The FBI warns of education sector credentials being placed for sale on the dark web. We take a look at the risks involved.
The post FBI warns of education sector credentials on dark web forums appeared first on Malwarebytes Labs.

The FBI is warning academics to be on their guard, as an embattled education sector continues to experience attacks and breaches, with data spilling onto the so-called dark web. The government agency’s Private Industry Notification \[PDF\] cites US academic credentials up for grabs from a variety of sources.

**A stepping stone to compromise**

From the summary:

> _The FBI is informing academic partners of identified US college and university credentials advertised for sale on online criminal marketplaces and publicly accessible forums. This exposure of sensitive credential and network access information, especially privileged user accounts, could lead to subsequent cyber attacks against individual users or affiliated organizations._

Data for sale is not unusual. Phishing, social engineering, and credential stuffing are often the end result. Dumps of education/university data can offer specific in-roads into campus networks, or further harvesting of student and employee credentials or personal information. Additionally, the FBI warns:

> _If attackers are successful in compromising a victim account, they may attempt to drain the account of stored value, leverage or re-sell credit card numbers and other personally identifiable information, submit fraudulent transactions, exploit for other criminal activity against the account holder, or use for subsequent attacks against affiliated organizations._

**A wide range of data possibilities**

Private sites and regular forums aren’t the only cause for concern. The FBI also observed data sitting on instant messaging platforms too. Some of their findings:

*   **Late 2020**: 2,000 unique username/password .edu combinations were up for sale on the dark web. Payment for this was made via donations to an unspecified Bitcoin wallet.
*   **May 2021**: Over 36,000 email/password combinations for .edu addresses were observed on a “publicly available instant messaging platform.” This apparently fed into other unnamed illegal activities.
*   **January 2022**: “Russian cyber criminal forums” were offering network and VPN credentials, both for sale or free to access. Screenshots showing the attacker’s proof of access is common on portals such as this. Prices of stolen accounts ranged from “a few to multiple thousands of US dollars.”

**Keeping the education sector safe: an uphill struggle**

This warning comes at a time of sustained cyber attacks in and around education. Last year, the FBI warned of an increase in ransomware targeting institutions. Sure enough, in 2022 we’ve seen colleges close down and data lost. There’s also constant concerns over cyber security funding to contend with.

The FBI recommends colleges, universities, and other academic entities establish and maintain strong relationships with the FBI field office in their region, along with observing the various mitigation strategies in their notification alert. We expect to see more data dumps and breaches over the coming months, but hopefully careful observation of security procedures and mitigations will make a dent in some criminal’s plans.

**Tips from the FBI**

*   Keep operating systems up to date, and patch in a timely fashion. Beware of End of Life (EOL) support for systems and applications.
*   Implement user training to reduce the risk of phishing and social engineering.
*   Use strong passwords, avoid password reuse, and establish lock-out rules for incorrect attempts.
*   Encourage the use of multifactor authentication (MFA) for as many services as possible, including webmail, VPN, and critical systems.
*   Reduce credential exposure by restricting where accounts can be used alongside local device credential protection features.
*   Segment networks to help prevent spread of malware and unauthorized access.
*   Automate security scanning, and use monitoring tools to help identify network abnormalities and compromise attempts.
*   Secure and closely monitor remote desktop protocol (RDP) use, alongside restricting login attempts and using additional authentication measures for logging in remotely.

FBI warns of education sector credentials on dark web forums

Red Hat Security Advisory 2022-4816-01 - The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc. Issues addressed include a privilege escalation vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: container-tools:3.0 security update  
Advisory ID:       RHSA-2022:4816-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:4816  
Issue date:        2022-05-31  
CVE Names:         CVE-2022-1227 CVE-2022-27649 CVE-2022-27651  
====================================================================  
1. Summary:

An update for the container-tools:3.0 module is now available for Red Hat  
Enterprise Linux 8.4 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream EUS (v.8.4) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

The container-tools module contains tools for working with containers,  
notably podman, buildah, skopeo, and runc.

Security Fix(es):

* psgo: Privilege escalation in 'podman top' (CVE-2022-1227)

* podman: Default inheritable capabilities for linux container should be  
empty (CVE-2022-27649)

* buildah: Default inheritable capabilities for linux container should be  
empty (CVE-2022-27651)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1972343 - podman's image index corrupted during WAN emulation tests [rhel-8.4.0.z]  
2066568 - CVE-2022-27649 podman: Default inheritable capabilities for linux container should be empty  
2066840 - CVE-2022-27651 buildah: Default inheritable capabilities for linux container should be empty  
2070368 - CVE-2022-1227 psgo: Privilege escalation in 'podman top'

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v.8.4):

Source:  
buildah-1.19.9-1.module+el8.4.0+14872+9efa52a3.src.rpm  
cockpit-podman-29-2.module+el8.4.0+14872+9efa52a3.src.rpm  
conmon-2.0.26-1.module+el8.4.0+14872+9efa52a3.src.rpm  
container-selinux-2.167.0-1.module+el8.4.0+14872+9efa52a3.src.rpm  
containernetworking-plugins-0.9.1-1.module+el8.4.0+14872+9efa52a3.src.rpm  
criu-3.15-1.module+el8.4.0+14872+9efa52a3.src.rpm  
crun-0.18-2.module+el8.4.0+14872+9efa52a3.src.rpm  
fuse-overlayfs-1.4.0-2.module+el8.4.0+14872+9efa52a3.src.rpm  
libslirp-4.3.1-1.module+el8.4.0+14872+9efa52a3.src.rpm  
oci-seccomp-bpf-hook-1.2.0-1.module+el8.4.0+14872+9efa52a3.src.rpm  
podman-3.0.1-9.module+el8.4.0+14872+9efa52a3.src.rpm  
runc-1.0.0-76.rc95.module+el8.4.0+14872+9efa52a3.src.rpm  
skopeo-1.2.2-8.module+el8.4.0+14872+9efa52a3.src.rpm  
slirp4netns-1.1.8-1.module+el8.4.0+14872+9efa52a3.src.rpm  
toolbox-0.0.8-1.module+el8.4.0+14872+9efa52a3.src.rpm  
udica-0.2.4-1.module+el8.4.0+14872+9efa52a3.src.rpm

