Archives

Google, Microsoft can get your passwords via web browser’s spellcheck

Google, Microsoft can get your passwords via web browser’s spellcheck
By Ax Sharma September 17, 2022 02:39 PM

Extended spellcheck features in Google Chrome and Microsoft Edge web browsers transmit form data, including personally identifiable information (PII) and in some cases, passwords, to Google and Microsoft respectively.

While this may be a known and intended feature of these web browsers, it does raise concerns about what happens to the data after transmission and how safe the practice might be, particularly when it comes to password fields.

Both Chrome and Edge ship with basic spellcheckers enabled. But, features like Chrome’s Enhanced Spellcheck or Microsoft Editor when manually enabled by the user, exhibit this potential privacy risk.
Spell-jacking: That’s your spellcheck sending PII to Big Tech

When using major web browsers like Chrome and Edge, your form data is transmitted to Google and Microsoft, respectively, should enhanced spellcheck features be enabled.

Depending on the website you visit, the form data may itself include PII—including but not limited to Social Security Numbers (SSNs)/Social Insurance Numbers (SINs), name, address, email, date of birth (DOB), contact information, bank and payment information, and so on.

Josh Summitt, co-founder & CTO of JavaScript security firm otto-js discovered this issue while testing his company’s script behaviors detection.

In cases where Chrome Enhanced Spellcheck or Edge’s Microsoft Editor (spellchecker) were enabled, “basically anything” entered in form fields of these browsers was transmitted to Google and Microsoft.

“Furthermore, if you click on ‘show password,’ the enhanced spellcheck even sends your password, essentially Spell-Jacking your data,” explains otto-js in a blog post.

“Some of the largest websites in the world have exposure to sending Google and Microsoft sensitive user PII, including username, email, and passwords, when users are logging in or filling out forms. An even more significant concern for companies is the exposure this presents to the company’s enterprise credentials to internal assets like databases and cloud infrastructure.”
Users may often rely on the “show password” option on sites where copying-pasting passwords is not allowed, for example, or when they suspect they’ve mistyped it.

To demonstrate, otto-js shared the example of a user entering credentials on Alibaba’ Cloud platform in the Chrome web browser—although any website can be used for this demonstration.

With enhanced spellcheck enabled, and assuming the user tapped “show password” feature, form fields including username and password are transmitted to Google at googleapis.com.

Article (https://www.bleepingcomputer.com/news/security/google-microsoft-can-get-your-passwords-via-web-browsers-spellcheck/)

Roy Miehe | MspPortal Partners Inc. | Ceo/President

Security Software Distributor: Bitdefender , Barracuda, RackSpace, Axcient

“Where Service and Technical Skills Count”

Bitdefender Update BEST 7.6.3.212 (Windows) Release Notes – Slow Ring

Bitdefender has released version 7.6.3.212 of the Bitdefender Endpoint Security Tools (for Windows) on slow ring.

The release notes are available here. Link (https://www.bitdefender.com/business/support/en/77209-77540-windows-agent.html#UUID-24e427f0-a355-8638-b2d5-177b5e7c8c30)

Roy Miehe | MspPortal Partners Inc. | Ceo/President

Security Software Distributor: Bitdefender , Barracuda, RackSpace, Axcient

“Where Service and Technical Skills Count”

Bitdefender releases free decryptor for LockerGoga ransomware

By Bill Toulas September 16, 2022 11:09 AM

Romanian cybersecurity firm Bitdefender has released a free decryptor to help LockerGoga ransomware victims recover their files without paying a ransom.

The free tool is available for download from Bitdefender’s servers and allows you to recover encrypted files using instructions in this usage guide [PDF]. LInk https://www.nomoreransom.org/uploads/LockerGoga-Decrypt-Doc.pdf

Bitdefender says the decryptor was developed in cooperation with law enforcement agencies, including Europol, the NoMoreRansom Project, the Zürich Public Prosecutor’s Office, and the Zürich Cantonal Police.

