File upload vulnerability in Instantdeveloper RD3 22.0.8500, allows attackers to execute arbitrary code.

Il team Offensive Security di Swascan ha identificato una vulnerabilità nel framework **Instant Developer** **RD3 < 22.5 r23**. 

La vulnerabilità interessa tutti gli applicativi sviluppati con il framework RD3 nelle versioni inferiori a quella indicata. 

****_Instant Developer_** **

_Instant Developer_ è una famiglia di piattaforme ad alta produttività per lo sviluppo di applicazioni multicanale e multipiattaforma progettata per risolvere i problemi che affliggono maggiormente i professionisti dello sviluppo software_._ 

****Technical summary** **

L’Offensive Security Team di Swascan ha trovato un importante vulnerabilità su:  

**Assets** 

**Vulnerability** 

**CVSS** 

**Severity** 

**Instant Developer RD3 Framework < 22.5 r23**

Arbitrary File Upload 

**9.8** 

**Critical** 

Nella seguente sezione vengono riportati i dettagli tecnici su questa vulnerabilità, comprese le evidenze e un proof-of-concept. Questa vulnerabilità può interessare tutti i clienti che utilizzano il software per sviluppare le proprie Webapp. 

**Dettaglio Vulnerabilità** 

**Framework RD3 – Arbitrary file upload** 

CWE-434: _Unrestricted File Upload_  

CVSSv3.1 Base Score: **9.8**  

CVSSv3.1 Base Vector:        AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 

OWASP Top10 2021:          A04 – Insecure Design 

**_Descrizione_** 

La vulnerabilità è stata individuata nella libreria “full.js” del framework RD3 di InstantDeveloper. 

Ciò può consentire ad un attaccante di effettuare l’upload di file malevoli per l’esecuzione di codice arbitrario o di una shell attraverso la quale potrebbe eseguire comandi arbitrari sul server remoto. A seguito di ciò, l’attaccante potrebbe altresì effettuare ricerca di credenziali, movimenti laterali all’interno dell’infrastruttura, oppure semplicemente creare disservizi (DoS) caricando file di grandi dimensioni. 

La vulnerabilità interessa tutti gli applicativi sviluppati con il framework RD3 nelle versioni inferiori alla 22.5 r23. 

**_Assets_** 

*   https://<TARGET>/<cartella applicazione>/<file applicazione>.aspx/?WCI=IWFiles&WCE=&SESSIONID=\[cookie Sessione\] 

**_Proof of Concept_** 

La vulnerabilità è stata individuata analizzando il file full.js dove è presente una porzione di codice relativa che riguarda l’upload di file. Ciò ha permesso di trovare l’entrypoint per creare il comando di upload. 

Di seguito viene riportata la porzione di codice sopra citata: 

**Evidenza** **1** **Codice sorgente full.js** 

Si mostra di seguito come sia stato possibile, sfruttando quanto descritto in precedenza, caricare sul server una reverse shell.  

Per ottenere tale risultato è stato edeguito il seguente comando 

curl -kis -F “\[email protected\]<FILE MALEVOLO>.aspx” -H “Cookie: ASP.NET\_SessionId=<CODICE SESSIONE>” -A Chrome https://<TARGET>/<cartella applicazione>/<file applicazione>.aspx /?WCI=IWFiles&WCE=&SESSIONID=<CODICE SESSIONE> 

Tale processo è descritto dalle seguenti evidenze: 

**Evidenza 2 Upload reverse shell** 

Di seguito viene mostrata la shell interattiva sul server: 

**Evidenza 3 Reverse shell interattiva sul server target** 

**_Remediation_** 

Ricompilare l’applicazione con l’ultima versione del framework 22.5 r23. 

**_Riferimenti_** 

*   https://cwe.mitre.org/data/definitions/434.html 
*   https://owasp.org/Top10/it/A04\_2021-Insecure\_Design/ 
*   https://docs.microsoft.com/it-it/dotnet/standard/security/secure-coding-guidelines 
*   https://cheatsheetseries.owasp.org/cheatsheets/DotNet\_Security\_Cheat\_Sheet.html 
*   https://doc.instantdeveloper.com/ 

****Considerazioni del Vendor** **

Durante il processo di Responsible Disclosure il vendo ha fornito le seguenti considerazioni per meglio specificare alcuni aspetti della vulnerabilità e della conseguente remediation: 

1) Per sfruttare la vulnerabilità era necessario conoscere il SessionID di una sessione utente che avesse effettuato il login (utente autenticato). Solo avendo accesso al browser dove era in esecuzione una sessione autenticata era possibile ottenere un SessionID valido. 

2) Se il programmatore non ha rimosso l’autenticazione dalla propria applicazione il sistema non permette l’upload di file in sessioni non autenticate (dalla versione 20.5). E’ compito del programmatore verificare le credenziali utente e autorizzare l’accesso all’applicazione solo quando è stato correttamente identificato (tramite username/password). 

