Experts released PoC exploit code for critical bug CVE-2022-40684 in Fortinet productsSecurity Affairs


Experts released the PoC exploit code for the authentication bypass flaw CVE-2022-40684 in FortiGate firewalls and FortiProxy web proxies.

A proof-of-concept (PoC) exploit code for the authentication bypass vulnerability CVE-2022-40684 (CVSS score: 9.6) in FortiGate firewalls and FortiProxy web proxies has been released online.

The vulnerability impacts FortiOS versions from 7.0.0 to 7.0.6 and from 7.2.0 to 7.2.1. FortiProxy versions from 7.0.0 to 7.0.6 and 7.2.0 are also impacted.

The cybersecurity firm addressed the flaw with the release of FortiOS/FortiProxy versions 7.0.7 or 7.2.2. The company also provided a workaround for those who can’t immediately deploy security updates.

An attacker can exploit the vulnerability to log into vulnerable devices.

“An authentication bypass using an alternate path or channel [CWE-88] in FortiOS and FortiProxy may allow an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests,” reads the advisory issued by the company PSIRT.

The company urges customers of addressing this critical vulnerability immediately due to the risk of remote exploitation of the flaw. The public availability of the PoC exploit code can fuel a wave of attacks targeting Fortinet devices.

The bad news is that the vendor confirmed this week that the critical vulnerability is being exploited in the wild.

An authentication bypass using an alternate path or channel [CWE-88] in FortiOS and FortiProxy may allow an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests,” reads the advisory issued by the company PSIRT.

“Fortinet is aware of an instance where this vulnerability was exploited, and recommends immediately validating your systems against the following indicator of compromise in the device’s logs: user=”Local_Process_Access.””

Researchers at the Horizon3 Attack Team have released a proof-of-concept (PoC) exploit code for the vulnerability.

“FortiOS exposes a management web portal that allows a user to configure the system,” reads the post published by Horizon3.ai. “Additionally, a user can SSH into the system which exposes a locked down CLI interface.”

The researchers demonstrated the vulnerability using FortiOS version 7.2.1, below are the necessary conditions of a request for exploiting the issue:

  1. Using the Fowarded header an attacker is able to set the client_ip to  “127.0.0.1”.
  2. The “trusted access” authentication check verifies that the client_ip is “127.0.0.1” and the User-Agent is “Report Runner” both of which are under attacker control.

“Any HTTP requests to the management interface of the system that match the conditions above should be cause for concern. An attacker can use this vulnerability to do just about anything they want to the vulnerable system. This includes changing network configurations, adding new users, and initiating packet captures.” continues the post.

Experts pointed out that there are other ways to exploit this vulnerability and there may be other sets of conditions that work. This means that threat actors could develop their own exploit and use it in attacks in the wild, for this reason, it is essential to address the flaw immediately.

Researchers at Threat intelligence firm GreyNoise have already reported attacks attempting to exploit the issue. The attacks originated from 12 unique IP addresses, most of them located in Germany, followed by the US, Brazil, China, and France.

CVE-2022-40684 Grey Noise

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, CVE-2022-40684)








Source link

Local insurance company Perri-Rae Boell & Associates helping support small businesses


Local insurance company Perri-Rae Boell & Associates helping support small businesses | 104.9 Pembroke Today















Skip to Content

listen live

Home

Accessibility





Source link

11 Best Designed Websites of 2022 – Forbes Advisor


The websites above have vastly distinct designs, but they each follow some fundamental principles of good website design, namely: clarity. Not every website has to use a minimalist design, but they should all offer clear, uncluttered information for the visitor.

When a visitor lands on your home page, they should find two basic things: what you do and what you want them to do, says Stefan Davis, owner and principal designer of Stefan Davis Design, which offers website and other design services for campaigns and nonprofit organizations.

