File upload vulnerability in Umbraco Forms v.8.7.0 allows unauthenticated attackers to execute arbitrary code via a crafted web.config and asp file.

**Why 730,000+ websites worldwide use Umbraco**

**Shape your website the way you want**

No limitations - develop and extend your website completely your way with a CMS that gives you unparalleled freedom.

**Get your message to market quickly**

With a user-friendly editing experience, editors are empowered to make and publish content quickly with no hassle.

**Choose the tools you want to work with**

Integrate easily with any tools and change the tech stack when your needs shift with a CMS that doesn’t lock you in.

**A CMS trusted by professionals**

**Andreas Rask Lundsgaard loves the business value Umbraco generates**

Umbraco Gold Partner, Business Development Director at Pentia

_“With Umbraco, we can deliver digital business value for our customers quickly and efficiently through amazing websites and integrated digital ecosystems. The agility of the platform allows us to continuously increase conversion rates and improve experience, helping our customers become digital leaders.”_

**Erica Cuellar loves Umbraco's easy content editing**

Digital Marketing Associate at Room to Read

_“The new site gives us a better way to present the work we do. Editing the site is now fun instead of feeling like a chore. I can now flex my creativity in a new way.”_

**How you can work with Umbraco**

**Explore the products**

**Umbraco CMS**

_Some of the cool product features:_

☑️ Intuitive content management

☑️ Easy customization and flexibility for developers

☑️ Rich integration and extensibility possibilities

☑️ Clean code and strong performance

☑️ A secure open-source platform that scales with you

Get a live demoMore about Umbraco CMS

**Umbraco Cloud**

_Some of the cool product features:_

**☑️** Umbraco CMS **installed**, **configured**, and **ready for development**

☑️ Hosting on Microsoft Azure

☑️ Automatic security and bug updates

☑️ Clone, deploy, and transfer content safely between multiple environments

☑️ Baseline feature allowing you to roll out campaign pages in no time

☑️ Project management features optimizing your workflows and user management

Get a live demoGet to know Umbraco Cloud

**Umbraco Heartcore**

_Some of the cool product features:_

**☑️** Umbraco CMS tailored for **headl****ess development  
**

☑️ Hosting on Microsoft Azure

☑️ Automatic upgrades

☑️ Connect the backend to any frontend you want

☑️ Ideal for omnichannel solutions and JAMstack setups

☑️ Ships with managed REST API, GraphQL, CDN, and more

Get a live demoExplore Umbraco Heartcore

**Continue learning with us**

**A CMS that fits you, not the other way around**

Whatever tools your team needs - **eCommerce, CRM, campaign management, or analytics - you can integrate them with Umbraco.**

There’s no vendor lock-in. With our composable approach to building digital experience platforms (DXP), you choose top-of-the-class tech solutions and create the exact tech stack you prefer. Build and scale a customized digital experience with a CMS at the core that connects all your tools without friction.

See what you can build

 

**Don't just take our word for it** 

**What's possible with Umbraco**

**Let us show you around**

See firsthand how Umbraco works - and more importantly, how it can work for your team. Book a free, no-strings-attached 1-on-1 demo where our friendly Umbraco specialist will take you on a personalized tour of Umbraco. 

Book a live demo

**Let's have a chat**

Would you like more information on:

*   What products and services we can offer you
*   How Umbraco will fit your exact needs
*   Looking for a trusted agency that could implement your website

Let’s see how we can work together.

Fill out the form and one of our friendly Umbraco specialists will get in touch.

CVE-2021-33224: Umbraco - the flexible open-source .NET (ASP.NET Core) CMS

Categories: News
Categories: Scams
Tags: LinkedIn

Tags:  Slinks

Tags:  phish

Tags:  phishing

Tags:  email

Tags:  payment details

Tags:  amazon

Tags:  gmail

Tags:  outlook

Tags:  hotmail

Tags:  scam

Tags:  scammers

The email claims if you not update your card information in the next 24 hours, your membership benefits will be cancelled.



(Read more...)




The post Fake Amazon Prime email abuses LinkedIn's URL shortener appeared first on Malwarebytes Labs.

Over the last few days, scammers have been sending out phishing mails that disguise bogus URLs with something called Slinks—shortened Linkedin URLs.

The shortened URLs redirect users to a different URL when they are clicked. If you’ve ever seen a Tiny URL, or a Bit.ly link, you’ll already be familiar with how these work. Shortened links are a common tool in the phishing armoury because they obscure the final destination of their links, and because familiar shortening services may be seen as more trustworthy.

As you would expect, a LinkedIn shortened link is going to carry a certain amount of trust for someone on the receiving end. This has been put to the test a number of times. For example, in February of last year Slinks were being used to send people to IRS and PayPal phishes. As Brian Krebs notes, this tactic has been around for some years and was spotted in 2016 being sent out via Skype spam.

