From SBF to the GRU, these were the most disruptive forces of online chaos this year.

Russian soldiers poured into Ukraine, accompanied by a wave of cyberattacks across the country. A major cryptocurrency exchange imploded and declared bankruptcy, vaporizing billions of dollars from that digital economy. The once-biggest dark-web drug market—after being demolished by law enforcement—clawed back to the top of the online underworld after doggedly resurrecting itself.

It's not 2014, though you could be forgiven for being confused. No, all these episodes of global chaos occurred in 2022, each one a rerun of previous events, but now with the threat they posed vastly multiplied in scale.

This year, some of the phantoms of the Trump era and the Covid-19 pandemic finally seemed to recede—only to make room for new threats and the return of ghosts of years past. The same dictators—Vladimir Putin, Xi Jinping, Kim Jong Un—who have long threatened the global order, their geographic neighbors, and their countries' own citizens. Fresher digital threats like India's slide into online repression, and brazen cybercriminals displaying more ruthlessness than ever. And then there were some vestiges of the Trump era that seemed to have hung on, such as one particularly loud and quixotic billionaire with a large, cultlike following, seemingly doing his best to singlehandedly corrupt social media.

Every year, WIRED assembles a list of the most dangerous people on the internet. For the first time since 2015, Donald Trump doesn't top this list. But there's no shortage of new sources of instability and disruption online. Here are our picks for 2022.

Sam Bankman-Fried

For its entire existence, the cryptocurrency world has been plagued with money laundering, theft, and scams, from Bitcoin-powered dark-web drug markets to billions of dollars stolen from crypto companies by rogue hackers. But one of the most dangerous players in the crypto economy, it seems, was hiding in plain sight. In the collapse of cryptocurrency exchange FTX, a poster boy for cryptocurrency’s growing legitimacy, Sam Bankman-Fried, now stands accused of more than $8 billion in fraud. The rippling fallout for the cryptocurrency economy could be far larger, and the tangled dealings and mismanagement of user funds in FTX's meltdown have yet to be fully unraveled—even the company's new CEO John Ray, who also handled the bankruptcy of Enron, says he's never seen a bigger mess. Under Bankman-Fried's hands-on leadership, FTX invested vast sums of users' cryptocurrency in his own trading platform Alameda Research, which has also gone bankrupt. Aside from those enormous losses, Bankman-Fried represents a particularly troubling figure for the ills of the crypto economy: Unlike so many others in the crypto world, he had appeared to actually _welcome_ tighter government controls of the industry. Now, like a hybrid of Elizabeth Holmes and Lehman Brothers, he's come to represent the face of regulatory capture.

Elon Musk

The antics of Elon Musk, as a Willy Wonka figure with his mercuriality dialed up to 11, seemed harmless enough—or possibly even a net good for human progress—when he was focused on next-generation rockets and electric cars. But with his acquisition of Twitter, the dark side of Musk was put on display, and the fickle power of the (sometimes) world's richest man suddenly threatened a central institution of the internet. Musk's immediate, summary layoffs of thousands of Twitter's staffers put at risk key functions of a service that serves as a central artery of digital conversation. Sure, he justified lifting Twitter's ban on neo-Nazis like Andrew Anglin as well as former president Donald Trump (after the latter was removed from Twitter after using it to incite the January 6 riots and invasion of the US Capitol building) with free speech arguments. But Twitter's new emperor has also decimated its staff of content moderators, leading to situations like a single staffer being left to police child abuse content on Twitter for all of Japan and the Asia-Pacific region. Under Musk's watch, Twitter has also banned left-wing accounts he described as "antifa," contradicting his stance on free speech. Just days after the acquisition, Musk briefly tweeted—then deleted—disinformation that the man who attacked US House speaker Nancy Pelosi’s husband in October was his gay lover. Later, he seemed to call for the prosecution of the White House’s chief medical advisor Anthony Fauci for his handling of the Covid-19 pandemic, without explanation. In doing so, he offered a glimpse of the conspiracy-minded politics and trolling that truly drive his actions. Twitter hasn't collapsed under Musk, as some of its doomsayers predicted. But it may be morphing into the worst version of itself.

Xi Jinping

Xi Jinping has presided over some of China's worst human rights abuses, including its mass internment of Uyghur Muslims in Xinjiang and the crackdown on protestors in Hong Kong. Each of those waves of repression has come with its own accompanying tightening of restrictions online, as censors scoured social media for any reference to protests and Han Chinese police in Xinjiang even demanded that Uyghurs download an app that scans their phones for banned content. This year, the protests against China's draconian zero-Covid lockdowns have triggered a new online crackdown, one in which even "liking" a post about protests is deemed illegal and signs of misbehavior are tracked in a regulated "credit system" that can lead to users being summarily banned from online platforms. Xi has already established himself as the most powerful figure in China's government in decades, taking an unprecedented third term as head of the Chinese Communist Party. He's made clear that authoritarian power will extend deep into the digital lives of the world's biggest population of internet users.

Narendra Modi

Under Modi and his party, the BJP, India has become increasingly China-like in its repression of protests both physical and digital. In just the past few years, the Indian government temporarily shut down the internet in the embattled region of Kashmir, banned a large collection of China-based apps including TikTok, and just weeks ago delegated oversight of content moderation decisions on social media to a three-person group—a move widely seen as the latest step in the government's attempts to tighten its grip on those platforms. In perhaps the most appalling case of digital repression, security researchers this year revealed that hackers who fabricated evidence on the computers of activists in the region near the city of Pune had ties to the very same Pune police who arrested those activists. One of the activists targeted in that frame job died in detention. Eleven other defendants in the case remain in jail. Modi's India has proven that even a so-called democracy offers no guarantees of a remotely free internet.

GRU

Russia's GRU military intelligence agency has, for years, been home to some of the most aggressive and dangerous hackers in the world. The GRU groups known as Sandworm and APT28 have, in just the past seven years, triggered two blackouts in Ukraine, launched the hack-and-leak operation designed to sway the US 2016 election, released the NotPetya malware that spread worldwide and caused at least $10 billion in damage, and tried to destroy the backend of the 2018 Olympics. In 2022, thanks to Russia's unprovoked and brutal war in Ukraine, the GRU's focus zeroed in again on the country that has long been Russia's favorite hacking victim. In 2022, it launched countless cyberattacks designed to destroy data on Ukrainian government and corporate networks, often in tandem with physical attacks carried out by the invasion forces. One GRU malware attack went so far as to disable communications to 5,000 wind turbines across Germany in a case of collateral damage reminiscent of NotPetya. The GRU's Sandworm hackers also attempted a third blackout attack in Ukraine, which—according to Ukraine's government at least—defenders managed to foil this time. A+ for continued wanton, reckless aggression. B- for execution.

