<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	
	>
<channel>
	<title>Comments on: Cyber security news February 2023</title>
	<atom:link href="http://www.epanorama.net/blog/2023/01/31/cyber-security-news-february-2023/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.epanorama.net/blog/2023/01/31/cyber-security-news-february-2023/</link>
	<description>All about electronics and circuit design</description>
	<lastBuildDate>Sun, 19 Apr 2026 21:53:56 +0000</lastBuildDate>
		<sy:updatePeriod>hourly</sy:updatePeriod>
		<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.9.14</generator>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2023/01/31/cyber-security-news-february-2023/comment-page-8/#comment-1796803</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Wed, 01 Mar 2023 15:46:53 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=193259#comment-1796803</guid>
		<description><![CDATA[https://hackaday.com/2023/02/17/this-week-in-security-usb-cable-kia-reddit-and-microsoft-rces/]]></description>
		<content:encoded><![CDATA[<p><a href="https://hackaday.com/2023/02/17/this-week-in-security-usb-cable-kia-reddit-and-microsoft-rces/" rel="nofollow">https://hackaday.com/2023/02/17/this-week-in-security-usb-cable-kia-reddit-and-microsoft-rces/</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2023/01/31/cyber-security-news-february-2023/comment-page-8/#comment-1796786</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Wed, 01 Mar 2023 15:31:13 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=193259#comment-1796786</guid>
		<description><![CDATA[https://hackaday.com/2023/02/24/answering-some-pico-balloon-questions/

When the US Air Force shot down some suspected Chinese spy balloons a couple of weeks ago, it was widely reported that one of the targets might have been a much more harmless amateur radio craft. The so-called pico balloon K9YO was a helium-inflated Mylar balloon carrying a tiny solar-powered WSPR beacon, and it abruptly disappeared in the same place and time in which the USAF claimed one of their targets. When we covered the story it garnered a huge number of comments both for and against the balloonists, so perhaps it’s worth returning with the views of a high-altitude-ballooning expert.

https://www.daveakerman.com/?p=3137

So was a “pico balloon” shot down by an F22?

The circumstantial evidence very strongly suggests that this is the case. One of these balloons has not been seen on the amateur tracking map since the USAF shot down an object matching the description in the area that the balloon was known to be. It was launched in the USA in October 2022 and was about to complete its 7th circumnavigation of the globe before it went missing from the tracking map.

And what are “pico” balloons?

This is the name given to them by the high altitude balloon community. They are small, plastic (often silvered) balloons, with very light payloads of the order of 10-20 grams. By using plastic with a small amount of helium, instead of bursting they float near the top of the troposphere, for days or sometimes months.]]></description>
		<content:encoded><![CDATA[<p><a href="https://hackaday.com/2023/02/24/answering-some-pico-balloon-questions/" rel="nofollow">https://hackaday.com/2023/02/24/answering-some-pico-balloon-questions/</a></p>
<p>When the US Air Force shot down some suspected Chinese spy balloons a couple of weeks ago, it was widely reported that one of the targets might have been a much more harmless amateur radio craft. The so-called pico balloon K9YO was a helium-inflated Mylar balloon carrying a tiny solar-powered WSPR beacon, and it abruptly disappeared in the same place and time in which the USAF claimed one of their targets. When we covered the story it garnered a huge number of comments both for and against the balloonists, so perhaps it’s worth returning with the views of a high-altitude-ballooning expert.</p>
<p><a href="https://www.daveakerman.com/?p=3137" rel="nofollow">https://www.daveakerman.com/?p=3137</a></p>
<p>So was a “pico balloon” shot down by an F22?</p>
<p>The circumstantial evidence very strongly suggests that this is the case. One of these balloons has not been seen on the amateur tracking map since the USAF shot down an object matching the description in the area that the balloon was known to be. It was launched in the USA in October 2022 and was about to complete its 7th circumnavigation of the globe before it went missing from the tracking map.</p>
<p>And what are “pico” balloons?</p>
<p>This is the name given to them by the high altitude balloon community. They are small, plastic (often silvered) balloons, with very light payloads of the order of 10-20 grams. By using plastic with a small amount of helium, instead of bursting they float near the top of the troposphere, for days or sometimes months.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2023/01/31/cyber-security-news-february-2023/comment-page-8/#comment-1796784</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Wed, 01 Mar 2023 15:26:14 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=193259#comment-1796784</guid>
		<description><![CDATA[https://hackaday.com/2023/02/24/this-week-in-security-godaddy-joomla-and-clamav/

