Security Wrap-Up (August 25th, 2021)

Hi, everybody - Chad here. It’s good to be back after last week’s (and yesterday’s) absence. You barely noticed, you say? You didn’t shriek my name while shaking closed fists at the sky even once last Tuesday, you say? Man, whatever - you’re just trying to play it cool. It’s fine. The good news is, I’m back, my sister’s wedding went off without any unplanned shenanigans last week, and now we can get back to our terrifying security news. This week…

Phishing campaign uses UPS.com XSS vuln to distribute malware
Well, you’re definitely getting more than you ordered with this tracking email scam. It looks pretty legit, too! Researchers have reported that this phishing scam utilized an XSS vulnerability in UPS dot com to push fake/malicious ‘Invoice’ Word docs to recipients. The email contains numerous legitimate links that have no malicious intent. But the tracking number is a link to UPS’s site that includes an exploit for an XSS vulnerability, which injects malicious JavaScript into the browser when the page is opened. If you’re new to the wrap-up, this type of vulnerability is categorized as “XSS”, or cross-site scripting.

Attackers Increasingly Target Linux in the Cloud
More bad news for Linux folks, as various distros continue to be targeted by attackers. This article from DarkReading focuses on Linux in the cloud, which is rapidly becoming the distro/instance of choice for various gigantic organizations, based on lots of cool options that Linux offers. Namely/lately, the feature of choice is the ability to use “containers” within the OS. Unfortunately, not all containers can be trusted - a lot of the most widely used images have shown a significant number of vulnerabilities. According to the article, “The official Python image, for example, has 482 vulnerabilities — 32 of them critical — while the official WordPress image has 402 vulnerabilities, 26 of them critical.” Keep that hygiene clean, y’all!

Windows 10 Admin Rights Gobbled by Razer Devices
Ahh, it’s finally Facepalm O’Clock! From the article at ThreatPost: “A zero-day bug in the device installer software for Razer peripherals – be they a Razer mouse, keyboard or any device that uses the Synapse utility – gives the plugger-inner full admin rights on Windows 10, just by inserting a compatible peripheral and downloading Synapse.” Now, I don’t know too many hateful, malicious plugger-inners myself, but jeez - that’s a pretty big slap in the face of the Cyber Hygiene Falcon®, a fictional animal mascot that I just invented. Personally, I’ve only used/supported Windows when forced, but the former Admin in me just can’t stop laughing/screaming. Yup. Ol’ Cybey is gonna shed a tear or two over this one!
