**SAN FRANCISCO****,** **March 21, 2023** **/PRNewswire/ --** Normalyze, a pioneering provider of cloud data security solutions, was granted the most fundamental patent to date for Data Security Posture Management (DSPM) by the U.S. Patent and Trademark Office. The patent addresses cloud data attack path detection based on security posture of the cloud environment and resource network path tracing. This patent is foundational for an emerging data-first approach to secure cloud-resident sensitive data and its implications will help to innovate the enterprise cybersecurity market at large.

Patent #11,575,696 describes how an accurate measure of cloud security posture enables the Normalyze DSPM platform to automatically trace network paths at scale between cloud-resident sensitive data and all points of access to determine attack paths. Paths are dynamically displayed to IT, security, and compliance teams, which instantly identify authorized versus unauthorized access – including propagation of breach attacks. Automated remediation workflows ensure continuous safety and compliance of the sensitive data. The Normalyze patent details how its technology, via integration, improves systems and methods of separate siloed tools such as cloud security posture management (CSPM), cloud infrastructure entitlement management (CIEM), cloud-native application protection platform (CNAPP), and/or cloud-native configuration management databases (CMDB).

"This patent's technology enables the Normalyze platform with 360-degree visibility of where our data resides across our cloud environments and any associated risks," said Rahul Gupta, Head of Information Security and GRC at Sigma Computing. "Normalyze's ability to connect the dots around data – including accesses, identities, vulnerabilities, and configurations – helps us understand where the real threats are and remediate them in near real-time. It is a game changer for securing our cloud environments."

"This patent is the first and the most important in the DSPM space. Its technology connects the risks to sensitive data in customer cloud environments, allowing them to focus on what matters most instead of chasing thousands of alerts generated by other siloed products," said Ravi Ithal, CTO and cofounder of Normalyze. "Getting the first major patent for an emerging new category such as DSPM shows our thought leadership in helping customers protect their most valuable asset, which is their data."

Read more detail about the patent from Ravi Ithal in this blog post. Normalyze has additional patents pending and will be announcing them in the first half of 2023.

The Normalyze platform is generally available in full functionality and supports all major IaaS and PaaS cloud services such as AWS, Google Cloud, Microsoft Azure and Snowflake.

**About Normalyze:**

Normalyze is a pioneering provider of cloud data security solutions helping customers secure their data, applications, identities, and infrastructure across public clouds. With Normalyze, organizations can discover and visualize their cloud data attack surface within minutes and get real-time visibility and control into their security posture, including access, configurations, and sensitive data to secure cloud infrastructures at scale. The Normalyze patented and agentless scanning platform continuously discovers resources, sensitive data and access paths across all cloud environments. The company was founded by industry veterans 

Ravi Ithal and Amer Deeba and has several customers, including Chargepoint, Corelight,

 Fairfield, Ginkgo Bio, Netskope, Sigma Computing and others. The company is funded by Lightspeed Venture Partners and Battery Ventures.

For more information, please visit normalyze.ai

SOURCE Normalyze

Normalyze Granted Patent for Data Security Posture Management (DSPM)

The kernel tree of CentOS Stream 9 suffers from multiple use-after-free conditions that were already patched in upstream stable trees.

