Search This Blog

Showing posts with label Application Security. Show all posts

Google Ads Exploited to Tempt Corporate Employees Into Installing LOBSHOT Backdoor


As part of a sophisticated scheme to trick corporate employees into installing malware, a newly uncovered backdoor and credential-stealer is disguising itself as a genuine software download. 

Elastic Software researchers spotted the malware, known as LOBSHOT, spreading through deceptive Google Ads for well-known remote-workforce applications like AnyDesk, they reported in a recent blog post. 

"Attackers promoted their malware using an elaborate scheme of fake websites through Google Ads and embedding backdoors in what appears to users as legitimate installers," researcher Daniel Stepanic wrote in the post. 

Additionally, LOBSHOT, a backdoor that appears to be financially motivated and steals victims' banking, cryptocurrency, and other credentials and data, appears to be the work of threat group TA505, which is known for disseminating the Clop ransomware, according to the researchers.

The DLL from download-cdn[.]com, a domain historically connected to the threat group known for its involvement in the Dridex, Locky, and Necurs operations, was run by the bogus download site used to disseminate LOBSHOT, according to the claim.

The researchers "assess with moderate confidence" that LOBSHOT is a new malware capability utilised by the gang based on this other infrastructure connected to TA505 that is used in the campaign. 

In addition, fresh samples associated with this family are being discovered by researchers every week, and they "expect it to be around for some time," he added. 

Utilising nefarious ads by Google 

Potential victims are exposed to LOBSHOT by clicking on Google Ads for what appear to be real workforce software, such AnyDesk, similar to similar threat campaigns seen earlier in the year. Similar tactics were used in January to propagate the malware-as-a-service Rhadamanthys Stealer using website redirects from Google Ads that also masqueraded as download pages for well-known remote-workforce applications like AnyDesk and Zoom.

According to Elastic Search, the campaigns are in fact connected to "a large spike" in the usage of malvertising that security researchers have been noticing since earlier this year. 

"Similar infection chains were observed in the security community with commonalities of users searching for legitimate software downloads that ended up getting served illegitimate software from promoted ads from Google," Stepanic further wrote. 

This behaviour indicates a pattern of persistent rival abuse and expansion of their influence "through malvertising such as Google Ads by impersonating legitimate software," he said. 

Stepanic recognised that while these malware kinds may appear to be minor and have a narrow scope, they actually pack a powerful punch thanks to their "fully interactive remote control capabilities" that enable threat actors to acquire initial access to corporate networks and carry out subsequent destructive activities. 

Infection chain 

When a person conducts a web search for a trustworthy piece of software, Google Ads returns a boosted result that is actually a malicious website. This is when the LOBSHOT infection chain starts. 

"In one observed instance, the malicious ad was for a legitimate remote desktop solution, AnyDesk," the researcher explained. "Careful examination of the URL goes to https://www.amydecke[.]website instead of the legitimate AnyDesk URL, https://www.anydesk[.]com." 

The consumer visits a landing page for the software they were hoping to download after clicking on that advertisement, which appears to be legitimate. 

The researchers claimed that it is actually an MSI installer that the user's PC executes after downloading. Stepanic stated that the landing pages had "very convincing branding that matched the legitimate software and had Download Now buttons that pointed to an MSI installer."

Elastic Software claims that when MSI is executed, a PowerShell is launched that downloads LOBSHOT through rundll32 and starts a connection with the attacker-owned command-and-control server. 

Exploitation and mitigation 

Attackers employ LOBSHOT's hVNC (Hidden Virtual Network Computing) component, a module that permits "direct and unobserved access to the machine," as one of its key features, to get access to targets. 

The hVNC (Hidden Virtual Network Computing) component of LOBSHOT is one of its key features. This module enables "direct and unobserved access to the machine," and is utilised by attackers to avoid detection, according to Stepanic. He added, "this feature is frequently baked into many popular families as plugins and continues to be successful in evading fraud-detection systems." 

According to the researchers, LOBSHOT, like the majority of malware currently in use, uses dynamic import resolution to get around protection software and delay the early discovery of its capabilities.

"This process involves resolving the names of the Windows APIs that the malware needs at runtime as opposed to placing the imports into the program ahead of time," Stepanic added. 

Researchers have provided links to several Elastic Search GitHub sites that illustrate preventative measures to fend off malware like LOBSHOT connected to its numerous activities, including Suspicious Windows Explorer Execution, Suspicious Parent-Child Relationship, and Windows.Trojan.Lobshot. 

