July 17, 2023

Fortify Security Team

Title: Thousands of Images on Docker Hub Leak Auth Secrets, Private Keys
Date Published: July 16, 2023


Excerpt: “Researchers at the RWTH Aachen University in Germany published a study revealing that tens of thousands of container images hosted on Docker Hub contain confidential secrets, exposing software, online platforms, and users to a massive attack surface. Docker Hub is a cloud-based repository for the Docker community to store, share, and distribute Docker images. These container-creation templates include all of the necessary software code, runtime, libraries, environment variables, and configuration files to easily deploy an application in Docker. The German researchers analyzed 337,171 images from Docker Hub and thousands of private registries and found that roughly 8.5% contain sensitive data such as private keys and API secrets. The paper further shows that many of the exposed keys are actively used, undermining the security of elements that depend on them, like hundreds of certificates.”
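The study above counts images whose layers carry private keys and API credentials. The following is an added example (not code from the article or the RWTH Aachen study) showing how a defender can run that kind of check locally: it treats one image layer as a tar archive, as `docker save` produces, and flags files matching a few secret patterns. The sample layer, its file names and the key material in it are constructed for the demonstration.

```python
import io
import re
import tarfile
from dataclasses import dataclass
from typing import Dict, List

# Secret classes the study highlights: private keys and API credentials.
# The patterns below are a deliberately small set, not a full secret-scanner ruleset.
PATTERNS: Dict[str, "re.Pattern[bytes]"] = {
    "private_key": re.compile(rb"-----BEGIN (?:RSA |EC |OPENSSH |DSA |)PRIVATE KEY-----"),
    "aws_access_key_id": re.compile(rb"\bAKIA[0-9A-Z]{16}\b"),
    "generic_api_secret": re.compile(
        rb"""(?i)\b(?:api[_-]?key|secret|token)\s*[=:]\s*['"]?[A-Za-z0-9_\-]{16,}"""
    ),
}


@dataclass(frozen=True)
class Finding:
    path: str  # path of the file inside the layer
    kind: str  # which pattern matched


def scan_layer(layer_tar: bytes, max_file_size: int = 1_000_000) -> List[Finding]:
    """Scan one image layer (a tar archive) for embedded secrets.

    Only regular files up to max_file_size are read, so a large binary
    blob cannot stall the scan; every matching pattern yields one Finding.
    """
    findings: List[Finding] = []
    with tarfile.open(fileobj=io.BytesIO(layer_tar), mode="r:*") as tar:
        for member in tar:
            if not member.isfile() or member.size > max_file_size:
                continue
            handle = tar.extractfile(member)
            if handle is None:
                continue
            data = handle.read()
            for kind, pattern in PATTERNS.items():
                if pattern.search(data):
                    findings.append(Finding(member.name, kind))
    return findings


def build_sample_layer() -> bytes:
    """Build a constructed layer in memory: one clean file plus three leaks.

    The key body and credential values are placeholders, not real secrets.
    """
    files = {
        "app/README.md": b"# demo app\nNo secrets here.\n",
        "root/.ssh/id_rsa": (
            b"-----BEGIN OPENSSH PRIVATE KEY-----\n"
            b"constructed-placeholder-key-body\n"
            b"-----END OPENSSH PRIVATE KEY-----\n"
        ),
        "app/.env": b"DB_HOST=db\nAPI_KEY=sk_test_0123456789abcdef0123\n",
        "app/config.yml": b"aws_access_key_id: AKIAIOSFODNN7EXAMPLE\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_layer(build_sample_layer()):
        print(f"{finding.kind:20} {finding.path}")
```

On a real image, `docker save image:tag -o image.tar` yields an outer tar whose layer entries are themselves tars; feed each of those to `scan_layer`. Scanning every layer rather than only the final filesystem matters because a secret deleted in a later `RUN rm` step still sits in the earlier layer.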

Title: Fake Ads Manager Software and Malicious Extensions Target Facebook Accounts
Date Published: July 17, 2023


Excerpt: “Currently, the campaign has affected approximately 800 individuals and businesses globally, including 310 in the United States, with an ad budget compromise of $180,000. Facebook serves as a thriving platform for optimizing ad campaigns, making it a crucial tool for businesses worldwide to boost their revenues. However, it is not without its downsides, as the platform has been exploited by cybercriminals to spread malware and, even worse, ransomware. A recent warning issued by Malwarebytes’ senior threat researcher, Jérôme Segura, highlights the need for businesses to be vigilant. He cautions against falling victim to malicious Meta ad manager downloaders and Chrome extensions, particularly when faced with offers that seem too good to be true and involve clicking on suspicious URLs. The primary targets of these attacks are often business account users who are willing to invest their ad dollars in Meta platforms.”

Title: Critical XSS Vulnerability in Zimbra Exploited in the Wild (CVE-2023-34192)
Date Published: July 17, 2023


Excerpt: “A critical cross-site scripting (XSS) vulnerability (CVE-2023-34192) in popular open source email collaboration suite Zimbra is being exploited by attackers. CVE-2023-34192 could allow a remote authenticated threat actor to execute arbitrary code through a crafted script to the /h/autoSaveDraft function. It affects Zimbra Collaboration Suite (ZCS) v.8.8.15. The company has provided admins with instructions on how to apply the fix manually, by editing a single data file. “This vulnerability has been actively exploited, making it imperative to take immediate action. We strongly recommend following the provided mitigation steps without delay,” the company noted. “The issue has been fixed through input sanitization. We have also performed rigorous testing to ensure the effectiveness and stability of the system. The fix is planned to be delivered in the July patch release.” Applying the fix will not lead to downtime, as it does not require a service restart.”

Title: Email Hack Prompts Call for Microsoft to Make Security Logs Free
Date Published: July 17, 2023


Excerpt: “Microsoft has been criticized for charging its cloud services customers extra to access security logs after a China-based threat group hacked email accounts from more than two dozen organizations, including U.S. government agencies. The agencies targeted by the attackers reportedly include the State and Commerce Departments. Among the individual email accounts accessed was one belonging to Secretary of Commerce Gina Raimondo. The threat group behind the attacks, identified by Microsoft as Storm-0558, used forged authentication tokens to access Microsoft 365 (M365) accounts using Outlook Web Access and Outlook.com. The attacks were first revealed July 11 and Microsoft provided a more detailed account of the compromise on Friday last week.”

Title: Former Contractor Accused of Remotely Accessing Town’s Water Treatment Facility
Date Published: July 14, 2023


Excerpt: “A federal grand jury has indicted a former employee of a contractor operating a California town’s wastewater treatment facility, alleging that he remotely turned off critical systems and could have endangered public health and safety. 53-year-old Rambler Gallo of Tracy, California, held a full-time position at a Massachusetts company that was contracted by the town of Discovery Bay to operate its water treatment plant. Gallo is said to have had an “instrumentation and control tech” role at the plant, which he did from July 2016 to December 2020. However, according to the indictment, Gallo is alleged to have planted software that allowed him to gain remote access to systems on the computer network of Discovery Bay’s Water Treatment facility from his personal computer. Specifically, it is alleged that after resigning his position in January 2021, Gallo accessed the facility’s computer system remotely and “transmitted a command to uninstall software that was the main hub of the facility’s computer network and that protected the entire water treatment system, including water pressure, filtration, and chemical levels.” A US Department of Justice press release gives no explanations or possible motive for Gallo’s alleged actions.”

Title: Rogue Azure AD Guests Can Steal Data via Power Apps
Date Published: July 14, 2023


Excerpt: “Guest accounts in Azure AD (AAD) are meant to provide limited access to corporate resources for external third parties — the idea is to enable collaboration without risking too much exposure. But enterprises may be unknowingly oversharing access to sensitive resources and applications with guests in Azure AD, paving the way for data theft and more. An upcoming presentation at Black Hat USA in August will detail how a toxic combination of easily manipulated default guest account settings and promiscuous connections within Microsoft’s low-code development platform known as Power Apps can kick open the door to giving guest accounts wide-open access to the corporate jewels. Power Apps provides a rapid development environment for businesses to build custom apps that connect various online and on-premises data sources (such as SharePoint, Microsoft 365, Dynamics 365, SQL Server, and so on).”

Title: Software Firm JumpCloud Attacked by Nation-State Actors
Date Published: July 15, 2023


Excerpt: “Enterprise software firm JumpCloud said a sophisticated nation-state threat actor is behind a security incident that targeted some of its customers last week. The company, which operates a zero-trust directory platform that authenticates, authorizes and manages users, devices and applications, reset all of its API keys, potentially affecting thousands of customers including Cars.com and GoFundMe. Nick Rago, field CTO at Salt Security, said the API key reset could affect operations, management and administration of single sign-on, MFA, password management, device management and more related to the JumpCloud platform. “Because thousands of organizations rely on this platform for the management of these critical services, the customer impact is severe,” Rago said. The unnamed nation-state actor gained unauthorized access to JumpCloud systems and targeted a small and specific set of its customers on June 27, the company said.”

Title: Fake GitHub Repos Caught Dropping Malware as PoCs AGAIN!
Date Published: July 16, 2023


Excerpt: “The backdoor dropped in the scam had the ability to exfiltrate a wide range of data, including the hostname, username, and a comprehensive list of home directory contents. Cybersecurity researchers have uncovered a deceptive trend within the security community—a proof of concept (PoC) repository on GitHub that appears to address vulnerabilities but actually contains a hidden backdoor. The discovery by the Uptycs threat research team has raised concerns among the security research community. PoCs are typically used by researchers to identify potential vulnerabilities through harmless testing. However, this malicious PoC operates as a downloader, disguising its activities as a kernel-level process while silently executing a Linux bash script. The backdoor has the ability to exfiltrate a wide range of data, including the hostname, username, and a comprehensive list of home directory contents. Moreover, by adding their SSH key to the authorized_keys file, an attacker can achieve full control over a targeted system.”
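The excerpt ends with the persistence step that matters most to a defender: an extra key written into `authorized_keys`. The following added example (not code from the article or from the Uptycs research) audits an `authorized_keys` file against an allowlist of OpenSSH-style SHA256 fingerprints and reports any entry that is not on it, including lines with leading options such as `command="..."`. The sample file, its key blobs and comments are constructed placeholders; real entries carry a genuine encoded public key.

```python
import base64
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Set

# Key types OpenSSH accepts in authorized_keys (subset sufficient for the demo).
KEY_TYPES = {
    "ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
    "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com",
}


@dataclass(frozen=True)
class Entry:
    lineno: int
    keytype: Optional[str]
    fingerprint: Optional[str]
    comment: str
    options: str
    malformed: bool = False


def fingerprint(blob_b64: str) -> str:
    """SHA256 fingerprint in the same form `ssh-keygen -lf` prints (unpadded base64)."""
    raw = base64.b64decode(blob_b64)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str) -> List[Entry]:
    """Parse authorized_keys lines: [options] keytype blob [comment]."""
    entries: List[Entry] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        tokens = stripped.split()
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            # No recognisable key: flag rather than silently skip it.
            entries.append(Entry(lineno, None, None, "", stripped, malformed=True))
            continue
        options = " ".join(tokens[:idx])
        keytype, blob = tokens[idx], tokens[idx + 1]
        comment = " ".join(tokens[idx + 2:])
        entries.append(Entry(lineno, keytype, fingerprint(blob), comment, options))
    return entries


def audit(text: str, allowed: Set[str]) -> List[Entry]:
    """Return entries whose fingerprint is not on the allowlist, plus malformed lines."""
    return [e for e in parse_authorized_keys(text)
            if e.malformed or e.fingerprint not in allowed]


def _blob(label: str) -> str:
    # Constructed placeholder blob so the sample file parses; not a real public key.
    return base64.b64encode(f"constructed-{label}-blob".encode()).decode()


# Constructed sample: two expected keys and one that was added without approval.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample of /root/.ssh/authorized_keys",
    f"ssh-ed25519 {_blob('admin-key')} admin@bastion",
    f'command="/usr/local/bin/backup",no-pty ssh-rsa {_blob("backup-key")} backup@ops',
    f"ssh-ed25519 {_blob('unexpected-key')} user@localhost",
])

# Baseline the team approved; in practice this is kept outside the host being audited.
ALLOWED_FINGERPRINTS = {fingerprint(_blob("admin-key")), fingerprint(_blob("backup-key"))}


if __name__ == "__main__":
    for entry in audit(SAMPLE_AUTHORIZED_KEYS, ALLOWED_FINGERPRINTS):
        print(f"line {entry.lineno}: unapproved key {entry.fingerprint} ({entry.comment or 'no comment'})")
```

Run the audit from a scheduled job or a file-integrity check and alert on any output; storing only fingerprints in the baseline avoids copying full public keys around, and matching on the fingerprint rather than the comment field defeats the obvious trick of labelling a foreign key with a familiar name.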

Title: WormGPT, the Generative AI Tool to Launch Sophisticated BEC Attacks
Date Published: July 16, 2023


Excerpt: “The WormGPT case: How Generative artificial intelligence (AI) can improve the capabilities of cybercriminals and allow them to launch sophisticated attacks.
Researchers from SlashNext warn of the dangers related to a new generative AI cybercrime tool dubbed WormGPT. Since chatbots like ChatGPT made the headlines, cybersecurity experts have warned of potential abuses of Generative artificial intelligence (AI) that can be exploited by cybercriminals to launch sophisticated attacks. Generative AI, or generative artificial intelligence, is a type of machine learning that is able to produce text, video, images, and other types of content. It is a subset of artificial intelligence (AI) that focuses on creating new data rather than simply analyzing existing data.”

Title: Gamaredon Hackers Start Stealing Data 30 Minutes After a Breach
Date Published: July 15, 2023


Excerpt: “Ukraine’s Computer Emergency Response Team (CERT-UA) is warning that the Gamaredon hacking group operates in rapid attacks, stealing data from breached systems in under an hour. Gamaredon, aka Armageddon, UAC-0010, and Shuckworm, is a Russian, state-sponsored cyber-espionage hacking group, with cybersecurity researchers linking it to the FSB (Russian Federal Security Service) and reporting that it has members who are former SSU officers who defected to Russia in 2014. Since the start of the Russian invasion, the threat actors are believed to be responsible for thousands of attacks against the government and other critical public and private organizations in Ukraine. The accumulation of data from these attacks has enabled CERT-UA to outline the group’s attacks, which it shares to help defenders detect and stop network infiltration attempts.”
