Thursday, January 16, 2025

Royal Mail customer data leak shutters online Click and Drop

data breach

A technical snafu shut down the UK’s Royal Mail Click and Drop website on Tuesday after a security “issue” allowed some customers to see others’ order information.

The data leak started around 13:00 GMT, and according to an alert posted on Click and Drop’s status page, Royal Mail shut down the website about an hour later.

In an update posted shortly before 14:00 GMT, the postal service noted:

We have been made aware there was an issue affecting Click & Drop that meant some customers could see other customers’ orders. As a protective measure, we have stopped access to Click & Drop temporarily. We fully understand and apologise for the inconvenience caused by this. Our engineers are working as hard as possible to get the site back up and running as expected. Further updates will be posted here as soon as we have more information.

In subsequent alerts, Royal Mail assured customers that its engineers continued to work on a fix, and hoped to have the site back online “as soon as possible.” The service, which allows customers to print labels and pay for postage online, and then track packages until they reach their destination, vowed that it was “treating this as the highest priority.” 

Later, Royal Mail suggested users resort to actual paper “emergency” order forms instead of the online versions. Who even owns a printer these days? Emergency, indeed. 

About four hours later, at 18:01 GMT, the postal service marked the issue as “resolved,” and the website was up and running. “We apologise for any inconvenience this has caused our customers,” Royal Mail said. “The root cause is now under investigation.”

On Wednesday, the online service noted “no incidents reported today.” However, some customers took to Twitter to say the site still wasn’t working, and they had been charged twice but not received any postage label.  

Royal Mail did not immediately respond to The Register’s questions about how many customers’ data was exposed, or whether the incident was due to a mistake or something more malicious.

As of Tuesday, Royal Mail had not notified the UK’s Information Commissioner’s Office (ICO), according to Sky News. The postal service has 72 hours after becoming aware of a data breach to notify the consumer privacy watchdog agency, unless the leak doesn’t “pose a risk to people’s rights and freedoms,” an ICO spokesperson told the media outlet.


Stay informed of the latest Cybersecurity trends, threats and developments. Sign up for our Weekly Cybersecurity Newsletter Today.

Remember, CyberSecurity Starts With You!

  • Globally, 30,000 websites are hacked daily.
  • 64% of companies worldwide have experienced at least one form of a cyber attack.
  • There were 20M breached records in March 2021.
  • In 2020, ransomware cases grew by 150%.
  • Email is responsible for around 94% of all malware.
  • Every 39 seconds, there is a new attack somewhere on the web.
  • An average of around 24,000 malicious mobile apps are blocked daily on the internet.

OpenSSL fixed two high-severity vulnerabilities


The OpenSSL project fixed two high-severity flaws in its cryptography library that can trigger a DoS condition or achieve remote code execution.

The OpenSSL software library provides secure communications over computer networks, protecting against eavesdropping and letting each side identify the party at the other end. OpenSSL contains an open-source implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols.

Both flaws are buffer overrun issues that can be triggered in X.509 certificate verification by providing a specially crafted email address. 

“The first, CVE-2022-3786, allows a threat actor to ‘craft a malicious email address in a certificate to overflow an arbitrary number of bytes containing the `.` character.’ The second, CVE-2022-3602, is similar, but in this case, a threat actor could ‘craft a malicious email to overflow four attacker-controlled bytes on the stack.’ These could result in a denial of service or remote code execution,” reads a post published by Censys.

This buffer overflow could cause a denial of service condition or potentially lead to remote code execution.

“An attacker can craft a malicious email address in a certificate to overflow an arbitrary number of bytes containing the `.` character (decimal 46) on the stack. This buffer overflow could result in a crash (causing a denial of service). In a TLS client, this can be triggered by connecting to a malicious server,” reads the OpenSSL advisory for CVE-2022-3786. “In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects.”

The CVE-2022-3602 flaw was initially rated CRITICAL, but further analysis based on some of the mitigating factors led its severity rating to be downgraded to HIGH.

Both vulnerabilities have been addressed with the release of OpenSSL 3.0.7.

As of October 30th, 2022, the number of unique hosts having one or more services broadcasting that they use OpenSSL was 1,793,111. Of those, only 7,062 (0.4%) hosts run a vulnerable version of the library, i.e. version 3.0.0 or later.

Most of the hosts were located in the U.S., Germany, Japan, China, Czechia, the U.K., France, Russia, Canada, and the Netherlands.

“We still consider these issues to be serious vulnerabilities and affected users are encouraged to upgrade as soon as possible,” reads a blog post published by the OpenSSL team. “We are not aware of any working exploit that could lead to remote code execution, and we have no evidence of these issues being exploited as of the time of release of this post.”


‘CosMiss’ vulnerability found in Microsoft Azure developer tool


Microsoft addressed a vulnerability affecting a tool used by developers within its Azure cloud computing service, according to researchers from the tech giant and cybersecurity firm Orca Security.

Both released a report on Tuesday outlining a vulnerability dubbed “CosMiss” in Jupyter Notebooks for Azure Cosmos DB — an open-source interactive developer environment allowing users to create and share documents that have live code, equations and more. 

A Microsoft spokesperson said 99.8% of Azure Cosmos DB customers do not use Jupyter notebooks and are not vulnerable to this issue because the tool is currently in preview. 

To exploit the bug, an attacker would need to know the session’s ‘Globally Unique Identifier’ — also known as GUID. The number is used by developers working with Microsoft technology. 

Jupyter Notebooks for Azure Cosmos DB run in the context of a temporary notebook workspace which has a maximum lifetime of one hour, a Microsoft spokesperson noted, adding that after one hour, the workspace and all data inside it — including notebooks — are automatically deleted.

“The bug was introduced on August 12th and fully patched worldwide on Oct 6th, two days after it was reported. To exploit it, an attacker would have to guess a 128-bit cryptographically random GUID of an active session and use it within an hour,” Microsoft explained. 

“Microsoft conducted an investigation of log data from August 12th to Oct 6th and did not identify any brute force requests that would indicate malicious activity. No customers were impacted, and no action is required.” 

If a hacker is somehow able to guess the GUID, Microsoft said the attacker would “gain read/write access to the notebooks in the victim’s workspace.”

The impact of the breach would be limited to the one-hour period when the temporary notebook workspace is active. It does not give an attacker access to other functions within the tool.

Microsoft thanked Orca Security for discovering the bug and the security company released its own report explaining exploitation of the issue, calling it a “highly important vulnerability.”

Orca Security researchers told The Record that they checked the fix and confirmed that all users of the tool are now protected. 

The researchers noted that the tool is used “extensively in Microsoft’s own e-commerce platforms and in the retail industry for storing catalog data and for event sourcing in order processing pipelines.”

Since Cosmos DB Notebooks are used by developers to create code, they can at times contain highly sensitive information such as secrets and private keys embedded in the code, Orca Security researchers explained. 

“Jupyter Notebooks are built into Azure Cosmos DB, and are used by developers to perform common tasks, such as data cleaning, data exploration, data transformation, and machine learning,” the researchers said. 

“This is especially risky since Cosmos DB Notebooks are used by developers to create code and often contain highly sensitive information such as secrets and private keys embedded in the code.”


Unofficial fix emerges for Windows bug abused to infect home PCs with ransomware


A cybersecurity firm has issued another unofficial patch to squash a bug in Windows that Microsoft has yet to fix, with this hole being actively exploited to spread ransomware.

Rewind to October 17, and Acros Security released a small binary patch to address a flaw in Microsoft’s Mark-of-the-Web (MotW) feature. This feature is supposed to set a flag in the metadata for files obtained from the internet, USB sticks, and other untrusted sources. This flag ensures that when those files are opened, extra security protections kick in, such as Office blocking macros from running or the operating system checking that the user really did want to run that .exe.

It turns out it’s possible to bypass this feature, and have files downloaded from the web not carry the MotW flag, thus side-stepping all those protections when opened. Specifically, an attacker could prevent Windows from putting the MotW flag on files extracted from a ZIP archive obtained from an untrusted source. This can be exploited by miscreants to lure marks into opening ZIP archives, and running malicious software within without tripping the expected security protections. The bug was highlighted months ago by Will Dormann, a senior vulnerability analyst at Analygence.

Microsoft has yet to fix this oversight. IT watcher Kevin Beaumont on October 10 said the bug was now being exploited in the wild. Acros put out a micropatch about a week later that can be applied to close this hole while you wait for Redmond to catch up.

Now Acros has emitted another patch that addresses a related MotW security hole in Windows that Microsoft again has not yet fixed.

What’s new?

Just days before the first patch was released, HP Wolf Security shared a report about a spate of ransomware infections in September that each started with a web download. Victims were told to fetch a ZIP archive that contained a JavaScript file masquerading as an antivirus or Windows software update.

The script, when run, actually deployed Magniber, a ransomware strain aimed at Windows home users. It scrambles documents and can extort as much as $2,500 from victims to restore their data, according to Wolf Security.

“Even though Magniber does not fall into the category of Big Game Hunting, it can still cause significant damage,” the Wolf team wrote in its report, where Big Game Hunting refers to crooks specifically infecting large, rich enterprises in hope of a big payday. “Home users were the likely target of this malware based on the supported operating system versions and UAC bypass.”

Crucially, HP malware analyst Patrick Schlapfer noted that the malicious JavaScript in the Magniber ZIP archive did carry the MotW flag but still executed without a SmartScreen alert popping up to either halt the requested action or warn the user against proceeding, as you’d expect for an internet-fetched archive. Mitja Kolsek, CEO of Acros, confirmed SmartScreen was being bypassed by the Magniber script.

Microsoft’s SmartScreen is supposed to, among other things, block obvious malicious files or caution users if a file looks suspicious, but the Magniber ZIP archive’s contents were able to side step that process entirely. That is to say: there’s a bug in Windows that has been exploited so that the MotW flag is not applied to internet-sourced files, and now there’s exploitation of a related vulnerability in which MotW is set but it has no effect.

“Remember that on Windows 10 and Windows 11, opening any potentially harmful file triggers a SmartScreen inspection of said file, whereby SmartScreen determines if the file is clear to get launched or the user should be warned about it,” Kolsek said.

And it turns out the script file in the Magniber ZIP bypasses SmartScreen due to a broken digital Authenticode signature. This signature confuses Windows so that the script is just allowed to run even though its MotW flag is set.

Analygence’s Dormann tweeted on October 18 in response to Schlapfer that “if the file has this malformed Authenticode signature, the SmartScreen and/or file-open warning dialog will be skipped regardless of script contents, as if there is no MotW on the file.”

Microsoft’s Authenticode is a digital code-signing technology that identifies the publisher and verifies the software has not been tampered with after being signed and released. Dormann found that the script files’ signatures were malformed to the point that Windows “could not even properly parse them. This, for some peculiar reason, led to Windows trusting them – and letting malicious executables execute without a warning,” Kolsek wrote.

Further inspection by Acros Security found that the flaw came about because SmartScreen, when trying to parse the malformed signature, returned an error, which led the operating system to run the program and infect the machine without triggering a warning.

Acros’s latest micropatch, released October 28, works for Windows 11 version 21H2, eight versions of Windows 10 including 21H1 and 21H2, and Windows Server versions 2019 and 2022, we’re told.

A spokesperson for Microsoft told us of this latest vulnerability: “We are aware of the technique and are investigating to determine the appropriate steps to address the issue.”


Everything you need to know about the OpenSSL 3.0.7 Patch


Vulnerability Details

The vulnerability is a buffer overflow in the X.509 certificate verification, which is the code used to validate TLS certificates. The vulnerability could potentially be exploited to allow remote code execution via a malicious TLS certificate; however, it requires that the malicious TLS certificate be signed by a trusted CA.

X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602)
==========================================================

Severity: High

A buffer overrun can be triggered in X.509 certificate verification,
specifically in name constraint checking. Note that this occurs
after certificate chain signature verification and requires either a
CA to have signed the malicious certificate or for the application to
continue certificate verification despite failure to construct a path
to a trusted issuer. An attacker can craft a malicious email address
to overflow four attacker-controlled bytes on the stack. This buffer
overflow could result in a crash (causing a denial of service) or
potentially remote code execution.

Many platforms implement stack overflow protections which would mitigate
against the risk of remote code execution. The risk may be further
mitigated based on stack layout for any given platform/compiler.

Pre-announcements of CVE-2022-3602 described this issue as CRITICAL.
Further analysis based on some of the mitigating factors described above
have led this to be downgraded to HIGH. Users are still encouraged to
upgrade to a new version as soon as possible.

In a TLS client, this can be triggered by connecting to a malicious
server. In a TLS server, this can be triggered if the server requests
client authentication and a malicious client connects.

OpenSSL versions 3.0.0 to 3.0.6 are vulnerable to this issue.

OpenSSL 3.0 users should upgrade to OpenSSL 3.0.7.

OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.

This issue was reported to OpenSSL on 17th October 2022 by Polar Bear.
The fixes were developed by Dr Paul Dale.

We are not aware of any working exploit that could lead to code execution,
and we have no evidence of this issue being exploited as of the time of
release of this advisory (November 1st 2022).

X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786)

Since certificate verification is typically done on the client side, this vulnerability primarily affects clients, not servers. There is a case where servers could be exploited via TLS Client Authentication, which may bypass the CA signing requirements as client certs are usually not required to be signed by a trusted CA. Since client authentication is rare, and most servers do not have it enabled, server exploitation should be low risk.

Attackers could exploit this vulnerability by directing a client to a malicious TLS server which uses a specially crafted certificate to trigger the vulnerability.

Likelihood of exploitation

Given that the vulnerability is primarily client-side, requires the malicious certificate to be signed by a trusted CA (or the user to ignore the warning), and is complex to exploit, I estimate a low chance of seeing in-the-wild exploitation.

Affected Systems

Important Note: OpenSSL 3 is not the same as SSLv3. This vulnerability exists only in OpenSSL Version 3 and not SSLv3.

The vulnerability affects only OpenSSL version 3.0.0 to 3.0.6, with the patch being shipped in version 3.0.7. Due to the fact OpenSSL 3.0.0 was released in September 2021, it is far less widespread than previous versions. Given the very recent release date, older appliances with hardcoded OpenSSL version are unlikely to be vulnerable.

NCSC-NL has a helpful list of confirmed affected/unaffected software here: https://github.com/NCSC-NL/OpenSSL-2022/tree/main/software

Detecting OpenSSL Version

There are several ways a system can use OpenSSL; I’ll explain each of them below and specific remedies.

System

The system may have OpenSSL installed, which can be executed by running the command ‘openssl’.

How to check the version
Run the command ‘openssl version’ (without quotes).

Dynamically Linked

Most software will ship with OpenSSL code contained within a library (a DLL file on Windows, or SO file on Linux).

How to check the version
OpenSSL libraries are typically named libcrypto.so or libssl.so on Linux, and libcrypto.dll or libssl.dll on Windows. The filename may sometimes contain the version number at the end, but this is not always the case. The best method is to extract the OpenSSL version number from the file’s content using a combination of strings and RegEx.

Below I’ve attached an example version scanner for Linux and Windows. Please note, these are only example scripts and not designed for production use. Use with care, and note they are not 100% guaranteed to find every OpenSSL library on the server.

Linux & *Nix Scanner (Bash Script): https://github.com/MalwareTech/SpookySSLTools/blob/main/openssl_scan.sh

Windows scanner (PowerShell): https://github.com/MalwareTech/SpookySSLTools/blob/main/openssl_scan.ps1

Statically Linked Software

Sometimes software is built in such a way that all the libraries (usually DLL or SO) files are simply compiled into the main software executable. This is the worst case and hardest to deal with.

How to detect
Use a method similar to the scripts above, but run it against executables instead of libraries.

Unix-like: strings /path/to/executable | grep "^OpenSSL\s*[0-9]\.[0-9]\.[0-9]"
Windows: Select-String -Path C:\path\to\executable.exe -Pattern "OpenSSL\s*[0-9]\.[0-9]\.[0-9]" -AllMatches | % { $_.Matches } | % { $_.Value }
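As an added example (not one of the MalwareTech scanner scripts linked above), the same strings-and-regex idea in Python: it pulls the embedded OpenSSL version banner out of library and executable files alike, so statically linked programs are covered too, and flags 3.0.0 through 3.0.6. The ELF-like sample bytes at the bottom are constructed, not a real binary.

```python
import re
import sys
from pathlib import Path

# The banner OpenSSL embeds in libcrypto/libssl (and therefore in any program
# that statically links them) looks like "OpenSSL 3.0.5 5 Jul 2022". This is
# the same pattern the strings + grep one-liners above look for.
BANNER_RE = re.compile(rb"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)\b")

# Inclusive range affected by CVE-2022-3602 / CVE-2022-3786; fixed in 3.0.7.
AFFECTED_MIN = (3, 0, 0)
AFFECTED_MAX = (3, 0, 6)


def find_openssl_versions(data: bytes) -> list:
    """Return the distinct OpenSSL version strings found in a blob of bytes,
    in order of first appearance (e.g. ["3.0.5", "1.1.1n"])."""
    found = []
    for m in BANNER_RE.finditer(data):
        version = b".".join(m.group(1, 2, 3)).decode() + m.group(4).decode()
        if version not in found:
            found.append(version)
    return found


def is_affected(version: str) -> bool:
    """True for OpenSSL 3.0.0 through 3.0.6. A trailing letter (1.1.1n) is the
    1.x-series patch marker; those releases are outside the affected range."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)[a-z]?", version)
    if m is None:
        raise ValueError(f"not an OpenSSL version string: {version!r}")
    triple = tuple(int(x) for x in m.groups())
    return AFFECTED_MIN <= triple <= AFFECTED_MAX


def scan_bytes(data: bytes) -> dict:
    """Map each version string found in `data` to whether it is affected."""
    return {v: is_affected(v) for v in find_openssl_versions(data)}


def scan_tree(root: Path, max_size: int = 256 << 20) -> dict:
    """Scan every readable regular file under `root` (libraries and executables
    alike) and return {path: {version: affected}} for files that embed a banner."""
    results = {}
    for path in root.rglob("*"):
        try:
            if path.is_symlink() or not path.is_file():
                continue
            if path.stat().st_size > max_size:
                continue  # skip huge files rather than read them into memory
            hits = scan_bytes(path.read_bytes())
        except OSError:
            continue  # unreadable (permissions, vanished, special file)
        if hits:
            results[str(path)] = hits
    return results


# Constructed stand-in for a statically linked executable: an ELF-like header,
# padding, and two embedded banners. Not a real binary.
SAMPLE_BINARY = (
    b"\x7fELF" + b"\x00" * 60
    + b"OpenSSL 3.0.5 5 Jul 2022\x00" + b"\x00" * 16
    + b"OpenSSL 1.1.1n  15 Mar 2022\x00"
)


if __name__ == "__main__":
    targets = [Path(p) for p in sys.argv[1:]]
    if not targets:
        print("sample:", scan_bytes(SAMPLE_BINARY))
    for target in targets:
        for file, hits in scan_tree(target).items():
            flagged = ", ".join(
                f"{v} ({'AFFECTED' if a else 'ok'})" for v, a in hits.items()
            )
            print(f"{file}: {flagged}")
```

A file that links OpenSSL dynamically carries no banner of its own, so point the scanner at the library directories (and at the executables, for the statically linked case) rather than at a single program.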

Current Exploitation Status

Proof of Concept: there is no confirmed proof of concept available for this vulnerability yet.
Exploitation: there is no confirmed in-the-wild exploitation of this vulnerability yet.
Vulnerability Credit: Polar Bear (SandboxEscaper)


See Also: Critical zero-day bug, first since Heartbleed, identified in OpenSSL


Hackers selling access to 576 corporate networks for $4 million

cybersecurity

A new report shows that hackers are selling access to 576 corporate networks worldwide for a total cumulative sales price of $4,000,000, fueling attacks on the enterprise.

The research comes from Israeli cyber-intelligence firm KELA, which published its Q3 2022 ransomware report, reflecting stable activity in the sector of initial access sales but a steep rise in the value of the offerings, reports BleepingComputer.

Although the number of sales for network access remained about the same as in the previous two quarters, the cumulative requested price has now reached $4,000,000.

For comparison, the total value of initial access listings in Q2 2022 was $660,000, recording a drop in value that coincided with the summer ransomware hiatus that hurt demand.

The road to ransomware

Initial access brokers (IABs) are hackers who sell access to corporate networks, usually achieved through credential theft, webshells, or exploiting vulnerabilities in publicly exposed hardware.

After establishing a foothold on the network, the threat actors sell this corporate access to other hackers who use it to steal valuable data, deploy ransomware, or conduct other malicious activity.

The reasons IABs choose not to leverage network access vary, ranging from lacking diverse intrusion skills to preferring not to risk increased legal trouble.

IABs still play a crucial role in the ransomware infection chain, even if they got sidelined last year when big ransomware gangs that operated as crime syndicates operated their own IAB departments.

Q3 ’22 numbers

In the third quarter of 2022, KELA’s analysts observed 110 threat actors posting 576 initial access offerings totaling a cumulative value of $4,000,000.

Figure: Monthly volume of initial access sales (KELA)

The average selling price of these listings was $2,800, while the median selling price reached a record figure of $1,350.

Figure: Initial access sales prices (KELA)

KELA also saw a case of a single access being offered for purchase at the astronomical price of $3,000,000. However, this listing was not included in the Q3 ’22 stats and totals due to doubts about its authenticity.

The top three IABs operated a large-scale business, offering between 40 and 100 accesses for sale in Q3 2022.

Based on hacking forum discussions and marketplace listing removal events, the average time to sell corporate access was just 1.6 days, while most were of RDP and VPN types.

This quarter’s most targeted country was the United States, accounting for 30.4% of all IAB offerings. This stat is close to the 39.1% share of ransomware attacks in Q3 targeting U.S. companies.

Figure: Most targeted countries by IABs in Q3 (KELA)

When looking at the targeted sectors, professional services, manufacturing, and technology topped the list with 13.4%, 10.8%, and 9.4%, respectively. Again, ransomware attacks feature a similar ranking, emphasizing the connection between the two.

Figure: Sectors IABs targeted the most in Q3 (KELA)

As initial access brokers have become an integral part of the ransomware attack chain, properly securing your network from intrusion is crucial.

This includes placing remote access servers behind VPNs, restricting access to publicly exposed devices, enabling MFA, and conducting phishing training to prevent the theft of corporate credentials.


What You Should Know about the New OpenSSL Vulnerability

vulnerability

TL;DR: If you use OpenSSL 3.0 or higher, prepare to upgrade to version 3.0.7 as soon as possible. The fix is available from Tuesday, 1 November 2022, between 1300-1700 UTC.

On Tuesday, the OpenSSL team announced the release of a new version to address a critical vulnerability in versions 3.0.0 and higher. The new version will be available from November 1, 2022. The OpenSSL library rarely has critical vulnerabilities, but due to its popularity and widespread use, we should be cautious.

On the basis of the critical level assigned by the OpenSSL team, we can assume that the vulnerability can be easily exploited, and involves data leakage or remote code execution. It is therefore extremely important that organizations act swiftly to determine any use of the affected OpenSSL version and if they are exposed to the vulnerability.

Impact of the Vulnerability

According to the announcement, the vulnerability affects only newer versions of OpenSSL V3.0 and higher. It is hard to predict the potential damage and risk of this vulnerability to the organization. What we do know is that, despite being the most recent version of OpenSSL, which was released one year ago, OpenSSL V3.0 is far less ubiquitous than OpenSSL V1.0.

We can split the impact into different categories: OS distributions, containers, web applications and any other application that uses an embedded OpenSSL library.

OpenSSL V3.0 has been incorporated into Linux operating systems such as Ubuntu 22.04 LTS, MacOS Ventura, Fedora 36, and others. It should be noted, however, that most of these Linux distributions only include OpenSSL 3.0 and above in their most recent releases of the OS applications. These versions are considered testing versions so may not be widely used in production systems. If you develop proprietary software in your organization, you should also check if your code uses the vulnerable OpenSSL version.

In addition, many Docker Official images still use OpenSSL V1.x and are not affected. The Docker Official container images for popular projects like Redis and httpd are unaffected. On the other hand, NodeJS’s latest version is vulnerable.

In terms of web applications, the adoption of OpenSSL V3.0 is very slow. Running a query in Shodan, we found approximately 14,000 devices running OpenSSL V3.0.0 as opposed to 770,000 running OpenSSL V1.1.1. According to this survey, OpenSSL V3.0 is adopted by less than 0.2% of websites worldwide, in comparison to more than 75% of V1.

We see that the adoption of OpenSSL V3.0 and above is still very low. Nonetheless, you should still check if you have entities with the vulnerable version in your organization.

Vulnerable OS Versions

Based on our research, we’ve compiled a list of the most popular OS distributions and versions that contain the vulnerable OpenSSL version.

OS Distribution                               OpenSSL Version
--------------------------------------------  ---------------
Fedora 36                                     3.0.5
Fedora Rawhide                                3.0.5
Ubuntu 22.04                                  3.0.2
Oracle Linux 9.0                              3.0.1
Kali 2022.3                                   3.0.5/3.0.4
Redhat ES 9                                   3.0.0
Red Hat Enterprise Linux RHEL-9.0             3.0.1
OpenBSD 7.2                                   3.0.5
OpenBSD 7.1                                   3.0.2
Linux Mint 21 Vanessa                         3.0.2
Mageia Cauldron                               3.0.5
OpenMandriva                                  3.0.6
Rocky Linux release 9.0 (Blue Onyx)           3.0.1
Debian unstable sid/testing bookworm          3.0.5
Linux Lite 6.0 fluorite                       3.0.2u
AlmaLinux OS 9.0                              3.0.1e
CentOS Stream 9                               3.0.1
Nix unstable                                  3.0.5
Gentoo Linux unstable                         3.0.5
Kubuntu 22.10 kinetic/22.04 jammy             3.0.5/3.0.2
Lubuntu 22.10 kinetic/22.04 jammy             3.0.5/3.0.2
Xubuntu 22.10 kinetic/22.04 jammy             3.0.5/3.0.2
Ubuntu MATE kinetic/22.04 jammy               3.0.5/3.0.2
Ubuntu Budgie 22.10 kinetic/22.04 jammy       3.0.5/3.0.2
Ubuntu Studio 22.10 kinetic/22.04 jammy       3.0.5/3.0.2
Ubuntu Unity 22.10 kinetic                    3.0.5
Ubuntu Kylin 22.04 jammy                      3.0.2


How To Detect If You Are Vulnerable

As shown above, OpenSSL can be used in multiple places in your organization. We’ve created a list of 5 methods to detect which OpenSSL version you are using and determine if you are exposed to the vulnerability:

1. OpenSSL Version Command

The command allows you to determine the version your system is currently using. Based on that you can tell if the version is 3.0.*.

ubuntu@ubuntu:~$ openssl version
OpenSSL 1.1.1n  15 Mar 2022

2. Linux Package Managers

Amazon Linux:

repoquery --all --pkgnarrow=installed --qf="%{NAME} %{VERSION} %{RELEASE}" | grep openssl

OR

rpm -qa --queryformat "%{NAME} %{VERSION} %{RELEASE}\n" | grep openssl

Debian & Ubuntu:

dpkg-query -W -f="\${Package},\${Version}\n" | grep openssl

RHEL, Fedora, Oracle, CentOS:

rpm -qa --queryformat "%{NAME} %{VERSION} %{RELEASE}\n" | grep openssl

3. Docker Image Vulnerability Database

The Docker Image Vulnerability Database can help you find vulnerable Docker images. For now, the placeholder is dubbed “DSA-2022-0001.”

4. Vulnerability Scanning For Docker Local Images

apt-get update && apt-get install docker-scan-plugin

The docker scan command allows you to scan existing Docker images using the image name or ID. For example, run the following command to scan the hello-world image:

docker scan hello-world

5. Trivy

sudo trivy image --format spdx oraclelinux:9 | grep -i -C 4 openssl
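Tying the methods above together, here is an added example (not code from the article) that classifies the version strings those commands produce. It assumes that the affected upstream releases are 3.0.0 through 3.0.6, the versions the distribution table above lists; the sample lines it starts from are constructed.

```shell
#!/usr/bin/env bash
# Added example, not code from the original article: classify the version
# string reported by `openssl version` or by the package-manager queries above.
# Assumption: the affected upstream releases are 3.0.0 through 3.0.6, the
# versions the distribution table lists. Confirm against your vendor advisory:
# Debian, Ubuntu and RHEL backport fixes without changing the upstream version
# number, so "3.0.2" alone does not prove a package is unpatched.

# Pull the upstream major.minor.patch out of a line such as
# "OpenSSL 1.1.1n  15 Mar 2022", "openssl 3.0.2 0ubuntu1.6" or "libssl3 3.0.5-1".
openssl_version_of() {
    printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# Print one of: unaffected (1.x and older), vulnerable (3.0.0..3.0.6 upstream),
# check-advisory (any other 3.x release), unknown (no version in the line).
classify_openssl() {
    ver=$(openssl_version_of "$1")
    if [ -z "$ver" ]; then
        echo "unknown"
        return 0
    fi
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    if [ "$major" -lt 3 ]; then
        echo "unaffected"
    elif [ "$major" -eq 3 ] && [ "$minor" -eq 0 ] && [ "$patch" -le 6 ]; then
        echo "vulnerable"
    else
        echo "check-advisory"
    fi
}

# Installed-package lines from whichever manager is present, using the
# dpkg-query / rpm invocations from the article. The Debian library package is
# named libssl3, so the filter matches both "openssl" and "libssl".
installed_openssl_lines() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Package} ${Version}\n' 2>/dev/null | grep -iE 'openssl|libssl' || true
    elif command -v rpm >/dev/null 2>&1; then
        rpm -qa --queryformat '%{NAME} %{VERSION} %{RELEASE}\n' 2>/dev/null | grep -iE 'openssl|libssl' || true
    fi
}

# Constructed sample lines (not captured from any real host), followed by the
# live output of `openssl version` and the package manager where available.
samples='OpenSSL 1.1.1n  15 Mar 2022
openssl 3.0.2 0ubuntu1.6
openssl-libs 3.0.1 1.el9
OpenSSL 3.1.0'
if command -v openssl >/dev/null 2>&1; then
    samples="$samples
$(openssl version)"
fi
{ printf '%s\n' "$samples"; installed_openssl_lines; } | while IFS= read -r line; do
    printf '%-45s %s\n' "$line" "$(classify_openssl "$line")"
done
```

A "vulnerable" verdict from a package-manager line means the upstream version is in range; check the package changelog or the distribution's security tracker before concluding the host is unpatched.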


Stay informed of the latest Cybersecurity trends, threats and developments. Sign up for our Weekly Cybersecurity Newsletter Today.

Remember, CyberSecurity Starts With You!

  • Globally, 30,000 websites are hacked daily.
  • 64% of companies worldwide have experienced at least one form of a cyber attack.
  • There were 20M breached records in March 2021.
  • In 2020, ransomware cases grew by 150%.
  • Email is responsible for around 94% of all malware.
  • Every 39 seconds, there is a new attack somewhere on the web.
  • An average of around 24,000 malicious mobile apps are blocked daily on the internet.

The door is open for anyone to become a cyber defender


Throughout Cybersecurity Awareness Month, Microsoft has highlighted the importance of cybersecurity and provided resources to help people and organizations stay safe. It’s great to have this month as a reminder, and even better if that awareness becomes a year-round endeavor. Education is really the key. With the increase of sophisticated cyber attacks, we know that the combination of security tools and educated users is our best line of defense. After all, security teams are increasingly stretched to protect today’s sprawling digital ecosystem. And it’s not going to get any easier as the talent shortage in our industry grows. Current estimates predict that the global workforce will need to train and hire roughly 3.4 million cybersecurity professionals to effectively defend organizations’ critical assets.1

The great news is we have an opportunity to not only grow our community of defenders but strengthen it by breaking down barriers, being more inclusive, and making careers in cybersecurity more accessible to all, reads an article on the Microsoft website.

Strengthening security through diverse viewpoints

To meet the current and future challenges, the defender community needs to be as diverse as the attackers we face. Unfortunately, while progress is being made, many groups are still underrepresented in the field of cybersecurity. Less than 25 percent of the cyber workforce are women and, in 2021, only 9 percent of cybersecurity workers were Black and only 4 percent Hispanic.2 Not only is the current underrepresentation among these groups a wildly missed opportunity, but it also means we don’t have the benefit of diverse viewpoints as we try to address complex cybersecurity issues.

Fortunately, the seeds of change are here, and it’s up to all of us to nurture their growth. According to a study commissioned by Microsoft, 82 percent of American women believe there is an opportunity for them in the cybersecurity industry. And they’re right! Cybersecurity is an incredible career path, one that’s interesting and challenging, and where you can make a real difference in the world, every single day. Still, 71 percent of women feel that cybersecurity is “too complex” of a career, and that perception is something we simply must change. At Microsoft, we’re working hard to do just that. Aimee Reyes, who received a cybersecurity scholarship through Microsoft’s partnership with the Last Mile Education Fund, summed up her experience this way: “For anyone who thinks that cybersecurity is a male profession, I would say you’re going to see a lot of men. It doesn’t mean you can’t make your own table, make your own seat. It doesn’t mean that you don’t belong, because you do.”

I could not agree more!

Making cybersecurity training accessible to more students

In 2021, Microsoft launched its cybersecurity jobs campaign to help community colleges in the United States train the next generation of cyber defenders. The campaign aims to fill thousands of cybersecurity jobs by 2025 by providing free cybersecurity curricula to accredited higher education institutions, along with training for faculty and financial aid for low-income students.

Since its inception, more than 1,000 low-income community college students across 47 states have benefited from the Microsoft Cybersecurity Scholarship Program in partnership with the Last Mile Education Fund. This scholarship program has been very effective in reaching a talent pool that may not have had access to further education. According to a student named Justin: “Without this grant, there is no way I could have started this semester. I’ve already put my family through too much trying to make this happen to risk any chance of not finishing. Thank you for believing in me.” Because of feedback like this and strong results, Microsoft has expanded its cybersecurity jobs campaign to an additional 24 countries, all of which have a skills gap in their cybersecurity workforces, both in numbers and diversity.

Also, to help provide girls with real-world inspiration, we created Microsoft DigiGirlz, which offers female middle and high school students an early opportunity to learn about careers in technology, as well as connect with Microsoft employees and participate in hands-on technology workshops. And for students who want to showcase their skills, Microsoft has created the Imagine Cup, which allows entrants to access exclusive training, gain mentorship opportunities, compete to win great prizes, and collaborate on creating new technologies that make a difference.

I absolutely love that these programs help inspire and empower students. And I’m so excited that Microsoft is partnering with some amazing organizations to help empower educators, as well. 

Providing educators with cybersecurity tools and curricula

Through the Microsoft Learn for Educators program, we’re also providing access to certification course materials for Security, Compliance, and Identity Fundamentals (SC-900), and Microsoft Azure Security Technologies (AZ-500). Additional support for faculty includes free practice exams, curriculum integration, and course-prep sessions led by Microsoft trainers. In addition, we’re expanding access to cybersecurity courses to educational institutions through LinkedIn Learning, and there are even more security skilling opportunities available through our Microsoft Learn platform.

Microsoft is also partnering with the National Cybersecurity Training & Education Center (NCyTE) to provide faculty with professional development opportunities as well as support colleges in attaining the Center of Academic Excellence in Cyber Defense (CAE-CD) designation. This support will provide a foundation for cybersecurity training at nearly 15 percent of community colleges across the United States. In a recent interview with Fortune magazine, Naria Santa Lucia, Senior Director of Digital Skills and Employability at Microsoft Philanthropies, explained our approach in simple terms: “Community colleges are so affordable, and they are everywhere. That system has a lot of women and lots of students of color. If we can really tap that infrastructure to start getting that message out, that’s a good start to diversifying the talent pipeline.”4

Still going strong, Microsoft Technology Education and Learning Support (TEALS) has been helping to build sustainable computer science education programs since 2009. TEALS helps teachers learn to teach computer science by pairing them with industry volunteers and proven curricula. Since the program began, more than 95,000 students have received computer science education. TEALS currently supports more than 500 high schools in the United States and British Columbia, Canada. In the past year, Microsoft has expanded the TEALS program course offerings to include cybersecurity at 37 schools.

Forging partnerships to foster new cyber defenders

Security is a team sport, and partnership is critical to our success as a defender community. Microsoft continues to partner with organizations that practice similar values and focus on diversity for cybersecurity education.

In the United States, only eight percent of information security analysts are African American.3 Microsoft is working to raise that number through its participation in the HBCU Cybersecurity Industry Collaboration Initiative Pilot.5 The initiative is designed to develop students for careers in cybersecurity and engineering through research collaborations, guest lecturers, and mentoring programs in collaboration with four historically Black colleges and universities (HBCUs): Hampton University, North Carolina A&T State University, Prairie View A&M University, and Virginia State University. Separately, the Blacks at Microsoft (BAM) program will also award 45 scholarships this year totaling USD182,500. 

Microsoft has also partnered with Girl Security to “create career pathways for girls, women, and gender minorities to shape solutions to our most pressing security challenges” through mentorship programs, summer programming, trainings, and specific curriculum for high school students and early-in-career women. Microsoft also provides support for all women, allies, and advocates through partnership with WiCyS (Women in CyberSecurity). Through this partnership, Microsoft is helping to globally empower the recruitment, retention, and advancement of women with mentorship, professional development programs, scholarships, conferences, and job fairs. This includes partnering with WiCyS on the expansion of their student chapters in more than 20 countries.

The only thing missing is you

Microsoft is committed to making cybersecurity a viable career path for everyone. Creating a safer online world requires all of us—from every background—to bring to this mission the superpowers, the diverse skills, perspectives, and life experiences we each embody to defeat tomorrow’s cyberthreats. In the spirit of Cybersecurity Awareness Month, I hope you’ll share this post with friends, family, colleagues, or anyone with an interest in exploring a career in cybersecurity. There is so much opportunity to be a cyber defender.

Learn more

To learn about educational and professional cybersecurity opportunities at Microsoft, make sure to check out our Cybersecurity Awareness website for education resources.  

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


VMware warns of the public availability of CVE-2021-39144 exploit code


VMware warned of the availability of a public exploit for a recently addressed critical remote code execution flaw in NSX Data Center for vSphere (NSX-V).

VMware NSX is a network virtualization solution that is available in VMware vCenter Server.

The remote code execution vulnerability resides in the XStream open-source library. Unauthenticated attackers can exploit the vulnerability in low-complexity attacks without user interaction.

“Due to an unauthenticated endpoint that leverages XStream for input serialization in VMware Cloud Foundation (NSX-V), a malicious actor can get remote code execution in the context of ‘root’ on the appliance.” reads the advisory published by the company.

The product team has also released patches for end-of-life products due to the severity of the vulnerability.

“VMware has confirmed that exploit code leveraging CVE-2021-39144 against impacted products has been published.” reads the advisory published by the virtualization giant.

The virtualization firm also published separate guidance to upgrade NSX-V 6.4.14 appliances on Cloud Foundation 3.x.

The company urges its customers to upgrade their installs to the latest release.


Security experts targeted with malicious CVE PoC exploits on GitHub


A team of researchers at the Leiden Institute of Advanced Computer Science (Soufian El Yadmani, Robin The and Olga Gadyatskaya) discovered thousands of repositories on GitHub that offer fake proof-of-concept (PoC) exploits for multiple vulnerabilities.

The experts analyzed PoCs shared on GitHub for known vulnerabilities discovered in 2017-2021, some of these repositories were used by threat actors to spread malware.

The experts pointed out that public code repositories do not provide any guarantees that any given PoC comes from a trustworthy source.

“We discovered that not all PoCs are trustworthy. Some proof-of-concepts are fake (i.e., they do not actually offer PoC functionality), or even malicious: e.g., they attempt to exfiltrate data from the system they are being run on, or they try to install malware on this system.” reads the research paper published by the experts.

The team focused on a set of symptoms observed in the collected dataset, such as calls to malicious IP addresses, encoded malicious code, or included Trojanized binaries. The boffins analyzed 47313 repositories and 4893 of them were malicious repositories (i.e. 10.3% of the studied repositories have symptoms of malicious intent).

“This figure shows a worrying prevalence of dangerous malicious PoCs among the exploit code distributed on GitHub.” continues the paper.

The researchers extracted a total of 358,277 IP addresses from the repositories, 150,734 of them unique. Of the unique addresses, 2,864 matched blocklist entries, 1,522 were flagged as malicious by AV scans on VirusTotal, and 1,069 were present in the AbuseIPDB database.

Most of the malicious detections are related to vulnerabilities from 2020.

During their research the experts found multiple examples of malicious PoC developed for CVEs and shared some case studies.

One of the examples is related to a PoC developed for the CVE-2019-0708, also known as BlueKeep.

“This repository was created by a user under the name Elkhazrajy. The source code contains a base64 line that once decoded will be running. It contains another Python script with a link to Pastebin28 that will be saved as a VBScript, then run by the first exec command. After investigating the VBScript we discovered that it contains the Houdini malware.” continues the paper.

Another example detailed by the experts is related to a malicious PoC designed to gather info about the target. In this case the URL to the server used for data exfiltration was base64-encoded.

The boffins explained that their study has several limitations. For example, the GitHub API proved unreliable, and not all repositories corresponding to the CVE IDs used were collected.

Another limitation is related to the use of heuristics for detecting malicious PoCs. Experts explained that the approach can miss some malicious PoCs in their dataset.

“However, this approach cannot detect every malicious PoC based on source code, since it is always possible to find more creative ways to obfuscate it. We have investigated code similarity as a feature to help identifying new malicious repositories. Our results show that indeed malicious repositories are on average more similar to each other than non-malicious one.” conclude the experts. “This result is the first step to develop more robust detection techniques.”

The researchers have shared their findings with GitHub, and some of the malicious repositories have yet to be removed.
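As an added example that is not part of the article or the paper, the following script applies the three symptoms the researchers describe (hard-coded IP addresses, base64 blobs that are decoded and executed, bundled native binaries) as a pre-run triage of a PoC checkout. The sample repository it builds under mktemp is constructed, and the regular expressions and thresholds are choices made here, not the paper's method.

```shell
#!/usr/bin/env bash
# Added example, not code from the paper or the article: a pre-run triage of a
# downloaded PoC directory for the symptoms the researchers list, i.e. hard-coded
# IP addresses, base64 blobs that are decoded and executed, and native binaries.
# It only reports; judging what is actually malicious still needs a sandbox run.

# Public-looking IPv4 literals in text files under $1, one per line. Loopback,
# RFC 1918 and link-local addresses are normal in PoCs and are dropped.
find_ip_literals() {
    grep -rhoIE '([0-9]{1,3}\.){3}[0-9]{1,3}' "$1" 2>/dev/null \
      | grep -vE '^(127\.|10\.|192\.168\.|169\.254\.|172\.(1[6-9]|2[0-9]|3[01])\.|0\.)' \
      | sort -u
}

# Files where a base64 run of 60+ characters shares a line with a
# decode-and-run idiom such as exec(base64.b64decode("...")).
find_encoded_exec() {
    grep -rlIE '(b64decode|base64 +(-d|--decode)|FromBase64String).*[A-Za-z0-9+/]{60,}={0,2}|[A-Za-z0-9+/]{60,}={0,2}.*(exec|eval|system|Invoke-Expression)' "$1" 2>/dev/null \
      | sort -u
}

# Files that start with an ELF (7f 45 4c 46) or PE/MZ (4d 5a) magic number:
# a "PoC" that ships a compiled binary deserves a closer look.
find_binaries() {
    find "$1" -type f | while IFS= read -r f; do
        magic=$(head -c 4 "$f" | od -An -tx1 | tr -d ' \n')
        case "$magic" in
            7f454c46|4d5a*) printf '%s\n' "$f" ;;
        esac
    done | sort -u
}

# Constructed sample repository (not any real GitHub project). The blob is the
# base64 of a harmless print statement, long enough to trip the 60-char rule.
POC_DIR=$(mktemp -d)
trap 'rm -rf "$POC_DIR"' EXIT
BLOB=$(printf 'print("constructed sample, harmless; decoded only to show the pattern")' | base64 | tr -d '\n')
cat > "$POC_DIR/poc.py" <<EOF
import base64
EXFIL_HOST = "203.0.113.10"   # documentation-range address, constructed
exec(base64.b64decode("$BLOB"))
EOF
cat > "$POC_DIR/clean.py" <<'EOF'
target = "127.0.0.1"  # loopback is expected in a PoC and is not reported
print("ordinary version check")
EOF
printf 'MZ\220\000\000' > "$POC_DIR/helper.bin"

echo "== public IP literals ==";   find_ip_literals "$POC_DIR"
echo "== encoded exec ==";         find_encoded_exec "$POC_DIR"
echo "== native binaries ==";      find_binaries "$POC_DIR"
```

Point the three functions at a real checkout directory instead of $POC_DIR to triage a PoC before running it; a hit is a reason to read the file and check the address against a reputation service, not a verdict.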
