GoDaddy joins the dots and realizes he’s been under attack for three years • The Register

GoDaddy joins the dots and realizes he’s been under attack for three years • The Register

In short Web hosting and domain name company GoDaddy has disclosed a new attack on its infrastructure and concluded it was one of a series of related incidents dating back to 2020.

The company took the unusual step of detailing the attacks in its Form 10-K – the official annual report that listed entities are required to file in the United States.

The filing details a March 2020 attack that “compromised the hosting login credentials of approximately 28,000 hosting customers to their hosting accounts as well as the login credentials of a small number of our staff” and a November 2021 breach of its hosted WordPress service.

The latest attack took place in December 2022, when boffins detected “an unauthorized third party accessed and installed malware on our cPanel hosting servers,” the filing said. “The malware intermittently redirected random customer websites to malicious sites.”

GoDaddy is unsure of the root cause of the incident, but believes it may be the result of a “multi-year campaign by a sophisticated group of actors who, among other things, installed malware on our systems and obtained pieces of code related to certain services within GoDaddy.”

“To date, these incidents and other cyber threats and attacks have not resulted in any material adverse impact on our business or operations,” the filing said – showing enormous empathy for customers whose sites were redirected during the most recent attack, or hit. by previous incidents.

In a brief statement on the incident, GoDaddy speculated that the goal of the December 2022 attacks “is to infect websites and servers with malware for phishing campaigns, malware distribution and other malicious activities”.

–Simon Sharwood

Moscow plans to legalize piracy – but only for the glory of Mother Russia

The Russian government is working on changes to its penal code that would legalize piracy in the Federation – provided it is done in the service of Russian interests, of course.

According to the Russian news service TASS, Alexander Khinshtein, head of the State Duma’s committee on information policy, wants exemptions from liability for hackers, but other than throwing the idea at journalists, he doesn’t. had no details to add.

Yet, Khinshtein said, “I firmly believe that it is necessary to use all resources to fight the enemy effectively”, adding that Russia must be able to respond adequately to any threat – and who better to help than a well-established army. of pirates?

Hacking groups linked to Russia are notorious for the damage caused – or attempted – by groups like Killnet, Cozy Bear, Vice Society or any of the myriad others linked to attacks on its enemies – both in Ukraine and elsewhere.

These groups may operate with some impunity in Russia, but the law is still not on their side, as TASS has pointed out. Russian cybercrime laws are strict – if not always enforced – and exceptions are said to be non-existent.

Two sets of laws relate to piracy activities: Articles 272 and 273 of the Criminal Code of the Russian Federation, which respectively cover illegal access and the creation, distribution and use of malicious computer software.

Illegal access and/or use of malware, if it results in “serious consequences or (the creation of) a threat”, can get a Russian up to seven years in prison, with lesser penalties possible for less damage or acting independently of a group.

Adding exceptions for what TASS has described as “white hat” operations in the interests of the Russian government would give considerable leeway to state-sponsored hackers who are already doing so.

More alarming, however, is the encouragement it would give to green hats more likely to break a system than break into it, script kiddies for the lulz, and turnkey dark web scammers. There is no indication that such a law is about to be passed – Khinshtein said it still needs to be discussed “in more detail” – but it could be a good idea to strengthen this security posture. Especially if you are in a critical industry.

Critical vulnerabilities of the week

We’re still on the heels of February’s rather romantic Patch Tuesday, so if you’re wondering where a few well-known vulnerabilities are in this list, we might have them covered already.

That said, there’s still plenty of fun to patch if you haven’t had enough of it already.

  • CVSS 10.0 – CVE-2023-24482: Siemens COMOS Plant Engineering Software contains a buffer overflow vulnerability that could allow a remote attacker to execute arbitrary code and cause a denial of service;
  • CVSS 9.8 – CVE-2022-1343: Siemens Brownfield Connectivity Client contains multiple vulnerabilities capable of causing a denial of service condition;
  • CVSS 9.8 – CVE-2022-46169: Open source operational monitoring and fault management software Cacti contains a command injection vulnerability that is not new, but CISA said it recently spotted an exploit in the wild, so fix it now;
  • CVSS 9.8 – CVE-2022-39952: FortiNAC web server may allow an unauthenticated attacker to perform an arbitrary write due to external check filename path vulnerability (now fixed);
  • CVSS 9.3 – CVE-2021-42756: FortiWeb’s proxy daemon has multiple stack-based buffer overflow vulnerabilities that may allow an unauthenticated attacker to execute arbitrary code.

Mozilla’s Firefox 110, Firefox ESR 102.8, and Thunderbird 102.8 were also released this week and addressed a total of eight CVEs shared by a mix of the three products. Because Mozilla’s bug reporting is limited and it doesn’t provide actual CVSS scores, we’ve selected bugs it classifies as high priority, defined as those that can be used to collect sensitive data and “don’t require than normal browsing actions”.

None of the bugs fixed by Mozilla in this release were considered critical.

  • CVE-2023-0767: Maliciously crafted PKCS 12 files can be used to trigger arbitrary memory writes;
  • CVE-2023-25728: Content-Security-Policy-Report-Only header can be abused to leak unredacted URI of child iframe;
  • CVE-2023-25730: requesting fullscreen mode and then blocking the main thread may force Firefox to enter fullscreen mode indefinitely, allowing confusion or impersonation attacks;
  • CVE-2023-25735: Firefox’s Spidermonkey JavaScript engine has a use-after-release bug due to bucket mismatch;
  • CVE-2023-25737: invalid downcast of nsTextNode to SVGElement may cause undefined behavior;
  • CVE-2023-25738: Firefox on Windows has printing issues that block device drivers;
  • CVE-2023-25739: Failed module load requests are not checked, leading to post-free user vulnerabilities in ScriptLoadContext;
  • CVE-2023-25743: Firefox Focus does not include a notification to enter fullscreen mode, which could allow spoofing of malicious websites.
  • CVE-2023-25743: Firefox Focus does not include a notification to enter fullscreen mode, which could allow spoofing of malicious websites.

Finally, CVE-2023-24809 won’t keep anyone awake at night unless they’re avid players of the venerable Rogue-like adventure game NetHack. The 5.5-rated flaw is found in versions 3.6.2 through 3.6.6 and means that illegal input to the “C” command (call) can cause a buffer overflow and crash the NetHack process. “This vulnerability may be a security issue for systems where NetHack has suid/sgid installed and for shared systems,” an advisory warns. Upgrading to version 3.6.7 resolves the issue. No backup, people!

Emergency declared in Oakland, California after ransomware attack

Oakland, Calif., declared a state of emergency on Valentine’s Day — and not because there was too much love in the air. A week of work did little to eliminate a ransomware attack that hit the city on February 8.

As we reported in last week’s Security Roundup, the attack did not take down 911 services, disrupt finances or worsen emergency response times, but the precaution of taking much of the city’s network offline to stop the attack led to a slow recovery. and some inaccessible non-emergency systems.

“The network outage impacted many non-emergency systems, including our ability to collect payments, process reports, and issue permits and licenses,” the city said in a 15 update. February, adding that residents should call before coming to a city office. in case it is closed.

The Oakland government said police and fire departments are still responding to emergency calls as usual, but non-emergency requests should be made online or reported by calling the local non-emergency 311 line.

By declaring a state of emergency, Oakland accelerated its ability to procure equipment and materials to respond to the ransomware attack, as well as activate rescuers and facilitate the issuance of orders by the leaders.

The Oakland city government said the investigation into the attack is ongoing and law enforcement is investigating. The city did not say how the attack happened, who was behind it, or what sort of ransom demand was made. ®

Leave a Comment