    CentOS Stream 9: missing kernel security fixesSomeone reminded me last week that lots of enterprise Linux kernels arenot based on upstream stable trees. The most notable enterprise Linuxdistro I'm aware of is RHEL (Red Hat Enterprise Linux), so I decided totake a look at the kernel tree of CentOS Stream 9 - according to<https://developers.redhat.com/products/rhel/contribute-to-rhel>CentOS Stream is the closest freely available thing to RHEL.The CentOS Stream 9 kernel(<https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9>)is based on the original upstream 5.14 release, so I decided to lookthrough for interesting commits in the linux-5.15.y stable tree andcheck whether the same commits exist in the CentOS kernel tree.One interesting candidate I found is390031c94211 (\"coredump: Use the vma snapshot in fill_files_note\")which fixes a locking bug that can lead to out-of-bounds writes,but from what I can tell actually exploiting this would be a big painbecause unless you manage to race with the vulnerable code twice,a memory write will happen approximately 4GiB out of bounds.ebda44da44f6 (\"net: sched: fix race condition in qdisc_graft()\")also looked maybe interesting.9a2544037600 (\"ovl: fix use after free in struct ovl_aio_req\")looks like a moderately nice bug, but I think it might only behittable on CentOS if an ext4 filesystem is mounted, althoughhttps://access.redhat.com/articles/rhel-limits seems to implythat ext4 is a supported filesystem on RHEL.I am reporting this bug under our usual 90-day deadline this time because ourpolicy currently doesn't have anything stricter for cases where security fixesaren't backported; we might change our treatment of this type of issue in thefuture.It would be good if upstream Linux and distributions like you could figure outsome kind of solution to keep your security fixes in sync, so that an attackerwho wants to quickly find a nice memory corruption bug in CentOS/RHEL can'tjust find such bugs in the delta between upstream stable and your kernel.(I realize there's probably a lot of history here.)This bug is subject to a 90-day disclosure deadline. If a fix for thisissue is made available to users before the end of the 90-day deadline,this bug report will become public 30 days after the fix was madeavailable. Otherwise, this bug report will become public at the deadline.The scheduled deadline is 2023-03-19.Related CVE Numbers: CVE-2023-1249,CVE-2023-0590,CVE-2023-1252.Found by: jannh@google.com

CentOS Stream 9 Missing Kernel Security Fixes

As many as 55 zero-day vulnerabilities were exploited in the wild in 2022, with most of the flaws discovered in software from Microsoft, Google, and Apple.
While this figure represents a decrease from the year before, when a staggering 81 zero-days were weaponized, it still represents a significant uptick in recent years of threat actors leveraging unknown security flaws to their advantage.
The

Cyber Threat Intel / Vulnerability

As many as 55 zero-day vulnerabilities were exploited in the wild in 2022, with most of the flaws discovered in software from Microsoft, Google, and Apple.

While this figure represents a decrease from the year before, when a staggering 81 zero-days were weaponized, it still represents a significant uptick in recent years of threat actors leveraging unknown security flaws to their advantage.

The findings come from threat intelligence firm Mandiant, which noted that desktop operating systems (19), web browsers (11), IT and network management products (10), and mobile operating systems (six) accounted for the most exploited product types.

Of the 55 zero-day bugs, 13 are estimated to have been abused by cyber espionage groups, with four others exploited by financially motivated threat actors for ransomware-related operations. Commercial spyware vendors were linked to the exploitation of three zero-days.

Among state-sponsored groups, those attributed to China have emerged as the most prolific, exploiting seven zero-days – CVE-2022-24682, CVE-2022-1040, CVE-2022-30190, CVE-2022-26134, CVE-2022-42475, CVE-2022-27518, and CVE-2022-41328 – during the year.

Much of the exploitation has focused on vulnerabilities in edge network devices such as firewalls for obtaining initial access. Various China-nexus clusters have also been spotted leveraging a flaw in Microsoft Diagnostics Tool (aka Follina) as part of disparate campaigns.

"Multiple separate campaigns may indicate that the zero-day was distributed to multiple suspected Chinese espionage clusters via a digital quartermaster," Mandiant said, adding it points to the "existence of a shared development and logistics infrastructure and possibly a centralized coordinating entity."

North Korean and Russian threat actors, on the other hand, have been linked to the exploitation of two zero-days each. This includes CVE-2022-0609, CVE-2022-41128, CVE-2022-30190, and CVE-2023-23397.

The disclosure comes as threat actors are also getting better at turning newly disclosed vulnerabilities into powerful exploits for breaching a wide range of targets across the world.

