Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Bugs. Show all posts

Soumnibot Malware Abuses Bugs to Escape Detection


Soumnibot Malware

A new Android banking virus called 'SoumniBot' employs a less prevalent obfuscation technique, attacking flaws in the Android manifest extraction and parsing method.

The approach allows SoumniBot to bypass typical Android security safeguards and steal information.
Kaspersky researchers found and researched the virus, providing technical details on how it exploits the Android procedure to parse and extract APK manifests.

Fooling Android’s Parser

Manifest files ('AndroidManifest.xml') are located in each app's root directory and contain information about components (services, broadcast receivers, content providers), permissions, and app data.

While malicious APKs can employ multiple compression strategies to confuse security programs and elude inspection, Kaspersky analysts discovered that SoumniBot uses three separate methods to bypass parser tests, all of which entail manipulating the manifest file's compression and size.

How the virus works?

First, while unpacking the APK's manifest file, SoumniBot utilizes an erroneous compression number that differs from the normal values (0 or 8) anticipated by the Android 'libziparchive' library assigned to the role.

Rather than rejecting these numbers, the Android APK parser defaults to accepting the data as uncompressed due to a flaw, allowing the APK to evade protection and keep executing on the device.

The second way includes misreporting the size of the manifest file in the APK, providing a value that is greater than the true figure.

Since the file was tagged as uncompressed in the previous step, it is copied directly from the archive, with rubbish "overlay" data filling in the gaps.

According to Kaspersky, while this extra data does not immediately affect the device because Android is configured to disregard it, it does play an important role in misleading code analysis tools.

The third evasion tactic is to use excessively long strings as the names of XML namespaces in the manifest file, making it impossible for automated analysis tools to examine them, as they frequently lack enough capacity to parse them.

Google has been notified by Kaspersky that APK Analyzer, the official analysis tool for Android, cannot handle files that use the aforementioned evasion techniques.

The danger of SoumniBots

At the moment of activation, SoumniBot communicates the infected device's carrier, number, and other profile information, and asks its configuration options from a hardcoded server address.

Next, it creates a malicious service that sends stolen data from the victim every 15 seconds and restarts every 16 minutes if it is interrupted.

IP addresses, contact lists, account information, SMS messages, images, videos, and digital certificates for online banking are among the exfiltrated data.

The techniques by which SoumniBot infiltrates smartphones are unknown, however, they could range from distribution through dubious websites and unofficial Android marketplaces to upgrading legitimate programs in trustworthy repositories with malicious code.

Kaspersky offers a concise collection of compromise indications, comprising malware hashes and two domains utilized by malware operators for command and control operations.

QWIXXRAT: A Fresh Windows RAT Emerges in the Threat Landscape

 

In early August 2023, the Uptycs Threat Research team uncovered the presence of a newly identified threat, the QwixxRAT, also referred to as the Telegram RAT. This malicious software was being promoted and distributed via platforms such as Telegram and Discord.

The QwixxRAT operates as a remote access trojan, capable of surreptitiously gathering sensitive information from targeted systems.

This ill-gotten data is then surreptitiously transmitted to the attacker's Telegram bot, granting them unauthorized access to the compromised user's confidential details. The process is facilitated by the threat actors who can manipulate and oversee the RAT's activities through the same Telegram bot.

“Once installed on the victim’s Windows platform machines, the RAT stealthily collects sensitive data, which is then sent to the attacker’s Telegram bot, providing them with unauthorized access to the victim’s sensitive information.”reads a new report published by security firm Uptycs.

“To avoid detection by antivirus software, the RAT employs command and control functionality through a Telegram bot. This allows the attacker to remotely control the RAT and manage its operations.” 

Experts have identified the QwixxRAT as a meticulously engineered threat, specifically crafted to extract a wide spectrum of sensitive data. Its repertoire includes the theft of browser histories, credit card particulars, screenshots, keystrokes, FTP credentials, messenger conversations, and data linked to the Steam platform.

Uptycs, the cybersecurity company behind the discovery, underscored that the QwixxRAT is available for purchase on the criminal market. Interested parties can acquire a weekly subscription for 150 rubles or opt for a lifetime subscription priced at 500 rubles. Additionally, a limited free version has been noted by the researchers.

Technically, the QwixxRAT is coded in C# and takes the form of a compiled binary, functioning as a 32-bit executable tailored for CPU operations. With a total of 19 distinct functions, the malware exhibits a diverse set of capabilities.

In order to evade scrutiny, the malware incorporates various anti-analysis features and evasion tactics. Notably, the RAT employs a sleep function to introduce delays, serving as a mechanism to detect potential debugging activities. Furthermore, the malicious code performs checks to ascertain if it is running within a sandbox or virtual environment.

The QwixxRAT establishes persistence by creating a scheduled task tied to a concealed file located at "C:\Users\Chrome\rat.exe". Additionally, the malware possesses a self-destruct mechanism that can be triggered for the C# program's termination.

A unique characteristic of the QwixxRAT is its incorporation of a clipper code, enabling the capture of data copied to the clipboard. This technique is adeptly employed to extract cryptocurrency wallet information pertaining to Monero, Ethereum, and Bitcoin.

The researchers have taken a proactive step by publishing a YARA detection rule tailored to identify this particular threat.

New Exploit Unleashed for Cisco AnyConnect Bug Granting SYSTEM Privileges

Proof-of-concept (PoC) exploit code has been released for a significant vulnerability found in Cisco Secure Client Software for Windows, previously known as AnyConnect Secure Mobility Client. This flaw allows attackers to elevate their privileges to the SYSTEM level. Cisco Secure Client is a VPN software that enables employees to work remotely while ensuring a secure connection and providing network administrators with telemetry and endpoint management capabilities.

The vulnerability, identified as CVE-2023-20178, enables authenticated threat actors to escalate their privileges to the SYSTEM account without requiring complex attacks or user interaction. Exploiting this flaw involves manipulating a specific function within the Windows installer process.

To address this security issue, Cisco issued security updates on the previous Tuesday. The company's Product Security Incident Response Team (PSIRT) stated that there was no evidence of any malicious activities or public exploit code targeting the vulnerability at that time.

The fix for CVE-2023-20178 was included in the release of AnyConnect Secure Mobility Client for Windows 4.10MR7 and Cisco Secure Client for Windows 5.0MR2.

Recently, security researcher Filip Dragović discovered and reported the Arbitrary File Delete vulnerability to Cisco. This week, Dragović published a PoC exploit code, which was tested against Cisco Secure Client (version 5.0.01242) and Cisco AnyConnect (version 4.10.06079).