3) A partire dalla versione 22.0 nella cartella TEMP dell’applicazione è stato inserito un apposito file che non permette l’esecuzione di file arbitrari. Il programmatore, che usa l’ambiente di sviluppo, non deve rimuovere tale file e deve correttamente installarlo nell’applicazione quando questa viene installata in produzione. 

4) Quando viene eseguito l’upload di un file da una sessione autenticata è compito del programmatore decidere se tale file è corretto o meno. Lo può fare implementando l’evento OnFileUpload nel quale può decidere se accettare o meno l’upload. Qualora l’upload sia rifiutato dal programmatore il file viene immediatamente rimosso dal disco. 

5) Pro Gamma fornisce un ambiente di sviluppo general purpose ed è compito del programmatore sviluppare l’applicazione e configurare il web server quando la stessa è resa disponibile su internet. 

3.  **Disclosure Timeline** 

*   25-07-2022: Vulnerabilità scoperta 

*   24-08-2022: Swascan contatta il vendor (1° tentativo, senza risposta) 
*   29-08-2022: Swascan richiede il CVE-ID  al mitre 
*   07-09-2022: Swascan contatta il vendor (2° tentativo, con risposta) 
*   15-09-2022: Swascan condivide il report con il vendor  
*   23-01-2023: Il vendor rilascia la versione 22.5 r23 
*   15-02-2023: Il mitre rilascia il CVE-ID CVE-2022-39983

CVE-2022-39983: ​​Vulnerability Report - Instant Developer RD3 (CVE-2022-39983)

A DoD email server hosted in the cloud (and now secured) had no password protection in place for at least two weeks.

A US Department of Defense email server hosted on Microsoft Azure's government cloud service reportedly was found wide open to the public Internet for a period of about two weeks before it was properly secured.

According to a report on TechCrunch, a security researcher spotted the email server containing internal US military messages, some with sensitive personal information, including an SF-86 questionnaire that federal workers fill out as part of their security clearance process. It was one of a group of email servers in the US Special Operations Command (USSCOM) but likely on the civilian side, the report said.

The email server appeared to have been misconfigured and was running without password protection. Once TechCrunch alerted USSCOM, the agency fixed the issue. "\[W\]hat we can confirm at this point is no one hacked US Special Operations Command's information systems," a USSCOM spokesperson told TechCrunch.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

US Military Emails Exposed via Cloud Account

It's a banner year for attacks coming through traditional email as well as newer collaboration technologies, such as Slack and Microsoft Teams. What's next?

Phishing and other messaging-based attacks continue to be a pervasive threat, with 97% of companies seeing at least one email phishing attack in the past 12 months and three-quarters of firms expecting significant costs from an email-based attack.

That's according to the "State of Email Security" (SOES) report, based on a survey of 1,700 IT professionals published by Mimecast this week. The report also found that the most significant email-borne threats continue to be phishing, ransomware, and spoofing. 

Two-thirds of respondents acknowledged a successful ransomware attack, with companies in certain industries more likely to be a victim, including consumer services (87%), energy (83%), healthcare (80%) and the media and entertainment (86%) sectors. On the spoofing side, 91% of those surveyed had seen attempts to steal or use their email domain in an attack, according to the survey.

The increased concern about cyberattacks via email and collaboration platforms comes as companies have shifted to hybrid work environments, making tools like Slack and Microsoft Teams popular ways of exploitation by opportunistic cybercriminals. Nearly three-quarters of companies surveyed feel it is likely or extremely likely that their company will suffer an attack delivered through their collaboration tools, according to the study, which was conducted by market research firm Vanson Bourne.

"While email remains the primary attack vector for bad actors, collaboration tools provide a new threat surface for cybercriminals to infiltrate," the report stated. "And this, in turn, creates even more risk for CISOs and their teams to manage."

Though certainly not a new area, attacks on messaging and collaboration software are a growing source of compromise for companies. In its quarterly "Phishing Activity Trends Report," the Anti-Phishing Working Group (APWG) detected 1.3 million attacks in third quarter of 2022, up from 1.1 million phishing attacks in the second quarter of 2022. Attackers are also getting better at fooling defenses and sneaking into users' inboxes, with 19% of phishing attacks bypassing platform defenses, according to a report released in October.

With the ramped-up activity comes more awareness, at least. "More \[company\] leaders are increasingly aware of the dangerous ramifications cyberattacks pose against their business," says Thom Bailey, senior director of strategy at Mimecast. "However, organizations are still behind the curve in terms of security posture."

**Collaboration Tools Expand Quickly**

Collaboration tools represent an expanding attack surface area, according to the SOES survey. While the vast majority of professionals (90%) maintain that collaboration tools are essential to their company's workflow, keeping up with the installed base of tools is "overwhelming," according to those polled. Two-thirds of professionals (67%) are overwhelmed by the number of tools, and more than half (55%) have to attempt to detect and manage tools downloaded by workers without approval.

That said, whether the attacker uses email as their vector, or Slack or Teams, the end goal is the same, Bailey says.

