Jenkins discloses dozens of zero-day bugs in multiple plugins
Thursday saw the Jenkins security team unveiling 34 security flaws affecting 29 plugins within the Jenkins open-source automation server. Among these vulnerabilities, 29 are zero-day issues awaiting resolution. The severity of these zero-days spans from mild to severe, as per their CVSS base scores. Jenkins’ data indicates that these affected plugins collectively boast over 22,000 installations. The catalogue of unaddressed vulnerabilities encompasses XSS, Stored XSS, Cross-Site Request Forgery (CSRF) vulnerabilities, inadequate permission checks, and the storage of passwords, secrets, API keys, and tokens in plaintext. Shodan data reveals that there are presently over 144,000 Jenkins servers exposed on the internet, potentially susceptible to attacks if equipped with unpatched plugins.
Rogue HackerOne employee steals bug reports to sell on the side
According to the company’s statement on Friday, the deceitful employee reached out to approximately six HackerOne clients and earned rewards for “several disclosures.” On June 22nd, HackerOne addressed a client’s concern regarding a dubious vulnerability report received from an individual using the alias “rzlr” via a non-official communication channel. The client had observed that a similar security issue had previously been reported through HackerOne’s platform. The fraudulent staff member received rewards for certain reports they submitted, enabling HackerOne to track the financial transactions and identify the culprit as one of its employees responsible for evaluating vulnerability reports across multiple client programs.
Patchable and preventable security issues lead causes of Q1 attacks
In the first quarter of 2022, a striking 82% of attacks on organizations stemmed from the exposure of known vulnerabilities in their external-facing perimeter or attack surface. These unaddressed vulnerabilities far outweighed breach-related financial losses attributed to human error, which constituted 18% of incidents. Tetra Defense’s quarterly report highlights a significant surge in cyberattacks targeting United States organizations from January to March 2022. The report underscores the importance of employee security practices, pointing out that a lack of multi-factor authentication (MFA) measures and compromised credentials remain prominent factors in attacks against organizations.
Raspberry Robin Windows worm has already infected hundreds of organizations
Discovered by cybersecurity researchers from Red Canary, Raspberry Robin is a Windows worm that propagates through removable USB devices. It uses Windows Installer to reach out to QNAP-associated domains and download a malicious DLL. The malware uses TOR exit nodes as a backup C2 infrastructure. The malware was first spotted in September 2021, with Red Canary experts observing it targeting organizations in the technology and manufacturing industries. BleepingComputer reported that Microsoft warned its customers via a private threat intelligence advisory sent to Microsoft Defender for Endpoint subscribers.
Thanks to today’s episode sponsor, Votiro

British Army social media accounts hijacked
On Sunday, the Twitter and YouTube accounts of the British army fell victim to a malicious third party, who exploited them to steer visitors towards cryptocurrency scams. The Ministry of Defence (MoD) press office Twitter account alerted the public to the breach around 7 pm local time, and four hours later, an update confirmed the resolution of the issue. The hackers utilized the compromised accounts to share numerous promotional links leading to various crypto and NFT scams, often featuring live stream videos with well-known figures such as Elon Musk and Jack Dorsey. Santander, a prominent lending institution, highlights this tactic as a rapidly growing trend within the cryptocurrency scam domain.
UK signs deal to share police biometric database with US border guards
As per a member of the European Parliament’s Committee on Civil Liberties, Justice, and Home Affairs (LIBE), discussions were held this week with representatives from the US Department of Homeland Security on an informal basis regarding plans under the Enhanced Border Security Partnership (EBSP). The EBSP aims to enhance the capability of the US Department of Homeland Security in identifying threats through the sharing of biometric information. Israel joined this agreement in March. Members of the LIBE committee disclosed that they have learned that the UK, along with three unspecified EU member states, had already agreed to reinstate US visa requirements, allowing access to police biometric databases.
FBI adds CryptoQueen to top ten most wanted
Ruja Ignatova, a Bulgarian individual believed to be in her forties, is sought for her alleged involvement in operating a cryptocurrency Ponzi scheme named OneCoin. Federal investigators allege that the fugitive orchestrated the scheme to deceive victims, resulting in losses exceeding $4 billion. Ignatova has been unreachable since 2017, following the issuance of an arrest warrant by US authorities and the tightening of the investigation around her. In 2014, OneCoin emerged as a purported cryptocurrency, offering incentives to sellers for recruiting additional buyers. However, FBI agents assert that OneCoin held no value and lacked the security provided by blockchain technology, a cornerstone of legitimate cryptocurrencies. For those intrigued by this narrative, the BBC’s podcast division presents a 10-episode series titled “The Missing Cryptoqueen.”
(BBC News)