aarch64:  
buildah-1.19.9-1.module+el8.4.0+14872+9efa52a3.aarch64.rpm  
buildah-debuginfo-1.19.9-1.module+el8.4.0+14872+9efa52a3.aarch64.rpm  
buildah-debugsource-1.19.9-1.module+el8.4.0+14872+9efa52a3.aarch64.rpm  
buildah-tests-1.19.9-1.module+el8.4.0+14872+9efa52a3.aarch64.rpm  
buildah-tests-debuginfo-1.19.9-1.module+el8.4.0+14872+9efa52a3.aarch64.rpm  
conmon-2.0.26-1.module+el8.4.0+14872+9efa52a3.aarch64.rpm  
conmon-debuginfo-2.0.26-1.module+el8.4.0+14872+9efa52a3.aarch64.rpm  
conmon-debugsource-2.0.26-1.module+el8.4.0+14872+9efa52a3.aarch64.rpm  
containernetworking-plugins-0.9.1-1.module+el8.4.0+14872+9efa52a3.aarch64.rpm  
containernetworking-plugins-debuginfo-0.9.1-1.module+el8.4.0+14872+9efa52a3.aarch64.rpm  
containernetworking-plugins-debugsource-0.9.1-1.module+el8.4.0+14872+9efa52a3.aarch64.rpm  
containers-common-1.2.2-8.module+el8.4.0+14872+9efa52a3.aarch64.rpm  
crit-3.15-1.module+el8.4.0+14872+9efa52a3.aarch64.rpm  
criu-3.15-1.module+el8.4.0+14872+9efa52a3.aarch64.rpm  
criu-debuginfo-3.15-1.module+el8.4.0+14872+9efa52a3.aarch64.rpm  
criu-debugsource-3.15-1.module+el8.4.0+14872+9efa52a3.aarch64.rpm  
crun-0.18-2.module+el8.4.0+14872+9efa52a3.aarch64.rpm  
crun-debuginfo-0.18-2.module+el8.4.0+14872+9efa52a3.aarch64.rpm  
crun-debugsource-0.18-2.module+el8.4.0+14872+9efa52a3.aarch64.rpm  
fuse-overlayfs-1.4.0-2.module+el8.4.0+14872+9efa52a3.aarch64.rpm  
fuse-overlayfs-debuginfo-1.4.0-2.module+el8.4.0+14872+9efa52a3.aarch64.rpm  
fuse-overlayfs-debugsource-1.4.0-2.module+el8.4.0+14872+9efa52a3.aarch64.rpm  
libslirp-4.3.1-1.module+el8.4.0+14872+9efa52a3.aarch64.rpm  
libslirp-debuginfo-4.3.1-1.module+el8.4.0+14872+9efa52a3.aarch64.rpm  
libslirp-debugsource-4.3.1-1.module+el8.4.0+14872+9efa52a3.aarch64.rpm  
libslirp-devel-4.3.1-1.module+el8.4.0+14872+9efa52a3.aarch64.rpm  
oci-seccomp-bpf-hook-1.2.0-1.module+el8.4.0+14872+9efa52a3.aarch64.rpm  
oci-seccomp-bpf-hook-debuginfo-1.2.0-1.module+el8.4.0+14872+9efa52a3.aarch64.rpm  
oci-seccomp-bpf-hook-debugsource-1.2.0-1.module+el8.4.0+14872+9efa52a3.aarch64.rpm  
podman-3.0.1-9.module+el8.4.0+14872+9efa52a3.aarch64.rpm  
podman-catatonit-3.0.1-9.module+el8.4.0+14872+9efa52a3.aarch64.rpm  
podman-catatonit-debuginfo-3.0.1-9.module+el8.4.0+14872+9efa52a3.aarch64.rpm  
podman-debuginfo-3.0.1-9.module+el8.4.0+14872+9efa52a3.aarch64.rpm  
podman-debugsource-3.0.1-9.module+el8.4.0+14872+9efa52a3.aarch64.rpm  
podman-plugins-3.0.1-9.module+el8.4.0+14872+9efa52a3.aarch64.rpm  
podman-plugins-debuginfo-3.0.1-9.module+el8.4.0+14872+9efa52a3.aarch64.rpm  
podman-remote-3.0.1-9.module+el8.4.0+14872+9efa52a3.aarch64.rpm  
podman-remote-debuginfo-3.0.1-9.module+el8.4.0+14872+9efa52a3.aarch64.rpm  
podman-tests-3.0.1-9.module+el8.4.0+14872+9efa52a3.aarch64.rpm  
python3-criu-3.15-1.module+el8.4.0+14872+9efa52a3.aarch64.rpm  
runc-1.0.0-76.rc95.module+el8.4.0+14872+9efa52a3.aarch64.rpm  
runc-debuginfo-1.0.0-76.rc95.module+el8.4.0+14872+9efa52a3.aarch64.rpm  
runc-debugsource-1.0.0-76.rc95.module+el8.4.0+14872+9efa52a3.aarch64.rpm  
skopeo-1.2.2-8.module+el8.4.0+14872+9efa52a3.aarch64.rpm  
skopeo-debuginfo-1.2.2-8.module+el8.4.0+14872+9efa52a3.aarch64.rpm  
skopeo-debugsource-1.2.2-8.module+el8.4.0+14872+9efa52a3.aarch64.rpm  
skopeo-tests-1.2.2-8.module+el8.4.0+14872+9efa52a3.aarch64.rpm  
slirp4netns-1.1.8-1.module+el8.4.0+14872+9efa52a3.aarch64.rpm  
slirp4netns-debuginfo-1.1.8-1.module+el8.4.0+14872+9efa52a3.aarch64.rpm  
slirp4netns-debugsource-1.1.8-1.module+el8.4.0+14872+9efa52a3.aarch64.rpm

noarch:  
cockpit-podman-29-2.module+el8.4.0+14872+9efa52a3.noarch.rpm  
container-selinux-2.167.0-1.module+el8.4.0+14872+9efa52a3.noarch.rpm  
podman-docker-3.0.1-9.module+el8.4.0+14872+9efa52a3.noarch.rpm  
toolbox-0.0.8-1.module+el8.4.0+14872+9efa52a3.noarch.rpm  
udica-0.2.4-1.module+el8.4.0+14872+9efa52a3.noarch.rpm

