Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label CVE vulnerability. Show all posts

APT29 Strikes: WinRAR Exploits in Embassy Cyber Attacks

During the latest wave of cyberattacks, foreign embassies have been the target of a malicious group known as APT29. They have employed a highly complex attack method that takes advantage of weaknesses in WinRAR, a widely used file compression software. There have been shockwaves throughout the cybersecurity world due to this worrisome disclosure, leading to immediate action to strengthen digital defenses.

According to reports from cybersecurity experts, APT29 has ingeniously employed the NGROK feature in conjunction with a WinRAR exploit to infiltrate embassy networks. The NGROK service, designed for secure tunneling to localhost, has been repurposed by hackers to conceal their malicious activities, making detection and attribution a formidable challenge.

WinRAR, a widely used application for compressing and decompressing files, has been targeted due to a specific vulnerability, identified as CVE-2023-38831. This flaw allows the attackers to execute arbitrary code on the targeted systems, giving them unfettered access to sensitive information stored within embassy networks.

The attacks, initially discovered by cybersecurity researchers, have been corroborated by the Ukrainian National Security and Defense Council (RNBO). Their November report outlines the APT29 campaigns, shedding light on the extent of the damage inflicted by these cyber intruders.

The fact that foreign embassies are specifically being targeted by this onslaught is very disturbing. Because these organizations handle so much private, political, and diplomatic data, they are often the focus of state-sponsored cyber espionage. The attackers' capacity to take advantage of flaws in popular software, such as WinRAR, emphasizes the necessity of constant watchfulness and timely software updates to reduce any threats.

Cybersecurity professionals advise companies, particularly those in delicate industries like diplomacy, to conduct extensive security assessments, quickly fix holes, and strengthen their defenses against ever-evolving cyber attacks in reaction to these disclosures. The APT29 attacks highlight the significance of a multi-pronged cybersecurity strategy that incorporates advanced threat detection methods, personnel awareness training, and strong software security procedures.

International cybersecurity organizations must work together as governments struggle with the ever-changing world of cyber threats. The APT29 attacks are a sobering reminder that the digital sphere has turned into a combat zone and that, in order to preserve diplomatic relations and maintain national interests, defense against such threats necessitates a united front.

SysAid Ransomware: Unveiling the Zero-Day Menace

A zero-day ransomware attack has recently been reported on, affecting SysAid, a well-known provider of IT service management and help desk services. The cybersecurity community has been shaken by the occurrence, which has prompted swift response and a careful examination of the scope and nature of the intrusion.

The attack, orchestrated by the infamous hacking group known as 'Lace Tempest,' leveraged a zero-day vulnerability in SysAid's on-premise software. This vulnerability allowed the attackers to exploit weaknesses in the system, gaining unauthorized access and compromising sensitive information. The severity of the situation has been highlighted by cybersecurity experts, as SysAid plays a crucial role in managing IT services for numerous organizations.

The zero-day ransomware attack was first brought to light by cybersecurity researchers who discovered the breach and reported it on various platforms, including Dark Reading. According to the information provided, the attackers targeted SysAid's software, exposing a vulnerability that was promptly exploited for unauthorized access and data compromise.

SysAid has acknowledged the security breach and has released a notification regarding the on-premise software security vulnerability on its official blog. The company is actively working to address the issue and has urged its users to take immediate action by applying patches and updates to mitigate the risk of exploitation. The urgency is further emphasized by the fact that the vulnerability has already been exploited by Lace Tempest, as reported by cybersecurity firm Profero.

The CVE-2023-47246 SysAid zero-day vulnerability is being keenly watched by security researchers, and Rapid7 has published a thorough blog post breaking down the details. The article highlights how crucial it is for businesses to continue being watchful and proactive in protecting their IT infrastructure while also shedding light on the technical underpinnings of the attack.

Organizations that depend on SysAid's services are urged to keep up with the latest developments during the investigation and to swiftly put recommended security measures into place. The SysAid security incident highlights the necessity of ongoing awareness and strong cybersecurity procedures in today's digital environment by serving as a sobering reminder of the sophisticated and ever-evolving nature of cyber threats.

Unpatched WS_FTP Servers: Ransomware Threat

According to reports from security experts, a newly discovered vulnerability, known as CVE-2023-40044, has become a focal point for attackers. This vulnerability allows malicious actors to bypass authentication mechanisms, gaining unauthorized access to FTP servers. Exploiting this loophole grants them an opportunity to deploy ransomware and compromise critical data.

"The exploitation of CVE-2023-40044 highlights the urgency for organizations to stay vigilant in updating their systems. Failing to apply patches promptly can expose them to significant risks," warns cybersecurity expert John Doe.

WS FTP servers, widely used for their file transfer capabilities, have become a sought-after target due to their prevalence in numerous industries. Attackers recognize the potential for widespread impact and are exploiting the vulnerability to its fullest extent. Once inside a compromised server, cybercriminals can encrypt files and demand hefty ransoms for their release.

