Directory Traversal vulnerability in LiteSpeed Technologies OpenLiteSpeed Web Server Dashboard allows Path Traversal. This affects versions from 1.5.11 through 1.5.12, from 1.6.5 through 1.6.20.1, from 1.7.0 before 1.7.16.1

CVE-2022-0072: openlitespeed/httpserver.cpp at v1.7.16 · litespeedtech/openlitespeed

Without even asking for permissions, the newly discovered 'SiriSpy' flaw in Apple's iOS Bluetooth access could allow someone to access user interactions with Siri and keyboard-dictation audio.

For anyone who thought their conversations with Siri were sacred and keyboard dictation recordings were secure, a new analysis found a flaw in the iOS Bluetooth that could allow someone to grab audio from both. 

The find is from researcher Guilherme Rambo, who published details of an Apple iOS flaw he calls "SiriSpy," tracked under CVE-2022-32946. It would let a malicious app that a user has been convinced to install eavesdrop on audio interactions with iPhones.

"Any app with access to Bluetooth could record your conversations with Siri and audio from the iOS keyboard dictation feature when using AirPods or Beats headsets," Rambo wrote. "This would happen without the app requesting microphone access permission, and without the app leaving any trace that it was listening to the microphone." 

Rambo explained he regularly does cybersecurity research on AirPods, leading him to the find. 

After alerting Apple to the vulnerability in late August, Rambo said on Oct. 24 that iOS 16.1, along with all of the other remaining Apple operating systems, were updated with a fix. Making the find even sweeter, Rambo added he's been told by Apple he will receive a $7,000 bug bounty for his efforts. 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

iOS Bug Lets Apps Record Siri Conversations

Multiple command injection vulnerabilities in GL.iNet GoodCloud IoT Device Management System Version 1.00.220412.00 via the ping and traceroute tools allow attackers to read arbitrary files on the system.

CVE-2022-42055: GL.iNET MT300N-V2 Vulnerabilities and Hardware Teardown

Supply chain attacks were all the rage in 2020 after SolarWinds, but we seem to have forgotten how important they are.

Thursday, October 27, 2022 14:10

Welcome to this week’s edition of the Threat Source newsletter.

There are plenty of jokes about whether we’re “aware” of cybersecurity during National Cybersecurity Awareness Month. But now I’m wondering if people are aware of supply chain attacks.

I thought we hit the pinnacle of supply chain attacks in 2020 with the SolarWinds attack, when these types of attacks dominated headlines and defenders started shouting from the mountaintops about how important it is to be ready for supply chain attacks.

And then Kaseya came along a few months later when attackers found a different way to deploy malicious updates that were disguised as legitimate patches.

And still today, we’re warning about the dangers of how prevalent supply chain attacks are and how everyone needs to be ready for this attacker technique. This leaves me wondering if Kaseya and SolarWinds weren’t the breaking point — what is?

It seems like no matter how many times we see major ransomware attacks, even coming to the point of making it impossible for people to get gas, attackers are back again with another ransomware attack a few weeks later.

We still have several hurdles to overcome to fix the supply chain attack problem, as Jaeson Schultz from our Outreach team outlined in this recent post. But it’s clear that these attacks aren’t going anywhere, and neither are defenders’ warnings.

As I wrote at the start of October, it can be easy to poke fun at Cybersecurity Awareness Month because it’s impossible to define what it even means to be “aware” of cybersecurity. Clearly, there’s still awareness to spread, though, and we keep needing to spread it in regard to supply chain attacks, ransomware and pretty much every other type of cyber attack.

**The one big thing**

For the first time since collecting such data, Cisco Talos Incident Response saw an equal number of ransomware and pre-ransomware engagements, making up nearly 40 percent of threats in the third quarter of 2022. It can be difficult to determine what constitutes a pre-ransomware attack if ransomware never executes and encryption does not take place. However, Talos IR assesses that the combination of Cobalt Strike and credential-harvesting tools like Mimikatz, paired with enumeration and discovery techniques, indicates a high likelihood that ransomware is the final objective.

