Cyber security aggregate rss news

Cyber security aggregator - feeds history

image for Red Cross Hack Linke ...

 Data Breaches

A network intrusion at the International Committee for the Red Cross (ICRC) in January led to the theft of personal information on more than 500,000 people receiving assistance from the group. KrebsOnSecurity has learned that the email address used by a cybercriminal actor who offered to sell the stolen ICRC data also   show more ...

was used to register multiple domain names the FBI says are tied to a sprawling media influence operation originating from Iran. On Jan. 19, the ICRC disclosed the compromise of servers hosting the personal information of more than 500,000 people receiving services from the Red Cross and Red Crescent Movement. The ICRC said the hacked servers contained data relating to the organization’s Restoring Family Links services, which works to reconnect people separated by war, violence, migration and other causes. The same day the ICRC went public with its breach, someone using the nickname “Sheriff” on the English-language cybercrime forum RaidForums advertised the sale of data from the Red Cross and Red Crescent Movement. Sheriff’s sales thread suggests the ICRC was asked to pay a ransom to guarantee the data wouldn’t be leaked or sold online. “Mr. Mardini, your words have been heard,” Sheriff wrote, posting a link to the Twitter profile of ICRC General Director Robert Mardini and urging forum members to tell him to check his email. “Check your email and send a figure you can pay.” RaidForums member “unindicted” aka Sheriff selling access to the International Red Cross and Red Crescent Movement data. Image: Ke-la.com In their online statement about the hack (updated on Feb. 7) the ICRC said it had not had any contact with the hackers, and no ransom demand had been made. “In line with our standing practice to engage with any actor who can facilitate or impede our humanitarian work, we are willing to communicate directly and confidentially with whoever may be responsible for this operation to impress upon them the need to respect our humanitarian action,” the ICRC statement reads. Asked to comment on Sheriff’s claims, the ICRC issued the following statement: “Right now, we do not have any conclusive evidence that this information from the data breach has been published or is being traded. Our cybersecurity team has looked into any reported allegation of data being available on the dark web.” Update, 2:00 p.m., ET: The ICRC just published an update to its FAQ on the breach. The ICRC now says the hackers broke in on Nov. 9, 2021, using an unpatched critical vulnerability (CVE-2021-40539). “This vulnerability allows malicious cyber actors to place web shells and conduct post-exploitation activities such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files. Once inside our network, the hackers were able to deploy offensive security tools which allowed them to disguise themselves as legitimate users or administrators. This in turn allowed them to access the data, despite this data being encrypted.” Original story: The email address that Sheriff used to register at RaidForums — kelvinmiddelkoop@hotmail.com — appears in an affidavit for a search warrant filed by the FBI roughly a year ago. That FBI warrant came on the heels of an investigation published by security firm FireEye, which examined an Iranian-based network of inauthentic news sites and social media accounts aimed at the United States., U.K. and other western audiences. “This operation is leveraging a network of inauthentic news sites and clusters of associated accounts across multiple social media platforms to promote political narratives in line with Iranian interests,” FireEye researchers wrote. “These narratives include anti-Saudi, anti-Israeli, and pro-Palestinian themes, as well as support for specific U.S. policies favorable to Iran.” The FBI says the domains registered by the email address tied to Sheriff’s RaidForums account were used in service of the Liberty Front Press, a network of phony news sites thought to originate from Iran. According to the FBI affidavit, the address kelvinmiddelkoop@hotmail.com was used to register at least three different domains for phony news sites, including awdnews[.]com, sachtimes[.]com, and whatsupic[.]com. A reverse WHOIS search on that email address at DomainTools.com (an advertiser on this site) shows it was used to register 17 domains between 2012 and 2021, including moslimyouthmedia[.]com, moslempress[.]com, and realneinovosti[.]net. A review of Sheriff’s postings to RaidForum reveals he has used two other nicknames since registering on the forum in December 2021: “Unindicted,” and “threat_actor.” In several posts, Sheriff taunts one FireEye employee by name. In a Jan. 3, 2022 post, Sheriff says their “team” is seeking licenses for the Cobalt Strike penetration testing tool, and that they’re prepared to pay $3,000 – $4,000 per license. Cobalt Strike is a legitimate security product that is sold only to vetted partners, but compromised or ill-gotten Cobalt Strike licenses frequently are used in the run-up to ransomware attacks. “We will buy constantly, make contact,” Sheriff advised. “Do not ask if we still need)) the team is interested in licenses indefinitely.” On Jan. 4, 2022, Sheriff tells RaidForums that their team is in need of access to a specific data broker platform, and offers to pay as much as $35,000 for that access. Sheriff says they will only accept offers that are guaranteed through the forum’s escrow account. The demand for escrow in a sales thread is almost universally a sign that someone means business and they are ready to transact on whatever was advertised or requested. That’s because escrow transactions necessarily force the buyer to make a deposit with the forum’s administrators before proceeding on any transaction. Sheriff appears to have been part of a group on RaidForums that offered to buy access to organizations that could be extorted with ransomware or threatened with the publication of stolen data (PDF screenshot from threat intelligence firm KELA). In a “scam report” filed against Sheriff by another RaidForums member on Dec. 31, 2021, the claimant says Sheriff bought access from them and agreed to pay 70 percent of any ransom paid by the victim organization. Instead, the claimant maintains, Sheriff only paid them roughly 25 percent. “The company pay $1.35 million ransom and only payment was made of $350k to me, so i ask for $600k to fix this dispute,” the affiliate wrote. In another post on RaidForums, a user aptly named “FBI Agent” advised other denizens to steer clear of Sheriff’s ransomware affiliate program, noting that transacting with this person could run afoul of sanctions from the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) that restrict commerce with people residing in Iran. “To make it clear, we don’t work with individuals under the OFAC sanctions list, which @Sheriff is under,” the ransomware affiliate program administrator wrote in reply. RaidForums says Sheriff was referred to the forum by Pompompurin, the same hacker who used a security hole in the FBI’s website last year to blast a phony alert about a cybercrime investigation to state and local authorities. Pompompurin has been quite active on RaidForums for the past few years, frequently posting databases from newly-hacked organizations, and selling access to stolen information. Reach via Twitter, Pompompurin said they had no idea who might have offered money and information on Sheriff, and that they would never “snitch” on Sheriff. “I know who he is but I’m not saying anything,” Pompompurin replied. The information about Sheriff was brought to my attention by an anonymous person who initially contacted KrebsOnSecurity saying they wanted to make a donation to the publication. When the person offering the gift asked if it was okay that the money came from a ransomware transaction, I naturally declined the offer. That person then proceeded to share the information about the connection between Sheriff’s email address and the FBI search warrant, as well as the account’s credentials. The same identity approached several other security researchers and journalists, one of whom was able to validate that the kelvinmiddelkoop@hotmail.com address actually belonged to Sheriff’s account. Those researchers were likewise offered tainted donations, except the individual offering the donation seemed to use a different story with each person about who they were or why they were offering money. Others contacted by the same anonymous user said they also received unsolicited details about Sheriff. It seems clear that whoever offered that money and information has their own agenda, which may also involve attempts to make members of the news media appear untrustworthy for agreeing to accept stolen funds. However, the information they shared checks out, and since there is precious little public reporting on the source of the ICRC intrusion, the potential connection to hacker groups based in Iran seems worth noting.

