
Showing results for tags 'charlie osborne'.


Found 6 results

  1. Adobe says the vulnerability is being used in attacks targeting Adobe Commerce users. Adobe has released an emergency patch to tackle a critical bug that is being exploited in the wild. On February 13, the tech giant said that the vulnerability impacts Adobe Commerce and Magento Open Source, and according to the firm's threat data, the security flaw is being weaponized "in very limited attacks targeting Adobe Commerce merchants." Tracked as CVE-2022-24086, the vulnerability has been issued a CVSS severity score of 9.8 out of 10, the maximum severity rating possible. The vulnerability is an improper input validation issue, described by the Common Weakness Enumeration (CWE) category system as a bug that occurs when a "product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly." CVE-2022-24086 does not require any administrator privileges to trigger. Adobe says the critical, pre-auth bug can be exploited in order to execute arbitrary code. As the vulnerability is severe enough to warrant an emergency patch, the company has not released any technical details, which gives customers time to accept fixes and mitigates further risks of exploit. The bug impacts Adobe Commerce (2.3.3-p1-2.3.7-p2) and Magento Open Source (2.4.0-2.4.3-p1), as well as earlier versions. Adobe's patches can be downloaded and manually applied here. Earlier this month, Adobe issued security updates for products including Premiere Rush, Illustrator, and Creative Cloud. The patch round tackled vulnerabilities leading to arbitrary code execution, denial-of-service (DoS), and privilege escalation, among other issues. Last week, Apple released a fix in iOS 15.3.1 to squash a vulnerability in Apple's Safari browser that could be exploited for arbitrary code execution. In February's Patch Tuesday, Microsoft resolved 48 vulnerabilities including one publicly-known zero-day security flaw. 
Via zdnet.com
  2. Researchers find that lax ICS security is putting critical services at risk of exploitation. The "abysmal" state of security for industrial control systems (ICSs) is putting critical services at serious risk, new research finds. You only need to look at the chaos caused by a ransomware attack launched against Colonial Pipeline this year -- leading to panic buying and fuel shortages across part of the US -- to see what real-world disruption cyber incidents can trigger, and their consequences can go far beyond the damage one company has to repair. It was only last month that the Port of Houston fended off a cyberattack and there is no reason to believe cyberattacks on operational technology (OT) won't continue -- or, perhaps, become more common. On Friday, CloudSEK published a new report exploring ICSs and their security posture in light of recent cyberattacks against industrial, utility, and manufacturing targets. The research focuses on ICSs available through the internet. Some of the most common issues allowing initial access cited in the report include weak or default credentials, outdated or unpatched software vulnerable to bug exploitation, credential leaks caused by third parties, shadow IT, and the leak of source code. After conducting web scans for vulnerable ICSs, the team says that "hundreds" of vulnerable endpoints were found. CloudSEK highlighted four cases that the company says represent the current issues surrounding industrial and critical service cybersecurity today:
     • An Indian water supply management company: Software accessible with default manufacturer credentials allowed the team to access the water supply management platform. Attackers could have tampered with water supply calibration, stopped water treatments, and manipulated the chemical composition of water supplies.
     • The Indian government: Sets of mail server credentials belonging to the Indian government were found on GitHub.
     • A gas transport company: This critical service provider's web server, responsible for managing and monitoring gas transport trucks, was vulnerable to an SQL injection attack and administrator credentials were available in plaintext.
     • Central view: The team also found hardcoded credentials belonging to the Indian government on a web server supporting monitors for CCTV footage across different services and states in the country.
     The US Cybersecurity and Infrastructure Security Agency (CISA) was informed of CloudSEK's findings, as well as associated international agencies.
Via zdnet.com
  3. Ireland's health services are still recovering from a ransomware attack, but hackers shouldn't expect their demands to be met. Rapid7 has disclosed the compromise of customer data and partial source code due to the Codecov supply chain attack. On Thursday, the cybersecurity firm said it was one of the victims of the incident, in which an attacker obtained access to the Codecov Bash uploader script. The cyberattack against Codecov took place on or around January 31, 2021, and was made public on April 15. The organization, which provides code coverage and testing tools, said that a threat actor tampered with the Bash uploader script, thereby compromising the Codecov-actions uploader for GitHub, Codecov CircleCI Orb, and the Codecov Bitrise Step. This enabled attackers to export data contained in user continuous integration (CI) environments. Hundreds of clients were potentially impacted, and now, Rapid7 has confirmed that the company was one of them. Rapid7 says the Bash uploader was used in a limited fashion as it was only set up on a single CI server used to test and build tooling internally for the Managed Detection and Response (MDR) service. As such, the attacker was kept away from product code, but they were able to access a "small subset of source code repositories" for MDR, internal credentials -- all of which have now been rotated -- and alert-related data for some MDR customers. Rapid7 has reached out to customers impacted by the data breach. The company pulled in cyberforensics assistance and following an investigation, has concluded that no other corporate systems or production environments were compromised. Codecov has since removed the unauthorized actor from its systems and is setting up monitoring and auditing tools to try and prevent another supply chain attack from occurring in the future. Impacted customers were notified via email addresses on record and through the Codecov app. Codecov recommends that users of the Bash uploaders between January 31, 2021, and April 1, 2021, who did not perform a checksum validation should re-roll their credentials out of caution.
