Since cyberattacks are becoming more and more common these days, staying abreast of the latest news headlines is important to learn from them and keep our information assets secure. This week’s cybersecurity news headlines cover some significant patches and fixes. Read on to find out what’s happening in cyberspace.
SAP Announces Multiple Security Notes
SAP recently announced ten new and two updated security notes on its June 2022 Security Patch Day. Among these latest notes, CVE-2022-27668 (with a CVSS score of 8.6) was considered the most severe vulnerability. It involves improper access control related to the SAProuter proxy in the ABAP and NetWeaver platforms. Exploiting this vulnerability would allow adversaries to affect system availability by executing administration commands on the systems connected to the SAProuter. Customers are advised to apply the patch as soon as possible.
Another high-severity issue (with a CVSS score of 8.2) in NetWeaver AS Java was also addressed by SAP. This note came with four other notes addressing CVE-2022-31590 (a privilege escalation issue in PowerDesigner Proxy 16.7 with a CVSS score of 7.8), among other vulnerabilities.
Can this New Vulnerability Leak Your Crypto Seed?
A new vulnerability puts crypto wallet owners at risk. It involves accessing the secret recovery phrase of user wallets and stealing their cryptocurrencies and NFTs. Recovery phrases, or seeds, are the human-readable versions of the private keys of user wallets. With access to this recovery phrase, any hacker can import the wallet to their device and steal the NFTs and cryptocurrencies. First discovered by cybersecurity experts at Halborn in September 2021, this vulnerability has been assigned CVE-2022-32969. It exploits the standard session restore system used by web browsers, which saves the contents of non-password input fields to disk.
Browser wallet extensions like Metamask, Brave, and Phantom do not use a password field for entering recovery phrases; they rely on regular input fields. The contents of these input fields get saved on the disk in plain text. This makes it easy for adversaries to steal the seeds and import users’ wallets to their own devices. Attackers can use a remote access trojan to access user devices; the rest is a cakewalk. But cybersecurity experts also mentioned that for the vulnerability to be exploited, users need to check the checkbox asking to “Show Secret Recovery Phrase,” as this is what causes the phrase to be stored on the local disk.
Metamask patched the vulnerability in its wallet extension version 10.11.3. Phantom dealt with it in April 2022, and xDefi addressed the vulnerability in version 13.3.8. However, Brave has yet to release a statement or address the issue. Users who feel they might have been affected by the flaw should consider migrating their assets to new accounts.
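As an added example that is not part of the original article or of any wallet project, the following audit helper shows the check a wallet-extension developer or reviewer could run over a recovery-phrase screen: it flags fields that would be eligible for the browser's form-data persistence described above (assumed here, as in the article, to cover ordinary non-password inputs) and that either are labelled as seed fields or currently hold a mnemonic-looking value. The field descriptors are constructed for the example.

```javascript
// Added example (not from the original post or any wallet project): audit the
// form fields of a recovery-phrase screen for values the browser's session
// restore could persist to disk in plain text.
const SEED_HINTS = /\b(seed|recovery\s*phrase|secret\s*recovery|mnemonic)\b/i;

// True if the field's value would be eligible for session-restore persistence
// under the behaviour the article describes (assumption: anything that is not
// a password field and does not opt out via autocomplete="off").
function wouldPersist(field) {
  const type = (field.type || "text").toLowerCase();
  if (type === "password") return false;
  const autocomplete = (field.autocomplete || "").toLowerCase();
  return autocomplete !== "off";
}

// True if the field is clearly meant to hold a recovery phrase, judged from
// its name, label, or placeholder text.
function isSeedField(field) {
  return SEED_HINTS.test([field.name, field.label, field.placeholder].join(" "));
}

// True if a value looks like a BIP39-style mnemonic: 12, 15, 18, 21 or 24
// lowercase alphabetic words of 3 to 8 letters (a cheap structural check, no
// wordlist lookup).
function looksLikeMnemonic(value) {
  const words = (value || "").trim().split(/\s+/).filter(Boolean);
  if (![12, 15, 18, 21, 24].includes(words.length)) return false;
  return words.every((w) => /^[a-z]{3,8}$/.test(w));
}

// Returns the subset of fields whose contents could leak a seed phrase to disk.
function auditSeedInputs(fields) {
  return fields.filter(
    (f) => wouldPersist(f) && (isSeedField(f) || looksLikeMnemonic(f.value))
  );
}

// Constructed sample fields modelled on the pattern the article describes.
const MNEMONIC =
  "abandon ability able about above absent absorb abstract absurd abuse access accident";
const SAMPLE_FIELDS = [
  { name: "seedPhrase", type: "text", label: "Secret Recovery Phrase", value: MNEMONIC },
  { name: "seedPhrase", type: "password", label: "Secret Recovery Phrase", value: MNEMONIC },
  { name: "nickname", type: "text", label: "Account name", value: "savings" },
  { name: "notes", type: "text", autocomplete: "off", label: "Notes", value: MNEMONIC },
];

console.log(auditSeedInputs(SAMPLE_FIELDS).map((f) => `${f.name} (${f.type})`));
```

Only the plain text seed field without an autocomplete opt-out is reported; the password-typed copy of the same phrase is not.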
Interpol Arrests 2000 Scammers
An Interpol operation recently recovered $50 million in illicit funds and arrested 2,000 alleged scammers from 76 countries. The International Criminal Police Organization (Interpol) conducted a drive to investigate the rising social engineering scams where adversaries trick users into revealing their sensitive and confidential information.
Interpol’s operation lasted two months and was codenamed “First Light 2022.” It involved both Interpol and local police forces in the participating countries. Reportedly, the police identified 3,000 different suspects during their investigation and arrested 2,000 of them on money laundering charges. They also froze 4,000 bank accounts and conducted raids at 1,770 locations worldwide. Among those captured was a Chinese national who was wanted in connection with an enormous Ponzi scheme that police say involved some 24,000 victims and the theft of 34 million euros.
Cisco Patches ESA Vulnerability
Cisco recently patched a critical security flaw in Email Security Appliance (ESA), Web Manager, and Secure Email that could be exploited to sidestep authentication. Tracked as CVE-2022-20798, this bypass vulnerability has a CVSS score of 9.8 and is caused by improper authentication checks. The vulnerability exists when the target devices use Lightweight Directory Access Protocol (LDAP) for external authentication.
Cybersecurity experts at Cisco mentioned that to exploit CVE-2022-20798, hackers would need to enter a specific input on the login page of the targeted device. Once hackers do this, they gain access to the device’s web-based management interface. The flaw was discovered while resolving a technical assistance center (TAC) case. It affects systems running AsyncOS software versions 11 and earlier, 12, 12.x, 13, 13.x, 14, and 14.x. However, two conditions need to be met for the attack to be successful:
- The devices are configured to use external authentication.
- LDAP is the authentication protocol in use.
DDoS Operator Sentenced to 24 Months in Prison
A 33-year-old man named Matthew Gatrel from St. Charles, Illinois, was recently sentenced to 24 months in prison on three counts of wire fraud and computer-related felonies. Gatrel was convicted in September 2021 for owning and operating DownThem.org and AmpNode.com. DownThem.org was a website allowing users to pay for and launch powerful DDoS attacks, and AmpNode.com provided bulletproof hosting services for a fee. Both services facilitated DDoS attack amplification and server spoofing.
Cybersecurity experts noted that DownThem had more than 2,000 users in 2018 and launched over 200,000 attacks on financial institutions, government websites, schools, universities, and homes. The accused provided customer support for both DownThem and AmpNode and also guided users on how to launch DDoS attacks using them. Gatrel was sentenced to two years in prison owing to his active role in deploying and demonstrating the use of these attack tools. One of his allies, Juan Martinez, also received a five-year prison sentence for his role in spreading DownThem.
New Phishing Toolkit in Town
Adversaries are putting up a sophisticated phishing toolkit called ‘NakedPages’ for sale on the dark web. This toolkit can be used to target Microsoft Office and Google users and is being sold as a PHP-based phishing app. It is also being advertised on some Telegram channels. NakedPages runs on Linux and asks for read, write, and execute permissions from users. It is a fully automated toolkit with over 50 ready-to-use site projects and phishing templates. NakedPages comes with fully integrated, battle-tested anti-bot functionality that helps detect all kinds of bots from 120 countries. It also allows adversaries to manually receive and decode responses, filter users via the JS config, and add cookies.
The use of phishing toolkits has increased significantly in the recent past. Though NakedPages is relatively new, it is an effective phishing tool. Since phishing toolkits are easy to use and available for free, their use is rapidly increasing. Users are advised to prioritize protecting their personal and digital data to avoid such attacks.