This vulnerability allows remote attackers to execute arbitrary code on affected installations of Parse Server. Authentication is not required to exploit this vulnerability.
Daily Archives: November 15, 2022
ZDI-22-1591: Parse Server buildUpdatedObject Prototype Pollution Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Parse Server. Authentication is required to exploit this vulnerability.
ZDI-22-1592: Parse Server _expandResultOnKeyPath Prototype Pollution Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Parse Server. Authentication is required to exploit this vulnerability.
Somnia Ransomware Targets Ukraine
FortiGuard Labs is aware of a report that a new ransomware “Somnia” was observed in attacks against Ukraine. Somnia ransomware was deployed as a final payload in multiple staged attacks involving a fake IP scanner, Vidar stealer, and Cobalt Strike. The attack was attributed to FRwL (aka Z-Team, UAC-0118).Why is this Significant?This is significant because Somnia is the latest ransomware that reportedly targets Ukrainian interests. Other ransomware variants that previously targeted Ukraine include are but not restricted to Prestige, AcidRain, DoubleZero, CaddyWiper, IssacWiper, HermeticWiper, and WhisperGate.How was Somnia Ransomware Distributed?Somnia ransomware was reportedly distributed in an attack chain that goes through multiple stages. First, the attacker creates a fake Advanced IP Scanner Web site in an attempt to trick Ukrainian organizations into downloading and installing Vidar stealer disguised as “Advanced IP Scanner” installer. Once a victim’s machine is compromised by Vidar stealer, it tries to steal Telegram’s session data, which is then used to compromise VPN connections giving the attacker access to the victim’s network. Cobalt Strike was seen deployed to the compromised network. Reportedly Rсlone, Anydesk, and Ngrok were observed for data exfiltration. Finally, Somnia ransomware deployed to encrypt files on the compromised machines.What is Somnia Ransomware?Somnia is a ransomware that encrypts files on compromised machines. According to CERT-UA, there are two different types of Somnia ransomware; the one uses 3DES algorithm for file encryption and the other uses the AES algorithm. The affected files have a “.somnia” file extension.Somnia ransomware targets and encrypts files with the following extensions:File extensions targeted by Somnia ransomware (screenshot taken from a CERT-UA report)Since Somnia ransomware does not drop any ransom note and attacker’s contact information, victims will likely will not be able to decrypt the encrypted files.What is the Status of Protection?While Somnia ransomware samples are not publicly available, FortiGuard Labs detect the fake Advanced IP Scanner used as initial infection vector with the following AV signature:• W32/PossibleThreatReported network IOCs are blocked by Webfiltering.
Emotet Distributed Through U.S. Election Themed Link Files
FortiGuard Labs has discovered that Emotet was recently delivered through an archive file that has a file name targeting those interested in the U.S. midterm elections. The archive file is “US midterm elections The six races that could decide the US Senate.zip” that has a link file with the same name, which leads to Emotet.Why is this Significant?This is significant because Emotet is trying to leverage the interest of the U.S. midterm elections for infection. While FortiGuard Labs has not observed the infection vector, the file name “US midterm elections The six races that could decide the US Senate.zip” was likely distributed via emails. “The six races” likely refers to Arizona, Georgia, Michigan, Nevada, Pennsylvania, and Wisconsin where Democrats and Republican are expected to have close race in the elections, which gives better chance that recipients will open the archive contents. Emotets’ modus operandi includes distribution via malicious spam campaigns and thread hijacking of emails.What’s in “US midterm elections The six races that could decide the US Senate.zip”?The zip file contains a link file named “US midterm elections The six races that could decide the US Senate.lnk”. When the link file is executed, it drops a further script in %tmp% that will attempt to cycle through several URLs to download a Emotet DLL.The downloaded Emotet connects to C2 server and will likely deliver additional malware.FortiGuard Labs discovered that the same script is present in other link files “New York Election news and updates….lnk” and “Amazon warns of slower sales as economy weakens.lnk” that were submitted to VirusTotal at the end of October and beginning of November respectively.What is the Status of Protection?FortiGuard Labs provides the following AV signatures for the archive and link file involved in the attack:• LNK/Agent.AMY!tr.dldr• PossibleThreat.PALLAS.HC2 address is blocked by FortiGuard Webfiltering Client.
USN-5722-1: nginx vulnerabilities
It was discovered that nginx incorrectly handled certain memory operations in
the ngx_http_mp4_module module. A local attacker could possibly use this issue
with a specially crafted mp4 file to cause nginx to crash, stop responding, or
access arbitrary memory. (CVE-2022-41741, CVE-2022-41742)
python3.7-3.7.15-2.fc35
FEDORA-2022-760d1eac9b
Packages in this update:
python3.7-3.7.15-2.fc35
Update description:
Security fix for CVE-2022-37454
The Medibank Data Breach – Steps You Can Take to Protect Yourself
Hackers have posted another batch of stolen health records on the dark web—following a breach that could potentially affect nearly 8 million Australian Medibank customers, along with nearly 2 million more international customers.
The records were stolen in October’s reported breach at Medibank, one of Australia’s largest private health insurance providers. Given Australia’s population of almost 26 million people, close to a third of the population could find themselves affected.
The hackers subsequently issued ransomware demands with the threat of releasing the records. With their demands unmet, the hackers then started posting the records in batches, the first on November 8th and the latest dropping on November 14th.
