Daily Archives: March 22, 2022

News

Windstream Enterprise launches managed SASE with Cato Networks

Read Time:34 Second

Windstream Enterprise, a managed communications service company, is launching a comprehensive, managed secure access service edge (SASE) solution in partnership with cloud-native SASE provider Cato Networks.

With Cato’s technology, Windstream can offer a SASE solution to meet rising customer demand for a holistic network and security-as-a-service offering, says Mike Frane, VP of product management at Windstream Enterprise.

Windstream Enterprise wraps its extensive managed services expertise around the SASE services by delivering concierge-level configuration, analysis, and optimization through our Technical Service Management (TSM) team, coupled with comprehensive security oversight and management from our Cyber Security Operations Center (CSOC),” Frane says.

To read this article in full, please click here

Read More

Advisories

USN-5343-1: Linux kernel vulnerabilities

Read Time:8 Minute, 52 Second

Yiqi Sun and Kevin Wang discovered that the cgroups implementation in the
Linux kernel did not properly restrict access to the cgroups v1
release_agent feature. A local attacker could use this to gain
administrative privileges. (CVE-2022-0492)

It was discovered that the aufs file system in the Linux kernel did not
properly restrict mount namespaces, when mounted with the non-default
allow_userns option set. A local attacker could use this to gain
administrative privileges. (CVE-2016-2853)

It was discovered that the aufs file system in the Linux kernel did not
properly maintain POSIX ACL xattr data, when mounted with the non-default
allow_userns option. A local attacker could possibly use this to gain
elevated privileges. (CVE-2016-2854)

It was discovered that the f2fs file system in the Linux kernel did not
properly validate metadata in some situations. An attacker could use this
to construct a malicious f2fs image that, when mounted and operated on,
could cause a denial of service (system crash) or possibly execute
arbitrary code. (CVE-2019-19449)

It was discovered that the XFS file system implementation in the Linux
kernel did not properly validate meta data in some circumstances. An
attacker could use this to construct a malicious XFS image that, when
mounted, could cause a denial of service. (CVE-2020-12655)

Kiyin (尹亮) discovered that the NFC LLCP protocol implementation in the
Linux kernel contained a reference counting error. A local attacker could
use this to cause a denial of service (system crash). (CVE-2020-25670)

Kiyin (尹亮) discovered that the NFC LLCP protocol implementation in the
Linux kernel did not properly deallocate memory in certain error
situations. A local attacker could use this to cause a denial of service
(memory exhaustion). (CVE-2020-25671, CVE-2020-25672)

Kiyin (尹亮) discovered that the NFC LLCP protocol implementation in the
Linux kernel did not properly handle error conditions in some situations,
leading to an infinite loop. A local attacker could use this to cause a
denial of service. (CVE-2020-25673)

Mathy Vanhoef discovered that the Linux kernel’s WiFi implementation
incorrectly handled EAPOL frames from unauthenticated senders. A physically
proximate attacker could inject malicious packets to cause a denial of
service (system crash). (CVE-2020-26139)

Mathy Vanhoef discovered that the Linux kernel’s WiFi implementation could
reassemble mixed encrypted and plaintext fragments. A physically proximate
attacker could possibly use this issue to inject packets or exfiltrate
selected fragments. (CVE-2020-26147)

It was discovered that the BR/EDR pin-code pairing procedure in the Linux
kernel was vulnerable to an impersonation attack. A physically proximate
attacker could possibly use this to pair to a device without knowledge of
the pin-code. (CVE-2020-26555)

It was discovered that the bluetooth subsystem in the Linux kernel did not
properly perform access control. An authenticated attacker could possibly
use this to expose sensitive information. (CVE-2020-26558, CVE-2021-0129)

It was discovered that the FUSE user space file system implementation in
the Linux kernel did not properly handle bad inodes in some situations. A
local attacker could possibly use this to cause a denial of service.
(CVE-2020-36322)

It was discovered that the Infiniband RDMA userspace connection manager
implementation in the Linux kernel contained a race condition leading to a
use-after-free vulnerability. A local attacker could use this to cause a
denial of service (system crash) or possible execute arbitrary code.
(CVE-2020-36385)