"It’s important to remember that even though the attack vector is slightly different, the human end user is still the key target," he says. "The majority of attacks targeting collaboration channels leverage the human element, where an adversary makes a compelling appeal for a recipient to engage with the attacker."

On the email side, more companies are adopting email security specifications, such as Domain-based Message Authentication, Reporting and Conformance (DMARC) and Brand Indicators for Message Identification (BIMI) to prevent spoofing. To protect their domains, 88% of survey respondents would like to use the DMARC standard to make their email more resilient to spoofing attacks. Unfortunately, only a bit more than a quarter (27%) have actually deployed the features, according to the SOES survey.

**Can ChatGPT Help With Phishing as Well?**

While anti-spam engines are among the earliest applications of machine learning to cybersecurity, most professionals aim to go further, with 92% either using or planning to use artificial intelligence (AI) features and machine learning (ML) to bolster their current defenses. Doing so can help cybersecurity teams keep up with attackers, Bailey says.

"When combined with natural language processing tools such as auto-encoders or large language models, \[AI\] can help detect anomalies in the writing style and communication patterns of inbound emails, blocking messages and alerting employees accordingly," he says. "It also helps reduce human error ... further enabling strained IT teams ... to offset critical workforce challenges by automating repetitive tasks and streamlining workflows to drive higher levels of efficiency."

The SOES survey included professionals from companies of various sizes, including 15% with fewer than 500 employees, 76% with between 500 and 10,000 employees, and 9% with more than 10,000 employees. The top industry sectors represented by the survey professionals included financial services (14%), technology and telecommunications (13%), retail (13%), and healthcare (11%).

Phishing Fears Ramp Up on Email, Collaboration Platforms

Technology tuck-in enhances industry's broadest XDR security platform.

**DALLAS****,** **Feb. 22, 2023** **/PRNewswire/ --** Trend Micro Incorporated (TYO: 4704; TSE: 4704), a global cybersecurity leader, has announced the signing of a definitive agreement to acquire Anlyz, a leading provider of security operations center (SOC) technology. The acquisition will extend Trend's orchestration, automation and integration capabilities and will enable enterprises and Managed Security Service Providers (MSSPs) to improve operational efficiencies, cost effectiveness and security outcomes.

The deal encompasses intellectual property, industry expertise and more than 40 technical employees all focused on bolstering Trend's security platform strategy. With this acquisition, the company will expand its engineering team of over 3000, adding a new research & development center in Bangalore, India.

Managed Security Service Providers (MSSPs) will be empowered to grow their strategic SOC services while minimizing the complexity of the underlying security stack by reducing the number of technology vendors needed. Trend's enterprise customers will benefit from a comprehensive extended detection and response (XDR) and incident response orchestration platform that can maximize analyst productivity and help relieve resource constraints.

Gartner research stated, "As buyers, both end customers and service providers, continue to consolidate vendors/providers, buyers will seek best-of-suite and integrated solutions over best-of- breed point solutions. Preferred technology vendors will be those that ease integration with other IT and security technology and tools within the environment, supporting efforts toward use-case-based outcomes."\[1\]

"We are happy to welcome the Anlyz team into the Trend family – together we are increasing SOC effectiveness and reducing both the technology and resources burdens," said Kevin Simzer, Chief Operating Officer at Trend Micro. "Due to market pressure, we see organizations moving past security point-solution experiments in preference for platform breadth that allows for vendor consolidation, maximized return on investments and efficiencies."

Trend Micro and Anlyz have been technology alliance partners since 2021 and share more than 30 joint customers that are positioned to move forward quickly to capitalize on the opportunities ahead.

\[1\] Gartner®, Emerging Trends: Future of Security Services, Shawn Eftink, John Collins, November 2021 GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

Eventus TechSol is one of the many MSSPs powering joint customers delivering measurable "XDR Powered SOC" improvements for clients. "We have reduced the mean-time-to-detect and mean-time-to-respond ratio, down from weeks to hours for incidents," said Jay Thakker, Practice Head at the company. "We use playbooks for log enrichment and automated response as well as threat intelligence and threat hunting capabilities provided by the platform to proactively hunt for known and behavioral attacks."

Anlyz has primarily focused on security orchestration and case management delivering powerful SOAR capabilities for MSSPs to manage the incident response process across multiple clients. It also offers intelligent log aggregation enabling data ingestion and enrichment across a range of data sources and security solutions, using a high performance, scalable architecture. Trend will leverage Anlyz's SOAR solution and rich set of product connectors to broaden its platform and enable additional integration and automation options across customers' IT ecosystems.