The post also provides guidelines that businesses can use to build EQL searches to look for behaviours that are suspiciously similar to the ones that the researchers saw LOBSHOT execute in connection to grandparent, parent, and kid relationships.

Unpatched ICS Flaws in Critical Infrastructure: CISA Issues Alert


This week, the US Cybersecurity and Infrastructure Security Agency (CISA) released recommendations for a total of 49 vulnerabilities in eight industrial control systems (ICS) utilised by businesses in various critical infrastructure sectors. Several of these vulnerabilities are still unpatched. 

Organizations in the critical infrastructure sectors must increasingly take cybersecurity into account. Environments for ICS and operational technology (OT) are becoming more and more accessible via the Internet and are no longer air-gapped or compartmentalised as they once were. As a result, both ICS and OT networks have grown in popularity as targets for both nation-state players and threat actors driven by financial gain.

That's bad because many of the flaws in the CISA advisory can be remotely exploited, only require a simple assault to succeed, and provide attackers access to target systems so they may manipulate settings, elevate privileges, get around security measures, steal data, and crash systems. Products from Siemens, Rockwell Automation, Hitachi, Delta Electronics, Keysight, and VISAM all have high-severity vulnerabilities. 

The CISA recommendation was released at the same time as a study from the European Union on threats to the transportation industry, which included a similar warning about the possibility of ransomware attacks on OT systems used by organisations that handle air, sea, rail, and land transportation. Organizations in the transportation industry are also affected by at least some of the susceptible systems listed in CISA's alert. 

Critical vulnerabilities

Siemens' RUGGEDCOM APE1808 technology contains seven of the 49 vulnerabilities listed in CISA's alert and is not currently patched. The flaws give an attacker the ability to crash or increase the level of privileges on a compromised system. The device is presently used by businesses in several critical infrastructure sectors all around the world to host commercial applications. 

The Scalance W-700 devices from Siemens have seventeen more defects in various third-party parts. The product is used by businesses in the chemical, energy, food, agricultural, and manufacturing sectors as well as other critical infrastructure sectors. In order to protect network access to the devices, Siemens has urged organisations using the product to update their software to version 2.0 or later. 

InfraSuite Device Master, a solution used by businesses in the energy sector to keep tabs on the health of crucial systems, is impacted by thirteen of the recently discovered vulnerabilities. Attackers can utilise the flaws to start a denial-of-service attack or to obtain private information that could be used in another attack. 

Other vendors in the CISA advisory that have several defects in their products include Visam, whose Vbase Automation technology had seven flaws, and Rockwell Automaton, whose ThinManager product was employed in the crucial manufacturing industry and had three flaws. For communications and government businesses, Keysight had one vulnerability in its Keysight N6845A Geolocation Server, while Hitachi updated details on a previously known vulnerability in its Energy GMS600, PWC600, and Relion products. 

For the second time in recent weeks, CISA has issued a warning to firms in the critical infrastructure sectors regarding severe flaws in the systems such organisations employ in their operational and industrial technology settings. Similar warnings on flaws in equipment from 12 ICS suppliers, including Siemens, Hitachi, Johnson Controls, Panasonic, and Sewio, were released by the FCC in January. 

Many of the defects in the previous warning, like the current collection of flaws, allowed threat actors to compromise systems, increase their privileges, and wreak other havoc in ICS and OT contexts. 

OT systems under attack

A report this week on cyberthreats to the transportation industry from the European Union Agency for Cybersecurity (ENISA) issued a warning about potential ransomware attacks against OT systems. The report's analysis of 98 publicly reported incidents in the EU transportation sector between January 2021 and October 2022 was the basis for the report. 

According to the data, 47% of the attacks were carried out by cybercriminals who were motivated by money. The majority of these attacks (38%) involved ransomware. Operational disruptions, spying, and ideological assaults by hacktivist groups were a few more frequent reasons. 

Even while these attacks occasionally caused collateral damage to OT systems, ENISA's experts did not discover any proof of targeted attacks on them in the 98 events it examined. 

"The only cases where OT systems and networks were affected were either when entire networks were affected or when safety-critical IT systems were unavailable," the ENISA report stated. However, the agency expects that to change. "Ransomware groups will likely target and disrupt OT operations in the foreseeable future."

The research from the European cybersecurity agency cited an earlier ENISA investigation that warned of ransomware attackers and other new threat groups tracked as Kostovite, Petrovite, and Erythrite that target ICS and OT systems and networks. The report also emphasised the ongoing development of malware designed specifically for industrial control systems, such as Industroyer, BlackEnergy, CrashOverride, and InController, as indicators of increasing attacker interest in ICS environments. 

