Oktacron logo
Cyber security aggregate rss news

Cyber security aggregator - feeds history
image for Follina (CVE-2022-30 ...

 Business

Researchers have discovered another serious vulnerability in Microsoft products that potentially allows attackers to execute arbitrary code. MITRE designated this vulnerability as CVE-2022-30190, while researchers somewhat poetically named it Follina. The most disturbing thing is that there is no fix for this bug yet.   show more ...

Whats even worse, the vulnerability is already being actively exploited by cybercriminals. While the update is under development, all Windows users and administrators are advised to use temporary workarounds. What is CVE-2022-30190 and what products does it affect The CVE-2022-30190 vulnerability is contained in the Microsoft Windows Support Diagnostic Tool (MSDT) which doesnt sound like a big deal. Unfortunately, due to the implementation of this tool, the vulnerability can be exploited via a malicious office document. MSDT is an application that is used to automatically collect diagnostic information and send it to Microsoft when something is going wrong with Windows. The tool can be called from another applications (Microsoft Word being the most popular example) through the special MSDT URL protocol. If the vulnerability is successfully exploited, an attacker is able to run arbitrary code with the privileges of the application that called the MSDT — that is, in this case, with the rights of the user who opened the malicious file. Vulnerability CVE-2022-30190 can be exploited in all operating systems of the Windows family, both desktop and server. How attackers exploit CVE-2022-30190 As a demonstration of the attack, the researchers describe the following scenario. Attackers create a malicious office document and slip it to the victim. The most common way to do this is to send an e-mail with a malicious attachment, spiced up with some classic social engineering ploy to convince the recipient to open the file. Something like Urgently check the contract, signing tomorrow morning can easily do the trick. The infected file contains a link to an HTML file that contains JavaScript code that executes malicious code in the command line via MSDT. As a result of successful exploitation, the attackers can install programs, view, modify or destroy data, as well as create new accounts — that is, do everything that is possible with the victims privileges in the system. How to stay safe As mentioned at the beginning, there is no patch yet. To counteract, Microsoft recommends disabling the MSDT URL protocol. To do this, you need to run a command prompt with administrator rights and execute the command reg delete HKEY_CLASSES_ROOTms-msdt /f. Before doing this, it would be useful to back up the registry by executing reg export HKEY_CLASSES_ROOTms-msdt filename. This way you can quickly restore the registry with the reg import filename command as soon as this workaround is no longer needed, Of course, this is only a temporary measure and you should install an update that closes the Follina vulnerability as soon as it becomes available. The described methods of exploiting this vulnerability involve the use of e-mails with malicious attachments and social engineering methods. Therefore we recommend to be even more careful than usual with e-mails from unknown senders, especially with attached MS Office documents. For companies it makes sense to regularly raise employee awareness about most relevant hackers tricks. In addition, all devices with an Internet access should be equipped with robust security solutions. Even when someone is exploiting an unknown vulnerability, such solutions can prevent malicious code from running on a users machine.

image for Costa Rica May Be Pa ...

 A Little Sunshine

Costa Rica’s national health service was hacked sometime earlier this morning by a Russian ransomware group known as Hive. The intrusion comes just weeks after Costa Rican President Rodrigo Chaves declared a state of emergency in response to a data ransom attack from a different Russian ransomware gang —   show more ...

