Improper Input Validation vulnerability in ABB 800xA, Control Software for AC 800M, Control Builder Safe, Compact Product Suite – Control and I/O, ABB Base Software for SoftControl allows an attacker to cause the denial of service.
It was discovered that the update for the virt:rhel module in the RHSA-2020:4676 (https://access.redhat.com/errata/RHSA-2020:4676) erratum released as part of Red Hat Enterprise Linux 8.3 failed to include the fix for the qemu-kvm component issue CVE-2020-10756, which was previously corrected in virt:rhel/qemu-kvm via erratum RHSA-2020:4059 (https://access.redhat.com/errata/RHSA-2020:4059). CVE-2021-20295 was assigned to that Red Hat specific security regression. For more details about the original security issue CVE-2020-10756, refer to bug 1835986 or the CVE page: https://access.redhat.com/security/cve/CVE-2020-10756.
It was found in OpenShift Container Platform 4 that ignition config, served by the Machine Config Server, can be accessed externally from clusters without authentication. The MCS endpoint (port 22623) provides ignition configuration used for bootstrapping Nodes and can include some sensitive data, e.g. registry pull secrets. There are two scenarios where this data can be accessed. The first is on Baremetal, OpenStack, Ovirt, Vsphere and KubeVirt deployments which do not have a separate internal API endpoint and allow access from outside the cluster to port 22623 from the standard OpenShift API Virtual IP address. The second is on cloud deployments when using unsupported network plugins, which do not create iptables rules that prevent to port 22623. In this scenario, the ignition config is exposed to all pods within the cluster and cannot be accessed externally.
A flaw was found in darkhttpd. Invalid error handling allows remote attackers to cause denial-of-service by accessing a file with a large modification date. The highest threat from this vulnerability is to system availability.
Sensitive information can be obtained through the handling of serialized data. The issue results from the lack of proper authentication required to query the server
It was observed that while login into Business-central console, HTTP request discloses sensitive information like username and password when intercepted using some tool like burp suite etc.
Posted by Murat Aydemir on Apr 01
*I. SUMMARY*
Title: [CVE-2022-2623] Barco Control Room Management Suite File Path
Traversal Vulnerability
Product: Barco Control Room Management Suite before 2.9 build 0275 and all
prior versions
Vulnerability Type: File Path Traversal
Credit by/Researcher: Murat Aydemir from Accenture Cyber Security Team
(Prague CFC)
Contact: https://twitter.com/mrtydmr75
Github: https://github.com/murataydemir
*II. CVE REFERENCE, CVSS SCORES &…
Authored by Vallabh Chole and Oliver Devane
Scammers are very quick at reacting to current events, so they can generate ill-gotten gains. It comes as no surprise that they exploited the current events in Ukraine, and when the Ukrainian Twitter account tweeted Bitcoin and Ethereum wallet addresses for donations we knew that scammers would use this as a lure for their victims.
This blog covers some of the malicious sites and emails McAfee has observed in the past few weeks.
A crypto donation scam occurs when perpetrators create phishing websites and emails that contain cryptocurrency wallets asking for donations. We have observed several new domains being created which perform this malicious activity, such as ukrainehelp[.]world and ukrainethereum[.]com.
Below is a screenshot of Ukrainehelp[.]world, which is a phishing site asking for crypto donations for UNICEF. The website contains the BBC logo and several crypto wallet addresses.
While investigating this site, we observed that the Ethereum wallet used use was also associated with an older crypto scam site called eth-event20.com. The image below shows the current value of the crypto wallet which is worth $114,000. Interestingly this wallet transfers all its coins to 0xc95eb2aa75260781627e7171c679a490e2240070 which in turn transfers to 0x45fb09468b17d14d2b9952bc9dcb39ee7359e64d. The final wallet currently has 313 ETH which is worth over $850,000. This shows the large sums of money scammers can generate with phishing sites.
Ukrainethereum[.]com is another crypto scam site, but what makes this one interesting is the features it contains to gain the victim’s confidence in trusting the website such as a fake chatbox and a fake donation verifier.