**Why do I care?**

This data represents what Talos IR is actively seeing in the wild over the past few months and is likely representative of the broader threat landscape.

**So now what?**

A lack of MFA remains one of the biggest impediments to enterprise security. Nearly 18 percent of engagements either had no MFA or only had it enabled on a handful of accounts and critical services. Talos IR frequently observes ransomware and phishing incidents that could have been prevented if MFA had been properly enabled on critical services, such as endpoint detection and response (EDR) solutions. Talos IR recommends disabling VPN access for all accounts that are not using two-factor authentication.

**Top security headlines of the week**

The Biden administration is preparing to release updated guidelines and warnings around election security with a few days left before the midterm elections. A bulletin reportedly being drafted includes information on threats from Russia, China and other state-sponsored actors. Election workers and local officials are also having to deal with physical threats to polling workers and locations, all while the number of volunteers is dwindling. Earlier this month, the U.S. Cybersecurity and Infrastructure Security Agency released a PSA stating that malicious cyber activity is "unlikely to disrupt or prevent voting." (Politico, Axios, Voice of America)

Apple released security updates for its iOS and iPadOS operating systems this week, including fixes for a vulnerability that “may have been actively exploited.” There are 20 vulnerabilities fixed in these updates in all. CVE-2022-42827 is the most notable vulnerability, which could allow an attacker to execute code with Kernel privileges via an attacker-controlled app. This is the third Kernel-related out-of-bounds memory vulnerability that Apple has patched in each of its previous security updates: CVE-2022-32894 and CVE-2022-32917. CVE-2022-32917 was known to be used in attacks in the wild. (Forbes, The Hacker News)

Two vulnerabilities in Microsoft's Mark of the Web (MoTW) security feature could allow an attacker to send JavaScript files that could bypass security blocks in place. Attackers are reportedly actively exploiting both issues, though Microsoft has yet to issue any formal fixes for the vulnerabilities, and there are no workarounds available. Mark of the Web protects users against files from untrusted sources, but the two vulnerabilities could allow the attackers to construct the files in a way that they are not appropriately marked by Windows. Attackers commonly use .js files as attachments or downloads that can run outside a web browser. (Dark Reading, Bleeping Computer)

**Can't get enough Talos?**

*   Talos Takes Ep. #118: Threat Hunting 101
*   Beers with Talos Ep. #127: I’m a skiddie, and you can too!
*   A bug in Abode’s home security system could let hackers remotely switch off cameras
*   Talos Incident Response Q3 2022 Quarterly Report

**Upcoming events where you can find Talos**

**Click or Treat? How not to fall for a phishing attack this Halloween** (Oct. 31)  
Virtual

**BSides Lisbon** (Nov. 10 - 11)  
Cidade Universitária, Lisboa, Portugal

**Most prevalent malware files from Talos telemetry over the past week**

**SHA 256:** e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c  
**MD5:** a087b2e6ec57b08c0d0750c60f96a74c  
**Typical Filename:** AAct.exe  
**Claimed Product:** N/A  
**Detection Name:** PUA.Win.Tool.Kmsauto::1201

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
**MD5:** 93fefc3e88ffb78abb36365fa5cf857c  
**Typical Filename:** Wextract  
**Claimed Product:** Internet Explorer  
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

**SHA 256:** c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0  
**MD5:** 8c69830a50fb85d8a794fa46643493b2  
**Typical Filename:** AAct.exe  
**Claimed Product:** N/A  
**Detection Name:** PUA.Win.Dropper.Generic::1201

**SHA 256:** 58d6fec4ba24c32d38c9a0c7c39df3cb0e91f500b323e841121d703c7b718681  
**MD5:** f1fe671bcefd4630e5ed8b87c9283534  
**Typical Filename:** KMSAuto Net.exe  
**Claimed Product:** KMSAuto Net  
**Detection Name:** PUA.Win.Tool.Hackkms::1201

**SHA 256:** 125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645  
**MD5:** 2c8ea737a232fd03ab80db672d50a17a  
**Typical Filename:** LwssPlayer.scr  
**Claimed Product:** 梦想之巅幻灯播放器  
**Detection Name:** Auto.125E12.241442.in02

Threat Source newsletter (Oct. 27, 2022): I thought we were already aware of supply chain attacks?

