Your fortnightly rundown of AppSec vulnerabilities, new hacking techniques, and other cybersecurity news

Jessica Haworth 13 January 2023 at 18:31 UTC

Your fortnightly rundown of AppSec vulnerabilities, new hacking techniques, and other cybersecurity news

  

Slack suffered a security breach recently, “involving unauthorized access to a subset of Slack’s code repositories” according to the messaging platform.

The company said that although no customers were affected, an internal investigation revealed that an unknown actor downloaded private code repositories on or around December 27.

“We discovered that a limited number of Slack employee tokens were stolen and misused to gain access to our externally hosted GitHub repository,” a statement read.

“No downloaded repositories contained customer data, means to access customer data or Slack’s primary codebase.”

Identity management company Okta also fell victim to a breach when an unknown actor accessed its code repositories.

The incident occurred “in early December 2022”, the vendor said, without confirming whether or not any data was stolen.

It did confirm that it “promptly placed temporary restrictions on access to Okta GitHub repositories and suspended all GitHub integrations with third-party applications”.

And over in the US, a government watchdog spent $15,000 to build a password-cracking program – only to discover employees were using easily-guessable credentials all along.

The complicated software, financed by the Department of the Interior, was designed to take on tasks such as recovering hashed passwords.

However it ultimately found that it was able to recover nearly 14,000 employee passwords, – 16% of all department accounts – due to “easily cracked passwords, lack of multifactor authentication, and other failures”.

Among other stories from The Daily Swig in recent days were secure messaging app Threema disputing the seriousness of flaws in its software, developers being urged to rotate secrets in CircleCI due to a security breach, and cross-origin resource (CORS) misconfigurations in the environments of enterprises including Tesla that left internal networks vulnerable.

Here are some other web security stories and other cybersecurity news that caught our attention in the last fortnight:

**Web vulnerabilities**

*   Cisco / Critical / RCE, authentication bypass vulnerabilities / Disclosed with patch, January 11
*   CKEditor / Critical / CSRF vulnerability in CKEditor can lead to RCE (remote code execution) in XWiki / Patched in CKEditor Integration version 1.64.3
*   Mozilla / Moderate / Attacker could inject markup due to the fact Firefox failed to implement the unsafe-hashes CSP (content security policy) directive / Disclosed with patch, December 13
*   VMWare / Critical / Command injection, directory traversal vulnerabilities / Patched in VMWare vRealize Network Insight v6.8
*   Zoom / Medium, High / Path traversal, local privilege escalation bugs for Windows, Android, MacOS clients / Patched January

**Research and attack techniques**

*   Researchers from Sonarsource discovered a command injection vulnerability as well as an authentication bypass vulnerability in open source web-based monitoring tool Cacti which allowed unauthenticated exploitation.
*   A malicious Python file found on the PyPi repository adds backdoor and data exfiltration features to what appears to be a legitimate SDK (software development kit) client from security firm SentinelOne, researchers at ReversingLabs have reported.
*   Also concerning PyPi, researcher Tom Forbes found 57 valid AWS keys present on the Python package index belonging to Amazon, Intel, and other organizations by scanning new packages with GitHub Actions.
*   A research team from Imperva demonstrated how they discovered a vulnerability in Google Chrome that led to the theft of sensitive files, such as crypto wallets and cloud provider credentials.
*   And Harsh Bothra from Cobalt released this handy write up on how pen testers can spot prototype pollution-style attacks.
**Bug bounty/vulnerability disclosure**

*   Researcher Matt Kunze netted a $107,500 bug bounty reward from Google for reporting vulnerabilities in the Google Home Mini smart speaker which allowed him to access the microphone on the device and make arbitrary HTTP requests on the local network.
*   Security firm CloudSek released BeVigil, a tool to enable bug bounty hunters to find and report vulnerabilities in mobile apps.
*   And hacker Jerry Gamblin published this extensive guide on the CVE year in review, featuring data on assigned vulnerabilities from the year 2022.
**New open source infosec/hacking tools**

*   GCP Goat is a vulnerable cloud infrastructure tool featuring the latest released OWASP Top 10 web application security risks and other misconfiguration, designed to help test developers test their code in a cloud environment.
*   Another cloud-based tool, PEACH is a tenant isolation framework for cloud applications to help protect against malicious actors accessing “data belonging to other customers”, for example, in cases such as ChaosDB, ExtraReplica, and AttachMe.
*   Open source tool sbom-utility has been released, an API platform for validating, querying, updating, and managing standardized SBOMs.
**For devs**

*   Exact Realty has released this blog post explaining how developers can defend against introducing cross-site request forgery (CSRF) vulnerabilities into websites.
*   Google’s Chromium project now supports the use of third-party Rust libraries from C++, and will include Rust code in the Chrome binary “within the next year”.
**For fun**

Finally, SplendidData’s bonkers bug bounty program policy was subject to online infosec scrutiny recently.

The rules date back to at least early 2021, however it still sparked a lively discussion thread on Twitter over the last week as some of its questionable terms were highlighted.

Its policy boasts guidance such as ‘we will not respond to your request’ and that the company ‘cannot guarantee’ that no legal action will be taken, even if the vulnerability was disclosed responsibly.

Unsurprisingly, this spread like wildfire on infosec Twitter with one user called TJ joking: “I like the “we MIGHT sue you, idk” aspect… adds a little excitement to life.”

