Cyber Command Issues Rare Warning to Patch Atlassian Confluence Critical Flaw

Germany blames Russia for attacks on German politicians, Russian man arrested in Seoul for creating TrickBot malware, ProtonMail under fire after French authorities obtain IPs, much more

On Friday, U.S. Cyber Command issued a rare warning that mass exploitation of a vulnerability (CVE 2021-26084) in Atlassian Confluence servers is ongoing and expected to accelerate and urged admins to patch their affected servers immediately if they haven’t already.

CISA also underscored the warning. On August 25, Atlassian issued security updates to address the actively exploited Confluence remote code execution (RCE) vulnerability. (Sergiu Gatlan / Bleeping Computer)

Related: The Hacker News, PC Mag, DataBreachToday.com, The Register - Security, Silicon Angle, IT Pro, Infosecurity Magazine, Kaspersky Lab official blog, CISO MAG, Bleeping Computer, DataBreachToday.com, SiliconANGLE, Verdict, The Record, CISA

German Foreign Ministry spokeswoman Andrea Sasse blamed a Russian government hacking group called Ghostwriter for a recent wave of cyberattacks targeting German politicians.

Sasse also said that ahead of Germany's federal election on September 26, there were attempts to obtain personal login details of federal and state lawmakers intending to commit identity theft. She further said that Germany demanded the Russian government end such activity immediately. (Deutsche Welle)

Related: Reuters, TASS, Financial Times

A Russian man, identified in local media reports only as Mr. A, was arrested last week at the Seoul international airport on accusations of developing code for the TrickBot malware gang.

South Korean news outlet KBS said the suspect was arraigned in a Seoul court on Wednesday, September 2, on an international arrest warrant and extradition request to the US. (Catalin Cimpanu / The Record)

Related: Bleeping Computer, KBS News

End-to-end encrypted email service ProtonMail has come under fire for a French police report indicating that French authorities managed to obtain the IP address of a French activist who was using the online service.

The company says that it doesn’t log IP addresses by default, and it only complies with local regulation, in this particular case, Swiss law. Company CEO Andy Yen said that his company didn’t cooperate with French police nor Europol but that Europol acted as the communication channel between French authorities and Swiss authorities. (Natasha Lomas, Romain Dillet / TechCrunch)

Related: Techaeris, MediaNama, Explica, Tech Wire Asia, AiThority, WRAL Tech Wire, The Record, Slashdot, iTnews - Security, ZDNet Security, RT News, Engadget, Security Affairs, The Register

Networking gear maker Netgear patched three vulnerabilities, dubbed Demon’s Cries, Draconian Fear, and Seventh Inferno in its smart switches which were discovered by a Polish security researcher who uses the pseudonym of Gynvael Coldwind.

The three vulnerabilities can allow threat actors to bypass authentication and take over devices. Demon’s Cries is the most serious flaw, with a severity rating of 9.8 out of a maximum of 10, on the CVSSv3 scale. (Catalin Cimpanu / The Record)

Related: Security Affairs, The Hacker News, Bleeping Computer, Security Affairs, The Hacker News

In an announcement published on Ragnar Locker's darknet leak site this week, the gang is threatening to publish full data of victims who seek the help of law enforcement and investigative agencies such as the FBI following a ransomware attack.

The threat also extends to contacting data recovery experts to attempt decryption and conduct the negotiation process. "So from this moment we warn all our clients, if you will hire any recovery company for negotiations or if you will send requests to the police/FBI/investigators, we will consider this as a hostile intent, and we will initiate the publication of whole compromised data immediately," the group said on its leak site. (Ax Sharma / Bleeping Computer)

Related: Security Affairs

Researchers at KELA released a profile of an ideal ransomware victim. They compiled a list of criteria that the larger enterprise-targeting operations look for in a company for their attacks based on ransomware gangs’ “want ads.”

KELA’s analysis concludes that ransomware gangs prefer victims in the USA, Canada, Australia, and Europe and typically target firms with revenues above $100 million. Among the countries that the crews avoid are Russia, Ukraine, Moldova, Belarus, Kyrgyzstan, Kazakhstan, Armenia, Tajikistan, Turkmenistan, and Uzbekistan. (Lawrence Abrams / Bleeping Computer)

Related: Reddit - cybersecurity, Heimdal Security Blog, DataBreachToday.com, KELA, ZDNet

After Texas passed its anti-abortion “whistleblower” law that allows ordinary citizens to become vigilantes to report women who seek abortions, along with any individuals who may aid them in doing so, GoDaddy kicked the “whistleblower” site off its servers for violating its rule that prohibits customers from collecting or harvesting nonpublic information about anyone without their “prior written consent.”