According to Medibank, the records and information could include diagnoses, a list of conditions, and further information such as:
“[P]ersonal data such as names, addresses, dates of birth, phone numbers, email addresses, Medicare numbers for AHM customers (not expiry dates), in some cases passport numbers for our international students (not expiry dates), and some health claims data.”
Medibank continues to keep its customers up to date on the latest developments on its website and further states they will contact customers, via email and post, to clarify what has been stolen and what has been published on the dark web.
What should I do if I think my information was caught up in the Medibank breach?
Any time a data breach occurs, it means that your personal information could end up in the hands of a bad actor. In the case of Medibank, the hackers posted the stolen information on the dark web, which unfortunately means that the likelihood of a potential scammer or thief obtaining this information is a near certainty.
In light of this, there are a few steps you can take to protect yourself in the aftermath of a data breach, which involves a combination of preventative steps and some monitoring on your part.
Report unauthorised use of your information or accounts immediately
Home Affairs Minister Clare O’Neil called for Australians to “Contact Services Australia if you believe there has been unauthorised activity in your Medicare account.” Further, Australians can take the following additional steps to protect themselves in the wake of identity theft.
Keep an eye out for phishing attacks
With some personal information in hand, bad actors may seek out more. They may follow up a breach with rounds of phishing attacks that direct you to bogus sites designed to steal your personal information—either by tricking you into providing it or by stealing it without your knowledge. So as it’s always wise to keep a skeptical eye open for unsolicited messages that ask you for information in some form or other, often in ways that urge or pressure you into acting. Always look out for phishing attacks, particularly after breaches.
If you are contacted by Medibank, make certain the communication is legitimate. Bad actors may pose as Medibank to steal personal information. Do not click on links sent in emails, texts, or messages. Instead, go straight to the Medibank website or contact them by phone directly.
Change your passwords and use a password manager
While it does not appear that login information was affected, a password update is still a strong security move. Strong and unique passwords are best, which means never reusing your passwords across different sites and platforms. Using a password manager will help you keep on top of it all, while also storing your passwords securely. Moreover, changing your passwords regularly can reduce your risk in the event of a data breach. Namely, a breached password is no good to a hacker if you’ve changed it.
Enable two-factor authentication
While a strong and unique password is a good first line of defense, enabling two-factor authentication across your accounts will help your cause by providing an added layer of security. It’s increasingly common to see nowadays, where banks and all manner of online services will only allow access to your accounts after you’ve provided a one-time passcode sent to your email or smartphone. If your accounts support two-factor authentication, enable it.
Consider using identity monitoring
An identity monitoring service can monitor everything from email addresses to credit cards, bank account numbers and phone numbers for signs of breaches so you can take action to secure your accounts before they’re used for identity theft. Personal information harvested from data breaches can end up on dark web marketplaces where it’s bought by other bad actors so they can launch their own attacks. McAfee’s identity monitoring service helps you keep an eye on your personal info and provides alerts if your data is found, averaging 10 months ahead of similar services.
Check your credit and consider a credit freeze
When personal information gets released, there’s a chance that a hacker, scammer, or thief will put it to use. This may include committing fraud, where they draw funds from existing accounts, and theft, where they create new accounts in your name. This may include identity theft, where someone pretends to be you, generally to gain access to more information or services, and may escalate to identity fraud, where funds are stolen from your account.
Another step that customers can take is to place a credit freeze on their credit reports with the major credit agencies in Australia— Equifax, illion, and Experian. This will help prevent bad actors from opening new lines of credit or take out loans in your name by “freezing” your credit report so that potential creditors cannot pull it for reference. Terms of freezing a credit report will vary, so check with each agency for details.
Consider using comprehensive online protection
A complete suite of online protection software can offer layers of extra security. Identity thieves generally focus on easy targets to save time. Elevated security across the majority of your data can make you a far more difficult target. In addition to more private and secure time online with a VPN, identity monitoring, and password management, this includes web browser protection that can block malicious and suspicious links that could lead you down the road to malware or a phishing scam—which antivirus protection can’t do alone. Additionally, McAfee offers support from a licensed recovery pro who can help you restore your credit, just in case.
Should I replace my driver’s licence?
Per Medibank, some victims of the breach may have had their driver’s licence number exposed. Given that a licence number is such a unique piece of personally identifiable information, anyone notified by Medibank that theirs may have been affected should strongly consider changing them. The process for replacing a licence document will vary depending on your state or territory.
The recent Optus breach of September 2022 saw some states and territories propose making exceptions to the rules for attack victims, so look to your local government for guidance.
The Medibank data breach – you have ways to protect yourself
Not all data breaches make the news. Businesses and organizations, large and small, have all fallen victim to them, and with regularity. The measures you can take here are measures you can take even if you don’t believe you were caught up in the Medibank breach.
However, you have every reason to act now rather than wait for additional news. Staying on top of our credit and identity has always been important, but given all the devices, apps, and accounts we keep these days leaves us more exposed than ever, which makes protection a must.
The post The Medibank Data Breach – Steps You Can Take to Protect Yourself appeared first on McAfee Blog.
DSA-5281 nginx – security update
It was discovered that parsing errors in the mp4 module of Nginx, a
high-performance web and reverse proxy server, could result in denial
of service, memory disclosure or potentially the execution of arbitrary
code when processing a malformed mp4 file.
DSA-5280 grub2 – security update
Several issues were found in GRUB2’s font handling code, which could
result in crashes and potentially execution of arbitrary code. These
could lead to by-pass of UEFI Secure Boot on affected systems.