What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2022-09-13 21:15:10 | CVE-2022-40623 (lien direct) | The WAVLINK Quantum D4G (WN531G3) running firmware version M31G3.V5030.200325 does not utilize anti-CSRF tokens, which, when combined with other issues (such as CVE-2022-35518), can lead to remote, unauthenticated command execution. | Guideline | ★★ | |
|
2022-09-13 21:15:09 | CVE-2022-34336 (lien direct) | IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 229714. | Vulnerability Guideline | ★★★★★ | |
|
2022-09-13 20:15:09 | CVE-2022-20398 (lien direct) | In addOrUpdateNetwork of WifiServiceImpl.java, there is a possible way for a guest user to configure Wi-Fi due to a permissions bypass. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-221859734 | Guideline | ||
|
2022-09-13 20:15:09 | CVE-2022-20393 (lien direct) | In extract3GPPGlobalDescriptions of TextDescriptions.cpp, there is a possible out of bounds read due to an integer overflow. This could lead to local information disclosure from the media server with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-12 Android-12LAndroid ID: A-233735886 | Guideline | ||
|
2022-09-13 20:15:09 | CVE-2022-2962 (lien direct) | A DMA reentrancy issue was found in the Tulip device emulation in QEMU. When Tulip reads or writes to the rx/tx descriptor or copies the rx/tx frame, it doesn't check whether the destination address is its own MMIO address. This can cause the device to trigger MMIO handlers multiple times, possibly leading to a stack or heap overflow. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition. | Guideline | ||
|
2022-09-13 20:15:09 | CVE-2022-32244 (lien direct) | Under certain conditions an attacker authenticated as a CMS administrator access the BOE Commentary database and retrieve (non-personal) system data, modify system data but can't make the system unavailable. This needs the attacker to have high privilege access to the same physical/logical network to access information which would otherwise be restricted, leading to low impact on confidentiality and high impact on integrity of the application. | Guideline | ||
|
2022-09-13 20:15:09 | CVE-2021-0943 (lien direct) | In MMU_MapPages of TBD, there is a possible out of bounds write due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android SoCAndroid ID: A-238916921 | Guideline | ||
|
2022-09-13 20:15:09 | CVE-2022-20392 (lien direct) | In declareDuplicatePermission of ParsedPermissionUtils.java, there is a possible way to obtain a dangerous permission without user consent due to improper input validation. This could lead to local escalation of privilege during app installation or upgrade with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-12LAndroid ID: A-213323615 | Guideline | ★★★★★ | |
|
2022-09-13 20:15:09 | CVE-2022-20399 (lien direct) | In the SEPolicy configuration of system apps, there is a possible access to the 'ip' utility due to an insecure default value. This could lead to local information disclosure of network data with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-219808546References: Upstream kernel | Guideline | ||
|
2022-09-13 20:15:09 | CVE-2022-20396 (lien direct) | In SettingsActivity.java, there is a possible way to make a device discoverable over Bluetooth, without permission or user interaction, due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12L Android-13Android ID: A-234440688 | Guideline | ||
|
2022-09-13 20:15:09 | CVE-2022-20395 (lien direct) | In checkAccess of MediaProvider.java, there is a possible file deletion due to a path traversal error. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-12 Android-12L Android-13Android ID: A-221855295 | Guideline | ||
|
2022-09-13 20:15:08 | CVE-2021-0942 (lien direct) | The path in this case is a little bit convoluted. The end result is that via an ioctl an untrusted app can control the ui32PageIndex offset in the expression:sPA.uiAddr = page_to_phys(psOSPageArrayData->pagearray[ui32PageIndex]);With the current PoC this crashes as an OOB read. However, given that the OOB read value is ending up as the address field of a struct I think i seems plausible that this could lead to an OOB write if the attacker is able to cause the OOB read to pull an interesting kernel address. Regardless if this is a read or write, it is a High severity issue in the kernel.Product: AndroidVersions: Android SoCAndroid ID: A-238904312 | Guideline | ||
