The Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies today to patch security vulnerabilities exploited as zero-days in recent attacks to install commercial spyware on mobile devices.
The flaws in question were abused in several exploit chains across two separate, highly targeted campaigns against Android and iOS users, as Google's Threat Analysis Group (TAG) recently revealed.
In the first series of attacks spotted in November 2022, the threat actors used separate exploit chains to compromise iOS and Android devices.
One month later, a complex chain of multiple 0-days and n-days was exploited to target Samsung Android phones running up-to-date Samsung Internet Browser versions.
The end payload was a spyware suite for Android capable of decrypting and extracting data from numerous chat and browser apps.
Both campaigns were highly targeted, and the attackers "took advantage of the large time gap between the fix release and when it was fully deployed on end-user devices," according to Google TAG's Clément Lecigne.
Google TAG's discovery was prompted by findings shared by Amnesty International's Security Lab, which also published details regarding domains and infrastructure used in the attacks.
CISA has added today five of the ten vulnerabilities used in the two spyware campaigns to its Known Exploited Vulnerabilities (KEV) catalog:
CVE-2021-30900 Apple iOS, iPadOS, and macOS Out-of-Bounds Write Vulnerability
CVE-2022-38181 Arm Mali GPU Kernel Driver Use-After-Free Vulnerability
CVE-2023-0266 Linux Kernel Use-After-Free Vulnerability
CVE-2022-3038 Google Chrome Use-After-Free Vulnerability
CVE-2022-22706 Arm Mali GPU Kernel Driver Unspecified Vulnerability
The cybersecurity agency gave Federal Civilian Executive Branch (FCEB) agencies three weeks, until April 20, to patch vulnerable mobile devices against attacks targeting these five security flaws.
According to the BOD 22-01 binding operational directive issued in November 2021, FCEB agencies must secure their networks against all bugs added to CISA's list of vulnerabilities known to be exploited in attacks.
While the BOD 22-01 directive only applies to FCEB agencies, CISA today strongly urged all organizations to prioritize patching these bugs to thwart exploitation attempts.
"These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise," CISA warned.
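The practical question for any organization that follows CISA's advice is which of its own open findings are on the KEV list and how long it has left to fix them. The script below is an added example, not part of the article and not a CISA tool: it parses a feed in the shape of the published KEV JSON (the live file is at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json) and triages a list of scanner findings against it. The embedded feed is a constructed subset containing only the five CVEs named above, with the April 20 due date from the article; the dateAdded values and the requiredAction wording are assumptions, and the asset names and the CVE-2022-31279 finding (used only as a CVE that is not in this sample feed) are illustrative.

```python
"""Triage scanner findings against a CISA KEV feed (added example, not the article's code)."""
import json
from datetime import date

# Constructed subset of the KEV feed in the feed's real JSON shape: a top-level
# "vulnerabilities" list whose entries carry cveID, product, vulnerabilityName,
# dateAdded, dueDate and requiredAction. CVE IDs and names are the five from the
# article; dueDate is the article's April 20 deadline; dateAdded is an assumption.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2021-30900", "product": "iOS, iPadOS, and macOS",
         "vulnerabilityName": "Apple iOS, iPadOS, and macOS Out-of-Bounds Write Vulnerability",
         "dateAdded": "2023-03-30", "dueDate": "2023-04-20",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2022-38181", "product": "Mali GPU Kernel Driver",
         "vulnerabilityName": "Arm Mali GPU Kernel Driver Use-After-Free Vulnerability",
         "dateAdded": "2023-03-30", "dueDate": "2023-04-20",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2023-0266", "product": "Linux Kernel",
         "vulnerabilityName": "Linux Kernel Use-After-Free Vulnerability",
         "dateAdded": "2023-03-30", "dueDate": "2023-04-20",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2022-3038", "product": "Chrome",
         "vulnerabilityName": "Google Chrome Use-After-Free Vulnerability",
         "dateAdded": "2023-03-30", "dueDate": "2023-04-20",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2022-22706", "product": "Mali GPU Kernel Driver",
         "vulnerabilityName": "Arm Mali GPU Kernel Driver Unspecified Vulnerability",
         "dateAdded": "2023-03-30", "dueDate": "2023-04-20",
         "requiredAction": "Apply updates per vendor instructions."},
    ],
})


def load_kev(feed_text):
    """Parse KEV feed JSON (live download or the sample above) into {cveID: entry}."""
    feed = json.loads(feed_text)
    return {entry["cveID"]: entry for entry in feed["vulnerabilities"]}


def triage(findings, kev, today):
    """findings: iterable of (asset, cve_id) pairs from a scanner.

    Returns one dict per finding, ordered so KEV entries come first and, among
    them, the ones with the least time left (or already overdue) come first.
    """
    rows = []
    for asset, cve in findings:
        entry = kev.get(cve)
        if entry is None:
            rows.append({"asset": asset, "cve": cve, "in_kev": False,
                         "status": "not in KEV", "days_left": None})
            continue
        days_left = (date.fromisoformat(entry["dueDate"]) - today).days
        status = "OVERDUE" if days_left < 0 else "due in %d days" % days_left
        rows.append({"asset": asset, "cve": cve, "in_kev": True,
                     "status": status, "days_left": days_left,
                     "product": entry["product"], "action": entry["requiredAction"]})
    # Non-KEV rows sort last; a large sentinel stands in for their missing due date.
    rows.sort(key=lambda r: (not r["in_kev"],
                             r["days_left"] if r["days_left"] is not None else 10 ** 6))
    return rows


if __name__ == "__main__":
    # Constructed scanner output; asset names are illustrative.
    scan = [("mobile-fleet", "CVE-2021-30900"),
            ("android-gpu-host", "CVE-2022-38181"),
            ("web-01", "CVE-2022-31279")]
    for row in triage(scan, load_kev(SAMPLE_KEV_JSON), date.today()):
        print("%-18s %-15s %s" % (row["asset"], row["cve"], row["status"]))
```

For the live feed, replace `SAMPLE_KEV_JSON` with the downloaded file's contents; the parsing is unchanged because the sample uses the same field names. Passing an explicit `today` rather than calling `date.today()` inside `triage` keeps the output reproducible in reports and tests.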
A new modular toolkit called 'AlienFox' allows threat actors to scan for misconfigured servers to steal authentication secrets and credentials for cloud-based email services.
The toolkit is sold to cybercriminals via a private Telegram channel, which has become a typical funnel for transactions among malware authors and hackers.
Researchers at SentinelLabs who analyzed AlienFox report that the toolset targets common misconfigurations in popular web application frameworks and e-commerce platforms, such as Laravel, Drupal, Joomla, Magento, Opencart, Prestashop, and WordPress.
The analysts have identified three versions of AlienFox, indicating that the author of the toolkit is actively developing and improving the malicious tool.
AlienFox targets your secrets
AlienFox is a modular toolset comprising various custom tools and modified open-source utilities created by different authors.
Threat actors use AlienFox to collect lists of misconfigured cloud endpoints from security scanning platforms like LeakIX and SecurityTrails.
Then, AlienFox uses data-extraction scripts to search the misconfigured servers for sensitive configuration files commonly used to store secrets, such as API keys, account credentials, and authentication tokens.
The targeted secrets are for cloud-based email platforms, including 1and1, AWS, Bluemail, Exotel, Google Workspace, Mailgun, Mandrill, Nexmo, Office365, OneSignal, Plivo, Sendgrid, Sendinblue, Sparkpostmail, Tokbox, Twilio, Zimbra, and Zoho.
The toolkit also includes separate scripts to establish persistence and escalate privileges on vulnerable servers.
Extracting secrets from AWS (left) and Office365 (right)(SentinelLabs)
An evolving toolset
SentinelLabs reports that the earliest version found in the wild is AlienFox v2, which focuses on web server configuration and environment file extraction.
Next, the malware parses the files for credentials and tests them on the targeted server, attempting to SSH using the Paramiko Python library.
AlienFox v2 also contains a script (awses.py) that automates sending and receiving messages through AWS SES (Simple Email Service) and establishes persistence with elevated privileges in the compromised AWS account.
Retrieving email addresses(SentinelLabs)
Finally, the second version of AlienFox features an exploit for CVE-2022-31279, a deserialization vulnerability on Laravel PHP Framework.
AlienFox v3 brought an automated key and secret extraction from Laravel environments, while stolen data now featured tags indicating the harvesting method used.
Most notably, the third version of the kit introduced better performance, now featuring initialization variables, Python classes with modular functions, and process threading.
The most recent version of AlienFox is v4, which features better code and script organization and an expanded targeting scope.
More specifically, the fourth version of the malware has added WordPress, Joomla, Drupal, Prestashop, Magento, and Opencart targeting, an Amazon.com retail site account checker, and an automated cryptocurrency wallet seed cracker for Bitcoin and Ethereum.
Wallet seed generator(SentinelLabs)
The new “wallet cracking” scripts indicate that the developer of AlienFox wants to expand the clientele for the toolset or enrich its capabilities to secure subscription renewals from existing customers.
To protect against this evolving threat, admins must ensure that their server configuration enforces proper access controls and file permissions (in particular, that .env and framework configuration files are not readable through the web server) and that unnecessary services are removed.
Additionally, implementing MFA (multi-factor authentication) and monitoring for any unusual or suspicious activity on accounts can help stop intrusions early.
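AlienFox's collection phase, as described above, comes down to finding environment and framework configuration files that a misconfigured server exposes and pulling credentials out of them; the mitigation is to find those files first. The audit script below is an added example, written for this page and not taken from AlienFox or from SentinelLabs' report. It walks a web root, flags configuration files that sit under the document root or are world-readable, and reports (masked) credential-looking values inside them. The file names it looks for are an assumption based on the frameworks the article lists; the AWS access key ID pattern (`AKIA` plus 16 characters) follows AWS's documented format, and the other patterns key on variable names rather than value formats. The demo tree it builds is constructed, and every key value in it is a placeholder (the AWS values are the example credentials from AWS's own documentation), not a real secret.

```python
"""Audit a web root for exposed config files and the secrets inside them.

Added example, not AlienFox code and not SentinelLabs' tooling. Builds a
constructed demo tree with placeholder credentials and audits it.
"""
import os
import re
import stat
import tempfile

# File names an AlienFox-style harvester goes after (assumption, based on the
# frameworks named in the article: Laravel .env, WordPress wp-config.php,
# Joomla configuration.php, Drupal settings.php, Magento env.php, generic config.php).
TARGET_NAMES = {".env", "wp-config.php", "configuration.php", "settings.php",
                "config.php", "env.php"}


def is_config_file(name):
    """True for exact target names and for .env variants such as .env.bak or .env.production."""
    return name in TARGET_NAMES or name.startswith(".env.")


SECRET_PATTERNS = [
    # AWS access key ID: "AKIA" followed by 16 uppercase alphanumerics (documented format).
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    # KEY=value lines in .env files whose variable name looks secret-bearing.
    ("env_assignment", re.compile(
        r"^(?P<name>[A-Z0-9_]*(?:KEY|SECRET|TOKEN|PASSWORD|SID)[A-Z0-9_]*)=(?P<value>\S+)", re.M)),
    # PHP define('DB_PASSWORD', '...') style constants (WordPress, Joomla, etc.).
    ("php_define", re.compile(
        r"define\(\s*['\"](?P<name>[A-Z_]*(?:KEY|SECRET|TOKEN|PASSWORD)[A-Z_]*)['\"]\s*,\s*['\"](?P<value>[^'\"]*)['\"]")),
]


def mask(value):
    """Never echo a full secret into a report: keep a short prefix for identification."""
    return value[:4] + "..." if len(value) > 4 else "..."


def find_secrets(text):
    """Return a list of {kind, name, value(masked)} for every pattern hit in text."""
    hits = []
    for kind, rx in SECRET_PATTERNS:
        for m in rx.finditer(text):
            groups = m.groupdict()
            hits.append({"kind": kind,
                         "name": groups.get("name") or "(bare key)",
                         "value": mask(groups.get("value") or m.group(0))})
    return hits


def audit(root, docroot=None):
    """Walk root; for each config file report exposure flags and masked secrets.

    exposure contains "web-exposed" when the file lives under docroot (so the web
    server can serve it) and "world-readable" when the other-read bit is set.
    Findings with the most exposure flags come first.
    """
    root = os.path.realpath(root)
    docroot = os.path.realpath(docroot) if docroot else None
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not is_config_file(name):
                continue
            path = os.path.join(dirpath, name)
            exposure = []
            if docroot and os.path.commonpath([docroot, path]) == docroot:
                exposure.append("web-exposed")
            if os.stat(path).st_mode & stat.S_IROTH:
                exposure.append("world-readable")
            with open(path, encoding="utf-8", errors="replace") as fh:
                secrets = find_secrets(fh.read())
            findings.append({"rel": os.path.relpath(path, root),
                             "exposure": exposure, "secrets": secrets})
    findings.sort(key=lambda f: (-len(f["exposure"]), f["rel"]))
    return findings


def build_demo_tree():
    """Constructed layout: a Laravel-style .env dropped in public/ (the mistake
    the harvester relies on) and a locked-down config.php outside the web root.
    All credential values are placeholders."""
    root = tempfile.mkdtemp(prefix="config-audit-")
    public, app = os.path.join(root, "public"), os.path.join(root, "app")
    os.makedirs(public)
    os.makedirs(app)
    env_path = os.path.join(public, ".env")
    with open(env_path, "w") as fh:
        fh.write("APP_ENV=production\n"
                 "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"  # AWS docs example key
                 "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
                 "MAIL_HOST=smtp.sendgrid.net\n"
                 "SENDGRID_API_KEY=SG.placeholder-not-a-real-key\n")
    os.chmod(env_path, 0o644)
    cfg_path = os.path.join(app, "config.php")
    with open(cfg_path, "w") as fh:
        fh.write("<?php\ndefine('DB_HOST', 'localhost');\n"
                 "define('DB_PASSWORD', 'placeholder-db-password');\n")
    os.chmod(cfg_path, 0o600)
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for f in audit(demo_root, docroot=os.path.join(demo_root, "public")):
        print(f["rel"], f["exposure"] or "ok",
              ", ".join("%s=%s" % (s["name"], s["value"]) for s in f["secrets"]))
```

Run it against a real deployment as `audit("/var/www/site", docroot="/var/www/site/public")` (paths are illustrative). Anything reported as web-exposed should be moved out of the document root or blocked in the web server configuration, and world-readable hits should get their permissions tightened; the masked values tell you which credentials to rotate if the file has already been reachable.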
Dish Network has been slapped with multiple class action lawsuits after it suffered a ransomware incident that was behind the company's multi-day "network outage." The legal actions aim to recover losses faced by DISH investors who were adversely affected by what has been dubbed a "securities fraud."
Twitter announced on Friday that it's open-sourcing the code behind the recommendation algorithm the platform uses to select the contents of the users' For You timeline.
Over 15 million publicly facing services are susceptible to at least one of the 896 vulnerabilities listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
A 10-year-old Windows vulnerability is still being exploited in attacks to make it appear that executables are legitimately signed, with the fix from Microsoft still "opt-in" after all these years. Even worse, the fix is removed after upgrading to Windows 11.
TMX Finance and its subsidiaries TitleMax, TitleBucks, and InstaLoan have collectively disclosed a data breach that exposed the personal data of 4,822,580 customers.
A Russian hacking group tracked as TA473, aka 'Winter Vivern,' has been actively exploiting vulnerabilities in unpatched Zimbra endpoints since February 2023 to steal the emails of NATO officials, governments, military personnel, and diplomats.
Microsoft has shared more information on what types of malicious embedded files OneNote will soon block to defend users against ongoing phishing attacks pushing malware.