Joomla’s Force Persuasion

Joomla has a critical vulnerability, CVE-2023-23752, which is a trivial information leak from a web endpoint. This flaw is present in all of the 4.x releases, up to 4.2.8, which contains the fix. The issue is the REST API, which gives access to pretty much everything about a given site. It has an authentication component, of course. The bypass is to simply append ?public=true. Yes, it’s a good old “You don’t need to see his identification” force suggestion.


Security Announcements
[20230201] - Core - Improper access check in webservice endpoints
https://developer.joomla.org/security-centre/894-20230201-core-improper-access-check-in-webservice-endpoints.html

There’s even a PoC script that runs the request and spits out the most interesting data: the username, password, and user id contained in the data. It’s not quite as disastrous as that sounds — the API isn’t actually leaking the administrative username and password, or even password hash. It’s leaking the SQL database information. Though if your database is accessible from the Internet, then that’s pretty much as bad as it could be.

https://github.com/WhiteOwl-Pub/CVE-2023-23752]]></description>
		<content:encoded><![CDATA[<p><a href="https://hackaday.com/2023/02/24/this-week-in-security-godaddy-joomla-and-clamav/" rel="nofollow">https://hackaday.com/2023/02/24/this-week-in-security-godaddy-joomla-and-clamav/</a></p>
<p>Joomla’s Force Persuasion</p>
<p>Joomla has a critical vulnerability, CVE-2023-23752, which is a trivial information leak from a web endpoint. This flaw is present in all of the 4.x releases, up to 4.2.8, which contains the fix. The issue is the REST API, which gives access to pretty much everything about a given site. It has an authentication component, of course. The bypass is to simply append ?public=true. Yes, it’s a good old “You don’t need to see his identification” force suggestion.</p>
<p>Security Announcements<br />
[20230201] &#8211; Core &#8211; Improper access check in webservice endpoints<br />
<a href="https://developer.joomla.org/security-centre/894-20230201-core-improper-access-check-in-webservice-endpoints.html" rel="nofollow">https://developer.joomla.org/security-centre/894-20230201-core-improper-access-check-in-webservice-endpoints.html</a></p>
<p>There’s even a PoC script that runs the request and spits out the most interesting data: the username, password, and user id contained in the data. It’s not quite as disastrous as that sounds — the API isn’t actually leaking the administrative username and password, or even password hash. It’s leaking the SQL database information. Though if your database is accessible from the Internet, then that’s pretty much as bad as it could be.</p>
<p><a href="https://github.com/WhiteOwl-Pub/CVE-2023-23752" rel="nofollow">https://github.com/WhiteOwl-Pub/CVE-2023-23752</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2023/01/31/cyber-security-news-february-2023/comment-page-8/#comment-1796783</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Wed, 01 Mar 2023 15:23:40 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=193259#comment-1796783</guid>
		<description><![CDATA[https://hackaday.com/2023/02/24/this-week-in-security-godaddy-joomla-and-clamav/

We’ve seen some rough security fails over the years, and GoDaddy’s recent news about a breach leading to rogue website redirects might make the highlight reel. The real juicy part is buried on page 30 of a PDF filing to the SEC.

