Cybercriminals Selling Access to Networks Compromised via Recent Fortinet Vulnerability

From securityweek.com

Security researchers at Cyble have observed initial access brokers (IABs) selling access to enterprise networks likely compromised via a recently patched critical vulnerability in Fortinet products.

Tracked as CVE-2022-40684 and impacting FortiOS, FortiProxy, and FortiSwitchManager products, the vulnerability was publicly disclosed in early October, when it was already exploited in malicious attacks.

The issue is an authentication bypass allowing a remote attacker to use specially crafted HTTP or HTTPS requests to perform unauthorized operations on a vulnerable appliance’s admin interface.

Essentially, the security defect provides the attacker with admin access to SSH on the target appliance, allowing the attacker to update or add a valid public SSH key to the device and gain complete control over it.

Read more…

Oracle Fusion Middleware Vulnerability Exploited in the Wild

From securityweek.com

The US Cybersecurity and Infrastructure Security Agency (CISA) on Monday warned organizations that a critical Oracle Fusion Middleware vulnerability patched in early 2022 is being exploited in attacks.

The security hole, tracked as CVE-2021-35587, impacts Oracle Access Manager, which provides the Oracle Fusion Middleware single sign-on (SSO) solution. The affected product is used by many major organizations, such as VMware, Huawei, and Qualcomm, according to the researchers who found the vulnerability.

The flaw, which impacts the OpenSSO Agent component, can allow an unauthenticated attacker with network access via HTTP to take control of Oracle Access Manager. A patch was announced by Oracle in January 2022, when the company released its Critical Patch Updates.

Oracles has credited the Vietnamese researchers known as Jang (VNPT) and Peterjson (VNG Corporation) for reporting the vulnerability. The researchers published a blog post detailing their findings in March, and noted that the flaw was discovered during the analysis of what they called a ‘mega’ Fusion Middleware vulnerability that Oracle took six months to patch.

Read more…

Hackers Using Trending TikTok ‘Invisible Challenge’ to Spread Malware

From thehackernews.com

TikTok Challenge

Threat actors are capitalizing on a popular TikTok challenge to trick users into downloading information-stealing malware, according to new research from Checkmarx.

The trend, called Invisible Challenge, involves applying a filter known as Invisible Body that just leaves behind a silhouette of the person’s body.

But the fact that individuals filming such videos could be undressed has led to a nefarious scheme wherein the attackers post TikTok videos with links to rogue software dubbed “unfilter” that purport to remove the applied filters.

Read more…

Managing Cyber Risk with Cyber Risk Quantification

From kovrr.com

Cybersecurity leaders are struggling with a simple question that tends to be difficult to answer with any accuracy: What is the cost of a cyber attack on our organization? Industry research, such as that provided by the respected Ponemon Institute, offers an average figure, which is around $4 million. However, that data point is not all that useful, in reality. Some cyber attacks cost effectively nothing. They’re routine, resolved in the course of a day’s work. Other attacks can be catastrophic, even threatening a company’s survival. 

So, what is the cost of a cyber attack? It’s somewhere between zero dollars and kill-the-business. Senior business managers, boards of directors, insurance carriers and other stakeholders all need a more precise answer. To address this need, businesses are adopting a process known as cyber risk quantification (CRQ). The goal of cyber risk quantification is to develop an accurate estimate of the costs of cyber risk exposure. The CRQ process involves multiple streams of analysis that incorporate company-specific cost models with loss data from industry peers and other factors.

Read more…

The top 200 most common passwords in 2022 are bad, mkay?

From helpnetsecurity.com

most common passwords 2022

According to NordPass’ latest list of top 200 most common passwords in 2022, “password” is the most popular choice, followed by “123456”, “123456789”, “guest” and “qwerty“. 2022 is ending and 2023 is almost upon us, but despite yearly entreates to users to up their password game, weak and often (re)used passwords are obviously still a problem.

Read more…

Small open source projects pose significant security risks

From techtarget.com

Open source continues to come of age with stronger institutional backing and increased financial support for maintainers. But developers on smaller projects are often unpaid, which carries security risks when they leave or defect, according to industry experts.

Open source software had a resurgence in the 1980s as a reaction against corporate attempts to control software. Now open source repository GitHub, which started development in 2007 with bootstrapped funding, has $1 billion in annual recurring revenue, according to Microsoft’s first-quarter fiscal year 2023 earnings call in October. Microsoft acquired GitHub in 2018 for $7.5 billion.

Read more…

ISO/IEC 27001 – What’s new in Pipeline

From securityboulevard.com

Now that it has been formally launched, the new ISO 27001 standard is available. The complete name of the standard is ISO/IEC 27001:2022 Information Security, Cybersecurity and Privacy Protection — Information Security Management Systems. Our essential services are supported by vital infrastructures, whose operation depends heavily on the flow of knowledge and data. The reality of our work and personal life is deeply entwined with information security. It is crucial for companies of all sizes to safeguard their information-driven everyday operations, sensitive data, and intellectual property against cyber threats. Building corporate resilience demands a timely and flexible strategy in the era of industrialized cyberattacks, where information security dangers are always evolving. Information and data power value-added business processes. Nothing in our digital economy operates without information sharing.

Read more…