Press Release
Heroku acknowledges that a cyberattack resulted in the theft of user credentials.
The GitHub integration OAuth tokens that were taken last month also contributed to the vulnerability of an internal client database, according to a recent statement from Heroku.
The cloud platform, which is owned by Salesforce, acknowledged that the same compromised token was utilised by attackers to steal client credentials that had been hashed and salted from “a database.”
Following yesterday’s contact between BleepingComputer and Salesforce, Heroku released an update.
Even though BleepingComputer doesn’t have any OAuth integrations that leverage Heroku apps or GitHub, we unexpectedly received a password reset email from Heroku, like many other users. This suggested that there was another reason for these password resets.
Forced password resets are explained by Heroku.
Following the security breach from last month, Heroku began this week forcing password resets for a portion of its user accounts without providing a detailed justification.
Some Heroku users received emails on Tuesday evening informing them that their account passwords would be changed as a result of the security breach, with the subject line “Heroku security notification – resetting user account passwords on May 4, 2022.” The email noted that the reset will also invalidate all API access tokens and force users to create new ones.
However, the original security problem being discussed involves threat actors stealing OAuth tokens given to Heroku and Travis-CI and utilising them to retrieve data from secure GitHub repositories belonging to a variety of companies, including npm.
According to a previous statement from GitHub, “On April 12, GitHub Security started an investigation that uncovered evidence that an attacker exploited stolen OAuth user tokens issued to two third-party OAuth integrators, Heroku and Travis-CI, to download data from dozens of organisations, including npm.”
These tokens had previously been used by the OAuth integrations of the Travis-CI and Heroku platforms to link with GitHub and release apps.
Threat actors could access and download data from GitHub repositories belonging to users who gave their accounts permission to the stolen Heroku or Travis CI OAuth apps by stealing these OAuth tokens. Notably, the issue had no effect on GitHub’s infrastructure, processes, or private repositories.
But up until this point, it was still unclear why Heroku would need to reset some user account passwords.
It turns out that threat actors were able to access Heroku’s internal database of client accounts through the compromised token for a Heroku machine account:
Heroku updates its security warning: “Our research also discovered that the same compromised token was used to access a database and exfiltrate the hashed and salted passwords for users’ accounts.”
“Because of this, Salesforce is making sure that all Heroku user passwords are changed and that any potentially vulnerable credentials are updated. We have added more detections and rotated internal Heroku credentials. We are still looking into the token compromise’s origin.”
A reader of YCombinator Hacker News suggested that the “database” being discussed might be what was formerly known as “core-db.”
Craig Kerstiens of the PostgreSQL platform CrunchyData, a former employee of Heroku, is the reader in question.
According to Kerstiens, the internal database is referenced in the most recent report as “a database.”
“It appears [the attacker] had access to internal systems, but I don’t want to guess too much. It was discovered, noted, and reported to Heroku by GitHub. You can’t argue against the need for further clarity, but it would be wise to follow up with Salesforce on that.”
After being contacted by BleepingComputer, Kerstiens acknowledged writing these statements.
Clients refer to ambiguous disclosure as a “train crash.”
In its initial statement about the security breach, Heroku said that accounts using compromised OAuth tokens from Heroku had exploited GitHub repositories to gain unauthorised access.
The business has previously said that “The compromised tokens could give the threat actor access to customer GitHub repos, but not customer Heroku accounts.”
However, the password reset emails legitimately raised consumer worries that Heroku’s investigation might have turned up additional malicious activity by the threat actors that wasn’t being made public.
The disclosure was termed “a complete train wreck and a case study on how not to interact with your customers,” by some YCombinator Hacker News readers.
Heroku has started to shed some light on the issue in an effort to be more open with the community.
According to Heroku, “We embrace transparency and recognise that our customers are looking for a deeper understanding of the implications of this incident and our reaction thus far.”
The cloud platform added that it had reached a stage where more material could be disclosed without jeopardising the ongoing investigation after cooperating with GitHub, threat intelligence suppliers, industry partners, and law enforcement during the inquiry:
A different third-party integrator, Travis-CI, revealed, however, that no client data had been harmed by the event on the business day that followed GitHub’s initial notice.
Users of Heroku are urged to keep checking the security notification page for updates concerning the incident.
Press Release
NVIDIA resolves critical issues affecting Windows and Linux devices.
