed by China and Russia.

 

[notareal]

BlackBerry resisted announcing major flaw in software powering cars, hospital equipment

The former smartphone maker turned software firm resisted announcing a major vulnerability until after federal officials stepped in.

www.politico.com

 

[ctg]

 

[notareal]

Mitäs suotta vakoilemaan, kun satamäärin porukkaa luovuttaa tietonsa pyytämällä ja itkee vielä perään, kun joku sanoo rumasti - mokasit.

Sähköposti-isku Oulun yliopistoon, 900 salasanaa vääriin käsiin – ylläpidolta uhreille käsittämätön viesti

Kaapattuja tilejä ehdittiin käyttää uusien kalasteluviestien lähettämiseen. Opiskelijoille lähetetyssä tiedotteessa tunnusten lukkiutumisen sanottiin johtuvan heidän omasta toiminnastaan.

www.is.fi