"In general, adversaries are willing to dedicate time and resources in compromising their targets to harvest information on the OT networks for future purposes," the ENISA report further reads. "Currently, most adversaries in this space prioritize pre-positioning and information gathering over disruption as strategic objectives."

Enterprise Attack Surface Widening Access Control Gap in Microsoft Active Directory


Users in Windows environments may be able to access domains other than those for which they are authenticated due to a security flaw in Microsoft's Active Directory (AD) service that IT administrators may not be aware of. 

The majority of Windows domain-type networks come pre-configured with AD, Microsoft's all-purpose identity management tool for authenticating computers, printers, users, and virtually anything else taking part in an IT environment. According to Frost & Sullivan, tens of thousands of businesses use the service, including 90% of the Global Fortune 1000 corporations.

By using AD to manage authentication across a domain, network administrators may ensure that only authorised users can access the resources that have been assigned to them. 

Nevertheless, Charlie Clark, a security researcher at Semperis, described how a user might circumvent AD's security measures and access domains for which they were not specifically given permission in a study released on March 14. He says that by doing so, an attacker's "attack surface" is greatly enlarged. Obviously, the larger the attack surface, the more likely it is that an attacker will discover an exploitable bug. 

The transitive property of mathematics states that if a = b and b = c, then a = c. In AD, if domain A connects to domain B and domain B links to domain C, domains A and C may or may not be able to access one another depending on whether they share a "transitive trust." According to Microsoft's website, "transitivity controls whether a trust can be extended outside of the two domains with which it was built." 

An external trust—a manually created, nontransitive form of trust in AD—could exist between two domains belonging to two different organisations. The problem, according to Clark, is that one firm can utilise external trust to access sister domains that are part of the same group (referred to by Microsoft as a "forest") as the second, even if no formal external trust has been established for those domains. 

"An authorised user from one domain would only be able to target the precise domain they've established a trust with," as per Clark, assuming what we believed about non-transitive trusts were accurate. They wouldn't be able to go to other domains outside of the forest." 

As opposed to this, "every account within the trusted domain will be able to authenticate against any domain throughout the whole forest in which the trusting domain resides," he stated in his research. 

A malicious user who learns how to move about a forest at will can gain access to things like accounts and data that they shouldn't be able to find.

Clark claims that because it is so simple to take control of one domain inside a forest, it "allows an attacker to have a significantly bigger attack surface from any low-privileged user on a trusted domain." 

On May 4, 2022, Clark informed Microsoft of his initial findings. In an email on September 29, Microsoft stated that "According to our assessment, this submission does not constitute a security issue for servicing. This research doesn't seem to point out any flaws in Microsoft products or services that could allow an attacker to compromise their integrity, accessibility, or confidentiality." The business then concluded the investigation. 

Trust: Why it matters 

Clark spent more than 15 years working as a systems administrator and six years as a pen tester. Every medium-sized to major infrastructure or business I've worked with has had external trusts, he asserts. He claims that if extra safeguards aren't in place, the majority of AD's clients are most likely at risk right now. 

Clark advises administrators to delete all external trusts in order to safeguard against this type of access control misuse in addition to Microsoft's suggestions. The next best thing is to keep track of which users are accessing what if this is not achievable. 

Awareness is ultimately the most crucial factor. A false sense of security could otherwise cause administrators to make mistakes. People can tell that the risk is larger for a trustworthy domain. So they might put more security in place for that domain, Clark says, but they might not put the same level of security in place for the other domains in the forest even though the risk is identical. 

"I think the main thing is to make system admins aware that this is possible," Clark concluded. By knowing this, "they can harden the rest of the domain sufficiently."

Dangers of Adopting Unsanctioned SaaS Applications


A sleek little app-store sidebar was silently introduced to the right side of your session screen by the most recent programme update, as you might have seen on your most recent Zoom calls. With the touch of a button and without even pausing their Zoom session, this feature enables any business user inside your company to connect the software-as-a-service (SaaS) apps displayed in the sidebar.

The fact that anyone within an organisation can deploy, administer, and manage SaaS applications emphasises both one of the major strengths and security threats associated with SaaS. Although this technique could be quick and simple for business enablement, it also intentionally avoids any internal security review procedures. 

As a result, your security team is unable to identify which applications are being adopted and used, as well as whether or not they may be vulnerable to security threats, whether or not they are being used securely, or how to put security barriers in place to prevent unauthorised access to them. Zero-trust security principles become nearly hard to enforce. 