DeSnake

When the dark-web market for drugs and hacked data known as AlphaBay was shut down in 2017 and its creator Alexandre Cazes was found dead in a Thai jail cell, it seemed the story of AlphaBay was over. Then, in the summer of last year, fully four years after that massive bust, AlphaBay relaunched under the command of its cofounder and Cazes' top lieutenant, known only as DeSnake. In the year-plus since then, DeSnake has dragged AlphaBay back to the top of the dark web's competing scrum of criminal markets. To his credit, he's set more rules for what can be sold on his black market than Cazes ever did, banning the sale of fentanyl and ransomware tools, for instance. But AlphaBay remains a bustling criminal bazaar for hard drugs and stolen data, and it may be harder to shut down than ever. DeSnake has implemented security upgrades to the site, such as allowing only the harder-to-trace cryptocurrency Monero instead of Bitcoin. And he also claims to be located in the former Soviet Union—potentially putting him far farther beyond the reach of law enforcement than his unlucky predecessor.

Lazarus

In 2022, North Korea continued to distinguish itself as the world's top perpetrator of state-sponsored cybercrime: Its government hackers continued to steal hundreds of millions of dollars worth of loot, largely in the form of cryptocurrency, from targets around the globe. That spree of burglaries actually seems to be escalating. According to the blockchain analysis firm Chainalysis, North Korean thieves took in $840 million in the first five months of 2022 alone, more than the previous two years combined. Some $600 million of that came from just one heist. All of it goes toward funding one of the worst regimes in the world, with hundreds of thousands of political prisoners in concentration camps and a tendency to fire missiles over its neighbors' heads.

Conti

The scourge of ransomware continued to plague the world in 2022, and no group illustrated that threat better than Conti. In the first months of the year, the group hit dozens of corporate and government targets. Most catastrophically, it launched a wave of crippling cyberattacks across Costa Rica, shutting down 27 government bodies and medical services there and leading to a national state of emergency. After Russia's invasion of Ukraine, Conti declared its full support for that war—a decision that led to one of its disgruntled members leaking a vast trove of the group's internal communications online. Conti has subsequently shut down, but likely only in name. Its hackers may have rebranded and splintered, but the chaos that is their business model will no doubt persist.

Lapsus$

The only thing more dangerous than a group of ruthless ransomware hackers is a group of ruthless ransomware hackers who are also teenagers. In December of 2021, Lapsus$ made its entrance onto the hacking scene with a cyberattack on the Brazilian Ministry of Health in the midst of its Covid-19 response. It's since carried out a spree of splashy, often nihilistic breaches of major tech firms including Uber, Okta, Rockstar Games, Nvidia, Microsoft, Samsung, and Vodafone. Last spring, British law enforcement arrested seven people suspected of being members of the group, all ages 16 to 21. Those arrests included Lapsus$'s alleged 16-year-old "mastermind." But inexplicably, those suspects were released without charges, and the group's "hacker joyride" rolls on.

APT41

For years, China's hackers focused on by-the-book espionage. But more recently, one group, known as APT41, has proven itself to be the closest thing China has to North Korean state-sponsored cybercriminals. That group, which the US Department of Justice tied in an indictment to the Ministry of State Security contractor known as Chengdu 404, has for years moonlighted as a for-profit cybercriminal outfit. Just this month, the group was linked to the theft of $20 million in Covid-19 relief funds, an unprecedented robbery of US government money by a Chinese state-sponsored hacking outfit. Meanwhile, APT41 was also responsible for dozens of espionage-focused intrusions across the world this year, according to analysts at PricewaterhouseCoopers, which calls the group the most prolific cyberspying operation in the world. Despite the Justice Department charging seven of the group's members in 2020, they remain at large, and their unique blend of espionage and outright theft continues unabated.

The Most Dangerous People on the Internet in 2022

**SAN FRANCISCO****,** **Dec. 22, 2022** **/PRNewswire/ --** The global passwordless authentication market size is expected to reach USD 55.70 billion by 2030, growing at promising 18.2% CAGR, according to a new report by Grand View Research, Inc. Passwordless authentication is a security procedure that uses unique biological traits of a person to validate their authenticity.

**Key Industry Insights & Findings from the report:**

*   Growing investments in developed countries such as the U.S., Canada, Germany, France, and the U.K. for implementing passwordless authentication technology is a crucial factor driving the growth.
*   Fingerprint recognition and facial recognition provide various benefits. The increased security, accountability, convenience, and their non-transferable nature are crucial drivers for the growth.
*   The surge in e-commerce and internet banking, as well as legislations by various authorities such as central banks mandates large organizations to utilize robust authentication mechanisms to authenticate customers.
*   Multi-factor authentication protects clients from phishing attempts and fraudulent purchases and secures transactions.

Read 117-page market research report, "Passwordless Authentication Market Size, Share & Trends Analysis Report By Component, By Product Type (Facial Recognition, Fingerprint, Iris), By Authentication Type, By Portability, By End-user, By Region, And Segment Forecasts, 2022 - 2030", published by Grand View Research.

**Passwordless Authentication Market Growth & Trends**

The increasing adoption of smartphones and other electronic gadgets is a crucial element driving the biometric authentication market forward. According to a July 2022 Oxford Economics and Samsung study, up to 85% of small and midsize enterprises allow all or most of their staff to use mobile devices for work. Personal laptops and smartphones used by employees might expose a small firm to the dangers of unauthorized access to proprietary data, files, and systems. Such solutions remain the need of the hour and growing focus of many companies around the world.

For instance, in September 2022, AaDya Security, a cyber-security firm, announced the availability of passwordless authentication for Judy, the first all-in-one cybersecurity solution for SMEs. The new security feature protects how small business employees access company resources, mainly when they operate remotely and on mobile phones and personal laptops.

The growing requirement for an additional layer of protection beyond passwords fuels the growth of the passwordless authentication industry. To authenticate identities, fingerprint sensors and smartcards are utilized, and these security points allow for a seamless experience and data flow across locations. Most businesses are using voice biometric authentication in their workplaces for their personnel.

Reduced fraud exposure and lower authentication costs often drive organizations to implement voice biometric technology in their facilities. For instance, in July 2022, Turant Inc., a voice biometric AI firm, launched its cutting-edge AI solution in India. The company seeks to eliminate OTP-related fraud in transactions across use cases across business/industry domains, including e-commerce deliveries, by making it available in all Indian languages and roughly 20,000 dialects.

Furthermore, due to the increasing number of incidences of data theft around the world, passwordless authentication has gained popularity. Data theft issues in devices such as computers, cellphones, and tablets have increased the requirement for protection beyond passwords. fingerprint sensors and facial recognition are ways modern gadgets can be secured to prevent data theft.

For instance, in August 2022, ForgeRock, an international identity and access management software business, established strategic cooperation with Israeli software company Secret Double Octopus. ForgeRock will use SDO technology to provide employees, contractors, and vendors with a unified multi-factor secure experience. ForgeRock Enterprise Connect, the new solution, connects effortlessly with any ForgeRock deployment option, allowing organizations to gain increased security for databases, workstations, VPNs, and servers.

