Search This Blog

Showing posts with label Bugs. Show all posts

GitHub Introduces Private Flaw Reporting to Secure Software Supply Chain

 

GitHub, a Microsoft-owned code hosting platform, has announced the launch of a direct channel for security researchers to report vulnerabilities in public repositories that allow it. The new private vulnerability reporting capability allows repository administrators to enable security researchers to report any vulnerabilities found in their code to them. 

Some repositories may include instructions on how to contact the maintainers for vulnerability reporting, but for those that do not, researchers frequently report issues publicly. Whether the researcher reports the vulnerability through social media or by creating a public issue, this method may make vulnerability details insufficiently public. 

To avoid such situations, GitHub has implemented private reporting, which allows researchers to contact repository maintainers who are willing to enroll directly. If the functionality is enabled, the reporting security researchers are given a simple form to fill out with information about the identified problem.

According to GitHub, "anyone with admin access to a public repository can enable and disable private vulnerability reporting for the repository." When a vulnerability is reported, the repository maintainer is notified and can either accept or reject the report or ask additional questions about the issue.

According to GitHub, the benefits of the new capability include the ability to discuss vulnerability details privately, receiving reports directly on the same platform where the issue is discussed and addressed, initiating the advisory report, and a lower risk of being contacted publicly.

Private vulnerability reporting can be enabled from the repository's main page's 'Settings' section, in the 'Security' section of the sidebar, under 'Code security and analysis.' Once the functionality is enabled, security researchers can submit reports by clicking on a new 'Report a vulnerability' button on the repository's 'Advisories' page.

The private vulnerability reporting was announced at the GitHub Universe 2022 global developer event, along with the general availability of CodeQL support for Ruby, a new security risk and coverage view for GitHub Enterprise users, and funding for open-source developers.

The platform will provide a $20,000 incentive to 20 developers who maintain open-source repositories through the new GitHub Accelerator initiative. While, the new $10 million M12 GitHub Fund will support future open-source companies.

Several Flaws Affect the Juniper Junos OS

 

Multiple high-severity security flaws in Juniper Networks devices have been discovered. The most serious is a CVSS score of 8.1 for a remote pre-authenticated PHP archive file deserialization vulnerability tracked as CVE-2022-22241. The vulnerability was found in Junos OS's J-Web component. An attacker can exploit the flaw by sending a specially crafted POST request, causing deserialization that could result in unauthorized local file access or arbitrary code execution. 

“Multiple vulnerabilities have been found in the J-Web component of Juniper Networks Junos OS. One or more of these issues could lead to unauthorized local file access, cross-site scripting attacks, path injection and traversal, or local file inclusion.” reads the advisory published by the vendor. 

“Phar files (PHP Archive) files contain metadata in serialized format, which when parsed by a PHP file operation function leads to the metadata getting deserialized. An attacker can abuse this behavior to exploit an object instantiation vulnerability inside the Juniper codebase.” reads the analysis published by Octagon Networks. 

“This vulnerability can be exploited by an unauthenticated remote attacker to get remote phar files deserialized, leading to arbitrary file write, which leads to a remote code execution (RCE) vulnerability.” 

Other vulnerabilities discovered by the experts are:
  • CVE-2022-22242: pre-authenticated reflected XSS on the error page. 
  • CVE-2022-22243: XPATH Injection in jsdm/ajax/wizards/setup/setup.php
  • CVE-2022-22244: XPATH Injection in send_raw() method.
  • CVE-2022-22245: Path traversal during file upload leads to RCE.
  • CVE-2022-22246: PHP file include /jrest.php.  
To address the flaws,  the vendor released patches for Junos OS versions 19.1R3-S9, 19.2R3-S6, 19.3R3-S7, 19.4R3-S9, 20.1R3-S5, 20.2R3-S5, 20.3R3-S5, 20.4R3-S4, 21.1R3-S2, 21.3R3, 21.4R3, 22.1R2, 22.2R1, and more.

Fortinet Alerts: Active Exploitation of Newly Discovered Critical Auth Bypass Bug

 

Fortinet revealed on Monday that a recently patched critical security vulnerability affecting its firewall and proxy products is being actively exploited in the wild. 
The flaw, identified as CVE-2022-40684 (CVSS score: 9.6), concerns an authentication bypass in FortiOS, FortiProxy, and FortiSwitchManager that could allow a remote attacker to perform unauthorised operations on the administrative interface via specially crafted HTTP(S) requests. 

"Fortinet is aware of an instance where this vulnerability was exploited, and recommends immediately validating your systems against the following indicator of compromise in the device's logs: user='Local_Process_Access,'" the company noted in an advisory.

The list of impacted devices is below -
  • FortiOS version 7.2.0 through 7.2.1
  • FortiOS version 7.0.0 through 7.0.6
  • FortiProxy version 7.2.0
  • FortiProxy version 7.0.0 through 7.0.6
  • FortiSwitchManager version 7.2.0, and
  • FortiSwitchManager version 7.0.0
Updates have been released by the security company in FortiOS versions 7.0.7 and 7.2.2, FortiProxy versions 7.0.7 and 7.2.1, and FortiSwitchManager version 7.2.1.

The security firm has released updates for FortiOS versions 7.0.7 and 7.2.2, FortiProxy versions 7.0.7 and 7.2.1, and FortiSwitchManager version 7.2.1. The announcement comes just days after Fortinet sent "confidential advance customer communications" to its customers, urging them to install patches to prevent potential attacks exploiting the flaw. If updating to the latest version is not an option, users should disable the  HTTP/HTTPS administrative interface, or alternatively limit IP addresses that can access the administrative interface.