|
2022-09-13 20:15:08 | CVE-2021-0871 (lien direct) | In PVRSRVBridgePMRPDumpSymbolicAddr of the PowerVR kernel driver, a missing size check means there is a possible integer overflow that could allow out-of-bounds heap access. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android SoCAndroid ID: A-238921253 | Guideline | ||
|
2022-09-13 20:15:08 | CVE-2021-0697 (lien direct) | In PVRSRVRGXSubmitTransferKM of rgxtransfer.c, there is a possible user after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android SoCAndroid ID: A-238918403 | Guideline | ||
 |
2022-09-13 19:26:53 | Cyberattackers Abuse Facebook Ad Manager in Savvy Credential-Harvesting Campaign (lien direct) | Facebook lead-generation forms are being repurposed to collect passwords and credit card information from unsuspecting Facebook advertisers. | Guideline | ||
|
2022-09-13 19:15:13 | CVE-2022-39205 (lien direct) | Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. In versions of Onedev prior to 7.3.0 unauthenticated users can take over a OneDev instance if there is no properly configured reverse proxy. The /git-prereceive-callback endpoint is used by the pre-receive git hook on the server to check for branch protections during a push event. It is only intended to be accessed from localhost, but the check relies on the X-Forwarded-For header. Invoking this endpoint leads to the execution of one of various git commands. The environment variables of this command execution can be controlled via query parameters. This allows attackers to write to arbitrary files, which can in turn lead to the execution of arbitrary code. Such an attack would be very hard to detect, which increases the potential impact even more. Users are advised to upgrade. There are no known workarounds for this issue. | Guideline | ||
|
2022-09-13 19:15:13 | CVE-2022-39207 (lien direct) | Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. During CI/CD builds, it is possible to save build artifacts for later retrieval. They can be accessed through OneDev's web UI after the successful run of a build. These artifact files are served by the webserver in the same context as the UI without any further restrictions. This leads to Cross-Site Scripting (XSS) when a user creates a build artifact that contains HTML. When accessing the artifact, the content is rendered by the browser, including any JavaScript that it contains. Since all cookies (except for the rememberMe one) do not set the HttpOnly flag, an attacker could steal the session of a victim and use it to impersonate them. To exploit this issue, attackers need to be able to modify the content of artifacts, which usually means they need to be able to modify a project's build spec. The exploitation requires the victim to click on an attacker's link. It can be used to elevate privileges by targeting admins of a OneDev instance. In the worst case, this can lead to arbitrary code execution on the server, because admins can create Server Shell Executors and use them to run any command on the server. This issue has been patched in version 7.3.0. Users are advised to upgrade. There are no known workarounds for this issue. | Guideline | ||
|
2022-09-13 18:15:14 | CVE-2022-36104 (lien direct) | TYPO3 is an open source PHP based web content management system released under the GNU GPL. In affected versions requesting invalid or non-existing resources via HTTP triggers the page error handler which again could retrieve content to be shown as an error message from another page. This leads to a scenario in which the application is calling itself recursively - amplifying the impact of the initial attack until the limits of the web server are exceeded. Users are advised to update to TYPO3 version 11.5.16 to resolve this issue. There are no known workarounds for this issue. | Guideline | ||
|