**Passwordless Authentication Market Segmentation**

Grand View Research has segmented the global passwordless authentication market based on component, product type, authentication type, portability, end-user, and region:

**Passwordless Authentication Market - Component Outlook (Revenue, USD Million, 2017 - 2030)**

*   Hardware
*   Software
*   Services

**Passwordless Authentication Market - Product Type Outlook (Revenue, USD Million, 2017 - 2030)**

*   Fingerprint Authentication
*   Palm Recognition
*   Iris Recognition
*   Face Recognition
*   Voice Recognition
*   Smart Card
*   Others

**Passwordless Authentication Market - Type Outlook (Revenue, USD Million, 2017 - 2030)**

*   Single-factor Authentication
*   Multi-factor Authentication

**Passwordless Authentication Market - Portability Outlook (Revenue, USD Million, 2017 - 2030)**

*   Fixed
*   Mobile

**Passwordless Authentication Market - End-user Outlook (Revenue, USD Million, 2017 - 2030)**

*   IT & Telecom
*   Retail
*   Transportation & Logistics
*   Aerospace & Defense
*   BFSI
*   Healthcare
*   Government
*   Others

**Passwordless Authentication Market - Regional Outlook (Revenue, USD Million, 2017 - 2030)**

*   North America

*   U.S.
*   Canada
*   Mexico

*   Europe

*   U.K.
*   Germany
*   France

*   Asia Pacific

*   China
*   India
*   Japan

*   Central & South America

*   Brazil

*   Middle East and Africa (MEA)

**List of Key Players in the Passwordless Authentication Market**

*   ASSA ABLOY
*   DERMALOG Identification Systems GmbH
*   East Shore Technology, LLC
*   Fujitsu
*   HID Global Corporation
*   M2SYS Technology
*   Microsoft
*   NEC Corporation
*   Safran
*   Thales.

**Check out more related studies published by Grand View Research:**

*   Facial Recognition Market **\-** The global facial recognition market size is expected to reach USD 12.11 billion by 2028 according to a new report by Grand View Research, Inc. The market is anticipated to expand at a CAGR of 15.4% from 2021 to 2028. Facial recognition is a contactless biometric solution that is a critical factor contributing the market growth.
*   Multi-factor Authentication Market \- The global multi-factor authentication (MFA) market size is expected to reach USD 17.76 billion by 2025, according to a new study by Grand View Research, Inc., experiencing a CAGR of 15.07% during the forecast period. Increasing implementation of BYOD and cloud-based services across enterprises, along with the growing security regulations and mandates, is benefiting market growth.
*   3D Secure Payment Authentication Market \- The global 3D secure payment authentication market size is expected to reach USD 2.76 billion by 2030, growing at a CAGR of 12.2% from 2022 to 2030, according to a new study conducted by Grand View Research, Inc. The rising demand for e-commerce has augmented the use of Card Not Present (CNP) transactions. As a result of such an increase in CNP transactions, the growth in CNP fraud transactions has been observed over the past few years.

**Browse through Grand View Research's** Next Generation Technologies Industry **Research Reports.**

**About Grand View Research**

Grand View Research, U.S.-based market research and consulting company, provides syndicated as well as customized research reports and consulting services. Registered in California and headquartered in San Francisco, the company comprises over 425 analysts and consultants, adding more than 1200 market research reports to its vast database each year. These reports offer in-depth analysis on 46 industries across 25 major countries worldwide. With the help of an interactive market intelligence platform, Grand View Research Helps Fortune 500 companies and renowned academic institutes understand the global and regional business environment and gauge the opportunities that lie ahead.

Passwordless Authentication Market to Be Worth $55.7 Billion by 2030: Grand View Research, Inc.

By Deeba Ahmed
Okta has, however, confirmed that attackers couldn’t access its customer data or services. Authentication giant Okta has suffered…
This is a post from HackRead.com Read the original post: GitHub Attack Allowed Attackers to Steal Okta’s Source Code

Okta has, however, confirmed that attackers couldn’t access its customer data or services.

Authentication giant Okta has suffered yet another security breach. Reportedly, someone stole Okta’s source code after attacking its repositories on **GitHub**.

Okta’s chief security officer, David Bradbury, issued a “confidential” email notification to their “security contacts,” revealing that the suspicious activity the company detected earlier in December 2022 has led to the leaking of its code repositories.

“Upon investigation, we have concluded that such access was used to copy Okta code repositories,” Okta’s notification read.

“We have decided to share this information consistent with our commitment to transparency and partnership with our customers,” Okta explained.

According to Bradbury, GitHub notified it about a possible suspicious activity and that someone accessed its code repositories. Okta launched an investigation and concluded that the access had indeed occurred. In response, the company temporarily restricted access to Okta GitHub repositories and suspected all GitHub integrations with 3rd party apps.

Okta has confirmed that the attackers couldn’t access its customer data or services, **reports** Bleeping Computer. Hence, users of its different services, including HIPAA, DoD, and FedRAMP, were unaffected by this incident and didn’t need to adopt threat-prevention practices.

It is worth noting that the users of these services are mainly US-based government, healthcare, and defence organizations.

**Okta and Cyber Attacks**

Okta is a cloud-based identity and access management platform that provides secure single sign-on, user provisioning, data security and mobile device management.

The company already had a troublesome year regarding security. **In March 2022**, Okta confirmed a data breach by the ransomware group LAPSUS$, and in September, Auth0, which is owned by Okta, reported the theft of its old source code.

**Possible Repercussions?**

There’s no doubt that source code is a valuable asset, and its stealing or leaking can have far-reaching consequences. Okta, a mainstream authentication platform, should be really concerned because attackers can use its source code to discover hidden flaws and launch new attacks against its customers.

So far, this breach seems limited to Okta’s Workforce Identity Cloud product and not Auth0 Customer Identity Cloud. Okta plans to share more findings about the incident soon.

1.  **LastPass Security Breach – Hackers Steal Source Code**
2.  **Source codes exposed in Microsoft Azure Blob account leak**
3.  **Lapsus$ Hackers Stole T-Mobile’s Source Code, Systems Data**
4.  **Twitch hacked- Source code, Streamer payment figures leaked**
5.  **Samsung confirms data breach as Lapsus$ leak its source code**

GitHub Attack Allowed Attackers to Steal Okta’s Source Code

More zero knowledge attacks, more leaked credentials, more Gen-Z cyber crimes - 2022 trends and 2023 predictions.
Cybercrime remains a major threat to individuals, businesses, and governments around the world. Cybercriminals continue to take advantage of the prevalence of digital devices and the internet to perpetrate their crimes. As the internet of things continues to develop, cybercriminals

More zero knowledge attacks, more leaked credentials, more Gen-Z cyber crimes - 2022 trends and 2023 predictions.

Cybercrime remains a major threat to individuals, businesses, and governments around the world. Cybercriminals continue to take advantage of the prevalence of digital devices and the internet to perpetrate their crimes. As the internet of things continues to develop, cybercriminals will have access to a greater number of vulnerable devices, allowing them to carry out more sophisticated attacks. Cybercrime is expected to become increasingly profitable as criminals continue to find new and better ways to monetize their attack as entry barriers to cybercrime keep going down.

This article discusses key trends we've noticed in 2022 that will likely continue in 2023, which we'll also elaborate on in the upcoming webinar "The Rise of the Rookie Hacker - a new trend to reckon with" on January 11th.

****Leaked credentials will continue to be the main attack vector for initial access****

According to IBM's cost of a breach 2022 report, use of stolen or compromised credentials remains the most common cause of a data breach.