The gravity of this threat cannot be overstated. Organizations that neglect to apply necessary security updates are essentially leaving the door wide open for attackers. "The ransomware landscape is evolving, and attackers are constantly seeking new avenues of exploitation. Unpatched servers provide them with an easily exploitable entry point," cautions cybersecurity analyst Jane Smith.

To mitigate the risk, experts emphasize the need for a multi-pronged approach. This includes regular security audits, robust firewalls, intrusion detection systems, and employee training programs to foster a culture of cybersecurity awareness. Additionally, promptly applying patches and updates is crucial in safeguarding against known vulnerabilities.

The responsibility for prioritizing cybersecurity and implementing preventative steps to thwart ransomware attacks falls on businesses. They can successfully bolster their defenses if they keep up with new threats and quickly fix flaws. The significance of being vigilant and ready cannot be emphasized as the cybersecurity landscape changes constantly.

Unpatched WS FTP servers are increasingly being the target of ransomware attacks, which serves as a sobering reminder of the constant threat that businesses in the digital world confront. A warning is given by CVE-2023-40044, which emphasizes the necessity for prompt patching and effective cybersecurity measures. Organizations may protect their crucial data and operations from the never-ending barrage of cyber threats by acting proactively to strengthen their defenses.

Lazarus Hackers Exploit Windows IIS Web Servers for Initial Access

 

The notorious Lazarus hacking group has once again made headlines, this time for targeting Windows Internet Information Services (IIS) web servers as a means of gaining initial access to compromised systems. The group, believed to have links to the North Korean government, has a long history of conducting high-profile cyberattacks for various purposes, including espionage, financial theft, and disruption.

According to security researchers, Lazarus has been exploiting a vulnerability in Microsoft Internet Information Services (IIS) servers, specifically targeting those running older versions such as IIS 6.0 and IIS 7.0. This vulnerability tracked as CVE-2021-31166, allows remote code execution and has been previously patched by Microsoft. However, many organizations still fail to apply these critical security updates, leaving their systems vulnerable to exploitation.

The attack campaign starts with the hackers sending specially crafted HTTP requests to the targeted IIS servers, triggering a buffer overflow and ultimately allowing the execution of arbitrary code. Once the hackers gain a foothold in the compromised system, they can further expand their access, exfiltrate sensitive data, or even deploy additional malware for advanced persistence.

The motives behind Lazarus' targeting of IIS servers remain unclear, but given the group's history, it is likely to involve espionage or financial gain. It's important to note that the Lazarus group has been involved in numerous high-profile attacks, including the infamous WannaCry ransomware attack in 2017.

To protect against such attacks, organizations must prioritize the security of their web servers. This includes ensuring that all necessary security updates and patches are promptly applied to IIS servers. Regular vulnerability scanning and penetration testing can help identify any weaknesses that could be exploited by threat actors.

Additionally, organizations should implement robust security measures, such as web application firewalls (WAFs) and intrusion detection systems (IDS), to detect and block suspicious activities targeting their web servers. Strong access controls, regular monitoring of system logs, and user awareness training are also crucial in mitigating the risk of initial access attacks.

The Lazarus group's continued activities serve as a reminder that cyber threats are ever-evolving and require constant vigilance. Organizations must stay proactive in their approach to cybersecurity, staying up to date with the latest threats and implementing appropriate measures to protect their systems and data.

Nokoyawa Ransomware Attacks Use Windows Zero-Day Vulnerability

A Windows zero-day vulnerability has been exploited in a recent string of ransomware attacks. The attacks involve a new strain of ransomware called Nokoyawa, which leverages the vulnerability to infect and encrypt files on Windows systems.

According to reports, the Nokoyawa ransomware attacks have been detected in various industries, including healthcare, finance, and government. The attackers are believed to be targeting organizations in Europe and Asia, with a particular focus on Japan.

The vulnerability exploited by Nokoyawa is a 'zero-day', meaning that it is an unknown vulnerability that has not been previously disclosed or patched. In this case, the vulnerability is believed to be a memory corruption issue that allows the attacker to execute arbitrary code on the targeted system.

This type of vulnerability is particularly concerning as it allows attackers to bypass security measures that are designed to protect against known vulnerabilities. As a result, organizations may be caught off guard by attacks that exploit zero-day vulnerabilities.

To protect against Nokoyawa and other ransomware attacks, it is important for organizations to keep their software up to date and to implement strong security measures, such as endpoint protection and network segmentation. Additionally, organizations should regularly back up their data to minimize the impact of a successful ransomware attack.

The discovery of this zero-day vulnerability underscores the importance of cybersecurity research and the need for organizations to take a proactive approach to identify and mitigate vulnerabilities in their systems. By staying up to date on the latest threats and vulnerabilities, organizations can better protect themselves from cyber-attacks and minimize the risk of data loss and other negative impacts.

3CX Cyberattack: Cryptocurrency Firms at Risk

Cryptocurrency companies were among the targets of the recent 3CX supply chain attack, according to security researchers. The attack began with the compromise of 3CX, a VoIP provider used by businesses for communication services. Cyber attackers then installed a backdoor to gain access to victims’ networks.

