Adam Bannister, 27 January 2023 at 16:48 UTC
Updated: 27 February 2023 at 15:33 UTC
We bring you a comprehensive update on the latest AppSec vulnerabilities, innovative hacking techniques, and key developments in cybersecurity.
According to a recent survey by the World Economic Forum (WEF), 93% of cybersecurity experts and 86% of business leaders anticipate that a significant cyber event is highly probable within the next two years.
Factors contributing to this grim outlook include ongoing geopolitical unrest and a persistent deficiency in cybersecurity expertise, as revealed in the WEF’s Global Cybersecurity Outlook 2023 report, which surveyed 300 specialists and executives.
In the meantime, severe cyberattacks and data breaches keep coming. Recently, T-Mobile reported a major breach affecting 37 million customers, a $10 million ransom demand was made to Riot Games after attackers stole game source code, and an unsecured airline server exposed the US government’s 2019 No Fly List.
The situation surrounding LastPass remains in flux following breaches of its password vaults in November, with recent updates indicating that “encrypted backups were exfiltrated by a threat actor from a third-party cloud storage service”.
While competing services may look to capitalize on LastPass’s damaged reputation, the incident has brought unprecedented scrutiny to a product category that was previously held in high regard. The Daily Swig has also highlighted popular password managers auto-filling credentials on untrusted websites, and Bitwarden has responded to criticism of its encryption practices by raising the default number of PBKDF2 iterations used to derive the vault key.
We also reported on a fruitful security audit of Git’s source code, another notable story since the last edition of Deserialized.
Here are additional web security topics and cybersecurity stories that drew our attention over the past two weeks:
Web Vulnerabilities
- OpenText / Critical / Multiple pre-authentication RCEs via cs.exe and Java frontend plus multiple post-authentication vulnerabilities / Disclosed with patch January 17
- Rancher API / Critical / A patch released in September 2022 failed to secure secrets, encryption keys, and SSH keys stored in plaintext directly on Kubernetes objects like Clusters / Disclosed and patched January 26
- Tiki Wiki CMS Groupware / Critical / Unauthenticated attackers could execute arbitrary code by combining CSRF with PHP object injection in the popular open-source wiki-based CMS / Patched August 23, disclosed January 9
- VMware vRealize Log Insight / Critical / Several vulnerabilities including directory traversal, broken access control, deserialization, and information disclosure / Disclosed with patch January 24
- Zoho ManageEngine / Critical / A public PoC and reports of in-the-wild exploitation have made it urgent to patch on-premise Zoho ManageEngine products against this RCE vulnerability (CVE-2022-47966) / Disclosed and patched October 27
Research and Attack Techniques
- Chaining vulnerabilities in the widely used electronic health records platform OpenEMR allowed remote attackers to execute arbitrary system commands on the server and access sensitive patient information (courtesy of Sonar)
- Jerry Shah recounts the discovery of an API misconfiguration on a SwaggerUI endpoint that leaked authorization tokens from local storage in a private bug bounty program
- ChatGPT lowers the entry threshold for individuals with limited programming skills to engage in cybercrime, though state-sponsored actors may not achieve operational efficiencies using the sophisticated chatbot, according to Recorded Future
- Maksym Yaremchuk, ranked 80th on HackerOne’s all-time leaderboard, details a pair of critical account takeover exploits discovered during a private bug bounty engagement
- Man Yue Mo from GitHub achieved arbitrary kernel code execution and root access on a Google Pixel 6 through an Android application
Bug Bounty / Vulnerability Disclosure
- New research indicates that security specialists can mathematically prove software vulnerabilities without revealing details that could be maliciously exploited, as discussed in a recent feature by New Scientist (paywall)
- Intigriti shared a blog post regarding the safe harbor provisions for researchers established by Belgian whistleblower protection laws
- The upcoming third edition of the Hack The Pentagon challenge was recently reported by The Daily Swig alongside details of Google Cloud Platform (GCP) project vulnerabilities that earned researchers over $22,000
- Other notable writeups include a $3,000 bounty for a reflected XSS vulnerability in Microsoft Forms. The inaugural ‘vulnerability of the month’ from Bug Bounty Switzerland deals with a limited-time private program affecting thousands of exposed appliances.
- Interviews with prominent hackers such as ‘InsiderPhD’ and ‘TodayIsNew’ have been published by HackerOne and Bugcrowd, respectively.
New Open Source Infosec/Hacking Tools
- Gato – A GitHub Attack Toolkit for assessing the impact of a compromised access token within a GitHub development environment. Among other things, it enumerates public repositories that use self-hosted runners, a configuration GitHub advises against because anyone who can open a pull request against a public repository may be able to run code on the runner.
- Highlighter And Extractor (HaE) – A new Burp Suite extension aimed at helping detect vulnerable code patterns and errors through passive enumeration.
- PyCript – A Burp Suite extension that facilitates bypassing client-side encryption through custom logic for both manual and automated testing using Python and NodeJS.
- SeeProxy – A Golang reverse proxy that validates CobaltStrike malleable profiles.
- CVE-2022-47966 Scanner – A tool for assessing exposure to the critical RCE vulnerability affecting a variety of on-premise ManageEngine products.
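The Gato item above turns on one configuration smell: a workflow that runs on a self-hosted runner and can be triggered by an outside contributor. The script below is an added example (not Gato’s code, and not from the original roundup) that audits workflow YAML for exactly that combination. It uses a deliberately simple line-based reader rather than a YAML library, which also sidesteps the YAML 1.1 quirk where PyYAML parses the top-level `on:` key as the boolean `True`. The three workflow files and the list of GitHub-hosted labels are constructed for the example; the hosted-label set is an illustrative subset, so a label that is not in it is treated as self-hosted, which is the conservative reading but will also flag GitHub’s larger runners with custom names.

```python
import re

# Assumption: an illustrative subset of the labels GitHub's own hosted runners use.
# Any other label in runs-on is treated as self-hosted (custom labels imply a
# self-hosted runner, with the caveat that GitHub larger runners also use custom names).
GITHUB_HOSTED = {
    "ubuntu-latest", "ubuntu-22.04", "ubuntu-20.04",
    "windows-latest", "windows-2022", "windows-2019",
    "macos-latest", "macos-13", "macos-12", "macos-11",
}
# Events an outside contributor can fire against a public repository from a fork.
FORK_TRIGGERS = {"pull_request", "pull_request_target"}

_RUNS_ON = re.compile(r"^\s*runs-on:\s*(.*?)\s*$")
_LIST_ITEM = re.compile(r"^\s*-\s+(.+?)\s*$")
_ON = re.compile(r"^on:\s*(.*?)\s*$")          # top-level 'on:' only
_SECOND_LEVEL_KEY = re.compile(r"^  ([A-Za-z_]+):")  # keys indented exactly two spaces


def _split_inline(value):
    """'[a, b]' or 'a' -> ['a', 'b'] / ['a'], quotes stripped."""
    return [v.strip().strip("'\"") for v in value.strip("[]").split(",") if v.strip()]


def _parse_runs_on(value, rest):
    """Labels from an inline scalar, an inline [a, b] list, or a block list on later lines."""
    value = value.strip()
    if value.startswith("["):
        return _split_inline(value)
    if value:
        return [value.strip("'\"")]
    labels = []
    for line in rest:
        m = _LIST_ITEM.match(line)
        if not m:
            break
        labels.append(m.group(1).strip("'\""))
    return labels


def classify_runner(labels):
    """'hosted', 'self-hosted', or 'dynamic' (resolved from matrix/inputs; check by hand)."""
    if any("${{" in label for label in labels):
        return "dynamic"
    if "self-hosted" in labels or any(label not in GITHUB_HOSTED for label in labels):
        return "self-hosted"
    return "hosted"


def parse_triggers(lines):
    """Event names under the top-level 'on:' key, inline or block form."""
    triggers = set()
    for i, line in enumerate(lines):
        m = _ON.match(line)
        if not m:
            continue
        if m.group(1):                       # on: push   /   on: [push, pull_request]
            return set(_split_inline(m.group(1)))
        for nxt in lines[i + 1:]:            # block form: read second-level keys
            if not nxt.strip():
                continue
            if not nxt.startswith(" "):      # next top-level key ends the block
                break
            k = _SECOND_LEVEL_KEY.match(nxt)
            if k:
                triggers.add(k.group(1))
        return triggers
    return triggers


def audit_workflow(text):
    """Summarise runner kinds and whether a fork-triggerable event reaches a non-hosted runner."""
    lines = text.splitlines()
    triggers = parse_triggers(lines)
    jobs = []
    for i, line in enumerate(lines):
        m = _RUNS_ON.match(line)
        if m:
            labels = _parse_runs_on(m.group(1), lines[i + 1:])
            jobs.append({"labels": labels, "kind": classify_runner(labels)})
    exposed = any(j["kind"] != "hosted" for j in jobs) and bool(triggers & FORK_TRIGGERS)
    return {"triggers": triggers, "jobs": jobs, "fork_exposed": exposed}


# Constructed sample workflows (not taken from any real repository).
WORKFLOW_CI = """\
name: CI
on: [push, pull_request]
jobs:
  build:
    runs-on: [self-hosted, linux]
    steps:
      - uses: actions/checkout@v3
      - run: make test
"""

WORKFLOW_RELEASE = """\
name: Release
on:
  push:
    tags: ['v*']
  workflow_dispatch:
jobs:
  publish:
    runs-on:
      - self-hosted
      - gpu
    steps:
      - run: ./publish.sh
"""

WORKFLOW_LINT = """\
name: Lint
on:
  pull_request:
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - run: npm run lint
"""

if __name__ == "__main__":
    for name, wf in [("ci", WORKFLOW_CI), ("release", WORKFLOW_RELEASE), ("lint", WORKFLOW_LINT)]:
        print(name, audit_workflow(wf))
```

Only the first workflow is flagged: it runs on a self-hosted runner and `pull_request` lets a fork trigger it. The release workflow also uses a self-hosted runner but can only be fired by a tag push or manual dispatch, so it is reported without the exposure flag. Whether a fork’s `pull_request` run actually starts without approval depends on the repository’s "require approval for all outside collaborators" setting, which this check cannot see, so treat a flagged workflow as something to confirm in the repository settings rather than as a finding on its own.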
More Industry News
- NIST is seeking feedback on potential updates (PDF) to the NIST Cybersecurity Framework.
- In other US federal agency updates, the NSA has released IPv6 security guidance (PDF), CISA has provided updated best practices for mapping to the MITRE ATT&CK Framework (PDF), and a joint warning has been issued regarding the malicious use of legitimate RMM software.
- Google Public DNS is pushing ahead with case randomization of DNS query names (the ‘0x20’ technique) to make cache poisoning attacks harder: authoritative servers echo the question name back case-for-case, so a resolver that randomizes the case of each letter gains roughly one extra bit of entropy per letter that a blind attacker forging responses has to guess, on top of the transaction ID and source port.
- Additionally, Google has confirmed plans to disengage from TrustCor Systems as a root certificate authority, thereby establishing a timeline for discontinuing recognition of its certificates.
- Cloud-based cyber-attacks surged by 48% year-over-year as malicious actors exploit opportunities in the rapidly changing digital landscape, as per a Check Point report.
PREVIOUS EDITION Deserialized web security roundup – Slack and Okta breaches, lax US government passwords report, and more
Based on an article from portswigger.net: https://portswigger.net/daily-swig/deserialized-web-security-roundup-catastrophic-cyber-events-another-t-mobile-breach-more-lastpass-problems