Hard-right website hosting company Epik, the second hosting provider that Texas sought to house the site, also refused to host it, saying that the site similarly violated its terms of use. These hosting problems followed hacktivists posting false vigilante reports on the site. (Nicole Perlroth / New York Times)

Related: Mashable, Raw Story, Mercury News, AlterNet.org, Raw Story, Washington Examiner, AOL, Law & Crime

steven monacelli  @stevanzetti

NEW: Epik has dropped the anti abortion bounty website, citing violations of terms of service

September 5th 2021

518 Retweets3,548 Likes

Researchers at Anomali warn that threat actors, likely the FIN7 cybercrime group, also known as Carbanak and Navigator, have deployed a malware campaign recently that used a Windows 11 theme to lure recipients into activating malicious code placed inside Microsoft Word documents.

The cybercriminals laced Microsoft Word documents with macro code that ultimately downloads a JavaScript backdoor that lets the attacker deliver any payload they want. FIN7, which focuses on stealing payment data, has been around since at least 2013 but became known on a larger scale since 2015. (Ionut Ilascu / Bleeping Computer)

Related: Neowin, Security Affairs, gHacks, Techradar, HotHardware.com, Tech.Co, Windows Central, CISO MAG, The Hacker News

In a recent filing, software and security company Autodesk told the Securities and Exchange Commission that it had been compromised by the Russian hackers who infiltrated SolarWinds software with malware.

Autodesk said it discovered that one of its servers had been compromised and that it had taken steps to remediate the fallout. (Jeff Stone / Cyberscoop)

Related: GovInfoSecurity, Bleeping Computer

The Garda National Cyber Crime Bureau of Ireland seized several domains used in the Health and Safety Executive (HSE) cyberattack and other ransomware attacks earlier this year. The authorities claimed that they have significantly disrupted its infrastructure.

Authorities in Ireland say they are also working with Europol and Interpol to provide details of the URLs to member countries so that infected systems can be decontaminated. (Colman O'Sullivan / RTE)

Related: Cybersecurity Insiders, IT Pro, TechCentral.ie, Databreachtoday, Irish Times

A Russian security researcher named ValdikSS discovered malicious code inside the firmware of four low-budget push-button mobile phones sold through Russian online stores.

The researcher found that push-button phones such as DEXP SD2810, Itel it2160, Irbis SF63, and F+ Flip 3 were caught subscribing users to premium SMS services and intercepting incoming SMS messages to prevent detection. ValdikSS blamed these incidents on the local operators and vendors who re-sold the phones without prior security audits. (Catalin Cimpanu / The Record)

Related: IB Times, Security Affairs, Slashdot, TechStory

Shipping records reveal that a lesser-known affiliate of the spyware maker NSO Group called Circles supplied equipment in 2020 to Uzbekistan’s national intelligence agency (SGB), often referred to as a “secret police” force with a record of brutality and oppression.

A bill of lading between a Circles subsidiary called MS Magnet Solutions and Uztelecom from August 2020 indicates that the cyber espionage firm sold hard drives to the autocratic state. (Scott Stedman / Forensic News)

Ersin Çahmutoğlu @ersincmt

Interesting report by @ScottMStedman NSO Group’s affiliate, Circles, sold phone hacking tools to Uzbekistan intelligence service SGB. Cirles was founded by Tal Dilian. To remember, who Dilian is;👉forbes.com/sites/thomasbr… forensicnews.net/nso-group-affi… via @forensicnewsnet

September 4th 2021

16 Retweets27 Likes

Erik Finman, a 22-year-old who calls himself a Bitcoin millionaire, has been promoting a $500 so-called ultra-secure“Freedom Phone” that was initially panned by experts as nothing more than an overpriced cheap Chinese phone.

Unable to master the complexities of manufacturing, distributing, and servicing the Freedom Phone, he foisted those tasks onto a 13-year-old firm in Orem, Utah, called ClearCellular. Reviews of that device have been likewise brutally negative. (Jack Nicas / New York Times)

Related: CNET

Byron Tau @ByronTau

A look at the Freedom Phone, which is a cheap Chinese phone loaded with an Android fork stripped of Google software coded by some random engineers hired by a 22-year old 'Bitcoin millionaire.' Marketed at conservatives. Yours for $500. The Strange Tale of the Freedom Phone, a Smartphone for ConservativesA 22-year-old Bitcoin millionaire wants Republicans to ditch their iPhones for a low-end handset that he hopes to turn into a political tool.nytimes.com

September 6th 2021

40 Retweets74 Likes

Photo by Taylor Vick on Unsplash