Microsoft had its August Patch Tuesday yesterday: 87 vulnerability fixes, including two that were being actively exploited, and 23 RCEs.
https://msrc.microsoft.com/update-guide/releaseNote/2023-Aug
ADV230003 - Microsoft Office Defense in Depth Update (publicly disclosed)
Microsoft has released an Office Defense in Depth update to fix a patch bypass of the previously mitigated and actively exploited CVE-2023-36884 remote code execution flaw.
The CVE-2023-36884 flaw allowed threat actors to create specially crafted Microsoft Office documents that could bypass the Mark of the Web (MoTW) security feature, causing files to be opened without displaying a security warning and allowing remote code execution.
The vulnerability was actively exploited by the RomCom hacking group, which was previously known to deploy the Industrial Spy ransomware in attacks. The ransomware operation has since rebranded as 'Underground,' under which they continue to extort victims.
The flaw was discovered by Paul Rascagneres and Tom Lancaster with Volexity.
CVE-2023-38180 - .NET and Visual Studio Denial of Service Vulnerability
Microsoft has fixed an actively exploited vulnerability that can cause a DoS attack on .NET applications and Visual Studio.
Unfortunately, Microsoft did not share any additional details on how this flaw was used in attacks and did not disclose who discovered the vulnerability.
BleepingComputer
Microsoft Office update breaks actively exploited RCE attack chain
Microsoft today released a defense-in-depth update for Microsoft Office that prevents exploitation of a remote code execution (RCE) vulnerability tracked as CVE-2023-36884 that threat actors have already leveraged in attacks.
Microsoft, whose products are still used by 70-90% of corporate customers in Russia, has announced that licenses for the company's products and solutions will remain valid until the end of September and can no longer be renewed. The inability to receive updates will lower the overall security of corporate networks and will be a strong incentive for pirates to step up their activity, experts say. In their words, a "seamless" switch to Russian alternatives will not be possible: users will have to get used to new application and OS interfaces, business processes will have to be rebuilt, and IT specialists will have to assemble a new parallel infrastructure out of Russian solutions.
https://www.forbes.ru/tekhnologii/494299-zakolocennye-okna-kakie-problemy-vyzovet-otkaz-microsoft-prodlevat-licenzii
Forbes.ru
Boarded-up Windows: what problems Microsoft's refusal to renew licenses will cause
A research paper on building an ML model that is trained on keyboard sounds and can then determine the text typed on that keyboard with 95% accuracy (93% if it is trained on sounds captured over a Zoom session). Living is not scary, it is very scary.
https://arxiv.org/pdf/2308.01074.pdf
An analysis of the leaked Yandex source code with respect to the user data it collects
Conclusion
The AppMetrica SDKs give Yandex a very broad international reach of data subjects and Yandex has been evasive and misleading about how that data is used. While the data points collected up front are fairly disturbing, that data can say so much more about you when it’s matched and analyzed with other pre-existing data a company already has access to. Yandex makes a few gestures towards anonymization but they are ineffective because hashing isn’t used consistently, and more importantly they collect data that could easily re-identify a user and make sure it is all firmly associated (they refer to it as glueing) through a chain of ids and segments.
The matcher process is clear evidence that at least some of the data collected by Yandex could be synced with Russian state owned entities. Yandex also appears to be very, very close to becoming state controlled or nationalized, and it is about to be required to share international user data from its taxi services with the FSB.
If your company runs an app, pay attention to who runs your SDKs, what data points they may collect and where they are sending your users’ data. Yandex claimed it gets consent through the apps and that it only gets the data app developers choose to send it, throwing the blame right at its partners' doorsteps.
If you are a consumer, know that nothing is guaranteed to stay harmless forever. Maybe you trust this app with your data now, but how will you feel when that app gets sold to a company you don’t trust? Or if that company is headquartered in a country that becomes hostile to yours? Or its government starts making concerning demands to turn over user data? In theory you should be able to take your data back if you live in a jurisdiction that requires companies to respect data deletion requests, but the insights derived from that data might be considered that company's work product and not included in that deletion. In the case of the AppMetrica SDKs, you might not even realize a company has your data because they are quietly embedded in another company's app.
As a former executive pointed out, Yandex got itself into a situation where the Russian state gamed the News algorithms until it was effectively 70% state sponsored propaganda, because they built a tool without considering the risk of how it could be abused by the Russian government. That is how we should think about Yandex's ad tech ecosystem. Yandex built a massive system of data collection and analysis that commingles Russian and international user data, and it is very likely about to be handed to the Kremlin on a silver platter. The Russian government could do a lot of harm with it. In 2019, Yandex turned over taxi data that "helped the authorities fabricate a criminal case" against a Meduza journalist and revealed a confidential office location. Is improving ad targeting and personalized user experiences really worth the risk of building tools that could be exploited in this way?
Original
https://www.confiant.com/news/the-yandex-leak-how-a-russian-search-giant-uses-consumer-data
Retelling in Russian
https://roskomsvoboda.org/post/yandex-sbor-mnozhestva-dannyh/
Confiant
The Yandex Leak: How a Russian Search Giant Uses Consumer Data
In late January 2023, almost 45 GB of source code from the Russian search giant Yandex was leaked on BreachForums by a former Yandex employee.