Dex: ID Service Patches Bug that Allows Unauthorized Access to Client Applications

 

The renowned OpenID Connect (OIDC) identity service, Dex has detected and patched a critical vulnerability. The bug allows a threat actor access to the victim's ID tokens via intercepted authorization code, potentially accessing clients’ applications without authorization. The vulnerability was patched by Sigstore developers Hayden Blauzvern, Bob Callaway, and ‘joernchen', who initially reported the bug. 

The open-source sandbox project of Cloud Native Computing Foundation, Dex utilizes an identification layer on top of OAuth 2.0, providing authentication to other applications.  

Dex acts as a portal to other identity providers through certain ‘connectors’, ranging from authentication to LDAP servers, SAML providers, or identity providers like GitHub, Google, and Active Directory. As a result, Dex claims 35.6 million downloads to date. As stated in the Developer's notification, the bug affects “Dex instances with the public clients (and by extension, clients accepting tokens issued by those Dex instances.” 

As per the discovery made by security researchers, the threat actor can steal an OAuth authentication code by luring the victim to enter a malicious website and further, leading him into the OIDC flow. Thence the victim is tricked into exchanging the authorization code for a token, which allows access to applications that accept the token. As the exploit can be used multiple times, the threat actor can get a new token every time the old one expires.  

The bug thus comes into existence because the authentication process instigates a persistent “connector state parameter" as the request ID to look up the OAuth code. 

“Once the user has successfully authenticated, if the webserver is able to call /approval before the victim’s browser calls /approval, then an attacker can fetch the Dex OAuth code which can be exchanged for an ID token using the /token endpoint,” the advisory stated. The users are advised to update to version 2.35.0, as the vulnerability, having the CVSS rating of 9.3, affects versions 2.34.0 and older.  

The bug was fixed by introducing a hash-based message authentication (HMAC) code, that utilizes a randomly generated per-request secret, oblivious to the threat actor, and is persisted between the initial login and the approval request, making the server request unpredictable.

Attackers Exploiting Unpatched RCE Flaw in Zimbra Collaboration Suite

 

Hackers are actively attempting to exploit an unpatched remote code execution (RCE) vulnerability in Zimbra Collaboration Suite (ZCS), a popular web client and email server. 

The CVE-2022-41352 zero-day security flaw is rated critical (CVSS v3 score: 9.8) and enables an attacker to upload arbitrary files via "Amavis" (email security system). An attacker who successfully exploits the vulnerability can overwrite the Zimbra webroot, insert a shellcode, and gain access to other users' accounts. 

The zero-day vulnerability was discovered at the beginning of September when administrators posted details about attacks on Zimbra forums.

Due to  insecure cpio usage

The vulnerability is caused by Amavis' use of the 'cpio' file archiving utility to extract archives when scanning a file for viruses. An exploitable flaw in the cpio component enables an attacker to create archives that can be extracted anywhere on a Zimbra-accessible filesystem.

When an email is sent to a Zimbra server, the Amavis security system extracts the archive and scans its contents for viruses. If it extracts a specially crafted.cpio,.tar, or.rpm archive, the contents may be extracted to the Zimbra webroot. An attacker could exploit this vulnerability to deploy web shells to the Zimbra root, effectively giving them shell access to the server.

On September 14, Zimbra issued a security advisory advising system administrators to install Pax, a portable archiving utility, and restart their Zimbra servers to replace the vulnerable component, cpio.
Installing Pax solves the problem because Amavis prefers it over cpio by default, so no further configuration is required.

"If the pax package is not installed, Amavis will fall-back to using cpio, unfortunately the fall-back is implemented poorly (by Amavis) and will allow an unauthenticated attacker to create and overwrite files on the Zimbra server, including the Zimbra webroot," warned the September security advisory.

"For most Ubuntu servers the pax package should already be installed as it is a dependency of Zimbra. Due to a packaging change in CentOS, there is a high chance pax is not installed."

Vulnerability is being actively exploited

While the vulnerability has been actively exploited since September, a new Rapid7 report sheds new light on its active exploitation and includes a proof-of-concept exploit that allows attackers to easily create malicious archives.

Worse, Rapid7 tests show that many Linux distributions officially supported by Zimbra still do not install Pax by default, leaving these installations vulnerable to the bug.

Oracle Linux 8, Red Hat Enterprise Linux 8, Rocky Linux 8, and CentOS 8 are among these distributions. Pax was included in earlier LTS releases of Ubuntu, 18.04 and 20.04, but it was removed in 22.04. Zimbra plans to mitigate this issue decisively by deprecating cpio and making Pax a prerequisite for Zimbra Collaboration Suite, thus enforcing its use.

Since proof-of-concept (PoC) exploits have been publicly available for some time, the risk of failing to implement the workaround is severe. Zimbra intends to address this issue decisively by deprecating cpio and making Pax a requirement for Zimbra Collaboration Suite, thereby mandating its use. 

"In addition to this cpio 0-day vulnerability, Zimbra also suffers from a 0-day privilege escalation vulnerability, which has a Metasploit module. That means that this 0-day in cpio can lead directly to a remote root compromise of Zimbra Collaboration Suite servers," further warn the researchers.

However, the risks persist for existing installations, so administrators must act quickly to protect their ZCS servers.

