Mac webcam hijack flaw wins man $100,500 from Apple

An independent researcher has received a $100,500 bug bounty from Apple after discovering a security hole in the company’s Safari browser for macOS that could allow a malicious website to hijack accounts and seize control of users’ webcams.

Read more in my article on the Hot for Security blog.

2022 Cybersecurity Predictions to Watch Out For

2021 was every bit as eventful as 2020. It was a year that bounced from hope to cautious optimism, then back to disquiet. While some of our cybersecurity predictions for 2021 were accurate, the year came to a close with organizations forced to address the significant challenge of the Log4j vulnerability. As we enter 2022, we’ve asked a few of the experts on the CIS team to share their 2022 cybersecurity predictions. Some, you’ll notice, are similar to last year’s, as we work hard to stay steps ahead of threats and bad actors. But there are also a few new predictions we’ll be sure to keep an eye on as we step into 2022. […]

Critical VMware vCenter Server vulnerability (CVE-2021-22005) being exploited in the wild

FortiGuard Labs is aware that VMware disclosed a critical vulnerability (CVE-2021-22005) on September 21st, 2021 that affects vCenter Server versions 6.7 and 7.0. An attacker with network access to port 443 on vCenter Server can exploit the vulnerability to execute code on the vCenter Server. The VMware advisory was updated on September 24th to note that the vulnerability is being exploited in the wild. In addition, exploit code is publicly available.

Why is this Significant?
VMware has one of the highest market shares in the server virtualization market, so the vulnerability can have a widespread effect. Some public reports indicate that CVE-2021-22005 is being exploited in the wild, and with exploit code publicly available, more attackers are expected to leverage the bug. Because of the potential impact in the field, CISA released an advisory on September 24th, 2021.

What are the Details of the Vulnerability?
Details of the vulnerability have not been disclosed by VMware.

Has VMware Released an Advisory for CVE-2021-22005?
Yes, the vendor released a cumulative advisory on September 21st, 2021. See the Appendix for a link to VMSA-2021-0020.1. The vendor also released a supplemental blog post and an advisory; see the Appendix for links to “VMSA-2021-0020: What You Need to Know” and “VMSA-2021-0020: Questions & Answers”.

Has the Vendor Released a Patch?
Yes. VMware released a patch on September 21st, 2021.

Any Mitigation and or Workarounds?
VMware provided workarounds in a blog post. See the Appendix for a link to “Workaround Instructions for CVE-2021-22005 (85717)”.

What is The Status of Coverage?
FortiGuard Labs is investigating IPS protection. This Threat Signal will be updated with protection information as it becomes available.

Multiple Agency Announcement on APT Actors Exploiting Zoho ManageEngine ADSelfService Plus (AA21-259A)

On September 16th, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and United States Coast Guard Cyber Command (CGCYBER) released a new joint advisory titled Alert (AA21-259A) APT Actors Exploiting Newly Identified Vulnerability in ManageEngine ADSelfService Plus. Zoho ManageEngine ADSelfService Plus build 6113 and prior is vulnerable to a REST API authentication bypass which ultimately allows remote code execution. The vulnerability has been assigned CVE-2021-40539.

What Are the Technical Details of the Vulnerability?
An authentication bypass vulnerability exists in Zoho ManageEngine ADSelfService Plus build 6113 and prior. Requests to the affected REST API URL(s) bypass authentication, and from there remote code execution is possible. Successful exploitation allows an attacker to place webshells in the victim environment. Once inside, an adversary can move laterally, compromise administrator credentials, carry out post-exploitation activity, and exfiltrate registry hives and Active Directory files from a domain controller.

Is this Being Exploited in the Wild?
Yes. According to US-CERT, exploitation is limited to targeted attacks by a sophisticated, unnamed APT group.

What Verticals are Being Targeted?
According to the US-CERT alert, the following verticals have been observed to be targeted: academic institutions, defense contractors, and critical infrastructure entities in multiple industry sectors including transportation, IT, manufacturing, communications, logistics, and finance.

What is the CVSS score?
9.8 CRITICAL

Has the Vendor Issued a Patch?
Yes, the vendor released patches on September 6th, 2021. Please refer to “ADSelfService Plus 6114 Security Fix Release” in the APPENDIX for details.

What is the Status of Coverage?
FortiGuard Labs provides the following IPS signature for CVE-2021-40539:
Zoho.ManageEngine.ADSelfService.Plus.Authentication.Bypass

Any Mitigation and or Workarounds?
It is strongly recommended to update to ADSelfService Plus build 6114. This update is linked from the vendor page “ADSelfService Plus 6114 Security Fix Release” in the APPENDIX. It is also highly suggested to keep affected devices from being publicly accessible, or to place them behind a security appliance/firewall such as a FortiGate. For further mitigation and workarounds, please refer to the US-CERT Alert and the Zoho Advisory in the APPENDIX.

Smashing Security podcast #259: Techquilibrium and mediocre linguistic escapades

Wordle – good or bad for the world? Whatever your opinion, at least someone wants to spoil players’ fun. Meanwhile, we take a look at the threat mobile phones can pose to your mental health.

All this and more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault.

Best Cybersecurity Research Paper Revealed

The National Security Agency has announced the winning entry to its ninth annual Best Cybersecurity Research Paper Competition.

The winning paper was written by Yanyi Liu from Cornell University and Rafael Pass, professor of Computer Science at Cornell Tech. It proves a theorem that ties the existence of one-way functions (OWFs) to a measure of the complexity of a string, namely its time-bounded Kolmogorov complexity.

“OWFs are vital components of modern symmetric encryption, digital signatures, authentication schemes and more,” said an NSA spokesperson.

“Until now, it has been assumed that OWF functions exist even though research shows that they are both necessary and sufficient for much of the security provided by cryptography.”

Titled On One-way Functions and Kolmogorov Complexity, the winning paper was published at the 2020 IEEE (Institute of Electrical and Electronics Engineers) Symposium on Foundations of Computer Science. 

The chief of NSA’s Laboratory for Advanced Cybersecurity Research picked the winning entry in a decision informed by the opinions of 10 distinguished international cybersecurity experts who independently reviewed the top papers among 34 nominations.

“One-way functions are a key underpinning in many modern cryptography systems and were first proposed in 1976 by Whitfield Diffie and Martin Hellman,” said an NSA spokesperson.

“These functions can be efficiently computed but are difficult to reverse, as determining the input based on the output is computationally expensive.”
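The precise relationship the winning paper establishes, added here as a note and not quoted from the article or the NSA announcement (the symbols U, Π, A and p are the standard ones from the paper’s setting, not from the page): for a string x and a time bound t, the t-bounded Kolmogorov complexity is

$$K^t(x) = \min\{\, |\Pi| : U(\Pi) \text{ outputs } x \text{ within } t(|x|) \text{ steps} \,\},$$

where U is a fixed universal Turing machine and Π ranges over programs. K^t is called mildly hard-on-average if there is a polynomial p such that, for every probabilistic polynomial-time algorithm A and all sufficiently large n,

$$\Pr_{x \leftarrow \{0,1\}^n}\big[A(x) = K^t(x)\big] \le 1 - \frac{1}{p(n)}.$$

The main theorem of Liu and Pass is then: for every polynomial t with t(n) ≥ (1+ε)n for some constant ε > 0,

$$\text{one-way functions exist} \iff K^t \text{ is mildly hard-on-average.}$$

The practical reading is the one the NSA quote gestures at: the existence of the OWFs underlying symmetric encryption and signatures is equivalent to a concrete, natural problem (computing K^t on random strings) being hard to solve on more than a 1 − 1/p(n) fraction of inputs, rather than an unexplained assumption.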

The NSA gave an honorable mention to another paper, Retrofitting Fine Grain Isolation in the Firefox Renderer, written by Shravan Narayan, Craig Disselkoen, Tal Garfinkel, Nathan Froyd, Sorin Lerner, Hovav Shacham and Deian Stefan.

Originally published at the USENIX Security Symposium 2020, this paper describes retrofitting fine-grained isolation of third-party libraries into the Firefox renderer so that a bug in one library cannot compromise the rest of the browser. The paper also demonstrated that the approach could be applied beyond Firefox.

“NSA congratulates the winners, and recently opened the nomination process for the 10th Annual Best Scientific Cybersecurity Paper Competition on January 15 2022,” said the NSA.

The agency said it will welcome nominations of papers published during 2021 in peer-reviewed journals, magazines, or technical conferences that show “an outstanding contribution to cybersecurity science.”

The nomination period for the 10th annual Best Cybersecurity Research Paper Competition closes on 15 April 2022.