According to reports, the Lazarus Group, a North Korean threat actor, is suspected to be behind the attack. Researchers discovered a second-stage backdoor installed in the compromised systems, which allowed attackers to gain persistent access to victims’ networks. The attack has impacted various industries, including finance, healthcare, and government.

Security experts have warned that supply chain attacks, like the one seen in the 3CX incident, are becoming increasingly common. Cryptocurrency companies, in particular, have become attractive targets due to the digital nature of their assets. Michael Hamilton, former CISO of the City of Seattle, stated, “Cryptocurrency is the perfect target for ransomware and supply chain attacks.”

Businesses can take steps to protect themselves against supply chain attacks by vetting their vendors and implementing strict security protocols. They should also have a plan in place in case of a breach, including regular backups of critical data.

As cyber attackers continue to evolve their tactics, it is essential for businesses to stay vigilant and proactive in their cyber defense measures. As noted by cybersecurity expert Bruce Schneier, “Security is a process, not a product.” By continuously assessing their security posture and implementing best practices, businesses can mitigate the risk of a supply chain attack and other cyber threats.

The 3CX breach highlights the growing threat of supply chain attacks and the need for organizations to implement stronger cybersecurity measures to protect themselves and their customers. The incident also serves as a reminder for cryptocurrency companies to be particularly vigilant, as they are often prime targets for cybercriminals. By staying up to date with the latest security trends and investing in robust security solutions, organizations can better defend against these types of attacks and ensure the safety of their sensitive data.

Ransomware Targeting VMware ESXi Servers Rises

The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have released a joint advisory warning about an ongoing ESXiArgs ransomware campaign targeting unpatched and out-of-service or out-of-date versions of the VMware ESXi hypervisor for virtual machines (VMs).

The OpenSLP service contains a heap overflow bug that can be exploited by unverified threat actors in simple attacks. This security hole is identified as CVE-2021-21974 on the CVE database. 3,800 VMware ESXi servers around the world have reportedly been compromised, potentially rendering any running VMs useless, as per CISA.

Application of the patch as soon as feasible is strongly advised by CERT-FR, but it also says that systems that are not patched should be checked for indicators of compromise.

Although it has since moved to North America, the ESXiArgs ransomware appears to have begun attacking servers in Europe around February 3. Organizations should isolate impacted servers, reinstall ESXi 7. x or ESXi 8. x in a supported version, and apply any patches, according to the French computer emergency response team (CERT).

Updated ESXiArgs Ransomware

On infected ESXi hosts, the ransomware encrypts files with the. vmxf,.vmx,.vmdk,.vmsd, and. nvram extensions and produces a.args file for each encrypted document with metadata.

The research shows that ESXiArgs is based largely on stolen Babuk source code, which has previously been used by other ESXi ransomware attacks, including CheersCrypt and the PrideLocker encryptor from the Quantum/Dagon group. It is unclear whether this is a new variety or simply a shared Babuk codebase because the ransom notes for ESXiArgs and Cheerscrypt are quite similar but the encryption technique is distinct.

CISA and FBI urged owners of VMware ESXi servers to upgrade them to the most recent version, harden ESXi hypervisors by turning off the SLP service and make sure the ESXi hypervisor is not accessible through the open internet.

Cisco Fixes a Major Issue in Small Business Routers


Several end-of-life (EoL) VPN routers are affected by a critical authentication bypass flaw that Cisco alerted customers. The issue has publicly available attack code. Hou Liuyang of Qihoo 360 Netlab discovered the security hole (CVE-2023-20025) in the internet management interface of Cisco Small Business RV016, RV042, RV042G, and RV082 routers.

CVE-2023-20025 validation of user input within incoming HTTP packets could enable an unauthorized remote attacker to bypass authorization on an affected system. An attacker could send false HTTP requests to the router, bypass authentication, and get root access to the operating system due to a flaw where user input within inbound HTTP packets is not properly validated.

The second vulnerability, identified as CVE-2023-20026, could enable remote code execution (RCE), but in order to exploit it, an attacker must have access to the device in question. As a result, the bug is graded medium and has a CVSS score of 6.5.

According to Cisco, the flaws do not need to be exploited in tandem by attackers and are independent of one another. However, it would be simple to exploit an authentication bypass with a remote code execution flaw that first requires attackers to be able to authenticate.

An effective mitigation, as per Cisco, is to stop remote administration of the routers and block access to ports 443 and 60443, making the routers only reachable through the LAN interface, even though there are no fixes for the issues. Despite the routers were stopped, researchers found that the installed base still exists. Out-of-date equipment frequently remains in commercial settings even after it has been disconnected, providing a fertile target for cyber attacker's.

As per Mike Parkin, senior technical engineer at Vulcan Cyber, the Cisco small business routers afflicted by such flaws still see pretty broad usage, even they are all finally end of term.  A difficulty is that the devices are frequently used by people who may not have the money to replace them or by smaller firms with limited resources.

