linergogo.blogg.se

Last pass account

There has been a rash of cryptocurrency thefts targeting some unexpected victims. Over $35 million has been drained from just over 150 individuals, and the list reads like a who’s-who of the least likely to fall for the normal crypto scams. There is a pattern that has been noticed: almost all of them had a seed phrase stored in LastPass this past November, when the entire LastPass database was breached. The bulletproof security of the LastPass system depends in part on the rate limiting of authenticating with the LastPass web service. Additionally, accounts created before security improvements in 2018 may have had master passwords shorter than 12 characters, and the hash iterations on those accounts may have been set distressingly low. Since attackers have had unrestricted access to the database, they’ve been able to run offline attacks against accounts with very low iterations, and apparently that approach has been successful.

You may remember a story from a couple months ago, where Microsoft found the Chinese threat group Storm-0558 forging authentication tokens using a stolen signing key. There was a big open question at that point as to how exactly an outside group managed to access such a signing key. A crash log from 2021 unintentionally included the key, and Microsoft’s automated redaction system didn’t catch it. That crash dump was brought into development systems, and an engineer’s account was later accessed by Storm-0558. That key should not have worked for enterprise accounts, but a bug in Microsoft’s key validation allowed the consumer systems key to work for enterprise accounts. Those issues have been fixed, but after quite a wild ride.

In March MSI suffered a major breach, and among the pilfered data was MSI’s BootGuard private key. The Hardcore Matrix team has put together an attack chain that uses these keys to inject a custom module into the UEFI boot image.

If there’s anything worse than losing your keys, it’s forgetting to generate them in the first place. VMware Aria has a CVSS 9.8 vulnerability, which boils down to a shared SSH key across all installs from version 6.0 to 6.10.

Researchers at Sonar set their sights on Proton Mail, and found some impressive issues that, chained together, result in running unsanitized JavaScript from inside an incoming email, with access to the entire logged-in account. Proton Mail is carefully built to avoid exactly this sort of attack, so it takes some clever work to pull it off. The first observation is that tags in incoming emails get replaced with - after the code has run through the HTML sanitizer. SVG data is very different from normal HTML, and making that change has some unexpected effects. Inside SVG tags, quotation marks are absolute, and additional tags inside of quotes are ignored. But in regular old HTML, tags are absolute, and quotation marks are mere suggestions. This means that JavaScript can be smuggled inside of an SVG element.

It’s not that easy, as Proton Mail also uses iframe sandboxing and Content Security Policy (CSP). One of the allowed contents, however, is the script-src blob. That’s intended to be used for temporary content that uses a random UUID to refer to it. The key to making use of this is to send two emails to the victim. One email has a JavaScript file as an attachment, which automatically gets converted into a blob, but not executed. That email also has CSS in it that uses the cross-fade() function to leak the temporary name of the blob one byte at a time, by making a series of requests back to a malicious server. Using the leaked name, the attacker sends a second email that executes the blob from the first. If the victim is running Safari, the CSP is written to allow access to the entire page at this point. On other browsers, further user interaction is required, in the form of following a link to open a new tab. The flaw was reported in June, and a fix went live in July. The solution was the simple one: to just turn off SVG support altogether.

We missed this update last week, but the Barracuda saga continues. The latest is this FBI warning (pdf), that as of August 23, fully patched Barracuda ESG appliances were still being compromised. This vulnerability is triggered by these email gateways unpacking a compressed file to scan it for malware, and as such doesn’t require any special configuration or open ports.








