
Infosec In Brief A pair of Congressional Democrats have demanded a review of the Common Vulnerabilities and Exposures (CVE) program amid uncertainties about continued US government funding for the scheme.

In a letter [PDF] to the Comptroller General of the US, ranking House Homeland Security Committee member Bennie Thompson (D-MS) and ranking House Science, Space, and Technology Committee member Zoe Lofgren (D-CA) asked the Government Accountability Office (GAO) to investigate management of the program.

Federal funding for the CVE program was set to expire in April and, while the Cybersecurity and Infrastructure Security Agency found funds to keep it running for another eleven months, the lawmakers worry that the flow of vulnerability data that government and businesses rely on could still cease.

Thompson and Lofgren said they want “the efficiency and effectiveness” of government programs designed to support NVD and CVE assessed.

“These programs underpin how organizations across the world mitigate vulnerabilities that could otherwise be exploited by malicious actors and carry out their broader cybersecurity programs,” the pair’s letter to Comptroller General Eugene Dodaro said. “Cybersecurity remains one of the greatest challenges facing our nation.”

The pair of Democrats asked the GAO to examine programs at the National Institute of Standards and Technology that support vulnerability management data programs like the National Vulnerability Database, the CVE program itself, and the role of the Department of Homeland Security (CISA’s parent agency) supporting CVE. The letter also asked the GAO to assess the extent to which public and private sector entities rely on NVD and CVEs.

The second Trump administration has proposed substantial cuts to CISA’s budget, and there have been layoffs and top-level attrition at the agency.

Several senior leaders have left the agency in recent months.

CISA now faces a smaller cut for the 2026 fiscal year, after House Republicans signed off on a $135 million reduction, well below the administration's initial proposal to slice $495 million.

Democrats have said that’s still too large a cut for such an important agency.

Critical vulnerabilities of the week: Roundcube XSS alert

We’ve found just one fresh critical-rated flaw The Register hasn’t already covered in recent days.

It’s a cross-site scripting vulnerability in the open-source webmail platform Roundcube that abuses a desanitization issue in the message body of emails. A remote attacker can steal and send emails from a victim’s account with a specially crafted message, and the flaw is already being exploited in the wild.

This one’s called CVE-2024-42009 and has a CVSS score of 9.3. It affects Roundcube versions up to and including 1.5.7, and 1.6.x up to and including 1.6.7; the fixes shipped in 1.5.8 and 1.6.8.

How to prevent nefarious hijacking of your Discord invite links

Scammers are abusing a flaw in popular chat app Discord to hijack links and send victims to sites that can install remote access trojans and crypto-stealing malware.

Check Point Research on Thursday published findings of an investigation into the links Discord generates when its users invite others to join a server. Temporary invite links are supposed to stop working after a set period.

Check Point found that once such a link expires, or is deleted, its code is released and can be claimed again by a different server, so anyone still holding the old link can be sent wherever the new owner chooses.

That means anyone with a premium Discord subscription can reuse an expired invite code on their own server – and point it at something other than the intended Discord group.

Check Point has observed cybercriminals doing just that.

Check Point said the safest way for Discord admins to avoid leading their own users to scammers is to use an invite link set to never expire: the code is never released for someone else to claim, so stealing it is practically impossible.
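A check that follows from Check Point's finding: every invite link you have ever published is a liability if its code has since been released, so audit them. The block below is an added example, not Check Point's or Discord's code. It assumes Discord's public endpoint GET /api/v10/invites/{code} answers a live invite with JSON that carries guild.id and an unknown or expired invite with HTTP 404 (field names taken from Discord's API documentation; verify them before relying on the live lookup). The sample page and API responses are constructed.

```javascript
// Added example, not Check Point's or Discord's code: audit the invite links
// you have published and flag any that no longer resolve to your own server.
// Assumption: GET https://discord.com/api/v10/invites/{code} returns JSON with
// guild.id for a live invite and HTTP 404 for an unknown/expired one.

const INVITE_RE =
  /(?:https?:\/\/)?(?:www\.)?(?:discord\.gg|discord(?:app)?\.com\/invite)\/([A-Za-z0-9-]+)/g;

// Pull every distinct invite code out of free text (a README, wiki page, pinned post).
function extractInviteCodes(text) {
  return [...new Set([...text.matchAll(INVITE_RE)].map((m) => m[1]))];
}

// Classify one code from the API response for it; null stands for HTTP 404.
function classifyInvite(expectedGuildId, response) {
  if (response === null) return 'dead'; // expired or deleted: the code is free to be re-registered
  const guildId = response.guild && response.guild.id;
  return guildId === expectedGuildId ? 'ok' : 'hijacked'; // still resolves, but to another server
}

// Audit every invite found in `text` against pre-fetched responses keyed by code.
function auditInvites(text, expectedGuildId, responses) {
  const report = {};
  for (const code of extractInviteCodes(text)) {
    const response = Object.prototype.hasOwnProperty.call(responses, code) ? responses[code] : null;
    report[code] = classifyInvite(expectedGuildId, response);
  }
  return report;
}

// Live lookup for real use (Node 18+ ships fetch); the offline demo below never calls it.
async function fetchInvite(code) {
  const url = `https://discord.com/api/v10/invites/${encodeURIComponent(code)}?with_expiration=true`;
  const res = await fetch(url);
  if (res.status === 404) return null;
  if (!res.ok) throw new Error(`invite lookup failed: HTTP ${res.status}`);
  return res.json();
}

// Constructed sample: a community page that once listed three invites for guild
// 123456789012345678, and the responses the API would return for them today.
const OUR_GUILD = '123456789012345678';
const SAMPLE_PAGE = `
Join us: https://discord.gg/abcDEF12 (permanent link)
Old announcement: https://discord.com/invite/oldlink
Vanity: discord.gg/our-vanity
`;
const SAMPLE_RESPONSES = {
  abcDEF12: { code: 'abcDEF12', guild: { id: OUR_GUILD, name: 'Our Community' }, expires_at: null },
  // oldlink: HTTP 404 -> the temporary invite expired and its code is up for grabs
  'our-vanity': { code: 'our-vanity', guild: { id: '999999999999999999', name: 'Totally Legit Support' } },
};

function demo() {
  return auditInvites(SAMPLE_PAGE, OUR_GUILD, SAMPLE_RESPONSES);
}

console.log(demo());
```

A 'dead' result is the dangerous one even though nothing is pointing anywhere yet: the code is available for someone else to register, so the published link should be replaced with a permanent invite and the old text edited. 'hijacked' means the replacement has already happened.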

Mortgage customers informed of data breach eight months after the fact

Virginia-based McLean Mortgage Company has just told over 30,000 of its customers that someone stole their data – in October 2024.

McLean began sending letters to affected customers this week informing them of the breach.

The letters explain that the company learned of the breach at the time, but decided not to inform customers until it had completed a review of the incident.

That happened in mid-May.

A sample breach notification letter doesn’t mention how the attack happened, only mentioning “an unauthorized actor gained access” to the company’s network and “may have downloaded certain files.”

The mortgage company said it later determined that stolen data may include full names, Social Security numbers, driver’s license numbers, and financial account information. McLean’s lawyers said the company “worked diligently to effectuate notification to potentially affected individuals” – a statement that’s at odds with the eight-month wait for disclosure.

McLean has offered credit-monitoring services to victims.

Popular pentesting tool breaks bad

Researchers at Proofpoint have spotted miscreants using the TeamFiltration pentesting tool to break into Entra ID (formerly Azure Active Directory) accounts.

Proofpoint has observed attacks on around 80,000 accounts across hundreds of organizations and thinks some succeeded.

The unknown attackers behind the campaign, which Proofpoint has dubbed “UNK_SneakyStrike”, use TeamFiltration to launch user-enumeration and password-spraying attempts that leverage the Microsoft Teams API and infrastructure hosted on AWS.
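Whatever tool drives it, a password spray leaves a recognisable shape in Entra ID sign-in logs: one source touching many accounts with only a try or two each, sometimes with a stray success or MFA prompt where a guess landed. The block below is an added example, not Proofpoint's detection logic or anything from TeamFiltration. It assumes the Entra sign-in log field names (status.errorCode flattened to errorCode here) and Microsoft's published error-code meanings; the thresholds and the sample events are constructed.

```javascript
// Added example, not Proofpoint's code: flag password spraying in Entra ID
// sign-in events. Assumes Entra's sign-in log fields (status.errorCode
// flattened to errorCode) and Microsoft's documented error-code meanings.
// Thresholds are illustrative assumptions; tune them to your tenant.

const SPRAY_FAIL_CODES = new Set([50126, 50034, 50053]); // bad password, unknown user, locked out
const HIT_CODES = new Set([0, 50074, 50076]);            // success, or MFA challenged: password was right

// Summarise one source IP's events: spray signature = many distinct users, few tries each.
function summarise(events) {
  const failedUsers = new Set();
  const hitUsers = new Set();
  let failures = 0;
  let unknownUsers = 0;
  for (const ev of events) {
    if (SPRAY_FAIL_CODES.has(ev.errorCode)) {
      failures += 1;
      failedUsers.add(ev.userPrincipalName);
      if (ev.errorCode === 50034) unknownUsers += 1; // enumeration noise: names that do not exist
    } else if (HIT_CODES.has(ev.errorCode)) {
      hitUsers.add(ev.userPrincipalName);
    }
  }
  return { failures, distinctFailedUsers: failedUsers.size, unknownUsers, hitUsers: [...hitUsers].sort() };
}

// Slide a time window over each IP's events; report IPs whose busiest window touches
// at least minDistinctUsers accounts with at most maxAttemptsPerUser failures each.
function detectSpray(events, { minDistinctUsers = 10, maxAttemptsPerUser = 2, windowMs = 60 * 60 * 1000 } = {}) {
  const byIp = new Map();
  for (const ev of events) {
    if (!byIp.has(ev.ipAddress)) byIp.set(ev.ipAddress, []);
    byIp.get(ev.ipAddress).push(ev);
  }
  const findings = [];
  for (const [ip, evs] of byIp) {
    evs.sort((a, b) => Date.parse(a.createdDateTime) - Date.parse(b.createdDateTime));
    let best = null;
    let start = 0;
    for (let end = 0; end < evs.length; end++) {
      const tEnd = Date.parse(evs[end].createdDateTime);
      while (Date.parse(evs[start].createdDateTime) < tEnd - windowMs) start += 1;
      const stats = summarise(evs.slice(start, end + 1));
      if (best === null || stats.distinctFailedUsers > best.distinctFailedUsers) best = stats;
    }
    const attemptsPerUser = best.failures / Math.max(1, best.distinctFailedUsers);
    if (best.distinctFailedUsers >= minDistinctUsers && attemptsPerUser <= maxAttemptsPerUser) {
      findings.push({
        ip,
        distinctFailedUsers: best.distinctFailedUsers,
        failures: best.failures,
        unknownUsers: best.unknownUsers,
        hitUsers: summarise(evs).hitUsers, // accounts this IP got past the password on: triage first
      });
    }
  }
  return findings;
}

// Constructed sample log (no real data): one spraying IP trying 12 accounts once each
// over 18 minutes, then an MFA prompt for a 13th, plus an admin fat-fingering their
// own password six times from a second IP.
function buildSampleEvents() {
  const events = [];
  let t = Date.parse('2025-06-12T09:00:00Z');
  const push = (userPrincipalName, ipAddress, errorCode) => {
    events.push({ createdDateTime: new Date(t).toISOString(), userPrincipalName, ipAddress, errorCode });
    t += 90 * 1000;
  };
  for (let i = 1; i <= 12; i++) push(`user${i}@example.com`, '203.0.113.7', i % 4 === 0 ? 50034 : 50126);
  push('user13@example.com', '203.0.113.7', 50076);
  for (let i = 0; i < 6; i++) push('admin@example.com', '198.51.100.5', 50126);
  return events;
}

console.log(detectSpray(buildSampleEvents()));
```

The admin's six failures from one IP do not trip the detector because the per-user ratio is what separates a spray from a forgotten password; the spraying IP does, and the MFA-challenged account it reached is the one to reset first. Attackers that rotate source addresses (the campaign above used AWS infrastructure) will spread these counts across IPs, so the same logic is worth re-running keyed on user agent or on a /24 rather than a single address.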

Most targets were in the US, but the threat actors also went after orgs in Ireland and the UK.

While TeamFiltration has been available to pen-testers since 2021, Proofpoint said it had not seen threat actors use the tool maliciously until the UNK_SneakyStrike campaign began.

Proofpoint predicts more such attacks as threat actors “increasingly adopt advanced intrusion tools and platforms … as they pivot away from less effective intrusion methods.”

Oh, []()+! – hundreds of thousands of websites can JSF*ck you

Website injection is nothing new, but using a cheekily-named JavaScript obfuscation to hide malicious code in legitimate websites is, according to Palo Alto Networks.

The security vendor’s threat researchers have discovered a campaign that’s injected malicious code in at least 269,552 webpages.

The code is hard to spot because whoever wrote it obfuscated their work into just six characters – []()+! – using a method known as JSF*ck.

“This is unexpected compared to examples of malicious injected JavaScript code we normally find, as there is no single variable or function name that seems to be executed at first glance,” PAN said of the campaign. “During our analysis, we found thousands of websites with this type of obfuscated JavaScript injected into their webpages.”

Coders can obfuscate any JavaScript code with this technique, the report found, thanks to JavaScript’s implicit type coercion: expressions such as +[] evaluate to the number 0 and ![]+[] to the string "false", so every character a program needs can be assembled from those six symbols alone.
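To see why six characters are enough, and to get something a scanner can key on, here is an added example; it is not Palo Alto Networks' code and not the injected script from the campaign. The constants show the coercion steps the engine performs, the hand-built expression spells a word from them, and the scanner reports long runs of those characters in page source. The sample HTML and the run-length threshold are constructed assumptions.

```javascript
// Added example, not Palo Alto Networks' code: how JSFuck-style obfuscation
// builds JavaScript from the six characters []()+! via implicit type coercion,
// plus a static scanner that flags long runs of those characters.

// Building blocks, evaluated by the engine itself:
const ZERO = +[];             // [] -> "" -> 0
const ONE = +!+[];            // !0 -> true -> 1
const TWO = !+[] + !+[];      // true + true -> 2
const FALSE_STR = ![] + [];   // false + "" -> "false"
const TRUE_STR = !![] + [];   // true + "" -> "true"
const UNDEF_STR = [][[]] + []; // undefined + "" -> "undefined"

// A hand-built expression that evaluates to the string "alert":
// "false"[1] + "false"[2] + "false"[4] + "true"[1] + "true"[0]
const ALERT_EXPR =
  '(![]+[])[+!+[]]' +                // a
  '+(![]+[])[!+[]+!+[]]' +           // l
  '+(![]+[])[!+[]+!+[]+!+[]+!+[]]' + // e
  '+(!![]+[])[+!+[]]' +              // r
  '+(!![]+[])[+[]]';                 // t

// Evaluate a pure-coercion expression you have inspected. Never feed a real
// payload here: one typically ends in ["constructor"](code)() and would run code.
function evaluateExpression(expr) {
  return Function('"use strict"; return (' + expr + ');')();
}

// Static scanner: report runs of JSFuck characters of at least minRun length
// (assumed threshold; ordinary code rarely strings 40 of these together).
function findJSFuckRuns(source, minRun = 40) {
  const re = new RegExp(`[\\[\\]()+!]{${minRun},}`, 'g');
  return [...source.matchAll(re)].map((m) => ({
    offset: m.index,
    length: m[0].length,
    sample: m[0].slice(0, 24) + '...',
  }));
}

// Constructed page: one injected script made only of the six characters, next to
// a normal script that uses the same characters in the usual sparse way.
const SAMPLE_HTML = `<html><head><script src="/static/app.js"></script></head>
<body><script>${ALERT_EXPR}</script>
<script>if (x[0] + y[1] && !z()) { run(); }</script></body></html>`;

console.log(evaluateExpression(ALERT_EXPR));
console.log(findJSFuckRuns(SAMPLE_HTML));
```

The scanner is a triage aid rather than a verdict: a run of those characters tells you a script deserves a look, and the safe way to look is to decode offline, not to execute it in a browser profile you care about.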

Defenses against standard website injections should work against this attack, but may require a little more effort because the malicious code is so well hidden. ®