News

• Sysrv-K Botnet Targets Windows, Linux
• FBI: Hackers Used Malicious PHP Code To Grab Credit Card Data
• iPhones Vulnerable To Attack Even When Turned Off
• Don't Accidentally Hire A North Korean Hacker, FBI Warns
• Ransomware Gang Hacks Costa Rica, Asks Residents To Overthrow The Government
• Google Assuring Open Source Code To Secure Software Supply Chains
• Zyxel Remote Execution Bug Is Being Exploited
• Microsoft's May Patch Tuesday Updates Cause Windows AD Authentication Errors
• Twitter Turns Its Privacy Policy Into An Old School Video Game
• Ex-eBay Exec Admits Cyberstalking Critics
• San Francisco Police Use Driverless Cars For Surveillance
• EU Governments, Lawmakers Agree On Tougher Cybersecurity Rules For Key Sectors
• Threat Actors Use Telegram To Spread Eternity Malware-As-A-Service
• Ransomware Operators Send Their Ransom Note To The Victim's Printer
• Malware Builder Leverages Discord Webhooks
• Zyxel Silently Patches Command Injection Vulnerability With 9.8 Severity Rating
• Hackers Are Exploiting WordPress Tools To Hawk Scams
• Turmoil In Crypto Market As Stablecoin Tether Breaks Dollar Peg
• Novel Nerbian Trojan Uses Advanced Anti-Detection Tricks
• Ukraine War: Don't Underestimate Russia Cyber Threat, Warns US
• APT Gang Sidewinder Goes On Two Year Attack Spree Across Asia
• Ransomware The Final Nail In Coffin For Small University
• Intel Memory Bug Poses Risk For Hundreds Of Products
• Russia Fails To Recover RuTube Access On Third Day Of Outage
• Western Governments Accuse Russia Of Hacking US Satellite Internet Provider

• Getting to Know the CIS Benchmarks Tue, 17 May 2022 08:00:00 Z
  There are many ways for you to get involved in the development process of the CIS Benchmarks and to use a Benchmark's security recommendations.

Looking Glass Cyber

Malware Patrol

• InfoSec Articles (04/25/2022 – 05/09/2022)
• InfoSec Articles (04/11/2022 – 04/25/2022)

SecList

• Evaluation of cyber activities and the threat landscape in Ukraine
  With this article, our core aim is to share a threat landscape overview, which Kaspersky cybersecurity researchers are observing in relation to the conflict, with the wider international community and thus to contribute to broader ongoing cyber-stability discussions of threat-related insights.

securingtomorrow.mcafee.com

• What’s a Parent to Do? Closing the Protection Gap between You and Your Children.
• Life Behind the Screens of Parents, Tweens, and Teens: McAfee’s Connected Family Study
• How To Secure Your Online Life? Find Your Protection Score!
• Stay on top of your online security with our Protection Score
• Introducing Personal Data Cleanup
• $625 Million Stolen in Latest Crypto Attack: 5 Tips on How to Use Digital Currency Safely
• What Are Browser Cookies and How Do I Manage Them?
• What the FBI Wants You to Know About the Latest Phishing Scheme
• Three Years of Pay Parity: Lessons in Maintaining Equality
• Smarter Homes & Gardens: Protecting the Smart Devices in Your Home
• Cold Wallets, Hot Wallets: The Basics of Storing Your Crypto Securely

Quick Heal

• Beware – Banking Trojans using enhanced techniques to spread malware.
• Critical Zero-Day “Log4Shell” Vulnerability “CVE-2021-44228” Exploited in the Wild
• Update Security Certificate to Install Quick Heal Product Successfully
• Caution! Beware of the Fake WhatsApp Mother’s Day Scam.
• Introduction of DNS tunneling and how attackers use it.
• Worried about your mobile security? Here’s how to secure your device and enhance performance
• Spring4Shell: Zero-Day vulnerability CVE-2022-22965 in Spring Framework
• Stay Alert of Facebook Credential Stealer Applications Stealing User’s Credentials.
• CVE-2021-44228: New Apache Log4j ‘Log4Shell’ Zero-Day Being Exploited in the Wild
• Anydesk Software Exploited to Spread Babuk Ransomware

