Last Week in Infosec

24 June to 1 July 2022

No week goes by with something new to report on in the infosec world. Let’s take a look at some of the more noteworthy infosec activities that happened this week.

News on Vulnerabilities & Attacks

Users Push for Updates after Splunk Patches Critical Flaws

Splunk, a company that provides data monitoring and search services, has fixed a code execution vulnerability in its Splunk Enterprise deployment server and has reportedly promised to back-port the fix to prior versions after users pushed for updates to legacy releases. [1]

Because of a critical vulnerability, CVE-2022-32158, versions prior to 9.0 allow clients to use the deployment server to push forwarder bundles to other clients.

An attacker who gained access to or compromised a single Universal Forwarder (UF) in the environment could therefore take control of every other UF endpoint in the company.

Nick Heudecker, senior director of market strategy and competitive intelligence at Cribl, told The Daily Swig that the vulnerability is significant because Splunk users frequently deploy thousands or tens of thousands of UFs throughout their infrastructure.

UnRAR Vulnerability used in Zimbra Hacks

Thanks to a path traversal vulnerability in UnRAR, unauthenticated attackers can escalate privileges and execute arbitrary commands as a Zimbra user. [2]

The path traversal vulnerability in the Unix versions of UnRAR has been assigned the identifier CVE-2022-30333 and a Common Vulnerability Scoring System (CVSS) base score of 7.5.

To put things in perspective, over 200,000 enterprises, government agencies, and financial institutions use Zimbra as their email solution. The fact that emails were taken from individual user accounts using a 0-day vulnerability demonstrates the value of a hacked email account to an attacker and the catastrophic effects such vulnerabilities can have on an organization: passwords might be changed, classified documents could be taken, and someone could pose as you to compromise more of the organization's accounts.

This flaw follows a common pattern: user input is modified after it has been validated, so the security check can be bypassed.
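The ordering pattern described here, as an added example that is not UnRAR's code: a flawed helper checks an archive entry name for traversal and only then rewrites its separators, while the hardened version normalizes first and validates the final path. The destination root and entry names are constructed.

```python
"""Validate-then-transform vs. transform-then-validate (constructed example)."""
import posixpath
from pathlib import PurePosixPath


def flawed_target_path(dest_root: str, entry_name: str) -> str:
    """Flawed order: validate the raw entry name, then rewrite it."""
    # The check only understands '/' separators, so a backslash-style name
    # passes, and the conversion that follows turns it into a traversal.
    if entry_name.startswith("/") or ".." in entry_name.split("/"):
        raise ValueError("rejected: traversal in entry name")
    converted = entry_name.replace("\\", "/")  # input modified after the check
    return str(PurePosixPath(dest_root) / converted)


def hardened_target_path(dest_root: str, entry_name: str) -> str:
    """Correct order: rewrite first, then validate the collapsed final path."""
    # Absolute names are treated as relative to the root (like tar stripping
    # a leading '/'); any '..' that would climb above the root is rejected.
    converted = entry_name.replace("\\", "/")
    kept = []
    for part in PurePosixPath(converted).parts:
        if part in ("/", "."):
            continue
        if part == "..":
            if not kept:
                raise ValueError("rejected: escapes destination root")
            kept.pop()
        else:
            kept.append(part)
    return str(PurePosixPath(dest_root).joinpath(*kept))


def escapes_root(dest_root: str, target: str) -> bool:
    """True if the lexically collapsed target lies outside dest_root."""
    root = posixpath.normpath(dest_root)
    final = posixpath.normpath(target)
    return not (final == root or final.startswith(root + "/"))


if __name__ == "__main__":
    ROOT, NAME = "/var/extract", "..\\..\\etc\\passwd"  # constructed inputs
    weak = flawed_target_path(ROOT, NAME)
    print(weak, "escapes root:", escapes_root(ROOT, weak))
    try:
        hardened_target_path(ROOT, NAME)
    except ValueError as exc:
        print("hardened:", exc)
```

The same ordering applies to any normalization step (decoding, case folding, separator conversion): whatever transforms the input must run before the check that decides whether it is safe.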

Potential Brocade Vulnerabilities in multiple Storage Solutions

Brocade, a networking solutions company, has announced that they have discovered 9 vulnerabilities in their SANnav management application. [3]

Six of the vulnerabilities affect third-party components such as Oracle Java, OpenSSL, or NGINX and can allow attackers to manipulate data, decrypt data, or cause a denial of service condition.

The remaining security flaws (CVE-2022-28167, CVE-2022-28168, and CVE-2022-28166) were found internally, and there is no proof that they have been exploited in the wild. However, these flaws may impact the storage solutions of several businesses that work with Brocade, such as HPE, NetApp, Dell, Fujitsu, Huawei, IBM, and Lenovo.

An attacker exploiting them could gain access to sensitive data or even to the device itself. Brocade has released patches, but it is unclear how many devices are affected.

News Related to Threat Actors & Campaigns

Nine accused members of phishing gang arrested

Nine accused members of a successful phishing gang who allegedly gained 100 million hryvnias ($3.4 million) by luring locals with the promise of financial support from the EU were recently detained by Ukrainian “cyber-police.” [4] To solve the case, cyber specialists collaborated with agents from the Pechersk Police Department and experts from the National Bank of Ukraine (NBU). The nine people detained are suspected of creating and running over 400 phishing websites that asked users to enter their bank account and credit card information to apply for EU social welfare payments.

Once the group had the information, it used it to take over the victims’ accounts and move their money. The NBU claims that over 5,000 victims were duped in this manner, netting the scammers millions of dollars. During the arrests, the police also seized illegally earned money, bank cards, mobile phones, and computer equipment.

👩‍🎓 A good security awareness training program will teach your employees how to spot phishing emails and websites and how to respond if they still fall victim to an attack. It's essential to keep your employees up-to-date on the latest phishing threats and regularly test their knowledge with quizzes and simulations. LastBreach can train your employees and verify their readiness. 

Other News Related to Business, Politics, and Culture

OpenSea email addresses leaked to third-party vendor

OpenSea, the world’s largest non-fungible token (NFT) marketplace, has discovered that a disgruntled employee at a third-party vendor shared the email addresses of its users with an unauthorized outside party. [5]

OpenSea’s head of security, Cory Hardman, cautioned users on June 29th: “If you have shared your email with OpenSea in the past, you should presume you were impacted.” According to OpenSea, the vendor in question is an automated messaging platform used by marketers to compose and deliver emails, push alerts, and SMS messages.

A Major Hack has Exposed $100 Million in Crypto

The latest significant theft in the decentralized finance industry saw hackers stealing $100 million in cryptocurrencies from the blockchain bridge Horizon. [6]

Horizon lets users transfer tokens from the Ethereum network to Binance Smart Chain. According to Harmony, the project that operates the bridge, a separate bridge for bitcoin was unaffected by the hack.

The theft adds to a recent flood of negative headlines about cryptocurrency. After experiencing a severe liquidity shortage due to a significant decline in the value of their assets, cryptocurrency lenders Celsius and Babel Finance froze withdrawals. Three Arrows Capital, a troubled cryptocurrency hedge fund, may be on the verge of defaulting on a $660 million debt to brokerage house Voyager Digital.

That’s it for our summary on infosec stories that made headlines this week. Be sure to stay up to date on the latest news and continue to take precautions to protect your data.

Did we miss any important news last week? Write us on Twitter @HashtagSecurity 🙋‍♂️

Weekly Infosec News Summary

Let’s examine the most recent cyber events from different parts of the world.

Vulnerabilities & Attacks News

Critical PHP vulnerability opens QNAP NAS devices to remote attacks

This week in infosec news, a critical PHP vulnerability was discovered that exposes QNAP NAS devices to remote attacks. [1] A vulnerability in the web server component of a device’s firmware could allow an attacker to gain control of the device and access sensitive data.

Customers are advised to update their QTS or QuTS hero operating systems and not to expose the devices directly to the internet.

Additionally, QNAP has recommended that customers contact QNAP Support for help if they cannot identify the ransom letter after updating the firmware and entering the obtained DeadBolt decryption key.

This shows once again why it is important to regularly test your infrastructure for security issues. Luckily, it just so happens that you’re reading a blog post by the people who can help you. Check out our website for more information on our penetration tests and vulnerability assessments. 😉

Russia exploits Microsoft Follina vulnerability against Ukraine

This week’s story comes from Ukraine, where Russian hackers have used the Follina flaw to access sensitive information. [2]

The Follina vulnerability, disclosed a few months back, affects all versions of Microsoft Windows and can be exploited remotely. [3] This means that hackers can gain access to a system without prior knowledge of or access to the target network. In the case of the Ukrainian attacks, the hackers used the Follina flaw to deploy a backdoor called Poison Ivy, which allowed them to gain access to sensitive data.

These attacks underscore the need for organizations to patch their systems as soon as possible and implement robust security measures.

Vulnerability in Citrix ADM allows admin passwords to be reset

Recently, a critical Citrix ADM vulnerability was discovered that creates a means to reset admin passwords. 

Due to an improper access control vulnerability (CVE-2022-27511), a remote, unauthenticated user could crash a system via a denial-of-service (DoS) exploit and then have the admin credentials reset on the next reboot.

The vulnerability could be exploited to force the “reset of the administrator password at the next device reboot, allowing an attacker with SSH [Secure Shell] access to connect with the default administrator credentials after the device has rebooted,” according to a Citrix advisory published last week. [4]

The vulnerability, which is present in the Citrix Application Delivery Controller and Gateway appliance, can be exploited by an unauthenticated attacker to gain administrative access to the appliance. While the patch for this vulnerability has been available for several weeks, it is unclear how many appliances are still vulnerable.

News Related to Threat Actors & Campaigns

Chinese hackers are distributing SMS bomber tools with malware inside

Chinese hackers are distributing an SMS bomber tool with malware hidden inside. The tool, designed to send many text messages to a specific phone number, includes a backdoor that allows the attacker to execute commands remotely on the victim’s device. The malware has been spreading via a phishing campaign that targets Android users in China. Once installed, the malware collects information about the victim’s device and sends it to a remote server. [5]

Insights into Magecart’s infrastructure reveal that the campaign is vast

Infosec researchers have discovered new Magecart infrastructure that reveals the scale of ongoing Magecart campaigns. [6] This infrastructure consists of several servers that store stolen credit card data. The servers are located in different parts of the world, suggesting that the people behind Magecart use a distributed network to avoid detection. This underlines how important it is for companies to be vigilant against Magecart attacks, and it shows how cybercriminals use increasingly sophisticated methods to steal sensitive information.

Other News Related to Business, Politics, and Culture

Cyberattacks on Ukraine highlighted by Microsoft

On Wednesday, Microsoft announced it had uncovered new evidence of Russian state-sponsored attacks on Ukrainian entities. Despite the news, tensions between Ukraine and Russia continue to rise, with the two countries locked in a conflict over the breakaway region of Crimea. In a blog post, Microsoft’s Threat Intelligence Center said it had discovered a group of hackers known as Strontium targeting government agencies, political parties, and media organizations in Ukraine. The group has also been linked to previous attacks on the Ukrainian power grid and the NotPetya malware outbreak. [8] Microsoft did not name any specific targets of the latest attacks but said they were “consistent with the group’s longstanding interest in Ukrainian affairs.”

Earlier this week, Ukrainian security officials said they had uncovered a plot to disrupt the country’s financial system and critical infrastructure. 

Scammer steals Microsoft credentials with voicemail scam

Recent scams target Microsoft users to steal their credentials. [9] The scam starts with a voicemail purporting to come from Microsoft and stating that there has been a problem with the recipient’s account. The message then instructs the user to call a phone number to resolve the issue. However, the phone number belongs to a scammer who tries to trick the user into revealing their login information. There have been many scams targeting Microsoft users recently, so it’s essential to be vigilant when dealing with unsolicited calls or messages. If you suspect that you may have been a victim of this scam, be sure to change your password and enable two-factor authentication on your account as soon as possible.

Five European countries use Pegasus spyware, NSO confirms

The NSO Group has long been known for selling its spyware to government organizations worldwide. Now, new information has surfaced that suggests at least five European countries have used Pegasus spyware to target opponents and journalists. The software, designed to infect phones and collect data, was first used by the UAE to target human rights activists. It was then acquired by Mexico, where it was used to target journalists investigating corruption. [10]

This new information confirms what many infosec experts have long suspected: that governments worldwide are using NSO Group’s spyware to violate human rights.

We are witnessing an increase in cybercrime as we move further into the digital age. Every week, it seems like there’s a new story of some major data breach or cyber attack making headlines. This week was no different, and the items above are just a few of the major infosec stories from the past seven days. Next week, we’ll get back to you with another updated news summary, so be sure to add this blog to your watch list.