2022-09-13 16:15:09 | CVE-2022-39799 (lien direct) | An attacker with no prior authentication could craft and send malicious script to SAP GUI for HTML within Fiori Launchpad, resulting in reflected cross-site scripting attack. This could lead to stealing session information and impersonating the affected user. | Guideline | ||
|
2022-09-13 16:15:08 | CVE-2022-35292 (lien direct) | In SAP Business One application when a service is created, the executable path contains spaces and isn’t enclosed within quotes, leading to a vulnerability known as Unquoted Service Path which allows a user to gain SYSTEM privileges. If the service is exploited by adversaries, it can be used to gain privileged permissions on a system or network leading to high impact on Confidentiality, Integrity, and Availability. | Vulnerability Guideline | ★★★★ | |
|
2022-09-13 16:15:08 | CVE-2022-35295 (lien direct) | Under certain conditions, the application SAP BusinessObjects Business Intelligence Platform (Version Management System) - versions 420, 430, exposes sensitive information to an actor over the network with high privileges that is not explicitly authorized to have access to that information, leading to a high impact on Confidentiality. | Guideline | ||
|
2022-09-13 16:15:08 | CVE-2022-35294 (lien direct) | An attacker with basic business user privileges could craft and upload a malicious file to SAP NetWeaver Application Server ABAP, which is then downloaded and viewed by other users resulting in a stored Cross-Site-Scripting attack. This could lead to information disclosure including stealing authentication information and impersonating the affected user. | Guideline | ||
 |
2022-09-13 15:00:00 | Anomali Cyber Watch: Iran-Albanian Cyber Conflict, Ransomware Adopts Intermittent Encryption, DLL Side-Loading Provides Variety to PlugX Infections, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: China, Cyberespionage, Defense evasion, DDoS, Iran, Ransomware, PlugX, and Spearphishing. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Microsoft Investigates Iranian Attacks Against the Albanian Government
(published: September 8, 2022)
Microsoft researchers discovered that groups working under Iran’s Ministry of Intelligence and Security (MOIS, tracked as OilRig) attacked the government of Albania. The attackers started with initial intrusion in May 2021, proceeded with mailbox exfiltrations between October 2021 and January 2022, organized controlled leaks, and culminated on July 15, 2022, with disruptive ransomware and wiper attacks. This attack is probably a response to the June 2021 Predatory Sparrow’s anti-Iranian cyber operations promoting the Mujahedin-e Khalq (MEK), an Iranian dissident group largely based in Albania.
Analyst Comment: MOIS attack on Albania uses messaging and targeting similar to the previous MEK-associated attack on Iran. It tells us that Iran has chosen to engage in a form of direct and proportional retaliation as it sees it. Still, the attack and its attribution caused Albania to cut diplomatic ties with Iran and expel the country's embassy staff. Organizations should implement multifactor authentication (MFA) for mailbox access and remote connectivity. Anomali platform users advised to block known OilRig network indicators.
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Impair Defenses - T1562 | [MITRE ATT&CK] Indicator Removal on Host - T1070
Tags: OilRig, Helix Kitten, APT34, MOIS, Ministry of Intelligence and Security, Predatory Sparrow, Wiper, CVE-2021-26855, CVE-2019-0604, CVE-2022-28799, Government, Albania, target-country:AL, Iran, source-country:IR, DEV-0842, DEV-0861, DEV-0166, DEV-0133, Europium, APT, detection:Jason, detection:Mellona
BRONZE PRESIDENT Targets Government Officials
(published: September 8, 2022)
Secureworks researchers detected a new campaign by China-sponsored group Mustang Panda (Bronze President). In June and July 2022, the group used spearphishing to deliver the PlugX malware to government officials in Europe, the Middle East, and South America. To bypass mail-scanning antiviruses, the archived email attachment had malware embedded eight levels deep in a sequence of hidden folders named with special characters.