NVIDIA has released security upgrades to fix ten more bugs impacting the NVIDIA Virtual GPU (vGPU) management software in addition to six security holes discovered in Windows and Linux GPU display drivers.
The flaws make Windows and Linux systems vulnerable to attacks that could cause a denial of service, privilege escalation, data manipulation, or information disclosure.
Because all of these security flaws need local user access, potential attackers must first get access to susceptible targets via a different attack method.
Patching of eleven high severity vulnerabilities
Attackers can simply escalate privileges to obtain permissions above those provided by the OS after successfully exploiting one of the vulnerabilities fixed today.
Denial-of-service attacks or gaining access to otherwise inaccessible information can also be used to temporarily disable workstations running vulnerable drivers or software.
With the exception of the security flaws identified as CVE-2021-1052, CVE-2021-1053, and CVE-2021-1056 affecting the Linux GPU Display Driver for Tesla GPUs, which will start receiving an updated driver version on January 18, 2021, NVIDIA has patched all impacted software products and platforms.
The flaws have CVSS V3 base ratings ranging from 5.3 to 8.4, and NVIDIA has classified 11 of them as high-risk.
The risk assessment “is based on an average of risk across a broad set of deployed systems and may not represent the true risk of your local installation,” according to NVIDIA’s security alert.
To accurately assess the risk these vulnerabilities represent to your particular system configuration, the business further suggests speaking with an IT or security specialist.
The January 2021 Security Bulletin is a complete list of security problems that NVIDIA patched this month.
Several driver updates are accessible from hardware vendors.
NVIDIA advises users to use the security updates offered on the NVIDIA Driver Downloads page to upgrade their GeForce, NVIDIA RTX, Quadro, NVS, and Tesla GPU display drivers, as well as Virtual GPU Manager and guest driver software.
According to the business, certain consumers who choose not to manually fix the weaknesses might also get security upgrades bundled with Windows GPU display driver 460.84, 457.49, and 452.66 versions from their computer hardware vendors.
Users of the NVIDIA vGPU enterprise software must sign into the NVIDIA Enterprise Application Hub in order to download updates from the NVIDIA Licensing Center.
Press Release
By plugging in a mouse, Razer Bug enables you to access Windows 10 administration.
By just putting in a Razer mouse or keyboard, a Razer Synapse zero-day vulnerability that has been publicly published on Twitter enables you to take control of Windows as an administrator.
A well-known maker of computer accessories, Razer is well recognised for their gaming keyboards and mice.
The Razer Synapse programme will immediately download and start installing on a computer when a Razer device is plugged into Windows 10 or Windows 11. Users can set up macros, map buttons, and modify their gear using the software Razer Synapse.
Over 100 million people use Razer Synapse, according to Razer, who claims that number.
The plug-and-play Razer Synapse installation contains a zero-day vulnerability that, when exploited, allows users to swiftly gain SYSTEM access on a Windows system. This vulnerability was found by security researcher jonhat.
The greatest user rights in Windows, known as SYSTEM privileges, provide users the ability to run any command on the operating system. Basically, if a user has Windows’ SYSTEM capabilities, they have total control over the system and are able to install anything they want, including malicious software.
Razer had yet to respond, so yesterday jonhat revealed the zero-day vulnerability on Twitter and provided a little video explaining how the flaw operates.
Using a mouse while plugged in to gain access to the SYSTEM
We chose to test the flaw as BleepingComputer has a Razer mouse handy. We can confirm that it took us roughly two minutes to get SYSTEM rights in Windows 10 after plugging in our mouse.
It should be emphasised that this is a local privilege escalation (LPE) vulnerability, requiring physical access to a computer and a Razer device. To exploit the problem, all you need to do is purchase a $20 Razer mouse from Amazon and plug it into a Windows 10 computer.
On one of our Windows 10 machines, we set up a temporary ‘Test’ user with ordinary, non-administrator capabilities to test this flaw.
When we connected the Razer device to Windows 10, the operating system downloaded and set up both the driver and the Razer Synapse application automatically.
The Razer installation application got SYSTEM access as a result of the RazerInstaller.exe executable being started by a Windows process with SYSTEM privileges, as demonstrated below.
The setup procedure lets you choose the folder where the Razer Synapse software will be installed when you install it. Everything goes wrong when you have the choice of where to install your software.