 Companies to Watch

The $12 million Series A funding round will enable Netacea to expand its presence in the U.K. and the U.S., where the business sees significant opportunities for further growth.

 Expert Blogs and Opinion

Supply chain issues are already one of the weakest links for an organization, even in the best of times. Challenges are not just in production capabilities, but also in security of the final product.

 Threat Intel & Info Sharing

The CISA has added more flaws in its catalog of known exploited vulnerabilities. They were found in products of top tech giants, such as Microsoft, Oracle, Apache, and Apple. Also, there are some priority ones, for which the CISA has asked FCEB agencies to patch the vulnerabilities within February. Last month, the agency had warned federal agencies to fix old unpatched vulnerabilities.

 Trends, Reports, Analysis

According to Atlas VPN, nearly 50% of malicious Office documents were downloaded from Google Drive in 2021. Until 2020, Microsoft OneDrive was the major source of malicious office documents at 34% share. Cybercriminals spread these by creating free accounts on cloud apps hosting services, upload malicious files and   show more ...

share them publicly or with selected individuals. Organizations must secure their cloud apps with user authentication and threat monitoring tools.

 Expert Blogs and Opinion

An attacker could use this notorious vulnerability (dubbed Log4Shell) to force a victim to download, install and execute externally hosted malicious payloads with relative ease.

 Feed

Red Hat Security Advisory 2022-0483-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.8.31. Issues addressed include a cross site request forgery vulnerability.

 Feed

Ubuntu Security Notice 5286-1 - Milan Broz discovered that cryptsetup incorrectly handled LUKS2 reencryption recovery. An attacker with physical access to modify the encrypted device header may trigger the device to be unencrypted the next time it is mounted by the user. On Ubuntu 20.04 LTS, this issue was fixed by disabling the online reencryption feature.