It was discovered that the DRM subsystem in the Linux kernel contained
double-free vulnerabilities. A privileged attacker could possibly use this
to cause a denial of service (system crash) or possibly execute arbitrary
code. (CVE-2021-20292)

It was discovered that a race condition existed in the timer implementation
in the Linux kernel. A privileged attacker could use this to cause a denial
of service. (CVE-2021-20317)

Or Cohen and Nadav Markus discovered a use-after-free vulnerability in the
nfc implementation in the Linux kernel. A privileged local attacker could
use this issue to cause a denial of service (system crash) or possibly
execute arbitrary code. (CVE-2021-23134)

It was discovered that the Xen paravirtualization backend in the Linux
kernel did not properly deallocate memory in some situations. A local
attacker could use this to cause a denial of service (memory exhaustion).
(CVE-2021-28688)

It was discovered that the RPA PCI Hotplug driver implementation in the
Linux kernel did not properly handle device name writes via sysfs, leading
to a buffer overflow. A privileged attacker could use this to cause a
denial of service (system crash) or possibly execute arbitrary code.
(CVE-2021-28972)

It was discovered that a race condition existed in the netfilter subsystem
of the Linux kernel when replacing tables. A local attacker could use this
to cause a denial of service (system crash). (CVE-2021-29650)

It was discovered that a race condition in the kernel Bluetooth subsystem
could lead to use-after-free of slab objects. An attacker could use this
issue to possibly execute arbitrary code. (CVE-2021-32399)

It was discovered that the CIPSO implementation in the Linux kernel did not
properly perform reference counting in some situations, leading to use-
after-free vulnerabilities. An attacker could use this to cause a denial of
service (system crash) or possibly execute arbitrary code. (CVE-2021-33033)

It was discovered that a use-after-free existed in the Bluetooth HCI driver
of the Linux kernel. A local attacker could use this to cause a denial of
service (system crash) or possibly execute arbitrary code. (CVE-2021-33034)

Asaf Modelevsky discovered that the Intel(R) Ethernet ixgbe driver for the
Linux kernel did not properly validate large MTU requests from Virtual
Function (VF) devices. A local attacker could possibly use this to cause a
denial of service. (CVE-2021-33098)

Norbert Slusarek discovered that the CAN broadcast manger (bcm) protocol
implementation in the Linux kernel did not properly initialize memory in
some situations. A local attacker could use this to expose sensitive
information (kernel memory). (CVE-2021-34693)

马哲宇 discovered that the IEEE 1394 (Firewire) nosy packet sniffer driver in
the Linux kernel did not properly perform reference counting in some
situations, leading to a use-after-free vulnerability. A local attacker
could use this to cause a denial of service (system crash) or possibly
execute arbitrary code. (CVE-2021-3483)

It was discovered that an out-of-bounds (OOB) memory access flaw existed in
the f2fs module of the Linux kernel. A local attacker could use this issue
to cause a denial of service (system crash). (CVE-2021-3506)

It was discovered that the bluetooth subsystem in the Linux kernel did not
properly handle HCI device initialization failure, leading to a double-free
vulnerability. An attacker could use this to cause a denial of service or
possibly execute arbitrary code. (CVE-2021-3564)

It was discovered that the bluetooth subsystem in the Linux kernel did not
properly handle HCI device detach events, leading to a use-after-free
vulnerability. An attacker could use this to cause a denial of service or
possibly execute arbitrary code. (CVE-2021-3573)

Murray McAllister discovered that the joystick device interface in the
Linux kernel did not properly validate data passed via an ioctl(). A local
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code on systems with a joystick device
registered. (CVE-2021-3612)

It was discovered that the tracing subsystem in the Linux kernel did not
properly keep track of per-cpu ring buffer state. A privileged attacker
could use this to cause a denial of service. (CVE-2021-3679)

It was discovered that the Virtio console implementation in the Linux
kernel did not properly validate input lengths in some situations. A local
attacker could possibly use this to cause a denial of service (system
crash). (CVE-2021-38160)

It was discovered that the KVM hypervisor implementation in the Linux
kernel did not properly compute the access permissions for shadow pages in
some situations. A local attacker could use this to cause a denial of
service. (CVE-2021-38198)

It was discovered that the MAX-3421 host USB device driver in the Linux
kernel did not properly handle device removal events. A physically
proximate attacker could use this to cause a denial of service (system
crash). (CVE-2021-38204)

