A daily look at the relevant information security news from overnight - 29 July, 2022

Episode 276 - 29 July 2022

Kimsuky Stealing Emails- https://www.bleepingcomputer.com/news/security/cyberspies-use-google-chrome-extension-to-steal-emails-undetected/

NPM Cards Discord -
https://www.infosecurity-magazine.com/news/malicious-npm-packages-steal/

Trojan Play Store Apps -
https://thehackernews.com/2022/07/over-dozen-android-apps-on-google-play.html

Phishing Countdown- https://www.zdnet.com/article/this-phishing-attack-uses-a-countdown-clock-to-panic-you-into-handing-over-passwords/

IP Camera Hack -
https://thehackernews.com/2022/07/dahua-ip-camera-vulnerability-could-let.html

Hi, I’m Paul Torgersen. It’s Friday July 29th, 2022 and this is a look at the information security news from overnight.

From BleepingComputer.com:
A North Korean-backed threat group tracked as Kimsuky is using a malicious browser extension to steal emails from Google Chrome or Microsoft Edge users reading their webmail. The malware, called SHARPEXT supports Chrome, Edge and Whale browsers and can steal mail from Gmail and AOL accounts. Details in the article.

From InfoSecurity-Magazine.com:

Researchers have discovered a supply chain attack using malicious npm packages, this time targeting Discord users. The purpose of the campaign, named LofyLife, appears to be to steal Discord tokens and users’ credit card data. Kaspersky said it identified four suspicious packages which feature obfuscated Python and JavaScript code. Details and a link to the write up inside.

From TheHackerNews.com:
Another 17 so-called productivity apps have been uncovered and removed from the Google Play store. The apps did perform some basic tasks they advertise, but they were also dropping in malicious apps like Octo, Hydra, Ermac, and TeaBot. See the full list of affected apps in the article and make sure you delete those puppies.

From ZDNet.com:
A new phishing attack has taken a page out of the ransomware playbook by using a countdown clock to pressure victims into entering their username and password. At the end of the countdown they would be permanently locked out of whatever account is being targeted. Obviously nothing actually changes when the countdown reaches zero, but for some less sophisticated users, this could be very compelling.

And last, from TheHackerNews.com:
A security vulnerability in Dahua's Open Network Video Interface Forum standard implementation (ONVIF), can lead to a threat actor seizing control of IP cameras. ONVIF governs an open standard for how IP-based physical security products communicate with one another in a vendor-agnostic manner. I’m sure you can understand how some nation-state bad guys would be very interested in tapping into live video feeds. Get your patch on kids.

That’s all for me. Have a great weekend. If you like this podcast, please spread the word, and until next time, be safe out there.

A daily look at the relevant information security news from overnight - 28 July, 2022

Episode 275 - 28 July 2022

NetStandard Knocked Offline- https://www.bleepingcomputer.com/news/security/kansas-msp-shuts-down-cloud-services-to-fend-off-cyberattack/

Moxa NPort Flaws -
https://www.securityweek.com/moxa-nport-device-flaws-can-expose-critical-infrastructure-disruptive-attacks

Post Macro Tactics -
https://www.infosecurity-magazine.com/news/hackers-change-tactics-for-new/

Naughty Knotweed- https://thehackernews.com/2022/07/microsoft-uncover-austrian-company.html

Twitter Data Sale -
https://www.infosecurity-magazine.com/news/criminal-twitter-users-data/

Hi, I’m Paul Torgersen. It’s Thursday July 28th, 2022 and this is a look at the information security news from overnight.

From BleepingComputer.com:
Managed service provider NetStandard suffered a cyberattack causing the company to shut down its MyAppsAnywhere cloud services. The company said Hosted GP, Hosted CRM, Hosted Exchange, and Hosted Sharepoint will be offline until further notice, but that no other services were impacted. That being said, their main website remains down as well. No word on threat actor or malware involved, but it is assumed to be a ransomware hit.

