# **System Security Notes**

> 楊忠誠 410929577
> **Weekly system security news**

### 3/6 [Jaw-dropping Coinbase security bug allowed users to steal unlimited cryptocurrency](https://portswigger.net/daily-swig/jaw-dropping-coinbase-security-bug-allowed-users-to-steal-unlimited-cryptocurrency)

The bug was spotted by security engineer 'Tree of Alpha', whose disclosure earned them the cryptocurrency exchange's biggest ever bounty payout this month.

**Tree of Alpha discovered that they were able to trade cryptocurrency that wasn't theirs due to a missing logic validation check in a Retail Brokerage API endpoint, which allowed a user to submit trades to a specific order book using a mismatched source account.** In other words, the server acted on the client-supplied source account identifier without confirming that the account belonged to the caller and held the asset that order book trades. This could have allowed an attacker to steal unlimited cryptocurrency from the platform.

### 3/11 [Microsoft Addresses 3 Zero-Days & 3 Critical Bugs for March Patch Tuesday](https://threatpost.com/microsoft-zero-days-critical-bugsmarch-patch-tuesday/178817/)

> **The computing giant patched 71 security vulnerabilities in an uncharacteristically light scheduled update, including its first Xbox bug.**

The issues span the company's whole portfolio, including Microsoft Windows and Windows Components, Azure Site Recovery, Microsoft Defender for Endpoint and IoT, Intune, Edge (Chromium-based), Windows HTML Platforms, Office and Office Components, Skype, .NET and Visual Studio, Windows RDP, and SMB Server.

### 3/20 [Dozens of budget Android phones are at risk due to a critical security flaw](https://www.androidpolice.com/dozens-of-budget-android-phones-are-at-risk-due-to-a-critical-security-flaw/)

Kryptowire reported a critical vulnerability in a Unisoc chipset used in dozens of budget Android phones. An attacker who knows about the flaw could access all data stored on the device and effectively seize control of the phone: read system logs, text messages, contacts and other sensitive data, or simply brick the device.
In an email, Kryptowire explained in broad terms that an attacker could exploit the problem through a Unisoc-authored pre-installed app that ships with the chip. The app exposes its functionality with no authentication at all, which makes it an open door to anyone with bad intentions.

### 3/27 [Google Issues Urgent Chrome Update to Patch Actively Exploited Zero-Day Vulnerability](https://thehackernews.com/2022/03/google-issues-urgent-chrome-update-to.html)

Type confusion errors arise when a resource (e.g., a variable or an object) is accessed using a type that is incompatible with the one it was originally initialized as. In languages that are not memory safe, such as C and C++, this can have serious consequences, enabling a malicious actor to perform out-of-bounds memory access.

"When a memory buffer is accessed using the wrong type, it could read or write memory out of the bounds of the buffer, if the allocated buffer is smaller than the type that the code is attempting to access, leading to a crash and possibly code execution," MITRE's [Common Weakness Enumeration (CWE) explains](https://cwe.mitre.org/data/definitions/843.html).

### 4/9 [Honda bug lets a hacker unlock and start your car via replay attack](https://www.bleepingcomputer.com/news/security/honda-bug-lets-a-hacker-unlock-and-start-your-car-via-replay-attack/)

The attack consists of a threat actor capturing the RF signals sent from the key fob to the car and resending them later to operate the car's remote keyless entry system. The vulnerability, tracked as CVE-2022-27254, is described as a Man-in-the-Middle (MitM) attack, but more precisely it is a replay attack: an attacker who intercepts the RF signal normally sent from the remote key fob to the car can re-send the recorded signal at a later time to unlock (or start) the car at will. The captured signal does not need to be manipulated or even understood; it works because the fob transmits the same command on every press instead of a rolling code, so the car cannot tell a recording from a fresh press.
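For the 3/6 Coinbase entry above: an added example, not Coinbase's code, of the class of check that was missing. The account and order-book model, the function names and the in-memory ledger are assumptions (the real Retail Brokerage API is not public). The vulnerable handler acts on whatever source account the client names; the hardened one ties that account to the authenticated caller and to the asset the order book sells.

```python
# Added example (not Coinbase's code). Names, data model and ledger are assumptions.
from dataclasses import dataclass, field


class TradeError(Exception):
    pass


@dataclass
class Account:
    account_id: str
    owner: str       # authenticated user the account belongs to
    currency: str    # asset held in this account, e.g. "BTC"
    balance: float


@dataclass
class OrderBook:
    product_id: str  # e.g. "BTC-USD"
    base: str        # asset given up by a sell order on this book
    quote: str


@dataclass
class Ledger:
    accounts: dict = field(default_factory=dict)
    books: dict = field(default_factory=dict)


def submit_sell_vulnerable(ledger, caller, source_account_id, product_id, size):
    """Missing logic check: trusts the client-supplied source account.

    Only existence and balance are verified; nothing ties the account to the
    caller or to the order book, so any account id on the platform works."""
    acct = ledger.accounts[source_account_id]
    book = ledger.books[product_id]
    if acct.balance < size:
        raise TradeError("insufficient funds")
    acct.balance -= size
    return f"sold {size} {book.base} on {book.product_id} from {acct.account_id}"


def submit_sell_hardened(ledger, caller, source_account_id, product_id, size):
    """Same operation with the ownership and consistency checks added."""
    acct = ledger.accounts.get(source_account_id)
    book = ledger.books.get(product_id)
    if acct is None or book is None:
        raise TradeError("unknown account or product")
    # 1. Ownership: the source account must belong to the authenticated caller.
    if acct.owner != caller:
        raise TradeError("source account not owned by caller")
    # 2. Consistency: the account must hold the asset this order book sells.
    if acct.currency != book.base:
        raise TradeError("source account currency does not match order book")
    # 3. Amount: positive and covered by the balance.
    if size <= 0 or acct.balance < size:
        raise TradeError("invalid size or insufficient funds")
    acct.balance -= size
    return f"sold {size} {book.base} on {book.product_id} from {acct.account_id}"


def _attempt(fn, *args):
    try:
        return fn(*args)
    except TradeError as e:
        return f"rejected: {e}"


def demo():
    """Constructed scenario: an attacker names a victim's BTC account as the source."""
    ledger = Ledger()
    ledger.accounts["acct-victim-btc"] = Account("acct-victim-btc", "victim", "BTC", 10.0)
    ledger.accounts["acct-attacker-eth"] = Account("acct-attacker-eth", "attacker", "ETH", 1.0)
    ledger.books["BTC-USD"] = OrderBook("BTC-USD", "BTC", "USD")
    return {
        # vulnerable path: the victim's coins are sold on the attacker's behalf
        "vulnerable": _attempt(submit_sell_vulnerable, ledger, "attacker", "acct-victim-btc", "BTC-USD", 5.0),
        # hardened path: the same request, refused on ownership
        "hardened": _attempt(submit_sell_hardened, ledger, "attacker", "acct-victim-btc", "BTC-USD", 5.0),
        # hardened path: attacker's own ETH account against the BTC book, refused on asset mismatch
        "mismatch": _attempt(submit_sell_hardened, ledger, "attacker", "acct-attacker-eth", "BTC-USD", 0.5),
        # hardened path: a legitimate owner trade still goes through
        "legit": _attempt(submit_sell_hardened, ledger, "victim", "acct-victim-btc", "BTC-USD", 1.0),
        "victim_balance": ledger.accounts["acct-victim-btc"].balance,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The ownership check is the one that matters for the bug described; the currency check is the cheap second line of defence against a request that names the caller's own account but the wrong order book.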
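For the 4/9 Honda entry above: an added simulation, not code from the article or from Honda, of why a fixed-code remote keyless entry system falls to replay and how a rolling (hopping) code defeats it. The packet layout, the HMAC-SHA256-derived tag, the 16-press resynchronisation window and the keys are assumptions chosen for illustration, not the format any vehicle uses.

```python
# Added simulation (not Honda's or the article's code); packet format and keys are assumptions.
import hashlib
import hmac

HDR = b"UNLOCK"


def _tag(key: bytes, counter: int) -> bytes:
    """4-byte authentication tag over the counter (assumed construction)."""
    return hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:4]


class FixedCodeFob:
    """Transmits the identical bytes on every press: exactly what a replay needs."""
    def __init__(self, code: bytes):
        self.code = code

    def press_unlock(self) -> bytes:
        return HDR + self.code


class FixedCodeCar:
    def __init__(self, code: bytes):
        self.code = code

    def receive(self, pkt: bytes) -> bool:
        # Cannot distinguish a recording from a fresh press.
        return pkt == HDR + self.code


class RollingCodeFob:
    """Each press carries a fresh counter and a tag keyed on the shared secret."""
    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0

    def press_unlock(self) -> bytes:
        self.counter += 1
        return HDR + self.counter.to_bytes(4, "big") + _tag(self.key, self.counter)


class RollingCodeCar:
    WINDOW = 16  # presses made out of the car's range are tolerated up to this gap

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0

    def receive(self, pkt: bytes) -> bool:
        if len(pkt) != len(HDR) + 8 or not pkt.startswith(HDR):
            return False
        ctr = int.from_bytes(pkt[6:10], "big")
        tag = pkt[10:14]
        # The counter must be strictly ahead of the last accepted one; a replayed
        # packet carries an already-used counter and is refused here.
        if not (self.last_counter < ctr <= self.last_counter + self.WINDOW):
            return False
        if not hmac.compare_digest(tag, _tag(self.key, ctr)):
            return False
        self.last_counter = ctr  # consume the counter only on success
        return True


def replay_scenario(fob, car):
    """Attacker records one legitimate press and resends the exact bytes.
    Returns (car accepted the real press, car accepted the replay)."""
    captured = fob.press_unlock()
    return car.receive(captured), car.receive(captured)


if __name__ == "__main__":
    print("fixed code  :", replay_scenario(FixedCodeFob(b"\x12\x34\x56\x78"), FixedCodeCar(b"\x12\x34\x56\x78")))
    key = b"shared-secret-16"
    print("rolling code:", replay_scenario(RollingCodeFob(key), RollingCodeCar(key)))
```

The window is the usual engineering compromise: without it a fob pressed in a pocket desyncs from the car, with it an attacker still cannot reuse a counter the car has already consumed. A rejected packet (bad tag, stale counter) never advances `last_counter`, so a forgery attempt does not lock out the real fob.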
### 4/10 [Apple emergency update fixes zero-days used to hack iPhones, Macs](https://www.bleepingcomputer.com/news/security/apple-emergency-update-fixes-zero-days-used-to-hack-iphones-macs/)

The two flaws are an out-of-bounds read (CVE-2022-22674) in the Intel Graphics Driver that allows an app to read kernel memory, and an out-of-bounds write (CVE-2022-22675) in the AppleAVD media decoder that allows an app to execute arbitrary code with kernel privileges.

### 4/18 [Blast From the Past: What the Y2K Bug Reveals About Cybersecurity Today](https://securityintelligence.com/articles/y2k-bug-cybersecurity-today/)

1. Fixing a vulnerability may create a new vulnerability.
2. Fixing your own vulnerabilities also improves cybersecurity for connected systems.
3. Don't expect everyone to give you credit for averting disaster.
4. The biggest risks come not from one, but from multiple points of failure or vulnerability.
5. Testing is everything.
6. Investment to prevent catastrophe is expensive but often money-saving in the long run.
7. Old systems can create new problems.

### 4/24 [Critical Auth Bypass Bug Reported in Cisco Wireless LAN Controller Software](https://thehackernews.com/2022/04/critical-auth-bypass-bug-reported-in.html)

Tracked as [CVE-2022-20695](https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wlc-auth-bypass-JRNhV4fF), the issue is rated 10 out of 10 for severity and enables an adversary to bypass authentication controls and log in to the device through the management interface of the WLC.

*"This vulnerability is due to the improper implementation of the password validation algorithm. An attacker could exploit this vulnerability by logging in to an affected device with crafted credentials. A successful exploit could allow the attacker to bypass authentication and log in to the device as an administrator.
The attacker could obtain privileges that are the same level as an administrative user but it depends on the crafted credentials."*

### 5/2 [An npm Registry Bug Allowed Adding Random Maintainers To Malicious Packages](https://latesthackingnews.com/2022/05/02/an-npm-registry-bug-allowed-adding-random-maintainers-to-malicious-packages/)

As elaborated in a recent post, researchers from Aqua Security found an npm registry bug that allowed arbitrary users to be added as maintainers. A logic flaw in the registry let a package creator add other users as maintainers of their package. Dubbed "package planting", this did not require the other users' consent, nor did it notify them. As a result, users could find themselves listed, unknowingly, as maintainers of malicious packages, lending those packages their reputation.

> **ref :**
> https://blog.aquasec.com/npm-package-planting
> https://www.bleepingcomputer.com/news/security/npm-flaw-let-attackers-add-anyone-as-maintainer-to-malicious-packages/

**Final report** [more...](/ggU38sBRTdOss9BpCQxPMw)

### 5/10 [Cyber Attack Causes Chaos in Costa Rica Government Systems](https://www.usnews.com/news/world/articles/2022-04-22/cyber-attack-causes-chaos-in-costa-rica-government-systems)

A number of government systems were affected, from tax collection to the import and export processes handled by the customs agency. Attacks on the social security agency's human resources system and on the Labor Ministry, among others, followed. The initial attack forced the Finance Ministry to shut down for several hours the system that pays a large share of the country's public employees and also handles government pension payments. The ministry also had to grant extensions for tax payments.

> Conti typically rents out its ransomware infrastructure to "affiliates" who pay for the service. The affiliate attacking Costa Rica could be anywhere in the world, Liska said.
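For the 5/2 npm entry above: an added example, not npm's registry code, contrasting the flawed add-maintainer operation the article describes (the owner attaches any account, silently) with a consent-based invite/accept flow, plus an audit a developer can run over registry metadata to spot packages they were attached to without agreeing. The data model, method names and the constructed scenario are assumptions.

```python
# Added example (not npm's registry code); data model and names are assumptions.
from dataclasses import dataclass, field


@dataclass
class Package:
    name: str
    owner: str
    maintainers: set = field(default_factory=set)
    pending_invites: set = field(default_factory=set)


@dataclass
class Registry:
    packages: dict = field(default_factory=dict)
    notifications: list = field(default_factory=list)  # (user, message)

    def publish(self, owner: str, name: str) -> Package:
        pkg = Package(name, owner, {owner})
        self.packages[name] = pkg
        return pkg

    def add_maintainer_planting(self, actor: str, name: str, user: str) -> None:
        """The flawed operation: an owner attaches any account, silently."""
        pkg = self.packages[name]
        if actor != pkg.owner:
            raise PermissionError("only the owner may add maintainers")
        pkg.maintainers.add(user)  # no consent, no notification

    def invite_maintainer(self, actor: str, name: str, user: str) -> None:
        """Consent-based replacement: record an invitation and tell the invitee."""
        pkg = self.packages[name]
        if actor != pkg.owner:
            raise PermissionError("only the owner may invite maintainers")
        pkg.pending_invites.add(user)
        self.notifications.append((user, f"{actor} invited you to maintain {name}"))

    def accept_invite(self, user: str, name: str) -> None:
        """Only the invitee's own action promotes them to maintainer."""
        pkg = self.packages[name]
        if user not in pkg.pending_invites:
            raise PermissionError("no pending invitation")
        pkg.pending_invites.discard(user)
        pkg.maintainers.add(user)


def audit_planted(registry: Registry, user: str, accepted: set) -> list:
    """Packages listing `user` as maintainer that they neither own nor accepted.
    `accepted` is the user's own record of invitations they said yes to."""
    return sorted(
        name for name, pkg in registry.packages.items()
        if user in pkg.maintainers and pkg.owner != user and name not in accepted
    )


def demo() -> dict:
    """Constructed scenario: an attacker plants a well-known developer on a malicious package."""
    reg = Registry()
    reg.publish("attacker", "evil-pkg")
    reg.add_maintainer_planting("attacker", "evil-pkg", "well-known-dev")
    planted = "well-known-dev" in reg.packages["evil-pkg"].maintainers
    notified_by_planting = len(reg.notifications)

    reg.publish("attacker", "evil-pkg-2")
    reg.invite_maintainer("attacker", "evil-pkg-2", "well-known-dev")
    listed_without_accept = "well-known-dev" in reg.packages["evil-pkg-2"].maintainers

    reg.publish("friend", "good-pkg")
    reg.invite_maintainer("friend", "good-pkg", "well-known-dev")
    reg.accept_invite("well-known-dev", "good-pkg")

    return {
        "planted": planted,
        "notified_by_planting": notified_by_planting,
        "listed_without_accept": listed_without_accept,
        "notifications": len(reg.notifications),
        "audit": audit_planted(reg, "well-known-dev", accepted={"good-pkg"}),
    }


if __name__ == "__main__":
    print(demo())
```

The audit is the part that still matters after the registry is fixed: a maintainer list is public metadata, so a developer can periodically compare the packages that name them against the invitations they actually accepted.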
### 5/16 [Hackers Actively Exploit F5 BIG-IP Bug](https://threatpost.com/exploit-f5-big-ip-bug/179563/)

> - Attackers can trigger the exploit by sending just two commands and some headers to a target, reaching an F5 application endpoint named "bash" that is exposed to the internet.
> - Attackers are dropping PHP webshells to "/tmp/f5.sh" and installing them to "/usr/local/www/xui/common/css/". Observed attacks used the addresses 216[.]162.206[.]213 and 209[.]127.252[.]207 to deliver the payload. The payload is executed and then removed from the system after installation.
> - The exploit also works when no password is supplied.
> - A BIG-IP box configured as a load balancer and firewall via a self IP is also vulnerable.
> - The ease of the exploit and the telling name of the vulnerable endpoint, "bash", raised suspicion among security researchers.

### 5/16 [F5 Warns of Critical Bug Allowing Remote Code Execution in BIG-IP Systems](https://threatpost.com/f5-critical-bugbig-ip-systems/179514/)

> * The vulnerability is rated "critical", with a CVSS v3.1 (Common Vulnerability Scoring System) base score of 9.8 out of 10.
> * F5 BIG-IP is a combination of software and hardware built around access control, application availability and security.
> * It is tracked as CVE-2022-1388.
> This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services.

F5 advised three "temporary mitigation" methods for those who can't deploy security patches immediately:

- block all access to the iControl REST interface through self IP addresses
- restrict iControl REST access through the management interface
- modify the BIG-IP httpd configuration

### 5/23 [New Phishing Attack Targets Windows Systems With Three Infostealers](https://latesthackingnews.com/2022/05/19/new-phishing-attack-targets-windows-systems-with-three-infostealers/)

> Three different infostealers (data-stealing malware) are delivered to the target device: AveMariaRAT / BitRAT / PandoraHVNC

As described, the attack begins with a phishing email impersonating a trusted source. The email carries a "payment report" as an attachment, tricking the user into opening the file. When the victim opens the malicious Excel file, a security warning about macros appears. Declining to enable macros is the point at which the chain can still be stopped: the file embeds an auto-start VBA macro, so the moment macros are enabled the malicious code runs without any further click. From there the attack carries out several steps to gain persistence on the target system, and after abusing PowerShell and VBA, the final malware payload is deployed and executed on the device.
**ref:** https://www.fortinet.com/blog/threat-research/phishing-campaign-delivering-fileless-malware

### 5/23 [Google Chat adds warning banners to protect against phishing attacks](https://gadgetofficials.com/google-chat-adds-warning-banners-to-protect-against-phishing-attacks/)

Google's new warning banners first appeared in Gmail for Workspace accounts, to counter attempts to lure someone with a link that could lead to malware, phishing, or ransomware. At the end of April, Google extended the banners to Google Docs, warning users about suspected malicious files in several Google Workspace apps (Docs, Sheets, Slides, and Drawings) regardless of where the link was opened from. The same banners now appear in Google Chat.

**ref:** https://workspaceupdates.googleblog.com/2022/05/new-google-chat-banners-protect-against-malicious-links.html
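For the two 5/16 F5 BIG-IP entries above: an added detection example, not F5's or the article's code, that runs the indicators those entries list (the two payload-delivery addresses, the "/tmp/f5.sh" dropper and the "/usr/local/www/xui/common/css/" webshell directory) over httpd access-log lines and a file listing. Two things are assumptions, not stated on the page: that the endpoint the article calls "bash" is the iControl REST utility path `/mgmt/tm/util/bash`, and that `/usr/local/www/xui` is served under `/xui`, so a dropped shell would be fetched from `/xui/common/css/`. The log lines are constructed.

```python
# Added detection example (not F5's or the article's code); log lines are constructed.
import re

# Indicators taken from the 5/16 entry (defanged there, re-fanged here for matching).
IOC_IPS = {"216.162.206.213", "209.127.252.207"}
IOC_FILES = {"/tmp/f5.sh"}
WEBSHELL_DIR = "/usr/local/www/xui/common/css/"
# Assumptions: the "bash" endpoint is the iControl REST utility path below, and
# /usr/local/www/xui is served under /xui, so a dropped shell is fetched from there.
BASH_ENDPOINT = "/mgmt/tm/util/bash"
WEBSHELL_URL_PREFIX = "/xui/common/css/"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample in Apache/httpd common log format, not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [16/May/2022:10:01:02 +0000] "GET /mgmt/tm/sys/version HTTP/1.1" 200 512
216.162.206.213 - - [16/May/2022:10:03:10 +0000] "POST /mgmt/tm/util/bash HTTP/1.1" 200 231
10.0.0.7 - - [16/May/2022:10:04:44 +0000] "POST /mgmt/tm/util/bash HTTP/1.1" 401 0
198.51.100.9 - - [16/May/2022:10:05:00 +0000] "GET /xui/common/css/f5.php?cmd=id HTTP/1.1" 200 88
"""


def detect(log_text: str, trusted_admin_ips=frozenset()) -> list:
    """Return one finding per suspicious request, with every reason that fired."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, path, status = m["ip"], m["method"], m["path"], m["status"]
        base = path.split("?", 1)[0]
        reasons = []
        if ip in IOC_IPS:
            reasons.append("source IP in published IOC list")
        # Any non-admin host reaching the bash endpoint is worth a look, even on
        # a 401: the exploit bypasses authentication, so a 200 here is critical.
        if base == BASH_ENDPOINT and ip not in trusted_admin_ips:
            reasons.append(f"{method} to iControl REST bash endpoint (HTTP {status})")
        if base.startswith(WEBSHELL_URL_PREFIX) and base.endswith(".php"):
            reasons.append("PHP file requested under xui css path (possible webshell)")
        if reasons:
            findings.append({"ip": ip, "method": method, "path": path,
                             "status": int(status), "reasons": reasons})
    return findings


def hunt_webshells(file_listing) -> list:
    """Filesystem hunt: PHP under the xui css directory, or the dropper path itself."""
    return [p for p in file_listing
            if p in IOC_FILES or (p.startswith(WEBSHELL_DIR) and p.endswith(".php"))]


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG, trusted_admin_ips={"10.0.0.5"}):
        print(f["ip"], f["method"], f["path"], f["reasons"])
```

Because the article notes the payload removes itself after installation, the dropper path may be gone by the time anyone looks; the request log and the PHP file left under the css directory are the durable evidence, which is why both a log rule and a filesystem hunt are included. The IP indicators are the weakest signal and are kept only as a corroborating reason, never the sole one.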