 Feed

Red Hat Security Advisory 2022-0553-01 - Red Hat Fuse provides a small-footprint, flexible, open source enterprise service bus and integration platform. Red Hat A-MQ is a standards compliant messaging system that is tailored for use in mission critical applications. This patch is an update to Red Hat Fuse 6.3 and Red   show more ...

Hat A-MQ 6.3. Issues addressed include code execution, deserialization, and remote SQL injection vulnerabilities.

 Feed

Ignition versions prior to 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents(). This is exploitable on sites using debug mode with Laravel before 8.4.2.

 Feed

Red Hat Security Advisory 2022-0535-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 91.6.0. Issues addressed include a bypass vulnerability.

 Feed

Red Hat Security Advisory 2022-0539-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 91.6.0. Issues addressed include a bypass vulnerability.

 Feed

Red Hat Security Advisory 2022-0536-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 91.6.0. Issues addressed include a bypass vulnerability.

 Feed

Red Hat Security Advisory 2022-0537-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 91.6.0. Issues addressed include a bypass vulnerability.

 Feed

Red Hat Security Advisory 2022-0533-01 - This is a kernel live patch module which is automatically loaded by the RPM post-install script to modify the code of a running kernel. Issues addressed include a use-after-free vulnerability.

 Feed

Red Hat Security Advisory 2022-0538-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 91.6.0. Issues addressed include a bypass vulnerability.

 Feed

Red Hat Security Advisory 2022-0540-01 - The redhat-virtualization-host packages provide the Red Hat Virtualization Host. These packages include redhat-release-virtualization-host, ovirt-node, and rhev-hypervisor. Red Hat Virtualization Hosts are installed using a special build of Red Hat Enterprise Linux with only   show more ...

the packages required to host virtual machines. RHVH features a Cockpit user interface for monitoring the host's resources and performing administrative tasks. Issues addressed include buffer overflow, heap overflow, and privilege escalation vulnerabilities.

 Feed

Researchers have revealed details of a now-patched high-severity security vulnerability in Apache Cassandra that, if left unaddressed, could be abused to gain remote code execution on affected installations. "This Apache security vulnerability is easy to exploit and has the potential to wreak havoc on systems, but luckily only manifests in non-default configurations of Cassandra," Omer Kaspi,

 Feed

Meta Platforms has agreed to pay $90 million to settle a lawsuit over the company's use of cookies to allegedly track Facebook users' internet activity even after they had logged off from the platform. In addition, the social media company will be required to delete all of the data it illegally collected from those users. The development was first reported by Variety. <!--adsense--> The

 Feed

The European Union's data protection authority on Tuesday called for a ban on the development and the use of Pegasus-like commercial spyware in the region, calling out the technology's "unprecedented level of intrusiveness" that could endanger users' right to privacy. "Pegasus constitutes a   show more ...

paradigm shift in terms of access to private communications and devices, which is able to affect the very

 Feed

The notorious TrickBot malware is targeting customers of 60 financial and technology companies, including cryptocurrency firms, primarily located in the U.S., even as its operators have updated the botnet with new anti-analysis features. "TrickBot is a sophisticated and versatile malware with more than 20 modules that can be downloaded and executed on demand," Check Point researchers Aliaksandr

 Feed

VMware on Tuesday patched several high-severity vulnerabilities impacting ESXi, Workstation, Fusion, Cloud Foundation, and NSX Data Center for vSphere that could be exploited to execute arbitrary code and cause a denial-of-service (DoS) condition. As of writing, there's no evidence that any of the weaknesses are exploited in the wild. The list of six flaws is as follows – <!--adsense-->

 Feed

The increasing volume and sophistication of cyberattacks have naturally led many companies to invest in additional cybersecurity technologies. We know that expanded threat detection capabilities are necessary for protection, but they have also led to several unintended consequences. The “more is not always better” adage fits this situation perfectly. An upcoming webinar by cybersecurity company

 Malware

Bravo to Microsoft, because it sounds like they’re doing something to improve the security of Office users. Way back in 1995, Microsoft accidentally shipped a virus on CD ROM. At first Microsoft refused to call it a virus, preferring to call it a “Prank macro,” but WM/Concept as it became known was   show more ...

the first widespread … Continue reading "25 years on, Microsoft makes another stab at stopping macro malware"

 Video

If you don't understand what they are, don't feel too bad about it. The truth is that many people don't understand what NFTs are. It's not that people are dumb, but rather that they're too intelligent. Because NFTs simply don't make any sense to anyone with more than a peanut for a brain.

2022-02
Aggregator history
Wednesday, February 16
TUE
WED
THU
FRI
SAT
SUN
MON
FebruaryMarchApril