This posting is here to collect cyber security news in January 2023.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
446 Comments
Tomi Engdahl says:
Website of Canadian Liquor Distributor LCBO Infected With Web Skimmer
https://www.securityweek.com/website-canadian-liquor-distributor-lcbo-infected-web-skimmer
Tomi Engdahl says:
Hack the Pentagon 3.0 Bug Bounty Program to Focus on Facility Control Systems
https://www.securityweek.com/hack-pentagon-30-bug-bounty-program-focus-facility-control-systems
The US Department of Defense (DoD) is getting ready to launch the third installment of its ‘Hack the Pentagon’ bug bounty program, which will focus on the Facility Related Controls System (FRCS) network.
According to a draft solicitation released on Friday, as part of Hack the Pentagon 3.0, DoD will rely on ethical hackers to identify vulnerabilities in FRCS.
The DoD’s FRCS includes control systems that are used to monitor and control equipment and systems related to real property facilities, such as HVAC, utilities, physical security systems, and fire and safety systems.
“The overall objective is to obtain support from a pool of innovative information security researchers via crowdsourcing for vulnerability discovery, coordination and disclosure activities and to assess the current cybersecurity posture of the FRCS network, identify weaknesses and vulnerabilities, and provide recommendations to improve and strengthen the overall security posture,” the draft reads.
Per the document, the DoD is looking to engage with a private organization that has expertise in commercial crowdsourcing, to select “a private community of skilled and trusted researchers, which may be limited to US persons only” to participate in the program.
Hack the Pentagon 3.0 CVDD
https://sam.gov/opp/be855762a82543bcba2a4eac18b7202f/view
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/msi-accidentally-breaks-secure-boot-for-hundreds-of-motherboards/
Tomi Engdahl says:
Security alert! Data of 2.5 billion Google Chrome users is at risk
https://www.livemint.com/technology/tech-news/security-alert-data-of-2-5-billion-google-chrome-users-is-at-risk-11673762110571.html
Google Chrome is a popular web browser used by billions of people worldwide. In a grim episode of security breach, Imperva Red – a cyber security firm has detected a flaw in Google Chrome and Chromium-based browsers, risking data of over 2.5 billion users. Dubbed CVE-2022-3656, this vulnerability allowed for the theft of sensitive files, such as crypto wallets and cloud provider credentials, the firm says in the post.
“The vulnerability was discovered through a review of the ways the browser interacts with the file system, specifically looking for common vulnerabilities related to the way browsers process symlinks,” the blog reads.
How symlinks affected Google Chrome?
Explaining how the vulnerability impacted Google Chrome, the firm says that an attacker could create a fake website that offers a new crypto wallet service. The website, then could trick the user into creating a new wallet by requesting that they download their ‘recovery’ keys.
“These keys would actually be a zip file containing a symlink to a sensitive file or folder on the user’s computer, such as a cloud provider credential. When the user unzips and uploads the ‘recovery’ keys back to the website, the symlink would be processed and the attacker would gain access to the sensitive file,” the blog states.
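The zip-with-symlink vector described above, as an added defensive example (not from the original post or from Imperva's write-up): a Python check that an upload handler could run on a received archive to flag symlink members and path-traversal names before anything is extracted. The file names and the link target are constructed sample data, not values from any real campaign.

```python
import io
import posixpath
import stat
import zipfile
from typing import Dict, List

# Added example (not from the original post): inspect an uploaded zip archive
# for members that are symbolic links or that escape the extraction directory,
# and extract only plain regular files. An archive that is never allowed to
# carry a symlink cannot smuggle a pointer to a sensitive local file.


def unix_mode(info: zipfile.ZipInfo) -> int:
    """Unix mode bits live in the upper 16 bits of external_attr for Unix-created archives."""
    return (info.external_attr >> 16) & 0xFFFF


def is_symlink_member(info: zipfile.ZipInfo) -> bool:
    """True if the member was stored as a symbolic link rather than a regular file."""
    return stat.S_ISLNK(unix_mode(info))


def is_unsafe_path(name: str) -> bool:
    """True for absolute names, drive-prefixed names, or names that climb out via '..'."""
    if name.startswith(("/", "\\")) or "\\" in name or ":" in name.split("/")[0]:
        return True
    parts = posixpath.normpath(name).split("/")
    return ".." in parts


def find_symlink_entries(archive: bytes) -> List[str]:
    """Names of all symlink members in the archive."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return [i.filename for i in zf.infolist() if is_symlink_member(i)]


def find_unsafe_paths(archive: bytes) -> List[str]:
    """Names of all members whose path would escape the extraction directory."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return [i.filename for i in zf.infolist() if is_unsafe_path(i.filename)]


def safe_extract_members(archive: bytes) -> Dict[str, bytes]:
    """Return {name: content} for regular files only; symlinks, dirs and unsafe paths are skipped."""
    out: Dict[str, bytes] = {}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir() or is_symlink_member(info) or is_unsafe_path(info.filename):
                continue
            out[info.filename] = zf.read(info)
    return out


def build_sample_archive() -> bytes:
    """Constructed sample: a 'recovery keys' zip with one real file, one symlink, one traversal name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("recovery_keys/seed.txt", "word1 word2 word3\n")
        link = zipfile.ZipInfo("recovery_keys/creds")
        link.create_system = 3  # mark as Unix-created so the mode bits are meaningful
        link.external_attr = (stat.S_IFLNK | 0o777) << 16  # symlink mode bits
        zf.writestr(link, "/home/victim/.aws/credentials")  # placeholder target, constructed
        zf.writestr("../outside.txt", "escapes the extraction dir\n")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_archive()
    print("symlinks:", find_symlink_entries(sample))
    print("unsafe paths:", find_unsafe_paths(sample))
    print("kept:", list(safe_extract_members(sample)))
```

The same mode-bit check applies to tar archives via `TarInfo.issym()`; the point is to reject the link member rather than resolve it on the receiving side.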
Tomi Engdahl says:
https://industrialcyber.co/industrial-cyber-attacks/hacker-group-discloses-ability-to-encrypt-an-rtu-device-using-ransomware-industry-reacts/
Tomi Engdahl says:
Are you aware of the dark side of #ChatGPT? This impressive language model developed by #OpenAI can generate sophisticated malware that evades security products with minimal effort by the adversary. Not only that, but content filters can also be bypassed by using multiple constraints and demands. The API version of ChatGPT even bypasses content filters altogether. And to make matters worse, ChatGPT can also mutate code, creating multiple variations of the same #malware. It’s time to raise awareness about these potential risks and encourage further research on the topic.
#AI #Cybersecurity #CyberArkLabs
https://www.cyberark.com/resources/threat-research-blog/chatting-our-way-into-creating-a-polymorphic-malware
Tomi Engdahl says:
Researchers to release PoC exploit for critical Zoho RCE bug, patch now https://www.bleepingcomputer.com/news/security/researchers-to-release-poc-exploit-for-critical-zoho-rce-bug-patch-now/
Proof-of-concept exploit code will be released later this week for a critical vulnerability allowing remote code execution (RCE) without authentication in several VMware products. Tracked as CVE-2022-47966, this pre-auth RCE security flaw is due to using an outdated and vulnerable third-party dependency, Apache Santuario. Successful exploitation enables unauthenticated threat actors to execute arbitrary code on ManageEngine servers if the SAML-based single-sign-on (SSO) is or was enabled at least once before the attack. also:
https://www.horizon3.ai/manageengine-cve-2022-47966-iocs/
Tomi Engdahl says:
MSI accidentally breaks Secure Boot for hundreds of motherboards https://www.bleepingcomputer.com/news/security/msi-accidentally-breaks-secure-boot-for-hundreds-of-motherboards/
Over 290 MSI motherboards are reportedly affected by an insecure default UEFI Secure Boot setting that allows any operating system image to run regardless of whether it has a wrong or missing signature. This discovery comes from a Polish security researcher named Dawid Potocki, who claims that he did not receive a response despite his efforts to contact MSI and inform them about the issue.
The issue, according to Potocki, impacts many Intel and AMD-based MSI motherboards that use a recent firmware version, affecting even brand-new MSI motherboard models. also:
https://dawidpotocki.com/en/2023/01/13/msi-insecure-boot/
Tomi Engdahl says:
Earth Bogle: Campaigns Target the Middle East with Geopolitical Lures https://www.trendmicro.com/en_us/research/23/a/earth-bogle-campaigns-target-middle-east-with-geopolitical-lures.html
We discovered an active campaign ongoing since at least mid-2022 which uses Middle Eastern geopolitical-themed lures to distribute NjRAT (also known as Bladabindi) to infect victims across the Middle East and North Africa
Tomi Engdahl says:
Batloader Malware Abuses Legitimate Tools, Uses Obfuscated JavaScript Files in Q4 2022 Attacks https://www.trendmicro.com/en_us/research/23/a/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javasc.html
In this blog entry, we discuss notable Batloader campaigns that we’ve observed in the last quarter of 2022, including the abuse of custom action scripts from the Advanced Installer software and Windows Installer XML (WiX) toolset, the use of obfuscated JavaScript files as a first-stage payload, and the use of the PyArmor tool to obfuscate Batloader Python scripts. We also shed light on noteworthy Water Minyades-related events and give a detailed look at Batloader’s
Tomi Engdahl says:
Microsoft resolves four SSRF vulnerabilities in Azure cloud services https://msrc-blog.microsoft.com/2023/01/17/microsoft-resolves-four-ssrf-vulnerabilities-in-azure-cloud-services/
Microsoft recently fixed a set of Server-Side Request Forgery (SSRF) vulnerabilities in four Azure services (Azure API Management, Azure Functions, Azure Machine Learning, and Azure Digital Twins) reported by Orca Security. No customer action is required for the four impacted Azure services. also:
https://orca.security/resources/blog/ssrf-vulnerabilities-in-four-azure-services/
Tomi Engdahl says:
Over 4,000 Sophos Firewall devices vulnerable to RCE attacks https://www.bleepingcomputer.com/news/security/over-4-000-sophos-firewall-devices-vulnerable-to-rce-attacks/
Sophos disclosed this code injection flaw (CVE-2022-3236) found in the User Portal and Webadmin of Sophos Firewall in September and also released hotfixes for multiple Sophos Firewall versions (official fixes were issued three months later, in December 2022). While scanning the Internet for Sophos Firewall devices, VulnCheck vulnerability researcher Jacob Baines found that out of more than 88,000 instances, around 6% or more than 4,000 are running versions that haven’t received a hotfix and are vulnerable to CVE-2022-3236 attacks. also: https://vulncheck.com/blog/sophos-cve-2022-3236
Tomi Engdahl says:
Ransomware attack on maritime software impacts 1,000 ships https://therecord.media/ransomware-attack-on-maritime-software-impacts-1000-ships/
Oslo-based DNV, one of the world’s largest maritime organizations, said it was hit with ransomware on the evening of January 7 and was forced to shut down the IT servers connected to their ShipManager system. DNV is communicating daily with all 70 affected customers to update them on findings of the ongoing forensic investigations. In total around 1,000 vessels are affected, DNV said in a statement on Monday.
Tomi Engdahl says:
Customer data leaked illegally from Helsinki metropolitan area libraries to the United States
https://yle.fi/a/74-20013223
The Deputy Data Protection Ombudsman issued the cities of the Helsinki metropolitan area a reprimand for processing personal data in violation of data protection legislation.
Deputy Data Protection Ombudsman Heljä-Tuulia Pihamaa has issued the cities of Helsinki, Espoo, Vantaa and Kauniainen a reprimand for processing personal data in violation of data protection legislation.
The websites of the metropolitan area libraries have used tracking technologies through which information about the books and other material a user searched for may have been passed on to third parties. Personal data has also been transferred unlawfully to the United States.
Tracking technologies were used on the Helmet.fi pages in such a way that information about a visitor to the website and the works they searched for may have ended up with the US company Google. The Helmet libraries used the Google Analytics analytics tool and the Google Tag Manager service on their site. The collected personal data was transferred to the United States without adequate safeguards.
In summer 2020, the Court of Justice of the EU, in its Schrems II ruling (C-311/18), declared the Privacy Shield arrangement between the EU and the United States invalid, because data transfers between the EU and the United States did not guarantee an adequate level of data protection.
Tomi Engdahl says:
PyPI Users Targeted With ‘Wacatac’ Trojan in New Supply Chain Attack
https://www.securityweek.com/pypi-users-targeted-wacatac-trojan-new-supply-chain-attack
Fortinet warns of three new malicious PyPI packages containing code designed to fetch the Wacatac trojan and information stealer as a next stage payload.
The three Python packages, ‘colorslib’, ‘httpslib’ and ‘libhttps’ were uploaded to PyPI (Python Package Index) on January 7 and January 12.
All three packages were published by the same author from a user account named ‘Lolip0p’, which joined the repository shortly before the packages were published.
The Python packages feature legitimate-looking descriptions, meant to trick users into believing they are clean. However, Fortinet discovered that all versions of these packages are, in fact, malicious.
Each package, the cybersecurity firm says, contains the same setup.py script and attempt to run a PowerShell script to download an executable binary from an external link.
The download URL has not been flagged as malicious by any of the antivirus products on VirusTotal, but the downloaded file is detected as malicious by a few of them.
Tomi Engdahl says:
Azure Services SSRF Vulnerabilities Exposed Internal Endpoints, Sensitive Data
https://www.securityweek.com/azure-services-ssrf-vulnerabilities-exposed-internal-endpoints-sensitive-data
Cloud security company Orca has published details on four server-side request forgery (SSRF) vulnerabilities impacting different Azure services, including two bugs that could have been exploited without authentication.
SSRF flaws, Orca explains, typically allow attackers to access the host’s IMDS (Cloud Instance Metadata Service), enabling them to view information such as hostnames, MAC addresses, and security groups.
Furthermore, such security defects could be exploited to retrieve tokens, execute code remotely, and move to another host.
Impacting Azure Functions and Azure Digital Twins, the two unauthenticated vulnerabilities could be exploited without an Azure account to send requests on behalf of the server.
The remaining two security issues, which were identified in Azure API Management and Azure Machine Learning, require authentication for successful exploitation.
Tomi Engdahl says:
Attackers Can Abuse GitHub Codespaces for Malware Delivery
https://www.securityweek.com/attackers-can-abuse-github-codespaces-malware-delivery
A GitHub Codespaces feature meant to help with code development and collaboration can be abused for malware delivery, Trend Micro reports.
Generally available since November 2022, following a private preview period, GitHub Codespaces is a free cloud-based integrated development environment (IDE) that allows developers to create, edit, and run code in their browsers via a container-based environment that runs in a virtual machine (VM).
One of the features that GitHub Codespaces provides enables developers to share forwarded ports from the VM, either privately or publicly, for real-time collaboration purposes.
The private port can only be accessed via its URL, while publicly shared ports can be accessed by anyone with the URL, without any form of authentication.
Tomi Engdahl says:
Mehul Srivastava / Financial Times:
A look at LockBit, a Russia-linked hacking group that claimed responsibility for compromising 40 organizations in the past month, including the UK’s Royal Mail — LockBit claims it has compromised 40 organisations around the world in just the past month — As the UK’s Royal Mail grappled …
How Royal Mail’s hacker became the world’s most prolific ransomware group
https://www.ft.com/content/5d53c9fe-ce36-444b-bcf0-f55f81cff93d?utm_source=dlvr.it&utm_medium=twitter
Tomi Engdahl says:
Hackers Can Exploit GE Historian Vulnerabilities for ICS Espionage, Disruption
https://www.securityweek.com/hackers-can-exploit-ge-historian-vulnerabilities-ics-espionage-disruption
Vulnerabilities found in GE’s Proficy Historian product could be exploited by hackers for espionage and to cause damage and disruption in industrial environments.
The US Cybersecurity and Infrastructure Security Agency (CISA) informed organizations about these vulnerabilities on Tuesday, when industrial cybersecurity firm Claroty, whose researchers discovered the flaws, also released a blog post detailing the findings.
Historian servers are designed to collect data from industrial control systems (ICS) in an effort to help organizations monitor and improve their processes. The data collected and processed by historians can be useful for IT applications, such as enterprise resource planning (ERP) and analytics systems, which is why they can be located between the IT and OT networks.
Claroty researchers discovered a total of five critical and high-severity vulnerabilities in the widely used GE Digital Proficy Historian product. The flaws include authentication bypass, arbitrary file upload, information disclosure, and file removal issues.
GE patched the vulnerabilities with the release of Proficy Historian 2023.
In its blog post, the cybersecurity firm explained how an attacker could chain two of these vulnerabilities — an authentication bypass tracked as CVE-2022-46732 and a remote code execution bug tracked as CVE-2022-46660 — for pre-authentication remote code execution on the Proficy Historian server.
Tomi Engdahl says:
18k Nissan Customers Affected by Data Breach at Third-Party Software Developer
https://www.securityweek.com/18k-nissan-customers-affected-data-breach-third-party-software-developer
Nissan North America is informing roughly 18,000 customers that their personal information was exposed in a data breach at a third-party services provider.
The breach occurred after data provided by Nissan to the services provider was inadvertently exposed on the internet, the company notes in a notification letter sent to the impacted customers.
“The impacted third-party service provider provides software development services to Nissan. Nissan provided certain information to this service provider for processing during the testing of the software,” the car maker says.
According to Nissan, the services provider temporarily stored Nissan-provided data in a cloud-based public repository.
Tomi Engdahl says:
Ransomware Attack on DNV Ship Management Software Impacts 1,000 Vessels
https://www.securityweek.com/ransomware-attack-dnv-ship-management-software-impacts-1000-vessels
Norway-based industrial risk management and assurance solutions provider DNV said a recent ransomware attack on its ship management software impacted 1,000 vessels.
DNV revealed on January 9 that its ShipManager software was targeted in a cyberattack on January 7, which forced the company to shut down associated servers.
In an update shared on January 17, the company clarified that it was targeted in a ransomware attack that impacted 70 of its customers and roughly 1,000 vessels.
“There are no indications that any other software or data by DNV is affected. The server outage does not impact any other DNV services,” DNV said in a press release.
It’s unclear which ransomware group is behind the attack and whether any data has been stolen. SecurityWeek has checked the websites of several major groups, but found no mention of DNV. However, threat actors typically name victims and threaten to leak stolen data only after initial negotiations have failed.
DNV provides a wide range of services for the maritime, power, oil and gas, automotive and aerospace, food and beverage, and the healthcare industries. The company’s ShipManager software for the maritime industry is designed for ship management operations and ship design.
Tomi Engdahl says:
Oracle’s First Security Update for 2023 Includes 327 New Patches
https://www.securityweek.com/oracles-first-security-update-2023-includes-327-new-patches
Oracle on Tuesday announced the release of its first Critical Patch Update for 2023, which includes 327 new security patches. More than 70 fixes address critical-severity vulnerabilities.
Over 200 of the patches resolve security defects that can be exploited remotely without authentication. Some of the resolved bugs impact multiple products.
The highest number of new fixes was released by the tech giant for Oracle Communications, at 79. Of these, 63 vulnerabilities are remotely exploitable without authentication and 19 have a ‘critical severity’ rating.
Oracle’s January 2023 CPU includes 50 security patches that resolve flaws in Fusion Middleware. Thirty-nine of the bugs can be exploited by a remote, unauthenticated attacker, and 14 are rated ‘critical’.
Many patches were also released for Communications Applications (39 patches, including 31 for remotely exploitable without authentication) and for MySQL (37 fixes, eight for unauthenticated, remotely exploitable flaws).
Other Oracle enterprise software that received numerous patches this month includes Financial Services Applications (16 patches – 12 remotely exploitable, unauthenticated issues), E-Business Suite (12 – 10), PeopleSoft (12 – 10), Database Server (9 – 1), Supply Chain (8 – 5), Utilities Applications (7 – 7), Construction and Engineering (7 – 4), Food and Beverage Applications (7 – 2), Support Tools (6 – 6), and Virtualization (6 – 1).
https://www.oracle.com/security-alerts/cpujan2023.html
Tomi Engdahl says:
Encryption technology thought to be secure failed its user – a person suspected of aiding terrorism was exposed https://www.is.fi/digitoday/tietoturva/art-2000009334711.html
The FBI identified an anonymous Tor network user. This is a powerful reminder that not even its users are completely anonymous. Vice Motherboard reported on the matter.
The FBI, the United States federal police, managed to identify a person who allegedly visited a dark web site dealing with the terrorist organisation ISIS, Vice Motherboard reports. The person is suspected of acquiring and supplying weapons and equipment for terrorist purposes.
The person was identified by means of an IP address, i.e. a unique network address.
The FBI Won’t Say Whether It Hacked Dark Web ISIS Site
https://www.vice.com/en/article/z34dx3/fbi-wont-say-hacked-dark-web-isis-site-nit
The FBI somehow obtained the IP address of someone who allegedly visited an ISIS-related site on the dark web. The DOJ is blocking discussion of the issue from entering the public docket.
U.S. government lawyers are hampering efforts that could reveal how the FBI managed to obtain the real IP address of an alleged visitor to an ISIS website on the dark web, according to court records reviewed by Motherboard.
Tomi Engdahl says:
https://fin.afterdawn.com/uutiset/2023/01/17/helmet-kirjasto-google-analytics-laiton
Well then… should we be worried? And if so, what is the solution?
Tomi Engdahl says:
One wrong click on Google took the money: ”Every one of my accounts was hacked” https://www.is.fi/digitoday/tietoturva/art-2000009335468.html
Criminals are pushing their ads above those of genuine operators on Google, Bleeping Computer reports.
Alex, known in cryptocurrency circles by the handle NFT God, mistakenly clicked a criminals’ ad on Google that led to a website imitating the popular video and streaming application OBS. When installing the program from the site, he ended up launching information-stealing malware.
– Last night my entire digital livelihood was violated. Every personal and professional account of mine was hacked and used to harm others. In the same stroke I lost a life-changing amount of my net worth, Alex writes.
Bleeping Computer found several other malicious ads on Google as well. Cybercriminals offer their pages under the names of free and popular open-source software. Such software includes, for example, the USB disk tool Rufus, the text and source code editor Notepad++, and the compression programs 7-Zip and WinRAR.
In some cases the criminals got their ads to appear above genuine ads, apparently by paying the most. Google says it has reviewed the exposed ads and removed them.
You can protect yourself from the threat by avoiding clicking on ads on Google and elsewhere. However, at least in Google’s case the ads are labelled so poorly that one may click them by accident. Alex also says he did not realise he was clicking an ad.
Look twice at what kind of search result you are about to click and what address it leads to.
Hackers push malware via Google search ads for VLC, 7-Zip, CCleaner
https://www.bleepingcomputer.com/news/security/hackers-push-malware-via-google-search-ads-for-vlc-7-zip-ccleaner/
Hackers are setting up fake websites for popular free and open-source software to promote malicious downloads through advertisements in Google search results.
“Nothing happened when I clicked the EXE,” Alex wrote in a Twitter thread recounting their experience over the weekend. However, a few hours later friends alerted them that their Twitter account had been hacked.
Unbeknownst to Alex, this was likely an information-stealing malware that stole their saved browser passwords, cookies, Discord tokens, and cryptocurrency wallets and sent them to a remote attacker.
Soon, Alex found that their account at the OpenSea NFT marketplace had also been compromised and a different wallet was listed as the owner of one of their digital assets.
“I knew at that moment it was all gone. Everything. All my crypto and NFTs ripped from me,” NFT God says in the thread.
Soon, Alex discovered that their Substack, Gmail, Discord, and cryptocurrency wallets suffered the same fate and were controlled by the hackers.
Flurry of malicious ads in Google search results
Following NFT God’s thread, BleepingComputer conducted its own research and uncovered that OBS is one in a long list of software that threat actors impersonate to push malicious downloads in Google Ads search results.
Security researcher Will Dormann found that fake Notepad++ downloads in the sponsored section of Google search were available from additional URLs, all files being marked as malicious by various antivirus (AV) engines on the Virus Total scanning platform.
Tomi Engdahl says:
Zack Whittaker / TechCrunch:
Mailchimp says a hacker accessed data about 133 accounts via a staff social engineering attack, first detected on January 11 and its second breach in six months — Email marketing and newsletter giant Mailchimp says it was hacked and that dozens of customers’ data was exposed.
Mailchimp says it was hacked — again
https://techcrunch.com/2023/01/18/mailchimp-hacked/
Tomi Engdahl says:
Jennifer Gollan / ProPublica:
An analysis of 11 online pharmacies selling abortion pills: at least nine use third-party trackers such as Google Analytics to collect and share sensitive data — Some sites selling abortion pills use technology that shares information with third parties like Google.
Websites Selling Abortion Pills Are Sharing Sensitive Data With Google
https://www.propublica.org/article/websites-selling-abortion-pills-share-sensitive-data-with-google
Some sites selling abortion pills use technology that shares information with third parties like Google. Law enforcement can potentially use this data to prosecute people who end their pregnancies with medication.
Tomi Engdahl says:
Helen Thomas / Financial Times:
The UK failed to avoid making a complex and confusing Online Safety Bill, leaving social media companies grappling with implementing rules like age verification
Where the UK’s ‘world-leading’ online rules lost their way
https://www.ft.com/content/70c36e06-9727-471b-8fe9-b7fef7e7e47d
Tomi Engdahl says:
Vendors Actively Bypass Security Patch for Year-Old Magento Vulnerability
https://www.securityweek.com/vendors-actively-bypass-security-patch-year-old-magento-vulnerability
Vendors and agencies are actively bypassing the security patch that Adobe released in February 2022 to address CVE-2022-24086, a critical mail template vulnerability in Adobe Commerce and Magento stores, ecommerce security firm Sansec warns.
The CVE-2022-24086 bug (CVSS score of 9.8) is described as an improper input validation bug in the checkout process. It could be exploited to achieve arbitrary code execution, with in-the-wild exploitation observed roughly one week after patches were made available for it.
The initial fixes were found to be easily bypassed, and Adobe issued a second round of patches and a new CVE identifier (CVE-2022-24087) for the bug only days later. A proof-of-concept (PoC) exploit targeting the flaw was released around the same time.
To address the vulnerability, Adobe removed ‘smart’ mail templates and replaced the old mail template variable resolver with a new one, to prevent potential injection attacks.
Tomi Engdahl says:
Exploited Control Web Panel Flaw Added to CISA ‘Must-Patch’ List
https://www.securityweek.com/exploited-control-web-panel-flaw-added-cisa-must-patch-list
The US government’s cybersecurity agency CISA is giving federal agencies an early February deadline to patch a critical — and already exploited — security vulnerability in the widely used CentOS Control Web Panel utility.
The agency added the CVE-2022-44877 flaw to its KEV (Known Exploited Vulnerabilities) catalog and set a February 7th deadline for federal agencies to test and deploy an available fix.
Security researchers warned earlier this month that the publication of proof-of-concept code and a YouTube video demonstration would lead to live attacks. Soon after, threat-hunting outfits GreyNoise and Shadowserver spotted signs of exploitation in the wild.
“This type of vulnerability is a frequent attack vector for malicious cyber actors and poses a significant risk to the federal enterprise,” CISA warned in a note posted alongside the catalog update.
The CWP Control Web Panel utility, previously known as CentOS Web Panel, is a popular, free web hosting panel for enterprise-based Linux systems, offering support for the management and security of both servers and clients.
Tomi Engdahl says:
Critical Git Vulnerabilities Discovered in Source Code Security Audit
https://www.securityweek.com/critical-git-vulnerabilities-discovered-source-code-security-audit
A source code security audit has led to the discovery of several vulnerabilities in Git, the widely used distributed version control system.
The results of the security audit, sponsored by OSTIF and conducted by X41 and GitLab, were made public this week.
Git could be a tempting target for threat actors as a vulnerability affecting the system could be exploited to compromise developer systems or source code repositories.
The security holes found during the audit included two critical-, one high-, one medium- and four low-severity bugs, with the auditors also sharing more than two dozen informational notes. The critical vulnerabilities have been assigned the CVE identifiers CVE-2022-23521 and CVE-2022-41903.
Exploitation of the critical vulnerabilities can lead to remote code execution. Many of the other flaws can result in denial of service or information disclosure.
“The Git codebase shows several security issues and the sheer size of the codebase makes it challenging to address all potential instances of these issues,” the auditors said. “The use of safe wrappers can improve the overall security of the software as a short term strategy. As a long term improvement strategy, we recommend to alternate between time-boxed code base refactoring sprints and subsequent security reviews.”
Tomi Engdahl says:
Sudoedit can edit arbitrary files
https://www.sudo.ws/security/advisories/sudoedit_any/
A flaw exists in sudo’s -e option (aka sudoedit) that allows a malicious user with sudoedit privileges to edit arbitrary files.
Sudo versions affected:
Sudo versions 1.8.0 through 1.9.12p1 inclusive are affected. Versions of sudo prior to 1.8.0 construct the argument vector differently and are not affected.
CVE ID:
This vulnerability has been assigned CVE-2023-22809 in the Common Vulnerabilities and Exposures database.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22809
Tomi Engdahl says:
Remote Code Execution Vulnerabilities Found in TP-Link, NetComm Routers
https://www.securityweek.com/remote-code-execution-vulnerabilities-found-tp-link-netcomm-routers
Vulnerabilities identified in TP-Link and NetComm router models could be exploited to achieve remote code execution (RCE).
Two security defects were identified in TP-Link WR710N-V1-151022 and Archer-C5-V2-160201 SOHO (small office/home office) routers, allowing attackers to execute code, crash devices, or guess login credentials.
Tracked as CVE-2022-4498, the first issue is described as a heap overflow caused by crafted packets received during HTTP basic authentication mode. An attacker could exploit the bug to cause a denial-of-service (DoS) condition or for RCE.
The second issue, CVE-2022-4499, exists because a HTTPD function is susceptible to a side-channel attack that allows an attacker to guess each byte of the username and password strings.
According to the CERT Coordination Center (CERT/CC) at Carnegie Mellon University, TP-Link was notified of these flaws in November 2022, but both issues remain unpatched.
“These SOHO devices are sold by TP-Link and their latest firmware available as of January 11, 2023, have two vulnerabilities,” CERT/CC notes in an advisory.
Vulnerabilities in TP-Link routers, WR710N-V1-151022 and Archer C5 V2
Vulnerability Note VU#572615
https://kb.cert.org/vuls/id/572615
Tomi Engdahl says:
Hackers Can Exploit GE Historian Vulnerabilities for ICS Espionage, Disruption
https://www.securityweek.com/hackers-can-exploit-ge-historian-vulnerabilities-ics-espionage-disruption
Vulnerabilities found in GE’s Proficy Historian product could be exploited by hackers for espionage and to cause damage and disruption in industrial environments.
The US Cybersecurity and Infrastructure Security Agency (CISA) informed organizations about these vulnerabilities on Tuesday, when industrial cybersecurity firm Claroty, whose researchers discovered the flaws, also released a blog post detailing the findings.
Historian servers are designed to collect data from industrial control systems (ICS) in an effort to help organizations monitor and improve their processes. The data collected and processed by historians can be useful for IT applications, such as enterprise resource planning (ERP) and analytics systems, which is why they can be located between the IT and OT networks.
Claroty researchers discovered a total of five critical and high-severity vulnerabilities in the widely used GE Digital Proficy Historian product. The flaws include authentication bypass, arbitrary file upload, information disclosure, and file removal issues.
ICS Advisory (ICSA-23-017-01)
GE Digital Proficy Historian
https://www.cisa.gov/uscert/ics/advisories/icsa-23-017-01
Tomi Engdahl says:
Dangerous backdoor in a webcam sold at Prisma stores – at least 1,300 devices sold https://www.is.fi/digitoday/tietoturva/art-2000009324472.html
The device has now been pulled from Prisma stores, but it is still on sale in smaller shops.
A webcam with a serious vulnerability is being sold in Finland. According to security researcher and white-hat hacker Jarkko Vesiluoma, the hole is a backdoor deliberately left in by the developer of the device’s firmware.
The SWM Base IP camera, priced at 80–100 euros, has been sold in Finland at Prisma stores and several smaller shops, among others.
As usual, the webcam has an administrator account with full rights to the device. Vesiluoma says he cracked the password using GPU-assisted computation and verified that the camera can be fully controlled from outside. The same password is used on every camera of this model, so anyone who knows it can get into the camera.
By reverse engineering the device, Vesiluoma found that the administrator account can be reached by sending it a specific text-format command from outside. Taking over the camera enables both covert viewing and follow-on attacks.
– If the camera is connected directly to the public internet, the attacker can, for example, use the camera to continue the attack into the victim’s internal network or watch the video the camera sends. The attacker gains full control of the camera, Vesiluoma says.
Open cameras pose a threat to their users from two directions: the device manufacturer or a party cooperating with it can take control of the camera, but so can a cybercriminal who knows about the vulnerability.
Based on a device search Vesiluoma carried out, at least 84 vulnerable cameras were in use in Finland in mid-January.
The camera has no firmware update capability. According to Vesiluoma, the SWM Base is a rebranded version of the same device that has already been sold elsewhere in the world. What the devices have in common is firmware from the Chinese company Xiongmai. The same firmware may be found in other IP cameras sold in Finland.
According to Vesiluoma, it is fair to ask whether the vulnerability is the result of poor design or development, or intentional.
– For some reason, these hard-coded credentials and backdoors seem to turn up particularly often in cameras from Chinese manufacturers. How can a consumer know whether a device is safe or not?
The decision to import the device was made in 2018. At that time it was checked that the device’s default password can be changed and that it can be used on a protected wifi network.
A total of about 1,300 units of the camera’s indoor and outdoor models have been sold in Finland. Turvakauppa has not supplied retailers with the indoor model since September 2022, nor the outdoor camera since November 2021.
Tomi Engdahl says:
Catherine Larkin / Bloomberg:
SEC filing: T-Mobile says a hacker stole the data of ~37M customers, including names, addresses, and phone numbers, but not passwords, SSNs, or credit cards — T-Mobile US Inc. said a hacker obtained data for 37 million customer accounts, though it didn’t include payment card information or personal identifying numbers.
T-Mobile Says Hacker Stole Data for 37 Million Customers
https://www.bloomberg.com/news/articles/2023-01-19/t-mobile-tmus-says-hacker-stole-data-for-37-million-customers?leadSource=uverify%20wall
Information stolen includes name, address and account number
Credit card data and networks weren’t affected, company said
Tomi Engdahl says:
T-Mobile Says Hackers Used API to Steal Data on 37 Million Accounts
https://www.securityweek.com/t-mobile-says-hackers-used-api-steal-data-37-million-accounts
Wireless carrier T-Mobile on Thursday fessed up to another massive data breach affecting approximately 37 million current postpaid and prepaid customer accounts.
In a filing with the Security and Exchange Commission (SEC), T-Mobile said that an unidentified malicious actor abused an API without authorization to access customer account data, including name, billing address, email, phone number, date of birth, T-Mobile account number and information such as the number of lines on the account and plan features.
The telco provider said the data stolen did not include payment information, passwords or other sensitive data.
Tomi Engdahl says:
Meta Slapped With 5.5 Million Euro Fine for EU Data Breach
https://www.securityweek.com/meta-slapped-55-million-euro-fine-eu-data-breach
Social media giant Meta has been fined an additional 5.5 million euros ($5.9 million) for violating EU data protection regulations with its instant messaging platform WhatsApp, Ireland’s regulator announced Thursday.
The penalty follows a far larger 390-million-euro fine for Meta’s Instagram and Facebook platforms two weeks ago after they were found to have flouted the same EU rules.
In its new decision, the Irish Data Protection Commission (DPC) found the group acted “in breach of its obligations in relation to transparency,” the watchdog said in a statement.
Tomi Engdahl says:
Cisco Patches High-Severity SQL Injection Vulnerability in Unified CM
https://www.securityweek.com/cisco-patches-high-severity-sql-injection-vulnerability-unified-cm
Cisco on Wednesday announced patches for a high-severity SQL injection vulnerability in Unified Communications Manager (CM) and Unified Communications Manager Session Management Edition (CM SME).
Designed as enterprise call and session management platforms, Cisco Unified CM and Unified CM SME ensure the interoperability of applications such as Webex, Jabber, and more, while also maintaining availability and security.
Tracked as CVE-2023-20010 (CVSS score of 8.1), the vulnerability exists because user input is improperly validated in the web-based management interface of the platforms. The bug allows a remote, authenticated attacker to launch an SQL injection attack on a vulnerable system.
Tomi Engdahl says:
International Arrests Over ‘Criminal’ Crypto Exchange
https://www.securityweek.com/international-arrests-over-criminal-crypto-exchange
The owner of China-based cryptocurrency exchange Bitzlato was arrested in Miami on Wednesday, along with five associates in Europe, during an international operation against “darknet” markets.
Anatoly Legkodymov, 40, a Russian living in Shenzhen, China, appeared in handcuffs and leg shackles in a Miami courtroom on money laundering charges, and was denied bail by a judge who deemed him a flight risk.
He was detained for his role in allegedly transmitting a total of $700 million in illicit funds, the US Department of Justice charged, with officials saying that criminals used the exchange as a haven for narcotics trading and selling stolen financial information.
Five other men, mainly of Russian and Ukrainian nationalities, were arrested in Spain, Portugal and Cyprus, as part of a complex police swoop led by French authorities, officials in Paris said.
Tomi Engdahl says:
CSRF Vulnerability in Kudu SCM Allowed Code Execution in Azure Services
https://www.securityweek.com/csrf-vulnerability-kudu-scm-allowed-code-execution-azure-services
A cross-site request forgery (CSRF) vulnerability impacting the source control management (SCM) service Kudu could be exploited to achieve remote code execution (RCE) in multiple Azure services, cloud infrastructure security firm Ermetic has discovered.
A web-based Git repository manager, Kudu is the engine behind several Azure App Service features, supporting the deployment and management of code in Azure. The service is used by Functions, App Service, Logic Apps, and other Azure services.
Administrators can manage Azure applications from the SCM panel, which uses Kudu and which requires Azure Active Directory (AAD) authentication. The SCM panel is deployed by default by the App Service, Function Apps, and Logic Apps Azure services.
Tomi Engdahl says:
Sophos Joins List of Cybersecurity Companies Cutting Staff
https://www.securityweek.com/sophos-joins-list-cybersecurity-companies-cutting-staff
Sophos has confirmed reports that it’s laying off employees. The company joins several other major cybersecurity companies that have announced cutting staff over the past year.
The first reports of layoffs at Sophos came from India. The company confirmed to TechCrunch that 10% of its global employee base is impacted. While an exact number has not been shared, the news website learned that roughly 450 people — potentially from all roles — have lost their job.
Sophos, which private equity firm Thoma Bravo acquired in 2020 for $3.9 billion, blamed the layoffs on the global economic slowdown. The company says it wants to focus more on cybersecurity services, including managed detection and response.
“Sophos is taking these steps for two main reasons: first, to ensure that we achieve the optimal balance of growth and profitability to support Sophos’ long-term success, which is particularly important in the midst of a challenging and uncertain macro environment; and second, to allocate our investments across the company to support our strategic imperative to be a market leader in delivering cybersecurity as a service,” a Sophos spokesperson told TechCrunch.
Tomi Engdahl says:
https://etn.fi/index.php/13-news/14484-pankkitunnuksia-varastava-troijalainen-on-nyt-yleisin
The research arm of security company Check Point reports in its December malware review that Qbot overtook Emotet as the world’s most common malware. In Finland, the banking trojan Emotet remained at the top of the threat list.
Tomi Engdahl says:
There is more Linux malware than ever before
https://etn.fi/index.php/13-news/14490-linux-haittaohjelmia-on-enemmaen-kuin-koskaan-aiemmin
Despite Linux’s reputation as the most secure operating system, it is not immune to malware. In fact, Linux malware has become more common in recent years as more and more devices and servers run Linux operating systems.
According to data analyzed by Atlas VPN, more than 1.9 million new Linux malware samples were coded last year. That figure is 50 percent higher than the previous year. The numbers are based on malware threat statistics from Germany’s AV-TEST GmbH.
Tomi Engdahl says:
Thousands Of PayPal Accounts Hacked: Is Yours One Of Them?
https://www.forbes.com/sites/daveywinder/2023/01/19/thousands-of-paypal-accounts-hacked-is-yours-one-of-them/
According to a PayPal notice of security incident dated January 18, attackers got unauthorized access to the accounts of thousands of users between December 6 and 8, 2022. The total number of accounts that were accessed by threat actors using a credential stuffing attack is reported as being 34,942. While PayPal has no evidence of unauthorized transactions being made, the attackers did, it says, potentially have access to personal data, including “name, address, Social Security number, individual tax identification number, and/or date of birth.” Customers who have not received the notice of security incident from PayPal will not have been impacted by this particular concerted credential stuffing attack. However, if you are using login credentials that you also use elsewhere, you are advised to change to unique and strong passwords at all those services.
Tomi Engdahl says:
Ukraine links data-wiping attack on news agency to Russian hackers https://www.bleepingcomputer.com/news/security/ukraine-links-data-wiping-attack-on-news-agency-to-russian-hackers/
“According to preliminary data, provided by CERT-UA specialists, the attack have caused certain destructive effects on the agency’s information infrastructure, but the threat has been swiftly localized nonetheless,” the State Service of Special Communications and Information Protection (SSSCIP) of Ukraine said. CERT-UA says the cyberattack was likely carried out by the Sandworm group based on the threat actors’ tactics, which was previously linked to the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). The attackers launched the CaddyWiper malware on the news agency’s systems using a Windows group policy (GPO), showing that they had breached the target’s network beforehand. Still, they failed to impact the news agency’s operations.
Tomi Engdahl says:
Mailchimp says it was hacked again
https://techcrunch.com/2023/01/18/mailchimp-hacked/
The Intuit-owned company said in an unattributed blog post that its security team detected an intruder on January 11 accessing one of its internal tools used by Mailchimp customer support and account administration, though the company did not say for how long the intruder was in its systems, if known. Mailchimp said the hacker targeted its employees and contractors with a social engineering attack, in which someone uses manipulation techniques by phone, email or text to gain private information, like passwords. The hacker then used those compromised employee passwords to gain access to data on 133 Mailchimp accounts, which the company notified of the intrusion.
One of those targeted accounts belongs to e-commerce giant WooCommerce. In a note to customers, WooCommerce said it was notified by Mailchimp a day later that the breach may have exposed the names, store web addresses and email addresses of its customers, though it said no customer passwords or other sensitive data was taken.
Tomi Engdahl says:
Exploiting null-dereferences in the Linux kernel https://googleprojectzero.blogspot.com/2023/01/exploiting-null-dereferences-in-linux.html
For a fair amount of time, null-deref bugs were a highly exploitable kernel bug class. Back when the kernel was able to access userland memory without restriction, and userland programs were still able to map the zero page, there were many easy techniques for exploiting null-deref bugs. However with the introduction of modern exploit mitigations such as SMEP and SMAP, as well as mmap_min_addr preventing unprivileged programs from mmaping low addresses, null-deref bugs are generally not considered a security issue in modern kernel versions.
This blog post provides an exploit technique demonstrating that treating these bugs as universally innocuous often leads to faulty evaluations of their relevance to security.
Tomi Engdahl says:
New Boldmove Linux malware used to backdoor Fortinet devices
https://www.bleepingcomputer.com/news/security/new-boldmove-linux-malware-used-to-backdoor-fortinet-devices/
Suspected Chinese hackers exploited a recently disclosed FortiOS SSL-VPN vulnerability as a zero-day in December, targeting a European government and an African MSP with a new custom ‘BOLDMOVE’ Linux and Windows malware.
The vulnerability is tracked as CVE-2022-42475 and was quietly fixed by Fortinet in November. Fortinet publicly disclosed the vulnerability in December, urging customers to patch their devices as threat actors were actively exploiting the flaw.
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/new-hook-android-malware-lets-hackers-remotely-control-your-phone/