A cross-site request forgery (CSRF) vulnerability in Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.129 and earlier allows attackers to connect to an attacker-specified webserver using attacker-specified credentials.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Jenkins (core)
*   Anchore Container Image Scanner Plugin
*   Apprenda Plugin
*   BigPanda Notifier Plugin
*   Build-Publisher Plugin
*   Compuware Common Configuration Plugin
*   CONS3RT Plugin
*   DotCi Plugin
*   extreme-feedback Plugin
*   NS-ND Integration Performance Publisher Plugin
*   NS-ND Integration Performance Publisher Plugin
*   RQM Plugin
*   Rundeck Plugin
*   SCM HttpClient Plugin
*   Security Inspector Plugin
*   SmallTest Plugin
*   View26 Test-Reporting Plugin
*   Walti Plugin
*   WildFly Deployer Plugin
*   Worksoft Execution Manager Plugin

**Descriptions****XSS vulnerability**

**SECURITY-2886 / CVE-2022-41224**  
**Severity (CVSS):** High  
**Description:**

Jenkins 2.367 through 2.369 (both inclusive) does not escape tooltips of the l:helpIcon UI component used for some help icons on the Jenkins web UI.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control tooltips for this component.

As of publication, the Jenkins security team is unaware of any exploitable help icon/tooltip in Jenkins core or plugins published by the Jenkins project. The vast majority of help icons use the l:help component instead of l:helpIcon. The few known instances of l:helpIcon do not have user-controllable contents.

Jenkins 2.370 escapes tooltips of the l:helpIcon UI component.

**Stored XSS vulnerability in Anchore Container Image Scanner Plugin**

**SECURITY-2821 / CVE-2022-41225**  
**Severity (CVSS):** High  
**Affected plugin: anchore-container-scanner**  
**Description:**

Anchore Container Image Scanner Plugin 1.0.24 and earlier does not escape content provided by the Anchore engine API.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control API responses by Anchore engine.

Anchore Container Image Scanner Plugin 1.0.25 escapes content provided by the Anchore engine API.

**XXE vulnerability in Compuware Common Configuration Plugin**

**SECURITY-2832 / CVE-2022-41226**  
**Severity (CVSS):** High  
**Affected plugin: compuware-common-configuration**  
**Description:**

Compuware Common Configuration Plugin 1.0.14 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers able to change the contents of the Topaz Workbench CLI home directory on agents to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

Compuware Common Configuration Plugin 1.0.15 disables external entity resolution for its XML parser.

**CSRF vulnerability and missing permission check in NS-ND Integration Performance Publisher Plugin**

**SECURITY-2737 / CVE-2022-41227 (CSRF), CVE-2022-41228 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: cavisson-ns-nd-integration**  
**Description:**

NS-ND Integration Performance Publisher Plugin 4.8.0.129 and earlier does not perform a permission check in a method implementing form validation.

This allows attackers with Overall/Read permission to connect to an attacker-specified webserver using attacker-specified username and password.

Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

NS-ND Integration Performance Publisher Plugin 4.8.0.130 requires POST requests and Overall/Administer permission for the affected form validation method.

**Stored XSS vulnerability in NS-ND Integration Performance Publisher Plugin**

**SECURITY-2858 / CVE-2022-41229**  
**Severity (CVSS):** High  
**Affected plugin: cavisson-ns-nd-integration**  
**Description:**

NS-ND Integration Performance Publisher Plugin 4.8.0.134 and earlier does not escape configuration options of the Execute NetStorm/NetCloud Test build step.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

**Missing permission check in Build-Publisher Plugin**

**SECURITY-1994 / CVE-2022-41230**  
**Severity (CVSS):** Medium  
**Affected plugin: build-publisher**  
**Description:**

Build-Publisher Plugin 1.22 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to obtain names and URLs of Jenkins servers that the plugin is configured to publish builds to, as well as builds pending for publication to those Jenkins servers.