For a working decryptor to be created, researchers usually need to identify a flaw in the cryptography used by the ransomware encryptor.

However, in this case, the LockerGoga operators were arrested in October 2021, which may have allowed law enforcement to access the master private keys used to decrypt victims’ encryption keys.
How to decrypt your files

Files encrypted by LockerGoga will have the “.locked” filename extension and cannot be opened with regular software.

Bitdefender’s tool offers to scan your entire filesystem or a single folder, locate any encrypted files, and perform the decryption automatically.

For this to work, the computer needs to be connected to the internet, and the ransom notes generated by the ransomware during the encryption need to be in the original paths.

Bitdefender says the decryptor can operate either on a single machine or on entire networks encrypted by LockerGoga.

Note that the decryption process can be interrupted or not always work as expected, and you might end up with corrupted files. For this reason, the decrypter has the “backup files” option ticked by default, and users are recommended to leave that setting enabled.
Who was LockerGoga

The LockerGoga ransomware operation launched in January 2019, hitting high-profile targets such as the French engineering firm Altran Technologies and the Norwegian aluminum giant Norsk Hydro.

Together with Ryuk and MegaCortex, LockerGoga was involved in ransomware attacks against at least 1,800 organizations worldwide.

In October 2021, twelve individuals were arrested in an international law enforcement operation for deploying various ransomware strains, including LockerGoga.

“Its operator, who has been detained since October 2021 pending trial, is part of a larger cybercrime ring that used LockerGoga and MegaCortext ransomware to infect more than 1,800 persons and institutions in 71 countries to cause an estimated damage of $US 104 million,” Bitdefender explains in the decryptor announcement.

Since the operator’s arrest, threat actors have ceased using the LockerGoga ransomware, and the ransomware’s source code was never released.

Therefore, this decryptor will mostly be for past victims who refused to pay the ransom and have been waiting to recover their files for free.

Article (https://www.bleepingcomputer.com/news/security/bitdefender-releases-free-decryptor-for-lockergoga-ransomware/)

Roy Miehe | MspPortal Partners Inc. | Ceo/President

Security Software Distributor: Bitdefender , Barracuda, RackSpace, Axcient

“Where Service and Technical Skills Count”

Rackspace Email Customers

Rackspace Email Customer, 

As we continue our preparations to migrate Rackspace Email users to a new and improved mail platform, we are announcing a change in our spam and trash retention settings.  

On November 1st 2022, Rackspace Email will change the retention rules for the spam and trash folders to 30 days. This means that any mail data in these folders older than the retention limits will be removed. 

Prior to November 1st, the mailbox owner will need to review the mail in those folders and move any mail they want to keep into another folder. You can view the spam and trash limits for each mailbox by logging into https://cp.rackspace.com        

– Mailbox: Navigate to Mailboxes > manage > settings       

– Domain: Navigate to Rackspace Email > Settings > Folder Cleanup 

This change will help users manage their storage usage automatically, effectively increasing the total available mail quota for most users.

Roy Miehe | MspPortal Partners Inc. | Ceo/President

Security Software Distributor: Bitdefender , Barracuda, RackSpace, Axcient

“Where Service and Technical Skills Count”

Your APIs have no clothes

This week, SecurityBoulevard has featured an interesting article on why APIs have no clothes — APIs being the digital equivalent of the protagonist in the Hans Christian Andersen’s folktale The Emperor’s New Clothes. In the story, the emperor was exposed, but no one told him or was willing to do anything about it. Not so different from where you might find yourself with APIs.

The first challenge to API security the author highlights is presented by the disappearing perimeter. Organizations can no longer rely on perimeter protections, such as firewalls, to protect their assets. The adoption of cloud technology and PaaS has meant that the external perimeter is largely eroded. Instead, the focus needs to move to protect the API endpoints themselves by using advanced authentication like multi-factor authentication (MFA), and monitoring multiple levels of the network to identify attacks.

