Posts

Cybersecurity Updates For Week 17 of 2022

New Nimbuspwn Linux vulnerability gives hackers root privileges

A new set of vulnerabilities collectively tracked as Nimbuspwn could let local attackers escalate privileges on Linux systems to deploy malware ranging from backdoors to ransomware.

Read more:
https://www.bleepingcomputer.com/news/security/new-nimbuspwn-linux-vulnerability-gives-hackers-root-privileges/

Security alert: Attack campaign involving stolen OAuth user tokens issued to two third-party integrators

On April 12, GitHub Security began an investigation that uncovered evidence that an attacker abused stolen OAuth user tokens issued to two third-party OAuth integrators, Heroku and Travis-CI, to download data from dozens of organizations, including npm. Read on to learn more about the impact to GitHub, npm, and our users.

Read more:
https://thehackernews.com/2022/04/cybercriminals-using-new-malware-loader.html

Millions of Java Apps Remain Vulnerable to Log4Shell

Four months after the critical flaw was discovered, attackers have a massive attack surface from which they can exploit the flaw and take over systems, researchers found.

Read More:
https://threatpost.com/java-apps-vulnerable-log4shell/179397/

Other news worth mentioning:

Quantum ransomware seen deployed in rapid network attacks
Over 18.8 million IPs vulnerable to Middlebox TCP reflection DDoS attacks
Cybercriminals Using New Malware Loader ‘Bumblebee’ in the Wild
Synopsys to Acquire White Hat Security in $330M All-Cash Deal
Microsoft Azure Vulnerability Exposes PostgreSQL Databases to Other Customers

Cybersecurity Updates For Week 15 of 2022

Microsoft Issues Patches for 2 Windows Zero-Days and 126 Other Vulnerabilities

Microsoft’s Patch Tuesday updates for the month of April have addressed a total of 128 security vulnerabilities spanning across its software product portfolio, including Windows, Defender, Office, Exchange Server, Visual Studio, and Print Spooler, among others.

Read more:
https://thehackernews.com/2022/04/microsoft-issues-patches-for-2-windows.html

Menswear Brand Zegna Reveals Ransomware Attack

Accounting materials from the Italy-based luxury fashion house were leaked online by RansomExx because the company refused to pay.

Read more:
https://threatpost.com/menswear-zegna-ransomware/179266/

Critical flaw in Elementor WordPress plugin may affect 500k sites

The authors of the Elementor Website Builder plugin for WordPress have just released version 3.6.3 to address a critical remote code execution flaw that may impact as many as 500,000 websites.

Read More:
https://www.bleepingcomputer.com/news/security/critical-flaw-in-elementor-wordpress-plugin-may-affect-500k-sites/

Other news worth mentioning:

CISA Warns Against Russian Hackers Exploiting a Critical Bug
Black-hat hackers: bad to the bone or just victims of society?
No plain sailing: modern pirates hack superyachts’ cybersecurity
Microsoft Takes Down Domains Used in Cyberattack Against Ukraine
VMware Confirms Workspace One Exploits in the Wild

Cybersecurity Updates For Week 14 of 2022

Cado Discovers Denonia: The First Malware Specifically Targeting Lambda

Cado Labs routinely analyses cloud environments to look for the latest threats. As part of ongoing research, we found the first publicly-known case of malware specifically designed to execute in an AWS Lambda environment.

Read more:
https://www.cadosecurity.com/cado-discovers-denonia-the-first-malware-specifically-targeting-lambda/

VMware Patches Multiple Vulnerabilities in Workspace ONE, Identity and Lifecycle Manager and vRealize (VMSA-2022-0011)

VMware cautions organizations to patch or mitigate several serious vulnerabilities across multiple products.

Read more:
https://www.tenable.com/blog/vmware-patches-multiple-vulnerabilities-in-workspace-one-vmsa-2022-0011

Microsoft’s New Autopatch Feature to Help Businesses Keep Their Systems Up-to-Date

Microsoft last week announced that it intends to make generally available a feature called Autopatch as part of Windows Enterprise E3 in July 2022.

Read More:
https://thehackernews.com/2022/04/microsofts-new-autopatch-feature-to.html

Other news worth mentioning:

Google Play Bitten by Sharkbot Info-stealer ‘AV Solution’
Adobe Creative Cloud Experience makes it easier to run malware
Linux Systems Are Becoming Bigger Targets
The US is trying to fix medical devices’ big cybersecurity problem

Cybersecurity Updates For Week 13 of 2022

Spring Core on JDK9+ is vulnerable to remote code executio

Spring Core on JDK9+ is vulnerable to remote code execution due to a bypass for CVE-2010-1622. At the time of writing, this vulnerability is unpatched in Spring Framework and there is a public proof-of-concept available. As we have remediation advice for customers (see below), we have elected to share this information publicly.

