The package jpeg-js before 0.4.4 are vulnerable to Denial of Service (DoS) where a particular piece of input will cause to enter an infinite loop and never return.




Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

*   **snyk-id**
    
    SNYK-JS-JPEGJS-2859218
    
*   **published**
    
    7 Jun 2022
    
*   **disclosed**
    
    6 Jun 2022
    
*   **credit**
    
    Sohom Datta
    

**How to fix?**

Upgrade jpeg-js to version 0.4.4 or higher.

**Overview**

Affected versions of this package are vulnerable to Denial of Service (DoS) where a particular piece of input will cause to enter an infinite loop and never return.

**PoC**

1.  Create a npm workspace npm init
2.  Install the jpeg-js library
3.  Create a JS file with the following code: \`\`\`js const jpeg = require('jpeg-js');

let buf = Buffer.from( 'ffd8ffc1f151d800ff51d800ffdaffde', 'hex' ); jpeg.decode( buf );

\`\`\` 4) Run the file and observe that the code never stops running

**Details**

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

*   High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.
    
*   Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

CVE-2022-25851: Denial of Service (DoS) in jpeg-js | CVE-2022-25851 | Snyk

A Linux-based banking Trojan is a master at staying under the radar.

A stealthy Linux threat called Symbiote is targeting financial institutions in Latin America, with all file, processes, and network artifacts hidden by the malware, making it virtually invisible to detection by live forensics.

The malware was first uncovered in November, according to a blog post by BlackBerry Research. What sets Symbiote apart from other Linux malware is its approach to infecting running processes, rather than using a stand-alone executable file to inflict damage.

It then harvests credentials to provide remote access for the threat actor, exfiltrating credentials as well as storing them locally.

"It operates as a rootkit and hides its presence on the machine. Once it has infected the machine fully, it allows you to see only what it wants you to see," Joakim Kennedy, security researcher at Intezer and author of the BlackBerry blog post, explains. "Essentially, you can't trust what the machine is telling you."

However, it can be detected externally, he says, since it exfiltrates stolen credentials via the DNS requests.

Kennedy says the domain names the malware uses impersonate big banks in Brazil, which also helps it stay under the radar.

"While we couldn't tell based on only what we found, attackers targeting financial institutions are often motivated by potential monetary gain," he says.

**Shared Object Library**

Nicole Hoffman, senior cyber threat intelligence analyst at Digital Shadows, points out that unlike most malware variants, the Symbiote malware is a shared object library, instead of an executable file.

Symbiote uses the LD\_PRELOAD variable that allows it to be pre-loaded by applications before other shared object libraries.

"This is a sophisticated and evasive technique that can help the malware blend in with legitimate running processes and applications, which is one of the reasons Symbiote is difficult to detect," she says.

The malware also has Berkeley Packet Filter (BPF) hooking functionality. Packet capture tools intercept, or capture, network traffic typically for the purposes of an investigation.

BPF is a tool embedded within several Linux operating systems that allows users to filter out certain packets depending on the type of investigation they are performing, which can reduce the overall results, making analysis easier.

"The Symbiote malware is designed to essentially filter its traffic out of the packet capture results," Hoffman explains. "This is just another layer of stealth used by the attackers to cover their tracks and fly under the radar."

Kennedy adds that this is the first time the BPF hooking functionality has been observed operating in this way, and points out that other malware variants have typically used BPF to receive commands from their command-and-control server.

"This malware instead uses this method to hide network activity," he says. "It's an active measure used by the malware to prevent being detected if someone investigates the infected machine — like covering up its footsteps so it's harder to track down.”

**Easier to Attack?**

Mike Parkin, senior technical engineer at Vulcan Cyber, says there may be a perception on the attacker's part that the targets in Latin America have a less mature security infrastructure and would thus be easier to attack.

He explains that the attackers went out of their way to hide their malware from anything that's running on the infected system, leveraging BPF to hide their communications traffic.

"While this will work on the local host, other network-monitoring tools will be able to identify the hostile traffic and the infected source," he says.

He explains that there are several endpoint tools available that should identify changes on a victim system.

"There are also forensic techniques that can use the malware's own behavior against it to reveal its presence," he notes. "The authors who created Symbiote went to great lengths hide their malware. They leveraged a combination of techniques, though in so doing delivered some indicators of compromise that defenders could use to identify an infection in-situ."

Kennedy says that the most important action is to focus on the techniques used by this malware to ensure that you can detect and/or protect against those, whether you're protecting against Symbiote or another attack that uses the same technique.