Threat Post

• Sysrv-K Botnet Targets Windows, Linux
• iPhones Vulnerable to Attack Even When Turned Off
• Microsoft’s May Patch Tuesday Updates Cause Windows AD Authentication Errors
• Threat Actors Use Telegram to Spread ‘Eternity’ Malware-as-a-Service
• Malware Builder Leverages Discord Webhooks
• You Can’t Eliminate Cyberattacks, So Focus on Reducing the Blast Radius
• Novel ‘Nerbian’ Trojan Uses Advanced Anti-Detection Tricks
• Intel Memory Bug Poses Risk for Hundreds of Products
• Novel Phishing Trick Uses Weird Links to Bypass Spam Filters
• Actively Exploited Zero-Day Bug Patched by Microsoft

Naked Security

• Apple patches zero-day kernel hole and much more – update now!
• Firefox out-of-band update to 100.0.1 – just in time for Pwn2Own?
• He sold cracked passwords for a living – now he’s serving 4 years in prison
• S3 Ep82: Bugs, bugs, bugs (and Colonial Pipeline again) [Podcast]
• Serious Security: Learning from curl’s latest bug update
• Colonial Pipeline facing $1,000,000 fine for poor recovery plans
• RubyGems supply chain rip-and-replace bug fixed – check your logs!
• You didn’t leave enough space between ROSE and AND, and AND and CROWN
• S3 Ep81: Passwords (still with us!), Github, Firefox at 100, and network worms [Podcast]
• World Password Day – the 1960s just called and gave you your passwords back

Security Affairs

• Venezuelan cardiologist accused of operating and selling Thanos ransomware
• Over 200 Apps on Play Store were distributing Facestealer info-stealer
• CISA adds CVE-2022-30525 flaw in Zyxel Firewalls to its Known Exploited Vulnerabilities Catalog
• A custom PowerShell RAT uses to target German users using Ukraine crisis as bait
• Apple fixes the sixth zero-day since the beginning of 2022
• Experts show how to run malware on chips of a turned-off iPhone
• Ukrainian national sentenced to 4 years in prison for selling access to hacked servers
• Eternity Project: You can pay $260 for a stealer and $490 for a ransomware
• May 08 – May 14 Ukraine – Russia the silent cyber conflict
• Security Affairs newsletter Round 365 by Pierluigi Paganini

Security Awareness Tips of the week

Exploits

• Trojan-Ransom.Thanos MVID-2022-0607 Code Execution
• SDT-CW3B1 1.1.0 Command Injection
• Online Discussion Forum Site 1.0 SQL Injection
• Showdoc 2.10.3 Cross Site Scripting
• OpenCart So Listing Tabs 2.2.0 Unsafe Deserialization
• T-Soft E-Commerce 4 SQL Injection
• T-Soft E-Commerce 4 Cross Site Scripting
• Survey Sparrow Enterprise Survey Software 2022 Cross Site Scripting
• SolarView Compact 6.0 Command Injection
• Zyxel Firewall ZTP Unauthenticated Command Injection
• Chrome 100 extensions::ExtensionApiFrameIdMap::GetFrameId Heap Use-After-Free
• IpMatcher 1.0.4.1 Server-Side Request Forgery
• Ransom.Conti MVID-2022-0606 Code Execution
• Zyxel Remote Command Execution
• Ransom.Conti MVID-2022-0605 Code Execution
• WordPress WP Event Manager 3.1.27 Cross Site Scripting
• Ransom.Conti MVID-2022-0604 Code Execution
• HighCMS/HighPortal 12.x SQL Injection
• Ransom.Conti MVID-2022-0603 Code Execution
• Ransom.Conti MVID-2022-0602 Code Execution
• Ransom.Conti MVID-2022-0601 Code Execution
• Konica Minolta bizhub MFP Printer Terminal Sandbox Escape
• Ransom.REvil MVID-2022-0600 Code Execution
• Ransom.REvil MVID-2022-0599 Code Execution
• Ransom.REvil MVID-2022-0598 Code Execution

