MOST HACKING EVENTS

COSMOS BANK HACKED CASE:

Interpol has issued a red corner notice against a prime suspect in the alleged Rs 94-crore malware attack on Cosmos Cooperative Bank, which has its headquarters in Pune. One of the key accused in the case has been traced to a foreign country, police said.
Deputy Commissioner of Police (Cyber and Economic Offences Wing) Sambhaji Kadam said, “Once the suspect was identified and there was credible information about his location in a foreign country, we sought a non-bailable warrant against him. Subsequently, a request for a red corner notice was processed through nodal agencies, which is the CID (Criminal Investigation Department) in Maharashtra and CBI (Central Bureau of Investigation) for India. After Interpol verified the request, a red corner notice was issued against the suspect on August 18.”
In one of the biggest cyber attacks on an Indian bank, several cloned debit cards of Cosmos Bank were used for thousands of ATM transactions from India and 28 other countries in a period of seven hours on August 11, 2018.


Dual vulnerability combo in popular CMS Joomla could lead to full system compromise



John Leyden 08 June 2021 at 14:43 UTC
Patch finally issued following difficult triage and disclosure process
Security researchers have revealed the details of two vulnerabilities in Joomla – the popular content management system – which, if chained together, could be used to achieve full system compromise.
The two vulnerabilities – a password reset vulnerability and a stored cross-site scripting (XSS) flaw – were both discovered by security researchers at Fortbridge and responsibly disclosed to Joomla’s developers in February and March, respectively.
After some delays, Joomla released a patch for the XSS vulnerability with version 3.9.27 of the CMS (released in May 2021). The (arguably less serious) password reset vulnerability will be resolved with a “trusted_hosts” configuration, Joomla’s developers told Fortbridge.
Combination attack
The two vulnerabilities in Joomla were both high severity and “when chained together they allow an attacker to take over a Joomla website completely”, Fortbridge’s Adrian Tiron told The Daily Swig.
“Once the attacker has full access to the Joomla website, [they] can upload a php shell which will allow [them] to execute commands on the server,” Tiron warned.


The first vulnerability allows the attacker to reset an administrator’s password.
Tiron explained: “The attacker triggers the password reset process and can manipulate the password reset link to point to the attacker’s server where [they will] capture the victim’s token and reset [their] password once the victim clicks on the link, or the link is fetched by some AV/EDR [anti-virus/ endpoint detection and response] scanning solution.
“Once the attacker was able to reset the admin’s password and obtained admin privileges, [they] use the second vulnerability, a stored XSS, to target the ‘Super Admin’ user.”
By escalating privileges to ‘Super Admin’, an attacker can gain full access and the ability to run a remote code execution (RCE) attack against a vulnerable Joomla CMS, Fortbridge warns.
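The Host-header trick Tiron describes, shown as an added example in PHP. This is not Fortbridge’s proof of concept and not Joomla’s code: the function names, the route and query parameters, and the `trusted_hosts` array (standing in for the configuration Joomla’s developers proposed) are all assumptions made for illustration. The vulnerable version builds the reset link from `$_SERVER['HTTP_HOST']`; the hardened version only compares the request’s Host header against an allowlist and builds the link from the configured canonical host.

```php
<?php
declare(strict_types=1);

// Added example, not Joomla's or Fortbridge's code. Route and parameter names
// are illustrative; $trustedHosts is a hypothetical "trusted_hosts" setting.

// Vulnerable: the link's origin is copied from the request's Host header, which
// the client (here, the attacker) chooses freely. SERVER_NAME is no safer when
// the web server derives it from the same header.
function buildResetLinkVulnerable(array $server, string $token): string
{
    $scheme = (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') ? 'https' : 'http';
    $host   = $server['HTTP_HOST'] ?? $server['SERVER_NAME'] ?? 'localhost';
    return sprintf('%s://%s/index.php?option=com_users&view=reset&token=%s',
        $scheme, $host, rawurlencode($token));
}

// Hardened: the Host header is only validated against the allowlist; the link
// itself is built from the configured canonical host, so no request data
// reaches the URL that gets emailed to the victim.
function buildResetLinkHardened(array $server, string $token, array $trustedHosts): string
{
    $requestHost = strtolower($server['HTTP_HOST'] ?? '');
    $requestHost = (string) preg_replace('/:\d+$/', '', $requestHost); // drop ":port" before comparing
    if (!in_array($requestHost, $trustedHosts, true)) {
        throw new RuntimeException('Host header not in trusted_hosts: ' . $requestHost);
    }
    return sprintf('https://%s/index.php?option=com_users&view=reset&token=%s',
        $trustedHosts[0], rawurlencode($token));
}

$trustedHosts = ['joomla.example'];     // constructed configuration
$token = bin2hex(random_bytes(16));     // stands in for the reset token stored for the admin

// Constructed request: the attacker requests a reset for the admin's account
// but sends "Host: attacker.example".
$forged = ['HTTP_HOST' => 'attacker.example', 'SERVER_NAME' => 'attacker.example', 'HTTPS' => 'on'];

// The vulnerable builder embeds the forged host, so whoever follows the emailed
// link (the admin, or a link-fetching AV/EDR) delivers the token to the attacker.
echo buildResetLinkVulnerable($forged, $token), PHP_EOL;

// The hardened builder refuses the forged request outright.
try {
    buildResetLinkHardened($forged, $token, $trustedHosts);
} catch (RuntimeException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}

// A request carrying the genuine Host header yields a link on the real site.
$genuine = ['HTTP_HOST' => 'joomla.example', 'HTTPS' => 'on'];
echo buildResetLinkHardened($genuine, $token, $trustedHosts), PHP_EOL;
```

Run it with `php reset_link.php`. The check is deliberately done on a normalised host with any port stripped, because a Host header such as `joomla.example:443` would otherwise fail a strict string comparison; the list itself is lower-case hostnames without ports.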
The root cause of the second flaw is that Joomla’s developers used a blocklist to block extensions, but forgot to block .html, according to Fortbridge.
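How a blocklist with a missing entry lets an HTML file through, next to the allowlist Tiron recommends later in the piece, as an added example in PHP. The two functions and the sample filenames are constructed for illustration; this is not Joomla’s media-manager code, and the blocklist contents are a guess at the kind of list described, not a copy of Joomla’s.

```php
<?php
declare(strict_types=1);

// Added example, not Joomla's code. Contrasts a blocklist of dangerous
// extensions (which, as the article says, can miss .html) with an allowlist.

// Blocklist: rejects known server-side extensions, but an .html upload passes
// and is later served to another user with whatever <script> it carries.
function uploadAllowedByBlocklist(string $filename): bool
{
    $blocked = ['php', 'phtml', 'php3', 'php4', 'php5', 'phps', 'phar', 'js', 'exe', 'sh'];
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return !in_array($ext, $blocked, true);
}

// Allowlist: only the image types the feature needs are accepted, and every
// dotted part after the base name must be on the list, so "shell.php.jpg" and
// dotfiles such as ".htaccess" fail too. SVG is absent on purpose: it can
// carry script, which is exactly the stored-XSS problem being avoided.
function uploadAllowedByAllowlist(string $filename): bool
{
    $allowed = ['jpg', 'jpeg', 'png', 'gif', 'webp'];
    $parts = explode('.', strtolower(basename($filename)));
    if (count($parts) < 2 || $parts[0] === '') {
        return false;                 // no extension, or a dotfile
    }
    array_shift($parts);              // drop the base name, keep every extension
    foreach ($parts as $ext) {
        if (!in_array($ext, $allowed, true)) {
            return false;
        }
    }
    return true;
}

// Constructed filenames of the kind an attacker would try against an uploader.
$samples = ['photo.jpg', 'shell.php', 'xss.html', 'shell.php.jpg', 'logo.svg', '.htaccess'];
printf("%-16s %-10s %s\n", 'filename', 'blocklist', 'allowlist');
foreach ($samples as $name) {
    printf("%-16s %-10s %s\n", $name,
        uploadAllowedByBlocklist($name) ? 'accept' : 'reject',
        uploadAllowedByAllowlist($name) ? 'accept' : 'reject');
}
```

Run it with `php upload_check.php` and compare the two columns for `xss.html`: the blocklist has no entry for it, the allowlist never had to know about it. Extension checks are only one layer; uploads should also be served with `X-Content-Type-Options: nosniff` and, ideally, from an origin that carries no session cookies, so that a file which does slip through cannot run in the site’s context.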
Wider lessons
Fortbridge published a detailed technical write-up of its findings this week. Related proof-of-concept code was posted on GitHub.
The Daily Swig invited Joomla to comment on these findings but we’re yet to hear back. We’ll update this story as and when more information comes to hand.
Joomla is one of the most popular CMS platforms with more than 1.5 million installations worldwide. Fortbridge came across the bugs it discovered in the platform during a penetration testing exercise.
Beyond the significance of the findings in their own right they offer lessons to other developers, according to Fortbridge’s Tiron.
For one thing, the stored XSS flaw would have been preventable through the use of allowlists rather than blocklists. Secondly, avoid building password reset links from $_SERVER['HTTP_HOST'] / $_SERVER['SERVER_NAME'], because these “variables are actually user input”, Tiron advised.



GitHub changes policy to welcome security researchers
07 June 2021
GitHub has updated its policy on malware and exploit research to make the platform more accommodating to vulnerability hunters.
The policy changes mean that dual-use security research and collaboration on GitHub is explicitly permitted.
GitHub has retained the ability to disrupt any attempts to abuse its platform in active exploit or malware delivery campaigns.
What this means in practice is that posting proof of concept exploits or vulnerabilities will be permitted and even encouraged by GitHub, but that this permission will be pulled in the event of any malfeasance.


If code hosted on GitHub causes downtime, denial of service, or data loss then the offending code will be pulled. The same policy will apply to any active malware slinging or exploit abusing campaign.
GitHub has introduced an appeals and reinstatement process to handle any disputes. The coders’ hangout wants security researchers to include their contact information in the optional SECURITY.md file so that concerned parties can attempt to resolve disputes prior to escalating and reporting any suspected abuse to GitHub.
GitHub’s policy changes, announced on Friday, follow weeks of consultations with the community, launched in April.
Ray Walsh, a digital privacy expert at ProPrivacy, told The Daily Swig that GitHub's policy update on exploits, malware, and vulnerability research is "intended to clarify existing policies rather than to introduce new ones".
"The community informed policy changes help to do away with gray areas and confusion surrounding the hosting of code that might have previously been considered infringing," Walsh explained.
"GitHub has now further clarified that 'dual use' technologies instrumental to security practices, such as penetration testing, are considered crucial enough to be hosted on the platform."
Walsh concluded: "Open-source tools that can potentially be leveraged for nefarious purposes often have valid use cases, and it is great to see GitHub working with the community to clarify why and when code can be hosted – and how appeals can be made if content believed to have beneficial applications has been unnecessarily or unfairly restricted."