"I would say Symbiote, and other recently discovered undetected Linux malware, shows that operating systems other than Windows are not immune to highly evasive malware," he says. "Since it doesn’t get as much attention as Windows malware, we don't know what else is out there that hasn’t been discovered yet."

Symbiote Malware Poses Stealthy, Linux-Based Threat to Financial Industry

The House committee's televised hearings interrogate the Capitol attack with damning new evidence. Whether it's enough to prevent another one is uncertain.

It’s hard to tell which fact should shock us most out of the first, surprisingly compelling public hearing of the congressional committee investigating the insurrection at the US Capitol on January 6.

Jared Kushner brushing aside as mere “whining” the repeated resignation threats from White House counsel and its top lawyers in the face of Donald Trump’s ongoing push to overturn the election?

The fact that even as rioters surged through the Capitol and members of Congress fled in terror, Donald Trump, the president of the United States, never once spoke to any corner of the US government to ask for help—never once called the Justice Department, Homeland Security, or the Pentagon?

The committee’s allegations that members of Congress sought presidential pardons for their own roles in the January 6 events?  

Or the simple power of a brave police officer talking about our nation’s most sacred democratic space as a “war zone” and how—repeatedly injured by the rioters that the GOP has sought in the last 18 months to reframe as “normal tourists” engaged in “legitimate political discourse”—she slipped on others’ blood spread across the steps of the US Capitol? 

After months of behind-the-scenes investigation, wide-ranging subpoenas, witness depositions, document reviews, countless hours of reviewing video footage, and delicate internal political machinations, the public portion of the House’s January 6 select committee kicked off Thursday night with a two-hour blockbuster that immediately established the stakes of the work—the former president of the United States attempted nothing less than a coup to remain in power—and recentered its work as one of the most important political investigations in our lifetime.

Committee vice-chair Rep. Liz Cheney, a Wyoming Republican who has been excoriated by her own party for agreeing to participate in the investigation alongside Republican Rep. Adam Kinzinger of Illinois, provided a captivating introduction and overview of the events of January 6, 2021. She also highlighted what the committee will explore over the course of roughly a half-dozen hearings this month and immediately gave the lie to GOP dismissals of the investigation as nothing more than a political witch hunt.

The skillful—and politically courageous—presentation by Cheney, followed up by multiple video segments produced by the committee, highlights the coordination among armed, white nationalist militia groups like the Proud Boys and Oath Keepers, as well as the singular role Donald Trump played in stoking lies that the election had been stolen and then inviting his supporters to come to Washington on January 6 to protest—protests that quickly escalated into a brutal, violent assault on the Capitol that had lawmakers fleeing for their lives. One of the most powerful video clips showed staffers of Republican leader Kevin McCarthy—who has long downplayed the Capitol assault—evacuating their House offices in terror. Other clips showed the crowd chanting, “Hang Mike Pence” and insurrectionists screaming in the face of police to demand that they hand over House speaker Nancy Pelosi. Cheney closed her poised and pointed presentation with a warning to the hundreds of her GOP colleagues who have excused the events of 1/6: “There will come a day when Donald Trump is gone, but your dishonor will remain.”

Committee chair Rep. Bennie Thompson, Democrat of Mississippi, outlined how future hearings would focus on the particulars of the conspiracy and the careful construction of Trump’s knowing lies—committee members explained that they saw in Trump’s behavior a “sophisticated” seven-step plan for overturning the election—but Thursday’s hearing mostly focused on reminding Americans of the stakes involved. This was no ordinary political protest. This was no ordinary election loss. The actions of Donald Trump before, during, and after the January 6 Capitol assault instead marked an end to America’s 240-year tradition of peaceful transitions of presidential power.

Instead, Donald Trump embarked on a concerted effort to use the tools of the presidency and the US government to overturn the legitimate, authentic election results—even though his own staff told him, according to their depositions aired Thursday in the hearing, that “there was no there there.”

First Trump lied to the public. Then he tried to weaponize the Justice Department to back his lies. He pressured state election officials and legislators to embrace far-fetched legal theories and change their states’ election results. His team worked to invent and send to Washington invalid slates of electors, in the hopes that Congress would recognize them and allow him to overturn his loss. He summoned supporters and encouraged armed groups to join him in DC on January 6, promising in a tweet that it “will be wild.” Then he pressured Vice President Mike Pence to violate his constitutional oath and refuse to certify the valid election results ahead of January 6. And lastly, he seemingly refused to lift a finger—either to place a telephone call or send a tweet—to summon federal aid as the Capitol and legislative branch remained under violent assault for hours. Instead, according to the committee, only Vice President Pence—himself hiding at a secure loading dock inside the Capitol complex after being hastily evacuated from the Senate chamber above—contacted the military and ordered them to respond and secure the Capitol.