Via zdnet.com
  4. The researchers who discovered the bug have earned themselves $200,000. A zero-day vulnerability in Zoom which can be used to launch remote code execution (RCE) attacks has been disclosed by researchers. Pwn2Own, organized by the Zero Day Initiative, is a contest for white-hat cybersecurity professionals and teams to compete in the discovery of bugs in popular software and services. The latest competition included 23 entries, competing in different categories including web browsers, virtualization software, servers, enterprise communication, and local escalation of privilege. For successful entrants, the financial rewards can be high -- and in this case, Daan Keuper and Thijs Alkemade earned themselves $200,000 for their Zoom discovery. The researchers from Computest demonstrated a three-bug attack chain that caused an RCE on a target machine, and all without any form of user interaction. As Zoom has not yet had time to patch the critical security issue, the specific technical details of the vulnerability are being kept under wraps. However, an animation of the attack in action demonstrates how an attacker was able to open the calculator program of a machine running Zoom following its exploit. As noted by Malwarebytes, the attack works on both Windows and Mac versions of Zoom, but it has not -- yet -- been tested on iOS or Android. The browser version of the videoconferencing software is not impacted. In a statement to Tom's Guide, Zoom thanked the Computest researchers and said the company was "working to mitigate this issue with respect to Zoom Chat." In-session Zoom Meetings and Zoom Video Webinars are not affected. Vendors have a 90-day window, which is standard practice in vulnerability disclosure programs, to resolve the security issues found. End-users just need to wait for a patch to be issued -- but if worried, they can use the browser version in the meantime. Other successful attacks of note during the contest include:
     • Apple Safari: Jack Dates, kernel-level code execution, $100,000
     • Microsoft Exchange: DEVCORE, complete server takeover, $200,000
     • Microsoft Teams: OV, code execution, $200,000
     • Ubuntu Desktop: Ryota Shiga, standard user to root, $30,000
Via zdnet.com
  5. Free Bitcoin? Don’t believe it. Those of us riding the Bitcoin (BTC) wave have watched interest in the cryptocurrency rise especially as the price of a single coin has now reached over $37,000. Bitcoin, Ethereum (ETH), and now Dogecoin (DOGE) -- thanks to a few tweets by Elon Musk -- have all come onto the radar of would-be traders, but as with every investment, scam artists are seeking means to cash in. Cryptocurrency is certainly not immune to scams or other threats. Cryptocurrency exchanges hit with cyberattacks can end up losing trader funds; exit scams still occur, and regulators are constantly battling fraud. We're unlikely to see any end of crypto-related scams anytime soon, and in a new warning posted by Kaspersky, a new scheme is now targeting users of Discord. Discord is a messaging and voice chat service that caters to an estimated 300 million users, having branched out from a gamer-heavy community to general use for clubs and for friends to stay in touch. According to Kaspersky researcher Mikhail Sytnik, scam artists are now entering Discord servers and are sending private messages to users that appear to be from new, up-and-coming cryptocurrency exchanges. As new projects and ones that want to "support traders in difficult times," these 'exchanges' try to attract users with promises of free cryptocurrency. And, of course, the recipient is the lucky one chosen for free BTC or ETH. Naturally, such a scam doesn't attempt to attract users with a paltry offering; instead, thousands of dollars' worth of cryptocurrency is being awarded. Lucky you. Each message contains instructions and a code for accepting the "gift," Kaspersky notes, as well as a link to register on the fake exchange. As cryptocurrency wallets are now a top target for threat actors, the websites will also offer "two-factor authentication" and "phishing protection" options to try and appear legitimate. Victims going through the registration process are then lured to provide a substantial personal profile, including contact details, photo ID, a selfie, and a signature. While these checks are now common on legitimate cryptocurrency trading posts, this information can be packaged up and sold to other cybercriminals, or could potentially be used in identity theft. In the final step of this particular scheme, once the prize 'code' is submitted and accepted, the scammers require a small "top-up" in either BTC, ETH, or USD to process the gift. Should a victim hand over their cash, of course, it's gone for good. Fake exchanges are only one attack vector used by scam artists in the cryptocurrency sector -- Initial Coin Offerings (ICOs), too, are constantly abused. In January, a resident of San Francisco was jailed for six months after defrauding investors of cryptocurrency worth an estimated $20 million by pretending to be an ICO consultant. He has been ordered to pay $4.4 million in restitution.
Via zdnet.com
  6. Kobalos’ codebase is tiny, but its impact is not. A small but complex malware variant is targeting supercomputers worldwide. Reverse engineered by ESET and described in a blog post on Tuesday, the malware has been traced back to attacks against supercomputers used by a large Asian Internet Service Provider (ISP), a US endpoint security vendor, and a number of privately-held servers, among other targets. The cybersecurity team has named the malware Kobalos in deference to the kobalos, a small creature in Greek mythology believed to cause mischief. Kobalos is unusual for a number of reasons. The malware's codebase is tiny but is sophisticated enough to impact at least Linux, BSD, and Solaris operating systems. ESET suspects it may possibly be compatible with attacks against AIX and Microsoft Windows machines, too. While working with the CERN Computer Security Team, ESET realized the "unique, multiplatform" malware was targeting high performance computer (HPC) clusters. In some cases of infection, it appears that 'sidekick' malware hijacks SSH server connections to steal credentials that are then used to obtain access to HPC clusters and deploy Kobalos. Kobalos is, in essence, a backdoor. Once the malware has landed on a supercomputer, the code buries itself in an OpenSSH server executable and will trigger the backdoor if a call is made through a specific TCP source port. Other variants act as middlemen for traditional command-and-control (C2) server connections. Kobalos grants its operators remote access to file systems, allows them to spawn terminal sessions, and also acts as connection points to other servers infected with the malware. ESET says that a unique facet of Kobalos is its ability to turn any compromised server into a C2 through a single command. The malware was a challenge to analyze as all of its code is held in a "single function that recursively calls itself to perform subtasks," ESET says, adding that all strings are encrypted as a further barrier to reverse engineering. As of now, more research needs to be conducted into the malware -- and who may be responsible for its development.
Via zdnet.com