Tuesday, June 02, 2020

6/2/2020 - An Apple Zero Day and Hidden Nazi Gold

CNN - Carole Baskin awarded the zoo once owned by 'Tiger King' Joe Exotic

An Oklahoma judge ruled in favor of Baskin's Big Cat Rescue Corporation Monday in its lawsuit against the Greater Wynnewood Development Group, LLC, (GWDC). The latter company once was owned by Exotic, whose real name is Joseph Allen Maldonado-Passage.
The order gives Baskin control of about 16 acres of land in Garvin County, Oklahoma, that is home to an animal park with an array of big cats.

“The attempt to attack Israel was coordinated and organized with the aim of crippling our humanitarian water system. This is not critical state infrastructure, and we were able to prevent the attack, but had it been successful, we would have found ourselves—in the midst of the coronavirus crisis—dealing with some damage to the civilian population and even temporary water shortages, or the introduction of chlorine or other chemicals in the wrong doses that could have ended with a disaster,” he said.

Citadelo discovered a vulnerability that could allow an attacker to gain access to sensitive data and take over control of private clouds within an entire infrastructure. The vulnerability would enable a user to gain control over all customers within the cloud. It also grants access to an attacker to modify the login section of the entire infrastructure to capture the username and password of another customer.

...

An authenticated actor can send malicious traffic to VMware Cloud Director using the web-based interface or API calls. Cloud providers offering a free trial to potential new customers using VMware Cloud Director are at high risk because an untrusted actor can quickly take advantage.

Many organizations grant more trust to users on the intranet versus users on the internet. Employees working from home – while unknowingly browsing potentially malicious websites and clicking on doctored COVID-19 maps that download malware – are using company laptops and VPNs to connect to the corporate network and from there are granted a much wider degree of latitude in terms of access to different resources.

Once a user’s credentials are compromised, this implicit trust associated with a user’s locality of access from the intranet can be taken advantage of to spread malware laterally within the organization. It’s clear, therefore, that it’s no longer possible to tackle security with an internet-versus-intranet approach, where assets within the network perimeter are considered safe.

A good way to navigate this minefield and secure an organization is to assume that everything is suspect and adopt a zero trust approach. Zero trust aims to eliminate implicit trust associated with the locality of user access, for example users on the Intranet versus the Internet, and moves the focus of security to applications, devices, and users.

This bug, tracked as CVE-2020-10136, can be used to trigger a denial of service on affected Nexus switches or, more worryingly, route traffic from an attacker's machine to a target's internal network after bypassing input Access Control Lists (ACLs) for filtering incoming internet traffic. 

Several of Cisco's widely used Nexus switches harbor a flaw that causes the device to "unexpectedly decapsulate and process IP in IP packets that are destined to a locally configured IP address, even when no tunnel configuration is present".

The diary was written by a S.S. officer under the pseudonym "Michaelis," Polish news site The First News (TFN) reported. It contained the plans of Heinrich Himmler, who wanted to hide the priceless works of art, artifacts and other riches the Nazis stole during the war. The diary is said to contain a map that shows 11 sites where the Nazis hid the riches, including a 16th-century castle near Roztoka, Poland.

What if I say, your Email ID is all I need to take over your account on your favorite website or an app? Sounds scary, right? This is what a bug in Sign in with Apple allowed me to do.

In the month of April, I found a zero-day in Sign in with Apple that affected third-party applications which were using it and didn’t implement their own additional security measures. This bug could have resulted in a full account takeover of user accounts on that third party application irrespective of a victim having a valid Apple ID or not.