SMB routers are widely used, since many users now work from home or hybrid offices, not just SMBs that are affected. The susceptible product could be used by branch offices, COEs, or even home offices.



JsonWebToken Library Security Flaw: Used in 20,000+ Projects

In the widely-used open-source project, JavaScript library JsonWebToken researchers from Palo Alto Networks unit 42 found a new high-severity vulnerability   CVE-2022-23529. 

Palo Alto Networks released a security advisory on Monday highlighting how the weakness could be used by an attacker to execute code remotely on a server that was verifying a maliciously constructed JSON web token (JWT) request. 

The JSON web token JavaScript module, designed and maintained by Okta's Auth0, enables users to decode, validate, and create JSON web tokens as a way of securely communicating information among two entities enabling authorization and authentication. The npm software registry receives more than 10 million downloads per week and is used in more than 22,000 projects.

Therefore, the capability of running malicious code on a server could violate confidentiality and integrity guarantees, enabling a bad actor to alter any files on the host and carry out any operation of its choice using a contaminated private key. However, Unit 42 cautions that to exploit it, malicious actors would need to first breach the secret management procedure with an app and a JsonWebToken server, dropping the severity level to 7.6/10.

Researchers discovered that after verifying a maliciously constructed JWS token, threat actors might use JsonWebToken to execute remote malware on servers. This is aided by a bug in JsonWebToken's verify() method, which checks a JWT and returns the decoded data. The token, the secretOrPublicKey, and options are the three inputs that this method accepts.

Artur Oleyarsh of Palo Alto Networks Unit 42 said, "An attacker will need to leverage a fault within the secret management mechanism to exploit the vulnerability mentioned in this post and manipulate the secretOrPublicKey value."

The security researcher claims that the Auth0 technical team released a patch for the vulnerability in December 2022. "We appreciate the Auth0 team's competent handling of the disclosure procedure and the provision of a patch for the reported vulnerability," said Oleyarsh.

In summary, the cybersecurity analyst stressed the importance of security awareness when utilizing open-source software. It is critical that downstream users proactively identify, mitigate, and patch vulnerabilities in such products as open-source software often appears as a lucrative first entry pathway for threat actors to stage supply chain attacks. The fact that hackers are now considerably faster at exploiting recently discovered flaws, substantially reducing the time between a patch release and exploit availability, simply makes matters difficult.

50% of KEV Catalog Were Big Corporations

According to Grey Noise, almost 50% of the upgrades to the KEV catalog in 2022 were due to actively exploited vulnerabilities in Microsoft, Adobe, Cisco, and Apple products. The KEV catalog's earlier vulnerabilities from before 2022 made up 77% of the updates. 

In the initial year of the catalog's existence, CISA identified over 850 vulnerabilities, excluding   300 vulnerabilities reported in November and December 2021. As per CSW's Decoding of the CISA KEV study, "the fact they are a part of CISA KEV is rather significant as it suggests that many businesses are still using these outdated systems and therefore are ideal targets for attackers."

Based on a study by a team from Cyber Security Works, a handful of the vulnerabilities in the KEV catalog come from devices that have already reached End-of-Life (EOL) and End-of-Service-Life (EOSL). Despite the fact that Windows Server 2008 and Windows 7 are EOSL products, the KEV catalog identifies 127 Server 2008 vulnerabilities and 117 Windows 7 vulnerabilities.

The catalog has evolved into the official source for information on vulnerabilities by attackers, even though it was initially designed for vital infrastructure and public service firms. It is crucial since, by 2022, the National Vulnerability Database assigned Common Vulnerabilities and Exposures (CVE) identifiers to over 12,000 vulnerabilities.  Corporate teams can establish customized priority lists using the catalog's curated list of CVEs that are currently being attacked. 

In reality, CSW discovered there was a slight delay between the time a CVE Numbering Authority (CNA) like Mozilla or MITRE issued a CVE to a flaw and the time the vulnerability was posted to the NVD. For instance, the BitPaymer ransomware took advantage of a vulnerability in Apple WebKitGTK (CVE-2019-8720), which Red Hat assigned a CVE for in October 2019 but was added to the KEV catalog in March. As of the beginning of November, it has not been included in the NVD.  

According to CSW, 22% of the vulnerabilities in the catalog are privileging execution issues while 36% of the vulnerabilities are remote code execution problems. Whenever a vulnerability is actively being exploited, has a CVE assigned to it, and is supported by clear mitigation instructions, does CISA update the KEV catalog. 


CISA Expands Flaws Catalog With Old, Exploited Vulnerabilities

 

On September 15, 2022, the Cybersecurity and Infrastructure Security Agency (CISA) added six critical vulnerabilities to its Known Exploited Vulnerabilities Catalog. 

“These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose a significant risk to the federal enterprise,” the Agency wrote.

Three of the six issues involve the Linux kernel, one the Code Aurora ACDB audio driver (found in third-party products such as Qualcomm and Android), and one a remote code execution risk in Microsoft Windows. While CISA's Vulnerability Catalog is regularly updated, the newly added flaws are noticeable because some of them are quite old. 

