Feed aggregator

Tank, the leader of the Zeus cybercrime gang, was arrested by the Swiss police

Security Affairs - Thu, 11/17/2022 - 05:21
A suspected leader of the Zeus cybercrime gang, Vyacheslav Igorevich Penchukov (aka Tank), was arrested by Swiss police.

Last month Swiss police arrested Vyacheslav Igorevich Penchukov (40), also known as Tank, in Geneva; he is one of the leaders of the JabberZeus cybercrime group.

“Vyacheslav “Tank” Penchukov, the accused 40-year-old Ukrainian leader of a prolific cybercriminal group that stole tens of millions of dollars from small to mid-sized businesses in the United States and Europe, has been arrested in Switzerland, according to multiple sources.” reported the popular investigator Brian Krebs.

“Penchukov was named in a 2014 indictment by the U.S. Department of Justice as a top figure in the JabberZeus Crew, a small but potent cybercriminal collective from Ukraine and Russia that attacked victim companies with a powerful, custom-made version of the Zeus banking trojan.”

The man will be extradited to the United States on November 15, according to a statement from the Federal Office of Justice (FOJ) in Switzerland.

Penchukov is on the FBI’s “Most Wanted” list and has been sought for 10 years.

Penchukov opposed extradition during a hearing on October 24 and will likely appeal the decision at the Swiss Federal Criminal Court and the Swiss Supreme Court.

“By order of the Federal Office of Justice (FOJ) and based on an extradition request from the USA, a Ukrainian national was arrested in the Canton of Geneva on 23 October 2022 and detained pending extradition,” Swiss prosecutors told BleepingComputer. “The US authorities accuse the prosecuted person of extortion, bank fraud, and identity theft, among other things. During the hearing on 24 October 2022, the person did not consent to his extradition to the USA via a simplified proceeding.” “After completion of the formal extradition procedure, the FOJ has decided to grant his extradition to the USA on 15 November 2022. The decision of the FOJ may be appealed at the Swiss Criminal Federal Court, respectively at the Swiss Supreme Court.”

In response to an enquiry mentioning Penchukov, following earlier reporting by @BrianKrebs, a spokesperson for the Swiss Federal Office of Justice sent the following statement.

— Alexander Martin (@AlexMartin) November 16, 2022

In 2012, the Ukrainian national Vyacheslav Igorevich Penchukov was accused of being a member of a cybercrime gang known as the JabberZeus Crew, a small cybercriminal ring that targeted SMBs with a custom-made version of the Zeus banking trojan. At the time, the DoJ accused Penchukov of coordinating the exchange of stolen banking credentials and money mules, and of receiving alerts once a bank account had been compromised.

Krebs reported that Gary Warner, director of research in computer forensics at the University of Alabama at Birmingham, noted in 2014 that Tank told co-conspirators in a JabberZeus chat on July 22, 2009 that his daughter, Miloslava, had been born that day, and told them Miloslava’s birth weight.

Warner explained that Tank was identified by searching Ukrainian birth records for the only girl named Miloslava born on that day with a specific birth weight.

Krebs pointed out that Penchukov was able to evade prosecution by Ukrainian authorities for many years due to his political connections. The late son of former Ukrainian President Victor Yanukovych would serve as godfather to Tank’s daughter Miloslava.

Two other members of the gang, Yevhen Kulibaba and Yuriy Konovalenko, were arrested in 2014 and pleaded guilty. Both were sentenced in May 2015 to two years and ten months of incarceration, followed by one year of supervised release.

Another member of the JabberZeus gang, Maksim Yakubets (aka “Aqua”) is currently wanted by the FBI, which is offering a $5 million reward for information leading to his arrest and conviction.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon


Pierluigi Paganini

(SecurityAffairs – hacking, Zeus)

The post Tank, the leader of the Zeus cybercrime gang, was arrested by the Swiss police appeared first on Security Affairs.

Categories: Cyber Security News

FBI-Wanted Leader of the Notorious Zeus Botnet Gang Arrested in Geneva

The Hacker News - Thu, 11/17/2022 - 05:11
A Ukrainian national who has been wanted by the U.S. for over a decade has been arrested by Swiss authorities for his role in a notorious cybercriminal ring that stole millions of dollars from victims' bank accounts using malware called Zeus. Vyacheslav Igorevich Penchukov, who went by the online pseudonyms "tank" and "father," is said to have been involved in the day-to-day operations of the group

100 Apps, Endless Security Checks

The Hacker News - Thu, 11/17/2022 - 05:00
On average, organizations report using 102 business-critical SaaS applications, enabling the operations of most departments across an organization, such as IT and Security, Sales, Marketing, R&D, Product Management, HR, Legal, Finance, and Enablement. An attack can come from any app, no matter how robust the app is. Without visibility and control over a critical mass of an organization’s entire SaaS

* HackYeah 2022: free entry with the code NIEBEZPIECZNIK

Niebezpiecznik.pl - Thu, 11/17/2022 - 04:00
Free pizza, technology challenges, almost a million złoty in the prize pool and plenty of good coffee: that is HackYeah in one sentence! Want to find out how to join the event completely free of charge and earn a second salary in 24 hours? Join us! On 19-20 November the eighth edition of Europe’s largest on-site hackathon takes place at Kraków’s Tauron Arena. The event is aimed at […]

Iran-linked threat actors compromise US Federal Network

Security Affairs - Thu, 11/17/2022 - 02:58
Iran-linked threat actors compromised a Federal Civilian Executive Branch organization using a Log4Shell exploit and installed cryptomining malware.

According to a joint advisory published by the FBI and CISA, an Iran-linked APT group compromised a Federal Civilian Executive Branch (FCEB) organization using an exploit for the Log4Shell flaw (CVE-2021-44228) and deployed cryptomining malware.

Log4Shell impacts the products of several major companies that use Log4j, but in many attacks, the vulnerability has been exploited against affected VMware software.

In this specific case, the Iranian hackers hacked an unpatched VMware Horizon server to gain remote code execution.

“CISA obtained four malicious files for analysis during an on-site incident response engagement at a Federal Civilian Executive Branch (FCEB) organization compromised by Iranian government sponsored advanced persistent threat (APT) actors.” reads the Malware Analysis Report (AR22-320A) published by CISA. “These files have been identified as variants of the XMRIG cryptocurrency mining software. The files include a kernel driver, two Windows executables, and a configuration file to control one of the executable’s behavior on the network and infected host.”

CISA conducted an incident response engagement in the impacted Federal Civilian Executive Branch (FCEB) organization between mid-June and mid-July 2022.

The government experts discovered that after the installation of the XMRig crypto miner, the attackers performed lateral movement reaching the domain controller (DC), compromised credentials, and then implanted Ngrok reverse proxies on several hosts to maintain persistence within the compromised network.

“CISA and the Federal Bureau of Investigation (FBI) assess that the FCEB network was compromised by Iranian government-sponsored APT actors.” reads the joint advisory. “CISA and FBI are releasing this Cybersecurity Advisory (CSA) providing the suspected Iranian government-sponsored actors’ tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help network defenders detect and protect against related compromises.”

CISA and FBI encourage all organizations running vulnerable VMware servers to assume compromise and initiate threat-hunting activities.

The joint advisory urges organizations that suspect initial access or compromise to assume lateral movement by the threat actors, investigate connected systems (including the DC), and audit privileged accounts. The advisory includes recommendations to protect against similar malicious cyber activity.

CISA and FBI recommend:

  • Install updated builds to ensure affected VMware Horizon and UAG systems are updated to the latest version.
  • Keep all software up to date and prioritize patching known exploited vulnerabilities (KEVs).
  • Minimize the internet-facing attack surface.
  • Use best practices for identity and access management (IAM).
  • Audit domain controllers.
  • Create a deny list of known compromised credentials.
  • Secure credentials by restricting where accounts and credentials can be used.

In June, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), along with the Coast Guard Cyber Command (CGCYBER), published a joint advisory to warn of hacking attempts exploiting the Log4Shell flaw in VMware Horizon servers to compromise target networks.

“CISA and the United States Coast Guard Cyber Command (CGCYBER) have released a joint Cybersecurity Advisory (CSA) to warn network defenders that cyber threat actors, including state-sponsored advanced persistent threat (APT) actors, have continued to exploit CVE-2021-44228 (Log4Shell) in VMware Horizon® and Unified Access Gateway (UAG) servers to obtain initial access to organizations that did not apply available patches.” reads the advisory.

The CVE-2021-44228 flaw made the headlines in December after Chinese security researcher p0rz9 publicly disclosed a Proof-of-concept exploit for the critical remote code execution zero-day vulnerability (aka Log4Shell) that affects the Apache Log4j Java-based logging library.

In one attack documented by government experts, threat actors were able to move laterally inside the network and collect and exfiltrate sensitive data.



Pierluigi Paganini

(SecurityAffairs – hacking, Iran)

The post Iran-linked threat actors compromise US Federal Network appeared first on Security Affairs.


High Severity Vulnerabilities Reported in F5 BIG-IP and BIG-IQ Devices

The Hacker News - Thu, 11/17/2022 - 01:58
Multiple security vulnerabilities have been disclosed in F5 BIG-IP and BIG-IQ devices that, if successfully exploited, could completely compromise affected systems. Cybersecurity firm Rapid7 said the flaws could be abused to gain remote access to the devices and defeat security constraints. The two high-severity issues, which were reported to F5 on August 18, 2022, are as follows -

Iranian Hackers Compromised a U.S. Federal Agency’s Network Using Log4Shell Exploit

The Hacker News - Thu, 11/17/2022 - 01:22
Iranian government-sponsored threat actors have been blamed for compromising a U.S. federal agency by taking advantage of the Log4Shell vulnerability in an unpatched VMware Horizon server. The details, which were shared by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), come in response to incident response efforts undertaken by the authority from mid-June through mid-July 2022

North Korean Hackers Targeting Europe and Latin America with Updated DTrack Backdoor

The Hacker News - Thu, 11/17/2022 - 00:56
Hackers tied to the North Korean government have been observed using an updated version of a backdoor known as Dtrack targeting a wide range of industries in Germany, Brazil, India, Italy, Mexico, Switzerland, Saudi Arabia, Turkey and the U.S. "Dtrack allows criminals to upload, download, start or delete files on the victim host," Kaspersky researchers Konstantin Zykov and Jornt van der Wiel 

F5 fixed 2 high-severity Remote Code Execution bugs in its products

Security Affairs - Wed, 11/16/2022 - 17:02
Researchers at cybersecurity firm Rapid7 have identified several vulnerabilities and other potential security issues affecting F5 products.

Rapid7 researchers discovered several vulnerabilities in F5 BIG-IP and BIG-IQ devices running a customized distribution of CentOS. The experts also discovered several bypasses of security controls that the security vendor F5 does not recognize as exploitable vulnerabilities.

The vulnerabilities discovered by the experts are:

CVE-2022-41622 is an unauthenticated remote code execution via cross-site request forgery (CSRF) that impacts BIG-IP and BIG-IQ products.

“An attacker may trick users who have at least resource administrator role privilege and are authenticated through basic authentication in iControl SOAP into performing critical actions. An attacker can exploit this vulnerability only through the control plane, not through the data plane. If exploited, the vulnerability can compromise the complete system.” reads the advisory published by the vendor.

CVE-2022-41800 is an authenticated remote code execution via RPM spec injection that resides in the Appliance mode iControl REST. In Appliance mode, an authenticated user with valid user credentials assigned the Administrator role can bypass Appliance mode restrictions.

“In Appliance mode, an authenticated user with valid user credentials assigned the Administrator role may be able to bypass Appliance mode restrictions. This is a control plane issue; there is no data plane exposure.” reads the advisory. “Appliance mode is enforced by a specific license or may be enabled or disabled for individual Virtual Clustered Multiprocessing (vCMP) guest instances.”

The above vulnerabilities have been rated as high-severity.

Rapid7 reported both vulnerabilities to F5 on August 18, 2022, and also supported the vendor in addressing them.

Below are the bypasses of security controls that F5 rejected as not exploitable:

  • ID1145045 – Local privilege escalation via bad UNIX socket permissions (CWE-269)
  • ID1144093 – SELinux bypass via incorrect file context (CWE-732)
  • ID1144057 – SELinux bypass via command injection in an update script (CWE-78)



Pierluigi Paganini

(SecurityAffairs – hacking, BIG-IP)

The post F5 fixed 2 high-severity Remote Code Execution bugs in its products appeared first on Security Affairs.


Lazarus APT uses DTrack backdoor in attacks against LATAM and European orgs

Security Affairs - Wed, 11/16/2022 - 13:50
North Korea-linked Lazarus APT is using a new version of the DTrack backdoor in attacks aimed at organizations in Europe and Latin America.

North Korea-linked APT Lazarus is using a new version of the DTrack backdoor to attack organizations in Europe and Latin America, Kaspersky researchers warn.

DTrack is a modular backdoor used by the Lazarus group since 2019. It has been employed in attacks against a wide variety of targets, from financial environments to a nuclear power plant.

DTrack allows attackers to gather information from the infected host, and upload/download/manipulate files on the infected host, exfiltrate data, and execute commands.

Experts noticed that the DTrack versions used in recent attacks are similar to past ones; what has changed is that the backdoor is now being used against a growing number of targets.

The backdoor unpacking process consists of several stages. The second-stage malicious code is stored inside the malware’s PE file; DTrack retrieves the payload either by reading it from an offset within the file or by reading it from a resource within the PE binary.

The second-stage payload is heavily obfuscated shellcode, and the APT group used a different encryption method for each sample.

Unlike previous DTrack variants, the one employed in the recent attacks can use more than three payload stages.

“One new aspect of the recent DTrack variants is that the third stage payload is not necessarily the final payload; there may be another piece of binary data consisting of a binary configuration and at least one shellcode, which in turn decrypts and executes the final payload.” continues the analysis.

Once the final payload (a DLL) is decrypted, the malicious code uses process hollowing to load it into explorer.exe. Another difference in recent campaigns is that the recent variants of the backdoor use three C2 servers instead of six.

Kaspersky reported attacks against entities in multiple industries, including education, chemical manufacturing, governmental research centers and policy institutes, IT service providers, utility providers and telecommunications.

Recent attacks hit entities in Germany, Brazil, India, Italy, Mexico, Switzerland, Saudi Arabia, Turkey and the United States.

“The DTrack backdoor continues to be used actively by the Lazarus group. Modifications in the way the malware is packed show that Lazarus still sees DTrack as an important asset. Despite this, Lazarus has not changed the backdoor much since 2019, when it was initially discovered.” concludes the report. “When the victimology is analyzed, it becomes clear that operations have expanded to Europe and Latin America, a trend we’re seeing more and more often.”



Pierluigi Paganini

(SecurityAffairs – hacking, APT)

The post Lazarus APT uses DTrack backdoor in attacks against LATAM and European orgs appeared first on Security Affairs.


Researchers Discover Hundreds of Amazon RDS Instances Leaking Users' Personal Data

The Hacker News - Wed, 11/16/2022 - 08:04
Hundreds of databases on Amazon Relational Database Service (Amazon RDS) are exposing personal identifiable information (PII), new findings from Mitiga, a cloud incident response company, show. "Leaking PII in this manner provides a potential treasure trove for threat actors – either during the reconnaissance phase of the cyber kill chain or extortionware/ransomware campaigns," researchers Ariel

7 Reasons to Choose an MDR Provider

The Hacker News - Wed, 11/16/2022 - 07:19
According to a recent survey, 90% of CISOs running teams in small to medium-sized enterprises (SMEs) use a managed detection and response (MDR) service. That’s a 53% increase from last year. Why the dramatic shift to MDR? CISOs at organizations of any size, but especially SMEs, are realizing that the threat landscape and the way we do cybersecurity are among the many things that will never look

New RapperBot Campaign targets game servers with DDoS attacks

Security Affairs - Wed, 11/16/2022 - 06:39
Fortinet researchers discovered new samples of RapperBot used to build a botnet that launches distributed denial-of-service (DDoS) attacks against game servers.

Fortinet FortiGuard Labs researchers have discovered new samples of the RapperBot malware that are being used to build a DDoS botnet to target game servers.

Researchers from FortiGuard Labs discovered the previously undetected RapperBot IoT botnet in August and reported that it has been active since mid-June 2022. The bot borrows a large portion of its code from the original Mirai botnet but, unlike other IoT malware families, it implements a built-in capability to brute-force credentials and gain access to SSH servers rather than Telnet as implemented in Mirai.

Experts also noticed that the most recent samples include the code to maintain persistence, which is rarely implemented in other Mirai variants.

Earlier samples of the malware had the brute-forcing credential list hardcoded into the binary, but from July the samples started retrieving the list from the C2 server.

Since mid-July, RapperBot has used self-propagation to maintain remote access to the brute-forced SSH servers. The bot runs a shell command to replace the remote victims’ ~/.ssh/authorized_keys with one containing the threat actors’ SSH public key with the comment “helloworld”.

Once a public key is stored in ~/.ssh/authorized_keys, anyone holding the corresponding private key can authenticate to the SSH server without supplying a password.

RapperBot is also able to retain its foothold on any devices on which it is executed by appending the same aforementioned SSH key to the local “~/.ssh/authorized_keys” on the infected device upon execution. This allows the malware to maintain its access to these infected devices via SSH even after a device reboot or the removal of RapperBot from the device. 
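As an added defender’s example (not code from the FortiGuard report), the following Python audits an authorized_keys file for the persistence technique described above: it parses each entry, including a leading options field, computes the ssh-keygen style SHA256 fingerprint, and flags keys whose comment is “helloworld” or whose fingerprint is not on an allowlist. The sample file, the allowlist and the key blobs are constructed for the demonstration and are not real keys.

```python
"""Audit OpenSSH authorized_keys entries for an unexpected persistence key.

Added example, not from the FortiGuard report. The indicator used here is
the key comment "helloworld" quoted in the report; everything else (sample
file, key blobs, allowlist) is constructed.
"""
import base64
import hashlib
from dataclasses import dataclass

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")
# Comment observed on the threat actor's key, per the report quoted above.
SUSPICIOUS_COMMENTS = {"helloworld"}


@dataclass
class AuthorizedKey:
    options: str
    key_type: str
    fingerprint: str
    comment: str
    line_no: int


def _split_options(line: str) -> tuple[str, str]:
    """Split a leading options field (which may contain quoted spaces) from the rest."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quote = not in_quote
        elif ch == " " and not in_quote:
            return line[:i], line[i + 1:].lstrip()
    return line, ""


def fingerprint_sha256(b64_key: str) -> str:
    """Same format as `ssh-keygen -lf`: SHA256:<base64 digest, padding stripped>."""
    digest = hashlib.sha256(base64.b64decode(b64_key)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str) -> list[AuthorizedKey]:
    """Parse authorized_keys text; comments, blank and malformed lines are skipped."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        options = ""
        if not line.startswith(KEY_TYPE_PREFIXES):
            options, line = _split_options(line)
        parts = line.split(None, 2)
        if len(parts) < 2:
            continue  # no key type + key blob: sshd ignores such lines as well
        key_type, b64_key = parts[0], parts[1]
        comment = parts[2].strip() if len(parts) == 3 else ""
        try:
            fp = fingerprint_sha256(b64_key)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        entries.append(AuthorizedKey(options, key_type, fp, comment, n))
    return entries


def find_suspicious(entries, allowed_fingerprints):
    """Return (entry, reasons) for keys matching the IoC comment or not on the allowlist."""
    flagged = []
    for e in entries:
        reasons = []
        if e.comment in SUSPICIOUS_COMMENTS:
            reasons.append("comment matches RapperBot IoC")
        if e.fingerprint not in allowed_fingerprints:
            reasons.append("fingerprint not in allowlist")
        if reasons:
            flagged.append((e, reasons))
    return flagged


def _fake_blob(label: bytes) -> str:
    """Constructed key blob (NOT a real key): a wire-format string plus zero filler."""
    body = len(label).to_bytes(4, "big") + label + b"\x00" * 32
    return base64.b64encode(body).decode()


ADMIN_KEY = _fake_blob(b"ssh-ed25519")  # constructed, stands in for the admin's key
ROGUE_KEY = _fake_blob(b"ssh-rsa")      # constructed, stands in for the implanted key

# Constructed sample file, not a captured one: a legitimate restricted key
# followed by an entry carrying the comment the report associates with the bot.
SAMPLE_AUTHORIZED_KEYS = (
    "# constructed sample, not a captured file\n"
    f'from="10.0.0.0/8",no-pty ssh-ed25519 {ADMIN_KEY} admin@jump\n'
    f"ssh-rsa {ROGUE_KEY} helloworld\n"
)


def audit_sample():
    """Run the audit over the constructed sample with only the admin key allowed."""
    entries = parse_authorized_keys(SAMPLE_AUTHORIZED_KEYS)
    return find_suspicious(entries, {fingerprint_sha256(ADMIN_KEY)})


if __name__ == "__main__":
    for entry, reasons in audit_sample():
        print(f"line {entry.line_no}: {entry.key_type} {entry.fingerprint} "
              f"({entry.comment or 'no comment'}): {', '.join(reasons)}")
```

Pointing the parser at a real file (`parse_authorized_keys(open(path).read())`) and seeding the allowlist from `ssh-keygen -lf` output of known-good keys turns this into a simple host-level check for the implant the report describes.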

In early October 2022, the researchers spotted new samples that they believe to be part of a separate campaign to launch Distributed Denial of Service (DDoS) attacks against game servers.

“But once we analyzed these new samples, we observed a significant difference between them and the earlier campaign. In fact, it turns out that this campaign is less like RapperBot than an older campaign that appeared in February and then mysteriously disappeared in the middle of April. Other related campaigns uncovered during this investigation are detailed later in this article.” reads the report published by FortiGuard Labs.

The researchers noticed that the latest variant uses the same C2 network protocol as previous samples, with additional commands to support Telnet brute forcing. Below is the list of commands and IDs:

  • 0x00: Register (used by the client)
  • 0x01: Keep-Alive/Do nothing
  • 0x02: Stop all DoS attacks and terminate the client
  • 0x03: Perform a DoS attack
  • 0x04: Stop all DoS attacks
  • 0x06: Restart Telnet brute forcing
  • 0x07: Stop Telnet brute forcing

The latest samples also implement DoS attacks against the GRE protocol (likely reusing the Mirai source code) and the UDP protocol used by the Grand Theft Auto: San Andreas Multi Player (SA:MP) mod.

The most significant difference in the latest campaign was the complete replacement of the code to carry out SSH brute force attacks with the more usual Telnet equivalent.

“The Telnet brute forcing code is designed primarily for self-propagation and resembles the old Mirai Satori botnet. Unlike the earlier SSH brute-forcing campaign, the plaintext credentials are embedded into the malware instead of being downloaded from the C2.” continues the report.

The list of hardcoded credentials is composed of default credentials associated with IoT devices. The analysis of the prompt messages hardcoded into the malware revealed that the bot mainly targets routers and DVRs. The latest campaign aims at older devices with the Qualcomm MDM9625 chipset, such as LTE modems.

Once it has gained access to the device, it sends the credentials used, the IP address of the compromised device, and its architecture to the C2 server on a separate port, 5123. Then the malware attempts to install the RapperBot payload binary on the compromised device.

“Based on the undeniable similarities between this new campaign and the previously reported RapperBot campaign, it is highly likely that they are being operated by a single threat actor or by different threat actors with access to a privately-shared base source code.” the researchers conclude.

“Unlike the previous RapperBot campaign, this new campaign has a clear motivation to compromise as many IoT devices as possible to build a DDoS botnet.”



Pierluigi Paganini

(SecurityAffairs – hacking, RapperBot)

The post New RapperBot Campaign targets game servers with DDoS attacks appeared first on Security Affairs.


Fine from UODO for the Dobrzyniewo Duże municipality. There were procedures, but they were never actually implemented ;-)

Sekurak.pl - Wed, 11/16/2022 - 06:36

What happened? The breach consisted of the theft of a work computer holding personal data, on which no appropriate safeguards had been applied to protect that data, resulting in a breach of its confidentiality. The theft took place outside the controller’s premises, because the employee using the laptop kept it outside the workplace, at home. As one might expect, the computer did not have...

The article “Fine from UODO for the Dobrzyniewo Duże municipality. There were procedures, but they were never actually implemented ;-)” comes from the Sekurak website.

Another example of simple phishing [analysis]

Sekurak.pl - Wed, 11/16/2022 - 06:22

We received a sample of relatively easy-to-detect phishing and want to share it with our readers, because it is a textbook example of where and how to check whether everything in an e-mail is as it should be. Below we show, in a few steps, how to verify this yourself. Fig. 1. A textbook example of phishing. First: the sender. We must...

The article “Another example of simple phishing [analysis]” comes from the Sekurak website.

Beginning 2023 Google plans to rollout the initial Privacy Sandbox Beta

Security Affairs - Wed, 11/16/2022 - 03:18
Google announced it will roll out the Privacy Sandbox system for Android in beta to a limited number of Android 13 devices in early 2023.

Google announced it will roll out the Privacy Sandbox for Android in beta to mobile devices running Android 13 starting early next year. The Privacy Sandbox aims to create technologies that protect people’s privacy online by limiting covert tracking.

The goals of the Privacy Sandbox are:

  • Build new technology to keep your information private;
  • Enable publishers and developers to keep online content free without relying on intrusive tracking;
  • Collaborate with the industry to build new internet privacy standards;

The company will initially enable the sandbox on a small percentage of devices and expand the rollout over time.

“Beginning early next year we plan to rollout the initial Privacy Sandbox Beta to Android 13 mobile devices, so that developers can take the next steps in testing these new solutions. We’ll start with a small percentage of devices and increase over time.” reads the announcement.

“The Privacy Sandbox Beta will be available for ad tech and app developers who wish to test the ads-related APIs as part of their solutions.”

Developers will need to complete an enrollment process in order to use the ads-related APIs, including Topics, FLEDGE, and Attribution Reporting. The IT giant will verify the identity of the developer and gather the developer-specific data needed by the APIs.

Google will release a closed beta of the SDK Runtime distribution to select apps for testing purposes.

Development teams that want to utilize the Beta release have to compile their solutions with an API level 33 SDK extension update that is coming soon.

“For companies that rely on third party solutions for ad serving or ad measurement, we recommend working with your providers to understand their testing roadmaps and how you can participate in early testing of Privacy Sandbox.” concludes the announcement.



Pierluigi Paganini

(SecurityAffairs – hacking, privacy)

The post Beginning 2023 Google plans to rollout the initial Privacy Sandbox Beta appeared first on Security Affairs.


Warning: New RapperBot Campaign Aims to Launch DDoS Attacks at Game Servers

The Hacker News - Wed, 11/16/2022 - 02:35
Cybersecurity researchers have unearthed new samples of malware called RapperBot that are being used to build a botnet capable of launching Distributed Denial of Service (DDoS) attacks against game servers. "In fact, it turns out that this campaign is less like RapperBot than an older campaign that appeared in February and then mysteriously disappeared in the middle of April," Fortinet

Google to Roll Out Privacy Sandbox Beta on Android 13 by Early 2023

The Hacker News - Wed, 11/16/2022 - 00:24
Internet behemoth Google on Tuesday said it plans to roll out Privacy Sandbox for Android in beta to mobile devices running Android 13 starting early next year. "The Privacy Sandbox Beta will be available for ad tech and app developers who wish to test the ads-related APIs as part of their solutions," the company said. To that end, developers will need to complete an enrollment process in order

Experts found critical RCE in Spotify’s Backstage

Security Affairs - Tue, 11/15/2022 - 17:23
Researchers discovered a critical vulnerability impacting Spotify’s Backstage Software Catalog and Developer Platform.

Researchers from the security firm Oxeye discovered a critical Remote Code Execution vulnerability in Spotify’s Backstage (CVSS score of 9.8). Backstage is Spotify’s open-source platform for building developer portals; it is used by several organizations, including American Airlines, Netflix, Splunk, Fidelity Investments and Epic Games.

The issue can be exploited by triggering a recently disclosed VM sandbox escape vulnerability (CVE-2022-36067 aka Sandbreak) in the vm2 third-party library.

Oxeye researchers reported this RCE vulnerability via Spotify’s bug bounty program, and the Backstage development team quickly fixed it with the release of version 1.5.1.

“An unauthenticated threat actor can execute arbitrary system commands on a Backstage application by exploiting a vm2 sandbox escape in the Scaffolder core plugin.” reads the advisory published by Oxeye.

The vulnerability resides in the software templates tools that allow developers to create components in Backstage.

The researchers explained that the template engine utilizes the vm2 library to prevent the execution of untrusted code.

“In reviewing how to confine this risk, we noticed that the templating engine could be manipulated to run shell commands by using user-controlled templates with Nunjucks outside of an isolated environment. As a result, Backstage started using the vm2 JavaScript sandbox library to mitigate this risk.” continues the advisory. “In an earlier research paper, Oxeye found a vm2 sandbox escape vulnerability that results in remote code execution (RCE) on the hosting machine.”

The researchers ran a simple query for the Backstage favicon hash in Shodan and discovered more than 500 Backstage instances exposed to the internet.

The experts noticed that Backstage is deployed by default without an authentication mechanism or an authorization mechanism, which allows guest access. Some of the publicly-exposed Backstage instances did not require any authentication. 

Further tests allowed the experts to determine that the vulnerability could be exploited without authentication on many instances. 

“The root of any template-based VM escape is gaining JavaScript execution rights within the template. By using “logic-less” template engines such as Mustache, you can avoid introducing server-side template injection vulnerabilities. Separating the logic from the presentation as much as possible can greatly reduce your exposure to the most dangerous template-based attacks.” concludes the report. “For more information about mitigating template-based vulnerabilities, see PortSwigger’s technical advisory. And if you use Backstage with authentication, enable it for both the front and backend.”



Pierluigi Paganini

(SecurityAffairs – hacking, Spotify’s Backstage)

The post Experts found critical RCE in Spotify’s Backstage appeared first on Security Affairs.


Critical RCE Flaw Reported in Spotify's Backstage Software Catalog and Developer Platform

The Hacker News - Tue, 11/15/2022 - 12:01
Spotify's Backstage has been discovered as vulnerable to a severe security flaw that could be exploited to gain remote code execution by leveraging a recently disclosed bug in a third-party module. The vulnerability (CVSS score: 9.8), at its core, takes advantage of a critical sandbox escape in vm2, a popular JavaScript sandbox library (CVE-2022-36067 aka Sandbreak), that came to light last
