Weekly in Security is a summary of the cybersecurity news from the past week. This post covers 2022-07-18 to 2022-07-25.
Atlassian released security advisory 2022-07-20. The Confluence app Questions for Confluence creates a the user disabledsystemuser with a hardcoded password. The presumably disabled user is added to the confluence-users group. As such, the account is able to login and access non-restricted pages by default. And the story get’s more exiting. The account contact address is dontdeletethisuser(at)email.com. The tld is used by the freemailer mail.com. The first one to notice this was 4chr4f2, who also registered the respective mail account. He subsequently received all the relevant mails for the hardcoded account. The affected app is developed by Atlassian themselves.
The article by STAR labs provides an details analysis of the post-auth RCE bug with CVSS 9.9. This is a good guide from the initial advisory to a working PoC.
During his internship at RandoriSec Arthur Mongodin investigated the kernel component netfilter.
discovered a weird comparison that does not fully protect a copy within a buffer.
It led to a heap buffer overflow that was exploited to obtain root privileges on Ubuntu 22 and kernel
Linux ubuntu 5.15.0-39-generic.
The source code of the exploit is available on our GitHub.
Avast Threat Labs provides some context to the recently patched CVE-2022-2294 in Google Chrome. The vulnerability was a memory corruption in WebRTC and was patched on 2022-07-04. The team observed exploitation attempts in the Middle East. Based on the TTPs the campaign is associated with Candiru. The threat actor was investigated by Citizen Lab and Microsoft in July 2021. After the disclosure they lay low and updated their toolset.
Avast Threat Labs provides an overview of recently observed Golang based malware. Multiplatform support and relative ease of development Golang promote the use of Golang also for malicious purposes. This is also supported by an ever increasing number of open source tools on Github that are sometimes resued by different threat actors.
Affinis is a Recurrent Neural Network SubDomain Discovery Tool. Affinis aims to find undiscovered or forgotten subdomains through the use of Natural Language Processing and the Keras LSTM RNN API.
Cervantes is an opensource collaborative platform for pentesters or red teams who want to save time to manage their projects, clients, vulnerabilities and reports in one place.