Statement on recent website redirect issues
https://aboutus.godaddy.net/newsroom/company-news/news-details/2023/Statement-on-recent-website-redirect-issues/default.aspx]]></description>
		<content:encoded><![CDATA[<p><a href="https://hackaday.com/2023/02/24/this-week-in-security-godaddy-joomla-and-clamav/" rel="nofollow">https://hackaday.com/2023/02/24/this-week-in-security-godaddy-joomla-and-clamav/</a></p>
<p>We’ve seen some rough security fails over the years, and GoDaddy’s recent news about a breach leading to rogue website redirects might make the highlight reel. The real juicy part is buried on page 30 of a PDF filing to the SEC.</p>
<p>Statement on recent website redirect issues<br />
<a href="https://aboutus.godaddy.net/newsroom/company-news/news-details/2023/Statement-on-recent-website-redirect-issues/default.aspx" rel="nofollow">https://aboutus.godaddy.net/newsroom/company-news/news-details/2023/Statement-on-recent-website-redirect-issues/default.aspx</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2023/01/31/cyber-security-news-february-2023/comment-page-8/#comment-1796717</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Wed, 01 Mar 2023 10:46:30 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=193259#comment-1796717</guid>
		<description><![CDATA[A simple DIY hoodie can fool security cameras
The &#039;Camera Shy Hoodie&#039; looks innocuous, but keeps your face invisible to surveillance.
https://www.popsci.com/technology/camera-shy-hoodie-privacy/]]></description>
		<content:encoded><![CDATA[<p>A simple DIY hoodie can fool security cameras<br />
The &#8216;Camera Shy Hoodie&#8217; looks innocuous, but keeps your face invisible to surveillance.<br />
<a href="https://www.popsci.com/technology/camera-shy-hoodie-privacy/" rel="nofollow">https://www.popsci.com/technology/camera-shy-hoodie-privacy/</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2023/01/31/cyber-security-news-february-2023/comment-page-8/#comment-1796716</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Wed, 01 Mar 2023 10:45:19 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=193259#comment-1796716</guid>
		<description><![CDATA[https://www.bleepingcomputer.com/news/security/cisa-warns-of-hackers-exploiting-zk-java-framework-rce-flaw/]]></description>
		<content:encoded><![CDATA[<p><a href="https://www.bleepingcomputer.com/news/security/cisa-warns-of-hackers-exploiting-zk-java-framework-rce-flaw/" rel="nofollow">https://www.bleepingcomputer.com/news/security/cisa-warns-of-hackers-exploiting-zk-java-framework-rce-flaw/</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2023/01/31/cyber-security-news-february-2023/comment-page-8/#comment-1796707</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Wed, 01 Mar 2023 06:41:50 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=193259#comment-1796707</guid>
		<description><![CDATA[Vulnerability in Popular Real Estate Theme Exploited to Hack WordPress Websites
https://www.securityweek.com/vulnerability-in-popular-real-estate-theme-exploited-to-hack-wordpress-websites/

A critical vulnerability in the Houzez premium WordPress theme and plugin has been exploited in the wild.]]></description>
		<content:encoded><![CDATA[<p>Vulnerability in Popular Real Estate Theme Exploited to Hack WordPress Websites<br />
<a href="https://www.securityweek.com/vulnerability-in-popular-real-estate-theme-exploited-to-hack-wordpress-websites/" rel="nofollow">https://www.securityweek.com/vulnerability-in-popular-real-estate-theme-exploited-to-hack-wordpress-websites/</a></p>
<p>A critical vulnerability in the Houzez premium WordPress theme and plugin has been exploited in the wild.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2023/01/31/cyber-security-news-february-2023/comment-page-8/#comment-1796706</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Wed, 01 Mar 2023 06:41:32 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=193259#comment-1796706</guid>
		<description><![CDATA[Cyberwarfare
‘Hackers’ Behind Air Raid Alerts Across Russia: Official
https://www.securityweek.com/hackers-behind-air-raid-alerts-across-russia-official/

Russian authorities said that several television and radio stations that have recently broadcast air raid alerts had been breached by hackers.