Now they're being used in a scam based on Amazon's popular Prime membership.

**Fake Prime email**

The email claims to have been sent from “Prime” and has the subject "New Membership Statement : Renewal P‎‎rime Membership statement was ended - Your renewal scheduled on February 21, 2023." The text reads:

Due to a problem with your card, we were unable to charge your ac͏count $12.99 and applicable taxes for the next 1 month of Amazon Prime.

Your membership benefits are currently on hold.

If you not update your card information in the next 24 hours, your membership benefits will be cancelled. To continue enjoy your membership benefits, please update your payment information.

We are sorry for any inconvenience this may have caused.

Sincerely

Prime Team

The email includes an Update Now button. Hovering over it reveals the Slink URL, and hitting it redirects you to a site resembling an Amazon login page.

Some folks may wonder why an Amazon email contains LinkedIn links, but many won't. Some won't notice, and some will assume it's OK, becasue they've been trained that way. Email newsletters and promotions often use shorteners and tracking links. As a result, odd-looking URLs won't necessarily alarm recipients as being unusual.

**Fake Amazon login**

The phishing site asks for an email or phone number tied to an Amazon account.

Next, the site directs you to a tailored password page, using the information you just entered. For example, entering a Gmail address leads to a page asking for the Gmail password. Enter a Microsoft address, and you'll be directed to a Microsoft-centric password request page, and so on.

With these details out of the way, the phishers move on and begin collecting even more personal information. First up, via a “Security Checkup”, the site asks for

*   Mother’s maiden name
*   Phone number
*   Date of birth

Next up:

*   Address
*   City
*   State/province/region
*   Zip / postal code

Finally, the site asks for credit / debit card information.

*   Cardholder name
*   Card number
*   Security code
*   Expiration date

In terms of damage done, someone filling these sections in and hitting submit has potentially handed over their password, credit card details, and a lot of answers to common security questions.

Not good at all.

**How to avoid phishing attacks**

*   **Block known bad websites.** Malwarebytes DNS filtering  blocks malicious websites used for phishing attacks, as well as websites used to spread or control malware.
*   **Don't take things at face value.** Phishing attacks often seem to come from people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Take action.** If you receive a phishing attempt at work, report it to your IT or security team. I you fall for a phish, make your data useless: If you entered a password, change it, if you entered credit card details, cancel the card.
*   **Use a password manager.** Password managers can create, remember, and fill in passwords for you. They protect you against phishing because they won't enter your credentials into a fake site.
*   **Use a FIDO2 2FA device.** Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Fake Amazon Prime email abuses LinkedIn's URL shortener

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Feb. 17 and Feb. 24. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed...

Threat Round up for February 17 to February 24

Generative AI is heating up everywhere and fundamentally changing everything we know about how cybercriminals develop and deploy attacks.

There has been a lot of talk about generative AI and chatbots like ChatGPT launching cyberattacks. What does that mean for the future of cybersecurity, and how can organizations prepare?

Threat actors are using ChatGPT to launch cyberattacks now. ChatGPT allows threat actors to increase the speed and variation of their attacks by modifying code in malware or creating thousands of variations of social engineering attacks to increase the probability of success. As machine learning technologies advance, so will the variety of ways this technology is used for malicious intent.

Generative AI is heating up everywhere and fundamentally changing everything we know about how cybercriminals develop and deploy attacks with increased speed and variations. The possible uses of AI for malicious intent are in their infancy. AI-powered technologies that leverage generative AI and diffusion models can modify the appearance of video and voice. They will most likely be used for cyberattacks, resulting in unfortunate consequences for organizations.

A race to develop new technologies leveraging AI is happening in voice (written and verbal), video, and more, as is evidenced by OpenAI's ChatGPT, Google's Bard, and Microsoft's AI-powered Bing. All are large language models that exponentially accelerate access to knowledge and rapidly generate new forms of content based on that contextualized knowledge. These tools rely on big data sets and the quality of those data sets.

While ChatGPT has the initial lead as the fastest-growing tool in history, don't bet against Google's ability to surpass ChatGPT in the future. It will certainly be a race, unlike anything we've seen before. As these new technologies become available, they will be used by organizations and cybercriminals, and both sides will use them to perpetrate and stop cybercrime. The abuse of AI is something we knew would happen for a long time, which is why SlashNext engineers have been developing natural-language generative AI technology for a few years in anticipation of these types of changes in the threat landscape.

**How Real the Generative AI Threat Is and How Organizations Can Prepare**

Generative AI, chatbots, and diffusion models are all developments in AI that present a real danger to users and businesses. Right now, ChatGPT, in particular, is a real enhancement to malware, business email compromise (BEC), and ransomware threat development. Cyberattacks are most dangerous when delivered with speed and frequency to targets.

