The Akkadian Provisioning Manager, which is used as a third-party provisioning tool within Cisco Unified Communications environments, has three high-severity security vulnerabilities that can be chained together to enable remote code execution (RCE) with elevated privileges, researchers said. They remain unpatched, according to the researchers at Rapid7 who discovered them. Cisco’s UC suite enables VoIP and video communications across business footprints. The Akkadian product is an appliance that’s typically used in large enterprises to help manage the process of provisioning and configuring all of the UC clients and instances, via automation. The issues, all present in version 4.50.18 of the Akkadian platform, are as follows:
CVE-2021-31579: Use of hard-coded credentials (ranking 8.2 out of 10 on the CVSS vulnerability-severity scale)
CVE-2021-31580 and CVE-2021-31581: Improper neutralization of special elements used in an OS command (using exec and vi commands, respectively; ranking 7.9)
CVE-2021-31582: Exposure of sensitive information to an unauthorized actor (ranking 7.9)
Combining CVE-2021-31579 with either CVE-2021-31580 or CVE-2021-31581 will allow an unauthorized adversary to gain root-level shell access to affected devices, according to Rapid7. That makes it easy to install cryptominers, keystroke loggers, persistent shells and any other type of Linux-based malware. Meanwhile, researchers said that CVE-2021-31582 can allow an attacker who is already…

Baby clothes retailer Carter’s inadvertently exposed the personal data of hundreds of thousands of its customers, dating back years, according to a new disclosure. The issue started with Linc, which is a vendor the company used to automate purchases online, according to analysts with vpnMentor who first discovered the issue. The Linc system was delivering customers shortened URLs with Carter’s purchase and shipping details without basic security protections. The links contained everything from purchase details to tracking information and more. “Furthermore, by modifying the Linc URLs (to which the shortened URLs were redirecting), it was possible to access backend JSON data, which revealed even more personal information about customers that wasn’t exposed by the confirmation pages, such as: Full names delivery addresses and phone numbers,” the report explained. The analysts calculated that more than 410,000 records, and hundreds of thousands of customer records, were exposed in the leak — which they estimated dates as far back as 2015. “Those shortened URLs were easily discoverable to hackers due to a lack of sufficient entropy or compensating security protocols,” the vpnMentor analysts wrote. “Carter’s also put no authentication in place to verify that only the person who’d made the purchase could visit the confirmation page.” Compounding the risk, the researchers found that the links never expired, meaning customers who might have purchased from Carter’s years ago were…

Sol Oriens, a subcontractor for the U.S. Department of Energy (DOE) that works on nuclear weapons with the National Nuclear Security Administration (NNSA), last month was hit by a cyberattack that experts say came from the relentless REvil ransomware-as-a-service (RaaS) gang. The Albuquerque, N.M. company’s website has been unreachable since at least June 3, but Sol Oriens officials confirmed to Fox News and to CNBC that the firm became aware of the breach sometime last month. The company’s statement, captured in a Tweet stream posted by CNBC’s Eamon Javers on Thursday: “In May 2021, Sol Oriens became aware of a cybersecurity incident that impacted our network environment. The investigation is ongoing, but we recently determined that an unauthorized individual acquired certain documents from our systems. Those documents are currently under review, and we are working with a third-party technological forensic firm to determine the scope of potential data that may have been involved. We have no current indication that this incident involves client classified or critical security-related information. Once the investigation concludes, we are committed to notifying individuals and entities whose information is involved …” As Javers noted, “we don’t know everything this small company does,” but he posted a sample job posting that indicates that it handles nuclear weapons issues: “Senior Nuclear Weapon System Subject Matter. Expert with more than 20 years of experience with…

