SECURITY WARNINGS & Notices - Please post them here

[bob3160]

Weekly Security News Roundup w/e 2-26-2021

https://youtu.be/J9VYa6e6dIo

[Asyn]

T-Mobile discloses data breach after SIM swapping attacks
https://www.bleepingcomputer.com/news/security/t-mobile-discloses-data-breach-after-sim-swapping-attacks/

[bob3160]

T-Mobile discloses data breach after SIM swapping attacks
https://www.bleepingcomputer.com/news/security/t-mobile-discloses-data-breach-after-sim-swapping-attacks/

Update February 27, 02:44 EST: The attackers used an internal T-Mobile application to target up to 400 customers in SIM swap attack attempts, BleepingComputer has learned. No T-Mobile for Business customers were impacted during this incident.
Headlines can and quite often can be very deceiving.

[Asyn]

Beware: AOL phishing email states your account will be closed
https://www.bleepingcomputer.com/news/security/beware-aol-phishing-email-states-your-account-will-be-closed/

[Asyn]

One of the biggest Android VPNs hacked? Data of 21 million users from 3 Android VPNs put for sale online
https://cybernews.com/security/one-of-the-biggest-android-vpns-hacked-data-of-21-million-users-from-3-android-vpns-put-for-sale-online/

[Asyn]

Microsoft fixes actively exploited Exchange zero-day bugs, patch now
https://www.bleepingcomputer.com/news/security/microsoft-fixes-actively-exploited-exchange-zero-day-bugs-patch-now/

[Asyn]

SITA data breach affects millions of travelers from major airlines
https://www.bleepingcomputer.com/news/security/sita-data-breach-affects-millions-of-travelers-from-major-airlines/
https://www.sita.aero/pressroom/news-releases/sita-statement-about-security-incident/

[polonus]

The latest Word Press plug-in zero-day was not detected by WordFence,
but as a result of reporting by Submitter: Ville Korhonen (Seravo), Antony Booker (WP Charged)
Submitter website: https://seravo.com/
Has been patched  with  4.1.7 vof mentioned Plus Addons for Elementor plug-in.

polonus

[bob3160]

Security News Roundup for the Week ending 3/12/2021
https://youtu.be/Hw2um5Q3jbA

[Asyn]

15-year-old Linux kernel bugs let attackers gain root privileges
https://www.bleepingcomputer.com/news/security/15-year-old-linux-kernel-bugs-let-attackers-gain-root-privileges/

[polonus]

More information on the Google fix for a second actively exploited Chrome browser zero-day was not given,
as it comes marked as "RESERVED": https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21193

We somehow know it is in their browser Webkit-engine, called Blink, specially positioned to harm Apple's webkit version's opposition.

What we can at least say, that it comes in the realm of the following category of bugs, a so-called "Use after Free" error-bug: https://cwe.mitre.org/data/definitions/416.html

More information is given as enough Google chrome users have been updating to the latest browser version,
and have been patched against this zero-day memory bug.

polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)

[polonus]

Lector saluti,

Microsoft how dare you do this to the security community?
It now becomes clear why Microsoft acquired Github.
Reason for the removal of exploit code: Working security through obscurity and defending their interests dictatorially,
by deleting all info that they do not like to be made public. In this case that particular POC info,
during times of their Exchange server security drama.

Sign of the times? Is not this against the rules for responsible disclosure to the security community and beyond?
Re: https://arstechnica.com/gadgets/2021/03/critics-fume-after-github-removes-exploit-code-for-exchange-vulnerabilities/

Might not even been Microsoft that removed the Proxy-Logon POC code, but Github itself.
The info iand not gone (e.g. at preatorian dot com with diff between the original and patched code),
and still available on archived repositories, only direct links have been removed.

Again the discussion.
Should we protect users too lazy and irresponsible to patch thousands and thousands of such Exchange servers soon?
Some would certainly speak out for that.

polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)

[bob3160]

Lector saluti,

Microsoft how dare you do this to the security community?
It now becomes clear why Microsoft acquired Github.
Reason for the removal of exploit code: Working security through obscurity and defending their interests dictatorially,
by deleting all info that they do not like to be made public. In this case that particular POC info,
during times of their Exchange server security drama.

Sign of the times? Is not this against the rules for responsible disclosure to the security community and beyond?
Re: https://arstechnica.com/gadgets/2021/03/critics-fume-after-github-removes-exploit-code-for-exchange-vulnerabilities/

Might not even been Microsoft that removed the Proxy-Logon POC code, but Github itself.
The info iand not gone (e.g. at preatorian dot com with diff between the original and patched code),
and still available on archived repositories, only direct links have been removed.

Again the discussion.
Should we protect users too lazy and irresponsible to patch thousands and thousands of such Exchange servers soon?
Some would certainly speak out for that.

polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)

A dissenting view
Marcus Hutchins, a security researcher at Kryptos Logic, pushed back on those critics. He said Github has indeed removed PoCs for patched vulnerabilities affecting non-Microsoft software. He also made a case for Github removing the Exchange exploit.
“I’ve seen Github remove malicious code before, and not just code targeted at Microsoft products,” he told me in a direct message. “I highly doubt MS played any role in the removal and it just simply fell afoul of Github’s ‘Active malware or exploits’ policy in the [terms of service], due to the exploit being extremely recent and the large number of servers at imminent risk of ransomware.”
Responding to Kennedy on Twitter, Hutchins added, "'Has already been patched.' Dude, there’s more than 50,000 unpatched exchange servers out there. Releasing a full ready to go RCE chain is not security research, it’s recklessness and stupid.”

[polonus]

Hi bob3160,

We are doing this to ourselves, by making use of "closed propriety source",
which cannot be gone over with scrutiny like with open source code.
Security through obscurity is the name of the game.

Mind you the Chinese now also sit on MAPP program exploits, and not only the services from the US of A.
Closed source, we have all confidence it it, and some prosper from it.

But alas as the POC info is already out on Interwebz, and once there, it won't go away,
A pity for monopolists. Re: https://www.praetorian.com/blog/reproducing-proxylogon-exploit/

Hope the POC-code will return there after all Exchange servers have been fully patched.
Certainly there should be room for "responsible disclosure" to check on what MS is up to.

polonus

[Asyn]

Microsoft fixes actively exploited Exchange zero-day bugs, patch now
https://www.bleepingcomputer.com/news/security/microsoft-fixes-actively-exploited-exchange-zero-day-bugs-patch-now/

One-Click Microsoft Exchange On-Premises Mitigation Tool – March 2021
https://msrc-blog.microsoft.com/2021/03/15/one-click-microsoft-exchange-on-premises-mitigation-tool-march-2021/