Cybersecurity 🔐 And Much More Newsletter 📪 Vol. 3 Num. 07
Greetings, friends.
Welcome to my newsletter, if you are not yet subscribed, please do. It might include books, articles, tech, tips, and cool stuff about cybersecurity.
Enjoy!
What’s Happening
🚨 New Mirai Botnet Variant Exploiting Linux and IoT Devices
A new variant of the notorious Mirai botnet has been found leveraging several security vulnerabilities to propagate itself to Linux and IoT devices.
Observed during the second half of 2022, the new version has been dubbed V3G4 by Palo Alto Networks Unit 42, which identified three different campaigns likely conducted by the same threat actor.
“Once the vulnerable devices are compromised, they will be fully controlled by attackers and become a part of the botnet,” Unit 42 researchers said. “The threat actor has the capability to utilize those devices to conduct further attacks, such as distributed denial-of-service (DDoS) attacks.”
The attacks primarily single out exposed servers and networking devices running Linux, with the adversary weaponizing as many as 13 flaws that could lead to remote code execution (RCE).
Some of the notable flaws relate to critical flaws in Atlassian Confluence Server and Data Center, DrayTek Vigor routers, Airspan AirSpot, and Geutebruck IP cameras, among others. The oldest flaw in the list is CVE-2012–4869, an RCE bug in FreePBX.
Following a successful compromise, the botnet payload is retrieved from a remote server using the wget and cURL utilities.
🕷️ GoDaddy Discloses Multi-Year Security Breach
Web hosting services provider GoDaddy on Friday disclosed a multi-year security breach that enabled unknown threat actors to install malware and siphon source code related to some of its services.
The company attributed the campaign to a “sophisticated and organized group targeting hosting services.”
GoDaddy said in December 2022, it received an unspecified number of customer complaints about their websites getting sporadically redirected to malicious sites, which it later found was due to the unauthorized third party gaining access to servers hosted in its cPanel environment.
The threat actor “installed malware causing the intermittent redirection of customer websites,” the company said.
The ultimate objective of the intrusions, GoDaddy said, is to “infect websites and servers with malware for phishing campaigns, malware distribution, and other malicious activities.”
In a related 10-K filing with the U.S. Securities and Exchange Commission (SEC), the company said the December 2022 incident is connected to two other security events it encountered in March 2020 and November 2021.
The 2020 breach entailed the compromise of hosting login credentials of about 28,000 hosting customers and a small number of its personnel.
Then in 2021, GoDaddy said a rogue actor used a compromised password to access a provisioning system in its legacy code base for Managed WordPress (MWP), affecting close to 1.2 million active and inactive MWP customers across multiple GoDaddy brands.
🤖 Critical Bugs in Schneider Electric Modicon PLCs
Security researchers have disclosed two new vulnerabilities affecting Schneider Electric Modicon programmable logic controllers (PLCs) that could allow for authentication bypass and remote code execution.
The flaws, tracked as CVE-2022–45788 (CVSS score: 7.5) and CVE-2022–45789 (CVSS score: 8.1), are part of a broader collection of security defects tracked by Forescout as OT:ICEFALL.
Successful exploitation of the bugs could enable an adversary to execute unauthorized code, denial-of-service, or disclosure of sensitive information.
The cybersecurity company said the shortcomings can be chained by a threat actor with known flaws from other vendors (e.g., CVE-2021–31886) to achieve deep lateral movement in operational technology (OT) networks.
🦠 Critical Vulnerability Discovered in ClamAV Antivirus
Cisco has rolled out security updates to address a critical flaw reported in the ClamAV open source antivirus engine that could lead to remote code execution on susceptible devices.
Tracked as CVE-2023–20032 (CVSS score: 9.8), the issue relates to a case of remote code execution residing in the HFS+ file parser component.
The flaw affects versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier. Google security engineer Simon Scannell has been credited with discovering and reporting the bug.
“This vulnerability is due to a missing buffer size check that may result in a heap buffer overflow write,” Cisco Talos said in an advisory. “An attacker could exploit this vulnerability by submitting a crafted HFS+ partition file to be scanned by ClamAV on an affected device.”
Successful exploitation of the weakness could enable an adversary to run arbitrary code with the same privileges as that of the ClamAV scanning process, or crash the process, resulting in a denial-of-service (DoS) condition.
🏴☠️ Hackers Using Google Ads to Spread Malware
Chinese-speaking individuals in Southeast and East Asia are the targets of a new rogue Google Ads campaign that delivers remote access trojans such as FatalRAT to compromised machines.
The attacks involve purchasing ad slots to appear in Google search results and direct users looking for popular applications to rogue websites hosting trojanized installers, ESET said in a report published today. The ads have since been taken down.
