Daily Archives: October 17, 2020

TikTok launched a public bug bounty program

Chinese video-sharing social networking service TikTok announced this week the launch of a public bug bounty program in collaboration with HackerOne.

The popular Chinese video-sharing social networking service TikTok has launched this week a public bug bounty program through the HackerOne platform.

White hat hackers are invited to report security flaws in TikTok websites, including several subdomains, and both Android and iOS apps.

The company is offering between $1,700 and $6,900 for high-severity flaws, the payout for a critical issue can go up to $14,800.

“We encourage security researchers to focus their efforts on finding security vulnerabilities demonstrating meaningful impact. Our rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard).” reads the program description.

The idea to reward white hat hackers for reporting security flaws is not new for the Chinese firm that claimed to have already paid out more than $40,000 through its bug bounty program.

The company has had a Vulnerability Reporting Policy and follows a Coordinated Disclosure Policy with a waiting period of 90 days from submission.

“This partnership will help us to gain insight from the world’s top security researchers, academic scholars and independent experts to better uncover potential threats and make our security defenses even stronger,” said Luna Wu of TikTok’s Global Security Team.

Source: Messagero

President Trump is trying to ban TikTok in the United States due to security and privacy concerns. TikTok has denied any accusation of sharing data with the Beijing government. TikTok confirmed that all US user data is stored in the US, with a backup in Singapore.

TikTok challenged the decision in a US court and the judge blocked the President’s request to ban the Chinese company in the country.

The US Government is making pressure on TikTok’s parent firm Bytedance to sell its U.S. operations to an American company.

Pierluigi Paganini

(SecurityAffairs – hacking, TikTok)

The post TikTok launched a public bug bounty program appeared first on Security Affairs.

Star Witness in Case Against Cisco: Its Own Documents

Judge Lauds Plaintiffs' Use of 'Cisco's Technical Documents in an Unaltered Form'
Plaintiffs in the patent infringement case Centripetal Networks v. Cisco Networks won the day thanks to clear testimony and using Cisco's own technical documents in unaltered form. By contrast, the judge slammed Cisco for offering disagreeing witnesses and attempting to focus on old, irrelevant technology.

Strong Crypto Again the Target of Western Governments

'Lawful Access' Means Weak Crypto on Which Anyone Can Eavesdrop - Not Just the Cops
Stop me if you think that you've heard this one before: The U.S., U.K. and some allied governments are continuing to pretend that criminals will get a free pass - and police won't be able to crack cases - so long as individuals and businesses have access to products and services that use strong encryption.

Criminals Still Going Crazy for Cryptocurrency

Innovation and Privacy Enhancements Complicate Law Enforcement Investigations
Cybercrime wouldn't exist as we know it today without there being a multitude of technologies and services that criminals have been able to turn to their advantage, and cryptocurrency is one of the prime examples, especially when it comes to ransomware, darknet markets and money laundering.

NIST Exhibits at the 2020 Grace Hopper Conference

NIST will exhibit at the 2020 Grace Hopper Conference To learn how you can work with NIST, please see our opportunities. Information Technology Laboratory Careers Internships (Current positions open September 4, 2020 and close on Thursday, October 31, 2020) Student Trainee (Computer Science) – ZP1599- I / II Student Trainee (IT Specialist) – ZP2299 – I / II NIST NRC Postdoctoral Program (Two competitions per year, Open December 1 - February 1 and Open June 1 - August 1) Engineering Laboratory PREP Opportunities (Proposed start date: January 2021) Student or Full Time Employment Opportunity In

Four npm packages found opening shells and collecting info on Linux, Windows systems

On Thursday, four JavaScript packages have been removed from the npm portal because they have been found containing malicious code.

NPM staff removed four JavaScript packages from the npm portal because were containing malicious code. Npm is the largest package repository for any programming language.

The four packages, which had a total of one thousand of downloads, are:

“Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer,” the npm security team said.

“The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it,”

The researcher AX Sharma, who analyzed the packages, revealed that plutov-slack-clientnodetest1010, and nodetest199 share identical code.

Experts warn that systems running applications that imported one of these packages should be potentially compromised because the three JavaScript libraries opened web shells on the computers running them.

web shell is a code, often written in typical web development programming languages (e.g., ASP, PHP, JSP), that attackers implant on web servers to gain remote access and code execution.

The npmpubman, unlike the other packages, was found collecting user data from the environment variables and uploads the gathered info to a remote host.

The malicious code could work on both Windows and *nix operating systems, including major distros, including Linux, FreeBSD, OpenBSD.

One of the packages was uploaded on the npm portal in May, while the remaining ones were uploaded in September 2018.

“It is possible that all four packages were authored by the same attacker(s) despite conflicting data provided in the package.json manifests.” reported Bleeping Computer.

“In a real-world scenario, npmpubman could be used as a part of an attacker’s reconnaissance efforts to collect information about a system, whereas the other packages establish a direct connection between the attacker’s and the victim’s computers.”

In August, the npm security team has removed the JavaScript library “fallguys” from the npm portal because it was containing a malicious code used to steal sensitive files from an infected users’ browser and Discord application.

