Pacific City Bank

AVOS Locker


AVOS Locker Ransomware gang targeted Pacific City Bank, exposing sensitive files

AVOS Locker Ransomware gang is behind the recent attacks targeting Pacific City Bank, exposing sensitive files on their data leak site...

06-Sep-2021

2 min read

Related Articles


Vulnerability

Microsoft

Android

Android users prone to cmd injection & privilege escalation attacks ...

Microsoft security researchers discovered critical flaws in a framework used by Android apps from many prominent international mobile service providers. CVE-2021-42598, CVE-2021-42599, CVE-2021-42600, and CVE-2021-42601 were discovered in a mobile framework owned by mce Systems, exposing users to command injection and privilege escalation attacks. The vulnerable apps have received millions of downloads from Google's Play Store and are pre-installed as system software on smartphones purchased from impacted telecommunications companies such as AT&T, TELUS, Rogers Communications, Bell Canada, and Freedom Mobile.

According to security experts Jonathan Bar Or, Sang Shin Jung, Michael Peck, Joe Mansour, and Apurva Kumar of the Microsoft 365 Defender Research Team, _"the apps were incorporated in the devices' system image, implying that they were default programs installed by phone carriers."_ _"All of the applications are accessible on the Google Play Store, where they are subjected to Google Play Protect's automated safety checks, which previously did not screen for these sorts of vulnerabilities."_ _"Some of the impacted apps, like many pre-installed or default programs that most Android smartphones come with these days, cannot be entirely deleted or stopped without getting root access to the device."_

While the vendors Microsoft contacted had already updated their applications to remedy the problems before the security holes were disclosed today, apps from other telcos use the same buggy framework. _"Several more mobile service providers were detected using the vulnerable framework with their separate applications,"_ the researchers stated. _"This suggests that there may be further providers currently unknown that may be compromised."_

Microsoft said that some Android devices might be vulnerable to attacks attempting to exploit these weaknesses if an Android app with the package name com.mce.mceiotraceagent was installed _"by many mobile phone repair shops."_ Those who find this program on their smartphone are encouraged to uninstall it immediately to eliminate the attack vector.

_"All participating companies have addressed the vulnerabilities that affected applications with millions of downloads,"_ the researchers claimed. _"When combined with the significant system capabilities that pre-installed programs have, these vulnerabilities might have been attack vectors for attackers to obtain system configuration and sensitive information."_

27-May-2022

2 min read

Vulnerability

OAS

Open Automation Software (OAS) platform found vulnerable to critical RCE & API a...

Vulnerabilities in the Open Automation Software (OAS) platform have been reported by threat researchers, allowing device access, denial of service, and remote code execution.

Michelin, Volvo, Intel, JBT AeroTech, the United States Navy, Dart Oil and Gas, General Dynamics, AES Wind Generation, and many other high-profile industrial firms use OAS. As a result, platform vulnerabilities can put critical industrial sectors at risk of disruption and leakage of confidential information.

According to a Cisco Talos [assessment](https://blog.talosintelligence.com/2022/05/vuln-spotlight-open-automation-platform.html), OAS platform versions 16.00.0112 and below are vulnerable to a number of high and critical severity flaws that might lead to devastating attacks.

[CVE-2022-26833](https://talosintelligence.com/vulnerability_reports/TALOS-2022-1513), the most serious of the lot, has a CVSS severity rating of 9.4 out of 10 and concerns unauthenticated access to and use of the REST API in OAS. An attacker could exploit this vulnerability by sending a series of specially crafted HTTP requests to the affected endpoints.

According to Cisco Talos, the REST API is intended to grant programmatic access to the "Default" user for configuration changes and data viewing; Talos researchers were able to authenticate by submitting a request with a blank username and password.

![Authentic.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/Authentic_00f4e6dc87.jpg)

A second critical vulnerability, tracked as [CVE-2022-26082](https://talosintelligence.com/vulnerability_reports/TALOS-2022-1493) with a severity score of 9.1, is a file write vulnerability in the OAS Engine `SecureTransferFiles` module. Cisco also noted that a specially crafted set of network requests sent to vulnerable endpoints could result in arbitrary remote code execution.

_"It is possible to upload an arbitrary file to any place permissible by the underlying user by sending a sequence of correctly prepared setup messages to the OAS Platform. These messages can be sent to TCP/58727 by default, and if successful, will be handled by the user OAS with standard user permissions."_ - Cisco Talos

This allows a remote threat actor to upload a fresh authorized_keys file to the oas user's .ssh directory, after which ssh can be used to access the system.

Cisco Talos has discovered additional flaws categorized as high severity (CVSS: 7.5):

- CVE-2022-27169: obtain directory listing via network requests
- CVE-2022-26077: information disclosure targeting account credentials
- CVE-2022-26026: denial of service and loss of data links
- CVE-2022-26303 & CVE-2022-26043: external configuration changes and creation of new users and security groups

Mitigation steps for each of the vulnerabilities are provided by Cisco, including deactivating services and closing communication ports, so if updating to a newer version of OAS is not an option there is still a workaround, with some functionality or convenience trade-offs.

Otherwise, upgrading to a more recent version of the OAS platform is recommended. The fixes for the two critical issues outlined above were included in version 16.00.0.113, which was issued on May 22, 2022, as a security update.

Upgrade lags are to be expected in industrial environments that use elaborate and extensive data networking systems, but in this case, given the seriousness of the reported flaws, fast action is required.
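The two details above that a defender can act on directly are the default OAS Engine port (TCP/58727) and the fact that the file-write flaw was described as a way to drop a new authorized_keys file for the oas service account. The Python script below is an added example, not code from the article, Cisco Talos or OAS: it flags accepted connections to that port from outside an allowlisted engineering subnet in a flow log, and diffs the oas user's authorized_keys against a known-good baseline so that an unexpected key is reported. The log line format, the subnets, addresses and SSH keys are all constructed sample data; only the port number comes from the advisory summary.

```python
"""Defender-side checks derived from the OAS advisory summary (added example).

1. flag_unexpected_oas_connections(): scan flow/firewall log lines for accepted
   TCP connections to the OAS Engine port (58727 by default, per the advisory)
   whose source is outside an allowlist of engineering subnets.
2. diff_authorized_keys(): compare the oas service account's current
   ~/.ssh/authorized_keys content with a baseline and report added/removed keys.
All sample data below is constructed for illustration.
"""
import ipaddress
import re

OAS_PORT = 58727  # default OAS Engine port named in the advisory

# Constructed flow-log lines in a hypothetical space-separated format:
# <timestamp> <ACCEPT|DENY> src=<ip>:<port> dst=<ip>:<port> proto=<tcp|udp>
SAMPLE_FLOW_LOG = """\
2022-05-27T10:00:01Z ACCEPT src=10.20.1.15:51234 dst=10.20.5.10:58727 proto=tcp
2022-05-27T10:00:05Z ACCEPT src=10.20.1.16:51240 dst=10.20.5.10:443 proto=tcp
2022-05-27T10:01:12Z ACCEPT src=203.0.113.44:40022 dst=10.20.5.10:58727 proto=tcp
2022-05-27T10:01:30Z DENY src=198.51.100.9:40100 dst=10.20.5.10:58727 proto=tcp
2022-05-27T10:02:00Z ACCEPT src=10.20.1.15:51300 dst=10.20.5.10:58727 proto=udp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\S+) src=(?P<src>[^:]+):(?P<sport>\d+) "
    r"dst=(?P<dst>[^:]+):(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_flow_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def flag_unexpected_oas_connections(log_text, allowed_subnets, port=OAS_PORT):
    """List (timestamp, src, dst) for accepted TCP sessions to `port` from outside `allowed_subnets`."""
    allowed = [ipaddress.ip_network(s) for s in allowed_subnets]
    findings = []
    for line in log_text.splitlines():
        rec = parse_flow_line(line)
        if rec is None or rec["proto"] != "tcp" or rec["dport"] != port:
            continue
        if rec["action"] != "ACCEPT":
            continue  # already blocked at the perimeter; only established sessions matter here
        src = ipaddress.ip_address(rec["src"])
        if not any(src in net for net in allowed):
            findings.append((rec["ts"], rec["src"], rec["dst"]))
    return findings


# Constructed authorized_keys contents for the oas service account (fake key material).
BASELINE_AUTHORIZED_KEYS = """\
# baseline: only the backup host may log in as oas
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEBASELINEKEY000000000000000000000 oas-backup@hist01
"""
CURRENT_AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEBASELINEKEY000000000000000000000 oas-backup@hist01
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQEXAMPLEUNEXPECTEDKEY00000000000000 unknown@nowhere
"""

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def parse_authorized_keys(text):
    """Return a set of (key_type, key_blob) tuples, ignoring comments, blanks and option fields."""
    keys = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        # An optional options field (e.g. command="...") may precede the key type.
        for i, tok in enumerate(parts):
            if tok.startswith(KEY_TYPE_PREFIXES) and i + 1 < len(parts):
                keys.add((tok, parts[i + 1]))
                break
    return keys


def diff_authorized_keys(baseline_text, current_text):
    """Report keys present now but not in the baseline (and vice versa)."""
    base = parse_authorized_keys(baseline_text)
    cur = parse_authorized_keys(current_text)
    return {"added": sorted(cur - base), "removed": sorted(base - cur)}


if __name__ == "__main__":
    for ts, src, dst in flag_unexpected_oas_connections(SAMPLE_FLOW_LOG, ["10.20.1.0/24"]):
        print(f"ALERT {ts}: {src} reached OAS port {OAS_PORT} on {dst} from outside the allowlist")
    delta = diff_authorized_keys(BASELINE_AUTHORIZED_KEYS, CURRENT_AUTHORIZED_KEYS)
    for key_type, blob in delta["added"]:
        print(f"ALERT: unexpected {key_type} key added for oas: {blob[:24]}...")
```

On the sample data the first check reports only the session from 203.0.113.44 (the 10.20.1.x sessions are allowlisted, the DENY line was already blocked, and the UDP line is not an OAS session), and the second reports the single ssh-rsa key that is not in the baseline. In production the baseline would be stored outside the reach of the oas account, and the flow log would come from the firewall in front of the OAS host.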

27-May-2022

3 min read

Brexit

Russia

Data Breach

Huntley, who directs Google's Threat Analysis Group, told Reuters that the "Engl...

According to a Google cybersecurity officer and the former chief of UK foreign intelligence, a new website that released hacked emails from several key proponents of Britain's secession from the European Union is linked to Russian hackers. The website, branded "Very English Coop d'Etat," claims to have exposed private emails from former British spymaster Richard Dearlove, major Brexit advocate Gisela Stuart, pro-Brexit historian Robert Tombs, and other Brexit supporters. According to the website, they are part of a gang of hardcore pro-Brexit figures who are covertly calling the shots in the UK.

While the authenticity of the leaked emails could not be immediately established, two leak victims said on Wednesday that they had been targeted by hackers and accused the Russian government. "I am completely aware of a Russian operation targeting a Proton account containing communications to and from me," Dearlove said, referring to the privacy-focused email provider ProtonMail. Dearlove, who oversaw Britain's foreign intelligence organization, known as MI6, from 1999 to 2004, told Reuters that the stolen data should be regarded with caution in light of "the current crisis in ties with Russia."

In an email, Tombs stated that he and his colleagues were aware of "Russian misinformation based on unlawful hacking." He declined to comment further. Stuart, who led Britain's Leave campaign in 2016, did not respond to emails.

According to Shane Huntley, director of Google's Threat Analysis Group, the "English Coop" website was linked to what the Alphabet Inc (GOOGL.O)-owned business recognized as "Cold River," a Russia-based hacking group. "We can see that through technical indications," Huntley explained. Huntley stated that the entire operation had "obvious technological ties" from Cold River's hacking attempts to the publishing of the disclosures. The Russian embassies in London and Washington did not respond to requests for comment. The Foreign Office in the United Kingdom, which handles media inquiries for MI6, declined to comment. Other Brexit supporters whose emails were suspected of being distributed on the website did not respond to emails sent to them.

'APPEARS TO BE VERY FAMILIAR'

It's unclear how the emails were obtained, and the website that hosted them made no attempt to explain who was behind the leak. The majority of the disclosed messages appear to have been transmitted using ProtonMail. ProtonMail has declined to comment. Although Reuters could not independently confirm Google's judgment of a Russian link to the website, Thomas Rid, a cybersecurity specialist at Johns Hopkins University, said the site was similar to previous hack-and-leak operations ascribed to Russian hackers. "What strikes me is how similar the M.O. is to Guccifer 2 and DCLeaks," he added, referring to two sites that released stolen emails from Democrats in the run-up to the 2016 U.S. presidential election. "In some aspects, it seems extremely familiar, particularly the sloppiness," he remarked.

If the leaked messages are genuine, it will be the second time in three years that suspected Kremlin agents have obtained and released private emails from a top British national security officer. According to Reuters, sensitive US-UK trade documents were published ahead of the UK election in 2019 after being taken from the email account of former trade minister Liam Fox. The specifics of the operation were never verified by UK officials, but then-British Foreign Minister Dominic Raab said the hack-and-leak was an attempt by the Kremlin to meddle in Britain's election, an accusation Moscow disputed.

The "English Coop" website makes a number of claims, including that Dearlove was at the center of a plot by Brexit hardliners to depose former British Prime Minister Theresa May, who had negotiated a withdrawal agreement with the European Union in early 2019, and replace her with Johnson, who took a more hardline stance. According to Dearlove, the emails documented a "legitimate lobbying activity that, when viewed through an adversarial lens, is now vulnerable to distortion." He declined to comment further.

Johnson, who took office in May of this year, has taken a firm line on Russia's invasion of Ukraine, pledging hundreds of millions of dollars in military weapons to the Ukrainian government. Johnson was in Kiev in April for a televised walkabout with Ukrainian President Volodymyr Zelensky. Johnson was formally barred from entering Russia on April 16. The "Coop" website was registered three days later, according to Internet domain data. Its URL includes the phrase "sneaky strawhead," a dig at Johnson's messy haircut.

While media should not be afraid to cover authenticated data uncovered by the leak, Rid cautioned them to tread carefully. "If the leak contains noteworthy detail, it is likewise important to note that the material originates from a hostile intelligence organization, especially in wartime," Rid added.

26-May-2022

4 min read