The mobile app that all attendees and athletes of the upcoming Beijing Winter Olympics must use to manage communications and documentation at the event has a “devastating” flaw in the way it encrypts data, one that can allow man-in-the-middle attacks to access sensitive user information, researchers have found. MY2022 is an app mandated for use by all attendees – including members of the press and athletes – of the 2022 Olympic Games in Beijing. The problem is, it poses a significant security risk because the encryption used to protect users’ voice audio and file transfers “can be trivially sidestepped” due to two vulnerabilities in how it handles data transport, according to a blog post from Citizen Lab published online Tuesday. Additionally, “server responses can also be spoofed, allowing an attacker to display fake instructions to users,” Citizen Lab’s Jeffrey Knockel wrote in the post. MY2022 collects information such as health customs forms that transmit passport details, demographic information, and medical and travel history, all of which are exposed by the flaw, he said. It is also not clear with whom or with which organizations this information is shared. MY2022 also includes a feature that allows users to report “politically sensitive” content, as well as a censorship keyword list. While the latter is “presently inactive,” it targets a variety of political topics, including domestic issues such as Xinjiang and Tibet as well as references to Chinese government agencies, Knockel wrote….

A new phishing campaign is targeting aspiring government vendors with an invitation to bid on various fake federal projects with the U.S. Department of Labor. Emails branded to look like legitimate communications from the DoL contain malicious links that, rather than leading to a government procurement portal, harvest the credentials of anyone who attempts to log in, according to a new report from threat researchers at INKY. “In this campaign, the majority of phishing attempts had sender email addresses spoofed to look as if they came from no-reply@dol[.]gov, which is the real DoL site,” the INKY team wrote in a Wednesday report. “A small subset were spoofed to look as if they came from no-reply@dol[.]com, which is, of course, not the real DoL domain.” The remainder were sent by phishers from the lookalike domains dol-gov[.]com, dol-gov[.]us and bids-dolgov[.]us. The phishing lure emails claim that the DoL is soliciting bids for “ongoing government projects,” and include an attached .PDF file with government branding. The threat researchers said the efforts were “well-crafted.” “Click on the button below to access our website to bid,” the phishing email instructs. Once clicked, the link takes victims to various domains impersonating the DoL.

Copy & Paste Spoof of DoL Site

The malicious site was a copy-and-paste of the website styling code (both HTML and CSS) from the actual Department of Labor site, with the addition of a bright red link directing victims to a credential…

Here, have a can of soup. Nah, we don’t know what’s in it. Could be 30 percent insect parts, could be seasoned with rat hair, who can say? The ingredients keep changing anyway. Just pour it into your network and pray. That, unfortunately, is the current state of cybersecurity: a teeth-grinding situation in which supply-chain attacks force companies to sift through their software to find out where bugs are hiding before cyberattackers beat them to the punch. It’s a lot easier said than done. The problem has been underscored by the massive SolarWinds supply-chain attack and by organizations’ frustrating, ongoing hunt for the ubiquitous, much-exploited Log4j Apache logging library. The problem predates both, of course: In fact, it’s one of the “never got around to it, keep meaning to” issues that one security expert – Sophos principal security researcher Paul Ducklin – stuck an elbow in our ribs about when it came time for end-of-year coverage. “We’re awash in supply chain attacks, whether they’re caused by active and purposeful hacking into software providers to poison code on purpose (e.g. Kaseya), or by an inattentive and casual attitude to sucking software components into our own products and services without even being aware (e.g. Log4Shell),” Ducklin said. “For years, we’ve batted around the idea that computer software and cloud services ought to have a credible Bill of Materials that would make it easy to figure out which newsworthy bugs might apply to each and every…

