News Items

  • news

    "Microsoft Reclassifies Windows Flaw After IBM Researcher Proves Remote Code Execution"

    Microsoft has reclassified a Windows vulnerability after an IBM security researcher demonstrated that it can be exploited for remote code execution. In September, Microsoft announced that Windows and Windows Server updates patched CVE-2022-37958, an issue in the SPNEGO Extended Negotiation (NEGOEX) security mechanism, which clients and servers use to negotiate an authentication protocol. The vulnerability was reported by an anonymous researcher, and at the time it appeared to lead only to information disclosure, so Microsoft assigned it an "important" rating. With its December 2022 Patch Tuesday updates, however, Microsoft also updated the advisory for CVE-2022-37958, raising its rating to "critical" and warning that it can be exploited for remote code execution. Microsoft noted that the advisory and rating were updated after IBM Security X-Force Red researcher Valentina Palmiotti showed that the flaw is in fact critical: it can be exploited by an unauthenticated attacker for remote code execution, it affects a wide range of protocols, it requires no user interaction, and it is potentially wormable. IBM stated that an attacker could reach the NEGOEX code path through any Windows application protocol that authenticates, such as Server Message Block (SMB) or Remote Desktop Protocol (RDP), which negotiate authentication through SPNEGO by default. IBM added that this list of affected protocols is not complete: the flaw may be reachable wherever SPNEGO is in use, including in Simple Mail Transfer Protocol (SMTP) and Hypertext Transfer Protocol (HTTP) when SPNEGO authentication negotiation is enabled, for example for Kerberos or Net-NTLM authentication.
    IBM compared CVE-2022-37958 to CVE-2017-0144, the vulnerability exploited by the NSA-linked EternalBlue exploit, but said the new flaw has a broader scope and could affect a wider range of systems because of the larger attack surface of services exposed on internal networks or the internet. IBM noted that exploitation may require multiple attempts, and Microsoft's advisory likewise states that "the successful exploitation of this vulnerability requires an attacker to prepare the target environment to improve exploit reliability." Because the fix itself shipped with the September 2022 updates, organizations that applied them are already protected; the December change is to the advisory's severity rating, not a new patch, so the practical action is to confirm that the September updates are installed on every Windows host that accepts authenticated connections.
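
The exposure described above is a property of the negotiation itself: any service that accepts SPNEGO can be offered NEGOEX as a mechanism. The following added example (written for this page, not code from IBM, Microsoft or the advisory) is a minimal DER walker that takes the GSS-API initial context token a client sends, such as the base64 value of an HTTP "Authorization: Negotiate" header or the security blob in an SMB Session Setup, and lists the mechanism OIDs it offers, so a defender can see where NEGOEX is actually being negotiated on the wire. The OIDs are the standard assigned identifiers; the sample token is constructed by the encoder in the block and is not a capture.

```python
"""Added example: list the mechanisms a SPNEGO NegTokenInit offers.

Minimal DER walker for the GSS-API InitialContextToken (RFC 2743) wrapping a
SPNEGO NegTokenInit (RFC 4178).  Only the mechTypes list is extracted; other
fields (reqFlags, mechToken, mechListMIC) are ignored.  The sample token is
constructed, not captured.
"""
import base64

OID_SPNEGO = "1.3.6.1.5.5.2"
OID_NEGOEX = "1.3.6.1.4.1.311.2.2.30"   # Extended Negotiation (MS-NEGOEX)
OID_NTLMSSP = "1.3.6.1.4.1.311.2.2.10"
OID_MSKRB5 = "1.2.840.48018.1.2.2"
OID_KRB5 = "1.2.840.113554.1.2.2"
MECH_NAMES = {OID_NEGOEX: "NEGOEX", OID_NTLMSSP: "NTLMSSP",
              OID_MSKRB5: "MS KRB5", OID_KRB5: "KRB5"}


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, body):
    """Encode one DER TLV."""
    return bytes([tag]) + _der_len(len(body)) + body


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:                  # base-128, high bit set on all but last byte
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))


def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def read_tlv(buf, pos=0):
    """Return (tag, value, position after the element) for the TLV at pos."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def spnego_mech_types(token):
    """Return the dotted OIDs in the token's mechTypes list, in offered order."""
    tag, body, _ = read_tlv(token)
    if tag != 0x60:                       # [APPLICATION 0] InitialContextToken
        raise ValueError("not a GSS-API initial context token")
    tag, oid, pos = read_tlv(body)
    if tag != 0x06 or decode_oid(oid) != OID_SPNEGO:
        raise ValueError("outer mechanism is not SPNEGO")
    tag, neg, _ = read_tlv(body, pos)
    if tag != 0xA0:                       # [0] negTokenInit (0xA1 would be negTokenResp)
        raise ValueError("not a NegTokenInit")
    _, init, _ = read_tlv(neg)            # NegTokenInit SEQUENCE
    tag, ctx0, _ = read_tlv(init)
    if tag != 0xA0:                       # [0] mechTypes
        raise ValueError("mechTypes missing")
    _, mech_list, _ = read_tlv(ctx0)      # SEQUENCE OF MechType
    oids, pos = [], 0
    while pos < len(mech_list):
        _, oid, pos = read_tlv(mech_list, pos)
        oids.append(decode_oid(oid))
    return oids


def offers_negoex(token):
    return OID_NEGOEX in spnego_mech_types(token)


def mechs_from_negotiate_header(header):
    """Names of the mechanisms in an HTTP 'Authorization: Negotiate <base64>' value."""
    scheme, _, b64 = header.strip().partition(" ")
    if scheme.lower() != "negotiate":
        raise ValueError("not a Negotiate header")
    return [MECH_NAMES.get(o, o) for o in spnego_mech_types(base64.b64decode(b64))]


def to_negotiate_header(token):
    return "Negotiate " + base64.b64encode(token).decode()


def build_neg_token_init(mechs):
    """Constructed test token: a SPNEGO NegTokenInit carrying only mechTypes."""
    mech_list = der(0x30, b"".join(encode_oid(m) for m in mechs))
    init = der(0x30, der(0xA0, mech_list))
    return der(0x60, encode_oid(OID_SPNEGO) + der(0xA0, init))


if __name__ == "__main__":
    tok = build_neg_token_init([OID_NEGOEX, OID_MSKRB5, OID_NTLMSSP])
    print(mechs_from_negotiate_header(to_negotiate_header(tok)))
    print("NEGOEX offered:", offers_negoex(tok))
```

Run against tokens pulled from a capture, `offers_negoex` tells you which of your services are actually exposed to NEGOEX negotiation from unauthenticated clients; that is the population to prioritize when confirming the September 2022 updates are installed.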

    SecurityWeek reports: "Microsoft Reclassifies Windows Flaw After IBM Researcher Proves Remote Code Execution"

  • news

    "OECD Signs Landmark Privacy Agreement"

    The OECD recently published a new transnational agreement that it says will help safeguard user privacy when data is accessed for national security and law enforcement purposes. The "OECD Declaration on Government Access to Personal Data Held by Private Sector Entities" clarifies how member countries' security and policing agencies can access such data under existing legal frameworks. It is designed to improve trust in cross-border data flows, which are key to global economic growth. OECD secretary-general Mathias Cormann stated that the ability to transfer data across borders is fundamental in the digital era for everything from social media use to international trade and cooperation on global health issues. Yet, without common principles and safeguards, sharing personal data across jurisdictions raises privacy concerns, particularly in sensitive areas such as national security. Cormann noted that the agreement formally recognizes that OECD countries uphold common standards and safeguards, and said it will help enable data flows between rule-of-law democracies with the safeguards needed for individuals' trust in the digital economy and for mutual trust among governments regarding their citizens' personal data. The agreement was signed by the 38 OECD countries, including the US and UK, as well as the EU, and is open to others to join. It is unclear whether it will help smooth the increasingly fraught relationship between the EU and US over cross-border data transfers: European courts have struck down previous agreements between the two over concerns that EU citizens' privacy cannot be guaranteed given intrusive US state surveillance.

    Infosecurity reports: "OECD Signs Landmark Privacy Agreement"

  • news

    "IMDEA Software Creates a Tool Capable of Tracking Cybercrime Financial Transactions in Bitcoin"

    Researchers at IMDEA Software, Gibran Gomez, Pedro Moreno-Sanchez, and Juan Caballero, have developed an open-source automated tool to track the financial links of malicious entities abusing Bitcoin, and have tested it on 30 malware families. They presented their research in "Watch Your Back: Identifying Cybercrime Financial Relationships in Bitcoin through Back-and-Forth Exploration." The digital environment is plagued by cybercrime: scams, phishing, identity theft, personal data theft, and computer fraud are only a few of the illegal activities conducted over networks. Blockchain technology and cryptocurrencies such as Bitcoin have drawn the interest of cybercriminals, who use them as a means of payment and even as storage for unlawful purposes. With this in mind, the researchers examined over 7,500 Bitcoin addresses belonging to 30 malware families, including ransomware, clippers, sextortion campaigns, and information stealers. The primary advantage of the back-and-forth exploration strategy used in the study is that it enables recursive tracking of all transactions involving a Bitcoin address in both directions. If an address receives cryptocurrency from another address and then forwards it to a third, the entire path of the funds can be traced starting from either the first or the last address. According to Gomez, one of the tool's main benefits is that a user can transparently reproduce the entire process, so the results can be verified. Besides serving Bitcoin users, the tool could be particularly useful for law enforcement agencies, since it lets them identify routes between malicious addresses and deposit addresses belonging to financial entities subject to Know Your Customer (KYC) rules. For example, the National Police could use such routes as evidence to obtain a court order requiring an exchange to hand over the personal identifying data associated with the addresses involved, and thus learn who the ultimate recipients of the unlawfully obtained funds are. This article continues to discuss the open-source automated tool developed by IMDEA Software researchers to track the financial relationships of malicious entities that abuse Bitcoin technology.
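
The back-and-forth idea in the two preceding paragraphs is easiest to see on a small graph. The block below is an added example written for this page, not the IMDEA tool itself: it runs a breadth-first walk from seed addresses, following funds forward (outputs of transactions the address spent) and backward (inputs of transactions that paid the address), and stops expanding at addresses tagged as belonging to KYC-regulated services, recording the route that reached each of them. The ledger, the address names and the exchange tags are all constructed; real work would read transactions from a node or an indexer and take tags from a curated list.

```python
"""Added example: back-and-forth exploration over a toy transaction graph.

Starting from seed addresses attributed to a malware family, walk the graph
forward (where the funds went) and backward (who funded them), recursively,
and stop at addresses tagged as belonging to KYC-regulated services.  The
ledger below is constructed for illustration, not real Bitcoin data.
"""
from collections import defaultdict, deque

LEDGER = [  # constructed: txid, input addresses (spent), output addresses (paid)
    {"txid": "tx01", "inputs": ["victim-A"], "outputs": ["ransom-1"]},
    {"txid": "tx02", "inputs": ["victim-B"], "outputs": ["ransom-1"]},
    {"txid": "tx03", "inputs": ["ransom-1"], "outputs": ["hop-1", "ransom-change"]},
    {"txid": "tx04", "inputs": ["hop-1"], "outputs": ["exchange-dep-X"]},
    {"txid": "tx05", "inputs": ["ransom-change"], "outputs": ["ransom-2"]},
    {"txid": "tx06", "inputs": ["ransom-2"], "outputs": ["exchange-dep-Y"]},
    {"txid": "tx07", "inputs": ["exchange-hot-Z"], "outputs": ["victim-A"]},
    {"txid": "tx08", "inputs": ["victim-B"], "outputs": ["ransom-other"]},
]
# Constructed tags: deposit/withdrawal addresses of regulated exchanges.
TAGS = {"exchange-dep-X": "ExchangeX", "exchange-dep-Y": "ExchangeY",
        "exchange-hot-Z": "ExchangeZ"}


def index_ledger(ledger):
    """addr -> txs where it is an input (spent) and addr -> txs where it is an output."""
    spent_in, received_in = defaultdict(list), defaultdict(list)
    for tx in ledger:
        for a in tx["inputs"]:
            spent_in[a].append(tx)
        for a in tx["outputs"]:
            received_in[a].append(tx)
    return spent_in, received_in


def explore(seeds, ledger, tags, max_hops=6):
    """Breadth-first back-and-forth walk from the seed addresses.

    Returns (routes, related): routes maps each tagged address reached to the
    shortest path (alternating addresses and txids) from a seed; related is the
    set of untagged addresses discovered on the way.  Tagged addresses are
    recorded but never expanded: walking through an exchange would pull in the
    unrelated funds of its other customers.
    """
    spent_in, received_in = index_ledger(ledger)
    queue = deque((s, (s,)) for s in seeds)
    seen, routes = set(seeds), {}
    while queue:
        addr, path = queue.popleft()
        if addr in tags:
            routes[addr] = path
            continue
        if (len(path) - 1) // 2 >= max_hops:
            continue
        candidates = []
        for tx in spent_in[addr]:        # forward: outputs of txs this address funded
            candidates += [(o, path + (tx["txid"], o)) for o in tx["outputs"]]
        for tx in received_in[addr]:     # backward: inputs of txs that paid this address
            candidates += [(i, path + (tx["txid"], i)) for i in tx["inputs"]]
        for nxt, p in candidates:
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, p))
    return routes, seen - set(tags)


def format_route(path, tags):
    """Reproducible chain of evidence for one route, ending at the tagged service."""
    return " -> ".join(path) + f"  [{tags[path[-1]]}]"


if __name__ == "__main__":
    routes, related = explore(["ransom-1"], LEDGER, TAGS)
    for path in routes.values():
        print(format_route(path, TAGS))
    print("related addresses:", sorted(related))
```

On the constructed ledger the walk from ransom-1 reaches two deposit addresses (through hop-1 and through the change output) and, going backward through victim-A, the exchange the victim bought coins from; it also surfaces ransom-other, which shares a victim with the seed and would not be found by a forward-only trace. The recorded path is exactly the artefact the article describes as evidence: anyone with the same ledger can replay it.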

    IMDEA reports "IMDEA Software Creates a Tool Capable of Tracking Cybercrime Financial Transactions in Bitcoin"

  • news

    "Two-Thirds of Security Pros Have Burnt Out in Past Year"

    Security researchers at Promon have discovered that two-thirds of cybersecurity professionals have suffered burnout over the past year due to work-related stress. The researchers polled over 300 information security pros at this year's Black Hat Europe expo in London to better understand the mental health of those working in the industry. The researchers noted that of those who reported burnout, the largest group (50%) cited workload as their biggest source of stress. The researchers found that 51% of responding cybersecurity professionals are working more than four hours per week over their contracted hours, with nearly a fifth working more than 10 hours over. The researchers noted that the next biggest sources of stress cited by respondents were management issues (19%), difficult relationships with colleagues (12%), inadequate access to the required tools (11%), and being underpaid (7%). The researchers stated that although mental health is becoming less taboo, it remains off-limits for many professionals. Nearly two-fifths (37%) of respondents said they didn't feel comfortable talking about it with their employer, while a quarter (26%) claimed their workplace does not offer sufficient mental health support. A further 21% said they don't even know if their employer offers any support. The researchers noted that over two-fifths (41%) of those polled said they have considered moving jobs in the past year as a result of burnout. That's bad news for an industry already struggling with skills shortages.

    Infosecurity reports: "Two-Thirds of Security Pros Have Burnt Out in Past Year"

  • news

    "Hackers Leak Personal Info Allegedly Stolen From 5.7M Gemini Users"

    Customers of the Gemini cryptocurrency exchange have been targeted in phishing campaigns after a threat actor obtained their personal information from a third-party vendor. The news follows several posts on hacker forums offering for sale a database allegedly from Gemini, containing phone numbers and email addresses belonging to 5.7 million of the exchange's customers. Gemini's product security team issued an alert stating that an unnamed third-party vendor experienced an incident that allowed an unauthorized actor to collect email addresses and partial phone numbers belonging to some Gemini customers, and that customers received phishing emails as a result. The attacker's objective has not been disclosed, although access to accounts and financial information is normally what such threat actors are after. Gemini emphasized that its systems and account information were not compromised and that funds and customer accounts "remain secure." The first attempt to monetize the database appeared in September; its author did not say how current the data was but asked for 30 bitcoins. Another post followed in October under a different alias, claiming the data dated from September, and in mid-November a further post under yet another account offered databases from several cryptocurrency exchanges, including one from Gemini that allegedly held the same type of information for millions of customers. This article continues to discuss the exposure of 5.7 million Gemini users' personal information due to the third-party incident.

    Bleeping Computer reports "Hackers Leak Personal Info Allegedly Stolen From 5.7M Gemini Users"

  • news

    "GitHub Brings Free Secret Scanning to All Public Repos"

    Developers know that hardcoding credentials into source code is a bad idea, but it still happens, and the consequences can be severe. Previously, GitHub offered its secret scanning service only to paying customers of GitHub Advanced Security; the company is now making it free for all public GitHub repositories. In 2022, GitHub notified partners in its secret scanning partner program of more than 1.7 million potential secrets exposed in public repositories. The service checks repositories against more than 200 known token formats and alerts the issuing partner to suspected leaks; users can also define their own regular-expression patterns. With the new feature enabled, GitHub alerts repository owners directly when secrets in their source code are exposed. The feature must be turned on in a repository's security settings, and it is being rolled out gradually, so it is not expected to reach all users until the end of January 2023. Because anything pushed to a public repository may already have been copied, a detected secret should be revoked and rotated rather than simply removed from the code. This article continues to discuss GitHub making its secret scanning service available to all public repositories on the code hosting platform for free.
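
To make the three kinds of detection concrete (known token formats, user-defined patterns, and generic high-entropy credentials), here is an added example written for this page, not GitHub's scanner or any of its partner patterns. It uses only two publicly documented token prefixes (GitHub classic personal access tokens, which start with `ghp_` followed by 36 alphanumerics, and AWS access key IDs, which start with `AKIA` or `ASIA`); the `ACME-` format is a hypothetical internal key standing in for a custom pattern, and the sample file content is constructed. Findings are masked so the scanner's own output does not become a second leak.

```python
"""Added example: a small secret scanner of the kind the article describes.

Three detector classes: well-known token formats (only publicly documented
prefixes are used), a user-defined pattern standing in for GitHub's custom
patterns (the ACME format is hypothetical), and a generic Shannon-entropy
check on credential-looking assignments.  The sample file is constructed.
"""
import math
import re

KNOWN_FORMATS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
}
CUSTOM_FORMATS = {  # hypothetical internal key format, as a user-defined pattern
    "acme_api_key": re.compile(r"\bACME-[0-9a-f]{32}\b"),
}
# Generic: a credential-looking name assigned a long quoted literal.
ASSIGNMENT = re.compile(
    r"(?i)\b(?:secret|token|password|passwd|api_?key)\w*\s*[:=]\s*['\"]([^'\"]{16,})['\"]"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; random 32-char keys score ~4.5-5


def shannon_entropy(s):
    """Bits of entropy per character of s (0 for a repeated single character)."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def mask(value):
    """Show only the ends of a secret so reports can be shared safely."""
    return value[:4] + "..." + value[-4:] if len(value) > 12 else "***"


def scan_text(text, custom=CUSTOM_FORMATS):
    """Return one finding per secret: (line number, detector name, masked value)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        hit = False
        for name, pattern in {**KNOWN_FORMATS, **custom}.items():
            for m in pattern.finditer(line):
                findings.append((lineno, name, mask(m.group(0))))
                hit = True
        if hit:
            continue  # a known format already explains this line
        m = ASSIGNMENT.search(line)
        if m and shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
            findings.append((lineno, "high_entropy_assignment", mask(m.group(1))))
    return findings


SAMPLE = """\
# constructed sample of a config file committed by mistake
GITHUB_TOKEN = "ghp_abcdefghijklmnopqrstuvwxyz0123456789"
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
acme_key: ACME-0123456789abcdef0123456789abcdef
api_key = "Zx9q2Lm8vT4bN1pQ7rS3wY6uJ0hK5dF2"
password = "changeme"
token = "xxxxxxxxxxxxxxxxxxxxxxxx"
"""

if __name__ == "__main__":
    for lineno, kind, shown in scan_text(SAMPLE):
        print(f"line {lineno}: {kind}: {shown}")
```

The last two sample lines show the two ways the generic detector stays quiet: a short placeholder never reaches the length floor, and a long but repetitive value has no entropy. Format-specific patterns are preferred because they identify the issuer, which is what lets a partner program revoke the token automatically.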

    TechCrunch reports "GitHub Brings Free Secret Scanning to All Public Repos"

  • news

    "Minecraft Servers Under Attack: Microsoft Warns About Cross-Platform DDoS Botnet"

    Microsoft has identified a cross-platform botnet built primarily to launch Distributed Denial-of-Service (DDoS) attacks against private Minecraft servers. The MCCrash botnet is distinguished by a spreading method that lets it reach Linux-based devices even though the infection starts with malicious software downloads on Windows hosts. According to the company, the botnet grows by trying default credentials against Internet-exposed devices that accept Secure Shell (SSH) logins. Because Internet of Things (IoT) devices are often shipped with remote administration enabled and insecure default settings, they are exposed to botnets of this kind, and the malware can persist on the IoT devices even after it has been removed from the infected source PC. Microsoft's security researchers track the activity cluster as DEV-1028. Most infections have been observed in Russia, with smaller numbers in Kazakhstan, Uzbekistan, Ukraine, Belarus, Czechia, Italy, India, Indonesia, Nigeria, Cameroon, Mexico, and Colombia; the company did not specify the scale of the campaign. The botnet's initial foothold is a pool of machines compromised by installing cracking tools that claim to activate unlicensed Windows installations. That software then serves as a conduit to run a Python payload that carries the botnet's core functionality, including scanning for SSH-enabled Linux devices and running a dictionary attack against them. When the propagation routine breaches a Linux host, the same Python payload is deployed there to execute DDoS commands, one of which is tailored to Minecraft servers. Microsoft called the approach "highly efficient" and speculated that it might be sold as a service on underground forums. The propagation described relies on password logins with default credentials, so disabling SSH password authentication, or at least changing factory passwords, on exposed devices blocks the spread. This article continues to discuss the MCCrash botnet launching DDoS attacks against private Minecraft servers.
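
The spreading step leaves a recognisable trace on the target: a burst of failed password logins across default account names from one source, sometimes ending in a success. The following added example (written for this page; it is not Microsoft's detection logic and not derived from the MCCrash payload) parses standard OpenSSH "Failed password" / "Accepted password" log lines, groups them by source, and raises an alert when a source exceeds a failure threshold inside a time window, noting whether a login succeeded afterwards and whether the source is an RFC 1918 address, since a spray coming from inside the network points at a compromised host rather than an Internet scanner. The log lines and the list of commonly probed account names are constructed.

```python
"""Added example: spotting SSH default-credential spraying in sshd logs.

Groups OpenSSH "Failed password" / "Accepted password" lines by source
address and flags any source that fails repeatedly inside a short window,
escalating when a success follows the failures, the trace a dictionary attack
on factory credentials leaves behind.  The log lines and the list of commonly
probed accounts are constructed for this example.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)
DEFAULT_ACCOUNTS = {"root", "admin", "pi", "ubnt", "support", "user", "guest"}  # assumed list
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(src):
    """True for RFC 1918 sources, i.e. a pivot from a host already inside the network."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(ip in net for net in RFC1918)


def parse(lines):
    """(timestamp, source, user, succeeded) for every password-auth line."""
    events = []
    for line in lines:
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # syslog lines carry no year
            events.append((ts, m["src"], m["user"], m["result"] == "Accepted"))
    return events


def detect(lines, threshold=4, window_s=60):
    """One alert per source with >= threshold failed logins inside window_s seconds."""
    by_src = defaultdict(list)
    for ts, src, user, ok in parse(lines):
        by_src[src].append((ts, user, ok))
    alerts = []
    for src, evs in by_src.items():
        evs.sort()
        fails = [e for e in evs if not e[2]]
        burst = any(
            (fails[i + threshold - 1][0] - fails[i][0]).total_seconds() <= window_s
            for i in range(len(fails) - threshold + 1)
        )
        if not burst:
            continue
        users = {u for _, u, _ in evs}
        alerts.append({
            "src": src,
            "failures": len(fails),
            "users_tried": sorted(users),
            "default_accounts": sorted(users & DEFAULT_ACCOUNTS),
            # a success after the spray means one of the default passwords worked
            "success_after_failures": any(ok and ts >= fails[0][0] for ts, _, ok in evs),
            "internal_source": is_internal(src),
        })
    return alerts


SAMPLE_LOG = """\
Dec 16 03:14:01 cam-01 sshd[1023]: Failed password for root from 203.0.113.7 port 51234 ssh2
Dec 16 03:14:02 cam-01 sshd[1025]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Dec 16 03:14:04 cam-01 sshd[1027]: Failed password for root from 203.0.113.7 port 51238 ssh2
Dec 16 03:14:05 cam-01 sshd[1029]: Failed password for invalid user pi from 203.0.113.7 port 51240 ssh2
Dec 16 03:14:07 cam-01 sshd[1031]: Failed password for root from 203.0.113.7 port 51242 ssh2
Dec 16 03:14:09 cam-01 sshd[1040]: Accepted password for root from 203.0.113.7 port 51250 ssh2
Dec 16 03:20:11 cam-01 sshd[1102]: Failed password for alice from 192.0.2.9 port 40001 ssh2
Dec 16 03:20:40 cam-01 sshd[1103]: Accepted password for alice from 192.0.2.9 port 40002 ssh2
Dec 16 03:31:00 cam-01 sshd[1150]: Failed password for invalid user ubnt from 10.0.0.23 port 39000 ssh2
Dec 16 03:31:01 cam-01 sshd[1151]: Failed password for invalid user support from 10.0.0.23 port 39002 ssh2
Dec 16 03:31:03 cam-01 sshd[1152]: Failed password for root from 10.0.0.23 port 39004 ssh2
Dec 16 03:31:04 cam-01 sshd[1153]: Failed password for admin from 10.0.0.23 port 39006 ssh2
""".splitlines()

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

In the constructed log the first source sprays five default accounts in eight seconds and then logs in as root, which is the case to treat as a compromised device; the second source is a single mistyped password followed by a normal login and is ignored; the third is an internal host spraying factory account names, the signature of a pivot from an already-infected machine on the same network.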

    THN reports "Minecraft Servers Under Attack: Microsoft Warns About Cross-Platform DDoS Botnet"

  • news

    "NIST Retires SHA-1 Cryptographic Algorithm"

    According to security specialists at the National Institute of Standards and Technology (NIST), the SHA-1 algorithm, one of the first widely used techniques for securing electronic information, has reached the end of its useful life. The agency is now advising IT professionals to replace SHA-1 with more secure algorithms in the few cases where it is still used. SHA-1 has been part of Federal Information Processing Standard (FIPS) 180-1 since 1995; it is a modified version of SHA, the first hash function the federal government standardized for broad use in 1993. Because today's increasingly powerful computers can attack the algorithm, NIST has announced that SHA-1 should be phased out by December 31, 2030, in favor of the SHA-2 and SHA-3 families. SHA-1 has served as a foundation for numerous security applications, including website validation. It protects data by running a fixed mathematical transformation over a message to produce a short string of characters known as a hash. The original message cannot be reconstructed from the hash alone, but a recipient who knows the expected hash can check whether the message has been modified, since even a small change to the content produces a completely different hash. Today's more powerful computers can, however, find two different messages that produce the same SHA-1 hash, which undermines the authenticity guarantee; such "collision" attacks against SHA-1 have been demonstrated in recent years. NIST had previously stated that federal agencies should avoid using SHA-1 in cases where collision attacks are a serious threat, such as when creating digital signatures. This article continues to discuss the retirement of the SHA-1 cryptographic algorithm.
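
Two things from the paragraph above are worth seeing in code: the avalanche behaviour that makes a hash useful for detecting modification, and a way to inventory where SHA-1 is still relied on. The block below is an added example written for this page (not NIST's code or guidance text); it flips one input bit and measures how much of each digest changes for SHA-1, SHA-256 and SHA3-256, classifies hex digests found in manifests or configuration by length so SHA-1 pins can be listed, and wraps a verification helper that refuses SHA-1 digests unless a caller explicitly opts in for legacy data. Only the standard library is used and the inputs are constructed.

```python
"""Added example: the avalanche property, and auditing for leftover SHA-1 use.

Only the standard library is used; inputs are constructed.  The length-based
classifier cannot tell SHA-256 from SHA3-256 (both 64 hex characters); since
both are acceptable replacements for SHA-1 they are reported together.
"""
import hashlib

ALGORITHMS = ("sha1", "sha256", "sha3_256")


def hexdigest(alg, data):
    return hashlib.new(alg, data).hexdigest()


def digest_bits(alg, data):
    d = hashlib.new(alg, data).digest()
    return int.from_bytes(d, "big"), len(d) * 8


def avalanche(data, bit=0):
    """Fraction of digest bits that change when one input bit is flipped."""
    flipped = bytearray(data)
    flipped[bit // 8] ^= 1 << (bit % 8)
    out = {}
    for alg in ALGORITHMS:
        a, n = digest_bits(alg, data)
        b, _ = digest_bits(alg, bytes(flipped))
        out[alg] = bin(a ^ b).count("1") / n   # ~0.5 for any sound hash
    return out


# hex-digest length -> (family, status per the NIST transition)
BY_HEX_LENGTH = {
    40: ("SHA-1", "deprecated: retire by 2030-12-31, do not use for signatures"),
    64: ("SHA-2/SHA-3 (256-bit)", "approved"),
    96: ("SHA-2/SHA-3 (384-bit)", "approved"),
    128: ("SHA-2/SHA-3 (512-bit)", "approved"),
}
CANDIDATES = {40: ("sha1",), 64: ("sha256", "sha3_256"),
              96: ("sha384", "sha3_384"), 128: ("sha512", "sha3_512")}


def audit_digest(hexdigest_str):
    """Classify a hex digest string (as found in a manifest or lock file) by length."""
    h = hexdigest_str.strip().lower()
    if any(c not in "0123456789abcdef" for c in h) or len(h) not in BY_HEX_LENGTH:
        return {"family": "unknown", "status": "not a recognised hex digest"}
    family, status = BY_HEX_LENGTH[len(h)]
    return {"family": family, "status": status}


def verify(data, expected_hex, allow_sha1=False):
    """Check data against a published digest, refusing SHA-1 unless explicitly allowed.

    allow_sha1 exists only for reading old artefacts whose digests cannot be
    regenerated; anything newly produced should carry a SHA-2 or SHA-3 digest.
    """
    info = audit_digest(expected_hex)
    if info["family"] == "unknown":
        raise ValueError(info["status"])
    if info["family"] == "SHA-1" and not allow_sha1:
        raise ValueError("SHA-1 digest refused: " + info["status"])
    h = expected_hex.strip().lower()
    return any(hexdigest(a, data) == h for a in CANDIDATES[len(h)])


if __name__ == "__main__":
    msg = b"The quick brown fox jumps over the lazy dog"
    for alg, frac in avalanche(msg, bit=5).items():
        print(f"{alg}: {frac:.2f} of digest bits changed after flipping one input bit")
    print(audit_digest(hexdigest("sha1", msg)))
    print(audit_digest(hexdigest("sha3_256", msg)))
```

The audit helper is deliberately dumb: it looks only at digest length, which is enough to pull SHA-1 pins out of package manifests, container image references and signature metadata for a migration list, and wrong in the one case it cannot distinguish (a 40-hex value that is a git object ID rather than a content digest), so review the hits.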

    NIST reports "NIST Retires SHA-1 Cryptographic Algorithm"

  • news

    "Executives Take More Cybersecurity Risks Than Office Workers"

    Ivanti collaborated with cybersecurity experts and polled 6,500 executive leaders, cybersecurity professionals, and office workers to better understand current cybersecurity threat perception and how businesses are preparing for future threats. According to the survey, despite 97 percent of leaders and security experts saying that their firm is as prepared or more prepared to defend against cybersecurity attacks than it was a year ago, one in five do not believe their organization could prevent a damaging breach. The report indicates that firms are racing to strengthen against cyber threats, yet the industry still struggles with a reactive, checklist attitude. This is particularly seen in how security teams prioritize patches. While 92 percent of security experts said they have a process for prioritizing patches, they also said all types of patches rank high, meaning that none do. About half of respondents said they are "very prepared" to deal with the growing threat landscape, which includes ransomware, poor encryption, and malicious employees. Still, expected safeguards such as deprovisioning credentials are ignored one-third of the time. Nearly half of those surveyed believe a former employee or contractor still has active access to company systems and files. Leaders were found to engage in more risky behavior and are four times more likely to be phishing victims than office workers. This article continues to discuss key findings from the survey to understand the perception of cybersecurity threats and how companies are preparing for future threats.

    Help Net Security reports "Executives Take More Cybersecurity Risks Than Office Workers"

  • news

    "Blackmailing MoneyMonger Malware Hides in Flutter Mobile Apps"

    MoneyMonger, an Android malware campaign, has been found hidden in money-lending apps built with Flutter. According to research by the Zimperium zLabs team, the malware uses several layers of social engineering to exploit its victims, and it lets the operators steal private data from personal devices and use it to blackmail the owners. Zimperium's researchers say MoneyMonger, distributed through third-party app stores and sideloaded onto victims' Android devices, targets people who need cash quickly. The scheme starts with a predatory loan offer and the promise of fast money for anyone who follows a few simple instructions. During installation the victim is told that certain device permissions are needed to verify their eligibility for a loan. Those permissions are then used to capture and exfiltrate the contact list, GPS location data, the list of installed applications, sound recordings, call logs, SMS messages, and storage and file listings, and the app also obtains access to the cameras. The stolen information is used to intimidate victims into paying high interest rates: if the victim misses a payment, and in some cases even after the loan has been repaid, the operators threaten to disclose the information, call people from the contact list, and leak images taken from the device. One novel characteristic of this malware is its use of the Flutter Software Development Kit (SDK) to hide malicious code. While the open-source User Interface (UI) toolkit Flutter has been a game-changer for application developers, the attackers exploit its structure to ship ap­ps that pose severe security and privacy risks, relying on the framework to hide functionality and make malicious behavior hard to spot through static analysis. According to Richard Melick, director of mobile threat intelligence at Zimperium, consumers who use money-lending apps are most at risk, but because of how the attackers harvest sensitive information for blackmail, victims also expose their employers and other organizations. This article continues to discuss findings regarding the MoneyMonger Android malware campaign, the resurgence of banking Trojans, and the expected rise in blackmail threats in 2023.

    Dark Reading reports "Blackmailing MoneyMonger Malware Hides in Flutter Mobile Apps"

  • news

    "Rust Software Security: A Current State Assessment"

    Rust is an increasingly popular programming language. Although its user base is still small, it is highly regarded: the Stack Overflow Developer Survey 2022 found Rust to be the most-loved programming language for the seventh consecutive year. Rust has a distinctive security model that guarantees memory safety and freedom from data races while delivering performance comparable to C and C++. Because Rust is relatively new, it has not been exposed to the same level of scrutiny as older languages such as Java, so Joseph Sible and David Svoboda, researchers at the Carnegie Mellon University (CMU) Software Engineering Institute (SEI), have published a blog post assessing Rust's security promises. Rust's security model rests on its ownership model and its type system, and a large part of it is enforced by the compiler's borrow checker, which guarantees memory safety and the absence of data races in safe Rust code (code that does not opt out through unsafe blocks). Java also enforces memory safety, but does so with runtime garbage collection and runtime checks that cost performance. Because Rust's checks happen at compile time, they impose almost no runtime cost, apart from checks the source code itself performs, so compiled Rust code performs comparably to C and C++ and faster than Java. Traditional languages such as C and C++ lack memory safety, so programming errors can cause memory corruption, which often leads to security vulnerabilities; OpenSSL's Heartbleed bug, an out-of-bounds read, would not have occurred had the code been written in a memory-safe language. Rust's most significant advantage is that it catches at compile time the errors that would otherwise produce memory corruption and other undefined behavior at runtime in C or C++, without giving up efficiency or low-level control. This article continues to discuss findings from the assessment of Rust software security.

    CMU reports "Rust Software Security: A Current State Assessment"

  • news

    "How ChatGPT Can Turn Anyone Into a Ransomware and Malware Threat Actor"

    Since OpenAI's launch of ChatGPT, commentators have raised concerns about the impact AI-driven content generation will have on cybersecurity. Many researchers worry that generative AI will make cybercrime more accessible: a user with no technical or coding knowledge can ask ChatGPT for malicious code or a convincing phishing email. Security teams can use ChatGPT for defensive purposes such as code testing, but the tool has complicated the threat landscape by lowering the barrier to entry for attacks. The central challenge ChatGPT poses from a cybersecurity standpoint is that anyone, regardless of expertise, can generate code for malware and ransomware on demand. While ChatGPT can help developers write good code, it can also be, and already has been, used for malicious purposes, according to Matt Psencik, Director and Endpoint Security Specialist at Tanium, who has seen the bot asked to help reverse engineer code in search of zero-day exploits. ChatGPT has built-in safeguards intended to prevent illegal use: it refuses to generate shellcode or give specific instructions for producing shellcode or establishing a reverse shell, and it flags keywords such as "phishing" to block requests. The difficulty is that these measures rely on the model recognizing that the user is trying to create malicious code, which users can evade by rephrasing their prompts, and there is no immediate penalty for breaching OpenAI's content policy. Security researchers have already begun testing ChatGPT's ability to write malicious code; for instance, Dr. Suleyman Ozarslan, security researcher and co-founder of Picus Security, recently used ChatGPT to build a phishing campaign and create ransomware for macOS. This article continues to discuss how ChatGPT and other AI-driven content-creation platforms could affect cybercrime and cybersecurity.

    VB reports "How ChatGPT Can Turn Anyone Into a Ransomware and Malware Threat Actor"

  • news

    "Spafford wins ACSAC Cybersecurity Artifacts Competition and Impact Award"

    Professor Eugene H. Spafford has received the Annual Computer Security Applications Conference (ACSAC) 2022 Cybersecurity Artifacts Competition Impactful System Award for his artifact Tripwire: Integrity Scanning as Intrusion Detection. Spafford's work was selected for its major contributions to cybersecurity research and practice. Tripwire is a file-integrity checker for UNIX systems that lets administrators detect files and directories that have been added, deleted, or modified by comparing the file system against a stored database of file attributes and checksums. The original tool was designed to be compatible with different versions of UNIX, and its architecture prioritized portability of both the program and its database because of the diverse hardware in use at most sites. Tripwire, built to improve intrusion detection, went to beta test sites worldwide on November 2, 1992; several issues were found and four updates were issued in 1993, with the first official release in December 1993. Gene Kim, then a Purdue University undergraduate in computer science, helped code and test the system. Tripwire is still widely used. As the first free, publicly available intrusion detection tool and the first integrity monitoring tool, it met with considerable success and attention: there were thousands of downloads in the first year after its release, and, given redistribution on other platforms, it was probably used by tens of thousands, with adoption growing further with subsequent releases. For years it was recommended by major Computer Incident Response Teams (CIRTs) and numerous vendors, and it was available in all the commonly used repositories. This article continues to discuss the Tripwire tool that earned Professor Eugene H. Spafford the ACSAC 2022 Cybersecurity Artifacts Competition Impactful System Award.
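
The mechanism the award recognises is simple enough to show end to end. The block below is an added, illustrative re-creation written for this page, not Tripwire's code: it snapshots every regular file under a root (SHA-256, size, mode, mtime), seals the snapshot with an HMAC so that tampering with the database itself is detectable, and on a later scan reports what was added, deleted and modified. The directory tree, the tampering and the key are all constructed inside a temporary directory; in real use the key and the sealed baseline live off the monitored host, on read-only media or a separate system, which is the operational point Tripwire's design made.

```python
"""Added example: a minimal Tripwire-style integrity scanner.

Records a baseline of every regular file under a root (SHA-256, size, mode,
mtime), seals the baseline with an HMAC so tampering with the database itself
is detectable, and on a later scan reports files that were added, deleted or
modified.  Illustrative code, not Tripwire's; the tree it scans is constructed
in a temporary directory.
"""
import hashlib
import hmac
import json
import os
import tempfile


def snapshot(root):
    """Map relative path -> attributes for every regular file under root."""
    db = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue            # symlinks and specials are out of scope here
            st = os.lstat(full)
            with open(full, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            db[os.path.relpath(full, root)] = {
                "sha256": digest, "size": st.st_size,
                "mode": st.st_mode & 0o7777, "mtime": int(st.st_mtime),
            }
    return db


def seal(db, key):
    """Serialise the baseline and append an HMAC tag; keep `key` off the monitored host."""
    body = json.dumps(db, sort_keys=True).encode()
    return body + b"\n" + hmac.new(key, body, "sha256").hexdigest().encode()


def unseal(blob, key):
    """Verify the tag before trusting the baseline; a forged database would hide changes."""
    body, _, tag = blob.rpartition(b"\n")
    expected = hmac.new(key, body, "sha256").hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("baseline database failed integrity check")
    return json.loads(body)


def compare(baseline, current):
    """Added and deleted paths, plus modified paths with the attributes that differ."""
    added = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    modified = {}
    for path in set(baseline) & set(current):
        diff = [k for k in baseline[path] if baseline[path][k] != current[path][k]]
        if diff:
            modified[path] = diff
    return {"added": added, "deleted": deleted, "modified": modified}


def demo():
    """Constructed scenario: baseline a tree, tamper with it, rescan, and also
    check that a corrupted baseline is rejected.  Returns (report, db_tamper_detected)."""
    key = b"demo-key-kept-offline"
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        files = {"etc/passwd": b"root:x:0:0::/root:/bin/sh\n",
                 "etc/hosts": b"127.0.0.1 localhost\n",
                 "bin_login": b"#!/bin/sh\nexec /sbin/login\n"}
        for rel, content in files.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(content)
        sealed = seal(snapshot(root), key)

        # Tamper: add a backdoor account, plant a new binary, delete hosts.
        with open(os.path.join(root, "etc/passwd"), "ab") as f:
            f.write(b"backdoor:x:0:0::/:/bin/sh\n")
        with open(os.path.join(root, "rootkit"), "wb") as f:
            f.write(b"\x7fELF")
        os.remove(os.path.join(root, "etc/hosts"))

        report = compare(unseal(sealed, key), snapshot(root))
        corrupted = sealed[:-1] + (b"0" if sealed[-1:] != b"0" else b"1")
        try:
            unseal(corrupted, key)
            db_tamper_detected = False
        except ValueError:
            db_tamper_detected = True
    return report, db_tamper_detected


if __name__ == "__main__":
    report, db_ok = demo()
    print(json.dumps(report, indent=2))
    print("corrupted baseline rejected:", db_ok)
```

The scan reports the appended passwd line as a content change (digest and size), the planted file as added and the removed file as deleted; mtime is recorded but not relied upon, since an attacker can reset it, which is why the content hash is the attribute that matters.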

    Purdue University reports "Spafford wins ACSAC Cybersecurity Artifacts Competition and Impact Award"

  • news

    "Phishing Scams Are Coming to Town"

    The Christmas season is a busy time for phishers. According to Check Point research, 17 percent of all malicious files distributed via email in November related to orders and shipping during the Black Friday period, and the problem is expected to worsen in December as attackers exploit shipping and package notifications. Researchers at the email security firm Avanan have also seen an increase in direct-deposit phishing, in which the scammer poses as an employee and asks the Human Resources department or a manager to change their direct deposit details. Emails impersonating delivery companies such as UPS, DHL, and FedEx are popular too; these attempt to harvest credentials, typically by asking the victim to log in to pay a delivery charge or claim compensation for a lost package, and people are more likely to fall for them at this time of year because they are expecting packages. There is also the age-old trick of sending malware as an attachment disguised as an invoice or delivery notification. This article continues to discuss the rise in phishing attacks this holiday season and how people can avoid falling victim to such attacks.

    BetaNews reports "Phishing Scams Are Coming to Town"

  • news

    "CISA Warns Veeam Backup & Replication Vulnerabilities Exploited in Attacks"

    The US Cybersecurity and Infrastructure Security Agency (CISA) has added two flaws affecting Veeam's Backup & Replication product to its Known Exploited Vulnerabilities Catalog. CISA added five flaws to the catalog on Tuesday, affecting Veeam, Fortinet, Microsoft, and Citrix products. Veeam Backup & Replication automates workload backup and discovery across cloud, virtual, physical, and NAS environments. CISA noted that the two vulnerabilities, tracked as CVE-2022-26500 and CVE-2022-26501, are rated "critical" and can be exploited by a remote, unauthenticated attacker for arbitrary code execution, which can give the attacker control of the targeted system. Veeam patched both back in March. Backup servers are attractive targets because they hold both copies of an organization's data and credentials to the systems they protect, and Veeam says the affected product is used by 70% of Fortune 2000 companies, including Volkswagen, Siemens, Deloitte, Shell, Fujitsu, Airbus, and Puma. Organizations that have not yet applied the March patches are urged to do so as soon as possible.

    SecurityWeek reports: "CISA Warns Veeam Backup & Replication Vulnerabilities Exploited in Attacks"

  • news

    "Unsecure Bricks: API Vulnerabilities Found in Lego BrickLink Marketplace"

    Most people associate Lego with toy bricks and childhood imagination, but the company also operates BrickLink, an online marketplace for buying and selling second-hand Lego, and researchers have found it to be insecure. A new report from Salt Security describes Application Programming Interface (API) vulnerabilities in BrickLink that could have led to large-scale takeover of customer accounts and to server compromise. The flaws could have allowed attackers to manipulate platform users and gain access to Personally Identifiable Information (PII) stored internally by the platform, and one of them could have exposed internal production data, leading to a complete compromise of the company's internal servers. The researchers found the flaws by examining parts of the site that accept user input. The first was a Cross-Site Scripting (XSS) vulnerability in the "Find Username" dialog of the coupon search function, which allowed them to inject script that runs in a victim's browser when the victim opens a crafted link. The Salt Security team chained the XSS with a session ID exposed on another page to hijack the session and take over the account. The second flaw was on the "Upload to Wanted List" page, an endpoint that accepts an XML list of Lego parts and sets; the researchers used it to mount an XML External Entity (XXE) injection attack, which let them read files on the web server and perform Server-Side Request Forgery (SSRF). SSRF from that position can be abused in many ways, including requesting the instance's metadata service to steal Amazon Elastic Compute Cloud (EC2) tokens from the server. This article continues to discuss the potential exploitation and impact of API vulnerabilities found in the Lego BrickLink marketplace.
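
The XXE finding above is the one with a clean, general fix, so here is an added example written for this page (not BrickLink's code or Salt Security's proof of concept) of how an XML upload endpoint of that shape should accept its input: refuse any document carrying a DOCTYPE or ENTITY declaration before parsing, since that is the only place an external entity can be declared; cap the size; parse with `xml.etree.ElementTree`, which does not resolve external entities; and then validate the fields. The element layout (INVENTORY/ITEM with ITEMTYPE, ITEMID, COLOR, MINQTY) is assumed for the example, and the two payloads are constructed to show the file-read and SSRF variants described in the article.

```python
"""Added example: hardening an XML upload endpoint against XXE.

A wanted-list upload takes attacker-controlled XML.  The parser below refuses
any document carrying a DOCTYPE or ENTITY declaration before parsing, then uses
xml.etree.ElementTree, which does not resolve external entities, and finally
validates the fields it will use.  The element layout and the payloads are
constructed for the example.  Note that a parser configured to resolve
entities (for instance lxml with resolve_entities=True) would be exploitable
by the payloads below without the pre-parse check.
"""
import re
import xml.etree.ElementTree as ET

MAX_UPLOAD = 256 * 1024
DTD_MARKER = re.compile(rb"<!\s*(DOCTYPE|ENTITY)", re.IGNORECASE)
FIELDS = ("ITEMTYPE", "ITEMID", "COLOR", "MINQTY")


def parse_wanted_list(data: bytes):
    """Return a list of dicts, one per <ITEM>, or raise ValueError on unsafe input."""
    if len(data) > MAX_UPLOAD:
        raise ValueError("upload too large")
    if DTD_MARKER.search(data):
        raise ValueError("DTD/entity declarations are not accepted")
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        raise ValueError(f"malformed XML: {exc}") from None
    if root.tag != "INVENTORY":
        raise ValueError("unexpected root element")
    items = []
    for item in root.findall("ITEM"):
        row = {f: (item.findtext(f) or "").strip() for f in FIELDS}
        if not row["ITEMID"].isalnum() or not row["MINQTY"].isdigit():
            raise ValueError("bad ITEMID or MINQTY")
        items.append(row)
    return items


def is_rejected(data: bytes) -> bool:
    try:
        parse_wanted_list(data)
        return False
    except ValueError:
        return True


# Constructed benign upload in the assumed layout.
BENIGN = b"""<INVENTORY>
  <ITEM><ITEMTYPE>P</ITEMTYPE><ITEMID>3001</ITEMID><COLOR>5</COLOR><MINQTY>4</MINQTY></ITEM>
</INVENTORY>"""

# Constructed classic XXE: read a server file and reflect it through a parsed field.
XXE_FILE = b"""<?xml version="1.0"?>
<!DOCTYPE INVENTORY [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<INVENTORY><ITEM><ITEMID>&xxe;</ITEMID><MINQTY>1</MINQTY></ITEM></INVENTORY>"""

# Constructed XXE-as-SSRF: the same mechanism aimed at an internal HTTP service,
# here the EC2 instance metadata address, the route by which instance credentials leak.
XXE_SSRF = b"""<!DOCTYPE x [<!ENTITY ssrf SYSTEM "http://169.254.169.254/latest/meta-data/">]>
<INVENTORY><ITEM><ITEMID>&ssrf;</ITEMID><MINQTY>1</MINQTY></ITEM></INVENTORY>"""

if __name__ == "__main__":
    print(parse_wanted_list(BENIGN))
    for name, payload in (("file read", XXE_FILE), ("ssrf", XXE_SSRF)):
        print(name, "rejected:", is_rejected(payload))
```

Rejecting the DOCTYPE up front is the control that does not depend on parser defaults, which vary between libraries and versions; the field validation afterwards is what stops the XSS-style problem on the same page, since an ITEMID that is later rendered back to users can only be alphanumeric.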

    SiliconANGLE reports "Unsecure Bricks: API Vulnerabilities Found in Lego BrickLink Marketplace"

  • news

    "GAO Highlights Interoperability Challenges With Zero Trust"

    According to a Government Accountability Office (GAO) briefing document aimed at lawmakers, many federal agencies will find it difficult to build zero trust systems because the various products needed to realize the strategy do not always work well together. Under guidance issued by the Office of Management and Budget (OMB) to comply with the May 2021 cybersecurity executive order, federal agencies must implement Zero Trust Architectures (ZTA) by the end of fiscal year 2024. President Joe Biden issued the order in response to the SolarWinds hack, which also involved Microsoft's Active Directory Federation Services (AD FS) and the use of legitimate credentials to move laterally within victim networks. In a ZTA, every attempt by a person or device to reach a specific resource must be authorized by a central policy decision point, whose decision logic NIST's model calls the trust algorithm. According to GAO's spotlight document, making such decisions may require technology to manage credentials, analyze threat intelligence and activity logs for unusual activity, monitor endpoints for malware, and encrypt data. Because there is no single ZTA product, implementation calls for integrating existing and newer technologies, which may not have been designed to work together, especially in organizations with significant investments in legacy technology. To emphasize the challenge, the GAO document cited work from the National Institute of Standards and Technology (NIST): organizations attempting to implement ZTA have run into difficulties, and a NIST project that set out to build demonstration ZTAs from products of various vendors found that many Identity, Credential, and Access Management (ICAM) and endpoint protection technologies could not be integrated into a functional ZTA. This article continues to discuss the interoperability challenges with zero trust highlighted by a new GAO spotlight document.

    NextGov reports "GAO Highlights Interoperability Challenges With Zero Trust"

  • news

    Visible to the public "Social Blade Admits to Being Hacked"

    The popular data analytics company Social Blade has admitted to being hacked. Social Blade offers a data analytics tool based in the US that tracks social media platforms such as YouTube, Facebook, Twitter, and TikTok. The company claims to have seven million unique visitors to its website each month. Social Blade stated that it had been notified of a systems breach on December 14, while insisting no credit card data had been leaked. Other Personally Identifiable Information (PII), such as email addresses, Internet protocol (IP) addresses, hashes used to conceal passwords, client IDs, and authentication tokens for connected accounts, were among the data offered for sale on a dark web forum by the hacker behind the incident. Based on a cursory examination of the hacker's breach notification, a Cybernews researcher believes the threat actor may have performed a SQL injection attack. The hacker, who claims to have breached Social Blade in September, also stated that they intended to make only a few sales before deleting the thread advertising the data, but no price was listed. This article continues to discuss the Social Blade hack.

    Cybernews reports "Social Blade Admits to Being Hacked"

  • news

    Visible to the public "Distractions at Work Can Have Serious Cybersecurity Implications"

    According to new research by 1Password, distracted employees are twice as likely to do the bare minimum for security at work. The researchers found that 4 in 5 employees (79%) feel distracted on a typical workday, with 1 in 3 employees (32%) saying they're the most stressed they've ever been in their lives. The researchers noted that the top distractions include the Covid-19 pandemic (44%), recession/inflation (42%), economic uncertainty (38%), gas prices (34%), and personal relationships (29%). More than 1 in 4 employees (26%) say that distractions from world events make it hard to care about their job. The researchers stated that this has major repercussions for enterprise security, with distracted workers more than twice as likely as others to do only the bare minimum for security at work (24% vs. 10%). The researchers found that 3 in 4 employees (76%) are aware their individual actions have an impact on their company's overall security, and 82% would care if they caused a security breach. Nearly 9 in 10 employees (89%) now use authentication products or services such as two-factor (2FA) or multi-factor authentication (MFA), biometrics, password managers, and single sign-on. The researchers noted that there is a misperception that if security is too easy, it's not safe. The researchers stated that employees are three times as likely to trust two-factor or multi-factor authentication as they are to trust single sign-on (65% vs. 19%). During the study, the researchers also found that poor password hygiene is notably worse among employees at the level of director and above, with 49% using personal identifiers in their passwords. Despite knowing the risks associated, 1 in 3 employees reuse passwords. The researchers noted that one in 10 workers (10%) have used their work computers or devices for a side gig or another job, and tech workers are even worse (19%). This makes companies increasingly vulnerable to security risks.

    Help Net Security reports: "Distractions at Work Can Have Serious Cybersecurity Implications"

  • news

    Visible to the public "Over 85% of Attacks Hide in Encrypted Channels"

    Security researchers at Zscaler have found that the vast majority of cyberattacks over the past year have used TLS/SSL encryption to hide from security teams. The researchers analyzed 24 billion blocked threats during the period October 2021-September 2022 to compile their new "2022 State of Encrypted Attacks Report." The researchers found that over 85% of attacks are now HTTPS-based in a bid to stay hidden from security tools, a 20% increase on the previous year. The researchers argued that although legacy firewalls support packet filtering and stateful inspection, it is resource intensive to do this at scale, meaning many encrypted threats go unchecked. The researchers noted that this is why certain sectors are more impacted than others, with manufacturing seeing a 239% increase in attacks over the period, followed by education (132%). The researchers stated that the US (155%), India (87%), and Japan (613%) recorded the biggest increases in encrypted attacks over the past 12 months. South Africa became a member of the top five list of countries most targeted by HTTPS-based attacks, alongside the US, India, the UK, and Australia. The researchers noted that malicious scripts and payloads, including ransomware, accounted for the vast majority (90%) of these attacks. On the positive side, the researchers noted that government organizations and retailers both saw the number of encrypted attacks fall, by 40% and 63%, respectively.

    Infosecurity reports: "Over 85% of Attacks Hide in Encrypted Channels"

  • news

    Visible to the public "Hacker Claims Breach of FBI's Critical Infrastructure Portal"

    A hacker claims to have posed as the CEO of a financial institution and gained access to InfraGard's database of over 80,000 members. InfraGard is an outreach program run by the FBI that shares sensitive information on national security and cybersecurity threats with public officials and private sector actors operating critical infrastructure in the US. The hacker has posted samples allegedly from the database to an online forum popular with cybercriminals, claiming they were asking $50,000 for the entire database. The hacker also states that the data contains no Social Security numbers or birth dates. While the database has fields for that information, InfraGard's security-conscious users had left them blank. They claim to have been messaging InfraGard members as the CEO of the financial institution in order to obtain more personal information. The FBI has not explained how the hacker managed to get approved for the InfraGard membership. According to independent cybersecurity journalist Brian Krebs, who broke the story, when applying for InfraGard membership in November, the hacker included a contact email address that they controlled as well as the CEO's real mobile phone number. InfraGard consists of business leaders, Information Technology (IT) professionals, military, state and local law enforcement, and government officials who oversee the safety of the electrical grid, transportation, healthcare, pipelines, nuclear reactors, the defense industry, and more. This article continues to discuss a hacker claiming to have breached InfraGard's database.

    AP News reports "Hacker Claims Breach of FBI's Critical Infrastructure Portal"

  • news

    Visible to the public "Crooks Use HTML Smuggling to Spread QBot Malware via SVG Files"

    Talos researchers discovered a phishing campaign using Scalable Vector Graphics (SVG) images embedded in HTML email attachments to distribute the QBot malware. HTML smuggling is an evasive malware delivery method that involves using legitimate HTML5 and JavaScript features. Malicious payloads are delivered through encoded strings in an HTML attachment or webpage. The target device's browser, which is inside the security perimeter of the victim's network, generates the malicious HTML code. When the victim receives the email and opens the attachment, the browser decodes and runs the embedded script, which assembles a malicious payload directly on the victim's device. The embedded SVG files in the attack detailed by Talos contained JavaScript that reassembles a Base64 encoded QBot malware installer. The installer is then automatically downloaded through the victim's browser. The JavaScript embedded in the SVG image contains a malicious ZIP archive. Since the malware payload is assembled directly on the victim's machine rather than being transmitted over the network, this HTML smuggling technique can avoid detection by security devices. The QBot malware, which is spread through phishing messages, can hijack a victim's email and send itself out as a reply to an existing email thread. The smuggled JavaScript code inside the SVG image begins the attack when the recipient opens the HTML attachment. The script generates a password-protected malicious ZIP archive and then prompts the user to save the file. The password can be found in the HTML attachment. If the recipient enters the password provided by the attacker and opens the ZIP archive, an .ISO file can be extracted. The file allows the QBot malware to infect the victim. This article continues to discuss the new phishing campaign distributing the QBot malware to Windows systems using SVG files.
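    The combination the item describes (an inline SVG carrying a script that Base64-decodes a blob and hands it to the browser as a download) is exactly what a mail gateway or attachment scanner can look for, because the payload never crosses the wire in its final form but the decoding logic does. The following is an added detection example, not code from Talos or from the original article: it parses an HTML attachment with Python's standard library, collects only the script bodies that sit inside an SVG element, and scores them against a small indicator list. The two sample attachments are constructed for this example; the "payload" in the suspicious one is a harmless placeholder string, and the indicator names and threshold are assumptions of this example rather than anything Talos published.

```python
import base64
import re
from html.parser import HTMLParser


class _SvgScriptCollector(HTMLParser):
    """Collect the bodies of <script> elements that appear inside an inline <svg>."""

    def __init__(self):
        super().__init__()
        self.svg_depth = 0
        self.in_script = False
        self._buf = []
        self.svg_scripts = []     # script bodies nested in an <svg>
        self.other_scripts = []   # ordinary page scripts (kept for context)

    def handle_starttag(self, tag, attrs):
        if tag == "svg":
            self.svg_depth += 1
        elif tag == "script":
            self.in_script = True
            self._buf = []

    def handle_endtag(self, tag):
        if tag == "svg" and self.svg_depth:
            self.svg_depth -= 1
        elif tag == "script" and self.in_script:
            self.in_script = False
            body = "".join(self._buf)
            (self.svg_scripts if self.svg_depth else self.other_scripts).append(body)

    def handle_data(self, data):
        if self.in_script:
            self._buf.append(data)


# Indicator names are this example's own labels, not an industry taxonomy.
INDICATORS = {
    "base64_decode": re.compile(r"\batob\s*\("),
    "blob_construct": re.compile(r"\bnew\s+Blob\s*\("),
    "object_url": re.compile(r"createObjectURL\s*\("),
    "forced_download": re.compile(r"\.download\s*=|\bdownload\s*="),
    "long_base64_literal": re.compile(r"[A-Za-z0-9+/]{40,}={0,2}"),
}


def assess_html(html: str) -> dict:
    """Score an HTML attachment for SVG-embedded smuggling behaviour."""
    parser = _SvgScriptCollector()
    parser.feed(html)
    parser.close()
    body = "\n".join(parser.svg_scripts)
    hits = [name for name, rx in INDICATORS.items() if rx.search(body)]
    # Assumed policy for this example: a script inside an SVG that both decodes
    # data and hands it to the browser (two or more indicators) is suspicious.
    suspicious = bool(parser.svg_scripts) and len(hits) >= 2
    return {
        "svg_script_count": len(parser.svg_scripts),
        "indicators": hits,
        "score": len(hits),
        "verdict": "suspicious" if suspicious else "benign",
    }


# Constructed sample 1: the decode-and-download pattern, with a placeholder payload.
PLACEHOLDER_B64 = base64.b64encode(b"benign placeholder payload " * 3).decode()
SUSPICIOUS_ATTACHMENT = f"""<html><body>
<svg xmlns="http://www.w3.org/2000/svg">
<script type="text/javascript"><![CDATA[
var data = atob("{PLACEHOLDER_B64}");
var blob = new Blob([data], {{type: "application/octet-stream"}});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "document.zip";
]]></script>
</svg>
</body></html>"""

# Constructed sample 2: an SVG with a script that only animates a shape.
BENIGN_ATTACHMENT = """<html><body>
<svg xmlns="http://www.w3.org/2000/svg"><circle id="c" r="2"/>
<script>document.getElementById("c").setAttribute("r", "5");</script>
</svg>
</body></html>"""


if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_ATTACHMENT), ("benign", BENIGN_ATTACHMENT)):
        print(label, assess_html(sample))
```

The heuristic deliberately ignores scripts outside the SVG so that ordinary pages using `atob` do not trip it; a real gateway would also unpack MIME parts and apply the same check to `.html` and `.svg` attachments directly.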

    Security Affairs reports "Crooks Use HTML Smuggling to Spread QBot Malware via SVG Files"

  • news

    Visible to the public "As Legislation Evolves, Businesses Need a Firm Understanding of Secure Payment Options"

    According to PCI Pal, despite the constant evolution of the financial landscape, consumers still want a smooth and secure payment journey above all else. Alessandro Dalla Volta, VP of Product at PCI Pal, says new technology and payment methods will be at the forefront of the industry in 2023. The payments landscape is expected to expand and evolve in the coming year, with customer service as a top priority for businesses and consumers open to new options. The proposed American Data Protection & Privacy Act (ADPPA) legislation is on the horizon, and the countdown to implementing PCI DSS version 4.0 continues. In regard to payment security in the future, the emphasis should be on improving existing measures in response to changing consumer and business landscapes. Companies in 2023 will need to understand secure payment methods and be prepared to pivot as the legislative landscape evolves over the next 12 months. The top payments trends and predictions for 2023 include the adoption of the latest open banking Application Programming Interfaces (APIs), increased use of Artificial Intelligence (AI), and more. This article continues to discuss the need for businesses to understand secure payment options as legislation changes and the top payments trends and predictions for 2023.

    Help Net Security reports "As Legislation Evolves, Businesses Need a Firm Understanding of Secure Payment Options"

  • news

    Visible to the public "Royal Ransomware Puts Novel Spin on Encryption Tactics"

    The Royal ransomware gang is demonstrating sophisticated tactics such as partial and rapid encryption, which researchers believe may reflect the years of experience its members gained as leaders of the now-defunct Conti Group. Royal ransomware appears to operate globally and independently. It does not appear that the group employs affiliates through Ransomware-as-a-Service (RaaS) or targets a specific sector or country. The group is known to demand up to $2 million in ransom and claims to have published 100 percent of the data extracted from its victims. Researchers from the Cybereason Security Research & Global SOC Team stated that further analysis of how the Royal ransomware group works reveals an innovative group with varied ways to deploy ransomware and evade detection so it can do significant damage before victims can respond. The concept of partial encryption, which locks up only a predetermined portion of file content rather than all of it, is a key aspect of Royal's tactics. While partial encryption is not a new tactic, it is critical to Royal's strategy, with the group taking it to a new level not seen in ransomware activity before, according to the researchers. Royal has recently expanded the concept by basing the tactic on flexible-percentage encryption that can be tailored to the target, making detection more difficult, according to the Cybereason researchers. The group also uses multiple threads to accelerate the encryption process, giving victims less time to stop it once it begins, and the encryption starts and deploys in different ways, making detection difficult. This article continues to discuss new observations surrounding the Royal ransomware gang.

    Dark Reading reports "Royal Ransomware Puts Novel Spin on Encryption Tactics"

  • news

    Visible to the public "FBI Seized Domains Linked to 48 DDoS-For-Hire Service Platforms"

    The US Department of Justice (DOJ) has seized 48 Internet domains and charged six people in connection with the operation of booter or stresser platforms that allow anyone to easily conduct Distributed Denial-of-Service (DDoS) attacks. Booters are online platforms that allow threat actors to pay for DDoS attacks on websites and Internet-connected devices. They are essentially "booting" the target off the Internet. Stressers provide the same DDoS feature but claim to be used for legitimate testing of the dependability of web services and the servers that power them. Some websites use the term stresser to imply that the service can be used to assess the resilience of one's own infrastructure. However, this is a ruse, and these services exist to conduct DDoS attacks on victim computers not controlled by the attacker and without the victim's permission, according to an affidavit signed by FBI Special Agent Elliott Peterson of the Alaska field office. Threat actors create an account and deposit cryptocurrency, which is then used to pay for the services. This article continues to discuss the seizure of 48 Internet domains and the charging of six suspects for their involvement in running booter or stresser platforms.

    Bleeping Computer reports "FBI Seized Domains Linked to 48 DDoS-For-Hire Service Platforms"

  • news

    Visible to the public "Senate Unanimously Passes Bill Banning TikTok From Government Devices"

    The Senate just passed a bill by unanimous consent that would ban the social media app TikTok from all government devices amid increased scrutiny over the app's perceived threats to national security. Lawmakers have been increasingly vocal about their concerns over the world's most popular app, owned by ByteDance, a Beijing-based company. Critics of the app worry that the company's connections to the Chinese Communist Party could lead to United States citizens' data being acquired by the U.S. adversary and used maliciously. Governors in some states have already issued bans or suggested bans of the app on state-issued or leased devices, including Nebraska, South Dakota, South Carolina, Maryland, Texas, Oklahoma, and Arkansas.

    Washington Examiner reports: "Senate Unanimously Passes Bill Banning TikTok From Government Devices"

  • news

    Visible to the public "Hackers Bombard Open-Source Repositories with Over 144,000 Malicious Packages"

    Unknown threat actors have published more than 144,000 packages in the NuGet, PyPI, and npm ecosystems as part of a new campaign. According to Checkmarx and Illustria researchers, the packages were part of a new attack vector in which attackers spammed the open-source ecosystem with packages containing links to phishing campaigns. Of the 144,294 malicious packages detected, 136,258 were published on NuGet, 7,824 on PyPI, and 212 on npm. The offending libraries have since been delisted or removed. Further investigation has shown that the entire process was automated, the packages were pushed quickly, and most usernames adhered to a specific convention. The fake packages themselves claimed to offer hacks, cheats, and free resources to trick users into downloading them. The package description contained links that led to the malicious phishing pages. The massive campaign included over 65,000 unique URLs across 90 domains. According to the researchers, the threat actors behind this campaign likely wanted to improve the Search Engine Optimization (SEO) of their phishing sites by linking them to legitimate websites such as NuGet, emphasizing the importance of being cautious when downloading packages and only using trusted sources. These deceptive and well-designed pages promoted game hacks, "free money" for Cash App accounts, gift cards, and increased social media followers on platforms such as YouTube, TikTok, and Instagram. This article continues to discuss the targeting of NuGet, PyPI, and npm ecosystems in a new campaign that has led to over 144,000 malicious packages being published.

    THN reports "Hackers Bombard Open-Source Repositories with Over 144,000 Malicious Packages"

  • news

    Visible to the public "Iran-Linked Cyberspies Expand Targeting to Medical Researchers, Travel Agencies"

    Over the last two years, a cyberespionage group with ties to Iran's Islamic Revolutionary Guard Corps (IRGC) has been observed attacking new targets, including medical researchers, an aerospace engineer, and even a Florida-based realtor. TA453, also known as Phosphorus, Charming Kitten, and APT42, has a history of targeting Middle Eastern academics, policymakers, journalists, and dissidents. However, recent changes in their targeting and tactics suggest that the group has shifted its operations to support the IRGC's intelligence needs. According to Sherrod DeGrippo, Vice President of Threat Research and Detection at Proofpoint, they are going after new targets with new techniques and more hostile intent, providing insight into the goals of the IRGC and the flexible mandate under which TA453 operates. Proofpoint said it began to notice differences in TA453's targeting in late 2020, when the group was observed using credential harvesting attacks on senior professionals at various medical research organizations in the US and Israel. Most of the targets had genetics, oncology, and neurology backgrounds. Proofpoint researchers discovered spear phishing attacks targeting women's and gender studies scholars at different North American universities in July and August 2021. Around the same time, the group targeted multiple Iranian travel agencies operating out of Tehran with a credential harvesting operation, most likely to collect information about Iranians' movements outside of Iran. A February 2022 attack on a Florida-based realtor involved in the sale of multiple homes near the headquarters of US Central Command was another departure from the group's usual targets. CENTCOM is the US Combatant Command in charge of military operations in the Middle East. In addition to the shift in targeting, Proofpoint researchers stated that TA453 has recently adopted new techniques. For example, the group previously created email accounts and used them to send phishing emails to potential victims, but has recently begun targeting individuals using compromised accounts. This article continues to discuss changes in TA453's targets and tactics.

    The Record reports "Iran-Linked Cyberspies Expand Targeting to Medical Researchers, Travel Agencies"

  • news

    Visible to the public "ALMA Still Recovering From Devastating Cyberattack"

    The Atacama Large Millimeter/Submillimeter Array (ALMA) in Chile is still offline more than a month after a ransomware cyberattack on its computer systems. The disruption is interfering with astronomers' research projects worldwide and costs the observatory about a quarter-million dollars per day. When a number of ALMA users' computer tools stopped working on October 29, they realized the network had been attacked. Technicians isolated parts of their network that had been hacked, removing the need to pay a ransom. Although the attack did not reach the antennas or the correlator supporting observational data, ALMA has yet to resume operations. ALMA, which cost $1.4 billion to build, is one of the world's largest telescopes. It involves 66 large radio dishes in northern Chile's Atacama Desert. The dishes work as one telescope, observing at millimeter and submillimeter wavelengths. These wavelengths fall between radio and infrared (IR), making them particularly useful for studying star and galaxy formation. The European Southern Observatory (ESO), the National Science Foundation (NSF), and the National Institutes of Natural Sciences (NINS) operate the telescope in collaboration with the Republic of Chile. ALMA data is accessible to thousands of astronomers from around the world. The spread of the collaboration is one of the factors that allowed cybercriminals to gain a foothold in the organization. The hackers gained access to the system via a Virtual Private Network (VPN), most likely using stolen credentials. According to the ALMA director Sean Dougherty, the threat actors carried out a sophisticated attack that has been used to exploit more than 1,300 companies worldwide and extract approximately $100 million in ransom payments. While many science facilities around the world face attempted cyberattacks on a daily basis, ALMA is one of the first to suffer such a major breach. According to an NSF spokesperson, the agency is not aware of any significant cyberattacks against its facilities prior to the ALMA incident. This article continues to discuss the continued impact of the ransomware attack faced by ALMA.

    Physics Today reports "ALMA Still Recovering From Devastating Cyberattack"

  • news

    Visible to the public "Splunk Report Finds Public Sector Organizations Lack Cybersecurity Intelligence"

    According to new research from Splunk, public sector organizations lack the cybersecurity intelligence they require, and the problem is far worse than in the private sector. The Splunk 2022 Public Sector Survey reveals that nearly half of public sector agencies struggle to use data to detect and prevent cybersecurity threats, and 50 percent find it difficult to use data to inform cybersecurity decisions. It was discovered that 56 percent of public sector agencies have difficulty leveraging data to mitigate and recover from cybersecurity incidents. The report also looked into the data issues that directly affect public-private partnerships. According to the report, 44 percent of respondents in the public sector believe that the shared cybersecurity intelligence available to them should be improved for their needs, compared to 29 percent of respondents in the private sector. Despite a general trend toward sharing cybersecurity intelligence, the survey found that public and private sector organizations are less likely to share cybersecurity intelligence outside their sector. Only 42 percent of respondents in the public sector report regularly sharing data with the private sector, while 38 percent of private sector respondents report sharing data with government agencies. The report cites challenges and scarce resources in leveraging data as the leading causes behind the lack of data sharing. Although dealing with cybersecurity in the public sector may be more difficult, both the public and private sectors share similar cybersecurity priorities. Improving threat response and remediation ranked first in the public and private sectors. Both the public and private sectors are planning investments to address cybersecurity priorities, including monitoring, threat intelligence, and security assessments. However, the private sector is more likely to plan investments in security orchestration, automation and response, centralized log management, and observability. This article continues to discuss the data challenges weakening the cybersecurity posture of organizations.

    SiliconANGLE reports "Splunk Report Finds Public Sector Organizations Lack Cybersecurity Intelligence"

  • news

    Visible to the public "VMware Fixed Critical VM Escape Bug Demonstrated at GeekPwn Hacking Contest"

    VMware patched three vulnerabilities in various products, including a virtual machine escape flaw exploited at the GeekPwn 2022 hacking competition and tracked as CVE-2022-31705. Yuhao Jiang, an Ant Security researcher, demonstrated a working exploit for the vulnerability during the GeekPwn hacking competition hosted by the Tencent Keen Security Lab. The flaw is a heap out-of-bounds write vulnerability in the USB 2.0 controller Enhanced Host Controller Interface (EHCI) with a CVSSv3 base score of 9.3. A malicious actor with local administrative privileges on a virtual machine could take advantage of this flaw to execute code as the virtual machine's VMX process on the host. Exploitation on ESXi is contained within the VMX sandbox, whereas on Workstation and Fusion, this may result in code execution on the machine where they are installed. The company also addressed command injection and directory traversal security flaws affecting the VMware vRealize Network Insight (vRNI) solution. These vulnerabilities are tracked as CVE-2022-31702 and CVE-2022-31703, respectively. This article continues to discuss the flaws recently fixed by VMware.

    Security Affairs reports "VMware Fixed Critical VM Escape Bug Demonstrated at GeekPwn Hacking Contest"

  • news

    Visible to the public "The DOD Aims for Full Zero Trust Deployment by 2027"

    According to the Department of Defense (DOD) CIO John Sherman, the Pentagon plans to implement a zero trust architecture across its entire enterprise by 2027. The goal is to have zero trust deployed across most of the DOD's enterprise systems. Sherman stated that while that is an ambitious goal for those familiar with zero trust, the adversary capability forces them to move at that rate. Remote work and connected devices are common in today's world. A company's technology stack is constantly being supplemented with new tools and applications. Therefore, enterprises can no longer define a perimeter to protect themselves, no matter how hard they try. Security must now be validated for each app, user, software, and device. With zero trust, all requests are assumed to be unauthorized until proven otherwise. Instead of relying on a single technology, zero trust employs various strategies, including multi-factor authentication (MFA), micro-segmentation, and Artificial Intelligence (AI)-driven contextual analytics. Organizations that adopt the zero trust strategy incur 20.5 percent lower costs for a data breach than those that do not. Companies that use zero trust save nearly $1 million in average breach costs compared to those without it. This article continues to discuss the Pentagon's plans to implement a zero trust architecture across its entire enterprise by 2027.

    Security Intelligence reports "The DOD Aims for Full Zero Trust Deployment by 2027"

  • news

    Visible to the public "Identifying Software Vulnerabilities Quickly and Efficiently"

    Fuzzware is a new system developed by researchers at Ruhr University Bochum's Horst Gortz Institute for Information Technology (IT) Security that specializes in analyzing embedded systems, which are minicomputers found in smart light bulbs, intelligent thermostats, Industrial Control Systems (ICS), and more. In order to detect errors in program code, the group employs fuzzing. Fuzzers are algorithms that feed random inputs into tested software to see if they can cause the application to crash. If there are programming errors, the software will crash. The fuzzer diversifies the input to explore as many program components as possible. Fuzzing is already used for testing operating systems such as Windows or Linux. However, it has not yet been widely used to test embedded systems because they present several challenges. The software, known as firmware, is embedded in the hardware with which it interacts. The systems often have limited memory and slow processors, thus presenting a problem if researchers want to perform direct fuzzing on the system. Testing all possible inputs and waiting for the system's response would take significant time, so the team does not examine the firmware in the industrial control unit or the light bulb directly. Instead, they virtually recreate the hardware in a process known as emulation. The emulator convinces the firmware that it is inside the real device by interacting with the program in the same way that the real hardware would. The researchers add another step to the fuzzing process to accelerate the procedure by narrowing down the possible inputs. They created a framework in which the inputs must be placed in order to be logical for the firmware. The Bochum team used Fuzzware to test 77 firmwares with colleagues from Santa Barbara and Amsterdam. In comparison to traditional fuzzing methods, they sorted out up to 95.5 percent of all possible inputs. This article continues to discuss the concept of fuzz testing and the development behind the new Fuzzware system.
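    The item describes fuzzing in two sentences: feed varied inputs to a program, keep the ones that reach new parts of it, and watch for crashes. The block below is an added, self-contained illustration of that loop in Python; it is not Fuzzware and not code from the Bochum team, and it does none of the hardware emulation or input narrowing that the article credits Fuzzware with. The target is a constructed toy parser with a deliberate truncation bug, the coverage points are hand-instrumented, and the mutation operators and seed values are assumptions of this example.

```python
import random

# Program points reached during the current run; cleared before each execution.
COVERAGE = set()


def _cov(point: str) -> None:
    COVERAGE.add(point)


def parse_record(data: bytes) -> bytes:
    """Constructed target: a length-prefixed record parser with a deliberate bug.

    Layout: one length byte n, followed by n payload bytes.  A ValueError for
    empty input is intended behaviour; the IndexError on truncated records is
    the bug the fuzzer should find.
    """
    _cov("entry")
    if not data:
        _cov("empty")
        raise ValueError("empty input")
    n = data[0]
    if n == 0:
        _cov("zero_len")
        return b""
    _cov("nonzero_len")
    payload = data[1:1 + n]       # BUG: never checks that n bytes really follow
    _cov("slice")
    if payload[n - 1] == 0xFF:    # IndexError when the record is shorter than n
        _cov("ff_terminated")
        return payload[:-1]
    _cov("plain")
    return payload


def mutate(rng: random.Random, data: bytes) -> bytes:
    """Apply one random byte-level mutation: overwrite, insert or delete."""
    buf = bytearray(data)
    op = rng.randrange(3)
    if op == 0 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == 1:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif buf:
        del buf[rng.randrange(len(buf))]
    return bytes(buf)


def run_one(target, data: bytes):
    """Execute the target once; return (coverage reached, exception or None)."""
    COVERAGE.clear()
    try:
        target(data)
    except ValueError:            # expected rejection of bad input, not a bug
        return frozenset(COVERAGE), None
    except Exception as exc:      # anything else counts as a crash
        return frozenset(COVERAGE), exc
    return frozenset(COVERAGE), None


def fuzz(target, seeds, iterations: int = 2000, rng_seed: int = 7) -> dict:
    """Coverage-guided mutation fuzzing: keep inputs that reach new program points."""
    rng = random.Random(rng_seed)  # fixed seed so a run is reproducible
    corpus = list(seeds)
    seen = set()
    crashes = {}                   # exception type name -> first input that caused it
    for s in seeds:
        cov, _ = run_one(target, s)
        seen |= cov
    for _ in range(iterations):
        child = mutate(rng, rng.choice(corpus))
        cov, exc = run_one(target, child)
        if exc is not None:
            crashes.setdefault(type(exc).__name__, child)
        elif not cov <= seen:      # new program component explored: keep this input
            seen |= cov
            corpus.append(child)
    return {"crashes": crashes, "coverage": seen, "corpus_size": len(corpus)}


if __name__ == "__main__":
    result = fuzz(parse_record, [b"\x03abc"])
    for name, inp in result["crashes"].items():
        print(f"{name}: {inp!r}")
    print("coverage:", sorted(result["coverage"]))
```

Every crashing input is kept as a reproducer, which is the output a developer actually needs; on real firmware the same loop sits behind an emulator, and the coverage signal comes from the emulated CPU rather than from hand-placed markers.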

    Ruhr University Bochum reports "Identifying Software Vulnerabilities Quickly and Efficiently"

  • news

    Visible to the public "HackerOne Surpasses $230 Million in Paid Bug Bounties"

    Bug bounty platform HackerOne recently found that ethical hackers have identified and reported more than 65,000 software vulnerabilities in 2022. The popular hacker-powered platform, which hosts bug bounty programs for both private and public organizations, including government agencies, has paid out a total of $230 million in bug bounties since its inception. HackerOne noted that to date, 22 hackers submitted vulnerability reports through their bug bounty program and have earned over $1 million in bounties, up from 12 in 2021. HackerOne stated that reports for vulnerability types typically introduced by digital transformation had seen the most significant growth, with misconfigurations growing by 150% and improper authorization by 45%. The overall time to remediation has also increased from 35 to 37 days. HackerOne found that aviation and aerospace companies were the slowest to patch, with a median time to remediate of 148.3 days, followed by medical technology organizations, at 73.9 days. Cryptocurrency and blockchain firms were the fastest, with 11.6 days to remediate. According to HackerOne, organizations need to implement effective vulnerability reporting means, as 50% of ethical hackers chose not to disclose the identified security issues because the impacted entities did not have a vulnerability disclosure program. Others (12%) were deterred by threatening legal language. HackerOne noted that cross-site scripting (XSS) vulnerabilities earned ethical hackers the largest amount of money in 2022, followed by improper access control bugs and information disclosure flaws. Insecure direct object reference (IDOR) and improper authorization rounded out the top five. HackerOne also found that 95% of ethical hackers focus on identifying vulnerabilities in websites, while 24% of them focus on cloud platforms. HackerOne observed an overall 45% increase in the use of vulnerability disclosure programs, with organizations in the pharmaceutical sector registering the highest increase, at 700%. The automotive, telecommunications, and cryptocurrency and blockchain industries also registered a rise in the use of vulnerability disclosure programs, at 400%, 156%, and 143% growth, respectively.

    SecurityWeek reports: "HackerOne Surpasses $230 Million in Paid Bug Bounties"

  • news

    Visible to the public "ESF Members NSA and CISA Provide Threat Assessment, Best Practices for 5G Network Slicing"

    Enduring Security Framework (ESF) partners, in collaboration with experts from the National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA), published an assessment of potential threats associated with 5G network slicing, as well as strategies to help keep this emerging technology secure. The 5G technology standard for broadband cellular networks has the potential to increase data download and upload speeds, reduce latency, and enable more devices to connect to the Internet at the same time. Network slicing is a 5G network architecture that allows mobile service providers to divide their network into several independent "slices" in order to create specific virtual networks for different clients and use cases. The new report identifies management strategies to ensure each network slice's confidentiality, integrity, and availability. The Department of Defense (DOD) is integrating 5G technology into its enterprise. The ability to slice the network across the entire 5G system is a critical new capability that 5G provides over LTE. Therefore, the ability to use network slicing in a secure manner is required if the DOD is to use the feature, according to Andrew Thiessen, Chief Technologist of the DOD 5G Cross Functional Team. This assessment's threat and security considerations are aimed at mobile service providers, hardware manufacturers, software developers, and system integrators who design, deploy, operate, or maintain 5G networks. As new 5G policies and standards are released, there is still the possibility of end-user threats. There are risks associated with standard development, such as standard bodies developing optional controls that operators do not implement. Operators may introduce gaps in the network and invite malicious threat actors if these subjective security measures are not implemented. This article continues to discuss the 5G network slicing threat assessment and best practices published by the ESF, NSA, and CISA.

    NSA reports "ESF Members NSA and CISA Provide Threat Assessment, Best Practices for 5G Network Slicing"

  • news

    Visible to the public "Unsafe on Any Site -- Over Three-Quarters of Americans Admit to Risky Online Behavior"

    According to the new Xfinity Cyber Health Report from Comcast, 78 percent of Americans engage in risky online behaviors that expose them to cyber threats, such as reusing or sharing passwords, skipping software updates, and more, which is a 14 percent increase from two years ago. Comcast's Xfinity Cyber Health Report combines data from a new Wakefield Research consumer survey of 1,000 US adults with national threat data collected by Xfinity's xFi Advanced Security platform. Among the findings is that Xfinity xFi homes have an average of 15 connected devices, a 25 percent increase from 2020. The average power user has 34 devices. In addition, 58 percent of consumers are planning to purchase at least one connected device this holiday season. Xfinity's xFi Advanced Security platform blocks an average of 23 unique threats per home each month, with the total number of attacks at least three-to-four times that number. According to the report, people continue to underestimate threats, with 74 percent of Americans believing their home network is attacked less than ten times per month. Sixty-one percent believe devices are secure right out of the box when purchased. Only 20 percent of those surveyed said they would immediately know if they fell victim to a cyberattack. Another 32 percent are unsure they would ever know if they were a cyberattack victim. Fifty-one percent of the respondents are unsure if they would know if a non-screen device, such as a robot vacuum or a smart plug, was hacked. This article continues to discuss key findings from Comcast's Xfinity Cyber Health Report.

    BetaNews reports "Unsafe on Any Site -- Over Three-Quarters of Americans Admit to Risky Online Behavior"

  • news

    Visible to the public "Cyber Attack on Australia's TPG Telecom Affects 15,000 Customers"

    TPG Telecom, an Australian telecommunications company, has been hit by a cyberattack that has put the data of 15,000 customers at risk. On December 13, Mandiant notified the company that it had discovered evidence of unauthorized access to a hosted exchange service. TPG Telecom then notified customers the following day, on December 14, that the affected service hosts email accounts for 15,000 iiNet and Westnet customers, both of which are owned by the telecommunications company. According to TPG Telecom, a preliminary analysis indicated that the attacker was looking for cryptocurrency and financial data. This is the third cyberattack on an Australian telecommunications company since October 2022. Telstra, the country's largest telecommunications company, was hit by a data breach in October 2022, affecting about 30,000 past and present employees. In October, Optus was hacked, resulting in a data breach affecting 10 million customers. In December 2022, Telstra disclosed that an internal Information Technology (IT) error resulted in a data leak that affected hundreds of thousands of customers. Due to the number of damaging cyberattacks targeting Australia in recent months, the government decided in December 2022 to begin developing a new cybersecurity strategy, in hopes of strengthening the nation's critical infrastructure, government networks, and overall cybersecurity capabilities.

    ITPro reports "Cyber Attack on Australia's TPG Telecom Affects 15,000 Customers"

  • news

    Visible to the public "SAP's December 2022 Security Updates Patch Critical Vulnerabilities"

    German software maker SAP recently announced the release of 14 new and five updated security notes as part of its December 2022 Security Patch Day, including four notes that address critical vulnerabilities in Business Client, BusinessObjects, NetWeaver, and Commerce. With a CVSS score of 10, the most severe of SAP's security notes updates a note released on the April 2018 Patch Day, which deals with software updates for the Chrome-based browser in SAP Business Client. The second security note that SAP marked as hot news resolves a server-side request forgery (SSRF) in the BusinessObjects platform. Tracked as CVE-2022-41267 (CVSS score of 9.9), the vulnerability allows an attacker with "normal BI user privileges" to replace any file on the BusinessObjects server at the operating system level. SAP noted that this enables the attacker to take full control of the system and has a significant impact on the confidentiality, integrity, and availability of the application. The third hot news security note in SAP's December 2022 Security Patch Day resolves a critical improper access control flaw in NetWeaver's user defined search (CVE-2022-41272, CVSS score of 9.9) that could allow attackers to perform unauthorized operations. The last hot news note that SAP released this month deals with a remote command execution bug associated with Apache Commons Text in SAP Commerce (CVE-2022-42889, CVSS score of 9.8). SAP noted that the vulnerability was disclosed in October 2022 and has been compared to the notorious Log4Shell vulnerability, although it is not as widespread. This month, SAP also announced the release of five high-priority security notes that resolve vulnerabilities in BASIS, Business Planning and Consolidation, BusinessObjects, Commerce, and SAPUI5. Two of these are updates to notes released in October and November 2022. The remaining security notes that SAP announced on the December 2022 Security Patch Day deal with medium-severity vulnerabilities in Disclosure Management, NetWeaver, Solutions Manager, BusinessObjects, Sourcing, and Contract Lifecycle Management.

    SecurityWeek reports: "SAP's December 2022 Security Updates Patch Critical Vulnerabilities"

  • news

    Visible to the public "High-Severity Memory Safety Bugs Patched With Latest Chrome 108 Update"

    Google recently announced a Chrome update that resolves eight vulnerabilities in the popular browser, including five reported by external researchers. All five security defects are use-after-free flaws, a type of memory safety bug that has been prevalent in Chrome over the past years and which Google has long battled to eliminate. According to Google, four of these issues are high-severity bugs, impacting components such as Blink Media, Mojo IPC, Blink Frames, and Aura. Google noted that the vulnerabilities have been issued CVE identifiers CVE-2022-4436 to CVE-2022-4439 and are accompanied by CVE-2022-4440, a medium-severity use-after-free. Google says it has paid $17,500 in bug bounties to the reporting researchers, but the final amount might be higher, as only four out of five rewards have been disclosed. The latest Chrome browser release is currently rolling out to Mac and Linux users as version 108.0.5359.124 and to Windows users as version 108.0.5359.124/.125. Google has not mentioned whether or not any of these vulnerabilities are being exploited in malicious attacks. To date, there have been nine documented Chrome zero-day flaws in 2022.

    SecurityWeek reports: "High-Severity Memory Safety Bugs Patched With Latest Chrome 108 Update"

  • news

    Visible to the public "Loan Fee Fraud Surges by a Fifth as Christmas Approaches"

    The UK's financial regulator has recently warned of an increase in scams promising non-existent loans as fraudsters look to pressure consumers struggling to make ends meet before Christmas. The Financial Conduct Authority (FCA) polled 2000 UK consumers last month. The FCA found that loan fee fraud rose 21% year-on-year for the 12-month period November 2021-October 2022. This doesn't include those who reported to the FCA but managed to avoid being scammed out of money. The FCA noted that victims typically receive an unsolicited call, text, or email offering them a loan and are pressured into making an upfront payment as a "deposit" or "admin fee" in order to proceed. However, there is no loan, and the scammers pocket the cash. The FCA found that two-fifths of consumers feel pressured by family and friends to maintain their usual Christmas spending this year, while a third are concerned about how they will afford it. More than one in eight participants said they plan to take out a loan this year. Worryingly, the regulator claimed that nearly two-thirds (64%) of consumers don't know what loan fee fraud is, and only a fifth (22%) can identify its warning signs. The FCA noted that the average amount lost is 260 pounds ($322), more than half the amount UK consumers expect to spend on presents this Christmas. The FCA stated, "if you are considering taking out a loan, please pause and check the FCA's Register to make sure you are dealing with a legitimate lender. Don't let scammers be the ones enjoying your Christmas this year."

    Infosecurity reports: "Loan Fee Fraud Surges by a Fifth as Christmas Approaches"

  • news

    Visible to the public "3.5M IP Cameras Exposed, With US in the Lead"

    Businesses and homeowners are increasingly relying on Internet Protocol (IP) cameras for surveillance. However, this gives them a false sense of security because threat actors can access and monitor a user's camera feed and use the unsecured device to hack into their network. According to new Cybernews research, the use of Internet-facing cameras is increasing exponentially. The Cybernews research team discovered 3.5 million IP cameras exposed to the Internet after looking at 28 of the most popular manufacturers, representing an eightfold increase since April 2021. Although default security settings have improved over the course of the review, some popular brands still use default passwords or do not require authentication, allowing anyone to spy on users. Furthermore, Chinese companies manufacture most of the Internet-facing cameras. While cosmetic security measures have been implemented, security leaders have long warned that the Chinese government can exploit Chinese companies' technologies. Most of the analyzed brands (96.44 percent of the discovered cameras) require users to set passwords or generate unique default passwords on the most recent models and firmware versions. This is a positive trend, but it does not imply that all cameras are safe, as the vast majority of these cameras are likely to be running outdated firmware. Currently, 3.56 percent (127,000) of all analyzed cameras recommend but do not enforce changing the default password. Over 21,000 cameras lacked an authentication setup, allowing anyone to access them and putting owners at risk of cyberattack. According to the study, most public-facing cameras that may be using default credentials are used in the US, where the team discovered over 458,000 such devices. Vietnam is the second most affected country, with almost 365,000 cameras, followed by the UK, with nearly 250,000 cameras. This article continues to discuss the surge in IP cameras, Chinese companies manufacturing the majority of Internet-facing cameras, the brands found to be the most insecure, and how users can bolster the security of their IP cameras.

    Cybernews reports "3.5M IP Cameras Exposed, With US in the Lead"

  • news

    Visible to the public "Apple Fixes 'Actively Exploited' Zero-Day Security Vulnerability Affecting Most iPhones"

    Apple has confirmed that a two-week-old iPhone software update fixed a zero-day security vulnerability, which it now says was actively exploited. The update, iOS 16.1.2, was released on November 30 to all supported iPhones, including the iPhone 8 and later, and included unspecified important security updates. According to Apple's security updates page, the update fixed a flaw in WebKit, the browser engine that powers Safari and other apps. If exploited, the flaw could allow malicious code to run on the person's device. Apple stated that the WebKit bug was discovered and reported by security researchers at Google's Threat Analysis Group (TAG), which investigates nation-state-backed spyware, hacking, and cyberattacks. WebKit bugs are often exploited when a user visits a malicious domain in their browser or via an in-app browser. It is not uncommon for threat actors to discover vulnerabilities in WebKit that can allow them to gain access to the device's operating system and the user's private data. In addition, WebKit flaws can be combined with other flaws to bypass multiple layers of a device's defenses. According to Apple, the vulnerability was exploited against iOS versions prior to iOS 15.1, which was released in October 2021. Apple has also released iOS and iPadOS 15.7.2 to address the WebKit vulnerability in iPhone 6s and later models, as well as some iPad models. This article continues to discuss the actively exploited WebKit vulnerability that Apple has fixed.

    TechCrunch reports "Apple Fixes 'Actively Exploited' Zero-Day Security Vulnerability Affecting Most iPhones"

  • news

    Visible to the public "Google Releases Vulnerability Scanner for Open-Source Software, Backed by Community-Editable Database"

    Google has announced the release of Open Source Vulnerability (OSV)-Scanner, a free vulnerability scanner that gives developers access to vulnerability information about open-source projects, drawing on what is said to be the largest community-editable database of open-source vulnerabilities. OSV-Scanner allows developers to match code and dependencies against lists of known vulnerabilities and determine whether patches or updates are available. It provides security teams with a tool for automating the discovery and patching of vulnerabilities throughout the software supply chain, allowing them to eliminate potential entry points before hackers can exploit them. Last year, Google released the OSV schema and the OSV.dev vulnerability database service. The OSV-Scanner has been released at a time when many organizations struggle to manage vulnerabilities, with enterprises taking an average of 60 days to patch critical risk vulnerabilities. Google intends to expand the solution by providing greater integration with developer workflows through standalone CI actions to schedule and track new vulnerabilities, as well as by building a larger database of C/C++ vulnerabilities. This article continues to discuss the launch of Google's OSV-Scanner.

    VB reports "Google Releases Vulnerability Scanner for Open-Source Software, Backed by Community-Editable Database"

  • news

    Visible to the public "Microsoft Squashes Zero-Day, Actively Exploited Bugs in Dec. Update"

    Microsoft has patched 48 new vulnerabilities in its products, including one that attackers are actively exploiting and another that was publicly disclosed but is not currently being exploited. Six of the vulnerabilities addressed in the company's final monthly security update for the year are classified as critical. It assigned an important severity rating to 43 vulnerabilities and a moderate severity rating to three flaws. Microsoft's update includes patches for out-of-band CVEs addressed in the previous month, as well as 23 vulnerabilities in Google's Chromium browser technology. The flaw being actively exploited by attackers is not one of the more serious bugs patched. The flaw allows attackers to circumvent the Windows SmartScreen security feature, which protects users from malicious files downloaded from the Internet. According to Microsoft, an attacker can create a malicious file that can evade Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features that rely on MOTW tagging, such as Protected View in Microsoft Office. According to Kevin Breen, Immersive Labs' director of cyber threat research, this flaw poses only a minor risk to organizations as it must be used together with an executable file or other malicious code, such as a document or script file. In these cases, this CVE bypasses some of Microsoft's built-in reputation scanning and detection, specifically SmartScreen, which would normally alert a user that the file may not be safe. However, users should not underestimate the threat and should patch the flaw as soon as possible. Another flaw, an elevation of privilege issue in the DirectX Graphics kernel, was described by Microsoft as a publicly known zero-day but not actively exploited. The vulnerability, labeled as important, would allow an attacker to gain system-level privileges if exploited. This article continues to discuss some of the vulnerabilities addressed in Microsoft's final Patch Tuesday of the year.

    Dark Reading reports "Microsoft Squashes Zero-Day, Actively Exploited Bugs in Dec. Update"

  • news

    Visible to the public "Nosey Parker: Find Sensitive Information in Textual Data and Git History"

    Praetorian has open-sourced the Nosey Parker secret scanning tool's regular expression-based (RegEx) scanning capabilities. One of the more common attack vectors for an organization is inadvertent secret disclosure. Nosey Parker addresses the pervasive problem of sensitive information such as passwords, Application Programming Interface (API) keys, access tokens, asymmetric private keys, client secrets, and credentials being exposed in source code and configuration files. If an attacker discovers these secrets, they could use them to gain access to other systems. Application security engineers, cloud security engineers, site reliability engineers, and developers can use the open-source RegEx version to quickly find the number of security incidents and their location, avoiding a manual, time-consuming process. According to Praetorian, the newly released version scans 100 gigabytes of Linux kernel source history on a laptop in five minutes.

    Help Net Security reports "Nosey Parker: Find Sensitive Information in Textual Data and Git History"

  • news

    Visible to the public "Amazon ECR Public Gallery Flaw Could Have Wiped or Poisoned Any Image"

    A critical security flaw in the Amazon Elastic Container Registry (ECR) Public Gallery could have enabled attackers to delete any container image or inject malicious code into images from other Amazon Web Services (AWS) accounts. The Amazon ECR Public Gallery is a public repository of container images that are used to share ready-to-use applications and popular Linux distributions such as Nginx, EKS Distro, Amazon Linux, CloudWatch agent, and Datadog agent. A Lightspin security analyst discovered a new flaw in the ECR Public Gallery that allows users to modify other users' existing public images, layers, tags, registries, and repositories by abusing undocumented Application Programming Interface (API) actions. On November 15, 2022, the researcher reported the vulnerability to AWS Security, and Amazon fixed it in less than 24 hours. Although there is no evidence of this flaw being exploited in the wild, threat actors could have used it in large-scale supply chain attacks against many users. The top six most downloaded container images in ECR Public Gallery have had over 13 billion downloads, indicating that any malicious injection could have resulted in "out-of-control" infections. According to Lightspin, 26 percent of all Kubernetes clusters have at least one pod that pulls an image from the ECR Public Gallery. Therefore, the consequences could have been significant. This article continues to discuss the potential exploitation and impact of the severe security flaw discovered in the Amazon ECR Public Gallery.

    Bleeping Computer reports "Amazon ECR Public Gallery Flaw Could Have Wiped or Poisoned Any Image"

  • news

    Visible to the public "Ransomware Attackers Use Microsoft-Signed Drivers to Gain Access to Systems"

    Microsoft has revealed that it took action to suspend accounts used to publish malicious drivers certified by its Windows Hardware Developer Program, which were used to sign malware. The activity was limited to a number of developer program accounts, and no further compromise was discovered. Not only does cryptographically signing malware undermine a critical security mechanism, but it also allows threat actors to circumvent traditional detection methods and infiltrate target networks to perform highly privileged operations. On October 19, 2022, cybersecurity firms Mandiant, SentinelOne, and Sophos notified Redmond of rogue drivers being used in post-exploitation efforts, including the deployment of ransomware. One distinguishing feature of these attacks was that the adversary had already obtained administrative privileges on compromised systems before deploying the drivers. According to Microsoft, several developer accounts for the Microsoft Partner Center were involved in submitting malicious drivers in order to obtain a Microsoft signature. A new attempt to submit a malicious driver for signing on September 29, 2022, resulted in the sellers' accounts being suspended. Sophos discovered that the threat actors associated with the Cuba ransomware, also known as COLDDRAW, planted a malicious signed driver in a failed attempt to disable endpoint detection tools using a novel malware loader called BURNTCIGAR, which Mandiant first discovered in February 2022. The company also discovered three variants of the driver that were signed with code signing certificates belonging to two Chinese companies, Zhuhai Liancheng Technology and Beijing JoinHope Image Technology. This article continues to discuss ransomware attackers using malicious drivers certified by Microsoft.

    THN reports "Ransomware Attackers Use Microsoft-Signed Drivers to Gain Access to Systems"

  • news

    Visible to the public "Major Android Security Leak: Manufacturer Signing Keys Used To Validate Malware Apps"

    A security issue involving manufacturer signing keys from major device manufacturers such as LG and Samsung has opened the door for malware apps to infiltrate user devices as legitimate updates. These malware apps can grant an attacker complete system-level access to an Android device because the operating system trusts any app signed with this key. This attack would not necessarily need the end user to download a new app because it could be delivered as an update to an existing app on the device. Whether the app was installed through the Play Store, a manufacturer-specific outlet such as the Galaxy Store, or was sideloaded independently makes no difference. Google disclosed the security leak but did not name the manufacturers involved. However, through subsequent listings on VirusTotal, independent researchers were able to learn the names of some of the companies that had keys stolen, which include Samsung, LG, Mediatek, RevoView, and SZROCO. Although Google only recently disclosed the security breach to the public, it claims that Samsung, LG, and all other known impacted companies had resolved the issue by May 2022. APKMirror, a third-party Android app archiving site, reports that malware apps using signed keys from Samsung were recently uploaded. VirusTotal reports exploits involving signed malware apps dating back to 2016. The manufacturers involved claim to have resolved the issue within their own environments, but it is impossible to know if other manufacturers were impacted and their current status. According to Ivan Wallis, Global Architect at Venafi, any manufacturer with these signing keys must act immediately. This situation illustrates the lack of proper security controls over code signing certificates, specifically signing keys for the Android platform. These certificate leaks follow the same pattern: vendor certificates made their way into the wild, allowing for misuse and the potential to sign malicious Android applications masquerading as certain vendors. Bad actors can gain access to the same permissions as the core service. Since there is a lack of information surrounding code signing, it is difficult to determine the impact of a breach because the private key could be anywhere. At this point, the code signing environment must be considered fully compromised, and key/certificate rotation must occur immediately. This article continues to discuss the potential impact of the Android security leak.

    CPO Magazine reports "Major Android Security Leak: Manufacturer Signing Keys Used To Validate Malware Apps"

  • news

    Visible to the public "Inside the Mind of a Cybercriminal: Do Digital Law Breakers Have a Personality Type?"

    Malicious hackers have long been stereotyped as antisocial, loners, and computer addicts by the general public. However, a scientific examination has revealed a more nuanced and complex picture of cybercriminals, with many threat actors showing skills and traits that would be considered positive or even admirable depending on context. A recent study led by Marleen Weulen Kranenbarg, assistant professor of criminology at Amsterdam's Vrije University, highlights the specific personal characteristics of digital offenders by comparing 261 cybercrime suspects to offline offenders. According to the study, cyber offenders have higher levels of diligence, conscientiousness, and self-regulation but low levels of modesty, fearfulness, flexibility, and aesthetic appreciation. Studying the specific mindsets and psychological proclivities of cybercriminals may be worthwhile in part because online crime is steadily increasing while other forms of offline crime are becoming less frequent. Furthermore, online and offline crime differ in significant ways that may influence the behavior of both cybercriminals and their victims. The researchers used the HEXACO personality inventory on 260 offline criminals and 261 online criminals who were formally suspected of committing either a cyber-dependent crime or an offline crime between 2000 and 2013. A community sample of 512 people who took the HEXACO test is also included in the study. Individuals are judged by HEXACO's model along six personality dimensions: honesty-humility, emotionality, extraversion, agreeableness, conscientiousness, and openness to experience. The findings show that the stereotype of the lone, socially awkward hacker is far from accurate. Many cybercriminals have a combination of positive skillsets and personality traits associated with the offline criminal community sample datasets. For example, cyber offenders' tendency to be thorough, detail-oriented, and cautious is advantageous when committing cybercrime. This article continues to discuss the study on the "cybercriminal personality" and how such insights into cybercriminals could help develop better defenses.

    SC Magazine reports "Inside the Mind of a Cybercriminal: Do Digital Law Breakers Have a Personality Type?"

  • news

    Visible to the public "ASU Researchers Collaborate Internationally to Secure Power Grid"

    Yang Weng, an assistant professor of electrical engineering at Arizona State University's Ira A. Fulton Schools of Engineering, is leading a cybersecurity collaboration that bridges American and Israeli organizations to improve both countries' capabilities to defend against cyberattacks on energy grid and water systems. The Israel-US Initiative on Cybersecurity Research and Development for Energy (ICRDE) came out of a proposal Weng sent to the Israel-US Binational Industrial Research and Development (BIRD) Foundation. The center was approved and officially opened in 2021. The collaboration's research is divided into three main themes: modeling and understanding physical processes in energy grid computer systems while developing a related knowledge database of cyberattack types; developing advanced monitoring tools to detect cyberattacks; and designing tools to increase system resilience and ensure reliability if the energy grid faces a cyberattack. As these are broad overarching themes, the researchers devised smaller projects to help the coalition achieve its goal of defeating cybersecurity threats. The first theme, database creation and cyber-physical interaction modeling, is represented by two projects. They will develop technology capable of understanding the physical processes in an energy system and modeling them in such a way that operators can recognize when a cyberattack is happening. These projects also aim to build a knowledge database of known energy grid cyberattack types. Another project focuses on developing advanced tools for detecting cyberattacks, with the goal of developing Artificial Intelligence (AI)-based detection methods that can detect new types of cyberattacks that have not yet been cataloged. One of the most important aspects of the project is ensuring that the Machine Learning (ML) models can be understood by the humans performing actual cybersecurity actions. This ensures that users of ML tools can distinguish between actionable results and faulty AI-powered recommendations based on tampered data. This article continues to discuss the projects aimed at protecting energy grids from cyberattacks.

    ASU reports "ASU Researchers Collaborate Internationally to Secure Power Grid"