ppc64le:  
buildah-1.19.9-1.module+el8.4.0+14872+9efa52a3.ppc64le.rpm  
buildah-debuginfo-1.19.9-1.module+el8.4.0+14872+9efa52a3.ppc64le.rpm  
buildah-debugsource-1.19.9-1.module+el8.4.0+14872+9efa52a3.ppc64le.rpm  
buildah-tests-1.19.9-1.module+el8.4.0+14872+9efa52a3.ppc64le.rpm  
buildah-tests-debuginfo-1.19.9-1.module+el8.4.0+14872+9efa52a3.ppc64le.rpm  
conmon-2.0.26-1.module+el8.4.0+14872+9efa52a3.ppc64le.rpm  
conmon-debuginfo-2.0.26-1.module+el8.4.0+14872+9efa52a3.ppc64le.rpm  
conmon-debugsource-2.0.26-1.module+el8.4.0+14872+9efa52a3.ppc64le.rpm  
containernetworking-plugins-0.9.1-1.module+el8.4.0+14872+9efa52a3.ppc64le.rpm  
containernetworking-plugins-debuginfo-0.9.1-1.module+el8.4.0+14872+9efa52a3.ppc64le.rpm  
containernetworking-plugins-debugsource-0.9.1-1.module+el8.4.0+14872+9efa52a3.ppc64le.rpm  
containers-common-1.2.2-8.module+el8.4.0+14872+9efa52a3.ppc64le.rpm  
crit-3.15-1.module+el8.4.0+14872+9efa52a3.ppc64le.rpm  
criu-3.15-1.module+el8.4.0+14872+9efa52a3.ppc64le.rpm  
criu-debuginfo-3.15-1.module+el8.4.0+14872+9efa52a3.ppc64le.rpm  
criu-debugsource-3.15-1.module+el8.4.0+14872+9efa52a3.ppc64le.rpm  
crun-0.18-2.module+el8.4.0+14872+9efa52a3.ppc64le.rpm  
crun-debuginfo-0.18-2.module+el8.4.0+14872+9efa52a3.ppc64le.rpm  
crun-debugsource-0.18-2.module+el8.4.0+14872+9efa52a3.ppc64le.rpm  
fuse-overlayfs-1.4.0-2.module+el8.4.0+14872+9efa52a3.ppc64le.rpm  
fuse-overlayfs-debuginfo-1.4.0-2.module+el8.4.0+14872+9efa52a3.ppc64le.rpm  
fuse-overlayfs-debugsource-1.4.0-2.module+el8.4.0+14872+9efa52a3.ppc64le.rpm  
libslirp-4.3.1-1.module+el8.4.0+14872+9efa52a3.ppc64le.rpm  
libslirp-debuginfo-4.3.1-1.module+el8.4.0+14872+9efa52a3.ppc64le.rpm  
libslirp-debugsource-4.3.1-1.module+el8.4.0+14872+9efa52a3.ppc64le.rpm  
libslirp-devel-4.3.1-1.module+el8.4.0+14872+9efa52a3.ppc64le.rpm  
oci-seccomp-bpf-hook-1.2.0-1.module+el8.4.0+14872+9efa52a3.ppc64le.rpm  
oci-seccomp-bpf-hook-debuginfo-1.2.0-1.module+el8.4.0+14872+9efa52a3.ppc64le.rpm  
oci-seccomp-bpf-hook-debugsource-1.2.0-1.module+el8.4.0+14872+9efa52a3.ppc64le.rpm  
podman-3.0.1-9.module+el8.4.0+14872+9efa52a3.ppc64le.rpm  
podman-catatonit-3.0.1-9.module+el8.4.0+14872+9efa52a3.ppc64le.rpm  
podman-catatonit-debuginfo-3.0.1-9.module+el8.4.0+14872+9efa52a3.ppc64le.rpm  
podman-debuginfo-3.0.1-9.module+el8.4.0+14872+9efa52a3.ppc64le.rpm  
podman-debugsource-3.0.1-9.module+el8.4.0+14872+9efa52a3.ppc64le.rpm  
podman-plugins-3.0.1-9.module+el8.4.0+14872+9efa52a3.ppc64le.rpm  
podman-plugins-debuginfo-3.0.1-9.module+el8.4.0+14872+9efa52a3.ppc64le.rpm  
podman-remote-3.0.1-9.module+el8.4.0+14872+9efa52a3.ppc64le.rpm  
podman-remote-debuginfo-3.0.1-9.module+el8.4.0+14872+9efa52a3.ppc64le.rpm  
podman-tests-3.0.1-9.module+el8.4.0+14872+9efa52a3.ppc64le.rpm  
python3-criu-3.15-1.module+el8.4.0+14872+9efa52a3.ppc64le.rpm  
runc-1.0.0-76.rc95.module+el8.4.0+14872+9efa52a3.ppc64le.rpm  
runc-debuginfo-1.0.0-76.rc95.module+el8.4.0+14872+9efa52a3.ppc64le.rpm  
runc-debugsource-1.0.0-76.rc95.module+el8.4.0+14872+9efa52a3.ppc64le.rpm  
skopeo-1.2.2-8.module+el8.4.0+14872+9efa52a3.ppc64le.rpm  
skopeo-debuginfo-1.2.2-8.module+el8.4.0+14872+9efa52a3.ppc64le.rpm  
skopeo-debugsource-1.2.2-8.module+el8.4.0+14872+9efa52a3.ppc64le.rpm  
skopeo-tests-1.2.2-8.module+el8.4.0+14872+9efa52a3.ppc64le.rpm  
slirp4netns-1.1.8-1.module+el8.4.0+14872+9efa52a3.ppc64le.rpm  
slirp4netns-debuginfo-1.1.8-1.module+el8.4.0+14872+9efa52a3.ppc64le.rpm  
slirp4netns-debugsource-1.1.8-1.module+el8.4.0+14872+9efa52a3.ppc64le.rpm