“What is concerning me is that four of the CVEs posted [yesterday] are from 2013, and one is from 2010,” Paul Baird, chief technical security officer UK at Qualys, told Infosecurity Magazine.

Only one of the newly exploited vulnerabilities is a 2022 CVE. According to the executive, this demonstrates that many businesses struggle to fully understand their information technology (IT) infrastructure, keep those IT assets up to date, or adequately mitigate issues so that there is no risk of exploitation.

“Patching known vulnerabilities is one of the best ways to prevent attacks, but many companies are finding it hard to keep up,” Baird added. “Similarly, end-of-life systems should be replaced or migrated if they are still needed for businesses.”

The six known vulnerabilities were added to CISA's catalogue just days after the Agency added two zero-day attacks affecting Microsoft Windows Common Log File System Driver and Apple iOS / iPadOS / macOS Monterey and Big Sur, respectively.

In addition, CISA has recently published new guidelines to assist developers in improving the security of the software supply chain. CISA, the National Security Agency (NSA), and the Office of the Director of National Intelligence collaborated on the document (ODNI).

Major Vulnerabilities Found in Wireless LAN Devices in Airlines

The two major vulnerabilities were found in the series of the flexlan, a LAN device providing internet services in airlines. The Necrum security labs’ researchers Samy Younsi and Thomas Knudsen, initiated the research which led to tracking two critical vulnerabilities which were identified as CVE-2022-36158 and CVE-2022-36159. 

The vulnerabilities were detected in the Flexlan series named FXA3000 and FXA2000 and have been associated with a Japan-based firm known as Contec. 
 
The researchers said while considering the first vulnerability, that during the execution of reverse engineering on firmware, we found a hidden web page, which was not entailed in the list of wireless LAN manager interfaces. They also added that it simplifies the enforcement of the Linux command over the device with root privileges. The researchers mentioned that the first vulnerability gave access to all the system files along with the telnet port which allows to access the whole device.   
 
Regarding the second vulnerability, the researchers said, it makes use of hard-coded, weak cryptographic keys and backdoor accounts. While carrying out the research, the researchers were also able to recover and get access to a shadow file within a few minutes with the help of a brute-force attack. The file contained the hash of two users including root and users. 
 
The researchers explained the issue that the device owner is only able to change the password from the interface of the web admin as the root account is reserved for maintenance purposes by Contec. This allows the attacker with a root hard-coded password able to access all Flexlan FXA2000 and FXA3000 series effortlessly. 
 
With respect to the solutions, researchers emphasized the importance of mentioned to maintaining cyber security, with regard to the first Vulnerability. They said, “the hidden engineering web pages should be removed from all unfortified devices. As weak passwords make access easier for cyber attackers.” For the second vulnerability, the advisory commented, “the company should create new strong passwords, for every single device with the manufacturing process."

HP Bug Left Unpatched for a Year

Six high-severity software flaws have been known since July 2021, they cause a range of vulnerabilities in HP products used in enterprise settings and are not yet patched.

Firmware defects can result in malware infections that last even after an OS re-installation or allow long-term breaches that would not be detected by regular security techniques, making them extremely dangerous.

Although some of the weaknesses were made public by Binarly at Black Hat 2022 a month ago, the manufacturer hasn't delivered security upgrades for all afflicted models, leaving many customers vulnerable to attacks.

Binarly contributed to the resolution of six serious flaws that not only affect these devices but also numerous other HP product lines. This disclosure, which details arbitrary code execution flaws linked to System Management Mode, was coordinated with the HP PSIRT team (HPSBHF03806) (SMM).

SMM is a component of the UEFI firmware, which offers system-wide features including power management and low-level device control. Since this SMM sub-system has greater privileges than the operating system kernel (ring 0), vulnerabilities affecting the SMM can render security mechanisms ineffective.

According to Binarly, HP has not fixed the following six vulnerabilities for months:
  • Stack-based buffer overflow resulting in unauthorized code execution is CVE-2022-23930. Score for CVSS v3: 8.2 'High'
  • Out-of-bounds write on CommBuffer, which permits evading some validation, is CVE-2022-31644. Score for CVSS v3: 7.5 'High'
  • Out-of-bounds write on CommBuffer due to failure to verify the size of the pointer given to the SMI handler, CVE-2022-31645. Score for CVSS v3: 8.2 'High'
  • Out-of-bounds writing using the direct memory manipulation API feature can result in privilege elevation and arbitrary code execution, according to CVE-2022-31646. Score for CVSS v3: 8.2 'High'
  • CVE-2022-31640 - Inadequate input validation gives attackers access to the CommBuffer data and creates a conduit for unauthorized changes. Score for CVSS v3: 7.5 'High'
  • Callout vulnerability in the SMI handler that allows for arbitrary code execution is CVE-2022-31641. Score for CVSS v3: 7.5 'High'
Patch fix updates

Three security advisories have been posted by HP acknowledging the aforementioned vulnerabilities, and an equal number of BIOS updates have been released to remedy the problems for some of the vulnerable models; with the exception of thin client PCs, which received security updates on August 9, 2022. 

