My Shared Links — Week 03/2023
Collection of the {cyber,info}security resources and links I have found insightful and shared during week #03 of 2023.
Exploits released for two Samsung Galaxy App Store vulnerabilities
Two vulnerabilities in the Galaxy App Store, Samsung’s official repository for its devices, could enable attackers to install any app in the Galaxy Store without the user’s knowledge or to direct victims to a malicious web location.
The Korean smartphone maker announced on January 1, 2023 that it fixed the two flaws and released a new version for Galaxy App Store (4.5.49.8).
Crims steal data on 40 million T-Mobile US customers
T-Mobile US today said someone abused an API to download the personal information of 37 million subscribers.
PayPal accounts breached in large-scale credential stuffing attack
If you’re using Paypal, worth a read ⬇️ .. and take actions to protect your account(s).
PayPal is sending out data breach notifications to thousands of users who had their accounts accessed through credential stuffing attacks that exposed some personal data.
Credential stuffing are attacks where hackers attempt to access an account by trying out username and password pairs sourced from data leaks on various websites.
Suspected Chinese Threat Actors Exploiting FortiOS Vulnerability (CVE-2022–42475)
Mandiant (now part of Google Cloud) is tracking a suspected China-nexus campaign believed to have exploited a recently announced vulnerability in Fortinet’s FortiOS SSL-VPN, CVE-2022–42475, as a zero-day.
Evidence suggests the exploitation was occurring as early as October 2022 and identified targets include a European government entity and a managed service provider located in Africa.
Ukraine links data-wiping attack on news agency to Russian hackers
The Computer Emergency Response Team of Ukraine (CERT-UA) has linked a destructive malware attack targeting the country’s national news agency (Ukrinform) to Sandworm Russian military hackers.
CERT-U says the cyberattack was likely carried out by the Sandworm group based on the threat actors’ tactics, which was previously linked to the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).
MailChimp discloses new breach after employees got hacked
Email marketing firm MailChimp suffered another breach after hackers accessed an internal customer support and account administration tool, allowing the threat actors to access the data of 133 customers.
MailChimp says the attackers gained access to employee credentials after conducting a social engineering attack on Mailchimp employees and contractors.
Self-Checkout This Discord C2
IBM Security X-Force identified a novel technique employed by an attacker to introduce a command and control (C2) channel built upon Discord channel messages.
While Discord and its related software are not malicious, Discord has been leveraged by threat actors to deliver malware and remote access trojans (RATs) as a command and control (C2) channel. This is the first instance X-Force has encountered a Discord C2 channel using the native Discord bot capabilities.
Microsoft Azure Services Flaws Could’ve Exposed Cloud Resources to Unauthorized Access
Four different Microsoft Azure services have been found vulnerable to server-side request forgery (SSRF) attacks that could be exploited to gain unauthorized access to cloud resources. The security issues, which were discovered by Orca Security between October 8, 2022 and December 2, 2022 in Azure API Management, Azure Functions, Azure Machine Learning, and Azure Digital Twins, have since been addressed by Microsoft.
“The discovered Azure SSRF vulnerabilities allowed an attacker to scan local ports, find new services, endpoints, and sensitive files — providing valuable information on possibly vulnerable servers and services to exploit for initial entry and the location of sensitive information to target.”
Three of the flaws are rated Important in severity, while the SSRF flaw impacting Azure Machine Learning is rated Low in severity.
Avast releases free BianLian ransomware decryptor
Security software company Avast has released a free decryptor for the BianLian ransomware strain to help victims of the malware recover locked files without paying the hackers.
The availability of a decryptor comes only about half a year after increased activity from BianLian ransomware over the summer of 2022, when the threat group breached multiple high-profile organizations.
Git patches two critical remote code execution security flaws
Git has patched two critical severity security vulnerabilities that could allow attackers to execute arbitrary code after successfully exploiting heap-based buffer overflow weaknesses.
Security experts from X41 (Eric Sesterhenn and Markus Vervier) and GitLab (Joern Schneeweisz) found these vulnerabilities as part of a security source code audit of Git sponsored by OSTIF.
Datadog rotates RPM signing key exposed in CircleCI hack
Cloud security firm Datadog says that one of its RPM GPG signing keys and its passphrase have been exposed during a recent CircleCI security breach.
However, the company added that it has yet to find evidence that this key was leaked or misused.
In response to CircleCI’s disclosure that the threat actor stole customers’ environment variables, tokens, and keys from its databases, Datadog has released a new version of its Agent 5 RPM for CentOS/RHEL, signed with a new key.
The company has also released a new Linux install script that removes the affected key from the Datadog repo file and the RPM database.
EU citizens’ rights are under threat from anti-encryption proposals
In December 2020, The Council of the European Union released a five-page resolution that called for the EU to pass new rules to govern the use of end-to-end encryption in Europe.
We [ProtonMail] strongly oppose this resolution because it foreshadows an attack on encryption(new window). We [ProtonMail] were not the only European-based end-to-end encrypted service that was alarmed by the EU’s sudden shift against privacy. See joint statement with with Threema, Tresorit, and Tutanota below:
How AI chatbot ChatGPT changes the phishing game
The Microsoft-backed free chatbot is improving fast and can not only write emails, essays but can also code. ChatGPT is also polyglot and that could facilitate and increase exponentially phishing attacks.
The Dangers of Default Cloud Configurations
Great to remind this once in a while….
When you hear “default settings” in the context of the cloud, a few things can come to mind: default admin passwords when setting up a new application, a public AWS S3 bucket, or default user access. Often, vendors and providers consider customer usability and ease more important than security, resulting in default settings. One thing needs to be clear: Just because a setting or control is default doesn’t mean it’s recommended or secure.
New Backdoor Created Using Leaked CIA’s Hive Malware Discovered in the Wild
Unidentified threat actors have deployed a new backdoor that borrows its features from the U.S. Central Intelligence Agency (CIA)’s Hive multi-platform malware suite, the source code of which was released by WikiLeaks in November 2017.
Cacti Servers Under Attack as Majority Fail to Patch Critical Vulnerability
A majority of internet-exposed Cacti servers have not been patched against a recently patched critical security vulnerability that has come under active exploitation in the wild.
The issue in question relates to CVE-2022–46169 (CVSS score: 9.8), a combination of authentication bypass and command injection that enables an unauthenticated user to execute arbitrary code on an affected version of the open-source, web-based monitoring solution.
ODIN Intelligence website is defaced as hackers claim breach
The website for ODIN Intelligence, a company that provides technology and tools for law enforcement and police departments, was defaced on Sunday.
The apparent hack comes days after Wired reported that an app developed by the company, SweepWizard, which allows police to manage and coordinate multi-agency raids, had a significant security vulnerability that exposed personal information of police suspects and sensitive details of upcoming police operations to the open web.
Emma Best, co-founder of non-profit transparency collective DDoSecrets, told TechCrunch that data was exfiltrated from ODIN’s servers and that the organization was in possession of it. “We received the data the other day and are processing it,” Best said.
Norton LifeLock Password Manager Accounts Compromised
Breach notification letters from Norton LifeLock warn that customers using their password manager services have been compromised. However, unlike the LastPass data breach, this security incident is due to credential stuffing attacks.