From SecurityWeek.com:
Two high severity flaws have been found in the NPort 5110 device servers from Moxa. The vulnerabilities can be exploited remotely to cause the targeted device to enter a denial of service condition. The only way to regain control of the device is to physically power it down, which might present a challenge as many of these devices are in very remote locations. These things are designed to connect to Ethernet networks and should not be exposed to the internet. However, a Shodan search found at least 5,300 of them that are. Now some of these may be honeypots, but they’re not ALL honeypots. Customers should contact Moxa for a security patch.

From InfoSecurity-Magazine.com:
Since Microsoft announced they would disable macros by default, the use of macro-enabled attachments by threat actors decreased by around 66% between October 2021 and June 2022. Awesome. But, where there’s a will there's a way. In that same timeframe, the number of malicious campaigns using container file formats jumped up 176%. These formats include ISO, RAR, ZIP and IMG files that contain macro-enabled docs. Now the ISO and RAR formats will still have the Mark of the Web, meaning they originated from the internet and their macros would be blocked, but the files within them would not. Link to the ProofPoint research in the article.

From TheHackerNews.com:
A threat actor tracked as Knotweed, used several Windows and Adobe zero-day exploits in highly-targeted attacks against targets in Europe and Central America. They are actually an Austrian outfit called DSIRF that supposedly sells general security and information analysis services to commercial customers. As a side gig, they created a cyberweapon called Subzero, which can hack phones, computers, and internet-connected devices. Talk about vertical integration.

And last, from InfoSecurity-Magazine.com:
A user named devil is selling a database of 5.4 million Twitter users' information on the Breached Forums site....

A daily look at the relevant information security news from overnight - 27 July, 2022

Episode 274 - 27 July 2022

WordFly Breach- https://www.securityweek.com/mailing-list-provider-wordfly-scrambling-recover-following-ransomware-attack

Now IIS See You -
https://www.bleepingcomputer.com/news/microsoft/microsoft-exchange-servers-increasingly-hacked-with-iis-backdoors/

Messaging Threats -
https://threatpost.com/messaging-apps-cybercriminals/180303/

Robin Banks Phishing Service- https://www.bleepingcomputer.com/news/security/new-robin-banks-phishing-service-targets-bofa-citi-and-wells-fargo/

No Knock Nuki -
https://www.securityweek.com/nuki-smart-lock-vulnerabilities-allow-hackers-open-doors

Hi, I’m Paul Torgersen. It’s Wednesday July 27th, 2022 and this is a look at the information security news from overnight.

From SecurityWeek.com:
Mailing list provider WordFly has been offline for more than two weeks after a ransomware attack encrypted data on some of its systems. The attack hit on July 10, and the company hasn’t been able to restore service since. The company confirms data was exfiltrated, but believes it was subsequently deleted. They expect to be down at least another few days before they get systems operational again. No word on the malware or threat actor.

From BleepingComputer.com:
Attackers are increasingly using Internet Information Services, IIS, web server extensions to backdoor unpatched Exchange servers. Being installed in the exact location and using the same structure as legitimate modules, they provide attackers' with a perfect and durable persistence mechanism. Details and a link to the Microsoft report in the article.

From ThreatPost.com:
Threat actors are tapping the multi-feature nature of messaging apps such as Telegram and Discord as a foundation in persistent campaigns that threaten users. Intel 471 identified three key ways in which threat actors are leveraging the apps: storing stolen data, hosting malware payloads, and using bots that perform the dirty work. Details and a link inside.

From BleepingComputer.com:
A new phishing as a service platform has shown up with the name Robin Banks. As you may have guessed, it offers ready-made phishing kits targeting the customers of well-known banks. Companies like Citibank, Bank of America, Capital One, Wells Fargo, etc. Oh, they also offer templates to steal Microsoft, Google, Netflix, and T-Mobile accounts. Pricing from $50 to $200 a month.

