CISA urges software devs to weed out SQL injection vulnerabilities

From bleepingcomputer.com

CISA and the FBI urged executives of technology manufacturing companies to prompt formal reviews of their organizations’ software and implement mitigations to eliminate SQL injection (SQLi) security vulnerabilities before shipping.

In SQL injection attacks, threat actors “inject” maliciously crafted SQL queries into input fields or parameters used in database queries, exploiting vulnerabilities in the application’s security to execute unintended SQL commands, such as exfiltrating, manipulating, or deleting sensitive data stored in the database.

Such attacks succeed because of improper input validation and sanitization in web applications or other software that interacts with the targeted databases, and they can lead to unauthorized access to confidential data, data breaches, and even a complete takeover of the targeted systems.

CISA and the FBI advise the use of parameterized queries with prepared statements to prevent SQL injection (SQLi) vulnerabilities. This approach separates SQL code from user data, making it impossible for malicious input to be interpreted as an SQL statement.
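As an added illustration of the parameterized-query advice above (example code, not from the advisory or the article), the two lookups below run against a constructed in-memory SQLite table: the first pastes the input into the SQL text, the second binds it to a placeholder, so a quote in the input is compared as data instead of being parsed as part of the statement.

```python
import sqlite3
from typing import List, Tuple

def make_db() -> sqlite3.Connection:
    """Constructed in-memory sample table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (name, email) VALUES (?, ?)",
                     [("alice", "alice@example.test"), ("bob", "bob@example.test")])
    conn.commit()
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """The pattern the advisory warns about: the input is pasted into the SQL text, so
    the database parses whatever the caller supplied as part of the statement."""
    sql = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """The recommended pattern: the SQL text is a constant and the value is bound to
    the placeholder, so it is only ever compared as a string, quotes included."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

if __name__ == "__main__":
    conn = make_db()
    # A legitimate name with an apostrophe breaks the concatenated query outright;
    # the classic tautology makes it return every row, while the bound version
    # returns nothing because no user is literally named that.
    for name in ("alice", "o'brien", "' OR '1'='1"):
        print("parameterized", repr(name), lookup_parameterized(conn, name))
        try:
            print("concatenated ", repr(name), lookup_vulnerable(conn, name))
        except sqlite3.OperationalError as exc:
            print("concatenated ", repr(name), "SQL syntax error:", exc)
```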

Read more…

RESTRICT SSH ACCESS TO ONLY ALLOW RSYNC

From linux-audit.com

Rsync is still one of the most popular tools to synchronize files between two systems. Although it has a few caveats when dealing with special files, it does its job very well. In this explainer we show how to use it in combination with SSH and, at the same time, restrict SSH access so that only the rsync job can run.

In this article, system01 holds the original files and sends them to the receiving system (system02).

CREATE USER ON RECEIVING SYSTEM

The system that receives the files (system02) should have a user that will be used for the file transport. Typically this is a dedicated user for file transfers. For this example we call it backupuser. The user does not need a password, as we don’t want interactive logins.

adduser --disabled-password --shell /bin/bash --gecos "Backup user" backupuser

GENERATE THE KEY

Using the ssh-keygen utility we can create a new key. In this example we will store the SSH keys in /data/ssh-keys and restrict access, so let’s create that path first.

mkdir -p /data/ssh-keys
chmod 700 /data/ssh-keys

The next step is creating the key:

ssh-keygen -t ed25519 -f /data/ssh-keys/backupuser-key -C "backupuser for system1"

The -t option defines the type of key, in this case Ed25519. On modern versions of SSH this is the default, but older systems might still use RSA. By specifying the type explicitly we ensure we get the right one.
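An added example (not the article's code) that carries the procedure through to the restriction named in the title: it checks that a public key line of the kind ssh-keygen writes really is Ed25519, then emits an authorized_keys entry for backupuser that pins the key to one command using OpenSSH's restrict and command= options. The key bytes are a constructed placeholder, and the rrsync path, the /data/backup target and the source host name are assumptions.

```python
import base64
import struct
from typing import Optional, Tuple

def dummy_pubkey_line() -> str:
    """Constructed OpenSSH public key line so the example runs offline; the 32 key
    bytes are a placeholder, not a real key. A real one is the .pub file written by
    ssh-keygen -t ed25519 -f /data/ssh-keys/backupuser-key."""
    raw = bytes(range(32))
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " backupuser for system1"

def parse_openssh_pubkey(line: str) -> Tuple[str, bytes, str]:
    """Split a public key line into (type, raw key bytes, comment) and check that the
    type declared in the first field matches the type encoded inside the blob."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2].strip() if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    (tlen,) = struct.unpack(">I", blob[:4])  # length-prefixed type string
    if blob[4:4 + tlen].decode() != key_type:
        raise ValueError("declared key type does not match the key blob")
    (klen,) = struct.unpack(">I", blob[4 + tlen:8 + tlen])  # length-prefixed key
    return key_type, blob[8 + tlen:8 + tlen + klen], comment

def restricted_authorized_key(line: str, command: str, from_host: Optional[str] = None) -> str:
    """Build the authorized_keys entry for backupuser: 'restrict' disables forwarding,
    pty allocation and agent use; 'command=' forces the given program regardless of
    what the client asks for; 'from=' (optional) limits the source host."""
    key_type, raw, _comment = parse_openssh_pubkey(line)
    if key_type != "ssh-ed25519" or len(raw) != 32:
        raise ValueError("only Ed25519 keys are accepted for the backup user")
    if '"' in command or "\n" in command:
        raise ValueError("command would break the authorized_keys line")
    opts = ["restrict", f'command="{command}"']
    if from_host:
        opts.insert(0, f'from="{from_host}"')
    return ",".join(opts) + " " + line.strip()

if __name__ == "__main__":
    # Assumed: rrsync (the restricted-rsync helper shipped with rsync) is installed at
    # this path and /data/backup is the write-only target directory on system02.
    print(restricted_authorized_key(dummy_pubkey_line(),
                                    "/usr/bin/rrsync -wo /data/backup", "system01"))
```

The printed line goes into ~backupuser/.ssh/authorized_keys on system02; because of the forced command, the key can start rsync into that directory and nothing else.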

Read more…

CISA Warns Of Active Exploitation Of Flaws In Fortinet, Ivanti, & Nice Linear

From gbhackers.com

A recent security alert warns of three critical vulnerabilities actively exploited in the wild, of which the first is CVE-2023-48788, an SQL injection vulnerability in Fortinet FortiClient EMS.

Attackers can use SQL injection vulnerabilities to insert malicious SQL code into a program that depends on a database. 

It can give attackers unauthorized access to sensitive information, modify data, or disrupt operations.

The second vulnerability (CVE-2021-44529) is a code injection vulnerability present in the Ivanti Endpoint Manager Cloud Service Appliance (EPM CSA).

Read more…

UK, New Zealand Accuse China of Cyberattacks on Government Entities

From securityweek.com

After the UK called out Chinese hackers for targeting parliamentarians’ emails and the country’s Electoral Commission, New Zealand said it had also linked cyberattacks on its parliament to Chinese state-sponsored threat actors.  

On the same day that the US slapped fresh sanctions against two Chinese hackers and a China-based technology company serving as a front for malicious cyber operations, the UK called out and sanctioned the same entities for hacking into its own systems.

The tech firm, Wuhan Xiaoruizhi Science and Technology Company Limited, has been operating on behalf of the Chinese Ministry of State Security (MSS) and is part of China’s state-sponsored apparatus, the UK says.

Read more…

95% of companies face API security problems

From helpnetsecurity.com

Despite the critical role of APIs, the vast majority of commercial decision-makers are ignoring the burgeoning security risk for businesses, according to Fastly.

Application Programming Interfaces (APIs) have long been recognised as a bedrock of the digital economy and recent figures suggest that the majority of all internet traffic is now directed via APIs.

The lack of action on API breaches

The ubiquity of APIs means they have become one of cybercriminals’ favourite gateways for account takeover attacks. In a recent survey by Fastly, 84% of respondents admitted to not having advanced API security in place.

The lack of action on API breaches comes despite the vast majority of decision-makers knowing there is a problem. 95% of respondents surveyed by Fastly said they had experienced API security problems in the last twelve months.

79% had delayed the rollout or integration of a new application due to API security concerns. In addition, 79% claim to place a ‘high or very high’ level of importance on API security. Asked why none of this has translated into action, ‘insufficient budget’ and a ‘lack of expertise’ were the most commonly stated reasons.

“The results of our survey show that decision-makers know that increased reliance on APIs creates a risk of serious cyberattacks. But so far they are not doing enough about it. This is surprising given that the operational and reputational cost of a breach far outweighs the price of deploying a consolidated web application and API security solution from a single provider,” said Jay Coley, Senior Security Architect at Fastly.

Read more…

New ZenHammer memory attack impacts AMD Zen CPUs

From bleepingcomputer.com

Academic researchers developed ZenHammer, the first variant of the Rowhammer DRAM attack that works on CPUs based on the recent AMD Zen microarchitectures, which map physical addresses onto DDR4 and DDR5 memory chips in their own way.

AMD Zen chips and DDR5 RAM modules were previously considered less vulnerable to Rowhammer, so the latest findings challenge this notion.

The ZenHammer attack was developed by researchers at public research university ETH Zurich, who shared their technical paper with BleepingComputer.

Read more…

Air Europa customers warned their data may have been leaked

From sg.news.yahoo.com

Another major airline company has suffered a cyberattack which resulted in sensitive customer data leaking to the hackers.

A report from the Wall Street Journal claims Air Europa was hit by an incident discovered in October 2023.

The news was confirmed by International Consolidated Airlines Group (IAG), the Anglo-Spanish multinational airline holding company that acquired Air Europa in 2023 for roughly €500 million.

Airlines under attack

IAG has reportedly sent out a breach notification email to affected individuals, telling them that their names, dates of birth, nationalities, ID cards, passport information, and phone numbers, have all been taken by the hackers.

We don’t know exactly how many people are affected by this incident, but Air Europa claims to service roughly 12 million people a year.

So far, there is no evidence of the data being misused on the dark web, but “If it were to happen, the resulting inconvenience would be limited in any case,” Air Europa allegedly said in the email.

Airlines are a popular target for hackers. In January 2024, one of the biggest aircraft leasing companies in the world suffered a ransomware attack that resulted in the theft of sensitive corporate data. AerCap confirmed the news in a 6-K form filed with the U.S. Securities and Exchange Commission (SEC), in which it said it had experienced a “cybersecurity incident related to ransomware”.

The company played down the effect of the incident, noting, “We have full control of all of our IT systems and to date, we have suffered no financial loss related to this incident.”

In late November 2023, Gulf Air, the national air carrier for the Kingdom of Bahrain, confirmed suffering a data breach. The “data breach incident” allegedly happened on November 24 and resulted in the compromise of “some information from its email and client database” due to unauthorized access.

Read more…