CERT-SE's weekly newsletter, week 22

Weekly newsletter

After a week with an intense news flow and two 0-day vulnerabilities, here is an extra long newsletter. It covers everything from Swedish and international incidents, such as the takedown of FluBot, to warnings and analyses.

CERT-SE wishes you a nice weekend!

News this week

GitHub saved plaintext passwords of npm users in log files, post mortem reveals (27 May)
https://www.theregister.com/2022/05/27/github_publishes_a_post_mortem/

npm security update: Attack campaign using stolen OAuth tokens (26 May)
https://github.blog/2022-05-26-npm-security-update-oauth-tokens/

Exposed Kubernetes Clusters, Kubelet Ports Can Be Abused in Cyberattacks (27 May)
https://www.darkreading.com/dr-tech/exposed-kubernetes-clusters-kubelet-ports-can-be-abused-in-cyberattacks

CISA adds 75 actively exploited bugs to its must-patch list in just a week (27 May)
https://www.zdnet.com/article/cisa-adds-75-actively-exploited-bugs-to-its-must-patch-list-in-just-a-week/

Android apps with millions of downloads exposed to high-severity vulnerabilities (27 May)
https://www.microsoft.com/security/blog/2022/05/27/android-apps-with-millions-of-downloads-exposed-to-high-severity-vulnerabilities/

Follina — a Microsoft Office code execution vulnerability (29 May)
https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e

New ‘GoodWill’ Ransomware Forces Victims to Donate Money and Clothes to the Poor (29 May)
https://thehackernews.com/2022/05/new-goodwill-ransomware-forces-victims.html

That critical vulnerability might not be the first you should patch (30 May)
https://www.theregister.com/2022/05/30/rezilion-vulnerability-patching/

Italy warns organizations to brace for incoming DDoS attacks (30 May)
https://www.bleepingcomputer.com/news/security/italy-warns-organizations-to-brace-for-incoming-ddos-attacks/

Potential risk of cyber attack against national entities and organisations detected (AL01/220529/CSIRT-ITA) (29 May)
https://www.csirt.gov.it/contenuti/rilevato-potenziale-rischio-di-attacco-informatico-ai-danni-di-enti-ed-organizzazioni-nazionali-al01-220529-csirt-ita

EnemyBot Linux Botnet Now Exploits Web Server, Android and CMS Vulnerabilities (30 May)
https://thehackernews.com/2022/05/enemybot-linux-botnet-now-exploits-web.html

Is 3rd Party App Access the New Executable File? (30 May)
https://thehackernews.com/2022/05/is-3rd-party-app-access-new-executable.html

ICS Security in Healthcare: Why Software Vulnerabilities Pose a Threat to Patient Safety (30 May)
https://www.tripwire.com/state-of-security/healthcare/ics-security-healthcare-software-vulnerabilities-threat-patient-safety/

Cyber Agency: Voting Software Vulnerable in Some States (31 May)
https://www.securityweek.com/cyber-agency-voting-software-vulnerable-some-states

Germany issues fresh warning to banks of cyber attacks due to Ukraine war (31 May)
https://www.reuters.com/technology/german-regulator-issues-fresh-warning-banks-cyber-attacks-2022-05-31/

The FBI Warns of Scammers Soliciting Donations Related to the Crisis in Ukraine (31 May)
https://www.ic3.gov/Media/Y2022/PSA220531

Costa Rica May Be Pawn in Conti Ransomware Group’s Bid to Rebrand, Evade Sanctions (31 May)
https://krebsonsecurity.com/2022/05/costa-rica-may-be-pawn-in-conti-ransomware-groups-bid-to-rebrand-evade-sanctions/

Industrial IoT ransomware attacks control systems directly (1 June)
https://www.scmagazine.com/analysis/device-security/industrial-iot-ransomware-attacks-control-systems-directly

Transport systems give hackers a moving target (1 June)
https://www.ft.com/content/dc3cccb0-533c-4c5b-bc20-5ee3d422909f

Ransomware gang now hacks corporate websites to show ransom notes (2 June)
https://www.bleepingcomputer.com/news/security/ransomware-gang-now-hacks-corporate-websites-to-show-ransom-notes/

CrowdStrike Uncovers New MacOS Browser Hijacking Campaign (2 June)
https://www.crowdstrike.com/blog/how-crowdstrike-uncovered-a-new-macos-browser-hijacking-campaign/