s390x:  
buildah-1.19.9-1.module+el8.4.0+14872+9efa52a3.s390x.rpm  
buildah-debuginfo-1.19.9-1.module+el8.4.0+14872+9efa52a3.s390x.rpm  
buildah-debugsource-1.19.9-1.module+el8.4.0+14872+9efa52a3.s390x.rpm  
buildah-tests-1.19.9-1.module+el8.4.0+14872+9efa52a3.s390x.rpm  
buildah-tests-debuginfo-1.19.9-1.module+el8.4.0+14872+9efa52a3.s390x.rpm  
conmon-2.0.26-1.module+el8.4.0+14872+9efa52a3.s390x.rpm  
conmon-debuginfo-2.0.26-1.module+el8.4.0+14872+9efa52a3.s390x.rpm  
conmon-debugsource-2.0.26-1.module+el8.4.0+14872+9efa52a3.s390x.rpm  
containernetworking-plugins-0.9.1-1.module+el8.4.0+14872+9efa52a3.s390x.rpm  
containernetworking-plugins-debuginfo-0.9.1-1.module+el8.4.0+14872+9efa52a3.s390x.rpm  
containernetworking-plugins-debugsource-0.9.1-1.module+el8.4.0+14872+9efa52a3.s390x.rpm  
containers-common-1.2.2-8.module+el8.4.0+14872+9efa52a3.s390x.rpm  
crit-3.15-1.module+el8.4.0+14872+9efa52a3.s390x.rpm  
criu-3.15-1.module+el8.4.0+14872+9efa52a3.s390x.rpm  
criu-debuginfo-3.15-1.module+el8.4.0+14872+9efa52a3.s390x.rpm  
criu-debugsource-3.15-1.module+el8.4.0+14872+9efa52a3.s390x.rpm  
crun-0.18-2.module+el8.4.0+14872+9efa52a3.s390x.rpm  
crun-debuginfo-0.18-2.module+el8.4.0+14872+9efa52a3.s390x.rpm  
crun-debugsource-0.18-2.module+el8.4.0+14872+9efa52a3.s390x.rpm  
fuse-overlayfs-1.4.0-2.module+el8.4.0+14872+9efa52a3.s390x.rpm  
fuse-overlayfs-debuginfo-1.4.0-2.module+el8.4.0+14872+9efa52a3.s390x.rpm  
fuse-overlayfs-debugsource-1.4.0-2.module+el8.4.0+14872+9efa52a3.s390x.rpm  
libslirp-4.3.1-1.module+el8.4.0+14872+9efa52a3.s390x.rpm  
libslirp-debuginfo-4.3.1-1.module+el8.4.0+14872+9efa52a3.s390x.rpm  
libslirp-debugsource-4.3.1-1.module+el8.4.0+14872+9efa52a3.s390x.rpm  
libslirp-devel-4.3.1-1.module+el8.4.0+14872+9efa52a3.s390x.rpm  
oci-seccomp-bpf-hook-1.2.0-1.module+el8.4.0+14872+9efa52a3.s390x.rpm  
oci-seccomp-bpf-hook-debuginfo-1.2.0-1.module+el8.4.0+14872+9efa52a3.s390x.rpm  
oci-seccomp-bpf-hook-debugsource-1.2.0-1.module+el8.4.0+14872+9efa52a3.s390x.rpm  
podman-3.0.1-9.module+el8.4.0+14872+9efa52a3.s390x.rpm  
podman-catatonit-3.0.1-9.module+el8.4.0+14872+9efa52a3.s390x.rpm  
podman-catatonit-debuginfo-3.0.1-9.module+el8.4.0+14872+9efa52a3.s390x.rpm  
podman-debuginfo-3.0.1-9.module+el8.4.0+14872+9efa52a3.s390x.rpm  
podman-debugsource-3.0.1-9.module+el8.4.0+14872+9efa52a3.s390x.rpm  
podman-plugins-3.0.1-9.module+el8.4.0+14872+9efa52a3.s390x.rpm  
podman-plugins-debuginfo-3.0.1-9.module+el8.4.0+14872+9efa52a3.s390x.rpm  
podman-remote-3.0.1-9.module+el8.4.0+14872+9efa52a3.s390x.rpm  
podman-remote-debuginfo-3.0.1-9.module+el8.4.0+14872+9efa52a3.s390x.rpm  
podman-tests-3.0.1-9.module+el8.4.0+14872+9efa52a3.s390x.rpm  
python3-criu-3.15-1.module+el8.4.0+14872+9efa52a3.s390x.rpm  
runc-1.0.0-76.rc95.module+el8.4.0+14872+9efa52a3.s390x.rpm  
runc-debuginfo-1.0.0-76.rc95.module+el8.4.0+14872+9efa52a3.s390x.rpm  
runc-debugsource-1.0.0-76.rc95.module+el8.4.0+14872+9efa52a3.s390x.rpm  
skopeo-1.2.2-8.module+el8.4.0+14872+9efa52a3.s390x.rpm  
skopeo-debuginfo-1.2.2-8.module+el8.4.0+14872+9efa52a3.s390x.rpm  
skopeo-debugsource-1.2.2-8.module+el8.4.0+14872+9efa52a3.s390x.rpm  
skopeo-tests-1.2.2-8.module+el8.4.0+14872+9efa52a3.s390x.rpm  
slirp4netns-1.1.8-1.module+el8.4.0+14872+9efa52a3.s390x.rpm  
slirp4netns-debuginfo-1.1.8-1.module+el8.4.0+14872+9efa52a3.s390x.rpm  
slirp4netns-debugsource-1.1.8-1.module+el8.4.0+14872+9efa52a3.s390x.rpm

