Hacker Hub
Update Your Devices! LastPass Compromised, Current Actively Exploited Vulnerabilities, and BoratRAT

August 25th, 2022

LastPass Compromised

To All LastPass Customers,  

I want to inform you of a development that we feel is important for us to share with our LastPass business and consumer community.  

Two weeks ago, we detected some unusual activity within portions of the LastPass development environment. After initiating an immediate investigation, we have seen no evidence that this incident involved any access to customer data or encrypted password vaults.  

We have determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information. Our products and services are operating normally. 

In response to the incident, we have deployed containment and mitigation measures, and engaged a leading cybersecurity and forensics firm. While our investigation is ongoing, we have achieved a state of containment, implemented additional enhanced security measures, and see no further evidence of unauthorized activity.  

Based on what we have learned and implemented, we are evaluating further mitigation techniques to strengthen our environment. We have included a brief FAQ below of what we anticipate will be the most pressing initial questions and concerns from you. We will continue to update you with the transparency you deserve.  

Thank you for your patience, understanding and support.  

Karim Toubba 

CEO LastPass 

Now, what are some of the common questions arising from this?

  1. Has my Master password or the Master Password of my users been compromised?  

    No - Your Master password and your users’ Master passwords are safe.

  2. Has any data within my vault or my users’ vaults been compromised?

    No - Your data has not been tampered with or compromised.

  3. Has any of my personal information or the personal information of my users been compromised? 

    No - “Our investigation has shown no evidence of any unauthorized access to customer data in our production environment.”

  4. What should I do to protect myself and my vault data?

    At this time LastPass is not advising any customers to worry about changing passwords or credentials.

    In good conscience, though, we at Hacker Hub recommend that customers change their account credentials (or at least the Master password). In the unlikely event that something were to occur and user data was compromised, it’s best to be in front of the ‘data leak’ that would happen.

At the end of LastPass’s statement, they reassure customers that updates about the investigation will continue to be provided over time.


8 Year Old Linux Kernel Exploit Found

Dubbed DirtyCred by a group of academics from Northwestern University, the security weakness exploits a previously unknown flaw (CVE-2022-2588) to escalate privileges to the maximum level.

"DirtyCred is a kernel exploitation concept that swaps unprivileged kernel credentials with privileged ones to escalate privilege," researchers Zhenpeng Lin, Yuhang Wu, and Xinyu Xing noted. "Instead of overwriting any critical data fields on kernel heap, DirtyCred abuses the heap memory reuse mechanism to get privileged."

This entails three steps -

  • Free an in-use unprivileged credential with the vulnerability

  • Allocate privileged credentials in the freed memory slot by triggering a privileged userspace process such as su, mount, or sshd

  • Operate as a privileged user

The novel exploitation method, according to the researchers, pushes the dirty pipe to the next level, making it more general as well as potent in a manner that could work on any version of the affected kernel.
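The heap memory reuse that the three steps rely on can be seen in a userspace toy model, added here as an illustration (it is not kernel code and not the researchers' code). The `cache` type, the LIFO free list and the `isolated` switch, which models keeping privileged credentials in their own allocation pool, are assumptions of this sketch.

```c
/* Userspace toy model of credential slot reuse (constructed for illustration). */
#include <stdio.h>

#define SLOTS 4
struct cred  { unsigned uid; int in_use; };
struct cache { struct cred slot[SLOTS]; int free_stack[SLOTS]; int top; };

static void cache_init(struct cache *c) {
    c->top = 0;
    for (int i = SLOTS - 1; i >= 0; i--) {  /* push so that slot 0 pops first */
        c->slot[i].uid = ~0u;
        c->slot[i].in_use = 0;
        c->free_stack[c->top++] = i;
    }
}

/* LIFO reuse: the most recently freed slot is handed out first. */
static struct cred *cache_alloc(struct cache *c, unsigned uid) {
    if (c->top == 0) return NULL;
    struct cred *p = &c->slot[c->free_stack[--c->top]];
    p->uid = uid;
    p->in_use = 1;
    return p;
}

static void cache_free(struct cache *c, struct cred *p) {
    p->in_use = 0;
    c->free_stack[c->top++] = (int)(p - c->slot);
}

/* Returns the uid read through a reference that outlived its object.
 * isolated == 0: privileged and unprivileged creds share one cache.
 * isolated == 1: privileged creds are served from a separate cache. */
unsigned uid_seen_after_stale_free(int isolated) {
    struct cache shared, priv;
    cache_init(&shared);
    cache_init(&priv);
    struct cred *task = cache_alloc(&shared, 1000); /* unprivileged cred      */
    cache_free(&shared, task);       /* step 1: freed while still referenced  */
    struct cred *root =              /* step 2: privileged cred is allocated  */
        cache_alloc(isolated ? &priv : &shared, 0);
    (void)root;
    return task->uid;                /* step 3: what the stale reference sees */
}

int main(void) {
    printf("shared cache:   stale ref sees uid %u\n", uid_seen_after_stale_free(0));
    printf("isolated cache: stale ref sees uid %u\n", uid_seen_after_stale_free(1));
    return 0;
}
```

With one shared cache the stale reference ends up pointing at the privileged credential; with separate pools the freed slot is never handed to a privileged allocation, so the stale reference still reads the unprivileged uid.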


The Borat RAT provides a dashboard for malicious hackers to perform RAT malware activities and the ability to compile the malware binary for DDoS and ransomware attacks on the victim's machine. The RAT also includes code to launch a DDoS attack, which slows down response services for legitimate users and can even cause the site to go offline.

Remarkably, Borat RAT can deliver a ransomware payload to the victim's machine to encrypt users' files and demand a ransom. The package also includes a keylogger executable file that monitors keystrokes on victims' computers and saves them in a .txt file for exfiltration.

Other functionality of the Borat RAT malware that makes it fun, or not so fun, includes:

  • A reverse proxy to protect the hacker

  • The ability to steal credentials from browsers or Discord tokens

  • The ability to introduce malicious code into legitimate processes

To annoy or scare its victims, the Borat RAT can also perform the following actions:

  • Switching off and on the monitor

  • Hiding/showing the desktop features such as the start button and taskbar

  • Playing unwanted audio

  • Switching the webcam light on/off

The Borat RAT malware will check to see if the system has a connected microphone and if so, will record audio from the computer, which will be saved in another file called "micaudio.wav." Similarly, the malware can begin recording from the camera if a webcam is discovered on the system.


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday moved to add a critical SAP security flaw to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

The issue in question is CVE-2022-22536, which has received the highest possible risk score of 10.0 on the CVSS vulnerability scoring system and was addressed by SAP as part of its Patch Tuesday updates for February 2022.

Described as an HTTP request smuggling vulnerability, the shortcoming impacts the following product versions -

  • SAP Web Dispatcher (Versions - 7.49, 7.53, 7.77, 7.81, 7.85, 7.22EXT, 7.86, 7.87)

  • SAP Content Server (Version - 7.53)

  • SAP NetWeaver and ABAP Platform (Versions - KERNEL 7.22, 8.04, 7.49, 7.53, 7.77, 7.81, 7.85, 7.86, 7.87, KRNL64UC 8.04, 7.22, 7.22EXT, 7.49, 7.53, KRNL64NUC 7.22, 7.22EXT, 7.49)

"An unauthenticated attacker can prepend a victim's request with arbitrary data, allowing for function execution impersonating the victim or poisoning intermediary web caches," CISA said in an alert.

"A simple HTTP request, indistinguishable from any other valid message and without any kind of authentication, is enough for a successful exploitation," Onapsis, which discovered the flaw, notes. "Consequently, this makes it easy for attackers to exploit it and more challenging for security technology such as firewalls or IDS/IPS to detect it (as it does not present a malicious payload)."

Aside from the SAP weakness, the agency added new flaws disclosed by Apple (CVE-2022-32893 and CVE-2022-32894) and Google (CVE-2022-2856) this week, as well as previously documented Microsoft-related bugs (CVE-2022-21971 and CVE-2022-26923) and a remote code execution vulnerability in Palo Alto Networks PAN-OS (CVE-2017-15944, CVSS score: 9.8) that was disclosed in 2017.

CVE-2022-21971 (CVSS score: 7.8) is a remote code execution vulnerability in Windows Runtime that was resolved by Microsoft in February 2022. CVE-2022-26923 (CVSS score: 8.8), fixed in May 2022, relates to a privilege escalation flaw in Active Directory Domain Services.

"An authenticated user could manipulate attributes on computer accounts they own or manage, and acquire a certificate from Active Directory Certificate Services that would allow elevation of privilege to System," Microsoft describes in its advisory for CVE-2022-26923.

The CISA notification, as is traditionally the case, is light on technical details of in-the-wild attacks associated with the vulnerabilities so as to avoid threat actors taking further advantage of them.

To mitigate exposure to potential threats, Federal Civilian Executive Branch (FCEB) agencies are mandated to apply the relevant patches by September 8, 2022.



Other Good Weekly Articles

Patch Your Smartphone App for Your Doorbell Camera - Ring Attacks!

Semiconductor Shortage Hitting Car Manufacturers in the Wallet

Hacker Hub
Join me (William Parks) as I discuss everything from the latest cybersecurity tools released, to the groundbreaking news of attacks and breaches that have occurred. Updated on a weekly basis - I can't wait to help you keep your security knowledge up-to-date with the rest of the Information Security industry. See you on the next episode!