Dragović explains that when a user establishes a VPN connection, the vpndownloader.exe process starts in the background and creates a directory in the format "<random numbers>.tmp" within the c:\windows\temp directory. By taking advantage of default permissions, an attacker can abuse this behavior to perform arbitrary file deletion using the NT Authority\SYSTEM account.

The attacker can further leverage this Windows installer behavior and the fact that a client update process is executed after each successful VPN connection to spawn a SYSTEM shell, thus escalating their privileges. The technique for privilege escalation is described in detail.

It's worth noting that in October, Cisco urged customers to patch two additional security flaws in AnyConnect, which had public exploit code available and had been fixed three years earlier due to active exploitation. Furthermore, in May 2021, Cisco patched an AnyConnect zero-day vulnerability with public exploit code, following its initial disclosure in November 2020.

"Securing Your Digital Assets: Uncovering the Untraceable Data Theft Bug in Google Workspace's Drive Files"

 


Security consultants say hackers can steal information from Google Drive accounts through a method known as password mining. It is all done to conceal the fact that they have taken away a lot of information without leaving any trace behind. 

Google Workspace has been found vulnerable to a critical security flaw revealed in the past few days. Thousands of files on people's drives are at risk of silent theft by hackers due to this vulnerability. Due to the current trend of increased remote working and digital collaboration, and as a result of this alarming vulnerability, immediate attention must be given to ensuring the security and privacy of sensitive information. 

Mitiga Security researchers discovered a security vulnerability in Google Workspace that was previously unknown. The attacker could use this technique to exfiltrate data from Google Drive without leaving a trace. Due to a forensic vulnerability, this vulnerability allows a user to exfiltrate data from an application. This is without leaving a trail for anyone to see what they did. 

There is a security issue pertaining specifically to actions taken by users without a Google Workspace enterprise license. This makes it a particularly serious issue. There will be no documentation for the actions carried out on private drive-by users without a paid Google Workspace license. 

When hackers cancel their paid license and switch to a free "Cloud Identity Free" license, they can disable logging and recording on their computers. 

A great collaboration tool that Google offers is Google Workspace. There are, however, several security holes that exist in its security system. There is no such thing as an untouchable threat when it comes to data. When there is a lot of connectivity between things, cloud services can be extremely risky. An entire department's work can be overturned by one wrong link in a chain of documents that are all dependent on one another. 

There is a "Cloud Identity Free" license available by default to all Google Drive users. There are no logs kept in the system regarding actions performed by a user on their private drive. This is unless an administrator assigns a paid license to the user. In this environment, due to the lack of visibility, threat actors can manipulate or steal data without being detected. Two different methods can be used to exploit security vulnerabilities in a computer system. 

As a first method, a threat actor compromises a user's account, manipulates the license of that user, and allows the threat actor access to and download private files through the user's account. The only thing that is preserved during license revocation and reassignment is the logs that accompany the process. During the revoking of a paid license, the second method targets employees who are involved in the process. Despite being revoked, a license can still be useful for downloading sensitive files from a private drive if the account is not disabled before the license is revoked. 

A threat actor could easily revoke a cloud storage account's paid license by following a few simple steps, thereby reverting an account to the free "Cloud Identity Free" license if the account is compromised by a threat actor.

There is no record-keeping or logging functionality in the system, so this would turn it off. Once that was done, they could exfiltrate any files they wanted, without leaving any trace of what they did behind. As far as an administrator is concerned, all they may notice later is the fact that someone has revoked a paid license. 

A company called Mitiga says it notified Google that it had found the information, but the company has not responded. An important step of any post-mortem or hacking forensics process is to identify which files have been taken during a data breach so you can conduct your investigation accordingly. It can assist victims in determining what types of information were taken and, as a consequence, if there is a need to worry about identity theft, wire fraud, or something similar, help them establish if they are in danger. 

In addition to logging, one of the standard methods by which IT teams keep track of potential intrusions before causing severe damage is to ensure that all activity is logged appropriately. Google Drive accounts, on the other hand, are often left without adequate controls by hackers, which makes it easier for them to steal data undetected.

It is also imperative that cloud storage providers take more robust steps to protect user data to prevent vulnerabilities like this from occurring in the future. Even though Google has yet to reply to Mitiga's findings, the company will likely address this problem shortly. It will result in an enhanced level of security for its platform as a result. 

The users should remain vigilant while they are awaiting the emergence of the attacks and make sure they are protecting their data. It is also recommended that they regularly monitor their Google Drive accounts to make sure that there are no suspicious activities or unauthorized access. Further, it must be noted that strong passwords must be used and two-factor authentication must be used to prevent unauthorized access from happening. 

Many documents and files can be stolen, including confidential business documents, proprietary information, financial records, intellectual property, and personal documentation. Regulatory violations, as well as financial fraud, corporate espionage, reputation damage, and other potential economic repercussions, can result from data breaches on a large scale. This is far beyond a mere failure to recover data. 

Due to the alarming nature of this discovery, you must take immediate action to protect your sensitive data and protect yourself against potentially harmful hacks. 

To improve your organization's security posture, it is recommended you take the following steps: 

Make sure two-factor authentication is enabled in your account. Two-factor authentication on your Google Workspace account adds extra security. As a result, even if your login credentials are compromised, this will apply an additional security layer. This will ensure you cannot access your account until you pass an additional verification step. 

Stay Educated: Make the most of Google Workspace security alerts and advisories and keep up to date on the latest security threats. It is imperative to keep an eye on official sources, including Google's security bulletins and blogs, for more information regarding security threats. 

You need to educate your employees about the risks of phishing attacks. You need to give them the tools to act when interacting with suspicious emails and websites. Educate them about phishing risks and the importance of action when providing login credentials. Reporting suspicious activity promptly should be encouraged as part of organizational culture.

A Vulnerability in OAuth Exposed Social Media Logins to Account Takeover

 

As reported by security researchers, a new OAuth-related vulnerability in an open-source application development framework could allow Facebook, Google, Apple, and Twitter users to account takeover, personal data leaking, identity theft, financial fraud, and unauthorized actions on other online platforms. 

The security vulnerability was discovered in the Expo framework, which is used by numerous web businesses to implement the OAuth authentication protocol. CVE-2023-28131 has been assigned to the vulnerability, which is part of the software's social login capability. The vulnerability allows a bad actor to take activities on behalf of compromised online platform accounts. According to Salt Security's API Security Report, users witnessed a 117% rise in API attack traffic in 2016.

OAuth is a standard protocol that allows users to authorize access to private resources on one website or application to another without exposing their login credentials. This is a challenging procedure that can lead to security risks. Researchers from Salt Labs revealed that by altering some phases in the OAuth procedure on the Expo site, they could take control of other accounts and steal sensitive information such as credit card details, private messages, and health records - as well as perform operations online on behalf of other users.