The image above shows the chatbox on the left-hand side which displays several messages. At first glance, it would appear as if other users are on the website and talking, but when you reload the site it shows the same messages. This is due to the chat messages being displayed from a list that is used to populate the website with JavaScript code as shown on the right-hand side.
The site contains a donation checker so the victim can see if their donation was received, as shown below.
The first image on left shows the verification box for donation to check if it is completed or not
Upon clicking ‘Check’ the victim is shown a message to say the donation was received.
What occurs, is upon clicking ‘Check’ the JavaScript code changes the website code so that it displays the ‘Thanks!’ message, and no actual check is performed.
The following image shows one of the examples of phish emails we have observed.
The email is not addressed to anyone specifically as they are mass-mailed to multiple email addresses. The wallet IDs in the email are not associated with the official Ukraine Twitter and are owned by scammers. As you can see in the image above, they are similar as the first 3 characters are the same. This could lead to some users believing it is legitimate. Therefore, it’s important to check that the wallet address is identical.
This is the most common type of phishing website. The goal of these sites it entices the victim into entering their credit card and personally identifiable information (PII) data by making them believe that the site being visited is official. This section contains details on one such website we have found using Ukraine donations as a lure.
The image below shows the phishing site. The website was used to save the children’s NGO links and images, which made it appear more genuine. You can see that is it asking the victim to enter their credit card and billing information.
Once the data is entered, and the victim clicks on ‘Donate’, the information will be submitted via the form and will be sent to scammers so they can then use or sell the information.
We observed that a few days after the website was created, the scammers change the site code so that it became a Mcdonald’s phishing site targeting the Arab Emirates. This was a surprising change in tactics.
The heatmap below shows the detections McAfee has observed around the world for the malicious sites mentioned in this blog.
Look for the domain from where you received mail, attackers masquerade it.
Use McAfee Web Advisor as this prevents you from accessing malicious sites
If McAfee Web Advisor is not used, links can be manually checked at https://trustedsource.org/.
Perform a Web Search of any crypto wallet addresses. If the search returns no or a low number of hits it is likely fraudulent.
Check for poor grammar and suspicious logos
For more detailed advice please visit McAfee’s How to recognize and protect yourself from phishing page (https://service.mcafee.com/?locale=en-CA&articleId=TS101810&page=shell&shell=article-view)
Use McAfee Web Advisor as this prevents you from accessing malicious sites
Look at the URL of the website which you are visiting and make sure it is correct. Look for alterations such as logln-paypal.com instead of login.paypal.com
If you are unsure that the website is legitimate. Perform a Web search of the URL. You will find many results If they are genuine. If the search returns no or a low number of hits it is likely fraudulent
Hyperlinks and site addresses that do not match the sender – Hover your mouse over the hyperlink or call-to-action button in the email. Is the address shortened or is it different from what you would expect from the sender? It may be a spoofed address from the
Verify if the URL and Title of the page match. Such as the website, razonforukraine[.]com with a title reading “McDonald’s Delivery”
For general cyber scam, education click here (https://www.mcafee.com/consumer/en-us/landing-page/retention/scammer-education.html)
McAfee customers are protected against the malicious sites detailed in this blog as they are blocked with McAfee Web Advisor
Type
Value
Product
Detected
URL – Phishing Sites
ukrainehelp[.]world
McAfee WebAdvisor
Blocked
URL – Phishing Sites
ukrainethereum[.]com
McAfee WebAdvisor
Blocked
URL – Phishing Sites
unitedhelpukraine[.]kiev[.]ua/
McAfee WebAdvisor
Blocked
URL – Phishing Sites
donationukraine[.]io/donate
McAfee WebAdvisor
Blocked
URL – Phishing Sites
help-ukraine-compaign[.]com/shop
McAfee WebAdvisor
Blocked
URL – Phishing Sites
ukrainebitcoin[.]online/
McAfee WebAdvisor
Blocked
URL – Phishing Sites
ukrainedonation[.]org/donate
McAfee WebAdvisor
Blocked
URL – Phishing Sites
ukrainewar[.]support
McAfee WebAdvisor
Blocked
URL – Phishing Sites
sendhelptoukraine[.]com
McAfee WebAdvisor
Blocked
URL – Phishing Sites
worldsupportukraine[.]com
McAfee WebAdvisor
Blocked
URL – Phishing Sites
paytoukraine[.]space
McAfee WebAdvisor
Blocked
URL – Phishing Sites
razonforukraine[.]com
McAfee WebAdvisor
Blocked
The post Scammers are Exploiting Ukraine Donations appeared first on McAfee Blog.