Taken together, it is the most audacious, calculated, and unconstitutional plot America has faced in its history—one that came far closer to success than anyone imagined.

Over the course of those two hours, the committee succeeded in reframing the national conversation and focused on the true horror of January 6. In doing so, it surely raised the pressure on the Justice Department, which is conducting a seemingly slow-moving parallel investigation that has seen hundreds of low-level indictments and charges against January 6 rioters—including the arrest just yesterday of a GOP gubernatorial candidate in Michigan—and a number of more serious “seditious conspiracy” indictments against Oath Keepers and Proud Boys leaders. Thus far, it has stopped short of penetrating Donald Trump’s motley collection of enablers, grifters, and hangers-on.

Despite the shocking clarity of the committee’s opening presentation, it remains uncertain at best whether it will be able to break through America’s political polarization and its increasingly separate-and-unequal media ecosystems. Fox News, alone among the major networks, refused to air the hearings live and instead allowed its host Tucker Carlson, who increasingly features openly white nationalist positions, to spew venom to his millions of prime-time viewers during an hour-long show, unusually uninterrupted by commercials.

In many ways, Fox’s decision to double down on Tucker Carlson’s lies Thursday night is unsurprising. The network’s decision in the weeks after the 2020 election—as Donald Trump built up the Big Lie and set the kindling for January 6—to embrace Trump’s lies and undermine the legitimacy of then-President-elect Joe Biden’s victory makes it all but an unindicted co-conspirator in the violence on Capitol Hill.

The challenge America now faces, heading into next week’s follow-up hearings, is that none of us know what part of Donald Trump’s story we’re living in—the beginning, the middle, or the end? The committee’s work ahead is to convince America to view January 6 as a turning point, not a warning that we will later say went ignored.

There’s a saying, after all, that there’s no such thing as an unsuccessful coup. An unsuccessful coup is just practice.

The January 6 Hearing Was a Warning

The commission argues that legislative action is needed to ensure a well-functioning market for AI systems that balances benefits and risks.

The European Commission (EC) is currently debating new rules and actions for trust and accountability in artificial intelligence (AI) technology through a legal framework called the EU AI Act. Its aim is to promote the development and uptake of AI while addressing potential risks some AI systems can pose to safety and fundamental rights.

While most AI systems will pose low to no risk, the EU says, some create dangers that must be addressed. For example, the opacity of many algorithms may create uncertainty and hamper effective enforcement of existing safety and rights laws.

The EC argues that legislative action is needed to ensure a well-functioning internal market for AI systems where both benefits and risks are adequately addressed.

"The EU AI Act aims to be a human centric legal-ethical framework that intends to safeguard and protect human rights and fundamental freedoms from violations of these rights and freedoms by algorithms and smart machines," says Mauritz Kop, Transatlantic Technology Law Forum Fellow at Stanford Law School and strategic intellectual property lawyer at AIRecht.

The right to know whether you are dealing with a human or a machine — which is becoming increasingly more difficult as AI becomes more sophisticated — is part of that vision, he explains.

Kop notes that AI is now mostly unregulated, except for a few sector-specific rules. The act aims to address the legal gaps and loopholes by introducing a product safety regime for AI.

"The risks are too high for nonbinding self-regulation by companies alone," he says.

**Effects on AI Innovation**

Kop admits that regulatory conformity and legal compliance will be a burden, especially for early AI startups developing high-risk AI systems. Empirical research that shows the GDPR – while preserving privacy and data protection and data security – had a negative effect on innovation, he notes.

Risk classification for AI is based on the intended purpose of the system, in line with existing EU product safety legislation. Classification depends on the function the AI system performs and on the specific purpose and modalities for which the system is used.

"The legal uncertainty surrounding \[regulation\] and the lack of budget to hire specialized lawyers or multidisciplinary teams still are significant barriers for a flourishing AI startup and scale-up ecosystem," Kop says. "The question remains whether the AI Act will improve or worsen the startup climate in the EU."

The EC will determine which AI gets classified as "high risk" using criteria that are still under debate, creating a list of examples of high-risk systems to help guide judgment.