The main source for leaked credentials in 2022 was Info-Stealers - a malware that can steal stored credentials from browsers, cookies (used for session hijacking and to bypass MFA), crypto wallets, and more. Redline Stealer, in particular, gained a lot of popularity among threat actors which led to the creation of several other stealers such as the "Luca stealer" and the "eternity stealer". The latter is part of an end-to-end offering named the eternity project, which allows threat actors to buy or rent any tool they need to launch an attack against a target of their choosing.

Stolen or compromised credentials were the primary attack vector in 19% of breaches in the 2022 study and also the top attack vector in the 2021 study. This trend is most likely to keep in its upward trajectory as a whopping 59% of organizations don't deploy zero-trust, incurring an average of 1 million USD in greater breach costs compared to those that do deploy. Until organizations' cybersecurity will mature, the volume and cost of breaches will continue to rise.

****A rise in zero-knowledge attacks****

Cybercrimes such as DDoS, malware, and ransomware are all offered as subscription services, lowering the entry barrier into cybercrime. For example, per the Microsoft Digital Defense Report 2022, phishing kits are offered on the dark web from as little as $6 and DDoS attack subscriptions for as little as $500. Ransomware-as-a-Service offered as an affiliates model is the preferred method by actors, this means "renting" an already made operation and splitting the revenue based on income and activity. The rise of "clearnet malware" - malware that can be purchased on everyday platforms like Telegram (Hello again eternity project!) helps simplify setting up a cybercrime campaign or operation. The proliferation of crypto payment platforms makes it even easier to trade in cybercrime products and services, pushing the entire cybercrime ecosystem even further.

****Younger threat actors - average age will continue to drop****

In terms of cyberattacks, 2022 was Gen Z's time to shine, leading with UK teen group Lapsus$ that went on a hacking spree targeting tech titans like Microsoft, Nvidia, Samsung, Ubisoft, and Okta. Generation Z is currently the largest generation on earth. Besides their strength in numbers, they are "digital natives", being born into a world with the internet, smartphones, cloud technologies, and social networks. Being young, they naturally crave social validation which they get in the digital sphere. Lapsus$'s main motivator was "Kudos" - they were "doing it for the lulz". The ease of launching zero-knowledge attacks, combined with Gen Z's digital nativeness and their need for social validation in the digital sphere will most likely contribute to the continuous drop in the average age of cyber criminals.

****We'll still need humans in the loop****

Enterprises invest billions of dollars deploying multi-layered security frameworks, platforms, and programs, but at the end of the day, enterprises are made of people, and people can be tricked.

Social engineering is an increasingly popular tactic used by cyberattackers to gain access to sensitive data. It involves exploiting human psychology to manipulate victims into providing confidential information or taking certain actions in order to gain access to a system or network.

LAPSUS$'s modus operandi was based on a text-book sim swapping scam. They bought credentials of the person with the right access to resources within an enterprise, called the phone provider, reporting the phone stolen, rerouted the sim to their own phone, triggered multi factor authentication on an enterprise access point (e.g. Office365 login page), and did a password reset. It was ridiculously simple and devastatingly efficient.

The best technology in the world can't completely remove the risk of human vulnerability. For that you need other humans trained in that. The cybersecurity workforce gap compelled enterprises to outsource this part of their cybersecurity to a managed detection and response (MDR) service. In fact, (according to Reportlinker.com) the global MDR market size is expected to grow from an estimated value of 2.6 billion USD in 2022 to 5.6 billion USD by 2027, at a Compound Annual Growth Rate (CAGR) of 16.0%. Technology is great, machines are great, but we still need humans.

Join Ronen Ahdut, Head of Cyber Threat Intelligence at Cynet for a webinar "The Rise of the Rookie Hacker - a new trend to reckon with" on January 11th at 10AM ET / 15:00 GMT. The webinar will deep-dive into 2023 cybersecurity trends, threats, and technology, including the need for human oversight in cybersecurity and how to detect these new threats.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

The Rise of the Rookie Hacker - A New Trend to Reckon With

Microsoft on Tuesday disclosed it took steps to suspend accounts that were used to publish malicious drivers that were certified by its Windows Hardware Developer Program were used to sign malware.
The tech giant said its investigation revealed the activity was restricted to a number of developer program accounts and that no further compromise was detected.
Cryptographically signing malware is

Microsoft on Tuesday disclosed it took steps to suspend accounts that were used to publish malicious drivers that were certified by its Windows Hardware Developer Program were used to sign malware.

The tech giant said its investigation revealed the activity was restricted to a number of developer program accounts and that no further compromise was detected.

Cryptographically signing malware is concerning not least because it not only undermines a key security mechanism but also allows threat actors to subvert traditional detection methods and infiltrate target networks to perform highly privileged operations.

The probe, Redmond stated, was initiated after it was notified of rogue drivers being used in post-exploitation efforts, including deploying ransomware, by cybersecurity firms Mandiant, SentinelOne, and Sophos on October 19, 2022.

One notable aspect of these attacks was that the adversary had already obtained administrative privileges on compromised systems before using the drivers.

"Several developer accounts for the Microsoft Partner Center were engaged in submitting malicious drivers to obtain a Microsoft signature," Microsoft explained. "A new attempt at submitting a malicious driver for signing on September 29, 2022, led to the suspension of the sellers' accounts in early October."

According to an analysis from Sophos threat actors affiliated with the Cuba ransomware (aka COLDDRAW) planted a malicious signed driver in a failed attempt at disabling endpoint detection tools via a novel malware loader dubbed BURNTCIGAR, which was first revealed by Mandiant in February 2022.

The company also identified three variants of the driver signed by code signing certificates that belong to two Chinese companies, Zhuhai Liancheng Technology and Beijing JoinHope Image Technology.

The reasoning behind using signed drivers is that it offers a way for threat actors to get around crucial security measures which require kernel-mode drivers to be signed in order for Windows to load the package. What's more, the technique misuses the de facto trust security tools place in Microsoft-attested drivers to their advantage.

"Threat actors are moving up the trust pyramid, attempting to use increasingly more well-trusted cryptographic keys to digitally sign their drivers," Sophos researchers Andreas Klopsch and Andrew Brandt said. "Signatures from a large, trustworthy software publisher make it more likely the driver will load into Windows without hindrance."

Google-owned Mandiant, in a coordinate disclosure, said it observed a financially motivated threat group known as UNC3944 employing a loader named STONESTOP to install a malicious driver dubbed POORTRY that's designed to terminate processes associated with security software and delete files.

Stating that it has "continually observed threat actors use compromised, stolen, and illicitly purchased code-signing certificates to sign malware," the threat intelligence and incident response firm noted that "several distinct malware families, associated with distinct threat actors, have been signed with this process."

This has given rise to the possibility that these hacking groups could be leveraging a criminal service for code signing (i.e., malicious driver signing as a service), wherein the provider gets the malware artifacts signed through Microsoft's attestation process on behalf of the actors.

