It has been a busy week in the world of cyber-security, with multiple platforms and companies updating their software and patching vulnerabilities:
- Google has patched two new zero-day bugs that were actively exploited in recent weeks
- The November 2020 security update of SAP fixed many critical vulnerabilities
- Cardbleed Attack – Demystified.
Update all your things
Google has patched two new zero-day bugs that were actively exploited in recent weeks, with a quick turnaround. The vulnerabilities are tracked as CVE-2020-16013 and CVE-2020-16017, and the bugs were identified and reported to Google by “anonymous” sources, unlike previous cases that were discovered by the company’s elite Project Zero security team.
Two New Chrome 0-Days Under Active Attacks – Update Your Browser https://t.co/KRceYdbvr2
Google has patched two more zero-day flaws in the Chrome web browser for desktop, making it the fourth and fifth actively exploited vulnerabilities addressed by the shttps://t.co/GmusOqbbqK
— M157q News RSS (@M157q_News_RSS) November 12, 2020
SAP patching open-ended vulnerabilities
The November 2020 security update of SAP fixed many critical vulnerabilities affecting SolMan, Data Services, ABAP, S4 / HANA, and NetWeaver products. The company has published a total of 19 new security notes since the previous patch day. Six of the 19 have been marked critical; four are new notes and two are revisions of previously published notes.
Two vulnerabilities in SAP Data Services have been resolved by another “hot news” patch. These affect Apache Struts and were discovered last year. Exploitation of the bugs would lead to remote code execution and a denial-of-service (DoS) condition, respectively.
Three of the latest patches fix high-severity vulnerabilities: an information disclosure issue in SAP Commerce Cloud, DoS and SSRF bugs in Commerce Cloud, and server-side request forgery (SSRF) and reflected cross-site scripting (XSS) problems in SAP Fiori Launchpad. Medium-severity bugs in NetWeaver, Bank Analyzer, S/4 HANA Financial Goods, SAP Process Integration, E-Bilanz ERP Client, and Visual Business Viewer have also been resolved.
Credit card Hacks
According to research published by RiskIQ, the surge of cyber attacks against retailers operating the Magento 1.x e-commerce platform earlier this year was attributed to one single party.
The campaign, named Cardbleed, hit at least 2,806 online storefronts running Magento 1.x, a platform that had already reached end-of-life on June 30, 2020. RiskIQ said in an analysis published earlier this week that this group has carried out a large number of different Magecart attacks, either through the supply chain, as in the Adverline incident, or through the use of exploits, as in the September Magento 1 compromises, and frequently compromises large numbers of websites at once.
Stealing credit card data by injecting e-skimmers into shopping websites is the standard Magecart technique, and numerous hacker groups targeting online shopping cart systems have been using it heavily lately.
However, Magecart operators have stepped up their efforts to conceal card-stealer code in recent months. They have hidden code inside image metadata containers and even conducted IDN homograph attacks to plant web skimmers inside a website’s favicon file. Cardbleed, first reported by Sansec, works by communicating with the Magento admin panel from unique domains and then using the ‘Magento Connect’ function to download and install a piece of malware called ‘mysql.php’, which is automatically deleted after the skimmer code has been added to “prototype.js.”
What is even more interesting is that the skimmer used in the compromises is a variant of the Ant and Cockroach skimmer first observed in August 2019, so named after a function labeled “ant_cockcroach()” and a variable “ant_check” found in the code. The researchers added that the attackers have shuffled their infrastructure since the Cardbleed campaign was publicized.
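As an added example (not code from the original post, nor from RiskIQ or Sansec), the following Python check turns the indicators described above into a defensive integrity scan of a Magento 1.x web root: a known-good hash for the vendored prototype.js, the “ant_cockcroach()” and “ant_check” strings, and a leftover mysql.php installer. The sample file tree, paths and baseline hash are constructed for the demonstration.

```python
import hashlib
import re
from pathlib import Path
from typing import Dict, List

# Strings the post ties to the Ant and Cockroach skimmer family.
SKIMMER_INDICATORS = [re.compile(r"ant_cockcroach\s*\("), re.compile(r"\bant_check\b")]
# Installer the post says Cardbleed drops via Magento Connect and then deletes.
DROPPED_INSTALLER = "mysql.php"
TEXT_SUFFIXES = (".js", ".php", ".phtml", ".html")


def sha256_of(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


def check_tree(files: Dict[str, bytes], known_good: Dict[str, str]) -> List[str]:
    """Return findings for a mapping of relative path -> file bytes.
    known_good maps vendored JS paths (e.g. js/prototype/prototype.js) to the
    SHA-256 of the pristine file, so any edit is flagged even when the injected
    code uses names not on the indicator list."""
    findings: List[str] = []
    for rel, content in files.items():
        # 1. Integrity: vendored JS whose hash no longer matches the baseline.
        if rel in known_good and sha256_of(content) != known_good[rel]:
            findings.append(f"{rel}: hash differs from baseline")
        # 2. Indicator strings, checked only in text-like files.
        if rel.endswith(TEXT_SUFFIXES):
            text = content.decode("utf-8", errors="replace")
            for pat in SKIMMER_INDICATORS:
                if pat.search(text):
                    findings.append(f"{rel}: matches indicator {pat.pattern!r}")
        # 3. Installer that should have been deleted but is still present.
        if Path(rel).name == DROPPED_INSTALLER:
            findings.append(f"{rel}: unexpected {DROPPED_INSTALLER} in web root")
    return findings


# Constructed sample: a pristine prototype.js baseline and a tampered copy.
CLEAN_PROTOTYPE = b"var Prototype = { Version: '1.7' };\n"
TAMPERED_PROTOTYPE = CLEAN_PROTOTYPE + b"function ant_cockcroach(){var ant_check=1;}\n"
SAMPLE_TREE = {
    "js/prototype/prototype.js": TAMPERED_PROTOTYPE,
    "downloader/mysql.php": b"<?php /* leftover installer */ ?>",
    "skin/frontend/base/default/css/styles.css": b"body{}",
}
SAMPLE_BASELINE = {"js/prototype/prototype.js": sha256_of(CLEAN_PROTOTYPE)}

if __name__ == "__main__":
    for finding in check_tree(SAMPLE_TREE, SAMPLE_BASELINE):
        print(finding)
```

To run this against a real deployment, build the `files` mapping from the web root and the baseline hashes from a pristine copy of the same Magento release; a hash mismatch alone is worth investigating, since new skimmer variants will not match a fixed string list.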