CVSS system criticized for failure to address real-world impact
An analysis, put together by security tools vendor JFrog, involved assessing the popular Common Vulnerability Scoring System (CVSS), an open industry standard framework for assessing the severity of security problems. JFrog’s analysis, which focused on assessing the impact of security bugs in open source software, concluded that public CVSS impact metrics may be oversimplifying the risk posed by vulnerabilities because they lack context, among other factors.
JFrog says that many NVD security ratings were “undeserved” as they were not as simple to exploit as reported. Furthermore, many of the analyzed vulnerabilities required complex configuration environments or particular conditions for a successful attack. JFrog also observed that 10 of the most prevalent vulnerabilities in 2022 impacting the enterprise tended to have low severity ratings and so are regarded as a lower priority for enterprise IT teams and open source project maintainers, so remediation work is either delayed or (worse) entirely disregarded.
FBI Cracks Down on Genesis Market: 119 Arrested in Cybercrime Operation
A coordinated worldwide law enforcement investigation has brought to an end Genesis Market, a dubious online market that specialized in the sale of credentials for social media, bank accounts, and email addresses that had been stolen.
The massive crackdown, which comprised officials from 17 countries and coincided with the infrastructure seizure, resulted in 119 arrests and 208 property searches in 13 countries. The market’s .onion mirror, however, seems to be still operational.
Operation Cookie Monster is the codename given to the “unprecedented” law enforcement operation.
Since its launch in March 2018, Genesis Market has developed into a significant nexus for criminal activity, providing access to information taken from more than 1.5 million compromised systems worldwide, totaling more than 80 million credentials.
https://thehackernews.com/2023/04/fbi-cracks-down-on-genesis-market-119.html
HTTP/S DDoS Attacks Soar 487% in Three Years
The volume of application-layer distributed denial of service (DDoS) attacks targeting HTTP and HTTPS websites grew by triple digits between 2019 and 2022. Netscout claimed the US national security sector experienced a massive 16,815% increase in attacks from Killnet hacktivists. The vendor also pointed to a notable 18% increase in direct-path attacks over the past three years, corresponding to a drop in reflection/amplification attacks of about the same percentage. Peak DDoS alert traffic in a single day reached as high as 436 petabits and more than 75 trillion packets – another indication of the scale of the modern DDoS threat.
https://www.infosecurity-magazine.com/news/https-ddos-attacks-soar-487-in/
https://www.bleepingcomputer.com/news/apple/apple-fixes-two-zero-days-exploited-to-hack-iphones-and-macs/
Apple fixes two zero-days exploited to hack iPhones and Macs (bleepingcomputer.com)
In summary, the article is about Apple having two new zero-day vulnerabilities that have been exploited in attacks to compromise iPhones, Macs, and iPads. They have released emergency security updates. The first flaw is an out-of-bounds write that could lead to corruption of data. The second weakness allows data corruption when reusing freed memory, which “can be exploited by tricking the targets into loading malicious web pages under attackers’ control, which could lead to code execution on compromised systems”. Zero-day bugs have been abused by government-sponsored threat actors. The zero-day threats addressed above were most likely only used in highly targeted attacks, but Apple recommends installing the emergency updates as soon as possible to block attempts and attacks.
Google Mandates Data Deletion Policy For Android Apps
https://www.infosecurity-magazine.com/news/google-mandates-data-deletion/
According to the executive, even though Google Play’s data safety section already enables developers to highlight data deletion alternatives, the firm wants to give customers a more convenient and standardized way to request them.
According to the new policy, when developers comply with a request to delete an account, they also need to remove the related data.
Users who do not want to delete their entire account can utilize the feature to only erase specific data types, such as photographs, videos, or histories.
Outeye made it clear that developers would have to declare their data retention policies if they needed to keep certain data on hand for a legitimate reason (such as security, fraud prevention, or regulatory compliance).
https://www.securityweek.com/apple-ships-urgent-ios-patch-for-newly-exploited-zero-days/
Apple had an urgent iOS patch for a memory corruption issue that allows the attacker to execute arbitrary code with kernel privileges. Another vulnerability allows an attacker to execute arbitrary code with system privileges. It was reported to Apple by an anonymous researcher. It is unclear who is behind the attack, but Apple told users to update their devices as soon as possible to avoid being a victim.