Analyst Comment: Many advanced attacks start with basic techniques such as unwarranted email with malicious attachment that requires the user to open it and enable macros. It is important to teach your users basic online hygiene and phishing awareness.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | |
Ransomware Malware Tool Vulnerability Threat Guideline | APT 27 APT 34 | |
|
2022-09-13 14:15:08 | CVE-2022-2990 (lien direct) | An incorrect handling of the supplementary groups in the Buildah container engine might lead to the sensitive information disclosure or possible data modification if an attacker has direct access to the affected container where supplementary groups are used to set access permissions and is able to execute a binary code in that container. | Guideline | ||
|
2022-09-13 14:15:08 | CVE-2022-2989 (lien direct) | An incorrect handling of the supplementary groups in the Podman container engine might lead to the sensitive information disclosure or possible data modification if an attacker has direct access to the affected container where supplementary groups are used to set access permissions and is able to execute a binary code in that container. | Guideline | ||
 |
2022-09-13 12:59:14 | Use-after-freedom: MiraclePtr (lien direct) | Posted by Adrian Taylor, Bartek Nowierski and Kentaro Hara on behalf of the MiraclePtr team Memory safety bugs are the most numerous category of Chrome security issues and we're continuing to investigate many solutions – both in C++ and in new programming languages. The most common type of memory safety bug is the “use-after-free”. We recently posted about an exciting series of technologies designed to prevent these. Those technologies (collectively, *Scan, pronounced “star scan”) are very powerful but likely require hardware support for sufficient performance. Today we're going to talk about a different approach to solving the same type of bugs. It's hard, if not impossible, to avoid use-after-frees in a non-trivial codebase. It's rarely a mistake by a single programmer. Instead, one programmer makes reasonable assumptions about how a bit of code will work, then a later change invalidates those assumptions. Suddenly, the data isn't valid as long as the original programmer expected, and an exploitable bug results. These bugs have real consequences. For example, according to Google Threat Analysis Group, a use-after-free in the ChromeHTML engine was exploited this year by North Korea. Half of the known exploitable bugs in Chrome are use-after-frees:  Diving Deeper: Not All Use-After-Free Bugs Are Equal Chrome has a multi-process architecture, partly to ensure that web content is isolated into a sandboxed “renderer” process where little harm can occur. An attacker therefore usually needs to find and exploit two vulnerabilities - one to achieve code execution in the renderer process, and another bug to break out of the sandbox. The first stage is often the easier one. The attacker has lots of influence in the renderer process. It's easy to arrange memory in a specific way, and the renderer process acts upon many different kinds of web content, giving a large “attack surface” that could potentially be exploited. The second stage, escaping the renderer sandbox, is trickier. Attackers have two options how to do this: They can exploit a bug in the underlying operating system (OS) through the limited interfaces available inside Chrome's sandbox. Or, they can exploit a bug in a more powerful, privileged part of Chrome - like the “browser” process. This process coordinates all the other bits of Chrome, so fundamentally has to be all-powerful. We imagine the attackers squeezing through the narrow part of a funnel: |
Vulnerability Threat Guideline | ||
 |
2022-09-13 00:00:00 | Pros and Cons of 5G (lien direct) | As private 5G networks continue to roll-out, CISOs and security leaders need to fully aware of the security implications to minimize cyber risk. Explore pros and cons as well as security tips for implementing private 5G. | Guideline | ||
|
2022-09-12 19:15:08 | CVE-2022-1700 (lien direct) | Improper Restriction of XML External Entity Reference ('XXE') vulnerability in the Policy Engine of Forcepoint Data Loss Prevention (DLP), which is also leveraged by Forcepoint One Endpoint (F1E), Web Security Content Gateway, Email Security with DLP enabled, and Cloud Security Gateway prior to June 20, 2022. The XML parser in the Policy Engine was found to be improperly configured to support external entities and external DTD (Document Type Definitions), which can lead to an XXE attack. This issue affects: Forcepoint Data Loss Prevention (DLP) versions prior to 8.8.2. Forcepoint One Endpoint (F1E) with Policy Engine versions prior to 8.8.2. Forcepoint Web Security Content Gateway versions prior to 8.5.5. Forcepoint Email Security with DLP enabled versions prior to 8.5.5. Forcepoint Cloud Security Gateway prior to June 20, 2022. | Vulnerability Guideline | ||
