This week is a hodge-podge rollup of warnings, threats, and vulnerabilities. There is something for everyone, bloggers, website administrators, and any remote-work-from-home-digital-nomad with a side-hustle.
A funny thing about security vulnerabilities, defects and flaws may exist in products for years until revealed by any number of involved parties. They sit silent waiting for exploitation by threat actors. Vendors or IT staff may deem problems as insignificant, and therefore unfixed, until by intent or accident hackers discover them as a doorway to a critical weakness.
Whether it be a zero-day exploit or a years-old sleeper creeping back to haunt a vendor and the public, keeping your assets up to date it is a good strategy. Those who insist on remaining on old or obsolete systems risk becoming an unintended honeypot for hackers within minutes if they ever access the internet. A Honeypot Attracts More Than Bears – X-Industry – Red Sky Alliance
Worse yet, the one aspect of the system which is impossible to fully mitigate from corruption is the human mind. The most secure system is still victim to poor decisions and unintentional acts of trust by the users.
Web Browsers Exploits
Zero-Day Exploits, News and Analysis
Google Project Zero Detects a Record Number of Zero-Day Exploits in 2021 (thehackernews.com)
The browser you use to traverse, search, and view the world-wide-web is no less vulnerable to exploitable bugs. What makes a web browser interesting is the available material to evaluate the browser-application weaknesses is the entirety of the internet itself.
Naturally, the tools to detect and remediate or mitigate risks are maturing rapidly. As detection methods improve, so does the number of issues found.
The Google report shows both halves of this conflict. It also indicates the persistence of bad actors. The often-repeated message for the user is to keep your software up to date, allowing the automatic updates to occur. Improvements in vendor update processes continue to become less impacting to a user’s work-in-progress.
A look at the number of exploits remediated over 2022 Q1 indicates a more eventful year than average so far, and a bit less than 2021. Nevertheless, keep the patch pace on par.
Recommendation and References:
0day “In the Wild” – Google Sheets
RainLoop Webmail
Email Theft
Unpatched Bug in RainLoop Webmail Could Give Hackers Access to all Emails (thehackernews.com)
A popular remote-worker and digital-nomad passive income gig is third-party web and domain administration. The RainLoop defect is known and un-patched for months, leaving users at potential risk of having all email exposed. If you are managing the domains of yourself or others, check your webmail software. Maintaining your products preserves your credibility.
While writing this post, I stopped to check which webmail services I have configured on my domains. While I pay for hosting services, there is a level of self-care still required. I cannot assume the hosting company IT folks managed all maintenance and updates.
Recommendation and References:
“In the absence of patches, SonarSource is recommending users to migrate to a RainLoop fork called SnappyMail, which is actively maintained and unaffected by the security issue.”
– from thehackernews.com
SnappyMail, your webmail client
Lenovo Laptops Firmware
Impact to Lenovo Flex; IdeaPads; Legion; V14, V15, and V17 series; and Yoga laptops
New Lenovo UEFI Firmware Vulnerabilities Affect Millions of Laptops (thehackernews.com)
With millions of affected laptops, many popular with remote workers who are ‘users’ not ‘computer gurus’, consider checking your devices for the latest available patches. The firmware flaw can allow malicious software to resided persistently on the computer through reboots and is difficult to detect.
I used Lenovo laptops for a decade, and even with enterprise support, I rarely received timely BIOS or firmware updates. I looked for and installed them myself.
I will add, as with any updates, make sure you have current system backups. No update process is proof against the variety of device configurations owned by the public. The possibility of failure to launch after is always there.
Recommendation and References:
Apply the latest patches and updates
Lenovo Notebook BIOS Vulnerabilities – Lenovo Support US
Elementor Plugin for WordPress
Plugin Remote Code Execution
Critical Remote Code Execution Vulnerability in Elementor (wordfence.com)
The team at Wordfence team does a remarkable job of reporting and mitigating WordPress vulnerabilities. This is, again, important to the remote workers managing WordPress sites for side-hustle income. Web administrators should verify automatic updates of plugins are enabled or check for updates if not.
This exploit allows authenticated users to upload arbitrary code, exposing the website to further exploitation. Elementor is a widely used plugin with millions of downloads giving it a high priority to address.
I personally recommend Wordfence as an add-on to any self-managed site. I have found the Wordfence posts, updates, blocking processes, and notifications educational. Their awareness and information sharing make the community safer.
Recommendation and References:
Elementor Website Builder – WordPress plugin | WordPress.org
Iranian Advanced Persistent Threat
Social Engineering
Social Engineering Remains Key Tradecraft for Iranian APTs – Message (recordedfuture.com)
RecordedFuture.com has an excellent writeup on the social engineering tactics used by Iranian-based threat actors. It serves as a notable example and primer on identifying the methods employed.
Social engineering exploits human weakness. It remains stubbornly difficult to patch our brains. There are dozens of advance persistent threat (APT) actors, Iran being just one. Iranian based APTs have years of continued expertise subverting our best intentions for malicious purposes.
“These include the use of charismatic sock puppets, the lure of prospective job opportunities, solicitation by journalists, and masquerading as think tank experts seeking opinions.”
– Recorded Future
The warning for the remote worker is to keep your guard up. Unsolicited employment opportunities through Twitter, Facebook, LinkedIn, and others requesting your résumé, to “click here to apply,” or accept simple friend requests may have ill intent. As a digital nomad the lure is great to find work. Those of us using our computing assets to support multiple customers or contracts become a bridge to into corporate exploitation if our systems become compromised.
I recommend the full Recorded Future report for the details.
Recommendation and References:
Social Engineering Remains Key Tradecraft for Iranian APTs – PDF Details (recordedfuture.com)