RECOMMENDED Prototype pollution-like bug variant discovered in Python

Deserialized web security roundup – Slack, Okta security breaches, lax US government passwords report, and more&nbsp;

Categories: News
Tags: Pegasus

Tags:  spyware

Tags:  Pegasus spyware

Tags:  NSO Group

Tags:  NSO

Tags:  Apple

Tags:  WhatsApp

Tags:  Meta

Tags:  Foreign Sovereign Immunity Act

The US Supreme Court essentially gave Meta’s WhatsApp the go ahead to pursue their case against Pegasus’s NSO Group.



(Read more...)




The post WhatsApp lawsuit against NSO Group greenlit by Supreme Court  appeared first on Malwarebytes Labs.

On Monday, the US Supreme Court denied the NSO Group's petition for a _writ of certiorari_, a request to the high court to review its case, signaling that Meta's WhatsApp can go ahead with its case against the Israeli-based company behind the Pegasus spyware. The court didn't explain why it refused to hear the NSO's appeal.

If you recall, WhatsApp filed a lawsuit against NSO in 2019 under the Computer Fraud and Abuse Act for allegedly targeting and installing spyware on roughly 1,400 devices of its global users, including human rights activists, journalists, and government officials.

NSO group allegedly did this by exploiting a then zero-day vulnerability in WhatsAapp. Based on a detailed timeline of the case, NSO said it is protected by the Foreign Sovereign Immunity Act (FSIA), which shields foreign government officials from common law, making it immune to the lawsuit—an argument district court judges in California were unconvinced by.

The company then filed a motion to dismiss the case in the US Court of Appeals, insisting it should be granted immunity, much to the dismay of a number of organizations: Microsoft, Google, Cisco, GitHub, LinkedIn, VMWare, and Internet Association (IA). These companies then banded together to file an amicus brief supporting WhatsApp's case.

Microsoft said:

> “We believe the NSO Group's business model is dangerous and that such immunity would enable it and other PSOAs to continue their dangerous business without legal rules, responsibilities or repercussions. The expansion of sovereign immunity that NSO seeks would further encourage the burgeoning cyber-surveillance industry to develop, sell and use tools to exploit vulnerabilities in violation of US law. Private companies should remain subject to liability when they use their cyber-surveillance tools to break the law, or knowingly permit their use for such purposes, regardless of who their customers are or what they’re trying to achieve."

Eventually, the Appeals Court rejected NSO's appeal.

Appeals Court judge Danielle Forrest wrote in a unanimous opinion:

> "NSO does not contend that it meets the FSIA’s definition of 'foreign state,' and, of course, it cannot. It is not itself a sovereign. NSO is a private corporation that provides products and services to sovereigns — several of them," 
> 
> "Whatever NSO's government customers do with its technology and services does not render NSO an 'agency or instrumentality of a foreign state,' as Congress has defined that term. Thus, NSO is not entitled to the protection of foreign sovereign immunity."

The NSO Group's request for the Supreme Court to review its case was its last straw effort to be recognized as a foreign government agent and is, therefore, entitled to sovereign immunity.

In a statement to Reuters, WhatsApp spokesperson Carl Woog is quoted saying:

> "NSO's spyware has enabled cyberattacks targeting human rights activists, journalists and government officials. We firmly believe that their operations violate US law and they must be held to account for their unlawful operations."

Meta's WhatsApp is not the only tech giant suing the NSO Group. Apple also filed a lawsuit against the Israeli firm in November 2021 for violating terms of service by hacking into the devices of Apple users, calling the company "amoral 21st-century mercenaries."

**We don't just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

WhatsApp lawsuit against NSO Group greenlit by Supreme Court 

By Waqas
The data was collected through web scraping techniques however some sites are reporting it as a "Twitter data breach," or " Twitter being hacked." 
This is a post from HackRead.com Read the original post: Twitter Scraping Breach: 209 Million Accounts Leaked on Hacker Forum

The leaked Twitter data is now circulating on several hacking forums, including prominent Russian-language ones.

Personal data, including email addresses, of nearly 209 million **Twitter** users were scraped, stolen, and posted on an online hacking forum. As seen by Hackread.com, the database posted online contains 209,000,000 records, all belonging to Twitter users.

The database comprises usernames, follower counts, creation dates, and email addresses of Twitter users. The good news is that no passwords, phone numbers, IP addresses, or physical addresses were leaked.

Leaked data – Screenshot: Hackread.com

Although some reports claim that the total number of leaked accounts is 235 million, Hackread.com’s analysis suggests that the exact number, after deleting duplicate accounts, is 209 million.

This should not come as a surprise, as just a couple of months ago, a hacker **leaked 5.4 million account details** of Twitter users. This was followed by another incident in which a threat actor was selling scraped data of **400 million Twitter users**.

The data leak is currently being regarded as one of the most impactful and significant leaks he has seen so far because leaking such a vast amount of email IDs can expose the victims to a range of attacks, including doxing, hacking, and targeted phishing.

The information can expose the users’ real identities since people use their real names to create email addresses.

It is worth noting that the threat actor leaked the data on a hacker forum that surfaced as an alternative to the popular and **now-seized Raidforums**. In their post, they stated that the leaked data was collected through web scraping techniques however some sites are reporting it as a “Twitter data breach,” or ” Twitter being hacked.”

However, some are of the opinion that the leaked data is at least two years old. Ron Scott-Adams, VMware’s product line marketing manager, examined the data and claimed that it is at least two years old, and except for email addresses, it mainly consists of publicly available data.

Conversely, Synopsys’ associate principal consultant, Jamie Boote, stated that the data was collected through web scraping via a now-fixed **Twitter bug**.

“In 2021, people discovered that the Twitter API could be used to disclose email addresses that were provided from other sources and also leak some other semi-public info like tying a Twitter handle with that email address,” the email dumps were then used by different groups as seed material to look for handles they could exploit, added Boote.

This issue was fixed one year back so it seems that someone collected the data, combined it with new accounts, and leaked it online. HaveIBeenPwned’s Troy Hunt also assessed the data and stated that it is pretty much what it has been described as.

It is still unclear who hacked and leaked the data online. But security experts are sure that the breach occurred in 2021. Nevertheless, the incident reveals the **dangers of unsecured API**. Users must change their Twitter password and ensure the same password isn’t used for other sites.

Twitter is yet to comment.

1.  **APT Groups Trapping Targets with Clever Twitter Scheme**
2.  **Researcher logs into Trump’s Twitter with password MAGA2020**
3.  **Twitter hacker charged in sim swapping, cryptocurrency scheme**
4.  **Twitter Goes on Tor with New Dark Web Domain to Evade Censorship**
5.  **Mastermind of 2020’s top celebrity Twitter hack sentenced to 3 years**

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Twitter Scraping Breach: 209 Million Accounts Leaked on Hacker Forum

Plus: Patches for Apple iOS 16, Google Chrome, Windows 10, and more.

The holiday season is almost over, but security patches are still continuing to arrive thick and fast in December. The month has seen updates released by Apple, Google, and Microsoft, as well as enterprise software companies including the likes of SAP, Citrix, and VMWare. 

Many of the patches fix zero-day vulnerabilities already being exploited in attacks, making it important that they are applied as soon as possible. Here’s the lowdown on all the patches released in December.

Apple iOS and iPadOS 16.2, iOS 15.7.2, iOS 16.1.2

Apple released a major point upgrade to its iOS 16 operating system in December: iOS 16.2. The update comes with features including end-to-end encryption in iCloud, but it also fixes 35 security vulnerabilities.

None of the issues patched in iOS 16.2 are known to have been used in attacks; however, many are pretty serious. The flaws include six in the Kernel and nine in the engine that powers Apple’s Safari browser, WebKit, which could allow an attacker to execute code. 

Apple also released iOS 15.7.2 for users of older iPhones that can’t run iOS 16, fixing a flaw already being used in attacks. Tracked as CVE-2022-42856, the WebKit vulnerability could allow an attacker to execute code, according to Apple’s support page. At the end of November, Apple fixed the same WebKit flaw in iOS 16.1.2.

Since the launch of iOS 16 in September, Apple has been offering security updates to those who don’t want to upgrade to the new operating system. But iOS 15.7.2 is only for older iPhones, so if you’ve got an iPhone 8 or above, you now need to upgrade to iOS 16 to stay secure. 

The iPhone maker also released macOS Ventura 13.1, watchOS 9.2, tvOS 16.2, macOS Big Sur 11.7.2, macOS Monterey 12.6.2, and Safari 16.2.

Google Android 

December was a hefty patch month for Google’s Android operating system, with fixes for dozens of security vulnerabilities issued during the month. Tracked as CVE-2022-20411, the most severe is a critical vulnerability in the System component that could lead to remote code execution over Bluetooth with no additional execution privileges needed, Google said in a security bulletin. 

Google also fixed two critical flaws in the Android Framework component, CVE-2022-20472 and CVE-2022-20473. Meanwhile, 151 Pixel-specific bugs were patched by Google in December. 

The December patch is available for Google’s own Pixel devices as well as Samsung smartphones, including the hardware maker’s flagship Galaxy range. 

Google Chrome 108

Google has issued an emergency update for its Chrome browser to fix the ninth zero-day vulnerability of the year. Tracked as CVE-2022-4262, the high-severity type confusion issue in Chrome’s V8 JavaScript engine could allow a remote attacker to exploit heap corruption via a crafted HTML page. “Google is aware that an exploit for CVE-2022-4262 exists in the wild,” the browser maker said in a blog.

The emergency update arrived just days after Google released Chrome 108, patching 28 security flaws. Among the fixes are CVE-2022-4174—a type confusion flaw in V8—and several use-after-free bugs. None of these vulnerabilities have been exploited in attacks, according to Google. But given that the latest bug is already in the hands of attackers, it’s a good idea to update Chrome as soon as possible.

Microsoft Patch Tuesday 

Microsoft’s December Patch Tuesday was another big one, fixing 49 security vulnerabilities, including a flaw being used in attacks. Tracked as CVE-2022-44698, the issue is a Windows SmartScreen security feature bypass vulnerability that could lead to loss of integrity and availability.

“An attacker can craft a malicious file that would evade Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MOTW tagging,” Microsoft said.

Update Android Right Now to Fix a Scary Remote-Execution Flaw

NVIDIA GPU Display Driver for Windows contains a vulnerability where a regular user can cause an out-of-bounds read, which may lead to code execution, denial of service, escalation of privileges, information disclosure, or data tampering.

CVE-2022-42267: Security Bulletin: NVIDIA GPU Display Driver - November 2022

ISOS firmwares from versions 1.81 to 2.00 contain hardcoded credentials from embedded StreamX installer that integrators are not forced to change.

**Published Firmwares in 2022**

**V2.01 : 11.11.2022**

2304

Bug fix

Moxa Real TTY driver update

2397

Security

OpenSSL: fix CVE-2020-1971

2406

Security

PAM: fix 'Empty Password improper authentication' (CWE-287)

2424

Bug fix

DA-820 and DA-820C: fix 'empty slot' command

2438

Bug fix

DA-820C: fix network error messages at bootup

2442

Security

sudo: fix CVE-2021-3156

2455

Security

OpenLDAP: fix multiple CVE

2464

Bug fix

Cellular modems: fix USB disconnect/connect problem

2470

Security

OpenSSL: fix multiple CVE (CVE-2021-23839, CVE-2021-23840, CVE-2021-23841)

2482

Bug fix

Postgres: fix the running state view

2491

Bug fix

Firmware update: improved the management of the postgresql service

2556

Add-on

Virtual: VirtIO NIC driver added for some KVM based hypervisors

2560

Add-on

DA-820C: support for I350-T4 and CP102U cards added

2561

Bug fix

DA-820C: fix comment update on slot 2

2590

Bug fix

Mono: moved "ApplicationData" and "CommonApplicationData" folders to /opt partition

2620

Bug fix

DA-820C: improvement of the firmware update (TPM related)

2743

Add-on

APU2: support for additional serial ports from P3

2812

Bug fix

IG2: fix EtherCAT driver for ARM64.

2857

Security

DA-820C: SysRq commands disabled

2858

Bug fix

Boot process, automatically fix potential mount errors

2873

Bug fix

NTP Server, fix the 'jump backwards in time

2878

Security

rsyslog: fix CVE-2022-24903

2897

Security

Force password change during the first login (CVE-2022-4780)

2940

Security

Virtual, open-vm-tools: fix CVE-2022-31676

2951

Bug fix

OpenLDAP: files integrated into the backup

2970

Bug fix

RADIUS: files integrated into the backup

 

Add-on

IG2: support for digital inputs/outputs

 

Security

RADIUS Integration

 

Security

Firmware Integrity Check integration

 

Security

Manage rate limiting (avoid DoS)

 

Security

Update of the Linux kernels

 

Security

Update of the Linux packages

 

Bug fix

StreamX Setup 6.05.00 (StreamConfig: version 35 of the parameters)

**V2.00d - 22.04.2022 (only for CX9020)**

2825

Add-on

Staging: images for 2GB and 4GB SD cards.

 

Bug fix

StreamX Setup v6.04.25 of 07.04.2022 (StreamConfig: version 34 of the parameters)

**V2.00c - 24.02.2022 (only for CX9020)**

 

Add-on

earlyoom: memory watchdog to protect EtherLAB from an 'out of memory'.

 

Bug fix

StreamX Setup v6.04.17 of 18.02.2022 (StreamConfig: version 34 of the parameters)

**Published Firmwares in 2021**

**V2.00 : 24.02.2021**

1279

Bug fix

Fix StreamView HTML serialization errors

1715

Bug fix

Fix StreamDaemon is no more responding on ARM architectures

1867

Bug fix

Fix general Mono memory leaks

1980

Bug fix

Mono: major upgrade to version 6.10.0.104

2135

Security

Sudo: fix potential vulnerability (CVE-2019-18684)

2157

Security

Fix CVE-2019-14899 : Inferring and hijacking VPN-tunneled TCP connections

2175

Bug fix

EtherCAT: etherlab stack update

2189

Bug fix

CX9020: fix speed of second LAN which was sometimes fixed at 10 Mbit/s

2283

Bug fix

Virtual: open-vm-Tools produces no more messages continuously.

2297

Add-on

Support of stunnel for all hardwares

2298

Add-on

CX9020: support of the LEDs TC, FB1, FB2

2327

Add-on

Backup of Postgresql configuration files

2332

Add-on

Postgresql: log file rotate mechanism

2340

Bug fix

Network: fix manual lan won't goes up at boot

2343

Bug fix

APC910: fix lan1 detection on TS17.04

2362

Security

OpenLDAP: fix CVE-2020-25709 and CVE-2020-25710

2382

Add-on

APC910: support for USB1 to USB4 ports added for model TS17

2429

Bug fix

Cellular modems: fix the enable/disable NMEA feature

 

Add-on

First integration of the hardware Elvexys IG2

 

Add-on

CX9020: bootloader version 5 for kernel compatibility

 

Security

CX9020: StreamBridge is no more executed with root account (least privilege)

 

Security

Update of the Linux kernels

 

Security

Update of the Linux packages

 

Bug fix

StreamX Setup v6.02.90 of 10.02.2021 (StreamConfig: version 34 of the parameters)

**Published Firmwares in 2020**

**V1.99 : 17.06.2020**

1827

Add-on

Cellular: PPP as default gateway is now listed into the network section in StreamConsole

1880

Add-on

Virtual hardware: OVF file compatibility for ESX 5.5

1893

Security

PostgreSQL: fixed multiple vulnerabilities

1897

Add-on

Virtual hardware: changed from generic to Intel network adapter

1906

Security

StrongSwan: upgrades to fix CVE-2018-16151 / CVE-2018-16152

1908

Security

Kernel: upgrades to fix CVE-2018-14634

1931

Bug fix

Cellular: fix for the configuration migration

1939

Bug fix

Cellular: fix USAN management when receiveing a SMS

1940

Bug fix

Fix to no more generate duplicate paths after a firmware migration

1954

Security

OpenSSL: fix multiple vulnerabilities

1984

Bug fix

LEDs: swapped the management of Storage and SNMP Agent

1985

Bug fix

Firmwares files with special chars are now possibles

2002

Bug fix

LEDs: no more turned off after a long period of time

2023

Bug fix

Bonds on B&R APC910 are now working as expected

2060

Add-on

CX9020: compatibility with HW rev. 3

2088

Security

Kernel: upgrades to fix CVE-2019-11477 (SACK Panic)

2095

Add-on

Virtual hardware: drivers for VMXNET3 added

2106

Bug fix

Cellular: fix infinite loop in ppp restart Under certain conditions

2112

Security

SysRq commands over serial ports is now disable for all hardware

2127

Security

Sudo: fix CVE-2019-14287 Potential bypass of Runas user restrictions

2138

Security

Unable to use SCP anymore

2142

Bug fix

APC910: fix the use of lan2 without the additional 4 lans board

2150

Add-on

Firmware update: error codes 24 and 25 added

2151

Bug fix

Default Gateway no more lost after changing the IP on the interface binded to the default gateway

2165

Security

OpenSSL : fix CVE-2019-1551

2167

Bug fix

SSL Certificates for StreamX applications are now backuped

2180

Add-on

Beckhoff CX9020: support of the new HW revision of TOSIBOX 4G modem (based on Quectel EC25 chip)

2199

Add-on

Firewall: extend ports range for StreamX services.

2218

Add-on

Fsck package added (File System Consistency Check)

2269

Bug fix

Moxa DA-820, fix the receive mechanism on serial ports P1 and P2 when used in RS485 2 wires mode.

 

Bug fix

PFC100/PFC200: use Wago BSP v. 2.8.35

 

Add-on

First integration of the hardware B&R APC910

 

Add-on

First integration of the hardware APU4

 

Add-on

First integration of the hardware Moxa DA-820C

 

Add-on

APU2 and APU4: support for the LEDs and the dual power boards

 

Add-on

APU2: support for two dual LAN mPCIe boards

 

Add-on

APU4: support for one dual mPCIe board

 

Add-on

UC-8112: first LEDs management

 

Add-on

Support of PRP for Moxa DA-820 and Moxa DA-820C from StreamConsole

 

Add-on

Support of stunnel for Virtual hardware

 

Add-on

Firewall: added UDP port 123 for NTP server

 

Security

Update of the Linux kernels

 

Security

Update of the Linux packages

 

Bug fix

StreamX Setup of 08.05.2020 (StreamConfig: version 34 of the parameters)

**Published Firmwares in 2018**

**V1.98 : 05.07.2018**

1738

Security

Kernel: upgrades to fix Meltdown and Spectre vulnerabilities

1826

Security

Moxa DA-820, fix the process to disable physical USB ports

 

Add-on

PostgreSQL, migration process updated for future major upgrades

 

Add-on

First integration of virtual hardware (VMWare) with the configinit tool

 

Bug fix

Moxa DA-681A, fix the RS485

 

Bug fix

Moxa DA-720, fix the RS485 2 wires mode on P2

 

Add-on

Moxa UC-8100, new bootloader for Linux kernel 4.1

 

Bug fix

All libraries: update to the latest stable version

 

Security

Improving hardening like using ASLR and Stack Smaching Protection

 

Bug fix

Cellular: fix the use of CTS and DTS signals

 

Bug fix

StreamX Setup of 22.06.2018 (StreamConfig: version 32 of the parameters)

**V1.97 : 05.03.2018 (only for DA-681A, DA-720, UC-81xx and APU2)**

1743

Security

Moxa Nport: the owner of the remote serial ports is now the group streamx\_apps instead of root

1729

Bug fix

WD Cellular: prevent rebooting the system if a firmware upgrade is in progress

1782

Bug fix

WD Cellular: don't block anymore in case of huge system time changes

 

Add-on

WD Cellular: the RSSI and the cellular antenna ID are now published in memory files for other programs

1748

Add-on

DHCP Client: new default settings for interoperability with slow DHCP servers

 

Add-on

First integration of the hardware Moxa DA-720

 

Bug fix

StreamX Setup of 27.02.2018 (StreamConfig: version 32 of the parameters)

CVE-2022-4780: ISOS release notes - Elvexys SA

According to the FBI and Internet Crime Complaint Center, 25% of ransomware complaints involve healthcare providers.

While ransomware groups have not spared any industry, attackers have put the healthcare sector at the top of their preferred targets. The surge in hospitals falling victim to breaches has raised concerns among regulators and government officials who have moved to push through new policies and legislation.

CommonSpirit, one of the largest nonprofit healthcare systems in the US, posted a privacy breach notice on Dec. 1, warning that 623,774 patient records were exposed after a breach on Sept. 16. The nationwide network of 140 hospitals and over 1,000 care facilities in 21 states confirmed that ransomware attackers accessed the patient records, but said there is currently no evidence that personal information was misused. The potentially affected patients were those treated at CommonSpirit’s Franciscan Medical Group and Franciscan Health in Washington. The four hospitals are now known as Virginia Mason Franciscan Health, a CommonSpirit affiliate.

The current spike builds on last year's 35% increase in overall attacks on healthcare providers compared with 2020, according to Critical Insight, a managed detection and response (MDR) service provider. According to Critical Insight, cyberattacks on healthcare providers affected 45 million individuals last year, compared with 34 million in 2020 and 14 million in 2018.

In October, the FBI Internet Crime Complaint Center (ICA) reported that among 16 critical infrastructures, the healthcare and public health sector accounts for 25% of ransomware complaints. The US Department of Health and Human Services (HHS) in April issued a warning about Hive, an aggressive ransomware group that has targeted healthcare organizations.

The HHS Health Sector Cybersecurity Coordination Center (HC3) noted that Hive is known to have been in operation since June 2021, and "in that time has been very aggressive in targeting the US health sector."

Another recent hacker group to emerge that is targeting healthcare providers with ransomware is Daixin Team. In October, HHS joined the Cybersecurity and Infrastructure Agency (CISA) and the FBI with an advisory warning that Daixin Team is actively pursuing healthcare providers with ransomware that uses Babuk Locker, source code that encrypts files in VMware EXSi servers.

Daixin Team's ransomware encrypts healthcare providers' electronic health records, diagnostics, imaging, and intranet services, according to the advisory. The group has also exfiltrated personally identifiable information (PII) and patient health information (PHI) and has extorted ransoms by threatening to release that data.

**Impact of Ransomware on Healthcare**

During the Disruptive Innovators CIO Forum in New York earlier this month, a conference focused on emerging technology for the healthcare industry, a panel discussion addressed the surge in ransomware. "Ransomware is now probably the No. 1 security issue for most healthcare organizations today," said Christopher Kunney, SVP of digital innovation at Divurgent, an IT advisory firm for healthcare organizations.

Kunney, one of the panelists, warned ransomware will remain a growing threat in healthcare "as we expand the footprint outside the four walls of the hospital and we look at things like virtual care, and other technologies that can now sit on top of our network infrastructure."

Saket Modi, who moderated the panel and is co-founder and CEO of Safe Security, noted that one of the first known deaths attributed to ransomware, a newborn in Alabama, occurred last year. "A ransomware attack is no longer just financial and reputational; it can have an actual impact to the life of people," Modi said. Besides the risk of data exfiltration, ransomware attacks are a risk to the delivery of patient care, especially when attackers access systems responsible for keeping patients alive.

"We have to realize that cybersecurity isn't just about data security; it's also a matter of life and death," added Michael Archuleta, CIO of Mt. San Rafael Hospital and Clinics in Trinidad, Colo.

Noting that COVID forced healthcare providers to accelerate their digital transformation efforts in recent years, many organizations haven't adequately addressed the security risks associated with the implementation technology and systems that are now accessible.

"We're living in the digital age of healthcare, and we need to start incorporating initiatives technology outcomes that better enhance our overall experience and better enhancing patient outcomes, but also keep secure the entire organization moving forward," Archuleta said.

**Healthcare Cybersecurity Act of 2022**

Looking to stem the mounting attacks, Rep. Jason Crow (D-CO) sponsored the Healthcare Cybersecurity Act. The bill, introduced in September, would require CISA to collaborate with HHS to improve cybersecurity in the healthcare industry.

According to the bill's summary, CISA and HHS would provide resources "including cyber-threat indicators and appropriate defense measures, available to federal and nonfederal entities that receive information through HHS programs."

The bill also calls for CISA to provide cybersecurity training and remediation strategies to those who own or provide health care services. Archuleta, the CIO of Mt. San Rafael Hospital and Clinics, said that 91% of targeted ransomware attacks came from phishing emails directed at employees, many of whom haven't received adequate training. "We are not focusing on developing a human firewall within our organization," he said.

Meanwhile, Senator Mark Warner (D-VA) published a policy options white paper that details existing cybersecurity threats and potential responses from the federal government. The paper draws on Warner's staff and cybersecurity experts' research and a broad set of options for the federal government to collaborate with healthcare providers to improve their cyber protection capabilities and a blueprint for recovering from attacks.

"The healthcare sector is uniquely vulnerable to cyberattacks, and the transition to better cybersecurity has been painfully slow and inadequate," Warner said in a statement. "The federal government and the health sector must find a balanced approach to meet the dire threats, as partners with shared responsibilities."

Healthcare Providers and Hospitals Under Ransomware's Siege

Security leaders must maintain an effective cybersecurity strategy to help filter some of the noise on new vulnerabilities.

The security industry collectively loses its mind when new vulnerabilities are discovered in software. OpenSSL is no exception, and two new vulnerabilities overwhelmed news feeds in late October and early November 2022. Discovery and disclosure are only the beginnings of this never-ending vulnerability cycle. Affected organizations are faced with remediation, which is especially painful for those on the front lines of IT. Security leaders must maintain an effective cybersecurity strategy to help filter some of the noise on new vulnerabilities, recognize impacts to supply chains, and secure their assets accordingly.

**Supply Chain Attacks Aren't Going Away**

In roughly a year's time, we've suffered through severe vulnerabilities in componentry including Log4j, Spring Framework, and OpenSSL. Exploitation of older vulnerabilities also never ceases from implementations that are misconfigured or that use known vulnerable dependencies. In November 2022, the public learned of an attack campaign against the Federal Civilian Executive Branch (FCEB), attributable to a state-sponsored Iranian threat. This US federal entity was running VMware Horizon infrastructure that contained the Log4Shell vulnerability, which served as the initial attack vector. FCEB was hit with a complex attack chain that included lateral movement, credential compromise, system compromise, network persistence, endpoint protection bypass, and cryptojacking.

Organizations may ask "why consume OSS at all?" after security incidents from vulnerable packages like OpenSSL or Log4j. Supply chain attacks continue trending upward because componentry reuse makes “good business sense” for partners and suppliers. We engineer systems by repurposing existing code rather than building from scratch. This is to reduce engineering effort, scale operationally, and deliver quickly. Open source software (OSS) is generally considered trustworthy by virtue of the public scrutiny it receives. However, software is ever-changing, and issues arise through coding mistakes or linked dependencies. New issues are also uncovered through evolution of testing and exploitation techniques.

**Tackling Supply Chain Vulnerabilities**

Organizations need appropriate tooling and process to secure modern designs. Traditional approaches such as vulnerability management or point-in-time assessments alone can't keep up. Regulations may still allow for these approaches, which perpetuates the divide between "secure" and "compliant." Most organizations aspire to obtain some level of DevOps maturity. "Continuous" and "automated" are common traits of DevOps practices. Security processes shouldn't differ. Security leaders must maintain focus throughout build, delivery, and runtime phases as part of their security strategy:

*   **Continuously scan in CI/CD:** Aim to secure build pipelines (i.e., shift-left) but acknowledge that you won't be able to scan all code and nested code. Success with shift-left approaches is limited by scanner efficacy, correlation of scanner output, automation of release decisions, and scanner completion within release windows. Tooling should help prioritize risk of findings. Not all findings are actionable, and vulnerabilities may not be exploitable in your architecture.

*   **Continuously scan during delivery:** Component compromise and environment drift happen. Applications, infrastructure, and workloads should be scanned while being delivered in case something was compromised in the digital supply chain when being sourced from registries or repositories and bootstrapped.

*   **Continuously scan in runtime:** Runtime security is the starting point of many security programs, and security monitoring underpins most cybersecurity efforts. You need mechanisms that can collect and correlate telemetry in all types of environments, though, including cloud, container, and Kubernetes environments. Insights gathered in runtime should feed back to earlier build and delivery stages. Identity and service interactions

*   **Prioritize vulnerabilities exposed in runtime:** All organizations struggle with having enough time and resources to scan and fix everything. Risk-based prioritization is fundamental to security program work. Internet exposure is just one factor. Another is vulnerability severity, and organizations often focus on high and critical severity issues since they're deemed to have the most impact. This approach can still waste cycles of engineering and security teams because they may be chasing vulnerabilities that never get loaded at runtime and that aren't exploitable. Use runtime intelligence to verify what packages actually get loaded in running applications and infrastructure to know the actual security risk to your organization.

We've created product-specific guidance to steer customers through the recent OpenSSL madness.

The latest OpenSSL vulnerability and Log4Shell remind us of the need for cybersecurity preparedness and effective security strategy. We must remember that CVE-IDs are just those known issues in public software or hardware. Many vulnerabilities go unreported, particularly weaknesses in homegrown code or environmental misconfigurations. Your cybersecurity strategy must account for distributed and diverse technology of modern designs. You need a modernized vulnerability management program that uses runtime insights to prioritize remediation work for engineering teams. You also need threat detection and response capabilities that correlate signals across environments to avoid surprises.

**About the Author**

    

Michael Isbitski, Director of Cybersecurity Strategy at Sysdig, has researched and advised on cybersecurity for over five years. He's versed in cloud security, container security, Kubernetes security, API security, security testing, mobile security, application protection, and secure continuous delivery. He's guided countless organizations globally in their security initiatives and supporting their business.

Prior to his research and advisory experience, Mike learned many hard lessons on the front lines of IT with over 20 years of practitioner and leadership experience focused on application security, vulnerability management, enterprise architecture, and systems engineering.

Supply Chain Risks Got You Down? Keep Calm and Get Strategic!

vRealize Operations (vROps) contains a broken access control vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 4.4.

Advisory ID: VMSA-2022-0034

CVSSv3 Range: 4.4-7.2

Issue Date: 2022-12-15

Updated On: 2022-12-15 (Initial Advisory)

CVE(s): CVE-2022-31707, CVE-2022-31708

Synopsis: VMware vRealize Operations (vROps) updates address privilege escalation vulnerabilities (CVE-2022-31707, CVE-2022-31708)

****1\. Impacted Products****

*   VMware vRealize Operations (vROps)

****2\. Introduction****

Multiple vulnerabilities in VMware vRealize Operations (vROps) were privately reported to VMware. Patches and updates are available to remediate these vulnerabilities in affected VMware products.

****3a. VMware vRealize Operations (vROps) privilege escalation vulnerability (CVE-2022-31707)****

vRealize Operations (vROps) contains a privilege escalation vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.2.

A malicious actor with administrative privileges in the vROps application can gain root access to the underlying operating system.

To remediate CVE-2022-31707 apply the fixes listed in the 'Fixed Version' column of the 'Response Matrix' below.

VMware would like to thank Anonymous working with Trend Micro Zero Day Initiative, and thiscodecc of MoyunSec TopBreaker Labs and Bing Liu of MoyunSec for independently reporting this issue to us.

****3b. VMware vRealize Operations (vROps) contains an access control vulnerability (CVE-2022-31708)****

vRealize Operations (vROps) contains a broken access control vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 4.4.

A malicious actor with admin privileges in the vROps application can read sensitive information from the underlying operating system.

To remediate CVE-2022-31708 apply the updates listed in the 'Fixed Version' column of the 'Response Matrix' below.

VMware would like to thank Anonymous working with Trend Micro Zero Day Initiative, and thiscodecc of MoyunSec TopBreaker Labs and Bing Liu of MoyunSec for independently reporting this issue to us.

Product

Version

Running On

CVE Identifier

CVSSv3

Severity

Fixed Version

Workarounds

Additional Documentation

VMware vRealize Operations (vROps)

8.10

Any

CVE-2022-31707, CVE-2022-31708

4.4, 7.2

important

8.10.1

N/A

N/A

VMware vRealize Operations (vROps)

8.6.x

Any

CVE-2022-31707, CVE-2022-31708

4.4, 7.2

important

KB90232

N/A

N/A

****4\. References****

****5\. Change Log****

2022-12-15 VMSA-2022-0034

Initial security advisory.

****6\. Contact****

CVE-2022-31708: VMSA-2022-0034

vRealize Network Insight (vRNI) directory traversal vulnerability in vRNI REST API. A malicious actor with network access to the vRNI REST API can read arbitrary files from the server.

Advisory ID: VMSA-2022-0031

CVSSv3 Range: 7.5-9.8

Issue Date: 2022-12-13

Updated On: 2022-12-13 (Initial Advisory)

CVE(s): CVE-2022-31702, CVE-2022-31703

Synopsis: VMware vRealize Network Insight (vRNI) updates address command injection and directory traversal security vulnerabilities (CVE-2022-31702, CVE-2022-31703)

****1\. Impacted Products****

*   VMware vRealize Network Insight (vRNI)

****2\. Introduction****

Multiple vulnerabilities in VMware vRealize Network Insight (vRNI)were privately reported to VMware. Patches and updates are available to remediate these vulnerabilities in affected VMware products.

****3a. VMware vRealize Network Insight (vRNI) command injection vulnerability (CVE-2022-31702)****

vRealize Network Insight (vRNI) contains a command injection vulnerability present in the vRNI REST API. VMware has evaluated the severity of this issue to be in the critical severity range with a maximum CVSSv3 base score of 9.8.

A malicious actor with network access to the vRNI REST API can execute commands without authentication.

To remediate CVE-2022-31702 apply the fixes listed in the 'Fixed Version' column of the 'Response Matrix' below to affected deployments.

VMware would like to thank ZDI for reporting this vulnerability to us.

****3b. VMware vRealize Network Insight (vRNI) contains a directory traversal vulnerability (CVE-2022-31703)****

vRealize Network Insight (vRNI) directory traversal vulnerability in vRNI REST API. VMware has evaluated the severity of this issue to be in the important severity range with a maximum CVSSv3 base score of 7.5.

A malicious actor with network access to the vRNI REST API can read arbitrary files from the server.

To remediate CVE-2022-31703 apply the updates listed in the 'Fixed Version' column of the 'Response Matrix' below to affected deployments.

VMware would like to thank ZDI for reporting this vulnerability to us.

Product

Version

Running On

CVE Identifier

CVSSv3

Severity

Fixed Version

Workarounds

Additional Documentation

VMware vRealize Network Insight (vRNI)

6.8.0

Any

CVE-2022-31702, CVE-2022-31703

NA

N/A

Unaffected

NA

NA

VMware vRealize Network Insight (vRNI)

6.7

Any

CVE-2022-31702, CVE-2022-31703

9.8, 7.5

critical

6.7 HF

None

NA

VMware vRealize Network Insight (vRNI)

6.6

Any

CVE-2022-31702, CVE-2022-31703

9.8, 7.5

critical

6.6 HF

None

NA

VMware vRealize Network Insight (vRNI)

6.5.x

Any

CVE-2022-31702, CVE-2022-31703

9.8, 7.5

critical

6.5.x HF

None

NA

VMware vRealize Network Insight (vRNI)

6.4

Any

CVE-2022-31702, CVE-2022-31703

9.8, 7.5

critical

6.4 HF

None

NA

VMware vRealize Network Insight (vRNI)

6.3

Any

CVE-2022-31702, CVE-2022-31703

9.8, 7.5

critical

6.3 HF

None

NA

VMware vRealize Network Insight (vRNI)

6.2

Any

CVE-2022-31702, CVE-2022-31703

9.8, 7.5

critical

6.2 HF

None

NA

****4\. References****

****5\. Change Log****

2022-12-13 VMSA-2022-0031

Initial security advisory.

****6\. Contact****

Tag

#vmware