"It will be a dynamic list that contains various types of AI applications used in certain high-risk industries, which means the rules get stricter for riskier AI in healthcare and defense than they are for AI apps in tourism," Kop says. "For instance, medical AI is \[classified as\] high risk to prevent direct harm to patients due to AI errors."

He notes there is still controversy about the criteria and definition of AI that the draft uses. Some commentators argue it should be more technology-specific, aimed at certain riskier types of machine learning, such as deep unsupervised learning or deep reinforcement learning.

"Others focus more on the intent of the system, such as social credit scoring, instead of potential harmful results, such as neuro-influencing," Kop added. "A more detailed classification of what 'risk' entails would thus be welcome in the final version of the act."

**Facial Recognition as a High-Risk Technology**

Joseph Carson, chief security scientist and advisory CISO at Delinea, participated in several of the talks around the act, including as a subject matter expert in the use of AI in law enforcement and articulating the concerns around security and privacy.

The EU AI Act, he says, will mainly affect those organizations that already collect and process personal identifiable information. Therefore, it will impact how they use advanced algorithms in processing the data.

"It is important to understand the risks if no regulation or act is in place and what the possible impact \[is\] if organizations abuse the combination of sensitive data and algorithms," Carson says. "The future of the Internet is a scary place, and the enforcement of the EU AI Act allows us to embrace the future of the Internet using AI with both responsibility and accountability."

Regarding facial recognition, he says the technology should be regulated and controlled.

"It has many amazing uses in society, but it must be something you opt in and agree to use; citizens must have a choice," he says. "If no act is in place, we will see a significant increase in deepfakes that will spiral out of control."

Malin Strandell-Jansson, senior knowledge expert at McKinsey & Co, says facial recognition is one of the most debated issues in the draft act, and the final outcome is not yet clear.

In its draft format, the AI Act strictly prohibits the use of real-time remote biometric identification in publicly accessible spaces for law enforcement purposes, as it poses particular risks for fundamental rights – notably human dignity, respect for private and family life, protection of personal data, and nondiscrimination.

Strandell-Jansson points out a few exceptions, including use for law enforcement purposes for the targeted search for specific potential victims of crime, including missing children; the response to the imminent threat of a terror attack; or the detection and identification of perpetrators of serious crimes.

"Regarding private businesses, the AI Act considers all emotion recognition and biometric categorization systems to be high-risk applications if they fall under the use cases identified as such — for example, in the areas of employment, education, law enforcement, migration, and border control," she explains.

As such, potential providers would have to subject such AI systems to transparency and conformity obligations before putting them on the market in Europe.

**The Time to Act on AI Is Now**

Dr. Sohrob Kazerounian, AI research lead at Vectra, an AI cybersecurity company, says the need to create a regulatory framework for AI has never been more pressing.

"AI systems are rapidly being integrated into products and services across wide-ranging markets," he says. "Yet the trustworthiness and interpretability of these systems can be rather opaque, with poorly understood risks to users and society more broadly."

While some existing legal frameworks and consumer protections may be relevant, applications that use AI are sufficiently different enough from traditional consumer products that they necessitate fundamentally new legal mechanisms, he adds.

The overarching goal of the bill is to anticipate and mitigate the most critical risks resulting from the use and failure of AI, with actions ranging from banning systems deemed to have "unacceptable risk" altogether to heavy regulation of "high-risk" systems. Another, albeit less-noted, consequence of the framework is that it could provide clarity and certainty to markets about what regulations will exist and how they will be applied.

"As such, the regulatory framework may in fact result in increased investment and market participation in the AI sector," Kazerounian said.

**Limits for Deepfakes and Biometric Recognition**

By addressing specific AI use cases, such as deepfakes and biometric or emotional recognition, the AI Act is hoping to ameliorate the heightened risks such technologies pose, such as violation of privacy, indiscriminate or mass surveillance, profiling and scoring of citizens, and manipulation, Strandell-Jansson says.  

"Biometrics for categorization and emotion recognition have the potential to lead to infringements of people's privacy and their right to the protection of personal data as well as to their manipulation," she says. "In addition, there are serious doubts as to the scientific nature and reliability of such systems."

The bill would require people to be notified when they encounter deepfakes, biometric recognition systems, or AI applications that claim to be able to read their emotions. Although that's a promising step, it raises a couple of potential issues.

Overall, Kazerounian says it is "undoubtedly" a good start to require increased visibility for consumers when they are being classified by biometric data and when they are interacting with AI-generated content rather than real humans or real content.