Pierluigi Paganini

(SecurityAffairs – hacking, malware)

The post Four npm packages found opening shells and collecting info on Linux, Windows systems appeared first on Security Affairs.

Google warned users of 33,015 nation-state attacks since January

Google delivered over 33,000 alerts to its users during the first three quarters of 2020 to warn them of attacks from nation-state actors.

Google delivered 33,015 alerts to its users during the first three quarters of 2020 to warn them of phishing attacks, launched by nation-state actors, targeting their accounts.

Google sent 11,856 government-backed phishing warnings during Q1 2020, 11,023 in Q2 2020, and 10,136 in Q3 2020.

Shane Huntley, Director at Google’s Threat Analysis Group (TAG), revealed that her team has shared its findings with the campaigns and the Federal Bureau of Investigation.

The IT giant pointed out that major events like elections and COVID-19 represent opportunities for threat actors.

The trend in the nation-state attacks is consistent with what others have subsequently reported.

Google TAG report nation-state actors

“Overall, we’ve seen increased attention on the threats posed by APTs in the context of the U.S. election. U.S government agencies have warned about different threat actors, and we’ve worked closely with those agencies and others in the tech industry to share leads and intelligence about what we’re seeing across the ecosystem.” reads the report published by Google TAG.

Since last summer, TAG team has tracked a large spam network linked to China that is running an influence operation on multiple platforms, primarily on YouTube. The threat actor behind this campaign was primarily acquiring or hijacking existing accounts and using them to spread content crafted for their intent.

According to Google, the alerts are shown to up to 0.1% of all Gmail accounts. The company’s alert advises Gmail users to take several measures to secure their accounts, such as enrolling in the Advanced Protection Program, keeping software up to date, enabling Gmail 2-step verification, as well as using Google Authenticator and/or a physical security key for 2-step verification.

As the course of the COVID-19 pandemic evolves, Google experts warn of threat actors evolving their tactics as well. During the last summer, Google observed threat actors from China, Russia, and Iran targeting pharmaceutical companies and researchers involved in the development of a vaccine. 

In September, Google experts started to observe attacks carried out by multiple North Korea-linked APT groups aimed at COVID-19 researchers and pharmaceutical companies, especially those based in South Korea.

This week, the Google Cloud team revealed that in September 2017 it has mitigated DDoS attack that reached 2.54 Tbps, the largest DDoS attack of ever.

This attack is the largest DDoS attack recorded to date and according to a report published by the Google Threat Threat Analysis Group (TAG) it was carried out by a state-sponsored threat actor.

Pierluigi Paganini

(SecurityAffairs – hacking, Google TAG)

The post Google warned users of 33,015 nation-state attacks since January appeared first on Security Affairs.

UK NCSC recommends organizations to fix CVE-2020-16952 SharePoint RCE flaw asap

The U.K. National Cyber Security Centre (NCSC) issued an alert to urge organizations to patch CVE-2020-16952 RCE vulnerability in MS SharePoint Server.

The U.K. National Cyber Security Centre (NCSC) issued an alert to warn of the risks of the exploitation for the CVE-2020-16952 remote code execution (RCE) vulnerability in Microsoft SharePoint Server and urges organizations to address the flaw.

Attackers could exploit this vulnerability to run arbitrary code and execute operations in the context of the local administrator on vulnerable SharePoint servers.

The issue is caused by the improper validation in user-supplied data and can be exploited when a user uploads a specially crafted SharePoint application package to a vulnerable version of SharePoint.

The vulnerability affects Microsoft SharePoint Foundation 2013 Service Pack 1, Microsoft SharePoint Enterprise Server 2016, and Microsoft SharePoint Server 2019, while SharePoint Online as part of Office 365 is not impacted.

“The NCSC strongly advises that organizations refer to the Microsoft guidance referenced in this alert and ensure the necessary updates are installed in affected SharePoint products,” reads the alert. “The NCSC generally recommends following vendor best practice advice in the mitigation of vulnerabilities. In the case of this SharePoint vulnerability, it is important to install the latest updates as soon as practicable.”

The server-side include (SSI) vulnerability CVE-2020-16952 was reported by the researcher Steven Seeley from Qihoo 360 Vulcan Team, who also provided a proof-of-concept exploit for the RCE flaw.

An exploit module for the open-source Metasploit penetration testing framework was also available, it works on SharePoint 2019 on Windows Server 2016.

Security experts recommend applying the October 2020 SharePoint security updates ([1],[2],[3]).

Experts pointed out that SharePoint servers are used in enterprise environments, for this reason, such kind of vulnerabilities is very dangerous.

The UK NCSC confirms that both CVE-2020-16952 and CVE-2015-1641 flaws are included in the list of most exploited vulnerabilities since 2016 published in a joint advisory by the US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI).

Pierluigi Paganini

(SecurityAffairs – hacking, CVE-2020-16952)

The post UK NCSC recommends organizations to fix CVE-2020-16952 SharePoint RCE flaw asap appeared first on Security Affairs.