And last, from SecurityWeek.com:
Security researchers have documented 11 vulnerabilities impacting Nuki smart lock products, you may not be able to see my air quotes. Nuki Smart Lock and Nuki Bridge, allow users to unlock their doors with their smartphones by simply walking in range. Brilliant. Exploiting the found vulnerabilities could result in a fully compromised device, including the ability to open and close the door without the owner even noticing. After being notified of the flaws in April, Nuki has issued patches this month.

That’s all for me today. Have a great rest of your day. Like and subscribe, and until tomorrow, be safe out there.

A daily look at the relevant information security news from overnight - 26 July, 2022

Episode 273 - 26 July 2022

Grails RCE Vuln- https://portswigger.net/daily-swig/critical-security-vulnerability-in-grails-could-lead-to-remote-code-execution

PrestaShop Skimmer -
https://thehackernews.com/2022/07/hackers-exploit-prestashop-zero-day-to.html

LinkedIn Phishing for Admins -
https://www.bleepingcomputer.com/news/security/linkedin-phishing-target-employees-managing-facebook-ad-accounts/

PolicyBazaar Breached- https://www.infosecurity-magazine.com/news/indian-insurance-policybazaar/

FileWave Crit Flaws -
https://thehackernews.com/2022/07/critical-filewave-mdm-flaws-open.html

Hi, I’m Paul Torgersen. It’s Tuesday July 26th, 2022 and from Denver, this is a look at the information security news from overnight.

From PortSwigger.net:
A critical vulnerability within a Grails application runtime could allow an attacker to gain remote code execution. The attack exploits a section of the Grails data-binding logic, and has been confirmed on Grails framework versions 3.3.10 and higher, including Grails framework 4 and 5, that are running on Java 8. It has been observed in both the embedded Tomcat runtime and applications deployed as a Web Archive to a Tomcat instance. The company urges all users, even those using unaffected versions, to update as soon as possible.

From TheHackerNews.com:
Threat actors are exploiting a previously unknown security flaw in the open source PrestaShop e-commerce platform to inject malicious skimmer code. PrestaShop is the leading open-source e-commerce solution in Europe and Latin America, used by nearly 300,000 online merchants worldwide. The company said they found a zero-day flaw in its service that has been addressed in version 1.7.8.7, although they are not sure that was the only flaw vulnerable to the attack.

From BleepingComputer.com:
A new spear phishing campaign named Ducktail is targeting professionals on LinkedIn to take over Facebook business accounts. The threat actors are specifically targeting people who have admin privileges on their employer’s social media accounts. Fingers point to a Vietnamese threat actor that has been active since at least 2021 and maybe back as far as 2018.

From Infosecurity-Magazine.com:
Indian insurance company Policybazaar has advised that it suffered a data breach, confirming an unauthorized access to their systems on July 19. The company has found and fixed the exploited vulnerability and claims that no significant customer data was exposed.

And last, from TheHackerNews.com:
FileWave's mobile device management system has been found vulnerable to two critical security flaws that could be leveraged to carry out remote attacks and seize control of a fleet of devices connected to it. The two flaws relate to an authentication bypass, and the use of a hard-coded cryptographic key. There are more than 1,100 internet-facing FileWave servers that are vulnerable to the attack. Get your patch on kids.

That’s all for me today. Have a great rest of your day. Like and subscribe, and until tomorrow, be safe out there.

A daily look at the relevant information security news from overnight - 25 July, 2022

Episode 272 - 25 July 2022

Entrust Breached- https://www.bleepingcomputer.com/news/security/digital-security-giant-entrust-breached-by-ransomware-gang/

UEFI Rootkit -
https://thehackernews.com/2022/07/experts-uncover-new-cosmicstrand-uefi.html

Urgent SonicWall Patch -
https://www.securityweek.com/sonicwall-warns-critical-gms-sql-injection-vulnerability

Cisco Nexus Patches Three- https://portswigger.net/daily-swig/cisco-patches-dangerous-bug-trio-in-nexus-dashboard

Racoon Gets Buff -
https://thehackernews.com/2022/07/racoon-stealer-is-back-how-to-protect.html

Hi, I’m Paul Torgersen. It’s Monday July 25th, 2022, this is a look at the information security news from overnight.