Forwarded from Сталингулаг
Comrade Major is bringing joy right from the morning today: the Interior Ministry decided not to hold back and drafted a bill abolishing the privacy of correspondence. If the law is passed (and why wouldn't it be?), any online communication and any connection information can become a target of operational-search activity and be tracked remotely, in real time, through cloud storage, data centers and so on. A court order for such scanning of citizens can be obtained after the interested parties have already learned everything about you. And the presumption of innocence is knocked down right away too, so as not to have to get up twice.
A fun device that pretends to be other Apple devices in order to fool the user into entering their Apple ID password.
https://techcrunch.com/2023/08/16/this-70-device-can-spoof-an-apple-device-and-trick-you-into-sharing-your-password/
https://infosec.exchange/@jb0x168/110879394826675242
TechCrunch
This $70 device can spoof an Apple device and trick you into sharing your password
A researcher built a $70 contraption designed to send pop-up prompts to nearby iPhones, which could trick targets into giving away their password.
If you happen to use WinRAR, you need to install the update that fixes a critical vulnerability
https://www.win-rar.com/singlenewsview.html?&L=0&tx_ttnews%5Btt_news%5D=232&cHash=c5bf79590657e32554c6683296a8e8aa
A report on the vulnerability, which has been exploited since April, with a focus on people engaged in crypto trading
https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/
WinRAR Latest News
WinRAR 7.13 Final released
WinRAR - the data compression, encryption and archiving tool for Windows that opens RAR and ZIP files. Compatible with many other file formats.
The Korean language makes its debut in the channel! With a story about Chinese spy chips in the instruments that the Korea Meteorological Administration uses for weather monitoring. It is claimed that the "malicious code" is actually a chip that listens to the surrounding radio frequencies. South Korean intelligence is investigating!
https://news.kbs.co.kr/news/view.do?ncd=7754114&utm_source=substack&utm_medium=email
https://www.ichannela.com/news/main/news_detailPage.do?publishId=000000363086&utm_source=substack&utm_medium=email
https://www.ichannela.com/news/main/news_detailPage.do?publishId=000000363087&utm_source=substack&utm_medium=email
KBS News
Malicious code found in Chinese-made weather equipment supplied to the Korea Meteorological Administration... NIS conducting a full investigation
Malicious code has reportedly been found in Chinese-made meteorological equipment supplied to the Korea Meteorological Administration. A KMA official said today (the 22nd)...
And here is a good collection of data about the MOVEit hack.
TL;DR: 60 million leaked records of individual users, with 84% of the victims in the US.
https://techcrunch.com/2023/08/25/moveit-mass-hack-by-the-numbers/
TechCrunch
MOVEit, the biggest hack of the year, by the numbers | TechCrunch
The mass-exploitation of MOVEit file transfer servers — the largest hack of the year so far — now affects at least 60 million people.
https://www.404media.co/the-secret-weapon-hackers-can-use-to-dox-nearly-anyone-in-america-for-15-tlo-usinfosearch-transunion/
On the messaging app Telegram, I entered a tiny amount of information about my target into the dark blue text box—their name and the state I believed they lived in—and pressed enter. A short while later, the bot spat out a file containing every address that person had ever lived at in the U.S., all the way back to their college dorm more than a decade earlier. The file included the names and birth years of their relatives. It listed the target’s mobile phone numbers and provider, as well as personal email addresses. Finally, the file contained information from their drivers’ license, including its unique identification number. All of that data cost $15 in Bitcoin. The bot sometimes offers the Social Security number too for $20.
404 Media
The Secret Weapon Hackers Can Use to Dox Nearly Anyone in America for $15
Violent criminals who rob, assault, and shoot targets have found a way to tap into data from credit bureaus.
The National Science Foundation's National Optical-Infrared Astronomy Research Laboratory, or NOIRLab, reported that a cybersecurity incident that occurred on Aug. 1 has prompted the lab to temporarily halt operations at its Gemini North Telescope in Hawaii and Gemini South Telescope in Chile. Other, smaller telescopes on Cerro Tololo in Chile were also affected.
https://www.space.com/noirlab-gemini-north-south-telescopes-hacked-cybersecurity
Space
'Cosmic butterfly' wings shimmer in image of violently colliding galaxies
The two spiral galaxies are about 60 million light-years from Earth.
A story about how the FBI and law enforcement agencies of other countries got to the Qakbot botnet, and not only took control of its infrastructure but also managed to uninstall the already installed malware from victims' computers.
https://www.bleepingcomputer.com/news/security/how-the-fbi-nuked-qakbot-malware-from-infected-windows-pcs/
BleepingComputer
How the FBI nuked Qakbot malware from infected Windows PCs
The FBI announced today the disruption of the Qakbot botnet in an international law enforcement operation that not only seized infrastructure but also uninstalled the malware from infected devices.
A fake Signal app on Google Play
https://www.forbes.com/sites/thomasbrewster/2023/08/30/malicious-signal-app-planted-on-google-play-by-china-linked-cyber-spies/
Forbes
A Fake Signal App Was Planted On Google Play By China-Linked Hackers
Hackers who previously targeted Uyghurs evaded Google Play security checks to push a fake Signal app for Android. It uses a never previously-documented method to spy on the encrypted comms tool.
A vulnerability involving access token manipulation has been found in a popular WordPress extension, allowing hackers to gain access to information on the site
https://patchstack.com/articles/pre-auth-access-token-manipulation-in-all-in-one-wp-migration-extensions/
Patchstack
Vulnerability in All-in-One WP Migration extensions - Patchstack
There is a security vulnerability in All-in-One WP Migration extensions - an unauthenticated access token manipulation.