Joint Obligation 

Companies need to understand that they are continually being urged by vendors to install additional apps and adopt new features before they reprimand their staff for recklessly utilising SaaS applications. Indeed, the applications themselves frequently meet crucial business demands, and sure, employees naturally want to use them right away without waiting for a drawn-out security evaluation. But, whether they are aware of it or not, they are acting in this way because shrewd application providers are actively marketing to them and frequently tricking users into thinking they are adhering to security best practices. Users are not always reading the consent text displayed on the consent screens that are intended to give users pause during installation and nudge them to read about their rights and obligations. 

Always be cautious

In other circumstances, security is frequently presumed. Consider well-known brands' application markets. Vendors do not have the motivation, financial interest, or capacity to assess the security posture of every third-party application sold on their marketplaces. Yet, in order to promote the business, they may mislead users into believing that anything sold there retains the same level of protection as the marketplace vendor, frequently by omission. Similarly, market descriptions may be worded in such a way as to imply that their application was developed in partnership with or approved by a significant, secure brand.

The use of application marketplaces results in third-party integrations that pose the same vulnerabilities as those that led to numerous recent assaults. During the April 2022 GitHub assault campaign, attackers were able to steal and exploit legitimate Heroku and Travis-CI OAuth tokens issued to well-known suppliers. According to GitHub, the attackers were able to steal data from dozens of GitHub customers and private repositories by using the trust and high access offered to reputable vendors. 

Similarly, CircleCI, a provider focusing in CI/CD and DevOps technologies, reported in December 2022 that some customer data was stolen in a data breach. The investigation was sparked by a hacked GitHub OAuth token. According to the CircleCI team's research, the attackers were able to obtain a valid session token from a CircleCI engineer, allowing them to bypass the two-factor authentication mechanism and gain unauthorised access to production systems. They were able to steal consumer variables, tokens, and keys as a result. 

An Attraction to Frictionless Adoption 

Vendors also design their platforms and incentive plans to make adoption as simple as accepting a free trial, a lifetime free service tier, or swiping a credit card, frequently with alluring discounts to try and buy without commitment. Vendors want users to adopt any exciting, new capability immediately, so they remove all barriers to adoption, including going around ongoing IT and security team reviews. It is hoped that an application will prove to be too well-liked by business users and crucial to corporate operations to be removed, even if security personnel become aware of its use. 

Making adoption too simple, however, can also result in a rise in the number of underutilised, abandoned, and exposed apps. An app can frequently continue to function after it has been rejected during a proof of concept (PoC), abandoned because users have lost interest in it, or the app owner has left the company. This results in an expanded and unprotected attack surface that puts the organisation and its data at greater risk.

While educating business users on SaaS security best practises is important, it's even more crucial to prevent SaaS sprawl by teaching them to think more critically about the seductive promises of quick deployment and financial incentives made by SaaS suppliers.

Additionally, security teams ought to use solutions that can help them manage risks associated with SaaS misconfiguration and SaaS-to-SaaS integrations. These technologies allow customers to continue utilising SaaS applications as required while also conducting security due diligence on new vendors and integrations and setting up crucial security barriers.

FinTech Sector Emerges as a Prominent Target for Cybercriminals

Like every other sector that has evolved, thanks to the innovative digital transformation it has adopted, cybercrime has become a significant challenge in the finances of organizations. As per research by VMware’s Modern Bank Heist, there has been an increase of a whopping 238% in cyberattacks on companies’ financial sectors since the wake of the COVID-19 pandemic. 

A series of cyberattacks witnessed recently on the DeFi platform illustrates how fintech companies have emerged as a prominent target and a big prize to cyber criminals. Particularly when it comes to fintech apps, there is often a huge possibility for profit. Attackers can also do greater damage by going after tech users, who may have adopted comparatively less stringent cybersecurity measures. One malicious software can deprive fintech consumers of their assets and ruin the reputation of the financial organization. 

Considering the seriousness of the constantly evolving threat, fintech companies are now required to reconsider their approach including their identity and access control strategies, in order to ensure sure that their platforms are equally trusted by consumers and businesses. It is crucial to implement the right controls to maintain an organization's security posture as this industry continues to transition to the cloud, but doing so presents a unique set of problems. 

Why Are FinTech Applications Hard to Secure? 

While cloud development has emerged as a breakthrough, garnering the opportunity for new apps to be made possible and existing apps to operate more smoothly than before, it has also rapidly increased the number of potential attack surfaces and created additional opportunities for configuration errors, human mistake, and identity management problems. 