"While the discovery of zero-day vulnerabilities is a resource-intensive endeavor and successful exploitation is not guaranteed, the total number of vulnerabilities disclosed and exploited has continued to grow, the types of targeted software, including Internet of Things (IoT) devices and cloud solutions, continue to evolve, and the variety of actors exploiting them has expanded," Mandiant said.

WEBINAR

Discover the Hidden Dangers of Third-Party SaaS Apps

Are you aware of the risks associated with third-party app access to your company's SaaS apps? Join our webinar to learn about the types of permissions being granted and how to minimize risk.

RESERVE YOUR SEAT

The Mandiant report also follows a warning from Microsoft's Digital Threat Analysis Center about Russia's persistent kinetic and cyber targeting as the war in Ukraine continues into the second year.

The tech giant said since January 2023 it has observed "Russian cyber threat activity adjusting to boost destructive and intelligence gathering capacity on Ukraine and its partners' civilian and military assets."

It further warned of a possible "renewed destructive campaign" mounted by the nation-state group known as Sandworm (aka Iridium) on organizations located in Ukraine and elsewhere.

What's more, Moscow-backed hackers have deployed at least two ransomware and nine wiper families against over 100 Ukrainian entities. No less than 17 European countries have been targeted in espionage campaigns between January and mid-February 2023, and 74 countries have been targeted since the start of the war.

Other key traits associated with Russian threat activity include the use of ransomware as weapons of cyber sabotage, gaining initial access through diverse methods, and leveraging real and pseudo hacktivist groups to expand the reach of Moscow's cyber presence.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

From Ransomware to Cyber Espionage: 55 Zero-Day Vulnerabilities Weaponized in 2022

Cross-site Scripting (XSS) - Stored in GitHub repository answerdev/answer prior to 1.0.7.

**Description**

Feature create tag permit attacker injection html tag and execute it.

**Proof of Concept**

    1. Add question
    2. Create tag with payload in description:
    
    <img src=x onerror=alert(1) >
    
    3. Post your question
    4. Go to link http://<your domain>/tags/<id tag>/timeline  and click created. Payload executed.
    

**POC**

https://drive.google.com/file/d/1KncWqifwi\_VTbTxmCNotwMXeUkNgF9Ji/view?usp=sharing

**Impact**

Executing JavaScript in victim's session which leads to potential account takeover, perform actions as that user, ...

CVE-2023-1536: Store XSS in create tag in answer

By Deeba Ahmed
Researchers suspect that the malware may be operated by Russian-speaking groups, given the references to the language in its code.
This is a post from HackRead.com Read the original post: DotRunpeX: The Malware That Infects Systems with Multiple Families

****Currently, **DotRunpeX malware**** **appears to be primarily distributed through phishing emails and malicious Google Ads, presenting a significant threat to users’ systems.****

A new malware that distributes multiple known malware families, including Agent Tesla, FormBook, Ave Maria, NetWire, LokiBot, Raccoon Stealer, Remcos, RedLine Stealer, Vidar, and Rhadamanthys, has been discovered by Checkpoint researchers.

Dubbed DotRunpeX, the malware is a new injector written in .NET, created using the Process Hollowing technique, and used to infect systems with different malware families.

The researchers noted that DotRunpeX is being actively developed. Its infection chain invades the system as a second-stage malware, usually deployed via a downloader or loader delivered via malicious attachments in phishing emails.

Additionally, it can leverage malicious Google Ads that appear in search results to direct unsuspecting users when they search for commonly used software such as LastPass and AnyDesk and send them to copycat sites delivering trojanized installers.

A malicious Google Ad and phishing email that drop the malware (Image: Check Point)

Though the injector is fairly new, there are several similarities it shares with its previous versions. For example, the injector’s name is derived from its version information, which is the same for both versions across all samples the researchers analyzed. They also noted that it contained ProductName – RunpeX.Stub.Framework.