Categories: News
Tags: Amazon

Tags:  Twitch

Tags:  Prime

Tags:  streaming

Tags:  gamer

Tags:  gaming

Tags:  advert

Tags:  advertising

Tags:  in-game

We take a look at new form of ad tech for Twitch streaming viewers, but not players. How does it work? Can it even be successful?



(Read more...)




The post New streaming ad technology plays hide-and-seek with gamers appeared first on Malwarebytes Labs.

A new form of digital advertising is looking to make its way to you courtesy of video gaming. However, there’s a rather peculiar twist involved. These ads won’t appear in front of you while playing; in fact, they’re designed to trigger when someone _else_ is in-game. The most baffling twist of all? Those people triggering the ads won’t see them either!

How does this work? Let’s take a look at how advertising has been used in an Amazon gaming title previously, and see how that could create a frosty reception for any new ad technology.

**The sliding doors of advertising banners**

This is a push to place more advertising, and sales opportunities, in front of the huge streaming audiences which exist in Twitch channels. Twitch is owned by Amazon and the retail giant is also responsible for a number of gaming titles. Any way to synergise advertising or marketing across multiple platforms is potentially going to be a big revenue generator.

The biggest of these titles, Old World, is sometimes used for various types of advertising promotions and methods. Often, this is to the annoyance of the people playing the game who’d much rather all of this was done somewhere else. For example, just recently players were complaining about Rings of Power advert banners inside a part of the New World title/continue screen. Rings of Power is developed by Amazon, and the ad promotes it as being available on Prime Video. Both show and game are fantasy worlds, so thematically there’s a connection but that doesn’t seem to have impressed at least one player out there.

**Streaming the ads**

Twitch streaming is a huge business, with massive audiences and a number of increasingly rich streamers. Twitch has had various types of adverts for some time now, and here too, ads are a contentious subject. Viewers complain about what they feel are too many ads in a short space of time, and streamers worry that ads can end up making your channel annoying or even reducing subscriber count.

A recent change to ad types and functionality made the ads “less annoying” overall. Even so, it seems more varied types of ad presentations were required to lower the risk of turning people away from streaming or watching altogether.

**Now you see it…now you don’t (but you might)**

Way back in 2005, dynamic ads were introduced to titles like The Matrix Online. Essentially these were empty billboards, and the ad network paired up with the game could display on-the-fly adverts, which meant current products could always be advertised in the game.

A whole 17 years later, we have one of the first original advancements of this digital advertising concept, though it’s a bit of an odd one. It's Old World, once again being used as a sort of test zone for advertising demo purposes:

> Experimental ads technology is being tested with Amazon Game Studios to virtually insert ads in-game that would only be visible to people watching the streamer. pic.twitter.com/uWGXGzPfcK#StreamerNews
> 
> — Zach Bussey (@zachbussey) October 24, 2022

The advert, a wobbling bit of text on a wall way off to the left, is being generated by advertising tech which only displays the ad to the people watching the _stream_ of the game being played. Nobody actually playing the game will be able to see it, a bit of ad tech wizardry that means only people who _watch_ other people play videogames, specifically online (and not on a couch), will potentially see this ads. 

There isn’t currently a huge amount of information out there on this new experimental tech yet, but it bears a striking resemblance to Virtual Product Placement (VPP) tools used to change adverts in streamed shows and movies from Amazon and Peacock  referenced back in May. It may well be different technology, but it could have easily inspired similar thinking where gaming and game streaming products are concerned.

**A roll of the advertising dice**

The big question is how successful is this likely to be? Traditional in-game advertising relies on funnelling players into places where they’re guaranteed to see an ad. You can’t do much with your marketing and advertising strategies if nobody sees the adverts in the first place.