|
2022-09-12 15:15:08 | CVE-2022-37797 (lien direct) | In lighttpd 1.4.65, mod_wstunnel does not initialize a handler function pointer if an invalid HTTP request (websocket handshake) is received. It leads to null pointer dereference which crashes the server. It could be used by an external attacker to cause denial of service condition. | Guideline | ||
 |
2022-09-12 10:00:00 | How to unite security and compliance in 5 simple ways (lien direct) | This blog was written by an independent guest blogger. We have entered the era of data compliance laws, but regulations have not quite caught up to the level of risk that most organizations are exposed to. Uniting security and compliance is crucial to maintaining regulation standards and ensuring a secure environment for your business. Digital transformation and the rollout of new digital tools are moving faster than the speed of litigation. For example, many industries are utilizing connected IoT tools that significantly increase attack vectors. But compliance laws do not have adequate standards to protect them from a growing IoT. Even with compliance laws in place, Gartner predicts that nearly half of all organizations worldwide will experience a supply chain attack by 2025. These findings represent a threefold increase in attacks, despite growing data regulations. Cybersecurity has never been more important than it is now. There are innumerable attack vectors that hackers take advantage of, and with the Covid-19 pandemic having pushed so many people online, more targets are available, too. Today, everyone is at risk. How can organizations unite security and compliance more effectively? Here are 5 ways to improve your security posture and maintain compliance at the same time. Focus on data protection There are steps that individual users should take to ensure their data security, like using two-factor authentication for mobile apps and implementing a VPN when working from home. And considering that financial scams cost consumers $5.8 billion in 2021 (with $1 billion lost in crypto), encrypting data is becoming more important too. This is why users should definitely encrypt their smartphones and desktop devices if they hold sensitive information such as banking details and also really on encrypted crypto wallet addresses for securely storing their crypto assets. But companies shouldn’t rely on their customers to take security measures. Organizations need to focus on securing their perimeters and building a plan to protect data in case of an incident. A cybersecurity plan is especially important for industries like manufacturing, where 71% of leaders are concerned about the data impacts of a growing IoT. Companies use connected devices like sensors, tablets, and other industry-specific tools to improve operations and increase productivity. But this has serious data security implications that must be addressed. From a data protection perspective, the best measure that companies can take is to avoid processing and storing data that isn’t necessary. If regulated data like personal or financial information is necessary to complete certain tasks, companies need to use the best encryption they can find. Make friends with compliance auditors Security and compliance are growing issues, both separately and together. Many industries require heightened levels of compliance and regulation like healthcare, finance, and manufacturing. Like everyone else, companies in these industries are also taking advantage of new tools and technology to make their services more convenient for customers and workers. Third-party apps like insurance | Vulnerability Guideline | ||
 |
2022-09-12 09:56:30 | Common Criteria Certification: What Is It, and What Does It Mean for Tripwire Enterprise? (lien direct) | >Common Criteria for Information Technology Security Evaluation (CC) is an international agreement that provides a set of standards, testing processes, and documentation standards that is widely recognized as the leading standard for defined software security standards. The Canadian Centre for Cyber Security performs evaluations on common IT products and releases a report called “Common Criteria […]… Read More | Guideline | ||
|
2022-09-09 22:15:08 | CVE-2022-38266 (lien direct) | An issue in the Leptonica linked library (v1.79.0) in Tesseract v5.0.0 allows attackers to cause an arithmetic exception leading to a Denial of Service (DoS) via a crafted JPEG file. | Guideline | ||
