New variants of a banking malware called Grandoreiro have been found to adopt new tactics in an effort to bypass anti-fraud measures, indicating that the malicious software is continuing to be actively developed despite law enforcement efforts to crack down on the operation.
"Only part of this gang was arrested: the remaining operators behind Grandoreiro continue attacking users all over the

New variants of a banking malware called Grandoreiro have been found to adopt new tactics in an effort to bypass anti-fraud measures, indicating that the malicious software is continuing to be actively developed despite law enforcement efforts to crack down on the operation.

"Only part of this gang was arrested: the remaining operators behind Grandoreiro continue attacking users all over the world, further developing new malware and establishing new infrastructure," Kaspersky said in an analysis published Tuesday.

Some of the other freshly incorporated tricks include the use of a domain generation algorithm (DGA) for command-and-control (C2) communications, ciphertext stealing (CTS) encryption, and mouse tracking. Also observed are "lighter, local versions" that are specifically focused on targeting banking customers in Mexico.

Grandoreiro, active since 2016, has consistently evolved over time, taking efforts to stay undetected, while also widening its geographic scope to Latin America and Europe. It's capable of stealing credentials for 1,700 financial institutions, located in 45 countries and territories.

It's said to operate under the malware-as-a-service (MaaS) model, although evidence points to it being only offered to select cybercriminals and trusted partners.

One of the most significant developments this year concerning Grandoreiro is the arrests of some of the group's members, an event that has led to the fragmentation of the malware's Delphi codebase.

"This discovery is supported by the existence of two distinct codebases in simultaneous campaigns: newer samples featuring updated code, and older samples which rely on the legacy codebase, now targeting only users in Mexico — customers of around 30 banks," Kaspersky said.

Grandoreiro is primarily distributed by means of a phishing email, and to a lesser extent, through malicious ads served on Google. The first stage is a ZIP file, which, in turn, contains a legitimate file and an MSI loader that's responsible for downloading and launching the malware.

Campaigns observed in 2023 have been found to leverage extremely large portable executables with a file size of 390 MB by masquerading as AMD External Data SSD drivers to bypass sandboxes and fly under the radar.

The banking malware comes equipped with features to gather host information and IP address location data. It also extracts the username and checks if it contains the strings "John" or "WORK," and if so, halts its execution.

"Grandoreiro searches for anti-malware solutions such as AVAST, Bitdefender, Nod32, Kaspersky, McAfee, Windows Defender, Sophos, Virus Free, Adaware, Symantec, Tencent, Avira, ActiveScan, and CrowdStrike," the company said. "It also looks for banking security software, such as Topaz OFD and Trusteer."

Another notable function of the malware is to check for the presence of certain web browsers, email clients, VPN, and cloud storage applications on the system and monitor user activity across those apps. Furthermore, it can act as a clipper to reroute cryptocurrency transactions to wallets under the threat actor's control.

Newer attack chains detected in the aftermath of the arrests this year include a CAPTCHA barrier prior to the execution of the main payload as a way to get around automatic analysis.

The latest version of Grandoreiro has also received significant updates, including the ability to self-update, log keystrokes, select the country for listing victims, detect banking security solutions, use Outlook to send spam emails and monitor Outlook emails for specific keywords.

It's also equipped to capture mouse movements, signaling an attempt to mimic user behavior and trick anti-fraud systems into identifying the activity as legitimate.

"This discovery highlights the continuous evolution of malware like Grandoreiro, where attackers are increasingly incorporating tactics designed to counter modern security solutions that rely on behavioral biometrics and machine learning," the researchers said.

Once the credentials are obtained, the threat actors cash out the funds to accounts belonging to local money mules by means of transfer apps, cryptocurrency, or gift cards, or an ATM. The mules are identified using Telegram channels, paying them $200 to $500 per day.

Remote access to the victim machine is facilitated using a Delphi-based tool named Operator that displays a list of victims whenever they begin browsing a targeted financial institution website.

"The threat actors behind the Grandoreiro banking malware are continuously evolving their tactics and malware to successfully carry out attacks against their targets and evade security solutions," Kaspersky said.