From BleepingComputer.com:
Identity and access management company Entrust has confirmed that it was the victim of a cyberattack. Threat actors were able to breach their network and steal data from internal systems. The company says they have found no indication that the breach has impacted their operation or their products and services. No word on malware strain or threat actor involved. More to come I’m sure.

From TheHackerNews.com:
An unknown Chinese-speaking threat actor has been attributed with a new kind of UEFI firmware rootkit called CosmicStrand. The rootkit is located in the firmware images of Gigabyte or ASUS motherboards, and are related to designs using the H81 chipset. Victims identified so far are just individuals in China, Vietnam, Iran and Russia, with no discernable ties to business or government agencies. A link to the Kaspersky research in the article.

From SecurityWeek.com:
SonicWall has issued urgent patches for a critical flaw in its Global Management System software, warning that the issue exposes businesses to remote attacks. The 9.4 severity flaw provides a pathway for a remote attacker to execute arbitrary SQL queries in the database. The vulnerability exists due to insufficient sanitization of user-supplied data.

From PortSwigger.net:
Serious vulnerabilities in Cisco Nexus Dashboard give attackers a viable path to executing arbitrary commands as root, uploading container image files, or performing cross-site request forgery attacks. Cisco has issued patches for the three bugs, one of them carrying a 9.8 severity rating. The company said it was not aware of any of these bugs being exploited in-the-wild. Get your patch on kids.

And last, from TheHackerNews.com:
The new and vastly improved version of Raccoon Stealer has hit the scene. Not only can it steal browser passwords, cookies, and auto-fill data, it can now also steal credit card numbers, cryptocurrency and crypto wallets, harvest file data, drop files onto the system, list apps installed on the machine, and take screenshots. Fortunately, just like with the real world rodents, basic precautions should keep the varmint at bay: beware of spoofed messages and don’t click any links you didn’t know were specifically coming.

That’s all for me today. Have a great rest of your day. Like and subscribe, and until tomorrow, be safe out there.

A daily look at the relevant information security news from overnight - 22 July, 2022

Episode 271 - 22 July 2022

Drupal Updates- https://www.securityweek.com/code-execution-and-other-vulnerabilities-patched-drupal

Zyxel Firewall Patches -
https://portswigger.net/daily-swig/zyxel-firewall-vulnerabilities-left-business-networks-open-to-abuse

PayPal Double Spear Phishing -
https://www.infosecurity-magazine.com/news/paypal-used-send-malicious-double/

Okta Too Open- https://threatpost.com/risks-okta-sso/180249/

Candiru’s DevilsTongue -
https://www.bleepingcomputer.com/news/security/chrome-zero-day-used-to-infect-journalists-with-candiru-spyware/

Hi, I’m Paul Torgersen. It’s Friday July 22nd, 2022, and from Victoria one last time, this is a look at the information security news from overnight.

From SecurityWeek.com:
Drupal has released patches for four vulnerabilities. The most critical flaw affects Drupal 9.3 and 9.4. and it can lead to arbitrary PHP code execution on Apache web servers. The other three vulnerabilities also impact the Drupal core and can lead to cross-site scripting attacks, information disclosure, or access bypass. Get your patch on kids.

From PortSwigger.net:
Zyxel has released patches for several of its firewall products following the discovery of two security vulnerabilities that left business networks open to exploitation. One is an authenticated directory traversal vulnerability in the Common Gateway Interface, and the other is a local privilege escalation vulnerability that was identified in the command-line interface. You should update to the latest versions as soon as you can.

From Infosecurity-Magazine.com:
Threat actors are using PayPal to send out phishing invoices. PayPal domains are usually “allow-listed” by organizations’ email filters, so cyber-criminals are registering accounts and composing malicious invoices on the platform. Many are spoofing Norton products, but substituting their own information for payments. They even have someone answering the included Customer Service number to continue the charade to extract dollars from their victims.