**Path traversal and CSRF vulnerability in Build-Publisher Plugin**

**SECURITY-2139 / CVE-2022-41231 (path traversal), CVE-2022-41232 (CSRF)**  
**Severity (CVSS):** High  
**Affected plugin: build-publisher**  
**Description:**

Build-Publisher Plugin 1.22 and earlier allows attackers with Item/Configure permission to create or replace any config.xml file on the Jenkins controller file system by providing a crafted file name to an API endpoint.

Additionally, this endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability that allows attackers to replace any config.xml file on the Jenkins controller file system with an empty file.

**Missing permission checks in Rundeck Plugin**

**SECURITY-2170 / CVE-2022-41233**  
**Severity (CVSS):** Medium  
**Affected plugin: rundeck**  
**Description:**

Rundeck Plugin 3.6.11 and earlier does not perform Run/Artifacts permission checks in multiple HTTP endpoints.

This allows attackers with Item/Read permission to obtain information about build artifacts of a given job, if the optional Run/Artifacts permission is enabled.

**Missing webhook endpoint authorization in Rundeck Plugin**

**SECURITY-2169 / CVE-2022-41234**  
**Severity (CVSS):** Medium  
**Affected plugin: rundeck**  
**Description:**

Rundeck Plugin 3.6.11 and earlier does not protect access to the /plugin/rundeck/webhook/ endpoint.

This allows attackers with Item/Read permission to trigger jobs that are configured to be triggerable via Rundeck.

**Path traversal vulnerability in WildFly Deployer Plugin allows reading arbitrary files**

**SECURITY-2645 / CVE-2022-41235**  
**Severity (CVSS):** Medium  
**Affected plugin: wildfly-deployer**  
**Description:**

WildFly Deployer Plugin 1.0.2 and earlier implements functionality that allows agent processes to read arbitrary files on the Jenkins controller file system.

This allows attackers able to control agent processes to read arbitrary files on the Jenkins controller file system.

This vulnerability is only exploitable in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier. See the LTS upgrade guide.

**CSRF vulnerability in Security Inspector Plugin**

**SECURITY-2051 / CVE-2022-41236**  
**Severity (CVSS):** Medium  
**Affected plugin: security-inspector**  
**Description:**

Security Inspector Plugin 117.v6eecc36919c2 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to replace the generated report stored in a per-session cache and displayed to authorized users at the …​/report URL with a report based on attacker-specified report generation options. This could create confusion in users of the plugin who are expecting to see a different result.

A security hardening since Jenkins 2.287 and LTS 2.277.2 prevents exploitation of this vulnerability for the _Single user, multiple jobs_ report. Other report types are still affected.

**RCE vulnerability in DotCi Plugin**

**SECURITY-1737 / CVE-2022-41237**  
**Severity (CVSS):** High  
**Affected plugin: DotCi**  
**Description:**

DotCi Plugin 2.40.00 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types.

This results in a remote code execution (RCE) vulnerability exploitable by attackers able to modify .ci.yml files in SCM.

**Lack of authentication mechanism in DotCi Plugin webhook**

**SECURITY-2867 / CVE-2022-41238**  
**Severity (CVSS):** Medium  
**Affected plugin: DotCi**  
**Description:**

DotCi Plugin provides a webhook endpoint at /githook/ that can be used to trigger builds of the job for a GitHub repository.

In DotCi Plugin 2.40.00 and earlier, this endpoint can be accessed without authentication.

This allows unauthenticated attackers to trigger builds of jobs corresponding to the attacker-specified repository for attacker-specified commits.

**Stored XSS vulnerability in DotCi Plugin**

**SECURITY-2884 / CVE-2022-41239**  
**Severity (CVSS):** High  
**Affected plugin: DotCi**  
**Description:**

DotCi Plugin 2.40.00 and earlier does not escape the GitHub user name parameter provided to commit notifications when displaying them in a build cause.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to submit crafted commit notifications to the /githook/ endpoint (see also SECURITY-2867).

This vulnerability is only exploitable in Jenkins 2.314 and earlier, LTS 2.303.1 and earlier. See the LTS upgrade guide.

**Stored XSS vulnerability in Walti Plugin**

**SECURITY-1870 / CVE-2022-41240**  
**Severity (CVSS):** High  
**Affected plugin: walti**  
**Description:**

Walti Plugin 1.0.1 and earlier does not escape the information provided by the Walti API.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide malicious API responses from Walti.