Their analysis revealed that each malware sample had an embedded payload of a specific malware family to be injected, which becomes possible by abusing the vulnerable procexp.sys process explorer driver incorporated into the malware for obtaining kernel mode execution.

They analyzed publicly shared data by independent researchers regarding DotRunpeX but learned that the malware was misattributed to a well-known malware family. Furthermore, they learned that the first-stage loader and the second-stage loader had no connection.

The most recent activity of DotRunpeX was detected in October 2022. It was noticed that using the KoiVM virtualizing protector adds an extra obfuscation layer. These findings were somewhat similar to a malvertising campaign discovered by SentinelOne in February 2023. In that instance, the loader and injector components were referred to as MalVirt.

Researchers suspect that the malware may be operated by Russian-speaking groups, given the references to the language in its code.

1.  New YTStealer Malware is Hijacking YouTube Channels
2.  YouTube Tutorial Videos Spread Vidar, Raccoon Malware
3.  Adsense abused: 11,000 sites hacked in a backdoor attack
4.  Google Drive behind most malicious Office doc downloads
5.  Google Ads drop FatalRAT in fake messenger, browser apps

DotRunpeX: The Malware That Infects Systems with Multiple Families

No-code has lowered the barrier for non-developers to create applications. AI will completely eliminate it.

Since ChatGPT captured our imaginations, people have been contemplating its pending impact on the business world. This week, these thoughts became a reality, with Google and Microsoft embedding AI features into their business productivity suites.

Microsoft took another major step by releasing AI Copilot for Power Apps, Microsoft's low-code platform. Power Apps can connect far and beyond the Microsoft ecosystem, with almost a thousand built-in connectors to everything from Salesforce to on-prem and AWS. With one swift move, AI has been integrated into the day-to-day workflows of the world's largest organizations.

This is an amazing achievement, and other low-code/no-code platforms will surely try to catch up quickly. But ask yourself: Who will make the decision to integrate data with AI? Who will grant access? The answer: Every business user, and you won't even know, since they'll let AI impersonate their accounts.

**AI + Low-Code/No-Code = A Perfect Storm**

In recent years, low-code/no-code has given business users newfound freedom. They were granted developer-level power that enabled them to customize their digital experience, with the technical skills they already have rather than having to learn new ones. Business users have started building applications that solve the problems that hurt most, on top of their day-to-day business data, without relying on IT or waiting for resources. After just a few years of low-code/no-code, many enterprises find themselves with tens or hundreds of thousands of applications, built outside of IT with no oversight or control.

Forget about CI/CD or security reviews, most of these applications follow the "push save to deploy to production" model instead. Quickly and quietly, applications developed outside of IT without SDLC have become a significant portion of enterprise business applications. This has already become a major concern for enterprise security.

Enter AI. Imagine that every conversation you had with ChatGPT involved you giving it access to business data, and left behind a nice little application you could play around with and share with others. Got a long business email? Let AI shorten it for you. Need to find relevant customers in your CRM? Let AI generate statistics for you. Need to analyze user behavior over product telemetry? Let AI query the database for you. Don't stop there! Create mini-applications to allow answering those questions repeatedly, and share them with your coworkers! Every application requires access — your access. Low-code has lowered the barrier for non-developers to create applications. AI, however, will completely eliminate it.

Low-code/no-code provides ease-of-connectivity to business data by removing the difficult hurdles around authentication, and provides a host of widgets business users can combine creatively to address their needs. AI brings power to everyone, allowing them to create by simply asking for what they want. The two techniques fit together like a glove and a hand. Superpowered by AI, low-code/no-code expands from "everyone can build an application" to "everyone builds an application, for everything they think of, all of the time."

**You Are Not in Control**

Who decides what data the AI can access? You might be thinking this would be IT, or the security team, but you would be wrong. Business users are making those decisions. But how?

