Cybersecurity is a dynamic field, and attacks never stop. It is therefore essential to keep up with current attack patterns in order to plan defenses as well as possible. To that end, here are the main cybersecurity headlines of the week.
Two Vulnerabilities Detected in CMS Platform Umbraco
Security researchers at AppCheck recently discovered two vulnerabilities in the CMS platform Umbraco. The first, tracked as CVE-2022-22690, is an application URL overwrite vulnerability; the second, tracked as CVE-2022-22691, is a persistent password reset bug. With over 730,000 active installations, Umbraco is a widely used open-source content management system (CMS). These vulnerabilities (made public on 18th January) expose its users to account takeover by adversaries.
Wherever application code needs a URL pointing back to the site, Umbraco uses a configuration setting called ‘ApplicationUrl.’ For instance, a user who wishes to change their password receives a password reset URL. When ApplicationUrl is not configured, attackers can manipulate the URL and redirect users to sites or pages of their choice. This lets an adversary intercept the reset token and take over the account. Fortunately, the vulnerability does not affect Umbraco versions above 9.2.0, so Umbraco recommends that users update to 9.2.0 or above to stay protected.
The second vulnerability is a password reset bug: when ApplicationUrl is not configured, the password reset email sent to users contains the reset token inside an attacker-controlled URL. While Umbraco has released temporary fixes for the issues, they do not cover every affected component. For instance, the Healthcheck Notifications, Content Notifications, and the Keep-Alive task remain affected.
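The core defensive lesson from the Umbraco advisory is that outbound links must never be built from the request's own Host value. The Python below is an added illustration, not Umbraco's code: it contrasts a link builder that trusts the request host with one that uses an operator-configured application URL, and adds a check that refuses to send a link whose origin differs from that configured URL. The path, the configured URL and the token are constructed sample values.

```python
from urllib.parse import urlsplit, urlencode

# Constructed sample value standing in for the operator's ApplicationUrl setting.
CONFIGURED_APPLICATION_URL = "https://www.example.com"
RESET_PATH = "/reset-password"  # hypothetical path, not Umbraco's real endpoint


def reset_link_from_request(scheme: str, request_host: str, token: str) -> str:
    """Vulnerable pattern: the site origin is taken from the incoming request.
    If the application falls back to the Host header when no ApplicationUrl is
    configured, a spoofed Host header places the reset token in a link that
    points at a domain the attacker controls."""
    query = urlencode({"token": token})
    return f"{scheme}://{request_host}{RESET_PATH}?{query}"


def reset_link_from_config(application_url: str, token: str) -> str:
    """Hardened pattern: build every outbound URL from the configured
    ApplicationUrl and ignore whatever host the request claims."""
    if not application_url:
        # Fail closed: an unconfigured ApplicationUrl is exactly the risky state.
        raise ValueError("ApplicationUrl must be configured before sending reset links")
    base = application_url.rstrip("/")
    query = urlencode({"token": token})
    return f"{base}{RESET_PATH}?{query}"


def link_matches_application_url(link: str, application_url: str) -> bool:
    """Defensive check before any notification e-mail goes out: the link's
    scheme and host must equal the configured ApplicationUrl exactly."""
    want = urlsplit(application_url)
    got = urlsplit(link)
    if not want.netloc:
        return False  # nothing configured, so no link can be trusted
    return (got.scheme, got.netloc) == (want.scheme, want.netloc)


if __name__ == "__main__":
    token = "constructed-token-123"
    spoofed = reset_link_from_request("https", "attacker.example.net", token)
    safe = reset_link_from_config(CONFIGURED_APPLICATION_URL, token)
    print("request-derived:", spoofed, link_matches_application_url(spoofed, CONFIGURED_APPLICATION_URL))
    print("config-derived: ", safe, link_matches_application_url(safe, CONFIGURED_APPLICATION_URL))
```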
Major Security Flaws in Official App for Beijing 2022 Winter Olympics
The Chinese government recently launched ‘My 2022’, the official app for the Beijing 2022 Winter Olympics. Unfortunately, the app exposes users’ sensitive data and has been found to violate Apple’s App Store guidelines, Google’s software policy, and China’s own privacy protection laws.
The app’s privacy policy doesn’t state who receives all the sensitive data uploaded by users. Further, it allows third-party actors to access these user files in cleartext form. The sensitive information collected by the My2022 app includes WLAN status, installed apps on the device, audio information, location access, device identifiers and model, real-time location, device storage access, and cellular service provider information. Reportedly, this data is needed for translation services, COVID-19 protection controls, tourism recommendations and navigation, and Weibo integration.
Interestingly, all athletes, press, and audience members have to use the My2022 app. There is no exception, and the app also collects their vaccination status, passport details, demographic data, health status, etc. The information collected for domestic users includes their names, profile pictures, phone numbers, national identification numbers, email addresses, and employment information. This information is shared with the Beijing Organizing Committee for the 2022 Olympics.
Security researchers at Citizen Lab found that attackers can spoof five or more of the app’s servers and intercept data by making a malicious host appear trusted. Unfortunately, nobody from the Beijing Organizing Committee for the 2022 Olympics has responded to Citizen Lab’s report of these security risks. The developers recently released version 2.0.5 of the ‘My 2022’ app, and one might hope that it resolves these risks, but they remain unaddressed.
STG Acquires McAfee and FireEye – Trio to be Called Trellix
Symphony Technology Group (STG) acquired McAfee for $4 billion in March 2021, followed by the takeover of FireEye for $1.2 billion in June 2021. By October 2021, STG had completed the acquisition of both cybersecurity giants, and the combined organization will now be known as ‘Trellix’ (a name inspired by the humble trellis).
Trellix will direct its combined energy toward enhancing threat detection and incident response using machine learning (ML) and automation. The organization aims to provide what it calls living security, meaning security technology that keeps adapting newer and better strategies to protect operations from threat actors. Note, however, that not all of McAfee Enterprise has merged with STG: the secure service edge portfolio (including secure web gateway, cloud access security broker, and zero-trust network access) will eventually be separated out. Currently, Trellix has over 5,000 employees, 40,000 customers, and around $2 billion in revenue.
FluBot Emerges With Improved Malware Version
The FluBot operators have been spreading an improved version of the malware since October 2021. The campaign uses fake security updates to trick unsuspecting users into installing malicious code. Researchers found that the FluBot operators ran a smishing campaign targeting Polish users, in which recipients are asked to click a link sent by SMS in order to view a video. The link actually installs FluBot through a fake Flash Player APK.
Once a user installs the malicious app, it deploys FluBot and reads the user’s contact list. The contact list is then stolen and uploaded to the C2 server. Using these contacts, FluBot sends malicious SMS messages to everyone on the victim’s list. This whole scheme belongs to FluBot version 5.2. The new version adds an UPDATE_ALT_SEED command that can change the seed of the domain generation algorithm (DGA), letting the operators evade DNS blocklists and keep the C2 infrastructure isolated. In addition, the DGA now uses 30 top-level domains instead of the three used earlier.
Security experts warn users to stay ahead of the advanced attack vector used by the FluBot operators and to implement cybersecurity tools and measures such as firewalls, anti-malware solutions, and behavior-based detection.
Oracle to Release 500 New Security Patches
Oracle is set to release its Critical Patch Update (CPU) for January 2022, including over 500 new security patches. The pre-release statement says that Oracle has prepared 483 patches for the first CPU of 2022. These include patches for vulnerabilities in Graph Server and Client, Secure Backup, Oracle Essbase, Communications Applications, Construction and Engineering, Communications, Financial Services Applications, Enterprise Manager, Fusion Middleware, PeopleSoft, Insurance Applications, Utilities Applications, and Support Tools.
In addition, the patches shall also fix high-severity flaws in Big Data Graph, Airlines Data Model, Commerce, Food and Beverage Applications, Communications Data Model, E-Business Suite, Health Sciences Applications, GoldenGate, HealthCare Applications, Hyperion, iLearning, Hospitality Applications, JD Edwards, Policy Automation, MySQL, Retail Applications, Siebel CRM, REST Data Services, TimesTen In-Memory, Supply Chain, Systems and Spatial Studio.
Oracle recommends that customers apply all security patches as soon as they are released, as these flaws do not require authentication for remote exploitation and have been exploited before. Oracle will release the remaining 2022 CPUs on 19th April, 19th July, and 18th October. Last year, Oracle fixed 1,400 security issues across all four CPUs.
UK Police Working Towards Educating Children on Computer Misuse Act
Lately, children as young as nine years old have been launching DDoS attacks. This trend has prompted UK police to launch a cybersecurity awareness initiative to dissuade young people from taking part in such criminal acts. A new education campaign is in the making, in which the National Crime Agency (NCA) has partnered with Schools Broadband (part of the ISP Talk Straight Group). The campaign redirects students who search for specific terms related to DDoS and other cybercrimes to a selected range of Cyber Choices websites.
The campaign aims to educate young learners about the consequences of cybercrime and teach them about the Computer Misuse Act. The trial scheme is already bringing positive results and has reduced the number of searches for specific DDoS-related terms such as booter and stresser. The scheme will soon be rolled out to more than 2,000 primary and secondary schools across the nation.