Trend's MSSP channel customers will benefit from:

*   An anchor technology platform to manage the SOC function for their clients
*   A reduced requirement to architect individual custom solutions for their customers, thanks to an integrated core stack and multi-tenant view out of the box
*   Visibility, analysis, and automation across Trend, third-party products, and customer instances, making it easier to manage XDR across multiple customers
*   A scalable, flexible, and feature-rich platform to appeal to all types of customers no matter the size and complexity of their IT environment

**Notice Regarding Forward-Looking Statements**

Certain statements included in this press release that are not historical facts are forward-looking statements. Forward-looking statements are sometimes accompanied by words such as "believe," "may," "will," "estimate," "continue," "anticipate," "intend," "expect," "should," "would," "plan," "predict," "potential," "seem," "seek," "future," "outlook" and similar expressions that predict or indicate future events or trends or that are not statements of historical matters. These forward-looking statements include, but are not limited to, statements concerning the future plans or prospects for the acquisition. These statements are based on our current expectations and beliefs and are subject to a number of factors and uncertainties that could cause actual results to differ materially from those described in the forward-looking statements. Although we believe that the expectations reflected in our forward-looking statements are reasonable, we do not know whether our expectations will prove correct. You are cautioned not to place undue reliance on these forward-looking statements, which speak only as of the date hereof, even if subsequently made available by us on our website or otherwise. We do not undertake any obligation to update, amend or clarify these forward-looking statements, whether as a result of new information, future events or otherwise, except as may be required under applicable securities laws.

**About Trend Micro**

Trend Micro, a global cybersecurity leader, helps make the world safe for exchanging digital information. Fueled by decades of security expertise, global threat research, and continuous innovation, Trend Micro's cybersecurity platform protects hundreds of thousands of organizations and millions of individuals across clouds, networks, devices, and endpoints. As a leader in cloud and enterprise cybersecurity, the platform delivers a powerful range of advanced threat defense techniques optimized for environments like AWS, Microsoft, and Google, and central visibility for better, faster detection and response. With 7,000 employees across 65 countries, Trend Micro enables organizations to simplify and secure their connected world. www.TrendMicro.com.  

The Gartner Report(s) described herein, (the "Gartner Report(s)") represent(s) data, research opinion or viewpoints published, as part of a syndicated subscription service, by Gartner, Inc. ("Gartner"), and are not representations of fact. Each Gartner Report speaks as of its original publication date (and not as of the date of this Prospectus) and the opinions expressed in the Gartner Report(s) are subject to change without notice.

SOURCE Trend Micro Incorporated

Trend Micro Acquires SOC Technology Expert Anlyz

Attackers are now using multiple types of distributed denial-of-service (DDoS) attacks to take down sites. Here are some ways to defend and protect.

Distributed denial-of-service (DDoS) attacks occur when an individual device, known as a bot, or a network of devices, known as a botnet, is infected with malware. These bots or botnets flood websites with increased traffic volumes over a period of hours or even days in an attempt to take services offline. Recently, hacktivist groups have begun leveraging DDoS attacks to extort site owners for financial, competitive advantage, or political reasons. This can represent a serious threat for enterprise businesses.

Planning and preparation are key to developing an effective DDoS defense. But first you need to understand how these attacks work.

**DDoS Attack Types**

New DDoS attack vectors emerge every day thanks to innovative artificial intelligence (AI) technology and a growing cybercrime ecosystem. But in general, there are three main types of DDoS attacks, each of which encompasses a variety of cyberattacks. The first is known as a volumetric attack, which primarily focuses on bandwidth and is designed to overwhelm the network layer with traffic. For example, domain name server (DNS) amplification attacks leverage open DNS servers to flood a target with DNS response traffic.

Another type of DDoS is a protocol attack, which exploits weaknesses in Layers 3 and 4 of the protocol stack, targeting critical resources. For example, synchronization packet floods (SYN) will consume all available server resources as a way to make servers unavailable.

Finally, a resource layer attack disrupts data transmission between hosts by targeting web application packets. For example, SQL injection attacks will insert malicious code into strings. These strings are subsequently passed to a SQL server to be parsed and executed.

And while these categories can cover a broad range of DDoS attacks, security teams also need to be aware that cybercriminals can compromise their networks by using multiple attack types from different categories.

**Protecting Against, Responding to DDoS Attacks**

When websites or servers go down, companies risk losing sales and customers, incurring high recovery costs and damaging their reputations. In some regions and industry sectors, they may even be subject to penalties and fines. Here are four ways to respond to DDoS attacks.

**1\. Evaluate Your Risks and Make Sure You're Protected**

The first step is to identify the publicly exposed applications within your organization. Make sure you note typical application behavior patterns so you can identify anomalies and respond accordingly. Because DDoS attacks typically spike during peak business seasons, such as the holidays, organizations should look for scalable DDoS protection services with advanced mitigation capabilities. Specific service features include traffic monitoring; adaptive real-time tuning; DDoS protection telemetry, monitoring, and alerting; and access to a rapid response team.

**2\. Get Prepared With a DDoS Response Strategy**

One proactive measure that all companies should take is to develop a rapid response strategy. Start by forming a DDoS rapid response team that knows how to identify, mitigate, and monitor attacks. This team should also be able to work with internal stakeholders and customers.