|
2022-09-09 20:15:11 | CVE-2022-36110 (lien direct) | Netmaker makes networks with WireGuard. Prior to version 0.15.1, Improper Authorization functions lead to non-privileged users running privileged API calls. If someone adds users to the Netmaker platform who do not have admin privileges, they can use their auth tokens to run admin-level functions via the API. This problem has been patched in v0.15.1. | Guideline | ||
 |
2022-09-09 16:09:44 | $30 Million worth of cryptocurrency stolen by Lazarus from Axie Infinity was recovered (lien direct) | >US authorities recovered more than $30 million worth of cryptocurrency stolen by the North Korea-linked Lazarus APT from Axie Infinity. A joint operation conducted by enforcement and leading organizations in the cryptocurrency industry allowed to recover more than $30 million worth of cryptocurrency stolen by North Korean-linked APT group Lazarus from online video game Axie […] | Guideline | APT 38 | |
|
2022-09-09 15:15:14 | CVE-2022-39119 (lien direct) | In network service, there is a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed | Guideline | ||
|
2022-09-09 15:15:10 | CVE-2022-36423 (lien direct) | OpenHarmony-v3.1.2 and prior versions have an incorrect configuration of the cJSON library, which leads a Stack overflow vulnerability during recursive parsing. LAN attackers can lead a DoS attack to all network devices. | Vulnerability Guideline | ||
 |
2022-09-09 07:47:46 | Les 4 pires scénarios pour un site e-commerce - et comment les éviter (lien direct) | Quand on sait que 90 % des boutiques en ligne échouent, cela fait un peu froid dans le dos. Tous les commerçants en ligne rencontrent des difficultés et seuls ceux qui abordent les problèmes avec créativité survivent. Le monde de l'e-commerce est sans pitié. Imaginons le scénario suivant : une boutique en ligne autrefois prospère est aujourd'hui sur la pente descendante. Le trafic est en berne, les leads difficiles à trouver et, quoi que son propriétaire fasse, rien ne va plus. Heureusement, d'autres (...) - Points de Vue | Guideline | ||
|
2022-09-08 22:15:08 | CVE-2022-40280 (lien direct) | An issue was discovered in Samsung TizenRT through 3.0_GBM (and 3.1_PRE). createDB in security/provisioning/src/provisioningdatabasemanager.c has a missing sqlite3_close after sqlite3_open_v2, leading to a denial of service. | Guideline | ||
|
2022-09-08 22:15:08 | CVE-2022-40281 (lien direct) | An issue was discovered in Samsung TizenRT through 3.0_GBM (and 3.1_PRE). cyassl_connect_step2 in curl/vtls/cyassl.c has a missing X509_free after SSL_get_peer_certificate, leading to information disclosure. | Guideline | ||
|
2022-09-08 11:51:32 | Cybersécurité dans la santé : 20 % des centres de soins touchés ont vu la mortalité de leurs patients augmentée à la suite d\'une cyberattaque (lien direct) | Cybersécurité dans la santé : 20 % des centres de soins touchés ont vu la mortalité de leurs patients augmentée à la suite d'une cyberattaque. Proofpoint, société leader dans le domaine de la cybersécurité et de la conformité, publie aujourd'hui un nouveau rapport en partenariat avec le Ponemon Institute, l'un des principaux organismes de recherche en sécurité informatique. - Malwares | Guideline | ||
|
2022-09-07 23:15:14 | CVE-2022-36086 (lien direct) | linked_list_allocator is an allocator usable for no_std systems. Prior to version 0.10.2, the heap initialization methods were missing a minimum size check for the given heap size argument. This could lead to out-of-bound writes when a heap was initialized with a size smaller than `3 * size_of::` because of metadata write operations. This vulnerability impacts all the initialization functions on the `Heap` and `LockedHeap` types, including `Heap::new`, `Heap::init`, `Heap::init_from_slice`, and `LockedHeap::new`. It also affects multiple uses of the `Heap::extend` method. Version 0.10.2 contains a patch for the issue. As a workaround, ensure that the heap is only initialized with a size larger than `3 * size_of::` and that the `Heap::extend` method is only called with sizes larger than `2 * size_of::()`. Also, ensure that the total heap size is (and stays) a multiple of `2 * size_of::()`. | Vulnerability Guideline | ★★★★ | |
|
2022-09-07 20:15:13 | CVE-2022-3130 (lien direct) | A vulnerability classified as critical has been found in codeprojects Online Driving School. This affects an unknown part of the file /login.php. The manipulation of the argument username leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-207873 was assigned to this vulnerability. | Vulnerability Guideline | ||
|
