Security News

Moscow to issue HTTPS certs to Russian websites
2022-03-11 04:55

Moscow has set up its own certificate authority to issue TLS certs to Russians affected by sanctions or otherwise punished for President Putin's invasion of Ukraine. A notice on the government's unified public service portal states that the certificates will be made available to Russian websites unable to renew or obtain security certificates as a knock-on effect of Western sanctions and organizations refusing to support Russian customers.

Ukrainian CERT Warns Citizens of Phishing Attacks Using Compromised Accounts
2022-03-08 05:47

Ukraine's Computer Emergency Response Team warned of new phishing attacks aimed at its citizens by leveraging compromised email accounts belonging to three different Indian entities with the goal of compromising their inboxes and stealing sensitive information. "In this way, they gain access to the email inboxes of Ukrainian citizens."

Nvidia’s Stolen Code-Signing Certs Used to Sign Malware
2022-03-07 17:46

Two of Nvidia's code-signing certificates were part of the Feb. 23 Lapsus$ Group ransomware attack the company suffered - certificates that are now being used to sign malware so malicious programs can slide past security safeguards on Windows machines. Security researchers noted last week that binaries that hadn't been developed by Nvidia, but which had been signed with its stolen certificate to come off like legitimate Nvidia programs, had appeared in the malware sample database VirusTotal.

ENISA and CERT-EU publish set of cybersecurity best practices for public and private organizations
2022-02-21 05:00

Ransomware remains a prime threat, putting millions of organizations at risk. An analysis of the rise in major threats is made available in the Agency's 2021 Annual Threat Landscape report.

Missing Microsoft Intune certs break email, VPN on Samsung devices
2022-01-25 14:15

Microsoft says Samsung devices enrolled in Microsoft Intune using a work profile will experience email and VPN connectivity issues due to missing certificates after upgrading to Android 12. Microsoft Intune is a cloud-based service designed to help admins manage Windows, macOS, iOS/iPadOS, and Android apps and devices in enterprise environments.

Malware devs trick Windows validation with malformed certs
2021-09-23 16:24

Google researchers spotted malware developers creating malformed code signatures that Windows treats as valid, in order to bypass security software. Roughly a month ago, Google Threat Analysis Group security researcher Neel Mehta discovered that the developers of a piece of unwanted software known as OpenSUpdater started signing their samples with legitimate but intentionally malformed certificates, accepted by Windows but rejected by OpenSSL. Because the malformed certificates break certificate parsing in OpenSSL, the malicious samples would not be detected by some security solutions that use OpenSSL-powered detection rules, and would be allowed to perform their malicious tasks on victims' PCs. "Since mid-August, OpenSUpdater samples have carried an invalid signature, and further investigation showed this was a deliberate attempt to evade detection," Mehta said.

Indonesian President's COVID jab cert leaks – authorities argue that's perfectly reasonable
2021-09-06 01:53

Indonesian authorities have admitted that the COVID-19 vaccination certificate of the nation's President has circulated online and tried to explain that it's an indication of admirable transparency, rather than lamentable security. In one camp are those who argue that the document's unplanned public debut is more evidence that Indonesia's government is bad at securing information.

Carnegie Mellon University SEI appoints Gregory J. Touhill as director of the CERT Division
2021-04-20 23:00

Carnegie Mellon University's Software Engineering Institute announced the appointment of Gregory J. Touhill as director of the SEI's CERT Division. The SEI's CERT Division is known around the world for its culture of innovation in cybersecurity areas such as cyber incident management, malicious software analysis, cyber resilience, insider threat detection and mitigation, and cyber workforce development.

OpenSSL shuts down two high-severity bugs: Flaws enable cert shenanigans, denial-of-service attacks
2021-03-25 20:28

Two high-severity vulnerabilities in the OpenSSL software library were disclosed on Thursday alongside the release of a patched version of the software, OpenSSL 1.1.1k. OpenSSL is widely used to implement the Transport Layer Security and Secure Sockets Layer protocols, which support encrypted network connections. "In order to be affected, an application must explicitly set the X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the certificate verification or, in the case of TLS client or server applications, override the default purpose," the OpenSSL advisory explains.

It's not easy being green: EV HTTPS cert seller Sectigo questions Chrome's logic in burying EV HTTPS cert info
2021-03-03 11:45

Sectigo's chief compliance officer has hit out at Google for minimizing the visibility of Extended Validation HTTPS certificates in Chrome. In a chat with The Register, Sectigo CCO Tim Callan said his biz, which among other things is one of the biggest sellers of EV HTTPS certificates, was "going to remove street and postal information from all of our public sites," seeing as Google thinks no one cares where a business is based.