Unprotected Private Key Allows Remote Hacking of PLCs

Industrial organizations were warned this week that a critical authentication bypass vulnerability could let attackers remotely compromise programmable logic controllers (PLCs) made by industrial automation giant Rockwell Automation and marketed under the Logix brand. These devices, which range from the size of a small toaster to a large bread box or bigger, control equipment and processes on assembly lines and in other manufacturing environments. Engineers program the PLCs using Rockwell software called Studio 5000 Logix Designer.

The vulnerability requires a low skill level to exploit, CISA said. Tracked as CVE-2021-22681, it stems from the Studio 5000 Logix Designer software making it possible for attackers to extract a secret encryption key. This key is hard-coded into both Logix controllers and engineering stations and is used to authenticate communication between the two. An attacker who obtained the key could impersonate an engineering workstation and manipulate PLC code or configurations that directly affect a manufacturing process.

“Any affected Rockwell Logix controller that is exposed on the Internet is potentially vulnerable and exploitable,” said Sharon Brizinov, principal vulnerability researcher at Claroty, one of three organizations Rockwell credited with independently discovering the flaw. “To successfully exploit this vulnerability, an attacker must first obtain the secret key and have the knowledge of the cryptographic algorithm being used in the authentication process.” 

Rockwell isn't issuing a patch that directly addresses the problems stemming from the hard-coded key. Instead, the company recommends that PLC users follow specific risk mitigation steps. These include putting the controller mode switch into Run and, where that is impractical, following other recommendations specific to each PLC model.

Those steps are laid out in an advisory Rockwell is making available to customers, as well as in the CISA advisory. Rockwell and CISA also recommend that PLC users follow standard defense-in-depth security advice. Chief among the recommendations is ensuring that control system devices are not reachable from the Internet. If Logix PLC users are segmenting industrial control networks and following other recommended practices, the risk posed by CVE-2021-22681 is most likely negligible. And if organizations haven't implemented these practices, attackers probably have easier ways to hijack the devices.

Google Reveals Details of a Recently Patched Windows Flaw

Google's Project Zero team disclosed the details of a recently fixed Windows flaw, tracked as CVE-2021-24093, that can be exploited for remote code execution in the context of the DirectWrite client. Dominik Rottsches of Google and Mateusz Jurczyk of Google Project Zero discovered the flaw and reported it to Microsoft in November; the bug report was made public this week.

The vulnerability was fixed with the February 2021 Patch Tuesday updates. Jurczyk and Rottsches described CVE-2021-24093 as a DirectWrite heap-based buffer overflow triggered while processing a specially crafted TrueType font. An attacker can trigger a memory corruption condition that can be exploited to execute arbitrary code in the context of the DirectWrite client. DirectWrite is a Windows API that supports measuring, drawing, and hit-testing of multi-format text.

The vulnerability affects the Windows graphics components and can be exploited by luring the victim to a website hosting a specially crafted file set up to trigger the flaw. It received a CVSS score of 8.8, but Microsoft rated it 'critical' for all affected operating systems, a list that includes Windows 10, Windows Server 2016 and 2019, and Windows Server.

Google published the report reading, “we have discovered a crash in the DWrite!fsg_ExecuteGlyph function when loading and rasterizing a malformed TrueType font with a corrupted “maxp” table. Specifically, it was triggered after changing the value of the maxPoints field from 168 to 0, and the maxCompositePoints value from 2352 to 3 in our test font. We believe that this causes an inadequately small buffer to be allocated from the heap.” 

The researchers then tested their exploit on a fully patched Windows 10 in all major browsers and released a proof-of-concept (PoC) exploit.
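As an added example (not code from Google's report or this post), the Python below performs the sanity check the quoted crash description implies: it parses a TrueType font's table directory, reads the 'maxp' limits, walks 'loca' and 'glyf' counting the points each glyph really has (resolving composite glyphs), and flags any glyph whose point count exceeds the declared maxPoints or maxCompositePoints, so a font tampered with in the way described is rejected before anything allocates buffers from those fields. The two sample fonts are constructed inline; the table layouts and composite flag values follow the public TrueType specification, and the helper names are my own.

```python
"""Cross-check a TrueType font's 'maxp' limits against the glyphs actually in 'glyf'."""
import struct

# maxp version 1.0: a 32-bit version followed by 14 uint16 limits (32 bytes total).
MAXP_V1 = struct.Struct(">IHHHHHHHHHHHHHH")
MAXP_NAMES = ("version", "numGlyphs", "maxPoints", "maxContours",
              "maxCompositePoints", "maxCompositeContours", "maxZones",
              "maxTwilightPoints", "maxStorage", "maxFunctionDefs",
              "maxInstructionDefs", "maxStackElements",
              "maxSizeOfInstructions", "maxComponentElements", "maxComponentDepth")

def parse_tables(font: bytes) -> dict:
    """Return {tag: table bytes} from the sfnt table directory, bounds-checked."""
    num_tables = struct.unpack_from(">H", font, 4)[0]
    tables = {}
    for i in range(num_tables):
        tag, _csum, off, length = struct.unpack_from(">4sIII", font, 12 + 16 * i)
        if off + length > len(font):
            raise ValueError(f"table {tag!r} runs past end of file")
        tables[tag.decode("latin-1")] = font[off:off + length]
    return tables

def glyph_offsets(tables: dict) -> list:
    """Decode 'loca' into byte offsets into 'glyf' (head.indexToLocFormat selects short/long)."""
    long_format = struct.unpack_from(">h", tables["head"], 50)[0] == 1
    loca = tables["loca"]
    if long_format:
        return list(struct.unpack(f">{len(loca) // 4}I", loca[:len(loca) // 4 * 4]))
    return [2 * v for v in struct.unpack(f">{len(loca) // 2}H", loca[:len(loca) // 2 * 2])]

def glyph_points(glyf: bytes, offsets: list, gid: int, depth: int = 0) -> tuple:
    """Return (points, is_composite) for glyph gid, resolving composite components."""
    start, end = offsets[gid], offsets[gid + 1]
    if end <= start:
        return 0, False                          # empty glyph (e.g. space)
    data = glyf[start:end]
    n_contours = struct.unpack_from(">h", data, 0)[0]
    if n_contours >= 0:                          # simple glyph: last endPtsOfContours + 1
        ends = struct.unpack_from(f">{n_contours}H", data, 10)
        return (ends[-1] + 1 if ends else 0), False
    if depth > 16:
        raise ValueError("composite nesting too deep")
    points, pos = 0, 10
    while True:                                  # composite glyph: walk the component records
        flags, component = struct.unpack_from(">HH", data, pos)
        pos += 4 + (4 if flags & 0x0001 else 2)  # ARG_1_AND_2_ARE_WORDS
        # WE_HAVE_A_SCALE / WE_HAVE_AN_X_AND_Y_SCALE / WE_HAVE_A_TWO_BY_TWO
        pos += {0x0008: 2, 0x0040: 4, 0x0080: 8}.get(flags & 0x00C8, 0)
        points += glyph_points(glyf, offsets, component, depth + 1)[0]
        if not flags & 0x0020:                   # MORE_COMPONENTS
            return points, True

def check_maxp(font: bytes) -> list:
    """Return findings (an empty list means 'maxp' agrees with 'glyf')."""
    tables = parse_tables(font)
    maxp = dict(zip(MAXP_NAMES, MAXP_V1.unpack_from(tables["maxp"], 0)))
    offsets = glyph_offsets(tables)
    findings = []
    for gid in range(min(maxp["numGlyphs"], len(offsets) - 1)):
        pts, composite = glyph_points(tables["glyf"], offsets, gid)
        limit = maxp["maxCompositePoints" if composite else "maxPoints"]
        if pts > limit:
            findings.append(f"glyph {gid}: {pts} points exceed maxp limit {limit}")
    return findings

def build_font(tables: dict) -> bytes:
    """Assemble a minimal sfnt container (checksums left zero; irrelevant for this check)."""
    tags = sorted(tables)
    directory = bytearray(struct.pack(">IHHHH", 0x00010000, len(tags), 0, 0, 0))
    body, base = bytearray(), 12 + 16 * len(tags)
    for tag in tags:
        data = tables[tag]
        directory += struct.pack(">4sIII", tag.encode(), 0, base + len(body), len(data))
        body += data + b"\0" * (-len(data) % 4)  # keep tables 4-byte aligned
    return bytes(directory + body)

# Constructed sample glyphs: glyph 0 is a 4-point, 1-contour simple glyph;
# glyph 1 is a composite built from two copies of glyph 0 (8 points).
SIMPLE_GLYPH = struct.pack(">hhhhhHH", 1, 0, 0, 100, 100, 3, 0) + b"\x31" * 4
COMPOSITE_GLYPH = (struct.pack(">hhhhh", -1, 0, 0, 200, 100)
                   + struct.pack(">HHbb", 0x0022, 0, 0, 0)    # MORE_COMPONENTS | ARGS_ARE_XY_VALUES
                   + struct.pack(">HHbb", 0x0002, 0, 100, 0))
GLYF = SIMPLE_GLYPH + COMPOSITE_GLYPH
LOCA = struct.pack(">HHH", 0, len(SIMPLE_GLYPH) // 2, len(GLYF) // 2)  # short format: offset / 2
HEAD = bytearray(54)
struct.pack_into(">I", HEAD, 12, 0x5F0F3CF5)  # magicNumber; indexToLocFormat (offset 50) stays 0

def make_maxp(max_points: int, max_composite_points: int) -> bytes:
    return MAXP_V1.pack(0x00010000, 2, max_points, 1, max_composite_points, 2,
                        1, 0, 0, 0, 0, 0, 0, 2, 1)

SANE_FONT = build_font({"head": bytes(HEAD), "maxp": make_maxp(4, 8), "loca": LOCA, "glyf": GLYF})
# Mirrors the report's tampering (maxPoints -> 0, maxCompositePoints -> 3) on our tiny font.
BAD_FONT = build_font({"head": bytes(HEAD), "maxp": make_maxp(0, 3), "loca": LOCA, "glyf": GLYF})

if __name__ == "__main__":
    print("sane:", check_maxp(SANE_FONT) or "consistent", "| bad:", check_maxp(BAD_FONT))
```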

Darknet Markets are Scrambling to Attract Joker’s Stash Clients

The administrator behind Joker's Stash claims to have formally shut down the operation on 15 February. Meanwhile, criminal gangs selling stolen payment cards have stepped up their promotional efforts. Among the darknet marketplaces vying for former Joker's Stash customers are Brian's Club, Vclub, Yale Lodge, and UniCC, Kela says. Joker's Stash customers were likely already looking for a new marketplace, says threat research firm Digital Shadows, because of the site's declining customer service and the disruption of its service by law enforcement in December 2020.

Brian's Club has gone the extra mile with its marketing, Kela says. For instance, it has replaced Joker's Stash as the official sponsor of the popular underground forum Omerta, which focuses on payment card trading. "With the heavy marketing and advertising that Brian's Club has been investing in, it seems that the long-time attempts of marketing to credit card traders may be finally paying off now that Joker's Stash is out of the picture," says Victoria Kivilevich, a threat intelligence analyst with Kela.

Kela and Flashpoint also say that Yale Lodge could emerge as a dominant market for stolen card data, since it operates both a Tor and a clear-web card shop and has a self-hosted checking service that lets buyers verify whether the card data they are purchasing is valid. Kivilevich points out, however, that Yale Lodge charges a $150 registration fee and a minimum deposit of $200, which is 10 times higher than what Joker's Stash required.

Flashpoint says the operators of the Ferum market also have a wealth of experience and offer easy access, but the site has less card data for sale than others. Meanwhile, Trump's Dumps, a newer operation, has expanded its advertising, Flashpoint reports; it offers a range of services, including a self-hosted checking service. Kivilevich says she has seen Vclub members trying to recruit Joker's Stash customers on darknet forums, but Kela's research has found numerous complaints about the quality of the cards available on Vclub.

“Cybercriminals buy cards and dump not only in specialized shops but also on forums, via instant messaging channels, and behind closed doors in private deals," Kivilevich says.

Trend Micro Detects Vulnerabilities in The SHAREit Program

Trend Micro has found several vulnerabilities in the SHAREit app. The bugs can be exploited to extract sensitive data from users and, via malicious code or apps, to run arbitrary code with SHAREit's permissions; they can also lead to remote code execution (RCE). In the past, the app has been associated with bugs that were used to download and abuse users' files. While the app allows file types such as Android Packages (APKs) to be uploaded and updated, there are most definitely unintended, overlooked bugs associated with these functions.

SHAREit is one of the best-known apps in the Google Play Store. Users can download files and share them with others using the app. SHAREit was also one of 60 Chinese apps banned in India late last year. Notably, the Android app has been downloaded more than one billion times.

The vulnerabilities can be used to execute malicious code in the SHAREit app on smartphones. The root cause of the security deficiencies is the lack of appropriate restrictions on who can access the app's code.

Echo Duan, a mobile threats analyst at security firm Trend Micro, reported that malicious apps installed on a device, or attackers carrying out an attack on the same network, could send malicious commands to the SHAREit app and hijack its legitimate code-execution functionality, overwrite local files in the app, or install third-party apps without the user's knowledge.

The app is also susceptible to so-called Man-in-the-Disk attacks, a class of vulnerability first identified by Check Point in 2018 that stems from insecure storage of app assets in the area of the phone's storage shared with other apps [where attackers can delete, edit, or replace them].

"We reported these vulnerabilities to the vendor, who has not responded yet," Duan said today. "We decided to disclose our research three months after reporting this since many users might be affected by this attack because the attacker can steal sensitive data," he added. From a defender's point of view, he said, it will also be impossible to track such attacks.

On their website, SHAREit's developers say that 1.8 billion people in over 200 countries use their software. The iOS app is not affected and runs on a separate codebase. Although the app's Play Store listing was last updated on February 9, 2021, no fix for the disclosed vulnerabilities is listed in the update's changelog. At the time of publication, the app is still available for download.

Security should be a top priority for software makers, businesses, and consumers alike. Trend Micro recommends that device operating systems and the apps themselves be updated and patched regularly for secure mobile app use.

Palo Alto Next Generation Firewall Detected With Four Vulnerabilities

Security researchers recently disclosed details of a series of bugs in Palo Alto Networks firewall software that the vendor addressed last September. The four vulnerabilities were found by Positive Technologies researchers in the Palo Alto PAN-OS operating system. Palo Alto Networks' next-generation firewall (NGFW) is a leading corporate firewall used worldwide to protect businesses from a wide range of cyber threats; it runs the company's own PAN-OS operating system.

Palo Alto Networks, Inc. is an American multinational cybersecurity company based in Santa Clara, California. Its core offerings are a platform of integrated firewalls and cloud-based services that extend those firewalls into other security domains.

The vulnerabilities could lead to arbitrary OS command execution by an authorized user (CVE-2020-2037 and CVE-2020-2038), denial of service by an unauthorized user (CVE-2020-2039), and reflected cross-site scripting (XSS) (CVE-2020-2036). CVE-2020-2037 was caused by the absence of user input filtering. It could have led to remote code execution (RCE), but because it was limited to pre-authorized users the overall risk was reduced. These vulnerabilities allow an attacker to gain access to sensitive information, to disrupt the availability of firewall components, or to access internal network segments. A black-box examination of the firewall's web management interface found that the first vulnerability was caused by a lack of user input filtering: PHP scripts handle user requests and pass all the data to a service listening on a local port, which processes the data and returns the results to the web application client.

“Using these vulnerabilities, an attacker can gain access to sensitive data, disrupt the availability of firewall components or gain access to internal network segments,” the researchers stated.

A different vulnerability lets unauthenticated users carry out denial-of-service (DoS) attacks. The firewall has an embedded Nginx web server, and the bug causes multiple files to be uploaded to this server in such a way that no disk space is left. Without free disk space, the Palo Alto Networks NGFW web management panel is no longer available. This is effectively a denial of service, since the system as a whole cannot normally be used in this state.

“We tried to open the web management interface but could not log in,” the researchers explained. “Most likely, this happened because PHP failed to create a session file on disk, due to the lack of disk space available. As a result, we were able to conduct a DoS attack on Palo Alto NGFW components acting as an unauthenticated user.” 

The fourth vulnerability was a reflected XSS in the /unauth/php/change_password.php script, which uses the user-controlled vector $_SERVER['PHP_SELF'].

Although all four bugs are fixed, each affected different versions of PAN-OS, so the safest recommendation for sysadmins is to update to the current version of the supported product.

NIST NVD Report Shows Increase in Low-Complexity CVEs

Common Vulnerabilities and Exposures (CVEs) that are very easy to exploit appear to be growing faster as a proportion of the overall number of bugs reported, and according to a new report they are an increasing burden on cybersecurity teams.

Recently, Redscan, a managed detection and response and penetration testing provider, evaluated more than 18,000 CVEs filed in 2020 in the National Vulnerability Database (NVD) of the U.S. National Institute of Standards and Technology (NIST) and published a report, NIST Security Vulnerability Trends in 2020: An Analysis.

It shows that just over half (57%) are rated "high" or "critical", the highest figure recorded in any year to date. The report also discusses the increase in low-complexity vulnerabilities and the rise of vulnerabilities that require no user interaction, which means that even attackers with limited technical skills can take advantage of them. According to the research, this number has climbed since 2017, after declining dramatically between 2001 and 2014. These developments demonstrate the need for companies to improve their awareness of vulnerabilities exploited in the wild and to adopt a multi-layered approach to vulnerability management. In 2020, almost 4,000 vulnerabilities could be classified as the "worst of the worst", meeting the worst criteria for every type of NVD filter.

The research report says, “The prevalence of low complexity vulnerabilities in recent years means that sophisticated adversaries do not need to ‘burn’ their high complexity zero-days on their targets and have the luxury of saving them for future attacks instead.” 

“Low complexity vulnerabilities lend themselves to mass exploitation as the attacker does not need to consider any extenuating factors or issues with an attack path. This situation is worsened once exploit code reaches the public and lower-skilled attackers can simply run scripts to compromise devices.” 

Another vulnerability trend to be tackled: low-complexity CVEs, which accounted for 63 percent of the vulnerabilities found in 2020, are increasing. The large number of low-complexity vulnerabilities has become a growing challenge for security teams. Complexity is one of the most critical factors when evaluating vulnerability risk and the timeframe for in-the-wild exploitation. Low-complexity CVEs lend themselves to rapid mass exploitation because attackers do not have to consider extenuating circumstances or problems with an attack path.

Companies also need to improve their oversight of technology vendors. They must find out how their vendors test their custom code and how their products use third-party libraries.

“Vulnerabilities which require no interaction to exploit present a complex challenge for security teams, underscoring the need for defense-in-depth. This includes enhancing the visibility of attack behaviors once a compromise has occurred,” added George Glass, Head of Threat Intelligence at Redscan.

RiskSense Report Affirms Surge in Vulnerabilities Associated with Ransomware

In recent years, the threat from ransomware has grown enormously. Ransomware attacks have begun to target more web applications, open-source platforms, and systems as attackers look for more precise paths to organizations' biggest and most important data stores.

In 2019, a research report counted 57 vulnerabilities associated with ransomware; that figure quadrupled to 223 in 2020, while the number of ransomware families rose from 19 to 125. The vast majority of the flaws used in ransomware attacks, almost 96 percent, were publicly reported before 2019. Software-as-a-service (SaaS) apps emerged as a new ransomware target with the largest number of flaws with successful exploit patterns. Lastly, more than 15 operational families are offered as ransomware-as-a-service, allowing almost anyone to launch ransomware attacks without coding or security skills.

Approximately 40% of the 223 CVEs connected to recent ransomware attacks fall into five common weakness categories: permissions, privileges, and access controls; code injection; improper input validation; improper restriction of operations within the bounds of a memory buffer; and disclosure of sensitive information to unauthorized parties. The report published by RiskSense states that these overlaps "make it easy for ransomware families to predict new vulnerability disclosures with similar characteristics."

Srinivas Mukkamala, CEO and co-founder of RiskSense, said their analysis shows that both short-term factors, such as COVID-19 driving more companies onto the Internet, and longer-term advances in digital transformation and cloud adoption across the industry contribute to this expanded attack surface. These factors have combined to push many companies to roll out technology such as cloud applications, VPNs, and home networks with misconfigurations that are likely to be abused by malware groups.

Mukkamala further added that “All of [those trends] actually opened up the aperture and attack surface for ransomware to target and if you look at the vulnerabilities, you can clearly see that your SaaS has been targeted, your backup as a service has been targeted, your remote access services have been targeted and interestingly, we’re looking at your open-source libraries being targeted.” 

RiskSense also observes that state-sponsored advanced persistent threat groups are increasingly using many of the same vulnerabilities. These groups would certainly not drop ransomware payloads themselves, but they increasingly use the same security vulnerabilities and misconfigurations.

Organizations often lack the expertise or security staff to keep up, and RiskSense's research shows that several different weaknesses are abused in a typical attack chain, so relying on metrics such as Common Vulnerability Scoring System severity to prioritize the work can be folly. Some firms offer their own method, which they call patch intelligence, using data analysis to determine which current bugs are linked to exploits seen in the wild.

Ransomware defense “is becoming more like an analytics play, where you’ve got to collect all your data and start prioritizing based on the exploitability and [whether] it's active right now,” stated Mukkamala.

Nespresso Prepaid Vending Machines Hacked by a Belgian Researcher for Free Coffee

Polle Vanhoof, a Belgian cybersecurity researcher, discovered a flaw in the smart cards used by older Nespresso prepaid coffee machines and exploited it to obtain virtually unlimited free drinks.

Vanhoof reported the vulnerability in Nespresso coffee machine smart cards back in September 2020 and openly praised Nespresso's handling of the issue; now, with Nespresso's approval, he has published his write-up of the flaws in the payment system. Nespresso is unperturbed that other coffee vendors could use this vulnerability to their advantage, because the method only applies to the older payment cards that have a network connection.

Modus operandi of this hack

The Nespresso payment system runs on a 'stored-value wireless payment card', which is similar to but distinct from how a modern credit card works. Here wireless refers to a card that uses Near Field Communication (NFC); NFC is used by credit cards, modern door access cards, and nearly every passport issued in the past decade.

When someone holds an NFC card close to an NFC reader, the card powers up from the electromagnetic field emitted by the reader (which is connected to a power supply): the card's antenna, a metal coil, produces a current as it moves through the magnetic field. The energy stored in the powered-up card is used for a short wireless exchange of cryptographic data with the NFC reader. This means NFC cards do not need a battery, so they can be tiny, flat, light, and cheap.

Vanhoof disclosed that older Nespresso cards use the Mifare Classic NFC chip, whose cryptography is not strong enough, which makes the cards vulnerable. NFC cards require a delicate balance between low power consumption and cryptographic strength, and in the case of Mifare Classic that balance tilts in the attacker's favor. Mifare Classic uses a stripped-down 48-bit cipher called Crypto1 instead of a well-established and publicly documented algorithm such as AES-128.

SolarWinds CEO: “SolarWinds Orion Development Program was Exploited by the Hackers”

Sudhakar Ramakrishna, CEO of SolarWinds, confirmed that 'suspicious activity' was spotted in its Office 365 environment which allowed threat actors to gain access to and exploit the SolarWinds Orion development environment. The threat actors gained access to SolarWinds' environment via compromised credentials and a third-party application with a zero-day vulnerability.

The threat actors gained access to a SolarWinds email account and used it to programmatically access the accounts of targeted SolarWinds employees in business and technical roles. They used the compromised credentials of SolarWinds personnel as a doorway to gain access to and exploit the development environment for the SolarWinds Orion network monitoring platform. Microsoft first alerted SolarWinds to a breach of its Office 365 environment on December 13, the same day news of the data breach went public.

Ramakrishna wrote in a blog post that “we’ve confirmed that a SolarWinds email account was compromised and used to programmatically access accounts of targeted SolarWinds personnel in business and technical roles. By compromising credentials of SolarWinds employees, the threat actors were able to gain access to and exploit our Orion development environment.”

“While it’s widely understood any one company could not protect itself against a sustained and unprecedented nation-state attack of this kind, we see an opportunity to lead an industry-wide effort that makes SolarWinds a model for secure software environments, development processes, and products”, he further added.

SolarWinds' investigators have not identified a specific flaw in Office 365 that would have allowed the threat actors to enter the company's environment through Office 365. Ramakrishna believes the Russian foreign intelligence service played a significant role in the SolarWinds hack. SolarWinds is analyzing data from various systems and logs, including its Office 365 and Azure tenants.

Brandon Wales, acting director of the Cybersecurity and Infrastructure Security Agency, told The Wall Street Journal that SolarWinds had no direct link to the 30 percent of private-sector and government victims of the massive hacking campaign, but investigators have not identified another company whose products were widely compromised. SolarWinds' investigation will continue for at least another month because of the threat actors' meticulous efforts to remove evidence of their actions.

Security Researchers Received More Than $6.7 Million from Google as Bug Bounty Rewards

Security researchers from 62 countries were paid more than $6.7 million (nearly Rs. 49 crore) by Google for identifying vulnerabilities in Google products last year. Google has run its Vulnerability Reward Programs (VRPs) for ten years and has paid nearly $28 million to security researchers for finding vulnerabilities in Google products.

Google stated this week that “the incredibly hard work, dedication, and expertise of our researchers in 2020 resulted in a record-breaking payout of over $6.7 million in rewards, with an additional $280,000 given to charity. Following our increase in exploit payouts in November 2019, we received a record 13 working exploit submissions in 2020, representing over $1 million in exploit reward payouts”.

According to the company, Guang Gong (@oldfresher) and the team at the 360 Alpha Lab of Chinese cybersecurity firm Qihoo 360 discovered 30% of all Android vulnerabilities reported through the bug bounty program. The latest vulnerability found by this group is a 1-click remote root exploit in Android; Google said the team still holds the record for the highest Android payout ($161,337), received for a vulnerability reported in 2019.

Last year, the tech giant paid $50,000 to security researchers for finding flaws in the Android developer preview and introduced bounty programs for Android Auto OS, Android chipsets, and for writing fuzzers for Android code. In Google Play, Google expanded the criteria for qualifying Android apps to include apps that use the Exposure Notification API and perform contact tracing to fight Covid-19.

Apart from bounty rewards, over 180 security researchers received more than $400,000 from Google in the form of grants for submitting 200 bug reports that resulted in 100 confirmed vulnerabilities in Google products and the open-source ecosystem. Other notable tech firms with similar bug bounty programs include Facebook, OnePlus, Qualcomm, Mozilla, Microsoft, and Reddit.

Windows 7 Remains Vulnerable to Blind TCP/IP Hijacking Attacks

Security researcher Adam Zabrocki has warned Windows users that Windows 7 is susceptible to blind TCP/IP hijacking attacks. Zabrocki reported the vulnerability to Microsoft eight years ago.

Windows 7 was launched in 2009 and reached end of life a year ago, meaning users no longer receive security updates. In 2008, Zabrocki created a proof of concept of this venerable attack technique with Windows XP as the target. In 2012, a security researcher notified Microsoft about the same TCP/IP vulnerabilities that made the attack feasible on Windows 7 and all subsequent versions.

Microsoft only patched the bug in Windows 8 and considered it “very difficult” to exploit. Nearly one in four PCs still runs the old operating system and is potentially susceptible to this form of attack. In 1994, Kevin Mitnick carried out the most infamous blind TCP/IP hijacking attack against the computer systems of Tsutomu Shimomura at the San Diego Supercomputer Center on Christmas Day.

The impact of TCP/IP hijacking attacks is not as severe as it was some years ago. If a threat actor can hijack an established TCP/IP session but the upper-layer protocol properly implements encryption, the attacker's options for what they can do with it are limited, assuming the attacker is not able to generate valid encrypted messages.

However, one thing that persists is “widely deployed protocols which do not encrypt the traffic, e.g., FTP, SMTP, HTTP, DNS, IMAP, and more” that would allow a threat actor to “send any commands on behalf of the original client”, Zabrocki explained.

Zabrocki sent packets containing IP headers to the victim to discover how many packets were sent between each probe. This gave him a ‘covert channel’ through which he could uncover the client IP and port, and the sequence numbers for both client and server.

Node.js Vulnerability Encountered by Captain Freak

Node.js is a cross-platform, open-source, back-end JavaScript runtime environment that runs on Chrome's V8 engine and executes JavaScript code outside a web browser. Recently a vulnerability in the Node.js stack could have been used to achieve remote code execution (RCE).

A report published on January 23 by Shoeb 'Captain Freak' Patel, a self-described 'want to be' security researcher, says that his analysis indicates Express.js might be prone to local file read bugs. In conjunction with an old version of the Handlebars engine (Handlebars is a popular templating engine for web applications), malicious code may be run remotely. “If you are using Express.Js with Handlebars as templating engine invoked via hubs view engine, for Server Side Rendering, you are likely vulnerable to Local File Read (LFR) and potential Remote Code Execution (RCE),” stated Captain Freak.

Captain Freak said that, because of his experience with the developers' code, he wanted to look for flaws in Node.js, Express.js, and Handlebars. He said he "stumbled" last week upon a critical local file read that required a payload of fewer than 10 lines of code for the RCE exploit, and “To be honest, I should not have been that surprised.”

“The betrayal by in-built modules, dependencies, and packages have been the reason to introduce numerous security bugs. This is a recurring theme in software security,” added Captain Freak. 

He explained that if the target responds with X-Powered-By: Express and there is HTML in the responses, it is highly likely that Node.js with server-side templating is in use. The tester can then add layout to the discovery wordlist for GET or POST body parameters. If an arbitrary value for the layout parameter results in a 500 Internal Server Error with ENOENT: no such file or directory in the body, the tester has hit the LFR.

The betrayal of built-in modules, dependencies, and packages has contributed to various security vulnerabilities; in software security, this is still a recurring issue. Captain Freak created a CTF challenge to verify whether this was known, and shared it with several of his talented friends from various network security, Node, backend tech, CTF, and bug bounty forums.

This turned out to be a little-known vulnerability: only 4 people (all CTFers) were able to solve the problem even after being given the whole source code. Captain Freak discovered strange code in the Node.js stack whereby any file with an extension could be read from the root view directory plus the layout and forwarded to Handlebars; compiling it lets the attacker use an HTML file they fully control. RCE is then triggered under particular conditions, requiring Handlebars versions 4.0.3 and below. This issue has been patched in Handlebars versions 4.1.2, 4.0.14, and later.

“I wrote about it so that the whole Node.js and web development community [would] know about this quirky behavior in this stack,” stated Captain Freak.

Cook County’s Court Related Records Exposed


The WebsitePlanet research group, in collaboration with security researcher Jeremiah Fowler, found a non-password-protected database containing more than 323,277 court-related records. On further investigation, the researchers found that the records all related to Cook County, Illinois, the second-most populous county in the United States after Los Angeles County.

According to the research group, nearly every record, dating from 2012 up to 2020, contained some type of personally identifiable information (PII), such as full names, home addresses, email addresses, case numbers, and private details about the cases. The database appeared to be an internal record management system containing detailed notes about case status or issues with the cases or the people involved. Case types appear to have been sorted by markers such as IMM (likely ‘immigration’), FAM (presumably 'family'), and CRI (most likely 'criminal'). The data was in plaintext, and web access had no restrictions: anybody with an internet connection could access, download, alter, or erase the content.

The researchers quickly contacted the Cook County CTO, and the database was secured days later. It is unclear, however, whether the affected people were notified of the data exposure or informed of how this data could be used to target them. The researchers state, "We could not find any reference to a public notice of a data breach of court records. No one replied to our responsible disclosure notice, phone voice message, or a follow-up email, so we were unable to know exactly what these records were used for or the full extent of the exposure."

WebsitePlanet postulates that the database may have belonged to a specialist Cook County department of caseworkers working with individuals who required extra assistance. Almost by definition, everyone included in the database could be classed as ‘vulnerable’ and a practical target for scammers. The data it contained would offer several avenues for such attacks, ranging from identity theft to blackmail.

Experts found a vulnerability in the application of the Moscow State Services

Specialists from the company Postuf reported a vulnerability in the Moscow State Services application that made it possible to gain access to an account knowing only the user's mobile number.

This made it possible to obtain all the information the user had entered on the site: full name, e-mail, year of birth, medical insurance number, list of movable and immovable property, foreign passport details, information about children attending school, etc. Knowing the medical insurance number and the year of birth, it was possible to access medical information: which doctors a person visits, what prescriptions have been written for them, the history of registration with clinics, etc.

"The vulnerability made it possible not just to view, but also to change the data", said the founder of the company Postuf Bekhan Gendargenoevsky.

The expert notes that it is impossible to cause serious harm by knowing the data from the portal, but personal data can be used by hackers for phishing attacks.

"It is impossible to steal money directly [with such information], although hackers can use their knowledge in social engineering and try to steal bank card data from a person," said the computer security specialist.

He also noted that since the system had no restrictions on the number of account access requests, by requesting so-called "beautiful" (vanity) numbers it was possible to obtain information "about a number of well-known personalities who, as a rule, have such numbers."

A representative of the Moscow Department of Information Technology did not confirm the information about the vulnerability, stressing that authorization in the Moscow State Services mobile application without specifying a password is impossible.

State Services is a federal state information system. It provides individuals and legal entities with access to information about state and municipal institutions and organizations, and the services they provide in electronic form.


Location Data of More Than 100 Million Users Got Compromised


Shazam, a popular music app, was a doorway to a user’s precise location. Threat actors could take advantage of weaknesses in the Shazam app to discover a victim’s precise location. Ashley King, a British IT security researcher, uncovered the vulnerabilities in the Shazam app, which could expose the locations of Android and iOS users.

The vulnerabilities in the Shazam app were tracked as CVE-2019-8791 and CVE-2019-8792, and more than 100 million users were affected at the time. A single malicious URL was enough to obtain a victim’s precise location: the URL led the victim into the Shazam app, which then opened a WebView and executed the malicious code, sending the victim’s location data back to the threat actor.

Ashley King reported the vulnerabilities in December 2018, three months after Apple acquired Shazam. The flaw in the Shazam app was finally patched on March 26, 2019, on both iOS and Android, but the specifics were only revealed last week.

Ashley explained via a blog post that “Shazam uses deep links throughout the app as part of its navigation. I found that a particular exported deep link (which was responsible for loading a website inside a web view) was not validating its parameter, allowing external resources to be in control. This web view included a few JavaScript interfaces that allowed content to communicate with the Android & iOS APIs making it possible to pull back device-specific information and the last known precise location of the user”.

Apple and the Google Play Security Rewards Program did not deem ‘location data’ a big enough security threat, even though the vulnerability was patched; most firms do not see a user’s location data as a privacy issue, Ashley concluded.

Cyber Security Researcher Exposes the Biggest Threat Regarding YouTube Users Privacy


David Schutz, a security researcher, uncovered a way for threat actors to gain unauthorized access to a user’s viewing history, favorites, and playlists: a manipulated website embedding a YouTube video could obtain access to the visiting user’s viewing history and playlists.

The security bug carried a $1,337 reward. Schutz explained that he discovered the vulnerabilities by linking two things in a somewhat “unexpected” manner. Website developers use the YouTube embedded player to embed videos into their own sites, and this player also has a feature known as an API (Application Programming Interface).

The API lets developers embed functions commonly executed on YouTube into their own website or application, and also allows them to retrieve, insert, delete, or update many resources. A resource is a type of item that forms part of the YouTube experience, such as loading a new video or playlist, a subscription, or playing/pausing the player.

Every YouTube user has a few personal playlists; for example, the playlist with the ID ‘HL’ holds the user’s viewing history, the one with the ID ‘WL’ holds the user’s Watch Later list, and so on.

David Schutz explained the vulnerabilities via blog post: “Since the YT embedded player is also logged in to YT, a malicious website could have embedded a player, instructed it to play e.g., the ‘HL’ playlist (which would start playing the currently visiting user’s watch history), and get the contents of the playlists using the API the embedded player has, thereby stealing the watch history of the user who opened the website”.

“The attacker could also have prepared a page for a specific victim, which when opened by that victim, would steal the victim’s unlisted videos (which otherwise would require knowing the ID to watch). The main issue was that you were able to load private playlists into the player in the name of the victim, and later steal the contents of those private playlists,” the post further read. 

Serious Vulnerabilities Discovered in Group Face Time Apps


Threat actors used vulnerabilities in the Google Duo, Facebook Messenger, Signal, JioChat, and Mocha messaging apps to listen to a user’s surroundings without any consent, before the user on the other side had even answered the call.

Natalie Silvanovich, a Google Project Zero security researcher, discovered the [Group FaceTime]-style bug in multiple video conferencing mobile applications, and all the vulnerabilities in these apps have now been fixed. iPhones, renowned across the globe for their security features, were reported to have a critical flaw of this kind in January 2019.

Apple’s Group FaceTime vulnerability allowed hackers to start a FaceTime video call and eavesdrop on targets: the attacker added their own number as a third participant in a group chat right before the user on the other end picked up. The vulnerability was considered so critical that it forced the company to disable the Group FaceTime feature; the issue was later resolved via an iOS update.

Natalie Silvanovich stated that “I investigated the signalling state machines of seven video conferencing applications and found five vulnerabilities that could allow a caller device to force a callee device to transmit audio or video data. Theoretically, ensuring callee consent before audio or video transmission should be a fairly simple matter of waiting until the user accepts the call before adding any tracks to the application”. 

“However when I looked at real applications, they enabled transmission in many different ways. Most of these led to vulnerabilities that allowed calls to be connected without interaction from the callee”, she further added.

In December 2020 the Google Duo bug, a race condition that allowed callees to leak video packets from unanswered calls to the caller, was patched. Two related vulnerabilities were discovered in the Mocha and JioChat messengers in July 2020; the JioChat flaw, which allowed audio to be sent, was patched in July 2020, and the Mocha audio and video bugs were patched in August 2020, after exploitation by threat actors.

Cisco Shows no Intentions on Patching EOL Vulnerabilities


Cisco, the American multinational conglomerate, stated this week that it does not plan to fix vulnerabilities in end-of-life (EOL) Cisco routers: more than 70 vulnerabilities were spotted in Cisco’s Small Business RV110W, RV130, and RV130W routers. Despite these vulnerabilities, the company has no intention of issuing patches.

Cisco stated that these devices have reached end-of-life (EOL), hence it will not fix them; the deadline for software maintenance releases and bug fixes was December 1, 2020. For the other vulnerabilities it disclosed, Cisco has released software updates and said it is not aware of threat actor exploits targeting them.

CVE-2021-1144, a high-severity bug (CVSS score of 8.8) in Connected Mobile Experiences (CMX), is the most serious flaw: threat actors can exploit it to change the password of any user account on the system, including administrator accounts. The vulnerability is exploited by sending a modified HTTP request to a vulnerable device.

CVE-2021-1237 (CVSS score of 7.8) is tracked as another high-severity flaw, detected in the AnyConnect Secure Mobility Client for Windows and affecting the Web Security Agent component and the endpoint solution’s Network Access Manager. It could be exploited by an authenticated, local threat actor to get a malicious Dynamic Link Library (DLL) loaded.

Cisco stated that “an attacker could exploit this vulnerability by inserting a configuration file in a specific path in the system which, in turn, causes a malicious DLL file to be loaded when the application starts. A successful exploit could allow the attacker to execute arbitrary code on the affected machine with SYSTEM privileges”.

Cisco issued 18 other advisories describing medium-severity bugs in Proximity Desktop for Windows, ASR 5000 routers, Enterprise NFV Infrastructure Software (NFVIS), Webex, Finesse, Firepower Management Center (FMC), Video Surveillance 8000 IP Cameras, Unified Communications products, DNA Center, AnyConnect Secure Mobility Client, and CMX API authorization.

Joker's Stash, the Largest Carding Forum Shutting Down


Joker's Stash opened in 2014 and was perhaps the best-known underground carding site, offering freshly stolen credit card data with a guarantee of card validity. Its activity has been in decline since mid-2020, and the normally active administrator, Joker's Stash, had several gaps in communication. On January 15, 2021, Joker's Stash announced that it would shut down in a month, the stipulated date being February 15, 2021. The news came through messages the site's administrator posted on the underground cybercrime forums where the site normally advertised its services.

Threat intelligence firm Intel 471 posted a blog documenting the site's end, saying that Joker's Stash's fall follows an extremely turbulent close to 2020. In October, the individual who purportedly runs the site declared that he had contracted COVID-19 and spent seven days in hospital. His condition affected the site's forums, inventory replenishments, and other operations. Intel 471 also found that the site's customers were complaining that the quality of the shop's payment card data was getting progressively worse.

The FBI and Interpol seized four domains operated by the marketplace. At the time, the site's administrators said the law enforcement crackdown had only a limited effect: the domains were merely used as proxies to redirect customers from landing pages to the real marketplace, and the authorities did not seize any servers containing card or customer data. Although the seizure had little practical effect, it chiefly damaged the site's reputation and made customers feel that the once-untouchable Joker's Stash was now an open book for law enforcement agencies.

The Joker's Stash admin gave no further insight into the decision to close the site. They may have chosen to stop rather than be taken down by law enforcement agencies; nonetheless, that does not mean the site's administrator is now immune to prosecution. Before its shutdown announcement, Joker's Stash was regarded as perhaps the most profitable cybercrime operation in existence today.

According to Christopher Thomas, Intelligence Production Analyst at Gemini Advisory, the shop is estimated to have made countless dollars in illicit profits, although part of this money goes to the vendors themselves. Joker's Stash had been operating since October 7, 2014. Last year alone, the site posted more than 35 million CP (card present) records and in excess of 8 million CNP (card not present) records.

The site's administrator intends to wipe all servers and backups when operations shut down next month.

Bug Detected in Linux Mint Virtual Keyboard by Two Kids


A flaw in the Linux Mint screensaver was discovered by two children playing on their dad’s computer. The maintainers of the Linux Mint project have labeled it a security bug, as it could have allowed any threat actor to bypass the OS screensaver and its password and gain access to a locked desktop.

Accessing the desktop this way is as simple as using the virtual keyboard to crash the screensaver, after which the desktop is unlocked.

"A few weeks ago, my kids wanted to hack my Linux desktop, so they typed and clicked everywhere while I was standing behind them looking at them play," states the user whose kids discovered the flaw in the screensaver. He added that his kids crashed the Linux Mint screensaver by pressing random keys on both the physical and the on-screen keyboards and bypassed the lock. Their father initially thought this was accidental; however, the kids managed to do the same thing a second time as well.

Clement Lefebvre, the lead developer of Linux Mint, said that the issue was eventually tracked down to libcaribou, the on-screen keyboard (OSK) component that ships with Cinnamon, the desktop interface used by Linux Mint. In this regard, he wrote, “we’ll most likely patch libcaribou here”.

The team mentioned that the vulnerability is triggered when the user presses the "ē" key on the on-screen keyboard, which causes a crash. In most cases the bug crashes the Cinnamon desktop process if the virtual keyboard is left open for a long time; when triggered from the screensaver, however, it crashes the screensaver rather than the Cinnamon process, which in turn gives users access to the underlying desktop.

Further, Lefebvre added that “the bug was introduced in the Linux Mint OS when the project patched another vulnerability last October, tracked on the Xorg update as CVE-2020-25712”, and that the bug affects all other distributions running Cinnamon 4.2+ and any other software that uses libcaribou.

A patch addressing the bug and preventing future crashes was released on 13 January 2021.