Expo framework is an open-source platform for developing mobile and online applications. The Expo framework is utilized by 650,000 developers at a range of significant enterprises, according to Salt Security researchers.

The platform also enables developers to create native apps with a single codebase and offers a collection of tools, frameworks, and services to make the development process easier. "One of the included services is OAuth, which allows developers to easily integrate a social sign-in component into their website," according to the researchers.

Salt Labs researchers uncovered this vulnerability, which has the potential to compromise hundreds of firms using Expo, in a major online platform, Codecademy.com, which offers free coding education in a dozen programming languages.

On January 24, Salt Security discovered the vulnerability. It was reported to Expo on February 18, and the company immediately produced a hotfix and provided mitigation, but it "recommends that customers update their deployment to deprecate this service to fully remove the risk."

As noted by Aviad Carmel, a Salt Security security researcher, this is the second OAuth vulnerability uncovered in a third-party framework used by hundreds of businesses, and it might have affected hundreds of websites and apps.

The OAuth vulnerability, according to Carmel, was part of the social sign-in process, in which Expo acts as an intermediary and sends user credentials to the destination website.

"Exploiting this vulnerability involves intercepting the flow mentioned above. By doing so, an attacker can manipulate Expo to send the user credentials to his own malicious domain instead of the intended destination," Carmel said.

Carmel recommends organizations understand how OAuth works and which endpoints can receive user inputs to avoid making similar mistakes when using OAuth. Many vendors are reporting an increase in API assaults and vulnerabilities in open-source software at a time when API traffic is quickly increasing as a result of digital transformation programs. The largest breach in 2022 was caused by an API hack at Twitter, which revealed 221 million users' email addresses and other personal information.



This Twitter Bug is Making Users Secret Circle Tweets Public

 

Twitter launched Circle in August 2022, allowing you to limit your tweets to a chosen group of users without making your account private. While the function was designed to limit the visibility of your tweets to a group smaller than your number of followers, a recent issue has reportedly exposed your private tweets to many others outside your Circle, even if they do not follow you.

Many users have observed that tweets intended for Twitter Circles are reaching all followers rather than just those in the Circle. Amanda Silberling of TechCrunch, who saw another person's ostensibly private tweet, notes that personal posts display under Twitter's newly launched "For You" area.

Because the feature is intended to allow users to tweet secretly, many people use it to express sensitive thoughts and sentiments, as well as restricted media such as naked photographs, and the flaw poses a significant privacy risk to the account that posts all of those private tweets.

For months, Twitter Circle has been buggy. Certain users have reported that their tweets from the Circle have reached other followers outside of it. Meanwhile, some users claim that the tweets are available to anyone other than followers. Affected users discovered the flawed nature of the service when a few strangers responded with tweets intended for the inner circle.

While it's difficult to pinpoint a specific cause for the glitch, it could be related to recent changes to Twitter's recommendation algorithm, which divided the feed into "For You" and "Following" timelines. As the names suggest, For You also displays tweets from users you don't follow.

Elon Musk's private jet was made public on Twitter in October. Musk compared the incident to "doxing" and responded by suspending the @ElonJet account as well as the accounts of journalists who reported on it. 

However, when it comes to users' privacy — despite using a mechanism that ostensibly guarantees it — Musk does not appear to be concerned. Twitter Circle has allegedly been plagued by bugs for several months. These difficulties have not piqued Twitter's interest, despite the digital titan persistently promoting the platform's paid tier, Twitter Blue.

This could be considered a violation of users' permission and a data breach under EU legislation. Any monetary punishment, however, may be subject to interference by US authorities and legislators.


Hackers can Open Smart Garage Doors From Anywhere in the World

 

According to findings from a security researcher, hackers can remotely tap into a specific brand of smart garage door opener controllers and open them all over the world due to a number of security weaknesses that the firm, Nexx, has refused to repair. 

The flaws represent a major risk to Nexx users, who have access to wi-fi-connected garage door opener controllers among other things. As per a copy of an email obtained with Motherboard, the researcher who discovered the vulnerability claims that Nexx has not reacted to their attempts to responsibly report the vulnerabilities for months.

“Completely remote. Anywhere in the world,” Sam Sabetan, the security researcher, told Motherboard, describing the hack.

Nexx describes its goods as "easy-to-use products that work with things you already own." Its garage product links to a person's existing garage door opener and allows them to remotely activate it via a smartphone app. “Life is complicated enough. Remembering whether or not you left your garage door open should be the least of your worries: Get peace of mind,” the company advertises on its website. Nexx has run campaigns on Kickstarter.

Sabtean demonstrated the hack in a video proof-of-concept. It shows his fist unlocking his own garage door with the Nexx app, as promised. He then accesses a tool that allows him to read communications sent by the Nexx device. Sabetan uses the app to close the door and records the data that the device sends to Nexx's server during this activity.

Sabetan not only receives information on his own device but also messages from 558 other gadgets. According to the video, he can now see the device ID, email address, and name associated with each. He then sends an order to the garage via software rather than the app, and his door opens once more. Sabetan only tested this on his own garage door, but he could have used this technique to open other users' garage doors as well.

Sabetan told Motherboard he could open doors “for any customer.” “That’s the craziest bug. But the disabling alarm and turning on [and] off smart plugs is pretty neat too,” he added, referring to another Nexx product that allows users to control power outlets in their home.

The repercussions of someone weaponizing these vulnerabilities are far-reaching, and might pose a serious security risk to Nexx's clients. A hacker might randomly open Nexx doors all across the world, exposing their garage contents and possibly their homes to opportunistic robbers. Pets could flee. Customers may become irritated if they see someone opening and closing their property without knowing why. In more extreme circumstances, a hacker could exploit the flaws as part of a targeted assault against the particular garage that used Nexx’s security system.

Sabetan and Motherboard have made numerous attempts to contact Nexx about the problems. Sabetan claimed that the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) had tried to contact him. The corporation has not responded or fixed the issues. This means that security flaws are still available to hackers who desire to exploit them. As a result, Motherboard will not go to great lengths on them, instead focusing on their influence on customers. On Tuesday, CISA issued its own advisory regarding security issues.

Nexx appears to be purposefully disregarding at least some inquiries attempting to alert them to the vulnerabilities. Sabetan contacted Nexx's support again because Nexx's support email did not react to his vulnerability report, this time stating that he needed assistance with his own Nexx product. According to a copy of the email Sabetan shared with Motherboard, Nexx's support personnel responded at the time.

“Great to know your support is alive and well and that I’ve been ignored for two months,” Sabetan replied. Please respond to ticket [ticket number,” he wrote, referring to his vulnerability report.


