Silk Road Seizure, Psychic Signatures, Twitter Algorithms, & Linux Desktops – PSW #738
This week in the Security News: Java’s “psychic paper”, Musk’s plans for Twitter’s algorithm, Bossware, What Google is getting wrong about expired domains, & NFT Tweet Auctions, Silk Road Seizures, 0-Days, & more!
Announcements
Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!
We're always looking for great guests for all of the Security Weekly shows! Submit your suggestions by visiting https://securityweekly.com/guests and completing the form!
Hosts
Paul Asadoorian
Principal Security Researcher at Eclypsium
- 1. Major cryptography blunder in Java enables “psychic paper” forgeries - Interesting: “If you are running one of the vulnerable versions then an attacker can easily forge some types of SSL certificates and handshakes (allowing interception and modification of communications), signed JWTs, SAML assertions or OIDC id tokens, and even WebAuthn authentication messages. All using the digital equivalent of a blank piece of paper.”
- 2. Hackers are exploiting 0-days more than ever - "Mandiant and Project Zero each have a different scope for the types of zero-days they track. Project Zero, for example, doesn't currently focus on analyzing flaws in Internet-of-things devices that are exploited in the wild. As a result, the absolute numbers in the two reports aren't directly comparable, but both teams tracked a record high number of exploited zero-days in 2021. Mandiant tracked 80 last year compared to 30 in 2020, and Project Zero tracked 58 in 2021 compared to 25 the year before. The key question for both teams, though, is how to contextualize their findings, given that no one can see the full scale of this clandestine activity."
- 3. Musk’s plans to make Twitter’s algorithms public raises disinformation conundrum - “Another advantage of open source is that people can learn from the code,” said Wysopal. “Even if Twitter doesn’t implement improvements, it could lead to better social media algorithms on other or new platforms.” - This could also open up a cat and mouse game, as people figure out how to cheat the algorithms, Twitter then has to implement defenses, those defenses are open-source, rinse, lather and repeat.
- 4. Hackers can infect >100 Lenovo models with unremovable malware. Are you patched?
- 5. The Nimbuspwn Linux Flaw Allows Root Access
- 6. 5-Year Vulnerability Trends Are Both Surprising and Sadly Predictable
- 7. Zero-Day Vulnerabilities Are on the Rise – Schneier on Security
- 8. ‘Bossware is coming for almost every worker’: the software you might not realize is watching you
- 9. Atlassian fixes critical Jira authentication bypass vulnerability - "The flaw is tracked as CVE-2022-0540 and comes with a severity rating of 9.9. It allows a remote attacker to bypass authentication by sending a specially crafted HTTP request to vulnerable endpoints." - just when I think there is a glimmer of hope...
- 10. Docker servers hacked in ongoing cryptomining malware campaign
- 11. These hackers showed just how easy it is to target critical infrastructure
- 12. AWS’s Log4Shell Hot Patch Vulnerable to Container Escape and Privilege Escalation
- 13. Microsoft Discovers New Privilege Escalation Flaws in Linux Operating System
- 14. Elon Musk to Acquire Twitter
- 15. A $3 Billion Silk Road Seizure Will Erase Ross Ulbricht’s Debt - "Last year, prosecutors quietly signed an agreement with Ulbricht stipulating that a portion of a newfound trove of Silk Road bitcoins, seized from an unnamed hacker, will be used to cancel out the more than $183 million in restitution Ulbricht was ordered to pay as part of his 2015 sentence, a number calculated from the total illegal sales of the Silk Road based on exchange rates at the time of each transaction."
Joff Thyer
Security Analyst at Black Hills Information Security
Larry Pesce
Product Security Research and Analysis Director at Finite State
- 1. How a new generation of IoT botnets is amplifying DDoS attacks
- 2. VMWare Identity Manager Attack: New Backdoor Discovered
- 3. CVE-2022-21449: Psychic Signatures in Java
- 4. Brave’s browser can automatically bypass Google’s AMP pages
- 5. Researchers Detail Bug That Could Paralyze Snort Intrusion Detection System
- 6. ESET uncovers vulnerabilities in Lenovo laptops
- 7. Cory Doctorow on Twitter
Lee Neely
Retired Senior Cyber Advisor at Lawrence Livermore National Laboratory
- 1. What Google is getting wrong about expired domains – TechCrunch - Expired domains are being leveraged to lure users from legitimate backlinks to the prior legitimate site.
- 2. Hack DHS: Homeland Security’s first bug bounty turns up 122 vulnerabilities - DHS is drinking their own Kool-Aid. VDP participation, per BOD 21-01, is now complete for their internet facing sites, and they are now hiring vetted researchers to test them.
- 3. Static SSH host key in Cisco Umbrella allows stealing admin credentials - Cisco has addressed a high-severity vulnerability (CVE-2022-20773) affecting its Umbrella Virtual Appliance (VA) that could be exploited by attackers to remotely steal administrator credentials.
- 4. Docker servers hacked in ongoing cryptomining malware campaign - The operators of the "Lemon_Duck" botnet have been spotted conducting a large-scale Monero crypto-mining campaign in which they are exploiting misconfigured Docker systems in order to hide their wallets behind proxy pools.
- 5. Atlassian Patches Critical Authentication Bypass Vulnerability in Jira - Atlassian has patched a critical authentication bypass vulnerability (CVE-2022-0540) in the Jira and Jira Service Management "Seraph" web authentication framework that could be exploited by attackers to bypass authentication and authorization by sending a specially crafted HTTP request. ==> Patch your Jira environment
- 6. T-Mobile confirms Lapsus$ had access to its systems - T-Mobile has confirmed that the "Lapsus$" extortion group managed to breach its network in March 2022, giving the gang access to its systems. Team chat messages show LAPSUS$ members continuously targeted T-Mobile employees, whose access to internal company tools could give them everything they needed to conduct hassle-free 'SIM swaps'.
- 7. Organizations Warned of Attacks Exploiting WSO2 Vulnerability - WSO2's API Manager, Identity Server, Enterprise Integrator, and Open Banking products are impacted by an arbitrary file upload vulnerability (CVE-2022-29464) that has already been exploited in the wild. Time to roll the update.
- 8. Group behind Emotet botnet malware testing new methods to get around Microsoft security - Those behind the "Emotet" botnet have been spotted altering their existing methods and testing new attack approaches on a "very small and limited scale," related to Microsoft actions taken in February to block macros that facilitated malware execution.
- 9. One-third of employees who quit their jobs take company IP with them? - More bad security news from the Great Resignation: Code42’s new research on Wednesday said that when employees quit their jobs, there’s now a 37% chance the organization will lose intellectual property. The research also adds that some 96% of all companies surveyed say they have experienced challenges in protecting corporate data from insider risks.
- 10. Auction of Dorsey tweet NFT—listed at $48M—closes at high of $280 - The cryptocurrency entrepreneur who bought an NFT of Twitter founder Jack Dorsey’s first tweet was hoping to sell it for $48 million, more than 16 times the $2.9 million he paid for it. But after an auction that lasted a week, the highest bid offered was a mere $280.
Tyler Robinson
Director of Offensive Security & Research at Trimarc Security, Founder & CEO at Dark Element