Cyber Command Issues Rare Warning to Patch Atlassian Confluence Critical Flaw

Germany blames Russia for attacks on German politicians, Russian man arrested in Seoul for creating TrickBot malware, ProtonMail under fire after French authorities obtain IPs, much more

On Friday, U.S. Cyber Command issued a rare warning that mass exploitation of a vulnerability (CVE 2021-26084) in Atlassian Confluence servers is ongoing and expected to accelerate and urged admins to patch their affected servers immediately if they haven’t already.

CISA also underscored the warning. On August 25, Atlassian issued security updates to address the actively exploited Confluence remote code execution (RCE) vulnerability. (Sergiu Gatlan / Bleeping Computer)

Related: The Hacker News, PC MagDataBreachToday.comThe Register - SecuritySilicon Angle, IT ProInfosecurity Magazine, Kaspersky Lab official blogCISO MAGBleeping ComputerDataBreachToday.comSiliconANGLE, Verdict, The Record, CISA

German Foreign Ministry spokeswoman Andrea Sasse blamed a Russian government hacking group called Ghostwriter for a recent wave of cyberattacks targeting German politicians.

Sasse also said that ahead of Germany's federal election on September 26, there were attempts to obtain personal login details of federal and state lawmakers intending to commit identity theft. She further said that Germany demanded the Russian government end such activity immediately. (Deutsche Welle)

Related: ReutersTASS, Financial Times

A Russian man, identified in local media reports only as Mr. A, was arrested last week at the Seoul international airport on accusations of developing code for the TrickBot malware gang.

South Korean news outlet KBS said the suspect was arraigned in a Seoul court on Wednesday, September 2, on an international arrest warrant and extradition request to the US. (Catalin Cimpanu / The Record)

Related: Bleeping Computer, KBS News

End-to-end encrypted email service ProtonMail has come under fire for a French police report indicating that French authorities managed to obtain the IP address of a French activist who was using the online service.

The company says that it doesn’t log IP addresses by default, and it only complies with local regulation, in this particular case, Swiss law. Company CEO Andy Yen said that his company didn’t cooperate with French police nor Europol but that Europol acted as the communication channel between French authorities and Swiss authorities. (Natasha Lomas, Romain Dillet / TechCrunch)

Related: TechaerisMediaNamaExplicaTech Wire AsiaAiThorityWRAL Tech Wire, The Record, Slashdot, iTnews - SecurityZDNet SecurityRT NewsEngadgetSecurity Affairs, The Register

Networking gear maker Netgear patched three vulnerabilities, dubbed Demon’s Cries, Draconian Fear, and Seventh Inferno in its smart switches which were discovered by a Polish security researcher who uses the pseudonym of Gynvael Coldwind.

The three vulnerabilities can allow threat actors to bypass authentication and take over devices. Demon’s Cries is the most serious flaw, with a severity rating of 9.8 out of a maximum of 10, on the CVSSv3 scale. (Catalin Cimpanu / The Record)

Related: Security AffairsThe Hacker News, Bleeping ComputerSecurity Affairs, The Hacker News

In an announcement published on Ragnar Locker's darknet leak site this week, the gang is threatening to publish full data of victims who seek the help of law enforcement and investigative agencies such as the FBI following a ransomware attack.

The threat also extends to contacting data recovery experts to attempt decryption and conduct the negotiation process. "So from this moment we warn all our clients, if you will hire any recovery company for negotiations or if you will send requests to the police/FBI/investigators, we will consider this as a hostile intent, and we will initiate the publication of whole compromised data immediately," the group said on its leak site. (Ax Sharma / Bleeping Computer)

Related: Security Affairs

Researchers at KELA released a profile of an ideal ransomware victim. They compiled a list of criteria that the larger enterprise-targeting operations look for in a company for their attacks based on ransomware gangs’ “want ads.”