As the player has no idea where the ads are, they may never venture anywhere near one of the new temporary adverts raising the question of who this is actually for, or how overt the adverts will have to be made to account for the possibility of missing them. It’s likely these in-game ads can’t be clicked, so how will anyone determine which ads are successful or failures especially given a “good” ad might never even make it to a screen?

**You should always have a choice with advertising**

However this is intended to work, we’ll probably have to wait a while longer to discover more concrete details. If you like streaming, whether as a player or a viewer, you are absolutely being marketed to regardless of which device or platform you use. Whether it’s pages of EULAs and data analytic opt-outs, or privacy policies filled with connected advertisers, informed decisions over your data are a good thing.

You may be able to opt-out of certain data retention policies, or block certain types of ads, but this likely won’t work everywhere. It’s up to you to decide which level of advertising, or product promotion, and even tracking or profiling you’re comfortable with and go from there. As far as anyone connected to Twitch streaming where advertising is concerned, it seems to be more of an annoyance about fatigue and intrusiveness than anything related to privacy or data collection. Perhaps a “blink and you’ll miss it” ad style is just what the streaming doctor ordered.

New streaming ad technology plays hide-and-seek with gamers

The implementation of backslash parsing in the Dart URI class for versions prior to 2.18 and Flutter versions prior to 3.30 differs from the WhatWG URL standards. Dart uses the RFC 3986 syntax, which creates incompatibilities with the '\' characters in URIs, which can lead to auth bypass in webapps interpreting URIs. We recommend updating Dart or Flutter to mitigate the issue.

CVE-2022-3095: sdk/CHANGELOG.md at master · dart-lang/sdk

Rockwell Automation Stratix Devices Containing Cisco IOS

Cybersecurity and telecom providers from around the world can now test their technologies and use cases in OneLayer's digital twin private network environment.

**TEL AVIV, Israel, Oct. 27, 2022 /PRNewswire/ —** OneLayer, a pioneer in securing private LTE/5G networks for enterprises, announced today the launch of one of the world's first 5G private network security labs. The lab, which will be open to the public for research purposes, acts as a digital twin to simulate specific threat scenarios posed to an enterprise network. The data collected during these simulations will help companies find the best security solutions for each organization and its needs.

Private cellular networks provide organizations with improved connectivity and increased reliability, a dedicated bandwidth with capacity and range, no lag time, and connectivity of IoT and OT devices across vast areas. As organizations increasingly adopt private networks, they must also address securing such networks, so the same standard of security applied to enterprise IP networks is addressed in the cellular domain.

The OneLayer 5G Security Lab provides a simulated environment for cyber and telecom companies to examine diverse security challenges and solutions in this domain. Using core equipment from Nokia, Druid, and Airspan, the lab can create private networks based on different types of cores, end units, and IoT devices to model different types of cyberattacks and the solutions to defend against them.

"The goal of this security lab is to provide the opportunity to test private networks and security use cases to improve the understanding of connected IoT and OT devices for continued R&D of OneLayer's private cellular security platform," said Liron Ben-Horin, VP of Systems Engineering at OneLayer. "We intend to collect and analyze data in order to profile devices and segment networks appropriately. We want to share our tools and capabilities with the private network ecosystem to foster industry collaboration. As such, we welcome any company that is researching or testing LTE/5G devices to join us on this journey at our Tel Aviv-based security lab."

"OTORIO and OneLayer have joined forces in order to leverage OneLayer's 5G Security Lab to test the integrations with various technologies and telecom systems," said Matan Dobrushin, VP Research at OTORIO. "We are excited for our mutual research collaboration to ensure the usability, efficiency and safety of OTORIO's solutions in hybrid networks."

"We are excited for the opportunity to leverage OneLayer's Security Lab and to work together to improve the cybersecurity of 5G core network devices," said Sharon Brizinov, Director of Security Research at Claroty's Team82. "The collaborations coming out of the security lab will benefit enterprise security overall as we explore the ever-growing attack surface of the Extended Internet of Things (XIoT) and these devices' connectivity within cellular networks."