Researchers Recently Made the World's Websites Less Vulnerable to Hacking and Cyberattacks

 

An international team of researchers has created a scanning tool to reduce the vulnerability of websites to hacking and cyberattacks. The black box security assessment prototype, which was tested by engineers in Australia, Pakistan, and the UAE, outperforms existing web scanners, which collectively fail to detect the top ten weaknesses in web applications. 

Dr Yousef Amer, a mechanical and systems engineer at UniSA, is one of the co-authors of a new international paper that describes the tool's development in the wake of increasing global cyberattacks. Cybercrime cost the globe $6 trillion in 2021, representing a 300 percent increase in online criminal activity over the previous two years. 

Remote working, cloud-based platforms, malware, and phishing scams have resulted in massive data breaches, while the implementation of5G and Internet of Things (IoT) devices has made us more connected – and vulnerable – than ever. Dr. Yousef Amer and colleagues from Pakistan, the United Arab Emirates, and Western Sydney University highlight numerous security flaws in website applications that are costing organisations badly.

Because of the pervasive use of eCommerce, iBanking, and eGovernment sites, web applications have become a prime target for cybercriminals looking to steal personal and corporate information and disrupt business operations. Despite an anticipated $170 billion global outlay on internet security in 2022 against a backdrop of escalating and more severe cyberattacks, existing web scanners, according to Dr. Amer, fall far short of evaluating vulnerabilities.

“We have identified that most of the publicly available scanners have weaknesses and are not doing the job they should,” he says.

Almost 72% of businesses have experienced at least one serious security breach on their website, with vulnerabilities tripling since 2017. According to WhiteHat Security, a world leader in web application security, 86% of scanned web pages have on average 56% vulnerabilities. At least one of these is classified as critical. The researchers compared the top ten vulnerabilities to 11 publicly available web application scanners.

“We found that no single scanner is capable of countering all these vulnerabilities, but our prototype tool caters for all these challenges. It’s basically a one-stop guide to ensure 100 per cent website security. There’s a dire need to audit websites and ensure they are secure if we are to curb these breaches and save companies and governments millions of dollars,”Dr Amer stated.

'Witchetty’ Group Targeted Middle Eastern Gov, Stock Exchange of African Nation

 

A cyber-espionage group is targeting the governments of several Middle Eastern countries and has previously attacked an African country's stock exchange, stealing massive amounts of data with malware. 

The Symantec Threat Hunter Team named the espionage group "Witchetty" in a report published Thursday, but it has also been known as "LookingFrog." Witchetty attacks are distinguished by the use of two pieces of malware: X4 and a second-stage payload known as LookBack. 

“From what we can see, their end goal is classic espionage, finding computers on the network, stealing data and exfiltrating it out of the organization,” said Dick O’Brien, a member of the Symantec Threat Hunter team.

In recent months, the group has been updating its tools to use steganography, a technique in which hackers hide malicious code within an image. In Witchetty's case, the malware is disguised as a Microsoft Windows logo.

Symantec tracked the group's attacks from February to September, noting that the attackers used ProxyShell (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) and ProxyLogon (CVE-2021-26855 and CVE-2021-27065) vulnerabilities to obtain access in three incidents.

According to several national cybersecurity agencies, ProxyShell and ProxyLogon are among the most commonly exploited vulnerabilities by threat groups. They stole credentials, moved laterally across the network, and installed malware on other computers from there.

The attackers used the ProxyShell vulnerability to launch an attack on a Middle Eastern government agency on February 27. The hackers moved around the network for several months, exfiltrating data and stealing other information. The hackers' most recent actions occurred on September 1, when they downloaded several remote files.

O'Brien told The Record that they do not have enough information to make an attribution at this time, but that Witchetty was first discovered in April by ESET researchers, who stated it was part of a larger cyber-espionage operation linked to the Chinese state-backed advanced persistent threat (APT) group Cicada or APT10. According to ESET, the group has specifically targeted governments, diplomatic missions, charities, and industrial/manufacturing organisations.

Symantec previously linked the group to a VLC Media Player attack campaign, prompting the Indian government to outright ban the popular programme earlier this year. The group was accused in February of carrying out a months-long attack on Taiwan's financial sector.

APT10, according to the anonymous research group IntrusionTruth, was based in Tianjin, China, and allegedly operated out of the Tianjin State Security Bureau, a regional arm of the Chinese Ministry of State Security. In the summer of 2018, Rapid7 and Recorded Future implicated the group in another attack on Norwegian cloud service provider Visma AG.

Watchdog Finds, Over Half of Operating Systems at VA Medical Center in Texas are Outdated

 

According to an IT security assessment released on Tuesday by the Department of Veterans Affairs' Office of Inspector General, more than half of the network switches at the Harlingen VA Health Care Center in Harlingen, Texas, were running outdated operating systems and did not meet the department's baseline configurations. 

The audit was conducted to evaluate whether Harlingen was complying with the Federal Information Security Management Act, or FISMA, information security safeguards. The OIG stated that it chose Harlingen for an assessment because it had not previously been reviewed during the annual FISMA audit. 

Harlingen is part of the Texas Valley Coastal Bend Healthcare System, which receives approximately 300,000 outpatient visits per year. The OIG discovered flaws in three of the four security control areas at Harlingen, including configuration management, contingency planning and access controls. OIG’s inspection team did not document any issues with the center’s security management.

OIG discovered flaws in three of Harlingen's four security control areas, including configuration management, contingency planning, and access controls. The OIG inspection team found no problems with the centre's security management.