• [webapps] Showdoc 2.10.3 - Stored Cross-Site Scripting (XSS)
• [remote] SolarView Compact 6.0 - OS Command Injection
• [webapps] T-Soft E-Commerce 4 - SQLi (Authenticated)
• [webapps] T-Soft E-Commerce 4 - 'UrunAdi' Stored Cross-Site Scripting (XSS)
• [webapps] Survey Sparrow Enterprise Survey Software 2022 - Stored Cross-Site Scripting (XSS)
• [remote] SDT-CW3B1 1.1.0 - OS Command Injection
• [webapps] TLR-2005KSH - Arbitrary File Delete
• [webapps] Royal Event Management System 1.0 - 'todate' SQL Injection (Authenticated)
• [webapps] College Management System 1.0 - 'course_code' SQL Injection (Authenticated)
• [remote] F5 BIG-IP 16.0.x - Remote Code Execution (RCE)
• [webapps] TLR-2005KSH - Arbitrary File Upload
• [remote] Ruijie Reyee Mesh Router - Remote Code Execution (RCE) (Authenticated)
• [webapps] WordPress Plugin stafflist 3.1.2 - SQLi (Authenticated)
• [webapps] Joomla Plugin SexyPolling 2.1.7 - SQLi
• [webapps] WordPress Plugin Blue Admin 21.06.01 - Cross-Site Request Forgery (CSRF)
• [webapps] MyBB 1.8.29 - MyBB 1.8.29 - Remote Code Execution (RCE) (Authenticated)
• [webapps] Beehive Forum - Account Takeover
• [webapps] PHProjekt PhpSimplyGest v1.3. - Stored Cross-Site Scripting (XSS)
• [webapps] Navigate CMS 2.9.4 - Server-Side Request Forgery (SSRF) (Authenticated)
• [webapps] Explore CMS 1.0 - SQL Injection
• [remote] DLINK DAP-1620 A1 v1.01 - Directory Traversal
• [remote] PyScript - Read Remote Python Source Code
• [remote] Google Chrome 78.0.3904.70 - Remote Code Execution
• [remote] Tenda HG6 v3.3.0 - Remote Command Injection
• [webapps] Anuko Time Tracker - SQLi (Authenticated)
• [remote] Apache CouchDB 3.2.1 - Remote Code Execution (RCE)
• [remote] Wondershare Dr.Fone 12.0.7 - Remote Code Execution (RCE)
• [local] Wondershare Dr.Fone 12.0.7 - Privilege Escalation (ElevationService)
• [local] ExifTool 12.23 - Arbitrary Code Execution
• [webapps] e107 CMS v3.2.1 - Multiple Vulnerabilities
• [webapps] Cyclos 4.14.7 - 'groupId' DOM Based Cross-Site Scripting (XSS)
• [webapps] Cyclos 4.14.7 - DOM Based Cross-Site Scripting (XSS)
• [remote] DLINK DIR850 - Open Redirect
• [remote] DLINK DIR850 - Insecure Access Control
• [remote] Prime95 Version 30.7 build 9 - Remote Code Execution (RCE)
• [remote] ManageEngine ADSelfService Plus Build 6118 - NTLMv2 Hash Exposure
• [local] Wondershare Dr.Fone 11.4.10 - Insecure File Permissions
• [local] TCQ - ITeCProteccioAppServer.exe - Unquoted Service Path
• [local] UDisk Monitor Z5 Phone - 'MonServiceUDisk.exe' Unquoted Service Path
• [remote] SAP BusinessObjects Intelligence 4.3 - XML External Entity (XXE)
• [webapps] CSZ CMS 1.3.0 - 'Multiple' Blind SQLi
• [webapps] Bitrix24 - Remote Code Execution (RCE) (Authenticated)
• [remote] Bookeen Notea - Directory Traversal
• [webapps] Magento eCommerce CE v2.3.5-p2 - Blind SQLi
• [webapps] WordPress Plugin Advanced Uploader 4.2 - Arbitrary File Upload (Authenticated)
• [remote] USR IOT 4G LTE Industrial Cellular VPN Router 1.0.36 - Remote Root Backdoor

Last 20 Website Defacements - Zone-h

• http://montealto.sp.gov.br/kurdz.txt
• https://is-mp.nuvem.gov.br/authenticationendpoint/psy.html
• https://api.prodam.sp.gov.br/authenticationendpoint/psy.html
• https://idmtest.secretariajuridica.gov.co//authenticationendpoint/psy.txt
• https://is-admin-mp.nuvem.gov.br/authenticationendpoint/dock.html
• https://is-mp.dev.nuvem.gov.br//authenticationendpoint/dock.html
• https://identity.nise.gov.bd/authenticationendpoint/dock.html
• https://simwas-2021.pekalongankab.go.id/.well-known/
• https://cascading.pekalongankab.go.id/.well-known/a.php
• https://simdalev.pekalongankab.go.id/.well-known/
• https://perdin.bappedalitbang.pekalongankab.go.id/.well-known/
• http://www.eskum.pn-simpangtigaredelong.go.id/readme.txt
• https://facra.mep.gov.ao/.well-known/
• http://www.secti.al.gov.br/images/cyz.txt
• http://pa-bengkulukota.go.id/images/cyz.txt
• http://www1.eaaay.gov.co/images/cyz.txt
• http://intranet.sme.fortaleza.ce.gov.br/images/cyz.txt
• http://www.cidg.pnp.gov.ph/images/cyz.txt
• https://www.labor.gov.lb/iq.txt
• https://contraloria.bcs.gob.mx/Freak.html

