CISA warns of attackers now exploiting Windows Print Spooler bug

by | Apr 20, 2022 | News

cisa security flaws windows print spooler bug lpe

Post Views: 399

Premium Content

 

Patreon

Subscribe to Patreon to watch this episode.

 

Reading Time: 2 Minutes

The Cybersecurity and Infrastructure Security Agency (CISA) has added three new security flaws to its list of actively exploited bugs, including a local privilege escalation bug in the Windows Print Spooler.

 

 

“As of 9:30 PM UTC on April 18, 2022, we’ve notified victims of this campaign whom we have identified as having repository contents downloaded by an unauthorized party through abuse of third-party OAuth user tokens maintained by Heroku and Travis CI,” the company revealed in an update to the original statement.

Just as GitHub’s Chief Security Officer Mike Hanley previously said when the breach was disclosed, the company is yet to find any evidence that any of its systems have been compromised since the incident was discovered.

“We do not believe the attacker obtained these tokens via a compromise of GitHub or its systems, because the tokens in question are not stored by GitHub in their original, usable formats which could be abused by an attacker,” GitHub said.

While GitHubTravis CI, and Heroku revoked all OAuth tokens to block further access, impacted organizations are advised to keep monitoring and reviewing their audit logs and user account security logs for potentially malicious activity.

 

 

 

See Also: Complete Offensive Security and Ethical Hacking Course

 

 

 

Solutions

 

“Should we identify additional customers who have been affected, we will notify those customers promptly. If you do not receive a notification email from us, that means GitHub has not identified your account as impacted by the current incident,” GitHub added on Monday.

 

 

No Travis CI customer data exposed

On Monday, the Travis CI team said that it was informed last Friday, April 15, “that certain private customer repositories may have been accessed by an individual who used a man-in-the-middle 2FA attack, leveraging a third-party integration token.”

Travis CI added that the threat actor breached a Heroku service and gained access to a private app OAuth key used to integrate the Heroku and Travis CI app.

However, since this key only provided limited access to customer data, Travis CI says that its customers’ repos or data were not exposed in the attack.

“We thoroughly investigated this issue and found no evidence of intrusion into a private customer repository (i.e. source code) as the OAuth key stolen in the Heroku attack does not provide that type of access,” the Travis CI team said.

“Based on what we have found, we do not believe this is an issue or risk to our customers.”

 

 
 
 

 

 

Guidance for finding evidence of malicious activity

 

GitHub has shared the following guidance with potentially affected customers to help them investigate their logs for evidence of exfiltration or malicious activity:

  • Review all your private repositories for secrets or credentials stored in them. There are several tools that can help with this task, such as GitHub secret scanning and trufflehog.
  • Review the OAuth applications that you’ve authorized for your personal account or that are authorized to access your organization and remove anything that’s no longer needed.
  • Follow GitHub’s guidelines for hardening the security posture of your GitHub organization.
  • Review your account activity, personal access tokens, OAuth apps, and SSH keys for any activity or changes that may have come from the attacker.
  • Additional questions should be directed to GitHub Support.

GitHub disclosed this incident on Friday evening, three days after first discovering the attack on April 12, when the attacker accessed GitHub’s npm production infrastructure.

 

 

 

See Also: Recon Tool: Smap

The threat actor used a compromised AWS API key obtained after downloading multiple private npm repositories using stolen OAuth tokens.

The impact on the npm organization includes unauthorized access to private GitHub.com repos and “potential access” to npm packages stored on AWS S3 servers.

While the attacker stole data from private repositories, GitHub believes none of the packages were modified, and no user account data or credentials were accessed in this incident.

More information on how GitHub has responded to protect its customers and what affected organizations need to know in the security alert published on Friday.

 

 

 

Are u a security researcher? Or a company that writes articles or write ups about Cyber Security, Offensive Security (related to information security in general) that match with our specific audience and is worth sharing?

If you want to express your idea in an article contact us here for a quote: [email protected]

 

 

 

See Also: Write up: Hacking is an art, and so is subdomain enumeration.

 

Source: bleepingcomputer.com

Source Link

 

 

 

 

 

Merch

Share This