CVE-2021-20238

Read Time:41 Second

It was found in OpenShift Container Platform 4 that ignition config, served by the Machine Config Server, can be accessed externally from clusters without authentication. The MCS endpoint (port 22623) provides ignition configuration used for bootstrapping Nodes and can include some sensitive data, e.g. registry pull secrets. There are two scenarios where this data can be accessed. The first is on Baremetal, OpenStack, Ovirt, Vsphere and KubeVirt deployments which do not have a separate internal API endpoint and allow access from outside the cluster to port 22623 from the standard OpenShift API Virtual IP address. The second is on cloud deployments when using unsupported network plugins, which do not create iptables rules that prevent to port 22623. In this scenario, the ignition config is exposed to all pods within the cluster and cannot be accessed externally.

Read More

CVE-2020-25691

Read Time:11 Second

A flaw was found in darkhttpd. Invalid error handling allows remote attackers to cause denial-of-service by accessing a file with a large modification date. The highest threat from this vulnerability is to system availability.

Read More

CVE-2020-14479

Read Time:8 Second

Sensitive information can be obtained through the handling of serialized data. The issue results from the lack of proper authentication required to query the server

Read More

CVE-2019-14839

Read Time:9 Second

It was observed that while login into Business-central console, HTTP request discloses sensitive information like username and password when intercepted using some tool like burp suite etc.

Read More

CVE-2022-26233: Barco Control Room Management Suite File Path Traversal Vulnerability

Read Time:21 Second

Posted by Murat Aydemir on Apr 01

*I. SUMMARY*
Title: [CVE-2022-2623] Barco Control Room Management Suite File Path
Traversal Vulnerability
Product: Barco Control Room Management Suite before 2.9 build 0275 and all
prior versions
Vulnerability Type: File Path Traversal
Credit by/Researcher: Murat Aydemir from Accenture Cyber Security Team
(Prague CFC)
Contact: https://twitter.com/mrtydmr75
Github: https://github.com/murataydemir

*II. CVE REFERENCE, CVSS SCORES &…

Read More

Scammers are Exploiting Ukraine Donations

Read Time:5 Minute, 45 Second

Authored by Vallabh Chole and Oliver Devane

Scammers are very quick at reacting to current events, so they can generate ill-gotten gains. It comes as no surprise that they exploited the current events in Ukraine, and when the Ukrainian Twitter account tweeted Bitcoin and Ethereum wallet addresses for donations we knew that scammers would use this as a lure for their victims.

This blog covers some of the malicious sites and emails McAfee has observed in the past few weeks.

Crypto wallet donation scams

A crypto donation scam occurs when perpetrators create phishing websites and emails that contain cryptocurrency wallets asking for donations. We have observed several new domains being created which perform this malicious activity, such as ukrainehelp[.]world and ukrainethereum[.]com.

Ukrainhelp[.]world

Below is a screenshot of Ukrainehelp[.]world, which is a phishing site asking for crypto donations for UNICEF. The website contains the BBC logo and several crypto wallet addresses.

While investigating this site, we observed that the Ethereum wallet used use was also associated with an older crypto scam site called eth-event20.com. The image below shows the current value of the crypto wallet which is worth $114,000. Interestingly this wallet transfers all its coins to 0xc95eb2aa75260781627e7171c679a490e2240070 which in turn transfers to 0x45fb09468b17d14d2b9952bc9dcb39ee7359e64d. The final wallet currently has 313 ETH which is worth over $850,000. This shows the large sums of money scammers can generate with phishing sites.

Ukrainethereum[.]com

Ukrainethereum[.]com is another crypto scam site, but what makes this one interesting is the features it contains to gain the victim’s confidence in trusting the website such as a fake chatbox and a fake donation verifier.

Fake Chat

The image above shows the chatbox on the left-hand side which displays several messages. At first glance, it would appear as if other users are on the website and talking, but when you reload the site it shows the same messages. This is due to the chat messages being displayed from a list that is used to populate the website with JavaScript code as shown on the right-hand side.  

Fake Donation Verifier 

The site contains a donation checker so the victim can see if their donation was received, as shown below. 

 

The first image on left shows the verification box for donation to check if it is completed or not 
Upon clicking ‘Check’ the victim is shown a message to say the donation was received.  
What occurs, is upon clicking ‘Check’ the JavaScript code changes the website code so that it displays the ‘Thanks!’ message, and no actual check is performed. 

Phishing Email 

The following image shows one of the examples of phish emails we have observed. 

