Adam Bannister, 27 January 2023 at 16:48 UTC
Updated: 27 February 2023 at 15:33 UTC
This is your bi-weekly summary of application security vulnerabilities, emerging hacking methods, and the latest cybersecurity updates.
“According to 93% of cybersecurity professionals and 86% of business leaders surveyed, a significant catastrophic cyber incident is likely within the next two years,” said the World Economic Forum (WEF).
The WEF’s Global Cybersecurity Outlook 2023 report, which gathered insights from 300 experts and executives, highlighted that geopolitical instability coupled with the ongoing shortage of cybersecurity professionals is leading many organizations to reconsider their operations in specific areas.
Meanwhile, alarming cyber attacks and breaches continue to make the news. Recently, T-Mobile confirmed another significant breach, this one affecting 37 million customers; Riot Games received a $10 million ransom demand following the theft of its source code; and an airline exposed a 2019 copy of the US government’s No Fly List of suspected terrorists.
The LastPass situation has also continued to develop since its November breach: in another update on the incident, the company recently acknowledged that “a threat actor obtained encrypted backups from a third-party cloud service”.
Competitors are looking to expand their market share at LastPass’s expense, as the incident brings unprecedented scrutiny to a once highly regarded product category. The Daily Swig recently reported that several password managers were found to auto-fill credentials on insecure sites, and Bitwarden has tightened its security settings in response to renewed criticism.
Also noteworthy since the last edition of Deserialized are the findings of a comprehensive security audit of Git’s codebase.
Here are some more web security stories and cybersecurity news that have caught our attention over the past two weeks:
Web vulnerabilities
| Product | Severity | Summary | Disclosure |
|---|---|---|---|
| OpenText | Critical | Pre-auth RCEs via cs.exe and the Java front end, plus multiple post-authentication vulnerabilities | Disclosed with patch January 17 |
| Rancher API | Critical | A patch issued in September 2022 failed to prevent sensitive information from being stored in plaintext directly on Kubernetes objects such as Clusters | Disclosed and patched January 26 |
| Tiki Wiki CMS | Critical | Unauthenticated attackers could execute arbitrary code by combining CSRF with PHP object injection in the widely used open-source CMS | Patched August 23, disclosed January 9 |
| VMware vRealize Log Insight | Critical | Directory traversal, broken access control, deserialization, and information disclosure vulnerabilities | Disclosed with patch January 24 |
| Zoho ManageEngine | Critical | A public proof of concept and active exploitation of this RCE in on-premise ManageEngine products make prompt patching essential | Disclosed and patched October 27 |
Research and attack techniques
- Vulnerabilities in the popular open-source health records and medical practice management platform OpenEMR allowed remote attackers to execute arbitrary system commands and access sensitive patient data – worse still, they opened the door to remote code execution (as reported by Sonar)
- Jerry Shah shares the story of discovering an API misconfiguration on a SwaggerUI endpoint via an unnamed web application in a private bug bounty initiative, which leaked the authorization token from local storage
- ChatGPT lowers the barrier of entry for less technically skilled threat actors, but state-sponsored attackers may not benefit from this sophisticated chatbot according to Recorded Future
- Maksym Yaremchuk, ranked 80th on HackerOne’s all-time leaderboard, describes two high-severity account takeover exploits uncovered during a private bug bounty engagement
- GitHub researcher Man Yue Mo achieved arbitrary kernel code execution and root access on a Google Pixel 6 from an Android application
Bug bounty / vulnerability disclosure
- Security researchers are now able to mathematically demonstrate the existence of software vulnerabilities without disclosing details that could be exploited, according to a recent New Scientist feature (paywall)
- Intigriti has published a blog post discussing the safe harbor clause introduced by the Belgian Act on the Protection of Whistleblowers for researchers
- The Daily Swig also provided insights on the upcoming third annual Hack The Pentagon challenge, CORS misconfigurations at Tesla, and other unnamed programs that have yielded researchers “thousands of dollars”, alongside more than $22,000 from Google Cloud Platform vulnerabilities this year
- Recent write-ups include a reported $3,000 bounty received for a reflected XSS vulnerability found in Microsoft Forms, while Bug Bounty Switzerland’s inaugural ‘vulnerability of the month’ focused on thousands of exposed appliances through a time-sensitive private initiative
- Bug hunter interviews featuring British hacker and YouTuber ‘InsiderPhD’ and ‘TodayIsNew’ have been shared by HackerOne and Bugcrowd respectively
New open-source infosec/hacking tools
- Gato – the GitHub Attack Toolkit assesses the impact of a compromised personal access token within a GitHub environment. It also helps track down public repositories that use self-hosted runners; GitHub recommends that self-hosted runners be confined to private repositories, since on a public repository a pull request can run untrusted code on the runner
- Highlighter And Extractor (HaE) – A newly launched Burp Suite extension by YesWeHack that collects, categorizes, and highlights requests/responses to improve detection of vulnerable code patterns, errors, reflections, etc., through a non-intrusive enumeration process
- PyCript – Another Burp Suite extension that enables bypassing client-side encryption utilizing custom logic for manual and automated testing with Python and NodeJS
- SeeProxy – A Golang redirect proxy with validation support for Cobalt Strike malleable profiles
- CVE-2022-47966 Scanner – A tool to evaluate exposure to the critical RCE vulnerability identified in numerous on-premise ManageEngine products, which are actively being exploited
More industry news
- NIST is exploring potential updates to the NIST Cybersecurity Framework and welcomes feedback from the infosec community as detailed in this concept paper (PDF)
- In other news from US federal agencies, the NSA has released guidance on IPv6 security (PDF), while CISA has updated its best practices document for the MITRE ATT&CK framework (PDF). CISA, NSA, and MS-ISAC have also jointly warned about the malicious use of legitimate remote monitoring and management (RMM) software (PDF)
- Google has documented the progress made in implementing randomization of DNS query names sent to authoritative nameservers to defend against cache poisoning attacks
- Google is following through on its decision to remove TrustCor Systems as a root certificate authority (CA) in Chrome, and has now officially confirmed a timeline for when Chrome will stop trusting its certificates
- A report from Check Point indicates a 48% year-over-year increase in cloud-based cyber-attacks, as attackers exploit the opportunities created by digital transformation
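As an added illustration of the query-name randomization in the Google item above (example code written for this page, not code from the article or from Google Public DNS): the technique randomizes the case of the letters in the query name, often called 0x20 encoding, and rejects any answer that does not echo the exact case pattern back. The resolver key, transaction id, name and the HMAC-derived case pattern below are constructed sample values and an assumed design choice, not Google's implementation.

```python
import hashlib
import hmac

# Constructed sample values (not from the article): a resolver secret and a transaction id.
RESOLVER_KEY = b"resolver-secret-example"
TXN_ID = 0x1234


def randomize_case(qname: str, key: bytes, qid: int) -> str:
    """Return qname with each letter's case chosen by a keyed pseudo-random bit pattern.

    DNS names compare case-insensitively, so an authoritative server answers
    with the name exactly as it was queried. The resolver treats the case
    pattern as extra entropy that a blind spoofer would have to guess.
    """
    msg = qid.to_bytes(2, "big") + qname.lower().encode("ascii")
    mask = hmac.new(key, msg, hashlib.sha256).digest()  # 256 bits covers any legal name
    out, bit = [], 0
    for ch in qname:
        if ch.isalpha():
            byte_idx, bit_off = divmod(bit, 8)
            flip = (mask[byte_idx] >> bit_off) & 1
            out.append(ch.upper() if flip else ch.lower())
            bit += 1
        else:
            out.append(ch)
    return "".join(out)


def response_accepted(sent_qname: str, answer_qname: str) -> bool:
    """Resolver-side check: the question name echoed in the answer must match byte-for-byte."""
    return sent_qname == answer_qname


def extra_entropy_bits(qname: str) -> int:
    """Number of letters in the name; each adds one bit a blind spoofer must guess."""
    return sum(1 for ch in qname if ch.isalpha())


if __name__ == "__main__":
    sent = randomize_case("www.example.com.", RESOLVER_KEY, TXN_ID)
    print("query sent as:", sent)
    # A genuine answer echoes the name unchanged; a spoofed one that guesses wrong is dropped.
    print("genuine answer accepted:", response_accepted(sent, sent))
    print("wrong-case answer accepted:", response_accepted(sent, sent.swapcase()))
    print("extra guesswork for a spoofer: 2^%d" % extra_entropy_bits(sent))
```

The case bits add to, rather than replace, the transaction id and source port randomization a resolver already uses; short names such as a bare TLD contribute few extra bits, which is why the technique is a defence in depth rather than a complete fix.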
PREVIOUS EDITION: Deserialized web security roundup – Findings on Slack and Okta breaches, and a report on insecure US government passwords
Based on an article from portswigger.net: https://portswigger.net/daily-swig/deserialized-web-security-roundup-catastrophic-cyber-events-another-t-mobile-breach-more-lastpass-problems