“Whatever your goal is, pick a call to action that gets you to that goal,” Davis said. “[Include] one section that tells [the visitor], what will this website do for you? What kind of information are we giving the reader? And what do we want them to do?”

Davis recommends these key elements of good website design:

  • Consistency in colors. Limit your color palette for graphic elements to five colors: one white, one black and three colors that are consistent with your brand.
  • Consistent fonts and sizes. Use fonts that match your brand guide if you have one. Choose a single size and weight for header fonts and one for body fonts. Too much variety makes the site look cluttered.
  • Use a lot of photos, especially images of people. Davis recommends the home page be 50/50 images and text to avoid overwhelming the visitor with a wall of text.
  • Uncluttered. Avoid too much text, and don’t pack multiple CTAs or too much information into one section.
  • Include a single CTA on the home page to give the reader clear direction.

A designer and developer can add bells and whistles to help your site stand out, but you can achieve a professional and useful website experience without a ton of technical know-how or a big budget by following these basic principles. Davis notes that drag-and-drop website builders such as Squarespace and Wix are intentionally set up for non-coders, while WordPress is a better fit if you want to heavily customize.



Source link

WIP19, a new Chinese APT targets IT Service Providers and TelcosSecurity Affairs


Chinese-speaking threat actor, tracked as WIP19, is targeting telecommunications and IT service providers in the Middle East and Asia.

SentinelOne researchers uncovered a new threat cluster, tracked as WIP19, which has been targeting telecommunications and IT service providers in the Middle East and Asia.

The experts believe the group operated for cyber espionage purposes and is a Chinese-speaking threat group.

The researchers pointed out that the cluster has some overlap with Operation Shadow Force, but uses new malware and different techniques.

The activity of the group is characterized by the usage of a legitimate, stolen digital certificate issued by a company called DEEPSoft, that was used to sign malicious code in an attempt to avoid detection.

“Almost all operations performed by the threat actor were completed in a “hands-on keyboard” fashion, during an interactive session with compromised machines. This meant the attacker gave up on a stable C2 channel in exchange for stealth.” reads the report published by SentinelOne.

“Our analysis of the backdoors utilized, in conjunction with pivoting on the certificate, suggest portions of the components used by WIP19 were authored by WinEggDrop, a well-known Chinese-speaking malware author who has created tools for a variety of groups and has been active since 2014.”

The researchers noticed that portions of the malicious components used by WIP19 were developed by a Chinese-speaking group tracked as WinEggDrop, who has been active since 2014.

WIP19 also seems to be linked to the Operation Shadow Force group due to similarities in the use of malicious artifact developed by WinEggDrop and tactical overlaps.

“As the toolset itself appears to be shared among several actors, it is unclear whether this is a new iteration of operation “Shadow Force” or simply a different actor utilizing similar TTPs.” continues the report. “The activity we observed, however, represents a more mature actor, utilizing new malware and techniques.”

The researchers linked an implant dubbed “SQLMaggie”, recently described by DCSO CyTec, to this activity.

WIP19

The threat actors employed multiple tools in their attacks, including ìa credential dumper, network scanner, browser stealer, keystroke logger and screen recorder (ScreenCap).

SQLMaggie is used to compromise Microsoft SQL servers and leverage the access to run arbitrary commands via SQL queries.

Experts reported instances of the SQLMaggie implant in 285 servers spread across 42 countries, most of them in South Korea, India, Vietnam, China.

The experts have no doubts about the attackers’ motivation, another China-linked threat actor is gathering intelligence with this operation.

“WIP19 is an example of the greater breadth of Chinese espionage activity experienced in critical infrastructure industries,” SentineOne concludes.

“The existence of reliable quartermasters and common developers enables a landscape of hard-to-identify threat groups that are using similar tooling, making threat clusters difficult to distinguish from the defenders point of view.”

