dailythreatfeed
DAILY THREAT FEED
19 posts
dailythreatfeed · 3 years ago
Today's Threat feed
US Adds Kaspersky to List of Firms Posing Threat to National Security By Waqas HackerOne and Dicker Data have also cut ties with Kaspersky after FCC’s decision amid the ongoing conflict between… This is a post from HackRead.com Read the original post: US Adds Kaspersky to List of Firms Posing Threat to National Security https://www.hackread.com/?p=93865
dailythreatfeed · 3 years ago
Today's Threat feed
Security Affairs newsletter Round 358 by Pierluigi Paganini A new round of the weekly Security Affairs newsletter arrived! Every week the best security articles from Security Affairs free for you in your email box. If you want to also receive for free the newsletter with the international press subscribe here. FCC adds Kaspersky to Covered List due to unacceptable risks to national security Anonymous […] The post Security Affairs newsletter Round 358 by Pierluigi Paganini appeared first on Security Affairs . https://securityaffairs.co/wordpress/?p=129515
dailythreatfeed · 3 years ago
Today's Threat feed
Western Digital addressed a critical bug in My Cloud OS 5 Western Digital fixed a critical flaw affecting My Cloud OS 5 devices that allowed attackers to gain remote code execution with root privileges. Western Digital has addressed a critical vulnerability, tracked as CVE-2021-44142, that could have allowed attackers to gain remote code execution with root privileges on unpatched My Cloud OS 5 devices. The CVE-2021-44142 […] The post Western Digital addressed a critical bug in My Cloud OS 5 appeared first on Security Affairs . https://securityaffairs.co/wordpress/?p=129507
dailythreatfeed · 3 years ago
10
A researcher discovered critical flaws that can be exploited by remote attackers to hack a building controller popular in Russia.

*A researcher has identified critical vulnerabilities that can allegedly be exploited to remotely hack a building controller predominantly used by organizations in Russia.*

Researcher Jose Bertin discovered critical flaws affecting a controller made by the Russian company Tekon Avtomatika, which is widely used by organizations in Russia. Tekon Avtomatika supplies equipment for elevator and building dispatching and for water and heat metering.

Querying the Shodan search engine, Bertin discovered more than 117 devices located in Russia that are connected to the internet and running with default credentials. The expert explained that anyone can access the Internet-facing systems and perform changes and actions as “admin”.

[image: building controller 2]

The expert found the default credentials (*admin:secret*) in the manuals, firmware and software for the vendor's building controller models. The researcher demonstrated that the default credentials grant admin privileges on the user interface of the Tekon building controller. He was also able to execute code with root privileges by abusing a feature implemented by the vendor to let users upload their own LUA script “plugins” through a section of the UI: upon clicking the “Save/Load” button, the uploaded code is executed.

The researcher created a proof-of-concept (PoC) script that allowed him to obtain root privileges and take complete control of the targeted device, which could potentially cause significant disruption. The expert published a blog post that describes a step-by-step procedure to achieve remote code execution with root privileges.

*“Well I got RCE and privilege escalation from an admin user to root, now we can do whatever, more critically those devices can be shut down at once the 100 creating an impact in russian scada systems, remotely.” wrote the expert. “From this point now we can create custom cgi files and call them from cgi/bin path and do whatever.”*

Bertin told SecurityWeek that he did not contact the vendor before publicly disclosing the issues. Clearly, the public disclosure of the post could allow threat actors to use the procedure to take over the building controller devices and conduct malicious activities, including sabotage.

Follow me on Twitter: *@securityaffairs* and *Facebook* *Pierluigi Paganini* *(**SecurityAffairs** –* *hacking, Building Controller)*

The post Experts explained how to hack a building controller widely adopted in Russia appeared first on Security Affairs. https://securityaffairs.co/wordpress/129452/hacking/russian-building-controller-hack.html?utm_source=rss&utm_medium=rss&utm_campaign=russian-building-controller-hack
dailythreatfeed · 3 years ago
11
Anonymous launches its offensive against Western companies still operating in Russia; it ‘DDoSed’ the Auchan, Leroy Merlin and Decathlon websites.

Since the start of the Russian invasion of Ukraine on February 24, Anonymous has declared war on Russia and launched multiple cyber-attacks against Russian entities, including Russian government sites, state-run media websites, and energy firms. Anonymous recently declared war on all companies that decided to continue to operate in Russia by paying taxes to the Russian government.

Press Release: We call on all companies that continue to operate in Russia by paying taxes to the budget of the Kremlin's criminal regime: Pull out of Russia! We give you 48 hours to reflect and withdraw from Russia or else you will be under our target! #Anonymous #OpRussia pic.twitter.com/7HO9UzeBoc — Anonymous TV [image: 🇺🇦] (@YourAnonTV) March 20, 2022

The first company hacked by the collective for this reason was Nestlé: Anonymous first threatened the company, then hacked it. The hacktivists claim to have stolen 10 GB of sensitive data, including company emails, passwords, and data related to business customers. The group leaked a sample of data containing more than 50K Nestlé business customers.

MORE: Only a sample of data has been published with more than 50K Nestlé business customers. Leak: https://t.co/lPjCcUvP0z (No Virus detected) Currently the weight is 10GB in SQL Format. #Anonymous #OpRussia #BoycottNestle — Anonymous TV [image: 🇺🇦] (@YourAnonTV) March 22, 2022

Today the Twitter account Anonymous TV announced the start of an offensive against the companies that opted to continue operating in Russia. The hacktivists launched powerful DDoS attacks against the Russian websites of Auchan, Leroy Merlin and Decathlon, bringing them down. The tweet includes screenshots showing that the targeted sites are not reachable.

JUST IN: #Anonymous is targeting companies that continue to operate in Russia. https://t.co/6aJxERLPNK | DOWN https://t.co/Pbr4FiEBvr | DOWN https://t.co/1skWyQCS2d | DOWN #PullOutOfRussia #OpRussia pic.twitter.com/0BEOSRq6uM — Anonymous TV [image: 🇺🇦] (@YourAnonTV) March 23, 2022

Today the popular hacker collective also claimed to have compromised the systems of the Central Bank of Russia and stolen 35,000 files; it announced that it will leak them in 48 hours.

The post Anonymous targets western companies still active in Russia, including Auchan, Leroy Merlin and Decathlon appeared first on Security Affairs. https://securityaffairs.co/wordpress/129447/hacking/anonymous-companies-active-russia.html?utm_source=rss&utm_medium=rss&utm_campaign=anonymous-companies-active-russia
dailythreatfeed · 3 years ago
9
The U.S. has indicted four Russian government employees for their involvement in attacks on entities in critical infrastructure.

The U.S. has indicted four Russian government employees for their role in cyberattacks targeting hundreds of companies and organizations in the energy sector worldwide between 2012 and 2018.

*“The Department of Justice unsealed two indictments today charging four defendants, all Russian nationals who worked for the Russian government, with attempting, supporting and conducting computer intrusions that together, in two separate conspiracies, targeted the global energy sector between 2012 and 2018.” reads a press release published by DoJ. “In total, these hacking campaigns targeted thousands of computers, at hundreds of companies and organizations, in approximately 135 countries.”*

The two indictments, one from June 2021 and one from August 2021, charge one employee of the Russian Federation Central Scientific Research Institute of Chemistry and Mechanics (TsNIIKhM) and three officers of Russia’s Federal Security Service (FSB).

According to the June 2021 indictment, an employee of the Russian Ministry of Defense research institute, Evgeny Viktorovich Gladkikh, and his co-conspirators attempted to damage critical infrastructure outside the US. The attacks caused two separate emergency shutdowns at a targeted foreign facility. The group also attempted to hack the systems of a US company operating critical infrastructure in the United States.

*“According to the indictment, between May and September 2017, the defendant and co-conspirators hacked the systems of a foreign refinery and installed malware, which cyber security researchers have referred to as “Triton” or “Trisis,” on a safety system produced by Schneider Electric, a multinational corporation. The conspirators designed the Triton malware to prevent the refinery’s safety systems from functioning (i.e., by causing the ICS to operate in an unsafe manner while appearing to be operating normally), granting the defendant and his co-conspirators the ability to cause damage to the refinery, injury to anyone nearby, and economic harm.” continues the DoJ. “However, when the defendant deployed the Triton malware, it caused a fault that led the refinery’s Schneider Electric safety systems to initiate two automatic emergency shutdowns of the refinery’s operations.”*

In August 2021, the US DoJ charged three FSB officers (Pavel Aleksandrovich Akulov, Mikhail Mikhailovich Gavrilov, and Marat Valeryevich Tyukov) working in Military Unit 71330 or ‘Center 16’ (aka Dragonfly, Berserk Bear, Energetic Bear, and Crouching Yeti). Between 2012 and 2017, the Dragonfly APT conducted multiple attacks targeting ICS or Supervisory Control and Data Acquisition (SCADA) systems used in the energy industry, including oil and gas firms and nuclear power plants, as well as utility and power transmission companies.

According to the indictment, the campaign against the energy sector involved two phases. In the first phase, which took place between 2012 and 2014, the nation-state actor was tracked as “Dragonfly” or “Havex” and engaged in a supply chain attack, compromising the networks of OT system manufacturers and software providers to deploy the “Havex” implant. The attackers also launched spear-phishing and “watering hole” attacks that allowed them to install malware on more than 17,000 unique devices in the United States and abroad, including ICS/SCADA controllers used by power and energy companies.

In the second phase, which took place between 2014 and 2017, the APT group tracked as “Dragonfly 2.0” focused on more targeted attacks on specific energy sector entities and on individuals and engineers who worked with ICS/SCADA systems. The group targeted more than 3,300 users at more than 500 U.S. and international companies and entities, in addition to U.S. government agencies such as the Nuclear Regulatory Commission.

*“In some cases, the spearphishing attacks were successful, including in the compromise of the business network (i.e., involving computers not directly connected to ICS/SCADA equipment) of the Wolf Creek Nuclear Operating Corporation (Wolf Creek) in Burlington, Kansas, which operates a nuclear power plant. Moreover, after establishing an illegal foothold in a particular network, the conspirators typically used that foothold to penetrate further into the network by obtaining access to other computers and networks at the victim entity.” states the DoJ.*

The DoJ warns of attacks from Russia-linked APT groups against critical infrastructure on a global scale. CISA, the FBI, and the U.S. Department of Energy also published a joint cybersecurity advisory detailing the tactics, techniques, and procedures (TTPs) of the indicted state-sponsored Russia-linked threat actors.

*“This joint Cybersecurity Advisory (CSA)—coauthored by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Energy (DOE)—provides information on multiple intrusion campaigns conducted by state-sponsored Russian cyber actors from 2011 to 2018 and targeted U.S. and international Energy Sector organizations. CISA, the FBI, and DOE responded to these campaigns with appropriate action in and around the time that they occurred.” reads the joint advisory.*

The post US indicted 4 Russian government employees for attacks on critical infrastructure appeared first on Security Affairs. https://securityaffairs.co/wordpress/129460/cyber-warfare-2/doj-indicted-russian-government-employees.html?utm_source=rss&utm_medium=rss&utm_campaign=doj-indicted-russian-government-employees
dailythreatfeed · 3 years ago
12
VMware addressed two critical arbitrary code execution vulnerabilities affecting its Carbon Black App Control platform.

VMware released software updates this week to address two critical security vulnerabilities, CVE-2022-22951 and CVE-2022-22952 (both received a CVSS score of 10), affecting its Carbon Black App Control platform that could be exploited by a threat actor to execute arbitrary code on affected installations on Windows systems.

Carbon Black App Control is an application allow-listing solution designed to enable security operations teams to lock down new and legacy systems against unwanted change, simplify the compliance process, and provide protection for corporate systems.

The vulnerabilities were reported by security researcher Jari Jääskelä.

*“Multiple vulnerabilities in VMware Carbon Black App Control were privately reported to VMware. Updates are available to remediate these vulnerabilities in affected VMware products.” reads the advisory published by VMware.*

The issues can only be exploited by authenticated attackers with high privileges.

The first bug, tracked as CVE-2022-22951, is an OS command injection vulnerability in Carbon Black App Control. The issue is due to improper input validation leading to remote code execution.

*“An authenticated, high privileged malicious actor with network access to the VMware App Control administration interface may be able to execute commands on the server due to improper input validation leading to remote code execution.”* reads the advisory.

The second flaw, tracked as CVE-2022-22952, is a file upload vulnerability in VMware Carbon Black App Control. An attacker can trigger the flaw by uploading a specially crafted file.

*“A malicious actor with administrative access to the VMware App Control administration interface may be able to execute code on the Windows instance where AppC Server is installed by uploading a specially crafted file.” continues the advisory.*

Impacted versions are 8.5.x, 8.6.x, 8.7.x, and 8.8.x. The virtualization giant addressed the flaws with the release of versions 8.5.14, 8.6.6, 8.7.4, and 8.8.2. Customers are recommended to install the security updates immediately.

The post VMware Issues Patches for Critical Flaws Affecting Carbon Black App Control appeared first on Security Affairs. https://securityaffairs.co/wordpress/129440/security/vmware-carbon-black-app-control-flaws.html?utm_source=rss&utm_medium=rss&utm_campaign=vmware-carbon-black-app-control-flaws
dailythreatfeed · 3 years ago
8
UK police suspect that a 16-year-old from Oxford is one of the leaders of the popular Lapsus$ extortion group.

The City of London Police announced that it has arrested seven teenagers suspected of being members of the notorious Lapsus$ extortion gang, which is believed to be based in South America.

*“Four researchers investigating the hacking group Lapsus$, on behalf of companies that were attacked, said they believe the teenager is the mastermind.” states Bloomberg that first reported the news. “Lapsus$ has befuddled cybersecurity experts as it has embarked on a rampage of high-profile hacks.”*

Over the last months, the Lapsus$ gang compromised many prominent companies such as NVIDIA, Samsung, Ubisoft, Mercado Libre and Vodafone. This week the group announced the hack of Microsoft and Okta.

The father of a 16-year-old from Oxford who was identified by law enforcement told the BBC his family was concerned and was trying to keep him away from his computers.

*“I had never heard about any of this until recently. He’s never talked about any hacking, but he is very good on computers and spends a lot of time on the computer. I always thought he was playing games.” The boy’s father told the BBC. “We’re going to try to stop him from going on computers.”*

The youngster, who goes online with the moniker “White” or “Breachbase”, has autism and for this reason attends a special educational school in Oxford. The teenager can’t be named for legal reasons.

*“Seven people between the ages of 16 and 21 have been arrested in connection with an investigation into a hacking group. They have all been released under investigation. Our inquiries remain ongoing.” City of London Police said.*

The teenager was identified after his identity was revealed (“doxxed”) on a hacker forum after an apparent falling out with business partners. Security journalist Brian Krebs reported that the teenager purchased Doxbin last year, a platform used for doxing activities. He then gave up control of the site in January and leaked the entire Doxbin archive to Telegram. The hacking community behind Doxbin retaliated by releasing White’s personal information, including his home address, social media photos and details about his parents.

*“Nixon said that in January 2022, WhiteDoxbin reluctantly agreed to relinquish control over Doxbin, selling the forum back to its previous owner at a considerable loss. However, just before giving up the forum, WhiteDoxbin leaked the entire Doxbin data set (including private doxes that had remained unpublished on the site as drafts) to the public via Telegram.” states Krebs who cited the investigation conducted by Allison Nixon, chief research officer at Unit 221B. “The Doxbin community responded ferociously, posting on WhiteDoxbin perhaps the most thorough dox the community had ever produced, including videos supposedly shot at night outside his home in the United Kingdom.”*

According to the post, White amassed 300BTC during his cybercrime career.

*“After a few years his net worth accumulated to well over 300BTC [close to $14m]… [he is] now is affiliated with a wannabe ransomware group known as ‘Lapsus$’, who has been extorting & ‘hacking’ several organisations.”* states the post.

The post UK police arrested 7 alleged members of Lapsus$ extortion gang appeared first on Security Affairs. https://securityaffairs.co/wordpress/129470/cyber-crime/uk-police-members-lapsus-gang.html?utm_source=rss&utm_medium=rss&utm_campaign=uk-police-members-lapsus-gang
dailythreatfeed · 3 years ago
6
Google addresses an actively exploited zero-day flaw with the release of Chrome 99.0.4844.84 for Windows, Mac, and Linux.

Google fixed an actively exploited high-severity zero-day vulnerability with the release of Chrome 99.0.4844.84 for Windows, Mac, and Linux. The update addresses a high-severity zero-day bug, tracked as CVE-2022-1096, that is exploited in the wild.

The CVE-2022-1096 vulnerability is a Type Confusion in the V8 JavaScript engine; the bug was reported by an anonymous researcher on 2022-03-23.

*“The Stable channel has been updated to 99.0.4844.84 for Windows, Mac and Linux which will roll out over the coming days/weeks.” reads the security advisory published by Google. “Google is aware that an exploit for CVE-2022-1096 exists in the wild.”*

At this time, Google has yet to publish technical details about the flaw or how it was exploited by threat actors in the wild.

“*Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.*” continues the advisory.

This is the second zero-day vulnerability addressed by the IT giant in Chrome this year. In February Google fixed a high-severity zero-day flaw, tracked as CVE-2022-0609, which was actively exploited. Google released a Chrome emergency update for Windows, Mac, and Linux to fix the CVE-2022-0609 bug. The CVE-2022-0609 zero-day is a use-after-free issue that resides in Animation; the bug was reported by Adam Weidemann and Clément Lecigne of Google’s Threat Analysis Group. The flaw had been exploited by North Korea-linked threat actors since January 4, 2022.

The post Chrome emergency update fixes an actively exploited zero-day bug appeared first on Security Affairs. https://securityaffairs.co/wordpress/129483/security/chrome-2nd-zero-day-2022.html?utm_source=rss&utm_medium=rss&utm_campaign=chrome-2nd-zero-day-2022
dailythreatfeed · 3 years ago
3
The US Cybersecurity and Infrastructure Security Agency (CISA) added 66 new flaws to its Known Exploited Vulnerabilities Catalog.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog. Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

The new vulnerabilities added to the catalog have to be addressed by federal agencies by April 15, 2022. The oldest flaws in the set of 66 recently added issues date back to 2005.

One of the 66 flaws added to the catalog is the recently discovered Windows CVE-2022-21999 vulnerability, a Windows Print Spooler Elevation of Privilege bug. Microsoft addressed this bug with the release of the February 2022 Patch Tuesday updates.

Another issue added to the catalog, tracked as CVE-2022-26318, is an arbitrary code execution flaw in WatchGuard Firebox and XTM Appliances.

CISA also added the CVE-2022-26143 vulnerability affecting Mitel MiCollab and MiVoice Business Express, which can be exploited by a threat actor to gain unauthorized access to sensitive information and services, cause performance degradation, or cause a denial of service condition on the affected system.

The CISA Catalog has reached a total of 570 entries with the latest added issues.

The post CISA adds 66 new flaws to the Known Exploited Vulnerabilities Catalog appeared first on Security Affairs. https://securityaffairs.co/wordpress/129502/hacking/cisa-known-exploited-vulnerabilities-catalog-66.html?utm_source=rss&utm_medium=rss&utm_campaign=cisa-known-exploited-vulnerabilities-catalog-66
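Acting on BOD 22-01 in practice means matching the catalog against your own patch state and watching the due dates. The Python script below is an added example, not code from the post or from CISA: it parses a constructed extract laid out like CISA's KEV JSON feed (only the three CVE IDs and the April 15, 2022 due date come from the post; every other field, and the hypothetical host inventory, is filled in here for illustration) and reports which hosts still have a catalog entry open, flagging those past the deadline.

```python
"""Added example: triage a patch inventory against a KEV-style catalog extract."""
import json
from datetime import date

# Constructed sample in the layout of CISA's KEV JSON feed. Only the CVE IDs
# and the 2022-04-15 due date are taken from the post; the descriptive fields
# are illustrative, not copied from the real catalog.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed sample)",
    "catalogVersion": "2022.03.25",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-2022-21999", "vendorProject": "Microsoft", "product": "Windows",
         "vulnerabilityName": "Windows Print Spooler Elevation of Privilege (sample)",
         "dateAdded": "2022-03-25", "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2022-04-15"},
        {"cveID": "CVE-2022-26318", "vendorProject": "WatchGuard", "product": "Firebox and XTM Appliances",
         "vulnerabilityName": "Arbitrary Code Execution (sample)",
         "dateAdded": "2022-03-25", "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2022-04-15"},
        {"cveID": "CVE-2022-26143", "vendorProject": "Mitel", "product": "MiCollab, MiVoice Business Express",
         "vulnerabilityName": "Unauthorized Access / DoS (sample)",
         "dateAdded": "2022-03-25", "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2022-04-15"},
    ],
})

# Hypothetical inventory, e.g. exported from a vulnerability scanner: for each
# host, the CVEs detected and the subset already remediated.
SAMPLE_INVENTORY = {
    "print-srv-01": {"affected": {"CVE-2022-21999"}, "remediated": set()},
    "fw-edge-02": {"affected": {"CVE-2022-26318"}, "remediated": set()},
    "voip-gw-03": {"affected": {"CVE-2022-26143", "CVE-2022-21999"},
                   "remediated": {"CVE-2022-21999"}},
    # Present but not in this sample catalog extract: not a BOD 22-01 deadline item.
    "dev-box-04": {"affected": {"CVE-2022-1096"}, "remediated": set()},
}


def load_catalog(raw_json):
    """Index a KEV feed by CVE ID, converting dueDate into a date object."""
    feed = json.loads(raw_json)
    catalog = {}
    for entry in feed["vulnerabilities"]:
        catalog[entry["cveID"]] = {
            "product": f"{entry['vendorProject']} {entry['product']}",
            "name": entry["vulnerabilityName"],
            "action": entry["requiredAction"],
            "due": date.fromisoformat(entry["dueDate"]),
        }
    return catalog


def triage(catalog, inventory, today):
    """Return open KEV findings per host, the most overdue first.

    A detected CVE that is absent from the catalog is skipped on purpose: it
    may still need patching, but it carries no BOD 22-01 due date.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    findings = []
    for host, state in inventory.items():
        for cve in sorted(state["affected"] - state["remediated"]):
            entry = catalog.get(cve)
            if entry is None:
                continue
            days_left = (entry["due"] - today).days
            findings.append({
                "host": host,
                "cve": cve,
                "product": entry["product"],
                "due": entry["due"].isoformat(),
                "days_left": days_left,
                "overdue": days_left < 0,
            })
    findings.sort(key=lambda f: (f["days_left"], f["host"], f["cve"]))
    return findings


def run_sample(today):
    """Run the triage over the constructed catalog and inventory."""
    return triage(load_catalog(SAMPLE_KEV_JSON), SAMPLE_INVENTORY, today)


if __name__ == "__main__":
    for f in run_sample("2022-04-20"):
        status = "OVERDUE" if f["overdue"] else f"{f['days_left']}d left"
        print(f"{f['host']:<14} {f['cve']:<15} due {f['due']}  {status}  ({f['product']})")
```

Swap `SAMPLE_KEV_JSON` for the downloaded feed and `SAMPLE_INVENTORY` for scanner output to get the same report for a real environment.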
dailythreatfeed · 3 years ago
4
The Federal Communications Commission (FCC) added Kaspersky to its Covered List because it poses unacceptable risks to U.S. national security.

The Federal Communications Commission (FCC) added multiple Kaspersky products and services to its Covered List, saying that they pose unacceptable risks to U.S. national security.

*“The Federal Communications Commission’s Public Safety and Homeland Security Bureau today added equipment and services from three entities – AO Kaspersky Lab, China Telecom (Americas) Corp, and China Mobile International USA Inc. – to its list of communications equipment and services that have been deemed a threat to national security, consistent with requirements in the Secure and Trusted Communications Networks Act of 2019.” reads the FCC’s press release.*

The Covered List, published by the Public Safety and Homeland Security Bureau, includes products and services that could pose an unacceptable risk to the national security of the United States or the security and safety of United States persons. The US commission also added the Chinese state-owned mobile service providers China Mobile International USA and China Telecom Americas to the list.

Below is the list of Covered Equipment or Services added on March 25, 2022:

- Information security products, solutions, and services supplied, directly or indirectly, by *AO Kaspersky Lab* or any of its predecessors, successors, parents, subsidiaries, or affiliates.
- International telecommunications services provided by *China Mobile International USA Inc*. subject to section 214 of the Communications Act of 1934.
- Telecommunications services provided by *China Telecom (Americas) Corp.* subject to section 214 of the Communications Act of 1934.

The FCC banned Kaspersky security solutions and services supplied by Kaspersky or any linked companies.

*“The FCC’s decision to add these three entities to our Covered List is welcome news. The FCC plays a critical role in securing our nation’s communications networks, and keeping our Covered List up to date is an important tool we have at our disposal to do just that. In particular, I am pleased that our national security agencies agreed with my assessment that China Mobile and China Telecom appeared to meet the threshold necessary to add these entities to our list. Their addition, as well as Kaspersky Labs, will help secure our networks from threats posed by Chinese and Russian state backed entities seeking to engage in espionage and otherwise harm America’s interests.” said FCC Commissioner Brendan Carr. “I applaud Chairwoman Rosenworcel for working closely with our partners in the Executive Branch on these updates. As we continue our work to secure America’s communications networks, I am confident that we will have more entities to add to our Covered List.”*

In mid-March, the German Federal Office for Information Security, aka BSI, recommended that consumers uninstall Kaspersky anti-virus software. The Agency warns that the cybersecurity firm could be implicated in hacking attacks during the ongoing Russian invasion of Ukraine. Under §7 of the BSI law, the BSI warns against the use of Kaspersky Antivirus and recommends replacing it as soon as possible with defense solutions from other vendors.

Under §7 of the BSI Act we warn against the use of antivirus software from the Russian manufacturer Kaspersky. We recommend replacing such applications with products from other manufacturers. To the press release: [image: ➡]https://t.co/VC20wRlj4W #DeutschlandDigitalSicherBSI — BSI (@BSI_Bund) March 15, 2022

The post FCC adds Kaspersky to Covered List due to unacceptable risks to national security appeared first on Security Affairs. https://securityaffairs.co/wordpress/129496/security/us-fcc-bans-kaspersky.html?utm_source=rss&utm_medium=rss&utm_campaign=us-fcc-bans-kaspersky
dailythreatfeed · 3 years ago
7
Ukraine CERT (CERT-UA) released details about a campaign that SentinelLabs linked with the suspected Chinese threat actor tracked as Scarab.

Ukraine CERT (CERT-UA) published technical details about a malicious activity tracked as UAC-0026, which SentinelLabs associated with the China-linked Scarab APT.

Scarab APT was first spotted in 2015, but experts believe it has been active since at least 2012, conducting surgical attacks against a small number of individuals across the world, including in Russia and the United States. Scarab has conducted multiple cyberespionage campaigns over the years; it employed the custom backdoor Scieron and later the HeaderTip implant.

Experts pointed out that the UAC-0026 activity is the first public example of a Chinese threat actor targeting Ukraine since the beginning of the invasion.

The attackers spread their malware through phishing messages using weaponized documents that deploy the HeaderTip malware. The messages use a RAR archive titled *“On the preservation of video recordings of the criminal actions of the army of the Russian Federation.rar”* which includes an executable with the same name. The lure document employed in the campaign spotted by CERT-UA mimics the National Police of Ukraine.

*“Running the executable file will create a lure document “# 2163_02_33-2022.pdf” (applies to a letter from the National Police of Ukraine), as well as a DLL file with the MZ header “officecleaner.dat” and the BAT file “officecleaner.bat”, which will ensure the formation of the correct DLL-file, run it and write to the Windows registry to ensure consistency.” reads the advisory published by CERT-UA. “The mentioned DLL-file is classified as a malicious program HeaderTip, the main purpose of which is to download and execute other DLL-files.”*

[image: Scarab APT]

SentinelLabs experts analyzed the infrastructure used by Scarab and several samples of the HeaderTip malware shared by CERT-UA.

*“We assess with high confidence the recent CERT-UA activity attributed to UAC-0026 is the Scarab APT group.” reads the analysis published by SentinelLabs. “An initial link can be made through the design of the malware samples and their associated loaders from at least 2020. Further relationships can be identified through the reuse of actor-unique infrastructure between the malware families associated with the groups:*

- *508d106ea0a71f2fd360fda518e1e533e7e584ed (HeaderTip – 2021)*
- *121ea06f391d6b792b3e697191d69dc500436604 (Scieron 2018)*
- *Dynamic.ddns[.]mobi (Reused C2 Server)”*

The analysis of metadata associated with the lure documents suggests the author is using the Windows operating system in a Chinese language setting. The HeaderTip samples employed by the threat actors are 32-bit DLL files written in C++. Experts reported that the HeaderTip malware implements backdoor capabilities and can also be used as first-stage malware.

*“We assess with high confidence the recent CERT-UA activity attributed to UAC-0026 is the Scarab APT group and represents the first publicly-reported attack on Ukraine from a non-Russian APT.” concludes SentinelOne. “The HeaderTip malware and associated phishing campaign utilizing Macro-enabled documents appears to be a first-stage infection attempt. At this point in time, the threat actor’s further objectives and motivations remain unclear.”*

The post Chinese threat actor Scarab targets Ukraine, CERT-UA warns appeared first on Security Affairs. https://securityaffairs.co/wordpress/129477/apt/chinese-threat-actor-scarab-targets-ukraine-cert-ua-warns.html?utm_source=rss&utm_medium=rss&utm_campaign=chinese-threat-actor-scarab-targets-ukraine-cert-ua-warns
dailythreatfeed · 3 years ago
5
Anonymous announced that the affiliate group Black Rabbit World has leaked 28 GB of data stolen from the Central Bank of Russia.

This week the Anonymous hacker collective claimed to have hacked the Central Bank of Russia and accessed 35,000 documents. The group of hacktivists announced that it will leak the stolen documents in 48 hours.

Anonymous hacks Russia's Central Bank and more than 35,000 files will be exposed in 48 hours. pic.twitter.com/0VUhqVmo89 — Anonymous (@LatestAnonPress) March 23, 2022

Now the Anonymous TV Twitter account has announced that the Anonymous hackers The Black Rabbit World (@Thblckrbbtworld) have leaked 28 GB.

[image: 🔴]MESSAGE FROM #ANONYMOUS RABBIT: "People shouldn't be afraid of their government, governments should be afraid of their people." The Central Bank of Russian Federation leak (28 GB) has been published by Anonymous[image: ❗]#Ukraine #OPRussia [image: 🔻] pic.twitter.com/BJJBMpZESZ — The Black Rabbit World (@Thblckrbbtworld) March 25, 2022

JUST IN: The Central Bank of Russian Federation leak (28 GB) has been published by #Anonymous hackers (@Thblckrbbtworld).#Ukraine #OpRussia [image: 🔻] https://t.co/msXQ24qDZ2 — Anonymous TV [image: 🇺🇦] (@YourAnonTV) March 25, 2022

The group shared two links to the cloud storage and file hosting service Mega NZ:

- https://mega.nz/folder/NJoBUYSZ#uOAMx6s9m5PGNDTcMCR7NA
- https://mega.nz/folder/xgllXCDB#XgBMAEpc9zNYHtq0TIAQjQ

The group plans to distribute the stolen documents to various points of the internet to prevent them from being censored. The data is arranged in two folders named A and B, containing 9 parts and 1 part respectively. The folders contain Office and TXT files; the documents are written in Cyrillic.

[image: Central Bank of Russia data leak]

Anonymous claims that the stolen documents include Russia’s economic secrets. An attack on the central bank of a state could have major repercussions on its domestic politics. The central bank sets the country’s economic policy, governs the country’s currency, maintains price stability, and oversees local banks.

If the leaked data is authentic, this data leak is probably the greatest hack of the ongoing #OpRussia launched by Anonymous against the Russian government since the beginning of the invasion. In the next few hours, intelligence experts, economists and activists will have a lot of work to do to translate the documents and reveal their contents.

The post Anonymous leaked 28GB of data stolen from the Central Bank of Russia appeared first on Security Affairs. https://securityaffairs.co/wordpress/129490/hacking/central-bank-of-russia-data-leak-anonymous.html?utm_source=rss&utm_medium=rss&utm_campaign=central-bank-of-russia-data-leak-anonymous
1 note · View note
dailythreatfeed · 3 years ago
Text
11
VMware addressed two critical arbitrary code execution vulnerabilities affecting its Carbon Black App Control platform.

This week VMware released software updates to address two critical security vulnerabilities, CVE-2022-22951 and CVE-2022-22952 (both received a CVSS score of 10), affecting its Carbon Black App Control platform. The flaws could be exploited by a threat actor to execute arbitrary code on affected installations on Windows systems.

Carbon Black App Control is an application allow-listing solution designed to enable security operations teams to lock down new and legacy systems against unwanted change, simplify the compliance process, and provide protection for corporate systems.

The vulnerabilities were reported by security researcher Jari Jääskelä.

“Multiple vulnerabilities in VMware Carbon Black App Control were privately reported to VMware. Updates are available to remediate these vulnerabilities in affected VMware products.” reads the advisory published by VMware.

Both issues can only be exploited by authenticated attackers with high privileges.

The first bug, tracked as CVE-2022-22951, is an OS command injection vulnerability in Carbon Black App Control. The issue is due to improper input validation leading to remote code execution.

“An authenticated, high privileged malicious actor with network access to the VMware App Control administration interface may be able to execute commands on the server due to improper input validation leading to remote code execution.” reads the advisory.

The second flaw, tracked as CVE-2022-22952, is a file upload vulnerability in VMware Carbon Black App Control. An attacker can trigger the flaw by uploading a specially crafted file.

“A malicious actor with administrative access to the VMware App Control administration interface may be able to execute code on the Windows instance where AppC Server is installed by uploading a specially crafted file.” continues the advisory.

Impacted versions are 8.5.x, 8.6.x, 8.7.x, and 8.8.x; the virtualization giant addressed the flaws with the release of versions 8.5.14, 8.6.6, 8.7.4, and 8.8.2. Customers are recommended to install the security updates immediately.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini (SecurityAffairs – hacking, Carbon Black App Control)

The post VMware Issues Patches for Critical Flaws Affecting Carbon Black App Control appeared first on Security Affairs. https://securityaffairs.co/wordpress/129440/security/vmware-carbon-black-app-control-flaws.html?utm_source=rss&utm_medium=rss&utm_campaign=vmware-carbon-black-app-control-flaws
dailythreatfeed · 3 years ago
Text
Todays Threat feed
Indictment of Russian National Offers Glimpse Into Methodical Targeting of Energy Firm. Evgeny Viktorovich Gladkikh tried to cause catastrophic damage to a Saudi oil refinery in 2017 via the Triton/Trisis malware, the US has alleged. https://www.darkreading.com/attacks-breaches/indictment-against-russian-national-offers-glimpse-into-methodical-targeting-of-energy-firm