Some of the spoofed applications include Google Chrome, Mozilla Firefox, Telegram, WhatsApp, LINE, Signal, Skype, Electrum, Sogou Pinyin Method, Youdao, and WPS Office.
“The websites and installers downloaded from them are mostly in Chinese and in some cases falsely offer Chinese language versions of software that is not available in China,” the Slovak cybersecurity firm said, adding it observed the attacks between August 2022 and January 2023.
A majority of the victims are located in Taiwan, China, and Hong Kong, followed by Malaysia, Japan, the Philippines, Thailand, Singapore, Indonesia, and Myanmar. The attackers’ end goals are unclear as yet.
👾 Fortinet Issues Patches for 40 Vulnerabilities
Fortinet has released security updates to address 40 vulnerabilities in its software lineup, including FortiWeb, FortiOS, FortiNAC, and FortiProxy, among others.
Two of the 40 flaws are rated Critical, 15 are rated High, 22 are rated Medium, and one is rated Low in severity.
Top of the list is a severe bug residing in the FortiNAC network access control solution (CVE-2022–39952, CVSS score: 9.8) that could lead to arbitrary code execution.
“An external control of file name or path vulnerability [CWE-73] in FortiNAC web server may allow an unauthenticated attacker to perform arbitrary write on the system,” Fortinet said.
The products impacted by the vulnerability are as follows -
- FortiNAC version 9.4.0
- FortiNAC version 9.2.0 through 9.2.5
- FortiNAC version 9.1.0 through 9.1.7
- FortiNAC 8.8 all versions
- FortiNAC 8.7 all versions
- FortiNAC 8.6 all versions
- FortiNAC 8.5 all versions, and
- FortiNAC 8.3 all versions
🐦 Twitter Limits SMS-Based 2FA to Blue Subscribers Only
Twitter has announced that it’s limiting the use of SMS-based two-factor authentication (2FA) to its Blue subscribers.
“While historically a popular form of 2FA, unfortunately we have seen phone-number based 2FA be used — and abused — by bad actors,” the company said.
“We will no longer allow accounts to enroll in the text message/SMS method of 2FA unless they are Twitter Blue subscribers.”
Twitter users who have not subscribed to Blue that have enrolled for SMS-based 2FA have time till March 20, 2023, to switch to an alternative method such as an authenticator app or a hardware security key.
After this cutoff date, non-Twitter Blue subscribers will have their option disabled.
👾 Researchers Hijack Popular NPM Package with Millions of Downloads
A popular npm package with more than 3.5 million weekly downloads has been found vulnerable to an account takeover attack.
“The package can be taken over by recovering an expired domain name for one of its maintainers and resetting the password,” software supply chain security company Illustria said in a report.
While npm’s security protections limit users to have only one active email address per account, the Israeli firm said it was able to reset the GitHub password using the recovered domain.
The attack, in a nutshell, grants a threat actor access to the package’s associated GitHub account, effectively making it possible to publish trojanized versions to the npm registry that can be weaponized to conduct supply chain attacks at scale.
This is achieved by taking advantage of a GitHub Action that’s configured in the repository to automatically publish the packages when new code changes are pushed.
“Even though the maintainer’s npm user account is properly configured with [two-factor authentication], this automation token bypasses it,” Bogdan Kortnov, co-founder and CTO of Illustria, said.
Security Bites
👋 Tips — 🔐 Security — Why Companies Fail at Security?
In today’s digital age, cybersecurity has become a crucial aspect of every business, big or small. However, despite the increased awareness and attention given to cybersecurity, many companies still fail at implementing a robust and effective security system. In this article, we will discuss why companies fail at security and how they can improve their approach.
Ignoring the Basics
One of the primary reasons why companies fail at security is because they ignore the basics. This includes failing to update software, use strong passwords, and implement two-factor authentication. Many businesses overlook these essential security practices and assume that they are not vulnerable to cyber-attacks. However, ignoring these basics can leave the company’s network and data vulnerable to exploitation by cybercriminals.
Not Educating the Users
Another common mistake that companies make is not educating their employees on cybersecurity best practices. Cyber-attacks often target unsuspecting employees through phishing scams and social engineering tactics. If employees are not aware of the risks and how to prevent them, they may inadvertently compromise the company’s security. Therefore, it is essential to educate all employees on the basics of cybersecurity and how to identify and report suspicious activity.
Not Having Visibility of Their Assets
Many companies fail to have complete visibility of their assets, including hardware, software, and data. Without proper asset management, it becomes challenging to identify vulnerabilities, determine what needs to be secured, and monitor for suspicious activity. Companies need to conduct regular audits and scans to ensure they have a comprehensive inventory of all their assets, including those on-premises and in the cloud.