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, China)








Source link

TikTok Music could change the game


There has been talk for some time now of TikTok parent ByteDance launching a music streaming service in Western markets. It already has Resso in Indonesia, India, and Brazil, but has spiked interest recently with trademark registrations, new Twitter accounts, and reports that ‘more than a dozen’ new markets are being prepped. TikTok has become one of the central forces in the digital music market ecosystem, eroding the cultural capital of traditional streaming services. It is a logical leap to assume that if TikTok becomes a key force in music discovery, it could do the same for consumption. While this is certainly the case, ByteDance’s streaming opportunity is a whole lot bigger and more disruptive than Resso:

TikTok Music: Resso is a perfectly decent streaming service, but similarly to YouTube Music, it only scratches the surface of what it could be. Both TikTok and YouTube have unique content, behaviour, features, and culture that stand in stark contrast to standard streaming. It is difficult to translate much of this because of licensing constraints but doing so should be the priority for both TikTok and YouTube. This will drive differentiation and help the industry carve out genuine new growth pockets rather than just unearthing the remnants of the addressable base for standard streaming. Of even more relevance to the music business, unless rightsholders can empower ByteDance’s streaming offering with something truly different, is the risk that its growth will largely comprise of switching Spotify subscribers. The music business needs the maturing streaming market to be about growth, not substitution. Perhaps TikTok Music Twitter profiles point to something bigger and bolder than Resso.

Discovery is consumption: People used to discover music on the radio and then go and buy it. That model has been turned upside down. Now, people (younger audiences in particular) discover most of their new music on TikTok or YouTube before going to radio-like streaming services to consume it. What is more, much of the ‘discovery’ that happens on TikTok is consumption. It is not just consumption either, it is consumption that streaming cannot replicate. This is before even considering the importance of ‘lean through’ creative behaviour, such as doing a duet or a dance challenge to your favourite artist’s new track. Music is the soundtrack and often the catalyst to this ‘consumption’, but when that music is listened to on streaming, it is stripped of all that creative and cultural context – It is like only listening to the soundtrack of a movie. Movie soundtracks do well as formats, but they only exist because of the movies as that is where the real value lies. All of this is why a TikTok Music service could be so exciting as it could provide both the creative and cultural context, not just the stripped-down audio file.

Ecosystem: The single most important factor of all though is TikTok’s ecosystem play. In the traditional streaming value chain, you have creators, rights, distribution, promotion, and consumption. TikTok achieves these with its superpower: its audience. Creation comes from the audience, who then distribute and market the content (via the user-centric algorithm framework, user shares, recreation, and other means), and then, of course, the audience consumes. It is a self-contained, virtuous cycle – An ecosystem. Right now, artists are pumped into the system by label marketing teams, and independent artists can push out of the system into traditional streaming with SoundOn. Yet, over time, TikTok’s creation, distribution, and consumption will become ever more self-contained, making TikTok part of what MIDiA identified as the music industry counter-culture. TikTok Music could be a major step on that journey.



Source link

DJI drone tracking data exposed in USSecurity Affairs


Over 80,000 drone IDs were exposed in the leak of a database containing information from airspace monitoring devices manufactured by DJI.

Original post at CyberNews: https://cybernews.com/privacy/dji-drone-tracking-data-exposed-in-us/

Over 80,000 drone IDs were exposed in a data leak after a database containing information from dozens of airspace monitoring devices manufactured by the Chinese-owned DJI was left accessible to the public.

Think twice before taking out your shiny new drone for a spin near the Cannes Film Festival, a prison, a nuclear power plant, or an airport. Enhanced security institutions use devices to monitor drone movement, posing a privacy risk to its owner.

Recently, the Cybernews research team stumbled upon an unprotected database with over 90 million drone-monitoring logs generated by DJI devices – the largest market player in the world that sells both drones and devices to surveil them.

The surveillance race

Used by the military, businesses, and consumers, drones are “fundamentally changing aviation.” Therefore, the US Federal Aviation Administration (FAA) envisions integrating drones into the National Airspace System (NAS) by identifying all unmanned aircraft systems (UAS.)

