A bi-weekly list of AppSec vulnerabilities, new hacking techniques, and other cybersecurity news
“A large-scale, catastrophic cyber event is likely within the next two years,” say 93 percent of cyber security experts and 86 percent of the business leaders surveyed by the World Economic Forum (WEF).
Geopolitical instability and a persistent lack of cybersecurity skills are making the situation even more precarious and forcing companies to rethink their presence in certain regions, according to the WEF Global Cybersecurity Outlook 2023 report, which polled 300 experts and C-suite executives.
Meanwhile, we’re still seeing a lot of very, very bad cyber attacks and breaches: another massive breach at T-Mobile (this time 37 million customers were affected), the theft of source code and a 10 million USD ransom demand from video game developer Riot Games, and the accidental disclosure by the US government of its 2019 airline No Fly List of suspected terrorists.
The LastPass situation also continues to evolve following the password vault breach in November, with the password manager’s latest update acknowledging that “a threat actor exfiltrated encrypted backups from a third-party cloud storage service.”
While rival services will no doubt jump at the opportunity to increase their market share given the collapse of the market leader’s reputation, the hack also potentially brings unprecedented scrutiny to a hitherto highly regarded field. Indeed, The Daily Swig recently reported how several popular password managers auto-filled credentials on untrusted websites, and how Bitwarden responded to renewed criticism of its encryption scheme by improving its default security configuration.
A fruitful security audit of the Git source code is another important story we’ve covered since the last issue of Deserialized.
Here are some more web security stories and other cybersecurity news that caught our attention over the past two weeks:
Web vulnerabilities
Research and attack techniques
- Vulnerabilities in the popular open source health records and medical practice management platform OpenEMR allowed remote attackers to steal sensitive patient data and, even worse, execute arbitrary system commands on any OpenEMR server (courtesy of Sonar)
- Jerry Shah shares how he found an API misconfiguration in a SwaggerUI endpoint on an unnamed web application, tested under a private bug bounty program, that leaked a token from local storage
- ChatGPT lowers barriers to entry for threat actors with limited programming or technical skills, but the alarmingly sophisticated chatbot is unlikely to make state-sponsored miscreants any more effective, according to Recorded Future
- Maksym Yaremchuk – number 80 on HackerOne’s all-time leaderboard, no less – details a pair of critical-severity account takeover exploits he crafted while participating in a private bug bounty program
- GitHub researcher Man Yue Mo achieves arbitrary kernel code execution and roots a Google Pixel 6 mobile phone from an Android app
ChatGPT lowers barriers to entry for cybercrime but does little for state-sponsored cybercriminals
Bug bounty/vulnerability disclosure
- Security researchers can mathematically prove the presence of software vulnerabilities without disclosing details that, in the wrong hands, could lead to malicious exploitation, explains New Scientist’s latest feature (paywall)
- Intigriti wrote a blog post about a safe harbor clause for security researchers created by Belgium’s whistleblower protection law
- The Daily Swig recently reported on the upcoming third edition of the Hack the Pentagon challenge, CORS misconfigurations in Tesla and other unnamed applications that earned researchers “several thousand dollars,” and a vulnerability in the Google Cloud Platform (GCP) project that earned a researcher more than $22,000
- Other recent write-ups include a $3,000 bounty for reflected XSS in Microsoft Forms, and Bug Bounty Switzerland’s inaugural “vulnerability of the month,” which involved a limited-time private program and thousands of devices exposed to the internet
- Bug hunter interviews with British hacker and YouTuber InsiderPhD and with todayisnew were posted on HackerOne and Bugcrowd respectively
New open source infosec/hacking tools
- Gato – or GitHub Attack Toolkit – assesses the impact of compromised personal access tokens on GitHub development environments. It can also enumerate public repos that use self-hosted runners, which GitHub recommends be used only on private repositories because otherwise “public repository forks can run malicious code on your self-hosted runner machine by creating a pull request that executes the code in a workflow”
- Highlighter and Extractor (HaE) – Paris-based crowd-sourced security platform YesWeHack has released a Burp Suite extension that collects, categorizes, and highlights requests and/or responses to help detect vulnerable code patterns, bugs, reflections, and more
- PyCript – another Burp Suite extension, this time allowing you to bypass client-side encryption with custom logic, for manual and automated testing, using Python and NodeJS
- See Proxy – Golang reverse proxy with CobaltStrike malleable profile validation
- CVE-2022-47966 reader – assess your exposure to a critical RCE bug affecting at least 24 on-premises ManageEngine products and currently under active exploitation
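As an added example (not code from the page or from the Gato project), a small defender-side checker for the configuration the Gato item warns about: a workflow in a public repository that runs pull-request-triggered jobs on a self-hosted runner. It assumes the standard GitHub Actions YAML layout with two-space indentation and uses simple line matching rather than a YAML library; the sample workflow is constructed.

```python
import re
# Constructed sample workflow (not from the page or from Gato): a PR-triggered job
# runs on a self-hosted runner, which GitHub advises against for public repos since
# a pull request from a fork can run attacker-chosen code on that runner machine.
SAMPLE_WORKFLOW = """\
name: ci
on:
  pull_request:
  push:
jobs:
  build:
    runs-on: [self-hosted, linux]
    steps: [{run: make test}]
  lint:
    runs-on: ubuntu-latest
    steps: [{run: make lint}]
"""
# Hardened variant: the same build job moved onto a GitHub-hosted runner.
HARDENED_WORKFLOW = SAMPLE_WORKFLOW.replace("[self-hosted, linux]", "ubuntu-latest")
PR_TRIGGERS = {"pull_request", "pull_request_target"}

def analyse(workflow):
    """Single line-oriented pass over a workflow in the usual GitHub Actions layout.
    Returns (trigger events, names of jobs whose runs-on has the self-hosted label).
    Assumes two-space indentation under 'on:' and 'jobs:'; not a full YAML parser."""
    section, job, events, self_hosted = None, None, set(), []
    for line in workflow.splitlines():
        top = re.match(r"^([A-Za-z_]+):\s*(.*)$", line)
        if top:  # top-level key: name:, on:, jobs:, ...
            section, job = top.group(1), None
            if section == "on" and top.group(2):  # flow form: on: [push, pull_request]
                events |= {e.strip() for e in top.group(2).strip("[]").split(",")}
            continue
        key = re.match(r"^  ([A-Za-z0-9_-]+):", line)  # two-space indent: event or job
        if key and section == "on":
            events.add(key.group(1))
        elif key and section == "jobs":
            job = key.group(1)
        runs_on = re.match(r"^\s+runs-on:\s*(.+)$", line)
        if section == "jobs" and job and runs_on and "self-hosted" in runs_on.group(1):
            self_hosted.append(job)
    return events, self_hosted

def risky_jobs(workflow, public_repo):
    """Jobs that would run fork-submitted pull request code on a self-hosted runner."""
    events, self_hosted = analyse(workflow)
    if not public_repo or not (events & PR_TRIGGERS):  # only public repos take fork PRs
        return []
    return self_hosted
```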
More industry news
- NIST outlines potential updates (PDF) to the NIST Cybersecurity Framework and invites feedback from the infosec community
- In other US federal agency news, the NSA has issued IPv6 security guidance (PDF), CISA has updated its best practices for mapping to the MITRE ATT&CK framework (PDF), and CISA, the NSA, and MS-ISAC have jointly warned (PDF) about the malicious use of legitimate remote monitoring and management (RMM) software
- Google documents progress on using randomization of query names in DNS queries sent to authoritative name servers to reduce cache poisoning
- Google also follows through on its intention to drop TrustCor Systems as a Chrome root certificate authority (CA) by confirming a timetable for when its certificates will be derecognised
- Cloud-based cyber attacks jumped 48% year on year as malicious hackers capitalise on digital transformation trends, according to a Check Point report
Previous edition of Deserialized web security roundup: Slack and Okta breaches, lax US government password notifications, and more