STONESTOP and POORTRY are said to have been used by UNC3944 in attacks aimed at telecommunication, BPO, MSSP, financial services, cryptocurrency, entertainment, and transportation sectors, SentinelOne said, adding a different threat actor utilized a similar signed driver that resulted in the deployment of Hive ransomware.

Microsoft has since revoked the certificates for impacted files and suspended the partners' seller accounts to counter the threats as part of its December 2022 Patch Tuesday update.

This is not the first time digital certificates have been abused to sign malware. Last year, a Netfilter driver certified by Microsoft turned out to be a malicious Windows rootkit that was observed communicating with command-and-control (C2) servers located in China.

It's not a Windows-only phenomenon, however, as Google this month published findings that compromised platform certificates managed by Android device makers including Samsung and LG had been used to sign malicious apps distributed through unofficial channels.

The development also comes amid a broader abuse of signed drivers to sabotage security software in recent months. The attack, referred to as Bring Your Own Vulnerable Driver (BYOVD), involves exploiting legitimate drivers that contain known shortcomings to escalate privileges and execute post-compromise actions.

Microsoft, in late October, said it's enabling the vulnerable driver blocklist (DriverSiPolicy.p7b) by default for all devices with Windows 11 2022 update, alongside validating that it's the same across different operating system versions, following an Ars Technica report that highlighted inconsistencies in updating the blocklist for Windows 10 machines.

"Code signing mechanisms are an important feature in modern operating systems," SentinelOne said. "The introduction of driver signing enforcement was key in stemming the tide of rootkits for years. The receding effectiveness of code signing represents a threat to security and verification mechanisms at all OS layers."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Ransomware Attackers Use Microsoft-Signed Drivers to Gain Access to Systems

The company has taken measures to mitigate the risks, but security researchers warn of a broader threat.

Less than two weeks ago, the United States Cybersecurity & Infrastructure Security Agency and FBI released a joint advisory about the threat of ransomware attacks from a gang that calls itself “Cuba.” The group, which researchers believe is, in fact, based in Russia, has been on a rampage over the past year targeting an increasing number of businesses and other institutions in the US and abroad. New research released today indicates that Cuba has been using pieces of malware in its attacks that were certified, or given a seal of approval, by Microsoft.

Cuba used these cryptographically signed “drivers” after compromising a target's systems as part of efforts to disable security scanning tools and change settings. The activity was meant to fly under the radar, but it was flagged by monitoring tools from the security firm Sophos. Researchers from Palo Alto Networks Unit 42 previously observed Cuba signing a privileged piece of software known as a “kernel driver” with an NVIDIA certificate that was leaked earlier this year by the Lapsus$ hacking group. And Sophos says it has also seen the group use the strategy with compromised certificates from at least one other Chinese tech company, which security firm Mandiant identified as Zhuhai Liancheng Technology Co. 

“Microsoft was recently informed that drivers certified by Microsoft’s Windows Hardware Developer Program were being used maliciously in post-exploitation activity,” the company said in a security advisory today. “Several developer accounts for the Microsoft Partner Center were engaged in submitting malicious drivers to obtain a Microsoft signature … The signed malicious drivers were likely used to facilitate post-exploitation intrusion activity such as the deployment of ransomware.”

Sophos notified Microsoft about the activity on October 19 along with Mandiant and security firm SentinelOne. Microsoft says it has suspended the Partner Center accounts that were being abused, revoked the rogue certificates, and released security updates for Windows related to the situation. The company adds that it hasn't identified any compromise of its systems beyond the partner account abuse.

Microsoft declined WIRED's request to comment beyond the advisory.

“These attackers, most likely affiliates of the Cuba ransomware group, know what they’re doing—and they’re persistent," says Christopher Budd, director of threat research at Sophos. “We’ve found a total of 10 malicious drivers, all variants of the initial discovery. These drivers show a concerted effort to move up the trust chain, starting at least this past July. Creating a malicious driver from scratch and getting it signed by a legitimate authority is difficult. However, it’s incredibly effective, because the driver can essentially carry out any processes without question."

Cryptographic software signing is an important validation mechanism meant to ensure that software has been vetted and anointed by a trusted party or “certificate authority.” Attackers are always looking for weaknesses in this infrastructure, though, where they can compromise certificates or otherwise undermine and abuse the signing process to legitimize their malware. 

“Mandiant has previously observed scenarios when it is suspected that groups leverage a common criminal service for code signing,” the company wrote in a report published today. “The use of stolen or fraudulently obtained code signing certificates by threat actors has been a common tactic, and providing these certificates or signing services has proven a lucrative niche in the underground economy.”

Earlier this month, Google published findings that a number of compromised “platform certificates” managed by Android device makers including Samsung and LG had been used to sign malicious Android apps distributed through third-party channels. It appears that at least some of the compromised certificates were used to sign components of the Manuscrypt remote access tool. The FBI and CISA have previously attributed activity associated with the Manuscrypt malware family to North Korean state-backed hackers targeting cryptocurrency platforms and exchanges.

“In 2022, we’ve seen ransomware attackers increasingly attempting to bypass endpoint detection and response products of many, if not most, major vendors,” Sophos' Budd says. “The security community needs to be aware of this threat so that they can implement additional security measures. What’s more, we may see other attackers attempt to emulate this type of attack.”

With so many compromised certificates flying around, it seems that many attackers have already gotten the memo about shifting toward this strategy.

Cuba Ransomware Gang Abused Microsoft Certificates to Sign Malware

By Waqas
Another day, another data breach at Uber - This time around, a hacker has leaked stolen data on a prominent cybercrime and hacking forum.
This is a post from HackRead.com Read the original post: New Uber Data Breach – Hacker Leaks Employee and Other Sensitive Data

Another day, **another data breach at Uber**. This time, one of the world’s leading ride-sharing platforms has suffered yet another security incident, after which hackers posted sensitive employee information and internal corporate data.

It is worth noting that the data has been leaked on BreachForums, which surfaced as an alternative to the now-defunct **now-sized Raidforums**.

**Incident Details**

The cyberattack targeting Uber and Uber Eats occurred over the weekend. The news was first broken by RestorePrivacy on Saturday morning when a hacker with the username UberLeaks started leaking data stolen from the company on a popular data leak platform.

The hacker created four different topics to post the data. This includes Uber MDM at uberhub.uberinternal.com, Uber Eats MDM, and third-party platforms Teqtivity MDM and TripActions MDM.

Image source: Waqas – Hackread.com

**What Data Was Leaked?**

Hackread.com has seen the data and it can be confirmed that it contains several archives, including the source code linked with mobile device management platforms that Uber Eats and Uber both use, along with third-party vendor services.

The leaked data also includes data destruction reports, IT asset management reports, Windows domain login names, and email IDs, apart from corporate info. The Windows Active Director information and email IDs category contained over 77,000 records of Uber employees.

It is possible that this data doesn’t belong to the September breach because the files are unrelated to that incident, and Uber doesn’t own the code. Though Uber users don’t need to feel scared by this data breach, the company’s employees should be worried as they could become a **target of phishing attacks**.