"Brazilian banking trojans are already an international threat; they're filling the gaps left by Eastern European gangs who have migrated into ransomware."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Grandoreiro Banking Malware Variants Emerge with Advanced Tactics to Evade Detection

Tax preparation firms shared user information with Google and Meta without proper consent by using tracking pixels

Four tax preparation software companies failed to comply with government rules that require the sharing of tax-related info to be done only with specific disclosures and full tax-payer consent, according to an audit released by the Treasure Inspector General for Tax Administration (TIGTA) in the United States.

> “According to Treasury Regulation § 301.7216-3, tax return information may not be used or disclosed except as specifically permitted or when the taxpayer provides consent.”

The Internal Revenue Service (IRS) partners with tax professionals and other entities that assist taxpayers in meeting their tax obligations. Before partnering with these professionals and entities, the IRS conducts suitability checks. But the IRS does not have awareness of the full scope of information that an online provider routinely collects, beyond what is filed with the IRS, or shared with third parties.

Further, the guidance for obtaining taxpayer consent to use or disclose taxpayer information does not specifically address the use of pixels, such as those used by Facebook and Google to track information on a website.

These pixels are basically a piece of code that website owners can place on their website. The pixel collects data that helps businesses track conversions from ads, optimize ads, build target audiences for future ads, and re-market to people that have already taken some kind of action on their website. That’s nice for the advertisers, but the combined information of all these pixels potentially provides the recipients with an almost complete portrait of your browsing behavior.

The audit was performed after TIGTA received a congressional letter raising concerns about the data sharing practices of online tax filing companies. This letter spoke of data sharing methods that used a pixel to capture an individual’s entries on the online tax filing companies’ website, which then sent data entered for the preparation of online tax returns to a third party to focus marketing and advertisement efforts to each user.

In other words, information that is highly regulated was collected and shared outside the rules of those regulations, which could have allowed for invasions of privacy.

TIGTA acknowledged that it shared similar concerns and that it was in the process of conducting a separate but related review.

TIGTA did not disclose the names of the four companies that were the subject of these investigations, but in a follow-up letter from 3 senators and a member of congress they mention TaxSlayer, H&R Block, TaxAct, and Ramsey Solutions.

The review found that the audited companies’ consent statements did not comply with the requirements of Treasury Regulation § 301.7216. Specifically, the consent statements did not clearly identify the intended purpose of the disclosure and the specific recipient(s) of the tax return information.

Based on the results TIGTA advised the IRS to update their revenue procedure to include language that consent statements must identify the purpose of disclosure and specific recipient(s); evaluate whether any updates are needed to the guidance regarding data sharing practices, e.g., the use of pixels; and identify and implement potential solutions that will ensure that online providers comply with the regulatory requirements of taxpayer consent statements.

The IRS has taken actions to address the previously reported deficiencies with the suitability check processes and procedures for tax preparation companies. For example, the IRS:

*   Updated procedures to ensure consistency with initial and continuous suitability checks.
*   Established a consistent adjudication process for applicants with a criminal history.
*   Modified procedures to systemically create cases requiring research and resolution for tax compliance issues.
*   Modified procedures to accept only electronic fingerprint cards.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 After concerns of handing Facebook taxpayer info, four companies found to have improperly shared data 

Russia, Iran, and China are targeting the US election with an evolving array of influence operations in the last days of campaign season.

As November 5 draws closer, the Microsoft Threat Analysis Center (MTAC) warned on Wednesday that malicious foreign influence operations launched by Russia, China, and Iran against the US presidential election are continuing to evolve and should not be ignored even though they have come to feel inevitable. In the group's fifth report, researchers emphasize the range of ongoing activities as well as the inevitability that attackers will work to stoke doubts about the integrity of the election in its aftermath.

In spite of escalating conflict in the Middle East, Microsoft says that Iran has been able to keep up its operations targeting the US election, particularly targeting the Trump campaign and attempting to foment anti-Israel sentiment. Russian actors, meanwhile, have been focused on targeting the Harris campaign with character attacks and AI-generated content, including deepfakes. And China has shifted its focus in recent weeks, researchers say, to target down-ballot Republican candidates as well as sitting members of Congress who promote policies adversarial to China or in conflict with its interests.

Crucially, MTAC says it is all but certain that these actors will attempt to stoke division and mistrust in vote security on Election Day and in its immediate aftermath.

“As MTAC observed during the 2020 presidential cycle, foreign adversaries will amplify claims of election rigging, voter fraud, or other election integrity issues to sow chaos among the US electorate and undermine international confidence in US political stability,” the researchers wrote in their report.

