Security News – December 2022

Read our roundup of cybersecurity news from December 2022. Each month, we’ll bring you security cases and interesting insights to help you stay secure. 

Politics 

In Ireland, Meta was fined €265 million under the GDPR for failing to protect users' data from automated collection (scraping), which led to a leak of personal data. Meta's defense is that the scraping relied on a flaw that was fixed in 2019.

As part of the anti-government protests, Iran's state news agency was hacked. The Black Reward group claims to have deleted more than 250 TB of data from its servers.

A North Korean state-sponsored group (APT37) is actively exploiting a previously unknown (zero-day) vulnerability in Internet Explorer's scripting engine to run code on victims' machines. The attack works even when Internet Explorer is not the default browser, because other software (for example Office, when it renders embedded HTML) still loads the IE engine. Microsoft released a fix on November 8.

Mandiant published its analysis of a Chinese espionage campaign aimed at Southeast Asia, together with guidance on how to detect it.

Investigations and research

Google Project Zero points out the "patch gap" in getting fixes for shared components into third-party products. The vulnerabilities in Arm's Mali GPU driver had already been fixed upstream months earlier, but major manufacturers (Pixel, Samsung, Xiaomi, Oppo, …) still had not shipped the fix in their devices by November.

Interesting statistics on the most commonly used passwords of the year were published.

Vulnerabilities in connected-vehicle services allow attacks on Honda and Nissan vehicles using only their VIN. An attacker can unlock the doors, honk the horn, or start the engine. The VIN, which is stamped on the vehicle and visible from outside, was the only input required for authorization, so knowing it was enough to act as the owner.
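The flaw above is an authorization check that accepts a public identifier as proof of ownership. The following is an added illustration, not code from any manufacturer's or telematics provider's API: a remote-command handler that trusts the VIN alone, beside a version that ties the VIN to an authenticated owner. The vehicle records, users and token scheme are constructed for the example.

```python
"""Authorization flaw behind the vehicle story above: an action that is
authorized by a VIN alone, beside a version that ties the VIN to an
authenticated owner. Added illustration, not code from any manufacturer's
or telematics provider's API; vehicles, users and tokens are constructed."""
import secrets
from typing import Dict, Optional

# Constructed fleet. A VIN is stamped on the dashboard and visible through the
# windscreen, so it is an identifier, not a secret.
VEHICLES: Dict[str, dict] = {
    "1HGCM82633A004352": {"owner": "alice", "locked": True, "engine": "off"},
    "JN1AZ4EH1DM123456": {"owner": "bob", "locked": True, "engine": "off"},
}

# Opaque session tokens issued after a (not shown) password/MFA login.
SESSIONS: Dict[str, str] = {}


def login(username: str) -> str:
    """Issue a random, unguessable session token for an already-verified user."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token


def remote_command_vulnerable(vin: str, command: str) -> bool:
    """Before: the VIN is the only 'credential'. Whoever can read a VIN off a
    parked car can unlock it or start it."""
    vehicle = VEHICLES.get(vin)
    if vehicle is None:
        return False
    return _apply(vehicle, command)


def remote_command_fixed(vin: str, command: str, token: Optional[str]) -> bool:
    """After: the caller must present a valid session, and the session's user
    must own the vehicle. Ownership comes from the server-side record, never
    from anything the client sends alongside the VIN."""
    if not token or token not in SESSIONS:
        return False            # unauthenticated
    vehicle = VEHICLES.get(vin)
    if vehicle is None or vehicle["owner"] != SESSIONS[token]:
        return False            # authenticated, but not this vehicle's owner
    return _apply(vehicle, command)


def _apply(vehicle: dict, command: str) -> bool:
    """Execute a supported command against the vehicle record."""
    if command == "unlock":
        vehicle["locked"] = False
    elif command == "lock":
        vehicle["locked"] = True
    elif command == "start":
        vehicle["engine"] = "running"
    else:
        return False            # unknown command is rejected, not ignored
    return True


if __name__ == "__main__":
    # Anyone: unlock Alice's car knowing only the VIN.
    print(remote_command_vulnerable("1HGCM82633A004352", "unlock"))   # True
    # Bob, logged in, tries the same against Alice's car in the fixed version.
    bob = login("bob")
    print(remote_command_fixed("1HGCM82633A004352", "unlock", bob))   # False
    print(remote_command_fixed("JN1AZ4EH1DM123456", "start", bob))    # True
```

The fixed handler makes two separate decisions, authentication (is there a valid session?) and authorization (does that session's user own this VIN?), and both are answered from server-side state. A real service would add rate limiting and audit logging on top, but neither replaces the ownership check.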

Microsoft warns that the Boa web server, which has been unmaintained for years, is becoming a target for attackers. Millions of devices, especially IoT devices, still run it, often because it is bundled in a vendor SDK so the device maker may not even know it is there. Microsoft has also published recommendations on how to minimize the risk.
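The first step in acting on such a warning is finding out which devices on your own network actually run Boa. The following is an added example, not Microsoft's tooling: it extracts the HTTP Server banner from a response and flags Boa, with its version where advertised. The responses in SAMPLE_RESPONSES and their addresses are constructed for the example.

```python
"""Inventory check for the end-of-life Boa web server mentioned above: pull
the HTTP Server banner from a response and flag Boa, with its version if
advertised. Added example, not Microsoft's tooling; the responses in
SAMPLE_RESPONSES are constructed for the example."""
import re
import socket
from typing import Dict, Optional

# Boa announces itself as "Boa" or "Boa/<version>" in the Server header.
# The trailing (?:\s|$) stops a banner such as "Boaz/1.0" from matching.
BOA_RE = re.compile(r"^boa(?:/(\S+))?(?:\s|$)", re.IGNORECASE)


def server_banner(raw: bytes) -> Optional[str]:
    """Return the Server header value from a raw HTTP response, or None.
    Header names are case-insensitive, so 'server:' and 'SERVER:' count."""
    head = re.split(rb"\r?\n\r?\n", raw, maxsplit=1)[0]
    lines = re.split(r"\r?\n", head.decode("latin-1", errors="replace"))
    for line in lines[1:]:                       # lines[0] is the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None


def boa_version(banner: Optional[str]) -> Optional[str]:
    """None if the banner is not Boa; otherwise the version, '' if absent."""
    if banner is None:
        return None
    m = BOA_RE.match(banner.strip())
    if m is None:
        return None
    return m.group(1) or ""


def find_boa_hosts(responses: Dict[str, bytes]) -> Dict[str, str]:
    """Map host -> Boa version for every response whose banner is Boa."""
    hits = {}
    for host, raw in responses.items():
        version = boa_version(server_banner(raw))
        if version is not None:
            hits[host] = version
    return hits


def fetch_banner(host: str, port: int = 80, timeout: float = 3.0) -> Optional[str]:
    """Send a minimal HEAD request and return the Server banner. Only run this
    against hosts you are authorized to scan."""
    request = f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        raw = b""
        while b"\r\n\r\n" not in raw and len(raw) < 8192:
            chunk = sock.recv(1024)
            if not chunk:
                break
            raw += chunk
    return server_banner(raw)


# Constructed responses, as a scanner would see them from four hosts.
SAMPLE_RESPONSES: Dict[str, bytes] = {
    "10.0.0.5": (b"HTTP/1.1 200 OK\r\nDate: Mon, 05 Dec 2022 10:00:00 GMT\r\n"
                 b"Server: Boa/0.94.14rc21\r\nContent-Type: text/html\r\n\r\n<html>"),
    "10.0.0.6": b"HTTP/1.1 200 OK\r\nserver: nginx/1.22.1\r\n\r\n",
    "10.0.0.7": (b"HTTP/1.0 401 Unauthorized\r\nSERVER: Boa\r\n"
                 b'WWW-Authenticate: Basic realm="camera"\r\n\r\n'),
    "10.0.0.8": b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n",
}

if __name__ == "__main__":
    print(find_boa_hosts(SAMPLE_RESPONSES))
    # {'10.0.0.5': '0.94.14rc21', '10.0.0.7': ''}
```

A banner is a hint, not proof: devices can hide or rewrite the Server header, so treat a hit as a lead to confirm against the device's firmware inventory, and a miss as inconclusive.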

Police in Spain arrested 55 criminals who were taking over victims' SIM cards (SIM swapping). Controlling the phone number let them receive SMS verification codes and so gain access, for example, to e-banking.

Researchers have disclosed three new vulnerabilities in smart devices used by the millions in critical infrastructure. They include missing authentication on several functions and protocols, and poorly implemented encryption.

Researchers have uncovered new vulnerabilities in server baseboard management controllers (BMCs), a component shared across the server supply chain: the affected firmware is used in servers from AMD, ASRock, Asus, Arm, Dell EMC, Gigabyte, Lenovo, HP and others. The problem is made worse by the fact that the BMC runs its own firmware independently of the host operating system, so these flaws are harder to detect and to patch than OS-level ones.

The NSA and CISA warn that attackers linked to the Chinese government are exploiting vulnerabilities in Citrix products. Updating to the patched versions, which close these vulnerabilities, is strongly recommended.

New studies compare the characteristics of cyber criminals with those of "classic" criminals and with the general population, and break down the stereotype of the lonely, socially inept individual.

Researchers were able to use ChatGPT to generate a variety of defensive and offensive artifacts, from working YARA rules to malware targeting iOS.

Attacks

A ransomware gang attacked a local police force in Belgium by mistake. The police confirmed the leak of license plates, fines, personal information, investigation reports and more. They stated that the intrusion did not reach the whole network, but that the affected part still contained sensitive information.

The "invisible body" challenge on TikTok is being abused by attackers offering apps that supposedly remove the filter and reveal the participants' naked bodies. The apps are malware, and thousands of devices have been infected this way.

A French hospital near Paris cancelled operations and transferred some patients after a ransomware attack on its infrastructure. French law prohibits state and public institutions from paying ransoms.

The California Department of Finance fell victim to the LockBit ransomware gang, which claims to have stolen 76 GB of data, including confidential information. The state's finances themselves were not affected.

Other

Products of Huawei, ZTE, Hytera, Hikvision and Dahua, and of their subsidiaries and affiliates, have been assessed as posing an unacceptable risk to US national security. The FCC has therefore barred the authorization of new equipment from these companies for sale in the US.

Google released further emergency updates for Chrome, fixing the eighth and ninth zero-day vulnerabilities of the year, both already being actively exploited.

The data of more than 5.4 million Twitter users was leaked via an API bug. A second leak of private data, expected to be even larger, has also surfaced.

A significant share of US defense subcontractors do not meet basic cybersecurity requirements. In most cases the cause is under-investment in IT, cybersecurity, people and processes; their outdated infrastructure struggles with the threats of the 21st century.

Fortinet urges its customers to update their devices because of an actively exploited vulnerability in FortiOS SSL-VPN. It allows a remote, unauthenticated attacker to execute arbitrary code.

The Pwn2Own hacking competition was held in Toronto. Participants attacked smartphones, wireless routers, smart speakers and other devices. On the first day alone the new Samsung Galaxy S22 was hacked twice, and devices from Canon, MikroTik, NETGEAR, TP-Link, Lexmark, Synology and HP also fell; by the end of that day 26 previously unknown vulnerabilities had been demonstrated.