Read more:
https://www.praetorian.com/blog/spring-core-jdk9-rce/

Microsoft Exchange targeted for IcedID reply-chain hijacking attacks

The distribution of the IcedID malware has seen a spike recently due to a new campaign that hijacks existing email conversation threads and injects malicious payloads that are hard to spot.

Read more:
https://www.bleepingcomputer.com/news/security/microsoft-exchange-targeted-for-icedid-reply-chain-hijacking-attacks/amp/

Critical Sophos Security Bug Allows RCE on Firewalls

Cybersecurity stalwart Sophos has plugged a critical vulnerability in its firewall product, which could allow remote code-execution.

Read More:
https://threatpost.com/critical-sophos-security-bug-rce-firewalls/179127/

Other news worth mentioning:

Apple Issues Patches for 2 Actively Exploited Zero-Days in iPhone, iPad and Mac Devices
Critical hijacking bugs that took months to patch in Microsoft Azure Defender for IoT
Cybercriminals Fighting Over Cloud Workloads for Cryptomining
New Version of PCI DSS Designed to Tackle Emerging Payment Threats

Cybersecurity Updates For Week 12 of 2022

Okta’s Investigation of the January 2022 Compromise

On March 22, 2022, nearly 24 hours ago, a number of screenshots were published online that were taken from a computer used by one of Okta’s third-party customer support engineers.

Read more:
https://www.okta.com/blog/2022/03/oktas-investigation-of-the-january-2022-compromise/

Microsoft confirms Lapsus$ breach after hackers publish Bing, Cortana source code

Microsoft has confirmed that it was breached by the Lapsus$ hacking group.

Read more:
https://techcrunch.com/2022/03/23/microsoft-lapsus-hack-source-code/

North Korean Hackers Exploited Chrome Zero-Day to Target Fintech, IT, and Media Firms

Google’s Threat Analysis Group (TAG) on Thursday disclosed that it acted to mitigate threats from two distinct government-backed attacker groups based in North Korea that exploited a recently-uncovered remote code execution flaw in the Chrome web browser.

Read More:
https://thehackernews.com/2022/03/north-korean-hackers-exploited-chrome.html

Other news worth mentioning:

7 Suspected Members of LAPSUS$ Hacker Gang, Aged 16 to 21, Arrested in U.K.
FBI: Cybercrime Victims Suffered Losses of Over $6.9B in 2021
Feds Allege Destructive Russian Hackers Targeted US Refineries
Western Digital My Cloud OS update fixes critical vulnerability

Cybersecurity Updates For Week 10 of 2022

Intel and Arm CPUs have a major security flaw

A new Spectre class speculative execution vulnerability, called Branch History Injection (BHI) or Spectre-BHB, was jointly disclosed on Tuesday by VUSec security research group and Intel.

Read more:
https://www.techspot.com/news/93706-arm-intel-cpus-vulnerable-new-spectre-style-attack.html

Microsoft tests new cloud-based Microsoft Defender for home users

Microsoft has announced that the company’s new cloud-based Microsoft Defender security solution has entered preview for home customers in the United States.

Read more:
https://www.bleepingcomputer.com/news/microsoft/microsoft-tests-new-cloud-based-microsoft-defender-for-home-users/

Mozilla fixes Firefox zero-days exploited in the wild (CVE-2022-26485, CVE-2022-26486)

Mozilla has released an out-of-band security update for Firefox, Firefox Focus, and Thunderbird, fixing two critical vulnerabilities (CVE-2022-26485, CVE-2022-26486) exploited by attackers in the wild.

Read More:
https://www.helpnetsecurity.com/2022/03/07/cve-2022-26485-cve-2022-26486/

Other news worth mentioning:

New Linux bug gives root on all major distros, exploit released
CVE-2022-26143: TP240PhoneHome Reflection/Amplification DDoS Attack Vector
Microsoft Addresses 3 Zero-Days & 3 Critical Bugs for March Patch Tuesday
Computer science professor takes a ‘hands-on’ approach to smartphone security

Cybersecurity Updates For Week 8 of 2022

New Data-Wiping Malware Discovered on Systems in Ukraine

Researchers were scrambling to analyze a newly discovered piece of data-wiping malware found in the wild.