As the 2024 campaign season enters its final phase, the researchers say that they expect to see AI-generated media continuing to show up in new campaigns, particularly because content can spread so rapidly in the charged period immediately around Election Day. The report also notes that Microsoft has detected Iranian actors probing election-related websites and media outlets, “suggesting preparations for more direct influence operations as Election Day nears.”

Chinese actors focusing on US congressional races and other figures also indicates a fluency and far-reaching approach to deploying influence operations. China-backed groups have recently launched campaigns against US representative Barry Moore, and US senators Marsha Blackburn and Marco Rubio (who is not currently up for reelection), pushing corruption allegations and promoting opposing candidates.

MTAC says that many influence campaigns from all of the actors fail to gain traction. But the efforts are still significant, because the narratives that do break through can have significant impact, and the activity in general contributes to the volume and intensity of false and misleading claims circulating in the information landscape surrounding the election.

“History has shown that the ability of foreign actors to rapidly distribute deceptive content can significantly impact public perception and electoral outcomes,” MTAC general manager Clint Watts wrote in a blog post on Wednesday. “With a particular focus on the 48 hours before and after Election Day, voters, government institutions, candidates and parties must remain vigilant to deceptive and suspicious activity online.”

Microsoft Warns Foreign Disinformation Is Hitting the US Election From All Directions

Popular titles on both Google Play and Apple's App Store include hardcoded and unencrypted AWS and Azure credentials in their codebases or binaries, making them vulnerable to misuse by threat actors.

Source: Aleksia via Alamy Stock Photo

Several widely used mobile apps, some with millions of downloads, expose hardcoded and unencrypted credentials to cloud services within their code bases, researchers from Symantec have found. This potentially allows anyone with access to the app’s binary or source code to extract the credentials to exploit cloud infrastructure for misuse.

Popular apps for both Android and iPhone devices include credentials for either Amazon Web Services (AWS) and Microsoft Azure Blog Storage within their code, Symantec revealed in a blog post this week. And they're found on each device platform’s respective official mobile app store: Google Play and Apple's App Store.

"This dangerous practice means that anyone with access to the app's binary or source code could potentially extract these credentials and misuse them to manipulate or exfiltrate data, leading to severe security breaches," Symantec engineers wrote in the post.

Further, the "widespread nature" of the vulnerabilities across apps for both iOS and Android platforms "underscores the urgent need for a shift towards more secure development practices" when it comes to mobile applications, they added.

Symantec’s research zeroed in on a number of widely distributed mobile applications that included either AWS or Azure credentials in their codebases. In terms of the former, both Android and iOS apps are guilty of credential exposure, while several Android apps expose Azure storage credentials.

Related:SoftwareOne Launches Cloud Competency Centre in Malaysia

For example, an app called The Pic Stitch: Collage Maker found on the Google Play store contains hardcoded AWS production credentials — including the production Amazon S3 bucket name, the read and write access keys, and secret keys — in its codebase, the researchers found. It also reveals staging credentials in some cases.

**iOS Apps With Serious Security Risks**

Meanwhile, three iOS apps examined by Symantec also were found to expose AWS credentials. One called Crumbl, which has more than 3.9 million user ratings and is ranked No. 5 in the Food & Drink category on the Apple App Store, initializes an AWSStaticCredentialsProvider with plaintext credentials. The credentials, which are used to configure AWS services, include both an access key and secret key.

Furthermore, the app also includes another "significant security oversight" by including a WebSocket Secure (WSS) endpoint within its code. This endpoint, part of the Amazon API URL, is hardcoded with an API Gateway that directly connects to the Internet of Things services on AWS.

"Exposing such URLs alongside static credentials makes it easier for attackers to potentially intercept or manipulate communications, leading to unauthorized access to the associated AWS resources," the engineers wrote. Thus, this vulnerable configuration, without proper encryption or obfuscation, "presents a serious risk to the integrity of the application and its backend infrastructure," they noted.

Related:Unmanaged Cloud Credentials Pose Risk to Half of Orgs

Two other iOS apps with hundreds of thousands of App Store ratings also expose AWS credentials by hardcoding them directly within their code; the apps are Eureka: Earn Money for Surveys and Videoshop – Video Editor.