Screengrab source: Waqas – Hackread.com

**Who Could be the Perpetrator?**

Each of the four data leak category titles refers to a **Lapsus$ hacking group** member, also known for high-profile cyberattacks on Samsung, Nvidia, Microsoft, and Ubisoft. It is suspected that the same hacking group has targeted Uber because Lapsus$ had already **attacked Uber in September** and managed to access its internal network and Slack server.

1.  **Hundreds of Uber Eats User records leaked on Dark Web**
2.  **Uber Hacker Targets Rockstar Games, Leaks Trove of GTA 6 Data**
3.  **Uber Rival Careem Hacked, 14 million customer & driver data stolen**

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

New Uber Data Breach – Hacker Leaks Employee and Other Sensitive Data

In findAllDeAccounts of AccountsDb.java, there is a possible denial of service due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-12L Android-13Android ID: A-169762606

*   Docs
    *   Getting Started
    *   Security
    *   Core Topics
    *   Compatibility
    *   Android Devices
    *   Reference
*   GO TO CODE ➚

Stay organized with collections Save and categorize content based on your preferences.

_Published December 5, 2022 | Updated December 7, 2022_

The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Security patch levels of 2022-12-05 or later address all of these issues. To learn how to check a device's security patch level, see Check and update your Android version.

Android partners are notified of all issues at least a month before publication. Source code patches for these issues will be released to the Android Open Source Project (AOSP) repository in the next 48 hours. We will revise this bulletin with the AOSP links when they are available.

The most severe of these issues is a critical security vulnerability in the System component that could lead to remote code execution over Bluetooth with no additional execution privileges needed. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.

Refer to the Android and Google Play Protect mitigations section for details on the Android security platform protections and Google Play Protect, which improve the security of the Android platform.

**Android and Google service mitigations**

This is a summary of the mitigations provided by the Android security platform and service protections such as Google Play Protect. These capabilities reduce the likelihood that security vulnerabilities could be successfully exploited on Android.

*   Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible.
*   The Android security team actively monitors for abuse through Google Play Protect and warns users about Potentially Harmful Applications. Google Play Protect is enabled by default on devices with Google Mobile Services, and is especially important for users who install apps from outside of Google Play.

**2022-12-01 security patch level vulnerability details**

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2022-12-01 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID. Devices with Android 10 and later may receive security updates as well as Google Play system updates.

**Android Runtime**

The vulnerability in this section could lead to local information disclosure with no additional execution privileges needed.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2022-20502

A-222166527

ID

High

13

**Framework**

The most severe vulnerability in this section could lead to remote code execution with no additional execution privileges needed.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2022-20472

A-239210579

RCE

Critical

10, 11, 12, 12L, 13

CVE-2022-20473

A-239267173

RCE

Critical

10, 11, 12, 12L, 13

CVE-2021-39617

A-175190844

EoP

High

11, 12, 12L

CVE-2021-39795

A-201667614

EoP

High

11, 12, 12L, 13

CVE-2022-20124

A-170646036

EoP

High

10, 11, 12, 12L, 13

CVE-2022-20442

A-176094367

EoP

High

10, 11, 12, 12L

CVE-2022-20444

A-197296414 \[2\] \[3\] \[4\] \[5\]

EoP

High

11, 12

CVE-2022-20470

A-234013191

EoP

High

10, 11, 12, 12L, 13

CVE-2022-20474

A-240138294 \[2\]

EoP

High

10, 11, 12, 12L, 13

CVE-2022-20475

A-240663194

EoP

High

11, 12, 12L, 13

CVE-2022-20477

A-241611867

EoP

High

13

CVE-2022-20485

A-242702935 \[2\]

EoP

High

10, 11, 12, 12L, 13

CVE-2022-20486

A-242703118 \[2\]

EoP

High

10, 11, 12, 12L, 13

CVE-2022-20491

A-242703556 \[2\]

EoP

High

10, 11, 12, 12L, 13

CVE-2022-20611

A-242996180

EoP

High

10, 11, 12, 12L, 13

CVE-2021-0934

A-169762606

DoS

High

10, 11, 12, 12L, 13

CVE-2022-20449

A-239701237

DoS

High

10, 11, 12, 12L, 13

CVE-2022-20476

A-240936919

DoS

High

10, 11, 12, 12L

CVE-2022-20482

A-240422263

DoS

High

12, 12L, 13

CVE-2022-20500

A-246540168

DoS

High

10, 11, 12, 12L, 13

**Media Framework**

The vulnerability in this section could lead to local information disclosure with no additional execution privileges needed.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2022-20496

A-245242273

ID

High

12, 12L, 13

**System**

The most severe vulnerability in this section could lead to remote code execution over Bluetooth with no additional execution privileges needed.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2022-20411

A-232023771 \[2\]

RCE

Critical

10, 11, 12, 12L, 13

CVE-2022-20498

A-246465319

ID

Critical

10, 11, 12, 12L, 13

CVE-2022-20469

A-230867224

RCE

High

10, 11, 12, 12L, 13

CVE-2022-20144

A-187702830 \[2\]

EoP

High

10, 11, 12, 12L, 13

CVE-2022-20240

A-231496105 \[2\] \[3\] \[4\]

EoP

High

12, 12L

CVE-2022-20478

A-241764135 \[2\]

EoP

High

10, 11, 12, 12L, 13

CVE-2022-20479

A-241764340 \[2\]

EoP

High

10, 11, 12, 12L, 13

CVE-2022-20480

A-241764350 \[2\]

EoP

High

10, 11, 12, 12L, 13

CVE-2022-20484

A-242702851 \[2\]

EoP

High

10, 11, 12, 12L, 13

CVE-2022-20487

A-242703202 \[2\]

EoP

High

10, 11, 12, 12L, 13

CVE-2022-20488

A-242703217 \[2\]

EoP

High

10, 11, 12, 12L, 13

CVE-2022-20495

A-243849844

EoP

High

10, 11, 12, 12L, 13

CVE-2022-20501

A-246933359

EoP

High

10, 11, 12, 12L, 13

CVE-2022-20466

A-179725730 \[2\]

ID

Moderate

13

ID

High

10, 11, 12, 12L

CVE-2022-20471

A-238177877

ID

High

11, 12, 12L, 13

CVE-2022-20483

A-242459126

ID

High

10, 11, 12, 12L, 13

CVE-2022-20497

A-246301979

ID

High

12, 12L, 13

CVE-2022-20468

A-228450451

ID

Moderate

10, 11, 12, 12L, 13

**Google Play system updates**

The following issues are included in Project Mainline components.

 

Subcomponent

CVE

MediaProvider

CVE-2021-39795

Permission Controller

CVE-2021-39617, CVE-2022-20442

**2022-12-05 security patch level vulnerability details**

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2022-12-05 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID.

**Kernel**

The vulnerability in this section could lead to local information disclosure with no additional execution privileges needed.

    

CVE

References

Type

Severity

Subcomponent

CVE-2022-23960

A-215557547  
Upstream kernel \[2\] \[3\] \[4\] \[5\] \[6\] \[7\] \[8\] \[9\] \[10\] \[11\] \[12\] \[13\] \[14\] \[15\] \[16\] \[17\] \[18\] \[19\] \[20\] \[21\] \[22\] \[23\] \[24\] \[25\] \[26\]

ID

High

Kernel

**Imagination Technologies**

This vulnerability affects Imagination Technologies components and further details are available directly from Imagination Technologies. The severity assessment of this issue is provided directly by Imagination Technologies.