The FAA introduced remote ID – analogous to license plates for drones – to identify owners of all drones in case they are flying in an unsafe manner or where they are not allowed to fly. Remote ID will provide information about drones in flight – the identity, location, and altitude of the drone and its control station or take-off location.

But it seems that Chinese-owned DJI, already controlling the lion’s share of the drone market worldwide, got there first. In 2017, it introduced the AeroScope device to provide an in-flight drone identification system.

In fact, the company boasted about protecting the prestigious Cannes Film Festival 2022 from unsolicited intrusions from aerial cameras – AeroScope was used by police officers to watch for drones in the area’s no-fly zone.

“From temporary events like festivals, government events, and major sporting events to fixed sites like airports, prisons, and nuclear power plants, AeroScope is a simple, robust technical solution to provide immediate information about DJI drones in the area – from their flight paths to their pilot locations to their serial numbers,” DJI said.

The Shenzhen-headquartered company holds a whopping 70% of the global consumer and enterprise drone market, according to the Business Insider report from 2020.

DJI was blacklisted by the Biden Administration in 2021 for its alleged involvement in the surveillance of the Uyghur Muslim minority in China.

On October 5, 2022, the US Defence Department added DJI and a dozen other companies to a list of Chinese entities believed to be connected to the Chinese military. Pentagon paved the way to further restrictions on their businesses, arguing that access to advanced technologies is crucial for modernizing the People’s Liberation Army.

DJI was also in the spotlight after Ukraine’s Vice Prime Minister Mykhailo Fedorov accused the company of helping the Kremlin to kill civilians by allowing Russia to freely use DJI devices, including AeroScope, on Ukrainian soil.

The discovery

AeroScope, a drone-monitoring device by DJI, can “identify the vast majority of popular drones on the market today.”

The Cybernews Research Team discovered an open database with over 90 million entries of drone-monitoring logs created by 66 different DJI AeroScope devices, with the majority of them (53) being located in the US. Some were located in Qatar (six) and a few in Germany, France, and Turkey.

Logs included the drone’s position, model and serial number, the position of the drone’s pilot, and home location (usually the point of take-off). No personally identifiable information (PII) was present in the dataset. In total, we found over 80,000 unique drone IDs in the instance.

DJI told Cybernews that a 54.5GB-strong dataset, discovered by our researchers on July 11 and hosted by AWS in the US, is not their property, meaning that the data was most likely exposed by their client using AeroScope devices to monitor the airspace for drones.

Since the server was hosted on AWS and didn’t have any domains assigned to it, it was impossible for our researchers to track down the owner even with the help of VirusTotal, Centralops Domain dossier, nmap, and dig, among other useful open-source-intelligence (OSINT) tools.

Cybernews informed both DJI and AWS about the leaky database for them to fix the issue as soon as possible to reduce the risk of threat actors accessing the dataset. AWS said it had passed our “security concern on to the specific customer for their awareness and potential mitigation.”

Troubling data

Needless to say, the surveillance of drones is upsetting enough for people who simply take theirs out for a spin or to capture aerial footage. Given the security concerns, tracking of drones is inevitable: however, it’s reasonable to expect that surveillance data is kept in protected databases.

Aras Nazarovas, a Cybernews researcher, said this information is upsetting to hobbyists since it can essentially show the routes they take with your drone.

“For people who launch drones in their backyards, there is an added danger of revealing their address, and the fact that they are rich enough to have a DJI drone – prices range from $300 to $13,700, and you can see which drone they have,” Nazarovas said.

About the author: Jurgita Lapienytė Chief Editor at CyberNews

Original post at: https://cybernews.com/privacy/dji-drone-tracking-data-exposed-in-us/

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, drone)








Source link

Emporia High girls tennis ready for state


Emporia High girls tennis ready for state

Kali Keough, Peyton Chanley and Ashlyn Foraker qualified for state on Saturday. Photo by Dylan Sherwood/KVOE Sports.