The former allocates an INMAWSCredentials object and initializes it with the access key and secret key, both stored in plaintext and which can be used to log events to AWS, "exposing critical cloud resources to potential attacks," the engineers said.

The latter directly embeds unencrypted AWS credentials in the \[VSAppDelegate setupS3\] method, which means anyone with access to the app's binary could easily extract them. This would give them unauthorized access to the associated S3 buckets and potentially lead to data theft or manipulation.

**Android Apps Expose Azure Credentials**

Similarly, three Android applications expose credentials to Microsoft Azure Blob Storage directly, via either their binaries or codebases, Symantec found.

Related:Cisco Disables DevHub Access After Security Breach

An Indian ride-sharing app, Meru Cabs — which has more than 5 million downloads on Google Play — includes hardcoded Azure credentials within its UploadLogs service by embedding a connection string that includes an account key. "This connection string is used to manage log uploads, exposing critical cloud storage resources to potential abuse," the engineers wrote.

Sulekha Business, another Android app with more than 500,000 downloads, embeds multiple hardcoded Azure credentials used for various purposes — such as adding posts, handling invoices, and storing user profiles — across its codebase.

A third Android app that also has more than 500,000 downloads, ReSound Tinnitus Relief, also hardcodes Azure Blob Storage credentials for managing various assets and sound files, the exposure of which could lead to unauthorized access and data breaches.

**Mitigation Begins With App Development**

Symantec’s findings come a day after the release of a report by Datadog that found that unmanaged credentials that live for too long on a cloud-based network posed a security risk to half of organizations. Indeed, any inadvertent disclosure of credentials to cloud services exposes any organization with network infrastructure, software, or other assets running on them to significant risk, according to Symantec.

A good place to start to mitigate these risks is in the development of applications, where developers should follow best practices for managing sensitive information. They include the use of environment variables to store sensitive credentials so they are loaded at runtime rather than embedded directly in the app's code, according to Symantec.

Developers also should use dedicated secrets management tools, such as AWS Secrets Manager or Azure Key Vault, to securely store and access credentials. If the credentials must be stored in the app, then they should ensure that they use strong encryption algorithms, and decrypt them at runtime as needed.

According to Symantec, another way to protect credentials and also avoid other potential app-development missteps is to integrate automated security-scanning tools into the development pipeline to detect common security flaws early in the development process.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Mobile Apps With Millions of Downloads Expose Cloud Credentials

The #opentowork hashtag may attract the wrong crowd as criminals target LinkedIn users to steal personal information, or scam them.

Microsoft’s social network for professionals, LinkedIn, is an important platform for job recruiters and seekers alike. It’s also a place where criminals go to find new potential victims.

Like other social media platforms, LinkedIn is no stranger to bots attracted to special keywords and hashtags. Think “I was laid off”, “I’m #opentowork” and similar phrases that can wake up a swarm of bots hungry to scam someone new.

Bots are problematic as they not only create a poor user experience but also present real security risks. Perhaps even more insidious are customized phishing attempts, where fraudulent LinkedIn accounts directly reach out to their victim via the premium InMail feature. In this case, it’s all about harvesting personal information from targets of interest.

In this article, we review recent observations and provide tips for job seekers and users of the platform in general.

**Hungry bots**

Online bots are so common that they transcend every possible industry: advertising, music and concerts, social media, games, and more. There are even companies whose entire business model is to disrupt and contain bots. The impact of bots depends on which point of view you are taking, as it can range from simple nuisance, to opinion swaying, costly fraud, and a lot more in between.

We recently observed fake LinkedIn accounts that prey on those just laid off. Within minutes of a post, dozens of accounts start replying with links or requests to be added as a connection.

The use of certain hashtags was already known to attract bots, and the _#opentowork_ one is no different. Ironically, even a recruiter was previously swamped with similar messages and questioned whether they might have to refrain from ever having to use the hashtag again:

The battle between HR and the bots was featured in a Brian Krebs article from a couple of years ago. While the accounts we saw in the most recent campaign were not labeled as recruiters directly, they often pointed to other profiles that were. In the majority of cases, scammers used the name of real people and their pictures to create new accounts.

It appears their primary goal may be to gain connections by pretending to help a job seeker. This may increase the supposed authenticity of their profile and make it harder to shut them down.