International incidents

Hacker Steals Database of Hundreds of Verizon Employees (26 May)
https://www.vice.com/en/article/wxdwxn/hacker-steals-database-of-hundreds-of-verizon-employees

Hundreds stranded after ransomware attack on Indian airline (26 May)
https://www.digitaljournal.com/business/hundreds-stranded-after-ransomware-attack-on-indian-airline

BlackCat/ALPHV ransomware asks $5 million to unlock Austrian state (27 May)
https://www.bleepingcomputer.com/news/security/blackcat-alphv-ransomware-asks-5-million-to-unlock-austrian-state/

Ransomware attack sends US county back to 1977 (29 May)
https://www.theregister.com/2022/05/29/security_roundup/

Turkish Based Airline’s Sensitive EFB Data Leaked (30 May)
https://www.safetydetectives.com/news/pegasus-leak-report/

Online scamming fraud: three Nigerians arrested in INTERPOL Operation Killer Bee (30 May)
https://www.interpol.int/News-and-Events/News/2022/Online-scamming-fraud-three-Nigerians-arrested-in-INTERPOL-Operation-Killer-Bee

Takedown of SMS-based FluBot spyware infecting Android phones (1 June)
https://www.europol.europa.eu/media-press/newsroom/news/takedown-of-sms-based-flubot-spyware-infecting-android-phones

Unsecured Elasticsearch Data Replaced with Ransom Note (1 June)
https://www.secureworks.com/blog/unsecured-elasticsearch-data-replaced-with-ransom-note

FBI Director Christopher Wray says agency blocked planned cyberattack on children’s hospital (1 June)
https://www.pbs.org/newshour/politics/fbi-director-christopher-wray-says-agency-blocked-planned-cyberattack-on-childrens-hospital

FBI Director Christopher Wray expected to reveal details of Boston hacking case during BC speech (1 June)
https://www.youtube.com/watch?v=N_q4Loy5srk

US military hackers conducting offensive operations in support of Ukraine, says head of Cyber Command (1 June)
https://news.sky.com/story/us-military-hackers-conducting-offensive-operations-in-support-of-ukraine-says-head-of-cyber-command-12625139

Sweden

New form of Swish fraud hits shops (28 May)
https://www.svd.se/a/9KaveE/ny-form-av-swish-bedragerier-drabbar-butiker

Swedish organisations vulnerable to cyber attacks, according to their managers (30 May)
https://via.tt.se/pressmeddelande/svenska-verksamheter-sarbara-for-cyberattacker-enligt-cheferna?publisherId=3236480&releaseId=3324031

Telia after the authorities' IT chaos: Maintenance went wrong (31 May)
https://www.svt.se/nyheter/inrikes/transportstyrelsen-och-sjofartve

Information security and miscellaneous

The Subversive Trilemma: Why Cyber Operations Fall Short of Expectations (25 Oct)
https://direct.mit.edu/isec/article/46/2/51/107693/The-Subversive-Trilemma-Why-Cyber-Operations-Fall

How to Use Phishing Benchmarks Effectively to Assess Your Program - Part 3 (26 May)
https://www.sans.org/blog/how-to-use-phishing-benchmarks-effectively-to-assess-your-program-part-3/

Taking the Danger Out of IT/OT Convergence (27 May)
https://www.darkreading.com/dr-tech/taking-the-danger-out-of-it-ot-convergence

2022 mobile threat landscape update (May)
https://threatfabric.com/blogs/h1-2022-mobile-threat-landscape.html

Countdown to Ransomware: Analysis of Ransomware Attack Timelines (1 June)
https://securityintelligence.com/posts/analysis-of-ransomware/

Karakurt Data Extortion Group (1 June)
https://www.ic3.gov/Media/News/2022/220601.pdf

How to support women in cybersecurity (2 June)
https://www.helpnetsecurity.com/2022/06/02/support-women-in-cybersecurity/

Election Infrastructure Insider Threat Mitigation Guide
https://www.cisa.gov/sites/default/files/publications/election_insider_threat_mitigation_guide_508_0.pdf

Secure Tomorrow Series Toolkit
https://www.cisa.gov/secure-tomorrow-series-toolkit

R4IoT Next-Generation Ransomware
https://www.forescout.com/resources/r4iot-next-generation-ransomware-report/

CERT-SE this week

Critical 0-day vulnerability in Confluence (Updated 2022-06-03)

Serious 0-day vulnerability in Microsoft Office

Several critical vulnerabilities in Zoom Client