Malware Devil

Thursday, October 8, 2020

Credit card skimmer targets virtual conference platform

We’ve seen many security incidents affecting different websites simultaneously because they were loading the same tampered piece of code. In many instances, this is due to what we call a supply-chain attack, where a threat actor targets one company that acts as an intermediary to others.

In today’s case, the targeted websites all reside on the same server and sell video content from various conferences and conventions. The host control panel belongs to Playback Now, a company that provides its customers with an array of services to capture and deliver recorded material into an online conference experience.

Criminals decided to impersonate Playback Now by registering a malicious domain lexically close to their official website that could be used to discreetly serve a credit card skimmer as well as collect stolen data.

Their next move was to inject a malicious reference to this skimmer code into dozens of Magento sites hosted on the same IP address belonging to Playback Now. As a result, the financial details from customers shopping for conference material were now at risk.

Online conference sites compromised with Inter skimming kit

Playback Now provides organizations with an easy way to seamlessly convert an event into an online virtual experience. Conferences and seminars can be delivered via live streaming, on demand, or a hybrid of the two.

Their offering of a virtual conference expo hall seems like a timely solution during the pandemic for organizers and exhibitors to connect with customers just like at an in-person event.

Figure 1: Legitimate PlayBack Now website

Businesses or organizations that want to join the experience can get a dedicated website from where they will serve and promote their content. Take the following website built for the Association of Healthcare Internal Auditors.

Once users have registered and purchased one of the packages, they can access recorded sessions online or save them onto a flash drive.

Figure 2: A Playback Now customer site that has been compromised

A closer look at the website’s source code reveals an external reference to a JavaScript file. It would be easy to overlook, thinking it is served from the legitimate Playback Now website (playbacknow.com), but there is an extra ‘s’ in that domain name (playbacknows[.]com) that gives it away.

That domain was registered only a couple of weeks ago and its home page is void of any content.

Domain name: playbacknows.com
Creation Date: 2020-09-21T20:22:10.00Z
Registrar: NAMECHEAP INC
Registrant Name: WhoisGuard Protected
Registrant Street: P.O. Box 0823-03411 
Registrant City: Panama

In total, we detected the reference to this domain in over 40 websites belonging to different organizations (see the IOCs section of this blog post).

This JavaScript is a skimmer that has been lightly obfuscated and contains a number of strings that are characteristic markers of the Inter skimming kit.

Figure 3: Checkout page where skimmer will steal credit card data

When someone purchases a course or conference recording, their personal and credit card data will be leaked to criminals via the same malicious domain housing the skimmer.
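The look-alike domain described above (an extra letter in playbacknow.com) is something a site owner can check for mechanically in their own pages. The script below is an added example, not code from this post or from Malwarebytes: it parses a constructed HTML snippet for external script sources, compares each host's registrable name against an allowlist of trusted first-party domains (assumed here to be playbacknow.com and a cdn subdomain), and flags any host within a small edit distance of a trusted name. The sample HTML, the allowlist and the distance threshold are all constructed assumptions; the skimmer path itself is the one listed in the IOCs.

```python
"""Flag <script src> references to look-alike domains in a page's HTML.

Added example (not code from the Malwarebytes / Malware Devil post). It scans a
constructed HTML snippet for external script sources, compares each host to an
allowlist of first-party domains, and flags hosts that sit within a small edit
distance of an allowed domain but are not on the list, the pattern described
above (playbacknow.com vs. playbacknows.com).
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the site owner considers legitimate script sources (assumption).
TRUSTED_DOMAINS = {"playbacknow.com", "cdn.playbacknow.com"}

# Constructed sample page: one first-party script, one from the look-alike
# domain named in the IOCs, one ordinary third-party CDN, one inline script.
SAMPLE_HTML = """
<html><head>
<script src="https://playbacknow.com/js/app.js"></script>
<script src="https://playbacknows.com/playback/index.js"></script>
<script src="https://cdn.jsdelivr.net/npm/jquery@3.5.1/dist/jquery.min.js"></script>
<script>console.log("inline");</script>
</head><body></body></html>
"""


class ScriptSrcParser(HTMLParser):
    """Collect the src attribute of every <script> tag in the document."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.sources.append(value)


def levenshtein(a, b):
    """Classic edit distance; inputs are short so O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_name(host):
    """Crude eTLD+1: the last two labels. Adequate for .com-style names (assumption)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def classify_script_sources(html, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return {src: verdict}; verdict is 'trusted', 'lookalike' or 'third-party'."""
    parser = ScriptSrcParser()
    parser.feed(html)
    trusted_hosts = {d.lower() for d in trusted}
    trusted_base = {registrable_name(d) for d in trusted}
    verdicts = {}
    for src in parser.sources:
        host = urlparse(src).hostname
        if host is None:  # relative URL, served by the site itself
            verdicts[src] = "trusted"
            continue
        base = registrable_name(host)
        if host.lower() in trusted_hosts or base in trusted_base:
            verdicts[src] = "trusted"
            continue
        # Compare the registrable part against every trusted base name; a
        # distance of 1-2 is the typosquat / extra-letter pattern seen here.
        closest = min(levenshtein(base, t) for t in trusted_base)
        verdicts[src] = "lookalike" if closest <= max_distance else "third-party"
    return verdicts


def lookalike_sources(html, **kw):
    """Convenience wrapper: just the script URLs that look like typosquats."""
    return sorted(s for s, v in classify_script_sources(html, **kw).items() if v == "lookalike")


if __name__ == "__main__":
    for src, verdict in classify_script_sources(SAMPLE_HTML).items():
        print(f"{verdict:12s} {src}")
```

Run against the constructed page, the jsdelivr script is reported as an ordinary third party while playbacknows.com is reported as a look-alike; in practice the allowlist would be the site's own domains plus the CDNs it deliberately uses, and anything flagged as "lookalike" deserves a manual look at the script it loads.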

Breach possibly related to Magento 1.x exploit

All affected Playback Now customer sites are running on the same IP address at 209.126.18.3. Using VirusTotal Graph we can see an interesting connection with a piece of malware we previously documented.

Figure 4: VirusTotal graph showing a connection between malware and hosting server

This Go sample attempts to brute-force access into a variety of Content Management Systems. If successful, attackers could use the gained credentials to inject malicious code into e-commerce sites.

This connection was interesting but lost some value when we looked at the submission date for this sample to VirusTotal. It’s quite likely that the server was pinged just like many others, but it’s unclear whether it would have resulted in a breach, even at a later date.

Based on an analysis of the compromised Playback Now-related sites, we found they were running a vulnerable version of the Magento CMS, namely version 1.x. Following the release of an exploitation tool, a wave of attacks was recently observed, compromising over two thousand sites.

Given the timeline, this incident could have been leveraging the same exploit and be carried out by the same or perhaps a different group.

The official website playbacknow.com is hosted on 209.126.18.3 as well, but it does not appear to be compromised. One thing to note though is that it is running a different CMS, namely WordPress version 5.4.

We contacted Playback Now to report this breach. In the meantime, Malwarebytes Browser Guard detects and blocks the fraudulent skimmer domain.

Figure 5: Malwarebytes Browser Guard blocking this attack

Indicators of Compromise (IOCs)

Skimmer

playbacknows[.]com/playback/index.js

Compromised sites

Website                            Organization
playbacknar[.]com                  National Association of Realtors
naraei[.]playbacknow[.]com         National Association of Realtors
nais[.]playbacknow[.]com           National Association of Independent Schools
nasmm[.]playbacknow[.]com          National Association of Senior Move Managers
tripleplay[.]playbacknow[.]com     Triple Play
digitaldealer[.]playbacknow[.]com  Digital Dealer
playbackaaj[.]com                  American Association for Justice
playbackacp[.]com                  American College of Physicians
playbacksmilesource[.]com          Smile Source
playbackc21[.]com                  Century 21 University
playbackada[.]com                  American Diabetes Association
playbacknailba[.]com               NAILBA
playbackswana[.]com                SWANA
playbacknaspa[.]com                NASPA
playbackaupresses[.]com            Association of University Presses
playbacknacba[.]com                NACBA
playbackaca[.]com                  ACA International
playbacknala[.]com                 NALA Paralegal Association
playbacknatp[.]com                 National Association of Tax Professionals
iplayback[.]com
playbackcore[.]com
playbackndsc[.]com                 National Down Syndrome Congress
playbackaata[.]com                 American Art Therapy Association
playbacksnrs[.]com                 Southern Nursing Research Society
playbackssp[.]com                  Society for Scholarly Publishing
playbackcaregiving[.]com           Caregiving
playbackcas[.]com                  Casualty Actuarial Society
playbackmpc[.]com                  Midwest Podiatry Conference
playbackhinman[.]com               Hinman Dental
playbacknetworker[.]com            Psychotherapy Networker
playbacknara[.]com                 National Association for Regulatory Administration
aspcvirtualsummit[.]org            American Society for Preventive Cardiology
playbackfgs[.]com                  National Genealogy Society
playbackifa[.]com                  International Franchise Association
playbackashe[.]com                 Association for the Study of Higher Education
playbackippfa[.]com                IPPFA
playbackahri[.]com                 Air Conditioning Heating Refrigeration Institute
playbackaonl[.]com                 American Organization for Nursing Leadership
playbackngs[.]com                  National Genealogy Society
playbackrlc[.]com                  Restaurant Law Center
playbackahia[.]com                 Association of Healthcare Internal Auditors
playbacknacac[.]com                National Association for College Admission Counseling

Server hosting compromised sites

209.126.18.3

The post Credit card skimmer targets virtual conference platform appeared first on Malware Devil.



https://malwaredevil.com/2020/10/08/credit-card-skimmer-targets-virtual-conference-platform-2/?utm_source=rss&utm_medium=rss&utm_campaign=credit-card-skimmer-targets-virtual-conference-platform-2


RAINBOWMIX Apps in Google Play Serve Up Millions of Ad Fraud Victims

Collectively, 240 fraudulent Android apps — masquerading as retro game emulators — account for 14 million installs.

The post RAINBOWMIX Apps in Google Play Serve Up Millions of Ad Fraud Victims appeared first on Malware Devil.



https://malwaredevil.com/2020/10/08/rainbowmix-apps-in-google-play-serve-up-millions-of-ad-fraud-victims/?utm_source=rss&utm_medium=rss&utm_campaign=rainbowmix-apps-in-google-play-serve-up-millions-of-ad-fraud-victims

Amid an Embarrassment of Riches, Ransom Gangs Increasingly Outsource Their Work

There’s an old adage in information security: “Every company gets penetration tested, whether or not they pay someone for the pleasure.” Many organizations that do hire professionals to test their network security posture unfortunately tend to focus on fixing vulnerabilities hackers could use to break in. But judging from the proliferation of help-wanted ads for offensive pentesters in the cybercrime underground, today’s attackers have exactly zero trouble gaining that initial intrusion: The real challenge seems to be hiring enough people to help everyone profit from the access already gained.

One of the most common ways such access is monetized these days is through ransomware, which holds a victim’s data and/or computers hostage unless and until an extortion payment is made. But in most cases, there is a yawning gap of days, weeks or months between the initial intrusion and the deployment of ransomware within a victim organization.

That’s because it usually takes time and a good deal of effort for intruders to get from a single infected PC to seizing control over enough resources within the victim organization where it makes sense to launch the ransomware.

This includes pivoting from or converting a single compromised Microsoft Windows user account to an administrator account with greater privileges on the target network; the ability to sidestep and/or disable any security software; and gaining the access needed to disrupt or corrupt any data backup systems the victim firm may have.

Each day, millions of malware-laced emails are blasted out containing booby-trapped attachments. If the attachment is opened, the malicious document proceeds to quietly download additional malware and hacking tools to the victim machine (here’s one video example of a malicious Microsoft Office attachment from the malware sandbox service any.run). From there, the infected system will report home to a malware control server operated by the spammers who sent the missive.

At that point, control over the victim machine may be transferred or sold multiple times between different cybercriminals who specialize in exploiting such access. These folks are very often contractors who work with established ransomware groups, and who are paid a set percentage of any eventual ransom payments made by a victim company.

THE DOCTOR IS IN

Enter subcontractors like “Dr. Samuil,” a cybercriminal who has maintained a presence on more than a dozen top Russian-language cybercrime forums over the past 15 years. In a series of recent advertisements, Dr. Samuil says he’s eagerly hiring experienced people who are familiar with tools used by legitimate pentesters for exploiting access once inside of a target company — specifically, post-exploit frameworks like the closely-guarded Cobalt Strike.

“You will be regularly provided select accesses which were audited (these are about 10-15 accesses out of 100) and are worth a try,” Dr. Samuil wrote in one such help-wanted ad. “This helps everyone involved to save time. We also have private software that bypasses protection and provides for smooth performance.”

From other classified ads he posted in August and September 2020, it seems clear Dr. Samuil’s team has some kind of privileged access to financial data on targeted companies that gives them a better idea of how much cash the victim firm may have on hand to pay a ransom demand. To wit:

“There is huge insider information on the companies which we target, including information if there are tape drives and clouds (for example, Datto that is built to last, etc.), which significantly affects the scale of the conversion rate.

Requirements:
– experience with cloud storage, ESXi.
– experience with Active Directory.
– privilege escalation on accounts with limited rights.

* Serious level of insider information on the companies with which we work. There are proofs of large payments, but only for verified LEADs.
* There is also a private MEGA INSIDE, which I will not write about here in public, and it is only for experienced LEADs with their teams.
* We do not look at REVENUE / NET INCOME / Accountant reports, this is our MEGA INSIDE, in which we know exactly how much to confidently squeeze to the maximum in total.

According to cybersecurity firm Intel 471, Dr. Samuil’s ad is hardly unique, and there are several other seasoned cybercriminals who are customers of popular ransomware-as-a-service offerings that are hiring sub-contractors to farm out some of the grunt work.

“Within the cybercriminal underground, compromised accesses to organizations are readily bought, sold and traded,” Intel 471 CEO Mark Arena said. “A number of security professionals have previously sought to downplay the business impact cybercriminals can have to their organizations.”

“But because of the rapidly growing market for compromised accesses and the fact that these could be sold to anyone, organizations need to focus more on efforts to understand, detect and quickly respond to network compromises,” Arena continued. “That covers faster patching of the vulnerabilities that matter, ongoing detection and monitoring for criminal malware, and understanding the malware you are seeing in your environment, how it got there, and what it has or could have dropped subsequently.”

WHO IS DR. SAMUIL?

In conducting research for this story, KrebsOnSecurity learned that Dr. Samuil is the handle used by the proprietor of multi-vpn[.]biz, a long-running virtual private networking (VPN) service marketed to cybercriminals who are looking to anonymize and encrypt their online traffic by bouncing it through multiple servers around the globe.

Have a Coke and a Molotov cocktail. Image: twitter.com/multivpn

MultiVPN is the product of a company called Ruskod Networks Solutions (a.k.a. ruskod[.]net), which variously claims to be based in the offshore company havens of Belize and the Seychelles, but which appears to be run by a guy living in Russia.

The domain registration records for ruskod[.]net were long ago hidden by WHOIS privacy services. But according to Domaintools.com [an advertiser on this site], the original WHOIS records for the site from the mid-2000s indicate the domain was registered by a Sergey Rakityansky.

This is not an uncommon name in Russia or in many surrounding Eastern European nations. But a former business partner of MultiVPN who had a rather public falling out with Dr. Samuil in the cybercrime underground told KrebsOnSecurity that Rakityansky is indeed Dr. Samuil’s real surname, and that he is a 32- or 33-year-old currently living in Bryansk, a city located approximately 200 miles southwest of Moscow.

Neither Dr. Samuil nor MultiVPN have responded to requests for comment.


The post Amid an Embarrassment of Riches, Ransom Gangs Increasingly Outsource Their Work appeared first on Malware Devil.



https://malwaredevil.com/2020/10/08/amid-an-embarrassment-of-riches-ransom-gangs-increasingly-outsource-their-work-2/?utm_source=rss&utm_medium=rss&utm_campaign=amid-an-embarrassment-of-riches-ransom-gangs-increasingly-outsource-their-work-2


Securing an Agile and Hybrid Workforce

Guest article by Andrea Babbs, UK General Manager, VIPRE

2020 has forced businesses to revise many of their operations. One significant transition has been the shift to a remote working model, for which many were unprepared in terms of equipment, infrastructure and security. As the government now urges people to return to work, we’re already seeing a shift towards a hybrid workforce, with many employees splitting their time between the office and working from home.

As organisations are now reassessing their long-term office strategies, front and centre to that shift needs to be their IT security underpinned by a dependable and flexible cloud infrastructure. Andrea Babbs, UK General Manager, VIPRE, discusses what this new way of working means long-term for an organisation’s IT security infrastructure and how businesses can successfully move from remote working to a secure and agile workforce.

Power of the Cloud

In light of the uncertainty that has plagued most organisations, many are looking to options that can future-proof their business and enable as much continuity as possible in the event of another unforeseen event. The migration of physical servers to the Cloud is therefore a priority, not only to facilitate agile working, but to provide businesses with greater flexibility, scalability and more efficient resources. 

COVID-19 accelerated the shift towards Cloud-based services, with more data than ever before now being stored in the Cloud. For those organisations working on Cloud-based applications and drives, the challenges of the daily commute, relocations for jobs and not being able to ‘access the drive’ are in the past for many. Cloud services are moving with the user – every employee can benefit from the same level of security no matter where they are working or which device they are using. However, it’s important to ensure businesses are taking advantage of all the features included in their Cloud subscriptions, and that they’re configured securely for hybrid working. 

Layered Security Defence

Cloud-powered email, web and network security will always underline IT security defences, but these are only the first line of defence. Additional layers of security are also required to help the user understand the threat landscape, both external and internal. Particularly when working remotely with limited access to IT support teams, employees must be ready to question, verify the authenticity and interrogate the risk level of potential phishing emails or malicious links. 

With increased pressure placed on users to perform their roles faster and achieve greater results than ever before, employees will do what it takes to power through and access the information they need in the easiest and quickest way possible. This is where the cloud has an essential role to play in making this happen, not just for convenience and agility but also to allow users to stay secure – enabling secure access to applications for all devices from any location and the detection and deletion of viruses – before they reach the network. 

Email remains the most-used communication tool, even more so when remote working, but it also remains the weakest link in IT security, with 91% of cybercrimes beginning with an email. By implementing tools that prompt employees to double-check emails before they send them, businesses can reduce the risk of sharing the wrong information with the wrong individual.

Additional layers of defence such as email checking tools, are removing the barriers which slow the transition to agile working and are helping to secure our new hybrid workforce, regardless of the location they’re working in, or what their job entails. 

Educating the User

The risk an individual poses to an organisation can often be the main source of vulnerability in a company’s IT infrastructure. When remote working became essential overnight, businesses faced the challenges of malware spreading from personal devices, employees being distracted and exposing incorrect information and an increase in COVID-related cyber-attacks. 

For organisations wanting to evolve into a hybrid work environment, their IT security policies need to reflect the new reality. By re-educating employees about existing products and how to leverage any additional functionality to support their decision making, users can be updated on these cyber risks and understand their responsibilities.

Security awareness training programmes teach users to be alert and more security conscious as part of the overall IT security strategy. In order to fully mitigate IT security risks and for the business to benefit from an educated workforce, both in the short and long term, employees need to change their outdated mindset. 

Changing the Approach

The evolution of IT and security over the past 20 years means that working from home is now easily achievable with cloud-based setups, whereas in the not too distant past, it would have been impossible. But the key to a successful and safe agile workforce is to shift the approach of full reliance on IT, to a mindset where everyone is alert, responsible, empowered and educated with regular training, backed up by tools that reinforce a ‘security first’ approach. 

IT departments cannot be expected to stay one step ahead of cybercriminals and adapt to new threats on their own. They need their colleagues to work mindfully and responsibly on the front lines of cyber defence, comfortable in the knowledge that everything they do is underpinned by a robust and secure IT security infrastructure, but that the final decision to click the link, send the sensitive information or download the file, lies with them. 

Conclusion

As employees prove they can work from home productively, the role of the physical office is no longer necessary. For many companies, it is a sink or swim approach when implementing a hybrid and agile workforce. Introducing and retaining flexibility in operations now will help organisations cope better with any future unprecedented events or crises.

By focusing on getting the basics right and powered by the capabilities of the Cloud, highlighting the importance of layered security and challenging existing mindsets, businesses will be able to shift away from remote workers being the ‘exception,’ to a secure and agile workforce as a whole.

The post Securing an Agile and Hybrid Workforce appeared first on Security Boulevard.


The post Securing an Agile and Hybrid Workforce appeared first on Malware Devil.



https://malwaredevil.com/2020/10/08/securing-an-agile-and-hybrid-workforce/?utm_source=rss&utm_medium=rss&utm_campaign=securing-an-agile-and-hybrid-workforce

5 Lessons About Software Security for Cybersecurity Awareness Month

October is Cybersecurity Awareness Month, and this year, the overarching theme is “Do Your Part. #BeCyberSmart.” When considering what “cybersmart” means in application security, we realized we unearthed some data this year that made us a little cybersmarter and could help other security professionals and developers increase their AppSec smarts as well. We’re sharing those data gems below.

1. Lack of developer participation in and engagement with security training is a problem.

A recent research report, sponsored by Veracode and conducted by Enterprise Strategy Group (ESG), found that most organizations require their developers to consume AppSec training, but 35 percent said less than half of development teams are participating in formal training. In addition, most respondents reported that they lack programs to measure the effectiveness of developer security training. What’s the lesson here? Given that developers have been increasingly tasked with implementing security measures, including writing secure code and remediating vulnerabilities, it’s vital that they are trained to do so. But it has to be relevant, engaging training that will encourage participation.

2. It’s nearly impossible to have effective AppSec without integrating into developer workflows.

In the ESG survey, 43 percent of organizations agreed that DevOps integration is critical to improving application security (AppSec) programs. With the speed of development today, security tests that slow or block developers are simply not feasible. Lesson No. 2: AppSec should be integrated and automated. Integrating security measures into the CI/CD toolchain not only makes it easier for developers to run AppSec tests, but it also helps organizations discover security issues sooner, which speeds up time to deployment.

3. Open source code is pervasive, vulnerable, and typically not checked for security.

Our most recent State of Software Security (SOSS) report found that a typical Java application is made up of 97 percent open source and third-party libraries. In addition, our State of Software Security: Open Source Edition report published this year found that 70.5 percent of applications have a security flaw in an open source library. But, shockingly, the ESG report referenced above found that less than 50 percent of organizations scan their open source libraries for security. Why? It's not uncommon for application developers to assume that third-party libraries were already scanned for vulnerabilities by library developers. Unfortunately, you can't rely on library developers to keep your applications safe. The cybersmart practice is to scan third-party libraries on a regular basis.

4. You could be pulling in more open source code than you think.

Developers pull in one open source library, but that library is dependent on another library, which is dependent on another library, and so on. In fact, research for our State of Software Security: Open Source Edition report found that most applications have a large percentage of secondary (and tertiary, and more) dependencies.

Take a look at the image below taken from our Software Composition Analysis solution. The empty circle in the middle is your application, and all of the sections around it are different direct and indirect libraries. In this specific example, all of the colored sections are libraries containing vulnerabilities that affect the application either directly or indirectly. Bottom line: Get a handle on all the code that makes up your applications, even the open source code reaching your app indirectly.

Figure: software composition analysis

5. The majority of open source flaws are pulled into the code indirectly.

As mentioned above, flaws can be introduced into code directly by the application developer or indirectly by another library in use. And flaws introduced indirectly, through what are known as transitive dependencies, make up the majority of open source flaws. In fact, in our recent report, State of Software Security: Open Source Edition, we found that 70.5 percent of the applications had an open source flaw, and of those applications, 46.6 percent of the flaws were transitive, and 41.9 percent were direct (11.5 percent were both).

Figure: direct and transitive dependencies

Takeaway: You can have vulnerabilities lurking several layers deep; don't be complacent if you're just assessing the security of your direct dependencies.
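One way to make the direct/transitive/both distinction from lessons 4 and 5 concrete, as an added example that is not code from the report or from Veracode's Software Composition Analysis product: a walk over constructed dependency manifests (library names and advisory IDs are placeholders) that classifies each vulnerable library the way lesson 5 counts them, traces the chain that pulled it in, and produces a per-application breakdown in the report's shape.

```python
# Added example (not Veracode's SCA code): classify open source flaws as
# direct, transitive, or both, and trace how a transitive flaw got in.

# Constructed sample: what each application declares directly.
APP_DIRECT = {
    "billing-api": ["web-fw", "json-lib", "log-lib"],
    "report-ui": ["web-fw", "chart-lib"],
    "batch-job": ["csv-lib"],
}

# Constructed sample: what each library itself pulls in. Anything reached
# only through this table, not declared in APP_DIRECT, is transitive.
LIBRARY_DEPS = {
    "web-fw": ["http-core", "log-lib"],
    "http-core": ["codec-lib"],
    "chart-lib": ["json-lib"],
    "json-lib": [],
    "log-lib": [],
    "codec-lib": [],
    "csv-lib": [],
}

# Constructed advisory feed: placeholder IDs, not real CVEs.
VULNERABLE = {
    "log-lib": "PLACEHOLDER-ADV-0001",
    "codec-lib": "PLACEHOLDER-ADV-0002",
    "json-lib": "PLACEHOLDER-ADV-0003",
}


def classify_flaws(app, app_direct=APP_DIRECT, library_deps=LIBRARY_DEPS,
                   vulnerable=VULNERABLE):
    """{library: (kind, advisory)} for each vulnerable library the app ships;
    kind is "direct", "transitive", or "both" (declared directly AND pulled
    in again by another dependency, the 11.5 percent case in lesson 5)."""
    direct = set(app_direct[app])
    transitive, seen, stack = set(), set(), list(direct)
    while stack:
        lib = stack.pop()
        if lib in seen:             # tolerate diamonds and cycles
            continue
        seen.add(lib)
        for child in library_deps.get(lib, []):
            transitive.add(child)   # reached at depth >= 2
            stack.append(child)
    findings = {}
    for lib, advisory in vulnerable.items():
        if lib in direct and lib in transitive:
            kind = "both"
        elif lib in direct:
            kind = "direct"
        elif lib in transitive:
            kind = "transitive"
        else:
            continue                # not shipped by this application
        findings[lib] = (kind, advisory)
    return findings


def paths_to(app, target, app_direct=APP_DIRECT, library_deps=LIBRARY_DEPS):
    """Every chain from a declared dependency down to `target`; the first
    element is the direct dependency that must be upgraded or replaced."""
    chains = []

    def walk(lib, path):
        path = path + [lib]
        if lib == target:
            chains.append(path)
            return
        for child in library_deps.get(lib, []):
            if child not in path:   # do not loop on cyclic graphs
                walk(child, path)

    for lib in app_direct[app]:
        walk(lib, [])
    return chains


def summarize(app_direct=APP_DIRECT):
    """Per-application counts in the report's shape: apps with any open
    source flaw, and of those, how many carry transitive, direct, or both."""
    counts = {"apps": 0, "with_flaw": 0, "transitive": 0, "direct": 0, "both": 0}
    for app in app_direct:
        counts["apps"] += 1
        kinds = {k for k, _ in classify_flaws(app, app_direct=app_direct).values()}
        if not kinds:
            continue
        counts["with_flaw"] += 1
        has_t = bool(kinds & {"transitive", "both"})
        has_d = bool(kinds & {"direct", "both"})
        counts["transitive"] += int(has_t)
        counts["direct"] += int(has_d)
        counts["both"] += int(has_t and has_d)
    return counts


if __name__ == "__main__":
    for app in APP_DIRECT:
        for lib, (kind, advisory) in sorted(classify_flaws(app).items()):
            chains = " | ".join(" -> ".join(c) for c in paths_to(app, lib))
            print(f"{app}: {lib} [{kind}] {advisory} via {chains}")
    print(summarize())
```

In the sample, `billing-api` shows all three cases at once: `json-lib` is a direct flaw, `codec-lib` arrives two hops down through `web-fw`, and `log-lib` is both declared and pulled in again by `web-fw`, so fixing the declared version alone would not remove it.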

Learn more

#BeCyberSmart about application security, this month and every month. To learn more, watch this short video.


The post 5 Lessons About Software Security for Cybersecurity Awareness Month appeared first on Security Boulevard.


The post 5 Lessons About Software Security for Cybersecurity Awareness Month appeared first on Malware Devil.



https://malwaredevil.com/2020/10/08/5-lessons-about-software-security-for-cybersecurity-awareness-month/?utm_source=rss&utm_medium=rss&utm_campaign=5-lessons-about-software-security-for-cybersecurity-awareness-month

ESB-2020.3482 – [Cisco] Cisco Firepower Management Center: Multiple vulnerabilities


===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.3482
   Cisco Firepower Management Center Cross-Site Scripting Vulnerability
                              8 October 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco Firepower Management Center
Publisher:         Cisco Systems
Operating System:  Cisco
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account            
                   Cross-site Scripting            -- Remote with User Interaction
                   Access Confidential Data        -- Existing Account            
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-3320  

Original Bulletin: 
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-xss-yLrjqqU

- --------------------------BEGIN INCLUDED TEXT--------------------

Cisco Firepower Management Center Cross-Site Scripting Vulnerability

Priority:        Medium

Advisory ID:     cisco-sa-fmc-xss-yLrjqqU

First Published: 2020 October 7 16:00 GMT

Version 1.0:     Final

Workarounds:     No workarounds available

Cisco Bug IDs:   CSCvs72390

CVE-2020-3320    

CWE-79

CVSS Score:
5.4  AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:X/RL:X/RC:X

Summary

  o A vulnerability in the web-based management interface of Cisco Firepower
    Management Center could allow an authenticated, remote attacker to conduct
    a cross-site scripting (XSS) attack against a user of the web-based
    management interface of an affected device.
    The vulnerability is due to insufficient validation of user-supplied input
    by the web-based management interface of an affected device. An attacker
    could exploit this vulnerability by first entering input within the
    web-based management interface and then persuading a user of the interface
    to view the crafted input within the interface. A successful exploit could
    allow the attacker to execute arbitrary script code in the context of the
    affected interface or access sensitive, browser-based information.

    There are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-fmc-xss-yLrjqqU

Affected Products

  o Vulnerable Products

    At the time of publication, this vulnerability affected Cisco Firepower
    Management Center releases 6.6.1 and earlier.

    See the Details section in the bug ID(s) at the top of this advisory for
    the most complete and current information.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories page, to determine exposure and a complete
    upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Fixed Releases

    For information about fixed software releases, see the Details section in
    the bug ID(s) at the top of this advisory.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o Cisco would like to thank Giulio Comi for reporting this vulnerability.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

Related to This Advisory

  o Cross-Site Scripting

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-fmc-xss-yLrjqqU

Revision History

  o +----------+---------------------------+----------+--------+--------------+
    | Version  |        Description        | Section  | Status |     Date     |
    +----------+---------------------------+----------+--------+--------------+
    | 1.0      | Initial public release.   | -        | Final  | 2020-OCT-07  |
    +----------+---------------------------+----------+--------+--------------+

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================


The post ESB-2020.3482 – [Cisco] Cisco Firepower Management Center: Multiple vulnerabilities appeared first on Malware Devil.



https://malwaredevil.com/2020/10/08/esb-2020-3482-cisco-cisco-firepower-management-center-multiple-vulnerabilities/?utm_source=rss&utm_medium=rss&utm_campaign=esb-2020-3482-cisco-cisco-firepower-management-center-multiple-vulnerabilities

ESB-2020.3481 – [Cisco] Cisco Identity Services Engine: Multiple vulnerabilities


===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.3481
              Cisco Identity Services Engine Vulnerabilities
                              8 October 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco Identity Services Engine
Publisher:         Cisco Systems
Operating System:  Cisco
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account            
                   Modify Arbitrary Files          -- Existing Account            
                   Cross-site Scripting            -- Remote with User Interaction
                   Unauthorised Access             -- Existing Account            
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-3589 CVE-2020-3467 

Original Bulletin: 
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-xxs-mf5cbYx5
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-auth-bypass-uJWqLTZM

Comment: This bulletin contains two (2) Cisco Systems security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

Cisco Identity Services Engine Cross-Site Scripting Vulnerability

Priority:        Medium

Advisory ID:     cisco-sa-ise-xxs-mf5cbYx5

First Published: 2020 October 7 16:00 GMT

Version 1.0:     Final

Workarounds:     No workarounds available

Cisco Bug IDs:   CSCvu33884

CVE-2020-3589    

CWE-79

Summary

  o A vulnerability in the web-based management interface of Cisco Identity
    Services Engine (ISE) Software could allow an authenticated, remote
    attacker with administrative credentials to conduct a cross-site scripting
    (XSS) attack against a user of the interface.

    The vulnerability exists because the web-based management interface does
    not properly validate user-supplied input. An attacker could exploit this
    vulnerability by injecting malicious code into specific pages of the
    interface. A successful exploit could allow the attacker to execute
    arbitrary script code in the context of the interface or access sensitive,
    browser-based information. To exploit this vulnerability, an attacker would
    need to have valid administrative credentials.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-ise-xxs-mf5cbYx5

Affected Products

  o Vulnerable Products

    At the time of publication, this vulnerability affected the following
    releases of Cisco ISE Software:

       2.2p16 and earlier
       2.3p7 and earlier
       2.4p12 and earlier
       2.6p7 and earlier
       2.7p2 and earlier

    See the Details section in the bug ID(s) at the top of this advisory for
    the most complete and current information.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect Cisco ISE
    Software releases 3.0 and later.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories page, to determine exposure and a complete
    upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Fixed Releases

    At the time of publication, Cisco ISE Software releases 2.2p17 and 2.4p13
    contained the fix for this vulnerability.

    For information about other fixed software releases, see the Details
    section in the bug ID(s) at the top of this advisory.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during internal security testing.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

Related to This Advisory

  o Cross-Site Scripting

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-ise-xxs-mf5cbYx5

Revision History

  o +----------+---------------------------+----------+--------+--------------+
    | Version  |        Description        | Section  | Status |     Date     |
    +----------+---------------------------+----------+--------+--------------+
    | 1.0      | Initial public release.   | -        | Final  | 2020-OCT-07  |
    +----------+---------------------------+----------+--------+--------------+

- -------------------------------------------------------------------------------


Cisco Identity Services Engine Authorization Bypass Vulnerability

Priority:        High

Advisory ID:     cisco-sa-ise-auth-bypass-uJWqLTZM

First Published: 2020 October 7 16:00 GMT

Version 1.0:     Final

Workarounds:     No workarounds available

Cisco Bug IDs:   CSCvt44829

CVE-2020-3467    

CWE-863

CVSS Score:
7.7  AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in the web-based management interface of Cisco Identity
    Services Engine (ISE) could allow an authenticated, remote attacker to
    modify parts of the configuration on an affected device.

    The vulnerability is due to improper enforcement of role-based access
    control (RBAC) within the web-based management interface. An attacker could
    exploit this vulnerability by sending a crafted HTTP request to an affected
    device. A successful exploit could allow the attacker to modify parts of
    the configuration. The modified configuration could either allow
    unauthorized devices onto the network or prevent authorized devices from
    accessing the network. To exploit this vulnerability, an attacker would
    need valid Read-Only Administrator credentials.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-ise-auth-bypass-uJWqLTZM

Affected Products

  o Vulnerable Products

    This vulnerability affects vulnerable releases of Cisco ISE.

    For information about which Cisco software releases are vulnerable, see the
    Fixed Software section of this advisory.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories page, to determine exposure and a complete
    upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    Customers are advised to upgrade to an appropriate fixed software release
    as indicated in the following table:

    Cisco Identity Services Engine Release            First Fixed Release
    2.2 and earlier                                   Not vulnerable
    2.3                                               2.4 Patch13
    2.4                                               2.4 Patch13
    2.5                                               2.6 Patch7
    2.6                                               2.6 Patch7
    2.7                                               2.7 Patch2
    3.0                                               Not vulnerable

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o Cisco would like to thank Sebastian Halter of Deutsche Telekom AG for
    reporting this vulnerability.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-ise-auth-bypass-uJWqLTZM

Revision History

  o +----------+---------------------------+----------+--------+--------------+
    | Version  |        Description        | Section  | Status |     Date     |
    +----------+---------------------------+----------+--------+--------------+
    | 1.0      | Initial public release.   | -        | Final  | 2020-OCT-07  |
    +----------+---------------------------+----------+--------+--------------+

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================


The post ESB-2020.3481 – [Cisco] Cisco Identity Services Engine: Multiple vulnerabilities appeared first on Malware Devil.



https://malwaredevil.com/2020/10/08/esb-2020-3481-cisco-cisco-identity-services-engine-multiple-vulnerabilities/?utm_source=rss&utm_medium=rss&utm_campaign=esb-2020-3481-cisco-cisco-identity-services-engine-multiple-vulnerabilities

ESB-2020.3480 – [Cisco] Cisco Industrial Network Director: Denial of service – Existing account


===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.3480
     Cisco Industrial Network Director Denial of Service Vulnerability
                              8 October 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco Industrial Network Director
Publisher:         Cisco Systems
Operating System:  Cisco
Impact/Access:     Denial of Service -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-3567  

Original Bulletin: 
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ind-dos-BwG634zn

- --------------------------BEGIN INCLUDED TEXT--------------------

Cisco Industrial Network Director Denial of Service Vulnerability

Priority:        Medium

Advisory ID:     cisco-sa-ind-dos-BwG634zn

First Published: 2020 October 7 16:00 GMT

Version 1.0:     Final

Workarounds:     No workarounds available

Cisco Bug IDs:   CSCvu39803

CVE-2020-3567    

CWE-20

Summary

  o A vulnerability in the management REST API of Cisco Industrial Network
    Director (IND) could allow an authenticated, remote attacker to cause the
    CPU utilization to increase to 100 percent, resulting in a denial of
    service (DoS) condition on an affected device.

    The vulnerability is due to insufficient validation of requests sent to the
    REST API. An attacker could exploit this vulnerability by sending a crafted
    request to the REST API. A successful exploit could allow the attacker to
    cause a permanent DoS condition that is due to high CPU utilization. Manual
    intervention may be required to recover the Cisco IND.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-ind-dos-BwG634zn

Affected Products

  o Vulnerable Products

    At the time of publication, this vulnerability affected Cisco IND releases
    earlier than Release 1.9.0.

    See the Details section in the bug ID(s) at the top of this advisory for
    the most complete and current information.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories page, to determine exposure and a complete
    upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Fixed Releases

    At the time of publication, Cisco IND releases 1.9.0 and later contained
    the fix for this vulnerability.

    For information about fixed software releases, see the Details section in
    the bug ID(s) at the top of this advisory.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during internal security testing.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-ind-dos-BwG634zn

Revision History

  o +----------+---------------------------+----------+--------+--------------+
    | Version  |        Description        | Section  | Status |     Date     |
    +----------+---------------------------+----------+--------+--------------+
    | 1.0      | Initial public release.   | -        | Final  | 2020-OCT-07  |
    +----------+---------------------------+----------+--------+--------------+

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

The post ESB-2020.3480 – [Cisco] Cisco Industrial Network Director: Denial of service – Existing account appeared first on Malware Devil.

https://malwaredevil.com/2020/10/08/esb-2020-3480-cisco-cisco-industrial-network-director-denial-of-service-existing-account/?utm_source=rss&utm_medium=rss&utm_campaign=esb-2020-3480-cisco-cisco-industrial-network-director-denial-of-service-existing-account

ESB-2020.3478 – [Cisco] Cisco SD-WAN vManage Software: Multiple vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.3478
          Cisco SD-WAN vManage Cross-Site Scripting Vulnerability
                              8 October 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco SD-WAN vManage Software
Publisher:         Cisco Systems
Operating System:  Cisco
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Cross-site Scripting            -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-3536  

Original Bulletin: 
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-xss-xXeLFpC3

- --------------------------BEGIN INCLUDED TEXT--------------------

Cisco SD-WAN vManage Cross-Site Scripting Vulnerability

Priority:        Medium

Advisory ID:     cisco-sa-sdwan-xss-xXeLFpC3

First Published: 2020 October 7 16:00 GMT

Version 1.0:     Final

Workarounds:     No workarounds available

Cisco Bug IDs:   CSCvt77659

CVE-2020-3536    

CWE-79

CVSS Score:
6.4  AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N/E:X/RL:X/RC:X

Summary

  o A vulnerability in the web-based management interface of Cisco SD-WAN
    vManage Software could allow an authenticated, remote attacker to conduct a
    cross-site scripting (XSS) attack against a user of the interface.

    The vulnerability exists because the web-based management interface does
    not properly validate user-supplied input. An attacker could exploit this
    vulnerability by inserting malicious data into a specific data field in an
    affected interface. A successful exploit could allow the attacker to
    execute arbitrary script code in the context of the affected interface.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-sdwan-xss-xXeLFpC3

Affected Products

  o Vulnerable Products

    At the time of publication, this vulnerability affected Cisco vManage
    Software releases earlier than releases 20.1.2 and 20.3.1.

    See the Details section in the bug ID(s) at the top of this advisory for
    the most complete and current information.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories page, to determine exposure and a complete
    upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Fixed Releases

    At the time of publication, Cisco vManage Software releases 20.1.2 and
    later and releases 20.3.1 and later contained the fix for this
    vulnerability.

    See the Details section in the bug ID(s) at the top of this advisory for
    the most complete and current information.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during the resolution of a Cisco TAC support
    case.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

Related to This Advisory

  o Cross-Site Scripting

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-sdwan-xss-xXeLFpC3

Revision History

  o +----------+---------------------------+----------+--------+--------------+
    | Version  |        Description        | Section  | Status |     Date     |
    +----------+---------------------------+----------+--------+--------------+
    | 1.0      | Initial public release.   | -        | Final  | 2020-OCT-07  |
    +----------+---------------------------+----------+--------+--------------+

- --------------------------END INCLUDED TEXT--------------------


The post ESB-2020.3478 – [Cisco] Cisco SD-WAN vManage Software: Multiple vulnerabilities appeared first on Malware Devil.

https://malwaredevil.com/2020/10/08/esb-2020-3478-cisco-cisco-sd-wan-vmanage-software-multiple-vulnerabilities/?utm_source=rss&utm_medium=rss&utm_campaign=esb-2020-3478-cisco-cisco-sd-wan-vmanage-software-multiple-vulnerabilities

ESB-2020.3479 – [Cisco] Cisco Nexus Data Broker Software: Multiple vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.3479
       Cisco Nexus Data Broker Software Path Traversal Vulnerability
                              8 October 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco Nexus Data Broker Software
Publisher:         Cisco Systems
Operating System:  Cisco
Impact/Access:     Modify Arbitrary Files -- Remote with User Interaction
                   Unauthorised Access    -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-3597  

Original Bulletin: 
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ndb-path-traversal-wVDyXZPy

- --------------------------BEGIN INCLUDED TEXT--------------------

Cisco Nexus Data Broker Software Path Traversal Vulnerability

Priority:        Medium

Advisory ID:     cisco-sa-ndb-path-traversal-wVDyXZPy

First Published: 2020 October 7 16:00 GMT

Version 1.0:     Final

Workarounds:     No workarounds available

Cisco Bug IDs:   CSCvu98436

CVE-2020-3597    

CWE-23

Summary

  o A vulnerability in the configuration restore feature of Cisco Nexus Data
    Broker software could allow an unauthenticated, remote attacker to perform
    a directory traversal attack on an affected device.

    The vulnerability is due to insufficient validation of configuration backup
    files. An attacker could exploit this vulnerability by persuading an
    administrator to restore a crafted configuration backup file. A successful
    exploit could allow the attacker to overwrite arbitrary files that are
    accessible through the affected software on an affected device.

    There are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-ndb-path-traversal-wVDyXZPy
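    A defender-side illustration of the check the advisory says was insufficient,
    added here as an example that is not Cisco's code: before a restore routine
    writes any entry from a configuration backup, each entry's path is resolved
    against the restore directory and anything that would land outside it
    (absolute paths, ".." climbs, links) is rejected. The backup is assumed to be
    a plain tar archive and the restore directory name is made up; the real
    product's backup format is not described in the advisory.

```python
"""Reject configuration backups whose entries escape the restore root.

Added example, not Cisco code. The backup is assumed to be a plain tar
archive; the advisory does not describe the real product's format.
"""
import io
import os
import tarfile


def is_safe_member(member: tarfile.TarInfo, restore_root: str) -> bool:
    """True only if the member would be written strictly inside restore_root.

    Rejects symlinks/hardlinks (a later write could follow them out of the
    root), absolute names, and '..' components that climb above the root.
    """
    if member.issym() or member.islnk():
        return False
    root = os.path.realpath(restore_root)
    # os.path.join discards root when member.name is absolute, and realpath
    # collapses '..' components, so escapes show up as a different prefix.
    target = os.path.realpath(os.path.join(root, member.name))
    return target == root or target.startswith(root + os.sep)


def validate_backup(data: bytes, restore_root: str) -> list[str]:
    """Return the names of entries that would escape restore_root.

    An empty list means the archive passed validation and may be restored;
    a non-empty list means the whole backup should be refused, not partially
    applied.
    """
    rejected = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as archive:
        for member in archive.getmembers():
            if not is_safe_member(member, restore_root):
                rejected.append(member.name)
    return rejected


def build_backup(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory tar archive from name -> content (test fixture)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as archive:
        for name, content in entries.items():
            info = tarfile.TarInfo(name=name)   # name stored verbatim
            info.size = len(content)
            archive.addfile(info, io.BytesIO(content))
    return buf.getvalue()


# Constructed sample: one benign entry plus two traversal attempts.
SAMPLE_BACKUP = build_backup({
    "config/settings.json": b"{}",
    "../../etc/cron.d/evil": b"",
    "/etc/passwd": b"",
})

if __name__ == "__main__":
    print(validate_backup(SAMPLE_BACKUP, "/var/lib/ndb/restore"))
```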

Affected Products

  o Vulnerable Products

    At the time of publication, this vulnerability affected Cisco Nexus Data
    Broker releases 3.9(0) and earlier.

    See the Details section in the bug ID(s) at the top of this advisory for
    the most complete and current information.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories page, to determine exposure and a complete
    upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Fixed Releases

    For information about fixed software releases, see the Details section in
    the bug ID(s) at the top of this advisory.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o Cisco would like to thank Lukasz Wierzbicki for reporting this
    vulnerability.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-ndb-path-traversal-wVDyXZPy

Revision History

  o +----------+---------------------------+----------+--------+--------------+
    | Version  |        Description        | Section  | Status |     Date     |
    +----------+---------------------------+----------+--------+--------------+
    | 1.0      | Initial public release.   | -        | Final  | 2020-OCT-07  |
    +----------+---------------------------+----------+--------+--------------+

- --------------------------END INCLUDED TEXT--------------------


The post ESB-2020.3479 – [Cisco] Cisco Nexus Data Broker Software: Multiple vulnerabilities appeared first on Malware Devil.

https://malwaredevil.com/2020/10/08/esb-2020-3479-cisco-cisco-nexus-data-broker-software-multiple-vulnerabilities/?utm_source=rss&utm_medium=rss&utm_campaign=esb-2020-3479-cisco-cisco-nexus-data-broker-software-multiple-vulnerabilities

Barbary Pirates and Russian Cybercrime

In 1801, the United States had a small Navy. Thomas Jefferson deployed almost half that Navy—three frigates and a schooner—to the Barbary C...