Silk Road Seizure, Psychic Signatures, Twitter Algorithms, & Linux Desktops – PSW #738
This week in the Security News: Java’s “psychic paper”, Musk’s plans for Twitter’s algorithm, Bossware, What Google is getting wrong about expired domains, & NFT Tweet Auctions, Silk Road Seizures, 0-Days, & more!
Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!
Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!
- 1. Major cryptography blunder in Java enables “psychic paper” forgeries - Interesting: “If you are running one of the vulnerable versions then an attacker can easily forge some types of SSL certificates and handshakes (allowing interception and modification of communications), signed JWTs, SAML assertions or OIDC id tokens, and even WebAuthn authentication messages. All using the digital equivalent of a blank piece of paper.”
- 2. Hackers are exploiting 0-days more than ever - "Mandiant and Project Zero each have a different scope for the types of zero-days they track. Project Zero, for example, doesn't currently focus on analyzing flaws in Internet-of-things devices that are exploited in the wild. As a result, the absolute numbers in the two reports aren't directly comparable, but both teams tracked a record high number of exploited zero-days in 2021. Mandiant tracked 80 last year compared to 30 in 2020, and Project Zero tracked 58 in 2021 compared to 25 the year before. The key question for both teams, though, is how to contextualize their findings, given that no one can see the full scale of this clandestine activity."
- 3. Musk’s plans to make Twitter’s algorithms public raises disinformation conundrum - “Another advantage of open source is that people can learn from the code,” said Wysopal. “Even if Twitter doesn’t implement improvements, it could lead to better social media algorithms on other or new platforms.” - This could also open up a cat and mouse game, as people figure out how to cheat the algorithms, Twitter then has to implement defenses, those defenses are open-source, rinse, lather and repeat.
- 4. Hackers can infect >100 Lenovo models with unremovable malware. Are you patched?
- 5. The Nimbuspwn Linux Flaw Allows Root Access
- 6. 5-Year Vulnerability Trends Are Both Surprising and Sadly Predictable
- 7. Zero-Day Vulnerabilities Are on the Rise – Schneier on Security
- 8. ‘Bossware is coming for almost every worker’: the software you might not realize is watching you
- 9. Atlassian fixes critical Jira authentication bypass vulnerability - "The flaw is tracked as CVE-2022-0540 and comes with a severity rating of 9.9. It allows a remote attacker to bypass authentication by sending a specially crafted HTTP request to vulnerable endpoints." - just when I think there is a glimmer of hope...
- 10. Docker servers hacked in ongoing cryptomining malware campaign
- 11. These hackers showed just how easy it is to target critical infrastructure
- 12. AWS’s Log4Shell Hot Patch Vulnerable to Container Escape and Privilege Escalation
- 13. Microsoft Discovers New Privilege Escalation Flaws in Linux Operating System
- 14. Elon Musk to Acquire Twitter
- 15. A $3 Billion Silk Road Seizure Will Erase Ross Ulbricht’s Debt - "Last year, prosecutors quietly signed an agreement with Ulbricht stipulating that a portion of a newfound trove of Silk Road bitcoins, seized from an unnamed hacker, will be used to cancel out the more than $183 million in restitution Ulbricht was ordered to pay as part of his 2015 sentence, a number calculated from the total illegal sales of the Silk Road based on exchange rates at the time of each transaction."
- 1. How a new generation of IoT botnets is amplifying DDoS attacks
- 2. VMWare Identity Manager Attack: New Backdoor Discovered
- 3. CVE-2022-21449: Psychic Signatures in Java
- 4. Brave’s browser can automatically bypass Google’s AMP pages
- 5. Researchers Detail Bug That Could Paralyze Snort Intrusion Detection System
- 6. ESET uncovers vulnerabilities in Lenovo laptops
- 7. Cory Doctorow on Twitter
- 1. What Google is getting wrong about expired domains – TechCrunch - Expired domains are being leveraged to lure users from legitimate backlinks to the prior legitimate site.
- 2. Hack DHS: Homeland Security’s first bug bounty turns up 122 vulnerabilities - DHS is drinking their own Kool-AId. VDP participation, per BOD 21-01, is now complete for their internet facing sites, and they are now hiring vetted researchers to test them.
- 3. Static SSH host key in Cisco Umbrella allows stealing admin credentials - Cisco has addressed a high-severity vulnerability (CVE-2022-20773) affecting its Umbrella Virtual Appliance (VA) that could be exploited by attackers to remotely steal administrator credentials.
- 4. Docker servers hacked in ongoing cryptomining malware campaign - The operators of the "Lemon_Duck" botnet have been spotted conducting a large-scale Monero crypto-mining campaign in which they are exploiting misconfigured Docker systems in order to hide their wallets behind proxy pools.
- 5. Atlassian Patches Critical Authentication Bypass Vulnerability in Jira - Atlassian has patched a critical authentication bypass vulnerability (CVE-2022-0540) in the Jira and Jira Service Management "Seraph" web authentication framework and could be exploited by attackers to bypass authentication and authorization by sending a specially crafted HTTP request. ==> Patch your Jira environment
- 6. T-Mobile confirms Lapsus$ had access its systems - T-Mobile has confirmed that the "Lapsus$" extortion group managed to breach its network in March 2022, giving the gang access to its systems. Team chat messages show LAPSUS$ members continuously targeted T-Mobile employees, whose access to internal company tools could give them everything they needed to conduct hassle-free 'SIM swaps'
- 7. Organizations Warned of Attacks Exploiting WSO2 Vulnerability - WSO2's API Manager, Identity Server, Enterprise Integrator, and Open Banking products are impacted by an arbitrary file upload vulnerability (CVE-2022-29464) that has already been exploited in the wild. Time to roll the update.
- 8. Group behind Emotet botnet malware testing new methods to get around Microsoft security - Those behind the "Emotet" botnet have been spotted altering their existing methods and testing new attack approaches on a "very small and limited scale," related to Microsoft actions taken in February to block macros that facilitated malware execution.
- 9. One-third of employees who quit their jobs take company IP with them? - More bad security news from the Great Resignation: Code42’s new research on Wednesday said that when employees quit their jobs, there’s now a 37% chance the organization will lose intellectual property. The research also adds that some 96% of all companies surveyed say they have experienced challenges in protecting corporate data from insider risks.
- 10. Auction of Dorsey tweet NFT—listed at $48M—closes at high of $280 - The cryptocurrency entrepreneur who bought a NFT of Twitter founder Jack Dorsey’s first tweet was hoping to sell it for $48 million, more than 16 times the $2.9 million he paid for it. But after an auction that lasted a week, the highest bid offered was a mere $280.