Any form of change makes a company vulnerable at the cloud scale, whether it is upgrading an outdated program to a new and better cloud-based architecture or enhancing current capabilities. Due to the fact that an infrastructure's attack surface now expands and is dynamic in the cloud, this can further increase the explosion radius of a single attack. 

Fintech applications must also adhere to strict regularity standards that differ from country to country and frequently incur heavy fines for noncompliance. 

Since operating in the financial sector requires a greater standard of accountability towards clients and the entire sector, which can be a challenging task, organizations must assure visibility, dependability, and proper configuration as a result of fintech. 

Fintech companies need to maintain a tight grasp on security and privacy from the very beginning of growth, especially as third-party services continue to expand, in order to remain competitive in this extremely crowded market. 

How can FinTech Sector be Secured? 

Since fintech organizations are more dependent on vendors and other partners like manufacturers, suppliers, and subcontractors and an increasingly complex supply chain. This further could be a reason for the system being exposed to potential attackers. 

Companies frequently lack visibility into their third- and fourth-party partners, and consequently, the large amount of data that is available to them. Interoperability is crucial in today's software-centric world, but it frequently makes firms even more vulnerable to attackers. 

Fintech developers are thus advised to continuously be vigilant for potential problems with the software supply chain and the security risks that third-party services may pose to their companies. 

We are listing more measures that could be adopted by fintech organizations to safeguard themselves from potential cyber-attacks that could hinder their security: 

  • Companies must be aware of the entities that have access to their data and applications, along with their location and what they do with it. It will be crucial to integrate identity and access management (IAM) systems as dangers inside fintech continue to develop significantly.
  • An organization must have the appropriate technology and tactics in place to safeguard and comply with industry regulations as well as to consistently protect its sensitive data, especially in the cloud. IAM systems, for instance, offer businesses protection without impeding progress or burdening their teams with the extra workload. 
Unfortunately, the security risks offered by financially motivated cybercriminals will only get more advanced over time. The fintech sector must adopt a proactive security posture and a strong identity and access management strategy that can handle the complexity and scope of today's cloud security concerns in order to meet the pressure to protect sensitive client data.   

Utilizing an Integrated Approach for Application Security

Among every industry and organizations, application security has emerged as a progressively complex and challenging issue. Over the past few years, the rapid innovation in this field has resulted in the increase of attack surfaces, significantly where firms have shifted to modern application stacks on cloud-based security. Attack surfaces have also been expanded by the increased deployment of the Internet of Things (IoT) and connected devices, as well as by new hybrid working patterns. 

The volume and sophistication of cybercrime attacks have sharply increased at the same time, causing concerns inside IT departments. According to the most recent study from Cisco AppDynamics, the shift to a security approach for the full application stack, 78% of technologists believe that their company is susceptible to a multi-stage cybersecurity attack that would target the entire application stack over the course of the following 12 months. Indeed, such an attack might have catastrophic results for brands. 

The major problem for IT teams is the lack of the right level of visibility and insights in order to recognize where new threats are emerging across a complicated topology of applications. More than half of engineers claim that they frequently find themselves operating in "security limbo" since they are unsure of their priorities and areas of concentration. 

IT teams can safeguard the complete stack of modern apps throughout the entire application lifecycle by using an integrated approach to application security. It offers total protection for applications across code, containers, and Kubernetes, from development to production. Moreover, with coupled application and security monitoring, engineers can assess the potential business effect of vulnerabilities and then prioritize their responses instead of being left in the dark. 

Moving to a Security Approach for the Full Application Stack 

In order to improve the organization security, tech experts are recognizing the need for adopting a security strategy for the entire application stack that provides comprehensive protection for their applications from development through to production across code, containers, and Kubernetes. 

Moreover, IT teams are required to integrate their performances and security checks to gain a better understanding of the way security flaws and incidents could impact users and organizations. Tech experts can assess the significance of risks using severity scoring while taking the threat's context into account thanks to business transaction insights. This entails that they can give priority to threats that pose a risk to an application or environment that is crucial for conducting business. 

Due to the complexity and dynamic nature of cloud-native technologies, as well as the quick expansion of attack surfaces, IT teams are increasingly relying on automation and artificial intelligence (AI) to automatically identify and fix problems across the entire technology stack, including cloud-native microservices, Kubernetes containers, multi-cloud environments, or mainframe data centers. 

AI is already being used for continuous detection and prioritization, maximizing speed and uptime while lowering risk by automatically identifying and blocking security exploits without human interaction. Also, more than 75% of technologists think AI will become more crucial in tackling the issues their firm has with speed, size, and application security skills. 