From ThreatPost.com:
Four newly discovered attack paths in the products for IAM vendor Okta could lead to PII exposure, account takeover, or even organizational data destruction. Note that the researchers call these “attack paths” and not vulnerabilities. Okta says this is a non issue and all you need to do is tweak up your security profile a little, which is beyond what they offer as their default settings. You can see the details in the article.

And last, from BleepingComputer.com:
The Israeli spyware vendor Candiru was found using a Google Chrome zero day to spy on journalists and other high-interest individuals in the Middle East with their 'DevilsTongue' spyware. Threat researchers from Avast, who discovered the vulnerability and reported it to Google, revealed that they unearthed the flaw after investigating spyware attacks on their clients. The vuln was patched on July 4. Details and a link to the research in the article.

That’s all for me today. Have a great rest of your day. Like and subscribe, and until next next time, be safe out there.

A daily look at the relevant information security news from overnight - 21 July, 2022

Episode 270 - 21 July 2022

Patched Atlassian- https://www.bleepingcomputer.com/news/security/atlassian-fixes-critical-confluence-hardcoded-credentials-flaw/

Linux Hit by Lightning -
https://thehackernews.com/2022/07/new-linux-malware-framework-let.html

Renewed Redeemer -
https://www.bleepingcomputer.com/news/security/new-redeemer-ransomware-version-promoted-on-hacker-forums/

Apple Pushed Update- https://www.securityweek.com/apple-ships-urgent-security-patches-macos-ios

Neopets Nabbed -
https://www.bleepingcomputer.com/news/security/neopets-data-breach-exposes-personal-data-of-69-million-members/

Hi, I’m Paul Torgersen. It’s Thursday July 21st, 2022, and from Victoria, this is a look at the information security news from overnight.

From BleepingComputer.com:
Atlassian has patched a critical hardcoded credentials vulnerability in Confluence Server and Data Center that could let remote, unauthenticated attackers log into vulnerable servers. The hardcoded password is added after installing the Questions for Confluence app, for an account with the username disabledsystemuser. It was designed to help admins with the migration of data from the app to the Confluence Cloud.

From TheHackerNews.com:
A never-before-seen malware called Lightning Framework targets Linux machines to install rootkits. The malware has been dubbed a "Swiss Army Knife" and is equipped with a plethora of features, making it one of the most intricate frameworks developed for targeting Linux systems. Details and a link to the research report in the article.

From BleepingComputer.com:
A threat actor is promoting a new version of their free-to-use Redeemer ransomware builder on hacker forums. According to its author, the 2.0 release was written entirely in C++ and works on Windows Vista, 7, 8, 10, and 11. This offers unskilled threat actors an easy entry to the world of encryption-backed extortion attacks. All they pay is 20% of any ransom they manage to collect.

From SecurityWeek.com:
Apple's security response team has pushed out software fixes for at least 39 vulnerabilities impacting macOS Catalina, iOS and iPadOS platforms. The patches provide updates for numerous memory safety flaws, some serious enough to expose users to remote code execution attacks. Apple is urging users to update straight away. Get your patch on kids.

And last today, from BleepingComputer.com:
Neopets has suffered a data breach leading to the theft of source code as well as a database containing the personal information of over 69 million members. A hacker known as 'TarTarX' began selling the source code and database for four bitcoins, about $94,000 at current prices. He did not confirm his attack vector, but it appears he still has active access to the database.

That’s all for me today. Have a great rest of your day. Like and subscribe, and until next tomorrow, be safe out there.

A daily look at the relevant information security news from overnight - 20 July, 2022

Episode 269 - 20 July 2022

Knauf Knocked Out- https://www.bleepingcomputer.com/news/security/building-materials-giant-knauf-hit-by-black-basta-ransomware-gang/

Rusty Luna -
https://thehackernews.com/2022/07/new-rust-based-ransomware-family.html

GPS Over-Tracking -
https://www.zdnet.com/article/flaws-in-a-popular-gps-tracker-could-allow-hackers-to-track-or-stop-vehicles-say-security-researchers/

Oracle Patchfest- https://www.securityweek.com/oracle-releases-349-new-security-patches-july-2022-cpu

Magicart Skim -
https://docs.google.com/document/d/1Kse6lMi7hJEg1wDnVS_ZEND2pZOEMT4a9We3erCPsXE/edit

Hi, I’m Paul Torgersen. It’s Wednesday July 20th, 2022, and from Victoria, this is a look at the information security news from overnight.