The first state tournament of the 2022-23 season is here.

The Emporia High girls tennis team will be sending three participants to the Class 5A state tournament.

Two of the three members, freshmen Kali Keough and Peyton Chanley will be making their debuts at state. Junior Ashlynn Foraker is making her second trip to state.

Keough earned a No. 2-seed in singles play after taking second in last week’s regional tournament at Emporia High.


Chanley and Foraker will be playing in their second tournament after taking sixth at regionals.

Chanley says they’ve learned more about each other during their preparations this week.

Foraker says she’s treating this like it’s a normal tournament.

Coach Saul Trujillo says he wants his three state qualifiers to enjoy their time at state.

Matches will be played at the Andover District Tennis Complex.



Source link

Severe flaw in popular plugin remains unpatched


An actively exploited zero-day vulnerability in WordPress plugin WPGateway has led to more than 4.6 million attempted attacks in the past month. The currently unpatched flaw is the second significant WordPress vulnerability to be found over the past week.

Wordpress vulnerability
A WordPress plugin vulnerability is being actively targeted for attack. (Photo by Primakov/Shutterstock)

When exploited, this vulnerability, identified as CVE-2022-3180, is used to add malicious administrator users to sites running the plugin. Administrator privileges allow attackers to effectively achieve a complete site takeover.

WordPress technology was behind 43.2% of active websites in 2021, up from 39.5% at the end of 2020, according to a report from security monitoring platform Patchstack.

WordPress vulnerability: is your site affected?

The exploit has been given a CVSS score of 9.8, indicating high severity. The vulnerability was uncovered late last week by WordPress’s security company WordFence, prompting it to alert all WordPress users.

WordPress has not yet released a patch for the vulnerability, but Wordfence has implemented a ‘firewall rule’ to block the exploit on Wordfence Premium, Wordfence Care and Wordfence Response when it was uncovered on Thursday. Since then the firewall has successfully blocked 4.6m attacks on more than 280,000 websites, Wordfence says. Sites using the free version of WordPress will receive similar protection from 8 October.

According to Wordfence, the most common indicator of compromise for this vulnerability is a malicious administrator with the username ‘rangex’. “If you see this user added to your dashboard, it means your site has been compromised,” the announcement says.

Users with the WPGateway plugin installed have been urged to remove it immediately until a patch is made available and to check for malicious administrator users on the WordPress dashboard. 

If the indicators of compromise are uncovered, Wordfence recommends contacting Wordfence Care or Wordfence Response for help.

Content from our partners
The ongoing battle to secure schools from cyberattack

How to provide integrated care systems with the best cybersecurity

Why businesses must overhaul disaster recovery plans

Other WordPress vulnerabilities

As WordPress’s popularity has grown, so has the number of attempted cyberattacks on its users. Patchstack’s research shows that reported vulnerabilities on the platform were up 150% year-on-year in 2021.

CVE-2022-3180 is not the only WordPress vulnerability spotted in the wild in recent weeks. A flaw in a plugin called BackupBuddy, CVE-2022-3180, comes with a high rating of 7.5, and has been used in almost five million attempted attacks since 26 August, Wordfence says.

BackupBuddy is designed to smooth the process of backing up files and file management, which provides the plugin access to files in various destinations including Google Drive, OneDrive and AWS. “Unfortunately the method to download these locally stored files was insecurely implemented making it possible for unauthenticated users to download any file stored on the server,” a Wordfence statement said.

The vulnerability was patched on 2 September, and users are strongly advised to download the latest version of the software to avoid potential problems.



Source link

COMMUNITY SPOTLIGHT: LV Four Seasons Trail goes haunted


COMMUNITY SPOTLIGHT: LV Four Seasons Trail goes haunted | 104.9 Pembroke Today















Skip to Content

listen live

Home

Accessibility





Source link