Daily NCSC-FI news followup 2022-01-04

Cyberattack against UK Ministry of Defence training academy revealed

www.zdnet.com/article/ex-officer-reveals-cyberattack-against-uk-ministry-of-defence-training-academy/ A retired military officer has disclosed a cyberattack that struck the UK Ministry of Defence (MoD) academy and had a “significant” impact on the organization. Air Marshal Edward Stringer, an officer in charge at the time, told Sky News that the cyberattack was discovered in March 2021. According to the retired officer, “unusual activity” was detected by IT outsourcer Serco, but originally it was thought that this may have been due to some form of IT error rather than something malicious. The Defence Academy of the United Kingdom was the target. The organization is responsible for teaching and training thousands of military personnel, MoD employees, wider government figures, and overseas students. Courses on offer relate to topics including security, strategy, languages, and information warfare. While full attribution is not available as to who was responsible, the publication reports that China or Russia was “possibly” involved.

Apple Home software bug could lock you out of your iPhone

nakedsecurity.sophos.com/2022/01/04/apple-home-software-bug-could-lock-you-out-of-your-iphone/ A security researcher called Trevor Spiniolas has just published information about a bug he claims has existed in Apple’s iOS operating system since at least version 14.7. The bug affects the Home app, Apple’s home automation software that lets you control home devices (webcams, doorbells, thermostats, light bulbs, and so on) that support Apple’s HomeKit ecosystem. Spiniolas has dubbed the bug doorLock, giving it both a logo and a dedicated web page, claiming that although he disclosed it to Apple back in August 2021, the company’s attempts to patch it so far have been incomplete, and his specified deadline of 01 January 2022 for “going live” with details of the flaw has now passed.

Log4j flaw attack levels remain high, Microsoft warns

www.zdnet.com/article/log4j-flaw-attacks-are-causing-lots-of-problems-microsoft-warns/ Microsoft has warned Windows and Azure customers to remain vigilant after observing state-sponsored and cyber-criminal attackers probing systems for the Log4j ‘Log4Shell’ flaw through December. Disclosed by the Apache Software Foundation on December 9, Log4Shell will likely take years to remediate because of how widely the error-logging software component is used in applications and services. Microsoft warns that customers might not be aware of how widespread the Log4j issue is in their environment. Over the past month, Microsoft has released numerous updates, including to its Defender security software, to help customers identify the issue as attackers stepped up scanning activity.

FTC warns companies to secure consumer data from Log4J attacks

www.bleepingcomputer.com/news/security/ftc-warns-companies-to-secure-consumer-data-from-log4j-attacks/ The US Federal Trade Commission (FTC) has warned today that it will go after any US company that fails to protect its customers’ data against ongoing Log4J attacks. “The FTC intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future,” the US government agency said. “The duty to take reasonable steps to mitigate known software vulnerabilities implicates laws including, among others, the Federal Trade Commission Act and the Gramm-Leach-Bliley Act. It is critical that companies and their vendors relying on Log4j act now, in order to reduce the likelihood of harm to consumers, and to avoid FTC legal action.”

Purple Fox rootkit now bundled with Telegram installer

blog.malwarebytes.com/trojans/2022/01/purple-fox-rootkit-now-bundled-with-telegram-installer/ The Purple Fox rootkit is being spread as an installer for the popular Telegram instant messaging app for Windows, according to researchers. It’s not clear how the installer in this case was distributed, although it seems like at least some were delivered via email. Common distribution methods for this type of installer are phishing campaigns, forum spam, YouTube posts and comments, as well as untrustworthy software download sites. We’ve also seen the same malicious downloader in combination with a WhatsApp for Windows installer. But what makes the newly found Telegram installer special is the fact that the malicious part of the install is done separately in several small files. This makes the malware harder to detect and makes it easier for the malware authors to replace parts that have a high detection rate. It starts with an installer called “Telegram Desktop.exe”, which is an AutoIT script that drops a legitimate Telegram installer and a malicious downloader called “TextInputh.exe”. The legitimate Telegram installer is not executed, but the malicious downloader is immediately used as a downloader for the next stage of the attack. It downloads and executes more files, which get deleted after they have done their work. Then User Account Control (UAC) is disabled, specific antivirus initiations are blocked, and information about security tools on the affected system is gathered and sent to a hardcoded command and control (C2) address. The malware checks specifically for the presence of 360 AV software and will shut it down and block initiation. The final stage of the infection requires a reboot for the new registry settings to take effect, including the disabled UAC. The disabled UAC setting allows the malware to download and deploy the Purple Fox rootkit.
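As an added illustration (not code from the Malwarebytes post), the following routine runs over constructed endpoint events and flags the two stages the article names: the TextInputh.exe downloader launched under the fake “Telegram Desktop.exe” installer, and UAC being switched off. The event format is an assumption made for the demo; the EnableLUA value under the Policies\System key is the standard Windows UAC switch.

```python
# Added example: correlate the Purple Fox/Telegram installer chain in
# endpoint telemetry. The event shape is invented for this demo; the
# file names come from the article and EnableLUA is the standard UAC value.

UAC_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
DROPPER = "telegram desktop.exe"      # AutoIT wrapper named in the article
DOWNLOADER = "textinputh.exe"         # second-stage downloader it drops

# Constructed sample events (not real logs): pid 100 is the fake installer,
# it spawns the downloader, which then turns UAC off; pid 200 is benign.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1,
     "image": r"C:\Users\u\Downloads\Telegram Desktop.exe"},
    {"type": "process", "pid": 101, "ppid": 100,
     "image": r"C:\Users\u\AppData\Local\Temp\TextInputh.exe"},
    {"type": "registry", "pid": 101, "key": UAC_KEY,
     "value": "EnableLUA", "data": 0},
    {"type": "process", "pid": 200, "ppid": 1,
     "image": r"C:\Program Files\Telegram Desktop\Telegram.exe"},
]

def basename(path):
    """Case-folded file name from a Windows path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def lineage(pid, procs):
    """Yield process names from pid up to the root (cycle-safe)."""
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        yield basename(procs[pid]["image"])
        pid = procs[pid]["ppid"]

def detect(events):
    """Return (rule, pid) findings for the installer chain and UAC change."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = []
    for e in events:
        if e["type"] == "process":
            names = list(lineage(e["pid"], procs))
            # downloader started (directly or indirectly) by the fake installer
            if names[0] == DOWNLOADER and DROPPER in names[1:]:
                findings.append(("dropper_chain", e["pid"]))
        elif (e["type"] == "registry" and e["key"].lower() == UAC_KEY.lower()
              and e["value"].lower() == "enablelua" and e["data"] == 0):
            # UAC turned off; higher confidence when the writer descends from the dropper
            by_dropper = DROPPER in list(lineage(e["pid"], procs))
            findings.append(("uac_disabled_by_dropper" if by_dropper else "uac_disabled", e["pid"]))
    return findings

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(rule, pid)
```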

Have I Been Pwned warns of DatPiff data breach impacting millions

www.bleepingcomputer.com/news/security/have-i-been-pwned-warns-of-datpiff-data-breach-impacting-millions/ The cracked passwords for almost 7.5 million DatPiff members are being sold online, and users can check if they are part of the data breach through the Have I Been Pwned notification service. DatPiff is a popular mixtape hosting service used by over 15 million users, allowing unregistered users to download or upload samples for free.

Over 20 years of employee data leaked during McMenamins ransomware attack

www.zdnet.com/article/ransomware-attack-on-mcmenamins-leads-to-breach/ Oregon-based venue operator McMenamins said employee data was accessed during a ransomware attack that occurred on December 12. In a statement, the company explained that even though they managed to “block” the attack, employee information dating back to 1998 was compromised. The employee files included standard information (name, address, phone number, date of birth, race, disability status, and more) as well as sensitive information (Social Security numbers, bank account information, health insurance plans, income amount, and disciplinary notes).

Google acquires Israeli cybersecurity company Siemplify for $500 million

www.zdnet.com/article/google-acquires-israeli-cybersecurity-company-siemplify-for-500-million/ Google announced on Tuesday that it is acquiring Israeli cybersecurity startup Siemplify for a reported $500 million. Google Cloud Security vice president Sunil Potti said Siemplify is a leader in the security orchestration, automation and response (SOAR) field. Their platform will be integrated into Google Cloud’s security team “to help companies better manage their threat response