With malware, ChatGPT enables cybercriminals to make infinite code variations to stay one step ahead of the malware detection engines. BEC attacks are target attempts to social engineer a victim into giving valuable financial information or data. These attacks require personalized messages to be successful. Now ChatGPT can create well-written, personal emails en masse with infinite variations. The speed and frequency of these attacks will increase and yield a higher success rate of user compromises and breaches. Legacy security technology doesn't stand a chance against these types of attacks. 

We must fight AI cyber threats with AI cybersecurity technology. When cybercriminals launch successful attacks, the results are massively disruptive to people, organizations, and the economy. The No. 1 cyber challenge that organizations face globally is human-focused attacks. Cybercriminals are increasing their attacks in LinkedIn, Microsoft Teams, Messenger, and Slack and taking advantage of the most vulnerable part of organizations: its people.

Many organizations are already using AI-based cybersecurity products to manage detection and response. AI technologies with generative AI will become essential technology to stop hackers and breaches. As new technology becomes available, hackers and cybersecurity vendors will use it to perpetrate and stop cybercrime. The abuse of AI is something we knew would happen for a long time, which is why SlashNext has been developing a natural-language generative AI technology for a year and a half in anticipation of these types of threats.

ChatGPT is not new, but OpenAI is the first to make an interface, so it's more accessible. ChatGPT is not the technology to fend off threats designed with ChatGPT. Still, generative AI technology, which makes ChatGPT possible, will be used to develop cyber defenses capable of stopping malware and BEC threats developed with ChatGPT. 

**About the Author**

    

Patrick Harr is the CEO of SlashNext, an integrated cloud messaging security company using patented HumanAI™ to stop BEC, smishing, account takeovers, scams, malware, and exploits in email, mobile, and Web messaging before they become a breach.

Generative AI Changes Everything We Know About Cyberattacks

A previously unidentified threat group uses open source malware and phishing to conduct cyber-espionage on shipping and medical labs associated with COVID-19 treatments and vaccines.

A previously unknown threat actor that exclusively uses a slew of publicly available and living-off-the-land tools has been targeting Asia-based shipping companies and medical laboratories in an intelligence-gathering operation since October, researchers have found.

Dubbed Hydrochasma by researchers at Symantec, which is owned by Broadcom Software, the group as yet does not appear to have stolen any data, but seems to target industries that are involved in COVID-19-related treatments or vaccines for cyberespionage, Symantec's Threat Hunter Team wrote in a blog post published this week.

"While Symantec researchers didn't observe data being exfiltrated from victim machines, some of the tools deployed by Hydrochasma do allow for remote access and could potentially be used to exfiltrate data," researchers wrote.

Judging by its tools and tactics, the group's chief motive appears to be achieving persistent access to victim machines without being detected, "as well as an effort to escalate privileges and spread laterally across victim networks," they noted.

Indeed, the lack of custom malware lends itself to this motive, Brigid O Gorman, senior intelligence analyst with Symantec Threat Hunter team, tells Dark Reading.

"The group's reliance on living-off-the-land and publicly available tools is notable," she says. "This may tell us a number of things about the group, including a desire to stay under the radar and make attribution of their activity more difficult."

**How Hydrochasma Attacks**

Researchers first were alerted to concerning activity on the victim's network when they noticed the presence of SoftEther VPN, a free, open source, and cross-platform VPN software often used by attackers.

Like many other threat groups, Hydrochasma appeared to use phishing as its means of initial access to a targeted network. Indeed, phishing remains one of the most successful ways for attackers to compromise networks, and it continues to grow and evolve at a fast clip.

In this case, the first sign of suspicious activity that researchers found on victim machines was a lure document with a file name in the organization's native language that appeared to be an email attachment for a freight company "product specification," they said. Researchers also found a lure that mimicked a resume for a "development engineer."

Once Hydrochasma gains access to a machine, attackers drop a Fast Reverse Proxy, a tool that can expose a local server protected by a network address translation (NAT) or firewall to the Internet. That in turn drops a legitimate Microsoft Edge update file. That's followed up by another file that's actually a publicly available tool called Meterpreter — which is part of the Metasploit framework — that can be used for remote access, researchers said.

**Everything But the Kitchen Sink**

In fact, in the campaign that researchers observed, the group bombarded the victim organization with what seemed like everything but the kitchen sink in a flurry of publicly available tools aimed to guarantee its presence and persistence on the network.

"It is relatively unusual to see an attack group using only open source malware in an attack chain, so this did make Hydrochasma's activity stand out to us," O Gorman notes.