"Armis recognizes the growing risk raised by private cellular networks," said Barak Hadad, Head of Research at Armis. "Together with OneLayer, we can help defenders gain full visibility to their core networks and their connected devices."

"I'm excited to see a Tel Aviv-based startup, OneLayer, investing in a unique 5G devices lab. These types of activities enable the Israeli ecosystem and cybersecurity market to ensure we are ahead of the bad guys as the network continues to evolve," said Eli Fainberg, VP Product at Forescout.

**About OneLayer**

OneLayer provides enterprise-grade security for private LTE/5G networks. Its platform and IoT security toolkit can be implemented in private cellular networks to provide better visibility, control and protection for organizations. The company was founded by world-class cybersecurity experts with a deep understanding of both cellular protocols and IoT security needs and veterans from the IDF's 8200 and 81 intelligence units. OneLayer is backed by industry-leading advisors and has partnered with experts both in the cybersecurity domain as well as the telecom industry. To learn more about OneLayer please visit https://one-layer.com/ or LinkedIn.

OneLayer Opens 5G Security Lab for Network Security Companies to Research Threats to Private Cellular Networks

Survey points to gaps in understanding of what's driving higher costs and limiting access to cyber insurance coverage — and what businesses can do about it.

**SCHAUMBURG, Ill., Oct. 26, 2022 /PRNewswire/ —** Good news for cybersecurity: More risk managers have purchased cyber insurance to help protect their businesses and customers from the potentially disastrous consequences of breaches and hacks. The bad news: Increasing premiums and restrictions for cyber coverage over the past year have created frustration for some business leaders.

This is the mixed picture emerging from the just-released 12th annual Information Security and Cyber Risk Management study from Zurich North America and Advisen Ltd., a Zywave Company. The 2022 study indicates that 86% of respondents now have cyber insurance, up three percentage points from 2021 and the highest percentage in the history of the survey. About 83% of respondents say they've taken steps to assess their cyber risk, and 69% have invested in cybersecurity solutions to mitigate risk.

Such findings suggest that CEOs, CIOs and risk managers increasingly grasp the threat that cyberattacks pose to their businesses, customers and the economy. But comments in the survey also reveal gaps in understanding of the drivers of insurance rates and restrictions and the role that risk mitigation actions play in the ability to access coverage at an affordable price.

"Our latest survey shows that many respondents recognize cyber threats and claims have increased in frequency and severity, but some business leaders struggle with the extent of the impact on insurance costs, policy terms and risk selection," said Michelle Chia, Head of Professional Liability and Cyber at Zurich North America. "What's clear is that cyber resilience is critical to business resilience. Carriers, distributors, risk managers, IT professionals, governments and employees everywhere need to work together to strengthen cyber resilience in this fast-evolving risk landscape."

Other highlights from the survey:

*   54% of respondents who experienced a claim reported it to their cyber insurance carrier. More than 70% recouped costs from their cyber insurance carrier, while a portion of claims are still in process.
*   52% have increased their organization's oversight of IT vendor management in response to geopolitical conflict concerns.
*   52% of respondents agreed that their cyber insurance meets their expectations and provides value, and 61% said their coverage meets some but not all organizational needs.
*   Over 93% of respondents said they expect Data Breach and Cyber Extortion/Ransomware coverage to be included in cyber insurance policies, followed by Data Restoration (87%) and Business Interruption (75%).
*   81% of respondents reported having cyber incident response plans in place, but less than 60% test these plans regularly.
*   62% of respondents cited "Enhance Employee Training" as one of their top cybersecurity priorities over the next year.

"While there's more to be done, it's encouraging to see organizations taking steps to shore up their cyber resilience," Chia said. "Insights from this survey present the opportunity for insurance carriers and brokers to provide continuing education on the shifting cyber risk environment and mitigation techniques. Those responsible for managing cyber risk can refer to this survey's insights to help gain organizational support for additional investments to enhance cyber resilience and access to insurance coverage."