KELA’s analysis concludes that ransomware gangs prefer victims in the USA, Canada, Australia, and Europe and typically target firms with revenues above $100 million. Among the countries that the crews avoid are Russia, Ukraine, Moldova, Belarus, Kyrgyzstan, Kazakhstan, Armenia, Tajikistan, Turkmenistan, and Uzbekistan. (Lawrence Abrams / Bleeping Computer)

Related: Reddit - cybersecurityHeimdal Security Blog,, KELA, ZDNet

After Texas passed its anti-abortion “whistleblower” law that allows ordinary citizens to become vigilantes to report women who seek abortions, along with any individuals who may aid them in doing so, GoDaddy kicked the “whistleblower” site off its servers for violating its rule that prohibits customers from collecting or harvesting nonpublic information about anyone without their “prior written consent.”

Hard-right website hosting company Epik, the second hosting provider that Texas sought to house the site, also refused to host it, saying that the site similarly violated its terms of use. These hosting problems followed hacktivists posting false vigilante reports on the site. (Nicole Perlroth / New York Times)

Related: MashableRaw StoryMercury NewsAlterNet.orgRaw StoryWashington ExaminerAOLLaw & Crime

Researchers at Anomali warn that threat actors, likely the FIN7 cybercrime group, also known as Carbanak and Navigator, have deployed a malware campaign recently that used a Windows 11 theme to lure recipients into activating malicious code placed inside Microsoft Word documents.

The cybercriminals laced Microsoft Word documents with macro code that ultimately downloads a JavaScript backdoor that lets the attacker deliver any payload they want. FIN7, which focuses on stealing payment data, has been around since at least 2013 but became known on a larger scale since 2015. (Ionut Ilascu / Bleeping Computer)

Related: NeowinSecurity AffairsgHacks, TechradarHotHardware.comTech.CoWindows CentralCISO MAGThe Hacker News

In a recent filing, software and security company Autodesk told the Securities and Exchange Commission that it had been compromised by the Russian hackers who infiltrated SolarWinds software with malware.

Autodesk said it discovered that one of its servers had been compromised and that it had taken steps to remediate the fallout. (Jeff Stone / Cyberscoop)

Related: GovInfoSecurity, Bleeping Computer

The Garda National Cyber Crime Bureau of Ireland seized several domains used in the Health and Safety Executive (HSE) cyberattack and other ransomware attacks earlier this year. The authorities claimed that they have significantly disrupted its infrastructure.

Authorities in Ireland say they are also working with Europol and Interpol to provide details of the URLs to member countries so that infected systems can be decontaminated. (Colman O'Sullivan / RTE)

Related: Cybersecurity InsidersIT, Databreachtoday, Irish Times

A Russian security researcher named ValdikSS discovered malicious code inside the firmware of four low-budget push-button mobile phones sold through Russian online stores.

The researcher found that push-button phones such as DEXP SD2810, Itel it2160, Irbis SF63, and F+ Flip 3 were caught subscribing users to premium SMS services and intercepting incoming SMS messages to prevent detection. ValdikSS blamed these incidents on the local operators and vendors who re-sold the phones without prior security audits. (Catalin Cimpanu / The Record)

Related: IB TimesSecurity AffairsSlashdot, TechStory

Shipping records reveal that a lesser-known affiliate of the spyware maker NSO Group called Circles supplied equipment in 2020 to Uzbekistan’s national intelligence agency (SGB), often referred to as a “secret police” force with a record of brutality and oppression.

A bill of lading between a Circles subsidiary called MS Magnet Solutions and Uztelecom from August 2020 indicates that the cyber espionage firm sold hard drives to the autocratic state. (Scott Stedman / Forensic News)

Erik Finman, a 22-year-old who calls himself a Bitcoin millionaire, has been promoting a $500 so-called ultra-secure“Freedom Phone” that was initially panned by experts as nothing more than an overpriced cheap Chinese phone.

Unable to master the complexities of manufacturing, distributing, and servicing the Freedom Phone, he foisted those tasks onto a 13-year-old firm in Orem, Utah, called ClearCellular. Reviews of that device have been likewise brutally negative. (Jack Nicas / New York Times)

Related: CNET

Photo by Taylor Vick on Unsplash