**XXE vulnerability in RQM Plugin**

**SECURITY-2805 / CVE-2022-41241**  
**Severity (CVSS):** Medium  
**Affected plugin: rqm-plugin**  
**Description:**

RQM Plugin 2.8 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers able to provide crafted API responses from Rational Quality Manager to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

**Missing permission check in extreme-feedback Plugin**

**SECURITY-2001 / CVE-2022-41242**  
**Severity (CVSS):** Medium  
**Affected plugin: extreme-feedback**  
**Description:**

extreme-feedback Plugin 1.7 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to discover information about job names attached to lamps, discover MAC and IP addresses of existing lamps, and rename lamps.

**Missing hostname validation in SmallTest Plugin**

**SECURITY-2068 / CVE-2022-41243**  
**Severity (CVSS):** Medium  
**Affected plugin: smalltest**  
**Description:**

SmallTest Plugin 1.0.4 and earlier does not perform hostname validation when connecting to the configured SmallTest server.

This lack of validation could be abused using a man-in-the-middle attack to intercept these connections.

**Missing hostname validation in View26 Test-Reporting Plugin**

**SECURITY-2069 / CVE-2022-41244**  
**Severity (CVSS):** Medium  
**Affected plugin: view26**  
**Description:**

View26 Test-Reporting Plugin 1.0.7 and earlier does not perform hostname validation when connecting to the configured View26 server.

This lack of validation could be abused using a man-in-the-middle attack to intercept these connections.

**CSRF vulnerability and missing permission check in Worksoft Execution Manager Plugin allow capturing credentials**

**SECURITY-2237 / CVE-2022-41245 (CSRF), CVE-2022-41246 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: ws-execution-manager**  
**Description:**

Worksoft Execution Manager Plugin 10.0.3.503 and earlier does not perform a permission check in a method implementing form validation.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

**API key stored in plain text by BigPanda Notifier Plugin**

**SECURITY-2243 / CVE-2022-41247 (storage), CVE-2022-41248 (masking)**  
**Severity (CVSS):** Low  
**Affected plugin: bigpanda-jenkins**  
**Description:**

BigPanda Notifier Plugin 1.4.0 and earlier stores the BigPanda API key unencrypted in its global configuration file BigpandaGlobalNotifier.xml on the Jenkins controller as part of its configuration.

This API key can be viewed by users with access to the Jenkins controller file system.

Additionally, the global configuration form does not mask the API key, increasing the potential for attackers to observe and capture it.

**CSRF vulnerability and missing permission check in SCM HttpClient Plugin allow capturing credentials**

**SECURITY-2708 / CVE-2022-41249 (CSRF), CVE-2022-41250 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: scm-httpclient**  
**Description:**

SCM HttpClient Plugin 1.5 and earlier does not perform permission check in a method implementing form validation.

This allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

**Missing permission check in Apprenda Plugin allows enumerating credentials IDs**

**SECURITY-2710 / CVE-2022-41251**  
**Severity (CVSS):** Medium  
**Affected plugin: apprenda**  
**Description:**

Apprenda Plugin 2.2.0 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

**Missing permission checks in CONS3RT Plugin allow enumerating credentials IDs**

**SECURITY-2752 / CVE-2022-41252**  
**Severity (CVSS):** Medium  
**Affected plugin: cons3rt**  
**Description:**

CONS3RT Plugin 1.0.0 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

**CSRF vulnerability and missing permission checks in CONS3RT Plugin allow capturing credentials**

**SECURITY-2751 / CVE-2022-41253 (CSRF), CVE-2022-41254 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: cons3rt**  
**Description:**

CONS3RT Plugin 1.0.0 and earlier does not perform permission checks in methods implementing form validation.

This allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, these form validation methods do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

**API token stored in plain text by CONS3RT Plugin**

**SECURITY-2759 / CVE-2022-41255**  
**Severity (CVSS):** Low  
**Affected plugin: cons3rt**  
**Description:**

CONS3RT Plugin 1.0.0 and earlier stores Cons3rt API token unencrypted in job config.xml files on the Jenkins controller as part of its configuration.