Imagine a scenario where every business user in a large enterprise starts to build their own applications. Setting aside the skill gap, the No. 1 hurdle to progress would be identity and access. Provisioning an application identity and granting the right permissions to it would require approval, which would trigger questions and perhaps even a security review. You won't get to tens of thousands of applications in a large enterprise this way.

To circumvent this hurdle, low-code/no-code platforms made a significant compromise: Applications can — and mostly do — impersonate users rather than have their own identities. This completely negates the permission issue. As a low-code/no-code developer, I can embed my own identity within my newly created application. I can even share my credentials with others, so they'll be able to build their own applications with my access to data or performing operations on my behalf. No more waiting for approval — we have a green light to create!

The problem with this credentials-sharing-as-a-service is that it completely negates the enterprise permission model. If users are sharing their credentials with each other, there's no easy way to distinguish them. Moreover, an application can leverage credentials across your organizational boundary — say, an employee's personal email account — in combination with a business account. To add a cherry on top, moving data between one account and the other is done by automated copy-and-paste on the low-code/no-code platform's cloud. No data gets transmitted, so there is no opportunity to block data leaking out.

Credential sharing and data leakage have been a major issue with low-code/no-code applications. AI doesn't change that, but it magnifies the scale of the problem. When AI is plugged into a low-code/no-code platform, the AI gains potential access to everything the platform can access. The transition between potential and in-practice access is up to whoever prompts the AI to build a low-code/no-code application for them. We are trusting our business users with making the right choice without any guardrails or guidance.

**Business Users Build Enterprise Applications**

More than a specific technology, low-code/no-code is an idea — a strong push into IT decentralization and business empowerment. It has already brought tremendous productivity benefits to the world's largest organizations, because the employees who know best how to impact the business are the business users.

For professionals in IT and security, this is a paradigm shift. No longer can we rely on the security savviness of developers or official security mandates. We must embrace business users and help guide them in the right direction. If we fail to do so, the forces of productivity and data-hungry AI will surely be glad to do that for us.

AI Has Your Business Data

Users of affected devices that want to mitigate risk from the security issues in the Exynos chipsets can turn off Wi-Fi and Voice-over-LTE settings, researchers from Google's Project Zero say.

A newly disclosed set of vulnerabilities in Samsung chipsets has exposed millions of Android mobile phone users to potential remote code execution (RCE) attacks, until their individual device vendors make patches available for the flaws.

Until then, the best bet for users who want to protect against the threat is to turn off Wi-Fi calling and Voice-over-LTE settings on their devices, according to the researchers from Google's Project Zero who discovered the flaws.

In a blog post last week, the researchers said they had reported as many as 18 vulnerabilities to Samsung in the company's Exynos chipsets, used in multiple mobile phone models from Samsung, Vivo, and Google. Affected devices include Samsung Galaxy S22, M33, M13, M12, A71, and A53, Vivo S16, S15, S6, X70, X60, and X30, and Google's Pixel 6 and Pixel 7 series of devices.

**Android Users Face Complete Compromise**

Four of the vulnerabilities in the Samsung Exynos chipsets give attackers a way to completely compromise an affected device, with no user interaction needed and requiring the attacker to only know the victim's phone number, Project Zero threat researcher Tim Willis wrote.

"Tests conducted by Project Zero confirm that those four vulnerabilities \[CVE-2023-24033, CVE-2023-26496, CVE-2023-26497, and CVE-2023-26498\] allow an attacker to remotely compromise a phone at the baseband level," Willis said. "With limited additional research and development, we believe that skilled attackers would be able to quickly create an operational exploit to compromise affected devices silently and remotely." 

The security researcher identified the remaining 14 vulnerabilities in Samsung Exynos chipsets as being somewhat less severe.