**3\. Identify Potential Weaknesses**

Use attack simulations to understand how your services will respond in the event of an attack. These simulations should confirm that your services or applications will be able to function normally without disrupting users' experiences, and they should happen during off-business hours or within a staging environment to minimize business impact. When conducting an attack simulation, make sure you identify potential technology and process gaps to inform your DDoS response strategy.

**4\. Respond, Learn, Adapt In the Face of Attacks**

In the event of an actual DDoS attack, contact an established DDoS response team or other technical professionals to conduct your attack investigation and post-attack analysis. This retrospective analysis is especially critical as it can help to clarify whether service or user disruptions were due to a lack of scalable architecture. Focus your evaluation on which applications or services experienced the greatest disruptions, as well as the effectiveness of your DDoS response strategy.

Of course, DDoS attacks are just one type of emerging cyberthreat. For more information on ongoing cybersecurity developments and best practices, check out Microsoft Security Insider.

4 Tips to Guard Against DDoS Attacks

In affected versions of Octopus Deploy it is possible to upload a zipbomb file as a task which results in Denial of Service

Summary

Zipbomb resource exhaustion in Octopus Server (CVE-2022-2883)

Advisory Number

2023-01

Discovery Date

05 Nov 2022

Patch Release Date

06 Feb 2023

Advisory Release Date

14 Feb 2023

Product

Octopus Server

Operating System

Linux and Microsoft Windows

Severity

Medium

CVE ID

CVE-2022-2883

Customers who have downloaded and installed any of the Octopus Server versions listed below ("Details") are affected.

Please upgrade your Octopus Server immediately to fix this vulnerability.

Customers who have upgraded Octopus Server to version 2022.4.8423 or higher are not affected.

**Severity**

Octopus Deploy has given this vulnerability a medium rating. This rating was given according to the Octopus Deploy severity levels, which ranks vulnerabilities as critical, high, medium, or low severity.

This is our assessment and you should evaluate its applicability to your own environment.

**Details**

In affected versions of Octopus Deploy it is possible to upload a zipbomb file as a task which results in Denial of Service

The versions of Octopus Server affected by this vulnerability are:

*   All 0.x.x, 1.x.x, 2.x.x, 3.x.x, 4.x.x versions
*   All 2018.x.x, 2019.x.x, 2020.x.x, 2021.x.x versions
*   All 2022.1.x, 2022.2.x versions
*   All 2022.3.x versions before 2022.3.11043
*   All 2022.4.x versions before 2022.4.8401

**Fix**

To address this vulnerability, we have released Octopus Server version:

*   2022.3.11043
*   2022.4.8401

The latest versions of Octopus Deploy products can be downloaded from https://octopus.com/downloads and previous versions can be downloaded from https://octopus.com/downloads/previous

**What You Need to Do**

Octopus Deploy recommends that you upgrade to the latest version (2022.4.8423). You can download the latest version of Octopus Server from https://octopus.com/downloads

**If you can't upgrade to the latest version (2022.4.8423):**

If you have feature version...

...then upgrade to this version

0.x.x, 1.x.x, 2.x.x, 3.x.x, 4.x.x

2022.3.11043 or greater

2018.x, 2019.x, 2020.x, 2021.x

2022.3.11043 or greater

2022.1.x, 2022.2.x

2022.3.11043 or greater

2022.3.x

2022.3.11043 or greater

2022.4.x

2022.4.8401 or greater

**Mitigation**

There is no known mitigation for CVE-2022-2883, it is important to upgrade to a fixed version as soon as possible.

**Support**

If you have any questions or concerns regarding this advisory, please contact our support team https://octopus.com/support.

**Exploitation and Public Announcements**

The Octopus Deploy security team is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

**Source**

This vulnerability was found by Bartłomiej Górkiewicz

CVE-2022-2883: Security Advisory 2023-02

Making the option available only to paid subscribers — while also claiming SMS authentication is broken — doesn't make sense, some say. Is it a cash grab?

Twitter's sudden decision to disable SMS-based two-factor authentication (2FA) for all users except subscribers of its paid Twitter Blue service has infuriated security experts and further tarnished the social media giant's already somewhat dubious reputation for protecting users of its services.

Twitter, on Feb. 15, announced that in 30 days it would disable text-message based — or SMS-based — 2FA for all but paying Twitter Blue subscribers. "After 20 March 2023, we will no longer permit non-Twitter Blue subscribers to use text messages as a 2FA method," the company said. "At that time, accounts with text message 2FA still enabled will have it disabled."

Several analysts view the move as ill-conceived and weakening protections for the millions of users that currently use the two-factor option when accessing their Twitter accounts. Even those who agree with Twitter's view about text message-based authentication mechanisms being somewhat susceptible to attack still perceive it as offering magnitudes more protection than not having a second factor at all.