The audit found significant flaws in Harlingen's configuration management controls, which were used to identify and track the centre's hardware and software components. These flaws included an inaccurate component inventory list, unaddressed security flaws, and an inability to identify all critical and high-risk vulnerabilities across the centre's network.

Most concerning was OIG’s finding that “almost 53 per cent of the Harlingen centre’s network switches used operating systems that no longer receive maintenance or vulnerability support from the vendor.” And the outdated devices did not meet the baseline configurations for network equipment mandated by the VA Office of Information and Technology Configuration Control Board, which reflect “agreed-on specifications for systems or configuration items within those systems." 

“Network devices and IT systems are an organization’s most critical infrastructure,” OIG said in its assessment. “Upgrading is not just a defensive strategy but a proactive one that protects network stability.”

Despite VA's use of an automated inventory system, the OIG assessment revealed varying tallies of IT components at Harlingen. The VA discovered 1,568 devices at the centre, while the OIG assessment team discovered 1,544 devices on the Harlingen network. However, according to the audit, VA's Enterprise Mission Assurance Support Services system, or eMASS, which "allows for FISMA systems inventory tracking and reporting activities," only identified 942 devices.

“Because VA’s eMASS is used for developing system security and privacy plans, without an accurate inventory of network devices in eMASS, VA has no assurance that these plans implement security controls for all the components within the system,” the audit said. 

OIG's inspection team also compared on-site vulnerability scans from Jan. 10 to Jan. 13, 2022, with those conducted remotely by VA's Office of Information and Technology, and discovered 16 serious vulnerabilities on the Harlingen network that had not been mitigated within VA's established timeframe for addressing vulnerabilities. These included "five critical vulnerabilities on less than 1% of the computers and 11 high-risk vulnerabilities."

The OIG's inspection team also discovered that database managers were not adequately maintaining log data; that computer rooms and communications closets throughout the facility lacked fire detection systems; and that the computer room housing the center's police servers lacked a visitor access log. Furthermore, the OIG discovered that Harlingen's contingency plan "did not fully address reconstituting all systems to restore IT operations to a fully operational state following a disaster."

The OIG made four recommendations to the VA's assistant secretary for information and technology and chief information officer "due to enterprise-wide IT security issues similar to those identified during previous FISMA audits and IT security reviews." The OIG also made another recommendation to Harlingen's director to “validate that appropriate physical and environmental security measures are implemented and functioning as intended.” VA concurred with all five recommendations. 

VA has long struggled to meet FISMA requirements, with the Government Accountability Office stating in a November 2019 report that VA was one of the federal agencies with inadequate information security protections, including when it came to implementing effective security controls and mitigating vulnerabilities.

On Sept. 22, the OIG released a separate IT security assessment of the Alexandria VA Medical Center in Pineville, Louisiana, documenting deficiencies in three of the facility's four security control areas and discovering "critical and high-risk vulnerabilities on 37% of the devices."

The FISMA audit of VA's agencywide compliance for fiscal year 2021, released in April, found that the department as a whole "continues to face significant challenges in complying with FISMA due to the nature and maturity of its information security program.” OIG noted in Tuesday’s assessment of Harlingen that the FY2021 FISMA audit made 26 recommendations to VA, and that “all 26 recommendations were repeated from the prior year.”

BIND Updates Patch High-Severity Flaws

The Internet Systems Consortium (ISC) announced this week the availability of patches for six remotely exploitable vulnerabilities in the widely used BIND DNS software. 

Four of the fixed security vulnerabilities have a severity rating of 'high.' All four have the potential to cause a denial-of-service (DoS) condition. The first of these is CVE-2022-2906, which affects "key processing when using TKEY records in Diffie-Hellman mode with OpenSSL 3.0.0 and later versions," according to ISC's advisory. 

A remote attacker could use the flaw to gradually deplete available memory, resulting in a crash. Because the attacker could exploit the vulnerability again after restarting, "there is the potential for service denial," according to ISC.

The second flaw, tracked as CVE-2022-3080, may cause the BIND 9 resolver to crash under certain conditions when crafted queries are sent to the resolver. According to ISC, CVE-2022-38177 is a memory leak issue in the DNSSEC verification code for the ECDSA algorithm that can be triggered by a signature length mismatch.

“By spoofing the target resolver with responses that have a malformed ECDSA signature, an attacker can trigger a small memory leak. It is possible to gradually erode available memory to the point where named crashes for lack of resources,” ISC explains.

CVE-2022-38178, a memory leak affecting the DNSSEC verification code for the EdDSA algorithm that can be triggered by malformed ECDSA signatures, is the fourth high-severity bug addressed in BIND 9. BIND 9.18 (stable branch), BIND 9.19 (development version), and BIND 9.16 all received updates (Extended Support Version). As per ISC, no public exploits targeting these vulnerabilities are known.

The US Cybersecurity and Infrastructure Security Agency (CISA) urged users and administrators on Thursday to review ISC's advisories for these four security holes and apply the available patches as soon as possible.

Unpatched 15-year Old Python Flaw Allows Code Execution in 350k Projects

 

As many as 350,000 open-source projects are potentially vulnerable to exploitation due to a 15-year-old security vulnerability in a Python module. The open-source repositories cover a wide range of industries, including software development, artificial intelligence/machine learning, web development, media, security, and information technology management. 

The flaw, designated CVE-2007-4559 (CVSS score: 6.8), is deeply embedded in the tarfile module, and successful exploitation could result in code execution from an arbitrary file write. 

"The vulnerability is a path traversal attack in the extract and extract all functions in the tarfile module that allow an attacker to overwrite arbitrary files by adding the '..' sequence to filenames in a TAR archive," Trellix security researcher Kasimir Schulz said in a writeup.