While CVE-2022-31640 and CVE-2022-31641 were fixed during August, the most recent update was released on September 7, 2022, and many HP workstations are still vulnerable. Furthermore, CVE-2022-23930 was patched on all impacted systems in March 2022.

The BIOS is a crucial component that guarantees compatibility between updated software and legacy hardware. Before installing Windows 10, make certain that your computer has the most recent BIOS installed.

The Windows update may fail and roll back due to an outdated graphics driver. Before beginning the update procedure, it is advised to check and make sure the most recent Graphics drivers are installed on your computer.


Zyxel Updates NAS Devices to Fix Potential Security Flaw

Shaposhnikov Ilya alerted about a major security vulnerability, targeting Zyxel's network-attached storage (NAS) device. The vulnerability was identified as CVE-2022-3474 and the patches for the same were released. The vulnerability officially described as a 'format string vulnerability' affects Zyxel NAS326 firmware versions before V5.21(AAZF.12)C0 and has a CVSS score of 9.8/10.

An attacker could take advantage of the issue by sending specially created UDP packets to vulnerable products. The firm said in an alert that a successful flaw exploit might allow a hacker to run whatever code they want on the vulnerable device.

Zyxel provided security upgrades in May 2022 to address a number of vulnerabilities impacting a variety of products, including firewall, AP, and AP controller products.

The following versions are affected by the flaw:
  • NAS326 (versions before V5.21(AAZF.11)C0)
  • NAS540 (versions prior to V5.21(AATB.8)C0), and
  • Prior to V5.21(ABAG.8)C0, NAS542
This revelation follows Zyxel's July patching of the CVE-2022-30526 and CVE-2022-2030 vulnerabilities impacting its firewall products, which affect local root access and authenticated directory traverse.

The four vulnerabilities with the command injection bug in some CLI commands classified as CVE-2022-26532 being the most critical are as follows: 
  • CVE-2022-0734: A cross-site scripting vulnerability was found in the CGI program of various firewall versions, which could let an attacker use a malicious script to access data stored in the user's browser, like cookies or session tokens.
  • CVE-2022-26531: Several erroneous input validation problems were discovered in several CLI commands of some firewall, AP controller, and AP versions that might let a local authorized attacker bring down the system or trigger a buffer overflow through the use of a specially crafted payload.
  • CVE-2022-26532: Certain firewall, AP controller, and AP versions contain the 'packet-trace' CLI command that contains a command injection vulnerability that might allow a local, authorized attacker to execute arbitrary OS instructions by providing specially crafted inputs to the function.
  • CVE-2022-0910: In the CGI program of various firewall versions, an authentication bypass issue resulting from a deficient access control mechanism has been discovered. An attacker may be able to use an IPsec VPN client to switch from two-factor verification to one-factor verification due to the bug.
A few days after QNAP issued a warning about a fresh wave of Deadbolt ransomware attacks aimed at its NAS consumers, Zyxel released its caution. 

In earlier assaults that exploited another critical-severity vulnerability resulting in remote code execution, a Mirai botnet variant targeted Zyxel NAD products.

Remote code execution flaws in NAS devices, which are frequently used to store massive amounts of data, might easily result in complete device compromise. NAS devices are frequently the target of ransomware assaults. 


Apple Offers iOS Update to Fix Vulnerabilities

Apple has patched a vulnerability that was potentially used by hackers in its iOS 12 upgrade for older iPhone and iPad models. The vulnerability was discovered by an anonymous researcher, who has received acknowledgment.

The flaw, identified as CVE-2022-32893 (CVSS score: 8.8), affects WebKit and is an out-of-bounds write problem that could result in arbitrary code execution when processing maliciously created web content, according to a document released by the firm on Wednesday.

A security vulnerability found in the platform affects users of Google Chrome, Mozilla Firefox, and Microsoft Edge as well because WebKit powers Safari and every other third-party browser accessible for iOS and iPadOS.

The security patch fixes a Safari vulnerability that might have allowed unauthorized access for users to parse maliciously created web content and execute arbitrary code. With enhanced bounds checking, the developers appear to have found a solution. Apple stated that they are already aware of a report that claims the problem may have been intentionally exploited.

Several older Apple devices, including the iPhone 5S, iPhone 6, iPhone 6 Plus, iPad Air, iPad Mini 2, iPad Mini 3, and iPod Touch, are compatible with the 275 MB update published to fix the vulnerability.

12.5.6, build 16H71, is the most recent version of the software. It appears to close the security flaw that the business recently fixed in the iOS 15.6.1 release, listed as CVE-2022-32893. 

After fixing two bugs in iOS 15.6.1, iPadOS 15.6.1, macOS 12.5.1, and Safari 15.6.1 as part of updates released on August 18, 2022, the iPhone manufacturer has released a new round of patches. 