**Twitter's Ill-Conceived Move**

"The optics are certainly bad," says Richard Stiennon, chief research analyst at IT-Harvest. "This move seems to put a price on better security for Twitter which is the poster child for account takeover attacks dating back to 2008 when a script kiddie in California ran John the Ripper against celebrity accounts to guess their passwords."

The company urged users that still want to enable 2FA for their Twitter accounts to consider using an authentication app or security key/token as their second factor. Authentication apps are mobile apps that generate a one-time password or key that users can use in addition to their password when accessing an account on which they have enabled two-factor authentication. Examples include Google Authenticator, Microsoft Authenticator, and LastPass Authenticator. 

Security keys are usually a physical device — like a USB dongle — that users can use to verify their identity when logging in to an account. "These methods require you to have physical possession of the authentication method and are a great way to ensure your account is secure," Twitter said.

"Using an authenticator app is better \[than text-based 2FA\]," Steinnon notes, "but there will never be a large number of users unless Twitter makes such an app a requirement and makes it available for free."

**Raising Questions About Text-Based 2FA**

The social media company's brief statement announcing its decision to stop SMS authentication alluded to concerns over the security of the process as the main motivation: "While historically a popular form of 2FA, unfortunately we have seen phone-number based 2FA be used — and abused — by bad actors."

The widespread use of mobile devices for SMS-based 2FA authentication, for instance, has driven an increase in so called SIM-swapping attacks, where a threat actor transfers another individual's phone number to their SIM card so they can intercept the SMS authentication messages used for 2FA. Concerns over weaknesses in mobile networks allowing attackers to intercept SMS messages and use it to break into 2FA protected accounts have persisted for years, as have calls to replace it with stronger token and app based token generators.

Nonetheless, Stiennon and others dismiss that explanation as not being enough reason to disable the option for anyone that wants to use it. "For highly targeted attacks, it is true that SMS can be intercepted by determined attackers," he says, noting that such attacks are rare.

**An Attempt to Raise Revenue?**

John Pescatore, director of emerging security trends at the SANS Institute, says Twitter's move is somewhat akin to a bank insisting that users of a free checking account only enter their PIN — and not their ATM card as well — to use an ATM machine. "While SMS messaging as 2FA is less secure than tokens, trusted apps, or other phishing-resistant forms, it is still so much more secure than reusable passwords," he says.

"The only justification for what they are doing is an attempt to raise revenue," Pesactore tells Dark Reading. Otherwise, why would they allow a supposedly less secure authentication only be available to their paid subscribers, he points out.

A transparency report that Twitter released in December 2021 showed at that time that some 2.4% of active Twitter accounts had enabled 2FA. Of that, 74.4% used SMS authentication, 28.9% used an authentication app, and 0.5% had a security key. Based on those numbers (the most recent), only a relatively small proportion of Twitter's active accounts would appear directly impacted by Twitter's recent decision — though, of course, adoption could have increased since 2021. Still, some see it as another indication of what they perceive as Twitter's cavalier attitude toward user security. Earlier this year, after all, an apparent API endpoint compromise at Twitter allowed an attacker to steal data on some 200 million Twitter users and put it up for sale on an underground forum.

"Twitter has a consistently poor record around security," Pescatore notes. Last year, for instance, the Federal Trade Commission assessed a $150 million civil penalty over the company not taking steps required of them to fix problems that caused privacy violations dating back years, he says. Those violations had to do with Twitter using phone numbers and email addresses that it collects for 2FA to deliver targeted advertising instead. 

"Under new ownership, this year they first tried to increase revenue by giving verified identity status to anyone willing to pay $8," Pescatore adds.

**Coming Under the Microscope**

As if the company's security challenges were not bad enough, Elon Musk's controversial leadership of Twitter has also put the company's every move under the microscope.

"As with anything to do with Twitter nowadays, the broader context for their decisions invites a lot of controversy from all over the political spectrum," says Fernando Montenegro, an analyst with Omdia.

With the latest move, there's a general understanding that SMS 2FA is less resistant to some attacks than the authenticator apps or security keys. So getting users to move towards "better" MFA is a good thing for potentially improving resilience against these attacks, he adds. "It's also a decision that saves Twitter money, as they will no longer be sending MFA SMS messages to accounts that are not subscribers," Montenegro says.

The key question here is whether people use SMS because it's easier to set it up or just because they don't know about alternatives, he points out. "If the former, and Twitter doesn't make the process easier, then security is likely to suffer. If the latter, then their decision can actually result in more people knowing about other options for MFA and turning those on."

Analysts Slam Twitter's Decision to Disable SMS-Based 2FA

By Waqas
Threat actors have hacked two data centers in Asia and accessed login credentials of top technology giants, including Apple, Uber, Microsoft, Samsung, Alibaba, etc., and leaked them on a hacker forum.
This is a post from HackRead.com Read the original post: Login Details of Tech Giants Leaked in Two Data Center Hacks

The leaked data includes email addresses, password hashes, names, phone numbers, and more.