The bug, first reported in August 2007, relates to how a specially crafted tar archive can be used to overwrite arbitrary files on a target machine simply by opening the file.

Simply put, a threat actor can exploit the flaw by uploading a malicious tarfile in a way that allows the adversary to escape the directory that a file is intended to be extracted to and achieve code execution, potentially allowing the adversary to seize control of a target device.

"Never extract archives from untrusted sources without prior inspection," the Python documentation for tarfile reads. "It is possible that files are created outside of path, e.g. members that have absolute filenames starting with '/' or filenames with two dots '..'."

The flaw is similar to a recently disclosed security flaw in RARlab's UnRAR utility (CVE-2022-30333), which could result in remote code execution. Trellix has also released a custom utility called Creosote to scan for projects vulnerable to CVE-2007-4559, revealing the vulnerability in both the Spyder Python IDE and Polemarch.

"Left unchecked, this vulnerability has been unintentionally added to hundreds of thousands of open- and closed-source projects worldwide, creating a substantial software supply chain attack surface," Douglas McKee noted.

A 15-Year-Old Bug Affected Over 350,000 Open-Source Projects

 

Trellix, an advanced research centre rediscovered a 15-year-old vulnerability in Python programming language that is still being exploited and has affected over 350,000 projects. 

The threat researchers at Trellix considered claimed to have found a zero-day vulnerability, it is a 15-year-old security flaw in the Python module, that has remained unpatched, and is now exposing around 350,000 open as well as closed source projects to the risk of supply chain cyberattacks. 

The Trellix estimate indicates that many of the affected repositories are used by machine learning tools that help developers to complete the project as soon as possible. 

In of one of the articles, Kasimir Schulz mentioned that the vulnerability was a form of routed traversal attack in the “extract and extractall functions of the tarfile module,” which is contained within the TAR file module itself. These open-source projects cover a wide range of areas including web development, media, IT management, software development, artificial intelligence, machine learning, and security. 

The vulnerability, tracked as “CVE-2007-4559”, permits the threat actor linked with a user, to execute the code and overlap the arbitrary files by using filenames with dedicated sequenced filenames in the TAR archive. This allows the attacker to acquire control of the targeted device. 

It is similar to the vulnerability named, CVE-2022-30333, which was recently found in RARIab’s UnRAR, which also allows the attacker to execute the code remotely. 

The CVE-2007-4559 was first discovered in 2007 when it was declared as a vulnerability of low importance by Red Hat, one of the world’s leading solution providers of enterprise open-source software. 

The bug can be leveraged on Linux as well. It includes the specially crafted TAR archive used to overwrite or overlap the existing arbitrary files on the targeted device by just opening the file. It is through this simple overlap that the attacker is able to inject the malicious tarfile in a way that allows him to execute the code by intending that the file be extracted after crossing the directory boundary. 

Reportedly, the patches have been introduced by Trellix for the aforesaid vulnerability. Initially, they are made available for about 11000 projects, but within the next week, they will be available for about 7000 projects.

TeamTNT is Back & Targets Servers to Run Bitcoin Encryption Solvers

 

AquaSec threat analysts have detected TeamTNT activity on their honeypots since early September, leading them to believe the infamously hacking group is back in business. 

TeamTNT announced its retirement in November 2021, and most associated observations since then have involved remnants of previous infections, such as automated scripts, but no new payloads. The recent attacks, however, bear various signatures associated with TeamTNT and rely on tools previously deployed by the gang, indicating that the threat actor is likely making a comeback.  The researchers observed three attack types utilized in the reportedly new TeamTNT attacks, the most intriguing being the use of hijacked servers' computational power to run Bitcoin encryption solvers.

The attack, dubbed "the Kangaroo attack" because it employs Pollard's Kangaroo WIF solver, scans for vulnerable Docker Daemons, deploys an AlpineOS image, drops a script ("k.sh"), and eventually retrieves the solver from GitHub. Pollard's Kangaroo interval ECDLP (Elliptic Curve Discrete Logarithm Problem) solver algorithm attempts to decipher the SECP256K1 encryption used in Bitcoin's public-key cryptography.

“It [the algorithm] is designed to run in a distributed fashion since the algorithm breaks the key into chunks and distributes them to various nodes (attacked servers), collecting the results which are then written locally to a text file,” explains AquaSec.

While quantum computing is expected to break existing Bitcoin encryption at some point in the future, it is thought to be impossible to achieve with current machines, TeamTNT appears willing to test the theory anyway, using other people's resources.

Perhaps the threat actors are simply experimenting with new attack pathways, payload deployment, and evasion while performing intensive operations on captured systems, with the Kangaroo attack ticking all of the boxes.

Other Attacks

Other attacks detected by AquaSec are similar to previous TeamTNT operations but have some new characteristics.

The "Cronb Attack" employs well-documented rootkits, cron jobs for persistence, cryptominers for profit, and lateral movement tools. The appearance of new C2 infrastructure addresses and more elaborate data exchange is the novel element.

The "What Will Be" attack targets Docker Daemons with shell-file dropping Alpine images once more, taking advantage of a vulnerability to escape from the container to the host. The attackers then download and execute additional scripts, rootkits, and a cryptominer, as well as add cronjobs and perform network SSH scans.

These scripts introduce a new trick in this attack, allowing threat actors to optimise crypto mining performance by modifying CPU model-specific registers. Whether it is TeamTNT or someone else carrying out these attacks, organisations should strengthen their cloud security, strengthen Docker configuration, and implement all available security updates before it is too late.