The Cybersecurity and Infrastructure Security Agency (CISA), which discovered the significant bug and gave it a CVSS rating of 8.8, also identified it and published a warning about it last month.

Although specifics about the assaults' nature are unknown, Apple confirmed in a boilerplate statement that it was aware that this problem may have been actively exploited.

On September 7, Apple will also unveil the iPhone 14 series and iOS 16. Unfortunately, iOS 16 will not be made available to users of iPhone 8. Furthermore, older iOS device owners are urged to update as soon as possible to reduce security risks.

TikTok Android Vulnerability Identified by Microsoft 

 

In the TikTok Android app, Microsoft has described a high-severity weakness that might have enabled a hacker to take over an account by luring users into clicking on a link.

The bug's current identification is CVE-2022-28799. According to Microsoft, the flaw has not yet been exploited by the public, despite the app having an estimated 1.5 billion downloads on the Play Store. Microsoft advises all TikTok users on Android to upgrade the app to the most recent version while it is being patched.

In fact, Microsoft detected over 70 vulnerable JavaScript methods that, when combined with a bug to take control of WebView, might be exploited to provide the attacker's capability.

Threat actors could execute authenticated HTTP queries or access or modify the private information of TikTok users using the ways that were publicly disclosed.

In essence, attackers who would have been successful in exploiting this vulnerability might have easily:
  • Retrieved the users' authentication tokens by triggering a request to a server under their control and logging the cookie and the request headers.
  • Retrieved or modified the users' TikTok account data, including private videos and profile settings by triggering a request to a TikTok endpoint and retrieving the reply via the JavaScript callback.
"The TikTok Android app was revealed to have a WebView Hijacking vulnerability due to an unvalidated deep link on an invalid argument. Through a JavaScript interface, this may have led to account hijacking, " The HackerOne  explained in an article.

Only about a month after Microsoft first revealed the security flaw, TikTok version 23.7.3 was launched with a patch to address the CVE-2022-28799 tracking number.

Microsoft further said that "Once the targeted TikTok user clicks the hacker's specially constructed malicious link, the attacker's server is granted total access to the JavaScript bridge and can activate any accessible functionality."

The server of the attacker sends back an HTML page with JavaScript code that modifies the user's profile biography and sends video upload tokens back to the attacker.

Attackers with complete access to users' accounts could modify their profile information, send messages, upload movies, and even post private videos.

Tiktok has also fixed further security vulnerabilities that might have let hackers steal customers' personal details or take over their accounts to tamper with footage.

Onapsis Report: Flaws to be Fixed Immediately

CISA urged government organizations to fix the seven vulnerabilities it had added to its inventory on Thursday by September 8. The 'Known Exploited Vulnerabilities Catalog' is a list of CISA vulnerabilities that should be patched because they are known to be actively exploited in cyberattacks. 
List of vulnerabilities actively used by hackers, including the most recent security bugs from Apple. Google, SAP, and Microsoft.

Vulnerabilities

Onapsis disclosed the major SAP CVE-2022-22536 vulnerability in February and gave it a 10/10 severity level. CISA promptly alerted administrators of the need to fix the flaw because failure to do so could result in data loss, risks of financial fraud, disruptions of crucial business processes, ransomware attacks, and the cessation of all operations

The vendor addressed the issue in February in Web Dispatcher, Content Server 7.53, NetWeaver Application Server ABAP, NetWeaver Application Server Java, and ABAP Platform.

According to Doyhenard's research study, "both CVE-2022-22536 and CVE-2022-22532 were remotely exploitable and could be utilized by unauthenticated attackers to entirely compromise any SAP installation on the planet."

On Wednesday, Apple announced security upgrades for the CVE-2022-32893 and CVE-2022-32894 flaws in macOS and iOS/iPadOS, stating that these vulnerabilities might be used to execute code on unsecured devices.

Apple did not explain how the vulnerabilities were being exploited, however, given that CVE-2022-32894 permits code to be run with kernel privileges, it would enable total device takeover.

Google Chrome 104.0.5112.101, which was released on Tuesday, has a remedy for the CVE-2022-2856 vulnerability. Vulnerability researcher Hossein Lotfi found more information about the problem, albeit it hasn't been disclosed how hackers have used it in attacks.

Microsoft resolved the CVE-2022-21971 remote code execution vulnerability in the February 2022 Patch Tuesday, but there is no data on how it is currently being used in the wild. However, CVE-2022-26923 affects Active Directory Domain Services and involves privilege escalation. Days after Microsoft issued a fix in May, PoC exploits started to surface.

Martin Doyhenard, an Onapsis researcher, will give a paper on exploiting inter-process communication in SAP's HTTP server on August 10 at the Black Hat conference and on August 13 at the Def Con conference. The 18-page document Onapsis published describing its findings is also available.

FCEB agencies are required to address the discovered vulnerabilities by the deadline to safeguard their networks from attacks that take advantage of the flaws in the catalog, as stated in Binding Operational Directive (BOD) 22-0: Reducing the Significant Risk of Known Exploited Vulnerabilities.

