Security Leftovers
-
Recently Patched GE Cimplicity Vulnerabilities Reminiscent of Russian ICS Attacks
Over a dozen vulnerabilities patched by GE in its Cimplicity HMI/SCADA product are reminiscent of ICS attacks conducted by the Russian Sandworm group.
-
Famed Hacker Kevin Mitnick Dead at 59
Famed hacker Kevin Mitnick has died after a battle with pancreatic cancer. At the time of his death, he was Chief Hacking Officer at security awareness training firm KnowBe4.
-
Exploitation of New Citrix Zero-Day Likely to Increase, Organizations Warned
Citrix has patched several vulnerabilities, including CVE-2023-3519, a critical remote code execution zero-day that has been exploited in attacks.
-
FCC and NIST unveil the Cyber Trust Mark, a voluntary US IoT security label
Representatives of the Federal Communications Commission (FCC) and the National Institute of Standards and Technology (NIST) have recently unveiled a U.S. national IoT security label at the White House called the “U.S. Cyber Trust Mark” to inform consumers about the security, safety, and privacy of a specific IoT and Smart Home device. IoT security has been a problem for years with routers shipping with telnet enabled with default usernames and passwords, vulnerabilities in SDKs, unencrypted passwords transmitted over the network, millions of devices with older microcontrollers without built-in hardware security features, etc… There have been industry efforts to solve this such as the Arm PSA initiative, as well as regulations to prevent default usernames/passwords in new devices, but nothing about IoT security that can help a consumer find out if a device is supposed to be secure or not.
-
Deobfuscation of Malware Delivered Through a .bat File, (Thu, Jul 20th)
I found a phishing email that delivered a RAR archive (password protected).
-
Citrix ADC Vulnerability CVE-2023-3519, 3466 and 3467 - Patch Now!, (Wed, Jul 19th)
Citrix released details on a new vulnerability on their ADC (Application Delivery Controller) yesterday (18 July 2023), CVE-2023-3519. This is an unauthenticated RCE (remote code execution), which means an attacker can run arbitrary code on your ADC without authentication.
This affects ADC hosts configured in any of the "gateway" roles (VPN virtual server, ICA Proxy, CVPN, RDP Proxy), which commonly face the internet, or as an authentication virtual server (AAA server), which is usually visible only from internal or management subnets.
-
US to certify smart home devices, routers from next year
The initiative has been proposed by Federal Communications Commission chairwoman Jessica Rosenworcel and the agency will use a QR code that links to a national registry of certified devices.
The NIST will also start working on a program to identify consumer-grade routers that are better able to withstand bids to eavesdrop, steal passwords, and attack other devices and high-value networks.
-
Oracle Releases 508 New Security Patches With July 2023 CPU
Oracle has released 508 new security patches as part of the July 2023 CPU, including more than 70 that address critical vulnerabilities.
-
Practice Your Security Prompting Skills
Gandalf is an interactive LLM game where the goal is to get the chatbot to reveal its password. There are eight levels of difficulty, as the chatbot gets increasingly restrictive instructions as to how it will answer. It’s a great teaching tool.
I am stuck on Level 7.
Feel free to give hints and discuss strategy in the comments below. I probably won’t look at them until I’ve cracked the last level.
-
Microsoft Bows to Pressure to Free Up Cloud Security Logs [Ed: Just a PR stunt after a major blunder. And people who don't use "clown computing" get logging as they wish, so this is just an upselling ploy.]
Facing intense pressure after Chinese APT hack, Microsoft plans to expand logging defaults for lower-tier M365 customers.
-
Microsoft set to expand access to detailed logs in the wake of [Microsoft security failure/breach]
Under fire for security failures and premium pricing for security features, Microsoft said it would make logging tools more widely available.
-
Microsoft expands logging access, but holds back some premium features [Ed: Way to distract from a massive breach]
"Additional Audit Premium features include longer default retention periods and automation support for importing log data into other tools for analysis."
-
Windows ransomware group Cl0P leaks some PwC files on clear web
Cl0P first breached PwC in May. The firm acknowledged it had suffered an intrusion through MOVEit, telling the Australian Financial Review on 19 June: "We are aware that MOVEit, a third-party transfer platform, has experienced a cyber security incident which has impacted hundreds of organisations including PwC."
While Cl0p has divided the files stolen from PwC into 11 batches and listed all on the dark web, only four of these batches have been listed on the clear web.
There is a spelling mistake in the URL of the site on the clear web; technology industry sources told iTWire that this could be intentional, with a threat to correct it, and thus make the site easier to find, serving as an additional means of leverage.
-
Estee Lauder Companies breached by both Alphv and Cl0p
In its statement about the breach on Wednesday, Estee Lauder said: "After becoming aware of the incident, the company proactively took down some of its systems and promptly began an investigation with the assistance of leading third-party cyber security experts.
"The company is also co-ordinating with law enforcement. Based on the current status of the investigation, the company believes the unauthorised party obtained some data from its systems, and the company is working to understand the nature and scope of that data.
-
Exposed Gits: 10 Years on
Nearly 10 years ago my colleague wrote a cracking post on exposed Git repositories.
-
Two Jira Plugin Vulnerabilities in Attacker Crosshairs
Attackers are exploiting two path traversal vulnerabilities in the Stagil navigation for Jira – Menus & Themes plugin.
-
Exploit Attempts for "Stagil navigation for Jira Menus & Themes" CVE-2023-26255 and CVE-2023-26256, (Tue, Jul 18th)
Today, I noticed the following URL on our "first seen URLs" page:
-
Recycling Giant Tomra Takes Systems Offline Following Cyberattack
Norwegian recycling giant Tomra says internal systems have been taken offline to contain an extensive cyberattack.
-
Adobe Releases New Patches for Exploited ColdFusion Vulnerabilities
Adobe releases a second round of patches for recent ColdFusion vulnerabilities, including flaws that have been exploited in attacks.