Cyber Security Headlines – March 28, 2022

Critical Sophos Firewall vulnerability allows remote code execution

Sophos has fixed a critical vulnerability in its Sophos Firewall product that allowed remote code execution and carried a CVSS score of 9.8. The flaw allowed a remote attacker to bypass authentication in the Firewall’s User Portal or Webadmin interface and execute arbitrary code. It was reported to Sophos by an unnamed external security researcher through the company’s bug bounty program. Sophos has released hotfixes that should reach most instances automatically, provided the automatic hotfix installation setting has not been turned off; administrators who have disabled it need to apply the fix themselves.

(Bleeping Computer)

Okta: “We made a mistake” delaying the Lapsus$ hack disclosure

A bad week for Okta, which is admitting publicly that it “made a mistake [in] delaying the disclosure of [the] hack from the Lapsus$ data extortion group that took place in January.” The company has since released a timeline of the incident and of its investigation. The hack itself originated at Sitel, Okta’s third-party provider of customer support services. In admitting its mistake, Okta says it is ultimately responsible for contracted service providers like Sitel. Okta claims that “in January it wasn’t aware of the extent of the incident which, the company believed, was limited to an unsuccessful account takeover attempt targeting a Sitel support engineer.”

(Bleeping Computer)

CISA adds 66 new flaws to the Known Exploited Vulnerabilities Catalog

Under Binding Operational Directive (BOD) 22-01, “Reducing the Significant Risk of Known Exploited Vulnerabilities,” Federal Civilian Executive Branch agencies have to address the identified vulnerabilities by April 15, 2022 to protect their networks against attacks exploiting the flaws in the catalog. Experts recommend that private organizations also review the catalog and address the vulnerabilities in their infrastructure. “The oldest flaws in the set of 66 recently added issues are dated back to 2005, while the newest ones have a 2022 CVE date.”

(Security Affairs)

Google issues emergency fix for Chrome zero-day

This high-severity security issue is described as a type confusion bug in the V8 JavaScript and WebAssembly engine. The bug was reported by an anonymous researcher, and Google has yet to determine the bug bounty amount. Google notes in its advisory that it is aware an exploit for this bug exists in the wild, but provided no details on the vulnerability or on the observed exploitation. A patch is included in Chrome 99.0.4844.84, which is now rolling out for Windows, Mac and Linux users. This is not the same zero-day bug that we reported here on Friday as being exploited by North Korean threat actors.

(Security Affairs)

Thanks to our episode sponsor, Varonis

On average, an employee can access 17 million files on day one. Varonis will show you where critical data is vulnerable, detect anomalies, and automatically right-size privileges to get you to “Zero Trust.” Their data security platform can test your ransomware readiness and show you where you stack up. Learn more at www.varonis.com/cisoseries.

Kaspersky added to FCC list that bans Huawei, ZTE from US networks

The security company is now listed as one that poses “an unacceptable risk to the national security of the United States.” The decision puts Kaspersky in the same class as Chinese telecom makers Huawei and ZTE, which were added to the list in 2021. The agency noted, in a public notice issued Friday, that “the Kaspersky decision is based on a 2017 ruling by the Department of Homeland Security (DHS), which banned the company’s products and services from U.S. government use.” Kaspersky, for its part, states that such charges are unsubstantiated and suggests the ban has more to do with the current “geopolitical climate.”

(Cyberscoop)

Hackers remotely start, unlock Honda Civics with $300 tech

A key fob hijack issue affecting some Honda vehicles manufactured between 2016 and 2020 is, according to The Register, “a demonstration that auto manufacturers haven’t adapted their technology to keep up with known threats.” The weakness was discovered by a student at the University of Massachusetts Dartmouth. According to the research, “various Honda vehicles send the same, unencrypted RF signal for each door-open, door-close, trunk-open and remote start. This allows for an attacker to eavesdrop on the request and conduct a replay attack.” The established defence is a rolling code: each press carries a fresh counter value authenticated by the fob’s key, so a frame captured earlier is rejected when it is retransmitted.

(The Register)
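To make the replay concrete, here is an added illustration (not the UMass Dartmouth research and not Honda’s design) that reduces the radio layer to the bytes a receiver sees. A fixed-code fob sends the same frame for a given button every time, so a captured frame replayed by an attacker is indistinguishable from the owner’s press. The rolling-code variant is a generic scheme chosen for the example: a 4-byte counter and the command byte, authenticated with HMAC-SHA256 under a key shared by fob and car (the key `DEMO_KEY` and the acceptance window are constructed values).

```python
"""Replay against a fixed-code fob versus a rolling-code fob (added example)."""
import hashlib
import hmac
from typing import Optional, Tuple

COMMANDS = {0x01: "unlock", 0x02: "lock", 0x03: "trunk", 0x04: "remote_start"}
COMMAND_BYTES = {name: b for b, name in COMMANDS.items()}
DEMO_KEY = bytes(range(32))  # constructed shared secret for the example only


class FixedCodeFob:
    """Transmits an identical frame for a given command every press (the reported weakness)."""

    def __init__(self, fob_id: bytes):
        self.fob_id = fob_id

    def press(self, command: str) -> bytes:
        return self.fob_id + bytes([COMMAND_BYTES[command]])


class FixedCodeReceiver:
    """Accepts any frame whose static payload matches; cannot tell a replay from a press."""

    def __init__(self, fob_id: bytes):
        self.fob_id = fob_id

    def receive(self, frame: bytes) -> Optional[str]:
        if frame[:-1] != self.fob_id:
            return None
        return COMMANDS.get(frame[-1])


class RollingCodeFob:
    """Frame = 4-byte counter || command byte || HMAC-SHA256(key, counter || command)."""

    def __init__(self, key: bytes, counter: int = 0):
        self.key = key
        self.counter = counter

    def press(self, command: str) -> bytes:
        self.counter += 1  # never reused, so every frame is unique
        body = self.counter.to_bytes(4, "big") + bytes([COMMAND_BYTES[command]])
        return body + hmac.new(self.key, body, hashlib.sha256).digest()


class RollingCodeReceiver:
    """Accepts a frame only if the MAC verifies and the counter is newer than the last one seen."""

    WINDOW = 16  # presses made out of range that the car will still honour (constructed value)

    def __init__(self, key: bytes, counter: int = 0):
        self.key = key
        self.last_counter = counter

    def receive(self, frame: bytes) -> Optional[str]:
        if len(frame) != 5 + 32:
            return None
        body, tag = frame[:5], frame[5:]
        if not hmac.compare_digest(tag, hmac.new(self.key, body, hashlib.sha256).digest()):
            return None  # forged or corrupted frame
        counter = int.from_bytes(body[:4], "big")
        if not (self.last_counter < counter <= self.last_counter + self.WINDOW):
            return None  # stale (replayed) or implausibly far ahead
        self.last_counter = counter
        return COMMANDS.get(body[4])


def replay(fob, receiver, command: str) -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """Owner presses once, attacker retransmits the captured frame, owner presses again.
    Returns the three outcomes as the car sees them."""
    captured = fob.press(command)
    owner = receiver.receive(captured)
    attacker = receiver.receive(captured)  # byte-for-byte replay of the eavesdropped frame
    owner_again = receiver.receive(fob.press(command))
    return owner, attacker, owner_again


if __name__ == "__main__":
    fob_id = b"\xde\xad\xbe\xef"  # constructed identifier
    print("fixed code  :", replay(FixedCodeFob(fob_id), FixedCodeReceiver(fob_id), "unlock"))
    print("rolling code:", replay(RollingCodeFob(DEMO_KEY), RollingCodeReceiver(DEMO_KEY), "unlock"))
```

With the fixed code the attacker’s replay unlocks the car; with the rolling code the replay is rejected because its counter is no longer newer than the receiver’s, while the owner’s next genuine press still works. The window check matters in practice: without it, a fob pressed a few times out of range would desynchronise from the car.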

‘Precursor malware’ infection may be a sign you’re about to get ransomware

Lumu Technologies founder and CEO Ricardo Villadiego suggests that “precursor malware,” essentially reconnaissance malicious code, lays the groundwork for a full ransomware campaign to come. Companies that can find and remediate that precursor malware can ward off the ransomware attack, he says. He bases his statements on a study of more than 2,000 companies that Lumu monitors, in which every ransomware attack was preceded by other malware paving the way. Lumu collects information from sources such as DNS queries, network flows, access logs, firewalls and proxies, and correlates the data to identify whether any asset is trying to contact adversarial infrastructure. “A better way to operate,” he says, “is by assuming you’re compromised and let your network prove otherwise.”

(The Register)
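The correlation step described above, as an added example that is not Lumu’s code: two constructed log sources (a resolver query log and a proxy access log) are parsed into a common event shape, each destination is matched against a constructed indicator set of known-bad domains and addresses, and hits are grouped by asset so a host that resolved a bad name and then connected to a bad address shows up once with both events. All hostnames and addresses are reserved documentation values (example.net, example.org, example.com, 203.0.113.0/24, 198.51.100.0/24), not real adversary infrastructure.

```python
"""Correlate DNS and proxy logs against known-bad infrastructure, grouped by asset (added example)."""
import re
from collections import defaultdict
from typing import Dict, Iterator, List, Optional, Tuple
from urllib.parse import urlparse

# Constructed indicator set: documentation-only names and addresses.
BAD_DOMAINS = {"update.example.net", "cdn.example.org"}
BAD_IPS = {"203.0.113.7"}

# Constructed log lines. Asset 10.0.0.5 resolves a bad name, then connects to a bad IP.
DNS_LOG = """\
2022-03-25T09:12:01Z client 10.0.0.5 query A update.example.net
2022-03-25T09:12:03Z client 10.0.0.5 query A www.example.com
2022-03-25T09:14:11Z client 10.0.0.9 query A cdn.example.org
"""
PROXY_LOG = """\
2022-03-25T09:12:02Z 10.0.0.5 CONNECT 203.0.113.7:443 200
2022-03-25T09:13:40Z 10.0.0.12 GET http://www.example.com/ 200
2022-03-25T09:14:12Z 10.0.0.9 CONNECT 198.51.100.4:443 200
"""

DNS_RE = re.compile(r"^(\S+) client (\S+) query \S+ (\S+)$")
PROXY_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) \d+$")

Event = Tuple[str, str, str, str]  # (timestamp, asset, log source, destination host)


def parse_dns(text: str) -> Iterator[Event]:
    """Yield one event per resolver log line; the queried name is the destination."""
    for line in text.splitlines():
        m = DNS_RE.match(line)
        if m:
            ts, src, qname = m.groups()
            yield ts, src, "dns", qname.rstrip(".").lower()


def parse_proxy(text: str) -> Iterator[Event]:
    """Yield one event per proxy log line; CONNECT targets are host:port, others are URLs."""
    for line in text.splitlines():
        m = PROXY_RE.match(line)
        if not m:
            continue
        ts, src, method, target = m.groups()
        if method == "CONNECT":
            host = target.rsplit(":", 1)[0]
        else:
            host = urlparse(target).hostname or ""
        yield ts, src, "proxy", host.lower()


def matches_indicator(host: str) -> Optional[str]:
    """Return the indicator a destination matches, or None. Subdomains of a bad domain count."""
    if host in BAD_IPS:
        return host
    for domain in BAD_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def correlate(events: List[Event]) -> Dict[str, List[Tuple[str, str, str, str]]]:
    """Group indicator hits by asset so each host's contacts with bad infrastructure are seen together."""
    hits = defaultdict(list)
    for ts, src, source, host in events:
        indicator = matches_indicator(host)
        if indicator:
            hits[src].append((ts, source, host, indicator))
    return {asset: sorted(h) for asset, h in hits.items()}  # sorted: timestamps are ISO 8601


def flagged_assets(dns_log: str = DNS_LOG, proxy_log: str = PROXY_LOG):
    return correlate(list(parse_dns(dns_log)) + list(parse_proxy(proxy_log)))


if __name__ == "__main__":
    for asset, hits in flagged_assets().items():
        print(asset)
        for ts, source, host, indicator in hits:
            print(f"  {ts} {source:5} {host} -> matches {indicator}")
```

Running it flags 10.0.0.5 twice (the DNS query and the CONNECT one second later) and 10.0.0.9 once; 10.0.0.12, which only visited a benign site, is not listed. The suffix match in `matches_indicator` is the detail worth keeping: attacker infrastructure is usually keyed by a registrable domain, and an exact-match list would miss `a.update.example.net`.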

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.