Conti. Ransomware experts say there is good reason to believe the same cybercriminals are behind both attacks, and that Hive has been helping Conti rebrand and evade international sanctions targeting extortion payouts to cybercriminals operating in Russia. The Costa Rican publication CRprensa.com reports that affected systems at the Costa Rican Social Security Fund (CCSS) were taken offline on the morning of May 31, but that the extent of the breach was still unclear. The CCSS is responsible for Costa Rica’s public health sector, and worker and employer contributions are mandated by law. The fallout from this latest attack is not yet clear, but it is likely to be disruptive: A hand-written sign posted outside a public health center in Costa Rica today explained that all systems are down until further notice (thanks to @Xyb3rb3nd3r for sharing this photo). A hand-written notice posted outside a public health clinic today in Costa Rica warned of system outages due to a cyberattack on the nation’s healthcare systems. The message reads: “Dear Users: We would like to inform you that due a problem related to the information systems of the institution, we are unable to expend any medicine prescriptions today until further notice. Thank you for your understanding- The pharmacy.” Esteban Jimenez, founder of the Costa Rican cybersecurity consultancy ATTI Cyber, told KrebsOnSecurity the CCSS suffered a cyber attack that compromised the Unique Digital Medical File (EDUS) and the National Prescriptions System for the public pharmacies, and as a result medical centers have turned to paper forms and manual contingencies. “Many smaller health centers located in rural areas have been forced to close due to not having the required equipment or communication with their respective central health areas and the National Retirement Fund (IVM) was completely blocked,” Jimenez said. “Taking into account that salaries of around fifty thousand employees and deposits for retired citizens were due today, so now the payments are in danger.” Jimenez said the head of the CCSS has addressed the local media, confirming that the Hive ransomware was deployed on at least 30 out of 1,500 government servers, and that any estimation of time to recovery remains unknown. He added that many printers within the government agency this morning began churning out copies of the Hive ransom note. Printers at the Costa Rican government health ministry went crazy this morning after the Hive ransomware group attacked. Image: Esteban Jimenez. “HIVE has not yet released their ransom fee but attacks are expected to follow, other organizations are trying to get a hold on the emergency declaration to obtain additional funds to purchase new pieces of infrastructure, improve their backup structure amongst others,” Jimenez said. A copy of the ransom note left behind by the intruders and subsequently uploaded to Virustotal.com indicates the CCSS intrusion was the work of Hive, which typically demands payment for a digital key needed to unlock files and servers compromised by the group’s ransomware. A HIVE ransomware chat page for a specific victim (redacted). On May 8, President Chaves used his first day in office to declare a national state of emergency after the Conti ransomware group threatened to publish gigabytes of sensitive data stolen from Costa Rica’s Ministry of Finance and other government agencies. Conti initially demanded $10 million, and later doubled the amount when Costa Rica refused to pay. On May 20, Conti leaked more than 670 gigabytes of data taken from Costa Rican government servers. As CyberScoop reported on May 17, Chaves told local media he believed that collaborators within Costa Rica were helping Conti extort the government. Chaves offered no information to support this claim, but the timeline of Conti’s descent on Costa Rica is worth examining. Most of Conti’s public communications about the Costa Rica attack have very clearly assigned credit for the intrusion to an individual or group calling itself “unc1756.” In March 2022, a new user by the same name registered on the Russian language crime forum Exploit. A message Conti posted to its dark web blog on May 20. On the evening of April 18, Costa Rica’s Ministry of Finance disclosed the Conti intrusion via Twitter. Earlier that same day, the user unc1756 posted a help wanted ad on Exploit saying they were looking to buy access to “special networks” in Costa Rica. “By special networks I mean something like Haciendas,” unc1756 wrote on Exploit. Costa Rica’s Ministry of Finance is known in Spanish as the “Ministerio Hacienda de Costa Rica.” Unc1756 said they would pay $USD 500 or more for such access, and would work only with Russian-speaking people. THE NAME GAME DISTRACTION Experts say there are clues to suggest Conti and Hive are working together in their attacks on Costa Rica, and that the intrusions are tied to a rebranding effort by Conti. Shortly after Russia invaded Ukraine at the end of February, Conti declared its full support, aligning itself directly with Russia and against anyone who would stand against the motherland. Conti’s threatening message this week regarding international interference in Ukraine. Conti quickly deleted the declaration from its website, but the damage had already been done, and any favor or esteem that Conti had earned among the Ukrainian cybercriminal underground effectively evaporated overnight. Shortly thereafter, a Ukrainian security expert leaked many months worth of internal chat records between Conti personnel as they plotted and executed attacks against hundreds of victim organizations. Those candid messages exposed what it’s like to work for Conti, how they undermined the security of their targets, as well as how the group’s leaders strategized for the upper hand in ransom negotiations. But Conti’s declaration of solidarity with the Kremlin also made it increasingly ineffective as an instrument of financial extortion. According to cyber intelligence firm ADVIntel, Conti’s alliance with the Russian state soon left it largely unable to receive ransom payments because victim companies are being advised that paying a Conti ransom demand could mean violating U.S. economic sanctions on Russia. “Conti as a brand became associated with the Russian state — a state that is currently undergoing extreme sanctions,” ADVIntel wrote in a lengthy analysis (PDF). “In the eyes of the state, each ransom payment going to Conti may have potentially gone to an individual under sanction, turning simple data extortion into a violation of OFAC regulation and sanction policies against Russia.” Conti is by far the most aggressive and profitable ransomware group in operation today. Image: Chainalysis ADVIntel says it first learned of Conti’s intrusion into Costa Rican government systems on April 14, and that it has seen internal Conti communications indicating that getting paid in the Costa Rica attack was not the goal. Rather, ADVIntel argues, Conti was simply using it as a way to appear publicly that it was still operating as the world’s most lucrative ransomware collective, when in reality the core Conti leadership was busy dismantling the crime group and folding themselves and top affiliates into other ransomware groups that are already on friendly terms with Conti. “The only goal Conti had wanted to meet with this final attack was to use the platform as a tool of publicity, performing their own death and subsequent rebirth in the most plausible way it could have been conceived,” ADVIntel concluded. ADVIntel says Conti’s leaders and core affiliates are dispersing to several Conti-loyal crime collectives that use either ransomware lockers or strictly engage in data theft for ransom, including AlphV/BlackCat, AvosLocker, BlackByte, HelloKitty, Hive, and Karakurt. Still, Hive appears to be perhaps the biggest beneficiary of any attrition from Conti: Twice over the past week, both Conti and Hive and claimed responsibility for hacking the same companies. When the discrepancy was called out on Twitter, Hive updated its website to claim it was not affiliated with Conti. Conti and Hive’s Costa Rican exploits mark the latest in a string of recent cyberattacks against government targets across Latin America. Around the same time it hacked Costa Rica in April, Conti announced it had hacked Peru’s National Directorate of Intelligence, threatening to publish sensitive stolen data if the government did not pay a ransom. But Conti and Hive are not alone in targeting Latin American victims of late. According to data gathered from the victim shaming blogs maintained by multiple ransomware groups, over the past 90 days ransom actors have hacked and sought to extort 15 government agencies in Brazil, nine in Argentina, six in Colombia, four in Ecuador and three in Chile. A recent report (PDF) by the Inter-American Development Bank suggests many Latin American countries lack the technical expertise or cybercrime laws to deal with today’s threats and threat actors. “This study shows that the Latin American and Caribbean (LAC) region is not sufficiently prepared to handle cyberattacks,” the IADB document explains. “Only 7 of the 32 countries studied have a critical infrastructure protection plan, while 20 have established cybersecurity incident response teams, often called CERTs or CSIRTs. This limits their ability to identify and respond to attacks.”