The email is not addressed to anyone specifically as they are mass-mailed to multiple email addresses. The wallet IDs in the email are not associated with the official Ukraine Twitter and are owned by scammers. As you can see in the image above, they are similar as the first 3 characters are the same. This could lead to some users believing it is legitimate. Therefore, it’s important to check that the wallet address is identical.  

Credit Card Information Stealer 

This is the most common type of phishing website. The goal of these sites it entices the victim into entering their credit card and personally identifiable information (PII) data by making them believe that the site being visited is official. This section contains details on one such website we have found using Ukraine donations as a lure.  

Razonforukrain[.]com 

The image below shows the phishing site. The website was used to save the children’s NGO links and images, which made it appear more genuine. You can see that is it asking the victim to enter their credit card and billing information.  

Once the data is entered, and the victim clicks on ‘Donate’, the information will be submitted via the form and will be sent to scammers so they can then use or sell the information. 

We observed that a few days after the website was created, the scammers change the site code so that it became a Mcdonald’s phishing site targeting the Arab Emirates. This was a surprising change in tactics. 

The heatmap below shows the detections McAfee has observed around the world for the malicious sites mentioned in this blog. 

Conclusion 

How to identify a phishing email? 

Look for the domain from where you received mail, attackers masquerade it. 
Use McAfee Web Advisor as this prevents you from accessing malicious sites 
If McAfee Web Advisor is not used, links can be manually checked at https://trustedsource.org/. 
Perform a Web Search of any crypto wallet addresses. If the search returns no or a low number of hits it is likely fraudulent. 
Check for poor grammar and suspicious logos  
For more detailed advice please visit McAfee’s How to recognize and protect yourself from phishing page (https://service.mcafee.com/?locale=en-CA&articleId=TS101810&page=shell&shell=article-view 

How to identify phishing websites? 

Use McAfee Web Advisor as this prevents you from accessing malicious sites 
Look at the URL of the website which you are visiting and make sure it is correct. Look for alterations such as logln-paypal.com instead of login.paypal.com 
If you are unsure that the website is legitimate. Perform a Web search of the URL. You will find many results If they are genuine. If the search returns no or a low number of hits it is likely fraudulent 
Hyperlinks and site addresses that do not match the sender – Hover your mouse over the hyperlink or call-to-action button in the email. Is the address shortened or is it different from what you would expect from the sender? It may be a spoofed address from the 
Verify if the URL and Title of the page match. Such as the website, razonforukraine[.]com with a title reading “McDonald’s Delivery” 

For general cyber scam, education click here (https://www.mcafee.com/consumer/en-us/landing-page/retention/scammer-education.html) 

McAfee customers are protected against the malicious sites detailed in this blog as they are blocked with McAfee Web Advisor 

 

Type 
Value 
Product 
Detected 

URL – Phishing Sites  
ukrainehelp[.]world 
McAfee WebAdvisor  
Blocked 

URL – Phishing Sites  
ukrainethereum[.]com 
McAfee WebAdvisor  
Blocked 

URL – Phishing Sites  
unitedhelpukraine[.]kiev[.]ua/ 
McAfee WebAdvisor  
Blocked 

URL – Phishing Sites  
donationukraine[.]io/donate 
McAfee WebAdvisor  
Blocked 

URL – Phishing Sites  
help-ukraine-compaign[.]com/shop 
McAfee WebAdvisor  
Blocked 

URL – Phishing Sites  
ukrainebitcoin[.]online/ 
McAfee WebAdvisor  
Blocked 

URL – Phishing Sites  
ukrainedonation[.]org/donate 
McAfee WebAdvisor  
Blocked 

URL – Phishing Sites  
ukrainewar[.]support 
McAfee WebAdvisor  
Blocked 

URL – Phishing Sites  
sendhelptoukraine[.]com 
McAfee WebAdvisor  
Blocked 

URL – Phishing Sites  
worldsupportukraine[.]com 
McAfee WebAdvisor  
Blocked 

URL – Phishing Sites  
paytoukraine[.]space 
McAfee WebAdvisor  
Blocked 

URL – Phishing Sites  
razonforukraine[.]com 
McAfee WebAdvisor  
Blocked 

 

The post Scammers are Exploiting Ukraine Donations appeared first on McAfee Blog.