Hackers obtained login credentials for several mainstream corporate giants, including Microsoft, Samsung, Uber and Apple, etc. and gained remote access to the entities’ surveillance cameras after attacking two data centers in Asia.

A screenshot from the leaked data shows login credentials for Samsung, Amazon, Uber, Alibaba and more. (Credit: Hackread.com)

This was **revealed** by the cyber security firm Resecurity. The company originally identified the data breach in September 2021; however, details of it were only revealed to the media now as on February 20th, 2023, hackers leaked the stolen login credentials online.

It is worth noting that these credentials were leaked on Breachforums by a threat actor going by the handle of “Minimalman.” For your information, Breachforums is a hacker and cybercrime forum that surfaced as an alternative to the popular and **now-seized Raidforums**.

According to Resecurity, hackers accessed two of the largest data center operators in Asia that were being used by several mainstream companies and technology giants. From there, the hackers could obtain customer support logins for high-profile companies, including Amazon and Apple, BMW, Microsoft, Alibaba, Walmart, Goldman Sachs, etc.

As seen by Hackread.com on the hacker forum, the threat actors managed to obtain and leak credentials from over 2,000 firms and a Chinese foreign-exchange platform.

The data centers have been identified as Shanghai-based GDS Holdings and Singapore-based ST Telemedia Global. Both data centers reportedly forced all customers to change their passwords in January 2023.

**Dangers**

The dangers of hackers obtaining login credentials of tech giants such as Apple, Amazon, Microsoft, Samsung and others are numerous and severe. Firstly, such credentials allow hackers to access sensitive customer data, including payment information and personal details, which can lead to **identity theft and financial fraud**.

Secondly, hackers can use these credentials to gain access to the company’s networks, potentially compromising intellectual property and trade secrets. Additionally, with access to company accounts, hackers can launch cyber attacks against other organizations, amplifying the damage caused by their actions.

Furthermore, a breach of a tech giant’s login credentials can have far-reaching consequences, impacting not only the company and its customers but the wider economy and society as a whole. For instance, if a company like Amazon were to suffer a significant data breach, it could lead to a loss of consumer trust, which could in turn affect the confidence of investors and the stock market.

Moreover, a successful hack of a tech giant’s credentials could inspire copycat attacks, leading to an escalation in cybercrime and potentially destabilizing the digital infrastructure that underpins much of our daily lives.

To mitigate these risks, tech giants must remain vigilant in their cybersecurity measures, ensuring that their systems are regularly updated and that their employees are trained to detect and prevent security breaches.

Companies must also invest in advanced technologies such as machine learning and artificial intelligence to detect and respond to cyber threats in real time. Finally, companies must ensure that they comply with industry standards and regulations related to cybersecurity, such as the General Data Protection Regulation (**GDPR**), to protect the privacy and security of their customers.

1.  **Sydney Data Center Targeted By FinFisher Spyware**
2.  **Hackers attack National Data Center with watering hole attack**
3.  **Hyperconverged Infrastructure (HCI) is Changing Data Centers**
4.  **Top sites affected after OVH data center catches disastrous fire**

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Login Details of Tech Giants Leaked in Two Data Center Hacks

This advisory ties together older research on a contact file handling flaw on Microsoft Windows as well as recent research discovered that uses the same methodologies.

[-] Microsoft Windows Contact file / Remote Code Execution (Resurrected 2022)  / CVE-2022-44666

[+] John Page (aka hyp3rlinx)  
[+] twitter.com/hyp3rlinx  
[+] ISR: ApparitionSec

Back in 2018 I discovered three related Windows remote code execution vulnerabilities affecting both VCF and Contact files.  
They were purchased by Trend Micro Zero Day Initiative (@thezdi) from me and received candidate identifiers ZDI-CAN-6920 and ZDI-CAN-7591.  
Microsoft as usual denied a fix and it was subsequently dropped as a zero day on January 10, 2019 in coordination with the ZDI program.

Almost five years passed, until researcher j00sean resurrected the flaws to add additional protocol vectors LDAP etc.  
Microsoft finally decided to patch and assign CVE-2022-44666 even though the vulnerabilities are exactly the same.

Old 2019 advisories:  
=====================  
1) Windows VCF RCE  
http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-VCF-FILE-INSUFFICIENT-WARNING-REMOTE-CODE-EXECUTION.txt

2) Windows Contact HTML injection  
http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-CONTACT-FILE-HTML-INJECTION-MAILTO-LINK-ARBITRARY-CODE-EXECUTION.txt

3) Windows Contact RCE  
http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-CONTACT-FILE-INSUFFECIENT-UI-WARNING-WEBSITE-LINK-ARBITRARY-CODE-EXECUTION.txt

Circa 2022 updated:  
=====================  
https://github.com/j00sean/CVE-2022-44666#readme  
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-44666

Additional References:  
=======================  
https://www.zerodayinitiative.com/advisories/ZDI-19-013/  
https://www.zdnet.com/article/poc-for-windows-vcf-zero-day-published-online/  
https://thehackernews.com/2019/01/vcard-windows-hacking.html  
https://twitter.com/hyp3rlinx/status/1083528552253919232  
https://seclists.org/bugtraq/2019/Jan/43  
https://vimeo.com/312824315  
https://www.exploit-db.com/exploits/46167  
https://www.rapid7.com/db/modules/exploit/windows/fileformat/microsoft_windows_contact/

Special thanks to j00sean for his work and resurrecting this vulnerability from the dead and helping deal with M$

hyp3rlinx

Microsoft Windows Contact File Remote Code Execution

Twitter is disabling SMS-based two-factor authentication. Switch to these alternatives to keep your account safe.