New data from the February hack of CD Projekt Red, the videogame-development company behind Cyberpunk 2077 and the Witcher series, is circulating online. Earlier this year, the company suffered a ransomware attack in which a cyberattack group (believed by some to be the HelloKitty gang) “gained access to our internal network, collected certain data belonging to CD PROJEKT Capital Group and left a ransom note,” the company said at the time. The ransomware also encrypted the company’s systems, but CD Projekt Red was able to restore everything from backup – leaving the real issue to be the stolen data. Ransomware gangs have doubled down on the increasingly common “double-extortion” threat, saying they will auction stolen data if victims don’t pay. Many also maintain “name and shame” blogs – used by operators to post leaked data from victims that refused to send over a ransom. And indeed, in the CD Projekt Red ransom note (also tweeted out), the cybercriminals said that they had “dumped full copies” of the source code for Cyberpunk 2077, Gwent, the Witcher 3 and an “unreleased version” of the Witcher 3; and, stolen sensitive corporate information relating to accounting, administration, HR, investor relations, legal and more. “Source codes will be sold or leaked online, and your documents will be sent to our contacts in gaming journalism,” according to the note, which went on to say that not paying up has an impact to the company’s public image, stock price and investor…

A monster cyberattack on SITA, a global IT provider for 90 percent of the world’s airline industry, is slowly unfurling to reveal the largest supply-chain attack on the airline industry in history. The enormous data breach, estimated to have already impacted 4.5 million passengers, has potentially been traced back to the Chinese state-sponsored threat actor APT41, and analysts are warning airlines to hunt down any traces of the campaign concealed within their networks. SITA announced the attack in March, and soon after Singapore and Malaysia Airlines were the first airlines to disclose that their customers’ personal data had been exposed. Most recently, SITA’s customer Air India reported an attack on its systems. “After Air India revealed the details of its security breach, it became clear that the carriers were most likely dealing with one of the biggest supply-chain attacks in the airline industry’s history,” Group-IB analyst Nikita Rostovcev said in a recent report about the discovery. The campaign’s code name is ColunmTK, the Group-IB report said, which researchers came up with by combining the first two domains used for DNS tunneling in the attack: ns2[.]colunm[.]tk and ns1[.]colunm[.]tk.
SITA Attack Claims Air India Among Victims
Air India made the first public statement about its breach on May 21, however, it wasn’t until later that Group-IB traced its origins to SITA, which is responsible for processing personal customer data for the airline. Adding in Air India’s…

The U.S. Department of Justice (DOJ) announced on Thursday that a multinational operation has led to the seizure of Slilpp, a well-known marketplace for selling stolen online logins that offered more than 80 million sets of credentials for sale. Since 2012, Slilpp has been an underground market to buy and sell logins for bank accounts, online payment accounts, mobile phone accounts, retailer accounts and more, according to the DOJ. Those who purchased the login credentials used them to conduct unauthorized transactions, such as wire transfers. The DOJ said in a statement that so far, more than a dozen individuals have been charged or arrested by US law enforcement in connection with the Slilpp marketplace. According to the affidavit, the FBI, working in coordination with foreign law enforcement partners, identified a series of servers that hosted the Slilpp marketplace infrastructure and its various domain names. Authorities in the U.S., Germany, the Netherlands and Romania worked together to seize the servers and the domains and to thereby disrupt the buying and selling of identities. There were more than 1,400 account providers represented in the vast marketplace’s offerings. According to the affidavit, a fraction of the victimized account providers have calculated losses so far, but just based on the limited number of victim reports, the stolen login credentials sold over Slilpp have been used to cause over $200 million in losses in the U.S. alone. “The full impact of…

Hackers have breached computer game maker Electronic Arts (EA) and stolen source code and related tools for the company’s extensive game library, the company has confirmed. EA said it’s investigating “a recent incident of intrusion into our network where a limited amount of game source code and related tools were stolen,” according to a statement published in numerous online reports. The longtime game developer is known for titles such as The Sims, Madden NFL and FIFA 21. “No player data was accessed, and we have no reason to believe there is any risk to player privacy,” the company said. EA did not immediately return an emailed request for comment from Threatpost Friday morning. Despite EA’s downplaying of the incident, the initial source that reported it suggested the breach was indeed quite serious. A report in Vice Motherboard published late Thursday claims hackers posted on a dark web forum that they have taken the source code for EA’s FIFA 21 as well as code for its matchmaking server, in addition to numerous other company assets. That post appears to be available via a Google cached web page from June 6 that bears the headline “We sell the FIFA 21 full src code and tools,” asking for a price of $28 million for the 780 gigabyte data dump. The web page, which was emailed to Threatpost, lists a raft of stolen information, including the FIFA 21 matchmaking server, FIFA 22 API keys and some SDK and debugging tools; and the source code for FrostBite, the engine that powers…