In an emailed statement, Samsung said it had identified six of the vulnerabilities as potentially impacting some of its Galaxy devices. The company described the six flaws as not being "severe" and said it had released patches for five of them in a March security update. Samsung will release a patch for the sixth flaw in April. The company did not respond to a Dark Reading request seeking information on whether it will release patches for all 18 vulnerabilities that Google disclosed. It's also unclear whether, or when, all affected Samsung Galaxy devices will receive the updates.

Willis said affected Google Pixel devices had already received a fix for one of the disclosed flaws (CVE-2023-24033) with the company's March 2023 security update. Google did not immediately respond to a Dark Reading request for information on when patches would be available for the remaining vulnerabilities. Vivo did not respond immediately to a Dark Reading request either, so the company's plans for addressing the vulnerabilities remain unclear as well.

**The Android Patch Gap Problem**

In the past, device vendors have taken their time addressing vulnerabilities in the Android ecosystem. So, if that's any indication, users affected by the vulnerabilities in the Samsung chipset could be in for a long wait. 

In November, Project Zero researchers reported on what they described a significant patch gap resulting from the delay between when a firmware patch for an Android device becomes available and when a device vendor actually makes it available for their users. As an example, Project Zero researchers pointed to several vulnerabilities they discovered in the ARM Mali GPU driver. Google reported the vulnerabilities to ARM last June and July, after which the latter issued patches for the flaws in July and August. Yet more than three months later, in November, when Google tested affected devices for the vulnerability, the researchers found every single device still vulnerable to the issues.

"The easy part is fixing the hardware flaws with new software," says Ted Miracco, CEO at Approov. "The harder part is getting manufacturers to push the updates to the end users and getting end users to update their devices," he says. Unfortunately, many users of the chipsets may not be quick to patch the devices and users are probably largely unaware if the vulnerabilities, he says.

Vulnerabilities like the ones Project Zero discovered in the Samsung chipsets exist not only in the Android ecosystem, but in the iOS ecosystem and any complex supply chain involving sophisticated hardware and software as well, Miracco continues. The challenge is reducing the time from detecting flaws to deploying solutions on all devices. 

"This is an area where the Android ecosystem needs to put a lot attention, as updates can be few and far between with many manufacturers of mobile devices," he says. Enterprises could mandate that users who bring their own devices (BYOD) to work must utilize devices from approved suppliers that have a track record of rapidly deploying updates, Miracco adds.

Krishna Vishnubhotla, vice president of product strategy at Zimperium, says vulnerabilities like these highlight the need for enterprises to evaluate their mobile security strategies. "It makes sense for enterprises to guide their employees on how to stay safe and if there are new requirements for enterprise access," he notes.

With so much original equipment manufacturer (OEM) fragmentation in the Android space, the patches might only be available after a few months for all the vulnerabilities discovered. "This is why it's important for enterprises to invest in security that can handle zero-day threats and can be updated over the air," Vishnubhotta adds.

Unpatched Samsung Chipset Vulnerabilities Open Android Users to RCE Attacks

A new piece of malware dubbed dotRunpeX is being used to distribute numerous known malware families such as Agent Tesla, Ave Maria, BitRAT, FormBook, LokiBot, NetWire, Raccoon Stealer, RedLine Stealer, Remcos, Rhadamanthys, and Vidar.
"DotRunpeX is a new injector written in .NET using the Process Hollowing technique and used to infect systems with a variety of known malware families," Check

A new piece of malware dubbed **dotRunpeX** is being used to distribute numerous known malware families such as Agent Tesla, Ave Maria, BitRAT, FormBook, LokiBot, NetWire, Raccoon Stealer, RedLine Stealer, Remcos, Rhadamanthys, and Vidar.

"DotRunpeX is a new injector written in .NET using the Process Hollowing technique and used to infect systems with a variety of known malware families," Check Point said in a report published last week.

Said to be in active development, dotRunpeX arrives as a second-stage malware in the infection chain, often deployed via a downloader (aka loader) that's transmitted through phishing emails as malicious attachments.