Read More

AcidRain Wiper Suspected in Satellite Broadband Outage in Europe

Read Time:3 Minute, 0 Second

FortiGuard Labs is aware a report that a new wiper malware was deployed and destroyed data on modems and routers for KA-SAT satellite broadband services, resulting in service outages across Europe on February 24th, 2022. The service interruption also caused the disconnection of remote access to 5,800 wind turbines in Europe. According to security vendor SentinelOne, AcidRain wiper shares similarities with a VPNFilter stage 3 destructive plugin. The Federal Bureau of Investigation (FBI) and Department of Justice disrupted the VPNFilter botnet by seizing a domain that was part of the Command-and-Control (C2) infrastructure. The Russian-connected the Sofacy threat actor (also known as APT28, Sednit, Pawn Storm, Fancy Bear, and Tsar) is believed to have operated the VPNFilter botnet. Why is this Significant?This is significant not only because a new wiper malware was used in the attack but also because the attack caused service interruption for satellite broadband services in Europe, including Ukraine, and 5,800 wind turbines in Europe were knocked offline.Also, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FBI released a joint advisory on March 17th, 2022, warning of cyberattacks on U.S. and international satellite communication (SATCOM) networks. What Happened?According to the statement released by Viasat, a provider of KA-SAT satellite broadband services, the attack occurred in two phases.1. On February 24th, 2022, “malicious traffic were detected emanating from several SurfBeam2 and SurfBeam 2+ modems and/or associated customer premise equipment (CPE) physically located within Ukraine and serviced by one of the KA-SAT consumer-oriented network partitions. This targeted denial of service attack made it difficult for many modems to remain online.” 2. Then, the company started to observe a gradual decline of the connected modems. Subsequently, a large number of additional modems across much of Europe exited the network and they did not re-enter to the network. The statement continues as saying that the attacker gained remote access to the trusted management segment of the KA-SAT network through a misconfigured VPN appliance. The threat actor moved laterally through the network and ultimately sent “legitimate, targeted management commands on a large number of residential modems simultaneously. Specifically, these destructive commands overwrote key data in flash memory on the modems, rendering the modems unable to access the network, but not permanently unusable.”The belief is that “these destructive commands” refer to AcidRain wiper malware.What is VPNFilter malware?VPNFilter is a IoT malware that was first reported in mid-2018 and targeted home and Small Office/Home Office (SOHO) routers and Network Attached Storage (NAS) devices. The malware is not only capable of performing data exfiltration but also rendering devices completely inoperable.FortiGuard Labs published a research blog series on VPNFilter malware in 2018. See the Appendix for a link to “VPNFilter Malware – Critical Update” and “VPNFilter Update – New Attack Modules Documented”.What is the threat actor Sofacy?Sofacy is a threat actor who is believed to operate for Russian interests. The threat actor has been in operation since at least 2007 and targets a wide range of sectors including government, military and security organizations.One of the most infamous activities carried out by the Sofacy group is their alleged involvement in hacking “networks and endpoints associated with the U.S. election” in 2016, in which the FBI the US Department of Homeland Security (DHS) released a join advisory on December 29th, 2016.What is the Status of Coverage?FortiGuard Labs provides the following AV coverage against AcidRain wiper malware believed to have been used in the attack:ELF/AcidRain.A!tr

Read More

Friday Squid Blogging: Squid Migration and Climate Change

Read Time:25 Second

New research on the changing migration of the Doryteuthis opalescens as a result of climate change.

News article:

Stanford researchers have solved a mystery about why a species of squid native to California has been found thriving in the Gulf of Alaska about 1,800 miles north of its expected range: climate change.

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Read my blog posting guidelines here.

Read More

Upstart crime site woos Raid Forums orphans

Read Time:35 Second

A new crime site for hackers is positioning itself as an alternative to Raid Forums, a popular watering hole for threat actors before it was mysteriously taken down in February.

The new site, Breach Forums, was launched by an old Raid Forum hand who goes by the handle “pompompurin,” according to a blog post this week by Flashpoint, a threat intelligence company. In the welcoming thread to the forum, pompompurin stated that the new hacker community was being created as an alternative to Raid Forums.

“If RaidForums does ever return in any official capacity,” pompompurin wrote, “this forum will be closed and this domain will redirect to it.”

To read this article in full, please click here

Read More

Exiger launches data-agnostic supply chain risk platform

Read Time:55 Second

New York-based risk management company Exiger this week launched a new supply chain risk monitoring service, designed to incorporate a wide and customizeable array of data sources into its calcluations.

The company’s Supply Chain Explorer is a fully as-a-service offering – users don’t have to host it in their data centers or run it on a dedicated appliance. The idea is to track a company’s supplier network through online digital footprints, shipping data and contract information to provide a close to real-time picture of potential disruptions in the user’s supply chain.

The system works by scanning public data sources, social media, and a host of other datasets for keywords specific to companies that form part of the user’s supply chain. That data is then processed by a proprietary AI, which identifies potential impacts to the supply chain – for example, if a supplier company makes headlines for production defects or some such, the system can flag this to the user so that alternative arrangements can be made.

To read this article in full, please click here

Read More