My workload has been mounting in recent weeks. As a result, I've not been consistent with this series this year. Hopefully, I'll be here next week to shout at the top of my voice: Yes! I made it this week. Nevertheless, let's do some review!
Introduction
This week, most of our review covers articles about software vulnerabilities. However, one story is about a supply chain attack.
Lapsus$ and SolarWinds hackers both use the same old trick to bypass MFA
Multifactor Authentication (MFA) is an added security measure for user accounts. When enabled on an account, it aims to admit only the legitimate account owner by requiring a second factor in addition to the password. However, history has shown that not all MFA is implemented in the same way. Therefore, some implementations can be bypassed, as is the case in this story.
What's more, the hacker group Lapsus$ has been on a hacking spree recently, and they've leaked lots of private data to the public. So, this article is an interesting read.
Excerpt from the article:
“Many MFA providers allow for users to accept a phone app push notification or to receive a phone call and press a key as a second factor,” Mandiant researchers wrote. “The [Nobelium] threat actor took advantage of this and issued multiple MFA requests to the end user’s legitimate device until the user accepted the authentication, allowing the threat actor to eventually gain access to the account.”
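The excerpt describes a pattern (repeated push prompts until one is accepted) that is visible in authentication logs. Below is an added detection example, not code from the article or from Mandiant. The log format, the event names (MFA_PUSH_SENT, MFA_PUSH_DENIED, MFA_PUSH_TIMEOUT, MFA_PUSH_APPROVED), the time window and the threshold are all assumptions, and the sample lines are constructed.

```python
"""Flag MFA push-fatigue patterns in authentication logs.

Added example, not from the original article. The "timestamp user event"
log format, event names and thresholds are assumptions; the log is constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: alice is prompted four times at 2 a.m., rejects or
# ignores three prompts, then approves; bob is a normal single-prompt login.
SAMPLE_LOG = """\
2022-03-29T02:14:05Z alice MFA_PUSH_SENT
2022-03-29T02:14:09Z alice MFA_PUSH_DENIED
2022-03-29T02:14:31Z alice MFA_PUSH_SENT
2022-03-29T02:14:40Z alice MFA_PUSH_TIMEOUT
2022-03-29T02:15:02Z alice MFA_PUSH_SENT
2022-03-29T02:15:10Z alice MFA_PUSH_DENIED
2022-03-29T02:15:44Z alice MFA_PUSH_SENT
2022-03-29T02:16:01Z alice MFA_PUSH_APPROVED
2022-03-29T09:00:00Z bob MFA_PUSH_SENT
2022-03-29T09:00:04Z bob MFA_PUSH_APPROVED
"""

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"
WINDOW = timedelta(minutes=10)  # assumed: correlate events within this window
THRESHOLD = 3                   # assumed: this many pushes in the window is a burst


def parse_line(line):
    """Split one assumed-format log line into (datetime, user, event)."""
    ts, user, event = line.split()
    return datetime.strptime(ts, TS_FORMAT), user, event


def detect_push_fatigue(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return a list of alerts as (kind, user, timestamp, count).

    Two conditions fire:
      * "burst": a user receives `threshold` pushes inside `window`;
      * "approved_after_failures": an approval follows one or more denials or
        timeouts inside `window`, the outcome the article describes.
    """
    pushes = defaultdict(deque)    # user -> push timestamps inside the window
    failures = defaultdict(deque)  # user -> denial/timeout timestamps inside the window
    alerts = []

    def evict(queue, now):
        # Drop events that fell out of the sliding window.
        while queue and now - queue[0] > window:
            queue.popleft()

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, event = parse_line(line)
        evict(pushes[user], ts)
        evict(failures[user], ts)
        stamp = ts.strftime(TS_FORMAT)
        if event == "MFA_PUSH_SENT":
            pushes[user].append(ts)
            if len(pushes[user]) == threshold:
                alerts.append(("burst", user, stamp, threshold))
        elif event in ("MFA_PUSH_DENIED", "MFA_PUSH_TIMEOUT"):
            failures[user].append(ts)
        elif event == "MFA_PUSH_APPROVED" and failures[user]:
            alerts.append(("approved_after_failures", user, stamp, len(failures[user])))
            failures[user].clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_LOG):
        print(alert)
```

Running it over the constructed log yields two alerts for alice (a burst of three pushes, then an approval after three failures) and none for bob. Number-matching prompts and rate limits on pushes are the mitigations; this logic is for spotting the pattern when they are not in place.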
Critical Vulnerabilities Found in Microsoft Defender for IoT
The vulnerabilities in question are SQL injection vulnerabilities. Both vulnerabilities got a CVSS score of 10.
Excerpt from the article:
The researchers say the vulnerability allowed them to “insert, update, and execute SQL special commands.” They came up with proof-of-concept (PoC) code that exploits the bug to extract a logged-in user session ID from the database, which leads to complete account takeover.
Also related to the token validation process, albeit performed by a different function, CVE-2021-42311 exists because an API token used for verification is shared across Defender for IoT installations.
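The excerpt says the researchers used the injection to read a session ID out of the database. The following added example (not code from the article or from Defender for IoT) shows the general shape of such a defect next to its fix: a query built by string concatenation beside the same query with a bound parameter. The table, column names and rows are constructed, and the tautology input is a constructed test value.

```python
"""SQL injection: a vulnerable lookup beside its parameterised fix.

Added example, not from the article or the affected product. Schema and rows
are constructed for illustration.
"""
import sqlite3


def build_db():
    """Constructed in-memory database with a sessions table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sessions (username TEXT, session_id TEXT)")
    conn.executemany(
        "INSERT INTO sessions VALUES (?, ?)",
        [("alice", "sess-alice-0001"), ("admin", "sess-admin-0002")],
    )
    return conn


def lookup_session_vulnerable(conn, username):
    # Defect: the caller's input is spliced into the SQL text, so a quote in the
    # input changes the query's structure instead of being compared as data.
    sql = "SELECT session_id FROM sessions WHERE username = '" + username + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_session_safe(conn, username):
    # Fix: a bound parameter is always treated as a value, never as SQL syntax.
    sql = "SELECT session_id FROM sessions WHERE username = ?"
    return sorted(row[0] for row in conn.execute(sql, (username,)))


def compare(conn, username):
    """Return what each variant yields for the same input."""
    return {
        "vulnerable": lookup_session_vulnerable(conn, username),
        "safe": lookup_session_safe(conn, username),
    }


if __name__ == "__main__":
    db = build_db()
    print(compare(db, "alice"))
    # Constructed tautology input: only the concatenated query leaks every row.
    print(compare(db, "x' OR '1'='1"))
```

For a normal username both functions return the same single row. For the constructed tautology input the concatenated query returns every session ID in the table, which is the class of result the article describes, while the parameterised query returns nothing because no user is literally named `x' OR '1'='1`.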
A Large-Scale Supply Chain Attack Distributed Over 800 Malicious NPM Packages
The article indicates that the attack is hard to spot. Still, double-check the packages that you download and install in your projects.
Excerpt from the article:
As it seems this time, the attacker has fully-automated the process of NPM account creation and has opened dedicated accounts, one per package, making his new malicious packages batch harder to spot.
New Spring Java framework zero-day allows remote code execution
At the time of writing, there is no patch for the zero-day bug.
Excerpt from the article:
This new Spring RCE vulnerability, now dubbed Spring4Shell, is caused by unsafe deserialization of passed arguments.
While it was initially thought to affect all Spring apps running on Java 9 or greater, it was later determined that there are specific requirements that must be met for a Spring app to be vulnerable.
Cybersecurity Vendors Assessing Impact of Recent OpenSSL Vulnerability
Tavis Ormandy of Google discovered the vulnerability in some versions of OpenSSL. A fix is available in newer OpenSSL releases. Nevertheless, companies that ship the affected versions in their products are still investigating the impact of the vulnerability.
Excerpt from the article:
Palo Alto Networks on Wednesday informed customers that it’s still investigating the impact of CVE-2022-0778 on its products, but the company has so far confirmed that PAN-OS, the GlobalProtect app, and the Cortex XDR agent software contain a vulnerable version of OpenSSL.
F5 says the OpenSSL vulnerability affects BIG-IP and Traffix products and it’s working on patches. BIG-IP is only affected if specific configurations are used.
Sophos says the vulnerability impacts its Firewall, UTM and Web Appliance products. The company’s advisory informs customers that fixes are scheduled for late March and April.
Critical GitLab vulnerability lets attackers take over accounts
The vulnerability has to do with a hardcoded password.
Excerpt from the article:
A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. OAuth, LDAP, SAML) in GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allowing attackers to potentially take over accounts.
Apple rushes out patches for two 0-days threatening iOS and macOS users
In the world of computer security, nothing is scarier than a zero-day bug. Let alone two zero-days!
Excerpt from the article:
Apple credited an anonymous researcher with discovering both vulnerabilities. The first vulnerability, CVE-2022-22675, resides in macOS for Monterey and in iOS or iPadOS for most iPhone and iPad models.
The flaw, which stems from an out-of-bounds write issue, gives hackers the ability to execute malicious code that runs with privileges of the kernel, the most security-sensitive region of the OS. CVE-2022-22674, meanwhile, also results from an out-of-bounds read issue that can lead to the disclosure of kernel memory.
Support Me
I am on a journey to keep you updated about important security stories that affect you and me. I'd appreciate your support.
Credits
Cover photo by Debby Hudson on Unsplash.
That's it for this week, I'll see you next Friday (In Shaa' Allah).