It was discovered that the NFC implementation in the Linux kernel did not
properly handle failed connect events leading to a NULL pointer
dereference. A local attacker could use this to cause a denial of service.
(CVE-2021-38208)

It was discovered that the configfs interface for USB gadgets in the Linux
kernel contained a race condition. A local attacker could possibly use this
to expose sensitive information (kernel memory). (CVE-2021-39648)

It was discovered that the ext4 file system in the Linux kernel contained a
race condition when writing xattrs to an inode. A local attacker could use
this to cause a denial of service or possibly gain administrative
privileges. (CVE-2021-40490)

It was discovered that the 6pack network protocol driver in the Linux
kernel did not properly perform validation checks. A privileged attacker
could use this to cause a denial of service (system crash) or execute
arbitrary code. (CVE-2021-42008)

It was discovered that the ISDN CAPI implementation in the Linux kernel
contained a race condition in certain situations that could trigger an
array out-of-bounds bug. A privileged local attacker could possibly use
this to cause a denial of service or execute arbitrary code.
(CVE-2021-43389)

It was discovered that the Phone Network protocol (PhoNet) implementation
in the Linux kernel did not properly perform reference counting in some
error conditions. A local attacker could possibly use this to cause a
denial of service (memory exhaustion). (CVE-2021-45095)

Wenqing Liu discovered that the f2fs file system in the Linux kernel did
not properly validate the last xattr entry in an inode. An attacker could
use this to construct a malicious f2fs image that, when mounted and
operated on, could cause a denial of service (system crash) or possibly
execute arbitrary code. (CVE-2021-45469)

Amit Klein discovered that the IPv6 implementation in the Linux kernel
could disclose internal state in some situations. An attacker could
possibly use this to expose sensitive information. (CVE-2021-45485)

It was discovered that the per cpu memory allocator in the Linux kernel
could report kernel pointers via dmesg. An attacker could use this to
expose sensitive information or in conjunction with another kernel
vulnerability. (CVE-2018-5995)

Read More

Advisories

USN-5340-1: CKEditor vulnerabilities

Read Time:54 Second

Kyaw Min Thein discovered that CKEditor incorrectly handled
certain inputs. An attacker could possibly use this issue
to execute arbitrary code. This issue only affects
Ubuntu 18.04 LTS. (CVE-2018-9861)

Micha Bentkowski discovered that CKEditor incorrectly handled
certain inputs. An attacker could possibly use this issue to
execute arbitrary code. This issue only affects
Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2020-9281)

Anton Subbotin discovered that CKEditor incorrectly handled
certain inputs. An attacker could possibly use this issue to
execute arbitrary code. This issue only affects
Ubuntu 21.10. (CVE-2021-32808)

Anton Subbotin discovered that CKEditor incorrectly handled
certain inputs. An attacker could possibly use this issue to
inject arbitrary code. (CVE-2021-32809)

Or Sahar discovered that CKEditor incorrectly handled certain
inputs. An attacker could possibly use this issue to execute
arbitrary code. This issue only affects
Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2021-33829)

Mika Kulmala discovered that CKEditor incorrectly handled
certain inputs. An attacker could possibly use this issue to
execute arbitrary code. (CVE-2021-37695)

Read More

News

‘Spam Nation’ Villain Vrublevsky Charged With Fraud

Read Time:7 Minute, 24 Second

Pavel Vrublevsky, founder of the Russian payment technology firm ChronoPay and the antagonist in my 2014 book “Spam Nation,” was arrested in Moscow this month and charged with fraud. Russian authorities allege Vrublevsky operated several fraudulent SMS-based payment schemes, and facilitated money laundering for Hydra, the largest Russian darknet market. But according to information obtained by KrebsOnSecurity, it is equally likely Vrublevsky was arrested thanks to his propensity for carefully documenting the links between Russia’s state security services and the cybercriminal underground.

An undated photo of Vrublevsky at his ChronoPay office in Moscow.

ChronoPay specializes in providing access to the global credit card networks for “high risk” merchants — businesses involved in selling services online that tend to generate an unusually large number of chargebacks and reports of fraud, and hence have a higher risk of failure.