As ever, the lack of cybersecurity talent and skills only exacerbates the problem, and nowhere is this more acutely felt than with APIs. Many of the lessons learned with protecting web applications no longer apply to APIs, and teams need to learn new skills or adapt their methods to protect APIs.

To remedy this and get your APIs covered, the author suggests going back to the basics in protecting APIs, namely:

Authentication
Auditing and logging
Encryption

Roy Miehe | MspPortal Partners Inc. | Ceo/President

Security Software Distributor: Bitdefender , Barracuda, RackSpace, Axcient

“Where Service and Technical Skills Count”

Microsoft rolls out emergency fix for blocked Windows logins

By Sergiu Gatlan September 8, 2022 12:20 PM
Microsoft says a Windows 11 update released in late August is blocking customers from signing in with newly added Microsoft Account users after restarting or logging off systems running Windows 11, version 21H2.

“After installing KB5016691 and adding a new Microsoft account user in Windows, you might be unable to sign in for a brief time after the first restart or sign out. The issue only affects the newly added Microsoft account user and only for the first sign in,” Microsoft explained.

“This issue only affects devices after adding a Microsoft account. It does not affect Active Directory domain users accounts or Azure Active Directory accounts.”

Microsoft says it addressed this issue via Known Issue Rollback (KIR), a Windows capability designed to revert buggy Windows non-security fixes pushed through Windows Update.

Once rolled out, KIR-issued fixes usually reach all consumer and non-managed business devices within a day. Affected users can also get the fix after restarting any impacted Windows devices.

As a workaround, those experiencing this issue can wait for the lock screen to appear again, as it will resolve itself after some time, allowing users to log in as expected.
Group policies available for enterprise

As an IT admin, you must install and configure a KIR Group Policy to resolve this known issue on affected enterprise-managed devices.

“The special Group Policy can be found in Computer Configuration -> Administrative Templates -> KB5016691 220722_051525 Known Issue Rollback -> Windows 11 (original release),” Microsoft added.

You can download this Rollback Group Policy for Windows 11, version 21H2, from here.

To deploy the Known Issue Rollback via Group Policy, you have to go to the Local Computer Policy or the Domain policy on your domain controller using the Group Policy Editor to choose the Windows version you need to target.

Detailed information on how to deploy and configure KIR Group Policies can be found on Microsoft’s support website.

In July, Microsoft issued another emergency fix via Known Issue Rollback (KIR) to address an issue causing the Windows 11 start menu to malfunction after installing recent updates.

Roy Miehe | MspPortal Partners Inc. | Ceo/President
Security Software Distributor: Bitdefender , Barracuda, RackSpace, Axcient
“Where Service and Technical Skills Count”

Apple backports fix for actively exploited iOS zero-day to older iPhones

By Sergiu Gatlan August 31, 2022 03:16 PM

Apple has released new security updates to backport patches released earlier this month to older iPhones and iPads addressing a remotely exploitable WebKit zero-day that allows attackers to execute arbitrary code on unpatched devices.

This zero-day vulnerability is the same one Apple patched for macOS Monterey and iPhone/iPad devices on August 17, and for Safari on August 18.

The flaw is tracked as CVE-2022-3289 and is an out-of-bounds write vulnerability in WebKit, the web browser engine used by Safari and other apps to access the web.

If successfully exploited, it allows attackers to perform arbitrary code execution remotely by tricking their targets into visiting a maliciously crafted website under their control.

In a security advisory published today, Apple once again said that they’re aware of reports that this security issue “may have been actively exploited.”

The list of devices today’s security updates apply to includes iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation), all of them running iOS 12.5.6.
Patch your older phones to block attacks

Even though Apple has disclosed that it received reports of active exploitation in the wild, the company is yet to release info regarding these attacks.

By withholding this information, Apple is likely aiming to allow as many users as possible to apply the security updates before other attackers pick up on the zero-day’s details and start deploying exploits in their own attacks targeting vulnerable iPhones and iPads.