A distributed denial-of-service (DDoS) extortion group has blazed back on the cybercrime scene, this time under the name of “Fancy Lazarus.” It’s been launching a series of new attacks that may or may not have any teeth, researchers said. The new name is a tongue-in-cheek combination of the Russia-linked Fancy Bear advanced persistent threat (APT) and North Korea’s Lazarus Group. The choice seems natural, given that the gang was last seen – including in a major campaign in October – purporting to be various APTs, including Armada Collective, Fancy Bear and Lazarus Group. According to Proofpoint, this time around the gang has been sending threatening, targeted emails to various organizations, including those operating in the energy, financial, insurance, manufacturing, public utilities and retail sectors – asking for a two-Bitcoin (BTC) starting ransom (around $75,000) if companies want to avoid a crippling DDoS attack. The price doubles to four BTC after the deadline, and increases by one BTC each day after that. The targets are mostly located in the U.S. While it’s hard to make a definitive correlation, the timing of some of the Fancy Lazarus campaigns corresponds with high-profile ransomware attacks over the past six months, in terms of targeting the same vertical industries, according to Sherrod DeGrippo, senior director of threat research and detection at Proofpoint. “These include utility, natural gas and manufacturing,” she told Threatpost. “This could be an attempt…

Google is warning that a bug in its Chrome web browser is actively under attack, and it is urging users to upgrade to the latest 91.0.4472.101 version to mitigate the issue. In all, Google rolled out fixes for 14 bugs impacting its Windows, Mac and Linux browsers as part of its June update to the Chrome desktop browser. “Google is aware that an exploit for CVE-2021-30551 exists in the wild,” wrote Chrome technical program manager Prudhvikumar Bommana in a Wednesday post. That exploit is identified as a type confusion bug within Google’s V8 open-source JavaScript and WebAssembly engine. The confusion vulnerability is tied to the browser’s ActionScript Virtual Machine. “Usually, when a piece of code doesn’t verify the type of object that is passed to it, and uses it blindly without type-checking, it leads to type confusion,” according to a technical description of the bug.
Possible Wider Impact of Exploited Chrome Browser Bug
The update coincides with the release of the Android Chrome browser to Chrome 91 (91.0.4472.101), also on Wednesday. While the desktop and mobile versions of the Chrome web browser share the same version number, it is unclear if the updated Android Chrome browser is impacted by the same vulnerabilities. Also unclear is if Microsoft’s Edge browser, based on the Chromium open-source browser codebase (principally developed and maintained by Google), is also impacted. In related news, on Tuesday, Microsoft released a patch for vulnerabilities under active…

The STEM Audio Table conference-room speaker has a security vulnerability that would allow unauthenticated remote code execution (RCE) as root – paving the way for eavesdropping on conversations, denial of service, lateral movement throughout enterprise networks and more. And, there are multiple additional security issues as well, according to GRIMM researchers, all of which would allow an attacker to interfere with the device. The STEM Audio Table is a high-end, nine-speaker smart device, shaped like a large puck, that sits on a conference table to enable whole-room conferencing. It can also be used with other devices to, say, enable video calls. It sports a web-based control interface and connects via the internet to download firmware updates. “Modern business often relies heavily on the Internet and software resources such as Zoom or Skype to support daily operations. Use of such systems often requires additional hardware resources like microphones and cameras,” researchers noted. “What were once mechanical or analog devices are now increasingly being redesigned with embedded processors. This change in direction implies that what seem like ordinary commodity devices are, in fact, reasonably capable computing machines with attack surfaces very similar to traditional PCs.”
RCE Security Bugs
GRIMM said that the RCE bug is a stack-based buffer overflow issue, located in the “local_server_get() and sip_config_get() in stem_firmware_linux_2.0.0.out” function. The…