Microsoft Conduct an Emergency Fix for the Notorious ‘Acropalypse’ Bug


Recently, Microsoft has acted quickly in patching up the ‘acropalypse’ bug that was discovered earlier this week. The bug could apparently enable information cropped out of images via the Windows screenshot tools to be recovered. 

According to BleepingComputer, Microsoft has now issued an OOB (out-of-band or emergency) update that patches the aforementioned issue, technically named CVE-2023-28303. Microsoft is now urging users to apply the update as soon as possible. 

Furthermore, the update is not difficult to apply. All that the user has to do is click the Library icon in Microsoft Store, then pick Get updates (top right). Doing so will enable the patch to be applied if it has not already been installed automatically. 

Carry on Cropping 

The acropalypse bug shares some similarities with the vulnerability that targeted the Markup feature on Google Pixel phones, i.e. images and screenshots cropped in the Windows 11 Snipping Tool and the Windows 10 Snip and Sketch tool could well be compromised. 

The CVE-2023-28303 bug signifies that parts of a PNG or JPEG image that has been cropped out are not completely removed from the file after it is saved again. These cropped sections could include a variety of sensitive information, like bank account credentials or medical records. 

Moreover, it is important to note that applying the patch would not be able to fix any file that has already been cropped and exploited. It will only be applied to the ones that will be edited in the future. Users must re-crop any existing images to ensure that the excess parts of the picture have been appropriately removed. 

Analysis: A Quick Fix for a Worrying Bug 

Initially, recovering cropped out part of images may not appear to be a significantly severe security vulnerability- after all, who would care if someone manages to recover some empty sky that you have removed from that one photo from one of your vacations? 

However, there are a lot of reasons that makes cropping is a serious problem, as tech journalists know all too well. One could compromise their personal and important information from these cropped images, like email address, bank account numbers and contact details. Thus, it is well advised to users to cut off any information as such information before sharing it widely over the internet. 

In today’s era, where one shares so many photos with others and on the web at large, it is important from a security perspective that these images do not, in any way, expose more than we want them to, something that was a case of concern with CVE-2023-28303. 

Although, Microsoft has acted quickly to patch the issue, it is still concerning to note that the same bug was being exposed to two completely separated software from both Microsoft and Google in recent days.  

How SMB Protocol Functions and its Susceptibility to Vulnerabilities

 

The SMB protocol enables computers connected to the same network to share files and hardware such as printers and external hard drives. However, the protocol's popularity has also led to an increase in malicious attacks, as older versions of SMB do not use encryption and can be exploited by hackers to access sensitive data. It is crucial to understand the different types of SMB and how to stay protected from associated risks. 

The Server Message Block (SMB) is a network protocol used for sharing data between devices on a local or wide area network. Originally developed by IBM in the mid-1980s for file sharing in DOS, it has since been adopted by other operating systems including Microsoft's Windows, Linux, and macOS.

The SMB protocol plays a crucial role in the regular activities of various businesses and groups by providing a convenient means of retrieving files and accessing resources from other computers connected to the network.

Consider a scenario where you are part of a team whose members operate from distinct locations. In such situations, the SMB protocol is an excellent tool for swiftly and effortlessly exchanging files. It enables every team member to retrieve identical data and collaborate on assignments. Several individuals can remotely view or modify the same file as if it were stored on their personal computers.

How Does the SMB Protocol Function?

To establish a connection between the client and server, the SMB protocol employs the request and response method. Here are the steps to make it work:

Step 1: Client request: The client (the device making the request) sends an SMB packet to the server. The packet includes the complete path to the requested file or resource.

Step 2: Server response: The server (the device that has access to the requested file or resource) evaluates the request and, if successful, responds with an SMB packet containing additional information on how to access the data.

Step 3: Client Process: The client receives the response and then processes the data or resource as needed.

SMB Protocol Types

The SMB protocol has seen a few upgrades as technology has advanced. There are several types of SMB protocols available today, including:
  • SMB Version 1: This is the original version of the SMB protocol, released by IBM in 1984 for file exchange on DOS. It was later modified by Microsoft for use on Windows.
  • CIFS: The Common Internet File System (CIFS) is a modified version of SMBv1 that was designed to allow for the sharing of larger files. It was first included in Windows 95.
  • SMB Version 2: SMB v2 was released by Microsoft in 2006 with Windows Vista as a more secure and efficient alternative to previous versions. This protocol added features like improved authentication, larger packet sizes, and fewer commands.
  • SMB Version 3: SMB v3 was released by Microsoft with Windows 8. It was created to boost performance while also adding support for end-to-end encryption and improved authentication methods.
  • Version 3.1.1 of SMB: The most recent version of the SMB protocol was released with Windows 10 in 2015, and it is fully compatible with all previous versions. It adds new security features such as AES-128 encryption and enhanced security features to combat malicious attacks.
What Are the SMB Protocol's Risks?

Although the SMB protocol has been a valuable asset to many businesses, it also poses some security risks. This protocol has been used by hackers to gain access to corporate systems and networks. It has evolved into one of the most popular attack vectors used by cyber criminals to breach systems.

Worse, despite the availability of upgraded versions of SMB, many Windows devices continue to use the older, less secure versions 1 or 2. This increases the likelihood that malicious actors will exploit these devices and gain access to sensitive data.

The following are the most common SMB exploits.
  • Brute Force Attacks
  • Man-in-the-Middle Attacks
  • Buffer Overflow Attacks
  • Ransomware Attacks
  • Remote Code Execution
Maintain Your Safety While Employing the SMB Protocol

Despite the risks associated with the SMB protocol, it remains an important component of Windows. As a result, it is critical to ensure that all business systems and networks are protected from malicious attacks.

To stay safe, only use the most recent version of the SMB protocol, keep your security software up to date, and keep an eye on your network for unusual activity. It is also critical to train your staff on cybersecurity best practices and to ensure that all users use strong passwords. By taking these precautions, you can keep your company safe from malicious attacks.

Specifically, Targeted VMware RCE Vulnerabilities

 


As of today, VMware's vRealize Log Insight platform is vulnerable to three security vulnerabilities, that have been exposed by publicly available exploit code. This has enabled cybercriminals to weaponize these vulnerabilities in a variety of ways. Several critical unauthenticated remote code execution (RCE) bugs have been found. 

In the vRealize Log Insight platform, VMware claims that the platform is moving forward under the name Aria Operations, which provides intelligent log management for infrastructures and applications "in any environment," VMware states. In addition to offering IT departments visibility across physical, virtual, and cloud environments, dashboards and analytics are also able to be extended by third parties. This is done through the use of third-party extensions. 

This platform is typically incorporated into an appliance and can gain access to sensitive areas of an organization's IT infrastructure across a wide range of devices. 

