Hacker Public Radio

HPR4081: The Oh No! News.



The Oh No! news.
Oh No! News is Good News.
TAGS: Oh No News, Threat analysis, QNAP
Threat analysis; your attack surface.
Source: QNAP warns of critical auth bypass flaw in its NAS devices.
The Taiwanese Network Attached Storage (NAS) device maker disclosed three
vulnerabilities that can lead to an authentication bypass, command
injection, and SQL injection.
CVE-2024-21899: If exploited, the improper authentication
vulnerability could allow users to compromise the security of the system
via a network.
CVE-2024-21900: If exploited, the injection vulnerability could
allow authenticated users to execute commands via a network.
CVE-2024-21901: If exploited, the SQL injection vulnerability could
allow authenticated administrators to inject malicious code via a
network.
The flaws impact various versions of QNAP's operating systems,
including QTS 5.1.x, QTS 4.5.x, QuTS hero h5.1.x, QuTS hero h4.5.x,
QuTScloud c5.x, and the myQNAPcloud 1.0.x service.
Source: Switzerland: Play ransomware leaked 65,000 government documents.
In a new statement published today, the Swiss government confirmed that
65,000 government documents were leaked in the breach.
Supporting Source: Hacker attack on Xplain: National Cyber Security
Centre publishes data analysis report.
Relevance of the published data volume.
The data package published on the darknet comprised around 1.3
million files. Once the data had been downloaded, the NCSC took the lead
in systematically categorising and triaging all documents relevant to
the Federal Administration. The results showed that the volume of data
relevant to the Federal Administration comprised around 65,000
documents, or approximately 5% of the total published data set. The
majority of these files belonged to Xplain (47,413) with a share of over
70%; around 14% (9,040) belonged to the Federal Administration. Around
95% of the Federal Administration’s files belonged to the administrative
units of the Federal Department of Justice and Police (FDJP): the
Federal Office of Justice, Federal Office of Police, State Secretariat
for Migration and the internal IT service centre ISC-FDJP. With just
over 3% of the data, the Federal Department of Defence, Civil Protection
and Sport (DDPS) is slightly affected and the other departments are only
marginally affected in terms of volume.
Proportion of sensitive data.
Sensitive content such as personal data, technical information,
classified information and passwords was found in around half of the
Federal Administration's files (5,182). Personal data such as names,
email addresses, telephone numbers and postal addresses were found in
4,779 of these files. In addition, 278 files contained technical
information such as documentation on IT systems, software requirement
documents or architec