The survey was completed at least in part by 353 risk managers, insurance buyers and other risk professionals. The majority classified themselves as either a chief risk manager or the head of a risk management department (28 percent); a different member of a risk management department (25 percent); a chief information security officer or chief privacy officer (5 percent); or other executive, such as a CIO, CFO or CEO (20 percent).

The full Information Security and Cyber Risk Management survey report is here.

**About Zurich North America**

Zurich North America is one of the largest providers of insurance solutions and services to businesses and individuals. Our customers represent industries ranging from agriculture to technology. Zurich North America is part of Zurich Insurance Group, a leading multi-line insurer serving people and businesses in more than 210 countries and territories. Founded 150 years ago, Zurich is transforming insurance. In addition to providing insurance protection, Zurich is increasingly offering prevention services such as those that promote wellbeing and enhance climate resilience.

Reflecting its purpose to "create a brighter future together," Zurich aspires to be one of the most responsible and impactful businesses in the world. It is targeting net-zero emissions by 2050 and has the highest-possible ESG rating from MSCI. In 2020, Zurich launched the Zurich Forest project to support reforestation and biodiversity restoration in Brazil.

The Group has about 56,000 employees and is headquartered in Zurich, Switzerland. Zurich Insurance Group Ltd (ZURN), is listed on the SIX Swiss Exchange and has a level I American Depositary Receipt (ZURVY) program, which is traded over-the-counter on OTCQX. Further information is available at www.zurich.com.

2022 Advisen-Zurich Survey Illuminates Growing Cybersecurity Concerns

A now-patched security flaw in Apple's iOS and macOS operating systems could have potentially enabled apps with Bluetooth access to eavesdrop on conversations with Siri.
Apple said "an app may be able to record audio using a pair of connected AirPods," adding it addressed the Core Bluetooth issue in iOS 16.1 with improved entitlements.
Credited with discovering and reporting the bug in August

A now-patched security flaw in Apple's iOS and macOS operating systems could have potentially enabled apps with Bluetooth access to eavesdrop on conversations with Siri.

Apple said "an app may be able to record audio using a pair of connected AirPods," adding it addressed the Core Bluetooth issue in iOS 16.1 with improved entitlements.

Credited with discovering and reporting the bug in August 2022 is app developer Guilherme Rambo. The bug, dubbed **SiriSpy**, has been assigned the identifier CVE-2022-32946.

"Any app with access to Bluetooth could record your conversations with Siri and audio from the iOS keyboard dictation feature when using AirPods or Beats headsets," Rambo said in a write-up.

"This would happen without the app requesting microphone access permission and without the app leaving any trace that it was listening to the microphone."

The vulnerability, according to Rambo, relates to a service called DoAP that's included in AirPods for Siri and Dictation support, thereby enabling a malicious actor to craft an app that could be connected to the AirPods via Bluetooth and record the audio in the background.

This is compounded by the fact that "there's no request to access the microphone, and the indication in Control Center only lists 'Siri & Dictation,' not the app that was bypassing the microphone permission by talking directly to the AirPods over Bluetooth LE."

While the attack requires that the app has access to Bluetooth, this restriction can be trivially bypassed as users granting Bluetooth access to the app are unlikely to expect that it could also open the door to accessing their conversations with Siri and audio from dictation.

On macOS, however, the exploit could be abused to achieve a total bypass of the Transparency, Consent and Control (TCC) security framework, meaning any app can record conversations with Siri without requesting for any permissions in the first place.

Rambo said the reason for this behavior is owing to the lack of entitlement checks for BTLEServerAgent, the daemon service responsible for handling DoAP audio.

A software patch remediating this flaw is available for iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later. It has also been resolved in all supported versions of macOS.

The iOS 16.1 update, which was released on October 24, 2022, comes with fixes for a total of 20 flaws, including a Kernel vulnerability (CVE-2022-42827) that it disclosed as being actively exploited in the wild.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#ios