CYBERSECURITY NEWS V. 05.11 – Oracle WebLogic flaw, 0-day in Windows kernel, Nitro Software data breach


hexway cybersecurity blog brings you the latest news about attacks and data breaches, emerging malware, and vendor security updates with comments from our experts

News for discussion

Hackers actively exploit a critical vulnerability in Oracle WebLogic

Oracle WebLogic Server is a popular application server used for building and deploying enterprise Java EE applications. The WebLogic Server console component has a severe RCE vulnerability, CVE-2020-14882 (CVSS score: 9.8). Earlier this month, the company patched over 400 vulnerabilities in its products, including this critical issue. It can be exploited over HTTP by an attacker with network access, without any privileges or user interaction. The issue affects Oracle WebLogic versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0. There are currently over 3000 Oracle WebLogic servers reachable on the network that are potentially vulnerable to CVE-2020-14882. According to the researchers, the attacks come from China, the USA, Moldova, and Hong Kong. Installing the latest Oracle patch is the best way to protect against these attacks.

hexway commentary:

Yet another vulnerability in Oracle WebLogic. It seems that not a month goes by without a critical vulnerability being found in this product. No advanced tools are required to exploit this one. The only good thing is that administrators are so used to patching WebLogic vulnerabilities that the update process has become routine. Most likely, most servers will be patched quickly, and bug hunters will find those left behind.

News FYI

Nitro Software data breach affects Google, Apple, and Microsoft

The developer of the renowned PDF editor, Nitro Software, has suffered a colossal data breach. Nitro offers a cloud-based service for sharing documents. The service currently has 10,000 business customers and 1.8 million licensed users. On October 21, the company reported a “low impact security incident” that allegedly did not affect user data. However, it later became known that Nitro had hidden the true scale of the leak. According to Cyble specialists, cybercriminals are already selling user databases and 1 TB of documents stolen from the Nitro cloud. The data is up for auction, with an initial bid of $80,000. The user_credential database contains 70 million user records, including email addresses, full names, bcrypt password hashes, company names, IP addresses, etc.

0-day in Windows kernel exploited in targeted attacks

Google Project Zero has discovered a zero-day in the Windows kernel (CVE-2020-17087). Such an early publication is a forced measure: attackers have already found this vulnerability and are trying to use it in targeted attacks. Microsoft developers are preparing patches, expected on the next “Patch Tuesday”, November 10. The vulnerability is located in the Windows Kernel Cryptography Driver (cng.sys), specifically in the cng!CfgAdtpFormatPropertyBlock function, and belongs to the category of pool-based buffer overflows. It cannot be exploited directly: first, the attacker has to gain local access to the system and then find and leverage another vulnerability. The researchers have also published proof-of-concept (PoC) code that can cause vulnerable Windows devices to malfunction. The PoC has been tested on the latest version of Windows 10, but the vulnerability is also present in other versions of the OS, starting with Windows 7.

Online supermarket Lazada confirms over 1M accounts leaked

Around one million accounts of Alibaba-owned Singapore e-commerce company Lazada have been hacked. On October 29, RedMart customers were logged out of their accounts and prompted to reset their passwords before logging in again. Lazada, RedMart’s parent company, discovered the breach during “regular proactive monitoring” of its systems. In a message to its customers, Lazada said the incident resulted in unauthorized access to a “RedMart-only database, which contained personal information like names, phone numbers, encrypted passwords, and partial credit card numbers.” However, the compromised database is a legacy system no longer in use and is not linked to any operational Lazada database.
