CyberSecurity.PH #021

Dropbox breach; Threat blocklists; Government agencies not responsive to DICT cybersecurity; North Korean threat actors exploiting DMARC; DHCP options cause VPN apps to leak traffic; GitLab vulnerability; 45k+ vulnerable tinyproxy servers

💡
CyberSecurity.PH is growing quickly! We are eager to improve the cybersecurity outcomes for organizations in the Philippines with free weekly cybersecurity reports that matter, up-to-date cyber threat landscape reports and serious security-engineering highlights. Subscribe!

Philippines

DICT says most PH Government agencies fail to act on their Cybersecurity warnings

DICT has been operating network scanning tools and facilities since December 2023 to detect vulnerabilities and cybersecurity issues among Philippine government agencies; the responses and remediation have been “…very low compared to what we expect…” according to DICT undersecretary Jeffrey Ian Dy.

Dy said that the DICT's network scanning initiative has detected over 30,000 vulnerabilities after scanning the assets of over 800 agencies; however, just 55 of the 388 agencies have responded.

Further reading: PhilStar Global


Cybersecurity Threat Landscape

Weak DMARC policies abused by North Korean threat actors for social engineering attacks

US agencies have released a report detailing North Korean threat actors using weak DMARC policies to conduct spearphishing campaigns.

The threat campaigns pose as legitimate journalists, academics, or other experts in East Asian affairs with credible links to North Korean policy circles. North Korea leverages these spearphishing campaigns to collect intelligence on geopolitical events, adversary foreign policy strategies, and any information affecting North Korean interests by gaining illicit access to targets' private documents, research, and communications.

Further reading: The Record, Bleeping Computer, NSA.gov

Dropbox breach, passwords and authentication data accessed

Dropbox reported that a threat actor breached company systems on April 24 and gained access to data for the Dropbox Sign product.

Threat actors accessed information related to all users of Dropbox Sign, including account settings, names and emails. For some users, phone numbers, hashed passwords and authentication information like API keys, OAuth tokens and multi-factor authentication methods were also exposed.

Further reading: Dropbox, The Record, Bleeping Computer, The Register

A vulnerability in D-Link devices that was patched 10 years ago still has enough unpatched devices exposed to establish a serious botnet, which researchers have labeled “Goldoon”

The vulnerability (CVE-2015-2051) has low complexity but comes with critical security impact since it can allow threat actors to run code remotely on impacted D-Link devices.

Further reading: The Record, Fortinet


Cybersecurity Engineering

A weekly highlight on tools and other resources (often open-source) that we use, find useful or are just plain interesting; check out our engineering section online at CyberSecurity.PH too!

  • Poutine - a security scanner to detect misconfigurations and vulnerabilities in the CI/CD pipelines of a repository, supporting GitHub Actions and GitLab CI/CD - https://github.com/boostsecurityio/poutine
  • blocklistproject/Lists - a maintained list of DNS records associated with web applications and threats; useful in firewalls and routers to prevent access to certain web applications and common threat sources - https://github.com/blocklistproject/Lists
  • OFFAT - automatically tests APIs for common vulnerabilities after generating tests from an OpenAPI specification file; also provides features to automatically fuzz inputs specified via a YAML config file - https://github.com/OWASP/OFFAT

Cybersecurity Vulnerabilities

TunnelVision: Novel attack using rogue DHCP can cause VPN apps to leak traffic

It has been discovered that DHCP option 121 can be abused to install higher-priority routes that take precedence over those of VPN apps, causing those applications to leak traffic while users believe they are protected by the VPN.

DHCP option 121 is legitimate and useful in network configurations where devices need route information beyond the default route. The issue lies with VPN applications, which are generally unable to detect or prevent this abuse because it occurs in a way they cannot (yet) control.

Android OS ignores DHCP option 121 data, so if you use a VPN app on Android you have avoided the issue; everyone else will need to ensure their device only connects to layer-2 networks they control, such as a personal Wi-Fi hotspot.
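Because routing uses longest-prefix match, any option 121 route more specific than the VPN's catch-all route wins over the tunnel. The following is an added example (not code from the Leviathan Security research or the newsletter) that decodes the RFC 3442 classless-static-route encoding from a DHCP lease and flags the routes that would bypass a VPN; the option payload and the gateway 192.168.1.1 are constructed.

```python
import ipaddress
from typing import List, Tuple

Route = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address]

# Constructed DHCP option 121 payload from a hypothetical rogue server at 192.168.1.1:
#   0.0.0.0/0 via 192.168.1.1, 203.0.113.0/24 via 192.168.1.1, 128.0.0.0/1 via 192.168.1.1
SAMPLE_OPTION_121 = bytes.fromhex("00 c0a80101" "18 cb0071 c0a80101" "01 80 c0a80101")


def decode_option_121(payload: bytes) -> List[Route]:
    """Decode RFC 3442 routes: <prefix-len><significant destination octets><4-byte router>."""
    routes: List[Route] = []
    i = 0
    while i < len(payload):
        plen = payload[i]
        i += 1
        if plen > 32:
            raise ValueError(f"invalid prefix length {plen}")
        nbytes = (plen + 7) // 8            # only the significant octets are transmitted
        if i + nbytes + 4 > len(payload):
            raise ValueError("truncated route entry")
        dest = payload[i:i + nbytes] + b"\x00" * (4 - nbytes)
        i += nbytes
        router = ipaddress.IPv4Address(payload[i:i + 4])
        i += 4
        routes.append((ipaddress.IPv4Network((dest, plen), strict=False), router))
    return routes


def routes_overriding_vpn(routes: List[Route], vpn_prefixlen: int = 0) -> List[Route]:
    """Return the pushed routes that are more specific than the VPN's catch-all route.

    Use vpn_prefixlen=0 for a client that installs 0.0.0.0/0 and vpn_prefixlen=1 for a
    client that uses the 0.0.0.0/1 + 128.0.0.0/1 pair; anything longer is preferred by
    longest-prefix match, so traffic to those destinations leaves via the LAN gateway.
    """
    return [(net, gw) for net, gw in routes if net.prefixlen > vpn_prefixlen]


if __name__ == "__main__":
    for net, gw in routes_overriding_vpn(decode_option_121(SAMPLE_OPTION_121)):
        print(f"would bypass the VPN: {net} via {gw}")
```

Run against the option 121 bytes from your own client's lease (for example from the DHCP server logs or a packet capture) to see which destinations a given network is steering around the tunnel.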

Further reading: Leviathan Security, The Register, Krebs on Security

GitLab vulnerability allowing account hijack under active exploitation

GitLab (self-hosted) version 16.1.0, released May 1, 2023, introduced a feature that allows users to reset their GitLab account password using a different email address. A bug in this feature allows a specially crafted HTTP request to send the password reset link to an unverified, attacker-controlled email address, enabling unauthorized account takeover.

CISA has added this vulnerability (CVE-2023-7028) to its Known Exploited Vulnerabilities catalog, indicating the issue is being actively exploited; if you have not already patched you’re late, patch now!

Further reading: Gitlab, The Register, Arstechnica

45k+ Tinyproxy servers vulnerable to critical RCE vulnerability

A specially crafted HTTP header can trigger reuse of previously freed memory, leading to memory corruption and remote code execution; according to Talos, threat actors need only a single HTTP request to trigger the vulnerability.

According to Censys, approximately 57% of the 90k internet-accessible Tinyproxy instances observed are running vulnerable versions.

The report from Talos includes proof-of-exploit code.

Further reading: Bleeping Computer, The Hacker News, Dark Reading


Got news or something you’d like us to mention, feel free to get in contact - [email protected]