"Unfortunately, the AI act specifies a set of application areas within which the use of AI would be considered high-risk, without necessarily discussing the risk-based criteria that could be used to determine the status of future applications of AI," he said. "As such, the seemingly ad-hoc decisions about which application areas are considered high-risk simultaneously appear to be too specific and too vague."

Current high-risk areas include certain types of biometric identification, operation of critical infrastructure, employment decisions, and some law enforcement activities, he explains.

"Yet it isn't clear why only these areas were considered high-risk and furthermore doesn't delineate which applications of statistical models and machine-learning systems within these areas should receive heavy regulatory oversight," he adds.

**Possible Groundwork for Similar US Law**

It is unclear what this act could mean for a similar law in the US, Kazerounian says, noting that it has now been more than half a decade since the passing of GDPR, the EU law on data regulation, without any similar federal laws following in the US — yet.

"Nevertheless, GDPR has undoubtedly influenced the behavior of multinational corporations, which have either had to fracture their policies around data protections for EU and non-EU environments or simply have a single policy based on GDPR applied globally," he said. "In any case, if the US decides to propose legislation on the regulation of AI, at a minimum it will be influenced by the EU act."

EU Debates AI Act to Protect Human Rights, Define High-Risk Uses

So-called Symbiote malware, first found targeting financial institutions, contains stealthy rootkit capabilities.

A new malware variant attacking Linux systems that steals credentials and allows for remote access to victim machines camouflages so well that the researchers studying it say they can't conclude if it's being used in targeted or larger-scale attack campaigns.

Security researchers from Intezer and BlackBerry's Research & Intelligence Team say the so-called Symbiote malware is unusual in that it's not a pure executable file: it's actually a shared object library that loads itself into a machine's running processes using the LD\_Preload file in Linux. "Once it has infected all the running processes, it provides the threat actor with rootkit functionality, the ability to harvest credentials, and remote access capability," the researchers wrote in a blog post this week.

Symbiote was first sighted in November of 2021, they said, and at the time appeared to be created for attacking financial institutions in Latin America.

"Once the malware has infected a machine, it hides itself and any other malware used by the threat actor, making infections very hard to detect. Performing live forensics on an infected machine may not turn anything up since all the file, processes, and network artifacts are hidden by the malware. In addition to the rootkit capability, the malware provides a backdoor for the threat actor to log in as any user on the machine with a hardcoded password, and to execute commands with the highest privileges," the researchers wrote.

While detecting the rootkit is a major challenge, the researchers said organizations should watch for anomalous DNS requests. But relying on antivirus and endpoint detection and response tools to detect it is moot: They can be compromised by the rootkit since it's embedded in "userland," the researchers warned.  

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

New Linux Malware 'Nearly Impossible to Detect'

A new research undertaken by a group of academics from the University of California San Diego has revealed for the first time that Bluetooth signals can be fingerprinted to track smartphones (and therefore, individuals).
The identification, at its core, hinges on imperfections in the Bluetooth chipset hardware introduced during the manufacturing process, resulting in a "unique physical-layer

A new research undertaken by a group of academics from the University of California San Diego has revealed for the first time that Bluetooth signals can be fingerprinted to track smartphones (and therefore, individuals).

The identification, at its core, hinges on imperfections in the Bluetooth chipset hardware introduced during the manufacturing process, resulting in a "unique physical-layer fingerprint."

"To perform a physical-layer fingerprinting attack, the attacker must be equipped with a Software Defined Radio sniffer: a radio receiver capable of recording raw IQ radio signals," the researchers said in a new paper titled "Evaluating Physical-Layer BLE Location Tracking Attacks on Mobile Devices."

The attack is made possible due to the ubiquitous nature of Bluetooth Low Energy (BLE) beacons that are continuously transmitted by modern devices to enable crucial functions such as contact tracing during public health emergencies.

The hardware defects, on the other hand, stem from the fact that both Wi-Fi and BLE components are often integrated together into a specialized "combo chip," effectively subjecting Bluetooth to the same set of metrics that can be used to uniquely fingerprint Wi-Fi devices: carrier frequency offset and IQ imbalance.

Fingerprinting and tracking a device then entails extracting CFO and I/Q imperfections for each packet by computing the Mahalanobis distance to determine "how close the features of the new packet" are to its previously recorded hardware imperfection fingerprint.

"Also, since BLE devices have temporarily stable identifiers in their packets \[i.e., MAC address\], we can identify a device based on the average over multiple packets, increasing identification accuracy," the researchers said.

