News for August 29, 2022


10 Items Added to CISA Actively Exploited List
by Artie Kaye

The US Cybersecurity and Infrastructure Security Agency (CISA) has added 10 items to its Known Exploited Vulnerabilities catalog, its list of vulnerabilities that must be addressed.  The remediation deadline is September 15, 2022.  Because these flaws are actively being used by attackers in the wild, resolving them is recommended.  Below are the CVE numbers, the affected vendors, and links to the fixes for each.

dotCMS
CVE-2022-26352
https://www.dotcms.com/security/SI-62

Apache
CVE-2022-24706
https://lists.apache.org/thread/w24wo0h8nlctfps65txvk0oc5hdcnv00

CVE-2022-24112
https://lists.apache.org/thread/lcdqywz8zy94mdysk7p3gfdgn51jmt94

VMware Tanzu
CVE-2022-22963
https://tanzu.vmware.com/security/cve-2022-22963

WebRTC
CVE-2022-2294
https://groups.google.com/g/discuss-webrtc/c/5KBtZx2gvcQ

Grafana Labs
CVE-2021-39226
https://grafana.com/blog/2021/10/05/grafana-7.5.11-and-8.1.6-released-with-critical-security-fix/

Delta Electronics
CVE-2021-38406
https://www.cisa.gov/uscert/ics/advisories/icsa-21-252-02

Apple
CVE-2021-31010
https://support.apple.com/en-us/HT212804
https://support.apple.com/en-us/HT212805
https://support.apple.com/en-us/HT212806
https://support.apple.com/en-us/HT212807
https://support.apple.com/en-us/HT212824

PEAR
CVE-2020-36193
https://github.com/pear/Archive_Tar/commit/cde460582ff389404b5b3ccb59374e9b389de916
https://www.drupal.org/sa-core-2021-001
https://access.redhat.com/security/cve/cve-2020-36193

CVE-2020-28949
https://pear.php.net/bugs/bug.php?id=27002
https://www.drupal.org/sa-core-2020-013
https://access.redhat.com/security/cve/cve-2020-28949

https://www.cisa.gov/known-exploited-vulnerabilities-catalog

https://thehackernews.com/2022/08/cisa-adds-10-new-known-actively.html
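A digest like the one above is only useful once it is matched against the software you actually run and tracked against the due date. The script below is an added example (not code from the news item or from CISA): it parses a feed in the shape of CISA's KEV JSON, lists what was added since a given date, and buckets the entries that also appear in your own scanner findings into overdue, due soon, and later. The field names `cveID`, `vendorProject`, `dateAdded` and `dueDate` are assumed from the public feed published alongside the catalog page linked above; the sample data is constructed (the ten CVEs from the item with made-up `dateAdded` values, plus placeholder entries that are not real CVE numbers).

```python
"""Triage CISA Known Exploited Vulnerabilities (KEV) entries by due date.

Added example, not code from the news item or from CISA. The JSON field
names (cveID, vendorProject, dateAdded, dueDate) are assumed to match the
feed CISA publishes next to the catalog page
(https://www.cisa.gov/known-exploited-vulnerabilities-catalog); check them
against a real download before relying on this.
"""
import json
from datetime import date, timedelta

# Constructed sample in the shape of the KEV feed. The first ten entries are
# the CVEs from the news item with its 2022-09-15 due date; their dateAdded
# value is made up. The last two are placeholders (not real CVE numbers)
# that give one overdue and one far-future entry so every bucket is visible.
SAMPLE_KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2022-26352", "vendorProject": "dotCMS", "dateAdded": "2022-08-25", "dueDate": "2022-09-15"},
    {"cveID": "CVE-2022-24706", "vendorProject": "Apache", "dateAdded": "2022-08-25", "dueDate": "2022-09-15"},
    {"cveID": "CVE-2022-24112", "vendorProject": "Apache", "dateAdded": "2022-08-25", "dueDate": "2022-09-15"},
    {"cveID": "CVE-2022-22963", "vendorProject": "VMware Tanzu", "dateAdded": "2022-08-25", "dueDate": "2022-09-15"},
    {"cveID": "CVE-2022-2294", "vendorProject": "WebRTC", "dateAdded": "2022-08-25", "dueDate": "2022-09-15"},
    {"cveID": "CVE-2021-39226", "vendorProject": "Grafana Labs", "dateAdded": "2022-08-25", "dueDate": "2022-09-15"},
    {"cveID": "CVE-2021-38406", "vendorProject": "Delta Electronics", "dateAdded": "2022-08-25", "dueDate": "2022-09-15"},
    {"cveID": "CVE-2021-31010", "vendorProject": "Apple", "dateAdded": "2022-08-25", "dueDate": "2022-09-15"},
    {"cveID": "CVE-2020-36193", "vendorProject": "PEAR", "dateAdded": "2022-08-25", "dueDate": "2022-09-15"},
    {"cveID": "CVE-2020-28949", "vendorProject": "PEAR", "dateAdded": "2022-08-25", "dueDate": "2022-09-15"},
    {"cveID": "CVE-PLACEHOLDER-0001", "vendorProject": "ExampleVendor", "dateAdded": "2022-07-01", "dueDate": "2022-07-22"},
    {"cveID": "CVE-PLACEHOLDER-0002", "vendorProject": "ExampleVendor", "dateAdded": "2022-08-20", "dueDate": "2022-11-20"},
]})


def _as_date(value):
    """Accept either a date object or an ISO 8601 string."""
    return date.fromisoformat(value) if isinstance(value, str) else value


def load_kev(text):
    """Parse feed JSON into dicts with real date objects.

    date.fromisoformat raises ValueError on a malformed date, so a broken
    feed fails loudly instead of silently dropping entries.
    """
    entries = []
    for row in json.loads(text)["vulnerabilities"]:
        entries.append({
            "cveID": row["cveID"],
            "vendorProject": row["vendorProject"],
            "dateAdded": date.fromisoformat(row["dateAdded"]),
            "dueDate": date.fromisoformat(row["dueDate"]),
        })
    return entries


def added_since(entries, since):
    """Entries added on or after `since`: how a weekly digest like this one is cut."""
    since = _as_date(since)
    return [e for e in entries if e["dateAdded"] >= since]


def triage(entries, scanner_cves, today, window_days=30):
    """Bucket the KEV entries that also appear in our own scanner findings.

    Only the intersection matters for remediation tracking: KEV entries for
    software we do not run are noise, and findings not on the KEV list are
    returned separately so they can be prioritised by other criteria.
    """
    today = _as_date(today)
    kev_by_id = {e["cveID"]: e for e in entries}
    ours = sorted(
        (kev_by_id[c] for c in scanner_cves if c in kev_by_id),
        key=lambda e: (e["dueDate"], e["cveID"]),
    )
    horizon = today + timedelta(days=window_days)
    return {
        "overdue": [e["cveID"] for e in ours if e["dueDate"] < today],
        "due_soon": [e["cveID"] for e in ours if today <= e["dueDate"] <= horizon],
        "later": [e["cveID"] for e in ours if e["dueDate"] > horizon],
        "not_in_kev": sorted(c for c in scanner_cves if c not in kev_by_id),
    }


if __name__ == "__main__":
    kev = load_kev(SAMPLE_KEV_JSON)
    print("added this week:", [e["cveID"] for e in added_since(kev, "2022-08-22")])
    # Constructed scanner output for an imaginary estate; the placeholder IDs
    # are not real CVEs.
    findings = {"CVE-2022-22963", "CVE-2021-39226", "CVE-PLACEHOLDER-0001",
                "CVE-PLACEHOLDER-0002", "CVE-PLACEHOLDER-0003"}
    for bucket, ids in triage(kev, findings, "2022-08-29").items():
        print(f"{bucket}: {ids}")
```

Run with a real feed by replacing `SAMPLE_KEV_JSON` with the downloaded JSON text and `findings` with the CVE IDs your scanner reports. Sorting by due date first and CVE ID second keeps the output stable between runs, which matters when the lists are diffed week to week.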

Twilio, CloudFlare and Oktapus
by Artie Kaye

The recent hacks against Twilio, Cloudflare and many other companies have been carried out by a group dubbed Oktapus.  The moniker comes from the group's apparent goal of harvesting Okta credentials from the targeted companies.  Okta provides single sign-on (SSO) services, so one Okta account can access every account linked to it.  Because many business portals can be accessed through Okta, this magnifies the potential damage that could be done.

Researchers at Permiso have outlined a potential attack vector that could shed light on why Okta accounts are Oktapus's target.  The vector is account management: transferring an existing account's privileges to another account.  This is a built-in function of the software and can only be performed by administrator-level users.  Okta has published a list of recommendations for reducing the chance of compromise.  Links to Permiso's and Okta's posts are below.

https://permiso.io/blog/s/down-with-idp-impersonate-me/

https://help.okta.com/en-us/Content/Topics/Security/healthinsight/healthinsight-security-task-recomendations.htm

https://www.securityweek.com/okta-impersonation-technique-could-be-utilized-attackers

https://www.securityweek.com/okta-says-customer-data-compromised-twilio-hack

https://thehackernews.com/2022/08/okta-hackers-behind-twilio-and.html

Lloyd’s of London and Cyber Insurance
by Artie Kaye

In a bulletin released on August 16, Lloyd's of London addressed the increase in financial damages caused by cyber attacks.  It is introducing an exclusion for state-sponsored cyber attacks, which could disqualify a policyholder from an insurance payout if the attack came from a government or a government-backed attacker.  Given Lloyd's standing in the insurance world, this decision could be adopted by many other insurers around the world in the coming months.  The full bulletin is linked below.

https://assets.lloyds.com/media/35926dc8-c885-497b-aed8-6d2f87c1415d/Y5381%20Market%20Bulletin%20-%20Cyber-attack%20exclusions.pdf

https://www.csoonline.com/article/3670571/lloyd-s-of-london-to-exclude-state-backed-attacks-from-cyber-insurance-policies.html

https://www.insurancebusinessmag.com/asia/news/cyber/lloyds-market-moving-cyber-mandate-drives-grey-area-fears-418527.aspx