Are Source Code Leaks the New Threat Software vendors Should Care About?
The article I have chosen to highlight this week speaks to the criticality surrounding source code leaks. The article highlights Twitter specifically, stating “less than a month ago, Twitter indirectly acknowledged that some of its source code had been leaked on the code-sharing platform GitHub by sending a copyright infringement notice to take down the incriminated repository.”
Other organizations have had source code leaked, including Okta and LastPass at the tail end of 2022.
https://thehackernews.com/2023/04/are-source-code-leaks-new-threat.html
Splunk Inc. in collaboration with Enterprise Strategy Group recently released the State of Security 2023, an annual global research report that examines the security issues facing the modern enterprise.
It found that Indian organizations are well-resourced but are scrambling to keep up, and that downtime can cost organizations approximately $365,000 per hour, among many other findings.
I find the article challenging and interesting at the same time because they claim “bad actors are going unnoticed on corporate networks for extended periods of time” with an average period of two months between the time of the attack and when appropriate parties are aware of it.
References
https://www.cxotoday.com/press-release/state-of-security-2023-report-reveals-increase-in-data-breaches-and-outages-due-to-cybersecurity-incidents/
The Philadelphia Orchestra and Kimmel Center websites were attacked on Friday 13th February 2023. The websites were down after the cyberattack, and this crippled ticket sales.
I find the article interesting because arts venues like the Kimmel Center, which also holds Broadway shows and the Philadelphia Ballet, are ripe targets for ransomware gangs eager to hold hostage critical systems like ticketing.
The Metropolitan Opera in New York faced a similar situation in December, when a cyberattack shut down its website and box office. The attack came at a particularly inopportune time, costing the popular opera house about $200,000 in sales each day during the busy holiday season.
There is no sector of the economy that is immune to cyber-attack; efforts should be made to secure system architecture and infrastructure.
https://therecord.media/philadelphia-orchestra-kimmel-center-websites-down-after-cyberattack-cripples-ticket-sales
MSI confirms security breach following ransomware attack claims
https://www.bleepingcomputer.com/news/security/msi-confirms-security-breach-following-ransomware-attack-claims/
MSI, a computer hardware company, suffered a security breach as a result of a ransomware attack. The attackers claimed to have stolen confidential data, including source code, schematics, and confidential documents. MSI published a statement on Friday warning customers to ensure that they get their BIOS and firmware updates from official sources. “MSI urges users to obtain firmware/BIOS updates only from its official website, and not to use files from sources other than the official website.”
According to chats seen by BleepingComputer between the Money Message ransomware gang and an MSI representative, the threat actors demanded a ransom payment of $4,000,000 based on a claim that they’ve stolen roughly 1.5TB worth of documents from MSI’s network.
https://www.securityweek.com/microsoft-puts-chatgpt-to-work-on-automating-cybersecurity/
This article talks about Microsoft’s new AI-powered security tool, Microsoft Security Copilot. This tool uses the GPT-4 engine and Microsoft’s massive datasets to create a tool that allows security teams to work with the tool to gain faster insight into events and discover threat activity faster and more confidently. The tool can also be used to assess organizations for vulnerabilities by leveraging the machine model to evaluate assets at machine speed and correlate and summarize data rapidly. The tool is intended to work in conjunction with other Microsoft security tools such as Defender and Intune.
