336,000 servers remain unpatched against critical Fortigate vulnerability

Researchers say that nearly 336,000 devices exposed to the Internet remain vulnerable to a critical vulnerability in firewalls sold by Fortinet because admins have yet to install patches the company released three weeks ago.

CVE-2023-27997 is a remote code execution vulnerability in the SSL-VPN component of FortiGate firewalls, reachable by an unauthenticated attacker. It stems from a heap-based buffer overflow and carries a CVSS severity rating of 9.8 out of 10. Fortinet released updates silently patching the flaw on June 8 and disclosed it four days later in an advisory that said it may have been exploited in targeted attacks. That same day, the US Cybersecurity and Infrastructure Security Agency (CISA) added it to its catalog of known exploited vulnerabilities and gave federal agencies until Tuesday to patch it.

Despite the severity and the availability of a patch, admins have been slow to fix it, researchers said.

There’s a new form of keyless car theft that works in under 2 minutes

When a London man discovered the front left-side bumper of his Toyota RAV4 torn off and the headlight partially dismantled not once but twice in three months last year, he suspected the acts were senseless vandalism. When the vehicle went missing a few days after the second incident, and a neighbor found their Toyota Land Cruiser gone shortly afterward, he discovered they were part of a new and sophisticated technique for performing keyless thefts.

It just so happened that the owner, Ian Tabor, is a cybersecurity researcher specializing in automobiles. While investigating how his RAV4 was taken, he uncovered a new technique known as a CAN injection attack.

The case of the malfunctioning CAN

Tabor began by poring over the “MyT” telematics system that Toyota uses to track vehicle anomalies known as DTCs (Diagnostic Trouble Codes). It turned out his vehicle had recorded many DTCs around the time of the theft.
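A CAN injection attack works because the bus has no sender authentication: a device spliced onto any accessible wiring (here, the headlight harness) can emit frames that claim to come from the door or immobilizer ECU. One detection heuristic that does not need authentication is timing: each arbitration ID is normally transmitted by one ECU at a stable period, so a forged frame shows up as an impossibly short gap after the genuine one. The following is an added example, not code from the article or from Tabor's research; the candump-style logs, the IDs and the payloads are constructed for illustration and are not Toyota's real frames.

```python
import re
import statistics
from collections import defaultdict
from dataclasses import dataclass

# candump-style text log: "(timestamp) interface ID#DATA". Both logs below are constructed
# for this example; arbitration IDs and payloads are illustrative only.
BASELINE_LOG = """\
(0.000000) can0 1A2#00
(0.000000) can0 2B0#0000
(0.010000) can0 1A2#00
(0.020000) can0 1A2#00
(0.030000) can0 1A2#00
(0.040000) can0 1A2#00
(0.050000) can0 1A2#00
(0.050000) can0 2B0#0000
(0.060000) can0 1A2#00
(0.070000) can0 1A2#00
(0.080000) can0 1A2#00
(0.090000) can0 1A2#00
"""

# Same bus a moment later, with one forged 1A2 frame (payload 01, standing in for an
# "unlock" command) slipped in between two genuine ones by a device on the headlight wiring.
ATTACK_LOG = """\
(0.100000) can0 1A2#00
(0.100000) can0 2B0#0000
(0.110000) can0 1A2#00
(0.112000) can0 1A2#01
(0.120000) can0 1A2#00
(0.130000) can0 1A2#00
"""

LINE_RE = re.compile(
    r"\((?P<ts>\d+\.\d+)\)\s+(?P<iface>\S+)\s+(?P<id>[0-9A-Fa-f]+)#(?P<data>[0-9A-Fa-f]*)"
)


@dataclass(frozen=True)
class Frame:
    ts: float
    can_id: int
    data: bytes


def parse_candump(text: str) -> list:
    """Parse candump text lines into Frame objects; malformed lines are skipped."""
    frames = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            frames.append(Frame(float(m["ts"]), int(m["id"], 16), bytes.fromhex(m["data"])))
    return frames


def learn_periods(frames: list) -> dict:
    """Median inter-arrival time per arbitration ID, learned from a clean baseline capture."""
    last, gaps = {}, defaultdict(list)
    for f in frames:
        if f.can_id in last:
            gaps[f.can_id].append(f.ts - last[f.can_id])
        last[f.can_id] = f.ts
    return {cid: statistics.median(g) for cid, g in gaps.items()}


def find_injected(frames: list, periods: dict, tolerance: float = 0.5) -> list:
    """Flag frames that arrive sooner than tolerance * learned period after the previous
    frame with the same ID: a second transmitter is competing with the legitimate ECU."""
    last, flagged = {}, []
    for f in frames:
        period = periods.get(f.can_id)
        if period is not None and f.can_id in last and f.ts - last[f.can_id] < tolerance * period:
            flagged.append(f)
        last[f.can_id] = f.ts
    return flagged


if __name__ == "__main__":
    periods = learn_periods(parse_candump(BASELINE_LOG))
    for f in find_injected(parse_candump(ATTACK_LOG), periods):
        print(f"suspicious frame at {f.ts:.6f}s id=0x{f.can_id:03X} data={f.data.hex()}")
```

Timing alone does not catch an injector that first silences the real ECU (which is one reason DTCs pile up during such an attack), so a production IDS pairs it with a check for IDs that stop transmitting altogether, and the durable fix is message authentication or a gateway that refuses body-control commands arriving on the wrong bus segment.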

North Korean hackers target security researchers with a new backdoor

Threat actors connected to the North Korean government have been targeting security researchers in a hacking campaign that uses new techniques and malware in hopes of gaining a foothold inside the companies the targets work for, researchers said.

Researchers from security firm Mandiant said on Thursday that they first spotted the campaign last June while tracking a phishing campaign targeting a US-based customer in the technology industry. The hackers in this campaign attempted to infect targets with three new malware families, dubbed by Mandiant as Touchmove, Sideshow, and Touchshift. The hackers in these attacks also demonstrated new capabilities to counter endpoint detection tools while operating inside targets’ cloud environments.

“Mandiant suspects UNC2970 specifically targeted security researchers in this operation,” Mandiant researchers wrote.

Threat actors are using advanced malware to backdoor business-grade routers

Researchers have uncovered advanced malware that’s turning business-grade routers into attacker-controlled listening posts that can sniff email and steal files in an ongoing campaign hitting North and South America and Europe.

Besides passively capturing IMAP, SMTP, and POP email, the malware also backdoors routers with a remote-access Trojan that allows the attackers to download files and run commands of their choice. The backdoor also enables attackers to funnel data from other servers through the router, turning the device into a covert proxy for concealing the true origin of malicious activity.

“This type of agent demonstrates that anyone with a router who uses the Internet can potentially be a target—and they can be used as proxy for another campaign—even if the entity that owns the router does not view themselves as an intelligence target,” researchers from security firm Lumen’s Black Lotus Labs wrote. “We suspect that threat actors are going to continue to utilize multiple compromised assets in conjunction with one another to avoid detection.”
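Why passive capture on a router is enough to harvest mailbox credentials: the legacy SMTP, IMAP and POP3 login commands carry the password in cleartext or in base64, which is an encoding, not encryption. The following added example (not the researchers' code, and not the malware's) reconstructs credentials from the client side of constructed sessions, exactly as a tap on the router would see them; the usernames and passwords are fictional. It also shows the mitigation: once a client issues STARTTLS (or connects on the implicit-TLS ports 465/993/995), every subsequent line is ciphertext and the extractor finds nothing.

```python
import base64
import binascii
import re

# Constructed client->server lines from several mail sessions, as seen by a passive tap.
SMTP_PLAIN_SESSION = [
    "EHLO laptop.example.com",
    "AUTH PLAIN " + base64.b64encode(b"\x00alice@example.com\x00hunter2").decode(),
    "MAIL FROM:<alice@example.com>",
]
SMTP_LOGIN_SESSION = [          # AUTH LOGIN: username and password each sent base64-encoded
    "EHLO laptop.example.com",
    "AUTH LOGIN",
    base64.b64encode(b"dave@example.com").decode(),
    base64.b64encode(b"pa55word").decode(),
]
IMAP_SESSION = [
    "a001 CAPABILITY",
    'a002 LOGIN "bob@example.com" "correct horse"',
    "a003 SELECT INBOX",
]
POP3_SESSION = ["USER carol", "PASS s3cret", "STAT"]
STARTTLS_SESSION = ["EHLO laptop.example.com", "STARTTLS"]   # everything after this is TLS records

IMAP_LOGIN_RE = re.compile(
    r'^\S+\s+LOGIN\s+(?:"([^"]*)"|(\S+))\s+(?:"([^"]*)"|(\S+))\s*$', re.I
)


def _b64(text: str) -> bytes:
    try:
        return base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return b""


def extract_credentials(client_lines: list) -> list:
    """Return (protocol, username, password) tuples recoverable from cleartext client lines."""
    found = []
    pending_user = None      # POP3: USER seen, waiting for PASS
    login_stage = None       # SMTP AUTH LOGIN: "user" then "pass" lines follow
    login_user = None
    for raw in client_lines:
        line = raw.strip()
        if login_stage == "user":
            login_user, login_stage = _b64(line).decode(errors="replace"), "pass"
            continue
        if login_stage == "pass":
            found.append(("smtp", login_user, _b64(line).decode(errors="replace")))
            login_stage = None
            continue
        m = re.match(r"^AUTH\s+PLAIN\s+(\S+)$", line, re.I)
        if m:                                   # SASL PLAIN: authzid \0 authcid \0 password
            parts = _b64(m.group(1)).split(b"\x00")
            if len(parts) == 3:
                found.append(("smtp", parts[1].decode(errors="replace"), parts[2].decode(errors="replace")))
            continue
        if re.match(r"^AUTH\s+LOGIN\s*$", line, re.I):
            login_stage = "user"
            continue
        m = IMAP_LOGIN_RE.match(line)
        if m:
            found.append(("imap", m.group(1) or m.group(2), m.group(3) or m.group(4)))
            continue
        m = re.match(r"^USER\s+(\S+)$", line, re.I)
        if m:
            pending_user = m.group(1)
            continue
        m = re.match(r"^PASS\s+(\S+)$", line, re.I)
        if m and pending_user is not None:
            found.append(("pop3", pending_user, m.group(1)))
            pending_user = None
    return found


if __name__ == "__main__":
    for proto, user, pw in extract_credentials(
        SMTP_PLAIN_SESSION + SMTP_LOGIN_SESSION + IMAP_SESSION + POP3_SESSION + STARTTLS_SESSION
    ):
        print(f"{proto}: {user} / {pw}")
```

The practical check for a fleet is therefore not whether the router looks healthy but whether any client is still allowed to authenticate without TLS: disable the cleartext AUTH/LOGIN/USER commands on the mail server until after STARTTLS, and alert on port 25/110/143 sessions that never negotiate TLS.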

Stealthy UEFI malware bypassing Secure Boot enabled by unpatchable Windows flaw

Researchers on Wednesday announced a major cybersecurity find—the world’s first-known instance of real-world malware that can hijack a computer’s boot process even when Secure Boot and other advanced protections are enabled and running on fully updated versions of Windows.

Dubbed BlackLotus, the malware is what’s known as a UEFI bootkit. These sophisticated pieces of malware hijack the UEFI—short for Unified Extensible Firmware Interface—the low-level and complex chain of firmware responsible for booting up virtually every modern computer. As the mechanism that bridges a PC’s device firmware with its operating system, the UEFI is an OS in its own right. It’s located in an SPI-connected flash storage chip soldered onto the computer motherboard, making it difficult to inspect or patch.

Because the UEFI is the first thing to run when a computer is turned on, it influences the OS, security apps, and all other software that follows. These traits make the UEFI the perfect place to launch malware. When successful, UEFI bootkits disable OS security mechanisms and ensure that a computer remains infected with stealthy malware that runs in kernel mode or user mode, even after the operating system is reinstalled or a hard drive is replaced.
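The first thing a defender wants to know on any machine is whether Secure Boot is actually enforcing, and the second is whether the firmware's forbidden-signature database (dbx) has ever been updated, since "Secure Boot on" still boots any signed bootloader that has not been revoked. Both facts are exposed by the firmware as EFI variables. The following is an added example, not code from the article or from the BlackLotus researchers: it parses the Linux efivarfs representation of SecureBoot, SetupMode and dbx (a 4-byte attribute mask followed by the variable data, with dbx made of EFI_SIGNATURE_LIST structures) and runs against constructed blobs so it works offline; the live read at the bottom only works on an EFI-booted Linux host.

```python
import os
import struct
import uuid

# GUID of the EFI global-variable namespace (SecureBoot, SetupMode, PK, KEK, db, dbx).
EFI_GLOBAL_VARIABLE_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFIVARS_DIR = "/sys/firmware/efi/efivars"
SIG_LIST_HEADER = 28  # SignatureType GUID (16) + ListSize, HeaderSize, SignatureSize (3 x u32)


def parse_efivar(blob: bytes):
    """Split an efivarfs file into (attribute bitmask, variable data).
    efivarfs prepends a 4-byte little-endian attribute mask to every variable."""
    if len(blob) < 4:
        raise ValueError("efivar file too short to hold the attribute header")
    (attrs,) = struct.unpack_from("<I", blob, 0)
    return attrs, blob[4:]


def boolean_var(blob: bytes) -> bool:
    """SecureBoot and SetupMode are single-byte variables: 1 = on."""
    _, data = parse_efivar(blob)
    return len(data) == 1 and data[0] == 1


def secure_boot_state(secure_boot_blob: bytes, setup_mode_blob: bytes) -> str:
    """'enforcing' only when SecureBoot=1 and SetupMode=0. In setup mode the key
    hierarchy can be rewritten without authorization, so enforcement means nothing."""
    if boolean_var(setup_mode_blob):
        return "setup-mode"
    return "enforcing" if boolean_var(secure_boot_blob) else "disabled"


def count_signatures(var_data: bytes) -> int:
    """Count entries across the EFI_SIGNATURE_LIST structures that make up db/dbx."""
    total, off = 0, 0
    while off + SIG_LIST_HEADER <= len(var_data):
        list_size, hdr_size, sig_size = struct.unpack_from("<III", var_data, off + 16)
        if list_size < SIG_LIST_HEADER or sig_size == 0 or off + list_size > len(var_data):
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        total += (list_size - SIG_LIST_HEADER - hdr_size) // sig_size
        off += list_size
    return total


def read_efivar(name: str) -> bytes:
    with open(os.path.join(EFIVARS_DIR, f"{name}-{EFI_GLOBAL_VARIABLE_GUID}"), "rb") as fh:
        return fh.read()


def live_report() -> dict:
    """Read the real variables on a Linux host; 'no-efi' when booted via legacy BIOS
    or when efivarfs is not mounted."""
    try:
        state = secure_boot_state(read_efivar("SecureBoot"), read_efivar("SetupMode"))
        dbx_entries = count_signatures(parse_efivar(read_efivar("dbx"))[1])
    except (FileNotFoundError, PermissionError):
        return {"state": "no-efi", "dbx_entries": None}
    return {"state": state, "dbx_entries": dbx_entries}


def make_sha256_list(hashes: list) -> bytes:
    """Build one EFI_SIGNATURE_LIST of SHA-256 entries (owner GUID zeroed); test data only."""
    body = b"".join(bytes(16) + h for h in hashes)   # each entry: owner GUID + 32-byte hash
    return (EFI_CERT_SHA256_GUID.bytes_le
            + struct.pack("<III", SIG_LIST_HEADER + len(body), 0, 16 + 32)
            + body)


# Constructed efivarfs blobs: attribute mask 0x6 = BOOTSERVICE_ACCESS|RUNTIME_ACCESS, then the value.
SAMPLE_ENFORCING = (bytes([6, 0, 0, 0, 1]), bytes([6, 0, 0, 0, 0]))   # SecureBoot=1, SetupMode=0
SAMPLE_DISABLED = (bytes([6, 0, 0, 0, 0]), bytes([6, 0, 0, 0, 0]))
SAMPLE_SETUP = (bytes([6, 0, 0, 0, 0]), bytes([6, 0, 0, 0, 1]))
# dbx attributes 0x27 = NV|BS|RT|TIME_BASED_AUTHENTICATED_WRITE_ACCESS; two revoked hashes.
SAMPLE_DBX = bytes([0x27, 0, 0, 0]) + make_sha256_list([bytes([0xAA]) * 32, bytes([0xBB]) * 32])

if __name__ == "__main__":
    print("sample:", secure_boot_state(*SAMPLE_ENFORCING),
          "dbx entries:", count_signatures(parse_efivar(SAMPLE_DBX)[1]))
    print("this host:", live_report())
```

Read the two numbers together: "enforcing" with a dbx that holds only a handful of entries means the firmware checks signatures but has never received a revocation update, which is precisely the gap a bootkit built on a signed-but-vulnerable bootloader needs.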

Biden administration wants to hold companies liable for bad cybersecurity

The Biden administration on Thursday pushed for new mandatory regulations and liabilities to be imposed on software makers and service providers in an attempt to shift the burden of defending US cyberspace away from small organizations and individuals.

"The most capable and best-positioned actors in cyberspace must be better stewards of the digital ecosystem,” administration officials wrote in a highly anticipated updated National Cybersecurity Strategy document. “Today, end users bear too great a burden for mitigating cyber risks. Individuals, small businesses, state and local governments, and infrastructure operators have limited resources and competing priorities, yet these actors’ choices can have a significant impact on our national cybersecurity."

Increasing regulations and liabilities

The 39-page document cited recent ransomware attacks that have disrupted hospitals, schools, government services, pipeline operations, and other critical infrastructure and essential services. One of the most visible such attacks occurred in 2021 with a ransomware attack on the Colonial Pipeline, which delivers gasoline and jet fuel to much of the Southeastern US. The attack shut down the vast pipeline for several days, prompting fuel shortages in some states.

GoDaddy says a multi-year breach hijacked customer websites and accounts

GoDaddy said on Friday that its network suffered a multi-year security compromise that allowed unknown attackers to steal company source code and customer and employee login credentials, and to install malware that redirected customer websites to malicious sites.

GoDaddy is one of the world’s largest domain registrars, with nearly 21 million customers and revenue in 2022 of almost $4 billion. In a filing Thursday with the Securities and Exchange Commission, the company said that three serious security events starting in 2020 and lasting through 2022 were carried out by the same intruder.

“Based on our investigation, we believe these incidents are part of a multi-year campaign by a sophisticated threat actor group that, among other things, installed malware on our systems and obtained pieces of code related to some services within GoDaddy,” the company stated. The filing said the company’s investigation is ongoing.

This week’s Reddit breach shows company’s security is (still) woefully inadequate

Popular discussion website Reddit proved this week that its security still isn’t up to snuff when it disclosed yet another security breach that was the result of an attack that successfully phished an employee’s login credentials.

In a post published Thursday, Reddit Chief Technical Officer Chris "KeyserSosa" Slowe said that after the breach of the employee account, the attacker accessed source code, internal documents, internal dashboards, business systems, and contact details for hundreds of Reddit employees. An investigation into the breach over the past few days, Slowe said, hasn’t turned up any evidence that the company’s primary production systems or that user password data was accessed.

“On late (PST) February 5, 2023, we became aware of a sophisticated phishing campaign that targeted Reddit employees,” Slowe wrote. “As in most phishing campaigns, the attacker sent out plausible-sounding prompts pointing employees to a website that cloned the behavior of our intranet gateway, in an attempt to steal credentials and second-factor tokens.”
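The phrase "credentials and second-factor tokens" is the whole story: a one-time code from an authenticator app is typed by the user, so a cloned login page can simply forward it to the real gateway within the validity window, and the 30-second step is no defense against a proxy that relays in real time. An origin-bound factor (WebAuthn/FIDO2 security keys or passkeys) survives the same phish because the browser, not the user, writes the page's origin into the signed data, and the real gateway rejects an assertion made for the clone's origin. The following is an added example, not Reddit's code: the TOTP implementation follows RFC 6238 (verified against the RFC's own SHA-1 test seed), while the WebAuthn half is a deliberately simplified model in which an HMAC stands in for the authenticator's public-key signature; the gateway hostname, the phishing origin and the credential key are assumptions.

```python
import base64
import hashlib
import hmac
import json
import struct


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1, the code type most authenticator apps produce."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % 10 ** digits:0{digits}d}"


def verify_totp(secret_b32: str, code: str, unix_time: int, window: int = 1, step: int = 30) -> bool:
    """Server-side check that accepts the current step and `window` steps either side (typical)."""
    return any(hmac.compare_digest(totp(secret_b32, unix_time + d * step, step), code)
               for d in range(-window, window + 1))


# RFC 6238 test seed (ASCII "12345678901234567890"), base32-encoded as an app would store it.
RFC6238_SEED_B32 = base64.b32encode(b"12345678901234567890").decode()


def relayed_code_accepted(secret_b32: str, t_victim: int, t_replay: int, window: int = 1) -> bool:
    """Victim types the code into the clone at t_victim; the proxy forwards it to the
    real gateway at t_replay. Only a slow proxy misses the window."""
    return verify_totp(secret_b32, totp(secret_b32, t_victim), t_replay, window)


# --- origin-bound factor (simplified WebAuthn model) -----------------------------------
RP_ORIGIN = "https://intranet-gateway.example.com"          # assumed real gateway origin


def make_assertion(credential_key: bytes, browser_origin: str, challenge: str):
    """What the browser and authenticator return. The browser fills in `origin` with the
    page that called the API, so a clone cannot claim the real origin. HMAC over the
    clientData hash stands in for the real signature over authenticatorData || SHA-256(clientDataJSON)."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": browser_origin}, sort_keys=True
    ).encode()
    sig = hmac.new(credential_key, hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return client_data, sig


def verify_assertion(credential_key: bytes, client_data: bytes, sig: bytes, expected_challenge: str) -> bool:
    """Relying-party check: fresh challenge, origin equals the RP's own, signature valid."""
    parsed = json.loads(client_data)
    if parsed.get("type") != "webauthn.get" or parsed.get("challenge") != expected_challenge:
        return False
    if parsed.get("origin") != RP_ORIGIN:
        return False
    expected = hmac.new(credential_key, hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def phished_assertion_accepted(credential_key: bytes, challenge: str, phishing_origin: str) -> bool:
    """Proxy relays the real gateway's challenge to the victim on the clone page. The victim's
    browser signs it with the clone's origin, and the gateway rejects it."""
    client_data, sig = make_assertion(credential_key, phishing_origin, challenge)
    return verify_assertion(credential_key, client_data, sig, challenge)


if __name__ == "__main__":
    print("TOTP relayed 20 s later accepted:", relayed_code_accepted(RFC6238_SEED_B32, 59, 79))
    key = b"\x11" * 32                                          # assumed per-credential secret
    print("phished WebAuthn assertion accepted:",
          phished_assertion_accepted(key, "n0nc3", "https://intranet-gateway.example.com.evil.test"))
```

The takeaway for an intranet gateway is to treat TOTP and push approvals as phishable and reserve them for low-value paths, and to require an origin-bound factor for anything that reaches source code, dashboards or employee directories.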

Valve waited 15 months to patch high-severity flaw. A hacker pounced

Researchers have unearthed four custom game modes that exploited a critical vulnerability in the popular Dota 2 video game, a vulnerability that remained unpatched in the game for 15 months after a fix had become available.

The vulnerability, tracked as CVE-2021-38003, resided in the open source JavaScript engine from Google known as V8, which is incorporated into Dota 2. Although Google patched the vulnerability in October 2021, Dota 2 developer Valve didn’t update its software to use the patched V8 engine until last month after researchers privately alerted the company that the critical vulnerability was being targeted.

Unclear intentions

A hacker took advantage of the delay by publishing a custom game mode last March that exploited the vulnerability, researchers from security firm Avast said. That same month, the same hacker published three additional game modes that very likely also exploited the vulnerability. Besides patching the vulnerability last month, Valve also removed all four modes.

Microsoft alleges attacks on French magazine came from Iranian-backed group

Microsoft said on Friday that an Iranian nation-state group already sanctioned by the US government was behind an attack last month that targeted the satirical French magazine Charlie Hebdo and thousands of its readers.

The attack came to light on January 4, when a previously unknown group calling itself Holy Souls took to the Internet to claim it had obtained a Charlie Hebdo database that contained personal information for 230,000 of its customers. The post said the database was available for sale at the price of 20 BTC, or roughly $340,000 at the time. The group also released a sample of the data that included the full names, telephone numbers, and home and email addresses of people who had subscribed to, or purchased merchandise from, the publication. French media confirmed the veracity of the leaked data.

The release of the sample put the customers at risk of online targeting or physical violence by extremist groups, which have retaliated against Charlie Hebdo in recent years for its satirical treatment of matters pertaining to the Muslim religion and Islamic countries such as Iran. The retaliation included the 2015 shooting by two French Muslim terrorists and brothers at Charlie Hebdo offices that killed 12 and injured 11 others. To further gin up attention to the breached data, a flurry of fake personas—one falsely claiming to be a Charlie Hebdo editor—took to social media to discuss and publicize the leak.

GitHub says hackers cloned code-signing certificates in breached repository

GitHub said unknown intruders gained unauthorized access to some of its code repositories and stole code-signing certificates for two of its desktop applications: GitHub Desktop and Atom.

A code-signing certificate binds a public key to a named publisher, in this case GitHub; the matching private key produces the signature that lets an operating system or updater verify that a binary came from that publisher and has not been altered since. The stolen files were encrypted and password-protected, so they are only useful to someone who recovers the password. If that happened, the attacker could sign tampered builds of the apps and pass them off as legitimate updates from GitHub. Current versions of Desktop and Atom are unaffected by the theft.

“A set of encrypted code signing certificates were exfiltrated; however, the certificates were password-protected and we have no evidence of malicious use,” the company wrote in an advisory. “As a preventative measure, we will revoke the exposed certificates used for the GitHub Desktop and Atom applications.”

#GermanyRIP. Kremlin-loyal hacktivists wage DDoSes to retaliate for tank aid

Threat actors loyal to the Kremlin have stepped up attacks in support of Russia's invasion of Ukraine, with denial-of-service attacks hitting German banks and other organizations and the unleashing of a new destructive data wiper on Ukraine.

Germany's Federal Office for Information Security (BSI), which monitors cybersecurity in that country, said the attacks caused small outages but ultimately did little damage.

“Currently, some websites are not accessible,” the BSI said in a statement to news agencies. “There are currently no indications of direct effects on the respective service and, according to the BSI's assessment, these are not to be expected if the usual protective measures are taken.”

Hacker group incorporates DNS hijacking into its malicious website campaign

Researchers have uncovered a malicious Android app that can tamper with the wireless router the infected phone is connected to and change its DNS settings, so that every device on the network resolves domain names through attacker-controlled servers and can be steered to malicious sites.

The malicious app, found by Kaspersky, uses a technique known as DNS (Domain Name System) hijacking. Once the app is installed, it connects to the router and attempts to log in to its administrative account by using default or commonly used credentials, such as admin:admin. When successful, the app then changes the DNS server to a malicious one controlled by the attackers. From then on, devices on the network can be directed to imposter sites that mimic legitimate ones but spread malware or log user credentials or other sensitive information.

Capable of spreading widely

“We believe that the discovery of this new DNS changer implementation is very important in terms of security,” Kaspersky researchers wrote. “The attacker can use it to manage all communications from devices using a compromised Wi-Fi router with the rogue DNS settings.”
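A client cannot see the router's admin settings, but it can see what the router hands out over DHCP: option 6 lists the DNS servers every device on the network will trust. Comparing those addresses against the resolvers you expect (the router itself or your ISP's) is a cheap check for exactly the change this app makes. The following added example (not Kaspersky's code or the malware's) parses the option section of a DHCP message per RFC 2131 and flags unexpected resolvers; the DHCPACK packets, the addresses (from the IETF documentation ranges) and the trusted list are all constructed for the example.

```python
import ipaddress
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_PAD, OPT_END = 0, 255
OPT_ROUTER, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID = 3, 6, 53, 54
DHCPACK = 5


def parse_dhcp_options(packet: bytes) -> dict:
    """Return {option_code: value_bytes} from a BOOTP/DHCP message.
    The fixed header is 236 bytes, then the magic cookie, then TLV options."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = opts.get(code, b"") + value   # RFC 3396: a repeated option is concatenated
        i += 2 + length
    return opts


def dns_servers(opts: dict) -> list:
    """Decode option 6 into dotted-quad strings, in the order the server listed them."""
    raw = opts.get(OPT_DNS, b"")
    if len(raw) % 4:
        raise ValueError("option 6 length is not a multiple of 4")
    return [str(ipaddress.IPv4Address(raw[k:k + 4])) for k in range(0, len(raw), 4)]


def rogue_resolvers(servers: list, trusted: list) -> list:
    """Servers that fall outside every trusted network/address."""
    nets = [ipaddress.ip_network(t) for t in trusted]
    return [s for s in servers if not any(ipaddress.ip_address(s) in n for n in nets)]


def build_dhcp_ack(yiaddr: str, router: str, dns_list: list, xid: int = 0x3903F326) -> bytes:
    """Constructed DHCPACK for the example, not a real capture."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, xid, 0, 0,
        bytes(4), ipaddress.IPv4Address(yiaddr).packed, bytes(4), bytes(4),
        bytes(16), bytes(64), bytes(128),
    )
    router_packed = ipaddress.IPv4Address(router).packed
    dns_packed = b"".join(ipaddress.IPv4Address(d).packed for d in dns_list)
    options = (bytes([OPT_MSG_TYPE, 1, DHCPACK])
               + bytes([OPT_SERVER_ID, 4]) + router_packed
               + bytes([OPT_ROUTER, 4]) + router_packed
               + bytes([OPT_DNS, len(dns_packed)]) + dns_packed
               + bytes([OPT_END]))
    return header + DHCP_MAGIC + options


# Constructed samples: a healthy lease, and the same router after a DNS changer has been at it.
TRUSTED_RESOLVERS = ["192.168.1.1/32", "198.51.100.0/24"]   # assumed: the router and the ISP's range
CLEAN_ACK = build_dhcp_ack("192.168.1.23", "192.168.1.1", ["192.168.1.1"])
HIJACKED_ACK = build_dhcp_ack("192.168.1.23", "192.168.1.1", ["203.0.113.10", "203.0.113.11"])

if __name__ == "__main__":
    for label, pkt in (("clean", CLEAN_ACK), ("hijacked", HIJACKED_ACK)):
        servers = dns_servers(parse_dhcp_options(pkt))
        print(label, servers, "rogue:", rogue_resolvers(servers, TRUSTED_RESOLVERS))
```

One caveat: many routers hand out their own address as the DNS server and forward queries upstream, so a changed upstream resolver is invisible in DHCP. In that case compare answers for a few known names between the router and a resolver you trust (for example over DNS-over-HTTPS), and in any case change the admin password away from the factory default, which is the only thing this app needs.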

Authorities dismantle crypto exchange Bitzlato, allege it was cybercrime “haven”

Federal authorities on Wednesday arrested the founder of Bitzlato, a cryptocurrency exchange they said has been a financial haven for Russia-aligned criminals engaged in ransomware and illicit drug sales on the dark web.

Anatoly Legkodymov, a 40-year-old Russian national residing in Shenzhen, China, was arrested on Wednesday in Miami, US prosecutors said. The prosecutors alleged that on Legkodymov’s watch, Bitzlato processed roughly $4.58 billion worth of cryptocurrency transactions and that a “substantial portion of those transactions constitute the proceeds of crime, as well as funds intended for use in criminal transactions.” Bitzlato is known as a virtual asset service provider (VASP).

Ransomware and cybercrime bazaars—no questions asked

The US Justice Department took action in conjunction with the US Treasury Department's Financial Crimes Enforcement Network (FinCEN), which enforces laws prohibiting domestic and international money laundering, terrorist financing, and other financial crimes. A centerpiece of the FinCEN agenda is enforcing sanctions against Russian entities, including ransomware groups affiliated with that country.