Once an attacker has gained access to the Log Insight host, he could exploit some interesting features depending on the type of application he integrates with. This is according to Horizon.ai researcher James Horseman, who examined the publicly available exploit code. Often, the ingested logs may include sensitive information from other services. This includes session tokens, API keys, and personally identifiable information, all of which can be gathered during an attack. Having acquired keys and sessions on one system, one could pivot to another. This would enable one to further compromise the system by obtaining the key and session from the other system. 

As a result, according to Dustin Childs, chief executive officer of Trend Micro's Zero Day Initiative (ZDI), the organization responsible for disclosing the vulnerabilities, organizations need to be aware of the risks associated, particularly since these bugs and their accessibility are low barriers to exploitation. 

This type of centralized log management tool can be used in an enterprise to do centralized log management. However, using this tool for this type of centralized log control poses a substantial risk for the enterprise. This is because VMware recommends that the patch be tested and deployed as quickly as possible after it has been received by you. 

VMware vRealize Log Insight Bugs: An In-Depth Look 

According to the original VMware advisory, both critical issues carry severity scores of 9.8 out of 10. As a result, malicious actors may be able to inject files into an impacted appliance's operating system. This could result in remote code execution if an unauthenticated, malicious actor can perform such a task. 

A first-case vulnerability (CVE-2022-3172) allows an attacker to traverse a directory, which is the most serious vulnerability; a second-case vulnerability (CVE-2022-31704) allows an attacker to exploit some issues with access control. 

As for the third flaw, it is a denial of service vulnerability that is less likely to trigger a denial of service due to its risk of being exploited by an unauthenticated malicious actor (CVE-2022-31710, CVSS 7.5), which could allow an unauthenticated malicious actor to remotely trigger a denial of service. 

Creating a Bug Chain to Facilitate a full Takeover of a System

It was revealed by researchers at Horizon.ai that the three exploit issues could have been chained together after they identified the code in the wild. This led VMware to update its advisory today as a result. 

As Horseman wrote, it is apparent that this particular vulnerability chain [combined] can be exploited very easily. However, he added that it requires some kind of infrastructure setup to serve malicious payloads to the attacker. There is an issue with this vulnerability that allows remote code execution as root, which means an attacker can take full control of a computer by exploiting this vulnerability. 

However, he did point out that the product is intended for use in an internal network. There were 45 cases out there in which the appliances were discovered to be publicly exposed on the internet based on Shodan data. Despite that, it should be noted that the chain can be used both internally and externally. 

"It's very likely that the attacker already has a foothold somewhere else on the network by the time they target this product since this product is not likely to be exposed to the Internet," he noted. To determine if there has been any damage caused by an attacker, additional investigation is necessary.

The virtualization giant released a cache containing the three vulnerabilities last week as part of a larger cache that contained one other weakness. A medium-severity vulnerability that has the potential to enable data harvesting without authentication (CVE-2022-31711, CVSS 5.3) is another weakness. Currently, there is no public exploit code for the latter, but that could change shortly, especially since cybercriminals are becoming increasingly interested in VMware's offerings. 

Likely, other issues could also be exploited in a variety of ways in the future. To prove that the vulnerabilities exist, ZDI's children claim that they have proof-of-concept code available. The researchers did not think it would be a surprise if others were able to come up with an exploit quickly. 

What are the Best Practices for Protecting an Enterprise? 

Admins should apply VMware's patches to their organizations as soon as possible to ensure that their organizations are protected, or use another workaround recommended by VMware. A recent release by Horizon.ai has also enabled organizations to track the progress of any attacks by publishing indicators of compromise (IoCs). 

The key to ensuring that your log data is protected is to make sure that you are using either vRealize or Aria Operations for centralized log management, Childs advises. Aside from patching, which should be the first step, there are other things to consider. These include whether it is connected to the Internet and whether there is an IP restriction on who can access the platform. Furthermore, it reminds us that every tool or product within an organization is a potential target for an attacker to gain a foothold.   

ISC Issues Security Updates to Address New BIND DNS Software Bugs

 

The Internet Systems Consortium (ISC) has issued updates to address multiple security flaws in the Berkeley Internet Name Domain (BIND) 9 Domain Name System (DNS) software suite, which could result in a denial-of-service (DoS) condition. 

According to its website, the open-source software is utilized by major financial institutions, national and international carriers, internet service providers (ISPs), retailers, manufacturers, educational institutions, and government entities. 

All four flaws are found in name, a BIND9 service that acts as an authoritative nameserver for a predefined set of DNS zones or as a recursive resolver for local network clients. The following are the bugs that have been rated 7.5 on the CVSS scoring system:
  • CVE-2022-3094 - An UPDATE message flood may cause named to exhaust all available memory
  • CVE-2022-3488 - BIND Supported Preview Edition named may terminate unexpectedly when processing ECS options in repeated responses to iterative queries
  • CVE-2022-3736 - named configured to answer from stale cache may terminate unexpectedly while processing RRSIG queries
  • CVE-2022-3924 - named configured to answer from stale cache may terminate unexpectedly at recursive-clients soft quota
Exploiting the vulnerabilities successfully could cause the named service to crash or exhaust available memory on a target server.

Versions 9.16.0 to 9.16.36, 9.18.0 to 9.18.10, 9.19.0 to 9.19.8, and 9.16.8-S1 to 9.16.36-S1 are affected. CVE-2022-3488 affects BIND Supported Preview Edition 9.11.4-S1 through 9.11.37-S1. They've been fixed in 9.16.37, 9.18.11, 9.19.9, and 9.16.37-S1.

Although there is no evidence that any of these vulnerabilities are actively exploited, users are advised to upgrade to the most recent version as soon as possible in order to reduce potential threats.

GitHub Introduces Private Flaw Reporting to Secure Software Supply Chain

 

GitHub, a Microsoft-owned code hosting platform, has announced the launch of a direct channel for security researchers to report vulnerabilities in public repositories that allow it. The new private vulnerability reporting capability allows repository administrators to enable security researchers to report any vulnerabilities found in their code to them. 

Some repositories may include instructions on how to contact the maintainers for vulnerability reporting, but for those that do not, researchers frequently report issues publicly. Whether the researcher reports the vulnerability through social media or by creating a public issue, this method may make vulnerability details insufficiently public. 

To avoid such situations, GitHub has implemented private reporting, which allows researchers to contact repository maintainers who are willing to enroll directly. If the functionality is enabled, the reporting security researchers are given a simple form to fill out with information about the identified problem.

According to GitHub, "anyone with admin access to a public repository can enable and disable private vulnerability reporting for the repository." When a vulnerability is reported, the repository maintainer is notified and can either accept or reject the report or ask additional questions about the issue.