x86_64:  
buildah-1.19.9-1.module+el8.4.0+14872+9efa52a3.x86_64.rpm  
buildah-debuginfo-1.19.9-1.module+el8.4.0+14872+9efa52a3.x86_64.rpm  
buildah-debugsource-1.19.9-1.module+el8.4.0+14872+9efa52a3.x86_64.rpm  
buildah-tests-1.19.9-1.module+el8.4.0+14872+9efa52a3.x86_64.rpm  
buildah-tests-debuginfo-1.19.9-1.module+el8.4.0+14872+9efa52a3.x86_64.rpm  
conmon-2.0.26-1.module+el8.4.0+14872+9efa52a3.x86_64.rpm  
conmon-debuginfo-2.0.26-1.module+el8.4.0+14872+9efa52a3.x86_64.rpm  
conmon-debugsource-2.0.26-1.module+el8.4.0+14872+9efa52a3.x86_64.rpm  
containernetworking-plugins-0.9.1-1.module+el8.4.0+14872+9efa52a3.x86_64.rpm  
containernetworking-plugins-debuginfo-0.9.1-1.module+el8.4.0+14872+9efa52a3.x86_64.rpm  
containernetworking-plugins-debugsource-0.9.1-1.module+el8.4.0+14872+9efa52a3.x86_64.rpm  
containers-common-1.2.2-8.module+el8.4.0+14872+9efa52a3.x86_64.rpm  
crit-3.15-1.module+el8.4.0+14872+9efa52a3.x86_64.rpm  
criu-3.15-1.module+el8.4.0+14872+9efa52a3.x86_64.rpm  
criu-debuginfo-3.15-1.module+el8.4.0+14872+9efa52a3.x86_64.rpm  
criu-debugsource-3.15-1.module+el8.4.0+14872+9efa52a3.x86_64.rpm  
crun-0.18-2.module+el8.4.0+14872+9efa52a3.x86_64.rpm  
crun-debuginfo-0.18-2.module+el8.4.0+14872+9efa52a3.x86_64.rpm  
crun-debugsource-0.18-2.module+el8.4.0+14872+9efa52a3.x86_64.rpm  
fuse-overlayfs-1.4.0-2.module+el8.4.0+14872+9efa52a3.x86_64.rpm  
fuse-overlayfs-debuginfo-1.4.0-2.module+el8.4.0+14872+9efa52a3.x86_64.rpm  
fuse-overlayfs-debugsource-1.4.0-2.module+el8.4.0+14872+9efa52a3.x86_64.rpm  
libslirp-4.3.1-1.module+el8.4.0+14872+9efa52a3.x86_64.rpm  
libslirp-debuginfo-4.3.1-1.module+el8.4.0+14872+9efa52a3.x86_64.rpm  
libslirp-debugsource-4.3.1-1.module+el8.4.0+14872+9efa52a3.x86_64.rpm  
libslirp-devel-4.3.1-1.module+el8.4.0+14872+9efa52a3.x86_64.rpm  
oci-seccomp-bpf-hook-1.2.0-1.module+el8.4.0+14872+9efa52a3.x86_64.rpm  
oci-seccomp-bpf-hook-debuginfo-1.2.0-1.module+el8.4.0+14872+9efa52a3.x86_64.rpm  
oci-seccomp-bpf-hook-debugsource-1.2.0-1.module+el8.4.0+14872+9efa52a3.x86_64.rpm  
podman-3.0.1-9.module+el8.4.0+14872+9efa52a3.x86_64.rpm  
podman-catatonit-3.0.1-9.module+el8.4.0+14872+9efa52a3.x86_64.rpm  
podman-catatonit-debuginfo-3.0.1-9.module+el8.4.0+14872+9efa52a3.x86_64.rpm  
podman-debuginfo-3.0.1-9.module+el8.4.0+14872+9efa52a3.x86_64.rpm  
podman-debugsource-3.0.1-9.module+el8.4.0+14872+9efa52a3.x86_64.rpm  
podman-plugins-3.0.1-9.module+el8.4.0+14872+9efa52a3.x86_64.rpm  
podman-plugins-debuginfo-3.0.1-9.module+el8.4.0+14872+9efa52a3.x86_64.rpm  
podman-remote-3.0.1-9.module+el8.4.0+14872+9efa52a3.x86_64.rpm  
podman-remote-debuginfo-3.0.1-9.module+el8.4.0+14872+9efa52a3.x86_64.rpm  
podman-tests-3.0.1-9.module+el8.4.0+14872+9efa52a3.x86_64.rpm  
python3-criu-3.15-1.module+el8.4.0+14872+9efa52a3.x86_64.rpm  
runc-1.0.0-76.rc95.module+el8.4.0+14872+9efa52a3.x86_64.rpm  
runc-debuginfo-1.0.0-76.rc95.module+el8.4.0+14872+9efa52a3.x86_64.rpm  
runc-debugsource-1.0.0-76.rc95.module+el8.4.0+14872+9efa52a3.x86_64.rpm  
skopeo-1.2.2-8.module+el8.4.0+14872+9efa52a3.x86_64.rpm  
skopeo-debuginfo-1.2.2-8.module+el8.4.0+14872+9efa52a3.x86_64.rpm  
skopeo-debugsource-1.2.2-8.module+el8.4.0+14872+9efa52a3.x86_64.rpm  
skopeo-tests-1.2.2-8.module+el8.4.0+14872+9efa52a3.x86_64.rpm  
slirp4netns-1.1.8-1.module+el8.4.0+14872+9efa52a3.x86_64.rpm  
slirp4netns-debuginfo-1.1.8-1.module+el8.4.0+14872+9efa52a3.x86_64.rpm  
slirp4netns-debugsource-1.1.8-1.module+el8.4.0+14872+9efa52a3.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-1227  
https://access.redhat.com/security/cve/CVE-2022-27649  
https://access.redhat.com/security/cve/CVE-2022-27651  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYpYjmNzjgjWX9erEAQg3xQ/+IKxvtpR4s+2jt/xcLmi+rw2XppDFf3Hm  
lOF8K5Ri5QOEPYZfnm5qt1eeOoVaB+J3KRopZW5CnclK34LZ15DP3bVfcpiCAGrS  
V7LL6kfGX5HC1GjFrvkSBZidijkDjNP03kwbw1YUsKGjyMqLV+1//Yf3f8iO1nTo  
DeK03ok+igJFFBJrZ4BI/FqMwi+lD1Nu8LA/vry5OYL6FdmPVNJFRqExudttZPFi  
CDO/QpwI94hZuJSUswKNeL9UXLZnY/pQwMsa4Ul9SSWzG4xG7b0uMR3O+2lQDVU0  
dGDZf3mkdzrqElr8S2jHj9RfsElmM/hyup1d+7MoxqUiPSCSBPzw4KzYQ5pJdddR  
+MlpiYFWFcrP4QXIRf7WHlUrH62MR+R3cCuGTlkxrohtdP/YygcFP9uz2JcT8Rki  
0m8GSW+O3MPlbMxIpbEH+sflL1+L/7Ni6YdXdF21g34FuADcYBRQSYTUmmjpObNg  
9ktp0GxmyvCW6f9HTCkzeljybr8JwkX5Zxr2oAGEFdrbCD0qqzTOIvR1979f+Q70  
9ikftTiLPqdJd1QlzogDWwnXkYNMj9Jsr/VDDgRSLCcfwhIxY2wJQ6+x5d0KU6HW  
Rget3q9pYXZJg1V9IWwYpvMV4WpDJFuk5DWrR3hJu2TgzQmnZK4nbuAaskCIlkg0  
jtzkWy9UMDw=AVg2  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-4816-01

**Why is this Chrome CVE included in the Security Update Guide?**

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information.

**How can I see the version of the browser?**

1.  In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
2.  Click on **Help and Feedback**
3.  Click on **About Microsoft Edge**

CVE-ID

Learn more at National Vulnerability Database (NVD)

• CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information

Description

\*\* RESERVED \*\* This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

References

**Note:** References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.

Assigning CNA

N/A

Date Record Created

**20220524**

Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.

Phase (Legacy)

Assigned (20220524)

Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)

N/A

This is a record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.

Search CVE Using Keywords:  

You can also search by reference using the CVE Reference Maps.

For More Information:  CVE Request Web Form (select "Other" from dropdown)

CVE-2022-1875: Chromium: CVE-2022-1875 Inappropriate implementation in PDF

By Waqas
The network credentials and VPN access information were mainly acquired through ransomware, spear-phishing, and other cyberattacks. According to…
This is a post from HackRead.com Read the original post: Hackers Selling US Colleges VPN Credentials on Russian Forums- FBI

**The network credentials and VPN access information were mainly acquired through ransomware, spear-phishing, and other cyberattacks.**

According to the US Federal Bureau of Investigation (FBI), hackers are selling virtual private network (VPN) access and network credentials used by employees of a “multitude” of colleges and universities in the US. The stolen data is sold on Russian underground cybercrime platforms.

The FBI noted that in May 2021, they discovered over 36,000 email/password combinations for addresses ending with .edu. These addresses were available publicly on instant messaging platforms commonly used by cybercriminals.