CISA Expands Flaws Catalog With Old, Exploited Vulnerabilities

 

On September 15, 2022, the Cybersecurity and Infrastructure Security Agency (CISA) added six critical vulnerabilities to its Known Exploited Vulnerabilities Catalog. 

“These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose a significant risk to the federal enterprise,” the Agency wrote.

Three of the six issues involve the Linux kernel, one the Code Aurora ACDB audio driver (found in third-party products such as Qualcomm and Android), and one a remote code execution risk in Microsoft Windows. While CISA's Vulnerability Catalog is regularly updated, the newly added flaws are noticeable because some of them are quite old. 

“What is concerning me is that four of the CVEs posted [yesterday] are from 2013, and one is from 2010,” Paul Baird, chief technical security officer UK at Qualys, told Infosecurity Magazine.

Only one of the newly exploited vulnerabilities is a 2022 CVE. According to the executive, this demonstrates that many businesses struggle to fully understand their information technology (IT) infrastructure, keep those IT assets up to date, or adequately mitigate issues so that there is no risk of exploitation.

“Patching known vulnerabilities is one of the best ways to prevent attacks, but many companies are finding it hard to keep up,” Baird added. “Similarly, end-of-life systems should be replaced or migrated if they are still needed for businesses.”

The six known vulnerabilities were added to CISA's catalogue just days after the Agency added two zero-day attacks affecting Microsoft Windows Common Log File System Driver and Apple iOS / iPadOS / macOS Monterey and Big Sur, respectively.

In addition, CISA has recently published new guidelines to assist developers in improving the security of the software supply chain. CISA, the National Security Agency (NSA), and the Office of the Director of National Intelligence collaborated on the document (ODNI).

Lazarus Hackers are Using Log4j to Hack US Energy Companies

 

A new cyber espionage campaign targeting US, Canadian, and Japanese energy providers has been linked to the North Korean state-sponsored Lazarus hacking group, according to security researchers.

Cisco Talos, a threat intelligence company, announced Thursday that Lazarus, also known as APT38, was observed targeting unidentified energy providers in the United States, Canada, and Japan between February and July of this year. 

According to Cisco's findings, the hackers exploited a year-old Log4j vulnerability known as Log4Shell to compromise internet-exposed VMware Horizon servers in order to gain an initial foothold on a victim's enterprise network before deploying bespoke malware known as "VSingle" and "YamaBot" to gain long-term persistent access. 

Japan's national cyber emergency response team, known as CERT, recently linked YamaBot to the Lazarus APT. Symantec first disclosed information of this espionage campaign in April of this year, attributing the operation to "Stonefly," another North Korean hacking group with some overlaps with Lazarus.

However, Cisco Talos discovered a previously unknown remote access trojan (RAT) called "MagicRAT," which is attributed to the Lazarus Group and is used by hackers for reconnaissance and credential theft.

Talos researchers Jung soo An, Asheer Malhotra, and Vitor Ventura, “The main goal of these attacks was likely to establish long-term access into victim networks to conduct espionage operations in support of North Korean government objectives. This activity aligns with historical Lazarus intrusions targeting critical infrastructure and energy companies to establish long-term access to siphon off proprietary intellectual property.”

However, in recent months, the group has shifted its focus to blockchain and cryptocurrency organisations. It has been associated with the recent thefts of $100 million in cryptocurrency from Harmony's Horizon Bridge and $625 million in cryptocurrency from the Ronin Network, an Ethereum-based sidechain created for the popular play-to-earn game Axie Infinity.

Pyongyang has long used stolen cryptocurrency and information theft to finance its nuclear weapons programme. In July, the United States offered a $10 million reward for data on members of state-sponsored North Korean threat groups, including Lazarus, more than doubling the amount previously offered. The State Department made the announcement in April.

The Lazarus Group is a North Korean-backed hacking organisation best known for the high-profile Sony hack in 2016 and the WannaCry ransomware attack in 2017. Lazarus is also motivated by efforts to support North Korea's state objectives, such as military R&D and evasion of international sanctions.

New Zero-day Flaw in BackupBuddy Plugin Leaves WordPress Users at Risk

 

Wordfence, a WordPress security company, has disclosed that a zero-day vulnerability in the BackupBuddy plugin is being actively exploited. 

"This vulnerability makes it possible for unauthenticated users to download arbitrary files from the affected site which can include sensitive information," it stated.

Users can back up their entire WordPress installation from the dashboard, including theme files, pages, posts, widgets, users, and media files, among other things. The flaw (CVE-2022-31474, CVSS score: 7.5) affects versions 8.5.8.0 to 8.7.4.1 of the plugin, which has an estimated 140,000 active installations. It was fixed in version 8.7.5, which was released on September 2, 2022. 

The problem stems from the "Local Directory Copy" function, which is intended to keep a local copy of the backups. The vulnerability, according to Wordfence, is the consequence of an insecure implementation that allows an unauthenticated threat actor to download any arbitrary file on the server. Additional information about the vulnerability has been withheld due to active in-the-wild abuse and the ease with which it can be exploited.

The plugin's developer, iThemes, said, "This vulnerability could allow an attacker to view the contents of any file on your server that can be read by your WordPress installation. This could include the WordPress wp-config.php file and, depending on your server setup, sensitive files like /etc/passwd."