Although this zero-day vulnerability was most likely only used in targeted attacks, it’s still strongly advised to install today’s iOS security updates as soon as possible to block potential attack attempts.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also added this security bug to its catalog of exploited vulnerabilities on August 19, requiring Federal Civilian Executive Branch (FCEB) agencies to patch it to protect “against active threats.”

This is the seventh zero-day bug fixed by Apple since the start of the year:

In March, Apple patched two zero-day bugs in the Intel Graphics Driver (CVE-2022-22674) and AppleAVD (CVE-2022-22675).
In February, Apple released security updates to fix another WebKit zero-day bug exploited in attacks against iPhones, iPads, and Macs.
In January, Apple patched two other exploited zero-days that enabled code execution with kernel privileges (CVE-2022-22587) and web browsing activity tracking (CVE-2022-22594).

Roy Miehe | MspPortal Partners Inc. | Ceo/President
Security Software Distributor: Bitdefender , Barracuda, RackSpace, Axcient
“Where Service and Technical Skills Count”

 

Okta one-time MFA passcodes exposed in Twilio cyberattack

By Ionut Ilascu August 28, 2022 01:15 PM
he threat actor behind the Twilio hack used their access to steal one-time passwords (OTPs) delivered over SMS from customers of Okta identity and access management company.

Okta provides its customers with multiple forms of authentication for services, including temporary codes delivered over SMS through Twilio.

With access to the Twilio console, the threat actor could see mobile phone numbers and OTPs belonging to Okta customers.
Using Twilio to search for OTPs

On August 4, cloud communications company Twilio discovered that an unauthorized party gained access to its systems and information belonging to its customers.

At the time, one of the services Okta used for customers opting for SMS as an authentication factor was provided by Twilio.

On August 8, Okta learned that the Twilio hack exposed “unspecified data relevant to Okta” and started to route SMS-based communication through a different provider.

Using internal system logs from Twilio’s security team, Okta was able to determine that the threat actor had access to phone numbers and OTP codes belonging to its customers.

“Using these logs, Okta’s Defensive Cyber Operations’ analysis established that two categories of Okta-relevant mobile phone numbers and one-time passwords were viewable during the time in which the attacker had access to the Twilio console” – Okta

The company notes that an OTP code remains valid for no more than five minutes.

When it comes to the threat actor’s activity in the Twilio console regarding its customers, Okta distinguishes between “targeted” and “incidental exposure” of phone numbers.

The company says that the intruder searched for 38 phone numbers, almost all of them associated with one organization, indicating interest in gaining access to that client’s network.

Article ( https://www.bleepingcomputer.com/news/security/okta-one-time-mfa-passcodes-exposed-in-twilio-cyberattack/)

Roy Miehe | MspPortal Partners Inc. | Ceo/President
Security Software Distributor: Bitdefender , Barracuda, RackSpace, Axcient
“Where Service and Technical Skills Count”

CISA: Just-Disclosed Palo Alto Networks Firewall Bug Under Active Exploit

Lara Seals Managing Editor, News, Dark Reading
August 24, 2022
The US Cybersecurity and Infrastructure Security Agency (CISA) is warning that a high-severity security vulnerability in Palo Alto Networks firewalls is being actively exploited in the wild.

The bug (CVE-2022-0028, with a CVSS severity score of 8.6), exists in the PAN-OS operating system that runs the firewalls, and could allow a remote threat actor to abuse the firewalls to deploy distributed denial-of-service (DDoS) attacks against targets of their choice — without having to authenticate.

Exploitation of the issue can help attackers to cover their tracks and location.

“The DoS attack would appear to originate from a Palo Alto Networks PA-Series (hardware), VM-Series (virtual) and CN-Series (container) firewall against an attacker-specified target,” according to the Palo Alto Networks advisory issued earlier this month.

The bug arises thanks to a URL-filtering policy misconfiguration.

