February 12, 2023

Mailchimp Security Breach

 

Popular email marketing and newsletter service Mailchimp has disclosed another security breach in which threat actors gained access to internal support and account administration tools and obtained information on 133 customers.

“The unauthorized actor carried out a social engineering attack against Mailchimp employees and contractors and gained access to several Mailchimp accounts using the employee credentials compromised in this attack,” the Intuit-owned company said in a statement.

 

The development was first reported by TechCrunch.

 

Mailchimp said it identified the breach on January 11, 2023, and noted that there was no evidence that the unauthorized party breached Intuit’s systems or accessed customer information beyond the 133 accounts.

The company added that the primary contacts for all affected accounts were notified within 24 hours and that it has since helped those users regain access to their accounts. However, the Atlanta-based company did not disclose how long the intruder remained on its systems or the exact type of information accessed.

WooCommerce, one of the affected accounts, said the incident exposed users’ names, hosting URLs, addresses and email addresses, but did not expose payment details, passwords or other sensitive information.

 

In the last year alone, Mailchimp has been the victim of two different breaches, the first of which involved a malicious actor gaining unauthorized access to 319 customer accounts in April 2022 in order to carry out cryptocurrency scams.

Then, in August 2022, the company fell victim to another sophisticated social engineering attack orchestrated by a group known as 0ktapus (aka Scatter Swine), which resulted in 216 customer accounts being compromised.

Reference:

Ravie Lakshmanan, “Mailchimp Suffers Another Security Breach Compromising Some Customers’ Information”, The Hacker News, Jan 19, 2023, https://thehackernews.com/2023/01/mailchimp-suffers-another-security.html

What is causing the T-Mobile breach?

According to 93% of cybersecurity professionals and 86% of business leaders surveyed by the World Economic Forum (WEF), “A catastrophic cyber event could occur within the next two years.”

 

Geopolitical uncertainty and persistent cybersecurity skills shortages are making the situation more precarious and forcing companies to rethink their presence in certain regions, WEF’s Global Cybersecurity Outlook 2023 report, which collects the opinions of 300 experts and senior executives, reveals.

 

In the meantime, we’re still seeing very, very bad cyber breaches and attacks. More recently, there was another major breach at T-Mobile (37 million customers affected this time), the theft of source code from video game developer Riot Games accompanied by a $10 million ransom demand, and the negligent exposure of a 2019 copy of the US government’s airline No Fly List, a roll call of suspected terrorists.

LastPass’s situation also continued to evolve after its password vault was compromised in November, with the password manager’s latest update admitting that “a malicious actor stole copies of encrypted storage from a third-party cloud storage service”.

 

While rival services will no doubt spy an opportunity to grow their market share given the market leader’s reputational crash, the hack is also perhaps bringing unprecedented scrutiny to the hitherto highly regarded field. Indeed, The Daily Swig recently reported on how several popular password managers auto-filled credentials on untrusted websites, while Bitwarden responded to renewed criticism of its encryption scheme by enhancing its default security configuration.

 

A fruitful security audit of Git’s source code is another notable story we covered since the last edition of Deserialized.

 

Here are some more web security stories and other cybersecurity news that caught our attention in the last fortnight:

 

Web vulnerabilities

OpenText / Critical / Pre-auth RCEs via cs.exe and Java frontend plus multiple post-authentication vulnerabilities / Disclosed with patch January 17

Rancher API / Critical / A patch rolled out in September 2022 failed to stop secrets, encryption keys, and SSH keys from being stored in plaintext directly on Kubernetes objects like Clusters / Disclosed and patched January 26

Tiki Wiki CMS / Critical / Unauthenticated attackers could execute arbitrary code by combining CSRF with PHP object injection in the popular open source, wiki-based CMS / Patched August 23, disclosed January 9

VMware vRealize Log Insight / Critical / Directory traversal, broken access control, deserialization, information disclosure vulnerabilities / Disclosed with patch January 24

Zoho ManageEngine / Critical / A surfaced PoC and in-the-wild exploitation raise the stakes for patching on-premise Zoho ManageEngine products against this RCE vulnerability / Disclosed and patched October 27

Research and attack techniques

Vulnerabilities in popular open source health records and medical practice management platform OpenEMR allowed remote attackers to steal sensitive patient data from any OpenEMR server and, worse still, to execute arbitrary system commands (courtesy of Sonar)

Jerry Shah recounts how he found an API misconfiguration on a SwaggerUI endpoint in an unnamed web application on a private bug bounty program that leaked the authorization token from local storage

ChatGPT lowers the barriers to entry for threat actors with limited programming or technical skills, but state-backed miscreants are unlikely to gain operational efficiencies from the unnervingly sophisticated chatbot tool, according to Recorded Future

Maksym Yaremchuk – number 80 on HackerOne’s all-time leaderboard, no less – details a pair of critical severity account takeover exploits fashioned during an engagement with a private bug bounty program

GitHub researcher Man Yue Mo achieves arbitrary kernel code execution and root on a Google Pixel 6 mobile phone from an Android app.

Bug bounty / vulnerability disclosure

Security researchers can mathematically prove the existence of a software vulnerability without revealing information that, in the wrong hands, could lead to malicious exploitation, explains a recent New Scientist feature (paywall)

Intigriti has penned a blog post on the safe harbor clause for researchers created by the Belgian Act on the Protection of Whistleblowers

The Daily Swig recently reported on the upcoming third annual Hack The Pentagon challenge, CORS misconfigurations at Tesla and other, unnamed programs earning researchers a “few thousand dollars”, and Google Cloud Platform (GCP) project vulnerabilities netting researchers more than $22,000

Other recent writeups include a $3,000 bounty for a reflected XSS in Microsoft Forms, while Bug Bounty Switzerland’s inaugural ‘vulnerability of the month’ related to a time-limited private program and many appliances exposed to the internet

Bug hunter interviews with British hacker and YouTuber ‘InsiderPhD’ and ‘TodayIsNew’ were published by HackerOne and Bugcrowd, respectively

New open source infosec/hacking tools

Gato – or GitHub Attack Toolkit – evaluates the impact of compromised personal access tokens within GitHub development environments. It enables monitoring of public repos that use self-hosted runners, which GitHub recommends are only deployed in private repos because otherwise “forks of your public repository can potentially run dangerous code on your self-hosted runner machine by creating a pull request that executes the code in a workflow”

Highlighter And Extractor (HaE) – Paris-based crowdsourced security platform YesWeHack has released a Burp Suite extension that collects, categorizes, and highlights requests and/or responses to help identify vulnerable code patterns, errors, reflections, and more in a passive enumeration process

PyCript – Another Burp Suite extension, this time enabling the bypassing of client-side encryption through custom logic for manual and automated testing with Python and NodeJS

SeeProxy – Golang reverse proxy with CobaltStrike malleable profile validation

CVE-2022-47966 Scanner – Assess your exposure to the critical RCE bug affecting at least 24 on-premise ManageEngine products and currently being actively exploited

More industry news

NIST trails potential updates (PDF) to the NIST Cybersecurity Framework and invites the infosec community to provide feedback

In other US federal agency news, the NSA issues IPv6 security guidance (PDF), CISA updates best practices for mapping to the MITRE ATT&CK framework (PDF), and CISA, NSA, and MS-ISAC jointly warn (PDF) of malicious use of legitimate remote monitoring and management (RMM) software

Google documents progress on leveraging case randomization of DNS query names sent to authoritative nameservers in order to mitigate the impact of cache poisoning attacks

Google also follows through on its intention to drop TrustCor Systems as a root certificate authority (CA) for Chrome, confirming a timetable for ceasing to recognize its certificates

Cloud-based cyber-attacks jump 48% year on year as malicious hackers spy opportunities in the digital transformation trend – Check Point report.
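The DNS case-randomization item above refers to the “0x20” technique: a resolver mixes the case of the letters in the query name, and because authoritative servers echo the question back byte for byte, a response whose name does not match the exact pattern sent can be discarded, which adds entropy on top of the 16-bit transaction ID that cache-poisoning attacks must guess. As an added illustration (not Google’s code, and not from The Daily Swig), the Python below derives the case pattern from a keyed hash so the resolver can re-derive it rather than store it per query, and shows the match check applied to responses; the key, transaction ID and names are constructed sample values.

```python
import hmac
import hashlib

# Constructed example of DNS "0x20" query-name case randomization.
# Not Google's implementation; the key and names below are sample values.


def randomize_qname_case(qname: str, key: bytes, txid: int) -> str:
    """Return qname with each letter's case chosen from an HMAC over
    (key, txid, lowercase qname). Digits, dots and hyphens are untouched.
    Deriving the pattern from a keyed hash lets the resolver recompute
    the expected name when the response arrives."""
    base = qname.lower()
    msg = txid.to_bytes(2, "big") + base.encode("ascii")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    out = []
    bit = 0  # one hash bit consumed per letter
    for ch in base:
        if ch.isalpha():
            byte = digest[(bit // 8) % len(digest)]
            out.append(ch.upper() if (byte >> (bit % 8)) & 1 else ch)
            bit += 1
        else:
            out.append(ch)
    return "".join(out)


def response_matches(sent_qname: str, answer_qname: str) -> bool:
    """Case-sensitive comparison of the question name echoed in a response.
    Normal DNS matching is case-insensitive, so this is the extra check a
    0x20-aware resolver performs; a forged response built from the plain
    lowercase name fails it unless the attacker also guesses the pattern."""
    return sent_qname == answer_qname


def case_entropy_bits(qname: str) -> int:
    """Extra guessing entropy 0x20 adds: one bit per letter in the name."""
    return sum(1 for ch in qname if ch.isalpha())


if __name__ == "__main__":
    key = b"sample-resolver-secret"  # constructed; rotate in real deployments
    sent = randomize_qname_case("www.example.com", key, 0x1234)
    print("sent:", sent, "extra bits:", case_entropy_bits(sent))
    print("genuine echo accepted:", response_matches(sent, sent))
    print("lowercase forgery accepted:", response_matches(sent, sent.lower()))
```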


Reference:

The Daily Swig (PortSwigger), https://portswigger.net/daily-swig/vulnerabilities