“As a result of hacking of servers of radio stations and TV channels, in some regions of the country, information about the announcement of an air raid alert was broadcast,” Russia’s emergencies ministry said in a statement.]]></description>
		<content:encoded><![CDATA[<p>Cyberwarfare<br />
‘Hackers’ Behind Air Raid Alerts Across Russia: Official<br />
<a href="https://www.securityweek.com/hackers-behind-air-raid-alerts-across-russia-official/" rel="nofollow">https://www.securityweek.com/hackers-behind-air-raid-alerts-across-russia-official/</a></p>
<p>Russian authorities said that several television and radio stations that have recently broadcast air raid alerts had been breached by hackers.</p>
<p>“As a result of hacking of servers of radio stations and TV channels, in some regions of the country, information about the announcement of an air raid alert was broadcast,” Russia’s emergencies ministry said in a statement.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2023/01/31/cyber-security-news-february-2023/comment-page-8/#comment-1796704</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Wed, 01 Mar 2023 06:40:10 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=193259#comment-1796704</guid>
		<description><![CDATA[New ‘Exfiltrator-22’ Post-Exploitation Framework Linked to Former LockBit Affiliates
https://www.securityweek.com/new-exfiltrator-22-post-exploitation-framework-linked-to-former-lockbit-affiliates/

A recently identified post-exploitation framework ‘Exfiltrator-22’ uses the same C&amp;C infrastructure as the LockBit ransomware.

A recently identified post-exploitation framework offered as a service appears to be operated by former affiliates of the LockBit ransomware, cybersecurity company Cyfirma reports.

Dubbed Exfiltrator-22 or EX-22, the tool was created using the leaked source code of other post-exploitation frameworks, and uses the same command-and-control (C&amp;C) infrastructure as LockBit 3.0.

The malicious tool appears to have been created by skilled developers with knowledge of anti-analysis and defense evasion techniques, who are employing an aggressive marketing strategy, claiming that their solution is fully undetectable.

Exfiltrator-22’s operators, Cyfirma says, are likely operating from Asia and are interested in building their own affiliation program, using a subscription-based payment model: the malware is offered at $1,000 for a month, or $5,000 for lifetime access.]]></description>
		<content:encoded><![CDATA[<p>New ‘Exfiltrator-22’ Post-Exploitation Framework Linked to Former LockBit Affiliates<br />
<a href="https://www.securityweek.com/new-exfiltrator-22-post-exploitation-framework-linked-to-former-lockbit-affiliates/" rel="nofollow">https://www.securityweek.com/new-exfiltrator-22-post-exploitation-framework-linked-to-former-lockbit-affiliates/</a></p>
<p>A recently identified post-exploitation framework ‘Exfiltrator-22’ uses the same C&amp;C infrastructure as the LockBit ransomware.</p>
<p>A recently identified post-exploitation framework offered as a service appears to be operated by former affiliates of the LockBit ransomware, cybersecurity company Cyfirma reports.</p>
<p>Dubbed Exfiltrator-22 or EX-22, the tool was created using the leaked source code of other post-exploitation frameworks, and uses the same command-and-control (C&amp;C) infrastructure as LockBit 3.0.</p>
<p>The malicious tool appears to have been created by skilled developers with knowledge of anti-analysis and defense evasion techniques, who are employing an aggressive marketing strategy, claiming that their solution is fully undetectable.</p>
<p>Exfiltrator-22’s operators, Cyfirma says, are likely operating from Asia and are interested in building their own affiliation program, using a subscription-based payment model: the malware is offered at $1,000 for a month, or $5,000 for lifetime access.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2023/01/31/cyber-security-news-february-2023/comment-page-8/#comment-1796701</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Wed, 01 Mar 2023 06:36:27 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=193259#comment-1796701</guid>
		<description><![CDATA[Data Breaches
Ransomware Attack Hits US Marshals Service
https://www.securityweek.com/ransomware-attack-hits-us-marshals-service/

The US Marshals Service has confirmed that ransomware was deployed on one of its systems that contains sensitive law enforcement information.]]></description>
		<content:encoded><![CDATA[<p>Data Breaches<br />
Ransomware Attack Hits US Marshals Service<br />
<a href="https://www.securityweek.com/ransomware-attack-hits-us-marshals-service/" rel="nofollow">https://www.securityweek.com/ransomware-attack-hits-us-marshals-service/</a></p>
<p>The US Marshals Service has confirmed that ransomware was deployed on one of its systems that contains sensitive law enforcement information.</p>
]]></content:encoded>
	</item>
</channel>
</rss>