2022-09-07 20:15:11 | CVE-2022-3129 (lien direct) | A vulnerability was found in codeprojects Online Driving School. It has been rated as critical. Affected by this issue is some unknown functionality of the file /registration.php. The manipulation leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-207872. | Vulnerability Guideline | ||
|
2022-09-07 19:15:08 | CVE-2022-36069 (lien direct) | Poetry is a dependency manager for Python. When handling dependencies that come from a Git repository instead of a registry, Poetry uses various commands, such as `git clone`. These commands are constructed using user input (e.g. the repository URL). When building the commands, Poetry correctly avoids Command Injection vulnerabilities by passing an array of arguments instead of a command string. However, there is the possibility that a user input starts with a dash (`-`) and is therefore treated as an optional argument instead of a positional one. This can lead to Code Execution because some of the commands have options that can be leveraged to run arbitrary executables. If a developer is exploited, the attacker could steal credentials or persist their access. If the exploit happens on a server, the attackers could use their access to attack other internal systems. Since this vulnerability requires a fair amount of user interaction, it is not as dangerous as a remotely exploitable one. However, it still puts developers at risk when dealing with untrusted files in a way they think is safe, because the exploit still works when the victim tries to make sure nothing can happen, e.g. by vetting any Git or Poetry config files that might be present in the directory. Versions 1.1.9 and 1.2.0b1 contain patches for this issue. | Vulnerability Guideline | ||
|
2022-09-07 19:15:08 | CVE-2022-36070 (lien direct) | Poetry is a dependency manager for Python. To handle dependencies that come from a Git repository, Poetry executes various commands, e.g. `git config`. These commands are being executed using the executable’s name and not its absolute path. This can lead to the execution of untrusted code due to the way Windows resolves executable names to paths. Unlike Linux-based operating systems, Windows searches for the executable in the current directory first and looks in the paths that are defined in the `PATH` environment variable afterward. This vulnerability can lead to Arbitrary Code Execution, which would lead to the takeover of the system. If a developer is exploited, the attacker could steal credentials or persist their access. If the exploit happens on a server, the attackers could use their access to attack other internal systems. Since this vulnerability requires a fair amount of user interaction, it is not as dangerous as a remotely exploitable one. However, it still puts developers at risk when dealing with untrusted files in a way they think is safe. The victim could also not protect themself by vetting any Git or Poetry config files that might be present in the directory, because the behavior is undocumented. Versions 1.1.9 and 1.2.0b1 contain patches for this issue. | Vulnerability Guideline | ||
|
2022-09-07 15:42:52 | Scaleway nomme Tristan Nitot au poste de " responsable du développement durable " (lien direct) | Scaleway, the cloud of choice, fournisseur d'infrastructures numériques conçues pour répondre aux besoins des startups et des organisations publiques et privées, annonce la nomination de Tristan Nitot au poste de " responsable du développement durable " (Sustainability Lead). - Business | Guideline | ||
|
2022-09-07 15:00:00 | Anomali Cyber Watch: EvilProxy Defeats Second Factor, Ragnar Locker Ransomware Hits Critical Infrastructure, Montenegro Blames Russia for Massive Cyberattack, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Critical infrastructure, Crypto mining, Delayed execution, Phishing, Ransomware, Reverse proxy, Russia, and Steganography. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
EvilProxy Phishing-As-A-Service With MFA Bypass Emerged In Dark Web
(published: September 5, 2022)
Resecurity researchers analyzed EvilProxy, a phishing kit that uses reverse proxy and cookie injection methods to bypass two-factor authentication (2FA). EvilProxy uses extensive virtual machine checks and browser fingerprinting. If the victim passes the checks, Evilproxy acts as a proxy between the victim and the legitimate site that asks for credentials. EvilProxy is being sold as a service on the dark web. Since early May 2022, Evilproxy enables phishing attacks against customer accounts of major brands such as Apple, Facebook, GoDaddy, GitHub, Google, Dropbox, Instagram, Microsoft, Twitter, Yahoo, Yandex, and others.