Wordfence reported that the targeting of CVE-2022-31474 began on August 26, 2022, and that it has blocked nearly five million attacks since then. The majority of the intrusions attempted to read the files listed below -
  • /etc/passwd
  • /wp-config.php
  • .my.cnf
  • .accesshash
Users of the BackupBuddy plugin are encouraged to update to the most recent version. They should determine that they may have been compromised, it's recommended to reset the database password, change WordPress Salts, and rotate API keys stored in wp-config.php.

Hackers Repeatedly Targeting Financial Services in French-Speaking African Countries

 

Over the last two years, a persistent cyber-attack campaign targeting major financial institutions in French-speaking African countries has surfaced. Check Point Research (CPR) discovered the campaign and termed it 'DangerousSavanna.' To start infection chains, it used spear phishing techniques. 

The threat actors allegedly sent malicious attachment emails in French to employees in Ivory Coast, Morocco, Cameroon, Senegal, and Togo, using a variety of file types to entice victims, including PDF, Word, ZIP, and ISO files. DangerousSavanna hackers also used lookalike domains to impersonate other African financial institutions such as Tunisian Foreign Bank and Nedbank.

Sergey Shykevich, threat intelligence group manager at CPR explained, "Our suspicion is that this is a financially motivated cybercriminal, but we don't have conclusive evidence yet. Whoever it is, this threat actor, or group of actors, is highly targeted and persistent in infecting specific victims, and right now, we are aware of at least three major financial corporations that operate in these countries that have been affected."

Furthermore, the cybersecurity expert stated that Check Point's assessment indicates that this actor will continue to try to break into its targeted companies until vulnerabilities are discovered or employees make a mistake.

"Usually, when a hacker targets financial institutions directly, their main goal is to secure access to core banking systems such as payment card issuing systems, SWIFT transfers and ATM control systems," Shykevich added.

In general, the Check Point executive stated that cyber-criminals believe that the fragile economies of some African countries are linked to a lack of cybersecurity investment.

"But the finance and banking sector is actually one of the most impacted industries worldwide, experiencing 1144 weekly cyber–attacks on average," Shykevich explained.

CPR provided companies with advice on preventing spear phishing attacks in an advisory detailing some of DangerousSavanna's recent attacks. These methods include keeping systems up to date, implementing multi-factor authentication (MFA), confirming suspicious email activity before interacting, educating employees, and testing their cybersecurity knowledge on a regular basis.

The DangerousSavanna warning comes just weeks after cybersecurity firm Vade revealed that banks around the world received the majority of phishing attacks in the first half of 2022.

Mirai Variant MooBot Botnet Exploiting D-Link Router Flaws

 

MooBot, a Mirai botnet variant, is transforming vulnerable D-Link devices into an army of denial-of-service bots by exploiting multiple vulnerabilities. 

Palo Alto Networks Unit 42 said in a Tuesday report, "If the devices are compromised, they will be fully controlled by attackers, who could utilize those devices to conduct further attacks such as distributed denial-of-service (DDoS) attacks."
 
MooBot, which was first revealed in September 2019 by Qihoo 360's Netlab team, has previously aimed at LILIN digital video recorders and Hikvision video surveillance products to broaden its network. As many as four different flaws in D-Link devices, both old and new, have paved the way for the deployment of MooBot samples in the most recent wave of attacks discovered by Unit 42 in early August 2022. These are some examples:
  • CVE-2015-2051 (CVSS score: 10.0) - D-Link HNAP SOAPAction Header Command Execution Vulnerability
  • CVE-2018-6530 (CVSS score: 9.8) - D-Link SOAP Interface Remote Code Execution Vulnerability
  • CVE-2022-26258 (CVSS score: 9.8) - D-Link Remote Command Execution Vulnerability, and
  • CVE-2022-28958 (CVSS score: 9.8) - D-Link Remote Command Execution Vulnerability
Exploiting the aforementioned flaws successfully could result in remote code execution and the retrieval of a MooBot payload from a remote host, which then decodes instructions from a command-and-control (C2) server to launch a DDoS attack on a specific IP address and port number.

Customers with D-Link appliances are strongly advised to implement the company's patches and upgrades to mitigate potential threats.

The researchers stated, "The vulnerabilities [...] have low attack complexity but critical security impact that can lead to remote code execution.n Once the attacker gains control in this manner, they could take advantage by including the newly compromised devices into their botnet to conduct further attacks such as DDoS."

WatchGuard Firewall Exploit Threatens Appliance Takeover

 

WatchGuard has fixed multiple vulnerabilities in two major firewall brands, ranging in severity from medium to critical. Two of the flaws, when combined, permitted Ambionics security engineer Charles Fol to gain pre-authentication remote root on any WatchGuard Firebox or XTM appliance. 

Both the Firebox and XTM product lines were implicated in a number of hacking attacks earlier this year, with Russian state-sponsored threat actor Sandworm exploiting a privilege escalation vulnerability to build the Cyclops Blink botnet, which was shut down in April. 

WatchGuard released three firmware updates over a four-month period, patching a number of critical vulnerabilities.

Complete access as root

Fol told The Daily Swig, “By combining the two latter, a remote, unauthenticated attacker can get complete access to the firewall system as a super user, or root. This is the worst possible impact. He or she can now read or change the configuration, intercept traffic, et cetera. The first one, in some cases, allows an attacker to obtain the master credentials of the authentication servers, and possibly use this to connect as an administrator on the firewall.”

Fol believes that as a result of the numerous security alerts generated during his research, including those relating to Cyclops Blink, fewer WatchGuard users now have their administration interface exposed on the internet.