 Trends, Reports, Analysis

Scammers are now attracting specific groups of victims to increase conversion rates. Social media are more often becoming the first point of contact between scammers and their potential victims.

 Malware and Vulnerabilities

An Australian digital driver's license (DDL) implementation that officials claimed is more secure than a physical license has been shown to easily defaced, but authorities insist the credential remains secure.

 Companies to Watch

Hoxhunt, a Helsinki, Finland–based cybersecurity training platform provider, raised $40 million in Series B funding. The round was led by Level Equity Management, with participation from existing investor Icebreaker.vc.

 Threat Intel & Info Sharing

The type of cyberattack the Italian organization refers to is DDoS (distributed denial-of-service), which may not be catastrophic but can still cause damage, financial or otherwise, due to service outages and disruptions.

 Trends, Reports, Analysis

According to the report, ransomware attacks continue to mount pressure on organizations worldwide as researchers recorded a 13% increase in such attacks. While 40% of ransomware incidents were executed via desktop sharing software, 35% involved the use of email. 

 Feed

This Metasploit module exploits an improper input validation vulnerability in MyBB versions prior to 1.8.30 to execute arbitrary code in the context of the user running the application. The MyBB Admin Control setting page calls the PHP eval function with unsanitized user input. The exploit adds a new setting,   show more ...

injecting the payload in the vulnerable field, and triggers its execution with a second request. Finally, it takes care of cleaning up and removes the setting. Note that authentication is required for this exploit to work and the account must have rights to add or update settings (typically, the myBB administrator role).

 Feed

Ubuntu Security Notice 5454-1 - Joshua Mason discovered that CUPS incorrectly handled the secret key used to access the administrative web interface. A remote attacker could possibly use this issue to open a session as an administrator and execute arbitrary code. It was discovered that CUPS incorrectly handled certain   show more ...

memory operations when handling IPP printing. A remote attacker could possibly use this issue to cause CUPS to crash, leading to a denial of service, or obtain sensitive information. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS.

 Feed

Red Hat Security Advisory 2022-4824-01 - Fapolicyd implements application whitelisting to decide file access rights. Applications that are known via a reputation source are allowed access while unknown applications are not. The daemon makes use of the kernel's fanotify interface to determine file access rights.

 Feed

Red Hat Security Advisory 2022-4814-01 - The Migration Toolkit for Containers enables you to migrate Kubernetes resources, persistent volume data, and internal container images between OpenShift Container Platform clusters, using the MTC web console or the Kubernetes API. Issues addressed include denial of service and memory exhaustion vulnerabilities.