    

CVE

References

Severity

Subcomponent

CVE-2021-39660  

A-254742984 \*

High

PowerVR-GPU

**MediaTek components**

These vulnerabilities affect MediaTek components and further details are available directly from MediaTek. The severity assessment of these issues is provided directly by MediaTek.

    

CVE

References

Severity

Subcomponent

CVE-2022-32594  

A-250331397  
M-ALPS07446207 \*

High

widevine

CVE-2022-32596  

A-250470698  
M-ALPS07446213 \*

High

widevine

CVE-2022-32597  

A-250470696  
M-ALPS07446228 \*

High

widevine

CVE-2022-32598  

A-250470697  
M-ALPS07446228 \*

High

widevine

CVE-2022-32619  

A-250441021  
M-ALPS07439659 \*

High

keyinstall

CVE-2022-32620  

A-250441023  
M-ALPS07541753 \*

High

mpu

**Unisoc components**

These vulnerabilities affect Unisoc components and further details are available directly from Unisoc. The severity assessment of these issues is provided directly by Unisoc.

    

CVE

References

Severity

Subcomponent

CVE-2022-39106  

A-252398972  
U-1830881 \*

High

kernel

CVE-2022-39131  

A-252950986  
U-1914157 \*

High

Kernel

CVE-2022-39132  

A-252951342  
U-1914157 \*

High

Kernel

CVE-2022-39133  

A-253957345  
U-1946077 \*

High

Kernel

CVE-2022-39134  

A-253333208  
U-1947682 \*

High

Kernel

CVE-2022-42754  

A-253344080  
U-1967614 \*

High

Kernel

CVE-2022-42755  

A-253957344  
U-1981296 \*

High

Kernel

CVE-2022-42756  

A-253337348  
U-1967535 \*

High

Kernel

CVE-2022-42770  

A-253978051  
U-1975103 \*

High

Kernel

CVE-2022-42771  

A-253978040  
U-1946329 \*

High

Kenel

CVE-2022-42772  

A-253978054  
U-1903041 \*

High

kernel

CVE-2022-39129  

A-252943954  
U-1957128 \*

High

Kernel

CVE-2022-39130  

A-252950982  
U-1957128 \*

High

Kernel

**Qualcomm components**

This vulnerability affects Qualcomm components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of this issue is provided directly by Qualcomm.

    

CVE

References

Severity

Subcomponent

CVE-2022-33268  

A-245992426  
QC-CR#3182085 \[2\]

High

Bluetooth

**Qualcomm closed-source components**

These vulnerabilities affect Qualcomm closed-source components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm.

    

CVE

References

Severity

Subcomponent

CVE-2022-25672  

A-231156083 \*

High

Closed-source component

CVE-2022-25673  

A-235102693 \*

High

Closed-source component

CVE-2022-25681  

A-238106628 \*

High

Closed-source component

CVE-2022-25682  

A-238102293 \*

High

Closed-source component

CVE-2022-25685  

A-235102504 \*

High

Closed-source component

CVE-2022-25689  

A-235102546 \*

High

Closed-source component

CVE-2022-25691  

A-235102879 \*

High

Closed-source component

CVE-2022-25692  

A-235102506 \*

High

Closed-source component

CVE-2022-25695  

A-235102757 \*

High

Closed-source component

CVE-2022-25697  

A-235102692 \*

High

Closed-source component

CVE-2022-25698  

A-235102566 \*

High

Closed-source component

CVE-2022-25702  

A-235102898 \*

High

Closed-source component

CVE-2022-33235  

A-245402984 \*

High

Closed-source component

CVE-2022-33238  

A-245402341 \*

High

Closed-source component

**Common questions and answers**

This section answers common questions that may occur after reading this bulletin.

**1\. How do I determine if my device is updated to address these issues?**

To learn how to check a device's security patch level, see Check and update your Android version.

*   Security patch levels of 2022-12-01 or later address all issues associated with the 2022-12-01 security patch level.
*   Security patch levels of 2022-12-05 or later address all issues associated with the 2022-12-05 security patch level and all previous patch levels.

Device manufacturers that include these updates should set the patch string level to:

*   \[ro.build.version.security\_patch\]:\[2022-12-01\]
*   \[ro.build.version.security\_patch\]:\[2022-12-05\]

For some devices on Android 10 or later, the Google Play system update will have a date string that matches the 2022-12-01 security patch level. Please see this article for more details on how to install security updates.

**2\. Why does this bulletin have two security patch levels?**

This bulletin has two security patch levels so that Android partners have the flexibility to fix a subset of vulnerabilities that are similar across all Android devices more quickly. Android partners are encouraged to fix all issues in this bulletin and use the latest security patch level.

*   Devices that use the 2022-12-01 security patch level must include all issues associated with that security patch level, as well as fixes for all issues reported in previous security bulletins.
*   Devices that use the security patch level of 2022-12-05 or newer must include all applicable patches in this (and previous) security bulletins.

Partners are encouraged to bundle the fixes for all issues they are addressing in a single update.

**3\. What do the entries in the _Type_ column mean?**

Entries in the _Type_ column of the vulnerability details table reference the classification of the security vulnerability.

 

Abbreviation

Definition

RCE

Remote code execution

EoP

Elevation of privilege

ID

Information disclosure

DoS

Denial of service

N/A

Classification not available

**4\. What do the entries in the _References_ column mean?**

Entries under the _References_ column of the vulnerability details table may contain a prefix identifying the organization to which the reference value belongs.

 

Prefix

Reference

A-

Android bug ID

QC-

Qualcomm reference number

M-

MediaTek reference number

N-

NVIDIA reference number

B-

Broadcom reference number

U-

UNISOC reference number

**5\. What does an \* next to the Android bug ID in the _References_ column mean?**

Issues that are not publicly available have an \* next to the corresponding reference ID. The update for that issue is generally contained in the latest binary drivers for Pixel devices available from the Google Developer site.

**6\. Why are security vulnerabilities split between this bulletin and device / partner security bulletins, such as the Pixel bulletin?**

Security vulnerabilities that are documented in this security bulletin are required to declare the latest security patch level on Android devices. Additional security vulnerabilities that are documented in the device / partner security bulletins are not required for declaring a security patch level. Android device and chipset manufacturers may also publish security vulnerability details specific to their products, such as Google, Huawei, LGE, Motorola, Nokia, or Samsung.

**Versions**

  

Version

Date

Notes

1.0

December 5, 2022

Bulletin Published

1.1

December 7, 2022

Bulletin revised to include AOSP links

2.0

December 7, 2022

Revised CVE table

Content and code samples on this page are subject to the licenses described in the Content License. Java and OpenJDK are trademarks or registered trademarks of Oracle and/or its affiliates.

Last updated 2022-12-08 UTC.

