AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response


InfoSec News Nuggets 02/06/2023

Atlassian fixes critical bug giving access to Jira Service Management 

A critical vulnerability in Atlassian’s Jira Service Management Server and Data Center could allow an unauthenticated attacker to impersonate other users and gain remote access to the instance. Atlassian says the issue affects versions 5.3.0 through 5.5.0 and that attackers can get “access to a Jira Service Management instance under certain circumstances.” Tracked as CVE-2023-22501, the vulnerability carries a critical severity score of 9.4 as calculated by Atlassian. The attack hinges on obtaining signup tokens, which is possible when the attacker is included on Jira issues or requests with the target user, or when the attacker obtains an email containing a “View Request” link from that user; either condition alone is enough. Bot accounts are particularly exposed because they interact with many users and are therefore more likely to appear on issues and requests or to have such emails sent on their behalf. 


Scores of Redis Servers Infested by Sophisticated Custom-Built Malware 

An unknown threat actor has been quietly mining Monero cryptocurrency on Redis servers around the world for years, using custom-built malware that is virtually undetectable by agentless and conventional antivirus tools. Since September 2021 the actor has compromised at least 1,200 Redis servers, which thousands of mostly smaller organizations run as a database or a cache, and taken complete control of them. Researchers from Aqua Nautilus, who spotted the campaign when an attack hit one of their honeypots, are tracking the malware as “HeadCrab.” 


Dashlane publishes its source code to GitHub in transparency push 

Password management company Dashlane has made its mobile app code available on GitHub for public perusal, which it describes as a first step in a broader push to make its platform more transparent. The Dashlane Android app code is available now alongside the iOS code, and the repository also appears to include the Apple Watch and Mac apps even though Dashlane hasn’t specifically announced that. The company said it eventually plans to publish the code for its web extension on GitHub too. 


Stalkerware Developer Hit with $400K Fine 

The developer of several stalkerware apps has been handed a fine of roughly $400,000 and ordered to modify the software. A group of 16 companies owned by Patrick Hinchy produced the snooping apps Auto Forward, Easy Spy, DDI Utilities, Highster Mobile, PhoneSpector, Surepoint and TurboSpy. These let customers secretly monitor a comprehensive range of activity on other people’s devices, including call logs; text messages; photos and videos; location; Gmail, WhatsApp and Skype; social media activity and browsing history. Although Hinchy promoted the software as legal, using it required installing it on other adults’ mobile devices, which breaks federal and New York state law, according to attorney general Letitia James. Hinchy also failed to tell customers about the damage installing the products could do to a device: the rooting or jailbreaking the apps rely on invalidates the manufacturer’s warranty. 


Ransomware scum launch wave of attacks on critical, but old, VMWare ESXi vuln 

France’s Computer Emergency Response Team has issued a Bulletin D’Alerte (alert bulletin) regarding a campaign to infect VMware’s ESXi hypervisor with ransomware. We get a little language lesson with this one: France’s CERT describes the campaign as an attempt to “déployer un rançongiciel” (“deploy ransomware”), while Italy’s Agenzia per la Cybersicurezza Nazionale, which has also warned of the campaign, says a “rilascio di ransomware” (“ransomware release”) is under way. Neither nation’s infosec authorities offer any information about the source of the attack, but both note that it targets CVE-2021-21974, a CVSS 9.1 heap-overflow bug in the ESXi OpenSLP service that was disclosed and patched almost two years ago, in February 2021. 
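Because the bug is two years old, the practical question for a defender is which hosts are still on a pre-fix build and, of those, which still expose the SLP service. The script below is an added example, not code from the original post, CERT-FR or VMware. It parses the text that `vmware -vl` and `esxcli network firewall ruleset list` print on an ESXi host and classifies each host. The first fixed build numbers are taken from VMSA-2021-0002 and the CIMSLP ruleset name from VMware’s SLP-disable workaround; both are assumptions you should confirm against the advisory before relying on the output. The inventory data is constructed for the example.

```python
"""Triage ESXi hosts for CVE-2021-21974 exposure from collected inventory text.

Added example, not from the original post. Inputs are the outputs of
`vmware -vl` and `esxcli network firewall ruleset list` as gathered by whatever
inventory tooling you already run; the sample hosts below are constructed.
"""
import re

# First fixed build per branch according to VMSA-2021-0002.
# Assumption: confirm these against the advisory before relying on them.
# Branches not listed there (e.g. 6.0) are reported as "unknown-branch".
FIXED_BUILDS = {"7.0": 17325551, "6.7": 17499825, "6.5": 17477841}

# `vmware -vl` prints e.g. "VMware ESXi 6.7.0 build-17167734".
VMWARE_VL_RE = re.compile(r"VMware ESXi (\d+\.\d+)\.\d+ build-(\d+)")
# `esxcli network firewall ruleset list` prints "Name  Enabled" rows;
# CIMSLP is the ruleset for the SLP service on TCP/UDP 427 (assumption).
RULESET_RE = re.compile(r"^\s*CIMSLP\s+(true|false)\s*$", re.MULTILINE)


def parse_version(vmware_vl_output):
    """Return (branch, build) from `vmware -vl` text, e.g. ('6.7', 17167734)."""
    m = VMWARE_VL_RE.search(vmware_vl_output)
    if not m:
        raise ValueError("no ESXi version line found")
    return m.group(1), int(m.group(2))


def slp_ruleset_enabled(ruleset_output):
    """True if the CIMSLP firewall ruleset is enabled on the host."""
    m = RULESET_RE.search(ruleset_output)
    if not m:
        raise ValueError("CIMSLP ruleset not present in output")
    return m.group(1) == "true"


def classify(vmware_vl_output, ruleset_output):
    """Classify one host: patched, exposed, unpatched-slp-disabled or unknown-branch."""
    branch, build = parse_version(vmware_vl_output)
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        return "unknown-branch"
    if build >= fixed:
        return "patched"
    # Pre-fix build: the SLP workaround only helps if the ruleset is off.
    if not slp_ruleset_enabled(ruleset_output):
        return "unpatched-slp-disabled"
    return "exposed"


def triage(hosts):
    """Map host name -> verdict for a dict of name -> (vmware_vl, ruleset) text."""
    return {name: classify(vl, rs) for name, (vl, rs) in hosts.items()}


# Constructed sample inventory (not real hosts).
RULESET_ON = "Name       Enabled\n---------  -------\nsshServer  true\nCIMSLP     true\n"
RULESET_OFF = "Name       Enabled\n---------  -------\nsshServer  true\nCIMSLP     false\n"
SAMPLE_HOSTS = {
    "esx01": ("VMware ESXi 6.7.0 build-17167734\nVMware ESXi 6.7.0 Update 3\n", RULESET_ON),
    "esx02": ("VMware ESXi 7.0.1 build-17325551\nVMware ESXi 7.0 Update 1\n", RULESET_ON),
    "esx03": ("VMware ESXi 6.5.0 build-17097218\nVMware ESXi 6.5.0 Update 3\n", RULESET_OFF),
    "esx04": ("VMware ESXi 6.0.0 build-15517548\nVMware ESXi 6.0.0 Update 3\n", RULESET_ON),
}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_HOSTS).items():
        print(f"{name}: {verdict}")
```

Hosts that come back as "exposed" are the ones the CERT-FR bulletin is about; "unpatched-slp-disabled" hosts have the workaround in place but should still be patched, and "unknown-branch" hosts are on a branch the advisory does not cover and need a separate decision.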


School laptop auction devolves into extortion allegation 

When a Texas school district sold some old laptops at auction last year, it probably didn’t expect to end up in a public legal fight with a local computer repair shop, but a dispute over what to do with district data found on the liquidated machines has led to precisely that. The San Benito Consolidated Independent School District sold more than 3,500 devices at auction in July 2022, of which 700 were purchased by local computer repair and resale shop RDA Technologies. RDA co-owner David Avila said he found 11 hard drives the district had failed to wipe, which contained sensitive data on employees and students. Avila told local media that he reported the data to the district in October, saying “legally, it’s their job to wipe out or destroy hard drives.” 
