CERT-SE's weekly newsletter, week 36

WEEKLY NEWSLETTER

It has been an eventful week in the field of IT security, both nationally and internationally. Here you will find a mix of news and posts from the past week.

Have a nice weekend!

News this week

Toronto school board confirms students’ info stolen as LockBit claims breach (30 aug) https://therecord.media/toronto-school-district-board-ransomware

Researcher sued for sharing data stolen by ransomware with media (30 aug) https://www.bleepingcomputer.com/news/security/researcher-sued-for-sharing-data-stolen-by-ransomware-with-media/

Check your IP cameras: There’s a new Mirai botnet on the rise (31 aug) https://www.theregister.com/2024/08/31/ip_cameras_mirai_botnet/

Linux version of new Cicada ransomware targets VMware ESXi servers (1 sep) https://www.bleepingcomputer.com/news/security/cicada3301-ransomwares-linux-encryptor-targets-vmware-esxi-systems/

German air traffic control agency confirms cyberattack, says operations unaffected (2 sep) https://therecord.media/german-air-traffic-control-company-deutsche-flugsicherung-cyberattack

Few Swedish companies have a well-thought-out strategy for AI (2 sep) https://computersweden.se/article/3499748/fa-svenska-foretag-har-en-genomtankt-strategi-for-ai.html

Transport for London (TfL) is dealing with an ongoing cyberattack (2 sep) https://securityaffairs.com/167946/hacking/transport-for-london-tfl-ongoing-cyberattack.html

Säkerhetskollen: Warning about crypto fraud (2 sep) https://sakerhetskollen.se/aktuella-brott/varning-for-kryptobedrageri

Ransomware Gangs Pummel Southeast Asia (2 sep) https://www.darkreading.com/cyber-risk/ransomware-gangs-pummel-southeast-asia

Ex-Engineer Charged in Missouri for Failed $750,000 Bitcoin Extortion Attempt (3 sep) https://thehackernews.com/2024/09/ex-engineer-charged-in-missouri-for.html

Oil titan Halliburton confirms data was stolen in cyberattack (3 sep) https://therecord.media/halliburton-confirms-data-stolen-in-incident

The government isn’t ready for cyber chaos in the food and agriculture sector (3 sep) https://therecord.media/government-is-not-ready-for-food-agriculture-cybersecurity-usda

YubiKeys are vulnerable to cloning attacks thanks to newly discovered side channel (3 sep) https://arstechnica.com/security/2024/09/yubikeys-are-vulnerable-to-cloning-attacks-thanks-to-newly-discovered-side-channel/

Clearview AI Faces €30.5M Fine for Building Illegal Facial Recognition Database (4 sep) https://thehackernews.com/2024/09/clearview-ai-faces-305m-fine-for.html

Ängelholm municipality invests in crime prevention work in the digital environment (4 sep) https://www.aktuellsakerhet.se/angelholm-kommun-satsar-pa-brottsforebyggande-arbete-i-den-digitala-miljon/

Cyberattack confirmed by Planned Parenthood of Montana amid RansomHub claims (5 sep) https://www.scmagazine.com/brief/cyberattack-confirmed-by-planned-parenthood-of-montana-amid-ransomhub-claims

Summer and sun: that is when Swedes surf the most (5 sep) https://computersweden.se/article/3505465/sommar-och-sol-da-surfar-svenskarna-som-mest.html

Three Billion Packets Per Second DDoS Attack Stopped (5 sep) https://insight.scmagazineuk.com/three-billion-packets-per-second-ddos-attack-stopped

Elektroskandia hacked: central warehouse in Örebro affected (5 sep) https://www.svt.se/nyheter/lokalt/orebro/elektroskandia-hackade-centrallagret-i-orebro-paverkat

Pavel Durov Criticizes Outdated Laws After Arrest Over Telegram Criminal Activity (6 sep) https://thehackernews.com/2024/09/paul-durov-criticizes-outdated-laws.html

Reports and in-depth articles

State-backed attackers and commercial surveillance vendors repeatedly use the same exploits (29 aug) https://blog.google/threat-analysis-group/state-backed-attackers-and-commercial-surveillance-vendors-repeatedly-use-the-same-exploits/

Dissecting the Cicada (30 aug) https://www.truesec.com/hub/blog/dissecting-the-cicada

Spoofed GlobalProtect Used to Deliver Unique WikiLoader Variant (2 sep) https://unit42.paloaltonetworks.com/global-protect-vpn-spoof-distributes-wikiloader/

CERT-EU Threat Intelligence: Cyber Brief August 2024 (4 sep) https://www.cert.europa.eu/publications/threat-intelligence/cb24-09/

Getting “in tune” with an enterprise: Detecting Intune lateral movement (4 sep) https://securityintelligence.com/x-force/detecting-intune-lateral-movement/

SANS: Enrichment Data – Keeping it Fresh (5 sep) https://isc.sans.edu/diary/Enrichment%20Data%3A%20Keeping%20it%20Fresh/31236

Information security and miscellaneous

Connected Communities Guidance: Zero Trust to Protect Interconnected Systems (29 aug) https://www.cisa.gov/resources-tools/resources/connected-communities-guidance-zero-trust-protect-interconnected-systems

International Sudoku Day, 9 September: No Such Puzzle – Bite-sized Sudoku (31 aug) https://www.nsa.gov/Puzzles/View/Article/3891254/no-such-puzzle-bite-sized-sudoku/

Digital twins: secure design and development (2 sep) https://www.ncsc.gov.uk/blog-post/digital-twins-secure-design-development

Here are Folkhälsomyndigheten's new recommendations on children's screen time (2 sep) https://www.svt.se/nyheter/inrikes/ungas-skarmanvandning-kan-skada-halsan-nu-foreslas-rekommendationer

White House Office of the National Cyber Director Releases Roadmap to Enhance Internet Routing Security (3 sep) https://www.whitehouse.gov/oncd/briefing-room/2024/09/03/press-release-white-house-office-of-the-national-cyber-director-releases-roadmap-to-enhance-internet-routing-security/

Trust in biometrics is growing: one in three Swedes wants to unlock everything with a fingerprint (4 sep) https://www.aktuellsakerhet.se/fortroendet-for-biometri-okar-var-tredje-svensk-vill-lasa-upp-allt-med-fingeravtryck/

CERT-SE this week

Critical vulnerability in Zyxel products (3 sep) https://www.cert.se/2024/09/kritisk-sarbarhet-i-zyxel-produkter.html

CERT-SE's weekly newsletter, week 35

WEEKLY NEWSLETTER

A substantial newsletter with several events from Sweden and abroad in this last week of August. We want to draw attention to the fact that Informationssäkerhet.se has retired after long and faithful service and that the information is now gathered on msb.se. There you will also find MSB's methodology support for systematic information security work.

https://www.msb.se/sv/aktuellt/nyheter/2024/augusti/informationssakerhet.se-har-gatt-i-pension-och-metodstodet-har-ny-webbplats

Have a nice weekend!

News this week

Latvian Hacker Extradited to U.S. for Role in Karakurt Cybercrime Group (23 aug) https://thehackernews.com/2024/08/latvian-hacker-extradited-to-us-for.html

Fewer cyberattacks in Sweden after NATO accession (23 aug) https://sverigesradio.se/artikel/farre-cyberattacker-i-sverige-efter-natointradet

Telegram Founder Pavel Durov Arrested in France for Content Moderation Failures (25 aug) https://thehackernews.com/2024/08/telegram-founder-pavel-durov-arrested.html

Seattle-Tacoma Airport In The Crosshairs Of Hackers (25 aug) https://www.forbes.com/sites/emilsayegh/2024/08/25/seattle-tacoma-airport-in-the-crosshairs-of-hackers/

Cyberattacks against government agencies are becoming more advanced (25 aug) https://sverigesradio.se/artikel/cyberattacker-mot-myndigheter-blir-mer-avancerade

Patelco notifies 726,000 customers of ransomware data breach (26 aug) https://www.bleepingcomputer.com/news/security/patelco-notifies-726-000-customers-of-ransomware-data-breach/

Major outage for Telenor in Göteborg (26 aug) https://www.gp.se/nyheter/goteborg/stor-driftstorning-for-telenor-i-goteborg.371848fd-dd5b-4674-955d-fbda33aa0e97

Liseberg warns customers after an employee's misclick (27 aug) https://www.aftonbladet.se/nyheter/a/GyPjAV/liseberg-varnar-kunder-utsatts-for-dataintrang

Fake emails from CFCS in circulation (27 aug) https://www.cfcs.dk/da/nyheder/2024/falske-mails-fra-cfcs/

BlackSuit ransomware stole data of 950,000 from software vendor (27 aug) https://www.bleepingcomputer.com/news/security/blacksuit-ransomware-stole-data-of-950-000-from-software-vendor/

US Marshals Service disputes ransomware gang’s breach claims (27 aug) https://www.bleepingcomputer.com/news/security/us-marshals-service-disputes-ransomware-gangs-breach-claims/

Intel officials say they anticipate more hacking attempts as US election nears (28 aug) https://therecord.media/intel-officials-anticipate-more-hacking-attempts-us-election-trump-harris

‘Malfunction’ at Dutch defense ministry datacenter causing mass disruption (28 aug) https://therecord.media/netherlands-defense-ministry-data-center-malfunction-outages

Employee arrested for locking Windows admins out of 254 servers in extortion plot (28 aug) https://www.bleepingcomputer.com/news/security/employee-arrested-for-locking-windows-admins-out-of-254-servers-in-extortion-plot/

Data breach at Region Värmland's SMS service provider (28 aug) https://lakartidningen.se/aktuellt/nyheter/2024/08/dataintrang-hos-region-varmlands-leverantor-av-sms-tjanster/

Postnord in Jönköping back to normal after cyberattack (28 aug) https://www.svt.se/nyheter/lokalt/jonkoping/cyberattack-tvingade-postnord-till-isolering

NHS staff mobile numbers revealed in data breach (29 aug) https://www.bbc.com/news/articles/cly3g49pkz4o

Center for Cybersikkerhed is transferred to Ministerium for Samfundssikkerhed og Beredskab (30 aug) https://www.cfcs.dk/da/nyheder/2024/center-for-cybersikkerhed-overfores/

Reports and in-depth articles

Bling Libra’s Tactical Evolution: The Threat Actor Group Behind ShinyHunters Ransomware (23 aug) https://unit42.paloaltonetworks.com/shinyhunters-ransomware-extortion/

PSA: These ‘Microsoft Support’ ploys may just fool you (26 aug) https://www.malwarebytes.com/blog/scams/2024/08/psa-these-microsoft-support-ploys-may-just-fool-you

Linux malware sedexp uses udev rules for persistence and evasion (26 aug) https://securityaffairs.com/167567/malware/linux-malware-sedexp.html

China’s Volt Typhoon Exploits Zero-Day in Versa’s SD-WAN Director Servers (27 aug) https://www.darkreading.com/cyberattacks-data-breaches/china-s-volt-typhoon-actively-exploiting-now-patched-0-day-in-versa-director-servers

Taking the Crossroads: The Versa Director Zero-Day Exploitation (27 aug) https://blog.lumen.com/taking-the-crossroads-the-versa-director-zero-day-exploitation/

Windows Downdate tool lets you ‘unpatch’ Windows systems (27 aug) https://www.bleepingcomputer.com/news/microsoft/windows-downdate-tool-lets-you-unpatch-windows-systems/

Passwords and multi-factor authentication (27 aug) https://www.ncsc.se/aktuellt/losenord-och-flerfaktorsautentisering/

Attack tool update impairs Windows computers (27 aug) https://news.sophos.com/en-us/2024/08/27/burnt-cigar-2/

5 Key Takeaways: Ransomware Attacks on Healthcare, Education, and Public Sector (27 aug) https://www.zscaler.com/blogs/security-research/5-key-takeaways-ransomware-attacks-healthcare-education-and-public-sector

Microsoft Sway abused in massive QR code phishing campaign (27 aug) https://www.bleepingcomputer.com/news/security/microsoft-sway-abused-in-massive-qr-code-phishing-campaign/

Cybercriminals capitalize on travel industry’s peak season (28 aug) https://www.helpnetsecurity.com/2024/08/28/cybercriminals-capitalize-travel-season/

Iran-based Cyber Actors Enabling Ransomware Attacks on US Organizations (28 aug) https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a

Cisco: BlackByte ransomware gang only posting 20% to 30% of successful attacks (28 aug) https://therecord.media/blackbyte-ransomware-group-posting-fraction-of-leaks
https://blog.talosintelligence.com/blackbyte-blends-tried-and-true-tradecraft-with-newly-disclosed-vulnerabilities-to-support-ongoing-attacks/

Peach Sandstorm deploys new custom Tickler malware in long-running intelligence gathering operations (28 aug) https://www.microsoft.com/en-us/security/blog/2024/08/28/peach-sandstorm-deploys-new-custom-tickler-malware-in-long-running-intelligence-gathering-operations/

When Get-Out-The-Vote Efforts Look Like Phishing (28 aug) https://krebsonsecurity.com/2024/08/when-get-out-the-vote-efforts-look-like-phishing/

Deep Analysis of Snake Keylogger’s New Variant (28 aug) https://www.fortinet.com/blog/threat-research/deep-analysis-of-snake-keylogger-new-variant

State-backed attackers and commercial surveillance vendors repeatedly use the same exploits (29 aug) https://blog.google/threat-analysis-group/state-backed-attackers-and-commercial-surveillance-vendors-repeatedly-use-the-same-exploits/

#StopRansomware: RansomHub Ransomware (29 aug) https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-242a

Gartner: AI increasingly used in cyberattacks (29 aug) https://computersweden.se/article/3498239/gartner-allt-vanligare-att-ai-anvands-vid-cyberattacker.html

Silent Intrusions: Godzilla Fileless Backdoors Targeting Atlassian Confluence (30 aug) https://www.trendmicro.com/en_se/research/24/h/godzilla-fileless-backdoors.html

Information security and miscellaneous

Cyberungdom – Cyberlov https://www.fro.se/education/cyberungdom-cyberlov/

NSA releases copy of internal lecture delivered by computing giant Rear Adm. Grace Hopper (26 aug) https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3884041/nsa-releases-copy-of-internal-lecture-delivered-by-computing-giant-rear-adm-gra/

What do we do if an undersea cable is blown up? Can space save the internet then? (26 aug) https://computersweden.se/article/3491918/vad-gor-vi-om-en-undervattenskabel-sprangs-kan-rymden-radda-internet-da.html

The European Parliament is reported for a GDPR violation (26 aug) https://computersweden.se/article/3496027/eu-parlamentet-anmals-for-brott-mot-gdpr.html

US companies critical of government proposal on cybersecurity (26 aug) https://www.securityworldmarket.com/se/Nyheter/Foretagsnyheter/amerikanska-foretag-starkt-kritiska-till-regeringsforslag-om-cybersakerhet

How a Scottish university’s £2.5 million ‘telescope’ will tackle space debris and cyberattacks (28 aug) https://www.scotsman.com/business/how-a-scottish-universitys-ps25-million-telescope-will-tackle-space-debris-and-cyberattacks-4757160

One of Europe's most powerful AI computers to be built in Falun: an investment of eight billion kronor (28 aug) https://www.svt.se/nyheter/lokalt/dalarna/europas-kraftfullaste-ai-dator-byggs-i-falun-investering-pa-atta-miljarder-kronor

Google Now Offering Up to $250,000 for Chrome Vulnerabilities (28 aug) https://www.securityweek.com/google-now-offering-up-to-250000-for-chrome-vulnerabilities/

Säpo: Increased risk of Russian sabotage on Swedish soil (29 aug) https://www.svt.se/nyheter/inrikes/sapo-okad-risk-for-ryskt-sabotage-pa-svensk-mark

Informationssäkerhet.se has retired and the methodology support has a new website (29 aug) https://www.msb.se/sv/aktuellt/nyheter/2024/augusti/informationssakerhet.se-har-gatt-i-pension-och-metodstodet-har-ny-webbplats/

CERT-SE's weekly newsletter, week 34

WEEKLY NEWSLETTER

This week we offer reading on everything from phishing via file-sharing tools to night-time extortion attacks and how best to detect malicious DNS traffic. CERT-SE wishes you a nice weekend!

News this week

Planning for mandatory multifactor authentication for Azure and other administration portals (15 aug) https://learn.microsoft.com/en-us/entra/identity/authentication/concept-mandatory-multifactor-authentication

Serious flaws in Microsoft apps on macOS could let hackers spy on users (19 aug) https://www.itpro.com/security/serious-flaws-in-microsoft-apps-on-macos-could-let-hackers-spy-on-users

Cybercriminals Exploit Popular Software Searches to Spread FakeBat Malware (19 aug) https://thehackernews.com/2024/08/cybercriminals-exploit-popular-software.html

National Public Data Says Breach Impacts 1.3 Million People (19 aug) https://www.securityweek.com/national-public-data-says-breach-impacts-1-3-million-people

FBI and CISA Assure Public on Election Ransomware Security (19 aug) https://www.infosecurity-magazine.com/news/cisa-assure-public-election

Microsoft has a solution to prevent the next CrowdStrike fiasco. But is it a good solution? (20 aug) https://computersweden.se/article/3488305/microsoft-har-en-losning-for-att-forhindra-nasta-crowdstrike-fiasko-men-ar-det-en-bra-losning.html

Most Ransomware Attacks Occur When Security Staff Are Asleep, Study Finds (20 aug) https://www.techrepublic.com/article/ransomware-trends-malwarebytes

Abnormal sees 350% uptick in phishing via file-sharing sites (20 aug) https://securitybrief.co.nz/story/abnormal-sees-350-uptick-in-phishing-via-file-sharing-sites

City council faces £216.5M loss over Oracle system debacle (20 aug) https://www.theregister.com/2024/08/20/birmingham_oracle_cost

Helsinki braced for elevated cyber attacks (20 aug) https://www.computerweekly.com/news/366605792/Helsinki-braced-for-elevated-cyber-attacks

Granngården demands damages from Tietoevry: lost 100 million on the IT attack (21 aug) https://computersweden.se/article/3489598/granngarden-kraver-tietoevry-pa-skadestand-forlorade-100-miljoner-pa-it-attacken.html

Top US oilfield firm Halliburton hit by cyberattack, source says (21 aug) https://www.reuters.com/technology/cybersecurity/top-us-oilfield-firm-halliburton-hit-by-cyberattack-2024-08-21

Hackers steal banking creds from iOS, Android users via PWA apps (21 aug) https://www.bleepingcomputer.com/news/security/hackers-steal-banking-creds-from-ios-android-users-via-pwa-apps

FAA proposes new cybersecurity rules for airplanes (21 aug) https://therecord.media/faa-new-cybersecurity-rules-airplanes

Cyberattack Disrupts Microchip Technology Manufacturing Facilities (21 aug) https://www.securityweek.com/cyberattack-disrupts-microchip-technology-manufacturing-facilities

Average DDoS attack costs $6,000 per minute (21 aug) https://www.helpnetsecurity.com/2024/08/21/ddos-attacks-duration-surge

Cisco calls for United Nations to revisit cyber crime Convention (22 aug) https://www.theregister.com/2024/08/22/cisco_criticizes_un_cybercrime_convention

This uni thought it would be a good idea to do a phishing test with a fake Ebola scare (22 aug) https://www.theregister.com/2024/08/22/ucsc_phishing_test_ebola

Fewer cyberattacks in Sweden after NATO accession (23 aug) https://sverigesradio.se/artikel/farre-cyberattacker-i-sverige-efter-natointradet

Reports and analyses

Don’t get Mad, get wise (13 aug) https://news.sophos.com/en-us/2024/08/13/dont-get-mad-get-wise

Leaked Environment Variables Allow Large-Scale Extortion Operation of Cloud Environments (15 aug) https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation

Unmasking Styx Stealer: How a Hacker’s Slip Led to an Intelligence Treasure Trove (16 aug) https://research.checkpoint.com/2024/unmasking-styx-stealer-how-a-hackers-slip-led-to-an-intelligence-treasure-trove

Surge in Software Supply Chain Attacks Demands Heightened Third-Party Vigilance (20 aug) https://cyble.com/blog/surge-in-software-supply-chain-attacks-heightens-third-party-vigilance

ASD’s ACSC, CISA, FBI, and NSA, with the support of International Partners Release Best Practices for Event Logging and Threat Detection (21 aug) https://www.cisa.gov/news-events/alerts/2024/08/21/asds-acsc-cisa-fbi-and-nsa-support-international-partners-release-best-practices-event-logging-and

Threat Spotlight: How ransomware for rent rules the threat landscape (21 aug) https://blog.barracuda.com/2024/08/21/threat-spotlight-ransomware-rent-threat-landscape

Autoencoder Is All You Need: Profiling and Detecting Malicious DNS Traffic (21 aug) https://unit42.paloaltonetworks.com/profiling-detecting-malicious-dns-traffic

Ransomware Landscape H1/2024 (22 aug) https://labs.withsecure.com/publications/ransomware-landscape-h1-2024

Information security and miscellaneous

Warning about new phishing campaigns (16 aug) https://sakerhetskollen.se/aktuella-brott/varning-for-nya-natfiskekampanjer

New secretariat at CFCS to help organisations transition to quantum-safe cryptography (19 aug) https://www.cfcs.dk/da/nyheder/2024/nyt-sekretariat-i-cfcs

Warning about scam emails (22 aug) https://www.skatteverket.se/omoss/pressochmedia/nyheter/2024/nyheter/varningforbluffmejl.5.5dc1d8b31903014b1bf400a.html

CERT-SE this week

Critical vulnerability in SolarWinds Web Help Desk (15 aug) https://www.cert.se/2024/08/kritisk-sarbarhet-i-solarwinds-web-help-desk.html

Another critical vulnerability in SolarWinds Web Help Desk (22 aug) https://www.cert.se/2024/08/ytterligare-en-kritisk-sarbarhet-i-solarwinds-web-help-desk.html

CERT-SE's weekly newsletter, week 33

WEEKLY NEWSLETTER

It has been Patch Tuesday, and CERT-SE has highlighted vulnerabilities in a number of articles on our website this week. For many, this is the first week back from holiday, and if you ask us, a review of potentially vulnerable systems in your own IT environment is a good way to kick-start the autumn term.

We at CERT-SE wish you a nice weekend!

News this week

Problems for e-newspapers (10 aug) https://www.aftonbladet.se/nyheter/a/Rr77qd/aftonbladet-direkt?pinnedEntry=1283967

Hackers leak 2.7 billion data records with Social Security numbers (11 aug) https://www.bleepingcomputer.com/news/security/hackers-leak-27-billion-data-records-with-social-security-numbers/

Kivra was down for several hours (13 aug) https://www.tv4.se/artikel/4FhWsNmcz0UUoS1Ygu7UXO/tekniska-problem-foer-kivra

Dispossessor ransomware group shut down by US, European authorities (13 aug) https://www.reuters.com/technology/cybersecurity/dispossessor-ransomware-group-shut-down-by-us-european-authorities-2024-08-13/

Elon Musk claims live Trump interview on X derailed by DDoS (13 aug) https://www.theregister.com/2024/08/13/trump_musk_livestream_ddos_delay/

Ukraine Warns of New Phishing Campaign Targeting Government Computers (13 aug) https://thehackernews.com/2024/08/ukraine-warns-of-new-phishing-campaign.html

‘Prolific’ malvertising scammer arrested and extradited to US to face charges (13 aug) https://therecord.media/prolific-scammer-arrested-extradited-us

Google says Iranian efforts to hack US presidential campaigns are ongoing and wide-ranging (14 aug) https://edition.cnn.com/2024/08/14/politics/google-iran-hacking-presidential-election/index.html

Reports and in-depth articles

Unit42 – Ransomware Review: First Half of 2024 (9 aug) https://unit42.paloaltonetworks.com/unit-42-ransomware-leak-site-data-analysis/

New AMD SinkClose flaw helps install nearly undetectable malware (9 aug) https://www.bleepingcomputer.com/news/security/new-amd-sinkclose-flaw-helps-install-nearly-undetectable-malware/

How Phishing Attacks Adapt Quickly to Capitalize on Current Events (12 aug) https://thehackernews.com/2024/08/how-phishing-attacks-adapt-quickly-to.html

Server-Side Template Injection: Transforming Web Applications from Assets to Liabilities (12 aug) https://research.checkpoint.com/2024/server-side-template-injection-transforming-web-applications-from-assets-to-liabilities/

ArtiPACKED: Hacking Giants Through a Race Condition in GitHub Actions Artifacts (13 aug) https://unit42.paloaltonetworks.com/github-repo-artifacts-leak-tokens/

GhostWrite: New T-Head CPU Bugs Expose Devices to Unrestricted Attacks (13 aug) https://thehackernews.com/2024/08/ghostwrite-new-t-head-cpu-bugs-expose.html

Compromising Microsoft’s AI Healthcare Chatbot Service (13 aug) https://www.tenable.com/blog/compromising-microsofts-ai-healthcare-chatbot-service

DDoS Attacks Surge 46% in First Half of 2024, Gcore Report Reveals (14 aug) https://thehackernews.com/2024/08/ddos-attacks-surge-46-in-first-half-of.html

Ransomware attackers introduce new EDR killer to their arsenal (14 aug) https://news.sophos.com/en-us/2024/08/14/edr-kill-shifter/

Rivers of Phish – Sophisticated Phishing Targets Russia’s Perceived Enemies Around the Globe (14 aug) https://citizenlab.ca/2024/08/sophisticated-phishing-targets-russias-perceived-enemies-around-the-globe/

Cyclops: a likely replacement for BellaCiao (14 aug) https://harfanglab.io/insidethelab/cyclops-replacement-bellaciao/

Dragos Industrial Ransomware Analysis: Q2 2024 (14 aug) https://www.dragos.com/blog/dragos-industrial-ransomware-analysis-q2-2024/

Ransomware gangs rake in more than $450 million in first half of 2024 (15 aug) https://therecord.media/ransomware-gangs-set-record-for-money-extorted

Information security and miscellaneous

As he retires after two decades at Homeland Security, Brandon Wales reflects on CISA’s future (12 aug) https://therecord.media/retires-dhs-brandon-wales-cisa-future

92 percent of all IT jobs are being changed by AI (13 aug) https://computersweden.se/article/3485997/92-procent-av-alla-it-jobb-forandras-av-ai.html

NIST Releases First 3 Finalized Post-Quantum Encryption Standards (13 aug) https://www.nist.gov/news-events/news/2024/08/nist-releases-first-3-finalized-post-quantum-encryption-standards

MIT releases comprehensive database of AI risks (14 aug) https://venturebeat.com/ai/mit-releases-comprehensive-database-of-ai-risks/
https://airisk.mit.edu/

CERT-SE this week

Critical vulnerability in Jenkins (12 aug) https://www.cert.se/2024/08/kritisk-sarbarhet-i-jenkins.html

Microsoft's monthly security updates for August 2024 (14 aug) https://www.cert.se/2024/08/microsofts-manatliga-sakerhetsuppdateringar-for-augisti-2024.html

SAP's monthly security updates for August 2024 https://www.cert.se/2024/08/saps-manatliga-sakerhetsuppdateringar-for-augusti-2024.html

Critical vulnerabilities in products from Ivanti (14 aug) https://www.cert.se/2024/08/kritiska-sarbarheter-i-produkter-fran-ivanti.html

Critical vulnerability in Apache HTTP Server (15 aug) https://www.cert.se/2024/08/kritisk-sarbarhet-i-apache-http-server.html

Serious vulnerabilities in Zimbra Collaboration Suite (15 aug) https://www.cert.se/2024/08/allvarliga-sarbarheter-i-zimbra-collaboration-suite.html

Critical vulnerability in SolarWinds Web Help Desk (15 aug) https://www.cert.se/2024/08/kritisk-sarbarhet-i-solarwinds-web-help-desk.html

Adobe's monthly security updates for August 2024 (15 aug) https://www.cert.se/2024/08/adobes-manatliga-sakerhetsuppdateringar-for-augisti-2024.html

CERT-SE's weekly newsletter, week 32

WEEKLY NEWSLETTER

This week Black Hat has taken place in Las Vegas, but we also want to promote the girls' weekend with a cybersecurity theme that Frivilliga Radioorganisationen is organising in Linköping on 20-22 September. More information and a link for registration can be found below. Otherwise, mixed news for the week. Have a nice weekend!

News this week

Linux kernel impacted by new SLUBStick cross-cache attack (3 aug) https://www.bleepingcomputer.com/news/security/linux-kernel-impacted-by-new-slubstick-cross-cache-attack/

Surge in Magniber ransomware attacks impact home users worldwide (4 aug) https://www.bleepingcomputer.com/news/security/surge-in-magniber-ransomware-attacks-impact-home-users-worldwide/amp/

Olympic venue among 40 museums hit by ransomware attack: French police source (5 aug) https://www.digitaljournal.com/world/olympic-venue-among-40-museums-hit-by-ransomware-attack-french-police-source/article

Microsoft Azure outage takes down services across North America (5 aug) https://www.bleepingcomputer.com/news/microsoft/microsoft-azure-outage-takes-down-services-across-north-america/

Ransomware gang targets IT workers with new SharpRhino malware (5 aug) https://www.bleepingcomputer.com/news/security/hunters-international-ransomware-gang-targets-it-workers-with-new-sharprhino-malware/

New LianSpy malware hides by blocking Android security feature (5 aug) https://www.bleepingcomputer.com/news/security/new-lianspy-malware-hides-by-blocking-android-security-feature/

Cyberattack Wipes 13,000 School Devices in Mobile Guardian Breach (6 aug) https://hackread.com/cyberattack-wipes-school-devices-mobile-guardian-breach/

Microsoft 365 anti-phishing feature can be bypassed with CSS (7 aug) https://www.bleepingcomputer.com/news/security/microsoft-365-anti-phishing-feature-can-be-bypassed-with-css/

Number of incidents affecting GitHub, Bitbucket, GitLab, and Jira continues to rise (7 aug) https://www.helpnetsecurity.com/2024/08/07/github-bitbucket-gitlab-jira-incidents/

Windows Update downgrade attack “unpatches” fully-updated systems (7 aug) https://www.bleepingcomputer.com/news/microsoft/windows-update-downgrade-attack-unpatches-fully-updated-systems/

Las Vegas police issues cyber advisory with cybersecurity, hacker conventions in town (8 aug) https://www.fox5vegas.com/2024/08/08/las-vegas-police-issues-cyber-advisory-with-cybersecurity-hacker-conventions-town/

0.0.0.0 Day: 18-Year-Old Browser Vulnerability Impacts MacOS and Linux Devices (8 aug) https://thehackernews.com/2024/08/0000-day-18-year-old-browser.html

Exclusive: Russian spies hacked UK government systems earlier this year, stole data and emails (8 aug) https://therecord.media/russia-hack-uk-government-home-office-microsoft

Reports and in-depth articles

Email attacks skyrocket 293% (6 aug) https://www.helpnetsecurity.com/2024/08/06/email-attacks-h1-2024/

External Technical Root Cause Analysis — Channel File 291 (6 aug) https://www.crowdstrike.com/wp-content/uploads/2024/08/Channel-File-291-Incident-Root-Cause-Analysis-08.06.2024.pdf

Dismantling Smart App Control (6 aug) https://www.elastic.co/security-labs/dismantling-smart-app-control

#StopRansomware: Blacksuit (Royal) Ransomware (7 aug) https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-061a

Malware-as-a-Service and Ransomware-as-a-Service lower barriers for cybercriminals (9 aug) https://www.helpnetsecurity.com/2024/08/09/maas-threat-landscape/

Information security and miscellaneous

Sam Altman accused of being shady about OpenAI’s safety efforts (2 aug) https://arstechnica.com/tech-policy/2024/08/sam-altman-accused-of-being-shady-about-openais-safety-efforts/

Introducing Active Cyber Defence 2.0 (2 aug) https://www.ncsc.gov.uk/blog-post/introducing-active-cyber-defence-2

Windows Smart App Control, SmartScreen bypass exploited since 2018 (5 aug) https://www.bleepingcomputer.com/news/microsoft/windows-smart-app-control-smartscreen-bypass-exploited-since-2018/

INTERPOL Recovers $41 Million in Largest Ever BEC Scam in Singapore (6 aug) https://thehackernews.com/2024/08/interpol-recovers-41-million-in-largest.html

CISA Releases Secure by Demand Guidance (6 aug) https://www.cisa.gov/news-events/alerts/2024/08/06/cisa-releases-secure-demand-guidance

Royal ransomware successor BlackSuit has demanded more than $500 million (7 aug) https://therecord.media/royal-ransomware-blacksuit-half-billion

Best Practices for Cisco Device Configuration (8 aug) https://www.cisa.gov/news-events/alerts/2024/08/08/best-practices-cisco-device-configuration

Secure by Demand Guide: How Software Customers Can Drive a Secure Technology Ecosystem https://www.cisa.gov/resources-tools/resources/secure-demand-guide

Girls' weekend with FRO: Discover cybersecurity https://linkopingsciencepark.se/event/tjejhelg-med-fro-upptack-cybersakerhet/

CERT-SE this week

Vulnerabilities in Roundcube (6 aug) https://www.cert.se/2024/08/sarbarheter-i-roundcube.html

CERT-SE:s veckobrev v.31

VECKOBREV

Vi kliver in i augusti med ett matigt och varierat nyhetssvep med djupdykningar i skadlig kod och angreppsmetoder, kritiska säkerhetshål och cybersäkerhetshändelser från världen över.

Trevlig helg önskar CERT-SE!

Nyheter i veckan

Acronis warns of Cyber Infrastructure default password abused in attacks (26 jul) https://www.bleepingcomputer.com/news/security/acronis-warns-of-cyber-infrastructure-default-password-abused-in-attacks/

French Internet Lines Cut in Latest Attack During Olympics (28 jul) https://www.bnnbloomberg.ca/business/company-news/2024/07/29/french-internet-cables-severed-in-latest-attack-during-olympics/

French authorities launch disinfection operation to eradicate PlugX malware from infected hosts (28 jul) https://securityaffairs.com/166213/cyber-crime/plugx-malware-disinfection-operation.html

ServiceNow Critical RCE Bugs Under Active Exploit (29 jul) https://www.darkreading.com/cloud-security/patchnow-servicenow-critical-rce-bugs-active-exploit

Transportstyrelsen warns of fake emails (29 jul) https://sakerhetskollen.se/aktuella-brott/transportstyrelsen-varnar-for-falska-mejl

Intruders at HealthEquity rifled through storage, stole 4.3M people’s data (29 jul) https://www.theregister.com/2024/07/29/healthequity_says_data_breach_affects/

Proofpoint Email Routing Flaw Exploited to Send Millions of Spoofed Phishing Emails (29 jul) https://thehackernews.com/2024/07/proofpoint-email-routing-flaw-exploited.html .. https://labs.guard.io/echospoofing-a-massive-phishing-campaign-exploiting-proofpoints-email-protection-to-dispatch-3dd6b5417db6

New Jersey City University hacked by ransomware group demanding $700K (29 jul) https://www.nj.com/hudson/2024/07/new-jersey-city-university-hacked-by-ransomware-group-demanding-700k.html

Microsoft 365 users targeted by phishers abusing Microsoft Forms (29 jul) https://www.helpnetsecurity.com/2024/07/29/microsoft-365-phishing-forms/

Attackers (Crowd)Strike with Infostealer Malware (29 jul) https://perception-point.io/blog/attackers-crowdstrike-with-infostealer-malware/

Dark Angels ransomware receives record-breaking $75 million ransom (30 jul) https://www.bleepingcomputer.com/news/security/dark-angels-ransomware-receives-record-breaking-75-million-ransom/

Microsoft: Latest outage was sparked by cyber attack on Azure platform (30 jul) https://www.standard.co.uk/business/business-news/microsoft-latest-outage-was-sparked-by-cyber-attack-on-azure-platform-b1173933.html .. https://www.bleepingcomputer.com/news/microsoft/microsoft-365-and-azure-outage-takes-down-multiple-services/

New SideWinder Cyber Attacks Target Maritime Facilities in Multiple Countries (30 jul) https://thehackernews.com/2024/07/new-sidewinder-cyber-attacks-target.html

Ransomware attack on major US blood center prompts hundreds of hospitals to implement shortage protocols (31 jul) https://therecord.media/ransomware-attack-blood-center-shortage-protocols-hospitals .. https://www.securityweek.com/ransomware-attack-hits-oneblood-blood-bank-disrupts-medical-operations/

Exploited Vulnerability Could Impact 20k Internet-Exposed VMware ESXi Instances (1 aug) https://www.securityweek.com/exploited-vulnerability-could-impact-20k-internet-exposed-vmware-esxi-instances/ .. https://thehackernews.com/2024/07/vmware-esxi-flaw-exploited-by.html

Over 1 Million Domains at Risk of ‘Sitting Ducks’ Domain Hijacking Technique (1 aug) https://thehackernews.com/2024/08/over-1-million-domains-at-risk-of.html?m=1

StackExchange abused to spread malicious PyPi packages as answers (1 aug) https://www.bleepingcomputer.com/news/security/stackexchange-abused-to-spread-malicious-pypi-packages-as-answers/

FBI warns of scammers posing as crypto exchange employees (1 aug) https://www.bleepingcomputer.com/news/security/fbi-warns-of-scammers-posing-as-crypto-exchange-employees/

ICO reprimands UK Electoral Commission over cyberattack that left voter data exposed (1 aug) https://www.techradar.com/pro/ico-reprimands-uk-electoral-commission-over-cyberattack-that-left-voter-data-exposed

Columbus investigating potential data leak after ransomware attack (1 aug) https://therecord.media/columbus-investigating-data-leak-ransomware-attack

Over 300 Indian banks suffer payment disruption from ransomware attack (1 aug) https://www.csoonline.com/article/3480250/over-300-indian-banks-suffer-payment-disruption-from-ransomware-attack.html

Acadian Ambulance Services Leaks Protected Health Information After Cyber Attack (1 aug) https://www.cpomagazine.com/cyber-security/acadian-ambulance-services-leaks-protected-health-information-after-cyber-attack/

NCA shuts down major fraud platform responsible for 1.8 million scam calls (1 aug) https://www.nationalcrimeagency.gov.uk/news/nca-shuts-down-major-fraud-platform-responsible-for-1-8-million-scam-calls

Reports and in-depth analyses

Annual report 2023: Latvian Cybersecurity and CERT.LV Technical Activities (26 jul) https://cert.lv/en/2024/07/latvian-cybersecurity-and-cert-lv-technical-activities-annual-report-2023

Guidance: CIS Critical Security Controls 8.1 (27 jul) https://cstromblad.com/posts/cis81-vagledning-introduktion/

WhatsApp for Windows lets Python, PHP scripts execute with no warning (27 jul) https://www.bleepingcomputer.com/news/security/whatsapp-for-windows-lets-python-php-scripts-execute-with-no-warning/

“Cyber weather” for June from the Finnish National Cyber Security Centre (29 jul) https://www.kyberturvallisuuskeskus.fi/en/ajankohtaista/kybersaa_06/2024

UNC4393 Goes Gently into the SILENTNIGHT (29 jul) https://cloud.google.com/blog/topics/threat-intelligence/unc4393-goes-gently-into-silentnight

Over 1 Million websites are at risk of sensitive information leakage – XSS is dead. Long live XSS (29 jul) https://salt.security/blog/over-1-million-websites-are-at-risk-of-sensitive-information-leakage—xss-is-dead-long-live-xss .. https://hackread.com/xss-oauth-threatens-millions-hotjar-flaw/

Phishing targeting Polish SMBs continues via ModiLoader (30 jul) https://www.welivesecurity.com/en/eset-research/phishing-targeting-polish-smbs-continues-modiloader/

OneDrive Phishing Scam Tricks Users into Running Malicious PowerShell Script (30 jul) https://thehackernews.com/2024/07/onedrive-phishing-scam-tricks-users.html

Five months after takedown, LockBit is a shadow of its former self (31 jul) https://www.theregister.com/2024/07/31/five_months_after_lockbit/

New PyPI Package Zlibxjson Steals Discord, Browser Data (31 jul) https://www.infosecurity-magazine.com/news/pypi-package-steals-discord/

Research update: Threat Actors Behind the DEV#POPPER Campaign Have Retooled and are Continuing to Target Software Developers via Social Engineering (31 jul) https://www.securonix.com/blog/research-update-threat-actors-behind-the-devpopper-campaign-have-retooled-and-are-continuing-to-target-software-developers-via-social-engineering/

There is no real fix to the security issues recently found in GitHub and other similar software (1 aug) https://blog.talosintelligence.com/threat-source-newsletter-aug-1-2024/

IBM: Data breaches are costing UK companies millions every time (1 aug) https://www.techradar.com/pro/data-breaches-are-costing-uk-companies-millions-every-time .. https://computersweden.se/article/3479480/kostnaden-for-dataintrang-bara-stiger-storsta-okningen-sedan-pandemin.html

BfV CYBER INSIGHT – The i-Soon-Leaks: Industrialization of Cyber Espionage https://www.verfassungsschutz.de/SharedDocs/kurzmeldungen/EN/2024/2024-08-01-bfv-cybersecurity-insight-part-1.html

Information security and miscellaneous

Google apologizes for breaking password manager for millions of Windows users with iffy Chrome update (29 jul) https://www.theregister.com/2024/07/29/google_password_manager_outage/

Tech Orgs Feel ‘Abandoned’ as UN Finalizes Cybercrime Treaty (29 jul) https://www.govinfosecurity.com/tech-orgs-feel-abandoned-as-un-finalizes-cybercrime-treaty-a-25875

United Nations: Hundreds of thousands forced to scam in Southeast Asia (30 aug) https://www.bbc.com/news/world-asia-66655047

CISA and FBI: DDoS attacks won’t impact US election integrity (31 jul) https://www.bleepingcomputer.com/news/security/cisa-and-fbi-ddos-attacks-wont-impact-us-election-integrity/

Argentina will use AI to ‘predict future crimes’ but experts worry for citizens’ rights (2 aug) https://www.theguardian.com/world/article/2024/aug/01/argentina-ai-predicting-future-crimes-citizen-rights

50 years ago, CP/M started the microcomputer revolution (2 aug) https://www.theregister.com/2024/08/02/cpm_50th_anniversary/ .. https://computerhistory.org/blog/fifty-years-of-the-personal-computer-operating-system/

CERT-SE this week

Critical vulnerabilities in IBM products (2 aug) https://www.cert.se/2024/08/kritiska-sarbarheter-i-ibm-produkter.html

Dell fixes critical vulnerability (31 jul) https://www.cert.se/2024/07/dell-atgardar-en-kritisk-sarbarhet.html

Critical vulnerability in GeoServer (30 jul) https://www.cert.se/2024/07/kritisk-sarbarhet-i-geoserver.html

Vulnerability in VMware ESXi hypervisor actively exploited (30 jul) https://www.cert.se/2024/07/sarbarhet-i-vmware-esxi-utnyttjas-aktivt.html

Critical vulnerabilities in ServiceNow (30 jul) https://www.cert.se/2024/07/kritiska-sarbarheter-i-servicenow.html

CERT-SE's weekly newsletter, week 30

WEEKLY NEWSLETTER

In the aftermath of the CrowdStrike disruptions, the company has published a report on what happened. It has also been noted how attackers have exploited the incident to spread malware and for phishing.

This week CERT-SE has published articles on vulnerabilities in products from HPE, SolarWinds ARM and Ivanti Endpoint Manager.

News this week

Greece’s Land Registry agency breached in wave of 400 cyberattacks (22 jul) https://www.bleepingcomputer.com/news/security/greeces-land-registry-agency-breached-in-wave-of-400-cyberattacks/

US sanctions Russian hacktivists who breached water facilities (22 jul) https://www.bleepingcomputer.com/news/security/us-sanctions-russian-hacktivists-who-breached-water-facilities/

Telegram Zero-Day Vulnerability Exploited Using Malicious Video Files (23 jul) https://cybersecuritynews.com/telegram-zero-day-vulnerability-exploited/

Novel ICS Malware Sabotaged Water-Heating Services in Ukraine (23 jul) https://www.darkreading.com/ics-ot-security/novel-ics-malware-sabotaged-water-heating-services-in-ukraine

Hackers threaten to leak policyholders' data (23 jul) https://sverigesradio.se/artikel/hackare-hotar-sprida-forsakringstagares-uppgifter

Spyware fears mount after another MEP is targeted (25 jul) https://www.politico.eu/newsletter/brussels-playbook/orban-critic-mep-targeted-with-spyware/

Disruptions in the CrowdStrike platform

CrowdStrike IT outage affected 8.5 million Windows devices, Microsoft says (20 jul) https://www.bbc.com/news/articles/cpe3zgznwjno

Slow recovery from IT outage begins as experts warn of future risks (20 jul) https://www.theguardian.com/australia-news/article/2024/jul/19/microsoft-windows-pcs-outage-blue-screen-of-death

Cybercriminals Exploit CrowdStrike Update Mishap to Distribute Remcos RAT Malware (20 jul) https://thehackernews.com/2024/07/cybercriminals-exploit-crowdstrike.html

Threat Actor Uses Fake CrowdStrike Recovery Manual to Deliver Unidentified Stealer (22 jul) https://www.crowdstrike.com/blog/fake-recovery-manual-used-to-deliver-unidentified-stealer/

Learning from the Recent Windows/Falcon Sensor Outage – Causes and Potential Improvement Strategies in Linux with Open Source (22 jul) https://www.circl.lu/pub/learning-from-falcon-sensor-outage/

Preliminary Post Incident Review (24 jul) https://www.crowdstrike.com/blog/falcon-content-update-preliminary-post-incident-report/

Reports and analyses

Mandiant: North Korean Hackers Targeting Healthcare, Energy (25 jul) https://www.govinfosecurity.com/mandiant-north-korean-hackers-targeting-healthcare-energy-a-25845

IR Trends: Ransomware on the rise, while technology becomes most targeted sector (25 jul) https://blog.talosintelligence.com/ir-trends-ransomware-on-the-rise-q2-2024/

Secure Boot is completely broken on 200+ models from 5 big device makers (25 jul) https://arstechnica.com/security/2024/07/secure-boot-is-completely-compromised-on-200-models-from-5-big-device-makers/

Internet Organised Crime Threat Assessment (IOCTA) 2024 (26 jul) https://www.europol.europa.eu/publication-events/main-reports/internet-organised-crime-threat-assessment-iocta-2024

Information security and miscellaneous

NCA infiltrates DDoS-for-hire site as suspected controller arrested in Northern Ireland (22 jul) https://therecord.media/ddos-for-hire-site-digitalstress-takedown-arrest-uk-nca

Municipalities affected as Lantmäteriet shuts down its digital services after the suspected defence leak (23 jul) https://www.svt.se/nyheter/lokalt/sormland/kommuner-drabbas-nar-lantmateriet-stangt-sina-digitala-tjanster-efter-misstankta-forsvarslackan

Women in IT Security Lack Opportunities, Not Talent (23 jul) https://www.itprotoday.com/it-security/women-in-it-security-lack-opportunities-not-talent

How a North Korean Fake IT Worker Tried to Infiltrate Us (23 jul) https://blog.knowbe4.com/how-a-north-korean-fake-it-worker-tried-to-infiltrate-us

FYI: Data from deleted GitHub repos may not actually be deleted (25 jul) https://www.theregister.com/2024/07/25/data_from_deleted_github_repos/

CERT-SE this week

Critical vulnerability in Ivanti Endpoint Manager for Mobile (22 jul) https://www.cert.se/2024/07/kritisk-sarbarhet-i-ivanti-endpoint-manager-for-mobile.html

Critical vulnerabilities in Solarwinds ARM (22 jul) https://www.cert.se/2024/07/kritiska-sarbarheter-i-solarwinds-arm.html

Critical vulnerability in Citrix Netscaler ADC and Netscaler Gateway (updated) (23 jul) https://www.cert.se/2024/01/kritisk-sarbarhet-i-citrix-netscaler-adc-och-netscaler-gateway.html

Critical vulnerability affects several HPE products (24 jul) https://www.cert.se/2024/07/kritisk-sarbarhet-drabbar-flera-produkter-fran-hpe.html

Serious disruptions in CrowdStrike affect many organisations' IT environments (updated) (25 jul) https://www.cert.se/2024/07/allvarliga-storningar-i-crowdstrike-paverkar-manga-organisationers-it-miljoer.html

CERT-SE's weekly newsletter, week 29

WEEKLY NEWSLETTER

An eventful week in IT security. On 18 July CERT-SE sent out a flash alert about critical vulnerabilities in Cisco Secure Email Gateway, and on 19 July a technical fault in CrowdStrike Falcon Sensor caused extensive outages in several parts of the world. You can find CERT-SE's articles on these events here:

Both of these may be updated with further information.

With that, CERT-SE wishes you a pleasant weekend!

News this week

iPhone users in 98 countries warned about spyware by Apple (12 jul) https://www.malwarebytes.com/blog/news/2024/07/iphone-users-in-98-countries-warned-about-spyware-by-apple

Hacktivist Groups “People’s Cyber Army” And “HackNeT” Launch Trial DDoS Attacks on French Websites; prior to the Onslaught during Paris Olympics (15 jul) https://cyble.com/blog/hacktivist-groups-peoples-cyber-army-and-hacknet-launch-trial-ddos-attacks-on-french-websites-prior-to-the-onslaught-during-paris-olympics/

Paris 2024 Olympics to face complex cyber threats (16 jul) https://www.helpnetsecurity.com/2024/07/16/france-olympic-games-2024-cybersecurity-services-spending/

Email addresses of 15 million Trello users leaked on hacking forum (16 jul) https://www.bleepingcomputer.com/news/security/email-addresses-of-15-million-trello-users-leaked-on-hacking-forum/

Major Microsoft 365 outage caused by Azure configuration change (19 jul) https://www.bleepingcomputer.com/news/microsoft/major-microsoft-365-outage-caused-by-azure-configuration-change/

Global IT disruptions – flights cancelled all over the world (19 jul) https://www.svt.se/nyheter/utrikes/it-storningar-varlden-over

Alarm over IT trouble around the world (19 jul) https://www.aftonbladet.se/nyheter/a/MnnWWm/larm-om-it-strul-varlden-over

Reports and analyses

Fake AWS Packages Ship Command and Control Malware In JPEG Files (14 jul) https://blog.phylum.io/fake-aws-packages-ship-command-and-control-malware-in-jpeg-files/

HardBit ransomware version 4.0 supports new obfuscation techniques (15 jul) https://securityaffairs.com/165735/malware/hardbit-ransomware-version-4-0.html

Threat Spotlight: Attackers abuse URL protection services to mask phishing links (15 jul) https://blog.barracuda.com/2024/07/15/threat-spotlight-attackers-abuse-url-protection-services

SEXi ransomware rebrands to APT INC, continues VMware ESXi attacks (15 jul) https://www.bleepingcomputer.com/news/security/sexi-ransomware-rebrands-to-apt-inc-continues-vmware-esxi-attacks/

The Importance of Data Security in Hospitality (15 jul) https://www.devx.com/technology/the-importance-of-data-security-in-hospitality/

DarkGate, the Swiss Army knife of malware, sees boom after rival Qbot crushed (16 jul) https://www.theregister.com/2024/07/16/darkgate_malware/

Defending Against APTs: A Learning Exercise with Kimsuky (16 jul) https://www.rapid7.com/blog/post/2024/07/16/defending-against-apts-a-learning-exercise-with-kimsuky/

Container Breakouts: Escape Techniques in Cloud Environments (18 jul) https://unit42.paloaltonetworks.com/container-escape-techniques/

Information security and miscellaneous

Improving cyber resilience of frontline forces in Europe (15 jul) https://www.gov.uk/government/news/improving-cyber-resilience-of-frontline-forces-in-europe

Cybersecurity crisis communication: What to do (15 jul) https://securityintelligence.com/articles/cybersecurity-crisis-communication-what-to-do/

Discover the growing threats to data security (15 jul) https://www.helpnetsecurity.com/2024/07/15/pranava-adduri-bedrock-security-data-security-risks/

Punch Card Hacking – Exploring a Mainframe Attack Vector (16 jul) https://blog.nviso.eu/2024/07/16/punch-card-hacking-exploring-a-mainframe-attack-vector/

Forget Brexit – EU cybersecurity upgrade means UK too (16 jul) https://northwestbylines.co.uk/politics/brexit/forget-brexit-eu-cybersecurity-upgrade-means-uk-too/

UK Government Set to Introduce New Cyber Security and Resilience Bill (18 jul) https://www.infosecurity-magazine.com/news/government-cyber-security-bill-2024/

CERT-SE this week

Critical vulnerabilities in several IBM products (16 jul) https://www.cert.se/2024/07/kritiska-sarbarheter-i-flera-produkter-fran-ibm.html

Oracle's quarterly security update for July 2024 (17 jul) https://www.cert.se/2024/07/oracles-kvartalsvisa-sakerhetsuppdateringar-for-juli-2024.html

Critical vulnerabilities in Cisco products (18 jul) https://www.cert.se/2024/07/kritiska-sarbarheter-i-produkter-fran-cisco.html

BM24-004 Critical vulnerability in Cisco Secure Email Gateway (18 jul) https://www.cert.se/2024/07/bm24-003-kritisk-sarbarhet-i-cisco-secure-email-gateway.html

Serious disruptions in CrowdStrike affect many organisations' IT environments (19 jul) https://www.cert.se/2024/07/allvarliga-storningar-i-crowdstrike-paverkar-manga-organisationers-it-miljoer.html

Serious disruptions in CrowdStrike affect many organisations' IT environments

Text: CERT.se (Myndigheten för Samhällsskydd och Beredskap, MSB)

VULNERABILITY CROWDSTRIKE

On the morning of 19 July, disruptions were observed in the CrowdStrike security platform. The disruptions can affect servers and clients running Microsoft Windows where the Falcon Sensor software from CrowdStrike is installed. There are reports that these devices can become unavailable.

CrowdStrike has confirmed that it is experiencing disruptions and is working to resolve the problems. It recommends the following temporary measures for those affected:

1. Start Windows in Safe Mode or in the Windows Recovery Environment
2. Go to the directory C:\Windows\System32\drivers\CrowdStrike
3. Locate the file matching "C-00000291*.sys" and rename it to "C-00000291*.renamed"
4. Start the device normally
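The following PowerShell script is an added example, not CERT-SE's or CrowdStrike's own tooling: it carries out steps 2 and 3 above from Safe Mode or WinRE, renames only files matching the advisory's pattern, and supports -WhatIf for a dry run. It assumes PowerShell is available in the recovery environment and that the affected Windows volume is already unlocked (BitLocker) and mounted under the drive letter given in the hypothetical -SystemDrive parameter, which under WinRE is often not C:.

```powershell
# Added example (not CERT-SE's or CrowdStrike's own tooling): applies the
# temporary workaround above. Assumptions: PowerShell is available in Safe
# Mode / WinRE, and the affected Windows volume is unlocked and mounted under
# the letter passed as -SystemDrive (under WinRE this is often not C:).
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$SystemDrive = 'C:'
)

$driverDir = Join-Path $SystemDrive 'Windows\System32\drivers\CrowdStrike'
if (-not (Test-Path -LiteralPath $driverDir -PathType Container)) {
    throw "Directory not found: $driverDir (check the drive letter of the affected volume)"
}

# Only files matching the pattern named in the advisory are considered;
# nothing else in the directory is touched.
$targets = @(Get-ChildItem -LiteralPath $driverDir -File -Filter 'C-00000291*.sys')
if ($targets.Count -eq 0) {
    Write-Host "No C-00000291*.sys file found in $driverDir; nothing to do."
    return
}

foreach ($file in $targets) {
    # Keep the base name and swap only the extension, which is what the
    # advisory's "C-00000291*.renamed" describes.
    $newName = [System.IO.Path]::ChangeExtension($file.Name, '.renamed')
    if ($PSCmdlet.ShouldProcess($file.FullName, "Rename to $newName")) {
        Rename-Item -LiteralPath $file.FullName -NewName $newName
        Write-Host "Renamed $($file.Name) -> $newName"
    }
}
```

Run it once with -WhatIf to confirm which file would be renamed, then without it, and continue with step 4.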

Carrying out these steps on devices where BitLocker is enabled requires special handling, in particular access to administrator privileges and a valid encryption key.

The extent of the disruptions is unclear at this stage, but they affect several parts of the world. CERT-SE is following developments continuously and will update cert.se as more information becomes available.

CERT-SE welcomes information from Swedish actors affected by the disruptions. You can reach us on 010-240 40 40 or at cert@cert.se.

Update 2024-07-19 09:59

CrowdStrike is reported to have halted the rollout of the faulty update that caused the problems.

Update 2024-07-19 11:23

Luxembourg's CSIRT has released IOCs to help identify the drivers believed to be causing the technical problems that make servers and clients unavailable. [1]

Update 2024-07-19 12:54

CrowdStrike has issued a first official statement on the technical problems in Falcon Agent. [2]

Update 2024-07-19 13:21

Brief addition regarding CrowdStrike's recommended measures for affected parties, concerning devices where BitLocker is enabled. Microsoft and Amazon AWS have issued recommended measures for customers affected by the technical problems with CrowdStrike on virtual machines in Azure and EC2 respectively [3,4].

Sources

[1] https://www.circl.lu/pub/tr-87/
[2] https://www.crowdstrike.com/blog/statement-on-windows-sensor-update/
[3] https://azure.status.microsoft/en-us/status
[4] https://health.aws.amazon.com/health/status

Global IT outage after serious vulnerability at CrowdStrike

Updated: 2024-07-19; 23:45

Since yesterday evening Swedish time, a global IT outage has hit several large organisations around the world. The IT outage was caused by serious errors in an update to the Falcon Sensor software that was rolled out to Microsoft Windows 10 users. Google AWS and BitLocker were also affected to some extent. As a result, devices all over the world showed a blue or black screen. For several hours this site, too, was unreachable because of problems at our provider.

The company warns users against uninstalling CrowdStrike's software, since they would then be entirely without protection against malware. Instead it asks users to wait until a new patch is ready. According to the company, a corrected update of Falcon Sensor is now being distributed. However, each server or agent that has the software installed must be handled manually, which means it will take customers longer to remedy the IT outage locally and regionally.

Patches often insufficiently tested

On the third Thursday of the month, Microsoft and other large IT vendors, among others, distribute major updates. Before a patch or update may be rolled out, it is supposed to undergo testing and review to ensure that no serious errors exist or can arise when it reaches users. But lately the third Thursday of the month has increasingly been associated with large and serious IT outages. Companies are therefore advised to raise their preparedness and their ability to handle serious IT disruptions and outages going forward.

Aviation, transport and healthcare among affected sectors

Among the organisations affected globally were American and European airlines and logistics companies. Healthcare was also affected in some countries. Aircraft on the ground were not allowed to take off, and flights in the air had to circle the airports. Other operations affected on a large scale include banking in the United Kingdom, media companies and IT operations providers.

Read more about the IT outage in this week's newsletter from CERT.se.