My Shared Links — Week 02/2023

Xavier «X» Santolaria
7 min readJan 16, 2023

Collection of the {cyber,info}security resources and links I have found insightful and shared during week #02 of 2023.

Photo by FLY:D on Unsplash

Fortinet: Govt networks targeted with now-patched SSL-VPN zero-day

Fortinet says unknown attackers exploited a FortiOS SSL-VPN zero-day vulnerability patched last month in attacks against government organizations and government-related targets.

”The discovered Windows sample attributed to the attacker displayed artifacts of having been compiled on a machine in the UTC+8 timezone, which includes Australia, China, Russia, Singapore, and other Eastern Asian countries.”

Red Hat Insights malware detection service is now generally available

This malware detection service is a monitoring and assessment tool that scans Red Hat Enterprise Linux (RHEL) systems for the presence of malware, utilizing over 180 signatures of known Linux malware provided in partnership with the IBM X-Force Threat Intelligence team.

Italian Users Warned of Malware Attack Targeting Sensitive Information

A new malware campaign has been observed targeting Italy with phishing emails designed to deploy an information stealer on compromised Windows systems.

Black Hat Flashback: The Deadly Consequences of Weak Medical Device Security

Hacking to kill: Dark Reading’s Fahmida Y. Rashid reflects on the monumental Black Hat 2011 moment when

showed how to hack his insulin pump.

StrongPity Hackers Distribute Trojanized Telegram App to Target Android Users

The advanced persistent threat (APT) group known as StrongPity has targeted Android users with a trojanized version of the Telegram app through a fake website that impersonates a video chat service called Shagle.

Timeline of the latest LastPass data breaches

Timeline of the latest LastPass data breaches:

  • August 25, 2022: LastPass detects “unauthorized” access
  • September 15, 2022: LastPass says no customer data or passwords compromised
  • November 30, 2022: LastPass notifies customers of new security incident
  • December 1, 2022: Researcher urges LastPass customers to stay vigilant
  • December 22, 2022: LastPass confirms theft of source code and technical information

And trust me. It’s not an isolated case. Incident responder is a tough job.

GitHub Introduces Automatic Vulnerability Scanning Feature

Very good news coming from GitHub as they are now providing devs with the option to have their code repositories automatically scanned for vulnerabilities. Available for JavaScript, Python, and Ruby repositories.

Swiss Army’s Threema messaging app was full of holes — at least seven

A supposedly secure messaging app preferred by the Swiss government and army was infested with bugs — possibly for a long time — before an audit by ETH Zürich researchers.

… Another attempt to re-create wheels that backfired here. Again.

The January 2023 Patch Tuesday Security Update Review

  • Microsoft has released 98 new patches addressing vulnerabilities. Out of 98 patches, 11 are rated critical, and 87 are rated important.
  • Adobe has released four patches addressing 29 vulnerabilities, which contains fixes for 15 critical vulnerabilities in Reader, 6 in InDesign, 6 in InCopy and 2 in Dimension.

Data leak exposes information of 10,000 French social security beneficiaries

More than 10,000 beneficiaries of a local branch of the French social security agency CAF, or Family Allowance Fund, saw their data exposed for about 18 months, after a file containing personal information was sent to a service provider.

Severe Security Flaw Found in “jsonwebtoken” Library Used by 22,000+ Projects

A high-severity security flaw has been disclosed in the open source jsonwebtoken (JWT) library that, if successfully exploited, could lead to remote code execution (RCE) on a target server.

jsonwebtoken is developed and maintained by Okta’s Auth0.

Serbia Slammed With DDoS Attacks

The Serbian Ministry of the Interior reported over the weekend being targeted by at least five separate distributed denial-of-service (DDoS) attacks in 48 hours, intended to hobble the country’s IT infrastructure.

The cyberattacks come amid rising tensions in the Balkans as a result of the Russian invasion of Ukraine.

Malicious PyPI Packages Using Cloudflare Tunnels to Sneak Through Firewalls

In yet another campaign targeting the Python Package Index (PyPI) repository, six malicious packages have been found deploying information stealers on developer systems. The affected packages include pyrologin, easytimestamp, discorder, discord-dev, style.py, and pythonstyles.

The malware is designed to launch a PowerShell script that retrieves a ZIP archive file, install invasive dependencies such as pynput, pydirectinput, and pyscreenshot, and run a Visual Basic Script extracted from the archive to execute more PowerShell code.

The rogue packages are also capable of harvesting cookies, saved passwords, and cryptocurrency wallet data from Google Chrome, Mozilla Firefox, Microsoft Edge, Brave, Opera, Opera GX, and Vivaldi browsers.

Hackers push fake Pokemon NFT game to take over Windows devices

Threat actors are using a well-crafted Pokemon NFT card game website to distribute the NetSupport remote access tool and take control over victims’ devices.

The website “pokemon-go[.]io,” which is still online at the time of writing, claims to be home to a new NFT card game built around the Pokemon franchise, offering users strategic fun together with NFT investment profits.

Those who click on the “Play on PC” button download an executable that looks like a legitimate game installer but, in reality, installs the NetSupport remote access tool (RAT) on the victim’s system.

Air France and KLM notify customers of account hacks

Air France and KLM have informed Flying Blue customers that some of their personal information was exposed after their accounts were breached.

Affected customers were also warned that their accounts had been locked due to the breach and that they must go to the KLM and Air France websites to change their passwords.

VSCode Marketplace can be abused to host malicious extensions

Researchers at AquaSec have found it surprisingly easy to upload malicious Visual Studio Code extensions to the VSCode Marketplace, and discovered signs of threat actors already exploiting this weakness.

The proof-of-concept (PoC) extension created by AquaSec gained over 1,500 installations in under 48 hours, with the “victim” developers worldwide.

Rackspace Sunsets Email Service Downed in Ransomware Attack

Rackspace Technology has completed its forensic investigation into the Dec. 2 ransomware attack that took down its Hosted Exchange Email service, and announced that it will discontinue that offering and transition it to cloud-based Microsoft 365.

The company said it has no plans to rebuild the hosted Exchange server environment, which has been down since the attack, and that it already had been on track to migrate to 365 before the ransomware incident.

Web Hackers vs. The Auto Industry: Critical Vulnerabilities in Ferrari, BMW, Rolls Royce, Porsche, and More

Nice writeup on Sam Curry & friends on their work exploring the security of telematic systems, automotive APIs, and the infrastructure that supports it.

Buckle up!

--

--