According to GitHub, the benefits of the new capability include the ability to discuss vulnerability details privately, receiving reports directly on the same platform where the issue is discussed and addressed, initiating the advisory report, and a lower risk of being contacted publicly.

Private vulnerability reporting can be enabled from the repository's main page's 'Settings' section, in the 'Security' section of the sidebar, under 'Code security and analysis.' Once the functionality is enabled, security researchers can submit reports by clicking on a new 'Report a vulnerability' button on the repository's 'Advisories' page.

The private vulnerability reporting was announced at the GitHub Universe 2022 global developer event, along with the general availability of CodeQL support for Ruby, a new security risk and coverage view for GitHub Enterprise users, and funding for open-source developers.

The platform will provide a $20,000 incentive to 20 developers who maintain open-source repositories through the new GitHub Accelerator initiative. While, the new $10 million M12 GitHub Fund will support future open-source companies.

Several Flaws Affect the Juniper Junos OS

 

Multiple high-severity security flaws in Juniper Networks devices have been discovered. The most serious is a CVSS score of 8.1 for a remote pre-authenticated PHP archive file deserialization vulnerability tracked as CVE-2022-22241. The vulnerability was found in Junos OS's J-Web component. An attacker can exploit the flaw by sending a specially crafted POST request, causing deserialization that could result in unauthorized local file access or arbitrary code execution. 

“Multiple vulnerabilities have been found in the J-Web component of Juniper Networks Junos OS. One or more of these issues could lead to unauthorized local file access, cross-site scripting attacks, path injection and traversal, or local file inclusion.” reads the advisory published by the vendor. 

“Phar files (PHP Archive) files contain metadata in serialized format, which when parsed by a PHP file operation function leads to the metadata getting deserialized. An attacker can abuse this behavior to exploit an object instantiation vulnerability inside the Juniper codebase.” reads the analysis published by Octagon Networks. 

“This vulnerability can be exploited by an unauthenticated remote attacker to get remote phar files deserialized, leading to arbitrary file write, which leads to a remote code execution (RCE) vulnerability.” 

Other vulnerabilities discovered by the experts are:
  • CVE-2022-22242: pre-authenticated reflected XSS on the error page. 
  • CVE-2022-22243: XPATH Injection in jsdm/ajax/wizards/setup/setup.php
  • CVE-2022-22244: XPATH Injection in send_raw() method.
  • CVE-2022-22245: Path traversal during file upload leads to RCE.
  • CVE-2022-22246: PHP file include /jrest.php.  
To address the flaws,  the vendor released patches for Junos OS versions 19.1R3-S9, 19.2R3-S6, 19.3R3-S7, 19.4R3-S9, 20.1R3-S5, 20.2R3-S5, 20.3R3-S5, 20.4R3-S4, 21.1R3-S2, 21.3R3, 21.4R3, 22.1R2, 22.2R1, and more.

Fortinet Alerts: Active Exploitation of Newly Discovered Critical Auth Bypass Bug

 

Fortinet revealed on Monday that a recently patched critical security vulnerability affecting its firewall and proxy products is being actively exploited in the wild. 
The flaw, identified as CVE-2022-40684 (CVSS score: 9.6), concerns an authentication bypass in FortiOS, FortiProxy, and FortiSwitchManager that could allow a remote attacker to perform unauthorised operations on the administrative interface via specially crafted HTTP(S) requests. 

"Fortinet is aware of an instance where this vulnerability was exploited, and recommends immediately validating your systems against the following indicator of compromise in the device's logs: user='Local_Process_Access,'" the company noted in an advisory.

The list of impacted devices is below -
  • FortiOS version 7.2.0 through 7.2.1
  • FortiOS version 7.0.0 through 7.0.6
  • FortiProxy version 7.2.0
  • FortiProxy version 7.0.0 through 7.0.6
  • FortiSwitchManager version 7.2.0, and
  • FortiSwitchManager version 7.0.0
Updates have been released by the security company in FortiOS versions 7.0.7 and 7.2.2, FortiProxy versions 7.0.7 and 7.2.1, and FortiSwitchManager version 7.2.1.

The security firm has released updates for FortiOS versions 7.0.7 and 7.2.2, FortiProxy versions 7.0.7 and 7.2.1, and FortiSwitchManager version 7.2.1. The announcement comes just days after Fortinet sent "confidential advance customer communications" to its customers, urging them to install patches to prevent potential attacks exploiting the flaw. If updating to the latest version is not an option, users should disable the  HTTP/HTTPS administrative interface, or alternatively limit IP addresses that can access the administrative interface.

Dex: ID Service Patches Bug that Allows Unauthorized Access to Client Applications

 

The renowned OpenID Connect (OIDC) identity service, Dex has detected and patched a critical vulnerability. The bug allows a threat actor access to the victim's ID tokens via intercepted authorization code, potentially accessing clients’ applications without authorization. The vulnerability was patched by Sigstore developers Hayden Blauzvern, Bob Callaway, and ‘joernchen', who initially reported the bug. 

The open-source sandbox project of Cloud Native Computing Foundation, Dex utilizes an identification layer on top of OAuth 2.0, providing authentication to other applications.  

Dex acts as a portal to other identity providers through certain ‘connectors’, ranging from authentication to LDAP servers, SAML providers, or identity providers like GitHub, Google, and Active Directory. As a result, Dex claims 35.6 million downloads to date. As stated in the Developer's notification, the bug affects “Dex instances with the public clients (and by extension, clients accepting tokens issued by those Dex instances.” 

As per the discovery made by security researchers, the threat actor can steal an OAuth authentication code by luring the victim to enter a malicious website and further, leading him into the OIDC flow. Thence the victim is tricked into exchanging the authorization code for a token, which allows access to applications that accept the token. As the exploit can be used multiple times, the threat actor can get a new token every time the old one expires.  

The bug thus comes into existence because the authentication process instigates a persistent “connector state parameter" as the request ID to look up the OAuth code. 

“Once the user has successfully authenticated, if the webserver is able to call /approval before the victim’s browser calls /approval, then an attacker can fetch the Dex OAuth code which can be exchanged for an ID token using the /token endpoint,” the advisory stated. The users are advised to update to version 2.35.0, as the vulnerability, having the CVSS rating of 9.3, affects versions 2.34.0 and older.  

The bug was fixed by introducing a hash-based message authentication (HMAC) code, that utilizes a randomly generated per-request secret, oblivious to the threat actor, and is persisted between the initial login and the approval request, making the server request unpredictable.

Attackers Exploiting Unpatched RCE Flaw in Zimbra Collaboration Suite

 

Hackers are actively attempting to exploit an unpatched remote code execution (RCE) vulnerability in Zimbra Collaboration Suite (ZCS), a popular web client and email server. 

