Yesterday — 26 May 2022 Security News

Twitter Fined $150 Million for Misusing Users' Data for Advertising Without Consent

26 May 2022 at 08:03
Twitter, which is in the process of being acquired by Tesla CEO Elon Musk, has agreed to pay $150 million to the U.S. Federal Trade Commission (FTC) to settle allegations that it abused non-public information collected for security purposes to serve targeted ads. In addition to the monetary penalty for "misrepresenting its privacy and security practices," the company has been banned from

Tails OS Users Advised Not to Use Tor Browser Until Critical Firefox Bugs are Patched

26 May 2022 at 09:08
The maintainers of the Tails project have issued a warning that the Tor Browser that's bundled with the operating system is unsafe to use for accessing or entering sensitive information. "We recommend that you stop using Tails until the release of 5.1 (May 31) if you use Tor Browser for sensitive information (passwords, private messages, personal information, etc.)," the project said in an

Italy announced its National Cybersecurity Strategy 2022/26

26 May 2022 at 09:13

Italy announced its National Cybersecurity Strategy for 2022/26, a crucial document to address cyber threats and increase the resilience of the country.

Italy presented its National Cybersecurity Strategy for 2022/26, reinforcing the government’s commitment to addressing cyber threats and increasing the country’s resilience to cyber attacks.

The strategy is aligned with the commitments Italy has undertaken within the international organizations of which it is a member.

The rapidly changing threat landscape has pushed the government to review its strategy and set a series of objectives to achieve over the next four years.

The strategy, developed by the National Cybersecurity Agency, includes 82 objectives and aims to address the following challenges:

  • ensuring a cyber-resilient digital transition of the Public Administration (PA) and of the productive system;
  • anticipating the evolution of cyber threats to reduce their impact on national infrastructure and organizations;
  • countering online disinformation in the broader context of hybrid threats;
  • managing cyber crises;
  • achieving national and European strategic autonomy in the digital sector.

The strategy recognizes the duty of the State to implement measures that increase the security of the State itself, of organizations, and of citizens in the digital domain. The document stresses that cybersecurity is an essential investment and an enabling factor for the development of the national economy and industry: a secure country is a more competitive country.

“The ongoing evolution of technology that has shaped our current society keeps raising new risks as it continues to develop, along with most sophisticated attack techniques. However, such a scenario doesn’t always match with the society’s cybersecurity awareness level.” reads the strategy. “Given those risks, this strategy aims to target the strengthening of our resilience in the digital transition, by fostering the safe use of technologies essentials for our present and future economic prosperity, the achievement of cybersecurity strategic autonomy, the cyber crises management in complex geopolitical scenarios, as well as anticipating the evolution of cyber threats and tackling the spread of online disinformation, while respecting human rights, our values and principles.”

The strategy promotes a cyber “security-oriented” approach that stresses the importance of collaboration between public and private entities.

The macro-goals of the Italian National Cybersecurity Strategy are:

  • The protection of national strategic assets;
  • The response to cyber threats and the management of incidents and crises;
  • The development of new digital technologies to secure digital assets.

Below is the link to the strategy:

The Italian cybersecurity agency ACN also published an implementation plan that lists, for each goal defined in the National Cybersecurity Strategy, the measures to implement:

Security Affairs is one of the finalists for the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS. I ask you to vote for me again (even if you have already done it), because this vote is for the final.

Please vote for Security Affairs and Pierluigi Paganini in every category that includes them (e.g. sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog”)

To nominate, please visit: 

https://docs.google.com/forms/d/e/1FAIpQLSdNDzjvToMSq36YkIHQWwhma90SR0E9rLndflZ3Cu_gVI2Axw/viewform

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, National Cybersecurity Strategy)

The post Italy announced its National Cybersecurity Strategy 2022/26 appeared first on Security Affairs.

Do not use Tails OS until a flaw in the bundled Tor Browser will be fixed

26 May 2022 at 10:31

The maintainers of the Tails project (The Amnesic Incognito Live System) warn users that the Tor Browser bundled with the OS could expose their sensitive information.

The maintainers confirmed that Tor Browser in Tails 5.0 and earlier is unsafe to use for sensitive information.

“We recommend that you stop using Tails until the release of 5.1 (May 31) if you use Tor Browser for sensitive information (passwords, private messages, personal information, etc.).” reads the advisory published by the project maintainers.

Tails is a security- and privacy-oriented Linux distribution: a portable operating system that protects against surveillance and censorship.

The alert stems from two critical zero-day issues in Firefox, tracked as CVE-2022-1802 and CVE-2022-1529, which Mozilla addressed in May. Both were reported by Manfred Paul during the Pwn2Own 2022 contest held in Vancouver last week.

Tor Browser is based on Firefox and is developed as part of the Tor Project.

The CVE-2022-1802 vulnerability can allow an attacker to set up a rogue website to bypass some of the security built in Tor Browser and access information from other websites.

“If an attacker was able to corrupt the methods of an Array object in JavaScript via prototype pollution, they could have achieved execution of attacker-controlled JavaScript code in a privileged context.” reads the advisory.
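The mechanism the Mozilla advisory names, as an added example that is not code from Mozilla, the Tor Project or Tails. CVE-2022-1802 lives inside the JavaScript engine, so this does not reproduce it; it shows at the application level how prototype pollution lets attacker-controlled data reach methods of Array objects that unrelated code later trusts. The deep-merge helper, the settings object and the JSON payload are all assumed for illustration.

```javascript
// Added example, not Mozilla, Tor Project or Tails code.  The Firefox bug
// is inside the engine; this shows the same mechanism, prototype pollution
// reaching Array methods, with a hypothetical application-level deep merge.

const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Hypothetical vulnerable helper: copies attacker-controlled JSON into a
// target and recurses through every key it finds.  target["__proto__"]
// resolves to the shared prototype, so the recursion writes into it.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === "object") {
      if (target[key] === null || typeof target[key] !== "object") target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened version: refuse the keys that walk the prototype chain and only
// descend into properties the target itself owns.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === "object") {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || target[key] === null || typeof target[key] !== "object") target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Code elsewhere in the app that never touches the merge but relies on
// Array.prototype.includes behaving, and on a missing isAdmin meaning false.
function isOriginAllowed(settings, origin) {
  return settings.allowedOrigins.includes(origin);
}

// Constructed attacker payload, e.g. the JSON body of a settings request.
const PAYLOAD = JSON.parse(
  '{"theme": "dark",' +
  ' "__proto__": {"isAdmin": true},' +
  ' "allowedOrigins": {"__proto__": {"includes": "owned"}}}'
);

// Merge the payload with the given helper and report what changed for
// objects the merge never touched.  Pollution is undone afterwards so the
// rest of the process is not affected.
function runDemo(mergeFn) {
  const settings = { theme: "light", allowedOrigins: ["https://app.example"] };
  const originalIncludes = Array.prototype.includes;
  const outcome = { theme: null, adminFlagLeaked: false, includesBroken: false, originAllowed: null };
  try {
    mergeFn(settings, PAYLOAD);
    outcome.theme = settings.theme;
    outcome.adminFlagLeaked = ({}).isAdmin === true;   // a brand-new, empty object
    try {
      outcome.originAllowed = isOriginAllowed(settings, "https://app.example");
    } catch (err) {
      outcome.includesBroken = err instanceof TypeError;  // includes is now a string
    }
  } finally {
    delete Object.prototype.isAdmin;
    Array.prototype.includes = originalIncludes;
  }
  return outcome;
}

console.log("unsafeMerge:", runDemo(unsafeMerge));
console.log("safeMerge:  ", runDemo(safeMerge));
```

With unsafeMerge every object in the realm suddenly reports isAdmin, and Array.prototype.includes becomes a string, so the allowlist check throws instead of answering; safeMerge applies the benign theme key and nothing else. The Safest level in Tor Browser sidesteps this whole class because no page script runs at all, which is why the Tails advisory lists it as unaffected.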

The Tails team pointed out that the flaw doesn’t break the anonymity and encryption of Tor connections, so it is still safe and anonymous to access websites from Tails as long as users don’t share sensitive information with them.

“For example, after you visit a malicious website, an attacker controlling this website might access the password or other sensitive information that you send to other websites afterwards during the same Tails session.” reads the alert published by project maintainers.


The maintainers’ alert states that other applications in Tails are not affected. Thunderbird, for example, is not affected because JavaScript is disabled there.

The Safest security level of Tor Browser is also not affected, because JavaScript is disabled at that level.

Both vulnerabilities will be addressed with the release of Tails 5.1 on May 31.


Pierluigi Paganini

(SecurityAffairs – hacking, domain name system)

The post Do not use Tails OS until a flaw in the bundled Tor Browser will be fixed appeared first on Security Affairs.

Hackers Increasingly Using Browser Automation Frameworks for Malicious Activities

26 May 2022 at 10:49
Cybersecurity researchers are calling attention to a free-to-use browser automation framework that's being increasingly used by threat actors as part of their attack campaigns. "The framework contains numerous features which we assess may be utilized in the enablement of malicious activities," researchers from Team Cymru said in a new report published Wednesday. "The technical entry bar for the

The Added Dangers Privileged Accounts Pose to Your Active Directory

26 May 2022 at 10:49
In any organization, there are certain accounts that are designated as being privileged. These privileged accounts differ from standard user accounts in that they have permission to perform actions that go beyond what standard users can do. The actions vary based on the nature of the account but can include anything from setting up new user accounts to shutting down mission-critical systems.

Experts Warn of Rise in ChromeLoader Malware Hijacking Users' Browsers

26 May 2022 at 11:24
A malvertising threat is witnessing a new surge in activity since its emergence earlier this year. Dubbed ChromeLoader, the malware is a "pervasive and persistent browser hijacker that modifies its victims' browser settings and redirects user traffic to advertisement websites," Aedan Russell of Red Canary said in a new report. ChromeLoader is a rogue Chrome browser extension and is typically

Critical 'Pantsdown' BMC Vulnerability Affects QCT Servers Used in Data Centers

26 May 2022 at 13:18
Quanta Cloud Technology (QCT) servers have been identified as vulnerable to the severe "Pantsdown" Baseboard Management Controller (BMC) flaw, according to new research published today. "An attacker running code on a vulnerable QCT server would be able to 'hop' from the server host to the BMC and move their attacks to the server management network, possibly continue and obtain further

Experts warn of a new malvertising campaign spreading the ChromeLoader

26 May 2022 at 14:38

Researchers warn of a new malvertising campaign spreading the ChromeLoader malware that hijacks the victims’ browsers.

Researchers from Red Canary observed a new malvertising campaign spreading the ChromeLoader malware that hijacks the victims’ browsers.

ChromeLoader is a malicious Chrome browser extension classified as a pervasive browser hijacker: it modifies browser settings to redirect user traffic. Threat actors spread the malware via an ISO file disguised as a cracked video game or a pirated movie or TV show.

“However, ChromeLoader uses PowerShell to inject itself into the browser and add a malicious extension to it, a technique we don’t see very often (and one that often goes undetected by other security tools). If applied to a higher-impact threat—such as a credential harvester or spyware—this PowerShell behavior could help malware gain an initial foothold and go undetected before performing more overtly malicious activity, like exfiltrating data from a user’s browser sessions.” reads the analysis published by the experts.

The malware redirects the user’s traffic and hijacks search queries sent to popular search engines, including Google, Yahoo, and Bing. It uses PowerShell to inject itself into the browser and add the extension.

Running the executable included in the mounted ISO image installs ChromeLoader together with a .NET wrapper for the Windows Task Scheduler, which the threat uses to achieve persistence.

“Executing CS_Installer.exe creates persistence through a scheduled task using the Service Host Process (svchost.exe). Notably, ChromeLoader does not call the Windows Task Scheduler (schtasks.exe) to add this scheduled task, as one might expect. Instead, we saw the installer executable load the Task Scheduler COM API, along with a cross-process injection into svchost.exe (which is used to launch ChromeLoader’s scheduled task).” continues the analysis.


In April, researcher Colin Cowie also published an analysis of the macOS version of ChromeLoader, which can install malicious extensions into both the Chrome and Safari browsers.

The report published by the experts includes the following detection opportunities for this threat:

  • Detection opportunity 1: PowerShell containing a shortened version of the encodedCommand flag in its command line;
  • Detection opportunity 2: PowerShell spawning chrome.exe containing load-extension and AppData\Local within the command line;
  • Detection opportunity 3: a shell process spawning a process that loads a Chrome extension within the command line;
  • Detection opportunity 4: redirected Base64-encoded commands into a shell process.
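The four detection opportunities above, expressed as checks over process-creation telemetry, as an added example that is neither Red Canary’s detection logic nor ChromeLoader code. The event fields (image, parentImage, commandLine), the process names in the shell lists and the sample events, including the Base64 strings, are constructed for illustration.

```javascript
// Added example, not Red Canary's detection logic or ChromeLoader code.
// Event shape and every sample event below are constructed for illustration.

const POWERSHELL = new Set(["powershell.exe", "pwsh.exe"]);
const SHELLS = new Set(["cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash", "zsh"]);

function baseName(path) {
  return path.split(/[\\/]/).pop().toLowerCase();
}

// Rule 1: PowerShell accepts any unambiguous prefix of -EncodedCommand
// (-e, -en, -enc, ...) plus the -ec alias, so flag any token that is a
// strict prefix of the full switch.
function hasShortEncodedCommandFlag(commandLine) {
  const full = "-encodedcommand";
  return commandLine.split(/\s+/).some((tok) => {
    const t = tok.toLowerCase();
    return t === "-ec" || (t.length >= 2 && t.length < full.length && full.startsWith(t));
  });
}

// Rule 2: PowerShell launching chrome.exe with an extension side-loaded
// from the user's local profile.
function isPowerShellLoadingChromeExtension(ev) {
  const cl = ev.commandLine.toLowerCase();
  return POWERSHELL.has(baseName(ev.parentImage)) && baseName(ev.image) === "chrome.exe" &&
    cl.includes("load-extension") && cl.includes("appdata\\local");
}

// Rule 3: any shell spawning a process whose command line loads a Chrome
// extension.  Broader than rule 2 and fires on the same event.
function isShellSpawningExtensionLoader(ev) {
  return SHELLS.has(baseName(ev.parentImage)) &&
    ev.commandLine.toLowerCase().includes("--load-extension");
}

// Rule 4: Base64 decoded inline and piped into a shell, the pattern of the
// macOS variant.
const B64_INTO_SHELL = /base64\s+(?:-d|--decode)\b[^|]*\|\s*(?:\/bin\/)?(?:sh|bash|zsh)\b/i;
function isBase64PipedIntoShell(ev) {
  return SHELLS.has(baseName(ev.image)) && B64_INTO_SHELL.test(ev.commandLine);
}

function detect(ev) {
  const hits = [];
  if (POWERSHELL.has(baseName(ev.image)) && hasShortEncodedCommandFlag(ev.commandLine)) hits.push("1-short-encodedcommand");
  if (isPowerShellLoadingChromeExtension(ev)) hits.push("2-powershell-loads-chrome-extension");
  if (isShellSpawningExtensionLoader(ev)) hits.push("3-shell-spawns-extension-loader");
  if (isBase64PipedIntoShell(ev)) hits.push("4-base64-piped-into-shell");
  return hits;
}

// Returns only the events that matched, with the rules that fired.
function scan(events) {
  return events.map((ev) => ({ pid: ev.pid, hits: detect(ev) })).filter((r) => r.hits.length > 0);
}

// Constructed events: three modelled on the chain in the report, two benign.
const PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe";
const CHROME = "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe";
const SAMPLE_EVENTS = [
  { pid: 101, image: PS, parentImage: "C:\\Windows\\System32\\svchost.exe",
    commandLine: "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA" },
  { pid: 102, image: CHROME, parentImage: PS,
    commandLine: `"${CHROME}" --load-extension="C:\\Users\\victim\\AppData\\Local\\Temp\\ext"` },
  { pid: 103, image: "/bin/sh", parentImage: "/usr/bin/open",
    commandLine: 'sh -c "echo ZWNobyBoaQ== | base64 --decode | sh"' },
  { pid: 104, image: PS, parentImage: "C:\\Windows\\explorer.exe",
    commandLine: "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1" },
  { pid: 105, image: CHROME, parentImage: "C:\\Windows\\explorer.exe",
    commandLine: `"${CHROME}" --profile-directory=Default` },
];

console.log(JSON.stringify(scan(SAMPLE_EVENTS), null, 2));
```

Rule 1 deliberately matches every abbreviation PowerShell accepts for -EncodedCommand, so tune it against admin tooling in your environment before alerting on it; rule 3 is the wider net and fires on the same event as rule 2, which is fine for hunting but worth deduplicating in an alert pipeline.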


Pierluigi Paganini

(SecurityAffairs – hacking, chromeloader)

The post Experts warn of a new malvertising campaign spreading the ChromeLoader appeared first on Security Affairs.

Zyxel addresses four flaws affecting APs, AP controllers, and firewalls

26 May 2022 at 19:28

Zyxel addressed multiple vulnerabilities impacting many of its products, including APs, AP controllers, and firewalls.

Zyxel has released security updates to address multiple vulnerabilities affecting multiple products, including firewall, AP, and AP controller products.

Below is the list of the four vulnerabilities; the most severe is a command injection flaw in the packet-trace CLI command, tracked as CVE-2022-26532 (CVSS v3.1 7.8):

  • CVE-2022-0734: A cross-site scripting vulnerability was identified in the CGI program of some firewall versions that could allow an attacker to obtain some information stored in the user’s browser, such as cookies or session tokens, via a malicious script.
  • CVE-2022-26531: Multiple improper input validation flaws were identified in some CLI commands of some firewall, AP controller, and AP versions that could allow a local authenticated attacker to cause a buffer overflow or a system crash via a crafted payload.
  • CVE-2022-26532: A command injection vulnerability in the “packet-trace” CLI command of some firewall, AP controller, and AP versions could allow a local authenticated attacker to execute arbitrary OS commands by including crafted arguments to the command.
  • CVE-2022-0910: An authentication bypass vulnerability caused by the lack of a proper access control mechanism has been found in the CGI program of some firewall versions. The flaw could allow an attacker to downgrade from two-factor authentication to one-factor authentication via an IPsec VPN client.

According to the advisory published by the vendor, the issues affect USG/ZyWALL, USG FLEX, ATP, VPN, NSG firewalls, NXC2500 and NXC5500 AP controllers, and NAP, NWA, WAC, and WAX Access Point families.

The vendor has already released security patches to address the flaws for most of the affected models.

The hotfix for NXC2500 AP controllers affected by CVE-2022-26531 and CVE-2022-26532 must be requested from a local service representative.

Experts urge admins to upgrade their installs to avoid cyber attacks exploiting the above flaws.

This advice is especially important for US companies as we head into a holiday weekend when it is common for threat actors to conduct attacks.


Pierluigi Paganini

(SecurityAffairs – hacking, Zyxel)

The post Zyxel addresses four flaws affecting APs, AP controllers, and firewalls appeared first on Security Affairs.

Exposed: the threat actors who are poisoning Facebook

26 May 2022 at 20:40

An investigation of the infamous “Is That You?” video scam led Cybernews researchers into exposing threat actors who are poisoning Facebook

Original post @ https://cybernews.com/security/exposed-the-threat-actors-who-are-poisoning-facebook/

An investigation of the infamous “Is That You?” video scam has led Cybernews researchers to a cybercriminal stronghold, from which threat actors have been infecting the social media giant with thousands of malicious links every day. At least five suspects, thought to be residing in the Dominican Republic, have been identified.

Facebook has long been a happy hunting ground for online crooks, who take great pleasure in turning unwary members of the internet community into their prey.

It can start with something as seemingly innocuous as a message from a “friend” – in fact a cybercriminal pretending to be such – inviting you to click on a juicy link to the next big share-fest, be it a music clip, funny video, or anything else you might be interested in.

Screenshot of the original Is That You? scam uncovered on Facebook.

The only thing that’s juicy about such bogus links is the bundle of personal details you are giving up by clicking on them, because it won’t be the latest hot clip you’re sharing when you do – just your name, address, and passwords, which are then harvested for profit by the threat actor who has fooled you.

Given its likelihood of being used as a platform for such scams, Facebook has been on the Cybernews radar for some time – in February last year, we exposed the “Is That You?” phishing scam on its Messenger service that had been doing the rounds since at least 2017.

Since then, the research team has remained vigilant, keeping tabs on suspect activities on Facebook. Recently, that vigilance was rewarded when we received a tip-off from fellow cyber investigator Aidan Raney – who first reached out to us after our original findings were published – that malicious links were being distributed to users.

Upon further examination, it turned out that thousands of these phishing links had been distributed, through a devious network sprawling across the back channels of the social media platform.

Left unchecked, this could result in hundreds of thousands of unwary social media users falling victim to the dodgy links; the “Is That You?” scam was thought to have hooked around half a million victims before we uncovered it.

That campaign was initiated by sending the potential mark a message from one of their Facebook contacts. The message contained what appeared to be a video link, with text in German suggesting that they were featured in the clip.

Mind map of a devious cybercriminal enterprise.

The game is afoot!

Hot for the chase, our cyber detectives began their inquiry by scrutinizing a malicious link sent to one victim, to learn how the scam had been put together.

“I figured out what servers did what, where code was hosted, and how I could identify other servers,” said Raney. “I then used this information and urlscan.io [a website that allows one to scan URLs] to look for more phishing links matching the same characteristics as this one.”

A thorough search of servers connected to the phishing links turned up a page that was sending credentials to a site called devsbrp.app. Further scrutiny revealed a banner thought to be attached to a control panel, with the text “panelfps by braunnypr” written on it.

Using these as keywords in a subsequent search led the research team straight to the panel and banner creator, whose email address and password combinations were also discovered – neatly turning the tables on cybercriminals used to stealing credentials of unsuspecting web users.

Inside a criminal stronghold

Using the threat actor’s own details, Cybernews accessed a website that turned out to be the command and control center for most of the phishing attacks linked to the gang, thought to number at least five threat actors but possibly many more. This provided our intrepid investigators with a trove of information on the crooks behind the Facebook phishing scam, including their likely country of residence – the Dominican Republic.

“We were able to export the user list for everybody registered to this panel,” said the Cybernews researcher. “Using the usernames on the list, we started uncovering the identities of as many people on the list as possible, but there is still more work to be done.”

One of the suspects that Raney identified is likely the same threat actor that the Cybernews research team was able to name in February 2021. Back then, we sent the relevant information to the Cyber Emergency Response Team (CERT) in the Dominican Republic, as evidence suggested that the campaign was also launched from there.

At the time of writing, all relevant information has been handed over to the authorities pending further investigation.

If you want to know how to protect yourself, take a look at the original post:

https://cybernews.com/security/exposed-the-threat-actors-who-are-poisoning-facebook/


Pierluigi Paganini

(SecurityAffairs – hacking, Facebook)

The post Exposed: the threat actors who are poisoning Facebook appeared first on Security Affairs.

Today — 27 May 2022 Security News

Experts released PoC exploit code for critical VMware CVE-2022-22972 flaw

27 May 2022 at 05:58

Security researchers released PoC exploit code for the critical authentication bypass vulnerability CVE-2022-22972 affecting multiple VMware products.

Horizon3 security researchers have released a proof-of-concept (PoC) exploit and technical analysis for the critical authentication bypass vulnerability CVE-2022-22972 affecting multiple VMware products.

The virtualization giant recently warned that a threat actor can exploit the CVE-2022-22972 flaw (CVSSv3 base score of 9.8) to obtain admin privileges and urged customers to install the patches immediately.

“This critical vulnerability should be patched or mitigated immediately per the instructions in VMSA-2021-0014. The ramifications of this vulnerability are serious.” states VMware.

The CVE-2022-22972 flaw affects Workspace ONE Access, VMware Identity Manager (vIDM), and vRealize Automation.

“VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users.” reads the advisory published by the company. “A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate.”

The company acknowledged Bruno López of Innotec Security for the discovery of the flaw.

VMware addressed the flaw and also provided workarounds for admins who cannot immediately install security patches.

VMware did not provide technical details about the flaw, so Horizon3 researchers analyzed the patch.

“Our POC sends requests starting at the /vcac endpoint the same way a browser would and parses the login page to extract these hidden fields. These hidden fields are then encoded into the body of the final POST with the Host header set to our custom login server. The POC then parses the response to extract the authentication cookies. These cookies can be used to execute actions as the chosen user.” reads the analysis published by the researchers. “This script can be used to bypass authentication on vRealize Automation 7.6 using CVE-2022-22972. Workspace ONE and vIDM have different authentication endpoints, but the crux of the vulnerability remains the same.”

The experts pointed out that the CVE-2022-22972 issue is a relatively simple Host header manipulation vulnerability.
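The bug class Horizon3 describes, a server deciding which authentication server to trust from the client-supplied Host header, as an added example that is neither VMware’s code nor Horizon3’s PoC. The hostnames, endpoint path, request shape and the stand-in for the outbound HTTP call are assumptions; the point is the contrast between building that URL from the request and building it from configuration while rejecting unexpected Host values.

```javascript
// Added example, neither VMware's code nor Horizon3's PoC.  Hostnames,
// endpoint path, request shape and the stand-in network are assumptions.

const CANONICAL_HOST = "idm.corp.example";                 // assumed deployment setting
const ALLOWED_HOSTS = new Set([CANONICAL_HOST, "idm-alt.corp.example"]);

class BadHostHeaderError extends Error {}

// Vulnerable pattern: the server whose verdict will be trusted is located
// through whatever Host header the client chose to send.
function vulnerableAuthServerUrl(req) {
  return `https://${req.headers.host}/auth/validate`;
}

// Hardened pattern: Host is validated against an allowlist (port stripped,
// case folded) and then ignored; the upstream comes from configuration.
function hardenedAuthServerUrl(req) {
  const host = String(req.headers.host || "").toLowerCase().replace(/:\d+$/, "");
  if (!ALLOWED_HOSTS.has(host)) {
    throw new BadHostHeaderError(`unexpected Host header: ${JSON.stringify(req.headers.host)}`);
  }
  return `https://${CANONICAL_HOST}/auth/validate`;
}

// Constructed stand-in for the outbound HTTP call.  Which server answers
// depends entirely on the URL the application decided to contact.
const FAKE_NETWORK = {
  "https://idm.corp.example/auth/validate": (body) =>
    ({ ok: body.password === "correct horse", user: body.username }),
  "https://attacker.example/auth/validate": () =>
    ({ ok: true, user: "admin" }),   // the attacker's server approves everyone
};

// The login handler: resolve the validation URL, forward the credentials,
// and treat the upstream's verdict as the login result.
function login(req, resolveUrl) {
  const url = resolveUrl(req);
  const upstream = FAKE_NETWORK[url];
  if (!upstream) return { authenticated: false, reason: `no route to ${url}` };
  const verdict = upstream(req.body);
  return verdict.ok
    ? { authenticated: true, user: verdict.user, via: url }
    : { authenticated: false, reason: "bad credentials" };
}

// Constructed requests: one with a forged Host and a wrong password, one normal.
const FORGED_REQUEST = { headers: { host: "attacker.example" }, body: { username: "admin", password: "wrong" } };
const NORMAL_REQUEST = { headers: { host: "idm.corp.example" }, body: { username: "alice", password: "correct horse" } };

console.log("vulnerable + forged Host:", login(FORGED_REQUEST, vulnerableAuthServerUrl));
try {
  login(FORGED_REQUEST, hardenedAuthServerUrl);
} catch (err) {
  console.log("hardened + forged Host:", err.message);
}
console.log("hardened + normal:", login(NORMAL_REQUEST, hardenedAuthServerUrl));
```

The same allowlist check belongs in front of every other Host-derived value (password-reset links, redirects, cache keys), and the reverse proxy in front of the application should overwrite Host with the canonical name rather than forward whatever the client sent.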


Threat actors could easily exploit this issue. A Shodan.io search for the affected VMware applications turns up potentially vulnerable instances belonging to organizations in the healthcare and education sectors and in state government.

The Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 22-03, ordering federal agencies to fix the VMware CVE-2022-22972 and CVE-2022-22973 flaws or remove the affected products from their networks by May 23, 2022.

The directive also orders federal agencies to report the status of all VMware installs on their networks through CyberScope by May 24, 2022.

The Cybersecurity and Infrastructure Security Agency (CISA) further highlighted this security flaw’s severity lev


Pierluigi Paganini

(SecurityAffairs – hacking, VMWare)

The post Experts released PoC exploit code for critical VMware CVE-2022-22972 flaw appeared first on Security Affairs.