To safeguard modern application stacks, companies must encourage much closer IT team collaboration. With a DevSecOps strategy, security teams analyze and evaluate security risks and priorities during planning phases to establish a solid basis for development. This adds security testing early in the development process. 

IT teams can be far more proactive and strategic in how they manage risk with a comprehensive approach to application security that combines automation, integrated performance, security monitoring, and DevSecOps approaches. A security strategy for the entire application stack can free engineers from their impasse and enable them to create more secure products, prevent expensive downtime, and advance into the next innovation era.  

From BMW to Ferrari, Automotive Industry Flooded with Vulnerabilties

Automakers struggling with vulnerabilities

A range of automakers from Toyota to Acura is affected by vulnerabilities within their vehicles that can let hackers steal personally identifiable information (PII), lock owners out of their vehicles, and even control functions like starting and stopping the vehicle's engine. 

A team of seven security experts said vulnerabilities in the automakers' internal applications and systems gave them a proof-of-concept hack to send commands using only the vehicle identification number (VIN), which can be seen through the windshield outside the vehicle. 

Experts found security loopholes in the automaker industry

The team has found serious security loopholes from automakers like BMW, Ford, Volvo, Ferrari, and various others throughout Europe, the US, and Asia. It has also found problems with suppliers and telematic companies like Spireon, which makes Gps-based vehicle tracking solutions. 

BMW said that IT and data security are the top priorities for the company, and it continuously monitors its system landscapes for potential security threats or vulnerabilities. 

"The relevant addressed vulnerability issues were closed within 24 hours and we have no indication of any data leaks. No vehicle-related IT systems were affected or compromised. No BMW Group customers or employee accounts were compromised," a spokesperson at BMW said. 

This is the most recent security threat that surfaced, in March last year, telemetry from industrial systems security firm Dragons found Emotet command-and-control servers in contact with various automotive manufacturer systems. 

In December, experts found vulnerabilities in three mobile apps that let drivers remotely unlock or start their vehicles. These bugs allowed unauthorized malicious actors to perform the same commands from afar. 

Automakers slow to identify threats

Security vulnerabilities have been a challenge in the automotive industry for a long time, and automakers are not very proactive in identifying the potential severity of the threat developments. 

Experts believe that while automakers are slowly changing into software developers, they find it difficult to address all points of the development cycle- which includes security. 

One very simple notion is if you're not good at software, you're probably not going to be very good at making that software safe. That is guaranteed." "Automakers look at this in a more reactive way than a proactive way, basically saying we'll address the small number of customers affected and solve the issue and then everything goes back to normal," he says. "That's the way of thinking for many carmakers," said Gartner automotive industry analyst Pedro Pacheco.

When automakers make more sophisticated ecosystems that connect customers with app stores and connect them with their smartphones and other connected devices, the stakes also get high. 

"This is the reason why cybersecurity is going to become more and more of a pressing issue," said Pedro. "The more the vehicle takes over driving, then of course the more chances there are that this can be used against the customer and against the automaker. It hasn't happened yet, but it could very well happen in the future."

Patch ASAP: Critical Citrix and VMware Bugs Threaten Takeover of Remote Workspaces

Critical authentication-bypass vulnerabilities in Citrix and VMware offerings are threatening devices running remote workspaces with complete takeover, the vendors warned this week. 

Given both vendors’ history of exploitation, admits are warned of prioritizing patching, alerts both disclosures prompted CISA on Wednesday. 

Citrix Gateway, A Perfect Avenue for Infesting Orgs: 

As for Citrix, a critical vulnerability tracked as CVE-2022-27510 (with a CVSS vulnerability-severity score of 9.8 out of 10) allows unauthorized access to the Citrix Gateway when device is used as SSL VPN solution. Consequently, allowing access to the internal company applications from any device through the Internet, and offering single sign-on across applications and devices. 

This way the vulnerability would give a threat actor means to easily access initial data, then dig deeper into an organization’s cloud footprint and create nuisance across the network. 

In a published advisory, Citrix also noted that its Application Delivery Controller (ADC) product, that provides admin visibility into applications across multiple cloud instances, is vulnerable to remote desktop takeover (CVE-2022-27513, CVSS 8.3), and brute force protection bypass (CVE-2022-27516, CVSS 5.3). 

According to researcher Satnam Narang, Citrix Gateway and ADC have always been a favorite target to cybercriminals, thanks to how many parts of an organization they provide entrée into. Thus, marking the importance of patching. 