The CVE-2022-41352 zero-day security flaw is rated critical (CVSS v3 score: 9.8) and enables an attacker to upload arbitrary files via "Amavis" (email security system). An attacker who successfully exploits the vulnerability can overwrite the Zimbra webroot, insert a shellcode, and gain access to other users' accounts. 

The zero-day vulnerability was discovered at the beginning of September when administrators posted details about attacks on Zimbra forums.

Due to  insecure cpio usage

The vulnerability is caused by Amavis' use of the 'cpio' file archiving utility to extract archives when scanning a file for viruses. An exploitable flaw in the cpio component enables an attacker to create archives that can be extracted anywhere on a Zimbra-accessible filesystem.

When an email is sent to a Zimbra server, the Amavis security system extracts the archive and scans its contents for viruses. If it extracts a specially crafted.cpio,.tar, or.rpm archive, the contents may be extracted to the Zimbra webroot. An attacker could exploit this vulnerability to deploy web shells to the Zimbra root, effectively giving them shell access to the server.

On September 14, Zimbra issued a security advisory advising system administrators to install Pax, a portable archiving utility, and restart their Zimbra servers to replace the vulnerable component, cpio.
Installing Pax solves the problem because Amavis prefers it over cpio by default, so no further configuration is required.

"If the pax package is not installed, Amavis will fall-back to using cpio, unfortunately the fall-back is implemented poorly (by Amavis) and will allow an unauthenticated attacker to create and overwrite files on the Zimbra server, including the Zimbra webroot," warned the September security advisory.

"For most Ubuntu servers the pax package should already be installed as it is a dependency of Zimbra. Due to a packaging change in CentOS, there is a high chance pax is not installed."

Vulnerability is being actively exploited

While the vulnerability has been actively exploited since September, a new Rapid7 report sheds new light on its active exploitation and includes a proof-of-concept exploit that allows attackers to easily create malicious archives.

Worse, Rapid7 tests show that many Linux distributions officially supported by Zimbra still do not install Pax by default, leaving these installations vulnerable to the bug.

Oracle Linux 8, Red Hat Enterprise Linux 8, Rocky Linux 8, and CentOS 8 are among these distributions. Pax was included in earlier LTS releases of Ubuntu, 18.04 and 20.04, but it was removed in 22.04. Zimbra plans to mitigate this issue decisively by deprecating cpio and making Pax a prerequisite for Zimbra Collaboration Suite, thus enforcing its use.

Since proof-of-concept (PoC) exploits have been publicly available for some time, the risk of failing to implement the workaround is severe. Zimbra intends to address this issue decisively by deprecating cpio and making Pax a requirement for Zimbra Collaboration Suite, thereby mandating its use. 

"In addition to this cpio 0-day vulnerability, Zimbra also suffers from a 0-day privilege escalation vulnerability, which has a Metasploit module. That means that this 0-day in cpio can lead directly to a remote root compromise of Zimbra Collaboration Suite servers," further warn the researchers.

However, the risks persist for existing installations, so administrators must act quickly to protect their ZCS servers.

Researchers Recently Made the World's Websites Less Vulnerable to Hacking and Cyberattacks

 

An international team of researchers has created a scanning tool to reduce the vulnerability of websites to hacking and cyberattacks. The black box security assessment prototype, which was tested by engineers in Australia, Pakistan, and the UAE, outperforms existing web scanners, which collectively fail to detect the top ten weaknesses in web applications. 

Dr Yousef Amer, a mechanical and systems engineer at UniSA, is one of the co-authors of a new international paper that describes the tool's development in the wake of increasing global cyberattacks. Cybercrime cost the globe $6 trillion in 2021, representing a 300 percent increase in online criminal activity over the previous two years. 

Remote working, cloud-based platforms, malware, and phishing scams have resulted in massive data breaches, while the implementation of5G and Internet of Things (IoT) devices has made us more connected – and vulnerable – than ever. Dr. Yousef Amer and colleagues from Pakistan, the United Arab Emirates, and Western Sydney University highlight numerous security flaws in website applications that are costing organisations badly.

Because of the pervasive use of eCommerce, iBanking, and eGovernment sites, web applications have become a prime target for cybercriminals looking to steal personal and corporate information and disrupt business operations. Despite an anticipated $170 billion global outlay on internet security in 2022 against a backdrop of escalating and more severe cyberattacks, existing web scanners, according to Dr. Amer, fall far short of evaluating vulnerabilities.

“We have identified that most of the publicly available scanners have weaknesses and are not doing the job they should,” he says.

Almost 72% of businesses have experienced at least one serious security breach on their website, with vulnerabilities tripling since 2017. According to WhiteHat Security, a world leader in web application security, 86% of scanned web pages have on average 56% vulnerabilities. At least one of these is classified as critical. The researchers compared the top ten vulnerabilities to 11 publicly available web application scanners.

“We found that no single scanner is capable of countering all these vulnerabilities, but our prototype tool caters for all these challenges. It’s basically a one-stop guide to ensure 100 per cent website security. There’s a dire need to audit websites and ensure they are secure if we are to curb these breaches and save companies and governments millions of dollars,”Dr Amer stated.

'Witchetty’ Group Targeted Middle Eastern Gov, Stock Exchange of African Nation

 

A cyber-espionage group is targeting the governments of several Middle Eastern countries and has previously attacked an African country's stock exchange, stealing massive amounts of data with malware. 

The Symantec Threat Hunter Team named the espionage group "Witchetty" in a report published Thursday, but it has also been known as "LookingFrog." Witchetty attacks are distinguished by the use of two pieces of malware: X4 and a second-stage payload known as LookBack. 

“From what we can see, their end goal is classic espionage, finding computers on the network, stealing data and exfiltrating it out of the organization,” said Dick O’Brien, a member of the Symantec Threat Hunter team.

In recent months, the group has been updating its tools to use steganography, a technique in which hackers hide malicious code within an image. In Witchetty's case, the malware is disguised as a Microsoft Windows logo.

Symantec tracked the group's attacks from February to September, noting that the attackers used ProxyShell (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) and ProxyLogon (CVE-2021-26855 and CVE-2021-27065) vulnerabilities to obtain access in three incidents.

According to several national cybersecurity agencies, ProxyShell and ProxyLogon are among the most commonly exploited vulnerabilities by threat groups. They stole credentials, moved laterally across the network, and installed malware on other computers from there.

The attackers used the ProxyShell vulnerability to launch an attack on a Middle Eastern government agency on February 27. The hackers moved around the network for several months, exfiltrating data and stealing other information. The hackers' most recent actions occurred on September 1, when they downloaded several remote files.