Other tools being wielded by Hydrochasma in the attack included: Gogo scanning tool, an automated scanning engine; Process Dumper, which allows attackers to dump domain passwords; AlliN scanning tool, which can be used for lateral penetration of the intranet; and Fscan, a publicly available hacktool that can scan for open ports and more.

Researchers also observed Hydrochasma using Cobalt Strike Beacon, a legitimate pen-testing tool that attackers also have widely adopted for executing commands; injecting, elevating, and impersonating processes; and uploading and downloading files on victim networks. The group also deployed a shellcode loader and a corrupted portable executable in the attack.

Their assault on the victim network didn't stop there, however; additional tools that researchers observed being used in the attack included: Procdump, for monitoring an application for CPU spikes and generating crash dumps; BrowserGhost, which can grab passwords from a browser; the tunneling tool Gost proxy; Ntlmrelay for intercepting validated authentication requests to access network services; and HackBrowserData, an open source tool that can decrypt browser data.

**Avoiding Compromise**

Symantec included both file and network indicators of compromise in its blog post to help organizations identify if they're being targeted by Hydrochasma.

The extensive use of dual-use and living-off-the-land tools by the group highlights the need for organizations to have a comprehensive security solution to detect suspicious behavior on network machines, as well as stop malware, O Gorman says: "Organizations should adopt a defense in-depth strategy, using multiple detection, protection, and hardening technologies to mitigate risk at each point of a potential attack chain," she tells Dark Reading. "Organizations should also be aware of and monitor the use of dual-use tools inside their network."

In general, Symantec also advises implementing proper audit and control of administrative account usage, as well as the creation of profiles of usage for admin tools, "as many of these tools are used by attackers to move laterally undetected through a network," O Gorman adds.

Hydrochasma Threat Group Bombards Targets With Slew of Commodity Malware, Tools

App-based multi-factor authentication — which is still free on Twitter — is safer than SMS MFA. So in theory, forcing people to pay for it would make them less likely to use it and switch to the free option.

Thursday, February 23, 2023 14:02

Welcome to this week’s edition of the Threat Source newsletter.

Social media’s latest business plan seems to be charging for security.

Twitter recently announced a plan to make SMS-based two-factor authentication a paid service as part of Twitter Blue — asking users to pay either $8 or $11 monthly for the feature set. Meta, Facebook’s parent company, also announced a new pay-for-verification service on Facebook and Instagram that will allow users to pay up to $14 a month for “a verified badge that authenticates your account with government ID, proactive account protection, access to account support, and increased visibility and reach.”

The Twitter plan falls into a gray area for me. I’ve talked to experts who pointed out that app-based multi-factor authentication — which is still free on Twitter — is safer than SMS MFA. So in theory, forcing people to pay for it would make them less likely to use it and switch to the free option.

However, among all Twitter users who utilize MFA, more than 74 percent of them opt into SMS-based authentication. Based on the estimated number of Twitter users (more than 353 million) and the total amount of users who use any type of MFA (2.6 percent), that means about 6,845,841 accounts will be forced to pay to continue their use of SMS-based authentication or switch to an app-based method.

Many of these users may switch to Twitter Blue or find a new way to keep MFA on their accounts. Many of them will just drop the feature altogether. I would argue any good social media company needs to keep its users’ safety a priority no matter what.

Things like making sure you can’t be impersonated on a site seem like it would be a basic expectation when you give up the amount of personal information you already must to sign up. And many consumers (especially someone who’d be considered the “Average Joe”) do not want to spend time downloading a new MFA app and completing the setup process.

Even the security savvy are growing tired of having to download multiple MFA apps for various uses, leaving password managers as the clearest path to a safe login (but those aren’t foolproof, either).

Meta and Twitter users who don’t want to pay for the additional protections have a few other options to improve their account’s security:

*   Purchase a physical security key that generates a unique code each time you go to log into your account.
*   Enroll in app-based multi-factor authentication (like Cisco Duo), which is still free to use on Twitter.
*   If you’re setting up an MFA app for the first time, follow the U.S. Cybersecurity and Infrastructure Security Agency’s guidelines for implementing phishing-resistant MFA.
*   If you opt to not enroll in any sort of MFA, use a password management program to generate a new, random password with a mix of characters and cases and store it securely using the program. But app-based MFA is always the safest option.

**The one big thing**

An unknown actor is deploying the new MortalKombat ransomware a GO variant of the Laplas Clipper malware, to steal cryptocurrency from victims. Talos researchers have seen several campaigns targeting individuals, small businesses and large organizations that aim to steal or demand ransom payments in cryptocurrency.