LinkedIn did take action sometime after we witnessed the original spam wave. Many of the accounts indeed disappeared and comments were removed. It’s unclear whether this was a result of user reports, LinkedIn’s own algorithms, or a combination of both.

Fine tuning anti-fraud algorithms requires constant calibration, and isn’t without casualties. Some content creators have been banned due to “false positives”, eroding the trust and dedication they put into the platform.

**You’ve got InMail**

While bots are annoying, they are usually so predictable and noisy that they can be spotted from miles away, especially when they duplicate their own comments on the same post. More dangerous are personalized requests that come directly into a user’s inbox.

It’s the same idea of a fake recruiter, but the profile looks more credible and scammers are using paid accounts. In fact, the ability to send a message to a user who’s not in your circle of contacts, is one of LinkedIn’s feature for going premium, called InMail.

In the image seen above, an alleged Amazon recruiter going by the name “Kay Poppe”, sent a direct message about a unique job opportunity at Amazon Web Services. The so-called recruiter’s profile picture looks to be AI-generated, and the name Kay Poppe vaguely reminds us of “K-pop”, the Korean pop music phenomenon. Perhaps this is a bit of a stretch, but we couldn’t help but think of North Korea’s relentless phishing attempts.

This was not a standard, copy-paste message but rather a carefully crafted one based on the victim’s job profile. The link shortener they used was related to their current position and was the hook to get them to visit a fake LinkedIn page showing a number of documents related to that role. None of the links to the documents actually load what they claim to be, instead they are meant to be a segway to a page hosting a phishing kit.

In this particular instance, this is the Rockstar2FA phishing-as-a-service toolkit used to harvest Google credentials. As more and more people are using two-factor authentication, criminals have come up with their own methods to bypass 2FA. While it is recommended to avoid SMS-based verification and instead use a one-time password (OTP) app, users can still get social engineered into entering the temporary code into a phishing page.

Stealing a Google account is usually only the first step in longer chain leading to a full compromise. Many people use their Google email as a recovery address for a number of other online accounts. This can allow a criminal to reset as many passwords as they can get their hands on before the victim even realizes what’s happened. It’s also not unusual to get locked out of your account and then struggle to regain control of it.

**Fish in a larger pod**

Scammers are notorious for targeting the vulnerable, and one could say that after losing a job you probably feel this way. All too eager to regain employment, you may jump at the first opportunity and engage in a conversation that could end badly.

Many of the bots spamming via comments tie back to some kind of fraud such as the advance-fee scam where you need to pay an up-front fee in order to receive goods or services. Some job offers are also too good to be true, and you could unknowingly participate in illegal activities by helping to funnel and launder money.

The more targeted phishing attempts are dangerous not only for the individual in question but also for the company they work for. This may be the case if you are not actively looking for a new job, and as such compromising you could in turn have further consequences, such as getting an entry point into an entire organization.

Whether you are looking for a job or already have one, you should expect to get contacted by some unknown third-party at some point. Treat every such inquiry with suspicion and caution. Remember that on the internet, not everyone is who they pretend to be.

Also, consider passkeys, a newer form of authentication that was specifically designed to move away from passwords and be less prone to phishing attacks. They rely on a private-public key exchange between a device and the service’s login page removing the need to enter passwords or codes.

If you ever fall victim to a scam, time is of the essence. Immediately:

*   be on the lookout for unusual account changes
*   proactively do a full password sweep
*   reach out to your bank and credit card company
*   inform your contacts who may receive fraudulent messages coming from you

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 LinkedIn bots and spear phishers target job seekers 

ABB Cylon Aspect version 3.08.01 suffers from an unauthenticated log information disclosure vulnerability. An unauthorized attacker can reference the affected page and disclose the webserver's log file containing system information running on the device.