That said, there are several challenges to pulling off such an attack in an adversarial setting, chief among them being that the ability to uniquely identify a device depends on the BLE chipset used as well as the chipsets of other devices that are in close physical proximity to the target.

Other critical factors that could affect the readings include device temperature, differences in BLE transmit power between iPhone and Android devices, and the quality of the sniffer radio used by the malicious actor to execute the fingerprinting attacks.

"By evaluating the practicality of this attack in the field, particularly in busy settings such as coffee shops, we found that certain devices have unique fingerprints, and therefore are particularly vulnerable to tracking attacks, others have common fingerprints, they will often be misidentified," the researchers concluded.

"BLE does present a location tracking threat for mobile devices. However an attacker's ability to track a particular target is essentially a matter of luck."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Researchers Find Bluetooth Signals Can be Fingerprinted to Track Smartphones

A Privilege Escalation vulnerability exists in Sourcecodester Money Transfer Management System 1.0, which allows a remote malicious user to gain elevated privileges to the Admin role via any URL.

\# Exploit Title: Privilege Escalation via Forced Browsing

\# Google Dork: NA

\# Date: 11/03/2022

\# Exploit Author: Ali J.

\# Vendor Homepage: https://www.sourcecodester.com/

\# Software Link: https://www.sourcecodester.com/php/15015/money-transfer-management-system-send-money-businesses-php-free-source-code.html

\# Version: 1.0

\# Tested on: Windows 10

\# CVE : CVE-2021-44582

Steps to Reproduce:

1\. Login to the Money Transfer Management System with admin credentials and copy the URL.

2\. Logout from the admin role and login with the normal user credentials, observe the available modules on the left side.

3\. Paste the admin URL and observe that the application is vulnerable to Privilege Escalation via Forced Browsing.

CVE-2021-44582: CVE-2021-44582/Privilege Escalation via Forced Browsing in Sourcecodester Money Transfer Management System at main · warmachine-57/CVE-2021-44582

Sysadmins should update their installations immediately

Jessica Haworth 10 June 2022 at 12:34 UTC

Sysadmins should update their installations immediately

Two flaws in the web interface of a Fujitsu cloud storage system could allow an unauthenticated attacker to read, write, and destroy backed up files.

The security vulnerabilities were present in the enterprise-grade Fujitsu Eternus CS8000 (Control Center) V8.1.

Researchers from NCC Group found two separate issues due to a lack of user input validation in two PHP scripts, which are normally included post-authentication.

Both flaws, a command injection in and a command injection in , could allow an attacker to gain remote code execution on the appliance without prior authentication or authorization.

Read more of the latest web security research here

As no include-guards are in-place, the attacker is able to trigger the script without prior authentication by calling it directly.

This would enable them to take control over the appliance as if they were logged in directly via a secure shell.

“If exploited, the attacker obtains limited user privileges on the machine as the ‘www-data’ user; however, it should be noted that the Kernel on the system which NCC Group’s Fox-IT encountered is severely outdated, allowing an attacker to easily escalate their privileges to the administrative ‘root’ user of the system,” a blog post from NCC Group reads.

“Due to the sensitive nature of the system, any attacker with full control over the system is potentially able to read, modify and potentially destroy the entire virtual backup tapes, which could be used as an initial stage of a ransomware attack to ensure the victim is not able to recover and is forced to pay the ransom.”

**Patch now**

The issues were discovered during a penetration test conducted by NCC Group on behalf of a client. They were then reported to Fujitsu, which has since patched the bugs (PDF).

Fujitsu said it has “no knowledge” of any working exploit code, and has seen no successful attempts to exploit the vulnerabilities in the wild.

NCC Group advised users to upgrade to the latest version of the software immediately. It has also listed other recommendations to mitigate the bugs in the blog post.

The Daily Swig has reached out to both NCC Group and Fujitsu for comment and will update this article accordingly.

DON’T MISS Chinese cyber threat actors are widely abusing well-known attacks to infiltrate networks, CISA warns

Separate Fujitsu cloud storage vulnerabilities could enable attackers to destroy virtual backups

The dangerous malware appears to be well and truly back in action, sporting new variants and security-dodging behaviors in a wave of recent phishing campaigns.

The dangerous malware appears to be well and truly back in action, sporting new variants and security-dodging behaviors in a wave of recent phishing campaigns.

Emotet’s resurgence in April seems to be the signal of a full comeback for what was once dubbed “the most dangerous malware in the world,” with researchers spotting various new malicious phishing campaigns using hijacked emails to spread new variants of the malware.

