Brave Search, the browser developer’s privacy-centric Internet search engine, is celebrating its first anniversary after surpassing 2.5 billion queries and seeing almost 5,000% growth in a year.
To celebrate this success, Brave Software announced that Brave Search is finally exiting its beta phase and will become the default search engine for all users of the Brave browser.
Additionally, a new search results curation feature called “Goggles” will be released in beta and made available to those who wish to test it.
Brave Search grows by almost 5,000%
Since launching in June 2021, Brave Search grew by almost 5,000%, starting with 8.1 Million search queries in June 2021 and growing to 411.7 million by the end of May 2022.
Brave says it grew its current query volume four times quicker than DuckDuckGo, likely assisted by its large community of Brave Browser users.
Brave says that independence has remained at the epicenter of the company’s focus, with Brave Search users receiving 92% of their queries directly from Brave’s independent search index rather than through Bing and Google indexes.
“Search engines that depend too much or exclusively on Big Tech are subject to censorship, biases, and editorial decisions,” explains Brave in the blog post.
“Brave Search is committed to openness in search. It does not manipulate its algorithm to bias, filter, or down-rank results (unless it’s compelled by law to do so).”
Besides focusing on privacy and independence, Brave also strove to offer new mechanisms that would enrich the experience of using Brave Search.
Discussions were introduced this April as a new feature on Brave Search to draw results from social media platforms like Reddit.
Security researchers have apparently discovered more than 1.6 million secrets leaked by websites, including more than 395,000 exposed by the one million most popular domains.
Modern web applications typically embed API keys, cryptographic secrets, and other credentials within JavaScript files in client-side source code.
Aided by a tool developed specifically for the task, researchers from RedHunt Labs sought information disclosure vulnerabilities via a “non-intrusive” probe of millions of website home pages and exceptions thrown by debug pages used in popular frameworks.
“The number of secrets exposed via the front end of hosts is alarmingly huge,” said Pinaki Mondal, security researcher at RedHunt Labs, in a blog post.
“Once a valid secret gets leaked, it paves the path for lateral movement amongst attackers, who may decide to abuse the business service account leading to financial losses or total compromise.”
Millions of secrets
The first of two mammoth scans focused on the one million most heavily trafficked websites. It yielded 395,713 secrets, three quarters of which (77%) were related to Google services reCAPTCHA, Google Cloud, or Google OAuth.
Google’s reCAPTCHA alone accounted for more than half (212,127) of these secrets, and the top five exposed secret types were completed by messaging app LINE and Amazon Web Services (AWS).
Phase two, which involved scanning around 500 million hosts, surfaced 1,280,920 secrets, most commonly pertaining to Stripe, followed by Google reCAPTCHA, Google Cloud API, AWS, and Facebook.
A majority of exposures across both phases (77%) occurred in frontend JavaScript files.
Most JavaScript was served through content delivery networks (CDNs), with the Squarespace CDN leading the way with over 197,000 exposures.
Mondal blamed the “decades”-old problem of leaked secrets on the “complexities of the software development lifecycle”, adding: “As the code-base enlarges, developers often fail to redact the sensitive data before deploying it to production.”
“Non-intrusive” research
The RedHunt Labs research team told The Daily Swig that they are still “continuously reporting the secrets through automation to their source domains provided they have an email [address] mentioned on their home page”.
The researchers said they had encountered no legal problems related to the research so far.
“We received a few abuse reports against the boxes on which the scan was run and we have handled them,” they said.
The “extremely non-intrusive” process involved no “more than a few HTTP requests per domain” and no write actions: “only read requests to HTTP URLs and JavaScript files were sent”.
The captured secrets, meanwhile, are “stored on an encrypted volume with access to very limited folks” and “will be disposed of after a month”, added the researchers.
Red Hunt Labs has open-sourced the tool developed for the research and created a demonstration video:
Called HTTPLoot, it can crawl and scrape URLs asynchronously, check for leaked secrets in JavaScript files, find and complete forms to trigger error/debug pages, extract secrets from debug pages, and automatically detect tech stacks.
RedHunt Labs has set out four best practices for preventing and mitigating leaked secrets: restricting what each access key is permitted to do, managing secrets centrally in a restricted environment or configuration file, setting up alerts for leaked secrets, and continuously monitoring source code for information leakage.
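The last of those practices, monitoring shipped code for leakage, can be run against your own front-end bundles before they reach a CDN. The following scanner is an added example, not RedHunt Labs' HTTPLoot: the key prefixes are the published formats of each credential type, the regexes are approximations to tune for your own stack, and every value in the sample bundle is constructed (the AWS pair is the one from AWS's own documentation).

```python
"""Scan front-end JavaScript bundles for embedded credentials (added example; not RedHunt Labs' HTTPLoot)."""
from __future__ import annotations

import math
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str
    value: str
    line: int
    exposure: str  # "secret" (must never ship client-side), "public-by-design", or "review"


# Format-based detectors. The prefixes (AKIA/ASIA, sk_/pk_, AIza, 6L) are the published shapes of
# these credential types; the regexes are approximations to tune for your own stack.
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"), "secret"),
    ("stripe_secret_key", re.compile(r"\bsk_(?:live|test)_[0-9A-Za-z]{24,}\b"), "secret"),
    # Stripe publishable keys are meant to be in the browser; counting them as leaks inflates reports.
    ("stripe_publishable_key", re.compile(r"\bpk_(?:live|test)_[0-9A-Za-z]{24,}\b"), "public-by-design"),
    # A Google API key is only a finding if it is unrestricted, and a reCAPTCHA site key (public) and
    # secret key (private) share one format, so neither can be classified from the string alone.
    ("google_api_key", re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"), "review"),
    ("recaptcha_key", re.compile(r"\b6L[0-9A-Za-z_\-]{38}\b"), "review"),
]
# Catch-all: a string assigned to a key/secret/token/password-like property, if it looks random.
GENERIC = re.compile(r"""(?i)(?:key|secret|token|password|passwd)["']?\s*[:=]\s*["']([^"'\s]{12,})["']""")
MIN_ENTROPY = 3.5  # bits per character; placeholders such as CHANGEME_CHANGEME fall below this


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def scan_js(text: str) -> list[Finding]:
    """Return de-duplicated findings with line numbers; specific formats win over the generic rule."""
    findings: list[Finding] = []
    seen: set[str] = set()
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, rx, exposure in PATTERNS:
            for m in rx.finditer(line):
                if m.group(0) not in seen:
                    seen.add(m.group(0))
                    findings.append(Finding(kind, m.group(0), lineno, exposure))
        for m in GENERIC.finditer(line):
            value = m.group(1)
            if value not in seen and shannon_entropy(value) >= MIN_ENTROPY:
                seen.add(value)
                findings.append(Finding("generic_credential", value, lineno, "secret"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Counts per exposure class: what must be rotated now versus what only needs review."""
    return dict(Counter(f.exposure for f in findings))


# Constructed sample bundle. Every value is a fake with the right shape; nothing here is a live credential.
RECAPTCHA_KEY = "6LcEXAMPLEsitekey_" + "0" * 22   # 40 chars, the reCAPTCHA key shape
GOOGLE_KEY = "AIzaEXAMPLE" + "x" * 28             # 39 chars, the Google API key shape
STRIPE_PK = "pk_live_EXAMPLE" + "0" * 20
STRIPE_SK = "sk_live_EXAMPLE" + "0" * 20
SAMPLE_JS = (
    "window.APP_CONFIG = {\n"
    f'  recaptchaSiteKey: "{RECAPTCHA_KEY}",\n'
    f'  mapsKey: "{GOOGLE_KEY}",\n'
    f'  stripePublishableKey: "{STRIPE_PK}",\n'
    f'  stripeSecret: "{STRIPE_SK}",\n'
    '  apiKey: "CHANGEME_CHANGEME",\n'
    '  uploadToken: "Zq9vT2xW7kLm3Pq8Rt1Yd"\n'
    "};\n"
    'var s3 = new AWS.S3({ accessKeyId: "AKIAIOSFODNN7EXAMPLE",\n'
    '                      secretAccessKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY" });\n'
)

if __name__ == "__main__":
    found = scan_js(SAMPLE_JS)
    for f in sorted(found, key=lambda f: (f.exposure, f.line)):
        print(f"line {f.line:>3}  {f.exposure:<17} {f.kind:<24} {f.value[:12]}...")
    print(summarize(found))
```

On the sample bundle the placeholder value is dropped by the entropy gate, and the publishable and reCAPTCHA keys are reported separately from the four values that would need rotation.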
Threat actors behind web skimming campaigns are using malicious JavaScript to mimic Google Analytics and Meta Pixel scripts to avoid detection.
Microsoft security researchers recently observed web skimming campaigns that used multiple obfuscation techniques to avoid detection.
The threat actors obfuscated the skimming script by encoding it in PHP, which was in turn embedded in an image file; with this trick, the code is executed when a website’s index page is loaded.
The experts also observed compromised web applications injected with malicious JavaScript masquerading as Google Analytics and Meta Pixel (formerly Facebook Pixel) scripts. Some skimming scripts also included anti-debugging mechanisms.
The term web skimming refers to the criminal practice of harvesting visitors’ payment information during checkout on a website. Crooks typically exploit vulnerabilities in e-commerce platforms and CMSs to inject the skimming script into the pages of the e-store. In some cases, attackers exploit vulnerabilities in installed third-party plugins and themes to inject malicious scripts.
“During our research, we came across two instances of malicious image files being uploaded to a Magento-hosted server. Both images contained a PHP script with a Base64-encoded JavaScript, and while they had identical JavaScript code, they slightly differed in their PHP implementation.” reads the analysis published by Microsoft. “The first image, disguised as a favicon (also known as a shortcut or URL icon), was available on VirusTotal, while the other one was a typical web image file discovered by our team.”
Microsoft also observed attackers masquerading as Google Analytics and Meta Pixel (formerly Facebook Pixel) scripts to avoid raising suspicion.
The attackers place a Base64-encoded string inside a spoofed Google Tag Manager code. This string decoded to trafficapps.business/data.php?p=form.
Encoded skimming script in a spoofed Google Analytics code (Source: Microsoft)
Experts noticed that the attackers behind the Meta Pixel spoofing used newly registered domains (NRDs) using HTTPS.
“Given the increasingly evasive tactics employed in skimming campaigns, organizations should ensure that their e-commerce platforms, CMSs, and installed plugins are up to date with the latest security patches and that they only download and use third-party plugins and services from trusted sources,” Microsoft concludes.
Researchers uncovered a massive hacking campaign that compromised thousands of WordPress websites to redirect visitors to scam sites.
Cybersecurity researchers from Sucuri uncovered a massive campaign that compromised thousands of WordPress websites by injecting malicious JavaScript code that redirects visitors to scam content.
The infections automatically redirect site visitors to third-party websites containing malicious content (i.e. phishing pages, malware downloads), scam pages, or commercial websites to generate illegitimate traffic.
“The websites all shared a common issue – malicious JavaScript had been injected within their website’s files and the database, including legitimate core WordPress files, such as:
./wp-includes/js/jquery/jquery.min.js
./wp-includes/js/jquery/jquery-migrate.min.js”
“Once the website had been compromised, attackers had attempted to automatically infect any .js files with jQuery in the names. They injected code that begins with ‘/* trackmyposs*/eval(String.fromCharCode…’” reads the analysis published by Sucuri.
In some attacks, users were redirected to a landing page containing a CAPTCHA check. Upon clicking on the fake CAPTCHA, they’ll be opted in to receive unwanted ads even when the site isn’t open.
The ads will look like they are generated from the operating system and not from a browser.
According to Sucuri, at least 322 websites were compromised as a result of this new wave of attacks and were observed redirecting visitors to the malicious website drakefollow.com.
“Our team has seen an influx in complaints for this specific wave of the massive campaign targeting WordPress sites beginning May 9th, 2022, which has impacted hundreds of websites already at the time of writing.” concludes the report. “It has been found that attackers are targeting multiple vulnerabilities in WordPress plugins and themes to compromise the website and inject their malicious scripts. We expect the hackers will continue registering new domains for this ongoing campaign as soon as existing ones become blacklisted.”
Website admins could check if their websites have been compromised by using Sucuri’s free remote website scanner.
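A remote scanner only sees what the site serves; the two campaigns above also leave artefacts on disk that an administrator with shell access can look for: Microsoft's PHP-wrapped Base64 JavaScript inside an image file, and Sucuri's eval(String.fromCharCode(...)) injection into core jQuery files. The triage script below is an added example, not Sucuri's scanner or Microsoft's tooling; the sample web root, the payload strings and the known-good hashes are all constructed, and in practice the known-good hashes come from pristine copies of your CMS release.

```python
"""Offline triage of a CMS web root for the injections described above (added example)."""
from __future__ import annotations

import base64
import hashlib
import re
from dataclasses import dataclass
from pathlib import Path

IMAGE_EXT = (".ico", ".png", ".jpg", ".jpeg", ".gif", ".webp", ".svg")
TEXT_EXT = (".js", ".php", ".html", ".htm")
PHP_TAG = re.compile(rb"<\?php\b|<\?=")
B64_ARG = re.compile(rb"base64_decode\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]")
FROMCHARCODE = re.compile(r"eval\(\s*String\.fromCharCode\(\s*([0-9,\s]+)\)\s*\)")
JS_MARKERS = ("document.", "XMLHttpRequest", "fetch(", "window.location", "addEventListener")


@dataclass
class Hit:
    path: str
    reason: str
    decoded: str = ""   # decoded payload (or digest) so the analyst sees what was hidden


def php_in_image(path: str, data: bytes) -> list[Hit]:
    """An 'image' carrying a PHP open tag is not an image; decode any Base64 it passes to base64_decode."""
    if not path.lower().endswith(IMAGE_EXT) or not PHP_TAG.search(data):
        return []
    decoded = []
    for m in B64_ARG.finditer(data):
        try:
            raw = base64.b64decode(re.sub(rb"\s+", b"", m.group(1)), validate=True)
        except ValueError:            # binascii.Error is a ValueError subclass
            continue
        decoded.append(raw.decode("utf-8", "replace"))
    js_like = [d for d in decoded if any(k in d for k in JS_MARKERS)]
    reason = "php-in-image+js-payload" if js_like else "php-in-image"
    return [Hit(path, reason, (js_like or decoded or [""])[0])]


def eval_fromcharcode(path: str, data: bytes) -> list[Hit]:
    """Turn eval(String.fromCharCode(119,105,...)) back into the text the browser would execute."""
    if not path.lower().endswith(TEXT_EXT):
        return []
    text = data.decode("utf-8", "replace")
    return [Hit(path, "eval-fromcharcode", "".join(chr(int(n)) for n in m.group(1).split(",") if n.strip()))
            for m in FROMCHARCODE.finditer(text)]


def core_integrity(path: str, data: bytes, known: dict[str, str]) -> list[Hit]:
    """Core files (jquery.min.js and friends) must hash-match the pristine copies you keep out of band."""
    digest = hashlib.sha256(data).hexdigest()
    if path in known and known[path] != digest:
        return [Hit(path, "core-hash-mismatch", digest)]
    return []


def triage(files: dict[str, bytes], known: dict[str, str]) -> list[Hit]:
    hits: list[Hit] = []
    for path, data in sorted(files.items()):
        hits += php_in_image(path, data) + eval_fromcharcode(path, data) + core_integrity(path, data, known)
    return hits


def load_webroot(root: str) -> dict[str, bytes]:
    """Read a real web root into the {relative path: bytes} shape triage() expects."""
    base = Path(root)
    return {p.relative_to(base).as_posix(): p.read_bytes() for p in base.rglob("*") if p.is_file()}


# Constructed sample web root: a favicon with embedded PHP, an infected jquery.min.js, and clean files.
PAYLOAD = 'window.location.href="https://scam.example.invalid/";'   # stand-in for the redirect
CODES = ",".join(str(ord(c)) for c in PAYLOAD).encode()
CLEAN_JQUERY = b"/*! constructed stand-in for jquery.min.js, not the real library */\n(function(){})();\n"
INFECTED_JQUERY = b"/* trackmyposs*/eval(String.fromCharCode(" + CODES + b"));\n" + CLEAN_JQUERY
SKIM_STUB = '/* constructed stand-in for a skimmer body */ document.addEventListener("submit", function(){});'
FAVICON = (b"\x00\x00\x01\x00"        # ICO header, then the PHP wrapper Microsoft describes
           + b"<?php echo base64_decode('" + base64.b64encode(SKIM_STUB.encode()) + b"'); ?>")
SAMPLE_FILES = {
    "favicon.ico": FAVICON,
    "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
    "wp-includes/js/jquery/jquery.min.js": INFECTED_JQUERY,
    "wp-includes/js/jquery/jquery-migrate.min.js": CLEAN_JQUERY,
}
KNOWN_HASHES = {p: hashlib.sha256(CLEAN_JQUERY).hexdigest() for p in
                ("wp-includes/js/jquery/jquery.min.js", "wp-includes/js/jquery/jquery-migrate.min.js")}

if __name__ == "__main__":
    for h in triage(SAMPLE_FILES, KNOWN_HASHES):
        print(f"{h.reason:<24} {h.path}\n    {h.decoded[:80]}")
```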
Digital banking has been a reality for quite a while now, particularly pushed forward in these last few years. Is security keeping up the pace?
Online banking and mobile banking apps have made great security strides in recent years. In fact, some of today’s most well-respected banks are improving security measures by offering SMS or email alerts for financial transactions, multi-factor authentication, fraud monitoring and alerts, and two-step verification for large money transfers. When these features are set up correctly, they exponentially increase the security for personal banking accounts.
Unfortunately, not all consumers use these critical safeguards on their accounts. Our recent Retail Banking Survey found that 30% of those relying on a password only change it one to two times a year, and 23% admit to never changing their password. Despite banks working to improve online security protocols, consumers must also do their part in taking advantage of enhanced security features to keep their accounts safe.
What makes digital banking vulnerable the most?
Instead of physically walking into a bank to manage finances, consumers can now access their account effortlessly on a banking website or mobile app. However, since banks strive to make the digital banking experience as intuitive and frictionless as possible for users, this can also present an opportunity for hackers to access unwitting consumers’ bank accounts.
Since authenticating a consumer’s true identity is so important to the online banking experience, if a bank does not offer strong identity verification, or if consumers are not practicing proper cyber hygiene on their mobile devices and computers, they can be socially engineered into giving up access to their bank account. Considering the majority (45%) of bank customers continue to use traditional username and password to log in, as opposed to more secure methods like thumbprint (20%), facial recognition (17%) or two-factor authentication (16%), consumers’ financial information is more vulnerable than they may realize.
What are the common mistakes consumers make when using digital banking?
The biggest mistake is that many customers still use the same username and password combination to access their online bank account, as they would for other websites. Since websites are constantly being breached (and then their entire password databases are bought and sold on hacker forums), today’s fraudsters are well-versed in testing stolen credentials to log into as many other sensitive websites (like emails, bank accounts and cloud storage accounts) as possible. This is why consumers must use a lengthy and unique password for their online banking accounts, one that can also easily be created and managed through a password manager.
Another common mistake is when consumers don’t set up secure multi-factor authentication, which is necessary in protecting oneself in today’s online world, because simple credentials can be stolen or guessed by a hacker at any time. This protocol is easy to set up and makes it exponentially more difficult for hackers to gain access to a banking account, as it requires additional security measures like FaceID and TouchID, coupled with the consumer’s login credentials, to authenticate to the online bank.
Finally, banking customers should take advantage of security alerts to keep their financial information secure. Many banks allow customers to set up monitoring and security alerts in their banking profiles, so they know when someone is either accessing their account or performing any financial transactions with their funds. This can help them take action much quicker against potential hacks, as well as keep a closer eye on their financial information.
How aware are consumers of the possible threats to their bank accounts and data and how proactive have they become in protecting them?
Many people are still not aware of how easily a fraudster can convince the average person to unknowingly give up their bank account details. Furthermore, many don’t know that poor cyber hygiene on their computers and mobile devices can lead to them inadvertently exposing their personal information.
Some good cyber hygiene practices include keeping devices and all automatically installed apps up to date, installing only trusted apps from the App Store, running anti-virus software and being suspicious of unsolicited calls, texts and emails from banks.
Hackers are using fake emails, texts and phone calls to trick people into thinking their bank is directly contacting them to take some kind of “urgent action,” by coaxing them to verify fake fraudulent activity, or their personal details. Furthermore, there have been cases of fake banking apps distributed on the Google Play Store that look identical to legitimate Android banking apps, but were actually designed to steal victims’ banking credentials.
Banks also educate their customers about the dangers of online banking, as well as actively encourage them to set up features such as multi-factor authentication and security alerts on their accounts.
Consumers should be routinely checking their bank accounts for fraudulent activity, and according to our survey, 41% of people check their bank accounts almost every day. Security is a team sport, and it involves active participation by everyone involved to ensure that bank accounts remain safe. In addition to monitoring their accounts, consumers can do their part by making sure they turn on the various security features in their bank account profile.
What can banks do to strengthen their cyber resiliency while offering a satisfactory customer experience?
Banks should continue to communicate to customers how easy it is to enable multi-factor authentication and security alerts for their accounts. This will mitigate many security issues, even if the consumer decides to continue using the same credentials on their banking site, as they do on other websites.
Additionally, banks can strengthen their cyber resiliency using a superior digital insights platform, to ensure that the process and flow for setting up online banking security controls, such as multi-factor authentication and alerts, are seamless and easy to activate. This allows banks to monitor visitors’ digital banking experience, and to identify and resolve specific pain points consumers face when trying to set up better security controls on their profile, whether due to technical errors or confusing UX designs.
If they have any setup issues, and back out of turning features on, banks can pinpoint exactly where that occurred so they can address it, and people are more encouraged in the future to finish the setup process. Real-time monitoring of web and mobile banking applications can also help flag fraudulent activity, so that action can be taken against it and prevent it in the future.
Burp Suite, developed by PortSwigger, is a proxy-based tool used to evaluate the security of web-based applications and to do hands-on testing. It is one of the most popular penetration testing and vulnerability finder tools and is often used for checking web application security.
Threat actors compromised WordPress sites to deploy a script that was used to launch DDoS attacks, when they are visited, on Ukrainian websites.
MalwareHunterTeam researchers discovered the malicious script on a compromised WordPress site; when users visited the website, the script launched a DDoS attack against ten Ukrainian sites.
There’s about a hundred of them actually. All through the WP vulns. Unfortunately, many providers/owners don’t react. @GoDaddy ignores abuse letters completely
The only evidence of the ongoing attack is the slowing down of the browser performance.
According to BleepingComputer, which first reported the discovery, DDoS attacks targeted pro-Ukrainian sites and Ukrainian government agencies, including think tanks, recruitment sites for the International Legion of Defense of Ukraine, and financial sites.
Google addresses an actively exploited zero-day flaw with the release of Chrome 99.0.4844.84 for Windows, Mac, and Linux.
Google fixed an actively exploited high-severity zero-day vulnerability with the release of Chrome 99.0.4844.84 for Windows, Mac, and Linux.
Google has released Chrome 99.0.4844.84 for Windows, Mac, and Linux users to address a high-severity zero-day bug, tracked as CVE-2022-1096, exploited in the wild.
The CVE-2022-1096 vulnerability is a type confusion in the V8 JavaScript engine; the bug was reported by an anonymous researcher on 2022-03-23.
“The Stable channel has been updated to 99.0.4844.84 for Windows, Mac and Linux which will roll out over the coming days/weeks.” reads the security advisory published by Google.
“Google is aware that an exploit for CVE-2022-1096 exists in the wild.”
At this time, Google has yet to publish technical details about the flaw or how it was exploited by threat actors in the wild.
“Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.” continues the advisory.
CVE-2022-1096 is the second zero-day vulnerability addressed by the IT giant this year in Chrome. In February Google fixed a high-severity zero-day flaw, tracked as CVE-2022-0609, which was actively exploited. Google released a Chrome emergency update for Windows, Mac, and Linux to fix the
Mozilla has published Firefox 97.0.2, an “out-of-band” update that closes two bugs that are officially listed as critical.
Mozilla reports that both of these holes are already actively being exploited, making them so-called zero-day bugs, which means, in simple terms, that the crooks got there first:
We have had reports of attacks in the wild abusing [these] flaw[s].
Access to information about the bugs is still restricted to Mozilla insiders, presumably to make it harder for attackers to get at the technical details of how to exploit these security holes.
Assuming that the existing zero-day exploits are not widely known (these days, true zero-days are often jealously guarded by their discoverers because they’re considered both scarce and valuable), temporarily limiting access to the source code changes does provide some protection against copycat attacks.
As we’ve mentioned many times before on Naked Security, finding and exploiting a zero-day hole when you know where to start looking, and what to start looking for, is very much easier than discovering such a bug from scratch.
The bugs are listed as:
CVE-2022-26485: Use-after-free in XSLT parameter processing. This bug has apparently already been exploited for remote code execution (RCE), implying that attackers with no existing privileges or accounts on your computer could trick you into running malware code of their choice simply by luring you to an innocent-looking but booby-trapped website.
CVE-2022-26486: Use-after-free in WebGPU IPC Framework. This bug has apparently already been exploited for what’s known as a sandbox escape. This sort of security hole can typically be abused on its own (for example, to give an attacker access to files that are supposed to be off limits), or in combination with an RCE bug to allow implanted malware to escape from the security confines imposed by your browser, thus making an already bad situation even worse.
Use-after-free bugs occur when one part of a program signals its intention to stop using a chunk of memory that was allocated to it… but carries on using it anyway, thus potentially trampling on data that other parts of the program are now relying on.
What to do?
Go to the About Firefox dialog to check your current version.
If you are out of date then Firefox will offer to fetch the update and then present a [Restart Firefox] button; click the button, or exit and restart the browser, to deploy the update.
The version numbers you want are: Firefox 97.0.2 (if you are using the regular release), or Firefox 91.6.1 ESR (if you are using the extended support release), or Firefox 97.3.0 for Android.
If you’re on Android, check for updates via the Play Store.
If you’re a Linux user where Firefox is managed by your distro, check with your distro creator.
Researchers from WordPress security company Wordfence discovered a high-severity vulnerability that affects three different WordPress plugins that impact over 84,000 websites. The vulnerability tracked as CVE-2022-0215 is a cross-site request forgery (CSRF) issue that received a CVSS score of 8.8.
A threat actor could exploit the vulnerability to take over vulnerable websites.
The flaw impacts three plugins maintained by Xootix:
“On November 5, 2021 the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability we discovered in ‘Login/Signup Popup’, a WordPress plugin that is installed on over 20,000 sites. A few days later we discovered the same vulnerability present in two additional plugins developed by the same author: ‘Side Cart Woocommerce (Ajax)’, installed on over 60,000 sites, and ‘Waitlist Woocommerce ( Back in stock notifier )’, installed on over 4,000 sites.” reads the advisory published by Wordfence. “This flaw made it possible for an attacker to update arbitrary site options on a vulnerable site, provided they could trick a site’s administrator into performing an action, such as clicking on a link.”
A critical privilege-escalation vulnerability could lead to backdoors for admin access nesting in web servers.
A popular WordPress SEO-optimization plugin, called All in One SEO, has a pair of security vulnerabilities that, when combined into an exploit chain, could leave website owners open to site takeover. The plugin is used by more than 3 million websites.
An attacker with an account with the site, such as a subscriber, shopping account holder or member, can take advantage of the holes, which are a privilege-escalation bug and an SQL-injection problem, according to researchers at Sucuri.
“WordPress websites by default allow any user on the web to create an account,” researchers said in a posting on Wednesday. “By default, new accounts are ranked as subscriber and do not have any privileges other than writing comments. However, certain vulnerabilities, such as the ones just discovered, allow these subscriber users to have vastly more privileges than they were intended to have.”
The pair is ripe for easy exploitation, according to Sucuri, so users should upgrade to the patched version, v. 4.1.5.3. Marc Montpas, a security researcher at Automattic, was credited with finding the bugs.
Pick a random person, and ask them these two questions:
Q1. Have you heard of Apache?
Q2. If so, can you name an Apache product?
We’re willing to wager that you will get one of two replies:
A1. No. A2. (Not applicable.)
A1. Yes. A2. Log4j.
Two weeks ago, however, we’d suggest that very few people had heard of Log4j, and even amongst those cognoscenti, few would have been particularly interested in it.
Until a cluster of potentially catastrophic bugs (originally implemented as features, on the grounds that less is never more) were revealed under the bug-brand Log4Shell, the Log4j programming library was merely one of those many components that got sucked into and used by thousands, perhaps even hundreds of thousands, of Java applications and utilities.
Log4j was just “part of the supply chain” that came bundled into more back-end servers and cloud-based services than anyone actually realised until now.
Many sysadmins, IT staff and cybersecurity teams have spent the past two weeks eradicating this programmatic plague from their demesnes. (Yes, that’s a real word. It’s pronounced domains, but the archaic spelling avoids implying a Windows network.)
Google released security updates to address five vulnerabilities in the Chrome web browser, including a high-severity zero-day flaw, tracked as CVE-2021-4102, exploited in the wild.
The CVE-2021-4102 flaw is a use-after-free issue in the V8 JavaScript and WebAssembly engine, its exploitation could lead to the execution of arbitrary code or data corruption.
“Google is aware of reports that an exploit for CVE-2021-4102 exists in the wild.” reads the advisory published by Google, which did not share additional info regarding these attacks.
The vulnerability was reported by an anonymous researcher on 2021-12-09.
Google has already addressed 17 zero-day vulnerabilities in Chrome this year, below is the full list:
CISA adds Log4Shell Log4j flaw to the Known Exploited Vulnerabilities Catalog
The U.S. CISA added 13 new vulnerabilities to the Known Exploited Vulnerabilities Catalog, including Apache Log4Shell Log4j and Fortinet FortiOS issues.
Below is the list of new vulnerabilities added to the Known Exploited Vulnerabilities Catalog, which is the list of issues frequently used as attack vector by threat actors in the wild and that pose significant risk to the federal enterprise.
Red Hat Linux JBoss Seam 2 Remote Code Execution Vulnerability, 6/10/2022
The CVE-2021-44228 flaw made the headlines last week, after Chinese security researcher p0rz9 publicly disclosed a Proof-of-concept exploit for the critical remote code execution zero-day vulnerability (aka Log4Shell) that affects the Apache Log4j Java-based logging library.
The impact of the issue is devastating: thousands of organizations worldwide are potentially exposed to attacks, and security experts have already reported exploitation attempts in the wild.
CISA also warns of a recently disclosed arbitrary file download vulnerability in FortiOS, tracked as CVE-2021-44168, that is actively exploited.
“A download of code without integrity check vulnerability [CWE-494] in the ‘execute restore src-vis’ command of FortiOS may allow a local authenticated attacker to download arbitrary files on the device via specially crafted update packages.” reads the advisory published by Fortinet. “Fortinet is aware of an instance where this vulnerability was abused and recommends immediately validating your systems for indicators of compromise”
Chinese security researcher p0rz9 publicly disclosed a Proof-of-concept exploit for a critical remote code execution zero-day vulnerability, tracked as CVE-2021-44228 (aka Log4Shell), in the Apache Log4j Java-based logging library.
Log4j is widely used by both enterprise apps and cloud services, including Apple iCloud and Steam.
A remote, unauthenticated attacker can exploit the CVE-2021-44228 to execute arbitrary code on a vulnerable system leading to a complete system takeover.
The vulnerability was discovered by researchers from Alibaba Cloud’s security team, who notified the Apache Foundation on November 24. According to the experts, the vulnerability is easy to exploit and does not require special configuration; for this reason, it received a CVSSv3 score of 10/10. Researchers pointed out that Apache Struts2, Apache Solr, Apache Druid and Apache Flink are all affected by this vulnerability.
Now researchers from cybersecurity firm Cybereason have released a script that works as a “vaccine” (dubbed Logout4Shell) that allows remotely mitigating the Log4Shell vulnerability by turning off the “trustURLCodebase” setting in vulnerable instances of the library.
“While the best mitigation against this vulnerability is to patch log4j to 2.15.0 and above, in Log4j version (>=2.10) this behavior can be mitigated by setting system property log4j2.formatMsgNoLookups to true or by removing the JndiLookup class from the classpath. Additionally, if the server has Java runtimes >= 8u121, then by default, the settings com.sun.jndi.rmi.object.trustURLCodebase and com.sun.jndi.cosnaming.object.trustURLCodebase are set to ‘false’, mitigating this risk. However, enabling these system properties requires access to the vulnerable servers as well as a restart.” reads the GitHub page set up for the Log4Shell project.
Cybereason experts pointed out that enabling these system properties requires access to the vulnerable servers, and the servers have to be restarted.
there's a minecraft client & server exploit open right now which abuses a vulnerability in log4j versions 2.0 – 2.14.1, there are proofs of concept going around already.
Mass scanning activity detected from multiple hosts checking for servers using Apache Log4j (Java logging library) vulnerable to remote code execution (https://t.co/GgksMUlf94).
Query our API for "tags=CVE-2021-44228" for source IP addresses and other IOCs. #threatintel
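Before any of the mitigations quoted above can be applied, a host owner needs to know which archives still carry JndiLookup.class and at what version, including copies nested inside WARs and fat jars. The inventory script below is an added example, not Cybereason's Logout4Shell; it assumes the jar manifest carries an Implementation-Version line, uses the 2.15.0 threshold this page names, and the archives in its sample run are constructed in memory.

```python
"""Inventory Log4j in jars/wars on a host and classify each against the mitigations above (added example)."""
from __future__ import annotations

import io
import re
import zipfile
from pathlib import Path

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"   # the class the page says to remove
CORE_PREFIX = "org/apache/logging/log4j/core/"
VERSION_RE = re.compile(r"^Implementation-Version:\s*(\S+)", re.M)      # assumed present in the jar manifest
FIXED = (2, 15, 0)   # the fixed release this page names; later advisories moved the bar to 2.17.x
NESTED = (".jar", ".war", ".ear", ".zip")


def parse_version(s: str) -> tuple[int, int, int]:
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", s or "")
    return (int(m[1]), int(m[2]), int(m[3] or 0)) if m else (0, 0, 0)   # unknown sorts as oldest


def inspect_archive(blob: bytes, name: str) -> list[dict]:
    """Report every log4j-core found in an archive, descending into nested jars (WAR/EAR/fat jars)."""
    results: list[dict] = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        names = set(zf.namelist())
        if any(n.startswith(CORE_PREFIX) for n in names):
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace") if "META-INF/MANIFEST.MF" in names else ""
            m = VERSION_RE.search(manifest)
            version = m[1] if m else "unknown"   # a shaded jar reports its host's version, so trust this least
            has_jndi = JNDI_LOOKUP in names
            if not has_jndi:
                status = "mitigated-jndilookup-removed"
            elif parse_version(version) < FIXED:
                status = "vulnerable"
            else:
                status = "patched"
            results.append({"archive": name, "version": version, "jndi_lookup": has_jndi, "status": status})
        for n in sorted(names):
            if n.lower().endswith(NESTED):
                results += inspect_archive(zf.read(n), f"{name}!{n}")
    return results


def scan_host(root: str) -> list[dict]:
    """Walk a filesystem tree. The JVM flag log4j2.formatMsgNoLookups is a runtime property and is not
    visible in a jar, so check it separately (e.g. the process command line) before calling a host clean."""
    out: list[dict] = []
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in NESTED:
            out += inspect_archive(p.read_bytes(), str(p))
    return out


# Constructed sample archives: stub class entries suffice, the check only looks at names and the manifest.
def build_jar(entries: dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n, b in entries.items():
            zf.writestr(n, b)
    return buf.getvalue()


def manifest(version: str) -> bytes:
    return f"Manifest-Version: 1.0\r\nImplementation-Title: Apache Log4j Core\r\nImplementation-Version: {version}\r\n".encode()


STUB = b"\xca\xfe\xba\xbe"   # class-file magic; contents are irrelevant to this check
VULN_CORE = build_jar({"META-INF/MANIFEST.MF": manifest("2.14.1"), CORE_PREFIX + "Logger.class": STUB, JNDI_LOOKUP: STUB})
STRIPPED_CORE = build_jar({"META-INF/MANIFEST.MF": manifest("2.14.1"), CORE_PREFIX + "Logger.class": STUB})
PATCHED_CORE = build_jar({"META-INF/MANIFEST.MF": manifest("2.15.0"), CORE_PREFIX + "Logger.class": STUB, JNDI_LOOKUP: STUB})
APP_WAR = build_jar({
    "WEB-INF/web.xml": b"<web-app/>",
    "WEB-INF/lib/log4j-core-2.14.1.jar": VULN_CORE,
    "WEB-INF/lib/other-lib.jar": build_jar({"com/example/Other.class": STUB}),
})

if __name__ == "__main__":
    for name, blob in [("log4j-core-2.14.1.jar", VULN_CORE), ("app.war", APP_WAR), ("log4j-core-2.15.0.jar", PATCHED_CORE)]:
        for r in inspect_archive(blob, name):
            print(f"{r['status']:<30} {r['version']:<8} {r['archive']}")
```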
The metadata stored on the file led the researchers to several WordPress database dumps, which contained multiple administrator usernames and email addresses, as well as the hashed password for the Microsoft Vancouver website.
Security researchers, us at CyberNews included, routinely use search engines that index publicly accessible Internet of Things (IoT) devices and web servers for threat intelligence. This helps us warn users and organizations that their data is being exposed and help them plug the leaks.
Back in September, while gathering intelligence on an IoT search engine, our security researchers stumbled upon a DS_STORE file that was apparently stored on a web server owned by Microsoft Vancouver.
DS_STORE (.DS_Store) is a hidden metadata file that the macOS Finder writes into every folder it browses, and it records the names of the files and sub-folders in that folder. Leaving DS_STORE files on remote web servers is dangerous because anyone who can fetch one learns the server's folder structure, including files that were never meant to be linked, which may result in leaks of sensitive or confidential data. This is exactly what happened with the leftover DS_STORE file present on the Microsoft Vancouver web server.
"By analyzing the file, our Investigations team was able to learn about the files hosted on the Microsoft Vancouver server, as well as several database dump files stored on the server."
These database dumps contained multiple administrator usernames and email addresses, as well as the hashed password for Microsoft Vancouver's WordPress website.
According to the company's website, Microsoft Vancouver is home to teams that work on developing a variety of Microsoft products, including "Notes, MSN, Gears of War, Skype, and mixed reality applications, both for desktop and HoloLens."
On September 27, CyberNews researchers reached out to Microsoft Canada via their official contact email in order to report their findings and help secure the exposed file.
Unfortunately, we did not hear back from the company right away. Even though warnings from security researchers can sometimes get overlooked by large organizations, several additional emails are usually enough to break through and reach the eyes of security teams. As such, we made multiple additional attempts at contacting Microsoft via customer support email addresses and phone numbers listed on the company's official websites.
On December 2, public access to the DS_STORE file was finally disabled and it is no longer leaking sensitive data. After the file was secured, we reached out to Microsoft for additional comment regarding the incident but have yet to hear back.
As a resource, the internet is a wonderful place for children to learn, explore ideas, and express themselves creatively. The internet is also key in a child's social development, helping to strengthen communication skills, for example when playing games or chatting with friends.
However, parents should be aware that all these activities often come with risks. Kids online can be exposed to inappropriate content, cyberbullying, and even predators.
While keeping an eye on what your children see and do online helps protect them against these risks, it's not easy monitoring your kids without feeling like you're invading their privacy. Just asking what websites they visit may give the impression that you don't trust your child.
The key to combatting any big risk is education. It's important for you and your children to be aware of the dangers, how to protect against them, and how to identify the warning signs. This is why we've put together this guide, to help both you and your kids* understand how to navigate the internet safely.
*Look out for our "For Kids" tips below, which you can share with your kids and teens.
A 2020 study by the Pew Research Center found that:
86% of parents of a child under age 11 limit their child's screen time, while 75% check what their child does online.
71% of parents of a child age 11 or under are concerned their child has too much screen time.
66% of parents think parenting is harder today than it was 20 years ago, with 21% blaming social media in general.
65% of parents believe it's acceptable for a child to have their own tablet computer before age 12.
Threat actors are exploiting a recently addressed server-side request forgery (SSRF) vulnerability, tracked as CVE-2021-40438, in Apache HTTP servers.
The CVE-2021-40438 flaw can be exploited against httpd web servers that have the mod_proxy module enabled. A threat actor can trigger the issue using a specially crafted request to cause the module to forward the request to an arbitrary origin server.
The vulnerability was patched in mid-September with the release of version 2.4.49; it impacts version 2.4.48 and earlier.
"A crafted request uri-path can cause mod_proxy to forward the request to an origin server chosen by the remote user." reads the change log for version 2.4.49.
Since the public disclosure of the vulnerability, several PoC exploits for CVE-2021-40438 have been published.
Now experts from Germany's Federal Office for Information Security (BSI) and Cisco are warning of ongoing attacks attempting to exploit the vulnerability.
Cisco published a security advisory to inform its customers that it is investigating the impact of the issue on its products. The issue impacts Prime Collaboration Provisioning, Security Manager, Expressway series and TelePresence Video Communication Server (VCS) products. However, the IT giant states that it is still investigating its product line.
"In November 2021, the Cisco PSIRT became aware of exploitation attempts of the vulnerability identified by CVE ID CVE-2021-40438." reads the security advisory published by Cisco.
The German BSI agency also published an alert about this vulnerability; it is aware of at least one attack exploiting it.
"The BSI is aware of at least one case in which an attacker was able to do so through exploitation of the vulnerability to obtain hash values of user credentials from the victim's system. The vulnerability affects all versions of Apache HTTP Server 2.4.48 or older." reads the alert published by the BSI.
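The published PoCs give defenders something concrete to hunt for in Apache access logs. This Python is an added example, not code from Cisco, the BSI or any PoC author; it assumes, based on those public PoCs, that an attempt looks like a request target of the form /<path>?unix:<long padding>|http://<origin>/..., where the unix: socket syntax plus padding tricks mod_proxy into using the URL after the pipe as the origin server. Legitimate clients never send unix: in a request target, so any such request is worth an alert, and the recovered origin (often a cloud metadata address or an internal service) tells you what the attacker was after. The log lines scanned are constructed samples using documentation IP ranges.

```python
"""Spot CVE-2021-40438 (mod_proxy SSRF) attempts in Apache combined-format access logs.

Added example with constructed sample lines; the request shape is assumed from public PoCs.
"""
import re
from urllib.parse import unquote

# Combined log format: client ident user [time] "METHOD target PROTO" status bytes "referer" "ua"
_LOG = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumed PoC shape: unix:<padding>|<scheme>://<origin>; the origin is what gets proxied to.
_UNIX = re.compile(r"unix:(?P<pad>[^|]*)\|(?P<origin>[a-z][a-z0-9+.-]*://[^\s\"]+)", re.I)


def parse_line(line):
    """Split one combined-format line into fields, or return None if it does not parse."""
    m = _LOG.match(line)
    return m.groupdict() if m else None


def ssrf_attempt(target):
    """Return (padding_length, origin) if the request target carries a unix:-socket override."""
    m = _UNIX.search(unquote(target))  # attackers may URL-encode the pipe or the padding
    if not m:
        return None
    return len(m.group("pad")), m.group("origin")


def scan(lines):
    """Return one record per suspicious request: who sent it, where it pointed, what Apache replied."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        found = ssrf_attempt(rec["target"])
        if found:
            pad, origin = found
            hits.append({"client": rec["client"], "origin": origin, "pad": pad, "status": rec["status"]})
    return hits


PAD = "A" * 4200  # constructed filler; real PoCs use a few thousand bytes of padding

# Constructed sample lines (documentation IP ranges): two attempts, a benign request,
# and a path that merely contains the word unix: without the pipe/URL part.
SAMPLE_LOG = [
    f'203.0.113.10 - - [07/Dec/2021:09:12:31 +0000] "GET /?unix:{PAD}|http://169.254.169.254/latest/meta-data/ '
    'HTTP/1.1" 503 299 "-" "python-requests/2.26"',
    f'203.0.113.11 - - [07/Dec/2021:09:13:02 +0000] "GET /app/?unix:{PAD}%7Chttp://127.0.0.1:8080/admin '
    'HTTP/1.1" 502 341 "-" "curl/7.79.1"',
    '198.51.100.20 - - [07/Dec/2021:09:14:00 +0000] "GET /app/index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.21 - - [07/Dec/2021:09:15:10 +0000] "POST /api/unix:socket HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A 502/503 on such a request does not mean the attempt failed: it only means the chosen origin did not answer in a way Apache could relay, and the BSI case shows that a reachable internal service can return real data. Treat a hit as confirmed exploitation attempt regardless of status, and check what the named origin would have served.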