Skip to content ↓ | Skip to navigation ↓

All of us at Tripwire’s Vulnerability Exposure and Research Team (VERT) are constantly looking out for interesting stories and developments in the infosec world. Here’s what cybersecurity news stood out to us during the week of May 30, 2022. I’ve also included some comments on these stories.

Vendor Refuses to Remove Backdoor Account That Can Facilitate Attacks on Industrial Firms

Korenix JetPort industrial serial device servers have a backdoor account that could be abused by malicious hackers, Security Week reports.  Although this backdoor access could be exploited in attacks aimed at industrial organizations, the vendor says the account is needed for customer support.

ANDREW SWOBODA | Senior Security Researcher at Tripwire

Korenix JetPort product contains a backdoor account and was assigned CVE-2020-12501. This backdoor account was found back in 2020, but due to the disclosure process it was only made available recently. Unfortunately, it looks like the backdoor account passwords cannot be changed by a user.
The vendor claims that the account is needed for customer support and that the password “cannot be cracked in a reasonable amount of time.” However, it looks like the password was cracked and was posted to Packet Storm. According to the details posted on Packet Storm, there were three users with the following passwords: admin:admin, root:ilovekor, and kn001277:vup2u04.


Tim Horton’s App Tracked Movement In Violation Of Privacy Laws

Canadian coffee chain Tim Hortons’ mobile app regularly tracked and recorded the locations of its users even when their app was not open, reports Reuters. This is in direct violation of national privacy laws, Canada’s privacy regulator said on Wednesday in a report concluding a two-year-old investigation.

ANDREW SWOBODA | Senior Security Researcher at Tripwire

The privacy regulator conducted an investigation two years ago to determine how Tim Horton’s mobile application tracked users. The application was found to have tracked users even when the application was not open. The application has since been updated to remove the geolocation technology. Tim Hortons also claimed that the location data was never used for personalized marketing.

This just demonstrates the need to review the permissions that an application requires before installing applications on a mobile device.


New Windows Search zero-day added to Microsoft protocol nightmare

A new Windows Search zero-day vulnerability can be used to automatically open a search window containing remotely-hosted malware executables simply by launching a Word document, notes Bleeping Computer. The security issue can be leveraged because Windows supports a URI protocol handler called ‘search-ms’ that allows applications and HTML links to launch customized searches on a device.

ANDREW SWOBODA | Senior Security Researcher at Tripwire

Windows Search is subject to a zero-day that allows a search window to open containing remotely-hosted malware executables. To leverage this vulnerability an attacker needs to use the URI protocol and use the “search-ms” handler. This allows an attacker to search remote hosts and use a custom title in the search window.

“search-ms:query=proc&crumb=location:%5C%5Clive.sysinternals.com&displayname=Searching%20Sysinternals”

is an example from the article on how to mount live.sysinternals.com and search this remote share. The crumb variable allows you to set the location to search and the display name variable allows you to set the title for the search. To mitigate this vulnerability, it is possible to delete the search-ms protocol handler from Windows Registry. It should be noted that when modifying the registry, a back-up is made so that it can be restored if a mistake is made. Deleting “HKEY_CLASSES_ROOT\search-ms” removes the protocol handler.


Alert! Unpatched critical Atlassian Confluence Zero-Day RCE flaw actively exploited

Atlassian warned of an actively exploited critical unpatched remote code execution flaw (CVE-2022-26134) in Confluence Server and Data Center products. This vuln is being actively exploited in attacks in the wild, Security Affairs reports.

ANDREW SWOBODA | Senior Security Researcher at Tripwire

Atlassian Confluence and Data Center is subject to a code execution vulnerability. This vulnerability has been actively being exploited. The details about this vulnerability are being withheld until a patch has been released to fix this issue. A fix is estimated to be released by end of day June 3, 2022. To potentially reduce exposure, it is recommended that internet access is disabled for affected versions of Confluence and Data Center.

Keep in Touch with Tripwire VERT

Want more insights from Tripwire VERT before our next cybersecurity news roundup comes out? Subscribe to our newsletter here.

Previous VERT Cybersecurity News Roundups