Microsoft 365 administrators can filter client access to Exchange Online based on a variety of factors using Client Access Rules (CARs) that contain priority values, exceptions, actions, and conditions. These factors include the IP address and authentication type of the client, as well as the protocol, application, or service they use to establish a connection. Once configured, they can help control access to Exchange Online resources within an organization. Microsoft announced on April 8 that the CARs deprecation in Exchange Online will be delayed for one year until September 2024. In an earlier announcement in September 2022, the company said that the old Exchange Online access rules would be phased out by September 2023. Subsequent attempts by the company to disable the CARs cmdlet failed to find a more secure alternative, resulting in a phase-out delay.
https://techcommunity.microsoft.com/t5/exchange-team-blog/update-deprecation-of-client-access-rules-in-exchange-online/ba-p/3790165
The Rise of CCTV Hacks in an Evolving Cyber-Threat Landscape
Cheap, simple closed-circuit television cameras designed for home use do not have the same protective features as surveillance cameras used in government facilities. Home CCTV cameras are more likely to be compromised by hackers and lead to information leakage. A big part of why CCTV hacking is such a threat is that the Internet of Things, or cloud-connected devices, provide multiple entry points. The network security of CCTV (and all devices associated with it) must avoid internal vulnerabilities and weaknesses while integrating active network security defenses from the hardware level down to the external layer to build robust defenses. In addition, users should always update their smart home security systems with the latest software and firmware updates.
https://www.infosecurity-magazine.com/opinions/rise-cctv-hacks-cyber-threat/
Uber discloses breach, dozens of drivers affected
Uber Technologies has disclosed another breach. Social Security numbers (SSNs) of 131 Uber drivers have been compromised. According to the Massachusetts Office of Consumer Affairs and Business Regulation, Uber Technologies reported the breach on March 31. It said 131 residents of Massachusetts were affected, and their SSNs were compromised. The detailed breach report is not available on the official website. However, judging from the letter circulating on the internet, it seems that Uber drivers’ data was stolen from the law firm Genova Burns.
According to the letter, Genova Burns said an authorized third party “gained access to our systems, and certain limited files were accessed or exfiltrated between January 23, 2023, and January 31, 2023.” Drivers’ names, SSNs, and/or tax identification numbers were among the impacted data.
https://cybernews.com/security/uber-discloses-breach/
ChatGPT launched a bug bounty program offering up to $20,000 for advance notice of security vulnerabilities. The point of the program is for OpenAI to patch account takeover vulnerabilities in ChatGPT that were being exploited in the wild. The company is specifically looking for security defects in the ChatGPT chatbot, including ChatGPT Plus, logins, subscriptions, OpenAI-created plugins and third-party plugins. Some examples of the types of vendors which would qualify in this category include Google Workspace, Asana, Trello, Jira, Monday.com, Zendesk, Salesforce and Stripe, the company said. The company also patched severe vulnerabilities in late March that could have allowed attackers to take over user accounts and view chat histories.
https://www.securityweek.com/chatgpt-creator-openai-ready-to-pay-hackers-via-new-bug-bounty-program/
QueueJumper: Critical unauthenticated RCE Vulnerability in MSMQ service:
Three flaws in the “Microsoft Message Queuing” service, often known as MSMQ, were recently found by Check Point Research. Microsoft was informed of these vulnerabilities, and a fix was released on April 2nd. The most serious of them, named QueueJumper by CPR (CVE-2023-21554), is a significant vulnerability that could allow unauthenticated attackers to potentially execute arbitrary code in the context of the Windows service process mqsvc.exe.
After the patch was applied, Check Point Research (CPR) published this blog to inform readers about this serious vulnerability and to offer tips for Windows users on how to defend themselves against it. To give people enough time to fix their computers before exposing the technical information in public, we will provide the complete technical information later this month.
https://research.checkpoint.com/2023/queuejumper-critical-unauthorized-rce-vulnerability-in-msmq-service/
ChatGPT, an artificial intelligence (AI) chatbot, has been causing quite a stir since its November 2022 launch due to the software’s surprisingly human and accurate responses.
Only two months after its launch, the auto-generative system had reached a record-breaking 100 million monthly active users. While its popularity grows, the current debate in the cybersecurity industry is whether this type of technology will help to make the internet safer or play right into the hands of those looking to cause chaos.
https://venturebeat.com/security/chatgpt-may-hinder-the-cybersecurity-industry/