    ABB Cylon Aspect 3.08.01 (logCriticalLookup.php) Unauthenticated Log DisclosureVendor: ABB Ltd.Product web page: https://www.global.abbAffected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio                  Firmware: <=3.08.01Summary: ASPECT is an award-winning scalable building energy managementand control solution designed to allow users seamless access to theirbuilding data through standard building protocols including smart devices.Desc: The ABB BMS/BAS controller suffers from an unauthenticated log informationdisclosure vulnerability. An unauthorized attacker can reference the affectedpage and disclose the webserver's log file containing system information runningon the device.Tested on: GNU/Linux 3.15.10 (armv7l)           GNU/Linux 3.10.0 (x86_64)           GNU/Linux 2.6.32 (x86_64)           Intel(R) Atom(TM) Processor E3930 @ 1.30GHz           Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz           PHP/7.3.11           PHP/5.6.30           PHP/5.4.16           PHP/4.4.8           PHP/5.3.3           AspectFT Automation Application Server           lighttpd/1.4.32           lighttpd/1.4.18           Apache/2.2.15 (CentOS)           OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)           OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)Vulnerability discovered by Gjoko 'LiquidWorm' Krstic                            @zeroscienceAdvisory ID: ZSL-2024-5848Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5848.php21.04.2024--$ cat project                 P   R   O   J   E   C   T                        .|                        | |                        |'|            ._____                ___    |  |            |.   |' .---"|        _    .-'   '-. |  |     .--'|  ||   | _|    |     .-'|  _.|  |    ||   '-__  |   |  |    ||      |     |' | |.    |    ||       | |   |  |    ||      | ____|  '-'     '    ""       '-'   '-.'    '`      |____░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░  ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░          ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░          ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░          ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░         ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░ $ curl http://192.168.73.31/logCriticalLookup.php

ABB Cylon Aspect 3.08.01 logCriticalLookup.php Unauthenticated Log Disclosure

    ABB Cylon Aspect 3.08.01 (throttledLog.php) Unauthenticated Log DisclosureVendor: ABB Ltd.Product web page: https://www.global.abbAffected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio                  Firmware: <=3.08.01Summary: ASPECT is an award-winning scalable building energy managementand control solution designed to allow users seamless access to theirbuilding data through standard building protocols including smart devices.Desc: The ABB BMS/BAS controller suffers from an unauthenticated log informationdisclosure vulnerability. An unauthorized attacker can reference the affectedpage and disclose the webserver's log file containing system information runningon the device.Tested on: GNU/Linux 3.15.10 (armv7l)           GNU/Linux 3.10.0 (x86_64)           GNU/Linux 2.6.32 (x86_64)           Intel(R) Atom(TM) Processor E3930 @ 1.30GHz           Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz           PHP/7.3.11           PHP/5.6.30           PHP/5.4.16           PHP/4.4.8           PHP/5.3.3           AspectFT Automation Application Server           lighttpd/1.4.32           lighttpd/1.4.18           Apache/2.2.15 (CentOS)           OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)           OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)Vulnerability discovered by Gjoko 'LiquidWorm' Krstic                            @zeroscienceAdvisory ID: ZSL-2024-5847Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5847.php21.04.2024--$ cat project                 P   R   O   J   E   C   T                        .|                        | |                        |'|            ._____                ___    |  |            |.   |' .---"|        _    .-'   '-. |  |     .--'|  ||   | _|    |     .-'|  _.|  |    ||   '-__  |   |  |    ||      |     |' | |.    |    ||       | |   |  |    ||      | ____|  '-'     '    ""       '-'   '-.'    '`      |____░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░  ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░          ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░          ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░          ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░         ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░ $ curl http://192.168.73.31/throttledLog.php?instance=1

ABB Cylon Aspect 3.08.01 throttledLog.php Unauthenticated Log Disclosure

Ubuntu Security Notice 7079-1 - Several security issues were discovered in the WebKitGTK Web and JavaScript engines. If a user were tricked into viewing a malicious website, a remote attacker could exploit a variety of issues related to web browser security, including cross-site scripting attacks, denial of service attacks, and arbitrary code execution.

