It’s no secret that 3rd party apps can boost productivity, enable remote and hybrid work and are overall, essential in building and scaling a company’s work processes.

An innocuous process much like clicking on an attachment was in the earlier days of email, people don’t think twice when connecting an app they need with their Google workspace or M365 environment, etc. Simple actions that users take, from creating an email to updating a contact in the CRM, can result in several other automatic actions and notifications in the connected platforms.

As seen in the image below, the OAuth mechanism makes it incredibly easy to interconnect apps and many don’t consider what the possible ramifications could be. When these apps and other add-ons for SaaS platforms ask for permissions’ access, they are usually granted without a second thought, presenting more opportunities for bad actors to gain access to a company’s data. This puts companies at risk for supply chain access attacks, API takeovers and malicious third party apps.

Oauth mechanism permission request

When it comes to local machines and executable files, organizations already have control built in that enables security teams to block problematic programs and files. It needs to be the same when it comes to SaaS apps.

Learn how to gain visibility into your SaaS stack

images from Hacker News

A nascent Linux-based botnet named Enemybot has expanded its capabilities to include recently disclosed security vulnerabilities in its arsenal to target web servers, Android devices, and content management systems (CMS).

“The malware is rapidly adopting one-day vulnerabilities as part of its exploitation capabilities,” AT&T Alien Labs said in a technical write-up published last week. “Services such as VMware Workspace ONE, Adobe ColdFusion, WordPress, PHP Scriptcase and more are being targeted as well as IoT and Android devices.”

First disclosed by Securonix in March and later by Fortinet, Enemybot has been linked to a threat actor tracked as Keksec (aka Kek Security, Necro, and FreakOut), with early attacks targeting routers from Seowon Intech, D-Link, and iRZ.

Enemybot, which is capable of carrying out DDoS attacks, draws its origins from several other botnets like Mirai, Qbot, Zbot, Gafgyt, and LolFMe. An analysis of the latest variant reveals that it’s made up of four different components –

• A Python module to download dependencies and compile the malware for different OS architectures
• The core botnet section
• An obfuscation segment designed to encode and decode the malware’s strings, and
• A command-and-control functionality to receive attack commands and fetch additional payloads

images from Hacker News

Cybersecurity researchers are calling attention to a zero-day flaw in Microsoft Office that could be abused to achieve arbitrary code execution on affected Windows systems.

The vulnerability came to light after an independent cybersecurity research team known as nao_sec uncovered a Word document (“05-2022-0438.doc“) that was uploaded to VirusTotal from an IP address in Belarus.

“It uses Word’s external link to load the HTML and then uses the ‘ms-msdt’ scheme to execute PowerShell code,” the researchers noted in a series of tweets last week.

According to security researcher Kevin Beaumont, who dubbed the flaw “Follina,” the maldoc leverages Word’s remote template feature to fetch an HTML file from a server, which then makes use of the “ms-msdt://” URI scheme to run the malicious payload.

The shortcoming has been so named because the malicious sample references 0438, which is the area code of Follina, a municipality in the Italian city of Treviso.

images from Hacker News

Cybersecurity researchers have disclosed a new ransomware strain called GoodWill that compels victims into donating for social causes and provide financial assistance to people in need.

“The ransomware group propagates very unusual demands in exchange for the decryption key,” researchers from CloudSEK said in a report published last week. “The Robin Hood-like group claims to be interested in helping the less fortunate, rather than extorting victims for financial motivations.”

Written in .NET, the ransomware was first identified by the India-based cybersecurity firm in March 2022, with the infections rendering sensitive files inaccessible without decrypting them. The malware, which makes use of the AES algorithm for encryption, is also notable for sleeping for 722.45 seconds to interfere with dynamic analysis.

The encryption process is followed by displaying a multiple-paged ransom note that requires the victims to carry out three socially-driven activities to be able to obtain the decryption kit.

images from Hacker News

Network credentials and virtual private network (VPN) access for colleges and universities based in the U.S. are being advertised for sale on underground and public criminal marketplaces.

“This exposure of sensitive credential and network access information, especially privileged user accounts, could lead to subsequent cyber attacks against individual users or affiliated organizations,” the U.S. Federal Bureau of Investigation (FBI) said in an advisory published last week.

The cyber intrusions against educational institutions involve threat actors leveraging tactics like spear-phishing and ransomware to carry out credential harvesting activities. The gathered credentials are then exfiltrated and sold on Russian cybercrime forums for prices ranging from a few to thousands of U.S. dollars.

images from Hacker News