From BleepingComputer.com:
The Knauf Group, a large Germany based building materials company, has announced it has been the target of a cyberattack that has disrupted its business operations. Their global IT team has shut down all systems to isolate the incident. Knauf has not confirmed it is a ransomware attack, but the Black Basta group has claimed responsibility for the attack on their extortion site. So far they claim to have released about 20% of the information they stole, which indicates they are likely still hopeful to receive a ransom from the victim.

From TheHackerNews.com:
Researchers have disclosed a brand-new ransomware family written in Rust, that Kaspersky Labs has named Luna. The ransomware is fairly simple and appears to be in its early development. It is designed to be used by Russian speaking threat actors, and can run on Windows, Linux, and ESXi systems.

From ZDNet.com:
Critical security vulnerabilities in the MiCODUS MV720 vehicle GPS tracker could be used to remotely track, stop or even take control of vehicles in which it is installed. These devices are popular with large companies and government entities, with approximately 1.5 million of them currently in use in 169 countries. Researchers at BitSight, who found the flaws, say these devices should not be used until patches are available. No word from MiCODUS on when that might be.

From SecurityWeek.com:
Oracle’s quarterly Critical Patch Update has a total of 349 new security patches, including 230 for vulnerabilities that can be exploited by remote, unauthenticated attackers. 64 of the vulnerabilities are rated critical, with four of those scoring a ten out of ten. Financial Services Applications received the largest number of fixes, followed by Oracle Communications, then Fusion Middleware. Get your patch on kids.

And last today, from ThreatPost.com:
A Magecart campaign has been skimming payment-card credentials from customers using three online restaurant-ordering systems. The attack has affected over 300 restaurants and compromised at least 50,000 cards so far, which have already been offered up for sale on the dark web. The platforms impacted are MenuDrive, Harbortouch, and InTouchPOS.

That’s all for me today. Have a great rest of your day. Like and subscribe, and until next tomorrow, be safe out there.

A daily look at the relevant information security news from overnight - 19 July, 2022

Episode 268 - 19 July 2022

Mac is Back-Doored- https://www.bleepingcomputer.com/news/security/elastix-voip-systems-hacked-in-massive-campaign-to-install-php-web-shells/

Fake Crypto Apps -
https://www.zdnet.com/article/fbi-these-fake-apps-are-trying-to-steal-your-crypto-heres-what-to-watch-out-for/

FlipKart Breach -
https://techcrunch.com/2022/07/18/cleartrip-data-breach-dark-web/

SATAn Air Gapped Attack- https://thehackernews.com/2022/07/new-air-gap-attack-uses-sata-cable-as.html

Russians Hiding on the Cloud -
https://www.bleepingcomputer.com/news/security/russian-svr-hackers-use-google-drive-dropbox-to-evade-detection/

Hi, I’m Paul Torgersen. It’s Tuesday July 19th, 2022, and from Port Angeles, this is a look at the information security news from overnight.

From BleepingComputer.com:
Unknown threat actors are using a previously undetected malware to backdoor macOS devices and exfiltrate information. ESET researchers named the malware CloudMensis because it uses pCloud, Yandex Disk, and Dropbox public cloud storage services for C2 communications. It is not known yet how the malware is distributed. Details in the article.

From ZDNet.com:
The FBI has warned that criminal groups are creating fraudulent apps that mimic real financial services brands that have so far duped investors into parting with $42.7 million over the past six months. Many of these are mimicking cryptocurrency services as there continue to be a flood of new players in the space and some ambiguity around crypto investing. Details and links to the advisory in the article.

