Cybersecurity 🔐 And Much More Newsletter 📪 — Week 22 (2022)
Welcome to my weekly newsletter. If you are not yet subscribed, please do. It might include books, articles, tech, tips, and of course interesting stuff about cybersecurity.
📰 CISA’s Exploited Vulnerabilities 🚨 🚨 🚨
It’s true that some zero-days and critical vulnerabilities surfaced in May and early June, but it’s definitely not a reason to forget about the elephant in the room and ignore the known exploited vulnerabilities on CISA’s list. In fact, there are 75+ actively exploited vulnerabilities on the must-patch list.
Check out CISA’s list of known vulnerabilities.
👾 Atlassian Zero-Day Exploited in the Wild
A zero-day remote code execution (RCE) vulnerability (CVE-2022-26134) in Atlassian Confluence Server and Data Center is being exploited in the wild. Atlassian has been made aware of current active exploitation of a critical-severity unauthenticated remote code execution vulnerability in Confluence Data Center and Server. The OGNL injection vulnerability allows an unauthenticated user to execute arbitrary code on a Confluence Server or Data Center instance. Note: Confluence is web-based software used for workspace collaboration. It can be deployed on-premise or as part of Atlassian Cloud.
👾 GitLab Critical vulnerability
GitLab addressed a critical (CVSS score 9.9) vulnerability (CVE-2022-1680) that can be exploited by attackers to take over users’ accounts. The recommendation is to upgrade immediately to the latest version.
Here are the seven flaws related to this vulnerability:
- Account takeover via SCIM email change [Critical]: When group SAML SSO is configured, the SCIM feature (available only on Premium+ subscriptions) may allow any owner of a Premium group to invite arbitrary users through their username and email, then change those users’ email addresses via SCIM to an attacker-controlled email address and thus, in the absence of 2FA, take over those accounts.
- Quick action commands susceptible to XSS [High]: Missing validation of input used in quick actions allowed an attacker to exploit XSS by injecting HTML in contact details.
- IP allowlist bypass when using Trigger tokens [Medium]: allowed an attacker already in possession of a valid Project Trigger Token to misuse it from any location even when IP address restrictions were configured.
- IP allowlist bypass when using Project Deploy Tokens [Medium]: allowed an attacker already in possession of a valid Project Deploy Token to misuse it from any location even when IP address restrictions were configured.
- Improper Authorization in the Interactive web Terminal [Medium]: allows users with the Developer role to open terminals on other Developers’ running jobs.
- Subgroup members can list members of the parent groups [Medium]: It may be possible for a subgroup member to access the members’ list of their parent groups.
- Group member lock bypass [Low]: It may be possible for malicious group maintainers to add new members to a project within their group, through the REST API, even after their group owner enabled a setting to prevent members from being added to projects within that group.
You can read more about this on GitLab’s Security Advisory Blog Post.
🍎 New MacOS Browser Hijacking Campaign
The CrowdStrike Content Research team recently analyzed a macOS-targeted browser hijacking campaign that modifies the user’s browsing experience to deliver ads. Research began with a variant that uses a combination of known techniques to deliver, persist, and sideload a Chrome extension.
👾 Microsoft Office Zero-Day Vulnerability
Nao Sec researchers explain that the path to infection includes the malicious template loading an exploit via a hypertext markup language (HTML) file from a remote server.
The remote code execution (RCE) flaw, tracked as CVE-2022-3019, is associated with the Microsoft Support Diagnostic Tool (MSDT), which collects information about bugs in the company’s products and reports to Microsoft Support.
This remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, delete data, or create new accounts in the context allowed by the user’s rights.
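The infection path above starts with a document that pulls its template from a remote server. The following is an added example (not code from the newsletter or from any vendor) of a defender-side check that opens a .docx package, walks every OOXML relationship file, and flags relationships marked External whose target is a remote http/https URL or the MSDT protocol-handler scheme. The sample document it inspects is constructed in memory; `example.invalid` is a placeholder host.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Standard OOXML package relationship namespace (ECMA-376).
REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
REMOTE_SCHEMES = {"http", "https"}
# ms-msdt is the URL scheme handled by the Microsoft Support Diagnostic Tool;
# a document that references it directly is worth flagging as well.
SUSPECT_SCHEMES = {"ms-msdt"}


def find_remote_relationships(docx_bytes):
    """Return (rels_file, relationship_type, target) for every relationship
    with TargetMode="External" whose target is a remote URL or a suspect
    protocol-handler scheme. Ordinary documents rarely have any."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(name))
            for rel in root.iter(REL_NS + "Relationship"):
                if rel.get("TargetMode") != "External":
                    continue
                target = rel.get("Target", "")
                scheme = urlparse(target).scheme.lower()
                if scheme in REMOTE_SCHEMES or scheme in SUSPECT_SCHEMES:
                    rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                    findings.append((name, rel_type, target))
    return findings


def build_sample_docx(template_target):
    """Constructed sample (not a real document): a minimal .docx whose
    settings.xml.rels carries an external attachedTemplate relationship."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
        'officeDocument/2006/relationships/attachedTemplate" '
        f'Target="{template_target}" TargetMode="External"/></Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("word/document.xml", "<document/>")
        pkg.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx("http://example.invalid/template.dotm")
    for hit in find_remote_relationships(sample):
        print("FLAG: %s -> %s (%s)" % hit)
```

The same walk works for .xlsx and .pptx packages, since they share the relationship format; a template on a local path or file share is not flagged.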
🤖 Android Malware Sneakily Subscribes to Premium Services
A piece of malware named SMSFactory is adding undesired costs to victims’ phone bills by subscribing them to premium services. According to researchers from Avast, this malware has targeted Android users since May of last year in Russia, Brazil, Argentina, Turkey, and Ukraine. Not only can it easily add $300+ to your phone bill, it can also extract your contact list to spread the malware further and infect your friends and family.
🍎 Apple Blocked 1.6M Applications for Privacy Violations
In 2021, Apple protected customers from nearly $1.5 billion in potentially fraudulent transactions and stopped over 1.6 million risky and vulnerable apps and app updates from defrauding users. This was possible because of multiple factors, like:
- App Review Process
- Reviewing Fraudulent Ratings and Reviews
- Deactivating Fraudulent Accounts
- Remediating Payment and Credit Card Fraud
🦧 NFTs Theft in a Discord Server Hack
After compromising a Discord account, attackers posted a phishing scam on the Discord server and stole $250k worth of Ethereum and thirty-two NFTs.
👋 Tips — 🔐 Security — Let’s compare some VPN applications
What should you look for when shopping for personal VPN applications? Well, it depends on your priorities and usage, but it can be summarized in the following main characteristics:
- Encrypted Connections: The application uses strong encryption (e.g. AES-256), secure VPN protocols (e.g. OpenVPN, IKEv2), secure key exchange (e.g. Diffie-Hellman), new encryption keys for each session, and multi-layer encryption (e.g. encrypting data twice).
- Data Breach Monitoring: The application lets users know if their information was leaked in any recent data breach and provides best practices to mitigate the risks they may be exposed to.
- Data Protection Features: The application does not keep any logs nor monitor activities (e.g. Session length, IP Addresses, Browsing History).
- Tracking and Ad Blockers: Trackers and ads are blocked by default from being loaded by the users’ browsers. It also provides information on the websites targeting the users and what kind of information they are trying to retrieve.
- Threat Protection: The application prevents the users’ browsers from loading any malicious content when browsing risky websites.
- Server Locations: The application offers multiple locations across all continents and multiple servers per location/country.
- Privacy: The application complies with strict privacy laws and doesn’t share your data with 3rd parties and government agencies.
- Automation: The application enables VPN connection when connected to unsecured or new networks, and can also use random servers and IP addresses.
I said “shopping” for VPN applications rather than “choosing” because of the difficulty of finding a good and secure product for free. However, the list above should give you an idea of what capabilities you should be looking for.
📝 Note — 🔐 Security — Attack Surface Management (ASM)
With the rapid adoption of the cloud, we notice year after year that managing threats (vulnerability management) and attack surfaces (exposure to threats) is getting more difficult than ever. The reason is that the cloud removes the notion of a perimeter, which leaves the company’s assets exposed to the internet.
According to Verizon’s DBIR report, 13% of breaches are caused by misconfiguration. This can be seen as a human-error-related cause, but it is much more than that: it’s a lack of visibility, ignoring the basics and the best practices, and looking for the next shiny tool to acquire.
Here are some quick tips to reduce your cloud exposure:
- IAM: Define your roles based on the least privilege principle, use just-in-time access for privileged users, and of course, MFA is still a good thing to do.
- Hardening: follow the hardening guides for whatever technology you’re using. It sounds simple, doesn’t it? Well, it’s also easy if you consider it from day one.
- Inventory: you can’t protect the unknown; have an inventory of all your assets before thinking about reducing your attack surface.
- Edges: your edges are like your perimeter when using the cloud (if it is still correct to use these two in the same sentence); they are the entry point to your kingdom, so make sure you address any integrations you have with 3rd parties and prioritize any insecure protocols that might be in use.
- DevSecOps: these days, even code is in the cloud. Doing things right the first time and considering security at the early stages of your pipeline (before writing the first line of code) is a must, as are automation and continuous scanning.
📝 Note — 📡 Telco/IoT Security — Top 4 Steps in Building your 5G Security Strategy
It’s true that 5G will transform the world of telecommunication and connect billions of devices at considerably higher speed and minimal latency to empower various use cases. But it comes at a greater cost: it introduces significant risks to the global economy, nations, and individuals. These risks can be summarized in 3 major areas:
- Policies and Standards: they represent the foundation for securing 5G, but nation-states might influence them to benefit their proprietary technology. In addition, service providers might not follow all the best practices when implementing or operating 5G networks.
- Supply Chain: malicious software or hardware can be introduced into the 5G supply chain and make entire countries vulnerable to interception, manipulation, and disruption of communications and data.
- Architecture: 5G networks will have an immense attack surface, not only because of their complexity but also because of their overlap with older technologies like 4G.
Despite how scary it sounds, there will always be ways to diminish risk; here are some actions that can be taken in this regard:
- Prevent and Detect Lateral Movement by implementing secure IAM (Identity and Access Management), secure configuration management, Threat Monitoring, Response Automation, and Orchestration.
- Securely Isolate Network Resources: apply the Least Privilege principle, Resources Isolation, Runtime Security, and Real-time detection and response.
- Data Protection: Preserve data confidentiality, integrity, and availability by protecting at all states, at rest, in transit, and while in use.
- Ensure Cloud Infrastructure Integrity: ensure platform and container integrity using encryption and best practices.
🧪 Most of our Evolutionary Trees Could be Wrong
New research suggests that determining evolutionary trees of organisms by comparing anatomy rather than gene sequences is misleading. The study shows that we often need to overturn centuries of scholarly work that classified living things according to how they look. Researchers found that the animals grouped together by molecular trees lived more closely together geographically than the animals grouped using morphological trees.
📚 🤔 Books I’m Currently Reading
Title: Perfectly Confident: How to Calibrate Your Decisions Wisely
Author: Don Moore
A surge of confidence can feel fantastic — offering a rush of energy and even a dazzling future vision. It can give us the courage and bolster our determination when facing adversity. But if that self-assurance leads us to pursue impossible goals, it can waste time, money, and energy. Self-help books and motivational speakers tell us that the more confident we are, the better. But this way of thinking can lead to enormous trouble.
Decades of research demonstrate that we often have an over-inflated sense of self and are rarely as good as we believe. Perfectly Confident is the first book to bring together the best psychological and economic studies to explain exactly what confidence is, when it can be helpful, and when it can be destructive in our lives.
📚 🤩 Books I Recommend Reading
Title: Emotional Agility: Get Unstuck, Embrace Change, and Thrive in Work and Life
Author: Susan David
The path to personal and professional fulfillment is rarely straight. Ask anyone who has achieved his or her biggest goals or whose relationships thrive and you’ll hear stories of many unexpected detours along the way. What separates those who master these challenges and those who get derailed? The answer is agility — emotional agility.
Emotional agility is a revolutionary, science-based approach that allows us to navigate life’s twists and turns with self-acceptance, clear-sightedness, and an open mind. Renowned psychologist Susan David developed this concept after studying emotions, happiness, and achievement for more than twenty years. She found that no matter how intelligent or creative people are, or what type of personality they have, it is how they navigate their inner world — their thoughts, feelings, and self-talk — that ultimately determines how successful they will become.
🎙 Podcast — You might know what PTSD is, or not. How about Cyber PTSD?
We usually count the damage from a cyberattack in Dollars and Euros, but the psychological damage to the victims is rarely discussed, if at all. So, what is the psychological and emotional toll of cyberattacks? Can scams, hacks, and breaches lead to Cyber Post-Traumatic Stress Disorder?
Quote of the Week
“When you feel great, dare to help someone else feel great too.” — Someone Nice 😊