When I first began writing about Vrublevsky in 2009 as a reporter for The Washington Post, ChronoPay and its sister firm Red & Partners (RNP) were earning millions setting up payment infrastructure for fake antivirus peddlers and spammers pimping male enhancement drugs.

Using the hacker alias “RedEye,” the ChronoPay CEO oversaw a burgeoning pharmacy spam affiliate program called Rx-Promotion, which paid some of Russia’s most talented spammers and virus writers to bombard the world with junk email promoting Rx-Promotion’s pill shops. RedEye also was the administrator of Crutop, a Russian language forum and affiliate program that catered to thousands of adult webmasters.

In 2013, Vrublevsky was sentenced to 2.5 years in a Russian penal colony for convincing one of his top affiliates to launch a distributed denial-of-service (DDoS) attack against a competitor that shut down the ticketing system for the state-owned Aeroflot airline.

Following his release from jail, Vrublevsky began working on a new digital payments platform based in Hong Kong called HPay Ltd (a.k.a. Hong Kong Processing Corporation). HPay appears to have had a great number of clients that were running schemes which bamboozled people with fake lotteries and prize contests.

According to Russian prosecutors, the scam went like this: Consumers would receive an SMS with links to sites that falsely claimed a number of well-known companies were sponsoring drawings and lotteries for people who enrolled or agreed to answer surveys. All who responded were told they were winners, but also that they had to pay a commission to pick up the prize. That scheme allegedly stole 500 million rubles (~ USD $4.5 million) from over 100,000 consumers.

There are scant public records that show a connection between ChronoPay and HPay, apart from the fact that the latter’s website — hpay[.]io — was originally hosted on the same server (185.111.218.63) along with a handful of other domains, including Vrublevsky’s personal website rnp[.]com.

But then earlier this month, KrebsOnSecurity received a large amount of information that was stolen from ChronoPay recently when hackers managed to compromise the company’s Confluence server. Confluence is a web-based corporate wiki platform, and ChronoPay used their Confluence installation to document in exquisite detail how it creatively distributes the risk associated with high-risk processing by routing transactions through a myriad of shell companies and third-party processors.

A Google-translated snippet of the hacked ChronoPay Confluence installation. Click to enlarge.

Incredibly, Vrublevsky himself appears to have used ChronoPay’s Confluence wiki to document his entire 20+ years of personal and professional history in the high-risk payments space, including the company’s most recent forays with HPay. The latest document in the hacked archive is dated April 2021.

These diary entries, interspersed between highly technical how-tos, are all written in Russian and in the third person. But they are unmistakably Vrublevsky’s words: Some of the elaborate stories in the wiki were identical to theories that Vrublevsky himself espoused to me throughout hundreds of hours of phone interviews. Also, in some of the entries the narrator switches from “he” to “I” when describing the actions of Vrublevsky.

Vrublevsky’s memoire/wiki invokes the nicknames and real names of Russian hackers who worked with the protection of corrupt officials in the Russian Federal Security Service (FSB), the successor agency to the Soviet KGB. In several diary entries, Vrublevsky writes about various cybercriminals and Russian law enforcement officials involved in processing credit card payments tied to online gambling sites.

Russian banks are prohibited from processing payments for online gambling, and as a result many online gaming sites catering to Russian speakers have chosen to process credit card payments through Ukrainian financial institutions.

That’s according to Vladislav “BadB” Horohorin, the convicted cybercriminal who shared the ChronoPay Confluence data with KrebsOnSecurity. In February 2017, Horohorin was released after serving four years in a U.S. prison for his role in the 2009 theft of more than $9 million from RBS Worldpay.

Horohorin said Vrublevsky has been using his knowledge of the card processing networks to extort people in the online gambling industry who may run afoul of Russian laws.

“Russia has strict regulations against processing for the gambling business,” Horohorin said. “While Russian banks can’t do it, Ukrainian ones can, so we have Ukrainian banks processing gambling and casinos, which mostly Russian gamblers use. What Pavel does is he blackmails those Ukrainian banks using his connections and knowledge. Some pay, some don’t. But some people are not very tolerant of that kind of abuse.”

A native of Donetsk, Ukraine, Horohorin told KrebsOnSecurity he hacked and shared the ChronoPay Confluence installation because Vrublevsky had threatened a family member. Horohorin believes Vrublevsky secretly operated the “bad bank” channel on Telegram, which calls attention to online gambling operations that are violating Visa and MasterCard regulations (violations that can bring the violator hundreds of thousands of dollars in fines).

