Wednesday, October 13, 2021

Vulnerability In LibreOffice And OpenOffice Allows For Spoofing Digital Signatures

LibreOffice, OpenOffice Vulnerability Patched

A severe vulnerability threatening the validity of digital signatures recently caught attention as the vendors addressed it. The vulnerability existed in both OpenOffice and LibreOffice and allowed signature spoofing.

OpenOffice is a now-discontinued open-source office suite, and LibreOffice is an open-source fork of it. The maintainers of both tools have patched the bug that created the security risk. The vulnerability was first identified by researchers from the Network and Data Security (NDS) group at Ruhr-University Bochum, the same group that earlier this year detailed the Shadow Attacks, which allow tampering with digitally signed PDF files.
This time, they found an improper certificate validation bug in both suites. An adversary could spoof a digital signature in an ODF document by declaring an invalid (unsupported) signature algorithm.

Because the software failed to recognize the invalid algorithm, it presented the signature as valid and from a trusted party. Exploitation of such a flaw in the wild could allow sensitive documents to be falsely signed without detection. Following the bug reports, both the LibreOffice and OpenOffice projects started working to address the issue. They fixed the bug (tracked as CVE-2021-25635 for LibreOffice and CVE-2021-41832 for Apache OpenOffice) with the release of LibreOffice 7.0.5/7.1.1 and Apache OpenOffice 4.1.1.

While the patches are out, users might not receive the updates automatically and may have to download the latest versions of both tools manually to get them. Given the bug's severity, users should update to the patched versions as soon as possible. In the meantime, users should remain careful when interacting with digitally signed documents and should not rely on the "trusted list" functionality.
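The core mistake described above, a verifier that treats an algorithm it cannot evaluate as "no error", is easy to reproduce. The following is an added illustration, not code from LibreOffice or OpenOffice: it shows a fail-open verifier beside a fail-closed one over a constructed XML-DSig-style signature block (the layout ODF uses), with an HMAC standing in for the real public-key signature so it runs offline; the algorithm URIs, key and document are constructed for the example.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
# Only algorithms the verifier actually implements belong here (constructed URI).
SUPPORTED = {"urn:example:hmac-sha256": hashlib.sha256}

SIG_TEMPLATE = (
    '<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo>'
    '<SignatureMethod Algorithm="{alg}"/></SignedInfo>'
    '<SignatureValue>{value}</SignatureValue></Signature>'
)

def make_signature(alg, value_hex):
    """Build a minimal signature element declaring `alg` and carrying `value_hex`."""
    return SIG_TEMPLATE.format(alg=alg, value=value_hex)

def sign(content, key):
    """Produce a genuine signature value for the one supported algorithm."""
    return hmac.new(key, content, hashlib.sha256).hexdigest()

def _parse(sig_xml):
    root = ET.fromstring(sig_xml)
    alg = root.find(f"{DS}SignedInfo/{DS}SignatureMethod").get("Algorithm")
    value = bytes.fromhex(root.find(f"{DS}SignatureValue").text.strip())
    return alg, value

def verify_fail_open(sig_xml, content, key):
    """Buggy pattern: an unrecognised algorithm is skipped, so nothing is checked."""
    alg, value = _parse(sig_xml)
    valid = True  # "no error seen yet" is treated as success
    if alg in SUPPORTED:
        expected = hmac.new(key, content, SUPPORTED[alg]).digest()
        valid = hmac.compare_digest(expected, value)
    return valid

def verify_fail_closed(sig_xml, content, key):
    """Hardened pattern: anything the verifier cannot evaluate is invalid."""
    alg, value = _parse(sig_xml)
    digest = SUPPORTED.get(alg)
    if digest is None:
        return False
    expected = hmac.new(key, content, digest).digest()
    return hmac.compare_digest(expected, value)

def demo():
    """Constructed key/document; returns (open/good, closed/good, open/forged, closed/forged)."""
    key, doc = b"constructed-demo-key", b"<office:text>ODF body</office:text>"
    good = make_signature("urn:example:hmac-sha256", sign(doc, key))
    forged = make_signature("urn:example:unknown-alg", "00" * 32)  # garbage value
    return (verify_fail_open(good, doc, key), verify_fail_closed(good, doc, key),
            verify_fail_open(forged, doc, key), verify_fail_closed(forged, doc, key))
    # demo() -> (True, True, True, False): the forged signature passes the buggy verifier
```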


Monday, October 11, 2021

Ukraine Arrests an Operator of a DDoS Botnet with 100,000 Compromised Devices

Ukrainian law enforcement authorities on Monday disclosed the arrest of a hacker responsible for the creation and management of a "powerful botnet" consisting of over 100,000 enslaved devices that was used to carry out distributed denial-of-service (DDoS) and spam attacks on behalf of paid customers.


As the SBU cyber specialists managed to establish, the attacker turned out to be a resident of the Ivano-Frankivsk region. He is also said to have leveraged the automated network to detect vulnerabilities in websites and break into them, as well as to stage brute-force attacks in order to guess passwords for e-mail accounts on remote platforms.



The Ukrainian police agency said it has conducted a raid of the suspect's residence and seized their computer equipment as evidence of illegal activity.

The Security Service of Ukraine (SSU) said in a press statement: "He found customers on closed forums and in Telegram chats, and made payments to 'customers' through electronic payment systems banned in Ukraine. At the same time, according to the investigation, the Prykarpattia resident is a representative of the Russian electronic system of instant payments Webmoney, which is subject to the sanctions of the National Security and Defense Council." The payments were facilitated via WebMoney, a Russian money transfer platform banned in Ukraine.


The development comes weeks after Russian cybersecurity firm Rostelecom-Solar, a subsidiary of the telecom operator Rostelecom, disclosed late last month that it had sinkholed a portion of the Mēris DDoS botnet, which is known to have co-opted an estimated 250,000 hosts into its mesh.

NKTsKI and Rostelecom-Solar prevent the Meris botnet from hijacking more than 45,000 devices

By intercepting and analyzing the commands used to control infected devices, the company said it was able to "detect 45,000 network devices, identify their geographic location and isolate them from the botnet." Over 20% of the devices attacked are located in Brazil, followed by Ukraine, Indonesia, Poland, and India.

Sunday, October 10, 2021

Sky.com servers exposed via misconfiguration

CyberNews researchers found an exposed configuration file hosted on a Sky.com subdomain containing production data.


CyberNews researchers found an exposed configuration file hosted on a Sky.com subdomain, containing what appear to be production-level database access credentials, as well as addresses to development endpoints.

Sky, a subsidiary of Comcast, is Europe’s largest media company, boasting a 12% market share and a revenue of approximately £13.4 billion in 2020, as well as more than 31,000 employees and 24 million customers. UpLift Media, launched by Sky and Molson Coors in 2015, is an in-venue digital screen advertising network that operates digital screens in bars and other leisure venues across the UK.

Sky customers have been told to change their passwords immediately, raising fears that the company may have been hit by a data breach.

The company has sent out emails to customers across the UK urging them to reset their passwords as part of a "security measure".

The email contains a link for users to choose a new password, as Sky has had to change their existing logins, raising fears that the company has suffered some kind of breach or attack.


Several Sky customers took to Twitter to ask Sky if the emails were genuine or part of a phishing scam, with the firm's official Sky Help Team account replying that they were genuine. "To help keep customer's accounts safe we occasionally reset the password for Sky accounts. Customers can reset their password online at Sky.com," a Sky spokesperson said, adding that the company has not been breached. However, the account also told some customers that the reset was linked to "part of the incident that happened last week", possibly referencing a recent attack. "We have been informed by the provider of Sky.com email that a number of email accounts have been accessed without permission," its official disclosure on the incident read, "as a precautionary measure these accounts have been locked."

For more on the impact and on the precautions Sky.com has taken in response, the security research team that reported the issue has published a write-up showing how they found the exposed data: https://securityaffairs.co/wordpress/123143/data-breach/sky-com-server-misconfiguration.html


Streaming Platform "Twitch" Confirms Hack

Twitch, Amazon's live video streaming platform, said on Wednesday, 6 October 2021, that hackers had broken into its network, after reports of exposed confidential company data surfaced online.


The platform, where users often stream live video game play, including broadcasts of e-sports competitions, and which also offers music broadcasts, creative content and more, confirmed the break-in on Twitter. Amazon bought Twitch for almost $1 billion in 2014. The site is primarily focused on videos and livestreams for video game enthusiasts.

"We can confirm a breach has taken place," Twitch said in a post from its verified Twitter account.

"Our teams are working with urgency to understand the extent of this."

The statement came after reports emerged that a massive dump of Twitch data had been posted on fringe anonymous message board 4Chan. A post at 4Chan served up 125 gigabytes of data reported to include Twitch source code, records of payouts to streamers, and a digital video game distribution service being built by Amazon Game Studios. It did not appear that personal Twitch user data was in the dump, but the extent of the hack was still being investigated. Google searches for "how to delete Twitch" rocketed eightfold as news of the hack spread, according to marketing analysts firm N. Rich.

"With such a concerning data breach from a platform as widespread and global as Twitch, users are naturally wanting to protect themselves and their data as soon as possible," an N.Rich spokesperson said. 

The hacker took more than 125 gigabytes of data in the breach, according to the 4chan post.

The person who posted the trove of stolen data left a message claiming the break-in was performed to foster competition in video streaming, and because the Twitch community "is a disgusting toxic cesspool," according to media reports. Users of Twitch, the world's biggest video game streaming site, staged a virtual walkout last month to voice outrage over barrages of racist, sexist and homophobic abuse on the platform. The phenomenon of "hate raids" -- torrents of abuse -- has seen the platform become increasingly unpleasant for many Twitch streamers who are not white or straight.

A Twitter hashtag, #TwitchDoBetter, has become a magnet for complaints over the past month, largely from female, non-white and LGBTQ players saying that Twitch is failing to stop internet trolls running amok -- all while taking 50 percent of streamers' earnings.

Twitch has maintained that it is working to improve tools for protecting accounts from abuses.

The service is suing two users in US federal court, accusing them of orchestrating the so-called "hate raids."


While Twitch is still investigating and says there’s no indication login details were exposed, we’d still recommend changing your Twitch password and enabling two-factor authentication if you haven’t already done so.




Friday, October 8, 2021

Vulnerability Scanning v/s Penetration Testing

A lot of people confuse vulnerability scanning with penetration testing. Vulnerability scanning cannot replace penetration testing, and penetration testing on its own cannot secure the entire network. Both are important at their respective levels, both are needed in cyber risk analysis, and both are required by standards such as PCI, HIPAA, ISO 27001, etc.

Vulnerability scanning vs Penetration Testing

Put simply, penetration testing exploits a vulnerability in your system architecture, whereas vulnerability scanning (or assessment) checks for known vulnerabilities and generates a report on risk exposure, which later serves as the basis for the reports delivered to clients.

The choice between penetration testing and vulnerability scanning depends mostly on three factors:

  1. Scope
  2. Risk and Criticality of assets
  3. Cost and Time

Penetration Testing

Penetration testing scope is typically targeted, and there is always a human factor involved. There is no fully automated penetration testing: it requires the use of tools, sometimes a lot of tools, but it also requires an extremely experienced person to conduct it. A good penetration tester will always, at some point during their testing, craft a script, change the parameters of an attack or tweak the settings of the tools he or she is using.

It could be at application or network level but specific to a function, department or number of assets.  One can include the whole infrastructure and all applications but that is impractical in the real world because of cost and time. You define your scope on a number of factors that are mainly based on risk and how important is an asset.

Spending a lot of money on low-risk assets that may take a number of days to exploit is not practical. Penetration testing requires highly skilled people, which is why it is costly. Testers often exploit a new vulnerability or discover vulnerabilities that are not known to normal business processes. Penetration testing normally takes from days to a few weeks, it is often conducted once a year, and reports are short and to the point. It does have a higher than average chance of causing outages.

Penetration testers are well versed in: 

  • Black hat attack methodologies (e.g., remote access attacks, SQL injection)
  • Internal and external testing (i.e., perspective of someone within the network, perspective of a hacker over the Internet)
  • Web front-end technologies (e.g., JavaScript, HTML)
  • Web application programming languages (e.g., Python, PHP)
  • Web APIs (e.g., RESTful, SOAP)
  • Network technologies (e.g., firewalls, switches, IDS)
  • Networking protocols (e.g., TCP/UDP, SSL)
  • Operating systems (e.g., Linux, Windows)
  • Scripting languages (e.g., Python, Perl)
  • Testing tools (e.g., Nessus, Metasploit)

In short, penetration testers provide a deep look into the data security of an application and/or an organization.

Vulnerability Scanning

On the other hand, vulnerability scanning is the act of identifying potential vulnerabilities in network devices such as firewalls, routers, switches, servers and applications. It is automated and focuses on finding potential and known vulnerabilities at the network or application level. Vulnerability scanners only identify potential vulnerabilities; they do not exploit them, and hence they are not built to find zero-day exploits. The scope of vulnerability scanning is business-wide, requiring automated tools to manage a high number of assets, so it is wider in scope than penetration testing. Product-specific knowledge is needed to use a vulnerability scanning product effectively. It is usually run by administrators or security personnel with good networking knowledge.

Vulnerability scans can be run frequently on any number of assets to ascertain known vulnerabilities are detected and patched. Thus, you can eliminate more serious vulnerabilities for your valuable resources quickly. An effective way to remediate vulnerabilities is to follow the vulnerability management lifecycle. The cost of a vulnerability scan is low to moderate as compared to penetration testing, and it is a detective control as opposed to preventive like penetration testing.

Vulnerability management can be fed into patch management for effective patching. Patches must be tested on a test system before rolling out to production.

Limitations of a vulnerability scan

  • False positives
  • Businesses must manually check each vulnerability before testing again
  • Does not confirm that a vulnerability is exploitable


Which is better? A vulnerability scan or penetration test?

Both tests work together to encourage optimal network and application security. Vulnerability scans are great weekly, monthly, or quarterly insight into your network security (the quick X-ray), while penetration tests are a very thorough way to deeply examine your network security (the periodic detailed MRI). Yes, penetration tests are expensive, but you are paying a professional to examine every nook and cranny of your business the way a real world attacker would, to find a possibility of compromise.

Thursday, October 7, 2021

Phishing Attacks Maintain Elevated Levels Into The Middle Of 2021

New data from the Anti-Phishing Working Group (APWG) indicates that Q2 2021 showed a similar level of phishing activity to the prior quarter, indicating no slowdown in attacks. We'd all like to see some sort of reprieve from the heightened levels of phishing and spear phishing attacks we've experienced over the last 18 months. Since the pandemic started, the cybercrime ecosystem has grown and evolved into new attack methods and business models never seen before, with phishing remaining at the forefront. According to the APWG data, the number of brands targeted in Q2 rose by more than 15 percent, and financial institutions and social media continue to be the primary targets of phishing attacks.


Phishing-As-A-Service Responsible For Over 300,000 URLs Used In Attacks

A new phishing-as-a-service (PhaaS) operation spotted by Microsoft puts quality phishing templates and sites into the hands of any would-be cyber attacker. As "crime as a service" has continued to expand, it's no surprise to hear that the Microsoft 365 Defender Threat Intelligence Team has spotted a set of phishing campaigns that all seem to use the same phishing-as-a-service operator; the group responsible has been referred to as BulletProofLink or Anthrax, with over 300,000 subdomains in use from a single campaign alone. These PhaaS providers offer complete malicious websites that include registration and sign-in pages, phishing templates, as well as hosting and support.

Someone's Impersonating The California DMV In Texts

The California DMV has warned of an ongoing smishing campaign seeking customers' personal and financial information, Pasadena Now reports. "The California Department of Motor Vehicles (DMV) reminds customers that it will never ask for personal information related to driver's license number, Social Security number or financial information through text or unsolicited phone calls or email," the DMV said in a statement. "The DMV has heard from multiple customers who have received text messages directing them to an unfamiliar link. If a link does not direct customers to the main DMV website at dmv.ca.gov, it is NOT from the DMV." The department stressed that, while it sometimes does send texts or emails to customers, it won't contact you out of the blue asking for personal information.
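The DMV's own rule, that a link is genuine only if it leads to dmv.ca.gov, is a host check that is easy to get wrong when done by eye. The following is an added example, not from the DMV or Pasadena Now, of applying that rule to links found in a text message; the sample messages and lookalike hosts are constructed for illustration.

```python
from urllib.parse import urlsplit

OFFICIAL_HOST = "dmv.ca.gov"

def is_official_dmv_link(url):
    """True only if the URL's host is dmv.ca.gov or a name beneath it.

    urlsplit() separates the host from userinfo and port, so a link such as
    https://dmv.ca.gov@evil.example/ resolves to evil.example, and hosts that
    merely contain the string (dmv.ca.gov.evil.example, dmv-ca.gov) or carry
    it in the path (evil.example/dmv.ca.gov) are rejected."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    return host == OFFICIAL_HOST or host.endswith("." + OFFICIAL_HOST)

def triage(message):
    """Pull every http(s) link out of a message and classify each one.

    Returns a list of (link, is_official) pairs in the order found."""
    links = [word for word in message.split()
             if word.lower().startswith(("http://", "https://"))]
    return [(link, is_official_dmv_link(link)) for link in links]

# Constructed sample message with one genuine link and several lookalikes.
SAMPLE_SMS = (
    "DMV: your registration is on hold, verify at https://dmv.ca.gov.evil.example/ "
    "or https://dmv-ca.gov/renew or https://dmv.ca.gov@evil.example/ "
    "or https://evil.example/dmv.ca.gov ; official portal: https://www.dmv.ca.gov/portal/"
)
```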