The latest bizarre move of Elon Musk’s Twitter ownership weakens the security of millions of accounts. On February 17, Twitter announced plans to stop people using SMS-based two-factor authentication to secure their accounts—unless they start paying for a Twitter Blue subscription. However, there are more secure, free, and easier ways to continue protecting your Twitter account with two-factor authentication.

Two-factor authentication, also known as 2FA or multi-factor authentication, is one of the most effective ways to protect your online accounts from being hacked. When logging in to a website, app, or service, 2FA requires you to sign in using your username and password, then verify that the login is authentic using another piece of information. Most commonly, this involves entering a temporary code that’s generated or sent to you in real time.

This second piece of information helps to prove that the person logging in is actually you. While billions of passwords have been compromised online, the 2FA code is often delivered to or created by the device that’s in your pocket. Having any kind of two-factor authentication turned on is better than none. However, it isn’t entirely foolproof. For years, security researchers have warned that SMS-based two-factor authentication isn’t as secure as other 2FA options.

That’s because SIM-swapping attacks, where phone numbers are compromised by attackers, let criminals access 2FA messages and break into accounts. Put simply: Using another 2FA option, even if it is slightly less convenient, is your best option.

In its announcement, Twitter said people have 30 days to turn off SMS-based 2FA and move to another option. It said the system had been abused by “bad actors” in the past. On March 20, Twitter will “disable” using text messages for two-factor authentication—unless you pay for the privilege. People have already started seeing pop-ups telling them to “remove text message two-factor authentication” before this date. 

However, Twitter’s announcement has baffled, confused, and angered security researchers. They say removing SMS-based 2FA just for people who don’t pay for Twitter Blue doesn’t make any sense and will weaken people’s security if they do not move to another 2FA option. Here’s what you should do to keep your account secure.

Use an Authenticator App or Security Key

Instead of turning 2FA off on your Twitter account, there are two better options: authenticator apps and security keys. They both work using the same principles as SMS-based 2FA. To enable either of these alternatives you will need to visit Twitter, open its **Settings and privacy**, then **Security and account access**, **Security**, and finally **Two-factor authentication**. (Or just click here if you are logged in). Here you will get the option to use two-factor authentication via an app or using security keys.

Instead of sending your six-digit authentication code via SMS message, authenticator apps are constantly generating the codes themselves and are synced with the services you use. Authenticator apps list all the websites you have registered with them and display the codes you need to enter to log in. These codes refresh every 30 seconds. Each time you need to log in to a website or app, you visit the authenticator app after entering your username and password to get the authentication code instead of waiting for a text message. (It’s particularly helpful if your phone doesn’t have connectivity for some reason.)

There are multiple, free two-factor authentication apps to pick from, although they all offer the same essential service and can be used across platforms. The big players have their own apps:There’s Google’s Authenticator App and Microsoft Authenticator. Alternatively, various password managers that you may already use, such as 1Password, have their own authenticator services. There’s also Twilio’s Authy App. And if you have an iPhone, you can use Apple’s built-in generator. 

Each has pros and cons that you should consider before picking one. For instance, you may be heavily locked into Microsoft’s or Google’s ecosystems and want to use their apps. Google’s is relatively basic but doesn’t sync elsewhere; Microsoft’s app offers password management services. However, the Microsoft and Authy apps appear to collect more user analytics data than Google’s. Whatever app you pick, it’s possible to switch to another authenticator.

Setting up an authentication app on Twitter, and anywhere else, is simple. For Twitter, you need to visit its 2FA page. Then open your authentication app, select the option to add a new account, then scan the QR Twitter shows you. Enter the six-digit code on your app and you’re done.

Alternatively, instead of an authenticator app, you can use a security key. The keys are physical pieces of hardware that you either plug into your computer when logging in or connect to your phone. They’re the most secure method of 2FA as an attacker physically needs the key to log in to your account—whereas an attacker always has the possibility of trying to trick you into handing over a generated six-digit authentication code.

Once you’ve set up an authenticator app or hardware key for Twitter, you’ll also want to make a note of Twitter’s backup code for your account. The backup code can be used to log in to Twitter if you can’t access your 2FA options, such as losing your phone or security key. (The first time you set up 2FA on Twitter it will provide you with a backup code, although this can be regenerated online.) You should save this in a safe place, such as your password manager.

Tag

#microsoft