Shenanigans and more – PSW #804

"QNAP urges its customers to secure their devices by changing the default access port number, deactivating port forwarding on their routers and UPnP on the NAS, using robust passwords for their accounts, implementing password policies, and deactivating the admin account targeted in attacks." - I mean or you could just ship a more secure product!

"Google hasn't published detailed stats about the dangers of sideloading in a while, but in 2018, it used to publish yearly security reports with statistics on malware installation sources. Back then, Google found that 0.04 percent of all downloads from the Google Play Store were "PHAs" (potentially harmful apps), while sources "Outside of Google Play" had a 0.92 percent PHA install rate. That means you're 20 times more likely to install malware outside of the Play Store, and considering that is basically a comparison between having some malware controls on Google Play and none at all on the free-wheeling Internet, it's not a huge surprise." - Now Google needs to do this for all Android devices, like Android TV devices that come with malware pre-installed. Except, deals may have been made that device manufacturers are allowing this to happen and sharing the profits (At least that is my theory).

This write-up is totally awesome. A good read for sure, funny too. And this: "The real moral of the story is a lesson for attackers and fellow researchers - attack ‘hard’ targets, with significant barriers to entry, and often you’ll be surprised by just how ‘soft’ they are."

I actually now agree with the author. Now you have to go read the article :)

https://www.wired.com/story/unciphered-ironkey-password-cracking-bitcoin/

Of course, it's weird, its crypto currency, and it's ALWAYS weird. This is a weird story.

Mozilla has released security updates to address vulnerabilities in Firefox ESR 115.4 and Firefox 119. A cyber threat actor could exploit these vulnerabilities to take control of an affected system.

CISA encourages users and administrators to review Mozilla security advisories Firefox ESR 115.4 and Firefox 119 for more information and apply the necessary updates.

The International Criminal Court provided additional information about the cyberattack five weeks ago, saying that it was a targeted operation for espionage.. Forensic analysis “thus far indicates a targeted and sophisticated attack with the objective of espionage.” There is not adequate information currently available to attribute the attack to a specific threat actor.

The ICC offered to handle the international ransomware court cases recently.

The Washington, DC Board of Elections (DCBOE) says that cyber criminals accessed the district’s voter rolls via a third-party services provider. The breach occurred on the network of DataNet Systems. The compromised data include personal information, such as driver’s license numbers, dates of birth, partial Social Security numbers and contact information.

To file a claim, customers must call the AmFam help desk. Bill due dates are being extended until systems are back online. If you're delaying that payment, don't forget to watch for the window to re-open. While this appears to be a ransomware attack, it's not yet clear if extortion over exfiltrated data is also in play. This, so far, is looking like a good case study to model your ransomware response on.

Cybersecurity researchers from Kaspersky have uncovered a sophisticated new piece of malware called TetrisPhantom seen compromising secure USB drives to steal data. It also targets air-gapped systems which rely on encrypted USB devices to pass data between them.

Eight newly discovered vulnerabilities in the SolarWinds Access Rights Manager Tool (ARM) CVE-2023-35180, CVD-2023-35184 and CVE-2023-35186 can be abused for remote code execution, while CVE-2023-35181 and CVE-2023-35813 allow local users to perform privilege escalation. The final (most severe) three, CVE-2023-35182, CVE-2023-35185 and CVE-2023-35187, allow RCE due to improper validation for the methods createGlobalServerChannelInternal, OpenFile, and OpenClientUpdateFile, respectively, allow that SYSTEM level code execution. The vulnerabilities are fixed in ARM version 2023.2.1.

As this is SolarWinds, assume adversaries are seeing blood in the water....

This issue has been exploited by multiple groups. Be careful and as you apply patches assume the device is already compromised, possibly multiple times.

Never expose management interfaces to the Internet/untrusted networks. Perhaps disable this web-UI altogether.

The two flaws here - CVE-2023-4966, a buffer overflow flaw, which can result in sensitive information disclosure with a CVSS score of 9.4 and CVE-2023-4967, a denial-of-service flaw, with a CVSS score of 8.2 make an attractive target. Essentially in under two weeks the announced vulnerability is being actively exploited. While the exploit only works on NetScaler ADC and NetScaler Gateways setup as gateways, or AAA virtual servers, you need to apply the update as they still contain the vulnerable code, even if not in the vulnerable configuration, assume threat actors are working to exploit the flaws in the non-gateway/AAA configured devices. This flaw is in CISA's KVE catalog with a due date of November 8th and guidance to apply the mitigation (update) or discontinue use of the product.

Okta disclosed that stolen credentials were used to access the company’s support case management system. The intruder was able to view customer HTTP Archive (HAR) files that were uploaded as part of support cases. HAR files sometimes include cookies and session tokens, which bad actors can exploit to impersonate users.

When you're gathering data for a support ticket, be aware of sensitive data included in that data. Consider redacting, or better still not gathering in the first place, as redacting log files is painful.

Cisco disclosed a new high-severity zero-day (CVE-2023-20273) today, this new vulnerability gains root access on a device running IOS XE, allowing an attacker to deploy implants. However, first the device has to be compromised using the authentication bypass, zero-day flaw CVE-2023-20198.

Deputy National Security Advisor Anne Neuberger revealed on Wednesday that North Korea is escalating its cyber capabilities by harnessing the power of artificial intelligence (AI), posing a significant risk for enterprises worldwide.