**Why do I care?**

MortalKombat (yes, a reference to that “Mortal Kombat”) is a new ransomware that just appeared in January, so we still know relatively little about this malware family, though new protections are now available from Talos. While cryptocurrency’s value is down across the board, that doesn’t mean attackers have stopped caring about it, and it’s still the safest way for attackers to make money without being tracked.

**So now what?**

Talos released several new Snort rules and ClamAV signatures to protect against the threats we outlined in last week’s blog post. Cisco Secure Endpoint users can also use Orbital Advanced Search to run complex OSqueries to see if their endpoints are infected with this specific threat.

**Top security headlines of the week**

**The Clop ransomware gang claims its recently breached more than 130 organizations**, many of them related to health care, with a large chunk affecting CHS Healthcare patients. CHS reported the breach to the U.S. Securities and Exchange Commission, saying that the attack targeted GoAnywhere MFT, a managed file transfer product. The filing stated the breach affected up to 1 million individuals. Members of Clop said it exploited the security flaw, CVE-2023-0669, which enables them to gain remote code execution on unpatched GoAnywhere MFT instances with their administrative console exposed to the internet. The breaches took place over the course of 10 days earlier this year. (Bleeping Computer, Ars Technica)

**The FBI said it recently “contained” a security incident** on its computer network, offering sparse details otherwise. “The FBI is aware of the incident and is working to gain additional information,” the bureau said in a statement to news network CNN. “This is an isolated incident that has been contained. As this is an ongoing investigation the FBI does not have further comment to provide at this time.” The report also indicates that the attack specifically targeted the portion of the FBI’s network it uses in investigations of images of child sexual exploitation. (CNN, InfoSecurity)

**Data brokers are increasingly relying on information from virtual therapy apps to profit from users’ information.** A new study from Duke University found that one firm even charged $100,000 a year for a "subscription" service to data that included information on individuals’ mental health conditions. This data included highly sensitive information, such as a person’s demographics, and what ailments they’ve reported, including depression, OCD, bipolar disorder and strokes. Virtual therapy apps have become increasingly popular among the American population, especially during the COVID-19 pandemic. They offer a cheaper and more accessible option to patients who often find it difficult to find therapy providers that accept insurance. (PBS, Washington Post, Duke University)

**Can’t get enough Talos?**

*   Crypto investors under attack by new malware, reveals Cisco Talos
*   Microsoft Patch Tuesday for February 2023 — Snort rules and prominent vulnerabilities
*   Beers with Talos Ep. #130: Ransomware is a people problem (but getting rid of email helps)

**Upcoming events where you can find Talos**

**WiCyS** **(March 16 - 18)**

Denver, CO

**RSA** **(April 24 - 27)**

San Francisco, CA

**Most prevalent malware files from Talos telemetry over the past week**

  
**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
**MD5:** 93fefc3e88ffb78abb36365fa5cf857c  
**Typical Filename:** Wextract  
**Claimed Product:** Internet Explorer  
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

**SHA 256:** e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c  
**MD5:** a087b2e6ec57b08c0d0750c60f96a74c  
**Typical Filename:** AAct.exe  
**Claimed Product:** N/A  
**Detection Name:** PUA.Win.Tool.Kmsauto::1201

**SHA 256:** 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725  
**MD5:** d47fa115154927113b05bd3c8a308201  
**Typical Filename:** mssqlsrv.exe  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.65065311

**SHA 256:** de3908adc431d1e66656199063acbb83f2b2bfc4d21f02076fe381bb97afc423  
**MD5:** 954a5fc664c23a7a97e09850accdfe8e  
**Typical Filename:** teams15.exe  
**Claimed Product:** teams15  
**Detection Name:** Gen:Variant.MSILHeracles.59885

**SHA 256:** 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa  
**MD5:** df11b3105df8d7c70e7b501e210e3cc3  
**Typical Filename:** DOC001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Worm.Coinminer::1201

Threat Source newsletter (Feb. 23, 2023) — Social media sites are making extra security a paid

Eliminate passwords in user authentication workflow with Vault Vision's passkey features like facial recognition, fingerprint and pin verification on all modern devices.

**DENVER, Feb. 22, 2023 /PRNewswire-PRWeb/ --** Vault Vision, a leading user  
authentication platform for developers announced the launch of passkey  
authentication technology enabling secure and convenient logins on modern  
devices. Legacy passwords are central to website and app security, but 81% of  
hacking-related breaches leveraged either stolen and/or weak passwords. A Google  
study found that 75% of Americans are frustrated with passwords and 43% have  
shared their password with someone. Passkey auth aims to solve an inherent  
weakness in passwords with support from Apple, Google and Microsoft on all  
modern browsers and devices.  
For application users, passkey is an easier replacement for passwords. With  
passkey, users can sign in to applications with biometric authentication such as  
a fingerprint or facial verification, PIN, or pattern, unlocking them from  
having to remember and manage passwords. A user can sign into applications on  
all modern devices using a passkey, which can be created on a mobile phone and  
used to sign in to a website on a separate laptop. Passkey authentication makes  
it phishing-resistant and brute force attacks, and one the most secure  
authentication methods available today. Vault Vision's one click passwordless  
login drastically improves the user registration and login workflow with the  
addition of passkey.