Advisories

Symantec Packet Stoem Security

• Ubuntu Security Notice USN-5427-1 Tue, 17 May 2022 17:25:51 GMT
  Ubuntu Security Notice 5427-1 - Muqing Liu and neoni discovered that Apport incorrectly handled detecting if an executable was replaced after a crash. A local attacker could possibly use this issue to execute arbitrary code as the root user. Gerrit Venema discovered that Apport incorrectly handled connections to Apport sockets inside containers. A local attacker could possibly use this issue to connect to arbitrary sockets as the root user.
• Ubuntu Security Notice USN-5426-1 Tue, 17 May 2022 17:25:44 GMT
  Ubuntu Security Notice 5426-1 - Jakub Wilk discovered that needrestart incorrectly used some regular expressions. A local attacker could possibly use this issue to execute arbitrary code.
• Ubuntu Security Notice USN-5425-1 Tue, 17 May 2022 17:25:20 GMT
  Ubuntu Security Notice 5425-1 - Yunho Kim discovered that PCRE incorrectly handled memory when handling certain regular expressions. An attacker could possibly use this issue to cause applications using PCRE to expose sensitive information. This issue only affects Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 21.10 and Ubuntu 22.04 LTS. It was discovered that PCRE incorrectly handled memory when handling certain regular expressions. An attacker could possibly use this issue to cause applications using PCRE to have unexpected behavior. This issue only affects Ubuntu 14.04 ESM, Ubuntu 16.04 ESM, Ubuntu 18.04 LTS and Ubuntu 20.04 LTS.
• Apple Security Advisory 2022-05-16-8 Tue, 17 May 2022 17:18:31 GMT
  Apple Security Advisory 2022-05-16-8 - Xcode 13.4 addresses a logic issue and a privilege escalation issue.
• Ubuntu Security Notice USN-5424-1 Tue, 17 May 2022 17:14:57 GMT
  Ubuntu Security Notice 5424-1 - It was discovered that OpenLDAP incorrectly handled certain SQL statements within LDAP queries in the experimental back-sql backend. A remote attacker could possibly use this issue to perform an SQL injection attack and alter the database.
• Ubuntu Security Notice USN-5423-1 Tue, 17 May 2022 17:12:26 GMT
  Ubuntu Security Notice 5423-1 - Michał Dardas discovered that ClamAV incorrectly handled parsing CHM files. A remote attacker could possibly use this issue to cause ClamAV to stop responding, resulting in a denial of service. Michał Dardas discovered that ClamAV incorrectly handled parsing TIFF files. A remote attacker could possibly use this issue to cause ClamAV to stop responding, resulting in a denial of service. Michał Dardas discovered that ClamAV incorrectly handled parsing HTML files. A remote attacker could possibly use this issue to cause ClamAV to consume resources, resulting in a denial of service.
• Ubuntu Security Notice USN-5311-2 Tue, 17 May 2022 17:07:22 GMT
  Ubuntu Security Notice 5311-2 - USN-5311-1 released updates for contained. Unfortunately, a subsequent update reverted the fix for thisCVE by mistake. This update corrects the problem. It was discovered that containerd allows attackers to gain access to read- only copies of arbitrary files and directories on the host via a specially- crafted image configuration. An attacker could possibly use this issue to obtain sensitive information.
• Apple Security Advisory 2022-05-16-7 Tue, 17 May 2022 17:07:04 GMT
  Apple Security Advisory 2022-05-16-7 - Safari 15.5 addresses code execution and use-after-free vulnerabilities.
• Apple Security Advisory 2022-05-16-6 Tue, 17 May 2022 17:06:48 GMT
  Apple Security Advisory 2022-05-16-6 - tvOS 15.5 addresses bypass, code execution, integer overflow, out of bounds access, out of bounds write, and use-after-free vulnerabilities.
• Apple Security Advisory 2022-05-16-5 Tue, 17 May 2022 17:06:32 GMT
  Apple Security Advisory 2022-05-16-5 - watchOS 8.6 addresses bypass, code execution, integer overflow, out of bounds access, out of bounds write, and use-after-free vulnerabilities.
• WordPress Tatsu Builder Remote Code Execution Tue, 17 May 2022 17:02:14 GMT
  WordPress Tatsu Builder plugin versions prior to 3.3.13 suffer from an unauthenticated remote code execution vulnerability.
• Apple Security Advisory 2022-05-16-4 Tue, 17 May 2022 16:59:55 GMT