The “Choose a Folder” window will show up when you move your folder. When you right-click the dialogue while holding down Shift, you will be given the option to “Open PowerShell window here,” which will launch a PowerShell prompt in the folder displayed in the dialogue.
This PowerShell prompt will inherit the same rights as the process that launched it because it was run with SYSTEM permissions.
As you can see in the screenshot below, after typing the “whoami” command at the PowerShell prompt, it became clear that the console has SYSTEM capabilities, enabling us to execute whatever command we like.
According to Will Dormann, a Vulnerability Analyst at the CERT/CC, other applications installed by the Windows plug-and-play mechanism is likely to include similar flaws.
Razer will address the flaw
Razer has contacted the security researcher to let them know that they will be delivering a remedy after this zero-day issue attracted significant notice on Twitter.
Despite the fact that the vulnerability was made public, Razer also informed the researcher that he would be getting a bug bounty payment.
Press Release
Major Canadian banks experience a bizarre, hours-long outage
Major Canadian banks fell unavailable for several hours, denying consumers access to e-transfers, online and mobile banking, and other services.
The Canadian Imperial Bank of Commerce, Scotiabank, Bank of Montreal, and Royal Bank of Canada (RBC) are among the institutions apparently affected by the outage (CIBC).
For many, online banking and e-Transfers are not working.
Yesterday, the main banks in Canada went offline, making it difficult for many people to access e-Transfers, online, and mobile banking services.
The number of reports of people experiencing problems accessing their online banking peaked on Wednesday between 5 and 6 p.m. Eastern time, while BleepingComputer is still receiving an influx of these reports today:
An RBC spokesman acknowledged that “we are currently having technical challenges with our online and mobile banking, as well as our phone services.”
“We have no ETA to offer at this time, but our specialists are looking into it and striving to fix it as soon as they can. We value your tolerance.”
Customers continued to report problems a few hours later, within 30 minutes of RBC declaring that all systems were operating normally:
Andrew Currie, an RBC client, stated that the disruption left him without “access to my money at the grocery store” and forced him to wait in line for the cash register for 30 minutes.
Customers of BMO also noticed that the bank’s “Global Money Transfer service” was unavailable “all day” and that transfers were being automatically denied without any apparent cause. Such customers were advised to contact customer care by a BMO representative.
Inconsistencies with their internet banking were not acknowledged by CIBC.
Customers were apparently locked out of the TD Bank mobile banking app, and customer support agents said they “haven’t been told of recent concerns with our online service through EasyWeb.”
According to a TD Bank representative speaking to BleepingComputer, the bank had no significant system issues or outages.
It’s unclear at this moment whether some people’s difficulties at the ATMs were caused by the outage. According to an RBC staffer, the customer experiencing ATM problems is using an old debit card:
Some transfers are subject to rules under the Emergencies Act.
Although the reason for the outage is unknown, its timing is very intriguing because it comes only a few days after Canadian Prime Minister Justin Trudeau used the Emergencies Act in the midst of ongoing “Freedom Convoy” rallies.
Deputy Prime Minister Chrystia Freeland detailed the new rules that payment service providers must follow in accordance with the recently implemented Emergencies Act on Monday during a press briefing on Parliament Hill.
Additionally, without a court ruling and without risking civil liability, the Emergencies Act gives banks the power to freeze the accounts of people and companies they believe to be connected to the illegal blockades.
However, as the Deputy PM notes, since banks are currently required to report to FINTRAC, it is still unclear how new legislation will cause a planned or unanticipated outage.
-
Apps1 year ago
Why is Everyone Talking About Hindi Keyboards?
-
Social Media1 year ago
Who is Rouba Saadeh?
-
Apps1 year ago
Things you need to know about Marathi keyboard today
-
Apps1 year ago
Stuck with Your default Bangla keyboard? Isn’t it time for a change?
-
Social Media1 year ago
Mati Marroni Instagram Wiki (Model’s Age, Net Worth, Body Measurements, Marriage)
-
Entertainment1 year ago
12 Online Streaming Sites that Serve as Best Alternatives to CouchTuner
-
Games11 months ago
Top 7 Popular Puzzle and Card Games for Relaxing Your Brain on Mobile, Featuring Solitaire
-
Entertainment1 year ago
Movierulz Website: Movierulzz 2021 Latest Movies on Movierulz.com