"Citrix ADC and Gateways have been routinely targeted by a number of threat actors over the last few years through the exploitation of CVE-2019-19781, a critical path traversal vulnerability that was first disclosed in December 2019 and subsequently exploited beginning in January 2020 after exploit scripts for the flaw became publicly available," Narang wrote in a Wednesday blog. 

"CVE-2019-19781 has been leveraged by state-sponsored threat with ties to China and Iran, as part of ransomware attacks against various entities including the healthcare sector, and was recently included as part of an updated list of the top vulnerabilities exploited by the People’s Republic of China state-sponsored actors from early October," he added. 

Users should be quick in updating to Gateway versions 13.1-33.47, 13.0-88.12, and 12.1-65.21 to patch the latest issues. 

VMware Workspace ONE Assist, a trio of cybercrime threat: 

On the other hand, VMware has reported three authentication-bypass bugs, all in its Workspace ONE Assist for Windows. The bugs (CVE-2022-31685, CVE-2022-31686, and CVE-2022-31687, all with CVSS 9.8) allows both local and remote attackers to gain administrative access privileges without the need to authenticate, giving them full run of targeted devices. 

Workspace ONE Assist is a remote desktop product that is mainly used by tech support to troubleshoot and fix issues relating to IT, for employees from afar. As such, it operates with the highest levels of privilege, potentially giving remote attackers an ideal initial access target and pivot point to other corporate resources. 

Moreover, VMware revealed two additional vulnerabilities in Workspace ONE Assist. One is a cross-site scripting (XSS) flaw (CVE-2022-31688, CVSS 6.4), and the other (CVE-2022-31689, CVSS 4.2) that allows a "malicious actor who obtains a valid session token to authenticate to the application using that token," notes vendor’s Tuesday advisory. 

VMware as well has a history of being a target to cybercriminals. A proof-of-concept (PoC) exploit was almost immediately published on GitHub and tweeted out to the world after a major Workspace ONE Access vulnerability (used to distribute corporate apps to distant employees) identified as CVE-2022-22954 was revealed in April. 

Consequently, researchers from multiple security firms started looking for probes and exploit attempts very soon thereafter — with an ultimate motive of infecting targets with numerous or establishing a backdoor via Log4Shell. 

Online users are advised to update their Workspace ONE Assist to version 22.10 in order to patch all of the most recently disclosed problems.   

Rapid7 Researchers are Closely Monitoring Critical Bug in Apache Commons Text


A remote code execution vulnerability in the Apache Commons Text library has sparked comparisons with the ‘Log4Shell’ flaw that surfaced in the widely used open-source component Log4j last year.

Tracked as CVE-2022-42889, the Commons Text bug centers on an unsafe execution of the library’s variable interpolation functionality. The hacker can exploit the bug to trigger code execution when processing malicious input in the library’s default configuration. 

The Rapid7 researchers who discovered and reported the Commons Text flaw in March have downplayed its comparative effect. 

The susceptible StringSubstitutor interpolator is comparatively less utilized than the vulnerable string substitution in Log4j and the nature of such an interpolator means that getting crafted input to the vulnerable object is less likely than merely communicating with such a well-designed string as in Log4Shell. 

“The vulnerability has been compared to Log4Shell since it is an open-source library-level vulnerability that is likely to impact a wide variety of software applications that use the relevant object. However, initial analysis indicates that this is a bad comparison.” reads the technical published by Rapid7 researchers. “The nature of the vulnerability means that, unlike Log4Shell, it will be rare that an application uses the vulnerable component of Commons Text to process untrusted, potentially malicious input.” 

Apache’s security team also confirmed that the scope of the flaw is not as serious as Log4Shell, explaining that the string interpolation is a documented feature. 

“The vulnerability is indeed very similar. The Apache Commons Text code appears to be based on the Log4j code, as both of them enable interpolation of multiple Lookup sources. Log4j enabled JNDI lookups [while] Apache Commons Text and Apache Commons Configuration allow script lookups – both could lead to RCE. The impact is, therefore, very high," the researchers explained. 

Preventive measures 

The Apache Commons Text versions are 1.5 through 1.9, and all JDK versions, and has been fixed in version 1.10. However, it is still recommended that users should upgrade Apache Commons Text to 1.10.0, which disables the problematic interpolators by default. 

The users should install these patches as soon they become available, and prioritize anywhere the vendor indicates that their implementation may be remotely exploitable.

Multiple Security Bugs Identified in EZVIZ Smart Cams


The vulnerabilities allow a hacker to remotely access the camera, download images, decrypt them, and circumvent authentication to inject code remotely. 