CVE-2021-0934: Android Security Bulletin—December 2022  |  Android Open Source Project

The Samsung TV (2021 and 2022 model) smart remote control allows attackers to enable microphone access via Bluetooth spoofing when a user is activating remote control by pressing a button. This is fixed in xxx72510, E9172511 for 2021 models, xxxA1000, 4x2A0200 for 2022 models.

**Voimmeko auttaa löytämään jotakin?**

\* Kuva simuloitu. S Pen Fold Edition myydään erikseen ja se on yhteensopiva ainoastaan Galaxy Z Fold4:n ja Galaxy Z Fold3:n kanssa.

\* Kellon näytön kuva simuloitu asian havainnollistamiseksi. Värien, kokojen, mallien ja kellon rannekkeiden saatavuus voi vaihdella maan tai operaattorin mukaan.

\* Kuva on simuloitu. Galaxy Buds2 Pron värivalikoima voi vaihdella maan tai operaattorin mukaan.

\* Bespoke-tuotteiden valikoima ja värivaihtoehdot voivat vaihdella eri maissa.

\* Kuva on ainoastaan esimerkki. 

\*\* Värien ja mallien saatavuus voi vaihdella maan tai operaattorin mukaan.

\*\*\* Galaxy A53 5G -mallin luokitus on IP67. Luokitus perustuu testiolosuhteisiin, joissa puhelin upotetaan enintään 1 metrin syvyyteen makeaan veteen enintään 30 minuutin ajaksi. Suojaus koskee vain matalaa vedenpainetta.

\*Mukana Galaxy S22+

\*Kuva on ainoastaan esimerkki. Värien saatavuus voi vaihdella maan tai operaattorin mukaan.

\*Galaxy Z Fold3 - ja Galaxy Z Flip3 -puhelimen sekä S Pen Fold Edition -kynän kuvat on simuloitu havainnollistamistarkoituksessa.

\*S Pen Fold Edition -kynä myydään erikseen, ja se on yhteensopiva ainoastaan Galaxy Z Fold3 -puhelimen kanssa.

\*Kahden Galaxy Z Fold3 -puhelimen ja S Pen Fold Edition -kynän kuvat on simuloitu havainnollistamistarkoituksessa.

\*S Pen Fold Edition -kynä myydään erikseen, ja se on yhteensopiva ainoastaan Z Fold3 5G -puhelimen kanssa.

\*Video of Galaxy S21+ 5G phone in Phantom Violet and Galaxy S21 5G phone in Phantom Pink simulated for illustration purposes.

\*Kuva on simuloitu asian havainnollistamiseksi.

\*\*Kuvat voivat poiketa todellisesta tuotteesta.

\*Video havainnollistamistarkoituksiin yhdestätoista Galaxy S20 FE -puhelimesta useassa eri värissä.

\*Kuva esitetään ainoastaan havainnollistamistarkoituksessa.

\*Kuva simuloitu. Värien saatavuus voi vaihdella maasta tai operaattorista riippuen. Galaxy A52 ja Galaxy A72-puhelimen luokitus on IP67. Tämä perustuu testiolosuhteisiin, jossa puhelin upotetaan enintään 1 metrin syvyyteen makeaa vettä enintään 30 minuutin ajaksi. Ei suositella ranta- tai uima-allaskäyttöön tai käytettäväksi saippuaa sisältävässä vedessä. Jos puhelimen päälle läikkyy sokeria sisältäviä nesteitä, huuhtele laite puhtaalla, seisovalla vedellä samalla kun napsauttelet näppäimiä. Laite kestää vain matalaa vedenpainetta. Korkea vedenpaine, kuten juokseva vesijohtovesi tai suihku, voi vahingoittaa laitetta.

CVE-2022-44636: Samsung Suomi | Mobiili | TV | Kodinkoneet

Offensive security researchers found 63 previously unreported vulnerabilities in printers, phones, and network-attached storage devices in the Zero Day Initiative's latest hackathon.

Security researchers and hackers demonstrated 63 zero-day vulnerabilities in popular devices at the latest Pwn2Own, exploiting printers from Canon, HP, and Lexmark, and routers and network-attached storage device from Synology and Netgear.

According to Trend Micro's Zero Day Initiative (ZDI), which organized the competition last week, the collection of vulnerabilities earned $989,750 for the offensive cybersecurity specialists competing in the contest. While some attacks chained together a series of exploits to take control of the remote devices, including one that used five vulnerabilities, others found a single security weakness to target, such as the Pentest Limited team, which found a reliable single-click exploit in the Samsung Galaxy S22 mobile phone that required less than a minute to attack.

The Samsung exploit highlighted that significant vulnerabilities are out there to find, says Dustin Child, head of threat awareness at Trend Micro's Zero Day Initiative.

"Just click a link on an affected device and you get owned," he says. "It's a very reliable bug, too. Very impressive research and quite the effective demonstration of why clicking unknown links can be dangerous."

**Focusing on IoT and Mobile**

Pwn2Own started in 2007 as an annual contest connected with the annual CanSecWest conference, but has since branched out into two contests: one focused on computer operating systems and applications, and the other — which includes the latest contest — focused on devices and the Internet of Things.

Over the four days of the contest, offensive cybersecurity specialists discovered a significant number of vulnerabilities in printers and routers from major brands, but also targeted Bluetooth speakers and network-attached storage, ZDI stated in a summary of the contest results.

Because many of the devices are commonly used by small and medium-sized businesses (SMBs), companies should take the results of the competition as a warning, Child says.

"If anything, SMBs should understand that, while they may feel they aren't large enough to be a target, their devices can and will be targeted by threat actors," he says. "At \[this\] time, the attackers are just looking to add nodes to their botnet, but regardless of intent, the devices we rely on for business can be compromised if left undefended."

**Buffer Overflows Continue to Creep In**

Unfortunately, one of the classes of vulnerabilities that continues to represent a fertile field of exploitation for attackers is memory safety vulnerabilities, such as buffer overflows. While major software companies have begun using memory-safe programming languages to prevent memory-related issues, many device-makers are still behind the curve.

Many of the vulnerabilities discovered during the contest were buffer overflows, Child says.

"This form of memory corruption has been known for some time, so we were a bit surprised to see it still prevalent in multiple devices," he says.

Among the most targeted devices were printers, with Lexmark, HP, and Canon printers among those favored by participants. While routers also made up a significant share of targeted devices, they would have seen more abuse this year, except that last-minute patches from Netgear and TP-Link eliminated targeted weaknesses, forcing competitors to withdraw from the competition, Child says.

**Playing the Mario Theme on a Lexmark**

Some of the printer exploits showed additional creativity. In the past, hackers would settle for exploiting a system and forcing it to run Microsoft Paint or call up a calculator application as a demonstration of their potential to run arbitrary code. In the latest Pwn2Own, however, successful hackers displayed Pokemon or another anime character on the small printer control display. 

Perhaps most impressively, the Horizon3 AI team used the system alert sound on a Lexmark printer to play the theme from Mario, even though the device does not have that functionality.

"Since the printer doesn't have a speaker, we didn’t expect it to play a song, but they modulated the frequency of the beep to add the musical function," Child says.

Data management providers Synology and online giant Google both co-sponsored the contest.

Tag

#samsung