
The weekly cyber-threat digest (12 Dec 2021)

Here is this week's monitoring report, covering the most interesting news items. Some of them will be developed further in upcoming articles. Happy reading, and thanks for the coffee 😉


Data theft / loss

Online avatar service Gravatar allows mass collection of user info

A user enumeration technique discovered by security researcher Carlo Di Dato demonstrates how Gravatar can be abused for mass data collection of its profiles by web crawlers and bots. Gravatar is an online avatar service that lets users set and use a profile picture (avatar) across multiple websites that support Gravatar.

French Transport Giant Exposes 57,000 Employees and Source Code

A state-owned French transportation giant has inadvertently exposed nearly 60,000 employees to identity fraud after leaking their personal information via an unsecured HTTP server, according to researchers. A team at vpnMentor found the server on October 13, and deduced from the file names that the culprit was Régie Autonome des Transports Parisiens (RATP), which runs public transport across the French capital and beyond.

Volvo announces some R&D files stolen during cyberattack | ZDNet

Volvo Cars has released a statement confirming a breach of sensitive files that resulted from a cyberattack. Volvo said it is now aware that « one of its file repositories has been illegally accessed by a third party. » « Investigations so far confirm that a limited amount of the company’s R&D property has been stolen during the intrusion. »

Cyberattacks / fraud

Cyber-attack on Hellmann Worldwide Logistics

A cyber-attack has been carried out against major German logistics provider Hellmann Worldwide Logistics. The security incident forced Hellmann to take its central data center offline yesterday. Today, operations at the Osnabrück-based company remain disrupted. Hellmann said that since the attack was discovered, it has been under the constant observation of its Global Crisis Taskforce, which is analyzing the incident.

Spar shops across northern England close after cyber attack

The British arm of Dutch supermarket chain Spar has shut hundreds of shops after suffering an « online attack, » the company has confirmed to The Register. « This has not affected all SPAR stores across the North of England, » a Spar spokesman told us, « but a number have been impacted over the past 24 hours and we are working to resolve this situation as quickly as possible. »

BlackCat ransomware ready to wreak havoc – Le Monde Informatique

Attacking its victims by stealing and encrypting their data, then threatening to publish it if the ransom is not paid, BlackCat presents itself as a worthy successor to the BlackMatter and REvil ransomware families. Highly configurable and well secured, its future unfortunately seems all mapped out.

Emotet now drops Cobalt Strike, fast forwards ransomware attacks

In a concerning development, the notorious Emotet malware now installs Cobalt Strike beacons directly, giving immediate network access to threat actors and making ransomware attacks imminent. Emotet is a malware infection that spreads through spam emails containing malicious Word or Excel documents.

Ransomware Jerks Helped Cause the Cream Cheese Shortage

Following attacks on our , municipal governments, and fuel supplies, hackers have finally gone too far: They fucked with America’s cream cheese. There’s been a serious shortage of cream cheese in recent weeks, one of the many seemingly random products that have come into short supply amid widespread supply chain disruption and labor shortages.

Brazilian Ministry of Health suffers cyberattack and COVID-19 vaccination data vanishes | ZDNet

Websites under Brazil’s Ministry of Health (MoH) have suffered a major ransomware attack that resulted in the unavailability of COVID-19 vaccination data of millions of citizens. Following that attack that took place at around 1 am today, all of MoH’s websites including ConecteSUS, which tracks the trajectory of citizens in the public healthcare system, became unavailable.

Massive attack against 1.6 million WordPress sites underway

Wordfence analysts report having detected a massive wave of attacks in the last couple of days, originating from 16,000 IPs and targeting over 1.6 million WordPress sites. The threat actors target four WordPress plugins and fifteen Epsilon Framework themes, one of which has no available patch.

Ransomware attack locks hotel guests out of rooms

Earlier this week, Nordic Choice Hotels announced an attack on its IT systems, which they believed to be a « computer virus ». However, it has since been revealed that it was the target of Conti ransomware, leading to hotel guests being locked out of their rooms. As IoT becomes more connected, the threat of home and corporate security systems being targeted will only increase.

BitMart: hackers siphoned off more than 150 million dollars in crypto-assets

The exchange had the private keys of two of its wallets stolen. The company intends to fully reimburse its customers.