> “As of January 2022, Russian cybercriminal forums offered for sale or posted for public access the network credentials and virtual private network accesses to a multitude of identified US-based universities and colleges across the country, some of which included screenshots as proof of access.”
> 
> The FBI

**Targeted Universities**

According to the FBI’s Private Industry Notification \[PDF\], most of the credentials part of the data up for sale on Russian hacker platforms were obtained through ransomware attacks and spear-phishing campaigns launched against US educational institutions over the years.

The institutions targeted in ransomware attacks in the last couple of years include:

*   Ohlone College
*   Centralia College
*   Stratford University
*   The Yeshiva University
*   Stony Brook University
*   The University of Miami
*   Savannah State University
*   National University College
*   The University of Maryland
*   North Carolina A&T University
*   The University of Detroit Mercy
*   Florida International University
*   The University of Colorado Boulder
*   The University of California, Merced
*   Phillips Community College of Arkansas

It is worth noting that some of the universities mentioned in the list were targeted by the cl0p ransomware gang, while some were targeted by Iranian hackers. Nevertheless, currently, the stolen data is up for sale for several thousand dollars, depending on the nature of the information.

**What are the Consequences**

The FBI stated that such sensitive data and network access information, particularly privileged accounts, can enable threat actors to launch more cyberattacks against the organization and the user.

> “Such tactics have continued to prevail and ramped up with COVID-themed phishing attacks to steal university login credentials, according to security researchers from a US-based company in December 2021.”
> 
> The FBI

The credentials may be sold to other hackers, or the seller may ask for donations to offer full access to the data. They can use the credentials to brute-force credential stuffing attacks, drain the account of “stored value,” and leverage/resell credit card numbers and other personally identifiable information. They can also submit fake transactions and launch malicious scams against the account holder or the affiliated entity.

**More FBI Alerts**

1.  FBI – Malicious QR codes stealing login and financial data
2.  FBI issues flash alert after APT groups exploited VPN flaws
3.  FBI warns of hackers mailing malicious USB drives to spread ransomware
4.  52 Critical Infrastructure Orgs Hit by Ragnar Locker Ransomware Gang – FBI
5.  Targeting Satellite? CISA, FBI Warns of Attacks on SATCOM Network Providers

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Hackers Selling US Colleges VPN Credentials on Russian Forums- FBI

Validation check loopholes exposed

Malicious actors can take unauthorized ownership of online accounts even before their victims sign up for services, according to new research backed by the Microsoft Security Response Center (MSRC).

Dubbed ‘account pre-hijacking’, the class of attack involves an attacker setting an account takeover exploit in motion before the victim has even registered with an online service. After the victim signs up, the attacker takes advantage of security holes in the service’s authentication mechanisms to access or take ownership of the newly-created account.

The study (PDF) found dozens of high-traffic services to be vulnerable to at least one type of pre-hijacking attack. The research sheds light on the security issues surrounding account creation, a seldom scrutinised issue.

**More than one way to pre-hijack an account**

The research was supported by one of the Identity Project Research Grants awarded by the MSRC in early 2020.

“In this project, we explored several topics, but soon noticed a pattern emerging around the ‘pre-hijacking’ threat model,” Andrew Paverd, a senior researcher at MSRC, and independent researcher Avinash Sudhodanan told The Daily Swig.

Account pre-hijacking assumes that the victim doesn’t yet have an account on the target service and the attacker knows the email and other basic details of the victim. The researchers discovered five types of pre-hijacking attack scenarios.

Some take advantage of multiple account creation modes supported by many online services. On many websites, users can directly provide an email address and password to create their account or use federated authentication by using a consumer-focused single sign-on (SSO) service, as provided by the likes of Facebook, Google, and Microsoft.

DON’T FORGET TO READ Security ‘researcher’ hits back against claims of malicious CTX file uploads

For example, in one type of attack, the attacker creates an account with the victim’s email address. The victim then creates an account using the federated approach. In some services, this merges the attacker’s and victim’s accounts, giving them both simultaneous access to the same account.

In another type of attack, the attacker creates an account with the victim’s email and associates their own federated identity to the same account. When the victim tries to create their account, they will be prompted to reset their password. The victim will obtain access to the account, but the attacker will also be able to access the account through the SSO identity.

The researchers said: “It’s very positive to see how many online services are moving towards single sign-on \[but\] this means that they might have to support multiple login mechanisms. This in itself is not necessarily an issue, and many services do this securely.

“Our research simply points out some subtle pitfalls to be aware of when supporting multiple login mechanisms,” the researchers added.

**Switch hitter**

Paverd and Sudhodanan pointed out that three of the attacks they found do not require the service to support multiple login mechanisms.

For example, in one scheme, the attacker’s session might remain active even after the victim recovers their account and resets the password.

Catch up on the latest authentication news and analysis

In yet another scenario, the attacker creates an account with the victim’s email and initiates an email change request to the attacker’s own email address. The attacker then waits for the victim to claim the account before completing the email change request and taking ownership of the account.

**Top services affected**

In their study, the researchers examined 75 services that ranked among Alexa’s list of top-150 high-traffic domains. At least 35 were affected by one or more account pre-hijacking attacks, including Dropbox, Instagram, LinkedIn, WordPress.com, and Zoom. Fortunately, all the affected services were notified of the vulnerabilities and have implemented the necessary fixes.

“We think that a lack of awareness may have been the main cause of these potential vulnerabilities. We are therefore publishing this research to raise awareness and help organizations mitigate these vulnerabilities,” Paverd and Sudhodanan said.

The most important takeaway, the researchers concluded, is “to verify that the user actually owns any user-supplied identifiers (e.g., email address or phone number) before using them to create a new account or adding them to an existing account”. This would mitigate all types of pre-hijacking attacks identified to date.

The researchers’ paper also describes several other possible defense-in-depth strategies.

They recommended that users enable multi-factor authentication (MFA) whenever possible because it stops most pre-hijacking attacks they uncovered.

Another sign of account pre-hijacking is receiving an email about an account that you did not create, which users usually ignore. “Report this to the relevant website,” the researchers said.

YOU MAY ALSO LIKE Tails users warned not to launch bundled Tor browser until security hole is fixed

Dozens of high-traffic websites vulnerable to ‘account pre-hijacking’, study finds

Red Hat Security Advisory 2022-4770-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 91.9.1.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Critical: thunderbird security update  
Advisory ID:       RHSA-2022:4770-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:4770  
Issue date:        2022-05-27  
CVE Names:         CVE-2022-1529 CVE-2022-1802   
=====================================================================

1. Summary:

An update for thunderbird is now available for Red Hat Enterprise Linux 8.1  
Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact  
of Critical. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream E4S (v. 8.1) - ppc64le, x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 91.9.1.