Security analysts at Bitdefender have published a detailed analysis on vulnerabilities in several lines of EZVIZ Internet of Things (IoT) cameras, a smart home security brand used across the globe. The vulnerabilities unearthed in at least five EZVIZ camera models could allow a hacker to remotely access the camera, download images, decrypt them, and circumvent authentication to inject code remotely.

"When daisy-chained, the discovered vulnerabilities allow an attacker to remotely control the camera, download images, and decrypt them," the researchers explained. "Use of these vulnerabilities can bypass authentication and potentially execute code remotely, further compromising the integrity of the affected cameras." 

The vulnerabilities spotted in the affected device models are listed below: - 

• CS-CV248 [20XXXXX72] - V5.2.1 build 180403 
• CS-C6N-A0-1C2WFR [E1XXXXX79] - V5.3.0 build 201719 
• CS-DB1C-A0-1E2W2FR [F1XXXXX52] - V5.3.0 build 211208 
• CS-C6N-B0-1G2WF [G0XXXXX66] - v5.3.0 build 210731 
• CS-C3W-A0-3H4WFRL [F4XXXXX93] - V5.3.5 build 22012 

Threat analysts discovered the first vulnerability (tracked as CVE-2022-2471) in the ‘configMotionDetectArea’ API endpoint. Subsequently, they identified an insecure direct object reference vulnerability at multiple API endpoints that pave a path for hackers to gain access to the camera, and a third remote vulnerability allows hackers to exfiltrate the encryption key for the video. 

The final security bug, tracked under CVE-2022-2472, lets a hacker recover the administrator password and control the device. 

“Our analysis uncovered several vulnerabilities in the EZVIZ smart devices and their API endpoints that could allow an attacker to carry out a variety of malicious actions, including remote code execution and access to the video feed,” said Dan Berte, director, IoT Security at Bitdefender. One of the main features of these devices is the ability to be accessed from anywhere the user has an internet connection.” 

The researchers advised users to apply the patches, update the software immediately, and regularly visit the manufacturer’s website for any EZVIZ camera security-related news. 

Last year in August, BitDefender security experts unearthed multiple zero-day vulnerabilities in a home baby monitor, made by China-based developer Victure. In a security report, researchers disclosed the stack-based buffer flaw present in the ONVIF server Victure PC420 component camera that allows hackers to plant remote codes on the victim device. When exploited, hackers can discover cameras (not owned by them) and command devices to broadcast camera feeds to a third party and exploit the camera firmware.

Newly Discovered Flaw in GitHub Actions Allows Code to Bypass Review Mechanism


A newly uncovered security vulnerability in GitHub Actions allows software code to bypass the required reviews mechanism to a secured branch, allowing it into the pipeline to production. 

Omer Gil and his team of researchers at security startup Cider Security discovered the flaw in GitHub actions during research into novel attack vectors in the arena of DevSecOps, which evades security protections and exists even in the installations of companies that have not enabled the recently introduced feature.

"An attacker compromising a GitHub user account, or simply a developer that wants to bypass this restriction, can simply push code to a protected branch. Since code in protected branches is usually used in production systems by many users or by other systems, the impact is high," Gil explained.

Vulnerability in GitHub Actions 

GitHub Actions is GitHub's continuous integration/continuous delivery offering, which offers a mechanism to automate, customize and implement software development workflows right in the repository from development to production systems, Cider Security explained in a blog post on Medium. 

Furthermore, the GitHub Actions is installed by default on any GitHub organization, and on all of its repositories, and any user who has the privilege to push code to the repositories can design a workflow that operates when code is pushed. 

“Anyone with write access to a repository can modify the permissions granted to the GITHUB_TOKEN, adding or removing access as required, by editing the permissions key in the workflow file,” Cider Security explained.

“As the PR is created, it cannot be merged since approval is required. However, the workflow immediately runs and the PR is approved by the GitHub-actions bot, which the GITHUB_TOKEN belongs to. It’s not an organization member, but counts as PR approval, and effectively allows the attacker to approve their own PR, basically bypassing the branch protection rules.,” Cider Security further said.

"The issue is not fixed. GitHub said they'll work on fixing it. I believe adversaries can definitely take advantage of this issue in their attempts to reach production systems and expand their hold in their victims' assets," Gil noted. 

To mitigate the risks, Cider Security has advised organizations to consider disabling GitHub Actions across their whole enterprise or for particular (more sensitive) repositories. Additionally, the issue can be solved by requiring the approval of Code Owners, or by requiring two or more approvals to merge a pull request.