Read more:
https://www.darkreading.com/attacks-breaches/new-data-wiping-malware-discovered-on-systems-in-ukraine

Notorious TrickBot Malware Gang Shuts Down its Botnet Infrastructure

The modular Windows crimeware platform known as TrickBot formally shuttered its infrastructure on Thursday after reports emerged of its imminent retirement amid a lull in its activity for almost two months, marking an end to one of the most persistent malware campaigns in recent years.

Read more:
https://thehackernews.com/2022/02/notorious-trickbot-malware-gang-shuts.html

Microsoft Exchange Bugs Exploited by ‘Cuba’ Ransomware Gang

The ransomware gang known as “Cuba” is increasingly shifting to exploiting Microsoft Exchange vulnerabilities – including ProxyShell and ProxyLogon – as initial infection vectors, researchers have found.

Read More:
https://threatpost.com/microsoft-exchange-exploited-cuba-ransomware/178665/

Other news worth mentioning:

Russia Sanctions May Spark Escalating Cyber Conflict
Redcar and Cleveland Council: Four serious data breaches reported
How to Use Google Chrome’s Enhanced Safety Mode
Social Media Hijacking Malware Spreading Through Gaming Apps on Microsoft Store

0-days in Microsoft exchange servers


Published: 2021-03-02
CVE-2021-26855
CVE-2021-26857
CVE-2021-26858 
CVE-2021-27065 

“Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments.”

As these vulnerabilities are currently being exploited and used in targeted attacks, patching should be done as soon as possible.
Along with attack details and information about these vulnerabilities, Microsoft also published how to scan exchange log files for indicators of compromise, which is also recommended to do.

Update 2020-03-07: There are currently many published exploits for this vulnerability. Patching this vulnerability is not enough, one must also investigate for potential breaches.

Internally this is being tracked in BF-VLN-2229454.

Microsoft Windows Multiple Security Updates Affecting TCP/IP | CVE-2021-24074, CVE-2021-24094, and CVE-2021-24086

Published: 2021-02-09
MITRE CVE-2021-24074
MITRE CVE-2021-24094
MITRE CVE-2021-24086

“Microsoft released a set of fixes affecting Windows TCP/IP implementation that include two Critical Remote Code Execution (RCE) vulnerabilities (CVE-2021-24074, CVE-2021-24094) and an Important Denial of Service (DoS) vulnerability (CVE-2021-24086). The two RCE vulnerabilities are complex which make it difficult to create functional exploits, so they are not likely in the short term. We believe attackers will be able to create DoS exploits much more quickly and expect all three issues might be exploited with a DoS attack shortly after release. Thus, we recommend customers move quickly to apply Windows security updates this month.”

CVSS Base Score is 9.8, 9.8 and 7.5.

All have potential workarounds that should have a minimal operational impact.

Currently there is no exploit in the wild. If an exploit is published this vulnerability will become critical to mitigate as fast as possible.

We are tracking this internally as BF-VLN-2216447 with the highest priority and is currently evaluating this vulnerability and how to best handle it and ensure operational stability for all our customers.

For further general details we point to the Microsoft Security Response Center blog post about the topic.

Security Software & Tools Tips – June 2019

In this monthly post, we try to make you aware of five different security related products.
This is a repost from my personal website Ulyaoth

This month we have chosen for the following:
* Attack Surface Analyzer
* Bandit
* Infection Monkey
* NetSpot
* Splunk

Attack Surface Analyzer

Information from the Attack Surface Analyzer website:

Attack Surface Analyzer is a Microsoft-developed open source security tool that analyzes the attack surface of a target system and reports on potential security vulnerabilities introduced during the installation of software or system misconfiguration.

Website:

https://github.com/microsoft/AttackSurfaceAnalyzer

Bandit

Information from the Bandit website:

Bandit is a tool designed to find common security issues in Python code. To do this Bandit processes each file, builds an AST from it, and runs appropriate plugins against the AST nodes. Once Bandit has finished scanning all the files it generates a report.

Website:

https://github.com/PyCQA/bandit

Infection Monkey

Information from the Infection Monkey website:

The Infection Monkey is an open source Breach and Attack Simulation (BAS) tool that assesses the resiliency of private and public cloud environments to post-breach attacks and lateral movement.

Website:

https://www.guardicore.com/infectionmonkey/

NetSpot

Information from the NetSpot website:

Use NetSpot to visualize, manage, troubleshoot, audit, plan, and deploy your wireless networks.

Website:

https://www.netspotapp.com/

Splunk

Information from the Splunk website:

Splunk turns machine data into answers with the leading platform to tackle the toughest IT, IoT and security challenges. Use Splunk to search, monitor, analyze and visualize machine data.

Website:

https://www.splunk.com/

Image by Pete Linforth from Pixabay