Critical 1Password flaws may allow hackers to snatch your passwords (CVE-2024-42219, CVE-2024-42218)

From helpnetsecurity.com

Two vulnerabilities (CVE-2024-42219, CVE-2024-42218) affecting the macOS version of the popular 1Password password manager could allow malware to steal secrets stored in the software’s vaults and obtain the account unlock key, AgileBits has confirmed.

Discovered by the Robinhood Red Team during a security assessment of 1Password for Mac and then privately reported to the software’s makers, the vulnerabilities have been fixed in two consecutive versions of the software: v8.10.36 (released on July 9) and v8.10.38 (released on August 6).

AgileBits says that they have received no reports that these issues were discovered or exploited by anyone else.

Read more…

USPS Text Scammers Duped His Wife, So He Hacked Their Operation

From wired.com

The flood of text messages started arriving early this year. They carried a similar thrust: The United States Postal Service is trying to deliver a parcel but needs more details, including your credit card number. All the messages pointed to websites where the information could be entered.

Like thousands of others, security researcher Grant Smith got a USPS package message. Many of his friends had received similar texts. A couple of days earlier, he says, his wife called him and said she’d inadvertently entered her credit card details. With little going on after the holidays, Smith began a mission: Hunt down the scammers.

Over the course of a few weeks, Smith tracked down the Chinese-language group behind the mass-smishing campaign, hacked into their systems, collected evidence of their activities, and started a months-long process of gathering victim data and handing it to USPS investigators and a US bank, allowing people’s cards to be protected from fraudulent activity.

Read more…

0.0.0.0 Zero-Day: An 18-Year-Old Browser Exploit Lets Hackers Attack Mac, Linux Computers

From linkedin.com

Israeli cybersecurity company Oligo has uncovered an 18-year-old vulnerability which they have dubbed “0.0.0.0 Day”: a critical flaw that allows malicious websites to bypass browser security measures in Google Chrome, Mozilla Firefox, and Apple Safari, enabling them to interact with services on a local network. This flaw enables unauthorized access and remote code execution on local services by attackers from outside the network.

Notably, this vulnerability only affects Linux and macOS devices, leaving Windows users unaffected.

The root of this issue lies in the inconsistent implementation of security mechanisms across various browsers, compounded by a lack of industry-wide standardization. Consequently, the seemingly innocuous IP address 0.0.0.0 can be exploited by attackers to target local services, which may include those used for development, operating systems, and internal networks.

The impact of the 0.0.0.0 Day vulnerability is widespread, affecting both individuals and organizations. The discovery of active exploitation campaigns, such as ShadowRay, highlights the urgency of addressing this vulnerability.
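The excerpt describes the problem from the browser side: a page served from anywhere can address a service that is listening on 0.0.0.0, and the browsers named above did not block it. The following is an added example, written for this digest and not code from Oligo or from the linked article, showing the two server-side mitigations a defender controls: bind the local service to the loopback address instead of 0.0.0.0, and refuse requests whose Host header is not a local name (a browser navigating to http://0.0.0.0:8000 sends Host: 0.0.0.0:8000) or whose Origin header belongs to a foreign site. The allowed host and origin lists, the port, and the handler name are assumptions for a local development service that should only ever be reached from the same machine.

```python
# Added example: a loopback-only local HTTP service with Host/Origin checks.
# Assumptions (not from the article): the service is for the local machine
# only, and legitimate browser clients use localhost, 127.0.0.1 or [::1].
from http.server import BaseHTTPRequestHandler, HTTPServer

ALLOWED_HOSTS = {"localhost", "127.0.0.1", "[::1]"}
ALLOWED_ORIGINS = {"http://localhost", "http://127.0.0.1", "http://[::1]"}


def host_only(header_value):
    """Return the host part of a Host-style value ("host:port"), keeping IPv6 brackets."""
    if header_value is None:
        return ""
    value = header_value.strip()
    if value.startswith("["):                      # IPv6 literal such as [::1]:8000
        return value.split("]", 1)[0] + "]"
    return value.split(":", 1)[0]


def is_request_allowed(host_header, origin_header):
    """Decide whether a request may reach the service.

    Returns (allowed, reason). A Host that is not a local name is refused; this is
    what stops a page pointing the browser at 0.0.0.0:<port>. An Origin header, when
    present, must belong to a local page; browsers send it on POST and on CORS-mode
    requests, so the Host check is the one that matters for plain GET navigation.
    """
    host = host_only(host_header).lower()
    if host not in ALLOWED_HOSTS:
        return False, "host-not-local"             # e.g. Host: 0.0.0.0:8000
    if origin_header:
        if "://" not in origin_header:
            return False, "bad-origin"
        scheme, rest = origin_header.split("://", 1)
        origin = f"{scheme.lower()}://{host_only(rest).lower()}"  # port dropped
        if origin not in ALLOWED_ORIGINS:
            return False, "cross-site-origin"
    return True, "ok"


class LocalOnlyHandler(BaseHTTPRequestHandler):
    """Minimal handler that applies is_request_allowed() before serving anything."""

    def _reply(self, status, body):
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(body.encode())

    def do_GET(self):
        allowed, reason = is_request_allowed(self.headers.get("Host"),
                                             self.headers.get("Origin"))
        if not allowed:
            self._reply(403, f"refused: {reason}\n")
            return
        self._reply(200, "hello from the local dev service\n")

    # A browser can issue a POST from any page, so the same policy applies.
    do_POST = do_GET


def serve(port=8000):
    # Bind to loopback, not to 0.0.0.0 (every interface). This keeps the service
    # off the LAN entirely; the header checks cover a browser on the same machine.
    HTTPServer(("127.0.0.1", port), LocalOnlyHandler).serve_forever()


if __name__ == "__main__":
    serve()
```

Run it and compare a browser request to http://localhost:8000/ (served) with one to http://0.0.0.0:8000/ (403, "host-not-local"). The bind address is the more important of the two mitigations; the header check is defence in depth for tools and frameworks that bind to all interfaces by default and cannot easily be changed.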

Read more…

Sitting Ducks DNS attacks let hackers hijack over 35,000 domains

From bleepingcomputer.com

Threat actors have hijacked more than 35,000 registered domains in so-called Sitting Ducks attacks that allow claiming a domain without having access to the owner’s account at the DNS provider or registrar.

In a Sitting Ducks attack, cybercriminals exploit configuration shortcomings at the registrar level and insufficient ownership verification at DNS providers.

Researchers at DNS-focused security vendor Infoblox and at firmware and hardware protection company Eclypsium discovered that there are more than a million domains that can be hijacked every day via the Sitting Ducks attacks.

Read more…

CISA Warns of Exploitable Vulnerabilities in Popular BIND 9 DNS Software

From thehackernews.com

The Internet Systems Consortium (ISC) has released patches to address multiple security vulnerabilities in the Berkeley Internet Name Domain (BIND) 9 Domain Name System (DNS) software suite that could be exploited to trigger a denial-of-service (DoS) condition.

“A cyber threat actor could exploit one of these vulnerabilities to cause a denial-of-service condition,” the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said in an advisory.

The four vulnerabilities are listed below:

  • CVE-2024-4076 (CVSS score: 7.5) – Due to a logic error, lookups that triggered serving stale data and required lookups in local authoritative zone data could have resulted in an assertion failure.
  • CVE-2024-1975 (CVSS score: 7.5) – Validating DNS messages signed using the SIG(0) protocol could cause excessive CPU load, leading to a denial-of-service condition.
  • CVE-2024-1737 (CVSS score: 7.5) – It is possible to craft excessively large numbers of resource record types for a given owner name, which has the effect of slowing down database processing.
  • CVE-2024-0760 (CVSS score: 7.5) – A malicious DNS client that sent many queries over TCP but never read the responses could cause a server to respond slowly or not at all for other clients.

Read more…

ServiceNow Exploits Used in Global Reconnaissance Campaign

From securityonline.info

Resecurity has uncovered a widespread campaign exploiting critical vulnerabilities in ServiceNow, a popular platform for digital workflows. The flaws, identified as CVE-2024-4879, CVE-2024-5217, and CVE-2024-5178, allowed unauthenticated attackers to execute code remotely and steal sensitive data.

The widespread use of ServiceNow, particularly within major corporations and government entities, has made it a prime target for threat actors. Resecurity’s investigation uncovered a rapid surge in malicious activity immediately following the public release of a proof-of-concept exploit. Attackers, armed with this knowledge, wasted no time in scanning the internet for vulnerable instances, primarily leveraging CVE-2024-4879 to execute code remotely and exfiltrate sensitive data.

Estimating the impact is challenging, but ServiceNow is an extremely popular platform for managing digital workflows in modern IT environments. According to the output of FOFA, a popular network search engine from China, approximately 300,000 ServiceNow instances could potentially be probed remotely. These instances may have different ACLs (access control lists) or other access limitations at both the network and application levels, making this only an approximate estimate.

Read more…

Trend Experts Weigh in on Global IT Outage Caused by CrowdStrike

From trendmicro.com

This is an extremely unfortunate situation for those affected, and we hope for a speedy remediation and recovery for all those involved.

While many eyes will be focused on the recovery of their Windows environment, it is important to remember to diligently monitor your non-Windows environments, as adversaries can take advantage of distracted teams. Our research team is constantly watching the general landscape to see if threat actors are taking advantage in any way and will share any significant developments here.

In the quest to stay a step ahead of the bad guys, sometimes software is pushed quickly. And the nature of software is that there are sometimes bugs. It is important to have processes in place to catch and mitigate bugs quickly, and to evolve software deployment processes to avoid impacting an entire global customer base simultaneously.

At Trend, we have a variety of resilience strategies based on our own experiences that we continually enhance across our people, process, and technology. We take a ring deployment approach that allows us to roll out software updates in batches starting with our own internal deployment, and then to groups of customers to limit exposure if issues are found. Additionally, we have blue screen of death (BSOD) monitoring and operational capabilities to roll back affected builds rapidly.

Trend continues to be on standby to help and we will continue to monitor the situation and provide updates from our research team in this blog.

Read more…