This API token can be viewed by users with access to the Jenkins controller file system.

**Severity**

*   SECURITY-1737: High
*   SECURITY-1870: High
*   SECURITY-1994: Medium
*   SECURITY-2001: Medium
*   SECURITY-2051: Medium
*   SECURITY-2068: Medium
*   SECURITY-2069: Medium
*   SECURITY-2139: High
*   SECURITY-2169: Medium
*   SECURITY-2170: Medium
*   SECURITY-2237: Medium
*   SECURITY-2243: Low
*   SECURITY-2645: Medium
*   SECURITY-2708: Medium
*   SECURITY-2710: Medium
*   SECURITY-2737: Medium
*   SECURITY-2751: Medium
*   SECURITY-2752: Medium
*   SECURITY-2759: Low
*   SECURITY-2805: Medium
*   SECURITY-2821: High
*   SECURITY-2832: High
*   SECURITY-2858: High
*   SECURITY-2867: Medium
*   SECURITY-2884: High
*   SECURITY-2886: High

**Affected Versions**

*   Jenkins weekly up to and including 2.369
*   **Anchore Container Image Scanner Plugin** up to and including 1.0.24
*   **Apprenda Plugin** up to and including 2.2.0
*   **BigPanda Notifier Plugin** up to and including 1.4.0
*   **Build-Publisher Plugin** up to and including 1.22
*   **Compuware Common Configuration Plugin** up to and including 1.0.14
*   **CONS3RT Plugin** up to and including 1.0.0
*   **DotCi Plugin** up to and including 2.40.00
*   **extreme-feedback Plugin** up to and including 1.7
*   **NS-ND Integration Performance Publisher Plugin** up to and including 4.8.0.129
*   **NS-ND Integration Performance Publisher Plugin** up to and including 4.8.0.134
*   **RQM Plugin** up to and including 2.8
*   **Rundeck Plugin** up to and including 3.6.11
*   **SCM HttpClient Plugin** up to and including 1.5
*   **Security Inspector Plugin** up to and including 117.v6eecc36919c2
*   **SmallTest Plugin** up to and including 1.0.4
*   **View26 Test-Reporting Plugin** up to and including 1.0.7
*   **Walti Plugin** up to and including 1.0.1
*   **WildFly Deployer Plugin** up to and including 1.0.2
*   **Worksoft Execution Manager Plugin** up to and including 10.0.3.503

**Fix**

*   Jenkins weekly should be updated to version 2.370
*   **Anchore Container Image Scanner Plugin** should be updated to version 1.0.25
*   **Compuware Common Configuration Plugin** should be updated to version 1.0.15
*   **NS-ND Integration Performance Publisher Plugin** should be updated to version 4.8.0.130

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   Apprenda Plugin
*   BigPanda Notifier Plugin
*   Build-Publisher Plugin
*   CONS3RT Plugin
*   DotCi Plugin
*   extreme-feedback Plugin
*   NS-ND Integration Performance Publisher Plugin
*   RQM Plugin
*   Rundeck Plugin
*   SCM HttpClient Plugin
*   Security Inspector Plugin
*   SmallTest Plugin
*   View26 Test-Reporting Plugin
*   Walti Plugin
*   WildFly Deployer Plugin
*   Worksoft Execution Manager Plugin

Learn why we announce these issues.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Daniel Beck, CloudBees, Inc.** for SECURITY-2169, SECURITY-2170, SECURITY-2645, SECURITY-2821, SECURITY-2884
*   **Jeff Thompson, CloudBees, Inc.** for SECURITY-2051
*   **Jesse Glick, CloudBees, Inc.** for SECURITY-2886
*   **Kevin Guerroudj, CloudBees, Inc.** for SECURITY-2237, SECURITY-2737, SECURITY-2805, SECURITY-2858, SECURITY-2867
*   **Long Nguyen, Viettel Cyber Security** for SECURITY-2068, SECURITY-2069
*   **Marc Heyries** for SECURITY-2243
*   **Matt Sicker, CloudBees, Inc.** for SECURITY-1994, SECURITY-2001
*   **Valdes Che Zogou, CloudBees, Inc.** for SECURITY-2708, SECURITY-2710, SECURITY-2751, SECURITY-2752, SECURITY-2832
*   **Valdes Che Zogou, CloudBees, Inc. and Kevin Guerroudj, CloudBees, Inc.** for SECURITY-2759
*   **Wadeck Follonier, CloudBees, Inc.** for SECURITY-1870, SECURITY-2139

