Introducing 'Secure Access Service Edge'

The industry’s latest buzzword is largely a repackaging exercise that bundles a collection of capabilities together and offers them as a cloud-delivered service.
Source: DarkReading

Cybersecurity's Lament: There are No Cooks in Space

Cybersecurity staff are on edge for the same reason that there are no cooks on the ISS: Organizations are carefully watching expenses for jobs that don’t require dedicated team members.
Source: DarkReading

CVE-2020-15518

VeeamFSR.sys in Veeam Availability Suite before 10 and Veeam Backup & Replication before 10 has no device object DACL, which allows unprivileged users to achieve total control over filesystem I/O requests.
Source: NIST

V Shred Exposes Pics and PII on 100,000 Customers

Nearly 100,000 customers have had their sensitive personal data and revealing photos exposed online after a US-based fitness company misconfigured an Amazon database.


Las Vegas-headquartered V Shred left the S3 bucket containing over 1.3 million individual files publicly accessible, according to vpnMentor.


The research team discovered the leak on May 14 but it took a whole month for the company to disable access to the offending files. Initially, V Shred apparently claimed it was necessary for user files to be publicly available and denied that any PII data had been exposed. Once informed, it removed the PII but said it was leaving the other files publicly accessible, according to vpnMentor.


The 606GB trove contained three CSV files with PII on over 96,000 users, featuring full names, home and email addresses, phone numbers, birth dates, social security numbers, social media accounts, usernames and passwords, health conditions and more.


The database also contained meal plans, profile photos and “before and after” body photos for some customers, as well as details on 52 trainers, according to the report.


“Using the PII data exposed through the S3 bucket, malicious hackers and cyber-criminals could create very effective phishing campaigns targeting V Shred customers,” vpnMentor claimed.


“If the CSV files contained the social security numbers of any individuals, this would be a goldmine for cyber-criminals. They could utilize such information for a wide range of fraud and wholesale identity theft.”


Users could also be blackmailed with threats to release their before and after photos, it added.


The firm discovered V Shred’s misconfigured S3 bucket as part of a broader web mapping project which has already revealed multiple leaks, exposing hundreds of millions of sensitive records.


These include fitness tech firm Kinomap which accidentally leaked 42 million records, sports retailer Decathlon, which leaked 123 million, and a British printing company which may have exposed military secrets.


Source: Infosecurity

GoldenSpy Uninstaller Appears Out of Nowhere

A mysterious uninstaller has been discovered in malware-laden tax software required for download by firms doing business in China, according to Trustwave.


The security vendor explained last week how it discovered a backdoor it named GoldenSpy inside Intelligent Tax software, produced by the Golden Tax Department of Aisino Corporation. A Chinese bank requires its business clients to download the software.


The security vendor claimed at the time that the powerful backdoor, which allowed for complete remote control of a victim’s network, could not be removed, even if Intelligent Tax was uninstalled.


However, after attracting widespread publicity, the backdoor has now been joined by a new file, discovered by Trustwave’s Threat Fusion team.


“This new sample’s sole mission is to delete GoldenSpy and remove any trace it existed. Including the deletion of registry entries, all files and folders (including the GoldenSpy log file), and finally, the uninstaller deletes itself,” explained the firm’s VP of cyber-threat detection and response, Brian Hussey.


“This GoldenSpy uninstaller will automatically download and execute, and effectively, will negate the direct threat of GoldenSpy in your environment. However, as the deployment of this uninstaller is delivered directly from the supposedly legitimate tax software, this has to leave users of Intelligent Tax concerned about what else could be downloaded and executed in a similar manner.”


It’s still unclear who seeded the original malware in the tax software. It could either have been done without the knowledge of the bank, or is part of a much wider conspiracy designed to monitor foreign firms doing business in the Middle Kingdom.


The swift appearance of an uninstaller would seem to favor the latter theory, as it’s unlikely that cyber-criminals would care if they were found out.


“Organizations must continuously be vigilant, always threat hunting, because our adversaries will continue to find new ways to trick, manipulate and socially engineer their way into environments,” Hussey argued.


“The value of the GoldenSpy case study is not the IOCs we provided, it’s the lesson that malware can be cleverly hidden in any software, regardless of its source or supposed legitimacy.”


Source: Infosecurity

Global Dating App Users Exposed in Multiple Security Snafus

Security researchers have discovered five dating apps in the US and East Asia which are leaking millions of customer records thanks to misconfigured cloud databases.


A team from WizCase led by Avishai Efrat explained that the Elasticsearch servers, MongoDB databases and AWS buckets they found were left publicly accessible with no password.


In the US, an Amazon bucket traced to CatholicSingles was found to be leaking a 17MB database of 50,000 records including names, email addresses, billing addresses, phone numbers, age, gender, occupation and education.


Another dating site hosted in the US, Yestiki, leaked around 4300 records (352MB) including phone numbers, names, addresses and GPS location data of date venues, as well as user ratings, activity logs and Foursquare secret key IDs.


Next up is SPYKX.com, the South Korean company behind the Congdaq/Kongdak dating app. It was found leaking 123,000 records (600MB) via an unprotected Elasticsearch server, including emails, cleartext passwords, phone numbers, dates of birth, gender, education and GPS data.


Also in South Korea, dating app Blurry exposed 70,000 user records (3667MB) via an Elasticsearch server, including private messages sent between users – some of which contained sensitive information like social media handles and phone numbers.


Finally, Japanese dating apps Charin and Kyuun, which appear to be owned by the same company, leaked over 100 million records via the same unsecured Elasticsearch database sitting on an AWS EC2 server.


Compromised user information included email addresses and passwords, both hashed and cleartext, user IDs, mobile device information and dating preferences such as distance and age, according to WizCase.


The researchers also found an additional six exposed servers packed with dating app user information but couldn’t identify the owner, although WizCase said they may be the product of a web scraping operation. Data from users of Zhenai, Say Love, Netease, Love Chat and Companion were found.


It’s unclear whether any of the companies WizCase contacted has addressed the configuration errors, but the firm warned users of potential follow-on identity fraud, phishing, blackmail and privacy risks.


Back in September last year, the same research team was able to access a database of around 77,000 users of Heyyo, a Turkey-based online dating service.


Source: Infosecurity

CVE-2019-20419

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to execute arbitrary code via a DLL hijacking vulnerability in Tomcat. The affected versions are before version 8.5.5, and from version 8.6.0 before 8.7.2.
Source: NIST

CVE-2020-14172

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to achieve template injection via the Web Resources Manager. The affected versions are before version 8.8.1.
Source: NIST

CVE-2020-14173

The file upload feature in Atlassian Jira Server and Data Center in affected versions allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability. The affected versions are before version 8.5.4, from version 8.6.0 before 8.6.2, and from version 8.7.0 before 8.7.1.
Source: NIST

CVE-2019-20418

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to prevent users from accessing the instance via an Application Denial of Service vulnerability in the /rendering/wiki endpoint. The affected versions are before version 8.8.0.
Source: NIST