 Feed

Red Hat Security Advisory 2022-4808-01 - The rsyslog packages provide an enhanced, multi-threaded syslog daemon. It supports MySQL, syslog/TCP, RFC 3195, permitted sender lists, filtering on any message part, and fine-grained control over output format. The rsyslog7 packages provide an enhanced, multi-threaded syslog   show more ...

daemon. It supports on-demand disk buffering, reliable syslog over TCP, SSL, TLS and RELP, writing to databases, email alerting, fully configurable output formats, the ability to filter on any part of the syslog message, on-the-wire message compression, and the ability to convert text files to syslog. Issues addressed include a heap overflow vulnerability.

 Feed

Red Hat Security Advisory 2022-2281-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 3.11.705.

 Feed

Red Hat Security Advisory 2022-4835-01 - The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Issues addressed include a buffer overflow vulnerability.

 Feed

Red Hat Security Advisory 2022-4816-01 - The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc. Issues addressed include a privilege escalation vulnerability.

 Feed

Red Hat Security Advisory 2022-4809-01 - This is a kernel live patch module which is automatically loaded by the RPM post-install script to modify the code of a running kernel. Issues addressed include a buffer overflow vulnerability.

 Feed

Red Hat Security Advisory 2022-2280-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 3.11.705. Issues addressed include cross site scripting and denial of service vulnerabilities.

 Feed

Ubuntu Security Notice 5446-2 - USN-5446-1 fixed a vulnerability in dpkg. This update provides the corresponding update for Ubuntu 16.04 ESM. Max Justicz discovered that dpkg incorrectly handled unpacking certain source packages. If a user or an automated system were tricked into unpacking a specially crafted source   show more ...

package, a remote attacker could modify files outside the target unpack directory, leading to a denial of service or potentially gaining access to the system.

 Feed

Red Hat Security Advisory 2022-4798-01 - The Apache Maven Shared Utils project aims to be an improved functional replacement for plexus-utils in Maven. Issues addressed include a code execution vulnerability.

 Feed

Red Hat Security Advisory 2022-4795-01 - The rsyslog packages provide an enhanced, multi-threaded syslog daemon. It supports MySQL, syslog/TCP, RFC 3195, permitted sender lists, filtering on any message part, and fine-grained control over output format. Issues addressed include a heap overflow vulnerability.

 Feed

Red Hat Security Advisory 2022-4803-01 - The rsyslog packages provide an enhanced, multi-threaded syslog daemon. It supports MySQL, syslog/TCP, RFC 3195, permitted sender lists, filtering on any message part, and fine-grained control over output format. Issues addressed include a heap overflow vulnerability.

 Feed

Red Hat Security Advisory 2022-4797-01 - The Apache Maven Shared Utils project aims to be an improved functional replacement for plexus-utils in Maven. Issues addressed include a code execution vulnerability.

 Feed

Interpol on Monday announced the arrest of three suspected global scammers in Nigeria for using remote access trojans (RATs) such as Agent Tesla to facilitate malware-enabled cyber fraud. "The men are thought to have used the RAT to reroute financial transactions, stealing confidential online connection details from corporate organizations, including oil and gas companies in South East Asia, the

 Feed

Microsoft on Monday published guidance for a newly discovered zero-day security flaw in its Office productivity suite that could be exploited to achieve code execution on affected systems. The weakness, now assigned the identifier CVE-2022-30190, is rated 7.8 out of 10 for severity on the CVSS vulnerability scoring system. Microsoft Office versions Office 2013, Office 2016, Office 2019, and

 Feed

An "aggressive" advanced persistent threat (APT) group known as SideWinder has been linked to over 1,000 new attacks since April 2020. "Some of the main characteristics of this threat actor that make it stand out among the others, are the sheer number, high frequency and persistence of their attacks and the large collection of encrypted and obfuscated malicious components used in their

 Feed

This is an exciting time for the Internet of Things. According to Deloitte research, the average U.S. household now has 25 connected devices — and new products are being launched every day. This rush of demand means that many tech companies are looking for developers with IoT knowledge. And even if you don’t want to specialize in this field, the programming skills are transferable. Featuring

 Feed

An analysis of the mobile threat landscape in 2022 shows that Spain and Turkey are the most targeted countries for malware campaigns, even as a mix of new and existing banking trojans are increasingly targeting Android devices to conduct on-device fraud (ODF). Other frequently targeted countries include Poland, Australia, the U.S., Germany, the U.K., Italy, France, and Portugal. "The most

2022-05
Aggregator history
Tuesday, May 31
SUN
MON
TUE
WED
THU
FRI
SAT
MayJuneJuly