Instances that use a non-standard configuration are at risk; to be exploited, the firewall configuration “must have a URL filtering profile with one or more blocked categories assigned to a security rule with a source zone that has an external facing network interface,” the advisory read.
Exploited in the Wild

Two weeks since that disclosure, CISA said that it has now seen the bug being adopted by cyber adversaries in the wild, and it’s added it to its Known Exploited Vulnerabilities (KEV) catalogue. Attackers can exploit the flaw to deploy both reflected and amplified versions of DoS floods.

Bud Broomhead, CEO at Viakoo, says bugs that can be marshaled into service to support DDoS attacks are in more and more demand.

“The ability to use a Palo Alto Networks firewall to perform reflected and amplified attacks is part of an overall trend to use amplification to create massive DDoS attacks,” he says. “Google’s recent announcement of an attack which peaked at 46 million requests per second, and other record-breaking DDoS attacks will put more focus on systems that can be exploited to enable that level of amplification.”

Article ( https://www.darkreading.com/vulnerabilities-threats/cisa-palo-alto-firewall-bug-active-exploit)

Roy Miehe | MspPortal Partners Inc. | Ceo/President
Security Software Distributor: Bitdefender , Barracuda, RackSpace, Axcient

Apple security updates fix 2 zero-days used to hack iPhones, Macs

By Lawrence Abrams August 17, 2022 06:35 PM

Apple has released emergency security updates today to fix two zero-day vulnerabilities previously exploited by attackers to hack iPhones, iPads, or Macs.

Zero-day vulnerabilities are security flaws known by attackers or researchers before the software vendor has become aware or been able to patch them. In many cases, zero-days have public proof-of-concept exploits or are actively exploited in attacks.

Today, Apple has released macOS Monterey 12.5.1 and iOS 15.6.1/iPadOS 15.6.1 to resolve two zero-day vulnerabilities that are reported to have been actively exploited.

The two vulnerabilities are the same for all three operating systems, with the first tracked as CVE-2022-32894. This vulnerability is an out-of-bounds write vulnerability in the operating system’s Kernel.

The kernel is a program that operates as the core component of an operating system and has the highest privileges in macOS, iPadOS, and iOS.

An application, such as malware, can use this vulnerability to execute code with Kernel privileges. As this is the highest privilege level, a process would be able to perform any command on the device, effectively taking complete control over it.

The second zero-day vulnerability is CVE-2022-32893 and is an out-of-bounds write vulnerability in WebKit, the web browser engine used by Safari and other apps that can access the web.

Apple says this flaw would allow an attacker to perform arbitrary code execution and, as it’s in the web engine, could likely be exploited remotely by visiting a maliciously crafted website.

The bugs were reported by anonymous researchers and fixed by Apple in iOS 15.6.1, iPadOS 15.6.1, and macOS Monterey 12.5.1 with improved bounds checking for both bugs.

The list of devices affected by both vulnerabilities are:

Macs running macOS Monterey
iPhone 6s and later
iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).

Apple disclosed active exploitation in the wild, however, it did not release any additional info regarding these attacks.

Likely, these zero-days were only used in targeted attacks, but it’s still strongly advised to install today’s security updates as soon as possible.
Seven zero-days patched by Apple this year

In March, Apple patched two more zero-day bugs that were used in the Intel Graphics Driver (CVE-2022-22674) and AppleAVD (CVE-2022-22675) that could also be used to execute code with Kernel privileges.

In January, Apple patched two more actively exploited zero-days that enabled attackers to achieve arbitrary code execution with kernel privileges (CVE-2022-22587) and track web browsing activity and the users’ identities in real-time (CVE-2022-22594).

In February, Apple released security updates to fix a new zero-day bug exploited to hack iPhones, iPads, and Macs, leading to OS crashes and remote code execution on compromised devices after processing maliciously crafted web content.

 

Article (https://www.bleepingcomputer.com/news/security/apple-security-updates-fix-2-zero-days-used-to-hack-iphones-macs/)

Roy Miehe | MspPortal Partners Inc. | Ceo/President
Security Software Distributor: Bitdefender , Barracuda, RackSpace, Axcient
“Where Service and Technical Skills Count”