For developers, Vault Vision's user authentication platform enables easy  
integration of passwordless logins into any website or application built on  
React, Node, Python, Go and low code platforms like Webflow. Developers can  
leverage Vault Vision's open sourced examples available as GitHub repos in  
React, Node, Python and Go, which can be deployed with auto-generated and  
pre-set copy-and-paste environment configuration stanzas. These repos offer an  
implementation insight into the integration flows with auth use cases. "Vault  
Vision is the only passwordless-first auth platform that does not require a  
password during setup." said Neil Proctor, CEO and Founder, Vault Vision. "Our  
technology enables developers to register without passwords and start creating  
local development environments with our user auth in less than a minute. For end  
users, the convenience of passwordless login drives user registration and login  
growth with facial recognition, fingerprint & pin based verification on all  
modern devices".  
The addition of passkey auth and passwordless logins makes Vault Vision's one of  
the most secure authentication platform with its privacy-first architecture.  
Vault Vision is the only authentication platform that protects end user privacy  
from password breaches by eliminating use of third-party scripts and low quality  
sdk's. With the average authentication tool employing an average of eight  
tracking elements, Vault Vision maintains zero third-party dependence  
eliminating vendor breach risk for developers and the ability to operate in  
air-gapped and secure operating environments.  
Vault Vision offers free developer sandboxes and expert help with your free  
trial, learn more here.**About Vault Vision**  
Vault Vision is a no code user authentication platform that enables developers  
to easily deploy user auth & passwordless logins on React, Python, Go, Node  
applications and low code platforms like Webflow. Vault Vision's authentication  
technology increases login engagement and drives user registration growth with  
OpenID Connect (OIDC), FIDO2 and passkey logins. End users benefit from Vault  
Vision's convenient authentication features like passkey facial recognition,  
fingerprint, pin based verification, OIDC logins for Apple, Google and  
Microsoft, two-factor auth (2FA), multi-factor auth (MFA), universal time-based  
one-time password (TOTP) auth, SSO with email and hardware key auth. Vault  
Vision's is a FIDO Alliance member and its user authentication technology is  
OpenID Certified.

Vault Vision Launches One Click Passwordless Logins With Passkey User Authentication

File upload vulnerability in Instantdeveloper RD3 22.0.8500, allows attackers to execute arbitrary code.

Il team Offensive Security di Swascan ha identificato una vulnerabilità nel framework **Instant Developer** **RD3 < 22.5 r23**. 

La vulnerabilità interessa tutti gli applicativi sviluppati con il framework RD3 nelle versioni inferiori a quella indicata. 

****_Instant Developer_** **

_Instant Developer_ è una famiglia di piattaforme ad alta produttività per lo sviluppo di applicazioni multicanale e multipiattaforma progettata per risolvere i problemi che affliggono maggiormente i professionisti dello sviluppo software_._ 

****Technical summary** **

L’Offensive Security Team di Swascan ha trovato un importante vulnerabilità su:  

**Assets** 

**Vulnerability** 

**CVSS** 

**Severity** 

**Instant Developer RD3 Framework < 22.5 r23**

Arbitrary File Upload 

**9.8** 

**Critical** 

Nella seguente sezione vengono riportati i dettagli tecnici su questa vulnerabilità, comprese le evidenze e un proof-of-concept. Questa vulnerabilità può interessare tutti i clienti che utilizzano il software per sviluppare le proprie Webapp. 

**Dettaglio Vulnerabilità** 

**Framework RD3 – Arbitrary file upload** 

CWE-434: _Unrestricted File Upload_  

CVSSv3.1 Base Score: **9.8**  

CVSSv3.1 Base Vector:        AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 

OWASP Top10 2021:          A04 – Insecure Design 

**_Descrizione_** 

La vulnerabilità è stata individuata nella libreria “full.js” del framework RD3 di InstantDeveloper. 

Ciò può consentire ad un attaccante di effettuare l’upload di file malevoli per l’esecuzione di codice arbitrario o di una shell attraverso la quale potrebbe eseguire comandi arbitrari sul server remoto. A seguito di ciò, l’attaccante potrebbe altresì effettuare ricerca di credenziali, movimenti laterali all’interno dell’infrastruttura, oppure semplicemente creare disservizi (DoS) caricando file di grandi dimensioni. 