O'Brien told The Record that they do not have enough information to make an attribution at this time, but that Witchetty was first discovered in April by ESET researchers, who stated it was part of a larger cyber-espionage operation linked to the Chinese state-backed advanced persistent threat (APT) group Cicada or APT10. According to ESET, the group has specifically targeted governments, diplomatic missions, charities, and industrial/manufacturing organisations.

Symantec previously linked the group to a VLC Media Player attack campaign, prompting the Indian government to outright ban the popular programme earlier this year. The group was accused in February of carrying out a months-long attack on Taiwan's financial sector.

APT10, according to the anonymous research group IntrusionTruth, was based in Tianjin, China, and allegedly operated out of the Tianjin State Security Bureau, a regional arm of the Chinese Ministry of State Security. In the summer of 2018, Rapid7 and Recorded Future implicated the group in another attack on Norwegian cloud service provider Visma AG.

Watchdog Finds, Over Half of Operating Systems at VA Medical Center in Texas are Outdated

 

According to an IT security assessment released on Tuesday by the Department of Veterans Affairs' Office of Inspector General, more than half of the network switches at the Harlingen VA Health Care Center in Harlingen, Texas, were running outdated operating systems and did not meet the department's baseline configurations. 

The audit was conducted to evaluate whether Harlingen was complying with the Federal Information Security Management Act, or FISMA, information security safeguards. The OIG stated that it chose Harlingen for an assessment because it had not previously been reviewed during the annual FISMA audit. 

Harlingen is part of the Texas Valley Coastal Bend Healthcare System, which receives approximately 300,000 outpatient visits per year. The OIG discovered flaws in three of the four security control areas at Harlingen, including configuration management, contingency planning and access controls. OIG’s inspection team did not document any issues with the center’s security management.

OIG discovered flaws in three of Harlingen's four security control areas, including configuration management, contingency planning, and access controls. The OIG inspection team found no problems with the centre's security management.

The audit found significant flaws in Harlingen's configuration management controls, which were used to identify and track the centre's hardware and software components. These flaws included an inaccurate component inventory list, unaddressed security flaws, and an inability to identify all critical and high-risk vulnerabilities across the centre's network.

Most concerning was OIG’s finding that “almost 53 per cent of the Harlingen centre’s network switches used operating systems that no longer receive maintenance or vulnerability support from the vendor.” And the outdated devices did not meet the baseline configurations for network equipment mandated by the VA Office of Information and Technology Configuration Control Board, which reflect “agreed-on specifications for systems or configuration items within those systems." 

“Network devices and IT systems are an organization’s most critical infrastructure,” OIG said in its assessment. “Upgrading is not just a defensive strategy but a proactive one that protects network stability.”

Despite VA's use of an automated inventory system, the OIG assessment revealed varying tallies of IT components at Harlingen. The VA discovered 1,568 devices at the centre, while the OIG assessment team discovered 1,544 devices on the Harlingen network. However, according to the audit, VA's Enterprise Mission Assurance Support Services system, or eMASS, which "allows for FISMA systems inventory tracking and reporting activities," only identified 942 devices.

“Because VA’s eMASS is used for developing system security and privacy plans, without an accurate inventory of network devices in eMASS, VA has no assurance that these plans implement security controls for all the components within the system,” the audit said. 

OIG's inspection team also compared on-site vulnerability scans from Jan. 10 to Jan. 13, 2022, with those conducted remotely by VA's Office of Information and Technology, and discovered 16 serious vulnerabilities on the Harlingen network that had not been mitigated within VA's established timeframe for addressing vulnerabilities. These included "five critical vulnerabilities on less than 1% of the computers and 11 high-risk vulnerabilities."

The OIG's inspection team also discovered that database managers were not adequately maintaining log data; that computer rooms and communications closets throughout the facility lacked fire detection systems; and that the computer room housing the center's police servers lacked a visitor access log. Furthermore, the OIG discovered that Harlingen's contingency plan "did not fully address reconstituting all systems to restore IT operations to a fully operational state following a disaster."

The OIG made four recommendations to the VA's assistant secretary for information and technology and chief information officer "due to enterprise-wide IT security issues similar to those identified during previous FISMA audits and IT security reviews." The OIG also made another recommendation to Harlingen's director to “validate that appropriate physical and environmental security measures are implemented and functioning as intended.” VA concurred with all five recommendations. 

VA has long struggled to meet FISMA requirements, with the Government Accountability Office stating in a November 2019 report that VA was one of the federal agencies with inadequate information security protections, including when it came to implementing effective security controls and mitigating vulnerabilities.

On Sept. 22, the OIG released a separate IT security assessment of the Alexandria VA Medical Center in Pineville, Louisiana, documenting deficiencies in three of the facility's four security control areas and discovering "critical and high-risk vulnerabilities on 37% of the devices."

The FISMA audit of VA's agencywide compliance for fiscal year 2021, released in April, found that the department as a whole "continues to face significant challenges in complying with FISMA due to the nature and maturity of its information security program.” OIG noted in Tuesday’s assessment of Harlingen that the FY2021 FISMA audit made 26 recommendations to VA, and that “all 26 recommendations were repeated from the prior year.”

BIND Updates Patch High-Severity Flaws

The Internet Systems Consortium (ISC) announced this week the availability of patches for six remotely exploitable vulnerabilities in the widely used BIND DNS software. 

Four of the fixed security vulnerabilities have a severity rating of 'high.' All four have the potential to cause a denial-of-service (DoS) condition. The first of these is CVE-2022-2906, which affects "key processing when using TKEY records in Diffie-Hellman mode with OpenSSL 3.0.0 and later versions," according to ISC's advisory. 

A remote attacker could use the flaw to gradually deplete available memory, resulting in a crash. Because the attacker could exploit the vulnerability again after restarting, "there is the potential for service denial," according to ISC.

The second flaw, tracked as CVE-2022-3080, may cause the BIND 9 resolver to crash under certain conditions when crafted queries are sent to the resolver. According to ISC, CVE-2022-38177 is a memory leak issue in the DNSSEC verification code for the ECDSA algorithm that can be triggered by a signature length mismatch.

“By spoofing the target resolver with responses that have a malformed ECDSA signature, an attacker can trigger a small memory leak. It is possible to gradually erode available memory to the point where named crashes for lack of resources,” ISC explains.

CVE-2022-38178, a memory leak affecting the DNSSEC verification code for the EdDSA algorithm that can be triggered by malformed ECDSA signatures, is the fourth high-severity bug addressed in BIND 9. BIND 9.18 (stable branch), BIND 9.19 (development version), and BIND 9.16 all received updates (Extended Support Version). As per ISC, no public exploits targeting these vulnerabilities are known.

The US Cybersecurity and Infrastructure Security Agency (CISA) urged users and administrators on Thursday to review ISC's advisories for these four security holes and apply the available patches as soon as possible.