| title | date | draft | logo |
|---|---|---|---|
Dec 26, 2022 |
2022-12-26 14:55:08 +0545 |
false |
images/infosec/default.png |
{{< toc >}}
Multiple vulnerabilities have been discovered in the password management software Passwordstate that could allow an unauthenticated hacker to access users' plaintext passwords or gain greater privileges within the application. The vulnerabilities were reported by Swiss cybersecurity firm modzero AG and could potentially be used by an attacker to exfiltrate passwords from the system, overwrite stored passwords within the database, or even gain shell access to the host system. Passwordstate, which is developed by Australian company Click Studios and has over 29,000 customers, is widely used by IT professionals. One of the vulnerabilities also affects the Chrome browser extension for Passwordstate. A newer version of the extension, released on September 7, 2022, is available to address this issue. Multiple vulnerabilities in password management software Passwordstate could allow an attacker with a valid username to access users' plaintext passwords, overwrite passwords within the database, or achieve remote code execution. It is important for users to ensure they are using the latest version of the software and to follow good password security practices. Passwordstate suffered a supply chain attack in April 2021 that allowed hackers to install a backdoor on customers' machines. It is important to use secure software and protect against these types of attacks.
Passwordstate Enterprise password manager
https://thehackernews.com/2022/12/critical-security-flaw-reported-in.html
To protect against vulnerabilities and threats, users of Passwordstate's password management software should update to version 9.6 or later.
- CVE-2022-3875
- CVE-2022-3876
- CVE-2022-3877
In their recent attacks targeting a variety of industries, the Vice Society ransomware actors have switched to yet another custom ransomware payload. "This ransomware variant, dubbed 'PolyVice,' employs a strong encryption scheme based on the NTRUEncrypt and ChaCha20-Poly1305 algorithms. Unlike other ransomware gangs, the cybercrime actor does not use in-house developed file-encrypting malware. Instead, it is known to use third-party lockers in their attacks, such as Hello Kitty, Zeppelin, and RedAlert ransomware.it has also been observed that the threat actor used call back phishing to trick victim into installing remote desktop software for initial access.
Windows Operating System
https://thehackernews.com/2022/12/vice-society-ransomware-attackers-adopt.html
Employee must be aware of phishing emails and email security must be implemented.
Researchers have discovered two security vulnerabilities in the open-source blogging platform Ghost. One of the vulnerabilities, known as CVE-2022-41654, is an authentication bypass issue that allows unprivileged users to make unauthorized changes to newsletter settings. The other vulnerability, known as CVE-2022-41697, is an enumeration issue in the login functionality that could lead to the disclosure of sensitive information. Ghost has released updates to address these vulnerabilities, but users running certain versions of the platform are required to update their software to protect against these flaws. Ghost is used on over 52,600 websites, primarily in the US, UK, Germany, China, France, Canada, and India.
JavaScript-based blogging platform.
https://thehackernews.com/2022/12/two-new-security-flaws-reported-in.html
Update to version 4.48.8 for versions 4.46.0 to 4.48.7, and update to version 5.22.7 for any version of v5 up to and including 5.22.6
- CVE-2022-41654
- CVE-2022-41697
Threat actors associated with the Play ransomware strain are using a neverbefore-seen exploit chain to overcome blocking policies for ProxyNotShell weaknesses in Microsoft Exchange Server in order to gain remote code execution (RCE) via Outlook Web Access (OWA). "The new exploit approach circumvents URL rewriting mitigations for the Autodiscover endpoint,"CrowdStrike researchers Brian Pitchford, Erik Iker, and Nicolas Zilio said in a technical report published on Tuesday.Play ransomware, which initially appeared in June 2022, was found to use many of the same strategies as other ransomware families like as Hive and Nokoyawa, the latter of which was updated to Rust in September 2022. Investigations of various Play ransomware incursions by the cybersecurity firm revealed that initial access to the target environments was gained through the OWA endpoint rather than directly abusing CVE-2022-41040.The approach, dubbed OWASSRF, most likely exploits another serious hole recorded as CVE-2022-41080 (CVSS score: 8.8) to obtain privilege escalation, followed by exploiting CVE-2022-41082 for remote code execution. According to CrowdStrike, the adversary was able to drop legitimate Plink and AnyDesk executables to retain permanent access, as well as take efforts to cleanse Windows Event Logs on compromised servers to mask the malicious activity.Microsoft patched all three vulnerabilities as part of their Patch Tuesday upgrades for November 2022.It's uncertain whether CVE-2022-41080, like CVE-2022-41040 and CVE-2022-41082, was actively exploited as a zero-day.
Microsoft Exchange Server
https://thehackernews.com/2022/12/ransomware-hackers-using-new-way-to.html
Install the latest patches as soon as possible.
The Zerobot DDoS botnet has received updates that allow it to target more internet-connected devices and expand its network. The malware, called DEV1061 by Microsoft Threat Intelligence Center (MSTIC), spreads through vulnerabilities in web applications and IoT devices such as firewalls, routers, and cameras. The latest version of Zerobot also includes the ability to exploit vulnerabilities in Apache and Apache Spark, and new DDoS attack capabilities. The Zerobot DDoS botnet, also known as ZeroStresser, is being offered as a DDoS-for-hire service to other criminal actors and is being advertised for sale on various social media networks. Microsoft has found that the latest version of Zerobot targets unpatched and improperly secured devices, and also attempts to brute-force over SSH and Telnet on ports 23 and 2323 to spread to other hosts. Zerobot was among the 48 domains seized by the U.S. Federal Bureau of Investigation (FBI) this month for offering DDoS attack services to paying customers. The Zerobot DDoS botnet, also known as ZeroStresser, is a malware-as-a-service offered to other criminal actors that self-propagates to more susceptible systems and spreads by compromising devices with known vulnerabilities. Zerobot 1.1 includes seven new DDoS attack methods using protocols such as UDP, ICMP, and TCP, and is being sold on social media networks. Zerobot was among the domains seized by the U.S. Federal Bureau of Investigation (FBI) for offering DDoS attack services to paying customers.
Internet connected devices like firewalls, routers, and cameras.
https://thehackernews.com/2022/12/zerobot-botnet-emerges-as-growing.html
Keep all software and devices up to date with the latest patches and updates.
- CVE-2021-42013
- CVE-2022-33891