CVE-2022-41227: Jenkins Security Advisory 2022-09-21

Jenkins CONS3RT Plugin 1.0.0 and earlier stores Cons3rt API token unencrypted in job config.xml files on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.

CVE-2022-41255: Jenkins Security Advisory 2022-09-21

Categories: News
Tags: YouTube

Tags:  transparency

Tags:  report

Tags:  misinformation

Tags:  cyberbullying

Tags:  child safety

We take a look at YouTube's latest video removal statistics, including the fight to shut down misinformation.



(Read more...)




The post YouTube transparency report shows battle against misinformation appeared first on Malwarebytes Labs.

Statistics for YouTube community guidelines enforcement are now available for the period April to June 2022, via Google’s Transparency Report. YouTube channels are terminated if they accrue three community guideline strikes in 90 days, have a case of severe abuse (predatory behaviour, for example), or are determined to be wholly dedicated to violating YouTube’s community guidelines.

The guidelines are pretty much what you’d expect. Separate categories exist for spam and deceptive practices; sensitive content; violent / dangerous content; regulated goods; and, just recently, misinformation, which covers things like election misinformation, COVID-19 medical misinformation, and vaccine misinformation.

The latest report appears to be the first time YouTube has offered a glimpse at misinformation takedowns, and it makes for interesting reading.

**Running the numbers**

Of the almost four million channels removed in Q2 2022, 89 percent of were removed under “Spam, misleading, and scams”. Within this tally, 122,000 videos (not channels) violated misinformation policies of one form or another.

On a similar note, by far the biggest source of video comment removal is, once again, “Spam, misleading, and scams”. This time around, we’re talking a staggering 458,784,993 comments. This is just 61 percent of overall removals, with “Harassment and cyberbullying” weighing in a distant second with 130,998,769 (17 percent).

Misinformation has been a major issue for many years online. Everything from conflict to COVID has been caught up at some point, often with potentially serious results. It’s not so long ago that the word “Infodemic” was bouncing around. Elsewhere, deepfakes have tried (badly) to interfere with the invasion of Ukraine, and US elections.

**Delayed virality and rapid shutdowns**

The biggest reason for videos being removed was child safety, clocking 1,383,028 removals (31 percent of the overall tally). While misinformation is clearly a small chunk of YouTube video change, it’s nevertheless good to see the video giant doing something about it.

One welcome statistic is how quickly YouTube is able to shut down bogus videos before anyone even sees the content. Where misinformation is concerned, this is vital to prevent mistruths and other nonsense going viral. 32 percent of the content it removed had precisely zero views, with 37 percent of videos receiving between one and ten views. 31 percent of videos had received more than ten views, and the report does not appear to indicate more detail beyond that simple statistic. “More than 10 views” could obviously be pretty much anything.

**Sizing up the problem**

We are very much in a time where infodemics (there’s that word again!) are a thing. Indeed, misinformation can easily become harmful or outright malicious. Social media echo chambers merely exacerbate the problem. We’ve reached the point where people are developing AI tools that fact check their own work.

This is clearly a huge problem which won’t be solved anytime soon, but technology giants opening up the door on their largely quiet work on misinformation may help to slowly point us in the right direction.

YouTube transparency report shows battle against misinformation

By Waqas
For now, Cylance ransomware is still in its early stages, yet it has already claimed several victims.
This is a post from HackRead.com Read the original post: New Cylance Ransomware Targets Linux and Windows, Warn Researchers

Do not confuse Cylance Ransomware with the Blackberry-owned Cylance cybersecurity company.