It’s not my intention to be alarmist about the Log4j vulnerability (CVE-2021-44228), known as Log4Shell, but this one is pretty bad. First of all, Log4j is a ubiquitous logging library that is very widely used, running on millions of computers. Second, the director of the U.S. Cybersecurity & Infrastructure Security Agency (CISA) says this is the most serious vulnerability she has seen in a career spanning decades, and many security experts agree. Third, researchers say that cyberattackers are already exploiting the vulnerability hundreds of times _every minute_. The fact is, Log4Shell is relatively easy to exploit, so even low-skilled hackers can take advantage of it. OK, maybe it is time for alarm. Log4j is open-source software from the Apache Software Foundation. As explained by The Conversation, this logging library is widely used to record events such as routine system operations and errors, and to communicate diagnostic messages regarding those events. A feature in Log4j allows users of the software to specify custom code for formatting a log message. This feature also allows third-party servers to submit software code that can perform all kinds of actions – including malicious ones – on the targeted computer. The result of an exploit for the bug is that an attacker can control a targeted server remotely.

Attackers Took Early Advantage

Within weeks of discovery of the flaw in mid-December, it was already reported that nation-state actors linked to North Korea, China, Iran…

Organizations running sophisticated virtual networks with VMware’s vSphere service are actively being targeted by cryptojackers, who have figured out how to inject the XMRig commercial cryptominer into the environment undetected. Uptycs’ Siddharth Sharma has released research showing threat actors are using malicious shell scripts to make modifications and run the cryptominer on vSphere virtual networks. “Cryptojacking campaigns mostly target the systems having high-end resources,” Sharma pointed out. “In this campaign as we saw the attackers tried to register the XMRig miner itself as a service (daemon), which runs whenever the system gets rebooted.” To avoid detection, the script also downloads a user-mode rootkit from the command-and-control (C2) server, the report added. “The shell script also contains commands which download the miner, the config file and the user mode rootkit from the attacker’s web server,” the report explained. “The attackers used [the] wget utility to fetch the malicious components and chmod utility to make the components executable.” The report said the rootkit gets saved as “libload.so” and the script modifies vSphere to run the XMRig cryptominer. After the cryptominer is dropped, the script reloads the service to get the miner started, Sharma explained. The report also noted that the attacker’s wallet had been paid 8.942 XMR, or about $1,790 as of press time.

VMware Services Under Attack

VMware services have…

A new ransomware family, White Rabbit, chewed through a local U.S. bank last month — and it may be connected to the financially motivated advanced persistent threat (APT) group known as FIN8, researchers said. In a Tuesday report, Trend Micro researchers said that this twicky wabbit knows how to burrow away where it can’t be spotted. In fact, it looks like the operators behind the White Rabbit ransomware have taken a page from the more established ransomware family known as Egregor when it comes to hiding their malicious activity, researchers said. Egregor, which claimed responsibility for a well-publicized cyberattack on Barnes & Noble in October 2020, is a ransomware-as-a-service (RaaS) player that sparked an FBI warning after compromising more than 150 organizations in short order after its birth. White Rabbit may be sneaky, but it leaves tracks. The ransomware was spotted by multiple security outfits, and was first detected on Dec. 14 by the Lodestone Forensic Investigations team, which said that it had seen some White Rabbit activity a few days earlier, on Dec. 11. But the earliest stirrings date back to July 10, when a PowerShell script was executed – a script that held script blocks that matched those described in a July 27 Bitdefender article on FIN8. The Dec. 14 White Rabbit attack was also publicly disclosed on Twitter that same day by security researcher Michael Gillespie (@demonslay355). 🔒 #Ransomware Hunt: "White Rabbit" with extension ".scrypt", drops note…

A critical security vulnerability in the Zoho ManageEngine Desktop Central and Desktop Central MSP platforms could allow authentication bypass, the company has warned. The bug (CVE-2021-44757) could allow a remote user to “perform unauthorized actions in the server,” according to the company’s Monday security advisory. “If exploited, this vulnerability may allow an attacker to read unauthorized data or write an arbitrary .ZIP file on the server.” Zoho’s ManageEngine Desktop Central is a unified endpoint management (UEM) solution that lets IT admins manage servers, laptops, desktops, smartphones and tablets from a central location. Users can automate routines like installing patches, deploying software, and OS imaging and deployment, according to the company’s documentation. It can also be used to manage assets and software licenses, monitor software-usage statistics, manage USB device usage, take control of remote desktops, and more. On the mobile side, users can deploy profiles and policies; configure devices for Wi-Fi, VPNs, email accounts and so on; apply restrictions on application installs, camera usage and the browser; and manage security with passcodes and remote lock/wipe functionality. As such, the platform offers far-reaching access into the guts of an organization’s IT footprint, making for a potential information-disclosure nightmare in the case of an exploit. As well, the ability to install a .ZIP file paves the way for the installation of malware on all of the…