Security Fix(es):

* Mozilla: Untrusted input used in JavaScript object indexing, leading to  
prototype pollution (CVE-2022-1529)

* Mozilla: Prototype pollution in Top-Level Await implementation  
(CVE-2022-1802)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2089217 - CVE-2022-1802 Mozilla: Prototype pollution in Top-Level Await implementation  
2089218 - CVE-2022-1529 Mozilla: Untrusted input used in JavaScript object indexing, leading to prototype pollution

6. Package List:

Red Hat Enterprise Linux AppStream E4S (v. 8.1):

Source:  
thunderbird-91.9.1-1.el8_1.src.rpm

ppc64le:  
thunderbird-91.9.1-1.el8_1.ppc64le.rpm  
thunderbird-debuginfo-91.9.1-1.el8_1.ppc64le.rpm  
thunderbird-debugsource-91.9.1-1.el8_1.ppc64le.rpm

x86_64:  
thunderbird-91.9.1-1.el8_1.x86_64.rpm  
thunderbird-debuginfo-91.9.1-1.el8_1.x86_64.rpm  
thunderbird-debugsource-91.9.1-1.el8_1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-1529  
https://access.redhat.com/security/cve/CVE-2022-1802  
https://access.redhat.com/security/updates/classification/#critical

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYpEx1NzjgjWX9erEAQj8jA/+L6C0GLnaChCCIBO2QJa6u1TWH3H8MsD1  
bZE5hGvCD9/U+zh1ZahF+9wgTXsGxhvusoBam8yDfLHqe70M7hHZtddVlkVF2yQr  
9Y0yjoWNx2hSBTbUDIO+Haegp6BoUmgTlrTjGnz/5gdr0Z/qTaYk56E1EYtQj0Y9  
qHf7j+FXWleZ0n4+1np1dXcTwKChr1wEmp5+5cvRifwwyMsZkc9asHQa/SH6xFiw  
voE70Hjvc2SzPdF+hCpxu9qxBXa6aEfqpyVVgHrRvUY/RMnpSTG57lCKkVvZocWp  
KgT/AkRPHC9fAsiKg/CNYgocTua76hrd24UyuCPIVsh3KhwgwIX3DIYfsb4/3QPy  
P4Xs8tsAzfh0c0m0lOb1Dgb//YaqntOiD6b6VrMagwNXR+4vcnR4j2t0hQ8RRBCL  
ZYylbF5PfLjcERsMHIoUKupvApPRgvzeVuk6Fo6dfb1jig5NfoBO4mimbfMZ0bD8  
syngbPVPrq1OhZskkFdT8CEbEVq238aeCiVqiG+6sgi5UVfoRuE0MtKqfhrbtNJp  
coCFOT6HOdsTdAexn8N2OvbRtXnztdaiOA1m9UiSrcSBiojBhIkzGuuMzv9H6tZ7  
M+DdvWWoDVS/CcLzardhSejiwJXTBupKv0Tw6pAxkE96UnuRMHRFEvQmc1fsbTLN  
tcim65iKDz4=  
=Pxim  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-4770-01

A nascent Linux-based botnet named Enemybot has expanded its capabilities to include recently disclosed security vulnerabilities in its arsenal to target web servers, Android devices, and content management systems (CMS).
"The malware is rapidly adopting one-day vulnerabilities as part of its exploitation capabilities," AT&T Alien Labs said in a technical write-up published last week. "Services

A nascent Linux-based botnet named **Enemybot** has expanded its capabilities to include recently disclosed security vulnerabilities in its arsenal to target web servers, Android devices, and content management systems (CMS).

"The malware is rapidly adopting one-day vulnerabilities as part of its exploitation capabilities," AT&T Alien Labs said in a technical write-up published last week. "Services such as VMware Workspace ONE, Adobe ColdFusion, WordPress, PHP Scriptcase and more are being targeted as well as IoT and Android devices."

First disclosed by Securonix in March and later by Fortinet, Enemybot has been linked to a threat actor tracked as Keksec (aka Kek Security, Necro, and FreakOut), with early attacks targeting routers from Seowon Intech, D-Link, and iRZ.

Enemybot, which is capable of carrying out DDoS attacks, draws its origins from several other botnets like Mirai, Qbot, Zbot, Gafgyt, and LolFMe. An analysis of the latest variant reveals that it's made up of four different components -

*   A Python module to download dependencies and compile the malware for different OS architectures
*   The core botnet section
*   An obfuscation segment designed to encode and decode the malware's strings, and
*   A command-and-control functionality to receive attack commands and fetch additional payloads

Also incorporated is a new scanner function that's engineered to search random IP addresses associated with public-facing assets for potential vulnerabilities, while also taking into account new bugs within days of them being publicly disclosed.

"In case an Android device is connected through USB, or Android emulator running on the machine, EnemyBot will try to infect it by executing \[a\] shell command," the researchers said, pointing to a new "adb\_infect" function. ADB refers to Android Debug Bridge, a command-line utility used to communicate with an Android device.

Besides the Log4Shell vulnerabilities that came to light in December 2021, this includes recently patched flaws in Razer Sila routers (no CVE), VMware Workspace ONE Access (CVE-2022-22954), and F5 BIG-IP (CVE-2022-1388) as well as weaknesses in WordPress plugins like Video Synchro PDF.

Other weaponized security shortcomings are below -

*   **CVE-2022-22947** (CVSS score: 10.0) - A code injection vulnerability in Spring Cloud Gateway
*   **CVE-2021-4039** (CVSS score: 9.8) - A command injection vulnerability in the web interface of the Zyxel
*   **CVE-2022-25075** (CVSS score: 9.8) - A command injection vulnerability in TOTOLink A3000RU wireless router
*   **CVE-2021-36356** (CVSS score: 9.8) - A remote code execution vulnerability in KRAMER VIAware
*   **CVE-2021-35064** (CVSS score: 9.8) - A privilege escalation and command execution vulnerability in Kramer VIAWare
*   **CVE-2020-7961** (CVSS score: 9.8) - A remote code execution vulnerability in Liferay Portal

What's more, the botnet's source code has been shared on GitHub, making it widely available to other threat actors. "I assume no responsibility for any damages caused by this program," the project's README file reads. "This is posted under Apache license and is also considered art."

"Keksec's Enemybot appears to be just starting to spread, however due to the authors' rapid updates, this botnet has the potential to become a major threat for IoT devices and web servers,'' the researchers said.