Alternatively, it's known to leverage malicious Google Ads on search result pages to direct unsuspecting users searching for popular software such as AnyDesk and LastPass to copycat sites hosting trojanized installers.

The latest DotRunpeX artifacts, first spotted in October 2022, add an extra obfuscation layer by using the KoiVM virtualizing protector.

It's worth pointing out that the findings dovetail with a malvertising campaign documented by SentinelOne last month in which the loader and the injector components were collectively referred to as MalVirt.

Check Point's analysis has further revealed that "each dotRunpeX sample has an embedded payload of a certain malware family to be injected," with the injector specifying a list of anti-malware processes to be terminated.

WEBINAR

Discover the Hidden Dangers of Third-Party SaaS Apps

Are you aware of the risks associated with third-party app access to your company's SaaS apps? Join our webinar to learn about the types of permissions being granted and how to minimize risk.

RESERVE YOUR SEAT

This, in turn, is made possible by abusing a vulnerable process explorer driver (procexp.sys) that's incorporated into dotRunpeX so as to obtain kernel mode execution.

There are signs that dotRunpeX could be affiliated to Russian-speaking actors based on the language references in the code. The most frequently delivered malware families delivered by the emerging threat include RedLine, Raccoon, Vidar, Agent Tesla, and FormBook.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New DotRunpeX Malware Delivers Multiple Malware Families via Malicious Ads

Adobe Connect versions 11.4.5 and below as well as versions 12.1.5 and below suffer from a file disclosure vulnerability.

    # Title: adobe connect - Local File Disclosure / Download [security featurebypass vulnerability]# Author: h4shur# date:2021.01.16-2023.02.17# CVE: CVE-2023-22232# Vendor Homepage: https://www.adobe.com# Software Link: https://www.adobe.com/products/adobeconnect.html# Version: 11.4.5 and earlier, 12.1.5 and earlier# User interaction: None# Tested on: Windows 10 & Google Chrome, kali linux & firefox### Summary:Adobe Connect versions 11.4.5 (and earlier), 12.1.5 (and earlier) areaffected by an Improper Access Control vulnerability that could result in aSecurity feature bypass. An attacker could leverage this vulnerability toimpact the integrity of a minor feature.Exploitation of this issue does not require user interaction.### Description :There are many web applications in the world, each of which hasvulnerabilities due to developer errors, and this is a problem for all ofthem, and even the best of them, like the "adobe connect" program, havevulnerabilities that occur every month. They are found and fixed by theteam.* What is LFD bug?LFD bug stands for Local File Disclosure / Download, which generally allowsthe attacker to read and download files within the server, so it can beconsidered a very dangerous bug in the web world and programmers must beaware of it. Be careful and maintain security against this bug* Intruder access level with LFD bugThe level of access using this bug can be even increased to the level ofaccess to the website database in such a way that the hacker readssensitive files inside the server that contain database entry informationand enters the database and by extracting the information The admin willhave a high level of access* Identify vulnerable sitesTo search for LFD bugs, you should check the site inputs. If there is noproblem with receiving ./ characters, you can do the test to read the filesinside the server if they are vulnerable. Enter it and see if it is read ornot, or you can use files inside the server such as / etc / passwd / .. andstep by step using ../ to return to the previous path to find the passwdfile* And this time the "lfd" in "adobe connect" bug:To download and exploit files, you must type the file path in the"download-url" variable and the file name and extension in the "name"variable.You can download the file by writing the file path and file name andextension.When you have written the file path, file name and extension in the siteaddress variables, a download page from Adobe Connect will open for you,with "Save to My Computerfile name]" written in the download box and a file download link at thebottom of the download box, so you can download the file.* There are values inside the url that do not allow a file other than thisfile to be downloaded.* Values: sco_id and ticketsBut if these values are cleared, you will see that reloading is possiblewithout any obstaclesAt another address, you can download multiple files as a zip file.We put the address of the files in front of the variable "ffn" and if wewant to add the file, we add the variable "ffn" again and put the addressof the file in front of it. The "download_type" variable is also used tospecify the zip extension.### POC :https://target.com/[folder]/download?download-url=[URL]&name=[file.type]https://target.com/[folder]/download?output=output&download_type=[Suffix]&ffn=[URL]&baseContentUrl=[basefile folder]### References:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22232https://nvd.nist.gov/vuln/detail/CVE-2023-22232https://helpx.adobe.com/security/products/connect/apsb23-05.html