After a banner year for vulnerabilities and cyberattacks in 2021, organizations believe they are fighting a “losing battle” against security vulnerabilities and threats, “despite the billions of dollars spent collectively on cybersecurity technology,” according to an annual security report from Bugcrowd. This perception comes after 2021 found organizations grappling with the complexities of hybrid environments, with many corporate workers still at home due to the pandemic, plus an explosion of ransomware and the emergence of the supply chain as a major attack surface, according to the Priority One Report 2022. The collective feeling of defeat among security professionals, as well as a continued cybersecurity skills gap, with 2.7 million cybersecurity roles still to be filled, will “fuel an interest in more innovative and proactive approaches to security in 2022,” the report predicted. This will include turning to the global research community and its programs for bug bounties and vulnerability disclosure for help in uncovering and combating threats, researchers said. Bugcrowd provides a crowdsourced approach to managing organizations’ pen testing, bug bounty, vulnerability disclosure and attack-surface management. The 2022 report, which compiles data from the company’s activity over the year, highlights some of the top trends in the vulnerabilities that organizations reported in 2021 as well as the types of attacks that occurred most frequently.

Vulnerability Notes

Cross-site…

The Russian government said today it arrested 14 people accused of working for "REvil," a particularly aggressive ransomware group that has extorted hundreds of millions of dollars from victim organizations. The Russian Federal Security Service (FSB) said the actions were taken in response to a request from U.S. officials, but many experts believe the crackdown is part of an effort to reduce tensions over Russian President Vladimir Putin's decision to station 100,000 troops along the nation's border with Ukraine. The FSB said it arrested 14 REvil ransomware members, and searched more than two dozen addresses in Moscow, St. Petersburg, Leningrad and Lipetsk. As part of the raids, the FSB seized more than US$600,000, 426 million rubles (about US$5.5 million), 500,000 euros, and 20 "premium cars" purchased with funds obtained from cybercrime. "The search activities were based on the appeal of the US authorities, who reported on the leader of the criminal community and his involvement in encroaching on the information resources of foreign high-tech companies by introducing malicious software, encrypting information and extorting money for its decryption," the FSB said. "Representatives of the US competent authorities have been informed about the results of the operation." The FSB did not release the names of any of the individuals arrested, although a report from the Russian news agency TASS mentions two…

A top underground market for buying and selling stolen credit-card details, UniCC, has announced it’s shutting down operations. The site accounted for about 30 percent of carding scam business and, since it was launched in 2013, handled about $358 million in cryptocurrency transactions, according to the Elliptic Threat Intel team, which published the announcement from UniCC leadership. “Our team retires,” the UniCC leadership posted on underground carding sites in both English and Russian. “Don’t build any conspiracy theories about us leaving, it is (a) weighted decision, we are not young and our health do(es) not allow to (us) work like this any longer.” The post, signed “your Unicc Team,” gives users 10 days to spend their balances. “We ask you to be smart and not follow any fakes tied to our comeback and other things,” the notice concluded.

Carding Marketplace Shakeup

UniCC’s business was booming after the December 2020 takedown of Joker’s Stash, formerly the carding marketplace of choice. Elliptic noted that the overall market for stolen credit-card data last year topped $1.4 billion in Bitcoin alone. But in recent months, Elliptic pointed out, other underground marketplaces appear to be throwing in the towel. The White House Market announced it was shutting down in October; by November, Cannazon went dark. In December it was Torrez’ turn. By early January, Monopoly Market was unexpectedly inaccessible, the report added. The departures could be a reaction to…