  Apple Security Advisory 2022-05-16-4 - Security Update 2022-004 Catalina addresses bypass, code execution, denial of service, integer overflow, out of bounds access, out of bounds read, out of bounds write, and use-after-free vulnerabilities.
• Apple Security Advisory 2022-05-16-3 Tue, 17 May 2022 16:59:42 GMT
  Apple Security Advisory 2022-05-16-3 - macOS Big Sur 11.6.6 addresses bypass, code execution, denial of service, out of bounds access, out of bounds read, out of bounds write, and use-after-free vulnerabilities.
• Apple Security Advisory 2022-05-16-2 Tue, 17 May 2022 16:58:15 GMT
  Apple Security Advisory 2022-05-16-2 - macOS Monterey 12.4 addresses buffer overflow, bypass, code execution, denial of service, integer overflow, out of bounds access, out of bounds read, out of bounds write, and use-after-free vulnerabilities.
• Apple Security Advisory 2022-05-16-1 Tue, 17 May 2022 16:57:57 GMT
  Apple Security Advisory 2022-05-16-1 - iOS 15.5 and iPadOS 15.5 addresses bypass, code execution, denial of service, integer overflow, out of bounds access, out of bounds write, and use-after-free vulnerabilities.
• Ubuntu Security Notice USN-5422-1 Tue, 17 May 2022 16:57:29 GMT
  Ubuntu Security Notice 5422-1 - Shinji Sato discovered that libxml2 incorrectly handled certain XML files. An attacker could possibly use this issue to cause a crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 14.04 ESM, and Ubuntu 16.04 ESM. It was discovered that libxml2 incorrectly handled certain XML files. An attacker could possibly use this issue to cause a crash or execute arbitrary code.
• Ubuntu Security Notice USN-5421-1 Mon, 16 May 2022 14:16:31 GMT
  Ubuntu Security Notice 5421-1 - It was discovered that LibTIFF incorrectly handled certain images. An attacker could possibly use this issue to cause a crash, resulting in a denial of service. This issue only affects Ubuntu 14.04 ESM, Ubuntu 16.04 ESM, Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. Chintan Shah discovered that LibTIFF incorrectly handled memory when handling certain images. An attacker could possibly use this issue to cause a crash, resulting in a denial of service, or possibly execute arbitrary code.
• Red Hat Security Advisory 2022-2253-01 Mon, 16 May 2022 14:16:11 GMT
  Red Hat Security Advisory 2022-2253-01 - The pcs packages provide a command-line configuration system for the Pacemaker and Corosync utilities. Issues addressed include a traversal vulnerability.
• Red Hat Security Advisory 2022-2256-01 Mon, 16 May 2022 13:59:19 GMT
  Red Hat Security Advisory 2022-2256-01 - The pcs packages provide a command-line configuration system for the Pacemaker and Corosync utilities. Issues addressed include a traversal vulnerability.
• Red Hat Security Advisory 2022-2255-01 Mon, 16 May 2022 13:55:34 GMT
  Red Hat Security Advisory 2022-2255-01 - The pcs packages provide a command-line configuration system for the Pacemaker and Corosync utilities. Issues addressed include a traversal vulnerability.
• Red Hat Security Advisory 2022-2236-01 Fri, 13 May 2022 16:05:30 GMT
  Red Hat Security Advisory 2022-2236-01 - Subversion is a concurrent version control system which enables one or more users to collaborate in developing and maintaining a hierarchy of files and directories while keeping a history of all changes.
• Red Hat Security Advisory 2022-1699-01 Fri, 13 May 2022 16:05:21 GMT
  Red Hat Security Advisory 2022-1699-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.7.50.
• Ubuntu Security Notice USN-5419-1 Fri, 13 May 2022 16:05:08 GMT
  Ubuntu Security Notice 5419-1 - It was discovered that Rsyslog improperly handled certain invalid input. An attacker could use this issue to cause Rsyslog to crash.
• Ubuntu Security Notice USN-5420-1 Fri, 13 May 2022 16:04:39 GMT
  Ubuntu Security Notice 5420-1 - It was discovered that Vorbis incorrectly handled certain files. An attacker could possibly use this issue to cause a denial of service, or possibly execute arbitrary code.
• Red Hat Security Advisory 2022-2234-01 Thu, 12 May 2022 16:35:42 GMT
  Red Hat Security Advisory 2022-2234-01 - Subversion is a concurrent version control system which enables one or more users to collaborate in developing and maintaining a hierarchy of files and directories while keeping a history of all changes.