Kazakh activists targeted by the Pegasus spyware

The Pegasus spyware was used to hack the phones of four Kazakh activists, the NGO Amnesty International revealed on Thursday, 9 December. Tamina Ospanova, Dimash Alzhanov, Aizat Abilseit and Darkhan Sharipov belong to the youth movement Oyan, Qazaqstan (« Wake up, Kazakhstan »), which is critical of the ruling power.

FBI warns that Cuba ransomware group has compromised 49 entities in five critical infrastructure sectors

The FBI has identified, as of early November 2021, that Cuba ransomware actors have compromised at least 49 entities in five critical infrastructure sectors, including but not limited to the financial, government, healthcare, manufacturing, and information technology sectors, an alert posted last Thursday by the agency stated.

Microsoft seizes domains used to attack 29 global governments | ZDNet

Microsoft has announced the seizure of dozens of domains used in attacks by the China-based APT group Nickel on governments and NGOs across Europe, the Americas and the Caribbean.

Flaws / vulnerabilities

Zero Day in Ubiquitous Apache Log4j Tool Under Active Attack

An excruciating, easily exploited flaw in the ubiquitous Java logging library Apache Log4j could allow unauthenticated remote code execution (RCE) and complete server takeover – and it’s being exploited in the wild. The flaw first turned up on sites that cater to users of the world’s favorite game, Minecraft, on Thursday.

Ireland Conti ransomware attack vector was spam email

Ireland’s Health Service Executive (HSE) was almost paralysed by ransomware after a single user opened a malicious file attached to a phishing email, a consultancy’s damning report has revealed. Issued today, the report from PWC (formerly known as PriceWaterhouseCoopers) said that the hugely harmful Conti ransomware infection was caused because of the simplest attack vector known to infosec: spam.

New zero-day exploit for Log4j Java library is an enterprise nightmare

Proof-of-concept exploits for a critical zero-day vulnerability in the ubiquitous Apache Log4j Java-based logging library are currently being shared online, exposing home users and enterprises alike to ongoing remote code execution attacks. Log4j is developed by the Apache Foundation and is widely used by both enterprise apps and cloud services.

Justice / police / regulation

Cyber Command boss acknowledges US military actions against ransomware groups – CyberScoop

The U.S. military has taken offensive measures against ransomware groups, U.S. Cyber Command leader Gen. Paul Nakasone confirmed Saturday. « Before, during and since, with a number of elements of our government, we have taken actions and we have imposed costs, » Nakasone told The New York Times in an interview.

Canada Charges Its « Most Prolific Cybercriminal »

A 31-year-old Canadian man has been arrested and charged with fraud in connection with numerous ransomware attacks against businesses, government agencies and private citizens throughout Canada and the United States. Canadian authorities describe him as « the most prolific cybercriminal we’ve identified in Canada, » but so far they’ve released few other details about the investigation or the defendant.

Switzerland

Mitto AG, the Google and WhatsApp partner that secretly offers mobile surveillance services

Mitto AG has two lines of business. One is official and involves sending SMS in bulk. The other is unofficial and allows people to be spied on through their smartphones.

CVE – 2021 News & Events

CVE® is a list of records – each containing an identification number, a description, and at least one public reference – for publicly known cybersecurity vulnerabilities. The mission of the CVE Program is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities.

Switzerland National Cyber Security Centre (NCSC) is now a CVE Numbering Authority (CNA) for the Switzerland Government Common Vulnerability Program.

Miscellaneous

Germany’s new government will firmly defend encryption, key Social Democrat says

The next German government intends to speak more strongly in favour of end-to-end encryption and against the introduction of backdoors, Jens Zimmermann, the digital policy expert for the Social Democrats (SPD) who co-negotiated the coalition agreement’s chapter on digitalisation, told EURACTIV in an interview.

How Google is battling the Glupteba botnet that leverages the blockchain

Google has announced that it has taken steps to disrupt the operations of Glupteba, a multi-component botnet targeting Windows computers. This network of zombie machines (infected PCs and servers acting as relays) is notable for using the blockchain to make its infrastructure resilient.

Threat-intelligence analyst and cybersecurity specialist