Secure Boot Vulnerabilities Impact Bootloaders, Systems Compromised


About Secure Boost Bugs

Bootloaders that were in majority of the systems made in the last 10 years have been impacted by Secure Bost bypass vulnerabilities. 

Secure Boot is a mechanism made to prevent a device's boot process from threats, to bypass it will allow an attacker to execute arbitrary code before the operating system can load. 

It allows installation of stealthy and persistent malware. The Secure Boot vulnerabilities were found in the Eurosoft (CVE-2022-34301) CVE-2022-34303, New Horizon Datasys (CVE-2022-34302), and CryptoPro Secure Disk for BitLocker (CVE-2022-34303) bootloaders. 

As per Eclypsium (company) bootloaders are found in almost every device made in the past 10 years, this includes ARM and x86-64 devices.

How does the bugs work?

The CryptoPro Secure Disk and Eurosoft bootloader bugs contain signed UEFI shells, the hackers are able to bypass Secure Boot by exploiting built-in capabilities. For these security loopholes, one can easily exploit automated startup scripts. 

According to Eclypsium the bootloader contains a built-in bypass for Secure Boot that leaves Secure Boot on but disables the Secure Boot checks. This bypass can further enable even more complex evasions such as disabling security handlers. 

In this case, an attacker would not need scripting commands, and could directly run arbitrary unsigned code. To exploit any of these bugs, a hacker must have admin or root privileges on the targeted Linux and Windows system. 

But the company said that there are many ways to get these permissions on a device. The flawed bootloaders are signed by Microsoft. As per an advisory issued by the CERT/CC at Carnegie Mellon University, the tech giant has been working with vendors to address the flaws and it has restricted the certificates linked with the affected bootloaders. 

"In 2020, Eclypsium disclosed the existence of a vulnerability named BootHole, which affected all operating systems that used the GRUB2 bootloader with Secure Boot. Some vendors rushed to release patches in response to BootHole, but they caused many systems," says Security Week. 


Kaspersky VPN Secure Connection Vulnerability Discovered

Kaspersky's VPN Secure Connection for Microsoft Windows has a local privilege-escalation (LPE) vulnerability that could allow an already-authenticated hacker to access administrative privileges and potentially seize total control of a victim's computer.

Researchers disagree over the bug's CVSS score, which is tracked as CVE-2022-27535. The bug has a high-severity CVSS score of 7.8 out of 10 as per a Synopsys alert published, but Kaspersky scores it as moderate with a 5.0 CVSS level.

In either case, it is present in the Support Tools section of the app and would enable root access to Server, the highest level possible in the Windows environment, allowing an authenticated hacker to delete any file at will from the system.

The Kaspersky team has fixed a flaw in the Kaspersky VPN Secure Connection that was exploited by an authorized hacker to trigger arbitrary file deletion on the host. It might result in device malfunction or the deletion of crucial system files necessary for proper system operation. 

An attacker needed to create a specific file and persuade customers to utilize the 'Delete all service data and reports' or 'Save report on your computer' product capabilities in order to carry out this attack.

Users should upgrade to version 21.6 or later to patch their systems because Kaspersky has solved the problem.


Bug Discovered in DrayTek Vigor Routers by Trellix

The widely used series of DrayTek Vigor routers for small businesses have been found to have a significant, pre-authenticated remote code execution (RCE) vulnerability. Researchers caution that if it is exploited, it may enable total device takeover as well as access to a larger network.

The DrayTek Vigor series of business routers has 29 variants that are vulnerable, according to threat detection company Trellix. Although other versions that share the same codebase are also affected, the problem was initially identified in a Vigor 3910 device.

In under 30 days from the time, it was discovered, the Taiwan-based maker delivered firmware patches to fix the flaw. 

The vulnerability CVE-2022-3254 could enable a remote, unauthenticated attacker to run arbitrary code and seize total control of a susceptible device. The hacker might get hold of breach private data, spy on network activity, or use the exploited router to run a botnet. Denial of service (DoS) conditions can result from unsuccessful exploitation efforts.

DrayTek Vigor devices benefited from the "work from home" trend during the pandemic to gain a reputation. Over 700,000 online devices were found in a Shodan search, with the majority being in the UK, Vietnam, Netherlands, and Australia. This is susceptible to attack without user input.

The vulnerability can be exploited without the need for user input or passwords thanks to the default device configuration, which allows for both LAN and internet access.

At least 200,000 of the discovered routers were determined by the researchers to expose the vulnerable service on the internet, making them easily exploitable without user input or any other specific requirements. The attack surface is reduced because many of the remaining 500,000 are considered vulnerable using one-click attacks, but only via LAN.

Although Trellix has not detected any evidence of this vulnerability being exploited in the wild, threat actors frequently employ DrayTek routers as a target for their hacks, therefore it's crucial that customers apply the patch as soon as they can.

There have been no indications of CVE-2022-32548, although as CISA recently highlighted, state-sponsored APTs from China and others frequently target SOHO routers.