"The first vulnerability, Xpath, is accessible through the standard, client interface, and as such is much more likely to be exposed; a quick shodan search revealed around 350,000 instances," he said.

He recommends that users remove their administration interface from the internet and keep their systems up to date. Fol stated that he reported the flaws at the end of March and received a prompt response. A month later, the security team at WatchGuard confirmed that a patch would be available on June 21.

RTLS Systems Found Vulnerable to MiTM Attacks & Location Manipulation

 

Multiple vulnerabilities in Ultra-wideband (UWB) Real-time Locating Systems (RTLS) have been reported, allowing threat actors to launch adversary-in-the-middle (AitM) attacks and tamper with location information. 

The cybersecurity firm Nozomi Networks disclosed in a technical write-up last week, "The zero-days found specifically pose a security risk for workers in industrial environments. If a threat actor exploits these vulnerabilities, they have the ability to tamper with safety zones designated by RTLS to protect workers in hazardous areas."

RTLS is used for automatically identifying and tracking the location of objects or people in real-time, typically within a confined indoor area. This is accomplished by attaching tags to assets, which broadcast USB signals to fixed reference points known as anchors, which then determine their location. 

However, flaws discovered in RTLS solutions (Sewio Indoor Tracking RTLS UWB Wi-Fi Kit and Avalue Renity Artemis Enterprise Kit) meant they could be weaponized to intercept network packets exchanged between anchors and the central server and stage traffic manipulation attacks.

Simply stated, the concept is to guesstimate the anchor coordinates and use them to manipulate the RTLS system's geofencing rules, effectively tricking the software into allowing access to restricted areas and even disrupting production environments. Even worse, by changing the position of tags and placing them within geofencing zones, an adversary can affect the shutdown of entire production lines by indicating that a worker is nearby even when no one is present. 

In another situation, the location data could be tampered with to place a worker outside of a geofencing zone, causing dangerous machinery to restart while a worker is nearby, posing serious safety risks. However, it is worth noting that doing so requires an attacker to either compromise a computer connected to that network or covertly add a rogue device to gain unauthorised access to the network.

Last but not the least, how to prevent these attacks?

To prevent AitM attacks, it is recommended to enforce network segregation and add a traffic encryption layer on top of existing communications. 

"Weak security requirements in critical software can lead to safety issues that cannot be ignored," researchers Andrea Palanca, Luca Cremona, and Roya Gordon said. "Exploiting secondary communications in UWB RTLS can be challenging, but it is doable."

Nozomi recommends that administrators of RTLS systems use firewalls to restrict access, intrusion detection systems, and SSH tunneling with packet synchronisation counter-values for data encryption.

Amazon Patches Ring Android App Flaw Exposing Camera Recordings

 

Amazon has patched a critical vulnerability in the Amazon Ring app for Android that could have enabled hackers to download saved camera recordings from customers. The flaw was discovered and disclosed to Amazon on May 1st, 2022 by security researchers at application security testing company Checkmarx, and it was fixed on May 27th. 

Because the Ring Android app has over 10 million downloads and is used by people all over the world, access to a customer's saved camera recordings could have enabled a wide range of malicious behaviour, from extortion to data theft. 

Checkmarx discovered an 'activity' that could be launched by any other app installed on the Android device while analysing the Ring Android app. An 'activity' on Android is a programme 0component that displays a screen that users can interact with to perform a specific action. When developing an Android app, you can expose that activity to other installed apps by including it in the app's manifest file.

Checkmarx discovered that the 'com.ringapp/com.ring.nh.deeplink.DeepLinkActivity' activity was exposed in the app's manifest, enabling any other install app to launch it.

"This activity would accept, load, and execute web content from any server, as long as the Intent's destination URI contained the string “/better-neighborhoods/”," explained a report by Checkmarx shared with BleepingComputer before publishing.

This meant they could start the activity and send it to an attacker-controlled web server to interact with it. However, only pages hosted on the ring.com or a2z.com domains were able to interact with the activity.

The Checkmarx researchers got around this restriction by discovering an XSS vulnerability on the https://cyberchef.schlarpc.people.a2z.com/ URL, which allowed them to compromise the system.

"With this cookie, it was then possible to use Ring’s APIs to extract the customer’s personal data, including full name, email, and phone number, and their Ring device’s data, including geolocation, address, and recordings." - Checkmarx.

With a working attack chain in place, the researchers could have exploited the vulnerability by developing and publishing a malicious app on Google Play or another site. Once a user was duped into installing the app, it would launch the attack and send the Ring customer's authentication cookies to the attackers.

Analyzing videos with machine learning

However, as a threat actor, what would you do with the massive amount of videos that you could gain access to by exploiting this vulnerability?

Checkmarx discovered that they could sift through the videos using the Amazon Rekognition service, an image and video analysis service. The service could use machine learning to find videos of celebrities, documents containing specific words, or even a password scribbled carelessly on a post-it note stuck to a monitor.

This information could then be relayed back to the threat actor, who could use it for extortion, network intrusion, or simply to be a voyeuristic observer. The good news is that Amazon quickly responded to Checkmarx's bug report and released a fix.

"It was a pleasure to collaborate so effectively with the Amazon team, who took ownership and were professional through the disclosure and remediation process," concluded the Checkmarx report.

"We take the security of our devices and services seriously and appreciate the work of independent researchers. We issued a fix for supported Android customers back in May, soon after the researchers' submission was processed. Based on our review, no customer information was exposed," Ring told BleepingComputer.