Deserialized Web Security Roundup: ‘Catastrophic Cyber Incidents,’ Another T-Mobile Breach, More LastPass Issues
Your fortnightly overview of AppSec vulnerabilities, new hacking techniques and other cyber security news
“A far-reaching, catastrophic cyber incident is likely within the next two years”, according to 93% of cybersecurity experts and 86% of business leaders polled by the World Economic Forum (WEF).
Geopolitical instability and the persistent lack of cybersecurity skills are making the situation more precarious and prompting firms to reconsider their presence in certain regions, revealed the WEF’s Global Cybersecurity Outlook 2023 report, which surveyed the views of 300 experts and C-suite executives.
Meanwhile, we’re still seeing a lot of very, very bad cyber attacks and breaches. Most recently, there has been a new mega breach at T-Mobile (37 million customers affected this time), source code theft and a subsequent $10 million ransom demand from video game developer Riot Games, and the accidental exposure by an airline of the US authorities’ No Fly List, a roll call of suspected terrorists, as of 2019.
The LastPass situation also continues to evolve following the November password vault breach, with the latest update from the beleaguered password manager admitting that “a threat actor exfiltrated encrypted backups from a third-party cloud storage service”.
While rival services will no doubt spy an opportunity to increase their market share given the market leader’s reputational crash, the hack may also bring unprecedented scrutiny to the hitherto highly regarded field. Indeed, The Daily Swig recently reported how several popular password managers automatically filled in credentials on untrusted sites, while Bitwarden responded to renewed criticism of its encryption scheme by improving its default security configuration.
A fruitful security audit of Git’s source code is another notable story we’ve covered since the last issue of Deserialized.
Here are a few more web security stories and other cybersecurity news items that caught our attention over the past fortnight:
Research and attack techniques
- Vulnerabilities in the popular open source health record and medical practice management platform OpenEMR allowed remote attackers to execute arbitrary system commands on any OpenEMR server and steal sensitive patient data, or worse (courtesy of Sonar)
- Jerry Shah shares how he found an API misconfiguration on a SwaggerUI endpoint in an unnamed web application on a private bug bounty program that leaked the authorization token from local storage
- ChatGPT lowers the barriers to entry for threat actors with limited programming or technical skills, but state-sponsored villains are unlikely to gain operational efficiencies from the unnervingly sophisticated chatbot tool, according to Recorded Future
- Maksym Yaremchuk – number 80 on HackerOne’s all-time leaderboard – describes a pair of critical severity account takeover exploits created during an engagement with a private bug bounty program
- GitHub researcher Man Yue Mo achieves arbitrary kernel execution and root on a Google Pixel 6 mobile phone from an Android app
Bug bounty / vulnerability disclosure
- Security researchers can mathematically prove the existence of a software vulnerability without revealing details that in the wrong hands could lead to malicious exploitation, explains a recent New Scientist feature (paywall)
- Intigriti has written a blog post about the safe harbour clause for researchers created by the Belgian Law on the Protection of Whistleblowers
- The Daily Swig recently reported on the upcoming third annual Hack The Pentagon challenge, CORS misconfigurations at Tesla and other, unnamed programs earning researchers “a few thousand dollars,” and vulnerabilities in Google Cloud Platform (GCP) projects netting researchers more than $22,000
- Other recent write-ups include a $3,000 bounty for a reflected XSS in Microsoft Forms, while Bug Bounty Switzerland’s first “vulnerability of the month” related to a time-limited private program and thousands of devices exposed to the internet
- Bug hunter interviews with British hacker and YouTuber ‘InsiderPhD’ and ‘todayisnew’ have been published by HackerOne and Bugcrowd respectively
New open source infosec/hacking tools
- Gato – or the GitHub Attack Toolkit – evaluates the impact of compromised personal access tokens in GitHub development environments. It enumerates public repositories that use self-hosted runners, which GitHub recommends only be deployed in private repos because otherwise “forks of your public repository could potentially run dangerous code on your self-hosted runner machine by creating a pull request that executes the code in a workflow”
- Highlighter and Extractor (HaE) – Paris-based crowdsourced security platform YesWeHack has released a Burp Suite extension that collects, categorizes and highlights requests and/or responses to help discover vulnerable code patterns, bugs, reflections and more in a passive enumeration process
- PyCript – Another Burp Suite extension, this time allowing client-side encryption bypass via custom logic for manual testing and automation testing with Python and NodeJS
- See Proxy – Golang reverse proxy with CobaltStrike malleable profile validation
- CVE-2022-47966 Scanner – Assess your exposure to the critical RCE flaw affecting at least 24 on-premises ManageEngine products and currently being actively exploited
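The self-hosted runner exposure that the Gato entry quotes GitHub on is easy to audit for in your own repositories. The following script is an added example written for this roundup, not code from Gato or from GitHub: it reads GitHub Actions workflow files and flags any workflow where a pull-request trigger (which a fork of a public repo can fire) can land on a `self-hosted` runner. The three workflow files embedded below are constructed samples; the script parses only the `on:` and `runs-on:` keys with regular expressions so that it runs without a YAML library.

```python
import re

# Pull-request events are the ones a fork of a public repository can trigger.
PR_TRIGGERS = {"pull_request", "pull_request_target"}

# Constructed sample workflow files (not taken from any real repository).
WORKFLOWS = {
    ".github/workflows/ci.yml": """\
name: CI
on: [push, pull_request]
jobs:
  build:
    runs-on: self-hosted
    steps:
      - uses: actions/checkout@v3
      - run: make test
""",
    ".github/workflows/release.yml": """\
name: Release
on:
  push:
    tags: ['v*']
jobs:
  package:
    runs-on: [self-hosted, linux]
    steps:
      - run: make dist
""",
    ".github/workflows/lint.yml": """\
name: Lint
on:
  pull_request:
    branches: [main]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - run: make lint
""",
}


def workflow_triggers(text):
    """Return the set of event names under the top-level 'on:' key.
    Handles 'on: push', 'on: [push, pull_request]' and the block form
    where each event is a key indented by two spaces."""
    lines = text.splitlines()
    triggers = set()
    for i, line in enumerate(lines):
        m = re.match(r"^on:\s*(.*)$", line)
        if not m:
            continue
        inline = m.group(1).strip()
        if inline:  # scalar or flow-list form on the same line
            triggers.update(t.strip() for t in inline.strip("[]").split(",") if t.strip())
            break
        for nxt in lines[i + 1:]:  # block form: keys at two-space indent
            if not nxt.strip():
                continue
            km = re.match(r"^  ([\w-]+):", nxt)
            if km:
                triggers.add(km.group(1))
            elif not nxt.startswith("  "):
                break  # back at top level, the 'on:' block has ended
        break
    return triggers


def uses_self_hosted(text):
    """True if any 'runs-on' value names the self-hosted label, whether as
    a scalar, a flow list ([self-hosted, linux]) or a block list."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"^\s*runs-on:\s*(.*)$", line)
        if not m:
            continue
        value = m.group(1)
        if "self-hosted" in value:
            return True
        if not value.strip():  # block list on the following lines
            for nxt in lines[i + 1:]:
                if re.match(r"^\s*-\s*self-hosted\b", nxt):
                    return True
                if not re.match(r"^\s*-", nxt):
                    break
    return False


def audit(workflows):
    """Report, per workflow, whether a fork-triggerable event can reach a
    self-hosted runner. Only 'fork_reachable' findings need action."""
    findings = []
    for path, text in workflows.items():
        triggers = workflow_triggers(text)
        self_hosted = uses_self_hosted(text)
        findings.append({
            "path": path,
            "triggers": sorted(triggers),
            "self_hosted": self_hosted,
            "fork_reachable": self_hosted and bool(triggers & PR_TRIGGERS),
        })
    return findings


if __name__ == "__main__":
    for f in audit(WORKFLOWS):
        flag = "FORK-REACHABLE" if f["fork_reachable"] else "ok"
        print(f"{f['path']}: triggers={f['triggers']} self_hosted={f['self_hosted']} {flag}")
```

Only `ci.yml` is flagged: it runs on `pull_request` and targets a self-hosted runner. `release.yml` also uses a self-hosted runner but fires only on tag pushes, which a fork cannot trigger, and `lint.yml` runs pull requests on a GitHub-hosted runner. To use it on a real checkout, replace the `WORKFLOWS` dictionary with the contents of the files under `.github/workflows/`.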
More industry news
- NIST outlines potential updates (PDF) to the NIST Cybersecurity Framework and invites the infosec community to provide feedback
- In other US federal agency news, the NSA publishes an IPv6 security guide (PDF), CISA updates its MITRE ATT&CK framework mapping best practices (PDF), and CISA, the NSA, and MS-ISAC jointly warn (PDF) about the malicious use of legitimate remote monitoring and management (RMM) software
- Google documents progress in using case randomization of DNS query names sent to authoritative name servers to reduce the impact of cache poisoning attacks
- Google is also following through on its intention to drop TrustCor Systems as a root certificate authority (CA) for Chrome, and has confirmed a schedule for ceasing to recognize its certificates
- Cloud-based cyber attacks jump 48% year-over-year as malicious hackers spy opportunities in digital transformation trend – Check Point Report
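The DNS case randomization that the Google item refers to (often called 0x20 encoding) works because authoritative servers copy the question name back into the reply with its case preserved, so a resolver that randomizes the case of each letter gains one extra bit per letter that an off-path forger must guess on top of the transaction ID and source port. The block below is an added example written for this roundup, not Google’s resolver code: `randomize_case` performs the encoding, `added_entropy_bits` counts the extra bits, and `response_acceptable` is the resolver-side check that the echoed name matches byte for byte. The `coin` parameter is an assumption made so the encoding can be driven deterministically in a test; the stand-alone run uses `secrets.randbits`.

```python
import secrets


def randomize_case(qname, coin=lambda: secrets.randbits(1)):
    """0x20 encoding: flip the case of each ASCII letter in the query name
    at random. DNS name matching is case-insensitive, so the authoritative
    server answers normally, but it echoes the question name exactly as sent.
    'coin' returns 1 (upper-case) or 0 (lower-case) for each letter."""
    out = []
    for ch in qname:
        if ch.isascii() and ch.isalpha():
            out.append(ch.upper() if coin() else ch.lower())
        else:
            out.append(ch)  # digits, hyphens and dots carry no case
    return "".join(out)


def added_entropy_bits(qname):
    """Each ASCII letter in the name is one extra bit a forged reply must
    match, in addition to the 16-bit transaction ID and the source port."""
    return sum(1 for ch in qname if ch.isascii() and ch.isalpha())


def response_acceptable(sent_qname, echoed_qname):
    """Resolver-side check: the question name in the reply must equal the
    name that was sent, compared case-sensitively. A reply carrying the
    right transaction ID but the wrong case pattern is discarded."""
    return sent_qname == echoed_qname


def simulate_lookup(qname, coin=lambda: secrets.randbits(1)):
    """Show the mechanism end to end: the encoded name that goes out, a
    legitimate reply that echoes it (accepted) and a reply that only knows
    the canonical lower-case spelling (rejected)."""
    sent = randomize_case(qname, coin)
    legitimate_reply = sent          # authoritative servers copy the question
    naive_forgery = qname.lower()    # a reply that did not see the query
    return {
        "sent": sent,
        "extra_bits": added_entropy_bits(qname),
        "legitimate_accepted": response_acceptable(sent, legitimate_reply),
        "forgery_accepted": response_acceptable(sent, naive_forgery),
    }


if __name__ == "__main__":
    for name in ("www.example.com", "mail.example-host.net"):
        print(simulate_lookup(name))
```

Running it prints a differently cased query name on each run, with the legitimate reply accepted and the lower-case reply rejected. The check has to be exact equality of the name bytes; a resolver that compares names case-insensitively, as plain DNS does, gets none of the protection, which is why the encoding has to be paired with the stricter comparison on the resolver side.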