Adobe Connect 11.4.5 / 12.1.5 Local File Disclosure

By Deeba Ahmed
In addition to Google Pixel and Samsung devices, Vivo devices were also vulnerable to this attack.
This is a post from HackRead.com Read the original post: Hackers can hijack Samsung and Pixel phones by knowing phone number

****The cybersecurity researchers at Google identified eighteen zero-day vulnerabilities, four of which allowed Hackers to remotely compromise smartphone devices using just the victim’s phone number.****

Google Pixel and Samsung phone owners should be cautious, as Google’s bug-hunting team, Project Zero, has discovered as many as 18 security vulnerabilities impacting Exynos modems.

Reportedly, these vulnerabilities, if combined, can allow an adversary to gain complete control over a smartphone without alerting the user. The devices vulnerable to these vulnerabilities include the following:

*   Google Pixel 6 and Pixel 7 series
*   Vivo S16, S15, S6, X70, X60, and X30 series
*   Samsung S22, M33, M13, M12, A71, A53, A33, A21, A13, A12, and A04 series.

In addition, wearable devices using the Exynos W20 chipset, such as Galaxy Watch 4 and 5, and vehicles using the Exynos Auto T5123 chipset are also vulnerable.

According to Project Zero head Tim Willis, these zero-day vulnerabilities were found in late 2022 and early 2023. Out of the 18 security flaws, four allow attackers to compromise the phone remotely using just the victim’s phone number.

In addition, skilled threat actors can create an operational exploit quickly to “silently and remotely” compromise impacted devices. These four flaws are the most crucial of all.

> Tests conducted by Project Zero confirm that those four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker knows the victim’s phone number.
> 
> Google Project Zero

One of the exploits has been assigned a CVE (Common Vulnerabilities and Exposures) number, CVE-2023-24033, and Google has withheld it, which is a rare instance considering its previous bug disclosures. In this flaw, the impacted baseband model chipsets don’t check the format types that the SDP module specifies, leading to a denial of service attack.

Hence, an attacker can remotely lock the phone and bar the user from using it. It was fixed in Google’s March 2023 security update and has already been implemented in Pixel 7 series phones. However, Pixel 6 series, including Pixel 6 Pro, and Pixel 6a, do not yet have it.

The other 14 vulnerabilities aren’t as critical. Some have been assigned CVEs, including CVE-2023-26072, CVE-2023-26073, CVE-2023-26074, CVE-2023-26075, and CVE-2023-26076, while 9 are still awaiting CVEs.

It is worth noting that attackers would need a malicious mobile network operator or local access to the device to exploit them. Although it may sound impossible, a report from June 2022 shows that ISPs have been assisting malicious threat actors in installing malware on victim devices.

The good news, according to Google’s blog post, for Samsung Galaxy S22 owners in the US is that their phones don’t have a Samsung Exynos chipset but a Qualcomm chipset, so their devices aren’t vulnerable. However, European owners of the same phone are not as lucky. Therefore, those using unpatched devices must disable Wi-Fi Calling and VoLTE (voice over LTE).

1.  Hacking Honda and Nissan Cars by Knowing VIN number
2.  Hacking Facebook Account by Knowing its Phone Number
3.  New attack vector ReVoLTE lets hackers monitor phone calls
4.  Hacker finds Aussie PM’s passport number using his Instagram
5.  PlayStation serial number leads Feds to bust a massive drug ring

Tag

#google