Analyst Comment: EvilProxy is a dangerous automation tool that enables more phishing attacks. Additionally, EvilProxy targeting GitHub and npmjs accounts increases risks of follow-up supply-chain attacks. Anomali platform has historic EvilProxy network indicators that can help when investigating incidents affecting 2FA. With 2FA bypass, users need to be aware of phishing risks and pay even more attention to domains that ask for their credentials and 2FA codes.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Proxy - T1090 | [MITRE ATT&CK] Supply Chain Compromise - T1195
Tags: EvilProxy, Phishing, Phishing-as-s-service, Reverse proxy, Cookie injection, 2FA, MFA, Supply chain
Ragnar Locker Ransomware Targeting the Energy Sector
(published: September 1, 2022)
Cybereason researchers investigated the Ragnar Locker ransomware that was involved in cyberattack on DESFA, a Greek pipeline company. On August 19, 2022, the Ragnar Locker group listed DESFA on its data leak site. The group has been active since 2019 and it is not the first time it targets critical infrastructure companies with the double-extortion scheme. Their Ragnar Locker ransomware shows the typical abilities of modern ransomware including system information and location collection, deleting shadow copies, identifying processes (antiviruses, backup solutions, IT remote management solutions, and virtual-based software), and encrypting the system with the exception list in mind.
Analyst Comment: Ragnar Locker appears to be an aggressive ransomware group that is not shy attacking critical infrastructure as far as they are not in the Commonwealth of Independent States (Russia and associated countries). Always be on high alert while reading emails, in particular those with attachments, URL redirection, false sense of urgency or poor grammar. Use anti-spam and antivirus protection, and avoid opening email from untrusted or unverified senders. Additionally, it is important to have a comprehensive and teste |
Ransomware Malware Tool Threat Patching Guideline | Yahoo | |
|
2022-09-07 14:15:08 | CVE-2022-31166 (lien direct) | XWiki Platform Old Core is a core package for XWiki Platform, a generic wiki platform. Starting in versions 11.3.7, 11.0.3, and 12.0RC1, it is possible to exploit a bug in XWikiRights resolution of groups to obtain privilege escalation. More specifically, editing a right with the object editor leads to adding a supplementary empty value to groups which is then resolved as a reference to XWiki.WebHome page. Adding an XWikiGroup xobject to that page then transforms it to a group, any user put in that group would then obtain the privileges related to the edited right. Note that this security issue is normally mitigated by the fact that XWiki.WebHome (and XWiki space in general) should be protected by default for edit rights. The problem has been patched in XWiki 13.10.4 and 14.2RC1 to not consider anymore empty values in XWikiRights. It's possible to work around the problem by setting appropriate rights on XWiki.WebHome page to prevent users to edit it. | Guideline | ||
|
2022-09-07 13:15:09 | CVE-2022-37189 (lien direct) | DDMAL MEI2Volpiano 0.8.2 is vulnerable to XML External Entity (XXE), leading to a Denial of Service. This occurs due to the usage of the unsafe 'xml.etree' library to parse untrusted XML input. | Guideline | ||
 |
2022-09-07 10:00:00 | The Cost of a Data Breach for Government Agencies (lien direct) | >What happens when attackers breach local government, police departments or public health services? What would happen if attackers compromised the U.S. Treasury’s network? These types of incidents happen every month and lead to service interruptions at the very least. More serious problems could occur, such as leakage of classified data or damage to critical infrastructure. […] | Data Breach Guideline |
To see everything:
