Cyber-ketju: verkkovakoilu,kännyköiden ja wlanien seuranta, hakkerointi, virukset, DoS etc

Researcher discovered a “more powerful” variant of an elevation-of-privilege flaw for which Microsoft released a botched patch earlier this month.
Attackers are actively exploiting a Windows Installer zero-day vulnerability that was discovered when a patch Microsoft issued for another security hole inadequately fixed the original and unrelated problem.

Over the weekend, security researcher Abdelhamid Naceri discovered a Windows Installer elevation-of-privilege vulnerability tracked as CVE-2021-41379 that Microsoft patched a couple of weeks ago as part of its November Patch Tuesday updates.
 
!!!

The EU needs more cybersecurity graduates to plug the political bloc's shortage of skilled infosec bods, according to a report from the ENISA online security agency.

The public sectors of EU countries should "support a unified approach" to infosec-focused higher education, it says, addressing an issue that is by no means unique to the bloc.

In a new report titled "Addressing the EU Cybersecurity Skills Shortage and Gap Through Higher Education", academics Jason Nurse and Konstantinos Adamos, together with ENISA's Athanasios Grammatopoulos and Fabio Di Franco, said the European Union needs to get more students signing up for cybersecurity degrees.

The report found that the majority of cybersecurity degrees offered across the 27-states – 77 per cent – are at master's degree level. Just under a fifth (17 per cent) are undergraduate degrees while 6 per cent are at "postgraduate" level.

Kirjoitin tästä toissa päivänä, eli koulutusta pitää muuttaa esim AMK tasolla siten että exploittaus ja pahanteko otetaan ensin esille ja sitten koulutetaan miten se korjataan alusta asti. Samalla pitäisi aloittaa myös raudan heikkouksista ja miten niitä on aikojen saatossa exploitattu. Tämä antaa niin rauta kuin softainsseille ymmärryksen alusta asti miten homma toimii kuin sen sijaan että se on erillisenä kurssina peruskoulutuksen jälkeen.
 
An unpatched Windows security vulnerability could allow information disclosure and local privilege escalation (LPE), researchers have warned. The issue (CVE-2021-24084) has yet to get an official fix, making it a zero-day bug – but a micropatch has been rolled out as a stop-gap measure.

Security researcher Abdelhamid Naceri originally reported the vulnerability as an information-disclosure issue in October 2020, via Trend Micro’s Zero-Day Initiative (ZDI). Though Microsoft had told him it was planning a fix for last April, the patch has not yet been forthcoming.

Then, this month, Naceri discovered that CVE-2021-24084 could also be exploited for LPE, so that non-admin Windows users can read arbitrary files even if they do not have permissions to do so. In a proof-of-concept exploit, he demonstrated that it’s possible to copy files from a chosen location into a Cabinet (.CAB) archive that the user can then open and read.

The process for doing so is very similar to the LPE exploitation approach for the HiveNightmare bug, CVE-2021-36934, which affects the Security Accounts Manager (SAM) database in all versions of Windows 10. The SAM component in Windows houses user account credentials and network domain information – a juicy target for attackers.

“As HiveNightmare/SeriousSAM has taught us, an arbitrary file disclosure can be upgraded to local privilege escalation if you know which files to take and what to do with them,” Mitja Kolsek, head of the 0patch team, noted in a recent posting. “We confirmed this [for the zero-day and were] able to run code as local administrator.”

Niin monta zeroday exploittia. Tänä vuonna niitä on palanut iso kasa.
 
Microsoft has revealed its Digital Crimes Unit (DCU) won court approval to take control of websites a Chinese gang was using to attack targets across the world – often by exploiting vulnerabilities in Microsoft products.

A post attributed to Microsoft's corporate veep for customer security & trust, Tom Burt, states the US District Court for the Eastern District of Virginia has granted Microsoft to take control of malicious websites operated by a group called Nickel that has been around since at least 2016.

Burt's post indicates that Microsoft spotted Nickel trying to pinch information from "government agencies, think tanks and human rights organizations". Taking control of the websites Nickel owned will make it harder for the gang to conduct such attacks, Burt opined.

Nickel is also known as "KE3CHANG," "APT15," "Vixen Panda," "Royal APT" and "Playful Dragon".

Whatever the gang is called, it targets unpatched systems in the hope of owning and operating them with stealthy malware.
 
cve-2021-44228-diagram.jpg

og4J is an open-source Java-based logging tool available from Apache. It has the ability to perform network lookups using the Java Naming and Directory Interface to obtain services from the Lightweight Directory Access Protocol. The end result: Log4j will interpret a log message as a URL, go and fetch it, and even execute any executable payload it contains with the full privileges of the main program. Exploits are triggered inside text using the ${} syntax, allowing them to be included in browser user agents or other commonly-logged attributes.
 
The NCA now becomes the second law enforcement agency to officially supply HIBP with hacked passwords after the US Federal Bureau of Investigations began a similar collaboration with the service back in May. In a blog post today, Troy Hunt, HIBP creator Troy Hunt said that 225 million of the compromised passwords found by the NCA were new and unique.

These passwords have been added to a section of the HIBP website called Pwned Passwords. This section allows companies and system administrators to check and see if their current passwords have been compromised in hacks and if they are likely to be part of public lists used by threat actors in brute-force and password-spraying attacks. Currently, the HIBP Pwned Passwords collection includes 5.5 billion entries, of which 847 million are unique. All these passwords are also available as a free download, so companies can check their passwords against the data set locally without connecting to Hunt's service.

In a statement shared by Hunt, the NCA said it found the compromised passwords, paired with email accounts, in an account at a UK cloud storage facility. The NCA said they weren't able to determine or attribute the compromised email and password combos to any specific platform or company.

 
The Belgian military said on Tuesday it had been hit with a cyberattack five days ago and was still battling to restore affected parts of its system.
Military spokesman Olivier Severin told AFP that elements hit by last Thursday's attack, which contaminated services connected to the internet, were still being analysed and restored.
Severin did not name any group suspected of the attack and gave no further details of the systems involved.
The attackers are believed to have targeted a vulnerability in Log4j, a logging library that keeps track of events on a system.
The flaw, which was publicised earlier this month, was labelled "the single biggest, most critical vulnerability of the last decade" by US cybersecurity firm Tenable.
It can allow attackers to take control of a machine, move around the victim's network and deploy ransomware and spyware.
The Belgian military imposed "quarantine measures" to "contain the infected elements", Severin told the Belga press agency on Monday.
Log4j is a common piece of code and the vulnerability has led to widespread concern, but no other attacks on major companies or institutions have yet been reported.
 
 
Suomalaisittain merkittävän tietoturva-yhtiön, FSecuren politiikka ainakin vuosi sitten, oli GSM-verkossa mobiililaitteiden hyväksytysti käyttö, vain Applen kännyköille.
 
Suomalaisittain merkittävän tietoturva-yhtiön, FSecuren politiikka ainakin vuosi sitten, oli GSM-verkossa mobiililaitteiden hyväksytysti käyttö, vain Applen kännyköille.
Mikäs ompun tuotteissa tekee niistä turvallisen GSM-verkkoon? Eikös ne ihan GSM-salauksella siellä toimi...

Sitten jos mennään pikaviestinnän puolelle, niin siellähän on käytössä kaksisuuntainen salaus, mutta..

Ihan mielenkiintoinen juttu jos tarkemmin penkoo. Wanhasta skannerin kuvanpakkausohjelmasta löytynyt bufferoverflow joka mahdollisti logiikkaporttien luomisen ja sitä kautta yksinkertaisen tietokoneen luomisen kännyn sisään... NSO on ollut muutenkin esillä, ja taitoa ilmeisesti löytyy...
 
Appsit paskaa androideissa?
Sitäkin jos niitä ihan kaikkialta latailee tai jotain randomeita emoijia play kaupasta. Yhtä hyvin Apple ne appsit tutkii kuin Googlekin, eli automaattisesti. Vanhat anterot on vaan niin paskoja turvallisuuden kannalta ja käyttäjät vielä paskempia... tottakai jollain random pelillä pitää olla oikeus osoitekirjaan ja käyttäjän vielä se hyväksyä...
 
Criminals are actively exploiting the high-severity Log4Shell vulnerability on servers running VMware Horizon in an attempt to install malware that allows them to gain full control of affected systems, the UK’s publicly funded healthcare system is warning.

CVE-2021-44228 is one of the most severe vulnerabilities to come to light in the past few years. It resides in Log4J, a system-logging code library used in thousands if not millions of third-party applications and websites. That means there is a huge base of vulnerable systems. Additionally, the vulnerability is extremely easy to exploit and allows attackers to install Web shells, which provide a command window for executing highly privileged commands on hacked servers.
 
U.S. Cyber Command task force executed what is being described as its “first offensive cyber effect operation” against real-world cyber threats. While the exact nature of the operation and its target remains unknown, the event was significant enough for the U.S. Secretary of Defense to personally attend to watch the operation in action.

The operation was conducted between February and August 2021 by a task force consisting of personnel from the Maryland Air National Guard’s 175th Cyber Operations Group, the Delaware Air National Guard’s 166th Cyber Operations Squadron, U.S. Navy’s Cyber Strike Activity Sixty-Three, the U.S. Air Force’s 341st Cyber Operations Squadron, and the Air Force Reserve. The task force executed the operation from February to August last year, although the Air National Guard (ANG) just announced it this week. While there have been other offensive cyber operations conducted by U.S. Cyber Command (USCYBERCOM), this is the first conducted and acknowledged by this particular task force.
 
Researchers discovered a bug related to the Log4J logging library vulnerability, which in this case opens the door for an adversary to execute remote code on vulnerable systems. However, this flaw does not pose the same risk as the previously identified in Log4Shell, they said.

Frog security discovered the flaw and rated critical in the context of the H2 Java database console, a popular open-source database, according to a Thursday blog post by researchers.

H2 is attractive to developers for its lightweight in-memory solution–which precludes the requirement for data to be stored on disk—and is used in web platforms such as Spring Boot and IoT platforms such as ThingWorks.
 
Team82 and Synk examined 16 different URL parsing libraries, including: urllib (Python), urllib3 (Python), rfc3986 (Python), httptools (Python), curl lib (cURL), Wget, Chrome (Browser), Uri (.NET), URL (Java), URI (Java), parse_url (PHP), url (NodeJS), url-parse (NodeJS), net/url (Go), uri (Ruby) and URI (Perl).
As an example of a real-world attack scenario, slash confusion could lead to server-side request forgery (SSRF) bugs, which could be used to achieve RCE. Researchers explained that different libraries handle URLs with more than the usual number of slashes (https:///www.google.com, for instance) in different ways: Some of them ignore the extra slash, while others interpret the URL as having no host.

In the case of the former (the approach of most modern browsers as well as cURL), accepting malformed URLs with an incorrect number of slashes can lead to SSRF, researchers explained: “[Libraries that do not] ignore extra slashes…will parse this [malformed] URL as a URL with an empty authority (netloc), thus passing the security check comparing the netloc (an empty string in this case) to google.com. However, since cURL ignores the extra slash, it will fetch the URL as if it had only two slashes, thus bypassing the attempted validation and resulting in a SSRF vulnerability.”

URL confusion is also responsible for the Log4Shell patch bypass, according to Claroty, because two different URL parsers were used inside the JNDI lookup process: One parser was used for validating the URL, and another for fetching it.
 
The European Space Agency (ESA) is inviting applications from attackers who fancy having a crack at its OPS-SAT spacecraft.

It's all in the name of ethical hacking, of course. The plan is to improve the resilience and security of space assets by understanding the threats dreamed up by security professionals and members of he public alike.

OPS-SAT has, according to ESA, "a flight computer 10 times more powerful than any current ESA spacecraft" and the CubeSat has been in orbit since 2019, providing a test bed for software experiments.

It is therefore the ideal candidate for l33t h4x0rs to turn their attention to, while ESA engineers ensure the environment is kept under control.

"The in-built robustness of OPS-SAT makes it the perfect flying platform for ethical hackers to demonstrate their skills in a safe but suitably realistic environment," explained Dave Evans, OPS-SAT mission manager.
 
Russian law enforcement authorities said on Friday that they have arrested 14 people associated with REvil, a top ransomware group that has disrupted critical operations of wealthy targets and held their data hostage.

The action, carried out by Russia’s FSB, the successor agency to the KGB, is a rare example of the country’s government cracking down on cybercrime by its citizens. The US and Russia have no extradition treaty in place, and critics have said the Kremlin routinely harbors cybercriminals as long as they don’t target organizations located in the former Soviet Union. The arrests come as tensions between Russia and the US escalate over a standoff involving Ukraine.

A joint operation between the FSB and local police searched 25 addresses and detained 14 people; it also seized 426 million rubles, $600,000, 500,000 euros, computer equipment, and 20 luxury cars, Friday’s release said. Russian officials said they directly informed their US counterparts of the action. The authorities carried out the operation following a request from the US, the FSB said.
 
Linux users on Tuesday got a major dose of bad news—a 12-year-old vulnerability in a system tool called Polkit gives attackers unfettered root privileges on machines running any major distribution of the open source operating system.


Previously called PolicyKit, Polkit manages system-wide privileges in Unix-like OSes. It provides a mechanism for nonprivileged processes to safely interact with privileged processes. It also allows users to execute commands with high privileges by using a component called pkexec, followed by the command.
 
Back
Top