Welcome to 2026, and welcome back to Exploit Brokers by Forgebound Research. In this packed episode, we’re covering five major cybersecurity stories — any one of which could have been its own episode. From Microsoft’s emergency patch to security professionals turning to the dark side, let’s dive in.
HN21 – Underground Market for Twitter/X Accounts; Google OAuth Backdoor for Hackers
Welcome to another captivating episode of Exploit Brokers! In this installment, we delve deep into the ever-evolving world of cybercrime and digital security. Join us as we unravel two gripping stories that shed light on the precarious nature of our online existence.
First up, we explore the dark corners of the internet where cybercriminals flood the dark web with stolen X/Twitter gold accounts. Verified accounts, belonging to celebrities and organizations, have become a lucrative target for crooks. Learn how they compromise these accounts, what they do with them, and how you can protect yourself from falling victim to these scams. #Cybercrime #DarkWeb #TwitterGoldAccounts #OnlineSecurity
Next, we tackle the concerning vulnerability in Google’s OAuth system. Password changes are often seen as a quick fix to account compromise, but malicious actors have found a way to circumvent this. Discover how an exploit allows hackers to regain access to your account even after you change your password. We break down the details and share tips on how to safeguard your online presence effectively. #GoogleSecurity #PasswordReset #OnlinePrivacy #cybersecurity #DigitalThreats #Malware #Cyberattacks #OnlineSafety
Join us as we navigate the complex web of cybercrime and digital security, arming you with the information you need to stay one step ahead of hackers and scammers. Don’t forget to hit that subscribe button and ring the notification bell to stay updated on all things cybersecurity. Your online safety is our priority! #ExploitBrokers #TechNews #CybersecurityAwareness #staysafeonline #oauth #cybercrime #hackers #hackingnews
Sources:
Stolen Twitter/X Accounts: https://www.darkreading.com/application-security/cybercriminals-flood-dark-web-x-twitter-gold-accounts
Google Password Vuln: https://www.theregister.com/2024/01/02/infostealer_google_account_exploit/
HN20 – T-Mobile’s Watchful Eye, Big Brother, and the Misconstrued Fines. The Prelude to Big Brother?
In this episode of Exploit Brokers, we delve into a recent online uproar surrounding T-Mobile and its alleged imposition of fines for text messages containing hate speech and other violations. We take a closer look at the image that sparked the controversy, which led many to fear that T-Mobile was turning into a “Big Brother” figure, constantly monitoring and fining consumers. However, as we investigate further, we find that the situation is not as dire as it initially seemed.
As we dissect the details, we emphasize the importance of staying informed about evolving policies and industry practices. While there is no immediate cause for consumer alarm, it’s crucial to keep an eye on developments in the telecommunications sector to ensure that user privacy and freedom of communication are protected.
Join us as we separate fact from fiction in this intriguing story of T-Mobile, potential fines, and the evolving landscape of digital communication. Please subscribe to our podcast or YouTube channel for more thought-provoking discussions on tech and cybersecurity.
#tmobile #privacyconcerns #telecommunications #datasecurity #bigbrother #digitalprivacy #internetsecurity #onlineprivacy
HN 12 – The Dark Side of Hacking: Russian Hackers’ Infrastructural Shift and Google AI’s Fuzzing
Minecraft’s BleedingPipe Vulnerability: Breaking down the dangerous vulnerability found in popular mods and how to protect your server.
Hey Minecraft players, if you’re into modding, you’re going to want to tune in. In an article by Malwarebytes Labs, a new vulnerability known as BleedingPipe has been found. The bug allows Remote Code Execution, or RCE, on both servers and clients: an attacker sends a specially crafted payload to take over the server. The bug lives in the Java deserialization class that is used to exchange network packets between servers and clients. It has been exploited as recently as July 9th, 2023. In a blog post by MMPA, the vulnerable mods are listed as EnderCore, Gadomancy, LogisticsPipes with versions older than 0.10.0.71, and a few others. MMPA has released a mod to help protect servers and clients by adding filtering on the network traffic going to the vulnerable part of the code.
So, let’s talk first about what is happening from more of a code perspective. Serialization and deserialization are ways to transfer data from one place to another. Say a player’s health dropped a bit. The server can send out that information by serializing a data packet and sending it out. The receiver then has to deserialize the packet and interpret what it needs to update or do. This is common functionality that exists in all kinds of apps that communicate between clients, servers, and other programs. My big concern here is twofold. The first is the person or company that maintains the mods: they must be aware of the vulnerability and have the time and effort available to fix it. The second is the maintainer of the server: the server admin and/or owner must have the time and effort available, as well as the insight, to update the affected mods. If you know someone who maintains mods or servers, share my content with them so we can raise awareness. In the meantime, go look at the PipeBlocker mod by MMPA to help start protecting yourself sooner rather than later.
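To make the deserialization risk concrete, here is an added example, not code from the affected mods, from MMPA, or from PipeBlocker. It uses Python’s pickle as a stand-in for Java’s ObjectInputStream, since both rebuild whatever class the incoming byte stream names, and it shows the unfiltered receiver next to a receiver that applies a class allowlist, which is the same idea as filtering what reaches the vulnerable deserializer. The HealthUpdate packet, the allowlist, and the foreign stream are all constructed for the example.

```python
import datetime
import io
import pickle
from dataclasses import dataclass


@dataclass
class HealthUpdate:
    """Constructed example packet: what a server might serialize when a player's
    health changes. It stands in for a mod's packet class, not taken from any mod."""
    player_id: int
    health: float


# Allowlist of (module, class name) pairs the network layer may reconstruct.
# Anything else named inside the byte stream is refused before it is instantiated.
ALLOWED_CLASSES = {
    (HealthUpdate.__module__, HealthUpdate.__qualname__),
}

# Constructed stream naming a class outside the allowlist (a harmless stdlib type),
# standing in for any unexpected class an attacker might name on the wire.
FOREIGN_STREAM = pickle.dumps(datetime.date(2023, 7, 9))


class FilteringUnpickler(pickle.Unpickler):
    """Unpickler that consults the allowlist for every class the stream asks for."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_CLASSES:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refused to deserialize {module}.{name}")


def serialize(packet):
    """Sender side: turn the packet object into bytes for the wire."""
    return pickle.dumps(packet)


def deserialize_unfiltered(data):
    """Receiver side, vulnerable pattern: rebuild whatever class the sender named."""
    return pickle.loads(data)


def deserialize_filtered(data):
    """Receiver side, hardened: only allowlisted classes can be rebuilt."""
    return FilteringUnpickler(io.BytesIO(data)).load()


def receive(data):
    """Return (accepted, payload): the packet on success, or the rejection reason."""
    try:
        return True, deserialize_filtered(data)
    except pickle.UnpicklingError as exc:
        return False, str(exc)


if __name__ == "__main__":
    print(receive(serialize(HealthUpdate(player_id=7, health=12.5))))
    # The unfiltered receiver happily rebuilds the foreign class; the filtered one refuses.
    print(deserialize_unfiltered(FOREIGN_STREAM))
    print(receive(FOREIGN_STREAM))
```

The point of the filter is that the decision is made by class name before any constructor or reduce hook runs, so the receiver never executes code chosen by the sender.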
MMPA: https://blog.mmpa.info/posts/bleeding-pipe/
BlueCharlie’s Evasive Moves: Dive deep into how this Russian APT actor shifts tactics and what this means for cybersecurity
So, the APT, or Advanced Persistent Threat, actor BlueCharlie is attempting to evade detection by swapping out its old infrastructure, such as domains, for 94 new domains. BlueCharlie is a Russian espionage APT actor. They also go by “Calisto”, “COLDRIVER”, “SEABORGIUM”, and “Star Blizzard” and have been active since 2017. They target government, defense, education, and political organizations, and have also targeted non-governmental organizations, journalists, and think tanks. Recently, researchers mapped out BlueCharlie’s campaigns and their impact on the Russia-Ukraine war, broke down BlueCharlie’s infrastructure, and attributed the activity to a specific person who is thought to be leading BlueCharlie’s actions. An anonymous analyst from Recorded Future’s Insikt revealed some insight into how BlueCharlie used a tool known as Evilginx. The attackers took advantage of Evilginx’s ability to conduct a man-in-the-middle attack. The framework allows an attacker to append a legitimate-looking domain URL to the end of a phishing domain. An example would be something like http://phishingDomain[.]com/sso[.]legitimate[.]gov, where an unaware user may see the sso[.]legitimate[.]gov part and assume it’s an authentic website rather than a path appended to a domain controlled by the attacker. However, their new domains now appear to combine two random IT-related terms and no longer append legitimate URLs to the end of the phishing domain. An example given of the new naming structure is storage-gateway[.]com, which no longer appends a legitimate domain in an effort to appear real. The change is thought to be a response to their old infrastructure being exposed. It’s not uncommon for APT actors to change strategy when their main strategy is exposed and actively looked for.
So, I’ve talked about the article, but what does all this mean? An APT actor is a way to identify activities by some malicious cyber group. In this case, the APT actor is a Russian-affiliated actor conducting hack-and-leak oriented attacks. In other words, they want to put all the secrets of everyone they target out in the open. Their favorite known tool is Evilginx, an open-source tool available on GitHub. This tool is maintained by someone in the cybersecurity space. A lot of the popular tools used by white hats, black hats, and gray hats alike are open-source or commercially available. The tools can be used for good purposes, educational purposes, or evil purposes. The use ultimately falls on who is using it. There are also proprietary tools and software, like malware written by black hats, or Ghidra, written by the NSA before it was open-sourced. The biggest takeaway is that attacks will come in all shapes and sizes, and exposing an attack doesn’t completely neutralize it. It’s important to keep good security practices, keep software up to date, and minimize risk by being cautious about what you click and let run on your machines.
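As an added example, not from the Recorded Future or Nisos reports, this Python check is written from the defender’s side: it separates the host a browser would really connect to from any path segment that reads like someone else’s hostname, which is the lure pattern described above. The sample URLs and the short TLD set are constructed for the example; a production rule would use the public suffix list. It also shows that the newer two-term domain style is not caught by this check, which is exactly why the naming change matters.

```python
import re
from urllib.parse import urlparse

# Constructed sample of top-level domains a brand or government site would use.
# A production rule would consult the public suffix list instead of this short set.
KNOWN_TLDS = {"com", "net", "org", "gov", "edu", "mil", "io", "co", "uk"}

LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
DOMAIN_LIKE = re.compile(rf"^(?:{LABEL}\.)+{LABEL}$", re.IGNORECASE)


def refang(url):
    """Turn a defanged indicator like example[.]com back into a parseable URL."""
    return url.replace("[.]", ".")


def looks_like_domain(segment):
    """True when a path segment reads as a hostname ending in a known TLD."""
    if not DOMAIN_LIKE.match(segment):
        return False
    return segment.rsplit(".", 1)[-1].lower() in KNOWN_TLDS


def analyze_url(url):
    """Return (real_host, lure_segments).

    real_host is the host the browser actually connects to; lure_segments are
    path components that read like a different website's hostname."""
    parsed = urlparse(refang(url))
    real_host = (parsed.hostname or "").lower()
    lures = [seg for seg in parsed.path.split("/") if seg and looks_like_domain(seg)]
    return real_host, lures


def is_lure_url(url):
    """Flag URLs whose path impersonates another site's hostname."""
    _, lures = analyze_url(url)
    return bool(lures)


if __name__ == "__main__":
    # Constructed samples following the two naming styles described above,
    # plus an ordinary URL that should not be flagged.
    for sample in [
        "http://phishingDomain[.]com/sso[.]legitimate[.]gov",
        "https://storage-gateway[.]com/login",
        "https://example.com/docs/index.html",
    ]:
        host, lures = analyze_url(sample)
        print(f"{sample}: connects to {host!r}, lure segments {lures}")
```

The first sample is flagged because sso.legitimate.gov appears in the path while the real host is phishingdomain.com; the second is not, which shows why the infrastructure change pushes detection toward domain reputation and registration patterns rather than URL shape.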
Blue Charlie Higher Up: https://www.nisos.com/blog/coldriver-group-report/
Infrastructure switch up: https://www.recordedfuture.com/bluecharlie-previously-tracked-as-tag-53-continues-to-deploy-new-infrastructure-in-2023
Google’s AI Bug Hunter: Learn how Google is utilizing AI to push the boundaries of vulnerability discovery
So, Google has released a security blog article titled, “AI-Powered Fuzzing: Breaking the Bug Hunting Barrier”. It’s an interesting sounding title but what does it mean? Let’s break it down.
A project by the name of OSS-Fuzz was started back in 2016 and has been hugely important in automated vulnerability discovery for open-source projects. For those who may not know, open-source projects are projects whose authors have released the code for others to view. Different licenses let you do different things, from making a copy with your own changes to different commercialization rights, but the underlying premise is people being able to see the code that runs the software. Vulnerability discovery is important because it’s the process of finding bugs that can lead to attacks against software. Without that feedback, you could have bugs that go unnoticed and then get attacked in the wild. Now Google has been testing applying its Large Language Models, or LLMs, to help improve the performance of OSS-Fuzz. For further context, fuzzing is the process of feeding large amounts of random, malformed, and unexpected input to a program to see if crashes or bad behavior occur.
Google has used the OSS-Fuzz service to freely support over 1,000 open-source projects, and it has found and verified fixes for over 10,000 vulnerabilities. Even with these impressive numbers, the service is thought to cover only about 30% of an open-source project’s total code. A study referenced in the blog article suggests that the best way to increase coverage is to add more places for the fuzzer to test. This isn’t quite so simple, as it isn’t automated the way the current estimated 30% coverage is.
The blog article also states that the best way to get extra coverage is for those who maintain an open-source project to take the time to add more fuzz targets as they are onboarded and to integrate OSS-Fuzz into their infrastructure. This does take a time investment, but, as with any testing that is put into a program, it is generally a great way to improve the reliability and stability of the program. The downside is that it requires some investment not only to set the testing and fuzz targets in place, but possibly also some re-architecting of the program if the code is not easily modified for testing.
This is where the most recent innovation of LLMs can come into play.
Google created a framework to evaluate whether LLMs like Google’s own could be prompted to add new fuzz targets and improve code coverage. Well, simply put, the results look extremely promising. After several rounds of prompt engineering, the process of fine-tuning prompts to get the desired outcome, they were able to add anywhere from 1.5% to 31% additional coverage to projects. This is amazing given that it does not require the maintainers of the open-source project to make any code changes themselves.
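An added example of what a fuzz target and a mutation fuzzer actually are, written for this page rather than taken from OSS-Fuzz or Google’s blog: parse_record is a toy wire-format parser with a deliberate bug, and fuzz mutates a seed input until the target raises something other than its documented ValueError. The COVERAGE set is a crude stand-in for the branch coverage a real fuzzer measures, and the seed bytes are constructed. Writing a target like parse_record for each entry point is the “adding fuzz targets” work the article says maintainers (or now an LLM) have to do.

```python
import random

# Branches the target has exercised; a stand-in for the edge coverage a real fuzzer tracks.
COVERAGE = set()


def parse_record(data):
    """Toy wire-format parser used as the fuzz target.

    Layout: 1 byte record type, 1 byte payload length, payload.
    Contract: malformed input raises ValueError. Any other exception is a bug.
    Constructed for this example, with a deliberate bug for the fuzzer to find."""
    if len(data) < 2:
        COVERAGE.add("header_truncated")
        raise ValueError("header truncated")
    rtype, length = data[0], data[1]
    payload = data[2:2 + length]
    if len(payload) != length:
        COVERAGE.add("payload_truncated")
        raise ValueError("payload truncated")
    COVERAGE.add("payload_ok")
    # BUG: assumes a non-empty payload; a zero-length record indexes past the end.
    checksum = payload[0] ^ payload[-1]
    return rtype, payload, checksum


INTERESTING_BYTES = [0x00, 0x01, 0x7F, 0x80, 0xFF]


def mutate(data, rng):
    """Apply one to three random byte-level mutations to a seed input."""
    buf = bytearray(data)
    for _ in range(rng.randint(1, 3)):
        op = rng.randrange(4)
        if op == 0 and buf:                       # overwrite with a random byte
            buf[rng.randrange(len(buf))] = rng.randrange(256)
        elif op == 1 and buf:                     # overwrite with a boundary value
            buf[rng.randrange(len(buf))] = rng.choice(INTERESTING_BYTES)
        elif op == 2:                             # insert a random byte
            buf.insert(rng.randint(0, len(buf)), rng.randrange(256))
        elif op == 3 and len(buf) > 1:            # delete a byte
            del buf[rng.randrange(len(buf))]
    return bytes(buf)


def fuzz(target, seeds, iterations=10000, rng_seed=1):
    """Mutation fuzzer. Returns {exception type name: first input that triggered it}.

    ValueError is the target's documented rejection and is not a finding;
    every other exception is recorded as a crash."""
    rng = random.Random(rng_seed)
    crashes = {}
    for _ in range(iterations):
        candidate = mutate(rng.choice(seeds), rng)
        try:
            target(candidate)
        except ValueError:
            continue
        except Exception as exc:
            crashes.setdefault(type(exc).__name__, candidate)
    return crashes


if __name__ == "__main__":
    crashes = fuzz(parse_record, [b"\x01\x03abc"])
    for name, inp in crashes.items():
        print(f"{name} triggered by {inp!r}")
    print("branches covered:", sorted(COVERAGE))
```

With the constructed seed the fuzzer finds the zero-length record within a few hundred iterations; the same loop, pointed at a real parser through a harness, is what OSS-Fuzz runs continuously.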
Now this is only the early stages, and more research is still to come but this is exciting technology for fuzz-oriented bug hunting. As well the Google blog notes their longer-term goals which include extending support to other language ecosystems beyond C/C++ to languages like Java and Python. They also want to automate the project onboarding process to bring the barrier of entry lower for any open-source project that wishes to take advantage of OSS-Fuzz.
I know that was a lot, and many non-developers may not know the full impact of this. It’s essentially leveraging AI like ChatGPT to add ways for testing to occur. The more testing can happen at scale and automatically, the faster bugs can be found. Zero-days and vulnerabilities are a game of cat and mouse: the fastest player wins until the other catches up. The more bugs are squashed before major attackers can take advantage of them, the better off the projected targets are. The last thing anyone wants is a major bug to go unnoticed and allow a nation-state hacker group to steal millions of dollars’ worth of data.
Source: https://security.googleblog.com/2023/08/ai-powered-fuzzing-breaking-bug-hunting.html
New Mac Malware Alert: Unmasking the new variant of XLoader hiding in a productivity app
So, the apple never falls far from the tree. A new variant of the XLoader malware has been discovered. XLoader is macOS malware that disguises itself as OfficeNote, a productivity app. The new version of XLoader is bundled inside an Apple disk image, or .dmg file. The file uses the name OfficeNote.dmg and is signed with the developer signature MAIT JAKHU (54YDV8NU9C). This malware was first found back in 2020. It is thought to be the new “Formbook”, a keylogger and information grabber that was distributed as Malware-as-a-Service, or MaaS. We’ve been seeing Malware-as-a-Service appear more and more. It’s the illegal version of Software-as-a-Service, which lets people subscribe to useful software and web apps for their personal or business needs.
The original Mac variant of XLoader was a compiled .JAR file that requires a Java runtime to execute. However, Apple has not shipped a Java Runtime Environment with Macs for quite a while now. The newest XLoader is written in C and Objective-C, which run natively on Macs. The disk image the malware is bundled in was signed on July 17, 2023. It’s important to note that Apple has revoked the signature, so it should no longer show up as trusted. SentinelOne said that multiple samples of the malware were detected on VirusTotal around July 2023. This likely indicates the operators were actively trying to get infections and running a large infection campaign around that time.
Researchers found advertisements for the Mac variant of the malware at $199 per month or $299 for 3 months. The researchers noted that this is significantly more expensive than the Windows version, which normally sells for $59 a month or $129 for 3 months.
The malware itself is designed to steal clipboard data and information stored in common web browser directories, such as those of Firefox and Chrome. Safari does not appear to be targeted, however. The malware also uses sleep commands to avoid raising red flags that could lead to it being detected.
What does this all mean exactly? Well, new Mac malware is on the loose and looking to infect someone searching for a productivity app such as a word processor. Clipboard stealing and directory data harvesting are concerning because the goal could be to steal credentials, cookies, and other data that could lead to leaking sensitive information or provide ways to gain access to personal or business accounts. This is especially concerning since the malware appears to create a persistent process in macOS through a Launch Agent. Launch Agents are the legitimate way for developers who need a persistent process, such as a background service for a user’s application, to run one.
Most operating systems provide ways to have something known as Daemons running. A Daemon is a background process that handles requests for an application but does not require the user to have a window up. This is useful for things like web servers and remote tools since you don’t want to leave a window open to have things running.
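As an added example, not from SentinelOne’s analysis, this Python snippet parses a LaunchAgent property list, pulls out the fields worth reviewing (label, program path, RunAtLoad, KeepAlive) and flags entries that persist across logins or run from an unusual location. The sample plist is constructed and is not the XLoader agent; scan_launch_agents can be pointed at a real ~/Library/LaunchAgents directory on a Mac.

```python
import plistlib
from pathlib import Path

# Constructed LaunchAgent property list in the format macOS expects under
# ~/Library/LaunchAgents. Not taken from the XLoader sample.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.example.helper</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Users/demo/Library/Application Support/helper</string>
        <string>--background</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>KeepAlive</key>
    <true/>
</dict>
</plist>
"""

# Locations a legitimately installed program usually runs from (assumption for this example).
EXPECTED_PREFIXES = ("/Applications/", "/System/", "/usr/", "/Library/Apple/")


def summarize_launch_agent(plist_bytes):
    """Pull the fields an analyst reviews first out of a LaunchAgent plist."""
    d = plistlib.loads(plist_bytes)
    args = d.get("ProgramArguments") or ([d["Program"]] if "Program" in d else [])
    return {
        "label": d.get("Label"),
        "program": args[0] if args else None,
        "arguments": list(args[1:]),
        "run_at_load": bool(d.get("RunAtLoad", False)),
        "keep_alive": bool(d.get("KeepAlive", False)),
    }


def review_flags(summary):
    """Return human-readable reasons this entry deserves a closer look."""
    flags = []
    if summary["run_at_load"]:
        flags.append("starts automatically at login")
    if summary["keep_alive"]:
        flags.append("relaunched whenever it exits")
    program = summary["program"] or ""
    if not program.startswith(EXPECTED_PREFIXES):
        flags.append("program runs from outside standard application paths")
    return flags


def scan_launch_agents(directory):
    """Summarize every .plist in a LaunchAgents directory (e.g. ~/Library/LaunchAgents)."""
    results = []
    for path in sorted(Path(directory).expanduser().glob("*.plist")):
        try:
            summary = summarize_launch_agent(path.read_bytes())
        except Exception as exc:
            results.append({"path": str(path), "error": str(exc)})
            continue
        summary["path"] = str(path)
        summary["flags"] = review_flags(summary)
        results.append(summary)
    return results


if __name__ == "__main__":
    s = summarize_launch_agent(SAMPLE_PLIST)
    print(s["label"], s["program"], review_flags(s))
    for entry in scan_launch_agents("~/Library/LaunchAgents"):
        print(entry)
```

None of these flags is proof of malware on its own; plenty of legitimate helpers start at login. The value is in getting a short, reviewable list of what will run without a window open, which is exactly what a Launch Agent used for persistence relies on nobody checking.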
Keep a lookout for any app called OfficeNote, Mac users. Only install software from trusted sources, and always be careful about what you download and install.
Source: https://thehackernews.com/2023/08/new-variant-of-xloader-macos-malware.html
Outro
Hey guys thank you for listening to this episode of Exploit Brokers. Please consider subscribing and clicking the bell notification to get updated when new episodes are published. As well share us with others to help us get noticed by others so we can spread awareness of the cyber threats we face today.
The digital world will continue to evolve, and whether hacking news, breaches, malware, AI, or a myriad of other issues arise, Exploit Brokers will be here to help shine some light on it. While it may seem daunting, our mission is to serve as your beacon, to help light up the dark corners of the cyber world and be a source of knowledge for those willing to join us. Information is our strongest ally, and together we form our strongest shield. Until our next episode, stay safe and keep your digital shields up.
HN11 – T-Mobile Hacked, PayPal Hacked, and new Hook Android Banking Malware.
Intro
Hey guys, T-Mobile got hacked, PayPal got hit by a massive credential stuffing attack, there’s a new Android malware that is an evolution of an existing banking malware, and a phone ad scheme infected real apps. All this in this episode of Exploit Brokers’ Hacking News Roundup. You’re not going to want to miss this.
PayPal Accounts hit by Credential Stuffing Attack
So, let’s talk about PayPal for a second. It appears they were sending out data breach notifications but before you run out and check your account know that the issue happened back in December 2022. We are finding out more details now because PayPal distributed a security incident notice. We are getting more details and it’s important we discuss and figure out what happened. Did PayPal have some unknown zero day? A flaw in the configuration of some server? No. It appears it was a large Credential Stuffing Attack.
Simply put, a credential stuffing attack involves hackers taking known passwords from data dumps on the internet and then using a brute-force login tool to try to log in to multiple websites with the leaked credentials. The brute-force login tool pretends to be a web browser and tries logging into an account using passwords found for a known user. It relies heavily on a user reusing the same password for multiple things. Let’s say you use password123 (if you do, please change it), and for this discussion let’s say you use password123 on websites A, B, C, and D. Then there is a data breach and website A leaks your password. A credential stuffing attack would try to log in to website B, C, or D with the password found on the internet. Hackers use the information they got from the website A breach to log in to the other websites.
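Here is an added example of how a defender would spot the pattern just described in an authentication log; it is not PayPal’s detection logic. The log lines are constructed, with documentation-range IP addresses, and the rule flags a source whose failed logins spread across many distinct accounts in a short window (the signature of one tool trying leaked credentials against many users), then lists which accounts that same source later logged into successfully, since those are the ones to reset first.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log lines; the source addresses are documentation ranges.
SAMPLE_LOG = """
2022-12-06T10:00:01Z src=203.0.113.7 user=alice result=FAIL
2022-12-06T10:00:02Z src=203.0.113.7 user=bob result=FAIL
2022-12-06T10:00:04Z src=203.0.113.7 user=carol result=FAIL
2022-12-06T10:00:05Z src=203.0.113.7 user=dave result=FAIL
2022-12-06T10:00:07Z src=203.0.113.7 user=erin result=FAIL
2022-12-06T10:00:09Z src=203.0.113.7 user=frank result=FAIL
2022-12-06T10:00:10Z src=203.0.113.7 user=grace result=OK
2022-12-06T10:03:00Z src=198.51.100.4 user=alice result=FAIL
2022-12-06T10:03:20Z src=198.51.100.4 user=alice result=FAIL
2022-12-06T10:03:45Z src=198.51.100.4 user=alice result=OK
""".strip().splitlines()

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "src": m["src"],
        "user": m["user"],
        "result": m["result"],
    }


def detect_stuffing(lines, window=timedelta(minutes=5), min_accounts=5):
    """Flag sources whose failed logins span at least min_accounts distinct accounts
    inside any window-sized interval. A normal user mistyping one password does not
    trip this, because the distinct-account count stays at one."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_src[ev["src"]].append(ev)

    flagged = {}
    for src, events in by_src.items():
        failures = sorted((e for e in events if e["result"] == "FAIL"), key=lambda e: e["ts"])
        best = 0
        start = 0
        for end in range(len(failures)):
            # Slide the window start forward until it fits within `window`.
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            best = max(best, len({e["user"] for e in failures[start:end + 1]}))
        if best >= min_accounts:
            flagged[src] = {
                "distinct_accounts": best,
                "failures": len(failures),
                # Accounts the same source then logged into: the ones to reset first.
                "succeeded_accounts": sorted({e["user"] for e in events if e["result"] == "OK"}),
            }
    return flagged


if __name__ == "__main__":
    for src, info in detect_stuffing(SAMPLE_LOG).items():
        print(src, info)
```

In the sample, 203.0.113.7 fails against six different accounts in eight seconds and then succeeds on grace, so grace’s password is the one that was reused somewhere that leaked; 198.51.100.4 is just alice getting her own password wrong twice and is not flagged.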
You must keep all your passwords as unique as possible and try not to repeat the same password on multiple websites.
So now that we know a bit more about what happened, let’s talk about what PayPal did. As soon as PayPal found out about the hack, they began an investigation. They reset the passwords of affected users and set up enhanced security that required a password change on the next login. They also gave users a chance to get two years of Equifax’s identity monitoring solution.
What did the hackers have access to? According to PayPal they could view your name, date of birth, social security number, address, and individual tax identification number. This was all between a window thought to be from December 6th to December 8 back in 2022. It also looks like almost 35,000 users were affected by the incident.
So, on the surface it sounds bad, and it is bad for anyone affected by the hack. On the plus side, PayPal found the attack early on and was able to rule out a vulnerability on their side. The issue with bugs found in the application is that they can take longer to fix and generally affect a wider base of users. In this case, a credential stuffing attack is the result of hackers finding passwords on the internet that, by chance, are the same password on the targeted website. It’s important to change passwords often and minimize, if not eliminate altogether, reused passwords. It’s good practice to use something like a password manager to help randomize passwords for all your accounts. However, make sure the master password is complex and not something you’ve used before.
Should you panic, stop using PayPal, disconnect your internet, and go offline forever? No. You need to look into a password manager, change out the most critical passwords you have, and rotate passwords often. Hacking is becoming more commonplace, and it’s important to learn to navigate without fear.
T-Mobile Hacked
The cell phone carrier T-Mobile just recently released notice about a security breach back in late November. T-Mobile filed a report with the Securities and Exchange Commission or SEC about a security incident involving 37 million of its customers. It appears hackers found their way into the network and stole addresses, phone numbers, and birth dates of the affected customers. According to the report the hackers were not able to steal passwords, pins, credit cards, social security numbers, or bank account information.
This only adds fuel to the flames for T-Mobile. For those who may not be aware I’ll recap what’s happened over the past few years.
Back in August 2018, hackers managed to use a vulnerable Application Programming Interface, or API, to steal details from about 2 million T-Mobile customers. Although T-Mobile stated that passwords, financial information, and social security numbers were not compromised, the hackers did potentially steal names, billing zip codes, phone numbers, account numbers, email addresses, and account types. That was the beginning of their troubles.
The following year, in November 2019, they had another data breach. This time it appeared that over 1 million prepaid customers had their name, billing address, phone number, account number, rate plan, and calling feature information stolen.
Continuing down this timeline we find ourselves at March 2020. This time hackers were able to break into an employee’s email account and used it to steal customer account information. The hackers were able to get names, addresses, phone numbers, and rates. The hackers were not able to get financial information or Social Security Numbers.
The rest of 2020 looked quiet and then we get to 2021.
2021 had two T-Mobile hacking events. One in January 2021 and the other in August 2021. The January event did not expose names, physical or email addresses, financial data, credit card information, social security numbers, tax ids, passwords, or pins. The August event, however, is a different story.
The hacking event in August 2021, appeared to have been the worst. Hackers were able to steal names, driver license details, government identification numbers, social security numbers, dates of birth, prepaid customer pins, addresses, and phone numbers. The event was disclosed days after a hacker put the data up for sale on an underground forum.
Now back to the new and recent incident. Although financial and social security information was not stolen, the attackers were able to steal addresses, phone numbers, and dates of birth. This means the impacted customers are now more exposed to phishing campaigns and spam campaigns, and with even more personal information available, identity theft becomes easier for hackers to carry out.
This is a prime example of why you need to rotate passwords often, get identity monitoring, lock down your credit, and sign up for a service that notifies you if passwords, email, and any of your personal information is found on the dark web.
August 2018 Source: https://grahamcluley.com/hackers-t-mobile-data/
November 2019 Source: https://techcrunch.com/2019/11/22/more-than-1-million-t-mobile-customers-exposed-by-breach/
March 2020 source: https://www.theregister.com/2020/03/05/tmobile_breach/
January 2021 source: https://www.theregister.com/2020/03/05/tmobile_breach/
August 2021 source:
New Rat Can Take Over your Device
The Android banking malware world has two very dangerous families, known as Hydra and Octo. These two families of malware are dangerous because of their ability to perform a Device Take-Over, or DTO. Once a device has been taken over by a hacker, they can view and interact with the screen. Hackers can exfiltrate data, manipulate apps, and do anything that someone with physical access to the phone could do.
There is one other family of Android banking malware with comparable infections, ERMAC. ERMAC was being rented out by its creator, DukeEugene, but the biggest difference is that it did not have the ability to do a device take-over. The ERMAC source code was sold, and several renamed variants popped up. Infections under the names MetaDroid and OWL were found by ThreatFabric.
The story, however, has taken a turn. Recently DukeEugene posted a new advertisement for a brand-new banking malware known as Hook. Hook was touted as new malware written from scratch. I’d assume this was to get bad actors interested in a new piece of tech that doesn’t have samples everywhere, or to rebrand the product toward a new audience. The claim of being written from scratch, however, may be false, as the team at ThreatFabric found that the malware shares a lot of the same source code as the original ERMAC.
So why am I bringing this up if it’s the same ERMAC malware that isn’t as powerful as Hydra and Octo? Hook has some shiny new upgrades that make it concerning. It can now communicate in real time and bidirectionally. For context, previously the malware used a polling method, where it would periodically send messages to the server controlling it. That makes it hard to do anything quickly, as changes would have to wait until the next poll occurred. The new real-time communication, WebSocket communication, opens a remote connection and can keep it open until the control server is done with the conversation. This, coupled with its latest addition, makes it formidable malware.
Hook can now use Virtual Network Computing, or VNC, to view the device remotely, and it abuses accessibility services to interact with UI elements. These two abilities, viewing and controlling the device, upgrade the malware to the same threat level as Hydra and Octo. Hook can now be considered Device Take-Over capable malware. It can perform clicks, fill in text boxes, take screenshots, and more. It can also view and retrieve files on the victim’s device. If you have crypto or use WhatsApp, you’ll want to be extra careful. Hook has the ability to extract seed phrases for wallets, which would allow a hacker to create a copy of the wallet. Lastly, Hook has the ability to read and send messages from the popular messaging app WhatsApp. Hook is a new malware to be on the lookout for.
Source: https://www.threatfabric.com/blogs/hook-a-new-ermac-fork-with-rat-capabilities.html
Outro
Malware, password hacking, and leaked data are only a portion of the cyber threats of the digital world we live in. If you want to stay up to date and learn about the threats lurking in the cyber shadows stay tuned. This has been Exploit Brokers; I’ll see you in the next one.
HN10 – License Plates Hacked, Canada Reclassifies Tether, JsonWebToken Vulnerability, & More.
Intro
Hey guys and welcome to Exploit Brokers where we break down articles, recap recent hacking events, and give insight on the technical aspects of the hacking events. I will explain things and give my opinion on tech and hacking events so let’s get started.
Hackable License Plates or Hack way or the Highway
What if your car’s license plate could track you? What if hackers were able to access that information and could now monitor the position of your car whenever they wanted? This isn’t science fiction this is what security researchers were able to access when they gained admin access to Reviver’s backend system. In an article by Vice titled, “Researchers Could Track the GPS Location of All of California’s New Digital License Plates” they dive into the issue found by security researchers. Reviver is the company that sells and maintains the REVIVER license plate, a digital license plate that the company states is the modern license plate. The digital license plate also allows a personalized message at the bottom of the plate. Once the security researcher was able to gain admin access, they could change this to whatever they wanted. In addition to modifying the personalized message an attacker could track the plate, update, and delete any plate they want to. Currently California is allowing digital license plates and Reviver is the sole provider of these plates.
Let’s break down the technical information available to try to understand what happened. At first glance, it appears there are two main account types, a “CONSUMER” type and a “CORPORATE” type. At least that’s what appears to normally be handed out. There was a third type of account identified as a “REVIVER” account. This acted as an admin account, or root in Linux terms. This means whoever had an account with the “REVIVER” type on it would be able to wield virtually unchecked power. In my opinion this sounds like something developers and testers would implement so they can get in and out of the system for testing, maintaining, and enhancing pieces of code and products. This is purely what I suspect happened; only Reviver currently knows what the intention of the account type was.
The good news? Reviver has patched the issues that were reported by the security researchers. Good on them. It’s nice to see companies being receptive to bugs being reported and doing something about it. Far too many times do you hear about companies ignoring bug reports or outside people finding flaws in their systems. REVIVER I think you did well in fixing the issues promptly.
Source: https://www.vice.com/en/article/wxn9vx/researchers-track-reviver-digital-license-plate-gps-location
Canada’s standard means tether gets more restrictions.
It appears the crypto markets can’t catch a break. Decrypt.co is reporting more bad news for the crypto markets. It appears that Crypto.com will delist the Tether stablecoin in Canada due to pressure from Canadian regulators. Users will only have until January 31st to trade or withdraw their Tether coins. There was some confusion, since the notice by Crypto.com did not specifically state that only Canadian users would be affected. Any remaining Tether after the January 31st deadline will be automatically converted to another stablecoin, USD Coin, which is by the financial tech company Circle.
The controversial decision was essentially forced by the Ontario Securities Commission when the Canadian Standards Association, or CSA, stated its view on stablecoins. The CSA essentially views stablecoins, or stablecoin-related agreements, as securities and/or derivatives. This change of view means that stablecoins are now seen as regulated entities like stocks, derivatives, futures, and things of that nature. For my American viewers, the Ontario Securities Commission is essentially the Canadian version of the Securities and Exchange Commission, or SEC.
Let’s stop for a second and give some background on the topic. A stablecoin is the intermediary between crypto and fiat currency. It is generally tied to another currency or commodity and makes it easier for transactions between coins to happen without the added step of exchanging to a fiat currency such as US dollars. Stablecoins are backed by real-world assets such as the US dollar. For further background: Tether is the third-largest digital asset by market capitalization and the largest crypto stablecoin available at the time of this recording. USD Coin, by the FinTech company Circle, is the second-largest stablecoin. The move to convert any remaining Tether to USDC makes sense: USDC is owned by a registered Money Services Business in the US and is therefore already regulated and scrutinized there. Tether has had issues in the past, including lawsuits pertaining to its statements that USDT is backed by cash and cash equivalents. I’ll be sure to do a video on this in the future.
Source: https://decrypt.co/118812/crypto-com-delist-tether-canada
Let’s JWT this down
The one thing most developers and sysadmins don’t want to hear is that there is a severe vulnerability in a library their systems depend on. A new high-severity flaw has been found in jsonwebtoken, the popular JWT library for Node.js. Tracked as CVE-2022-23529, it sits in the library’s verify() path and could let an attacker achieve remote code execution (RCE) on the server. One important caveat a practitioner should know: the attacker has to be able to control the key material (the secretOrPublicKey argument) that the application hands to verify(), which in a typical deployment is a server-side secret rather than user input. The bug is patched in version 9.0.0. If your app is running 8.5.1 or below, it’s time to update to 9.0.0 or later before it gets exploited in the wild.
To give some context: a JSON Web Token is a signed blob of claims that many web applications use to authenticate users, and jsonwebtoken is the library that signs and verifies those tokens. It is developed and maintained by Auth0, which is owned by Okta, Inc. The severity is a concern because the package has over 10 million weekly downloads on npm, the Node package manager, and is used by over 22,000 projects. That means thousands of applications could be running vulnerable code that lets an attacker execute malicious code on the victim’s server.
We’re seeing more and more software supply chain attacks lately. Why attack one application directly when you can find an exploitable bug in a package that thousands of applications depend on? That lets you target tons of applications at once. The moment a strong vulnerability in a widely used dependency becomes public, the attacker only needs to play the numbers game: scan for exposed instances and keep trying until one gives.
Developers should be mindful of security as often as possible. I know it’s alluring to ship software fast, but it’s important to have processes in place (dependency scanning, a committed and audited lockfile, a regular patch cadence) to catch as many of these vulnerabilities as early as possible. It’s impossible to never introduce bugs into an application, but the more that are caught, the harder it is for an attacker to find an easy attack vector.
Source: https://thehackernews.com/2023/01/critical-security-flaw-found-in.html
The Zero Day in Sugar
So, there is a major vulnerability in SugarCRM that allows attackers to take full control of a victim’s server. A zero day, that is, a previously unknown vulnerability, has been discovered being exploited in the wild against SugarCRM instances. The exploitation has reportedly affected about 12 percent, roughly 354, of the more than 3,000 SugarCRM servers exposed online. SugarCRM made a hotfix available in early January and has already applied it to its cloud-based offerings; it is urging anyone running SugarCRM on their own servers to patch as soon as possible.
The exploit was posted publicly in late December and came with Google dorks, search queries that lean on Google’s web index to find specific kinds of sites. An attacker can use a dork to find potentially vulnerable installations by searching for strings, paths or error messages that identify the product and version, information that is not obvious from the surface of the site.
To give more detail on the zero day, it was identified as an authentication bypass bug. An authentication bypass lets an attacker send requests the server acts on without being authenticated or logged in. In this case the attacker was able to manipulate a file on the server, which let them obtain a valid session cookie. That cookie was then chained with an upload of a malicious image: the “image” carried embedded code, a web shell, that gives the attacker a remote session on the server. Once they have that, they can do virtually anything they want. The server is fully compromised, and they can plant additional backdoors and run their own software at the owner’s expense.
Outro
Thank you for tuning in this has been Exploit Brokers, I’ll see you in the next one!