From TechCrunch.com:
Cleartrip, a popular travel-booking platform in India, has confirmed a data breach after hackers claimed to post the stolen data on the dark web. Exact details of the stolen data are not yet known, however analysis of the screenshots posted make it appear that significant amounts of data were accessed, including forward looking information, which may indicate an insider was involved.

From TheHackerNews.com:
Researchers have developed a new method to steal data from an air gapped machine using the Serial ATA cable. Dubbed SATAn, the attack uses the SATA cable as a covert channel to emanate electromagnetic signals and transfer information to a nearby receiver just over a meter away. Fortunately, this technique does require physical access to the machine initially, which obviously makes it much more difficult. On the other hand, Stuxnet required physical access as well, so you never know.

And last today, from BleepingComputer.com:
State-backed Russian hackers have started using legitimate Google Drive cloud storage services to evade detection. It is akin to hiding in plain sight by getting lost in the crowd. Google cloud storage is ubiquitous and pretty much universally trusted. Russian threat actors are abusing that trust to render their attacks exceedingly difficult, if not impossible, to detect and block.

That’s all for me. Have a great rest of your day. Like and subscribe, and until next time, be safe out there.

A daily look at the relevant information security news from overnight - 18 July, 2022

Episode 267 - 18 July 2022

Elastix VoIP Attack- https://www.bleepingcomputer.com/news/security/elastix-voip-systems-hacked-in-massive-campaign-to-install-php-web-shells/

Botnet Targeting ICS -
https://thehackernews.com/2022/07/hackers-distributing-password-cracking.html

Play Store Purge -
https://threatpost.com/google-boots-malware-marketplace/180241/

Juniper Patches- https://www.securityweek.com/juniper-networks-patches-over-200-third-party-component-vulnerabilities

Blitz.JS Polluted -
https://portswigger.net/daily-swig/prototype-pollution-in-blitz-js-leads-to-remote-code-execution

Hi, I’m Paul Torgersen. It’s Monday July 18th, 2022, and from Port Angeles, this is a look at the information security news from overnight.

From BleepingComputer.com:
Threat analysts have uncovered a large-scale campaign targeting Elastix VoIP telephony servers with more than 500,000 malware samples over a period of about three months. The attackers are likely exploiting CVE-2021-45461, a remote code execution vulnerability with a 9.8 severity. The goal is to plant a PHP web shell that could run arbitrary commands on the compromised communications server. Details in the article.

From TheHackerNews.com:
Industrial engineers and operators are the target of a new campaign that leverages password cracking software to seize control of Programmable Logic Controllers and co-opt the machines to a botnet. Attackers are exploiting a vulnerability in the firmware which allows it to retrieve the password on command. They then drop the Sality malware and turn the host into a peer in Sality's peer-to-peer botnet. More details inside.

From ThreatPost.com:
Google has removed eight apps from its Play store that were propagating a new variant of the Joker spyware. Unfortunately those apps had already accounted for a total of over 3 million downloads. Those apps are: Vlog Star Video Editor, Creative 3D Launcher, Wow Beauty Camera, Gif Emoji Keyboard, (yes I said gif not jif) Freeglow Camera, Coco Camera, Funny Camera, and Razer Keyboard & Theme.

From SecurityWeek.com:
Juniper Networks has published 21 security advisories to inform customers about patches for more than 200 vulnerabilities. Six of those advisories impact their own products, including Junos OS, Junos Space, Contrail Networking, and Northstar Controller products. The rest were vulnerabilities affecting third-party components such as Nginx, OpenSSL, Samba, Java SE, SQLite and Linux. Details in the article.

And last today, from PortSwigger.net:
Blitz.js, a JavaScript web application framework, has patched a dangerous prototype pollution vulnerability that could lead to remote code execution on Node.js servers. The bug allows attackers to manipulate the code in the Blitz.js app to create a reverse shell and run arbitrary commands on the server. You can find all the dirty details in the article.

That’s all for me. Have a great rest of your day. Like and subscribe, and until next time, be safe out there.