    ==========================================================================Ubuntu Security Notice USN-7079-1October 22, 2024webkit2gtk vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 24.04 LTS- Ubuntu 22.04 LTSSummary:Several security issues were fixed in WebKitGTK.Software Description:- webkit2gtk: Web content engine library for GTK+Details:Several security issues were discovered in the WebKitGTK Web and JavaScriptengines. If a user were tricked into viewing a malicious website, a remoteattacker could exploit a variety of issues related to web browser security,including cross-site scripting attacks, denial of service attacks, andarbitrary code execution.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 24.04 LTS  libjavascriptcoregtk-4.1-0      2.46.1-0ubuntu0.24.04.1  libjavascriptcoregtk-6.0-1      2.46.1-0ubuntu0.24.04.1  libwebkit2gtk-4.1-0             2.46.1-0ubuntu0.24.04.1  libwebkitgtk-6.0-4              2.46.1-0ubuntu0.24.04.1Ubuntu 22.04 LTS  libjavascriptcoregtk-4.0-18     2.46.1-0ubuntu0.22.04.3  libjavascriptcoregtk-4.1-0      2.46.1-0ubuntu0.22.04.3  libjavascriptcoregtk-6.0-1      2.46.1-0ubuntu0.22.04.3  libwebkit2gtk-4.0-37            2.46.1-0ubuntu0.22.04.3  libwebkit2gtk-4.1-0             2.46.1-0ubuntu0.22.04.3  libwebkitgtk-6.0-4              2.46.1-0ubuntu0.22.04.3This update uses a new upstream release, which includes additional bugfixes. After a standard system update you need to restart any applicationsthat use WebKitGTK, such as Epiphany, to make all the necessary changes.References:  https://ubuntu.com/security/notices/USN-7079-1  CVE-2024-40866, CVE-2024-44187Package Information:  https://launchpad.net/ubuntu/+source/webkit2gtk/2.46.1-0ubuntu0.24.04.1  https://launchpad.net/ubuntu/+source/webkit2gtk/2.46.1-0ubuntu0.22.04.3

Ubuntu Security Notice USN-7079-1

Red Hat Security Advisory 2024-8232-03 - Red Hat OpenShift Container Platform release 4.17.2 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a denial of service vulnerability.

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8232.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: OpenShift Container Platform 4.17.2 packages and security update  
Advisory ID:        RHSA-2024:8232-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:8232  
Issue date:         2024-10-23  
Revision:           03  
CVE Names:          CVE-2024-5569  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.17.2 is now available with updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.17.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.17.2. See the following advisory for the container images for this release:

https://access.redhat.com/errata/RHSA-2024:8229

Security Fix(es):

* encoding/gob: golang: Calling Decoder.Decode on a message which contains  
deeply nested structures can cause a panic due to stack exhaustion  
(CVE-2024-34156)  
* github.com/jaraco/zipp: Denial of Service (infinite loop) via crafted zip  
file in jaraco/zipp (CVE-2024-5569)  
* go/parser: golang: Calling any of the Parse functions containing deeply  
nested literals can cause a panic/stack exhaustion (CVE-2024-34155)  
* go/build/constraint: golang: Calling Parse on a \"// +build\" build tag  
line with deeply nested expressions can cause a panic due to stack  
exhaustion (CVE-2024-34158)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

All OpenShift Container Platform 4.17 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.17/updating/updating_a_cluster/updating-cluster-cli.html

Solution:

https://docs.openshift.com/container-platform/4.17/release_notes/ocp-4-17-release-notes.html

CVEs:

CVE-2024-5569

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2296413  
https://bugzilla.redhat.com/show_bug.cgi?id=2310527  
https://bugzilla.redhat.com/show_bug.cgi?id=2310528  
https://bugzilla.redhat.com/show_bug.cgi?id=2310529

Red Hat Security Advisory 2024-8232-03

Red Hat Security Advisory 2024-8228-03 - Red Hat OpenShift Container Platform release 4.17.2 is now available with updates to packages and images that fix several bugs.

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8228.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Low: OpenShift Container Platform 4.17.2 security and extras update  
Advisory ID:        RHSA-2024:8228-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:8228  
Issue date:         2024-10-22  
Revision:           03  
CVE Names:          CVE-2023-37920  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.17.2 is now available with updates to packages and images that fix several bugs.

This release includes a security update for Red Hat OpenShift Container Platform 4.17.

Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.17.2. See the following advisory for the container images for this release:

https://access.redhat.com/errata/RHSA-2024:8229

Security Fix(es):

* python-certifi: Removal of e-Tugra root certificate (CVE-2023-37920)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

All OpenShift Container Platform 4.17 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.17/updating/updating_a_cluster/updating-cluster-cli.html

Solution:

https://docs.openshift.com/container-platform/4.17/release_notes/ocp-4-17-release-notes.html

CVEs:

CVE-2023-37920

References:

https://access.redhat.com/security/updates/classification/#low  
https://bugzilla.redhat.com/show_bug.cgi?id=2226586

Tag

#web