FortiGuard Labs is aware a report that a new wiper malware was deployed and destroyed data on modems and routers for KA-SAT satellite broadband services, resulting in service outages across Europe on February 24th, 2022. The service interruption also caused the disconnection of remote access to 5,800 wind turbines in Europe. According to security vendor SentinelOne, AcidRain wiper shares similarities with a VPNFilter stage 3 destructive plugin. The Federal Bureau of Investigation (FBI) and Department of Justice disrupted the VPNFilter botnet by seizing a domain that was part of the Command-and-Control (C2) infrastructure. The Russian-connected the Sofacy threat actor (also known as APT28, Sednit, Pawn Storm, Fancy Bear, and Tsar) is believed to have operated the VPNFilter botnet. Why is this Significant?This is significant not only because a new wiper malware was used in the attack but also because the attack caused service interruption for satellite broadband services in Europe, including Ukraine, and 5,800 wind turbines in Europe were knocked offline.Also, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FBI released a joint advisory on March 17th, 2022, warning of cyberattacks on U.S. and international satellite communication (SATCOM) networks. What Happened?According to the statement released by Viasat, a provider of KA-SAT satellite broadband services, the attack occurred in two phases.1. On February 24th, 2022, “malicious traffic were detected emanating from several SurfBeam2 and SurfBeam 2+ modems and/or associated customer premise equipment (CPE) physically located within Ukraine and serviced by one of the KA-SAT consumer-oriented network partitions. This targeted denial of service attack made it difficult for many modems to remain online.” 2. Then, the company started to observe a gradual decline of the connected modems. Subsequently, a large number of additional modems across much of Europe exited the network and they did not re-enter to the network. The statement continues as saying that the attacker gained remote access to the trusted management segment of the KA-SAT network through a misconfigured VPN appliance. The threat actor moved laterally through the network and ultimately sent “legitimate, targeted management commands on a large number of residential modems simultaneously. Specifically, these destructive commands overwrote key data in flash memory on the modems, rendering the modems unable to access the network, but not permanently unusable.”The belief is that “these destructive commands” refer to AcidRain wiper malware.What is VPNFilter malware?VPNFilter is a IoT malware that was first reported in mid-2018 and targeted home and Small Office/Home Office (SOHO) routers and Network Attached Storage (NAS) devices. The malware is not only capable of performing data exfiltration but also rendering devices completely inoperable.FortiGuard Labs published a research blog series on VPNFilter malware in 2018. See the Appendix for a link to “VPNFilter Malware – Critical Update” and “VPNFilter Update – New Attack Modules Documented”.What is the threat actor Sofacy?Sofacy is a threat actor who is believed to operate for Russian interests. The threat actor has been in operation since at least 2007 and targets a wide range of sectors including government, military and security organizations.One of the most infamous activities carried out by the Sofacy group is their alleged involvement in hacking “networks and endpoints associated with the U.S. election” in 2016, in which the FBI the US Department of Homeland Security (DHS) released a join advisory on December 29th, 2016.What is the Status of Coverage?FortiGuard Labs provides the following AV coverage against AcidRain wiper malware believed to have been used in the attack:ELF/AcidRain.A!tr
New research on the changing migration of the Doryteuthis opalescens as a result of climate change.
News article:
Stanford researchers have solved a mystery about why a species of squid native to California has been found thriving in the Gulf of Alaska about 1,800 miles north of its expected range: climate change.
As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.
Read my blog posting guidelines here.