The “new and improved” version of Emotet is exhibiting a “troubling” behavior of effectively collecting and using stolen credentials, “which are then being weaponized to further distribute the Emotet binaries,” Charles Everette from Deep Instinct revealed in a blog post this week.

“\[Emotet\] still utilizes many of the same attack vectors it has exploited in the past,” he wrote. “The issue is that these attacks are getting more sophisticated and are bypassing today’s standard security tools for detecting and filtering out these types of attacks.”

In April, Emotet malware attacks returned after a 10-month “spring break” with targeted phishing attacks linked to the threat actor known as TA542, which since 2014 has leveraged the Emotet malware with great success, according to a report by Proofpoint.

These attacks—which were being leveraged to deliver ransomware—came on the back of attacks in February and March hitting victims in Japan using hijacked email threads and then “using those accounts as a launch point to trick victims into enabling macros of attached malicious office documents,” Deep Instinct’s Everette wrote.

“Looking at the new threats coming from Emotet in 2022 we can see that there has been an almost 900 percent increase in the use of Microsoft Excel macros compared to what we observed in Q4 2021,” he wrote.

**Emotet Rides Again**

The attacks that followed in April targeted new regions beyond Japan and also demonstrated other characteristics signaling a ramp-up in activity and rise in sophistication of Emotet, Deep Instinct noted.

Emotet, like other threat groups, continues to leverage a more than 20-year-old Office bug that was patched in 2017, CVE-2017-11882, with nearly 20 percent of the samples that researchers observed exploiting this flaw. The Microsoft Office Memory corruption vulnerability allows an attacker to perform arbitrary code execution.

Nine percent of the new Emotet threats observed were never seen before, and 14 percent of the recent emails spreading the malware bypassed at least one email gateway security scanner before it was captured, according to Deep Instinct.

Emotet still primarily uses phishing campaigns with malicious attachments as its transportation of choice, with 45 percent of the malware detect using some type of Office attachment, according to Deep Instinct. Of these attachments, 33 percent were spreadsheets, 29 percent were executables and scripts, 22 percent were archives and 11 percent were documents.

Other notable changes to Emotet’s latest incarnation is its use of  64-bit shell code, as well as more advanced PowerShell and active scripts in attacks, according to Deep Instinct.

****History of a Pervasive Threat****

Emotet started its nefarious activity as a banking trojan in 2014, with its operators having the dubious honor of being one of the first criminal groups to provide malware-as-a-service (MaaS), Deep Instinct noted.

The trojan evolved over time to become a full-service threat-delivery mechanism, with the ability to install a collection of malware on victim machines, including information stealers, email harvesters, self-propagation mechanisms and ransomware. Indeed, Trickbot and the Ryuk and Conti ransomware groups have been habitual partners of Emotet, with the latter using the malware to gain initial entry onto targeted systems.

Emotet appeared to be put out of commission by an international law-enforcement collaborative takedown of a network of hundreds of botnet servers supporting the system in January 2021. But as often happens with cybercriminal groups, its operators have since regrouped and seem to be working once again at full power, researchers said.

In fact, in November 2021 when Emotet emerged again nearly a year after it went dark, it was on the back of its collaborator Trickbot. A team of researchers from Cryptolaemus, G DATA and AdvIntel separately observed the trojan launching a new loader for Emotet, signaling its return to the threat landscape.

Potent Emotet Variant Spreads Via Stolen Email Credentials

By Owais Sultan
Hyperconverged infrastructure is changing the way data centers work for the better. Learn about the benefits of hyperconverged…
This is a post from HackRead.com Read the original post: Hyperconverged Infrastructure (HCI) is Changing Data Centers

****Hyperconverged infrastructure is changing the way data centers work for the better. Learn about the benefits of hyperconverged infrastructure.****

Every year there is a huge number of technological reforms and upgrades that can make life easier for both individuals and companies. Sometimes, large-scale changes also affect the data processing centers.

If even more than 10 years ago data center managers worked with traditional infrastructure familiar to everyone, then in recent years there have been big changes. These changes were the use of networks that provide both speed and availability (software-defined networks), a distributed information technology architecture in which customer data is processed at the edge of the network, as close as possible to the source (edge computing), the fifth generation of mobile communications, as well as artificial intelligence. 

Such technologies imply a major transformation in how data centers operate. However, the most important thing is that qualified specialists are needed to work with such technologies, which means higher requirements for data center managers. They must be able and know how to work with such innovative solutions, and explore and customize them. It would seem that the use of technology should be beneficial, but for people working with such innovations, this becomes a challenge. 