The cybersecurity researchers at Palo Alto Networks Unit 42 have discovered a new strain of Cylance Ransomware, which has already claimed several victims. Researchers noticed it early Friday morning, and further probing revealed that it is targeting Linux and Windows devices.

As of now, insufficient information is available about Cylance Ransomware, indicating that it is a relatively recent emergence. The ransom note received by victims was published by Unit 42 which contains the attackers’ email addresses, but surprisingly not the ransom amount. Here is the content of the ransom note:

“All your files are encrypted, and currently unusable, but you need to follow our instructions. Otherwise, you can’t return your data (never. It’s just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities – nobody will cooperate with us. It’s not in our interests.”

“To check the ability of returning files, we decrypt one file for free. That is our guarantee. If you will not cooperate with our service – for us, it does not matter. But you will lose time and data, cause just we have the private key. time is more valuable than money.”

It is believed that the amount will be disclosed to the victim when they contact the attacker. The attackers have warned against any attempt to restore or change the files, as it would destroy the private key, which means the data will be lost forever.

**Attack Methodology**

In a tweet, researchers explained that the modus operandi of the ransomware attack involves encrypting files and appending them with a “.Cylance” extension. In addition, a text file titled “Read Me” is added to all encrypted files’ folders. This file contains the attacker’s ransom note.

**Who is Distributing Cylance Ransomware?**

For your information, Cylance is actually a cybersecurity company owned by BlackBerry Ltd. The company is known for mitigating and preventing ransomware attacks on enterprise organizations. However, why threat actors named the ransomware after this company is unclear, or it could be that they are looking for extra attention or to negatively impact Cylance in the long run.

Although Cylance ransomware is still in its early stages, it will be crucial to monitor its targets and wait for more information from the infosec community. Currently, samples of the ransomware are available on MalwareBazaar, a project by abuse.ch that shares malware samples with the infosec community, AV vendors, and threat intelligence providers.

1.  95.6% of Malware in 2022 Targeted Windows
2.  Lessons from Holy Ghost ransomware attacks
3.  CryWiper poses as ransomware to target Russia
4.  Royal Ransomware: New Threat Uses Google Ads
5.  Alert against AXLocker, Octocrypt, Alice ransomware

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

New Cylance Ransomware Targets Linux and Windows, Warn Researchers

The Telegram channel and website Deep State uses public data and insider intelligence to power its live tracker of Ukraine’s ever-shifting front line.

Over time, Deep State has added more advanced features and quirks to the map. A toolbar in the bottom-left corner offers the option to enable different layers, including weather patterns, fortifications, and gamma radiation levels in case of nuclear disaster. Users can simulate the effect of different weapons, calculating the range and potential damage of everything from self-propelled howitzers and ballistic missiles to Patriot air defense systems and nuclear explosions. A hidden Easter egg summons an animation of Baby Yoda that, when poked, uses the Force to destroy Russian units.

The map soon became too much for Mykula and Pohorilyi to manage alone; they now enlist the help of more than 100 paid employees and volunteers. Their methods have also evolved. They still use open source intelligence to verify new information, but also acquire data directly from frontline military units whom they’ve developed relationships with. In some cases, the authority of a single source whom they’ve learned to trust is enough, though Mykula admits there have been occasional errors. In other cases, when multiple sources contradict one another, they wait until definitive evidence emerges. Propaganda is rife on both sides, and Mykula insists that Deep State will take no part in it. “We want to win,” he says. “Propaganda will not win.”

Mykula and Pohorilyi do, however, oblige when Ukrainian military commanders request delays to map updates that may compromise their activities. They also receive some government funding for an alternate version of the map available only to verified members of the military. The government funding also goes toward other intelligence activities that Ruslan refuses to discuss; most of their funding comes from public donations.

Late in the first year of the war, Mykula and Pohorilyi learned that their map was helping another, unexpected group of users: Russian soldiers. The map’s designer had added a function that would display instructions to surrender if a user tried to access from a Russian IP address. Then, in October 2022, in an interview with a popular Ukrainian blogger, a Russian POW testified that he had used Deep State’s map for this exact purpose.