"This indicates that the Keksec group is well resourced and that the group has developed the malware to take advantage of vulnerabilities before they are patched, thus increasing the speed and scale at which it can spread."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

EnemyBot Linux Botnet Now Exploits Web Server, Android and CMS Vulnerabilities

Cross-site Scripting (XSS) - Stored in GitHub repository go-gitea/gitea prior to 1.16.9 via unfiltered pdfs

**Stored Cross-site Scripting in gitea**

Moderate severity GitHub Reviewed Published May 30, 2022 • Updated Jun 2, 2022

GHSA-ph3w-2843-72mx: Stored Cross-site Scripting in gitea

Cross-site Scripting (XSS) - Stored in GitHub repository go-gitea/gitea prior to 1.16.9.

@@ -88,10 +88,14 @@ func ServeData(ctx \*context.Context, name string, size int64, reader io.Reader)

}

if (st.IsImage() || st.IsPDF()) && (setting.UI.SVG.Enabled || !st.IsSvgImage()) {

ctx.Resp.Header().Set("Content-Disposition", fmt.Sprintf(\`inline; filename="%s"\`, name))

if st.IsSvgImage() {

if st.IsSvgImage() || st.IsPDF() {

ctx.Resp.Header().Set("Content-Security-Policy", "default-src 'none'; style-src 'unsafe-inline'; sandbox")

ctx.Resp.Header().Set("X-Content-Type-Options", "nosniff")

ctx.Resp.Header().Set("Content-Type", typesniffer.SvgMimeType)

if st.IsSvgImage() {

ctx.Resp.Header().Set("Content-Type", typesniffer.SvgMimeType)

} else {

ctx.Resp.Header().Set("Content-Type", typesniffer.ApplicationOctetStream)

}

}

} else {

ctx.Resp.Header().Set("Content-Disposition", fmt.Sprintf(\`attachment; filename="%s"\`, name))

CVE-2022-1928: Fix raw endpoint PDF file headers (#19825) · go-gitea/gitea@65e0688

The new draft guidance on premarket submissions incorporates quality system regulations and doubles down on a life-cycle approach to product security.

It's hard to believe, but medical device manufacturers who are subject to Food and Drug Administration premarket approval — the FDA process of review to evaluate the safety and effectiveness of Class III medical devices — are still operating under the FDA's original medical device cybersecurity guidance from 2014 and a subsequent update in 2018. But that is about to change in a major way.

Instead of finalizing the 2018 premarket cybersecurity draft guidance, the FDA has decided to issue a new 2022 version to reflect the rapid evolution of cybersecurity, incorporating a new set of quality system regulations (QSRs) with significant changes to its 2018 predecessor.

**New FDA Draft Guidance  
**The new draft guidance, titled "Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions," deals with myriad design, labeling, and documentation issues that will have to be addressed by medical device manufacturers before their new devices can gain FDA premarket approval.

The FDA's original guidance on cybersecurity was just nine pages while the 2022 version swells to 50 pages, reflecting advancements in the cybersecurity ecosystem and best practices. It appears that, when approving connected medical devices for market, the FDA will be taking a long look at how cybersecurity is implemented, especially regarding levels of risk to patient safety.

**Updated Regulations: Why Now?  
**Requiring greater cybersecurity measures to protect medical devices and their operational and patient data is vital since the healthcare industry has become a massive target of cyberattacks. Data breaches hit an all-time high in 2021, exposing a record volume of protected health information. Besides pilfering data, a growing number of breaches attempt to disrupt the smooth operation of medical devices like computed tomography and magnetic resonance imaging machines, potentially causing incorrect diagnoses, unnecessary medical procedures, or direct harm to patients.

The American Hospital Association's senior adviser for cybersecurity and risk has stated that medical devices used in hospital rooms suffer from an average of 6.2 vulnerabilities. As devices become more complex and interconnected, opportunities for cyberattackers to exploit vulnerabilities are becoming greater, hence the need for updated regulations.

**Incorporating Cybersecurity into Quality System Regulations to Boost Safety  
**With the new guidance, the FDA seeks to ensure that the next generation of medical devices will be far safer and secure throughout the entire device life cycle, from premarket and throughout the entire useful life, beginning from the earliest stages of design (shift-left) to post-production (shift-right).

With the proposed guidance, the FDA is doubling down on its efforts to incorporate cybersecurity into quality regulations to address the complexity of modern devices and today's evolving threat landscape.

**From CBOM to SBOM: What's the Difference?  
**Surprisingly, one of the major changes that the new guidance brings is a leniency in the requirement for manufacturers to provide a complete software bill of materials (SBOM) instead of a more tedious cybersecurity bill of materials (CBOM), as was required in the 2018 draft. Medical device manufacturers were balking at the 2018 guidelines because of this stringency.

An SBOM is more in line with cybersecurity standards across most industries and aligns with the Biden administration's recently issued Executive Order 14028, "Improving the Nation's Cybersecurity." It contains all of the required software packages (commercial and open source) and their versions.

The much more complicated CBOM, according to the 2018 guidance, demands "a list of commercial, open source, and off-the-shelf software and hardware components to enable device users (including patients, care providers, and healthcare delivery organizations) to effectively manage their assets, understand the potential impact of identified vulnerabilities to the device — and the connected system — and to deploy countermeasures to maintain the device's essential performance."

**A Secure Product Development Framework for Every Device  
**The latest guidance asks medical device manufacturers to consider using a secure product development framework (SPDF) to achieve the goals of the QSR: "An SPDF encompasses all aspects of a product's lifecycle, including development, release, support, and decommission."

Besides compliance with the draft guidance, the call for using an SPDF can add significant value to medical devices. As the draft guideline states: "Using SPDF processes during device design may prevent the need to re-engineer the device when connectivity-based features are added after marketing and distribution, or when vulnerabilities resulting in uncontrolled risks are discovered."

**Is the New FDA Draft Guidance Binding?  
**Until July 7, the FDA is inviting medical device manufacturers and the public to comment on the new draft, which is expected to be finalized later this year when it will become the new FDA cybersecurity guidance for medical devices. While FDA guidance is nonbinding, the approved version will provide a road map for how medical device manufacturers should address cybersecurity in their products to ensure compliance and patient safety.

The FDA is not the only federal agency looking to strengthen cybersecurity regs. Legislation called the Protecting and Transforming Cyber Health Care (PATCH) Act was recently introduced in the US Congress. The act, the EO, and other proposed bills contain provisions that will strengthen the FDA's ability to require medical device manufacturers to meet certain cybersecurity objectives.

In order to future-proof for impending legislation, medical device manufacturers should start investigating solutions that can generate detailed SBOMs and continuously detect vulnerabilities and mitigate risks in order to stay compliant with the FDA's 2022 guidance and beyond.

Tag

#pdf