“Pavel scrupulously wrote his diary for a long time, and there is a lot of information on the people he knows,” Horohorin told KrebsOnSecurity. “My understanding is he wrote this in order to blackmail people later. There is a lot of interesting stuff, a lot of names and a lot of very intimate info about Russian card processing market, as well as Pavel’s own escapades.”

ChronoPay’s hacked Confluence server contains many diary entries about major players in the Russian online gambling and bookmaking industries.

Among the escapades recounted in the ChronoPay founder’s diaries are multiple stories involving the self-proclaimed “King of Fraud!” Aleksandr “Nastra” Zhukov, a Russian national who ran an advertising fraud network dubbed “Methbot” that stole $7 million from publishers through bots made to look like humans watching videos online.

The journal explains that Zhukov lived with a ChronoPay employee and had a great deal of interaction with ChronoPay’s high-risk department, so much so that Zhukov at one point gave Vrublevsky a $100,000 jeweled watch as a gift. Zukhov was arrested in Bulgaria in 2018 and extradited to the United States. Following a jury trial in New York that ended last year, Zhukov was sentenced to 10 years in prison.

According to the Russian news outlet Kommersant, Vrublevsky and company operated “Inferno Pay,” a payments portal that worked with Hydra, the largest Russian darknet market for illicit goods, including drug trafficking, malware, and counterfeit money and documents.

Inferno Pay, a cryptocurrency and payment API allegedly operated by the ChronoPay CEO.

“The services of Inferno Pay, whose commission came to 30% of the transaction, were actively used by online casinos,” Kommersant wrote on Mar. 12.

The drama surrounding Vrublevsky’s most recent arrest is reminiscent of events leading up to his imprisonment nearly a decade ago, when several years’ worth of ChronoPay internal emails were leaked online.

Kommersant said Russian authorities also searched the dwelling of Dmitry Artimovich, a former ChronoPay director who along with his brother Igor was responsible for running the Festi botnet, the same spam botnet that was used for years to pump out junk emails promoting Vrublevsky’s pharmacy affiliate websites. Festi also was the botnet used in the DDoS attack that sent Vrubelvsky to prison for two years in 2013.

Artimovich says he had a falling out with Vrublevsky roughly five years ago, and he’s been suing the company ever since. In a message to KrebsOnSecurity, Artimovich said while Vrublevsky was involved in a lot of shady activities, he doubts Vrublevksy’s arrest was really about SMS payment scams as the government claims.

“I do not think that it was a reason for his arrest,” Artimovich said. “Our law enforcement usually don’t give a shit about sites like this. And I don’t think that Vrublevsky made much money there. I believe he angered some high-ranking person. Because the scale of the case is much larger than Aeroflot. Police made search of 22 people. Illegal seizure of money, computers.”

The Hydra darknet market. Image: bitcoin.com

Read More

News

White House Warns of Possible Russian Cyberattacks

Read Time:1 Minute, 12 Second

News:

The White House has issued its starkest warning that Russia may be planning cyberattacks against critical-sector U.S. companies amid the Ukraine invasion.

[…]

Context: The alert comes after Russia has lobbed a series of digital attacks at the Ukrainian government and critical industry sectors. But there’s been no sign so far of major disruptive hacks against U.S. targets even as the government has imposed increasingly harsh sanctions that have battered the Russian economy.

The public alert followed classified briefings government officials conducted last week for more than 100 companies in sectors at the highest risk of Russian hacks, Neuberger said. The briefing was prompted by “preparatory activity” by Russian hackers, she said.
U.S. analysts have detected scanning of some critical sectors’ computers by Russian government actors and other preparatory work, one U.S. official told my colleague Ellen Nakashima on the condition of anonymity because of the matter’s sensitivity. But whether that is a signal that there will be a cyberattack on a critical system is not clear, Neuberger said.
Neuberger declined to name specific industry sectors under threat but said they’re part of critical infrastructure ­– a government designation that includes industries deemed vital to the economy and national security, including energy, finance, transportation and pipelines.

President Biden’s statement. White House fact sheet. And here’s a video of the extended Q&A with deputy national security adviser Anne Neuberger.

Read More