La vulnerabilità interessa tutti gli applicativi sviluppati con il framework RD3 nelle versioni inferiori alla 22.5 r23. 

**_Assets_** 

*   https://<TARGET>/<cartella applicazione>/<file applicazione>.aspx/?WCI=IWFiles&WCE=&SESSIONID=\[cookie Sessione\] 

**_Proof of Concept_** 

La vulnerabilità è stata individuata analizzando il file full.js dove è presente una porzione di codice relativa che riguarda l’upload di file. Ciò ha permesso di trovare l’entrypoint per creare il comando di upload. 

Di seguito viene riportata la porzione di codice sopra citata: 

**Evidenza** **1** **Codice sorgente full.js** 

Si mostra di seguito come sia stato possibile, sfruttando quanto descritto in precedenza, caricare sul server una reverse shell.  

Per ottenere tale risultato è stato edeguito il seguente comando 

curl -kis -F “\[email protected\]<FILE MALEVOLO>.aspx” -H “Cookie: ASP.NET\_SessionId=<CODICE SESSIONE>” -A Chrome https://<TARGET>/<cartella applicazione>/<file applicazione>.aspx /?WCI=IWFiles&WCE=&SESSIONID=<CODICE SESSIONE> 

Tale processo è descritto dalle seguenti evidenze: 

**Evidenza 2 Upload reverse shell** 

Di seguito viene mostrata la shell interattiva sul server: 

**Evidenza 3 Reverse shell interattiva sul server target** 

**_Remediation_** 

Ricompilare l’applicazione con l’ultima versione del framework 22.5 r23. 

**_Riferimenti_** 

*   https://cwe.mitre.org/data/definitions/434.html 
*   https://owasp.org/Top10/it/A04\_2021-Insecure\_Design/ 
*   https://docs.microsoft.com/it-it/dotnet/standard/security/secure-coding-guidelines 
*   https://cheatsheetseries.owasp.org/cheatsheets/DotNet\_Security\_Cheat\_Sheet.html 
*   https://doc.instantdeveloper.com/ 

****Considerazioni del Vendor** **

Durante il processo di Responsible Disclosure il vendo ha fornito le seguenti considerazioni per meglio specificare alcuni aspetti della vulnerabilità e della conseguente remediation: 

1) Per sfruttare la vulnerabilità era necessario conoscere il SessionID di una sessione utente che avesse effettuato il login (utente autenticato). Solo avendo accesso al browser dove era in esecuzione una sessione autenticata era possibile ottenere un SessionID valido. 

2) Se il programmatore non ha rimosso l’autenticazione dalla propria applicazione il sistema non permette l’upload di file in sessioni non autenticate (dalla versione 20.5). E’ compito del programmatore verificare le credenziali utente e autorizzare l’accesso all’applicazione solo quando è stato correttamente identificato (tramite username/password). 

3) A partire dalla versione 22.0 nella cartella TEMP dell’applicazione è stato inserito un apposito file che non permette l’esecuzione di file arbitrari. Il programmatore, che usa l’ambiente di sviluppo, non deve rimuovere tale file e deve correttamente installarlo nell’applicazione quando questa viene installata in produzione. 

4) Quando viene eseguito l’upload di un file da una sessione autenticata è compito del programmatore decidere se tale file è corretto o meno. Lo può fare implementando l’evento OnFileUpload nel quale può decidere se accettare o meno l’upload. Qualora l’upload sia rifiutato dal programmatore il file viene immediatamente rimosso dal disco. 

5) Pro Gamma fornisce un ambiente di sviluppo general purpose ed è compito del programmatore sviluppare l’applicazione e configurare il web server quando la stessa è resa disponibile su internet. 

3.  **Disclosure Timeline** 

*   25-07-2022: Vulnerabilità scoperta 

*   24-08-2022: Swascan contatta il vendor (1° tentativo, senza risposta) 
*   29-08-2022: Swascan richiede il CVE-ID  al mitre 
*   07-09-2022: Swascan contatta il vendor (2° tentativo, con risposta) 
*   15-09-2022: Swascan condivide il report con il vendor  
*   23-01-2023: Il vendor rilascia la versione 22.5 r23 
*   15-02-2023: Il mitre rilascia il CVE-ID CVE-2022-39983

CVE-2022-39983: ​​Vulnerability Report - Instant Developer RD3 (CVE-2022-39983)

A DoD email server hosted in the cloud (and now secured) had no password protection in place for at least two weeks.

A US Department of Defense email server hosted on Microsoft Azure's government cloud service reportedly was found wide open to the public Internet for a period of about two weeks before it was properly secured.

According to a report on TechCrunch, a security researcher spotted the email server containing internal US military messages, some with sensitive personal information, including an SF-86 questionnaire that federal workers fill out as part of their security clearance process. It was one of a group of email servers in the US Special Operations Command (USSCOM) but likely on the civilian side, the report said.