That is why the latest technology has been developed that promises to solve all these problems. 

**Table of Contents:**

1.  **Hyperconverged Infrastructure** 
2.  **Converged Infrastructure** 
3.  **Key Benefits of HCI**

**Hyperconverged Infrastructure **

Before describing all the advantages of technology, it is worth considering the hyperconverged infrastructure definition. HCI is a distributed infrastructure platform that combines servers, networks, and storage with sophisticated software to produce adaptable key components that may improve existing infrastructure.

The consistent building pieces required to establish a hyperconverged infrastructure can be acquired as a mix of electronic, electrical, and mechanical hardware or as virtual stacks.

Such an infrastructure consists of standard components: servers running on the x86 architecture, software for creating, running, and managing virtual machines, and special software needed for management.

The beauty of a hyperconverged data center is that if you need more processing power, you can easily scale the process. All you need to do is attach a few extra boxes, depending on how much you need to scale everything. Thus, each organization gets a great opportunity to improve the processing centers of HCI data. 

It is already clearly visible how quickly the demand for the creation of such data centers is growing. 3 years ago, the global market for such products and services was estimated at over $6 billion. In 5 years, it will be valued at more than $22 billion. Companies now must cut information technology expenses, drastically speed up the building of data centers, manage numerous operations, and grow swiftly.

**Converged Infrastructure **

There existed a converged infrastructure prior to the introduction of such an upgraded infrastructure. It comprises pre-engineered equipment and programs that professionals may purchase and install independently. In short, it’s like an IKEA crib. You get a set of ready-made components that you need to combine to get the finished product. That is, you get components that will be compatible with each other. You do not need to search for suppliers for each component to separately assemble everything you need. 

Hyperconverged infrastructure is a more advanced CI. This infrastructure already contains all the necessary components that you can work with. In simple words, if CI is an IKEA crib that needs to be assembled, then HCI is a prepackaged meal that you just need to heat.

If you use a similar infrastructure in your data center, then to increase the capacity, you only need to order more infrastructure units. Easy and simple scalability allows multiple companies to increase the volume of data processing, as well as quickly adapt to new company needs. 

**Key Benefits of HCI**

Scalability is the most important advantage of HCI. However, this is not all that such an infrastructure can offer. 

**Low-cost hyperconverged infrastructure units **

HCI requires x86 servers, which are installed in most modern data centers. Thus, companies do not need to spend money to buy the necessary servers. In addition, every time there is a need to add capacity, companies need to buy only one type of device instead of a huge variety of different devices. They can be purchased from a single supplier, which reduces the time of purchase and implementation.

In addition, if necessary, if there are difficulties with installation or updates, then you only need to seek technical assistance from one vendor instead of working with many different vendors. 

**Remote control **

Infrastructure components are handled as services in a software-defined data center. They can be managed and configured remotely, which greatly facilitates the work of managers. At any time of the day or night, managers can quickly reduce or increase the amount of storage, and memory, adjust computing power, as well as all the necessary resources. This means that managers will be able to update all resources used as soon as it is needed.  

**Achieving the greatest efficiency of all processes **

All used infrastructure resources are combined into clusters. If you need more memory for a particular process or application, or need more storage capacity and compute power, you can quickly identify those resources that aren’t already being used to provide what you need. With unified management, managers can quickly discover these resources, pool them together, and make them available for process or application execution when needed. 

**Integrated management **

You only need a single console to manage all the processes. Local and remote clusters can be managed from one place. Thus, the entire management process is greatly simplified. 

Companies operating in the field of IT have a chance to reduce the costs of IT departments, as well as increase their productivity. The work of specialists is facilitated since it is no longer necessary to think about how to deploy a system, integrate it, and separately maintain each component while solving other problems associated with managing the center. 

There is no need to expand the staff, as well as to attract consultants who charge a lot for their work. If your staff has generalists, then they will be able to do most of the work without help. 

**Conclusion **

There are many benefits to implementing hyperconverged infrastructure in your data center. The first and most important is the speed and ease of scaling, which is low cost. In addition, all processes can be controlled remotely using a single console. Achieving the greatest efficiency of all processes occurs quickly if necessary.

1.  Why Data Security is crucial?
2.  Big Data and Cybersecurity: Opportunity or Threat?
3.  How big data analytics helps enterprises improve cybersecurity
4.  Top Data-Driven Methods for Improving Your Investment Decisions
5.  Cybersecurity, Big Data & Automation Tools: What Marketers Need To Know

Tag

#mac