The success of Deep State’s map has attracted more users to their original Telegram channel, which now has more than 700,000 subscribers. It publishes its own original reports of the war, all available through a free app, which other established Ukrainian media organizations sometimes refer to. But the map remains the most popular product, used by Ukrainians at home and abroad to track the front line that, at the time of writing, creeps further toward their office in Kyiv every day.

Both Mykula and Pohorilyi approach their work with a stern dedication that belies their youth and inexperience. “We don’t want to disappoint our audience because our projects have become critical for Ukrainians,” Mykula says. “If you compare us to other maps, you will see that Ukrainians don’t go to check on them. They come to us.”

_This story first appeared in the September/October 2024 edition of WIRED UK_.

When War Came to Their Country, They Built a Map

Over a million domains are susceptible to takeover by malicious actors by means of what has been called a Sitting Ducks attack.
The powerful attack vector, which exploits weaknesses in the domain name system (DNS), is being exploited by over a dozen Russian-nexus cybercriminal actors to stealthily hijack domains, a joint analysis published by Infoblox and Eclypsium has revealed.
"In a Sitting

Vulnerability / Threat Intelligence

Over a million domains are susceptible to takeover by malicious actors by means of what has been called a **Sitting Ducks** attack.

The powerful attack vector, which exploits weaknesses in the domain name system (DNS), is being exploited by over a dozen Russian-nexus cybercriminal actors to stealthily hijack domains, a joint analysis published by Infoblox and Eclypsium has revealed.

"In a Sitting Ducks attack, the actor hijacks a currently registered domain at an authoritative DNS service or web hosting provider without accessing the true owner's account at either the DNS provider or registrar," the researchers said.

"Sitting Ducks is easier to perform, more likely to succeed, and harder to detect than other well-publicized domain hijacking attack vectors, such as dangling CNAMEs."

Once a domain has been taken over by the threat actor, it could be used for all kinds of nefarious activities, including serving malware and conducting spams, while abusing the trust associated with the legitimate owner.

Details of the "pernicious" attack technique were first documented by The Hacker Blog in 2016, although it remains largely unknown and unresolved to date. More than 35,000 domains are estimated to have been hijacked since 2018.

"It is a mystery to us," Dr. Renee Burton, vice president of threat intelligence at Infoblox, told The Hacker News. "We frequently receive questions from prospective clients, for example, about dangling CNAME attacks which are also a hijack of forgotten records, but we have never received a question about a Sitting Ducks hijack."

At issue is the incorrect configuration at the domain registrar and the authoritative DNS provider, coupled with the fact that the nameserver is unable to respond authoritatively for a domain it's listed to serve (i.e., lame delegation).

It also requires that the authoritative DNS provider is exploitable, permitting the attacker to claim ownership of the domain at the delegated authoritative DNS provider while not having access to the valid owner's account at the domain registrar.

In such a scenario, should the authoritative DNS service for the domain expire, the threat actor could create an account with the provider and claim ownership of the domain, ultimately impersonating the brand behind the domain to distribute malware.

"There are many variations \[of Sitting Ducks\], including when a domain has been registered, delegated, but not configured at the provider," Burton said.

The Sitting Ducks attack has been weaponized by different threat actors, with the stolen domains used to fuel multiple traffic distribution systems (TDSes) such as 404 TDS (aka Vacant Viper) and VexTrio Viper. It has also been leveraged to propagate bomb threat hoaxes and sextortion scams.

"Organizations should check the domains they own to see if any are lame and they should use DNS providers that have protection against Sitting Ducks," Burton said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Over 1 Million Domains at Risk of 'Sitting Ducks' Domain Hijacking Technique

CVE-2021-32078

CVE-2021-23428

When processing subtitles format media file, KMPlayer version 2018.12.24.14 or lower doesn't check object size correctly, which leads to integer underflow then to memory out-of-bound read/write. An attacker can exploit this issue by enticing an unsuspecting user to open a malicious file.

CVE-2019-9133: KrCERT/CC - KISA 인터넷 보호나라&KrCERT

Possible stack buffer overflow due to lack of check on the maximum number of post NAN discovery attributes while processing a NAN Match event in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables

Search

lenovo warranty check/lookup | check warranty status | lenovo support us