Category Archives: Security

2022 Zero-Day exploitation continues at a worrisome pace

Experts warn that 55 zero-day vulnerabilities were exploited in attacks carried out by ransomware and cyberespionage groups in 2022.

Cybersecurity firm Mandiant reported that ransomware and cyberespionage groups exploited 55 zero-day flaws in attacks in the wild.

Most of the zero-day vulnerabilities were in software from Microsoft, Google, and Apple.

The figures show a decrease from 2021, but experts pointed out that they represent almost triple the number from 2020.

The majority of the zero-day vulnerabilities were exploited by China-linked threat actors as part of their cyberespionage campaigns.

The researchers reported that only four zero-day vulnerabilities were exploited by financially motivated threat actors, with 75% of these instances linked to ransomware attacks.

“Products from Microsoft, Google, and Apple made up the majority of zero-day vulnerabilities in 2022, consistent with previous years. The most exploited product types were operating systems (OS) (19), followed by browsers (11), security, IT, and network management products (10), and mobile OS (6).” reads the report published by Mandiant.

According to the report, 13 zero-days in 2022 were exploited by cyberespionage groups, a figure that is consistent with 2021. Seven zero-days (CVE-2022-24682, CVE-2022-1040, CVE-2022-30190, CVE-2022-26134, CVE-2022-42475, CVE-2022-27518, and CVE-2022-41328) were exploited in attacks in the wild by China-linked cyberespionage groups, while two zero-day vulnerabilities were exploited by suspected North Korea-linked APT groups.

“We identified four zero-day vulnerabilities for which we could attribute exploitation by financially motivated threat actors, a quarter of the total 16 zero-days for which we could determine a motivation for exploitation. 75% of these instances appear to be linked to ransomware operations, consistent with 2021 and 2019 data in which ransomware groups exploited the highest volume of zero-day vulnerabilities compared to other financially motivated actors.” continues the report. “However, the overall count and proportion of the total of financially motivated zero-day exploitation declined in 2022 compared to recent years.”

Multiple China-linked APT groups exploited the vulnerability CVE-2022-30190, aka Follina, while the exploitation of FortiOS vulnerabilities CVE-2022-42475 and CVE-2022-41328 was observed in particularly notable campaigns in 2022.

Mandiant believes that there is a shared development and logistics infrastructure behind the attacks.

Mandiant also observed two instances of Russian state zero-day exploitation. A first campaign carried out by the Russia-linked APT28 group exploited the CVE-2022-30190 flaw (aka Follina) in early June 2022. A second activity is related to a months-long campaign exploiting Microsoft Exchange vulnerability CVE-2023-23397 conducted by a threat actor tracked as UNC4697 (likely linked to the APT28 group).

The experts explained that increased focus on disrupting Russian cyber operations since Russia’s invasion of Ukraine may have discouraged Russia-linked groups from widely using zero-day exploits for access they expected to lose quickly. This implies that the exploitation of the CVE-2022-30190 flaw was likely opportunistic.

“Almost all 2022 zero-day vulnerabilities (53) were exploited for the purpose of achieving either (primarily remote) code execution or gaining elevated privileges, both of which are consistent with most threat actor objectives. While information disclosure vulnerabilities can often gain attention due to customer and user data being at risk of disclosure and misuse, the extent of attacker actions from these vulnerabilities is often limited.” concludes the report. “Alternatively, elevated privileges and code execution can lead to lateral movement across networks, causing effects beyond the initial access vector.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, zero-day)

Lowe’s Market chain leaves client data up for grabs

A misconfiguration on a website owned by the US-based Lowe’s Market grocery store chain could have allowed threat actors to gain control of its systems.

On February 7, the Cybernews research team discovered a misconfiguration on the Lowe’s Market website. The supermarket chain’s website was leaking a treasure trove of private credentials, which left the company vulnerable to potential attacks by cybercriminals.

Together, the compromised credentials could enable an unscrupulous hacker to gain control of most of the online store’s functionality, see sensitive customer information, and abuse access to paid services, all while putting Lowe’s Market customers at risk.

With almost 150 locations, the Lowe’s chain primarily operates stores in Texas, New Mexico, Colorado, Arizona, and Kansas.

At the time of writing, the company has already fixed the issue. Cybernews reached out to Lowe’s Market regarding the details of the misconfiguration and the possible duration of data exposure. However, the company has yet to provide a response to the inquiry.

Access to databases

Researchers found a publicly accessible environment file (.env) hosted on the Lowe’s Market website. Public access to the file posed a risk to the security of the company’s systems, as it was leaking sensitive data and numerous credentials.

An examination of the environment file suggests that the developers were not following the best practices, while poor security configurations might have led to more secrets, an industry term for vital data that should be kept private, being exposed.

The leaked secrets could have allowed threat actors to access databases as the hosts, usernames, and ports of main, tracking, legacy, recipe, and databases were exposed.

Database hosts and credentials are considered sensitive information, as they are used to access respective databases and their contents. In the case of Lowe’s Market, most database hosts are internet-connected, making it particularly easy for threat actors to access them.

Due to legal reasons, it is impossible to check the contents of the databases, but the titles suggest that some of them contained information about products, such as recipes, while others could have contained customer usage data.

At least one of the databases likely contained user information, as the company has limited support for online grocery purchases. One of the titles in the legacy database contained the word “billing,” leading researchers to assume that it may have contained private user data.

The environment file also revealed the access key for an Amazon Web Services (AWS) S3 bucket together with the bucket name. This information could have been used to log in, access the bucket and its contents, and modify or delete existing data.

While the AWS S3 bucket could have stored sensitive information, based on its name, researchers assume it stored only website-related assets.

“The bucket most likely only stored images used by the site and similar, non-sensitive assets,” said Cybernews researcher Aras Nazarovas.

“It is possible that it contained sensitive information as well, as we saw some cases like that, but there is no way to know in this particular case.”

A treasure trove of keys uncovered

The .env file contained numerous application programming interface (API) keys dedicated to a specific website’s functionality. Malicious actors could have used the leaked API keys and credentials to steal user information, change product pricing, and hijack most of the store’s functionality.

One of these leaked keys, GrocerKey API, allowed access to partial credit card information, addresses, and top-spending users, as well as the ability to send unsolicited orders, issue refunds, launch ad campaigns, reset passwords, and check in-store and in-app balances.

The REST API key that enables querying user information was also leaked, and this could have allowed a threat actor to use it along with GrocerKey API to make unauthorized online purchases.

Some other leaked keys could have enabled threat actors to use the company’s official communication channels to send malicious messages across various platforms.

Screenshot of leaked API keys and email credentials | Source: Cybernews

For instance, cybercriminals could have used the leaked Campaign Monitor, Pushwoosh, Loyalty Lane, and Postmark API keys to send emails, application notifications, and SMS messages to Lowe’s Market users. In addition, the threat actor could have used leaked Inmar API keys and credentials to produce custom coupons with significant discounts.

Finally, the exposed Geocoder API key could have allowed a threat actor to gain access to the company’s Google Maps API. A malicious actor could have used this access for personal gain, driving up usage and, subsequently, the bills that the company would be responsible for paying.

This is because each request sent through the Geocoder API to Google Maps would be charged to the company as the legal owner of that account.

“No sensitive information can be obtained, the only possible misuse would be to send requests through the API, or flooding the API with requests to a point where the account would be rate-limited, affecting the website’s ability to display maps,” said Nazarovas.

Takeover of Facebook app

Along with the API keys, the environment file also exposed Facebook OAuth credentials and GitHub OAuth tokens.

Using the leaked Facebook app ID and secret key, the attacker could have requested sensitive user data from Facebook or taken over Lowe’s Market’s Facebook application, with serious consequences for user privacy and security.

Leaking sensitive information such as the GitHub OAuth token could have been dangerous, as it can provide unauthorized access to a user’s GitHub account and the repositories it contains.

According to Cybernews, more grocery stores might be affected; to learn more, take a look at the original post at:

About the author: Paulina Okunytė, Journalist at CyberNews


Top 5 Insider Threats to Look Out For in 2023

Unquestionably, ‘insider threats’ is one of the most neglected aspects of cybersecurity and some companies fail to recognize associated dangers.

Cyberattacks are growing more complex as technology advances. Many businesses concentrate their cybersecurity efforts solely on external attacks, which leaves more openings for internal risks. Some companies fail to recognise the danger of losing confidential information owing to employee negligence or malice. Unquestionably, ‘insider threats’ is one of the most neglected aspects of cybersecurity. According to statistics on insider threats, these threats may originate from employees, business contractors, or other reliable partners with simple access to your network. However, insider threat reports and recent developments have shown a sharp rise in the frequency of insider attacks. Because of these, cybersecurity professionals are now paying more attention to the detrimental effects of insider attacks.

In general, security experts need more confidence in their ability to identify and thwart insider threats successfully. 74% of respondents to a survey on insider attacks said their company was moderately to extremely vulnerable. 74% of respondents, a 6% increase from 2021, also claim that insider threat attacks have become more frequent. In 2022, 60% of respondents said they had suffered an insider attack, while 8% reported more than 20. Insider attacks are more challenging to identify and thwart than external attacks, according to 48% of respondents. It can be challenging for defences to distinguish between insider threats and regular user activity, since insiders use genuine accounts, passwords, and IT tools. Overall, insider threats are becoming a more significant threat, and these findings imply that security teams should prepare for them in 2023.

Organisations must be able to address the risks from malicious insiders who intentionally steal sensitive data for personal reasons and users who can accidentally expose information due to negligence or simple mistakes. 

Here are the top 5 threats security teams should look out for in 2023:

Employee Negligence

Employee carelessness or ignorance may result in unintentional data leaks, improper handling of sensitive information, or a failure to adhere to security policies and procedures. Negligence is to blame for more than two of every three insider incidents. Workers may not be cognizant of the possible hazards they bring to the company or might not prioritise security measures. They act carelessly, reusing passwords across personal and professional accounts or leaving flash drives with private data at a coffee shop, without intending to cause harm. Some are unaware of their involvement and fall victim to social engineering techniques like phishing scams. Others may engage in negligent behaviour, such as evading security measures for convenience.

Malicious Insiders

Insiders who intend to cause harm to the company by stealing data, interfering with business processes, or selling confidential information are considered malicious insiders. These people might be driven by greed, retaliation, or a desire to upend the business. These people are currently employed. They might not be the most ardent supporters of your business, and they frequently vent their resentment by erasing or changing important data sets, leaking confidential information, or taking other sabotage measures. Turncloaks are malicious insiders who consciously do something terrible to an organisation. A trustworthy business partner, contractor, or employee could be the insider. Turncloaks may have ideological, vengeful, or pecuniary motivations. Some engage in clandestine activities like stealing private information or sensitive documents.

Insider Collusion

When two or more employees collaborate to steal information, commit fraud, or participate in other nefarious acts, this is called insider collusion. As a result of the employees’ collaboration and potential ability to conceal their activities, this type of danger might be challenging to identify. Whether intentionally or unintentionally, these threats serve a foreign power. They might be forced to divulge information by outsiders through blackmail or bribery, or they might be tricked into disclosing their login information via social engineering. The most challenging insider risks to identify are moles, which are potentially the most damaging. Moles function similarly to turncloaks, except that they join a firm intending to harm the organisation. Whether they support a nation-state or an unknown cause, they are frequently driven by an intense political motive.

Third-Party Vendors and Contractors

Companies with access to sensitive data or systems may be at risk of insider threats from third-party suppliers and contractors. These individuals might adhere to different security procedures than full-time employees and have a lower stake in the company’s success. Not every insider works for the company. Suppliers, contractors, vendors, and other outside parties with limited inside access can pose an equal threat to staff members with the same rights. Most businesses outsource some of their work to specialised companies or outside agencies. These third parties are occasionally easy targets for cyber attackers because they lack advanced security protocols. Suppose these companies are provided privileged access to part of your company network. In that case, you can bet that the bad actors will infiltrate your system after compromising the partner’s security network, resulting in a third-party data breach.

Security Policy Evaders

The group of workers that prefer to ignore security policies and protocols is last but certainly not least. The business frequently has security policies created to safeguard its personnel and data. Some regulations could be burdensome and inconvenient, and some employees might choose the simple route. Contemporary businesses have security procedures in place to protect their critical data. These safeguards may bother some employees, who may devise workarounds that raise the risk of a data leak. These workarounds could jeopardise the security and data protection of the organisation. Policy evaders might be considered insider threats since they purposefully break security policies, procedures, and best practices.

Organisations can employ technological solutions like access restrictions, monitoring, data loss prevention technologies and insider threat solutions “to rein in their insider risk and prevent threats.” A thorough security plan should be in place and periodically reviewed and updated when new risks arise. Your company’s reputation, future growth, customers, and employees can all be protected by knowing how insider threats show themselves.

About the Author: Mosopefoluwa Amao is a certified Cybersecurity Analyst and Technical writer. She has experience working as a Security Operations Center (SOC) Analyst with a history of creating relevant cybersecurity content for organizations and spreading security awareness. She volunteers as an Opportunities and Resources Writer with a Nigerian based NGO where she curated weekly opportunities for women. She is also a regular writer at Bora.

Her other interests are law, volunteering and women’s rights. In her free time, she enjoys spending time at the beach, watching movies or burying herself in a book.

Connect with her on LinkedIn and Instagram


CISA adds Adobe ColdFusion bug to Known Exploited Vulnerabilities Catalog

US CISA added an actively exploited vulnerability in Adobe ColdFusion to its Known Exploited Vulnerabilities Catalog.

U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability in Adobe ColdFusion, tracked as CVE-2023-26360 (CVSS score: 8.6), to its Known Exploited Vulnerabilities Catalog.

This week Adobe released security updates for ColdFusion versions 2021 and 2018 to resolve the critical flaw CVE-2023-26360 that was exploited in very limited attacks.

“Adobe is aware that CVE-2023-26360 has been exploited in the wild in very limited attacks targeting Adobe ColdFusion.” reads the advisory published by the company.

The vulnerability is an improper access control issue that can allow a remote attacker to execute arbitrary code. It could also lead to arbitrary file system read and memory leak.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix this flaw by April 5, 2023.

The US Agency also added the following vulnerabilities to the catalog that must be addressed by April 4, 2023.

  • CVE-2023-23397 – Microsoft Office Outlook Privilege Escalation Vulnerability.
  • CVE-2023-24880 – Microsoft Windows SmartScreen Security Feature Bypass Vulnerability.
  • CVE-2022-41328 – Fortinet FortiOS Path Traversal Vulnerability.


Key aerospace player Safran Group leaks sensitive data

Top aviation company Safran Group left itself vulnerable to cyberattacks, likely for well over a year, underlining how vulnerable big aviation firms are to threat actors, according to research by Cybernews.

Original post at

The Cybernews research team recently discovered that the French-based multinational aviation company, the eighth largest aerospace supplier worldwide, was leaking sensitive data due to a misconfiguration of its systems. The vulnerability left the company at risk from cyberattacks over an extended period of time.

According to its own estimates, Safran Group’s revenue for 2022 was above €19 billion. It collaborates with Airbus, the second-largest aerospace company globally after Boeing, to manufacture aerospace equipment.

The Safran Group is also involved in developing cutting-edge technologies beyond aviation, such as modules currently in use in the James Webb Telescope, the world’s largest optical telescope in space. Also, the company manufactures surface-to-air defense systems and missiles.

Cybernews reached out to Safran Group regarding the leak researchers found, and at the time of writing, the misconfiguration has been fixed.

The discovery

Researchers found a publicly available environment file used by the beta deployment of the open-source video-calling app Jitsi Meet. The Cybernews team estimates that the file stayed publicly available for around a year-and-a-half, leaving Safran Group vulnerable to potential attacks throughout that time.

The leaked sensitive information included the Laravel app key, JSON Web Token (JWT) key, MySQL credentials, and Simple Mail Transfer Protocol (SMTP) credentials for the “no-reply” email.

The Cybernews researchers highlight that the exposure of these keys and credentials could have made it relatively easy for attackers to gain access to the website’s backend, employee computers, and other servers.
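Both this incident and the Lowe’s Market one above turn on a dotenv file reachable from the web. As an added example (not Cybernews’ code, nor anything from Safran or Lowe’s Market), the following Python parses a .env file of that shape, flags which variables carry credentials versus mere service locators (hosts, ports, usernames, bucket names), and produces the rotation list a responder needs; the sample file and every value in it are constructed placeholders.

```python
"""Audit a dotenv (.env) file for the secrets it carries.

Added example, not code from Cybernews or from the companies discussed.
The sample file below is constructed and every value is a placeholder.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Name fragments that in practice mark a value as a credential.
SECRET_NAME_PATTERNS = ("KEY", "SECRET", "TOKEN", "PASSWORD", "PASS", "PWD", "CREDENTIAL")
# Names that only locate a service: not secrets by themselves, but they tell
# a reader of the leaked file exactly where each credential is used.
LOCATOR_NAME_PATTERNS = ("HOST", "PORT", "USER", "BUCKET", "URL", "DSN")

_LINE_RE = re.compile(r"^(?:export\s+)?(?P<key>[A-Za-z_][A-Za-z0-9_]*)\s*=\s*(?P<value>.*)$")


def parse_dotenv(text: str) -> dict[str, str]:
    """Parse dotenv text: comments, blank lines, optional 'export ', quoted values."""
    env: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _LINE_RE.match(line)
        if not match:
            continue  # malformed line: skip rather than guess
        key, value = match.group("key"), match.group("value").strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]  # quoted: keep verbatim, including any '#'
        else:
            value = value.split(" #", 1)[0].rstrip()  # unquoted: drop trailing comment
        env[key] = value
    return env


@dataclass(frozen=True)
class Finding:
    name: str
    kind: str      # "secret" or "locator"
    preview: str   # redacted value, safe to paste into a ticket


def redact(value: str) -> str:
    """Show enough to recognise a value without reproducing it."""
    if len(value) <= 8:
        return "*" * len(value)
    return f"{value[:3]}...{value[-2:]} ({len(value)} chars)"


def classify(name: str) -> str | None:
    upper = name.upper()
    if any(p in upper for p in SECRET_NAME_PATTERNS):
        return "secret"
    if any(p in upper for p in LOCATOR_NAME_PATTERNS):
        return "locator"
    return None


def audit_dotenv(text: str) -> list[Finding]:
    """One Finding per populated variable that looks like a secret or a locator."""
    findings = []
    for name, value in parse_dotenv(text).items():
        kind = classify(name)
        if kind is not None and value:
            findings.append(Finding(name, kind, redact(value)))
    return findings


def rotation_list(findings: list[Finding]) -> list[str]:
    """Names whose values must be rotated if the file was ever reachable from the web."""
    return sorted(f.name for f in findings if f.kind == "secret")


def render_report(findings: list[Finding]) -> str:
    lines = [f"{f.kind:8} {f.name:24} {f.preview}" for f in findings]
    lines.append(f"rotate: {', '.join(rotation_list(findings))}")
    return "\n".join(lines)


# Constructed sample in the shape of a Laravel-style .env (placeholders only).
SAMPLE_ENV = """
# constructed sample; nothing here is a real value
APP_NAME=meet-beta
APP_KEY=base64:PLACEHOLDER_LARAVEL_APP_KEY_NOT_REAL==
JWT_SECRET="PLACEHOLDER_JWT_SIGNING_SECRET"
DB_HOST=db.internal.example
DB_PORT=3306
DB_USERNAME=app
DB_PASSWORD='PLACEHOLDER_DB_PASSWORD'
MAIL_HOST=smtp.example
MAIL_USERNAME=no-reply@example
MAIL_PASSWORD=PLACEHOLDER_SMTP_PASSWORD # rotate after incident
export AWS_ACCESS_KEY_ID=PLACEHOLDER_ACCESS_KEY_ID
AWS_SECRET_ACCESS_KEY=PLACEHOLDER_SECRET_ACCESS_KEY
AWS_BUCKET=site-assets
"""

if __name__ == "__main__":
    print(render_report(audit_dotenv(SAMPLE_ENV)))
```

The report never echoes a value, so it can go straight into an incident ticket; the rotation list is the minimum set to replace before the exposed file can be considered dealt with.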

The Laravel app key is a token that helps to keep user browser cookies safe. If threat actors know this token, they can use it to decrypt cookies, which might contain session IDs. Knowing them, a threat actor could hijack the session and therefore the account.

The leak also included the JWT secret key, another type of token, which is usually used for authentication. These tokens can be issued both for a user and for an admin. If attackers had access to this key, they could create an admin account and gain privileged access to a website.

“The JWT secret key is used to generate and verify JWT tokens in use on that site,” added Cybernews researcher Aras Nazarovas.
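The defensive consequence of the point above is that a leaked signing secret has to be retired, not just kept quiet. The following is an added example (not code from Jitsi, Laravel, Cybernews or Safran) of the verification side: an HS256 verifier whose secrets are looked up by the token’s `kid` header, so that after rotation any token minted under the leaked key is refused even though its signature is mathematically valid, and a token that names the new key but was signed with the old one fails on signature. Both secret values are constructed placeholders.

```python
"""HS256 JWT issue/verify with a key ring, so a leaked signing secret can be
retired without invalidating tokens minted under its replacement.
Added example; not Jitsi's, Laravel's or Safran's code. Secrets are placeholders."""
from __future__ import annotations

import base64
import hashlib
import hmac
import json


class TokenRejected(Exception):
    pass  # message is a short, log-friendly reason


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


class KeyRing:
    """Every HS256 secret the site has issued tokens under, keyed by 'kid'.
    A leaked secret stays in the ring but is marked revoked."""

    def __init__(self, keys: dict[str, bytes], active_kid: str):
        self.keys = dict(keys)
        self.active_kid = active_kid
        self.revoked: set[str] = set()

    def rotate(self, new_kid: str, new_key: bytes) -> None:
        self.revoked.add(self.active_kid)  # the key being replaced is never trusted again
        self.keys[new_kid] = new_key
        self.active_kid = new_kid

    def sign(self, claims: dict) -> str:
        header = {"alg": "HS256", "typ": "JWT", "kid": self.active_kid}
        signing_input = _b64url(_json(header)) + "." + _b64url(_json(claims))
        mac = hmac.new(self.keys[self.active_kid], signing_input.encode(), hashlib.sha256).digest()
        return signing_input + "." + _b64url(mac)

    def verify(self, token: str, now: float) -> dict:
        parts = token.split(".")
        if len(parts) != 3:
            raise TokenRejected("malformed")
        try:
            header, claims = (json.loads(_b64url_decode(p)) for p in parts[:2])
            sig = _b64url_decode(parts[2])
        except ValueError:
            raise TokenRejected("malformed")
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            raise TokenRejected("malformed")
        if header.get("alg") != "HS256":  # the token never gets to pick the algorithm
            raise TokenRejected("bad alg")
        kid = header.get("kid")
        if kid not in self.keys:
            raise TokenRejected("unknown kid")
        if kid in self.revoked:
            raise TokenRejected("revoked key")
        expected = hmac.new(self.keys[kid], f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            raise TokenRejected("bad signature")
        exp = claims.get("exp")
        if not isinstance(exp, (int, float)) or exp <= now:
            raise TokenRejected("expired")
        return claims


def check(ring: KeyRing, token: str, now: float) -> str:
    """'ok' or the rejection reason; handy for tests and log lines."""
    try:
        ring.verify(token, now)
        return "ok"
    except TokenRejected as exc:
        return str(exc)


# Constructed placeholders; real secrets belong in a secret store, not in a .env under the web root.
LEAKED_KEY = b"placeholder-secret-that-sat-in-the-public-env-file"
NEW_KEY = b"placeholder-replacement-secret-from-the-secret-store"


def rotation_demo(now: float = 1_700_000_000.0) -> dict[str, str]:
    """Mint under the leaked key, rotate, and record what the verifier says afterwards."""
    ring = KeyRing({"k-2021": LEAKED_KEY}, active_kid="k-2021")
    claims = {"sub": "admin", "role": "admin", "exp": now + 3600}
    old_token = ring.sign(claims)
    before = check(ring, old_token, now)
    ring.rotate("k-2023", NEW_KEY)
    # Signed with the leaked secret but labelled with the new kid: must fail on signature.
    relabelled = KeyRing({"k-2023": LEAKED_KEY}, active_kid="k-2023").sign(claims)
    # Unsigned 'alg: none' token: must fail before any key is even looked up.
    alg_none = _b64url(_json({"alg": "none", "kid": "k-2023"})) + "." + _b64url(_json(claims)) + "."
    return {
        "old_before_rotation": before,
        "old_after_rotation": check(ring, old_token, now),
        "new_after_rotation": check(ring, ring.sign(claims), now),
        "leaked_key_relabelled": check(ring, relabelled, now),
        "alg_none": check(ring, alg_none, now),
        "expired": check(ring, ring.sign({**claims, "exp": now - 1}), now),
    }
```

Rotation here also invalidates every legitimate session issued under the old key, which is the intended cost: after a leak there is no way to tell those sessions from ones an outsider minted.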

Threat actors could also have used the admin accounts to plant web shells – malicious scripts that enable them to compromise web servers and launch additional attacks.

The leaked MySQL database logins could be used to get into the company’s database stored on the same server and steal information. If hackers took control of the systems at the Safran Group, they could move around and get access to confidential documents or even damage their equipment.

If the threat actor gets access to the SMTP credentials, they can use them to send emails to trick people into giving away sensitive information. The emails would appear to all intents and purposes to be legitimate, as they would be sent from the company’s servers.

This could negatively have impacted other aviation companies, stressed Nazarovas.

“Other aviation companies would expect messages from this email, and would be the primary target of this attack, as it was for a video-conferencing application that they likely used before, for meetings with Safran employees,” he said.

Cybernews researchers advise the company to take swift action to mitigate risks and prevent future breaches by changing the leaked credentials. It is crucial to ensure that the replacement keys have longer bit-lengths and are generated and stored using secure encryption/hashing algorithms.

Additionally, the company should consider whether the platform needs to be accessible through the internet or only through a VPN, which would provide an additional layer of security.

Sensitive infrastructure a tempting target

Due to Safran Group’s position in the aviation supply chain, with only one hop between the company and the aircraft builders that use its products, a supply-chain attack could have a far-reaching impact, posing a risk to the company and its customers in the aviation sector.

As the company is developing cutting-edge technologies, it is a substantial target for advanced persistent threat (APT) groups, often associated with nation-states or state-sponsored groups and driven by political or economic motives.

Safran has already been targeted by threat actors. As reported in 2011, the company fell victim to two cyberattacks, which are suspected to be part of an espionage attempt.

The unidentified hackers allegedly attempted to map the company’s computer system between 2009 and 2010. While no serious spying activities were reported, government officials confirmed that there were attempts to do so.

In 2018, Safran is believed to have suffered a cyberattack on its internal network. According to the US government and media reports at the time, hackers believed to be linked to a state security ministry in China collaborated with six hackers and two insiders at the company’s Chinese office to steal jet engine blueprints.

While the authorities did not specifically name Safran, media reporting on the incident said they believed it was “almost certainly” the target of the espionage operation.

Tough times for aviation

The aviation industry had a rough start to the year. In January, an alerting system responsible for notifying pilots and airlines of potential dangers experienced a glitch that resulted in the temporary suspension of domestic flights throughout the US. Some media sources said over 7,800 flights were delayed, and 1,200 were canceled, while others claimed as many as 11,000 in total were disrupted.

The same month, an FBI “No-Fly” list containing around 1.5 million entries was leaked from an unprotected server at CommuteAir airlines. On February 14, Scandinavian Airlines (SAS) suffered a cyberattack that knocked the airline’s website and mobile app offline for multiple hours, with Anonymous Sudan taking responsibility for the attack.

The aviation industry is considered a prime target for cybercriminals due to its critical infrastructure. In recent years, experts have seen a substantial increase in cyberattacks against the industry, which reportedly suffers a ransomware attack every week.

A rising number of state-sponsored and organized crime syndicates are capable of large-scale targeted intrusions to disrupt operations and steal valuable intellectual property.

More on cybersecurity concerns in the aviation sector are available in the original post:

About the author: Paulina Okunytė, Journalist at CyberNews


Microsoft Patch Tuesday fixes Outlook zero-day actively exploited

Microsoft Patch Tuesday updates for March 2023 addressed 74 vulnerabilities, including a Windows zero-day exploited in ransomware attacks.

Microsoft Patch Tuesday security updates for March 2023 addressed 74 new vulnerabilities in Microsoft Windows and Windows Components; Office and Office Components; Edge (Chromium-based); Microsoft Dynamics; Visual Studio; and Azure.

Six of the fixed issues are rated Critical and 67 are rated Important, while only one is rated Moderate in severity.

Two of the vulnerabilities addressed by the IT giant, respectively tracked as CVE-2023-23397 and CVE-2023-24880, are actively exploited in the wild.

The CVE-2023-23397 flaw is a Microsoft Outlook spoofing vulnerability that can lead to an authentication bypass.

A remote, unauthenticated attacker can exploit the flaw to access a user’s Net-NTLMv2 hash by sending a specially crafted e-mail to an affected system.

“An attacker who successfully exploited this vulnerability could access a user’s Net-NTLMv2 hash which could be used as a basis of an NTLM Relay attack against another service to authenticate as the user.” reads the advisory published by Microsoft.

“The attacker could exploit this vulnerability by sending a specially crafted email which triggers automatically when it is retrieved and processed by the Outlook client. This could lead to exploitation BEFORE the email is viewed in the Preview Pane.”

“External attackers could send specially crafted emails that will cause a connection from the victim to an external UNC location of attackers’ control. This will leak the Net-NTLMv2 hash of the victim to the attacker who can then relay this to another service and authenticate as the victim.”

The vulnerability was reported by CERT-UA and by Microsoft Incident Response and Microsoft Threat Intelligence (MSTI), suggesting that it has been exploited by a nation-state actor.

The second flaw actively exploited in the wild is a Windows SmartScreen security feature bypass vulnerability tracked as CVE-2023-24880.

An attacker can exploit the vulnerability to bypass Mark of the Web (MOTW) defenses by using specially crafted files. Microsoft Office SmartScreen and Protected View rely on MOTW, which means that the flaw can be exploited to bypass them and deliver malware via crafted documents.

“An attacker can craft a malicious file that would evade Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MOTW tagging.” states Microsoft.

This second flaw has been exploited by attackers to bypass the Windows SmartScreen and deploy the Magniber ransomware.


Adobe fixed ColdFusion flaw listed as under active exploit

Adobe is warning that a critical zero-day flaw in ColdFusion web app development platform was exploited in very limited attacks.

Software giant Adobe released security updates for ColdFusion versions 2021 and 2018 to resolve a critical flaw, tracked as CVE-2023-26360 (CVSS base score 8.6), that was exploited in very limited attacks.

“Adobe is aware that CVE-2023-26360 has been exploited in the wild in very limited attacks targeting Adobe ColdFusion.” reads the advisory published by the company.

The vulnerability is an improper access control issue that can allow a remote attacker to execute arbitrary code. It could also lead to arbitrary file system read and memory leak.

The company also fixed a critical deserialization of untrusted data issue in Adobe ColdFusion, tracked as CVE-2023-26359 (CVSS base score 9.8), that can lead to arbitrary code execution.

Adobe also fixed a ColdFusion Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) flaw, tracked as CVE-2023-26361 (CVSS base score 4.9), that can lead to a memory leak.

In March 2023, the company released eight patches addressing a total of 105 vulnerabilities in Photoshop, Experience Manager, Dimension, Commerce, Substance 3D Stager, Cloud Desktop Application, and Illustrator. ZDI reported that a total of 77 of these bugs were reported through its program. The experts pointed out that this is the “largest Adobe update in quite some time.”

Only the patch for ColdFusion is listed as under active exploit.


CISA adds Plex Media Server bug, exploited in LastPass attack, to Known Exploited Vulnerabilities Catalog

US CISA added remote code execution vulnerability in Plex Media Server to its Known Exploited Vulnerabilities Catalog.

U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a remote code execution (RCE) vulnerability in the Plex Media Server, tracked as CVE-2020-5741 (CVSS score: 7.2), to its Known Exploited Vulnerabilities Catalog.

The three-year-old high-severity flaw is a deserialization of untrusted data issue in Plex Media Server on Windows; a remote, authenticated attacker can trigger it to execute arbitrary Python code.

“This issue allowed an attacker with access to the server administrator’s Plex account to upload a malicious file via the Camera Upload feature and have the media server execute it. This could be done by setting the server data directory to overlap with the content location for a library on which Camera Upload was enabled.” reads the advisory published by Plex. “This issue could not be exploited without first gaining access to the server’s Plex account.”

The company addressed the vulnerability with the release of Plex Media Server 1.19.3 in May 2020.

The security breach suffered by LastPass was caused by the failure to update Plex on the home computer of one of its engineers.

Recently, the password management software firm disclosed a “second attack,” in which a threat actor used data stolen from the August security breach and combined it with information available from a third-party data breach. The attackers then exploited a flaw in a third-party media software package to target the firm.

LastPass revealed that the home computer of one of its DevOps engineers was hacked as part of a sophisticated cyberattack.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix this flaw by March 31, 2023.
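The review the experts recommend above can be automated: compare a KEV snapshot against an asset inventory and flag hosts that are still unpatched past the CISA due date. This is an added example, not code from CISA, Plex or the article; the KEV record and the inventory are constructed, and only the Plex fix version (1.19.3) and the due date (March 31, 2023) come from the text.

```python
import json
from datetime import date

# Constructed KEV excerpt using the catalog's public JSON field names.
# The due date is the one reported in the article (March 31, 2023).
KEV_SNAPSHOT = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2020-5741", "vendorProject": "Plex",
     "product": "Media Server", "dueDate": "2023-03-31"},
]})

# First fixed release per product; Plex shipped the fix in 1.19.3.
FIXED_VERSIONS = {("Plex", "Media Server"): "1.19.3"}

# Constructed inventory: (host, vendor, product, installed version).
INVENTORY = [
    ("dev-laptop-01", "Plex", "Media Server", "1.19.2.2764"),
    ("media-box", "Plex", "Media Server", "1.31.0"),
    ("dev-laptop-02", "Plex", "Media Server", "1.19.3"),
]

def parse_version(v):
    # Dotted numeric version -> tuple, so comparison is numeric, not lexical.
    return tuple(int(p) for p in v.split("."))

def is_patched(installed, fixed):
    # Pad the shorter tuple with zeros so "1.19.3" and "1.19.3.0" compare equal.
    a, b = parse_version(installed), parse_version(fixed)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) >= b + (0,) * (n - len(b))

def kev_exposure(kev_json, inventory, fixed_versions, today_iso):
    """Return (host, cveID, days_past_due) for hosts still running a KEV-listed
    vulnerable version; days_past_due is negative before the CISA due date."""
    today = date.fromisoformat(today_iso)
    findings = []
    for entry in json.loads(kev_json)["vulnerabilities"]:
        key = (entry["vendorProject"], entry["product"])
        fixed = fixed_versions.get(key)
        if fixed is None:
            continue  # no fix data for this product; cannot judge
        overdue = (today - date.fromisoformat(entry["dueDate"])).days
        for host, vendor, product, version in inventory:
            if (vendor, product) == key and not is_patched(version, fixed):
                findings.append((host, entry["cveID"], overdue))
    return findings

if __name__ == "__main__":
    for finding in kev_exposure(KEV_SNAPSHOT, INVENTORY, FIXED_VERSIONS, "2023-04-10"):
        print(finding)
```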


Pierluigi Paganini

(SecurityAffairs – hacking, Plex)

The risk of pasting confidential company data into ChatGPT

Experts warn that employees are providing sensitive corporate data to the popular artificial intelligence chatbot model ChatGPT.

Researchers from Cyberhaven Labs analyzed the use of ChatGPT by 1.6 million workers at companies across industries. They reported that 5.6% of them have used it in the workplace and 4.9% have provided company data to the popular chatbot model since it launched. ChatGPT uses this data to build its knowledge base, and it publicly shares information built on it.

The use of ChatGPT is becoming a serious problem in the workplace, as it can potentially cause the leak of sensitive and confidential data. For this reason, companies like JP Morgan and Verizon are blocking access to the chatbot over concerns about confidential data.

The experts reported that less than one percent (0.9%) of employees are responsible for 80% of the leaks caused by pasting company data into the chatbot. This percentage could rapidly increase in the coming months with the integration of the technology into multiple services, for example through the use of the ChatGPT API.

Employees believe that the artificial intelligence chatbot developed by OpenAI can significantly improve their productivity.

The experts also warn that enterprise security software cannot monitor the use of ChatGPT by employees and prevent the leak of sensitive/confidential company data.

“Since ChatGPT launched publicly, 5.6% of knowledge workers have tried using it at least once in the workplace. Furthermore, 2.3% of employees have put confidential company data into ChatGPT.” reads the report published by Cyberhaven Labs. “Despite a growing number of companies outright blocking access to ChatGPT, usage continues to grow exponentially. On March 1, our product detected a record 3,381 attempts to paste corporate data into ChatGPT per 100,000 employees, defined as “data egress” events in the chart below.”

The researchers also monitored workers copying data out of the popular chatbot and pasting it elsewhere, like a company email, Google Doc, or their source code editor. They noticed that employees copy data out of the chatbot more than they paste company data into ChatGPT at a nearly 2-to-1 ratio.

The researchers pointed out that the average company leaks sensitive data to ChatGPT hundreds of times each week. For example, during the week of February 26 – March 4, workers at the average company with 100,000 employees pasted confidential documents into the AI-based chatbot 199 times, client data 173 times, and source code 159 times.

We cannot demonize the use of the popular platform in the workplace; however, it is essential to raise awareness about the risks of improper use of such technology.

Let me close with this question I put to the chatbot:

How risky is it to provide company data to ChatGPT?

“As a large language model, ChatGPT doesn’t have the ability to store or acquire company or personal data. This means that there is no inherent risk in using ChatGPT to discuss general issues or ask knowledge-related questions.

However, if you provide confidential or sensitive information about a company or person, that information could be vulnerable to potential security or privacy threats associated with online communication. In general, it’s always important to exercise due diligence when discussing sensitive information online.

In summary, ChatGPT doesn’t represent a risk to the security of company data in itself, but it’s always important to be mindful of online privacy and security and carefully consider what kind of information you share on a chatbot platform.”


Pierluigi Paganini

(SecurityAffairs – hacking, AI)

Cisco fixed CVE-2023-20049 DoS flaw affecting enterprise routers

Cisco fixed a high-severity DoS vulnerability (CVE-2023-20049) in IOS XR software that impacts several enterprise routers.

Cisco has released security updates to address a high-severity DoS vulnerability, tracked as CVE-2023-20049 (CVSS score of 8.6), in IOS XR software used by several enterprise-grade routers.

The vulnerability resides in the bidirectional forwarding detection (BFD) hardware offload feature of Cisco IOS XR Software for Cisco ASR 9000 Series Aggregation Services Routers, ASR 9902 Compact High-Performance Routers, and ASR 9903 Compact High-Performance Routers.

An unauthenticated, remote attacker can trigger the flaw to cause a line card to reset, resulting in a denial of service (DoS) condition.

An attacker can trigger the CVE-2023-20049 vulnerability by sending a crafted IPv4 BFD packet to a vulnerable device.

“This vulnerability is due to the incorrect handling of malformed BFD packets that are received on line cards where the BFD hardware offload feature is enabled.” reads the advisory published by the vendor. “A successful exploit could allow the attacker to cause line card exceptions or a hard reset, resulting in loss of traffic over that line card while the line card reloads.”

This flaw affects the following Cisco routers if they are running a vulnerable release of Cisco IOS XR 64-bit Software and have BFD hardware offload enabled for any of the installed line cards:

  • ASR 9000 Series Aggregation Services Routers only if they have a Lightspeed or Lightspeed-Plus-based line card installed
  • ASR 9902 Compact High-Performance Routers
  • ASR 9903 Compact High-Performance Routers

The company pointed out that this vulnerability does not affect the following Cisco products:

  • IOS Software
  • IOS XE Software
  • IOS XR Platforms not listed in the Vulnerable Products section of this advisory

As a workaround, Cisco recommends disabling BFD hardware offload and configuring infrastructure access control lists.

The IT giant addressed the issue with the release of IOS XR versions 7.5.3, 7.6.2, and 7.7.1.


Pierluigi Paganini

(SecurityAffairs – hacking, routers)