Failing at Prioritizing Risks
In the cybersecurity landscape, not all risks are equal. Companies need to prioritize their risks based on the potential impact they could have on the business. For example, a vulnerability that allows attackers to gain access to sensitive data should take precedence over a less critical issue. Companies that fail to prioritize their risks can waste resources and leave themselves vulnerable to severe threats.
Focusing on Preventive Controls, not Detection and Alerting
Lastly, companies often focus on preventive controls such as firewalls and antivirus software, neglecting detection and alerting systems. While preventive controls are essential, they can’t stop all attacks. Companies need to implement detection and alerting systems that can quickly identify and respond to potential security incidents. This way, they can mitigate the damage and prevent the attack from spreading.
Conclusion
In conclusion, companies that ignore the basics, fail to educate their users, lack visibility of their assets, fail to prioritize risks, and focus only on preventive controls, are more vulnerable to cyber-attacks. It’s essential for businesses to implement a comprehensive security system that addresses these issues to mitigate the risks of a cyber-attack. By prioritizing cybersecurity and taking a proactive approach, companies can protect their data, their customers, and their reputation.
My Favorites
📚 Books — The First 20 Hours: How to Learn Anything… Fast! by Josh Kaufman
Take a moment to consider how many things you want to learn to do. What’s on your list? What’s holding you back from getting started? Are you worried about the time and effort it takes to acquire new skills — time you don’t have and effort you can’t spare?
Research suggests it takes 10,000 hours to develop a new skill. In this nonstop world when will you ever find that much time and energy?
To make matters worse, the early hours of practicing something new are always the most frustrating. That’s why it’s difficult to learn how to speak a new language, play an instrument, hit a golf ball, or shoot great photos. It’s so much easier to watch TV or surf the web…
In The First 20 Hours, Josh Kaufman offers a systematic approach to rapid skill acquisition: how to learn any new skill as quickly as possible. His method shows you how to deconstruct complex skills, maximize productive practice, and remove common learning barriers. By completing just 20 hours of focused, deliberate practice you’ll go from knowing absolutely nothing to performing noticeably well.
This method isn’t theoretical: it’s field-tested. Kaufman invites readers to join him as he field tests his approach by learning to program a Web application, play the ukulele, practice yoga, re-learn to touch type, get the hang of windsurfing, and study the world’s oldest and most complex board game.
📚 Books — Linux Basics for Hackers: Getting Started with Networking, Scripting, and Security in Kali by Author by OccupyTheWeb
If you’re getting started along the exciting path of hacking, cybersecurity, and pentesting, Linux Basics for Hackers is an excellent first step. Using Kali Linux, an advanced penetration testing distribution of Linux, you’ll learn the basics of using the Linux operating system and acquire the tools and techniques you’ll need to take control of a Linux environment.
First, you’ll learn how to install Kali on a virtual machine and get an introduction to basic Linux concepts. Next, you’ll tackle broader Linux topics like manipulating text, controlling file and directory permissions, and managing user environment variables. You’ll then focus in on foundational hacking concepts like security and anonymity and learn scripting skills with bash and Python. Practical tutorials and exercises throughout will reinforce and test your skills as you learn how to:
- Cover your tracks by changing your network information and manipulating the rsyslog logging utility
- Write a tool to scan for network connections, and connect and listen to wireless networks
- Keep your internet activity stealthy using Tor, proxy servers, VPNs, and encrypted email
- Write a bash script to scan open ports for potential targets
- Use and abuse services like MySQL, Apache web server, and OpenSSH
- Build your own hacking tools, such as a remote video spy camera and a password cracker
Hacking is complex, and there is no single way in. Why not start at the beginning with Linux Basics for Hackers?
🎙 Podcast — From the Vault: “The Birth of American Propaganda” — A Conversation on Manipulating the Masses with John Hamilton
When the Committee on Public Information was created in April of 1917, the United States was but one week into the first World War. In fact, the Selective Service Act would not come about for another month after the organization of the CPI. Why was Woodrow Wilson so quick to establish a system of control over public opinion, and how successful was this endeavor?
To answer these questions and more, author John Hamilton joins Andrew in a conversation about how propaganda and manipulation were used as a covert tactic during WWI and beyond. As John notes, “everything that’s done today can be traced to the CPI.” (Link)
Quote of the Week
“You may not like the enemy, but the enemy and you are doing the same thing to manipulate people’s attitudes. And while you may think you have a just cause, your means are quite often the same — Right down to lying, and manipulation and coercion.” — John Hamilton.