The email server appeared to have been misconfigured and was running without password protection. Once TechCrunch alerted USSCOM, the agency fixed the issue. "\[W\]hat we can confirm at this point is no one hacked US Special Operations Command's information systems," a USSCOM spokesperson told TechCrunch.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

US Military Emails Exposed via Cloud Account

It's a banner year for attacks coming through traditional email as well as newer collaboration technologies, such as Slack and Microsoft Teams. What's next?

Phishing and other messaging-based attacks continue to be a pervasive threat, with 97% of companies seeing at least one email phishing attack in the past 12 months and three-quarters of firms expecting significant costs from an email-based attack.

That's according to the "State of Email Security" (SOES) report, based on a survey of 1,700 IT professionals published by Mimecast this week. The report also found that the most significant email-borne threats continue to be phishing, ransomware, and spoofing. 

Two-thirds of respondents acknowledged a successful ransomware attack, with companies in certain industries more likely to be a victim, including consumer services (87%), energy (83%), healthcare (80%) and the media and entertainment (86%) sectors. On the spoofing side, 91% of those surveyed had seen attempts to steal or use their email domain in an attack, according to the survey.

The increased concern about cyberattacks via email and collaboration platforms comes as companies have shifted to hybrid work environments, making tools like Slack and Microsoft Teams popular ways of exploitation by opportunistic cybercriminals. Nearly three-quarters of companies surveyed feel it is likely or extremely likely that their company will suffer an attack delivered through their collaboration tools, according to the study, which was conducted by market research firm Vanson Bourne.

"While email remains the primary attack vector for bad actors, collaboration tools provide a new threat surface for cybercriminals to infiltrate," the report stated. "And this, in turn, creates even more risk for CISOs and their teams to manage."

Though certainly not a new area, attacks on messaging and collaboration software are a growing source of compromise for companies. In its quarterly "Phishing Activity Trends Report," the Anti-Phishing Working Group (APWG) detected 1.3 million attacks in third quarter of 2022, up from 1.1 million phishing attacks in the second quarter of 2022. Attackers are also getting better at fooling defenses and sneaking into users' inboxes, with 19% of phishing attacks bypassing platform defenses, according to a report released in October.

With the ramped-up activity comes more awareness, at least. "More \[company\] leaders are increasingly aware of the dangerous ramifications cyberattacks pose against their business," says Thom Bailey, senior director of strategy at Mimecast. "However, organizations are still behind the curve in terms of security posture."

**Collaboration Tools Expand Quickly**

Collaboration tools represent an expanding attack surface area, according to the SOES survey. While the vast majority of professionals (90%) maintain that collaboration tools are essential to their company's workflow, keeping up with the installed base of tools is "overwhelming," according to those polled. Two-thirds of professionals (67%) are overwhelmed by the number of tools, and more than half (55%) have to attempt to detect and manage tools downloaded by workers without approval.

That said, whether the attacker uses email as their vector, or Slack or Teams, the end goal is the same, Bailey says.

"It’s important to remember that even though the attack vector is slightly different, the human end user is still the key target," he says. "The majority of attacks targeting collaboration channels leverage the human element, where an adversary makes a compelling appeal for a recipient to engage with the attacker."

On the email side, more companies are adopting email security specifications, such as Domain-based Message Authentication, Reporting and Conformance (DMARC) and Brand Indicators for Message Identification (BIMI) to prevent spoofing. To protect their domains, 88% of survey respondents would like to use the DMARC standard to make their email more resilient to spoofing attacks. Unfortunately, only a bit more than a quarter (27%) have actually deployed the features, according to the SOES survey.

**Can ChatGPT Help With Phishing as Well?**

While anti-spam engines are among the earliest applications of machine learning to cybersecurity, most professionals aim to go further, with 92% either using or planning to use artificial intelligence (AI) features and machine learning (ML) to bolster their current defenses. Doing so can help cybersecurity teams keep up with attackers, Bailey says.

"When combined with natural language processing tools such as auto-encoders or large language models, \[AI\] can help detect anomalies in the writing style and communication patterns of inbound emails, blocking messages and alerting employees accordingly," he says. "It also helps reduce human error ... further enabling strained IT teams ... to offset critical workforce challenges by automating repetitive tasks and streamlining workflows to drive higher levels of efficiency."

The SOES survey included professionals from companies of various sizes, including 15% with fewer than 500 employees, 76% with between 500 and 10,000 employees, and 9% with more than 10,000 employees. The top industry sectors represented by the survey professionals included financial services (14%), technology and telecommunications (13%), retail (13%), and healthcare (11%).

Tag

#microsoft